Google Pixel XL 刷机解锁BL和Root开启全局调试
1) 查看手机设备确认相关信息
查看设备信息
adb devices -l
List of devices attached
HT77D0201269 device usb:336592896X product:marlin model:Pixel_XL device:marlin transport_id:1
安装爬梯软件
https://github.com/2dust/v2rayNG/releases
adb install v2rayNG_1.6.26.apk
adb push v2rayNG_1.6.26.apk /sdcard/download/
adb shell input text http://key.allin1.xyz/51vpn/51vpn.json
adb shell input text http://key.allin1.xyz/51vpn/51vpn.txt
Vysor 投屏软件
2) 解决原生安卓出现 WiFi 网络受限、网络打×、优化网速、网络无法连接问题
已ROOT方法
已经 ROOT 的安卓机很简单,可以用面具模块、Scene、Captivemgr等工具来修改,这里用的是 Captivemgr 因为可以自定义服务器地址。
默认提供了三个服务器,分别是小米、高通、V2EX,根据延迟选择就行了,然后应用。手机切换飞行模式,再切换回来就OK了。
具体参照:https://www.xiaoyi.vc/captive-portal.html
没有ROOT情况 (adb命令要自行安装与配置)
没有 ROOT 的安卓机可以借助 ADB 命令来修改,首先下载ADB工具包,然后手机开启USB调试模式,接着运行 CMD 输入下面的命令就可以了。
删除默认的地址
adb shell settings delete global captive_portal_https_url
adb shell settings delete global captive_portal_http_url
修改新的地址
adb shell settings put global captive_portal_http_url http://captive.v2ex.co/generate_204
adb shell settings put global captive_portal_https_url https://captive.v2ex.co/generate_204
adb shell settings put global captive_portal_http_url http://connect.rom.miui.com/generate_204
adb shell settings put global captive_portal_https_url https://connect.rom.miui.com/generate_204
adb shell settings get global captive_portal_http_url
adb shell settings get global captive_portal_https_url
修改NTP服务器
执行命令后重启手机:
adb shell getprop persist.sys.timezone
adb shell setprop persist.sys.timezone Asia/Shanghai
adb shell settings put global ntp_server ntp1.aliyun.com
adb shell settings get global ntp_server
adb shell reboot
参考:https://zhuanlan.zhihu.com/p/145266379
3) 获取官方固件和TWRP Recovery、登录谷歌账号
在设置、账号、添加账号
adb shell input text B.Sheepherder@gmail.com
获取 Factory Images for Nexus and Pixel Devices
“marlin” for Pixel XL
https://developers.google.com/android/images#marlin
7.1.0 (NDE63V, Nov 2016)
a66866ba4b8f9f1baa856828d46a747d769098add86098bece50854983ecea3e
https://dl.google.com/dl/android/aosp/marlin-nde63v-factory-a66866ba.zip
10.0.0 (QP1A.191005.007.A3, Dec 2019)
bef6653301371b66bd7fca968cf52013c0bf6862f0c7a70a275b0f0d45ab3888
https://dl.google.com/dl/android/aosp/marlin-qp1a.191005.007.a3-factory-bef66533.zip
获取 Full OTA Images for Nexus and Pixel Devices
“marlin” for Pixel XL
https://developers.google.com/android/ota#marlin
7.1.0 (NDE63V, Nov 2016)
272853b51eefde37e7a8b159f4f4d1ccb125c56da2b81708d6451a5e4d970ecf
https://dl.google.com/dl/android/aosp/marlin-ota-nde63v-272853b5.zip
10.0.0 (QP1A.191005.007.A3, Dec 2019)
23002a57bba0c40219799af473948b878400f0a4efc848d2ef528b132c6ac2ce
https://dl.google.com/dl/android/aosp/marlin-ota-qp1a.191005.007.a3-23002a57.zip
获取 Driver Binaries for Nexus and Pixel Devices
https://developers.google.com/android/drivers#marlin
Pixel binaries for Android 7.1.0 (NDE63V)
https://developers.google.com/android/drivers#sailfishnde63v
Vendor image Google
7734bb3e108e129bc2e77d24eb45c43d8bc3d249fbea63518bed01bd55fbe224
https://dl.google.com/dl/android/aosp/google_devices-marlin-nde63v-4ee91321.tgz
GPS, Audio, Camera, Gestures, Graphics, DRM, Video, Sensors Qualcomm
cfd5740a3564d5be11072826396733ee09f7ce0001ae8153b69f34482e4ee0a4
https://dl.google.com/dl/android/aosp/qcom-marlin-nde63v-707a1970.tgz
Pixel XL binaries for Android 10.0.0 (QP1A.191005.007.A3)
https://developers.google.com/android/drivers#marlinqp1a.191005.007.a3
Vendor image Google
e76c3921f60d02841d623b4e5df2c9c8d23dea7858b58c4d3a6ac7c484f4ef5e
https://dl.google.com/dl/android/aosp/google_devices-marlin-qp1a.191005.007.a3-a8dc46be.tgz
