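# Install the Burp CA certificate into the Android system trust store over adb.
# Runs on the host, against a device or emulator where `adb root` and
# `adb remount` succeed (i.e. /system can be made writable).
# The CA stays in the system store until the file is removed again, and
# everything it signs is trusted device-wide for that time.

# Convert the DER export from Burp into PEM.
openssl x509 -inform DER -in burp_cacert.der -out burp_cacert.pem

# The system store expects the file to be named <subject_hash_old>.0
CERTHASH="$(openssl x509 -inform PEM -subject_hash_old -in burp_cacert.pem | head -n 1)"
# Stop here if openssl produced no hash; otherwise the file would be renamed to ".0".
CERTHASHNAME="${CERTHASH:?could not compute subject hash of burp_cacert.pem}.0"
mv burp_cacert.pem "$CERTHASHNAME" # Correct name

adb root && sleep 2 && adb remount # Allow to write on /system
adb push "$CERTHASHNAME" /sdcard/ # Upload certificate
adb shell mv "/sdcard/$CERTHASHNAME" /system/etc/security/cacerts/ # Move to correct location
adb shell chmod 644 "/system/etc/security/cacerts/$CERTHASHNAME" # Assign privileges
adb reboot # Now, reboot the machine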
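# Overlay the system CA store with a tmpfs copy that also holds one extra
# certificate, then bind-mount it over the APEX store in every app namespace.
# Runs on the device itself; mount, nsenter and chcon are used, so it needs a
# root shell. The tmpfs and the bind mounts are in-memory only and do not
# survive a reboot.
# Input: CERTIFICATE_PATH - path on the device to the certificate to add.

# Refuse to start without a certificate path: otherwise the store would be
# replaced and re-mounted without the new cert in it.
: "${CERTIFICATE_PATH:?set CERTIFICATE_PATH to the certificate file on the device}"

# Create a separate temp directory, to hold the current certificates
# Otherwise, when we add the mount we can't read the current certs anymore.
mkdir -p -m 700 /data/local/tmp/tmp-ca-copy

# Copy out the existing certificates. If this fails, stop before the tmpfs
# mount, which would otherwise hide the existing store behind an empty one.
if ! cp /apex/com.android.conscrypt/cacerts/* /data/local/tmp/tmp-ca-copy/; then
    echo "Could not copy the existing certificates" >&2
    exit 1
fi

# Create the in-memory mount on top of the system certs folder
mount -t tmpfs tmpfs /system/etc/security/cacerts

# Copy the existing certs back into the tmpfs, so we keep trusting them
mv /data/local/tmp/tmp-ca-copy/* /system/etc/security/cacerts/

# Copy our new cert in, so we trust that too
mv "$CERTIFICATE_PATH" /system/etc/security/cacerts/

# Update the perms & selinux context labels
chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*

# Deal with the APEX overrides, which need injecting into each namespace:

# First we get the Zygote process(es), which launch each app
ZYGOTE_PID=$(pidof zygote || true)
ZYGOTE64_PID=$(pidof zygote64 || true)
# N.b. some devices appear to have both!

# Apps inherit the Zygote's mounts at startup, so we inject here to ensure
# all newly started apps will see these certs straight away:
for Z_PID in "$ZYGOTE_PID" "$ZYGOTE64_PID"; do
    if [ -n "$Z_PID" ]; then
        nsenter --mount="/proc/$Z_PID/ns/mnt" -- \
            /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
    fi
done

# Then we inject the mount into all already running apps, so they
# too see these CA certs immediately:

# Get the PID of every process whose parent is one of the Zygotes:
APP_PIDS=$(
    echo "$ZYGOTE_PID $ZYGOTE64_PID" | \
    xargs -n1 ps -o 'PID' -P | \
    grep -v PID
)

# Inject into the mount namespace of each of those apps:
# ($APP_PIDS is left unquoted on purpose: one word per PID)
for PID in $APP_PIDS; do
    nsenter --mount="/proc/$PID/ns/mnt" -- \
        /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts &
done
wait # Launched in parallel - wait for completion here

echo "System certificate injected"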