#!/sbin/sh ########################################################################################## # # NanoDroid Patcher (Haystack Frontend) # by Nanolx # ########################################################################################## VERSION=23.2.99999999 MAGISKBASE=/data/adb MODID=NanoDroid_Patcher TMPDIR=/dev/tmp/install PATCHER_ADDOND_DATA=/system/addon.d/nanodroid_patcher ########################################################################################## # Generic Functions ########################################################################################## show_banner () { ui_print " " ui_print "********************************" ui_print " NanoDroid " ui_print " Framework Patcher " ui_print " Powered by DexPatcher " ui_print " ${VERSION} " ui_print "********************************" ui_print " " } ui_print() { ${BOOTMODE} && echo "${1}" || \ echo -e "ui_print ${1}\nui_print" >> /proc/self/fd/${OUTFD} } is_mounted () { grep -q " $(readlink -f ${1}) " /proc/mounts 2>/dev/null return $? } # taken from Magisk, with modifications for NanoDroid mount_apex_loop () { local number=0 local minorx=1 local loop [ -e /dev/block/loop1 ] && minorx=$(stat -Lc '%T' /dev/block/loop1) apex_mount="${1}" while [ ${number} -lt 64 ]; do loop=/dev/block/loop${number} [ -e ${loop} ] || mknod ${loop} b 7 $((number * minorx)) if losetup "${loop}" /apex/apex_payload.img 2>/dev/null; then if mount -text4 -oro,noatime "${loop}" "${apex_mount}"; then rm -f /apex/apex_payload.img break fi fi number=$((number + 1)) done } # taken from Magisk, with modifications for NanoDroid mount_apex () { mkdir -p /apex APEX_LD="" for apex in /system/apex/*; do apex_mount="/apex/$(basename ${apex} .apex)" apex_loop="/dev/loop_apex_$(basename ${apex} .apex)" [ "${apex_mount}" == /apex/com.android.runtime.release ] && apex_mount=/apex/com.android.runtime [ "${apex_mount}" == /apex/com.android.runtime.debug ] && apex_mount=/apex/com.android.runtime [ "${apex_mount}" == /apex/com.android.art.release ] && apex_mount=/apex/com.android.art [ "${apex_mount}" == /apex/com.android.art.debug ] && apex_mount=/apex/com.android.art APEX_LD="${apex_mount}/lib:${APEX_LD}" APEX_LD_64="${apex_mount}/lib64:${APEX_LD_64}" mkdir -p "${apex_mount}" if [ -f "${apex}" ]; then unzip -oq "${apex}" apex_payload.img -d /apex mount_apex_loop "${apex_mount}" || error "APEX loop setup failed!" elif [ -d "${apex}" ]; then mount -o bind "${apex}" "${apex_mount}" fi done echo " INFO: #10 [APEX [ALL]] $(ls /system/apex/*)" } # taken from Magisk, with minor modifications for NanoDroid toupper() { echo "$@" | tr '[:lower:]' '[:upper:]' } find_block () { local block tmp partname devname device block=${1}${SLOT} device=$(find /dev/block \( -type b -o -type c -o -type l \) -name ${block} | head -n 1) if [ ! -z ${device} ]; then readlink -f ${device} return 0 fi for uevent in /sys/dev/block/*/uevent; do partname=$(awk -F= '/PARTNAME/{print $2}' ${uevent}) devname=$(awk -F= '/DEVNAME/{print $2}' ${uevent}) if [ "$(toupper ${block})" = "$(toupper ${partname})" ]; then echo /dev/block/${devname} return 0 fi done device=$(find /dev \( -type b -o -type c -o -type l \) -maxdepth 1 -iname ${block} | head -n 1) if [ ! -z ${device} ]; then readlink -f ${device} return 0 fi return 1 } mount_partitions () { if ! ${BOOTMODE}; then VENDOR_COMPAT=FALSE SYSTEM_AS_ROOT=FALSE SLOT=$(grep_cmdline androidboot.slot_suffix) if [ -z ${SLOT} ]; then SLOT=$(grep_cmdline androidboot.slot) [ -z ${SLOT} ] || SLOT=_${SLOT} fi [ -z ${SLOT} ] && DEVICE_AB=FALSE || DEVICE_AB=TRUE echo " INFO: #1 [SLOT] ${SLOT}" is_mounted /data || mount /data || echo "failed to mount /data!" mount -o bind /dev/urandom /dev/random SYSTEM_BLOCK=$(find_block system) echo " INFO: #5 [SYSTEM_BLOCK] ${SYSTEM_BLOCK}" if is_mounted /system_root; then umount /system 2&>/dev/null umount /system_root 2&>/dev/null fi mkdir -p /system /system_root mount -o rw ${SYSTEM_BLOCK} /system if [ -f /system/build.prop ]; then SYSTEM=/system elif [ -f /system/system/build.prop -o -f /system/init -o -L /system/init ]; then SYSTEM_AS_ROOT=true SYSTEM=/system/system if ! mount --move /system /system_root; then umount /system umount -l /system mount -o rw ${SYSTEM_BLOCK} /system_root fi mount -o bind /system_root/system /system fi VENDOR_BLOCK=$(find_block vendor) echo " INFO: #7 [VENDOR_BLOCK] ${VENDOR_BLOCK}" ! is_mounted /vendor && mount -o ro /vendor ! is_mounted /vendor && mount -o ro ${VENDOR_BLOCK} /vendor if [[ ! $(is_mounted /vendor) && -d /system/vendor ]]; then ### XXX work-around required for some devices VENDOR_COMPAT=TRUE ln -sf /system/vendor /vendor >/dev/null fi echo " " mount | sed -e '/magisk/d' | awk '{print $1 " on " $3 " params: " $6}' echo " " echo " INFO: #8 [prop]" ls -l /system/*.prop [ -d /system/apex ] && mount_apex fi [ ! -f /system/build.prop ] && error "failed to mount /system (unsupported A/B device?)" if [ -d /apex/com.android.art ]; then export ANDROID_ART_ROOT=/apex/com.android.art export ANDROID_RUNTIME_ROOT=${ANDROID_ART_ROOT} elif [ -d /apex/com.android.runtime ]; then export ANDROID_RUNTIME_ROOT=/apex/com.android.runtime fi export ANDROID_TZDATA_ROOT=/apex/com.android.tzdata export ANDROID_I18N_ROOT=/apex/com.android.i18n } umount_partitions () { umount -l /system_root 2>/dev/null umount -l /system 2>/dev/null umount -l /vendor 2>/dev/null umount -l /dev/random 2>/dev/null mount | awk '/ \/apex/{print $1 " " $3}' | while read apex_loop apex_mount; do umount -l "${apex_mount}" 2>/dev/null losetup -d "${apex_loop}" 2>/dev/null done unset ANDROID_RUNTIME_ROOT unset ANDROID_ART_ROOT unset ANDROID_TZDATA_ROOT unset BOOTCLASSPATH rm -rf /apex } error () { ui_print " " ui_print " !! ${@}" ui_print " " ${BOOTMODE} || umount_partitions exit 1 } set_perm () { chown ${2}:${3} ${1} || error "failed change owner for ${1}" chmod ${4} ${1} || error "failed to change mode for ${1}" if [ -n "${5}" ]; then chcon ${5} ${1} 2>/dev/null else chcon 'u:object_r:system_file:s0' ${1} 2>/dev/null fi } set_perm_recursive() { find ${1} -type d 2>/dev/null | while read dir; do set_perm ${dir} ${2} ${3} ${4} ${6} done find ${1} -type f 2>/dev/null | while read file; do set_perm ${file} ${2} ${3} ${5} ${6} done } set_perm_data () { if [ "${1}" = "-r" ]; then echo " perm: data [recursive] {${2}}" set_perm_recursive ${2} 0 0 0755 0644 else echo " perm: data [single] {${1}}" set_perm ${1} 0 0 0644 fi } ########################################################################################## # Device Functions ########################################################################################## detect_outfd () { if [ -z $OUTFD ] || readlink /proc/$$/fd/$OUTFD | grep -q /tmp; then # We will have to manually find out OUTFD for FD in `ls /proc/$$/fd`; do if readlink /proc/$$/fd/$FD | grep -q pipe; then if ps | grep -v grep | grep -q " 3 $FD "; then OUTFD=$FD break fi fi done fi } detect_mode () { MODE=SYSTEM [ -f /data/adb/magisk/util_functions.sh ] && MODE=MAGISK ui_print " > installation mode: ${MODE}" ui_print " " } detect_bootmode () { [ -z $BOOTMODE ] && ps | grep zygote | grep -qv grep && BOOTMODE=true [ -z $BOOTMODE ] && ps -A 2>/dev/null | grep zygote | grep -qv grep && BOOTMODE=true [ -z $BOOTMODE ] && BOOTMODE=false } grep_prop() { sed -n "s/^${1}=//p" /system/build.prop ${2} | head -n 1 } grep_cmdline() { local REGEX="s/^${1}=//p" sed -E 's/ +/\n/g' /proc/cmdline | \ sed -n "${REGEX}" 2>/dev/null } detect_odex () { SERVICES_JAR_DEX=$(unzip -lq /system/framework/services.jar | grep classes.dex) if [ -n "$(find '/system/framework/' -name 'services.vdex')" ]; then ROM_DEX_STATUS=VDEX elif [ -n "$(find '/system/framework/' -name 'services.odex')" ]; then ROM_DEX_STATUS=ODEX else ROM_DEX_STATUS=UNKOWN fi [ "${SERVICES_JAR_DEX}" ] && ROM_DEX_STATUS=DEODEX ui_print " " ui_print " ++" ui_print " ++ services.jar status: ${ROM_DEX_STATUS}" ui_print " ++" [ "${SDK_VERSION}" -gt 27 -a "${ROM_DEX_STATUS}" != "DEODEX" ] && \ error "Android 9 or newer is only supported on de-odexed ROMs currently" } ########################################################################################## # Setup Busybox ########################################################################################## setup_busybox () { case $(uname -m) in arm* | aarch* ) local bb_arch=arm ;; x86* ) local bb_arch=x86 ;; * ) error "arch \"$(uname -m)\" is not supported" esac if [ -f ${TMPDIR}/busybox.${bb_arch} ]; then BUSY=${TMPDIR}/busybox.${bb_arch} else BUSY=${BASEDIR}/busybox.${bb_arch} fi chmod 0755 ${BUSY} rm -rf ${BASEDIR}/busybox mkdir -p ${BASEDIR}/busybox ln -sf ${BUSY} ${BASEDIR}/busybox/busybox ${BUSY} --install -s ${BASEDIR}/busybox/ export PATH="${BASEDIR}/busybox:/system/bin:/system/xbin" } detect_arch () { ABI=$(grep_prop ro.product.cpu.abi | cut -c-3) ABI2=$(grep_prop ro.product.cpu.abi2 | cut -c-3) ABILONG=$(grep_prop ro.product.cpu.abi) ARCH=arm [ "$ABI" = "x86" ] && ARCH=x86 [ "$ABI2" = "x86" ] && ARCH=x86 [ "$ABILONG" = "arm64-v8a" ] && ARCH=arm64 [ "$ABILONG" = "x86_64" ] && ARCH=x86_64 case ${ARCH} in arm | arm64 ) ZIPB=${BASEDIR}/zip.arm FILE=${BASEDIR}/file.arm ;; x86 | x86_64 ) ZIPB=${BASEDIR}/zip.x86 FILE=${BASEDIR}/file.x86 ;; esac V_EX=${BASEDIR}/vdexExtractor.