From c80de8d3fe21eb071b23b94edf4daea2dd242924 Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson
Date: Thu, 22 Aug 2019 00:35:41 +0200
Subject: [PATCH] Add phh-securize.sh to switch to `user` build, copy vendor fingerprint, and tighten adb security
---
 base.mk | 6 ++++++
 phh-securize.sh | 15 +++++++++++++++
 rw-system.sh | 40 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 61 insertions(+)
 create mode 100644 phh-securize.sh
diff --git a/base.mk b/base.mk
index c6cc99a..8636247 100644
--- a/base.mk
+++ b/base.mk
@@ -132,3 +132,9 @@ PRODUCT_PACKAGES += \
 PRODUCT_PACKAGES += \
 Stk
+
+PRODUCT_PACKAGES += \
+ resetprop
+PRODUCT_COPY_FILES += \
+ device/phh/treble/phh-securize.sh:system/bin/phh-securize.sh \
+
diff --git a/phh-securize.sh b/phh-securize.sh
new file mode 100644
index 0000000..cffd828
--- /dev/null
+++ b/phh-securize.sh
@@ -0,0 +1,15 @@
+#!/system/bin/sh
+
+mount -o remount,rw /
+mount -o remount,rw /system
+
+touch /system/phh/secure
+umount -l /system/xbin/su
+rm /system/xbin/su
+rm /system/bin/phh-su
+rm /system/etc/init/su.rc
+rm -Rf /system/bin/me.phh.superuser/
+mount -o remount,ro /
+mount -o remount,ro /system
+sync
+reboot
diff --git a/rw-system.sh b/rw-system.sh
index 1fb7d7a..5c27c96 100644
--- a/rw-system.sh
+++ b/rw-system.sh
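Review bot: In the new phh-securize.sh the marker `touch /system/phh/secure` is written before the su files are removed, and no command's exit status is checked. If a remount or an `rm` fails, the script still reboots, and the `/system/phh/secure` branch in rw-system.sh will then report a `user` build with `ro.secure 1` while su may still be present on /system. Removing first and stopping on failure closes that gap: `rm -f /system/xbin/su /system/bin/phh-su /system/etc/init/su.rc || exit 1`, then `touch /system/phh/secure || exit 1` as the last write before the read-only remount. Whether `/system/phh` already exists is not visible in this patch; if it may not, the touch needs the directory created first.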
@@ -366,4 +366,44 @@ if getprop ro.vendor.build.fingerprint | grep -qiE '^samsung/' && [ "$vndk" -ge
 chown system:system /sys/class/sec/tsp/input/enabled
 fi
+
+fi
+
+if [ -f /system/phh/secure ];then
+ copyprop() {
+ p="$(getprop "$2")"
+ if [ "$p" ]; then
+ resetprop "$1" "$(getprop "$2")"
+ fi
+ }
+
+ copyprop ro.build.device ro.vendor.build.device
+ copyprop ro.bootimage.build.fingerprint ro.vendor.build.fingerprint
+ copyprop ro.build.fingerprint ro.vendor.build.fingerprint
+ copyprop ro.build.device ro.vendor.product.device
+ copyprop ro.product.device ro.vendor.product.device
+ copyprop ro.product.device ro.product.vendor.device
+ copyprop ro.product.name ro.vendor.product.name
+ copyprop ro.product.name ro.product.vendor.device
+ copyprop ro.product.brand ro.vendor.product.brand
+ copyprop ro.product.model ro.vendor.product.model
+ copyprop ro.product.model ro.product.vendor.model
+ copyprop ro.build.product ro.vendor.product.model
+ copyprop ro.build.product ro.product.vendor.model
+ copyprop ro.product.manufacturer ro.vendor.product.manufacturer
+ copyprop ro.product.manufacturer ro.product.vendor.manufacturer
+ resetprop ro.build.tags release-keys
+ resetprop ro.boot.vbmeta.device_state locked
+ resetprop ro.boot.verifiedbootstate green
+ resetprop ro.boot.flash.locked 1
+ resetprop ro.boot.veritymode enforcing
+ resetprop ro.boot.warranty_bit 0
+ resetprop ro.warranty_bit 0
+ resetprop ro.debuggable 0
+ resetprop ro.secure 1
+ resetprop ro.build.type user
+ resetprop ro.build.selinux 0
+
+ resetprop ro.adb.secure 1
+ setprop ctl.restart adbd
 fi
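Review bot: The second `ro.product.name` line copies from `ro.product.vendor.device`, which looks like a copy-paste slip, since every other pair reads the matching `ro.vendor.product.X` / `ro.product.vendor.X` key. If so it should be `copyprop ro.product.name ro.product.vendor.name`; as written, a device codename overwrites the product name whenever that property is set. `copyprop` also calls `getprop "$2"` twice, and `resetprop "$1" "$p"` would reuse the value it has just tested. The `ro.boot.*`, `ro.build.tags` and warranty values are written unconditionally and do not reflect the device's real bootloader or verity state, so a comment such as `# reported values only; does not lock the bootloader or enable verity` would stop later readers from treating this block as enforcement. The script this block is appended to starts outside the hunk.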