mirror of
https://github.com/kdrag0n/safetynet-fix.git
synced 2024-10-04 13:49:51 +00:00
6e35ac2b6c
This method is more portable, does not require a different executable for each Android version, and avoids breaking ROMs with heavy keystore customizations. It works by injecting a shared library into the keystore service and wrapping the Binder transaction handler in the generated AIDL interface. Because the actual attestKey implementation is statically linked into the keystore service executable, we can't hijack it directly without messy and error-prone code patching. Instead, we check each Binder transaction handled by the AIDL stub and hijack transactions with the TRANSACTION_attestKey code. In order to keep key attestation working for apps, we only block Google Play Services by checking the command line of the calling process through Binder. This is not infallible and can be spoofed, but it's much easier to do in C++ than looking up the calling UID's package name through PackageManagerService. There are no negative security implications as the only difference is a denied operation. We can't set LD_PRELOAD for the keystore service because Magisk modules start too late to modify its init.rc, so we inject the shim library as a dependency instead using patchelf and build it with the DF_1_GLOBAL ELF flag to make the dynamic linker prioritize it in symbol resolution. TRANSACTION_attestKey values and AIDL stub names by Android version: Android 10 - 11 (SDK 29-30): TX# 28, android::security::keystore::BnKeystoreService Android 9 (SDK 28 ): TX# 35, android::security::BnKeystoreService Android 7.0 - 8.1.0 (SDK 24-27): TX# 36, android::BnKeystoreService Fixes #3, #6, #7, #8, #10, and #12.
23 lines
759 B
Bash
Executable File
23 lines
759 B
Bash
Executable File
#!/sbin/sh
|
|
|
|
# We check the native ABI instead of all supported ABIs because this is a system
|
|
# service, and underlying AIDL/HIDL ABIs may not match. We also link against other
|
|
# system libraries.
|
|
arch="$(getprop ro.product.cpu.abi)"
|
|
if [[ "$arch" != "arm64-v8a" ]] && [[ "$arch" != "armeabi-v7a" ]]; then
|
|
ui_print "Unsupported CPU architecture: $arch"
|
|
exit 1
|
|
fi
|
|
|
|
# Key attestation was introduced in Android 7.0
|
|
sdk="$(getprop ro.build.version.sdk)"
|
|
if [[ "$sdk" -lt 24 ]]; then
|
|
version="$(getprop ro.vendor.build.version.release)"
|
|
ui_print "Android $version (SDK $sdk) does not support key attestation, not installing."
|
|
exit 1
|
|
fi
|
|
|
|
mkdir $MODPATH/system/bin
|
|
chmod 755 $MODPATH/post-fs-data.sh
|
|
set_perm_recursive $MODPATH/_bin 0 0 0755 0755
|