Centralize dependencies and migrate to submodules
Move `apache` and `axml` modules to a unified `external` directory and migrate libxposed API and service interfaces from Maven dependencies to Git submodules.
Included changes:
- Updated .gitmodules with new paths.
- Simplified core.yml CI workflow.
- Updated Gradle project references to use the new directory structure.
- Added documentation for external components.
User reports that system server injection can still fail even when the daemon is started in service mode.
Hence, we add argument `--system-server-max-retry=3` to address this problem.
In the LSPosedDexParser constructor, the methodIds array is allocated correctly, but the loop condition is wrong: its length is divided by 3 twice.
We rewrite this class in Kotlin, marking the first commit of refactoring LSPosed into Vector.
Co-authored-by: Willian Wang <git@willian.wang>
- When the Step 2 (r-xp) mode is not found, implement the lookup logic to fall back to the first r--p segment
- On android 10 Step 1 to Step 2 doesn't match any pattern, but r--p does have a libart.so address
- Log
findModuleBase(): Found 4 filtered map entries for libart.so:
findModuleBase(): 0x70991e8000 r--p /apex/com.android.runtime/lib64/libart.so
findModuleBase(): 0x7099327000 --xp /apex/com.android.runtime/lib64/libart.so
findModuleBase(): 0x70997de000 rw-p /apex/com.android.runtime/lib64/libart.so
findModuleBase(): 0x70997e1000 r--p /apex/com.android.runtime/lib64/libart.so
findModuleBase(): `r--p` -> `r-xp` pattern not found. Falling back to first `r-xp` entry.
findModuleBase(): `r-xp` pattern not found. Falling back to first `r--p` entry.
findModuleBase(): Found first `r--p` block at 0x70991e8000
findModuleBase(): get module base /apex/com.android.runtime/lib64/libart.so: 0x70991e8000
findModuleBase(): update path: /apex/com.android.runtime/lib64/libart.so
This reverts partially commit c622d0f1f9.
In my test device (Pixel 6, Android 16 qpr2, KernelSU), calling twice LSPosed daemon results a detection based on `mount_id` values. In `com.reveny.nativecheck` 7.6.1, it is named as `Detected Magic Mount`.
Of course, this naming is incorrect and misleading. We refer to https://github.com/JingMatrix/NeoZygisk/pull/39 for details of this detection point.
This commit attempts to resolve an issue reported by users on recent OnePlus software updates where LSPosed modules are no longer able to hook the `Application#attach` method.
Android Runtime (ART) on these devices has become more aggressive with method inlining. This optimization can cause the relatively small `Application#attach` method to be directly embedded into its (indirect) calling methods, which makes it invisible to the hooking framework.
This approach is adapted from a reportedly successful commit in a community fork (LSPosed-Irena). It identifies `makeApplication` and `makeApplicationInner` within the `android.app.LoadedApk` class as the key callers to deoptimize. By adding these methods to the `BOOT_IMAGE` list, the goal is to prevent ART from inlining them, thus preserving `Application#attach` as a distinct and hookable method.
Co-authored-by: Irena <140869597+re-zero001@users.noreply.github.com>
After reboot, the SELinux context labels for files located in `/data/adb` are reset to `u:object_r:adb_data_file:s0`.
To fully address the issue in ed1f61d2, we should always compare the SELinux context and reset it when necessary.
Starting with Android 14 (API level 34), the Android Runtime (ART) Service handles on-device Ahead-Of-Time (AOT) compilation, also known as `dexopt`.
As a result, in Android 16 beta qpr2, the method `performDexOptMode` is removed.
See https://source.android.com/docs/core/runtime/configure/package-manager for details.
For trace cleaning modules to work properly, such as the DenyList feature of NeoZygisk, it is better to execute modules mount (`dex2oat` for the case of LSPosed) at post-fs-data.sh.
Moreover, the `logd` daemon of LSPosed should start as early as possible.
This reverts commit 92cbed418e (pull-request #57).
The original pull-request claimed a `PlayIntegrityFix` break, but was not reproducible on other devices.
Reworks the `initDB` function to resolve critical failures.
- Prevents a "no such table: configs" crash on fresh installs by
deferring the compilation of CREATE TABLE statements until their
dependencies are met.
- Fixes a "duplicate column" error by correcting the initial schema
and letting migration logic add new columns.
- Replaces the fragile fall-through switch and nested transactions with a
robust, sequential upgrade process inside a single atomic transaction.
