Android adb調試問題集錦

1 根據avc log自動生成Android Selinux策略
1.1 生成policy文本文件
1)提取所有的avc log
adb shell "cat /proc/kmsg | grep avc" > avc_log.txt

or

adb shell
dmesg | grep avc > /dev/avc_log.txt
adb pull /dev/avc_log.txt .

2)使用audit2allow直接生成policy(audit2allow只是把每條denial轉成allow規則,生成結果往往比實際需要的權限更寬,合入前應逐條審查)
sudo apt-get install policycoreutils
audit2allow -i avc_log.txt -o output_pol.te

vi output_pol.te

1.2 直接插入到sepolicy文件中
adb shell
dmesg > /dev/kern_msg.txt
adb pull /dev/kern_msg.txt .

cat kern_msg.txt | audit2allow -p out/target/product/<device>/root/sepolicy

2 Architecture
adbd版本號宏:ADB_SERVER_VERSION

Figure 2-1 adb Data Flow


3 添加USB VID到白名單
%HOMEDRIVE%%HOMEPATH%:表示CMD進入後的初始位置

查看環境變量方法:
echo "%HOMEDRIVE%%HOMEPATH%"
echo "%path%"

md "%HOMEDRIVE%%HOMEPATH%\.android"
echo 0xabcd >> "%HOMEDRIVE%%HOMEPATH%\.android\adb_usb.ini"
或者
md "%USERPROFILE%\.android"
echo 0xabcd >> "%USERPROFILE%\.android\adb_usb.ini"

4 adb調試
Windows:
adb kill-server
set ADB_TRACE=all / ADB_TRACE=
adb shell
echo %Temp% --- adb.log文件

Android:
setprop persist.adb.trace_mask all / setprop persist.adb.trace_mask ""
stop adbd
start adbd
logcat | grep adbd

5 編譯Windows版本的adb
1)apt-get install mingw32
2)make USE_MINGW=y adb
3)make USE_MINGW=y fastboot

6 在Makefile中定義字符串傳給C/C++源碼使用
Android.mk定義C/C++字符串宏
https://blog.csdn.net/jymfist/article/details/52840239

在Makefile定義軟件版本傳給C/C++源碼使用
https://blog.csdn.net/fightingtony/article/details/81836349

7 Adb Root Patch
7.1 源代碼修改

diff --git a/adb/Android.mk b/adb/Android.mk
index a815c77..56b66d8 100644
--- a/adb/Android.mk
+++ b/adb/Android.mk
@@ -121,7 +121,7 @@ endif
 LOCAL_CFLAGS := -O2 -g -DADB_HOST=0 -Wall -Wno-unused-parameter -Werror
 LOCAL_CFLAGS += -D_XOPEN_SOURCE -D_GNU_SOURCE
 
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter userdebug eng user,$(TARGET_BUILD_VARIANT)))
 LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=1
 endif
 
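Review bot: With `user` added to the filter on the `ifneq` line, the condition matches every standard TARGET_BUILD_VARIANT, so `-DALLOW_ADBD_ROOT=1` is no longer limited to debug images and the conditional describes a restriction that no longer exists. If root adbd on user builds is meant only for specific internal images, gate it on a dedicated opt-in variable instead, for example `ifeq ($(OEM_ADBD_ROOT),true)` (the variable name is a placeholder), so that a release build does not pick it up by default.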
diff --git a/adb/adb.c b/adb/adb.c
index 4300754..d2aa962 100644
--- a/adb/adb.c
+++ b/adb/adb.c
@@ -1280,7 +1280,7 @@ static int should_drop_privileges() {
             // ... except we allow running as root in userdebug builds if the
             // service.adb.root property has been set by the "adb root" command
             property_get("ro.debuggable", value, "");
-            if (strcmp(value, "1") == 0) {
+            if (1) {//strcmp(value, "1") == 0) {
                 property_get("service.adb.root", value, "");
                 if (strcmp(value, "1") == 0) {
                     secure = 0;
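Review bot: `if (1) {//strcmp(value, "1") == 0) {` removes the `ro.debuggable` gate but leaves the `property_get("ro.debuggable", value, "")` call above it as dead code and the comment "in userdebug builds" stale; after this change `service.adb.root` being "1" is the only condition visible here for staying root. Either delete the dead call and rewrite the comment to say which builds this applies to, or keep the original test and add the new case explicitly, e.g. `if (strcmp(value, "1") == 0 || oem_root_allowed()) {` (the helper name is a placeholder). should_drop_privileges() starts and ends outside the hunk, so the surrounding conditions are not visible.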
diff --git a/adb/services.c b/adb/services.c
index e61371a..cdf68f4 100644
--- a/adb/services.c
+++ b/adb/services.c
@@ -61,6 +61,7 @@ void restart_root_service(int fd, void *cookie)
 {
     char buf[100];
     char value[PROPERTY_VALUE_MAX];
+    const char *oem_pwd = "123456";
 
     if (getuid() == 0) {
         snprintf(buf, sizeof(buf), "adbd is already running as root\n");
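Review bot: `const char *oem_pwd = "123456";` is a fixed credential compiled into adbd: it is the same on every device built from this tree and can be read back from the binary, so it does not restrict root access to the vendor. If a field unlock is required, the secret should not live in the source; a per-device value provisioned at manufacture, or a signed token that adbd verifies, keeps one extracted image from exposing every device. At minimum add a comment on this line such as `/* engineering unlock only; must not ship in user builds */`.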
@@ -68,17 +69,22 @@ void restart_root_service(int fd, void *cookie)
         adb_close(fd);
     } else {
         property_get("ro.debuggable", value, "");
-        if (strcmp(value, "1") != 0) {
+    if ((cookie != NULL) && !strcmp((char *)cookie, oem_pwd)) {
+        property_set("service.adb.root", "1");
+        snprintf(buf, sizeof(buf), "restarting adbd as root\n");
+        writex(fd, buf, strlen(buf));
+        adb_close(fd);
+        } else if (strcmp(value, "1") != 0) {
             snprintf(buf, sizeof(buf), "adbd cannot run as root in production builds\n");
             writex(fd, buf, strlen(buf));
             adb_close(fd);
             return;
-        }
-
-        property_set("service.adb.root", "1");
-        snprintf(buf, sizeof(buf), "restarting adbd as root\n");
-        writex(fd, buf, strlen(buf));
-        adb_close(fd);
+        } else {
+            snprintf(buf, sizeof(buf), "adbd cannot run as root, pwd error\n");
+            writex(fd, buf, strlen(buf));
+            adb_close(fd);
+            return;
+    }
     }
 }
 
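Review bot: The new `if / else if / else` chain tests the password first and sends every non-matching request to an error branch, so on a debuggable build (`ro.debuggable` = "1") a plain `adb root` now ends in "adbd cannot run as root, pwd error" instead of restarting as root; the mismatched indentation of the added lines makes this easy to miss. If debuggable builds are meant to keep their existing behaviour, compute the two conditions separately and reject only when both fail, as in the excerpt below. Failed attempts are neither logged nor limited in the lines shown, which is worth adding wherever the password check ends up.
```c
        property_get("ro.debuggable", value, "");
        int debuggable = (strcmp(value, "1") == 0);
        int pwd_ok = (cookie != NULL) && !strcmp((char *)cookie, oem_pwd);

        if (!debuggable && !pwd_ok) {
            snprintf(buf, sizeof(buf), "adbd cannot run as root in production builds\n");
            writex(fd, buf, strlen(buf));
            adb_close(fd);
            return;
        }
        /* … unchanged: property_set("service.adb.root", "1") and the "restarting adbd as root" reply … */
```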
@@ -434,7 +440,7 @@ int service_to_fd(const char *name)
         if (arg == NULL) return -1;
         ret = create_service_thread(reboot_service, arg);
     } else if(!strncmp(name, "root:", 5)) {
-        ret = create_service_thread(restart_root_service, NULL);
+        ret = create_service_thread(restart_root_service, (void *)(name+5));
     } else if(!strncmp(name, "backup:", 7)) {
         char* arg = strdup(name + 7);
         if (arg == NULL) return -1;
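Review bot: `(void *)(name+5)` hands the service thread a pointer into `name` and casts away its `const`, whereas the `backup:` branch directly below passes a `strdup` copy; whether `name` is still valid when restart_root_service() runs on the new thread is not visible in this hunk, so this is a possible use-after-free. Following the neighbouring branches would be `char* arg = strdup(name + 5);`, `if (arg == NULL) return -1;` and `ret = create_service_thread(restart_root_service, arg);`, with restart_root_service() freeing the cookie on every return path.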
diff --git a/adb/sockets.c b/adb/sockets.c
index faa9564..6e0a32e 100644
--- a/adb/sockets.c
+++ b/adb/sockets.c
@@ -455,7 +455,7 @@ asocket *create_local_service_socket(const char *name)
         property_get("ro.debuggable", debug, "");
 
     if ((!strncmp(name, "root:", 5) && getuid() != 0
-        && strcmp(debug, "1") == 0)
+        /*&& strcmp(debug, "1") == 0*/)
         || !strncmp(name, "usb:", 4)
         || !strncmp(name, "tcpip:", 6)) {
         D("LS(%d): enabling exit_on_close\n", s->id);
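Review bot: With the `ro.debuggable` term commented out inside the condition (`/*&& strcmp(debug, "1") == 0*/)`), every `root:` request from a non-root adbd takes the exit_on_close branch, including requests that restart_root_service() rejects for a wrong password. If exit_on_close does what its name suggests, a rejected request would still end the adbd process when the socket closes and drop other sessions; that should be confirmed against the rest of the file. Delete the term rather than leaving it commented out, and say in a comment why the branch is now unconditional. The function continues outside the hunk.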

7.2 sepolicy修改

diff --git a/adbd.te b/adbd.te
index 5fcaf69..0ed7649 100644
--- a/adbd.te
+++ b/adbd.te
@@ -2,10 +2,10 @@
 # it lives in the rootfs and has no unique file type.
 type adbd, domain;
 
-userdebug_or_eng(`
+#userdebug_or_eng(`
   allow adbd self:process setcurrent;
   allow adbd su:process dyntransition;
-')
+#')
 
 domain_auto_trans(adbd, shell_exec, shell)
 
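Review bot: Commenting out the `userdebug_or_eng(` wrapper makes `allow adbd su:process dyntransition;` unconditional, and the su.te hunks below do the same for the whole `su` domain, so the policy for user builds now contains the su domain and a transition into it from adbd. The comment kept in su.te ("wrapped to ensure that it does not exist at all on -user builds") is no longer true and should be rewritten to describe the new intent. Prefer deleting the wrapper lines over leaving `#userdebug_or_eng(` and `#')` behind, and add a comment stating which builds this policy is for.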
@@ -74,3 +74,5 @@ allow adbd zygote_exec:file r_file_perms;
 allow adbd system_file:file r_file_perms;
 
 allow adbd kernel:security read_policy;
+
+allow adbd init:process sigchld;
diff --git a/su.te b/su.te
index 73ca514..3c1801c 100644
--- a/su.te
+++ b/su.te
@@ -1,7 +1,7 @@
 # File types must be defined for file_contexts.
 type su_exec, exec_type, file_type;
 
-userdebug_or_eng(`
+#userdebug_or_eng(`
   # Domain used for su processes, as well as for adbd and adb shell
   # after performing an adb root command.  The domain definition is
   # wrapped to ensure that it does not exist at all on -user builds.
@@ -41,4 +41,4 @@ userdebug_or_eng(`
   dontaudit su domain:peer *;
   dontaudit su domain:binder *;
   dontaudit su property_type:property_service *;
-')
+#')

8 Android 8.0 adb device keeps unauthorized after authorization
1) Phone: Check whether you have a file called adb_keys located at:  
    /data/misc/adb/adb_keys. If you have it, I would recommend backing up the file. (I didn't have it.)

2) Windows: You'll need to have a file called adbkey.pub located at
    C:/users/UserAccount/.android/

3) Boot into recovery mode.
4) Plug your phone into PC.
5) Open cmd and run adb devices. It would show "recovery" instead of "unauthorized".
6) Create a new file called adb_keys file on your PC:
    type NUL > adb_keys

7) Now you need to copy the contents from the adbkey.pub to adb_keys, the new  
 file you just created: adbkey.pub is located at C:/users/UserAccount/.android/ (Needless to say you need to replace "UserAccount" when running the command)

type c:\users\UserAccount\.android\adbkey.pub > adb_keys

8) Upload the adb_keys file to your phone:
    adb push adb_keys /data/misc/adb/adb_keys

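9) Reboot and run adb devices. It should be working now. The PC's public key in /data/misc/adb/adb_keys stays authorized until that file is changed or USB debugging authorizations are revoked on the phone.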

Android 8.0 adb device keeps unauthorized after authorisation
https://stackoverflow.com/questions/50826577/android-8-0-adb-device-keeps-unauthorized-after-authorisation

9 superuser
9.1 mount參數suid和nosuid
mount時的參數nosuid會讓內核忽略該分區上可執行文件的set-user-ID和set-group-ID位,因此該分區的程序無法藉由這些位切換到root的權限。

su的源碼中,有對文件系統mount時候掛載了suid特性的檢測,由此可知setuid特性可以在mount的-o(options)中關閉掉。具體可以參考man 2 setuid,man mount等等。

9.2 data分區執行su
set BAT_PATH=%~dp0

adb push %BAT_PATH%su /data/
adb shell "chgrp shell /data/su"
adb shell "chmod a+x /data/su"
adb shell "chmod +s /data/su"
adb shell "chcon u:object_r:su_exec:s0 /data/su"

:: let su get the permission to run setuid() and setgid(); this remount drops nosuid for the whole /data partition, not only for /data/su
adb shell "mount -o remount,rw,seclabel,suid,nodev,noatime,discard,noauto_da_alloc,errors=panic,data=ordered /data"

9.3 URLs
find . -perm /6000

如何在Linux中查找具有SUID和SGID權限的文件
https://www.howtoing.com/how-to-find-files-with-suid-and-sgid-permissions-in-linux

10 iptables防火牆規則
如果遇到網絡adb不能使用的問題,需要用以下的命令查看下iptables的配置。
iptables-save -c:dump已配置的規則,格式是[packets, bytes];可以用“>”重定向到一個文件中
iptables -D xxx:-D與-A對應,表示刪除一條規則

11 Abbreviations
ARC:Argonaut RISC Core
AT91SAM9260:SAM means Smart ARM-based Microcontroller
ATMEL SAMBA:ATMEL Smart ARM-based Microcontroller Boot Assistant
CC2530:TI ChipCon2530
DWC2:Design Ware Controller 2,Apple的嵌入式設備,包括iPad和iPhone都是使用的DWC2
ISP1161:Philips' Integrated host Solution Pairs 1161,“Firms introduce USB host controllers”,https://www.eetimes.com/document.asp?doc_id=1290054
Quirks:the attributes of a device that are considered to be noncompliant with expected operation
SL811HS:Cypress/ScanLogic 811 Host/Slave,性能上與ISP1161(Integrated host Solution Pairs 1161)相當
TDI:TransDimension Inc.,該公司首先發明了將TT集成到EHCI RootHub中的方法,這樣對於嵌入式系統來說,就省去了OHCI/UHCI的硬件,同時降低了成本,作爲對該公司的紀念,Linux內核定義了宏ehci_is_TDI(ehci);產品UHC124表示USB Host Controller;收購了ARC USB技術;現已被chipidea收購,chipidea又被mips收購
TLV:TI Low Value,高性價比
TPS:TI Performance Solution
TT:Transaction Translator(事務轉換器,將USB2.0的包轉換成USB1.1的包)
