相关基础信息:
adb | 5038 | ADB_HOST=1 ADB_HOST_ON_TARGET=1 |
adb_sysdeps_init适用于linux和windows的版本 adb_trace_init adb_commandline |
adb client | 提供HOST端运行的命令 | ||
adb service | HOST端上的一个后台进程 | ||
adb daemon | 5037 设备开机启动 |
ADB_HOST=0 ALLOW_ADBD_ROOT=1 |
adb_qemu_trace_init start_device_log adb_main |
Android中adb源码路径:system/core/adb,核心源码列表:
adb BUILD_EXECUTABLE | adbd BUILD_EXECUTABLE | |
adb.c \ | √ | √ |
adb_auth_client.c \ | √ | |
adb_auth_host.c \ | √ | |
adb_client.c \ | √ | |
backup_service.c \ | √ | |
commandline.c \ | √ | |
console.c \ | √ | |
fdevent.c \ | √ | √ |
file_sync_client.c \ | √ | √ |
framebuffer_service.c \ | √ | |
get_my_path_linux.c \ | √ | |
jdwp_service.c \ | √ | |
log_service.c \ | √ | |
remount_service.c \ | √ | |
services.c \ | √ | √ |
sockets.c \ | √ | √ |
transport.c \ | √ | √ |
transport_local.c \ | √ | √ |
transport_usb.c \ | √ | √ |
usb_linux.c \ | √ | |
usb_linux_client.c \ | √ | |
usb_vendors.c | √ | |
utils.c \ | √ | √ |
$(EXTRA_SRCS) \ | ||
$(USB_SRCS) \ |
Android启动过程adb相关服务及系统属性信息:
1 | # create basic filesystem structure |
公私钥认证机制,只允许授权主机使用USB调试接口。保存路径/data/misc/adb/adb_keys | |
mkdir /data/misc/adb 02750 system shell | |
2 | # Enable adb security for JB4.2.2 |
设置是否启用adb公私钥认证机制,0禁用1启用 | |
setprop ro.adb.secure 0 | |
3 | # adbd is controlled via property triggers in init.<platform>.usb.rc |
service adbd /sbin/adbd | |
class core | |
socket adbd stream 660 system system | |
disabled | |
seclabel u:r:adbd:s0 | |
4 | # adbd on at boot in emulator |
on property:ro.kernel.qemu=1 | |
start adbd |
以下为linux版adb工具执行过程分析(实用环境可能在机顶盒或车载机上):
1、命令行执行adb devices,主程序入口,main -> adb_commandline
system/core/ktadb/adb.c::main():Handling commandline() system/core/ktadb/commandline.c::adb_commandline():getenv ANDROID_SERIAL=(null) ANDROID_ADB_SERVER_PORT=(null) server_port=5038 system/core/ktadb/commandline.c::adb_commandline():adb_commandline() para[0]=devices system/core/ktadb/commandline.c::adb_commandline():is_server=0 no_daemon=0 is_daemon=0
2、执行函数adb_query()
system/core/ktadb/adb_client.c::adb_query():adb_query: host:devices
a. 验证版本
a.1 验证成功
system/core/ktadb/adb_client.c::_adb_connect():_adb_connect: host:version 30303063 000c 686f73743a76657273696f6e host:version system/core/ktadb/transport.c::writex():writex: fd=3 len=4: system/core/ktadb/transport.c::writex():writex: fd=3 len=12: system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 got=4 4f4b4159 OKAY system/core/ktadb/adb_client.c::_adb_connect():_adb_connect: return fd 3 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 got=4 30303034 0004 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 got=4 30303166 001f 版本号31
发送4字节+host:version指令,读取OKAY返回结果,读取结果长度及结果内容。
a.2 验证失败
system/core/ktadb/adb_client.c::_adb_connect():_adb_connect: host:version adb_server_name=(null) system/core/ktadb/adb_client.c::_adb_connect():_adb_connect: socket_loopback_client system/core/ktadb/adb_client.c::_adb_connect():_adb_connect: return fd -2 system/core/ktadb/adb_client.c::_adb_connect():_adb_connect: error message cannot connect to daemon system/core/ktadb/adb_client.c::adb_connect():adb_connect: service host:devices, _adb_connect_ret=-2
