Nice work man. Smali is an unreadable b!tch.

Hey, on my device, sailfish, system is mounted as /system/system. A way to detect this in pull-fileset and push-fileset would be appreciated.

I don't know what went wrong, but it's just not working! Followed the steps in the README.md file..
Nothing in the developer options, nothing :/

OPO with sultanxda's lineage ROM

bulk-patch-builder.txt

First of all I want to say incredible job on haystack and DexPatcher!!

I just applied the patches on my OnePlus 5T running OxygenOS (stock), Android 8.0. I ran your signature spoof test app and it confirmed that everything is working.
I then proceeded to installing my target app (a PlayStore stub), which I modified to include the fake signature in the values resource, as well as the permission in AndroidManifest.xml.
When installing the final APK, however, I get the following in logcat:

03-15 13:52:05.052: I/PackageManager(1410): Verification timed out for file:///data/app/vmdl887285932.tmp
03-15 13:52:05.053: I/PackageManager(1410): Continuing with installation of file:///data/app/vmdl887285932.tmp
03-15 13:52:05.177: W/PackageManager(1410): Package com.android.vending signatures do not match the previously installed version; ignoring!
03-15 13:52:05.177: W/PackageManager(1410): [ 03-15 13:52:05.194   976:  976 E/         ]
03-15 13:52:05.177: W/PackageManager(1410): Couldn't opendir /data/app/vmdl887285932.tmp: No such file or directory
03-15 13:52:05.194: E/installd(976): Failed to delete /data/app/vmdl887285932.tmp: No such file or directory
03-15 13:52:05.196: I/PackageManager(1410): error while grant permission
03-15 13:52:05.196: W/System.err(1410): java.lang.NullPointerException: Attempt to read from field 'android.content.pm.ApplicationInfo android.content.pm.PackageParser$Package.applicationInfo' on a null object reference
03-15 13:52:05.196: W/System.err(1410): 	at com.android.server.pm.PackageManagerService$PackageHandler.doHandleMessage(PackageManagerService.java:1796)
03-15 13:52:05.196: W/System.err(1410): 	at com.android.server.pm.PackageManagerService$PackageHandler.handleMessage(PackageManagerService.java:1536)
03-15 13:52:05.196: W/System.err(1410): 	at android.os.Handler.dispatchMessage(Handler.java:105)
03-15 13:52:05.196: W/System.err(1410): 	at android.os.Looper.loop(Looper.java:164)
03-15 13:52:05.196: W/System.err(1410): 	at android.os.HandlerThread.run(HandlerThread.java:65)
03-15 13:52:05.196: W/System.err(1410): 	at com.android.server.ServiceThread.run(ServiceThread.java:46)

Obviously the fake signature I added is the same as the APK currently installed on the device.

Am I doing anything wrong? Thanks!

Is this project still maintained?

When running ./patch-fileset command with the parameters, bash says
cp: illegal option -- t

OS: macOS Monterey 12.5.1
Shell: zsh
Target device: Samsung Galaxy Tab 7 lite/v (T116-ny), Android 7.1.2 (API level 25), Lineage OS

support for Pie is blocked by a javac bug that i describe here. i reported the bug to bugreport.java.com and it has been assigned internal review ID 9059540. the bug is present in both open-jdk 8 and 9.

UPDATE: bug has been accepted here.

(FYI: this report could be related.)

as a workaround you can apply the hook and core patches for android 8 on android 9 and they will provide always-on signature spoofing. but the optional UI patch for Oreo does not apply on Pie.

Log:

./patch-fileset patches/sigspoof-hook-7.0-9.0/ 25 fs-tab-3/
>>> target directory: fs-tab-3__sigspoof-hook-7.0-9.0
>>> apply patch: services.jar
>>> dexpatcher --api-level 25 --verbose --output fs-tab-3__sigspoof-hook-7.0-9.0/tmp/services.jar/patched-dex --multi-dex fs-tab-3/services.jar patches/sigspoof-hook-7.0-9.0/services.jar.dex
DexPatcher version 1.6.2 by Lanchon (https://dexpatcher.github.io/)
info: read 'fs-tab-3/services.jar'
fatal: exception: lanchon.multidexlib2.EmptyMultiDexContainerException: fs-tab-3/services.jar

I'm unsure what else to put in this bug report, consider putting a template. I wish that'd be enough but I have a good feeling it's not so feel free to ask/request any and all things.

Hey, i installed haystack on my sony z3c with lineageos 16 and newest stable magisk, i followed steps in the instruction and the "Signature spoofing" showed in the developers options but when i enable it the checker app still say that signature spoofing is disabled. I don't see allow_fake_signature_global in getprop command, i tried using "setprop allow_fake_signature_global 1" and then it showed in getprop command but it still say that signature spoofing is disabled in the checker app. Is there any way to fix it?

