This is a repository for open-source Magisk Modules which is run by by IzzyOnDroid (details), currently serving 139 modules. To add it to your MMRL client, use this URL:
https://apt.izzysoft.de/magisk
Note this repo is still in BETA stage, so there might be some glitches and not everything is working as planned yet! Further, other than with our F-Droid repo, there is no extensive scanning framework in place. Modules are taken in directly from their resp. developers.
Last updated: 2026-03-06 20:33 UTC
Txd Tool Android 13 Guide
| Type (1 byte) | Length (2 bytes) | Value (variable) | |---------------|------------------|-------------------|
The paper is written in an academic-style format suitable for a cybersecurity or mobile forensics conference or journal. Author: [Generated for research purposes] Affiliation: Mobile Security Research Lab Date: April 14, 2026 Abstract The TXD (Test eXecution and Debug) tool has re-emerged as a powerful attack surface in Android 13, particularly on devices with MediaTek and Unisoc chipsets. Originally designed for factory testing and hardware validation, TXD leverages proprietary diagnostic ports (e.g., UART, USB Diag, and custom IPC) to execute low-level commands with system-level privileges. This paper analyzes the internal workings of TXD on Android 13, including its bypass of SELinux, interaction with the tz_hypervisor , and ability to unlock bootloaders, reset user data, and disable hardware-backed security (e.g., TrustZone). We present a technical dissection of the TXD protocol, vulnerabilities introduced by inadequate access control on diag char devices, and practical countermeasures for OEMs and enterprise users. Finally, we evaluate the tool’s dual-use nature—legitimate repair vs. forensic exploitation. 1. Introduction Android 13 introduced numerous security enhancements, including stricter BLKIO limits, hardened seccomp filters, and expanded use of Protected Confirmation. However, legacy diagnostic interfaces persist due to hardware manufacturing requirements. The TXD tool, originally developed for chipset validation, has been repurposed by security researchers, forensic analysts, and attackers to gain unauthorized access to Android 13 devices. txd tool android 13
0x10 0x04 0x00 0x00 0x40 0x00 0xC0 0x00 TXD uses a known loophole: The diag device context in some Android 13 kernels (especially pre-June 2025 patches) allows ioctl commands DIAG_SET_DCI and DIAG_GET_DELAYED_RSP from untrusted apps via adb shell . TXD abuses this to elevate from shell UID to system UID, then to root via setns() on vold netns. 4.5 Bootloader Unlock Flow On supported chipsets, TXD sends: | Type (1 byte) | Length (2 bytes)
CMD_OEM_UNLOCK (type 0x81, length 0x04, value 0x5A5A5A5A) If bootloader verification is weak (common in MediaTek MT6789 and Dimensity 9000 series), the unlock flag in secro partition is flipped. | Impact Area | Severity | Android 13 Example | |-------------|----------|--------------------| | Confidentiality | High | Full filesystem extraction without authentication | | Integrity | High | Disable dm-verity, modify system partition | | Availability | Medium | Wipe FRP, brick device via corrupting persist | | Authentication | Critical | Bypass lockscreen, enroll new fingerprint | This paper analyzes the internal workings of TXD
Example – Read physical address 0x4000C000 :
55 53 42 43 01 00 00 00 00 00 00 00 00 00 00 00 The device responds with a configuration descriptor containing max packet size (e.g., 0x200). TXD then requests switch to diag mode via:
