我的编程空间,编程开发者的网络收藏夹
学习永远不晚

android10.0(Q) root MTK 6765 user版本打开root权限(adb root权限和 apk root权限)

短信预约 -IT技能 免费直播动态提醒
省份

北京

  • 北京
  • 上海
  • 天津
  • 重庆
  • 河北
  • 山东
  • 辽宁
  • 黑龙江
  • 吉林
  • 甘肃
  • 青海
  • 河南
  • 江苏
  • 湖北
  • 湖南
  • 江西
  • 浙江
  • 广东
  • 云南
  • 福建
  • 海南
  • 山西
  • 四川
  • 陕西
  • 贵州
  • 安徽
  • 广西
  • 内蒙
  • 西藏
  • 新疆
  • 宁夏
  • 兵团
手机号立即预约

请填写图片验证码后获取短信验证码

看不清楚,换张图片

免费获取短信验证码

android10.0(Q) root MTK 6765 user版本打开root权限(adb root权限和 apk root权限)

前言

everybody,好久不见,我胡汉三又回来了,android10.0 root 安排!!!

相比较 Android8.1、9.0 而言,Q 版本 的 root变得相当麻烦,10.0 中引入了动态分区机制,可看这篇Android10 动态分区介绍,同样的要想完全 adb root,需要 fastboot 解锁,然后关闭 verity 才能 adb remount 成功。我尝试和之前一样修改 fstab.in.mt6765 中的 ro 和 rw 初始值,容易导致无法正常开机,在这耗费了很长时间,就暂时先跳过吧,apk root 是 ok的。如果你有更好的方法欢迎留言讨论。

一图胜千言 JNtqaj.png JNdwwD.png 修改方案

上面的图就不用我多说了吧,分别用了 ROOT检测工具、RE文件管理器测试,只要 root 成功都有明显的提示,

也可以用 AirDroid 来远程控制测试是否成功 root。

总共修改 12 个文件,新增 3 个文件,一共 15 个

	modified:   build/make/core/main.mk
	modified:   device/mediatek/sepolicy/basic/non_plat/file_contexts
	modified:   device/mediateksample/k62v1_64_bsp/device.mk
	modified:   vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/k62v1_64_bsp/k62v1_64_bsp.mk
	modified:   system/core/adb/Android.bp
	modified:   system/core/adb/daemon/main.cpp
	modified:   system/core/init/selinux.cpp
	modified:   system/core/libcutils/fs_config.cpp
	modified:   system/core/rootdir/init.rc
	modified:   system/sepolicy/Android.mk
	modified:   system/sepolicy/prebuilts/api/29.0/public/domain.te
	modified:   system/sepolicy/public/domain.te
	add device/mediatek/sepolicy/basic/non_plat/suproce.te
	add system/extras/su/su
	add system/extras/su/suproce.sh
1、让进程名称在 AS Logcat 中可见,通过修改 ro.adb.secure 和 ro.secure

ps:这步不是必须的,目的只是在 logcat 中可见进程 pid 和包名,而且打开 USB 调试时默认授权,不再弹授权框

build/make/core/main.mk

 tags_to_install :=
 ifneq (,$(user_variant))
   # Target is secure in user builds.
-  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
+  # ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
+  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
   ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
   ifeq ($(user_variant),user)
-    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+    # ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
   endif
   ifeq ($(user_variant),userdebug)
@@ -251,7 +253,7 @@ ifneq (,$(user_variant))
     tags_to_install += debug
   else
     # Disable debugging in plain user builds.
-    enable_target_debugging :=
+    # enable_target_debugging :=
   endif
   # Disallow mock locations by default for user builds
2、修改 SELinux权限为 Permissive

SELinux 常用状态有两个 Permissive 和 Enforcing,通过 adb shell getenforce 可查看当前所处模式
10.0 改到了 selinux.cpp 中

system/core/init/selinux.cpp

 bool IsEnforcing() {
+    return false;
     if (ALLOW_PERMISSIVE_SELINUX) {
         return StatusFromCmdline() == SELINUX_ENFORCING;
     }
3、关闭 DM-verity

vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/k62v1_64_bsp/k62v1_64_bsp.mk

