Releases: JingMatrix/TEESimulator
TEESimulator v3.2
🚀 Release: TEESimulator v3.2 (Hotfix)
TEESimulator v3.2 is rolling out today as a hotfix. This release was pushed ahead of schedule because our recent GitHub build artifacts were expiring, and a severe Google Play Services (GMS) log flooding bug was significantly degrading device performance for many users. 📱⚡
- Detections: Due to time constraints, we haven't patched all the new detections currently in the wild. However, this hotfix does successfully address a few critical detection points. 🛡️
- LSPosed ➡️ Vector: I (JingMatrix) am currently dedicating my efforts to refactoring LSPosed into Vector. Consequently, TEESimulator's development pace will temporarily slow down. Please stay tuned and monitor the commit history to follow along with our progress! 🛠️👀
Here is the changelog for this release:
🔧 Stability & Performance
- 🛑 GMS Log Flooding: Mitigated massive log spam and battery drain (especially noticeable on WearOS or Nearby Share) by safely bypassing list hooks for GMS.
- 💥 Binder Leak Resolved: Squashed a critical strong reference memory leak during binder transaction interception that caused random crashes.
🛡️ Anti-Detection & Emulation
- 🔑 Pre-Existing Key Override: TEESimulator now detects and replaces hardware keys that apps managed to request before the module was installed, ensuring all future operations remain under control.
- 🧩 Accurate module_hash: Completely aligned the APEX module hashing logic with the official Android keystore2 implementation (including direct /apex filesystem scanning and exact ASN.1 DER sorting).
- 📜 Certificate KeyUsage Fix: Dynamically sets X.509 KeyUsage bits based on the actual key purpose to properly adhere to Android HAL specifications (the first contribution of @Enginex0!).
- ⚙️ Core Improvements: Enhanced KeyMint logging (parsing ORIGIN, OS_VERSION, etc.) and fixed Parcel position resets for cleaner internal error handling.
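The "exact ASN.1 DER sorting" mentioned above is the X.690 rule for SET OF ordering, which is why the module hash is independent of the order modules are discovered in. The following is an added example (not TEESimulator code) showing the computation a relying party would use to derive the expected value; the schema Modules ::= SET OF Module, Module ::= SEQUENCE { packageName OCTET_STRING, version INTEGER } is assumed from the AOSP key attestation documentation, and the module names are constructed.

```python
import hashlib

# Added example (not TEESimulator code): computing a keystore2-style module
# hash over a DER-encoded "Modules ::= SET OF Module" value. The schema,
# Module ::= SEQUENCE { packageName OCTET_STRING, version INTEGER }, is
# assumed from the AOSP key attestation documentation; sample module names
# below are constructed.


def der_length(n: int) -> bytes:
    """DER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER in minimal two's complement (leading 0x00 if MSB set)."""
    if value < 0:
        raise ValueError("module versions are non-negative")
    return der_tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def encode_module(package_name: str, version: int) -> bytes:
    return der_tlv(0x30, der_tlv(0x04, package_name.encode()) + der_integer(version))


def der_set_of(elements: list[bytes]) -> bytes:
    """SET OF per X.690 11.6: elements ordered by their encoded octets,
    shorter encodings padded at the end with 0x00 for the comparison."""
    width = max((len(e) for e in elements), default=0)
    ordered = sorted(elements, key=lambda e: e.ljust(width, b"\x00"))
    return der_tlv(0x31, b"".join(ordered))


def module_hash(modules: list[tuple[str, int]]) -> bytes:
    """SHA-256 over the DER Modules value; input order must not matter."""
    return hashlib.sha256(der_set_of([encode_module(n, v) for n, v in modules])).digest()


# Constructed sample: the same two fictional APEX modules listed in two orders.
SAMPLE_A = [("com.example.apex.zeta", 3), ("com.example.apex.alpha", 1200)]
SAMPLE_B = list(reversed(SAMPLE_A))

if __name__ == "__main__":
    print(module_hash(SAMPLE_A).hex())
    print("order independent:", module_hash(SAMPLE_A) == module_hash(SAMPLE_B))
```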
TEESimulator v3.1
🎉 TEESimulator v3.1: Legacy Support & Resilience
This release marks a significant step forward in our mission, focusing on breathing life into devices with broken TEEs and extending full support to older Android versions (Android 10–12).
🛡️ Enhanced Keystore2 Emulation
We have implemented critical APIs to support devices where the hardware TEE is broken or for applications configured to use key generation mode. These improvements directly address detection vectors identified in v3.0 (collaborated with @XiaoTong6666 ):
- ✅ Full Crypto Operations (createOperation): The simulator now correctly handles SIGN, VERIFY, ENCRYPT, and DECRYPT purposes for software-generated keys.
- 🔗 Certificate Chain Updates (updateSubcomponent): Added support for applications updating the certificate chain of virtual keys (e.g., via KeyStore.setKeyEntry).
- 📋 Enumeration Support (listEntries): Generated keys are now properly visible in enumeration APIs like KeyStore.aliases(), thanks to the implementation of listEntries and listEntriesBatched.
🔧 Compatibility & Stability
We’ve ironed out crashes and architecture-specific bugs to ensure a smooth experience across more devices:
- Android 10: Fixed a crash caused by the missing waitForService method.
- Android 11: Implemented environment initialization and daemon UID spoofing to successfully bypass keystore generation permission checks.
- ARM 32-bit (Android 12): Resolved ptrace compatibility issues by falling back to PTRACE_GETREGS and PTRACE_SETREGS.
- x86_64 Emulators: Enforced respect for the stack pointer "red zone" and added a staging fallback mechanism for file descriptor transfer of libTEESimulator.so.
🚀 The Road Ahead
We are aware of the remaining detection vectors (see the issues list) and have clear solutions mapped out for the next release.
Google's aggressive push for Remote Key Provisioning (RKP) and the drying up of leaked keyboxes is not the end for TEESimulator. Our ultimate goal remains unchanged: defeating Keystore attestation without relying on a valid keybox.
We are inching closer to this milestone, but the fight for device freedom is complex and resource-intensive. Your patience and support (both time and financial) are vital as we conquer these new challenges.
TEESimulator v3.0
TEESimulator 3.0 is a significant update focused on powerful new configuration options, major improvements to stealth, and enhanced stability.
✨ Highlights & New Features
- 🎯 Per-App Security Patch Configuration: Gain ultimate control by setting security patch levels on a per-package basis. Define a global default in security_patch.txt and override it for specific apps like [com.google.android.gms]. Moreover, your configuration is now alive! Use the today keyword to always report the current date, or create rolling dates with templates like YYYY-MM-05. Be sure to check the README for more details.
- 🕰️ Full Software Emulation on Android 11: We've implemented a complete, software-based key generation and attestation flow for the legacy IKeystoreService API, bringing full emulation capabilities to older devices.
🛡️ Stealth & Evasion Upgrades
- ⛓️ Consistent Certificate Signatures: Say goodbye to a major detection vector in icu.nullptr.nativetest. Patched certificates are now cached, ensuring that every request for a key returns a byte-for-byte identical certificate, just like a real TEE.
- 🔑 Authentic Device Properties: To appear more genuine, the simulator now sources and uses your device's real verifiedBootHash and moduleHash, moving away from placeholder values.
- 📜 Structurally Sound Certificates: The patching logic has been rewritten to be less intrusive. It now modifies the attestation extension in-place, preserving the original order of other extensions and preventing duplicates to avoid suspicion.
🐛 Bug Fixes & Reliability
- ✅ Robust Crypto Engine: Fixed critical crashes related to cryptographic provider conflicts. The signing logic is now more explicit and the KeyBox parser is more resilient against malformed files.
- ➡️ Improved Compatibility: Resolved a native crash on Android 11 devices.
🚀 The Road Ahead
Our work to fix detection vectors and provide full support for TEE-broken devices and Android 10/11 is ongoing. We welcome your feedback! Please report any issues or contribute a pull request on our GitHub.
TEESimulator v2.1
🚀 TEESimulator v2.1 Hotfix Release is Live! 🚀
This urgent hotfix addresses several critical issues identified in the previous v2.0 release.
The v2.0 update, a significant refactoring effort, unfortunately introduced a few unexpected behaviors and bugs that we are now rectifying.
Key fixes in this release include:
- Google Play Integrity: Resolved an issue preventing the attainment of STRONG integrity for Google Play verdicts, caused by an incorrect vendor patch level format. ✅
- Application Stability: Fixed a critical crash related to an incorrect signature for the SystemProperties.set stub method. 🐛
- Stealth Enhancement: Implemented a fix to bypass detection by the Android Native Detector. 👻
🔬 We are actively investigating a recent detection method to further enhance stealth capabilities.
🙏 Support for TEE-broken devices and Android 10/11 remains an area of ongoing improvement. We highly encourage you to submit any issues you encounter to help us refine these aspects! 🤝
TEESimulator v2.0
Key Highlights:
- 🚀 Complete Refactoring: TEESimulator v2.0 has been entirely rebuilt and is no longer based on its predecessors, TrickyStore and TrickyStoreOSS, resulting in a more streamlined and maintainable codebase.
- 🛡️ Enhanced Bypass Capabilities: The simulator now successfully bypasses well-known detection mechanisms, including TamperedAttestation and KeyAttestation.
- 💳 Revolut Detection Bypass: With a valid keybox, users can now circumvent the detection measures implemented in the Revolut application.
Current Limitations:
⚠️ Google Play Verdict: Bypassing the detections within the Google Play verdict remains an unresolved challenge. We are actively seeking solutions and welcome any insights from the community regarding potential system module-based bypasses.
Platform Support:
- 📱 Android 10 & 11: TEESimulator v2.0 has not yet been tested on Android 10 or 11. We encourage users on these platforms to report any issues and provide logs to help us improve compatibility.
Contributing:
- 🤝 We welcome and encourage community contributions. Please feel free to submit issues and pull requests to help improve the project.
TEESimulator v1.0
Initial release of TEESimulator
TEESimulator is forked from TrickyStoreOSS with the ambitious plan to fully simulate TEE.
Current release only marks the beginning of this project.
A new feature is added, which allows users to configure multiple keybox files.