
Can we do it with Root access (Magisk) without PC need?

DineshValor opened this issue 1 year ago • 4 comments

Is it possible?

DineshValor, Jan 02 '24 20:01

so you can't read or what

halt-spesn, Jan 03 '24 11:01

> so you can't read or what

Are you blind 😂? I just asked, is it possible or not! Can we do the cmd process via a local terminal such as Termux with su permission?

DineshValor, Jan 03 '24 11:01

> > so you can't read or what
>
> Are you blind 😂? I just asked, is it possible or not! Can we do the cmd process via a local terminal such as Termux with su permission?

You are blind; it's literally written that you need at least an eng ROM for your device.

halt-spesn, Jan 03 '24 12:01

bhai moment

AdrianoA3, Jan 03 '24 12:01

Has anyone tried a OnePlus device?

pcraciunoiu, Jan 04 '24 15:01

> Has anyone tried a OnePlus device?

I have a OnePlus device but haven't tried yet because I'm out of station.

DineshValor, Jan 04 '24 15:01

It's possible with root access only:

```
OP5929L1:/data/nativetest64/qti_keymaster_tests # LD_LIBRARY_PATH=/vendor/lib64/hw KmInstallKeybox keybox.xml X705F100000000 false
Number of keyboxes 1
myDeviceID: X705F100000000
keyboxCtx.device_id.data: X705F100000000
KeyMaster Attestation Key Provisioning success for KeyIDX705F100000000
TEE done
InstallKeybox is done!
```

But it does not work for OnePlus devices (OP5929L1 is a OnePlus 12, non-eng ROM); after the install, attestation still fails.

OPlus's Qualcomm devices (including OPPO, OnePlus, Realme, Nothing) block the TEE attestation call after unlock (just block, not self-destruct).

This method should only work on phones with lost keys (the error code in Key Attestation Demo is not -10003).

If you received -10003 in Key Attestation Demo, that means your TEE is fully self-destructed (hardware level, like Samsung Knox); you can usually see this code on Xiaomi, POCO, and Redmi devices. This is a restriction added by Xiaomi to stop users from flashing their phones, and for security needs.

TEE-related features will be permanently damaged. There is no way to restore other than by replacing the motherboard.

If the TEE is already self-destructed, like on my Xiaomi 10 (eng ROM), KmInstallKeybox will fail with code -10004, like #3:

```
umi:/data/nativetest64/qti_keymaster_tests # LD_LIBRARY_PATH=/vendor/lib64/hw KmInstallKeybox keybox.xml X705F100000000 false
Number of keyboxes 1
myDeviceID: X705F100000000
keyboxCtx.device_id.data: X705F100000000
KeyMasterInstallKeybox error-10004
InstallKeybox Failed!-2000
```

So DO NOT TRY THIS METHOD ON YOUR ONEPLUS PHONE: IT DOES NOT WORK, BUT THE ORIGINAL KEYS IN THE TEE WILL BE LOST.

MlgmXyysd, Jan 05 '24 10:01

> If the TEE is already self-destructed, like on my Xiaomi 10 (eng ROM), KmInstallKeybox will fail with code -10004, like #3:
>
> ```
> umi:/data/nativetest64/qti_keymaster_tests # LD_LIBRARY_PATH=/vendor/lib64/hw KmInstallKeybox keybox.xml X705F100000000 false
> Number of keyboxes 1
> myDeviceID: X705F100000000
> keyboxCtx.device_id.data: X705F100000000
> KeyMasterInstallKeybox error-10004
> InstallKeybox Failed!-2000
> ```

Tried on another umi: install succeeded, attestation passed.

MlgmXyysd, Jan 05 '24 12:01

Should NOT be possible.

chiteroman, Jan 11 '24 16:01

@MlgmXyysd Try to execute:

```
qseecom_sample_client v smplap64 14 1
```

Type 2 and press Enter to check if the key is provisioned. If not, execute it again, type 1, and check if it works now.

chiteroman, Jan 11 '24 16:01

> @MlgmXyysd Try to execute:
>
> ```
> qseecom_sample_client v smplap64 14 1
> ```
>
> Type 2 and press Enter to check if the key is provisioned. If not, execute it again, type 1, and check if it works now.

```
umi:/ # qseecom_sample_client v smplap64 14 1
Note: Command line arguments do not belong to legacy test
        -------------------------------------------------------
         WARNING!!! You are about to provision the RPMB key.
         This is a ONE time operation and CANNOT be reversed.
        -------------------------------------------------------
         0 -> Provision Production key
         1 -> Provision Test key
         2 -> Check RPMB key provision status
        -------------------------------------------------------
         Select an option to proceed: 2
RMPB Key status: RPMB_KEY_PROVISIONED_AND_OK (0)
```

MlgmXyysd, Jan 11 '24 17:01

> If the TEE is already self-destructed, like on my Xiaomi 10 (eng ROM), KmInstallKeybox will fail with code -10004, like #3

What happens if you try this:

```
LD_LIBRARY_PATH=/vendor/lib64/hw KmInstallKeybox keybox.xml X705F100000000 true keybox.xml X705F100000000 true
```

Should have StrongBox, maybe it works :o

chiteroman, Jan 11 '24 23:01

> > If the TEE is already self-destructed, like on my Xiaomi 10 (eng ROM), KmInstallKeybox will fail with code -10004, like #3
>
> What happens if you try this:
>
> ```
> LD_LIBRARY_PATH=/vendor/lib64/hw KmInstallKeybox keybox.xml X705F100000000 true keybox.xml X705F100000000 true
> ```
>
> Should have StrongBox, maybe it works :o

I don't think it supports StrongBox; the first supported SoC in Qualcomm Snapdragon is 8 Gen 3, but umi is Snapdragon 865.

MlgmXyysd, Jan 15 '24 09:01