How to set up a new Pixel to avoid Google before installing GrapheneOS

Watermelon

de0u It is certainly impossible for devices that require a network connection before enabling OEM unlocking

I'm aware of OEM unlocking requiring internet access. I was talking about the suggestion of not updating before flashing GrapheneOS.

sappy_junior728

Watermelon

I'm glad I found this thread before I opened my sealed Google Pixel 9.

I don't understand why you skipped WiFi setup at the beginning of the install and waited until you got to the home screen?

Is it even possible to decline any of the ToS and still get to the home screen?

I also want to give as little data to Google as possible. I heard Google even collects the SSIDs that the phone scans and connects to?

Watermelon

sappy_junior728 I don't understand why you skipped WiFi setup at the beginning of the install and waited until you got to the home screen?

I already answered this :)
https://discuss.grapheneos.org/d/30767-how-to-set-up-a-new-pixel-to-avoid-google-before-installing-grapheneos/8

sappy_junior728 Is it even possible to decline any of the ToS and still get to the home screen?

I don't know, but there's a difference between a ToS, which is for an online service, and a EULA, which is for a software program (i.e. the same code you physically have even offline). Anyway, you should look very closely and try whatever possible to reject legal agreements unless you're 100% sure you need to accept it to continue.

sappy_junior728 I also want to give as little data to Google as possible. I heard Google even collects the SSIDs that the phone scans and connects to?

Try to see if you can disable location scanning during the onboarding process. If you're already past the onboarding, don't bother messing with it. Stick to installing updates and OEM unlocking, power off, and then delete the stock OS.

sappy_junior728

de0u

Why? Wouldn't that mean I'll have to use my usernames and passwords setting up GOS on an unsecured network?

de0u

sappy_junior728 Some people advise unboxing the phone and activating OEM unlock on a public Wi-Fi network to avoid associating the device identifiers with one's home network.

sappy_junior728 Wouldn't that mean I'll have to use my usernames and passwords setting up GOS on an unsecured network?

It's not clear what threat that would pose, but no. Operating the device on a public network briefly while running Google's stock OS does not require that any later steps, such as installing GrapheneOS or configuring GrapheneOS, be carried out on the same network.

raccoondad

sappy_junior728 unsecured network

Nothing about public wifi suggests they are 'unsecure', there is a number of factors like the person running the service, how the AP is configured, what protections they have in place, and if you are using TLS.

A lot of APs I have seen in public don't even allow other devices to communicate with each other outside of the gateway

sappy_junior728

de0u

At some point, wouldn't you want to use your home network?

raccoondad

Graphner I wonder how you configured these steps on your Pixel phones the first time you turned them on to avoid giving too much information to Google

The "skip" button, connect to WiFi -> skip everything else -> settings -> OEM unlocking (needs WiFi to be connected)

de0u

sappy_junior728 At some point, wouldn't you want to use your home network?

Probably yes.

userofgos

sappy_junior728 At some point, wouldn't you want to use your home network?

Most often yes, but before that happens you would have already installed GrapheneOS and configured a VPN. Alternatively, depending on your router, you could configure the VPN on the whole network and then perform the install and setup of GrapheneOS on that network after VPN is configured. Really depends on your threat model and preferences.

unlocked

forum713696

I hope it is ok to comment here even though it is not my post; if not, i will create a new post and delete my comments below............

"A new phone connects to cell towers at the first boot, even without a SIM card."

When i take my phone out of the box for the 1st time and turn it on, even though it is not connected to any wifi and does not have a sim card, thus no internet at all - are you saying that my pixel will 'still' connect to a cell tower anyway?

"When these cellular connections are made, the IMEI of your phone is associated with the physical location of the phone. "

This cellular connection: is this being made without wifi or sim; just a first boot as i mentioned above?

If so, i will boot it away from where i live - seems like a good idea to protect the IMEI.

Graphner

In this other thread, 2 very interesting things appear, posted by two different users:

https://discuss.grapheneos.org/d/27314-privacy-risk-of-booting-on-an-idd-device/5

I have several questions, which I will divide up to make it easier to answer them. Let's first see what I mean:

Your IMEI is only sent once to Google during the bootloader unlock process. If you don't want them to have your IP address, do it over a public WiFi or a router with a VPN.

I setup GrapheneOS for lots of my friends and family members. Whenever I do, I ALWAYS do the initial wifi connection to turn on OEM unlock on public wifi networks and also use a burner Pixel with GrapheneOS installed on it to actually do the install, but I do that using that using the burner's own data tunneled through Mullvad VPN. And I do this with my own personal device turned off and in a faraday bag. For the friends that prefer to use burner accounts, I set those up out in the field also. It seems excessive, but it's the only way to really be sure that no important telemetry data is received by and/or sent to any of the big tech companies.

In addition to this, I have read this other thing here:

https://grapheneos.org/install/web#enabling-oem-unlocking

On device model variants (SKUs) which support being sold as locked devices by carriers, enabling OEM unlocking requires internet access so that the stock OS can check if the device was sold as locked by a carrier.

