How To Guide The Definitive TTL patch


Zibri

Senior Member
Dec 10, 2010
360
114
Does your patch fix only outgoing ttl, or incoming ttl too? Will the patch work with incoming ttl=1?
As I wrote before, the kernel routine IP_FORWARD is patched and the decrement of TTL is removed.
Obviously that will work both ways.
From any network to any other.
Every forwarded packet is forwarded AS IS.
 

horrigun

Member
Jul 23, 2017
7
1
Can't install - Magisk error while unzipping. Only the 1st version of this fix can be installed for me. ROG Phone 6
 

evgehae

New member
Oct 17, 2022
4
0
I thought the module was working until I went into my account page; there it shows that my internet data is being eaten, although there was no notification from MTS. What does that mean, is the module working or not?

 

Zibri

Senior Member
Dec 10, 2010
360
114
if you have magisk installed, you can also just download and run only the script:

Install patch:
Bash:
su -c "curl -s https://raw.githubusercontent.com/Zibri/ttl_fix/master/customize.sh | sh"

Remove patch:
Bash:
su -c "curl -s https://raw.githubusercontent.com/Zibri/ttl_fix/master/remove.sh | sh"

(it's even easier)

And merry Christmas to everybody!

if you get "[!] Patch not applied." it can mean 2 things:
1) you already applied it.
2) your phone is not yet supported.
in that case you can send me in a private message your "boot.img" which you will find in /data/local/tmp/ttl_fix/boot.img and I can add a patch for your phone.
 

Zibri

Senior Member
Dec 10, 2010
360
114
if you have the chance, please try it on other phones .. because it might work on more.. report to me if it works or not and on which phone. (if you provide me the boot.img I can add it)
 

Zibri

Senior Member
Dec 10, 2010
360
114
Added support for Pixel 6a/7a, Asus ROG, OnePlus 6/7 and most Xiaomi phones.

Please check the patch before asking for support... it might work even if your phone is not listed.

Please report here...
 

Zibri

Senior Member
Dec 10, 2010
360
114
@Zibri How did you get the hashpattern for the kernel file? I'm trying to patch ttl myself for Pixel 6a's boot img, but I don't know how to get the file's hash pattern
Reverse engineering the kernel.
I just tested it on my Pixel 7 Pro with the January (newest) security patch from Google and it appears to be working. Thank you @Zibri :)
Please spread it in other forums and subforums... the patch should work with almost every phone, perhaps it will need just a few adjustments for some "exotic" models.
 

MutantFod

New member
Nov 29, 2012
2
1
Breaking my 10 year no post streak just to say:

Dude, that's a smooth implementation.
Works on stock Pixel 7 PRO, just as "promised".

I have admiration for you shouldering on without flinching when people are throwing alternatives at you. It seems you knew exactly what you wanted and how to get it, nothing more or less.

Thanks for sharing!
 

taney

Senior Member
Jan 30, 2007
248
71
Los Angeles
After trying nfqttl and failing, I decided to go on my way and, in the process, I found the definitive solution.

Steps:

1) unpack boot.img
2) patch kernel image
3) repack boot.img

Flash :D

the patch is simple:
In the Linux kernel in ip_forward.c this function is called to decrease the TTL of every forwarded packet:
static __always_inline int ip_decrease_ttl(struct iphdr *iph)
{
	u32 check = (__force u32)iph->check;
	check += (__force u32)htons(0x0100);
	iph->check = (__force __sum16)(check + (check >= 0xFFFF));
	return --iph->ttl;
}

All I did was patch the kernel not to do so:

return iph->ttl;

You can easily do it in this way:

Bash:
magiskboot unpack -h boot.img
magiskboot hexpatch kernel C9220039C816007968F24039E8002836 1F2003D51F2003D568F24039E8002836  # tested on Redmi Note 10 Pro
magiskboot hexpatch kernel A0160079A022403900040051A0220039 1F2003D5A0224039000400511F2003D5 # tested on Redmi 4X
magiskboot repack boot.img

Then you can just boot it (for testing) or flash it directly.

fastboot boot new-boot.img
or
fastboot flash boot new-boot.img

result:
pinging google from the phone:
Bash:
$ ping google.com
PING google.com (142.250.179.142) 56(84) bytes of data.
64 bytes from ams17s10-in-f14.1e100.net (142.250.179.142): icmp_seq=1 ttl=106 time=115 ms

pinging google from windows connected to the phone (works both with wifi or usb tethering)
Code:
C:\>ping 142.250.179.142


Pinging 142.250.179.142 with 32 bytes of data:
Reply from 142.250.179.142: bytes=32 time=127ms TTL=106


As you can see the TTL is the same.
Before the patch it's one less, obviously.

Magisk module:

If you have magisk installed you can also just copy and paste this line of code in your adb shell:

Install patch:
Bash:
su -c "curl -s https://raw.githubusercontent.com/Zibri/ttl_fix/master/customize.sh | sh"

Remove patch:
Bash:
su -c "curl -s https://raw.githubusercontent.com/Zibri/ttl_fix/master/remove.sh | sh"
Hi Zibri!

This is AMAZING! I saw your ttl_fix on the GitHub repository as well.

I noticed that your code only applies to 4 devices.

I'm wondering if you can help me figure out how I can build it for my device (Samsung Galaxy Tab S5e LTE)? What do I need to do to get the codes for the hexpatch?

Thanks in advance!

Cheers,

Taney
 

Zibri

Senior Member
Dec 10, 2010
360
114
Hi Zibri!

This is AMAZING! I saw your ttl_fix on the GitHub repository as well.

I noticed that your code only applies to 4 devices.

I'm wondering if you can help me figure out how I can build it for my device (Samsung Galaxy Tab S5e LTE)? What do I need to do to get the codes for the hexpatch?

Thanks in advance!

Cheers,

Taney
That code already works for hundreds of devices.
Did you try it on your boot.img?
If none of those patches applies, then send me your boot image in a PM.
 

taney

Senior Member
Jan 30, 2007
248
71
Los Angeles
That code already works for hundreds of devices.
Did you try it on your boot.img?
If none of those patches applies, then send me your boot image in a PM.
My apologies. I just wanted confirmation before flashing since I only saw 4 lines of code.

I just tested it on my Galaxy Tab S5e and it works flawlessly. 55TTL on both device and client.


Thanks so much for your help!
 

fddm

Senior Member
Feb 24, 2011
315
196
Since it only patches out the decrement, it doesn't overwrite the weird TTLs systems like Windows and Xbox use. It also can't fix routed traffic that has already been decremented before it reached the phone. And it does not do anything for IPv6 afaict, so that would still need to be dropped or disabled. The hoplimit decrements are easy enough to search for at least.

Really cool approach, I like how simple it is and that it's handled in kernel space.

Edit: I was poking around a 32bit kernel and found the function code for ip_decrease_ttl
I think with a little more effort we could patch
C:
u32 check = (__force u32)iph->check;
check += (__force u32)htons(0x0100);
iph->check = (__force __sum16)(check + (check>=0xFFFF));
return --iph->ttl;
to
C:
iph->ttl = 64;
ip_send_check(iph);
return iph->ttl;
and get behavior very similar to the xt_HL module. Would just require the patcher to search for the ip_send_check function address so the branch could be calculated.
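The three behaviours discussed above side by side, as an added C example that is neither the OP's patch nor fddm's patcher: the stock ip_decrease_ttl() with its incremental checksum update, what the OP's hexpatch leaves (nothing written), and fddm's overwrite-to-64 followed by a full recompute. The struct, the helper names and the sample header are my own constructions; header_checksum_ok() plays the role of a receiver validating the header after each variant.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Minimal 20-byte IPv4 header, no options; every field is kept in wire byte order. */
struct iphdr_min {
    uint8_t ver_ihl, tos;
    uint16_t tot_len, id, frag_off;
    uint8_t ttl, protocol;
    uint16_t check;
    uint32_t saddr, daddr;
};

/* Full one's-complement sum over the header, the work ip_send_check() does in the kernel. */
static uint16_t ip_fast_csum(const void *hdr, size_t len) {
    const uint8_t *b = hdr;
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) { uint16_t w; memcpy(&w, b + i, 2); sum += w; }
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* A valid header sums to 0xFFFF with 'check' included, so the complement is 0. */
int header_checksum_ok(const struct iphdr_min *iph) { return ip_fast_csum(iph, sizeof *iph) == 0; }

/* Constructed sample (ICMP, 84 bytes total); addresses are passed in host order. */
void make_header(struct iphdr_min *iph, uint8_t ttl, uint32_t saddr, uint32_t daddr) {
    memset(iph, 0, sizeof *iph);
    iph->ver_ihl = 0x45; iph->tot_len = htons(84); iph->ttl = ttl; iph->protocol = 1;
    iph->saddr = htonl(saddr); iph->daddr = htonl(daddr);
    iph->check = ip_fast_csum(iph, sizeof *iph);
}

/* Stock kernel, as quoted in the thread: incremental update (RFC 1624). One off the TTL byte lowers
   the ttl/protocol word by 0x0100 in wire order, so the complemented checksum rises by htons(0x0100). */
int ip_decrease_ttl(struct iphdr_min *iph) {
    uint32_t check = iph->check;
    check += htons(0x0100);
    iph->check = (uint16_t)(check + (check >= 0xFFFF)); /* end-around carry */
    return --iph->ttl;
}

/* What the OP's hexpatch leaves behind: neither ttl nor check is written, forwarded as is. */
int ip_keep_ttl(struct iphdr_min *iph) { return iph->ttl; }
/* fddm's alternative: overwrite the TTL, then recompute the whole checksum. */
int ip_set_ttl64(struct iphdr_min *iph) {
    iph->ttl = 64; iph->check = 0;
    iph->check = ip_fast_csum(iph, sizeof *iph);
    return iph->ttl;
}
```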
 

Top Liked Posts

  • 2
    After searching through the source code, I found that starting with Android 12 they added IPv4 decrement to the tethering eBPF program here. I think the bpf iptables rules could probably be removed so it's only handled in the kernel or the bytecode could be patched in /system/apex/com.android.tethering/etc/bpf/offload.o
    Code:
    const int sz2 = sizeof(__be16);
    const __be16 old_ttl_proto = *(__be16 *)&ip->ttl;
    const __be16 new_ttl_proto = old_ttl_proto - htons(0x0100);
    bpf_l3_csum_replace(skb, ETH_IP4_OFFSET(check), old_ttl_proto, new_ttl_proto, sz2);
    bpf_skb_store_bytes(skb, ETH_IP4_OFFSET(ttl), &new_ttl_proto, sz2, 0);
    From the source level, we could patch new_ttl_proto to something like this
    Code:
    const __be16 new_ttl_proto = htons(0x4000) | (old_ttl_proto & htons(0x00ff)); /* TTL byte = 64, protocol byte kept */
    But that probably needs too many bytes so instead the entire function could be replaced with
    Code:
    const int sz2 = sizeof(__u8);
    const __u8 new_ttl_proto = 0x40; /* TTL 64 */
    bpf_skb_store_bytes(skb, ETH_IP4_OFFSET(ttl), &new_ttl_proto, sz2, BPF_F_RECOMPUTE_CSUM);
    This is also where the HL decrement is and probably why overriding from the kernel has never worked for TCP/UDP traffic.
    3
    I got a patch request in my PMs, so I'm sharing the patcher I wrote so people can do it themselves. It's a generic patcher that should work for the vast majority of devices, but only supports ARM64 little-endian kernels. This does the TTL 64 patch rather than the decrement patch from the OP. Run the patcher with Python 3 in the same directory you unpacked your boot image with magiskboot to patch. You can do this on your computer or with the Termux app from F-Droid after installing the python3 package.
    Code:
    $ python3 ttl_patcher.py
    Opening file 'kernel' for patching...
    ip_send_check signature matched - 0x1054680 - ['1f140079', '08400091', '0a004039', '093040a9']
    ip_decrease_ttl signature matched - 0x1052ecc - ['678a4179', 'a0ff9f52', '1601078b', 'c3164079', 'c1224039', '7f00006b', '6094831a', '02040011', '23040051', 'c2160079', 'c3220039']
    678a4179a0ff9f521601078bc3164079c12240397f00006b6094831a0204001123040051c2160079c3220039
    678a41791601078b08088052e00316aac8220039e80500941f2003d51f2003d51f2003d51f2003d51f2003d5
    File patched! Saved to 'kernel.patched'
    It generates the byte patches found and a patched kernel named 'kernel.patched'. Rename it to 'kernel' before repacking. It will patch 5.x kernels without complaining, but only partially works in my testing.
    Edit: improved patch generation
    2
    how to run/execute? :
    magiskboot unpack -h boot.img
    magiskboot hexpatch kernel C9220039C816007968F24039E8002836 1F2003D51F2003D568F24039E8002836
    magiskboot repack boot.img
    I tried via adb but failed.
    here you go...
    magisk module just made.. please tell me if there are any problems.