"Your device is corrupt and can't be trusted"

GrapheneOS

Meatheadmarty You can't install the non-security-preview update if you updated to the security preview. You need to download the security preview update, which you can do by changing the URL from https://releases.grapheneos.org/DEVICE-ota_update-2025100900.zip to https://releases.grapheneos.org/DEVICE-ota_update-2025100901.zip. We haven't decided how to include this on the releases page yet and don't want to make it too much longer.

userofgos

Meatheadmarty Could this be a hack or it almost certainly hardware wear and tear?

I'm quite certain it was a hardware failure. It's happened to me once or twice before, but haven't had any issues since (probably been 9 months since it happened).

I sideloaded the currently installed OTA update and that resolved it for me then.

Meatheadmarty

userofgos i hope you are right.

I am concerned about reloading the os by plugging it into a computer because the pixel is saying it's "corrupt."

There is a non-zero chance I would end up corrupting the computer when I plug it in if some sort of sophisticated malware was added to the phone.

I don't know enouh about malware that I can be confident there's not some sort of malware payload on the device now.

I know certain types hate Graphene because they want to be able to send 0 click malware and Graphene makes it harder. They do not like being unable to know who is using a device.

I could try to use a computer at a place with publicly available computers but I doubt I can install adb and connect the phone that way. Adb probably needs admin rights so isn't going to be allowed.

I may just need to get a new pixel or just go without a phone completely or get a dumb phone of some kind. For now I have to treat this device as infected because I don't have the skills to be sure it isn't. I don't feel comfortable plugging this in at the moment.

userofgos

Meatheadmarty would end up corrupting the computer when I plug it in if some sort of sophisticated malware was added to the phone.

Highly unlikely

userofgos

Meatheadmarty could try to use a computer at a place with publicly available computers but I doubt I can install adb and connect the phone that way. Adb probably needs admin rights so isn't going to be allowed.

Sorry for being so blunt, but did you even read the https://grapheneos.org/usage#updates-sideloading page?

It gives you detailed instructions, and clear reasons why it is secure if you follow the instructions exactly

Meatheadmarty

userofgos I did read it. I understand that when the OS is working correctly, there is little risk. I just don't know if the OS has sophisticated malware on it now. My hardware seems fine and the hash is the same. So, I don't know what that means.

One possibility could be that the OS was attacked during the upgrade or prior to that, and now the entire system is compromised.

Many sophisticated agencies have created things like Peaguses. Graphene OS users would be a more valuable target for such types of hacks. I can't discard the possibility this is a sophisticated hack. If it is, the system itself could be corrupt and showing the expected hash but still be compromised in some way.

There is also a cellular modem in this device and if I am hacked, it could be off airplane mode right now and exfiltrating data using the cellular modem.

If my understanding of advanced malware is wrong or if this is theoretically impossible, please educate me. I am not among the smartest most knowledgable people on this forum, I am a technology enthusiast at best.

I have still used the phone since the "corruption" error, but will likely stop using it soon. Even if it's not advanced malware, then likely the hardware is damaged. Google won't repair the hardware without my name and information and also won't do it while GOS is on the pixel. So why bother then? If the hardware is so damaged, I need a different iption anyway.

I would feel more secure doing this if I were using a Qubes system and could attach it to a disposible template, but I'm not and don't have access to one.

I guess I could actually use a Live distro to do it and then reflash the bios on the system after? It would probably be hard to infect some other sort of firmware on the system. It just feels uncomfortable. Could advanced malware infect another type of firmware?

My system is not Qubes capable. Is there a way to isolate the phone so it couldn't do anything if it were infected? Would malware on a phone have to get root priviledges to install malware? It probably would. I could just change the live distro to have a strong admin password.

Am I being irrational in this concern, even if I were to have a very high threat model?

userofgos

Meatheadmarty I just don't know if the OS has sophisticated malware on it now. My hardware seems fine and the hash is the same. So, I don't know what that means.

Again, highly doubtful that there is any malware involved in your case. Did you try searching this forum for any users that came across this same error?

