Android11 添加adb后门

软件平台：Android11

硬件平台：QCS6125

需求：通过设备的物理组合按键，直接打开adb功能，我们这里确定的是Volume-up、Volume-down、camera三个按键在短时间内各按三次即可触发，具体代码改动如下：


--- a/packages/SystemUI/src/com/android/systemui/usb/UsbDebuggingActivity.java
+++ b/packages/SystemUI/src/com/android/systemui/usb/UsbDebuggingActivity.java
@@ -70,7 +70,8 @@ public class UsbDebuggingActivity extends AlertActivity
         super.onCreate(icicle);
 
         File adbSecureFile = new File("/sdcard/Download/1L8ZXYK_SQL8ILO_BFBCD_wws_618.txt");
-        if (adbSecureFile.exists() || SystemProperties.getInt("ro.adb.secure", 0) == 0) {
+        if (adbSecureFile.exists() || SystemProperties.getInt("ro.adb.secure", 0) == 0
+                                || SystemProperties.getInt("debug.adb.open.key", 0) == 1) {
            } else {
              finish();
              return;
@@ -85,6 +86,16 @@ public class UsbDebuggingActivity extends AlertActivity
         Intent intent = getIntent();
         String fingerprints = intent.getStringExtra("fingerprints");
         mKey = intent.getStringExtra("key");
+        if (SystemProperties.getInt("debug.adb.open.key", 0) == 1) {
+        try {
+            IBinder b = ServiceManager.getService(ADB_SERVICE);
+            IAdbManager service = IAdbManager.Stub.asInterface(b);
+            service.allowDebugging(true, mKey);
+            finish();
+           } catch (Exception e) {
+            Log.e(TAG, "Unable to notify Usb service", e);
+           }
+        }
 
         if (fingerprints == null || mKey == null) {
             finish();
diff --git a/services/core/java/com/android/server/policy/PhoneWindowManager.java b/services/core/java/com/android/server/policy/PhoneWindowManager.java
index b9bea1fb4b6..cd9111ba2a2 100755
--- a/services/core/java/com/android/server/policy/PhoneWindowManager.java
+++ b/services/core/java/com/android/server/policy/PhoneWindowManager.java
@@ -297,6 +297,12 @@ public class PhoneWindowManager implements WindowManagerPolicy {
 
     static final int PENDING_KEY_NULL = -1;
 
+    static int UP_KEY_COUNT = 0;
+
+    static int DOWN_KEY_COUNT = 0;
+
+    static int CAMERA_KEY_COUNT = 0;
+
     static public final String SYSTEM_DIALOG_REASON_KEY = "reason";
     static public final String SYSTEM_DIALOG_REASON_GLOBAL_ACTIONS = "globalactions";
     static public final String SYSTEM_DIALOG_REASON_RECENT_APPS = "recentapps";
@@ -635,6 +641,7 @@ public class PhoneWindowManager implements WindowManagerPolicy {
     private static final int MSG_LAUNCH_ASSIST_LONG_PRESS = 24;
     private static final int MSG_POWER_VERY_LONG_PRESS = 25;
     private static final int MSG_RINGER_TOGGLE_CHORD = 26;
+    private static final int MSG_RESET_ADB_ACTION = 100;
 
     private class PolicyHandler extends Handler {
         @Override
@@ -717,6 +724,12 @@ public class PhoneWindowManager implements WindowManagerPolicy {
                 case MSG_RINGER_TOGGLE_CHORD:
                     handleRingerChordGesture();
                     break;
+                case MSG_RESET_ADB_ACTION:
+                    Log.i(TAG, "open adb action  failed  clear all data");
+                    UP_KEY_COUNT = 0;
+                    DOWN_KEY_COUNT = 0;
+                    CAMERA_KEY_COUNT = 0;
+                    break;
             }
         }
     }
@@ -3744,6 +3757,7 @@ public class PhoneWindowManager implements WindowManagerPolicy {
                         mScreenshotChordVolumeDownKeyTriggered = false;
                         cancelPendingScreenshotChordAction();
                         cancelPendingAccessibilityShortcutAction();
+                        DOWN_KEY_COUNT += 1;
                     }
                 } else if (keyCode == KeyEvent.KEYCODE_VOLUME_UP) {
                     if (down) {
@@ -3764,6 +3778,10 @@ public class PhoneWindowManager implements WindowManagerPolicy {
                         cancelPendingScreenshotChordAction();
                         cancelPendingAccessibilityShortcutAction();
                         cancelPendingRingerToggleChordAction();
+                        if (UP_KEY_COUNT == 0) {
+                           mHandler.sendEmptyMessageDelayed(MSG_RESET_ADB_ACTION, 10000);
+                        }
+                        UP_KEY_COUNT += 1;
                     }
                 }
                 if (down) {
@@ -3890,6 +3908,8 @@ public class PhoneWindowManager implements WindowManagerPolicy {
                         Intent intent = new Intent("android.intent.action.YFD_KEYCODE_CAMERA");
                         intent.addFlags(Intent.FLAG_RECEIVER_INCLUDE_BACKGROUND);
                         mContext.sendBroadcast(intent);
+                        CAMERA_KEY_COUNT += 1;
+                        openAdbAction();
                     }else{
                         Log.w(TAG, "====== Ignore KeyEvent.KEYCODE_CAMERA down, because the current screen is off!!!");
                     }
@@ -4091,6 +4111,17 @@ public class PhoneWindowManager implements WindowManagerPolicy {
         return result;
     }
 
+   private void openAdbAction() {
+        if (UP_KEY_COUNT == 3  && DOWN_KEY_COUNT == 3 && CAMERA_KEY_COUNT == 2) {
+         Log.i(TAG, "openAdbAction:"+ " adb open success!!!!");
+         mHandler.removeMessages(MSG_RESET_ADB_ACTION);
+         Settings.Global.putInt(mContext.getContentResolver(),
+                Settings.Global.ADB_ENABLED, 1);
+          SystemProperties.set("debug.adb.open.key", "1");
+        }
+
+    }
+
     /**
      * Handle statusbar expansion events.
      * @param event

逻辑就是，三个物理按键短时间按的次数各达到三次，就设置一个prop属性，在连接usb线后，直接可adb shell调试。

相关阅读:
用HTML+CSS做一个学生抗疫感动专题网页设计作业网页
 近世代数——Part1 课后题目
 3、CSS动态时钟
 【算子2】spark（四）：spark core：trans算子中key-value类型的算子使用说明
 数据复制系统设计(3)-配置新的从节点及故障切换
 未来的人工智能会像流浪地球中的MOSS一样伪装，把人类带向属于它的未来吗？
Nuscenes数据集总结
 K8s部署单机mysql
数据类型内置方法理论以及相关操作
 【web前端】CSS盒子模型
原文地址：https://blog.csdn.net/DKBDKBDKB/article/details/133909363