WO2021022729A1 - Procédé et appareil d'attribution de permissions racine, support de stockage, et dispositif terminal - Google Patents

Procédé et appareil d'attribution de permissions racine, support de stockage, et dispositif terminal Download PDF

Info

Publication number
WO2021022729A1
WO2021022729A1 PCT/CN2019/121812 CN2019121812W WO2021022729A1 WO 2021022729 A1 WO2021022729 A1 WO 2021022729A1 CN 2019121812 W CN2019121812 W CN 2019121812W WO 2021022729 A1 WO2021022729 A1 WO 2021022729A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
preset
digital signature
terminal
information
Prior art date
Application number
PCT/CN2019/121812
Other languages
English (en)
Chinese (zh)
Inventor
郑金国
张燕香
Original Assignee
惠州Tcl移动通信有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 惠州Tcl移动通信有限公司 filed Critical 惠州Tcl移动通信有限公司
Publication of WO2021022729A1 publication Critical patent/WO2021022729A1/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication

Definitions

  • This application relates to the field of communication technology, and in particular to a method, device, storage medium, and terminal device for assigning root permissions.
  • Root is the only super user in the system and has all the permissions in the system, such as starting or stopping a process, deleting or adding users, adding or disabling hardware, etc.
  • Google's Android Android system administrator account is called Root.
  • the Root account has the supreme right of the entire system. It can access and modify almost all files of the terminal device and has the highest level of management authority.
  • the process of rooting a mobile phone is the process of obtaining the highest use permission of the mobile phone (that is, root permission).
  • the process of rooting a mobile phone is actually copying the su executable file to Android In the /system/xbin directory of the system, and the process of modifying the permission to 4755, because more and more Android phones have added various protection functions, such as selinux (Security-Enhanced Linux, mandatory access control security system), users are very It is difficult to write directly to the /system/xbin directory, so that the phone cannot have root privileges.
  • the embodiments of the present application provide a method, device, storage medium, and terminal device for assigning root authority, which can be applied to the assignment of root authority of various terminals with strong reliability.
  • the embodiment of the present application provides a method for allocating root authority, which is applied to a terminal device.
  • the terminal device is provided with multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition.
  • the allocation method includes:
  • the terminal device When the terminal device restarts and enters the first preset stage, acquiring device attribute information from the terminal chip, where the device attribute information includes a device identification code;
  • root permission is assigned to the terminal device based on a preset executable file.
  • controlling the system partition to enter a writable state according to the digital signature information and the device identification code includes:
  • the system partition is controlled to enter a writable state.
  • the judging whether the terminal device is granted modification authority according to the information summary and the decryption summary includes:
  • the device attribute information further includes a terminal model and/or version number, and determining the information digest according to the message digest algorithm and the device identification code includes:
  • a message digest algorithm is used to process the combined code to obtain a message digest.
  • controlling the system partition to enter a writable state includes:
  • the access control module When the terminal device enters the second preset stage from the first preset stage, the access control module is set to the permissive mode, and the access verification module is turned off, so that the system partition enters the writable state, wherein In the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • the allocating root authority to the terminal device based on a preset executable file includes:
  • the preset executable file is stored in the target directory of the system partition, and the authority parameter is modified to a preset value to assign root authority to the terminal device.
  • the method further includes:
  • the device attribute information is obtained from the terminal chip, and the device attribute information is written into the preset offset position in the target partition for the flashing software to download from the Acquiring the device attribute information at the preset offset location, and generating digital signature information according to the device attribute information, and then storing the digital signature information at the preset offset location;
  • the acquiring digital signature information from the target partition includes: acquiring the digital signature information from the preset offset position in the target partition.
  • the embodiment of the present application also provides a root authority distribution device, which is applied to a terminal device.
  • the terminal device is provided with multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition.
  • the distribution device includes:
  • the first obtaining unit is configured to obtain device attribute information from the terminal chip when the terminal device restarts to enter the first preset stage, where the device attribute information includes a device identification code;
  • the second acquiring unit is configured to acquire digital signature information from the target partition
  • a control unit configured to control the system partition to enter a writable state according to the digital signature information and the device identification code
  • the allocation unit is configured to allocate root permissions to the terminal device based on a preset executable file in the writable state.
  • control unit specifically includes:
  • a determining subunit configured to determine a message digest according to a message digest algorithm and the device identification code
  • the decryption subunit is used to decrypt the digital signature information by using the preset public key to obtain a decrypted digest
  • the judging subunit is used for judging whether the terminal device is granted modification authority according to the information summary and the decryption summary;
  • the control subunit is used for controlling the system partition to enter the writable state if the modification authority is granted.
  • judgment subunit is specifically used for:
  • the device attribute information further includes a terminal model and/or version number, and the determining subunit is specifically used for:
  • a message digest algorithm is used to process the combined code to obtain a message digest.
  • control subunit is specifically configured to:
  • the access control module When the terminal device enters the second preset stage from the first preset stage, the access control module is set to the permissive mode, and the access verification module is turned off, so that the system partition enters the writable state, wherein In the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • allocation unit is specifically configured to:
  • the preset executable file is stored in the target directory of the system partition, and the authority parameter is modified to a preset value to assign root authority to the terminal device.
  • the device for assigning root authority further includes a storage unit for:
  • the terminal device Before acquiring the digital signature information from the target partition, when the terminal device powers on and enters the second preset stage, acquire the device attribute information from the terminal chip, and write the device attribute information into the target partition
  • the preset offset position for the flashing software to obtain the device attribute information from the preset offset position, and generate digital signature information according to the device attribute information, and then store the digital signature information in the At the preset offset position;
  • the second acquiring unit is specifically configured to acquire the digital signature information from the preset offset position in the target partition.
  • An embodiment of the present application also provides a computer-readable storage medium in which a plurality of instructions are stored, and the instructions are suitable for being loaded by a processor to execute any one of the above-mentioned methods for allocating root permissions.
  • An embodiment of the present application also provides a terminal device, including a processor and a memory, the processor is electrically connected to the memory, the memory is used to store instructions and data, and the processor is used to execute any of the above The steps in the method for assigning root permissions.
  • the terminal device is provided with multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition.
