### Initialize Configuration and File Watching Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Loads configuration files (`target.txt`, `keybox.xml`, `security_patch.txt`) and starts a `FileObserver` for automatic reloading on changes. This is called once after interceptors are attached. ```kotlin // Called once from Main.kt after interceptors are attached PkgConfig.initialize() // After initialization, any write to /data/adb/tricky_store/ is handled automatically: // - target.txt → PkgConfig.updateTargetPackages() // - keybox.xml → KeyBoxUtils.readFromXml() // - security_patch.txt → PkgConfig.updatePatchLevel() ``` -------------------------------- ### Setup and Access Verified Boot Hash with AndroidUtils Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Resolves and persists the device's verified boot hash. It attempts to obtain the hash from system properties, TEE data, or generates a new random value, then stores it back to a system property for session stability. Access resolved values like boot key, patch levels, and OS versions. ```kotlin // Called at daemon startup before interceptors initialize AndroidUtils.setupBootHash() // Access the resolved values directly: val bootHash: ByteArray = AndroidUtils.bootKey // random stable key val hashHex: String? = AndroidUtils.getBootHashFromProp()?.toHex() // e.g. "a3f2c1...64 hex chars..." // Patch levels (respects security_patch.txt overrides): println(AndroidUtils.patchLevel) // e.g. 202411 (system, short) println(AndroidUtils.vendorPatchLevelLong) // e.g. 20241101 (vendor, long) println(AndroidUtils.bootPatchLevel) // e.g. 202411 println(AndroidUtils.osVersion) // e.g. 140000 (Android 14) println(AndroidUtils.attestVersion) // e.g. 300 (KeyMint 3.0) ``` -------------------------------- ### PkgConfig.initialize() Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Loads all configuration files (`target.txt`, `keybox.xml`, `security_patch.txt`) from `/data/adb/tricky_store/`, stores the TEE status, and initiates file watching for automatic configuration reloads. ```APIDOC ## PkgConfig.initialize() ### Description Loads all configuration and starts file watching. Reads `target.txt`, `keybox.xml`, and `security_patch.txt` from `/data/adb/tricky_store/`, stores TEE status, and starts a `FileObserver` that auto-reloads any file on write/move. ### Method Signature ```kotlin PkgConfig.initialize() ``` ### Usage ```kotlin // Called once from Main.kt after interceptors are attached PkgConfig.initialize() // After initialization, any write to /data/adb/tricky_store/ is handled automatically: // - target.txt → PkgConfig.updateTargetPackages() // - keybox.xml → KeyBoxUtils.readFromXml() // - security_patch.txt → PkgConfig.updatePatchLevel() ``` ``` -------------------------------- ### AndroidUtils.setupBootHash() Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Resolves and persists the device's verified boot hash. It attempts to obtain the hash from the `ro.boot.vbmeta.digest` system property, TEE attestation data, or a freshly generated random value. The chosen hash is then persisted back to the system property to ensure stability for the current session. ```APIDOC ## AndroidUtils.setupBootHash() ### Description Resolve and persist verified boot hash. Attempts to obtain the device's verified boot hash from (in order): `ro.boot.vbmeta.digest` system property, TEE attestation data, or a freshly generated random value. Persists the chosen hash back to the system property so it remains stable for the session. ### Method `AndroidUtils.setupBootHash(): Unit` ### Usage Example ```kotlin // Called at daemon startup before interceptors initialize AndroidUtils.setupBootHash() // Access the resolved values directly: val bootHash: ByteArray = AndroidUtils.bootKey // random stable key val hashHex: String? = AndroidUtils.getBootHashFromProp()?.toHex() // e.g. "a3f2c1...64 hex chars..." // Patch levels (respects security_patch.txt overrides): println(AndroidUtils.patchLevel) // e.g. 202411 (system, short) println(AndroidUtils.vendorPatchLevelLong) // e.g. 20241101 (vendor, long) println(AndroidUtils.bootPatchLevel) // e.g. 202411 println(AndroidUtils.osVersion) // e.g. 140000 (Android 14) println(AndroidUtils.attestVersion) // e.g. 300 (KeyMint 3.0) ``` ``` -------------------------------- ### keybox.xml