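First, the background to this article: today the Wuhan testers reported that the Dazen F2 (大神F2) could not be flashed with a recovery and could not boot into recovery, and asked me to help sort it out. doraning suggested I write an article about it, so here is my humble attempt. The Wuhan testers were flashing the recovery with the fastboot command in fastboot mode, which is definitely wrong. The Dazen F2 is a very unusual model, both in how its recovery is flashed and in how root access works. Below I describe these two peculiarities and then go through several ways to flash a recovery.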
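The recovery flashing problem
In the early days of porting to the Dazen F2 we had not yet adapted our own recovery, so I found a third-party one to use. Once, out of laziness, I flashed with Shuaji Jingling (刷机精灵). At the time the phone booted into Shuaji Jingling's recovery and the flash succeeded, but when I rebooted into recovery I found it was still the recovery I had been using before, and the ROM did not include a built-in recovery. I found this very strange at the time. Only later, after asking Shuaji Jingling's official staff, did I learn what method they use; I come back to it in the recovery flashing tutorial below.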
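The root access problem
I had long heard that Coolpad phones are hard to root: they use all sorts of methods to prevent root access. This is also why the Dazen F2 build being prepared for public beta hides the root authorization feature in the management center. Coolpad phones can only be rooted with the official root scheme, and after rooting, the first boot screen displays the word "root", as shown in the figure below.
Once the first screen shows "root", we can use other root schemes to obtain root access and use our own authorization manager.
As far as I know, Coolpad phones use three anti-root schemes:
- Tampering with boot.img: the kernel contains a dedicated script that deletes su and the authorization manager app.
- Tampering with libandroidruntime.so. Because this is a binary file, I do not know what was changed inside it.
- The Dazen F2 currently uses neither of the two schemes above. Instead there is a coolsec file in the sbin folder in the kernel, and I suspect this is where the trick lies.
Because my phone has already been rooted with the official root scheme, I cannot verify the third scheme. However, some forum users have also pointed out that this file is the root cause of the Dazen F2's anti-root behaviour.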
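Below are the various ways to flash a recovery. Broadly speaking, there are two approaches:
- The phone has root access, and the recovery is flashed from the command line.
- The phone has a cable-flash mode, and the recovery is flashed with a cable-flash tool or the fastboot command.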
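The universal flashing method
This method is fairly common and works on basically all phones, although not on the Meizu MX3 and MX2. It does depend on quite a few conditions. The prerequisites that have to be settled are listed below.
- The phone must first be rooted.
- You must know the node file that corresponds to the recovery partition.
- adb debugging must be enabled.
There are many ways to obtain root; you can browse the major forums for a root method for your specific device, so I won't say more about it.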
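The partition node for the recovery partition
There are two ways to find it. Most phones now have by-name entries that identify which node is the recovery partition. The following shows how to find the node file for the partition on the Dazen F2.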
```shell
16:29 ~ $ adb shell
shell@Coolpad8675-A:/ $ su
root@Coolpad8675-A:/ # cd dev/block/bootdevice/by-name
root@Coolpad8675-A:/dev/block/bootdevice/by-name # ls -l
lrwxrwxrwx root root 1970-01-26 00:30 DDR -> /dev/block/mmcblk0p21
lrwxrwxrwx root root 1970-01-26 00:30 aboot -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 1970-01-26 00:30 abootbak -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 1970-01-26 00:30 autobak -> /dev/block/mmcblk0p19
lrwxrwxrwx root root 1970-01-26 00:30 boot -> /dev/block/mmcblk0p20
lrwxrwxrwx root root 1970-01-26 00:30 cache -> /dev/block/mmcblk0p26
lrwxrwxrwx root root 1970-01-26 00:30 config -> /dev/block/mmcblk0p28
lrwxrwxrwx root root 1970-01-26 00:30 fsc -> /dev/block/mmcblk0p15
lrwxrwxrwx root root 1970-01-26 00:30 fsg -> /dev/block/mmcblk0p22
lrwxrwxrwx root root 1970-01-26 00:30 hyp -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 1970-01-26 00:30 hypbak -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 1970-01-26 00:30 keystore -> /dev/block/mmcblk0p27
lrwxrwxrwx root root 1970-01-26 00:30 misc -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 1970-01-26 00:30 modem -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 1970-01-26 00:30 modemst1 -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 1970-01-26 00:30 modemst2 -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 1970-01-26 00:30 oem -> /dev/block/mmcblk0p29
lrwxrwxrwx root root 1970-01-26 00:30 panic -> /dev/block/mmcblk0p18
lrwxrwxrwx root root 1970-01-26 00:30 params -> /dev/block/mmcblk0p17
lrwxrwxrwx root root 1970-01-26 00:30 persist -> /dev/block/mmcblk0p25
lrwxrwxrwx root root 1970-01-26 00:30 recovery -> /dev/block/mmcblk0p24
lrwxrwxrwx root root 1970-01-26 00:30 rpm -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 1970-01-26 00:30 rpmbak -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 1970-01-26 00:30 sbl1 -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 1970-01-26 00:30 sbl1bak -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 1970-01-26 00:30 sec -> /dev/block/mmcblk0p23
lrwxrwxrwx root root 1970-01-26 00:30 ssd -> /dev/block/mmcblk0p16
lrwxrwxrwx root root 1970-01-26 00:30 system -> /dev/block/mmcblk0p30
lrwxrwxrwx root root 1970-01-26 00:30 tz -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 1970-01-26 00:30 tzbak -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 1970-01-26 00:30 userdata -> /dev/block/mmcblk0p31
```
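From the listing above, the node file that corresponds to the recovery partition is
You can see that /dev/block/bootdevice/by-name/recovery is a link to /dev/block/mmcblk0p24, so accessing /dev/block/bootdevice/by-name/recovery is the same as accessing the /dev/block/mmcblk0p24 node file. The by-name layout has only existed for the last couple of years, and older models may not have it, so there is another way to find the node path.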
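Unpack the official recovery.img. I won't go into how to obtain that file. If the only goal is to find out what the node file is, you can of course also unpack a third-party recovery.img for the same model and read the relevant parameters from its recovery.fstab file.
The recovery.fstab for the Dazen F2 is given below; how to unpack recovery.img is not covered here.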
```
# Copyright (c) 2013, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above
#       copyright notice, this list of conditions and the following
#       disclaimer in the documentation and/or other materials provided
#       with the distribution.
#     * Neither the name of The Linux Foundation nor the names of its
#       contributors may be used to endorse or promote products derived
#       from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

#device                  mount point  fstype  [device2] [length=]
/dev/block/mmcblk0p30    /system      ext4    rw,barrier=1,discard                                            wait
/dev/block/mmcblk0p31    /data        ext4    noatime,nosuid,nodev,barrier=1,data=ordered,noauto_da_alloc     wait,check
/dev/block/mmcblk0p26    /cache       ext4    noatime,nosuid,nodev,barrier=1,data=ordered                     wait,check
/dev/block/mmcblk0p14    /misc        emmc    defaults                                                        defaults
/dev/block/mmcblk0p20    /boot        emmc    defaults                                                        defaults
/dev/block/mmcblk0p24    /recovery    emmc    defaults                                                        defaults

#extSDcard
/devices/soc.0/7864900.sdhci/mmc_host/mmc1    /storage/sdcard1    auto    defaults    voldmanaged=sdcard1:auto
```
This shows that recovery corresponds to /dev/block/mmcblk0p24.
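The two lookups described above (the by-name listing and recovery.fstab) can be cross-checked before anything is written to a block device. The following is an added example, not part of the original article; the function names are hypothetical, and the sample data is a shortened copy, constructed from the listing and the fstab shown above.

```shell
#!/bin/sh
# Added example: resolve a partition node from both sources on this page
# and accept it only when they agree. Sample data is constructed from the
# by-name listing and recovery.fstab shown above (shortened).

BYNAME_LISTING='lrwxrwxrwx root root 1970-01-26 00:30 misc -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 1970-01-26 00:30 boot -> /dev/block/mmcblk0p20
lrwxrwxrwx root root 1970-01-26 00:30 recovery -> /dev/block/mmcblk0p24
lrwxrwxrwx root root 1970-01-26 00:30 system -> /dev/block/mmcblk0p30'

FSTAB='#device mount point fstype [device2] [length=]
/dev/block/mmcblk0p30 /system ext4 rw,barrier=1,discard wait
/dev/block/mmcblk0p20 /boot emmc defaults defaults
/dev/block/mmcblk0p24 /recovery emmc defaults defaults'

# Print the target of the by-name symlink called $1 (`ls -l` output on stdin).
node_from_byname() {
    awk -v name="$1" '{
        for (i = 2; i < NF; i++)
            if ($i == "->" && $(i - 1) == name) { print $(i + 1); exit }
    }'
}

# Print the device whose mount point is $1 (recovery.fstab on stdin).
node_from_fstab() {
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $1; exit }'
}

# Print the node for partition $1 only when both sources name the same
# /dev/block/ path; otherwise print nothing and return 1.
resolve_partition() {
    a=$(printf '%s\n' "$BYNAME_LISTING" | node_from_byname "$1")
    b=$(printf '%s\n' "$FSTAB" | node_from_fstab "/$1")
    case "$a" in /dev/block/*) ;; *) return 1 ;; esac
    [ "$a" = "$b" ] || return 1
    printf '%s\n' "$a"
}

resolve_partition recovery
```
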
The flashing steps are as follows.
```shell
16:43 ~/SVN/Coolpad8675-A-4.4.4/target_files/BOOTABLE_IMAGES $ adb push recovery.img /data/local/tmp
3702 KB/s (10878976 bytes in 2.869s)
16:43 ~/SVN/Coolpad8675-A-4.4.4/target_files/BOOTABLE_IMAGES $ adb shell
shell@Coolpad8675-A:/ $ su
root@Coolpad8675-A:/ # cd data/local/tmp
root@Coolpad8675-A:/ # dd if=recovery.img of=/dev/block/mmcblk0p24
21248+0 records in
21248+0 records out
10878976 bytes transferred in 2.798 secs (3888125 bytes/sec)
root@Coolpad8675-A:/data/local/tmp # reboot recovery
```
That concludes the universal recovery flashing method.
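Because dd writes to whatever node it is given, it helps to check that the image fits the target and to read it back after the write. This is an added example, not from the original article: the function names are hypothetical, and ordinary files constructed in a temporary directory stand in for recovery.img and /dev/block/mmcblk0p24.

```shell
#!/bin/sh
# Added example: flash an image with dd, then read it back and compare hashes.
# Ordinary files constructed in a temp directory stand in for the real nodes.

# Print the SHA-256 of the first $2 bytes of file $1.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | awk '{ print $1 }'
}

# Write image $1 to node $2 and verify the result. Return codes:
#   0 = written and verified, 1 = write or read-back check failed,
#   2 = image is larger than the node (nothing is written).
flash_and_verify() {
    img=$1
    node=$2
    img_size=$(($(wc -c < "$img")))
    node_size=$(($(wc -c < "$node")))
    [ "$img_size" -le "$node_size" ] || return 2
    dd if="$img" of="$node" conv=notrunc 2>/dev/null || return 1
    [ "$(hash_prefix "$img" "$img_size")" = "$(hash_prefix "$node" "$img_size")" ]
}

# Run both cases on constructed files and print the two return codes.
demo() {
    tmp=$(mktemp -d) || return 1
    head -c 4096 /dev/urandom > "$tmp/recovery.img"   # constructed image
    head -c 8192 /dev/zero > "$tmp/partition"         # stand-in for mmcblk0p24
    head -c 1024 /dev/zero > "$tmp/too_small"         # node smaller than image
    ok=0
    flash_and_verify "$tmp/recovery.img" "$tmp/partition" || ok=$?
    small=0
    flash_and_verify "$tmp/recovery.img" "$tmp/too_small" || small=$?
    rm -rf "$tmp"
    echo "$ok $small"
}

demo
```
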
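Flashing with the fastboot command or a cable-flash tool
Among cable-flash tools, Samsung's are basically all the same and have dedicated tutorials, so I won't explain them here. As for fastboot, whether it can be used depends on the situation.
Take flashing the N5 as an example first: unlocking the bootloader on the N5 is very simple, so it can be flashed with just a few commands.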
```shell
adb reboot bootloader
fastboot oem unlock
fastboot flash recovery recovery.img
```
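This only applies to models like the N5, whose bootloader is easy to unlock. HTC models require applying for an unlock code before recovery.img can be flashed. Shuaji Jingling can be used to unlock them, which is more convenient.
There is actually also a way to flash a recovery temporarily, which is what happened in the case I mentioned above, when I flashed the Dazen F2 with Shuaji Jingling: the flashing process used Shuaji Jingling's recovery, but after rebooting into recovery it was my original one. I only got a clue after asking Shuaji Jingling's official staff. The Dazen F2 does in fact have a fastboot mode, but it cannot be communicated with using the fastboot command; the official cable-flash tool is required. As for how Shuaji Jingling flashes the temporary recovery, I do not know.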
Temporary flashing method
First, look at the commands and options that fastboot supports.
```shell
17:17 ~ $ fastboot
usage: fastboot [ <option> ] <command>

commands:
  update <filename>                        reflash device from update.zip
  flashall                                 flash boot + recovery + system
  flash <partition> [ <filename> ]         write a file to a flash partition
  erase <partition>                        erase a flash partition
  format <partition>                       format a flash partition
  getvar <variable>                        display a bootloader variable
  boot <kernel> [ <ramdisk> ]              download and boot kernel
  flash:raw boot <kernel> [ <ramdisk> ]    create bootimage and flash it
  devices                                  list all connected devices
  continue                                 continue with autoboot
  reboot                                   reboot device normally
  reboot-bootloader                        reboot device into bootloader
  help                                     show this help message

options:
  -w                                       erase userdata and cache (and format
                                           if supported by partition type)
  -u                                       do not first erase partition before
                                           formatting
  -s <specific device>                     specify device serial number
                                           or path to device port
  -l                                       with "devices", lists device paths
  -p <product>                             specify product name
  -c <cmdline>                             override kernel commandline
  -i <vendor id>                           specify a custom USB vendor id
  -b <base_addr>                           specify a custom kernel base address.
                                           default: 0x10000000
  -n <page size>                           specify the nand page size.
                                           default: 2048
  -S <size>[K|M|G]                         automatically sparse files greater
                                           than size. 0 to disable
```
Among these, the entry "boot <kernel> [ <ramdisk> ]  download and boot kernel" stands out. From its description, it transfers a local kernel to the device and then runs the boot process. Out of curiosity I tried it on my ZTE Axon (中兴天机), and it does indeed boot into recovery this way, and flashing from it works too, using the following commands.
```shell
adb reboot bootloader
fastboot boot recovery.img
```
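Other flashing methods
There is also the flash_image command, which is used when the phone has root access. It only works on Qualcomm platforms, and I do not know how its source code implements the flashing. The file can be extracted from a CM ROM, and the commands for the flashing process are as follows.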
```shell
adb push flash_image /data/local/tmp
adb push recovery.img /data/local/tmp
adb shell
cd /data/local/tmp
su
chmod 755 flash_image
./flash_image recovery recovery.img
```