android 6.0三星5.1.1Root

现在google是越来越不给我们留活路了… 从android 6.0开始, 三星的5.1.1开始. 默认都开启了data分区的forceencryption, 也就是强制加密. 也开启了/system分区验证. 所以目前市面上都没有针对android 6.0和三星5.1.1以上的root方案..

国外的supersu的作者chainfire, 搞cf-auto-root那哥们, 也没有针对三星5.1.1和android 6.0的方案. 不过他私下搞了个修改android内核的root方案.. 这个可能是目前唯一可以root 6.0的办法.

http://forum.xda-developers.com/apps/supersu/wip-android-6-0-marshmellow-t3219344

这个可能也是以后root的办法.. 它是通过修改boot.img也就是Android的内核文件, 对/system分区效验的地方打补丁. 目前我们搞刷机也是用的这个办法. 这个办法有一个弊端, 就是需要修改Android的内核文件. 要针对一台一台机型的做处理. 即使是一键Root也必须这样.

以后Root会越来越难! 即使是有漏洞, 能够提权, 但是不允许修改/system目录的话, 也要针对每一款机型自己做一个打过补丁的sepolicy文件!想来感觉真是有点心寒, google这是要赶尽杀绝的节奏啊!目前只能使用chainfire研究出来的给sepolicy打补丁的办法. 不过他说在弄, 不需要打补丁的办法. 但是还没试验, 另外他说Bugs… Bugs everywhere!

http://www.androidpolice.com/2015/10/31/chainfire-experiment-achieves-android-root-without-touching-the-system-partition/

所以目前可行的办法还是修改boot.img.. 昨天在三星的S5(SM-G900I)上, 成功做出来了一个刷机包可以获取到root权限. 这种办法, 针对android 6.0和三星的5.1.1以上都可以.. 当然如果是锁了bootloader的机器, 那就没办法了! 这里简单说下步骤.

1. 首先根据机型的型号(SM-G900I)和Model number去下载原版的刷机包. 下载包的时候注意基带版本和Build number.

http://samsung-updates.com/

2. 下载一个该机型的(SM-G900I)的自定义recovery. 一般CWM 和TWRP都可以. 只需要有完整的busybox工具就行!

https://www.clockworkmod.com/rommanager

http://teamw.in/Devices/

3. 下载SuperSU-v2.56-20151030013730 底包

SuperSU-v2.56-20151030013730.zip

4. 脚本文件提取. 这个我们就直接从xiao1u修改的S6(SM-G9200)的boot.img里面提取就行. 需要这个包里面的3个脚本文件. startsu.sh init.fixdeepsleep.sh  install-su.sh

http://pan.baidu.com/s/1bnE2nJT 密码: yb1y

这样. 需要的基本资源就可以了.. 下面就是做自己的包了. 所以接下来这几步这样弄.

1. 获取patch过的sepolicy. 这步很关键, 不然即使脚本和SuperSU放进去了, 也启动不了机器. 因为seplicy检测到/system被修改了, 会拒绝启动. 所以刷入自定义的recovery然后进入recovery中执行以下命令.

adb push sepolicy /data/local/tmp/sepolicy
adb shell su -c "supolicy --file /data/local/tmp/sepolicy /data/local/tmp/sepolicy_out"
adb shell su -c "chmod 0644 /data/local/tmp/sepolicy_out"
adb pull /data/local/tmp/sepolicy_out sepolicy_out

sepolicy在下载的原版刷机包里面有, supolicy在SuperSU-v2.56-20151030013730里面. 运行supolicy的时候, 提示缺少库文件libsupol.so所以把libsupol.so上传到/system/lib下面. 上面的命令就可以执行完成了. 输出的sepolicy_out就是patch过的文件. 用这个替换掉boot.img里面的sepolicy就可以关闭检测了.

