部队门户网站建设方案,网站建设若干意见,音乐网站开发技术人员配置,C语言也能干大事网站开发pdf看到“生成 keybox.xml”#xff0c;大概率都会联想到 PIF 和 Tricky Store。这里就不多解释它们的用途了。最近在网上看到生成非 AOSP keybox 的教程#xff0c;在这里做一些补充#xff0c;并将代码打包成一个 Python 脚本。
参考自#xff1a;
Idea 提供者#xff1a…看到“生成 keybox.xml”大概率都会联想到 PIF 和 Tricky Store。这里就不多解释它们的用途了。最近在网上看到生成非 AOSP keybox 的教程在这里做一些补充并将代码打包成一个 Python 脚本。
参考自
Idea 提供者https://xdaforums.com/t/tee-hacking.4662185/page-21#post-89847987如果打不开或者被重定向去另一个网页可能要刷新几遍才能正确打开这个网页 该原始 Idea 需要借助一个密码学工具网站RSA 私钥转换https://stackoverflow.com/questions/17733536/how-to-convert-a-private-key-to-an-rsa-private-key。
做出以下调整
直接使用一站式脚本执行自动利用 openssl 生成三个 PEM 文件如果用于预检测的 openssl version 命令执行失败自动尝试通过 sudo apt-get install libssl-dev 进行安装实现对新版 openssl 生成的 RSA 私钥进行识别并从 PKCS8 转换为 PKCS1。
直接上 Python 代码记得以 LF 形式保存换行符并在 Ubuntu 24.04.1 LTS 中运行。
import os
try:os.chdir(os.path.abspath(os.path.dirname(__file__)))
except:pass
EXIT_SUCCESS 0
EXIT_FAILURE 1
EOF (-1)
keyboxFormatter ?xml version1.0?
AndroidAttestation
NumberOfKeyboxes1/NumberOfKeyboxes
Keybox DeviceIDYourDeviceID
Key algorithmecdsa
PrivateKey formatpem
{0}/PrivateKey
CertificateChain
NumberOfCertificates1/NumberOfCertificates
Certificate formatpem
{1}/Certificate
/CertificateChain
/Key
Key algorithmrsa
PrivateKey formatpem
{2}/PrivateKey
/Key
/Keybox
/AndroidAttestationdef execute(commandline:str) - int|None:if isinstance(commandline, str):print($ commandline)return os.system(commandline)else:return Nonedef handleOpenSSL(flag:bool True) - bool|None:if isinstance(flag, bool):errorLevel execute(openssl version)if EXIT_SUCCESS errorLevel:return Trueelif flag: # can try againexecute(sudo apt-get install openssl libssl-dev)return handleOpenSSL(False)else:return Falseelse:return Nonedef pressTheEnterKeyToExit(errorLevel:int|None None):try:print(Please press the enter key to exit ({0}). .format(errorLevel) if isinstance(errorLevel, int) else Please press the enter key to exit. )input()except:passdef main() - int:# Parameters #failureCount 0ecPrivateKeyFilePath ecPrivateKey.pemcertificateFilePath certificate.pemrsaPrivateKeyFilePath rsaPrivateKey.pemoldRsaPrivateKeyFilePath oldRsaPrivateKey.pemkeyboxFilePath keybox.xml# First-phase Generation #failureCount execute(openssl ecparam -name prime256v1 -genkey -noout -out \{0}\.format(ecPrivateKeyFilePath)) ! 0failureCount execute(openssl req -new -x509 -key \{0}\ -out {1} -days 3650 -subj \/CNKeybox\.format(ecPrivateKeyFilePath, certificateFilePath)) ! 0failureCount execute(openssl genrsa -out \{0}\ 2048.format(rsaPrivateKeyFilePath)) ! 0if failureCount 0:print(Cannot generate a sample keybox.xml file since {0} PEM file{1} not generated successfully. .format(failureCount, (s were if failureCount 1 else was)))pressTheEnterKeyToExit(EOF)return EOF# First-phase Reading #try:with open(ecPrivateKeyFilePath, r, encoding utf-8) as f:ecPrivateKey f.read()with open(certificateFilePath, r, encoding utf-8) as f:certificate f.read()with open(rsaPrivateKeyFilePath, r, encoding utf-8) as f:rsaPrivateKey f.read()except BaseException as e:print(Failed to read one or more of the PEM files. Details are as follows. \n{0}.format(e))pressTheEnterKeyToExit(EOF)return EOF# Second-phase Generation #if rsaPrivateKey.startswith(-----BEGIN PRIVATE KEY-----):print(A newer openssl version is used. The RSA private key in the PKCS8 format will be converted to that in the PKCS1 format soon. )failureCount execute(openssl rsa -in \{0}\ -out \{1}\ -traditional.format(rsaPrivateKeyFilePath, oldRsaPrivateKeyFilePath))if failureCount 0:print(Cannot convert the RSA private key in the PKCS8 format to that in the PKCS1 format. )pressTheEnterKeyToExit(EOF)return EOFelse:print(Finished converting the RSA private key in the PKCS8 format to that in the PKCS1 format. )try:with open(oldRsaPrivateKeyFilePath, r, encoding utf-8) as f:rsaPrivateKey f.read()except BaseException as e:print(Failed to update the RSA private key from \{0}\. Details are as follows. \n{1}.format(oldRsaPrivateKeyFilePath, e))pressTheEnterKeyToExit(EOF)return EOF# Keybox Generation #keybox