MTK Android User版本实现 root 功能 & 可进行APK的删减 和 系统img的替换

最近项目需求,要实现一个功能:"Android在user版本的状态下可以进行烧制system.img 和 可以进行对系统的system/app下面的APK 以及 data/* 下所有的文件进行烧录".拿到需求之后做了大量的调研,不再一一写出,只把调研和修改文件写出来,修改过程中虽然遇到了很多的坑,但功能实现了,为了不让别的同学可能再入此坑,在此记录一下,也方便后期翻阅.

正常的 Android debug 版本可以如下进行 root:

$ adb root
adbd is already running as root
$ adb remount
remount succeeded

在开发的过程中遇到了一个比较奇怪的现象,如上所示,显示都是成功的,但是就是不能进行 push 操作,还有删除操作. 最后发现是 bootable/bootloader/lk/app/aboot/aboot.c 文件进行了读写权限限制,修改了 aboot.c 文件之后执行 fastboot flash aboot emmc_appsboot.mbn,再重新烧录 bootimg 才能生效.

本文基于Android7.1 进行修改.

主要修改文件和patch如下:

主要涉及的文件路径如下:

#device
device/qcom/common/base.mk
device/qcom/msmxxx/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml
device/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml
device/qcom/msmxxx/system.prop

#build
build/core/main.mk

#system
system/core/adb/Android.mk
system/sepolicy/Android.mk

#bootable
bootable/bootloader/lk/app/aboot/aboot.c

将 user 版本编译时的 ro.adb.secure 修改成 0

device/qcom/common/base.mk

--- a/qcom/common/base.mk
+++ b/qcom/common/base.mk
@@ -974,7 +974,7 @@
 
 ifeq ($(TARGET_BUILD_VARIANT),user)
 PRODUCT_DEFAULT_PROPERTY_OVERRIDES+= \
-    ro.adb.secure=1
+    ro.adb.secure=0
 endif
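Review bot: The added `ro.adb.secure=0` applies to every user build produced from this tree, so ADB authentication is off in whatever gets shipped, not only on the engineering units this change is meant for. Gating the override on an explicit make variable that is set only for internal builds — e.g. wrapping it in `ifeq ($(strip $(INTERNAL_ROOT_BUILD)),true)` (constructed variable name) — keeps the default product configuration intact and makes the weakened setting visible in the build. The parallel `ro.adb.secure=0` change in build/core/main.mk further down has the same scope problem.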

 

去掉锁屏,并在 user 版上去掉 adb 授权过程,赋予 adb root 权限
device/qcom/msmxxx/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml

--- /dev/null
+++ b/qcom/msmxxx/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml
@@ -0,0 +1,4 @@
+
+
+    true
+
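Review bot: The element names in this defaults.xml hunk were lost in rendering; only the value `true` survives, so which framework default is being flipped cannot be verified from the page, and the hunk as shown is not well-formed XML. The SystemUI config.xml hunk that follows has the same problem, with only `com.rjio.slc` and `false` remaining. Restoring the wrapping elements (presumably `<bool name="…">` entries) would let a reader check the setting names against the prose description.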


device/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml

--- a/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml
+++ b/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml
@@ -23,4 +23,5 @@
 
     
     com.rjio.slc
+    false
 

添加 root 权限,并去掉锁屏和 adb 授权过程
device/qcom/msmxxx/system.prop

--- a/qcom/msmxxx/system.prop
+++ b/qcom/msmxxx/system.prop
@@ -205,3 +205,4 @@
 #zhidao charle
 persist.service.bt.a2dp.sink=true
 persist.service.bt.hfp.client=true
+ro.lockscreen.disable.default=true
+service.adb.root=1
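Review bot: `service.adb.root=1` in system.prop makes the root request the default state at boot, so the `my.adb.myroot` gate added later in services.cpp (which only intercepts the `adb root` command) has nothing left to gate; if the two changes are meant to work together, this line should be dropped and the property left for adbd to set. The hunk header `@@ -205,3 +205,4 @@` also announces one added line while two are shown, so the patch as rendered will not apply cleanly; the count should be `+205,5`. `ro.lockscreen.disable.default=true` is a separate, user-visible change and deserves its own line in the description.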

修改 ro.secure 和 security.perf_harden 的值

build/core/main.mk

--- a/core/main.mk
+++ b/core/main.mk
@@ -390,11 +390,11 @@
 tags_to_install :=
 ifneq (,$(user_variant))
   # Target is secure in user builds.
-  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
-  ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
+  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
+  ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=0
 
   ifeq ($(user_variant),user)
-    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
   endif
 
   ifeq ($(user_variant),userdebug)
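Review bot: `ro.secure=0` removes the privilege drop that separates a user build from an eng build: as far as I recall adbd's privilege-drop logic, with it adbd keeps root from boot for any connected host, independently of `ro.debuggable`, `service.adb.root` or the later `my.adb.myroot` check — worth confirming against system/core/adb before relying on that check. `security.perf_harden=0` likewise re-enables unprivileged perf_event access for all apps, which is unrelated to the flashing goal. Because main.mk is shared by every product in the tree, a product-specific override guarded by an internal-only variable is the safer place for this; as written, the comment `# Target is secure in user builds.` now contradicts the lines beneath it and should be updated or the change moved.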
@@ -402,7 +402,7 @@
     tags_to_install += debug
   else
     # Disable debugging in plain user builds.
-    enable_target_debugging :=
+    enable_target_debugging := true
   endif
 
   # Disallow mock locations by default for user builds
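Review bot: Setting `enable_target_debugging := true` for plain user builds pulls in the whole debug branch, including `INCLUDE_TEST_OTA_KEYS := true` visible in the next hunk, so user builds will, as the variable name says, carry the test OTA keys — a broader effect than ADB root and probably unintended. The comment `# Disable debugging in plain user builds.` directly above the change is now false and should be rewritten, for example to `# Debugging is forced on for this product's user builds; see commit message.`, with the reason recorded. If only adbd behaviour is wanted, the adb-specific properties in the first hunk suffice without touching this branch.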
@@ -426,7 +426,7 @@
   INCLUDE_TEST_OTA_KEYS := true
 else # !enable_target_debugging
   # Target is less debuggable and adbd is off by default
-  ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=0
+  ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=1
 endif # !enable_target_debugging
 
 ## eng ##
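Review bot: `ro.debuggable=1` in the `else # !enable_target_debugging` branch is dead for this product once the previous hunk forces `enable_target_debugging := true` (the branch is only reached when debugging is off), and it contradicts the comment `# Target is less debuggable and adbd is off by default` that stays in place. Either revert this hunk or remove the comment; keeping both gives a future reader two opposite statements. If it is retained for other variants, note that `ro.debuggable` is, to my knowledge, what the platform consults to decide whether arbitrary apps may be debugged, so it widens exposure beyond adbd.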

修改 adbd 编译时的权限相关配置
system/core/adb/Android.mk

--- a/core/adb/Android.mk
+++ b/core/adb/Android.mk
@@ -327,12 +327,12 @@
     -D_GNU_SOURCE \
     -Wno-deprecated-declarations \
 
-LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)
+LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=1
 
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+#ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
 LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1
 LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=1
-endif
+#endif
 
 LOCAL_MODULE := adbd
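Review bot: Commenting out the `ifneq`/`endif` pair instead of changing its condition leaves `#ifneq` / `#endif` lines that read like C preprocessor directives and hide that `ALLOW_ADBD_DISABLE_VERITY` and `ALLOW_ADBD_ROOT` are now compiled into every variant, including user builds, where `adb disable-verity` will then be able to turn off dm-verity on /system. Keep the conditional and extend its filter with the internal marker instead, e.g. `ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT))$(filter true,$(INTERNAL_ROOT_BUILD)))` (constructed variable name), and derive `ALLOW_ADBD_NO_AUTH` from the same condition so the three flags stay in sync. The dead `#ifneq`/`#endif` lines should be deleted in any case.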

设置车机重启之后的 sepolicy 权限
system/sepolicy/Android.mk

--- a/sepolicy/Android.mk
+++ b/sepolicy/Android.mk
@@ -94,7 +94,7 @@
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-D target_build_variant=eng \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > [email protected]
 
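Review bot: Hard-coding `-D target_build_variant=eng` compiles the eng-only policy (permissive domains and eng-only allow rules) into user builds regardless of `TARGET_BUILD_VARIANT`, and the recovery-policy hunk further down does the same. If a user build with relaxed policy is really wanted, route it through the existing variable — e.g. `-D target_build_variant=$(if $(filter true,$(INTERNAL_ROOT_BUILD)),eng,$(TARGET_BUILD_VARIANT))` (constructed variable name) — so ordinary builds stay correct and there is one place to audit. The `[email protected]` tokens in these hunks are most likely `$@.tmp` mangled by the page's e-mail obfuscation; check the recipe against the original file before applying. The recipe starts outside the hunk.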
@@ -108,7 +108,6 @@
 		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
 		echo "List of invalid domains:" 1>&2; \
 		cat [email protected] 1>&2; \
-		exit 1; \
 		fi
 	$(hide) mv [email protected] $@
 
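Review bot: Dropping `exit 1;` turns the permissive-domain check into a message that still says `ERROR: permissive domains not allowed in user builds` while the build continues, so the output misstates severity and tooling that scans for errors may still fail; the recovery-policy hunk below makes the same change. If the check is to be bypassed, change the text to a WARNING and record why in a comment, or better keep the exit and decide per domain which permissive rules are acceptable. The recipe continues outside the hunk.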
@@ -132,7 +131,7 @@
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-D target_build_variant=eng \
 		-D target_recovery=true \
 		-s $^ > $@
 
@@ -145,7 +144,6 @@
 		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
 		echo "List of invalid domains:" 1>&2; \
 		cat [email protected] 1>&2; \
-		exit 1; \
 		fi
 	$(hide) mv [email protected] $@
 

到此步骤的时候,连接上 adb 其实就可以进行 adb root 和 remount 操作了,但是对 system/ 和 data/* 文件夹还不可以进行操作.

修改 aboot.c 文件之后,可以使用 fastboot 命令进行刷机操作;需要同时烧录 emmc_appsboot.mbn 和 bootimg 才能生效.
 

bootable/bootloader/lk/app/aboot/aboot.c 

--- a/bootloader/lk/app/aboot/aboot.c
+++ b/bootloader/lk/app/aboot/aboot.c
@@ -845,11 +845,15 @@
 
 #if VERIFIED_BOOT
 	/* Write protect the device info */
+
+	/*
+
 	if (!boot_into_recovery && target_build_variant_user() && devinfo_present && mmc_write_protect("devinfo", 1))
 	{
 		dprintf(INFO, "Failed to write protect dev info\n");
 		ASSERT(0);
 	}
+
+	*/
+
 #endif
 
 	/* Turn off splash screen if enabled */
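Review bot: The devinfo write-protect is disabled by wrapping live code in `/* … */` while the `/* Write protect the device info */` comment above it remains, so the function now documents a protection it no longer applies; the enclosing function starts and ends outside the hunk. If the behaviour must be configurable, prefer a build-time switch such as `#if !DEVINFO_WRITABLE_BUILD` (constructed name) over a block comment, so the change shows up in the build configuration and can be reverted for production images. Since devinfo is where the bootloader keeps its device state — presumably including the unlock/verified-boot flags — leaving it writable on user builds removes a tamper protection, not just a flashing inconvenience, and the commit description should say so.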

user 版支持 fastboot

bootable/bootloader/lk/makefile
 
# bootable/bootloader/lk/makefile: the block that defines DISABLE_FASTBOOT_CMDS for
# user builds is commented out, so (presumably) fastboot commands stay compiled in
# on user builds.
# NOTE(review): a commented-out conditional is easy to overlook; a build-time
# variable tested inside the ifeq would make the same choice visible in the config.
#ifeq ($(TARGET_BUILD_VARIANT),user)
#  CFLAGS += -DDISABLE_FASTBOOT_CMDS=1
#endif


fastboot刷机命令

# Flash sequence from the text above: reboot into the bootloader, then write each
# partition image with fastboot. Each `fastboot flash` overwrites the named partition
# with the given image; per the author's note, aboot (emmc_appsboot.mbn) and boot.img
# both have to be flashed for the aboot.c change to take effect.
adb reboot bootloader
fastboot flash aboot emmc_appsboot.mbn
fastboot flash boot boot.img
fastboot flash cache cache.img
fastboot flash system system.img
fastboot flash userdata userdata.img
fastboot flash recovery recovery.img
fastboot flash persist persist.img
fastboot reboot

限制 adb 使用,留一个后门供自己的开发人员使用;在此处也可以修改默认端口值

device/qcom/msmxxx/system.prop

添加
my.adb.myroot=0

在 system/core/adb/services.cpp 中添加对该字段的检查

diff --git a/core/adb/services.cpp b/core/adb/services.cpp
--- a/core/adb/services.cpp
+++ b/core/adb/services.cpp
@@ -80,6 +80,14 @@
             return;
         }
 
+        property_get("my.adb.myroot", value, "0");
+        if (strcmp(value, "0") == 0) {
+            WriteFdExactly(fd, "adbd root cannot run\n");
+            adb_close(fd);
+            return;
+        }
+		
         property_set("service.adb.root", "1");
         WriteFdExactly(fd, "restarting adbd as root\n");
         adb_close(fd);
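Review bot: The `my.adb.myroot` check gates only the `adb root` service, so with `ro.secure=0` (main.mk) and `service.adb.root=1` (system.prop) in the same patch set, adbd is, as far as I recall its privilege-drop logic, already running as root before this code is reached and the gate restricts nothing; if this is meant to be the access control, those two changes have to go. The property is also set from the same unauthenticated shell that would issue `adb root`, so it is a convenience toggle rather than a security boundary and should be described as such in the text. The hunk header `@@ -80,6 +80,14 @@` announces eight added lines but seven are shown, so a line may have been lost in rendering; `value` is declared outside the hunk, and the enclosing function begins and ends outside it.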

之后就可以通过命令行使用该 root 后门

# Set the property that the services.cpp hunk checks before honouring `adb root`;
# the strcmp there treats any value other than "0" as allowed.
adb shell setprop my.adb.myroot=1

# With the property set, the root request and remount are expected to go through.
adb root
adb remount

 
