Root Android and Install Recovery linux shell script & Android root principle

The file comes from the cnblogs user 黑暗伯爵; original article: http://www.cnblogs.com/hangxin1940/archive/2011/07/10/2102087.html

It was originally a Windows shell script; 黑暗伯爵 rewrote it as a Linux version. This is the complete package: /Files/super119/AndroidRootAndRecovery.zip

Looking at the script, the key program is rageagainstthecage. A quick Google search suggests that it uses a hack to restart the adbd daemon running on the device as root, so that the adbd on the device ends up with root privileges and we can then use adb from the PC to do many things that require root -- for example, remount /system as rw, copy su and busybox into the ROM, install a recovery, and so on.

As for how rageagainstthecage does it: it keeps forking processes until the process-count limit is reached, after which adbd on the device restarts (with some probability; it is not guaranteed that adbd will restart). When the restarted adbd calls setuid to turn itself into a non-root user, setuid fails, but Android's adbd code does not check whether setuid failed, so in the end adbd runs as root. Below is the English explanation I found; when I have time I will read the adbd code and trace it myself to confirm:

First the code will check that there is an NPROC setting. This is the maximum number of simultaneous processes which the system will allow. A quick “ulimit -a” once connected over adb should show you this setting for your device (this is set to 3301 processes on a Droid Incredible). The code will then try to find the process ID of the currently running adb daemon on the device. After that, the attack starts a loop to generate processes until it can no longer fork any more processes. Once the limit is hit, one process is killed off and the adb daemon process is restarted. As the code comment points out, this is a bit of a race at this point to make sure the adb can restart, but the number of processes stays maxed out. When the adb daemon starts up on an Android device, it is running as root. The code will later check if it should stay as root, or run in “secure” mode which drops its privileges to the “shell” account. This attack attempts to max out the processes so that when the adb daemon attempts to call “setuid” in its code, the call will fail. The current adb code does not check if the setuid call was successful or not, so will happily keep running as root even if this fails.
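Added example, not from the original post and not the adbd source: the unchecked setuid() pattern described above, next to a hardened privilege drop that checks every call, verifies the identity actually reached, and refuses to continue when the drop fails. The function names are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed shape of the defect described above: the return value of
 * setuid() is discarded. setuid() can fail with EAGAIN when the target
 * uid is already at its RLIMIT_NPROC, which is exactly the condition the
 * fork loop creates; the process then silently keeps its original
 * (root) identity. Returns the effective uid the process ended up with. */
uid_t drop_privileges_unchecked(uid_t uid) {
    setuid(uid);                      /* result ignored: this is the bug */
    return geteuid();
}

/* Hardened form: check each step and verify the drop took effect.
 * Returns 0 on success, -1 (errno set) when the process may still be
 * privileged and must exit rather than start serving. */
int drop_privileges_checked(uid_t uid, gid_t gid) {
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;                    /* EAGAIN or EPERM: do not continue */
    /* Verify the kernel's view of our identity, not just the return codes. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid) {
        errno = EINVAL;
        return -1;
    }
    /* A real drop makes regaining root impossible; if this succeeds, the
     * privileges were never actually dropped. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void) {
    /* Stand-alone demonstration on the current identity of the caller. */
    if (drop_privileges_checked(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%u euid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```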

Original article: https://www.cnblogs.com/super119/p/2211210.html