Add runtime_flags and service.sh arguments for late injection

JingMatrix · JingMatrix · commit 6714fe529ae7 · 2026-03-10T11:48:38.000+01:00
Complicated modules, such as LSPosed / Vector, need to be inform about the injection mode, since many of their functions could reply on the exact launching sequence of system services.
diff --git a/loader/src/injector/module.cpp b/loader/src/injector/module.cpp
@@ -320,13 +320,12 @@ void ZygiskContext::run_modules_post() {
         if (m.tryUnload()) modules_unloaded++;
     }
 
-    if (modules.size() > 0) {
+    if (modules.size() > 0 && g_hook != nullptr) {
         LOGV("modules unloaded: %zu/%zu", modules_unloaded, modules.size());
         if (modules.size() == modules_unloaded) clean_libc_trace();
         clean_linker_trace("jit-cache-zygisk", modules.size(), modules_unloaded, true);
-        if (g_hook != nullptr)
-            g_hook->should_spoof_maps =
-                (flags & APP_SPECIALIZE) && (modules.size() - modules_unloaded) > 0;
+        g_hook->should_spoof_maps =
+            (flags & APP_SPECIALIZE) && (modules.size() - modules_unloaded) > 0;
     }
 }
 
diff --git a/loader/src/injector/system_server.cpp b/loader/src/injector/system_server.cpp
@@ -147,7 +147,7 @@ void trigger_system_server_hooks() {
     jint uid = static_cast<jint>(getuid());
     jint gid = static_cast<jint>(getgid());
     jintArray gids = fetch_gids(env);
-    jint runtime_flags = 0;
+    jint runtime_flags = RuntimeFlags::LATE_INJECT;
     jlong permitted_capabilities = 0;
     jlong effective_capabilities = 0;
 
diff --git a/loader/src/injector/system_server.hpp b/loader/src/injector/system_server.hpp
@@ -1,5 +1,6 @@
 #pragma once
 
+#include <cstdint>
 /**
  * @brief Triggers Zygisk module hooks for system_server in late-injection scenarios.
  *
@@ -8,3 +9,9 @@
  * system_server_specialize.
  */
 void trigger_system_server_hooks();
+
+enum RuntimeFlags : uint32_t {
+    // Safely out of the way of AOSP's flags (Bits 0, 14-26)
+    // https://cs.android.com/android/platform/superproject/main/+/main:frameworks/base/core/jni/com_android_internal_os_Zygote.cpp;
+    LATE_INJECT = 1 << 30,
+};
diff --git a/module/src/service.sh b/module/src/service.sh
@@ -9,20 +9,26 @@ fi
 
 cd "$MODDIR"
 
+system_server_pid=$(pidof system_server)
+
 if [ "$(which magisk)" ]; then
 	for file in ../*; do
 		if [ -d "$file" ] && [ -d "$file/zygisk" ] && ! [ -f "$file/disable" ]; then
 			if [ -f "$file/service.sh" ]; then
 				cd "$file"
 				log -p i -t "zygisk-sh" "Manually trigger service.sh for $file"
-				sh "$(realpath ./service.sh)" &
+				if [ -z $system_server_pid ]; then
+					sh "$(realpath ./service.sh)" &
+				else
+					sh "$(realpath ./service.sh)" --late-inject &
+				fi
 				cd "$MODDIR"
 			fi
 		fi
 	done
 fi
 
-if [ ! -z $(pidof system_server) ]; then
-	log -p i -t "zygisk-sh" "Maually inject into system_server $(pidof system_server)"
-	./bin/zygisk-ptrace64 trace $(pidof system_server) --system_server
+if [ ! -z $system_server_pid ]; then
+	log -p i -t "zygisk-sh" "Maually inject into system_server $system_server_pid"
+	./bin/zygisk-ptrace64 trace $system_server_pid --system_server
 fi

Original file line number	Diff line number	Diff line change
`@@ -320,13 +320,12 @@ void ZygiskContext::run_modules_post() {`
`320`	`320`	`if (m.tryUnload()) modules_unloaded++;`
`321`	`321`	`}`
`322`	`322`
`323`		`- if (modules.size() > 0) {`
	`323`	`+ if (modules.size() > 0 && g_hook != nullptr) {`
`324`	`324`	`LOGV("modules unloaded: %zu/%zu", modules_unloaded, modules.size());`
`325`	`325`	`if (modules.size() == modules_unloaded) clean_libc_trace();`
`326`	`326`	`clean_linker_trace("jit-cache-zygisk", modules.size(), modules_unloaded, true);`
`327`		`- if (g_hook != nullptr)`
`328`		`- g_hook->should_spoof_maps =`
`329`		`- (flags & APP_SPECIALIZE) && (modules.size() - modules_unloaded) > 0;`
	`327`	`+ g_hook->should_spoof_maps =`
	`328`	`+ (flags & APP_SPECIALIZE) && (modules.size() - modules_unloaded) > 0;`
`330`	`329`	`}`
`331`	`330`	`}`
`332`	`331`