Resolve OEM inline hook veneers to prevent infinite recursion by JingMatrix · Pull Request #579 · JingMatrix/LSPosed

JingMatrix · 2026-03-20T19:53:33Z

On heavily customized Android ROMs, the OEM dynamically hotpatches libart.so methods using a 16-byte ARM64 veneer (ldr x16/17, pc+8; br x16/17).

When Dobby attempts to hook these pre-applied veneers, its literal relocator handles the ldr x, pc+offset instruction incorrectly by reading the overwritten literal pool at runtime, resulting in an infinite recursion loop and a SIGSEGV (stack overflow) in system_server.

This commit introduces a workaround for ARM64: we actively check if the target address starts with this known trampoline signature. If found, we extract the absolute address from pc+8 and apply our hook directly to the OEM's real implementation.

This safely chains our hooks onto the OEM's hotpatch framework. Currently experimental and primarily for testing purposes.

On heavily customized Android ROMs, the OEM dynamically hotpatches libart.so methods using a 16-byte ARM64 veneer (`ldr x16/17, pc+8; br x16/17`). When Dobby attempts to hook these pre-applied veneers, its literal relocator handles the `ldr x, pc+offset` instruction incorrectly by reading the overwritten literal pool at runtime, resulting in an infinite recursion loop and a SIGSEGV (stack overflow) in system_server. This commit introduces a workaround for ARM64: we actively check if the target address starts with this known trampoline signature. If found, we extract the absolute address from `pc+8` and apply our hook directly to the OEM's real implementation. This safely chains our hooks onto the OEM's hotpatch framework. Currently experimental and primarily for testing purposes.

JingMatrix · 2026-03-20T19:55:03Z

This pull-request is unlikely to be merged, we however provide local logs to illustrate the issues addressed here:

[ 2026-03-20T14:40:40.363     1000:  1259:  1259 W/VectorNative    ] OEM veneer (x17) detected at 0x7cc5e9206c, resolving to 0x7b9e427a9c
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 D/VectorNative    ] native_api.h:152 (int vector::native::HookInline(void *, void *, void **)): Dobby hooking (unknown symbol) (0x7b9e427a9c) from /data/misc/dg/patch/user/lib/lib/arm64/libcore.so (0x7b9e40d000)
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] ----- [DobbyHook:0x7b9e427a9c] -----
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [trampoline] use [adrp, add, br]
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [memory allocator] allocate exec memory at: 0x7f808ea020, size: 0x1c
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [insn relocate] origin 0x7b9e427a9c - 12
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] ff0301d1fe5702a9f50300aa
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [insn relocate] relocated 0x7f808ea020 - 28
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] ff0301d1fe5702a9f50300aa5100005820021fd6a87a429e7b000000
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [intercept routing] active
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 W/VectorNative    ] OEM veneer (x17) detected at 0x7cc5e9232c, resolving to 0x7b9e427d4c
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 D/VectorNative    ] native_api.h:152 (int vector::native::HookInline(void *, void *, void **)): Dobby hooking (unknown symbol) (0x7b9e427d4c) from /data/misc/dg/patch/user/lib/lib/arm64/libcore.so (0x7b9e40d000)
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] ----- [DobbyHook:0x7b9e427d4c] -----
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [trampoline] use [adrp, add, br]
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [memory allocator] allocate exec memory at: 0x7f808ea03c, size: 0x1c
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [insn relocate] origin 0x7b9e427d4c - 12
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] fe57bea9f50300aae00302aa
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [insn relocate] relocated 0x7f808ea03c - 28
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] fe57bea9f50300aae00302aa5100005820021fd6587d429e7b000000
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [intercept routing] active
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 W/VectorNative    ] OEM veneer (x17) detected at 0x7cc5e926bc, resolving to 0x7b9e427e6c
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 D/VectorNative    ] native_api.h:152 (int vector::native::HookInline(void *, void *, void **)): Dobby hooking (unknown symbol) (0x7b9e427e6c) from /data/misc/dg/patch/user/lib/lib/arm64/libcore.so (0x7b9e40d000)
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] ----- [DobbyHook:0x7b9e427e6c] -----
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [trampoline] use [adrp, add, br]
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] 0:relo <b_bl> at 0x7b9e427e70
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [memory allocator] allocate exec memory at: 0x7f808ea058, size: 0x28
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [insn relocate] origin 0x7b9e427e6c - 12
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] fe0f1ef83a080094e00302aa
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [insn relocate] relocated 0x7f808ea058 - 40
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] fe0f1ef8b100005820023fd6e00302aa9100005820021fd6589f429e7b000000787e429e7b000000
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [intercept routing] active
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 D/VectorNative    ] native_api.h:152 (int vector::native::HookInline(void *, void *, void **)): Dobby hooking (unknown symbol) (0x7cc5ec77c0) from /apex/com.android.art/lib64/libart.so (0x7cc5c00000)
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] ----- [DobbyHook:0x7cc5ec77c0] -----
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [trampoline] use [ldr, br, #label]
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [memory allocator] allocate exec memory at: 0x7f808ea080, size: 0x20
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [insn relocate] origin 0x7cc5ec77c0 - 16
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] 3f2303d5ff0303d1fd7b06a9fd830191
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [insn relocate] relocated 0x7f808ea080 - 32
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] 3f2303d5ff0303d1fd7b06a9fd8301915100005820021fd6d077ecc57c000000
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 I/Dobby           ] [intercept routing] active
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 D/LSPlant         ] class_linker.cxx:218: art_quick_to_interpreter_bridge = 0x7cc5e00090
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 W/VectorNative    ] OEM veneer (x17) detected at 0x7cc601c414, resolving to 0x7b9e427f64
[ 2026-03-20T14:40:40.363     1000:  1259:  1259 D/VectorNative    ] native_api.h:152 (int vector::native::HookInline(void *, void *, void **)): Dobby hooking (unknown symbol) (0x7b9e427f64) from /data/misc/dg/patch/user/lib/lib/arm64/libcore.so (0x7b9e40d000)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Resolve OEM inline hook veneers to prevent infinite recursion#579

Resolve OEM inline hook veneers to prevent infinite recursion#579
JingMatrix wants to merge 1 commit intomasterfrom
veneer

JingMatrix commented Mar 20, 2026

Uh oh!

JingMatrix commented Mar 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

JingMatrix commented Mar 20, 2026

Uh oh!

JingMatrix commented Mar 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant