关闭selinux
修改此文件("+"号为修改内容)
device/rockchip/common/BoardConfig.mk
BOARD_BOOT_HEADER_VERSION ?= 2
% K& t* [6 t4 Y$ A; `- I' j) ?BOARD_MKBOOTIMG_ARGS :=' z! j2 {! P9 x& s' P, W- a
BOARD_PREBUILT_DTBOIMAGE ?= $(TARGET_DEVICE_DIR)/dtbo.img
Y9 q& y# G! y! Y5 L( O1 lBOARD_ROCKCHIP_VIRTUAL_AB_ENABLE ?= false
0 t6 z- S# K3 |! I* `5 T-BOARD_SELINUX_ENFORCING ?= true
) u7 \% f$ Z0 m1 ^: l5 z+BOARD_SELINUX_ENFORCING ?= false/ G `0 w p3 }9 p7 s- _0 x
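Review bot: Changing the `?=` default of `BOARD_SELINUX_ENFORCING` in device/rockchip/common/BoardConfig.mk turns enforcement off for every product that inherits this common file and for every build variant, not only for one engineering image. Keep the shared default at `BOARD_SELINUX_ENFORCING ?= true` and set `BOARD_SELINUX_ENFORCING := false` only in the board config of the one development product that needs it, so a release image cannot pick up the relaxed setting by accident. With enforcement off, nothing on this page still confines the su, fs_config and capability changes that follow, so the scope of this flag decides how far those changes reach.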

注释用户组权限检测
修改此文件("+"号为修改内容)
system/extras/su/su.cpp
" W* g$ M8 {" {5 W' g# ?void extract_uidgids(const char* uidgids, uid_t* uid, gid_t*
" w# \, v' l! q/ q7 N! S, ?gid, gid_t* gids, i
; y% A: R- y; K5 j1 q}
8 i. X( E" X) n0 C8 ^, q. vint main(int argc, char** argv) {9 \7 ?$ j6 X" h0 {' ]* |+ P7 v9 M- |
- uid_t current_uid = getuid();4 H8 ~$ E' W. Z7 {; c' Q8 y; s
- if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "notallowed");
4 k% k9 f% t2 M, c' `9 ^- v+ //uid_t current_uid = getuid();
+ Q* {! y4 Q+ Y+ //if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "notallowed");
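Review bot: With both lines commented out at the top of `main`, the visible part of su.cpp no longer checks the calling uid at all, so any uid that can execute the binary is accepted where the original allowed only `AID_ROOT` and `AID_SHELL`. If a development image needs wider access, extend the condition with the specific additional uid instead of removing it, and keep `if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "notallowed");` for any image that is distributed. The dead lines should be deleted rather than left behind as `//` comments. `main` continues outside the hunk, so any later checks are not visible here.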

给su文件默认授予root权限
修改此文件("+"号为修改内容)
system/core/libcutils/fs_config.cpp

static const struct fs_path_config android_dirs[] = {
$ W$ G( I; d: b9 I6 Q6 L; s9 f3 ? { 00751, AID_ROOT, AID_SHELL, 0, "system/bin" },3 |9 Z: R, U. F9 Y3 m4 o' }/ w
{ 00755, AID_ROOT, AID_ROOT, 0, "system/etc/ppp" },
1 }9 P- `2 o6 r7 O1 U7 b { 00755, AID_ROOT, AID_SHELL, 0, "system/vendor" },4 g- H8 ^1 N W- Y
- { 00750, AID_ROOT, AID_SHELL, 0, "system/xbin" },
7 \/ d7 u, X. H- u6 T+ { 00755, AID_ROOT, AID_SHELL, 0, "system/xbin" },
- y7 i4 N2 n9 ] { 00751, AID_ROOT, AID_SHELL, 0, "system/apex/*/bin" },
# i/ y W# u- ?% I9 y { 00751, AID_ROOT, AID_SHELL, 0, "system_ext/bin" },
3 v1 X; M* w/ c6 [4 i { 00751, AID_ROOT, AID_SHELL, 0, "system_ext/apex/*/bin" },) P9 B2 M2 R! E6 o, G7 `- e
static const struct fs_path_config android_files[] = {
& A- M: p4 ~/ w+ w' I( w // the following two files are INTENTIONALLY set-uid, but they# Z! i$ X' q3 o
// are NOT included on user builds.
a R* v$ ` V. R { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },2 I2 a ?4 ^# c" Q, B/ _: o l9 @
- { 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
) |/ [8 |: a& |% C+ { 06755, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },# U! E% r" q$ }$ ]
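Review bot: The new `su` entry goes from `04750` to `06755`, which adds world-execute and also the set-gid bit, and the write-up gives no reason for the latter; if the aim is only to let other uids run the binary, `{ 04755, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },` is the narrower change. The comment directly above the entry still says these set-uid files are not included on user builds, so it should be updated to state which build variants now carry a world-executable set-uid root binary. The `system/xbin` directory change from `00750` to `00755` additionally makes the directory readable and searchable by every uid. Both arrays continue outside the hunk.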
然后修改此文件("+"号为修改内容)
frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
static void DropCapabilitiesBoundingSet(fail_fn_t fail_fn) {: }; K: X4 S+ l; S4 v& F) H
+/*8 z( @- Q4 K1 a, ~
for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {;
: \" N) c5 s3 q- ]8 M" z if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) == -1) {
5 k/ m+ \: W6 v0 Z8 h if (errno == EINVAL) {
/ t0 T- M" G* Y5 b8 l5 G$ ]5 W ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
# G d- F/ u0 U# d/ C% R- w. M "your kernel is compiled with file capabilities support");* ?9 l5 K) g3 f1 l* B
} else {, [ b7 H _- _$ G
fail_fn(CREATE_ERROR("prctl(PR_CAPBSET_DROP, %d) failed: %s", i, strerror(errno)));
1 J. i' a" }) u9 }6 @) R* x6 l } b2 e: T+ o# T! |/ E! ~/ [2 p
}: ^9 o3 { ~- M! z9 o
}5 H ~" w1 E3 ~% |; R
+ */
- s5 H+ H1 y2 r}
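Review bot: Wrapping the whole loop in `/* … */` leaves `DropCapabilitiesBoundingSet` with an empty body, so presumably every process created through this Zygote path keeps the full capability bounding set, not only the su use case the write-up is after. The parameter `fail_fn` also becomes unused, which may break the build if unused-parameter warnings are treated as errors for this target. Prefer keeping the loop and putting the exemption behind a build-time condition limited to engineering images, documented with a comment such as `// Bounding set intentionally left intact on rooted dev images; never enable for user builds.`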
最后修改此文件("+"号为修改内容)
kernel-5.10/security/commoncap.c
& b9 B F/ h7 |int cap_task_setnice(struct task_struct *p, int nice). Y2 ^7 j. R; d/ K9 A# F/ N
static int cap_prctl_drop(unsigned long cap)& c$ ?. D* G) M n. S" T4 ~
{. H( W+ g# \$ [% N* X
struct cred *new;
! v. ^; s' a9 x* P, S# V+/*
+ A) K1 e+ q7 t2 x* T1 Q h if (!ns_capable(current_user_ns(), CAP_SETPCAP))
" n \8 P/ @# \5 x6 ^) F* O4 X: b return -EPERM;
% R: m6 q1 ^5 E2 M- a( R if (!cap_valid(cap))
' m2 U8 t$ R- _: D return -EINVAL;9 j( e: w% d4 _$ D1 W6 d, o( x
-& \. X7 g" ]& a1 {
+*/
6 q0 r0 h) ?" f' K- J9 m$ s( Vnew = prepare_creds(); |. \ d7 E1 z, A$ g% a) M$ D
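Review bot: The added comment block disables `cap_valid(cap)` together with the `CAP_SETPCAP` check, so `cap_prctl_drop` no longer rejects an out-of-range `cap` before `prepare_creds()` and whatever follows it. The rest of the function is outside the hunk; if it indexes the bounding set by `cap`, as the upstream implementation does, an unvalidated value from userspace turns into an out-of-bounds write on the new credentials. Keep `if (!cap_valid(cap)) return -EINVAL;` outside the comment even on a development kernel. The removal of the `ns_capable(current_user_ns(), CAP_SETPCAP)` test should be recorded in a code comment naming the build it is meant for, rather than left as an unexplained commented-out block.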

源码编译并验证固件是否ROOT
修改完上面三个步骤的文件后,重新编译内核和安卓源码,执行以下命令:
# make -j4
下载RootChecker测试APK软件包(自行下载),可通过ADB命令或者U盘安装,安装后按照提示点击按钮检查root。
root成功如图: ![]()