The following two information are what I need to fix the problem

1. Your boot.img or kernel image

boot.zip

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

log.txt

The following two information are what I need to fix the problem

1. Your boot.img or kernel image

Upload to here or file download path

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

Upload to here or file download path

I report so other people don't try to apply patch and reboot, because doesn't work: boot loop.
If there isn't solution I switched to magisk the best root solution in the world and no one can beat it either kernelsu or apatch.

Boot.img

The following two information are what I need to fix the problem

1. Your boot.img or kernel image
   boot.img

2. The real symbol informations corresponding to your boot.img or kernel
   kallsyms.txt

3. Patch Log
   

The following two information are what I need to fix the problem

1. Your boot.img or kernel image

Upload to here or file download path

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

Upload to here or file download path

Uploading with image file with extra .zip extension added, the file is an image though.
arter97-kernel-r7-boot.img.zip

boot_a.zip

Boot partition of the device

1. Your kernel image. boot.img is too big, you can use 'magiskboot unpack boot.img' to get kernel image (which named 'kernel' after unpack)

kernel.zip

应为

#define sscanf(buf, fmt, ...) kfunc(sscanf)(buf, fmt, ##__VA_ARGS__)

First, confirm whether your kernel has CONFIG_KALLSYMS_ALL=y enabled. If not or cannot be sure, please wait for support.

The following two information are what I need to fix the problem

1. Your boot.img or kernel image

Upload to here or file download path
CrDroid.zip

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

Upload to here or file download path
n/a

The following two information are what I need to fix the problem

1. Your boot.img or kernel image

Upload to here or file download path

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

Upload to here or file download path

The following two information are what I need to fix the problem

1. Your kernel image. boot.img is too big, you can use 'magiskboot unpack boot.img' to get kernel image (which named 'kernel' after unpack)

boot.zip

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

cat kallsyms.txt

After flashing the patched boot image, the device cannot proceed to the boot logo screen and is frozen there. The device is a Motorola G20 unisoc T700 processor.

1. Your boot.img or kernel image

https://mega.nz/file/07dk1DxY#LB0zIlcYYeZxNL4yXWYSYiq9orWFvlSBFUNwvX1JvzI

2. After flashing the patched boot image, the device is frozen on the boot logo screen.

3. KernelPatch logs

APatch_bugreport_2024-01-10_08_07.tar.gz

Device: Xiaomi 13
ROM: HyperOS 1.0.6.0 UMCCNXM
Explanation of the problem: I've tried many ways to make the patched kernel work on my phone. First I tried the advice from the telegram group on bootloop_fix, it didn't help. After that, I tried to patch the kernel with magisk first, and then patch APatch, which also did not give results. Then I took the kernel from KernelSU and also tried to patch it, also no point either. I can't provide logs, because even my recovery doesn't boot and the phone stuck on the phone logo.
If you need to provide the images that I flashed, I can send an archive with the assembly of all boot.img

Example: syscallhook：

info

error1：unsupported RELA relocation: 311
Solution：Add cflag: -fno-PIC

error2：overflow in relocation type R_AARCH64_PREL32 val ffffffecb1c00000"
Solution：Add cflag: -fno-asynchronous-unwind-tables

@bmax121

Makefile：

ifndef KP_DIR
    KP_DIR = ../..
endif

CFLAGS = -O3 -fno-PIC -fno-asynchronous-unwind-tables -fno-stack-protector
CC = ${ANDROID_NDK}/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android31-clang
LD = ${ANDROID_NDK}/toolchains/llvm/prebuilt/linux-x86_64/bin/ld.lld
STRIP = ${ANDROID_NDK}/toolchains/llvm/prebuilt/linux-x86_64/bin/llvm-strip

INCLUDE_DIRS := . include patch/include linux/include linux/arch/arm64/include linux/tools/arch/arm64/include

