Didn't work for me on Tmobile REVVL 6 Pro.
I was not able to install/run with Magisk, but I was able to run the commands from your script with magiskboot.
I suspect my kernel is different from yours and not taking the patches.
Would you be able to patch my boot.img file if I upload it to you?
Or could you tell me in noob terms how to find the hex values to change and patch it myself?
I was not able to install/run with Magisk, but I was able to run the commands from your script with magiskboot.
I suspect my kernel is different from yours and not taking the patches.
Would you be able to patch my boot.img file if I upload it to you?
Or could you tell me in noob terms how to find the hex values to change and patch it myself?
did you test pinging the same ip from the phone (via adb) and from an attached pc?
try this for example: 108.177.15.127
the TTL should be the same if it worked.
What you call "hash pattern" is machine language code.
I search for the instruction preceding or around the ones I need to patch to disable the TTL decrease.
To do so, you have to reverse engineer (decompile) the whole kernel, find the function and nullify the decrementation.
Send me the boot.img and I can give it a try.
Ok so on my other phone Samsung Galaxy a32 I have this magisk module which imma send a picture of it somehow was set to 65 and disabled tether notification from being sent to carrier any ideas on how to make that work with your current module as in disabling notification 65 I have no idea why 65 either
Added support for pixel6a:
I got unzip error when trying to install. I tried unpack and repack the zip file, no luck on thatAdded support for pixel6a:
Top Liked Posts
-
There are no posts matching your filters.
-
2After searching through the source code, I found that starting with Android 12 they added IPv4 decrement to the tethering eBPF program here. I think the bpf iptables rules could probably be removed so it's only handled in the kernel or the bytecode could be patched in /system/apex/com.android.tethering/etc/bpf/offload.o
This is also where the HL decrement is and probably why overriding from the kernel has never worked for TCP/UDP traffic.From the source level, we could patch new_ttl_proto to something like thisCode:const int sz2 = sizeof(__be16); const __be16 old_ttl_proto = *(__be16 *)&ip->ttl; const __be16 new_ttl_proto = old_ttl_proto - htons(0x0100); bpf_l3_csum_replace(skb, ETH_IP4_OFFSET(check), old_ttl_proto, new_ttl_proto, sz2); bpf_skb_store_bytes(skb, ETH_IP4_OFFSET(ttl), &new_ttl_proto, sz2, 0);
But that probably needs too many bytes so instead the entire function could be replaced withCode:const __be16 new_ttl_proto = htons(0x4000) + (old_ttl_proto & 0xff)
Code:const int sz2 = sizeof(__u8); const __u8 new_ttl_proto = 0x40 bpf_skb_store_bytes(skb, ETH_IP4_OFFSET(ttl), &new_ttl_proto, sz2, BPF_F_RECOMPUTE_CSUM); -
8After trying nfqttl and failing, I decided to go on my way and, in the process, I found the definitive solution.
Steps:
1) unpack boot.img
2) patch kernel image
3) repack boot.img
Flash
the patch is simple:
In the linux kernet in ip_forward.c this function is called to decrease the TTL of every forwarded packet:
static __always_inline int ip_decrease_ttl(struct iphdr *iph) { u32 check = (__force u32)iph->check; check += (__force u32)htons(0x0100); iph->check = (__force __sum16)(check + (check >= 0xFFFF)); return --iph->ttl; }
All I did is to patch the kernel not to do so.
return iph->ttl;
You can easily do it in this way:
Bash:magiskboot unpack -h boot.img magiskboot hexpatch kernel C9220039C816007968F24039E8002836 1F2003D51F2003D568F24039E8002836 # tested on Redmi Note 10 Pro magiskboot hexpatch kernel A0160079A022403900040051A0220039 1F2003D5A0224039000400511F2003D5 # tested on Redmi 4X magiskboot repack boot.img
Then you can just boot it (for testing) or flash it directly.
fastboot boot new-boot.img
or
fastboot flash boot new-boot.img
result:
pinging google from the phone:
Bash:$ ping google.com PING google.com (142.250.179.142) 56(84) bytes of data. 64 bytes from ams17s10-in-f14.1e100.net (142.250.179.142): icmp_seq=1 ttl=106 time=115 ms
pinging google from windows connected to the phone (works both with wifi or usb tethering)
Code:C:\>ping 142.250.179.142 Pinging 142.250.179.142 with 32 bytes of data: Reply from 142.250.179.142: bytes=32 time=127ms TTL=106
As you can see the TTL is the same.
Before the patch it's one less, obviously.
Magisk module:
If you have magisk installed you can also just copy and paste this line of code in your adb shell:
Install patch:
Bash:su -c "curl -s https://raw.githubusercontent.com/Zibri/ttl_fix/master/customize.sh | sh"
Remove patch:
Bash:su -c "curl -s https://raw.githubusercontent.com/Zibri/ttl_fix/master/remove.sh | sh"3if you have magisk installed, you can also just download an run only the script:
Install patch:
Bash:su -c "curl -s https://raw.githubusercontent.com/Zibri/ttl_fix/master/customize.sh | sh"
Remove patch:
Bash:su -c "curl -s https://raw.githubusercontent.com/Zibri/ttl_fix/master/remove.sh | sh"
(it's even easier)
And merry Christmas to everybody!
if you get "[!] Patch not applied." it can mean 2 things:
1) you already applied it.
2) your phone is not yet supported.
in that case you can send me in a private message your "boot.img" which you will find in /data/local/tmp/ttl_fix/boot.img and I can add a patch for your phone.3I got a patch request in my PMs, so I'm sharing the patcher I wrote so people can do it themselves. It's a generic patcher that should work for the vast majority of devices, but only supports ARM64 little-endian kernels. This does the TTL 64 patch rather than the decrement patch from the OP. Run the patcher with Python 3 in the same directory you unpacked your boot image with magiskboot to patch. You can do this on your computer or with the Termux app from F-Droid after installing the python3 package.
It generates the byte patches found and a patched kernel named 'kernel.patched'. Rename it to 'kernel' before repacking. It will patch 5.x kernels without complaining, but only partially works in my testing.Code:$ python3 ttl_patcher.py Opening file 'kernel' for patching... ip_send_check signature matched - 0x1054680 - ['1f140079', '08400091', '0a004039', '093040a9'] ip_decrease_ttl signature matched - 0x1052ecc - ['678a4179', 'a0ff9f52', '1601078b', 'c3164079', 'c1224039', '7f00006b', '6094831a', '02040011', ' 23040051', 'c2160079', 'c3220039'] 678a4179a0ff9f521601078bc3164079c12240397f00006b6094831a0204001123040051c2160079c3220039 678a41791601078b08088052e00316aac8220039e80500941f2003d51f2003d51f2003d51f2003d51f2003d5 File patched! Saved to 'kernel.patched'
Edit: improved patch generation3Updated and tested the zip file.. now it works.
2
here you go...
magisk module just made.. please tell me if there are any problems.
