Side question: what's a good way of getting a GrapheneOS phone?
I have been interested in using GrapheneOS but hesitant about actually getting a Pixel phone. Used phone prices are usually >$300 even for "a" series unless I go back several generations. Whether the device bootloader can be unlocked is also a question. I am definitely not ready to spend $449 on a new Pixel 10a.
This won't help you right now, but GrapheneOS did recently announce a partnership with Motorola, so presumably in a year or so support will start showing up for some Motorola devices.
Side note: I did get the 10a on launch from Google Fi for ~300.
Refurbished phones are cheap and even going back 3, 4, 5 years you have great hardware, indistinguishable from what you would pay 1000$ new now. 200 or 300$ for a high quality refurbished Pixel is really not that bad.
Pixel 10a is essentially a proper Pixel 9a. It uses the Pixel 9 SoC and Pixel 9 cellular radio compared to the Pixel 9a using the cellular radio used by 8th gen Pixels. The 9th gen Pixel cellular radio was a huge upgrade for connectivity and power efficiency so it's a major advantage for the Pixel 10a over the Pixel 9a. They're budget devices and definitely have significant compromises for the display, wireless charging and other areas.
No, GrapheneOS adheres to the same support period that the OEM provides. End of life devices are insecure and should not be used. Only the OEM can provide the firmware updates necessary for proper support, because the firmware images are signed by the OEM/component manufacturers. All GrapheneOS can do is push the updated firmware.
GrapheneOS has a requirement of a 5-7 year support window from an OEM.
GrapheneOS only supports devices for as long as the manufacturer is providing security updates for the phone's firmware. Firmware is a binary blob, so there'd be no practical way for anyone else to provide/develop security updates once the manufacturer is no longer providing official updates.
Their partnership with Motorola, I think, involves some ability of GrapheneOS devs to access/harden/update the firmware, but I'm not 100% sure. Firmware on phones, especially for the baseband processor, often involves a nasty confluence of copyright, trade secrets, patents, and government rules/demands.
It can be done, Fairphone rather famously did it once.
But it is vastly uneconomical, and I doubt anyone is going to start doing it regularly.
We really need some kind of regulation demanding firmware support for longer. The EU seems the most likely entity to achieve something like that. Phone vendors can't even control how long they support their own hardware, because the SoC is almost always Qualcomm, and once they drop support, there aren't any good options left.
> It can be done, Fairphone rather famously did it once.
No, they ported a new major Android release beyond what the SoC officially supported. They had already stopped providing firmware, kernel or driver security patches long before that point. They did what LineageOS regularly does by porting a new major Android release to hardware not officially supporting it. Unlike LineageOS, they had to convince a company to certify it as meeting the CDD/CTS requirements. Most OEMs including Fairphone have major CDD/CTS violations but yet still get certified in practice so that doesn't really mean as much as you'd think. It's common for Android OEMs to break functionality tested by the CTS and yet somehow they have certification. This is part of why the Play Integrity API's flimsy justification for the highly anti-competitive approach it uses is such nonsense.
Even the Fairphone 5 already lacks standard Linux kernel security patches due to having an end-of-life kernel branch. Fairphone doesn't provide anything close to proper updates.
Qualcomm offers up to 8 years of major Android version updates and basic security patches for their firmware and drivers. They charge money for each year of support. It's there if OEMs are willing to pay for an up-to-date SoC and pay for many years of support.
GrapheneOS will stop releasing updates when Google stops supporting a device. They put an emphasis on security and unpatched drivers or firmware (which they can't/won't/don't have the resources to patch) are a major security risk.
Luckily, Google's support periods are actually quite long, and very clear (stated on the website on launch date, unlike iOS or even Windows these days).
Basically, buy a Pixel 6 or later (I suggest Pixel 7 or later, since Pixel 6 will be minimal support soon) that you are sure has an unlockable bootloader. The majority you'll see don't have an unlockable bootloader.
Which mostly means either buy direct from Google, or buy one on eBay that already has GrapheneOS/CalyxOS/LineageOS on it or for which the seller expressly says it has an unlockable bootloader.
(IME, don't bother trying to ask a seller to check bootloader, if they haven't already said. Almost no one is going to go through the process to check, the answer is probably no anyway, they might misunderstand your question and answer that it's "unlocked", and they may be tired of people asking.)
If you have time and the eBay listing is unclear, I would definitely ask. That way if they say you can unlock the bootloader and in reality you can't, you can return it to them as an item "not as described" at no cost.
I tried asking, years ago, with the rationale of I'm not wasting people's time, since they could get more money if they knew about bootloader unlocking.
Then I decided everyone who knows about bootloader unlocking would've already checked and mentioned if it was unlockable (but not if it wasn't, since why confuse normal buyers with a fringe thing), and I've never gotten a positive response trying to tell any seller about it, so I think I'm just wasting everyone's time.
An 8 series device or higher is recommended. Getting new from non-carrier stores or the Google Store is reliable.
Used is a gamble due to improper OEM unlocking practices, so make sure it has a good return policy and try to verify OEM unlocking is accessible if you purchase used.