Language/日本語
Android 14 and later make it difficult to install a trusted Root certificate on the system.
Describe the steps to bypass.
API-34 has been reading certificates from "/apex/com.android.conscrypt/cacerts" in the process of reading system certificates. However, when the system property is set to "system.certs.enabled", the code is to retrieve certificates from "/system/etc/security/cacerts/".
private static File getDirectory() {
if ((System.getProperty("system.certs.enabled") != null)
&& (System.getProperty("system.certs.enabled")).equals("true")) {
return new File(System.getenv("ANDROID_ROOT") + "/etc/security/cacerts");
}
File updatable_dir = new File("/apex/com.android.conscrypt/cacerts");
if (updatable_dir.exists()
&& !(updatable_dir.list().length == 0)) {
return updatable_dir;
}
return new File(System.getenv("ANDROID_ROOT") + "/etc/security/cacerts");
}Use this specification for bypass processing.
Script by Frida to rewrite the system property "system.certs.enabled".
setImmediate(function () {
console.log("[*] Starting script");
Java.perform(function () {
var systemClass = Java.use("java.lang.System");
systemClass.setProperty("system.certs.enabled","true");
})
})In this case, the Frida script must be specified at startup. It is also inconvenient for use with multiple applications.
Android XposedModule has created an always available application.
The created XposedModule app is placed in the "OverrideSysPropModule/app/release" folder.
For emulators, install Magisk according to the following procedure.
- Do a git clone from https://github.com/newbit1/rootAVD
git clone https://github.com/newbit1/rootAVD.git
- Start the emulator.
- Execute the following command from PowerShell on the administration screen to confirm the ADV to be installed.
.\rootAVD.bat ListAllAVDs
...
Command Examples:
rootAVD.bat
rootAVD.bat ListAllAVDs
rootAVD.bat InstallApps
rootAVD.bat system-images\android-34\google_apis_playstore\x86_64\ramdisk.img
rootAVD.bat system-images\android-34\google_apis_playstore\x86_64\ramdisk.img FAKEBOOTIMG
rootAVD.bat system-images\android-34\google_apis_playstore\x86_64\ramdisk.img DEBUG PATCHFSTAB GetUSBHPmodZ
rootAVD.bat system-images\android-34\google_apis_playstore\x86_64\ramdisk.img restore
rootAVD.bat system-images\android-34\google_apis_playstore\x86_64\ramdisk.img InstallKernelModules
rootAVD.bat system-images\android-34\google_apis_playstore\x86_64\ramdisk.img InstallPrebuiltKernelModules
rootAVD.bat system-images\android-34\google_apis_playstore\x86_64\ramdisk.img InstallPrebuiltKernelModules GetUSBHPmodZ PATCHFSTAB DEBUG- run ADV corresponding to API
.\rootAVD.bat system-images\android-34\google_apis_playstore\x86_64\ramdisk.img FAKEBOOTIMG- A 60-second wait is performed, which is terminated by pressing the Enter key.
[!] Temporarily installing Magisk
[*] Detecting current user
[-] Current user 0
[-] Starting Magisk
[*] Install/Patch /sdcard/Download/fakeboot.img and hit Enter when done(max. 60s)- Download Magisk
- Install the latest Magisk
adb install Magisk.v2x.x.apk-
Select "/sdcard/Download/fakeboot.img" from Select and Patch a File in Magisk Install to create the patch.
-
re-run ADV corresponding to API
.\rootAVD.bat system-images\android-34\google_apis_playstore\x86_64\ramdisk.img FAKEBOOTIMG-
Enable "Zygisk" and "Enforce DenyList".
-
Reboot the system.
- Install Magisk Module.
- https://github.com/NVISOsecurity/MagiskTrustUserCerts/releases
- https://github.com/LSPosed/LSPosed/releases (Install zygisk version)
Install as needed
- Install Xposed Module in the "OverrideSysPropModule" folder.
cd OverrideSysPropModule\app\release
adb install OverrideSysprop.apk-
Install a Root certificate such as Burp for user certificates.
-
Enable the Module for the application to which you want to apply it.
TIP: After enabling Xposed Module, it may not be recognized properly unless the Android device is rebooted.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent