Related
The overall goal is to run debian or a linux distribution with LXDE on a Samgsung Galaxy Tab 4 (8", SM-T330NU).
I've been doing some research for a last week but if there are readers who can point out any obvious pitfalls, any constructive feedback will be greatly appreciated.
Please shout out if I'm straying off in a wrong direction or a time wasting dead-end.
Device:
- Samsung Galaxy Tab 4, 8", SM-T330NU.
- Android 4.4.2
- Build number: KOT49H.T330NUUEU1AND4
- SE for Android status: Enforcing
- Knox Enabled device
- Boot loader is locked?
- device has been rooted with CF-AutoRoot, automatic updates disabled.
------------------------------------------------
The story up to now:
Of all the interesting debian install options out there, I'm interested in Sven-Ola's Debian on Android Kit, which allows Debian and Android to run "side-by-side" without chroot.
http://sven-ola.dyndns.org/repo/debian-kit-en.html
-> various Debian on Android options can't install, installer scripts fail, likely due to SELinux status set to Enforcing by Default.
->
Code:
setenforce 0
does not work.
Apparently the stock kernel was compiled with flag
Code:
EXTRA_CFLAGS += -DCONFIG_ALWAYS_ENFORCE=true
which prevents changing the SELinux status.
-> Proceeded to build the kernel from source (http://opensource.samsung.com/) according to online documentation and turn off the flag for enforcing SELinux.
http://graemehill.ca/compiling-permissive-android-kernel/
-> Kernel build was successful. Outputs:
Code:
zImage
and module drivers as
Code:
*.ko
-> I needed to repackage the new kernel into a boot.img to flash to device via ODIN.
Utilities that I found included:
- bootimg_tools_7.8.13.zip from xda forum
http://forum.xda-developers.com/showthread.php?t=2319018
- abootimg (from linux repository)
https://gitorious.org/ac100/abootimg/source/7e127fee6a3981f6b0a50ce9910267cd501e09d4:
- mkbootimg scripts by xiaolu
https://github.com/xiaolu/mkbootimg_tools
- The tools create a
Code:
boot.img
which I've made into a tar and attempted to flash to device.
-> So far, the only BOOT file that successfully downloaded was the one from stock. Any customized ones don't download properly.
-> Customized boot.img attempts results in "
Code:
Cannot do normal boot
" or "
Code:
Unsupported dev_type
" errors on the tablet screen in download mode.
So far I have not bricked the device. In all cases, I was able to re-flash with the stock boot.img and the device still works.
-> after a week of research and trying out different attempts, could it possible that the bootloader is locked?
I see QUALCOMM SECUREBOOT Enabled.
Is it true that new Samsung devices with Android 4.4.2+ come with locked bootloaders?
http://androidforums.com/samsung-galaxy-s4/788644-knox-security-locked-bootloader-new-firmwares.html
----------------------
For those who've read the long story. Thanks
Is the bootloader indeed locked? Is this a real dead-end?
Any suggestions?
I have returned to square-one and started debugging lines in the Debian for Android Kit Installer scripts.
I am able to make baby-steps, altering lines of code to get incrementally closer to a Debian installation, but it will be pointless if userspace programs on Debian don't work in the end.
Can anyone provide insight if Debian on Android is possible on Samgsung Galaxy Tab 4 ?
Thanks,
garrooo said:
The overall goal is to run debian or a linux distribution with LXDE on a Samgsung Galaxy Tab 4 (8", SM-T330NU).
I've been doing some research for a last week but if there are readers who can point out any obvious pitfalls, any constructive feedback will be greatly appreciated.
Please shout out if I'm straying off in a wrong direction or a time wasting dead-end.
Device:
- Samsung Galaxy Tab 4, 8", SM-T330NU.
- Android 4.4.2
- Build number: KOT49H.T330NUUEU1AND4
- SE for Android status: Enforcing
- Knox Enabled device
- Boot loader is locked?
- device has been rooted with CF-AutoRoot, automatic updates disabled.
------------------------------------------------
The story up to now:
Of all the interesting debian install options out there, I'm interested in Sven-Ola's Debian on Android Kit, which allows Debian and Android to run "side-by-side" without chroot.
http://sven-ola.dyndns.org/repo/debian-kit-en.html
-> various Debian on Android options can't install, installer scripts fail, likely due to SELinux status set to Enforcing by Default.
->
Code:
setenforce 0
does not work.
Apparently the stock kernel was compiled with flag
Code:
EXTRA_CFLAGS += -DCONFIG_ALWAYS_ENFORCE=true
which prevents changing the SELinux status.
