fix(props): skip non-existent props to prevent bootloader detection

check_reset_prop was unconditionally creating props via resetprop even
when they didn't exist on the device. On a Xiaomi, this injected
Realme/OnePlus-specific props (ro.boot.realmebootstate, ro.is_ever_orange)
that attestor apps flag as tampering evidence. Now returns early when the
prop value is empty, matching stock device behavior.

Also fixes ro.boot.vbmeta.avb_version 1.3→1.0, removes three Rust-only
props that don't exist on most devices, and moves ro.oem_unlock_supported
and ro.secureboot.devicelock inside the ZeroMount guard.

Author: Enginex0

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## v5.24.0 (2026-03-11)
+
+### Bug Fixes
+- **Bootloader detection by TrustAttestor** — `check_reset_prop` was creating props on devices where they don't naturally exist (e.g. Realme/OnePlus-specific props on Xiaomi), giving attestor apps a clear tampering signal. Now skips non-existent props instead of blindly injecting them, matching stock behavior
+- **AVB version mismatch** — `ro.boot.vbmeta.avb_version` was set to `1.3` (non-standard) instead of `1.0`, creating a detectable inconsistency with the actual AVB stack
+- **Extra props in Rust backend** — removed `ro.bootimage.build.tags`, `ro.boot.verifiedbooterror`, and `ro.boot.veritymode.managed` from the Rust prop list since they don't exist on most devices and would be created unnecessarily
+- **Unconditional prop injection** — `ro.oem_unlock_supported` and `ro.secureboot.devicelock` were set outside the ZeroMount guard, now properly gated
+
+---
+
 ## v5.23.0 (2026-03-11)
 
 ### Features

common/common.sh

@@ -99,6 +99,7 @@ check_reset_prop() {
     local name="$1" expected="$2"
     local val
     val=$(resetprop "$name")
+    [ -z "$val" ] && return 0
     [ "$val" = "$expected" ] && return 0
     if resetprop -n "$name" "$expected" 2>/dev/null; then
         _PROP_SPOOF_COUNT=$((_PROP_SPOOF_COUNT + 1))

prop.sh

@@ -61,10 +61,10 @@ if [ "$_ZEROMOUNT_ACTIVE" != "true" ]; then
 
     check_reset_prop "ro.crypto.state" "encrypted"
     check_reset_prop "ro.is_ever_orange" "0"
-fi
 
-check_reset_prop "ro.oem_unlock_supported" "0"
-check_reset_prop "ro.secureboot.devicelock" "1"
+    check_reset_prop "ro.oem_unlock_supported" "0"
+    check_reset_prop "ro.secureboot.devicelock" "1"
+fi
 
 # MIUI region enforcement — restore device-snapshotted values from config
 _region_enabled=$(read_config region.enabled true)
@@ -126,7 +126,7 @@ if [ "$_ZEROMOUNT_ACTIVE" != "true" ]; then
 
     ensure_prop "ro.boot.vbmeta.device_state" "locked"
     ensure_prop "ro.boot.vbmeta.invalidate_on_error" "yes"
-    ensure_prop "ro.boot.vbmeta.avb_version" "1.3"
+    ensure_prop "ro.boot.vbmeta.avb_version" "1.0"
     ensure_prop "ro.boot.vbmeta.hash_alg" "sha256"
 
     slot_suffix=$(getprop ro.boot.slot_suffix 2>/dev/null)

rust/src/props/mod.rs

@@ -30,15 +30,12 @@ const BOOT_PROPS: &[(&str, &str)] = &[
     ("ro.boot.realme.lockstate", "1"),
     ("ro.crypto.state", "encrypted"),
     ("ro.is_ever_orange", "0"),
-    ("ro.bootimage.build.tags", "release-keys"),
-    ("ro.boot.verifiedbooterror", ""),
-    ("ro.boot.veritymode.managed", "yes"),
 ];
 
 const VBMETA_PROPS: &[(&str, &str)] = &[
     ("ro.boot.vbmeta.device_state", "locked"),
     ("ro.boot.vbmeta.invalidate_on_error", "yes"),
-    ("ro.boot.vbmeta.avb_version", "1.3"),
+    ("ro.boot.vbmeta.avb_version", "1.0"),
     ("ro.boot.vbmeta.hash_alg", "sha256"),
 ];
 
@@ -151,10 +148,13 @@ fn zeromount_active() -> bool {
 }
 
 fn check_reset_prop(sys: &PropSystem, name: &str, expected: &str) -> Result<bool> {
-    if let Some(current) = getprop(sys, name) {
-        if current == expected {
-            return Ok(false);
-        }
+    let current = match getprop(sys, name) {
+        Some(v) if v.is_empty() => return Ok(false),
+        Some(v) => v,
+        None => return Ok(false),
+    };
+    if current == expected {
+        return Ok(false);
     }
     set(sys, name, expected)?;
     debug!("spoofed {name} = {expected}");