Database Develop

[Q] How best to locate package names containing methods you'd like to hook?

I've been playing with Xposed for a little bit as it's been fun to explore.
As a test, I wanted to write an app that would hook into SMS methods, and change the content of the text.
I managed to do this quite easily with the SMS app I use, as the package name was obviously easy to find, and there weren't a great deal of classes to check.
What I noticed when doing this was that the method I was hooking was little more than a wrapper for a call to an Android library function, namely
Code:
android.telephony.SmsManager.sendSingleSMS()
And I got interested in just hooking that method directly.
The problem is that while I could readily find the source code for SmsManager and its method sendSingleSMS, by downloading Android source code, I couldn't locate the actual package containing them.
I thought this would be as simple as
Code:
if (!lpparam.packageName.equals("android.telephony.SmsManager"))
Or
Code:
if (!lpparam.packageName.equals("android.telephony"))
But these did not work, and even
Code:
if (!lpparam.packageName.contains("tele"))
Fails to find any results.
So in essence, how best can I go about hooking android.telephony.SmsManager.sendSingleSMS()?

The package is android. I'd suggest using initZygote instead of handleLoadPackage for hooking that, though,

GermainZ said:
The package is android. I'd suggest using initZygote instead of handleLoadPackage for hooking that, though,
Click to expand...
Click to collapse
Ah, right I see, that seems obvious now. Thanks

same question about android.os.UserHandle
I'd like to hook UserHandle.getUid(int uid);
to trick system to think my apps uid is system...
but I can't seen to understand what is the package for UserHandle
10X

[Q][Development] XSharedPreferences issue, no entries

For my Xposed Module Play Store Chagenlog an update was released yesterday, this added a GUI as wel as some options. There have been quite a few reports about settings preferences not being applied. After some debugging, I found out that this XSharedPreferences simply doesn't have any entries and thus always returns the default values. I'm 100% sure the options are set (the preferences screen shows them correct and you can see them in the .xml) and the right file is being loaded. There are no errors in the Xposed Log or in the logcat.
I've found a workaround (only tested by me), unchecking and re-checking an option and then the preferences are read correctly. All my modules (actually most of all Xposed Modules) use this way to load an user's preferences, I have absolutely no clue what's causing this behaviour.
The source code is on GitHub, links to relevant files:
PlayStoreChangelog.java
SettingsActivity.java
SettingsFragment.java
settings.xml
For debugging purposes, I've added a snippet to dump the preferences beneath initializing XSharedPreferences. This says it loads the right file, the file exists but it contains no entries (size 0). So when trying to get values (getString, getBoolean etc), it only returns the default values.
Java:
sharedPreferences = new XSharedPreferences(BuildConfig.APPLICATION_ID);
XposedBridge.log(LOG_TAG + sharedPreferences.getFile().getAbsolutePath() + " exists: " + sharedPreferences.getFile().exists());
XposedBridge.log(LOG_TAG + " ---PREFS: " + sharedPreferences.getAll().size() + "---");
Map<String, ?> sortedKeys = new TreeMap<String, Object>(sharedPreferences.getAll());
for (Map.Entry<String, ?> entry : sortedKeys.entrySet()) {
XposedBridge.log(LOG_TAG + entry.getKey() + "=" + entry.getValue().toString());
}
Summary
The app uses a PreferenceFragment to set the preferences and XSharedPreferences to load them. The changes are written to the .xml file and shown in the GUI. The XSharedPreferences instance remains empty and does not contain any entries, thus it always returns the default value. I don't get why it doesn't work, I don't even get why the 'workaround' does work.
I'd really appreciate any help, I'm stuck on this one. No idea what causes it and whether it's a but in my code or something else.
I hope I gave enough information. Thanks in advance.

I'm really stuck on this one, I haven't got a clue what causes this. Maybe @rovo89, @MohammadAG, @GermainZ or @defim, you guys are the most experienced Xposed developers out here. Thanks in advance!

Could something like `sharedPreferences.makeWorldReadable();` (probably needs to be in initZygote) solve your issue? I can't personally think of any reason this might happen except a permission issue.
(Also make sure you're using the latest Xposed Bridge API. I remember there were some commits related to XSharedPreferences, although I can't remember what they were exactly and can't check right now.)

Permission problem sounds reasonable. PSC has for its xml file only set 660, so world readable is mission. After changing it by command line Play Store starts as expected. But i've to say that i use in no app the makeWorldReadable(), Xposed should do it by itself: http://forum.xda-developers.com/showpost.php?p=41976845&postcount=1586 But I also dont use settings fragment, which could cause it...

