- Do you often see game assistants claiming to have an exclusive kernel driver that supports all models and bypasses game detection?
- This article walks you through compiling your own Android kernel driver from zero.
- By the end you will have gone from a junior game-assistant developer to a so-called exclusive kernel author.
- This article only covers passing game detection and related topics; it does not cover writing the assistant itself. If you are interested in that, see my previous article.
How to read this article:
Make sure you have strong hands-on skills and a strong interest in game-assistant development.
If you only want to get the job done, go directly to the kernel compilation section.
The pre-knowledge section is like the appendix of a dictionary: come back and look things up when you need them. As the saying goes, know what it is and know why it is.
Pre-knowledge
What is a kernel driver
For a driver, the three most important files are:
- the source code
- Kconfig
- Makefile
As long as these three files exist, the Linux kernel's build scripts can compile our driver into the kernel.
There are two ways to compile a kernel module:
- built into the kernel;
- compiled as a standalone driver module.
First, open the Makefile in the rwProcMem module.
This is what the file means (comments translated):
# Module name
MODULE_NAME := rwProcMem37
# Kernel object files that make up the module
RESMAN_CORE_OBJS:=sys.o
# Glue object files (none)
RESMAN_GLUE_OBJS:=
# KERNELRELEASE is set when we are already inside the kernel (kbuild) build
ifneq ($(KERNELRELEASE),)
# Object files to link into the module
$(MODULE_NAME)-objs:=$(RESMAN_GLUE_OBJS) $(RESMAN_CORE_OBJS)
# Declare the object to be built as a loadable module
obj-m := rwProcMem37.o
else
# Not inside the kernel build: point KDIR at the kernel output directory
KDIR := /cepheus-q-oss/out
# Re-enter the kernel build system and build only this module (recipes are tab-indented)
all:
	make -C $(KDIR) M=$(PWD) ARCH=arm64 SUBARCH=arm64 modules
# Remove generated files
clean:
	rm -f *.ko *.o *.mod.o *.mod.c *.symvers *.order
endif
This is in fact a fixed pattern. It means the module is built by entering the rwProcMem37 directory and compiling only this driver module against the kernel tree in KDIR.
Android kernel boot
Android differs from the usual embedded Linux firmware layout (bootloader + kernel + rootfs): it packs the kernel, the ramdisk (rootfs) and the second stage (dtb, kernel.logd, etc.) into a single boot.img file.
Any operation on the kernel therefore requires the boot.img file.
The following describes how to obtain the boot.img file for common models.
Get the boot.img file
First, download the complete firmware package for the current version of your model. Either a fastboot (line-flash) package or a recovery (card-flash) package will do.
Take the Mi 12 Pro as an example.
In the upper right corner you can see the words "Download the latest full package".
Download the latest full package and transfer it to your computer.
Next we use the tool payload_dumper.exe to unpack it.
[Download URL][https://shuj.lanzoue.com/i79XB0s5bf0f]
Create a new folder and put the unpacking tool in it.
Create two more folders inside it and name them payload_input and payload_output.
The final folder structure is shown in the figure.
Unzip the full package you just downloaded with the archive tool that comes with your computer.
Find the payload.bin file and put it in the payload_input folder.
Then run the unpacking tool; you will find the extracted boot.img in the payload_output folder.
Adapt your pure C project to the kernel detection-bypass technique
The rwProcMem33 project provides a complete memory read/write implementation. The excerpt below is from its test program (comments translated; rwDriver is the project's driver wrapper, already connected, pid is the target process id, and szBuf/pBuf are a test buffer in the target process and its address):
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

// Driver: open the target process and get a handle
uint64_t hProcess = rwDriver.OpenProcess(pid);
printf("调用驱动 OpenProcess 返回值:%" PRIu64 "\n", hProcess);
if (!hProcess) {
    printf("调用驱动 OpenProcess 失败\n");
    fflush(stdout);
    return 0;
}
// Driver: read process memory
char readBuf[1024] = { 0 };
size_t real_read = 0;
// For single-threaded reads, the fast variant ReadProcessMemory_Fast can be used instead
BOOL read_res = rwDriver.ReadProcessMemory(hProcess, (uint64_t)pBuf, &readBuf, sizeof(readBuf), &real_read, FALSE);
printf("调用驱动 ReadProcessMemory 读取内存地址:%p,返回值:%d,读取到的内容:%s,实际读取大小:%zu\n", pBuf, read_res, readBuf, real_read);
// Driver: write process memory
memset(readBuf, 0, sizeof(readBuf));
snprintf(readBuf, sizeof(readBuf), "%s", "写入456");
size_t real_write = 0;
// For single-threaded writes, the fast variant WriteProcessMemory_Fast can be used instead
BOOL write_res = rwDriver.WriteProcessMemory(hProcess, (uint64_t)pBuf, &readBuf, sizeof(readBuf), &real_write, FALSE);
printf("调用驱动 WriteProcessMemory 写入内存地址:%p,返回值:%d,写入的内容:%s,实际写入大小:%zu\n", pBuf, write_res, readBuf, real_write);
printf("当前缓冲区内容 :%s,当前缓冲区的内存地址:%p\n", szBuf, pBuf);
Just replace the memory read/write module of your pure C program with this; nothing else needs to change.
Then recompile the pure C program.
Compile pure C on the Windows side
1. Download the NDK
NDK download
- When downloading, make sure to distinguish between the 32-bit and 64-bit versions.
- Unzip it directly after the download completes.
- If you need the latest NDK version, you may have to download it from Google's official website.
- If you want to compile pure C, do not download the latest NDK: recent NDK versions have dropped gcc support. Download android-ndk-r17c.
2. Environment variables
Environment variable setting: add the NDK path to PATH.
3. Check that the NDK runs correctly
If you have confirmed that the environment variable path is correct but the command line still does not recognize the ndk-build command, try restarting the computer or the command line.
4. Compile pure C
Open a cmd command line in the testko directory and enter
ndk-build
The successfully compiled pure C binaries can be found in the libs directory.
Download the corresponding version of the kernel source code
First download the adb tool. If you are not comfortable with English, you can install a desktop phone-assistant program to bring up adb. Then connect your phone and run
adb shell cat /proc/version
to check the kernel version number of your phone.
As shown below
The kernel version number of my phone is Linux version 4.14.180-perf-g11d81629da33
Then go to https://source.android.com/setup/build/building-kernels to look up your source code branch
and download the source code:
repo init -u https://android.googlesource.com/kernel/manifest -b android-msm-coral-4.14-android12
repo sync
It will be used in later steps.
Compile the kernel driver module
Environment configuration
An Ubuntu virtual machine or a cloud host is recommended.
If any command below reports an error, resolve it yourself; whatever method you use, all that matters is reaching the state described before the command.
- Change the software source to the Aliyun mirror
sudo cp /etc/apt/sources.list /etc/apt/sources.list_backup
sudo gedit /etc/apt/sources.list
# Aliyun mirror
deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install build-essential
- Install git, curl and python
## install git
sudo apt-get install git
git config --global user.email "[email protected]"
git config --global user.name "xxx"
## install curl and the repo tool
sudo apt-get install curl
mkdir ~/bin
PATH=~/bin:$PATH
curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
chmod a+x ~/bin/repo
## install python
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt install python3.9
sudo ln -s /usr/bin/python3 /usr/bin/python
- Enlarge the swap area
sudo swapoff /swapfile
sudo rm /swapfile
# Create a 32 GB swap area to keep the build from failing for lack of memory
sudo dd if=/dev/zero of=/swapfile bs=1GB count=32
sudo chmod 600 /swapfile
sudo mkswap -f /swapfile
sudo swapon /swapfile
Compile the source code
From here on we operate on the phone's kernel. Be sure to follow the instructions step by step; otherwise there is a risk of bricking the device.
Use android-image-kitchen to unpack boot.img
[Download link][https://forum.xda-developers.com/attachments/android-image-kitchen-v3-8-win32-zip.5300919/]
Put boot.img in its folder and run unpackimg.bat to obtain the command line parameters.
Note: the folder path must not contain Chinese characters.
The command line parameters obtained are as follows.
Do not close the command line; the parameters obtained will be needed later.
Under the split_img folder you will also find a file called boot.img-ramdisk.cpio.gz, as shown below.
Decompress this file and put the resulting boot.img-ramdisk.cpio into the downloaded kernel source tree. If you still do not know how to download the kernel source for your model, refer to the source code download section in the pre-knowledge.
Add some extras to the source code
Download [mkbootimg.py][http://aospxref.com/android-11.0.0_r21/xref/system/tools/mkbootimg/mkbootimg.py]
to the root directory of the source tree.
Modify build/build.sh and add the following before echo "Files copied to ${DIST_DIR}":
if [ -f "${VENDOR_RAMDISK_BINARY}" ]; then
    cp ${VENDOR_RAMDISK_BINARY} ${DIST_DIR}
fi
Download the kernel driver source code
Most of the kernel projects on the market use the rwProcMem33 source code.
obj-m += rwProcMem.o
Add a line to the Makefile in the drivers directory:
obj-m += rwProcMem/
Modify ver_control.h and enable the pagemap macro definition:
just uncomment the second macro in ver_control.h.
Start compiling
Replace the parameters below with the values obtained when unpacking with android-image-kitchen.
BUILD_CONFIG=private/msm-google/build.config.floral \
BUILD_BOOT_IMG=1 MKBOOTIMG_PATH=mkbootimg.py \
VENDOR_RAMDISK_BINARY=boot.img-ramdisk.cpio KERNEL_BINARY=Image.lz4 \
BOOT_IMAGE_HEADER_VERSION=2 \
KERNEL_CMDLINE="console=ttyMSM0,115200n8 androidboot.console=ttyMSM0 printk.devkmsg=on msm_rtb.filter=0x237 ehci-hcd.park=3 service_locator.enable=1 androidboot.memcg=1 cgroup.memory=nokmem usbcore.autosuspend=7 androidboot.usbcontroller=a600000.dwc3 swiotlb=2048 androidboot.boot_devices=soc/1d84000.ufshc loop.max_part=7 buildvariant=user" \
BASE_ADDRESS=0x00000000 PAGE_SIZE=4096 \
build/build.sh
After the build completes, the output folder is produced.
The boot.img in that folder is the new kernel with the memory read/write driver embedded.
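Before flashing, confirm that the rebuilt boot.img still carries the same header version, page size, load addresses and cmdline as the stock image (the values passed to build.sh above) and is not truncated. The following parser is an added example, not code from this page or from rwProcMem33: it reads the Android boot image header (versions 0 to 2, as laid out in mkbootimg.py), derives the page-aligned size the header implies, and lists bootloader-relevant fields that differ between two images. make_sample_image builds a constructed sample so it runs offline.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# Fixed prefix shared by boot image header versions 0-2 (1632 bytes, little-endian).
_FIXED = "<8s10I16s512s32s1024s"
_FIELDS = ("magic", "kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
           "second_size", "second_addr", "tags_addr", "page_size", "header_version",
           "os_version", "name", "cmdline", "id", "extra_cmdline")

def parse_boot_header(img):
    """Return the header fields of a boot.img (header version 0, 1 or 2) as a dict."""
    if not img.startswith(BOOT_MAGIC) or len(img) < struct.calcsize(_FIXED):
        raise ValueError("not an Android boot image")
    hdr = dict(zip(_FIELDS, struct.unpack_from(_FIXED, img, 0)))
    off = struct.calcsize(_FIXED)
    if hdr["header_version"] >= 1:  # v1 appends recovery DTBO fields and header_size
        hdr["recovery_dtbo_size"], hdr["recovery_dtbo_offset"], hdr["header_size"] = \
            struct.unpack_from("<IQI", img, off)
        off += 16
    if hdr["header_version"] >= 2:  # v2 appends the DTB size and load address
        hdr["dtb_size"], hdr["dtb_addr"] = struct.unpack_from("<IQ", img, off)
    for key in ("name", "cmdline"):  # NUL-padded; cmdline is what KERNEL_CMDLINE must reproduce
        hdr[key] = hdr[key].split(b"\0", 1)[0].decode()
    return hdr

def expected_image_size(hdr):
    """Page-aligned size implied by the header; a truncated image will be smaller."""
    page = hdr["page_size"]
    pages = lambda n: (n + page - 1) // page
    sections = ("kernel_size", "ramdisk_size", "second_size", "recovery_dtbo_size", "dtb_size")
    return page * (1 + sum(pages(hdr.get(k, 0)) for k in sections))

def header_diff(stock, rebuilt):
    """Bootloader-relevant fields that differ between the stock and the rebuilt image."""
    keys = ("header_version", "page_size", "kernel_addr", "ramdisk_addr",
            "second_addr", "tags_addr", "cmdline")
    return [k for k in keys if stock[k] != rebuilt[k]]

def make_sample_image(kernel_size, ramdisk_size, page_size=4096,
                      cmdline=b"console=ttyMSM0,115200n8 buildvariant=user"):
    """Constructed v2 image (not a real device image); addresses assume base 0 as in the build command."""
    hdr = struct.pack(_FIXED, BOOT_MAGIC, kernel_size, 0x00008000, ramdisk_size, 0x01000000,
                      0, 0x00f00000, 0x00000100, page_size, 2, 0, b"", cmdline, b"", b"")
    hdr += struct.pack("<IQI", 0, 0, 1660) + struct.pack("<IQ", 0, 0x01f00000)
    img = hdr.ljust(page_size, b"\0")
    for size, fill in ((kernel_size, b"K"), (ramdisk_size, b"R")):  # page-padded payloads
        img += (fill * size).ljust(-(-size // page_size) * page_size, b"\0")
    return img
```

Run header_diff on the stock boot.img from payload_output and the rebuilt one; an empty list and a file length of at least expected_image_size are the minimum to check before flashing.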
Flash the kernel
Use the command
fastboot flash boot boot.img
to flash it in. Together with the pure C read/write modification from the pre-knowledge section, most games can now be run without triggering detection.
If you have read this far, I believe you have successfully compiled your own kernel.
For problems with kernel compilation, you can write to my mailbox [email protected] describing the problem you ran into, with a screenshot attached; I will reply as soon as I see it.