init: Spoof additional props

Change-Id: I3a22f2a923628c54462ed878f2c98a228d355f60 Signed-off-by: Alvin Francis <nivlafx@gmail.com> Signed-off-by: Dmitrii <bankersenator@gmail.com>
init: Don't spoof selinux status
2025-04-10 21:15:05 +00:00 · 2025-04-10 21:15:05 +00:00 · 2025-04-10 21:15:05 +00:00 · 2025-04-10 21:15:05 +00:00 · 2025-04-10 21:15:05 +00:00 · 2025-04-10 21:15:05 +00:00
2 changed files with 89 additions and 50 deletions
--- a/fs_mgr/fs_mgr_remount.cpp
+++ b/fs_mgr/fs_mgr_remount.cpp
@ -634,8 +634,9 @@ int main(int argc, char* argv[]) {
        LOG(ERROR) << "Device must be userdebug build";
        return EXIT_FAILURE;
    }
-
+#if 0
-#if ALLOW_ADBD_DISABLE_VERITY == 0  // "user" build
+    // We already use safety net hacks which spoof to green state.
    // Remove this check completely.
    if (android::base::GetProperty("ro.boot.verifiedbootstate", "") != "orange") {
        LOG(ERROR) << "Device must be bootloader unlocked";
        return EXIT_FAILURE;
--- a/init/property_service.cpp
+++ b/init/property_service.cpp
@ -879,13 +879,19 @@ static const char *snet_prop_key[] = {
    "ro.boot.vbmeta.device_state",
    "ro.boot.verifiedbootstate",
    "ro.boot.flash.locked",
 	"ro.boot.selinux",
    "ro.boot.veritymode",
    "ro.boot.warranty_bit",
    "ro.warranty_bit",
    "ro.debuggable",
    "ro.secure",
    "ro.bootimage.build.type",
    "ro.build.type",
    "ro.system.build.type",
    "ro.system_ext.build.type",
    "ro.vendor.build.type",
    "ro.vendor_dlkm.build.type",
    "ro.product.build.type",
    "ro.odm.build.type",
    "ro.build.keys",
    "ro.build.tags",
    "ro.system.build.tags",
@ -893,6 +899,9 @@ static const char *snet_prop_key[] = {
    "ro.vendor.warranty_bit",
    "vendor.boot.vbmeta.device_state",
    "vendor.boot.verifiedbootstate",
    "sys.oem_unlock_allowed",
    "ro.adb.secure",
    "ro.force.debuggable",
    NULL
 };
@ -900,13 +909,19 @@ static const char *snet_prop_value[] = {
    "locked", // ro.boot.vbmeta.device_state
    "green", // ro.boot.verifiedbootstate
    "1", // ro.boot.flash.locked
 	"enforcing", // ro.boot.selinux
    "enforcing", // ro.boot.veritymode
    "0", // ro.boot.warranty_bit
    "0", // ro.warranty_bit
    "0", // ro.debuggable
    "1", // ro.secure
    "user", // ro.bootimage.build.type
    "user", // ro.build.type
    "user", // ro.system.build.type
    "user", // ro.system_ext.build.type
    "user", // ro.vendor.build.type
    "user", // ro.vendor_dlkm.build.type
    "user", // ro.product.build.type
    "user", // ro.odm.build.type
    "release-keys", // ro.build.keys
    "release-keys", // ro.build.tags
    "release-keys", // ro.system.build.tags
@ -914,17 +929,46 @@ static const char *snet_prop_value[] = {
    "0", // ro.vendor.warranty_bit
    "locked", // vendor.boot.vbmeta.device_state
    "green", // vendor.boot.verifiedbootstate
    "0", // sys.oem_unlock_allowed
    "1", // ro.adb.secure
    "0", // ro.force.debuggable
    NULL
 };
 static void workaround_snet_properties() {
    std::string build_type = android::base::GetProperty("ro.build.type", "");
    // Bail out if this is recovery, fastbootd, or anything other than a normal boot.