keyboxFormatter.format(ecPrivateKey, certificate, rsaPrivateKey)print(keybox)try:with open(keyboxFilePath, w, encoding utf-8) as f:f.write(keybox)print(Successfully wrote the keybox to \{0}\. .format(keyboxFilePath))pressTheEnterKeyToExit(EXIT_SUCCESS)return EXIT_SUCCESSexcept BaseException as e:print(Failed to write the keybox to \{0}\. Details are as follows. \n{1}.format(keyboxFilePath, e))pressTheEnterKeyToExit(EXIT_FAILURE)return EXIT_FAILUREif __main__ __name__:exit(main())替换 /data/adb/tricky_store/keybox.xml 之前记得先将原来的 keybox.xml刷入 tricky_store 时自带的那个基于 AOSP 的 keybox.xml备份为 keybox.xml.bak。 12月14日凌晨做了一些更新
支持粗略检查三个子密钥文件内容支持 OpenSSL 私钥转 RSA 私钥如果文件存在程序会提示是否覆盖设备ID随机生成。
import os
from random import randint, choice
from base64 import b64decode
try:os.chdir(os.path.abspath(os.path.dirname(__file__)))
except:pass
EXIT_SUCCESS 0
EXIT_FAILURE 1
EOF (-1)
LB 2 # the lower bound of the length of the device ID
UB 12 # the upper bound of the length of the device ID
CHARSET ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
keyboxFormatter ?xml version1.0?
AndroidAttestation
NumberOfKeyboxes1/NumberOfKeyboxes
Keybox DeviceID{0}
Key algorithmecdsa
PrivateKey formatpem
{1}/PrivateKey
CertificateChain
NumberOfCertificates1/NumberOfCertificates
Certificate formatpem
{2}/Certificate
/CertificateChain
/Key
Key algorithmrsa
PrivateKey formatpem
{3}/PrivateKey
/Key
/Keybox
/AndroidAttestation
def canOverwrite(flags:list, idx:int, prompts:str|tuple|list|set) - bool:if isinstance(flags, list) and isinstance(idx, int) and -len(flags) idx len(flags) and isinstance(prompts, (str, tuple, list, set)):try:if isinstance(prompts, str):print(\{0}\.format(prompts))choice input(The file mentioned above exists. Overwrite or not [aYn]? )else:print(prompts)choice input(At least one of the files mentioned above exists. Overwrite or not [aYn]? )if choice.upper() A:for i in range((idx if idx 0 else len(flags) idx), len(flags)): # overwirte the current file and all the following necessary files no matter whether they existflags[i] Truereturn Trueelif choice.upper() N:return Falseelse:flags[idx] Truereturn Trueexcept BaseException as e:print(e)return Falseelse:input(#)return Falsedef execute(commandline:str) - int|None:if isinstance(commandline, str):print($ commandline)return os.system(commandline)else:return Nonedef handleOpenSSL(flag:bool True) - bool|None:if isinstance(flag, bool):errorLevel execute(openssl version)if EXIT_SUCCESS errorLevel:return Trueelif flag: # can try againexecute(sudo apt-get install openssl libssl-dev)return handleOpenSSL(False)else:return Falseelse:return Nonedef pressTheEnterKeyToExit(errorLevel:int|None None):try:print(Please press the enter key to exit ({0}). .format(errorLevel) if isinstance(errorLevel, int) else Please press the enter key to exit. )input()except:passdef main() - int:# Parameters #failureCount 0deviceID .join([choice(CHARSET) for _ in range(randint(LB, UB))]) # or specify the device ID manually like YourDeviceIDecPrivateKeyFilePath ecPrivateKey.pemcertificateFilePath certificate.pemrsaPrivateKeyFilePath rsaPrivateKey.pemkeyboxFilePath keybox.xml # None for no files writtenflags [not (os.path.isfile(ecPrivateKeyFilePath) or os.path.isfile(certificateFilePath)), not os.path.isfile(rsaPrivateKeyFilePath), not os.path.isfile(keyboxFilePath)]# First-phase Generation #if flags[0] or canOverwrite(flags, 0, (ecPrivateKeyFilePath, certificateFilePath)):failureCount execute(openssl ecparam -name prime256v1 -genkey -noout -out \{0}\.format(ecPrivateKeyFilePath)) ! 0if flags[0] or not os.path.isfile(certificateFilePath):failureCount execute(openssl req -new -x509 -key \{0}\ -out {1} -days 3650 -subj \/CNKeybox\.format(ecPrivateKeyFilePath, certificateFilePath)) ! 0if flags[1] or canOverwrite(flags, 1, rsaPrivateKeyFilePath):failureCount execute(openssl genrsa -out \{0}\ 2048.format(rsaPrivateKeyFilePath)) ! 