I've been playing with Xposed for a little bit as it's been fun to explore.
As a test, I wanted to write an app that would hook into SMS methods, and change the content of the text.
I managed to do this quite easily with the SMS app I use, as the package name was obviously easy to find, and there weren't a great deal of classes to check.
What I noticed when doing this was that the method I was hooking was little more than a wrapper for a call to an Android library function, namely
Code:
android.telephony.SmsManager.sendSingleSMS()
And I got interested in just hooking that method directly.
The problem is that while I could readily find the source code for SmsManager and its method sendSingleSMS, by downloading Android source code, I couldn't locate the actual package containing them.
I thought this would be as simple as
Code:
if (!lpparam.packageName.equals("android.telephony.SmsManager"))
Or
Code:
if (!lpparam.packageName.equals("android.telephony"))
But these did not work, and even
Code:
if (!lpparam.packageName.contains("tele"))
Fails to find any results.
So in essence, how best can I go about hooking android.telephony.SmsManager.sendSingleSMS()?
The package is android. I'd suggest using initZygote instead of handleLoadPackage for hooking that, though,
GermainZ said:
The package is android. I'd suggest using initZygote instead of handleLoadPackage for hooking that, though,
Click to expand...
Click to collapse
Ah, right I see, that seems obvious now. Thanks
same question about android.os.UserHandle
I'd like to hook UserHandle.getUid(int uid);
to trick system to think my apps uid is system...
but I can't seen to understand what is the package for UserHandle
10X
Related
I'd like to hook the query() method in ContentProvider in order to get to know which applications are accessing the personal information(e.g: contacts, sms) stored in the device. By reading the tutorial, we know that we can hook methods in app packages. However, what can we do when the methods we want to hook are in those system components? Any suggestion is appreciated.
x11911778 said:
I'd like to hook the query() method in ContentProvider in order to get to know which applications are accessing the personal information(e.g: contacts, sms) stored in the device. By reading the tutorial, we know that we can hook methods in app packages. However, what can we do when the methods we want to hook are in those system components? Any suggestion is appreciated.
Click to expand...
Click to collapse
Well first off, you can't hook ContentProvider.query() because it's an abstract method (at least one of the two variants). So you would have to hook the subclasses that provide an implementation for this method.
You would also need to clarify what you mean with "system components". I think some of these providers are implemented in system apps, so you would hook them like any other app. Others might be part of the system process (system_server), which also hosts all the system services like package manager etc. Simply use the special package name "android" for these, otherwise handle it like a normal app. And then there might be cases where you want to hook a Android framework method on the whole system. You would do that in initZygote().
In all cases, you would first have do identify a good place to hook into, then find out when to place the hook (as described above) and then use findAndHookMethod().
rovo89 said:
Well first off, you can't hook ContentProvider.query() because it's an abstract method (at least one of the two variants). So you would have to hook the subclasses that provide an implementation for this method.
You would also need to clarify what you mean with "system components". I think some of these providers are implemented in system apps, so you would hook them like any other app. Others might be part of the system process (system_server), which also hosts all the system services like package manager etc. Simply use the special package name "android" for these, otherwise handle it like a normal app. And then there might be cases where you want to hook a Android framework method on the whole system. You would do that in initZygote().
In all cases, you would first have do identify a good place to hook into, then find out when to place the hook (as described above) and then use findAndHookMethod().
Click to expand...
Click to collapse
Thanks a lot, that really helps~
Problem
would you mind give me a example (like a code) about how to hook the query() method? I really confused about that. Thanks a lot!!!!
Letts assume there is a method
public static native boolean doSomething(params...);
which gets called by regular Java code.
Can Xposed hook it?
EDIT: I'm wrong, see rovo's answer.
Yes, native methods can be hooked. However, in case this is for an app's code, it has to be done after System.loadLibrary(), otherwise the latter overwrites the hook. Ideally, the framework should take care of this itself, but it's not straight-forward and the has been vey little need for this.
rovo89 said:
Yes, native methods can be hooked. However, in case this is for an app's code, it has to be done after System.loadLibrary(), otherwise the latter overwrites the hook. Ideally, the framework should take care of this itself, but it's not straight-forward and the has been vey little need for this.
Click to expand...
