Full TEE Emulation for Rooted Android
Note
Fork of JingMatrix/TEESimulator with native Rust certificate generation, key persistence, and AOSP-compliant attestation behavior. For the upstream project, see the original repo.
TEESimulator intercepts Binder IPC at the ioctl level inside the keystore2 process and generates entire certificate chains from scratch, signed by your keybox, with correct attestation extensions. Apps that verify hardware attestation see a legitimate device.
This is not TrickyStore. TEESimulator replaces TrickyStore and its forks entirely. It shares the same config paths for drop-in compatibility, but the internals are different: native Rust cert generation, binder-level interception via lsplt, per-UID rate limiting, key persistence, and AOSP-spec attestation behavior.
Important
A valid keybox.xml is required for hardware-level attestation. Without one, the module generates software-level certificates that won't pass strict hardware checks.
- Android 10+
- Root manager: KernelSU, Magisk, or APatch
keybox.xmlat/data/adb/tricky_store/keybox.xml
- Download the latest ZIP from Releases
- Install via your root manager and reboot
- Place your keybox at
/data/adb/tricky_store/keybox.xml - Configure targets in
/data/adb/tricky_store/target.txt - Verify with Play Integrity or Key Attestation Demo
Native Cert Generation — libcertgen.so generates X.509 chains in Rust using ring and manual DER encoding. BouncyCastle fallback for unsupported curves (P-224, P-521, Curve25519).
Binder Interception — PLT hook on ioctl() in libc.so via lsplt inside keystore2. Intercepts generateKey, importKey, and getKeyEntry transactions.
AOSP Compliance — Self-signed certs for non-attested keys (matching ta/src/keys.rs), correct AuthorizationList tag ordering, version-guarded extension fields, authorize_create enforcement.
Key Persistence — Generated keys survive reboots. File-backed with file-level locking.
Rate Limiting — Per-UID hardware keygen cap (2/30s window, 2 concurrent). Overflow falls to software certs.
All config files live at /data/adb/tricky_store/ and are hot-reloaded via FileObserver.
Controls which apps get intercepted and the simulation mode.
| Suffix | Mode |
|---|---|
! |
Force software key generation |
? |
Force leaf certificate patching (real TEE key, patched cert) |
| (none) | Automatic selection |
Multi-keybox support via [filename.xml] headers:
com.google.android.gms!
io.github.vvb2060.keyattestation?
[aosp_keybox.xml]
com.google.android.gsf
Override patch levels reported in attestation certificates. Global defaults at top, per-package overrides with [package.name].
| Key | Scope |
|---|---|
system |
OS patch level |
vendor |
Vendor patch level |
boot |
Boot/kernel patch level |
all |
Sets all three |
Special values: today, YYYY-MM-DD templates, no (omit tag), device_default, prop (read from system property).
system=YYYY-MM-05
vendor=device_default
boot=no
[com.google.android.gms]
system=2025-10-01
Prerequisites: JDK 21, Android SDK/NDK 27, Rust stable with aarch64-linux-android target, cargo-ndk.
git clone --recursive https://github.com/Enginex0/TEESimulator-RS.git
cd TEESimulator-RS
./gradlew zipRelease zipDebugOutput ZIPs in out/. Gradle invokes cargo ndk automatically to cross-compile libcertgen.so.
Push to main or use Actions > Build > Run workflow to trigger CI.
| Root Manager | Status |
|---|---|
| KernelSU | Tested (Action button + lifecycle scripts) |
| Magisk | Supported |
| APatch | Supported |
- JingMatrix — original TEESimulator and interception architecture
- 5ec1cff — TrickyStore, the project that pioneered keystore interception
- LSPlt — PLT hook library
- ring — Rust cryptography library
- MhmRdd — AOSP compliance work via upstream PR #157
- fatalcoder524 — contributor and collaborator
- huguangares — collaborator and tester