Reverse mobile phone kernel, add debugging support and reverse debugging, and add and debug mobile phone Kernel

Reverse mobile phone kernel, add debugging support and reverse debugging, and add and debug mobile phone Kernel

 

0x00 Preface
An android application can be debugged only when AndroidManifest is used. the xml display specifies android: debuggable = "true". If the android: debuggable value is not set, the default android: debuggable = "false" is used. Therefore, most published applications cannot be debugged, if debugging is required, You Need To unpackage the package, modify the attributes, and re-package them. This is very troublesome and inefficient. The second condition is the default Kernel configuration file. properties of prop ro. debuggable = 1, so you don't have to worry about the attributes set in the application. It seems to be a good solution. We only need to modify the kernel once and for all.
A common anti-debugging method for Android applications is to view information under/proc/[pid]/status. If the information is in the debugging status, the TracerPid value is the Pid of the debugging process, then the program will conduct the corresponding behavior for anti-debugging.

 

0x01 kernel Extraction

View the partition where the boot is located

ls -l /dev/block/platform/msm_sdcc.1/by-name

Extract Kernel

dd if= /dev/block/mmcblk0p17 of=/data/local/boot.imgadb pull /data/local/boot.img boot.img

Unpackage Kernel

bootimg.exe --unpack-bootimg

File structure after unpacking

 

0x02 modify ro. debuggable

Modify ro. debuggable = 1 in the initrd/default. prop File

 

0x03 modify the kernel File

Copy a copy of kernelto zimage.gz for later modification

Use 010editorto open zimage.gz to search for the hex 1F 8B 08 00, delete all the preceding data, and convert the file into a standard gzip compressed file. In this way, you can use gunzip to unpack the file.

 

gunzip zImage.gz

The zImage generated by unpacking is the kernel binary file.

Open the file with IDA and set the processor type to ARM Little-endian.

Set ROM start address and Loading address to 0xc0008000

Disable symbol shielding on the android root Terminal

echo 0 > /proc/sys/kernel/kptr_restrict

View the proc_pid_status and _ task_pid_nr_ns function addresses.

cat /proc/kallsyms | grep proc_pid_status

cat /proc/kallsyms | grep __task_pid_nr_ns

Why are we looking for these two functions? Let's take a look at the source code/kernel/msm/fs/proc/array. c.

The proc_pid_status function is used to inline the task_state function. In the task_state inline function, the tracerpid is obtained through the function _ task_pid_nr_ns and printed out.

Press the shortcut key g in IDA to jump to the function c0187f88 (_ task_pid_nr_ns), Press x to reference the search box, and find the function c02764b8 (proc_pid_status)

Check that the local call is

You can see that the call results are stored in R11. Therefore, modify the command MOV R11, R0 to MOV R11, #0, and machine code 00 B0 A0 E3, the file offset is (0xC02765F8-0xC0008000 = 26E5F8)

Re-compress zImage

gzip -n -f -9 zImage

The kernel file is small, and the size of the original kernel File and the content after the original kernel File cannot be changed during the write-back process. Otherwise, it will be very troublesome.) At this time, the kernel file is obtained.

Add the first 3DEB long data

Place a placeholder first, and then copy the first data to the header

Add tail data

Replace the original kernel File and regenerate the new boot. img

bootimg.exe --repack-bootimg

 

0x04 fl new kernel

Restart the mobile phone to the bootloader Mode

adb reboot bootloader

New boot

fastboot flash boot boot-new.img

Restart

fastboot reboot

If the phone cannot start, refresh the old kernel.

fastboot flash boot boot-old.img

 

0x05 Summary

A basic debugging environment is very helpful for reverse learning. Because many mobile phone manufacturers do not release the source code of the mobile phone system, they can only adopt the reverse kernel method for modification. If mobile phone manufacturers release the source code of the system, the source code compilation will be more refined and more kernel features can be customized. If the mobile phone supports open-source Android systems, such as lineage OS or CM, you can also choose these excellent open-source code for compilation.

 

Refer:

Reversely modifies the phone kernel and bypasses reverse debugging.

Android reverse trip-application "reverse debugging" Solution Analysis (additional modification of IDA debug port and kernel information)

[Original] Support for bootimg.exe for boot/recovery.imgin packaging in windows, and support for automatic unpacking/packaging of dt. img, added to MTK model support

Android anti-debugging notes