Click to collapse
I've always assumed this wasn't the case. Just to clarify, Xposed is able to hook native functions, but not (native) C/C++ code/libraries? I've read more than once it can't so I'm a bit confused. Thanks for the correction.
GermainZ said:
Just to clarify, Xposed is able to hook native functions, but not (native) C/C++ code/libraries?
Click to expand...
Click to collapse
Correct. Only JNI functions can be hooked, i.e. those which are declared in and called by Java code.
How to do it "after System.loadLibrary()"?
How you go about hooking such methods? I am trying to hook some API methods, mainly the ones declared in the "Connectivity" class one such example is "isTetheringSupported" however I am struggling to do so as when I hook the method directly, the hook is never executed as I believe it is being called via the java.lang.reflect.Method invoke method, and when I try and hook that method I get the following error "java.lang.NoSuchMethodError: java.lang.reflect.Method#invoke()#exact"
hwhh_1 said:
How you go about hooking such methods? I am trying to hook some API methods, mainly the ones declared in the "Connectivity" class one such example is "isTetheringSupported" however I am struggling to do so as when I hook the method directly, the hook is never executed as I believe it is being called via the java.lang.reflect.Method invoke method, and when I try and hook that method I get the following error "java.lang.NoSuchMethodError: java.lang.reflect.Method#invoke()#exact"
Click to expand...
Click to collapse
Are you talking about EdXposed? If so it should be noted that hook not working for a particular method can also be a result of art compiler optimizations. E.g. if the method is simple and not called from many places, compiler will include body of such method directly into methods that call that method. It's called inlining. So while you can see method at source code level, during runtime it's empty and never called as original body became part of another method. To overcome this you have to find a different strategy, e.g. hook such methods that are less likely to become inlined.
C3C076 said:
Are you talking about EdXposed? If so it should be noted that hook not working for a particular method can also be a result of art compiler optimizations. E.g. if the method is simple and not called from many places, compiler will include body of such method directly into methods that call that method. It's called inlining. So while you can see method at source code level, during runtime it's empty and never called as original body became part of another method. To overcome this you have to find a different strategy, e.g. hook such methods that are less likely to become inlined.
Click to expand...
Click to collapse
In order to see if it inlined, there is a setting in EDXPOSED to deoptimize boot image.
Hello!
I am sorry if this may be confusing as I am quite sure I don't use the right terms. What I want to do is hook native library calls/syscalls made from native code within an app. I want to use xposed to launch the code that hooks the library/system call - but I do not know how to do and how the android system will complicate things for me.
Also, it seems to me that this has not been done. So my main thought with this thread is to get some input that can help me avoid some obvious pitfalls before I start trial and error.
What would my options be if I want to modify/interact with native code from a xposed module?
If it was a normal program I could simply use ptrace or LD_PRELOAD to get the kind of access I need. But as I want to do this from an xposed module I get worried by the android system.
If I for example hook the startup of the app, and then from the xposed hook use jni to ptrace myself - would that be possible, would I need to give the original app sudo permissions, and would my ptrace survive hiding/opening the app again?
Another thought was to, as previously at the startup of the app launch jni code. But in this case find the local symbol table and modify it to jump to my hook - but I am not sure if different jni code run in the same memory space and have access to mess with each other. [And also, how often would I need to redo this modification, would android reload/restart of the app destroy my changes]
Hopefully I didn't come off as too confusing. Thanks for the help!
I think you asked me this in my thread but Ill answer it here.
Also, it seems to me that this has not been done. So my main thought with this thread is to get some input that can help me avoid some obvious pitfalls before I start trial and error.
I have hooked native code with xposed and LD_PRELOAD, you can manipulate the data via your LD_PRELOAD lib. I do not know if its been linked to public code yet. LD_PRELOAD does not require Xposed to work(just makes it easier to manage imo). Also note that i have not tested this using the newer Android OS'es(>4.4). Not (yet)necessary for my use case. I would recommend getting LD_PRELOAD to work without Xposed first. Then add the Xposed integration
What would my options be if I want to modify/interact with native code from a xposed module?
If it was a normal program I could simply use ptrace or LD_PRELOAD to get the kind of access I need. But as I want to do this from an xposed module I get worried by the android system.