  • the terminal device restarts and enters the first preset stage, it obtains the device attribute information from the terminal chip, the device attribute information includes the device identification code, and then obtains the digital signature information from the target partition, and according to the digital signature information and
  • the device identification code controls the system partition to enter a writable state.
  • the terminal device is assigned root authority based on a preset executable file, which can facilitate the acquisition of root authority of various terminals.
  • the method is simple. Wide application range and strong reliability.
  • FIG. 1 is a schematic flowchart of a method for assigning root permissions provided by an embodiment of the application.
  • FIG. 2 is a schematic flowchart of the process of acquiring root authority of a mobile phone according to an embodiment of the application.
  • FIG. 3 is a schematic flowchart of another method for assigning root permissions according to an embodiment of the application.
  • FIG. 4 is a schematic structural diagram of a root authority distribution device provided by an embodiment of the application.
  • FIG. 5 is a schematic diagram of another structure of a root authority distribution device provided by an embodiment of the application.
  • FIG. 6 is a schematic structural diagram of a control unit 30 provided by an embodiment of the application.
  • FIG. 7 is a schematic structural diagram of a terminal device provided by an embodiment of the application.
  • FIG. 8 is a schematic diagram of another structure of a terminal device provided by an embodiment of the application.
  • a method for distributing root authority is applied to a terminal device.
  • the terminal device is provided with multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition.
  • the method for distributing root authority includes: when the terminal device restarts and enters the first In a preset stage, obtain the device attribute information from the terminal chip, the device attribute information includes the device identification code; obtain the digital signature information from the target partition; control the system partition to be writable according to the digital signature information and the device identification code In state; in the writable state, root permissions are assigned to the terminal device based on a preset executable file.
  • controlling the system partition to enter the writable state according to the digital signature information and the device identification code includes:
  • the system partition is controlled to enter a writable state.
  • the judging whether the terminal device is authorized to modify according to the information summary and the decryption summary includes:
  • the device attribute information further includes a terminal model and/or version number, and determining the information digest according to the message digest algorithm and the device identification code includes:
  • a message digest algorithm is used to process the combined code to obtain a message digest.
  • controlling the system partition to enter a writable state includes:
  • the access control module When the terminal device enters the second preset stage from the first preset stage, the access control module is set to the permissive mode, and the access verification module is turned off, so that the system partition enters the writable state, wherein In the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • the allocating root permissions to the terminal device based on a preset executable file includes:
  • the preset executable file is stored in the target directory of the system partition, and the authority parameter is modified to a preset value to assign root authority to the terminal device.
  • the method before acquiring the digital signature information from the target partition, the method further includes:
  • the device attribute information is obtained from the terminal chip, and the device attribute information is written into the preset offset position in the target partition for the flashing software to download from the Acquiring the device attribute information at the preset offset location, and generating digital signature information according to the device attribute information, and then storing the digital signature information at the preset offset location;
  • the acquiring digital signature information from the target partition includes: acquiring the digital signature information from the preset offset position in the target partition.
  • FIG. 1 is a schematic flowchart of a method for allocating root permissions provided by an embodiment of the present application.
  • the method for allocating root permissions is applied to a terminal device, and the terminal device is provided with multiple storage partitions. Including system partition and target partition, the specific process can be as follows:
  • the first preset stage refers to the LK (little kernel) stage, which is the boot stage before the system kernel starts, and is mainly used to initialize hardware, load the kernel, configure initialization registers, command line parameters, and so on.
  • the device attribute information in the terminal chip can be obtained through the system API (Application Programming Interface) of the terminal.
  • the device attribute information mainly refers to the attribute information related to the terminal, such as the device identification code, where the device identification code is the terminal It can be the terminal SN (Serial Number, product serial number) code.
  • the terminal ROM chip can be divided into multiple storage partitions. Different storage partitions are used to store different data and implement different functions. For example, the system partition is used to store system files, the cache partition is used to store cache data, and the userdata partition is used. Used to store user data, etc.
  • the target partition refers to a designated partition in the terminal device other than the system partition, such as the Proinfo partition. It is easy to understand that the digital signature information should be stored in advance, that is, before the above step S102, the root authority distribution method further includes:
  • the device attribute information is obtained from the terminal chip, and the device attribute information is written into the preset offset position in the target partition for the flashing software to deviate from the preset.
  • the device attribute information is acquired at the moving location, and digital signature information is generated according to the device attribute information, and then the digital signature information is stored at the preset offset location.
  • the above step S102 specifically includes: acquiring the digital signature information from the preset offset position in the target partition.
  • the preset offset position may be manually set.
  • the preset offset position may be the start storage address where the 8th MB is located.
  • the second preset stage refers to the kernel stage, which is the kernel startup stage, and is mainly used to start some related processes, such as starting idle processes, kernel_init processes, kthreadd processes, etc.
  • the flashing software can be installed on other terminal devices, such as tablet computers.
  • the application software on other terminal devices cannot directly obtain SN information from the terminal chip of this terminal device, but can read the data in the storage partition.
  • the terminal device must store device attribute information such as SN in a target partition other than the system partition in advance.
  • the terminal device can be Each time the boot enters the kernel stage, the native process is run once, in which the system API is used to obtain device attribute information from the terminal chip for storage, so that other terminal devices can obtain the device attribute information, and then other terminal devices It can generate digital signature information, which is processed by asymmetric key encryption technology and digital digest technology.
  • the writable state means that disk read and disk write operations can be performed on the system partition.
  • step S103 may specifically include:
  • the message digest algorithm mainly refers to MD5 (Message-Digest Algorithm) algorithm.
  • the preset public key corresponds to the encryption private key of the digital signature information, that is, the public key and the private key can be stored on the terminal device and other terminal devices respectively.
  • the private key is used to encrypt device attribute information in advance.
  • the public key is used to decrypt the digital signature information when verifying authorization.
  • the information summary can be obtained by directly processing the SN code using the MD5 algorithm.
  • the device property information is also It may include other information, such as the terminal model and/or version number.
  • the determination of the information summary also needs to combine this information, that is, the above step 1-1 may specifically include:
