We update `LSPosedBridge` to align with upstream API changes, which have replaced annotation-based hooker discovery with a naming convention.
The `doHook` implementation has been refactored to:
- Remove dependencies on the deleted `io.github.libxposed.api.annotations` package (`XposedHooker`, `BeforeInvocation`, `AfterInvocation`).
- Scan for public static methods explicitly named `before` and `after` instead of relying on annotations.
- Enforce validation on these named methods to ensure they match the required signatures.
To adapt to this change, existing Hooker classes are refactored by removing the deprecated annotations and renaming their callback methods to `before` and `after` respectively.
Co-authored-by: frknkrc44 <krc440002@gmail.com>
Unlike the existing `newInstance` variants which allocate and return a new object, these new APIs execute constructor logic on an existing, pre-allocated instance (`thisObject`). This separation of allocation and initialization allows for invoking original or super constructors within hook callbacks where the object reference is already established.
The implementation leverages the existing JNI `HookBridge` methods, as `invokeOriginalMethod` and `invokeSpecialMethod` already support void-return signatures required for constructor execution.
Co-authored-by: frknkrc44 <krc440002@gmail.com>
The `chattr0` method, which attempts to clear special file attributes (like 'i' for immutable) using `ioctl`, can fail with an `ErrnoException` and the error code `ENOTSUP` (Operation not supported) on certain filesystems or Android environments (e.g., noted on a Android 11 device).
When `ioctl` fails with `ENOTSUP`, it means the underlying filesystem does not support the operation of setting/clearing these attributes. In this case, we can safely assume the file/directory is not immutable via this mechanism and treat the operation as a successful non-action.
This commit updates `chattr0` to catch `ErrnoException` specifically and return `true` if the error is `OsConstants.ENOTSUP`, preventing unexpected failures in config file management.
Previously, the daemon determined the architecture of the target `dex2oat` binary based on its own process architecture (`Process.is64Bit()`).
On Android 10, `/apex/com.android.runtime/bin/dex2oat` is frequently a 32-bit binary, even on 64-bit devices.
This caused the daemon to incorrectly treat the target as 64-bit and mount the 64-bit wrapper (`bin/dex2oat64`). Consequently, the wrapper attempted to execute the 32-bit binary using `linker64`, resulting in a crash: `error: "/apex/.../dex2oat" is 32-bit instead of 64-bit`
This commit changes the logic to inspect the ELF header of the target binary. We now explicitly check `e_ident[EI_CLASS]` to determine if the file is 32-bit or 64-bit and assign it to the correct mounting slot. This ensures the 32-bit wrapper is mounted over 32-bit targets, preventing the linker mismatch.
Manual library path injection via LD_LIBRARY_PATH has become unreliable due to symbol mismatches in core libraries (e.g., `libc++`) between the system and APEX partitions. Recent updates to `liblog` and `libbase` (in Android 16) have resulted in missing symbols like `__hash_memory` or `fmt` when the ART APEX binaries are forced to load system-partition shims.
This commit switches the wrapper to execute the runtime APEX linker directly (e.g., `/apex/com.android.runtime/bin/linker64`). By passing the dex2oat binary to the linker via `/proc/self/fd/`, the linker can properly initialize internal namespaces and resolve dependencies from the correct APEX and bootstrap locations.
Moreover, for the OatHeader hook, a bug introduced in 6703b45350 is now fixed, where the target functions of PLT hooks are overwritten by the our helper functions.
Details of the refactored project are explained in README.
Centralize dependencies and migrate to submodules
Move `apache` and `axml` modules to a unified `external` directory and migrate libxposed API and service interfaces from Maven dependencies to Git submodules.
Included changes:
- Updated .gitmodules with new paths.
- Simplified core.yml CI workflow.
- Updated Gradle project references to use the new directory structure.
- Added documentation for external components.
User reports that system server injection can still fail even when the daemon is started in service mode.
Hence, we add argument `--system-server-max-retry=3` to address this problem.
In the LSPosedDexParser constructor, the methodIds array is allocated correctly, but the loop condition is wrong: its length is divided by 3 twice.
