Compare commits


10 commits

Author SHA1 Message Date
chiteroman
49c47fe59e init: Spoof additional props
Change-Id: I3a22f2a923628c54462ed878f2c98a228d355f60
Signed-off-by: Alvin Francis <nivlafx@gmail.com>
Signed-off-by: Dmitrii <bankersenator@gmail.com>
2025-02-28 20:27:17 +00:00
someone5678
c6a14badbc init: Don't spoof selinux status
* So that Android correctly reports selinux status
  e.g. selinux status in Settings

Change-Id: Iff9754c3f6fed586de6247ba3076f7959f7c274e
Signed-off-by: Dmitrii <bankersenator@gmail.com>
2025-02-28 20:27:17 +00:00
Vishalcj17
3a5ea0faf2 fs_mgr: Remove bootloader restrictions for adb remount
Change-Id: Iac550fc2ed01da220bf6cd472d0dd1905e78221d
Signed-off-by: Dmitrii <bankersenator@gmail.com>
2025-02-28 20:27:17 +00:00
xyyx
f37c6338e8 SafetyNet: Add sys.oem_unlock_allowed
Signed-off-by: Dmitrii <bankersenator@gmail.com>
2025-02-28 20:27:07 +00:00
Albert I
e4cb78116f init: Use IsRecoveryMode() for normal boot checks
Checking androidboot.mode properties will never work on devices where this
property is always absent, primarily non-Pixel devices.

Use existing IsRecoveryMode() check instead which is ugly, but works for this
very purpose.

Change-Id: Idc79fb2bf45f0416b242a1e1aa12bdb07bcf56b9
Signed-off-by: Albert I <kras@raphielgang.org>
Signed-off-by: Alexander Winkowski <dereference23@outlook.com>
Signed-off-by: Dmitrii <bankersenator@gmail.com>
2025-02-28 20:26:55 +00:00
jhenrique09
750a8b7d71 init: Spoof more props
Change-Id: Ic0ddbd6a0dd40c877248f7864082eddab2b32366
Signed-off-by: Dmitrii <bankersenator@gmail.com>
2025-02-28 20:24:20 +00:00
Danny Lin
c82d044828 init: Check for fastbootd before spoofing safetynet props
The real prop values must be retained in recovery/fastbootd in
order for fastbootd to allow/deny flashing correctly based on the
bootloader lock state. This is accomplished by checking androidboot keys
in the kernel cmdline and bootconfig (necessary on Pixel 6), and not
spoofing anything if the boot isn't a normal full-blown Android boot.

@jhenrique09 - Adapt to PE

Change-Id: I8795b16a90eea4e5a03f64a7a56478f01144256b
Signed-off-by: Dmitrii <bankersenator@gmail.com>
2025-02-28 20:24:20 +00:00
jhenrique09
9e3b852283 core: Add more props for snet spoofing
Also reformat code

Change-Id: I4c0bcb61fea5a7b051c3a770d34a3a09f17db1c4
Signed-off-by: Dmitrii <bankersenator@gmail.com>
2025-02-28 20:24:20 +00:00
jhenrique09
81934d1186 init: Only set safetynet props if not eng build
Change-Id: I5c675e3391cc48a95ab9186047e9e9effca95406
Signed-off-by: Dmitrii <bankersenator@gmail.com>
2025-02-28 20:24:20 +00:00
jhenrique09
bb72489b5c init: Weaken property override security only when spoofing safetynet
Change-Id: I1664b3b3fa0fc87bda683d53a56645f6d974ce01
Signed-off-by: Dmitrii <bankersenator@gmail.com>
2025-02-28 20:24:20 +00:00
2 changed files with 89 additions and 50 deletions


@ -634,8 +634,9 @@ int main(int argc, char* argv[]) {
LOG(ERROR) << "Device must be userdebug build";
return EXIT_FAILURE;
}
#if ALLOW_ADBD_DISABLE_VERITY == 0 // "user" build
#if 0
// We already use safety net hacks which spoof to green state.
// Remove this check completely.
if (android::base::GetProperty("ro.boot.verifiedbootstate", "") != "orange") {
LOG(ERROR) << "Device must be bootloader unlocked";
return EXIT_FAILURE;
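Review bot: Swapping the `#if ALLOW_ADBD_DISABLE_VERITY == 0` guard for `#if 0` disables the bootloader-unlocked gate on every build type, including the "user" builds the old guard targeted. It also keeps the old body as dead code although the new comment says to remove it. The stated reason is that `ro.boot.verifiedbootstate` is spoofed to green elsewhere in this change set, so the comparison with "orange" could never pass. That means an overridden property is being used to justify dropping a restriction, instead of the check reading the real lock state from a value that init does not overwrite. If the gate is meant to go, delete the block and record why, e.g. `// ro.boot.verifiedbootstate is overridden at init, so it cannot gate remount; only the build-type check above applies`. main() starts and ends outside this hunk, so the matching `#endif` and any later checks are not visible here.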


@ -879,13 +879,19 @@ static const char *snet_prop_key[] = {
"ro.boot.vbmeta.device_state",
"ro.boot.verifiedbootstate",
"ro.boot.flash.locked",
"ro.boot.selinux",
"ro.boot.veritymode",
"ro.boot.warranty_bit",
"ro.warranty_bit",
"ro.debuggable",
"ro.secure",
"ro.bootimage.build.type",
"ro.build.type",
"ro.system.build.type",
"ro.system_ext.build.type",
"ro.vendor.build.type",
"ro.vendor_dlkm.build.type",
"ro.product.build.type",
"ro.odm.build.type",
"ro.build.keys",
"ro.build.tags",
"ro.system.build.tags",
@ -893,6 +899,9 @@ static const char *snet_prop_key[] = {
"ro.vendor.warranty_bit",
"vendor.boot.vbmeta.device_state",
"vendor.boot.verifiedbootstate",
"sys.oem_unlock_allowed",
"ro.adb.secure",
"ro.force.debuggable",
NULL
};
@ -900,13 +909,19 @@ static const char *snet_prop_value[] = {
"locked", // ro.boot.vbmeta.device_state
"green", // ro.boot.verifiedbootstate
"1", // ro.boot.flash.locked
"enforcing", // ro.boot.selinux
"enforcing", // ro.boot.veritymode
"0", // ro.boot.warranty_bit
"0", // ro.warranty_bit
"0", // ro.debuggable
"1", // ro.secure
"user", // ro.bootimage.build.type
"user", // ro.build.type
"user", // ro.system.build.type
"user", // ro.system_ext.build.type
"user", // ro.vendor.build.type
"user", // ro.vendor_dlkm.build.type
"user", // ro.product.build.type
"user", // ro.odm.build.type
"release-keys", // ro.build.keys
"release-keys", // ro.build.tags
"release-keys", // ro.system.build.tags
@ -914,17 +929,46 @@ static const char *snet_prop_value[] = {
"0", // ro.vendor.warranty_bit
"locked", // vendor.boot.vbmeta.device_state
"green", // vendor.boot.verifiedbootstate
"0", // sys.oem_unlock_allowed
"1", // ro.adb.secure
"0", // ro.force.debuggable
NULL
};
static void workaround_snet_properties() {
std::string build_type = android::base::GetProperty("ro.build.type", "");
// Bail out if this is recovery, fastbootd, or anything other than a normal boot.
// fastbootd, in particular, needs the real values so it can allow flashing on
// unlocked bootloaders.
if (IsRecoveryMode()) {
return;
}
// Exit if eng build
if (build_type == "eng") {
return;
}
// Weaken property override security to set safetynet props
weaken_prop_override_security = true;
std::string error;
LOG(INFO) << "snet: Hiding sensitive props";
// Hide all sensitive props
LOG(INFO) << "snet: Hiding sensitive props";
for (int i = 0; snet_prop_key[i]; ++i) {
PropertySetNoSocket(snet_prop_key[i], snet_prop_value[i], &error);
}
// Extra pops
std::string build_flavor_key = "ro.build.flavor";
std::string build_flavor_value = android::base::GetProperty(build_flavor_key, "");
build_flavor_value = android::base::StringReplace(build_flavor_value, "userdebug", "user", false);
PropertySetNoSocket(build_flavor_key, build_flavor_value, &error);
// Restore the normal property override security after safetynet props have been set
weaken_prop_override_security = false;
}
// If the ro.product.[brand|device|manufacturer|model|name] properties have not been explicitly
@ -1296,9 +1340,6 @@ void PropertyLoadBootDefaults() {
}
}
// Weaken property override security during execution of the vendor init extension
weaken_prop_override_security = true;
// Update with vendor-specific property runtime overrides
vendor_load_properties();
@ -1313,9 +1354,6 @@ void PropertyLoadBootDefaults() {
// Workaround SafetyNet
workaround_snet_properties();
// Restore the normal property override security after init extension is executed
weaken_prop_override_security = false;
}
void PropertyLoadDerivedDefaults() {
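Review bot: In `workaround_snet_properties()` both the table loop and the `ro.build.flavor` call discard the result of `PropertySetNoSocket` and never read `error`. A rejected write would therefore leave the device with a partly overridden set of security-state properties and nothing in the log. Check the call's result and report failures, e.g. `LOG(ERROR) << "snet: failed to set " << snet_prop_key[i] << ": " << error;`. The loop also depends on `snet_prop_key` and `snet_prop_value` staying index-aligned across the table hunks above, so a single table of key/value pairs would rule out a misaligned edit. `weaken_prop_override_security` is set and cleared by hand; that works while both early returns sit before the assignment, but a scoped guard object would stop the relaxed state persisting if a return is later added in between.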