android [experimental]: add xposed based hooking

2026-02-03 08:39:12 +00:00 · 2025-03-27 00:01:43 +05:30
parent 13340485b1
commit a206e04ba2
20 changed files with 1732 additions and 49 deletions
--- a/android/app/src/main/cpp/CMakeLists.txt
+++ b/android/app/src/main/cpp/CMakeLists.txt
@@ -0,0 +1,12 @@
+cmake_minimum_required(VERSION 3.22.1)
+
+project("l2c_fcr_hook")
+set(CMAKE_CXX_STANDARD 23)
+
+add_library(${CMAKE_PROJECT_NAME} SHARED
+        l2c_fcr_hook.cpp
+        l2c_fcr_hook.h)
+
+target_link_libraries(${CMAKE_PROJECT_NAME}
+        android
+        log)
--- a/android/app/src/main/cpp/l2c_fcr_hook.cpp
+++ b/android/app/src/main/cpp/l2c_fcr_hook.cpp
@@ -0,0 +1,140 @@
+/*
+ * AirPods like Normal (ALN) - Bringing Apple-only features to Linux and Android for seamless AirPods functionality!
+ *
+ * Copyright (C) 2024 Kavish Devar
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <cstdint>
+#include <cstring>
+#include <dlfcn.h>
+#include <android/log.h>
+#include <fstream>
+#include <string>
+#include <sys/system_properties.h>
+#include "l2c_fcr_hook.h"
+
+#define LOG_TAG "AirPodsHook"
+#define LOGI(...) __android_log_print(ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__)
+#define LOGE(...) __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__)
+
+static HookFunType hook_func = nullptr;
+
+static uint8_t (*original_l2c_fcr_chk_chan_modes)(void* p_ccb) = nullptr;
+
+uint8_t fake_l2c_fcr_chk_chan_modes([[maybe_unused]] void* p_ccb) {
+    LOGI("l2c_fcr_chk_chan_modes hooked! Always returning true");
+    return 1;
+}
+
+uintptr_t loadHookOffset([[maybe_unused]] const char* package_name) {
+    const char* property_name = "persist.aln.hook_offset";
+    char value[PROP_VALUE_MAX] = {0};
+
+    int len = __system_property_get(property_name, value);
+    if (len > 0) {
+        LOGI("Read hook offset from property: %s", value);
+
+        uintptr_t offset = 0;
+        if (value[0] == '0' && (value[1] == 'x' || value[1] == 'X')) {
+            sscanf(value + 2, "%x", &offset);
+        } else {
+            sscanf(value, "%x", &offset);
+        }
+
+        if (offset > 0) {
+            LOGI("Parsed offset: 0x%x", offset);
+            return offset;
+        }
+    }
+
+    LOGI("Failed to read offset from property, using hardcoded fallback");
+    return 0x00a55e30;
+}
+
+uintptr_t getModuleBase(const char *module_name) {
+    FILE *fp;
+    char line[1024];
+    uintptr_t base_addr = 0;
+
+    fp = fopen("/proc/self/maps", "r");
+    if (!fp) {
+        LOGE("Failed to open /proc/self/maps");
+        return 0;
+    }
+
+    while (fgets(line, sizeof(line), fp)) {
+        if (strstr(line, module_name)) {
+            char *start_addr_str = line;
+            char *end_addr_str = strchr(line, '-');
+            if (end_addr_str) {
+                *end_addr_str = '\0';
+                base_addr = strtoull(start_addr_str, nullptr, 16);
+                break;
+            }
+        }
+    }
+
+    fclose(fp);
+    return base_addr;
+}
+
+bool findAndHookFunction([[maybe_unused]] const char *library_path) {
+    if (!hook_func) {
+        LOGE("Hook function not initialized");
+        return false;
+    }
+
+    uintptr_t base_addr = getModuleBase("libbluetooth_jni.so");
+    if (!base_addr) {
+        LOGE("Failed to get base address of libbluetooth_jni.so");
+        return false;
+    }
+
+    uintptr_t offset = loadHookOffset(nullptr);
+
+    void* target = reinterpret_cast<void*>(base_addr + offset);
+    LOGI("Using offset: 0x%x, base: %p, target: %p", offset, (void*)base_addr, target);
+
+    int result = hook_func(target, (void*)fake_l2c_fcr_chk_chan_modes, (void**)&original_l2c_fcr_chk_chan_modes);
+
+    if (result == 0) {
+        LOGI("Successfully hooked l2c_fcr_chk_chan_modes");
+        return true;
+    } else {
+        LOGE("Failed to hook function, error: %d", result);
+        return false;
+    }
+}
+
+void on_library_loaded(const char *name, [[maybe_unused]] void *handle) {
+    if (strstr(name, "libbluetooth_jni.so")) {
+        LOGI("Detected Bluetooth library: %s", name);
+
+        bool hooked = findAndHookFunction(name);
+        if (!hooked) {
+            LOGE("Failed to hook Bluetooth library function");
+        }
+    }
+}
+
+extern "C" [[gnu::visibility("default")]] [[gnu::used]]
+NativeOnModuleLoaded native_init(const NativeAPIEntries* entries) {
+    LOGI("L2C FCR Hook module initialized");
+
+    hook_func = entries->hook_func;
+
+    return on_library_loaded;
+}
+
--- a/android/app/src/main/cpp/l2c_fcr_hook.h
+++ b/android/app/src/main/cpp/l2c_fcr_hook.h
@@ -0,0 +1,21 @@
+#pragma once
+
+#include <cstdint>
+#include <vector>
+
+typedef int (*HookFunType)(void *func, void *replace, void **backup);
+
+typedef int (*UnhookFunType)(void *func);
+
+typedef void (*NativeOnModuleLoaded)(const char *name, void *handle);
+
+typedef struct {
+    uint32_t version;
+    HookFunType hook_func;
+    UnhookFunType unhook_func;
+} NativeAPIEntries;
+
+[[maybe_unused]] typedef NativeOnModuleLoaded (*NativeInit)(const NativeAPIEntries *entries);
+
+uintptr_t loadHookOffset(const char* package_name);
+uintptr_t getModuleBase(const char *module_name);