kk Blog —— 通用基础


date [-d @int|str] [+%s|"+%F %T"]
netstat -ltunp
sar -n DEV 1

G9300 kernel

重新加载分区

mount -o rw,remount /system

编译

https://opensource.samsung.com/uploadSearch?searchValue=G9300

https://opensource.samsung.com/uploadSearch?searchValue=G9350

较新的ROM没刷成功(8.0.0 BL锁了???),选择 7.0 ROM G9300ZCU2BRD1。

G9300公开的内核最接近的是G9300ZCU2BQI3,但G9350公开的G9350ZCU2BQK3内核更接近G9300ZCU2BRD1,但需要复制G9300的 arch/arm64/boot/dts/samsung/ 到 G9350的arch/arm64/boot/dts/samsung/

参照 build_kernel.sh 编译

编译器用 android-ndk-r20b-linux-x86_64.zip 中的 aarch64-linux-android-4.9。也可以用这个 tools/prebuilts/gcc-cfp-jopp-only/aarch64-linux-android-4.9/ ???

https://github.com/abcdxyzk/aarch64-linux-android-4.9 从 android-ndk-r20b-linux-x86_64.zip 提取的 aarch64-linux-android-4.9

修复wifi目录,它的写法是需要获取android版本,我们默认就是 7

diff --git a/drivers/net/wireless/bcmdhd4359/Makefile b/drivers/net/wireless/bcmdhd4359/Makefile
index 9acd0726..433bb7b1 100755
--- a/drivers/net/wireless/bcmdhd4359/Makefile
+++ b/drivers/net/wireless/bcmdhd4359/Makefile
@@ -271,16 +271,18 @@ FOUND_VERSION_PATH := $(foreach dir,$(CANDIDATE_VERSION_PATH), $(wildcard $(dir)
 FOUND_VERSION_PATH := $(word 1, $(FOUND_VERSION_PATH))
 ifeq ($(FOUND_VERSION_PATH),)
 $(warning Not found Android version file. Set as Legacy mode)
-DHDCFLAGS += -DDHD_LEGACY_FILE_PATH
-DHDCFLAGS += -DDHD_DISABLE_ANDROID_FEATURE_SET
+#DHDCFLAGS += -DDHD_LEGACY_FILE_PATH
+#DHDCFLAGS += -DDHD_DISABLE_ANDROID_FEATURE_SET
+DHDCFLAGS += -DDHD_SET_COUNTRY_SUPPORT
 else
 # Extract version string and get major number
 ANDROID_PLATFORM_VERSION := $(shell grep "PLATFORM_VERSION := " $(FOUND_VERSION_PATH) | cut -d "=" -f 2 | cut -d "." -f 1 | sed 's/ //g')
 $(warning Android Platform Version : $(ANDROID_PLATFORM_VERSION))
 # If Android version lower than 7(Nougat) => Use Legacy File path
 ifeq ($(shell expr $(ANDROID_PLATFORM_VERSION) \< 7),1)
-DHDCFLAGS += -DDHD_LEGACY_FILE_PATH
-DHDCFLAGS += -DDHD_DISABLE_ANDROID_FEATURE_SET
+#DHDCFLAGS += -DDHD_LEGACY_FILE_PATH
+#DHDCFLAGS += -DDHD_DISABLE_ANDROID_FEATURE_SET
+DHDCFLAGS += -DDHD_SET_COUNTRY_SUPPORT
 $(warning Will be use Legacy file path)
 else
 DHDCFLAGS += -DDHD_SET_COUNTRY_SUPPORT
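Review bot: With the legacy flags commented out, the two `$(warning ...)` messages in the patched branches ("Set as Legacy mode" and "Will be use Legacy file path") describe a build that no longer happens, because all three branches now add only `-DDHD_SET_COUNTRY_SUPPORT`. Delete the four `#DHDCFLAGS` lines rather than leaving them commented out, and state the reason in one comment such as `# Out-of-tree build: no Android version file is available and the target is Android 7, so always use the non-legacy path`. The `ifeq`/`else` block continues past the end of the hunk, so its closing `endif` lines are not visible here.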

编译后用到

out/arch/arm64/boot/Image.gz

$ find out/ -name '*.ko'
out/drivers/gator/gator.ko
out/drivers/scsi/ufs/ufs_test.ko
out/drivers/input/evbug.ko
out/drivers/spi/spidev.ko
out/drivers/mmc/card/mmc_block_test.ko
out/drivers/mmc/card/mmc_test.ko
out/drivers/char/rdbg.ko
out/block/test-iosched.ko
out/net/ipv4/tcp_westwood.ko
out/net/ipv4/tcp_htcp.ko
out/net/bridge/br_netfilter.ko

制作img

https://github.com/abcdxyzk/android_system_core

https://github.com/abcdxyzk/BootTools

$ ~/kk/BootTools/hdrboot boot.img
Magic: ANDROID!
Kernel size: 0x9D203F (10297407)
  Aligned size: 0x9D3000
Kernel addr: 0x80008000
Ramdisk size: 0x484ED0 (4738768)
Ramdisk addr: 0x82200000
Second size: 0x0 (0)
Second addr: 0x80F00000
Tags addr: 0x82000000
Page size: 0x1000 (4096)
Name: RILPA13A000KU
Cmdline: console=null androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x37 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 cma=24M@0-0xffffffff rcupdate.rcu_expedited=1
$ ~/kk/android_system_core/mkbootimg/unpackbootimg -i boot.img
Android magic found at: 0
BOARD_KERNEL_CMDLINE console=null androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x37 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 cma=24M@0-0xffffffff rcupdate.rcu_expedited=1
BOARD_KERNEL_BASE 00008000
BOARD_RAMDISK_OFFSET 02200000
BOARD_SECOND_OFFSET 00f00000
BOARD_TAGS_OFFSET 02000000
BOARD_PAGE_SIZE 4096
BOARD_SECOND_SIZE 0
BOARD_DT_SIZE 7122944

替换 boot.img-zImage,cp out/arch/arm64/boot/Image.gz boot.img-zImage,然后重新制作 boot.img

$ ~/kk/android_system_core/mkbootimg/mkbootimg --kernel boot.img-zImage --ramdisk boot.img-ramdisk.gz --base 0x80000000 --ramdisk_offset 0xFF8000 --pagesize 4096 --cmdline "console=null androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x37 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 cma=24M@0-0xffffffff rcupdate.rcu_expedited=1" --ramdisk_offset 0x2200000 --board RILPA13A003KU --tags_offset 0x2000000 --dt boot.img-dt -o my_boot.img

$ echo -n "SEANDROIDENFORCE" >> my_boot.img  # 解决开机出现 Kernel is not Seandroid Enforcing,https://tricksempire.com/kernel-is-not-seandroid-enforcing-android/

$ lz4 -B6 boot.img  # 可选 https://stackoverflow.com/questions/58517762/odin-fail-lz4-is-invalid

$ tar cf my-7.0.0-9350-boot-mptcp.tar boot.img

G9300 ROM包相关及降级原理-BL

修改内核

$ diff arch/arm64/configs/hero2qlte_chn_open_defconfig out/.config
3c3
< # Linux/arm64 3.18.31 Kernel Configuration 
---
> # Linux/arm64 3.18.31-13341302 Kernel Configuration
325,336c325,337
< # CONFIG_SEC_HEROQLTE_PROJECT is not set   
< CONFIG_SEC_HERO2QLTE_PROJECT=y
< # CONFIG_MACH_HERO2QLTE_ATT is not set
< CONFIG_MACH_HERO2QLTE_CHNZC=y
< # CONFIG_MACH_HERO2QLTE_SPR is not set
< # CONFIG_MACH_HERO2QLTE_TMO is not set
< # CONFIG_MACH_HERO2QLTE_USC is not set
< # CONFIG_MACH_HERO2QLTE_VZW is not set
< # CONFIG_MACH_HERO2QLTE_DCM is not set
< # CONFIG_MACH_HERO2QLTE_KDI is not set
< # CONFIG_MACH_HERO2QLTE_SED is not set
< # CONFIG_MACH_HERO2QLTE_SINGLE is not set  
---
> CONFIG_SEC_HEROQLTE_PROJECT=y
> # CONFIG_MACH_HEROQLTE_ACG is not set
> # CONFIG_MACH_HEROQLTE_ATT is not set
> CONFIG_MACH_HEROQLTE_CHNZC=y
> # CONFIG_MACH_HEROQLTE_DCM is not set
> # CONFIG_MACH_HEROQLTE_KDI is not set
> # CONFIG_MACH_HEROQLTE_SPR is not set
> # CONFIG_MACH_HEROQLTE_TMO is not set
> # CONFIG_MACH_HEROQLTE_USC is not set
> # CONFIG_MACH_HEROQLTE_VZW is not set
> # CONFIG_MACH_HEROQLTE_MTR is not set
> # CONFIG_MACH_HEROQLTE_SED is not set
> # CONFIG_SEC_HERO2QLTE_PROJECT is not set
582c583
< CONFIG_RKP_CFP=y
---
> # CONFIG_RKP_CFP is not set
584,585c585,586
< CONFIG_RKP_CFP_JOPP=y
< CONFIG_RKP_CFP_JOPP_MAGIC=0x00be7bad
---
> # CONFIG_RKP_CFP_JOPP is not set
> CONFIG_RKP_CFP_JOPP_MAGIC=0xb3ea3bad
592,595c593
< CONFIG_TIMA_RKP=y
< CONFIG_RKP_KDP=y
< CONFIG_RKP_NS_PROT=y
< CONFIG_RKP_DMAP_PROT=y
---
> # CONFIG_TIMA_RKP is not set
1243c1241
< CONFIG_KNOX_KAP=y
---
> # CONFIG_KNOX_KAP is not set
1431d1428
< CONFIG_DM_BUFIO=y
1445,1446c1442
< CONFIG_DM_VERITY=y
< CONFIG_DM_VERITY_FEC=y
---
> # CONFIG_DM_VERITY is not set
4026,4032c4022,4024
< CONFIG_TIMA_RKP_L1_TABLES=y
< CONFIG_TIMA_RKP_L2_TABLES=y
< CONFIG_TIMA_RKP_LAZY_MMU=y
< # CONFIG_TIMA_RKP_DEBUG is not set
< CONFIG_TIMA=y
< CONFIG_TIMA_LKMAUTH=y
< CONFIG_TIMA_LKMAUTH_CODE_PROT=y
---
> # CONFIG_TIMA is not set
> # CONFIG_TIMA_LKMAUTH is not set
> # CONFIG_TIMA_LKMAUTH_CODE_PROT is not set 
4034d4025
< CONFIG_TIMA_UEVENT=y
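Review bot: The generated out/.config turns off `CONFIG_RKP_CFP`, `CONFIG_TIMA_RKP` (with `RKP_KDP`, `RKP_NS_PROT`, `RKP_DMAP_PROT`), `CONFIG_KNOX_KAP`, `CONFIG_DM_VERITY` and the `CONFIG_TIMA*` options, but the page does not record which were switched off by hand and which follow from starting from a different defconfig (the left side is the hero2qlte defconfig, while the result selects `CONFIG_SEC_HEROQLTE_PROJECT`). Record next to the diff why each option is disabled and how the .config was produced, so the build can be reproduced. Judging by the option names, these cover the vendor's kernel runtime protection and dm-verity integrity checking of the system partition, so a device running this kernel should be treated as having neither.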

模块警告

内核比较严格,未使用变量都是ERROR

EXTRA_CFLAGS += -g -Wno-unused-function -Wno-unused-variable

G9300 ROM包相关及降级原理-BL, 刷机流程

https://zhuanlan.zhihu.com/p/102050317

http://romup.com/

https://www.sammobile.com/samsung/galaxy-s7/firmware/SM-G9300/CHC/download/G9300ZCU2BRD1/216945/

https://www.netded.com/a/jishuyingyong/2016/0305/31324.html


能否降级原理 就是看BL(bootloader版本)

2018-10-16   8.0.0   G9300ZCS3CRI1
2018-09-02    8.0.0   G9300ZCU3CRH1
2018-08-06    8.0.0   G9300ZCU3CRG3
2018-06-26    8.0.0   G9300ZCU2CRF5
2018-04-25    7.0 G9300ZCU2BRD1
2018-01-17    7.0 G9300ZCU2BQL3

看中间的 S3, U3, U2, 其中 S3=U3。数字不能下降,数字相同的可以降级,例如从 G9300ZCU2CRF5(8.0.0) 降到 G9300ZCU2BRD1(7.0)


刷 TWRP 和 root

原始来源是这里 https://dl.twrp.me/heroqltechn/ ???

G9300_twrp-3.0.2-0-heroqltechn.img.tar

SuperSU-v2.82.zip

https://build.nethunter.com/android-tools/no-verity-opt-encrypt/

https://www.muzisoft.com/shuaji/223499.html

先刷 TWRP 再刷 supersu。supersu 也会去除 verity,不需要再刷 no-verity-opt-encrypt

解决wifi无法保存密码 或 多次尝试才能打开 的情况

https://forum.xda-developers.com/samsung-a-series-2017/how-to/guide-fix-bluetooth-losing-pairings-t3798262

Fix_Bluetooth.zip

https://github.com/Magisk-Modules-Repo/libsecure_storage

https://github.com/rovo89/Xposed/issues/294

$ vim /system/build.prop
ro.securestorage.support=true 改成 ro.securestorage.support=false

$ cp Fix_Bluetooth/system/lib/libsecure_storage.so   /system/vendor/lib/libsecure_storage.so
$ cp Fix_Bluetooth/system/lib64/libsecure_storage.so /system/vendor/lib64/libsecure_storage.so

修改后 Wi-Fi 密码以明文保存在 data/misc/wifi/wpa_supplicant.conf,任何能读取该文件的进程(例如获得 root 权限的应用)都能直接看到密码。

file_contexts.bin和file_contexts转换

https://github.com/rkhat2/android-rom-repacker/releases/tag/android-7-v3

android-rom-repacker-20180401-610b6d2.tar.gz

./sefcontext_decompile file_contexts.bin -o file_contexts

./sefcontext_compile file_contexts -o file_contexts.bin_new

第三方 ROM

http://blog.sina.com.cn/s/blog_6de000c20102z9ur.html

http://rom.tomatolei.com/g9300.html

可能有用

https://android.stackexchange.com/questions/69954/how-to-unpack-and-edit-boot-img-for-rom-porting

http://i.lckiss.com/?p=1345

制作卡刷 ROM

META-INF.tar

$ cat META-INF/com/google/android/updater-script
# Recovery update script: writes system.img from the package onto the
# system partition and prints progress messages along the way.
ui_print("+------------start--------------+");

# Disabled step: unmount /system if it is currently mounted.
#ifelse(is_mounted("/system"), unmount("/system"));
#ui_print("+------------umount /system--------------+");

# Disabled step: format the system partition as ext4, then wait 2 seconds.
#format("ext4", "EMMC", "/dev/block/bootdevice/by-name/system");
#run_program("/sbin/sleep", "2");
#ui_print("+------------format /system--------------+");

# Disabled step: mount the system partition at /system.
#mount("ext4", "EMMC", "/dev/block/bootdevice/by-name/system", "/system");
#ui_print("+------------mount /system--------------+");

# Extract system.img straight onto the system block device.
# NOTE(review): with the unmount step above disabled, confirm that /system is
# not mounted in recovery when this runs. Nothing in this script checks the
# device model or the integrity of system.img before the partition is written.
package_extract_file("system.img", "/dev/block/bootdevice/by-name/system");
ui_print("+------------copied /system--------------+");

ui_print("Done!");

解压 META-INF.tar,编辑 system.img,将 META-INF 和 system.img 一起打包成 zip,卡刷。

BUG:刷完后需要进官方recovery再执行一些升级操作,但是改了system后,官方recovery会校验失败,导致升级失败,会在设置里出现多余内容。。。

试了第三方的ROM可以升级,所以单纯删除system.img的一些东西还是不够的

刷机流程

1. crom1.0.8.apk 解锁手机bootloader

2. 刷rom, G9300ZCU2BRD1_G9300CHC2BRD1_CHC

3. 刷kernel, my-7.0.0-9350-boot-mptcp.tar

4. 刷recovery, twrp-3.2.1-0-heroqltechn.img.tar

5. 进入recovery, 刷root, SuperSU-v2.82.zip

6. ROM 简化命令

# ROM slimming script: remounts /system read-write, deletes preinstalled app
# directories and some per-app data, then copies in libsecure_storage.so and
# build.prop.
#
# Fix_Bluetooth/ and build.prop are relative paths, so the script has to be
# run from the directory that holds them.

# Trace every command as it runs.
set -x

# NOTE(review): the remount result is not checked. If it fails, the /system
# deletions and copies below fail as well, but the /data deletions would
# still run.
mount -o rw,remount /system

# Preinstalled app directories to delete.
# NOTE(review): the list includes components whose names suggest security or
# update functions (Knox*, SecurityLogAgent, KLMSAgent, SKMSAgent, FotaAgent,
# SamsungUpdates, SamsungDLPService, UniversalMDMClient). Removing them
# presumably disables the matching vendor security and update features;
# confirm each one before reusing this list.
rm -rf /system/app/AllshareFileShare
rm -rf /system/app/AllshareMediaShare
rm -rf /system/app/ApexService
rm -rf /system/app/BBCAgent
rm -rf /system/app/Bluetooth
rm -rf /system/app/BluetoothMidiService
rm -rf /system/app/BluetoothTest
rm -rf /system/app/BookmarkProvider
rm -rf /system/app/CoreApps_SDK_2017
rm -rf /system/app/GearManagerStub
rm -rf /system/app/HongbaoAssistant
rm -rf /system/app/Kaiti
rm -rf /system/app/KnoxAppsUpdateAgent
rm -rf /system/app/KnoxAttestationAgent
rm -rf /system/app/KnoxFolderContainer2
rm -rf /system/app/KnoxRemoteContentsProvider
rm -rf /system/app/KnoxSetupWizardClient
rm -rf /system/app/KnoxSwitcher
rm -rf /system/app/Miao
rm -rf /system/app/MirrorLink
rm -rf /system/app/MobilePrintSvc_Samsung
rm -rf /system/app/MoreServices
rm -rf /system/app/QuickConnect
rm -rf /system/app/RemoteControl
rm -rf /system/app/SamsungDLPService
rm -rf /system/app/SBrowser_5.0
rm -rf /system/app/SearchBoxBaidu_OPEN_V8.0
rm -rf /system/app/SecurityLogAgent
rm -rf /system/app/ShaoNv
rm -rf /system/app/ShareLink
rm -rf /system/app/SmartSwitchAgent
rm -rf /system/app/SPrintSpooler7
rm -rf /system/app/UniversalMDMClient
rm -rf /system/app/Weather2017_SE
rm -rf /system/app/WeatherWidget2017_SE
rm -rf /system/app/WeChatWifiService
rm -rf /system/container/ContainerAgent2
rm -rf /system/container/KnoxBBCProvider
rm -rf /system/container/KnoxBluetooth
rm -rf /system/container/KnoxKeyguard
rm -rf /system/container/KnoxShortcuts
rm -rf /system/container/KnoxTrustAgent
rm -rf /system/container/resources
rm -rf /system/container/SharedDeviceKeyguard
rm -rf /system/dummy/OnlineMusicChinaDummy
rm -rf /system/dummy/SecEmail_N
rm -rf /system/dummy/SHealth5
rm -rf /system/dummy/SRoaming_v11_N
rm -rf /system/preload/GalaxyCare_CHN_Deletable
rm -rf /system/preload/MM_Phone_V5.0_M
rm -rf /system/preload/mm_safe_5.0_M
rm -rf /system/preload/OnlineMusicChina
rm -rf /system/preload/SamsungOnlineVideo
rm -rf /system/preload/SAssistant_downloadable
rm -rf /system/preload/SecEmail_N_R
rm -rf /system/preload/SHealthDeletable5.9
rm -rf /system/preload/SmartSwitch
rm -rf /system/preload/SRoaming_v12_N_Deletable
rm -rf /system/priv-app/Alipay_Service
rm -rf /system/priv-app/DiagMonAgent
rm -rf /system/priv-app/FotaAgent
rm -rf /system/priv-app/GalaxyApps_3xh
rm -rf /system/priv-app/GalaxyAppsWidget_Phone_Hero
rm -rf /system/priv-app/GalaxyThemes
rm -rf /system/priv-app/GameHome
rm -rf /system/priv-app/GameTools
rm -rf /system/priv-app/GearManager
rm -rf /system/priv-app/HancomOfficeEditor
rm -rf /system/priv-app/HealthService
rm -rf /system/priv-app/KLMSAgent
rm -rf /system/priv-app/NetworkLocation_Autonavi
rm -rf /system/priv-app/NSFusedLocation_v2.2
rm -rf /system/priv-app/OfflineNetworkLocation_Baidu
rm -rf /system/priv-app/RNB
rm -rf /system/priv-app/RNBShell
rm -rf /system/priv-app/SamsungAccount_Dream
rm -rf /system/priv-app/SamsungBilling
rm -rf /system/priv-app/SamsungCloud
rm -rf /system/priv-app/SamsungPayStub
rm -rf /system/priv-app/SamsungUpdates
rm -rf /system/priv-app/SEMFactoryApp
rm -rf /system/priv-app/SKMSAgent
rm -rf /system/priv-app/SOAgent
rm -rf /system/priv-app/SPPPushClient_Prod
rm -rf /system/priv-app/VRSetupWizardStub

# NOTE(review): the directory name suggests this is the vendor device-security
# component; confirm what is lost by removing it.
rm -rf /system/priv-app/SmartManager_v5_DeviceSecurity

# Empty the hidden Common_app directory but keep the directory itself.
rm -rf /system/hidden/Common_app/*

# Remove one installed package: its profiles, data directories and APK.
rm -rf /data/misc/profiles/cur/0/com.mobilesrepublic.sohu.launcher
rm -rf /data/misc/profiles/ref/com.mobilesrepublic.sohu.launcher
rm -rf /data/data/com.mobilesrepublic.sohu.launcher
rm -rf /data/app/com.mobilesrepublic.sohu.launcher-1
rm -rf /data/user_de/0/com.mobilesrepublic.sohu.launcher

# Remove selected preference and data paths of other apps.
rm -rf /data/data/com.sec.android.app.SecSetupWizard/shared_prefs/chn.BaiduLocationActivity.xml
rm -rf /data/data/com.speedsoftware.rootexplorer/shared_prefs
rm -rf /data/media/0/Android/data/com.baidu.searchbox_samsung


# Install the libsecure_storage.so files from the Fix_Bluetooth package
# (32-bit and 64-bit) into the vendor library directories.
# NOTE(review): these are third-party binaries loaded from /system/vendor;
# verify where they came from, and check that owner, mode and SELinux label
# of the copied files match the files they replace.
cp Fix_Bluetooth/system/lib/libsecure_storage.so   /system/vendor/lib/libsecure_storage.so
cp Fix_Bluetooth/system/lib64/libsecure_storage.so /system/vendor/lib64/libsecure_storage.so

# Overwrite the system build.prop with the edited copy from the current
# directory.
cp build.prop /system/build.prop

TIME-WAIT

1. tw_reuse,tw_recycle 必须在客户端和服务端 timestamps 开启时才管用

cat /proc/sys/net/ipv4/tcp_timestamps

2. tw_reuse 只对客户端起作用

开启后超过1s的time-wait sk被reuse, 如下代码。否则inet_hash_connect会继续尝试寻找可用端口。

tcp_v4_connect() -> inet_hash_connect() -> __inet_check_established() -> twsk_unique() -> tcp_twsk_unique()

vim net/ipv4/tcp_ipv4.c

/*
 * Decide whether the TIME-WAIT socket sktw may be taken over by the new
 * connecting socket sk.
 *
 * Returns 1 when reuse is allowed, after seeding sk's sequence and timestamp
 * state from sktw and taking a reference on sktw. Returns 0 otherwise.
 */
int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp)
{
        const struct tcp_timewait_sock *tcptw = tcp_twsk(sktw);
        struct tcp_sock *tp = tcp_sk(sk);

        /*
         * Reuse needs a non-zero tw_ts_recent_stamp on the old connection,
         * and then either twp == NULL, or sysctl_tcp_tw_reuse set with more
         * than one second elapsed since that stamp.
         *
         * NOTE(review): a zero stamp presumably means no TCP timestamp was
         * ever seen on the old connection, which would be why tw_reuse only
         * works when tcp_timestamps is enabled on both ends - confirm.
         * NOTE(review): which callers pass twp == NULL is not visible here.
         */
        if (tcptw->tw_ts_recent_stamp &&
            (twp == NULL || (sysctl_tcp_tw_reuse &&
                             get_seconds() - tcptw->tw_ts_recent_stamp > 1))) {
                /*
                 * Start the new connection's sequence numbers past the old
                 * connection's tw_snd_nxt; if the sum wraps to 0, use 1.
                 */
                tp->write_seq = tcptw->tw_snd_nxt + 65535 + 2;
                if (tp->write_seq == 0)
                        tp->write_seq = 1;
                /*
                 * Carry the old connection's last seen peer timestamp and
                 * its stamp over to the new socket.
                 */
                tp->rx_opt.ts_recent       = tcptw->tw_ts_recent;
                tp->rx_opt.ts_recent_stamp = tcptw->tw_ts_recent_stamp;
                /* Take a reference on sktw before reporting it reusable. */
                sock_hold(sktw);
                return 1;
        }

        return 0;
}

3. tw_recycle 和 TCP_TIMEWAIT_LEN

tw_recycle 对客户端和服务器同时起作用,有两个作用:
a) 开启后在 3*RTO 后回收 sk。没开启在 TCP_TIMEWAIT_LEN = 60 后回收 sk。
b) tcp会缓存每个连接最新的时间戳,后续请求中如果时间戳小于缓存的时间戳,相应的数据包会被丢弃。如果多个客户端在NAT后面就会出问题。

有些内核删除了b功能,如tlinux。 https://github.com/torvalds/linux/commit/4396e46187ca5070219b81773c4e65088dac50cc

最新的内核删除了a、b两个功能,且 TCP_TIMEWAIT_LEN 不可配置。。。

4. tcp_max_tw_buckets

cat /proc/sys/net/ipv4/tcp_max_tw_buckets

time-wait sk 的最大数量。

设置成0就不分配time-wait sk,只回一个ack,如果ack丢了下次就只能回rst了,测试的时候可以用。

5. 服务端处于 time-wait 时收包处理

TIME_WAIT状态下对接收到的数据包如何处理