  • the combination method can be set manually. It can be a simple combination of character codes in a prescribed order.
  • the combination sequence can be device identification code, terminal model, version number, or the combination of characters before or after combination.
  • the code undergoes certain processing, such as conversion to decimal or hexadecimal, etc., and then the MD5 algorithm is used to calculate the information digest of the combined code.
  • steps 1-3 may specifically include:
  • the decryption digest and the information digest are equal, it means that the encryption public key and the decryption private key are a pair, and the acquisition of root authority is legal, otherwise it is illegal.
  • control the system partition to enter the writable state specifically include:
  • the access control module When the terminal device enters the second preset stage from the first preset stage, the access control module is set to tolerant mode, and the access verification module is turned off, so that the system partition enters a writable state. In permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • the configuration of the write protection function is usually processed in the LK stage.
  • the write protection function is realized by setting the EMMC register in the terminal device, which can make each storage partition of the physical EMMC in an unwritable state, and if you want To achieve root, the su executable file must be copied to the system partition. Therefore, at least the write protection function of the system partition must be turned off before copying the files, and the write protection function of other storage partitions can be retained.
  • Access control module selinux security-enhanced linux configuration is usually processed in the kernel stage.
  • selinux is used to check the security context of each object in the system accessing system resources. It includes two modes: Enforcing Mode and Permissive Mode.
  • Enforcing Mode is used to intercept access that is not configured by the system and print out the LOG log.
  • the permissive mode is only used to record the LOG, but does not really block access.
  • the configuration of the access verification module DM-verity (device-mapper-verity) is usually processed in the compiling phase of the kernel phase, which will generate the hash tree of the image file during the compiling phase. If the terminal device is running, the system system is used A piece of data in the partition, the system will automatically detect whether the data matches the record data in the hash tree, if it does not match, this piece of data is not allowed to be used. Under this premise, if you want to write in the system partition Enter the su executable file, you must first close DM-verity.
  • step S104 may specifically include:
  • the preset executable file is mainly the su executable file
  • the target directory is the root directory of the system partition, that is, /system/xbin
  • the preset value is artificially set, for example, 4755.
  • the method for assigning root permissions is applied to a terminal device.
  • the terminal device is provided with multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition.
  • the terminal device restarts and enters the first In the preset stage, by obtaining device attribute information from the terminal chip, the device attribute information includes the device identification code, and then obtaining the digital signature information from the target partition, and controlling the system partition according to the digital signature information and the device identification code Enter the writable state.
  • root permissions are assigned to the terminal device based on the preset executable file, which can facilitate the acquisition of root permissions for various terminals.
  • the method is simple, the scope of application is wide, and the reliability is strong. .
  • the first terminal device is a mobile phone
  • the second terminal device For a computer, the first terminal device is provided with multiple storage partitions, and the multiple storage partitions include a system partition and a target partition.
  • the first terminal device When booting into the second preset stage, the first terminal device obtains device attribute information from its own terminal chip, and writes the device attribute information to a preset offset position in the target partition.
  • the device attribute information includes the device Identification code.
  • it can be set to use the system API in the native process to obtain the SN information in the terminal chip in the native process every time the mobile phone enters the kernel phase, and store it in the designated offset position of the Proinfo partition.
  • the second terminal device obtains the device attribute information from the preset offset position by using the installed flashing software, and generates digital signature information according to the device attribute information, and then stores the digital signature information in the preset offset Location.
  • the user can install the flashing software on the computer and connect the computer to the mobile phone.
  • the flashing software can be downloaded from some platforms, and then the flashing software can obtain the SN code from the preset offset position in the mobile phone, and Sign it with the preset private key, and store the digital signature information in the mobile phone.
  • the first terminal device When restarting and entering the first preset stage, the first terminal device obtains the device attribute information from its own terminal chip, and obtains the digital signature information from the preset offset position.
  • the first terminal device determines an information digest according to the message digest algorithm and the device identification code, and decrypts the digital signature information by using the preset public key to obtain the decrypted digest.
  • the first terminal device judges whether the decryption digest and the information digest are the same, if they are the same, the following step S206 is performed, and if they are not equal, the restart detection is not performed again.
  • the mobile phone can be restarted, and when entering the LK stage, the SN information is obtained from the chip, and the digital signature information is obtained from the specified offset position of the Proinfo partition. , Use the preset public key to decrypt the digital signature information. Under normal circumstances, the decrypted digest obtained by the legal flashing process will be the same as the generated information digest.
  • the first terminal device When in the first preset stage, the first terminal device turns off the write protection function of the system partition, and when entering the second preset stage from the first preset stage, the first terminal device sets the access control module Enter the permissive mode, and close the access verification module, so that the system partition enters a writable state, wherein, in the permissive mode, the multiple storage partitions are allowed to illegally access.
  • the authorization status information can be generated in the LK phase, and the authorization status information can be passed to the kernel phase through the command line.
  • the mobile phone can turn off the write protection function of the system partition.
  • the phone can turn off DM-verity.
  • the first terminal device stores the preset executable file in the target directory of the system partition, and modifies the authority parameter to the preset value to assign root authority to the terminal device.
  • the mobile phone can copy the su executable file to the root directory of the system partition, which is /system/xbin, and set the permission to 4755.
  • the mobile phone has root permission, and the user can control any process and user in the mobile phone. Account, hardware, etc. are controlled.
  • a prompt interface can be generated, and the prompt interface can display words such as "root success”. .
  • this embodiment will be further described from the perspective of a root authority distribution device, and the root authority distribution device can be implemented as an independent entity.
  • the embodiment of the present application provides a root authority distribution device, which is applied to a terminal device.
  • the terminal device is provided with multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition.
  • the distribution device includes:
  • the first obtaining unit is configured to obtain device attribute information from the terminal chip when the terminal device restarts to enter the first preset stage, where the device attribute information includes a device identification code;
  • the second acquiring unit is configured to acquire digital signature information from the target partition
  • a control unit configured to control the system partition to enter a writable state according to the digital signature information and the device identification code
  • the allocation unit is configured to allocate root permissions to the terminal device based on a preset executable file in the writable state.
  • control unit specifically includes:
  • a determining subunit configured to determine a message digest according to a message digest algorithm and the device identification code
  • the decryption subunit is used to decrypt the digital signature information by using the preset public key to obtain a decrypted digest
  • the judging subunit is used for judging whether the terminal device is granted modification authority according to the information summary and the decryption summary;
  • the control subunit is used for controlling the system partition to enter the writable state if the modification authority is granted.
  • the judgment subunit is specifically configured to:
  • the device attribute information further includes a terminal model and/or version number, and the determining subunit is specifically configured to:
  • a message digest algorithm is used to process the combined code to obtain a message digest.
  • control subunit is specifically configured to:
  • the access control module When the terminal device enters the second preset stage from the first preset stage, the access control module is set to the permissive mode, and the access verification module is turned off, so that the system partition enters the writable state, wherein In the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • the allocation unit is specifically configured to:
  • the preset executable file is stored in the target directory of the system partition, and the authority parameter is modified to a preset value to assign root authority to the terminal device.
  • the device for assigning root authority further includes a storage unit for:
  • the terminal device Before acquiring the digital signature information from the target partition, when the terminal device powers on and enters the second preset stage, acquire the device attribute information from the terminal chip, and write the device attribute information into the target partition
  • the preset offset position for the flashing software to obtain the device attribute information from the preset offset position, and generate digital signature information according to the device attribute information, and then store the digital signature information in the At the preset offset position;
  • the second acquiring unit is specifically configured to acquire the digital signature information from the preset offset position in the target partition.
  • the terminal device may include a mobile phone, a tablet computer, a personal PC, etc., and the terminal device has multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition, and the apparatus for assigning root authority may include: a first obtaining unit 10, a second obtaining unit 20, a control unit 30, and a distribution unit 40, wherein:
  • the first acquisition unit 10 The first acquisition unit 10
  • the first obtaining unit 10 is configured to obtain device attribute information from the terminal chip when the terminal device restarts and enters the first preset stage, where the device attribute information includes a device identification code.
  • the first preset stage refers to the LK (little kernel) stage, which is the boot stage before the system kernel starts, and is mainly used to initialize hardware, load the kernel, configure initialization registers, command line parameters, and so on.
  • the device attribute information in the terminal chip can be obtained through the system API (Application Programming Interface) of the terminal.
  • the device attribute information mainly refers to the attribute information related to the terminal, such as the device identification code, where the device identification code is the terminal It can be the terminal SN (Serial Number, product serial number) code.
  • the second obtaining unit 20 is configured to obtain digital signature information from the target partition.
  • the terminal ROM chip can be divided into multiple storage partitions. Different storage partitions are used to store different data and implement different functions. For example, the system partition is used to store system files, the cache partition is used to store cache data, and the userdata partition is used. Used to store user data, etc.
  • the target partition refers to a designated partition in the terminal device other than the system partition, such as the Proinfo partition. It is easy to understand that the digital signature information should be stored in advance, that is, referring to Figure 5, the root authority distribution device further includes a storage unit 50 for:
  • the device attribute information is obtained from the terminal chip, and the device attribute information is written into the preset offset in the target partition. Move the position so that the flashing software obtains the device attribute information from the preset offset position, and generates digital signature information according to the device attribute information, and then stores the digital signature information at the preset offset position.
  • the second obtaining unit 20 is specifically configured to obtain the digital signature information from the preset offset position in the target partition.
  • the preset offset position may be manually set.
  • the preset offset position may be the start storage address where the 8th MB is located.
  • the second preset stage refers to the kernel stage, which is the kernel startup stage, and is mainly used to start some related processes, such as starting idle processes, kernel_init processes, kthreadd processes, etc.
  • the flashing software can be installed on other terminal devices, such as tablet computers.
  • the application software on other terminal devices cannot directly obtain SN information from the terminal chip of this terminal device, but can read the data in the storage partition.
  • the terminal device must store device attribute information such as SN in a target partition other than the system partition in advance.
  • the terminal device can be Each time the boot enters the kernel stage, the native process is run once, in which the system API is used to obtain device attribute information from the terminal chip for storage, so that other terminal devices can obtain the device attribute information, and then other terminal devices It can generate digital signature information, which is processed by asymmetric key encryption technology and digital digest technology.
  • the control unit 30 is configured to control the system partition to enter a writable state according to the digital signature information and the device identification code.
  • the writable state means that disk read and disk write operations can be performed on the system partition.
  • control unit 30 specifically includes:
  • the determining subunit 31 is configured to determine the message digest according to the message digest algorithm and the device identification code;
  • the decryption subunit 32 is used to decrypt the digital signature information by using the preset public key to obtain a decrypted digest
  • the judging subunit 33 is used for judging whether the terminal device is granted modification authority according to the information digest and the decryption digest;
  • the control subunit 34 is configured to control the system partition to enter a writable state if the modification authority is granted.
  • the message digest algorithm mainly refers to MD5 (Message-Digest Algorithm) algorithm.
  • the preset public key corresponds to the encryption private key of the digital signature information, that is, the public key and the private key can be stored on the terminal device and other terminal devices respectively.
  • the private key is used to encrypt device attribute information in advance.
  • the public key is used to decrypt the digital signature information when verifying authorization.
  • the information summary can be obtained by directly processing the SN code using the MD5 algorithm.
  • the device property information is also It may include other information, such as the terminal model and/or version number.
  • the determination of the information summary also needs to combine this information, that is, the device attribute information also includes the terminal model and/or version number.
  • the determination subunit 31 Specifically used for:
  • the combination method can be set manually. It can be a simple combination of character codes in a prescribed order.
  • the combination sequence can be device identification code, terminal model, version number, or the combination of characters before or after combination.
  • the code undergoes certain processing, such as conversion to decimal or hexadecimal, etc., and then the MD5 algorithm is used to calculate the information digest of the combined code.
  • judgment subunit 33 is specifically used for:
  • the decryption digest and the information digest are equal, it means that the encryption public key and the decryption private key are a pair, and the acquisition of root authority is legal, otherwise it is illegal.
  • control subunit 34 is specifically used for:
