
MTK Android user build: implementing root so that APKs can be removed and system images replaced

Time: 2022-01-07 14:10:31


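A recent project required the following feature: "On an Android user build it must be possible to flash system.img, and to flash the APKs under system/app as well as all files under data/*." After getting the requirement I did a lot of research. I will not write all of it out, only the findings and the modified files. I hit many pitfalls along the way, but the feature works. I am recording it here so that others do not fall into the same pits, and for my own later reference.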

A normal Android debug build can be rooted as follows:

$ adb root
adbd is already running as root
$ adb remount
remount succeeded

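During development I ran into a rather odd phenomenon: as shown above, everything reports success, but push and delete operations still fail. It finally turned out that bootable/bootloader/lk/app/aboot.c imposes a read/write restriction. After modifying aboot.c, run fastboot flash aboot emmc_appsboot.mbn and then flash the boot image; the change only takes effect once bootimg has been reflashed.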

This article is based on Android 7.1.

The main modified files and patches are as follows.

The file paths involved are:

#device
device/qcom/common/base.mk
device/qcom/msmxxx/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml
device/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml
device/qcom/msmxxx/system.prop
#build
build/core/main.mk
#system
system/core/adb/Android.mk
system/sepolicy/Android.mk
#bootable
bootable/bootloader/lk/app/aboot/aboot.c

Change the value used when building the user variant to 0

device/qcom/common/base.mk

--- a/qcom/common/base.mk+++ b/qcom/common/base.mk@@ -974,7 +974,7 @@ifeq ($(TARGET_BUILD_VARIANT),user)PRODUCT_DEFAULT_PROPERTY_OVERRIDES+= \- ro.adb.secure=1+ ro.adb.secure=0endif
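Review bot: the ro.adb.secure=0 line inside ifeq ($(TARGET_BUILD_VARIANT),user) switches off adb host-key authorization for every product that inherits device/qcom/common/base.mk, not only the one that needs it. Keep ro.adb.secure=1 in the shared file and move the override into the product's own makefile behind an explicit opt-in variable, with a comment saying why this user build ships with unauthenticated adb.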

Remove the lock screen, remove the adb authorization step on the user build, and grant adb root permission

device/qcom/msmxxx/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml

--- /dev/null+++ b/qcom/msmxxx/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml@@ -0,0 +1,4 @@+<?xml version="1.0" encoding="utf-8"?>+<resources>+ <bool name="def_lockscreen_disabled">true</bool>+</resources>

device/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml

--- a/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml+++ b/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml@@ -23,4 +23,5 @@<resources><!-- string that specifies the package name of SLC[Subsidy Lock Client] --><string name="config_slc_package_name" translatable="false">com.rjio.slc</string>+ <bool name="config_enableKeyguardService">false</bool></resources>

Add root permission and remove the lock screen and adb authorization step

device/qcom/msmxxx/system.prop

--- a/qcom/msmxxx/system.prop+++ b/qcom/msmxxx/system.prop@@ -205,3 +205,4 @@#zhidao charlepersist.service.bt.a2dp.sink=truepersist.service.bt.hfp.client=true+ro.lockscreen.disable.default=true+service.adb.root=1
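Review bot: service.adb.root=1 on the last added line is set at build time with no variant check in this file, so the property is already 1 at boot without any adb root request. If root is meant to be requested on demand, drop this line and let the adb root path set the property. ro.lockscreen.disable.default=true should also carry a comment naming the product requirement it serves, like the existing comment above the Bluetooth properties.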

Modify the values of ro.secure and security.perf_harden

build/core/main.mk

--- a/core/main.mk+++ b/core/main.mk@@ -390,11 +390,11 @@tags_to_install :=ifneq (,$(user_variant))# Target is secure in user builds.- ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1- ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1+ ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0+ ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=0ifeq ($(user_variant),user)- ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1+ ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0endififeq ($(user_variant),userdebug)@@ -402,7 +402,7 @@tags_to_install += debugelse# Disable debugging in plain user builds.- enable_target_debugging :=+ enable_target_debugging := trueendif# Disallow mock locations by default for user builds@@ -426,7 +426,7 @@INCLUDE_TEST_OTA_KEYS := trueelse # !enable_target_debugging# Target is less debuggable and adbd is off by default- ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=0+ ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=1endif # !enable_target_debugging## eng ##
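Review bot: in the hunk at -390 the comment "# Target is secure in user builds." is left above lines that now set ro.secure=0, security.perf_harden=0 and ro.adb.secure=0, so the file documents the opposite of what it does. If these values are really required for one product, gate them on a dedicated make variable set by that product instead of editing the user branch of build/core/main.mk, and update the comment to match.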
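Review bot: in the hunk at -402, enable_target_debugging := true sits directly under the comment "# Disable debugging in plain user builds.", and the context of the hunk at -426 shows that the debugging branch also sets INCLUDE_TEST_OTA_KEYS := true. Judging by the "else # !enable_target_debugging" comment, the ro.debuggable=1 edit in that else branch is no longer reached once the variable is true, so it can be dropped. Please confirm that including test OTA keys in a user image is intended, and fix the comment.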

Modify the permissions adbd is compiled with

system/core/adb/Android.mk

--- a/core/adb/Android.mk+++ b/core/adb/Android.mk@@ -327,12 +327,12 @@-D_GNU_SOURCE \-Wno-deprecated-declarations \-LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)+LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=1-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))+#ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=1-endif+#endifLOCAL_MODULE := adbd
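Review bot: replacing the $(filter userdebug eng,$(TARGET_BUILD_VARIANT)) test with a constant 1 and commenting out the ifneq/endif pair compiles ALLOW_ADBD_NO_AUTH, ALLOW_ADBD_DISABLE_VERITY and ALLOW_ADBD_ROOT into adbd for every variant. Keep the original conditional and extend it with an explicit opt-in variable for this product, and delete lines rather than leaving "#ifneq" and "#endif" behind, since commented-out conditionals hide the fact that the guard is gone.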

Set the sepolicy permissions that apply after the head unit reboots

system/sepolicy/Android.mk

--- a/sepolicy/Android.mk+++ b/sepolicy/Android.mk@@ -94,7 +94,7 @@@mkdir -p $(dir $@)$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \--D target_build_variant=$(TARGET_BUILD_VARIANT) \+-D target_build_variant=eng \-s $^ > $@$(hide) sed '/dontaudit/d' $@ > $@.dontaudit@@ -108,7 +108,6 @@echo "ERROR: permissive domains not allowed in user builds" 1>&2; \echo "List of invalid domains:" 1>&2; \cat $@.permissivedomains 1>&2; \-exit 1; \fi$(hide) mv $@.tmp $@@@ -132,7 +131,7 @@@mkdir -p $(dir $@)$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \--D target_build_variant=$(TARGET_BUILD_VARIANT) \+-D target_build_variant=eng \-D target_recovery=true \-s $^ > $@@@ -145,7 +144,6 @@echo "ERROR: permissive domains not allowed in user builds" 1>&2; \echo "List of invalid domains:" 1>&2; \cat $@.permissivedomains 1>&2; \-exit 1; \fi$(hide) mv $@.tmp $@
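Review bot: hard-coding -D target_build_variant=eng in both m4 invocations (the policy at -94 and the recovery policy at -132) makes every policy macro that tests the build variant expand as if this were an eng build, whatever TARGET_BUILD_VARIANT is. That is far wider than the permission problem the text describes. Restore $(TARGET_BUILD_VARIANT) and add the specific rules that are needed to the device's own sepolicy directory.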
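Review bot: at -108 and -145 the "exit 1; \" line is removed but the echo and cat lines stay, so the build still prints "ERROR: permissive domains not allowed in user builds" and then carries on to mv $@.tmp $@. A check that reports an error and succeeds anyway is easy to miss in build logs. Either keep exit 1 and remove the permissive domains, or, if they are accepted for this product, change the message to a warning that states the reason.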

At this point, once adb is connected, adb root and adb remount already work, but the system/ and data/* directories still cannot be modified.
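The following is an added example, not code from the original post: a check that flags, on an image whose ro.build.type is user, the property values that the "+" lines of the patches above introduce. It accepts either getprop output or build.prop/default.prop text; the function names and the sample input are constructed for illustration.

```python
import re

# Values the "+" lines of the patches on this page put into a user build.
WEAKENED = {
    "ro.secure": "0",
    "ro.adb.secure": "0",
    "ro.debuggable": "1",
    "security.perf_harden": "0",
    "service.adb.root": "1",
}
_GETPROP = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")


def parse_props(text):
    """Parse `getprop` output ([k]: [v]) or build.prop style lines (k=v)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _GETPROP.match(line)
        if m:
            props[m.group(1)] = m.group(2)
        elif "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit_user_build(text):
    """Return sorted 'key=value' findings; [] if not a user build or clean."""
    props = parse_props(text)
    if props.get("ro.build.type") != "user":
        return []
    return sorted(f"{k}={v}" for k, v in WEAKENED.items() if props.get(k) == v)


# Constructed sample input mixing both formats (not taken from a real device).
SAMPLE = """\
[ro.build.type]: [user]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[ro.debuggable]: [1]
service.adb.root=1
security.perf_harden=1
"""

if __name__ == "__main__":
    print(audit_user_build(SAMPLE))
```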

After modifying aboot.c, the device can be flashed with fastboot commands; both emmc_appsboot.mbn and bootimg must be flashed for the change to take effect.

bootable/bootloader/lk/app/aboot/aboot.c

--- a/bootloader/lk/app/aboot/aboot.c+++ b/bootloader/lk/app/aboot/aboot.c@@ -845,11 +845,15 @@#if VERIFIED_BOOT/* Write protect the device info */++/*+if (!boot_into_recovery && target_build_variant_user() && devinfo_present && mmc_write_protect("devinfo", 1)){dprintf(INFO, "Failed to write protect dev info\n");ASSERT(0);}++*/+#endif/* Turn off splash screen if enabled */
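Review bot: the /* ... */ wrapper removes the mmc_write_protect("devinfo", 1) call for every boot, while the comment "/* Write protect the device info */" above it now describes code that no longer runs. The original condition (!boot_into_recovery && target_build_variant_user() && devinfo_present) was already narrow, so use a named compile-time switch (#if) rather than a block comment, which keeps the change visible in the build configuration, and document why a user build leaves devinfo writable.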

Enable fastboot on the user build

bootable/bootloader/lk/makefile

#ifeq ($(TARGET_BUILD_VARIANT),user)
# CFLAGS += -DDISABLE_FASTBOOT_CMDS=1
#endif

fastboot flashing commands

adb reboot bootloader
fastboot flash aboot emmc_appsboot.mbn
fastboot flash boot boot.img
fastboot flash cache cache.img
fastboot flash system system.img
fastboot flash userdata userdata.img
fastboot flash recovery recovery.img
fastboot flash persist persist.img
fastboot reboot

Restrict adb usage and keep a backdoor for our own developers; the default port value can also be changed here

In device/qcom/msmxxx/system.prop, add:
my.adb.myroot=0

Add the restriction on this property in system/core/adb/services.cpp

diff --git a/core/adb/services.cpp b/core/adb/services.cpp--- a/core/adb/services.cpp+++ b/core/adb/services.cpp@@ -80,6 +80,14 @@return;}+ property_get("my.adb.myroot", value, "0");+ if (strcmp(value, "0") == 0) {+ WriteFdExactly(fd, "adbd root cannot run\n");+ adb_close(fd);+ return;+ }+property_set("service.adb.root", "1");WriteFdExactly(fd, "restarting adbd as root\n");adb_close(fd);
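Review bot: the added check reads my.adb.myroot with property_get and compares it to "0", but nothing in the hunk limits who may set that property, and the usage shown on the page sets it from adb shell, so it is a switch rather than an access control. The system.prop patch earlier on the page also sets service.adb.root=1 at build time, which this check does not cover. If the goal is to reserve root for the team's own developers, tie it to something the adb client has to prove, for example keeping ro.adb.secure=1 with only the team's adb public keys provisioned on the device.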

After that, the root backdoor can be used from the command line:

adb shell setprop my.adb.myroot 1
adb root
adb remount
