Android内核漏洞调试:编译android4.4.4源码和内核

前言

android kernel漏洞进行源码调试需要编译aosp源码和内核,本文就其详细过程进行了图文讲解。

准备工作

一些碎碎念……本来因为想在mac上编译的,还专门买了一个外置的移动硬盘,然后自己按照官网和搜到的无数篇博客精心研究了很久很久,耗时三天,还是GG,但是基本上…xcode是个大坑,算了算了……反正最后始终没弄好,然后,虚拟机走起吧……

首先,虚拟机用的是mac上的parallels desktop,然后镜像是Ubuntu 12.04.5 Desktop (64-bit)

然后android源码在这里下载,我没有用repo,直接从百度云取的,用的是android4.4.4_r1

这样一共只需要下载2G多点……而不是70G(死目

mac上虚拟机快速配置就可以快速安装好系统,不过记得安装好后,修改一下硬件,空间给128G,内存改4096M,核数改2-4随便

安装Java JDK 1.6

jdk版本:jdk-6u45-linux-x64.bin
下载地址:http://app.nidc.kr/java/jdk-6u45-linux-x64.bin

我们先在 /usr/local/目录下创建java文件夹:

cd /usr/local
sudo mkdir java
sudo cp [jdk-6u45-linux-x64.bin路径]  /usr/local/java
sudo chmod 777 jdk-6u45-linux-x64.bin
sudo ./jdk-6u45-linux-x64.bin

安装成功后,java文件夹下多了一个文件夹:jdk1.6.0_45/
然后配置环境变量,用vim打开/ect/profile 文件,嗯,我不会用gedit,日常vim,这个其实随意。

sudo vim /etc/profile

添加下面的环境变量,要根据安装目录修改,并保存

# Java Environment
export JAVA_HOME=/usr/local/java/jdk1.6.0_45  

export JRE_HOME=/usr/local/java/jdk1.6.0_45/jre  

export CLASSPATH=.:$JAVA_HOME/lib:$JRE_HOME/lib:$CLASSPATH  

export PATH=$JAVA_HOME/bin:$JRE_HOME/bin:$JAVA_HOME:$PATH

重启后使其生效并进行验证
也可使用下面的命令不重启使其生效,不过只针对当前域有效。

source /etc/profile

其实我是没重启的,直接source就行了,只要不另在终端里开标签或者重启终端就可以。
输入java -version 进行验证安装,成功后返回如下

java version "1.6.0_45"
Java(TM) SE Runtime Environment (build 1.6.0_45-b06)
Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode)

安装依赖

sudo apt-get install git gnupg flex bison gperf build-essential 
  zip curl libc6-dev libncurses5-dev:i386 x11proto-core-dev 
  libx11-dev:i386 libreadline6-dev:i386 libgl1-mesa-glx:i386 
  libgl1-mesa-dev g++-multilib mingw32 tofrodos 
  python-markdown libxml2-utils xsltproc zlib1g-dev:i386

sudo ln -s /usr/lib/i386-linux-gnu/mesa/libGL.so.1 /usr/lib/i386-linux-gnu/libGL.so

必须提到的是!我之前一直遇到很坑的问题,那就是虚拟机重启后打不开,始终没有解决,直到我不死心的尝试第n次,然后搜到了这个。
http://www.cnblogs.com/wangzehuaw/p/4057604.html
划重点

$ sudo apt-get install git gnupg flex bison gperf build-essential 
>   zip curl libc6-dev libncurses5-dev:i386 x11proto-core-dev 
>   libx11-dev:i386 libreadline6-dev:i386 libgl1-mesa-glx:i386 
>   libgl1-mesa-dev g++-multilib mingw32 tofrodos 
>   python-markdown libxml2-utils xsltproc zlib1g-dev:i386
Reading package lists... Done
Building dependency tree       
Reading state information... Done
zip is already the newest version.
zip set to manually installed.
gnupg is already the newest version.
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libgl1-mesa-glx:i386 : Depends: libglapi-mesa:i386 (= 8.0.4-0ubuntu0.6)
                        Recommends: libgl1-mesa-dri:i386 (>= 7.2)
E: Unable to correct problems, you have held broken packages.

