编译 EVA-AL10 华为 P9 EMUI8.0 Android8.0 内核源码 ptrace

  • 编译环境 Ubuntu 16.04 x64
  • EMUI 8 EVA-AL10 8.0.0.566(C00)

安装工具链

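# Fetch the AOSP prebuilt aarch64 GCC 4.9 cross toolchain. The archive name is
# a commit id, so the download is pinned to one exact revision.
mkdir -p toolchain
wget https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/+archive/6d851c172f90ecb1f4f8c6543efa63755956db3e.tar.gz
tar xzf 6d851c172f90ecb1f4f8c6543efa63755956db3e.tar.gz -C toolchain
# TOOLCHAIN_PATH was used but never set in the original snippet, so PATH gained
# nothing and the cross compiler was not found. The archive unpacks bin/
# directly under toolchain/.
TOOLCHAIN_PATH="$(pwd)/toolchain/bin"
export PATH="$PATH:$TOOLCHAIN_PATH"
export CROSS_COMPILE=aarch64-linux-android-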

下载内核源码

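# Download Huawei's open-source kernel release for this device.
# The URL contains '&', so it must be quoted: unquoted, the shell backgrounds
# wget at the first '&' and the -O option is never passed to it.
wget 'https://download-c1.huawei.com/download/downloadCenter?downloadId=E9A537E13D8D72A481D35C90DE9D7F1A&version=2C22E512BA0E1564B546B69EB8D03F5C&siteCode=worldwide' -O EVA_OREO_EMUI8.0_opensource.tar.gz
# Print the archive hash and keep it with your build notes, so a later rebuild
# can confirm it starts from the same source drop.
sha256sum EVA_OREO_EMUI8.0_opensource.tar.gz
tar zxf EVA_OREO_EMUI8.0_opensource.tar.gz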

修改源码

../kernel/fs/proc/array.c Line 115

/*
 * Human-readable task state names, one string per slot. The trailing comment
 * on each row is the state value carried over from the stock table
 * (presumably the table behind the "State:" field that fs/proc/array.c
 * prints; the lookup itself is not shown here).
 *
 * Modified from stock: slot 4 originally held "t (tracing stop)" (value 8).
 * It now repeats "S (sleeping)", so a task in tracing stop is reported as
 * sleeping. The slot is overwritten rather than removed so the array keeps
 * its original seven entries.
 *
 * NOTE(review): on a kernel built with this table the reported state is not a
 * trustworthy tracing indicator for any reader, including diagnostic tools.
 */
static const char * const task_state_array[] = {
	[0] = "R (running)",	/*  0 */
	[1] = "S (sleeping)",	/*  1 */
	[2] = "D (disk sleep)",	/*  2 */
	[3] = "T (stopped)",	/*  4 */
	[4] = "S (sleeping)",	/*  8: was "t (tracing stop)" */
	[5] = "X (dead)",	/* 16 */
	[6] = "Z (zombie)",	/* 32 */
};

../kernel/fs/proc/array.c Line 172

添加此行,将 tpid 强制赋值为 0(这样 /proc/<pid>/status 中的 TracerPid 对所有进程都显示为 0)

tpid = 0;
seq_printf(m,
"State:\t%s\n"
"Tgid:\t%d\n"
"Ngid:\t%d\n"
"Pid:\t%d\n"
"PPid:\t%d\n"
"TracerPid:\t%d\n"
"Uid:\t%d\t%d\t%d\t%d\n"
"Gid:\t%d\t%d\t%d\t%d\n"
"FDSize:\t%d\nGroups:\t",
get_task_state(p),
tgid, ngid, pid_nr_ns(pid, ns), ppid, tpid,
from_kuid_munged(user_ns, cred->uid),
from_kuid_munged(user_ns, cred->euid),
from_kuid_munged(user_ns, cred->suid),
from_kuid_munged(user_ns, cred->fsuid),
from_kgid_munged(user_ns, cred->gid),
from_kgid_munged(user_ns, cred->egid),
from_kgid_munged(user_ns, cred->sgid),
from_kgid_munged(user_ns, cred->fsgid),
max_fds);
.....

../kernel/fs/proc/base.c Line 425

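/*
 * proc_pid_wchan - write the wait-channel symbol of @task into @m.
 * @m:    seq_file that receives the output
 * @ns:   not used in this function
 * @pid:  not used in this function
 * @task: task whose wait channel is reported
 *
 * Writes the symbol name when get_wchan() returns a non-zero address, the
 * caller passes ptrace_may_access(PTRACE_MODE_READ_FSCREDS), and the address
 * resolves to a symbol; otherwise writes the single character '0'.
 * Always returns 0.
 *
 * Modified from stock: a symbol whose name contains "trace" is replaced by
 * the fixed string "sys_epoll_wait". The substitution applies to every
 * reader of this file, so wait-channel output from a kernel built this way
 * is not reliable for diagnostics or for tracing detection.
 */
static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns,
			  struct pid *pid, struct task_struct *task)
{
	unsigned long wchan;
	char symname[KSYM_NAME_LEN];

	wchan = get_wchan(task);

	if (wchan && ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)
			&& !lookup_symbol_name(wchan, symname)) {
		/*
		 * Emit exactly one name. The earlier version had no else here,
		 * so it wrote the substitute and then the real symbol directly
		 * after it, producing a concatenated string.
		 */
		if (strstr(symname, "trace"))
			seq_printf(m, "%s", "sys_epoll_wait");
		else
			seq_printf(m, "%s", symname);
	} else {
		seq_putc(m, '0');
	}

	return 0;
}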

如果你想修改内核的编译信息(例如编译用户、主机名等版本字符串),可修改
../kernel/scripts/mkcompile_h

继续修改 ../kernel/arch/arm64/configs/merge_hi3650_defconfig

CONFIG_HUAWEI_PTRACE_POKE_ON 改为 CONFIG_HUAWEI_PTRACE_POKE_ON=y

编译

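# Configure and build out-of-tree into Code_Opensource/out.
# KERNEL_SOURCE must point at the directory where the source tarball was
# extracted. ${VAR:?} stops with a message when it is unset, instead of
# silently expanding to /Code_Opensource.
cd "${KERNEL_SOURCE:?set KERNEL_SOURCE to the directory holding Code_Opensource}/Code_Opensource"
mkdir -p out
cd kernel
# Generate .config from the device defconfig edited above, then build.
make ARCH=arm64 O=../out merge_hi3650_defconfig
make ARCH=arm64 O=../out -j8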

制作镜像文件

下载 AIK

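# Download Android Image Kitchen (AIK). The URL ends in '/', so without -O wget
# would typically save the response under a different name (e.g. index.html)
# and the tar step below would not find the archive.
wget https://forum.xda-developers.com/attachments/aik-linux-v3-8-all-tar-gz.5300923/ -O AIK-Linux-v3.8-ALL.tar.gz
# This is a forum attachment whose scripts are run locally in the next steps.
# Print its hash and compare it with a value obtained from a source you trust
# before unpacking.
sha256sum AIK-Linux-v3.8-ALL.tar.gz
tar xzf AIK-Linux-v3.8-ALL.tar.gz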

读取从官方包里提取的 kernel.img 信息

# Unpack the stock kernel.img taken from the official firmware package
# (presumably run from the extracted AIK directory). The header fields it
# prints (base, offsets, cmdline, OS version, patch level) are the values
# reused when repacking the rebuilt kernel.
./unpackimg.sh kernel.img

输出例如下方信息

Android Image Kitchen - UnpackImg Script
by osm0sis @ xda-developers

Supplied image: KERNEL.img

Setting up work folders...

Image type: AOSP

Signature with "AVBv2" type detected.

Splitting image to "split_img/"...
ANDROID! magic found at: 4096
BOARD_KERNEL_CMDLINE loglevel=4 initcall_debug=n page_tracker=on slub_min_objects=12 unmovable_isolate1=2:192M,3:224M,4:256M printktimer=0xfff0a000,0x534,0x538 androidboot.selinux=enforcing buildvariant=user
BOARD_KERNEL_BASE 0x00478000
BOARD_NAME
BOARD_PAGE_SIZE 2048
BOARD_HASH_TYPE sha1
BOARD_KERNEL_OFFSET 0x00008000
BOARD_RAMDISK_OFFSET 0x07b88000
BOARD_SECOND_OFFSET 0x00e88000
BOARD_TAGS_OFFSET 0x07988000
BOARD_OS_VERSION 8.0.0
BOARD_OS_PATCH_LEVEL 2020-07
BOARD_HEADER_VERSION 0

Warning: No ramdisk found to be unpacked!

Done!

根据上面的信息,修改 ../kernel/tools/pack_kernerimage_cmd.sh 的信息

#!/bin/bash
# Repack the rebuilt kernel (the file named "kernel" in this directory) into
# kernel.img, reusing the header values printed by unpackimg.sh for the stock
# image. The stock command line is kept unchanged, including
# androidboot.selinux=enforcing.
#
# NOTE(review): unpackimg.sh reported an "AVBv2" signature on the stock image
# and the ANDROID! magic at offset 4096. This command adds neither a signature
# nor a leading header, so the result presumably boots only on a device whose
# bootloader accepts unsigned images. Confirm before flashing.
cmdline="loglevel=4 initcall_debug=n page_tracker=on slub_min_objects=12 unmovable_isolate1=2:192M,3:224M,4:256M printktimer=0xfff0a000,0x534,0x538 androidboot.selinux=enforcing buildvariant=user"

./mkbootimg \
    --kernel kernel \
    --base 0x00478000 \
    --cmdline "$cmdline" \
    --tags_offset 0x07988000 \
    --kernel_offset 0x00008000 \
    --ramdisk_offset 0x07b88000 \
    --os_version 8.0.0 \
    --os_patch_level 2020-07-01 \
    --output kernel.img

复制编译好的文件

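# Starting directory: Code_Opensource/kernel (where the build step finished).
cp ../out/arch/arm64/boot/Image.gz ../kernel/tools
# The original snippet had no cd here, so the mv and the pack script ran in
# the wrong directory and found neither Image.gz nor ./mkbootimg.
cd ../kernel/tools
# The pack script expects the kernel payload under the name "kernel".
mv Image.gz kernel
./pack_kernerimage_cmd.sh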

刷入内核镜像

# Reboot the phone into the bootloader (fastboot mode).
adb reboot bootloader
# Write the repacked image to the "kernel" partition. Keep the stock
# kernel.img extracted earlier so the partition can be restored the same way.
fastboot flash kernel kernel.img
# Boot into the newly flashed kernel.
fastboot reboot

编译 EVA-AL10 华为 P9 EMUI8.0 Android8.0 内核源码 ptrace
https://blog.forgiveher.cn/posts/863210018/
Author
Mikey
Posted on
May 26, 2023
Licensed under