LG Nexus 5 is a powerful mobile phone and stock version of Android has nearly everything. Nevertheless CyanogenMod 11 M9 (or newer), based on Android 4.4.4 (KitKat), can improve the experience, security, and customization even further.
- LG Nexus 5 (Google/LG D820/D821, hammerhead)
- micro USB cable
- backup your data (contacts, calendar, photos, videos…)
- turn off phone encryption (if you enabled it, as it causes problems)
fastbootfrom Android SDK Tools
- Android SDK Tools and Platform-tools
- ClockworkMod Recovery 184.108.40.206 (or TWRP Recovery 220.127.116.11 or newer) for LG Nexus 5
- CyanogenMod 11 M9 (or newer) snapshot for LG Nexus 5
- Google Apps for CM 11
Installing CyanogenMod 11 on LG Nexus 5 is straightforward as there is actually no need to exploit a security hole in the system. There is also no need to create backup images of your original stock Android, as all factory versions are officially available.
For a thorough description see the usual CyanogenMod 11 installation instructions, but the following steps should be sufficient.
Reboot into the bootloader using USB (alternatively volume up + volume down + power) and unlock the bootloader:
$ adb reboot bootloader $ fastboot oem unlock
In case of permission problems, run commands as root and enable USB debugging on the device. On success an unlocked icon will appear at the bottom of the Google boot screen during reboots.
Again reboot into the bootloader (as before) and flash previously downloaded advanced recovery console ClockworkMod Recovery (or TWRP Recovery):
$ adb reboot bootloader $ fastboot flash recovery recovery-clockwork-18.104.22.168-hammerhead.img
Wait for the flashing procedure to complete.
Reboot into the recovery using USB (alternatively volume up + volume down + power, navigate with volume up/down, and confirm using power button):
$ adb reboot recovery
In ClockworkMod Recovery select wipe data/factory reset (navigate with volume up/down, and confirm using power button). Repeat procedure for wipe cache partition. In case of problems with encryption also navigate to mounts and storage and format /data.
Afterwards transfer and install previously downloaded CyanogenMod 11 package by selecting install zip and using the install zip from sideload method. Transfer the package over USB with:
$ adb sideload cm-11-20140805-SNAPSHOT-M9-hammerhead.zip
Wait for the flashing and installation to complete. The procedure is complete if there were no fatal error messages and you regained control over the menu on top.
Install Google Apps
As CyanogenMod 11 comes without any apps from Google (especially without Google Play Store) it is recommended to install them too.
Again reboot into the recovery (if not there yet) and install previously downloaded Google Apps for CM 11 by selecting install zip and using the install zip from sideload method:
$ adb reboot recovery $ adb sideload gapps-kk-20140606-signed.zip
Once the installation has finished, you can select reboot system now and wait for it to boot the first time (takes a few minutes).
A setup wizard will appear and it is recommended to not setup a Google account yet, as it can not be configured in detail here and it initiates syncing and restoration procedures.
Newest Android phones also support a full-device encryption feature to prevent potential thieves from accessing your data. Note that encryption decreases the performance a little and is one-way only (factory reset to turn it off).
Unfortunately by default the boot-time encryption password is linked with your lock screen PIN or password (other options are unavailable), which may be inconvenient if you are used to an unlock pattern. Nevertheless it is possible to manually enable encryption independent of your lock screen.
For this first open Settings/Lock screen/Screen security and setup your preferred Screen lock method (such as Pattern). Choose a good pattern as it is not trivial to change it later on.
Than enable encryption independently on a rooted system through the terminal (choose a long secure password). In case you are using USB you will need to temporarily enable Settings/Superuser/Root access to Apps and ADB to gain root privileges (turn it off afterwards):
$ adb shell $ su $ vdc cryptfs enablecrypto inplace [password]
After a few seconds your Android device will reboot and begin with the encryption process (takes around 30 min). On completion your system will reboot and now you will only need to enter the chosen password once for each reboot.
Install AFWall+ (Android Firewall +) and allow superuser access forever. It is recommended to enable the following Preferences:
- check Enable notifications
- check Active Rules
- check LAN Control
- check IPv6 support (in case of problems copy systems
ip6tablesto app directory)
- check Confirm box on AFWall+ disable (to prevent accidentally disabling)
- check Enable Firewall Logs
Do not forget to Enable firewall and Apply. Now use apps normally and check logs if any app has internet connection issues (than enable access).
Note that CM Updater does not work with CWM 22.214.171.124 therefore there is no need to allow internet access for Settings and CM Updater.
In case Miracast display functionality is not working, you may need to use the following custom startup script:
$IPTABLES -A "droidwall-wifi" -p udp --destination 126.96.36.199/16 -j RETURN $IPTABLES -A "droidwall-lan" -p udp -j RETURN $IPTABLES -A "droidwall-input" -p udp --source 192.168.0.0/16 -j RETURN
Install and update
You will probably want to setup Google Play Store to enable simple installation and updating of apps.
Apps you really want to install:
- AFWall+ (Android Firewall +)
- LostNet NoRoot Firewall (interesting alternative)
- Google Camera
- Titanium Backup
Also check settings of apps:
- Google Play Store - in Settings: disable auto-update apps
- YouTube - in Settings/General: turn off Improve YouTube, check Limit mobile data usage
- Hangouts - turn off Improve
- Google Maps - turn off Shake to send feedback
- Phone - in Settings/Advanced: turn off Call lookup (turn off Caller ID by Google, turn off Nearby places)
- Google Translate - in Settings/Data usage: turn off Prefer network text-to-speach, turn off Improve camera input
Many security and privacy options are available and you may want to check them out under Settings:
- Data usage: set mobile data limit, enable show Wi-Fi usage
- Mobile networks/Access Point Names/Internet APN: remove proxy setting
- Wireless & networks/More…/NFC: turn off
- Wireless & networks/More…/Tethering & portable hotspot: setup Wi-Fi hotspot name and password
- Display & lights/Cast screen: turn off
- Location/Google Location Reporting: turn off for all Google accounts
- Security/Owner info: set to something sensible
- Security/Set up SIM card lock: lock SIM card
- Security/Make passwords visible: uncheck
- Privacy/Privacy Guard: check enabled by default, show built-in apps, enable guard on all except Dialer, long tap to enable location on Maps and Google Play services
- Privacy/CyanogenMod statistics: uncheck enable reporting
- Languages & input: uncheck Google voice typing
- Languages & input/Voice Search: turn off Ok Google hotword detection, turn off offline speech recognition automatic updates, turn off personalized recognition
- Backup & reset: enable backup my data, uncheck automatic restore
- Superuser/Settings: set superuser access for apps only, set PIN protection
Also check out Google Settings app:
- Search & Now/Google Now: turn off
- Search & Now/Accounts & privacy: turn off commute sharing, search on google.com
- Search & Now/Accounts & privacy: turn off Web History, turn off Personal results
- Ads: reset advertising ID, opt out of interest-based ads
- Android Device Manager: decide whether to allow remotely locating this device or locking and erasing data
Finally it is time to connect your device to the internet using Wi-Fi and add your Google and other accounts (carefully specify what data they should sync).
Once you tested that everything works and are satisfied with the operating system, it makes sense to again lock the bootloader. This step secures your data as everything will be wiped clean the next time anyone unlocks it again.
Reboot into the bootloader using USB (alternatively volume up + volume down + power) and lock the bootloader:
$ adb reboot bootloader $ fastboot oem lock