標題:
Kali Nethunter 核心編譯範例
作者:
djpvd
時間:
2019-9-12 08:00
標題:
Kali Nethunter 核心編譯範例
本帖最後由 djpvd 於 2019-9-16 20:18 編輯
範例 Samsung Galaxy Note 5
## 下載原始碼
http://opensource.samsung.com/reception/receptionSub.do?method=sub&sub=T&menu_item=mobile&classification1=mobile_phone
搜尋 SM-N9208 下載
下載後解壓縮
# Unpack the vendor source bundle, then unpack the kernel tarball it contains
# into its own Kernel/ directory.
unzip SM-N9208_TW_NN_Opensource.zip
# NOTE(review): this cd assumes a directory of this name exists after unzip;
# confirm against the archive layout.
cd SM-N9208_TW_NN_Opensource
mkdir Kernel && cd Kernel
tar zxvf ../Kernel.tar.gz
# Back to the bundle root, the parent of Kernel/.
cd ..
## 下載編譯工具
# Shallow clone (--depth=1) of the nougat-release branch of the AOSP prebuilt
# aarch64 GCC 4.9 toolchain, placed under PLATFORM/ in the current directory.
git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9 PLATFORM/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9 -b nougat-release --depth=1
## 指定編譯器
修改 Makefile 檔案
# Toolchain prefix: a relative path ending in the tool-name prefix, to which
# the build appends gcc, ld, and so on. The ../ means it resolves from one
# level below the directory that holds PLATFORM/. ?= only assigns when
# CROSS_COMPILE is not already set in the environment or on the command line.
CROSS_COMPILE ?= ../PLATFORM/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/bin/aarch64-linux-android-
## 核心配置
cd Kernel
# Generate .config from the noblelte_tw defconfig (presumably the SM-N9208
# device configuration shipped in the vendor tree — confirm under
# arch/arm64/configs).
make ARCH=arm64 noblelte_tw_defconfig
# Interactively adjust the generated configuration.
make ARCH=arm64 menuconfig
以下驅動選擇自己需要的,不必全選,因為模塊太多,容量可能會不夠。
若要使用外接 USB 無線網卡,MAC80211 是必備的。
<*> 是將驅動編進核心
<M> 是將驅動編成模塊 XXX.ko
# MAC80211 網路驅動
模塊 mac80211.ko
Networking support > Wireless
<M> Generic IEEE 802.11 Networking Stack (mac80211)
# USB Modem & USB ATAPI 驅動
這是外接 USB Modem 跟 USB光碟機的驅動
模塊 cdc-acm.ko、ums-freecom.ko
Device Drivers > USB support
<M> USB Modem (CDC ACM) support
<M> Freecom USB/ATAPI Bridge support
# USB 無線網卡驅動
Device Drivers > Network device support > Wireless LAN
選擇需要的驅動
範例: Atheros 晶片無線網卡
<*> Atheros Wireless Cards --->
<M> Atheros 802.11n wireless cards support (Atheros ath9k)
<M> Atheros HTC based wireless cards support (Atheros ath9k HTC)
<M> Linux Community AR9170 802.11n USB support
<M> Atheros mobile chipsets support
<M> Atheros ath6kl SDIO support
<M> Atheros ath6kl USB support
<M> Atheros AR5523 wireless driver support
<M> Atheros 802.11ac wireless cards support (Atheros ath10k)
<M> Qualcomm Atheros WCN3660/3680 support
# USB 藍芽驅動
Networking support > Bluetooth subsystem support > Bluetooth device drivers
<M> HCI USB driver
<M> HCI UART driver
<M> HCI BCM203x USB driver
<M> HCI BPA10x USB driver
<M> HCI BlueFRITZ! USB driver
# USB 網卡驅動
Device Drivers > Network device support > USB Network Adapters
<M> USB Pegasus/Pegasus-II based ethernet device support
<M> USB RTL8150 based ethernet device support
<M> Realtek RTL8152 Based USB 2.0 Ethernet Adapters
# mac80211 注入 Patch
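# Fetch the mac80211 patch. The URL names a ref ("kali", presumably a branch)
# rather than a fixed commit, so the file served can change over time; read
# the diff before applying it to the kernel tree.
wget https://raw.githubusercontent.com/Mint-Fans/linux-package/kali/mac80211.patch
# Dry run first: checks that every hunk applies to this kernel version without
# touching any file. The real apply only runs if the dry run succeeds.
patch -p0 --dry-run -i mac80211.patch && patch -p0 -i mac80211.patch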
## 編譯 Kernel
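# Build the kernel image and every driver selected as <M>.
make -j"$(nproc)" ARCH=arm64
# Stage the install under ./out rather than the build host's own /boot and
# /lib/modules. The command substitutions are quoted so a working directory
# containing spaces is not word-split by shells that split export arguments.
export INSTALL_PATH="$(pwd)/out"
export INSTALL_MOD_PATH="$(pwd)/out"
make -j"$(nproc)" ARCH=arm64 modules_install
make -j"$(nproc)" ARCH=arm64 install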
編譯完成後檔案在 out 目錄下
作者:
djpvd
時間:
2019-9-15 06:48
本帖最後由 djpvd 於 2019-9-18 10:21 編輯
三星機種 TIMA 模塊認證繞過補釘
修改目標:核心原始碼
三星機種要繞過 TIMA 模塊認證,幾乎無法用二進位補釘達成,只能重編核心。TIMA 的模塊認證(CONFIG_TIMA_LKMAUTH)會在載入 .ko 之前驗證模塊;移除之後核心不再做這項驗證,凡是具備載入模塊權限(root)的程序都能載入任意核心模塊。
menuconfig 核心配置好之後
* 刪除 .config 裡面的 _TIMA 項目
# Samsung TIMA options as they appear in the generated .config. The
# expansions below are the reviewer's reading of the names — confirm against
# the Kconfig help text in the vendor tree.
CONFIG_TIMA=y
# Presumably loadable-kernel-module authentication.
CONFIG_TIMA_LKMAUTH=y
# Presumably Real-time Kernel Protection.
CONFIG_TIMA_RKP=y
CONFIG_TIMA_LOG=y
CONFIG_SEC_DEBUG_TIMA_LOG=y
sed 指令刪除:
# Edits .config in place, deleting every line that contains the substring
# "_TIMA" (this matches CONFIG_SEC_DEBUG_TIMA_LOG as well as CONFIG_TIMA*).
sed -i "/_TIMA/d" .config
* 替換 module.c
到Linux 官方下載 Linux 核心原始碼 (對應手機核心版本下載)
取出Linux原始碼的 kernel/module.c 替換掉三星原始碼的 kernel/module.c
* 刪除 Makefile 裡面 CONFIG_TIMA 編譯配置
# When both CONFIG_TIMA_LKMAUTH and CONFIG_TIMA are "y", define
# TIMA_LKM_AUTH_ENABLED for C and assembly sources and add the MobiCore kernel
# API headers to the C include path.
# NOTE(review): presumably this macro guards the module-authentication code in
# the vendor kernel/module.c — confirm in the vendor tree.
ifeq ($(CONFIG_TIMA_LKMAUTH),y)
ifeq ($(CONFIG_TIMA),y)
KBUILD_CFLAGS += -DTIMA_LKM_AUTH_ENABLED -Idrivers/gud/gud-exynos7420/MobiCoreKernelApi/include/
KBUILD_AFLAGS += -DTIMA_LKM_AUTH_ENABLED
endif
endif
這是三星機種獨有的,好在三星核心有開放原始碼。
刷進重編的核心之後,手機會不斷提出安全性警告,把 SecurityLogAgent 凍結或刪除即可。這只是讓通知不再出現,被移除的 TIMA 檢查並不會因此恢復。
APK 位置:/system/app/SecurityLogAgent/SecurityLogAgent.apk
作者:
djpvd
時間:
2019-9-15 07:04
本帖最後由 djpvd 於 2019-9-18 10:13 編輯
模塊 vermagic 繞過補釘
kernel/module.c
* 找到函數 check_version
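/*
 * check_version - compare the CRC a module recorded for one symbol with the
 * CRC supplied by the symbol's exporter.
 *
 * @sechdrs:   the module's ELF section headers
 * @versindex: index of the section holding struct modversion_info entries;
 *             0 means the module carries no version table
 * @symname:   name of the symbol being checked
 * @mod:       module being loaded (used for log messages and forced loads)
 * @crc:       exporter's CRC for @symname, or NULL if none was supplied
 * @crc_owner: forwarded to maybe_relocated() together with *@crc
 *
 * Returns 1 when the symbol is accepted and 0 otherwise, after logging the
 * reason.
 */
static int check_version(Elf_Shdr *sechdrs,
			 unsigned int versindex,
			 const char *symname,
			 struct module *mod,
			 const unsigned long *crc,
			 const struct module *crc_owner)
{
	unsigned int i, num_versions;
	struct modversion_info *versions;

	/* Exporting module didn't supply crcs?  OK, we're already tainted. */
	if (!crc)
		return 1;

	/* No versions at all?  modprobe --force does this. */
	if (versindex == 0)
		return try_to_force_load(mod, symname) == 0;

	/* The section is read as a flat array of struct modversion_info. */
	versions = (void *) sechdrs[versindex].sh_addr;
	num_versions = sechdrs[versindex].sh_size
		/ sizeof(struct modversion_info);

	for (i = 0; i < num_versions; i++) {
		if (strcmp(versions[i].name, symname) != 0)
			continue;

		if (versions[i].crc == maybe_relocated(*crc, crc_owner))
			return 1;
		pr_debug("Found checksum %lX vs module %lX\n",
			 maybe_relocated(*crc, crc_owner), versions[i].crc);
		goto bad_version;
	}

	/* The module has a version table but no entry for this symbol. */
	printk(KERN_WARNING "%s: no symbol version for %s\n",
	       mod->name, symname);
	return 0;

bad_version:
	printk("%s: disagrees about version of symbol %s\n",
	       mod->name, symname);
	return 0;
}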
改成
/*
 * Stubbed check_version(): all six arguments are ignored and the function
 * always returns 1, the value the stock implementation returns only when the
 * module's recorded CRC matches the exporter's.
 *
 * With this stub no version table is read and no CRC is compared, so a
 * module built against different symbol versions is no longer rejected at
 * load time; any ABI mismatch shows up at run time instead.
 */
static int check_version(Elf_Shdr *sechdrs, unsigned int versindex,
			 const char *symname, struct module *mod,
			 const unsigned long *crc,
			 const struct module *crc_owner)
{
	/* Unconditional accept. */
	return 1;
}
* 找到函數 check_modstruct_version
/*
 * check_modstruct_version - run check_version() for the module_layout symbol.
 *
 * Looks up the CRC of module_layout with find_symbol() and passes it, with
 * the module's section headers and version-section index, to check_version().
 * Calls BUG() if the symbol cannot be found. Returns whatever
 * check_version() returns.
 */
static inline int check_modstruct_version(Elf_Shdr *sechdrs,
					  unsigned int versindex,
					  struct module *mod)
{
	const char *layout_sym = VMLINUX_SYMBOL_STR(module_layout);
	const unsigned long *layout_crc;

	/*
	 * Since this should be found in kernel (which can't be removed),
	 * no locking is necessary.
	 */
	if (!find_symbol(layout_sym, NULL, &layout_crc, true, false))
		BUG();

	return check_version(sechdrs, versindex, layout_sym, mod, layout_crc,
			     NULL);
}
改成
/*
 * Stubbed check_modstruct_version(): the module_layout lookup and the call
 * into check_version() are gone; the arguments are ignored and 1 is always
 * returned. The module_layout CRC is therefore never compared, so a module
 * whose view of the layout differs from the running kernel's is not rejected
 * by this check.
 */
static inline int check_modstruct_version(Elf_Shdr *sechdrs,
					  unsigned int versindex,
					  struct module *mod)
{
	/* Unconditional accept. */
	return 1;
}
* 找到函數 check_modinfo
static int check_modinfo
將以下內容刪除或註解掉
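/*
 * Excerpt from the body of check_modinfo(); modmagic, vermagic, info and mod
 * are defined outside this excerpt.
 * NOTE(review): modmagic is presumably the module's own vermagic string and
 * vermagic the running kernel's — confirm in the full function.
 */
int err;

/* This is allowed: modprobe --force will invalidate it. */
if (!modmagic) {
	/* No vermagic in the module: only a forced load may continue. */
	err = try_to_force_load(mod, "bad vermagic");
	if (err)
		return err;
} else if (!same_magic(modmagic, vermagic, info->index.vers)) {
	/* Mismatch: log both strings and refuse the module. */
	printk(KERN_ERR "%s: version magic '%s' should be '%s'\n",
	       mod->name, modmagic, vermagic);
	return -ENOEXEC;
}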
* 找到函數 try_to_force_load
整段刪除或註解掉。
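/*
 * try_to_force_load - decide whether a module that failed a version check
 * may be loaded anyway.
 *
 * @mod:    module being loaded
 * @reason: short text included in the warning
 *
 * With CONFIG_MODULE_FORCE_LOAD: logs a warning the first time (while
 * TAINT_FORCED_MODULE is not yet set), taints the kernel and the module with
 * TAINT_FORCED_MODULE, and returns 0. Without it: returns -ENOEXEC.
 */
static int try_to_force_load(struct module *mod, const char *reason)
{
#ifdef CONFIG_MODULE_FORCE_LOAD
	if (!test_taint(TAINT_FORCED_MODULE))
		printk(KERN_WARNING "%s: %s: kernel tainted.\n",
		       mod->name, reason);
	add_taint_module(mod, TAINT_FORCED_MODULE, LOCKDEP_NOW_UNRELIABLE);
	return 0;
#else
	return -ENOEXEC;
#endif
}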
這樣一來,核心不再檢查模塊的 vermagic 與符號 CRC,才能自由添加驅動模塊。由於少了這層相容性檢查,模塊仍應以同一份核心原始碼與 .config 編譯,否則結構佈局不一致的模塊載入後可能造成核心當機或記憶體損毀。