-> Proceeded to build the kernel from source (http://opensource.samsung.com/) according to online documentation and turn off the flag for enforcing SELinux.
http://graemehill.ca/compiling-permissive-android-kernel/
-> Kernel build was successful. Outputs:
Code:
zImage
and module drivers as
Code:
*.ko
-> I needed to repackage the new kernel into a boot.img to flash to device via ODIN.
Utilities that I found included:
- bootimg_tools_7.8.13.zip from xda forum
http://forum.xda-developers.com/showthread.php?t=2319018
- abootimg (from linux repository)
https://gitorious.org/ac100/abootimg/source/7e127fee6a3981f6b0a50ce9910267cd501e09d4:
- mkbootimg scripts by xiaolu
https://github.com/xiaolu/mkbootimg_tools
- The tools create a
Code:
boot.img
which I've made into a tar and attempted to flash to device.
-> So far, the only BOOT file that successfully downloaded was the one from stock. Any customized ones don't download properly.
-> Customized boot.img attempts results in "
Code:
Cannot do normal boot
" or "
Code:
Unsupported dev_type
" errors on the tablet screen in download mode.
So far I have not bricked the device. In all cases, I was able to re-flash with the stock boot.img and the device still works.
-> after a week of research and trying out different attempts, could it possible that the bootloader is locked?
I see QUALCOMM SECUREBOOT Enabled.
Is it true that new Samsung devices with Android 4.4.2+ come with locked bootloaders?
http://androidforums.com/samsung-galaxy-s4/788644-knox-security-locked-bootloader-new-firmwares.html
----------------------
For those who've read the long story. Thanks
Is the bootloader indeed locked? Is this a real dead-end?
Any suggestions?
I have returned to square-one and started debugging lines in the Debian for Android Kit Installer scripts.
I am able to make baby-steps, altering lines of code to get incrementally closer to a Debian installation, but it will be pointless if userspace programs on Debian don't work in the end.
Can anyone provide insight if Debian on Android is possible on Samgsung Galaxy Tab 4 ?
Thanks,
Click to expand...
Click to collapse
I have the same device - Linux would be cool. What about Ubuntu? You should delete that Knox stuff??
Sent from my SM-T330NU using XDA Free mobile app
debian noroot offers some linux experience on Samsung Galaxy Tab 4
Thanks for your reply, rsktkr1,
I have installed the pelya's "debian no root" app in Google Play Store
It is not exactly what I am looking for, but it is one step closer.
From debugging the installation scripts of Debian on Android Kit, I've been executing the lines of the scripts in shell one by one. It is a good learning experience of learning linux commands. The line that fails is the busybox's "chroot" command, which is used to safely install the linux environment using "debootstrap". The command fails due to security constraints of SELinux=Enforcing.
That got me researching along the lines of chroot and fakechroot.
pelya's "debian no root" works using fakechroot, which doesn't need as many permissions and thus can be deployed on the T330NU with straight forward installation.
(an interesting video is hosted on the google play website as well)
Once the app is installed, it appears to be a Wheezy installation of Debian with a XFCE desktop. The app has some learning curve to it to make it easier to use (not many people have the patience for it, hence the 3.7 star rating at the time of writing).
If you use this app to get a running linux distribution on your Galaxy Tab 4, here are a few things to try:
- back button = onscreen keyboard.
- there are also onscreen buttons for special keys like Alt, Ctrl, etc
- use terminal and apt-get install <packages of your choice; (packages may be named slightly differently than Canonical's/ubuntu's repository)>
I personally got a text editor (leafpad) so that I can write into a text file and save in a known location than to write in Samsung's Memopad that saves to some unknown location on the device.
----------------------------------------------------------------
Plans to come:
- debian noroot is good but has some limitations that affect me: no audio support.
- fakechroot has a few things that aren't supported. I was unable to properly install openjdk and openjre as it still requires some high privileged backend features, unfortunately also blocked by SELinux=Enforcing.
Workarounds in mind:
- get a hold of another ARM-powered android device and unpackage debian by executing the "debootstrap" command on it, maybe onto an SDCard, then insert into my device.
- Cyanogenmods have been known to release custom mods even on top of locked bootloaders. I might wait for that, yet it might be a long while. Developers at Cyanogenmods must have lots of hurdles to overcome.
It's been fun looking at code for ARM processor (armel/armhf), though SELinux and locked devices are restrictive.
For now, I'm happy with running full Lubuntu Linux installation on x86 Acer Iconia.
Here is a tip: Use 'Complete Linux Installer'. It lets you run Debian, Ubuntu with LXDE. Everything works. Has everything you need and has instructions. It should work perfectly in the Tab 4 becuase last time I ran it, it was in my 1st Generation Kindle Fire and it has horrible specs compared to this tab, and it ran fine in the Fire with almost no hiccups
Sent from my SM-T230NU using XDA Free mobile app
2/18 Update:
USB charging and controller works, audio probably works. Here's some update on this project:
Battery
Put C:\DPP and C:\EFIESP back. Nokia's driver reads C:\EFIESP\Battery.json in kernel mode (WTF). If you have NokiaEnergyDriver.sys and other PMIC/PEP/MIPI BIF (on some models) drivers installed, you should get battery show up.
