IDA配套真机ROM修改教程

时间 2019-11-09

标签 ida 配套 rom 修改教程栏目 ROM 繁體版

原文原文链接

模拟器调试的缺点：android

一、android自带emulator，基于ARM架构，缺点启动慢，IDA附加常常下不了断点，权限不够等
二、droid4x（中文名海马玩），基于ARM架构，缺点同上
三、Genymotion，基于X86架构，启动快，缺点对于不支持x86平台的apk没法运行和调试ubuntu

相信若是搭建过模拟器和IDA调试环境的确定被一些问题折腾的够呛，固然IDA附加不上进程，能够用GDB命令行调试，我的测试过是没有问题的。架构

提取boot.img，在/dev/block/platform/目录下有芯片厂商的名字，而后直接DUMPapp

1|root@hammerhead:/proc/cpu # ls -l /dev/block/platform/msm_sdcc.1/by-name/
lrwxrwxrwx root     root              1970-01-13 22:44 DDR -> /dev/block/mmcblk0p24
lrwxrwxrwx root     root              1970-01-13 22:44 aboot -> /dev/block/mmcblk0p6
lrwxrwxrwx root     root              1970-01-13 22:44 abootb -> /dev/block/mmcblk0p11
lrwxrwxrwx root     root              1970-01-13 22:44 boot -> /dev/block/mmcblk0p19
lrwxrwxrwx root     root              1970-01-13 22:44 cache -> /dev/block/mmcblk0p27
lrwxrwxrwx root     root              1970-01-13 22:44 crypto -> /dev/block/mmcblk0p26
lrwxrwxrwx root     root              1970-01-13 22:44 fsc -> /dev/block/mmcblk0p22
lrwxrwxrwx root     root              1970-01-13 22:44 fsg -> /dev/block/mmcblk0p21
lrwxrwxrwx root     root              1970-01-13 22:44 grow -> /dev/block/mmcblk0p29
lrwxrwxrwx root     root              1970-01-13 22:44 imgdata -> /dev/block/mmcblk0p17
lrwxrwxrwx root     root              1970-01-13 22:44 laf -> /dev/block/mmcblk0p18
lrwxrwxrwx root     root              1970-01-13 22:44 metadata -> /dev/block/mmcblk0p14
lrwxrwxrwx root     root              1970-01-13 22:44 misc -> /dev/block/mmcblk0p15
lrwxrwxrwx root     root              1970-01-13 22:44 modem -> /dev/block/mmcblk0p1
lrwxrwxrwx root     root              1970-01-13 22:44 modemst1 -> /dev/block/mmcblk0p12
lrwxrwxrwx root     root              1970-01-13 22:44 modemst2 -> /dev/block/mmcblk0p13
lrwxrwxrwx root     root              1970-01-13 22:44 pad -> /dev/block/mmcblk0p7
lrwxrwxrwx root     root              1970-01-13 22:44 persist -> /dev/block/mmcblk0p16
lrwxrwxrwx root     root              1970-01-13 22:44 recovery -> /dev/block/mmcblk0p20
lrwxrwxrwx root     root              1970-01-13 22:44 rpm -> /dev/block/mmcblk0p3
lrwxrwxrwx root     root              1970-01-13 22:44 rpmb -> /dev/block/mmcblk0p10
lrwxrwxrwx root     root              1970-01-13 22:44 sbl1 -> /dev/block/mmcblk0p2
lrwxrwxrwx root     root              1970-01-13 22:44 sbl1b -> /dev/block/mmcblk0p8
lrwxrwxrwx root     root              1970-01-13 22:44 sdi -> /dev/block/mmcblk0p5
lrwxrwxrwx root     root              1970-01-13 22:44 ssd -> /dev/block/mmcblk0p23
lrwxrwxrwx root     root              1970-01-13 22:44 system -> /dev/block/mmcblk0p25
lrwxrwxrwx root     root              1970-01-13 22:44 tz -> /dev/block/mmcblk0p4
lrwxrwxrwx root     root              1970-01-13 22:44 tzb -> /dev/block/mmcblk0p9
lrwxrwxrwx root     root              1970-01-13 22:44 userdata -> /dev/block/mmcblk0p28

dd if=/dev/block/platform/msm_sdcc.1/by-name/recovery of=/storage/sdcard/recovery.img

废话很少说，仍是真机给力，小菜最近拿到一个三星手机，折腾完能够任意进程IDA附加！
如下操做在ubuntu 12.04 64位下

一、拆包测试

$ perl split_bootimg.pl boot.img

二、查看img信息spa

$ unpackbootimg -i boot.img

三、解压命令行

$ mkdir ramdisk
$ cd ramdisk
$ gzip -dc ../boo.img-ramdisk.gz | cpio -i

四、修改default.propdebug

ro.secure=0
ro.allow.mock.location=0
ro.debuggable=1
ro.adb.secure=0

五、将ramdisk打包，mkbootfs为32位程序，须要安装32位库调试

$ sudo apt-get install lib32s
$ tools/mkbootfs ./ramdisk | gzip > ramdisk-new.gz

六、从新生成boot.img，参数参考步骤2中输出信息code

$ tools/mkbootimg --cmdline 'console=ttyDCC0 androidboot.hardware=xxx' --kernel
$ boot.img-kernel --ramdisk ramdisk-new.gz --base 0x00200000 --pagesize 4096 -o boot-new.img

七、将boot.img从新打包加md5校验

$ tar -cf boot.tar boot.img
$ md5sum -t boot.tar >> boot.tar

八、手机关机从新进入挖煤模式后使用odin将boot.tar刷入手机

重启手机后，使用DDMS就能够看到全部的进程均可以使用Logcat查看，IDA附加能够看到全部app进程均可以调试了！

顺便记录下nexus5刷机流程：

adb reboot bootloader

fastboot flash boot newboot.img

fastboot reboot