The following error is observed:

user@computer:/tmp/haystack-master$ ./pull-fileset spark
>>> target directory: spark
>>> adb pull /system/framework/framework.jar spark/
[100%] /system/framework/framework.jar
>>> adb pull /system/framework/framework2.jar spark/
adb: error: remote object '/system/framework/framework2.jar' does not exist
>>> adb pull /system/framework/core.jar spark/
adb: error: remote object '/system/framework/core.jar' does not exist
>>> adb pull /system/framework/core-libart.jar spark/
[100%] /system/framework/core-libart.jar
>>> adb pull /system/framework/core-oj.jar spark/
[100%] /system/framework/core-oj.jar
>>> adb pull /system/framework/ext.jar spark/
[100%] /system/framework/ext.jar
>>> adb pull /system/framework/services.jar spark/
[100%] /system/framework/services.jar
>>> adb pull /system/priv-app/Settings/Settings.apk spark/
[100%] /system/priv-app/Settings/Settings.apk

*** pull-fileset: success
user@computer:/tmp/haystack-master$ ./patch-fileset patches/sigspoof-hook-7.0/ 24 spark/
>>> target directory: spark__sigspoof-hook-7.0
>>> apply patch: services.jar
>>> dexpatcher --api-level 24 --verbose --output spark__sigspoof-hook-7.0/tmp/services.jar/patched-dex --multi-dex spark/services.jar patches/sigspoof-hook-7.0/services.jar.dex
info: read 'spark/services.jar'
info: read 'patches/sigspoof-hook-7.0/services.jar.dex'
info: write 'spark__sigspoof-hook-7.0/tmp/services.jar/patched-dex'
0 error(s), 0 warning(s)
>>> repack: services.jar
deleting: classes.dex
  adding: classes.dex (deflated 56%)

*** patch-fileset: success
user@computer:/tmp/haystack-master$ ./patch-fileset patches/sigspoof-hook-7.0/ 24 spark__sigspoof-hook-7.0/
>>> target directory: spark__sigspoof-hook-7.0__sigspoof-hook-7.0
>>> apply patch: services.jar
>>> dexpatcher --api-level 24 --verbose --output spark__sigspoof-hook-7.0__sigspoof-hook-7.0/tmp/services.jar/patched-dex --multi-dex spark__sigspoof-hook-7.0/services.jar patches/sigspoof-hook-7.0/services.jar.dex
info: read 'spark__sigspoof-hook-7.0/services.jar'
info: read 'patches/sigspoof-hook-7.0/services.jar.dex'
error: type 'com.android.server.pm.PackageManagerService': direct method 'source_Hook_generatePackageInfo(com.android.server.pm.PackageSetting, int, int):android.content.pm.PackageInfo': (PackageManagerService.java:37): already exists
error: type 'com.android.server.pm.GeneratePackageInfoHook': (GeneratePackageInfoHook.java:0): already exists
2 error(s), 0 warning(s)
user@computer:/tmp/haystack-master$ 

What am I doing wrong?

Not really sure what is going on here.... I'm using a bash script from a project called NanoMod that uses your project as a submodule, it's basically running this command:

>>> dexpatcher --api-level 25 --verbose --output mydevice__sigspoof-hook-7.0/tmp/services.jar/patched-dex --multi-dex /home/xenith/git/NanoMod/haystack/mydevice/services.jar /home/xenith/git/NanoMod/haystack/patches/sigspoof-hook-7.0/services.jar.dex

After which it reports the following errors:

info: read '/home/xenith/git/NanoMod/haystack/mydevice/services.jar'
info: read '/home/xenith/git/NanoMod/haystack/patches/sigspoof-hook-7.0/services.jar.dex'
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007f8b9ea1a004, pid=9834, tid=0x00007f8b825ed700
#
# JRE version: OpenJDK Runtime Environment (8.0_121-b14) (build 1.8.0_121-b14)
# Java VM: OpenJDK 64-Bit Server VM (25.121-b14 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# V  [libjvm.so+0xa6b004]
#
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# /home/xenith/git/NanoMod/haystack/hs_err_pid9834.log
#
# Compiler replay data is saved as:
# /home/xenith/git/NanoMod/haystack/replay_pid9834.log
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.java.com/bugreport/crash.jsp
#

I verified that this happens regardless of NanoMod, by using your repo directly and running the command via my own script, so the only reason I'm mentioning NanoMod is so you know why the paths are what they are.

replay_pid9834.log.txt
hs_err_pid9834.log.txt

What is the problem here?
How I can solve the issue?
My device is a Galaxy S4 on LOS 14.1 Android 7.1.2

user@PC:~/Downloads/haystack-master$ ./pull-fileset handymister>>> target directory: handymister

adb pull /system/framework/framework.jar handymister/
2152 KB/s (6589501 bytes in 2.989s)
adb pull /system/framework/framework2.jar handymister/
remote object '/system/framework/framework2.jar' does not exist
adb pull /system/framework/core.jar handymister/
remote object '/system/framework/core.jar' does not exist
adb pull /system/framework/core-libart.jar handymister/
1925 KB/s (1619827 bytes in 0.821s)
adb pull /system/framework/core-oj.jar handymister/
1955 KB/s (1829324 bytes in 0.913s)
adb pull /system/framework/ext.jar handymister/
1953 KB/s (2063458 bytes in 1.031s)
adb pull /system/framework/services.jar handymister/
1972 KB/s (3187210 bytes in 1.577s)
adb pull /system/priv-app/Settings/Settings.apk handymister/
2088 KB/s (30372936 bytes in 14.200s)
*** pull-fileset: success

user@PC:~/Downloads/haystack-master$ ./patch-fileset patches/sigspoof-hook-7.0/ 24 handymister/

target directory: handymister__sigspoof-hook-7.0
apply patch: services.jar
dexpatcher --api-level 24 --verbose --output handymister__sigspoof-hook-7.0/tmp/services.jar/patched-dex --multi-dex handymister/services.jar patches/sigspoof-hook-7.0/services.jar.dex
/home/handymister/Downloads/haystack-master/./.global: Zeile 34: java: Befehl nicht gefunden

EDIT: it was a fail from me: false JAVA version was installed

I am receiving an error message when patching sigspoof-ui-global-9.0, however hook and core were "success".