Sign drivers?
Yes. Sign everything to prevent bad things from happening. I used a commercial certificate for conveience , but you don't have to do that. Here's a handy script that generates a self-signed certificate and installs it on your phone: https://gist.github.com/imbushuo/4de89ad18a0f538d8ebd18bf6daca56a
Download it, run it as administrator and specify ImageDir to your phone's partition (in mass storage mode). Then sign all your drivers binaries (and catalogs as well) with the fingerprint provided.
When signing your drivers, remember timpstamp all drivers. DigiCert's help documentation is useful for signing binaries.
Turn off UMCI
See https://forum.xda-developers.com/showpost.php?p=36394268&postcount=222. Set UMCIAuditMode key to allow all desktop applications and UMDF drivers load.
Make USB work
You will need several supplemental drivers from Windows Phone: BattFltr.sys, CAD.sys, ufx01000.sys, ufxsynposys.sys (or ufxchipidea.sys, depends on your chipset). Copy registry keys (HKLM\ControlSet001\Services and HKLM\ControlSet001\Enum\ROOT\CAD / HKLM\ControlSet001\Enum\ROOT\BattFltr) add supplemental WDF registry keys. Some files are attached as attachments, so you can take a look to get some idea about that.
Make Windows Store Apps work on unsupported resolution
See my blog post.
---------
While this project is not totally finished (e.g. No Battery status/charging unknown, no cellular, no audio), I decided to post this thread as many people asked me about the tutorial. This is just a brief tutorial, you need to have plenty of time on this to make this happen. Be careful as some steps are very dangerous.
This tutorial is provided AS-IS, without any implicit or expressed warranties. By reading this brief tutorial, you are agreed that you are taking your own risk trying this. I am not responsible for any possible consequences of installing Windows RT or other non-Windows Phone OS on Lumia phones. If your phone ships with Windows 10 Mobile, then this tutorial might not fit you. You can try drivers from other models, but I have no guarantee on this.
General workflow
- Unlock your phone with WPInternals 2.4
- Enter mass storage mode, copy registry files from MainOS partition
- Copy files from DPP partition
- Download Windows RT 8.1 ISO (publicly available on Internet, Google it)
- Download a Lumia 2520 recovery image for some files (I will post these files later)
- Download a Windows Phone 8.1 firmware for your phone
- Extract drivers, re-assembly INF files
- Patch some drivers (see my note)
- Self-sign some drivers (see my note)
- Make sure you know what you are doing: Delete MainOS and Data partition, create new NTFS partition for Windows RT. Do not touch other partitions.
- Apply system image (dism works fine)
- Copy DPP files back (C:\DPP)
- Modify sysprep tasks (see my note)
- Apply BCD configuration
- Boot
- Let OOBE fail once
- Go to mass storage mode again, mount registry and force OOBE run again
- Have fun
Notes on this project
ACPI
Reading ACPI DSDT table will help you understand your phone architecture. ACPI tables are located in PLAT partition. It is easy to extract them with 7-zip (after converting FFU to VHD). To decompile dsdt.aml, you need to download iASL tool, which is available on Internet.
Certain devices, like touch screen or panel, require other devices have driver loaded and enabled. This is not shown in Qualcomm's ACPI implementation. In my case, I need PEP, PEP 3rd, GPIO, BAM, I2C Device, QMUX, Shared Memory drivers loaded to make touchscreen work. It varies by model.
Re-assembly INF files
Mount SYSTEM registry from your phone or FFU, go to DriverDatabase\DriverPackages\<Some Driver Package>, each key in driver package key matches INF sections respectively. See some driver INF files to get some idea.
Remember to check ControlSet001\Service for additional information if necessary. If you are working on Windows Phone 8.1 firmware, check \Windows\System32\Packages to make sure you've got correct files and registry configs. These files are gzipped.
Patch drivers
Certain drivers read DPP partition for device-specific calibration information. While Qualcomm shares the codebase between Windows RT and Windows Phone, DPP partition is handled differently between platforms. You can search Unicode string "PhoneNT" to determine whether drivers read DPP or not.
To fool drivers think they are living in Windows Phone, you can create another multi-string value in the ProductOptions key. I created a value called "AnotherSuite" and filled "PhoneNT" in. Then I modified all "ProductSuite" Unicode strings in drivers to "AnotherSuite". Remember to re-calculate linker checksum (dependencies) and PE checksum.
