Open 309040521 opened 10 months ago
Please send your `/vendor/lib64/hw/camera.qcom.so` lib so I can check it out.
Thank you very much for your response. Please use the following link to download this file. Thanks again! https://www.mediafire.com/file/jibpjjwbfpsuyej/camera.qcom.so/file
I can provide remote access for you to investigate, if you don't mind.
If there's anything else you need to know, please let me know. I'm more than willing to provide assistance.
Here are the steps:
1. Unlock the bootloader.
2. Flash the ROM and Magisk.v26.3.apk.
3. Install: Patch-Enhancer-v0.4.zip, LSPosed-v1.9.1-6990-zygisk-release.zip, KnoxPatch-v0.6.1.apk.
4. After restarting the phone and opening the camera, the buttons within the app work as expected, but the camera screen remains black. The issue persists whether switching between the front and rear cameras. Approximately 30 seconds after the app is opened, an error occurs, and the error message states: 'An error has occurred.'
I've already dealt with such an issue in my Galaxy A52s 5G as it has a check in the camera HAL that prevents it from working when the bootloader is unlocked (tho this is limited to devices with a rear SLSI camera sensor). Looks like it is the same in your device:
Give a try to some Magisk/KSU modules that spoof the bootloader unlock prop(s): USNF, MagiskHide Props Config
I have already changed 'ro.boot.verifiedbootstate' to GREEN, but the camera screen remains black. The modification steps were as follows:
1. Installed and activated 'safetynet-fix-v2.4.0-MOD_2.0.zip' and 'MagiskHidePropsConf-v6.1.2.zip' in Magisk.
2. Installed Termux and rebooted the phone.
3. Opened Termux and used 'su' permissions to execute 'props'.
4. Checked that 'ro.boot.verifiedbootstate' is green.
5. The camera screen is still black.
Could be the same as here where safetynet-fix spoofs the bootloader props too late at boot and won't apply to the camera HAL: https://github.com/Displax/safetynet-fix/blob/67d1d1b86e145a8ddcd2f023ac878dc6d23ee3db/magisk/service.sh#L27-L46 Try spoofing your device props with MagiskHide Props Config and see if the issue persists.
I've tried, but it's still not working. Could you please help me check if I made a mistake in any of these steps? Thank you!
1. Open Termux and execute 'su' for permissions.
2. Type '4' for 'edit MagiskHide props'.
3. Type '1' for 'ro.boot.verifiedbootstate'.
4. It shows 'currently set to green by this module'.
I've come across a strange situation; when I check the system, 'ro.boot.verifiedbootstate' actually indicates 'green'.
As I said in https://github.com/BlackMesa123/KnoxPatch/issues/53#issuecomment-1738568932 the issue is due to the prop being spoofed too late at boot by the USNF module. We can try hex patching the lib and eventually integrate the fix in the Enhancer module.
We don't have any experience in this area (try hex patching the lib). Could you please guide us on how to get started? Thank you very much!
In the A52s case we replace the bootloader prop in the lib with another one so that the camera lib reads that instead (or SELinux blocks it so it falls back to the default value). https://github.com/LineageOS/android_device_samsung_a52sxq/blob/999b94dc151b00467c4c287e2b42828200b6e0e2/extract-files.sh#L12 The same can be tested in your device, I'm not at home right now so I can't send you the patched libs to be tested.
So, do I need to modify the source code of the 'camera.qcom.so' file to replace the parameters it originally checks?
`camera.qcom.so` is a compiled binary without any available source code, so the only way is by patching the lib manually. I sent you the code we use on A52s to rename the prop it uses to check the bootloader lock status.
In our device case, the lib checks for `ro.boot.flash.locked` whose result is either "0" (unlocked) or "1", when patched it will either read the new prop (`ro.camera.notify_nfc`, whose value is always 1) or SELinux will block the lib's `property_get` call, which will return the default value set in the code (luckily 1 in our case).
Your device's HAL on the other hand reads `ro.boot.verifiedbootstate` whose result is instead a string, the values of this prop are either "green" (locked) or "orange" (unlocked). I'm still not sure how the check works so I still have to know if renaming the prop just like we do in A52s is enough to bypass the check. To do this backup the original lib and run this in any shell with root permissions:
```
sed -i 's/ro.boot.verifiedbootstate/ro.bla.blablablablablabla/g' /vendor/lib64/hw/camera.qcom.so
```
When patching, the length of the new string must be equal to the one of the old string or smaller (by replacing the missing characters with `\x00`).
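The same-length rule from the comment above, as an added example (not code from KnoxPatch or from any commenter): a Python helper that renames a NUL-terminated string in an in-memory copy of a binary, pads a shorter name with `\x00`, and refuses a longer one. The function name, the sample bytes and the `persist.`-prefixed name in them are made up for illustration.

```python
def rename_cstring(blob: bytes, old: str, new: str) -> tuple[bytes, int]:
    """Replace each complete NUL-terminated occurrence of `old` with `new`.

    `new` is padded with NUL bytes up to len(old), so no offset in the file
    moves. A longer `new` is rejected instead of being truncated.
    Returns (patched_blob, number_of_replacements).
    """
    old_b, new_b = old.encode("ascii"), new.encode("ascii")
    if not new_b:
        raise ValueError("replacement must not be empty")
    if len(new_b) > len(old_b):
        raise ValueError(
            f"{new!r} is {len(new_b) - len(old_b)} byte(s) longer than {old!r}"
        )
    padded = new_b.ljust(len(old_b), b"\x00")

    out = bytearray(blob)
    count = 0
    pos = blob.find(old_b)
    while pos != -1:
        end = pos + len(old_b)
        # Only touch a whole C string: the byte before must not be printable
        # ASCII (else `old` is the tail of a longer name) and the byte after
        # must be the terminator (else `old` is the head of a longer name).
        starts_clean = pos == 0 or not (0x20 <= blob[pos - 1] < 0x7F)
        ends_clean = end < len(blob) and blob[end] == 0
        if starts_clean and ends_clean:
            out[pos:end] = padded
            count += 1
        pos = blob.find(old_b, end)

    assert len(out) == len(blob)  # file size and all offsets are unchanged
    return bytes(out), count


# Constructed sample standing in for a library's string table (not real data).
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00"
    b"ro.boot.verifiedbootstate\x00orange\x00"
    b"persist.ro.boot.verifiedbootstate\x00"
    b"ro.boot.flash.locked\x00"
)

if __name__ == "__main__":
    patched, n = rename_cstring(
        SAMPLE, "ro.boot.verifiedbootstate", "ro.bla.blablablablablabla"
    )
    print(n, len(SAMPLE) == len(patched))
```

Unlike the `sed` expression, this matches the name literally (in `sed` each `.` is a wildcard) and skips occurrences that are part of a longer string.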
Hello, sir. Modifying these two files seems quite challenging for me. I've come up with another approach, and I'd like to ask for your assessment of its feasibility. Since my 'ro.boot.verifiedbootstate' is currently set to 'GREEN,' could I potentially uninstall the camera app and then reinstall it to make the app read the updated parameters?
backup.zip
camera.qcom.so=/vendor/lib/hw/camera.qcom.so
camera.qcom.so64=/vendor/lib64/hw/camera.qcom.so
Uninstalling the camera app has no effect as this code is in the camera HAL, so this applies globally in the system independently of the app you're using. I've applied the patch in https://github.com/BlackMesa123/KnoxPatch/issues/53#issuecomment-1739680130 myself here, give a try to these libs and let me know if it works.
After replacing it, I still can't open the camera. It remains the same even after restarting the phone. Additionally, I've noticed that before the replacement, when I opened the camera, there was a green dot in the top left corner (indicating the camera was in use). However, after the replacement, this notification dot no longer appears.
Check if you did replace the file correctly (it's not 0 bytes), also make sure the file permissions/secontext is correct.
Could you please help me check if I made any mistakes in the replacement steps? Thank you!
Run `ls -lZ` on the placed lib files.
Wrong permission/secontexts are set for your libs. Fix them using these cmds:
```
chmod 644 /vendor/lib/hw/camera.qcom.so
chmod 644 /vendor/lib64/hw/camera.qcom.so
chcon u:object_r:vendor_file:s0 /vendor/lib/hw/camera.qcom.so
chcon u:object_r:vendor_file:s0 /vendor/lib64/hw/camera.qcom.so
```
I executed the commands you provided, and after restarting the phone, a green indicator dot appeared in the top right corner when I opened the camera. However, the camera screen itself is still black.
Today is our country's annual Mid-Autumn Festival, and I would like to extend my heartfelt greetings to you. I wish you good health and a happy family. Once again, thank you for your guidance over these past few days. Thank you.
Mind sharing some logs so I can see if there's any specific error in the background? I'm currently adding the necessary code to integrate the fix in the Enhancer module (https://github.com/BlackMesa123/KnoxPatch/commit/37c77b69d6cc3cec79261dfb04a588ab46aba4be), but it still needs to handle devices with the `ro.boot.verifiedbootstate` prop check. Wanna make sure the prop rename patch works well on those devices.
It's always a pleasure! I willingly reciprocate your good wishes.
It's my honor to help advance this matter. Please instruct me on how to obtain the logs you need.
Download adb (platform-tools) and use logcat to obtain logs. Start the command (e.g. `adb logcat > logs`), trigger the bug then interrupt the command (CTRL+C).
Please find the attached log files for troubleshooting. Thank you. logs.zip
Wanna make sure it's an issue in the HAL specific for your variant. I've uploaded here the stock camera HAL/firmware from the international Z Fold 3 firmware which from what I saw online has no camera restrictions. Mind giving it a try? As always make sure the files are copied correctly (checking the checksum would be better) and that they match the same permissions/secontext as the stock vendor files.
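The checks asked for in this thread (file is not 0 bytes, permissions 644, secontext `u:object_r:vendor_file:s0`, matching checksum), collected into one function as an added example; it is not code from KnoxPatch or from any commenter. The function name and the choice of SHA-256 are assumptions, and it needs a Python interpreter on the device (for instance in Termux, run as root).

```python
import hashlib
import os
import stat


def check_replaced_lib(path, expected_sha256, expected_mode=0o644,
                       expected_context="u:object_r:vendor_file:s0"):
    """Return a list of problems with a replaced library file (empty = OK)."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]

    problems = []
    if st.st_size == 0:
        problems.append("file is 0 bytes (copy failed)")

    # Permission bits only, without the file-type bits.
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        problems.append(f"mode is {mode:o}, expected {expected_mode:o}")

    # The SELinux label shown by `ls -lZ` is stored in the security.selinux
    # extended attribute, usually with a trailing NUL byte.
    try:
        raw = os.getxattr(path, "security.selinux")
        context = raw.rstrip(b"\x00").decode("ascii", "replace")
    except (OSError, AttributeError):
        context = None  # unlabeled file, or platform without xattr support
    if context != expected_context:
        problems.append(f"secontext is {context}, expected {expected_context}")

    # Compare against the checksum of the file as it was downloaded.
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    if digest != expected_sha256.lower():
        problems.append("sha256 does not match the reference file")

    return problems


if __name__ == "__main__":
    import sys

    # Usage: python check_lib.py <path> <sha256 of the reference file>
    for line in check_replaced_lib(sys.argv[1], sys.argv[2]) or ["OK"]:
        print(line)
```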
After replacing and restarting the phone, a green indicator dot appears in the top right corner when I open the camera. However, the camera screen itself is still black.
I've double-checked the related file permissions/secontext, but I didn't find any omissions.
I've regenerated the log files in the hope that they can be of assistance. Thanks! logs_2227.zip
Hello, sir. I hope this message finds you well. While reviewing the log (logs_2227.log), I encountered an issue on line 214,502 involving 'tombstone_17' attempting to access 'u:object_r:bootloader_prop:s0.' Unfortunately, when I attempted to open this file, it appeared as garbled text. Is there a way to view its contents? I apologize for any inconvenience, and your assistance would be greatly appreciated. ASI.zip
I'm a Samsung Z Fold 3 (SM-F926N) user and I'm also currently having camera issues after lifting the BL restriction.
After reflashing the official ROM you can relock the BL and fix the camera problem, but I want to use root, so sad~
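Huh? You're Chinese? I'm using the Korean version of the Fold 3; it's already my backup phone now, so I rooted it, and as a result I can't use the camera.
Yes, I'm using the Hong Kong version of the Z Fold 3, and it's also a backup phone now, but I haven't given up on fixing the camera being unusable after the BL unlock. The ideas the developer of this project gave me all seem feasible, but it's hard for me to keep going on my own, and when I contacted the developer again he no longer replied. T_T
1. Modify the ROM package so that ro.boot.verifiedbootstate=GREEN is loaded at boot. This needs a lot of study; it's in progress, but I don't think there will be a result without 1-2 months of learning.
2. Modify the .so file so that it checks a different parameter when the camera starts. This is the most likely to work, but I need the developer's guidance; I've never done this, and doing it alone is like looking for a needle in a haystack.
3. Use the new KnoxPatch patch. Testing now; there will be a result today.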
Did you get a result?
I tried the third approach; it didn't work.
Hello, BOSS. Just as you previously fixed the case, you replaced the 'ro.boot.flash.locked' keyword in the Galaxy A52s 5G device's .so file to achieve the fix.
May I kindly inquire how you determined that your device's .so file was fetching the 'ro.boot.flash.locked' keyword?
I attempted to modify the 'customize.sh' file, but encountered a failure upon application. customize.zip
> May I kindly inquire how you determined that your device's .so file was fetching the 'ro.boot.flash.locked' keyword?

This was actually found by @DavidArsene, but you can clearly see how the check happens if you disassemble the lib:

> I attempted to modify the 'customize.sh' file, but encountered a failure upon application. customize.zip

`ro.boot.product.vendor.sku` is one byte longer than `ro.boot.verifiedbootstate`, your new prop must have the same exact length as the old one (or shorter by replacing the missing chars with `\x00`). You also forgot to apply 77bcca884b00ad86fe28521f5976e4c967e9284d.
In reference to the discussion in commit https://github.com/BlackMesa123/KnoxPatch/commit/77bcca884b00ad86fe28521f5976e4c967e9284d, I changed 's/ro.boot.verifiedbootstate/ro.com.android.mobiledata/g' to ensure that 'ro.boot.verifiedbootstate' and 'ro.com.android.mobiledata' have the same length, and 'green' matches 'false' in length. However, the test results still show a black screen. log_customize.sh.zip
Is it possible that there are additional conditional checks within 'camera.qcom.so' that we haven't identified yet? Could you please provide guidance on how to discover them, or even a general area to look into? I'm willing to try them one by one. Thank you!
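> I tried the third approach; it didn't work.

How about submitting it to ChatGPT to take a look?
As far as I know, ChatGPT doesn't support modifying binary files yet.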
Hello, sir. With my very limited reverse engineering skills, I've only found the following section of code related to 'bootstate':
Within this snippet, I believe that the code highlighted in red is critical for determining whether the phone's bootloader is unlocked.
Could you please confirm if my understanding is correct? If there are any mistakes, I'd greatly appreciate your guidance. Thank you very much!
I took the initiative to modify your 'customize.sh' based on the ideas mentioned above, but when I open the camera, it crashes. Did I miss something in my changes? customize.zip
You are trying to replace pseudo code in a binary.
The v385 you focus on is just a flag whether `ro.boot.verifiedbootstate` is `orange`, which can be ignored if you replaced property name properly.
As the content in https://github.com/BlackMesa123/KnoxPatch/issues/53#issuecomment-1760982927, we've correctly replaced the property name, but the camera is still showing a black screen. It appears that there is another check mechanism in place. Could you please guide me on how to locate it?
I have no idea, but you can try to read logcat for more information about what CamX is thinking.
Log.zip
After comparing these two logs, I suspect that there's another monitoring mechanism in 'camxhal3module.cpp.' However, it's strange because the error message clearly mentions this file in the logs, but I can't seem to locate it on the phone.
20231013.log => unlocked bootloader and root
nullroot1005_2.log => locked bootloader and unroot
Dear ALL, Could you please help me see if there's any possibility in the following two directions?
1. Continue attempting to modify the 'camera.qcom.so' file to bypass the BL check of the camera application. Based on the modifications made in the last month, I have reason to suspect that Samsung has added BL checks not only in 'camera.qcom.so'. Another detection mechanism may be in 'camxhal3module.cpp', but I can't find this file on the phone.
2. Try flashing the European version of the F926B firmware. There are forum posts on XDA indicating that in the European F926B version, the camera can be used. However, my phone is the Hong Kong version: F9260, and after BL unlocking, it disables the camera. But I'm not sure if this could potentially damage the hardware. I'd like to ask for your advice on this.
@BlackMesa123, do you think this issue is beyond the scope of the KnoxPatch application? If so, I'll close this case. Thank you for your guidance and assistance during this time!
> 1. Continue attempting to modify the 'camera.qcom.so' file to bypass the BL check of the camera application. Based on the modifications made in the last month, I have reason to suspect that Samsung has added BL checks not only in 'camera.qcom.so'. Another detection mechanism may be in 'camxhal3module.cpp', but I can't find this file on the phone.

I'm pretty sure you saw this in the logs:
```
10-13 14:23:13.893 1313 1313 I CamX : [CORE_CFG][HAL ] camxhal3module.cpp:506 HAL3Module() ***************************************************
10-13 14:23:13.893 1313 1313 I CamX : [CORE_CFG][HAL ] camxhal3module.cpp:507 HAL3Module() SHA1:
10-13 14:23:13.893 1313 1313 I CamX : [CORE_CFG][HAL ] camxhal3module.cpp:508 HAL3Module() COMMITID:
10-13 14:23:13.895 1313 1313 I CamX : [CORE_CFG][HAL ] camxhal3module.cpp:509 HAL3Module() BUILD TS: 8/11/2023 14:28:25
10-13 14:23:13.895 1313 1313 I CamX : [CORE_CFG][HAL ] camxhal3module.cpp:510 HAL3Module() ***************************************************
```
You can't find this file simply because it doesn't exist. The original file is part of the source code of the `camera.qcom.so` binary, and is mentioned (alongside the line of code) as extra debug info for developers, but as I already explained the camera HAL code is private and only Qualcomm/Samsung owns it.

> 2. Try flashing the European version of the F926B firmware. There are forum posts on XDA indicating that in the European F926B version, the camera can be used. However, my phone is the Hong Kong version: F9260, and after BL unlocking, it disables the camera. But I'm not sure if this could potentially damage the hardware. I'd like to ask for your advice on this.

I've already sent you the F926B camera files in https://github.com/BlackMesa123/KnoxPatch/issues/53#issuecomment-1741761485, those are the only different files/binaries that differ from the international firmware and the Korean one. You could also try flashing the F926B super.img firmware and see if camera works fine rather than manually replacing the camera files just in case.

> @BlackMesa123, do you think this issue is beyond the scope of the KnoxPatch application? If so, I'll close this case. Thank you for your guidance and assistance during this time!

camera-fix branch already has the camera fix patch for A52s (`ro.boot.flash.locked` case) implemented in the Enhancer Magisk module, as soon as someone figures out a way to patch your device's camera HAL as well (since you reported replacing the prop isn't enough) I'll be happy to include the complete fix in the next release.
> Another detection mechanism may be in 'camxhal3module.cpp', but I can't find this file on the phone.

`camxhal3module.cpp` is one of the source files of `camera.qcom.so`, you can continue to inspect `camera.qcom.so`.

> Try flashing the European version of the F926B firmware.

According to XDA thread, you may not get the camera back to work even using F926B firmware.

> nullroot1005_2.log => locked bootloader and unroot

BTW, where's `nullroot1005_2.log`? I'm trying to compare them but you didn't publish it.

All in all, thanks for your support of Samsung, buy a Pixel fold next time.
I'm sorry, I missed the upload. Please see https://github.com/BlackMesa123/KnoxPatch/issues/53#issuecomment-1770147870
Looking at the new Actions the author has pushed, it seems the camera black-screen problem has already been solved.

https://github.com/BlackMesa123/KnoxPatch/issues/53#issuecomment-1776680946:

> camera-fix branch already has the camera fix patch for A52s (`ro.boot.flash.locked` case) implemented in the Enhancer Magisk module, as soon as someone figures out a way to patch your device's camera HAL as well (since you reported replacing the prop isn't enough) I'll be happy to include the complete fix in the next release.
Can you please add support for the Samsung device's active cameras functionality after BootLoader? I greatly appreciate it. I can assist with testing and provide logs.
My device model: Samsung Z Fold3 5G ROM: AP_F9260ZCU4GWH5_F9260ZCU4GWH5_MQB69290723_REV00_user_low_ship_MULTI_CERT_meta_OS13.tar CSC_CHC_F9260CHC4GWH5_MQB69290723_REV00_user_low_ship_MULTI_CERT.tar
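Could you add support for Z Fold devices so that the camera can be opened normally after BootLoader? Thank you very much; I can help with testing and providing logs.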