./patch-fileset patches/sigspoof-ui-global-9.0/ 28 miuiphone__sigspoof-hook-7.0-9.0__sigspoof-core/
>>> target directory: miuiphone__sigspoof-hook-7.0-9.0__sigspoof-core__sigspoof-ui-global-9.0
>>> apply patch: services.jar
>>> dexpatcher --api-level 28 --verbose --output miuiphone__sigspoof-hook-7.0-9.0__sigspoof-core__sigspoof-ui-global-9.0/tmp/services.jar/patched-dex --multi-dex miuiphone__sigspoof-hook-7.0-9.0__sigspoof-core/services.jar patches/sigspoof-ui-global-9.0/services.jar.dex
DexPatcher version 1.6.2 by Lanchon (https://dexpatcher.github.io/)
info: read 'miuiphone__sigspoof-hook-7.0-9.0__sigspoof-core/services.jar'
info: read 'patches/sigspoof-ui-global-9.0/services.jar.dex'
info: type 'com.android.server.pm.GeneratePackageInfoHook': method '<init>():void': implicit ignore of trivial default constructor
info: write 'miuiphone__sigspoof-hook-7.0-9.0__sigspoof-core__sigspoof-ui-global-9.0/tmp/services.jar/patched-dex'
0 error(s), 0 warning(s)
>>> repack: services.jar
deleting: classes.dex
  adding: classes.dex (stored 0%)
>>> apply patch: Settings.apk
>>> dexpatcher --api-level 28 --verbose --output miuiphone__sigspoof-hook-7.0-9.0__sigspoof-core__sigspoof-ui-global-9.0/tmp/Settings.apk/patched-dex --multi-dex miuiphone__sigspoof-hook-7.0-9.0__sigspoof-core/Settings.apk patches/sigspoof-ui-global-9.0/Settings.apk.dex
DexPatcher version 1.6.2 by Lanchon (https://dexpatcher.github.io/)
info: read 'miuiphone__sigspoof-hook-7.0-9.0__sigspoof-core/Settings.apk'
info: read 'patches/sigspoof-ui-global-9.0/Settings.apk.dex'
error: type 'com.android.settings.development.DevelopmentSettingsDashboardFragment': method 'buildPreferenceControllers(android.content.Context, android.app.Activity, com.android.settingslib.core.lifecycle.Lifecycle, com.android.settings.development.DevelopmentSettingsDashboardFragment, com.android.settings.development.BluetoothA2dpConfigStore):java.util.List': target not found
1 error(s), 0 warning(s)

Hi @Lanchon

For first sorry for bad english

Suggestion:
Modify and improve patches for android 6+ (if it is possible) to make them check if android.permission.FAKE_PACKAGE_SIGNATURE declared in ROM then behave accordingly to system features.

I made small fake app for @Nanolx NanoDroid patcher that add info about signatire spoofing and declares FAKE_PACKAGE_SIGNATURE permission.

That is what I'm talking about https://gitlab.com/Nanolx/NanoDroid/issues/53

So, if we change android:protectionLevel in AndroidManifest.xml from normal to dangerous it became possible to ask, grant, deny and manage this permission, but patched system ignores this and grant this permission by default to all apps. (Anyway, we can still see ask permission dialog for this permission if protectionLevel is dangerous)

It would be great if patched system will check if fake pachage signature permission is allready declared in system (and managable) and grant this permission according to settings to each app like other dangerous permissions and grant by default to all if not declared or declared as normal and so on.

If it possible it will be FULL signsture spoofing support patch with managing :)

Thanks

I am trying to build microg rom for cosmo communicator, but i got stuck on patching services.jar, or to rather say, I deodex it, apply patches sigspoof-hook-7.0-9.0/services.jar.dex and sigspoof-core/services.jar.dex, but Signature Spoofing Checker says spoofing is disabled.

May I ask you for advice what is wrong as I am stuck. I am using HEAD from this repo.

I have wrote a little script to do it automatically (trying to build microg rom for cosmo communicator), are the main part.