This is critical to make wireless (Wi-Fi and Bluetooth) subsystem work.
Graphics
DO NOT use user-mode driver module from WP on Windows RT. The Windows Phone Qualcomm GPU driver does not implement DirectX 9, which is required by Windows desktop. Using WP UM driver will crash DWM.
To correctly enable GPU acceleration, use kernel driver and decoder module from your firmware, and user mode driver from Lumia 2520's recovery image. At least this works on Lumia 640 XL.
Touchscreen
Touchscreen works, however, WP driver reports wrong metric system to Windows RT. To workaround this, modify SYSTEM\TOUCH key, make some value larger than expected. See my value for 640XL in attachment.
Remove some sysprep tasks
Remove BCD and WinRE specialization and generalization tasks from sysprep task definition. OOBE will fail still. Boot to mass storage mode, mount SYSTEM registry, change setup type to 1 (see your current OS for ideas about other values), change program path to oobe\msoobe.exe. You should be able to see normal OOBE then.
BCD and Driver Signing
Test signing should be on. Disabling integrity check is recommended (though documentation says this key is ignored prior to Windows 10). Copy catalogs to the new OS, and self-sign drivers you patched.
Kernel Debugger
To enable WinDbg KD, modify your phone BCD:
Code:
bcdedit /store <Path> /dbgsettings usb TARGETNAME:WOATARGET
bcdedit /store <Path> /set {Your OS GUID} Debug On
Connect your phone to PC, start WinDbg, USB kernel debugging, target name "WOATARGET".
Have fun with Windows RT on Lumia, I am going to continue working on audio and battery
Follow
Ty Imbushuo , GREAT WORK
didnt you forgot to make efiesp guid to a efi partition else bcd cant be updated
Is there a way to patch the kernel or a bypass to avoid SECURITY_SYSTEM BSOD on MSM8960 devices?
Thanks for your work. I hope to get a newer Windows Phone soon and try Win10PE, I'm working on a custom shell that hopefully grants it a good experience on handheld devices since we lack ARMv7 ShellExperiences
J0SH1X said:
didnt you forgot to make efiesp guid to a efi partition else bcd cant be updated
Click to expand...
Click to collapse
Qualcomm's firmware is weird, so I didn't do that. (They hard-coded something) Maybe I will try it later with a dev board and see what will happen.
Fantastic job :good:
Is it possible to enable a second external monitor via Miracast ?
What about bluetooth keyboard and mouse ?
Lumia 950/XL should also support 2x monitors ( DisplayPort/HDMI via USB-C ).
It also has more RAM and might run apps better than L640.
imbushuo said:
Qualcomm's firmware is weird, so I didn't do that. (They hard-coded something) Maybe I will try it later with a dev board and see what will happen.
Click to expand...
Click to collapse
thats weired on my 930 this is NEEDED to get rt to boot but weired enough my 640 lte doesnt boot it at alll but sadly i dont get how to reassamble the inf files (im litterally just comparing my compiled touch driver inf with the registry of my 930)
I can not find the windows rt on the Internet. Can I send the file link download?
imbushuo said:
While this project is not totally finished (e.g. No Battery status/charging unknown, no cellular, no r FFU, go to DriverDatabase\DriverPackages\<Some Driver Package>, each key in driver package key matches INF sections res
Click to expand...
Click to collapse
I use google translate so it's hard to follow, it's great when you have a video tutorial, everything is more intuitive and easy.
INF files Qualcomm ARM-based View attachment Inf.zip
prokakavip said:
I use google translate so it's hard to follow, it's great when you have a video tutorial, everything is more intuitive and easy.
Click to expand...
Click to collapse
If you are an end user I would recommend waiting for WPInternals partition dumps for your device
I knew this solution... so they cant make general Qualcomm drivers never. Device specification is nightmare. Better get a hammer and deepmagic
Thank you for all the effort of going through this and providing the information.
Can somebody whoever upload fixed registry files and drivers? i was able to follow all steps successfully (except these parts) but on first boot i just get a blue screen with a sad smiley.
Also, i assumed you meant applying the install.wim image via DISM from the Windows RT 8.1 ISO.
(For those who need more help with this, Google: "Append, apply, and export volume images with a Windows Image (.wim) file",
i'm not allowed to post links due to post count).
Die Anleitung ist jetzt auch in deutsch verfügbar und hier zu finden:
Windows RT 8.1 auf ein Lumia installieren
WPVision.de said:
Die Anleitung ist jetzt auch in deutsch verfügbar und hier zu finden:
Click to expand...
Click to collapse
I registered and it still said i'm not allowed to visit the forum because i dont have permission.
D-V-D-K said:
I registered and it still said i'm not allowed to visit the forum because i dont have permission.
