手上有一台pixel 请问是否能刷

膜拜

菜年richor 同求模拟器怎么导入镜像

同求，模拟器怎么刷镜像

同问模拟器怎么使用

浅笑不语 同问模拟器怎么使用

同问模拟器怎么使用

弱冠甕卿还仓 同求，模拟器怎么刷镜像

同问模拟器怎么使用

感谢分享。

nb

感谢分享，后排膜拜

像Android这种开源系统，脱壳感觉不神秘了，自己定制系统想咋整咋整

 硬核大佬。

太强了

膜拜大佬

有个问题 模拟器镜像怎么刷呀 雷电模拟器没听说能自己刷镜像呀

这寒冰大佬公布的脱壳点有问题呀 一直报错：
/libartd_intermediates/interpreter/interpreter.P; rm -f out/host/linux-x86/obj/SHARED_LIBRARIES/libartd_intermediates/interpreter/interpreter.d )"
art/runtime/interpreter/interpreter.cc:301:17: error: ignoring return value of function declared with warn_unused_result attribute [-Werror,-Wunused-result]
                write(save_path_fd,(void*)begin,(int)size);
                ^~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
art/runtime/interpreter/interpreter.cc:287:8: error: ignoring return value of function declared with warn_unused_result attribute [-Werror,-Wunused-result]
       read(cmd_line_fd,process_name,256);
       ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
art/runtime/interpreter/interpreter.cc:272:29: error: calling function 'GetMethod' requires holding mutex 'mutator_lock_' [-Werror,-Wthread-safety-analysis]
   ArtMethod* art_method =  shadow_frame.GetMethod();
                            ^
art/runtime/interpreter/interpreter.cc:273:30: error: calling function 'GetDexFile' requires holding mutex 'mutator_lock_' [-Werror,-Wthread-safety-analysis]
   const DexFile* dex_file = art_method->GetDexFile();
                             ^
4 errors generated.

还剩这两个错误 不知所云·:
art/runtime/interpreter/interpreter.cc:301:17: error: ignoring return value of function declared with warn_unused_result attribute [-Werror,-Wunused-result]
                write(save_path_fd,(void*)begin,(int)size);
                ^~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
art/runtime/interpreter/interpreter.cc:287:8: error: ignoring return value of function declared with warn_unused_result attribute [-Werror,-Wunused-result]
       read(cmd_line_fd,process_name,256);
       ^~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 errors generated.

亲测：只要增加的脱壳代码中调用了 open write 等函数 make始终不通过 而且报错特别奇怪

Aborting thread:
"main" prio=5 tid=1 Runnable (still starting up)
  | group="" sCount=0 dsCount=0 obj=(nil) self=0x55c9ff60b990
  | sysTid=70575 nice=0 cgrp=default sched=0/0 handle=0x2ab3c0711340
  | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
  | stack=0x7ffe2923a000-0x7ffe2923c000 stackSize=8MB
  | held mutexes= "abort lock" "linear alloc" "mutator lock"(shared held)
  native: (backtrace::Unwind failed for thread 70575: No map found)
  (no managed stack frames)
Dumping all threads without appropriate locks held: thread list lock
All threads:
dex2oatd E 70575 70575 art/runtime/base/mutex-inl.h:92] Lock level violation: holding "linear alloc" (level DefaultMutexLevel - 35) while locking "thread list lock" (level ThreadListLock - 49)
dex2oatd E 70575 70575 art/runtime/base/mutex-inl.h:92] Lock level violation: holding "abort lock" (level AbortLock - 5) while locking "thread list lock" (level ThreadListLock - 49)
DALVIK THREADS (8):
dex2oatd E 70575 70575 art/runtime/base/mutex-inl.h:92] Lock level violation: holding "linear alloc" (level DefaultMutexLevel - 35) while locking "thread list lock" (level ThreadListLock - 49)
dex2oatd E 70575 70575 art/runtime/base/mutex-inl.h:92] Lock level violation: holding "abort lock" (level AbortLock - 5) while locking "thread list lock" (level ThreadListLock - 49)
"main" prio=5 tid=1 Runnable (still starting up)
  | group="" sCount=0 dsCount=0 obj=(nil) self=0x55c9ff60b990
  | sysTid=70575 nice=0 cgrp=default sched=0/0 handle=0x2ab3c0711340
  | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
  | stack=0x7ffe2923a000-0x7ffe2923c000 stackSize=8MB
  | held mutexes= "abort lock" "linear alloc" "mutator lock"(shared held)
  native: (backtrace::Unwind failed for thread 70575: No map found)
  (no managed stack frames)

"Compiler driver thread pool worker thread 0" prio=5 tid=2 Native (still starting up)
  | group="" sCount=1 dsCount=0 obj=(nil) self=0x2ab3c80008c0
  | sysTid=70584 nice=0 cgrp=default sched=0/0 handle=0x2ab3c7e29700
  | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
  | stack=0x2ab3c7d29000-0x2ab3c7d2b000 stackSize=1028KB
  | held mutexes=
  kernel: (couldn't read /proc/self/task/70584/stack)
  native: (backtrace::Unwind failed for thread 70584: No map found)
  (no managed stack frames)

"Compiler driver thread pool worker thread 1" prio=5 tid=3 Native (still starting up)
  | group="" sCount=1 dsCount=0 obj=(nil) self=0x2ab3d00008c0
  | sysTid=70585 nice=0 cgrp=default sched=0/0 handle=0x2ab3c7f2a700
  | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
  | stack=0x2ab3c7e2a000-0x2ab3c7e2c000 stackSize=1028KB
  | held mutexes=
  kernel: (couldn't read /proc/self/task/70585/stack)
  native: (backtrace::Unwind failed for thread 70585: No map found)
  (no managed stack frames)

"Compiler driver thread pool worker thread 3" prio=5 tid=4 Native (still starting up)
  | group="" sCount=1 dsCount=0 obj=(nil) self=0x2ab3d40008c0
  | sysTid=70587 nice=0 cgrp=default sched=0/0 handle=0x2ab3cc201700
  | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
  | stack=0x2ab3cc101000-0x2ab3cc103000 stackSize=1028KB
  | held mutexes=
  kernel: (couldn't read /proc/self/task/70587/stack)
  native: (backtrace::Unwind failed for thread 70587: No map found)
  (no managed stack frames)

"Compiler driver thread pool worker thread 4" prio=5 tid=5 Native (still starting up)
  | group="" sCount=1 dsCount=0 obj=(nil) self=0x2ab3d80008c0
  | sysTid=70588 nice=0 cgrp=default sched=0/0 handle=0x2ab3cc302700
  | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
  | stack=0x2ab3cc202000-0x2ab3cc204000 stackSize=1028KB
  | held mutexes=
  kernel: (couldn't read /proc/self/task/70588/stack)
  native: (backtrace::Unwind failed for thread 70588: No map found)
  (no managed stack frames)

"Compiler driver thread pool worker thread 2" prio=5 tid=6 Native (still starting up)
  | group="" sCount=1 dsCount=0 obj=(nil) self=0x2ab3dc0008c0
  | sysTid=70586 nice=0 cgrp=default sched=0/0 handle=0x2ab3cc100700
  | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
  | stack=0x2ab3cc000000-0x2ab3cc002000 stackSize=1028KB
  | held mutexes=
  kernel: (couldn't read /proc/self/task/70586/stack)
  native: (backtrace::Unwind failed for thread 70586: No map found)
  (no managed stack frames)

"Compiler driver thread pool worker thread 5" prio=5 tid=7 Native (still starting up)
  | group="" sCount=1 dsCount=0 obj=(nil) self=0x2ab3e00008c0
  | sysTid=70589 nice=0 cgrp=default sched=0/0 handle=0x2ab3cc403700
  | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
  | stack=0x2ab3cc303000-0x2ab3cc305000 stackSize=1028KB
  | held mutexes=
  kernel: (couldn't read /proc/self/task/70589/stack)
  native: (backtrace::Unwind failed for thread 70589: No map found)
  (no managed stack frames)

"Compiler driver thread pool worker thread 6" prio=5 tid=8 Native (still starting up)
  | group="" sCount=1 dsCount=0 obj=(nil) self=0x2ab3e40008c0
  | sysTid=70590 nice=0 cgrp=default sched=0/0 handle=0x2ab3cc504700
  | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
  | stack=0x2ab3cc404000-0x2ab3cc406000 stackSize=1028KB
  | held mutexes=
  kernel: (couldn't read /proc/self/task/70590/stack)
  native: (backtrace::Unwind failed for thread 70590: No map found)
  (no managed stack frames)

