Last updated at 2019-11-12
Reversing apps on a stock ROM can be challenging. Not only do we have to fight unfriendly logic within the app, we also have to deal with various security restrictions (e.g. SELinux, the debuggable flag) that the system puts in place to protect its users.
Fortunately, Android is open source and we are free to modify whatever parts we are not happy with. This write-up aims to provide an up-to-date guide on creating a customised Android build dedicated to reverse-engineering purposes.
We use the following code branches/environments when writing this article, although most techniques should be easily applicable to a wide range of Android versions.
AOSP: pie-gsi, built with aosp_x86_64-userdebug
Kernel: android-goldfish-4.4-dev, built with x86_x64-ranchu-defconfig
There are a few goals that we want to achieve in this custom build:
The list below summarises the progress so far. Features labelled "Done" will be available in our precompiled images.
Precompiled images, AOSP 9.0 + Kernel, x86_x64
Updated at: 2019-11-12
https://drive.google.com/drive/u/1/folders/1NtMzWtppHCfxFA7NKXMWL2J_YdKRc9xC
Known issues:
(Investigating) GameGuardian fails to run its daemon and complains "Unable to obtain root access", but our tests show root is readily available:
generic_x86_64:/ # su u0_a68
generic_x86_64:/ $ whoami
u0_a68
generic_x86_64:/ $ /system/xbin/su
generic_x86_64:/ # whoami
root
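As an added check (example script written for this page, not part of the original write-up or of the precompiled images): before blaming an app that reports "Unable to obtain root access", it helps to list which of the restrictions mentioned at the top (SELinux mode, ro.debuggable, ro.secure, a setuid su binary) are actually lifted on the build. The POSIX sh script below does that from three inputs; on a real device they come from `adb shell getprop`, `adb shell getenforce` and `adb shell ls -l /system/xbin/su`, while here two constructed snapshots are embedded so it runs offline. One caveat when reading the transcript above: a shell started with `su u0_a68` from an adb root session changes the uid/gid but keeps the session's SELinux domain, whereas an app process runs in its own domain and, on unmodified AOSP, the userdebug `su` (system/extras/su/su.cpp) refuses callers other than root and shell; the script therefore reports the system-wide switches and does not reproduce an app's own path to root.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit the switches that
# decide whether a build is "friendly" to reverse engineering. The three
# inputs are constructed snapshots; on a device use
#   adb shell getprop ; adb shell getenforce ; adb shell ls -l /system/xbin/su

# Constructed snapshot 1: what the custom userdebug build should look like.
CUSTOM_PROPS='[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.secure]: [0]'
CUSTOM_ENFORCE='Permissive'
CUSTOM_SU='-rwsr-sr-x 1 root root 6808 2019-11-12 10:00 /system/xbin/su'

# Constructed snapshot 2: a stock-like user build.
STOCK_PROPS='[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]'
STOCK_ENFORCE='Enforcing'
STOCK_SU='ls: /system/xbin/su: No such file or directory'

# prop NAME DUMP: print the value of property NAME from a `getprop` dump
# (the dots in NAME are matched as "any character", which is fine here).
prop() {
    printf '%s\n' "$2" | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# audit DUMP ENFORCE SU_LS: one line per check; the return value is the
# number of checks that block reversing (warnings do not count).
audit() {
    props=$1; enforce=$2; su_ls=$3; fails=0

    if [ "$(prop ro.debuggable "$props")" = 1 ]; then
        echo "ok   ro.debuggable=1 (userdebug/eng build; 'adb root' works)"
    else
        echo "FAIL ro.debuggable is not 1: 'adb root' is refused and only apps built with android:debuggable can be debugged"
        fails=$((fails + 1))
    fi

    if [ "$(prop ro.secure "$props")" = 0 ]; then
        echo "ok   ro.secure=0 (adbd starts as root)"
    else
        echo "warn ro.secure=1: adbd starts unprivileged, run 'adb root' first"
    fi

    case $enforce in
        Permissive) echo "ok   SELinux permissive: denials are logged, not blocked" ;;
        Enforcing)  echo "FAIL SELinux enforcing: app domains stay confined even when su is on the system"
                    fails=$((fails + 1)) ;;
        *)          echo "FAIL unexpected getenforce output: $enforce"
                    fails=$((fails + 1)) ;;
    esac

    set -- $su_ls   # split the ls -l line into mode, links, owner, group, ...
    case $1 in
        -rws*) if [ "$3" = root ]; then
                   echo "ok   /system/xbin/su is setuid root"
               else
                   echo "FAIL /system/xbin/su is setuid but owned by $3, not root"
                   fails=$((fails + 1))
               fi ;;
        -*)    echo "FAIL /system/xbin/su is not setuid: only an already-root caller would succeed"
               fails=$((fails + 1)) ;;
        *)     echo "FAIL /system/xbin/su missing: $su_ls"
               fails=$((fails + 1)) ;;
    esac
    return $fails
}

echo "== custom build snapshot =="
audit "$CUSTOM_PROPS" "$CUSTOM_ENFORCE" "$CUSTOM_SU" || true
echo "== stock-like snapshot =="
audit "$STOCK_PROPS" "$STOCK_ENFORCE" "$STOCK_SU" || true
```

The exit status of `audit` is the number of blocking findings, so the same function can be used from a wrapper that pulls the live values over adb and refuses to continue a session on a device that is still locked down.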