GPS, Audio, Camera, Gestures, Graphics, DRM, Video, Sensors Qualcomm
039d6436d635e6859b7f6dd568b82cff41640d0b2baf47be7903ed86786b0a74
https://dl.google.com/dl/android/aosp/qcom-marlin-qp1a.191005.007.a3-10ca9ca3.tgz
4) 刷机安装面具 TWRP Recovery 和 Magisk
https://dl.twrp.me/marlin/twrp-pixel-installer-marlin-3.3.0-0.zip
https://dl.twrp.me/marlin/twrp-3.3.0-0-marlin.img
https://dl.twrp.me/marlin/twrp-3.6.1_9-0-marlin.img
https://github.com/topjohnwu/Magisk/releases/download/v23.0/Magisk-v23.0.apk
https://github.com/topjohnwu/Magisk/releases/download/v21.4/Magisk-v21.4.zip
https://github.com/topjohnwu/Magisk/releases/download/v17.2/Magisk-v17.2.zip
手机OEM解锁
在手机”开发者选项”中打开”OEM解锁”开关;手机连接电脑之后,执行如下命令解锁bootloader
1 | adb reboot bootloader |
检查是否已经解锁,执行 fastboot oem device-info
1 | fastboot oem device-info |
锁BL后状态如下图:
下载 Magisk-v21.4.zip
https://github.com/topjohnwu/Magisk/releases/tag/v21.4
https://github.com/topjohnwu/Magisk/releases/download/v21.4/Magisk-v21.4.zip
https://github.com/topjohnwu/Magisk/releases/download/v21.4/Magisk-uninstaller-20210117.zip
将 Magisk-v21.4.zip 拷到手机SD卡根目录或者Download目录下
在目录下,执行 adb reboot bootloader
执行 fastboot boot twrp-3.3.0-0-marlin.img
或者 fastboot boot twrp-3.6.1_9-0-marlin.img
1 | fastboot boot twrp-3.6.1_9-0-marlin.img |
在手机上找到 Magisk-v21.4.zip,安装,重启后就能够了。
adb reboot-bootloader
fastboot boot twrp-3.3.0-0-marlin.img
adb shell twrp sideload
adb sideload twrp-pixel-installer-marlin-3.3.0-0.zip
手机解锁成功之后,安装 twrp recovery
手机开机情况下执行 adb reboot bootloader,进入fastboot模式或者关机状态下同时长按“音量加键”+“开机键”。
执行如下命令刷入 Pixel XL twrp recovery 镜像
fastboot flash recovery
安装 xposed (for Android 7.1.2)
https://blog.csdn.net/freeking101/article/details/120582833
https://www.jianshu.com/p/a059b69656f4
Magisk 里搜索 xposed 安装版本v89 v90
需要爬梯下载 或者把已缓存的下载的包framework.zip 解压到
/storage/emulated/0/Android/data/de.robv.android.xposed.installer/cache/downloads/framework/
解决未激活
需要手动把
/storage/emulated/0/Android/data/de.robv.android.xposed.installer/cache/downloads/framework/xposed-v89-sdk25-arm64.zip
里的 system 目录下的 xposed.prop 复制到设备 /system/xposed.prop
和 framework/XposedBridge.jar 复制到设备 /system/framework/XposedBridge.jar
然后重启设备
5) Google Pixel/Pixel XL 已有 Root 机方法
按照压缩包里的说明文档刷入boot
Pixle Root Zip
https://download.chainfire.eu/1007/CF-Root/CF-Auto-Root/root-sailfish-pixel.zip
Pixel XL Root Zip
https://download.chainfire.eu/1008/CF-Root/CF-Auto-Root/root-marlin-pixelxl.zip
adb reboot bootloader
fastboot boot boot-to-root.img
从 image-marlin-nde63v.zip 提取 boot.img 然后用 magisk 补丁出文件 magisk_patched-22100_kJMW0.img
adb reboot-bootloader
fastboot boot magisk_patched-22100_kJMW0.img
adb shell su -c ls -al /dev/block/
lrwxrwxrwx 1 root root 36 1970-01-01 10:31 bootdevice -> /dev/block/platform/soc/624000.ufshc
adb shell su -c ls -al /dev/block/platform
adb shell su -c ls -al /dev/block/bootdevice/by-name/
lrwxrwxrwx 1 root root 16 1970-01-01 10:31 boot_a -> /dev/block/sda19
lrwxrwxrwx 1 root root 16 1970-01-01 10:31 boot_b -> /dev/block/sda20
输入以下命令
adb shell su -c cat proc/partitions
查看boot分区的大小
adb shell su -c “dd if=/dev/block/sda19 of=/sdcard/boot_a.img bs=1024 count=32768”
adb shell su -c “dd if=/dev/block/sda20 of=/sdcard/boot_b.img bs=1024 count=32768”
adb shell su -c “cat /dev/block/bootdevice/by-name/boot_a >/sdcard/boot_a1.img”
adb shell su -c “cat /dev/block/bootdevice/by-name/boot_b >/sdcard/boot_b1.img”
adb shell su -c “cat /dev/block/bootdevice/by-name/system_a >/sdcard/system_a.img”
adb shell su -c “cat /dev/block/bootdevice/by-name/system_b >/sdcard/system_b.img”
Nexus 5
