Android Root principle

Source: Internet
Author: User
Tags: sprintf, root access

Overview: This article explains how and why root access can be obtained on Android systems. It describes the purpose of root, the underlying principle, and the concrete implementation at the code level.

Android Root Introduction

1. Root Purpose

Once the phone has root privileges, the user holds the highest privilege level of the mobile system, equivalent to the root account on a Linux system or the administrator account on Windows. Because Android is Linux-based, this privilege is called root permission.

With root permission, users can freely delete useless preinstalled system software, replace the boot animation, and remove status-bar pop-up ads and the advertising shown by third-party ad platforms embedded in common apps, so the phone does as you wish and you are no longer disturbed. In a word, root lets you truly feel like the owner of your phone.

2. Introduction to Root principle

The principle of rooting a phone comes down to three steps. Step one: copy the su binary into the /system/bin/ directory. Step two: put Superuser.apk into the /system/app/ directory. Step three: set /system/bin/su so that any user may run it and give it the set-uid and set-gid permission bits.

Of course, device vendors do not simply let us do this, so the various vulnerabilities of the Android operating system have to be exploited to carry out these operations. Using such vulnerabilities to complete the three steps above is what the rooting process is.

su stands for "switch user": it switches the current user.

3. Root Method Introduction

From the root principle we learned that rooting takes three steps:

    1. adb push su /system/bin (or /system/xbin, which is the usual place for small add-on tools)
    2. adb push Superuser.apk /system/app
    3. adb shell chmod 4755 /system/bin/su (to learn about chmod modes, see http://hi.baidu.com/angivo/item/345af44260142b09e9350416)

If the system is the English version, root is done after the three steps above, and by installing the Root Explorer app you can create and delete files in the root directory. But domestic phones run a Chinese version of the system modified by the manufacturer, and on those the three steps above do not work, for the following three reasons:

    1. On the Chinese version the /system path is read-only, so we cannot complete the write or copy operation.
    2. The chmod command itself requires root permission to use, and we do not have root access while performing these steps, so this command cannot be used in our rooting process.
    3. Some vendor-customized systems automatically change su's permissions from 4755 back to 755 when the system restarts, or simply remove su. This is why we often see a phone that is clearly rooted lose its root authority after a reboot: the root privilege was only temporary.

Given these three points, how can we be sure of getting permanent root privileges? One solution is to burn an English version of boot.img, flash an English version of the system, and then root it. Another option is to monitor in real time whether the su file still exists in the /system/bin directory and copy a fresh one over if it does not.

4. Deep Understanding of the Root mechanism

The root invocation process is as follows:

    1. su is invoked by the user (or by an app).
    2. su creates a socket listener, building a channel over which the communication will complete.
    3. su notifies Superuser by broadcast that an application currently wants to use root.
    4. su waits for the socket communication to complete, normally with timeout handling.
    5. On receiving the broadcast, Superuser pops up a dialog on screen to interact with the user, asking whether to grant root permission.
    6. Superuser returns the user's choice to su via the socket.
    7. su decides, according to the result received on the socket, whether or not to continue with root permission.
    8. The authorization process is complete.
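The exchange described in the eight steps above, as an added example that is not part of the original article or of the Superuser project's code. The su side binds a Unix socket, notifies Superuser, and waits with a timeout; a thread plays Superuser, "shows the dialog" through a callback and writes the verdict back on the socket. The wire format (the strings allow/deny) and the dictionary standing in for the broadcast intent are constructed for this example; the point it adds to the list is the failure mode in step 4: if nobody answers, or the answer is anything other than an explicit allow, su must treat it as a denial.

```python
import os
import socket
import tempfile
import threading

# Constructed verdict strings; the real su/Superuser pair used its own wire format.
ALLOW, DENY, TIMEOUT = "allow", "deny", "timeout"


def superuser_side(request, decide):
    """Stand-in for Superuser (steps 5 and 6): receive the 'broadcast' (here a
    dict), show the dialog (the decide callback) and send the verdict back over
    su's socket. decide() returning None models a user who never answers."""
    verdict = decide(request)
    if verdict is None:
        return
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.connect(request["socket"])
        client.sendall(verdict.encode())
    finally:
        client.close()


def su_request(uid, pid, decide, timeout=10.0):
    """su side of the exchange (steps 2, 3, 4 and 7 of the list above).
    Returns ALLOW, DENY or TIMEOUT; only ALLOW would lead to a root shell."""
    sock_dir = tempfile.mkdtemp()
    sock_path = os.path.join(sock_dir, "su.sock")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(sock_path)
    listener.listen(1)            # step 2: listener exists before anyone is notified
    listener.settimeout(timeout)  # step 4: bounded wait, never block forever

    # step 3: notify Superuser. The real su does this with
    # 'am start ... --ei uid <uid> --ei pid <pid>'; here a thread plays the activity.
    request = {"uid": uid, "pid": pid, "socket": sock_path}
    threading.Thread(target=superuser_side, args=(request, decide), daemon=True).start()

    try:
        conn, _ = listener.accept()
        conn.settimeout(timeout)
        try:
            reply = conn.recv(64).decode(errors="replace").strip()
        finally:
            conn.close()
    except socket.timeout:
        return TIMEOUT            # nobody answered: fail closed, no root
    finally:
        listener.close()
        if os.path.exists(sock_path):
            os.unlink(sock_path)
        os.rmdir(sock_dir)
    # step 7: anything other than an explicit allow is a denial
    return ALLOW if reply == ALLOW else DENY


if __name__ == "__main__":
    print(su_request(10042, 4321, lambda r: ALLOW))             # allow
    print(su_request(10042, 4321, lambda r: None, timeout=0.5))  # timeout
```

Note that the socket is created and listening before the notification goes out, so Superuser can never race ahead of su, and that the timeout branch and the "unexpected reply" branch both resolve to no root rather than to a hang or an accidental grant.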

Superuser.apk is the application that, once rooting succeeds, manages root permissions and prevents malicious applications from abusing them. The official Superuser source and su files can be downloaded from http://superuser.googlecode.com/svn/trunk/; the Superuser code can be opened in Eclipse, compiled and installed.

How Superuser and su communicate:

Superuser runs inside the Java virtual machine, while su is a real process running on Linux; of the two, the Superuser application does most of the work. Superuser has two activities in total: SuperuserActivity and SuperuserRequestActivity. SuperuserActivity manages the whitelist, which remembers which applications have already been allowed to use root permission, so that when a whitelisted application asks again the user does not need to be bothered to choose. SuperuserRequestActivity handles the pop-up dialog that asks the user whether the current app's request to use root permission should be granted, and lets the user choose to grant or not to grant. If the user chooses to grant root privilege permanently, the application is written to the whitelist through SuperuserActivity. The whitelist is actually an SQLite database holding the list of apps the user has chosen to grant root privilege permanently. The database file holding the whitelist is:

/data/data/com.koushikdutta.superuser/databases/superuser.sqlite

As mentioned above, the essence of root is to place a su file into the /system/bin/ directory and give it mode 4755, so that any user has the right to call su and therefore an ordinary program can run root commands through su. Superuser.apk bundles one such su program inside itself. At startup, Superuser first checks whether /system/bin/su exists:

    File su = new File("/system/bin/su");

    // Check whether the su file exists; return immediately if it does not
    if (!su.exists()) {
        Toast toast = Toast.makeText(this, "Unable to find /system/bin/su.",
                                     Toast.LENGTH_LONG);
        toast.show();
        return;
    }

If the installed file has the same size as the bundled copy, the su file is considered correct and the method returns directly (suStream is an InputStream over the su binary bundled in the APK; it is opened earlier and not shown here):

    if (su.length() == suStream.available()) {
        suStream.close();
        return;
    }

If /system/bin/su is present but is not the correct file, the bundled su is first written to "/data/data/com.koushikdutta.superuser/su" and then copied from there into /system/bin/su:

    // Read the bundled su binary into memory and write it to the app's private directory
    byte[] bytes = new byte[suStream.available()];
    DataInputStream dis = new DataInputStream(suStream);
    dis.readFully(bytes);
    FileOutputStream suOutStream = new
        FileOutputStream("/data/data/com.koushikdutta.superuser/su");
    suOutStream.write(bytes);
    suOutStream.close();

    // Use the existing su to remount /system writable and install the fresh copy
    Process process = Runtime.getRuntime().exec("su");
    DataOutputStream os = new
        DataOutputStream(process.getOutputStream());
    os.writeBytes("mount -o remount,rw /dev/block/mtdblock3 /system\n");
    os.writeBytes("busybox cp /data/data/com.koushikdutta.superuser/su /system/bin/su\n");
    os.writeBytes("busybox chown 0:0 /system/bin/su\n");
    os.writeBytes("chmod 4755 /system/bin/su\n");
    os.writeBytes("exit\n");
    os.flush();
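The two checks discussed so far, as an added example that is not part of the original article or of the Superuser project's code: the Java above decides whether su needs reinstalling by comparing file sizes, and section 3 noted that vendor systems reset su from 4755 to 755 (or remove it) on reboot, leaving only temporary root. The functions below express both checks, and go one step beyond the page's size comparison by also comparing a SHA-256 digest, so a same-size but different binary is caught. The bundled su bytes, file names and the "package" of results are constructed for the example; the mode/owner classification takes plain stat values so it can be exercised without a real root-owned file.

```python
import hashlib
import os
import stat
import tempfile

# Constructed stand-in for the su binary that Superuser bundles in its APK.
BUNDLED_SU = b"\x7fELF constructed-su-binary-v1\n"


def classify_su_mode(st_mode, st_uid):
    """Does this mode/owner pair still give root the way the page installs su
    (chown 0:0, chmod 4755)? A vendor reset to 755 shows up as 'not-setuid'."""
    if st_uid != 0:
        return "not-root-owned"
    if not st_mode & stat.S_ISUID:
        return "not-setuid"
    return "ok"


def compare_installed_su(installed_path, bundled=BUNDLED_SU):
    """Classify the installed su against the bundled copy.
    The page's Java stops at the size comparison; the digest comparison is an
    addition so that a same-size but different binary is also reported."""
    if not os.path.exists(installed_path):
        return "missing"
    if os.path.getsize(installed_path) != len(bundled):
        return "size-mismatch"
    with open(installed_path, "rb") as fh:
        installed = fh.read()
    if hashlib.sha256(installed).digest() != hashlib.sha256(bundled).digest():
        return "content-mismatch"
    return "ok"


def demo():
    """Exercise every branch of compare_installed_su on constructed files."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "su")
        results["missing"] = compare_installed_su(path)
        with open(path, "wb") as fh:
            fh.write(b"\x7fELF constructed-su-binary-v2\n")  # same length, different bytes
        results["same_size"] = compare_installed_su(path)
        with open(path, "wb") as fh:
            fh.write(b"short")
        results["wrong_size"] = compare_installed_su(path)
        with open(path, "wb") as fh:
            fh.write(BUNDLED_SU)
        results["intact"] = compare_installed_su(path)
        st = os.stat(path)  # on a dev box this is not root-owned, so 'not-root-owned'
        results["mode"] = classify_su_mode(st.st_mode, st.st_uid)
    return results


if __name__ == "__main__":
    print(demo())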

How does Superuser learn that a process wants to use root permission? The key is this line in su:

    sprintf(syscmd, "am start -a android.intent.action.MAIN -n com.koushikdutta.superuser/com.koushikdutta.superuser.SuperuserRequestActivity --ei uid %d --ei pid %d > /dev/null", g_puid, ppid);

    if (system(syscmd))
        return executionFailure("am.");

The code in su that consults Superuser's whitelist:

    static int checkWhitelist()
    {
        sqlite3 *db;
        int rc = sqlite3_open_v2(DBPATH, &db, SQLITE_OPEN_READWRITE, NULL);
        if (!rc)
        {
            char *errorMessage;
            char query[1024];
            sprintf(query, "SELECT * FROM whitelist WHERE _id=%d LIMIT 1;", g_puid);
            struct whitelistCallInfo callInfo;
            callInfo.count = 0;
            callInfo.db = db;
            rc = sqlite3_exec(db, query, whitelistCallback, &callInfo, &errorMessage);
            if (rc != SQLITE_OK)
            {
                sqlite3_close(db);
                return 0;
            }
            sqlite3_close(db);
            return callInfo.count;
        }
        sqlite3_close(db);
        return 0;
    }
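The whitelist lookup above and the "grant permanently" write that SuperuserActivity performs, as an added example that is not part of the original article or of the Superuser project's code. It keeps the two behaviours worth noticing in checkWhitelist(): any database error counts as "not whitelisted" (fail closed), and a whitelisted uid is answered without a dialog. The C code builds the query with sprintf, which is safe only because g_puid is an int; the Python binds the uid as a parameter instead. Only the _id column is visible on the page; the package column, the in-memory database standing in for the superuser.sqlite path, and the uids are constructed for the example.

```python
import sqlite3

# Path quoted on the page for the real database; an in-memory database stands
# in for it below so the example runs anywhere.
DBPATH = "/data/data/com.koushikdutta.superuser/databases/superuser.sqlite"


def open_whitelist(path=":memory:"):
    """Open (and if needed create) the whitelist table. Only _id, the app's uid,
    is shown on the page; 'package' is a constructed extra column."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS whitelist (_id INTEGER PRIMARY KEY, package TEXT)")
    return db


def grant_permanently(db, uid, package):
    """What SuperuserActivity does when the user chooses to grant permanently."""
    db.execute("INSERT OR REPLACE INTO whitelist (_id, package) VALUES (?, ?)", (uid, package))
    db.commit()


def check_whitelist(db, uid):
    """Port of checkWhitelist(): 1 if uid is whitelisted, otherwise 0, and 0 on
    any database error so a broken or unreadable whitelist never grants root."""
    try:
        cur = db.execute("SELECT * FROM whitelist WHERE _id = ? LIMIT 1;", (uid,))
        return 1 if cur.fetchone() is not None else 0
    except sqlite3.Error:
        return 0


def should_prompt(db, uid):
    """su's decision before step 3 of the flow: a whitelisted uid gets root
    without the SuperuserRequestActivity dialog; everyone else is prompted."""
    return check_whitelist(db, uid) == 0


if __name__ == "__main__":
    db = open_whitelist()
    grant_permanently(db, 10042, "com.example.app")  # constructed uid and package
    print(should_prompt(db, 10042), should_prompt(db, 10043))  # False True
```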

5. Access to Resource Files

Get the source code from the source address above and replace su.c and Android.mk under system/extras/su/ in the Android source tree. Build with the command ./mk td28 u adr system/extras/su; after a successful build the su binary is at out/target/product/hsdroid/system/xbin/su. Superuser.apk is an ordinary APK file. Everything can be downloaded from the source address; once downloaded and imported into Eclipse it can be run directly.
