Reversing the phone kernel to add debugging support and bypass anti-debugging
0x00 Preface
An Android application can be debugged only when its AndroidManifest.xml explicitly specifies android:debuggable="true". If android:debuggable is not set, the default android:debuggable="false" applies. Most published applications therefore cannot be debugged; if debugging is required, you need to unpack the APK, modify the attribute, and repack it, which is troublesome and inefficient. The second condition is the property ro.debuggable=1 in the kernel's default.prop configuration file; with it set, you don't have to worry about the attribute set in the application. This looks like a good solution: we only need to modify the kernel once and for all.
A common anti-debugging method for Android applications is to check the information in /proc/[pid]/status. If the process is being debugged, the TracerPid value is the PID of the debugging process, and the program then carries out its anti-debugging behaviour.
0x01 Kernel Extraction
View the partition where boot is located
ls -l /dev/block/platform/msm_sdcc.1/by-name
Extract the kernel
dd if=/dev/block/mmcblk0p17 of=/data/local/boot.img
adb pull /data/local/boot.img boot.img
Unpack the kernel
bootimg.exe --unpack-bootimg
File structure after unpacking
0x02 Modify ro.debuggable
Set ro.debuggable=1 in the initrd/default.prop file
0x03 Modify the kernel file
Copy the kernel file to zImage.gz for later modification
Open zImage.gz in 010 Editor, search for the hex bytes 1F 8B 08 00, and delete all data before them so that the file becomes a standard gzip stream. It can then be unpacked with gunzip.
gunzip zImage.gz
The zImage produced by unpacking is the kernel binary.
Open the file in IDA and set the processor type to ARM Little-endian.
Set the ROM start address and loading address to 0xC0008000
Disable kernel symbol address hiding from a root shell on the Android device
echo 0 > /proc/sys/kernel/kptr_restrict
Look up the addresses of the proc_pid_status and __task_pid_nr_ns functions.
cat /proc/kallsyms | grep proc_pid_status
cat /proc/kallsyms | grep __task_pid_nr_ns
Why these two functions? Take a look at the source in kernel/msm/fs/proc/array.c.
proc_pid_status inlines the task_state function; inside task_state, the TracerPid is obtained by calling __task_pid_nr_ns and then printed.
In IDA, press g to jump to the function at 0xC0187F88 (__task_pid_nr_ns), press x to open the cross-reference list, and find the caller at 0xC02764B8 (proc_pid_status).
The call site is as follows:
The call's return value is stored in R11. Therefore change the instruction MOV R11, R0 to MOV R11, #0, whose machine code is 00 B0 A0 E3; the file offset is 0xC02765F8 - 0xC0008000 = 0x26E5F8.
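As an added example (not code from the original post), the following Python checks the numbers derived above: it maps the kernel virtual address to a file offset using the 0xC0008000 load address, encodes the two ARM instructions to confirm the 00 B0 A0 E3 machine code, and applies the patch only if the original MOV R11, R0 bytes are actually present at that offset, which guards against a wrong load address or a kernel build whose code differs. The zero-filled image in the demo is constructed; on a real zImage you would pass the file contents instead.

```python
import struct

LOAD_ADDR = 0xC0008000      # ROM start / loading address used in IDA (from the post)
CALL_SITE_VA = 0xC02765F8   # virtual address of MOV R11, R0 after the __task_pid_nr_ns call


def va_to_file_offset(va: int, load_addr: int = LOAD_ADDR) -> int:
    """Map a kernel virtual address (IDA or /proc/kallsyms) to an offset in the uncompressed zImage."""
    if va < load_addr:
        raise ValueError(f"address {va:#x} lies below the load address {load_addr:#x}")
    return va - load_addr


def encode_mov_imm(rd: int, imm8: int, cond: int = 0xE) -> bytes:
    """Encode ARM 'MOV Rd, #imm8' (A32 data-processing, I=1, no rotation), little-endian."""
    if not 0 <= rd <= 15 or not 0 <= imm8 <= 0xFF:
        raise ValueError("register or immediate out of range")
    word = (cond << 28) | (1 << 25) | (0xD << 21) | (rd << 12) | imm8
    return struct.pack("<I", word)


def encode_mov_reg(rd: int, rm: int, cond: int = 0xE) -> bytes:
    """Encode ARM 'MOV Rd, Rm' (A32 data-processing, I=0, no shift), little-endian."""
    if not 0 <= rd <= 15 or not 0 <= rm <= 15:
        raise ValueError("register out of range")
    word = (cond << 28) | (0xD << 21) | (rd << 12) | rm
    return struct.pack("<I", word)


def patch_instruction(image: bytes, offset: int, expected: bytes, replacement: bytes) -> bytes:
    """Replace the 4-byte instruction at offset, but only if the expected original bytes are there."""
    current = image[offset:offset + 4]
    if current != expected:
        raise ValueError(f"unexpected bytes {current.hex()} at {offset:#x}, expected {expected.hex()}")
    return image[:offset] + replacement + image[offset + 4:]


def patch_tracerpid_call(image: bytes, call_site_va: int = CALL_SITE_VA) -> bytes:
    """Apply the post's patch: MOV R11, R0 -> MOV R11, #0 so the TracerPid printed is always 0."""
    offset = va_to_file_offset(call_site_va)
    return patch_instruction(image, offset, encode_mov_reg(11, 0), encode_mov_imm(11, 0))


if __name__ == "__main__":
    # Constructed stand-in for the uncompressed zImage: zero-filled, with the
    # original MOV R11, R0 placed at the offset derived above.
    off = va_to_file_offset(CALL_SITE_VA)
    fake = bytearray(off + 16)
    fake[off:off + 4] = encode_mov_reg(11, 0)
    patched = patch_tracerpid_call(bytes(fake))
    print(f"offset {off:#x}, patch bytes {patched[off:off + 4].hex().upper()}")
```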
Recompress zImage
gzip -n -f -9 zImage
(The recompressed kernel file is smaller than the original. When writing it back, the size of the original kernel file and the data following the original kernel body must not change; otherwise things get very troublesome.) The kernel file at this point is as follows.
Prepend the first 0x3DEB bytes of data
Insert placeholder bytes first, then copy the original header data into them
Append the tail data
Replace the original kernel file and regenerate the new boot.img
bootimg.exe --repack-bootimg
0x04 Flash the new kernel
Reboot the phone into bootloader mode
adb reboot bootloader
Flash the new boot image
fastboot flash boot boot-new.img
Reboot
fastboot reboot
If the phone does not boot, flash the old kernel back.
fastboot flash boot boot-old.img
0x05 Summary
A basic debugging environment is very helpful for learning reverse engineering. Because many phone manufacturers do not release the source code of their system, the only option is to modify the kernel by reversing it. If the manufacturer does release the system source code, compiling from source is cleaner and allows more kernel features to be customised. If the phone is supported by an open-source Android distribution such as LineageOS or CM, you can also build from that excellent open-source code instead.
References:
Reverse-modifying the phone kernel to bypass anti-debugging
Android reverse engineering: analysis of application "anti-debugging" solutions (plus modification of the IDA debug port and kernel information)
[Original] bootimg.exe: boot/recovery.img unpacking and repacking tool for Windows, with automatic unpacking/packing of dt.img and added support for MTK models
Android anti-debugging notes