a.2.launch_server fork()
* daemon not running. starting it now on port 5038 * system/core/ktadb/adb_client.c::adb_connect():fd == -2 adb_connect:launch_server() launch_server():fork() system/core/ktadb/adb.c::main():Handling commandline() system/core/ktadb/commandline.c::adb_commandline():getenv ANDROID_SERIAL=(null) ANDROID_ADB_SERVER_PORT=(null) server_port=5038 system/core/ktadb/commandline.c::adb_commandline():adb_commandline() para[0]=-P system/core/ktadb/commandline.c::adb_commandline():adb_commandline() para[1]=5038 system/core/ktadb/commandline.c::adb_commandline():is_server=1 no_daemon=0 is_daemon=1 system/core/ktadb/commandline.c::adb_commandline():adb_commandline::adb_main system/core/ktadb/adb.c::adb_main():adb.c::adb_main()
a.2.launch_server usb_vendors_init()
每个设备厂家都会定义一个VID(vender id)来标识自己的usb 设备,ADB service端只会连接已知的VID,这个函数的作用就是初始化一个VID的数组,初始化后这个数组中将包含adb代码中内建的一些厂家的ID以及HOST端的android配置文件中定义的ID。
a.2.launch_server usb_init()
创建一个线程,线程处理函数device_poll_thread,进入一个循环,每隔1s执行一次find_usb_device和kick_disconnected_devices,find_usb_device搜索所有的usb设备,判断VID是否在上面初始化的列表中,如果是,则将该usb设备注册到一个handle_list中。调用register_usb_transport基于这个fd构造一个atransport类型的对象,再基于这个atransport对象调用register_transport构造一个tmsg类型的对象。
最后,将这个tmsg对象写到transport_registration_send这个fd,将触发相应的socket监控。kick_disconnected_devices函数判断adb设备是否还正常,不正常的话从handle_list中去掉。
a.2.launch_server local_init(DEFAULT_ADB_LOCAL_TRANSPORT_PORT);
system/core/ktadb/usb_linux.c::device_poll_thread():Created device thread system/core/ktadb/transport_local.c::local_init():transport: local client init on port 5555
创建一个线程,尝试连接HOST端5555-5585端口,如果连接成功,则返回一个fd,register_socket_transport基于这个fd构造一个atransport类型的对象,再基于这个atransport对象调用register_transport构造一个tmsg类型的对象。最后,将这个tmsg对象写 transport_registration_send这个fd,将触发相应的socket监控。
a.2.launch_server adb_auth_init();
ystem/core/ktadb/adb_auth_host.c::adb_auth_init():adb_auth_init system/core/ktadb/adb_auth_host.c::get_user_keyfilepath():home '/data' system/core/ktadb/transport_local.c::client_socket_thread():transport: client_socket_thread() starting system/core/ktadb/adb_auth_host.c::get_user_key():user key '/data/.android/adbkey' system/core/ktadb/adb_auth_host.c::read_key():read_key '/data/.android/adbkey'
adbkey.pub文件内容
QAAAAOcgswwpDbwD9nP4IsrHRVTPBcHn3g6cIIoK9+OBBRoll6C7ASYw7+tRV3QisHhR+fWToXocEeSJeZrevInAI5wlqKBVIqa9RiHafVGcWEWXXZ0T7t2zmVT5Yrkvw1OegeHICaZpzZieI7ii5SDHFrXxMejZsU+vVkxEy6tnRldywTxcKSpQ11fLyeDqR8fmr/R06uK3Tjet/98zGStWdsvDcN95ZxpGjfkj9Sv83+NXBWYZWQzBqTTJiWRQWbe9mi3RpqgKpLXHQDzYTQbJRWvTOt4QR50rt0kQf1SUdilO0ap1eGf/KXQALx72ivk/9fhU5L+IDKUyP/EsspUqc01KD8GzkPvUMdUbXdStc4uEjzoHNERB+PD5EioRoeYwXzqIRJGycP1+Xvn1ek9CnoTU8Fqno8KkiMtbeB8T0I0cpQv0J52IoL/yN3tST+RZzAFspOv2CAhY7bvNAZ035+amfkI6O9sF7Mq+cLsHXKX3elcydpVnLAabBPAD/pnX46p44UZT4L9OY7+3JkMwu0yolKvO8ku0fqckitkE1p0DBLzZByjKqD6VqSTpzMQi63GSDBdV6d9MWt4BuuhwLuTO1UMolJv0h+lTKA40GzeNuNF9xw9AH2GJIESjxtJaKe8dUOcpxpbJ1Su74TnjdubBRgvkeYId1/VdUySrbviBnghOpwEAAQA= unknown@localhost
a.2.launch_server build_local_name(local_name, sizeof(local_name), server_port)
a.2.launch_server install_listener(local_name, "*smartsocket*", NULL, 0)
