2023 latest version of the Android reverse engineering tutorial - Day 4: Setting up a real-device environment

Android is a mobile operating system based on the Linux kernel. Unix-like systems such as Linux normally distinguish two kinds of account: ordinary users and the root user. On an Android phone we are normally an ordinary user. Because the apps on the market are a mix of good and bad, for security reasons only developers obtain permission to change the whole operating system; ordinary users do not get elevated privileges.

For us, full control of the Android device is essential for app reverse engineering and protocol analysis. Tools such as Frida, Xposed and Cydia Substrate all need full control of the file system, so in this article we learn how to flash and root an Android phone.

1. Recommended equipment for Android reverse engineering

If you only do Android reverse engineering, the computer requirements are not high, but the endgame of Android reverse engineering is playing with the system and the kernel. If you want to compile and modify the Android system and flash it onto your phone to assist reverse engineering, the requirements are somewhat higher. Google's article on the hardware requirements for building the system is here: https://source.android.google.cn/docs/setup/start/requirements?hl=zh-cn. Recommended computer configuration:

① Can run a VMware virtual machine: the snapshot feature is very convenient
② Memory that can be given to the virtual machine: 16 GB or more, 32 GB recommended (Google recommends 64 GB). My own computer has 64 GB:

③ Disk that can be given to the virtual machine: 500 GB or more, 1 TB recommended (either a mechanical hard disk or an SSD is fine; disks are cheap now)

Recommended phones (emulators are not recommended): use a Google Pixel, which can be bought second-hand on Taobao. If you have more money, use a Pixel 6 (you can flash KernelSU and use eBPF, and the support is better; its only drawback is that it is expensive for a test device). The Pixel 4 is also recommended: it can run Android 13 with kernel 4.14 and you can flash KernelSU, but eBPF support is not great. The Pixel 1 is recommended as well: it is cheap and has been completely cracked. Its highest official system version is Android 10, with kernel 3.18, so neither KernelSU nor eBPF works on it, but ordinary Android reverse engineering and system customization are still possible, and the price is low. I recommend the Pixel 1 for beginners, and this article uses a Pixel 1 for the demonstration (the author is relatively poor).

KernelSU: https://kernelsu.org/zh_CN/guide/installation.html
https://zhuanlan.zhihu.com/p/595985936
eBPF: https://tech.meituan.com/2022/04/07/how-to-detect-bad-ebpf-used-in-linux.html
https://cloudnative.to/blog/bpf-intro/

2. Real device environment configuration (basic flashing tutorial)

2.1 Types of flashing

Wired flashing (线刷): connect the USB cable; the flash is relatively thorough, you can flash the bootloader and the radio, and it can rescue a bricked phone.
SD-card flashing (卡刷): copy the installation package to the phone's SD card; after flashing, a double wipe, triple wipe, quadruple wipe, etc. is required. Generally used to flash third-party systems such as LineageOS (double wipe).

2.2 Classification of flash packages

Flash packages are divided into two categories according to the flashing method:

  1. Wired-flash package / factory image package (used in this article)
  2. SD-card package / full OTA package / incremental OTA package

2.3 Google phone factory images

Download address: https://developers.google.com/android/images?hl=zh-cn
Note: "sailfish" is the codename of the Pixel. Which versions a Pixel can flash is determined by the Version column; if the corresponding version is not listed under Version, the phone cannot flash that system. Wait patiently for the download to finish, as shown in the figure below:
If the download is slow, I have put the package on Baidu Netdisk; it can be downloaded directly with the link below:

Link: https://pan.baidu.com/s/1McsNzU_9b-9MRVTKMs6Dgw
Extraction code: dtwh

2.4 Simple configuration

The phone is connected to the computer over USB, which needs adb. The flash package is written to the phone by wired flashing, which needs fastboot. Both come with the Android SDK under SDK\platform-tools; adding that directory to the system environment variables is enough. You can refer to these articles: https://blog.csdn.net/xw1680/article/details/133411112
https://blog.csdn.net/xw1680/article/details/133853222
Enable developer options: go to Settings (设置) --> About phone (关于手机) --> Build number (版本号) and tap the build number repeatedly to turn on developer mode (开发者模式; the system tells you how many more taps are needed). If your system is in English, you can work out the equivalent yourself.

Enable USB debugging: go to Settings (设置) --> System (系统) --> Advanced (高级) --> Developer options (开发者选项) and turn on USB debugging (USB 调试). Same rule as before: if your system is in English, use Baidu or Google to translate it yourself.
Connect the phone to the computer with the data cable. A USB debugging prompt pops up on the phone; just allow it, as shown in the figure below:

The sign that it is enabled: open cmd and run adb devices, and the device is listed, as shown below:

2.5 Enter Bootloader mode

There are two default ways to enter the bootloader:

With the phone powered off, hold Volume Down + Power (按住音量减少键 + 电源键). This method does not need developer options or USB debugging.

With the phone powered on, run adb reboot bootloader in cmd on the computer. The phone reboots into the bootloader, as shown in the figure below:
We also need to make sure the phone is recognized by the fastboot devices command. If this command prints nothing, the driver is not installed and we have to install it manually from the driver's location, as shown in the figure below:
Install the driver as follows. Install the Google USB driver, which can be downloaded in Android Studio; how to find it was explained in the article https://blog.csdn.net/xw1680/article/details/133411112 and is not repeated here. First press the shortcut Win+R to open the Run window, enter devmgmt.msc and click OK to open Device Manager. Find the USB-connected phone in Windows Device Manager, select it, and point the driver update at the folder where the driver is located, as shown in the figures below. When fastboot devices is entered in the console again, the phone is listed (a miracle happened):

Note: to flash the phone, you must first unlock the bootloader, and to unlock the bootloader you must first enable OEM unlocking. However, my phone is a second-hand one bought from an online marketplace, and first-generation Pixels have basically all had the BL lock removed already, so I skip OEM unlocking and bootloader unlocking here. Those who need it can search Baidu. I write down the process briefly below, but cannot guarantee that unlocking succeeds (because I have not tried it myself):

  1. Sign out of the Google account on the phone first, and remove the lock screen, fingerprint, etc.
  2. Remove the SIM card from the phone
  3. Turn on developer options
  4. Turn on USB debugging
  5. Turn on OEM unlocking (this option is also under developer options, but the phone needs a network that can reach Google, i.e. "科学上网")
  6. Connect the phone to the computer and enter bootloader mode (the method is given above)
  7. Enter fastboot oem unlock or fastboot flashing unlock in cmd
  8. On the bootloader unlock screen, move the cursor with the volume keys +/-, select [Yes] and press the power button to unlock the bootloader
  9. After confirming, wait a moment, then restart the phone with the fastboot reboot command

After the bootloader is unlocked, a warning page with white text on a black background appears at every boot, saying "Your device software can't be checked for corruption. Please lock the bootloader." It only reminds you that the bootloader is unlocked; just ignore it.

2.6 Detailed explanation of flashing

If you flash the stock system, the subsequent root and other configuration steps are still needed; just follow the sections 2. Real device environment configuration (root) and 3. Real device environment configuration (others) below. I will flash my own customized system here.

If you flash a customized package, it has features such as unpacking (脱壳) and bypassing various detections. Customized flash packages are updated frequently, so flashing needs to be done proficiently. The test devices are a Pixel and a Pixel 3. Flashing the official package is not recommended, because KernelSU does not currently support kernels that are too old and Magisk's rooting method gets detected. The official system and the AOSP system ⇒ user, userdebug and eng build variants. Contact the author if you need it. If your test device is a different model, you need to find the corresponding flash package and root it yourself; if you cannot root it, switching to a Google phone is recommended.

After downloading from 2.3 Google phone factory images, extract the stock flash package (or the customized package). The contents of the package are shown in the picture below:
bootloader-sailfish-8996-012001-1908071822.img
image-sailfish-qp1a.191005.007.a3.zip
Obviously the bootloader we just entered needs the bootloader image; the radio image is the baseband; and the image-sailfish zip is the Android system itself. With the preparation above, flashing is very simple: put the phone into bootloader mode, then on Windows double-click flash-all.bat, and on Linux and macOS run flash-all.sh. I already entered bootloader mode in section 2.5 and I am on Windows, so I simply double-click flash-all.bat now, as shown below. Wait patiently for a few minutes and flashing completes, as shown below. The zip contains many img images, and in fact not all of them have to be flashed; if you have compiled the Android system yourself you will know this (I really should have learned Android when I was a junior in college. This shows one truth: be prepared, and don't assume the knowledge you learn is useless; it may come in handy one day!). In the same way, when we modify the system we can flash only the few modified img images separately. Flashing-related commands:

// ① adb reboot (reboot the phone into the system) and adb reboot bootloader (reboot the phone into bootloader mode) ⇒ both commands are used while the phone is booted
// ② fastboot reboot (reboot the phone into the system) and fastboot reboot bootloader (reboot the phone back into bootloader mode)
// ③ fastboot flash bootloader bootloader.img   flash the bootloader image into the bootloader partition
// ④ fastboot flash radio radio.img   flash the radio image into the radio partition
// ⑤ fastboot -w update image-sailfish-qp1a.191005.007.a3.zip
// ⑥ flash a single partition image on its own (when flashing separately, check that the partition images are compatible with each other)
    // 6.1 fastboot flash boot boot.img
    // 6.2 fastboot flash system system.img
    // ps: system.img and system_other.img are flashed to different partitions
    // 6.3 fastboot flash system_b system_other.img   depends on which slot you are in: if you are in slot a, flash it to slot b, and vice versa (in b, flash a)
    // 6.4 fastboot flash vendor vendor.img
// ⑦ flash several partitions in one go: fastboot flashall -w, which needs the ANDROID_PRODUCT_OUT environment variable set to the directory containing the images
// ⑧ fastboot set_active other   switch the active slot
// ⑨ fastboot --slot=other flash bootloader bootloader.img   flash the bootloader to the other slot
// ps: to guard against hard-bricking as much as possible, both bootloader_a and bootloader_b are usually flashed with the bootloader image

Note: when flashing partitions separately, check that the images for each partition are compatible. The above is an extension; we can simply use the easiest method, double-clicking flash-all.bat or running flash-all.sh. After flashing completes, enable developer mode and USB debugging again using the method above.
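Added example (my own code, not the post's): a small Python helper that reads fastboot getvar all output (a constructed sample is embedded) and turns commands ③④⑤⑥⑨ above into an argv list, refusing to plan anything on a locked bootloader and always putting system_other on the inactive slot. The function names and the sample text are my assumptions; real fastboot prints the same (bootloader) key:value line shape.

```python
import re
from typing import Dict, List

# Constructed sample of `fastboot getvar all` output (real output has the same
# "(bootloader) key:value" line shape, with many more keys).
SAMPLE_GETVAR = """\
(bootloader) product:sailfish
(bootloader) unlocked:yes
(bootloader) current-slot:a
(bootloader) slot-count:2
all: done
"""

def parse_getvar(text: str) -> Dict[str, str]:
    """Turn '(bootloader) key:value' lines into a dict; other lines are ignored."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\(bootloader\)\s*([^:]+):(.*)$", line)
        if m:
            found[m.group(1).strip()] = m.group(2).strip()
    return found

def other_slot(slot: str) -> str:
    """Inactive slot of an A/B device: a <-> b."""
    return "b" if slot == "a" else "a"

def plan_flash(getvars: Dict[str, str], images: Dict[str, str],
               separate: bool = False) -> List[List[str]]:
    """Build the fastboot argv list for ③④⑤ (or ⑥ when separate=True).

    Refuses to plan on a locked bootloader, where every flash would fail anyway.
    """
    if getvars.get("unlocked") != "yes":
        raise RuntimeError("bootloader locked: enable OEM unlocking and unlock it first")
    cur = getvars.get("current-slot", "a")
    other = other_slot(cur)
    cmds = [
        ["fastboot", "flash", "bootloader", images["bootloader"]],
        # ⑨ / ps: also flash the bootloader to the other slot to reduce brick risk
        ["fastboot", f"--slot={other}", "flash", "bootloader", images["bootloader"]],
        ["fastboot", "reboot", "bootloader"],
        ["fastboot", "flash", "radio", images["radio"]],
        ["fastboot", "reboot", "bootloader"],
    ]
    if not separate:
        cmds.append(["fastboot", "-w", "update", images["update_zip"]])
    else:
        cmds += [
            ["fastboot", "flash", "boot", images["boot"]],
            ["fastboot", "flash", "system", images["system"]],
            # 6.3: system_other always goes to the *inactive* slot
            ["fastboot", "flash", f"system_{other}", images["system_other"]],
            ["fastboot", "flash", "vendor", images["vendor"]],
        ]
    return cmds
```

Each planned entry can be executed with subprocess.run(cmd, check=True) once the phone shows up in fastboot devices.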

2. Real device environment configuration (root)

Download the package from https://github.com/topjohnwu/Magisk/releases, as shown below:
Baidu Netdisk download address:

Link: https://pan.baidu.com/s/1roHtYtN5yv0BBNtQyuBkOg
Extraction code: vahm

Install Magisk-v25.2.apk with adb, as shown in the figure below:
After the installation succeeds, check it on the phone, as shown in the figure below:
Tap the Magisk icon to open the app, then tap Install (choose Allow in the pop-up), as shown in the figures below:
Extract boot.img from image-sailfish-qp1a.191005.007.a3.zip and drag it to the desktop, as shown in the figure below:
Push boot.img from the desktop to the phone's SD card, as shown in the figure below:
Command: adb push C:\Users\AmoXiang\Desktop\boot.img /sdcard/
After the push completes, check it on the phone and patch it in Magisk, as shown in the figures below:
Magisk writes the patched image to /sdcard/Download; pull it to the desktop, as shown in the figure below:
Command: adb pull /sdcard/Download/magisk_patched-25200_z3qMB.img
View the desktop, as shown below:
Put the phone into bootloader mode again and flash the patched image: adb reboot bootloader, fastboot devices, fastboot flash boot C:\Users\AmoXiang\Desktop\magisk_patched-25200_z3qMB.img, as shown below:
Then restart the phone and open the Magisk app, as shown below:

Test in the console, as shown below:
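Added example (not from the post): before running fastboot flash boot, sanity-check the pulled magisk_patched image against the original boot.img, so a truncated pull or a wrong file is caught on the computer instead of on the phone. The header fields follow the AOSP boot_img_hdr layout (ANDROID! magic, sizes, page_size, header_version); make_boot builds a constructed stand-in so the check runs offline, and all names here are my own.

```python
import hashlib
import struct
from typing import Dict, List

# AOSP boot_img_hdr v0 prefix: magic, kernel_size, kernel_addr, ramdisk_size,
# ramdisk_addr, second_size, second_addr, tags_addr, page_size, header_version
HDR_FMT = "<8sIIIIIIIII"
HDR_LEN = struct.calcsize(HDR_FMT)  # 44 bytes
MAGIC = b"ANDROID!"

def make_boot(kernel_size: int, ramdisk_size: int, page_size: int = 2048) -> bytes:
    """Constructed stand-in for boot.img: a real-shaped header plus dummy payload."""
    hdr = struct.pack(HDR_FMT, MAGIC, kernel_size, 0x8000, ramdisk_size,
                      0x1000000, 0, 0, 0x100, page_size, 0)
    return hdr.ljust(page_size, b"\0") + b"K" * kernel_size + b"R" * ramdisk_size

def boot_header(data: bytes) -> Dict[str, int]:
    """Parse the fields we care about; raise if this is not a boot image at all."""
    if len(data) < HDR_LEN or data[:8] != MAGIC:
        raise ValueError("no ANDROID! magic: not an Android boot image")
    f = struct.unpack(HDR_FMT, data[:HDR_LEN])
    return {"kernel_size": f[1], "ramdisk_size": f[3],
            "page_size": f[8], "header_version": f[9]}

def check_patched(original: bytes, patched: bytes) -> List[str]:
    """Return a list of problems; an empty list means the patched image looks flashable."""
    try:
        o, p = boot_header(original), boot_header(patched)
    except ValueError as err:
        return [str(err)]
    problems = []
    if o["page_size"] != p["page_size"]:
        problems.append(f"page_size changed {o['page_size']} -> {p['page_size']}")
    if o["header_version"] != p["header_version"]:
        problems.append("header_version changed: patched image is for a different layout")
    if hashlib.sha256(original).digest() == hashlib.sha256(patched).digest():
        problems.append("patched image is byte-identical to the original: nothing was patched")
    return problems

def flash_boot_cmd(path: str) -> List[str]:
    """The fastboot command from the post, built as an argv list for subprocess."""
    return ["fastboot", "flash", "boot", path]
```

Read both files with open(path, "rb").read(), and only run flash_boot_cmd when check_patched returns an empty list.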

3. Real device environment configuration (others)

3.1 Adjusting the time

After flashing the modified boot image, adjust the time in Settings. If the time is wrong, there will be problems accessing the network. The current time is shown in the picture below:
Connect to Wi-Fi and visit Baidu; an error appears, as shown in the picture below:
Correct the time as shown in the picture below. You can see that after correcting the time we can access the Internet normally.
Visit Baidu again, as shown in the figure below:

3.2 Turning off the × on the Wi-Fi signal

Since Android 7.0, a × appears on the Wi-Fi icon after connecting (it keeps saying my connection is limited). This is because stock Android checks whether the Wi-Fi connection is valid by contacting Google's server, as shown in the figure below:
Run the command adb shell settings put global captive_portal_mode 0, then turn airplane mode on and off again, and that's it! As shown below:

3.3 Disabling the setup wizard

Settings:
Apps & notifications:
See all 28 apps:
Show system apps:
Android Setup Wizard:
Disable app:
Disable:

That's all for today's study. The author hereby declares that these articles are written only for learning and communication, so that more readers learning Android reverse engineering can avoid detours and save time; they are not used for any other purpose. If there is any infringement, please contact the blogger to delete it. Thank you for reading this post; I hope it can be a guide on your programming journey. Happy reading!


Origin blog.csdn.net/xw1680/article/details/134278955