Module scripts fixes/improvements

- add back check_resetprop but rename functions to make their use more clear (thanks HuskyDG) - combine system.prop (runs at post-fs-data) entries into service.sh so that they're only set if needed (note that they therefore wouldn't need to be late props) - use a uniform style in all scripts (only necessary quoting and brackets, add trailing newlines, spaces not tabs :P) - remove GMS data pif.prop/pif.json files left over from previous releases to ensure they don't trigger detection at some point (these lines can be removed again in a later release once we're satisfied everyone affected has this resolved)
2025-01-19 03:22:39 +02:00 · 2023-11-28 23:58:58 -04:00 · 2023-11-28 23:58:58 -04:00 · 875cf42f4c
commit 875cf42f4c
parent fc6fb5e83a
4 changed files with 64 additions and 54 deletions
--- a/module/customize.sh
+++ b/module/customize.sh
@ -1,10 +1,14 @@
 # Error on < Android 8
 if [ "$API" -lt 26 ]; then
-    abort "!!! You can't use this module on Android < 8.0."
+    abort "!!! You can't use this module on Android < 8.0"
 fi
-# safetynet-fix module is incompatible
+# Remove safetynet-fix module if installed
-if [ -d "/data/adb/modules/safetynet-fix" ]; then
+if [ -d /data/adb/modules/safetynet-fix ]; then
-    touch "/data/adb/modules/safetynet-fix/remove"
+    touch /data/adb/modules/safetynet-fix/remove
-	ui_print "- 'safetynet-fix' module will be removed in next reboot."
+    ui_print "- 'safetynet-fix' module will be removed on next reboot"
-fi
+fi
 # Clean up any leftover files from previous deprecated methods
 rm -f /data/data/com.google.android.gms/cache/pif.prop /data/data/com.google.android.gms/pif.prop
 rm -f /data/data/com.google.android.gms/cache/pif.json /data/data/com.google.android.gms/pif.json
--- a/module/post-fs-data.sh
+++ b/module/post-fs-data.sh
@ -1,9 +1,9 @@
-# Remove Play Services from the Magisk Denylist when set to enforcing
+# Remove Play Services from Magisk Denylist when set to enforcing
 if magisk --denylist status; then
    magisk --denylist rm com.google.android.gms
 fi
-# Check if safetynet-fix is installed
+# Remove safetynet-fix module if installed
-if [ -d "/data/adb/modules/safetynet-fix" ]; then
+if [ -d /data/adb/modules/safetynet-fix ]; then
-    touch "/data/adb/modules/safetynet-fix/remove"
+    touch /data/adb/modules/safetynet-fix/remove
-fi
+fi
--- a/module/service.sh
+++ b/module/service.sh
@ -1,46 +1,68 @@
-# Sensitive properties
+# Conditional sensitive properties
-maybe_set_prop() {
+resetprop_if_diff() {
-    local prop="$1"
+    local NAME=$1
-    local contains="$2"
+    local EXPECTED=$2
-    local value="$3"
+    local CURRENT=$(resetprop $NAME)
-    if [[ "$(getprop "$prop")" == *"$contains"* ]]; then
+    [ -z "$CURRENT" ] || [ "$CURRENT" == "$EXPECTED" ] || resetprop $NAME $EXPECTED
-        resetprop "$prop" "$value"
+}
-    fi
+resetprop_if_match() {
    local NAME=$1
    local CONTAINS=$2
    local VALUE=$3
    [[ "$(resetprop $NAME)" == *"$CONTAINS"* ]] && resetprop $NAME $VALUE
 }
 # RootBeer, Microsoft
 resetprop_if_diff ro.build.tags release-keys
 # Samsung
 resetprop_if_diff ro.boot.warranty_bit 0
 resetprop_if_diff ro.vendor.boot.warranty_bit 0
 resetprop_if_diff ro.vendor.warranty_bit 0
 resetprop_if_diff ro.warranty_bit 0
 # OnePlus
 resetprop_if_diff ro.is_ever_orange 0
 # Other
 resetprop_if_diff ro.build.type user
 resetprop_if_diff ro.debuggable 0
 resetprop_if_diff ro.secure 1
 # Magisk recovery mode
-maybe_set_prop ro.bootmode recovery unknown
+resetprop_if_match ro.bootmode recovery unknown
-maybe_set_prop ro.boot.mode recovery unknown
+resetprop_if_match ro.boot.mode recovery unknown
-maybe_set_prop vendor.boot.mode recovery unknown
+resetprop_if_match vendor.boot.mode recovery unknown
-# Hiding SELinux | Permissive status
+# SELinux
 resetprop --delete ro.build.selinux
-
+# use toybox to protect *stat* access time reading
-# Hiding SELinux | Use toybox to protect *stat* access time reading
+if [ "$(toybox cat /sys/fs/selinux/enforce)" == "0" ]; then
 if [[ "$(toybox cat /sys/fs/selinux/enforce)" == "0" ]]; then
    chmod 640 /sys/fs/selinux/enforce
    chmod 440 /sys/fs/selinux/policy
 fi
-# Late props which must be set after boot_completed
+# SafetyNet/Play Integrity
 {
-    until [[ "$(getprop sys.boot_completed)" == "1" ]]; do
+    # late props which must be set after boot_completed for various OEMs
    until [ "$(getprop sys.boot_completed)" == "1" ]; do
        sleep 1
    done
-    # SafetyNet/Play Integrity | Avoid breaking Realme fingerprint scanners
+    # Avoid breaking Realme fingerprint scanners
-    resetprop ro.boot.flash.locked 1
+    resetprop_if_diff ro.boot.flash.locked 1
-    # SafetyNet/Play Integrity | Avoid breaking Oppo fingerprint scanners
+    # Avoid breaking Oppo fingerprint scanners
-    resetprop ro.boot.vbmeta.device_state locked
+    resetprop_if_diff ro.boot.vbmeta.device_state locked
-    # SafetyNet/Play Integrity | Avoid breaking OnePlus display modes/fingerprint scanners
+    # Avoid breaking OnePlus display modes/fingerprint scanners
-    resetprop vendor.boot.verifiedbootstate green
+    resetprop_if_diff vendor.boot.verifiedbootstate green
-    # SafetyNet/Play Integrity | Avoid breaking OnePlus display modes/fingerprint scanners on OOS 12
+    # Avoid breaking OnePlus/Oppo display fingerprint scanners on OOS/ColorOS 12+
-    resetprop ro.boot.verifiedbootstate green
+    resetprop_if_diff ro.boot.verifiedbootstate green
-    resetprop ro.boot.veritymode enforcing
+    resetprop_if_diff ro.boot.veritymode enforcing
-    resetprop vendor.boot.vbmeta.device_state locked
+    resetprop_if_diff vendor.boot.vbmeta.device_state locked
 }&
--- a/module/system.prop
+++ b/module/system.prop
@ -1,16 +0,0 @@
 # RootBeer, Microsoft
 ro.build.tags=release-keys
 # Samsung
 ro.boot.warranty_bit=0
 ro.vendor.boot.warranty_bit=0
 ro.vendor.warranty_bit=0
 ro.warranty_bit=0
 # OnePlus
 ro.is_ever_orange=0
 # Other
 ro.build.type=user
 ro.debuggable=0
 ro.secure=1