逆向修改android 内核

https://www.jianshu.com/p/cd3a8df896d0

 

环境:
linux
工具:
abooting: https://github.com/gerasiov/abootimg-android

参考:
https://bbs.pediy.com/thread-207538.htm

1.提取zImage 文件

root@hammerhead:/ # ls -l /dev/block/platform/msm_sdcc.1/by-name/ |grep boot   
lrwxrwxrwx root     root              1970-07-08 20:42 aboot -> /dev/block/mmcblk0p6
lrwxrwxrwx root     root              1970-07-08 20:42 abootb -> /dev/block/mmcblk0p11
lrwxrwxrwx root     root              1970-07-08 20:42 boot -> /dev/block/mmcblk0p19
root@hammerhead:/ # dd if=/dev/block/mmcblk0p19 of=/data/data/tmp/boot.img

在主机上对boot.img 进行解压

➜  kernel adb pull /data/local/tmp/boot.img .
/data/local/tmp/boot.img: 1 file pulled. 6.4 MB/s (23068672 bytes in 3.459s)
➜  kernel ls
abootimg  abootimg-android  boot.img
➜  kernel 
➜  kernel 
➜  kernel 
➜  kernel ll
total 22560
-rwxrwxrwx 1 z3r0 z3r0    29680 Oct 31 15:32 abootimg
drwxrwxrwx 1 z3r0 z3r0      448 Oct 31 15:32 abootimg-android
-rwxrwxrwx 1 z3r0 z3r0 23068672 Oct 31 15:38 boot.img
➜  kernel abootimg-android/
➜  kernel ./abootimg -x boot.img 
writing boot image config in bootimg.cfg
extracting kernel in zImage
extracting ramdisk in initrd.img
➜  kernel ls
abootimg  abootimg-android  boot.img  bootimg.cfg  initrd.img  zImage
➜  kernel 

关闭符号屏蔽

root@hammerhead:/ # echo 0 > /proc/sys/kernel/kptr_restrict                    
[1] + Done (1)             cat /proc/kallsyms |
      Done                 less 
root@hammerhead:/ #                 

找到这两函数的地址

root@hammerhead:/ # cat /proc/kallsyms |grep proc_pid_status                   
c02ba04c T proc_pid_status
root@hammerhead:/ # cat /proc/kallsyms |grep __task_pid_nr_ns                  
c01b0884 T __task_pid_nr_ns

将zImage 复制为z.gz ,并且再用010editor 编辑,

4.png

去掉1f 88 08 00 前面的数据后,再用gunzip 解压得到 z

![Uploading 6_233342.png . . .]
  1. ida 修改
    使用ida 打开z, 处理器选择ARM little ,并设置
3.png

在找proc_pid_status 函数时,ida 无法识别为代码,所以p 来自定义函数,之后通过__task_pid_nr_ns 函数的地址来交叉引用找到位置或者通过字符串

7.png

找到引用的位置,修改其机器码

8.png

mov r0,#0 的机器码为 00 00 a0 e3
mov R10, #0 的机器码 为00 a0 a0 e3

9.png

修改后

10.png
  1. 重新写入
    1.将z 重新压缩gzip -n -f -9 z
  2. 将z.gz 覆盖原zImage
    z.gz 替换前和替换后
total 114409
-rwxrwxrwx 1 z3r0 z3r0    29680 Oct 31 15:32 abootimg
drwxrwxrwx 1 z3r0 z3r0     4096 Oct 31 15:32 abootimg-android
-rwxrwxrwx 1 z3r0 z3r0 23068672 Oct 31 15:38 boot.img
-rwxrwxrwx 1 z3r0 z3r0      252 Oct 31 15:38 bootimg.cfg
-rwxrwxrwx 1 z3r0 z3r0   500854 Oct 31 15:38 initrd.img
-rwxrwxrwx 1 z3r0 z3r0  6992288 Oct 31 15:57 z.gz
-rwxrwxrwx 1 z3r0 z3r0 78136638 Oct 31 16:38 z.idb
-rwxrwxrwx 1 z3r0 z3r0  8405280 Oct 31 15:38 zImage
➜  kernel ll
total 113045
-rwxrwxrwx 1 z3r0 lifenad   29680 Oct 31 15:32 abootimg
drwxrwxrwx 1 z3r0 z3r0     4096 Oct 31 15:32 abootimg-android
-rwxrwxrwx 1 z3r0 z3r0 23068672 Oct 31 15:38 boot.img
-rwxrwxrwx 1 z3r0 z3r0      252 Oct 31 15:38 bootimg.cfg
-rwxrwxrwx 1 z3r0 z3r0   500854 Oct 31 15:38 initrd.img
-rwxrwxrwx 1 z3r0 z3r0  6992288 Oct 31 15:57 z.gz
-rwxrwxrwx 1 z3r0 z3r0 78136638 Oct 31 16:38 z.idb
-rwxrwxrwx 1 z3r0 z3r0  8405280 Oct 31 16:49 zImage

注意这里zImage 的大小要和原来的一样,不然刷回去会变转

重新生成boot.img

abootimg --create boot.img -f bootimg.cfg -k zImage -r initrd.img

使用fastboot 重新刷boot.img


发表评论

电子邮件地址不会被公开。 必填项已用*标注