🔐Spoof locked bootloader | "Bypass" TEE check


Mu7am3D

New member
May 28, 2023
Hide root, do you have Shamiko module?
Yes, I have the Shamiko module, what do you mean by hiding root?
I use Configure DenyList and checked the app and didn't force,
and I have these modules installed:

NEO701

Senior Member
Apr 19, 2012
Is this module still working for CIB app?
Does it have any workaround to work with OnePlus devices?
Does it have any new updates? The GitHub page seems down.
 

innit

Senior Member
NEW VERSION RELEASED!
BootloaderSpoofer + KeyAttestation 1.3.4 bootloader shown as locked

BootloaderSpoofer + KeyAttestation 1.4.1 bootloader shown as unlocked

What could be the reason for this?
 


Top Liked Posts

    If the app checks for the presence of the Pine package name, yes, but you can modify it.
    I haven't figured out how to integrate Pine into the framework, but I managed to put your code into framework.jar. I don't find any impact on other apps for now, but finally I can now bypass local key attestation and pass CTS profile without any runtime code injection, just plain kernel su, an overlayfs module and hiding overlayfs in the kernel. So I think that's enough for me ATM, gotta take some rest.
    And of course, kudos to your code, much appreciated👍
    As I said, this generally means the OEM messed up... And I've never heard of post-production fixes for this...

    I believe even China hardware/firmware should support AVB/key attestation correctly even when Google APIs are not used...

    So you could complain/enquire of Xiaomi but doubtful if they can/will help...

    Or continue using rooted with root fixes supporting broken keymaster, but when/if banks start enforcing strongIntegrity you would be able to restore that by locking...

    There is a slim chance you've messed up /persist as Poco users (notably) experienced, but the symptoms look different to me... You have L1 and other stuff working, it seems... Please say if you have issues with SIM, BT, WiFi, seeing IMEI and S/N etc. (normally signs of /persist corruption, even if stock/locked)...

    🙃 PW
    As I said, even after I locked the bootloader the TEE is still broken and I can't restore strongIntegrity, so I will continue using the device with root and ignore this bank app, because everything is working well and I've faced no issues.
    Hi

    I just came across this thread. Does this work for the Uber Driver app?
    No, Uber Driver requires Strong so you must lock bootloader.
    Hey! What should I do to make this work?
    Thanks!!
    Detecting Zygisk...

    LSPosed Metagisk Magisk WIP native bridge loaded Zygisk built in Alpha fork + latest Shamiko hides it:


    Nb. NB-Z may still not be fully baked but seems conflicts are now resolved... Devs hoped it would be ready for official Magisk 27.0... This PR:
    Refactor zygisk to use native bridge to inject

    Or you can try it in bleeding edge Alpha if you can't wait, warts and all...

    Hope bypass helps you to pass Neet entry test & get admission in a medical college in India... 😛 PW

    Modify the root of trust in local attestations.



    This module modifies the byte array obtained from the certificate extensions (link) to spoof a fake root of trust, so we get a fake attestation with a locked bootloader.



    More info about certificate extensions:


    NOTES:
    - This module doesn't work with devices whose TEE is broken, like OnePlus.
    - You won't pass MEETS_STRONG_INTEGRITY using this.


    Source code and download:


    Apps detecting a locked bootloader:

    - Key Attestation Demo (WORKING)
    - CIB Egypt Mobile Banking (WORKING)
    - Bet365 Authenticator (NOT WORKING)
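The RootOfTrust the module rewrites is a DER structure inside the attestation certificate's key-attestation extension. Added example, not code from the thread or from the BootloaderSpoofer project: a minimal parser for the deviceLocked and verifiedBootState fields written the way a server-side verifier would read them, since a read performed on the device is exactly what the hooks discussed here feed with spoofed bytes. The field layout follows the public KeyDescription/RootOfTrust schema; the sample bytes are constructed.

```python
# Added example (not the thread's or the module's code): minimal DER walker for the
# RootOfTrust inside the Android key-attestation extension (OID 1.3.6.1.4.1.11129.2.1.17).
# Read these fields server-side from a chain validated to Google's hardware attestation
# root; an on-device read is exactly what the spoofing hooks in this thread target.

ROOT_OF_TRUST_TAG = 704  # rootOfTrust [704] EXPLICIT inside AuthorizationList
BOOT_STATE = {0: "Verified", 1: "SelfSigned", 2: "Unverified", 3: "Failed"}


def read_tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag_number, constructed, value, next_pos)."""
    first, pos = buf[pos], pos + 1
    tag = first & 0x1F
    if tag == 0x1F:  # high-tag-number form, e.g. BF 85 40 encodes [704]
        tag, b = 0, 0x80
        while b & 0x80:
            b, pos = buf[pos], pos + 1
            tag = (tag << 7) | (b & 0x7F)
    length, pos = buf[pos], pos + 1
    if length & 0x80:  # long-form length (real extensions exceed 127 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, bool(first & 0x20), buf[pos:pos + length], pos + length


def children(seq_value):
    # Split the content octets of a SEQUENCE into (tag, constructed, value) triples.
    out, pos = [], 0
    while pos < len(seq_value):
        tag, con, val, pos = read_tlv(seq_value, pos)
        out.append((tag, con, val))
    return out


def parse_root_of_trust(key_description_der):
    """Return {'deviceLocked', 'verifiedBootState'} from teeEnforced, or None if absent."""
    fields = children(read_tlv(key_description_der)[2])  # KeyDescription SEQUENCE body
    for tag, con, val in children(fields[7][2]):  # fields[7] is the teeEnforced list
        if tag == ROOT_OF_TRUST_TAG and con:
            _key, locked, state, _hash = children(read_tlv(val)[2])  # strip EXPLICIT wrapper
            return {"deviceLocked": locked[2] != b"\x00", "verifiedBootState": BOOT_STATE[state[2][0]]}
    return None


def der(tag, value):
    # Tiny DER encoder (lengths < 256), used only to build the constructed sample below.
    return tag + (bytes([len(value)]) if len(value) < 0x80 else b"\x81" + bytes([len(value)])) + value


def sample_key_description(locked, state):
    """Constructed KeyDescription test vector (attestation v4, TEE level), not from a real device."""
    rot = der(b"\x30", der(b"\x04", b"\x11" * 32) + der(b"\x01", b"\xff" if locked else b"\x00")
              + der(b"\x0a", bytes([state])) + der(b"\x04", b"\x22" * 32))
    head = der(b"\x02", b"\x04") + der(b"\x0a", b"\x01") + der(b"\x02", b"\x04") + der(b"\x0a", b"\x01")
    head += der(b"\x04", b"challenge") + der(b"\x04", b"") + der(b"\x30", b"")  # challenge, uniqueId, softwareEnforced
    return der(b"\x30", head + der(b"\x30", der(b"\xbf\x85\x40", rot)))
```

A real verifier would first check the chain's signatures and the root against Google's published attestation root, then compare the attestationChallenge to the nonce it issued, and only then trust these two fields.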

    Finally Pine Injector works, now we can hook like LSPosed but without using it.

    I will try to bypass that app protection.
    Not exactly what I was hoping for but thanks for your answer nonetheless
    I tried it before but with Magisk magic and it worked! But I will need to study how to implement this in a better way. I just throw an exception in engineGetCertificateChain; Momo doesn't detect it because it's not injection.
    It's a first step 🙃
    I found that only conscrypt.jar works but not framework.jar
    Yep, you must make your super.img partitions read-write and modify it from recovery. You can modify it by unpacking the .img or by using the systemRW script from here (link), like this:


    In TWRP after reboot use:

    adb shell mount -w -v /system_root

    adb push modifiedFramework.jar /system_root/system/framework/framework.jar

    adb shell umount -v /system_root

    In some ROMs the framework directory is an overlay, so you must modify it from recovery; also check that the group and permissions are the same or the system won't boot. Always zipalign framework.jar to 4 bytes.

    Now you can modify framework.jar and include hooks like mine (POCO X3 Pro MIUI 14.0.3 Indonesian stock rom):

    My source code of es.chiteroman.Hooks:

    You must implement Pine:

    And remember to move libpine.so to /system/lib64 (check your CPU arch)

    Now you can hook any class :)