Related
Hi!!
I am running StockROM with some little tweaks made by me like doedex and zipalign, some visual chances, but nothing too hard. To have the best battery life possible I installed @sev3n1985 kernel. Everything perfect!!
I was surfing on the web and I discovered that permissive SELinux lets us do a lot more stuff than with the SELinux mode on Enforcing.
Is this truth? If so, is there any way I can change it to permissive permanently?
Regards :*
Sent from my S3 Neo+ (GT-I9301I) running Custom Made StockROM with @sev3n1985 kernel
I think it needs to be built in to kernel, to make it permanent, but you can use some apps and init.d scripts to make it permissive on every boot.
RometVinnal said:
I think it needs to be built in to kernel, to make it permanent, but you can use some apps and init.d scripts to make it permissive on every boot.
Click to expand...
Click to collapse
Could you please teach me how?
Sent from my S3 Neo+ (GT-I9301I) running Custom Made StockROM with @sev3n1985 kernel
The Forgotten said:
Could you please teach me how?
Sent from my S3 Neo+ (GT-I9301I) running Custom Made StockROM with @sev3n1985 kernel
Click to expand...
Click to collapse
How to build a kernel..? Well.. I can't teach you that, but if you know how to do it then:
"Switching between enforcing and permissive mode is possible if the kernel you have booted supports SELinux Development mode (CONFIG_SECURITY_SELINUX_DEVELOP=y). Otherwise, the kernel automatically boots in enforcing mode and you are not able to switch back. Although such kernels are sometimes considered the safest (as a successful intrusion still doesn't allow the attacker to disable SELinux, even if he obtains full administrative access) most distributions keep development mode on."
Checking the information about current status with a terminal command:
Code:
root # sestatus
Switching between permissive and enforcing:
Code:
root #setenforce 1 - makes it enforcing
root #setenforce 0 - makes it permissive
"The default value (enforcing or permissive) when the system boots is defined in the /etc/selinux/config file, through the SELINUX parameter." You could try changing that, but from my understanding you need a kernel, that is configured like that.
Now almost all of that information came from this page:
https://wiki.gentoo.org/wiki/SELinux/Tutorials/Permissive_versus_enforcing
As I stated earlier, I can't teach you how to build a kernel. It's just a thing you need to learn yourself before starting that journey.
Altho, I'm actually working on a lightly debloated and optimized stock rom, I'll maybe even make a custom kernel for it and enable SELinux development mode because Viper4Android needs permissive SELinux mode.
I hope you're having a great day.
The Forgotten said:
Hi!!
I am running StockROM with some little tweaks made by me like doedex and zipalign, some visual chances, but nothing too hard. To have the best battery life possible I installed @sev3n1985 kernel. Everything perfect!!
I was surfing on the web and I discovered that permissive SELinux lets us do a lot more stuff than with the SELinux mode on Enforcing.
Is this truth? If so, is there any way I can change it to permissive permanently?
Regards :*
Sent from my S3 Neo+ (GT-I9301I) running Custom Made StockROM with @sev3n1985 kernel
Click to expand...
Click to collapse
Its really easy......
1. Decompress stock boot.img with Android Imag Kitchen
2. Go into split_img folder
3. Open boot.img-cmdline with a text editor of your choice (except notepad)
4. Add this to the end of the file: androidboot.selinux=permissive
5. Compress the boot.img again and thats it
There are more haX you can do when decompressing a boot.img like adding init.d support , enabling adb at boot ........
oranaise2412 said:
Its really easy......
1. Decompress stock boot.img with Android Imag Kitchen
2. Go into split_img folder
3. Open boot.img-cmdline with a text editor of your choice (except notepad)
4. Add this to the end of the file: androidboot.selinux=permissive
5. Compress the boot.img again and thats it
There are more haX you can do when decompressing a boot.img like adding init.d support , enabling adb at boot ........
Click to expand...
Click to collapse
I did exactly what you said, and I failed...
