Installing DivestOS 19.1 on an Essential PH‑1 (mata)

Keeping a perfectly functional phone in service, with strong privacy and security to boot.

Preparation

A word on ADB and fastboot

  • The included USB C–C cable does not work for fastboot. You will need to try your luck with third-party cables (USB A–C or USB C–C).
  • To get ADB and fastboot, use your package manager to install android-tools or download the SDK platform tools from the Android Developers site. Your fastboot version must be 31.0.2 or newer to work with mata (legacy A/B support required).
  • Install android-udev-rules through your package manager (if available) or manually from the Git repo to avoid the “no permissions” error and needing to run ADB and fastboot as root.
  • Mata has a quirk where fastboot commands sometimes hang. If you experience this, use the volume keys to scroll to “Restart bootloader” and press the power button to select. Then immediately rerun the intended fastboot command — it will succeed as soon as the bootloader finishes restarting. This workaround has been 100% consistent in my testing (when using a compatible cable).

Downloads

Download the following:

Verify each of the downloads — we want to be extra cautious to minimize the risk of bricking and other issues. Hashes for the stock ROM are posted on XDA by DivestOS maintainer SkewedZeppelin and the download site. Adjust filenames accordingly:

$ gpg --import divestos_signing.key
gpg: key 7F627E920F316994: public key "DivestOS Release Signing (2020 #1) <support+releasesigning@divestos.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --verify divested-19.1-20220601-dos-mata-fastboot.zip.sha512sum
gpg: Signature made Wed 01 Jun 2022 02:30:58 AM UTC
gpg:                using EDDSA key B8744D67F9F1E14E145DFD8E7F627E920F316994
gpg: Good signature from "DivestOS Release Signing (2020 #1) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B874 4D67 F9F1 E14E 145D  FD8E 7F62 7E92 0F31 6994

$ sha512sum -c divested*sha512sum
divested-19.1-20220601-dos-mata-fastboot.zip: OK
sha512sum: WARNING: 10 lines are improperly formatted

$ echo 'a9d979fdde4b2b59ff9c0c1256f440b4d5250242179648494a9b641ca75b4911cae666b6197162b6a93009b94cdc07f9f04df2bd0a72e819db09f7392f60ddde' 'PH1-Images-QQ1A.200105.032.zip' | sha512sum -c
PH1-Images-QQ1A.200105.032.zip: OK

$ echo '3b02ec475e8ae567f709e7cdfef1316f177a30f4bf797ab44e372735375f2ace' 'PH1-Images-QQ1A.200105.032.zip' | sha256sum -c
PH1-Images-QQ1A.200105.032.zip: OK

Unlocking the bootloader

Go to Settings > About phone, and tap Build number 7 times to unlock developer options. In the developer options (under “System”), enable OEM unlocking. Then restart the device while holding the volume down key to access the bootloader, and connect to the PC with the USB cable.

Run fastboot flashing unlock. If you get a Device already : unlocked! error, simply move on to the next command. Otherwise choose Yes and wait for the phone to finish restarting, then restart into the bootloader once again.

Run fastboot flashing unlock_critical. If you get a Device already : unlocked! error, you are done. Otherwise choose Yes and wait for the phone to finish restarting.

Back to stock

Extract PH1-Images-QQ1A.200105.032.zip and change directory into the extracted folder.

To work around mata’s fastboot quirk, add a redundant fastboot flash command to the beginning of flashall.sh:

#!/bin/bash
fastboot flash boot_a boot.img
fastboot flash nvdef_a nvdef.img
fastboot flash nvdef_b nvdef.img
fastboot flash boot_a boot.img
…

Save and exit. Run flashall.sh and restart the bootloader if necessary:

$ cd PH1-Images-QQ1A.200105.032/

$ ./flashall.sh
Sending 'boot_a' (23885 KB)                        OKAY [  0.185s]
Writing 'boot_a'                                   OKAY [  0.310s]
Finished. Total time: 0.515s
Sending 'nvdef_a' (310 KB)                         OKAY [  0.088s]
…
Writing 'userdata'                                 OKAY [  0.057s]
Finished. Total time: 0.293s
Rebooting                                          OKAY [  0.000s]
Finished. Total time: 0.050s

The phone will reboot into the OS at this point.

Installing DivestOS

Restart into the bootloader and push the fastboot.zip, restarting the bootloader and rerunning the command if necessary:

$ fastboot update divested-19.1-20220601-dos-mata-fastboot.zip
--------------------------------------------
Bootloader Version...: mata-34cc3f5
Baseband Version.....: 2.0.c4-M2.0.10
Serial Number........: XXXXXXXXXXXXXXXX
--------------------------------------------
extracting android-info.txt (0 MB) to RAM...
Checking 'product'                                 OKAY [  0.000s]
…
archive does not contain 'vendor_other.img'
Rebooting                                          OKAY [  0.000s]
Finished. Total time: 29.959s

The phone will reboot twice before showing an error “Can’t load Android system. Your data may be corrupt…” Use the volume keys to highlight Factory data reset and press the power key to select. Confirm by selecting Format data on the next screen. The phone will reboot into DivestOS.

Proceed through the setup wizard. Avoid setting up personal data and settings at this stage because user data will be wiped again, but it is necessary to connect to the internet via WiFi or mobile data. Go to Settings > System > Updater and download the latest DivestOS version available. Install it after the download finishes, then finally reboot.

Relocking the bootloader

Before relocking, verify that all functionality works properly: touch, brightness, WiFi, Bluetooth, GPS, camera, microphone, rotation, fingerprint, etc.

Restart into the bootloader. Run fastboot flashing lock and choose Yes. Upon reboot, press the power key to pause boot when directed, and compare the displayed cryptographic ID against the published verified boot hash. It may require multiple boots to compare the full hash.

Restart into the bootloader once last time. Run fastboot flashing lock_critical and choose Yes.

Post-installation notes

  • Activate developer options by tapping Build number 7 times in Settings > About phone. In the developer options:
    • Do not disable OEM unlocking. This is an important precaution for recovering from a bricked state (since the recovery is broken).
    • Disable USB debugging (ADB) unless in active use.
    • The developer options menu can be turned off if desired. The settings themselves will be preserved.
  • Under Settings > Security:
    • Enable Auto reboot to fully encrypt user data and disable fingerprint unlock after a configurable period of inactivity.
    • Enable secure app spawning.
  • In Settings > About phone, change the device name to a random string. This will be visible to all connected networks.
    • Change the device name in the Bluetooth settings as well. This will be visible to all nearby Bluetooth devices when in pairing mode.
  • Under Settings > Privacy > Trust, change Restrict USB to deny or only allow when unlocked.
  • Choose a specific provider for Private DNS or turn it off entirely.
    • If you wish to use it, I recommend Quad9. Alternatively, NextDNS offers customizable filterlists.
    • Nebulo offers a much more robust filterlist and encrypted DNS implementation using the VPN slot.
  • Enable Seedvault backup.
  • Disable Extend compatibility in the WiFi hotspot settings unless you need 2.4 GHz support.
  • Use Neo Store (formerly Droid‑ify) to download and seamlessly update F‑Droid apps.
  • Install and run AirGuard if daily‑driving the device. (Why?)
  • Set up FindMyDevice and/or Wasted for remotely locating, locking, and wiping the device.
  • Use Shelter or separate user profiles to isolate untrusted apps.
  • Use the GrapheneOS app store to reinstall the Camera app (for seamless updates) and install the GrapheneOS PDF Viewer.

See also