¶compile
```sh
export PATH=/opt/android-ndk-r12b:$PATH   # put the NDK r12b toolchain first on PATH
```
¶kallsyms
¶Method(rooted)
```sh
echo 0 > /proc/sys/kernel/kptr_restrict   # same as: sysctl -w kernel.kptr_restrict=0
```
Needs root. While kptr_restrict is 1 or 2 every address in /proc/kallsyms reads as zeros; with it set to 0 dump /proc/kallsyms from the running kernel (the same build you load into IDA, the addresses are build specific).
¶import kallsyms to IDA
import_symbols.py:
```python
import idaapi
```
Run it in IDA via File -> Script file..., choosing import_symbols.py.
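The notes keep only the first line of import_symbols.py. The script below is an added, complete example of the same idea, written here and not taken from the original page: it parses a kallsyms dump and names the addresses in the open IDB. The parsing is kept separate from the IDA calls so it also runs outside IDA. Assumed: IDA 7.x API names (idaapi.ask_file, idaapi.getseg, idaapi.set_name, idaapi.SN_NOWARN), and the kallsyms excerpt at the bottom is constructed, not from a real device.

```python
"""Import a /proc/kallsyms dump into IDA (added example, not the notes' script).

Assumes IDA 7.x: idaapi.ask_file / idaapi.getseg / idaapi.set_name / SN_NOWARN.
Outside IDA only the parser is usable (IN_IDA is False).
"""
import re

try:
    import idaapi
    IN_IDA = True
except ImportError:        # running outside IDA: parser only
    IN_IDA = False

# kallsyms symbol types worth naming: text (t/T) and data/bss/rodata (d/D/b/B/r/R)
CODE_TYPES = set("tT")
DATA_TYPES = set("dDbBrR")


def parse_kallsyms(text, types=None):
    """Return sorted [(address, name)] from kallsyms lines 'addr type name [module]'.

    Zeroed addresses (dump taken with kptr_restrict set) and unwanted symbol
    types are skipped; module symbols get the module name as a suffix; names are
    reduced to characters IDA accepts; for aliases at one address the first wins.
    """
    if types is None:
        types = CODE_TYPES | DATA_TYPES
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        addr, typ, name = int(parts[0], 16), parts[1], parts[2]
        if addr == 0 or typ not in types:
            continue
        if len(parts) > 3:                                # e.g. "probe_fn [wlan]"
            name = "%s_%s" % (name, parts[3].strip("[]"))
        name = re.sub(r"[^0-9A-Za-z_]", "_", name)        # "foo.isra.3" -> "foo_isra_3"
        seen.setdefault(addr, name)
    return sorted(seen.items())


def import_into_ida(symbols):
    """Name each address in the open IDB; returns (named, skipped)."""
    named = skipped = 0
    for ea, name in symbols:
        if idaapi.getseg(ea) is None:         # address not inside any loaded segment
            skipped += 1
            continue
        ok = idaapi.set_name(ea, name, idaapi.SN_NOWARN)
        if not ok:                            # name already used (static fns share names)
            ok = idaapi.set_name(ea, "%s_%x" % (name, ea), idaapi.SN_NOWARN)
        if ok:
            named += 1
        else:
            skipped += 1
    return named, skipped


# Constructed kallsyms excerpt (addresses and names invented for the example).
SAMPLE_KALLSYMS = """\
0000000000000000 T zeroed_by_kptr_restrict
ffffffff81000000 T _text
ffffffff81000000 T startup_64
ffffffff810c2a10 T strnstr
ffffffff810c3000 t helper.isra.3
ffffffff81a0e4b0 D security_ops
ffffffff81a12340 d selinux_enforcing
ffffffff81a12344 d selinux_enabled
ffffffff81e00000 A __per_cpu_end
ffffffffa0001000 t probe_fn [wlan]
"""

if IN_IDA:
    path = idaapi.ask_file(0, "*", "kallsyms dump (taken with kptr_restrict=0)")
    if path:
        with open(path) as f:
            syms = parse_kallsyms(f.read())
        print("kallsyms: %d named, %d skipped" % import_into_ida(syms))
```

Symbols outside every loaded segment are skipped rather than named, which catches a dump taken from a different kernel build than the one in the IDB.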
¶unpack zImage
- find the byte offset of the gzip magic "1F 8B 08" inside zImage (e.g. in a hex editor); there can be more than one hit, the kernel is the one that decompresses to a complete stream
- dd if=zImage of=image.gz bs=1 skip=OFFSET
- gzip -d image.gz (gzip warns about "trailing garbage" because the image continues after the gzip stream; the decompressed output is still complete)
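The three steps above, automated as an added Python example (written here, not part of the original notes): it tries every 1F 8B 08 hit in the image and keeps the first that inflates to a complete gzip member, which handles decoy magics and the trailing data that makes gzip -d complain. The sample image at the bottom is constructed inline; the input/output paths in the usage are assumptions.

```python
"""Locate and extract the gzip-compressed kernel from a zImage (added example).

zlib's decompressobj is used instead of `gzip -d`: it stops at the end of the
member and reports the bytes after it as unused_data, so trailing data is not an
error, and a false-positive magic simply fails to inflate and is skipped.
"""
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM = deflate


def gzip_offsets(blob):
    """Every byte offset at which a gzip magic appears (may include false positives)."""
    offsets, pos = [], blob.find(GZIP_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return offsets


def inflate_at(blob, off):
    """(data, trailing_len) for a complete gzip member starting at off, else None."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ : expect a gzip header
    try:
        data = d.decompress(blob[off:])
    except zlib.error:                            # decoy magic followed by junk
        return None
    if not d.eof or not data:                     # truncated stream or empty member
        return None
    return data, len(d.unused_data)


def extract_kernel(blob):
    """(offset, kernel_bytes, trailing_len) for the first valid member, or None."""
    for off in gzip_offsets(blob):
        res = inflate_at(blob, off)
        if res is not None:
            kernel, trailing = res
            return off, kernel, trailing
    return None


def extract_kernel_file(zimage_path, out_path):
    """Write the uncompressed kernel to out_path; returns (offset, size, trailing_len)."""
    with open(zimage_path, "rb") as f:
        blob = f.read()
    res = extract_kernel(blob)
    if res is None:
        raise SystemExit("no gzip member found in %s" % zimage_path)
    off, kernel, trailing = res
    with open(out_path, "wb") as f:
        f.write(kernel)
    return off, len(kernel), trailing


# Constructed sample image: loader stub, a decoy magic with invalid header flags,
# the real member, then trailing data (as a real zImage has after the payload).
SAMPLE_KERNEL = b"Linux version 3.10.20 (constructed sample) " + b"\x90" * 64
SAMPLE_ZIMAGE = (
    b"boot stub..." + b"\x00" * 16
    + GZIP_MAGIC + b"junk-after-decoy"
    + gzip.compress(SAMPLE_KERNEL)
    + b"trailing-data"
)

if __name__ == "__main__":
    import sys   # usage (paths assumed): python unpack_zimage.py zImage Image
    print(extract_kernel_file(sys.argv[1], sys.argv[2]))
```

Checking `d.eof` is what rejects a magic that happens to parse as a header but runs into garbage; a partial inflate without end-of-stream is not accepted.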
¶hack steps
¶disable selinux
Patch the SELinux globals in the running kernel (addresses from kallsyms; `selinux_enforcing` only exists when the kernel was built with CONFIG_SECURITY_SELINUX_DEVELOP):
- selinux_enforcing=0 (permissive: denials are logged, not enforced)
- selinux_enabled=0
- selinux_disabled=1
¶hack capable check
- make security_ops->capable return 0 (0 from the capable hook means the capability is granted)
- the capable function pointer sits at ffffffff838ce4b0 (security_ops) + 0x50 (offset of the capable member in this build; both values are build specific, recheck them in IDA for another kernel)
- overwrite that pointer with the address of strnstr: the notes rely on it returning NULL, i.e. 0, for the arguments capable() is called with, so every capability check passes
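Added example (written for this page, not from the original notes): given a kallsyms dump, build the list of (address, bytes) writes the steps above describe, plus a sanity check that resolves whatever pointer currently sits in the capable slot back to a symbol before it is overwritten. Assumed: x86_64 little-endian kernel, 32-bit C ints for the selinux globals, the +0x50 offset from the notes, and a constructed kallsyms excerpt. Applying the writes needs a kernel read/write primitive that the notes do not describe.

```python
"""Compute the kernel memory patches for the SELinux + capable steps (added example).

Assumptions: x86_64 (8-byte little-endian pointers), C int is 4 bytes, the
capable slot is security_ops + 0x50 as in the notes (build specific), and the
kallsyms excerpt below is constructed.  How the writes reach kernel memory is
out of scope here.
"""
import struct

CAPABLE_OFFSET = 0x50      # from the notes; verify per kernel build
PTR = "<Q"                 # x86_64 pointer
INT = "<i"                 # C int

SELINUX_PATCHES = {        # global -> value the notes set
    "selinux_enforcing": 0,
    "selinux_enabled": 0,
    "selinux_disabled": 1,
}


def symbol_table(kallsyms_text):
    """name -> address for every non-zero kallsyms entry (first definition wins)."""
    table = {}
    for line in kallsyms_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and int(parts[0], 16) != 0:
            table.setdefault(parts[2], int(parts[0], 16))
    return table


def build_patches(syms):
    """List of (address, bytes) writes; KeyError if a needed symbol is missing."""
    writes = []
    for name, value in SELINUX_PATCHES.items():
        writes.append((syms[name], struct.pack(INT, value)))
    capable_slot = syms["security_ops"] + CAPABLE_OFFSET
    # strnstr returns NULL (== 0) when the needle is absent; the notes rely on
    # that for the (cred, ns, cap) arguments, and 0 from capable means "allowed".
    writes.append((capable_slot, struct.pack(PTR, syms["strnstr"])))
    return writes


def identify_pointer(value, syms):
    """Symbol a pointer value resolves to, or None.  Use it on the current
    contents of the capable slot: it should name a known capable hook before
    you overwrite it, otherwise the offset or the kallsyms dump is wrong."""
    by_addr = {}
    for name, addr in syms.items():
        by_addr.setdefault(addr, name)
    return by_addr.get(value)


# Constructed kallsyms excerpt; security_ops uses the address from the notes.
SAMPLE_KALLSYMS = """\
ffffffff810c2a10 T strnstr
ffffffff810e9f00 T cap_capable
ffffffff8136e2c0 t selinux_capable
ffffffff838ce4b0 D security_ops
ffffffff83a12340 d selinux_enforcing
ffffffff83a12344 d selinux_enabled
ffffffff83a12348 d selinux_disabled
"""

if __name__ == "__main__":
    syms = symbol_table(SAMPLE_KALLSYMS)
    for addr, data in build_patches(syms):
        print("%016x <- %s" % (addr, data.hex()))
```

Flipping selinux_enforcing alone gives the same effect as the androidboot.selinux=permissive cmdline below, but at runtime and without a reboot; the other two globals and the capable patch go further than permissive mode.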
¶disable selinux on start
androidboot.selinux=permissive (append to the kernel cmdline in the boot image). init honours this flag only on builds compiled with ALLOW_PERMISSIVE_SELINUX (userdebug/eng); on user builds it is ignored, which is why the in-memory patch above is needed there.
¶get stock recovery of FMB19
applypatch rebuilds the stock recovery.img from boot.img plus the patch that /system/bin/install-recovery.sh applies at boot. boot.img is a dump of the device's boot partition; its SHA-1 must match the one given before the colon or applypatch refuses to run:
```sh
applypatch -b /system/etc/recovery-resource.dat /data/local/tmp/boot.img /data/local/tmp/recovery.img 93900d13238fc8badc374756434aac1f5efd2d2c 12563768 20a80f3b8e17f0dbbc196082299b26bf6d816a90:/system/recovery-from-boot.p
```
Argument order: -b bonus file, source file, target file, target SHA-1, target size, source SHA-1:patch file.
¶create recovery image
- in ramdisk folder
¶Trouble shoot
¶usb not recognized in recovery
idVendor / idProduct table (hex). The IDs change with the mode the device is in, so a host that knows the adb pair may still ignore it in fastboot or sideload: check the current pair with lsusb (Linux) or Device Manager (Windows) and make sure the driver inf or udev rule covers it.
| Mode | idVendor | idProduct |
|---|---|---|
| fastboot | 8707 | 0fff |
| sideload | 8087 | 0a5d |
| adb,mtp | 0489 | 1ab1 |
| mtp | 0489 | 1ab0 |
| adb | 18d1 | 4ee7 |
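On a Linux host the usual cause is a missing udev rule for the current mode. The rules below are an added example built from the table above (not from the original notes); they assume a udev-based distribution, the plugdev group, and the rules path shown. Confirm the IDs with lsusb before relying on them.

```udev
# /etc/udev/rules.d/51-android.rules (assumed path); reload with: udevadm control --reload-rules
# fastboot
SUBSYSTEM=="usb", ATTR{idVendor}=="8707", ATTR{idProduct}=="0fff", MODE="0660", GROUP="plugdev"
# sideload
SUBSYSTEM=="usb", ATTR{idVendor}=="8087", ATTR{idProduct}=="0a5d", MODE="0660", GROUP="plugdev"
# adb + mtp
SUBSYSTEM=="usb", ATTR{idVendor}=="0489", ATTR{idProduct}=="1ab1", MODE="0660", GROUP="plugdev"
# mtp
SUBSYSTEM=="usb", ATTR{idVendor}=="0489", ATTR{idProduct}=="1ab0", MODE="0660", GROUP="plugdev"
# adb
SUBSYSTEM=="usb", ATTR{idVendor}=="18d1", ATTR{idProduct}=="4ee7", MODE="0660", GROUP="plugdev"
```

After reloading the rules, replug the device and restart the adb server (adb kill-server) so it re-enumerates.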
¶Appendix
¶ROM Download url
China mainland builds (A5CNxxx):
| | Build | Size | Type | Date |
|---|---|---|---|---|
| ● | A5CN114 | easter egg | original | 2014-11-18 |
| ● | A5CN204 | 316M | full | 2015-02-04 |
| ● | A5CN20C | 17.4M | patch | 2015-02-09 |
| ● | A5CN21B | 21.6M | patch | 2015-02-25 |
| ● | A5CN30B | 14.9M | patch | 2015-03-09 |
| ● | A5CN315 | 18.6M | patch | 2015-03-21 |
| ● | A5CN403 | 32.3M | patch | 2015-04-02 |
| ● | A5CN410 | 312M | full | 2015-04-16 |
| ● | A5CN507 | 348M | full | 2015-05-07 |
| ● | A5CN51C | 19.9M | patch | 2015-05-27 |
| ★ | A5CN701 | 471M | full | 2015-07-01 |
| ★ | A5CNA13 | 67.98M | patch | 2015-10-19 |
| ★ | A5CNB19 | 479.01M | full | 2015-11-25 |
Taiwan builds (A5FMxxx):
| | Build | Size | Type | Date |
|---|---|---|---|---|
| ● | A5FM508 | 625.59M | full | 2015-05-08 |
| ● | 5FM51C | 16.8M | patch | 2015-05-28 |
| ★ | A5FM91E | 848.38M | full | 2015-09-30 |
| ★ | A5FMB19 | 816.04M | full | 2015-11-25 |