├── README.md
├── module
├── .gitignore
├── src
│ └── main
│ │ ├── assets
│ │ ├── META-INF
│ │ │ └── com
│ │ │ │ └── google
│ │ │ │ └── android
│ │ │ │ ├── updater-script
│ │ │ │ └── update-binary
│ │ ├── system
│ │ │ └── product
│ │ │ │ └── fonts
│ │ │ │ └── MiSansVF.ttf
│ │ └── module.prop
│ │ └── AndroidManifest.xml
├── jni
│ ├── Application.mk
│ ├── Android.mk
│ ├── module.cpp
│ └── zygisk.hpp
└── build.gradle.kts
├── hiddenapi
├── .gitignore
├── src
│ └── main
│ │ ├── AndroidManifest.xml
│ │ └── java
│ │ └── miui
│ │ └── util
│ │ └── font
│ │ └── FontSettings.java
└── build.gradle.kts
├── .gitmodules
├── gradle
└── wrapper
│ ├── gradle-wrapper.jar
│ └── gradle-wrapper.properties
├── .gitignore
├── settings.gradle.kts
├── gradle.properties
├── gradlew.bat
└── gradlew
/README.md:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/module/.gitignore:
--------------------------------------------------------------------------------
1 | /build
2 | /libs
3 | /obj
4 |
--------------------------------------------------------------------------------
/hiddenapi/.gitignore:
--------------------------------------------------------------------------------
1 | /build
2 | /libs
3 | /obj
4 |
--------------------------------------------------------------------------------
/module/src/main/assets/META-INF/com/google/android/updater-script:
--------------------------------------------------------------------------------
1 | #MAGISK
2 |
--------------------------------------------------------------------------------
/hiddenapi/src/main/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/module/src/main/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "module/jni/libcxx"]
2 | path = module/jni/libcxx
3 | url = https://github.com/topjohnwu/libcxx
4 |
--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YuKongA/DisableMiFontOverlay/HEAD/gradle/wrapper/gradle-wrapper.jar
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | *.iml
2 | .gradle
3 | /local.properties
4 | /.idea
5 | .DS_Store
6 | /build
7 | /captures
8 | .externalNativeBuild
9 | .cxx
10 | local.properties
11 |
--------------------------------------------------------------------------------
/module/src/main/assets/system/product/fonts/MiSansVF.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YuKongA/DisableMiFontOverlay/HEAD/module/src/main/assets/system/product/fonts/MiSansVF.ttf
--------------------------------------------------------------------------------
/hiddenapi/src/main/java/miui/util/font/FontSettings.java:
--------------------------------------------------------------------------------
1 | package miui.util.font;
2 |
3 | public class FontSettings {
4 | public static final boolean HAS_MIUI_VAR_FONT = false;
5 | }
--------------------------------------------------------------------------------
/module/src/main/assets/module.prop:
--------------------------------------------------------------------------------
1 | id=DisableMiFontOverlay
2 | name=DisableMiFontOverlay
3 | version=%%VERSION%%
4 | versionCode=%%VERSIONCODE%%
5 | author=YuKongA
6 | description=Disable Xiaomi's Font Overlay
7 |
--------------------------------------------------------------------------------
/module/jni/Application.mk:
--------------------------------------------------------------------------------
1 | APP_ABI := armeabi-v7a arm64-v8a
2 | APP_CPPFLAGS := -std=c++23 -fno-exceptions -fno-rtti -fvisibility=hidden -fvisibility-inlines-hidden
3 | APP_STL := none
4 | APP_PLATFORM := android-36
5 |
--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.properties:
--------------------------------------------------------------------------------
# NOTE(review): no distributionSha256Sum is set here, so the wrapper does not checksum-verify the
# distribution it downloads from distributionUrl. Consider pinning it, e.g.
# distributionSha256Sum=<SHA-256 of gradle-9.2.0-bin.zip - placeholder, take it from the Gradle release page>
1 | distributionBase=GRADLE_USER_HOME
2 | distributionPath=wrapper/dists
3 | distributionUrl=https\://services.gradle.org/distributions/gradle-9.2.0-bin.zip
4 | networkTimeout=10000
5 | validateDistributionUrl=true
6 | zipStoreBase=GRADLE_USER_HOME
7 | zipStorePath=wrapper/dists
8 |
--------------------------------------------------------------------------------
/hiddenapi/build.gradle.kts:
--------------------------------------------------------------------------------
1 | plugins {
2 | id("com.android.library")
3 | }
4 |
5 | java {
6 | sourceCompatibility = JavaVersion.VERSION_21
7 | targetCompatibility = JavaVersion.VERSION_21
8 | }
9 |
10 | android {
11 | namespace = "android"
12 | compileSdk = 36
13 | compileSdkMinor = 1
14 | buildToolsVersion = "36.1.0"
15 | ndkVersion = "29.0.14206865"
16 | }
--------------------------------------------------------------------------------
/settings.gradle.kts:
--------------------------------------------------------------------------------
1 | @file:Suppress("UnstableApiUsage")
2 |
3 | pluginManagement {
4 | repositories {
5 | google()
6 | mavenCentral()
7 | gradlePluginPortal()
8 | }
9 | }
10 | dependencyResolutionManagement {
11 | repositories {
12 | google()
13 | mavenCentral()
14 | }
15 | }
16 |
17 | rootProject.name = "DisableMiFontOveray"
18 | include(":module",":hiddenapi")
19 |
--------------------------------------------------------------------------------
/module/jni/Android.mk:
--------------------------------------------------------------------------------
1 | LOCAL_PATH := $(call my-dir)
2 |
3 | include $(CLEAR_VARS)
4 | LOCAL_MODULE := module
5 | LOCAL_SRC_FILES := module.cpp
6 | LOCAL_STATIC_LIBRARIES := libcxx
7 | LOCAL_LDLIBS := -llog
8 | include $(BUILD_SHARED_LIBRARY)
9 |
10 | include jni/libcxx/Android.mk
11 |
12 | # If you do not want to use libc++, link to system stdc++
13 | # so that you can at least call the new operator in your code
14 |
15 | # include $(CLEAR_VARS)
16 | # LOCAL_MODULE := example
17 | # LOCAL_SRC_FILES := example.cpp
18 | # LOCAL_LDLIBS := -llog -lstdc++
19 | # include $(BUILD_SHARED_LIBRARY)
20 |
--------------------------------------------------------------------------------
/module/src/main/assets/META-INF/com/google/android/update-binary:
--------------------------------------------------------------------------------
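#!/sbin/sh

#################
# Initialization
#################

umask 022

# Minimal ui_print, defined here so messages can be printed before
# util_functions.sh has been loaded.
ui_print() { echo "$1"; }

# Print the minimum-version banner and abort the installation.
require_new_magisk() {
  ui_print "*******************************"
  ui_print " Please install Magisk v20.4+! "
  ui_print "*******************************"
  exit 1
}

#########################
# Load util_functions.sh
#########################

# Second and third positional arguments of the installer invocation.
# Not read again in this script; presumably consumed by the sourced
# util_functions.sh - confirm against that file.
OUTFD=$2
ZIPFILE=$3

mount /data 2>/dev/null

# The sourced file runs with this script's privileges, so the install trusts
# whatever is at this path.
# NOTE(review): assumes /data/adb/magisk is writable by root only - confirm.
[ -f /data/adb/magisk/util_functions.sh ] || require_new_magisk
. /data/adb/magisk/util_functions.sh

# Quote and default the version code. With an empty or unset value the
# unquoted test fails with a syntax error, the && short-circuits, and the
# install would continue without the version check having run.
[ "${MAGISK_VER_CODE:-0}" -lt 20400 ] && require_new_magisk

install_module
exit 0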
--------------------------------------------------------------------------------
/gradle.properties:
--------------------------------------------------------------------------------
1 | # Project-wide Gradle settings.
2 | # IDE (e.g. Android Studio) users:
3 | # Gradle settings configured through the IDE *will override*
4 | # any settings specified in this file.
5 | # For more details on how to configure your build environment visit
6 | # http://www.gradle.org/docs/current/userguide/build_environment.html
7 | # Specifies the JVM arguments used for the daemon process.
8 | # The setting is particularly useful for tweaking memory settings.
9 | org.gradle.jvmargs=-Xmx2048m -Dfile.encoding=UTF-8
10 | # When configured, Gradle will run in incubating parallel mode.
11 | # This option should only be used with decoupled projects. More details, visit
12 | # http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects
13 | # org.gradle.parallel=true
14 | # AndroidX package structure to make it clearer which packages are bundled with the
15 | # Android operating system, and which are packaged with your app's APK
16 | # https://developer.android.com/topic/libraries/support-library/androidx-rn
17 | android.useAndroidX=true
18 | # Automatically convert third-party libraries to use AndroidX
19 | android.enableJetifier=true
20 |
--------------------------------------------------------------------------------
/module/jni/module.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include "zygisk.hpp"
7 |
8 | static constexpr auto TAG = "DisableMiFontOverlay";
9 |
10 | #define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, TAG, __VA_ARGS__)
11 |
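/// Zygisk module that sets the static boolean
/// miui.util.font.FontSettings.HAS_MIUI_VAR_FONT to false in every
/// specialized app process.
///
/// NOTE(review): the hiddenapi stub in this repository declares the field
/// `static final`. If the framework's real field is a compile-time constant,
/// code compiled against it may have the value inlined and never read the
/// field at runtime - confirm on a target device.
class DisableMiFontOverlay : public zygisk::ModuleBase {
public:
    /// Keeps the Zygisk API handle and the JNI environment for later callbacks.
    void onLoad(zygisk::Api *pApi, JNIEnv *pEnv) override {
        api = pApi;
        env = pEnv;
    }

    /// Called before app specialization, while the process still has zygote's
    /// privileges (see zygisk.hpp). Only requests that this library be
    /// dlclose-ed after post[XXX]Specialize; no function hooks are installed,
    /// which is the precondition zygisk.hpp states for that option.
    ///
    /// The previous body copied args->app_data_dir into a local string that
    /// was never used. That copy is removed: it called GetStringUTFChars on a
    /// jstring that was not checked for null, while running pre-sandbox.
    void preAppSpecialize([[maybe_unused]] zygisk::AppSpecializeArgs *args) override {
        api->setOption(zygisk::DLCLOSE_MODULE_LIBRARY);
    }

    /// Called after specialization, i.e. inside the app's sandbox; applies the
    /// field override there.
    void postAppSpecialize([[maybe_unused]] const zygisk::AppSpecializeArgs *args) override {
        injectDex();
    }

    /// system_server is left untouched apart from unloading this library.
    void preServerSpecialize([[maybe_unused]] zygisk::ServerSpecializeArgs *args) override {
        api->setOption(zygisk::DLCLOSE_MODULE_LIBRARY);
    }

private:
    zygisk::Api *api = nullptr;
    JNIEnv *env = nullptr;

    /// Drops any Java exception a failed JNI lookup left pending on this thread.
    void clearPendingException() {
        if (env->ExceptionCheck()) {
            env->ExceptionClear();
        }
    }

    /// Looks up FontSettings and writes JNI_FALSE to HAS_MIUI_VAR_FONT.
    /// Despite the name, no dex file is loaded; only one static field is set.
    void injectDex() {
        jclass fontSettingsClass = env->FindClass("miui/util/font/FontSettings");
        if (fontSettingsClass == nullptr) {
            // A failed FindClass leaves an exception pending. This runs in
            // every app process, so clear it rather than hand the app a
            // JNIEnv with an exception it did not raise.
            clearPendingException();
            LOGD("Failed to find FontSettings class");
            return;
        }

        jfieldID hasCustomFontField =
                env->GetStaticFieldID(fontSettingsClass, "HAS_MIUI_VAR_FONT", "Z");
        if (hasCustomFontField == nullptr) {
            // Same as above: a failed field lookup leaves an exception pending.
            clearPendingException();
            env->DeleteLocalRef(fontSettingsClass);
            LOGD("Failed to find HAS_MIUI_VAR_FONT field");
            return;
        }

        env->SetStaticBooleanField(fontSettingsClass, hasCustomFontField, JNI_FALSE);
        env->DeleteLocalRef(fontSettingsClass);
        LOGD("Successfully set HAS_MIUI_VAR_FONT to false");
    }
};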
61 |
62 | REGISTER_ZYGISK_MODULE(DisableMiFontOverlay)
63 |
--------------------------------------------------------------------------------
/module/build.gradle.kts:
--------------------------------------------------------------------------------
1 | plugins {
2 | id("com.android.application")
3 | }
4 |
5 | val verCode = 5
6 | val verName = "v1.0.5"
7 | val pkgName = "top.yukonga.disableMiFontOverlay"
8 |
9 | java {
10 | sourceCompatibility = JavaVersion.VERSION_21
11 | targetCompatibility = JavaVersion.VERSION_21
12 | }
13 |
14 | android {
15 | compileSdk = 36
16 | namespace = pkgName
17 | externalNativeBuild {
18 | ndkBuild {
19 | path = file("jni/Android.mk")
20 | }
21 | }
22 | defaultConfig {
23 | applicationId = pkgName
24 | minSdk = 33
25 | targetSdk = 36
26 | versionCode = verCode
27 | versionName = verName
28 | ndk {
29 | abiFilters.addAll(mutableSetOf("arm64-v8a", "armeabi-v7a"))
30 | }
31 | }
32 | compileSdkMinor = 1
33 | buildToolsVersion = "36.1.0"
34 | ndkVersion = "29.0.14206865"
35 | }
36 |
37 | dependencies {
38 | compileOnly(project(":hiddenapi"))
39 | }
40 |
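// Repackages the unsigned release APK into the module zip:
//   lib/<abi>/<library>.so -> zygisk/<abi>.so
//   assets/<path>          -> <path>
// module.prop is taken from the source tree instead, with its version
// placeholders filled in.
//
// The task must be a Zip task: from(), destinationDirectory and
// archiveFileName do not exist on a plain Task, so the type argument is
// spelled out here.
tasks.register<Zip>("assembleModule") {
    group = "module"
    val apkContents = zipTree(
        layout.buildDirectory.file("outputs/apk/release/module-release-unsigned.apk").get().asFile
    )
    from(apkContents) {
        include("assets/**", "lib/**")
        exclude("assets/module.prop")
        eachFile {
            path = when {
                path.startsWith("lib/") -> buildString {
                    // The ABI directory name sits between the first two slashes.
                    val startIndex = path.indexOf('/') + 1
                    val endIndex = path.indexOf('/', startIndex)
                    append("zygisk/")
                    append(path.substring(startIndex, endIndex))
                    append(".so")
                }

                // Strip only the leading directory; replace() would also
                // rewrite an "assets/" segment deeper in the path.
                path.startsWith("assets/") -> path.removePrefix("assets/")

                else -> path
            }
        }
    }
    from(file("src/main/assets/module.prop")) {
        filter { line ->
            line.replace("%%VERSION%%", verName)
                .replace("%%VERSIONCODE%%", verCode.toString())
        }
    }
    destinationDirectory.set(layout.buildDirectory.dir("outputs/module"))
    archiveFileName.set("DisableMiFontOverlay_${verName}.zip")
}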
72 |
73 | afterEvaluate {
74 | tasks["assembleModule"].dependsOn(tasks["assembleRelease"])
75 | }
76 |
--------------------------------------------------------------------------------
/gradlew.bat:
--------------------------------------------------------------------------------
1 | @rem
2 | @rem Copyright 2015 the original author or authors.
3 | @rem
4 | @rem Licensed under the Apache License, Version 2.0 (the "License");
5 | @rem you may not use this file except in compliance with the License.
6 | @rem You may obtain a copy of the License at
7 | @rem
8 | @rem https://www.apache.org/licenses/LICENSE-2.0
9 | @rem
10 | @rem Unless required by applicable law or agreed to in writing, software
11 | @rem distributed under the License is distributed on an "AS IS" BASIS,
12 | @rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | @rem See the License for the specific language governing permissions and
14 | @rem limitations under the License.
15 | @rem
16 | @rem SPDX-License-Identifier: Apache-2.0
17 | @rem
18 |
19 | @if "%DEBUG%"=="" @echo off
20 | @rem ##########################################################################
21 | @rem
22 | @rem Gradle startup script for Windows
23 | @rem
24 | @rem ##########################################################################
25 |
26 | @rem Set local scope for the variables with windows NT shell
27 | if "%OS%"=="Windows_NT" setlocal
28 |
29 | set DIRNAME=%~dp0
30 | if "%DIRNAME%"=="" set DIRNAME=.
31 | @rem This is normally unused
32 | set APP_BASE_NAME=%~n0
33 | set APP_HOME=%DIRNAME%
34 |
35 | @rem Resolve any "." and ".." in APP_HOME to make it shorter.
36 | for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
37 |
38 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
39 | set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
40 |
41 | @rem Find java.exe
42 | if defined JAVA_HOME goto findJavaFromJavaHome
43 |
44 | set JAVA_EXE=java.exe
45 | %JAVA_EXE% -version >NUL 2>&1
46 | if %ERRORLEVEL% equ 0 goto execute
47 |
48 | echo. 1>&2
49 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
50 | echo. 1>&2
51 | echo Please set the JAVA_HOME variable in your environment to match the 1>&2
52 | echo location of your Java installation. 1>&2
53 |
54 | goto fail
55 |
56 | :findJavaFromJavaHome
57 | set JAVA_HOME=%JAVA_HOME:"=%
58 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe
59 |
60 | if exist "%JAVA_EXE%" goto execute
61 |
62 | echo. 1>&2
63 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
64 | echo. 1>&2
65 | echo Please set the JAVA_HOME variable in your environment to match the 1>&2
66 | echo location of your Java installation. 1>&2
67 |
68 | goto fail
69 |
70 | :execute
71 | @rem Setup the command line
72 |
73 |
74 |
75 | @rem Execute Gradle
76 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -jar "%APP_HOME%\gradle\wrapper\gradle-wrapper.jar" %*
77 |
78 | :end
79 | @rem End local scope for the variables with windows NT shell
80 | if %ERRORLEVEL% equ 0 goto mainEnd
81 |
82 | :fail
83 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
84 | rem the _cmd.exe /c_ return code!
85 | set EXIT_CODE=%ERRORLEVEL%
86 | if %EXIT_CODE% equ 0 set EXIT_CODE=1
87 | if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
88 | exit /b %EXIT_CODE%
89 |
90 | :mainEnd
91 | if "%OS%"=="Windows_NT" endlocal
92 |
93 | :omega
94 |
--------------------------------------------------------------------------------
/gradlew:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | #
4 | # Copyright © 2015 the original authors.
5 | #
6 | # Licensed under the Apache License, Version 2.0 (the "License");
7 | # you may not use this file except in compliance with the License.
8 | # You may obtain a copy of the License at
9 | #
10 | # https://www.apache.org/licenses/LICENSE-2.0
11 | #
12 | # Unless required by applicable law or agreed to in writing, software
13 | # distributed under the License is distributed on an "AS IS" BASIS,
14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 | # See the License for the specific language governing permissions and
16 | # limitations under the License.
17 | #
18 | # SPDX-License-Identifier: Apache-2.0
19 | #
20 |
21 | ##############################################################################
22 | #
23 | # Gradle start up script for POSIX generated by Gradle.
24 | #
25 | # Important for running:
26 | #
27 | # (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is
28 | # noncompliant, but you have some other compliant shell such as ksh or
29 | # bash, then to run this script, type that shell name before the whole
30 | # command line, like:
31 | #
32 | # ksh Gradle
33 | #
34 | # Busybox and similar reduced shells will NOT work, because this script
35 | # requires all of these POSIX shell features:
36 | # * functions;
37 | # * expansions «$var», «${var}», «${var:-default}», «${var+SET}»,
38 | # «${var#prefix}», «${var%suffix}», and «$( cmd )»;
39 | # * compound commands having a testable exit status, especially «case»;
40 | # * various built-in commands including «command», «set», and «ulimit».
41 | #
42 | # Important for patching:
43 | #
44 | # (2) This script targets any POSIX shell, so it avoids extensions provided
45 | # by Bash, Ksh, etc; in particular arrays are avoided.
46 | #
47 | # The "traditional" practice of packing multiple parameters into a
48 | # space-separated string is a well documented source of bugs and security
49 | # problems, so this is (mostly) avoided, by progressively accumulating
50 | # options in "$@", and eventually passing that to Java.
51 | #
52 | # Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS,
53 | # and GRADLE_OPTS) rely on word-splitting, this is performed explicitly;
54 | # see the in-line comments for details.
55 | #
56 | # There are tweaks for specific operating systems such as AIX, CygWin,
57 | # Darwin, MinGW, and NonStop.
58 | #
59 | # (3) This script is generated from the Groovy template
60 | # https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
61 | # within the Gradle project.
62 | #
63 | # You can find Gradle at https://github.com/gradle/gradle/.
64 | #
65 | ##############################################################################
66 |
67 | # Attempt to set APP_HOME
68 |
69 | # Resolve links: $0 may be a link
70 | app_path=$0
71 |
72 | # Need this for daisy-chained symlinks.
73 | while
74 | APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path
75 | [ -h "$app_path" ]
76 | do
77 | ls=$( ls -ld "$app_path" )
78 | link=${ls#*' -> '}
79 | case $link in #(
80 | /*) app_path=$link ;; #(
81 | *) app_path=$APP_HOME$link ;;
82 | esac
83 | done
84 |
85 | # This is normally unused
86 | # shellcheck disable=SC2034
87 | APP_BASE_NAME=${0##*/}
88 | # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
89 | APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
90 |
91 | # Use the maximum available, or set MAX_FD != -1 to use that value.
92 | MAX_FD=maximum
93 |
94 | warn () {
95 | echo "$*"
96 | } >&2
97 |
98 | die () {
99 | echo
100 | echo "$*"
101 | echo
102 | exit 1
103 | } >&2
104 |
105 | # OS specific support (must be 'true' or 'false').
106 | cygwin=false
107 | msys=false
108 | darwin=false
109 | nonstop=false
110 | case "$( uname )" in #(
111 | CYGWIN* ) cygwin=true ;; #(
112 | Darwin* ) darwin=true ;; #(
113 | MSYS* | MINGW* ) msys=true ;; #(
114 | NONSTOP* ) nonstop=true ;;
115 | esac
116 |
117 |
118 |
119 | # Determine the Java command to use to start the JVM.
120 | if [ -n "$JAVA_HOME" ] ; then
121 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
122 | # IBM's JDK on AIX uses strange locations for the executables
123 | JAVACMD=$JAVA_HOME/jre/sh/java
124 | else
125 | JAVACMD=$JAVA_HOME/bin/java
126 | fi
127 | if [ ! -x "$JAVACMD" ] ; then
128 | die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
129 |
130 | Please set the JAVA_HOME variable in your environment to match the
131 | location of your Java installation."
132 | fi
133 | else
134 | JAVACMD=java
135 | if ! command -v java >/dev/null 2>&1
136 | then
137 | die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
138 |
139 | Please set the JAVA_HOME variable in your environment to match the
140 | location of your Java installation."
141 | fi
142 | fi
143 |
144 | # Increase the maximum file descriptors if we can.
145 | if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
146 | case $MAX_FD in #(
147 | max*)
148 | # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
149 | # shellcheck disable=SC2039,SC3045
150 | MAX_FD=$( ulimit -H -n ) ||
151 | warn "Could not query maximum file descriptor limit"
152 | esac
153 | case $MAX_FD in #(
154 | '' | soft) :;; #(
155 | *)
156 | # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
157 | # shellcheck disable=SC2039,SC3045
158 | ulimit -n "$MAX_FD" ||
159 | warn "Could not set maximum file descriptor limit to $MAX_FD"
160 | esac
161 | fi
162 |
163 | # Collect all arguments for the java command, stacking in reverse order:
164 | # * args from the command line
165 | # * the main class name
166 | # * -classpath
167 | # * -D...appname settings
168 | # * --module-path (only if needed)
169 | # * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables.
170 |
171 | # For Cygwin or MSYS, switch paths to Windows format before running java
172 | if "$cygwin" || "$msys" ; then
173 | APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
174 |
175 | JAVACMD=$( cygpath --unix "$JAVACMD" )
176 |
177 | # Now convert the arguments - kludge to limit ourselves to /bin/sh
178 | for arg do
179 | if
180 | case $arg in #(
181 | -*) false ;; # don't mess with options #(
182 | /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath
183 | [ -e "$t" ] ;; #(
184 | *) false ;;
185 | esac
186 | then
187 | arg=$( cygpath --path --ignore --mixed "$arg" )
188 | fi
189 | # Roll the args list around exactly as many times as the number of
190 | # args, so each arg winds up back in the position where it started, but
191 | # possibly modified.
192 | #
193 | # NB: a `for` loop captures its iteration list before it begins, so
194 | # changing the positional parameters here affects neither the number of
195 | # iterations, nor the values presented in `arg`.
196 | shift # remove old arg
197 | set -- "$@" "$arg" # push replacement arg
198 | done
199 | fi
200 |
201 |
202 | # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
203 | DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
204 |
205 | # Collect all arguments for the java command:
206 | # * DEFAULT_JVM_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
207 | # and any embedded shellness will be escaped.
208 | # * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
209 | # treated as '${Hostname}' itself on the command line.
210 |
211 | set -- \
212 | "-Dorg.gradle.appname=$APP_BASE_NAME" \
213 | -jar "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" \
214 | "$@"
215 |
216 | # Stop when "xargs" is not available.
217 | if ! command -v xargs >/dev/null 2>&1
218 | then
219 | die "xargs is not available"
220 | fi
221 |
222 | # Use "xargs" to parse quoted args.
223 | #
224 | # With -n1 it outputs one arg per line, with the quotes and backslashes removed.
225 | #
226 | # In Bash we could simply go:
227 | #
228 | # readarray ARGS < <( xargs -n1 <<<"$var" ) &&
229 | # set -- "${ARGS[@]}" "$@"
230 | #
231 | # but POSIX shell has neither arrays nor command substitution, so instead we
232 | # post-process each arg (as a line of input to sed) to backslash-escape any
233 | # character that might be a shell metacharacter, then use eval to reverse
234 | # that process (while maintaining the separation between arguments), and wrap
235 | # the whole thing up as a single "set" statement.
236 | #
237 | # This will of course break if any of these variables contains a newline or
238 | # an unmatched quote.
239 | #
240 |
241 | eval "set -- $(
242 | printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" |
243 | xargs -n1 |
244 | sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' |
245 | tr '\n' ' '
246 | )" '"$@"'
247 |
248 | exec "$JAVACMD" "$@"
249 |
--------------------------------------------------------------------------------
/module/jni/zygisk.hpp:
--------------------------------------------------------------------------------
1 | /* Copyright 2022-2023 John "topjohnwu" Wu
2 | *
3 | * Permission to use, copy, modify, and/or distribute this software for any
4 | * purpose with or without fee is hereby granted.
5 | *
6 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
7 | * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
8 | * AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
9 | * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
10 | * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
11 | * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
12 | * PERFORMANCE OF THIS SOFTWARE.
13 | */
14 |
15 | // This is the public API for Zygisk modules.
16 | // DO NOT MODIFY ANY CODE IN THIS HEADER.
17 |
18 | #pragma once
19 |
20 | #include
21 |
22 | #define ZYGISK_API_VERSION 4
23 |
24 | /*
25 |
26 | ***************
27 | * Introduction
28 | ***************
29 |
30 | On Android, all app processes are forked from a special daemon called "Zygote".
31 | For each new app process, zygote will fork a new process and perform "specialization".
32 | This specialization operation enforces the Android security sandbox on the newly forked
33 | process to make sure that 3rd party application code is only loaded after it is being
34 | restricted within a sandbox.
35 |
36 | On Android, there is also this special process called "system_server". This single
37 | process hosts a significant portion of system services, which controls how the
38 | Android operating system and apps interact with each other.
39 |
40 | The Zygisk framework provides a way to allow developers to build modules and run custom
41 | code before and after system_server and any app processes' specialization.
42 | This enables developers to inject code and alter the behavior of system_server and app processes.
43 |
44 | Please note that modules will only be loaded after zygote has forked the child process.
45 | THIS MEANS ALL OF YOUR CODE RUNS IN THE APP/SYSTEM_SERVER PROCESS, NOT THE ZYGOTE DAEMON!
46 |
47 | *********************
48 | * Development Guide
49 | *********************
50 |
51 | Define a class and inherit zygisk::ModuleBase to implement the functionality of your module.
52 | Use the macro REGISTER_ZYGISK_MODULE(className) to register that class to Zygisk.
53 |
54 | Example code:
55 |
56 | static jint (*orig_logger_entry_max)(JNIEnv *env);
57 | static jint my_logger_entry_max(JNIEnv *env) { return orig_logger_entry_max(env); }
58 |
59 | class ExampleModule : public zygisk::ModuleBase {
60 | public:
61 | void onLoad(zygisk::Api *api, JNIEnv *env) override {
62 | this->api = api;
63 | this->env = env;
64 | }
65 | void preAppSpecialize(zygisk::AppSpecializeArgs *args) override {
66 | JNINativeMethod methods[] = {
67 | { "logger_entry_max_payload_native", "()I", (void*) my_logger_entry_max },
68 | };
69 | api->hookJniNativeMethods(env, "android/util/Log", methods, 1);
70 | *(void **) &orig_logger_entry_max = methods[0].fnPtr;
71 | }
72 | private:
73 | zygisk::Api *api;
74 | JNIEnv *env;
75 | };
76 |
77 | REGISTER_ZYGISK_MODULE(ExampleModule)
78 |
79 | -----------------------------------------------------------------------------------------
80 |
81 | Since your module class's code runs with either Zygote's privilege in pre[XXX]Specialize,
82 | or runs in the sandbox of the target process in post[XXX]Specialize, the code in your class
83 | never runs in a true superuser environment.
84 |
85 | If your module requires access to superuser permissions, you can create and register
86 | a root companion handler function. This function runs in a separate root companion
87 | daemon process, and a Unix domain socket is provided to allow you to perform IPC between
88 | your target process and the root companion process.
89 |
90 | Example code:
91 |
92 | static void example_handler(int socket) { ... }
93 |
94 | REGISTER_ZYGISK_COMPANION(example_handler)
95 |
96 | */
97 |
98 | namespace zygisk {
99 |
100 | struct Api;
101 | struct AppSpecializeArgs;
102 | struct ServerSpecializeArgs;
103 |
// Base class for a Zygisk module. Every hook below has an empty default body, so a module
// overrides only the hooks it needs.
class ModuleBase {
public:

    // This method is called as soon as the module is loaded into the target process.
    // A Zygisk API handle will be passed as an argument.
    // Per the note on struct Api, that handle stops working after post[XXX]Specialize.
    virtual void onLoad([[maybe_unused]] Api *api, [[maybe_unused]] JNIEnv *env) {}

    // This method is called before the app process is specialized.
    // At this point, the process just got forked from zygote, but no app specific specialization
    // is applied. This means that the process does not have any sandbox restrictions and
    // still runs with the same privilege of zygote.
    //
    // All the arguments that will be sent and used for app specialization are passed as a single
    // AppSpecializeArgs object. You can read and overwrite these arguments to change how the app
    // process will be specialized.
    //
    // If you need to run some operations as superuser, you can call Api::connectCompanion() to
    // get a socket to do IPC calls with a root companion process.
    // See Api::connectCompanion() for more info.
    //
    // Review note: this hook runs unsandboxed with zygote's privilege, so do here only what
    // needs that privilege; work that can wait belongs in postAppSpecialize, which runs inside
    // the app's sandbox.
    virtual void preAppSpecialize([[maybe_unused]] AppSpecializeArgs *args) {}

    // This method is called after the app process is specialized.
    // At this point, the process has all sandbox restrictions enabled for this application.
    // This means that this method runs with the same privilege of the app's own code.
    virtual void postAppSpecialize([[maybe_unused]] const AppSpecializeArgs *args) {}

    // This method is called before the system server process is specialized.
    // See preAppSpecialize(args) for more info.
    virtual void preServerSpecialize([[maybe_unused]] ServerSpecializeArgs *args) {}

    // This method is called after the system server process is specialized.
    // At this point, the process runs with the privilege of system_server.
    virtual void postServerSpecialize([[maybe_unused]] const ServerSpecializeArgs *args) {}
};
138 |
// Arguments of app process specialization, as passed to preAppSpecialize/postAppSpecialize.
// The default constructor is deleted and every member is a reference or a const pointer,
// so a module works on the instance it is handed rather than building its own.
struct AppSpecializeArgs {
    // Required arguments. These arguments are guaranteed to exist on all Android versions.
    // They are references: assigning to one overwrites the referenced argument itself.
    // NOTE(review): uid, gid, gids and se_info look like the identity the process will take
    // on; confirm their meaning before overwriting them in preAppSpecialize.
    jint &uid;
    jint &gid;
    jintArray &gids;
    jint &runtime_flags;
    jobjectArray &rlimits;
    jint &mount_external;
    jstring &se_info;
    jstring &nice_name;
    jstring &instruction_set;
    jstring &app_data_dir;

    // Optional arguments. Please check whether the pointer is null before de-referencing.
    // The pointers themselves are const; the values they point to are not.
    jintArray *const fds_to_ignore;
    jboolean *const is_child_zygote;
    jboolean *const is_top_app;
    jobjectArray *const pkg_data_info_list;
    jobjectArray *const whitelisted_data_info_list;
    jboolean *const mount_data_dirs;
    jboolean *const mount_storage_dirs;

    // Not default-constructible: the reference members must be bound by whoever creates it.
    AppSpecializeArgs() = delete;
};
163 |
// Arguments of system server specialization, as passed to
// preServerSpecialize/postServerSpecialize.
// All members are references: assigning to one overwrites the referenced argument itself.
struct ServerSpecializeArgs {
    jint &uid;
    jint &gid;
    jintArray &gids;
    jint &runtime_flags;
    // NOTE(review): presumably the capability sets system_server will run with; confirm
    // before changing them, since preServerSpecialize may overwrite these values.
    jlong &permitted_capabilities;
    jlong &effective_capabilities;

    // Not default-constructible: the reference members must be bound by whoever creates it.
    ServerSpecializeArgs() = delete;
};
174 |
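// Forward declarations needed by struct Api below: it stores a pointer to the API table
// and befriends the entry-point template. Both are defined in the internal section
// further down in this header.
namespace internal {
struct api_table;
// T is the module type that entry_impl instantiates; the template parameter list was
// missing from this declaration, which left it ill-formed.
template <class T> void entry_impl(api_table *, JNIEnv *);
}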
179 |
// These values are used in Api::setOption(Option)
// Api::setOption accepts one option per call, so enabling several options takes several calls.
enum Option : int {
    // Force Magisk's denylist unmount routines to run on this process.
    //
    // Setting this option only makes sense in preAppSpecialize.
    // The actual unmounting happens during app process specialization.
    //
    // Set this option to force all Magisk and modules' files to be unmounted from the
    // mount namespace of the process, regardless of the denylist enforcement status.
    FORCE_DENYLIST_UNMOUNT = 0,

    // When this option is set, your module's library will be dlclose-ed after post[XXX]Specialize.
    // Be aware that after dlclose-ing your module, all of your code will be unmapped from memory.
    // YOU MUST NOT ENABLE THIS OPTION AFTER HOOKING ANY FUNCTIONS IN THE PROCESS.
    // Presumably the reason is that an installed hook keeps pointing at a function inside
    // this library, so a call through it after the unmap would land in unmapped memory.
    DLCLOSE_MODULE_LIBRARY = 1,
};
196 |
// Bit masks of the return value of Api::getFlags()
// Test a flag with a bitwise AND, e.g. (api->getFlags() & PROCESS_ON_DENYLIST) != 0.
// Api::getFlags() returns 0 when the underlying API slot is not set, so a cleared bit
// can also mean that the state could not be queried.
enum StateFlag : uint32_t {
    // The user has granted root access to the current process
    PROCESS_GRANTED_ROOT = (1u << 0),

    // The current process was added on the denylist
    PROCESS_ON_DENYLIST = (1u << 1),
};
205 |
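// Handle through which a module calls back into Zygisk. Each method forwards to a function
// pointer in the internal API table; see the inline definitions further down for what a
// method returns when its table slot is not set.
//
// All API methods will stop working after post[XXX]Specialize as Zygisk will be unloaded
// from the specialized process afterwards.
struct Api {

    // Connect to a root companion process and get a Unix domain socket for IPC.
    //
    // This API only works in the pre[XXX]Specialize methods due to SELinux restrictions.
    //
    // The pre[XXX]Specialize methods run with the same privilege of zygote.
    // If you would like to do some operations with superuser permissions, register a handler
    // function that would be called in the root process with REGISTER_ZYGISK_COMPANION(func).
    // Another good use case for a companion process is that if you want to share some resources
    // across multiple processes, hold the resources in the companion process and pass it over.
    //
    // The root companion process is ABI aware; that is, when calling this method from a 32-bit
    // process, you will be connected to a 32-bit companion process, and vice versa for 64-bit.
    //
    // Returns a file descriptor to a socket that is connected to the socket passed to your
    // module's companion request handler. Returns -1 if the connection attempt failed.
    //
    // Review note: the returned descriptor is a channel to a superuser process. Check for -1
    // before use and close it once the exchange is done. NOTE(review): presumably a descriptor
    // that is still open after specialization becomes reachable from the app's own code;
    // confirm before keeping one open (for example with exemptFd).
    int connectCompanion();

    // Get the file descriptor of the root folder of the current module.
    //
    // This API only works in the pre[XXX]Specialize methods.
    // Accessing the directory returned is only possible in the pre[XXX]Specialize methods
    // or in the root companion process (assuming that you sent the fd over the socket).
    // Both restrictions are due to SELinux and UID.
    //
    // Returns -1 if errors occurred.
    int getModuleDir();

    // Set various options for your module.
    // Please note that this method accepts one single option at a time.
    // Check zygisk::Option for the full list of options available.
    void setOption(Option opt);

    // Get information about the current process.
    // Returns bitwise-or'd zygisk::StateFlag values.
    uint32_t getFlags();

    // Exempt the provided file descriptor from being automatically closed.
    //
    // This API only makes sense in preAppSpecialize; calling this method in any other situation
    // is either a no-op (returns true) or an error (returns false).
    //
    // When false is returned, the provided file descriptor will eventually be closed by zygote.
    bool exemptFd(int fd);

    // Hook JNI native methods for a class
    //
    // Lookup all registered JNI native methods and replace them with your own methods.
    // The original function pointer will be saved in each JNINativeMethod's fnPtr.
    // If no matching class, method name, or signature is found, that specific JNINativeMethod.fnPtr
    // will be set to nullptr.
    //
    // `methods` is therefore modified in place: check each fnPtr for nullptr afterwards and
    // never call through an entry that was not matched.
    void hookJniNativeMethods(JNIEnv *env, const char *className, JNINativeMethod *methods, int numMethods);

    // Hook functions in the PLT (Procedure Linkage Table) of ELFs loaded in memory.
    //
    // Parsing /proc/[PID]/maps will give you the memory map of a process. As an example:
    //
    //       <address>       <perms>  <offset>   <dev>  <inode>           <pathname>
    // 56b4346000-56b4347000  r-xp    00002000   fe:00    235       /system/bin/app_process64
    // (More details: https://man7.org/linux/man-pages/man5/proc.5.html)
    //
    // The `dev` and `inode` pair uniquely identifies a file being mapped into memory.
    // For matching ELFs loaded in memory, replace function `symbol` with `newFunc`.
    // If `oldFunc` is not nullptr, the original function pointer will be saved to `oldFunc`.
    //
    // This call only registers the hook; see pltHookCommit() for committing registered hooks.
    void pltHookRegister(dev_t dev, ino_t inode, const char *symbol, void *newFunc, void **oldFunc);

    // Commit all the hooks that were previously registered.
    // Returns false if an error occurred.
    bool pltHookCommit();

private:
    // API table supplied by Zygisk; assigned by internal::entry_impl before onLoad is called.
    internal::api_table *tbl;
    // entry_impl is a template over the module type, so the friend declaration needs its
    // template parameter list; without it the declaration is ill-formed.
    template <class T> friend void internal::entry_impl(internal::api_table *, JNIEnv *);
};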
283 |
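// Register a class as a Zygisk module
//
// Expands to the definition of zygisk_module_entry, which instantiates
// zygisk::internal::entry_impl for `clazz`. The macro defines a function, so use it once
// per module library. `clazz` has to be passed on as the template argument: entry_impl
// creates its module object from that type.

#define REGISTER_ZYGISK_MODULE(clazz) \
void zygisk_module_entry(zygisk::internal::api_table *table, JNIEnv *env) { \
    zygisk::internal::entry_impl<clazz>(table, env); \
}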
290 |
// Register a root companion request handler function for your module
//
// The function runs in a superuser daemon process and handles a root companion request from
// your module running in a target process. The function has to accept an integer value,
// which is a Unix domain socket that is connected to the target process.
// See Api::connectCompanion() for more info.
//
// NOTE: the function can run concurrently on multiple threads.
// Be aware of race conditions if you have globally shared resources.
//
// Review note: the handler runs as superuser while its peer runs in a target process, so
// keep the protocol small and check every size, path or command read from the socket
// before acting on it.
// NOTE(review): this header does not say who closes `client`; confirm before relying on
// either side to do it.

#define REGISTER_ZYGISK_COMPANION(func) \
void zygisk_companion_entry(int client) { func(client); }
303 |
304 | /*********************************************************
305 | * The following is internal ABI implementation detail.
306 | * You do not have to understand what it is doing.
307 | *********************************************************/
308 |
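namespace internal {

// Module side of the ABI: the API version, the module object, and one plain function
// pointer per specialization hook.
// NOTE(review): the field order is presumably part of the contract with the Zygisk loader;
// do not reorder without confirming.
struct module_abi {
    long api_version;
    ModuleBase *impl;

    void (*preAppSpecialize)(ModuleBase *, AppSpecializeArgs *);
    void (*postAppSpecialize)(ModuleBase *, const AppSpecializeArgs *);
    void (*preServerSpecialize)(ModuleBase *, ServerSpecializeArgs *);
    void (*postServerSpecialize)(ModuleBase *, const ServerSpecializeArgs *);

    // Records ZYGISK_API_VERSION and the module object, then fills every hook slot with a
    // captureless lambda that forwards to the matching virtual method of the module.
    module_abi(ModuleBase *module) : api_version(ZYGISK_API_VERSION), impl(module) {
        preAppSpecialize = [](auto m, auto args) { m->preAppSpecialize(args); };
        postAppSpecialize = [](auto m, auto args) { m->postAppSpecialize(args); };
        preServerSpecialize = [](auto m, auto args) { m->preServerSpecialize(args); };
        postServerSpecialize = [](auto m, auto args) { m->postServerSpecialize(args); };
    }
};

// Zygisk side of the ABI: an opaque implementation pointer plus one function pointer per
// API call. The Api wrappers below check a slot for null before calling through it;
// registerModule is the exception and is called unconditionally by entry_impl.
struct api_table {
    // Base
    void *impl;
    bool (*registerModule)(api_table *, module_abi *);

    void (*hookJniNativeMethods)(JNIEnv *, const char *, JNINativeMethod *, int);
    void (*pltHookRegister)(dev_t, ino_t, const char *, void *, void **);
    bool (*exemptFd)(int);
    bool (*pltHookCommit)();
    int (*connectCompanion)(void * /* impl */);
    void (*setOption)(void * /* impl */, Option);
    int (*getModuleDir)(void * /* impl */);
    uint32_t (*getFlags)(void * /* impl */);
};

// Entry point body for a module of type T (the class given to REGISTER_ZYGISK_MODULE).
// The Api handle, the module object and its module_abi are function-local statics, so
// there is one of each per instantiation. onLoad is called only when registerModule
// returns true.
// The template parameter list is required: T names the module type constructed below.
template <class T>
void entry_impl(api_table *table, JNIEnv *env) {
    static Api api;
    api.tbl = table;
    static T module;
    ModuleBase *m = &module;
    static module_abi abi(m);
    if (!table->registerModule(table, &abi)) return;
    m->onLoad(&api, env);
}

} // namespace internal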
355 |
// Forwards to the connectCompanion slot of the API table, passing the table's impl pointer.
// Yields -1 when the slot is not set.
inline int Api::connectCompanion() {
    if (!tbl->connectCompanion) {
        return -1;
    }
    return tbl->connectCompanion(tbl->impl);
}
// Forwards to the getModuleDir slot of the API table, passing the table's impl pointer.
// Yields -1 when the slot is not set.
inline int Api::getModuleDir() {
    if (!tbl->getModuleDir) {
        return -1;
    }
    return tbl->getModuleDir(tbl->impl);
}
// Forwards `opt` to the setOption slot of the API table.
// Does nothing when the slot is not set, so the caller gets no indication in that case.
inline void Api::setOption(Option opt) {
    if (!tbl->setOption) {
        return;
    }
    tbl->setOption(tbl->impl, opt);
}
// Forwards to the getFlags slot of the API table, passing the table's impl pointer.
// Yields 0 when the slot is not set, which reads the same as "no StateFlag bit set".
inline uint32_t Api::getFlags() {
    if (!tbl->getFlags) {
        return 0;
    }
    return tbl->getFlags(tbl->impl);
}
// Forwards `fd` to the exemptFd slot of the API table.
// Yields false when the slot is not set.
inline bool Api::exemptFd(int fd) {
    if (tbl->exemptFd == nullptr) {
        return false;
    }
    return tbl->exemptFd(fd);
}
// Forwards all four arguments to the hookJniNativeMethods slot of the API table.
// Does nothing when the slot is not set; `methods` is then left as the caller passed it.
inline void Api::hookJniNativeMethods(JNIEnv *env, const char *className, JNINativeMethod *methods, int numMethods) {
    if (!tbl->hookJniNativeMethods) {
        return;
    }
    tbl->hookJniNativeMethods(env, className, methods, numMethods);
}
// Forwards all five arguments to the pltHookRegister slot of the API table.
// Does nothing when the slot is not set; `oldFunc` is then not written by this wrapper.
inline void Api::pltHookRegister(dev_t dev, ino_t inode, const char *symbol, void *newFunc, void **oldFunc) {
    if (!tbl->pltHookRegister) {
        return;
    }
    tbl->pltHookRegister(dev, inode, symbol, newFunc, oldFunc);
}
// Forwards to the pltHookCommit slot of the API table.
// Yields false when the slot is not set.
inline bool Api::pltHookCommit() {
    if (tbl->pltHookCommit == nullptr) {
        return false;
    }
    return tbl->pltHookCommit();
}
380 |
381 | } // namespace zygisk
382 |
// Declarations of the two entry points with C linkage and default symbol visibility.
// The REGISTER_ZYGISK_MODULE and REGISTER_ZYGISK_COMPANION macros above expand to the
// definitions of these functions; maybe_unused keeps a build quiet when a library does
// not define one of them.
// NOTE(review): presumably these are the symbols the Zygisk loader looks up by name.
extern "C" {

[[gnu::visibility("default"), maybe_unused]]
void zygisk_module_entry(zygisk::internal::api_table *, JNIEnv *);

[[gnu::visibility("default"), maybe_unused]]
void zygisk_companion_entry(int);

} // extern "C"
--------------------------------------------------------------------------------