I have not tried via ptrace, also note that some apps will ptrace itself for protection against reversing. LD_PRELOAD works fine for me. Personally I use LD_PRELOAD to modify the arguments and the return values but most of the time just for logging information.
If I for example hook the startup of the app, and then from the xposed hook use jni to ptrace myself - would that be possible, would I need to give the original app sudo permissions, and would my ptrace survive hiding/opening the app again?
Ptrace to me sounds more complex but it does sound cool to attempt. No sudo is needed for the app that you are hooking using LD_PRELOAD.
t436h05t said:
I think you asked me this in my thread but Ill answer it here.
Also, it seems to me that this has not been done. So my main thought with this thread is to get some input that can help me avoid some obvious pitfalls before I start trial and error.
I have hooked native code with xposed and LD_PRELOAD, you can manipulate the data via your LD_PRELOAD lib. I do not know if its been linked to public code yet. LD_PRELOAD does not require Xposed to work(just makes it easier to manage imo). Also note that i have not tested this using the newer Android OS'es(>4.4). Not (yet)necessary for my use case. I would recommend getting LD_PRELOAD to work without Xposed first. Then add the Xposed integration
What would my options be if I want to modify/interact with native code from a xposed module?
If it was a normal program I could simply use ptrace or LD_PRELOAD to get the kind of access I need. But as I want to do this from an xposed module I get worried by the android system.
I have not tried via ptrace, also note that some apps will ptrace itself for protection against reversing. LD_PRELOAD works fine for me. Personally I use LD_PRELOAD to modify the arguments and the return values but most of the time just for logging information.
If I for example hook the startup of the app, and then from the xposed hook use jni to ptrace myself - would that be possible, would I need to give the original app sudo permissions, and would my ptrace survive hiding/opening the app again?
Ptrace to me sounds more complex but it does sound cool to attempt. No sudo is needed for the app that you are hooking using LD_PRELOAD.
Click to expand...
Click to collapse
Thanks! Is there a nice way to set LD_PRELOAD on app startup using Xposed or do you simply run the shell command when configuring which apps to hook?
Wropzter said:
Thanks! Is there a nice way to set LD_PRELOAD on app startup using Xposed or do you simply run the shell command when configuring which apps to hook?
Click to expand...
Click to collapse
Hooking the app and setting your native hooks is easy in Xposed, after you hook your package just load your lib with your hooks.
System.load("/data/data/org.xxx.app/lib/xxx.so");
The application will default use the preloaded lib you injected(same as LD_PRELOAD without the mess of bash).
It took more time to write code that would enable and disable the hooks inside the hook lib.
Now I have got it working with LD_PRELOAD manually, but using Xposed I do not seem to be able to load the library before libc - that is my replacement function is never called as the symbol was already loaded. Are you using the deprecated IXposedHookCmdInit to be able to load the package earlier? [If I remember correctly you were also hooking libc]
This is my code for the Xposed App.
if (lpparam.packageName.equals("app.to.hook")) {
System.load("/data/data/app.to.hook/lib/hook.so");
XposedBridge.log("Loaded native hook");
}
the problem is, i use OP5T, and none of any 8.0/8.1 stock custom rom does support 18:9 scaling feature like in OOS, this feature named as "Full Screen Apps" under app category.
after a few googling, i came up with these method:
1.) add/inject/force this into manifest file of every installed app. or maybe doing some workaround with the packagemanager
<meta-data android:name="android.max_aspect" android:value="2.1" />
Click to expand...
Click to collapse
2.) playing inside AOSP source code, parsePackage method.
frameworks/base/core/java/android/content/pm/PackageParser.java.
Click to expand...
Click to collapse
i know nothing of creating xposed module, but before starting my journey, is it possible to do the first method with xposed?
after seeing module like Xinstaller, App Settings, and XAspect. i thought it may be possible with xposed to approach this.
really appreciate every kind of help, thanks before
I can see at least two solutions there.
The first one, probably the most simple.
1)
Hook parseMetaData method to add
android.max_aspect to returned bundle in after hook (if doesn't already exist)
2)
Hook setMaxAspectRatio
Get mAppMetaData of passed Package (owner.mAppMetaData) in before hook and add android.max_aspect to it (if doesn't already exist)
Edit: Apart from <meta-data> app dev can also specify aspect ratio within <Activity> element in the manifest.
