1 根據avc log自動生成Android Selinux策略
1.1 生成policy文本文件
1)提取所有的avc log
adb shell "cat /proc/kmsg | grep avc" > avc_log.txt
or
adb shell
dmesg | grep avc > /dev/avc_log.txt
adb pull /dev/avc_log.txt .
2)使用audit2allow直接生成policy(生成的allow規則應逐條審查後再合入,避免授予過寬的權限)
sudo apt-get install policycoreutils
audit2allow -i avc_log.txt -o output_pol.te
vi output_pol.te
1.2 直接插入到sepolicy文件中
adb shell
dmesg > /dev/kern_msg.txt
adb pull /dev/kern_msg.txt .
cat kern_msg.txt | audit2allow -p out/target/product/<device>/root/sepolicy
2 Architecture
adbd版本號宏:ADB_SERVER_VERSION
Figure 2-1 adb Data Flow
3 添加USB VID到白名單
%HOMEDRIVE%%HOMEPATH%:表示CMD進入後的初始位置
查看環境變量方法:
echo "%HOMEDRIVE%%HOMEPATH%"
echo "%path%"
md "%HOMEDRIVE%%HOMEPATH%\.android"
echo 0xabcd >> "%HOMEDRIVE%%HOMEPATH%\.android\adb_usb.ini"
或者
md "%USERPROFILE%\.android"
echo 0xabcd >> "%USERPROFILE%\.android\adb_usb.ini"
4 adb調試
Windows:
adb kill-server
set ADB_TRACE=all / ADB_TRACE=
adb shell
echo %Temp% --- adb.log文件
Android:
setprop persist.adb.trace_mask all / setprop persist.adb.trace_mask ""
stop adbd
start adbd
logcat | grep adbd
5 編譯Windows版本的adb
1)apt-get install mingw32
2)make USE_MINGW=y adb
3)make USE_MINGW=y fastboot
6 在Makefile中定義字符串傳給C/C++源碼使用
Android.mk定義C/C++字符串宏
https://blog.csdn.net/jymfist/article/details/52840239
在Makefile定義軟件版本傳給C/C++源碼使用
https://blog.csdn.net/fightingtony/article/details/81836349
7 Adb Root Patch
7.1 源代碼修改
diff --git a/adb/Android.mk b/adb/Android.mk
index a815c77..56b66d8 100644
--- a/adb/Android.mk
+++ b/adb/Android.mk
@@ -121,7 +121,7 @@ endif
LOCAL_CFLAGS := -O2 -g -DADB_HOST=0 -Wall -Wno-unused-parameter -Werror
LOCAL_CFLAGS += -D_XOPEN_SOURCE -D_GNU_SOURCE
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter userdebug eng user,$(TARGET_BUILD_VARIANT)))
LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=1
endif
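Review bot: With `user` added to the filter, the `ifneq` on TARGET_BUILD_VARIANT matches every standard variant, so `-DALLOW_ADBD_ROOT=1` is now defined for production images and the compile-time barrier no longer exists. If root over adb on user builds is really intended, gate it on a dedicated opt-in product variable, for example `ifeq ($(<OEM_ADBD_ROOT_FLAG>),true)` (placeholder name), so that it is an explicit per-product decision and other release builds stay unaffected. A comment above the conditional stating why user builds are included would help the next reader.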
diff --git a/adb/adb.c b/adb/adb.c
index 4300754..d2aa962 100644
--- a/adb/adb.c
+++ b/adb/adb.c
@@ -1280,7 +1280,7 @@ static int should_drop_privileges() {
// ... except we allow running as root in userdebug builds if the
// service.adb.root property has been set by the "adb root" command
property_get("ro.debuggable", value, "");
- if (strcmp(value, "1") == 0) {
+ if (1) {//strcmp(value, "1") == 0) {
property_get("service.adb.root", value, "");
if (strcmp(value, "1") == 0) {
secure = 0;
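Review bot: `if (1) {//strcmp(value, "1") == 0) {` turns the `ro.debuggable` lookup on the previous line into dead code and makes the privilege decision depend only on `service.adb.root`. On a user build the remaining barrier is then whatever is able to set that property, which in this patch is the password comparison in services.c. Rather than commenting the condition out, either delete the unused `property_get("ro.debuggable", value, "")` or keep the check and add the new condition explicitly, with a comment naming the new trust assumption. should_drop_privileges() starts and ends outside this hunk, so the rest of its logic was not checked.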
diff --git a/adb/services.c b/adb/services.c
index e61371a..cdf68f4 100644
--- a/adb/services.c
+++ b/adb/services.c
@@ -61,6 +61,7 @@ void restart_root_service(int fd, void *cookie)
{
char buf[100];
char value[PROPERTY_VALUE_MAX];
+ const char *oem_pwd = "123456";
if (getuid() == 0) {
snprintf(buf, sizeof(buf), "adbd is already running as root\n");
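Review bot: `const char *oem_pwd = "123456";` puts a fixed, guessable secret into the adbd binary: it is identical on every device built from this tree and is readable from the image as a plain string, so it is not a meaningful credential for granting root. The comparison in the next hunk, `!strcmp((char *)cookie, oem_pwd)`, inherits the same problem and has neither an attempt limit nor logging of failed requests. If a gate is needed on user builds, prefer a per-device secret provisioned outside the source tree and checked against a stored hash, on top of the normal adb key authorization.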
@@ -68,17 +69,22 @@ void restart_root_service(int fd, void *cookie)
adb_close(fd);
} else {
property_get("ro.debuggable", value, "");
- if (strcmp(value, "1") != 0) {
+ if ((cookie != NULL) && !strcmp((char *)cookie, oem_pwd)) {
+ property_set("service.adb.root", "1");
+ snprintf(buf, sizeof(buf), "restarting adbd as root\n");
+ writex(fd, buf, strlen(buf));
+ adb_close(fd);
+ } else if (strcmp(value, "1") != 0) {
snprintf(buf, sizeof(buf), "adbd cannot run as root in production builds\n");
writex(fd, buf, strlen(buf));
adb_close(fd);
return;
- }
-
- property_set("service.adb.root", "1");
- snprintf(buf, sizeof(buf), "restarting adbd as root\n");
- writex(fd, buf, strlen(buf));
- adb_close(fd);
+ } else {
+ snprintf(buf, sizeof(buf), "adbd cannot run as root, pwd error\n");
+ writex(fd, buf, strlen(buf));
+ adb_close(fd);
+ return;
+ }
}
}
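Review bot: The reordered branches change behaviour on debuggable builds: when `ro.debuggable` is `1` and no matching password is supplied, control reaches the final `else` and answers `adbd cannot run as root, pwd error`, so a plain `adb root` on userdebug/eng no longer works. If that is not intended, keep the original debuggable path and add the password path only as an alternative, e.g. `if (strcmp(value, "1") == 0 || password_ok)`, where `password_ok` (a name constructed for this note) holds the result of the cookie comparison. The three branches also repeat the same `writex`/`adb_close` pair, which could be written once after the message has been chosen.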
@@ -434,7 +440,7 @@ int service_to_fd(const char *name)
if (arg == NULL) return -1;
ret = create_service_thread(reboot_service, arg);
} else if(!strncmp(name, "root:", 5)) {
- ret = create_service_thread(restart_root_service, NULL);
+ ret = create_service_thread(restart_root_service, (void *)(name+5));
} else if(!strncmp(name, "backup:", 7)) {
char* arg = strdup(name + 7);
if (arg == NULL) return -1;
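Review bot: `(void *)(name+5)` hands the service thread a pointer into `name`, a buffer owned by the caller of service_to_fd(), and casts away `const`; if that buffer is released or reused before restart_root_service() runs, the thread compares stale memory. The neighbouring `backup:` branch copies its argument with `strdup(name + 7)` and checks for NULL, and the `root:` branch should follow the same pattern: `char *arg = strdup(name + 5); if (arg == NULL) return -1; ret = create_service_thread(restart_root_service, arg);`, with the service freeing the copy when it is done. Whether `name` actually outlives the thread cannot be confirmed from this hunk.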
diff --git a/adb/sockets.c b/adb/sockets.c
index faa9564..6e0a32e 100644
--- a/adb/sockets.c
+++ b/adb/sockets.c
@@ -455,7 +455,7 @@ asocket *create_local_service_socket(const char *name)
property_get("ro.debuggable", debug, "");
if ((!strncmp(name, "root:", 5) && getuid() != 0
- && strcmp(debug, "1") == 0)
+ /*&& strcmp(debug, "1") == 0*/)
|| !strncmp(name, "usb:", 4)
|| !strncmp(name, "tcpip:", 6)) {
D("LS(%d): enabling exit_on_close\n", s->id);
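Review bot: Commenting out `&& strcmp(debug, "1") == 0` sends every `root:` request from a non-root adbd down the exit_on_close path, including requests that restart_root_service() will refuse for a wrong password. If exit_on_close makes adbd exit when the socket closes, as the trace message suggests, a rejected request on a user build still restarts the daemon. Consider enabling it only after the password check has succeeded. The commented-out condition and the now-unneeded `property_get("ro.debuggable", debug, "")` should be removed rather than left in place. The enclosing function continues outside the hunk.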
7.2 sepolicy修改
diff --git a/adbd.te b/adbd.te
index 5fcaf69..0ed7649 100644
--- a/adbd.te
+++ b/adbd.te
@@ -2,10 +2,10 @@
# it lives in the rootfs and has no unique file type.
type adbd, domain;
-userdebug_or_eng(`
+#userdebug_or_eng(`
allow adbd self:process setcurrent;
allow adbd su:process dyntransition;
-')
+#')
domain_auto_trans(adbd, shell_exec, shell)
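Review bot: Commenting out `userdebug_or_eng(` and its closing `')` makes `allow adbd self:process setcurrent;` and `allow adbd su:process dyntransition;` unconditional, so on user builds the policy lets adbd enter the su domain regardless of how the request was authorised; the same applies to the su.te section below. The password check inside adbd is then the only control, and SELinux no longer provides a second layer if adbd itself is compromised. Prefer a dedicated policy macro or build-time conditional that is enabled only for the products that need it, rather than disabling the existing macro with `#`.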
@@ -74,3 +74,5 @@ allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
allow adbd kernel:security read_policy;
+
+allow adbd init:process sigchld;
diff --git a/su.te b/su.te
index 73ca514..3c1801c 100644
--- a/su.te
+++ b/su.te
@@ -1,7 +1,7 @@
# File types must be defined for file_contexts.
type su_exec, exec_type, file_type;
-userdebug_or_eng(`
+#userdebug_or_eng(`
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command. The domain definition is
# wrapped to ensure that it does not exist at all on -user builds.
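Review bot: The retained comment "The domain definition is wrapped to ensure that it does not exist at all on -user builds" is no longer true once `userdebug_or_eng(` is commented out; it should be rewritten to say that the su domain is now defined on all build variants and why. The `dontaudit su ...` rules visible in the next hunk then apply on user builds as well, so denials for this domain are not logged there, which makes misuse harder to spot in avc logs. If the domain must exist on user builds, consider dropping the `dontaudit` rules for that configuration.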
@@ -41,4 +41,4 @@ userdebug_or_eng(`
dontaudit su domain:peer *;
dontaudit su domain:binder *;
dontaudit su property_type:property_service *;
-')
+#')
8 Android 8.0 adb device keeps unauthorized after authorization
1) Phone: Check if you have a file called adb_keys located at:
/data/misc/adb/adb_keys. If you have it, I would recommend that you back up the file. (I didn't have it.)
2) Windows: You'll need to have a file called adbkey.pub located at
C:/users/UserAccount/.android/
3) Boot into recovery mode.
4) Plug your phone into PC.
5) Open cmd and run adb devices. It should show "recovery" instead of "unauthorized".
6) Create a new file called adb_keys file on your PC:
type NUL > adb_keys
7) Now you need to copy the contents from the adbkey.pub to adb_keys, the new
file you just created: adbkey.pub is located at C:/users/UserAccount/.android/ (Needless to say you need to replace "UserAccount" when running the command)
type c:\users\UserAccount\.android\adbkey.pub > adb_keys
8) Upload the adb_keys file to your phone:
adb push adb_keys /data/misc/adb/adb_keys
9) Reboot and run adb devices. It should be working now.
Android 8.0 adb device keeps unauthorized after authorisation
https://stackoverflow.com/questions/50826577/android-8-0-adb-device-keeps-unauthorized-after-authorisation
9 superuser
9.1 mount參數suid和nosuid
mount時的參數nosuid會使該分區上可執行文件的setuid/setgid權限位失效,程序無法藉由這些權限位切換到root的權限。
su的源碼中,有對文件系統mount時候掛載了suid特性的檢測,由此可知setuid特性可以在mount的-o(options)中關閉掉。具體可以參考man 2 setuid,man mount等等。
9.2 data分區執行su
set BAT_PATH=%~dp0
adb push %BAT_PATH%su /data/
adb shell "chgrp shell /data/su"
adb shell "chmod a+x /data/su"
adb shell "chmod +s /data/su"
adb shell "chcon u:object_r:su_exec:s0 /data/su"
:: let su get the permission to run setuid() and setgid()
adb shell "mount -o remount,rw,seclabel,suid,nodev,noatime,discard,noauto_da_alloc,errors=panic,data=ordered /data"
9.3 URLs
find . -perm /6000
如何在Linux中查找具有SUID和SGID權限的文件
https://www.howtoing.com/how-to-find-files-with-suid-and-sgid-permissions-in-linux
10 iptables防火牆規則
如果遇到網絡adb不能使用的問題,需要用以下的命令查看下iptables的配置。
iptables-save -c:dump已配置的規則,計數器格式是[packets, bytes];可以用“>”重定向到一個文件中
iptables -D xxx:-D與-A對應,表示刪除一條規則
11 Abbreviations
ARC:Argonaut RISC Core
AT91SAM9260:SAM means Smart ARM-based Microcontroller
ATMEL SAMBA:ATMEL Smart ARM-based Microcontroller Boot Assistant
CC2530:TI ChipCon2530
DWC2:Design Ware Controller 2,Apple的嵌入式設備,包括iPad和iPhone都是使用的DWC2
ISP1161:Philips' Integrated host Solution Pairs 1161,“Firms introduce USB host controllers”,https://www.eetimes.com/document.asp?doc_id=1290054
Quirks:the attributes of a device that are considered to be noncompliant with expected operation
SL811HS:Cypress/ScanLogic 811 Host/Slave,性能上與ISP1161(Integrated host Solution Pairs 1161)相當
TDI:TransDimension Inc.,該公司首先發明瞭將TT集成到EHCI RootHub中的方法,這樣對於嵌入式系統來說,就省去了OHCI/UHCI的硬件,同時降低了成本,作爲對該公司的紀念,Linux內核定義了宏ehci_is_TDI(ehci);產品UHC124表示USB Host Controller;收購了ARC USB技術;現已被chipidea收購,chipidea又被mips收購
TLV:TI Low Value,高性價比
TPS:TI Performance Solution
TT:Transaction Translator(事務轉換器,將USB2.0的包轉換成USB1.1的包)
Android adb調試問題集錦