
Yay
Updated stuff for Android 14 (API 34) root CA trust proxy thing
Yogehi committed Oct 18, 2023
1 parent b677735 commit 14aeb8c
Showing 5 changed files with 77 additions and 14 deletions.
1 change: 1 addition & 0 deletions build.py
@@ -83,6 +83,7 @@ def getLastGithubRelease(yayrepoyay):
zip_object.write('./META-INF/com/google/android/updater-script')
zip_object.write('./system/etc/security/cacerts/yayplaceholderyay')
zip_object.write('./system/bin/yayplaceholderyay')
zip_object.write('./data/local/tmp/yaytmpcayay/yayplaceholderyay')
zip_object.write('./module.prop')
zip_object.write('./post-fs-data.sh')
zip_object.write('./service.sh')
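--- a/data/local/tmp/yaytmpcayay/yayplaceholderyay
+++ b/data/local/tmp/yaytmpcayay/yayplaceholderyay
@@ -0,0 +1,3 @@
+yayplaceholderyay
+
+temp area to store root CAs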
6 changes: 3 additions & 3 deletions module.prop.gold
@@ -1,6 +1,6 @@
id=YayPentestMagiskModuleYay
name=YayPentestMagiskModuleYay
version=1.1
versionCode=2
author=Yogehi
version=1.7
versionCode=8
author=Yogehi / Malicious Erection LLC
description=Magisk Module to configure a device specifically for pentesting
27 changes: 16 additions & 11 deletions post-fs-data.sh
@@ -4,21 +4,26 @@ MODDIR=${0%/*}

# copy certificates from User Store to System Store

cp -f /data/misc/user/0/cacerts-added/* $MODDIR/system/etc/security/cacerts
chown -R 0:0 $MODDIR/system/etc/security/cacerts
yayandroidversionyay=$(getprop ro.build.version.sdk)

[ "$(getenforce)" = "Enforcing" ] || exit 0
if [ $yayandroidversionyay -lt 34 ]; then
# android version is 33 or lower
cp -f /data/misc/user/0/cacerts-added/* $MODDIR/system/etc/security/cacerts
chown -R 0:0 $MODDIR/system/etc/security/cacerts

default_selinux_context=u:object_r:system_file:s0
selinux_context=$(ls -Zd /system/etc/security/cacerts | awk '{print $1}')
[ "$(getenforce)" = "Enforcing" ] || exit 0

if [ -n "$selinux_context" ] && [ "$selinux_context" != "?" ]; then
chcon -R $selinux_context $MODDIR/system/etc/security/cacerts
else
chcon -R $default_selinux_context $MODDIR/system/etc/security/cacerts
fi
default_selinux_context=u:object_r:system_file:s0
selinux_context=$(ls -Zd /system/etc/security/cacerts | awk '{print $1}')

rm $MODDIR/system/etc/security/cacerts/yayplaceholderyay
if [ -n "$selinux_context" ] && [ "$selinux_context" != "?" ]; then
chcon -R $selinux_context $MODDIR/system/etc/security/cacerts
else
chcon -R $default_selinux_context $MODDIR/system/etc/security/cacerts
fi

rm $MODDIR/system/etc/security/cacerts/yayplaceholderyay
fi

# put frida-server on device

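Review bot: The `[ "$(getenforce)" = "Enforcing" ] || exit 0` line, now inside the `if [ $yayandroidversionyay -lt 34 ]` branch, still ends the whole script when SELinux is not enforcing. In that case the `rm` of `yayplaceholderyay` never runs, so the placeholder stays in the module's `cacerts` directory, and the `# put frida-server on device` step after `fi` appears to be skipped too (that section continues outside the hunk, so this is inferred from the visible order). Scoping the check to the relabel avoids both: replace the line with `if [ "$(getenforce)" = "Enforcing" ]; then` and close it with a `fi` directly after the `chcon` block. The SDK comparison should also quote its operand, `[ "$yayandroidversionyay" -lt 34 ]`.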
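--- a/service.sh
+++ b/service.sh
@@ -10,6 +10,60 @@ done
 # ensure boot has actually completed
 sleep 5
 
+# if android 34 or above, use new way to install custom root CAs
+# credit: https://httptoolkit.com/blog/android-14-install-system-ca-certificate/
+yayandroidversionyay=$(getprop ro.build.version.sdk)
+if [ $yayandroidversionyay -gt 33 ]; then
+# android version is above 33
+echo "yay in yay" > /data/local/tmp/yay.txt
+
+# create temp dir
+mkdir -p -m 700 /data/local/tmp/yaytmpcayay
+
+# copy system CAs
+cp -f /apex/com.android.conscrypt/cacerts/* /data/local/tmp/yaytmpcayay/
+
+# mount temp directory into memory
+mount -t tmpfs tmpfs /system/etc/security/cacerts
+
+# copy system CAs into old CA directory
+cp -f /data/local/tmp/yaytmpcayay/* /system/etc/security/cacerts/
+
+# copy user CAs into old CA directory
+cp -f /data/misc/user/0/cacerts-added/* /system/etc/security/cacerts/
+
+# update permissions
+chown root:root /system/etc/security/cacerts/*
+chmod 644 /system/etc/security/cacerts/*
+chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*
+
+# get zygote processes
+ZYGOTE_PID=$(pidof zygote || true)
+ZYGOTE64_PID=$(pidof zygote64 || true)
+
+# mount old CA directory into newly spawned process from zygote
+for Z_PID in "$ZYGOTE_PID" "$ZYGOTE64_PID"; do
+if [ -n "$Z_PID" ]; then
+nsenter --mount=/proc/$Z_PID/ns/mnt -- \
+/bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
+fi
+done
+
+# mount old CA directory into all already running zygote processes
+APP_PIDS=$(
+echo "$ZYGOTE_PID $ZYGOTE64_PID" | \
+xargs -n1 ps -o 'PID' -P | \
+grep -v PID
+)
+for PID in $APP_PIDS; do
+nsenter --mount=/proc/$PID/ns/mnt -- \
+/bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts &
+done
+wait # Launched in parallel - wait for completion here
+
+echo "yaydoneyay"
+fi
+
 # start frida server / restart on crash
 while true; do
 frida-server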
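Review bot: The staging directory `/data/local/tmp/yaytmpcayay` is neither emptied before use nor removed afterwards, and `mkdir -p -m 700` does not change the mode or owner of a directory that already exists. Everything already in it is therefore copied into the tmpfs trust store by `cp -f /data/local/tmp/yaytmpcayay/* /system/etc/security/cacerts/` and then labelled `system_file`; that includes the `yayplaceholderyay` file this commit packages for that path, if the installer places it there. `/data/local/tmp` is writable by the adb shell user, so a root script should not source trust-store content from it. The staging copy looks unnecessary, because the tmpfs is mounted on `/system/etc/security/cacerts` and does not hide the apex directory in this namespace: after the mount, `cp -f /apex/com.android.conscrypt/cacerts/* /system/etc/security/cacerts/` would do, and the `mkdir` and first `cp` can be dropped. The result of `mount -t tmpfs` is also unchecked, so the block should test it and skip the copies and bind mounts when it fails; the `while true` loop at the end of the hunk continues outside it.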
