├── _config.yml
├── update.json
├── module.json
├── SECURITY.md
├── changelog.md
├── README.zh-CN.md
└── README.md
/_config.yml:
--------------------------------------------------------------------------------
theme: jekyll-theme-slate

--------------------------------------------------------------------------------
/update.json:
--------------------------------------------------------------------------------
{
  "versionCode": 245,
  "version": "v1.4.1",
  "zipUrl": "https://github.com/5ec1cff/TrickyStore/releases/download/1.4.1/Tricky-Store-v1.4.1-245-72b2e84-release.zip",
  "changelog": "https://github.com/5ec1cff/TrickyStore/raw/release/changelog.md"
}

--------------------------------------------------------------------------------
/module.json:
--------------------------------------------------------------------------------
{
  "summary": "A trick of keystore",
  "sourceUrl": "https://github.com/5ec1cff/TrickyStore",
  "additionalAuthors": [
    {
      "type": "add",
      "name": "aviraxp",
      "link": "https://github.com/aviraxp"
    },
    {
      "type": "add",
      "name": "Cyberenchanter",
      "link": "https://github.com/Cyberenchanter"
    }
  ]
}

--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
# Security

### Will TrickyStore expose my private keys?

It depends. Most of the time, private keys generated by the Android Keystore Provider remain securely in the TEE/StrongBox and are never exposed to TrickyStore or any other Android software. However, there are two exceptions:

* Usually, TrickyStore uses keybox.xml to (re)sign the certificate of a public key from the Android Keystore if that certificate contains an attestation extension that includes the verified boot status. However, an application can explicitly choose another attest key in the Keystore to sign a newly generated public key certificate. In this case, TrickyStore has to know the private key of that attest key in order to (re)sign the certificate, so it generates a new attest key, or intercepts an imported one, at the software level.

* On some brands' devices (such as OnePlus), the OEM disables the Android Keystore Provider's ability to generate asymmetric keys while the bootloader is unlocked (commonly known as teeBroken). In this case, TrickyStore has to act in the stead of the Android Keystore and handle all asymmetric key generation; this is known as 'generate mode', as opposed to the usual 'hack mode'.

When TrickyStore determines that it needs to own a private key, the key is stored in an SQLite database under `/data/adb/tricky_store/key_db`. This directory is accessible only by the root user, which offers some protection from regular applications.

### Will TrickyStore compromise the chain of trust by re-signing certificates?

TrickyStore currently does not check whether the certificate chain of to-be-hacked keys is valid. Even if it did check it according to Google's terms, given the keyboxes readily available on the Internet, any attacker could bypass the check by signing their key with a valid keybox.

### If you have any suggestions to improve TrickyStore's security, or want to point out any other security flaw, feel free to open an issue.
--------------------------------------------------------------------------------
/changelog.md:
--------------------------------------------------------------------------------
# 1.4.1

- Fix some issues

# 1.4.0

- Support persistent storage of generated keys
- Support automatic parsing of AVB keys (MediaTek devices seem to use a custom algorithm, currently not supported)
- Support parsing and importing of custom attestation keys
- Support intercepting and simulating more keystore operations
- Fix some certificate chain generation issues

# 1.3.0

- Support for the new moduleHash field introduced in KeyMint 4.0
- Compatibility with Android 16
- Fixed occasional injection failures
- Added Play Store to the default scope list
- Resolved numerous certificate chain generation issues

# 1.2.1

- Support customizing the security patch level (please refer to README.md)

# 1.2.0

- Fixed the injection failure issue
- Fixed the installation failure issue
- Fixed the error issue under cert hack

# 1.2.0-RC2

- Leaf hack mode will also change the security level and root of trust to non-software based
- Fix missing osVersion field

# 1.2.0-RC1

- Add initial support for Android 10-11 (Thanks @N-X-T)
- Auto mode will detect if hardware encryption is supported
- Fix issue that module may be corrupted
- Fix issue with certificate signature algorithm selection

--------------------------------------------------------------------------------
/README.zh-CN.md:
--------------------------------------------------------------------------------
# Tricky Store

**Supports Android 10 and above**.

This module is used to modify the Android KeyAttestation certificate chain generated by the Android Keystore.

[中文 README](README.zh-CN.md)

## No longer open source

Considering the proliferation of unauthorized modifications, and that the contributions received after open-sourcing were fewer than expected, this module has been released closed-source since version 1.1.0.

## Usage

1. Flash the module and reboot.
2. For more than DEVICE integrity, put an unrevoked hardware keybox.xml at `/data/adb/tricky_store/keybox.xml` (optional).
3. Customize the package names the modification applies to in `/data/adb/tricky_store/target.txt` (optional).
4. Done!

**All configuration takes effect immediately**

## keybox.xml

Format:

```xml


1



-----BEGIN EC PRIVATE KEY-----
...
-----END EC PRIVATE KEY-----


...

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

... more certificates

...


```

## Support for devices with a broken TEE

By default, TrickyStore modifies the leaf certificate issued by the TEE.
This does not work on devices with a broken TEE, because the TEE cannot provide a certificate chain.
Therefore, TrickyStore automatically switches to certificate-chain generation mode.

In target.txt, adding a `!` after a package name forces certificate-chain generation mode.
Adding a `?` after a package name forces certificate-chain modification mode. Without a suffix, the mode is chosen automatically.

Example

```
# target.txt
# use auto mode for the KeyAttestation app
io.github.vvb2060.keyattestation
# use certificate-chain modification mode for momo
io.github.vvb2060.mahoshojo?
# use certificate-chain generation mode for gms
com.google.android.gms!
```

## Customize the security patch level (1.2.1+)

Configuration file: `/data/adb/tricky_store/security_patch.txt`

Simple:

```
# modify the os/vendor/boot security patch level
20241101
```

Advanced:

```
# os security patch level is 202411
system=202411
# do not modify the boot security patch level
boot=no
# vendor security patch level 20241101 (using the other format)
vendor=2024-11-01
# default value
# all=20241101
# system security patch level follows the system property
# system=prop
```

Note: this feature only modifies the result returned by KeyAttestation; it does not reset system properties.

## Acknowledgement

- [FrameworkPatch](https://github.com/chiteroman/FrameworkPatch)
- [BootloaderSpoofer](https://github.com/chiteroman/BootloaderSpoofer)
- [KeystoreInjection](https://github.com/aviraxp/Zygisk-KeystoreInjection)
- [LSPosed](https://github.com/LSPosed/LSPosed)

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Tricky Store

A trick of keystore. **Android 10 or above is required**.

This module is used for modifying the certificate chain generated for Android Key Attestation.

[中文 README](README.zh-CN.md)

## No longer open source

Due to rampant misuse, and because the contributions received after open-sourcing were fewer than expected, this module is closed-source starting from version 1.1.0.

## Usage

1. Flash this module and reboot.
2. For more than DEVICE integrity, put an unrevoked hardware keybox.xml at `/data/adb/tricky_store/keybox.xml` (optional).
3. Customize target packages at `/data/adb/tricky_store/target.txt` (optional).
4. Enjoy!

**All configuration files take effect immediately.**

## keybox.xml

Format:

```xml


1



-----BEGIN EC PRIVATE KEY-----
...
-----END EC PRIVATE KEY-----


...

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

... more certificates

...


```

## Support for TEE-broken devices

Tricky Store hacks the leaf certificate by default.
On TEE-broken devices this does not work, because the leaf certificate cannot be retrieved from the TEE.
In that case, Tricky Store falls back to generate-key mode automatically.

Add a `!` after a package name to force certificate-generating mode for that package.
Add a `?` after a package name to force leaf hack mode for that package.

For example:

```
# target.txt
# use auto mode for the KeyAttestation app
io.github.vvb2060.keyattestation
# always use leaf hack mode
io.github.vvb2060.mahoshojo?
# always use certificate-generating mode for gms
com.google.android.gms!
```

## Customize the security patch level (1.2.1+)

Create the file `/data/adb/tricky_store/security_patch.txt`.

Simple:

```
# Hack the os/vendor/boot security patch level
20241101
```

Advanced:

```
# os security patch level is 202411
system=202411
# do not hack the boot patch level
boot=no
# vendor patch level is 20241101 (another format)
vendor=2024-11-01
# default value
# all=20241101
# keep consistent with the system prop
# system=prop
```

Note: this feature only hacks the KeyAttestation result; it does not run resetprop, so you need to do that yourself.
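As an added example, not code from the TrickyStore project (which is closed-source), here is a Python parser for the two configuration files documented above: `target.txt` with its `!`/`?` mode suffixes, and `security_patch.txt` in both its simple and advanced forms. The `Mode` names, the rule that a specific `system=`/`boot=`/`vendor=` key overrides `all` regardless of line order, the treatment of only `#`-prefixed lines as comments, and the package-name validation are assumptions of this example, not documented behaviour.

```python
"""Parsers for TrickyStore's target.txt and security_patch.txt.

Added example for this page, not TrickyStore's own code. Where the README is
silent it assumes: only lines starting with `#` are comments; a specific key
(system/boot/vendor) overrides `all` regardless of order; package names must
look like Android package names.
"""
from __future__ import annotations

import re
from enum import Enum

# Android package-name shape used for validation (assumption of this example).
_PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
# Accepted patch levels: YYYYMMDD, YYYY-MM-DD, YYYYMM or YYYY-MM.
_LEVEL_RE = re.compile(r"^(\d{4})-?(\d{2})(?:-?(\d{2}))?$")

PATCH_COMPONENTS = ("system", "boot", "vendor")
NO = "no"      # leave the value the TEE reported untouched
PROP = "prop"  # keep consistent with the system property


class Mode(Enum):
    """Per-package mode selected by the target.txt suffix."""
    AUTO = "auto"            # no suffix: leaf hack if the TEE works, else generate
    LEAF_HACK = "leaf_hack"  # `?` suffix: always hack the TEE-issued leaf cert
    GENERATE = "generate"    # `!` suffix: always generate the certificate chain


def _content_lines(text: str):
    """Yield stripped, non-empty lines that are not `#` comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_target_txt(text: str) -> dict[str, Mode]:
    """Map each package name in target.txt to its Mode; a later line wins."""
    targets: dict[str, Mode] = {}
    for line in _content_lines(text):
        if line.endswith("!"):
            name, mode = line[:-1], Mode.GENERATE
        elif line.endswith("?"):
            name, mode = line[:-1], Mode.LEAF_HACK
        else:
            name, mode = line, Mode.AUTO
        if not _PACKAGE_RE.match(name):
            raise ValueError(f"not a package name: {line!r}")
        targets[name] = mode
    return targets


def normalize_level(value: str) -> str:
    """Return `no`, `prop`, or the patch level as digits (YYYYMM or YYYYMMDD)."""
    v = value.strip().lower()
    if v in (NO, PROP):
        return v
    m = _LEVEL_RE.match(v)
    if not m:
        raise ValueError(f"bad patch level: {value!r}")
    year, month, day = m.groups()
    if not 1 <= int(month) <= 12 or (day is not None and not 1 <= int(day) <= 31):
        raise ValueError(f"bad patch level: {value!r}")
    return year + month + (day or "")


def parse_security_patch_txt(text: str) -> dict[str, str | None]:
    """Resolve the configured level for system, boot and vendor.

    A bare value (simple form) or `all=` applies to every component;
    `system=`, `boot=` and `vendor=` override it. None means "not configured".
    """
    default: str | None = None
    specific: dict[str, str] = {}
    for line in _content_lines(text):
        key, sep, value = line.partition("=")
        if not sep:
            default = normalize_level(line)  # simple form: one bare date
            continue
        key = key.strip().lower()
        if key == "all":
            default = normalize_level(value)
        elif key in PATCH_COMPONENTS:
            specific[key] = normalize_level(value)
        else:
            raise ValueError(f"unknown key: {key!r}")
    return {c: specific.get(c, default) for c in PATCH_COMPONENTS}


# Constructed samples mirroring the README's examples.
SAMPLE_TARGET = """\
# target.txt
io.github.vvb2060.keyattestation
io.github.vvb2060.mahoshojo?
com.google.android.gms!
"""
SAMPLE_PATCH = """\
system=202411
boot=no
vendor=2024-11-01
# all=20241101
"""

if __name__ == "__main__":
    for pkg, mode in parse_target_txt(SAMPLE_TARGET).items():
        print(f"{pkg:40} {mode.value}")
    print(parse_security_patch_txt(SAMPLE_PATCH))
```

Running the module prints the mode chosen for each package in the sample `target.txt` and the resolved `{system, boot, vendor}` levels for the sample `security_patch.txt`; a malformed date such as `2024-13-01` or an unknown key raises `ValueError` instead of silently passing through.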

## Acknowledgement

- [FrameworkPatch](https://github.com/chiteroman/FrameworkPatch)
- [BootloaderSpoofer](https://github.com/chiteroman/BootloaderSpoofer)
- [KeystoreInjection](https://github.com/aviraxp/Zygisk-KeystoreInjection)
- [LSPosed](https://github.com/LSPosed/LSPosed)

--------------------------------------------------------------------------------