本文详细介绍了如何在Android应用中使用su命令获取root权限,并通过示例代码展示了如何执行su命令及读取其输出。同时,文章还记录了su命令执行过程中的一些关键信息,包括权限检查流程和文件权限设置。
用法:
1 Runtime.getRuntime().exec("su , tinymix"); 要连在一起写,或者写一脚本
public void onClick(View v) {
Log.d("test by Wade", "su test start");
Process p = null;
try {
p = Runtime.getRuntime().exec("su , tinymix");
String data = null;
/**/
BufferedReader ie = new BufferedReader(new InputStreamReader(p.getErrorStream()));
BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));
String error = null;
while ((error = ie.readLine()) != null
&& !error.equals("null")) {
data += error + "\n";
}
String line = null;
while ((line = in.readLine()) != null
&& !line.equals("null")) {
data += line + "\n";
}
// Log.v("ls", data);
Log.d("test by Wade", "su test 111" + data );
/**/
p = Runtime.getRuntime().exec("ls /data/data");
BufferedReader ie1 = new BufferedReader(new InputStreamReader(p.getErrorStream()));
BufferedReader in1 = new BufferedReader(new InputStreamReader(p.getInputStream()));
String error1 = null;
while ((error1 = ie1.readLine()) != null
&& !error1.equals("null")) {
data += error1 + "\n";
}
String line1 = null;
while ((line1 = in1.readLine()) != null
&& !line1.equals("null")) {
data += line1 + "\n";
}
// Log.v("ls", data);
Log.d("test by Wade", "su test 222" + data);
} catch (IOException e) {
Log.d("test by Wade", "error at IOException" );
e.printStackTrace();
}
}
2 log ,可以看出在同一个Runtime里,能执行成功。再写另外一个 runtime 是不行的,如另外一个 ls /data/data
D/Wade_arm_net_set( 176): ni= 512
D/Wade_arm_net_set( 176): internet not ok
W/gralloc ( 155): Debugmem The fd=57, in vmalloc !!!! Ishwc=0
W/AudioTrack( 460): AUDIO_OUTPUT_FLAG_FAST denied by client
D/test by Wade(10715): su test start
W/AppOps ( 460): Bad call: specified package media under uid 1000 but it is really 1013
I/su (10759): type=1400 audit(0.0:62): avc: denied { setgid } for capability=6 scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=capability permissive=1
I/su (10759): type=1400 audit(0.0:63): avc: denied { setuid } for capability=7 scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=capability permissive=1
I/tinymix (10759): type=1400 audit(0.0:64): avc: denied { dac_override } for capability=1 scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=capability permissive=1
D/test by Wade(10715): su test 111nullsu: uid 10052 not allowed to su by wade
D/test by Wade(10715): Mixer name: 'RK_ES8323'
D/test by Wade(10715): Number of controls: 29
D/test by Wade(10715): ctl type num name value
D/test by Wade(10715): 0 ENUM 1 3D Mode 2
D/test by Wade(10715): 1 INT 1 ALC Capture Target Volume 12
D/test by Wade(10715): 2 INT 1 ALC Capture Max PGA 5
D/test by Wade(10715): 3 INT 1 ALC Capture Min PGA 2
D/test by Wade(10715): 4 ENUM 1 ALC Capture Function Stereo
D/test by Wade(10715): 5 BOOL 1 ALC Capture ZC Switch Off
D/test by Wade(10715): 6 INT 1 ALC Capture Hold Time 0
D/test by Wade(10715): 7 INT 1 ALC Capture Decay Time 0
D/test by Wade(10715): 8 INT 1 ALC Capture Attack Time 5
D/test by Wade(10715): 9 INT 1 ALC Capture NG Threshold 10
D/test by Wade(10715): 10 ENUM 1 ALC Capture NG Type Mute ADC Output
D/test by Wade(10715): 11 BOOL 1 ALC Capture NG Switch On
D/test by Wade(10715): 12 BOOL 1 ZC Timeout Switch Off
D/test by Wade(10715): 13 INT 2 Capture Digital Volume 255 255
D/test by Wade(10715): 14 BOOL 1 Capture Mute Off
D/test by Wade(10715): 15 INT 1 Left Channel Capture Volume 8
D/test by Wade(10715): 16 INT 1 Right Channel Capture Volume 8
D/test by Wade(10715): 17 ENUM 1 Playback De-emphasis None
D/test by Wade(10715): 18 ENUM 1 Capture Polarity Normal
D/test by Wade(10715): 19 INT 2 PCM Volume 255 255
D/test by Wade(10715): 20 INT 1 Left Mixer Left Bypass Volume 0
D/test by Wade(10715): 21 INT 1 Right Mixer Right Bypass Volume 0
D/test by Wade(10715): 22 INT 2 Output 1 Playback Volume 21 21
