A Marshmallowy CM

We’ve been pretty quiet publicly on the CM13 (Marshmallow) progress, but we’ve been busy bees behind the scenes. Today, we’ve enabled the first wave of devices to receive CM13 nightlies. Now, before you jump head first into flashing these, please take a moment to read the items below – as they will impact your experience.

If you are on CM 12.1 YOG4P or CM 12.1 YOG7D releases, we recommend you stay on course with the SNAPSHOT release channel and not jump to nightlies unless you are willing to accept a dip in quality. Our stable branches are vetted, CTS run and (in some cases) shipped on retail devices – which means the quality of those branches is far and above that of nightlies. We’d advise these folks to stay on the SNAPSHOT train, and we’ll have a quality approved SNAPSHOT for CM13 sometime Jan. If you are on a 12.1 nightly, you can ‘dirty flash’ CM13 …

Read the Rest…

Android Security Bulletin – October 5th update

Google’s monthly security release just hit AOSP code this morning, and as of this post has been merged into CM 12.1 source (Android 5.1.1._r24). Nightlies from today forwards will contain the security fixes identified on the release document.

For our stable release users, we’ll be rolling out an update to the stable CMUpdater channel with this set of fixes this week as well.

-The CyanogenMod Team

PS: Marshmallow source just released, we are syncing and will begin evaluating it. When we have more to share on this, we will publish a separate post.

Expanding the CM device family

Over the past few months, device maintainers new and old have been pushing hard to get support up to par for a wide range of devices. While some flagships (M9/S6/G4, etc) still need more time in the proverbial oven, we’ve seen a large increase in the medium range devices.


Thanks in part to device contributions from Huawei’s team directly, we are now supporting the Honor 4 & 4x (cherry), Ascend Mate 2 (mt2) and Snapto (g620_a2). These devices represent the first set of Huawei devices we’ve supported since CM 7(!) and it’s nice to see the company supporting the community ahead of the rumored Huawei Nexus. We’re expecting good things to come here.


Moto continues to make headway with their budget line – and we’ve now enabled support for both the Moto E (otus) and G (osprey) 2015 variants.


This Chinese OEM has been making waves in Asia. That wave has reached …

Read the Rest…

Releases, Releases, Releases – August 2015

Tapping into my inner Balmer with the post title

We’re queuing up releases across three branches this evening, releasing into the wild CM 11.0-security, 12.0-security and our very first 12.1 release. As always, these releases are being marked as ‘known good’ by their maintainer, and signed-off individually. This means that not every CM device will receive a release – only those marked as ‘Good to go’ by the maintainer.

The 11.0 and 12.0 builds are security releases built on top of the last CM11/12.0 releases, modified to include the recent security disclosures, including the vulnerabilities in Stagefright. Users of the previous 11/12.0 release builds are encouraged to update. Users of 11.0/12.0 weeklies (nightlies) will see no net change, and need not update.

The CM12.1 release marks our first Android 5.1.1 release which brings our IMAP idle support, SDK v1 release and the security fixes mentioned previously.

If you are updating to any of these builds, please pay close …

Read the Rest…

CVE-2015-3833 and you

The past month has been dominated by highly publicized vulnerabilities such as ‘Stagefright’, ‘Certifi-gate’, and ‘Deserialization’, however the August wave of fixes also included many other fixes, one of which in particular we have received a lot of questions/complaints over.

CVE-2015-3833 affects Android 5.0 and higher, and is officially described as follows:

Mitigation bypass of restrictions on getRecentTasks()

A local application can reliably determine the foreground application, circumventing the getRecentTasks() restriction introduced in Android 5.0. This is rated as a moderate severity vulnerability because it can allow a local app to access data normally protected by permissions with a “dangerous” protection level.

This particular patch was merged into CM sources on August 12th. As a result, apps that relied on attaining a list of running processes via the now plugged hole will fail to function properly. This includes (but is not limited to) apps like Greenify, FMR Memory cleaner, Zillow and System Panel [1]. …

Read the Rest…

More Stagefright

The issue described in the the latest publication of Stagefright issues (link) has been patched in source for CM 10.1 -> 12.1. Nightlies for 12.1 beginning tonight (~2hours) will include this fix, in addition to all the other exploits that came as a result of Stagefright and DefCon/Blackhat.

On the topic of 10.1 & 10.2, while these have been patched for this particular series of issues, we do not intend to issue a new release for these branches – the patches are there more so to protect derivative ROMs that use our source as base code.

We will be releasing another stable version of 11.0 and 12.0 (as well as a stable 12.1 release) with all of these fixes (and more) by the end of this month. More on that in a separate post.