Android 11.0 (R) root on MTK 6771: enabling root (adb root and apk root) on a user build

Digest  Android  2021-03-5  Reads: 14766

Preface

Guys, it's me again, taking root all the way! Android 11.0 root, here we go!!!

This largely follows the earlier 10.0 approach. For adb remount to succeed, the bootloader must be unlocked with fastboot; after unlocking there is no need to run adb disable-verity, adb remount succeeds directly, and push or rm can then be executed.

Changes

15 files modified and 3 files added, 18 files in total

modified:   build/make/core/main.mk

modified:   build/make/target/product/base_system.mk

modified:  device/mediateksample/tcl98/device.mk

modified:   frameworks/base/services/usb/java/com/android/server/usb/UsbDeviceManager.java

modified:   system/core/adb/Android.bp

modified:   system/core/adb/daemon/main.cpp

modified:   system/core/init/selinux.cpp

modified:   system/core/libcutils/fs_config.cpp

modified:   system/core/rootdir/init.rc

modified:   system/core/fs_mgr/Android.bp

modified:   system/sepolicy/Android.mk

modified:   system/sepolicy/definitions.mk

modified:   system/sepolicy/prebuilts/api/29.0/public/domain.te

modified:   system/sepolicy/public/domain.te

modified:   vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/tcl98/tcl98.mk

add device/mediatek/sepolicy/basic/non_plat/suproce.te

add system/extras/su/su

add system/extras/su/suproce.sh

1. Make process names visible in the Android Studio Logcat by changing ro.adb.secure and ro.secure

P.S. This step is not required; it only makes the process pid and package name visible in logcat, and makes USB debugging authorized by default so the authorization dialog no longer appears.

build/make/core/main.mk

tags_to_install :=

 ifneq (,$(user_variant))

   # Target is secure in user builds.

-  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1

+  # ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1

+  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0

   ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1

   ifeq ($(user_variant),user)

-    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1

+    # ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1

+    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0

   endif

   ifeq ($(user_variant),userdebug)
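Review bot: changing ro.secure and ro.adb.secure to 0 in the user variant removes the two properties that separate a user build from a debuggable one: adbd no longer drops root, and ADB key authentication (the USB debugging approval dialog) is skipped, so anything connected to the USB port gets an unauthenticated root shell. If the aim is only readable process names in Logcat, keep both at 1 and use a userdebug image for development, or gate these lines behind a build variable so a release image can never be built with them.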

@@ -251,7 +253,7 @@ ifneq (,$(user_variant))

     tags_to_install += debug

   else

     # Disable debugging in plain user builds.

-    enable_target_debugging :=

+    # enable_target_debugging :=

   endif

   # Disallow mock locations by default for user builds
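Review bot: commenting out `enable_target_debugging :=` means the variable is no longer cleared in the else branch (the comment above it says "Disable debugging in plain user builds"), so whatever main.mk enables from that variable for userdebug now applies to the user image too. Since the text calls step 1 optional, this line at least should stay as it was; it has nothing to do with process names in Logcat.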

2. Change SELinux to permissive

This cannot be changed: after the change the system does not boot once flashed.

Following the earlier approach, having IsEnforcing in system/core/init/selinux.cpp return false directly produces the following serial log: security_setenforce(false) failed: Invalid argument

[ 4.303004] <5>.(5)[1:init]init: Loading SELinux policy

[ 4.373219] <2>.(2)[1:init]SELinux: policy capability network_peer_controls=1

[ 4.374141] <2>.(2)[1:init]SELinux: policy capability open_perms=1

[ 4.374930] <2>.(2)[1:init]SELinux: policy capability extended_socket_class=1

[ 4.375838] <2>.(2)[1:init]SELinux: policy capability always_check_network=0

[ 4.376736] <2>.(2)[1:init]SELinux: policy capability cgroup_seclabel=0

[ 4.377604] <2>.(2)[1:init]SELinux: policy capability nnp_nosuid_transition=1

[ 4.472632] <3>.(3)[53:kauditd]audit: type=1403 audit(1262304007.580:2): auid=4294967295 ses=4294967295 lsm=selinux res=1

[ 4.472953] <2>.(2)[1:init]selinux: SELinux: Loaded policy from /vendor/etc/selinux/precompiled_sepolicy

[ 4.475251] <2>.(2)[1:init]selinux:

[ 4.475989] <2>.(2)[1:init]init: security_setenforce(false) failed: Invalid argument

[ 4.478040] <2>.(2)[1:init]init: InitFatalReboot: signal 6

ass=dir permissive=0

if (security_setenforce(is_enforcing)) {

PLOG(FATAL) << "security_setenforce(" << (is_enforcing ? "true" : "false") << ") failed";

}

The device goes straight into fastboot mode; clearly, in user mode turning SELinux off is not allowed.

Tracking this down took a whole morning. Let's leave SELinux alone; whenever a permission is missing later, just add it to the .te file.
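The settings that steps 1 and 2 change (and the bootloader and verity state that the next step turns off) are all visible in a plain `adb shell getprop` dump, which makes them easy to audit on a device that comes back from the lab. The following script is an added example, not code from the original post: it parses a getprop dump and reports every property that differs from what a hardened user build should show. The property names are standard Android system properties; both dumps in the script are constructed samples, not output from a real device.

```python
"""Audit a `getprop` dump for the user-build weakenings described above.

Added example (not code from the original post): it checks the settings that
steps 1-3 change or that change as a result of them. Property names are
standard Android system properties; both dumps below are constructed."""
import re

# Constructed: what `adb shell getprop` could show on a device built with
# ro.secure=0 / ro.adb.secure=0, an unlocked bootloader and verity disabled.
WEAKENED_GETPROP = """\
[ro.build.type]: [user]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[ro.debuggable]: [1]
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]
[ro.boot.selinux]: [enforcing]
[sys.boot_completed]: [1]
"""

# Constructed: the same properties on a stock user build.
STOCK_GETPROP = """\
[ro.build.type]: [user]
[ro.secure]: [1]
[ro.adb.secure]: [1]
[ro.debuggable]: [0]
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]
[sys.boot_completed]: [1]
"""

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# (property, value expected on a hardened user device, user-build-only check, meaning of a deviation)
EXPECTATIONS = [
    ("ro.secure", "1", True, "adbd keeps root instead of dropping to the shell user"),
    ("ro.adb.secure", "1", True, "ADB key authentication (USB debugging prompt) is disabled"),
    ("ro.debuggable", "0", True, "image reports itself as debuggable"),
    ("ro.boot.flash.locked", "1", False, "bootloader is unlocked, fastboot flashing is allowed"),
    ("ro.boot.verifiedbootstate", "green", False, "verified boot cannot vouch for the OS image"),
    ("ro.boot.veritymode", "enforcing", False, "dm-verity is not enforcing partition integrity"),
    ("ro.boot.selinux", "enforcing", False, "kernel was booted with SELinux permissive"),
]


def parse_getprop(text):
    """Turn `getprop` output into a dict; lines that do not match are skipped."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def audit_props(props):
    """Return [(property, actual value, finding)] for each weakened setting.

    The ro.secure/ro.adb.secure/ro.debuggable checks apply to user builds only,
    since userdebug and eng builds legitimately set them the other way. A
    property that is absent is not reported: most devices never set
    ro.boot.selinux, and its absence means init used its default."""
    findings = []
    is_user_build = props.get("ro.build.type") == "user"
    for key, expected, user_only, why in EXPECTATIONS:
        if user_only and not is_user_build:
            continue
        actual = props.get(key)
        if actual is not None and actual != expected:
            findings.append((key, actual, why))
    return findings


if __name__ == "__main__":
    for key, actual, why in audit_props(parse_getprop(WEAKENED_GETPROP)):
        print(f"{key}={actual}: {why}")
```

Run it against a saved dump with `adb shell getprop > props.txt` and `parse_getprop(open("props.txt").read())`; an empty result from audit_props is what a release device should produce.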

3. Turn off DM-verity

vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/tcl98/tcl98.mk

TARGET=tcl98

 MTK_PLATFORM=MT6771

 MTK_SEC_CHIP_SUPPORT=yes

-MTK_SEC_USBDL=ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP

-MTK_SEC_BOOT=ATTR_SBOOT_ENABLE

+MTK_SEC_USBDL=ATTR_SUSBDL_DISABLE

+MTK_SEC_BOOT=ATTR_SBOOT_DISABLE

 MTK_SEC_MODEM_AUTH=no

 MTK_SEC_SECRO_AC_SUPPORT=yes

 # Platform
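Review bot: ATTR_SBOOT_DISABLE and ATTR_SUSBDL_DISABLE disable the preloader's secure boot and secure USB download checks, which is a much wider change than the "turn off DM-verity" heading suggests: the chip will accept unsigned bootloader images and unsigned downloads over USB. This belongs in a dedicated test configuration, never in the product's default tcl98.mk, and the heading should say what is actually being disabled.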

4. Add the su pieces to provide apk root permission

For an apk to obtain root, a su binary must be built in. Following the earlier 8.1 approach, a script is run from init.rc when boot_completed fires.

The command that runs the script at boot can be added directly to system/core/rootdir/init.rc

Whether the boot script ran successfully can be checked by capturing init's log with adb shell dmesg > dmesg.txt and searching it for errors or missing permissions.
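To make that dmesg check mechanical, here is an added example (not code from the post) that pulls SELinux avc denials and init service exit records out of a captured log and maps each service that exited non-zero to the enforced denials logged for its domain. It assumes, as holds for this post's suproce service, that the service name and its SELinux domain coincide (suproce / u:r:suproce:s0). The sample lines are constructed in the format of the serial log quoted above and of standard avc denial and init exit messages; they are not output from a real device.

```python
"""Triage a captured dmesg for the boot-script check described above.

Added example, not code from the original post. Assumption (true for the
post's suproce service): an init service's name equals its SELinux domain.
The log lines below are constructed in the format of the post's serial log
and of standard avc denial / init exit messages."""
import re

SAMPLE_DMESG = """\
[    4.303004] <5>.(5)[1:init]init: Loading SELinux policy
[   31.120001] <2>.(2)[1:init]init: starting service 'suproce'...
[   31.130456] <1>.(1)[412:suproce.sh]type=1400 audit(1262304034.130:7): avc: denied { remount } for pid=412 comm="mount" scontext=u:r:suproce:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
[   31.131000] <1>.(1)[412:suproce.sh]type=1400 audit(1262304034.131:8): avc: denied { setattr } for pid=412 comm="chmod" path="/system/bin/su" dev="dm-0" ino=1337 scontext=u:r:suproce:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
[   31.140000] <2>.(2)[1:init]init: Service 'suproce' (pid 412) exited with status 1 oneshot service took 0.020000 seconds in background
"""

AVC_DENIED = re.compile(
    r"avc: +denied +\{ (?P<perms>[^}]*)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])")
SERVICE_EXIT = re.compile(
    r"init: Service '(?P<name>[^']+)' \(pid (?P<pid>\d+)\) exited with status (?P<status>\d+)")


def context_type(ctx):
    """Third field of a context: u:r:suproce:s0 -> suproce, u:object_r:system_file:s0 -> system_file."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per avc denial: source domain, target type, class, perms, enforced."""
    denials = []
    for line in text.splitlines():
        m = AVC_DENIED.search(line)
        if m:
            denials.append({
                "source": context_type(m.group("scontext")),
                "target": context_type(m.group("tcontext")),
                "tclass": m.group("tclass"),
                "perms": m.group("perms").split(),
                "enforced": m.group("permissive") == "0",  # denied for real, not merely logged
            })
    return denials


def parse_service_exits(text):
    """Return (service name, pid, exit status) for every init exit record."""
    exits = []
    for line in text.splitlines():
        m = SERVICE_EXIT.search(line)
        if m:
            exits.append((m.group("name"), int(m.group("pid")), int(m.group("status"))))
    return exits


def explain_failed_services(text):
    """Map each service that exited non-zero to the enforced denials of its domain.

    Relies on the assumption above (service name == domain name). An empty list
    for a service means it failed for a reason other than SELinux."""
    denials = parse_avc_denials(text)
    report = {}
    for name, _pid, status in parse_service_exits(text):
        if status != 0:
            report[name] = [d for d in denials if d["source"] == name and d["enforced"]]
    return report


if __name__ == "__main__":
    for service, related in explain_failed_services(SAMPLE_DMESG).items():
        print(service, "failed;", len(related), "enforced denial(s)")
        for d in related:
            print("  ", d["source"], "->", d["target"], d["tclass"], d["perms"])
```

Feed it the dmesg.txt captured above; each (source, target, tclass, perms) tuple it prints is exactly the information a reviewer needs to judge whether a proposed .te addition is the narrowest rule that fixes the failure.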

When boot_completed is reached, start suproce

system/core/rootdir/init.rc

class_reset main

+service suproce  /system/bin/suproce.sh

+    class main

+    user root

+    group root

+    oneshot

+    seclabel u:object_r:suproce_exec:s0

+

+

 on property:sys.boot_completed=1

+    start suproce

     bootchart stop
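Review bot: the suproce service runs as user root / group root on every boot, and the script it launches remounts /system read-write and sets the setuid bit on su, so this is a root-at-boot hook baked into the system image. Keep `oneshot` so it never respawns, consider gating `start suproce` on a test-only property rather than on `sys.boot_completed=1` alone, and make sure the service cannot be reached by any image that is meant to ship.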

system/extras/su/suproce.sh

#!/system/bin/sh

mount -o rw,remount /system

chmod 06755 su

su --daemon

echo "su daemon done."

device/mediatek/sepolicy/basic/non_plat/file_contexts

#hidl process merging

 /(system\/vendor|vendor)/bin/hw/merged_hal_service          u:object_r:merged_hal_service_exec:s0

+

+#suproce

+/system/bin/suproce.sh          u:object_r:suproce_exec:s0
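Review bot: the new file_contexts entry labels the script suproce_exec, but a label only restricts execution if the domain policy says who may execute it: the commented-out `allow shell suproce_exec:file { read open getattr execute };` in suproce.te shows that shell execution was at least considered, and nothing here pins it down. Keep the policy so that only init (via init_daemon_domain) can run the script, and leave the shell and app allow rules out.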

The syntax here has changed: suproce.te must include system_file_type, otherwise the build fails with:

out/target/product/k62v1_64_bsp/obj/ETC/sepolicy_tests_intermediates/sepolicy_tests )"

The following types on /system/ must be associated with the "system_file_type" attribute: suproce_exec

checkpolicy:  error(s) encountered while parsing configuration

device/mediatek/sepolicy/basic/non_plat/suproce.te

type suproce, coredomain;

#type suproce_exec, exec_type, vendor_file_type, file_type;

type  suproce_exec, exec_type, file_type, system_file_type;

# permissive suproce;

# allow shell suproce_exec:file { read open getattr execute };

init_daemon_domain(suproce);

After that change the build continues and a new error appears: user builds do not allow permissive domains

[ 19% 1135/5824] build out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy

FAILED: out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy

/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp permissive > out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ) && (if [ \"user\" = \"user\" -a -s out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ]; then echo \"==========\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy )"

device/mediatek/sepolicy/bsp/plat_private/untrusted_app_all.te:7:WARNING 'unrecognized character' at token '' on line 53889:

# Purpose: Make app can get phoneEx

Comment out the exit 1 in the following file

system/sepolicy/Android.mk

@@ -518,7 +518,7 @@ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/se

                echo "ERROR: permissive domains not allowed in user builds" 1>&2;

                echo "List of invalid domains:" 1>&2;

                cat $@.permissivedomains 1>&2;

-               exit 1;

+               # exit 1;

                fi

        $(hide) mv $@.tmp $@

@@ -562,7 +562,7 @@ $(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpo

                echo "ERROR: permissive domains not allowed in user builds" 1>&2;

                echo "List of invalid domains:" 1>&2;

                cat $@.permissivedomains 1>&2;

-               exit 1;

+               # exit 1;

                fi

        $(hide) mv $@.tmp $@
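Review bot: commenting out `exit 1` in both the platform and the recovery policy targets silences the "permissive domains not allowed in user builds" check, so the build now emits a user sepolicy that may contain permissive domains with nothing but a log message. The suproce.te shown above ends up with `permissive suproce;` commented out, so the check no longer needs to be bypassed; restore `exit 1` so that any future permissive domain still fails the user build.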

Rebuild, and it errors out again. Damn it, what now? Line 335 of system/sepolicy/public/domain.te performs a permission check:
libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11735 of policy.conf) violated by allow aee_aed suproce_exec:file { ioctl };

libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11735 of policy.conf) violated by allow crash_dump suproce_exec:file { ioctl };

libsepol.check_assertions: 2 neverallow failures occurred

Error while expanding policy

libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11642 of policy.conf) violated by allow aee_aed suproce_exec:file { ioctl };

libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11642 of policy.conf) violated by allow crash_dump suproce_exec:file { ioctl };

libsepol.check_assertions: 2 neverallow failures occurred

Error while expanding policy
system/sepolicy/public/domain.te
system/sepolicy/prebuilts/api/30.0/public/domain.te
# All ioctls on file-like objects (except chr_file and blk_file) and

# sockets must be restricted to a whitelist.

# neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };

Simply comment out the line neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; it has to be commented out in both files, though.

I first tried, following the exclusion pattern, to exclude aee_aed and crash_dump with the - syntax, but that only raised other errors (oh, the pain)

neverallowxperm { -aee_aed -crash_dump } :{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; does not work
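The libsepol lines above are easier to act on as structured records. The following parser is an added example, not code from the post or from AOSP: it extracts the violated neverallow rule (file and line), the source domain, target type, class and permissions from each violation line, reconciles them with the "N neverallow failures occurred" summary, and flags whether the violated rule lives under system/sepolicy/public, where the neverallow rules are the ones CTS enforces on shipping devices. The two sample violation lines are the post's own; the regular expressions are written to that message format.

```python
"""Parse libsepol neverallow failures from a sepolicy build log.

Added example, not code from the original post or from AOSP. The two
violation lines in SAMPLE_LOG are the ones quoted in the post; the regular
expressions follow the message format they show."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11735 of policy.conf) violated by allow aee_aed suproce_exec:file { ioctl };
libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11735 of policy.conf) violated by allow crash_dump suproce_exec:file { ioctl };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
"""

VIOLATION = re.compile(
    r"(?P<kind>neverallow(?:xperm)?) on line (?P<line>\d+) of (?P<file>\S+) "
    r"\(or line (?P<conf_line>\d+) of policy\.conf\) violated by "
    r"allow (?P<source>\S+) (?P<target>\S+):(?P<cls>\S+) \{ (?P<perms>[^}]*)\};")
FAILURE_COUNT = re.compile(r"(?P<n>\d+) neverallow failures? occurred")


def parse_neverallow_log(text):
    """Return (violations, reported_count).

    violations: list of dicts with kind, file, line, conf_line, source, target,
    cls and perms. reported_count: N from 'N neverallow failures occurred',
    or None if libsepol printed no summary."""
    violations = []
    reported = None
    for raw in text.splitlines():
        m = VIOLATION.search(raw)
        if m:
            record = m.groupdict()
            record["line"] = int(record["line"])
            record["conf_line"] = int(record["conf_line"])
            record["perms"] = record["perms"].split()
            violations.append(record)
            continue
        c = FAILURE_COUNT.search(raw)
        if c:
            reported = int(c.group("n"))
    return violations, reported


def group_by_rule(violations):
    """Group violations by the neverallow rule (file, line, kind) they break.

    One rule hit by several source domains, as in the post, points at the
    new type (suproce_exec) being reachable from domains it should not be;
    the fix belongs with the new type, not with the public rule."""
    grouped = defaultdict(list)
    for v in violations:
        key = (v["file"], v["line"], v["kind"])
        grouped[key].append((v["source"], v["target"], v["cls"], tuple(v["perms"])))
    return dict(grouped)


def touches_public_policy(violations):
    """True if any violated rule is in system/sepolicy/public/: those neverallow
    rules are enforced by CTS, so editing them out of the policy (as the post
    does) produces an image that fails the SELinux CTS tests."""
    return any(v["file"].startswith("system/sepolicy/public/") for v in violations)


if __name__ == "__main__":
    found, count = parse_neverallow_log(SAMPLE_LOG)
    print(f"{len(found)} violations parsed, libsepol reported {count}")
    for rule, hits in group_by_rule(found).items():
        print(rule, "->", hits)
    print("public policy affected:", touches_public_policy(found))
```

A useful build-gate use of this: feed it the captured build log and fail the job when touches_public_policy is true or when the parsed count disagrees with libsepol's reported count, which indicates a message format this parser does not know.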

Copy the su binary and the boot script suproce.sh into the system/bin directory

device/mediateksample/tcl98/device.mk

@@ -19,6 +19,11 @@ PRODUCT_COPY_FILES += $(LOCAL_PATH)/sbk-kpd.kl:system/usr/keylayout/sbk-kpd.kl:m

                       $(LOCAL_PATH)/sbk-kpd.kcm:system/usr/keychars/sbk-kpd.kcm:mtk

 endif

+PRODUCT_COPY_FILES +=

+       system/extras/su/su:system/bin/su

+       system/extras/su/suproce.sh:system/bin/suproce.sh

+
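Review bot: PRODUCT_COPY_FILES copies a prebuilt su binary into /system/bin without recording where it came from or its checksum, and the copy is unconditional, so every variant of this product ships it. At minimum pin the binary's hash in the tree (or build su from source) and restrict the copy to the test build that actually needs it.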

Give the su file its permissions

system/core/libcutils/fs_config.cpp

@@ -166,7 +168,9 @@ static const struct fs_path_config android_files[] = {

     // the following two files are INTENTIONALLY set-uid, but they

     // are NOT included on user builds.

     { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/procmem" },

-    { 04750, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },

+    { 06755, AID_ROOT,      AID_SHELL,     0, "system/bin/su" },

     // the following files have enhanced capabilities and ARE included

     // in user builds.
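Review bot: the comment two lines above says these set-uid entries are NOT included on user builds, and the original rule was 04750 with group AID_SHELL on system/xbin/su (setuid, executable only by root and shell); the new 06755 on system/bin/su is setuid+setgid root and world-executable, so every UID on the device, including untrusted apps, can run it. If only adb shell is meant to become root, keep 04750/AID_SHELL, and update the comment to record the deliberate deviation.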

5. Unlock fastboot and turn off verity (as needed)


system/core/adb/Android.bp

@@ -76,7 +76,15 @@ cc_defaults {

cc_defaults {

    name: "adbd_defaults",

    defaults: ["adb_defaults"],

-   cflags: ["-UADB_HOST", "-DADB_HOST=0"],

+    //cflags: ["-UADB_HOST", "-DADB_HOST=0"],

+    cflags: [

+        "-UADB_HOST",

+        "-DADB_HOST=0",

+        "-UALLOW_ADBD_ROOT",

+        "-DALLOW_ADBD_ROOT=1",

+        "-DALLOW_ADBD_DISABLE_VERITY",

+        "-DALLOW_ADBD_NO_AUTH",

    ],

}

cc_library {

    name: "libadbd_services",

    defaults: ["adbd_defaults", "host_adbd_supported"],

    recovery_available: true,

    compile_multilib: "both",

....

+  required: [ "remount",],

    target: {

        android: {

            srcs: [

                "daemon/abb_service.cpp",
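Review bot: -DALLOW_ADBD_NO_AUTH and -DALLOW_ADBD_ROOT=1 are the defines that normally only reach debuggable builds; added to adbd_defaults they apply to every product built from this tree, and together with ro.adb.secure=0 from step 1 they produce an adbd that accepts unauthenticated connections and keeps root. Put them under a product_variables { debuggable: { ... } } block (the pattern fs_mgr's Android.bp already uses below) rather than in the unconditional cflags, so release images keep the authenticated, unprivileged adbd.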

system/core/adb/daemon/main.cpp

static void drop_privileges(int server_port) {

    ScopedMinijail jail(minijail_new());

    // Add extra groups:

    // AID_ADB to access the USB driver

    // AID_LOG to read system logs (adb logcat)

    // AID_INPUT to diagnose input issues (getevent)

    // AID_INET to diagnose network issues (ping)

    // AID_NET_BT and AID_NET_BT_ADMIN to diagnose bluetooth (hcidump)

    // AID_SDCARD_R to allow reading from the SD card

    // AID_SDCARD_RW to allow writing to the SD card

    // AID_NET_BW_STATS to read out qtaguid statistics

    // AID_READPROC for reading /proc entries across UID boundaries

    // AID_UHID for using 'hid' command to read/write to /dev/uhid

    gid_t groups[] = {AID_ADB,          AID_LOG,          AID_INPUT,    AID_INET,

                      AID_NET_BT,       AID_NET_BT_ADMIN, AID_SDCARD_R, AID_SDCARD_RW,

                      AID_NET_BW_STATS, AID_READPROC,     AID_UHID};

    minijail_set_supplementary_gids(jail.get(), arraysize(groups), groups);

    // Don't listen on a port (default 5037) if running in secure mode.

    // Don't run as root if running in secure mode.

    if (should_drop_privileges()) {

-const bool should_drop_caps = !__android_log_is_debuggable();

        +//const bool should_drop_caps = !__android_log_is_debuggable();

        +const bool should_drop_caps = false;

        if (should_drop_caps) {

            minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID));

        }
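Review bot: hard-coding `should_drop_caps = false` keeps adbd's full capability set even when __android_log_is_debuggable() is false, i.e. on a non-debuggable user build; the original expression tied the capability drop to the build's debuggable state on purpose. Keep the original condition and make the test image debuggable instead, which leaves minijail_use_caps limiting adbd to CAP_SETUID/CAP_SETGID on release images. The added lines are also indented differently from the removed one, which suggests the patch was edited by hand.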

system/core/fs_mgr/Android.bp

+++ b/alps/system/core/fs_mgr/Android.bp

@@ -76,7 +76,8 @@ 

cc_defaults {

    name: "libfs_mgr_defaults",

    defaults: ["fs_mgr_defaults"],

.......

         "libfstab",

     ],

     cppflags: [

-        "-DALLOW_ADBD_DISABLE_VERITY=0",

+        "-UALLOW_ADBD_DISABLE_VERITY",

+        "-DALLOW_ADBD_DISABLE_VERITY=1",

     ],

     product_variables: {

         debuggable: {

@@ -133,7 +134,8 @@ 

cc_binary {

    name: "remount",

    defaults: ["fs_mgr_defaults"],

    static_libs: [

.....

     cppflags: [

-        "-DALLOW_ADBD_DISABLE_VERITY=0",

+        "-UALLOW_ADBD_DISABLE_VERITY",

+        "-DALLOW_ADBD_DISABLE_VERITY=1",

     ],

     product_variables: {

         debuggable: {
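Review bot: both libfs_mgr_defaults and the remount binary now get ALLOW_ADBD_DISABLE_VERITY=1 in their unconditional cppflags, while the product_variables { debuggable: { ... } } block that follows each hunk is where this override belongs; setting it there keeps verity enforcement on user images unless the product is explicitly built debuggable.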

Enable overlayfs on the user build so that the partitions targeted by remount can be mounted

system/sepolicy/Android.mk

@@ -1104,7 +1104,8 @@ endif

 ifneq ($(filter address,$(SANITIZE_TARGET)),)

   local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))

 endif

-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))

+ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT)))

   local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))

 endif

 ifeq ($(TARGET_FLATTEN_APEX),true)
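Review bot: adding `user` to the variant filter ships file_contexts_overlayfs in the user policy, so the labels needed for writable overlays of /system now exist on release images as well. This is only acceptable if the rest of the change set stays confined to test builds; otherwise keep the original userdebug/eng filter.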

@@ -1166,7 +1167,9 @@ file_contexts.device.tmp :=

 file_contexts.local.tmp :=


system/sepolicy/definitions.mk

+++ b/alps/system/sepolicy/definitions.mk

@@ -1,10 +1,11 @@

 # Command to turn collection of policy files into a policy.conf file to be

 # processed by checkpolicy

 define transform-policy-to-conf

 @mkdir -p $(dir $@)

 $(hide) m4 --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS)

        -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS)

-       -D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT)

+       -D target_build_variant=eng

        -D target_with_dexpreopt=$(WITH_DEXPREOPT)

        -D target_arch=$(PRIVATE_TGT_ARCH)
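Review bot: `-D target_build_variant=eng` hard-codes the m4 variant for every build, so every userdebug_or_eng(...) rule in the policy is compiled into the user image and the compiled policy no longer reflects the real TARGET_BUILD_VARIANT. That widens the user policy far beyond what suproce needs; add the specific allow rules suproce requires to suproce.te and leave this line as it was.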

6. Enable OEM unlock by default and remove the OEM unlock warning


Enable the OEM unlock option by default

frameworks/base/services/usb/java/com/android/server/usb/UsbDeviceManager.java

+++ b/alps/frameworks/base/services/usb/java/com/android/server/usb/UsbDeviceManager.java

@@ -995,6 +995,10 @@ public class UsbDeviceManager implements ActivityTaskManagerInternal.ScreenObser

         }

         protected void finishBoot() {

+            android.service.oemlock.OemLockManager mOemLockManager 

+            = (android.service.oemlock.OemLockManager) mContext.getSystemService(Context.OEM_LOCK_SERVICE);

+            mOemLockManager.setOemUnlockAllowedByUser(true);

+

             if (mBootCompleted && mCurrentUsbFunctionsReceived && mSystemReady) {

                 if (mPendingBootBroadcast) {

                     updateUsbStateBroadcastIfNeeded(getAppliedFunctions(mCurrentFunctions));
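Review bot: calling setOemUnlockAllowedByUser(true) unconditionally in finishBoot() switches the "OEM unlocking" developer toggle on at every boot for every user, removing the user's ability to keep the bootloader locked (that toggle is the on-device opt-in that `fastboot flashing unlock` depends on). getSystemService can also return null when no oemlock HAL is present, so at least null-check the result, and drop the m-prefix from what is a local variable, not a field.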

Remove the warning text Your device has been unlocked and can't be trusted that appears on every boot after OEM unlock

vendor/mediatek/proprietary/bootable/bootloader/lk/platform/common/boot/vboot_state.c

@@ -133,9 +133,10 @@ int orange_state_warning(void)

        video_clean_screen();

        video_set_cursor(video_get_rows() / 2, 0);

-       video_printf(title_msg);

-       video_printf("Your device has been unlocked and can't be trusted\n");

-       video_printf("Your device will boot in 5 seconds\n");

+       // video_printf(title_msg);

+       // video_printf("Your device has been unlocked and can't be trusted\n");

+       // video_printf("Your device will boot in 5 seconds\n");

        mtk_wdt_restart();

        mdelay(5000);

        mtk_wdt_restart();
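Review bot: deleting the three video_printf calls removes the only on-device notice of the orange (unlocked) verified-boot state while keeping the 5-second delay, so the user of an unlocked device is never told that the OS image is unverified. If a test lab needs the screen quiet, guard the messages with a build flag rather than removing them for every image.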

The build succeeds; after reflashing, running the commands gives the following

C:> adb root

adbd is already running as root

C:> adb remount

/system/bin/sh: remount: inaccessible or not found

Damn, the remount command does not exist, is this a joke? No panic: we have an eng build to compare against, and it turns out the remount executable is missing from the out directory after the build. Here it is:

Searching the out directory gives

./symbols/system/bin/remount

./system/bin/remount

./obj/EXECUTABLES/remount_intermediates/remount

whereas it is absent from the user build's out directory, which is why adb remount reports /system/bin/sh: remount: inaccessible or not found

From this we can infer that user builds do not build the remount module at all

Searching the build directory for the keyword remount finds the relevant place

build/make/target/product/base_system.mk

+PRODUCT_PACKAGES +=

+    remount

# Packages included only for eng or userdebug builds, previously debug tagged

PRODUCT_PACKAGES_DEBUG :=

    adb_keys

    arping

    gdbserver

    idlcli

    init-debug.rc

    iotop

    iperf3

    iw

    logpersist.start

    logtagd.rc

    procrank

    remount

    showmap

    sqlite3
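Review bot: `PRODUCT_PACKAGES += remount` adds the remount tool (which disables verity and sets up overlayfs) to every user image built from base_system.mk, whereas its place in PRODUCT_PACKAGES_DEBUG below restricts it to eng/userdebug deliberately. If a test user build needs it, add it from that device's own makefile for that product only, not from the shared base_system.mk.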



As can be seen, remount is listed under PRODUCT_PACKAGES_DEBUG, which user builds do not compile, consistent with the guess; adding it to PRODUCT_PACKAGES above makes it build for user as well.

Rebuild succeeds, reflash, and the remount command now runs; after OEM unlock, remount succeeds.

C:> adb root

adbd is already running as root

C:> adb remount

Skipping /system for remount

Skipping /vendor for remount

Skipping /product for remount

No partitions to remount

remount failed

C:> adb reboot bootloader

C:> fastboot flashing unlock

(bootloader) Start unlock flow

Finished. Total time: 7.568s

C:> fastboot reboot

Rebooting OKAY [ 0.000s]

Finished. Total time: 0.003s

After the unlock succeeds, running remount appears to disable verity automatically

C:> adb remount

Using overlayfs for /system

Disabling verity for /vendor

Using overlayfs for /vendor

Disabling verity for /product

Now reboot your device for settings to take effect

tcl98:/ # cd sys

tcl98:/ # cd syste

system/ system_ext/

tcl98:/ # cd system/system_ext/priv-app/Mt

MtkContacts/ MtkEmergencyInfo/ MtkSettings/ MtkSystemUI/

tcl98:/ # cd system/system_ext/priv-app/MtkSettings/

tcl98:/system/system_ext/priv-app/MtkSettings # ls

MtkSettings.apk

tcl98:/system/system_ext/priv-app/MtkSettings # exit

C:> adb push out\target\product\tcl98\system\system_ext\priv-app\MtkSettings\MtkSettings.apk /system/system_ext/priv-app/MtkSettings

adb: error: failed to copy 'out\target\product\tcl98\system\system_ext\priv-app\MtkSettings\MtkSettings.apk' to '/system/system_ext/priv-app/MtkSettings/MtkSettings.apk': remote couldn't create file: Read-only file system

out\target\product\tcl98\system\syst...ile pushed, 0 skipped. 4.9 MB/s (43420831 bytes in 8.368s)

After remount, one more reboot is needed before push succeeds

C:> adb reboot

C:> adb root

adbd is already running as root

C:> adb remount

Using overlayfs for /system

Now reboot your device for settings to take effect

remount succeeded

C:> adb push out\target\product\tcl98\system\system_ext\priv-app\MtkSettings\MtkSettings.apk /system/system_ext/priv-app/MtkSettings

out\target\product\tcl98\system\syst...ile pushed, 0 skipped. 5.2 MB/s (43420831 bytes in 7.981s)

C:> adb reboot

C:> adb root

adbd is already running as root

C:> adb remount

Using overlayfs for /system

Now reboot your device for settings to take effect

remount succeeded

C:> adb shell

tcl98:/ # rm -r syste

system/ system_ext/

tcl98:/ # rm -r system/system_ext/priv-app/FMRadio/

tcl98:/ # reboot

Done, finally a complete success. Root once and it feels great; root always and it always feels great.

su and apk download


Copyright notice: this article is an original work by CSDN blogger "android UGG", licensed under the CC 4.0 BY-SA licence; when reposting, include a link to the original source and this notice.

Original link: https://blog.csdn.net/u012932409/article/details/114360037


