Vector daemon crashes on Android 17 — AbstractMethodError on IServiceConnection.connected (4-arg signature with IBinderSession) on Xiaomi HyperOS

[sonicman]

Steps to reproduce/复现步骤

1. Flash KernelSU 3.2.4 + Zygisk Next 1.3.4 (746) + Vector v2.0 (3043) on a Xiaomi device running HyperOS 4.0 / Android 17 (OS4.0.260515.2.XPCCNXM.DEV, fingerprint Xiaomi/pudding/pudding:17/CP2A.260330.003/OS4.0.260515.2.XPCCNXM.DEV:user/test-keys). Reboot.

2. adb shell pm install -r my-xposed-module.apk (any module — minimal repro reproduces with just the Vector Manager installed and no third-party modules).

3. Open the Vector Manager UI:

   adb shell am start -c org.lsposed.manager.LAUNCH_MANAGER \
       com.android.shell/.BugreportWarningActivity
   

4. Try to enable any module / tick a scope.

5. Reboot, observe lspd is not running (ps -ef | grep lspd empty), /data/adb/lspd/config/modules_config.db mtime is unchanged from initial install, and no Xposed modules are loaded into Zygote.

Expected behaviour/预期行为

lspd daemon stays alive after the Manager binds to it. Module enable / scope edits persist to modules_config.db. Xposed modules load on next process spawn.

(Verified working on Pixel 9 Pro XL / Android 16 with the same Vector v2.0 (3043) + Zygisk Next 1.3.4 + KernelSU 3.2.4.)

Actual behaviour/实际行为

The moment system_server calls back into Vector's IServiceConnection.Stub after bindService, the daemon hits java.lang.AbstractMethodError and System.exit(1) is called. The Manager UI looks responsive but writes nothing — modules_config.db stays at its post-install state forever, and no module ever activates.

Failing call path (from /data/adb/lspd/log/verbose_*.log):

[VectorZygiskBridge] onTransact: action=GET_BINDER, callerUid=2000
[VectorDeopter] Skipping deopt for android.app.Instrumentation#newApplication
[JavaBinder] *** Uncaught remote exception! Exceptions are not yet supported across processes. Client PID 0 UID 1000.
java.lang.AbstractMethodError: abstract method "void android.app.IServiceConnection.connected(android.content.ComponentName, android.os.IBinder, android.app.IBinderSession, boolean)" on receiver java.lang.Class<cf>
    at android.app.IServiceConnection$Stub.onTransact(IServiceConnection.java:90)
    at android.os.Binder.execTransactInternal(Binder.java:1376)
    at android.os.Binder.execTransact(Binder.java:1330)
[AndroidRuntime] FATAL EXCEPTION: binder:3131_5
[VectorDaemon] Uncaught exception in Daemon
[lspd] System.exit called, status: 1

Root cause

daemon/src/main/kotlin/org/matrix/vector/daemon/ipc/ManagerService.kt:56-58 (master HEAD cf1153e):

private val connection =
    object : android.app.IServiceConnection.Stub() {
      override fun connected(name: ComponentName?, service: IBinder?, dead: Boolean) {}
    }

This 3-arg override does not match Android 17 (OS4.0 HyperOS at minimum) AIDL — the framework now declares:

void connected(in ComponentName name, in IBinder service, in IBinderSession session, boolean dead);

IBinderSession is a new framework interface in this Android revision, used to scope which session a Binder belongs to. Because Vector's stub doesn't override the 4-arg form, dispatch via onTransact lands on the abstract method and crashes.

Suggested fix

Add a 4-arg override alongside the 3-arg one (both no-ops, since ManagerGuard only relies on binderDied() for liveness):

private val connection =
    object : android.app.IServiceConnection.Stub() {
      // Android 8 .. 16
      override fun connected(name: ComponentName?, service: IBinder?, dead: Boolean) {}
      // Android 17+ — new IBinderSession positional arg
      fun connected(name: ComponentName?, service: IBinder?, session: Any?, dead: Boolean) {}
    }

hiddenapi/stubs/src/main/java/android/app/IServiceConnection.java will likely need a sibling stub for the 4-arg form so the compiler picks up override. I'm happy to test patches.

Xposed Module List/Xposed 模块列表

$ adb shell pm list packages | grep -i xposed
package:com.deepdiveaweme.apmactivator   # custom in-house module

# /data/adb/lspd/config/modules_config.db (modules table) is EMPTY
# beyond the default `lspd` placeholder, because the daemon crashes
# before any module-enable IPC can complete:
$ sqlite3 modules_config.db "SELECT mid, module_pkg_name, enabled FROM modules;"
1|lspd|0

Root implementation/Root 方案

KernelSU 3.2.4 (manager APK me.weishu.kernelsu versionName v3.2.4; ksud 3.2.4; kernel module 32457).

System Module List/系统模块列表

$ ksud module list
[
  {
    "name": "Zygisk Next",
    "id": "zygisksu",
    "version": "1.3.4 (746-d1b76b3-release)",
    "versionCode": "746",
    "author": "5ec1cff, Nullptr",
    "enabled": "true",
    "description": "[✅zygote, Root: ✅KernelSU (32457), ZL] Standalone implementation of Zygisk."
  },
  {
    "name": "Vector",
    "id": "zygisk_vector",
    "version": "v2.0 (3043)",
    "versionCode": "3043",
    "author": "JingMatrix",
    "enabled": "true",
    "description": "A modern, Xposed-compatible framework for Android application hooking. (Android 8.1 ~ 16)"
  }
]

LSPosed version/LSPosed 版本

3043 (master HEAD cf1153e, which git rev-list --count refs/remotes/origin/master → 3043; matches the GitHub Actions debug build).

Android version/Android 版本

Android 17 (SDK 37, build CP2A.26xxxx.00x, security patch 2026-04-05) on Xiaomi HyperOS 4.0 (Vxxx / OS4.0 / branch pudding_dev, custom OS). Detailed device fingerprint: - Model: 2xxxxx (Xiaomi codename pudding) - SoC: Qualcomm SM8850 - Build fingerprint: Xiaomi/pudding/pudding:17/CP2A.26xxxx.00x/OS4.0.26xxxx.2.XXXX:user/test-keys - HyperOS version: OS4.0.26xxxx.x.xxx.DEV (CN region, dev/internal channel) - MIUI version: Vxxx (code xxx)

Version requirement/版本要求

• I am using the latest debug build from GitHub Actions./我正在使用 GitHub Actions 中最新的调试版本。

Logs/日志

Supplemental: lspd_logs.tgz (239 KB — /data/adb/lspd/log + log.old + config/modules_config.db*, useful if you want the verbose log without unzipping the full bugreport).

Side notes — context from my own pre-filing search (master cf1153e):

• Searched issues/PRs/commits for IBinderSession → 0 hits.
• Closest open issue: crash and reboot issue android 17 qpr1 beta 3 #737 "crash and reboot issue android 17 qpr1 beta 3" — different stacktrace, no resolution.
• I have a Pixel 9 / Android 16 with identical Vector + Zygisk Next + KernelSU + same custom Xposed module — works flawlessly there. Issue is fully reproducible on Xiaomi pudding / HyperOS 4.0 / Android 17.
• Happy to test patches, share full bugreport snippets on request, or run repro on a stock build if you point me at a CI artifact to try.

lspd_logs.tgz