Bypassing the "stuck at the Mi logo" boot hang && unpacking and repacking a flashable ROM package

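Solves: the device failing to boot after built-in system apps are deleted (or after the official ROM package is modified).
  • Environment: Ubuntu, Python, Java;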
$ python3 --version
Python 3.8.5

$ java --version
openjdk 11.0.11 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.20.04)
OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.20.04, mixed mode, sharing)
  • Tools:

Apktool (https://bitbucket.org/iBotPeaches/apktool/downloads/);
brotli (sudo apt install brotli);
sdat2img (https://github.com/xpirt/sdat2img or https://github.com/wangkunlin/sdat2img);
rimg2sdat (https://github.com/jazchen/rimg2sdat).

  • Worked example: device: Redmi Note 7;
  • Image (recovery-flashable package): miui_LAVENDER_V12.0.3.0.QFGCNXM_fe51c5198b_10.0.zip
  • File modified: /system/framework/services.jar

Step 1 - Unpack

  1. Unzip the ROM package:
$ unzip miui_LAVENDER_V12.0.3.0.QFGCNXM_fe51c5198b_10.0.zip
  2. The directory structure after extraction is as follows:
$ ll miui_LAVENDER_V12.0.3.0.QFGCNXM_fe51c5198b_10.0
total 2296326
drwxrwxrwx 1 root root       4096 614 20:06 ./
drwxrwxrwx 1 root root       4096 614 20:05 ../
-rwxrwxrwx 1 root root   67108864 11  2009 boot.img*
-rwxrwxrwx 1 root root       7503 11  2009 compatibility.zip*
drwxrwxrwx 1 root root       4096 614 20:03 firmware-update/
drwxrwxrwx 1 root root          0 614 20:03 META-INF/
-rwxrwxrwx 1 root root 1862310910 11  2009 system.new.dat.br*
-rwxrwxrwx 1 root root          0 11  2009 system.patch.dat*
-rwxrwxrwx 1 root root      16900 11  2009 system.transfer.list*
-rwxrwxrwx 1 root root  421975174 11  2009 vendor.new.dat.br*
-rwxrwxrwx 1 root root          0 11  2009 vendor.patch.dat*
-rwxrwxrwx 1 root root       4941 11  2009 vendor.transfer.list*
  3. Convert system.new.dat.br to system.new.dat:
$ brotli -d system.new.dat.br
-rwxrwxrwx 1 root root 3293814784 11  2009 system.new.dat*
  4. Convert system.new.dat to system.img:
$ python3 ../sdat2img/sdat2img.py system.transfer.list system.new.dat
sdat2img binary - version: 1.2
Android Nougat 7.x / Oreo 8.x detected!
Skipping command erase...
Copying 555 blocks into position 0...
Copying 469 blocks into position 728...
Done! Output image: /mnt/hgfs/D/Ubuntu/miui_LAVENDER_V12.0.3.0.QFGCNXM_fe51c5198b_10.0/system.img
-rwxrwxrwx 1 root root 3758096384 614 20:17 system.img*
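
The conversion in the last step, in miniature, as an added example (not code from the original post or from sdat2img itself): system.transfer.list tells the converter where each run of blocks packed back to back in system.new.dat belongs in the image, which is where the "Copying N blocks into position M" lines come from and why system.img is larger than system.new.dat. It assumes the version 2+ list layout (four header lines) with 4096-byte blocks; the sample list and data are constructed.

```python
import io

BLOCK_SIZE = 4096  # block size used by block-based flashable packages


def parse_rangeset(text):
    """'4,0,2,5,6' -> [(0, 2), (5, 6)]; the first number counts the values after it."""
    nums = [int(n) for n in text.split(",")]
    if nums[0] != len(nums) - 1 or nums[0] % 2:
        raise ValueError(f"malformed range set: {text!r}")
    return list(zip(nums[1::2], nums[2::2]))  # pairs of [begin, end) block numbers


def parse_transfer_list(text):
    """Return (version, [(command, ranges), ...]) for a v2+ transfer list."""
    lines = text.strip().splitlines()
    version = int(lines[0])
    # lines[1] = total blocks written; lines[2:4] = stash bookkeeping (v2 and later)
    commands = []
    for line in lines[4:]:
        cmd, _, arg = line.partition(" ")
        if cmd in ("erase", "new", "zero"):
            commands.append((cmd, parse_rangeset(arg)))
    return version, commands


def rebuild_image(transfer_text, new_dat):
    """Place the packed blocks of new.dat at their target offsets; return image bytes."""
    _, commands = parse_transfer_list(transfer_text)
    src, out = io.BytesIO(new_dat), io.BytesIO()
    for cmd, ranges in commands:
        if cmd != "new":
            continue  # erase/zero carry no data; those blocks stay zero-filled
        for begin, end in ranges:
            out.seek(begin * BLOCK_SIZE)  # seeking past the end leaves a zero gap
            out.write(src.read((end - begin) * BLOCK_SIZE))
    # Pad to the highest block any command references, so trailing holes are kept.
    last = max(end for _, ranges in commands for _, end in ranges)
    image = out.getvalue()
    return image + bytes(last * BLOCK_SIZE - len(image))


# Constructed sample: 3 data blocks packed together, destined for blocks 0-1 and 5
# of an 8-block image.
SAMPLE_LIST = "4\n3\n0\n0\nerase 2,0,8\nnew 4,0,2,5,6\nzero 2,6,8\n"
SAMPLE_DAT = b"A" * BLOCK_SIZE * 2 + b"B" * BLOCK_SIZE

if __name__ == "__main__":
    img = rebuild_image(SAMPLE_LIST, SAMPLE_DAT)
    print(len(SAMPLE_DAT) // BLOCK_SIZE, "packed blocks ->", len(img) // BLOCK_SIZE, "image blocks")
```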

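Step 2 - Mount system.img

(Mount the system image and modify it in place, which avoids having to repack the img image afterwards.)

  1. Mounting onto a directory requires root privileges, so switch to the root user:
$ sudo su
  2. Create the system directory and mount system.img: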
# mkdir system
# mount ./system.img ./system
     1. The directory structure is as follows:
# ll ./system
total 220
drwxr-xr-x. 21 root root  4096 11  2009 ./
drwxrwxrwx   1 root root  4096 614 20:23 ../
drwxr-xr-x.  2 root root  4096 11  2009 acct/
drwxr-xr-x.  2 root root  4096 11  2009 apex/
lrw-r--r--.  1 root root    11 11  2009 bin -> /system/bin
lrw-r--r--.  1 root root    50 11  2009 bugreports -> /data/user_de/0/com.android.shell/files/bugreports
drwxrwx---.  2 wxk  2001  4096 11  2009 cache/
lrw-r--r--.  1 root root    19 11  2009 charger -> /system/bin/charger
dr-xr-xr-x.  2 root root  4096 11  2009 config/
drwxr-xr-x.  2 root root  4096 11  2009 cust/
lrw-r--r--.  1 root root    17 11  2009 d -> /sys/kernel/debug/
drwxrwx--x.  2 wxk  wxk   4096 11  2009 data/
drwxr-xr-x.  2 root root  4096 11  2009 debug_ramdisk/
lrw-------.  1 root root    23 11  2009 default.prop -> system/etc/prop.default
drwxr-xr-x.  2 root root  4096 11  2009 dev/
lrw-r--r--.  1 root root    11 11  2009 etc -> /system/etc
lrwxr-x---.  1 root 2000    16 11  2009 init -> /system/bin/init
-rwxr-x---.  1 root 2000  2215 11  2009 init.environ.rc*
-rwxr-x---.  1 root 2000     0 11  2009 init.exaid.hardware.rc*
-rwxr-x---.  1 root 2000   642 11  2009 init.miui.cust.rc*
-rwxr-x---.  1 root 2000  3740 11  2009 init.miui.early_boot.sh*
-rwxr-x---.  1 root 2000    57 11  2009 init.miui.google_revenue_share.rc*
-rwxr-x---.  1 root 2000    57 11  2009 init.miui.google_revenue_share_v2.rc*
-rwxr-x---.  1 root 2000   342 11  2009 init.miui.nativedebug.rc*
-rwxr-x---.  1 root 2000   545 11  2009 init.miui.post_boot.sh*
-rwxr-x---.  1 root 2000   100 11  2009 init.miui.qadaemon.rc*
-rwxr-x---.  1 root 2000 10896 11  2009 init.miui.rc*
-rwxr-x---.  1 root 2000 38028 11  2009 init.rc*
-rwxr-x---.  1 root 2000   335 11  2009 init.recovery.hardware.rc*
-rwxr-x---.  1 root 2000  3171 11  2009 init.recovery.qcom.rc*
-rwxr-x---.  1 root 2000  7690 11  2009 init.usb.configfs.rc*
-rwxr-x---.  1 root 2000  5649 11  2009 init.usb.rc*
-rwxr-x---.  1 root 2000   611 11  2009 init.zygote32.rc*
-rwxr-x---.  1 root 2000  1029 11  2009 init.zygote64_32.rc*
drwx------.  2 root root 16384 11  2009 lost+found/
drwxr-xr-x.  2 root wxk   4096 11  2009 mnt/
drwxr-xr-x.  2 root root  4096 11  2009 odm/
drwxr-xr-x.  2 root root  4096 11  2009 oem/
drwxr-xr-x.  2 root root  4096 11  2009 proc/
lrw-r--r--.  1 root root    15 11  2009 product -> /system/product
lrw-r--r--.  1 root root    24 11  2009 product_services -> /system/product_services
drwxr-xr-x.  3 root root  4096 11  2009 res/
drwxr-x---.  2 root 2000  4096 11  2009 sbin/
lrw-r--r--.  1 root root    21 11  2009 sdcard -> /storage/self/primary
drwxr-x--x.  2 root 1028  4096 11  2009 storage/
drwxr-xr-x.  2 root root  4096 11  2009 sys/
drwxr-xr-x. 17 root root  4096 11  2009 system/
-rw-r--r--.  1 root root  2712 11  2009 ueventd.rc
drwxr-xr-x.  2 root 2000  4096 11  2009 vendor/
-rw-r--r--.  1 root root   524 11  2009 verity_key

Step 3 - Modify

  1. Decompile system/system/framework/services.jar:
# java -jar ../apktool_2.5.0.jar d -r -o ./services/ system/system/framework/services.jar -f
I: Using Apktool 2.5.0 on services.jar
I: Baksmaling classes.dex...
I: Baksmaling classes2.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

# ll ./services/
total 5
drwxrwxrwx 1 root root    0 614 20:30 ./
drwxrwxrwx 1 root root 4096 614 20:29 ../
-rwxrwxrwx 1 root root  299 614 20:30 apktool.yml*
drwxrwxrwx 1 root root    0 614 20:30 original/
drwxrwxrwx 1 root root    0 614 20:29 smali/
drwxrwxrwx 1 root root    0 614 20:30 smali_classes2/
  2. Edit the SecurityManagerService.smali file:
# vi ./services/smali_classes2/com/miui/server/SecurityManagerService.smali

Search for the line "method private checkSystemSelfProtection(Z)V"; you will see the following block:

.method private checkSystemSelfProtection(Z)V
    .locals 1
    .param p1, "onlyCore"    # Z

    .line 676
    new-instance v0, Lcom/miui/server/SecurityManagerService$1;

    invoke-direct {v0, p0, p1}, Lcom/miui/server/SecurityManagerService$1;-><init>(Lcom/miui/server/SecurityManagerService;Z)V

    .line 746
    invoke-virtual {v0}, Lcom/miui/server/SecurityManagerService$1;->start()V

    .line 747
    return-void
.end method

Change it to the following (everything between .locals 1 and return-void has been deleted):

.method private checkSystemSelfProtection(Z)V
    .locals 1
    return-void
.end method
  3. Rebuild to produce a new services.jar that overwrites the original:
# java -jar ../apktool_2.5.0.jar b -o ./system/system/framework/services.jar ./services/ -f
I: Using Apktool 2.5.0
I: Smaling smali folder into classes.dex...
I: Smaling smali_classes2 folder into classes2.dex...
W: Could not find resources
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk...

# ll ./system/system/framework/services.jar && date
-rw-r--r-- 1 root root 13076817 614 20:39 ./system/system/framework/services.jar
2021年 06月 14日 星期一 20:40:59 CST

Step 4 - Repack

(The reverse of unpacking: walk back along the path you came by.)

  1. Unmount system:
# umount ./system
  2. Convert system.img to system.new.dat:
# python3 ../rimg2sdat/rimg2sdat.py system.img
  Convert to sparse Android data image completed, use 340 seconds
  3. Convert system.new.dat to system.new.dat.br:
# brotli -0 system.new.dat
  4. Compress into a zip package:
# ll
total 2573480
drwxrwxrwx 1 root root       4096 614 20:59 ./
drwxrwxrwx 1 root root       4096 614 20:05 ../
-rwxrwxrwx 1 root root   67108864 11  2009 boot.img*
-rwxrwxrwx 1 root root       7503 11  2009 compatibility.zip*
drwxrwxrwx 1 root root       4096 614 20:03 firmware-update/
drwxrwxrwx 1 root root          0 614 20:03 META-INF/
-rwxrwxrwx 1 root root 2146116197 614 20:54 system.new.dat.br*
-rwxrwxrwx 1 root root          0 11  2009 system.patch.dat*
-rwxrwxrwx 1 root root      16835 614 20:54 system.transfer.list*
-rwxrwxrwx 1 root root  421975174 11  2009 vendor.new.dat.br*
-rwxrwxrwx 1 root root          0 11  2009 vendor.patch.dat*
-rwxrwxrwx 1 root root       4941 11  2009 vendor.transfer.list*
     1. Compress the entire contents of the current directory into miui_jeisuo.zip in the current directory:
# zip -q -r miui_jeisuo.zip *

# ll miui_jeisuo.zip
-rwxrwxrwx 1 root root 2655638106 614 21:06 miui_jeisuo.zip*

Finally, when flashing, do not forget to remove AVB verification and DM verification.
