Indicate if firmware is included in /e/os

A few days ago Google warned about security issue CVE-2024-32896 affecting all their Pixel smartphones (some people pointed out that this CVE also affects devices from other vendors). Google provides the patch via firmware update, so I wanted to know if /e/os updates also include firmware updates. Unfortunately, it’s not that easy to find out, but it seems that the answer is no. Some ROMs like iodé or DivestOS clearly state on their website for each device whether the software contains the firmware or not. Maybe /e/os could do it in a similar way?
By the way, I tried to update the firmware manually on my Pixel 7 by flashing the latest Android 13 vendor.img from Google, but the device wouldn’t start anymore. Had to re-install /e/os to make it work, no data lost.
With my previous Xiaomi Mi 8 on /e/os, I also had to update the firmware manually. This usually worked well.

[Walkthrough] Extract eRecovery and boot images using payload-dumper-go

This post will answer if firmware is present, but not its release date.

On the /e/ download page, there is a link to the /e/ release notes; it indicates the date of the CVE included.

… but not this one, which is not a regular Android SPL but a quite recent (June, I think; Pixel-specific, I read at one source, but only a quick read) vendor firmware SPL.

From what I know, only Fairphones, Murena One/Two phones and the Teracube 2e phone have received firmware updates through /e/os updates.

I agree that we would need clearer information on which phone has its firmware updated or not as it may sometimes be very important or at least valuable.

My Pixel 7 on /e/os 2.1 indicates baseband version g5300g-230323-230525-B-10200345. I think it’s still the latest version for Android 13, even though it was released around June 2023. Newer baseband versions were only released for Android 14, so I guess that a firmware patch would also only be available for Android 14. Therefore, if /e/os doesn’t include the firmware and I’d like to install the latest firmware manually, I guess that /e/os needs to upgrade to Android 14 first anyway.

I don’t understand what the problem is, but GrapheneOS says that CVE-2024-32896 affects other devices (from other vendors) too. The patch was introduced in AOSP and rolled out as part of Android 14 QPR3. I’m just a user and find this all confusing, to be honest.