Format Source: https://github.com/beakthoven/trickystoreoss/blob/main/README.md Defines the structure for the hardware keybox.xml file, including private keys and certificate chains. ```xml 1 -----BEGIN EC PRIVATE KEY----- ... -----END EC PRIVATE KEY----- ... -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- ... more certificates ... ``` -------------------------------- ### Generate X.509 Attestation Certificate Chain Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Builds a full X.509 attestation certificate chain. Requires KeyGenParameters and a generated key pair. The leaf certificate includes a Key Description extension signed by the keybox key. ```kotlin // Build key parameters from raw KeyParameter array (Keystore2 / KeyMint API): val params = CertificateGen.KeyGenParameters(keyParameterArray) // Or build manually: val params = CertificateGen.KeyGenParameters().apply { algorithm = Algorithm.EC keySize = 256 ecCurve = EcCurve.P_256 purpose = mutableListOf(KeyPurpose.SIGN) digest = mutableListOf(Digest.SHA_2_256) attestationChallenge = challengeBytes } // Generate the software key pair: val keyPair: KeyPair = CertificateGen.generateKeyPair(params)!! // Build the full chain (leaf + keybox CA chain): val chain: List? = CertificateGen.generateChain( uid = callingUid, params = params, keyPair = keyPair, securityLevel = SecurityLevel.TRUSTED_ENVIRONMENT // 1 ) // chain[0] = DER-encoded leaf certificate with attestation extension // chain[1..n] = DER-encoded keybox CA certificates ``` -------------------------------- ### Configure Target Packages for Attestation Mode Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Lists package names that should be intercepted by the module. Suffixes '!' and '?' force certificate generation or leaf-hack mode, respectively. No suffix selects automatic mode. ```plaintext # /data/adb/tricky_store/target.txt # Automatic mode — module picks best strategy com.google.android.gsf com.android.vending # Force certificate generation (TEE-broken devices or stronger spoofing) com.google.android.gms! # Force leaf certificate hacking only io.github.vvb2060.keyattestation? ``` -------------------------------- ### Target Packages Configuration Source: https://github.com/beakthoven/trickystoreoss/blob/main/README.md Customizes the mode of operation for specific packages in target.txt. Use '!' for certificate generation, '?' for leaf hacking, and no symbol for automatic mode. ```text # target.txt # use automatic mode for gsf com.google.android.gsf # use leaf certificate hacking mode for key attestation App io.github.vvb2060.keyattestation? # use certificate generating mode for gms com.google.android.gms! ``` -------------------------------- ### Query Per-UID Attestation Mode with PkgConfig Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Checks if a given UID requires generate or hack operations based on package configuration. Use inside a Binder interceptor's onPreTransact. ```kotlin val uid = callingUid // supplied by the interceptor framework when { PkgConfig.needGenerate(uid) -> { // Full synthetic certificate chain — used when TEE is broken // or package is marked with '!' } PkgConfig.needHack(uid) -> { // Leaf certificate hacking — TEE produces the leaf, // module replaces its signing chain and Root-of-Trust // package is marked with '?' or AUTO with working TEE } else -> { // Package not in target.txt — pass through unmodified } } ``` -------------------------------- ### Simple Security Patch Level Source: https://github.com/beakthoven/trickystoreoss/blob/main/README.md Sets a simple security patch level for the system, vendor, or boot partitions in security_patch.txt. ```text # Hack os/vendor/boot security patch level 20241101 ``` -------------------------------- ### PkgConfig.needHack(callingUid) / PkgConfig.needGenerate(callingUid) Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Queries the attestation mode for a given UID. `needGenerate` returns true if the package requires a full synthetic certificate chain, while `needHack` returns true if leaf certificate hacking is required. This is useful for determining the appropriate security measure based on the calling application's UID. ```APIDOC ## PkgConfig.needHack(callingUid) / PkgConfig.needGenerate(callingUid) ### Description