Click to expand...
Click to collapse
That's correct, because you did not follow the guidelines.
The activation for this area is done manually by your first post.
Samuelgames said:
If you are an end user I would recommend waiting for WPInternals partition dumps for your device
Click to expand...
Click to collapse
Can you upload your partition dumps for 640xl?
Removed. Sorry I was being rash.
spavlin said:
INF files Qualcomm ARM-based View attachment 4410518
Click to expand...
Click to collapse
but theese inffiles arent redone from registry
for example touch driver is missing
imbushuo said:
- Download a Lumia 2520 recovery image for some files (I will post these files later)
Click to expand...
Click to collapse
Use at your own risk!
Some Lumia 2520 Firmware And Driver Update 10. 6. 2014:
Code:
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/03/20623735_d3143757b17f94d00f53dc6f3f4dbdf48c36430e.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/03/20624060_4b5dec4829bf5e013bf5e6c045a4ed9367afe88d.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/03/20624064_70ea6951b8f7c7d72963c38e302356f46642ec85.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/03/20624552_3c10b74a53f010a90539ea1e606f562d65a03082.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/03/20626644_7f0f6945d5e0e19e78b3794490990145b98e2c0c.cab
http://au.ds.download.windowsupdate.com/d/msdownload/update/driver/drvs/2014/04/20639225_555ea122b93d34720513db1b344254a0a69a158c.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/04/20639552_08956ac77c46334650fc675794d58325f279ddbb.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/04/20640693_4d4f789e1349e350324fb7e31b60514ae191cb46.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/04/20642401_1278d3d9f4ae8d1903ec0c6f0861ec9912139b96.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/04/20643591_beca8afddf93a8679f6e875f5abfc44f9395975a.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/04/20643598_4a154479fe2ad83eef04c99e96e44b0e88efce8e.cab
http://au.ds.download.windowsupdate.com/c/msdownload/update/driver/drvs/2014/04/20643814_2d9a86009238af018f92aa76a9be453ef9231424.cab
Some useful links for those reinstalling Windows 10 at any point:
Builds - http://mdluup.ct8.pl
This uses Microsoft's UUP (unified update platform) to fetch specific full builds. Choose from Retail or Insider builds. At the time of writing selecting 17134 from the retail channel will get you the newest non-beta build with minimal Windows Updates following installation. Just specify x64/86/ARM, edition and language.
Using the blue Aria2 button will give you a zip which, on execution, will download and create a usable, full ISO for personal use - despite the use of the words "cumulative update" on-site. Just follow the instructions on screen. All images are compiled using Microsoft's internal imaging utility so they're close to what you'd get with a precompiled MSDN ISO.
MSMG Toolkit - http://m.majorgeeks.com/files/details/msmg_toolkit.html
This provides a frontend for component removal utilizing the official Microsoft DISM utility.
Use of this is straightforward and can remove Apps, Windows Features and components from an ISO.
Tip: Once you've mounted an ISO, open a separate command line and run DISM.exe /Image:<path_to_image_directory> [/Get-ProvisionedAppxPackages to get a full list of Apps in the ISO. Copy and paste the output, placing it in the provided RemoveAppsList.txt, removing any lines you want to keep.
Using install_wim_tweak.exe tool will also get you a full listing of all Windows Packages, most of which can be safely removed with zero side effects. NTLite can be a useful guide but its commercial software, so you won't be able to remove all the components you see listed if you install it.
AIO boot tool - https://www.aioboot.com/en/
This tool creates nifty bootable USB sticks that come in handy for booting anything. I recommend the precompiled WinPE 10 images which allow you to use a Live PE Windows Desktop (I.e. it has a full GUI) from a USB prior to installation. This should alleviate the need for making bootable USBs in future. As it's the same platform used during a conventional booted Windows Setup so you can run the setup once its loaded in, format hard drives, etc. Or actually use it as a desktop, I guess. It has its limitations.
DISM++ - https://www.chuyu.me/en/index.html
Post-install utility, you can thoroughly clean up redundant internal Windows folders, remove Apps, activate popular regedits and whatnot. Very useful.
Blackviper - https://github.com/madbomb122/BlackViperScript
Power shell script that makes running services in Windows slightly more efficient.
If people are interested I'm happy to create a tutorial to making your own properly-serviced Windows ISOs for those who want new builds of Windows with less to none of the Microsoft extras .
So I tried Installing Samsung DeX from Samsungs official website. After installing Samsung DeX and opening it up for the first time I get an error "Android File Transfer can't be used while Samsung DeX is installed on your Mac. To use Android File Transfer, uninstall Samsung DeX." I had already removed and uninstalled Android File Transfer before installing Samsung DeX. I even tried contacting Samsung Customer Care but they are of no help. Can Anyone Please provide a solution?