INCLUDE_FLAGS := $(foreach dir,$(INCLUDE_DIRS),-I$(KP_DIR)/kernel/$(dir))

objs := syscallhook.o

all: syscallhook.kpm

syscallhook.kpm: ${objs}
	${CC} $(CFLAGS) $(INCLUDE_FLAGS) -r -o $@ $^
	${STRIP} -g $@

%.o: %.c
	${CC} $(CFLAGS) $(INCLUDE_FLAGS) -c -o $@ $<

.PHONY: clean
clean:
	rm -rf *.kpm
	find . -name "*.o" | xargs rm -f

boot.zip

1. boot file:https://yushenghan-my.sharepoint.com/:u:/g/personal/han_yushenghan_onmicrosoft_com/EWKKKW-EaXtBkrIYjfCtt38BP1R-oxl9d2bzaXaOLPFcNQ?e=71dNif

2. 

There is no post-fs-data-init in the following log.

[    0.000000] KP Kernel pa: 80080000
[    0.000000] KP Kernel va: ffffff8008080000
[    0.000000] KP Kernel Version: 40499
[    0.000000] KP Kernel Patch Version: a00
[    0.000000] KP Kernel Patch Config: 2
[    0.000000] KP Kernel Patch Compile Time: 06:23:21 Feb 23 2024
......
[    3.752198] KP exec /init first stage
[    3.752203] KP write kpatch to /dev/kpatch
[    3.752418] KP after kernel_init ...
[    3.826939] KP exec /init second stage 1
[    3.870921] KP redirect rc file: 10
[    3.870933] KP restore rc file: 1b
[    3.870938] [+] KP V Wrap func pointer remove: ffffff80090021c0, ffffff8105f929e0, ffffff8105f92734
[    3.870945] [+] KP V Unwrap func pointer: ffffff80090021c0, ffffff8105f929e0, ffffff8105f92734
[    6.388467] [+] KP I commit_su: pid: 626, tgid: 0, to_uid: 0, sctx: (null), via_hook: 1
[    6.389158] [+] KP I commit_su: pid: 627, tgid: 0, to_uid: 0, sctx: (null), via_hook: 1
[    6.394095] [+] KP I hello1158
[    6.394118] [+] KP I commit_su: pid: 627, tgid: 0, to_uid: 0, sctx: u:r:magisk:s0, via_hook: 1
[    6.781948] [+] KP I user log: 627 wait /data/adb/apd post-fs-data  status: 0x0
[    6.808291] [+] KP I user log: 627 wait dmesg status: 0x0
[    7.862346] [+] KP I commit_su: pid: 992, tgid: 0, to_uid: 0, sctx: (null), via_hook: 1
[    7.868713] [+] KP I hello1158
[    7.868748] [+] KP I commit_su: pid: 992, tgid: 0, to_uid: 0, sctx: u:r:magisk:s0, via_hook: 1
[    7.895479] [+] KP I user log: 992 wait /data/adb/apd services  status: 0x0
[    8.026224] [+] KP I user log: 992 wait dmesg status: 0x0
[   22.869895] [+] KP I commit_su: pid: 3149, tgid: 0, to_uid: 0, sctx: (null), via_hook: 1
[   22.884905] [+] KP I hello1158
[   22.884933] [+] KP I commit_su: pid: 3149, tgid: 0, to_uid: 0, sctx: u:r:magisk:s0, via_hook: 1
[   22.894944] [+] KP I user log: 3149 wait /data/adb/apd boot-completed  status: 0x0
[   22.965873] [+] KP I user log: 3149 wait dmesg status: 0x0
[   35.154332] KP exec app_process, /data prepared, second_stage: 1

The /dev/kpatch file is successfully extracted, but does not exist.

