Environment Configuration
Download Kernel Source Code
Normally, you should be able to find the kernel for Pixel 4 at https://source.android.com/setup/building-kernels.
Pixel 4 (flame) device/google/coral-kernel android-msm-coral-4.14-android13
However, there is a pitfall for newcomers here: the official site only lists the kernel branch for Android 13. Where is the Android 10 kernel we want to compile? (I fell into a big pit here; I initially thought this git package contained all branches for 4-13, and the most ridiculous thing was that I could still check out the android 10 branch normally.) Visit https://android.googlesource.com/kernel/manifest/+refs and search for android-msm-coral-4.14-android to get the following list. Four of the branches match Android 10; the differences between them are not very clear. If someone knows, please inform me; thank you in advance. Here, I have tested that android10-qpr3 is usable.
android-msm-coral-4.14-android10
android-msm-coral-4.14-android10-c2f2
android-msm-coral-4.14-android10-qpr1
android-msm-coral-4.14-android10-qpr3
android-msm-coral-4.14-android11
android-msm-coral-4.14-android11-qpr2
android-msm-coral-4.14-android11-qpr3
android-msm-coral-4.14-android12
android-msm-coral-4.14-android12-qpr1
android-msm-coral-4.14-android12-v2-beta-2
android-msm-coral-4.14-android12L
android-msm-coral-4.14-android13
When you can access the internet freely, you can use the following command to get the kernel source code:
repo init -u https://android.googlesource.com/kernel/manifest -b android-msm-coral-4.14-android10-qpr3
To speed up downloads, use a domestic mirror (USTC here). The variable has to be exported so that the repo process can see it.
echo "export REPO_URL='https://gerrit-googlesource.proxy.ustclug.org/git-repo'" >> ~/.bashrc
source ~/.bashrc
Sometimes, even with the above configuration, it may still fail. Here, I choose to modify the repo file directly for a one-time solution. Around line 130, replace https://gerrit.googlesource.com/git-repo with https://gerrit-googlesource.proxy.ustclug.org/git-repo
gedit ~/bin/repo
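Disable SSL verification, or it will fail. With --global, the setting applies to every HTTPS remote that git contacts from this account, not only the mirror: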
git config --global http.sslverify false
git config --global https.sslverify false
Initialize the manifest to pull, again using a domestic mirror.
mkdir ~/bin/android-kernel && cd ~/bin/android-kernel
repo init -u git://mirrors.ustc.edu.cn/aosp/kernel/manifest -b android-msm-coral-4.14-android10-qpr3
--------------------------------------------------------------------
Note: The prompt below indicates that the update was successful, not an error.
Downloading Repo source from https://gerrit-googlesource.proxy.ustclug.org/git-repo
repo: Updating release signing keys to keyset ver 2.3
Your identity is: lxz <[email protected]>
If you want to change this, please re-run 'repo init' with --config-name
repo has been initialized in /home/lxz/bin
Pull the kernel source code:
repo sync
Check Phone Kernel Version
To pick the kernel revision that matches our physical device among the many available, run the following command on the device. The short commit ID is the string that follows 4.14.111-g (here b3ac0fc2b0f7).
flame:/ # cat proc/version
-----------------------------------------------
Linux version 4.14.111-gb3ac0fc2b0f7-ab5912761 (android-build@abfarm-us-east1-c-0082) (Android (5484270 based on r353983c) clang version 9.0.3 (https://android.googlesource.com/toolchain/clang 745b335211bb9eadfa6aa6301f84715cee4b37c5) (https://android.googlesource.com/toolchain/llvm 60cf23e54e46c807513f7a36d0a7b777920b5881) (based on LLVM 9.0.3svn)) #1 SMP PREEMPT Tue Oct 1 23:35:30 UTC 2019
Compile Kernel Source Code
If the Android source code has never been built in this environment, install the following dependencies first; if it has, you can skip this step.
sudo apt-get install git-core gnupg flex bison build-essential zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev-i386 libncurses5 lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z1-dev libgl1-mesa-dev libxml2-utils xsltproc unzip fontconfig libncurses5
After installing the above dependencies, regardless of whether you have compiled the android source code, you still need to install libssl-dev.
sudo apt-get install libssl-dev
Check out the kernel commit that matches the kernel currently running on our phone.
cd ~/bin/android-kernel/private/msm-google
git checkout b3ac0fc2b0f7
Execute the compilation script. The compiled image Image.lz4 is stored in the ~/bin/android-kernel/out/android-msm-floral-4.14/dist directory.
~/bin/android-kernel/build/build.sh
Compilation error encountered:
./security/selinux/include/classmap.h:245:2: error: #error New address family defined, please update secclass_map.
#error New address family defined, please update secclass_map.
-git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c:
Solution reference: Compilation error error New address family defined, please update secclass_map. (https://blog.csdn.net/zhangpengfei991023/article/details/109672491)
◆ Find the genheaders.c file and mdp.c file indicated in the error, and remove the #include <sys/socket.h> from the header references of both files.
gedit ~/bin/android-kernel/private/msm-google/scripts/selinux/genheaders/genheaders.c
gedit ~/bin/android-kernel/private/msm-google/scripts/selinux/mdp/mdp.c
◆ Find the classmap.h file indicated in the error message, and add #include <linux/socket.h> at the third line.
gedit ~/bin/android-kernel/private/msm-google/security/selinux/include/classmap.h
Fix Touch Screen
If you simply replace the Image.lz4 in AOSP with the compiled Image.lz4, you will get a Pixel 4 with a non-functional touch screen, so some extra processing is needed. The method mainly follows eBPF on Android – Compiling Kernel and Patching (Solving Touch and WIFI Failure Issues) (https://bbs.kanxue.com/thread-274790.htm#msg_header_h3_2), which analyses the principle behind the fix in detail. Thanks to seeeseee for sharing. That post also enables eBPF, which we do not need for now, so the steps here are simplified. My philosophy is to operate step by step, so that any problem is discovered immediately; if you change too many things at once, it is difficult to locate the issue when something goes wrong. Therefore, I suggest you first get the phone booting with the non-functional touch screen and then solve the touch screen failure.
Unpack boot.img
Use Android-Image-Kitchen (http://gofile.me/6J4EF/rFpSP9VvC) to unpack the boot.img currently used by the phone (just drag boot.img onto unpackimg.bat). This prints the following information (copy it for later use) and produces split_img\boot.img-ramdisk.cpio.gz. Manually decompress split_img\boot.img-ramdisk.cpio.gz and copy the resulting boot.img-ramdisk.cpio file to the ~/bin/android-kernel directory.
ANDROID! magic found at: 0
BOARD_KERNEL_CMDLINE console=ttyMSM0,115200n8 androidboot.console=ttyMSM0 printk.devkmsg=on msm_rtb.filter=0x237 ehci-hcd.park=3 service_locator.enable=1 androidboot.memcg=1 cgroup.memory=nokmem usbcore.autosuspend=7 androidboot.usbcontroller=a600000.dwc3 swiotlb=2048 androidboot.boot_devices=soc/1d84000.ufshc buildvariant=userdebug
BOARD_KERNEL_BASE 0x00000000
BOARD_NAME
BOARD_PAGE_SIZE 4096
BOARD_HASH_TYPE sha1
BOARD_KERNEL_OFFSET 0x00008000
BOARD_RAMDISK_OFFSET 0x01000000
BOARD_SECOND_OFFSET 0x00f00000
BOARD_TAGS_OFFSET 0x00000100
BOARD_OS_VERSION 10.0.0
BOARD_OS_PATCH_LEVEL 2019-10
BOARD_HEADER_VERSION 2
BOARD_HEADER_SIZE 1660
BOARD_DTB_SIZE 1002744
BOARD_DTB_OFFSET 0x01f00000
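The values listed above sit in the first 1660 bytes of boot.img, so they can also be read directly on the Linux build host. The following is an added example, not code from the original post or from Android-Image-Kitchen; it assumes the boot image header v2 field order and a kernel offset of 0x8000 when deriving the base address, and its sample header is constructed (made-up sizes, shortened command line).

```python
import struct

# Boot image header v2, little-endian, no padding: 1660 bytes (BOARD_HEADER_SIZE).
HDR_V2 = struct.Struct("<8s10I16s512s32s1024sIQIIQ")
KERNEL_OFFSET = 0x8000  # assumption: default kernel offset (BOARD_KERNEL_OFFSET)

def cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_boot_header(blob):
    """Return the values build.sh needs, read from the start of a boot.img."""
    if len(blob) < HDR_V2.size:
        raise ValueError("truncated header: %d bytes" % len(blob))
    (magic, k_size, k_addr, r_size, r_addr, s_size, s_addr, tags_addr, page_size,
     version, os_ver, name, cmdline, _id, extra, _rd_size, _rd_off, hdr_size,
     dtb_size, dtb_addr) = HDR_V2.unpack_from(blob)
    if magic != b"ANDROID!":
        raise ValueError("bad magic %r" % magic)
    if version != 2 or hdr_size != HDR_V2.size:
        raise ValueError("not a v2 header (version=%d, size=%d)" % (version, hdr_size))
    base = k_addr - KERNEL_OFFSET
    ver, patch = os_ver >> 11, os_ver & 0x7FF  # 21 bits A.B.C, 11 bits year/month
    return {
        "KERNEL_CMDLINE": cstr(cmdline) + cstr(extra),
        "BASE_ADDRESS": "0x%08x" % base,
        "PAGE_SIZE": page_size,
        "BOOT_IMAGE_HEADER_VERSION": version,
        "ramdisk_offset": r_addr - base,
        "dtb_offset": dtb_addr - base,
        "dtb_size": dtb_size,
        "os_version": "%d.%d.%d" % (ver >> 14, (ver >> 7) & 0x7F, ver & 0x7F),
        "os_patch_level": "%d-%02d" % (2000 + (patch >> 4), patch & 0xF),
    }

def sample_header():
    """Constructed header carrying the values printed above (sizes are made up)."""
    os_ver = ((10 << 14) << 11) | ((2019 - 2000) << 4) | 10
    cmdline = b"console=ttyMSM0,115200n8 buildvariant=userdebug"  # shortened
    return HDR_V2.pack(b"ANDROID!", 1, 0x8000, 1, 0x01000000, 0, 0x00F00000, 0x100,
                       4096, 2, os_ver, b"", cmdline, b"", b"", 0, 0, HDR_V2.size,
                       1002744, 0x01F00000)

if __name__ == "__main__":
    for key, value in parse_boot_header(sample_header()).items():
        print(key, value)
```

To read a real image, pass the first 1660 bytes of boot.img to parse_boot_header instead of the constructed sample.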
Configure mkbootimg Script
Copy mkbootimg.py (http://gofile.me/6J4EF/8REF95rwg) to the /home/lxz/bin/android-kernel directory.
Modify Script File
Open the script file build.sh.
gedit ~/bin/android-kernel/build/build.sh
Add the code between the two # //add markers around line 396; it copies boot.img-ramdisk.cpio to the output (dist) directory so that it is included in the subsequent packaging.
# Copy the abi_${arch}.xml file from the sources into the dist dir
if [ -n "${ABI_DEFINITION}" ]; then
  echo "========================================================"
  echo " Copying abi definition to ${DIST_DIR}/abi.xml"
  pushd $ROOT_DIR/$KERNEL_DIR
    cp "${ABI_DEFINITION}" ${DIST_DIR}/abi.xml
  popd
fi
# //add
# Copy the ramdisk named by VENDOR_RAMDISK_BINARY into the dist dir, if it exists
if [ -f "${VENDOR_RAMDISK_BINARY}" ]; then
  cp "${VENDOR_RAMDISK_BINARY}" "${DIST_DIR}"
fi
# //add
echo "========================================================"
echo " Files copied to ${DIST_DIR}"
Compile Kernel
The values for KERNEL_CMDLINE, BASE_ADDRESS and PAGE_SIZE come from the unpacking information above. During the build, it will pause for a while at LTO vmlinux.o and print warnings; just wait a bit, and the compiled image Image.lz4 will be stored in the ~/bin/android-kernel/out/android-msm-floral-4.14/dist directory.
cd ~/bin/android-kernel
BUILD_CONFIG=private/msm-google/build.config BUILD_BOOT_IMG=1 MKBOOTIMG_PATH=mkbootimg.py VENDOR_RAMDISK_BINARY=boot.img-ramdisk.cpio KERNEL_BINARY=Image.lz4 BOOT_IMAGE_HEADER_VERSION=2 KERNEL_CMDLINE="console=ttyMSM0,115200n8 androidboot.console=ttyMSM0 printk.devkmsg=on msm_rtb.filter=0x237 ehci-hcd.park=3 service_locator.enable=1 androidboot.memcg=1 cgroup.memory=nokmem usbcore.autosuspend=7 androidboot.usbcontroller=a600000.dwc3 swiotlb=2048 androidboot.boot_devices=soc/1d84000.ufshc buildvariant=userdebug" BASE_ADDRESS=0x00000000 PAGE_SIZE=4096 build/build.sh
Repackage boot.img
Rename Image.lz4 to boot.img-kernel and copy it to the Android Image Kitchen\split_img directory, replacing the original boot.img-kernel. Then execute repackimg.bat to get image-new.img, flash it to the phone with the following commands, and wait for the phone to restart.
adb reboot bootloader
fastboot flash boot image-new.img
fastboot reboot
Add Log
Since we have successfully compiled the kernel, we can now add some kernel logs of our own, for example by modifying the function do_sys_open.
gedit ~/bin/android-kernel/private/msm-google/fs/open.c
long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode)
{
	struct open_flags op;
	int fd = build_open_flags(flags, mode, &op);
	struct filename *tmp;
	// add
	const struct cred *cred = current_cred();
	kuid_t uid = cred->uid;
	int pid = current->pid;
	int myuid = uid.val;

	/* Only log opens from UIDs above 10000, which on Android belong to installed apps. */
	if (myuid > 10000) {
		char bufname[256] = {0};

		/* Copy at most 255 bytes so bufname stays NUL-terminated; skip the log if the user pointer faults. */
		if (strncpy_from_user(bufname, filename, 255) >= 0)
			printk("lxzLog do_sys_open pathname:%s uid:%d pid:%d\n", bufname, myuid, pid);
	}
	// add
	if (fd)
		return fd;

	tmp = getname(filename);
	if (IS_ERR(tmp))
		return PTR_ERR(tmp);

	fd = get_unused_fd_flags(flags);
	if (fd >= 0) {
		struct file *f = do_filp_open(dfd, tmp, &op);
		if (IS_ERR(f)) {
			put_unused_fd(fd);
			fd = PTR_ERR(f);
		} else {
			fsnotify_open(f);
			fd_install(fd, f);
		}
	}
	putname(tmp);
	return fd;
}
Recompile the kernel and flash it to the phone. In cmd (PowerShell does not support &), use the following command to view your own kernel logs.
adb root & adb shell dmesg | findstr lxzLog
--------------------------------------------------------------------
[5.973256] lxzLog do_sys_open pathname:/proc/1662/timerslack_ns uid:10094 pid:1662
[5.973305] lxzLog do_sys_open pathname:/proc/thread-self/attr/current uid:10094 pid:1662
[5.973454] lxzLog do_sys_open pathname:/sys/fs/selinux/context uid:10094 pid:1662
[5.974109] lxzLog do_sys_open pathname:/proc/thread-self/attr/current uid:10094 pid:1662
[5.975541] lxzLog do_sys_open pathname:/sys/devices/system/cpu/online uid:10094 pid:1662
[5.978139] lxzLog do_sys_open pathname:/proc/self/cmdline uid:10094 pid:1662
[5.979101] lxzLog do_sys_open pathname:/dev/binder uid:10094 pid:1662
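Once the log grows, findstr output is hard to read. The following added example (not part of the original post) parses lines in the lxzLog format shown above, groups the opened paths per (uid, pid), and lists opens of a /proc entry that belongs to a different pid. The sample lines are constructed: four are taken from the output above and two (uid 10101) are made up.

```python
import re
from collections import defaultdict

# Format of the printk added to do_sys_open above. The path may contain spaces,
# so it is matched greedily and the uid/pid fields are anchored to the line end.
LINE_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+lxzLog do_sys_open "
                     r"pathname:(.*) uid:(\d+) pid:(\d+)\s*$")
PROC_PID_RE = re.compile(r"^/proc/(\d+)(/|$)")

def parse_line(line):
    """Return (timestamp, path, uid, pid), or None for unrelated dmesg lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts, path, uid, pid = m.groups()
    return float(ts), path, int(uid), int(pid)

def summarise(lines):
    """Group opens by (uid, pid); collect opens of another pid's /proc entry."""
    opened = defaultdict(list)
    foreign = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, path, uid, pid = rec
        m = PROC_PID_RE.match(path)
        if m and int(m.group(1)) == pid:
            path = "/proc/self" + path[m.end(1):]  # own entry: normalise
        elif m:
            foreign.append((ts, uid, pid, path))   # /proc entry of another pid
        if path not in opened[(uid, pid)]:
            opened[(uid, pid)].append(path)
    return dict(opened), foreign

# Constructed sample input (see the lead-in).
SAMPLE = """\
[5.973256] lxzLog do_sys_open pathname:/proc/1662/timerslack_ns uid:10094 pid:1662
[5.973305] lxzLog do_sys_open pathname:/proc/thread-self/attr/current uid:10094 pid:1662
[5.974109] lxzLog do_sys_open pathname:/proc/thread-self/attr/current uid:10094 pid:1662
[5.979101] lxzLog do_sys_open pathname:/dev/binder uid:10094 pid:1662
[6.100000] lxzLog do_sys_open pathname:/sdcard/My Files/a uid:1 pid:2.txt uid:10101 pid:1700
[6.200000] lxzLog do_sys_open pathname:/proc/1/maps uid:10101 pid:1700
""".splitlines()

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

In the kernel, current->pid is the thread ID, so a worker thread that opens its own process's /proc/<pid>/ entry also lands in the second list; treat that list as a starting point for review rather than a verdict.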
Kanxue ID: Simple Simple
https://bbs.kanxue.com/user-home-950902.htm