  • the access control module When the terminal device enters the second preset stage from the first preset stage, the access control module is set to tolerant mode, and the access verification module is turned off, so that the system partition enters a writable state. In permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • the configuration of the write protection function is usually processed in the LK stage.
  • the write protection function is realized by setting the EMMC register in the terminal device, which can make each storage partition of the physical EMMC in an unwritable state, and if you want To achieve root, the su executable file must be copied to the system partition. Therefore, at least the write protection function of the system partition must be turned off before copying the files, and the write protection function of other storage partitions can be retained.
  • Access control module selinux security-enhanced linux configuration is usually processed in the kernel stage.
  • selinux is used to check the security context of each object in the system accessing system resources. It includes two modes: Enforcing Mode and Permissive Mode.
  • Enforcing Mode is used to intercept access that is not configured by the system and print out the LOG log.
  • the permissive mode is only used to record the LOG, but does not really block access.
  • the configuration of the access verification module DM-verity (device-mapper-verity) is usually processed in the compiling phase of the kernel phase, which will generate the hash tree of the image file during the compiling phase. If the terminal device is running, the system system is used A piece of data in the partition, the system will automatically detect whether the data matches the record data in the hash tree, if it does not match, this piece of data is not allowed to be used. Under this premise, if you want to write in the system partition Enter the su executable file, you must first close DM-verity.
  • the allocation unit 40 is configured to allocate root permissions to the terminal device based on a preset executable file in the writable state.
  • the allocation unit 40 is specifically used for:
  • the preset executable file is mainly the su executable file
  • the target directory is the root directory of the system partition, that is, /system/xbin
  • the preset value is artificially set, for example, 4755.
  • each of the above units can be implemented as an independent entity, or can be combined arbitrarily, and implemented as the same or several entities.
  • each of the above units please refer to the previous method embodiments, which will not be repeated here.
  • the method for assigning root permissions is applied to a terminal device.
  • the terminal device is provided with multiple storage partitions.
  • the multiple storage partitions include a system partition and a target partition.
  • the device attribute information is obtained from the terminal chip through the first obtaining unit 10, and the device attribute information includes the device identification code.
  • the second obtaining unit 20 obtains the digital signature information from the target partition, and the control unit 30 according to The digital signature information and the device identification code control the system partition to enter a writable state.
  • the adjustment module 40 assigns root permissions to the terminal device based on a preset executable file, which can benefit various terminals
  • the method of obtaining root authority is simple, widely applicable, and reliable.
  • the embodiment of the present application also provides a terminal device, which may be a device such as a smart phone or a tablet computer.
  • the terminal device 200 includes a processor 201 and a memory 202. Wherein, the processor 201 and the memory 202 are electrically connected.
  • the processor 201 is the control center of the terminal device 200. It uses various interfaces and lines to connect the various parts of the entire terminal device. It executes the terminal by running or loading the application program stored in the memory 202 and calling the data stored in the memory 202. Various functions and processing data of the equipment, so as to monitor the terminal equipment as a whole.
  • the terminal device 200 is provided with multiple storage partitions, and the multiple storage partitions include a system partition and a target partition.
  • the processor 201 in the terminal device 200 will perform one or more applications according to the following steps
  • the instructions corresponding to the process of the program are loaded into the memory 202, and the processor 201 runs the application programs stored in the memory 202, thereby realizing various functions:
  • the terminal device When the terminal device restarts and enters the first preset stage, obtain device attribute information from the terminal chip, where the device attribute information includes a device identification code;
  • root authority is assigned to the terminal device based on the preset executable file.
  • FIG. 8 shows a specific structural block diagram of a terminal device provided by an embodiment of the present invention, and the terminal device can be used to implement the root authority distribution method provided in the foregoing embodiment.
  • the terminal device 300 may be a smart phone or a tablet computer.
  • the RF circuit 310 is used to receive and send electromagnetic waves, realize the mutual conversion between electromagnetic waves and electrical signals, and communicate with a communication network or other devices.
  • the RF circuit 310 may include various existing circuit elements for performing these functions, for example, an antenna, a radio frequency transceiver, a digital signal processor, an encryption/decryption chip, a subscriber identity module (SIM) card, a memory, and so on.
  • the RF circuit 310 can communicate with various networks such as the Internet, an intranet, and a wireless network, or communicate with other devices through a wireless network.
  • the aforementioned wireless network may include a cellular telephone network, a wireless local area network, or a metropolitan area network.
  • the above-mentioned wireless network can use various communication standards, protocols and technologies, including but not limited to the Global System for Mobile Communications (Global System for Mobile Communication, GSM), enhanced mobile communication technology (Enhanced Data GSM Environment, EDGE), wideband code division multiple access technology (Wideband Code Division Multiple Access, WCDMA), Code Division Multiple Access (Code Division Multiple Access) Access, CDMA), Time Division Multiple Access (TDMA), Wireless Fidelity (Wireless Fidelity, Wi-Fi) (such as the American Institute of Electrical and Electronics Engineers standards IEEE 802.11a, IEEE 802.11b, IEEE 802.11g and/or IEEE 802.11n), Internet telephony (Voice over Internet Protocol, VoIP), Worldwide Interconnection for Microwave Access (Worldwide Interoperability for Microwave Access, Wi-Max), other protocols used for mail, instant messaging and short messages, and any other appropriate communication protocols, even those that have not yet been developed.
  • GSM Global System for Mobile Communication
  • EDGE Enhanced Data GSM Environment
  • WCDMA Wideband Code Division Multiple Access
  • the memory 320 may be used to store software programs and modules, such as the program instructions/modules corresponding to the automatic light-filling system and method for taking pictures of the front camera in the above-mentioned embodiments.
  • the processor 380 executes the software programs and modules stored in the memory 320 by running Various functional applications and data processing, that is, realize the function of automatically filling light when taking pictures with the front camera.
  • the memory 320 may include a high-speed random access memory, and may also include a non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory.
  • the memory 320 may further include a memory remotely provided with respect to the processor 380, and these remote memories may be connected to the terminal device 300 through a network. Examples of the aforementioned networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.
  • the input unit 330 may be used to receive inputted digital or character information, and generate keyboard, mouse, joystick, optical or trackball signal input related to user settings and function control.
  • the input unit 330 may include a touch-sensitive surface 331 and other input devices 332.
  • the touch-sensitive surface 331 also called a touch screen or a touchpad, can collect user touch operations on or near it (for example, the user uses any suitable objects or accessories such as fingers, stylus, etc.) on or on the touch-sensitive surface 331. Operation near the touch-sensitive surface 331), and drive the corresponding connection device according to the preset program.
  • the touch-sensitive surface 331 may include two parts: a touch detection device and a touch controller.
