How to turn on Viewserver on the root phone so that hierachyviewer can connect

Source: Internet
Author: User
Tags tmp folder root access

Pre-Preparation:For what is Hierarchy Viewer, please view the official documentation: Http://developer.android.com/tools/debugging/debugging-ui.html. Personal Understanding: Hierarchy Viewer can obtain the current mobile phone real-time UI information, to the interface designers and automated testers to bring great convenience. Mentioned in the official Android document: To preserve security, Hierarchy Viewer can only connect to devices running a developer version of the and Roid System.that is: For security reasons, the Hierarchy Viewer can only connect to the Android phone or simulator (to be precise, only the ro.secure parameter equals 0 and ro.debuggable equals 1 of the Android system). Hierarchy Viewer when connecting to a mobile phone, a client called View server must be started on the phone to communicate with the socket. In the commercial mobile phone, is unable to open the view server, therefore the Hierarchy Viewer is unable to connect to the ordinary commercial handset.  The Android source code implements this limitation in the following areas:Android Source root directory \frameworks\base\services\java\com\android\server\wm\windowmanageservice.javain the following paragraph:=====================================================================================public boolean startviewserver (int port) {
if (Issystemsecure ()) {
return false;
}

if (!checkcallingpermission (Manifest.permission.DUMP, "Startviewserver")) {
return false;
}....===================================================================================== to check if a mobile phone has the view server turned on:adb Shell Service Call window 3if the return value is:Result:parcel (00000000 00000000 ' ... ') "stating that view server is turned offif the return value is:Result:parcel (00000000 00000001 ' ... ') "indicates that view server is turned on if a phone that can open view server (Android phone, simulator or Follow this step to the system to patch the phone), we can use the following command to open the View SERVER:ADB Shell Service Call window 1 I32 4939 Use the following command to close the View SERVER:ADB Shell service cal L Window 2 i32 4939 implementation steps:after some investigation and practice, I found that as long as root, and equipped with BusyBox mobile phone, by modifying the phone on the/system/framework of some files, it can be opened. This article refers to thehttp://blog.apkudo.com/tag/viewserver/,Here are the specific steps (I am based on windows, if you are a Linux operating system, see the original post directly): The premise is that your phone has root access and has BusyBox also: Please read this post's comments carefully, perhaps you will have a new harvest.  1. Connect the commercial phone to the PC via USB to make sure the ADB service is running 2. Back up the files in/system/framework/on your phone to your PC. When backing up, make sure the folder structure of the backup file on your PC is the same as the/system/framework in your phone for example: Create a new Android_sdk_root\system\framework folder (the android_sdk_root that appears in this article refers to the root directory where you install the Android SDK)then, in cmd, jump to the Android_sdk_root\platform-tools folder and enter the following code to back it up:adb pull/system/frameworkAndroid_sdk_root\system\framework3. Enter adb shell and output Bootclasspath:Recommended Practice:1. Echo $BOOTCLASSPATH >/sdcard/bootclasspath.txt in adb shell2. Go back to Windows cmd and enter adb pull/sdcard/bootclasspath.txt3. Bootclasspath.txt will be saved inC:\Users\ under your user name folderThe contents of this TXT will be used in the 15th step. 4. Download the Baksmali and Smali tools. These two tools are used to decompile and compile the Odex file. :Https://dl.dropboxusercontent.com/u/5055823/baksmali-1.4.2.jarhttps://dl.dropboxusercontent.com/u/5055823/smali-1.4.2.jarLet's say I downloaded all two jars to the Android SDK root directory.   5. Run the Services.odex file under Baksmali decompile \system\framework: Java-jar android_sdk_root\baksmali-1.4.2.jar-a 17-x android_sdk_root\system\framework\services.odex-d ANDROID_ Sdk_root\system\frameworkparameter explanation:What Https://code.google.com/p/smali/wiki/DeodexInstructions want to highlight is the "-a" followed by the number that represents your system's API level (related to your system version). The control relationship between the system version and the API level is as follows:(Besides, you're not going to be able to run Java-jar, are you? Go ahead and install jdk!)If this step succeeds, in the same folder (for me, it is android_sdk_root), there will be an out folder generated here, by the way, explain the Odex file and the Dex file. dex file :Dex is the full name of Dalvik VM executes, the Android Dalvik execution program, not Java bytecode but Dalvik bytecode, 16 binary machine instructions. Odex File: The Dex file is optimized for specific models, resulting in the optimized Dex file, which increases the speed of the software and reduces the RAM footprint when the software is running. Smali File: converts the Dex file into a readable code form and decompile the general format of the file.  6. Open the Out\com\android\server\wm\windowmanagerservice.smali file with eclipseFind. Method Private Issystemsecure () Z This function================================================================. Method Private Issystemsecure () z   . Registers 4     .prologue   . Line 5965  &N Bsp Const-string V0, "1"      const-string v1, "ro.secure"      const-string v2, "1"      Invoke-static {v1, v2}, Landroid/os/systemproperties;->get (ljava/lang/string; ljava/lang/string;) ljava/lang/string;     Move-result-object v1     Invoke-virtual {v0 , v1}, Ljava/lang/string;->equals (ljava/lang/object;) z     Move-result v0     IF-EQZ V0,:cond_22     const-string V0, "0"      const-string v1, "ro.debuggable"    & nbsp Const-string v2, "0"      invoke-static {v1, v2}, Landroid/os/systemproperties;->get (ljava/lang/ String; ljava/lang/string;) ljava/lang/string;     Move-result-object v1     Invoke-virtual {v0 , v1}, Ljava/lang/string;->equals (ljava/lang/object;) z   &NBsp Move-result v0     IF-EQZ v0,:cond_22     CONST/4 V0, 0x1    : goto_21&nbsp ;   return v0    :cond_22    CONST/4 V0, 0x0     goto:goto_21.end method===== =========================================================== add "Const to the bottom 7 of this code, 8 lines": Goto_21 "and" Return V0 " /4 V0, 0x0 " line. This makes the value returned by V0 always be 0x0, that is, false, which skips the judgment of issystemsecure in Windowmanagerservice.java. The. Method private issystemsecure () Z function finally becomes: ================================================================.method Private Issystemsecure () z   . Registers 4     .prologue   . Line 6276    Con St-string V0, "1"      const-string v1, "ro.secure"      const-string v2, "1"    &NB Sp invoke-static {v1, v2}, Landroid/os/systemproperties;->get (ljava/lang/string; ljava/lang/string;) ljava/lang/string;     Move-result-object v1     Invoke-virtual {v0 , v1}, Ljava/lang/string;->equals (ljava/lang/object;) z     Move-result v0     IF-EQZ V0,:cond_22     const-string V0, "0"      const-string v1, "ro.debuggable"    & nbsp Const-string v2, "0"      invoke-static {v1, v2}, Landroid/os/systemproperties;->get (ljava/lang/ String; Ljava/lang/string, ljava/lang/string;     Move-result-object v1     Invoke-virtual {v0, v1}, Ljava/lang/string;->equals (ljava/lang/object;) z     Move-result v0     IF-EQZ v0,:cond_22     CONST/4 V0, 0x1    : goto_21&nbsp ;  CONST/4 V0, 0x0Return v0:cond_22 CONST/4 v0, 0x0 goto:goto_21.end method==================================================== ================================= 7. Now run Smali, recompile: Java-jar smali-1.4.2.jar-o Classes.dex This time, Android_sdk_root file 8 should appear in the Classes.dex folder. Download the Zip tool under Windows: Https://dl.dropboxusercontent.com/u/5055823/zip.exe Suppose, I also put Zip.exe in the Android_sdk_root folder 9. Confirm that the current CMD command line run directory is android_sdk_root, run: Zip.exe Services_hacked.jar./classes.dex this time in the Android_sdk_root folder, There's a packed services_hacked.jar. 10. Enter the ADB shell and input su to get root permissions 11. Re-mount/system and change the/system permission reference step (for reference only, make sure you use the correct method for your phone. Please refer to the following " GALFORDQ's Blog"User's reply":  a. Enter mount to see which partition is attached to the/system, for example my:  B. Type the following command to mount the/system again and change the/system permissions (please "/dev/block/mmcblk0p25 "Replace with your/system mount partition):   mount-o rw,remount-t yaffs2 /dev/block/mmcblk0p25   chmod-r 777/ System allows/system to be arbitrarily modified by US   This step, mainly for the 17th step to replace the Services.odex in the/system/framework. If this step is unsuccessful, there may be insufficient permissions to replace the error (read-only file System)  12 in the 17th step. Download Dexopt-wrapper file https:// Dl.dropboxusercontent.com/u/5055823/dexopt-wrapper We also put the Dexopt-wrapper file in the Android_sdk_root folder  13. The Services _hacked.jar and Dexopt-wrapper copied to the phone's/data/local/tmp folder in ADB push android_sdk_root/services_hacked.jar/data/local/ TMPADB push android_sdk_root/dexopt-wrapper/data/local/tmp 14. Enter the adb shell and enter Su to change the Dexopt-wrapper permissions to 777chmod 777/data/local/tmp/dexopt-wrapper 15. In adb shell, under CD to/data/local/tmp folder, run:./dexopt-wrapper./services_ Hacked.jar./services_hacked.odex < The address of the third step of this post, but to remove the ":/system/framework/services.jar" > This step is the final optimization of the seventh build Dex file into the Odex file. =================================================================================================== For example my command is:./dexopt-wrapper./services_ Hacked.jar./services_hacked.odex/system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/ bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/framework2.jar:/ system/framework/android.policy.jar:/system/framework/apache-xml.jar:/system/framework/htcdev.jar:/system/ framework/htcextension.jar:/system/framework/filterfw.jar:/system/framework/com.htc.android.bluetooth.jar:/ system/framework/wimax.jar:/system/framework/usbnet.jar:/system/framework/ com.orange.authentication.simcard.jar========================================================================== =========================  This, we generated our own odex:services_hacked.odex 16 in the/data/local/tmp folder. Give us the generated Services_hacked.odex signature: busybox dd if=/system/framework/services.odex Of=/data/local/tmp/services_ Hacked.odex Bs=1 count=20 skip=52 seek=52 conv=notruncparameter explanation:if = input fileof = output Filebs = block Size (1 byte) count = number of Blocksskip = input File Offsetseek = output file Offsetconv=notrunc–don ' t truncate the output file. 17. Replace the Services.odex in/system/framework with our own services_hacked.odex! DD If=/data/local/tmp/services_hacked.odex Of=/system/framework/services.odexafter this step ran, after a little while(within 1 minutes) The phone will restart automatically! Wait a moment! 18. After a successful restart, use the following command to open the view Server:ADB Shell Service Call window 1 I32 4939 Use the following command to see if View server is open:adb Shell Service Call window 3The value returned is ifresult:parcel (00000000 00000001 ' ... '), then you're up! (If a step fails, you need to restore the system, refer toStep 16 in http://blog.apkudo.com/tag/viewserver/or contact my email for further discussion: [Email protected])Next, compile and run Hierarchyviewer under Eclipse to see the real-time UI tree for your phone. please refer to:Http://maider.blog.sohu.com/255485243.html

How to turn on the viewserver on the root phone so that the Hierachyviewer can connect (turn)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.