This has higher priority over <meta-data> so the best solution would be to hook setMaxAspectRatio of Activity class and modify maxAspectRatio parameter to desired value in before hook.
Have decided to rejoin XDA after a while off to see what sort of response I get to this.
A browse of the forum tells me that there is no known way to unlock fastboot, I was wondering what methods had been explored in an attempt to do this?
More specifically there are 2 potential methods I'd like to ask about.
1: I have seen mentioned in a comment here a tool I stumbled across a few months ago while messing around with another device,
edl/README.md at master · bkerler/edl
Inofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :) - edl/README.md at master · bkerler/edl
github.com
There is one option in particular that I think is of interest,
edl modules oemunlock enable -> Unlocks OEM if partition "config" exists, fastboot oem unlock is still needed afterwards
2: After a quick browse of the disassembled Oppo deeptesting app I can see a number of references to a class that is only accessible via reflection 'android.engineer.OplusEngineerManager'
and it contains a method 'fastbootUnlock'. Has anyone tried to access this class and its methods at all?
Maybe none of these things will be of any use, but before I spend too much time exploring them, I was interested to hear if anyone else had explored these at all? If so what progress was or wasn't made?
A little update for anyone who is interested:
So I have spent a little bit of time this morning seeing what I can do with the 'OplusEngineerManager' class. I made very simple app to see what access I could get to this class. After adding a library to allow the use of reflection to access non sdk classes I was able to get a list methods from the class, but so far have not been successfully invoke any of them, despite there being no exceptions caught.
User154 said:
A little update for anyone who is interested:
So I have spent a little bit of time this morning seeing what I can do with the 'OplusEngineerManager' class. I made very simple app to see what access I could get to this class. After adding a library to allow the use of reflection to access non sdk classes I was able to get a list methods from the class, but so far have not been successfully invoke any of them, despite there being no exceptions caught.
Click to expand...
Click to collapse
I took a look at the fastbootUnlock method itself (at /system/framework/oplus-framework.jar) and I believe that even if we could invoke it, it wouldn't work because it uses some sort of token (generated be Oppo?). I might be wrong though, I don't have much experience working with decompiled code, and the code I looked at was Realme one (I guess its same as Oppo).
daniml3 said:
I took a look at the fastbootUnlock method itself (at /system/framework/oplus-framework.jar) and I believe that even if we could invoke it, it wouldn't work because it uses some sort of token (generated be Oppo?). I might be wrong though, I don't have much experience working with decompiled code, and the code I looked at was Realme one (I guess its same as Oppo).
Click to expand...
Click to collapse
Its great that someone else is looking at this! I hadn't posted another update as I haven't made a huge amount of progress, and I wasn't sure anybody would be interested.
The fastbootUnlock method returns a boolean and takes 2 parameters, a byte array and an int. From what I can see it is the only method of the OplusEngineerManager class that the deeptesting app calls. It contains 2 calls to the fastbootUnlock method. Once where it calls it with an empty byte array and the int is 1. I was actually able to invoke the method from my test app in this way and got a false return value (rather than just getting null like the other methods I tried to invoke). The second is contained within a method of the deeptesting app that takes a string as its parameter. It then converts this string to a byte array which it passes as the paramter for the fastbootUnlock method along with the int of 1.
Edit:
The second call to fastbootUnlock uses the length of the byte array as the int and not 1. Please forgive me it was late when I wrote this and I was not looking at the source.
Thats about as far as I am with it at the moment, the next task is to find out what that string it passes is exactly, and is it something that needs to be generated by Oppo.
I would imagine the realme framework woukd be similar, if you would like to compare I can provide the full list of methods from the OplusEngineerManager class?
Hey guys, I would be interested in helping you somehow.
I have no prior experience with unlocking a device. (besides actually doing it with the tools provided by anyone else).
But I own an oppo find x3 pro, if you need me to do some testing for you, let me know
Thank you for your reaserch and trying to unlock the fastboot!
xarf903 said:
Hey guys, I would be interested in helping you somehow.
I have no prior experience with unlocking a device. (besides actually doing it with the tools provided by anyone else).
