
how time support Android 10 #25

Closed
8MiYile opened this issue Jul 25, 2024 · 26 comments
Labels
enhancement New feature or request

Comments

@8MiYile

8MiYile commented Jul 25, 2024

No description provided.

@5ec1cff
Owner

5ec1cff commented Jul 25, 2024

waiting for a PR

@5ec1cff 5ec1cff added the enhancement New feature or request label Jul 25, 2024
@VisionR1

VisionR1 commented Jul 25, 2024

Maybe it is possible.
Unfortunately, the only things I see in common in the stub folder between A11 and A12 are content/pm (all files inside) and os (all files inside); the others, hardware/security/keymint and system/keystore2 and all files inside, don't even exist on A11 and under.
In ServiceManager.smali, getService has 19 results on A11 and 21 on A12.

@VisionR1

Maybe if we take some files from Zygisk-KeystoreInjection by @aviraxp and merge them with this project 🤔

@VisionR1

@aviraxp why the thumbs down? 😕
I just proposed it, in case anyone has the knowledge and wants to start from somewhere.

@VisionR1

VisionR1 commented Jul 25, 2024

@aviraxp
You know much better than me.
I just wrote down my thoughts, and maybe someone else can break the limit and make it work for A10+.
I respect your opinion 🙏
Thank you for your patience 😌

@5ec1cff
Owner

5ec1cff commented Jul 25, 2024

I don't have an A11- device for development, but I can offer some ideas.

Just wait for kind people to submit a PR :)


Current implementation of A12+ (keystore2)

Leaf hack: Replace the certificate chain returned by AndroidKeyStoreSpi.engineGetCertificateChain
and re-sign the leaf certificate with our keybox

Implement: hook IKeystoreService.getKeyEntry

Keypair generation: Make AndroidKeyStoreKeyPairGeneratorSpi.generateKeyPair return a keypair signed by our keybox

Implement: hook IKeystoreSecurityLevel.generateKey, generate the KeyEntryResponse from the params, including the certificate chain, and hook IKeystoreService.getKeyEntry to return the generated response

keystore2 apis:


Useful methods and apis of A11- (keystore)

Leaf hack: AndroidKeyStoreSpi.engineGetCertificateChain

Key pair generation: AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey

keystore apis:
IKeystoreService
Keystore
KeymasterDefs

@VisionR1

I don't have an A11- device for development, but I can offer some ideas.

Just wait for kind people to submit a PR :)

Current implementation of A12+ (keystore2)

Leaf hack: Replace the certificate chain returned by AndroidKeyStoreSpi.engineGetCertificateChain and re-sign the leaf certificate with our keybox

Implement: hook IKeystoreService.getKeyEntry

Keypair generation: Make AndroidKeyStoreKeyPairGeneratorSpi.generateKeyPair return a keypair signed by our keybox

Implement: hook IKeystoreSecurityLevel.generateKey, generate the KeyEntryResponse from the params, including the certificate chain, and hook IKeystoreService.getKeyEntry to return the generated response

keystore2 apis:

Useful methods and apis of A11- (keystore)

Leaf hack: AndroidKeyStoreSpi.engineGetCertificateChain

Key pair generation: AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey

keystore apis: IKeystoreService Keystore KeymasterDefs

Thank you for this.
This is exactly what I said above: people can offer ideas, and maybe afterwards, like you say, kind people will submit a PR for A11+.
I really appreciate both you and @aviraxp and all your hard work.
Thank you both for your patience 😌

@VisionR1

VisionR1 commented Jul 26, 2024

The first person I saw doing this with the leaf hack is @chiteroman in his project FrameworkPatch.

@osm0sis

osm0sis commented Jul 26, 2024

Yes, some of the ideas for this module come from FrameworkPatch and BootloaderSpoofer:
https://github.com/5ec1cff/TrickyStore?tab=readme-ov-file#acknowledgement

@VisionR1

VisionR1 commented Jul 26, 2024

Yes, some of the ideas for this module come from FrameworkPatch and BootloaderSpoofer: https://github.com/5ec1cff/TrickyStore?tab=readme-ov-file#acknowledgement

Exactly, all the other work is for A10+.
Only @5ec1cff didn't include it in this module because, as he says, he doesn't have an A11- device for development, so removing all support below A12 seems logical.
That is why I believe it is possible for A11; I tried some modifications, but I failed as always 🤣😂

@Meces97

Meces97 commented Jul 30, 2024

Please make one that supports Android 11.

@N-X-T

N-X-T commented Aug 25, 2024

I don't have an A11- device for development, but I can offer some ideas.

Just wait for kind people to submit a PR :)

Current implementation of A12+ (keystore2)

Leaf hack: Replace the certificate chain returned by AndroidKeyStoreSpi.engineGetCertificateChain and re-sign the leaf certificate with our keybox

Implement: hook IKeystoreService.getKeyEntry

Keypair generation: Make AndroidKeyStoreKeyPairGeneratorSpi.generateKeyPair return a keypair signed by our keybox

Implement: hook IKeystoreSecurityLevel.generateKey, generate the KeyEntryResponse from the params, including the certificate chain, and hook IKeystoreService.getKeyEntry to return the generated response

keystore2 apis:

Useful methods and apis of A11- (keystore)

Leaf hack: AndroidKeyStoreSpi.engineGetCertificateChain

Key pair generation: AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey

keystore apis: IKeystoreService Keystore KeymasterDefs

I'm trying to implement it for Android 11 following your comment.
Some modifications to the tryRunKeystoreInterceptor method:

    fun tryRunKeystoreInterceptor(): Boolean {
        Logger.i("trying to register keystore interceptor ($triedCount) ...")
        // A11 and below register the legacy keystore daemon under this name
        // (the upstream A12+ code looks up keystore2 instead)
        val b = ServiceManager.getService("android.security.keystore") ?: return false
        val bd = getBinderBackdoor(b)
        if (bd == null) {
            // no binder hook yet: inject libtricky_store.so into the keystore
            // process, and give up once three attempts have failed
            if (triedCount >= 3) {
                Logger.e("tried injection but still has no backdoor, exit")
                exitProcess(1)
            }
            if (!injected) {
                Logger.i("trying to inject keystore ...")
                // run the bundled injector against the pid of the keystore daemon
                val p = Runtime.getRuntime().exec(
                    arrayOf(
                        "/system/bin/sh",
                        "-c",
                        "exec ./inject `pidof keystore` libtricky_store.so entry"
                    )
                )
                // logD(p.inputStream.readBytes().decodeToString())
                // logD(p.errorStream.readBytes().decodeToString())
                if (p.waitFor() != 0) {
                    Logger.e("failed to inject! daemon exit")
                    exitProcess(1)
                }
                ...

but that gives an error in libinject.so. Does this mean the C++ code needs to be modified? Below is the log:

2024-08-26 17:23:50.838  5708-5708  TrickyStore             pid-5708                             E  Named image component already covered by previous image: /system/framework/boot.art
2024-08-26 17:23:50.997  5708-5708  TrickyStore             pid-5708                             D  Time zone APEX ICU file found: /apex/com.android.tzdata/etc/icu/icu_tzdata.dat
2024-08-26 17:23:50.998  5708-5708  TrickyStore             pid-5708                             D  I18n APEX ICU file found: /apex/com.android.i18n/etc/icu/icudt66l.dat
2024-08-26 17:23:51.335  5708-5708  TrickyStore             TrickyStore                          W  JNI RegisterNativeMethods: attempt to register 0 native methods for android.media.AudioAttributes
2024-08-26 17:23:51.372  5708-5708  AndroidRuntime          TrickyStore                          D  Calling main entry io.github.a13e300.tricky_store.MainKt
2024-08-26 17:23:51.380  5708-5708  TrickyStore             TrickyStore                          I  Welcome to TrickyStore!
2024-08-26 17:23:51.386  5708-5708  TrickyStore             TrickyStore                          I  trying to register keystore interceptor (0) ...
2024-08-26 17:23:51.389  5708-5708  System                  TrickyStore                          W  ClassLoader referenced unknown path: /system/framework/mediatek-cta.jar
2024-08-26 17:23:51.390  5708-5708  CtaManagerFactory       TrickyStore                          W  CtaManagerFactoryImpl not found
2024-08-26 17:23:51.402  5708-5708  TrickyStore             TrickyStore                          D  remote return false!
2024-08-26 17:23:51.402  5708-5708  TrickyStore             TrickyStore                          I  trying to inject keystore ...
2024-08-26 17:23:51.455  5735-5735  TrickyStore             pid-5735                             I  injecting /data/adb/modules/tricky_store/libtricky_store.so and calling entry in 5672
2024-08-26 17:23:51.456  5735-5735  TrickyStore             pid-5735                             D  stopped at entry
2024-08-26 17:23:51.459  5735-5735  TrickyStore             pid-5735                             D  libc return addr 0x735be52000
2024-08-26 17:23:51.460  5735-5735  TrickyStore             pid-5735                             D  sym close: 0x7f75796fc8
2024-08-26 17:23:51.460  5735-5735  TrickyStore             pid-5735                             D  found local base 0x7f75744000 remote base 0x735be52000
2024-08-26 17:23:51.460  5735-5735  TrickyStore             pid-5735                             D  addr 0x735bea4fc8
2024-08-26 17:23:51.461  5735-5735  TrickyStore             pid-5735                             D  sym socket: 0x7f75792278
2024-08-26 17:23:51.461  5735-5735  TrickyStore             pid-5735                             D  found local base 0x7f75744000 remote base 0x735be52000
2024-08-26 17:23:51.461  5735-5735  TrickyStore             pid-5735                             D  addr 0x735bea0278
2024-08-26 17:23:51.462  5735-5735  TrickyStore             pid-5735                             D  sym bind: 0x7f757e0540
2024-08-26 17:23:51.462  5735-5735  TrickyStore             pid-5735                             D  found local base 0x7f75744000 remote base 0x735be52000
2024-08-26 17:23:51.462  5735-5735  TrickyStore             pid-5735                             D  addr 0x735beee540
2024-08-26 17:23:51.462  5735-5735  TrickyStore             pid-5735                             D  sym recvmsg: 0x7f7579fcf0
2024-08-26 17:23:51.463  5735-5735  TrickyStore             pid-5735                             D  found local base 0x7f75744000 remote base 0x735be52000
2024-08-26 17:23:51.463  5735-5735  TrickyStore             pid-5735                             D  addr 0x735beadcf0
2024-08-26 17:23:51.463  5735-5735  TrickyStore             pid-5735                             D  sym __errno: 0x7f75792470
2024-08-26 17:23:51.463  5735-5735  TrickyStore             pid-5735                             D  found local base 0x7f75744000 remote base 0x735be52000
2024-08-26 17:23:51.463  5735-5735  TrickyStore             pid-5735                             D  addr 0x735bea0470
2024-08-26 17:23:51.463  5735-5735  TrickyStore             pid-5735                             V  calling remote function 735bea0278 args 3
2024-08-26 17:23:51.463  5735-5735  TrickyStore             pid-5735                             V  arg 0x1
2024-08-26 17:23:51.463  5735-5735  TrickyStore             pid-5735                             V  arg 0x80002
2024-08-26 17:23:51.463  5735-5735  TrickyStore             pid-5735                             V  arg 0x0
2024-08-26 17:23:51.463  5735-5735  TrickyStore             pid-5735                             D  socket name gfyi19G1GbTGgxOb
2024-08-26 17:23:51.463  5735-5735  TrickyStore             pid-5735                             V  write to 5672 addr 7fe6be1a70 size 110 use_proc_mem=0
2024-08-26 17:23:51.463  5735-5735  TrickyStore             pid-5735                             D  pushed mem 7fe6be1a70
2024-08-26 17:23:51.463  5735-5735  TrickyStore             pid-5735                             V  calling remote function 735beee540 args 3
2024-08-26 17:23:51.463  5735-5735  TrickyStore             pid-5735                             V  arg 0x7
2024-08-26 17:23:51.464  5735-5735  TrickyStore             pid-5735                             V  arg 0x7fe6be1a70
2024-08-26 17:23:51.464  5735-5735  TrickyStore             pid-5735                             V  arg 0x13
2024-08-26 17:23:51.464  5735-5735  TrickyStore             pid-5735                             V  write to 5672 addr 7fe6be1a50 size 24 use_proc_mem=0
2024-08-26 17:23:51.464  5735-5735  TrickyStore             pid-5735                             D  pushed mem 7fe6be1a50
2024-08-26 17:23:51.464  5735-5735  TrickyStore             pid-5735                             V  write to 5672 addr 7fe6be1a10 size 56 use_proc_mem=0
2024-08-26 17:23:51.464  5735-5735  TrickyStore             pid-5735                             D  pushed mem 7fe6be1a10
2024-08-26 17:23:51.464  5735-5735  TrickyStore             pid-5735                             V  calling remote function 735beadcf0 args 3
2024-08-26 17:23:51.464  5735-5735  TrickyStore             pid-5735                             V  arg 0x7
2024-08-26 17:23:51.464  5735-5735  TrickyStore             pid-5735                             V  arg 0x7fe6be1a10
2024-08-26 17:23:51.464  5735-5735  TrickyStore             pid-5735                             V  arg 0x100
2024-08-26 17:23:51.464  5735-5735  TrickyStore             pid-5735                             D  remote lib fd: 8
2024-08-26 17:23:51.464  5735-5735  TrickyStore             pid-5735                             V  calling remote function 735bea4fc8 args 1
2024-08-26 17:23:51.464  5735-5735  TrickyStore             pid-5735                             V  arg 0x7
2024-08-26 17:23:51.465  5735-5735  TrickyStore             pid-5735                             D  sym android_dlopen_ext: 0x7f757260c0
2024-08-26 17:23:51.466  5735-5735  TrickyStore             pid-5735                             D  found local base 0x7f75725000 remote base 0x735c835000
2024-08-26 17:23:51.466  5735-5735  TrickyStore             pid-5735                             D  addr 0x735c8360c0
2024-08-26 17:23:51.466  5735-5735  TrickyStore             pid-5735                             V  write to 5672 addr 7fe6be19e0 size 48 use_proc_mem=0
2024-08-26 17:23:51.466  5735-5735  TrickyStore             pid-5735                             D  pushed mem 7fe6be19e0
2024-08-26 17:23:51.466  5735-5735  TrickyStore             pid-5735                             V  write to 5672 addr 7fe6be19a0 size 50 use_proc_mem=0
2024-08-26 17:23:51.466  5735-5735  TrickyStore             pid-5735                             D  pushed string 7fe6be19a0
2024-08-26 17:23:51.466  5735-5735  TrickyStore             pid-5735                             V  calling remote function 735c8360c0 args 3
2024-08-26 17:23:51.466  5735-5735  TrickyStore             pid-5735                             V  arg 0x7fe6be19a0
2024-08-26 17:23:51.467  5735-5735  TrickyStore             pid-5735                             V  arg 0x2
2024-08-26 17:23:51.467  5735-5735  TrickyStore             pid-5735                             V  arg 0x7fe6be19e0
2024-08-26 17:23:51.468  5735-5735  TrickyStore             pid-5735                             D  remote handle 0x0
2024-08-26 17:23:51.468  5735-5735  TrickyStore             pid-5735                             E  handle is null
2024-08-26 17:23:51.468  5735-5735  TrickyStore             pid-5735                             D  sym dlerror: 0x7f75726030
2024-08-26 17:23:51.468  5735-5735  TrickyStore             pid-5735                             D  found local base 0x7f75725000 remote base 0x735c835000
2024-08-26 17:23:51.468  5735-5735  TrickyStore             pid-5735                             D  addr 0x735c836030
2024-08-26 17:23:51.468  5735-5735  TrickyStore             pid-5735                             V  calling remote function 735c836030 args 0
2024-08-26 17:23:51.468  5735-5735  TrickyStore             pid-5735                             D  dlerror str 0x735df155e8
2024-08-26 17:23:51.469  5735-5735  TrickyStore             pid-5735                             D  sym strlen: 0x7f7578ecf0
2024-08-26 17:23:51.469  5735-5735  TrickyStore             pid-5735                             D  found local base 0x7f75744000 remote base 0x735be52000
2024-08-26 17:23:51.469  5735-5735  TrickyStore             pid-5735                             D  addr 0x735be9ccf0
2024-08-26 17:23:51.469  5735-5735  TrickyStore             pid-5735                             V  calling remote function 735be9ccf0 args 1
2024-08-26 17:23:51.469  5735-5735  TrickyStore             pid-5735                             V  arg 0x735df155e8
2024-08-26 17:23:51.470  5735-5735  TrickyStore             pid-5735                             E  dlerror info dlopen failed: cannot locate symbol "_ZN7android7RefBase12weakref_type18incWeakRequireWeakEPKv" referenced by "/data/adb/modules/tricky_store/libtricky_store.so"...
2024-08-26 17:23:51.482  5708-5708  TrickyStore             TrickyStore                          E  [I][5735:5735][TrickyStore]:injecting /data/adb/modules/tricky_store/libtricky_store.so and calling entry in 5672
2024-08-26 17:23:51.483  5708-5708  TrickyStore             TrickyStore                          E  failed to inject! daemon exit
2024-08-26 17:23:51.485  5708-5708  TrickyStore             TrickyStore                          I  System.exit called, status: 1
2024-08-26 17:23:51.485  5708-5708  AndroidRuntime          TrickyStore                          I  VM exiting with result code 1.

@MhmRdd

MhmRdd commented Aug 25, 2024

I don't have an A11- device for development, but I can offer some ideas.

Just wait for kind people to submit a PR :)

Current implementation of A12+ (keystore2)

Leaf hack: Replace the certificate chain returned by AndroidKeyStoreSpi.engineGetCertificateChain and re-sign the leaf certificate with our keybox

Implement: hook IKeystoreService.getKeyEntry

Keypair generation: Make AndroidKeyStoreKeyPairGeneratorSpi.generateKeyPair return a keypair signed by our keybox

Implement: hook IKeystoreSecurityLevel.generateKey, generate the KeyEntryResponse from the params, including the certificate chain, and hook IKeystoreService.getKeyEntry to return the generated response

keystore2 apis:

Useful methods and apis of A11- (keystore)

Leaf hack: AndroidKeyStoreSpi.engineGetCertificateChain

Key pair generation: AndroidKeyStoreKeyGeneratorSpi.engineGenerateKey

keystore apis: IKeystoreService Keystore KeymasterDefs

I'm trying to implement it for Android 11 following your comment.
Some modifications to the tryRunKeystoreInterceptor method:

    fun tryRunKeystoreInterceptor(): Boolean {
        Logger.i("trying to register keystore interceptor ($triedCount) ...")
        // A11 and below register the legacy keystore daemon under this name
        // (the upstream A12+ code looks up keystore2 instead)
        val b = ServiceManager.getService("android.security.keystore") ?: return false
        val bd = getBinderBackdoor(b)
        if (bd == null) {
            // no binder hook yet: inject libtricky_store.so into the keystore
            // process, and give up once three attempts have failed
            if (triedCount >= 3) {
                Logger.e("tried injection but still has no backdoor, exit")
                exitProcess(1)
            }
            if (!injected) {
                Logger.i("trying to inject keystore ...")
                // run the bundled injector against the pid of the keystore daemon
                val p = Runtime.getRuntime().exec(
                    arrayOf(
                        "/system/bin/sh",
                        "-c",
                        "exec ./inject `pidof keystore` libtricky_store.so entry"
                    )
                )
                // logD(p.inputStream.readBytes().decodeToString())
                // logD(p.errorStream.readBytes().decodeToString())
                if (p.waitFor() != 0) {
                    Logger.e("failed to inject! daemon exit")
                    exitProcess(1)
                }
                ...

but that gives an error in libinject.so. Does this mean the C++ code needs to be modified? Below is the log:

--------- beginning of main
--------- beginning of system
2024-08-25 19:23:18.692   903-903   TrickyStore             pid-903                              E  Named image component already covered by previous image: /system/framework/boot.art
2024-08-25 19:23:19.998   903-903   TrickyStore             pid-903                              W  JNI RegisterNativeMethods: attempt to register 0 native methods for android.media.AudioAttributes
2024-08-25 19:23:20.125   903-903   TrickyStore             pid-903                              I  Welcome to TrickyStore!
2024-08-25 19:23:20.153   903-903   TrickyStore             pid-903                              I  trying to register keystore interceptor (0) ...
2024-08-25 19:23:20.185   903-903   TrickyStore             pid-903                              I  trying to inject keystore ...
2024-08-25 19:23:20.257  1114-1114  TrickyStore             pid-1114                             I  injecting /data/adb/modules/tricky_store/libtricky_store.so and calling entry in 741
2024-08-25 19:23:20.265  1114-1114  TrickyStore             pid-1114                             E  handle is null
--------- beginning of crash
2024-08-25 19:23:20.267  1114-1114  TrickyStore             pid-1114                             E  dlerror info dlopen failed: cannot locate symbol "_ZN7android7RefBase12weakref_type18incWeakRequireWeakEPKv" referenced by "/data/adb/modules/tricky_store/libtricky_store.so"...
2024-08-25 19:23:20.268   903-903   TrickyStore             pid-903                              E  failed to inject! daemon exit
2024-08-25 19:23:20.276   903-903   TrickyStore             pid-903                              I  System.exit called, status: 1

Yes, you need to check against the source code of libtricky_store.so, specifically the dlsym of the symbol mentioned above.
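As an added example (not code from this thread or from the project): a small logcat scanner, written from the defender's side, that flags the two events visible in the excerpt above, a library loaded from the root-module directory into another process, and a dlopen failure naming an unresolved symbol. The sample lines are constructed after the excerpt, and the regexes assume the threadtime logcat layout shown there.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the logcat excerpt in the thread above.
SAMPLE_LOG = """\
2024-08-25 19:23:20.185   903-903   TrickyStore             pid-903                              I  trying to inject keystore ...
2024-08-25 19:23:20.257  1114-1114  TrickyStore             pid-1114                             I  injecting /data/adb/modules/tricky_store/libtricky_store.so and calling entry in 741
2024-08-25 19:23:20.265  1114-1114  TrickyStore             pid-1114                             E  handle is null
2024-08-25 19:23:20.267  1114-1114  TrickyStore             pid-1114                             E  dlerror info dlopen failed: cannot locate symbol "_ZN7android7RefBase12weakref_type18incWeakRequireWeakEPKv" referenced by "/data/adb/modules/tricky_store/libtricky_store.so"...
"""

# threadtime-style logcat line: date time pid-tid tag process level message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<pid>\d+)-(?P<tid>\d+)\s+(?P<tag>\S+)\s+\S+\s+"
    r"(?P<level>[VDIWEF])\s+(?P<msg>.*)$"
)
INJECT_RE = re.compile(r"injecting (?P<lib>\S+\.so) and calling entry in (?P<target>\d+)")
DLERROR_RE = re.compile(r'cannot locate symbol "(?P<sym>[^"]+)" referenced by "(?P<lib>[^"]+)"')
MODULE_DIR = "/data/adb/modules/"  # root-module directory seen in the log above


@dataclass
class Finding:
    kind: str
    pid: int      # process that emitted the line
    detail: str


def scan_logcat(text: str) -> list[Finding]:
    """Flag library injection from the module directory and dlopen symbol failures."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines such as '--------- beginning of main'
        pid, msg = int(m["pid"]), m["msg"]
        inj = INJECT_RE.search(msg)
        if inj and inj["lib"].startswith(MODULE_DIR):
            findings.append(Finding("module_library_injection", pid,
                                    f"{inj['lib']} -> pid {inj['target']}"))
        err = DLERROR_RE.search(msg)
        if err:
            findings.append(Finding("unresolved_symbol", pid, err["sym"]))
    return findings


if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOG):
        print(f)
```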

@N-X-T
Copy link

N-X-T commented Aug 25, 2024

@MhmRdd I ran: readelf -s libtricky_store.so | grep incWeakRequireWeak and got:
58: 0000000000000000 0 NOTYPE GLOBAL DEFAULT UND _ZN7android7RefBase12weakref_type18incWeakRequireWeakEPKv
the symbol is referenced in libtricky_store.so, but it is not defined within it. 🤔

@MhmRdd
Copy link

MhmRdd commented Aug 25, 2024

@MhmRdd I ran: readelf -s libtricky_store.so | grep incWeakRequireWeak and got:
58: 0000000000000000 0 NOTYPE GLOBAL DEFAULT UND _ZN7android7RefBase12weakref_type18incWeakRequireWeakEPKv
the symbol is referenced in libtricky_store.so, but it is not defined within it. 🤔
Apparently the error is caused by the handle being null, as referred to in the log; you should investigate why the handle is null.

@VisionR1
Copy link

VisionR1 commented Aug 27, 2024

@N-X-T
In TG, a test version of this module for A11 was released, by you.
Is it really from you?

@N-X-T
Copy link

N-X-T commented Aug 27, 2024

@N-X-T In TG, a test version of this module for A11 was released, by you. Is it really from you?

yes :v

@VisionR1
Copy link

@N-X-T In TG, a test version of this module for A11 was released, by you. Is it really from you?

yes :v

That is good.
Very good news for the users still on A11.
How long until it is released publicly for testing?

@N-X-T
Copy link

N-X-T commented Aug 27, 2024

@N-X-T In TG, a test version of this module for A11 was released, by you. Is it really from you?

yes :v

That is good. Very good news for the users still on A11. How long until it is released publicly for testing?

I'm trying to support broken TEE.

@VisionR1
Copy link

@N-X-T In TG, a test version of this module for A11 was released, by you. Is it really from you?

yes :v

That is good. Very good news for the users still on A11. How long until it is released publicly for testing?

I'm trying to support broken TEE.

That is good.
I have a thread on XDA about this module.
So after all the changes you make, do you create a PR to merge with the original dev, or do you release your own version?

@N-X-T
Copy link

N-X-T commented Aug 27, 2024

@N-X-T In TG, a test version of this module for A11 was released, by you. Is it really from you?

yes :v

That is good. Very good news for the users still on A11. How long until it is released publicly for testing?

I'm trying to support broken TEE.

That is good. I have a thread on XDA about this module. So after all the changes you make, do you create a PR to merge with the original dev, or do you release your own version?

merge with the original dev, I'm a noob in C++ :v

@VisionR1
Copy link

@N-X-T In TG, a test version of this module for A11 was released, by you. Is it really from you?

yes :v

That is good. Very good news for the users still on A11. How long until it is released publicly for testing?

I'm trying to support broken TEE.

That is good. I have a thread on XDA about this module. So after all the changes you make, do you create a PR to merge with the original dev, or do you release your own version?

merge with the original dev, I'm a noob in C++ :v

Understood.
If you have an XDA account, you can write a few words and upload your test version for A11.
So we know that you are the user who made this.
https://xdaforums.com/t/tricky-store-bootloader-keybox-spoofing.4683446/

@osm0sis
Copy link

osm0sis commented Aug 27, 2024

@5ec1cff N-X-T@91fac08 🎉🤘

Reported working!

Edit: Still needs broken TEE support added, however, I see.

@sdranju
Copy link

sdranju commented Sep 1, 2024

I'm interested in testing it on my A11 if you allow.

@osm0sis
Copy link

osm0sis commented Sep 1, 2024

It's a PR now. 👍

#62

@ElDavoo
Copy link

ElDavoo commented Sep 5, 2024

It's a RC release now.

@aviraxp aviraxp closed this as completed Sep 6, 2024