${ARCH} DALVIKVM_ARCH=$("${FILE}" -m "${BASEDIR}/magic.mgc" -L /system/bin/dalvikvm) case ${DALVIKVM_ARCH} in *32-bit* ) export LD_LIBRARY_PATH="/system/lib:/vendor/lib:/system/vendor/lib:/product/lib:/system/product/lib:${APEX_LD}" ;; *64-bit* ) export LD_LIBRARY_PATH="/system/lib64:/vendor/lib64:/system/vendor/lib64:/product/lib64:/system/product/lib64:${APEX_LD_64}" ;; esac if [ -f ${ANDROID_RUNTIME_ROOT}/etc/ld.config.txt ]; then export LD_CONFIG_FILE="${ANDROID_RUNTIME_ROOT}/etc/ld.config.txt" elif [ -f ${ANDROID_RUNTIME_ROOT}/etc/ld.config.${SDK_VERSION}.txt ]; then export LD_CONFIG_FILE="${ANDROID_RUNTIME_ROOT}/etc/ld.config.${SDK_VERSION}.txt" fi unset LD_PRELOAD echo " *** LD_CONFIG_FILE=${LD_CONFIG_FILE}" ui_print " > device architecture: ${ARCH}" } detect_sdk () { SDK_VERSION=$(grep_prop ro.build.version.sdk) [ "${SDK_VERSION}" -gt 30 ] && \ error "Android versions beyond Android 11 are not yet supported" [ "${SDK_VERSION}" -lt 16 ] && \ error "Android versions before Jelly Bean are not supported" if [ "${SDK_VERSION}" -gt 25 ]; then BAKSMALI="${BASEDIR}/baksmali_26.dex" SMALI="${BASEDIR}/smali_26.dex" elif [ "${SDK_VERSION}" -gt 23 ]; then BAKSMALI="${BASEDIR}/baksmali_24.dex" SMALI="${BASEDIR}/smali_24.dex" else BAKSMALI="${BASEDIR}/baksmali_19.dex" SMALI="${BASEDIR}/smali_19.dex" fi if [ "${SDK_VERSION}" -gt 25 ]; then DEXPATCHER="${BASEDIR}/dexpatcher_26.dex" else DEXPATCHER="${BASEDIR}/dexpatcher_19.dex" fi PATCH_CORE="${BASEDIR}/core_services.jar.dex" if [ "${SDK_VERSION}" -lt 24 ]; then ui_print " > Android 4.1 - 6.0 (SDK ${SDK_VERSION}) detected" PATCH_HOOK="${BASEDIR}/hook_4.1-6.0_services.jar.dex" else ui_print " > Android 7.0 - 10.0 (SDK ${SDK_VERSION}) detected" PATCH_HOOK="${BASEDIR}/hook_7.0-10.0_services.jar.dex" fi [ "${SDK_VERSION}" -gt 21 ] && DEX_OPTS="--multi-dex-threaded" } ########################################################################################## # check if ROM has native fake signature spoofing support # origingally by @ale5000 - revised by me ########################################################################################## check_fake_package_signature () { PERMISSION=android.permission.FAKE_PACKAGE_SIGNATURE PERMISSION_OD=$(echo -n "${PERMISSION}" | od -A n -t x1 | tr -d '\n' | sed -e 's/^ //g;s/ /00/g') PATCH_TYPE="" FRAMEWORKRES_PATCH=false SERVICESJAR_PATCH=false mkdir -p ${TMPDIR}/sigcheck # natively patched ROM: only framework-res.apk patched (old) # natively patched ROM: both framework-res.apk and services.jar patched (new) # self patched ROM: only services.jar patched # check framework-res.apk for the patch unzip -oq /system/framework/framework-res.apk -d "${TMPDIR}/sigcheck" \ || error "failed to unpack framework-res.apk" grep -qF "${PERMISSION}" "${TMPDIR}"/sigcheck/AndroidManifest.xml && FRAMEWORKRES_PATCH=true od -A n -t x1 "${TMPDIR}"/sigcheck/AndroidManifest.xml | tr -d ' \n' | grep -qF "${PERMISSION_OD}" && FRAMEWORKRES_PATCH=true # check services.jar for the patch unzip -oq /system/framework/services.jar -d "${TMPDIR}/sigcheck" \ || error "failed to unpack services.jar" grep -qF "${PERMISSION}" "${TMPDIR}"/sigcheck/*.dex && SERVICESJAR_PATCH=true od -A n -t x1 "${TMPDIR}"/sigcheck/*.dex | tr -d ' \n' | grep -qF "${PERMISSION_OD}" && SERVICESJAR_PATCH=true # we don't use this anywhere (except in SysTest log), # but