This is the error I get only after opening the software for the First time
---https://imgur.com/8uKlabO---
System Info
---https://imgur.com/9jtvpdb---
Even after connecting my phone to my Mac this screen stays static. Image provided.
---https://imgur.com/jcXnsAc---
USB Options section of my phone:
---https://imgur.com/sTLWkpZ----
My phones info
---https://imgur.com/9ZYh8Sm---
Since I am a new user I can't use links
The DeX Link is an Note10(+) exclusive atm.
Yes you can make windows completely 100% private as if it was linux.
Ofcourse privacy doesn’t fix zero day security exploits, this guide is about privacy not security.
For a first impression of what a truely optimized windows system looks like check the screenshots below.
Make a backup of your data is always the first thing to do.
➤ 1 Download the official windows iso from microsofts website (The iso NOT the mediacreationtool !!)
If you can’t download the iso install the useragentswitcher browser extension and switch to linux (microsoft's website detects your operatingsystem and doesn't let you download the iso if you are on windows...)
https://microsoft.com/en-us/software-download/windows10ISO
User-Agent Switcher and Manager – Get this Extension for Firefox (en-US)
➤ 2 Download rufus and use it to create a bootable usb drive with the windows iso file you just downloaded
Rufus - Create bootable USB drives the easy way
➤ 3 Use the bootable usb drive to Install windows 10 pro offline
You will have to boot into BIOS mode and change the primary boot device to the usb drive
➤ 4 Use https://privacy.sexy 10 to generate a script that will rip the guts of microsoft out of windows
Use either one of the predefined settings (standard, strict, all) or create your own script via the options.
Be careful when creating your own script, you can break functionality like windows search, to keep functionality only standard and strict are recommended.
➤ 5 Install Device Drivers
If you have an nvidia GPU use NVCleanstall for an installation that will remove MOST of the
integrated driver spyware https://techpowerup.com/download/techpowerup-nvcleanstall/
Install your CPU chipset but DO NOT install intel management engine or AMT vPRO, these are known backdoors so governments can potentialy remotely access your pc.
Intel Desktop Chipsets - Latest Motherboard Desktop and PC Chipsets
https://amd.com/en/support
➤ 6 Install Netframework Offline
Many programs require old netframework version to work, you don't need windows update for that.
To install offline without using windowsupdate you need a copy of the windows iso you previously
downloaded.
Mount the windows iso
Open powershell as administrator
Use this command to install netframework:
Dism /online /enable-feature /featurename:NetFX3 /All /Source:X:\sources\sxs /LimitAccess
Replace Source:X: with whatever the location of your mounted iso is, for example Source:
To find out where your iso is mounted, open the windows explorer, rightklick on the mounted iso and select open file location.
➤ 7 Install Visual Studio Redistributables
Latest supported Visual C++ Redistributable downloads | Microsoft Learn
➤ 8 Install Librewolf WebBrowser (no extensions required, ublockorigin is already preinstalled)
Installation – LibreWolf
Searchengines:
https://search.brave.com
https://searx.work/ Luxembourg (LU)
https://searx.fmac.xyz/ Switzerland (CH)
https://searx.tuxcloud.net/ Czechia (CZ)
https://searx.prvcy.eu/ Finland (FI)
Duckduckgo cannot be trusted anymore since they had a tracking agreement with microsoft.
Don't use startpage search engine or waterfox browser, both have been acquired by an adversting company called System1.
Librewolf is a modified version of firefox for increased privacy and security, while google chrome and microsoft edge collect your entire browsing history and every website you visited.
PS: Opera Browser is now owned by china, delete that if you haven't already.
➤ 9 Use ShutUp10 to modify windows privacy settings
Recommended: Klick on “actions” select “activate all privacy settings”, then manually uncheck what
you need.
Examples: microphone, camera, bluetooth, notifications.
O&O ShutUp10++ – Free antispy tool for Windows 10 and 11
➤ 10 Go Online for the first time, instantly install Portmaster from https://safing.io
Select Quad9 as your DNS server, they are non-profit, unlike most other providers like your internetservicepovider (ISP) are commerical and spy on everything you do on the internet.
Configure portmaster to block all connections by default and only allow what you need. (must have for privacy)
Unlock the systemdnsclient in portmaster otherwise you cannot connect to the internet. (all other windows services can be fully blocked)
Now klick on systemdnsclient and block connections that you don't trust, for example:
go.microsoft.com
ctldl.windowsupdate.com
services.gfe.nvidia.com (block this if using an nvidia GPU, even if you use nvcleanstall)
There should not be many connections to block if you used https://privacy.sexy 10 to cleanup windows.
