What is a modded APK?

You might ask yourself why is it necessary to modify an APK* released for an Android 9 based Zidoo Player (Z9X, Z10 Pro, Z1000 Pro, UHD3000) to get it work on Zidoo Players running Android 6 (X8, X9S, X10)/7.1 (Z9S, Z10, X20, X20 Pro, Z1000, UHD2000) and what has to be modified.

To answer this question I’ve to explain a little bit about the technical background of Android.

It all depends on APK Signature Signing sheme for JAR signing. With Android 6, 7.1 and 9 Google introduced several security improvements.

  • Android 6 support only APK signing scheme v1*
  • Android 7.1 support only APK signing scheme v2*
  • Android 9 support APK signing scheme v2 and v3*

Media Center 3.8.1 from firmware X8, X9S or X10 v2.1.42 has been signed with Signature Signing sheme v1

01. zidoo_file_3.8.1.apk

        VERIFY
        file: apks\Media Center\Android 6\zidoo_file_3.8.1.apk (7.71 MiB)
        checksum: 7a1b77652635a8bcf9c9909c73aa28e985844ad793a5cae2f90ffb0333522a2b (sha256)
        - zipalign verified
        - signature verified [v1]
                13 warnings
                Subject: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
                SHA256: c8a2e9bccf597c2fb6dc66bee293fc13f2fc47ec77bc6b2b0d52c11f51192ab8 / MD5withRSA
                Expires: Sun Sep 02 00:40:50 CEST 2035

Media Center 3.8.1 from firmware Z9S, Z10, X20, X20 Pro, Z1000 or UHD2000 v4.0.25 has beed signed with Signature Signing sheme v1 and v2

01. zidoo_file_3.8.1.apk

        VERIFY
        file: apks\Media Center\Android 7.1\zidoo_file_3.8.1.apk (7.7 MiB)
        checksum: 68b6a5e0bd7d4dc6e6e8bbad773de3b3c349a616b186a2e98ae0eb8e1568f340 (sha256)
        - zipalign verified
        - signature verified [v1, v2]
                13 warnings
                Subject: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
                SHA256: c8a2e9bccf597c2fb6dc66bee293fc13f2fc47ec77bc6b2b0d52c11f51192ab8 / MD5withRSA
                Expires: Sun Sep 02 00:40:50 CEST 2035

Media Center 3.8.1 from firmware Z9X, Z10 Pro or Z1000 Pro v6.0.35 has been signed with Signature Signing sheme v1, v2 and v3

01. zidoo_file_3.8.1.apk

        VERIFY
        file: apks\Media Center\Android 9\zidoo_file_3.8.1.apk (1.81 MiB)
        checksum: 2480cbba69fda94a193a68dc35b75f310fe12c62c097dcf3e7ec442dea4e4f45 (sha256)
        - zipalign verified
        - signature verified [v1, v2, v3]
                13 warnings
                Subject: EMAILADDRESS=zidoo@zidoo.tv, CN=ZIDOO Media Player, OU=ZIDOO Media, O=ZIDOO, L=Shenzhen, ST=Guangdong, C=CN
                SHA256: a6db62fc18096547a441cfed1f0e20da1342301c388f48da03bb719ca0b65bbe / SHA256withRSA
                Expires: Tue Apr 23 12:21:05 CEST 2047

To install an APK on Android 6, 7.1 or 9 it has to be signed with a valid certificate. Validating a signed APK is to make sure it hasn’t been modified between signing and installing e.g. to prevent malware.

So why it isn’t possible to install an APK from firmware Z9X, Z10 Pro or Z1000 Pro with APK Signature Signing sheme v1, v2 and v3 on the Android 6 or 7.1 devices?

Let’s take a deeper look into the design of on APK file.

An APK file is pretty much the same as a ZIP* archive or a Java archive (JAR*). So nearly any Archive Tool out there should be able to open an APK file.