Sent from my S3 Neo+ (GT-I9301I) running Custom Made StockROM with @sev3n1985 kernel
I have been playing around with kernels (for nexus 5), to add some features to the stock kernel. But I have problem with Samsung. I am trying to build a flashable custom kernel for Samsung S7 edge (G935F). .Steps I followed to create the boot.img are:
Get the stock source code (Samsung openSource)
Modify the kernel (just add/remove some TCP features)
Build the kernel (as per the kernel READ.ME, with aarch64-linux-android-4.9 toolchain)
-->created Image, with no loadable modules (*.ko)
Unpack the boot.img from the stock kernel (abootimg -x )
Create new boot.img replacing the original zImage with the custom kernel Image (abootimg --create . . . )
Make tar.md5 file of the custom boot.img for Odin3
Pushed the custom kernel using Odin3, but it fails to boot ("kernel not enforcing seadnroid"). I have tried using TWRP (install from zip), but it just does bootloop. Can anyone see what I am doing wrong? Am I missing something? I have read most of the "Build kernel from source" dev-threads but have not found a solution for this, nor am I allowed to post my questions there as I am just a junior member.
I would highly appreciate any help, as I have already invested some days with no avail
mdh-labs said:
I have been playing around with kernels (for nexus 5), to add some features to the stock kernel. But I have problem with Samsung. I am trying to build a flashable custom kernel for Samsung S7 edge (G935F). .Steps I followed to create the boot.img are:
Get the stock source code (Samsung openSource)
Modify the kernel (just add/remove some TCP features)
Build the kernel (as per the kernel READ.ME, with aarch64-linux-android-4.9 toolchain)
-->created Image, with no loadable modules (*.ko)
Unpack the boot.img from the stock kernel (abootimg -x )
Create new boot.img replacing the original zImage with the custom kernel Image (abootimg --create . . . )
Make tar.md5 file of the custom boot.img for Odin3
Pushed the custom kernel using Odin3, but it fails to boot ("kernel not enforcing seadnroid"). I have tried using TWRP (install from zip), but it just does bootloop. Can anyone see what I am doing wrong? Am I missing something? I have read most of the "Build kernel from source" dev-threads but have not found a solution for this, nor am I allowed to post my questions there as I am just a junior member.
I would highly appreciate any help, as I have already invested some days with no avail
Click to expand...
Click to collapse
I dont want to tell you something you have already read, if you have been through the Dev forums, But on the off chance:
Have you removed the Fingerprint reader?
The Kernel will fail to boot with it enabled, Unless you know the workaround (EchoTeam)
dave7802 said:
I dont want to tell you something you have already read, if you have been through the Dev forums, But on the off chance:
Have you removed the Fingerprint reader?
The Kernel will fail to boot with it enabled, Unless you know the workaround (EchoTeam)
Click to expand...
Click to collapse
Hmm ... Fingerprint reader? No, I have not removed anything. I was thinking that since I am not adding anything that was not already in the stock kernel source, I do not need to do any modifications. How can I remove this reader?
Here are the temporary solutions.
Way A:
Remove /system/lib/libbauth* , /system/lib64/libbauth*
Way B: (If you want to completely disable (or bypass) TEE)
Remove /system/lib/libbauth* , /system/lib64/libbauth*
Replace /system/lib64/hw/gatekeeper.exynos8890.so,/system/lib64/hw/keystore.exynos8890.so with these i uploaded.
Both of them will make your FP Sensor not working.
(Lock Screen will work)
But,at least,you get a stable custom kernel.
Click to expand...
Click to collapse
http://forum.xda-developers.com/s7-...m-g935f-fd-t3361460/post66762787#post66762787
Thank @Jesse Chan He also fixed the fingerprint too.
dave7802 said:
http://forum.xda-developers.com/s7-...m-g935f-fd-t3361460/post66762787#post66762787
Thank @Jesse Chan He also fixed the fingerprint too.
Click to expand...
Click to collapse
Thanks a lot, I will try that. I have already seen his custom kernel (would love to ask something on his thread but . . . )
mdh-labs said:
Thanks a lot, I will try that. I have already seen his custom kernel (would love to ask something on his thread but . . . )
Click to expand...
Click to collapse
I saw someone mention me.
Well, you must disable all TIMA-related configs as well as KNOX_KAP to get kernel boot.
And then, if you want to get a stable kernel with FP, you must apply my FP fix.(could be found in my Kernel's flashable zip)
Jesse Chan said:
I saw someone mention me.
Well, you must disable all TIMA-related configs as well as KNOX_KAP to get kernel boot.
And then, if you want to get a stable kernel with FP, you must apply my FP fix.(could be found in my Kernel's flashable zip)
Click to expand...
