-
-
[原创]一加7t自定义内核编译, 以及android10, syscalltable hook实现
-
发表于: 2021-9-23 08:50
-
op7t
oneplus 7t 自定义内核, 主要目的用于内核层逆向
使用github ci
目前已经使用github ci进行自动化构建, 欢迎fork and star
手机环境
a. oneplus 7t
b. 对应Android版本为Hydrogen OS 10.0.7.HD65
c. 对应版本全量包
1 | OnePlus7THydrogen_14.H.09_OTA_009_all_2001030048_d935aae55ac_1007.zip //一加手机论坛下载 |
Linux编译环境
- 操作系统ubuntu20
1 2 3 4 5 | ➜ /share cat /etc/lsb-releaseDISTRIB_ID=UbuntuDISTRIB_RELEASE=20.04DISTRIB_CODENAME=focalDISTRIB_DESCRIPTION="Ubuntu 20.04 LTS" |
- 依赖安装
1 2 3 4 5 | sudo apt-get install git-core gnupg flex bison build-essential zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev-i386 libncurses5-dev lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z1-dev libgl1-mesa-dev libxml2-utils xsltproc unzip fontconfigsudo apt-get install libssl-devsudo apt-get install dos2unixsudo apt-get install libncurses5 |
- 编译依赖
百度网盘整个工程包括编译链
链接: 8b7K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3j5h3&6Q4x3X3g2T1j5h3W2V1N6g2)9J5k6h3y4G2L8g2)9J5c8Y4y4Q4x3V1j5I4f1W2q4S2f1q4y4B7e0q4m8z5h3o6V1&6h3p5u0h3b7@1y4m8j5$3!0K9b7b7`.`. 提取码: bbki 复制这段内容后打开百度网盘手机App,操作更方便哦
1 2 3 4 | cd /sharegit clone https://gitee.com/yhnu/op7t.gitcd /share/op7t/buildtooljust c |
- 编译源码
为了简单方便及稳定,我们基于第三方内核进行修改, 57bK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6W2L8X3N6K6N6r3E0Q4x3V1k6G2M7o6N6Q4x3V1k6@1M7X3g2W2i4K6u0r3M7U0M7H3
1 2 3 4 5 6 | cd /share/op7t/blu7tjust csource env.configsource proxy.configjust makejust j16 |
- 打包image
1 | just image |
boot.img提取
1 2 3 4 | curl -L -O https://github.com/yhnu/op7t/releases/download/v1.0/payload_dumper-win64.zipcurl -L -O https://otafsc.h2os.com/patch/CHN/OnePlus7THydrogen/OnePlus7THydrogen_14.H.09_009_2001030048/OnePlus7THydrogen_14.H.09_OTA_009_all_2001030048_d935aae55ac.zipunzip -q OnePlus7THydrogen_14.H.09_009_2001030048/OnePlus7THydrogen_14.H.09_OTA_009_all_2001030048_d935aae55ac.zip# 然后参考payload_dumper的使用说明即可 |
拯救OnePlus7t
开发的路上难免磕磕碰碰, 手机就启动不了, 做好防身技能
1 2 3 4 5 6 7 | curl -L -O https://otafsc.h2os.com/patch/CHN/OnePlus7THydrogen/OnePlus7THydrogen_14.H.09_009_2001030048/OnePlus7THydrogen_14.H.09_OTA_009_all_2001030048_d935aae55ac.zipcurl -L -O https://github.com/yhnu/op7t/releases/download/v1.0/recovery-oneplus7t-3.4.2-10.0-b26.imgfastboot set_active a #is a or bfastboot erase recoveryfastboot.exe flash recovery recovery-oneplus7t-3.4.2-10.0-b26.img fastboot.exe reboot recoveryadb sideload F:\F2021-07\one7t_kernel\OnePlus7THydrogen_14.H.09_OTA_009_all_2001030048_d935aae55ac.zip |
开发记录
2021年9月7日 14:33:03
a. 修改内核源码绕过反调试检测
参考文章:
2021年9月10日 08:56:45
a. 编写hellomod模块
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 | # Code wrire : yhnu# code date : 2021年9月10日 09:46:05# e-mail : buutuud@gmail.com## THis Makefile is a demo only for ARM-architecture#MODULE_NAME := helloifneq ($(KERNELRELEASE),) obj-m := hello.oelse CROSS_COMPILE := /share/op7t/buildtool/aarch64-linux-android-4.9-uber-master/bin/aarch64-linux-android- #CC = CROSS_COMPILE #KERNELDIR ?= /lib/modules/$(shell uname -r)/build PWD :=$(shell pwd) KDIR := /share/op7t/blu7t/op7-r70/outmodules: make -C $(KDIR) REAL_CC=$(GITHUB_WORKSPACE)/buildtool/toolchains/llvm-Snapdragon_LLVM_for_Android_8.0/prebuilt/linux-x86_64/bin/clang CROSS_COMPILE=/share/op7t/buildtool/aarch64-linux-android-4.9-uber-master/bin/aarch64-linux-android- CLANG_TRIPLE=aarch64-linux-gnu- ARCH=arm64 M=$(PWD) modules CONFIG_MODULE_UNLOAD=y CONFIG_RETPOLINE=yclean: rm -rf *.o *.order *.symvers *.ko *.mod* .*.cmd .*.*.cmd .*.*.*.cmd @rm -fr .tmp_versions Module.symvers modules.orderendif |
b. 注意:
因为内核编译使用的是Clang编译, 因此对应module的编译也需要使用Clang编译
1 2 3 4 5 6 7 | triple 的一般格式为<arch><sub>-<vendor>-<sys>-<abi>,其中:arch = x86_64、i386、arm、thumb、mips等。sub = v5, v6m, v7a, v7m等。vendor = pc, apple, nvidia, ibm,等。sys = none, linux, win32, darwin, cuda等。abi = eabi, gnu, android, macho, elf等。 |
2021年9月10日 16:33:14
a. linux设备驱动开发学习经典教程
2021年9月11日 21:14:44
查看KernelLog
1 | adb logcat -b kernel,default |
2021年9月17日 09:01:09
krhook模块开发
c42K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6&6K9r3&6#2i4K6u0r3L8%4l9%4N6q4)9J5c8Y4c8J5k6h3g2Q4x3V1k6V1k6i4k6Q4x3V1k6C8M7X3S2G2L8$3D9`.
参考链接:
https://bbs.pediy.com/thread-267004.htm
现在Android 手机大都使用了 MSM 平台 和 kernel, 高通下面的一个patch 引入了 kernel 代码段内存RO 属性. 因此需要做一些修改
2021年9月17日 14:28:50
友人提醒可以直接通过下面的编译器进行编译,不用改代码Makefile
86aK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6V1k6i4k6W2L8r3!0H3k6i4u0Q4x3X3g2S2M7X3#2Q4x3X3g2U0L8$3#2Q4x3V1k6@1L8$3!0D9M7#2)9J5k6r3q4F1k6q4)9J5k6s2y4G2k6Y4c8%4j5i4u0W2i4K6u0r3L8%4m8W2L8W2)9J5k6s2y4G2N6i4u0U0k6g2)9J5k6s2y4G2k6Y4c8%4j5i4u0W2i4K6u0r3k6r3g2$3k6h3I4G2M7r3g2J5i4K6u0V1N6r3!0G2L8s2y4Q4x3V1k6Y4L8Y4g2Q4x3X3c8@1L8$3!0D9j5$3S2S2K9h3&6Q4x3V1k6Y4L8Y4g2Q4x3X3c8S2i4K6u0r3k6r3!0%4L8X3I4G2j5h3c8K6
2021年9月17日 16:28:58
/sys/fs/pstore 内核崩溃日志信息存放的位置
linux使用lwp机制, 导致task_struct的pid在线程中是线程id,需要使用tgid,或者使用uid进行识别
e57K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3!0H3k6h3&6K6L8%4g2J5j5$3g2X3L8%4u0#2i4K6u0W2j5$3!0E0i4K6u0r3x3U0l9I4x3g2)9J5c8U0l9^5i4K6u0r3L8r3W2Y4K9s2c8Q4x3X3c8%4k6h3W2Y4K9s2c8Q4x3X3c8H3M7X3!0U0k6i4y4K6k6i4y4Q4x3X3c8V1K9i4y4K6k6h3y4@1K9h3&6Y4i4K6u0V1L8r3W2F1N6i4S2Q4x3X3c8@1K9s2u0W2j5h3c8K6i4K6u0r3
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
如果仅仅只想使用, 建议看这个 8c1K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6&6K9r3&6#2i4K6u0r3L8%4l9%4N6q4)9J5c8Y4c8J5k6h3g2Q4x3V1k6V1k6i4k6Q4x3V1k6C8M7W2)9#2k6X3!0X3k6X3I4A6L8X3f1`. |