We rewrite this class in Kotlin, marking the first commit of refactoring LSPosed into Vector.
Co-authored-by: Willian Wang <git@willian.wang>
- When the Step 2 (r-xp) mode is not found, implement the lookup logic to fall back to the first r--p segment
- On android 10 Step 1 to Step 2 doesn't match any pattern, but r--p does have a libart.so address
- Log
findModuleBase(): Found 4 filtered map entries for libart.so:
findModuleBase(): 0x70991e8000 r--p /apex/com.android.runtime/lib64/libart.so
findModuleBase(): 0x7099327000 --xp /apex/com.android.runtime/lib64/libart.so
findModuleBase(): 0x70997de000 rw-p /apex/com.android.runtime/lib64/libart.so
findModuleBase(): 0x70997e1000 r--p /apex/com.android.runtime/lib64/libart.so
findModuleBase(): `r--p` -> `r-xp` pattern not found. Falling back to first `r-xp` entry.
findModuleBase(): `r-xp` pattern not found. Falling back to first `r--p` entry.
findModuleBase(): Found first `r--p` block at 0x70991e8000
findModuleBase(): get module base /apex/com.android.runtime/lib64/libart.so: 0x70991e8000
findModuleBase(): update path: /apex/com.android.runtime/lib64/libart.so
This reverts partially commit c622d0f1f9.
In my test device (Pixel 6, Android 16 qpr2, KernelSU), calling twice LSPosed daemon results a detection based on `mount_id` values. In `com.reveny.nativecheck` 7.6.1, it is named as `Detected Magic Mount`.
Of course, this naming is incorrect and misleading. We refer to https://github.com/JingMatrix/NeoZygisk/pull/39 for details of this detection point.
This commit attempts to resolve an issue reported by users on recent OnePlus software updates where LSPosed modules are no longer able to hook the `Application#attach` method.
Android Runtime (ART) on these devices has become more aggressive with method inlining. This optimization can cause the relatively small `Application#attach` method to be directly embedded into its (indirect) calling methods, which makes it invisible to the hooking framework.
This approach is adapted from a reportedly successful commit in a community fork (LSPosed-Irena). It identifies `makeApplication` and `makeApplicationInner` within the `android.app.LoadedApk` class as the key callers to deoptimize. By adding these methods to the `BOOT_IMAGE` list, the goal is to prevent ART from inlining them, thus preserving `Application#attach` as a distinct and hookable method.
Co-authored-by: Irena <140869597+re-zero001@users.noreply.github.com>
After reboot, the SELinux context labels for files located in `/data/adb` are reset to `u:object_r:adb_data_file:s0`.
To fully address the issue in ed1f61d2, we should always compare the SELinux context and reset it when necessary.
Starting with Android 14 (API level 34), the Android Runtime (ART) Service handles on-device Ahead-Of-Time (AOT) compilation, also known as `dexopt`.
As a result, in Android 16 beta qpr2, the method `performDexOptMode` is removed.
See https://source.android.com/docs/core/runtime/configure/package-manager for details.
For trace cleaning modules to work properly, such as the DenyList feature of NeoZygisk, it is better to execute modules mount (`dex2oat` for the case of LSPosed) at post-fs-data.sh.
Moreover, the `logd` daemon of LSPosed should start as early as possible.
This reverts commit 92cbed418e (pull-request #57).
The original pull-request claimed a `PlayIntegrityFix` break, but was not reproducible on other devices.
Reworks the `initDB` function to resolve critical failures.
- Prevents a "no such table: configs" crash on fresh installs by
deferring the compilation of CREATE TABLE statements until their
dependencies are met.
- Fixes a "duplicate column" error by correcting the initial schema
and letting migration logic add new columns.
- Replaces the fragile fall-through switch and nested transactions with a
robust, sequential upgrade process inside a single atomic transaction.
We used to hook functions `OatHeader::GetKeyValueStore` and `OatHeader::GetKeyValueStoreSize` to clean the `dex2oat` trace introduced by LSPosed. However, in recent versions of Android, these two functions are no longer exported. Moreover, the `OatHeader` structure has changed, which now sets certain entries to have fixed length by padding zeros.