Per-UID attestation mode query. Resolves a calling UID to its package names via `IPackageManager`, then checks the configured `Mode` for each package. Returns `true` if any package for that UID requires the respective operation. ### Method `PkgConfig.needHack(callingUid: Int): Boolean` `PkgConfig.needGenerate(callingUid: Int): Boolean` ### Parameters #### Path Parameters - **callingUid** (Int) - Required - The unique identifier of the calling application. ### Usage Example ```kotlin // Inside a Binder interceptor's onPreTransact: val uid = callingUid // supplied by the interceptor framework when { PkgConfig.needGenerate(uid) -> { // Full synthetic certificate chain — used when TEE is broken // or package is marked with '!' } PkgConfig.needHack(uid) -> { // Leaf certificate hacking — TEE produces the leaf, // module replaces its signing chain and Root-of-Trust // package is marked with '?' or AUTO with working TEE } else -> { // Package not in target.txt — pass through unmodified } } ``` ``` -------------------------------- ### CertificateGen.generateChain Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Generates a complete X.509 attestation certificate chain from scratch using the supplied KeyGenParameters and a freshly generated key pair. The leaf certificate contains a fully constructed Key Description ASN.1 extension. ```APIDOC ## CertificateGen.generateChain(uid, params, keyPair, securityLevel) ### Description Builds a full synthetic attestation chain, including the leaf certificate with a Key Description extension signed by a loaded keybox key. ### Method `CertificateGen.generateChain` ### Parameters - **uid** (Int) - The calling UID. - **params** (CertificateGen.KeyGenParameters) - Key generation parameters. - **keyPair** (KeyPair) - The generated key pair. - **securityLevel** (SecurityLevel) - The security level (e.g., TRUSTED_ENVIRONMENT). ### Returns - `List?` - A list of DER-encoded certificates, where the first element is the leaf certificate and subsequent elements are CA certificates. Returns null if generation fails. ``` -------------------------------- ### Replace Root-of-Trust in Certificate Chain with CertificateHack Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Replaces the Root-of-Trust in a TEE-produced certificate chain. It strips the attestation extension from the leaf, substitutes the device's boot key and hash, updates patch levels, and re-signs the leaf using a loaded keybox private key while preserving the original public key. Use after getKeyEntry returns a real chain. ```kotlin // Used in Keystore2Interceptor.onPostTransact after getKeyEntry returns a real chain: val realChain: Array = response.getCertificateChain()!! val hackedChain: Array = CertificateHack.hackCertificateChain(realChain) // hackedChain[0] = re-signed leaf with spoofed Root-of-Trust // hackedChain[1..n] = certificates from the loaded keybox (replacing Google's chain) response.putCertificateChain(hackedChain).getOrThrow() // The response is returned to the calling app with the modified chain ``` -------------------------------- ### Parse and Store Keybox Material with KeyBoxUtils Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Parses an AndroidAttestation XML string to extract ECDSA/RSA key pairs and certificate chains, storing them in KeyBoxUtils.keyboxes. Clears existing keyboxes before loading new ones. Use KeyBoxUtils.hasKeyboxes() to check if any keybox is loaded. ```kotlin val xmlContent: String = File("/data/adb/tricky_store/keybox.xml").readText() KeyBoxUtils.readFromXml(xmlContent) // KeyBoxUtils.keyboxes["EC"] → KeyBox(pemKeyPair, keyPair, certificates) // KeyBoxUtils.keyboxes["RSA"] → KeyBox(pemKeyPair, keyPair, certificates) // Check if any keybox is loaded before intercepting: if (KeyBoxUtils.hasKeyboxes()) { // proceed with hack/generate } // Clear all keyboxes (e.g. keybox.xml deleted): KeyBoxUtils.readFromXml(null) ``` -------------------------------- ### Provide Hardware Attestation Key Material Source: https://context7.com/beakthoven/trickystoreoss/llms.txt An XML file containing private keys and their certificate chains (ECDSA or RSA) used to re-sign spoofed leaf certificates or generate synthetic chains. The module reloads this file automatically on write. ```xml 1 -----BEGIN EC PRIVATE KEY----- MHQCAQEEIBkg4LKCO... -----END EC PRIVATE KEY----- 3 -----BEGIN CERTIFICATE----- MIICpDCCAYwCCQD... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIICpDCCAYwCCQD... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIICpDCCAYwCCQD... -----END CERTIFICATE----- ``` -------------------------------- ### Advanced Security Patch Level Source: https://github.com/beakthoven/trickystoreoss/blob/main/README.md Provides advanced configuration for security patch levels, allowing specific settings for os, vendor, and boot partitions, or using system properties. ```text # os security patch level is 202411 system=202411 # do not hack boot patch level boot=no # vendor patch level is 20241101 (another format) vendor=2024-11-01 # default value # all=20241101 # keep consistent with system prop # system=prop ``` -------------------------------- ### AttestUtils.TEEStatus Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Performs a lazy check of the Trusted Execution Environment (TEE) liveness. It attempts to generate an EC key pair within the hardware-backed `AndroidKeyStore` with an attestation challenge. Returns `true` if the TEE can produce an attested leaf certificate, indicating it's functional for operations like leaf hacking. Returns `false` otherwise. The result is cached for the process lifetime. ```APIDOC ## AttestUtils.TEEStatus ### Description Lazy TEE liveness check. Generates a real EC key pair inside the hardware-backed `AndroidKeyStore` with an attestation challenge. Returns `true` if the TEE can produce an attested leaf certificate, `false` otherwise. Result is cached for the process lifetime. ### Method `AttestUtils.TEEStatus: Boolean` ### Return Value - **Boolean** - `true` if the TEE is functional, `false` otherwise. ### Usage Example ```kotlin // Evaluated once at module startup val teeWorking: Boolean = AttestUtils.TEEStatus // true → device TEE is functional; leaf hacking is possible // false → TEE is broken/unavailable; certificate generation must be used // Cached attestation data (verifiedBootHash, versions) from the probe key: val data: AttestUtils.AttestationData? = AttestUtils.CachedAttestData data?.let { println("attestVersion = ${it.attestVersion}") // e.g. 300 (KeyMint 3.0) println("keymasterVersion= ${it.keymasterVersion}") println("osVersion = ${it.osVersion}") // e.g. 140000 println("bootHash = ${it.verifiedBootHash?.toHex()}") } ``` ``` -------------------------------- ### SecurityLevelInterceptor.onPreTransact Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Intercepts `generateKey` transactions at the security-level interface, bypassing hardware for packages in generate mode. ```APIDOC ## SecurityLevelInterceptor.onPreTransact ### Description Handles `generateKey` transactions on `IKeystoreSecurityLevel`. For packages in generate mode, it generates a key pair, stores it, and returns a synthetic metadata reply, bypassing hardware. ### Context This method is part of the `SecurityLevelInterceptor` and specifically intercepts the `generateKey` transaction. ### Behavior - Parses `KeyGenParameters` from the `Parcel`. - Calls `CertificateGen.generateKeyPair`. - Caches the generated key pair and response metadata. - Returns a synthetic metadata reply to the caller, bypassing hardware. ``` -------------------------------- ### Implement Binder Transaction Interceptor Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Abstract base class for intercepting Binder transactions. Override onPreTransact and onPostTransact to hook into transaction lifecycle. Use Skip, Continue, OverrideReply, or OverrideData to control transaction flow. ```kotlin class MyInterceptor : BinderInterceptor() { override fun onPreTransact( target: IBinder, code: Int, flags: Int, callingUid: Int, callingPid: Int, data: Parcel ): Result { return if (code == MY_TRANSACTION_CODE && shouldIntercept(callingUid)) { val reply = Parcel.obtain() reply.writeNoException() reply.writeTypedObject(buildFakeResponse(), 0) OverrideReply(code = 0, reply = reply) } else { Skip // let the real keystore handle it } } override fun onPostTransact( target: IBinder, code: Int, flags: Int, callingUid: Int, callingPid: Int, data: Parcel, reply: Parcel?, resultCode: Int ): Result { if (reply == null || reply.hasException()) return Skip // Modify reply in place and return an OverrideReply, or just return Skip return Skip } } // Register the interceptor via the native backdoor: val backdoor: IBinder = BinderInterceptor.getBinderBackdoor(keystoreBinder)!! BinderInterceptor.registerBinderInterceptor(backdoor, targetBinder, MyInterceptor()) ``` -------------------------------- ### Parse XML Node with Dot-Notation Path Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Parses an XML document and navigates to a node using a dot-separated path. Supports indexed access for repeated elements. Returns attributes and text content of the resolved node. ```kotlin val xml = File("/data/adb/tricky_store/keybox.xml").readText() val parser = XmlParser(xml) // Navigate to a specific node: when (val result = parser.obtainPath("AndroidAttestation.NumberOfKeyboxes")) { is XmlParser.ParseResult.Success -> { val count = result.attributes["text"]?.toInt() ?: 0 println("Keyboxes: $count") // e.g. "Keyboxes: 1" } is XmlParser.ParseResult.Error -> println("Error: ${result.message}") } // Indexed access for repeated elements: when (val result = parser.obtainPath("AndroidAttestation.Keybox.Key[0]")) { is XmlParser.ParseResult.Success -> println("Algorithm: ${result.attributes["algorithm"]}") // "ecdsa" is XmlParser.ParseResult.Error -> println("Error: ${result.message}") } ``` -------------------------------- ### BinderInterceptor Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Abstract base class for Binder transaction hooks. Allows intercepting and modifying Binder transactions. ```APIDOC ## BinderInterceptor ### Description Abstract base class for Binder transaction hooks. Subclasses override `onPreTransact` and `onPostTransact` to intercept and potentially modify Binder calls. ### Methods - `onPreTransact(target: IBinder, code: Int, flags: Int, callingUid: Int, callingPid: Int, data: Parcel): Result` - Called before the real binder call is forwarded. - `onPostTransact(target: IBinder, code: Int, flags: Int, callingUid: Int, callingPid: Int, data: Parcel, reply: Parcel?, resultCode: Int): Result` - Called after the binder call returns. ### Result Types - `Skip` - Pass through unchanged. - `Continue` - Forward with original data. - `OverrideReply` - Substitute the reply entirely. - `OverrideData` - Modify the request data. ### Static Methods - `getBinderBackdoor(keystoreBinder: IBinder): IBinder?` - Retrieves the binder backdoor. - `registerBinderInterceptor(backdoor: IBinder, targetBinder: IBinder, interceptor: BinderInterceptor)` - Registers an interceptor. ``` -------------------------------- ### Intercept generateKey at Security Level Interface Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Handles generateKey transactions on IKeystoreSecurityLevel. For specific packages, it bypasses hardware by generating keys in software, caching them, and returning only metadata. ```kotlin // generateKey transaction interception (simplified): if (code == generateKeyTransaction && PkgConfig.needGenerate(callingUid)) { val kgp = CertificateGen.KeyGenParameters(params) // parse from Parcel val pair = CertificateGen.generateKeyPair( uid = callingUid, descriptor = keyDescriptor, attestKeyDescriptor = attestKeyDescriptor, // may be null params = kgp, securityLevel = level // TRUSTED_ENVIRONMENT or STRONGBOX ) ?: return@runCatching // Cache for later getKeyEntry retrieval: keyPairs[Key(callingUid, keyDescriptor.alias)] = Pair(pair.first, pair.second) val response = buildResponse(pair.second, kgp, keyDescriptor) keys[Key(callingUid, keyDescriptor.alias)] = Info(pair.first, response) // Return only metadata to the caller (no certificate yet): val p = Parcel.obtain() p.writeNoException() p.writeTypedObject(response.metadata, 0) return OverrideReply(0, p) } ``` -------------------------------- ### Check TEE Liveness with AttestUtils.TEEStatus Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Performs a lazy check of the Trusted Execution Environment (TEE) liveness by attempting to generate an EC key pair with attestation. The result is cached for the process lifetime. Returns true if the TEE is functional, false otherwise. ```kotlin // Evaluated once at module startup val teeWorking: Boolean = AttestUtils.TEEStatus // true → device TEE is functional; leaf