  • the touch detection device detects the user's touch position, detects the signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, and then sends it To the processor 380, and can receive and execute the commands sent by the processor 380.
  • the touch-sensitive surface 331 can be realized by various types such as resistive, capacitive, infrared, and surface acoustic wave.
  • the input unit 330 may also include other input devices 332.
  • the other input device 332 may include, but is not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackball, mouse, and joystick.
  • the display unit 340 may be used to display information input by the user or information provided to the user and various graphical user interfaces of the terminal device 300. These graphical user interfaces may be composed of graphics, text, icons, videos, and any combination thereof.
  • the display unit 340 may include a display panel 341.
  • an LCD Liquid
  • the display panel 341 is configured in the form of Crystal Display (liquid crystal display), OLED (Organic Light-Emitting Diode, organic light-emitting diode).
  • the touch-sensitive surface 331 may cover the display panel 341. When the touch-sensitive surface 331 detects a touch operation on or near it, it is transmitted to the processor 380 to determine the type of the touch event, and then the processor 380 responds to the touch event.
  • the type provides corresponding visual output on the display panel 341.
  • the touch-sensitive surface 331 and the display panel 341 are used as two independent components to implement input and output functions, in some embodiments, the touch-sensitive surface 331 and the display panel 341 can be integrated to implement input. And output function.
  • the terminal device 300 may also include at least one sensor 350, such as a light sensor, a motion sensor, and other sensors.
  • the light sensor may include an ambient light sensor and a proximity sensor.
  • the ambient light sensor can adjust the brightness of the display panel 341 according to the brightness of the ambient light, and the proximity sensor can close the display panel 341 when the terminal device 300 is moved to the ear. And/or backlight.
  • the gravity acceleration sensor can detect the magnitude of acceleration in various directions (usually three-axis), and can detect the magnitude and direction of gravity when it is stationary.
  • the terminal device 300 can also be configured with other sensors such as gyroscope, barometer, hygrometer, thermometer, infrared sensor, etc., here No longer.
  • the audio circuit 360, the speaker 361, and the microphone 362 can provide an audio interface between the user and the terminal device 300.
  • the audio circuit 360 can transmit the electric signal converted from the received audio data to the speaker 361, and the speaker 361 converts it into a sound signal for output; on the other hand, the microphone 362 converts the collected sound signal into an electric signal, and the audio circuit 360 After being received, it is converted into audio data, and then processed by the audio data output processor 380, and then sent to, for example, another terminal via the RF circuit 310, or the audio data is output to the memory 320 for further processing.
  • the audio circuit 360 may also include an earplug jack to provide communication between a peripheral earphone and the terminal device 300.
  • the terminal device 300 can help users send and receive emails, browse web pages, and access streaming media through the transmission module 370 (such as a Wi-Fi module), and it provides users with wireless broadband Internet access.
  • the transmission module 370 such as a Wi-Fi module
  • FIG. 8 shows the transmission module 370, it is understandable that it is not a necessary component of the terminal device 300 and can be omitted as needed without changing the essence of the invention.
  • the processor 380 is the control center of the terminal device 300, which uses various interfaces and lines to connect the various parts of the entire mobile phone, runs or executes software programs and/or modules stored in the memory 320, and calls data stored in the memory 320 , Perform various functions of the terminal device 300 and process data, thereby monitoring the mobile phone as a whole.
  • the processor 380 may include one or more processing cores; in some embodiments, the processor 380 may integrate an application processor and a modem processor, where the application processor mainly processes the operating system, user interface, and For application programs, the modem processor mainly deals with wireless communication. It can be understood that the foregoing modem processor may not be integrated into the processor 380.
  • the terminal device 300 also includes a power source 390 (such as a battery) for supplying power to various components.
  • the power source may be logically connected to the processor 380 through a power management system, so as to manage charging, discharging, and power consumption through the power management system. Management and other functions.
  • the power supply 190 may also include one or more DC or AC power supplies, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and any other components.
  • the terminal device 300 may also include a camera (such as a front camera, a rear camera), a Bluetooth module, etc., which will not be repeated here.
  • the display unit of the terminal device is a touch screen display, and the terminal device also includes a memory and one or more programs.
  • One or more programs are stored in the memory and configured to be configured by one or more programs.
  • the above processor executes one or more programs including instructions for performing the following operations:
  • the terminal device When the terminal device restarts and enters the first preset stage, obtain device attribute information from the terminal chip, where the device attribute information includes a device identification code;
  • root authority is assigned to the terminal device based on the preset executable file.
  • controlling the system partition to enter the writable state according to the digital signature information and the device identification code includes:
  • the system partition is controlled to enter a writable state.
  • the judging whether the terminal device is authorized to modify according to the information summary and the decryption summary includes:
  • the device attribute information further includes a terminal model and/or version number, and determining the information digest according to the message digest algorithm and the device identification code includes:
  • a message digest algorithm is used to process the combined code to obtain a message digest.
  • controlling the system partition to enter a writable state includes:
  • the access control module When the terminal device enters the second preset stage from the first preset stage, the access control module is set to the permissive mode, and the access verification module is turned off, so that the system partition enters the writable state, wherein In the permissive mode, the multiple storage partitions are allowed to be accessed illegally.
  • the allocating root permissions to the terminal device based on a preset executable file includes:
  • the preset executable file is stored in the target directory of the system partition, and the authority parameter is modified to a preset value to assign root authority to the terminal device.
  • the method before acquiring the digital signature information from the target partition, the method further includes:
  • the device attribute information is obtained from the terminal chip, and the device attribute information is written into the preset offset position in the target partition for the flashing software to download from the Acquiring the device attribute information at the preset offset location, and generating digital signature information according to the device attribute information, and then storing the digital signature information at the preset offset location;
  • the acquiring digital signature information from the target partition includes: acquiring the digital signature information from the preset offset position in the target partition.
  • each of the above modules can be implemented as an independent entity, or can be combined arbitrarily, and implemented as the same or several entities.
  • each of the above modules please refer to the previous method embodiments, which will not be repeated here.
  • an embodiment of the present invention provides a storage medium in which a plurality of instructions are stored, and the instructions can be loaded by a processor to execute the steps in any root permission allocation method provided in the embodiments of the present invention.
  • the storage medium may include: read-only memory (ROM, Read Only Memory), random access memory (RAM, Random Access Memory), disk or CD, etc.
  • any root permission distribution method provided in the embodiment of the present invention can be implemented.
  • any root permission distribution method provided in the embodiment of the present invention can be implemented.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

