Lanchon / haystack

Signature Spoofing Patcher for Android
GNU General Public License v3.0

Android 9: services.jar deodexed, patched but spoofing disabled #33

Open stiray opened 4 years ago

stiray commented 4 years ago

I am trying to build a microG ROM for the Cosmo Communicator, but I got stuck on patching services.jar; or rather, I deodex it and apply the patches sigspoof-hook-7.0-9.0/services.jar.dex and sigspoof-core/services.jar.dex, but Signature Spoofing Checker says spoofing is disabled.

May I ask you for advice on what is wrong, as I am stuck? I am using HEAD from this repo.

I have written a little script to do it automatically (trying to build a microG ROM for the Cosmo Communicator); these are the main parts.

Deodexing:

./vdexExtractor --input=${vdex} --output=${tmpdir}
./compact_dex_converter -v ${tmpdir}/services_classes.cdex
zip -j -u ${tmpdir}/services.jar ${tmpdir}/classes*.dex

The process completes and services.jar has classes.dex file inside. This is the output:

Deodexing system.img/system/framework/oat/arm64/services.vdex...
[INFO] Processing 1 file(s) from system.img/system/framework/oat/arm64/services.vdex
[INFO] 1 out of 1 Vdex files have been processed
[INFO] 1 Dex files have been extracted in total
[INFO] Extracted Dex files are available in 'tmp'
Converting cdex tmp/services_classes.cdex to classes.dex...
Opened 'tmp/services_classes.cdex', DEX version '001'
compact_dex_converter W 07-12 15:57:28 26283 26283 dex_file_verifier.cc:318] Ignoring bad checksum (e39ab0e5, expected 891d674b)
compact_dex_converter W 07-12 15:57:28 26283 26283 dex_file_verifier.cc:318] Ignoring bad checksum (e39ab0e5, expected 891d674b)
compact_dex_converter I 07-12 15:57:29 26283 26283 compact_dex_converter_main.cc:175] StandardDex file successfully extracted to tmp/services_classes.cdex.new
Injecting classes.dex into tmp/services.jar
updating: classes.dex (deflated 55%)

Patching:

apilevel="28"
mkdir -p ${tmpdir}/patch_hook
java -jar ${dexpatcher} \
    --api-level ${apilevel} \
    --verbose \
    --output ${tmpdir}/patch_hook/ \
    --multi-dex \
    ${tmpdir}/services.jar \
    ${patch_hook}
zip -j -u ${tmpdir}/services.jar ${tmpdir}/patch_hook/classes*.dex

java -jar ${dexpatcher} \
    --api-level ${apilevel} \
    --verbose \
    --output ${tmpdir}/patch_core/ \
    --multi-dex \
    ${tmpdir}/services.jar \
    ${patch_core}
zip -j -u ${tmpdir}/services.jar ${tmpdir}/patch_core/classes*.dex

Again everything passes fine, 0 errors, 0 warnings:

Patching tmp/services.jar with ./haystack/sigspoof-hook-7.0-9.0/services.jar.dex
DexPatcher version 1.8.0-beta1 by Lanchon (https://dexpatcher.github.io/)
info: read 'tmp/services.jar'
info: read './haystack/sigspoof-hook-7.0-9.0/services.jar.dex'
info: type 'com.android.server.pm.PackageManagerService': method '<init>():void': implicit ignore of trivial default constructor
info: write 'tmp/patch_hook'
0 error(s), 0 warning(s)
Injecting  tmp/patch_hook/classes.dex into tmp/services.jar
updating: classes.dex (deflated 56%)
Patching tmp/services.jar with ./haystack/sigspoof-core/services.jar.dex
DexPatcher version 1.8.0-beta1 by Lanchon (https://dexpatcher.github.io/)
info: read 'tmp/services.jar'
info: read './haystack/sigspoof-core/services.jar.dex'
info: type 'com.android.server.pm.GeneratePackageInfoHook': method '<init>():void': implicit ignore of trivial default constructor
info: write 'tmp/patch_core'
0 error(s), 0 warning(s)
Injecting  tmp/patch_core/classes.dex into tmp/services.jar
updating: classes.dex (deflated 56%)
cp services.jar  system.img/system/framework/services.jar
rm -f system.img/system/framework/oat/arm64/services.*

The ROM is flashed to the device, but the Signature Spoofing Checker says "Signature Spoofing: DISABLED".

getprop allow_fake_signature_global

returns an empty line.

I have searched a lot for a potential reason, but most people have issues with deodexing, which is not the case here...

Thank you for any help in advance.

stiray commented 4 years ago

I have decompiled the code and checked the patch... the GeneratePackageInfoHook is there, but generatePackageInfo has a somewhat strange flow. It only calls GeneratePackageInfoHook if generatePackageInfo$wrapSource didn't return its own object. Is this code part of the patch? (generatePackageInfo$wrapSource is the original function, while this generatePackageInfo is the patch stub, first calling the original function and then the patched code?)

.method private generatePackageInfo(Lcom/android/server/pm/PackageSetting;II)Landroid/content/pm/PackageInfo;
    .locals 3

    invoke-direct {p0, p1, p2, p3}, Lcom/android/server/pm/PackageManagerService;->generatePackageInfo__$wrapSource(Lcom/android/server/pm/PackageSetting;II)Landroid/content/pm/PackageInfo;

    move-result-object v0

    if-eqz p1, :cond_0

    if-eqz v0, :cond_0

    iget-object v1, p1, Lcom/android/server/pm/PackageSetting;->pkg:Landroid/content/pm/PackageParser$Package;

    if-eqz v1, :cond_0

    iget-object v2, p0, Lcom/android/server/pm/PackageManagerService;->mContext:Landroid/content/Context;

    invoke-static {v0, v2, v1, p2, p3}, Lcom/android/server/pm/GeneratePackageInfoHook;->hook(Landroid/content/pm/PackageInfo;Landroid/content/Context;Landroid/content/pm/PackageParser$Package;II)Landroid/content/pm/PackageInfo;

    move-result-object v0

    :cond_0
    return-object v0
.end method

Lanchon commented 4 years ago

Is this code part of patch?

yes it is, you can see the patch Java sources in this repo.

first, it is a mistake to deodex part of the ROM. you must deodex the complete ROM or stuff may break. so yeah, it can be a deodexing thing.

once that is done, if you still have issues, you can choose to patch without the UI, which is optional, and test the result.

also, make sure you are using checker version 1.1 or results can be incorrect.
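Added example, not part of the haystack project or of either post above: a POSIX shell script that applies the maintainer's point about deodexing the whole ROM rather than only services.jar. It walks a system tree, finds every .vdex, and applies the same vdexExtractor / compact_dex_converter / zip steps the first post shows for services.jar to each jar or apk it finds. Assumptions, also marked in the comments: the tool locations (VDEX_EXTRACTOR, CDEX_CONVERTER), vdexExtractor's `<name>_classes*.cdex` output names and compact_dex_converter's `.cdex.new` output name (the thread only shows the services case), the jar/apk lookup relative to the oat directory, and the DRY_RUN mode that prints the plan instead of running it.

```shell
#!/bin/sh
# Added example (not haystack's own code): deodex every .vdex under a ROM tree,
# not just services.jar, since partially deodexed ROMs can break.
# Assumed tool paths; override through the environment.
VDEX_EXTRACTOR="${VDEX_EXTRACTOR:-./vdexExtractor}"
CDEX_CONVERTER="${CDEX_CONVERTER:-./compact_dex_converter}"

# With DRY_RUN=1 in the environment, commands are printed instead of executed,
# so the plan can be reviewed on a machine without the tools installed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Map <dir>/oat/<abi>/<name>.vdex to <dir>/<name>.jar or <dir>/<name>.apk
# (assumed layout; matches framework/oat/arm64/services.vdex -> framework/services.jar).
# Prints the container path; returns 1 if neither exists (e.g. boot-image vdex files).
container_for_vdex() {
    vdex="$1"
    name=$(basename "$vdex" .vdex)
    base=$(dirname "$(dirname "$(dirname "$vdex")")")
    for ext in jar apk; do
        if [ -f "$base/$name.$ext" ]; then
            echo "$base/$name.$ext"
            return 0
        fi
    done
    return 1
}

# Deodex one container: extract cdex, convert to standard dex, inject, drop oat files.
deodex_one() {
    vdex="$1"
    container="$2"
    name=$(basename "$vdex" .vdex)
    tmpdir=$(mktemp -d)
    run "$VDEX_EXTRACTOR" --input="$vdex" --output="$tmpdir"
    # Assumed naming: <name>_classes.cdex, <name>_classes2.cdex, ... (multi-dex).
    for cdex in "$tmpdir/${name}_classes"*.cdex; do
        [ -e "$cdex" ] || continue
        run "$CDEX_CONVERTER" -v "$cdex"
        # Assumed: converter writes <file>.cdex.new; rename to classes[N].dex for the jar.
        dex="$tmpdir/$(basename "$cdex" .cdex | sed "s/^${name}_//").dex"
        run mv "$cdex.new" "$dex"
    done
    run zip -j -u "$container" "$tmpdir"/classes*.dex
    # Remove the stale oat/vdex/art files so the runtime cannot load the old code.
    run rm -f "$(dirname "$vdex")/$name".*
    rm -rf "$tmpdir"
}

# Walk the tree; DEODEX_COUNT holds the number of containers handled.
deodex_all() {
    root="$1"
    DEODEX_COUNT=0
    list=$(mktemp)
    find "$root" -type f -name '*.vdex' | sort > "$list"
    while read -r vdex; do
        if container=$(container_for_vdex "$vdex"); then
            deodex_one "$vdex" "$container"
            DEODEX_COUNT=$((DEODEX_COUNT + 1))
        else
            echo "skip $vdex: no matching jar/apk (boot-image vdex files need separate handling)" >&2
        fi
    done < "$list"
    rm -f "$list"
}

# Usage: DRY_RUN=1 sh deodex_all.sh /path/to/system.img   (review the plan first)
if [ -n "${1:-}" ]; then
    deodex_all "$1"
    echo "deodexed $DEODEX_COUNT container(s)"
fi
```

Run it with DRY_RUN=1 first and read the printed commands; only when every jar and apk in the tree is listed (and the boot-image entries are accounted for separately) run it for real. The dexpatcher steps from the first post then run against the deodexed services.jar as before.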