0if failureCount 0:print(Cannot generate a sample keybox.xml file since {0} PEM file{1} not generated successfully. .format(failureCount, (s were if failureCount 1 else was)))pressTheEnterKeyToExit(11)return 11# First-phase Reading #try:with open(ecPrivateKeyFilePath, r, encoding utf-8) as f:ecPrivateKey f.read()with open(certificateFilePath, r, encoding utf-8) as f:certificate f.read()with open(rsaPrivateKeyFilePath, r, encoding utf-8) as f:rsaPrivateKey f.read()except BaseException as e:print(Failed to read one or more of the PEM files. Details are as follows. \n{0}.format(e))pressTheEnterKeyToExit(12)return 12# Second-phase Generation #if flags[1]: # only updates the key content when the original key is newly generated or updating is allowedif rsaPrivateKey.startswith(-----BEGIN PRIVATE KEY-----) and rsaPrivateKey.rstrip().endswith(-----END PRIVATE KEY-----):print(A newer openssl version is used. The RSA private key in the PKCS8 format will be converted to that in the PKCS1 format soon. )failureCount execute(openssl rsa -in \{0}\ -out \{0}\ -traditional.format(rsaPrivateKeyFilePath))if failureCount 0:print(Cannot convert the RSA private key in the PKCS8 format to that in the PKCS1 format. )pressTheEnterKeyToExit(13)return 13else:print(Finished converting the RSA private key in the PKCS8 format to that in the PKCS1 format. )try:with open(rsaPrivateKeyFilePath, r, encoding utf-8) as f:rsaPrivateKey f.read()except BaseException as e:print(Failed to update the RSA private key from \{0}\. Details are as follows. \n{1}.format(rsaPrivateKeyFilePath, e))pressTheEnterKeyToExit(14)return 14elif rsaPrivateKey.startswith(-----BEGIN OPENSSH PRIVATE KEY-----) and rsaPrivateKey.rstrip().endswith(-----END OPENSSH PRIVATE KEY-----):print(An OpenSSL private key is detected, which will be converted to the RSA private key soon. )failureCount execute(ssh-keygen -p -m PEM -f \{0}\ -N \\.format(rsaPrivateKeyFilePath))if failureCount 0:print(Cannot convert the OpenSSL private key to the RSA private key. )pressTheEnterKeyToExit(15)return 15else:print(Finished converting the OpenSSL private key to the RSA private key. )try:with open(rsaPrivateKeyFilePath, r, encoding utf-8) as f: # the ssh-keygen overwrites the file though no obvious output filepaths specifiedrsaPrivateKey f.read()except BaseException as e:print(Failed to update the RSA private key from \{0}\. Details are as follows. \n{1}.format(rsaPrivateKeyFilePath, e))pressTheEnterKeyToExit(16)return 16# Brief Checks #if not (ecPrivateKey.startswith(-----BEGIN EC PRIVATE KEY-----) and ecPrivateKey.rstrip().endswith(-----END EC PRIVATE KEY-----)):print(An invalid EC private key is detected. Please try to use the latest key generation tools to solve this issue. )pressTheEnterKeyToExit(17)return 17if not (certificate.startswith(-----BEGIN CERTIFICATE-----) and certificate.rstrip().endswith(-----END CERTIFICATE-----)):print(An invalid certificate is detected. Please try to use the latest key generation tools to solve this issue. )pressTheEnterKeyToExit(18)return 18if not (rsaPrivateKey.startswith(-----BEGIN RSA PRIVATE KEY-----) and rsaPrivateKey.rstrip().endswith(-----END RSA PRIVATE KEY-----)):print(An invalid final RSA private key is detected. Please try to use the latest key generation tools to solve this issue. )pressTheEnterKeyToExit(19)return 19# Keybox Generation #keybox keyboxFormatter.format(deviceID, ecPrivateKey, certificate, rsaPrivateKey)print(Generated keybox with a length of {0}: .format(len(keybox)))print(keybox)if keyboxFilePath is not None and (flags[2] or canOverwrite(flags, 2, keyboxFilePath)):try:with open(keyboxFilePath, w, encoding utf-8) as f:f.write(keybox)print(Successfully wrote the keybox to \{0}\. .format(keyboxFilePath))pressTheEnterKeyToExit(EXIT_SUCCESS)return EXIT_SUCCESSexcept BaseException as e:print(Failed to write the keybox to \{0}\. Details are as follows. \n{1}.format(keyboxFilePath, e))pressTheEnterKeyToExit(20)return 20else:print(The keybox has not been written to any files. Please refer to the text above. )pressTheEnterKeyToExit(EXIT_FAILURE)return EXIT_FAILUREif __main__ __name__:exit(main())