GermainZ said:
Could something like `sharedPreferences.makeWorldReadable();` (probably needs to be in initZygote) solve your issue? I can't personally think of any reason this might happen except a permission issue.
(Also make sure you're using the latest Xposed Bridge API. I remember there were some commits related to XSharedPreferences, although I can't remember what they were exactly and can't check right now.)
Click to expand...
Click to collapse
defim said:
Permission problem sounds reasonable. PSC has for its xml file only set 660, so world readable is mission. After changing it by command line Play Store starts as expected. But i've to say that i use in no app the makeWorldReadable(), Xposed should do it by itself: http://forum.xda-developers.com/showpost.php?p=41976845&postcount=1586 But I also dont use settings fragment, which could cause it...
Click to expand...
Click to collapse
First of al, both thanks you for your response, it's highly appreciated.
I've been testing with permissions, it indeed looks like a permission problem, because makeWorldReadable() solved it. I use the following line the SettingsFragment to make it World Readable, which has always worked, even though Context.MODE_WORLD_READABLE is officially deprecated because if security reasons:
Java:
getPreferenceManager().setSharedPreferencesMode(Context.MODE_WORLD_READABLE);
It creates a file with 660 permissions, with makeWorldReadable in initZygote it sets it to 664. This is my initZygote:
Java:
@Override
public void initZygote(StartupParam startupParam) throws Throwable {
sharedPreferences = new XSharedPreferences(BuildConfig.APPLICATION_ID);
XposedBridge.log(LOG_TAG + "Readable before: " + sharedPreferences.getFile().canRead());
sharedPreferences.makeWorldReadable();
XposedBridge.log(LOG_TAG + "Readable after: " + sharedPreferences.getFile().canRead());
}
The weird thing is, both readable before and after return true, which indicates it has the permission to read the file before makeWorldReadable(). But... it doesn't work without it
In the end, I created a snippet in SettingsFragment to solve it where the problem arises, instead of makeWorldReadable():
Code:
File sharedPrefsDir = new File(getActivity().getFilesDir(), "../shared_prefs");
File sharedPrefsFile = new File(sharedPrefsDir, getPreferenceManager().getSharedPreferencesName() + ".xml");
if (sharedPrefsFile.exists()) {
sharedPrefsFile.setReadable(true, false);
}
This still needs setSharedPreferencesMode(Context.MODE_WORLD_READABLE), otherwise the permissions will be reset to 660 when a preference changes, now they stay 664. So basically al it does it make it readable for others in addition to the setSharedPreferenceMode().
Thanks again for your replies, it really helped. I still think it's weird, especially since File.canRead() returns true, while it obviously can't read it. I hope it'll help others in the future.

I think I use the deprecated SettingsActivity for this reason. I can override getSharedPreferences so it always returns a world readable file, this avoids the permissions resetting when a preference changes.
Sent from my HTC One_M8 using Tapatalk

MohammadAG said:
I think I use the deprecated SettingsActivity for this reason. I can override getSharedPreferences so it always returns a world readable file, this avoids the permissions resetting when a preference changes.
Sent from my HTC One_M8 using Tapatalk
Click to expand...
Click to collapse
Thanks for your response, just checked out one of your modules, saw you were using getPreferenceManager().setSharedPreferencesMode(MODE_WORLD_READABLE); too. (and indeed SettingsActivity). This has always been sufficient for me using PreferenceFragment. To be sure it's world readable I now manually set the permissions on onPause as a workaround. Still weird because it has always worked flawless for me.

P1nGu1n_ said:
Thanks for your response, just checked out one of your modules, saw you were using getPreferenceManager().setSharedPreferencesMode(MODE_WORLD_READABLE); too. (and indeed SettingsActivity). This has always been sufficient for me using PreferenceFragment. To be sure it's world readable I now manually set the permissions on onPause as a workaround. Still weird because it has always worked flawless for me.
Click to expand...
Click to collapse
Yeah, I also override getSharedPreferences in PreferenceActivity, that allows it to stay world readable.
Sent from my HTC One_M8 using Tapatalk

Sam code works for me in XInstaller. Try check it out, it is open source.

Be aware that using XSharedPreferences will probably lead to problems on Lollipop caused by more stringent SELinux rules.

