mirror/safetynet-fix
1
0
Fork 0
mirror of https://github.com/kdrag0n/safetynet-fix.git synced 2024-07-03 03:29:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

zygisk: Initial module implementation

Browse Source 
- Ported from Riru implementation
- Limited Java payload to com.google.android.gms.unstable as a fix for
  issues caused by model misdetection and flag provisioning
- Root companion process to serve classes.dex over socket
- Forces DenyList unmounting to pass basicIntegrity
This commit is contained in:
Danny Lin 2021-10-30 17:46:59 -07:00
parent 168abee7bc
commit fc5937bec0
No known key found for this signature in database
GPG Key ID: 1988FAA1797EE5AC
4 changed files with 187 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
zygisk/module/jni/Android.mk
View File

@ -1,8 +1,8 @@
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE := example
LOCAL_SRC_FILES := example.cpp
LOCAL_MODULE := safetynetfix
LOCAL_SRC_FILES := module.cpp
LOCAL_STATIC_LIBRARIES := libcxx
LOCAL_LDLIBS := -llog
include $(BUILD_SHARED_LIBRARY)

58
zygisk/module/jni/example.cpp
View File

@ -1,58 +0,0 @@
#include <cstdlib>
#include <unistd.h>
#include <fcntl.h>
#include <android/log.h>
#include "zygisk.hpp"
using zygisk::Api;
using zygisk::AppSpecializeArgs;
using zygisk::ServerSpecializeArgs;
#define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, "Magisk", __VA_ARGS__)
class MyModule : public zygisk::ModuleBase {
public:
void onLoad(Api *api, JNIEnv *env) override {
this->api = api;
this->env = env;
}
void preAppSpecialize(AppSpecializeArgs *args) override {
// Use JNI to fetch our process name
const char *process = env->GetStringUTFChars(args->nice_name, nullptr);
preSpecialize(process);
env->ReleaseStringUTFChars(args->nice_name, process);
}
void preServerSpecialize(ServerSpecializeArgs *args) override {
preSpecialize("system_server");
}
private:
Api *api;
JNIEnv *env;
void preSpecialize(const char *process) {
// Demonstrate connecting to to companion process
// We ask the companion for a random number
int r = 0;
int fd = api->connectCompanion();
read(fd, &r, sizeof(r));
close(fd);
LOGD("example: process=[%s], r=[%u]\n", process, r);
}
};
static void companion_handler(int i) {
int fd = open("/dev/urandom", O_RDONLY);
int r;
read(fd, &r, sizeof(r));
close(fd);
LOGD("example: companion r=[%u]\n", r);
write(i, &r, sizeof(r));
}
REGISTER_ZYGISK_MODULE(MyModule)
REGISTER_ZYGISK_COMPANION(companion_handler)

