CyanogenMod 11 on Nexus 5

LG Nexus 5 is a powerful mobile phone and stock version of Android has nearly everything. Nevertheless CyanogenMod 11 M9 (or newer), based on Android 4.4.4 (KitKat), can improve the experience, security, and customization even further.

Preparation

Requirements

• LG Nexus 5 (Google/LG D820/D821, hammerhead)
• micro USB cable
• backup your data (contacts, calendar, photos, videos…)
• turn off phone encryption (if you enabled it, as it causes problems)
• working adb and fastboot from Android SDK Tools

Download

• Android SDK Tools and Platform-tools
• ClockworkMod Recovery 6.0.4.5 (or TWRP Recovery 2.8.7.0 or newer) for LG Nexus 5
• CyanogenMod 11 M9 (or newer) snapshot for LG Nexus 5
• Google Apps for CM 11

Installation

Installing CyanogenMod 11 on LG Nexus 5 is straightforward as there is actually no need to exploit a security hole in the system. There is also no need to create backup images of your original stock Android, as all factory versions are officially available.

For a thorough description see the usual CyanogenMod 11 installation instructions, but the following steps should be sufficient.

Unlocking

Reboot into the bootloader using USB (alternatively volume up + volume down + power) and unlock the bootloader:

$ adb reboot bootloader
$ fastboot oem unlock

In case of permission problems, run commands as root and enable USB debugging on the device. On success an unlocked icon will appear at the bottom of the Google boot screen during reboots.

Recovery console

Again reboot into the bootloader (as before) and flash previously downloaded advanced recovery console ClockworkMod Recovery (or TWRP Recovery):

$ adb reboot bootloader
$ fastboot flash recovery recovery-clockwork-6.0.4.5-hammerhead.img

Wait for the flashing procedure to complete.

Install CyanogenMod

Reboot into the recovery using USB (alternatively volume up + volume down + power, navigate with volume up/down, and confirm using power button):

$ adb reboot recovery

In ClockworkMod Recovery select wipe data/factory reset (navigate with volume up/down, and confirm using power button). Repeat procedure for wipe cache partition. In case of problems with encryption also navigate to mounts and storage and format /data.

Afterwards transfer and install previously downloaded CyanogenMod 11 package by selecting install zip and using the install zip from sideload method. Transfer the package over USB with:

$ adb sideload cm-11-20140805-SNAPSHOT-M9-hammerhead.zip

Wait for the flashing and installation to complete. The procedure is complete if there were no fatal error messages and you regained control over the menu on top.

Install Google Apps

As CyanogenMod 11 comes without any apps from Google (especially without Google Play Store) it is recommended to install them too.

Again reboot into the recovery (if not there yet) and install previously downloaded Google Apps for CM 11 by selecting install zip and using the install zip from sideload method:

$ adb reboot recovery
$ adb sideload gapps-kk-20140606-signed.zip

Setup wizard

Once the installation has finished, you can select reboot system now and wait for it to boot the first time (takes a few minutes).

A setup wizard will appear and it is recommended to not setup a Google account yet, as it can not be configured in detail here and it initiates syncing and restoration procedures.

Security

Encrypt phone

Newest Android phones also support a full-device encryption feature to prevent potential thieves from accessing your data. Note that encryption decreases the performance a little and is one-way only (factory reset to turn it off).

Unfortunately by default the boot-time encryption password is linked with your lock screen PIN or password (other options are unavailable), which may be inconvenient if you are used to an unlock pattern. Nevertheless it is possible to manually enable encryption independent of your lock screen.

For this first open Settings/Lock screen/Screen security and setup your preferred Screen lock method (such as Pattern). Choose a good pattern as it is not trivial to change it later on.

Than enable encryption independently on a rooted system through the terminal (choose a long secure password). In case you are using USB you will need to temporarily enable Settings/Superuser/Root access to Apps and ADB to gain root privileges (turn it off afterwards):

$ adb shell
$ su
$ vdc cryptfs enablecrypto inplace [password]

After a few seconds your Android device will reboot and begin with the encryption process (takes around 30 min). On completion your system will reboot and now you will only need to enter the chosen password once for each reboot.