提示信息说缺少依赖库无法安装libgl1-mesa-glx:i386,那么就不要安装这个库了,从上面的install列表中减去这个库。
libgl1-mesa-glx:i386。如果强制安装了这个库会导致重启或关机后无法进入ubuntu问题,很严重。
如果也遇到了无法进入ubuntu系统的问题,请重装系统时不要安装这个库。

我真的第一次见到会break desktop的库……服了服了。

就因为这个坑了我三天!!!

所以像我一样直接去掉吧。

sudo apt-get install git gnupg flex bison gperf build-essential zip curl libc6-dev libncurses5-dev:i386 x11proto-core-dev libx11-dev:i386 libreadline6-dev:i386 libgl1-mesa-dev g++-multilib mingw32 tofrodos python-markdown libxml2-utils xsltproc zlib1g-dev:i386
sudo ln -s /usr/lib/i386-linux-gnu/mesa/libGL.so.1 /usr/lib/i386-linux-gnu/libGL.so

解压源码

把之前下载的源码的7z包解压,比如我是建了个目录aosp,然后解压后,就有个android-4.4.4_r1的文件夹。

7z文件需要下一个东西来解压

sudo apt-get install p7zip-full
7z x android-4.4.4_r1.7z

解压好之后,进入源码路径,如果你的目录结构和我一样,就是

cd ~/aosp/android-4.4.4_r1

编译源码

清理

命令删除所有以前编译操作的已有输出:

make clobber

设置环境

使用build目录中的envsetup.sh脚本初始化环境

source build/envsetup.sh

选择目标

因为我不下载到实体机里,就直接输入lunch,然后回车即可。
默认选择第一个,即lunch aosp_arm-eng,该命令表示针对模拟器进行完整编译,并且所有调试功能均处于启用状态。

进行编译

编译前先看看你配置了几个核,然后make -j(核数✖2)

cat /proc/cpuinfo | grep processor


可看到自己创建的虚拟机CPU核心共有2个,所以make -j4
编译后输出的文件都放在了源码根目录下的out文件中。

启动模拟器

emulator -partition-size 300

导入android源码进android studio

网上的做法比较乱,我只写一下我是怎么做的。
1.在整个Android源码全编成功之后,然后编译idegen模块,用以生成Android studio的工程配置文件,编译成功之后就生成了idegen.jar(out/host/darwin-x86/framework/idegen.jar),运行如下命令:

source build/ensetup.sh
mmm development/tools/idegen/


2.在源码根目录生成对应的android.ipr、android.iml IEDA工程配置文件。以便于AndroidStudio可以打开项目

development/tools/idegen/idegen.sh


3.下载android studio并启动

cd ~/android-studio/bin
./studio.sh

第一次启动要安装sdk,所以记得翻墙。

4.导入
打开 Android studio,选择刚刚生成的 android.ipr 打开,等待加载好了就可以了。

下载源代码

https://source.android.com/source/building-kernels
承接之前编译的android4.4.4的系统源码,所以说是模拟平台,用goldfish

sakura@ubuntu:~$ git clone https://aosp.tuna.tsinghua.edu.cn/kernel/goldfish

查看各种版本的goldfish

sakura@ubuntu:~$ cd goldfish/
sakura@ubuntu:~/goldfish$ git branch -a
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/android-3.10
  remotes/origin/android-3.18
  remotes/origin/android-3.4
  remotes/origin/android-goldfish-2.6.29
  remotes/origin/android-goldfish-3.10
  remotes/origin/android-goldfish-3.10-k-dev
  remotes/origin/android-goldfish-3.10-l-mr1-dev
  remotes/origin/android-goldfish-3.10-m-dev
  remotes/origin/android-goldfish-3.10-n-dev
  remotes/origin/android-goldfish-3.18
  remotes/origin/android-goldfish-3.18-dev
  remotes/origin/android-goldfish-3.4
  remotes/origin/android-goldfish-3.4-l-mr1-dev
  remotes/origin/android-goldfish-4.4-dev
  remotes/origin/heads/for/android-goldfish-3.18-dev
  remotes/origin/linux-goldfish-3.0-wip
  remotes/origin/master
sakura@ubuntu:~/goldfish$

