microg / GmsCore

Free implementation of Play Services
https://microg.org
Apache License 2.0

Spoofing by patching the target app requiring GCM, instead of microG itself? #414

Open ccaapton opened 6 years ago

ccaapton commented 6 years ago

Hi, microG works perfectly on my previous phone with LineageOS and the haystack patch. However, I recently changed to a new Xiaomi Mi 6 without GMS preinstalled, and I do not intend to root it or use a third-party ROM.

Correct me if I'm wrong: every app that utilizes GCM comes with a little piece of Google SDK code inside its APK. This piece of code would be very similar across all apps, and it is exactly this code that asks for the signature of microG and checks it against the correct one (which must be a static value inside the code). If we can decompile and patch the target app (for instance, search/replace the static signature with microG's signature, or something more straightforward), repackage and install it, it should work with microG. The resulting APK will have a different signature, but that can be managed.

I have over 100 apps on my phone, but the ones that really need GCM are fewer than 10. If we can automate this repackaging process (Termux has apktool, so this process could be done on Android), we can enjoy GCM without root/spoofing/bloatware, on any phone.

I would like to try this idea first with the search/replace trick, but I don't know Google's original signature, so I cannot search/replace. Could anyone give me the Google signature that needs to be replaced?

jiangyida96 commented 6 years ago

Hi are you using China ROM or Global ROM?

ale5000-git commented 6 years ago

You can also apply the signature spoofing patch to the ROM from the recovery (it may work without root).

tryptophan0 commented 6 years ago

Could anyone give me the google signature that need to be replaced?

I think you will find the original signature here https://github.com/thermatk/FakeGApps/blob/master/app/src/main/java/com/thermatk/android/xf/fakegapps/FakeSignatures.java

ccaapton commented 6 years ago

@tryptophan0 Thanks for the tip, I will try it.

@WillsonChiang I know there are ways to get GMS even on the China ROM, but I do not intend to do that; it's too battery unfriendly.

@ale5000-git Thanks for your suggestion, but I don't even want to unlock my bootloader. Instead I want to take the cleanest experimental approach in terms of ROM modification and see how it goes. Wish me good luck!

ale5000-git commented 6 years ago

@ccaapton: You can also unlock, patch and relock (I have never tried but I suppose it works).

PS: I don't know how to search/replace the signature but you can see the faked signature also from the sources of microG here.

jiangyida96 commented 6 years ago

@ccaapton Yes, I have installed GMS on my China ROM and everything works perfectly except for GCM services; besides, it doesn't seem to kill the battery a lot.

ale5000-git commented 6 years ago

@WillsonChiang: My microG unofficial installer supports installation also on China ROMs and should fix all problems automatically.

ccaapton commented 6 years ago

Good news, I just patched this GCM app: PushNotificationTester (com.firstrowria.pushnotificationtester), and installed it along with microG on an unmodified ROM. Then I could successfully receive pushes from Google's server!

This is what I did:

  1. Install apktool on my computer.
  2. Decompile it: apktool d com.firstrowria.pushnotificationtester.apk -o pushnotificationtester
  3. Edit pushnotificationtester/smali/com/google/android/gms/common/j$a.smali, at line 204, and change
    :goto_0
    return v0

    into

    :goto_0
    const/4 v0, 0x1
    return v0

    The logic is to always return true when the Google SDK is checking the signature of microG. I spent just 10 minutes locating this critical cut-point, and all GCM apps should be quite similar. I also tried WhatsApp, which uses Firebase, so the file is a bit different: ./smali/com/google/android/search/verification/client/SearchActionVerificationClientUtil.smali, and the smali code is even simpler, with very little obfuscation. The cut-point position is at line 273; the method signature is public static isPackageGoogleSigned(Landroid/content/Context;Ljava/lang/String;). If anyone is interested, I suggest you read that file.

  4. Repackage with apktool and re-sign the APK with jarsigner.

The tools are on a Linux PC, though. If we can find a way to automate the patching process on Android, then every Android user will be able to enjoy microG without rooting, a customized recovery or whatsoever!

ale5000-git commented 6 years ago

@ccaapton: Good start, but I think it would be better to check microG's signature instead of just skipping the signature check.
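The two patch strategies discussed above (ccaapton's "always return true" cut-point and ale5000-git's suggestion to substitute the expected signature instead of skipping the check) can both be expressed as a small smali rewriter. The following is an added example, not code from the microG project or from anyone in this thread; the smali fragment is constructed to mimic the shape of the decompiled isPackageGoogleSigned method, and the 40-hex-digit signature literals are placeholders, not Google's or microG's real certificate hashes. It assumes the check's result is carried in the register named by the method's final `return vN` and that the expected signer is stored as a `const-string` literal; obfuscated builds (such as the j$a class mentioned above) use different class and method names, so the method name is a parameter. Running apktool and jarsigner around this step is left to the shell, as in the procedure above.

```python
import re

# Constructed smali standing in for the decompiled signature check. Placeholder
# hashes only; neither string is a real certificate fingerprint.
SAMPLE_SMALI = """\
.class public Lcom/google/android/search/verification/client/SearchActionVerificationClientUtil;
.super Ljava/lang/Object;

.field private static final GOOGLE_SIGNATURE:Ljava/lang/String;

.method static constructor <clinit>()V
    .registers 1
    const-string v0, "0000000000000000000000000000000000000000"
    sput-object v0, Lcom/google/android/search/verification/client/SearchActionVerificationClientUtil;->GOOGLE_SIGNATURE:Ljava/lang/String;
    return-void
.end method

.method public static isPackageGoogleSigned(Landroid/content/Context;Ljava/lang/String;)Z
    .registers 4
    const/4 v0, 0x0
    invoke-static {p0, p1}, Lcom/google/android/search/verification/client/SearchActionVerificationClientUtil;->getSignature(Landroid/content/Context;Ljava/lang/String;)Ljava/lang/String;
    move-result-object v1
    sget-object v2, Lcom/google/android/search/verification/client/SearchActionVerificationClientUtil;->GOOGLE_SIGNATURE:Ljava/lang/String;
    invoke-virtual {v1, v2}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0
    :goto_0
    return v0
.end method
"""

PLACEHOLDER_GOOGLE_SIG = "0000000000000000000000000000000000000000"   # constructed
PLACEHOLDER_MICROG_SIG = "1111111111111111111111111111111111111111"   # constructed


def _find_method(smali: str, method_name: str):
    """Locate '.method ... <method_name>(...)' up to its '.end method'."""
    pattern = re.compile(
        r"(\.method [^\n]*?" + re.escape(method_name) + r"\([^\n]*\n)(.*?)(\.end method)",
        re.S,
    )
    m = pattern.search(smali)
    if not m:
        raise ValueError(f"method {method_name} not found")
    return m


def force_true(smali: str, method_name: str = "isPackageGoogleSigned") -> str:
    """Strategy 1 (the cut-point patch): load 0x1 into the result register
    immediately before the method's last 'return vN', so it always reports
    the package as correctly signed. The comparison code is left in place
    but its result is discarded."""
    m = _find_method(smali, method_name)
    head, body, tail = m.groups()
    returns = list(re.finditer(r"^([ \t]*)return (v\d+)[ \t]*$", body, re.M))
    if not returns:
        raise ValueError(f"no 'return vN' in {method_name}")
    last = returns[-1]
    indent, reg = last.group(1), last.group(2)
    body = body[: last.start()] + f"{indent}const/4 {reg}, 0x1\n" + body[last.start():]
    return smali[: m.start()] + head + body + tail + smali[m.end():]


def replace_signature(smali: str, old_sig: str, new_sig: str) -> str:
    """Strategy 2 (keep the check, change the trusted signer): rewrite the
    const-string literal holding the expected certificate hash. Only the
    designated signer is accepted afterwards, which is stricter than
    force_true. Handles both const-string and const-string/jumbo."""
    pattern = re.compile(r'(const-string(?:/jumbo)? v\d+, ")' + re.escape(old_sig) + r'(")')
    patched, count = pattern.subn(lambda m: m.group(1) + new_sig + m.group(2), smali)
    if count == 0:
        raise ValueError("expected signature literal not present; hash may be stored another way")
    return patched


def always_returns_true(smali: str, method_name: str = "isPackageGoogleSigned") -> bool:
    """Post-patch check: is the register of the final return set to 0x1 right before it?"""
    body = _find_method(smali, method_name).group(2)
    return re.search(r"const/4 (v\d+), 0x1\n[ \t]*return \1[ \t]*$", body, re.M) is not None


if __name__ == "__main__":
    print(force_true(SAMPLE_SMALI))
    print(replace_signature(SAMPLE_SMALI, PLACEHOLDER_GOOGLE_SIG, PLACEHOLDER_MICROG_SIG))
```

Both functions refuse to produce output when the pattern they rely on is absent, which is the practical failure mode here: an SDK build that stores the hash as a byte array or compares a computed digest will not contain a matching `const-string`, and a method whose result register is not set by a plain `return vN` needs a manual look at the smali before patching. After rebuilding with apktool the APK must still be re-signed, so it will no longer carry the original developer's signature and will not update over the Play Store copy.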

chuppito commented 5 years ago

@ccaapton Hello, is there a way to do the same for Waze? Thank you.