M66B said:
Be aware that using XSharedPreferences will probably lead to problems on Lollipop caused by more stringent SELinux rules.
Click to expand...
Click to collapse
Good point, but it's too early to say. I'll wait for Xposed to be compatible (hope it will), than I'll look into what changes it'll require. That's something almost every Xposed developer will face ;p
Sent from my phone, please forgive any tpyos.

Yes, I think also Xposed should then handle with LOL XResources properly

Breaking XSharedPreferences means that *almost* every module is not going to work on Lollipop.

I also migrated my project to use PreferenceFragment and getPreferenceManager().setSharedPreferencesMode(Context.MODE_WORLD_READABLE) pretty much does nothing. After I change any setting, prefs file lose "world available" mode.

I checked out P1ngu1n_'s implementation using PreferenceFragment, but it still doesn't work for me. Do any of you have an idea why?
Here is my source
The only difference I can see is that I don't have an xml file for the preferences and that I'm adding the keys in the fragment.
I even checked the permissions and they seem to be fine.

asdfasdfvful said:
I checked out P1ngu1n_'s implementation using PreferenceFragment, but it still doesn't work for me. Do any of you have an idea why?
Here is my source
The only difference I can see is that I don't have an xml file for the preferences and that I'm adding the keys in the fragment.
I even checked the permissions and they seem to be fine.
Click to expand...
Click to collapse
If the permissions seem to be fine, than what doesn't work?

P1nGu1n_ said:
If the permissions seem to be fine, than what doesn't work?
Click to expand...
Click to collapse
That's what confuses me. I have the xml file under shared_prefs and it definitely has values. However, xposed won't read it unless I open the app itself.
Sent from my Nexus 5 using Tapatalk

Put Settings from hook

Hook is in PhoneWindowManager class, I need to put a value to Settings.System. ContentResolver from the available mContext variable is used.
I get the following:
Code:
InvocationTargetError: java.lang.SecurityException: Package android does not belong to 10036
10036 is UID of my module.

- Which context did you use to get content resolver?
- Depends on where your hook is.
Although your hook is in phone window manager, it still depends from where method you are hooking was called from. If it was called from different package that has different permissions (such as your module app), you will have to clear an identity of calling package while using system settings.
Something like:
Code:
long ident = Binder.clearCallingIdentity();
try {
// store to system settings or whatever
} finally {
Binder.restoreCallingIdentity(ident);
}
- Another option is to add necessary permission to your module's manifest

My module already has WRITE_SETTINGS permission. I use mContext variable that is available in PhoneWindowManager, never had a problem with it. Calling from a separate thread that is created in screenTurnedOff() method.
PhoneWindowManager has a lot of similar code involving Settings.System:
Code:
android.provider.Settings.System.putIntForUser(mContext.getContentResolver(), "screen_brightness_mode", 0, -3);
I tried ...ForUser methods with -2, -3 and 1000 UIDs - still the same error. Regular methods should use current process UID, so it's 1000 anyway.
No idea how it still knows that Xposed module is involved, code is supposed to be executed as if it's a part of a hooked app.
But I guess it knows) so clearing calling identity works perfectly, thanks.

I assume thread in screenTurnedOff you mentioned is your own you created? If yes, then for some reason thread in which runs phone window manager is thinking it's some kind of a foreign thread although created within phone window manager. Question is where screenTurnedOff was called from. If it's an IPC call then it's clear it has different identity. If it's not that case then it's definitely strange.

C3C076 said:
Question is where screenTurnedOff was called from. If it's an IPC call then it's clear it has different identity. If it's not that case then it's definitely strange.
Click to expand...
Click to collapse
screenTurnedOff is a stock method, it's called whenever it's called Definitely not from my module. I bet there is an explanation, something complicated)

[Q] Add/Inject/Force <meta-data> line into manifest of every installed app

the problem is, i use OP5T, and none of any 8.0/8.1 stock custom rom does support 18:9 scaling feature like in OOS, this feature named as "Full Screen Apps" under app category.
after a few googling, i came up with these method:
1.) add/inject/force this into manifest file of every installed app. or maybe doing some workaround with the packagemanager
<meta-data android:name="android.max_aspect" android:value="2.1" />
Click to expand...
Click to collapse
2.) playing inside AOSP source code, parsePackage method.
frameworks/base/core/java/android/content/pm/PackageParser.java.
Click to expand...
Click to collapse
i know nothing of creating xposed module, but before starting my journey, is it possible to do the first method with xposed?
after seeing module like Xinstaller, App Settings, and XAspect. i thought it may be possible with xposed to approach this.
really appreciate every kind of help, thanks before

I can see at least two solutions there.
The first one, probably the most simple.
1)
Hook parseMetaData method to add
android.max_aspect to returned bundle in after hook (if doesn't already exist)
2)
Hook setMaxAspectRatio
Get mAppMetaData of passed Package (owner.mAppMetaData) in before hook and add android.max_aspect to it (if doesn't already exist)
Edit: Apart from <meta-data> app dev can also specify aspect ratio within <Activity> element in the manifest.
This has higher priority over <meta-data> so the best solution would be to hook setMaxAspectRatio of Activity class and modify maxAspectRatio parameter to desired value in before hook.