➤ 11 Install a trusthworthy VPN, for example ProtonVPN or Mullvad (They have a free plan and are based in switzerland)
If you are currently using one of these, nordvpn, expressvpn, surfshark, you're making a big mistake. These providers are known to share your data with advertising companys and law enforcement.
They also use google trackers and analytics, source:
why not to use nordvpn
why not to use surfshark
why not to use expressvpn
why protonvpn is probably much better
Free VPN download for your device | Proton VPN
Obviously as you will do almost all of these steps offline you will have to downloaded all the software beforehand and copy it to an offline drive which you can access without any internet connection.
A usbdrive would be enough.
Software that is generally recommended and you should use because https://privacy.sexy 10 will delete all preinstalled garbage apps.
https://7-zip.org/ (compression software)
https://notepad-plus-plus.org/ 2 (windows notepad on steroids)
Official download of VLC media player, the best Open Source player - VideoLAN (video and photo viewer)
If you wish to delete certain parts of windows or take ownership of them which by default your administratoraccount has no access to, use NSudo which is an extremely powerfull windows admin-tool that lets you take full control over windows.
https://github.com/M2TeamArchived/NSudo/releases/download/6.2/NSudo_6.2.1812.31_All_Binary.zip
Examples of what you should delete with nsudo: (No deleting those won’t break anything, renaming also works)
smartscreen.exe
upfc.exe
Compatibility Telement.exe
CompPkgSrv.exe
mobsync.exe
GameBarPresenceWriter.exe
microsoftedge
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Privacydroid said:
Yes you can make windows completely 100% private as if it was linux.
Ofcourse privacy doesn’t fix zero day security exploits, this guide is about privacy not security.
For a first impression of what a truely optimized windows system looks like check the screenshots below.
Make a backup of your data is always the first thing to do.
➤ 1 Download the official windows iso from microsofts website (The iso NOT the mediacreationtool !!)
If you can’t download the iso install the useragentswitcher browser extension and switch to linux (microsoft's website detects your operatingsystem and doesn't let you download the iso if you are on windows...)
https://microsoft.com/en-us/software-download/windows10ISO
User-Agent Switcher and Manager – Get this Extension for Firefox (en-US)
➤ 2 Download rufus and use it to create a bootable usb drive with the windows iso file you just downloaded
Rufus - Create bootable USB drives the easy way
➤ 3 Use the bootable usb drive to Install windows 10 pro offline
You will have to boot into BIOS mode and change the primary boot device to the usb drive
➤ 4 Use https://privacy.sexy 10 to generate a script that will rip the guts of microsoft out of windows
Use either one of the predefined settings (standard, strict, all) or create your own script via the options.
Be careful when creating your own script, you can break functionality like windows search, to keep functionality only standard and strict are recommended.
➤ 5 Install Device Drivers
If you have an nvidia GPU use NVCleanstall for an installation that will remove MOST of the
integrated driver spyware https://techpowerup.com/download/techpowerup-nvcleanstall/
Install your CPU chipset but DO NOT install intel management engine or AMT vPRO, these are known backdoors so governments can potentialy remotely access your pc.
Intel Desktop Chipsets - Latest Motherboard Desktop and PC Chipsets
https://amd.com/en/support
➤ 6 Install Netframework Offline
Many programs require old netframework version to work, you don't need windows update for that.
To install offline without using windowsupdate you need a copy of the windows iso you previously
downloaded.
Mount the windows iso
Open powershell as administrator
Use this command to install netframework:
Dism /online /enable-feature /featurename:NetFX3 /All /Source:X:\sources\sxs /LimitAccess
Replace Source:X: with whatever the location of your mounted iso is, for example Source:
To find out where your iso is mounted, open the windows explorer, rightklick on the mounted iso and select open file location.
➤ 7 Install Visual Studio Redistributables
Latest supported Visual C++ Redistributable downloads | Microsoft Learn
➤ 8 Install Librewolf WebBrowser (no extensions required, ublockorigin is already preinstalled)
Installation – LibreWolf
Searchengines:
https://search.brave.com
https://swisscows.com
https://searx.work/ Luxembourg (LU)
https://searx.fmac.xyz/ Switzerland (CH)
https://searx.tuxcloud.net/ Czechia (CZ)
https://searx.prvcy.eu/ Finland (FI)
Duckduckgo cannot be trusted anymore since they had a secret tracking agreement with microsoft.
Don't use startpage search engine or waterfox browser, both have been acquired by an adversting company called System1.
Librewolf is a modified version of firefox for increased privacy and security, while google chrome and microsoft edge collect your entire browsing history and every website you visited.
PS: Opera Browser is now owned by china, delete that if you haven't already.
