Frida Learning Journey (1) -- Rooting a Google Pixel Phone

1 Introduction to Frida and Google Pixel

1.1 Why Frida

Frida is a dynamic instrumentation toolkit with Python bindings and a JavaScript API. It runs on Android, iOS, Linux, Windows and other platforms and works by dynamic binary instrumentation: a JavaScript engine is injected into the target process, the Python side drives sessions and loads scripts, and the JavaScript side does the actual work inside the process. From there you can enumerate process information (module list, thread list, exported functions of a library), intercept (hook) chosen functions, call functions inside the process and inject new code, so hooking and patching become fully programmable and a process can be dissected with surgical precision.
In short, it is an indispensable tool for Android APK reverse engineering and dynamic debugging.

1.2 Why Google Pixel

For the phone, the first choice is Google's own devices, the Nexus and Pixel series. I happened to have a Pixel and a Pixel 3 on hand, so I rooted both directly. If you are interested, you can pick one up for a few hundred. Rooting the Pixel 3 was straightforward and took me only about 20 minutes; the original Pixel took me a whole day, with countless pitfalls along the way, before the root finally succeeded.

2 Google Pixel Root

2.1 Environment preparation

Besides the Google Pixel itself, you need a computer running Windows or Ubuntu (preferably in a virtual machine) with adb and fastboot (the Android platform tools) installed and on the PATH.

2.2 Unlock the phone

2.2.1 OEM unlock

  • On the phone, go to Settings → System → About phone → Build number and tap Build number seven times in quick succession; this enables Developer options. Then go to Settings → System → Developer options and turn on USB debugging.
  • In the same Developer options screen, turn on OEM unlocking.

2.2.2 Enter bootloader mode and unlock

  • Connect the phone to the computer with a USB cable. Power the phone off, then hold the power button and the volume down button together until the bootloader screen appears (alternatively, reboot into the bootloader from adb as described in 2.3.2 below). Then unlock the bootloader with

    fastboot flashing unlock

  • If that command is rejected, try the older form, or the variant that also unlocks the critical partitions

    fastboot oem unlock

    fastboot flashing unlock_critical

Confirm the unlock on the phone with the volume and power keys. Unlocking performs a factory reset, and from this point on Android Verified Boot no longer protects the device against offline modification, so treat the phone as a test device and keep no personal data on it.

PS: If the OEM unlock succeeds, the bootloader screen shows Device is unlocked.

During flashing, people often find that the flash fails and the phone seems to have turned into a brick. As long as the phone can still enter bootloader mode there is no need to panic: try a few different image versions and transfer them to the phone's storage with adb push; eventually an installation succeeds. In my case flashing Android 8 failed, dropping down to 7 or going up to 9 did not help either, and switching to Android 8.1 finally worked.

2.3 Flashing the phone

2.3.1 Download Google's factory image

Go to Google's official factory images site (developers.google.com/android/images); from mainland China it may need a VPN to open. The page has instructions in the middle and a list of device models on the right. Here we choose Pixel, codename sailfish, and the Android 8.1 image. Some releases are split into a European and a US build; check the label on the back of the phone: G-2PW4100 is the US model and G-2PW4200 is the European model. At the time, images from Android 7 through Android 9 were listed for this device. Each download has a SHA-256 checksum next to it; verify the archive against it before flashing, since a corrupt or tampered image is one of the easier ways to end up with a brick.

2.3.2 Enter bootloader mode

First put the phone into bootloader mode by running

adb reboot bootloader

or manually:

  1. Disconnect the USB cable and make sure the battery is above 70%;
  2. Power the phone off completely;
  3. Hold the volume down button and the power button together;
  4. The phone enters bootloader mode.

2.3.3 Flash the official factory image (Android 8.1)

Connect the phone to the computer with the USB cable, then run the flash script to write the system to the phone:

  1. Unzip the factory image archive.
  2. In the extracted directory run ./flash-all.sh (macOS/Linux) or flash-all.bat (Windows). The script flashes with the wipe option, so all user data on the phone is erased.
  3. Make a cup of coffee and let it run for a while.

When flashing finishes the phone reboots on its own and, once the reboot completes, boots into the freshly flashed system.

Because the wipe reset the developer settings, remember to turn USB debugging back on.
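The following script ties the unlock state from 2.2 and the image download from 2.3 together as a pre-flight check to run from the bootloader before flash-all.sh. It is an added example, not code from the original post. It assumes fastboot and sha256sum are on the PATH, that exactly one phone is attached in bootloader mode, and that the expected checksum is the SHA-256 published next to the image on Google's factory images page; the device codename defaults to sailfish.

```shell
#!/bin/sh
# Pre-flight checks before running flash-all.sh on a Pixel.
# Added example, not the original post's code. Assumes fastboot and
# sha256sum on PATH and the phone in bootloader mode; the expected
# checksum is the SHA-256 shown on Google's factory images page.

# Extract one variable from `fastboot getvar <name>` output. fastboot
# prints "<name>: <value>" on stderr followed by a "Finished." line,
# so callers capture it with 2>&1. Usage: fb_var <name> "<raw output>"
fb_var() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1 | tr -d '\r'
}

# Compare a file's SHA-256 with the published checksum; returns 0 on match.
# A mismatch means a corrupt or tampered download: do not flash it.
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# fastboot update refuses an image whose android-info.txt names a different
# product, but fail early and loudly: the codename must match the image we
# downloaded and the bootloader must already be unlocked (2.2).
# Usage: safe_to_flash <codename> "<getvar product>" "<getvar unlocked>"
safe_to_flash() {
    [ "$(fb_var product "$2")" = "$1" ] && [ "$(fb_var unlocked "$3")" = "yes" ]
}

# Usage: preflight <factory-image.zip> <sha256> [codename]
preflight() {
    image_zip=$1
    expected_sha=$2
    codename=${3:-sailfish}

    if ! verify_sha256 "$image_zip" "$expected_sha"; then
        echo "SHA-256 mismatch for $image_zip; re-download before flashing" >&2
        return 1
    fi

    raw_product=$(fastboot getvar product 2>&1)
    raw_unlocked=$(fastboot getvar unlocked 2>&1)
    raw_slot=$(fastboot getvar current-slot 2>&1)

    if ! safe_to_flash "$codename" "$raw_product" "$raw_unlocked"; then
        echo "device is '$(fb_var product "$raw_product")', unlocked='$(fb_var unlocked "$raw_unlocked")'; expected $codename with unlocked=yes" >&2
        return 1
    fi
    # The active slot is worth noting now: TWRP asks for it when installing Magisk (2.5.3).
    echo "ok: $codename unlocked, active slot '$(fb_var current-slot "$raw_slot")', image checksum verified"
}

if [ $# -ge 2 ]; then
    preflight "$@"
fi
```

Run it as `sh preflight.sh <factory-image.zip> <sha256-from-download-page>` while the phone sits in bootloader mode; only when it prints `ok` is it worth unzipping the archive and starting flash-all.sh.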

2.4 Download TWRP and Magisk

2.4.1 Download TWRP

Download the TWRP build for the Pixel model sailfish; the author chose version 3.2.3. You need both the .img (booted once from fastboot) and the installer .zip (flashed from inside TWRP), and the two versions should match. The image used in the commands below is twrp-3.2.3-0-sailfish.img. The files downloaded here:

twrp-3.2.3-1-sailfish.img

twrp-pixel-installer-sailfish-3.2.3-0.zip

2.4.2 Download Magisk

Magisk is a fully open-source root solution developed by topjohnwu (Taiwan). Its GitHub project page is topjohnwu/Magisk; download a release build from there.

The author conservatively chose a middle-of-the-road release: Magisk-v17.3.zip

2.4.3 Push the files

Copy Magisk-v17.3.zip and twrp-pixel-installer-sailfish-3.2.3-0.zip to the phone's /sdcard/ directory (for example with adb push).

2.5 Rooting

2.5.1 Boot TWRP temporarily

  1. Put the phone into bootloader mode again.
  2. Run fastboot boot twrp-3.2.3-0-sailfish.img. This boots the recovery image once from RAM without writing it to the device; the persistent install happens in the next step.

2.5.2 Install TWRP

  1. On the home screen of the temporarily booted TWRP, select Install.
  2. Browse to /sdcard/, select twrp-pixel-installer-sailfish-3.2.3-0.zip and install it.
  3. When it finishes, use the button at the top to return to the home screen and continue with the next installation.

Do not choose reboot at this point.

2.5.3 Install Magisk

  1. After installing TWRP, return to the home screen via the top button and select Install.
  2. Browse to /sdcard/, select Magisk-v17.3.zip and install it.
  3. When it finishes, reboot to system.
  4. If asked to choose slot A or slot B, pick the slot that is currently active (the Pixel is an A/B device).

On the reboot screen, do not accept the two TWRP app installation options that TWRP ticks by default.

3 Done

3.1 Successful boot

  1. If the phone now boots normally and the Magisk app is installed, the root has worked.
  2. With USB debugging enabled, run adb shell and then su on the computer, approve adb's request for root on the phone, and you are done.

If Developer options were reset, enable them again: Settings → System → About phone → Build number, tap Build number seven times, then Settings → System → Developer options → USB debugging. Connect the USB cable and connect with adb; the phone shows an authorization prompt with the computer's key fingerprint; tap Allow.

$ adb shell
sailfish:/ $
sailfish:/ $
sailfish:/ $ whoami
shell
sailfish:/ $

At this point we only have the shell user's permissions; switch to root:

sailfish:/ $ su -

Magisk now shows a superuser request on the phone; tap Allow for com.android.shell to grant it root.

After Allow, the su - command returns with a root prompt, and whoami now reports root.

sailfish:/ #
sailfish:/ # whoami
root
sailfish:/ #

Root can now be used for the next steps.
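To check the result of 3.1 without squinting at prompts, here is a small script that confirms the effective uid before and after su and reads the verified-boot state the bootloader reported. It is an added example, not the original post's code; it assumes adb is on the PATH, that one phone is attached with USB debugging authorized, and that the Magisk superuser prompt for com.android.shell has already been approved once (otherwise the su call blocks until the prompt is answered).

```shell
#!/bin/sh
# Post-root checks over adb. Added example, not the original post's code.
# Assumes: adb on PATH, a single authorized device, and that the Magisk
# superuser prompt for com.android.shell has already been approved.

# Pull the numeric uid out of a line printed by `id`, e.g.
# "uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0" -> 0
uid_from_id() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9]\{1,\}\)(.*/\1/p'
}

# True only when the id line describes uid 0.
is_root() {
    [ "$(uid_from_id "$1")" = "0" ]
}

# Meaning of ro.boot.verifiedbootstate as set by the bootloader (Android
# Verified Boot). A Pixel unlocked as in 2.2 reports "orange".
boot_state_label() {
    case "$1" in
        green)  echo "locked, factory boot chain" ;;
        yellow) echo "locked, custom signing key" ;;
        orange) echo "bootloader unlocked (expected after this guide)" ;;
        red)    echo "boot image failed verification" ;;
        *)      echo "unknown: $1" ;;
    esac
}

# Talk to the phone. Older adb builds emit CRLF line endings, so strip the CR.
verify_root() {
    plain=$(adb shell id | tr -d '\r')
    elevated=$(adb shell su -c id | tr -d '\r')
    vb=$(adb shell getprop ro.boot.verifiedbootstate | tr -d '\r')

    echo "adb shell runs as uid $(uid_from_id "$plain")"
    echo "verified boot state: $vb ($(boot_state_label "$vb"))"
    if is_root "$elevated"; then
        echo "su works: uid 0 obtained via Magisk"
    else
        echo "su did NOT give uid 0; check the Magisk prompt on the phone" >&2
        return 1
    fi
}

if [ "${1:-}" = "run" ]; then
    verify_root
fi
```

Run it with `sh verify_root.sh run` after the phone has booted into the flashed system. The plain `adb shell id` should report uid 2000 (shell) and the elevated one uid 0; if the verified-boot state is anything other than orange on a device you just unlocked, the bootloader did not end up in the state this guide expects.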

3.2 Boot loop

  1. I ran into this several times and once thought the phone had become a brick. Fortunately I was patient.
  2. Pick another factory image and repeat the steps above: flash the factory image, boot TWRP, install TWRP, install Magisk.
  3. Repeat until it succeeds.

PS. Written at the end: rooting the Pixel 3 succeeded on the first try in about 10 minutes; rooting the Pixel took most of a day, but the effort paid off and a brick was saved.


Origin blog.csdn.net/BrickLoveStudy/article/details/123939810