D/test by Wade(10715): 23 INT 2 Output 2 Playback Volume 30 30
D/test by Wade(10715): 24 BOOL 1 Right Mixer Right Playback Switch On
D/test by Wade(10715): 25 BOOL 1 Right Mixer Right Bypass Switch Off
D/test by Wade(10715): 26 BOOL 1 Left Mixer Left Playback Switch On
D/test by Wade(10715): 27 BOOL 1 Left Mixer Left Bypass Switch Off
D/test by Wade(10715): 28 ENUM 1 Route Stereo
D/test by Wade(10715): su test 222nullsu: uid 10052 not allowed to su by wade
D/test by Wade(10715): Mixer name: 'RK_ES8323'
D/test by Wade(10715): Number of controls: 29
D/test by Wade(10715): ctl type num name value
D/test by Wade(10715): 0 ENUM 1 3D Mode 2
D/test by Wade(10715): 1 INT 1 ALC Capture Target Volume 12
D/test by Wade(10715): 2 INT 1 ALC Capture Max PGA 5
D/test by Wade(10715): 3 INT 1 ALC Capture Min PGA 2
D/test by Wade(10715): 4 ENUM 1 ALC Capture Function Stereo
D/test by Wade(10715): 5 BOOL 1 ALC Capture ZC Switch Off
D/test by Wade(10715): 6 INT 1 ALC Capture Hold Time 0
D/test by Wade(10715): 7 INT 1 ALC Capture Decay Time 0
D/test by Wade(10715): 8 INT 1 ALC Capture Attack Time 5
D/test by Wade(10715): 9 INT 1 ALC Capture NG Threshold 10
D/test by Wade(10715): 10 ENUM 1 ALC Capture NG Type Mute ADC Output
D/test by Wade(10715): 11 BOOL 1 ALC Capture NG Switch On
D/test by Wade(10715): 12 BOOL 1 ZC Timeout Switch Off
D/test by Wade(10715): 13 INT 2 Capture Digital Volume 255 255
D/test by Wade(10715): 14 BOOL 1 Capture Mute Off
D/test by Wade(10715): 15 INT 1 Left Channel Capture Volume 8
D/test by Wade(10715): 16 INT 1 Right Channel Capture Volume 8
D/test by Wade(10715): 17 ENUM 1 Playback De-emphasis None
D/test by Wade(10715): 18 ENUM 1 Capture Polarity Normal
D/test by Wade(10715): 19 INT 2 PCM Volume 255 255
D/test by Wade(10715): 20 INT 1 Left Mixer Left Bypass Volume 0
D/test by Wade(10715): 21 INT 1 Right Mixer Right Bypass Volume 0
D/test by Wade(10715): 22 INT 2 Output 1 Playback Volume 21 21
D/test by Wade(10715): 23 INT 2 Output 2 Playback Volume 30 30
D/test by Wade(10715): 24 BOOL 1 Right Mixer Right Playback Switch On
D/test by Wade(10715): 25 BOOL 1 Right Mixer Right Bypass Switch Off
D/test by Wade(10715): 26 BOOL 1 Left Mixer Left Playback Switch On
D/test by Wade(10715): 27 BOOL 1 Left Mixer Left Bypass Switch Off
D/test by Wade(10715): 28 ENUM 1 Route Stereo
D/test by Wade(10715): opendir failed, Permission denied
D/DisplayManager(10715): getDisplayInfo: displayId=0, info=DisplayInfo{"鍐呯疆灞忓箷", uniqueId "local:0", app 1280 x 800, real 1280 x 800, largest app 1280 x 1280, smallest app 800 x 800, 113.95901 fps, supportedRefreshRates [113.95901], rotation 0, density 160 (160.15764 x 160.0) dpi, layerStack 0, appVsyncOff 0, presDeadline 9775085, type BUILT_IN, state ON, FLAG_SECURE, FLAG_SUPPORTS_PROTECTED_BUFFERS}
W/AppOps ( 460): Bad call: specified package media under uid 1000 but it is really 1013
D/AudioHardwareTiny( 170): start_output_stream
D/AudioHardwareTiny( 170): Device : 0x80400
D/AudioHardwareTiny( 170): SampleRate : 44100
D/AudioHardwareTiny( 170): Channels : 2
D/AudioHardwareTiny( 170): Formate : 0
D/AudioHardwareTiny( 170): PreiodSize : 2048
W/gralloc ( 155): Debugmem The fd=32, in vmalloc !!!! Ishwc=0
D/ViewRootImpl(10715): onAttachToWindow register content observer attrs=WM.LayoutParams{(0,64)(wrapxwrap)mPosX=0mPosY=0mHScale=1.0mVScale=1.0 align=UNDEFINE taskId=-1 gr=#51 ty=2005 fl=#98 compatible=true pfl=0x80 fmt=-3 wanim=0x1030004 surfaceInsets=Rect(0, 0 - 0, 0)packageName=com.practice.sensortoken=null}
D/ViewRootImpl(10715): 131<<<<<< BACK FROM relayoutWM.LayoutParams{(0,64)(wrapxwrap)mPosX=0mPosY=0mHScale=1.0mVScale=1.0 align=UNDEFINE taskId=-1 gr=#51 sim=#20 ty=2005 fl=#98 compatible=true pfl=0x80 fmt=-3 wanim=0x1030004 surfaceInsets=Rect(0, 0 - 0, 0)packageName=com.practice.sensortoken=null}