 TARGET=k62v1_64_bsp
 MTK_PLATFORM=MT6765
 MTK_SEC_CHIP_SUPPORT=yes
-MTK_SEC_USBDL=ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP
-MTK_SEC_BOOT=ATTR_SBOOT_ENABLE
+MTK_SEC_USBDL=ATTR_SUSBDL_DISABLE
+MTK_SEC_BOOT=ATTR_SBOOT_DISABLE
 MTK_SEC_MODEM_AUTH=no
 MTK_SEC_SECRO_AC_SUPPORT=yes
 # Platform
4、增加 su 相关,确保 apk root 权限

apk 获取 root 权限,需要内置 su 文件,参考之前 8.1 的做法,在 init.rc 中 boot_completed 时执行脚本

开机执行脚本的命令可直接加在 system/core/rootdir/init.rc

开机脚本执行是否成功,可通过 adb shell dmesg > dmesg.txt 抓取 init 的日志,搜索是否报错,或者缺少权限。

boot_completed 启动完成时,start suproce

system/core/rootdir/init.rc

     class_reset main
+service suproce  /system/bin/suproce.sh
+    class main
+    user root
+    group root
+    oneshot
+    seclabel u:object_r:suproce_exec:s0
+
+
 on property:sys.boot_completed=1
+    start suproce
     bootchart stop

system/extras/su/suproce.sh

#!/system/bin/sh
mount -o rw,remount /system
chmod 06755 su
su --daemon
echo "su daemon done."

device/mediatek/sepolicy/basic/non_plat/file_contexts

 #hidl process merging
 /(system\/vendor|vendor)/bin/hw/merged_hal_service          u:object_r:merged_hal_service_exec:s0
+
+#suproce
+/system/bin/suproce.sh          u:object_r:suproce_exec:s0

此处写法有变动,suproce.te 中要加 system_file_type,不然编译时报错

out/target/product/k62v1_64_bsp/obj/ETC/sepolicy_tests_intermediates/sepolicy_tests )"
The following types on /system/ must be associated with the "system_file_type" attribute: suproce_exec
checkpolicy:  error(s) encountered while parsing configuration

device/mediatek/sepolicy/basic/non_plat/suproce.te

type suproce, coredomain;
#type suproce_exec, exec_type, vendor_file_type, file_type;
type  suproce_exec, exec_type, file_type, system_file_type;
# permissive suproce;
# allow shell suproce_exec:file { read open getattr execute };
init_daemon_domain(suproce);

改完后继续编译,再次出现新错误,user 版本不允许 permissive domains

[ 19% 1135/5824] build out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy
FAILED: out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 		30 -o out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp permissive > out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ) && (if [ \"user\" = \"user\" -a -s out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ]; then 		echo \"==========\" 1>&2; 		echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; 		echo \"List of invalid domains:\" 1>&2; 		cat out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains 1>&2; 		exit 1; 		fi ) && (mv out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy )"
device/mediatek/sepolicy/bsp/plat_private/untrusted_app_all.te:7:WARNING 'unrecognized character' at token '' on line 53889:
# Purpose: Make app can get phoneEx

注释下面文件中的 exit 1

system/sepolicy/Android.mk

@@ -518,7 +518,7 @@ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/se
                echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
                echo "List of invalid domains:" 1>&2; \
                cat $@.permissivedomains 1>&2; \
-               exit 1; \
+               # exit 1; \
                fi
        $(hide) mv $@.tmp $@
@@ -562,7 +562,7 @@ $(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpo
                echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
                echo "List of invalid domains:" 1>&2; \
                cat $@.permissivedomains 1>&2; \
-               exit 1; \
+               # exit 1; \
                fi
        $(hide) mv $@.tmp $@

再重新编译,又报错,卧底马,什么情况, 在 system\sepolicy\public\domain.te 中 335 行进行了权限检查

libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11735 of policy.conf) violated by allow aee_aed suproce_exec:file { ioctl };
libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11735 of policy.conf) violated by allow crash_dump suproce_exec:file { ioctl };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy
libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11642 of policy.conf) violated by allow aee_aed suproce_exec:file { ioctl };
libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11642 of policy.conf) violated by allow crash_dump suproce_exec:file { ioctl };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy

system\sepolicy\public\domain.te
system/sepolicy/prebuilts/api/29.0/public/domain.te

# All ioctls on file-like objects (except chr_file and blk_file) and
# sockets must be restricted to a whitelist.
# neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };

直接将 neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; 这行注释就行,不过需要两个文件都注释,

开始按照忽略原则将 aee_aed、crash_dump 通过 - 的方式修改,又报其它错误(宝宝心里苦啊)

*neverallowxperm { * -aee_aed -crash_dump } :{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; 这样行不通

拷贝 su 文件和开机脚本 suproce.sh 到 system/bin 目录下
device/mediateksample/k62v1_64_bsp/device.mk

@@ -19,6 +19,11 @@ PRODUCT_COPY_FILES += $(LOCAL_PATH)/sbk-kpd.kl:system/usr/keylayout/sbk-kpd.kl:m
                       $(LOCAL_PATH)/sbk-kpd.kcm:system/usr/keychars/sbk-kpd.kcm:mtk
 endif
+PRODUCT_COPY_FILES += \
+       system/extras/su/su:system/bin/su \
+       system/extras/su/suproce.sh:system/bin/suproce.sh
+

