前言
相比較 Android8.1 而言,9.0 的 root變得更麻煩了,因爲 9.0 開始 google 啓用 avb(Android Verified Boot)2.0,安全等級又提高了,可看這篇Android P(9.0) userdebug 版本執行adb remount失敗,就連直接編譯 userdebug、eng版本都不能直接 push 了,解決辦法就是得 fastboot 解鎖,然後關閉 verity 方能 adb remount 成功。我嘗試和 8.1 一樣增加開機啓動腳本但並未生效,在這耗費了很長時間,就暫時先跳過吧,解鎖是目前來看可靠可行的方案,如果你有更好的方法歡迎留言討論。
一圖勝千言
修改方案
上面的圖就不用我多說了吧,分別用了 ROOT檢測工具、RE文件管理器測試,只要 root 成功都有明顯的提示,
也可以用 AirDroid 來遠程控制測試是否成功 root。
總共修改 11 個文件,新增 3 個文件,一共 14 個
modified: build/make/core/main.mk
modified: device/mediatek/sepolicy/basic/non_plat/file_contexts
modified: device/mediateksample/k62v1_64_bsp/device.mk
modified: system/core/adb/Android.mk
modified: system/core/init/selinux.cpp
modified: system/core/libcutils/fs_config.cpp
modified: system/core/rootdir/init.rc
modified: vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/sec_unlock.c
modified: vendor/mediatek/proprietary/bootable/bootloader/lk/platform/common/boot/vboot_state.c
modified: vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/k62v1_64_bsp/k62v1_64_bsp.mk
modified: vendor/mediatek/proprietary/hardware/fstab/mt6765/fstab.in.mt6765
add device/mediatek/sepolicy/basic/non_plat/suproce.te
add system/extras/su/su
add system/extras/su/suproce.sh
1、讓進程名稱在 AS Logcat 中可見,通過修改 ro.adb.secure 和 ro.secure
ps:這步不是必須的,目的只是在 logcat 中可見進程 pid 和包名,而且打開 USB 調試時默認授權,不再彈授權框
build/make/core/main.mk
tags_to_install :=
ifneq (,$(user_variant))
# Target is secure in user builds.
- ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
+ # ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
ifeq ($(user_variant),user)
- ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+ # ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
endif
ifeq ($(user_variant),userdebug)
@@ -251,7 +253,7 @@ ifneq (,$(user_variant))
tags_to_install += debug
else
# Disable debugging in plain user builds.
- enable_target_debugging :=
+ # enable_target_debugging :=
endif
# Disallow mock locations by default for user builds
2、修改 SELinux權限爲 Permissive
SELinux 常用狀態有兩個 Permissive 和 Enforcing,通過 adb shell getenforce 可查看當前所處模式
9.0 改到了 selinux.cpp 中
system/core/init/selinux.cpp
bool IsEnforcing() {
+ return false;
if (ALLOW_PERMISSIVE_SELINUX) {
return StatusFromCmdline() == SELINUX_ENFORCING;
}
3、修改 system 分區權限爲可讀寫
Dear customer,開啓完整的root 權限需要開通SELinux 權限,這部分修改無法通過CTS 測試。
我司目前不會提供類似的方案給貴司。目前我們只支持USB adb權限。這是 MTK 的官方回覆。
vendor/mediatek/proprietary/hardware/fstab/mt6765/fstab.in.mt6765
#endif
-DEVPATH(system) SYS_MOUNT_POINT __MTK_SYSIMG_FSTYPE ro FSMGR_FLAG_SYSTEM
+DEVPATH(system) SYS_MOUNT_POINT __MTK_SYSIMG_FSTYPE rw FSMGR_FLAG_SYSTEM
#ifdef __VENDOR_PARTITION_SUPPORT
-DEVPATH(vendor) /vendor __MTK_VNDIMG_FSTYPE ro FSMGR_FLAG_SYSTEM
+DEVPATH(vendor) /vendor __MTK_VNDIMG_FSTYPE rw FSMGR_FLAG_SYSTEM
#endif
#ifdef __ODM_PARTITION_SUPPORT
-DEVPATH(odm) /odm __MTK_ODMIMG_FSTYPE ro FSMGR_FLAG_SYSTEM