[    3.752203] KP write kpatch to /dev/kpatch

sagit:/data/adb/ap # ls -al /dev/kpatch
ls: /dev/kpatch: No such file or directory

log file:
kpatch_0.log

[    6.388122] init: starting service 'exec 6 (/system/bin/truncate a12345678 /dev/kpatch a12345678 android_user post-fs-data-init -k)'...
[    6.388467] [+] KP I commit_su: pid: 626, tgid: 0, to_uid: 0, sctx: (null), via_hook: 1
[    6.388505] init: SVC_EXEC pid 626 (uid 0 gid 0+0 context default) started; waiting...
[    6.388508] init: cannot execve('/system/bin/truncate'): No such file or directory
[    6.388772] init: Service 'exec 6 (/system/bin/truncate a12345678 /dev/kpatch a12345678 android_user post-fs-data-init -k)' (pid 626) exited with status 127 waiting took 0.000000 seconds
[    6.388888] init: starting service 'exec 7 (/system/bin/truncate a12345678 /data/adb/kpatch a12345678 android_user post-fs-data -k)'...
[    6.389158] [+] KP I commit_su: pid: 627, tgid: 0, to_uid: 0, sctx: (null), via_hook: 1
[    6.389201] init: SVC_EXEC pid 627 (uid 0 gid 0+0 context default) started; waiting...
[    6.394095] [+] KP I hello1158

Currently, there is no immediate solution. You need to troubleshoot it yourself or provide the device to me for further investigation.

The following two information are what I need to fix the problem

1. Your boot.img or kernel image

Upload to here or file download path

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

Upload to here or file download path

I tried to study code, and change kernel/patch/android/kpuserd.c,

diff --git a/kernel/patch/android/kpuserd.c b/kernel/patch/android/kpuserd.c
index aba3099..359dc50 100644
--- a/kernel/patch/android/kpuserd.c
+++ b/kernel/patch/android/kpuserd.c
@@ -1,5 +1,5 @@
 /* SPDX-License-Identifier: GPL-2.0-or-later */
-/* 
+/*
  * Copyright (C) 2023 bmax121. All Rights Reserved.
  */
 
@@ -36,7 +36,8 @@ const char replace_rc_file[] = "/dev/.atrace.rc";
 
 static const char patch_rc[] = ""
                                "on late-init\n"
-                               "    rm %s \n"
+                               "    ls %s \n"
+                               "    touch /sdcard/Download/touch1.txt\n"
                                "on post-fs-data\n"
                                "    start logd\n"
                                "    exec -- " KPATCH_SHADOW_PATH " %s android_user init -k\n"
@@ -46,7 +47,7 @@ static const char patch_rc[] = ""
                                "on property:vold.decrypt=trigger_restart_framework\n"
                                "    exec -- " KPATCH_SHADOW_PATH " %s android_user services -k'\n"
                                "on property:sys.boot_completed=1\n"
-                               "    exec -- " KPATCH_SHADOW_PATH " %s android_user boot-completed -k'\n"
+                               "    exec -- /data/adb/boot-completed.d/hello\n"
                                "\n"
                                "";
 
@@ -276,4 +277,4 @@ int kpuserd_init()
 
 out:
     return rc;
-}
\ No newline at end of file
+

I want to take over boot-complete event directly, but it does not work. Why ? I want to know, please help.

hello handler is:

cat /data/adb/boot-completed.d/hello
am start -p com.miui.notes
date > /sdcard/Download/magic.txt

BTW, If I revert the above patch, boot complete trigger can launch miui notes APP with help of apd shipped by Apatch, but it's not 100% successful upon each reboot.

dump_kallsyms.txt

boot.img.zip
apatch_10282_xdyx_boot.img.zip

Compile kernel with enable kallsyms.

First, confirm whether your kernel has CONFIG_KALLSYMS_ALL=y enabled. If not or cannot be sure, please wait for support.

The following two information are what I need to fix the problem

1. Your boot.img or kernel image

Upload to here or file download path
boot.zip

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

Upload to here or file download path
log.txt

When reporting problems with various systems/third-party apps, users will be asked to upload log files. If there is a superkey in the log, there is a risk of leakage.

example:
[ 6.388122] init: starting service 'exec 6 (/system/bin/truncate a12345678 /dev/kpatch a12345678 android_user post-fs-data-init -k)'...

