1) root奪取可能なファームに初期化
2) rootkitでsu放り込む
3) OTA
起動したらadbで
$ adb shell
$ su
# dd if=/dev/block/mmcblk0p4 of=/data/local/tmp/boot.img
# chown shell.shell /data/local/tmp/boot.img
# chmod 0644 /data/local/tmp/boot.img
# exit
$ exit
$ adb pull /data/local/tmp/boot.img
$ su
# dd if=/dev/block/mmcblk0p4 of=/data/local/tmp/boot.img
# chown shell.shell /data/local/tmp/boot.img
# chmod 0644 /data/local/tmp/boot.img
# exit
$ exit
$ adb pull /data/local/tmp/boot.img
kernelゲット?
adbで
$adb shell
$ su
# dd if=/dev/block/mmcblk0p12 of=/data/local/tmp/system.ext4.img
# chown shell.shell /data/local/tmp/system.ext4.img
# chmod 0644 /data/local/tmp/system.ext4.img
# exit
$ exit
$ adb pull /data/local/tmp/system.ext4.img
$ su
# dd if=/dev/block/mmcblk0p12 of=/data/local/tmp/system.ext4.img
# chown shell.shell /data/local/tmp/system.ext4.img
# chmod 0644 /data/local/tmp/system.ext4.img
# exit
$ exit
$ adb pull /data/local/tmp/system.ext4.img
prerootedなイメージゲット?
AROMAはわかんないからupdater-script
ui_print("");
ui_print("--- Prerooted system ---");
#ui_print("");
#ui_print("--- Format systems ---");
#format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "/system");
#format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/userdata", "/data");
#format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/cache", "/cache");
#format("ext4", "EMMC", "/dev/block/mmcblk0p12", "/system");
#format("ext4", "EMMC", "/dev/block/mmcblk0p13", "/cache");
#format("ext4", "EMMC", "/dev/block/mmcblk0p14", "/data");
#ui_print("");
#ui_print("--- Mounting systems ---");
#run_program("/sbin/busybox", "mount", "/system");
#run_program("/sbin/busybox", "mount", "/data");
#ui_print("");
#ui_print("--- Cleaning Dalvik-Cache ---");
#delete_recurdsive("/data/dalvik-cache");
ui_print("");
ui_print("--- Writing kernel image ---");
package_extract_file("boot.img", "/dev/block/platform/msm_sdcc.1/by-name/kernel");
#package_extract_file("boot.img", "/dev/block/mmcblk0p4");
ui_print("");
ui_print("--- Writing system image ---");
package_extract_file("system.ext4.img", "/dev/block/platform/msm_sdcc.1/by-name/system");
#package_extract_file("system.ext4.img", "/dev/block/mmcblk0p12");
#ui_print("");
#ui_print("--- Unmounting systems ---");
#unmount("/system");
#unmount("/data");
ui_print("");
ui_print("--- DONE ---");
ui_print("--- Prerooted system ---");
#ui_print("");
#ui_print("--- Format systems ---");
#format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "/system");
#format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/userdata", "/data");
#format("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/cache", "/cache");
#format("ext4", "EMMC", "/dev/block/mmcblk0p12", "/system");
#format("ext4", "EMMC", "/dev/block/mmcblk0p13", "/cache");
#format("ext4", "EMMC", "/dev/block/mmcblk0p14", "/data");
#ui_print("");
#ui_print("--- Mounting systems ---");
#run_program("/sbin/busybox", "mount", "/system");
#run_program("/sbin/busybox", "mount", "/data");
#ui_print("");
#ui_print("--- Cleaning Dalvik-Cache ---");
#delete_recurdsive("/data/dalvik-cache");
ui_print("");
ui_print("--- Writing kernel image ---");
package_extract_file("boot.img", "/dev/block/platform/msm_sdcc.1/by-name/kernel");
#package_extract_file("boot.img", "/dev/block/mmcblk0p4");
ui_print("");
ui_print("--- Writing system image ---");
package_extract_file("system.ext4.img", "/dev/block/platform/msm_sdcc.1/by-name/system");
#package_extract_file("system.ext4.img", "/dev/block/mmcblk0p12");
#ui_print("");
#ui_print("--- Unmounting systems ---");
#unmount("/system");
#unmount("/data");
ui_print("");
ui_print("--- DONE ---");
これでいいのか?
zipに固める。
$ 7z a unsigned.zip META-INF system.ext4.img boot.img
$ signapk unsigned.zip SO-01E_9.1.C.1.103_Prerooted.zip
$ signapk unsigned.zip SO-01E_9.1.C.1.103_Prerooted.zip
フォーマットすれば初期化と同じだよなと
TWRPとか動けばどのファームでも焼けるよなと
その前に焼けるのか?
0 件のコメント:
コメントを投稿