If you search "corrupt" in the search bar, you'll get numerous threads of other users reporting the same issue as you, and nearly every time the answer is the same. A: likely a hardware issue, try sideloading the latest OTA release.

https://discuss.grapheneos.org/?q=corrupt

Meatheadmarty

@ryrona what should i do? The GOS developers are smart too but they haven't responded in a way in which I completely understand what to do. I have one user saying yes, I should just use adb and reload. Shoukd I do that and discount the risks?

ryrona

Meatheadmarty what should i do? The GOS developers are smart too but they haven't responded in a way in which I completely understand what to do.

Backup everything on your phone, and then reinstall GrapheneOS from scratch. That is what I would have done. If that doesn't help, your hardware might be failing, such as the flash storage.

If you are fine with waiting until the next update, you can do as @Aru suggests. The next update will reflash the whole OS image, all updates do, and that might correct the problem. But something is wrong. I don't know exactly what red triangle indicates, but either there are data blocks that are failing to load, or verified boot failed to confirm genuine software is loaded. Either way, I would not trust the system until you are back at the yellow triangle.

Meatheadmarty Is this an actual compromise or more Google fuckery?

Assume it is a compromise, even if it maybe only is early signs of failing hardware. Because if you don't have yellow triangle, you are not booting genuine unmodified GrapheneOS anymore.

Meatheadmarty

Could this be because I never made the battery repair?

Aru

I got a similar issue after an upgrade a few weeks ago. Other than the corrupted message at boot, my phone worked fine. I tried to sideload the same update, without success. The message went away after upgrading to the next version. So far, I'm good.

Meatheadmarty

Aru I'll try this instead. If the next update can make it go away, then there's no problem. GOS updates so frequently it will be faster. If it's still a problem, then I'll deal with it in a week or two.

Meatheadmarty

Aru I did the most recent upgrade and the error went away. I still don't feel like this is proof that I was not hacked.

I also use a 6a and am worried this is a warning about the battery.

After the upgrade things feel slightly warm. It's concerning.

Upstate1618

Have you tried to use a public computer to use adb?

GrapheneOS

ryrona It won't allow loading data with an invalid signature or hashes. That means some aspects of what has been described don't make much sense.

Meatheadmarty

GrapheneOS if it wouldn't load with the correct hash, it suggests hardware failure, right?

I know I should treat it as compromised, but my threat model isn't that high. Even if this were an advanced hack and all data could be secretly extracted using the modem, I don't know if it matters.

It is also a device susceptible to battery failure and not repaired. It seems possible it's a hardware failure.

Backing up and treating the phone as compromised is a huge pain in the ass. I probably should listen to @ryona and treat it like a compromised device, however.

userofgos

Meatheadmarty I personally don't believe your device is compromised, and believe it became corrupted due to a hardware issue (which may only be temporary, like it was in my case). I think the next course of action would be to perform a factory reset of the device, then follow the GrapheneOS Post-install instructions to verify the boot key hash, and finally perform hardware attestation via the Auditor app.

Once those steps have been followed and verified that everything is working as normal, then you're safe to use the device.

c86

Meatheadmarty

I'm using a pair of newer models and they both get warm after an update, then they go back to normal.

Like others have said, it really doesn't sound like you were compromised. I get that kind of worry can consume someone, but if the newest update was successful that's a good sign. If there was a compromise don't you think a subsequent update would have caused more issues and the error or a different one would show?

It sounds like you just experienced a glitch or there may be a hardware issue going on. Make sure you're backed up just in case you have to switch devices.

userofgos

Meatheadmarty I did the most recent upgrade and the error went away.

That's good news!

Meatheadmarty I also use a 6a and am worried this is a warning about the battery.

Have you checked if you're 6a's battery is one of the faulty ones that Google has a replacement program for? https://support.google.com/pixelphone/answer/16340779?hl=en

userofgos

Meatheadmarty I still don't feel like this is proof that I was not hacked

Have you checked if the verified boot key hash matches your device? https://grapheneos.org/install/web#verified-boot-key-hash

If it matches then your device is not compromised.

« Previous Page