Author archive: zhiwei

dalvik.vm.native.bridge

frameworks/base/core/jni/AndroidRuntime.cpp
build/make/target/product/runtime_libart.mk: ro.dalvik.vm.native.bridge=0

out/target/product/generic_x86_64/vendor/build.prop:ro.dalvik.vm.native.bridge=0

Building the Android QEMU (goldfish) kernel

git clone git://mirrors.ustc.edu.cn/aosp/kernel/goldfish.git
cd goldfish
git checkout android-goldfish-4.4-dev

prebuilts/qemu-kernel/build-kernel.sh  --arch=x86_64  --config=x86_64_ranchu

Customizing Android

0. Prepare the repo tool

mkdir ~/bin
PATH=~/bin:$PATH
curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
chmod a+x ~/bin/repo

1. Download the source and sync with repo

wget -c https://mirrors.tuna.tsinghua.edu.cn/aosp-monthly/aosp-latest.tar # download the initial source bundle
tar xf aosp-latest.tar
cd AOSP
repo sync

2. Clean

make clobber

3. Set up the build environment

. build/envsetup.sh

4. Choose the build target

lunch aosp_x86_64-userdebug

5. Build

make -j4

6. Run

emulator

The build output lands in
out/target/product/generic_x86_64

One approach to changing the IMEI on a Qualcomm-based phone

The IMEI is designed to be writable only once, at the factory; a second write fails with a read-only error.
But on some low- and mid-range chipsets, many ODM design houses do not restrict modification of the IMEI and MEID at all.

One could consider extracting modem.img from their flashing packages.

Dynamic loading

OnePlus USB tethering

USB tethering uses an RNDIS network,
but, bizarrely, OnePlus uses a peculiar VID:PID for it:

cat /sys/kernel/debug/usb/devices


T:  Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=2a70 ProdID=9024 Rev= 4.04
S:  Manufacturer=OnePlus
S:  Product=OnePlus
S:  SerialNumber=24d68a1e
C:* #Ifs= 3 Cfg#= 1 Atr=80 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=ef(misc ) Sub=04 Prot=01
I:* If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=(none)
E:  Ad=81(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=(none)
E:  Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Unlike Xiaomi:

T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  5 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=2717 ProdID=ff88 Rev= 3.10
S:  Manufacturer=Android
S:  Product=Android
S:  SerialNumber=b1d625aa
C:* #Ifs= 3 Cfg#= 1 Atr=80 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03
I:* If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Port 4 has one too:
T:  Bus=01 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#=  7 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=2717 ProdID=ff88 Rev= 3.18
S:  Manufacturer=Android
S:  Product=Android
S:  SerialNumber=2c75d639
C:* #Ifs= 3 Cfg#= 1 Atr=80 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03
I:* If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Analysis

ls -la /sys/bus/usb/drivers/usbfs/

1-1:1.2 -> ../../../../devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.2
1-5:1.2 -> ../../../../devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.2

3-1:1.2 -> ../../../../devices/pci0000:00/0000:00:1c.0/0000:02:00.0/0000:03:02.0/0000:38:00.0/usb3/3-1/3-1:1.2

ls -la /sys/bus/usb/drivers/rndis_host

1-1:1.0 -> ../../../../devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0
1-1:1.1 -> ../../../../devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1

1-5:1.0 -> ../../../../devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.0
1-5:1.1 -> ../../../../devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.1

Add the new ID by binding the interfaces to the driver directly:

echo "3-1:1.0" > /sys/bus/usb/drivers/rndis_host/bind
echo "3-1:1.1" > /sys/bus/usb/drivers/rndis_host/bind

That fails. Registering the VID:PID pair with the driver through new_id:
echo '2a70 9024'   > /sys/bus/usb/drivers/rndis_host/new_id
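As an added example that is not part of the original post: a small parser for the /sys/kernel/debug/usb/devices format shown above, which walks every T:/P:/S:/I: record in a capture, finds devices that expose a CDC data interface (class 0a) with no driver bound, and derives the "vid pid" pair that the new_id write needs. It generalises the manual reading of the two captures to any number of devices in the file. The sample text is the OnePlus and Xiaomi captures from the post, trimmed to the records the parser uses; the function names and the "unbound data interface" rule are my own assumptions, not anything from the kernel or the post.

```python
# Added example (not from the original post): parse the
# /sys/kernel/debug/usb/devices text, flag tethering devices whose CDC
# data interface has no driver bound, and derive the new_id value.
import re
from dataclasses import dataclass, field


@dataclass
class UsbDevice:
    bus: int
    devnum: int
    vendor: str = ""
    product: str = ""
    manufacturer: str = ""
    # (interface number, interface class as two hex digits, bound driver name)
    interfaces: list = field(default_factory=list)


def parse_usb_devices(text):
    """Parse the T:/P:/S:/I: records of /sys/kernel/debug/usb/devices."""
    devices = []
    cur = None
    for line in text.splitlines():
        if line.startswith("T:"):
            m = re.search(r"Bus=\s*(\d+).*Dev#=\s*(\d+)", line)
            cur = UsbDevice(bus=int(m.group(1)), devnum=int(m.group(2)))
            devices.append(cur)
        elif cur is None:
            continue  # nothing before the first topology record
        elif line.startswith("P:"):
            m = re.search(r"Vendor=([0-9a-f]{4})\s+ProdID=([0-9a-f]{4})", line)
            cur.vendor, cur.product = m.group(1), m.group(2)
        elif line.startswith("S:") and "Manufacturer=" in line:
            cur.manufacturer = line.split("Manufacturer=", 1)[1].strip()
        elif line.startswith("I:"):
            m = re.search(r"If#=\s*(\d+).*?Cls=([0-9a-f]{2})\(.*?Driver=(\S+)", line)
            cur.interfaces.append((int(m.group(1)), m.group(2), m.group(3)))
    return devices


def unbound_tethering_candidates(devices):
    """Devices with a CDC data interface (class 0a) whose RNDIS-style
    interfaces (classes 0a, e0 or ef) still show Driver=(none)."""
    hits = []
    for d in devices:
        has_data = any(cls == "0a" for _, cls, _ in d.interfaces)
        unbound = [n for n, cls, drv in d.interfaces
                   if cls in ("0a", "e0", "ef") and drv == "(none)"]
        if has_data and unbound:
            hits.append(d)
    return hits


def new_id_line(dev):
    """The sysfs write that tells rndis_host to claim this vendor:product."""
    return f"echo '{dev.vendor} {dev.product}' > /sys/bus/usb/drivers/rndis_host/new_id"


# Sample input: the two captures from the post, trimmed to the relevant records.
SAMPLE = """\
T:  Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=2a70 ProdID=9024 Rev= 4.04
S:  Manufacturer=OnePlus
I:* If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=(none)
I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=(none)
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  5 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=2717 ProdID=ff88 Rev= 3.10
S:  Manufacturer=Android
I:* If#= 0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host
I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
"""


def report(text=SAMPLE):
    """Return the new_id line for every unbound candidate in the capture."""
    return [new_id_line(d) for d in unbound_tethering_candidates(parse_usb_devices(text))]


if __name__ == "__main__":
    for d in parse_usb_devices(SAMPLE):
        print(f"bus {d.bus} dev {d.devnum} {d.vendor}:{d.product} {d.manufacturer}")
        for n, cls, drv in d.interfaces:
            print(f"   if {n} class {cls} driver {drv}")
    for line in report():
        print(line)
```

Reading the class triples side by side explains the difference in the captures: the Xiaomi device advertises its control interface as e0/01/03 (wireless controller, RNDIS), which rndis_host matched on its own, whereas the OnePlus device advertises ef/04/01 and was left with Driver=(none) on both the control and data interfaces. Binding by interface name only works for a device the driver already matches, which is why the bind writes failed and new_id was needed. Note that new_id is a match on vendor and product only and lives until reboot, so any device presenting that pair afterwards is handed to the network driver. The interface showing Driver=usbfs (class ff, the vendor interface) is claimed from user space, by adb.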

deodex

git clone https://github.com/testwhat/SmaliEx
./gradlew -b smaliex/build.gradle dist

Extract the odex:
java -jar /media/data/github/SmaliEx/smaliex-bin/oat2dex.jar -o oating/ odex boot-raw/boot.oat
Afterwards core-oj.odex shows up in the oating directory.

Using upstream baksmali:

git clone https://github.com/JesusFreke/smali.git
./gradlew build

./baksmali list dex /dev/shm/7/boot-raw/boot.oat
or
java -jar /media/data/github/smali/baksmali/build/libs/baksmali-2.2.3-5916586f-fat.jar list dex boot-raw/boot.oat

/system/framework/core-oj.jar

Using frida to read and extend the whitelist of OnePlus's built-in Parallel Apps

The Parallel Apps feature built into the OnePlus 5T on Android 8.1 is more stable than the 7.1 version.
The problem is that it has a whitelist, and some IM apps are not eligible for cloning.

Java.perform(function () {
    var OPOnlineConfigManager = Java.use("com.oneplus.settings.OPOnlineConfigManager");
    // localMultiAppWhiteList
    // multiAppWhiteList
    var x = OPOnlineConfigManager.getMultiAppWhiteList();

    // x is a java.util.List wrapper: print its size, then every entry
    console.log(x.size());
    for (var i = 0; i < x.size(); i++) {
        console.log(x.get(i));
    }
});

In fact, localMultiAppWhiteList is defined in Settings/res/values/arrays.xml:

com.example.plugindemo1
com.tencent.mm
com.tencent.mobileqq
com.sina.weibo
com.tencent.tmgp.sgame
com.eg.android.AlipayGphone
com.qzone
com.ifreetalk.ftalk
im.yixin
com.alibaba.mobileim
com.p1.mobile.putong
net.iaround
com.renren.mobile.android
com.baidu.tieba
com.zhihu.android
com.tencent.qqlite
com.tencent.tim
com.soft.blued
com.duowan.mobile
com.immomo.momo
com.weico.international
com.linkedin.android
com.facebook.katana
com.facebook.lite
com.facebook.orca
com.whatsapp
com.instagram.android
com.tinder
com.snapchat.android
com.pinterest
com.tumblr
com.linkedin.android
com.myyearbook.m
com.quora.android
com.twitter.android
com.zhiliaoapp.musically
com.badoo.mobile
com.sgiggle.production
jp.naver.line.android
com.kakao.talk
org.telegram.messenger
com.viber.voip
com.skype.raider
com.hellostudio.hellotalk
net.tandem
kik.android
foxycorp.textnow

Add Dingtone to it:

me.dingtone.app
me.talkyou.app

Using Xposed is more reliable:


import android.content.Context;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

// Module class name is a placeholder; the hook body is the post's own.
public class MultiAppWhitelistHook implements IXposedHookLoadPackage {

    @Override
    public void handleLoadPackage(final XC_LoadPackage.LoadPackageParam lpparam) {

        // The Parallel Apps loader lives in the Settings app; ignore every other process.
        if (!lpparam.packageName.equals("com.android.settings")) {
            return;
        }

        try {
            // Replace the exclude filter so it accepts every package, bypassing the whitelist.
            XposedHelpers.findAndHookMethod("com.oneplus.settings.apploader.OPApplicationLoader",
                    lpparam.classLoader, "multiAppPackageExcludeFilter", Context.class, String.class,
                    XC_MethodReplacement.returnConstant(true));
        } catch (Throwable t) {
            // findAndHookMethod throws NoSuchMethodError (an Error, not an Exception) when the
            // method is missing on this firmware build, so catch Throwable to log it.
            XposedBridge.log(t);
        }
    }
}

Enumerating every loaded class on Android with frida

Java.enumerateLoadedClasses

#!/usr/bin/python3.5

import sys
# Author's local frida install; drop this if frida is already importable.
sys.path.insert(1, '/home/zhiwei/lib/python3.5')
import frida

# Agent script: print every class currently loaded in the target process.
jscode = """
Java.perform(function () {
    Java.enumerateLoadedClasses({
        onMatch: function (classname) {
            console.log(classname);
        },
        onComplete: function () {
            // nothing to do once the enumeration has finished
        }
    });
});
"""

# Attach over USB to the telephony process and load the agent.
session = frida.get_usb_device().attach('com.android.phone')
script = session.create_script(jscode)

print(' Running Frida ...')
script.load()
sys.stdin.read()  # keep the session alive until stdin hits EOF

Open Radio Calibration Toolkit

Open Radio Calibration Toolkit, an enhanced Open Source Implementation to replace Qualcomm’s QRCT

https://github.com/linneman/orct

https://github.com/ollseg/usb-device-fuzzing/blob/master/USBFuzz/QCDM.py