Pixel 4a (5G), Pixel 5 and Pixel 5a are end-of-life and shouldn't be used anymore due to lack of security patches for firmware and drivers. We provide extended support for harm reduction.

Tags:

  • 2024091700-redfin (Pixel 4a (5G), Pixel 5)
  • 2024091700 (Pixel 5a, Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, emulator, generic, other targets)
  • 2024091700-caimito (Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold)

Changes since the 2024090400 release:

  • Sandboxed Google Play compatibility layer: handle the updated client dynamite module initialization sequence
  • extend standard Android eBPF filter to prevent apps sending multicast packets outside of the VPN tunnel either directly or separately via kernel-generated multicast traffic (IGMP, MLD) when leak blocking is enabled
  • add netfilter-based multicast firewall only permitting sending multicast packets to permitted interfaces for the process to prevent apps sending multicast packets through a disallowed interface such as a VPN tunnel for another profile
  • exclude com.android.rkpdapp from backup/restore to avoid breaking key provisioning for hardware key attestation including for Auditor (users can clear RemoteProvisioner system app data via Settings if they restored data for it and have this issue)
  • Pixel 9 Pro Fold: temporarily manually add resource overlays from the stock Pixel OS that adevtool doesn't yet handle automatically, to use the correct layout for quick settings, status bar, etc. and to provide the split folded/unfolded auto-rotate settings (this will be replaced by adevtool improvements before the end of the month since we'll need it for more resources in Android 15)
  • hardened_malloc: fix microdroid virtual machine compatibility by using armv8a+dotprod+memtag when enabling memory tagging instead of armv9+memtag
  • init: disable auto-reboot setup for microdroid virtual machines
  • expat: backport patches for CVE-2024-28757, CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492 (none of these is exploitable on official GrapheneOS: the DoS bug involves a feature Android doesn't use, the integer overflows require a 32-bit size_t, which is never going to be the case because the code is only used in 64-bit processes, and the negative parameter API issue requires a usage pattern Android doesn't use; the integer overflows would be exploitable on an official build for a 32-bit device or a 64-bit device still partially using 32-bit drivers)
  • kernel (5.10): update to latest GKI LTS branch revision including update to 5.10.225
  • kernel (5.15): update to latest GKI LTS branch revision including update to 5.15.165
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.104
  • kernel (6.6): update to latest GKI LTS branch revision including update to 6.6.51
  • TalkBack (screen reader): update dependencies
  • Vanadium: update to version 128.0.6613.127.0
  • Vanadium: update to version 128.0.6613.146.0
  • Vanadium: update to version 129.0.6668.54.0
  • App Store: update to version 25
  • Auditor: update to version 85
  • Info: update to version 4
  • GmsCompatConfig: update to version 136
  • GmsCompatConfig: update to version 137
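The expat entry above rests on the width of size_t. The following C sketch is an added illustration, not code from expat or GrapheneOS: it models an allocation size computed from an int-typed element count at 32-bit and 64-bit widths, next to a checked version. `ELEM_SIZE`, the function names and the sample count are assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical element size standing in for a parser-internal struct. */
#define ELEM_SIZE 24u

/* Size as a 32-bit size_t would compute it: the product wraps modulo 2^32. */
static uint32_t alloc_size_32(int count) { return (uint32_t)count * ELEM_SIZE; }

/* Size as a 64-bit size_t would compute it: an int count cannot wrap it. */
static uint64_t alloc_size_64(int count) { return (uint64_t)count * ELEM_SIZE; }

/* Checked form: rejects negative counts and products above size_max
 * (the SIZE_MAX of the modelled platform) instead of wrapping. */
static bool checked_alloc_size(int count, uint64_t elem_size,
                               uint64_t size_max, uint64_t *out)
{
    if (count < 0 || elem_size == 0)
        return false;
    if ((uint64_t)count > size_max / elem_size)
        return false;
    *out = (uint64_t)count * elem_size;
    return true;
}

int main(void)
{
    int count = 178956971; /* constructed: smallest count where 24 * count > 2^32 */
    uint64_t sz = 0;

    printf("32-bit size_t: %u bytes requested\n", (unsigned)alloc_size_32(count));
    printf("64-bit size_t: %llu bytes requested\n",
           (unsigned long long)alloc_size_64(count));
    printf("checked, 32-bit limit: %s\n",
           checked_alloc_size(count, ELEM_SIZE, UINT32_MAX, &sz) ? "ok" : "rejected");
    printf("checked, 64-bit limit: %s\n",
           checked_alloc_size(INT_MAX, ELEM_SIZE, UINT64_MAX, &sz) ? "ok" : "rejected");
    return 0;
}
```

With a 32-bit size_t the requested size wraps to a few bytes while the count stays large, which is why the entry treats 32-bit builds differently from 64-bit processes.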