    // fastbootd, in particular, needs the real values so it can allow flashing on
    // unlocked bootloaders.
    if (IsRecoveryMode()) {
        return;
    }
    // Exit if eng build
    if (build_type == "eng") {
        return;
    }
    // Weaken property override security to set safetynet props
    weaken_prop_override_security = true;
    std::string error;
 	LOG(INFO) << "snet: Hiding sensitive props";
    // Hide all sensitive props 
    LOG(INFO) << "snet: Hiding sensitive props";
    for (int i = 0; snet_prop_key[i]; ++i) {
        PropertySetNoSocket(snet_prop_key[i], snet_prop_value[i], &error);
    }
    // Extra pops
    std::string build_flavor_key = "ro.build.flavor";
    std::string build_flavor_value = android::base::GetProperty(build_flavor_key, "");
    build_flavor_value = android::base::StringReplace(build_flavor_value, "userdebug", "user", false);
    PropertySetNoSocket(build_flavor_key, build_flavor_value, &error);
    // Restore the normal property override security after safetynet props have been set
    weaken_prop_override_security = false;
 }
 // If the ro.product.[brand|device|manufacturer|model|name] properties have not been explicitly
@ -1296,9 +1340,6 @@ void PropertyLoadBootDefaults() {
        }
    }
    // Weaken property override security during execution of the vendor init extension
    weaken_prop_override_security = true;
    // Update with vendor-specific property runtime overrides
    vendor_load_properties();
@ -1313,9 +1354,6 @@ void PropertyLoadBootDefaults() {
    // Workaround SafetyNet
    workaround_snet_properties();
    // Restore the normal property override security after init extension is executed
    weaken_prop_override_security = false;
 }
 void PropertyLoadDerivedDefaults() {
Author	SHA1	Message	Date
chiteroman	0dc5fa6662	init: Spoof additional props Change-Id: I3a22f2a923628c54462ed878f2c98a228d355f60 Signed-off-by: Alvin Francis <nivlafx@gmail.com> Signed-off-by: Dmitrii <bankersenator@gmail.com>	2025-04-10 21:15:05 +00:00
someone5678	bcad38901f	init: Don't spoof selinux status * So that Android correctly reports selinux status e.g. selinux status in Settings Change-Id: Iff9754c3f6fed586de6247ba3076f7959f7c274e Signed-off-by: Dmitrii <bankersenator@gmail.com>	2025-04-10 21:15:05 +00:00
Vishalcj17	a6eee98f56	fs_mgr: Remove bootloader restrictions for adb remount Change-Id: Iac550fc2ed01da220bf6cd472d0dd1905e78221d Signed-off-by: Dmitrii <bankersenator@gmail.com>	2025-04-10 21:15:05 +00:00
xyyx	4bda3033a5	SafetyNet: Add sys.oem_unlock_allowed Signed-off-by: Dmitrii <bankersenator@gmail.com>	2025-04-10 21:15:05 +00:00
Albert I	a8336b8c24	init: Use `IsRecoveryMode()` for normal boot checks Checking androidboot.mode properties will never work on devices where this property is always absent, primarily non-Pixel devices. Use existing IsRecoveryMode() check instead which is ugly, but works for this very purpose. Change-Id: Idc79fb2bf45f0416b242a1e1aa12bdb07bcf56b9 Signed-off-by: Albert I <kras@raphielgang.org> Signed-off-by: Alexander Winkowski <dereference23@outlook.com> Signed-off-by: Dmitrii <bankersenator@gmail.com>	2025-04-10 21:15:05 +00:00
jhenrique09	5f1bc32f1d	init: Spoof more props Change-Id: Ic0ddbd6a0dd40c877248f7864082eddab2b32366 Signed-off-by: Dmitrii <bankersenator@gmail.com>	2025-04-10 21:15:05 +00:00
Danny Lin	ba5eacc109	init: Check for fastbootd before spoofing safetynet props The real prop values must be retained in recovery/fastbootd in order for fastbootd to allow/deny flashing correctly based on the bootloader lock state. This is accomplished by checking androidboot keys in the kernel cmdline and bootconfig (necessary on Pixel 6), and not spoofing anything if the boot isn't a normal full-blown Android boot. @jhenrique09 - Adapt to PE Change-Id: I8795b16a90eea4e5a03f64a7a56478f01144256b Signed-off-by: Dmitrii <bankersenator@gmail.com>	2025-04-10 21:15:05 +00:00
jhenrique09	d89d544fce	core: Add more props for snet spoofing Also reformat code Change-Id: I4c0bcb61fea5a7b051c3a770d34a3a09f17db1c4 Signed-off-by: Dmitrii <bankersenator@gmail.com>	2025-04-10 21:15:05 +00:00
jhenrique09	d6b4dccb42	init: Only set safetynet props if not eng build Change-Id: I5c675e3391cc48a95ab9186047e9e9effca95406 Signed-off-by: Dmitrii <bankersenator@gmail.com>	2025-04-10 21:15:05 +00:00
jhenrique09	df046af0e8	init: Weaken property override security only when spoofing safetynet Change-Id: I1664b3b3fa0fc87bda683d53a56645f6d974ce01 Signed-off-by: Dmitrii <bankersenator@gmail.com>	2025-04-10 21:15:05 +00:00