🔐Spoof locked bootloader | "Bypass" TEE check
- Thread starter chiteroman
- Start date
i tried cib but it didn't work i have lsposed-zygisk 26.1 magisk
and when i installed 'key attestation ' app it says the boadloader is locked ! but cib app doesn't open
Last edited:
Yes i have shamiko module, what do you mean by hiding root ?
i use configure deny list and checked the app and didn't force
and i have these modules installed
This is now patched in latest key attestation app by Rikka, et. all. Version 1.4.1
Last edited:
1. Should work.
2. If your device has a broken TEE it will never work, so no
3. I temporarily removed it.
Thanks for the feedback.2. If your device has a broken TEE it will never work, so no
I have Oneplus 8T, but I am not sure if it has a brocken TEE.
Is there a way to confirm?
Thanks for the feedback.
I have Oneplus 8T, but I am not sure if it has a brocken TEE.
Is there a way to confirm?
Releases · vvb2060/KeyAttestation
Contribute to vvb2060/KeyAttestation development by creating an account on GitHub.
github.com
CHECK FIRST POST
Attachments
Last edited:
BootloaderSpoofer + KeyAttestation 1.3.4 bootloader shown as locked
BootloaderSpoofer + KeyAttestation 1.4.1 bootloader shown as unlocked
What could be the reason for this?
Attachments
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
41chiteroman
will the PINE hook module be easily detected? I haven't tried it out, but I have tested that I can just let the app to not load the play service package dynamically in framework.jar, so it will just use conscrypt classes instead, but apps require play service class to work may fail. But this looks fine to me already.
BTW, it took me days to just find out that I need to delete '/system/framework/arm', '/system/framework/arm64' and '/system/framework/oat' to make it work after overlaying the framework.jar....1
Good questions, and you probably understand the technical/practical side better than my understanding of the theory, which is only based on reading Google docs.
However, I understand that it's not actually the attestation certificate chain the app has that gets modified; it's only the validation data that is intercepted and returned with spoofed extension data replacing the attestation certificate data...
That's why the "server sample" for validating an Android attestation certificate chain outside the Android framework is provided. "This is the recommended best practice, since if the Android device is rooted or otherwise compromised, on-device validation of the attestation may be inaccurate"...
Where 'local attestation' is used to extract the attestation extension data from the attestation certificate and verify (and print) data elements from the attestation extension (ie. done within the Android framework), the tested certificate and extension data cannot be guaranteed/trusted.
https://github.com/google/android-key-attestation/tree/master/server#introduction
A server based setup utilising an ASN.1 parser (eg. from Bouncy Castle) will extract the same attestation certificate extension data, but without risk or interception or manipulation...
Hope it helps...
@chiteroman may be able to add to/clarify this further. PW1
I haven't figured it out how to integrate Pine into the framework, but I managed to put your code into framework.jar, I don't find any impacts on other apps for now but finally I can now bypass local key attestation and pass CTS profile without any runtime code injection, just plain kernel su, overlayfs module and hiding overlayfs in kernel. So I think that's enough for me ATM, gotta take some rest.
And of course, kudos to your code, much appreciated
1
As I said even I locked bootloader still tee broken and can't restore strongintegrity so I will continue using device with root and ignore this bank app cause everything is working good no issues faced.As I said, this generally means OEM messed up... And I've never heard of post production fixes for this...
I believe even China hardware/firmware should support AVB/key attestation correctly even when Google APIs are not used...
So you could complain/enquire of Xiaomi but doubtful if they can/will help...
Or continue using rooted with root fixes supporting broken keymaster, but when/if banks start enforcing strongIntegrity you would be able to restore that by locking...
There is a slim chance you've messed up /persist as Poco users (notably) experienced, but Symptoms look different to me... You have L1 and other stuff working it seems... Please say if you have issues with SIM, BT, WiFi, seeing IMEI and S/N etc (normally /persist corruption signs, even if stock/locked)...
PW
-
10Modify the root of trust in local attestations.
This module modify the byte array obtained from certificate extensions (link) to spoof a fake root of trust, so we get a fake attestation with a locked bootloader.
More info about certificate extensions:
Verifying hardware-backed key pairs with Key Attestation | Android Developers
A tool for verifying security properties of...
developer.android.com
NOTES:
- This module doesn't work with devices which TEE is broken, like OnePlus.
- You won't pass MEETS_STRONG_INTEGRITY using this.
Source code and download:
GitHub - chiteroman/BootloaderSpoofer: Spoof a locked bootloader in local attestations
Spoof a locked bootloader in local...
github.com
Apps detecting a locked bootloader:
- Key Attestation Demo (WORKING)
- CIB Egypt Mobile Banking (WORKING)
- Bet365 Authenticator (NOT WORKING)44
Finally Pine Injector works, now we can hook like LSPosed but without using it.
I will try to bypass that app protection.3
I tried it before but with Magisk magic and it worked! But I will need to study how to implement this in better way. I just throw an exception in engineGetCertificateChain, Momo don't detect it due it's not injection.
It's a first step3
Yep, you must make your super.img partitions read-write and modify it from recovery. You can modify it unpacking the .img or using systemRW script from here link this:
In TWRP after reboot use:
adb shell mount -w -v /system_root
adb push modifiedFramework.jar /system_root/system/framework/framework.jar
adb shell umount -v /system_root
In some roms framework directory is an overlay so you must modify it from recovery, also check group and permission to be the same or system won't boot. Also zipalign to 4 bytes the framework.jar always.
Now you can modify framework.jar and include hooks like mine (POCO X3 Pro MIUI 14.0.3 Indonesian stock rom):
framework.jar
drive.google.com
My source code of es.chiteroman.Hooks:
Hooks.java
drive.google.com
You must implement Pine:
GitHub - canyie/pine: Dynamic java method hook framework on ART. Allowing you to change almost all java methods' behavior dynamically.
Dynamic java method hook framework on ART...
github.com
And remember to move libpine.so to /system/lib64 (check your CPU arch)
Now you can hook any class
