WO2021022729A1 - Root permission assignment method and apparatus, storage medium, and terminal device - Google Patents

Publication number
WO2021022729A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
preset
digital signature
terminal
information
Prior art date
Application number
PCT/CN2019/121812
Other languages
French (fr)
Chinese (zh)
Inventor
郑金国
张燕香
Original Assignee
惠州Tcl移动通信有限公司
Priority date
Filing date
Publication date
Application filed by 惠州Tcl移动通信有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication

Definitions

  • This application relates to the field of communication technology, and in particular to a method, device, storage medium, and terminal device for assigning root permissions.
  • Root is the only super user in the system and has all the permissions in the system, such as starting or stopping a process, deleting or adding users, adding or disabling hardware, etc.
  • The administrator account of Google's Android system is called Root.
  • The Root account has the supreme right of the entire system. It can access and modify almost all files of the terminal device and has the highest level of management authority.
  • The process of rooting a mobile phone is the process of obtaining the highest use permission of the mobile phone (that is, root permission).
  • The process of rooting a mobile phone is actually the process of copying the su executable file to the /system/xbin directory of the Android system and modifying its permission to 4755. Because more and more Android phones have added various protection functions, such as SELinux (Security-Enhanced Linux, a mandatory access control security system), it is very difficult for users to write directly to the /system/xbin directory, so the phone cannot obtain root privileges.
  • the embodiments of the present application provide a method, device, storage medium, and terminal device for assigning root authority, which can be applied to the assignment of root authority of various terminals with strong reliability.
  • the embodiment of the present application provides a method for allocating root authority, which is applied to a terminal device.
  • the terminal device is provided with multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition.
  • the allocation method includes:
  • When the terminal device restarts and enters the first preset stage, acquiring device attribute information from the terminal chip, where the device attribute information includes a device identification code;
  • root permission is assigned to the terminal device based on a preset executable file.
  • controlling the system partition to enter a writable state according to the digital signature information and the device identification code includes:
  • the system partition is controlled to enter a writable state.
  • the judging whether the terminal device is granted modification authority according to the information digest and the decrypted digest includes:
  • the device attribute information further includes a terminal model and/or version number, and determining the information digest according to the message digest algorithm and the device identification code includes:
  • a message digest algorithm is used to process the combined code to obtain a message digest.
  • controlling the system partition to enter a writable state includes:
  • When the terminal device enters the second preset stage from the first preset stage, the access control module is set to the permissive mode and the access verification module is turned off, so that the system partition enters the writable state, wherein, in the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • the allocating root authority to the terminal device based on a preset executable file includes:
  • the preset executable file is stored in the target directory of the system partition, and the authority parameter is modified to a preset value to assign root authority to the terminal device.
  • the method further includes:
  • The device attribute information is obtained from the terminal chip and written into the preset offset position in the target partition, so that the flashing software acquires the device attribute information from the preset offset position, generates digital signature information according to the device attribute information, and then stores the digital signature information at the preset offset position;
  • the acquiring digital signature information from the target partition includes: acquiring the digital signature information from the preset offset position in the target partition.
  • the embodiment of the present application also provides a root authority distribution device, which is applied to a terminal device.
  • the terminal device is provided with multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition.
  • the distribution device includes:
  • the first obtaining unit is configured to obtain device attribute information from the terminal chip when the terminal device restarts to enter the first preset stage, where the device attribute information includes a device identification code;
  • the second acquiring unit is configured to acquire digital signature information from the target partition
  • a control unit configured to control the system partition to enter a writable state according to the digital signature information and the device identification code
  • the allocation unit is configured to allocate root permissions to the terminal device based on a preset executable file in the writable state.
  • control unit specifically includes:
  • a determining subunit configured to determine a message digest according to a message digest algorithm and the device identification code
  • the decryption subunit is used to decrypt the digital signature information by using the preset public key to obtain a decrypted digest
  • the judging subunit is used for judging whether the terminal device is granted modification authority according to the information digest and the decrypted digest;
  • the control subunit is used for controlling the system partition to enter the writable state if the modification authority is granted.
  • judgment subunit is specifically used for:
  • the device attribute information further includes a terminal model and/or version number, and the determining subunit is specifically used for:
  • a message digest algorithm is used to process the combined code to obtain a message digest.
  • control subunit is specifically configured to:
  • When the terminal device enters the second preset stage from the first preset stage, the access control module is set to the permissive mode and the access verification module is turned off, so that the system partition enters the writable state, wherein, in the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • allocation unit is specifically configured to:
  • the preset executable file is stored in the target directory of the system partition, and the authority parameter is modified to a preset value to assign root authority to the terminal device.
  • the device for assigning root authority further includes a storage unit for:
  • Before acquiring the digital signature information from the target partition, when the terminal device powers on and enters the second preset stage, acquire the device attribute information from the terminal chip, and write the device attribute information into the preset offset position in the target partition, so that the flashing software obtains the device attribute information from the preset offset position, generates digital signature information according to the device attribute information, and then stores the digital signature information at the preset offset position;
  • the second acquiring unit is specifically configured to acquire the digital signature information from the preset offset position in the target partition.
  • An embodiment of the present application also provides a computer-readable storage medium in which a plurality of instructions are stored, and the instructions are suitable for being loaded by a processor to execute any one of the above-mentioned methods for allocating root permissions.
  • An embodiment of the present application also provides a terminal device, including a processor and a memory, the processor is electrically connected to the memory, the memory is used to store instructions and data, and the processor is used to execute any of the above The steps in the method for assigning root permissions.
  • the terminal device is provided with multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition.
  • When the terminal device restarts and enters the first preset stage, it obtains the device attribute information from the terminal chip, where the device attribute information includes the device identification code, then obtains the digital signature information from the target partition, and controls the system partition to enter a writable state according to the digital signature information and the device identification code.
  • The terminal device is assigned root authority based on a preset executable file, which can facilitate the acquisition of root authority of various terminals.
  • The method is simple, has a wide application range, and is highly reliable.
  • FIG. 1 is a schematic flowchart of a method for assigning root permissions provided by an embodiment of the application.
  • FIG. 2 is a schematic flowchart of the process of acquiring root authority of a mobile phone according to an embodiment of the application.
  • FIG. 3 is a schematic flowchart of another method for assigning root permissions according to an embodiment of the application.
  • FIG. 4 is a schematic structural diagram of a root authority distribution device provided by an embodiment of the application.
  • FIG. 5 is a schematic diagram of another structure of a root authority distribution device provided by an embodiment of the application.
  • FIG. 6 is a schematic structural diagram of a control unit 30 provided by an embodiment of the application.
  • FIG. 7 is a schematic structural diagram of a terminal device provided by an embodiment of the application.
  • FIG. 8 is a schematic diagram of another structure of a terminal device provided by an embodiment of the application.
  • a method for distributing root authority is applied to a terminal device.
  • the terminal device is provided with multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition.
  • The method for distributing root authority includes: when the terminal device restarts and enters the first preset stage, obtaining the device attribute information from the terminal chip, where the device attribute information includes the device identification code; obtaining the digital signature information from the target partition; controlling the system partition to enter a writable state according to the digital signature information and the device identification code; and, in the writable state, assigning root permissions to the terminal device based on a preset executable file.
  • controlling the system partition to enter the writable state according to the digital signature information and the device identification code includes:
  • the system partition is controlled to enter a writable state.
  • the judging whether the terminal device is authorized to modify according to the information digest and the decrypted digest includes:
  • the device attribute information further includes a terminal model and/or version number, and determining the information digest according to the message digest algorithm and the device identification code includes:
  • a message digest algorithm is used to process the combined code to obtain a message digest.
  • controlling the system partition to enter a writable state includes:
  • When the terminal device enters the second preset stage from the first preset stage, the access control module is set to the permissive mode and the access verification module is turned off, so that the system partition enters the writable state, wherein, in the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • the allocating root permissions to the terminal device based on a preset executable file includes:
  • the preset executable file is stored in the target directory of the system partition, and the authority parameter is modified to a preset value to assign root authority to the terminal device.
  • the method before acquiring the digital signature information from the target partition, the method further includes:
  • The device attribute information is obtained from the terminal chip and written into the preset offset position in the target partition, so that the flashing software acquires the device attribute information from the preset offset position, generates digital signature information according to the device attribute information, and then stores the digital signature information at the preset offset position;
  • the acquiring digital signature information from the target partition includes: acquiring the digital signature information from the preset offset position in the target partition.
  • FIG. 1 is a schematic flowchart of a method for allocating root permissions provided by an embodiment of the present application.
  • The method for allocating root permissions is applied to a terminal device, and the terminal device is provided with multiple storage partitions, including a system partition and a target partition. The specific process can be as follows:
  • the first preset stage refers to the LK (little kernel) stage, which is the boot stage before the system kernel starts, and is mainly used to initialize hardware, load the kernel, configure initialization registers, command line parameters, and so on.
  • the device attribute information in the terminal chip can be obtained through the system API (Application Programming Interface) of the terminal.
  • The device attribute information mainly refers to the attribute information related to the terminal, such as the device identification code, where the device identification code can be the terminal SN (Serial Number, product serial number) code.
  • The terminal ROM chip can be divided into multiple storage partitions. Different storage partitions are used to store different data and implement different functions. For example, the system partition is used to store system files, the cache partition is used to store cache data, and the userdata partition is used to store user data, etc.
  • the target partition refers to a designated partition in the terminal device other than the system partition, such as the Proinfo partition. It is easy to understand that the digital signature information should be stored in advance, that is, before the above step S102, the root authority distribution method further includes:
  • The device attribute information is obtained from the terminal chip and written into the preset offset position in the target partition, so that the flashing software acquires the device attribute information from the preset offset position, generates digital signature information according to the device attribute information, and then stores the digital signature information at the preset offset position.
  • the above step S102 specifically includes: acquiring the digital signature information from the preset offset position in the target partition.
  • the preset offset position may be manually set.
  • the preset offset position may be the start storage address where the 8th MB is located.
  • the second preset stage refers to the kernel stage, which is the kernel startup stage, and is mainly used to start some related processes, such as starting idle processes, kernel_init processes, kthreadd processes, etc.
  • the flashing software can be installed on other terminal devices, such as tablet computers.
  • the application software on other terminal devices cannot directly obtain SN information from the terminal chip of this terminal device, but can read the data in the storage partition.
  • the terminal device must store device attribute information such as SN in a target partition other than the system partition in advance.
  • Each time the terminal device boots into the kernel stage, the native process can be run once, in which the system API is used to obtain device attribute information from the terminal chip for storage, so that other terminal devices can obtain the device attribute information. The other terminal devices can then generate digital signature information, which is produced using asymmetric key encryption technology and digital digest technology.
  • the writable state means that disk read and disk write operations can be performed on the system partition.
  • step S103 may specifically include:
  • the message digest algorithm mainly refers to MD5 (Message-Digest Algorithm) algorithm.
  • the preset public key corresponds to the encryption private key of the digital signature information, that is, the public key and the private key can be stored on the terminal device and other terminal devices respectively.
  • the private key is used to encrypt device attribute information in advance.
  • the public key is used to decrypt the digital signature information when verifying authorization.
  • The information digest can be obtained by directly processing the SN code using the MD5 algorithm.
  • The device attribute information may also include other information, such as the terminal model and/or version number.
  • The determination of the information digest then also needs to combine this information, that is, the above step 1-1 may specifically include:
  • The combination method can be set manually. It can be a simple combination of character codes in a prescribed order.
  • The combination sequence can be device identification code, terminal model, version number; alternatively, the character code can undergo certain processing before or after combination, such as conversion to decimal or hexadecimal, etc. The MD5 algorithm is then used to calculate the information digest of the combined code.
  • steps 1-3 may specifically include:
  • If the decrypted digest and the information digest are equal, it means that the private key used for encryption and the public key used for decryption are a pair, and the acquisition of root authority is legal; otherwise it is illegal.
  • controlling the system partition to enter the writable state specifically includes:
  • When the terminal device enters the second preset stage from the first preset stage, the access control module is set to the permissive mode and the access verification module is turned off, so that the system partition enters a writable state. In the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • the configuration of the write protection function is usually processed in the LK stage.
  • The write protection function is realized by setting the eMMC register in the terminal device, which can put each storage partition of the physical eMMC in an unwritable state. To achieve root, the su executable file must be copied to the system partition. Therefore, at least the write protection function of the system partition must be turned off before copying the file, while the write protection function of other storage partitions can be retained.
  • The configuration of the access control module SELinux (Security-Enhanced Linux) is usually processed in the kernel stage.
  • SELinux is used to check the security context of each object in the system that accesses system resources. It includes two modes: Enforcing Mode and Permissive Mode.
  • Enforcing Mode is used to intercept access that is not configured by the system and print a log entry.
  • Permissive Mode only records the log entry and does not actually block access.
  • The configuration of the access verification module DM-verity (device-mapper-verity) is usually processed in the compiling phase of the kernel phase, which generates the hash tree of the image file during the compiling phase. While the terminal device is running, when a piece of data in the system partition is used, the system automatically checks whether the data matches the recorded data in the hash tree; if it does not match, this piece of data is not allowed to be used. Under this premise, to write the su executable file into the system partition, DM-verity must first be turned off.
  • step S104 may specifically include:
  • the preset executable file is mainly the su executable file
  • the target directory is the root directory of the system partition, that is, /system/xbin
  • the preset value is artificially set, for example, 4755.
  • the method for assigning root permissions is applied to a terminal device.
  • the terminal device is provided with multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition.
  • When the terminal device restarts and enters the first preset stage, it obtains device attribute information from the terminal chip, where the device attribute information includes the device identification code, then obtains the digital signature information from the target partition, and controls the system partition to enter the writable state according to the digital signature information and the device identification code.
  • Root permissions are assigned to the terminal device based on the preset executable file, which can facilitate the acquisition of root permissions for various terminals.
  • The method is simple, the scope of application is wide, and the reliability is strong.
  • Take the case where the first terminal device is a mobile phone and the second terminal device is a computer as an example. The first terminal device is provided with multiple storage partitions, and the multiple storage partitions include a system partition and a target partition.
  • When booting into the second preset stage, the first terminal device obtains device attribute information from its own terminal chip, and writes the device attribute information to a preset offset position in the target partition.
  • The device attribute information includes the device identification code.
  • It can be arranged that, every time the mobile phone enters the kernel phase, the native process uses the system API to obtain the SN information in the terminal chip and stores it in the designated offset position of the Proinfo partition.
  • The second terminal device obtains the device attribute information from the preset offset position by using the installed flashing software, generates digital signature information according to the device attribute information, and then stores the digital signature information at the preset offset position.
  • the user can install the flashing software on the computer and connect the computer to the mobile phone.
  • The flashing software can be downloaded from some platforms. The flashing software can then obtain the SN code from the preset offset position in the mobile phone, sign it with the preset private key, and store the digital signature information in the mobile phone.
  • When restarting and entering the first preset stage, the first terminal device obtains the device attribute information from its own terminal chip, and obtains the digital signature information from the preset offset position.
  • the first terminal device determines an information digest according to the message digest algorithm and the device identification code, and decrypts the digital signature information by using the preset public key to obtain the decrypted digest.
  • The first terminal device judges whether the decrypted digest and the information digest are the same; if they are the same, the following step S206 is performed, and if they are not equal, the restart detection is not performed again.
  • The mobile phone can be restarted, and when entering the LK stage, the SN information is obtained from the chip, the digital signature information is obtained from the specified offset position of the Proinfo partition, and the preset public key is used to decrypt the digital signature information. Under normal circumstances, the decrypted digest obtained by the legal flashing process will be the same as the generated information digest.
  • When in the first preset stage, the first terminal device turns off the write protection function of the system partition, and when entering the second preset stage from the first preset stage, the first terminal device sets the access control module to the permissive mode and turns off the access verification module, so that the system partition enters a writable state, wherein, in the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • the authorization status information can be generated in the LK phase, and the authorization status information can be passed to the kernel phase through the command line.
  • the mobile phone can turn off the write protection function of the system partition.
  • the phone can turn off DM-verity.
  • the first terminal device stores the preset executable file in the target directory of the system partition, and modifies the authority parameter to the preset value to assign root authority to the terminal device.
  • the mobile phone can copy the su executable file to the root directory of the system partition, which is /system/xbin, and set the permission to 4755.
  • The mobile phone then has root permission, and the user can control any process, user account, hardware, etc. in the mobile phone.
  • A prompt interface can be generated, and the prompt interface can display words such as "root success".
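
The exchange described above (the kernel stage publishes the attributes, the flashing software signs their digest, the boot stage checks the signature against the chip's own attributes), as an added Python example that is not code from the application. The demo key, the record layout at the offset, the `|` separator, the sample serial numbers and all function names are constructed for illustration, and unpadded RSA stands in for the signature scheme, which the page does not specify.

```python
import hashlib
import hmac

# Constructed demo key (product of two Mersenne primes): wide enough to hold a
# 128-bit MD5 digest, far too small for real use.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537                     # public half, built into the boot stage
D = pow(E, -1, (P - 1) * (Q - 1))       # private half, held by the flashing tool

OFFSET = 7 * 1024 * 1024                # assumed reading of "start of the 8th MB"
ATTR_SLOT, SIG_LEN = 64, 32             # assumed record layout at OFFSET


def combined_code(sn, model, version):
    """Join the attributes in the page's order; the '|' separator is an assumption."""
    return "|".join((sn, model, version)).encode()


def info_digest(sn, model, version):
    """Information digest over the combined code (MD5, as the page names it)."""
    return hashlib.md5(combined_code(sn, model, version)).digest()


def kernel_stage_publish(partition, sn, model, version):
    """Kernel stage: copy the chip's attributes to the preset offset."""
    blob = combined_code(sn, model, version)
    if len(blob) > ATTR_SLOT - 1:
        raise ValueError("attributes do not fit the slot")
    record = bytes([len(blob)]) + blob.ljust(ATTR_SLOT - 1, b"\0")
    partition[OFFSET:OFFSET + ATTR_SLOT] = record


def flashing_tool_sign(partition):
    """Flashing software: read the attributes, sign their digest, store the result."""
    length = partition[OFFSET]
    blob = bytes(partition[OFFSET + 1:OFFSET + 1 + length])
    digest = int.from_bytes(hashlib.md5(blob).digest(), "big")
    signature = pow(digest, D, N)
    start = OFFSET + ATTR_SLOT
    partition[start:start + SIG_LEN] = signature.to_bytes(SIG_LEN, "big")


def lk_stage_authorized(partition, sn, model, version):
    """Boot stage: the digest of the chip's own attributes must equal the digest
    recovered from the stored signature with the preset public key."""
    start = OFFSET + ATTR_SLOT
    signature = int.from_bytes(partition[start:start + SIG_LEN], "big")
    if not 0 < signature < N:           # blank or out-of-range field
        return False
    recovered = pow(signature, E, N)
    if recovered >> 128:                # cannot be an MD5 digest
        return False
    expected = info_digest(sn, model, version)   # from the chip, not the partition
    return hmac.compare_digest(recovered.to_bytes(16, "big"), expected)


def demo():
    """Run the three stages on a constructed, blank target partition."""
    partition = bytearray(OFFSET + ATTR_SLOT + SIG_LEN)
    phone = ("SN0001", "MODEL-X", "V1.0")        # constructed attribute values
    other = ("SN0002", "MODEL-X", "V1.0")        # a different device
    before = lk_stage_authorized(partition, *phone)
    kernel_stage_publish(partition, *phone)
    flashing_tool_sign(partition)
    return {
        "unsigned": before,
        "signed": lk_stage_authorized(partition, *phone),
        "other device": lk_stage_authorized(partition, *other),
    }


if __name__ == "__main__":
    print(demo())
```

Because the boot stage recomputes the digest from the chip rather than from the partition, a signed record copied to a device with a different serial number does not verify.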
  • this embodiment will be further described from the perspective of a root authority distribution device, and the root authority distribution device can be implemented as an independent entity.
  • the embodiment of the present application provides a root authority distribution device, which is applied to a terminal device.
  • the terminal device is provided with multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition.
  • the distribution device includes:
  • the first obtaining unit is configured to obtain device attribute information from the terminal chip when the terminal device restarts to enter the first preset stage, where the device attribute information includes a device identification code;
  • the second acquiring unit is configured to acquire digital signature information from the target partition
  • a control unit configured to control the system partition to enter a writable state according to the digital signature information and the device identification code
  • the allocation unit is configured to allocate root permissions to the terminal device based on a preset executable file in the writable state.
  • control unit specifically includes:
  • a determining subunit configured to determine a message digest according to a message digest algorithm and the device identification code
  • the decryption subunit is used to decrypt the digital signature information by using the preset public key to obtain a decrypted digest
  • the judging subunit is used for judging whether the terminal device is granted modification authority according to the information digest and the decrypted digest;
  • the control subunit is used for controlling the system partition to enter the writable state if the modification authority is granted.
  • the judgment subunit is specifically configured to:
  • the device attribute information further includes a terminal model and/or version number, and the determining subunit is specifically configured to:
  • a message digest algorithm is used to process the combined code to obtain a message digest.
  • control subunit is specifically configured to:
  • When the terminal device enters the second preset stage from the first preset stage, the access control module is set to the permissive mode and the access verification module is turned off, so that the system partition enters the writable state, wherein, in the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • the allocation unit is specifically configured to:
  • the preset executable file is stored in the target directory of the system partition, and the authority parameter is modified to a preset value to assign root authority to the terminal device.
  • the device for assigning root authority further includes a storage unit for:
  • Before acquiring the digital signature information from the target partition, when the terminal device powers on and enters the second preset stage, acquire the device attribute information from the terminal chip, and write the device attribute information into the preset offset position in the target partition, so that the flashing software obtains the device attribute information from the preset offset position, generates digital signature information according to the device attribute information, and then stores the digital signature information at the preset offset position;
  • the second acquiring unit is specifically configured to acquire the digital signature information from the preset offset position in the target partition.
  • the terminal device may include a mobile phone, a tablet computer, a personal PC, etc., and the terminal device has multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition, and the apparatus for assigning root authority may include: a first obtaining unit 10, a second obtaining unit 20, a control unit 30, and a distribution unit 40, wherein:
  • The first acquisition unit 10
  • the first obtaining unit 10 is configured to obtain device attribute information from the terminal chip when the terminal device restarts and enters the first preset stage, where the device attribute information includes a device identification code.
  • the first preset stage refers to the LK (little kernel) stage, which is the boot stage before the system kernel starts, and is mainly used to initialize hardware, load the kernel, configure initialization registers, command line parameters, and so on.
  • the device attribute information in the terminal chip can be obtained through the system API (Application Programming Interface) of the terminal.
  • the device attribute information mainly refers to the attribute information related to the terminal, such as the device identification code, which can be the terminal SN (Serial Number, product serial number) code.
  • the second obtaining unit 20 is configured to obtain digital signature information from the target partition.
  • the terminal ROM chip can be divided into multiple storage partitions. Different storage partitions are used to store different data and implement different functions. For example, the system partition is used to store system files, the cache partition is used to store cache data, and the userdata partition is used to store user data, etc.
  • the target partition refers to a designated partition in the terminal device other than the system partition, such as the Proinfo partition. It is easy to understand that the digital signature information should be stored in advance, that is, referring to Figure 5, the root authority distribution device further includes a storage unit 50 for:
  • the device attribute information is obtained from the terminal chip, and the device attribute information is written into the preset offset position in the target partition, so that the flashing software obtains the device attribute information from the preset offset position, generates digital signature information according to the device attribute information, and then stores the digital signature information at the preset offset position.
  • the second obtaining unit 20 is specifically configured to obtain the digital signature information from the preset offset position in the target partition.
  • the preset offset position may be manually set.
  • the preset offset position may be the start storage address where the 8th MB is located.
  • the second preset stage refers to the kernel stage, which is the kernel startup stage, and is mainly used to start some related processes, such as starting idle processes, kernel_init processes, kthreadd processes, etc.
  • the flashing software can be installed on other terminal devices, such as tablet computers.
  • the application software on other terminal devices cannot directly obtain SN information from the terminal chip of this terminal device, but can read the data in the storage partition.
  • the terminal device must store device attribute information such as SN in a target partition other than the system partition in advance.
  • each time the terminal device boots into the kernel stage, it can run a native process once, in which the system API is used to obtain device attribute information from the terminal chip for storage, so that other terminal devices can obtain the device attribute information and then generate digital signature information, which is processed by asymmetric key encryption technology and digital digest technology.
  • the control unit 30 is configured to control the system partition to enter a writable state according to the digital signature information and the device identification code.
  • the writable state means that disk read and disk write operations can be performed on the system partition.
  • control unit 30 specifically includes:
  • the determining subunit 31 is configured to determine the message digest according to the message digest algorithm and the device identification code;
  • the decryption subunit 32 is used to decrypt the digital signature information by using the preset public key to obtain a decrypted digest
  • the judging subunit 33 is used for judging whether the terminal device is granted modification authority according to the information digest and the decryption digest;
  • the control subunit 34 is configured to control the system partition to enter a writable state if the modification authority is granted.
  • the message digest algorithm mainly refers to MD5 (Message-Digest Algorithm) algorithm.
  • the preset public key corresponds to the encryption private key of the digital signature information, that is, the public key and the private key can be stored on the terminal device and other terminal devices respectively.
  • the private key is used to encrypt device attribute information in advance.
  • the public key is used to decrypt the digital signature information when verifying authorization.
  • the information summary can be obtained by directly processing the SN code using the MD5 algorithm.
  • the device attribute information may also include other information, such as the terminal model and/or version number.
  • the determination of the information summary also needs to combine this information, that is, the device attribute information also includes the terminal model and/or version number.
  • the determining subunit 31 is specifically used for:
  • the combination method can be set manually. It can be a simple combination of character codes in a prescribed order.
  • the combination sequence can be device identification code, terminal model, version number; alternatively, the character codes can undergo certain processing before or after combination, such as conversion to decimal or hexadecimal, and then the MD5 algorithm is used to calculate the information digest of the combined code.
  • judgment subunit 33 is specifically used for:
  • if the decryption digest and the information digest are equal, it means that the key used for encryption and the key used for decryption are a pair, and the acquisition of root authority is legal; otherwise it is illegal.
  • control subunit 34 is specifically used for:
  • when the terminal device enters the second preset stage from the first preset stage, the access control module is set to permissive mode, and the access verification module is turned off, so that the system partition enters a writable state. In permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • the configuration of the write protection function is usually processed in the LK stage.
  • the write protection function is realized by setting the EMMC register in the terminal device, which can put each storage partition of the physical EMMC in an unwritable state. To achieve root, the su executable file must be copied to the system partition; therefore, at least the write protection function of the system partition must be turned off before copying the file, while the write protection function of other storage partitions can be retained.
  • the configuration of the access control module selinux (Security-Enhanced Linux) is usually processed in the kernel stage.
  • selinux is used to check the security context of each object in the system accessing system resources. It includes two modes: Enforcing Mode and Permissive Mode.
  • Enforcing Mode is used to intercept access that is not configured by the system and print out the LOG log.
  • the permissive mode is only used to record the LOG, but does not really block access.
  • the configuration of the access verification module DM-verity (device-mapper-verity) is usually processed in the compiling phase of the kernel phase, which generates the hash tree of the image file. While the terminal device is running, whenever a piece of data in the system partition is used, the system automatically checks whether the data matches the recorded data in the hash tree; if it does not match, this piece of data is not allowed to be used. Under this premise, to write the su executable file into the system partition, DM-verity must first be turned off.
  • the allocation unit 40 is configured to allocate root permissions to the terminal device based on a preset executable file in the writable state.
  • the allocation unit 40 is specifically used for:
  • the preset executable file is mainly the su executable file
  • the target directory is the root directory of the system partition, that is, /system/xbin
  • the preset value is manually set, for example, 4755.
  • each of the above units can be implemented as an independent entity, or can be combined arbitrarily, and implemented as the same or several entities.
  • each of the above units please refer to the previous method embodiments, which will not be repeated here.
  • the method for assigning root permissions is applied to a terminal device.
  • the terminal device is provided with multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition.
  • the device attribute information is obtained from the terminal chip through the first obtaining unit 10, and the device attribute information includes the device identification code.
  • the second obtaining unit 20 obtains the digital signature information from the target partition, and the control unit 30 controls the system partition to enter a writable state according to the digital signature information and the device identification code.
  • the adjustment module 40 assigns root permissions to the terminal device based on a preset executable file, which is applicable to various terminals.
  • the method of obtaining root authority is simple, widely applicable, and reliable.
  • the embodiment of the present application also provides a terminal device, which may be a device such as a smart phone or a tablet computer.
  • the terminal device 200 includes a processor 201 and a memory 202. Wherein, the processor 201 and the memory 202 are electrically connected.
  • the processor 201 is the control center of the terminal device 200. It uses various interfaces and lines to connect the various parts of the entire terminal device. It executes various functions of the terminal device and processes data by running or loading the application programs stored in the memory 202 and calling the data stored in the memory 202, so as to monitor the terminal device as a whole.
  • the terminal device 200 is provided with multiple storage partitions, and the multiple storage partitions include a system partition and a target partition.
  • the processor 201 in the terminal device 200 loads the instructions corresponding to the processes of one or more application programs into the memory 202 according to the following steps, and the processor 201 runs the application programs stored in the memory 202, thereby realizing various functions:
  • when the terminal device restarts and enters the first preset stage, obtain device attribute information from the terminal chip, where the device attribute information includes a device identification code;
  • root authority is assigned to the terminal device based on the preset executable file.
  • FIG. 8 shows a specific structural block diagram of a terminal device provided by an embodiment of the present invention, and the terminal device can be used to implement the root authority distribution method provided in the foregoing embodiment.
  • the terminal device 300 may be a smart phone or a tablet computer.
  • the RF circuit 310 is used to receive and send electromagnetic waves, realize the mutual conversion between electromagnetic waves and electrical signals, and communicate with a communication network or other devices.
  • the RF circuit 310 may include various existing circuit elements for performing these functions, for example, an antenna, a radio frequency transceiver, a digital signal processor, an encryption/decryption chip, a subscriber identity module (SIM) card, a memory, and so on.
  • the RF circuit 310 can communicate with various networks such as the Internet, an intranet, and a wireless network, or communicate with other devices through a wireless network.
  • the aforementioned wireless network may include a cellular telephone network, a wireless local area network, or a metropolitan area network.
  • the above-mentioned wireless network can use various communication standards, protocols and technologies, including but not limited to Global System for Mobile Communication (GSM), Enhanced Data GSM Environment (EDGE), Wideband Code Division Multiple Access (WCDMA), Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Wireless Fidelity (Wi-Fi) (such as the American Institute of Electrical and Electronics Engineers standards IEEE 802.11a, IEEE 802.11b, IEEE 802.11g and/or IEEE 802.11n), Voice over Internet Protocol (VoIP), Worldwide Interoperability for Microwave Access (Wi-Max), other protocols used for mail, instant messaging and short messages, and any other appropriate communication protocols, even those that have not yet been developed.
  • the memory 320 may be used to store software programs and modules, such as the program instructions/modules corresponding to the automatic light-filling system and method for taking pictures of the front camera in the above-mentioned embodiments.
  • the processor 380 executes various functional applications and data processing by running the software programs and modules stored in the memory 320, that is, realizes the function of automatically filling light when taking pictures with the front camera.
  • the memory 320 may include a high-speed random access memory, and may also include a non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory.
  • the memory 320 may further include a memory remotely provided with respect to the processor 380, and these remote memories may be connected to the terminal device 300 through a network. Examples of the aforementioned networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.
  • the input unit 330 may be used to receive inputted digital or character information, and generate keyboard, mouse, joystick, optical or trackball signal input related to user settings and function control.
  • the input unit 330 may include a touch-sensitive surface 331 and other input devices 332.
  • the touch-sensitive surface 331, also called a touch screen or a touchpad, can collect the user's touch operations on or near it (for example, operations performed by the user on or near the touch-sensitive surface 331 using any suitable object or accessory such as a finger or a stylus), and drive the corresponding connection device according to the preset program.
  • the touch-sensitive surface 331 may include two parts: a touch detection device and a touch controller.
  • the touch detection device detects the user's touch position, detects the signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, and then sends it to the processor 380, and can receive and execute the commands sent by the processor 380.
  • the touch-sensitive surface 331 can be realized by various types such as resistive, capacitive, infrared, and surface acoustic wave.
  • the input unit 330 may also include other input devices 332.
  • the other input device 332 may include, but is not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackball, mouse, and joystick.
  • the display unit 340 may be used to display information input by the user or information provided to the user and various graphical user interfaces of the terminal device 300. These graphical user interfaces may be composed of graphics, text, icons, videos, and any combination thereof.
  • the display unit 340 may include a display panel 341.
  • the display panel 341 is configured in the form of an LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode), etc.
  • the touch-sensitive surface 331 may cover the display panel 341. When the touch-sensitive surface 331 detects a touch operation on or near it, it is transmitted to the processor 380 to determine the type of the touch event, and then the processor 380 provides corresponding visual output on the display panel 341 according to the type of the touch event.
  • although the touch-sensitive surface 331 and the display panel 341 are used as two independent components to implement input and output functions, in some embodiments, the touch-sensitive surface 331 and the display panel 341 can be integrated to implement the input and output functions.
  • the terminal device 300 may also include at least one sensor 350, such as a light sensor, a motion sensor, and other sensors.
  • the light sensor may include an ambient light sensor and a proximity sensor.
  • the ambient light sensor can adjust the brightness of the display panel 341 according to the brightness of the ambient light, and the proximity sensor can turn off the display panel 341 and/or the backlight when the terminal device 300 is moved to the ear.
  • the gravity acceleration sensor can detect the magnitude of acceleration in various directions (usually three-axis), and can detect the magnitude and direction of gravity when it is stationary.
  • the terminal device 300 can also be configured with other sensors such as a gyroscope, barometer, hygrometer, thermometer, infrared sensor, etc., which are not described here.
  • the audio circuit 360, the speaker 361, and the microphone 362 can provide an audio interface between the user and the terminal device 300.
  • the audio circuit 360 can transmit the electric signal converted from the received audio data to the speaker 361, and the speaker 361 converts it into a sound signal for output; on the other hand, the microphone 362 converts the collected sound signal into an electric signal, which the audio circuit 360 receives and converts into audio data; the audio data is then output to the processor 380 for processing, and then sent to, for example, another terminal via the RF circuit 310, or the audio data is output to the memory 320 for further processing.
  • the audio circuit 360 may also include an earplug jack to provide communication between a peripheral earphone and the terminal device 300.
  • the terminal device 300 can help users send and receive emails, browse web pages, and access streaming media through the transmission module 370 (such as a Wi-Fi module), and it provides users with wireless broadband Internet access.
  • although FIG. 8 shows the transmission module 370, it is understandable that it is not a necessary component of the terminal device 300 and can be omitted as needed without changing the essence of the invention.
  • the processor 380 is the control center of the terminal device 300, which uses various interfaces and lines to connect the various parts of the entire mobile phone, and performs various functions of the terminal device 300 and processes data by running or executing software programs and/or modules stored in the memory 320 and calling data stored in the memory 320, thereby monitoring the mobile phone as a whole.
  • the processor 380 may include one or more processing cores; in some embodiments, the processor 380 may integrate an application processor and a modem processor, where the application processor mainly processes the operating system, user interface, and application programs, and the modem processor mainly deals with wireless communication. It can be understood that the foregoing modem processor may not be integrated into the processor 380.
  • the terminal device 300 also includes a power source 390 (such as a battery) for supplying power to various components.
  • the power source may be logically connected to the processor 380 through a power management system, so as to implement functions such as charging, discharging, and power consumption management through the power management system.
  • the power supply 190 may also include one or more DC or AC power supplies, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and any other components.
  • the terminal device 300 may also include a camera (such as a front camera, a rear camera), a Bluetooth module, etc., which will not be repeated here.
  • the display unit of the terminal device is a touch screen display, and the terminal device also includes a memory and one or more programs.
  • one or more programs are stored in the memory and configured to be executed by one or more of the above processors, the one or more programs including instructions for performing the following operations:
  • when the terminal device restarts and enters the first preset stage, obtain device attribute information from the terminal chip, where the device attribute information includes a device identification code;
  • root authority is assigned to the terminal device based on the preset executable file.
  • controlling the system partition to enter the writable state according to the digital signature information and the device identification code includes:
  • the system partition is controlled to enter a writable state.
  • the judging whether the terminal device is authorized to modify according to the information summary and the decryption summary includes:
  • the device attribute information further includes a terminal model and/or version number, and determining the information digest according to the message digest algorithm and the device identification code includes:
  • a message digest algorithm is used to process the combined code to obtain a message digest.
  • controlling the system partition to enter a writable state includes:
  • when the terminal device enters the second preset stage from the first preset stage, the access control module is set to the permissive mode, and the access verification module is turned off, so that the system partition enters the writable state, wherein, in the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • the allocating root permissions to the terminal device based on a preset executable file includes:
  • the preset executable file is stored in the target directory of the system partition, and the authority parameter is modified to a preset value to assign root authority to the terminal device.
  • the method before acquiring the digital signature information from the target partition, the method further includes:
  • the device attribute information is obtained from the terminal chip, and the device attribute information is written into the preset offset position in the target partition, for the flashing software to acquire the device attribute information from the preset offset position, generate digital signature information according to the device attribute information, and then store the digital signature information at the preset offset position;
  • the acquiring digital signature information from the target partition includes: acquiring the digital signature information from the preset offset position in the target partition.
  • each of the above modules can be implemented as an independent entity, or can be combined arbitrarily, and implemented as the same or several entities.
  • each of the above modules please refer to the previous method embodiments, which will not be repeated here.
  • an embodiment of the present invention provides a storage medium in which a plurality of instructions are stored, and the instructions can be loaded by a processor to execute the steps in any root permission allocation method provided in the embodiments of the present invention.
  • the storage medium may include: read-only memory (ROM, Read Only Memory), random access memory (RAM, Random Access Memory), disk or CD, etc.
  • any root permission distribution method provided in the embodiment of the present invention can be implemented.

Abstract

Disclosed are a root permission assignment method and apparatus, a storage medium, and a terminal device. The terminal device comprises a system partition and a target partition. The method comprises: when a terminal device is restarted and enters a first pre-set stage, acquiring a device identification code from a terminal chip; acquiring digital signature information from a target partition; controlling, according to the digital signature information and the device identification code, a system partition to enter a writable state; and assigning root permissions to the terminal device according to a pre-set executable file.

Description

Root permission assignment method, apparatus, storage medium, and terminal device
This application claims priority to the Chinese patent application No. 201910720524.0, filed with the Chinese Patent Office on August 6, 2019 and entitled "Root permission assignment method, apparatus, storage medium, and terminal device", the entire contents of which are incorporated in this application by reference.
Technical field
This application relates to the field of communication technology, and in particular to a method, apparatus, storage medium, and terminal device for assigning root permissions.
Background
Root is the only superuser in the system and has all the permissions in the system, such as starting or stopping a process, deleting or adding users, and adding or disabling hardware. For example, the administrator account of Google's Android system is called Root. The Root account has supreme authority over the entire system: it can access and modify almost all files of the terminal device and has the highest level of management authority.
The process of rooting a mobile phone (also called obtaining the phone's root permission) is the process of obtaining the highest usage permission of the phone (that is, root permission). For the Android system, rooting a phone is in fact the process of copying the su executable file to the /system/xbin directory of the Android system and changing its permission to 4755. However, because more and more Android phones have added various protection functions, such as selinux (Security-Enhanced Linux, a mandatory access control security system), it is difficult for users to write directly to the /system/xbin directory, so the phone cannot be given root permission.
Technical problem
The embodiments of the present application provide a method, apparatus, storage medium, and terminal device for assigning root permissions, which are applicable to root permission assignment on various terminals and are highly reliable.
Technical solution
The embodiments of the present application provide a method for assigning root permissions, applied to a terminal device. The terminal device is provided with multiple storage partitions, the multiple storage partitions include a system partition and a target partition, and the assignment method includes:
when the terminal device restarts and enters the first preset stage, acquiring device attribute information from the terminal chip, where the device attribute information includes a device identification code;
acquiring digital signature information from the target partition;
controlling the system partition to enter a writable state according to the digital signature information and the device identification code;
in the writable state, assigning root permissions to the terminal device based on a preset executable file.
Further, controlling the system partition to enter a writable state according to the digital signature information and the device identification code includes:
determining the information digest according to the message digest algorithm and the device identification code;
decrypting the digital signature information by using a preset public key to obtain a decrypted digest;
judging whether the terminal device is granted modification authority according to the information digest and the decrypted digest;
if the modification authority is granted, controlling the system partition to enter a writable state.
Further, judging whether the terminal device is granted modification authority according to the information digest and the decrypted digest includes:
determining whether the decrypted digest and the information digest are the same;
if they are the same, determining that the terminal device is granted modification authority;
if they are not the same, determining that the terminal device has not been granted modification authority.
Further, the device attribute information further includes a terminal model and/or version number, and determining the information digest according to the message digest algorithm and the device identification code includes:
combining the device identification code with the terminal model and/or version number to obtain a combination code;
processing the combination code with the message digest algorithm to obtain the information digest.
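The digest-and-compare authorization check described above, as an added example that is not code from the patent. The toy RSA key, the length-prefixed field encoding, the function names, and the sample serial numbers are assumptions constructed for illustration; unpadded RSA is used only to mirror the "decrypt with the preset public key, then compare digests" wording.

```python
import hashlib
import hmac

# Constructed toy RSA key (illustration only): both primes are Mersenne primes,
# so this key offers no security. Assumption, not a value from the patent.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q                            # public modulus, stored on the terminal
E = 65537                            # public exponent, stored on the terminal
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the signing tool only

DIGEST_BITS = 128                    # MD5 output size


def combination_code(sn, model="", version=""):
    """Combine device identification code, terminal model and version number
    in a fixed order. Length prefixes (an assumption added here) keep field
    boundaries unambiguous, which plain concatenation does not."""
    return "".join(f"{len(field)}:{field}" for field in (sn, model, version)).encode()


def information_digest(sn, model="", version=""):
    """MD5 digest of the combination code, as an integer."""
    digest = hashlib.md5(combination_code(sn, model, version)).digest()
    return int.from_bytes(digest, "big")


def sign_device(sn, model="", version=""):
    """Signing-tool side: encrypt the digest with the private key."""
    return pow(information_digest(sn, model, version), D, N)


def modification_granted(signature, sn, model="", version=""):
    """Terminal side: decrypt the stored signature with the preset public key
    and compare the result with the digest recomputed from the chip's values."""
    if not isinstance(signature, int) or not 0 <= signature < N:
        return False                 # reject out-of-range values such as signature + N
    decrypted = pow(signature, E, N)
    if decrypted >> DIGEST_BITS:
        return False                 # too large to be an MD5 digest
    expected = information_digest(sn, model, version)
    return hmac.compare_digest(decrypted.to_bytes(16, "big"),
                               expected.to_bytes(16, "big"))


if __name__ == "__main__":
    # Constructed sample values.
    sig = sign_device("SN0001", "MODEL-A", "1.0")
    print(modification_granted(sig, "SN0001", "MODEL-A", "1.0"))
    print(modification_granted(sig, "SN0002", "MODEL-A", "1.0"))
```

Because the digest covers the device identification code, a signature copied from one terminal's target partition does not verify on a terminal with a different SN.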
Further, controlling the system partition to enter the writable state includes:
When the terminal device is in the first preset stage, turning off the write protection function of the system partition;
When the terminal device enters the second preset stage from the first preset stage, setting the access control module to permissive mode and turning off the access verification module, so that the system partition enters the writable state, wherein, in the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
Further, assigning root permissions to the terminal device based on the preset executable file includes:
Storing the preset executable file in a target directory of the system partition, and modifying a permission parameter to a preset value, so as to assign root permissions to the terminal device.
Further, before acquiring the digital signature information from the target partition, the method further includes:
When the terminal device powers on and enters the second preset stage, acquiring the device attribute information from the terminal chip and writing the device attribute information to a preset offset position in the target partition, so that flashing software can acquire the device attribute information from the preset offset position, generate digital signature information according to the device attribute information, and then store the digital signature information at the preset offset position;
Acquiring the digital signature information from the target partition includes: acquiring the digital signature information from the preset offset position in the target partition.
An embodiment of the present application also provides a root permission assignment apparatus, applied to a terminal device. The terminal device is provided with multiple storage partitions, the multiple storage partitions include a system partition and a target partition, and the assignment apparatus includes:
A first acquiring unit, configured to acquire device attribute information from the terminal chip when the terminal device restarts and enters the first preset stage, where the device attribute information includes a device identification code;
A second acquiring unit, configured to acquire digital signature information from the target partition;
A control unit, configured to control the system partition to enter a writable state according to the digital signature information and the device identification code;
An assignment unit, configured to assign root permissions to the terminal device based on a preset executable file in the writable state.
Further, the control unit specifically includes:
A determining subunit, configured to determine an information digest according to a message digest algorithm and the device identification code;
A decryption subunit, configured to decrypt the digital signature information with a preset public key to obtain a decrypted digest;
A judging subunit, configured to determine whether the terminal device is granted modification authority according to the information digest and the decrypted digest;
A control subunit, configured to control the system partition to enter the writable state if modification authority is granted.
Further, the judging subunit is specifically configured to:
Determine whether the decrypted digest and the information digest are the same;
If they are the same, determine that the terminal device is granted modification authority;
If they are not the same, determine that the terminal device is not granted modification authority.
Further, the device attribute information also includes a terminal model and/or a version number, and the determining subunit is specifically configured to:
Combine the device identification code with the terminal model and/or version number to obtain a combined code;
Process the combined code with the message digest algorithm to obtain the information digest.
Further, the control subunit is specifically configured to:
When the terminal device is in the first preset stage, turn off the write protection function of the system partition;
When the terminal device enters the second preset stage from the first preset stage, set the access control module to permissive mode and turn off the access verification module, so that the system partition enters the writable state, wherein, in the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
Further, the assignment unit is specifically configured to:
Store the preset executable file in a target directory of the system partition, and modify a permission parameter to a preset value, so as to assign root permissions to the terminal device.
Further, the root permission assignment apparatus also includes a storage unit, configured to:
Before the digital signature information is acquired from the target partition, when the terminal device powers on and enters the second preset stage, acquire the device attribute information from the terminal chip and write the device attribute information to a preset offset position in the target partition, so that flashing software can acquire the device attribute information from the preset offset position, generate digital signature information according to the device attribute information, and then store the digital signature information at the preset offset position;
The second acquiring unit is specifically configured to acquire the digital signature information from the preset offset position in the target partition.
An embodiment of the present application also provides a computer-readable storage medium in which a plurality of instructions are stored, the instructions being suitable for being loaded by a processor to execute any one of the above root permission assignment methods.
An embodiment of the present application also provides a terminal device, including a processor and a memory. The processor is electrically connected to the memory, the memory is used to store instructions and data, and the processor is used to execute the steps of any one of the above root permission assignment methods.
Beneficial effects
Compared with the prior art, the root permission assignment method, apparatus, and storage medium provided in this application are applied to a terminal device. The terminal device is provided with multiple storage partitions, and the multiple storage partitions include a system partition and a target partition. When the terminal device restarts and enters the first preset stage, device attribute information, which includes a device identification code, is acquired from the terminal chip. Digital signature information is then acquired from the target partition, and the system partition is controlled to enter a writable state according to the digital signature information and the device identification code. In the writable state, root permissions are assigned to the terminal device based on a preset executable file. This facilitates the acquisition of root permissions on various terminals; the method is simple, has a wide range of application, and is highly reliable.
Description of the drawings
The technical solutions and other beneficial effects of the present application will become apparent from the following detailed description of specific implementations of the present application with reference to the accompanying drawings.
FIG. 1 is a schematic flowchart of the root permission assignment method provided by an embodiment of the application.
FIG. 2 is a schematic flowchart of the process of acquiring root permissions on a mobile phone provided by an embodiment of the application.
FIG. 3 is another schematic flowchart of the root permission assignment method provided by an embodiment of the application.
FIG. 4 is a schematic structural diagram of the root permission assignment apparatus provided by an embodiment of the application.
FIG. 5 is another schematic structural diagram of the root permission assignment apparatus provided by an embodiment of the application.
FIG. 6 is a schematic structural diagram of the control unit 30 provided by an embodiment of the application.
FIG. 7 is a schematic structural diagram of the terminal device provided by an embodiment of the application.
FIG. 8 is another schematic structural diagram of the terminal device provided by an embodiment of the application.
Embodiments of the invention
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. Based on the embodiments in this application, all other embodiments obtained by those skilled in the art without creative work fall within the protection scope of this application.
A root permission assignment method is applied to a terminal device. The terminal device is provided with multiple storage partitions, and the multiple storage partitions include a system partition and a target partition. The root permission assignment method includes: when the terminal device restarts and enters the first preset stage, acquiring device attribute information from the terminal chip, where the device attribute information includes a device identification code; acquiring digital signature information from the target partition; controlling the system partition to enter a writable state according to the digital signature information and the device identification code; and, in the writable state, assigning root permissions to the terminal device based on a preset executable file.
In some embodiments, controlling the system partition to enter the writable state according to the digital signature information and the device identification code includes:
Determining an information digest according to a message digest algorithm and the device identification code;
Decrypting the digital signature information with a preset public key to obtain a decrypted digest;
Determining whether the terminal device is granted modification authority according to the information digest and the decrypted digest;
If modification authority is granted, controlling the system partition to enter the writable state.
In some embodiments, determining whether the terminal device is granted modification authority according to the information digest and the decrypted digest includes:
Determining whether the decrypted digest and the information digest are the same;
If they are the same, determining that the terminal device is granted modification authority;
If they are not the same, determining that the terminal device is not granted modification authority.
In some embodiments, the device attribute information also includes a terminal model and/or a version number, and determining the information digest according to the message digest algorithm and the device identification code includes:
Combining the device identification code with the terminal model and/or version number to obtain a combined code;
Processing the combined code with the message digest algorithm to obtain the information digest.
In some embodiments, controlling the system partition to enter the writable state includes:
When the terminal device is in the first preset stage, turning off the write protection function of the system partition;
When the terminal device enters the second preset stage from the first preset stage, setting the access control module to permissive mode and turning off the access verification module, so that the system partition enters the writable state, wherein, in the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
In some embodiments, assigning root permissions to the terminal device based on the preset executable file includes:
Storing the preset executable file in a target directory of the system partition, and modifying a permission parameter to a preset value, so as to assign root permissions to the terminal device.
In some embodiments, before acquiring the digital signature information from the target partition, the method further includes:
When the terminal device powers on and enters the second preset stage, acquiring the device attribute information from the terminal chip and writing the device attribute information to a preset offset position in the target partition, so that flashing software can acquire the device attribute information from the preset offset position, generate digital signature information according to the device attribute information, and then store the digital signature information at the preset offset position;
Acquiring the digital signature information from the target partition includes: acquiring the digital signature information from the preset offset position in the target partition.
As shown in FIG. 1, FIG. 1 is a schematic flowchart of the root permission assignment method provided by an embodiment of the present application. The root permission assignment method is applied to a terminal device, the terminal device is provided with multiple storage partitions, and the multiple storage partitions include a system partition and a target partition. The specific process may be as follows:
S101. When the terminal device restarts and enters the first preset stage, acquire device attribute information from the terminal chip, where the device attribute information includes a device identification code.
In this embodiment, the first preset stage refers to the LK (little kernel) stage, which is the boot stage before the system kernel starts and is mainly used to initialize hardware, load the kernel, configure initialization registers and command line parameters, and so on. The device attribute information in the terminal chip can be acquired through the terminal's system API (Application Programming Interface). The device attribute information mainly refers to attribute information related to the terminal, such as the device identification code. The device identification code is the unique identification code of the terminal, and may be the terminal's SN (Serial Number, product serial number) code.
S102. Acquire digital signature information from the target partition.
In this embodiment, the terminal's ROM chip can be divided into multiple storage partitions. Different storage partitions store different data and implement different functions; for example, the system partition stores system files, the cache partition stores cached data, and the userdata partition stores user data. The target partition refers to a designated partition in the terminal device other than the system partition, such as the Proinfo partition. It is easy to understand that the digital signature information should be stored in advance; that is, before the above step S102, the root permission assignment method further includes:
When the terminal device powers on and enters the second preset stage, acquiring the device attribute information from the terminal chip and writing the device attribute information to a preset offset position in the target partition, so that flashing software can acquire the device attribute information from the preset offset position, generate digital signature information according to the device attribute information, and then store the digital signature information at the preset offset position.
In this case, the above step S102 specifically includes: acquiring the digital signature information from the preset offset position in the target partition.
In this embodiment, the preset offset position can be set manually. For example, assuming the storage capacity of the target partition is 10M, the preset offset position may be the starting storage address of the 8th M. The second preset stage refers to the kernel stage, which is the kernel startup stage and is mainly used to start some related processes, such as the idle process, the kernel_init process, and the kthreadd process.
The flashing software can be installed on another terminal device, such as a tablet computer. Generally, application software on another terminal device cannot directly acquire the SN information from the terminal chip of this terminal device, but it can read the data in the storage partitions. Considering that data can only be written to the system partition with root permissions, this terminal device must store device attribute information such as the SN in advance in a target partition other than the system partition. Specifically, each time this terminal device boots and enters the kernel stage, it can run a native process once, in which the system API is used to acquire the device attribute information from the terminal chip and store it, so that the other terminal device can acquire the device attribute information. The other terminal device can then generate the digital signature information, which is obtained by processing with asymmetric key encryption technology and digital digest technology.
S103. Control the system partition to enter a writable state according to the digital signature information and the device identification code.
In this embodiment, the writable state means that disk read and disk write operations can be performed on the system partition.
For example, the above step S103 may specifically include:
1-1 Determine an information digest according to a message digest algorithm and the device identification code;
1-2 Decrypt the digital signature information with a preset public key to obtain a decrypted digest;
1-3 Determine whether the terminal device is granted modification authority according to the information digest and the decrypted digest;
1-4 If modification authority is granted, control the system partition to enter the writable state.
In this embodiment, the message digest algorithm mainly refers to the MD5 (Message-Digest Algorithm) algorithm. The preset public key corresponds to the private key used to encrypt the digital signature information; that is, the public key and the private key can be stored on this terminal device and on the other terminal device respectively. The private key is used to encrypt the device attribute information in advance, and the public key is used to decrypt the digital signature information when verifying authorization.
Specifically, when the device attribute information contains only the device identification code (that is, the SN code), the information digest can be obtained by processing the SN code directly with the MD5 algorithm. To increase the difficulty of verification and improve verification security, the device attribute information may also include other information, such as the terminal model and/or version number. In this case, determining the information digest also needs to take this information into account; that is, the above step 1-1 may specifically include:
Combining the device identification code with the terminal model and/or version number to obtain a combined code;
Processing the combined code with the message digest algorithm to obtain the information digest.
In this embodiment, the combination method can be set manually. It may simply combine the character codes in a prescribed order, for example device identification code, terminal model, version number. The character codes may also be processed before or after combination, for example converted to decimal or hexadecimal. The MD5 algorithm is then used to calculate the information digest of the combined code.
The above step 1-3 may specifically include:
Determining whether the decrypted digest and the information digest are the same;
If they are the same, determining that the terminal device is granted modification authority;
If they are not the same, determining that the terminal device is not granted modification authority.
In this embodiment, when the decrypted digest and the information digest are equal, it indicates that the encryption public key and the decryption private key are a pair and that the acquisition of root permissions is legal; otherwise it is illegal.
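The check in steps 1-1 to 1-3 can be modelled as follows; this Python sketch is an added illustration and is not code from the application. Assumptions: all function names are hypothetical, the RSA key is a constructed toy key built from two Mersenne primes, the "decrypt with the public key" step is modelled as textbook RSA without padding, and the combined code length-prefixes each field, because plain concatenation in a prescribed order maps different (SN, model, version) tuples to the same bytes.

```python
import hashlib
import hmac

# Constructed toy RSA key: both factors are Mersenne primes, giving a 196-bit
# modulus, just large enough to carry a 128-bit MD5 digest. A key this small
# gives no real protection; it only keeps the example dependency-free.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537                              # preset public key (device side)
D = pow(E, -1, (P - 1) * (Q - 1))      # preset private key (flashing-software side)
SIG_LEN = (N.bit_length() + 7) // 8    # fixed length of the stored signature


def combined_code(sn, model="", version="", length_prefixed=True):
    """Combine SN, terminal model and version number in the prescribed order.

    length_prefixed=True is this example's assumption; False reproduces the
    plain concatenation, which does not record where each field ends.
    """
    fields = [f.encode("utf-8") for f in (sn, model, version)]
    if not length_prefixed:
        return b"".join(fields)
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def info_digest(sn, model="", version=""):
    """Step 1-1: MD5 over the combined code gives the information digest."""
    return hashlib.md5(combined_code(sn, model, version)).digest()


def sign_attributes(sn, model="", version=""):
    """Flashing-software side: apply the private key to the digest."""
    m = int.from_bytes(info_digest(sn, model, version), "big")
    return pow(m, D, N).to_bytes(SIG_LEN, "big")


def decrypt_digest(signature):
    """Step 1-2: recover the decrypted digest with the preset public key.

    Returns None for anything that cannot be a 16-byte digest, so malformed
    data read from the preset offset never reaches the comparison.
    """
    if len(signature) != SIG_LEN:
        return None
    s = int.from_bytes(signature, "big")
    if s >= N:
        return None
    m = pow(s, E, N)
    if m.bit_length() > 128:
        return None
    return m.to_bytes(16, "big")


def modification_granted(signature, sn, model="", version=""):
    """Step 1-3: grant only when decrypted digest equals information digest."""
    decrypted = decrypt_digest(signature)
    if decrypted is None:
        return False
    return hmac.compare_digest(decrypted, info_digest(sn, model, version))


if __name__ == "__main__":
    # Constructed sample attributes, not values from the application.
    sig = sign_attributes("SN0001", "MODEL-A", "V1.0")
    print(modification_granted(sig, "SN0001", "MODEL-A", "V1.0"))
    print(modification_granted(sig, "SN0002", "MODEL-A", "V1.0"))
```
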
The above step "control the system partition to enter the writable state" specifically includes:
When the terminal device is in the first preset stage, turning off the write protection function of the system partition;
When the terminal device enters the second preset stage from the first preset stage, setting the access control module to permissive mode and turning off the access verification module, so that the system partition enters the writable state, wherein, in the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
In this embodiment, the write protection function is usually configured in the LK stage. Write protection is implemented by setting the EMMC register in the terminal device, which can put each storage partition of the physical EMMC in an unwritable state. To achieve root, the su executable file must be copied into the system partition; therefore, before the file is copied, the write protection function of at least the system partition must be turned off, while the write protection function of the other storage partitions can be retained.
The access control module selinux (security-enhanced linux) is usually configured in the kernel stage. selinux performs a security context check on every object in the system that accesses system resources. It has two modes: Enforcing Mode and Permissive Mode. By default selinux is in enforcing mode. Enforcing mode intercepts accesses that the system has not configured and prints a LOG entry, whereas permissive mode only records the LOG and does not actually intercept the access. In enforcing mode the partition directories cannot be traversed, queried, or modified, so the su executable file cannot be copied to the system's /system/xbin directory; therefore, selinux must be set to permissive mode before the file is copied. Specifically, the build can be modified to compile with ALLOW_PERMISSIVE_SELINUX=1, so that when selinux is started in the kernel stage, the mode is obtained from androidboot.selinux instead of being configured as enforcing mode by default.
The access verification module DM-verity (device-mapper-verity) is usually configured in the compilation phase of the kernel stage, during which it generates a hash tree of the image file. If the terminal device needs to use a block of data in the system partition at run time, the system automatically checks whether that data matches the data recorded in the hash tree, and if it does not match, the data is not allowed to be used. Under this premise, DM-verity must be turned off before the su executable file is written into the system partition.
S104. In the writable state, assign root permissions to the terminal device based on a preset executable file.
For example, the above step S104 may specifically include:
Storing the preset executable file in a target directory of the system partition, and modifying a permission parameter to a preset value, so as to assign root permissions to the terminal device.
In this embodiment, the preset executable file is mainly the su executable file, the target directory is the root directory of the system partition, that is, /system/xbin, and the preset value is set manually, for example 4755.
It can be seen from the above that the root permission assignment method provided in this embodiment is applied to a terminal device. The terminal device is provided with multiple storage partitions, and the multiple storage partitions include a system partition and a target partition. When the terminal device restarts and enters the first preset stage, device attribute information, which includes a device identification code, is acquired from the terminal chip. Digital signature information is then acquired from the target partition, and the system partition is controlled to enter a writable state according to the digital signature information and the device identification code. In the writable state, root permissions are assigned to the terminal device based on a preset executable file. This facilitates the acquisition of root permissions on various terminals; the method is simple, has a wide range of application, and is highly reliable.
请参见图2和图3,以下将以root权限的分配方法应用于第一终端设备和第二终端设备中为例,对其进行详细说明,其中,第一终端设备为手机,第二终端设备为电脑,该第一终端设备设有多个存储分区,该多个存储分区包括系统分区和目标分区。Please refer to Figures 2 and 3, the following will take the root permission distribution method applied to the first terminal device and the second terminal device as an example to describe it in detail, where the first terminal device is a mobile phone, and the second terminal device For a computer, the first terminal device is provided with multiple storage partitions, and the multiple storage partitions include a system partition and a target partition.
S201. When booting into the second preset stage, the first terminal device obtains device attribute information from its own terminal chip and writes the device attribute information to a preset offset position in the target partition; the device attribute information includes a device identification code.
For example, the mobile phone can be set so that every time it boots into the kernel stage, a native process uses a system API to obtain the SN information from the terminal chip and stores it at the designated offset position of the Proinfo partition.
S202. The second terminal device uses installed flashing software to obtain the device attribute information from the preset offset position, generates digital signature information according to the device attribute information, and then stores the digital signature information at the preset offset position.
For example, the user can install flashing software on the computer and connect the computer to the mobile phone; the flashing software may be downloaded from some platforms. The flashing software can then obtain the SN code from the preset offset position in the mobile phone, sign it with a preset private key, and store the resulting digital signature information in the mobile phone.
S203. When restarting into the first preset stage, the first terminal device obtains the device attribute information from its own terminal chip and obtains the digital signature information from the preset offset position.
S204. The first terminal device determines an information digest according to a message digest algorithm and the device identification code, and decrypts the digital signature information with a preset public key to obtain a decrypted digest.
S205. The first terminal device determines whether the decrypted digest and the information digest are the same. If they are the same, the following step S206 is performed; if they are not the same, step S206 is not performed and restart detection is carried out again.
For example, after the computer has set the digital signature information in the mobile phone, the mobile phone can be restarted. On entering the LK stage, it obtains the SN information from the chip and the digital signature information from the designated offset position of the Proinfo partition, and then decrypts the digital signature information with the preset public key. Under normal circumstances, the decrypted digest obtained through a legitimate flashing process is the same as the generated information digest.
S206. While in the first preset stage, the first terminal device turns off the write protection function of the system partition. When passing from the first preset stage into the second preset stage, the first terminal device sets the access control module to permissive mode and turns off the access verification module, so that the system partition enters a writable state; in the permissive mode, illegal access to the multiple storage partitions is allowed.
For example, when the decrypted digest and the information digest are the same, the permission modification is authorized. In this case, authorization status information can be generated in the LK stage and passed to the kernel stage through the command line. In the LK stage of the authorized state, the mobile phone can turn off the write protection function of the system partition. In the kernel stage of the authorized state, the mobile phone can modify the build to set ALLOW_PERMISSIVE_SELINUX=1, so that when SELinux is started in the kernel stage its mode is obtained from androidboot.selinux and SELinux is configured in Permissive Mode rather than the default Enforcing Mode. In addition, at the compilation stage, the mobile phone can turn off DM-verity.
S207. In the writable state, the first terminal device stores the preset executable file in the target directory of the system partition and changes the permission parameter to a preset value, so as to assign root permissions to the terminal device.
For example, the mobile phone can copy the su executable file to the root directory of the system partition, that is, /system/xbin, and set its permissions to 4755. The mobile phone then has root permissions, and the user can control any process, user account, hardware, and so on in the mobile phone. To inform the user of the flashing result, a prompt interface can be generated that displays text such as "root success".
Based on the method described in the foregoing embodiment, this embodiment gives a further description from the perspective of a root permission assignment apparatus, which can be implemented as an independent entity.
An embodiment of the present application provides a root permission assignment apparatus applied to a terminal device. The terminal device has multiple storage partitions, including a system partition and a target partition, and the assignment apparatus includes:
a first obtaining unit, configured to obtain device attribute information from the terminal chip when the terminal device restarts and enters the first preset stage, where the device attribute information includes a device identification code;
a second obtaining unit, configured to obtain digital signature information from the target partition;
a control unit, configured to control the system partition to enter a writable state according to the digital signature information and the device identification code;
an allocation unit, configured to assign root permissions to the terminal device based on a preset executable file in the writable state.
In some embodiments, the control unit specifically includes:
a determining subunit, configured to determine an information digest according to a message digest algorithm and the device identification code;
a decryption subunit, configured to decrypt the digital signature information with a preset public key to obtain a decrypted digest;
a judging subunit, configured to judge, according to the information digest and the decrypted digest, whether the terminal device has been granted modification permission;
a control subunit, configured to control the system partition to enter the writable state if modification permission has been granted.
In some embodiments, the judging subunit is specifically configured to:
determine whether the decrypted digest and the information digest are the same;
if they are the same, determine that the terminal device has been granted modification permission;
if they are not the same, determine that the terminal device has not been granted modification permission.
In some embodiments, the device attribute information further includes a terminal model and/or version number, and the determining subunit is specifically configured to:
combine the device identification code with the terminal model and/or version number to obtain a combined code;
process the combined code with a message digest algorithm to obtain the information digest.
In some embodiments, the control subunit is specifically configured to:
turn off the write protection function of the system partition when the terminal device is in the first preset stage;
when the terminal device passes from the first preset stage into the second preset stage, set the access control module to permissive mode and turn off the access verification module, so that the system partition enters the writable state, where, in the permissive mode, illegal access to the multiple storage partitions is allowed.
In some embodiments, the allocation unit is specifically configured to:
store the preset executable file in the target directory of the system partition and change the permission parameter to a preset value, so as to assign root permissions to the terminal device.
In some embodiments, the root permission assignment apparatus further includes a storage unit, configured to:
before the digital signature information is obtained from the target partition, when the terminal device boots into the second preset stage, obtain the device attribute information from the terminal chip and write it to a preset offset position in the target partition, so that flashing software can obtain the device attribute information from the preset offset position, generate digital signature information according to the device attribute information, and then store the digital signature information at the preset offset position;
the second obtaining unit is specifically configured to obtain the digital signature information from the preset offset position in the target partition.
Referring to FIG. 4, FIG. 4 describes in detail the root permission assignment apparatus provided by an embodiment of the present application. It is applied to a terminal device, which may include a mobile phone, a tablet computer, a personal PC, and so on. The terminal device has multiple storage partitions, including a system partition and a target partition. The root permission assignment apparatus may include a first obtaining unit 10, a second obtaining unit 20, a control unit 30, and an allocation unit 40, where:
(1) First obtaining unit 10
The first obtaining unit 10 is configured to obtain device attribute information from the terminal chip when the terminal device restarts and enters the first preset stage; the device attribute information includes a device identification code.
In this embodiment, the first preset stage is the LK (little kernel) stage, which is the boot stage before the system kernel starts and is mainly used to initialize hardware, load the kernel, configure initialization registers and command-line parameters, and so on. The device attribute information in the terminal chip can be obtained through the terminal's system API (Application Programming Interface). The device attribute information mainly refers to attribute information related to the terminal, such as the device identification code, which is the unique identifier of the terminal and may be the terminal's SN (Serial Number) code.
(2) Second obtaining unit 20
The second obtaining unit 20 is configured to obtain digital signature information from the target partition.
In this embodiment, the terminal ROM chip can be divided into multiple storage partitions. Different storage partitions store different data and implement different functions; for example, the system partition stores system files, the cache partition stores cached data, and the userdata partition stores user data. The target partition is a designated partition in the terminal device other than the system partition, such as the Proinfo partition. It is easy to understand that the digital signature information should be stored in advance; that is, referring to FIG. 5, the root permission assignment apparatus further includes a storage unit 50, configured to:
before the digital signature information is obtained from the target partition, when the terminal device boots into the second preset stage, obtain the device attribute information from the terminal chip and write it to a preset offset position in the target partition, so that flashing software can obtain the device attribute information from the preset offset position, generate digital signature information according to the device attribute information, and then store the digital signature information at the preset offset position.
In this case, the second obtaining unit 20 is specifically configured to obtain the digital signature information from the preset offset position in the target partition.
In this embodiment, the preset offset position can be set manually. For example, assuming the storage capacity of the target partition is 10M, the preset offset position may be the starting storage address of the 8th M. The second preset stage is the kernel stage, which is the kernel startup stage and is mainly used to start related processes, such as the idle process, the kernel_init process, and the kthreadd process.
The flashing software can be installed on another terminal device, such as a tablet computer. Generally, application software on another terminal device cannot obtain the SN information directly from the terminal chip of this terminal device, but it can read data in the storage partitions. Because data can be written to the system partition only with root permissions, this terminal device must store device attribute information such as the SN in advance in a target partition other than the system partition. Specifically, each time this terminal device boots into the kernel stage, it can run a native process once, in which a system API is used to obtain the device attribute information from the terminal chip and store it, so that other terminal devices can obtain the device attribute information. The other terminal device can then generate the digital signature information, which is produced using asymmetric key encryption technology and digital digest technology.
(3) Control unit 30
The control unit 30 is configured to control the system partition to enter a writable state according to the digital signature information and the device identification code.
In this embodiment, the writable state means that disk read and disk write operations can be performed on the system partition.
For example, referring to FIG. 6, the control unit 30 specifically includes:
a determining subunit 31, configured to determine an information digest according to a message digest algorithm and the device identification code;
a decryption subunit 32, configured to decrypt the digital signature information with a preset public key to obtain a decrypted digest;
a judging subunit 33, configured to judge, according to the information digest and the decrypted digest, whether the terminal device has been granted modification permission;
a control subunit 34, configured to control the system partition to enter the writable state if modification permission has been granted.
In this embodiment, the message digest algorithm mainly refers to the MD5 (Message-Digest Algorithm) algorithm. The preset public key corresponds to the private key used to encrypt the digital signature information; that is, the public key and the private key can be stored on this terminal device and on the other terminal device respectively. The private key is used to encrypt the device attribute information in advance, and the public key is used to decrypt the digital signature information when authorization is verified.
Specifically, when the device attribute information contains only the device identification code (that is, the SN code), the information digest can be obtained by processing the SN code directly with the MD5 algorithm. To increase verification difficulty and improve verification security, the device attribute information may also include other information, such as the terminal model and/or version number, in which case this information must also be used when determining the information digest. That is, the device attribute information further includes a terminal model and/or version number, and the determining subunit 31 is specifically configured to:
combine the device identification code with the terminal model and/or version number to obtain a combined code;
process the combined code with the message digest algorithm to obtain the information digest.
In this embodiment, the combination method can be set manually. It may be a simple combination of the character codes in a prescribed order, for example device identification code, terminal model, version number. The character codes may also be processed before or after combination, for example converted to decimal or hexadecimal. The MD5 algorithm is then used to calculate the information digest of the combined code.
The judging subunit 33 is specifically configured to:
determine whether the decrypted digest and the information digest are the same;
if they are the same, determine that the terminal device has been granted modification permission;
if they are not the same, determine that the terminal device has not been granted modification permission.
In this embodiment, when the decrypted digest and the information digest are equal, the encryption public key and the decryption private key are a pair and the acquisition of root permissions is legitimate; otherwise it is not legitimate.
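The check described in steps S202 to S205 and in the determining, decryption and judging subunits above can be exercised end to end as follows. This is an added example, not code from the application: the key is a constructed demonstration key, the serial number, model and version strings are constructed, and the length-prefixed field encoding and fixed-size signature blob are assumptions, since the text only says the fields are combined in a prescribed order.

```python
import hashlib
import hmac

# Constructed demonstration key built from two Mersenne primes. It is NOT
# secure and exists only so the example runs offline without a crypto library.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                                  # modulus of the "preset public key"
E = 65537                                  # public exponent, held by the phone (LK stage)
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, held by the flashing tool
SIG_LEN = (N.bit_length() + 7) // 8        # size of the blob stored at the preset offset


def combine(sn, model="", version=""):
    """Build the combined code in the order SN, model, version.

    Each field is length-prefixed (an assumption added here) so that
    ("AB", "C") and ("A", "BC") cannot produce the same combined code.
    """
    out = b""
    for field in (sn, model, version):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def information_digest(sn, model="", version=""):
    """MD5 of the combined code, as an integer (MD5 is the algorithm the text names)."""
    return int.from_bytes(hashlib.md5(combine(sn, model, version)).digest(), "big")


def sign(sn, model="", version=""):
    """Flashing-tool side (S202): encrypt the digest with the private key."""
    sig = pow(information_digest(sn, model, version), D, N)
    return sig.to_bytes(SIG_LEN, "big")


def verify(sig_blob, sn, model="", version=""):
    """Phone side (S203-S205): decrypt with the public key and compare digests.

    The attribute values must come from the chip, never from the partition,
    so a blob copied from another device does not verify.
    """
    if len(sig_blob) != SIG_LEN:
        return False                        # truncated or missing blob
    sig = int.from_bytes(sig_blob, "big")
    if sig >= N:
        return False                        # e.g. an erased region full of 0xFF
    decrypted = pow(sig, E, N).to_bytes(SIG_LEN, "big")
    expected = information_digest(sn, model, version).to_bytes(SIG_LEN, "big")
    return hmac.compare_digest(decrypted, expected)


if __name__ == "__main__":
    blob = sign("SN-CONSTRUCTED-0001", "MODEL-X", "v1.0")
    print(verify(blob, "SN-CONSTRUCTED-0001", "MODEL-X", "v1.0"))
    print(verify(blob, "SN-CONSTRUCTED-0002", "MODEL-X", "v1.0"))
```

The unpadded public-key operation and MD5 follow the scheme as the text describes it; a production verifier would use a padded signature scheme and a current hash function.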
The control subunit 34 is specifically configured to:
turn off the write protection function of the system partition when the terminal device is in the first preset stage;
when the terminal device passes from the first preset stage into the second preset stage, set the access control module to permissive mode and turn off the access verification module, so that the system partition enters the writable state, where, in the permissive mode, illegal access to the multiple storage partitions is allowed.
In this embodiment, the write protection function is usually configured in the LK stage. Write protection is implemented by setting the EMMC registers in the terminal device, which can put each storage partition of the physical EMMC in a non-writable state. To achieve root, the su executable file must be copied into the system partition, so at least the write protection of the system partition must be turned off before the file is copied; the write protection of the other storage partitions can be retained.
The access control module SELinux (Security-Enhanced Linux) is usually configured in the kernel stage. SELinux performs a security-context check on every access by an object in the system to system resources. It has two modes, Enforcing Mode and Permissive Mode, and by default SELinux is in enforcing mode. Enforcing mode blocks accesses that the system has not configured and prints a log; permissive mode only records a log and does not actually block access. Because partition directories cannot be traversed, queried, or modified in enforcing mode, the su executable file cannot be copied to the system's /system/xbin directory, so SELinux must be set to permissive mode before the file is copied. Specifically, the build can be modified to set ALLOW_PERMISSIVE_SELINUX=1, so that when SELinux is started in the kernel stage its mode is obtained from androidboot.selinux rather than being configured as enforcing mode by default.
The access verification module DM-verity (device-mapper-verity) is usually configured at the compilation stage within the kernel stage. A hash tree of the image file is generated at the compilation stage. If the terminal device needs a block of data in the system partition at run time, the system automatically checks whether that data matches the data recorded in the hash tree; if it does not match, the block of data is not allowed to be used. Under this premise, DM-verity must be turned off before the su executable file can be written to the system partition.
(4) Allocation unit 40
The allocation unit 40 is configured to assign root permissions to the terminal device based on a preset executable file in the writable state.
For example, the allocation unit 40 is specifically configured to:
store the preset executable file in the target directory of the system partition and change the permission parameter to a preset value, so as to assign root permissions to the terminal device.
In this embodiment, the preset executable file is mainly the su executable file, the target directory is the root directory of the system partition, that is, /system/xbin, and the preset value is set manually, for example 4755.
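The state changes described for control subunit 34 and allocation unit 40 leave observable traces, which a device-integrity check can look for. The following is an added example, not code from the application: it assumes the audit is given the kernel command line text, mount information in /proc/mounts format, and a path to the system partition contents, and the sample values it builds are constructed.

```python
import os
import stat
import tempfile


def selinux_boot_mode(cmdline):
    """Return the androidboot.selinux value from a kernel command line, or None."""
    for token in cmdline.split():
        key, _, value = token.partition("=")
        if key == "androidboot.selinux":
            return value
    return None


def system_mounted_rw(mounts):
    """Parse /proc/mounts-format text: True/False for /system, None if not listed."""
    result = None
    for line in mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/system":
            result = "rw" in fields[3].split(",")   # the last matching entry wins
    return result


def setuid_su(system_root):
    """Return the permission bits of <system_root>/xbin/su if it is a setuid regular file."""
    path = os.path.join(system_root, "xbin", "su")
    try:
        st = os.lstat(path)
    except OSError:
        return None                                 # no su binary at that path
    if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
        return stat.S_IMODE(st.st_mode)
    return None


def audit(system_root, cmdline, mounts):
    """Collect the indicators that correspond to the writable, rooted state."""
    findings = []
    if selinux_boot_mode(cmdline) == "permissive":
        findings.append("selinux-permissive")
    if system_mounted_rw(mounts):
        findings.append("system-rw")
    mode = setuid_su(system_root)
    if mode is not None:
        findings.append("setuid-su:%o" % mode)
    return findings


def constructed_demo():
    """Run the audit on a constructed modified tree, then on a constructed stock tree."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "xbin"))
        su = os.path.join(root, "xbin", "su")
        with open(su, "wb") as fh:
            fh.write(b"placeholder, not a real binary")
        os.chmod(su, 0o4755)                        # the preset value from the text
        modified = audit(
            root,
            "console=ttyS0 androidboot.selinux=permissive",
            "/dev/block/constructed /system ext4 rw,relatime 0 0\n",
        )
        os.remove(su)
        stock = audit(
            root,
            "console=ttyS0",
            "/dev/block/constructed /system ext4 ro,relatime 0 0\n",
        )
    return modified, stock


if __name__ == "__main__":
    print(constructed_demo())
```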
In specific implementations, each of the above units can be implemented as an independent entity, or the units can be combined arbitrarily and implemented as one or several entities. For the specific implementation of each unit, refer to the foregoing method embodiments; details are not repeated here.
As can be seen from the above, the root permission assignment method provided in this embodiment is applied to a terminal device that has multiple storage partitions, including a system partition and a target partition. When the terminal device restarts and enters the first preset stage, the first obtaining unit 10 obtains device attribute information, which includes a device identification code, from the terminal chip. The second obtaining unit 20 then obtains digital signature information from the target partition, and the control unit 30 controls the system partition to enter a writable state according to the digital signature information and the device identification code. In the writable state, the adjustment module 40 assigns root permissions to the terminal device based on a preset executable file. This facilitates obtaining root permissions on various terminals; the method is simple, widely applicable, and highly reliable.
In addition, an embodiment of the present application further provides a terminal device, which may be a device such as a smartphone or a tablet computer. As shown in FIG. 7, the terminal device 200 includes a processor 201 and a memory 202, and the processor 201 is electrically connected to the memory 202.
The processor 201 is the control center of the terminal device 200. It connects the various parts of the entire terminal device through various interfaces and lines, and performs the various functions of the terminal device and processes data by running or loading application programs stored in the memory 202 and calling data stored in the memory 202, thereby monitoring the terminal device as a whole.
In this embodiment, the terminal device 200 has multiple storage partitions, including a system partition and a target partition. The processor 201 in the terminal device 200 loads the instructions corresponding to the processes of one or more application programs into the memory 202 according to the following steps, and runs the application programs stored in the memory 202, thereby implementing various functions:
when the terminal device restarts and enters the first preset stage, obtaining device attribute information from the terminal chip, where the device attribute information includes a device identification code;
obtaining digital signature information from the target partition;
controlling the system partition to enter a writable state according to the digital signature information and the device identification code;
in the writable state, assigning root permissions to the terminal device based on a preset executable file.
FIG. 8 shows a specific structural block diagram of a terminal device provided by an embodiment of the present invention. The terminal device can be used to implement the root permission assignment method provided in the foregoing embodiments. The terminal device 300 may be a smartphone or a tablet computer.
The RF circuit 310 is used to receive and send electromagnetic waves and to convert between electromagnetic waves and electrical signals, so as to communicate with a communication network or other devices. The RF circuit 310 may include various existing circuit elements for performing these functions, for example an antenna, a radio frequency transceiver, a digital signal processor, an encryption/decryption chip, a subscriber identity module (SIM) card, a memory, and so on. The RF circuit 310 can communicate with various networks such as the Internet, an intranet, or a wireless network, or communicate with other devices through a wireless network. The wireless network may include a cellular telephone network, a wireless local area network, or a metropolitan area network. The wireless network can use various communication standards, protocols, and technologies, including but not limited to Global System for Mobile Communication (GSM), Enhanced Data GSM Environment (EDGE), Wideband Code Division Multiple Access (WCDMA), Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Wireless Fidelity (Wi-Fi) (such as the Institute of Electrical and Electronics Engineers standards IEEE 802.11a, IEEE 802.11b, IEEE 802.11g and/or IEEE 802.11n), Voice over Internet Protocol (VoIP), Worldwide Interoperability for Microwave Access (Wi-Max), other protocols used for mail, instant messaging, and short messages, and any other suitable communication protocols, even including protocols that have not yet been developed.
The memory 320 can be used to store software programs and modules, such as the program instructions/modules corresponding to the automatic fill-light system and method for front-camera photography in the foregoing embodiments. The processor 380 executes various functional applications and data processing by running the software programs and modules stored in the memory 320, that is, it implements the function of automatically filling light when taking pictures with the front camera. The memory 320 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 320 may further include memory located remotely from the processor 380, and such remote memory may be connected to the terminal device 300 through a network. Examples of such networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.
The input unit 330 may be used to receive input numeric or character information, and to generate keyboard, mouse, joystick, optical or trackball signal input related to user settings and function control. Specifically, the input unit 330 may include a touch-sensitive surface 331 and other input devices 332. The touch-sensitive surface 331, also called a touch display screen or touchpad, can collect the user's touch operations on or near it (for example, operations performed by the user on or near the touch-sensitive surface 331 with a finger, a stylus, or any other suitable object or accessory) and drive the corresponding connection device according to a preset program. Optionally, the touch-sensitive surface 331 may include two parts: a touch detection device and a touch controller. The touch detection device detects the position of the user's touch, detects the signal produced by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 380, and can receive and execute commands sent by the processor 380. In addition, the touch-sensitive surface 331 can be implemented in various types, such as resistive, capacitive, infrared, and surface acoustic wave. In addition to the touch-sensitive surface 331, the input unit 330 may also include other input devices 332. Specifically, the other input devices 332 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and switch keys), a trackball, a mouse, and a joystick.
The display unit 340 may be used to display information input by the user or information provided to the user, as well as the various graphical user interfaces of the terminal device 300. These graphical user interfaces may be composed of graphics, text, icons, video, and any combination thereof. The display unit 340 may include a display panel 341. Optionally, the display panel 341 may be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), or the like. Further, the touch-sensitive surface 331 may cover the display panel 341. When the touch-sensitive surface 331 detects a touch operation on or near it, it transmits the operation to the processor 380 to determine the type of the touch event, and the processor 380 then provides corresponding visual output on the display panel 341 according to the type of the touch event. Although in FIG. 8 the touch-sensitive surface 331 and the display panel 341 implement the input and output functions as two independent components, in some embodiments the touch-sensitive surface 331 and the display panel 341 may be integrated to implement the input and output functions.
The terminal device 300 may also include at least one sensor 350, such as a light sensor, a motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor. The ambient light sensor can adjust the brightness of the display panel 341 according to the brightness of the ambient light, and the proximity sensor can turn off the display panel 341 and/or the backlight when the terminal device 300 is moved to the ear. As one kind of motion sensor, the gravity acceleration sensor can detect the magnitude of acceleration in all directions (generally three axes), and can detect the magnitude and direction of gravity when stationary. It can be used for applications that recognize the posture of the mobile phone (such as switching between landscape and portrait, related games, and magnetometer posture calibration) and for vibration-recognition functions (such as a pedometer and tap detection). Other sensors that the terminal device 300 may also be equipped with, such as a gyroscope, barometer, hygrometer, thermometer, and infrared sensor, are not described in detail here.
The audio circuit 360, the speaker 361, and the microphone 362 can provide an audio interface between the user and the terminal device 300. The audio circuit 360 can transmit the electrical signal converted from the received audio data to the speaker 361, which converts it into a sound signal for output. Conversely, the microphone 362 converts the collected sound signal into an electrical signal, which the audio circuit 360 receives and converts into audio data; the audio data is then output to the processor 380 for processing and sent via the RF circuit 310 to, for example, another terminal, or output to the memory 320 for further processing. The audio circuit 360 may also include an earphone jack to provide communication between a peripheral earphone and the terminal device 300.
Through the transmission module 370 (such as a Wi-Fi module), the terminal device 300 can help users send and receive e-mail, browse web pages, and access streaming media; the module provides users with wireless broadband Internet access. Although FIG. 8 shows the transmission module 370, it is understood that it is not a necessary component of the terminal device 300 and can be omitted as needed without changing the essence of the invention.
The processor 380 is the control center of the terminal device 300. It connects the various parts of the entire mobile phone through various interfaces and lines, and performs the various functions of the terminal device 300 and processes data by running or executing the software programs and/or modules stored in the memory 320 and calling the data stored in the memory 320, thereby monitoring the mobile phone as a whole. Optionally, the processor 380 may include one or more processing cores. In some embodiments, the processor 380 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, and application programs, and the modem processor mainly handles wireless communication. It is understood that the modem processor may also not be integrated into the processor 380.
The terminal device 300 also includes a power supply 390 (such as a battery) that supplies power to the various components. In some embodiments, the power supply may be logically connected to the processor 380 through a power management system, so that functions such as charging management, discharging management, and power consumption management are implemented through the power management system. The power supply 190 may also include any components such as one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power converter or inverter, and a power status indicator.
Although not shown, the terminal device 300 may also include a camera (such as a front camera or a rear camera), a Bluetooth module, and so on, which are not described in detail here. Specifically, in this embodiment, the display unit of the terminal device is a touch screen display, and the terminal device also includes a memory and one or more programs, where the one or more programs are stored in the memory and configured to be executed by one or more processors, the one or more programs containing instructions for performing the following operations:
When the terminal device restarts and enters the first preset stage, obtain device attribute information from the terminal chip, where the device attribute information includes a device identification code;
Obtain digital signature information from the target partition;
Control the system partition to enter a writable state according to the digital signature information and the device identification code;
In the writable state, assign root permissions to the terminal device based on a preset executable file.
In some embodiments, controlling the system partition to enter a writable state according to the digital signature information and the device identification code includes:
Determining a message digest according to a message digest algorithm and the device identification code;
Decrypting the digital signature information with a preset public key to obtain a decrypted digest;
Judging, according to the message digest and the decrypted digest, whether the terminal device has been granted modification permission;
If modification permission has been granted, controlling the system partition to enter a writable state.
In some embodiments, judging, according to the message digest and the decrypted digest, whether the terminal device has been granted modification permission includes:
Determining whether the decrypted digest and the message digest are the same;
If they are the same, determining that the terminal device has been granted modification permission;
If they are not the same, determining that the terminal device has not been granted modification permission.
In some embodiments, the device attribute information further includes a terminal model and/or version number, and determining a message digest according to a message digest algorithm and the device identification code includes:
Combining the device identification code with the terminal model and/or version number to obtain a combined code;
Processing the combined code with the message digest algorithm to obtain the message digest.
In some embodiments, controlling the system partition to enter a writable state includes:
When the terminal device is in the first preset stage, turning off the write protection function of the system partition;
When the terminal device enters the second preset stage from the first preset stage, setting the access control module to permissive mode and turning off the access verification module, so that the system partition enters a writable state, where, in the permissive mode, illegal access to the multiple storage partitions is allowed.
In some embodiments, assigning root permissions to the terminal device based on a preset executable file includes:
Storing the preset executable file in a target directory of the system partition, and modifying a permission parameter to a preset value, so as to assign root permissions to the terminal device.
In some embodiments, before the digital signature information is obtained from the target partition, the method further includes:
When the terminal device powers on and enters the second preset stage, obtaining the device attribute information from the terminal chip and writing the device attribute information to a preset offset position in the target partition, so that flashing software can obtain the device attribute information from the preset offset position, generate digital signature information according to the device attribute information, and then store the digital signature information at the preset offset position;
Obtaining digital signature information from the target partition includes: obtaining the digital signature information from the preset offset position in the target partition.
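The signing step performed by the flashing software and the device-side check described above (digest of the combined code, recovery of the signed digest with the preset public key, comparison), as an added example that is not code from the patent. SHA-256, RSA with PKCS#1 v1.5 encoding, the length-prefixed combination of fields, the runtime-generated demo key, and all function names and sample values are assumptions; this section does not specify them.

```python
import hashlib
import hmac
import secrets

# DER DigestInfo header for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rounds=40):
    """Miller-Rabin test, used only to build the constructed demo key."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        # Top two bits set so the product of two such primes has full length.
        candidate = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_demo_keypair(bits=2048):
    """Constructed RSA key standing in for the vendor key pair (assumption)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            n = p * q
            return (n, e), (n, pow(e, -1, phi))


def combined_code(device_id, model="", version=""):
    """Length-prefix each field so ("AB", "C") and ("A", "BC") differ."""
    out = b""
    for field in (device_id, model, version):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def _encoded_digest(device_id, model, version, k):
    """Message digest of the combined code, padded to the modulus length k."""
    digest = hashlib.sha256(combined_code(device_id, model, version)).digest()
    t = SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_device_token(private_key, device_id, model="", version=""):
    """Signing side (the flashing software's role in the text)."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_encoded_digest(device_id, model, version, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def is_modification_authorized(public_key, signature, device_id, model="", version=""):
    """Device side: recompute the digest from chip values and compare."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        return False
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    expected = _encoded_digest(device_id, model, version, k)
    # Compare the whole padded block, in constant time, rather than parsing
    # the recovered bytes and comparing only the trailing digest.
    return hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    public_key, private_key = generate_demo_keypair()
    # Constructed sample values, not taken from the patent.
    token = sign_device_token(private_key, "860000000000001", "DEMO-1", "v1.0")
    print(is_modification_authorized(public_key, token, "860000000000001", "DEMO-1", "v1.0"))
    print(is_modification_authorized(public_key, token, "860000000000002", "DEMO-1", "v1.0"))
```

The binding to one device holds only if `device_id` is read from the terminal chip at verification time, as the text specifies, and not from the same writable partition that stores the signature.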
In a specific implementation, each of the above modules can be implemented as an independent entity, or the modules can be combined arbitrarily and implemented as the same entity or as several entities. For the specific implementation of each of the above modules, refer to the preceding method embodiments, which are not repeated here.
A person of ordinary skill in the art can understand that all or some of the steps in the various methods of the above embodiments can be completed by instructions, or by instructions controlling related hardware. The instructions can be stored in a computer-readable storage medium and loaded and executed by a processor. To this end, an embodiment of the present invention provides a storage medium in which a plurality of instructions are stored, and the instructions can be loaded by a processor to execute the steps in any of the root permission assignment methods provided in the embodiments of the present invention.
The storage medium may include: read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, and so on.
Since the instructions stored in the storage medium can execute the steps in any of the root permission assignment methods provided in the embodiments of the present invention, they can achieve the beneficial effects achievable by any of those methods. See the preceding embodiments for details, which are not repeated here.
For the specific implementation of each of the above operations, refer to the preceding embodiments, which are not repeated here.
In summary, although this application has been disclosed above by way of preferred embodiments, the preferred embodiments are not intended to limit this application. A person of ordinary skill in the art can make various changes and refinements without departing from the spirit and scope of this application, so the scope of protection of this application is the scope defined by the claims.

Claims (20)

  1. A method for assigning root permissions, applied to a terminal device, wherein the terminal device is provided with multiple storage partitions, the multiple storage partitions include a system partition and a target partition, and the method for assigning root permissions comprises:
    when the terminal device restarts and enters a first preset stage, obtaining device attribute information from a terminal chip, the device attribute information including a device identification code;
    obtaining digital signature information from the target partition;
    controlling the system partition to enter a writable state according to the digital signature information and the device identification code;
    in the writable state, assigning root permissions to the terminal device based on a preset executable file.
  2. The method for assigning root permissions according to claim 1, wherein controlling the system partition to enter a writable state according to the digital signature information and the device identification code comprises:
    determining a message digest according to a message digest algorithm and the device identification code;
    decrypting the digital signature information with a preset public key to obtain a decrypted digest;
    judging, according to the message digest and the decrypted digest, whether the terminal device has been granted modification permission;
    if modification permission has been granted, controlling the system partition to enter a writable state.
  3. The method for assigning root permissions according to claim 2, wherein judging, according to the message digest and the decrypted digest, whether the terminal device has been granted modification permission comprises:
    determining whether the decrypted digest and the message digest are the same;
    if they are the same, determining that the terminal device has been granted modification permission;
    if they are not the same, determining that the terminal device has not been granted modification permission.
  4. The method for assigning root permissions according to claim 2, wherein the device attribute information further includes a terminal model and/or version number, and determining a message digest according to a message digest algorithm and the device identification code comprises:
    combining the device identification code with the terminal model and/or version number to obtain a combined code;
    processing the combined code with the message digest algorithm to obtain the message digest.
  5. The method for assigning root permissions according to claim 2, wherein controlling the system partition to enter a writable state comprises:
    when the terminal device is in the first preset stage, turning off the write protection function of the system partition;
    when the terminal device enters a second preset stage from the first preset stage, setting an access control module to permissive mode and turning off an access verification module, so that the system partition enters a writable state, wherein, in the permissive mode, illegal access to the multiple storage partitions is allowed.
  6. The method for assigning root permissions according to claim 1, wherein assigning root permissions to the terminal device based on a preset executable file comprises:
    storing the preset executable file in a target directory of the system partition, and modifying a permission parameter to a preset value, so as to assign root permissions to the terminal device.
  7. The method for assigning root permissions according to claim 1, wherein, before the digital signature information is obtained from the target partition, the method further comprises:
    when the terminal device powers on and enters a second preset stage, obtaining the device attribute information from the terminal chip and writing the device attribute information to a preset offset position in the target partition, so that flashing software can obtain the device attribute information from the preset offset position, generate digital signature information according to the device attribute information, and then store the digital signature information at the preset offset position;
    obtaining digital signature information from the target partition comprises: obtaining the digital signature information from the preset offset position in the target partition.
  8. An apparatus for assigning root permissions, applied to a terminal device, wherein the terminal device is provided with multiple storage partitions, the multiple storage partitions include a system partition and a target partition, and the apparatus comprises:
    a first obtaining unit, configured to obtain device attribute information from a terminal chip when the terminal device restarts and enters a first preset stage, the device attribute information including a device identification code;
    a second obtaining unit, configured to obtain digital signature information from the target partition;
    a control unit, configured to control the system partition to enter a writable state according to the digital signature information and the device identification code;
    an assignment unit, configured to assign root permissions to the terminal device based on a preset executable file in the writable state.
  9. The apparatus for assigning root permissions according to claim 8, wherein the control unit specifically comprises:
    a determining subunit, configured to determine a message digest according to a message digest algorithm and the device identification code;
    a decryption subunit, configured to decrypt the digital signature information with a preset public key to obtain a decrypted digest;
    a judging subunit, configured to judge, according to the message digest and the decrypted digest, whether the terminal device has been granted modification permission;
    a control subunit, configured to control the system partition to enter a writable state if modification permission has been granted.
  10. The apparatus for assigning root permissions according to claim 9, wherein the judging subunit is specifically configured to:
    determine whether the decrypted digest and the message digest are the same;
    if they are the same, determine that the terminal device has been granted modification permission;
    if they are not the same, determine that the terminal device has not been granted modification permission.
  11. The apparatus for assigning root permissions according to claim 9, wherein the device attribute information further includes a terminal model and/or version number, and the determining subunit is specifically configured to:
    combine the device identification code with the terminal model and/or version number to obtain a combined code;
    process the combined code with the message digest algorithm to obtain the message digest.
  12. The apparatus for assigning root permissions according to claim 9, wherein the control subunit is specifically configured to:
    when the terminal device is in the first preset stage, turn off the write protection function of the system partition;
    when the terminal device enters a second preset stage from the first preset stage, set an access control module to permissive mode and turn off an access verification module, so that the system partition enters a writable state, wherein, in the permissive mode, illegal access to the multiple storage partitions is allowed.
  13. The apparatus for assigning root permissions according to claim 8, wherein the assignment unit is specifically configured to:
    store the preset executable file in a target directory of the system partition, and modify a permission parameter to a preset value, so as to assign root permissions to the terminal device.
  14. The apparatus for assigning root permissions according to claim 8, wherein the apparatus for assigning root permissions further comprises a storage unit, configured to:
    before the digital signature information is obtained from the target partition, when the terminal device powers on and enters a second preset stage, obtain the device attribute information from the terminal chip and write the device attribute information to a preset offset position in the target partition, so that flashing software can obtain the device attribute information from the preset offset position, generate digital signature information according to the device attribute information, and then store the digital signature information at the preset offset position;
    the second obtaining unit is specifically configured to: obtain the digital signature information from the preset offset position in the target partition.
  15. A computer-readable storage medium, wherein a plurality of instructions are stored in the storage medium, the instructions being adapted to be loaded by a processor to execute the method for assigning root permissions according to claim 1.
  16. A terminal device, comprising a processor and a memory, wherein the processor is electrically connected to the memory, the memory is used to store instructions and data, and the processor is used to execute the steps in the method for assigning root permissions according to claim 1.
  17. The terminal device according to claim 16, wherein the processor is specifically configured to execute:
    determining a message digest according to a message digest algorithm and the device identification code;
    decrypting the digital signature information with a preset public key to obtain a decrypted digest;
    judging, according to the message digest and the decrypted digest, whether the terminal device has been granted modification permission;
    if modification permission has been granted, controlling the system partition to enter a writable state.
  18. The terminal device according to claim 17, wherein the processor is specifically configured to execute:
    determining whether the decrypted digest and the message digest are the same;
    if they are the same, determining that the terminal device has been granted modification permission;
    if they are not the same, determining that the terminal device has not been granted modification permission.
  19. The terminal device according to claim 17, wherein the device attribute information further includes a terminal model and/or version number, and the processor is specifically configured to execute:
    combining the device identification code with the terminal model and/or version number to obtain a combined code;
    processing the combined code with the message digest algorithm to obtain the message digest.
  20. The terminal device according to claim 17, wherein the processor is specifically configured to execute:
    when the terminal device is in the first preset stage, turning off the write protection function of the system partition;
    when the terminal device enters a second preset stage from the first preset stage, setting an access control module to permissive mode and turning off an access verification module, so that the system partition enters a writable state, wherein, in the permissive mode, illegal access to the multiple storage partitions is allowed.
PCT/CN2019/121812 2019-08-06 2019-11-29 Root permission assignment method and apparatus, storage medium, and terminal device WO2021022729A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910720524.0A CN110457894B (en) 2019-08-06 2019-08-06 root authority distribution method and device, storage medium and terminal equipment
CN201910720524.0 2019-08-06

Publications (1)

Publication Number Publication Date
WO2021022729A1 true WO2021022729A1 (en) 2021-02-11

Family

ID=68485016

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/121812 WO2021022729A1 (en) 2019-08-06 2019-11-29 Root permission assignment method and apparatus, storage medium, and terminal device

Country Status (2)

Country Link
CN (1) CN110457894B (en)
WO (1) WO2021022729A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114465805A (en) * 2022-02-18 2022-05-10 深圳市优博讯科技股份有限公司 Active identification control method and system
CN114760621A (en) * 2022-03-23 2022-07-15 深圳市普渡科技有限公司 Terminal flashing method and device, computer equipment and storage medium

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110457894B (en) * 2019-08-06 2021-08-03 惠州Tcl移动通信有限公司 root authority distribution method and device, storage medium and terminal equipment
CN111045737B (en) * 2019-11-29 2023-09-19 惠州Tcl移动通信有限公司 Equipment identifier acquisition method, device, terminal equipment and storage medium
CN117131519A (en) * 2023-02-27 2023-11-28 荣耀终端有限公司 Information protection method and equipment
CN116402475A (en) * 2023-06-06 2023-07-07 北京建科研软件技术有限公司 Method and system for generating hand-written signature by gradually locking regional and regional rights

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105975864A (en) * 2016-04-29 2016-09-28 北京小米移动软件有限公司 Operation system starting method and device, and terminal
CN107153792A (en) * 2017-04-06 2017-09-12 北京安云世纪科技有限公司 A kind of data safety processing method, device and mobile terminal
CN107729755A (en) * 2017-09-28 2018-02-23 努比亚技术有限公司 A kind of terminal safety management method, terminal and computer-readable recording medium
CN109657448A (en) * 2018-12-21 2019-04-19 惠州Tcl移动通信有限公司 A kind of method, apparatus, electronic equipment and storage medium obtaining Root authority
CN110457894A (en) * 2019-08-06 2019-11-15 惠州Tcl移动通信有限公司 Distribution method, device, storage medium and the terminal device of root authority

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102981835B (en) * 2012-11-02 2015-06-10 福州博远无线网络科技有限公司 Android application program permanent Root permission acquiring method
CN105975818A (en) * 2015-11-06 2016-09-28 乐视移动智能信息技术(北京)有限公司 Method and device for obtaining super user permission

Also Published As

Publication number Publication date
CN110457894A (en) 2019-11-15
CN110457894B (en) 2021-08-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19940746

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19940746

Country of ref document: EP

Kind code of ref document: A1