➤ 9 Use ShutUp10 to modify windows privacy settings
Recommended: Klick on “actions” select “activate all privacy settings”, then manually uncheck what
you need.
Examples: microphone, camera, bluetooth, notifications.
O&O ShutUp10++ – Free antispy tool for Windows 10 and 11
➤ 10 Go Online for the first time, instantly install Portmaster from https://safing.io
Select Quad9 as your DNS server, they are non-profit, unlike most other providers like your internetservicepovider (ISP) are commerical and spy on everything you do on the internet.
Configure portmaster to block all connections by default and only allow what you need. (must have for privacy)
Unlock the systemdnsclient in portmaster otherwise you cannot connect to the internet. (all other windows services can be fully blocked)
Now klick on systemdnsclient and block connections that you don't trust, for example:
go.microsoft.com
ctldl.windowsupdate.com
services.gfe.nvidia.com (block this if using an nvidia GPU, even if you use nvcleanstall)
There should not be many connections to block if you used https://privacy.sexy 10 to cleanup windows.
➤ 11 Install a trusthworthy VPN, for example ProtonVPN (They have a free plan and are based in switzerland)
If you are currently using one of these, nordvpn, expressvpn, surfshark, you're making a big mistake. These providers are known to share your data with advertising companys and law enforcement.
They also use google trackers and analytics, source:
why not to use nordvpn
why not to use surfshark
why not to use expressvpn
why protonvpn is probably much better
Free VPN download for your device | Proton VPN
Obviously as you will do almost all of these steps offline you will have to downloaded all the software beforehand and copy it to an offline drive which you can access without any internet connection.
A usbdrive would be enough.
Software that is generally recommended and you should use because https://privacy.sexy 10 will delete all preinstalled garbage apps.
https://7-zip.org/ (compression software)
https://notepad-plus-plus.org/ 2 (windows notepad on steroids)
Official download of VLC media player, the best Open Source player - VideoLAN (video and photo viewer)
If you wish to delete certain parts of windows or take ownership of them which by default your administratoraccount has no access to, use NSudo which is an extremely powerfull windows admin-tool that lets you take full control over windows.
https://github.com/M2TeamArchived/NSudo/releases/download/6.2/NSudo_6.2.1812.31_All_Binary.zip
Examples of what you should delete with nsudo: (No deleting those won’t break anything, renaming also works)
smartscreen.exe
upfc.exe
Compatibility Telement.exe
CompPkgSrv.exe
mobsync.exe
GameBarPresenceWriter.exe
microsoftedge
View attachment 5890115
View attachment 5890117
View attachment 5890119
Click to expand...
Click to collapse
I don't use Windows, only Linux, but I thought this looked interesting. The bloatware decreases are crazy. Do you think this would work running in VirtualBox (I know VBox is proprietary, but at least cut down on how much spyware is on Windows)? The only time I do use Windows is on Linux to flash phones with Odin like this.
ethical_haquer said:
I don't use Windows, only Linux, but I thought this looked interesting. The bloatware decreases are crazy. Do you think this would work running in VirtualBox (I know VBox is proprietary, but at least cut down on how much spyware is on Windows)? The only time I do use Windows is on Linux to flash phones with Odin like this.
Click to expand...
Click to collapse
Yes the same steps described here work with virtualbox.
Odin should work offline, so you can disable the checkmark "networkadapter" in virtualbox to cut the entire os from accessing the internet.
Or you could install portmaster to block microsoft from spying on your vm.
As described above there's a setting to block all connections by default, use that and only allow programs to access the network that you trust or need.
All in all, debloating is great for performance and privacy, but if you are just after privacy then portmaster should be the only thing you need (simplewall is another great option and they can be used together), ps: portmaster also supports linux.
Privacydroid said:
Yes the same steps described here work with virtualbox.
Odin should work offline, so you can disable the checkmark "networkadapter" in virtualbox to cut the entire os from accessing the internet.
Or you could install portmaster to block microsoft from spying on your vm.
As described above there's a setting to block all connections by default, use that and only allow programs to access the network that you trust or need.
All in all, debloating is great for performance and privacy, but if you are just after privacy then portmaster should be the only thing you need (simplewall is another great option and they can be used together), ps: portmaster also supports linux.
Click to expand...
Click to collapse
Yes, I just installed PortMaster and it's amazing. Thanks!
Bumping this so more people will see and benefit from it.
Needless to say ANY windows users should install portmaster from safing.io, a must have.
Privacydroid said:
Bumping this so more people will see and benefit from it.
Needless to say ANY windows users should install portmaster from safing.io, a must have.
Click to expand...
Click to collapse
Perhaps I should make tutorial on switching from Windows to Linux as well. Although I'm probably not the best for that, seeing as how I haven't used Windows. Oh well.