首页
社区
课程
招聘
[分享]解决magisk adb root失败 开启系统调试模式
发表于: 2023-4-20 01:36 15989

[分享]解决magisk adb root失败 开启系统调试模式

2023-4-20 01:36
15989

打工人打工魂打工都是人上人

打工人们好
前言:

  1. 最近工作中遇到需要Android执行sh脚本,app调试等问题.
  2. 官方的系统镜像安装magisk之后adb root之后报adbd cannot run as root in production builds

尝试查看系统源码解决

  1. packages/modules/adb/daemon/restart_service.cpp中找到报错信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
void restart_root_service(unique_fd fd) {
    if (getuid() == 0) {
        WriteFdExactly(fd.get(), "adbd is already running as root\n");
        return;
    }
    if (!__android_log_is_debuggable()) {
        WriteFdExactly(fd.get(), "adbd cannot run as root in production builds\n");
        return;
    }
 
    LOG(INFO) << "adbd restarting as root";
    android::base::SetProperty("service.adb.root", "1");
    WriteFdExactly(fd.get(), "restarting adbd as root\n");
}
1
可以看到`__android_log_is_debuggable()` 校验了`ro.debuggable` 我尝试通过`magisk resetprop ro.debuggable 1 和 stop && start` 结果并没有成功.

解决方案

方案一 修改adb daemon 使其不降权

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
static void drop_privileges(int server_port) {
    ScopedMinijail jail(minijail_new());
 
    gid_t groups[] = {AID_ADB,          AID_LOG,          AID_INPUT,    AID_INET,
                      AID_NET_BT,       AID_NET_BT_ADMIN, AID_SDCARD_R, AID_SDCARD_RW,
                      AID_NET_BW_STATS, AID_READPROC,     AID_UHID,     AID_EXT_DATA_RW,
                      AID_EXT_OBB_RW,   AID_READTRACEFS};
    minijail_set_supplementary_gids(jail.get(), arraysize(groups), groups);
 
    // Don't listen on a port (default 5037) if running in secure mode.
    // Don't run as root if running in secure mode.
    if (should_drop_privileges()) { // 判断是否降权 修改false 就行
        const bool should_drop_caps = !__android_log_is_debuggable();
 
        if (should_drop_caps) {
            minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID));
        }
 
        minijail_change_gid(jail.get(), AID_SHELL);
        minijail_change_uid(jail.get(), AID_SHELL);
        // minijail_enter() will abort if any priv-dropping step fails.
        minijail_enter(jail.get());
 
        // Whenever ambient capabilities are being used, minijail cannot
        // simultaneously drop the bounding capability set to just
        // CAP_SETUID|CAP_SETGID while clearing the inheritable, effective,
        // and permitted sets. So we need to do that in two steps.
        using ScopedCaps =
            std::unique_ptr<std::remove_pointer<cap_t>::type, std::function<void(cap_t)>>;
        ScopedCaps caps(cap_get_proc(), &cap_free);
        if (cap_clear_flag(caps.get(), CAP_INHERITABLE) == -1) {
            PLOG(FATAL) << "cap_clear_flag(INHERITABLE) failed";
        }
        if (cap_clear_flag(caps.get(), CAP_EFFECTIVE) == -1) {
            PLOG(FATAL) << "cap_clear_flag(PEMITTED) failed";
        }
        if (cap_clear_flag(caps.get(), CAP_PERMITTED) == -1) {
            PLOG(FATAL) << "cap_clear_flag(PEMITTED) failed";
        }
        if (cap_set_proc(caps.get()) != 0) {
            PLOG(FATAL) << "cap_set_proc() failed";
        }
 
        D("Local port disabled");
    } else {
        // minijail_enter() will abort if any priv-dropping step fails.
        minijail_enter(jail.get());
 
        if (root_seclabel != nullptr) {
            if (selinux_android_setcon(root_seclabel) < 0) {
                // If we failed to become root, don't try again to avoid a
                // restart loop.
                android::base::SetProperty("service.adb.root", "0");
                LOG(FATAL) << "Could not set SELinux context";
            }
        }
    }
}
1
这种方式对于我这种打工人来说时间成本考虑还是略显臃肿不优雅

方案二 通过magisk模块去支持

这里参考了一篇大佬的分析文章Magisk 环境下增加 adb root 功能,文章提供了一段sh脚本亲测有效

1
2
3
4
5
6
7
8
#!/system/bin/sh
su -c "resetprop ro.debuggable 1"
su -c "resetprop ro.boot.verifiedbootstate orange" # 修改解锁状态
su -c "resetprop service.adb.root 1" # 减少调用 adb root
su -c "magiskpolicy --live 'allow adbd adbd process setcurrent'" # 配置缺少的权限
su -c "magiskpolicy --live 'allow adbd su process dyntransition'" # 配置缺少的权限
su -c "magiskpolicy --live 'permissive { su }'" # 将 su 配置为 permissive,防止后续命令执行缺少权限
su -c "pkill -9 adbd" # 杀掉 adbd

刚好之前研究过magisk模块编写于是打算写成一个模块fixadbroot下载地址
这里有一个坑由于我使用了Shamiko模块导致ro.debuggable=0 加上最近经常需要调试app,修改了Shamiko模块修改为可调试版本.

 

注意
如果安装了shamiko 需关闭才可生效.由于shamiko模块中有校验完整性暂时不处理.

也有一个小小问题

在看大佬文章的时候,有个疑问,应该是dmesg但是我没触发或者发现

  1. 缺少 SELinux 权限 下面这段信息是从哪获取到的,我尝试dmesg logcat都没有发现
    1
    2
    [ 5252.630174] type=1400 audit(1626010790.323:6145): avc: denied { setcurrent } for comm="adbd" scontext=u:r:adbd:s0 tcontext=u:r:adbd:s0 tclass=process permissive=1
    [ 5252.630353] type=1400 audit(1626010790.323:6146): avc: denied { dyntransition } for comm="adbd" scontext=u:r:adbd:s0 tcontext=u:r:su:s0 tclass=process permissive=1

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

最后于 2023-4-21 00:29 被iyue_t编辑 ,原因: so还存在校验,暂时不处理.
上传的附件:
收藏
免费 2
支持
分享
最新回复 (3)
雪    币: 2428
活跃值: (10698)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
TQL
2023-4-20 09:26
0
雪    币: 1671
活跃值: (215852)
能力值: ( LV4,RANK:40 )
在线值:
发帖
回帖
粉丝
3
tql
2023-4-20 11:30
0
雪    币: 0
活跃值: (738)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
感谢分享
2023-11-30 15:57
0
游客
登录 | 注册 方可回帖
返回
//