We used to hook functions `OatHeader::GetKeyValueStore` and `OatHeader::GetKeyValueStoreSize` to clean the `dex2oat` trace introduced by LSPosed. However, in recent versions of Android, these two functions are no longer exported. Moreover, the `OatHeader` structure has changed, which now sets certain entries to have fixed length by padding zeros.
To address these two changes, we hook `OatHeader::ComputeChecksum` as an entrypoint (fallback), and then employ the header file of `OatHeader` copied from AOSP to precisely locate its fields. Using this strategy, we modify `key_value_store` in memory, depending on whether the entry `dex2oat-cmdline` is padded.
Resolves a `SIGSEGV` crash that occurs when co-instrumenting with recent versions of Frida.
The root cause was that the previous parsing logic would select the first memory mapping matching the library name. When Frida is active, it can temporarily create a transient, read-only mapping at a lower address than the real library. This would cause our parser to select the wrong base address.
This commit refactors the `findModuleBase` function to be structurally aware. It now filters all mappings for the target library and specifically searches for the pattern of a read-only (`r--p`) segment immediately followed by an executable (`r-xp`) segment. This allows it to correctly identify the real library mapping and ignore transient artifacts from other instrumentation frameworks.
Having a WebUI simply duplicating the current function of the Action button is unnecessary.
Since most users are migrated to root implementations which realize the Action button feature, we revert commit f8409ad34b to remove the WebUI integration of LSPosed.
The function signature of `getUsers` in class `android.os.IUserManager` is changed to `getUsers(Z)Ljava/util/List;` in Android 16 QPR Beta 3.
The corresponding calls to this function are updated to fix this incompatibility, which was initially observed on Android Canary.
1. Magisk manager cuts off the full changelog, it is thus better to move my personal note to the end. Add emoji for easier understanding.
2. Fix locating the generated javascript file. In Parcel 2, this file now has prefix `generate`.
3. Fix the author name, use JingMatrix for accuracy.
UI should reflect correctly current module scope.
Fix the problem that after clicking on menu_select_none, recommended apps are still checked even though the scope database is already updated.
This bug was introduced due to the inconsistent designs in 1339fc7d3c and 7be4e66b98.
User has reported `dex2oat` failure with SELinux log:
```
W dex2oat64: type=1400 audit(0.0:922): avc: denied { read } for path="/data/adb/modules/zygisk_lsposed/bin/liboat_hook64.so" dev="dm-58" ino=91204 scontext=u:r:dex2oat:s0 tcontext=u:object_r:adb_data_file:s0 tclass=file permissive=0
```
Hence, we now set the SELinux context of `liboat_hook.so` in Dex2OatService.
Moreover, by the pull-request #194, we have to move `putenv` out of the if block by testing.
Indeed, if we call `putenv` inside the if block, then it is no longer valid out of the block.
1. Close#159 as fixed, though it points to the removal of warning `Unsupported class loader`, for which we can do later.
2. Take the commit from JingMatrix/LSPlant to fix the bug https://github.com/JingMatrix/LSPlant/issues/2.
3. Add another commit of JingMatrix/LSPlant in pull-request #203
On some devices `dex2oat` cannot access files (fd) received from sockets due to SELinux restrictions.
Hence, we add a new rule according to the avc logs, which showed that permissions `open` and `getattr` were needed.
1. The SELinux context label `magisk_file` is widely used by Zygisk implementation modules. It is improper for LSPosed to abuse this label for its own files. We replace it by `xposed_file`.
2. A new rule added according to the SELinux logs, which is needed to write to the mangaer's SharedPreference.
3. `xposed_data` is a new SELinux context label for XSharedPreference files, it is not meant to provide MAC restricted access but to conform with Android's rule: https://developer.android.com/about/versions/pie/android-9.0-changes-28#per-app-selinux.
4. We add attribute `mlstrustedobject` to ignore the `Multi-Level and Multi-Category Security` enforced on Android.
1. Set log buffer size for system
2. Increase buffer size to 128 Kb
3. Record also logs for APatch, KernelSU and SELinux
4. Add installation tasks for APatch
With inline hook, we no longer need to scan process virtual maps.
Moreover, I can no longer justify the point 3 stated in commit
156c6ae855 by experiments, which is
mysterious given my previous experiments done for the commit
3c020a9cd7.
Currently, only one thing is sure: reading `/proc/self/map` can be
detected by Holmes. Hence, it is always a good practice to not inject
unnecessary codes during the preAppSpecialize API.
JingMatrix
dev
dependabot[bot]
Qing_Feng
Furkan Karcıoğlu
Steven Xu