给 su 文件增加权限

system/core/libcutils/fs_config.cpp

@@ -166,7 +168,9 @@ static const struct fs_path_config android_files[] = {
     // the following two files are INTENTIONALLY set-uid, but they
     // are NOT included on user builds.
     { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/procmem" },
-    { 04750, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
+    { 06755, AID_ROOT,      AID_SHELL,     0, "system/bin/su" },
     // the following files have enhanced capabilities and ARE included
     // in user builds.
5、解锁 fastboot,并关闭 verity 按需操作

system/core/adb/Android.bp

@@ -76,7 +76,15 @@ cc_defaults {
     name: "adbd_defaults",
     defaults: ["adb_defaults"],
-    cflags: ["-UADB_HOST", "-DADB_HOST=0"],
+    //cflags: ["-UADB_HOST", "-DADB_HOST=0"],
+    cflags: [
+        "-UADB_HOST",
+        "-DADB_HOST=0",
+        "-UALLOW_ADBD_ROOT",
+        "-DALLOW_ADBD_ROOT=1",
+        "-DALLOW_ADBD_DISABLE_VERITY",
+        "-DALLOW_ADBD_NO_AUTH",
+    ],
     product_variables: {
         debuggable: {
             cflags: [

system/core/adb/daemon/main.cpp

@@ -63,12 +63,13 @@ static inline bool is_device_unlocked() {
 }
 static bool should_drop_capabilities_bounding_set() {
-    if (ALLOW_ADBD_ROOT || is_device_unlocked()) {
+    
+    return false;
 }
 static bool should_drop_privileges() {

解锁时可能音量上键不生效,那需要进行对调

vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/sec_unlock.c

        unlock_warranty();
        while (1) {
-               if (mtk_detect_key(MT65XX_MENU_SELECT_KEY)) { //VOL_UP
+               //if (mtk_detect_key(MT65XX_MENU_SELECT_KEY)) { //VOL_UP
+               if (mtk_detect_key(MT65XX_MENU_OK_KEY)) { //VOL_DOWN
                        fastboot_info("Start unlock flow\n");
                        //Invoke security check after confirming "yes" by user
                        ret = fastboot_get_unlock_perm(&unlock_allowed);
@@ -374,7 +375,8 @@ void fastboot_oem_unlock(const char *arg, void *data, unsigned sz)
                                fastboot_okay("");
                        }
                        break;
-               } else if (mtk_detect_key(MT65XX_MENU_OK_KEY)) { //VOL_DOWN
+               //} else if (mtk_detect_key(MT65XX_MENU_OK_KEY)) { //VOL_DOWN
+               } else if (mtk_detect_key(MT65XX_MENU_SELECT_KEY)) { //VOL_UP
                        video_printf("return to fastboot in 3s\n");
                        mdelay(3000);
                        fastboot_boot_menu();

去除 oem 解锁后每次开机提示 Your device has been unlocked and can’t be trusted 警告字眼

vendor/mediatek/proprietary/bootable/bootloader/lk/platform/common/boot/vboot_state.c

@@ -133,9 +133,10 @@ int orange_state_warning(void)
        video_clean_screen();
        video_set_cursor(video_get_rows() / 2, 0);
-       video_printf(title_msg);
-       video_printf("Your device has been unlocked and can't be trusted\n");
-       video_printf("Your device will boot in 5 seconds\n");
+       //20191206  annotaion 
+       // video_printf(title_msg);
+       // video_printf("Your device has been unlocked and can't be trusted\n");
+       // video_printf("Your device will boot in 5 seconds\n");
        mtk_wdt_restart();
        mdelay(5000);
        mtk_wdt_restart();

编译成功重新烧写,按照 解锁方法

获取 adb root 权限, user 版本目前还不能 remount 成功, userdebug 版本可成功 remount,

后续 user 版本 adb 成功后会持续更新,以下是操作比对

=user==========
C:>adb root

C:>adb remount
/system/bin/remount exited with status 2
remount failed

C:>adb disable-verity
Device is locked. Please unlock the device first

C:>adb reboot bootloader

C:>fastboot flashing unlock

(bootloader) Start unlock flow

OKAY [ 12.394s]
finished. total time: 12.398s

C:>fastboot reboot
rebooting…

finished. total time: 0.003s

C:>adb root

C:>adb disable-verity
Successfully disabled verity
Now reboot your device for settings to take effect

C:>adb reboot

C:>adb root

C:>adb remount
/system/bin/remount exited with status 2
remount failed

=userdebug==========

C:>adb root

C:>adb remount
E Skipping /system
E Skipping /vendor
E Skipping /product
W No partitions to remount
/system/bin/remount exited with status 7
remount failed