Question What is the current state of unlocking fastboot?

Have decided to rejoin XDA after a while off to see what sort of response I get to this.
A browse of the forum tells me that there is no known way to unlock fastboot, I was wondering what methods had been explored in an attempt to do this?
More specifically there are 2 potential methods I'd like to ask about.
1: I have seen mentioned in a comment here a tool I stumbled across a few months ago while messing around with another device,
edl/README.md at master · bkerler/edl
Inofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :) - edl/README.md at master · bkerler/edl
github.com
There is one option in particular that I think is of interest,
edl modules oemunlock enable -> Unlocks OEM if partition "config" exists, fastboot oem unlock is still needed afterwards
2: After a quick browse of the disassembled Oppo deeptesting app I can see a number of references to a class that is only accessible via reflection 'android.engineer.OplusEngineerManager'
and it contains a method 'fastbootUnlock'. Has anyone tried to access this class and its methods at all?
Maybe none of these things will be of any use, but before I spend too much time exploring them, I was interested to hear if anyone else had explored these at all? If so what progress was or wasn't made?

A little update for anyone who is interested:
So I have spent a little bit of time this morning seeing what I can do with the 'OplusEngineerManager' class. I made very simple app to see what access I could get to this class. After adding a library to allow the use of reflection to access non sdk classes I was able to get a list methods from the class, but so far have not been successfully invoke any of them, despite there being no exceptions caught.

User154 said:
A little update for anyone who is interested:
So I have spent a little bit of time this morning seeing what I can do with the 'OplusEngineerManager' class. I made very simple app to see what access I could get to this class. After adding a library to allow the use of reflection to access non sdk classes I was able to get a list methods from the class, but so far have not been successfully invoke any of them, despite there being no exceptions caught.
Click to expand...
Click to collapse
I took a look at the fastbootUnlock method itself (at /system/framework/oplus-framework.jar) and I believe that even if we could invoke it, it wouldn't work because it uses some sort of token (generated be Oppo?). I might be wrong though, I don't have much experience working with decompiled code, and the code I looked at was Realme one (I guess its same as Oppo).

daniml3 said:
I took a look at the fastbootUnlock method itself (at /system/framework/oplus-framework.jar) and I believe that even if we could invoke it, it wouldn't work because it uses some sort of token (generated be Oppo?). I might be wrong though, I don't have much experience working with decompiled code, and the code I looked at was Realme one (I guess its same as Oppo).
Click to expand...
Click to collapse
Its great that someone else is looking at this! I hadn't posted another update as I haven't made a huge amount of progress, and I wasn't sure anybody would be interested.
The fastbootUnlock method returns a boolean and takes 2 parameters, a byte array and an int. From what I can see it is the only method of the OplusEngineerManager class that the deeptesting app calls. It contains 2 calls to the fastbootUnlock method. Once where it calls it with an empty byte array and the int is 1. I was actually able to invoke the method from my test app in this way and got a false return value (rather than just getting null like the other methods I tried to invoke). The second is contained within a method of the deeptesting app that takes a string as its parameter. It then converts this string to a byte array which it passes as the paramter for the fastbootUnlock method along with the int of 1.
Edit:
The second call to fastbootUnlock uses the length of the byte array as the int and not 1. Please forgive me it was late when I wrote this and I was not looking at the source.
Thats about as far as I am with it at the moment, the next task is to find out what that string it passes is exactly, and is it something that needs to be generated by Oppo.
I would imagine the realme framework woukd be similar, if you would like to compare I can provide the full list of methods from the OplusEngineerManager class?

