android10.0(Q) MTK 6765 user version opens root permissions

Foreword

Compared with Android 8.1 and 9.0, rooting on Android 10.0 has become considerably more troublesome, because 10.0 introduced the dynamic partition mechanism. Likewise, to get a fully working adb root you need to unlock fastboot and then turn off verity before adb remount can succeed. I tried modifying the ro/rw initial values in fstab.in.mt6765 as before, but that easily left the device unable to boot normally; it took a long time, so I will skip it for now. Root from an apk works fine.

Environment

Name             Version
Android version  10.0
Platform         MTK6766

Put a picture first

Modification plan

I don't need to say much about the picture above: I tested with a ROOT detection tool and the RE file manager, and as soon as root succeeds both show an obvious prompt. 12 files were modified and 3 files added, 15 in total.

modified: build/make/core/main.mk
modified: device/mediatek/sepolicy/basic/non_plat/file_contexts
modified: device/mediateksample/k62v1_64_bsp/device.mk
modified: vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/k62v1_64_bsp/k62v1_64_bsp.mk
modified: system/core/adb/Android.bp
modified: system/core/adb/daemon/main.cpp
modified: system/core/init/selinux.cpp
modified: system/core/libcutils/fs_config.cpp
modified: system/core/rootdir/init.rc
modified: system/sepolicy/Android.mk
modified: system/sepolicy/prebuilts/api/29.0/public/domain.te
modified: system/sepolicy/public/domain.te

add: device/mediatek/sepolicy/basic/non_plat/suproce.te
add: system/extras/su/su
add: system/extras/su/suproce.sh

1. Modify ro.adb.secure and ro.secure so the process name is visible in AS Logcat

PS: this step is not strictly necessary. Its only purpose is to see the process pid and package name in logcat; it also means that when USB debugging is turned on, authorization is granted by default and the authorization dialog no longer pops up.

build/make/core/main.mk

 tags_to_install :=
 ifneq (,$(user_variant))
   # Target is secure in user builds.
-  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
+  # ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
+  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
   ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
 
   ifeq ($(user_variant),user)
-    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+    # ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
   endif
 
   ifeq ($(user_variant),userdebug)
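
Review bot: the comment "Target is secure in user builds." now contradicts the two lines beneath it, which set ro.secure=0 and ro.adb.secure=0 for every user build; with ro.adb.secure=0 adbd no longer asks the user to authorize the host's RSA key, so any machine plugged into the USB port gets a shell without the on-device prompt. If the goal is only the logcat visibility described above, gate these two assignments behind a dedicated build variable instead of editing the user branch, so the default for a production build stays as it was.
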
@@ -251,7 +253,7 @@ ifneq (,$(user_variant))
     tags_to_install += debug
   else
     # Disable debugging in plain user builds.
-    enable_target_debugging :=
+    # enable_target_debugging :=
   endif
 
   # Disallow mock locations by default for user builds

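
Review bot: commenting out `enable_target_debugging :=` in the else branch leaves the variable with the value it was given above this hunk, so a plain user build is now treated as debuggable (ro.debuggable=1) exactly like userdebug, and the comment "Disable debugging in plain user builds." no longer describes what the code does. That goes further than the property changes in the previous hunk; either restore the assignment or drop the misleading comment.
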
2. Set SELinux to Permissive

SELinux has two common states, Permissive and Enforcing; the current mode can be checked with adb shell getenforce. In 10.0 the check moved into selinux.cpp.
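The property flips in step 1 and the getenforce check here are exactly what a release engineer would want to verify never reached a signed production image. The following audit script is an added example, not code from this post: it parses `adb shell getprop` and `adb shell getenforce` output (the two sample outputs are constructed) and compares the relevant properties against the values a stock AOSP user build on a locked device reports. The expected values are an assumption about stock AOSP, not something the post states.

```python
"""Audit device security posture from `adb shell getprop` and
`adb shell getenforce` output.

Added example, not code from the original post.  It checks the switches
the post flips in steps 1 and 2 (ro.secure, ro.adb.secure, ro.debuggable,
SELinux mode) plus the bootloader lock and verified-boot state.  Expected
values are those of a stock AOSP user build on a locked device (an
assumption); the two sample outputs below are constructed.
"""
import re

# property -> (value expected on a locked user build, meaning of a deviation)
EXPECTED_PROPS = {
    "ro.build.type": ("user", "image is not a user build"),
    "ro.secure": ("1", "ro.secure=0: init starts adbd with root privileges"),
    "ro.adb.secure": ("1", "adb host authorization (RSA key prompt) is disabled"),
    "ro.debuggable": ("0", "build is debuggable: adb root is permitted"),
    "ro.boot.flash.locked": ("1", "bootloader is unlocked"),
    "ro.boot.verifiedbootstate": ("green", "verified boot state is not green"),
}

# getprop prints one "[name]: [value]" pair per line.
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(text):
    """Parse getprop output into {name: value}; lines that do not match are skipped."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit(getprop_text, getenforce_text):
    """Return a list of (check, observed, meaning) findings.

    An empty list means every checked setting matches a locked production
    user build.  A property that is absent is reported as "<missing>"
    rather than silently passing: the ro.boot.* values come from the
    bootloader and only disappear when the boot chain is non-standard."""
    props = parse_getprop(getprop_text)
    findings = []
    for name, (expected, meaning) in EXPECTED_PROPS.items():
        observed = props.get(name, "<missing>")
        if observed != expected:
            findings.append((name, observed, meaning))
    mode = getenforce_text.strip()
    if mode != "Enforcing":
        findings.append(("getenforce", mode,
                         "SELinux is not enforcing: neverallow rules only log"))
    return findings


# Constructed sample: what a device built as described in this post reports.
ROOTED_GETPROP = """\
[ro.build.type]: [user]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[ro.debuggable]: [1]
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.product.board]: [k62v1_64_bsp]
"""

# Constructed sample: a stock locked user build.
STOCK_GETPROP = """\
[ro.build.type]: [user]
[ro.secure]: [1]
[ro.adb.secure]: [1]
[ro.debuggable]: [0]
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
"""

if __name__ == "__main__":
    for label, props, mode in (("rooted", ROOTED_GETPROP, "Permissive\n"),
                               ("stock", STOCK_GETPROP, "Enforcing\n")):
        findings = audit(props, mode)
        print(f"== {label}: {len(findings)} finding(s) ==")
        for check, observed, meaning in findings:
            print(f"  {check}={observed}: {meaning}")
```

In practice the two inputs would be captured with `adb shell getprop > props.txt` and `adb shell getenforce > mode.txt` and fed to `audit()`; a non-empty result on an image that is about to be signed is the signal to stop.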

system/core/init/selinux.cpp

 bool IsEnforcing() {
+    return false;
     if (ALLOW_PERMISSIVE_SELINUX) {
         return StatusFromCmdline() == SELINUX_ENFORCING;
     }
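
Review bot: `return false;` inserted as the first statement of IsEnforcing() makes everything after it dead code, including the ALLOW_PERMISSIVE_SELINUX guard and the kernel-cmdline check, so SELinux is permissive on every build variant and every neverallow in the policy becomes log-only. If a permissive user build is really required, key the early return on a build-time define so a production image cannot pick it up by accident, and confirm the result with adb shell getenforce.
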
3. Turn off DM-verity

vendor/mediatek/proprietary/bootable/bootloader/preloader/custom/k62v1_64_bsp/k62v1_64_bsp.mk

 TARGET=k62v1_64_bsp
 MTK_PLATFORM=MT6765
 MTK_SEC_CHIP_SUPPORT=yes
-MTK_SEC_USBDL=ATTR_SUSBDL_ONLY_ENABLE_ON_SCHIP
-MTK_SEC_BOOT=ATTR_SBOOT_ENABLE
+MTK_SEC_USBDL=ATTR_SUSBDL_DISABLE
+MTK_SEC_BOOT=ATTR_SBOOT_DISABLE
 MTK_SEC_MODEM_AUTH=no
 MTK_SEC_SECRO_AC_SUPPORT=yes
 #Platform

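
Review bot: the section is titled DM-verity, but this hunk changes the preloader's secure-boot settings: MTK_SEC_BOOT=ATTR_SBOOT_DISABLE stops the preloader from verifying the next boot stage and MTK_SEC_USBDL=ATTR_SUSBDL_DISABLE lifts the restriction on USB download mode, while dm-verity itself is only turned off later with adb disable-verity. These two values belong in a separately named debug configuration rather than the product's k62v1_64_bsp.mk, since any image built from this tree with them set will boot unsigned images.
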
4. Add the su-related files and make sure an apk can obtain root

For an apk to obtain root, a built-in su binary is required. Following the earlier 8.1 approach, a script is run from init.rc on boot_completed.

The command that runs the script at boot can be added directly to system/core/rootdir/init.rc.

To check whether the startup script ran successfully, grab the init log with adb shell dmesg > dmesg.txt and search it for errors or missing permissions.

On boot_completed, i.e. once boot has finished, start suproce:

system/core/rootdir/init.rc

 class_reset main
 
+service suproce /system/bin/suproce.sh
+    class main
+    user root
+    group root
+    oneshot
+    seclabel u:object_r:suproce_exec:s0
+
+
 on property:sys.boot_completed=1
+    start suproce
     bootchart stop
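
Review bot: `seclabel u:object_r:suproce_exec:s0` names a file type, not a process domain, so init cannot set that context when it execs the service; the domain declared in suproce.te is suproce, so the line would have to read `seclabel u:r:suproce:s0`, and since suproce.te already calls init_daemon_domain(suproce), which sets up the automatic transition on exec of suproce_exec, the seclabel line can simply be dropped. The two empty `+` lines between the service block and the `on property` trigger can go as well.
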

system/extras/su/suproce.sh

#!/system/bin/sh
# Started by init (service suproce) once sys.boot_completed=1:
# make /system writable, give su its set-uid/set-gid root bits,
# then start the su daemon.

mount -o rw,remount /system
# Absolute paths: init starts services with / as the working
# directory, so a bare "su" would not resolve.
chmod 06755 /system/bin/su
/system/bin/su --daemon

echo "su daemon done."

device/mediatek/sepolicy/basic/non_plat/file_contexts

 #hidl process merging
 /(system\/vendor|vendor)/bin/hw/merged_hal_service u:object_r:merged_hal_service_exec:s0
+
+#suproce
+/system/bin/suproce.sh u:object_r:suproce_exec:s0

One change from the earlier approach: system_file_type must be added to suproce.te, otherwise the sepolicy tests fail at compile time.

out/target/product/k62v1_64_bsp/obj/ETC/sepolicy_tests_intermediates/sepolicy_tests )"
The following types on /system/ must be associated with the "system_file_type" attribute: suproce_exec
checkpolicy: error(s) encountered while parsing configuration

device/mediatek/sepolicy/basic/non_plat/suproce.te

type suproce, coredomain;
 
#type suproce_exec, exec_type, vendor_file_type, file_type;
type suproce_exec, exec_type, file_type, system_file_type;
 
# permissive suproce;
# allow shell suproce_exec:file { read open getattr execute };
 
init_daemon_domain(suproce);

With that change the build continued, but a new error came up: user builds do not allow permissive domains.

[ 19% 1135/5824] build out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy
FAILED: out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy
/bin/bash -c "(ASAN_OPTIONS=detect_leaks=0 out/host/linux-x86/bin/checkpolicy -M -c 30 -o out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery.conf ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp permissive > out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ) && (if [ "user" = "user" -a -s out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains ]; then echo "==========" 1>&2 ; echo "ERROR: permissive domains not allowed in user builds" 1>&2; echo "List of invalid domains:" 1>&2; cat out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi ) && (mv out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy.tmp out/target/product/k62v1_64_bsp/obj/ETC/sepolicy.recovery_intermediates/sepolicy )"
device/mediatek/sepolicy/bsp/plat_private/untrusted_app_all.te:7:WARNING 'unrecognized character' at token '' on line 53889:
# Purpose: Make app can get phoneEx

Comment out the exit 1 in the file below.

system/sepolicy/Android.mk

@@ -518,7 +518,7 @@ $(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/se
                echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
                echo "List of invalid domains:" 1>&2; \
                cat [email protected] 1>&2; \
-               exit 1; \
+               # exit 1; \
                fi
        $(hide) mv [email protected] $@
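
Review bot: commenting out `exit 1` keeps the check's side effects but removes its only consequence: sepolicy-analyze still writes the permissive-domain list and the recipe still prints "ERROR: permissive domains not allowed in user builds" before carrying on, so the build log now shows an error that does not fail the build. The same applies to the recovery-policy rule at line 562 below. Prefer fixing the cause, i.e. remove the offending `permissive` declaration (suproce.te above already has it commented out), so this guard stays intact for the next engineer.
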
 
@@ -562,7 +562,7 @@ $(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpo
                echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
                echo "List of invalid domains:" 1>&2; \
                cat [email protected] 1>&2; \
-               exit 1; \
+               # exit 1; \
                fi
        $(hide) mv [email protected] $@

Recompiling again produced yet another error. What now? The permission check that fails is the neverallowxperm on line 335 of system/sepolicy/public/domain.te:

libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11735 of policy.conf) violated by allow aee_aed suproce_exec:file { ioctl };
libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11735 of policy.conf) violated by allow crash_dump suproce_exec:file { ioctl };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy

libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11642 of policy.conf) violated by allow aee_aed suproce_exec:file { ioctl };
libsepol.report_assertion_extended_permissions: neverallowxperm on line 335 of system/sepolicy/public/domain.te (or line 11642 of policy.conf) violated by allow crash_dump suproce_exec:file { ioctl };
libsepol.check_assertions: 2 neverallow failures occurred
Error while expanding policy

system/sepolicy/public/domain.te
system/sepolicy/prebuilts/api/29.0/public/domain.te

# All ioctls on file-like objects (except chr_file and blk_file) and
# sockets must be restricted to a whitelist.
# neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };

Simply commenting out the line neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; is enough, but it has to be commented out in both files.

I first tried excluding aee_aed and crash_dump with the - exclusion syntax instead, but that just produced other errors (painful):

neverallowxperm { * -aee_aed -crash_dump } :{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 }; does not work.
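Both workarounds in this part of the post, the commented-out neverallowxperm in domain.te and the disabled `exit 1` behind the permissive-domain check, are the kind of policy weakening a platform security team would want to catch before an image is signed. The linter below is an added example, not code from this post or from AOSP: it scans .te sources for neverallow assertions that have been turned into comments and for live `permissive` declarations, and applies the user-build rule for the latter. The two policy snippets are constructed for the demonstration; the regexes are deliberately narrow so that ordinary explanatory comments are not flagged.

```python
"""Lint SELinux policy sources for two kinds of weakening: neverallow /
neverallowxperm assertions turned into comments, and live `permissive`
domain declarations.

Added example, not code from the original post or from AOSP.  Intended as
a pre-signing check over system/sepolicy and device/*/sepolicy that does
not depend on the build's own guard (the `exit 1` discussed above).  The
policy snippets below are constructed.
"""
import re

# A commented-out assertion: '#', the keyword, then something that still
# looks like a rule body (a ':' class separator and a closing ';'), so a
# prose comment like "# neverallow rules for apps" is not matched.
DISABLED_NEVERALLOW = re.compile(
    r"^\s*#\s*(neverallow(?:xperm)?)\s+.*:.*;\s*$")
# A live permissive declaration, e.g. 'permissive suproce;'.
PERMISSIVE_DECL = re.compile(r"^\s*permissive\s+([A-Za-z0-9_]+)\s*;")


def lint_policy(source, filename="<policy>"):
    """Scan one .te source; return (filename, line_no, kind, detail) tuples."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = DISABLED_NEVERALLOW.match(line)
        if match:
            findings.append((filename, line_no, "disabled-" + match.group(1),
                             line.strip()))
            continue
        match = PERMISSIVE_DECL.match(line)
        if match:
            findings.append((filename, line_no, "permissive-domain",
                             match.group(1)))
    return findings


def lint_tree(files, build_variant):
    """Lint a {path: source} mapping.

    A disabled neverallow is always reported.  A permissive domain is
    reported only for user builds, mirroring the AOSP rule that
    permissive domains are not allowed there."""
    findings = []
    for path, source in files.items():
        for finding in lint_policy(source, path):
            if finding[2] == "permissive-domain" and build_variant != "user":
                continue
            findings.append(finding)
    return findings


# Constructed snippets modelled on the edits described in this post.
DOMAIN_TE = """\
# All ioctls on file-like objects (except chr_file and blk_file) and
# sockets must be restricted to a whitelist.
# neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
neverallow * self:capability2 mac_override;
"""

SUPROCE_TE = """\
type suproce, coredomain;
type suproce_exec, exec_type, file_type, system_file_type;
permissive suproce;
init_daemon_domain(suproce)
"""

if __name__ == "__main__":
    tree = {"system/sepolicy/public/domain.te": DOMAIN_TE,
            "device/mediatek/sepolicy/basic/non_plat/suproce.te": SUPROCE_TE}
    for path, line_no, kind, detail in lint_tree(tree, "user"):
        print(f"{path}:{line_no}: {kind}: {detail}")
```

Run over a real tree, `files` would be built by globbing `*.te` under the policy directories, and a non-empty result for `build_variant="user"` would fail the job. The linter cannot see a rule that was deleted outright; for that, diff the policy sources against the tag you last reviewed.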

Copy the su binary and the startup script suproce.sh into the system/bin directory:
device/mediateksample/k62v1_64_bsp/device.mk

@@ -19,6 +19,11 @@ PRODUCT_COPY_FILES += $(LOCAL_PATH)/sbk-kpd.kl:system/usr/keylayout/sbk-kpd.kl:m
                       $(LOCAL_PATH)/sbk-kpd.kcm:system/usr/keychars/sbk-kpd.kcm:mtk
 endif
 
+PRODUCT_COPY_FILES += \
+    system/extras/su/su:system/bin/su \
+    system/extras/su/suproce.sh:system/bin/suproce.sh
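
Review bot: the hunk installs a prebuilt binary, system/extras/su/su, into /system/bin that nothing in the tree builds or verifies, and fs_config below makes it set-uid root, so its provenance matters more than any other file in the image. Record where the binary came from and pin its checksum next to it so a swapped binary would be noticed at review time.
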

Give the su binary its permissions:

system/core/libcutils/fs_config.cpp

@@ -166,7 +168,9 @@ static const struct fs_path_config android_files[] = {
     // the following two files are INTENTIONALLY set-uid, but they
     // are NOT included on user builds.
     { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },
-    { 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
+    { 06755, AID_ROOT, AID_SHELL, 0, "system/bin/su" },
 
     // the following files have enhanced capabilities and ARE included
     // in user builds.
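
Review bot: the replaced entry was 04750 root:shell on system/xbin/su, executable only by the shell group; the new one is 06755 on system/bin/su, i.e. set-uid and set-gid root and executable by every uid, and the comment above it ("NOT included on user builds") is no longer true. If apk root is the goal this is by design, but update the comment and keep the mode as tight as the intended clients allow rather than world-executable.
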
5. Unlock fastboot and turn off verity (on-demand operations)

system/core/adb/Android.bp

@@ -76,7 +76,15 @@ cc_defaults {
     name: "adbd_defaults",
     defaults: ["adb_defaults"],
 
-    cflags: ["-UADB_HOST", "-DADB_HOST=0"],
+    //cflags: ["-UADB_HOST", "-DADB_HOST=0"],
+    cflags: [
+        "-UADB_HOST",
+        "-DADB_HOST=0",
+        "-UALLOW_ADBD_ROOT",
+        "-DALLOW_ADBD_ROOT=1",
+        "-DALLOW_ADBD_DISABLE_VERITY",
+        "-DALLOW_ADBD_NO_AUTH",
+    ],
     product_variables: {
         debuggable: {
             cflags: [
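
Review bot: -DALLOW_ADBD_NO_AUTH is unrelated to the fastboot-unlock and disable-verity goals in this section's title; together with ro.adb.secure=0 from step 1 it builds an adbd that never asks the user to authorize a host. -DALLOW_ADBD_ROOT=1 and -DALLOW_ADBD_DISABLE_VERITY are sufficient for adb root and adb disable-verity, so drop the NO_AUTH define, and delete the commented-out cflags line rather than keeping both versions.
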

system/core/adb/daemon/main.cpp

@@ -63,12 +63,13 @@ static inline bool is_device_unlocked() {
 }
 
 static bool should_drop_capabilities_bounding_set() {
-    if (ALLOW_ADBD_ROOT || is_device_unlocked()) {
+    /*if (ALLOW_ADBD_ROOT || is_device_unlocked()) {
         if (__android_log_is_debuggable()) {
             return false;
         }
     }
-    return true;
+    return true;*/
+    return false;
 }
 
 static bool should_drop_privileges() {
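
Review bot: should_drop_capabilities_bounding_set() now returns false unconditionally, so adbd keeps its full capability bounding set on every device, and the `/* ... */` block leaves the original logic as dead text. With ALLOW_ADBD_ROOT=1 from the previous hunk the outer condition was already true, so the only thing this edit removes is the __android_log_is_debuggable() gate; revert it, delete instead of commenting, and let the build flag do the work.
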

The volume-up key may not take effect during unlock; in that case the two keys need to be swapped.

vendor/mediatek/proprietary/bootable/bootloader/lk/app/mt_boot/sec_unlock.c

        unlock_warranty();
 
        while (1) {
-               if (mtk_detect_key(MT65XX_MENU_SELECT_KEY)) { //VOL_UP
+               //if (mtk_detect_key(MT65XX_MENU_SELECT_KEY)) { //VOL_UP
+               if (mtk_detect_key(MT65XX_MENU_OK_KEY)) { //VOL_DOWN
                        fastboot_info("Start unlock flow\n");
                        //Invoke security check after confirming "yes" by user
                        ret = fastboot_get_unlock_perm(&unlock_allowed);
@@ -374,7 +375,8 @@ void fastboot_oem_unlock(const char *arg, void *data, unsigned sz)
                                fastboot_okay("");
                        }
                        break;
-               } else if (mtk_detect_key(MT65XX_MENU_OK_KEY)) { //VOL_DOWN
+               //} else if (mtk_detect_key(MT65XX_MENU_OK_KEY)) { //VOL_DOWN
+               } else if (mtk_detect_key(MT65XX_MENU_SELECT_KEY)) { //VOL_UP
                        video_printf("return to fastboot in 3s\n");
                        mdelay(3000);
                        fastboot_boot_menu();
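
Review bot: the key swap is split across two hunks that must land together: if only the first is applied, both the `if` and the `else if` test MT65XX_MENU_OK_KEY and the "return to fastboot" branch becomes unreachable, so a user at the prompt can no longer back out. Whatever the unlock screen prints about which key confirms and which returns to fastboot has to be updated to match, since this prompt is the only consent step before the device is unlocked.
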

Remove the warning "Your device has been unlocked and can't be trusted" that appears on every boot after OEM unlocking:

vendor/mediatek/proprietary/bootable/bootloader/lk/platform/common/boot/vboot_state.c

@@ -133,9 +133,10 @@ int orange_state_warning(void)
 
        video_clean_screen();
        video_set_cursor(video_get_rows() / 2, 0);
-       video_printf(title_msg);
-       video_printf("Your device has been unlocked and can't be trusted\n");
-       video_printf("Your device will boot in 5 seconds\n");
+       //20191206 annotation
+       // video_printf(title_msg);
+       // video_printf("Your device has been unlocked and can't be trusted\n");
+       // video_printf("Your device will boot in 5 seconds\n");
        mtk_wdt_restart();
        mdelay(5000);
        mtk_wdt_restart();
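
Review bot: removing the orange-state warning takes away the only user-visible indication that verified boot is off, while the mdelay(5000) below is kept, so the device now pauses five seconds on a blank screen for no reason. If the message really must go, remove the delay with it; otherwise keep the warning, since it is how a user or a reviewer would notice an unlocked production device.
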

Obtaining adb root: the user version cannot remount successfully yet, while the userdebug version can. I will update this once the user version works. Below is a comparison of the two.

=user==========
C:>adb root

C:>adb remount
/system/bin/remount exited with status 2
remount failed

C:>adb disable-verity
Device is locked. Please unlock the device first

C:>adb reboot bootloader

C:>fastboot flashing unlock
…
(bootloader) Start unlock flow

OKAY [12.394s]
finished. total time: 12.398s

C:>fastboot reboot
rebooting…

finished. total time: 0.003s

C:>adb root

C:>adb disable-verity
Successfully disabled verity
Now reboot your device for settings to take effect

C:>adb reboot

C:>adb root

C:>adb remount
/system/bin/remount exited with status 2
remount failed

=userdebug==========

C:>adb root

C:>adb remount
E Skipping/system
E Skipping/vendor
E Skipping/product
W No partitions to remount
/system/bin/remount exited with status 7
remount failed

C:>adb disable-verity
Device is locked. Please unlock the device first

C:>adb reboot bootloader

C:>fastboot flashing unlock
…
(bootloader) Start unlock flow

OKAY [12.394s]
finished. total time: 12.398s

C:>fastboot reboot
rebooting…

finished. total time: 0.003s

C:>adb root

C:>adb disable-verity
Successfully disabled verity
Now reboot your device for settings to take effect

C:>adb reboot

C:>adb root

C:>adb remount
remount succeeded

The user version has successfully obtained adb root

6. Modify the adb root permissions and compile the userdebug version for comparison

The difference between user and userdebug lies in the code path taken on remount. The log that userdebug prints during remount comes from system/core/fs_mgr/fs_mgr_remount.cpp.

The idea is simply to make the user version print the same log when remounting.

Modified file list

modified: system/core/adb/Android.bp
modified: system/core/fs_mgr/Android.bp
modified: system/sepolicy/Android.mk
modified: system/sepolicy/definitions.mk
modified: frameworks/base/services/usb/java/com/android/server/usb/UsbDeviceManager.java

system/core/adb/Android.bp

+++ b/alps/system/core/adb/Android.bp
@@ -412,6 +412,8 @@ cc_library {
         "liblog",
     ],
 
+    required: [ "remount",],
+
     product_variables: {
         debuggable: {
             required: [
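
Review bot: `required: [ "remount",]` now pulls the remount binary into every build, duplicating the `required` entry inside the debuggable product_variables block just below; keep one or the other, and tidy the list to `required: ["remount"],`.
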

system/core/fs_mgr/Android.bp

+++ b/alps/system/core/fs_mgr/Android.bp
@@ -76,7 +76,8 @@ cc_library {
         "libfstab",
     ],
     cppflags: [
-        "-DALLOW_ADBD_DISABLE_VERITY=0",
+        "-UALLOW_ADBD_DISABLE_VERITY",
+        "-DALLOW_ADBD_DISABLE_VERITY=1",
     ],
     product_variables: {
         debuggable: {
@@ -133,7 +134,8 @@ cc_binary {
         "fs_mgr_remount.cpp",
     ],
     cppflags: [
-        "-DALLOW_ADBD_DISABLE_VERITY=0",
+        "-UALLOW_ADBD_DISABLE_VERITY",
+        "-DALLOW_ADBD_DISABLE_VERITY=1",
     ],
     product_variables: {
         debuggable: {
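
Review bot: both cppflags blocks now define ALLOW_ADBD_DISABLE_VERITY=1 unconditionally, which makes the debuggable product_variables block that follows each of them redundant and lets the user build's remount binary disable verity; together with the same define given to adbd in step 5, the verity-off path is reachable on a user image from two binaries. Collapse this to one place and tie it to the same debug build variable as the adbd change.
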

Enable overlayfs on the user version so remount can mount the corresponding partitions:
system/sepolicy/Android.mk

+++ b/alps/system/sepolicy/Android.mk
@@ -309,7 +309,7 @@ LOCAL_REQUIRED_MODULES += \
 
 endif
 
-ifneq ($(TARGET_BUILD_VARIANT), user)
+ifneq ($(TARGET_BUILD_VARIANT), eng)
 LOCAL_REQUIRED_MODULES += \
     selinux_denial_metadata \
 
@@ -1104,7 +1104,8 @@ endif
 ifneq ($(filter address,$(SANITIZE_TARGET)),)
   local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
 endif
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT)))
   local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
 endif
 ifeq ($(TARGET_FLATTEN_APEX),true)
@@ -1166,7 +1167,9 @@ file_contexts.device.tmp :=
 file_contexts.local.tmp :=
 
 ##################################
-ifneq ($(TARGET_BUILD_VARIANT), user)
+# ifneq ($(TARGET_BUILD_VARIANT), user)
+ifneq ($(TARGET_BUILD_VARIANT), eng)
 include $(CLEAR_VARS)
 
 LOCAL_MODULE := selinux_denial_metadata
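
Review bot: changing `ifneq ($(TARGET_BUILD_VARIANT), user)` to `ifneq (..., eng)` in the first and third hunks does not just add user builds, it also drops selinux_denial_metadata from eng builds, which is presumably not intended; if the module should exist on every variant, remove the condition rather than swapping which variant is excluded. The file_contexts_overlayfs filter change in the middle hunk is fine as written, but the commented-out line left behind at 1167 should be deleted instead of kept.
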

system/sepolicy/definitions.mk

+++ b/alps/system/sepolicy/definitions.mk
@@ -1,10 +1,11 @@
 # Command to turn collection of policy files into a policy.conf file to be
 # processed by checkpolicy
 define transform-policy-to-conf
 @mkdir -p $(dir $@)
 $(hide) m4 --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
        -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-       -D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
+       -D target_build_variant=eng \
        -D target_with_dexpreopt=$(WITH_DEXPREOPT) \
        -D target_arch=$(PRIVATE_TGT_ARCH) \
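
Review bot: hard-coding `-D target_build_variant=eng` means every policy build, including user, is compiled with the eng conditionals and PRIVATE_TARGET_BUILD_VARIANT becomes unused, so every rule the policy guards with macros such as userdebug_or_eng() is now active on production images. If only a specific rule is needed on user, add that rule to the policy rather than relabel the whole build as eng.
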

Enable the OEM unlock option by default:

frameworks/base/services/usb/java/com/android/server/usb/UsbDeviceManager.java

+++ b/alps/frameworks/base/services/usb/java/com/android/server/usb/UsbDeviceManager.java
@@ -995,6 +995,10 @@ public class UsbDeviceManager implements ActivityTaskManagerInternal.ScreenObser
         }
 
         protected void finishBoot() {
+            android.service.oemlock.OemLockManager mOemLockManager
+                    = (android.service.oemlock.OemLockManager) mContext.getSystemService(Context.OEM_LOCK_SERVICE);
+            mOemLockManager.setOemUnlockAllowedByUser(true);
+
             if (mBootCompleted && mCurrentUsbFunctionsReceived && mSystemReady) {
                 if (mPendingBootBroadcast) {
                     updateUsbStateBroadcastIfNeeded(getAppliedFunctions(mCurrentFunctions));
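
Review bot: calling setOemUnlockAllowedByUser(true) unconditionally in finishBoot() overrides the Developer Options toggle on every boot, so a user who turns "OEM unlocking" off has it silently re-enabled and the bootloader will accept fastboot flashing unlock without that consent; the service object is also used without a null check. If a default is wanted, set it once rather than on each boot, and keep the user's choice authoritative.
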

C:>adb root

C:>adb remount
W DM_DEV_STATUS failed for scratch: No such device or address
E [liblp]No device named scratch
[liblp]Partition scratch will resize from 0 bytes to 1315950592 bytes
[liblp]Updated logical partition table at slot 0 on device /dev/block/by-name/super
[libfs_mgr]Created logical partition scratch on device /dev/block/dm-3
[libfs_mgr]superblock s_max_mnt_count:65535,/dev/block/dm-3
[libfs_mgr]__mount(source=/dev/block/dm-3,target=/mnt/scratch,type=ext4)=0: Success
Using overlayfs for /system
Using overlayfs for /vendor
Using overlayfs for /product
[libfs_mgr]__mount(source=overlay,target=/system,type=overlay,upperdir=/mnt/scratch/overlay/system/upper)=0
[libfs_mgr]__mount(source=overlay,target=/vendor,type=overlay,upperdir=/mnt/scratch/overlay/vendor/upper)=0
[libfs_mgr]__mount(source=overlay,target=/product,type=overlay,upperdir=/mnt/scratch/overlay/product/upper)=0
remount succeeded