+DEVPATH(odm) /odm __MTK_ODMIMG_FSTYPE rw FSMGR_FLAG_SYSTEM
#endif
DEVPATH(userdata) /data __MTK_DATAIMG_FSTYPE FS_FLAG_DATA FSMGR_FLAG_DATA
4、關閉 DM-verity,確保 system 分區真正可讀寫
vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/k62v1_64_bsp/k62v1_64_bsp.mk
TARGET=k62v1_64_bsp
MTK_PLATFORM=MT6765
MTK_SEC_CHIP_SUPPORT=yes
-MTK_SEC_USBDL=ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP
-MTK_SEC_BOOT=ATTR_SBOOT_ENABLE
+MTK_SEC_USBDL=ATTR_SUSBDL_DISABLE
+MTK_SEC_BOOT=ATTR_SBOOT_DISABLE
MTK_SEC_MODEM_AUTH=no
MTK_SEC_SECRO_AC_SUPPORT=yes
# Platform
5、增加 su 相關,確保 apk root 權限
apk 獲取 root 權限,需要內置 su 文件,參考之前 8.1 的做法,在 init.rc 中 boot_completed 時執行腳本
開機執行腳本的命令可直接加在 system/core/rootdir/init.rc
開機腳本執行是否成功,可通過 adb shell dmesg > dmesg.txt 抓取 init 的日誌,搜索是否報錯,或者缺少權限。
ps: 這步我目前並未執行成功,但沒有影響 su 的使用
boot_completed 啓動完成時,start suproce
system/core/rootdir/init.rc
class_reset main
+service suproce /system/bin/sh /system/bin/suproce.sh
+ class main
+ user root
+ group root
+ oneshot
+ seclabel u:object_r:suproce_exec:s0
+
+
on property:sys.boot_completed=1
+ start suproce
bootchart stop
system/extras/su/suproce.sh
#!/system/bin/sh
mount -o rw,remount /system
chmod 06755 su
su --daemon
echo "su daemon done."
此處寫法有變動,不能加 vendor,因爲在 system\sepolicy\public\domain.te 中 1015 行進行了權限檢查,編譯時報錯,這個問題也是困擾了好幾天,各種嘗試後將 file_contexts 中的 vendor 配置去掉編譯通過了。
#line 5
libsepol.report_failure: neverallow on line 1015 of system/sepolicy/public/domain.te (or line 11403 of policy.conf) violated by allow suproce suproce_exec:file { execute };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/k62v1_64_bsp/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
[ 0% 48/41921] ATF build: out/target/product/k62v1_64_bsp/trustzone/ATF_OBJ/debug/bl31.bin
device/mediatek/sepolicy/basic/non_plat/file_contexts
#hidl process merging
/(system\/vendor|vendor)/bin/hw/merged_hal_service u:object_r:merged_hal_service_exec:s0
+
+#suproce
+#/(system\/vendor|vendor)/bin/suproce.sh u:object_r:suproce_exec:s0
+/system\/vendor|vendor)/bin/suproce.sh u:object_r:suproce_exec:s0
device/mediatek/sepolicy/basic/non_plat/suproce.te
type suproce, coredomain;
type suproce_exec, exec_type, vendor_file_type, file_type;
# permissive suproce;
# allow shell suproce_exec:file { read open getattr execute };
init_daemon_domain(suproce);
拷貝 su 文件和開機腳本 suproce.sh 到 system/bin 目錄下
device/mediateksample/k62v1_64_bsp/device.mk
@@ -19,6 +19,11 @@ PRODUCT_COPY_FILES += $(LOCAL_PATH)/sbk-kpd.kl:system/usr/keylayout/sbk-kpd.kl:m
$(LOCAL_PATH)/sbk-kpd.kcm:system/usr/keychars/sbk-kpd.kcm:mtk
endif
+PRODUCT_COPY_FILES += \
+ system/extras/su/su:system/bin/su \
+ system/extras/su/suproce.sh:system/bin/suproce.sh
+
給 su 文件增加權限
system/core/libcutils/fs_config.cpp
@@ -166,7 +168,9 @@ static const struct fs_path_config android_files[] = {
// the following two files are INTENTIONALLY set-uid, but they
// are NOT included on user builds.