市面上很少用存c实现的inlinehook ，还有各种内核相关的工具库。我最近也在搞这块，发现能用的很少。

作者你好，目前发现kpatch似乎存在部分问题。
1.使用abd shell命令，insmod xxx.ko显示成功，但是无法通过sh使用驱动读取数据。
2.在使用termux安装ko驱动后，使用sh脚本读取游戏数据的过程中，似乎su权限不是持续的或者ko驱动在安装一段时间后会无效，导致sh脚本在十多分钟后会被关闭😂请问会有机会修复这个问题吗。

The following two information are what I need to fix the problem

1. Your boot.img or kernel image

Upload to here or file download path

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

Upload to here or file download path
boot.img.zip

Hello, I want you to provide a bin which has the utility of patching the boot from the recovery since I am a recovery builder and until now I can't get it together because I don't fully understand your tool

dmesg.log

The following two information are what I need to fix the problem

1. Your kernel image. boot.img is too big, you can use 'magiskboot unpack boot.img' to get kernel image (which named 'kernel' after unpack)

Upload to here or file download path

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

Upload to here or file download path

Attached screenshots and files:

APatch_bugreport_2023-12-29_06_53.tar.gz

kernel.zip

boot.img
source code
Error message

The following two information are what I need to fix the problem

1. Your kernel image. boot.img is too big, you can use 'magiskboot unpack boot.img' to get kernel image (which named 'kernel' after unpack)

!!!This is a 7zip file and you should rename it to kernel.7z and open it!!!

kernel.7z.zip

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

!!!This is a 7zip file and you should rename it to kallsyms.7z and open it!!!

kallsyms.7z.zip

Redmi Note 10 Pro named as 'chopin'. A MTK cpu device which has version 4.14.186 kernel.
kernel config is here:

CONFIG_KALLSYMS=y
# CONFIG_KALLSYMS_ALL is not set
# CONFIG_KALLSYMS_ABSOLUTE_PERCPU is not set
# CONFIG_KALLSYMS_BASE_RELATIVE is not set

I can use the app to retrieve the patched file, which I named aboot.img. But when I flash it in fastboot mode, I cannot boot up properly. And can only stay on the fastboot interface
Here are the files I prepared after seeing your reply。
Kernel: 4.14.83-perf+
Log.txt
MY boot.zip
aboot.zip

Currently, there is no immediate solution. You need to troubleshoot it yourself or provide the device to me for further investigation.
https://pixeldrain.com/u/xCEeb3gM
untitled.txt

https://github.com/HookCode/file/releases/tag/ap
详细资料在上面

使用以下版本
APatch_10433-3-g486b44a_10436-release-signed.apk
APatch_10433-2-gbd8cbdf_10435-release-signed.apk

please forgive me to use "Feature request" type to issue this.

Is it possible to run kpatch in android directly, like in adb shell ?

I try to download kpatch to /data/bootchart, then assign exec permission by 'chmod +x kpatch', but failed.

venus:/data/bootchart $ ls -l
total 28
-rwxrwx--x 1 shell shell 27352 2024-01-20 20:45 kpatch
venus:/data/bootchart $ ./kpatch
/system/bin/sh: ./kpatch: can't execute: Permission denied

The following two information are what I need to fix the problem

1. Your boot.img or kernel image

Upload to here or file download path

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

Upload to here or file download path
Kallsyms.txt
https://drive.google.com/drive/folders/1J0GKGqAR8rwLGC5gT7xzsv7XfsbCnWjt

The following two information are what I need to fix the problem

1. Your kernel image. boot.img is too big, you can use 'magiskboot unpack boot.img' to get kernel image (which named 'kernel' after unpack)

boot下载链接：https://wwp.lanzoui.com/isObk1qz4h6f

Upload to here or file download path

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

1.txt

Upload to here or file download path

untitled.txt
First, confirm whether your kernel has CONFIG_KALLSYMS_ALL=y enabled. If not or cannot be sure, please wait for support.