may still come in hand in the future if ${FRAMEWORKRES_PATCH} && ! ${SERVICESJAR_PATCH}; then PATCH_TYPE="native_old" elif ${FRAMEWORKRES_PATCH} && ${SERVICESJAR_PATCH}; then PATCH_TYPE="native_new" elif ! ${FRAMEWORKRES_PATCH} && ${SERVICESJAR_PATCH}; then PATCH_TYPE="self_patched" fi [ -n "${PATCH_TYPE}" ] && return 0 || return 1 } ########################################################################################## # Patcher Functions ########################################################################################## setup_patcher () { ui_print " > preparing environment" rm -rf ${TMPDIR} mkdir -p ${TMPDIR} unzip -oq "${ZIP}" -d ${TMPDIR} || \ error "failed to prepare environment" BASEDIR="${TMPDIR}/dexpatcher" for bin in zip.arm zip.x86 \ vdexExtractor.arm vdexExtractor.x86 \ vdexExtractor.arm64 vdexExtractor.x86_64 \ file.arm file.x86; do chmod 0755 "${BASEDIR}/${bin}" || \ error "failed to prepare environment" done } call_dalvikvm () { if [ -z "${ND_BOOTCLASSPATH}" ]; then DALVIKVM_OPTS="" if ! ${BOOTMODE}; then for jar in /system/framework/*.jar; do ND_BOOTCLASSPATH="${jar}:${ND_BOOTCLASSPATH}" done for jar in /apex/*/javalib/*.jar; do ND_BOOTCLASSPATH="${jar}:${ND_BOOTCLASSPATH}" done export BOOTCLASSPATH=${ND_BOOTCLASSPATH} fi supported_opts=$(/system/bin/dalvikvm --help 2>&1) echo "${supported_opts}" | grep -q "\[no\]image-dex2oat" && DALVIKVM_OPTS="${DALVIKVM_OPTS} -Xnoimage-dex2oat" echo "${supported_opts}" | grep -q "verbose:.*gc" && DALVIKVM_OPTS="${DALVIKVM_OPTS} -verbose:gc" echo "${supported_opts}" | grep -q "verbose:.*jit" && DALVIKVM_OPTS="${DALVIKVM_OPTS} -verbose:jit" echo "${supported_opts}" | grep -q "verbose:.*jni" && DALVIKVM_OPTS="${DALVIKVM_OPTS} -verbose:jni" echo "${supported_opts}" | grep -q "verbose:.*class" && DALVIKVM_OPTS="${DALVIKVM_OPTS} -verbose:class" echo " *** BOOTCLASSPATH=${BOOTCLASSPATH}" echo " *** DALVIKVM_OPTS=${DALVIKVM_OPTS}" fi /system/bin/dalvikvm -Xnoimage-dex2oat ${DALVIKVM_OPTS} "${@}" } deodex_vdex () { ui_print " >> deodexing services.jar [VDEX]" cp /system/framework/oat/${ARCH}/services.vdex \ ${BASEDIR}/services.vdex || \ error "failed to copy services.vdex" ${V_EX} -i ${BASEDIR}/services.vdex \ --ignore-crc-error --debug=4 || \ error "failed to deodex services.vdex" mv ${BASEDIR}/services.apk_classes.dex ${BASEDIR}/classes.dex || \ error "failed to deodex services.vdex" ${ZIPB} -j "${BASEDIR}/services.jar" \ "${BASEDIR}/classes.dex" || \ error "zip failed" } deodex_odex () { ui_print " >> deodexing services.jar [ODEX]" cp "/system/framework/oat/${ARCH}/services.odex" "${BASEDIR}" # baksmali/smali options switches (version dependent) if [ "${SDK_VERSION}" -lt 24 ]; then MAIN=main DEODEX="-x" ASSEMBLE= BOOTCLASSPATH="-c" else MAIN=Main DEODEX="x" ASSEMBLE="a" BOOTCLASSPATH="-b" CLASSPATHDIR="-d" fi ui_print " [1] baksmali services.odex" call_dalvikvm \ -classpath "${BAKSMALI}" \ org.jf.baksmali.${MAIN} \ ${DEODEX} \ ${BOOTCLASSPATH} "/system/framework/${ARCH}/boot.oat" \ ${CLASSPATHDIR} "/system/framework/${ARCH}" \ ${CLASSPATHDIR} "/system/framework" \ -o "${BASEDIR}/services.jar-deodex" \ "${BASEDIR}/services.odex" || \ error "failed to deodex services.jar" ui_print " [2] smali services.odex" call_dalvikvm \ -classpath "${SMALI}" \ org.jf.smali.