1) 修改/default.prop

修改内容:

ro.secure=1
ro.allow.mock.location=0
ro.debuggable=0
ro.adb.secure=1

>>
ro.secure=0
ro.allow.mock.location=1
ro.debuggable=1
ro.adb.secure=0

2) 修改 /fstab.samsungexynos7420 和 fstab.samsungexynos7420.fwup有可能是
/system 改为不带 verify 的
修改内容:
/dev/block/platform/15570000.ufs/by-name/SYSTEM /system ext4 ro,errors=panic,noload wait,support_scfs,verify
>>
/dev/block/platform/15570000.ufs/by-name/SYSTEM /system ext4 ro,errors=panic,noload wait,support_scfs

有可能是fstab.qcom如果默认不带verify就不需要修改了!

3)修改 /init.rc

3.1)on late-init 后加入:

service injectsu /system/bin/sh /sbin/install-su.sh
class core
user root
oneshot

3.2) ## Daemon processes to be run by init. 中加入

service fixdeep /system/bin/sh /sbin/init.fixdeepsleep.sh
class core
user root
oneshot

3.3)最后加入:

service startsu /system/bin/sh /sbin/startsu.sh
class main
user root
oneshot

4) 增加额外的文件(Superuser,脚本)

$ARCH 可能是 arm64 或者 arm

/sbin/supersu/$ARCH/libsupol.so

/sbin/supersu/$ARCH/su

/sbin/supersu/$ARCH/supolicy

/sbin/supersu/common/99SuperSUDaemon

/sbin/supersu/common/install-recovery.sh

/sbin/supersu/common/Superuser.apk

/sbin/init.fixdeepsleep.sh

/sbin/install-su.sh

/sbin/startsu.sh

注意, 一般来说boot.img分区不是很大, 很容易放入Superuser以后空间就不够了. 这时候可以不放入Superuser. 这样的boot.img刷入以后, 直接输入su就可以提权. 可以进入系统再安装一个Superuser也可以.. 或者放在cache.img.ext4里面也可以.. 然后修改install-su.sh脚本里面的

cp_perm 0 0 0644 $COM/Superuser.apk $APKNAME

改成

cp_perm 0 0 0644 /cache/Superuser.apk $APKNAME

按照这个套路搞好的boot.img刷入系统, 就可以获取到root权限了!

 

网友评论:

  1. como cuidar a un adulto mayor 说:

    There is definately a lot to learn about this subject. I really like all the points you have made.

  2. Di Outdoor 说:

    Wonderful work! That is the kind of information that should be

  3. Nova 4 specs 说:

    Some really great posts on this website , regards for contribution.

  4. Click to read 说:

    Very informative article post.Thanks Again. Really Cool.

  5. https://buylolaccount.com 说:

    This is one awesome blog article.Thanks Again.

  6. Discover More 说:

    I saw a lot of website but I conceive this one has something special in it in it

  7. click here 说:

    Very good article post.Really looking forward to read more.

  8. generic levitra 说:

    Its like you read my mind! You seem to know so much about this, like you

  9. mca make money 说:

    Really enjoyed this article post.Really thank you! Cool.

  10. tui deo cheo nu 说:

    Im obliged for the article post.Thanks Again. Cool. porno gifs

  11. Manifestation Magic Review 说:

    It as not that I want to copy your internet site, but I really like the pattern. Could you let me know which style are you using? Or was it custom made?

  12. for more information 说:

    It is not my first time to pay a quick visit this site,

  13. Lai 说:

    Simply wanna remark that you have a very nice internet site , I love the design and style it really stands out.

  14. Party Bus Toronto 说:

    Wow, awesome blog structure! How long have you ever been blogging for? you make blogging glance easy. The whole look of your web site is fantastic, as well as the content material!

  15. Limo Service Toronto 说:

    This text is priceless. When can I find out more?

  16. trang tri noel 说:

    This is a good tip particularly to those new to the blogosphere. Brief but very precise info Thanks for sharing this one. A must read post!

  17. for more info 说:

    Really appreciate you sharing this post. Great.

  18. pc games free download full version 说:

    Really appreciate you sharing this post.Much thanks again. Really Cool.

  19. کلینیک دندانپزشکی 说:

    Really enjoyed this post.Much thanks again. Want more.

  20. sbobet asia 说:

    so much and I am looking forward to touch you. Will you please drop me a mail? my homepage candy crush saga cheats

发表评论

发表评论前,请选对水果: 葡萄