BRENE v0.0.00
SuSFS v0.0.0+
Kernel Version Loading...
..5.u.S Status Loading...
  SuSFS redirects the sus path to a supposedly non-existent path named '..5.u.S'. This is the only way to settle the cross-check of the errno returned from various syscalls. One disadvantage is that if the path itself can be written or created by the app (MANAGE_EXTERNAL_STORAGE granted), hiding it is futile.
susfs4ksu-module Status: Not installed ✅
SuSFS Manager Status: Not installed ✅
Developer Options Enable or disable developer options
USB Debugging Enable or disable USB debugging
Wireless Debugging Enable or disable wireless debugging
Important Notes: Only effective for umounted processes with uid ≥ 10.000
Non-standard /sdcard
  Standard Paths: Alarms, Android, Audiobooks, DCIM, Documents, Download, Movies, Music, Notifications, Pictures, Podcasts, Recordings, Ringtones (MIUI)
  Example of detections:
  /sdcard/MT2
  /sdcard/TWRP
  /sdcard/AppManager
Non-standard /sdcard/Android
  Standard Paths: data, media, obb
  Example of detections:
  /sdcard/Android/fas-rs
/data/local/tmp
  Example of detections:
  /data/local/tmp/main.jar
  /data/local/tmp/DebugAssistant.log
/sdcard/Android/[data | media | obb]
  Example of detections:
  /sdcard/Android/data/io.github.muntashirakon.AppManager
  /sdcard/Android/media/io.github.muntashirakon.AppManager
  /sdcard/Android/obb/io.github.muntashirakon.AppManager
Hide Suspicious Mounts For Non-su Processes
  Prevents zygote from caching the sus mounts in memory and keeps them hidden from /proc/self/[mounts|mountinfo|mountstat] for non-su processes.
  Example of detections:
  Holmes:
  - Futile Trace Hide
  Native Test:
  - Futile Hide (08)
Hide Suspicious PTYs
  Example of detections:
  Duck Detector:
  - Found ROOT PTY
Umount Suspicious Mounts (2B)
  Example of detections:
  Native Detector:
  - Detected Suspicious Mount
  - Detected Inconsistent Mount
  - Detected modified Hosts file
Umount Suspicious Mounts (500K, old SuSFS patches)
  Example of detections:
  Native Detector:
  - Detected Suspicious Mount
  - Detected Inconsistent Mount
  - Detected modified Hosts file
Injections Hiding
  Only effective for umounted processes with uid ≥ 10.000
  Example of detections:
  Native Detector:
  - Found Injection
  Disclosure:
  - Found suspicious memory mapping (inconsistent inode)
Important Notes: Only effective for umounted processes with uid ≥ 10.000
SUS MAP
  An added real file path that gets mmapped will be hidden from /proc/self/[maps|smaps|smaps_rollup|map_files|mem|pagemap]
  Important Notes:
  - It does NOT support hiding for anon memory.
  - It does NOT hide any inline hooks or PLT hooks caused by the injected library itself.
  - It may not be able to evade detection by apps that implement good injection detection.
  Example:
  /system/fonts/Roboto-Regular.ttf
  /data/adb/modules/my_module/zygisk/arm64-v8a.so
SUS PATH
  An added path and all its sub-paths will be hidden from several syscalls for umounted app processes.
  Please be reminded that if the target path has upper mounts, make sure the proper layer is added; otherwise it may not be effective for the target process.
  For paths that are read-only all the time, add them via 'add_sus_path'.
  Example:
  /system/addon.d
  /system/bin/install-recovery.sh
SUS PATH LOOP
  The only difference from add_sus_path is that a sus_path added via this CLI will be flagged as SUS_PATH again for the app process when it is spawned by zygote and marked umounted.
  It also does not check whether the path exists; it only checks for an empty string, so be careful what you add.
  For paths that are frequently modified, add them via 'add_sus_path_loop'.
  Example:
  /sdcard/TWRP
  /data/local/tmp/main.jar
AVC Log Spoofing
  Spoofs the sus tcontext 'su' as 'u:r:priv_app:s0:c512,c768' in the avc log shown by the kernel.
  Enabling this can sometimes make it hard for developers to identify the cause when they are debugging permission or SELinux issues, so users are advised to disable it when doing so.
/proc/cmdline or /proc/bootconfig Spoofing
  Spoofs the output of /proc/cmdline (non-gki) or /proc/bootconfig (gki) from a text file.
  No root process detects it for now, and this spoofing does not actually help much.
  Example:
  androidboot.warranty_bit = "0"
  androidboot.verifiedbootstate = "green"
Android System Properties Spoofing
  Spoofs some Android system properties.
  Example:
  [ro.build.type]: [user]
  [ro.build.tags]: [release-keys]
Uname Spoofing
  Spoofs uname for all processes. Only 'release' and 'version' are spoofed, as the others are no longer needed.
  Example:
  Kernel Release: 5.10.123-android12-9-g690101101069
  Kernel Version: #1 SMP PREEMPT Wed Jun 9 03:20:30 UTC 2069
  Example of detections:
  Duck Detector:
  - Build time drift
  Holmes:
  - Abnormal Environment (03)
  Native Detector:
  - Detected Custom Kernel
  Disclosure:
  - Custom kernel detected (build date...)
Custom Uname Spoofing
  Spoofs uname for all processes. Set a string to 'default' to make the function use the original string.
Remove Custom ROM Properties Some Custom ROM properties
Remove Play Integrity Fix Properties Some Play Integrity Fix properties
BRENE Logs Enable or disable BRENE Logs
SuSFS Logs Enable or disable SuSFS log in kernel
SELinux Enforcing Always use the SELinux enforcing mode
SU Compat
  SU Compatibility Mode: allows authorized apps to gain root via the traditional 'su' command.
  WARNING: Old SuSFS patches need this option enabled to work.
Kernel Umount
  Kernel Umount: controls whether the kernel automatically unmounts modules when not needed.
  WARNING:
  - Old SuSFS patches need this option enabled to work.
  - Umount Suspicious Mounts needs this option enabled to work.
Disable Modules Enable Modules