Firewall

Install AFWall+ (Android Firewall +) and allow superuser access forever. It is recommended to enable the following Preferences:

• check Enable notifications
• check Active Rules
• check LAN Control
• check IPv6 support (in case of problems copy systems ip6tables to app directory)
• check Confirm box on AFWall+ disable (to prevent accidentally disabling)
• check Enable Firewall Logs

Do not forget to Enable firewall and Apply. Now use apps normally and check logs if any app has internet connection issues (than enable access).

Note that CM Updater does not work with CWM 6.0.4.5 therefore there is no need to allow internet access for Settings and CM Updater.

In case Miracast display functionality is not working, you may need to use the following custom startup script:

$IPTABLES -A "droidwall-wifi" -p udp --destination 224.0.0.0/16 -j RETURN
$IPTABLES -A "droidwall-lan" -p udp -j RETURN
$IPTABLES -A "droidwall-input" -p udp --source 192.168.0.0/16 -j RETURN

Install and update

You will probably want to setup Google Play Store to enable simple installation and updating of apps.

Apps you really want to install:

• AFWall+ (Android Firewall +)
• LostNet NoRoot Firewall (interesting alternative)
• Google Camera
• Titanium Backup

Also check settings of apps:

• Google Play Store - in Settings: disable auto-update apps
• YouTube - in Settings/General: turn off Improve YouTube, check Limit mobile data usage
• Hangouts - turn off Improve
• Google+
• Google Maps - turn off Shake to send feedback
• Phone - in Settings/Advanced: turn off Call lookup (turn off Caller ID by Google, turn off Nearby places)
• Google Translate - in Settings/Data usage: turn off Prefer network text-to-speach, turn off Improve camera input

Privacy settings

Many security and privacy options are available and you may want to check them out under Settings:

• Data usage: set mobile data limit, enable show Wi-Fi usage
• Mobile networks/Access Point Names/Internet APN: remove proxy setting
• Wireless & networks/More…/NFC: turn off
• Wireless & networks/More…/Tethering & portable hotspot: setup Wi-Fi hotspot name and password
• Display & lights/Cast screen: turn off
• Location/Google Location Reporting: turn off for all Google accounts
• Security/Owner info: set to something sensible
• Security/Set up SIM card lock: lock SIM card
• Security/Make passwords visible: uncheck
• Privacy/Privacy Guard: check enabled by default, show built-in apps, enable guard on all except Dialer, long tap to enable location on Maps and Google Play services
• Privacy/CyanogenMod statistics: uncheck enable reporting
• Languages & input: uncheck Google voice typing
• Languages & input/Voice Search: turn off Ok Google hotword detection, turn off offline speech recognition automatic updates, turn off personalized recognition
• Backup & reset: enable backup my data, uncheck automatic restore
• Superuser/Settings: set superuser access for apps only, set PIN protection

Also check out Google Settings app:

• Search & Now/Google Now: turn off
• Search & Now/Accounts & privacy: turn off commute sharing, search on google.com
• Search & Now/Accounts & privacy: turn off Web History, turn off Personal results
• Ads: reset advertising ID, opt out of interest-based ads
• Android Device Manager: decide whether to allow remotely locating this device or locking and erasing data

Finally it is time to connect your device to the internet using Wi-Fi and add your Google and other accounts (carefully specify what data they should sync).

Locking

Once you tested that everything works and are satisfied with the operating system, it makes sense to again lock the bootloader. This step secures your data as everything will be wiped clean the next time anyone unlocks it again.

Reboot into the bootloader using USB (alternatively volume up + volume down + power) and lock the bootloader:

$ adb reboot bootloader
$ fastboot oem lock

Other

Screenshots

Related

• http://wiki.CyanogenMod.org/w/Install_CM_for_hammerhead
• http://pocketnow.com/2014/04/17/nexus-5-CyanogenMod-11
• http://developers.google.com/android/nexus/images
• http://forum.xda-developers.com/showpost.php?p=35514297&postcount=24