What is the principle of the systemless root mode of Android and SuperSU?
In practice the essential step is placing a binary named su in /system/xbin, because when an app needs to perform an operation that requires root privileges, its code usually runs something like "su -c xxxcmd". This su binary does not exist on a stock device, so the real question is how to get it there. Copying it directly into the system partition fails because the system partition is mounted read-only; to write to it you must first remount it as writable, but the remount itself requires root privileges, which looks like a circular dependency.
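The mechanism above also gives a defender two concrete root indicators: an executable named su in a system directory (because apps obtain root by running "su -c cmd"), and a /system mount whose options begin with "rw" (because planting su requires remounting /system writable). The following shell script is an added example, not code from the original post; the directory list beyond /system/xbin, the sample mount lines and the temporary directory tree are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): two defender-side root checks derived
# from the mechanism described above. The directory list beyond /system/xbin, the
# sample /proc/mounts lines and the temporary tree are constructed for this example.

# Count executable "su" binaries under the given filesystem root ($1, default /).
# /system/xbin is the location named in the post; the others are assumed common
# locations and can be extended.
count_su_binaries() {
    fsroot="${1:-/}"
    found=0
    for dir in system/xbin system/bin sbin vendor/bin; do
        if [ -x "$fsroot/$dir/su" ]; then
            echo "root indicator: su binary at $fsroot/$dir/su" >&2
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# Read /proc/mounts-format text on stdin and print the first mount option
# ("ro" or "rw") of the /system mount, or "absent" if /system is not mounted.
system_mount_mode() {
    awk '$2 == "/system" { split($4, o, ","); print o[1]; hit = 1; exit }
         END { if (!hit) print "absent" }'
}

# Build a constructed directory tree that mimics a rooted device: su planted in
# /system/xbin (as the post describes) and in /sbin. Prints the tree's path.
build_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/system/xbin" "$tree/system/bin" "$tree/sbin" "$tree/vendor/bin"
    for dir in system/xbin sbin; do
        printf '#!/bin/sh\n' > "$tree/$dir/su"
        chmod 755 "$tree/$dir/su"
    done
    echo "$tree"
}

# Constructed /proc/mounts lines: /system has already been remounted read-write.
MOUNTS_SAMPLE='/dev/block/bootdevice/by-name/system /system ext4 rw,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0'

# Stand-alone demo on the constructed data; on a real device run
# "count_su_binaries /" and "system_mount_mode < /proc/mounts" instead.
demo_tree=$(build_sample_tree)
echo "su binaries found: $(count_su_binaries "$demo_tree")"
echo "/system mount mode: $(printf '%s\n' "$MOUNTS_SAMPLE" | system_mount_mode)"
rm -rf "$demo_tree"
```

On a stock device both checks should report 0 and "ro"; a count above zero or an "rw" /system mount means the root procedure described on this page, or an equivalent one, has been carried out.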

The way to break the loop is to elevate one process to root through a vulnerability; that process then forks with root privileges and performs the remount, or launches a script that does the equivalent. For example, some Linux kernels or drivers have use-after-free (UAF) or overflow vulnerabilities, and one-click root tools use these vulnerabilities to run their code in kernel mode and then set the uid and gid of the process to 0 (only kernel mode can do this; user mode cannot change them directly), so that the process is elevated to root.

Alternatively, you can flash a zip package directly. The package contains the contents of the boot partition and the system partition, so you can put su into the system partition's directory tree before packaging it. However, some phones verify the package signature, so the flash will be rejected; in that case you replace the recovery first and then flash the zip package.

The Hammer (Smartisan) T1 can root its v2.0 system with a similar idea.

1. Downgrade to version 1.4, use kingroot to gain root privileges, and put su in the system partition.

2. dd if=newrec.img of=recblock to replace the recovery.

3. Flash the upgrade.

4. Select getroot in the recovery; the recovery will put su into the system partition.

5. Restart.

6. dd if=recbackup.img of=recblock to restore the original recovery.