Deodexing:

./vdexExtractor --input=${vdex} --output=${tmpdir}
./compact_dex_converter -v ${tmpdir}/services_classes.cdex
zip -j -u ${tmpdir}/services.jar ${tmpdir}/classes*.dex

The process completes and services.jar has classes.dex file inside. This is the output:

Deodexing system.img/system/framework/oat/arm64/services.vdex...
[INFO] Processing 1 file(s) from system.img/system/framework/oat/arm64/services.vdex
[INFO] 1 out of 1 Vdex files have been processed
[INFO] 1 Dex files have been extracted in total
[INFO] Extracted Dex files are available in 'tmp'
Converting cdex tmp/services_classes.cdex to classes.dex...
Opened 'tmp/services_classes.cdex', DEX version '001'
compact_dex_converter W 07-12 15:57:28 26283 26283 dex_file_verifier.cc:318] Ignoring bad checksum (e39ab0e5, expected 891d674b)
compact_dex_converter W 07-12 15:57:28 26283 26283 dex_file_verifier.cc:318] Ignoring bad checksum (e39ab0e5, expected 891d674b)
compact_dex_converter I 07-12 15:57:29 26283 26283 compact_dex_converter_main.cc:175] StandardDex file successfully extracted to tmp/services_classes.cdex.new
Injecting classes.dex into tmp/services.jar
updating: classes.dex (deflated 55%)

Patching:

apilevel="28"
mkdir -p ${tmpdir}/patch_hook
java -jar ${dexpatcher} \
    --api-level ${apilevel} \
    --verbose \
    --output ${tmpdir}/patch_hook/ \
    --multi-dex \
    ${tmpdir}/services.jar \
    ${patch_hook}
zip -j -u ${tmpdir}/services.jar ${tmpdir}/patch_hook/classes*.dex

java -jar ${dexpatcher} \
    --api-level ${apilevel} \
    --verbose \
    --output ${tmpdir}/patch_core/ \
    --multi-dex \
    ${tmpdir}/services.jar \
    ${patch_core}
zip -j -u ${tmpdir}/services.jar ${tmpdir}/patch_core/classes*.dex

Again everything passes fine, 0 errors, 0 warnings:

Patching tmp/services.jar with ./haystack/sigspoof-hook-7.0-9.0/services.jar.dex
DexPatcher version 1.8.0-beta1 by Lanchon (https://dexpatcher.github.io/)
info: read 'tmp/services.jar'
info: read './haystack/sigspoof-hook-7.0-9.0/services.jar.dex'
info: type 'com.android.server.pm.PackageManagerService': method '<init>():void': implicit ignore of trivial default constructor
info: write 'tmp/patch_hook'
0 error(s), 0 warning(s)
Injecting  tmp/patch_hook/classes.dex into tmp/services.jar
updating: classes.dex (deflated 56%)
Patching tmp/services.jar with ./haystack/sigspoof-core/services.jar.dex
DexPatcher version 1.8.0-beta1 by Lanchon (https://dexpatcher.github.io/)
info: read 'tmp/services.jar'
info: read './haystack/sigspoof-core/services.jar.dex'
info: type 'com.android.server.pm.GeneratePackageInfoHook': method '<init>():void': implicit ignore of trivial default constructor
info: write 'tmp/patch_core'
0 error(s), 0 warning(s)
Injecting  tmp/patch_core/classes.dex into tmp/services.jar
updating: classes.dex (deflated 56%)

cp services.jar  system.img/system/framework/services.jar
rm -f system.img/system/framework/oat/arm64/services.*

The ROM is flashed to the device but the Signature Spoofing Checker says
"Signature Spoofing: DISABLED"

getprop allow_fake_signature_global

returns empty line

I have searched for a potential reason a lot but as most people have issues with deodexing which is not case here...

Thank you for any help in advance.

Keep getting this error:

$ ./dedex-fileset fs-galaxy fs-dedexed-galaxy
'>>>' target directory: fs-dedexed-galaxy
/path/to/haystack-master/./.global: line 44: d2j-dex2jar: command not found

Any ideas why?

I'm trying to patch the pulled fileset on macOS, but I'm getting the following error:

./patch-fileset patches/sigspoof-hook-7.0/ 23 fs-oneplus3t/
readlink: illegal option -- f
usage: readlink [-n] [file ...]
readlink: illegal option -- f
usage: readlink [-n] [file ...]
>>> target directory: fs-oneplus3t__sigspoof-hook-7.0
cp: illegal option -- t
usage: cp [-R [-H | -L | -P]] [-fi | -n] [-apvX] source_file target_file
       cp [-R [-H | -L | -P]] [-fi | -n] [-apvX] source_file ... target_directory

It seems like readlink is deprecated on macOS or something, how should I proceed?

Hi this is first time i hear about faking google signature
my phone is too slow with google apps ( playstore and playservices )
i really want to use this patch , i need this patch , i try many times but get error

can you do patch for me?
here is the files
https://mega.nz/#!cAdGlKzA!JAdAvJ1Z674BFMCyXX0dT-BDG_uj-F_zguf_39rO46s

thanks alot for your help

Thanks for making this piece of software!

I'd like to use it with CopperheadOS, which does not support making modifications to their signed images unless you repackage it and sign it with your own key (source: 2. answer). (In other words: the adb method will not work.)

