android 9.0user版本如何开启root，打开su_安卓9root

作者：从前慢现在也慢 | 2024-07-26 09:30:14

踩

安卓9root

在默认情况下，adbd是以uid root的权限启动的。不过它确实还会通过函数drop_privileges()主动把自己降到uid shell : shell，如下：

# /system/core/adb/daemon/main.cpp

static void drop_privileges(int server_port) {
    ScopedMinijail jail(minijail_new());

    // Add extra groups:
    // AID_ADB to access the USB driver
    // AID_LOG to read system logs (adb logcat)
    // AID_INPUT to diagnose input issues (getevent)
    // AID_INET to diagnose network issues (ping)
    // AID_NET_BT and AID_NET_BT_ADMIN to diagnose bluetooth (hcidump)
    // AID_SDCARD_R to allow reading from the SD card
    // AID_SDCARD_RW to allow writing to the SD card
    // AID_NET_BW_STATS to read out qtaguid statistics
    // AID_READPROC for reading /proc entries across UID boundaries
    // AID_UHID for using 'hid' command to read/write to /dev/uhid
    gid_t groups[] = {AID_ADB,          AID_LOG,          AID_INPUT,    AID_INET,
                      AID_NET_BT,       AID_NET_BT_ADMIN, AID_SDCARD_R, AID_SDCARD_RW,
                      AID_NET_BW_STATS, AID_READPROC,     AID_UHID};
    minijail_set_supplementary_gids(jail.get(), arraysize(groups), groups);

    // Don't listen on a port (default 5037) if running in secure mode.
    // Don't run as root if running in secure mode.
    if (should_drop_privileges()) {
        const bool should_drop_caps = should_drop_capabilities_bounding_set();

        if (should_drop_caps) {
            minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID));
        }

        minijail_change_gid(jail.get(), AID_SHELL);
        minijail_change_uid(jail.get(), AID_SHELL);
        // minijail_enter() will abort if any priv-dropping step fails.
        minijail_enter(jail.get());
        ...
}        
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

再看下should_drop_privileges()方法，这个函数来判断是否要降级，返回false就是使用root权限

# /system/core/adb/daemon/main.cpp

static bool should_drop_privileges() {
#if defined(ALLOW_ADBD_ROOT)
    // The properties that affect `adb root` and `adb unroot` are ro.secure and
    // ro.debuggable. In this context the names don't make the expected behavior
    // particularly obvious.
    //
    // ro.debuggable:
    //   Allowed to become root, but not necessarily the default. Set to 1 on
    //   eng and userdebug builds.
    //
    // ro.secure:
    //   Drop privileges by default. Set to 1 on userdebug and user builds.
    bool ro_secure = android::base::GetBoolProperty("ro.secure", true);
    bool ro_debuggable = __android_log_is_debuggable();
     // Drop privileges if ro.secure is set...
    bool drop = ro_secure;

    // ... except "adb root" lets you keep privileges in a debuggable build.
    std::string prop = android::base::GetProperty("service.adb.root", "");
    bool adb_root = (prop == "1");
    bool adb_unroot = (prop == "0");
    if (ro_debuggable && adb_root) {
        drop = false;
    }
    // ... and "adb unroot" lets you explicitly drop privileges.
    if (adb_unroot) {
        drop = true;
    }

    return drop;
#else
    return true; // "adb root" not allowed, always drop privileges.
#endif // ALLOW_ADBD_ROOT
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

1.开启adbd的root的权限

第一种方式
①.修改 /system/core/adb/daemon/main.cpp

static bool should_drop_privileges() {
  // 注释方法内代码,添加如下代码
  std::string prop = android::base::GetProperty("service.adb.root", "");
  if (prop == "1"){
 	  return false;
  }
  return true;
}
1
2
3
4
5
6
7
8