To address these two changes, we hook `OatHeader::ComputeChecksum` as an entrypoint (fallback), and then employ the header file of `OatHeader` copied from AOSP to precisely locate its fields. Using this strategy, we modify `key_value_store` in memory, depending on whether the entry `dex2oat-cmdline` is padded.
Resolves a `SIGSEGV` crash that occurs when co-instrumenting with recent versions of Frida.
The root cause was that the previous parsing logic would select the first memory mapping matching the library name. When Frida is active, it can temporarily create a transient, read-only mapping at a lower address than the real library. This would cause our parser to select the wrong base address.
This commit refactors the `findModuleBase` function to be structurally aware. It now filters all mappings for the target library and specifically searches for the pattern of a read-only (`r--p`) segment immediately followed by an executable (`r-xp`) segment. This allows it to correctly identify the real library mapping and ignore transient artifacts from other instrumentation frameworks.
Having a WebUI simply duplicating the current function of the Action button is unnecessary.
Since most users are migrated to root implementations which realize the Action button feature, we revert commit f8409ad34b to remove the WebUI integration of LSPosed.
The function signature of `getUsers` in class `android.os.IUserManager` is changed to `getUsers(Z)Ljava/util/List;` in Android 16 QPR Beta 3.
The corresponding calls to this function are updated to fix this incompatibility, which was initially observed on Android Canary.
1. Magisk manager cuts off the full changelog, it is thus better to move my personal note to the end. Add emoji for easier understanding.
2. Fix locating the generated javascript file. In Parcel 2, this file now has prefix `generate`.
3. Fix the author name, use JingMatrix for accuracy.
UI should reflect correctly current module scope.
Fix the problem that after clicking on menu_select_none, recommended apps are still checked even though the scope database is already updated.
This bug was introduced due to the inconsistent designs in 1339fc7d3c and 7be4e66b98.
User has reported `dex2oat` failure with SELinux log:
```
W dex2oat64: type=1400 audit(0.0:922): avc: denied { read } for path="/data/adb/modules/zygisk_lsposed/bin/liboat_hook64.so" dev="dm-58" ino=91204 scontext=u:r:dex2oat:s0 tcontext=u:object_r:adb_data_file:s0 tclass=file permissive=0
```
Hence, we now set the SELinux context of `liboat_hook.so` in Dex2OatService.
Moreover, by the pull-request #194, we have to move `putenv` out of the if block by testing.
Indeed, if we call `putenv` inside the if block, then it is no longer valid out of the block.
1. Close#159 as fixed, though it points to the removal of warning `Unsupported class loader`, for which we can do later.
2. Take the commit from JingMatrix/LSPlant to fix the bug https://github.com/JingMatrix/LSPlant/issues/2.
3. Add another commit of JingMatrix/LSPlant in pull-request #203
On some devices `dex2oat` cannot access files (fd) received from sockets due to SELinux restrictions.
Hence, we add a new rule according to the avc logs, which showed that permissions `open` and `getattr` were needed.
1. The SELinux context label `magisk_file` is widely used by Zygisk implementation modules. It is improper for LSPosed to abuse this label for its own files. We replace it by `xposed_file`.
2. A new rule added according to the SELinux logs, which is needed to write to the mangaer's SharedPreference.
3. `xposed_data` is a new SELinux context label for XSharedPreference files, it is not meant to provide MAC restricted access but to conform with Android's rule: https://developer.android.com/about/versions/pie/android-9.0-changes-28#per-app-selinux.
4. We add attribute `mlstrustedobject` to ignore the `Multi-Level and Multi-Category Security` enforced on Android.
1. Set log buffer size for system
2. Increase buffer size to 128 Kb
3. Record also logs for APatch, KernelSU and SELinux
4. Add installation tasks for APatch
JingMatrix
dev
dependabot[bot]
Qing_Feng
Furkan Karcıoğlu
Steven Xu