Here's what I do instead of pull-files (for reproducing):

# download and extract system.img
wget "https://builds.copperhead.co/builds/bullhead-factory-2016.11.10.09.53.38.tar.xz"
tar -xvf bullhead-factory-2016.11.10.09.53.38.tar.xz
mkdir bullhead-nbd91p
cd bullhead-nbd91p
unzip ../bullhead-nbd91p/image-bullhead-nbd91p.zip
simg2img system.img system.raw.img

# mount it
sudo mkdir /mnt/copperheados
sudo mount -t ext4 -o loop system.raw.img /mnt/copperheados

# copy over all files
PATCHME=(
        framework/framework.jar
        framework/core-libart.jar
        framework/core-oj.jar
        framework/ext.jar
        framework/services.jar
        priv-app/Settings/Settings.apk
)
mkdir patchdir-bullhead-nbd91p
for file in "${PATCHME[@]}"; do
        cp -v /mnt/copperheados/$file patchdir-bullhead-nbd91p
done

patch-fileset fails now:

~ ./patch-fileset patches/sigspoof-hook-7.0/ 24 /home/builder/Downloads/CopperheadOS/patchdir-bullhead-nbd91p --dry-run
>>> apply patch: services.jar
>>> dexpatcher --api-level 24 --verbose --dry-run --multi-dex /home/builder/Downloads/CopperheadOS/patchdir-bullhead-nbd91p/services.jar patches/sigspoof-hook-7.0/services.jar.dex
info: read '/home/builder/Downloads/CopperheadOS/patchdir-bullhead-nbd91p/services.jar'
info: read 'patches/sigspoof-hook-7.0/services.jar.dex'
error: type 'com.android.server.pm.PackageManagerService': (PackageManagerService.java:0): target not found
1 error(s), 0 warning(s)

~ ./patch-fileset patches/sigspoof-core/ 24 /mnt/image-bullhead-nbd91p-system/framework/ --dry-run
>>> apply patch: services.jar
>>> dexpatcher --api-level 24 --verbose --dry-run --multi-dex /mnt/image-bullhead-nbd91p-system/framework/services.jar patches/sigspoof-core/services.jar.dex
info: read '/mnt/image-bullhead-nbd91p-system/framework/services.jar'
info: read 'patches/sigspoof-core/services.jar.dex'
error: type 'com.android.server.pm.GeneratePackageInfoHook': (GeneratePackageInfoHook.java:0): target not found
1 error(s), 0 warning(s)

~ ./patch-fileset patches/sigspoof-ui-global-7.0/ 24 /home/builder/Downloads/CopperheadOS/patchdir-bullhead-nbd91p/ --dry-run
>>> apply patch: Settings.apk
>>> dexpatcher --api-level 24 --verbose --dry-run --multi-dex /home/builder/Downloads/CopperheadOS/patchdir-bullhead-nbd91p/Settings.apk patches/sigspoof-ui-global-7.0/Settings.apk.dex
info: read '/home/builder/Downloads/CopperheadOS/patchdir-bullhead-nbd91p/Settings.apk'
info: read 'patches/sigspoof-ui-global-7.0/Settings.apk.dex'
error: type 'com.android.settings.DevelopmentSettings': (DevelopmentSettings.java:0): target not found
1 error(s), 0 warning(s)

What does this mean? Is there a fix or workaround?
Thanks a lot!

When I apply the UI patches on LineageOS 14.1 for the Amazon Fire 7 tablet (https://xdaforums.com/t/rom-unlocked-ford-austin-lineage-14-1-21-jun-2023.3962457/) this error appears:

fatal: exception: org.jf.dexlib2.dexbacked.DexBackedDexFile$NotADexFile: Not a valid dex magic value: 50 4b 03 04 0a 00 00 08

Huawei EMUI 4.1.1 (Android 6.0)

[root@root haystack-master]# ./patch-fileset patches/sigspoof-ui-global-4.1-6.0/ 23 files__sigspoof-hook-4.1-6.0__sigspoof-core/

target directory: files__sigspoof-hook-4.1-6.0__sigspoof-core__sigspoof-ui-global-4.1-6.0
apply patch: Settings.apk
dexpatcher --api-level 23 --verbose --output files__sigspoof-hook-4.1-6.0__sigspoof-core__sigspoof-ui-global-4.1-6.0/tmp/Settings.apk/patched-dex --multi-dex files__sigspoof-hook-4.1-6.0__sigspoof-core/Settings.apk patches/sigspoof-ui-global-4.1-6.0/Settings.apk.dex
info: read 'files__sigspoof-hook-4.1-6.0__sigspoof-core/Settings.apk'
info: read 'patches/sigspoof-ui-global-4.1-6.0/Settings.apk.dex'
error: type 'com.android.settings.DevelopmentSettings': direct method 'source_FakeSignatureGlobalUI_updateAllOptions():void': target 'updateAllOptions': (DevelopmentSettings.java:152): target not found
1 error(s), 0 warning(s)

Script Suggestion

Just wanted to give some suggestions for modifications.

Firstly in the .global file, shouldn't the array "fs_framework_jars" include more values? Like so:

fs_framework_jars=( ext.jar services.jar core-libart.jar core-oj.jar core.jar )

This would mitigate the need for some of the code in pulling/pushing certain files by name. And actually it seems that framework.jar and framework2.jar should be in there as well. I tested this on a push command and it successfully pushed all jar files.

