🔐Spoof locked bootloader | "Bypass" TEE check


the.art.m

Member
Jun 13, 2023
5
1
Hi. Has anyone researched Bet365 authenticator? It uses appdome and since new versions it started checking bootloader state. This app doesn't work, probably because it checks certificate issuer. Could someone help me with it?
 

westruk

Senior Member
Nov 17, 2022
98
28
Hi. Has anyone researched Bet365 authenticator? It uses appdome and since new versions it started checking bootloader state. This app doesn't work, probably because it checks certificate issuer. Could someone help me with it?
In previous appdome versions, does attestationspoofer work well?
 

chiteroman

Senior Member
Nov 4, 2019
514
556
22
Oviedo
Xiaomi Poco X3 Pro
Hi. Has anyone researched Bet365 authenticator? It uses appdome and since new versions it started checking bootloader state. This app doesn't work, probably because it checks certificate issuer. Could someone help me with it?
Yeah, it checks your bootloader status and detects injection like Xposed. Sorry, but I can't help you more; if you want to use that app you must lock your bootloader :(
 

the.art.m

Member
Jun 13, 2023
5
1
Yeah, it checks your bootloader status and detects injection like Xposed. Sorry, but I can't help you more; if you want to use that app you must lock your bootloader :(
I could bypass Xposed detection but not the bootloader check... It checks that the certificate issuer is Google and detects it as Strong Play Integrity does. That's sad.
 

Top Liked Posts

  • 3
    I found that only conscrypt.jar works but not framework.jar
    Yep, you must make your super.img partitions read-write and modify them from recovery. You can modify it by unpacking the .img or by using the systemRW script from here, like this:


    In TWRP after reboot use:

    adb shell mount -w -v /system_root

    adb push modifiedFramework.jar /system_root/system/framework/framework.jar

    adb shell umount -v /system_root

    In some ROMs the framework directory is an overlay, so you must modify it from recovery; also check that the group and permissions stay the same or the system won't boot. Also, always zipalign framework.jar to 4 bytes.

    Now you can modify framework.jar and include hooks like mine (POCO X3 Pro MIUI 14.0.3 Indonesian stock rom):

    My source code of es.chiteroman.Hooks:

    You must implement Pine:

    And remember to move libpine.so to /system/lib64 (check your CPU arch)

    Now you can hook any class :)
    2
    Uber driver requires Strong integrity, you must install stock rom and lock bootloader to use it.
    This has (happily) proved to be incorrect.

    A user has been running Uber Driver on an old Samsung Galaxy A5 (launched with Android 6.01) for some time and has now published a newly devised method to make it run on a Xiaomi Mi A3 (LV Android 9.0, Android One OS) here:
    A long trial and error procedure, I will attach the procedure below...

    Key elements were Zygisk on KernelSU running in Magisk, Alpha Magisk or KernelSU and use of Android Faker, xPrivacyLua, and App Manager modding utilities...

    Hope it helps Uber Driver modders! 😋 PW
    1

    chiteroman

    Just want to say thank you for your open-source code (y); now I managed to write my own Frida script based on your LSPosed code to spoof the bootloader locally on my Pixel 3a with stock ROM. But there is a slight difference between the Momo app and the Key Attestation app: in the Key Attestation app, it seems the class of the certificates[] returned from 'KeyStore.getCertificateChain' is NOT 'com.android.org.conscrypt.OpenSSLX509Certificate' but 'com.google.android.gms.org.conscrypt.OpenSSLX509Certificate', which seems to come from Google Play services, and I need to cast the certificate instance to 'com.google.android.gms.org.conscrypt.OpenSSLX509Certificate' so I can hook the 'getExtensionValue' method.

    Besides, I tried to build the stock ROM, using an overlay to mount the modified conscrypt.jar and framework.jar before starting zygote. I found that only conscrypt.jar works but not framework.jar, and it only works for the Momo app. So right now I have no idea how to find a way to hook the getExtensionValue method for 'com.google.android.gms.org.conscrypt' in my AOSP. Any ideas?
    1
    As I said, this generally means OEM messed up... And I've never heard of post production fixes for this...

    I believe even China hardware/firmware should support AVB/key attestation correctly even when Google APIs are not used...

    So you could complain/enquire of Xiaomi but doubtful if they can/will help...

    Or continue using rooted with root fixes supporting broken keymaster, but when/if banks start enforcing strongIntegrity you would be able to restore that by locking...

    There is a slim chance you've messed up /persist as Poco users (notably) experienced, but Symptoms look different to me... You have L1 and other stuff working it seems... Please say if you have issues with SIM, BT, WiFi, seeing IMEI and S/N etc (normally /persist corruption signs, even if stock/locked)...

    🙃 PW
    As I said, even after I locked the bootloader the TEE was still broken and I can't restore Strong Integrity, so I will continue using the device with root and ignore this bank app, because everything is working well and I've faced no issues.
  • 10

    Modify the root of trust in local attestations.



    This module modifies the byte array obtained from certificate extensions (link) to spoof a fake root of trust, so we get a fake attestation with a locked bootloader.


    More info about certificate extensions:


    NOTES:
    - This module doesn't work with devices whose TEE is broken, like OnePlus.
    - You won't pass MEETS_STRONG_INTEGRITY using this.


    Source code and download:


    Apps detecting a locked bootloader:

    - Key Attestation Demo (WORKING)
    - CIB Egypt Mobile Banking (WORKING)
    - Bet365 Authenticator (NOT WORKING)
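    As an added illustration (not code from this thread, the module above, or any app it names): the module rewrites the bytes of the key attestation extension that an app reads locally, so it helps to see exactly which fields a verifier looks at in there. The Python below is a minimal DER walker that pulls the attestation security level and the RootOfTrust fields (deviceLocked, verifiedBootState, boot key and hash) out of the extension's KeyDescription structure (OID 1.3.6.1.4.1.11129.2.1.17). The two sample encodings are constructed for the example, not captured from a device, and the helper names are my own. The defender's takeaway is in the second function: the locked/verified answer is only as good as the certificate chain carrying the extension, which has to be validated up to Google's published attestation root (and the challenge matched) before those bytes mean anything, which is consistent with the NOTES above about MEETS_STRONG_INTEGRITY.

```python
# Added example, not code from the thread or the module it discusses.
# Minimal DER walker for the Android key attestation extension
# (OID 1.3.6.1.4.1.11129.2.1.17, KeyDescription structure).
# All sample bytes below are constructed here, not captured from a device.

SECURITY_LEVELS = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}
VERIFIED_BOOT_STATES = {0: "Verified", 1: "SelfSigned", 2: "Unverified", 3: "Failed"}
ROOT_OF_TRUST_TAG = 704  # [704] EXPLICIT RootOfTrust inside an AuthorizationList


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos -> (tag_class, constructed, tag_number, value, next_pos)."""
    first = buf[pos]
    tag_class, constructed, tag_number = first >> 6, bool(first & 0x20), first & 0x1F
    pos += 1
    if tag_number == 0x1F:  # high-tag-number form, needed for [704]
        tag_number = 0
        while True:
            b = buf[pos]
            pos += 1
            tag_number = (tag_number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag_class, constructed, tag_number, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Split the content of a constructed TLV into its element TLVs."""
    out, pos = [], 0
    while pos < len(value):
        tlv = _read_tlv(value, pos)
        out.append(tlv)
        pos = tlv[4]
    return out


def parse_root_of_trust(key_description: bytes) -> dict:
    """Return the security level and teeEnforced RootOfTrust from a DER KeyDescription."""
    fields = _children(_read_tlv(key_description, 0)[3])
    # fields: attestationVersion, attestationSecurityLevel, keymasterVersion,
    # keymasterSecurityLevel, attestationChallenge, uniqueId, softwareEnforced, teeEnforced
    sec_level = fields[1][3][0]
    for tag_class, _, tag_number, value, _ in _children(fields[7][3]):
        if tag_class == 2 and tag_number == ROOT_OF_TRUST_TAG:
            rot = _children(_children(value)[0][3])  # unwrap EXPLICIT tag, then the SEQUENCE
            return {
                "security_level": SECURITY_LEVELS.get(sec_level, str(sec_level)),
                "verified_boot_key": rot[0][3].hex(),
                "device_locked": rot[1][3] == b"\xff",
                "verified_boot_state": VERIFIED_BOOT_STATES.get(rot[2][3][0], "?"),
                "verified_boot_hash": rot[3][3].hex(),
            }
    raise ValueError("no rootOfTrust in the teeEnforced list")


def attests_locked_verified_boot(key_description: bytes) -> bool:
    """The local check an app makes. Only meaningful if the certificate chain that
    carries this extension was validated up to Google's attestation root first."""
    rot = parse_root_of_trust(key_description)
    return rot["device_locked"] and rot["verified_boot_state"] == "Verified"


# --- constructed sample data (hypothetical values, not from a real device) ---
def _der(tag: bytes, content: bytes) -> bytes:
    n = len(content)
    if n < 128:
        return tag + bytes([n]) + content
    nbytes = (n.bit_length() + 7) // 8
    return tag + bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big") + content


def _sample(locked: bool, boot_state: int) -> bytes:
    root_of_trust = _der(b"\x30",
        _der(b"\x04", b"\x11" * 32)                        # verifiedBootKey
        + _der(b"\x01", b"\xff" if locked else b"\x00")    # deviceLocked
        + _der(b"\x0a", bytes([boot_state]))               # verifiedBootState
        + _der(b"\x04", b"\x22" * 32))                     # verifiedBootHash
    tee_enforced = _der(b"\x30", _der(b"\xbf\x85\x40", root_of_trust))  # [704] EXPLICIT
    return _der(b"\x30",
        _der(b"\x02", b"\x04") + _der(b"\x0a", b"\x01")    # attestationVersion, level=TEE
        + _der(b"\x02", b"\x04") + _der(b"\x0a", b"\x01")  # keymasterVersion, keymaster level
        + _der(b"\x04", b"challenge") + _der(b"\x04", b"") # attestationChallenge, uniqueId
        + _der(b"\x30", b"") + tee_enforced)               # softwareEnforced, teeEnforced


SAMPLE_LOCKED = _sample(True, 0)      # locked bootloader, Verified boot
SAMPLE_UNLOCKED = _sample(False, 2)   # unlocked bootloader, Unverified boot

if __name__ == "__main__":
    for name, sample in (("locked", SAMPLE_LOCKED), ("unlocked", SAMPLE_UNLOCKED)):
        print(name, parse_root_of_trust(sample), attests_locked_verified_boot(sample))
```

    Swapping in the extension value from a real device's attestation certificate (as returned by the KeyStore chain) exercises the same walker; what the walker cannot tell you is whether the chain is genuine, so a verifier that stops at these bytes is exactly the verifier the spoofing module is aimed at.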
    4

    Finally Pine Injector works, now we can hook like LSPosed but without using it.

    I will try to bypass that app protection.
    3
    Not exactly what I was hoping for but thanks for your answer nonetheless
    I tried it before, but with Magisk magic, and it worked! But I will need to study how to implement this in a better way. I just throw an exception in engineGetCertificateChain; Momo doesn't detect it because it's not injection.
    It's a first step 🙃