hacking is possible // false → TEE is broken/unavailable; certificate generation must be used // Cached attestation data (verifiedBootHash, versions) from the probe key: val data: AttestUtils.AttestationData? = AttestUtils.CachedAttestData data?.let { println("attestVersion = ${it.attestVersion}") // e.g. 300 (KeyMint 3.0) println("keymasterVersion= ${it.keymasterVersion}") println("osVersion = ${it.osVersion}") // e.g. 140000 println("bootHash = ${it.verifiedBootHash?.toHex()}") } ``` -------------------------------- ### KeyBoxUtils.readFromXml(xmlData) Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Parses an `AndroidAttestation` XML string to extract key pairs and certificate chains, storing them in `KeyBoxUtils.keyboxes`. This function first clears any previously loaded keyboxes before loading the new ones. It supports both ECDSA and RSA key types. ```APIDOC ## KeyBoxUtils.readFromXml(xmlData) ### Description Parse and store keybox material. Parses an `AndroidAttestation` XML string, extracting all contained ECDSA/RSA key pairs and certificate chains. Stores them in `KeyBoxUtils.keyboxes` (a `ConcurrentHashMap` keyed by JCA algorithm name). Clears all previously loaded keyboxes before loading new ones. ### Method `KeyBoxUtils.readFromXml(xmlData: String?): Unit` ### Parameters #### Request Body - **xmlData** (String?) - Optional - The XML content containing keybox material. If null, all keyboxes are cleared. ### Usage Example ```kotlin val xmlContent: String = File("/data/adb/tricky_store/keybox.xml").readText() KeyBoxUtils.readFromXml(xmlContent) // KeyBoxUtils.keyboxes["EC"] → KeyBox(pemKeyPair, keyPair, certificates) // KeyBoxUtils.keyboxes["RSA"] → KeyBox(pemKeyPair, keyPair, certificates) // Check if any keybox is loaded before intercepting: if (KeyBoxUtils.hasKeyboxes()) { // proceed with hack/generate } // Clear all keyboxes (e.g. keybox.xml deleted): KeyBoxUtils.readFromXml(null) ``` ``` -------------------------------- ### CertificateHack.hackCertificateChain(chain) Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Replaces the Root-of-Trust in an existing certificate chain. This function takes a TEE-produced certificate chain, modifies the leaf's attestation extension to include the device's resolved boot key and boot hash, updates patch levels, and re-signs the leaf using a private key from the loaded keybox while preserving the original public key. ```APIDOC ## CertificateHack.hackCertificateChain(chain) ### Description Replace Root-of-Trust in existing chain. Takes a real TEE-produced certificate chain, strips the Root-of-Trust from the leaf's attestation extension, substitutes the device's resolved boot key and boot hash, updates patch levels, and re-signs the leaf using the loaded keybox private key. The original public key is preserved. ### Method `CertificateHack.hackCertificateChain(chain: Array): Array` ### Parameters #### Path Parameters - **chain** (Array) - Required - The original certificate chain produced by the TEE. ### Return Value - **Array** - The modified certificate chain with a spoofed Root-of-Trust. ### Usage Example ```kotlin // Used in Keystore2Interceptor.onPostTransact after getKeyEntry returns a real chain: val realChain: Array = response.getCertificateChain()!! val hackedChain: Array = CertificateHack.hackCertificateChain(realChain) // hackedChain[0] = re-signed leaf with spoofed Root-of-Trust // hackedChain[1..n] = certificates from the loaded keybox (replacing Google's chain) response.putCertificateChain(hackedChain).getOrThrow() // The response is returned to the calling app with the modified chain ``` ``` -------------------------------- ### Override Security Patch Levels for Attestation Certificates Source: https://context7.com/beakthoven/trickystoreoss/llms.txt Overrides the OS/vendor/boot security patch levels embedded in attestation certificates. Affects only KeyAttestation output and does not modify live system properties. ```plaintext # /data/adb/tricky_store/security_patch.txt # Simple — apply one date to all components 20241101 # Advanced — control each component independently system=202411 vendor=2024-11-01 boot=no # leave boot patch level unchanged # system=prop # use the actual system prop value ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.