Created
February 28, 2021 19:51
-
-
Save nickrbogdanov/5390d0ee1a84c5fc5b09a5ec98f0c63d to your computer and use it in GitHub Desktop.
MicroG signature spoofing patch with hardcoded SHA
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
From 428b4b8a2b27995e6fa768704f341bc7384a4792 Mon Sep 17 00:00:00 2001 | |
From: Dylanger Daly <dylanger@diagnostix.io> | |
Date: Fri, 27 Nov 2020 22:55:16 +1000 | |
Subject: [PATCH] Add Graphene Sig Spoof support | |
Allows Google Cert Spoofing, matching on the sha256 hash of Graphene's Cert | |
--- | |
.../android/content/pm/PackageParser.java | 32 +++++++++++++++++++ | |
.../server/pm/PackageManagerService.java | 24 ++++++++++++-- | |
2 files changed, 54 insertions(+), 2 deletions(-) | |
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java | |
index 70e4e6cbf622..71d3d49a1043 100644 | |
--- a/core/java/android/content/pm/PackageParser.java | |
+++ b/core/java/android/content/pm/PackageParser.java | |
@@ -6450,6 +6450,38 @@ public class PackageParser { | |
return false; | |
} | |
+ /** | |
+ * Return the Cerificate's Digest | |
+ */ | |
+ public @Nullable String getSha256Certificate() { | |
+ return getSha256CertificateInternal(); | |
+ } | |
+ | |
+ private @Nullable String getSha256CertificateInternal() { | |
+ String digest; | |
+ if (this == UNKNOWN) { | |
+ return null; | |
+ } | |
+ if (hasPastSigningCertificates()) { | |
+ | |
+ // check all past certs, except for the last one, which automatically gets all | |
+ // capabilities, since it is the same as the current signature, and is checked below | |
+ for (int i = 0; i < pastSigningCertificates.length - 1; i++) { | |
+ digest = PackageUtils.computeSha256Digest( | |
+ pastSigningCertificates[i].toByteArray()); | |
+ return digest; | |
+ } | |
+ } | |
+ | |
+ // not in previous certs signing history, just check the current signer | |
+ if (signatures.length == 1) { | |
+ digest = | |
+ PackageUtils.computeSha256Digest(signatures[0].toByteArray()); | |
+ return digest; | |
+ } | |
+ return null; | |
+ } | |
+ | |
/** Returns true if the signatures in this and other match exactly. */ | |
public boolean signaturesMatchExactly(SigningDetails other) { | |
return Signature.areExactMatch(this.signatures, other.signatures); | |
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java | |
index 99e1388dcd52..9c62787f5c4b 100644 | |
--- a/services/core/java/com/android/server/pm/PackageManagerService.java | |
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java | |
@@ -705,6 +705,12 @@ public class PackageManagerService extends IPackageManager.Stub | |
private static final String RANDOM_DIR_PREFIX = "~~"; | |
+ /** | |
+ * The Google signature faked for Graphene signed apps. | |
+ */ | |
+ private static final String GOOGLE_CERT = "308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a"; | |
+ private static final String GRAPHENEHASH = "9BD06727E62796C0130EB6DAB39B73157451582CBD138E86C468ACC395D14165"; | |
+ | |
final ServiceThread mHandlerThread; | |
final Handler mHandler; | |
@@ -4405,8 +4411,9 @@ public class PackageManagerService extends IPackageManager.Stub | |
}); | |
} | |
- PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags, | |
- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps); | |
+ PackageInfo packageInfo = fakeSignature(p, PackageInfoUtils.generate(p, gids, flags, | |
+ ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps), | |
+ permissions); | |
if (packageInfo == null) { | |
return null; | |
@@ -4442,6 +4449,19 @@ public class PackageManagerService extends IPackageManager.Stub | |
} | |
} | |
+ private PackageInfo fakeSignature(AndroidPackage p, PackageInfo pi, | |
+ Set<String> permissions) { | |
+ String hash = p.getSigningDetails().getSha256Certificate(); | |
+ try { | |
+ if (hash.equals(GRAPHENEHASH)) { | |
+ pi.signatures = new Signature[] {new Signature(GOOGLE_CERT)}; | |
+ } | |
+ } catch (Throwable t) { | |
+ Log.w("Unable to fake signature!", t); | |
+ } | |
+ return pi; | |
+ } | |
+ | |
@Override | |
public void checkPackageStartable(String packageName, int userId) { | |
final int callingUid = Binder.getCallingUid(); | |
-- | |
2.28.0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment