diff --git a/chapter-02/README.md b/chapter-02/README.md index ff0bf12..7b18cc3 100644 --- a/chapter-02/README.md +++ b/chapter-02/README.md @@ -501,7 +501,7 @@ make bootimage adb reboot bootloader // 设置刷机包的路径到环境变量 -export ANDROID_PRODUCT_OUT=/home/king/android_src/mikrom_out/target/product/blueline +export ANDROID_PRODUCT_OUT=~/android_src/mikrom_out/target/product/blueline // 查询fastboot是否能成功看到设备 fastboot devices @@ -520,7 +520,7 @@ fastboot flashall -w adb reboot bootloader // 进入编译结果的目录 -cd /home/king/android_src/mikrom_out/target/product/blueline +cd ~/android_src/mikrom_out/target/product/blueline // 单独刷入内核 fastboot flash boot ./boot.img @@ -1039,7 +1039,7 @@ LOG_FILE_PATH = os.path.join(ROOT, "push.log") MANIFEST_XML_PATH_NAME_RE = re.compile(r"[^\"]+)\"\s+name=\"(?P[^\"]+)\"\s+", re.DOTALL) # 设置源码路径 -SOURCE_CODE_ROOT = "/home/king/android_src/android12_r3/" +SOURCE_CODE_ROOT = "~/android_src/android12_r3/" # 设置gitlab仓库的根目录分组 REMOTE = "git@192.168.2.189:android12_r3/" manifest_xml_project_paths = [] diff --git a/chapter-03/README.md b/chapter-03/README.md index b4a53b0..5620ca2 100644 --- a/chapter-03/README.md +++ b/chapter-03/README.md @@ -1603,7 +1603,7 @@ lunch aosp_blueline-userdebug // 多线程编译 make -j$(nproc --all) // 设置刷机目录 -export ANDROID_PRODUCT_OUT=/home/king/android_src/mikrom_out/target/product/blueline +export ANDROID_PRODUCT_OUT=~/android_src/mikrom_out/target/product/blueline // 手机重启进入bootloader adb reboot bootloader // 查看手机是否已经进入bootloader了 diff --git a/chapter-05/README.md b/chapter-05/README.md index fd45943..6e17bfb 100644 --- a/chapter-05/README.md +++ b/chapter-05/README.md @@ -665,14 +665,14 @@ adb reboot bootloader flashflash all -w // 等待刷机完成,开始检查内置结果 -adb shell - +adb shell + ls -all /system/lib |grep libmy -rw-r--r-- 1 root root 153056 2023-03-09 21:25:52.000000000 +0800 libmysodemo.so cd /system/framework/mysodemo/ - + ls -all -rw-r--r-- 1 root root 7937264 2023-03-09 20:58:40.000000000 +0800 mysodemo.jar 
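Review bot: In the chapter-02 hunk at line 1039 the new `SOURCE_CODE_ROOT = "~/android_src/android12_r3/"` is a Python string, and Python does not expand `~`, so unless the script expands it somewhere outside this hunk the path resolves to a literal `~` directory under the current working directory. `SOURCE_CODE_ROOT = os.path.expanduser("~/android_src/android12_r3/")` still keeps the username out of the text and resolves correctly (`os` is already used on the context line above). The same defect appears in the chapter-09 CMake hunks, where `set(DobbyHome ~/git_src/Dobby)` and `add_subdirectory(~/git_src/Dobby dobby.build)` are not tilde-expanded by CMake and would work as `$ENV{HOME}/git_src/Dobby`. It also appears in the chapter-11 hunk, where the single quotes around `'~/Android/Sdk/...'` stop the shell from expanding the tilde before `adb push` sees it; dropping the quotes or writing `"$HOME/Android/Sdk/..."` fixes that. The unquoted shell uses (`export ANDROID_PRODUCT_OUT=~/...`, `cd ~/...`, `cp ... ~/...`) are fine as written.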
@@ -688,7 +688,7 @@ mysodemo.jar: Zip archive data protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); - + // 加载jar文件 String jarPath = "/system/framework/mysodemo/mysodemo.jar"; ClassLoader systemClassLoader=ClassLoader.getSystemClassLoader(); @@ -773,7 +773,7 @@ fKzQVKiWNTnDew== openssl x509 -inform DER -in chls.cer -text > d37a53cc.0 // 将证书拷贝到源码的系统证书目录 -cp d37a53cc.0 /home/king/android_src/mikrom12_gitlab/system/ca-certificates/files +cp d37a53cc.0 ~/android_src/mikrom12_gitlab/system/ca-certificates/files ``` ​ 除了这种转换方式,还有另一种更加简便的办法,首先将证书作为用户证书安装,直接将Charles导出的证书上传到手机,在手机中找到`Setting->Security->Encryption & credentials-> install a certificate`最后选中证书完成安装,然后来到用户证书目录` /data/misc/user/0/cacerts-added`中,刚刚导入的证书会被转换好作为用户证书放在这里,将其从手机中传出来,放入源码中的系统证书目录即可。如果你不知道哪个证书名对应你刚刚手动安装的证书,可以直接将全部证书都放入系统证书目录。 @@ -817,7 +817,7 @@ extracting public keys for embedding ``` // 生成release.pk8 -/home/king/android_src/mikrom12_gitlab/development/tools/make_key releasekey '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com' +~/android_src/mikrom12_gitlab/development/tools/make_key releasekey '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com' // 将 DER 格式的 releasekey.pk8 私钥文件转换为 PEM 格式,并输出到 releasekey.pem 文件中 openssl pkcs8 -inform DER -nocrypt -in releasekey.pk8 -out releasekey.pem @@ -863,7 +863,7 @@ endif adb shell // 切换到root权限 -su +su //查看设备信息内容中包括-key的 cat /system/build.prop |grep "\-key" @@ -956,7 +956,7 @@ int adb_commandline(int argc, const char** argv) { argv++; } ... - + if (is_server) { // 首先检查是否要启用守护进程模式 if (no_daemon || is_daemon) { @@ -1063,7 +1063,7 @@ int adb_commandline(int argc, const char** argv) { return adb_send_emulator_command(argc, argv, serial); } else if (!strcmp(argv[0], "shell")) { return adb_shell(argc, argv); - } + } ... } 
@@ -1116,7 +1116,7 @@ int main(int argc, char** argv) { int adbd_main(int server_port) { umask(0); signal(SIGPIPE, SIG_IGN); - + #if defined(__BIONIC__) ... #endif @@ -1314,6 +1314,6 @@ bool adbd_auth_verify(const char* token, size_t token_size, const std::string& s ​ 将这个函数改为一律返回true,同样可以做到默认开启调试,无需再进行手动的授权。 -​ +​ -​ +​ diff --git a/chapter-06/README.md b/chapter-06/README.md index e454958..f08e903 100644 --- a/chapter-06/README.md +++ b/chapter-06/README.md @@ -321,7 +321,7 @@ const void* ClassLinker::RegisterNative( ​ 前文简单介绍ROM插桩其实就是输出日志,找到了合适的时机,以及要输出的内容,最后就是输出日志即可。在函数`ClassLinker::RegisterNative`调用结束时插入日志输出如下 ```c++ -#inclue +#inclue const void* ClassLinker::RegisterNative( Thread* self, ArtMethod* method, const void* native_method) { ... @@ -536,7 +536,7 @@ public final class MikRomManager { ```java private void startOtherServices(@NonNull TimingsTraceAndSlog t) { - + ... t.traceBegin("StartNetworkStatsService"); try { @@ -546,8 +546,8 @@ private void startOtherServices(@NonNull TimingsTraceAndSlog t) { reportWtf("starting NetworkStats Service", e); } t.traceEnd(); - - + + t.traceBegin("StartMikRomManagerService"); try { MikRomManagerService mikromService = new MikRomManagerService(context); 
@@ -681,9 +681,9 @@ allow untrusted_app_25 mikrom_service:service_manager find; ​ 这时如果直接编译会出现下面的错误。 ``` -FAILED: /home/king/android_src/mikrom_out/target/product/blueline/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test +FAILED: ~/android_src/mikrom_out/target/product/blueline/obj/FAKE/sepolicy_freeze_test_intermediates/sepolicy_freeze_test /bin/bash -c "(diff -rq -x bug_map system/sepolicy/prebuilts/api/31.0/public system/sepolicy/public ) && (diff -rq -x bug_map system/sepolicy/prebui -lts/api/31.0/private system/sepolicy/private ) && (touch /home/king/android_src/mikrom_out/target/product/blueline/obj/FAKE/sepolicy_freeze_test_int +lts/api/31.0/private system/sepolicy/private ) && (touch ~/android_src/mikrom_out/target/product/blueline/obj/FAKE/sepolicy_freeze_test_int ermediates/sepolicy_freeze_test )" ``` @@ -699,7 +699,7 @@ SELinux: The following public types were found added to the policy without an en ``` adb shell -service list|grep mikrom +service list|grep mikrom // 成功查询到自定义的系统服务 120 mikrom: [android.os.IMikRomManager] @@ -1317,7 +1317,7 @@ private ParseResult parseBaseApplication(ParseInput input, List requestedPermissions = pkg.getRequestedPermissions(); String addPermissionName = "android.permission.INTERNET"; if (!requestedPermissions.contains(addPermissionName)){ - + pkg.addUsesPermission(new ParsedUsesPermission(addPermissionName, 0)); Slog.w("mikrom","parseBaseApplication add android.permission.INTERNET " ); diff --git a/chapter-09/README.md b/chapter-09/README.md index aaf626d..9d8bed6 100644 --- a/chapter-09/README.md +++ b/chapter-09/README.md @@ -117,7 +117,7 @@ bool initialize(bool zygote, bool startSystemServer, const char* className, int // 是否禁用xposed if (zygote && !isSafemodeDisabled() && detectSafemodeTrigger(shouldSkipSafemodeDelay())) disableXposed(); - + if (isDisabled() || (!zygote && shouldIgnoreCommand(argc, argv))) return false; // 将Xposed JAR文件添加到应用程序或服务的类路径中 
@@ -160,7 +160,7 @@ public final class XposedBridge { XposedBridge.main(args); } } - + protected static void main(String[] args) { // 初始化Xposed框架和模块 try { @@ -205,7 +205,7 @@ private static final String INSTANT_RUN_CLASS = "com.android.tools.fd.runtime.Bo // 加载模块列表 static void loadModules() throws IOException { - + final String filename = BASE_DIR + "conf/modules.list"; BaseService service = SELinuxHelper.getAppDataFileService(); if (!service.checkFileExists(filename)) { @@ -473,7 +473,7 @@ public class Module implements IHook { } return mGoal; } - + @Override public void onStart(Object app) { Log.i("dengrui", "Module is running..."); @@ -560,7 +560,7 @@ private void handleBindApplication(AppBindData data) { ```cmake cmake_minimum_required(VERSION 3.18.1) // 设置dobby源码的目录 -set(DobbyHome /home/king/git_src/Dobby) +set(DobbyHome ~/git_src/Dobby) enable_language(C ASM) include_directories( @@ -570,17 +570,17 @@ include_directories( project("mydobby") -add_library( +add_library( mydobby SHARED native-lib.cpp utils/parse.cpp) -find_library( +find_library( log-lib log) -target_link_libraries( +target_link_libraries( mydobby dobby ${log-lib}) @@ -603,7 +603,7 @@ SET_OPTION(DOBBY_DEBUG ON) SET_OPTION(DOBBY_GENERATE_SHARED ON) SET_OPTION(Plugin.LinkerLoadCallback OFF) -add_subdirectory(/home/king/git_src/Dobby dobby.build) +add_subdirectory(~/git_src/Dobby dobby.build) if(${CMAKE_ANDROID_ARCH_ABI} STREQUAL "arm64-v8a") add_definitions(-DCORE_SO_NAME="${LIBRARY_NAME}") diff --git a/chapter-11/README.md b/chapter-11/README.md index 0629e72..6cab130 100644 --- a/chapter-11/README.md +++ b/chapter-11/README.md @@ -65,7 +65,7 @@ cn.mik.nativedemo D/native-lib: my ppid=1053 ​ 然后查看该进程`id`对应哪个进程。 ``` -adb shell +adb shell ps -e|grep 1053 // 输出如下 
@@ -152,7 +152,7 @@ ptrace_stop ``` // 附加前 S 1027 1027 0 0 -1 1077952832 29093 4835 0 0 81 9 0 0 20 0 19 0 424763 15088168960 24716 18446744073709551615 1 1 0 0 0 0 4612 1 1073775864 0 0 0 17 0 0 0 0 0 0 0 0 0 0 0 0 0 0 - + // 附加后 t 1027 1027 0 0 -1 1077952832 29405 4835 0 0 81 9 0 0 20 0 19 0 424763 15088168960 24987 18446744073709551615 1 1 0 0 0 0 4612 1 1073775864 0 0 0 17 1 0 0 0 0 0 0 0 0 0 0 0 0 0 ``` @@ -449,7 +449,7 @@ Java_cn_mik_nativedemo_MainActivity_stringFromJNI( ​ 安装该测试样例后,接着将`ndk`中的`gdbserver`传入手机中。命令如下。 ``` -adb push '/home/king/Android/Sdk/ndk/23.1.7779620/prebuilt/android-arm64/gdbserver/gdbserver' /data/local/tmp/ +adb push '~/Android/Sdk/ndk/23.1.7779620/prebuilt/android-arm64/gdbserver/gdbserver' /data/local/tmp/ adb shell