[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-82008":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":15,"compositeScore":18,"rankGlobal":10,"rankLanguage":10,"license":19,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":22,"hasPages":20,"topics":23,"createdAt":10,"pushedAt":10,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":15,"starSnapshotCount":15,"syncStatus":16,"lastSyncTime":27,"discoverSource":28},82008,"BootloaderSpoofer","takattowo\u002FBootloaderSpoofer","takattowo","Spoof locked bootloader on local attestations.","",null,"Java",28,1,23,0,2,4,0.9,"GNU General Public License v3.0",false,"main",true,[],"2026-06-12 02:04:22","# Bootloader Spoofer\n\nSpoofs a locked bootloader state for local attestation checks. Only enable it for apps that merely verify whether the bootloader is unlocked. Avoid hooking Google apps or the system framework unless you want Play Integrity checks to fail. If an app sends attestation certificates to a secure backend for verification, this module will not help and becomes ineffective.\n\nSupports devices with broken TEE. **This module is intended only for local attestation**. For online attestation, use `TrickyStore` instead.\n\nThis project was made possible thanks to `chiteroman` and `5ec1cff`.\n\n## Modes\n\nSelectable in the UI; persisted to `mode.txt` in the module's data dir.\n\n### `leaf_hack` (requires a working TEE)\n\nLets the real AndroidKeyStore generate the leaf, then in `engineGetCertificateChain` rewrites the leaf's RoT extension to claim verified-boot green \u002F locked \u002F state=0 and re-signs the leaf with the keybox intermediate's private key. 
The rest of the chain is replaced with the keybox CA chain.\n\nThis is the cleanest path: leaf serial number, validity period, subject, public key all come from the real cert. Only the RoT bytes change.\n\n### `cert_generate` (works on broken TEE)\n\nGenerates a fresh `KeyPair` in `AndroidOpenSSL` \u002F `Conscrypt` (skipping AndroidKeyStore), builds the leaf cert from scratch with a full RoT extension (purpose, algorithm, keySize, digest, ecCurve, noAuthRequired, origin, verifiedBoot fields, OS version, OS patch level, applicationID, vendor patch level, boot patch level), signs with the keybox intermediate. Caches chain by `KeystoreAlias` so `engineGetCertificateChain(alias)` returns the synthesized chain on later lookup.\n\nDoes **not** require AndroidKeyStore to produce a real chain; works when keymaster HAL \u002F TEE is broken or absent.\n\nLimitations vs leaf-hack:\n- The generated keypair is **not** actually in the AndroidKeyStore. Apps that re-fetch via `KeyStore.getEntry(alias)` get `null`.\n- `KeyInfo.isInsideSecureHardware()` is not hooked; returns the device's real value (false on broken TEE, so app may know).\n- `applicationID` is best-effort; built from the current process's own package signatures.\n\n## Keybox\n\nShips with the public Google Android Software Attestation Root test keybox (the same EC + RSA keys\u002Fcerts every prior fork embeds). These are public, not TEE-backed, and will **not** beat any online check that validates against Google's hardware attestation root or revocation list. Local attestation only.\n\n### Supply your own\n\nXML format (TrickyStore-compatible subset):\n\n```xml\n\u003C?xml version=\"1.0\"?>\n\u003CAndroidAttestation>\n  \u003CNumberOfKeyboxes>1\u003C\u002FNumberOfKeyboxes>\n  \u003CKeybox DeviceID=\"any\">\n    \u003CKey algorithm=\"ecdsa\">\n      \u003CPrivateKey format=\"pem\">-----BEGIN EC PRIVATE KEY-----\n... 
your EC private key ...\n-----END EC PRIVATE KEY-----\u003C\u002FPrivateKey>\n      \u003CCertificateChain>\n        \u003CNumberOfCertificates>3\u003C\u002FNumberOfCertificates>\n        \u003CCertificate format=\"pem\">-----BEGIN CERTIFICATE-----\n... intermediate ...\n-----END CERTIFICATE-----\u003C\u002FCertificate>\n        \u003CCertificate format=\"pem\">-----BEGIN CERTIFICATE-----\n... root ...\n-----END CERTIFICATE-----\u003C\u002FCertificate>\n      \u003C\u002FCertificateChain>\n    \u003C\u002FKey>\n    \u003CKey algorithm=\"rsa\">\n      \u003CPrivateKey format=\"pem\">... RSA private key ...\u003C\u002FPrivateKey>\n      \u003CCertificateChain>\n        ... RSA chain ...\n      \u003C\u002FCertificateChain>\n    \u003C\u002FKey>\n  \u003C\u002FKeybox>\n\u003C\u002FAndroidAttestation>\n```\n\n## Build (local)\n\n```\ngradle :app:assembleRelease\n```\n","BootloaderSpoofer is a tool for simulating a locked bootloader state in local attestation checks. Its core function is to make applications believe the device's bootloader is locked by modifying the RoT extension in the certificate chain. The project supports two modes, `leaf_hack` and `cert_generate`, intended for devices with a working and a broken Trusted Execution Environment (TEE) respectively. In `leaf_hack` mode, the project rewrites part of the leaf certificate generated by the real AndroidKeyStore; in `cert_generate` mode, it bypasses AndroidKeyStore entirely and generates a new key pair and certificate chain. This project is particularly suited to scenarios where an app only needs to verify whether the bootloader is unlocked, but it does not apply to cases where attestation certificates are sent to a secure backend for online verification.","2026-06-11 04:07:28","CREATED_QUERY"]