adb shell su -c ls -al /dev/block/platform/msm_sdcc.1/by-name
lrwxrwxrwx 1 root root 20 1970-01-01 10:44 aboot -> /dev/block/mmcblk0p6
lrwxrwxrwx 1 root root 21 1970-01-01 10:44 abootb -> /dev/block/mmcblk0p11
lrwxrwxrwx 1 root root 21 1970-01-01 10:44 boot -> /dev/block/mmcblk0p19
adb shell su -c “ls -l /dev/block/by-name”
lrwxrwxrwx 1 root root 20 1970-01-07 07:50 aboot -> /dev/block/mmcblk0p6
lrwxrwxrwx 1 root root 21 1970-01-07 07:50 abootb -> /dev/block/mmcblk0p11
lrwxrwxrwx 1 root root 21 1970-01-07 07:50 boot -> /dev/block/mmcblk0p19
lrwxrwxrwx 1 root root 21 1970-01-07 07:50 recovery -> /dev/block/mmcblk0p20
lrwxrwxrwx 1 root root 21 1970-01-07 07:50 system -> /dev/block/mmcblk0p25
adb shell su -c cat proc/partitions
adb shell su -c “dd if=/dev/block/mmcblk0p20 of=/sdcard/magisk_recovery.img bs=1024 count=22528”
adb shell su -c “dd if=/dev/block/mmcblk0p19 of=/sdcard/magisk_boot.img bs=1024 count=22528”
adb pull /sdcard/magisk_boot.img
adb pull /apex/com.android.runtime/bin/linker
BSdeMacBook-Pro:Nexus5 idone$ adb shell cat /proc/cpuinfo
Processor : ARMv7 Processor rev 0 (v7l)
processor : 0
BogoMIPS : 38.40
processor : 1
BogoMIPS : 38.40
processor : 2
BogoMIPS : 38.40
processor : 3
BogoMIPS : 38.40
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt
CPU implementer : 0x51
CPU architecture: 7
CPU variant : 0x2
CPU part : 0x06f
CPU revision : 0
Hardware : Qualcomm MSM 8974 HAMMERHEAD (Flattened Device Tree)
Revision : 000b
Serial : 0000000000000000
adb shell su -c “getprop |grep abi”
adb shell su -c “getprop ro.product.cpu.abi”
adb shell su -c “getprop ro.product.cpu.abilist”
6) 使用面具 Magisk 打开全局调试 ro.debuggable
刷入 magisk 后每次都执行如下命令后通过 stop;start; 软重启才能生效(正常重启失效)
1 | adb shell |
1 | adb shell su -c magisk resetprop ro.debuggable 1 |
刷入 magisk 后安装 MagiskHiden props Config
https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf/releases/download/v5.2.5/MagiskHidePropsConf-v5.2.5.zip
https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf/releases/download/v6.1.2/MagiskHidePropsConf-v6.1.2.zip
adb shell
marlin:/ $ props
下载 Android_boot_image_editor 工具
git clone https://github.com/cfig/Android_boot_image_editor.git
cd Android_boot_image_editor
cp 你提取的 boot.img ./boot.img
然后执行如下命令 解开 img
1 | ./gradlew unpack |
修改 ./Android_boot_image_editor/build/unzip_boot/root/default.prop 如下
ro.secure=0
ro.adb.secure=0
ro.debuggable=1
增加
service.adb.root=1
执行
‘’’
./gradlew pack1
2
3
4
5
6
打包 修改后的 boot 得 ./Android_boot_image_editor/boot.img.signed
将其刷入手机的 boot 分区
adb reboot bootloader
fastboot flash boot boot.img.signed1
fastboot flash boot_a boot.img.signed
fastboot flash boot_b boot.img.signed
```
查看 是否开启了 永久全局调试 标识
adb shell getprop ro.debuggable
假如出现无限重启,无限恢复模式刷入官方线刷包 bootloader-*.img
fastboot flash bootloader bootloader-marlin-8996-012001-1704121145.img
Sending ‘bootloader_a’ (32380 KB) OKAY [ 0.911s]
Writing ‘bootloader_a’ (bootloader) Valid bootloader version.
(bootloader) Flashing active slot “_a”
(bootloader) Flashing active slot “_a”
OKAY [ 2.051s]
Finished. Total time: 3.144s
adb shell su -c “getprop |grep ro.product”
[ro.product.model]: [Pixel XL]
adb shell su -c “getprop |grep ro.build”
[ro.build.date]: [Thu Jun 29 18:12:29 UTC 2017]
[ro.build.description]: [marlin-user 7.1.2 NJH47F 4146041 release-keys]
https://www.androidtcpdump.com/download/4.99.1.1.10.1/tcpdump
https://www.androidtcpdump.com/download/64bit/4.99.1.1.10.1/tcpdump
https://github.com/ViRb3/magisk-frida
https://github.com/ViRb3/magisk-frida/releases/download/15.1.17-1/MagiskFrida-15.1.17-1.zip