mirror of
https://github.com/kdrag0n/safetynet-fix.git
synced 2024-11-20 05:14:20 +00:00
6e35ac2b6c
This method is more portable, does not require a different executable for each Android version, and avoids breaking ROMs with heavy keystore customizations. It works by injecting a shared library into the keystore service and wrapping the Binder transaction handler in the generated AIDL interface. Because the actual attestKey implementation is statically linked into the keystore service executable, we can't hijack it directly without messy and error-prone code patching. Instead, we check each Binder transaction handled by the AIDL stub and hijack transactions with the TRANSACTION_attestKey code. In order to keep key attestation working for apps, we only block Google Play Services by checking the command line of the calling process through Binder. This is not infallible and can be spoofed, but it's much easier to do in C++ than looking up the calling UID's package name through PackageManagerService. There are no negative security implications as the only difference is a denied operation. We can't set LD_PRELOAD for the keystore service because Magisk modules start too late to modify its init.rc, so we inject the shim library as a dependency instead using patchelf and build it with the DF_1_GLOBAL ELF flag to make the dynamic linker prioritize it in symbol resolution. TRANSACTION_attestKey values and AIDL stub names by Android version: Android 10 - 11 (SDK 29-30): TX# 28, android::security::keystore::BnKeystoreService Android 9 (SDK 28 ): TX# 35, android::security::BnKeystoreService Android 7.0 - 8.1.0 (SDK 24-27): TX# 36, android::BnKeystoreService Fixes #3, #6, #7, #8, #10, and #12.
24 KiB
Executable File
24 KiB
Executable File