Pixel (XL) compatibility

Unfortunately the remount command doesn't work the same on the Pixel (XL) phones. ADB isn't the issue, it's the phones themselves. However if you reboot into TWRP and manually mount system then the script works fine except for one thing, the different folder structure.

On the Pixel (XL), when in TWRP recovery, the actual root of "system" is "/system/system/" (not just "/system/"). The pull command works fine when the device is booted to the OS (and properly rooted), but the push command fails when trying to push files after a false indication of a successful remount. Below is a rewritten "push-fileset" script for Pixel (XL) - to be used in TWRP after manually mounting /system.

push-fileset (modified)

#!/bin/bash

set -e

base_suffix=.
source "$(dirname "$(readlink -f "$0")")/$base_suffix/.global"

if [ "$1" == "" ]; then
    usage "push-fileset <fileset-dir> [ <adb-option> ... ]"
fi

fileset_dir="${1%/}"
adb_options=( "${@:2}" )

check_fileset "$fileset_dir"
check_adb

run_adb root || true
#run_adb wait-for-device
run_adb remount || true

run_adb push "$fileset_dir/framework.jar" "/system/system/framework/" ||
echo ""

if [ -f "$fileset_dir/framework2.jar" ]; then
    run_adb push "$fileset_dir/framework2.jar" "/system/system/framework/"
    echo ""
fi

# TODO: Support the two versions of core jars that KK devices have.

for file in "${fs_framework_jars[@]}"; do
    run_adb push "$fileset_dir/$file" "/system/system/framework/" ||
    echo ""
done

for file in "${fs_priv_apps[@]}"; do
    run_adb push "$fileset_dir/$file" "/system/system/priv-app/${file%.apk}/" ||
        run_adb push "$fileset_dir/$file" "/system/priv-app/" ||
        run_adb push "$fileset_dir/$file" "/system/app/"
        echo ""
done

for file in "${fs_non_priv_apps[@]}"; do
    run_adb push "$fileset_dir/$file" "/system/app/${file%.apk}/" ||
        run_adb push "$fileset_dir/$file" "/system/system/app/${file%.apk}/" ||
        run_adb push "$fileset_dir/$file" "/system/app/"
        echo ""
done

echo
echo "*** push-fileset: success"

The will not likely work as expected for all other devices. This modification allows compatibility for the Pixel and Pixel XL as long as you are in TWRP with /system mounted as rw. Note that you will also want to modify the fs_framework_jars array I mentioned above in the .global file. (You'll need to enable hidden files to see it - CTRL+H in Ubuntu with default file browser).

As a side project, I intend to try my skills at learning bash on a deeper level and rewriting the 3 main scripts to better account for different possibilities, and I'll probably rewrite the intent for using TWRP, or add options to choose TWRP or "in-OS" functionality.

I'm hopelessly tied to MicroG and all its awesomeness so I need signature spoofing!! Further developing these scripts to be slightly easier to use will greatly benefit my future "custom ROM fashing" endeavors anyways!

I'll post them once I have a complete set.

There might be a case where there is a critical upgrade for a bug but you don't have a computer around so you have to chose between a OS update or MicroG services support. The question is, if we have root why can't we patch these files on the device itself?

Back in late 2016 I put the official CM 10 on my Sony Ericsson Xperia Mini, added UnifiedNLP, MicroG, modified settings.apk so that signature spoofing worked as confirmed in the small test app. I has worked well since. Now I just got a second device to test out the unofficial 13.0 build as this android 6.0.1 allows certain apps which otherwise seem to fail or not install on android 4.2. Can't remember what I used to patch it back then but have just tried to use haystack to do it now with 13.

So here some links about this ROM:

https://forum.xda-developers.com/xperia-arc/development/dev-2011-unofficial-cyanogenmod-13-0-t3323975

https://github.com/LegacyXperia/Wiki/wiki/Installing-Marshmallow

They seem to want you to flash GAPPS during the initial installation. I refrained. The OS looks really nice, everything seems to work including apps which would not work on CM-10, but am now wanting to set up signature spoofing, MicroG for play services and unifiedNLP for network location.

Here's what happened when I tried:

$ ./pull-fileset fs-oneplus2
>>> target directory: fs-oneplus2
>>> adb pull /system/framework/framework.jar fs-oneplus2/
7 KB/s (310 bytes in 0.040s)
>>> adb pull /system/framework/framework2.jar fs-oneplus2/
remote object '/system/framework/framework2.jar' does not exist
>>> adb pull /system/framework/core.jar fs-oneplus2/
remote object '/system/framework/core.jar' does not exist
>>> adb pull /system/framework/core-libart.jar fs-oneplus2/
231 KB/s (19887 bytes in 0.083s)
>>> adb pull /system/framework/core-oj.jar fs-oneplus2/
remote object '/system/framework/core-oj.jar' does not exist
>>> adb pull /system/framework/ext.jar fs-oneplus2/
5175 KB/s (1596347 bytes in 0.301s)
>>> adb pull /system/framework/services.jar fs-oneplus2/
7 KB/s (310 bytes in 0.043s)
>>> adb pull /system/priv-app/Settings/Settings.apk fs-oneplus2/
7626 KB/s (26284269 bytes in 3.365s)

