
# AOSP Kernel Compilation

View phone information

| Information | Command | Example output |
| --- | --- | --- |
| Device model | `adb shell getprop ro.product.model` | Pixel 3 |
| Device brand | `adb shell getprop ro.product.brand` | google |
| Device manufacturer | `adb shell getprop ro.product.manufacturer` | Google |
| OS version | `adb shell getprop ro.build.version.release` | 12 |
| Hardware | `adb shell getprop ro.hardware` | blueline |
| Product name | `adb shell getprop ro.product.name` | raven |
| Build ID | `adb shell getprop ro.build.id` | SP1A.210812.016.C2 |
| Build version number | `adb shell getprop ro.build.version.incremental` | 8618562 |
| Build description | `adb shell getprop ro.build.description` | blueline-user 12 SP1A.210812.016.C2 8618562 release-keys |
| Build date | `adb shell getprop ro.build.date` | Thu May 19 23:02:57 UTC 2022 |
| Kernel version | `uname -a` | Linux localhost 4.9.270-g862f51bac900-ab7613625 #0 SMP PREEMPT Thu Aug 5 07:04:42 UTC 2021 aarch64 |

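Use the build ID to find the AOSP branch for a Pixel phone

https://source.android.com/docs/setup/about/build-numbers?hl=zh-cn

| Build ID | Tag | Version | Supported devices | Security patch level |
| --- | --- | --- | --- | --- |
| SP1A.210812.016.C2 | android-12.0.0_r34 | Android12 | Pixel 3, Pixel 3 XL | 2021-10-05 |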

Search for the build ID to get the drivers: https://developers.google.cn/android/drivers?hl=zh-cn

Search for Pixel 3 + Android 12 to get the matching factory image: https://developers.google.cn/android/images?hl=zh-cn

Look up the kernel version codename for the Pixel 3:

https://source.android.com/docs/setup/build/building-pixel-kernels?hl=zh-cn

https://source.android.com/docs/setup/build/building-pixel-kernels?hl=zh-cn#legacy-kernel-branches

| Device | Binary path in the AOSP tree | Repository branch |
| --- | --- | --- |
| Pixel 3 (blueline), Pixel 3 XL (crosshatch) | device/google/crosshatch-kernel | android-msm-crosshatch-4.9-android12 |

Software needed for the build

```sh
sudo apt-get install git-core gnupg flex bison build-essential zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev-i386 libncurses5 lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z1-dev libgl1-mesa-dev libxml2-utils xsltproc unzip fontconfig

## /home/kpa/pixel3_kernel/private/msm-google/scripts/extract-cert.c:21:10: fatal error: 'openssl/bio.h' file not found
## #include <openssl/bio.h>
# Installing the OpenSSL development package fixes this error
sudo apt-get install libssl-dev
```

Download the kernel source

```sh
# Download the source and switch to the matching branch
mkdir pixel3_kernel && cd pixel3_kernel
repo init -u git://mirrors.ustc.edu.cn/aosp/kernel/manifest -b android-msm-crosshatch-4.9-android12
repo sync
```

Add the build tools

```sh
cd ~/pixel3_kernel/prebuilts
git clone https://android.googlesource.com/kernel/prebuilts/build-tools
mv build-tools kernel-build-tools
export PATH=~/pixel3_kernel/prebuilts/kernel-build-tools/linux-x86/bin:$PATH
```

Sync to the same commit as the phone

In 4.9.270-g862f51bac900-ab7613625, the hex string after the `g`, 862f51bac900, is the commit.

```sh
cd ~/pixel3_kernel/private/msm-google
git checkout 862f51bac900
```

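Unpack the boot image

When building without the AOSP source tree, the stock drivers need to be merged in.

Download the factory image and unpack it

This tool, Android-Image-Kitchen, has to be used on Windows. I tried it and it could not unpack the Pixel 3 image.

Here I consulted the KernelSU documentation and used magiskboot_build.

https://github.com/osm0sis/Android-Image-Kitchen

https://kernelsu.org/zh_CN/guide/installation.html

https://github.com/ookiineko/magiskboot_build/releases/tag/last-ci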

```sh
pixel3\blueline-sp1a.210812.016.c2\magiskboot
.\magiskboot.exe unpack .\boot.img
Parsing boot image: [.\boot.img]
HEADER_VER      [2]
KERNEL_SZ       [19835242]
RAMDISK_SZ      [14206167]
SECOND_SZ       [0]
RECOV_DTBO_SZ   [0]
DTB_SZ          [863100]
OS_VERSION      [12.0.0]
OS_PATCH_LEVEL  [2021-10]
PAGESIZE        [4096]
NAME            []
CMDLINE         [console=ttyMSM0,115200n8 androidboot.console=ttyMSM0 printk.devkmsg=on msm_rtb.filter=0x237 ehci-hcd.park=3 service_locator.enable=1 cgroup.memory=nokmem lpm_levels.sleep_disabled=1 usbcore.autosuspend=7 loop.max_part=7 androidboot.boot_devices=soc/1d84000.ufshc androidboot.super_partition=system buildvariant=user]
CHECKSUM        [3cf8dcecd74daab132c9561129cdd59b5ab4e972000000000000000000000000]
KERNEL_FMT      [lz4]
RAMDISK_FMT     [gzip]
unexpected ASN.1 DER tag: expected SEQUENCE, got APPLICATION [1] (primitive)
VBMETA
```

Unpacking produces a ramdisk.cpio file; copy it to the ~/pixel3_kernel directory.

Unpack with the official unpacking tool

```sh
kpa@ubuntu:~/pixel3_kernel/tools/mkbootimg$ ./unpack_bootimg.py --boot_img boot.img --out vendor_boot_out
boot magic: ANDROID!
kernel_size: 19835242
kernel load address: 0x00008000
ramdisk size: 14206167
ramdisk load address: 0x01000000
second bootloader size: 0
second bootloader load address: 0x00000000
kernel tags load address: 0x00000100
page size: 4096
os version: 12.0.0
os patch level: 2021-10
boot image header version: 2
product name:
command line args: console=ttyMSM0,115200n8 androidboot.console=ttyMSM0 printk.devkmsg=on msm_rtb.filter=0x237 ehci-hcd.park=3 service_locator.enable=1 cgroup.memory=nokmem lpm_levels.sleep_disabled=1 usbcore.autosuspend=7 loop.max_part=7 androidboot.boot_devices=soc/1d84000.ufshc androidboot.super_partition=system buildvariant=user
additional command line args:
recovery dtbo size: 0
recovery dtbo offset: 0x0000000000000000
boot header size: 1660
dtb size: 863100
dtb address: 0x0000000001f00000
```

Unpacking produces a ramdisk file; copy it to the ~/pixel3_kernel directory.

Add the mkbootimg files

```sh
# build/build.sh needs this script, which is not in the source tree
if [ -z "${MKBOOTIMG_PATH}" ]; then
    MKBOOTIMG_PATH="tools/mkbootimg/mkbootimg.py"
fi
if [ ! -f "$MKBOOTIMG_PATH" ]; then
    echo "mkbootimg.py script not found. MKBOOTIMG_PATH = $MKBOOTIMG_PATH"
    exit 1
fi
```

```sh
cd ~/pixel3_kernel
mkdir tools && cd tools
git clone https://android.googlesource.com/platform/system/tools/mkbootimg
```

Modify build/build.sh

Open ~/pixel3_kernel/build/build.sh

```sh
if [ -z "${SKIP_CP_KERNEL_HDR}" ] ; then
  echo "========================================================"
  KERNEL_HEADERS_TAR=${DIST_DIR}/kernel-headers.tar.gz
  echo " Copying kernel headers to ${KERNEL_HEADERS_TAR}"
  pushd $ROOT_DIR/$KERNEL_DIR
    find arch include $OUT_DIR -name *.h -print0               \
            | tar -czf $KERNEL_HEADERS_TAR                     \
              --absolute-names                                 \
              --dereference                                    \
              --transform "s,.*$OUT_DIR,,"                     \
              --transform "s,^,kernel-headers/,"               \
              --null -T -
  popd
fi

#++ modified section: add the following lines
if [ -f "${VENDOR_RAMDISK_BINARY}" ]; then
  cp "${VENDOR_RAMDISK_BINARY}" "${DIST_DIR}"
fi
#++ end of modified section

echo "========================================================"
echo " Files copied to ${DIST_DIR}"
```

Configure the build variables

~/pixel3_kernel/build_bluecross.sh is a symlink; the real file is ~/pixel3_kernel/private/msm-google/build_bluecross.sh

Change ~/pixel3_kernel/build_bluecross.sh to the configuration below.

The values need to be adjusted to match the unpacked boot image.

MKBOOTIMG_PATH points to the tool downloaded earlier. BASE_ADDRESS corresponds to `kernel load address: 0x00008000` in the unpack output.

```sh
BUILD_CONFIG=private/msm-google/build.config.bluecross_no-cfi \
    BUILD_BOOT_IMG=1 \
    MKBOOTIMG_PATH="tools/mkbootimg/mkbootimg.py" \
    VENDOR_RAMDISK_BINARY=ramdisk \
    KERNEL_BINARY=Image.lz4 \
    BOOT_IMAGE_HEADER_VERSION=2 \
    KERNEL_CMDLINE="console=ttyMSM0,115200n8 androidboot.console=ttyMSM0 printk.devkmsg=on msm_rtb.filter=0x237 ehci-hcd.park=3 service_locator.enable=1 cgroup.memory=nokmem lpm_levels.sleep_disabled=1 usbcore.autosuspend=7 loop.max_part=7 androidboot.boot_devices=soc/1d84000.ufshc androidboot.super_partition=system buildvariant=user" \
    BASE_ADDRESS=0x00008000 \
    PAGE_SIZE=4096 \
    build/build.sh "$@"
```

Try building

```sh
# Try a build
./build_bluecross.sh
```

It got stuck at LTO vmlinux.o and the CPU went idle.
I ran ./build_bluecross.sh V=1 again to get verbose logs, then spent a long time looking things up, and the build carried on. Compilation is very slow, so be patient.

I hit a Python error. I checked and the Python in use was 2.7; upgrade Python to version 3+.

```log
+ python tools/mkbootimg/mkbootimg.py --kernel /home/kpa/pixel3_kernel/out/android-msm-pixel-4.9/dist/Image.lz4 --header_version 2 --base 0x00008000 --pagesize 4096 --cmdline 'console=ttyMSM0,115200n8 androidboot.console=ttyMSM0 printk.devkmsg=on msm_rtb.filter=0x237 ehci-hcd.park=3 service_locator.enable=1 cgroup.memory=nokmem lpm_levels.sleep_disabled=1 usbcore.autosuspend=7 loop.max_part=7 androidboot.boot_devices=soc/1d84000.ufshc androidboot.super_partition=system buildvariant=user' --dtb /home/kpa/pixel3_kernel/out/android-msm-pixel-4.9/dist/dtb.img --ramdisk /home/kpa/pixel3_kernel/out/android-msm-pixel-4.9/dist/ramdisk.gz -o /home/kpa/pixel3_kernel/out/android-msm-pixel-4.9/dist/boot.img
  File "tools/mkbootimg/mkbootimg.py", line 120
    args.output.write(pack(f'{BOOT_MAGIC_SIZE}s', BOOT_MAGIC.encode()))
                                               ^
SyntaxError: invalid syntax
```

In ~/pixel3_kernel/build/build.sh, change `python` to `python3`:

```sh
set -x
python3 "$MKBOOTIMG_PATH" --kernel "${DIST_DIR}/${KERNEL_BINARY}" \
    --header_version "${BOOT_IMAGE_HEADER_VERSION}" \
    "${MKBOOTIMG_ARGS[@]}" -o "${DIST_DIR}/boot.img"
set +x
```

The following output after the build indicates success: boot image created at /home/kpa/pixel3_kernel/out/android-msm-pixel-4.9/dist/boot.img

```sh
adb reboot bootloader

fastboot devices
# Write to the phone
# This one is temporary and reverts on reboot; recommended for testing that everything works
fastboot boot boot.img

# This one is permanent, use with caution; flash only after confirming the build is correct
fastboot flash boot boot.img


# Confirm the version; the write succeeded
> adb shell
blueline:/ $ cat /proc/version
Linux version 4.9.270-dirty (kpa@ubuntu) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee)) #1 repo:android-msm-crosshatch-4.9-android12 SMP PREEMPT Fri Jun
```

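Enable kernel options

Look at build.config in the source directory: DEFCONFIG=b1c1_defconfig. The corresponding bluecross configuration file is at ~/pixel3_kernel/private/msm-google/arch/arm64/configs/b1c1_defconfig

Oddly, this file is not named blueline; everyone else's is named after the device codename.

```sh
cd private/msm-google
# Generate the config from b1c1_defconfig
make ARCH=arm64 b1c1_defconfig
# Open the configuration UI
make ARCH=arm64 menuconfig
# Press / to search

# Save the config; this generates a defconfig file under private/msm-google, copy it into the vendor config directory below
make ARCH=arm64 savedefconfig

# Overwrite the config
cd ~/pixel3_kernel/private/msm-google/arch/arm64/configs/

# If the build fails, go into the msm-google directory and run make mrproper to clean up, because leftover config files remain
```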

Recommended options to enable

```sh
# Source:
# https://evilpan.com/2022/01/03/kernel-tracing/
# To support KPROBES, UPROBES, TRACEPOINTS and similar features, add the following options to the kernel configuration:
-e CONFIG_KPROBES \
-e CONFIG_BLK_DEV_IO_TRACE \
-e CONFIG_PROBE_EVENTS \
-e CONFIG_KPROBE_EVENT \

# Disable the kernel's security features and enable debugging support:
-d CONFIG_LTO \
-d CONFIG_LTO_CLANG \
-d CONFIG_CFI_CLANG \
-d CFI_PERMISSIVE \
-d CFI_CLANG \
-e CONFIG_IRQSOFF_TRACER \
-e CONFIG_PREEMPT_TRACER \
-e CONFIG_DEBUG_FS \
-e CONFIG_CHECKPOINT_RESTORE \
-d CONFIG_RANDOMIZE_BASE \

# Enable eBPF support:
-e CONFIG_BPF \
-e CONFIG_BPF_SYSCALL \
-e CONFIG_BPF_JIT \
-e CONFIG_HAVE_EBPF_JIT \
-e CONFIG_IKHEADERS \

# Enable kretprobe support:
-e CONFIG_KRETPROBES \
-e CONFIG_HAVE_KRETPROBES \
-d CONFIG_SHADOW_CALL_STACK \
-e CONFIG_ROP_PROTECTION_NONE \

# Enable ftrace support:
-e CONFIG_FTRACE_SYSCALLS \
-e CONFIG_FUNCTION_TRACER \
-e CONFIG_HAVE_DYNAMIC_FTRACE \
-e CONFIG_DYNAMIC_FTRACE \

# Enable uprobes support:
-e CONFIG_UPROBES \
-e CONFIG_UPROBE_EVENT \
-e CONFIG_BPF_EVENTS \

# Options recommended by BCC:
-e CONFIG_DEBUG_PREEMPT \
-e CONFIG_PREEMPTIRQ_EVENTS \
-d CONFIG_PROVE_LOCKING \
-d CONFIG_LOCKDEP
```

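There are too many options, and I can't be bothered to change them one by one.

Look at the BUILD_CONFIG=private/msm-google/build.config.bluecross_no-cfi setting in ./build_bluecross.sh and edit build.config.bluecross_no-cfi directly. It is best to back the file up first.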

```sh
DEFCONFIG=b1c1_defconfig
KERNEL_DIR=private/msm-google
. ${ROOT_DIR}/${KERNEL_DIR}/build.config.common.clang
POST_DEFCONFIG_CMDS="check_defconfig && update_nocfi_config"

function update_nocfi_config() {
  # Disable clang-specific options
  ${KERNEL_DIR}/scripts/config --file ${OUT_DIR}/.config \
    -d LTO \
    -d LTO_CLANG \
    -d CFI \
    -d CFI_PERMISSIVE \
    -d CFI_CLANG \
    -d CONFIG_LTO \
    -d CONFIG_LTO_CLANG \
    -d CONFIG_CFI_CLANG \
    -d CFI_PERMISSIVE \
    -d CFI_CLANG \
    -e CONFIG_IRQSOFF_TRACER \
    -e CONFIG_PREEMPT_TRACER \
    -e CONFIG_DEBUG_FS \
    -e CONFIG_CHECKPOINT_RESTORE \
    -d CONFIG_RANDOMIZE_BASE \
    -e CONFIG_BPF \
    -e CONFIG_BPF_SYSCALL \
    -e CONFIG_BPF_JIT \
    -e CONFIG_HAVE_EBPF_JIT \
    -e CONFIG_IKHEADERS \
    -e CONFIG_KRETPROBES \
    -e CONFIG_HAVE_KRETPROBES \
    -d CONFIG_SHADOW_CALL_STACK \
    -e CONFIG_ROP_PROTECTION_NONE \
    -e CONFIG_FTRACE_SYSCALLS \
    -e CONFIG_FUNCTION_TRACER \
    -e CONFIG_HAVE_DYNAMIC_FTRACE \
    -e CONFIG_DYNAMIC_FTRACE \
    -e CONFIG_UPROBES \
    -e CONFIG_UPROBE_EVENT \
    -e CONFIG_BPF_EVENTS \
    -e CONFIG_DEBUG_PREEMPT \
    -e CONFIG_PREEMPTIRQ_EVENTS \
    -d CONFIG_PROVE_LOCKING \
    -d CONFIG_LOCKDEP

  (cd ${OUT_DIR} && \
   make ${CC_LD_ARG} O=${OUT_DIR} olddefconfig)
}
```

Build again and check whether the options were enabled

```sh
adb shell zcat /proc/config.gz | grep CONFIG_PERF_EVENTS
```
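The `grep` above checks a single symbol. The following added example (not part of the original post) checks a whole `-e`/`-d` list against a kernel config in one pass, which also exposes requested options that `olddefconfig` silently dropped because their Kconfig dependencies were not met. `check_kconfig` and `sample_config` are hypothetical names, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). check_kconfig reads a kernel
# config on stdin and takes the same -e/-d pairs that scripts/config takes.
# On a device:  adb shell zcat /proc/config.gz | check_kconfig -e CONFIG_BPF ...
# (/proc/config.gz only exists when the kernel has CONFIG_IKCONFIG_PROC.)
check_kconfig() {
    cfg=$(tr -d '\r')            # drop CRs that some adb versions append
    rc=0
    while [ "$#" -ge 2 ]; do
        flag=$1
        opt=CONFIG_${2#CONFIG_}  # accept names with or without the prefix
        shift 2
        if printf '%s\n' "$cfg" | grep -Eq "^${opt}=(y|m)$"; then
            state=on
        else
            state=off            # "# CONFIG_X is not set" or absent entirely
        fi
        case "$flag:$state" in
            -e:off) echo "NOT_SET  $opt"; rc=1 ;;
            -d:on)  echo "STILL_ON $opt"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample standing in for a device's /proc/config.gz contents.
sample_config() {
    cat <<'EOF'
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_UPROBES=y
# CONFIG_KPROBE_EVENT is not set
# CONFIG_LTO_CLANG is not set
CONFIG_RANDOMIZE_BASE=y
EOF
}

# Prints NOT_SET for KPROBE_EVENT and STILL_ON for RANDOMIZE_BASE.
sample_config | check_kconfig \
    -e CONFIG_BPF -e CONFIG_BPF_SYSCALL -e CONFIG_UPROBES \
    -e CONFIG_KPROBE_EVENT \
    -d CONFIG_LTO_CLANG -d CONFIG_RANDOMIZE_BASE \
    || echo "config does not match the requested options"
```

Swapping the flags (`-e CONFIG_CFI_CLANG -e CONFIG_SHADOW_CALL_STACK -e CONFIG_RANDOMIZE_BASE`) turns the same check into an audit that a production kernel still has the mitigations this debug build turns off.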

No luck.

https://github.com/tiann/KernelSU/discussions/956

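Enabling the CONFIG_KPROBE_EVENT option makes the phone crash as soon as it boots. The 4.9 kernel does not seem to support it. According to the related articles I read, 4.9 predates UPROBES, so the support has to be backported for the phone.

I am stopping here for now; this can only serve as a configuration reference for other models.

References

https://bbs.kanxue.com/thread-274790.htm

https://blog.seeflower.dev/archives/17/

https://blog.arstercz.com/introduction_to_linux_dynamic_tracing/

https://evilpan.com/2022/01/03/kernel-tracing/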