Click to collapse
I appreciate that you have had the time to look at my question. I've tried the tricks you suggested but my kernel still cannot boot. Modified the .config file (with menuconfig):
disabled
# CONFIG_KNOX_KAP is not set
# CONFIG_TIMA is not set
# CONFIG_TIMA_LKMAUTH is not set
not in config anymore
-CONFIG_TIMA_LOG=y
-CONFIG_TIMA_RKP=y
Then built a custom boot.img as mentioned in my question and added the META and mcRegistry folders from your flashable zip file to create a zip file out of the three.
I have also tried by removing the libbauth* files from system/lib/ and system/lib64 directories?
One more thing, does it matter whether I get just an Image file or zImage from kernel build (I get only Image and .gz of it)?
I've just got a new Samsung Galaxy TAB A 7.0 LTE SM-T285, For some reason I can't seem to find any resources for this hardware yet in this forum, anyone know where I could find one? I'll try to find out if the current methods (custom recovery and root) for other tab versions work on this.
CUSTOM ROMS
============
Android 5.1.1 Lollipop (Stock)
Tinker V5 Edition based on the Samsung Stock Rom SM-T280/T285
Android 6.0 Marshmallow
Cyanogenmod 13 for the SM-T285 Only
OMNIRom for the SM-T285 Only
Android 7.1 Nougat
Cyanogenmod 14.1 for the SM-T285 Only (Experimental, things are broken, depcrated in favor of LOS 14.1)
LineageOS 14.1 for the SM-T285 Only
Other Operating systems
Porting for Sailfish OS is currently in progress for the SM-T285, stay tuned
TWRP RECOVERY AND ROOT
=======================
TWRP is available for both the T280 and T285. You should find the relevant threads in this Galaxy Tab A forum.
If you want to root stock, easiest way is to install TWRP and go for SuperSU. Please see the TWRP threads for SM-T280/T285 on how to root after TWRP is installed.
KERNEL
======
Custom kernel with working sources for the SM-T285 can be found Here
DEVELOPMENT
============
If you want to build LineageOS 14.1 on your SM-T285 LTE device, you can use this manifest, not that this is still a work in progress:
https://github.com/jedld/android.git
UPDATE 10/06/2016
================
After a couple of weeks of trial and error and tinkering, I've been able to compile a kernel for the SM-T285 from source and so far it seems to work flawlessly!
Screenshot here: http://imgur.com/a/HRgsq
link to my kernel sources here: https://github.com/jedld/kernel_samsung_gtexslte.git
You can also thank samsung for giving us a "broken by default" kernel source. I had to mix and match defconfigs from their other kernel releases just to make this thing work. Download modified boot.img here:
http://forum.xda-developers.com/galaxy-tab-a/development/kernel-galaxy-tab-7-0-2016-lte-sm-t285-t3474967
UPDATE 09/20/2016
================
This device is now ROOTED!
http://forum.xda-developers.com/galaxy-tab-a/help/resources-samsung-galaxy-tab-7-0-2016-t3431022/post68777842#post68777842
Download Pre-rooted Tinker Edition V5 in this thread: Tinker Edition Thread
Post Root Post Mortem Analysis for the SM-T285 (09/21/2016)
=========================
Q: How were you able to find root? What did you do?
A: Surprisingly the SM-T285 bootloader isn't actually locked like we thought it was (Once you OEM unlock of course and disable FRP). The bottomline is that
we simply needed patches to mkbootimg to properly package a boot image for this device as there were additional fields and sections not found on a normal boot image. There were even minor breaking difference between the tab 4 and the boot image for this device.
Q: I thought the bootloader was locked?? Why did it take so long?
A: I blame it on the really vague errors the bootloader shows when loading an improperly packaged boot image. What helped was my faith to open up a hex editor when I needed to, and really look at the stock images and the images we were making. What really pushed me to investigate further was the fact that I was able to make a really small modification to the ramdisk and use the abootimg -u update function instead of the create options.
Q: So the bootloader doesn't really check the image?
A: Yup, The bootloader doesn't do any check. I haven't checked if that is the case for the recovery partition though. Even without the SELINUXENFORCE headers at the end it still continues like other samsung devices do.
Q: So the mkbootimg patches are all that we need?
A: Yup, if you have CM, AOSP build env ready you can simply add the modified mkbootimg to system/core:
https://github.com/jedld/degas-mkbootimg/commit/b63ae38e2ab7040cc7ddaef777652a56b2e48322
Sample usage below:
Code:
degas-mkbootimg -o boot.img --base 0 --pagesize 2048 \
--kernel boot.img-zImage --cmdline "console=ttyS1,115200n8" --ramdisk boot_kitchen/boot.img-ramdisk-new.gz --dt boot.img-dt
Next challenge will be getting Cyanogenmod on this device as well as TWRP.
