鸿蒙调试

鸿蒙调试

参考

https://mp.weixin.qq.com/s/YQan1T26eoWJblKrRkKoPA

DevEco Studio-鸿蒙应用集成开发环境(IDE)-华为开发者联盟

ide

image

初始化时选择 5.10 版本;安装完成后提取系统镜像(system.img)进行修改

image

进入虚拟机 挂载


# Loop-mount the extracted system image so its files can be edited in place.
mnt=/mnt/harmony
mkdir -p "$mnt"
mount -o loop,offset=0 /system.img "$mnt"

image

# Enter the mounted image root and list its top-level entries.
cd /mnt/harmony; ls

image

修改/system/etc/param/ohos.para


// Before the change
const.secure=1
const.debuggable=0
// After the change. const.secure=0 is also the condition of the
// "boot && const.secure=0" job in hdcd.cfg, which sets const.hdc.secure to 0.
// NOTE(review): const.debuggable=1 presumably marks the image as a debug build;
// the page does not show where it is consumed.
const.secure=0
const.debuggable=1

image

修改system/etc/param/hdc.para

修改前:
const.hdc.version = "Ver: 3.0.0b"
修改后(仅启用 USB 通道,TCP 与 UART 通道保持关闭):
const.hdc.version = "Ver: 3.2.0b"
persist.hdc.mode.usb = "enable"
persist.hdc.mode.tcp = "disable"
persist.hdc.mode.uart = "disable"

image

修改/system/etc/init/hdcd.cfg

参考地址(hdcd.root.cfg,其中 hdcd 服务的 uid 为 root):https://gitee.com/openharmony/developtools_hdc/blob/OpenHarmony-6.0-Release/src/daemon/etc/hdcd.root.cfg

