KernelSU: a kernel-based ROOT solution

About a year ago, in my article on the past, present and future of ROOT on Android (https://mp.weixin.qq.com/s?__biz=MjM5Njg5ODU2NA==&mid=2257499009&idx=1&sn=3cfce1ea7deb6e0e4f2ac170cffd7cc1&scene=21#wechat_redirect), I wrote:

I think that with the emergence of GKI, kernel fragmentation will gradually disappear, and we will be able to obtain EL1 root by modifying the kernel.

I thought that day would come soon, but Android 14 is almost here and such a thing still hasn't appeared... There was no choice but to do it myself! In fact, when I was exploring the situational awareness system of a large-scale 5V5 game, I had already used kernel-related techniques. A few months ago I switched to a new phone that shipped with Android 12 and a GKI-based kernel, so I tried porting that "situational awareness system" to the GKI kernel; during that port, the prototype of KernelSU took shape. So now I declare:

KernelSU, a ROOT solution based on kernel technology, is here!

What is KernelSU?

KernelSU, as the name suggests, is a kernel-based su. By customizing the kernel, it grants root privileges to the target process directly in the kernel. For background on root, see my earlier article "What is root?".

In fact, the idea of a kernel SU is not new. Around 2018, zx2c4 posted a simple implementation on XDA [1]; although it is very simple, it showed us another possibility. Later, when the LSPosed team brought Magisk to WSA, they also used a kernel SU to root WSA [2].

Because a kernel SU requires a custom kernel, because Android fragmentation is extremely severe, and because there is no binary compatibility between different versions of the Linux kernel, the earlier kernel SU solutions could not be made universal: you would have to compile a custom kernel for every device model, which is practically impossible. In addition, the earlier implementations had no authentication at all: any process in the system could obtain root through su without any authorization, which means any app could take control of your entire phone.

However, the KernelSU I implemented today has solved the above two problems very well.

What did I do?

To solve the problems of the earlier kernel root solutions, I did three things:

The first thing was to wait. I waited for GKI to arrive. With GKI, Google unified the Android kernel; since GKI 2.0, different Android devices can share one common kernel as long as they are KMI-compatible. There is still a gap between the ideal and reality, but the portability of a GKI kernel is nothing like that of the fragmented era.

The second thing: I designed an authentication scheme for KernelSU. The kernel identifies the root manager by locating the APK of the current process, scanning it and verifying its signature; the manager and the kernel then communicate through a special system call, so root functions cannot be used by unauthorized processes.

The third thing: I adopted a stable system call interception technique. System calls are intercepted via kprobes, and the communication between the root manager and the kernel rides on top of that interception, leaving no traces in the file system, so it can hide itself perfectly.
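The authentication step in the second point above, as an added worked example that is not KernelSU's own code: the kernel has to decide whether the process talking to it is the real manager, and the trustworthy way to do that is to pin the signing certificate carried in the APK's signing block rather than the package name (which any app can claim). The Python below builds a constructed sample APK with a v2-style APK Signing Block, extracts the first signer's certificate and compares its SHA-256 with a pinned value; the same format walk is what a kernel-side check has to do in C against the file. The certificate bytes, the pinned hash and the sample file are all constructed for the demo, and a complete check must also verify the signer's signatures and the content digests, which this example omits.

```python
# Added example (not KernelSU's own code): pin the v2 signing certificate
# of an APK, the check a kernel-side "is this the manager?" decision needs.
import hashlib
import hmac
import io
import struct
import zipfile

EOCD_MAGIC = b"PK\x05\x06"
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A  # APK Signature Scheme v2 block ID


def _find_eocd(data: bytes) -> int:
    # The EOCD record sits at the tail; its comment is at most 65535 bytes.
    pos = data.rfind(EOCD_MAGIC, max(0, len(data) - 22 - 0xFFFF))
    if pos < 0:
        raise ValueError("no End of Central Directory record")
    return pos


def _lp_items(buf: bytes):
    """Yield the items of a uint32-length-prefixed sequence."""
    off = 0
    while off < len(buf):
        (n,) = struct.unpack_from("<I", buf, off)
        off += 4
        if off + n > len(buf):
            raise ValueError("truncated length-prefixed sequence")
        yield buf[off:off + n]
        off += n


def _lp(buf: bytes) -> bytes:
    return struct.pack("<I", len(buf)) + buf


def first_signer_cert(apk: bytes):
    """DER of the first certificate of the first v2 signer, or None."""
    eocd = _find_eocd(apk)
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return None  # v1-only or unsigned: no APK Signing Block at all
    (size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    start = cd_offset - size - 8  # the whole block is (8 + size) bytes
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    off, end = start + 8, cd_offset - 24  # the ID-value pairs
    while off < end:
        pair_len, block_id = struct.unpack_from("<QI", apk, off)
        value = apk[off + 12:off + 8 + pair_len]
        if block_id == V2_BLOCK_ID:
            signer = next(_lp_items(next(_lp_items(value))))
            signed_data = next(_lp_items(signer))
            fields = list(_lp_items(signed_data))  # digests, certs, attrs
            certs = list(_lp_items(fields[1])) if len(fields) > 1 else []
            return certs[0] if certs else None
        off += 8 + pair_len
    return None


def cert_sha256(apk: bytes):
    cert = first_signer_cert(apk)
    return hashlib.sha256(cert).hexdigest() if cert else None


def is_trusted_manager(apk: bytes, pinned_sha256: str) -> bool:
    """Trust is pinned to the signing cert, never to the package name."""
    digest = cert_sha256(apk)
    return digest is not None and hmac.compare_digest(digest, pinned_sha256)


def build_apk(cert_der: bytes = None) -> bytes:
    """Constructed sample: a one-entry zip, optionally with a v2-style block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex placeholder")
    data = buf.getvalue()
    if cert_der is None:
        return data  # unsigned APK
    eocd = _find_eocd(data)
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    signed_data = _lp(b"") + _lp(_lp(cert_der)) + _lp(b"")  # digests, certs, attrs
    signer = _lp(signed_data) + _lp(b"") + _lp(b"")  # signatures and key left empty
    v2_value = _lp(_lp(signer))
    pair = struct.pack("<QI", 4 + len(v2_value), V2_BLOCK_ID) + v2_value
    size = len(pair) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    new_eocd = bytearray(data[eocd:])
    struct.pack_into("<I", new_eocd, 16, cd_offset + len(block))  # CD moved
    return data[:cd_offset] + block + data[cd_offset:eocd] + bytes(new_eocd)


# Constructed stand-ins; a real APK carries DER X.509 certificates here.
MANAGER_CERT = b"constructed manager signing certificate (not real DER)"
IMPOSTOR_CERT = b"constructed impostor signing certificate (not real DER)"
PINNED_MANAGER_SHA256 = hashlib.sha256(MANAGER_CERT).hexdigest()
```

`is_trusted_manager(build_apk(MANAGER_CERT), PINNED_MANAGER_SHA256)` is true, while the same package re-signed with `IMPOSTOR_CERT`, or left unsigned, is rejected. Note that the inserted block sits between the zip entries and the central directory, exactly where apksigner puts it, so the file stays a valid zip.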

FAQ

What devices does KernelSU support?

Devices running kernel 5.10 or newer (that is, GKI 2.0 kernels) are supported; others are not. In the future it may be possible to backport to older kernels through static binary instrumentation.

What is the difference between KernelSU and traditional ROOT?

KernelSU works mainly in kernel space, whereas traditional ROOT solutions such as Magisk actually work in user space.

Can KernelSU have a module function similar to Magisk?

KernelSU will have modules, but they may differ from Magisk's. KernelSU will provide a kernel module interface, and the planned module function is mainly to load code or scripts into kernel space for execution, rather than providing a file system overlay as Magisk does. In theory, though, KernelSU could implement a file system overlay as well.

Can KernelSU modules provide Xposed functionality?

KernelSU modules will mainly work in kernel space, while Xposed is a user-space feature; therefore KernelSU itself cannot implement Xposed. At present, ptrace-based injection can partially realize Xposed's functionality (for example, the Shaoyin app), but I believe better solutions may appear in the future.

Can KernelSU perfectly hide root?

I am not sure. But in theory the kernel sits at a higher privilege level than applications and can hide any information from them; for example, every system call can be intercepted in the kernel, which is a nuclear weapon for hiding root.

What is the biggest advantage of KernelSU?

KernelSU can provide a HOOK interface for the kernel, letting you intercept almost any kernel function: for example system calls, or filtering openat, inotify and so on. Kernel-level hooks mean complete control over all processes, unless your opponent is also running as root.

Is KernelSU open source?

Yes. Source: https://github.com/tiann/KernelSU

How do ordinary users use it?

Work it out yourself for now, or wait for the tutorial.

Epilogue

KernelSU still has many functions to be improved. If you run into problems, please be patient, and you are welcome to join the development :)

Finally, I wish you all a good time!

Good night!

Reference links

[1] Simple implementation: https://git.zx2c4.com/kernel-assisted-superuser/
[2] Root WSA via KernelSU: https://github.com/LSPosed/WSA-Kernel-SU

Both change the boot image. But one changes the kernel, while Magisk changes the init of user space.
Origin blog.csdn.net/z920981023/article/details/128576177