[Source code compilation] android 10.0.0_r2 for Pixel 2 XL on ubuntu20.04-server

foreword

Thanks to the earlier compilation tutorials on Kanxue, Jianshu, CSDN and other platforms, and thanks to Google for making Android compilation easier and easier. In the past, compilation basically ran into all kinds of problems, but now it goes straight through in one step, super smoothly.

Configuration Environment

  • ubuntu20.04-server (switched to the Tsinghua mirror)
  • 4 cores
  • 8G RAM
  • 2T disk
  • physical host
  • A proxy is necessary and must be fast enough; above 20Mb/s is recommended
  • A Pixel 2 XL phone
  • proxychains configured

choose branch

Here I choose android-10.0.0_r2 because I have seen this branch used in several reverse-engineering tutorials, so choosing it makes reverse analysis easier. As for the specific reason, I guess that this branch supports more models. Supported models: Pixel 3a XL, Pixel 3a, Pixel 3 XL, Pixel 3, Pixel 2 XL, Pixel 2, Pixel XL, Pixel. Everything from Pixel to Pixel 3 is supported, and I use a Pixel 2 XL.

Note: The branch needs to match the device model; not every branch can be flashed to a given model. See the specific matching list: Here

download source code

sudo apt-get update

sudo apt-get install git-core gnupg flex bison build-essential zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev-i386 libncurses5-dev lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z1-dev libgl1-mesa-dev libxml2-utils xsltproc unzip fontconfig python

mkdir ~/bin
export PATH=~/bin:$PATH

proxychains curl https://storage.googleapis.com/git-repo-downloads/repo -o ~/bin/repo
chmod a+x ~/bin/repo

mkdir WORKING_DIRECTORY
cd WORKING_DIRECTORY

git config --global user.name "Your Name"
git config --global user.email you@example.com

# For the tag name to use after -b, see: https://source.android.com/setup/start/build-numbers#source-code-tags-and-builds
proxychains repo init -u https://android.googlesource.com/platform/manifest -b android-10.0.0_r2

# Choose the number after -j according to the machine's performance
proxychains repo sync -c -j8

Import device driver (optional, needed to flash into real device)

  • Download the corresponding driver file for Pixel 2 XL, address: taimenqp1a.190711.020
  • Put the two compressed packages into the source code root directory
  • Execute the decompression command tar -zxvf xxxxx.tgz
  • Execute the decompressed sh file. The text usually ends at 8.e., and at the end you are asked to type I ACCEPT; do not press Enter too fast, otherwise the prompt will be skipped
  • After execution, you can find the vendor directory in the root directory of the source code

Configure jdk

Before android-8.1.0_r1 you need to install the JDK yourself; after that it ships with the source code (path: prebuilts/jdk), so you don't need to configure the JDK after android-8.0.0_r1.

build source code

cd WORKING_DIRECTORY

sudo apt-get install libncurses5

export _JAVA_OPTIONS="-Xmx4g"

source build/envsetup.sh

lunch aosp_taimen-user

m 

Here, m is run repeatedly: if an error is reported, run it again. If the error comes with a repair prompt, follow the prompt; otherwise just keep running m, as long as the error is not the same every time.

Flash the image

cd WORKING_DIRECTORY/out/target/product/taimen/
fastboot flashall -w

Flash the image (compiled on a remote server, local Windows) (on Xshell 5)

  • Under Xshell
cd WORKING_DIRECTORY/out/target/product/taimen/
sz *.txt
sz *.img
  • Under Windows, switch to the directory downloaded by the sz command, open cmd in this directory, and execute the following commands
set ANDROID_PRODUCT_OUT=./
fastboot flashall -w

Compile the Pixel 2 XL kernel

The kernel source code is not in AOSP; it needs to be downloaded separately (about 4.35GB).
The kernel differs for each model. For details, see: https://source.android.google.cn/setup/build/building-kernels?hl=zh-cn

download source code

mkdir android-msm-wahoo-4.4-android10-qpr3

cd android-msm-wahoo-4.4-android10-qpr3

proxychains repo init -u https://android.googlesource.com/kernel/manifest -b android-msm-wahoo-4.4-android10-qpr3

proxychains repo sync -c -j8

Switch to the specified commitId

This commitId can be obtained by checking the kernel version of the mobile phone, usually in the form of -g{commitId}

  • Display the commit details, full_commitId is included in the details
repo forall -c 'git show $commitId'
  • switch to this commit
repo forall -c 'git reset --hard $full_commitId'

Compile the source code

# openssl/bio.h file not found
sudo apt-get install libssl-dev

# soong_zip: command not found
export PATH=/mnt/d/tool/android/android-10.0.0_r2/out/soong/host/linux-x86/bin:$PATH

build/build.sh

replace the aosp kernel

Use the kernel compiled above in AOSP. The kernel is specified by the environment variable TARGET_PREBUILT_KERNEL, which makes it easy to switch kernels dynamically. For details, see: https://source.android.google.cn/setup/build/building-kernels?hl=zh-cn#running

cd android-10.0.0_r2

# First initialize the AOSP build environment; see the AOSP build steps above

export TARGET_PREBUILT_KERNEL=/mnt/d/tool/android/kernel/android-msm-wahoo-4.4-android10-qpr3/out/android-msm-wahoo-4.4/dist/Image.lz4-dtb

m bootimage

After that, follow the flashing steps above to flash the image as usual.

Customization

  • modify the code
  • m <target module>
  • make snod (compile system.img, ignore dependencies)
  • m
  • To check the system log while customizing: dmesg | grep <tag> or cat /proc/kmsg | grep <tag>

The <target module> here refers to the module name in the bp file. If the executable is a module with the cc_binary{} structure in the bp file, its name attribute is the module name. If it is a library, look for the entry starting with cc_library; if it is an app, look for the one starting with android_app, and so on.

Modify system.img

Because the module is in use while the system is running, it cannot be overwritten at that time. Of course, you can also directly overwrite the entire system.img file, but the official Google firmware is definitely different from the firmware we compiled, and you can see the difference; presumably some private things have been added on top of the original system source code. You can also try to overwrite files in recovery mode, but after actually testing TWRP in recovery mode, many problems occur: the encrypted data partition needs to be formatted, system cannot be mounted, and so on.
In the end, the only feasible solution is to modify the system.img file.

audit2allow runtime fixes

sudo apt-get install python2
sudo rm -f /usr/bin/python
sudo ln -s /usr/bin/python2 /usr/bin/python

root authority

// see reference

Enable USB debugging by default (persist.sys.usb.config is still none to prevent usb connection detection)

  • Enable USB debugging
//android-10.0.0_r2/frameworks/base/services/core/java/com/android/server/adb/AdbService.java#119
                // mAdbEnabled = containsFunction(
                //         SystemProperties.get(USB_PERSISTENT_CONFIG_PROPERTY, ""),
                //         UsbManager.USB_FUNCTION_ADB);
                mAdbEnabled = true;

  • Automatically handle USB verification
//android-10.0.0_r2/frameworks/base/packages/SystemUI/src/com/android/systemui/usb/UsbDebuggingActivity.java#onCreate()
    @Override
    public void onCreate(Bundle icicle) {
        //......
        setupAlert();
        //....
        mAlert.getButton(BUTTON_POSITIVE).setOnTouchListener(filterTouchListener);
        // added code
        try {
            IBinder b = ServiceManager.getService(ADB_SERVICE);
            IAdbManager service = IAdbManager.Stub.asInterface(b);
            service.allowDebugging(true, mKey);
        } catch (Exception e) {
            Log.e(TAG, "Unable to notify Usb service", e);
        }
        finish();
    }

Make the release key

  • Create create_key.sh in the root directory of the source code
#create_key.sh
# emailAddress is a placeholder value; use your own
subject='/C=CN/ST=Shanghai/L=Shanghai/O=marto/OU=marto/CN=marto.cc/emailAddress=you@example.com'
# make_key writes into this directory, so it must exist first
mkdir -p ~/.android-certs
for x in releasekey platform shared media networkstack;
do
  ./development/tools/make_key ~/.android-certs/$x "$subject";
done

  • In the source code root directory, run cp -r ~/.android-certs/releasekey.* build/target/product/security/
  • Change testkey to releasekey
# build/core/config.mk

# The default key if not set as LOCAL_CERTIFICATE
ifdef PRODUCT_DEFAULT_DEV_CERTIFICATE
  DEFAULT_SYSTEM_DEV_CERTIFICATE := $(PRODUCT_DEFAULT_DEV_CERTIFICATE)
else
  DEFAULT_SYSTEM_DEV_CERTIFICATE := build/target/product/security/releasekey
endif
.KATI_READONLY := DEFAULT_SYSTEM_DEV_CERTIFICATE

# build/core/Makefile

# The "test-keys" tag marks builds signed with the old test keys,
# which are available in the SDK.  "dev-keys" marks builds signed with
# non-default dev keys (usually private keys from a vendor directory).
# Both of these tags will be removed and replaced with "release-keys"
# when the target-files is signed in a post-build step.
ifeq ($(DEFAULT_SYSTEM_DEV_CERTIFICATE),build/target/product/security/releasekey)
BUILD_KEYS := release-keys
else
BUILD_KEYS := dev-keys
endif

  • Run m -j4 to recompile

Modify device properties

Hidden BL Unlock

System property access trace

//bionic/libc/bionic/system_property_api.cpp

#include <async_safe/log.h>

__BIONIC_WEAK_FOR_NATIVE_BRIDGE
const prop_info* __system_property_find(const char* name) {
  char value[PROP_VALUE_MAX] = {0};
  system_properties.Get(name, value);
  async_safe_format_log(ANDROID_LOG_ERROR,
             "marto","call __system_property_find %s -> %s",name,value);
  return system_properties.Find(name);
}

__BIONIC_WEAK_FOR_NATIVE_BRIDGE
int __system_property_read(const prop_info* pi, char* name, char* value) {
  int ret= system_properties.Read(pi, name, value);
  async_safe_format_log(ANDROID_LOG_ERROR,
             "marto","call __system_property_read %s -> %s",name,value);
  return ret;
}

__BIONIC_WEAK_FOR_NATIVE_BRIDGE
int __system_property_get(const char* name, char* value) {
  int ret= system_properties.Get(name, value);
  async_safe_format_log(ANDROID_LOG_ERROR,
             "marto","call __system_property_get %s -> %s",name,value);
  return ret;
}


Enable application debuggable (ro.debuggable is still 0)

//frameworks/base/core/java/android/content/pm/PackageParser.java#parseBaseApplication()

       // if (sa.getBoolean(
       //         com.android.internal.R.styleable.AndroidManifestApplication_debuggable,
       //         false)) {
            ai.flags |= ApplicationInfo.FLAG_DEBUGGABLE;
            // Debuggable implies profileable
            ai.privateFlags |= ApplicationInfo.PRIVATE_FLAG_PROFILEABLE_BY_SHELL;
       // }

Modify the default sleep time of the screen (unit: ms)

<!-- frameworks/base/packages/SettingsProvider/res/values/defaults.xml  -->
    <integer name="def_screen_off_timeout">36000000</integer>

Screen lock defaults to "none"

<!-- frameworks/base/packages/SettingsProvider/res/values/defaults.xml  -->
<bool name="def_lockscreen_disabled">true</bool>

Modify the default language to Chinese

# build/tools/buildinfo.sh

# ..........

echo "# end build properties"

echo "# custom build properties"

echo "# default language"
echo "ro.product.locale=zh_CN"
echo "ro.product.locale.language=zh"
echo "ro.product.locale.region=CN"
echo "persist.sys.language=zh"
echo "persist.sys.country=CN"
echo "persist.sys.timezone=Asia/Shanghai"


echo "# end custom build properties"

ptrace trace

//bionic/libc/bionic/ptrace.cpp

#include <async_safe/log.h>

long ptrace(int req, ...) {
  //......

  va_end(args);

  // %p already prints the 0x prefix, so it is not repeated in the format string
  async_safe_format_log(ANDROID_LOG_ERROR,
             "marto","call ptrace pid:%d,addr:%p",pid,addr);

  long result = __ptrace(req, pid, addr, data);
  if (is_peek && result == 0) {
    return peek_result;
  }
  return result;
}
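
The hooks in "System property access trace" and "ptrace trace" both write lines tagged marto to logcat. The following is an added example, not part of the original post, that groups those lines by calling PID so you can see which process read which properties and which one called ptrace. The log lines are constructed in logcat threadtime layout, and the WATCHED list is an assumption.

```python
import re
from collections import defaultdict

# Constructed logcat lines (threadtime layout) in the shape the hooks above emit.
SAMPLE_LOG = """\
10-25 12:00:01.100  4321  4321 E marto   : call __system_property_get ro.debuggable -> 0
10-25 12:00:01.101  4321  4321 E marto   : call __system_property_find ro.build.tags -> release-keys
10-25 12:00:01.102  4321  4350 E marto   : call __system_property_read (null) -> release-keys
10-25 12:00:01.200  4321  4350 E marto   : call ptrace pid:0,addr:0x0
10-25 12:00:02.000   987   987 E marto   : call __system_property_get persist.sys.timezone -> Asia/Shanghai
10-25 12:00:02.500  4321  4321 I ActivityManager: unrelated line
"""

# date, time, pid, tid, level E, tag "marto", then the message after "call ".
LINE_RE = re.compile(r"^\S+\s+\S+\s+(\d+)\s+(\d+)\s+E\s+marto\s*:\s+call\s+(.*)$")
PROP_RE = re.compile(r"^__system_property_(find|read|get) (\S+) ->\s?(.*)$")
# Tolerates a doubled 0x prefix, which a "0x%p" format string produces.
PTRACE_RE = re.compile(r"^ptrace pid:(-?\d+),addr:((?:0x)*[0-9a-fA-F]+)$")

# Assumed watch list: properties that describe build type or debug state.
WATCHED = {"ro.debuggable", "ro.secure", "ro.build.tags", "ro.build.type"}

def summarize(log_text):
    """Group hook output by calling PID: properties read and ptrace calls."""
    report = defaultdict(lambda: {"props": {}, "watched": set(), "ptrace": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, body = int(m.group(1)), m.group(3)
        entry = report[pid]
        p = PROP_RE.match(body)
        if p:
            _, name, value = p.groups()
            if name == "(null)":  # __system_property_read called with name == nullptr
                continue
            entry["props"][name] = value
            if name in WATCHED:
                entry["watched"].add(name)
            continue
        t = PTRACE_RE.match(body)
        if t:
            entry["ptrace"].append((int(t.group(1)), t.group(2)))
    return dict(report)

if __name__ == "__main__":
    for pid, info in sorted(summarize(SAMPLE_LOG).items()):
        print(pid, sorted(info["watched"]), len(info["ptrace"]), "ptrace call(s)")
```

On a device, feed it the output of adb logcat -d -v threadtime -s marto instead of SAMPLE_LOG.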

getenforce forced to return Enforcing

reference

Origin blog.csdn.net/qq_26914291/article/details/127512748