Hook uname to spoof kernel release version string

Co-authored-by: chiteroman <98092901+chiteroman@users.noreply.github.com>
2025-09-06 06:37:06 +00:00 · 2024-01-28 22:32:16 -04:00
parent fc8e5108de
commit 7997954f74
1 changed files with 52 additions and 10 deletions
--- a/app/src/main/cpp/main.cpp
+++ b/app/src/main/cpp/main.cpp
@@ -1,10 +1,11 @@
 #include <android/log.h>
 #include <sys/system_properties.h>
+#include <sys/utsname.h>
 #include <unistd.h>

 #include "zygisk.hpp"
-#include "dobby.h"
 #include "json.hpp"
+#include "dobby.h"

 #define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, "PIF/Native", __VA_ARGS__)

@@ -17,12 +18,13 @@ static int VERBOSE_LOGS = 0;

 static std::map<std::string, std::string> jsonProps;

+static std::string unameRelease;
+
 typedef void (*T_Callback)(void *, const char *, const char *, uint32_t);

 static std::map<void *, T_Callback> callbacks;

 static void modify_callback(void *cookie, const char *name, const char *value, uint32_t serial) {
-
    if (cookie == nullptr || name == nullptr || value == nullptr || !callbacks.contains(cookie)) return;

    const char *oldValue = value;
@@ -50,7 +52,7 @@ static void modify_callback(void *cookie, const char *name, const char *value, u
    }

    if (oldValue == value) {
-        if (VERBOSE_LOGS > 99) LOGD("[%s]: %s (unchanged)", name, value);
+        if (VERBOSE_LOGS > 99) LOGD("[%s]: %s (unchanged)", name, oldValue);
    } else {
        LOGD("[%s]: %s -> %s", name, oldValue, value);
    }
@@ -68,18 +70,46 @@ static void my_system_property_read_callback(const prop_info *pi, T_Callback cal
    return o_system_property_read_callback(pi, modify_callback, cookie);
 }

-static void doHook() {
+static int (*o_uname_callback)(struct utsname *);
+
+static int my_uname_callback(struct utsname *buf) {
+    auto ret = o_uname_callback(buf);
+
+    if (buf && ret == 0) {
+        const char *value = unameRelease.c_str();
+        const char *oldValue = buf->release;
+
+        if (unameRelease.empty() || oldValue == value) {
+            if (VERBOSE_LOGS > 2) LOGD("[uname_release]: %s (unchanged)", oldValue);
+        } else if (unameRelease.size() < SYS_NMLN) {
+            LOGD("[uname_release]: %s -> %s", oldValue, value);
+            strncpy(buf->release, value, unameRelease.size());
+        }
+    }
+
+    return ret;
+}
+
+static void doPropHook() {
    void *handle = DobbySymbolResolver(nullptr, "__system_property_read_callback");
    if (handle == nullptr) {
        LOGD("Couldn't find '__system_property_read_callback' handle");
        return;
    }
    LOGD("Found '__system_property_read_callback' handle at %p", handle);
-    DobbyHook(
-        handle,
-        reinterpret_cast<dobby_dummy_func_t>(my_system_property_read_callback),
-        reinterpret_cast<dobby_dummy_func_t *>(&o_system_property_read_callback)
-    );
+    DobbyHook(handle, reinterpret_cast<dobby_dummy_func_t>(my_system_property_read_callback),
+        reinterpret_cast<dobby_dummy_func_t *>(&o_system_property_read_callback));
+}
+
+static void doUnameHook() {
+    void *handle = DobbySymbolResolver(nullptr, "uname");
+    if (handle == nullptr) {
+        LOGD("Couldn't find 'uname' handle");
+        return;
+    }
+    LOGD("Found 'uname' handle at %p", handle);
+    DobbyHook(handle, reinterpret_cast<dobby_dummy_func_t>(my_uname_callback),
+        reinterpret_cast<dobby_dummy_func_t *>(&o_uname_callback));
 }

 class PlayIntegrityFix : public zygisk::ModuleBase {
@@ -168,7 +198,8 @@ public:
        if (dexVector.empty() || json.empty()) return;

        readJson();
-        doHook();
+        doPropHook();
+        doUnameHook();
        inject();

        dexVector.clear();
@@ -199,6 +230,17 @@ private:
            json.erase("VERBOSE_LOGS");
        }

+        // Parse kernel uname release string as a special case (neither field or property)
+        if (json.contains("uname_release")) {
+            if (VERBOSE_LOGS > 1) LOGD("Parsing uname_release");
+            if (!json["uname_release"].is_null() && json["uname_release"].is_string() && json["uname_release"] != "") {
+                unameRelease = json["uname_release"].get<std::string>();
+            } else {
+                LOGD("Error parsing uname_release!");
+            }
+            json.erase("uname_release");
+        }
+
        std::vector<std::string> eraseKeys;
        for (auto &jsonList: json.items()) {
            if (VERBOSE_LOGS > 1) LOGD("Parsing %s", jsonList.key().c_str());