${MAIN} \ ${ASSEMBLE} \ -o "${BASEDIR}/services.jar-deodex/classes.dex" \ "${BASEDIR}/services.jar-deodex" || \ error "failed to rebuild classes.dex" ${ZIPB} -j "${BASEDIR}/services.jar" \ "${BASEDIR}/services.jar-deodex"/classes*.dex || \ error "zip failed" rm -rf "${BASEDIR}/services.jar-deodex" } patch_services () { ui_print " " ui_print " > patching signature spoofing support" ui_print " " cp /system/framework/services.jar \ ${BASEDIR}/services.jar || \ error "failed to copy services.jar" if [ "${ROM_DEX_STATUS}" = "VDEX" ]; then deodex_vdex elif [ "${ROM_DEX_STATUS}" = "ODEX" ]; then deodex_odex fi mkdir -p "${BASEDIR}/services.jar-mod" PATCHES="${PATCH_HOOK} ${PATCH_CORE}" ui_print " >> patching services.jar" call_dalvikvm \ -classpath "${DEXPATCHER}" \ lanchon.dexpatcher.Main \ ${DEX_OPTS} --api-level "${SDK_VERSION}" \ --verbose --debug \ --output ${BASEDIR}/services.jar-mod \ ${BASEDIR}/services.jar ${PATCHES} || \ error "failed to apply patches" ${ZIPB} -d "${BASEDIR}/services.jar" \ 'classes*.dex' || \ error "zip failed" ${ZIPB} -j "${BASEDIR}/services.jar" \ "${BASEDIR}/services.jar-mod"/classes*.dex || \ error "zip failed" } install_services () { install_path="" ui_print " " if [ "${MODE}" = "MAGISK" ]; then if [ -d "${MAGISKBASE}/modules/${MODID}" ]; then install_path="${MAGISKBASE}/modules_update/${MODID}" else install_path="${MAGISKBASE}/modules/${MODID}" fi fi ui_print " << installing patched files to: ${install_path}" mkdir -p "${install_path}/system/framework" cp ${BASEDIR}/services.jar "${install_path}/system/framework/" \ || error "failed to install services.jar" set_perm_data "${install_path}/system/framework/services.jar" cp "${BASEDIR}/org.spoofing.apk" "${install_path}/system/framework/" set_perm_data "${install_path}/system/framework/org.spoofing.apk" if [ "${MODE}" = "MAGISK" ]; then cp -af "${BASEDIR}/module.prop" "${install_path}" if ${BOOTMODE}; then touch "${MAGISKBASE}/modules/${MODID}/update" 2>/dev/null cp -af "${BASEDIR}/module.prop" "${MAGISKBASE}/${MODID}/module.prop" 2>/dev/null fi fi } ########################################################################################## # addon.d ########################################################################################## install_addond () { ui_print " " ui_print " Installing addon.d restoration setup" rm -rf ${PATCHER_ADDOND_DATA} mkdir -p ${PATCHER_ADDOND_DATA} for file in core_services.jar.dex dexpatcher_19.dex dexpatcher_26.dex \ hook_4.1-6.0_services.jar.dex hook_7.0-10.0_services.jar.dex \ baksmali_19.dex baksmali_24.dex baksmali_26.dex \ smali_19.dex smali_24.dex smali_26.dex \ magic.mgc org.spoofing.apk; do cp "${BASEDIR}/${file}" ${PATCHER_ADDOND_DATA}/ done cp /dev/tmp/CommonPatcher ${PATCHER_ADDOND_DATA}/ for file in ${ZIPB} ${V_EX} ${BUSY} ${FILE}; do cp ${file} ${PATCHER_ADDOND_DATA}/ chmod 0755 ${PATCHER_ADDOND_DATA}/$(basename "${file}") done cp "${BASEDIR}/70-nanodroidpatcher.sh" /system/addon.d/ chmod 0755 /system/addon.d/70-nanodroidpatcher.sh }