The following two information are what I need to fix the problem

1. Your boot.img or kernel image

Upload to here or file download path

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

untitled.txt
https://drive.google.com/drive/folders/1J0GKGqAR8rwLGC5gT7xzsv7XfsbCnWjt

Upload to here or file download path

the same issue : #12

boot.img.7z: https://pixeldrain.com/u/7iXJhxpd

The following two information are what I need to fix the problem

1. Your boot.img or kernel image

Upload to here or file download path

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

Upload to here or file download path
untitled.txt
https://drive.google.com/drive/folders/1J0GKGqAR8rwLGC5gT7xzsv7XfsbCnWjt

大佬，求

The following two information are what I need to fix the problem

1. Your kernel image. boot.img is too big, you can use 'magiskboot unpack boot.img' to get kernel image (which named 'kernel' after unpack)

Upload to here or file download path
Image.zip
kallsyms.txt

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

Upload to here or file download path
config.gz

I see that KernelPatch can hook kernel symbols in before_rest_init:

Is it also possible to hook symbols after the kernel has loaded, e.g. via a module that is loaded with --load_kpm (once that is implemented)?
Or does all hooking/patching need to be done before the kernel started? If so why?

Thank you for this project, it looks very promising and useful!

参考一些说法和实现：

• marin-m/vmlinux-to-elf#24
• https://github.com/msm8953-mainline/lk2nd/blob/75a9de82b3032314ea495f8aa9ff012022666a1d/app/aboot/aboot.c#L2045

可知该文件头由 UNCOMPRESSED_IMG + 4字节kernel文件大小（不包含 UNCOMPRESSED_IMG和这4字节共20字节）。

虽然在 kallsym.c image.c 中有一部分针对该文件头的处理，但另有一些部分（patch_update_img 的大部分内容）并没有遵照这个来。

举例而言 4字节kernel文件大小 没有得到修改、setup_offset 是含开头20字节的（导致 setup 结束 br x16 实际上并没有跳到 开头B 指令上去，而是跳到了这个位置-20字节）。

造成的结果（我使用的设备是xiaomi 9）是，aboot 根据 4字节 kernel 文件大小算出来的 dtb_offset 错误，后续对dtb的检查失败，因此没有启动系统，直接回到了 fastboot 页面。

经测试，手动去掉前20直接进行patch，然后写上正确的前20字节（含新kernel文件大小），能够正确启动。

因此建议不要patch的每个部分代码都考虑这玩意（容易错漏），开头检测到有就去掉，结尾补上就行。

When my kernel upgrade, my kernel doesn't auto patch.

When my upgrade kernel, my Linux will make vmlinux and initramfs, but I need repatch it kernel,

or we can write hook, when kernel upgrade auto use kernelpatch patch.

I want to patch Linux kernel, because the will can use AndroidPatch on Waydroid.

First, confirm whether your kernel has CONFIG_KALLSYMS_ALL=y enabled. If not or cannot be sure, please wait for support.

The following two information are what I need to fix the problem

1. Your boot.img or kernel image

https://t.me/APatch_CN_Group/60093

Upload to here or file download path

2. The real symbol informations corresponding to your boot.img or kernel
   It can be obtained through the following two commands under root.

echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms

Upload to here or file download path

1.txt

• 手机是oneplus9p

• 内核版本是5.4.233-qgki-g31dce7dbd8de

• 修补boot的时候，我手机当前boot是【https://t.me/APatch_CN_Group/60045】版本，要修补的是【https://t.me/APatch_CN_Group/60093】版

• 截图

  1. 使用10446-26-gcbdda9a(10472)版本修补时候是
     

  2. 使用【https://github.com/Admirepowered/APatch/actions/runs/7685449272】版本