KernelSU


Understandable, but could you consider adding fake certificate extensions? There are apps like CIB which check whether your bootloader is unlocked via hardware; even with a fresh install and no root, these apps will crash or won't let you open them.

I created this PoC using Xposed API: link
It just hooks the certificate extension method and patches the RootOfTrust, specifically "deviceLocked" and "verifiedBootState".

The problem is that it needs LSPosed, which is very easy to detect; it also needs Magisk/KernelSU with Zygisk enabled. The correct way is patching the Conscrypt APEX file to include this "bypass", like we do to fake the device fingerprint and pass Play Integrity/SafetyNet.

It may be too early to implement it now as there are very few apps that verify this, but it would be good to keep it in mind in the future when many apps (especially banking apps) start to implement it.

Or maybe you can do something with that Strong bypass that only your ROMs have XD.
I'll need more details regarding what exactly those "patterns" in that module are, and what the side effects are going to be.
Those byte array patterns search for certificate extensions in the certificate signed by the TEE. Here is an example of the method's return:
06-14 13:30:04.193 1015 6217 I LSPosed-Bridge: OID: 1.3.6.1.4.1.11129.2.1.17 byte array lenght: 361
06-14 13:30:04.200 1015 6217 I LSPosed-Bridge: Original bytes (RETURNED BY METHOD): [4, -126, 1, 101, 48, -126, 1, 97, 2, 1, 3, 10, 1, 1, 2, 1, 41, 10, 1, 1, 4, 34, 87, 101, 100, 32, 74, 117, 110, 32, 49, 52, 32, 49, 51, 58, 51, 48, 58, 48, 52, 32, 71, 77, 84, 43, 48, 50, 58, 48, 48, 32, 50, 48, 50, 51, 4, 0, 48, -127, -123, -65, -125, 16, 8, 2, 6, 1, -120, -71, -85, 126, -3, -65, -125, 17, 8, 2, 6, 1, -120, -71, -70, -63, 61, -65, -125, 18, 8, 2, 6, 1, -120, -71, -54, 3, 125, -65, -123, 61, 8, 2, 6, 1, -120, -71, -85, -126, 72, -65, -123, 69, 81, 4, 79, 48, 77, 49, 39, 48, 37, 4, 32, 105, 111, 46, 103, 105, 116, 104, 117, 98, 46, 118, 118, 98, 50, 48, 54, 48, 46, 107, 101, 121, 97, 116, 116, 101, 115, 116, 97, 116, 105, 111, 110, 2, 1, 107, 49, 34, 4, 32, 31, 101, 14, -60, 16, 62, 60, -54, -83, -8, -54, -30, 10, -127, 105, 59, -111, 119, -18, -92, -88, -13, 94, -96, -32, -82, 20, -21, -6, 114, -60, -7, 48, -127, -92, -95, 5, 49, 3, 2, 1, 2, -94, 3, 2, 1, 3, -93, 4, 2, 2, 1, 0, -91, 8, 49, 6, 2, 1, 0, 2, 1, 4, -86, 3, 2, 1, 1, -65, -125, 119, 2, 5, 0, -65, -123, 62, 3, 2, 1, 0, -65, -123, 64, 76, 48, 74, 4, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 10, 1, 2, 4, 32, 26, 94, -88, -76, 10, -2, 47, -77, 72, 35, -59, -77, 72, 114, 46, 35, -3, -44, -71, 21, -21, -4, 41, -42, -103, 101, 123, -6, -25, 76, 38, -52, -65, -123, 65, 5, 2, 3, 1, -5, -48, -65, -123, 66, 5, 2, 3, 3, 22, 65, -65, -123, 78, 6, 2, 4, 1, 52, -79, 101, -65, -123, 79, 6, 2, 4, 1, 52, -79, 101]

Well, the correct pattern should be: 48, 74, 4, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 10, 1, ?

-> 48, 74, 4, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 => It's "verifiedBootKey"
-> 1, 1, 0 => It's "deviceLocked"
-> 10, 1, ? => It's "verifiedBootState"

If you change 1, 1, 0 to 1, 1, 1 and 10, 1, ? to 10, 1, 0 you will spoof a locked bootloader with a verified boot.

More info about the certificate extension is in the official Google documentation: link

And I updated the Java code in my repo using Bouncy Castle, but I don't know if it's possible to include this library in the Conscrypt APEX.
This is the best way, because it doesn't depend on patterns. Link
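As an added example (not code from this thread, from the poster's repo, or from KernelSU), here is the verifier-side decoding of that extension: a small DER walker in Python that pulls "deviceLocked" and "verifiedBootState" out of the RootOfTrust, which is what an app checking for an unlocked bootloader reads. It assumes the layout visible in the log above (extension value is an OCTET STRING wrapping the KeyDescription SEQUENCE, teeEnforced is its 8th field, RootOfTrust sits under context tag [704]); the sample bytes are constructed to mirror the log, not copied from it.

```python
from typing import List, Tuple

ROOT_OF_TRUST_TAG = 704  # context tag [704] that wraps RootOfTrust in an AuthorizationList
BOOT_STATE = {0: "Verified", 1: "SelfSigned", 2: "Unverified", 3: "Failed"}

def parse_tlvs(buf: bytes) -> List[Tuple[int, int, bytes]]:
    """Split a DER buffer into (class, tag, value) triples; class 0 = universal, 2 = context."""
    out, i = [], 0
    while i < len(buf):
        first, i = buf[i], i + 1
        cls, tag = first >> 6, first & 0x1F
        if tag == 0x1F:                     # high tag number: base-128 continuation bytes
            tag = 0
            while True:
                b, i = buf[i], i + 1
                tag = (tag << 7) | (b & 0x7F)
                if not b & 0x80:
                    break
        length, i = buf[i], i + 1
        if length & 0x80:                   # long form: low 7 bits give the byte count
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        out.append((cls, tag, buf[i:i + length]))
        i += length
    return out

def root_of_trust(ext_value: bytes) -> dict:
    """Return the TEE-enforced claims a verifier inspects: key, deviceLocked, verifiedBootState."""
    (_, _, key_desc), = parse_tlvs(ext_value)        # extension value is an OCTET STRING
    (_, _, fields), = parse_tlvs(key_desc)           # KeyDescription SEQUENCE
    tee_enforced = parse_tlvs(fields)[7][2]          # 8th field is teeEnforced
    rot = next(v for c, t, v in parse_tlvs(tee_enforced) if c == 2 and t == ROOT_OF_TRUST_TAG)
    (_, _, seq), = parse_tlvs(rot)
    (_, _, key), (_, _, locked), (_, _, state) = parse_tlvs(seq)[:3]
    return {"verifiedBootKey": key.hex(),
            "deviceLocked": locked != b"\x00",                         # the "1, 1, x" BOOLEAN
            "verifiedBootState": BOOT_STATE.get(state[0], "Unknown")}  # the "10, 1, x" ENUMERATED

def _der(tag: bytes, value: bytes) -> bytes:
    """Tiny DER encoder (short/long-form lengths) used only to build the constructed sample."""
    n = len(value)
    length = bytes([n]) if n < 128 else b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return tag + length + value

# Constructed sample shaped like the thread's log: unlocked device, verifiedBootState 2.
_ROT = _der(b"\x30", _der(b"\x04", b"\x00" * 32) + _der(b"\x01", b"\x00")
            + _der(b"\x0a", b"\x02") + _der(b"\x04", b"\x11" * 32))
_TEE = _der(b"\x30", _der(b"\xbf\x85\x40", _ROT))                   # [704] encodes as BF 85 40
SAMPLE_EXT = _der(b"\x04", _der(b"\x30", _der(b"\x02", b"\x03") + _der(b"\x0a", b"\x01")
                  + _der(b"\x02", b"\x29") + _der(b"\x0a", b"\x01") + _der(b"\x04", b"challenge")
                  + _der(b"\x04", b"") + _der(b"\x30", b"") + _TEE))
```

On a real certificate, feed `root_of_trust()` the raw value of extension 1.3.6.1.4.1.11129.2.1.17 after the chain has been validated; the decoded fields are only meaningful when the signature back to the hardware root checks out.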
OK, if you are the same person, you did successfully install KSU on the Poco X3 Pro (Vayu) with Xiaomi.eu v14.0.3:
https://forum.xda-developers.com/t/discussion-magisk-the-age-of-zygisk.4393877/post-88737809

Since your Vayu has kernel v4.14.271 (not v5.10 as required for official support from KernelSU.org), did you manually cook your kernel based on the Vayu kernel/link from:

---

Btw, support for KSU is growing; there is a Zygisk for KSU module:
https://github.com/Dr-TSNG/ZygiskOnKernelSU

It then supports Shamiko and LSPosed (for Zygisk), hence the modules for LSPosed will work, too.

Latest AML and James DSP also support KernelSU:
(there are no Releases, but install.zip is available from View Code)
(also, look for install.zip under View Code)

And there is "Systemless" hosts for KSU:
So I'm looking for KernelSU for Lisa (Mi Lite 5G NE), for Xiaomi.eu Stable 14.0.10, kernel 5.4.210 qki.

I.e., it must be for Lisa, for MIUI 14/A13, MKI version 4.2 qki.

That kernel version is not officially supported by KernelSU.org (they support 5.10 kernels for various phones), but I followed their links and found one for Lisa, kernel 5.4.226, but for AOSP.

Nevertheless I unpacked my boot.img, replaced the kernel, repacked it and tested the repacked new-boot.img by just booting it, not flashing it, to avoid the risk of bricking the phone:
fastboot boot new-boot.img

The phone booted, but the keyboard did not work to enter the PIN.

Hence I'm now looking for the proper KernelSU for Lisa, but for MIUI 14 - if somebody finds
 
I tried at my own risk! My question is of a general nature. I reset everything and the system works, but...
Does anyone know or could tell me what could have caused the error that:
Previous week release + kernelsu + AnyKernel3-android14-6.1.25_2023-10 = works, ok.
Latest weekly release + kernelsu + AnyKernel3-android14-6.1.25_2023-10 = bootloop.

I tried it at my own risk; it didn't start, and I would like to understand why. Since then, I have installed it in clean mode, no root, and everything is fine, but I would be interested in why the issue came up in that test.
Xiaomi 14