WinRAR zidoo_file_3.8.1.apk Android 6
WinRAR zidoo_file_3.8.1.apk Android 7.1
WinRAR zidoo_file_3.8.1.apk Android 9

The Android 6 version of the APK is quite equal to the Android 7.1 version except the META-INF folder. In the META-INF folder the signing information is stored. An APK contains assets like images, sounds or fonts, resources like language files and bytecode. The bytecode is stored in dex* files.

The Android 9 version of the APK is much smaller in file size 1.8MB vs 7.7MB because the dex files are missing. With Android 8 Google replaced dex files with the new file formats vdex and odex*. These files are stored next to the APK in the file system.

apks\Media Center\Android 9\zidoo_file_3.8.1\zidoo_file_3.8.1.apk
apks\Media Center\Android 9\zidoo_file_3.8.1\oat
apks\Media Center\Android 9\zidoo_file_3.8.1\oat\arm
apks\Media Center\Android 9\zidoo_file_3.8.1\oat\arm\zidoo_file.odex
apks\Media Center\Android 9\zidoo_file_3.8.1\oat\arm\zidoo_file.vdex

With the right tool chain it is possible to convert the bytecode from the Android 8+ vdex format to the legacy Android 6/7.1 dex format and to downgrade from API level 28 to API level 23*.

Adding those newly created dex files into the Android 9 based APK invalidates the signing so the APK is not installable anymore.

As you can imagine I don’t have Zidoo’s certificate to sign the APK but I can use my own.

01. zidoo_file_3.8.1-McBluna-signed.apk

        VERIFY
        file: apks\Media Center\Android 9\zidoo_file_3.8.1\zidoo_file_3.8.1-McBluna-signed.apk (6.78 MiB)
        checksum: 8454996f2f8c5371a66bbad6ff0a14569aef257936500d47abf3aad46754d45b (sha256)
        - zipalign verified
        - signature verified [v1, v2, v3]
                1 warnings
                Subject: CN=www.mcbluna.net
                SHA256: 7ecc19453d16f43c897c989620951271b63ab4ab53f20ed46c043cd30ed30074 / SHA256withRSA
                Expires: Wed Apr 28 01:59:59 CEST 2021

Let’s try to install the APK via GUI

Let’s try it again via shell

kylin32:/ # pm install /sdcard/Download/zidoo_file_3.8.1-McBluna-signed.apk
Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE: Package com.zidoo.fileexplorer signatures do not match the previously installed version; ignoring!]

It doesn’t work because Media Center is already installed and signed with Zidoo’s certificate.

Media Center is a system application and can not be easily uninstalled because there’s is no uninstall button

Guide: How to uninstall a system application on Zidoo Android 6/7.1 based devices

After successfully uninstalling Media Center let’s try again to install the modded version

kylin32:/ # su
 kylin32:/ # pm install -g /sdcard/Download/zidoo_file_3.8.1-McBluna-signed.apk>
 Failure [INSTALL_FAILED_SHARED_USER_INCOMPATIBLE: Package couldn't be installed in /data/app/com.zidoo.fileexplorer-1: Package com.zidoo.fileexplorer has no signatures that match those in shared user android.uid.system; ignoring!]

As a security mechanism Android prevent application A from accessing data from application B. Per default Androids creates a uid per application. Two applications sharing the same uid are permitted to access each others data. The certificate of the first application which uses a new uid is related to it and can not be replaced.

The uid for the modded application has to be changed by modifying the App Manifest file* of the APK.

kylin32:/ # pm install -g /sdcard/Download/zidoo_file_3.8.1-McBluna-signed.apk>
Success

Upgrade to v3.8.6

For any reason the Permissions are not set for my modded apks. Please keep in mind that you’ve to repeat this procedure each time you delete the application data.

I recommend to assign the System Settings to one of the colored buttons on your remote control for quick access.

goto System Settings/Apps

Let’s checkout the new UPNP funtion of v3.8.6

Media Center
1. Increase UPNP function.
2. Optimize NAS boot and mount speed.
3. Optimize UI.

6 thoughts on “What is a modded APK?”

Leave a Comment