Next public release(s) will be published after robustness improvements
to fingerprint spoofing are done. In the meantime, revert this to avoid
linking to a 404 release.
"AndroidCAStore" always seems to be used early in the attestation
process, before the fingerprint is checked.
Dynamic patching avoids problems with device detection and functionality
that can be caused by permanently spoofing another device.
Closes #207, closes #224, closes #222, closes #220, closes #218, closes #212, closes #211, closes #210, closes #204, closes #203, closes #201, closes #196, closes #188, closes #171, closes #170
If ro.product.first_api_level is 33, it's forced to use HW attestation even though the SafetyNet checker app shows BASIC
setting it to 32 allows for software attestation and passing CTS
Signed-off-by: Anirudh Gupta <anirudhgupta109@aosip.dev>
Key attestation was introduced in Android 7.0, but Android 7.x doesn't
have InMemoryDexClassLoader so our Zygisk module is incompatible.
In general, users on such old versions of Android don't need to bypass
hardware-backed attestation (which isn't even applicable on Android 6
and older), so allow them to install the module without the Zygisk part.
Closes #156.
- move ro.boot.vbmeta.device_state to late props since any earlier appears to break Oppo (ColorOS/OOS12) fingerprint readers
Thanks @MlgmXyysd
Fixes #157
Originally Magisk required the Denylist to be enforced to access the Denylist.
When enforced, Magisk is unloaded while the processes on the Denylist are called.
Now you can access the Denylist when it is not enforced.
Since Magisk runs normally when not enforced, the Denylist is just a list.
No need to remove 'gms' from the Denylist when it is not enforced.
- I recently discovered `ro.is_ever_orange` on OOS 11, which gets set roughly 32 seconds after boot completed and is equal to the number of times a device has ever been `fastboot oem unlock`ed
- a fresh MSM (i.e. factory locked device) has it set to 0, and using system.prop to set it to 0 earlier in the boot seems to keep it set to 0 instead of the real unlock count
- I haven't seen this exploited anywhere, though I presume it exists for a reason, so probably good to manage it as well
Android 7.x lacks the InMemoryDexClassLoader API, which is necessary for
the module to load Java code, and is unlikely to support hardware
attestation on any production devices anyway.
Fixes #124, #127
- move ro.boot.flash.locked to late props since any earlier appears to break Realme fingerprint readers
Thanks @byxiaorun for finding the problem prop, and @Jowat97 for testing
This ensures that GMS will never start before it's removed from the
DenyList, even if another module's service.sh is blocking our script.
Suggested-by: osm0sis <osm0sis@outlook.com>
Zygisk is now the primary implementation of this module.
NB: The Zygisk module template is in the public domain, so attribution
is no longer needed in the license.