A trick of keystore. Android 12 or above is required.
- Flash this module and reboot.
- For more than DEVICE integrity, put an unrevoked hardware keybox.xml at
/data/adb/tricky_store/keybox.xml(Optional). - Customize target packages at
/data/adb/tricky_store/target.txt(Optional). - Enjoy!
format:
<?xml version="1.0"?>
<AndroidAttestation>
<NumberOfKeyboxes>1</NumberOfKeyboxes>
<Keybox DeviceID="...">
<Key algorithm="ecdsa|rsa">
<PrivateKey format="pem">
-----BEGIN EC PRIVATE KEY-----
...
-----END EC PRIVATE KEY-----
</PrivateKey>
<CertificateChain>
<NumberOfCertificates>...</NumberOfCertificates>
<Certificate format="pem">
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</Certificate>
... more certificates
</CertificateChain>
</Key>...
</Keybox>
</AndroidAttestation>Zygisk (or Zygisk Next) is needed for this feature to work.
If you still do not pass you can try enabling/disabling Build variable spoofing by creating/deleting the file /data/adb/tricky_store/spoof_build_vars.
Tricky Store will automatically generate example config props inside /data/adb/tricky_store/spoof_build_vars once created, on next reboot, then you may manually edit your spoof config.
Here is an example of a spoof config:
MANUFACTURER=Google
MODEL=Pixel 8 Pro
FINGERPRINT=google/husky_beta/husky:15/AP31.240617.009/12094726:user/release-keys
BRAND=google
PRODUCT=husky_beta
DEVICE=husky
RELEASE=15
ID=AP31.240617.009
INCREMENTAL=12094726
TYPE=user
TAGS=release-keys
SECURITY_PATCH=2024-07-05
Tricky Store will hack the leaf certificate by default. On TEE broken devices, this will not work because we can't retrieve the leaf certificate from TEE. You can add a ! after a package name to enable generate certificate support for this package.
For example:
# target.txt
# use leaf certificate hacking mode for KeyAttestation App
io.github.vvb2060.keyattestation
# use certificate generating mode for gms
com.google.android.gms!
- App Attest Key is not supported.
- StrongBox is not supported.