在默認情況下，adbd是以uid root的權限啟動的。不過它確實還會通過函數drop_privileges()主動把自己降到uid shell : shell，如下：

# /system/core/adb/daemon/main.cppstatic void drop_privileges(int server_port) {ScopedMinijail jail(minijail_new());// Add extra groups:// AID_ADB to access the USB driver// AID_LOG to read system logs (adb logcat)// AID_INPUT to diagnose input issues (getevent)// AID_INET to diagnose network issues (ping)// AID_NET_BT and AID_NET_BT_ADMIN to diagnose bluetooth (hcidump)// AID_SDCARD_R to allow reading from the SD card// AID_SDCARD_RW to allow writing to the SD card// AID_NET_BW_STATS to read out qtaguid statistics// AID_READPROC for reading /proc entries across UID boundaries// AID_UHID for using 'hid' command to read/write to /dev/uhidgid_t groups[] = {AID_ADB, AID_LOG, AID_INPUT, AID_INET,AID_NET_BT, AID_NET_BT_ADMIN, AID_SDCARD_R, AID_SDCARD_RW,AID_NET_BW_STATS, AID_READPROC, AID_UHID};minijail_set_supplementary_gids(jail.get(), arraysize(groups), groups);// Don't listen on a port (default 5037) if running in secure mode.// Don't run as root if running in secure mode.if (should_drop_privileges()) {const bool should_drop_caps = should_drop_capabilities_bounding_set();if (should_drop_caps) {minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID));}minijail_change_gid(jail.get(), AID_SHELL);minijail_change_uid(jail.get(), AID_SHELL);// minijail_enter() will abort if any priv-dropping step fails.minijail_enter(jail.get());... }

再看下should_drop_privileges()方法，這個函數來判斷是否要降級，返回false就是使用root權限

# /system/core/adb/daemon/main.cppstatic bool should_drop_privileges() { #if defined(ALLOW_ADBD_ROOT)// The properties that affect `adb root` and `adb unroot` are ro.secure and// ro.debuggable. In this context the names don't make the expected behavior// particularly obvious.//// ro.debuggable:// Allowed to become root, but not necessarily the default. Set to 1 on// eng and userdebug builds.//// ro.secure:// Drop privileges by default. Set to 1 on userdebug and user builds.bool ro_secure = android::base::GetBoolProperty("ro.secure", true);bool ro_debuggable = __android_log_is_debuggable();// Drop privileges if ro.secure is set...bool drop = ro_secure;// ... except "adb root" lets you keep privileges in a debuggable build.std::string prop = android::base::GetProperty("service.adb.root", "");bool adb_root = (prop == "1");bool adb_unroot = (prop == "0");if (ro_debuggable && adb_root) {drop = false;}// ... and "adb unroot" lets you explicitly drop privileges.if (adb_unroot) {drop = true;}return drop; #elsereturn true; // "adb root" not allowed, always drop privileges. #endif // ALLOW_ADBD_ROOT }

1.開啟adbd的root的權限

第一種方式
①.修改 /system/core/adb/daemon/main.cpp

static bool should_drop_privileges() {// 注釋方法內代碼,添加如下代碼std::string prop = android::base::GetProperty("service.adb.root", "");if (prop == "1"){return false;}return true; }

第二種方式
①修改 /build/core/main.mk

## user/userdebug ##user_variant := $(filter user userdebug,$(TARGET_BUILD_VARIANT)) enable_target_debugging := true tags_to_install := ifneq (,$(user_variant))# Target is secure in user builds.ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1... 將·ro.secure=1 修改為ro.secure=0

②修改 /system/core/adb/Android.mk

- ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT))) + ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT)))LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=1endif

2.添加su

①去掉root，shell的判斷

# /system/extras/su/su.cppint main(int argc, char** argv) { + #if 0uid_t current_uid = getuid();if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed"); + #endif// Handle -h and --help.

②修改su權限

# /system/core/rootdir/init.rc+ chmod 6755 /system/xbin/su + # Assume SMP uses shared cpufreq policy for all CPUs# /system/core/libcutils/fs_config.cpp - { 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" }, + { 06755, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },

③修改su模塊在所有模式下都編譯

# /system/extras/su/Android.mk- LOCAL_MODULE_TAGS := debug + LOCAL_MODULE_TAGS := optional

④修改 /frameworks/base/core/jni/com_android_internal_os_Zygote.cpp

static bool DropCapabilitiesBoundingSet(std::string* error_msg) { + #if 0for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);if (rc == -1) {if (errno == EINVAL) {ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify ""your kernel is compiled with file capabilities support");} else {*error_msg = CREATE_ERROR("prctl(PR_CAPBSET_DROP, %d) failed: %s", i, strerror(errno));return false;}}} + #endifreturn true;}

⑤在device.mk下添加su模塊

# /device/mediatek/common/device.mkPRODUCT_PACKAGES += su

3.關閉selinux

① Android 8.1

# /system/core/init/init.cppstatic bool selinux_is_enforcing(void){ return false; //add to close selinuxif (ALLOW_PERMISSIVE_SELINUX) {return selinux_status_from_cmdline() == SELINUX_ENFORCING;}return true;}

② Android 9.0

# /system/core/init/selinux.cppbool IsEnforcing() {return false; //add to close selinuxif (ALLOW_PERMISSIVE_SELINUX) {return StatusFromCmdline() == SELINUX_ENFORCING;}return true;}

最后，app驗證su功能

private boolean silentInstall(File apkPath){boolean result = false;DataOutputStream dataOutputStream = null;BufferedReader errorStream = null;try {Process process = Runtime.getRuntime().exec("su");dataOutputStream = new DataOutputStream(process.getOutputStream());// 執行pm install命令String command = "pm install -r " + apkPath + "\n";dataOutputStream.write(command.getBytes(Charset.forName("utf-8")));dataOutputStream.flush();dataOutputStream.writeBytes("exit\n");dataOutputStream.flush();process.waitFor();errorStream = new BufferedReader(new InputStreamReader(process.getErrorStream()));String msg = "";String line;while ((line = errorStream.readLine()) != null) {msg += line;}if (!msg.contains("Failure")) {result = true;}} catch (Exception e) {LogUtil.e(" "+ e.getMessage());} finally {try {if (dataOutputStream != null) {dataOutputStream.close();}if (errorStream != null) {errorStream.close();}} catch (IOException e) {LogUtil.d(" "+e.getMessage());}}return result;}

總結

以上是生活随笔為你收集整理的android 9.0user版本如何开启root，打开su的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。