最近項目需求,要實現一個功能:"Android在user版本的狀態下可以進行燒製system.img 和 可以進行對系統的system/app下面的APK 以及 data/* 下所有的文件進行燒錄".拿到需求之後做了大量的調研,不再一一寫出,只把調研和修改文件寫出來,修改過程中雖然遇到了很多的坑,但功能實現了,爲了不讓別的同學可能再入此坑,在此記錄一下,也方便後期翻閱.
正常的Android debug版本如下可以進行root
$ adb root
adbd is already running as root
$ adb remount
remount succeeded
在開發的過程中遇到了一個比較奇怪的現象 ,如上圖所示,顯示都是成功的,但是就是不能進行 push操作,還有刪除操作. 最後發現是 bootable/bootloader/lk/app/aboot.c 文件進行了讀寫權限限制,修改了 aboot.c 文件之後 fastboot flash aboot emmc_appsboot.mbn,然後燒錄 bootimage之後重燒bootimg才能生效.
本文基於Android7.1 進行修改.
主要修改文件和patch如下:
主要涉及的文件路徑如下:
#device
device/qcom/common/base.mk
device/qcom/msmxxx/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml
device/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml
device/qcom/msmxxx/system.prop
#build
build/core/main.mk
#system
system/core/adb/Android.mk
system/sepolicy/Android.mk
#bootable
bootable/bootloader/lk/app/aboot/aboot.c
將編譯user版本的修改成 0
device/qcom/common/base.mk
--- a/qcom/common/base.mk
+++ b/qcom/common/base.mk
@@ -974,7 +974,7 @@
ifeq ($(TARGET_BUILD_VARIANT),user)
PRODUCT_DEFAULT_PROPERTY_OVERRIDES+= \
- ro.adb.secure=1
+ ro.adb.secure=0
endif
去掉鎖屏和user版上去掉adb授權過程,賦予adb root權限
device/qcom/msmxxx/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml
--- /dev/null
+++ b/qcom/msmxxx/overlay/frameworks/base/packages/SettingsProvider/res/values/defaults.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+ <bool name="def_lockscreen_disabled">true</bool>
+</resources>
device/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml
--- a/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml
+++ b/qcom/msmxxx/overlay/frameworks/base/packages/SystemUI/res/values/config.xml
@@ -23,4 +23,5 @@
<resources>
<!-- string that specifies the package name of SLC[Subsidy Lock Client] -->
<string name="config_slc_package_name" translatable="false">com.rjio.slc</string>
+ <bool name="config_enableKeyguardService">false</bool>
</resources>
添加root權限 和 去掉鎖屏adb授權過程
device/qcom/msmxxx/system.prop
--- a/qcom/msmxxx/system.prop
+++ b/qcom/msmxxx/system.prop
@@ -205,3 +205,4 @@
#zhidao charle
persist.service.bt.a2dp.sink=true
persist.service.bt.hfp.client=true
+ro.lockscreen.disable.default=true
+service.adb.root=1
修改 ro.secure和 security.perf_harden 的值
build/core/main.mk
--- a/core/main.mk
+++ b/core/main.mk
@@ -390,11 +390,11 @@
tags_to_install :=
ifneq (,$(user_variant))
# Target is secure in user builds.
- ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
- ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
+ ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=0
ifeq ($(user_variant),user)
- ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
endif
ifeq ($(user_variant),userdebug)
@@ -402,7 +402,7 @@
tags_to_install += debug
else
# Disable debugging in plain user builds.
- enable_target_debugging :=
+ enable_target_debugging := true
endif
# Disallow mock locations by default for user builds
@@ -426,7 +426,7 @@
INCLUDE_TEST_OTA_KEYS := true
else # !enable_target_debugging
# Target is less debuggable and adbd is off by default
- ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=0
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=1
endif # !enable_target_debugging
## eng ##
修改adb編譯所屬權限
system/core/adb/Android.mk
--- a/core/adb/Android.mk
+++ b/core/adb/Android.mk
@@ -327,12 +327,12 @@
-D_GNU_SOURCE \
-Wno-deprecated-declarations \
-LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)
+LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=1
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+#ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1
LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=1
-endif
+#endif
LOCAL_MODULE := adbd
設置車機重啓之後的 sepolicy 權限
system/sepolicy/Android.mk
--- a/sepolicy/Android.mk
+++ b/sepolicy/Android.mk
@@ -94,7 +94,7 @@
@mkdir -p $(dir $@)
$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
- -D target_build_variant=$(TARGET_BUILD_VARIANT) \
+ -D target_build_variant=eng \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > [email protected]
@@ -108,7 +108,6 @@
echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
echo "List of invalid domains:" 1>&2; \
cat [email protected] 1>&2; \
- exit 1; \
fi
$(hide) mv [email protected] $@
@@ -132,7 +131,7 @@
@mkdir -p $(dir $@)
$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
- -D target_build_variant=$(TARGET_BUILD_VARIANT) \
+ -D target_build_variant=eng \
-D target_recovery=true \
-s $^ > $@
@@ -145,7 +144,6 @@
echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
echo "List of invalid domains:" 1>&2; \
cat [email protected] 1>&2; \
- exit 1; \
fi
$(hide) mv [email protected] $@
到此步驟的時候 連接上adb其實就可以進行adb root和 remount操作了, 但是對 system/ & data/* 文件夾 不可以進行操作.
修改了 aboot.c 文件之後
可以使用 fast 命令 進行刷機操作同時燒錄emmc_appsboot.mbn和bootimg才能生效.
bootable/bootloader/lk/app/aboot/aboot.c
--- a/bootloader/lk/app/aboot/aboot.c
+++ b/bootloader/lk/app/aboot/aboot.c
@@ -845,11 +845,15 @@
#if VERIFIED_BOOT
/* Write protect the device info */
+
+ /*
+
if (!boot_into_recovery && target_build_variant_user() && devinfo_present && mmc_write_protect("devinfo", 1))
{
dprintf(INFO, "Failed to write protect dev info\n");
ASSERT(0);
}
+
+ */
+
#endif
/* Turn off splash screen if enabled */
fastboot刷機命令
adb reboot bootloader
fastboot flash aboot emmc_appsboot.mbn
fastboot flash boot boot.img
fastboot flash cache cache.img
fastboot flash system system.img
fastboot flash userdata userdata.img
fastboot flash recovery recovery.img
fastboot flash persist persist.img
fastboot reboot