*** pull-fileset: success

$ ls -la fs-oneplus2
insgesamt 27268
drwxr-xr-x  2 aktivkole aktivkole     4096 Jan  2 09:13 .
drwxr-xr-x 11 aktivkole aktivkole     4096 Jan  2 09:29 ..
-rw-r--r--  1 aktivkole aktivkole    19887 Jan  2 09:13 core-libart.jar
-rw-r--r--  1 aktivkole aktivkole  1596347 Jan  2 09:13 ext.jar
-rw-r--r--  1 aktivkole aktivkole      310 Jan  2 09:13 framework.jar
-rw-r--r--  1 aktivkole aktivkole      310 Jan  2 09:13 services.jar
-rw-r--r--  1 aktivkole aktivkole 26284269 Jan  2 09:13 Settings.apk


 $ ./patch-fileset patches/sigspoof-hook-4.1-6.0/ 23 fs-oneplus2/
>>> target directory: fs-oneplus2__sigspoof-hook-4.1-6.0
>>> apply patch: services.jar
>>> dexpatcher --api-level 23 --verbose --output fs-oneplus2__sigspoof-hook-4.1-6.0/tmp/services.jar/patched-dex --multi-dex fs-oneplus2/services.jar patches/sigspoof-hook-4.1-6.0/services.jar.dex
info: read 'fs-oneplus2/services.jar'
fatal: exception: lanchon.multidexlib2.EmptyMultiDexContainerException: fs-oneplus2/services.jar

So yes, I kept it easy by using your direcory name fs-oneplus2 but it has crashed with the message that services.jar is empty. Any ideas how to fix this? Would really like to get it to work..

Versions

• OS: Android Oreo 8.1.0 / LineageOS 15.1
• Haystack Version version: 9fcfa61 on 1 Oct 2017

Steps to reproduce the problem

1. System with Android Oreo 8.1.0 / LineageOS 15.1
2. Unlock developer settings by tapping build number
3. Activate USB Debugging and ADB Root
4. Use haystack to patch the files
5. Search for additional Signature Spoofing switch in Developer settings ==> MISSING
6. Install Singature Spoofing Checker App https://github.com/Lanchon/sigspoof-checker
7. Check Siganture Spoofing with the App ==> NO SIGNATURE SPOOFING

Expected behavior

• Signature Spoofing switch in developer settings
• Signature spoofing activateable

Actual behavior

• No Signature Spoofing setting in Developer settings
• No signature spoofing possible

Background information

• Android changed the menu structure of the settings, so that the setting patching "haystack/patches-src/sigspoof-ui-global-7.0-7.1/Settings.apk/DevelopmentSettings.java" does not work anymore

Tried solutions:

• (failed) Evasion: Do not check for the Signature Spoofing setting and activate always
  • "haystack/patches-src/sigspoof-core/services.jar/GeneratePackageInfoHook.java"
  • Exchange lines 42, 43:
    return Settings.Secure.getInt(context.getContentResolver(), FakeSignatureGlobalUI.SECURE_SETTING, 0) != 0;
    by
    return true;
  • Execute "haystack/bulk-patch-builder/build-all"
  • Try patching of system files via haystack on a new system (without prior haystack patching)
  • Result: Signature spoofing app ==> NO SIGNATURE SPOOFING
  • Result: Test signaure spoofing with microg and app requiring GSF ==> NOT WORKING

Is it theoretically possible to run Haystack directly on a rooted Android device?

Which command can I use to enable signature spoofing without UI part? It's disabled by default. Can I use a shell command for that, such as adb shell setprop allow_fake_signature_global 1 (doesn't work just in case)?

Hi, I was attempting to patch my ROM with haystack and after some tinkering I got the pull-fileset command to run without any issues. But whenever I go to apply a patch, I consistently get this error:

error: type 'com.android.server.pm.GeneratePackageInfoHook': target not found

I have no clue what this means or how to fix it, and any help would be appreciated.

In case its relevant, I'm trying to patch an LG K20 running stock ROM that I have successfully deodexed. I had to use Amaze File Explorer to go into system/priv-app and rename "LGSettings" to "Settings" for the pull-fileset command to work properly. The patch I'm trying to apply is sigspoof-ui-global-7.0-7.1, but I get the same error with sigspoof-core and sigspoof-hook-7.0-9.0. Here's the full output of the command:

target directory: fs-k20__sigspoof-ui-global-7.0-7.1
apply patch: services.jar
dexpatcher --api-level 24 --verbose --output fs-k20__sigspoof-ui-global-7.0-7.1/tmp/services.jar/patched-dex --multi-dex fs-k20/services.jar patches/sigspoof-ui-global-7.0-7.1/services.jar.dex
DexPatcher version 1.6.2 by Lanchon (https://dexpatcher.github.io/)
info: read 'fs-k20/services.jar'
info: read 'patches/sigspoof-ui-global-7.0-7.1/services.jar.dex'
error: type 'com.android.server.pm.GeneratePackageInfoHook': target not found
1 error(s), 0 warning(s)

I'm not sure if this error is a result of the stock ROM being too customized to patch or something along those lines, but just in case it's something else, I figured I'd ask. Once again, any help is appreciated, thank you!

