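This is a featured article from the Kanxue forum
Kanxue forum author ID: seeeseee
1. Preface
- eBPF on Android: patching and building the kernel
- The standard way to modify a Linux kernel defconfig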
2. Environment
- Pixel 4XL
- coral-tp1a.220905.004, the latest system release, Android 13
- Linux localhost 4.14.276-ge333cb8619d0-ab8811257 #1 SMP PREEMPT Fri Jul 8 12:00:53 UTC 2022 aarch64 Toybox
- Ubuntu 20.04
3. Steps
Prepare the environment and sync the code
https://source.android.com/setup/build/initializing
sudo apt-get install git-core gnupg flex bison build-essential zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev-i386 libncurses5 lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z1-dev libgl1-mesa-dev libxml2-utils xsltproc unzip fontconfig
mkdir ~/Desktop/p4xl
export WORK_DIR=~/Desktop/p4xl
cd ${WORK_DIR}
repo init -u https://android.googlesource.com/kernel/manifest -b android-msm-coral-4.14-android13
repo sync
cd prebuilts
git clone https://android.googlesource.com/kernel/prebuilts/build-tools
mv build-tools kernel-build-tools
export PATH=${WORK_DIR}/prebuilts/kernel-build-tools/linux-x86/bin:$PATH
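# Check out the kernel commit that matches the running kernel (4.14.276-ge333cb8619d0)
cd ${WORK_DIR}/private/msm-google
git checkout e333cb8619d0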
Modify the build script and prepare the files
Script analysis
magic found at: 0
BOARD_KERNEL_CMDLINE console=ttyMSM0,115200n8 androidboot.console=ttyMSM0 printk.devkmsg=on msm_rtb.filter=0x237 ehci-hcd.park=3 service_locator.enable=1 androidboot.memcg=1 cgroup.memory=nokmem usbcore.autosuspend=7 androidboot.usbcontroller=a600000.dwc3 swiotlb=2048 androidboot.boot_devices=soc/1d84000.ufshc loop.max_part=7 buildvariant=user
BOARD_KERNEL_BASE 0x00000000
BOARD_NAME
BOARD_PAGE_SIZE 4096
BOARD_HASH_TYPE sha1
BOARD_KERNEL_OFFSET 0x00008000
BOARD_RAMDISK_OFFSET 0x01000000
BOARD_SECOND_OFFSET 0x00000000
BOARD_TAGS_OFFSET 0x00000100
BOARD_OS_VERSION 13.0.0
BOARD_OS_PATCH_LEVEL 2022-09
BOARD_HEADER_VERSION 2
BOARD_HEADER_SIZE 1660
BOARD_DTB_SIZE 1048284
BOARD_DTB_OFFSET 0x01f00000
git clone https://android.googlesource.com/platform/system/tools/mkbootimg
Name of the vendor ramdisk binary which includes the device-specific components of ramdisk like the fstab file and the device-specific rc files.
Script modification
if [ -f "${VENDOR_RAMDISK_BINARY}" ]; then
    cp "${VENDOR_RAMDISK_BINARY}" "${DIST_DIR}"
fi
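Prepare the files
Unpack the phone's current boot.img with Android-Image-Kitchen.
Decompress the unpacked boot.img-ramdisk.cpio.gz to get boot.img-ramdisk.cpio, and place it in ${WORK_DIR}, that is, the root directory of the whole source tree.
Sync the official code or download mkbootimg.py directly, and likewise place it in ${WORK_DIR}, the root directory of the whole source tree.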
git clone https://android.googlesource.com/platform/system/tools/mkbootimg
Build command
BUILD_CONFIG=private/msm-google/build.config.floral BUILD_BOOT_IMG=1 MKBOOTIMG_PATH=mkbootimg.py VENDOR_RAMDISK_BINARY=boot.img-ramdisk.cpio KERNEL_BINARY=Image.lz4 BOOT_IMAGE_HEADER_VERSION=2 KERNEL_CMDLINE="console=ttyMSM0,115200n8 androidboot.console=ttyMSM0 printk.devkmsg=on msm_rtb.filter=0x237 ehci-hcd.park=3 service_locator.enable=1 androidboot.memcg=1 cgroup.memory=nokmem usbcore.autosuspend=7 androidboot.usbcontroller=a600000.dwc3 swiotlb=2048 androidboot.boot_devices=soc/1d84000.ufshc loop.max_part=7 buildvariant=user" BASE_ADDRESS=0x00000000 PAGE_SIZE=4096 build/build.sh
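How the values in the unpack output above map to the variables in the build command, as an added Python example that is not part of the original article. The field layout is the AOSP boot image header (v0 to v2); the `base = kernel_addr - 0x8000` convention, the function names and the sample header (constructed, with a shortened command line) are assumptions.

```python
import struct

# AOSP boot image header v0-v2: little-endian, packed, 1660 bytes for v2.
V0 = struct.Struct("<8s10I16s512s32s1024s")  # magic ... extra_cmdline (1632 bytes)
V1 = struct.Struct("<IQI")                   # recovery_dtbo_size, offset, header_size
V2 = struct.Struct("<IQ")                    # dtb_size, dtb_addr

def parse_boot_header(data):
    """Parse a v0-v2 boot.img header into the fields needed for repacking."""
    (magic, ksize, kaddr, rsize, raddr, ssize, saddr, tags, page, ver,
     osv, name, cmdline, _id, extra) = V0.unpack_from(data, 0)
    if magic != b"ANDROID!":
        raise ValueError("not an Android boot image")
    if ver > 2:
        raise ValueError("header v%d uses a different layout" % ver)
    base = kaddr - 0x8000  # assumed convention: kernel sits at base + 0x8000
    os_ver, patch = osv >> 11, osv & 0x7FF
    hdr = {
        "header_version": ver, "page_size": page, "base": base,
        "kernel_offset": kaddr - base, "ramdisk_offset": raddr - base,
        "tags_offset": tags - base,
        "cmdline": (cmdline.rstrip(b"\0") + extra.rstrip(b"\0")).decode(),
        "os_version": "%d.%d.%d" % (os_ver >> 14, (os_ver >> 7) & 0x7F, os_ver & 0x7F),
        "os_patch_level": "%04d-%02d" % (2000 + (patch >> 4), patch & 0xF),
    }
    if ver >= 1:
        _, _, hdr["header_size"] = V1.unpack_from(data, V0.size)
    if ver >= 2:
        hdr["dtb_size"], dtb_addr = V2.unpack_from(data, V0.size + V1.size)
        hdr["dtb_offset"] = dtb_addr - base
    return hdr

def build_env(hdr):
    """Map parsed header fields to the variables passed to build/build.sh."""
    return {"BOOT_IMAGE_HEADER_VERSION": str(hdr["header_version"]),
            "KERNEL_CMDLINE": hdr["cmdline"],
            "BASE_ADDRESS": "0x%08x" % hdr["base"],
            "PAGE_SIZE": str(hdr["page_size"])}

def sample_header():
    """Constructed header carrying the values from the unpack output (sizes made up)."""
    osv = ((13 << 14) << 11) | ((2022 - 2000) << 4) | 9
    return (V0.pack(b"ANDROID!", 1, 0x8000, 1, 0x01000000, 0, 0, 0x100, 4096, 2,
                    osv, b"", b"console=ttyMSM0,115200n8 buildvariant=user", b"", b"")
            + V1.pack(0, 0, 1660) + V2.pack(1048284, 0x01F00000))

if __name__ == "__main__":
    for k, v in build_env(parse_boot_header(sample_header())).items():
        print("%s=%r" % (k, v))
```

Pointing `parse_boot_header` at the first 1660 bytes of the phone's own boot.img gives the values to compare against the unpack output before they go into the build command.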
Adding bpf_probe_read_user
Modify the kernel build configuration and build
Modify the kernel build configuration
cd private/msm-google
make ARCH=arm64 floral_defconfig
make ARCH=arm64 menuconfig
make ARCH=arm64 savedefconfig
cp defconfig arch/arm64/configs/floral_defconfig
rm .config
The actual build
BUILD_CONFIG=private/msm-google/build.config.floral BUILD_BOOT_IMG=1 MKBOOTIMG_PATH=mkbootimg.py VENDOR_RAMDISK_BINARY=boot.img-ramdisk.cpio KERNEL_BINARY=Image.lz4 BOOT_IMAGE_HEADER_VERSION=2 KERNEL_CMDLINE="console=ttyMSM0,115200n8 androidboot.console=ttyMSM0 printk.devkmsg=on msm_rtb.filter=0x237 ehci-hcd.park=3 service_locator.enable=1 androidboot.memcg=1 cgroup.memory=nokmem usbcore.autosuspend=7 androidboot.usbcontroller=a600000.dwc3 swiotlb=2048 androidboot.boot_devices=soc/1d84000.ufshc loop.max_part=7 buildvariant=user" BASE_ADDRESS=0x00000000 PAGE_SIZE=4096 build/build.sh
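4. Summary
Unpack the phone's current boot.img with Android-Image-Kitchen
Decompress boot.img-ramdisk.cpio.gz to get boot.img-ramdisk.cpio
Download mkbootimg.py
Modify build/build.sh so that boot.img-ramdisk.cpio is copied into the output directory and takes part in the later packaging
Sync the kernel source code
Place both boot.img-ramdisk.cpio and mkbootimg.py in the root directory of the kernel project
Modify the kernel build configuration; note that the architecture must be specified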
cd private/msm-google
make ARCH=arm64 floral_defconfig
make ARCH=arm64 menuconfig
make ARCH=arm64 savedefconfig
cp defconfig arch/arm64/configs/floral_defconfig
rm .config
cd ../../
Adjust the build command according to the unpack information of the original boot.img
BUILD_CONFIG=private/msm-google/build.config.floral BUILD_BOOT_IMG=1 MKBOOTIMG_PATH=mkbootimg.py VENDOR_RAMDISK_BINARY=boot.img-ramdisk.cpio KERNEL_BINARY=Image.lz4 BOOT_IMAGE_HEADER_VERSION=2 KERNEL_CMDLINE="…" BASE_ADDRESS=0x00000000 PAGE_SIZE=4096 build/build.sh
Finish the build to get a working boot.img with the modified kernel options
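References
The standard way to modify a Linux kernel defconfig
https://adtxl.com/index.php/archives/124.html
Notes on building the AOSP 12 kernel with hardware breakpoints and kprobes enabled
https://missking.cc/2022/09/05/kernel1-0/
eBPF on Android: patching and building the kernel
https://blog.seeflower.dev/archives/139
Touchscreen stops working after flashing a self-built kernel, Google Pixel 4XL
https://www.akr-developers.com/d/440
Pixel 3 AOSP: how to get a self-built kernel to drive the device correctly
https://www.akr-developers.com/d/526
Help: touchscreen stops working after flashing the kernel
https://www.akr-developers.com/d/469
Hands-on: flashing 8.0.0/8.1.0 AOSP + 4.4 kernel on Pixel 2 (focus on fixing the touchscreen failure after flashing)
https://bbs.pediy.com/thread-264295.htm
Building the kernel (Pixel 2)
https://bbs.pediy.com/thread-255846.htm
Android kernel build problem, thanks
https://bbs.pediy.com/thread-273148.htm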
bpf_probe_read_user returns error (-14) on Android 11, Kernel 4.14, ARM64
Kanxue ID: seeeseee
https://bbs.pediy.com/user-home-941366.htm
Originally published on the WeChat public account (看雪学苑): eBPF on Android: building and patching the kernel (fixing the touch and Wi-Fi failure problem)