系列文章
MTK 6735/6739/6755/6763 android8.1 user版本打开root权限(adb root权限和 apk root权限)
相比较 android8.1 而言,6.0 的要简单很多
1、首先 6.0 不需要关闭 DM-verity,只需开放 adb root 后就能成功 remount,对 system 分区 rw 操作
2、6.0 无需在 init.rc 中增加启动完成脚本,只需安装 SuperSU2.7,
然后按照更新提示选择常规方式更新 SU 二进制文件,这样再次重启 su daemon 进程就默认启动了
一图胜千言
修改方案
因为少了两个大步骤,所以修改的文件少了很多
总共修改 11 个文件,新增 1 个文件,一共 12 个。
modified: build/core/main.mk
modified: device/eastaeon/aeon6737t_66_m0/device.mk
modified: external/sepolicy/Android.mk
modified: frameworks/base/cmds/app_process/app_main.cpp
modified: frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
modified: kernel-3.18/security/commoncap.c
modified: system/core/adb/Android.mk
modified: system/core/adb/adb_main.cpp
modified: system/core/init/init.cpp
modified: system/core/libcutils/fs_config.c
modified: system/extras/su/su.c
add system/extras/su/su
1、让进程名称在 AS Logcat 中可见,通过修改 ro.adb.secure 和 ro.secure
ps:这步不是必须的,目的只是在 logcat 中可见进程 pid 和包名,而且打开 USB 调试时默认授权,不再弹授权框
build/make/core/main.mk
tags_to_install :=
ifneq (,$(user_variant))
# Target is secure in user builds.
- ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
+ # ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
ifeq ($(user_variant),user)
- ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+ # ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
endif
ifeq ($(user_variant),userdebug)
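Review bot: The comment `# Target is secure in user builds.` directly above the changed `ro.secure` line now states the opposite of what the block does, since both `ro.secure` and `ro.adb.secure` are forced to 0 for user builds. Replace it with one describing the new state, e.g. `# Debug image: ro.secure/ro.adb.secure forced to 0 — adbd keeps root and USB hosts are accepted without the RSA authorization prompt.`, and delete the two commented-out `+= ...=1` lines instead of keeping them as dead text. Because `ro.adb.secure=0` removes the per-host key check for every USB host, gating these lines behind a board-level switch (e.g. `ifeq ($(TARGET_ENABLE_ADB_ROOT),true)` — constructed name) keeps a default-secure user build buildable from the same tree.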
@@ -251,7 +253,7 @@ ifneq (,$(user_variant))
tags_to_install += debug
else
# Disable debugging in plain user builds.
- enable_target_debugging :=
+ # enable_target_debugging :=
endif
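Review bot: Commenting out `enable_target_debugging :=` leaves that variable set to its earlier value for plain user builds, so whatever is later conditioned on it — outside this hunk, presumably the block that sets `ro.debuggable=1` and turns adbd on by default — now applies to user as well, which widens the change beyond what the comment `# Disable debugging in plain user builds.` still claims. Confirm that is intended; if so, rewrite that comment and remove the commented-out line rather than leaving both. The two edits are coupled: with `ro.debuggable=1` the `ro.debuggable` check bypassed in adb_main.cpp would already have returned early, so only one of the two is needed.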
# Disallow mock locations by default for user builds
2、修改 SELinux权限为 Permissive
SELinux 常用状态有两个 Permissive 和 Enforcing,通过 adb shell getenforce 可查看当前所处模式
system/core/init/init.cpp
static bool selinux_is_enforcing(void)
{
+return false;
if (ALLOW_PERMISSIVE_SELINUX) {
return selinux_status_from_cmdline() == SELINUX_ENFORCING;
}
return true;
}
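Review bot: The unconditional `return false;` placed first in selinux_is_enforcing() makes everything after it dead code, including the kernel-cmdline override read through `selinux_status_from_cmdline()`, so the compiler will flag unreachable statements and an enforcing request on the cmdline is silently ignored. Keep one path and say why: either reduce the body to `return false;  // policy loads but is never enforced on this image` and delete the rest, or make the early return depend on a build flag so the same source can still produce an enforcing image. Because the policy still loads in permissive mode, AVC denials keep appearing in dmesg/logcat tagged `permissive=1`, which is the quickest way to confirm which mode a given device booted in.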
3、修改 adb root 权限,解除 zygote 和 adbd 对 Root Capabilities BoundSet 的限制
kernel-3.18/security/commoncap.c
@@ -840,6 +840,16 @@ static int cap_prctl_drop(unsigned long cap)
{
struct cred *new;
+ //
+ if (!strncmp(current->comm, "zygote", 16)) {
+ return -EINVAL;
+ }
+
+ if (!strncmp(current->comm, "adbd", 16)) {
+ return -EINVAL;
+ }
+ //
+
if (!ns_capable(current_user_ns(), CAP_SETPCAP))
return -EPERM;
if (!cap_valid(cap))
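Review bot: The exemption keys on `current->comm`, a 16-byte name a process can set for itself with `prctl(PR_SET_NAME)`, so it selects by label rather than by identity — and `strncmp(current->comm, "zygote", 16)` matches only the exact name, so a `zygote64` process on a 64-bit image is not covered. Returning `-EINVAL` also means adbd can never shrink its bounding set for its whole lifetime, not just at startup. The two empty `//` lines should become a real comment stating this, e.g. `/* debug image: zygote and adbd keep their full bounding set; callers treat -EINVAL as "unsupported" */`, and `sizeof(current->comm)` instead of the literal 16 would tie the bound to the field. cap_prctl_drop continues past the end of the hunk.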
system/core/adb/Android.mk
@@ -351,9 +351,9 @@ LOCAL_CFLAGS := \
-D_GNU_SOURCE \
-Wno-deprecated-declarations \
-LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)
+LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter user userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT)))
LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1
LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=1
endif
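Review bot: Adding `user` to both `$(filter user userdebug eng, ...)` lists makes the filter match every standard build variant, so the `ifneq` is always true and the `$(if ...)` always yields 1 — the conditionals are now dead and would read more honestly as an unconditional `LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=1`, or with the variant list kept in one variable (`adbd_debug_variants := user userdebug eng` — constructed name) so it is not duplicated across the two lines. The widened block also turns on `-DALLOW_ADBD_DISABLE_VERITY=1` for user, which the write-up says 6.0 does not need; if only root and no-auth are wanted, leave that line under the original `userdebug eng` condition.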
system/core/adb/adb_main.cpp
@@ -83,13 +83,15 @@ void adb_set_affinity(void)
#else /* ADB_HOST */
static const char *root_seclabel = NULL;
+
static void drop_capabilities_bounding_set_if_needed() {
#ifdef ALLOW_ADBD_ROOT
- char value[PROPERTY_VALUE_MAX];
+ return;
+ /*char value[PROPERTY_VALUE_MAX];
property_get("ro.debuggable", value, "");
if (strcmp(value, "1") == 0) {
return;
- }
+ }*/
#endif
int i;
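Review bot: The `return;` inserted under `#ifdef ALLOW_ADBD_ROOT` makes `int i;` and the capability-drop loop that follows (outside the hunk) unreachable in that configuration, and the `/* ... */`-commented `ro.debuggable` check behind it is dead text, so a reader cannot tell whether the property check was removed on purpose. If `ro.debuggable` is 1 on this image — plausible given the main.mk change that no longer clears `enable_target_debugging`; confirm — the original check already returned early and this edit is unnecessary. Otherwise keep the function readable: under the ifdef put only `return;  // debug image: adbd keeps its full bounding set` and delete the commented block. drop_capabilities_bounding_set_if_needed continues past the hunk.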
system/sepolicy/Android.mk
@@ -61,7 +61,7 @@ $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
$(sepolicy_policy.conf) : $(call build_policy, $(sepolicy_build_files))
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
- -D target_build_variant=$(TARGET_BUILD_VARIANT) \
+ -D target_build_variant=eng \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
@@ -116,7 +116,7 @@ $(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
$(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
- -D target_build_variant=user \
+ -D target_build_variant=eng \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
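Review bot: Hard-coding `target_build_variant=eng` in both m4 rules hides the override from anyone reading `TARGET_BUILD_VARIANT`, and the second rule was pinned to `user` before this change — presumably deliberately for whatever policy that rule produces, so confirm what it builds before overriding it. Define the value once, e.g. `sepolicy_variant := eng` (constructed name; or `?=` so BoardConfig can set it) and pass `-D target_build_variant=$(sepolicy_variant)` in both rules, so reverting to the real variant is a single line and the two rules cannot drift apart again. The same applies to the `$(sepolicy_policy.conf)` rule in the hunk above this one.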
frameworks/base/cmds/app_process/app_main.cpp
@@ -185,14 +185,14 @@ static const char ZYGOTE_NICE_NAME[] = "zygote";
int main(int argc, char* const argv[])
{
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
+ /*if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
// Older kernels don't understand PR_SET_NO_NEW_PRIVS and return
// EINVAL. Don't die on such kernels.
if (errno != EINVAL) {
LOG_ALWAYS_FATAL("PR_SET_NO_NEW_PRIVS failed: %s", strerror(errno));
return 12;
}
- }
+ }*/
AppRuntime runtime(argv[0], computeArgBlockSize(argc, argv));
// Process command line arguments
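Review bot: Wrapping the `PR_SET_NO_NEW_PRIVS` call in `/* ... */` leaves a dead block, with its own comments nested inside, in `main` and gives no reason for the change; use `#if 0` or a build flag with a one-line comment instead, e.g. `// no_new_privs deliberately not set on this image: app processes forked from zygote must be able to gain privileges through the set-uid su that fs_config.c installs`. Recording that dependency matters because this line and the su/fs_config changes only work together — removing either one later silently breaks the other. `main` continues past the hunk.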
frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
static void DropCapabilitiesBoundingSet(JNIEnv* env) {
- for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
+ //
+ /*for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
if (rc == -1) {
if (errno == EINVAL) {
@@ -237,7 +238,7 @@ static void DropCapabilitiesBoundingSet(JNIEnv* env) {
RuntimeAbort(env);
}
}
- }
+ }*/
}
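Review bot: With its loop commented out, DropCapabilitiesBoundingSet() is an empty function whose `env` parameter is unused, which fails a `-Wunused-parameter -Werror` build; either remove the function and its call site or keep it as a documented no-op, `(void) env;  // bounding set intentionally kept on this debug image`, and delete the commented-out loop. It also overlaps with the commoncap.c hunk that returns -EINVAL for comm == "zygote": once this loop is gone zygote issues no PR_CAPBSET_DROP at all, so the kernel exemption for zygote no longer does anything and one of the two edits can be dropped (this one is the narrower). The middle of the function, between the two hunks, is not shown.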
4、增加 su 相关,确保 apk root 权限
上面修改完后,user 版本的 adb root 就已经 ok了。apk 获取 root 权限,需要内置 su 文件,
一般都搭配 SuperSU 来进行权限管理,也就是我们常见的那个弹框,上文的图中可见。
6.0 中不需要额外增加 init.rc 自启动脚本来启动 su daemon 进程,通过 SuperSU2.7
常规方式更新 su 二进制文件重启就自动启动 su daemon 进程了。
ps -ef 在 6.0 看不到系统进程
拷贝 su 文件到 system/bin 和 system/xbin 目录下
device/eastaeon/aeon6737t_66_m0/device.mk
@@ -19,6 +19,11 @@ PRODUCT_COPY_FILES += $(LOCAL_PATH)/sbk-kpd.kl:system/usr/keylayout/sbk-kpd.kl:m
$(LOCAL_PATH)/sbk-kpd.kcm:system/usr/keychars/sbk-kpd.kcm:mtk
endif
+PRODUCT_COPY_FILES += \
+ system/extras/su/su:system/bin/su \
+ system/extras/su/su:system/xbin/su
+
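Review bot: Installing a prebuilt `system/extras/su/su` via `PRODUCT_COPY_FILES` while `su.c` in the same directory is also patched in this series leaves it unclear which su binary ends up on the image and where the prebuilt came from. Prefer building from source — `PRODUCT_PACKAGES += su`, assuming `system/extras/su/Android.mk` still defines the `su` module — or, if the prebuilt is intentional, record its origin and checksum next to the entry (`# su prebuilt from <source>, sha256 <checksum placeholder>`). Installing two copies (`system/bin` and `system/xbin`) also doubles what fs_config.c has to keep consistent; one location is enough.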
给 su 文件增加权限
system/core/libcutils/fs_config.c
@@ -124,7 +124,8 @@ static const struct fs_path_config android_files[] = {
/* the following five files are INTENTIONALLY set-uid, but they
* are NOT included on user builds. */
- { 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
+ //{ 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
+ { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/su" },
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/librank" },
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procrank" },
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },
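Review bot: The new entry changes more than the owner: `06755 root:root` versus the old `04750 root:shell` adds set-gid and world-execute and drops the group restriction, so any uid can execute the binary; if that widening is intended it should be stated in the comment, since the one above (`NOT included on user builds`) is now wrong for this file. Only `system/xbin/su` is listed — the `system/bin/su` copy that device.mk also installs gets whatever the generic `system/bin/*` rule gives it (presumably 0755 without set-uid), so the two copies will not carry the same bits; add a matching entry or install a single copy. Delete the commented-out old line rather than keeping it.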
去除 su.c 中的 uid 检查
system/extras/su/su.c
@@ -81,8 +81,8 @@ void extract_uidgids(const char* uidgids, uid_t* uid, gid_t* gid, gid_t* gids, i
}
int main(int argc, char** argv) {
- uid_t current_uid = getuid();
- if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
+ //uid_t current_uid = getuid();
+ //if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
// Handle -h and --help.
++argv;
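Review bot: With the uid gate removed, `main` accepts any caller, and the only remaining controls are the file mode from fs_config.c and whatever the SuperSU daemon later installs over this binary; neither is visible here. Replace the two commented-out lines with a comment that records that, e.g. `// No caller-uid check on this image: access is governed by the fs_config.c mode bits and by the SuperSU binary that replaces this one on first update.` Since the write-up says the binary is replaced by SuperSU anyway, consider whether this source change is needed at all, because as shipped it grants root to every uid on a device where SuperSU was never installed. `main` continues past the hunk.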
好了,终于大功告成,一时 root 一时爽,一直 root 一直爽。
参考文章
SEAndroid
ANDROID权限说明 SYSTEM权限 ROOT权限
Android编译版本eng、user和userdebug的区别
Android模拟器获取Root权限
Android 6.0 如何默认打开user版本的root权限
Android 修改源码使app获取root权限