You won't because it has a locked bootloader, therefore not currently rootable and certainly no custom recovery.
jaritico said:
any idea to unlock bootloader?
Click to expand...
Click to collapse
Not unless Samsung provides one.
jaritico said:
any idea to unlock bootloader?
Click to expand...
Click to collapse
Probably no hope for root. the PIT, boot and recovery are basically untouchable, selinux enforcing enabled also does not help. You can still debloat and customize the system partition though:
http://forum.xda-developers.com/android/development/guide-samsung-galaxy-tab-7-0-sm-t285-t3438296
I'm working on getting CM 12.1 to run on this device.
jedld said:
Probably no hope for root. the PIT, boot and recovery are basically untouchable, selinux enforcing enabled also does not help. You can still debloat and customize the system partition though:
http://forum.xda-developers.com/android/development/guide-samsung-galaxy-tab-7-0-sm-t285-t3438296
I'm working on getting CM 12.1 to run on this device.
Click to expand...
Click to collapse
Yes at least the saving grace is that Samsung left Dm-verity off for this device.
If only they'd have left out the root restriction in the kernel too we'd have a rootable device.
I have an idea for this that I haven't tried yet.
Basically Samsung sends out security Policy updates via OTA, they recently released an SEPOLICY update to most devices breaking root. Chainfire patched this.
As this policy is stored in DATA and over rides the one in the boot.img it may be possible to use a patched SEPOLICY by creating a flashable DATA image with the patched SEPOLICY thereby removing the SElinux root restriction.
I ran it by Chainfire and he said in theory it should work except for that fact that the SEPOLICY in DATA is signed.
I have yet to try this out.
I think it would be difficult to get CM running as the kernel may need some patches and as we know that can't be touched.
ashyx said:
Yes at least the saving grace is that Samsung left Dm-verity off for this device.
If only they'd have left out the root restriction in the kernel too we'd have a rootable device.
I have an idea for this that I haven't tried yet.
Basically Samsung sends out security Policy updates via OTA, they recently released an SEPOLICY update to most devices breaking root. Chainfire patched this.
As this policy is stored in DATA and over rides the one in the boot.img it may be possible to use a patched SEPOLICY by creating a flashable DATA image with the patched SEPOLICY thereby removing the SElinux root restriction.
I ran it by Chainfire and he said in theory it should work except for that fact that the SEPOLICY in DATA is signed.
I have yet to try this out.
I think it would be difficult to get CM running as the kernel may need some patches and as we know that can't be touched.
Click to expand...
Click to collapse
I ran it by Chainfire and he said in theory it should work except for that fact that the SEPOLICY in DATA is signed.
I have yet to try this out.
Click to expand...
Click to collapse
Would probably need to brush up on se policies in linux. If there are already files available that I just need to flash over to /data I can try it out and also a means to test it if it works.
I've created a petition here:
https://www.change.org/p/samsung-unlock-the-bootloader-for-the-samsung-galaxy-tab-a-7-0-2016?recruiter=286570213&utm_source=petitions_show_components_action_panel_wrapper&utm_medium=copylink&recuruit_context=copylink_long
Not sure if samsung is the type that listens to this sort of thing though.
ashyx said:
As this policy is stored in DATA and over rides the one in the boot.img it may be possible to use a patched SEPOLICY by creating a flashable DATA image with the patched SEPOLICY thereby removing the SElinux root restriction.
I ran it by Chainfire and he said in theory it should work except for that fact that the SEPOLICY in DATA is signed.
I have yet to try this out.
Click to expand...
Click to collapse
I made an attempt to patch sepolicy using data however all I got in the logs was
Code:
E/SELinux ( 733): Function: fileToArray, File Open Unsuccessful:
E/SELinux ( 733): Function: getVersionhash, signature is NULL
I/SELinux ( 733): Function: selinux_init_verify_sepolicy, getVersionhash return false
E/SELinux ( 733): Function: VerifyPolicy , selinux_init_verify_sepolicy is failed
So far I have no indication that my patch worked
Code:
sepolicy-inject -s shell -t system -c file -p read -P sepolicy -o sepolicy
The error above only comes up if I place sepolicy in /data/security and sepolicy_version in /data/security/spota
sha256 hashes were also updated in the version file so I'm not sure what I'm missing.
