OPPO 1107 Flashing Notes

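Brief procedure for manually converting any app into a system app

Guiding principle: keep every file setting (permissions, owner, SELinux context) and the directory structure consistent with the files the system already has in the same directory.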

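  1. Move the app's files from /data/app/ to /system/app.

    On Android 5.0 and later, the app directory may contain subdirectories such as AppName/AppName.apk; all of them must be moved as well.

  2. Set the app's file permissions to 0644.
  3. Set the owner to 0:0 (root:root).
  4. Set the SELinux context to u:object_r:system_file:s0 (only needed on systems where the SELinux subsystem is enabled).
  5. Reboot.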

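Steps for converting any app into a system app on OPPO's ColorOS:

OPPO's ColorOS customizes the lower layers of the system so that non-OPPO apps placed in the system directories are not recognized.

The package name of the app being converted therefore has to be added to OPPO's app allowlist, so that the app is recognized at boot after it has been moved.

  1. Use the generation algorithm for the encrypted file **pl.fs** to add the app's package name, producing a new pl.fs.

  2. Replace the old /system/etc/security/pl.fs with the new pl.fs.
  3. Use Titanium Backup / Lucky Patcher to manually convert the app to a system app.

Generation algorithm for the encrypted file pl.fs, which contains the package names of all OPPO apps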

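try
{
        // Generate the encrypted file
        mOppoApkList.add("cn.asiontang.launcher");
        StringBuilder stringBuilder = new StringBuilder();
        for (String p : mOppoApkList)
            stringBuilder.append(p).append("\n");
        final byte[] bytes = stringBuilder.toString().getBytes("UTF-8");
        // Key byte: the first byte of "a", the same value ReadEncryptFile uses
        final byte[] a = "a".getBytes("UTF-8");
        for (int i = 0; i < bytes.length; i++)
        {
            bytes[i] = (byte) (~bytes[i]);
            bytes[i] = (byte) (bytes[i] ^ a[0]);
        }
        final FileOutputStream out = new FileOutputStream(new File(Environment.getExternalStorageDirectory(), "pl.fs"));
        try
        {
            out.write(bytes);
        }
        finally
        {
            // Close the stream so the file is flushed to storage
            out.close();
        }
}
catch (Exception e)
{
    e.printStackTrace();
}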

ReadEncryptFile: the key decryption function that populates mOppoApkList (translated to Java code)

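try
{
    // Read a copy of pl.fs bundled in the app's assets
    final InputStream open = getResources().getAssets().open("pl.fs");
    try
    {
        byte[] pl = new byte[open.available()];
        final byte[] a = "a".getBytes("UTF-8");
        final int read = open.read(pl);
        // Reverse the transform: XOR with the first byte of "a", then bitwise NOT
        for (int i = 0; i < read; i++)
        {
            pl[i] = (byte) (pl[i] ^ a[0]);
            pl[i] = (byte) (~pl[i]);
        }
        // Decode as UTF-8, the encoding used when the file is generated
        final String s = new String(pl, 0, read, "UTF-8");
        final String[] split = s.split("\n");
        mOppoApkList.addAll(Arrays.asList(split));
    }
    finally
    {
        open.close();
    }
}
catch (Exception e)
{
    e.printStackTrace();
}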
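
Both routines above apply a bitwise NOT and an XOR with the byte "a" (0x61) to each byte, which is the same as a single XOR with 0x9E; the reading routine shown performs no integrity check on the file. As an added example (not from the original post and not ColorOS code), the Java class below decodes two pl.fs images and reports package names that are present in the current file but absent from a known-good baseline. The class name, method names, and the com.example.* package names are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

// Added example: audits a pl.fs allowlist against a known-good baseline.
public class PlFsAudit {
    // NOT followed by XOR with 'a' (0x61) equals XOR with the constant 0x9E,
    // so one function both encodes and decodes.
    static byte[] transform(byte[] in) {
        byte[] out = new byte[in.length];
        for (int i = 0; i < in.length; i++) {
            out[i] = (byte) (in[i] ^ 0x9E);
        }
        return out;
    }

    // Decode a pl.fs image into package names, skipping blank lines.
    static List<String> decode(byte[] plFs) {
        String text = new String(transform(plFs), StandardCharsets.UTF_8);
        List<String> names = new ArrayList<>();
        for (String line : text.split("\n")) {
            if (!line.trim().isEmpty()) names.add(line.trim());
        }
        return names;
    }

    // Entries present in the current file but absent from the baseline.
    static Set<String> added(byte[] baseline, byte[] current) {
        Set<String> extra = new TreeSet<>(decode(current));
        extra.removeAll(decode(baseline));
        return extra;
    }

    public static void main(String[] args) {
        // Constructed sample data; the com.example.* names are placeholders.
        String stock = "com.example.vendor.dialer\ncom.example.vendor.camera\n";
        String modified = stock + "cn.asiontang.launcher\n";
        byte[] baseline = transform(stock.getBytes(StandardCharsets.UTF_8));
        byte[] current = transform(modified.getBytes(StandardCharsets.UTF_8));

        // Check the 0x9E equivalence against the page's two-step form.
        byte sample = (byte) 'c';
        byte twoStep = (byte) (((byte) ~sample) ^ (byte) 'a');
        System.out.println("equivalent: " + (twoStep == transform(new byte[]{sample})[0]));
        System.out.println("baseline entries: " + decode(baseline).size());
        System.out.println("added since baseline: " + added(baseline, current));
    }
}
```

For a real audit, the baseline bytes would come from the pl.fs inside the stock ROM package and the current bytes from /system/etc/security/pl.fs on the device.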

ReadEncryptFile: the key decryption function that populates mOppoApkList (decompiled to .smali code)

.method public static ReadEncryptFile()I
          .registers 15
00000000  const/4             v12, 0
00000002  const/4             v11, -1
00000004  const/4             v3, 0
:6
00000006  const-string        v13, "ColorPackageManager"
0000000A  const-string        v14, "ReadEncryptFile!!!"
0000000E  invoke-static       Slog->d(String, String)I, v13, v14
00000014  new-instance        v9, File
00000018  const-string        v13, "/system/etc/security/pl.fs"
0000001C  invoke-direct       File-><init>(String)V, v9, v13
00000022  invoke-virtual-quick vtaboff@19, v9
:28
00000028  move-result         v13
0000002A  if-nez              v13, :3A
:2E
0000002E  if-eqz              v3, :38
:32
00000032  invoke-virtual-quick vtaboff@12, v3
:38
00000038  return              v11
:3A
0000003A  invoke-virtual-quick vtaboff@36, v9
00000040  move-result-wide    v13
00000042  long-to-int         v7, v13
00000044  new-array           v1, v7, [B
00000048  const-string        v13, "a"
0000004C  const-string        v14, "UTF-8"
00000050  invoke-virtual-quick vtaboff@27, v13, v14
00000056  move-result-object  v0
00000058  new-instance        v4, FileInputStream
0000005C  invoke-direct       FileInputStream-><init>(File)V, v4, v9
:62
00000062  invoke-virtual-quick vtaboff@16, v4, v1
00000068  const/4             v5, 0
:6A
0000006A  if-ge               v5, v7, :94
:6E
0000006E  aget-byte           v13, v1, v5
00000072  const/4             v14, 0
00000074  aget-byte           v14, v0, v14
00000078  xor-int/2addr       v13, v14
0000007A  int-to-byte         v13, v13
0000007C  aput-byte           v13, v1, v5
00000080  aget-byte           v13, v1, v5
00000084  xor-int/lit8        v13, v13, -0x01
00000088  int-to-byte         v13, v13
0000008A  aput-byte           v13, v1, v5
0000008E  add-int/lit8        v5, v5, 0x01
00000092  goto                :6A
:94
00000094  new-instance        v10, String
00000098  const/4             v13, 0
0000009A  invoke-direct       String-><init>([B, I, I)V, v10, v1, v13, v7
000000A0  const-string        v13, "\n"
000000A4  invoke-virtual-quick vtaboff@49, v10, v13
000000AA  move-result-object  v8
000000AC  const/4             v6, 0
:AE
000000AE  array-length        v13, v8
000000B0  if-ge               v6, v13, :10C
:B4
000000B4  sget-object         v13, ColorPackageManagerHelper->mOppoApkList:ArrayList
000000B8  aget-object         v14, v8, v6
000000BC  invoke-virtual-quick vtaboff@11, v13, v14
:C2
000000C2  add-int/lit8        v6, v6, 0x01
000000C6  goto                :AE
:C8
000000C8  move-exception      v2
:CA
000000CA  invoke-virtual-quick vtaboff@19, v2
:D0
000000D0  if-eqz              v3, :38
:D4
000000D4  invoke-virtual-quick vtaboff@12, v3
:DA
000000DA  goto                :38
:DC
000000DC  move-exception      v2
:DE
000000DE  invoke-virtual-quick vtaboff@19, v2
000000E4  goto                :38
:E6
000000E6  move-exception      v2
:E8
000000E8  invoke-virtual-quick vtaboff@19, v2
:EE
000000EE  if-eqz              v3, :38
:F2
000000F2  invoke-virtual-quick vtaboff@12, v3
:F8
000000F8  goto                :38
:FA
000000FA  move-exception      v2
000000FC  goto                :DE
:FE
000000FE  move-exception      v11
:100
00000100  if-eqz              v3, :10A
:104
00000104  invoke-virtual-quick vtaboff@12, v3
:10A
0000010A  throw               v11
:10C
0000010C  if-eqz              v4, :116
:110
00000110  invoke-virtual-quick vtaboff@12, v4
:116
00000116  move                v11, v12
00000118  goto                :38
:11A
0000011A  move-exception      v2
0000011C  invoke-virtual-quick vtaboff@19, v2
00000122  goto                :10A
:124
00000124  move-exception      v2
00000126  goto                :DE
:128
00000128  move-exception      v2
0000012A  invoke-virtual-quick vtaboff@19, v2
00000130  goto                :116
:132
00000132  move-exception      v11
00000134  move-object         v3, v4
00000136  goto                :100
:138
00000138  move-exception      v2
0000013A  move-object         v3, v4
0000013C  goto                :E8
:13E
0000013E  move-exception      v2
00000140  move-object         v3, v4
00000142  goto                :CA
          .catch FileNotFoundException {:6 .. :28} :C8
          .catch IOException {:6 .. :28} :E6
          .catchall {:6 .. :28} :FE
          .catch IOException {:32 .. :38} :124
          .catch FileNotFoundException {:3A .. :62} :C8
          .catch IOException {:3A .. :62} :E6
          .catchall {:3A .. :62} :FE
          .catch FileNotFoundException {:62 .. :C2} :13E
          .catch IOException {:62 .. :C2} :138
          .catchall {:62 .. :C2} :132
          .catchall {:CA .. :D0} :FE
          .catch IOException {:D4 .. :DA} :DC
          .catchall {:E8 .. :EE} :FE
          .catch IOException {:F2 .. :F8} :FA
          .catch IOException {:104 .. :10A} :11A
          .catch IOException {:110 .. :116} :128
.end method

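Why does moving an app into the system app directory have no effect, whether it is done with a tool or by hand? The same approach works on other phones.

After a great deal of effort I finally found the cause:

PackageManager: This is not oppo app, so skip it :/system/app/cn.xx.launcher-1.apk

Decompiling the ROM's services.odex leads through: PackageManagerService.java - ColorPackageManagerHelper.java - IsOppoApkList - ReadEncryptFile - the encrypted file "/system/etc/security/pl.fs"

Differences in the China Mobile customized OPPO 1107 build, and choosing a ROM package

The original system showed a China Mobile 4G LTE logo at boot. After flashing 1107_11_A.20_OTA_020_all_201512151836.zip (downloaded from the official OPPO forum), the logo is gone. Basic function tests were all normal.

The China Mobile customized ROM version 1107_11_B.03_XXXXXX is not as new as the publicly available retail ROM, so I did not test it.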

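How to change SELinux attributes

  1. Use ls -Z to view a file's permissions, owner, and SELinux context.

  2. Use chcon u:object_r:system_file:s0 XX.APK to change the SELinux context.

  3. Root Explorer can change the owner, permissions, and SELinux context.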

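How to uninstall KingRoot after rooting and switch to SuperSu

  1. Root the OPPO 1107 with Shuame (刷机精灵) or RootGenius.
  2. At this point the KingRoot app is installed on the system to manage root access.
  3. Install a third-party Recovery.

    For example, the 'Official TWRP App' can flash a third-party Recovery image.

  4. Boot into Recovery and flash the full ROM package 1107_11_A.20_OTA_020_all_201512151836.zip from storage.
  5. On reboot, a prompt asks whether to prevent restoring the official Recovery; choose "No".

    If you choose "Yes", the third-party Recovery is kept, but the next prompt, "Root?", never appears.

  6. A "Root?" prompt then appears; choose "Yes".
  7. After rebooting, install the SuperSu app.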

Apps that support ODEX-ing an APK:

  1. Lucky Patcher

    Tap the target app - Toolbox - Odex this app

  2. Titanium Backup

    Tap the target app - Convert to system app

  3. Link2SD ??

    Tap the target app - ??

posted @ 2017-08-17 11:42  Asion Tang