1) OK, according to the latter, enabling OEM unlocking requires internet access on some devices, but apparently not all. I haven't checked yet if it will be necessary on mine, but at home I always find a Wi-Fi network that I can access without a password, so seeing as you recommend connecting to public Wi-Fi networks for this, I could do that. Now, what if that public Wi-Fi network that I can access without a password belongs to someone who leaves it open with malicious intent? This seems to be quite common. I understand that my device would be linked to that person, and I don't think that's a very good idea. I would like to know your opinion on this.

2) Wouldn't it be better to enable OEM unlocking with a router with a VPN instead of using public WiFi? Can I do this with the free version of Proton VPN? How?

3) Why does this user do this? “And I do this with my own personal device turned off and in a Faraday bag.”

4) What does he mean here by burner accounts? “For the friends who prefer to use burner accounts, I set those up out in the field as well.”

5) Regarding what the first user says, there is something that confuses me. The “unlock bootloader” process is a step that comes after “enabling OEM unlocking.” Is the IMEI sent to Google in this step, even though it is something that is done after turning off the phone?

de0u

Graphner

Personally I OEM-unlocked my 6a at home, because personally I wasn't trying to keep Google from knowing that I had bought that particular 6a, because actually I bought it from the Google Store (under my actual identity). I mention this because lots of people describe elaborate practices online, sometimes without connecting those practices to an explicit threat model, and some people just getting started may be put off by feeling they shouldn't install GrapheneOS unless they're in international waters inside a Faraday cage etc.

That said, for people who have already written down a threat model according to which it is important to conceal from Google that a specific IMEI is associated with a specific person, I will point out that leeching a neighbor's open Wi-Fi network, even if the neighbor is not malicious, will tie the IMEI to the neighbor's location (it's prudent to assume that Google knows the latitude and longitude of roughly all Wi-Fi networks, as does Apple, because that's a key ingredient of their network location services).

There is good reason to believe that Google's OEM-unlock service is contacted only once ever -- or at least only once after a factory reset while running Google's Pixel OS. Locking and unlocking the bootloader can be done without a network connection, which is good reason to conclude that Google's OEM-unlock service is not being contacted.

userofgos

Graphner 2) Wouldn't it be better to enable OEM unlocking with a router with a VPN instead of using public WiFi?

Depends who you ask, and what their threat model is (if they have one). As de0u mentioned, if the device is already tied to your actual identity (bought directly from Google with credit card in your name) then I don't it is absolutely necessary to use a VPN on your home wifi, but some may disagree.

However, some folks may have gone the route of buying the device second hand and have a different threat model and may not want the device attributed to their actual identity in any capacity.

Graphner Can I do this with the free version of Proton VPN? How?

Yes, same way you would without VPN but you'd want to make sure you setup the VPN first before enabling D

Graphner 3) Why does this user do this? “And I do this with my own personal device turned off and in a Faraday bag.”

As I mentioned above, and as it appears to be for this individual, they have a different threat model and they do not want their actual identity or that of their colleagues tied to either device (1. the "burner" device used to install GrapheneOS, 2. the "new" device to have GrapheneOS installed). I don't know their reasoning beyond that.

Graphner 5) Regarding what the first user says, there is something that confuses me. The “unlock bootloader” process is a step that comes after “enabling OEM unlocking.” Is the IMEI sent to Google in this step

It does not happen in the unlock bootloader phase, AND it does not happen when OEM unlocking is toggled ON, it does happen at a step before all of this.

When you first open the box of a new pixel, power it on and then turn on Developer options OEM Unlocking is typically greyed out and untoggleable until some time after Google verifies that the device is bootloader unlockable by transmitting the IMEI (which is only possible when the device is connected to the internet).

de0u There is good reason to believe that Google's OEM-unlock service is contacted only once ever -- or at least only once after a factory reset while running Google's Pixel OS.

Is it known if Google transmits the IMEI immediately after connecting to internet at any stage whether during initial setup-wizard, before Developer options are enabled, or after Developer options are enabled? I would think only the latter right?

Graphner 4) What does he mean here by burner accounts? “For the friends who prefer to use burner accounts, I set those up out in the field as well.”

They're most likely referring to setting up "burner" or "dummy" or "fake name/persona" Google accounts which are not tied to anyone's actual name so that the user of the device can still download apps from Google Play Store without it being tied to all the other data collection that google does.

de0u

userofgos Is it known if Google transmits the IMEI immediately after connecting to internet at any stage whether during initial setup-wizard, before Developer options are enabled, or after Developer options are enabled? I would think only the latter right?

Personally I would suspect that it would happen at some not-super-predictable time after the setup wizard has finished. It seems clear that a large portfolio of activities kicks off, such as checking for system updates and APEX component updates, also things like downloading spelling dictionaries. I would suspect checking for unlockability would be part of that portfolio, and it would arguably be easier to include it there than to include code in Settings to do that when developer mode is enabled. But I don't recall anybody reporting exactly when the unlockability check happens.

userofgos

de0u Fair reasoning. If that is the case, then it might make sense of why some users have issues/delays with OEM Unlocking still being greyed out for a longer period of time if they did not connect to internet during the setup-wizard and instead connected to the internet after enabling Developer Options.

« Previous Page