C:>adb disable-verity
Device is locked. Please unlock the device first

C:>adb reboot bootloader

C:>fastboot flashing unlock

(bootloader) Start unlock flow

OKAY [ 12.394s]
finished. total time: 12.398s

C:>fastboot reboot
rebooting…

finished. total time: 0.003s

C:>adb root

C:>adb disable-verity
Successfully disabled verity
Now reboot your device for settings to take effect

C:>adb reboot

C:>adb root

C:>adb remount
remount succeeded

su 和 apk下载


作者:cczhengv


免责声明:

① 本站未注明“稿件来源”的信息均来自网络整理。其文字、图片和音视频稿件的所属权归原作者所有。本站收集整理出于非商业性的教育和科研之目的,并不意味着本站赞同其观点或证实其内容的真实性。仅作为临时的测试数据,供内部测试之用。本站并未授权任何人以任何方式主动获取本站任何信息。

② 本站未注明“稿件来源”的临时测试数据将在测试完成后最终做删除处理。有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341

android10.0(Q) root MTK 6765 user版本打开root权限(adb root权限和 apk root权限)

下载Word文档到电脑,方便收藏和打印~

下载Word文档

猜你喜欢

android10.0(Q) root MTK 6765 user版本打开root权限(adb root权限和 apk root权限)

前言 everybody,好久不见,我胡汉三又回来了,android10.0 root 安排!!! 相比较 Android8.1、9.0 而言,Q 版本 的 root变得相当麻烦,10.0 中引入了动态分区机制,可看这篇Android10
2022-06-06

编程热搜

  • Android:VolumeShaper
    VolumeShaper(支持版本改一下,minsdkversion:26,android8.0(api26)进一步学习对声音的编辑,可以让音频的声音有变化的播放 VolumeShaper.Configuration的三个参数 durati
    Android:VolumeShaper
  • Android崩溃异常捕获方法
    开发中最让人头疼的是应用突然爆炸,然后跳回到桌面。而且我们常常不知道这种状况会何时出现,在应用调试阶段还好,还可以通过调试工具的日志查看错误出现在哪里。但平时使用的时候给你闹崩溃,那你就欲哭无泪了。 那么今天主要讲一下如何去捕捉系统出现的U
    Android崩溃异常捕获方法
  • android开发教程之获取power_profile.xml文件的方法(android运行时能耗值)
    系统的设置–>电池–>使用情况中,统计的能耗的使用情况也是以power_profile.xml的value作为基础参数的1、我的手机中power_profile.xml的内容: HTC t328w代码如下:
    android开发教程之获取power_profile.xml文件的方法(android运行时能耗值)
  • Android SQLite数据库基本操作方法
    程序的最主要的功能在于对数据进行操作,通过对数据进行操作来实现某个功能。而数据库就是很重要的一个方面的,Android中内置了小巧轻便,功能却很强的一个数据库–SQLite数据库。那么就来看一下在Android程序中怎么去操作SQLite数
    Android SQLite数据库基本操作方法
  • ubuntu21.04怎么创建桌面快捷图标?ubuntu软件放到桌面的技巧
    工作的时候为了方便直接打开编辑文件,一些常用的软件或者文件我们会放在桌面,但是在ubuntu20.04下直接直接拖拽文件到桌面根本没有效果,在进入桌面后发现软件列表中的软件只能收藏到面板,无法复制到桌面使用,不知道为什么会这样,似乎并不是很
    ubuntu21.04怎么创建桌面快捷图标?ubuntu软件放到桌面的技巧
  • android获取当前手机号示例程序
    代码如下: public String getLocalNumber() { TelephonyManager tManager =
    android获取当前手机号示例程序
  • Android音视频开发(三)TextureView
    简介 TextureView与SurfaceView类似,可用于显示视频或OpenGL场景。 与SurfaceView的区别 SurfaceView不能使用变换和缩放等操作,不能叠加(Overlay)两个SurfaceView。 Textu
    Android音视频开发(三)TextureView
  • android获取屏幕高度和宽度的实现方法
    本文实例讲述了android获取屏幕高度和宽度的实现方法。分享给大家供大家参考。具体分析如下: 我们需要获取Android手机或Pad的屏幕的物理尺寸,以便于界面的设计或是其他功能的实现。下面就介绍讲一讲如何获取屏幕的物理尺寸 下面的代码即
    android获取屏幕高度和宽度的实现方法
  • Android自定义popupwindow实例代码
    先来看看效果图:一、布局
  • Android第一次实验
    一、实验原理 1.1实验目标 编程实现用户名与密码的存储与调用。 1.2实验要求 设计用户登录界面、登录成功界面、用户注册界面,用户注册时,将其用户名、密码保存到SharedPreference中,登录时输入用户名、密码,读取SharedP
    Android第一次实验

目录