W/gralloc ( 155): Debugmem The fd=56, in vmalloc !!!! Ishwc=0
D/ViewRootImpl(10715): 131<<<<<< BACK FROM relayoutnull
W/gralloc ( 155): Debugmem The fd=69, in vmalloc !!!! Ishwc=0
W/AppOps ( 460): Bad call: specified package media under uid 1000 but it is really 1013
D/ViewRootImpl(10715): onDetachedFromWindow ungister contentObserver
D/Wade_arm_net_set( 176): ni= 512
D/Wade_arm_net_set( 176): internet not ok
D/AudioHardwareTiny( 170): close device
W/AppOps ( 460): Bad call: specified package media under uid 1000 but it is really 1013
^C
C:\Users\pc>
3 代码修改
diff --git a/system/extras/su/su.c b/system/extras/su/su.c
index 8365379..5388470 100644
--- a/system/extras/su/su.c
+++ b/system/extras/su/su.c
@@ -108,8 +108,8 @@ int main(int argc, char **argv)
/* Until we have something better, only root and the shell can use su. */
myuid = getuid();
if (myuid != AID_ROOT && myuid != AID_SHELL) {
- fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
- return 1;
+ fprintf(stderr,"su: uid %d not allowed to su by wade\n", myuid);
+ //return 1;
}
if(argc < 2) {
diff --git a/frameworks/base/cmds/app_process/app_main.cpp b/frameworks/base/cmds/app_process/app_main.cpp
index 1bb28c3..a92a561 100644
--- a/frameworks/base/cmds/app_process/app_main.cpp
+++ b/frameworks/base/cmds/app_process/app_main.cpp
@@ -185,6 +185,7 @@ static const char ZYGOTE_NICE_NAME[] = "zygote";
int main(int argc, char* const argv[])
{
+ /*
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
// Older kernels don't understand PR_SET_NO_NEW_PRIVS and return
// EINVAL. Don't die on such kernels.
@@ -192,7 +193,7 @@ int main(int argc, char* const argv[])
LOG_ALWAYS_FATAL("PR_SET_NO_NEW_PRIVS failed: %s", strerror(errno));
return 12;
}
- }
+ } */
AppRuntime runtime(argv[0], computeArgBlockSize(argc, argv));
// Process command line arguments
diff --git a/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp b/frameworks/base/core/jni/com_android_interna
index 3af968d..6236438 100644
--- a/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
+++ b/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
@@ -208,6 +208,7 @@ static void EnableKeepCapabilities(JNIEnv* env) {
}
static void DropCapabilitiesBoundingSet(JNIEnv* env) {
+ /*
for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
if (rc == -1) {
@@ -219,7 +220,7 @@ static void DropCapabilitiesBoundingSet(JNIEnv* env) {
RuntimeAbort(env);
}
}
- }
+ } */
}
diff --git a/system/core/include/private/android_filesystem_config.h b/system/core/include/private/android_filesystem_c
index 7a4c943..2b987e1 100644
--- a/system/core/include/private/android_filesystem_config.h
+++ b/system/core/include/private/android_filesystem_config.h
@@ -245,7 +245,7 @@ static const struct fs_path_config android_files[] = {
/* the following five files are INTENTIONALLY set-uid, but they
* are NOT included on user builds. */
- { 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
+ { 06755, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/vm" },
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/librank" },
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procrank" },
4 参考文章
https://blog.youkuaiyun.com/kangear/article/details/51872653
https://blog.youkuaiyun.com/kangear/article/details/51868077
一些记录:
写一个app 查看 id
root@nanopi2:/ # ps | grep com.example.helloroot
u0_a50 1283 121 1233532 40640 ffffffff b6e791c4 S com.example.helloroot
root@nanopi2:/ #
其中u0_a50就是HelloRoot的Application user id了,这个id在下面步骤中会用到;
切换到u0_a50用户下并运行su命令
root@nanopi2:/ # su u0_a50
root@nanopi2:/ $ id
uid=10050(u0_a50) gid=10050(u0_a50) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:su:s0
# 以u0_a50身份运行su命令,正常情况下会再切到root权限下,相当于该APP在调用su命令了。
root@nanopi2:/ $ su
root@nanopi2:/ #
扫一扫
2488
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