dex2oatd E 70575 70575 art/runtime/thread-inl.h:108] holding "linear alloc" at point where thread suspension is expected
dex2oatd E 70575 70575 art/runtime/thread-inl.h:108] holding "abort lock" at point where thread suspension is expected
dex2oatd E 70575 70575 art/runtime/base/mutex-inl.h:92] Lock level violation: holding "linear alloc" (level DefaultMutexLevel - 35) while locking "mutator lock" (level MutatorLock - 60)
dex2oatd E 70575 70575 art/runtime/base/mutex-inl.h:92] Lock level violation: holding "abort lock" (level AbortLock - 5) while locking "mutator lock" (level MutatorLock - 60)
dex2oatd F 70575 70575 art/runtime/runtime_linux.cc:336]*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Fatal signal 6 (SIGABRT), code -6 (SI_TKILL)
OS: Linux 4.4.0-142-generic (x86_64)
Cmdline: out/host/linux-x86/bin/dex2oatd --runtime-arg -Xms64m --runtime-arg -Xmx64m --image-classes=frameworks/base/preloaded-classes --dex-file=out/target/common/obj/JAVA_LIBRARIES/core-oj_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/core-libart_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/conscrypt_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/okhttp_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/core-junit_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/bouncycastle_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/ext_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/framework_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/telephony-common_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/voip-common_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/ims-common_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/apache-xml_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/org.apache.http.legacy.boot_intermediates/javalib.jar --dex-location=/system/framework/core-oj.jar --dex-location=/system/framework/core-libart.jar --dex-location=/system/framework/conscrypt.jar --dex-location=/system/framework/okhttp.jar --dex-location=/system/framework/core-junit.jar --dex-location=/system/framework/bouncycastle.jar --dex-location=/system/framework/ext.jar --dex-location=/system/framework/framework.jar --dex-location=/system/framework/telephony-common.jar --dex-location=/system/framework/voip-common.jar --dex-location=/system/framework/ims-common.jar --dex-location=/system/framework/apache-xml.jar --dex-location=/system/framework/org.apache.http.legacy.boot.jar --oat-symbols=out/target/product/bullhead/symbols/system/framework/arm/boot.oat --oat-file=out/target/product/bullhead/dex_bootjars/system/framework/arm/boot.oat --oat-location=/system/framework/arm/boot.oat --image=out/target/product/bullhead/dex_bootjars/system/framework/arm/boot.art --base=0x70000000 --instruction-set=arm --instruction-set-variant=cortex-a53.a57 --instruction-set-features=default --android-root=out/target/product/bullhead/system --include-patch-information --runtime-arg -Xnorelocate --no-generate-debug-info --multi-image --no-inline-from=core-oj.jar --generate-mini-debug-info --generate-mini-debug-info --compile-pic --compiled-classes=frameworks/base/compiled-classes-phone
Thread: 70575 "<unknown>"
Registers:
    rax: 0x0000000000000000    rbx: 0x00000000000113af    rcx: 0x00002ab3c1d3b3c9    rdx: 0x0000000000000006
    rdi: 0x00000000000113af    rsi: 0x00000000000113af    rbp: 0x00007ffe29a38430    rsp: 0x00007ffe29a383e8
    r8 : 0x000055c9fe450310    r9 : 0x000055c9fe450310    r10: 0x20726f746174756d    r11: 0x0000000000000246
    r12: 0x000055c9ff43e0c1    r13: 0x00007ffe29a38528    r14: 0x000055ca0027afa0    r15: 0x00000000000113af
    rip: 0x00002ab3c1d3b3c9    eflags: 0x00000246 [ PF ZF IF ]
     cs: 0x00000033     gs: 0x00000000     fs: 0x00000000

Backtrace:
       (backtrace::Unwind failed for thread 70575: No map found)
dex2oatd F 70575 70575 art/runtime/runtime_linux.cc:359]Fault message: /bin/bash: line 1: 70575 Aborted                 (core dumped) ( ANDROID_LOG_TAGS="*:e" out/host/linux-x86/bin/dex2oatd --runtime-arg -Xms64m --runtime-arg -Xmx64m --image-classes=frameworks/base/preloaded-classes --dex-file=out/target/common/obj/JAVA_LIBRARIES/core-oj_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/core-libart_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/conscrypt_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/okhttp_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/core-junit_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/bouncycastle_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/ext_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/framework_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/telephony-common_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/voip-common_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/ims-common_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/apache-xml_intermediates/javalib.jar --dex-file=out/target/common/obj/JAVA_LIBRARIES/org.apache.http.legacy.boot_intermediates/javalib.jar --dex-location=/system/framework/core-oj.jar --dex-location=/system/framework/core-libart.jar --dex-location=/system/framework/conscrypt.jar --dex-location=/system/framework/okhttp.jar --dex-location=/system/framework/core-junit.jar --dex-location=/system/framework/bouncycastle.jar --dex-location=/system/framework/ext.jar --dex-location=/system/framework/framework.jar --dex-location=/system/framework/telephony-common.jar --dex-location=/system/framework/voip-common.jar --dex-location=/system/framework/ims-common.jar --dex-location=/system/framework/apache-xml.jar --dex-location=/system/framework/org.apache.http.legacy.boot.jar --oat-symbols=out/target/product/bullhead/symbols/system/framework/arm/boot.oat --oat-file=out/target/product/bullhead/dex_bootjars/system/framework/arm/boot.oat --oat-location=/system/framework/arm/boot.oat --image=out/target/product/bullhead/dex_bootjars/system/framework/arm/boot.art --base=0x70000000 --instruction-set=arm --instruction-set-variant=cortex-a53.a57 --instruction-set-features=default --android-root=out/target/product/bullhead/system --include-patch-information --runtime-arg -Xnorelocate --no-generate-debug-info --multi-image --no-inline-from=core-oj.jar --generate-mini-debug-info --generate-mini-debug-info --compile-pic --compiled-classes=frameworks/base/compiled-classes-phone )
ninja: build stopped: subcommand failed.
make: *** [ninja_wrapper] Error 1

