• Android adb root权限


    方法:

    修改./default.prop

    把ro.secure设为0,persist.service.adb.enable设为1,adbd进程就会以root用户的身份启动。

    原理:

    可以看一下Android系统根目录下的/init.rc的片段:

    ... ...

    # adbd is controlled by the persist.service.adb.enable system property

    service adbd /sbin/adbd

        disabled

    # adbd on at boot in emulator

    on property:ro.kernel.qemu=1

        start adbd

    on property:persist.service.adb.enable=1

        start adbd

    on property:persist.service.adb.enable=0

        stop adbd

    ... ...

    这里定义了一个触发器,只要persist.service.adb.enable值被置为1,就会启动/sbin/adbd。

    在build目录下搜索一下,发现了main.mk中有这样的代码片段

    ## user/userdebug ##

    user_variant := $(filter userdebug user,$(TARGET_BUILD_VARIANT))

    enable_target_debugging := true

    ifneq (,$(user_variant))

      # Target is secure in user builds.

      ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1

      tags_to_install := user

      ifeq ($(user_variant),userdebug)

        # Pick up some extra useful tools

        tags_to_install += debug

      else

        # Disable debugging in plain user builds.

        enable_target_debugging :=

      endif

      # TODO: Always set WITH_DEXPREOPT (for user builds) once it works on OSX.

      # Also, remove the corresponding block in config/product_config.make.

      ifeq ($(HOST_OS)-$(WITH_DEXPREOPT_buildbot),linux-true)

        WITH_DEXPREOPT := true

      endif

      # Disallow mock locations by default for user builds

      ADDITIONAL_DEFAULT_PROPERTIES += ro.allow.mock.location=0

    else # !user_variant

      # Turn on checkjni for non-user builds.

      ADDITIONAL_BUILD_PROPERTIES += ro.kernel.android.checkjni=1

      # Set device insecure for non-user builds.

      ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0

      # Allow mock locations by default for non user builds

      ADDITIONAL_DEFAULT_PROPERTIES += ro.allow.mock.location=1

    endif # !user_variant

    ifeq (true,$(strip $(enable_target_debugging)))

      # Target is more debuggable and adbd is on by default

      ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=1 persist.service.adb.enable=1

      # Include the debugging/testing OTA keys in this build.

      INCLUDE_TEST_OTA_KEYS := true

    else # !enable_target_debugging

      # Target is less debuggable and adbd is off by default

      ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=0 persist.service.adb.enable=0

    endif # !enable_target_debugging

    这段代码我大致解释一下:

    主要通过判断当前的编译模式来给几个属性赋予不同的值,然后把属性存储在ADDITIONAL_DEFAULT_PROPERTIES这个变量中,这个变量在后面是要写到根目录下的/default.prop中去,在系统启动时被属性服务加载的。也就是说我们在/default.prop中看到的几个属性的值是在这里设置的。

    只看两个属性ro.secure,persist.service.adb.enable。当前是user模式的话,编译系统会把ro.secure置为1,把persist.service.adb.enable置为0.也就是说,用user模式编译出来的系统运行在安全模式下,adbd默认关闭。即使通过设置属性的方式打开,adbd进程的用户也是shell,不具有root权限。这样,普通用户或者开发者拿到一个机器后,通过PC运行adb shell时,是以shell用户登录机器的。

    好了,现在把ro.secure置为0,再重新编译,只要设置属性persist.service.adb.enable的值为1,adbd进程就会以root用户的身份启动。

  • 相关阅读:
    php求2个文件相对路径
    [JZOJ 5818] 做运动
    [JZOJ 5819] 大逃杀
    [JZOJ 5852] 相交
    [JZOJ 5817] 抄代码
    [JZOJ 5791] 阶乘
    [转载](asp.net大型项目实践)
    [转载](你必须知道的.net)
    [转载](闲话WPF)
    .net之 HtmlInputFile
  • 原文地址:https://www.cnblogs.com/myitm/p/2341441.html
Copyright © 2020-2023  润新知