If I could have a copy of a samsung ota that actually updates the policies I can probably have better direction
jedld said:
I made an attempt to patch sepolicy using data however all I got in the logs was
Code:
E/SELinux ( 733): Function: fileToArray, File Open Unsuccessful:
E/SELinux ( 733): Function: getVersionhash, signature is NULL
I/SELinux ( 733): Function: selinux_init_verify_sepolicy, getVersionhash return false
E/SELinux ( 733): Function: VerifyPolicy , selinux_init_verify_sepolicy is failed
So far I have no indication that my patch worked
Code:
sepolicy-inject -s shell -t system -c file -p read -P sepolicy -o sepolicy
The error above only comes up if I place sepolicy in /data/security and sepolicy_version in /data/security/spota
sha256 hashes were also updated in the version file so I'm not sure what I'm missing.
If I could have a copy of a samsung ota that actually updates the policies I can probably have better direction
Click to expand...
Click to collapse
Finally found a way to patch the kernel on this device. Stay tuned...
jedld said:
Finally found a way to patch the kernel on this device. Stay tuned...
Click to expand...
Click to collapse
Turns out I was just able to modify files in the boot.img, though when I try to update the sepolicy itself, it won't boot.
jedld said:
Turns out I was just able to modify files in the boot.img, though when I try to update the sepolicy itself, it won't boot.
Click to expand...
Click to collapse
Can you at least explain a bit further?
What modifications allow you to create a boot able image?
How have you overcome image signing?
Only way I can think of is hex editing the signature, however I was under the impression this was crc based.
ashyx said:
Can you at least explain a bit further?
What modifications allow you to create a boot able image?
How have you overcome image signing?
Only way I can think of is hex editing the signature, however I was under the impression this was crc based.
Click to expand...
Click to collapse
Yeah I was able to flash a modified boot.img using heimdall, turns out that you just need to use abootimg -u boot.img -r yourmodifiedramdisk so that you don't overwrite the SELINUXENFORCE headers appended at the end of the boot.img file, it appears the bootloader only checks for the presence of those headers but does not actually compute the sig.
Modifying ramdisk works, haven't tried modifying the kernel itself.
I tried to modify the sepolicy files after using sepolicy-inject but it throws a KERNEL not SEnforced error. I am not certain if this is just a blanket error if the kernel doesn't boot due to modifying the policy files incorrectly or if there is legit checking going on. Nevertheless I am able to modify the init.rc files now.
jedld said:
I tried to modify the sepolicy files after using sepolicy-inject but it throws a KERNEL not SEnforced error. I am not certain if this is just a blanket error if the kernel doesn't boot due to modifying the policy files incorrectly or if there is legit checking going on. Nevertheless I am able to modify the init.rc files now.
Click to expand...
Click to collapse
Continued checking it out. So even though I can modify the ramdisk, I am unable to add more than 1000 - 2000 bytes before setting off the SEAndroid enforce error on bootup. Might be some headers on the boot.img that I fail to update when the ramdisk size gets bigger. Trying to modify the sepolicy in any way even if there is minimal change in size prevents it from booting. I have no idea what is checking it, I'll try to hexedit and see what happens.
jedld said:
Continued checking it out. So even though I can modify the ramdisk, I am unable to add more than 1000 - 2000 bytes before setting off the SEAndroid enforce error on bootup. Might be some headers on the boot.img that I fail to update when the ramdisk size gets bigger. Trying to modify the sepolicy in any way even if there is minimal change in size prevents it from booting. I have no idea what is checking it, I'll try to hexedit and see what happens.
Click to expand...
Click to collapse
So I used a hexedit on the sepolicy file and was able to modify one byte of it effectively changing its sha256sum... and it worked. So the sepolicy file CAN be changed, however current sepolicy-inject and supolicy tools does something to it that trips it, looks like samsung has again added a proprietary modification sepolicy format.
I've never known a kernel not boot due to the kernel not SEANDROID enforcing warning.
It's a meaningless warning and easily bypassed.
However this is on bootloader unlocked devices.
So just let me get this straight, you have been able to repack the boot.img with modifications to the ramdisk then force flash it via Heimdall and it still boots?
ashyx said:
I've never known a kernel not boot due to the kernel not SEANDROID enforcing warning.
It's a meaningless warning and easily bypassed.
However this is on bootloader unlocked devices.