La présente invention concerne un procédé et un appareil d'attribution de permissions racine, un support de stockage, et un dispositif terminal. Le dispositif terminal comprend une partition système et une partition cible. Le procédé consiste à : acquérir, lorsqu'un dispositif terminal est redémarré et entre dans un premier stade prédéfini, un code d'identification de dispositif à partir d'une puce de terminal ; acquérir des informations de signature numérique à partir d'une partition cible ; commander, sur la base des informations de signature numérique et du code d'identification de dispositif, à une partition système d'entrer dans un état inscriptible ; et attribuer des permissions racine au dispositif terminal selon un fichier exécutable prédéfini.
PCT/CN2019/121812 2019-08-06 2019-11-29 Procédé et appareil d'attribution de permissions racine, support de stockage, et dispositif terminal WO2021022729A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910720524.0A CN110457894B (zh) 2019-08-06 2019-08-06 root权限的分配方法、装置、存储介质及终端设备
CN201910720524.0 2019-08-06

Publications (1)

Publication Number Publication Date
WO2021022729A1 true WO2021022729A1 (fr) 2021-02-11

Family

ID=68485016

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/121812 WO2021022729A1 (fr) 2019-08-06 2019-11-29 Procédé et appareil d'attribution de permissions racine, support de stockage, et dispositif terminal

Country Status (2)