#### make failed to build some targets (01:22 (mm:ss)) ####

万里星河 Aborting thread: "main" prio=5 tid=1 Runnable (still starting up) | group="" ...

不调用这些函数一切正常

万里星河 亲测：只要增加的脱壳代码中调用了 open write 等函数 make始终不通过 而且报错特别奇怪

不调用这些函数一切正常

卧槽 玄学了 为毛修改的函数居然在make的时候会自己执行呀？我无意间加了个printf 居然在make的过程中输出了 还输出了很多很多次 不应该啊卧槽 ./art/runtime/interpreter/interpreter.cc的Execute函数在make期间还会自己执行？ 这尼玛

static inline JValue Execute(Thread* self,const DexFile::CodeItem* code_item,ShadowFrame& shadow_frame,JValue result_register,bool stay_in_interpreter = false) SHARED_REQUIRES (Locks::mutator_lock_) {
   //add my code start
   int pid = getpid();
   printf("pid:%d\n",pid);
   ArtMethod* art_method =  shadow_frame.GetMethod();
   const DexFile* dex_file = art_method->GetDexFile();
   //const uint8_t* Begin() const;
   const uint8_t* begin = dex_file->Begin();
   printf("begin:%p\n",begin);
   //size_t largest range of specific target
   //size_t Size() const;
   size_t size = dex_file->Size();
   printf("size:%d\n",(int)size);
   char* save_path = (char*)malloc(sizeof(char) * 1000);
   if(save_path != nullptr){
     char* cmd_line = (char*)malloc(sizeof(char) * 64);
     char* process_name = (char*)malloc(sizeof(char) * 128);
     sprintf(cmd_line,"/proc/%d/cmdline",pid);
     //int cmd_line_fd = open(cmd_line,O_RDONLY);
     free(cmd_line);
     free(process_name);
     //if(cmd_line_fd != -1){
       //int ret = read(cmd_line_fd,process_name,256);
       //printf("read bytes:%d",ret);
       //close(cmd_line_fd);
       //if(*process_name){
          //memset(save_path,0,1000);
          //sprintf(save_path,"/sdcard/%s_%d_dexfile.dex",process_name,(int)size);
          //free(process_name);
          //int save_path_fd = open(save_path,O_RDONLY,0666);
          //if(save_path_fd != -1){
             // close(save_path_fd);
              //free(save_path);  
         // }else{
              //save_path_fd = open(save_path,O_CREAT|O_APPEND|O_RDWR,0666);
              //free(save_path);
              //if(save_path_fd != -1){
                //if(write(save_path_fd,(char*)begin,(int)size) == (int)size){
                   //fsync(save_path_fd);
                   //close(save_path_fd);
                //}else{
                  // fsync(save_path_fd);
                   //close(save_path_fd);
               //}
             //}
         //}
       //}
    //}
  }
  //add my code end
}

[ 44% 179/402] build out/target/product/bullhead/obj/APPS/PrintSpooler_intermediates/oat/arm64/package.odex
pid:85847
begin:0x71718034
size:3557104
pid:85847
begin:0x71718034
size:3557104
pid:85847
begin:0x70dc5030
size:4021036
pid:85847
begin:0x70dc5030
size:4021036
[ 45% 181/402] build out/target/product/bullhead/obj/APPS/WAPPushManager_intermediates/oat/arm64/package.odex
pid:85913
begin:0x71718034
size:3557104
pid:85913
begin:0x71718034
size:3557104
pid:85913
begin:0x70dc5030
size:4021036
pid:85913
begin:0x70dc5030
size:4021036
[ 45% 183/402] build out/target/product/bullhead/obj/APPS/WallpaperBackup_intermediates/oat/arm64/package.odex

大概知道为啥了 这个编译好了在build的过程中居然真的会调用 从而去optimize系统自身的dex

那为啥加了open会编译不通过呀