So just let me get this straight, you have been able to repack the boot.img with modifications to the ramdisk then force flash it via Heimdall and it still boots?
Click to expand...
Click to collapse
yup. that's correct. I'll post my modified boot.img in a while
jedld said:
yup. that's correct. I'll post my modified boot.img in a while
Click to expand...
Click to collapse
note that using the update only method of abootimg "abootimg -u boot.img -r xxxxxx " is the only one that works for repacking the ramdisk. Trying to build the boot.img from scratch using any other method has so far failed for me.
Here is a flashable boot.img for the SM-T285.
It contains the following modifications to the ramdisk:
a file at /this_device_is_owned
and a modified init.rc that creates a /tmp folder
jedld said:
Here is a flashable boot.img for the SM-T285.
It contains the following modifications to the ramdisk:
a file at /this_device_is_owned
and a modified init.rc that creates a /tmp folder
Click to expand...
Click to collapse
now managed to patch sepolicy using chainfire's supolicy tool. needed to use a customized mkbootimg due to changes in the Tab A image format for this. now attempting to root the device... wish me luck
Hello to all, I want to change Selinux enforncing to Permissive, I'm making a new rom and need change it.
Does anyone know how to do it?. my device is G900M. Sorry for my English
Thank you very much.
Im not sure but... I think the SELinux is part of the kernel, and you cant change it without modding the kernel so... I think thats what you have to do, but im not sure about this. BTW, if you dont need to change the kernel to do this you can just do a init.d script with this line:
setenforce 0
Or add it to the finish of the "init.qcom.post_boot.sh" like this:
#SELinux Permissive
setenforce 0
Stock kernels will not allow it no matter what, you need a custom kernel that is not seandroid enforcing
this does not belong in the Dev section please have a mod move the thread
I wanted to install Viper4android on stock 7.0 march but was unable to do so after following 2-3 different methods. Is there anyone successfully using viper4android on stock? And if not successful them suggest any other sound mod fully working and compatible with stock 7.0 march. I am rooted, elementalX 1.04 + busybox also installed :silly:
You intent with Viper4Aprise?
most of these require permissive selinux and i dont want to do that.
Why? I dont know for what flash permissive, what Is this?
JassyelZ said:
Why? I dont know for what flash permissive, what Is this?
Click to expand...
Click to collapse
selinux can be "enforcing" which is more secure or "permissive" which is less secure. V4A does require permissive kernel generally.
so anyone found a working sound mod for stock rom with selinux enforcing?
nitish_namdev said:
so anyone found a working sound mod for stock rom with selinux enforcing?
Click to expand...
Click to collapse
I've got ARISE running on my device (NPJS25.93-14.4, ElementalX, magisk v13). Note, I'm just running the core modules, any other addons I do not know if you need to tweak further. I have not changed ElementalX's SE Linux permissions, and running 'su getenforce' in a terminal returns as 'enforcing'.
My setup: XT1642, updated to NPJS25.93-14.4, ElementalX, magisk v12/v13 (think if you have SuperSU, should be okay too).
1) Downloaded ARISE Magnum Opus from here: https://forum.xda-developers.com/android/software/r-s-e-sound-systems-auditory-research-t3379709 (I currently have the 05/06 build). The download link is the Magnum Opus TM. Also, as I'm using magisk, I downloaded the magisk compatibility module. https://forum.xda-developers.com/an...y-research-t3379709/post71569390#post71569390
2) To configure ARISE before flashing, I extracted arise_customize.prop to /sdcard, and configured install.core to = true, install.v4a_2.5.0.5= to be true (and later found out I needed delete.deep_buffer to = true). Saved the ARISE customise file (I've uploaded my prop file if you want to see my modifications. If you wish to use this file, delete the .txt in the file name so the extension is .prop).
3)Rebooted to TWRP. Backed up. Flashed ARISE Magnum Opus - as configured, it should flash the 2.5.0.5 core module and delete the deep buffer (without deleting deep buffer, I found that ARISE did not process output).
3a)After ARISE, flashed the magisk compatibility module (if you're on SuperSU, you may not have to flash this). With magisk v13, this does not trigger Safety Net.
4)Wipe cache/Dalvik and reboot.
5)As I'm using Poweramp, I had to go to Poweramp Settings > Audio > Advanced Tweaks and disable Direct Volume Control. Also, I disabled the main Equalizer.
Now, ARISE processes headphone output as per the ARISE settings.