
Bash scripts, instructions and Magisk module for patching android system JAR and SO files


AsenOsen/android-framework-jar-patching


What is it?

This is a set of bash scripts and a Magisk module for patching Android system JAR files.

The Magisk module does the following:

  • substitutes the JAR in the /system/framework directory
  • remounts folders under /apex/ as writable (why? see the APEX section)

Why?

Sometimes tools like Frida or Xposed/LSPosed get detected by the app under research, so we need less common techniques to bypass the detection. One such technique is patching the system libraries themselves (.jar and .so files) so that our code executes as soon as the app loads them into memory.

How to use this repo?

  1. Download the latest apktool.jar and put it in this folder
  2. Choose the JAR file you want to modify from /system/framework on your Android device
  3. Pull the JAR from the device (via ADB) and put it in this folder
  4. Modify the variables in the *.sh files according to the comments at the top of each file
  5. Run ./jar_to_smali.sh; afterwards you will get a your-jar-file.jar.smali folder
  6. Modify the SMALI files in your-jar-file.jar.smali as you wish
  7. Run smali_to_jar.sh to build a JAR from the updated SMALI files (the updated JAR will be located in magisk_module/system/framework/)
  8. Build the Magisk module that replaces the original JAR in /system/framework: ./build_magisk_module.sh
  9. Push the built Magisk module (jarpatcher.zip) to the device (via ADB) and install the ZIP via Magisk on the device
  10. Enjoy the modified JAR!
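
Step 6 is the part the scripts cannot do for you. The helper below is an added example (not one of this repo's scripts) of the most common edit: inserting a static hook call at the start of a chosen method, after its .locals/.registers line, so it runs before any original instruction. The hook target Lcom/example/Hook;->onToString()V is hypothetical; you have to compile such a class into the same JAR (or another library on the boot classpath) yourself. A static no-arg void call uses no registers, so .locals does not need to be increased. The smali fragment in demo() is constructed for illustration, not taken from a real core-oj.jar.

```bash
#!/usr/bin/env bash
# inject_smali_hook.sh -- insert a static hook call at the start of a smali method.
# Added example for the "modify SMALI files as you wish" step; not part of the repo.
set -eu

# inject_smali_hook FILE METHOD_SIGNATURE HOOK_CALL
#   FILE              smali file, patched in place
#   METHOD_SIGNATURE  the method name + descriptor as it appears at the end of the
#                     .method line, e.g. 'toString()Ljava/lang/String;'
#   HOOK_CALL         invoke-static target, e.g. 'Lcom/example/Hook;->onToString()V'
# The call is emitted right after the .locals/.registers line of the matching
# method (once per method), i.e. before the first original instruction.
inject_smali_hook() {
  local file=$1 sig=$2 hook=$3 tmp
  tmp=$(mktemp)
  awk -v sig="$sig" -v hook="$hook" '
    # ".method public toString()Ljava/lang/String;" -> last field is the signature
    /^\.method / {
      n = split($0, f, " ")
      in_target = (f[n] == sig)
    }
    { print }
    in_target && /^[[:space:]]*\.(locals|registers) / {
      print "    invoke-static {}, " hook
      in_target = 0
    }
    /^\.end method/ { in_target = 0 }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# count_hooks FILE HOOK_CALL -> how many hook calls are present; check it is what
# you expect before running smali_to_jar.sh.
count_hooks() {
  grep -cF -- "invoke-static {}, $2" "$1" || true
}

# Demo on a constructed smali fragment (hypothetical Lcom/example/Hook; class).
demo() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
.class public final Ljava/net/URL;
.super Ljava/lang/Object;

.method public constructor <init>(Ljava/lang/String;)V
    .locals 2
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
    return-void
.end method

.method public toString()Ljava/lang/String;
    .locals 1
    iget-object v0, p0, Ljava/net/URL;->spec:Ljava/lang/String;
    return-object v0
.end method
EOF
  inject_smali_hook "$f" 'toString()Ljava/lang/String;' 'Lcom/example/Hook;->onToString()V'
  count_hooks "$f" 'Lcom/example/Hook;->onToString()V'   # only toString() is hooked
  rm -f "$f"
}
```

Run it as `inject_smali_hook your-jar-file.jar.smali/java/net/URL.smali 'toString()Ljava/lang/String;' 'Lcom/example/Hook;->onToString()V'`, then `count_hooks` on the same file to confirm exactly one insertion before rebuilding. If your hook takes arguments you must pass registers in the braces and raise .locals accordingly, which this helper deliberately does not do.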

APEX

Why we need APEX at all?

Well, since Android 10 most of the interesting JARs are distributed in APEX format: an .img containing .jar and .so libraries. The best explanation of the APEX format can be found here. Since we want to be able to modify all system libraries, we also have to be able to modify the libraries shipped inside APEXes.

For example, the default Java classes such as java.lang.String or java.net.URL are provided to all Android apps via the /apex/com.android.art/javalib/core-oj.jar library.

Native utility for interacting with APEX: apexd

We can interact with APEXes manually via the apexd binary, which is available on every modern Android (a root shell is required for all of the steps below):

  1. stop (stops zygote and all apps, which are the users of files under /apex/*)
  2. apexd --unmount-all (unmounts all APEX folders)
  3. apexd --otachroot-bootstrap (mounts all APEXes back)
  4. start (starts zygote and user space again)

How this project can help?

By default, the Magisk module from this project contains a service.sh which remounts some of the most interesting APEXes as writable after the file system has been initialized. This lets you substitute JARs and SOs at runtime like this:

  1. stop (stops zygote and all apps, which are the users of files under /apex/*)
  2. cp /sdcard/patched-core-oj.jar /apex/com.android.art/javalib/core-oj.jar
  3. start (starts zygote and user space again)

After the system starts again, the patched version of core-oj.jar will be loaded into all apps.

If you need extra APEXes, modify service.sh (follow the comments).
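
The three-step swap above has no safety net: if the copy fails half-way or the patched JAR bootloops, the original is gone from the (remounted, in-memory) mount. The script below is an added example, not the repo's service.sh, of the same procedure with the checks a practitioner wants: it refuses to write to a mount that service.sh has not remounted, keeps a .orig copy next to the target, verifies the copy, and offers a restore. On the device it runs as root in `adb shell` with the defaults (/apex, stop, start); APEX_ROOT, STOP_CMD and START_CMD are overridable so the logic can be exercised on an ordinary directory off-device.

```bash
#!/usr/bin/env bash
# apex_swap.sh -- replace a library inside an already-remounted APEX, with backup.
# Added example (not part of this repo). Root shell on the device is assumed.
set -eu

APEX_ROOT=${APEX_ROOT:-/apex}
STOP_CMD=${STOP_CMD:-stop}     # `stop` halts zygote and every app using /apex/*
START_CMD=${START_CMD:-start}

# apex_swap APEX_NAME REL_PATH NEW_FILE
#   e.g. apex_swap com.android.art javalib/core-oj.jar /sdcard/patched-core-oj.jar
apex_swap() {
  local apex=$1 rel=$2 new=$3
  local dir="$APEX_ROOT/$apex" target="$APEX_ROOT/$apex/$rel"
  [ -f "$new" ]    || { echo "patched file not found: $new" >&2; return 1; }
  [ -f "$target" ] || { echo "target not present in APEX: $target" >&2; return 1; }

  # Writability probe: APEX images are mounted read-only unless service.sh
  # remounted this one. Failing here is better than failing after `stop`.
  local probe="$dir/.rw_probe.$$"
  if ! ( : > "$probe" ) 2>/dev/null; then
    echo "$dir is read-only; add it to service.sh and reboot first" >&2
    return 1
  fi
  rm -f "$probe"

  $STOP_CMD
  # Keep only the first original; repeated swaps must not overwrite the backup.
  [ -f "$target.orig" ] || cp -p "$target" "$target.orig"
  cp "$new" "$target"
  chmod 644 "$target"   # zygote and apps only need to read it
  if ! cmp -s "$new" "$target"; then
    cp "$target.orig" "$target"
    $START_CMD
    echo "copy verification failed, original restored" >&2
    return 1
  fi
  $START_CMD
}

# apex_restore APEX_NAME REL_PATH -- put the .orig copy back and drop the backup.
apex_restore() {
  local target="$APEX_ROOT/$1/$2"
  [ -f "$target.orig" ] || { echo "no backup for $target" >&2; return 1; }
  $STOP_CMD
  cp "$target.orig" "$target"
  rm -f "$target.orig"
  $START_CMD
}
```

Note that whatever you copy into /apex this way lives only in the remounted view and does not survive a reboot; the Magisk module is what makes the /system/framework replacement persistent. If the patched JAR bootloops, the recovery procedure at the end of this README still applies.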

Extra advice

  1. Enable Magisk Hide ("Magisk modifications are reverted for processes on the hide list"; in current Magisk versions this feature is called DenyList) and install the PlayIntegrityFix module to stay stealthy.
  2. Add the app under research to the Magisk Hide list

What to do if you get a bootloop after your patching?

  1. Flash TWRP into recovery partition
  2. Boot TWRP
  3. In TWRP go to Advanced -> File Manager
  4. Remove the Magisk module folder /data/adb/modules/jarpatcher
  5. Reboot to system

Additional readings

  1. Magisk module structure guide
  2. APEX format
