
Resolve side-channel detection from com.reveny.nativecheck#655

Merged: JingMatrix merged 3 commits into master from detection on Apr 12, 2026

Conversation

@JingMatrix (Owner)
This side-channel attack is obvious from the repeating logs:

```
[ 2026-04-12T11:27:03.720        0:  7196:  7196 V/zygisk-core64   ] pre specialize [com.reveny.nativecheck:iso:com.reveny.nativecheck.app.isolated.IsolatedService:iso.detections]
[ 2026-04-12T11:27:03.720        0:  7196:  7196 V/zygisk-core64   ] Found isolated service [uid:10220, data_dir:/data/user/0/com.reveny.nativecheck]
[ 2026-04-12T11:27:08.747     1000:  1706:  4352 D/VectorZygiskBridge ] onTransact: action=GET_BINDER, callerUid=10220
...
[ 2026-04-12T11:27:08.825     1000:  1706:  1816 D/VectorZygiskBridge ] onTransact: action=GET_BINDER, callerUid=10220
[ 2026-04-12T11:27:08.826        0:  1349:  1558 D/VectorService   ] Skipped lsp23.probe/10220
[ 2026-04-12T11:27:08.826     1000:  1706:  4352 D/VectorZygiskBridge ] onTransact: action=GET_BINDER, callerUid=10220
[ 2026-04-12T11:27:08.826        0:  1349:  1558 D/VectorService   ] Skipped lsp23.probe/10220
[ 2026-04-12T11:27:08.826     1000:  1706:  1816 D/VectorZygiskBridge ] onTransact: action=GET_BINDER, callerUid=10220
[ 2026-04-12T11:27:08.826        0:  1349:  1558 D/VectorService   ] Skipped lsp23.probe/10220
[ 2026-04-12T11:27:08.826     1000:  1706:  4352 D/VectorZygiskBridge ] onTransact: action=GET_BINDER, callerUid=10220
[ 2026-04-12T11:27:08.827        0:  1349:  1558 D/VectorService   ] Skipped lsp23.probe/10220
[ 2026-04-12T11:27:10.234        0:   981:   981 W/zygiskd64       ] zygiskd::zygiskd: Error handling connection: failed to fill whole buffer
```

We will address this soon in ipc_bridge.cpp.

JingMatrix linked an issue on Apr 12, 2026 that may be closed by this pull request
This side-channel attack is obvious from the repeating logs: An isolated service (`com.reveny.nativecheck.app.isolated.IsolatedService`) intentionally spams Binder transactions to trigger our IPC hook.

In the previous implementation, if a transaction failed, the caller's ID was stored in `g_last_failed_id`. However, the state was immediately cleared on the caller's next transaction. This created a predictable, alternating loop (Intercept -> Fail -> Bypass/Clear -> Intercept) that allowed the isolated process to detect the presence of the hook via timing/behavioral observation.

We fix the flaw by keeping the failing caller in a persistent bypassed state. `g_last_failed_id` is now only reset when a different caller attempts a transaction. This effectively breaks the loop and silences the side-channel leak against continuous transaction spam.

Additionally, this commit includes minor fixes discovered during debugging:
- module.cpp: Fix invalid fmt placeholder (`%d` -> `{}`) in isolated process log.
- ManagerService.kt: Fix logical order to save verbose logging preference before applying the LogcatMonitor state.
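As an added example, not code from the Vector project or this pull request: a model of the two `g_last_failed_id` policies described above, run over constructed caller traces so the observable difference is visible. It assumes every intercepted transaction fails (as the trace above shows) and uses the PR body's reset rule, where a different caller replaces the stored id; `kNoCaller`, `Bridge`, `observe` and `flip_ratio` are names chosen here.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Sentinel meaning "no caller is currently in the failed/bypassed state" (stands in for ~0).
constexpr uint32_t kNoCaller = ~0u;

struct Bridge {
    bool persistent_bypass;            // false: previous behaviour, true: fixed behaviour
    uint32_t last_failed = kNoCaller;  // stands in for g_last_failed_id

    // Returns 'B' if the hook lets the transaction through untouched, 'I' if it intercepts it.
    // Assumption (constructed): every intercepted transaction fails, as in the log trace.
    char on_transact(uint32_t caller) {
        if (caller == last_failed) {
            if (!persistent_bypass) last_failed = kNoCaller;  // old code: cleared on the next call
            return 'B';
        }
        last_failed = caller;  // intercept; a different caller replaces the stored id
        return 'I';
    }
};

// Runs a constructed trace of caller uids through the bridge and returns the per-call outcome
// sequence, i.e. what a probing process can observe from its side.
std::string observe(bool persistent_bypass, const std::vector<uint32_t>& callers) {
    Bridge bridge{persistent_bypass};
    std::string seen;
    for (uint32_t uid : callers) seen.push_back(bridge.on_transact(uid));
    return seen;
}

// Detector-side heuristic: an outcome sequence that flips on (almost) every call is the
// side channel. Returns the fraction of adjacent pairs whose outcome differs.
double flip_ratio(const std::string& seen) {
    if (seen.size() < 2) return 0.0;
    size_t flips = 0;
    for (size_t i = 1; i < seen.size(); ++i) flips += (seen[i] != seen[i - 1]);
    return static_cast<double>(flips) / static_cast<double>(seen.size() - 1);
}

int main() {
    std::vector<uint32_t> spam(8, 10220);  // constructed: one isolated process hammering the bridge
    for (bool fixed : {false, true}) {
        std::string seen = observe(fixed, spam);
        std::printf("%s: %s (flip ratio %.2f)\n", fixed ? "fixed" : "old", seen.c_str(), flip_ratio(seen));
    }
    return 0;
}
```

The old policy yields a strict I/B alternation for a single spamming caller, while the fixed policy settles into a steady state after the first failure, so the caller sees nothing that changes from call to call.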
JingMatrix changed the title from "[WIP] Resolve side-channel detection from com.reveny.nativecheck" to "Resolve side-channel detection from com.reveny.nativecheck" on Apr 12, 2026
JingMatrix marked this pull request as ready for review on April 12, 2026 10:13
We only explicitly reset it to ~0 when the bridge approves the last connection.
JingMatrix merged commit ddcfa3d into master on Apr 12, 2026
JingMatrix deleted the detection branch on April 12, 2026 19:17
larsmartens pushed a commit to larsmartens/Vector that referenced this pull request Apr 12, 2026
…gMatrix#655)

This side-channel attack is obvious from the repeating logs: An isolated service (`com.reveny.nativecheck.app.isolated.IsolatedService`) of `Android-Native-Root-Detector` v7.7.0 intentionally spams Binder transactions to trigger our IPC hook.

In the previous implementation, if a transaction failed, the caller's ID was stored in `g_last_failed_id`. However, the state was immediately cleared on the caller's next transaction. This created a predictable, alternating loop (Intercept -> Fail -> Bypass/Clear -> Intercept) that allowed the isolated process to detect the presence of the hook via timing/behavioral observation.

We fix the flaw by keeping the failing caller in a persistent bypassed state. `g_last_failed_id` is now only reset when the bridge approves the last connection. This effectively breaks the loop and silences the side-channel leak against continuous transaction spam.

Additionally, this commit includes minor fixes discovered during debugging:
- module.cpp: Fix invalid fmt placeholder (`%d` -> `{}`) in isolated process log.
- ManagerService.kt: Fix logical order to save verbose logging preference before applying the LogcatMonitor state.

(cherry picked from commit ddcfa3d)


Development

Successfully merging this pull request may close these issues.

System crashes when opening Native Detector
