MTK Android User版本实现 root 功能 & 可进行APK的删减 和 系统img的替换

最近项目需求,要实现一个功能:"Android在user版本的状态下可以进行烧制system.img 和 可以进行对系统的system/app下面的APK 以及 data/* 下所有的文件进行烧录".拿到需求之后做了大量的调研,不再一一写出,只把调研和修改文件写出来,修改过程中虽然遇到了很多的坑,但功能实现了,为了不让别的同学可能再入此坑,在此记录一下,也方便后期翻阅.

正常的Android debug版本如下可以进行root 

$ adb root
adbd is already running as root
$ adb remount
remount succeeded

在开发的过程中遇到了一个比较奇怪的现象 ,如上图所示,显示都是成功的,但是就是不能进行 push操作,还有删除操作. 最后发现是 bootable/bootloader/lk/app/aboot.c 文件进行了读写权限限制,修改了 aboot.c 文件之后 fastboot flash aboot emmc_appsboot.mbn，然后烧录 bootimage之后重烧bootimg才能生效.

本文基于Android7.1 进行修改.

主要修改文件和patch如下:

主要涉及的文件路径如下:

#device
device/qcom/common/base.mk
device/qcom/msmxxx/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml
device/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml
device/qcom/msmxxx/system.prop

#build
build/core/main.mk

#system
system/core/adb/Android.mk
system/sepolicy/Android.mk

#bootable
bootable/bootloader/lk/app/aboot/aboot.c

将编译user版本的修改成 0

device/qcom/common/base.mk

--- a/qcom/common/base.mk
+++ b/qcom/common/base.mk
@@ -974,7 +974,7 @@
 
 ifeq ($(TARGET_BUILD_VARIANT),user)
 PRODUCT_DEFAULT_PROPERTY_OVERRIDES+= \
-    ro.adb.secure=1
+    ro.adb.secure=0
 endif

 

去掉锁屏和user版上去掉adb授权过程，赋予adb root权限
device/qcom/msmxxx/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml

--- /dev/null
+++ b/qcom/msmxxx/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml
@@ -0,0 +1,4 @@
+
+
+    true
+

device/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml

--- a/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml
+++ b/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml
@@ -23,4 +23,5 @@
 
     
     com.rjio.slc
+    false
 

添加root权限 和 去掉锁屏adb授权过程
device/qcom/msmxxx/system.prop

--- a/qcom/msmxxx/system.prop
+++ b/qcom/msmxxx/system.prop
@@ -205,3 +205,4 @@
 #zhidao charle
 persist.service.bt.a2dp.sink=true
 persist.service.bt.hfp.client=true
+ro.lockscreen.disable.default=true
+service.adb.root=1

修改 ro.secure和  security.perf_harden 的值

build/core/main.mk

--- a/core/main.mk
+++ b/core/main.mk
@@ -390,11 +390,11 @@
 tags_to_install :=
 ifneq (,$(user_variant))
   # Target is secure in user builds.
-  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
-  ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
+  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
+  ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=0
 
   ifeq ($(user_variant),user)
-    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
   endif
 
   ifeq ($(user_variant),userdebug)
@@ -402,7 +402,7 @@
     tags_to_install += debug
   else
     # Disable debugging in plain user builds.
-    enable_target_debugging :=
+    enable_target_debugging := true
   endif
 
   # Disallow mock locations by default for user builds
@@ -426,7 +426,7 @@
   INCLUDE_TEST_OTA_KEYS := true
 else # !enable_target_debugging
   # Target is less debuggable and adbd is off by default
-  ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=0
+  ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=1
 endif # !enable_target_debugging
 
 ## eng ##

修改adb编译所属权限
system/core/adb/Android.mk

--- a/core/adb/Android.mk
+++ b/core/adb/Android.mk
@@ -327,12 +327,12 @@
     -D_GNU_SOURCE \
     -Wno-deprecated-declarations \
 
-LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)
+LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=1
 
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+#ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
 LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1
 LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=1
-endif
+#endif
 
 LOCAL_MODULE := adbd

设置车机重启之后的 sepolicy 权限
system/sepolicy/Android.mk

--- a/sepolicy/Android.mk
+++ b/sepolicy/Android.mk
@@ -94,7 +94,7 @@
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-D target_build_variant=eng \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > [email protected]
 
@@ -108,7 +108,6 @@
 		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
 		echo "List of invalid domains:" 1>&2; \
 		cat [email protected] 1>&2; \
-		exit 1; \
 		fi
 	$(hide) mv [email protected] $@
 
@@ -132,7 +131,7 @@
 	@mkdir -p $(dir $@)
 	$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
 		-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+		-D target_build_variant=eng \
 		-D target_recovery=true \
 		-s $^ > $@
 
@@ -145,7 +144,6 @@
 		echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
 		echo "List of invalid domains:" 1>&2; \
 		cat [email protected] 1>&2; \
-		exit 1; \
 		fi
 	$(hide) mv [email protected] $@
 

到此步骤的时候 连接上adb其实就可以进行adb root和 remount操作了, 但是对 system/   &  data/* 文件夹 不可以进行操作.

修改了 aboot.c 文件之后

可以使用 fast 命令 进行刷机操作同时烧录emmc_appsboot.mbn和bootimg才能生效.
 

bootable/bootloader/lk/app/aboot/aboot.c 

--- a/bootloader/lk/app/aboot/aboot.c
+++ b/bootloader/lk/app/aboot/aboot.c
@@ -845,11 +845,15 @@
 
 #if VERIFIED_BOOT
 	/* Write protect the device info */
+
+	/*
+
 	if (!boot_into_recovery && target_build_variant_user() && devinfo_present && mmc_write_protect("devinfo", 1))
 	{
 		dprintf(INFO, "Failed to write protect dev info\n");
 		ASSERT(0);
 	}
+
+	*/
+
 #endif
 
 	/* Turn off splash screen if enabled */

user  支持 fastboot

bootable/bootloader/lk/makefile
 
#ifeq ($(TARGET_BUILD_VARIANT),user)
#  CFLAGS += -DDISABLE_FASTBOOT_CMDS=1
#endif

fastboot刷机命令

adb reboot bootloader
fastboot flash aboot emmc_appsboot.mbn
fastboot flash boot boot.img
fastboot flash cache cache.img
fastboot flash system system.img
fastboot flash userdata userdata.img
fastboot flash recovery recovery.img
fastboot flash persist persist.img
fastboot reboot

限制adb使用，留用后门供 自己的开发人员使用,在此处也可以修改默认端口值

device/qcom/msmxxx/system.prop

添加
my.adb.myroot=0

添加字段在system/core/adb/services.cpp 添加限制

diff --git a/core/adb/services.cpp b/core/adb/services.cpp
--- a/core/adb/services.cpp
+++ b/core/adb/services.cpp
@@ -80,6 +80,14 @@
             return;
         }
 
+        property_get("my.adb.myroot", value, "0");
+        if (strcmp(value, "0") == 0) {
+            WriteFdExactly(fd, "adbd root cannot run\n");
+            adb_close(fd);
+            return;
+        }
+		
         property_set("service.adb.root", "1");
         WriteFdExactly(fd, "restarting adbd as root\n");
         adb_close(fd);

之后就可以使用命令行进行root后门操作

adb shell setprop my.adb.myroot=1

adb root
adb remount