Connecting GrapheneOS phone to Qubes

Hi,

TL;DR: How to connect a smartphone (running GrapheneOS) to a Qube?

I have just bought a Google Pixel 4a where I have installed GrapheneOS.
NB: The device undergoes some disconnect during the flashing so I used Tails instead of Qubes for that part.

Steps to reproduce

0. sys-usb and the GrapheneOS VM use fedora-32 and kernel 5.4.88-1:

user@grapheneos:~$ uname -r
5.4.88-1.qubes.x86_64
user@grapheneos:~$

[user@sys-usb ~]$ uname -r
5.4.88-1.qubes.x86_64
[user@sys-usb ~]$ 

1. Plug smartphone into computer

2. Configure the smartphone’s USB preferences:

  • “USB controlled by” → “This device” (“Connected device” does not work)

  • “Use USB for” → “File Transfer”

    As a result, dmesg on sys-usb displays:

    [ 1102.232648] usb 5-3: USB disconnect, device number 5
    [ 1103.041929] usb 5-3: new SuperSpeed Gen 1 USB device number 6 using xhci_hcd
    [ 1103.065857] usb 5-3: New USB device found, idVendor=18d1, idProduct=4ee1, bcdDevice= 4.40
    [ 1103.065874] usb 5-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
    [ 1103.065887] usb 5-3: Product: Pixel 4a
    [ 1103.065895] usb 5-3: Manufacturer: Google
    [ 1103.065903] usb 5-3: SerialNumber: [redacted]

3. Attach phone to the GrapheneOS VM.

  • dmesg on sys-usb then displays:

    [ 1351.611334] usbip-host 5-3: usbip-host: register new device (bus 5 dev 6)
    [ 1351.618832] usbip-host 5-3: stub up
    
  • dmesg on the VM “GrapheneOS” then displays (grepping out the audit lines):

    [  692.349009] vhci_hcd vhci_hcd.0: pdev(0) rhport(0) sockfd(0)
    [  692.349022] vhci_hcd vhci_hcd.0: devid(327686) speed(5) speed_str(super-speed)
    [  692.568223] usb 2-1: SetAddress Request (3) to port 0
    [  692.568236] usb 2-1: new SuperSpeed Gen 1 USB device number 3 using vhci_hcd
    [  692.592526] usb 2-1: New USB device found, idVendor=18d1, idProduct=4ee1, bcdDevice= 4.40
    [  692.592539] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
    [  692.592549] usb 2-1: Product: Pixel 4a
    [  692.592554] usb 2-1: Manufacturer: Google
    [  692.592560] usb 2-1: SerialNumber: [redacted]
    

So far, so good. At least, it looks so…

4. Open Nautilus on GrapheneOS VM

dmesg on GrapheneOS displays:

[ 1068.813287] blkfront: xvdd: empty flush op failed
[ 1068.813300] blkfront: xvdd: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled;

Is this related to the subsequent (lack of) connection problem? I don’t know and Google is not that helpful.

5. Click on “Pixel 4a” in Nautilus

  • Nautilus displays the error: 'Unable to access “Pixel 4a” / Unable to open MTP device “002,003” '.

  • dmesg in sys-usb displays:

    [ 2117.531511] usbip-host 5-3: unlinked by a call to usb_unlink_urb()
    
  • dmesg in GrapheneOS displays:

    [ 1458.260452] vhci_hcd: unlink->seqnum 30
    [ 1458.260492] vhci_hcd: urb->status -104
    [ 1459.150325] usb usb2-port1: Cannot enable. Maybe the USB cable is bad?
    [ 1460.038548] usb usb2-port1: Cannot enable. Maybe the USB cable is bad?
    [ 1460.926233] usb usb2-port1: Cannot enable. Maybe the USB cable is bad?
    [ 1461.814302] usb usb2-port1: Cannot enable. Maybe the USB cable is bad?
    [ 1461.815597] usb 2-1: USB disconnect, device number 3
    [ 1462.710238] usb usb2-port1: Cannot enable. Maybe the USB cable is bad?
    [ 1463.598278] usb usb2-port1: Cannot enable. Maybe the USB cable is bad?
    [ 1463.598351] usb usb2-port1: attempt power cycle
    [ 1464.798278] usb usb2-port1: Cannot enable. Maybe the USB cable is bad?
    [ 1465.686291] usb usb2-port1: Cannot enable. Maybe the USB cable is bad?
    [ 1465.686376] usb usb2-port1: unable to enumerate USB device
    

What I have tried so far

  • My smartphone connects easily on the Windows Explorer of my brother’s laptop.
  • debian-10:
    • on both sys-usb and GrapheneOS
    • with kernel 4.19.94-1 and 5.4.88-1
    • apt install gmtp (under kernel 5.4.88-1)
  • fedora-32:
    • on both sys-usb and GrapheneOS
    • with kernel 5.4.88-1 (the logs here above) and kernel 5.10.8-1.qubes.x86_64

Any ideas to move forward would be greatly appreciated! Thank you!!

2 Likes
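An added example, not part of the original post: a small parser for the VM-side dmesg output quoted above. It decodes the usbip `devid` back to the backend's bus and device number (327686 is bus 5, device 6, matching the sys-usb log) and names the URB status code. The function name `summarize`, the errno table and the `(bus << 16) | dev` encoding are assumptions based on the Linux usbip driver, not something stated in the thread.

```python
import re

# Constructed sample: a subset of the VM-side dmesg lines quoted in the post above.
SAMPLE = """\
[  692.349022] vhci_hcd vhci_hcd.0: devid(327686) speed(5) speed_str(super-speed)
[  692.592526] usb 2-1: New USB device found, idVendor=18d1, idProduct=4ee1, bcdDevice= 4.40
[ 1458.260452] vhci_hcd: unlink->seqnum 30
[ 1458.260492] vhci_hcd: urb->status -104
[ 1459.150325] usb usb2-port1: Cannot enable. Maybe the USB cable is bad?
[ 1460.038548] usb usb2-port1: Cannot enable. Maybe the USB cable is bad?
[ 1461.815597] usb 2-1: USB disconnect, device number 3
[ 1463.598351] usb usb2-port1: attempt power cycle
[ 1465.686376] usb usb2-port1: unable to enumerate USB device
"""

# Linux errno values that can show up as a URB status (hard-coded assumption).
LINUX_ERRNO = {2: "ENOENT", 32: "EPIPE", 71: "EPROTO",
               104: "ECONNRESET", 108: "ESHUTDOWN", 110: "ETIMEDOUT"}

PATTERNS = {
    "devid": re.compile(r"vhci_hcd .*devid\((\d+)\)"),
    "ids": re.compile(r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})"),
    "status": re.compile(r"vhci_hcd: urb->status (-?\d+)"),
}

def summarize(dmesg_text):
    """Summarise one usbip attach/fail cycle from VM-side dmesg text."""
    out = {"host_bus_dev": None, "usb_id": None, "urb_error": None,
           "enable_retries": 0, "enumeration_failed": False}
    for line in dmesg_text.splitlines():
        if m := PATTERNS["devid"].search(line):
            devid = int(m.group(1))
            # usbip packs the backend's bus and device number into devid.
            out["host_bus_dev"] = (devid >> 16, devid & 0xFFFF)
        elif m := PATTERNS["ids"].search(line):
            out["usb_id"] = f"{m.group(1)}:{m.group(2)}"
        elif m := PATTERNS["status"].search(line):
            code = abs(int(m.group(1)))
            out["urb_error"] = LINUX_ERRNO.get(code, f"errno {code}")
        elif "Cannot enable" in line:
            out["enable_retries"] += 1
        elif "unable to enumerate USB device" in line:
            out["enumeration_failed"] = True
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample, the decoded status is ECONNRESET, which follows the unlink logged one line earlier; the “Maybe the USB cable is bad?” lines are the virtual hub's retries after that, not a cable diagnosis.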

Sounds like “Android MTP attach fails” (Issue #6330, QubesOS/qubes-issues on GitHub).

1 Like

NB: The device undergoes some disconnect during the flashing so I used Tails instead of Qubes for that part.

This is expected as the passthrough is broken when the phone reboots. FWIW, you should be able to work around this by assigning your usb controller to the vm where the flashing occurs.

1 Like

Alternatively, one can do everything with the phone in the sys-usb qube. It should even be more secure if the qube is disposable.

1 Like

Thanks, I hadn’t seen that one!
Good that an issue is already open.

This will be a perfect workaround for my usage. Thanks!

I’ll try this one as well as an alternative to using disp-sys-usb.
Thanks for suggesting!

2 Likes

Hi, I read through the posts because I am facing a similar issue. The solution of making a disposable VM and adding the USB controllers was great; however, when I tried it, the device wasn’t recognized because it didn’t show up under the device manager icon. I added all USB controllers, changed the VM to HVM, made it disposable, changed the OS to Debian, added the firewall network and closed the sys-usb-vm. But the device didn’t appear. Is there another config I am missing? Or must I create another sys-usb-vm in addition to the mobile-VM? Thanks,

You don’t need the Device Manager if you connected all USB hubs to sys-usb and you are working in sys-usb with them. All connected devices should work in this qube just like they work on a Linux OS.

Adding some additional notes:

  1. Use the platform-tools distributed by Google, don’t rely on your package manager for adb/fastboot.

  2. My observation is that any low-level flashing with a phone can’t be done through Qubes USB attachment procedures, as there are many reboots involved (going from adb mode to bootloader/fastboot, flashing partitions and such), which USB proxying just does not have the capabilities to reliably handle. See this related comment on Issue #2022.

1 Like

Hi, I checked it again and noticed that it does show up. However, I am still getting device error messages when I try to connect the device to Android Flash Tool. The connection issue is partly due to some configuring I tried to accomplish previously.
Your proposed setup recognizes the device when I close the previous sys-usb and use the new sys-usb-android; however, the sys-usb-android will not open a Google browser application, which is required to flash the OS. I’ll probably have more to say in a few days about the ideal VM config.

Nice, I’ll add the suggested code to the sys-usb-android and see what occurs.

(modified the title to better reflect the issue at hand)