diff --git a/LICENSE.android b/LICENSE.android deleted file mode 100644 index 89ae7c4..0000000 --- a/LICENSE.android +++ /dev/null 
@@ -1,190 +0,0 @@ - - Copyright (c) 2008-2015, The Android Open Source Project - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. 
- - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. 
You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. 
- - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. 
In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - diff --git a/META-INF/com/google/android/update-binary b/META-INF/com/google/android/update-binary deleted file mode 100644 index a8f7aec..0000000 --- a/META-INF/com/google/android/update-binary +++ /dev/null 
@@ -1,182 +0,0 @@ -#!/sbin/sh - -################# -# Initialization -################# - -umask 022 - -# echo before loading util_functions -ui_print() { echo "$1"; } - -require_new_magisk() { - ui_print "*******************************" - ui_print " Please install Magisk v19.0+! " - ui_print "*******************************" - exit 1 -} - -######################### -# Load util_functions.sh -######################### - -OUTFD=$2 -ZIPFILE=$3 - -mount /data 2>/dev/null - -[ -f /data/adb/magisk/util_functions.sh ] || require_new_magisk -. /data/adb/magisk/util_functions.sh -[ $MAGISK_VER_CODE -lt 19000 ] && require_new_magisk - -if [ $MAGISK_VER_CODE -ge 20400 ]; then - # New Magisk have complete installation logic within util_functions.sh - install_module - exit 0 -fi - -################# -# Legacy Support -################# - -# Global vars -TMPDIR=/dev/tmp -PERSISTDIR=/sbin/.magisk/mirror/persist - -rm -rf $TMPDIR 2>/dev/null -mkdir -p $TMPDIR - -is_legacy_script() { - unzip -l "$ZIPFILE" install.sh | grep -q install.sh - return $? -} - -print_modname() { - local len - len=`echo -n $MODNAME | wc -c` - len=$((len + 2)) - local pounds=`printf "%${len}s" | tr ' ' '*'` - ui_print "$pounds" - ui_print " $MODNAME " - ui_print "$pounds" - ui_print "*******************" - ui_print " Powered by Magisk " - ui_print "*******************" -} - -# Preperation for flashable zips -setup_flashable - -# Mount partitions -mount_partitions - -# Detect version and architecture -api_level_arch_detect - -# Setup busybox and binaries -$BOOTMODE && boot_actions || recovery_actions - -############## -# Preparation -############## - -# Extract prop file -unzip -o "$ZIPFILE" module.prop -d $TMPDIR >&2 -[ ! -f $TMPDIR/module.prop ] && abort "! Unable to extract zip file!" 
- -$BOOTMODE && MODDIRNAME=modules_update || MODDIRNAME=modules -MODULEROOT=$NVBASE/$MODDIRNAME -MODID=`grep_prop id $TMPDIR/module.prop` -MODPATH=$MODULEROOT/$MODID -MODNAME=`grep_prop name $TMPDIR/module.prop` - -# Create mod paths -rm -rf $MODPATH 2>/dev/null -mkdir -p $MODPATH - -########## -# Install -########## - -if is_legacy_script; then - unzip -oj "$ZIPFILE" module.prop install.sh uninstall.sh 'common/*' -d $TMPDIR >&2 - - # Load install script - . $TMPDIR/install.sh - - # Callbacks - print_modname - on_install - - # Custom uninstaller - [ -f $TMPDIR/uninstall.sh ] && cp -af $TMPDIR/uninstall.sh $MODPATH/uninstall.sh - - # Skip mount - $SKIPMOUNT && touch $MODPATH/skip_mount - - # prop file - $PROPFILE && cp -af $TMPDIR/system.prop $MODPATH/system.prop - - # Module info - cp -af $TMPDIR/module.prop $MODPATH/module.prop - - # post-fs-data scripts - $POSTFSDATA && cp -af $TMPDIR/post-fs-data.sh $MODPATH/post-fs-data.sh - - # service scripts - $LATESTARTSERVICE && cp -af $TMPDIR/service.sh $MODPATH/service.sh - - ui_print "- Setting permissions" - set_permissions -else - print_modname - - unzip -o "$ZIPFILE" customize.sh -d $MODPATH >&2 - - if ! grep -q '^SKIPUNZIP=1$' $MODPATH/customize.sh 2>/dev/null; then - ui_print "- Extracting module files" - unzip -o "$ZIPFILE" -x 'META-INF/*' -d $MODPATH >&2 - - # Default permissions - set_perm_recursive $MODPATH 0 0 0755 0644 - fi - - # Load customization script - [ -f $MODPATH/customize.sh ] && . 
$MODPATH/customize.sh -fi - -# Handle replace folders -for TARGET in $REPLACE; do - ui_print "- Replace target: $TARGET" - mktouch $MODPATH$TARGET/.replace -done - -if $BOOTMODE; then - # Update info for Magisk Manager - mktouch $NVBASE/modules/$MODID/update - cp -af $MODPATH/module.prop $NVBASE/modules/$MODID/module.prop -fi - -# Copy over custom sepolicy rules -if [ -f $MODPATH/sepolicy.rule -a -e $PERSISTDIR ]; then - ui_print "- Installing custom sepolicy patch" - PERSISTMOD=$PERSISTDIR/magisk/$MODID - mkdir -p $PERSISTMOD - cp -af $MODPATH/sepolicy.rule $PERSISTMOD/sepolicy.rule -fi - -# Remove stuffs that don't belong to modules -rm -rf \ -$MODPATH/system/placeholder $MODPATH/customize.sh \ -$MODPATH/README.md $MODPATH/.git* 2>/dev/null - -############## -# Finalizing -############## - -cd / -$BOOTMODE || recovery_cleanup -rm -rf $TMPDIR - -ui_print "- Done" -exit 0 diff --git a/META-INF/com/google/android/updater-script b/META-INF/com/google/android/updater-script deleted file mode 100644 index 11d5c96..0000000 --- a/META-INF/com/google/android/updater-script +++ /dev/null @@ -1 +0,0 @@ -#MAGISK diff --git a/Makefile b/Makefile deleted file mode 100644 index d5e9199..0000000 --- a/Makefile +++ /dev/null @@ -1,21 +0,0 @@ -getprop = $(shell cat module.prop | grep "^$(1)=" | head -n1 | cut -d'=' -f2) - -MODNAME ?= $(call getprop,id) -MODVER ?= $(call getprop,version) -ZIP = $(MODNAME)-$(MODVER).zip - -all: $(ZIP) - -zip: $(ZIP) - -%.zip: clean - zip -r9 $(ZIP) . -x $(MODNAME)-*.zip .gitignore .gitattributes Makefile /.git* *.DS_Store* *placeholder /patches* - -install: $(ZIP) - adb push $(ZIP) /sdcard/ - echo '/sbin/.magisk/busybox/unzip -p "/sdcard/$(ZIP)" META-INF/com/google/android/update-binary | /sbin/.magisk/busybox/sh /proc/self/fd/0 x 1 "/sdcard/$(ZIP)"' | adb shell su -c sh - - -clean: - rm -f *.zip - -.PHONY: all zip %.zip install clean diff --git a/customize.sh b/customize.sh deleted file mode 100755 index 4e3a898..0000000 
--- a/customize.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/sbin/sh - -# We check the native ABI instead of all supported ABIs because this is a system -# service, and underlying AIDL/HIDL ABIs may not match. We also link against other -# system libraries. -arch="$(getprop ro.product.cpu.abi)" -if [[ "$arch" != "arm64-v8a" ]]; then - ui_print "Unsupported CPU architecture: $arch" - exit 1 -fi - -sdk="$(getprop ro.build.version.sdk)" -version="$(getprop ro.vendor.build.version.release)" - -# Initial version check; version can be changed later. -if [[ ! -d "$MODPATH/system_sdk$sdk" ]]; then - ui_print "Android $version (SDK $sdk) is not supported!" - rm -fr "$MODPATH" - exit 1 -fi - -# Set executable permissions -for sdk in $MODPATH/system_sdk* -do - set_perm_recursive $sdk/bin 0 0 0755 0755 -done -chmod 755 $MODPATH/*.sh diff --git a/module.prop b/module.prop deleted file mode 100644 index f004619..0000000 --- a/module.prop +++ /dev/null @@ -1,7 +0,0 @@ -id=safetynet-fix -name=Universal SafetyNet Fix -version=v1.2.0 -versionCode=10200 -author=kdrag0n -description=A universal fix for SafetyNet on Android 8–12 Beta 2 devices with hardware attestation and unlocked bootloaders. Requires MagiskHide if rooted. -support=https://github.com/kdrag0n/safetynet-fix diff --git a/patches/10/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch b/patches/10/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch deleted file mode 100644 index a954539..0000000 --- a/patches/10/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 9dd88a70668da3d7b0581489d55d0d1a2ced2f5c Mon Sep 17 00:00:00 2001 -From: Danny Lin -Date: Wed, 13 Jan 2021 02:05:05 -0800 -Subject: [PATCH] keystore: Block key attestation for Google Play Services - -In order to enforce SafetyNet security, Google Play Services is now -using hardware attestation for ctsProfile validation in all cases, even -when basic attestation is selected. The SafetyNet API response from GMS -will report that basic attestation was used, but under the hood, -hardware attestation is always used regardless of the reported state. -This results in SafetyNet failing to pass due to TrustZone reporting an -unlocked bootloader (and a partially invalidated root of trust) in the -key attestation result. - -We can still take advantage of the fact that this usage of hardware -attestation is opportunistic - that is, it falls back to basic -attestation if key attestation fails to run - and prevent GMS from using -key attestation at the framework level. This causes it to gracefully -fall back to basic attestation and pass SafetyNet with an unlocked -bootloader. - -Key attestation is still available for other apps, as there are valid -uses for it that do not involve SafetyNet. - -The "not implemented" error code from keymaster is used to simulate the -most realistic failure condition to evade detection, i.e. an old device -that lacks support for key attestation. 
- -Change-Id: Iba5fe0791622839e1bad4730593a319ea03661f2 ---- - keystore/key_store_service.cpp | 9 +++++++-- - keystore/keystore_attestation_id.cpp | 6 ++++++ - 2 files changed, 13 insertions(+), 2 deletions(-) - -diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp -index b6b7295..40550a7 100644 ---- a/keystore/key_store_service.cpp -+++ b/keystore/key_store_service.cpp -@@ -48,6 +48,7 @@ - #include - - #include -+#include - - namespace keystore { - -@@ -122,8 +123,12 @@ KeyStoreServiceReturnCode updateParamsForAttestation(uid_t callingUid, Authoriza - - auto asn1_attestation_id_result = security::gather_attestation_application_id(callingUid); - if (!asn1_attestation_id_result.isOk()) { -- ALOGE("failed to gather attestation_id"); -- return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING; -+ if (asn1_attestation_id_result.status() == KM_ERROR_UNIMPLEMENTED) { -+ return KeyStoreServiceReturnCode(KM_ERROR_UNIMPLEMENTED); -+ } else { -+ ALOGE("failed to gather attestation_id"); -+ return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING; -+ } - } - std::vector& asn1_attestation_id = asn1_attestation_id_result; - -diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp -index b48639f..1f1f79b 100644 ---- a/keystore/keystore_attestation_id.cpp -+++ b/keystore/keystore_attestation_id.cpp -@@ -34,6 +34,8 @@ - #include - #include - -+#include -+ - #include /* for AID_SYSTEM */ - - #include -@@ -209,6 +211,10 @@ build_attestation_application_id(const KeyAttestationApplicationId& key_attestat - return BAD_VALUE; - } - std::string package_name(String8(*pinfo->package_name()).string()); -+ // Prevent Google Play Services from using key attestation for SafetyNet -+ if (package_name == "com.google.android.gms") { -+ return KM_ERROR_UNIMPLEMENTED; -+ } - std::unique_ptr attestation_package_info; - auto rc = build_attestation_package_info(*pinfo, &attestation_package_info); - if (rc != NO_ERROR) { --- -2.29.2 - 
diff --git a/patches/11/fwb/0001-KeyStore-Block-key-attestation-for-Google-Play-Servi.patch b/patches/11/fwb/0001-KeyStore-Block-key-attestation-for-Google-Play-Servi.patch deleted file mode 100644 index 787ea5a..0000000 --- a/patches/11/fwb/0001-KeyStore-Block-key-attestation-for-Google-Play-Servi.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 7f7a9b19c8293c09dfee12bec75ff17225c6710e Mon Sep 17 00:00:00 2001 -From: Danny Lin -Date: Tue, 12 Jan 2021 22:25:13 -0800 -Subject: [PATCH] KeyStore: Block key attestation for Google Play Services - -In order to enforce SafetyNet security, Google Play Services is now -using hardware attestation for ctsProfile validation in all cases, even -when basic attestation is selected. The SafetyNet API response from GMS -will report that basic attestation was used, but under the hood, -hardware attestation is always used regardless of the reported state. -This results in SafetyNet failing to pass due to TrustZone reporting an -unlocked bootloader (and a partially invalidated root of trust) in the -key attestation result. - -We can still take advantage of the fact that this usage of hardware -attestation is opportunistic - that is, it falls back to basic -attestation if key attestation fails to run - and prevent GMS from using -key attestation at the framework level. This causes it to gracefully -fall back to basic attestation and pass SafetyNet with an unlocked -bootloader. - -Key attestation is still available for other apps, as there are valid -uses for it that do not involve SafetyNet. - -The "not implemented" error code from keymaster is used to simulate the -most realistic failure condition to evade detection, i.e. an old device -that lacks support for key attestation. 
- -Change-Id: I7282ab22b933434bb11037743d46b8a20dad063a ---- - keystore/java/android/security/KeyStore.java | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/keystore/java/android/security/KeyStore.java b/keystore/java/android/security/KeyStore.java -index 88b614dc7eef..0f766ef738bf 100644 ---- a/keystore/java/android/security/KeyStore.java -+++ b/keystore/java/android/security/KeyStore.java -@@ -1124,6 +1124,11 @@ public class KeyStore { - - public int attestKey( - String alias, KeymasterArguments params, KeymasterCertificateChain outChain) { -+ // Prevent Google Play Services from using key attestation for SafetyNet -+ if (mContext.getPackageName().equals("com.google.android.gms")) { -+ return KeymasterDefs.KM_ERROR_UNIMPLEMENTED; -+ } -+ - CertificateChainPromise promise = new CertificateChainPromise(); - try { - mBinder.asBinder().linkToDeath(promise, 0); --- -2.29.2 - diff --git a/patches/11/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch b/patches/11/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch deleted file mode 100644 index 6a7bd77..0000000 --- a/patches/11/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From 15633a3d29bf727b83083f2c49d906c16527d389 Mon Sep 17 00:00:00 2001 -From: Danny Lin -Date: Wed, 13 Jan 2021 02:05:05 -0800 -Subject: [PATCH] keystore: Block key attestation for Google Play Services - -In order to enforce SafetyNet security, Google Play Services is now -using hardware attestation for ctsProfile validation in all cases, even -when basic attestation is selected. The SafetyNet API response from GMS -will report that basic attestation was used, but under the hood, -hardware attestation is always used regardless of the reported state. -This results in SafetyNet failing to pass due to TrustZone reporting an -unlocked bootloader (and a partially invalidated root of trust) in the -key attestation result. - -We can still take advantage of the fact that this usage of hardware -attestation is opportunistic - that is, it falls back to basic -attestation if key attestation fails to run - and prevent GMS from using -key attestation at the framework level. This causes it to gracefully -fall back to basic attestation and pass SafetyNet with an unlocked -bootloader. - -Key attestation is still available for other apps, as there are valid -uses for it that do not involve SafetyNet. - -The "not implemented" error code from keymaster is used to simulate the -most realistic failure condition to evade detection, i.e. an old device -that lacks support for key attestation. 
- -Change-Id: Iba5fe0791622839e1bad4730593a319ea03661f2 ---- - keystore/key_store_service.cpp | 11 ++++++++--- - keystore/keystore_attestation_id.cpp | 6 ++++++ - 2 files changed, 14 insertions(+), 3 deletions(-) - -diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp -index 1b38643..b1f1304 100644 ---- a/keystore/key_store_service.cpp -+++ b/keystore/key_store_service.cpp -@@ -49,6 +49,7 @@ - #include - - #include -+#include - - namespace keystore { - -@@ -120,9 +121,13 @@ KeyStoreServiceReturnCode updateParamsForAttestation(uid_t callingUid, Authoriza - - auto asn1_attestation_id_result = security::gather_attestation_application_id(callingUid); - if (!asn1_attestation_id_result.isOk()) { -- ALOGE("failed to gather attestation_id"); -- // Couldn't get attestation ID; just use an empty one rather than failing. -- asn1_attestation_id_result = std::vector(); -+ if (asn1_attestation_id_result.status() == KM_ERROR_UNIMPLEMENTED) { -+ return KeyStoreServiceReturnCode(KM_ERROR_UNIMPLEMENTED); -+ } else { -+ ALOGE("failed to gather attestation_id"); -+ // Couldn't get attestation ID; just use an empty one rather than failing. 
-+ asn1_attestation_id_result = std::vector(); -+ } - } - std::vector& asn1_attestation_id = asn1_attestation_id_result; - -diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp -index 3d9e87e..448a909 100644 ---- a/keystore/keystore_attestation_id.cpp -+++ b/keystore/keystore_attestation_id.cpp -@@ -35,6 +35,8 @@ - #include - #include - -+#include -+ - #include /* for AID_SYSTEM */ - - #include -@@ -210,6 +212,10 @@ build_attestation_application_id(const KeyAttestationApplicationId& key_attestat - return BAD_VALUE; - } - std::string package_name(String8(*pinfo->package_name()).string()); -+ // Prevent Google Play Services from using key attestation for SafetyNet -+ if (package_name == "com.google.android.gms") { -+ return KM_ERROR_UNIMPLEMENTED; -+ } - std::unique_ptr attestation_package_info; - auto rc = build_attestation_package_info(*pinfo, &attestation_package_info); - if (rc != NO_ERROR) { --- -2.29.2 - diff --git a/patches/8/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch b/patches/8/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch deleted file mode 100644 index 7796e05..0000000 --- a/patches/8/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From f106ca40883616561fe866daadc11011bbecb806 Mon Sep 17 00:00:00 2001 -From: Danny Lin -Date: Wed, 13 Jan 2021 02:05:05 -0800 -Subject: [PATCH] keystore: Block key attestation for Google Play Services - -In order to enforce SafetyNet security, Google Play Services is now -using hardware attestation for ctsProfile validation in all cases, even -when basic attestation is selected. The SafetyNet API response from GMS -will report that basic attestation was used, but under the hood, -hardware attestation is always used regardless of the reported state. -This results in SafetyNet failing to pass due to TrustZone reporting an -unlocked bootloader (and a partially invalidated root of trust) in the -key attestation result. - -We can still take advantage of the fact that this usage of hardware -attestation is opportunistic - that is, it falls back to basic -attestation if key attestation fails to run - and prevent GMS from using -key attestation at the framework level. This causes it to gracefully -fall back to basic attestation and pass SafetyNet with an unlocked -bootloader. - -Key attestation is still available for other apps, as there are valid -uses for it that do not involve SafetyNet. - -The "not implemented" error code from keymaster is used to simulate the -most realistic failure condition to evade detection, i.e. an old device -that lacks support for key attestation. 
- -Change-Id: Iba5fe0791622839e1bad4730593a319ea03661f2 ---- - keystore/key_store_service.cpp | 10 ++++++++-- - keystore/keystore_attestation_id.cpp | 6 ++++++ - 2 files changed, 14 insertions(+), 2 deletions(-) - -diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp -index 39341ef..2554432 100644 ---- a/keystore/key_store_service.cpp -+++ b/keystore/key_store_service.cpp -@@ -39,6 +39,8 @@ - #include "keystore_utils.h" - #include - -+#include -+ - namespace keystore { - - using namespace android; -@@ -103,8 +105,12 @@ KeyStoreServiceReturnCode updateParamsForAttestation(uid_t callingUid, Authoriza - - auto asn1_attestation_id_result = security::gather_attestation_application_id(callingUid); - if (!asn1_attestation_id_result.isOk()) { -- ALOGE("failed to gather attestation_id"); -- return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING; -+ if (asn1_attestation_id_result.status() == KM_ERROR_UNIMPLEMENTED) { -+ return KeyStoreServiceReturnCode(ErrorCode(KM_ERROR_UNIMPLEMENTED)); -+ } else { -+ ALOGE("failed to gather attestation_id"); -+ return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING; -+ } - } - std::vector& asn1_attestation_id = asn1_attestation_id_result; - -diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp -index 830482b..362bbc5 100644 ---- a/keystore/keystore_attestation_id.cpp -+++ b/keystore/keystore_attestation_id.cpp -@@ -34,6 +34,8 @@ - #include - #include - -+#include -+ - #include - #include - -@@ -165,6 +167,10 @@ build_attestation_application_id(const KeyAttestationApplicationId& key_attestat - return BAD_VALUE; - } - std::string package_name(String8(*pinfo->package_name()).string()); -+ // Prevent Google Play Services from using key attestation for SafetyNet -+ if (package_name == "com.google.android.gms") { -+ return KM_ERROR_UNIMPLEMENTED; -+ } - std::unique_ptr attestation_package_info; - auto rc = build_attestation_package_info(*pinfo, &attestation_package_info); - if (rc != 
NO_ERROR) { --- -2.29.2 - diff --git a/patches/9/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch b/patches/9/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch deleted file mode 100644 index 5115939..0000000 --- a/patches/9/sys/0001-keystore-Block-key-attestation-for-Google-Play-Servi.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 1e60fb921aa6cd03398acee1ce6ca758c0b39fd0 Mon Sep 17 00:00:00 2001 -From: Danny Lin -Date: Wed, 13 Jan 2021 02:05:05 -0800 -Subject: [PATCH] keystore: Block key attestation for Google Play Services - -In order to enforce SafetyNet security, Google Play Services is now -using hardware attestation for ctsProfile validation in all cases, even -when basic attestation is selected. The SafetyNet API response from GMS -will report that basic attestation was used, but under the hood, -hardware attestation is always used regardless of the reported state. -This results in SafetyNet failing to pass due to TrustZone reporting an -unlocked bootloader (and a partially invalidated root of trust) in the -key attestation result. - -We can still take advantage of the fact that this usage of hardware -attestation is opportunistic - that is, it falls back to basic -attestation if key attestation fails to run - and prevent GMS from using -key attestation at the framework level. This causes it to gracefully -fall back to basic attestation and pass SafetyNet with an unlocked -bootloader. - -Key attestation is still available for other apps, as there are valid -uses for it that do not involve SafetyNet. - -The "not implemented" error code from keymaster is used to simulate the -most realistic failure condition to evade detection, i.e. an old device -that lacks support for key attestation. 
- -Change-Id: Iba5fe0791622839e1bad4730593a319ea03661f2 ---- - keystore/key_store_service.cpp | 9 +++++++-- - keystore/keystore_attestation_id.cpp | 6 ++++++ - 2 files changed, 13 insertions(+), 2 deletions(-) - -diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp -index 6b26b57..352d708 100644 ---- a/keystore/key_store_service.cpp -+++ b/keystore/key_store_service.cpp -@@ -45,6 +45,7 @@ - #include - - #include -+#include - - namespace keystore { - -@@ -121,8 +122,12 @@ KeyStoreServiceReturnCode updateParamsForAttestation(uid_t callingUid, Authoriza - - auto asn1_attestation_id_result = security::gather_attestation_application_id(callingUid); - if (!asn1_attestation_id_result.isOk()) { -- ALOGE("failed to gather attestation_id"); -- return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING; -+ if (asn1_attestation_id_result.status() == KM_ERROR_UNIMPLEMENTED) { -+ return KeyStoreServiceReturnCode(KM_ERROR_UNIMPLEMENTED); -+ } else { -+ ALOGE("failed to gather attestation_id"); -+ return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING; -+ } - } - std::vector& asn1_attestation_id = asn1_attestation_id_result; - -diff --git a/keystore/keystore_attestation_id.cpp b/keystore/keystore_attestation_id.cpp -index 3d34ac5..16f3bf6 100644 ---- a/keystore/keystore_attestation_id.cpp -+++ b/keystore/keystore_attestation_id.cpp -@@ -34,6 +34,8 @@ - #include - #include - -+#include -+ - #include /* for AID_SYSTEM */ - - #include -@@ -181,6 +183,10 @@ build_attestation_application_id(const KeyAttestationApplicationId& key_attestat - return BAD_VALUE; - } - std::string package_name(String8(*pinfo->package_name()).string()); -+ // Prevent Google Play Services from using key attestation for SafetyNet -+ if (package_name == "com.google.android.gms") { -+ return KM_ERROR_UNIMPLEMENTED; -+ } - std::unique_ptr attestation_package_info; - auto rc = build_attestation_package_info(*pinfo, &attestation_package_info); - if (rc != NO_ERROR) { --- -2.29.2 - 
diff --git a/post-fs-data.sh b/post-fs-data.sh deleted file mode 100755 index 83692e1..0000000 --- a/post-fs-data.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/system/bin/sh - -MODPATH="/data/adb/modules/safetynet-fix" - -# Get runtime version -sdk="$(getprop ro.build.version.sdk)" -version="$(getprop ro.vendor.build.version.release)" - -# Prepare to update version -rm -fr "$MODPATH/system" - -# Make sure version is supported -if [[ ! -d "$MODPATH/system_sdk$sdk" ]]; then - exit -fi - -# Symlink results in the wrong SELinux context -cp -r "$MODPATH/system_sdk$sdk" "$MODPATH/system" diff --git a/service.sh b/service.sh deleted file mode 100755 index 5f5d95f..0000000 --- a/service.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/usr/bin/env bash - -# Keystore v2 starts before Magisk on Android 12, so it needs to be restarted. -# Do this in service.sh to make sure that files have been mounted already. -sdk="$(getprop ro.build.version.sdk)" -if [[ "$sdk" -ge 31 ]]; then - stop keystore2 - start keystore2 -fi diff --git a/system_sdk26/bin/keystore b/system_sdk26/bin/keystore deleted file mode 100755 index 2d22c88..0000000 Binary files a/system_sdk26/bin/keystore and /dev/null differ diff --git a/system_sdk27/bin/keystore b/system_sdk27/bin/keystore deleted file mode 100755 index 23ba51e..0000000 Binary files a/system_sdk27/bin/keystore and /dev/null differ diff --git a/system_sdk28/bin/keystore b/system_sdk28/bin/keystore deleted file mode 100755 index 4b21bb4..0000000 Binary files a/system_sdk28/bin/keystore and /dev/null differ diff --git a/system_sdk29/bin/keystore b/system_sdk29/bin/keystore deleted file mode 100755 index 6622850..0000000 Binary files a/system_sdk29/bin/keystore and /dev/null differ diff --git a/system_sdk30/bin/keystore b/system_sdk30/bin/keystore deleted file mode 100755 index 568753f..0000000 Binary files a/system_sdk30/bin/keystore and /dev/null differ 
diff --git a/system_sdk30/lib64/libkeystore-attestation-application-id.so b/system_sdk30/lib64/libkeystore-attestation-application-id.so deleted file mode 100755 index 61e23a4..0000000 Binary files a/system_sdk30/lib64/libkeystore-attestation-application-id.so and /dev/null differ diff --git a/system_sdk31/bin/keystore2 b/system_sdk31/bin/keystore2 deleted file mode 100755 index 655575a..0000000 Binary files a/system_sdk31/bin/keystore2 and /dev/null differ diff --git a/system_sdk31/lib64/libkeystore-attestation-application-id.so b/system_sdk31/lib64/libkeystore-attestation-application-id.so deleted file mode 100755 index 3820497..0000000 Binary files a/system_sdk31/lib64/libkeystore-attestation-application-id.so and /dev/null differ
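Review bot: in the `updateParamsForAttestation` hunk of the removed keystore patches, the new `KM_ERROR_UNIMPLEMENTED` branch returns without logging, while the `else` branch keeps `ALOGE("failed to gather attestation_id")`, so an attestation request refused on this path leaves nothing in the log to diagnose it. A log line on that branch would fix this, and the `else` after `return` can be dropped. The copy under `patches/9/sys/` builds the return value as `KeyStoreServiceReturnCode(KM_ERROR_UNIMPLEMENTED)` while the copy before it uses `KeyStoreServiceReturnCode(ErrorCode(KM_ERROR_UNIMPLEMENTED))`; neither says why the two trees differ.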
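Review bot: in the `build_attestation_application_id` hunk, `return KM_ERROR_UNIMPLEMENTED;` sends a keymaster error code down a return path whose neighbouring values are `BAD_VALUE` and `NO_ERROR`, and `key_store_service.cpp` then depends on it through `.status() == KM_ERROR_UNIMPLEMENTED`. Mixing the two error domains in one return value is fragile and nothing in the hunk documents the coupling; the comment above the check should state that the value is a sentinel consumed by `updateParamsForAttestation`. The package name is also compared as an inline string literal, where a named constant would make the special case easier to find in an audit.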
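Review bot: in `post-fs-data.sh`, `version` is read from `ro.vendor.build.version.release` and never used, so the assignment can go. The result of `cp -r "$MODPATH/system_sdk$sdk" "$MODPATH/system"` is not checked, which means a failed copy leaves a partial `system` directory in place after the earlier `rm -fr`. The test uses `[[ ... ]]` under a `#!/system/bin/sh` shebang; `[ ... ]` would avoid relying on a shell extension.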
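Review bot: `service.sh` restarts `keystore2` whenever `sdk` is 31 or higher, but `post-fs-data.sh` exits without installing anything when `$MODPATH/system_sdk$sdk` is missing, and the only `keystore2` payload in this diff is `system_sdk31`. On any higher SDK level the daemon is stopped and started with nothing replaced, so the restart should be gated on the same directory check. The `#!/usr/bin/env bash` shebang is also inconsistent with the `#!/system/bin/sh` used in `post-fs-data.sh`.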
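Review bot: the `system_sdk26` through `system_sdk31` entries are prebuilt `keystore`, `keystore2` and `libkeystore-attestation-application-id.so` files that appear only as `Binary files ... differ`, with no checksum or build recipe in the diff tying them to the sources under `patches/`. Since these replace a system daemon that handles key material, each binary should have been accompanied by a recorded hash and the exact tree it was built from; with the patches removed in the same change, the blob index ids are the only remaining reference for anyone auditing an installed copy.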