But I own an oppo find x3 pro, if you need me to do some testing for you, let me know
Thank you for your reaserch and trying to unlock the fastboot!
Click to expand...
Click to collapse
Hi, thanks for your reply. At the moment there isn't too nuch to test, but if I do manage to find a way I will need plenty of testers, so thank you
A small update:
I have found that the method in the deep testing app which takes a string and then ends up invoking the reflected fastbootUnlock method is called by a handler associated with one of the app's activities.
The handler gets the string extra from the intent which starts the activity, and then passes that as the parameter when calling the method.
The next problem is that I cannot find anywhere in the deep testing app that starts this activity. I can see as part of, what I believe to be, the normal flow of the deep testing app that an activity in the startup wizard is called, so I wonder if the startup wizard then starts the activity of interest in the deep testing app. This will be the next thing I look into
Edit:
I have looked into this more and it turns out most of this is wrong. The activity is started from within the deeptesting app and not the startup wizard
User154 said:
A small update:
I have found that the method in the deep testing app which takes a string and then ends up invoking the reflected fastbootUnlock method is called by a handler associated with one of the app's activities.
The handler gets the string extra from the intent which starts the activity, and then passes that as the parameter when calling the method.
The next problem is that I cannot find anywhere in the deep testing app that starts this activity. I can see as part of, what I believe to be, the normal flow of the deep testing app that an activity in the startup wizard is called, so I wonder if the startup wizard then starts the activity of interest in the deep testing app. This will be the next thing I look into
Click to expand...
Click to collapse
Great, from my side I tried running the fastbootUnlock method as you did, and got the same result (false). I looked at the logs and there was a selinux denial for finding the engineering service as my app is an untrusted app, so our only way to run the fastbootUnlock method is through the deep testing app I guess.
daniml3 said:
Great, from my side I tried running the fastbootUnlock method as you did, and got the same result (false). I looked at the logs and there was a selinux denial for finding the engineering service as my app is an untrusted app, so our only way to run the fastbootUnlock method is through the deep testing app I guess.
Click to expand...
Click to collapse
Do you mind if I see the logs? I have had no such denial that I can see.
How have you enabled access to hidden apis?
Have you used any of the permissions from the deeptesting app?
User154 said:
Do you mind if I see the logs? I have had no such denial that I can see.
How have you enabled access to hidden apis?
Have you used any of the permissions from the deeptesting app?
Click to expand...
Click to collapse
2022-08-30 14:30:02.115 669-669/? E/SELinux: avc: denied { find } for pid=22831 uid=10866 name=engineer scontext=u:r:untrusted_app_29:s0:c98,c259,c512,c768 tcontext=u:object_r:engineer_service:s0 tclass=service_manager permissive=0
2022-08-30 14:30:02.115 22831-22831/com.danieml.unlockme E/Unlockme: False
There are the logs. I enabled hidden apis, yes, didn't add any extra permissions though. By the way, did you use some specific keys for signing the app (platform keys for example)?
daniml3 said:
2022-08-30 14:30:02.115 669-669/? E/SELinux: avc: denied { find } for pid=22831 uid=10866 name=engineer scontext=u:r:untrusted_app_29:s0:c98,c259,c512,c768 tcontext=u:object_r:engineer_service:s0 tclass=service_manager permissive=0
2022-08-30 14:30:02.115 22831-22831/com.danieml.unlockme E/Unlockme: False
There are the logs. I enabled hidden apis, yes, didn't add any extra permissions though. By the way, did you use some specific keys for signing the app (platform keys for example)?
Click to expand...
Click to collapse
I had a closer look at the logs and I can see that sadly I am getting the same SELinux error.
I can't see much of a way around it at the moment.
I have made a thread in general should anyone wish to discuss this further. Most of this is applicable to all Oppo devices and there are people that have looked at this in different ways and found different things out when trying to unlock fastboot on other devices. I think it would be useful to have somewhere to discuss unlocking fastboot on Oppo devices in general.
[DISCUSSION] A thread to collate and share what is known about unlocking fastboot on Oppo devices
Admin: Please move/delete this thread if it is in the wrong place or against the rules. I wanted to create a thread to discuss unlocking fastboot mode on Oppo devices in general, rather than discussing it in terms of any one device in...
forum.xda-developers.com