Hey guys, I would be interested in helping you somehow.
I have no prior experience with unlocking a device. (besides actually doing it with the tools provided by anyone else).
But I own an oppo find x3 pro, if you need me to do some testing for you, let me know
Thank you for your reaserch and trying to unlock the fastboot!

xarf903 said:
Hey guys, I would be interested in helping you somehow.
I have no prior experience with unlocking a device. (besides actually doing it with the tools provided by anyone else).
But I own an oppo find x3 pro, if you need me to do some testing for you, let me know
Thank you for your reaserch and trying to unlock the fastboot!
Click to expand...
Click to collapse
Hi, thanks for your reply. At the moment there isn't too nuch to test, but if I do manage to find a way I will need plenty of testers, so thank you

A small update:
I have found that the method in the deep testing app which takes a string and then ends up invoking the reflected fastbootUnlock method is called by a handler associated with one of the app's activities.
The handler gets the string extra from the intent which starts the activity, and then passes that as the parameter when calling the method.
The next problem is that I cannot find anywhere in the deep testing app that starts this activity. I can see as part of, what I believe to be, the normal flow of the deep testing app that an activity in the startup wizard is called, so I wonder if the startup wizard then starts the activity of interest in the deep testing app. This will be the next thing I look into
Edit:
I have looked into this more and it turns out most of this is wrong. The activity is started from within the deeptesting app and not the startup wizard

User154 said:
A small update:
I have found that the method in the deep testing app which takes a string and then ends up invoking the reflected fastbootUnlock method is called by a handler associated with one of the app's activities.
The handler gets the string extra from the intent which starts the activity, and then passes that as the parameter when calling the method.
The next problem is that I cannot find anywhere in the deep testing app that starts this activity. I can see as part of, what I believe to be, the normal flow of the deep testing app that an activity in the startup wizard is called, so I wonder if the startup wizard then starts the activity of interest in the deep testing app. This will be the next thing I look into
Click to expand...
Click to collapse
Great, from my side I tried running the fastbootUnlock method as you did, and got the same result (false). I looked at the logs and there was a selinux denial for finding the engineering service as my app is an untrusted app, so our only way to run the fastbootUnlock method is through the deep testing app I guess.

daniml3 said:
Great, from my side I tried running the fastbootUnlock method as you did, and got the same result (false). I looked at the logs and there was a selinux denial for finding the engineering service as my app is an untrusted app, so our only way to run the fastbootUnlock method is through the deep testing app I guess.
Click to expand...
Click to collapse
Do you mind if I see the logs? I have had no such denial that I can see.
How have you enabled access to hidden apis?
Have you used any of the permissions from the deeptesting app?

User154 said:
Do you mind if I see the logs? I have had no such denial that I can see.
How have you enabled access to hidden apis?
Have you used any of the permissions from the deeptesting app?
Click to expand...
Click to collapse
2022-08-30 14:30:02.115 669-669/? E/SELinux: avc: denied { find } for pid=22831 uid=10866 name=engineer scontext=u:r:untrusted_app_29:s0:c98,c259,c512,c768 tcontext=u:object_r:engineer_service:s0 tclass=service_manager permissive=0
2022-08-30 14:30:02.115 22831-22831/com.danieml.unlockme E/Unlockme: False
There are the logs. I enabled hidden apis, yes, didn't add any extra permissions though. By the way, did you use some specific keys for signing the app (platform keys for example)?

daniml3 said:
2022-08-30 14:30:02.115 669-669/? E/SELinux: avc: denied { find } for pid=22831 uid=10866 name=engineer scontext=u:r:untrusted_app_29:s0:c98,c259,c512,c768 tcontext=u:object_r:engineer_service:s0 tclass=service_manager permissive=0
2022-08-30 14:30:02.115 22831-22831/com.danieml.unlockme E/Unlockme: False
There are the logs. I enabled hidden apis, yes, didn't add any extra permissions though. By the way, did you use some specific keys for signing the app (platform keys for example)?
Click to expand...
Click to collapse
I had a closer look at the logs and I can see that sadly I am getting the same SELinux error.
I can't see much of a way around it at the moment.

I have made a thread in general should anyone wish to discuss this further. Most of this is applicable to all Oppo devices and there are people that have looked at this in different ways and found different things out when trying to unlock fastboot on other devices. I think it would be useful to have somewhere to discuss unlocking fastboot on Oppo devices in general.
[DISCUSSION] A thread to collate and share what is known about unlocking fastboot on Oppo devices
Admin: Please move/delete this thread if it is in the wrong place or against the rules. I wanted to create a thread to discuss unlocking fastboot mode on Oppo devices in general, rather than discussing it in terms of any one device in...
forum.xda-developers.com