168
zygisk/module/jni/module.cpp Normal file
View File

@ -0,0 +1,168 @@
#include <cstdlib>
#include <string>
#include <vector>
#include <unistd.h>
#include <fcntl.h>
#include <sys/sendfile.h>
#include <android/log.h>
#include "zygisk.hpp"
#include "module.h"
namespace safetynetfix {
class SafetyNetFixModule : public zygisk::ModuleBase {
public:
void onLoad(zygisk::Api *api, JNIEnv *env) override {
this->api = api;
this->env = env;
}
void preAppSpecialize(zygisk::AppSpecializeArgs *args) override {
const char *rawProcess = env->GetStringUTFChars(args->nice_name, nullptr);
std::string process(rawProcess);
env->ReleaseStringUTFChars(args->nice_name, rawProcess);
preSpecialize(process);
}
private:
zygisk::Api *api;
JNIEnv *env;
std::vector<char> moduleDex;
static int receiveFile(int remote_fd, std::vector<char>& buf) {
off_t size;
int ret = read(remote_fd, &size, sizeof(size));
if (ret < 0) {
LOGE("Failed to read size");
return -1;
}
buf.resize(size);
int bytesReceived = 0;
while (bytesReceived < size) {
ret = read(remote_fd, buf.data() + bytesReceived, size - bytesReceived);
if (ret < 0) {
LOGE("Failed to read data");
return -1;
}
bytesReceived += ret;
}
return bytesReceived;
}
void loadPayload() {
int fd = api->connectCompanion();
auto size = receiveFile(fd, moduleDex);
LOGD("Loaded module payload: %d bytes", size);
close(fd);
}
void preSpecialize(std::string process) {
// Only take action for GMS, otherwise unload
if (process.rfind("com.google.android.gms", 0) != 0) {
// If this isn't GMS, bail out and unload.
api->setOption(zygisk::DLCLOSE_MODULE_LIBRARY);
return;
}
// Force DenyList unmounting for all GMS processes
api->setOption(zygisk::FORCE_DENYLIST_UNMOUNT);
// The unstable process is where SafetyNet attestation actually runs, so we only need to
// spoof the model in that process. Leaving other processes alone fixes various issues
// caused by model detection and flag provisioning, such as broken weather with the new
// smartspace on Android 12.
if (process == "com.google.android.gms.unstable") {
// This is post-fork, so just inject the payload now
loadPayload();
injectPayload();
LOGI("Payload injected");
}
}
void injectPayload() {
// First, get the system classloader
LOGD("get system classloader");
jclass clClass = env->FindClass("java/lang/ClassLoader");
jmethodID getSystemClassLoader = env->GetStaticMethodID(clClass, "getSystemClassLoader",
"()Ljava/lang/ClassLoader;");
jobject systemClassLoader = env->CallStaticObjectMethod(clClass, getSystemClassLoader);
// Assuming we have a valid mapped module, load it. This is similar to the approach used for
// Dynamite modules in GmsCompat, except we can use InMemoryDexClassLoader directly instead of
// tampering with DelegateLastClassLoader's DexPathList.
LOGD("create buffer");
jobject buf = env->NewDirectByteBuffer(moduleDex.data(), moduleDex.size());
LOGD("create class loader");
jclass dexClClass = env->FindClass("dalvik/system/InMemoryDexClassLoader");
jmethodID dexClInit = env->GetMethodID(dexClClass, "<init>",
"(Ljava/nio/ByteBuffer;Ljava/lang/ClassLoader;)V");
jobject dexCl = env->NewObject(dexClClass, dexClInit, buf, systemClassLoader);
// Load the class
LOGD("load class");
jmethodID loadClass = env->GetMethodID(clClass, "loadClass",
"(Ljava/lang/String;)Ljava/lang/Class;");
jstring entryClassName = env->NewStringUTF("dev.kdrag0n.safetynetriru.EntryPoint");
jobject entryClassObj = env->CallObjectMethod(dexCl, loadClass, entryClassName);
// Call init. Static initializers don't run when merely calling loadClass from JNI.
LOGD("call init");
auto entryClass = (jclass) entryClassObj;
jmethodID entryInit = env->GetStaticMethodID(entryClass, "init", "()V");
env->CallStaticVoidMethod(entryClass, entryInit);
}
};
static off_t sendFile(int remote_fd, const std::string& path) {
int in_fd = open(path.c_str(), O_RDONLY);
if (in_fd < 0) {
LOGE("Failed to open file %s: %d (%s)", path.c_str(), errno, strerror(errno));
return -1;
}
auto size = lseek(in_fd, 0, SEEK_END);
if (size < 0) {
LOGERRNO("Failed to get file size");
close(in_fd);
return -1;
}
lseek(in_fd, 0, SEEK_SET);
// Send size first for buffer allocation
int ret = write(remote_fd, &size, sizeof(size));
if (ret < 0) {
LOGERRNO("Failed to send size");
close(in_fd);
return -1;
}
ret = sendfile(remote_fd, in_fd, nullptr, size);
if (ret < 0) {
LOGERRNO("Failed to send data");
close(in_fd);
return -1;
}
close(in_fd);
return size;
}
static void companionHandler(int remote_fd) {
// Serve module dex
auto size = sendFile(remote_fd, "/data/adb/modules/safetynet-fix/classes.dex");
LOGD("Sent module payload: %ld bytes", size);
}
}
REGISTER_ZYGISK_COMPANION(safetynetfix::companionHandler)
REGISTER_ZYGISK_MODULE(safetynetfix::SafetyNetFixModule)

17
zygisk/module/jni/module.h Normal file
View File

@ -0,0 +1,17 @@
#pragma once
namespace safetynetfix {
static constexpr auto TAG = "SafetyNetFix/JNI";
#ifdef NDEBUG
#define LOGD(...)
#else
#define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, TAG, __VA_ARGS__)
#endif
#define LOGI(...) __android_log_print(ANDROID_LOG_INFO, TAG, __VA_ARGS__)
#define LOGE(...) __android_log_print(ANDROID_LOG_ERROR, TAG, __VA_ARGS__)
#define LOGERRNO(...) __android_log_print(ANDROID_LOG_ERROR, TAG, __VA_ARGS__ ": %d (%s)", errno, strerror(errno))
}