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },
- { 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
+ { 06755, AID_ROOT, AID_SHELL, 0, "system/bin/su" },
+ { 06755, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
+ //{ 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
// the following files have enhanced capabilities and ARE included
// in user builds.
6、修改 adb root 權限(需要解鎖 fastboot,並關閉 verity) 按需操作
system/core/adb/Android.mk
@@ -351,9 +351,9 @@ LOCAL_CFLAGS := \
-D_GNU_SOURCE \
-Wno-deprecated-declarations \
-LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)
+LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter user userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT)))
LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1
LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=1
endif
解鎖時可能音量上鍵不生效,那需要進行對調
vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/sec_unlock.c
unlock_warranty();
while (1) {
- if (mtk_detect_key(MT65XX_MENU_SELECT_KEY)) { //VOL_UP
+ //if (mtk_detect_key(MT65XX_MENU_SELECT_KEY)) { //VOL_UP
+ if (mtk_detect_key(MT65XX_MENU_OK_KEY)) { //VOL_DOWN
fastboot_info("Start unlock flow\n");
//Invoke security check after confirming "yes" by user
ret = fastboot_get_unlock_perm(&unlock_allowed);
@@ -374,7 +375,8 @@ void fastboot_oem_unlock(const char *arg, void *data, unsigned sz)
fastboot_okay("");
}
break;
- } else if (mtk_detect_key(MT65XX_MENU_OK_KEY)) { //VOL_DOWN
+ //} else if (mtk_detect_key(MT65XX_MENU_OK_KEY)) { //VOL_DOWN
+ } else if (mtk_detect_key(MT65XX_MENU_SELECT_KEY)) { //VOL_UP
video_printf("return to fastboot in 3s\n");
mdelay(3000);
fastboot_boot_menu();
去除 oem 解鎖後每次開機提示 Your device has been unlocked and can’t be trusted 警告字眼
vendor/mediatek/proprietary/bootable/bootloader/lk/platform/common/boot/vboot_state.c
@@ -133,9 +133,10 @@ int orange_state_warning(void)
video_clean_screen();
video_set_cursor(video_get_rows() / 2, 0);
- video_printf(title_msg);
- video_printf("Your device has been unlocked and can't be trusted\n");
- video_printf("Your device will boot in 5 seconds\n");
+ //20191206 annotaion
+ // video_printf(title_msg);
+ // video_printf("Your device has been unlocked and can't be trusted\n");
+ // video_printf("Your device will boot in 5 seconds\n");
mtk_wdt_restart();
mdelay(5000);
mtk_wdt_restart();
編譯成功重新燒寫,按照 解鎖方法
獲取 adb root 權限。
C:>adb root
C:>adb remount
remount of the / superblock failed: Permission denied
remount failed
C:>adb disable-verity
Device is locked. Please unlock the device first
C:>adb reboot bootloader
C:>fastboot flashing unlock
…
(bootloader) Start unlock flow
OKAY [ 12.394s]
finished. total time: 12.398s
C:>fastboot reboot
rebooting…
finished. total time: 0.003s
C:>adb root
C:>adb disable-verity
Successfully disabled verity
Now reboot your device for settings to take effect
C:>adb reboot
C:>adb root
C:>adb remount
remount succeeded
C:>
好了,終於大功告成,一時 root 一時爽,一直 root 一直爽。
參考文章
Android開機啓動shell腳本(Android 8.0測試OK)
爲 Android 8.0 添加開機啓動腳本
Android系統init進程啓動及init.rc全解析
android文件系統掛載分析(1)—正常開機掛載
Android 8.1 啓動篇(一) – 深入研究 init
SEAndroid
ANDROID權限說明 SYSTEM權限 ROOT權限
Android編譯版本eng、user和userdebug的區別
Android模擬器獲取Root權限
MTK android8.1添加root權限
MTK Android user版本如何打開root權限