Space is limited; for the full content and source code, follow the WeChat public account ReverseCode and send 冲.
Environments

- frida: pixel (sailfish) + stock 8.1.0_r1 + twrp3.3.0 + Magisk + Frida; pixel (sailfish) + twrp3.3.0 + lineage16.0 + addonsu16.0
- xposed: pixel (sailfish) + stock 7.1.2_r8 + twrp3.2.1-0 + SuperSU + XposedInstaller
- fart (same as aosp): pixel (sailfish) + latest fastboot + fart8.1.0; n6p (angler) + old fastboot + fart8.1.0
- NetHunter: n6p (angler) + stock 8.1.0_r1 + twrp3.3.1 + SuperSU

Compiling AOSP and flashing

Environment preparation

```shell
# apt update
# git config --global user.email "you@example.com"
# git config --global user.name "Your Name"
# apt install bison tree
# dpkg --add-architecture i386
# apt update
# apt install libc6:i386 libncurses5:i386 libstdc++6:i386
# apt install libxml2-utils
apt install nethogs   # see which process is generating the traffic
```
Android version list
Sync from the Tsinghua mirror; sync from the USTC mirror; if the build runs out of memory, add swap:
```shell
dd if=/dev/zero of=swapfile bs=1024 count=10240000   # create swapfile with dd to use as swap space
mkswap swapfile                                      # format it as a swap file
swapon swapfile                                      # activate it (without this the swap is never used)
## Download the repo tool
mkdir ~/bin
PATH=~/bin:$PATH
curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
## If the URL above is unreachable, use this one instead:
## curl -sSL 'https://gerrit-googlesource.proxy.ustclug.org/git-repo/+/master/repo?format=TEXT' |base64 -d > ~/bin/repo
chmod a+x ~/bin/repo
mkdir COMPILE
cd COMPILE
## Initialize the repository:
repo init -u git://mirrors.ustc.edu.cn/aosp/platform/manifest
## If it complains that it cannot connect to gerrit.googlesource.com, edit ~/bin/repo and replace the REPO_URL line with:
## REPO_URL = 'https://gerrit-googlesource.proxy.ustclug.org/git-repo'
## If you need a specific Android version:
repo init -u git://mirrors.ustc.edu.cn/aosp/platform/manifest -b android-7.1.2_r8
## or
wget https://mirrors.tuna.tsinghua.edu.cn/aosp-monthly/aosp-latest.tar
tar xf aosp-latest.tar
## Sync the source tree (from now on only this command is needed to sync):
## default is 4 threads, can be increased
repo sync -j8
# Download Java 8, or: apt install openjdk-8-jdk
wget https://download.java.net/openjdk/jdk8u41/ri/openjdk-8u41-b04-linux-x64-14_jan_2020.tar.gz
# extract it to /home/kali/Desktop/openjdk8/
# edit .zshrc
nano ~/.zshrc
# add the following to .zshrc
export JAVA_HOME=/home/kali/Desktop/openjdk8/java-se-8u41-ri
export PATH=$JAVA_HOME/bin:$PATH
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
```
Compiling and flashing

7z x aosp712r8   (7.62 GB)

Download the drivers (make sure the versions match), then extract and install them inside the aosp712r8 directory: ./extract-google_devices-sailfish.sh and ./extract-qcom-sailfish.sh. Without the drivers the build comes out without vendor.
```shell
export LC_ALL=C            # run before building to clear the locale settings
cd COMPILE/aosp712r8
source build/envsetup.sh   # import the environment variables
chsh -s /bin/bash          # only bash is supported; kali2021 defaults to zsh, and building under zsh may produce the wrong version, so switch to bash
```
Restart, then select the device
```shell
lunch            # choose option 18: aosp_sailfish_userdebug
# the number after -j can be cores * 2
make -j8         # start; the finished system images are under out/target/product/sailfish/ in the current directory (the various .img files)
which fastboot   # locate fastboot
```

Power off, then hold volume down to enter fastboot.

unzip sailfish-n2g47o-factory-f2bc8024.zip. Copy the boot.img, ramdisk.img, ramdisk-recovery.img, system.img, system_other.img and userdata.img built above into the extracted image-sailfish-n2g47o directory, delete all the images that were there, keep android-info.txt, and compress everything under image-sailfish-n2g47o. The archive name must match the name used in flash-all.sh, and the archive must not contain folders:

```shell
zip -j image-sailfish-n2g47o.zip ./image-sailfish-n2g47o/*
./flash-all.sh   # start flashing
```
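The repacking step above has three easy-to-miss constraints: the zip name must be the one flash-all.sh references, android-info.txt must survive, and the archive must be flat. This added example (not from the original post) reads the name out of flash-all.sh, builds the zip the way `zip -j` does, and checks the result; the directory layout it assumes is the one described above.

```python
import os
import re
import zipfile

# The six images the step above copies out of out/target/product/sailfish/.
BUILT_IMAGES = ("boot.img", "ramdisk.img", "ramdisk-recovery.img",
                "system.img", "system_other.img", "userdata.img")


def image_zip_name(flash_all_sh: str) -> str:
    """Return the image-*.zip file name that flash-all.sh hands to fastboot."""
    m = re.search(r"image-[A-Za-z0-9_.-]+\.zip", flash_all_sh)
    if m is None:
        raise ValueError("flash-all.sh does not reference an image-*.zip")
    return m.group(0)


def repack(factory_dir: str, product_out: str) -> str:
    """Rebuild the image zip with the self-built images; return its path."""
    with open(os.path.join(factory_dir, "flash-all.sh")) as f:
        zip_name = image_zip_name(f.read())
    image_dir = os.path.join(factory_dir, zip_name[:-len(".zip")])
    zip_path = os.path.join(factory_dir, zip_name)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        # Keep android-info.txt (and any other non-image file); drop the stock images.
        for name in sorted(os.listdir(image_dir)):
            if not name.endswith(".img"):
                zf.write(os.path.join(image_dir, name), arcname=name)
        # Add the built images at the archive root, like `zip -j` (no folders).
        for name in BUILT_IMAGES:
            zf.write(os.path.join(product_out, name), arcname=name)
    return zip_path


def check(zip_path: str) -> bool:
    """True if the archive is flat, keeps android-info.txt and holds every built image."""
    with zipfile.ZipFile(zip_path) as zf:
        names = set(zf.namelist())
    return ("android-info.txt" in names
            and all("/" not in n for n in names)
            and set(BUILT_IMAGES) <= names)
```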
Notes on downloading the Android system source
Notes on compiling and flashing the Android system source
Notes on compiling and flashing the Android kernel source (modifying the anti-debugging flag)
Compiling stock Xposed and flashing

Xposed mod, part 1: obtaining the fingerprint features

```shell
mkdir XPOSED
git clone https://github.com/rovo89/XposedInstaller.git   # Xposed framework installer app
git clone https://github.com/rovo89/XposedBridge.git      # Java part of the Xposed framework
git clone https://github.com/rovo89/android_art.git       # Android 5.0 and later use the ART runtime; Xposed's modifications to it
git clone https://github.com/rovo89/XposedTools.git       # builds and packages the Xposed framework
git clone https://github.com/rovo89/Xposed.git            # native part of the Xposed framework
```
Build XposedInstaller with Android Studio

```shell
cd ~/Android/Sdk/build-tools/23.0.3
./aapt
apt-file search libz.so.1   # find which package provides libz.so.1
apt install lib32z1
```
Copy the downloaded android_art into the aosp712r8 directory, replacing the original art: rename android_art to art.

```shell
export LC_ALL=C
source build/envsetup.sh
lunch 18
make -j8
```
Rename the apk built from XposedBridge to XposedBridge.jar and put it in /root/Desktop/COMPILE/aosp712r8/out/java/

In the XposedTools directory: cp build.conf.example ./build.conf

Edit the configuration file build.conf:

```ini
[General]
# output directory
outdir = /root/Desktop/COMPILE/aosp712r8/out/
# XposedBridge.jar directory
javadir = /root/Desktop/COMPILE/aosp712r8/out/java/

[Build]
# Please keep the base version number and add your custom suffix
# version
version = 89 (custom build by xyz / %s)
# number of build threads
makeflags = -j8

[GPG]
sign = release
user = 852109AA!

# Root directories of the AOSP source tree per SDK version
[AospDir]
# API level and AOSP source directory
25 = /root/Desktop/COMPILE/aosp712r8/

# SDKs to be used for compiling BusyBox
# Needs https://github.com/rovo89/android_external_busybox
[BusyBox]
# same API level
arm = 25
x86 = 25
armv5 = 25
```
Download Xposed and copy it into the aosp712r8/frameworks/base/cmds directory.

Install the perl packages:

```shell
apt-get install libauthen-ntlm-perl
apt-get install libclass-load-perl
apt-get install libcrypt-ssleay-perl
apt-get install libdata-uniqid-perl
apt-get install libdigest-hmac-perl
apt-get install libdist-checkconflicts-perl
apt-get install libfile-copy-recursive-perl
apt-get install libfile-tail-perl
apt-get install libconfig-inifiles-perl
perl -MCPAN -e 'install Config::IniFiles'
perl -MCPAN -e 'install File::ReadBackwards'
perl -MCPAN -e 'install File::Tail'
cpan install Archive::Zip
exit
./build.pl -t arm64:25
```
Hook the remote URL to change the Xposed download source:

```shell
frida-ps -U | grep -i xposed
objection -g de.robv.android.xposed.installer explore
android hooking watch class de.robv.android.xposed.installer.util.DownloadsUtil --dump-args --dump-backtrace --dump-return
android hooking watch class_method de.robv.android.xposed.installer.util.DownloadsUtil.getDownloadTargetForUrl --dump-args --dump-backtrace --dump-return
```

Tapping Install triggers the hook and prints the call stack.

Change the value of mUrl in DownloadsUtil's setUrl method to the local zip address. The zip is under aosp712r8/out/sdk25/arm64/; serve it with apt install lighttpd.

Android.mk cannot find ART.mk because of a path problem: change the ART.mk path at the bottom of Android.mk to an absolute path.
Modding Xposed to remove its fingerprint

Customizing the Xposed framework

Replace api.jar under libs in the Xposed module project with XposedBridge/app/build/api/api.jar, which is generated by XposedBridge's Gradle tasks jarStubs and jarStubsSource.

build.gradle: compileOnly files('libs/api.jar')

In XposedInstaller, change the package name xposed to xppsed: every de.robv.android.xposed.installer becomes de.robv.android.xppsed.installer, and the xposed.prop in /su/xposed/xposed.prop and /system/xposed.prop becomes xppsed.prop.

In XposedBridge, change the package name xposed to xppsed: every de.robv.android.xposed becomes de.robv.android.xppsed; after the build, rename app-release-unsigned.apk to XppsedBridge.jar.
Enter aosp712r8/frameworks/base/cmds/xposed/

Edit libxposed_common.h:

```c
#define CLASS_XPOSED_BRIDGE "de/robv/android/xppsed/XposedBridge"
#define CLASS_ZYGOTE_SERVICE "de/robv/android/xppsed/services/ZygoteService"
#define CLASS_FILE_RESULT "de/robv/android/xppsed/services/FileResult"
```

Edit xposed.h:

```c
#define XPOSED_PROP_FILE "/system/xppsed.prop"
#define XPOSED_LIB_ART XPOSED_LIB_DIR "libxppsed_art.so"
#define XPOSED_JAR "/system/framework/XppsedBridge.jar"
#define XPOSED_CLASS_DOTS_ZYGOTE "de.robv.android.xppsed.XposedBridge"
#define XPOSED_CLASS_DOTS_TOOLS "de.robv.android.xppsed.XposedBridge$ToolEntryPoint"
```

Edit xposed_service.cpp:

```cpp
IMPLEMENT_META_INTERFACE(XposedService, "de.robv.android.xppsed.IXposedService");
```

Edit xposed_shared.h (both occurrences):

```c
#define XPOSED_DIR "/data/user_de/0/de.robv.android.xppsed.installer/"
#define XPOSED_DIR "/data/data/de.robv.android.xppsed.installer/"
```
Rename libxposed_art.cpp to libxppsed_art.cpp.

Edit ART.mk: change libxposed_art to libxppsed_art.

Enter XposedTools and edit build.pl: xposed.prop becomes xppsed.prop, XposedBridge.jar becomes XppsedBridge.jar, libxposed_art becomes libxppsed_art.

grep -ril "xposedbridge.jar" * lists every file that still contains it (flash-script.sh and others); change the xposed.prop, XposedBridge.jar and libxposed_art references in those files the same way.
```shell
./build.pl -t arm64:25   # rebuild; rename the zip generated under aosp712r8/out/sdk25/arm64 to xposed-v89-sdk25-arm64.zip
apt install lighttpd && service lighttpd start
cp xposed-v89-sdk25-arm64.zip /var/www/html/
```

The phone can then download 192.168.0.102/xposed-v89-sdk25-arm64.zip (the VM) directly.

Install XposedInstaller (with mUrl in DownloadsUtil's setUrl changed to the VM download address), open the Install screen and install the Xposed framework.

adb install xposed_checker_app: the check passes.
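From the checker's side, an added example that is not part of the original post: the kind of fixed-name checks a detector app relies on, run over two constructed device snapshots, one with stock Xposed and one with the renamed build from the steps above. Every file, package and package-prefix check is defeated by the rename, while a check on the bare class name XposedBridge, which the steps above leave unchanged, still fires; the indicator names come from this post and the snapshots are constructed, not captured from a device.

```python
import re

# Stock Xposed artifact names, taken from the files and defines edited above.
FILE_INDICATORS = (
    "/system/xposed.prop",
    "/su/xposed/xposed.prop",
    "/system/framework/XposedBridge.jar",
    "libxposed_art.so",
)
PACKAGE_INDICATORS = ("de.robv.android.xposed.installer",)
# Package prefix of Xposed's Java classes (changed by the rename)...
PACKAGE_FRAME = re.compile(r"\bde\.robv\.android\.xposed\.")
# ...and the bare class name, which the rename above leaves untouched.
CLASS_FRAME = re.compile(r"\.XposedBridge\b")


def scan(snapshot: dict) -> list:
    """Return (kind, value) hits for a snapshot with 'files', 'packages', 'stack'."""
    hits = []
    for path in snapshot.get("files", ()):
        if any(path.endswith(ind) for ind in FILE_INDICATORS):
            hits.append(("file", path))
    for pkg in snapshot.get("packages", ()):
        if pkg in PACKAGE_INDICATORS:
            hits.append(("package", pkg))
    for frame in snapshot.get("stack", ()):
        if PACKAGE_FRAME.search(frame):
            hits.append(("frame-package", frame))
        elif CLASS_FRAME.search(frame):
            hits.append(("frame-class", frame))
    return hits


# Constructed snapshots (not captured from a real device).
STOCK = {
    "files": ["/system/xposed.prop", "/system/framework/XposedBridge.jar",
              "/system/lib64/libxposed_art.so"],
    "packages": ["de.robv.android.xposed.installer", "com.android.settings"],
    "stack": ["com.example.app.MainActivity.onCreate",
              "de.robv.android.xposed.XposedBridge.main"],
}
RENAMED = {
    "files": ["/system/xppsed.prop", "/system/framework/XppsedBridge.jar",
              "/system/lib64/libxppsed_art.so"],
    "packages": ["de.robv.android.xppsed.installer", "com.android.settings"],
    "stack": ["com.example.app.MainActivity.onCreate",
              "de.robv.android.xppsed.XposedBridge.main"],
}

if __name__ == "__main__":
    print("stock  :", scan(STOCK))
    print("renamed:", scan(RENAMED))
```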
When developing a new Xposed module, remove api.jar from libs, use the api.jar generated from XposedBridge via jarStubs, and change de.robv.android.xppsed… in the code.