Save pwlin/8a0d01e6428b7a96e2eb to your computer and use it in GitHub Desktop.
https://code.google.com/p/android/issues/detail?id=32696#c5

If you have a certificate that is not trusted by Android, when you add it, it goes in the personal cert store. When you add a cert in this personal cert store, the system requires a higher security level to unlock the device. But if you manage to add your cert to the system store then you don't have this requirement. Obviously, root is required to add a certificate to the system store, but it is quite easy.

Here is how to do it:

1 - Add your cert normally; it will be stored in your personal store and Android will ask you for a pin/password... Proceed.
2 - With a file manager with root capabilities, browse files in /data/misc/keychain/cacerts-added. You should see a file here; it's the certificate you added at step 1. If you cannot find it in that path, look in /data/misc/user/0/cacerts-added/
3 - Move this file to system/etc/security/cacerts (you will need to mount the system partition r/w).
4 - Reboot the phone.
5 - You are now able to clear the pin/password you have set to unlock the device.

I think that this will only work for Root or Intermediate CA.

I got the idea by reading this: http://nelenkov.blogspot.fr/2011/12/ics-trust-store-implementation.html
Good news: Adguard found a solution to make their custom cert work on Android 14, i.e. /apex/com.android.conscrypt/cacerts. See here: AdguardTeam/adguardcert/module/post-fs-data.sh#L50-L73. Just replace Adguard's certificate with your own certificate in this module and you're good to go.
So I tried this and it didn't work... but looking at the code I feel like I'm missing something, because I don't see how it could work?

If I'm following the logic: that block of code creates a separate directory to store certs in at /data/local/tmp/adg-ca-copy, then it copies the system certs (as well as whatever "extra" CA certs we're trying to add) into that folder by doing cp -f /apex/com.android.conscrypt/cacerts/* /data/local/tmp/adg-ca-copy/ and then mounts the new directory over the existing folder by doing mount --bind /data/local/tmp/adg-ca-copy /apex/com.android.conscrypt/cacerts

This all makes sense so far... Now we have a new /apex/com.android.conscrypt/cacerts that has all of the normal CA certs plus the one we're trying to inject...

But here's where it loses me: the next step is to unmount and delete this new folder... and then don't we have to reboot the emulator to make it pick these up? This new folder is not automatically remounted, so it doesn't load the new certs, so how is this supposed to work?

Another issue I ran into is that my emulator (API 34) does not have a "set_context" command, so that step of the script doesn't work. I tried googling to see what this command does but I cannot find any reference to "set_context" being a valid Linux command anywhere...
@jeremyakers Did you try @pwnlogs's module?
No, I looked at it and it required Magisk which I didn't feel like going down another rabbit hole, so I just stepped down to API 33 which doesn't use the /apex folder and was able to install my CA cert no problem that way.
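The two variants discussed above, the gist's copy into /system/etc/security/cacerts for API 33 and below and the bind-mount over /apex/com.android.conscrypt/cacerts that the Adguard thread describes for API 34 and up, combined into one script. This is an added example, not the gist's code and not the Adguard module or Cert-Fixer; it assumes an adb root shell on a rooted device or emulator, a PEM certificate file, an openssl binary available wherever cert_store_name is run (on a real device you would normally compute the name on the host and push the renamed file), and a staging directory /data/local/tmp/ca-overlay that is my own choice. The store entry name uses OpenSSL's old-style subject hash, which is how Android names files in its trust store and why the file in cacerts-added looks like a hash. The is_mounted_in check reads a mounts table so a reviewer can tell whether the store directory is currently overlaid by a bind mount, which is also a useful thing to look for when auditing a device whose trust store may have been tampered with.

```shell
#!/bin/sh
# Added example (not the gist's, Adguard's or Cert-Fixer's code).
# Installs a CA certificate into the Android system trust store from an
# `adb root` shell. Assumptions: rooted device/emulator, PEM input,
# `openssl` available for naming the file. The API 34+ overlay lasts only
# until reboot; making it persistent is not covered here.

# System trust-store directory for a given Android API level. From API 34
# the store lives inside the read-only Conscrypt APEX.
ca_store_dir() {
    if [ "$1" -ge 34 ]; then
        echo /apex/com.android.conscrypt/cacerts
    else
        echo /system/etc/security/cacerts
    fi
}

# Android names each store entry "<subject_hash_old>.0".
cert_store_name() {
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash_old)"
}

# Return 0 if the mounts table in $1 has an entry whose mount point is
# exactly $2. A normal device has no entry for the cacerts directory itself,
# so one appearing there means the store has been overlaid.
is_mounted_in() {
    while read -r _dev mnt _rest; do
        [ "$mnt" = "$2" ] && return 0
    done < "$1"
    return 1
}

install_ca() {
    cert="$1"
    api="$(getprop ro.build.version.sdk)"
    store="$(ca_store_dir "$api")"
    name="$(cert_store_name "$cert")"
    if [ "$api" -ge 34 ]; then
        # Writable copy of the APEX store, plus our cert, bind-mounted over it.
        stage=/data/local/tmp/ca-overlay      # hypothetical staging dir
        mkdir -p "$stage"
        cp -f "$store"/* "$stage"/
        cp -f "$cert" "$stage/$name"
        chmod 644 "$stage"/*
        mount --bind "$stage" "$store"
    else
        # Pre-14: the store is a plain directory on the system partition.
        mount -o remount,rw /system
        cp -f "$cert" "$store/$name"
        chmod 644 "$store/$name"
        mount -o remount,ro /system
    fi
    # Verify the entry is visible at the path apps actually read from.
    if [ ! -f "$store/$name" ]; then
        echo "cert not visible in $store" >&2
        return 1
    fi
    echo "installed $name into $store"
}

# Usage: sh cacert.sh install ca.pem   |   sh cacert.sh check
case "${1:-}" in
    install) install_ca "$2" ;;
    check)
        dir="$(ca_store_dir "$(getprop ro.build.version.sdk)")"
        if is_mounted_in /proc/mounts "$dir"; then
            echo "$dir is overlaid by a bind mount"
        else
            echo "$dir is not overlaid"
        fi ;;
esac
```

The thread's "set_context" step is a helper from the Adguard module, not a standard command, and is not reproduced here; on an SELinux-enforcing build the staged copy may additionally need the same label as the original store, which this script does not set.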
I adopted the Adguard module and wrote Cert-Fixer for installing custom CA certificates. The module copies user certificates installed on the phone to the system certificate store during boot. I've tested and verified it on an AVD emulator: Pixel 8, Android 15 (API 35) and Pixel 8, Android 14 (API 34). No intense testing was done on this. So if you get an error, copy the logs from /data/local/tmp/cert-fixer.log and ping me.