我们选择3.4版本

切换分支

sakura@ubuntu:~/goldfish$ git checkout remotes/origin/android-goldfish-3.4 -b goldfish3.4
Checking out files: 100% (38854/38854), done.
Branch goldfish3.4 set up to track remote branch android-3.4 from origin.
Switched to a new branch 'goldfish3.4'

配置交叉编译链

首先,要翻墙,mac及其虚拟机可以参考我的博客
然后获取交叉编译链

sakura@ubuntu:~$ git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/arm/arm-eabi-4.6

设置环境变量

sakura@ubuntu:~$ sudo vim /etc/profile

在打开的文件最末添加

export PATH=/home/sakura/arm-eabi-4.6/bin:$PATH

然后使配置生效

sakura@ubuntu:~$ source /etc/profile

确认一下

sakura@ubuntu:~$ echo $PATH
/home/sakura/arm-eabi-4.6/bin:/home/sakura/Android/Sdk/platform-tools:/usr/local/java/jdk1.6.0_45/bin:/usr/local/java/jdk1.6.0_45/jre/bin:/usr/local/java/jdk1.6.0_45:/home/sakura/Android/Sdk/platform-tools:/usr/local/java/jdk1.6.0_45/bin:/usr/local/java/jdk1.6.0_45/jre/bin:/usr/local/java/jdk1.6.0_45:/usr/lib/lightdm/lightdm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

配置编译选项,进行编译

sakura@ubuntu:~/goldfish$ export ARCH=arm
sakura@ubuntu:~/goldfish$ export CROSS_COMPILE=arm-eabi-
sakura@ubuntu:~/goldfish$ export SUBARCH=arm
sakura@ubuntu:~/goldfish$ make goldfish_armv7_defconfig
  HOSTCC  scripts/basic/fixdep
  HOSTCC  scripts/kconfig/conf.o
  SHIPPED scripts/kconfig/zconf.tab.c
  SHIPPED scripts/kconfig/zconf.lex.c
  SHIPPED scripts/kconfig/zconf.hash.c
  HOSTCC  scripts/kconfig/zconf.tab.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#

增加内核编译选项,修改goldfish/.config配置文件

sakura@ubuntu:~/goldfish$ vim /home/sakura/goldfish/.config

添加以下两行

CONFIG_DEBUG_INFO=y #显示vmlinux符号
CONFIG_KGDB=y #开启kgdb

执行 make 命令进行编译

sakura@ubuntu:~/goldfish$ make

启动

编译成功后会显示

  OBJCOPY arch/arm/boot/Image
  Kernel: arch/arm/boot/Image is ready
  AS      arch/arm/boot/compressed/head.o
  GZIP    arch/arm/boot/compressed/piggy.gzip
  AS      arch/arm/boot/compressed/piggy.gzip.o
  CC      arch/arm/boot/compressed/misc.o
  CC      arch/arm/boot/compressed/decompress.o
  CC      arch/arm/boot/compressed/string.o
  SHIPPED arch/arm/boot/compressed/lib1funcs.S
  AS      arch/arm/boot/compressed/lib1funcs.o
  SHIPPED arch/arm/boot/compressed/ashldi3.S
  AS      arch/arm/boot/compressed/ashldi3.o
  LD      arch/arm/boot/compressed/vmlinux
  OBJCOPY arch/arm/boot/zImage
  Kernel: arch/arm/boot/zImage is ready

以指定的内核启动模拟器

 emulator -verbose -show-kernel -kernel ~/goldfish/arch/arm/boot/zImage

错误处理

输入emulator的时候报错

No command 'emulator' found, did you mean:
 Command 'qemulator' from package 'qemulator' (universe)
emulator: command not found

我至今不知道为什么经常emulator就没了。。但是只要输入lunch,然后再make一下,几分钟就好了……

参考链接

https://source.android.com/source/initializing#installing-required-packages-ubuntu-1204
https://source.android.com/source/requirements#older-versions
https://bbs.pediy.com/thread-218366.htm
https://bbs.pediy.com/thread-218513.htm

(完)