第二种方式
①修改 /build/core/main.mk

## user/userdebug ##

user_variant := $(filter user userdebug,$(TARGET_BUILD_VARIANT))
enable_target_debugging := true
tags_to_install :=
ifneq (,$(user_variant))
  # Target is secure in user builds.
  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
  ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
    ...
将·ro.secure=1 修改为ro.secure=0
1
2
3
4
5
6
7
8
9
10
11

②修改 /system/core/adb/Android.mk

- ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT)))
  LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1
  LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=1
  endif
1
2
3
4
5

2.添加su

①去掉root，shell的判断

# /system/extras/su/su.cpp

int main(int argc, char** argv) {
+    #if 0
     uid_t current_uid = getuid();
     if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
+    #endif
     // Handle -h and --help.
1
2
3
4
5
6
7
8

②修改su权限

# /system/core/rootdir/init.rc

+    chmod 6755 /system/xbin/su
+ 
     # Assume SMP uses shared cpufreq policy for all CPUs
     
# /system/core/libcutils/fs_config.cpp 

-    { 04750, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
+    { 06755, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
1
2
3
4
5
6
7
8
9
10

③修改su模块在所有模式下都编译

# /system/extras/su/Android.mk

- LOCAL_MODULE_TAGS := debug
+ LOCAL_MODULE_TAGS := optional
1
2
3
4

④修改 /frameworks/base/core/jni/com_android_internal_os_Zygote.cpp

 static bool DropCapabilitiesBoundingSet(std::string* error_msg) {
+  #if 0
   for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
    int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
    if (rc == -1) {
      if (errno == EINVAL) {
        ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
              "your kernel is compiled with file capabilities support");
      } else {
        *error_msg = CREATE_ERROR("prctl(PR_CAPBSET_DROP, %d) failed: %s", i, strerror(errno));
        return false;
      }
    }
  }
+ #endif
   return true;
 }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

⑤在device.mk下添加su模块

# /device/mediatek/common/device.mk

PRODUCT_PACKAGES += su
1
2
3

3.关闭selinux

① Android 8.1

  # /system/core/init/init.cpp
 static bool selinux_is_enforcing(void){   
    return false; //add to close selinux
    if (ALLOW_PERMISSIVE_SELINUX) {
        return selinux_status_from_cmdline() == SELINUX_ENFORCING;
    }
    return true;
 }
1
2
3
4
5
6
7
8

② Android 9.0

  # /system/core/init/selinux.cpp
 bool IsEnforcing() {
 	return false; //add to close selinux
  	if (ALLOW_PERMISSIVE_SELINUX) {
    	return StatusFromCmdline() == SELINUX_ENFORCING;
   	}
  	return true;
 }
1
2
3
4
5
6
7
8

最后，app验证su功能

private boolean silentInstall(File apkPath){
        boolean result = false;
        DataOutputStream dataOutputStream = null;
        BufferedReader errorStream = null;
        try {
            Process process = Runtime.getRuntime().exec("su");
            dataOutputStream = new DataOutputStream(process.getOutputStream());
            // 执行pm install命令
            String command = "pm install -r " + apkPath + "\n";
            dataOutputStream.write(command.getBytes(Charset.forName("utf-8")));
            dataOutputStream.flush();
            dataOutputStream.writeBytes("exit\n");
            dataOutputStream.flush();
            process.waitFor();
            errorStream = new BufferedReader(new InputStreamReader(process.getErrorStream()));
            String msg = "";
            String line;
             while ((line = errorStream.readLine()) != null) {
                msg += line;
            }
           
            if (!msg.contains("Failure")) {
                result = true;
            }
        } catch (Exception e) {
            LogUtil.e(" "+ e.getMessage());
        } finally {
        	try {
                if (dataOutputStream != null) {
                    dataOutputStream.close();
                }
                if (errorStream != null) {
                    errorStream.close();
                }
            } catch (IOException e) {
                LogUtil.d("  "+e.getMessage());
            }
        }
        return result;
    }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

本文内容由网友自发贡献，转载请注明出处：https://www.wpsshop.cn/w/从前慢现在也慢/article/detail/884582?site