Setup
To hook Binder, which is a statically compiled kernel driver, we must recompile the kernel with our hooking code in it. We can then flash the new kernel image onto an Android device. This step preserves user information, apps, and state, and requires an unlocked bootloader and root access.
The following process has been tested on a Google Nexus 7 (2013, codename flo).
Read this link to learn a lot more about the process of cross-compiling the Linux kernel for Android.
You need two git repos: the kernel source for your device and a cross-compiling gcc.
Determine which kernel you need from here, then clone it. For me it was 'msm':
git clone https://android.googlesource.com/kernel/msm.git
git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/arm/arm-eabi-4.6
OS X has problems with header files (specifically elf.h and its dependencies), so I compiled on Ubuntu in VirtualBox. If you download the sources into a VirtualBox shared folder with Windows, that folder will not be on a case-sensitive filesystem, which will prevent you from compiling the kernel. Your best bet is to download the sources onto a Linux filesystem that is not a VirtualBox shared folder.
Find the exact kernel commit your device was built from, then check it out in your clone:
$ git log --max-count=1 flo-kernel/kernel | grep "Linux version" | cut -d' ' -f7
$ > 3.4.0-g8ba2631 (the ID to check out is what's after the -g)
$ cd msm/ (i.e. the git directory for your kernel source)
$ git checkout 8ba2631
Set your env vars accordingly. This gets the correct cross-compiling gcc.
$ export ARCH=arm
$ export SUBARCH=arm
$ export CROSS_COMPILE=arm-eabi-
$ export PATH={PATH_TO_BINDERFILTER_PROJECT}/resources/libexec/gcc/arm-linux-androideabi/4.9.x-google:{PATH_TO_BINDERFILTER_PROJECT}/resources/arm-eabi-4.6/bin:$PATH
$ arm-eabi-gcc --version
$ > should give 4.6.x-google etc
$ cc1 --version
$ > should give no errors
Prepare to build the kernel source for the specific kernel and Android version you're targeting
$ cd msm/ (for me it's /media/sf_msm)
$ make flo_defconfig (replace flo with your kernel name)
$ make prepare
Edit .config and add the following flags to play nice with our BinderFilter driver.
$ vi .config
CONFIG_MODULES=y
CONFIG_MODULE_FORCE_LOAD=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODULE_FORCE_UNLOAD=y
CONFIG_MODVERSIONS=y
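As an added example (not part of the BinderFilter project), here is a POSIX shell script that forces those five flags into .config without duplicating symbols. Simply appending the lines works but leaves any `# CONFIG_X is not set` line that `make flo_defconfig` generated in place; this version rewrites such lines, appends only what is missing, and verifies the result so it can be re-run safely. The file path argument is whatever .config you are editing. kbuild still re-checks dependencies (the CONFIG_MODULE_* flags depend on CONFIG_MODULES) on the next `make`.

```shell
#!/bin/sh
# Added example, not BinderFilter project code: force the CONFIG_* flags
# listed above into a kernel .config without duplicating symbols.
# Usage: sh enable_binderfilter_flags.sh msm/.config

BINDERFILTER_FLAGS="CONFIG_MODULES CONFIG_MODULE_FORCE_LOAD CONFIG_MODULE_UNLOAD \
CONFIG_MODULE_FORCE_UNLOAD CONFIG_MODVERSIONS"

# Set $2=y in the .config file $1. An existing "$2=..." line or a
# "# $2 is not set" line left by make *_defconfig is rewritten in place;
# otherwise the assignment is appended.
set_config_y() {
    cfg=$1
    flag=$2
    if grep -q "^$flag=" "$cfg" || grep -q "^# $flag is not set\$" "$cfg"; then
        sed -e "s/^$flag=.*/$flag=y/" -e "s/^# $flag is not set\$/$flag=y/" \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s=y\n' "$flag" >> "$cfg"
    fi
}

# Apply every flag from the list to the .config at $1.
enable_binderfilter_flags() {
    for flag in $BINDERFILTER_FLAGS; do
        set_config_y "$1" "$flag"
    done
}

# Return 0 only if each flag appears exactly once, as FLAG=y, with no
# stale "is not set" line left behind; run this before `make`.
verify_binderfilter_flags() {
    for flag in $BINDERFILTER_FLAGS; do
        [ "$(grep -c "^$flag=y\$" "$1")" -eq 1 ] || return 1
        if grep -q "^# $flag is not set\$" "$1"; then
            return 1
        fi
    done
    return 0
}

if [ -n "${1:-}" ]; then
    enable_binderfilter_flags "$1"
    verify_binderfilter_flags "$1" && echo "$1: BinderFilter flags set"
fi
```

Running the script twice must leave .config unchanged the second time; if `verify_binderfilter_flags` fails after the first run, some other line in .config (for example a conflicting `CONFIG_MODULES` from a later fragment) needs a look before you build.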
Copy over BinderFilter files (working directory should be msm/)
rm ./drivers/staging/android/binder.c
rm ./drivers/staging/android/Kconfig
rm ./drivers/staging/android/Makefile
cp {PATH_TO_BINDERFILTER_PROJECT}/src/binder.c ./drivers/staging/android/binder.c
cp {PATH_TO_BINDERFILTER_PROJECT}/src/binder_filter.c ./drivers/staging/android/binder_filter.c
cp {PATH_TO_BINDERFILTER_PROJECT}/src/binder_filter.h ./drivers/staging/android/binder_filter.h
cp {PATH_TO_BINDERFILTER_PROJECT}/src/Kconfig ./drivers/staging/android/Kconfig
cp {PATH_TO_BINDERFILTER_PROJECT}/src/Makefile ./drivers/staging/android/Makefile
Finally, make the damn project
$ make
Building the kernel puts the kernel image (zImage) at msm/arch/arm/boot/zImage.
Get the existing boot image from the phone:
adb shell
su
cd /sdcard/Download
dd if=/dev/block/platform/*/by-name/boot of=cur-boot.img
chmod 644 cur-boot.img
exit
exit
adb pull /sdcard/Download/cur-boot.img .
Add the recently built kernel to that image
cp msm/arch/arm/boot/zImage .
(sudo apt-get install abootimg)
abootimg -u cur-boot.img -k zImage
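The flash step is where a bad file turns into a device that does not boot, and fastboot will happily write whatever `dd` produced. As an added example (not BinderFilter project code), here is a shell check to run on cur-boot.img after pulling it and again after the abootimg step. It relies only on the Android boot image header layout: the 8-byte magic `ANDROID!` at offset 0, kernel_size as a 32-bit little-endian integer at offset 8 and page_size at offset 36. The kernel_size comparison assumes abootimg records the new zImage's exact length, which is what that header field is defined to hold, and od reads integers in host byte order, so run it on an x86 build host.

```shell
#!/bin/sh
# Added example, not BinderFilter project code: sanity-check cur-boot.img
# before abootimg and fastboot touch it. Assumes the Android boot image
# header layout: magic "ANDROID!" at offset 0, kernel_size as a 32-bit
# little-endian integer at offset 8, page_size at offset 36. od reads in
# host byte order, so this is meant for an x86 build host.
# Usage: sh check_boot_image.sh cur-boot.img [zImage]

# Print the unsigned 32-bit integer stored at byte offset $2 of file $1.
read_le32() {
    od -An -t u4 -j "$2" -N 4 "$1" | tr -d ' \n'
}

# Return 0 if $1 carries the boot image magic, a plausible page_size and
# at least one full page of data; a wrong by-name path or an interrupted
# dd fails here instead of on the phone.
check_boot_image() {
    img=$1
    [ -f "$img" ] || { echo "$img: no such file" >&2; return 1; }
    # od -c avoids passing raw binary through the shell when the file is junk
    magic=$(head -c 8 "$img" | od -An -c | tr -d ' \n')
    [ "$magic" = "ANDROID!" ] || { echo "$img: bad magic '$magic'" >&2; return 1; }
    page=$(read_le32 "$img" 36)
    case "$page" in
        2048|4096|8192|16384|32768|65536|131072) ;;
        *) echo "$img: unexpected page_size '$page'" >&2; return 1 ;;
    esac
    size=$(wc -c < "$img" | tr -d ' ')
    [ "$size" -ge "$page" ] || { echo "$img: only $size bytes, shorter than one page" >&2; return 1; }
    return 0
}

# Return 0 if the kernel_size recorded in boot image $1 equals the size of
# kernel file $2; use it after `abootimg -u cur-boot.img -k zImage` to
# confirm the new kernel really went in.
check_kernel_size() {
    recorded=$(read_le32 "$1" 8)
    [ -n "$recorded" ] || { echo "$1: cannot read kernel_size" >&2; return 1; }
    actual=$(wc -c < "$2" | tr -d ' ')
    if [ "$recorded" -ne "$actual" ]; then
        echo "$1: header says kernel is $recorded bytes, $2 is $actual" >&2
        return 1
    fi
    return 0
}

if [ -n "${1:-}" ]; then
    check_boot_image "$1" && echo "$1: looks like an Android boot image"
    if [ -n "${2:-}" ]; then
        check_kernel_size "$1" "$2" && echo "$1: kernel_size matches $2"
    fi
fi
```

Run `sh check_boot_image.sh cur-boot.img` right after `adb pull`, and `sh check_boot_image.sh cur-boot.img zImage` after `abootimg -u`; only flash when both print the confirmation lines.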
Flash to phone
adb reboot bootloader
sudo fastboot flash boot cur-boot.img
You should see output like this:
reading kernel from /home/dwu/msm/arch/arm/boot/zImage
Writing Boot Image /home/dwu/cur-boot.img
< waiting for any device >
target didn't report max-download-size
sending 'boot' (16384 KB)...
OKAY [ 3.668s]
writing 'boot'...
OKAY [ 0.606s]
finished. total time: 4.274s
After the flash finishes, start up the device. Once it has rebooted, you've (hopefully) got BinderFilter on your device!