Root refers to the technique that lets users obtain superuser permissions on the Android operating system. With root, users can bypass restrictions imposed by the phone manufacturer, uninstall certain applications preinstalled by the manufacturer, and run applications that require superuser privileges. At the same time, root can also make a phone "insecure" (not that root itself makes the phone insecure, but some user habits can make the phone dangerous after rooting).

I. Basic explanation

The current state of permissions

But starting with Marshmallow (Android 6.0), Google essentially blocked the root approach that was most popular in earlier versions: placing the su daemon in the /system partition and acquiring the required permissions at boot. As the saying goes, every countermeasure meets a counter-countermeasure, hence systemless root, which does not modify the /system partition in any way.

Purpose of flashing

  • Android development debugging needs
  • System customization and modification

Environment

  • Mac
  • Pixel 2 XL
  • Android 9

The main content

  • Flashing
    • Device unlocking
  • ROOT operation
    • Flashing TWRP
    • Flashing Magisk
  • ROOT development
    • ADB installation
    • Packet capture
    • Operations

Basics

Video Tutorial

www.bilibili.com/video/BV1Ly…

Download resources

If your device is the same as my phone, you can use the resources I share (other models need to collect their own):

  • Pixel 2 XL Android 9

II. Device unlocking

In general, there is an option called "OEM unlocking" in Developer options. Except for a small number of devices from foreign carriers that entered the Chinese market, users can enable this option themselves.

After unlocking the bootloader, all data on the phone is wiped immediately. However, this is also the first step for much of the tinkering described here, so it is recommended to do it as early as possible. Unlocking the bootloader also means that the security of a personal device such as a phone is greatly reduced, and many manufacturers attach many clauses to their unlocking policies.

Once you have confirmed that the fastboot connection works, run the unlock-bootloader command:

fastboot flashing unlock

Or:

fastboot oem unlock

You should now see a confirmation screen on your phone; use the volume buttons to scroll to the option and the power button to confirm if you are sure you want to continue.

Let the process complete, then run this command to reboot:

fastboot reboot

The bootloader is now unlocked! After unlocking, you will see a warning every time the phone boots. This is nothing to worry about; it is normal.

III. Flashing

Factory image resources

Google Pixel

www.jianshu.com/go-wild?ac=…

Take the Pixel 2 XL as an example:

Download link

The downloaded directory structure is as follows:

All steps

Here the Pixel 2 XL fastboot (wired) flash is taken as an example. The core process is as follows:

  • Enable debugging mode on the device
  • Enter the bootloader interface
  • Run the flashing script

Enable debugging mode on the device

Running adb shell should connect to the device successfully.

Enter the bootloader interface

Method 1

Power off the phone, then hold the power key and the volume-down key at the same time; the phone enters the bootloader screen.

The screen before flashing looks like this:

Method 2

With ADB connected, run:

adb reboot bootloader

Start flashing

Open a terminal, cd into the directory of the factory image package, and run:

./flash-all.sh

Then comes a wait of nearly two minutes:

IV. Flashing Magisk

What is Magisk

Magisk is an Android framework developed by @TopjohnWu, a Taiwanese student. Magisk is a generic third-party systemless interface that implements a number of powerful functions this way. Magisk's cleverness is that it implements a way of using root that bypasses SafetyNet, because it does not change your system partition in any way. This means you can still install official OTA updates without losing root.

Functions

  • Obtaining and managing ROOT permission

For example, if /system/xbin has no su, we can obtain root by flashing the corresponding module, which maps su into /system/xbin during early system startup.

  • Mounting extension modules with various functions

Well-known examples: replacing system fonts, fingerprint animations, boot animations and so on.

Supported versions: Android 5.0+

How it works

Magisk is essentially a file mount system. What Magisk does is hook into the boot process and use bind mounts to build a file system on top of the real system in which files can be replaced, added and deleted, without actually changing the system partition at all (this is the systemless interface: modifying the system in a way that does not touch /system). All operations happen at startup, and this is what Magisk does during startup:

1. During preparation, /data/magisk.img is mounted at /magisk. Magisk also traverses the magisk directory to check which modules are enabled and records them.

2. Create the skeleton system file system (since a bind mount must have a target file), all built with mkdir and touch.

3. Bind-mount each file under /magisk/$MODID/system of every module marked as enabled onto the skeleton system.

4. Run the scripts in the custom modules.

5. Go through the remaining files in the skeleton that have not been mounted yet and bind them to the real system files.
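To make the five steps concrete, here is an added Python simulation (not Magisk's own code) that plans the mkdir/touch skeleton, the module bind mounts and the fall-through binds to the real /system for constructed sample trees; it goes slightly beyond the list above by also flagging two enabled modules that ship the same path. The module names, file names and the /skeleton target prefix are made up for the example.

```python
from posixpath import dirname

# Constructed sample input (nothing here is read from a real device): files in the real
# /system plus the module trees that /data/magisk.img, mounted at /magisk, would contain.
REAL_SYSTEM = {"bin/sh", "xbin/nc", "fonts/Roboto-Regular.ttf", "etc/hosts"}
MODULES = {
    "fontchanger": {"enabled": True,  "files": {"fonts/Roboto-Regular.ttf", "fonts/Extra.ttf"}},
    "xbin-su":     {"enabled": True,  "files": {"xbin/su"}},
    "old-mod":     {"enabled": False, "files": {"bin/sh"}},   # disabled: must never be mounted
}

def plan_boot(real_system, modules):
    """Ordered operations of the five boot steps, as tuples a reader can inspect."""
    ops = []
    enabled = [mid for mid, m in modules.items() if m["enabled"]]             # step 1
    wanted = set(real_system).union(*(modules[m]["files"] for m in enabled))  # step 2: skeleton contents
    dirs = set()
    for f in wanted:                       # every ancestor directory is needed before the file
        d = dirname(f)
        while d:
            dirs.add(d)
            d = dirname(d)
    for d in sorted(dirs):                 # parents sort before children, so mkdir order is valid
        ops.append(("mkdir", "/skeleton/" + d))
    for f in sorted(wanted):               # a bind mount needs an existing target file
        ops.append(("touch", "/skeleton/" + f))
    bound = {}
    for mid in enabled:                    # step 3: module files bind over the skeleton
        for f in sorted(modules[mid]["files"]):
            if f in bound:                 # two enabled modules ship the same path; the later one shadows
                ops.append(("conflict", f, bound[f], mid))
            bound[f] = mid
            ops.append(("bind", f"/magisk/{mid}/system/{f}", f"/skeleton/{f}"))
    ops.append(("run-scripts", tuple(enabled)))                               # step 4
    for f in sorted(wanted - set(bound)):  # step 5: whatever is left comes from the real /system
        ops.append(("bind", f"/system/{f}", f"/skeleton/{f}"))
    return ops

def effective_source(ops, path):
    """Where the final view serves `path` from: the last bind onto that skeleton target wins."""
    src = None
    for op in ops:
        if op[0] == "bind" and op[2] == "/skeleton/" + path:
            src = op[1]
    return src

if __name__ == "__main__":
    for op in plan_boot(REAL_SYSTEM, MODULES):
        print(*op)
```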

Preparing Magisk

Since Magisk 22, there is no longer any difference between the .zip package used for flashing and the .apk application package used to install the manager. Both are provided as the .apk package by default, and it can be flashed after changing the suffix to .zip.

Resource

Github.com/topjohnwu/M…

Transfer to the device

adb push Magisk-v24.2.zip /sdcard/Download/

Flashing TWRP (Recovery)

Resource bundle

TWRP. Me/Google/goog…

Redmi K20 Pro

Using a temporary TWRP

Before running the command, enter the bootloader interface, then run the following command. After it runs, the device reboots automatically and ends up in the TWRP menu:

fastboot boot ~/Downloads/twrp-3.6.0_9-0-raphael.img

The menu looks like this:

Installing Magisk

Menu path: Install ->

Select the installation package saved under /sdcard/Download/, and the installation completes.

Reboot the system and open the relevant app.

V. Applications

Magisk module (plug-in) introduction

There are custom functions that can be implemented on top of Magisk, and modules (plug-ins) are designed for exactly that.

Module development

Tutorial

www.coolapk.com/feed/160569…

Template file

Github.com/Pinkdoge/ma…

ADB shell operations

Mounting the system partition

Connect to the device with adb shell, then run su to obtain root. At this point the system partition still has no write permission, so run:

#adb shell
#su
mount -o rw,remount /
mount -o rw,remount /system

Now you have permission to write to the system partition.

Viewing protected files

Normal users cannot view files in the system partition; you need to run as the superuser, for example:

adb shell su -c "ls /etc/security/cacerts"

Packet capture

Starting with Android Nougat, apps no longer trust user-installed certificates by default. Developers can still choose to accept user certificates by configuring the networkSecurityConfig attribute in the application's AndroidManifest.xml, but they are no longer trusted by default.

Capture software

The basic usage of the capture software is not covered here; the download link and configuration are as follows.

Software download link

📎 Charles – Settings.xml

Certificate configuration

Resources

Github.com/Magisk-Modu…

Github.com/Magisk-Modu…

Github.com/NVISOsecuri…

Obtain the hash of the certificate

openssl x509 -inform PEM -subject_hash_old -in charles-ssl-proxying-certificate.pem | head -1

Then copy the certificate to a file named <hash>.0, using the hash generated above:

cp charles-ssl-proxying-certificate.pem /etc/security/cacerts/92ac25d5.0

Copy the file to the phone

adb push 6fbe4e0f.0 /sdcard/Download/6fbe4e0f.0

Copy to the system directory

Note: /system has no write permission by default. For details, see Mounting the system partition.

cp /sdcard/Download/92ac25d5.0 /etc/security/cacerts/92ac25d5.0
chmod 644 /etc/security/cacerts/92ac25d5.0

Finally, reboot the device and check whether traffic can now be captured normally.
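Because the file name in the system store is derived from the certificate's subject, here is an added Python example (not part of the original post, standard library only) that reproduces what `openssl x509 -subject_hash_old` computes: it walks the DER to the Subject Name, takes MD5 of that DER and reads the first four bytes little-endian. The certificate used is a constructed, unsigned stand-in built by sample_cert(), so its hash is not the Charles one; a real Charles PEM string can be passed to cacerts_filename() instead.

```python
import hashlib, ssl

def der(tag, content):
    # One DER TLV; short-form and one-byte long-form lengths (under 256) are enough for this sample.
    ln = bytes([len(content)]) if len(content) < 0x80 else b"\x81" + bytes([len(content)])
    return bytes([tag]) + ln + content

def name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; a single commonName (OID 2.5.4.3) here.
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))

def sample_cert(cn, with_version=True):
    # Constructed, certificate-shaped PEM carrying only the fields the hash walk needs (unsigned).
    version = der(0xA0, der(0x02, b"\x02")) if with_version else b""
    sig_alg = der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    tbs = version + der(0x02, b"\x01") + sig_alg + name("Constructed Issuer") + validity + name(cn)
    return ssl.DER_cert_to_PEM_cert(der(0x30, der(0x30, tbs)))   # Certificate ::= SEQUENCE { tbs, ... }

def read_tlv(buf, pos=0):
    # Return (tag, value, end_offset) for the DER element that starts at `pos`.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def subject_der(cert_pem):
    # DER of the Subject Name, tag and length included, exactly what i2d_X509_NAME emits.
    _, cert_body, _ = read_tlv(ssl.PEM_cert_to_DER_cert(cert_pem))
    _, tbs_body, _ = read_tlv(cert_body)    # tbsCertificate is the first element of Certificate
    fields, pos = [], 0
    while pos < len(tbs_body):              # collect (tag, raw bytes) of each tbsCertificate field
        tag, _, end = read_tlv(tbs_body, pos)
        fields.append((tag, tbs_body[pos:end]))
        pos = end
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version precedes serialNumber
        fields = fields[1:]
    return fields[4][1]                     # serial, sigAlg, issuer, validity, subject

def name_hash_old(name_der):
    # X509_NAME_hash_old(): MD5 over the DER Name, first four bytes read little-endian, 8 hex digits.
    return "%08x" % int.from_bytes(hashlib.md5(name_der).digest()[:4], "little")

def cacerts_filename(cert_pem):
    # The file name Android's system store expects: <subject_hash_old>.0
    return name_hash_old(subject_der(cert_pem)) + ".0"

SAMPLE_PEM = sample_cert("Charles Proxy CA (constructed)")
```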

ROOT applications

Reference

topjohnwu's root operation library

Github.com/topjohnwu/l…

Application

Based on this base library, it is relatively easy to implement operations that require ROOT permission.

For example, if I want to implement quickly copying the certificate to the system directory, the steps are as follows:

  • Generate the hash file of the certificate

Refer to Packet capture

  • Operate on the system files directly
private fun deleteCertificate(sourcePath: String) {
    val targetPath = "/system/etc/security/cacerts/$sourcePath"
    // Remount / and /system read-write, then remove the certificate file.
    // The "su" entry is redundant when libsu has already opened a root shell, but is kept as in the original.
    Shell.cmd(
        "su",
        "mount -o rw,remount /",
        "mount -o rw,remount /system",
        "rm -f $targetPath"
    ).submit { result ->
        updateUI(result)
        if (result.isSuccess) {
            logger.log("Certificate deleted: $sourcePath")
        } else {
            logger.log("Failed to delete certificate: $sourcePath")
        }
    }
}