system/core/ktadb/usb_linux.c::register_device():[ usb located new device /dev/bus/usb/002/025 (131/3/1) ] system/core/ktadb/usb_linux.c::register_device():[ usb open /dev/bus/usb/002/025fd = 12]
监听"tcp:5037",adb client与adb service之间的通讯端口。
a.2.launch_server start_logging()
将stdin重写向到/dev/null,将stdout、stderr重定向/tmp/adb.log,然后输出"adb starting"到stderr。
a.2.launch_server fdevent_loop()
前面通过fdinstall()注册了几个fde,这里就通过一个无限循环epoll相应的fd,有相应的事件则调用fdinstall时注册的处理函数。
a.2.launch_server usb_cleanup()
usb相关的清理工作,对应linux平台的实现目前为空。
* daemon started successfully *
b.获取列表
b.1 设备正常
system/core/ktadb/adb_client.c::_adb_connect():_adb_connect: host:devices 30303063 000c 686f73743a64657669636573 host:devices system/core/ktadb/transport.c::writex():writex: fd=3 len=4: system/core/ktadb/transport.c::writex():writex: fd=3 len=12: system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 got=4 4f4b4159 OKAY system/core/ktadb/adb_client.c::_adb_connect():_adb_connect: return fd 3 system/core/ktadb/adb_client.c::adb_connect():adb_connect: return fd 3 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 got=4 30303230 0020 结果长度32 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=32 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=32 got=32 31343833453130303531334644303130 1483E100513FD010 List of devices attached 1483E100513FD0100_MTPADB device
发送4字节+host:devices指令,读取OKAY返回结果,读取结果长度及结果内容。
b.2 设备未授权
system/core/ktadb/adb_client.c::_adb_connect():_adb_connect: host:devices (null) 30303063 000c 686f73743a64657669636573 host:devices system/core/ktadb/transport.c::writex():writex: fd=3 len=4: system/core/ktadb/transport.c::writex():writex: fd=3 len=12: system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 got=4 4f4b4159 OKAY system/core/ktadb/adb_client.c::_adb_connect():_adb_connect: return fd 3 system/core/ktadb/adb_client.c::adb_connect():adb_connect: return fd 3 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 got=4 30303136 0016 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=22 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=22 got=22 373964373561656309756e617574686f 79d75aec.unautho List of devices attached 79d75aec unauthorized
b.3 无设备
system/core/ktadb/adb_client.c::_adb_connect():_adb_connect: host:devices adb_server_name=(null) system/core/ktadb/adb_client.c::_adb_connect():_adb_connect: socket_loopback_client 30303063 000c 686f73743a64657669636573 host:devices system/core/ktadb/transport.c::writex():writex: fd=3 len=4: system/core/ktadb/transport.c::writex():writex: fd=3 len=12: system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 got=4 4f4b4159 OKAY system/core/ktadb/adb_client.c::_adb_connect():_adb_connect: return fd 3 system/core/ktadb/adb_client.c::adb_connect():adb_connect: return fd 3 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=4 got=4 30303030 0000 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=0 system/core/ktadb/transport.c::readx():readx: fd=3 wanted=0 got=0 List of devices attached
主机端 | ||
平台 | Win 7 | Linux |
公钥 | %USERPROFILE%\.android\adbkey.pub | /data/.android/adbkey.pub |
私钥 | %USERPROFILE%\.android\adbkey | /data/.android/adbkey |
手机 | 手机弹出主机公钥的指纹(MD5),询问是否允许 | |
已验证通过的主机保存在 /data/misc/adb/adb_keys |