有時候我們寫的app要用uid=0的方式啟動一個process,framework層和app層是做不到的,只有通過寫腳本,利用am來實現。下面是具體步驟:
1.創建一個包含Main()方法Java project
1.1.創建一個Java project
1.2.添加Main()方法
1.3.導出為jar包
1.4.將java 版本的jar變成android 版本的jar
首先,找到dx工具所在文件夾,如android-sdk/build-tools/20.0.0,並將該文件夾加入到環境變量PATH中;
其次,執行編譯命令dx --dex --output=classes.dex BKTools.jar
最后,將dex文件打包成android版本的jar,aapt add BKTools.jar classes.dex
1.5.將該jar包push到手機的/system/framework目錄下
1.6.修改jar包的權限為777
2.編寫一個linux shell腳本
2.1.新建一個文本,命名為run_bktools.sh
輸入以下代碼:
# Script to start "am" on the device, which has a very rudimentary
# shell.
#
base=/system export CLASSPATH=$base/framework/BKTools.jar exec app_process $base/bin com.larack.bktools.BKMain "$@"
CLASSPATH為jar包的路徑,com.larack.bktools.BKMain為jar包的main函數所在的類,"$@"表示把當前參數傳入到main中。
2.2.將該sh文件run_bktools.sh push到手機/system/bin目錄下,並且修改權限為777
2.3.測試利用sh腳本啟動jar包
OK,啟動成功啦。
3.在android app中啟動shell腳本
3.1.創建一個android project
3.2.用root起shell腳本
package com.larackbkapp; import java.io.DataOutputStream; import java.io.IOException; import android.app.Activity; import android.os.Bundle; import android.util.Log; import android.view.Menu; import android.view.MenuItem; import android.widget.Toast; public class MainActivity extends Activity { private static final String TAG = "AAA"; private static final String CMD = "run_bktools.sh"; @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); int result = -1; result = execRootCmdSilent(CMD); if (-1 == result) Toast.makeText(this, "start fail.", Toast.LENGTH_LONG).show(); else Toast.makeText(this, "start success.", Toast.LENGTH_LONG).show(); } public int execRootCmdSilent(String cmd) { int result = -1; DataOutputStream dos = null; try { Process p = Runtime.getRuntime().exec("su"); dos = new DataOutputStream(p.getOutputStream()); Log.i(TAG, cmd); dos.writeBytes(cmd + "\n"); dos.flush(); dos.writeBytes("exit\n"); dos.flush(); p.waitFor(); result = p.exitValue(); Log.i(TAG, "Success execRootCmdSilent(" + cmd + ")=" + result); } catch (Exception e) { e.printStackTrace(); Log.e(TAG, "execRootCmdSilent(" + cmd + "),Exception:" + e.getMessage()); } finally { if (dos != null) { try { dos.close(); } catch (IOException e) { e.printStackTrace(); } } } return result; } @Override public boolean onCreateOptionsMenu(Menu menu) { // Inflate the menu; this adds items to the action bar if it is present. getMenuInflater().inflate(R.menu.main, menu); return true; } @Override public boolean onOptionsItemSelected(MenuItem item) { // Handle action bar item clicks here. The action bar will // automatically handle clicks on the Home/Up button, so long // as you specify a parent activity in AndroidManifest.xml. int id = item.getItemId(); if (id == R.id.action_settings) { return true; } return super.onOptionsItemSelected(item); } }
3.3.檢驗shell是否成功叫起
將手機連上電腦,編譯執行bkapp,用adb logcat檢查是否打有“Success execRootCmdSilent.."字樣,觀察手機上是否顯示“start success.”
檢驗OK,我就不再截圖了。
此時后台也在執行我們在Jar包中寫的代碼了,如果,我們在Jar包中寫一個自己的 ActivityManagerSerive,PowerManagerSerive或者,其他,都將是以root運行的。