{
"jobs" : [{
"name" : "post-fs-data",
"cmds" : [
"mkdir /data/service/el1/public/hdc 0775 root shell",
"restorecon /data/service/el1/public/hdc"
]
},{
"name" : "param:persist.hdc.control=false",
"condition" : "persist.hdc.control=false",
"cmds" : [
"setparam persist.hdc.control.shell false",
"setparam persist.hdc.control.file false",
"setparam persist.hdc.control.fport false"
]
},{
"name" : "param:persist.hdc.control=true",
"condition" : "persist.hdc.control=true",
"cmds" : [
"setparam persist.hdc.control.shell true",
"setparam persist.hdc.control.file true",
"setparam persist.hdc.control.fport true"
]
},{
"name" : "param:persist.hdc.control_system=true",
"condition" : "persist.hdc.control_system=true",
"cmds" : [
"setparam persist.hdc.control true"
]
},{
"name" : "param:persist.hdc.control_system=false",
"condition" : "persist.hdc.control_system=false",
"cmds" : [
"setparam persist.hdc.control false"
]
},{
"name" : "param:persist.hdc.replace=true",
"condition" : "persist.hdc.replace=true",
"cmds" : [
"stop hdcd",
"chmod 0755 /data/hdcd",
"chmod 0644 /data/libuv.so",
"chmod 0644 /data/libhdc.dylib.so",
"chmod 0644 /data/libylong_runtime.dylib.so",
"sleep 1",
"copy /data/hdcd /system/bin/hdcd",
"copy /data/libuv.so /system/lib64/libuv.so",
"copy /data/libuv.so /system/lib/libuv.so",
"copy /data/libhdc.dylib.so /system/lib64/libhdc.dylib.so",
"copy /data/libhdc.dylib.so /system/lib/libhdc.dylib.so",
"copy /data/libylong_runtime.dylib.so /system/lib64/libylong_runtime.dylib.so",
"copy /data/libylong_runtime.dylib.so /system/lib/libylong_runtime.dylib.so",
"start hdcd",
"setparam persist.hdc.replace false"
]
},{
"name" : "boot && param:const.hdc.secure=0",
"condition" : "boot && const.secure=0",
"cmds" : [
"setparam const.hdc.secure 0"
]
},{
"name" : "param:persist.hdc.mode.tcp=disable && param:persist.hdc.mode.usb=disable",
"condition" : "persist.hdc.mode.tcp=disable && persist.hdc.mode.usb=disable",
"cmds" : [
"stop hdcd"
]
},{
"name" : "param:persist.hdc.mode.tcp=disable && param:persist.hdc.mode.usb=enable",
"condition" : "persist.hdc.mode.tcp=disable && persist.hdc.mode.usb=enable",
"cmds" : [
"reset hdcd"
]
},{
"name" : "param:persist.hdc.mode.tcp=enable && param:persist.hdc.mode.usb=disable",
"condition" : "persist.hdc.mode.tcp=enable && persist.hdc.mode.usb=disable",
"cmds" : [
"reset hdcd"
]
},{
"name" : "param:persist.hdc.mode.tcp=enable && param:persist.hdc.mode.usb=enable",
"condition" : "persist.hdc.mode.tcp=enable && persist.hdc.mode.usb=enable",
"cmds" : [
"reset hdcd"
]
}
],
"services" : [{
"name" : "hdcd",
"path" : ["/system/bin/hdcd"],
"uid" : "root",
"gid" : [ "root", "shell", "log", "readproc", "file_manager" ],
"setuid" : true,
"socket" : [{
"name" : "hdcd",
"family" : "AF_UNIX",
"type" : "SOCK_SEQPACKET",
"protocol" : "default",
"permissions" : "0660",
"uid" : "root",
"gid" : "shell"
}],
"critical" : [ 0, 10, 10 ],
"apl" : "normal",
"permission" : [
"ohos.permission.CHANGE_ABILITY_ENABLED_STATE",
"ohos.permission.DUMP",
"ohos.permission.GET_BUNDLE_INFO_PRIVILEGED",
"ohos.permission.INSTALL_BUNDLE",
"ohos.permission.REMOVE_CACHE_FILES",
"ohos.permission.ACCELEROMETER",
"ohos.permission.CLEAN_BACKGROUND_PROCESSES",
"ohos.permission.START_ABILITIES_FROM_BACKGROUND",
"ohos.permission.PERMISSION_USED_STATS",
"ohos.permission.NOTIFICATION_CONTROLLER",
"ohos.permission.PUBLISH_SYSTEM_COMMON_EVENT",
"ohos.permission.CLEAN_APPLICATION_DATA",
"ohos.permission.START_SYSTEM_DIALOG",
"ohos.permission.GET_RUNNING_INFO",
"ohos.permission.CONTROL_SVC_CMD",
"ohos.permission.SET_WIFI_INFO",
"ohos.permission.MANAGE_WIFI_CONNECTION",
"ohos.permission.HIVIEW_TRACE_MANAGE",
"ohos.permission.INSTALL_PLUGIN_BUNDLE",
"ohos.permission.UNINSTALL_PLUGIN_BUNDLE",
"ohos.permission.NETWORK_SIMULATE",
"ohos.permission.GET_WIFI_INFO",
"ohos.permission.SET_WIFI_CONFIG",
"ohos.permission.GET_WIFI_INFO_INTERNAL",
"ohos.permission.MANAGE_ENTERPRISE_WIFI_CONNECTION"
],
"permission_acls" : [
"ohos.permission.CHANGE_ABILITY_ENABLED_STATE",
"ohos.permission.DUMP",
"ohos.permission.GET_BUNDLE_INFO_PRIVILEGED",
"ohos.permission.INSTALL_BUNDLE",
"ohos.permission.REMOVE_CACHE_FILES",
"ohos.permission.START_ABILITIES_FROM_BACKGROUND",
"ohos.permission.PERMISSION_USED_STATS",
"ohos.permission.NOTIFICATION_CONTROLLER",
"ohos.permission.PUBLISH_SYSTEM_COMMON_EVENT",
"ohos.permission.CLEAN_APPLICATION_DATA",
"ohos.permission.START_SYSTEM_DIALOG",
"ohos.permission.GET_RUNNING_INFO",
"ohos.permission.CONTROL_SVC_CMD",
"ohos.permission.MANAGE_WIFI_CONNECTION",
"ohos.permission.HIVIEW_TRACE_MANAGE",
"ohos.permission.INSTALL_PLUGIN_BUNDLE",
"ohos.permission.UNINSTALL_PLUGIN_BUNDLE",
"ohos.permission.NETWORK_SIMULATE",
"ohos.permission.SET_WIFI_CONFIG",
"ohos.permission.GET_WIFI_INFO_INTERNAL",
"ohos.permission.MANAGE_ENTERPRISE_WIFI_CONNECTION"
],
"sandbox" : 0,
"start-mode" : "condition",
"secon" : "u:r:hdcd:s0",
"disabled" : 1
}
]
}

修改/system/etc/selinux/system_common.cil

修改前
(type sh)
修改后(typepermissive 将 sh 域设为 permissive,SELinux 对该域的拒绝只记录、不拦截)
(typepermissive sh)

取消挂载

# Detach the loop mount so the edited files are written back to system.img
# before the emulator opens the image again.
umount /mnt/harmony