I followed your instructions and used the API level 23. However I am using nougat and I realized the latest api is 25.

When I try to run the script again, it says error already exists

error: type 'com.android.server.pm.GeneratePackageInfoHook': direct method 'getGlobalEnable(android.content.pm.PackageInfo, android.content.Context, android.content.pm.PackageParser$Package, int, int):boolean': (GeneratePackageInfoHook.java:50): already exists
error: type 'com.android.server.pm.GeneratePackageInfoHook': direct method 'getPerAppEnable(android.content.pm.PackageInfo, android.content.Context, android.content.pm.PackageParser$Package, int, int):boolean': (GeneratePackageInfoHook.java:45): already exists
error: type 'com.android.server.pm.GeneratePackageInfoHook$FakeSignatureCore': (GeneratePackageInfoHook.java:0): already exists

How do I recompile the patch with an updated api level to 25? I tried pull-fileset again but it pulls the already patched files, I didn't make a backup of the original.

More importantly, will using API 25 instead of 23 on Nougat make any difference? Thanks

Hi!

Thank you for this great tool. I am trying to patch (the rooted) Android 7.1.1 on my Xperia Z5 compact. Pulling the files worked without problems, but when I applied the patch for the hook using

./patch-fileset patches/sigspoof-hook-7.0-7.1/ 25 kompakt/

I get the following error message:

info: read 'kompakt/services.jar'
fatal: exception: lanchon.multidexlib2.EmptyMultiDexContainerException: kompakt/services.jar

I have to admit that I have no idea what this means. Could you please help me to solve this?

Thank you,
Matthias

This isn't an issue, but I couldn't find a way to post feedback on GitHub, there is only an Issues section. Anyway, for the longest time I used Tingle, and it "just worked".....but it only patches framework.jar. The Haystack patch covers every framework JAR file that is involved in sig spoofing, and even gives an UI for toggling it on/off! Very nice, Tingle doesnt do that. I am a convert! It takes a few more minutes and a few more commands, but if you follow the instructions carefully it will work. I got it right on the first try, I primarily use Windows but have an intermediate level of skill with multiple Linux distros.

Downsides:

1. This patch is primarily geared towards Linux users, not so easy to apply if you run Windows. Tingle ran just fine in Windows since it only uses Java and Python. You should consider making it easier to use for people who run the world's most dominant PC OS.

2. Gives a global on/off toggle in developer settings, which seems to grant sig spoofing perms to any/all apps without confirmation. Like for instance, after applying your patch and installing sig spoof checker, it makes no difference whether I click deny or accept, the checker always shows that spoofing is enabled. Whereas before the patch it would say disabled if I clicked deny and enabled if I clicked accept. You might be wondering, if my ROM already had the sigspoof patch, then why run Haystack? Well, mainly because the devs half-assed it. When installing the MicroG app, I just have to click a button in self-check and MicroG says that spoofing is enabled. But it doesn't work for Play Store, MicroG says that Play Store doesn't have the right sig, which means that spoofing perm isn't granted to it. And there is no way to grant it, through an interface or whatever. I would like to see a refined interface that gives a way to grant/deny spoofing perm per app, like a list of installed apps (including system apps), then the user can just toggle it on for those that need it but have no way to request it. A global toggle is convenient but would seem to pose a security risk.

Thanks for your work!

Maciek@SkyNet2 /cygdrive/c/Users/Maciek/Desktop/haystack-master
$ ./patch-fileset patches/sigspoof-hook-4.1-6.0/ 25 d855/
>>> target directory: d855__sigspoof-hook-4.1-6.0
>>> apply patch: services.jar
>>> dexpatcher --api-level 25 --verbose --output d855__sigspoof-hook-4.1-6.0/tmp/services.jar/patched-dex --multi-dex d855/services.jar patches/sigspoof-hook-4.1-6.0/services.jar.dex
Error: Unable to access jarfile /cygdrive/c/Users/Maciek/Desktop/haystack-master/./dexpatcher/dexpatcher-1.2.0-beta2.1.jar

Running on Windows 8.1 with Cygwin. Tried with jdk 1.8.0_121 x86_64 and i586.

There is Unified NLP as a part of MicroG. Since Android N, Unified NLP is not loaded because Android OS no longer loads GPS providers from non /system/app folder. @danielegobbetti has created and @mar-v-in has accepted a patch changing android_frameworks_base in an attempt to address this. Can you please also add it?

Am very impressed by how these scripts run, but it seems that settings.apk is being pulled from one place by the scripts and pushed back to somewhere else, so after reboot, all apps take time to renew themselves, but can't find anything new in settings or developer options. Of course the spoofing detector app is showing red for no spoofing.

The attached file shows the all the commands and their outputs from my terminal window. I tried to put the file manually where it came from but it didn't seem to want to go.

The device is a Sony Ericsson Xperia Mini with Cyanogenmod 10 and Android 4.2. Would be great to get this signature spoofing to work for MicroG, just flashed 10 back onto it for this. The inspiration to install MicroG btw came after @ale-5000-git suggested it here

Any idea how to fix this?
haystack_log2.txt