gitmyhub

BootloaderSpoofer

Java ★ 29 updated 29d ago

Spoof locked bootloader on local attestations.

An Android module that makes apps think your device has a locked bootloader by modifying the local attestation certificate. It requires root access and a compatible hook framework.

Tags: Java, Android, TEE, keybox. Setup: hard. Complexity: 5/5.

Android devices have a bootloader, which is the software that starts up before the operating system loads. When the bootloader is "locked," it means the device has not been modified from its factory state. Some apps check this status using a process called local attestation, where the device produces a certificate claiming whether it is in a verified or modified state. This module is designed to make that certificate report a locked bootloader, even if the device's bootloader is actually unlocked.

The README is explicit about the scope: this only affects local attestation, which is a check the app performs on-device. If an app sends the certificate to a server for verification, this module does nothing useful and will not pass that check. The authors point to a different tool called TrickyStore for online attestation scenarios.

There are two modes. The first, called leaf_hack, works on devices where the secure hardware (TEE) is functional. It lets the device generate a real certificate, then rewrites one specific field in it to claim the bootloader is locked, and re-signs the modified certificate using a keybox key. The second mode, cert_generate, is for devices where the secure hardware is broken or absent. It generates a fresh certificate entirely in software, bypassing the hardware keystore. This mode has limitations: apps that look up the key a second time through the standard Android API will find nothing, and the secure hardware status field is not altered.

The module ships with a publicly known test keybox from Google that is not backed by real hardware and will not pass any server-side check against Google's official attestation roots. Users can supply their own keybox in a documented XML format if they have one.

This is a technical Android module requiring root access and a compatible hook framework to install.

Where it fits