重新启动模拟器

image

逆向Emulator.exe

image

搜索CheckSign

image

image

跟进找到返回值的地方

/*
 * Decompiler output for the emulator's release-signature check.
 *
 * The two log calls in the body pass the strings "VerifyReleaseCmsFile" and
 * a path ending in CheckSign.c, so this routine is presumably
 * VerifyReleaseCmsFile from that source file (the decompiler itself only
 * knows it as sub_1405F58D0).
 *
 * Flow, as far as the listing shows:
 *   1. create a context (sub_14075A2E0) and configure it (sub_14075B660);
 *   2. assemble a 1455-byte blob from data embedded in the binary and hand
 *      it to sub_14075A5D0 -- presumably the trusted certificate/key
 *      material; the listing does not say what the blob contains;
 *   3. call sub_14075AA60 with the context, a2, a1 and &v11, then inspect
 *      its status (v9) and the out-value v11.
 *
 * Return value:
 *   - 2282749953 (0x88100001) when a1 or a2 is zero;
 *   - the non-zero status of sub_14075A2E0 or sub_14075B660 when one fails;
 *   - 0 on every path after those two calls succeed.
 *
 * NOTE(review): in this listing the malloc-failure path, the verify-error
 * path, the "not match" path (v11 != 1) and the matching case all end in
 * `return 0`, so the return value alone does not tell the caller whether
 * the signature verified. The page does not state whether this is the
 * original or the modified code -- confirm against an unmodified binary
 * before drawing conclusions about the shipped behaviour.
 *
 * NOTE(review): a1 and a2 are presumably the signed data and its CMS
 * signature (in some order); their types and lengths are not visible here.
 */
__int64 __fastcall sub_1405F58D0(__int64 a1, __int64 a2)
{
__int64 result; // rax
char *v5; // rax
char *v6; // rsi
int v7; // eax
__int64 v8; // rcx
int v9; // eax
__int64 v10; // [rsp+38h] [rbp-70h] BYREF
int v11; // [rsp+44h] [rbp-64h] BYREF
__int64 p_n72; // [rsp+48h] [rbp-60h] BYREF
__int128 v13; // [rsp+50h] [rbp-58h]
__int128 v14; // [rsp+60h] [rbp-48h]
__int128 v15; // [rsp+70h] [rbp-38h]
__int128 v16; // [rsp+80h] [rbp-28h]

// v10 receives the context handle from sub_14075A2E0; v13..v16 are zeroed
// stack storage that sits directly after p_n72 (64 bytes; with p_n72 that is
// 72 bytes, matching the value stored in p_n72 -- presumably one structure
// whose first field is its own size).
v10 = 0;
v16 = 0;
v15 = 0;
v14 = 0;
v13 = 0;
p_n72 = 72;
// v11 is the out-value written by sub_14075AA60; 1 is the only value the
// code below treats as a match.
v11 = 0;
// Default status, returned unchanged when either argument is zero.
result = 2282749953LL;
if ( a1 != 0 && a2 != 0 )
{
result = sub_14075A2E0(&v10, &p_n72);
if ( !result )
{
result = sub_14075B660(v10, 2);
if ( !result )
{
// 0x5AF == 1455 bytes: room for the embedded blob assembled below.
v5 = malloc(0x5AFu);
if ( !v5 )
{
// sub_14075B360 is called with the context on every exit from here on;
// presumably it releases the context created above.
sub_14075B360(v10);
return 0;
}
v6 = v5;
// Bytes 0..1415 (0x588) come from one embedded table; the three stores
// that follow fill the tail up to offset 1454. The decompiler shows them
// on a char * but the stored constants are 8 and 16 bytes wide, so the
// stores overlap at offset 1447 -- assumes packed, unaligned writes.
memcpy(v5, &unk_145A81E10, 0x588u);
*(v6 + 1447) = 0xAA3C126C77A8B9E6uLL;
*(v6 + 1416) = xmmword_145A81DE0;
*(v6 + 1432) = xmmword_145A81DF0;
// Load the 1455-byte blob into the context; non-zero means failure.
v7 = sub_14075A5D0(v10, v6, 1455);
v8 = v10;
if ( v7 )
goto LABEL_12;
// The verification call proper: v9 is its status, v11 its result flag.
v9 = sub_14075AA60(v10, a2, a1, &v11);
if ( v9 )
{
// n2 is not declared in this function; presumably a global log-level
// threshold that gates the error message.
if ( n2 <= 2 )
sub_1404DF5C0(
"E",
"..\\emulator\\emulator-ui\\utils\\sign\\CheckSign.c",
"VerifyReleaseCmsFile",
182,
"verify signature error, code %08x.\r\n",
v9);
v8 = v10;
// Shared cleanup for the blob-load failure and the verify-error path.
LABEL_12:
sub_14075B360(v8);
free(v6);
return 0;
}
// A result flag other than 1 is only logged; control then falls through
// to the same cleanup and the same return value as the matching case.
if ( v11 != 1 && n2 <= 2 )
sub_1404DF5C0(
"E",
"..\\emulator\\emulator-ui\\utils\\sign\\CheckSign.c",
"VerifyReleaseCmsFile",
189,
"verify signature not match.\r\n");
sub_14075B360(v10);
free(v6);
return 0;
}
}
}
// Reached only for a zero argument or a failed setup call.
return result;
}

修改完成后保存,将文件替换回原位置,然后重新启动

image

开机成功

image

安全下机 后面再接着搞