Country Link
CN (1) CN110457894B (fr)
WO (1) WO2021022729A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114465805A (zh) * 2022-02-18 2022-05-10 深圳市优博讯科技股份有限公司 主动标识管控方法及系统
CN114760621A (zh) * 2022-03-23 2022-07-15 深圳市普渡科技有限公司 终端刷机方法、装置、计算机设备及存储介质

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110457894B (zh) * 2019-08-06 2021-08-03 惠州Tcl移动通信有限公司 root权限的分配方法、装置、存储介质及终端设备
CN111045737B (zh) * 2019-11-29 2023-09-19 惠州Tcl移动通信有限公司 设备标识获取方法、装置、终端设备和存储介质
CN112069494A (zh) * 2020-06-30 2020-12-11 西安万像电子科技有限公司 一种零终端的权限操作方法及系统
CN117131519B (zh) * 2023-02-27 2024-06-11 荣耀终端有限公司 一种信息的保护方法及设备
CN116402475A (zh) * 2023-06-06 2023-07-07 北京建科研软件技术有限公司 一种分区域分权限逐步锁定的手写签名生成方法和系统
CN118070344A (zh) * 2024-04-25 2024-05-24 浪潮云信息技术股份公司 基于敏感标记的关系数据库权限控制方法及装置、介质、设备

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105975864A (zh) * 2016-04-29 2016-09-28 北京小米移动软件有限公司 操作系统的启动方法、装置及终端
CN107153792A (zh) * 2017-04-06 2017-09-12 北京安云世纪科技有限公司 一种数据安全处理方法、装置及移动终端
CN107729755A (zh) * 2017-09-28 2018-02-23 努比亚技术有限公司 一种终端安全管理方法、终端及计算机可读存储介质
CN109657448A (zh) * 2018-12-21 2019-04-19 惠州Tcl移动通信有限公司 一种获取Root权限的方法、装置、电子设备及存储介质
CN110457894A (zh) * 2019-08-06 2019-11-15 惠州Tcl移动通信有限公司 root权限的分配方法、装置、存储介质及终端设备

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102981835B (zh) * 2012-11-02 2015-06-10 福州博远无线网络科技有限公司 安卓应用程序永久获取Root权限的方法
CN105975818A (zh) * 2015-11-06 2016-09-28 乐视移动智能信息技术(北京)有限公司 一种获取超级用户权限的方法及装置

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105975864A (zh) * 2016-04-29 2016-09-28 北京小米移动软件有限公司 操作系统的启动方法、装置及终端
CN107153792A (zh) * 2017-04-06 2017-09-12 北京安云世纪科技有限公司 一种数据安全处理方法、装置及移动终端
CN107729755A (zh) * 2017-09-28 2018-02-23 努比亚技术有限公司 一种终端安全管理方法、终端及计算机可读存储介质
CN109657448A (zh) * 2018-12-21 2019-04-19 惠州Tcl移动通信有限公司 一种获取Root权限的方法、装置、电子设备及存储介质
CN110457894A (zh) * 2019-08-06 2019-11-15 惠州Tcl移动通信有限公司 root权限的分配方法、装置、存储介质及终端设备

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114465805A (zh) * 2022-02-18 2022-05-10 深圳市优博讯科技股份有限公司 主动标识管控方法及系统
CN114760621A (zh) * 2022-03-23 2022-07-15 深圳市普渡科技有限公司 终端刷机方法、装置、计算机设备及存储介质

Also Published As

Publication number Publication date
CN110457894B (zh) 2021-08-03
CN110457894A (zh) 2019-11-15

Similar Documents

Publication Publication Date Title
CN110457894B (zh) root权限的分配方法、装置、存储介质及终端设备
US20210336780A1 (en) Key updating method, apparatus, and system
CN109964227B (zh) 更新SELinux安全策略的方法及终端
EP3479243B1 (fr) Repavage de région variable tolérants aux pannes pendant une mise à jour de micrologiciel par liaison radio
CN109657448B (zh) 一种获取Root权限的方法、装置、电子设备及存储介质
US9584494B2 (en) Terminal and server for applying security policy, and method of controlling the same
WO2021036706A1 (fr) Procédé d'opération d'application de confiance et procédé et appareil de traitement d'informations et d'attribution de mémoire
US20130031631A1 (en) Detection of unauthorized device access or modifications
WO2019010863A1 (fr) Procédé et terminal permettant de contrôler un accès à une application de confiance
US20200218816A1 (en) Method and device for dynamically managing kernel node
US10185553B2 (en) Fault-tolerant variable region repaving during firmware over the air update
WO2013159632A1 (fr) Procédé, pare-feu, terminal et support de stockage lisible pour l'implémentation d'une protection de sécurité
US10764038B2 (en) Method and apparatus for generating terminal key
US20230221784A1 (en) System and method for power state enforced subscription management
CN108090345B (zh) linux系统外部命令执行方法及装置
WO2018082289A1 (fr) Procédé et dispositif de gestion d'application, et support d'informations pour ordinateur
CN108460251B (zh) 运行应用程序的方法、装置及系统
US9380040B1 (en) Method for downloading preauthorized applications to desktop computer using secure connection
CN106484481B (zh) 一种多开应用的配置方法、装置及终端
US20090187898A1 (en) Method for securely updating an autorun program and portable electronic entity executing it
CN113961246A (zh) 微控制芯片上的权限配置方法、装置及存储介质
CN116594698A (zh) 一种系统控制方法、装置和可读存储介质
CN116915411A (zh) 数据回读方法、装置及存储介质
KR20140132663A (ko) 메모리 자원을 관리하는 전자 장치 및 그 제어 방법
CN114138547A (zh) 一种系统启动的方法及终端

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19940746

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19940746

Country of ref document: EP

Kind code of ref document: A1