1 Introduction to Frida and Google Pixel
1.1 Why Frida
Frida is a hook framework built on Python and JavaScript that runs on Android, iOS, Linux, Windows and other platforms, and its core technique is dynamic binary instrumentation. It offers a simple Python interface and a feature-rich JavaScript interface, which makes hooking and modifying functions fully programmable: with Frida you can obtain process information (module list, thread list, functions exported by a library), intercept specified functions, call specified functions and inject code, so you can examine a process's modules with surgical precision.
In short, it is an essential tool to carry for Android APK reverse engineering and debugging, whether at home or on the road.
1.2 Why Google Pixel
When choosing a phone, Google's own lines, the Nexus and Pixel series, should be the first choice. I happened to have a Pixel and a Pixel 3 on hand, so I rooted both of them directly. If you are interested, you can pick one up for a few hundred dollars. Rooting the Pixel 3 is relatively simple and took me only 20 minutes, but the Pixel took me a whole day, with countless pitfalls along the way, before I finally succeeded.
2 Google Pixel Root
2.1 Environmental preparation
Besides the Google Pixel phone itself, you need a computer running either Windows or Ubuntu (preferably in a virtual machine) with the adb environment installed and configured.
2.2 Unlock the phone
2.2.1 OEM unlock
- On the phone, go to Settings → System → About phone → Build number and tap Build number five times in quick succession to unlock Developer options; this puts the phone in developer mode. Then go to Settings → System → Developer options and enable USB debugging.
- Tap OEM unlocking to enable it.
2.2.2 Enter bootloader mode
- Connect the phone to the computer with a data cable. With the phone powered off, press and hold the power button and the volume-down button at the same time. Alternatively, with the phone booted, run
fastboot flashing unlock
- If that does not work, try the other commands
fastboot oem unlock
fastboot flashing unlock_critical
PS: If OEM unlocking succeeds, the phone will display "Device is unlocked".
During flashing, people often find that the flash fails and the phone looks bricked. As long as the phone can still enter bootloader mode, there is no need to worry: try a few different image versions, push them to the phone's storage with adb push, and one of them will install. In my case flashing Android 8 failed, dropping to 7 or going up to 9 did not help either, and switching to Android 8.1 finally succeeded.
2.3 Mobile phone flashing
2.3.1 Download Google Native System
Go to Google's official factory image website, which may need a VPN to open. The page has operation guides in the middle and a list of phone models on the right. Here we choose the Pixel model sailfish and the Android 8.1 system image. Some image versions distinguish a European from an American variant; look at the back of the phone: G-2PW4100 is the US version and 4200 is the European version. You can see that Android 7 through Android 9 are supported.
2.3.2 Enter bootloader state
First put the phone into the bootloader state by running the command
adb reboot bootloader
Or do it manually, as follows:
- Disconnect the USB cable and make sure the phone has at least 70% battery;
- Power the phone off completely;
- Press and hold the volume-down button and the power button at the same time;
- The phone enters the BootLoader state.
2.3.3 Flash the official native Android 8.1 system
Connect the phone to the computer with a USB cable, run the script, and flash the system onto the phone:
- Unzip the system image
- Enter the unzipped directory and run
./flash-all.sh
(Mac/Linux) or
./flash-all.bat
(Windows)
- Make a cup of coffee and let it run for a while
When flashing completes, the phone restarts automatically and boots into the system once the restart finishes.
Remember to enable USB debugging again.
2.4 TWRP and Magisk download
2.4.1 Download TWRP
You only need to download the TWRP image for the Pixel sailfish model and flash it. I chose version 3.2.3. Note that the img version and the zip version should correspond. What we downloaded is the twrp-3.2.3-0-sailfish.img image file:
twrp-3.2.3-1-sailfish.img
twrp-pixel-installer-sailfish-3.2.3-0.zip
2.4.2 Download Magisk
Magisk is a fully open-source root tool developed by topjohnwu of Taiwan Province of China. Its GitHub project page is here, and everyone can download the release versions from it.
I still prudently chose a moderate version:
Magisk-v17.3.zip
2.4.3 Pushing files
Copy Magisk-v17.3.zip and twrp-pixel-installer-sailfish-3.2.3-0.zip to the phone's /sdcard/ directory.
2.5 The main course: rooting begins
2.5.1 Entering temporary TWRP mode
- Put the phone into bootloader mode
- Use the command
fastboot boot twrp-3.2.3-0-sailfish.img
to load the image.
2.5.2 Installing TWRP
- On the home page of the temporary TWRP mode, select Install
- Go to the /sdcard/ directory and tap twrp-pixel-installer-sailfish-3.2.3-0.zip to install it
- After installation, tap the button at the top to return to the home page and continue installing
Do not choose Reboot.
2.5.3 Install Magisk
- After installing TWRP, tap the top to return to the home page and select Install
- Go to the /sdcard/ directory and tap Magisk-v17.3.zip to install it
- After installation, reboot into the system
- If asked to choose slot A or slot B, choose according to the current slot
Once installed, do not select the two default options TWRP offers for installing itself.
3 You're done
3.1 Successful boot
- If the phone now boots normally and the Magisk app is installed
- Turn on USB debugging on the phone, run the two commands adb shell and su on the computer, approve adb's request for root privileges on the phone, and you are done.
On the phone, go to Settings → System → About phone → Build number, tap Build number five times to reveal Developer options, then go to Settings → System → Developer options and enable USB debugging. Then connect the phone to the computer over USB and connect with the adb command. An authorization prompt appears on the phone; tap to accept the computer's fingerprint so it can connect.
$ adb shell
sailfish:/ $
sailfish:/ $
sailfish:/ $ whoami
shell
sailfish:/ $
At this point you have shell permissions; switch to the root user:
sailfish:/ $ su -
At this point a Magisk superuser request appears on the phone; tap Allow so that com.android.shell obtains root permission.
After tapping Allow, the su - command returns; run the whoami command and you can see that you are already root.
sailfish:/ #
sailfish:/ # whoami
root
sailfish:/ #
Now you can use root permissions to get things done.
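As an added example that is not part of the original article, here are a few POSIX shell helpers that check each stage of the walkthrough above: that exactly one authorized device is attached, that the bootloader reports itself unlocked, which slot is current, that a pushed zip arrived intact, and that su really yields root. Every function reads the tool's output from stdin so it can be exercised offline; the live usage lines in the header comment and the function names are my own, and any serials or sums used to try them are constructed.

```shell
#!/bin/sh
# Sanity checks for the stages of the walkthrough above. Each function reads the
# tool output from stdin, so it can be tested offline; live usage looks like:
#   adb devices | adb_single_serial
#   fastboot getvar unlocked 2>&1 | bootloader_is_unlocked   # fastboot prints getvar on stderr
#   fastboot getvar current-slot 2>&1 | current_slot
#   adb shell sha256sum /sdcard/Magisk-v17.3.zip | push_matches Magisk-v17.3.zip
#   adb shell su -c id | shell_is_root

# Print the serial of the single authorized device; fail on 0 or more than 1.
# "unauthorized" and "offline" entries are skipped: accept the USB-debugging
# prompt on the phone first.
adb_single_serial() {
    serials=$(awk 'NR > 1 && $2 == "device" { print $1 }')
    count=$(printf '%s\n' "$serials" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$serials"
}

# An OEM-unlocked phone answers "unlocked: yes" to "fastboot getvar unlocked".
bootloader_is_unlocked() {
    grep -q '^unlocked: *yes'
}

# Print "a" or "b" from "fastboot getvar current-slot"; Magisk must go into the
# slot that actually boots, which is what the TWRP prompt in 2.5.3 asks about.
current_slot() {
    sed -n 's/^current-slot: *\([ab]\).*/\1/p' | head -n 1 | grep .
}

# Compare the local SHA-256 of a file with the "sha256sum" line the phone
# printed for the pushed copy, to catch a truncated or wrong adb push.
push_matches() {
    local_sum=$(sha256sum "$1" | cut -d' ' -f1)
    remote_sum=$(cut -d' ' -f1)
    [ -n "$remote_sum" ] && [ "$local_sum" = "$remote_sum" ]
}

# After Magisk grants the request, "adb shell su -c id" reports uid 0.
shell_is_root() {
    grep -q '^uid=0(root)'
}
```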
3.2 Infinite restart
- I have run into this situation many times, and once thought the phone had become a brick. Fortunately, I was very patient.
- Select another factory image and repeat the steps above: flash the phone again, flash TWRP, install Magisk, repeat
- until it succeeds
PS. A closing note: rooting the Pixel 3 succeeded in 10 minutes on the first attempt, while rooting the Pixel took most of a day, but the hard work paid off and in the end a brick was saved.