mirror of
https://github.com/topjohnwu/Magisk.git
synced 2024-12-11 18:54:30 +00:00
68442f38ac
- actions: Update all actions/checkout references to v4 - magiskboot: Add missing new line to dtb help message - docs: Update documents, fix some errors and remove outdated info
325 lines
14 KiB
Markdown
325 lines
14 KiB
Markdown
# Magisk Tools
|
|
|
|
Magisk comes with a huge collections of tools for installation, daemons, and utilities for developers. This documentation covers the 4 binaries and all included applets. The binaries and applets are shown below:
|
|
|
|
```
|
|
magiskboot /* binary */
|
|
magiskinit /* binary */
|
|
magiskpolicy /* binary */
|
|
supolicy -> magiskpolicy
|
|
magisk /* binary */
|
|
resetprop -> magisk
|
|
su -> magisk
|
|
```
|
|
|
|
### magiskboot
|
|
|
|
A tool to unpack / repack boot images, parse / patch / extract cpio, patch dtb, hex patch binaries, and compress / decompress files with multiple algorithms.
|
|
|
|
`magiskboot` natively supports (which means it does not rely on external tools) common compression formats including `gzip`, `lz4`, `lz4_legacy` , `lz4_lg` ([the LG edition](https://events.static.linuxfound.org/sites/events/files/lcjpcojp13_klee.pdf) of `lz4_legacy`, only used on LG), `lzma`, `xz`, and `bzip2`.
|
|
|
|
The concept of `magiskboot` is to make boot image modification simpler. For unpacking, it parses the header and extracts all sections in the image, decompressing on-the-fly if compression is detected in any sections. For repacking, the original boot image is required so the original headers can be used, changing only the necessary entries such as section sizes and checksum. All sections will be compressed back to the original format if required. The tool also supports many CPIO and DTB operations.
|
|
|
|
```
|
|
Usage: ./magiskboot <action> [args...]
|
|
|
|
Supported actions:
|
|
unpack [-n] [-h] <bootimg>
|
|
Unpack <bootimg> to its individual components, each component to
|
|
a file with its corresponding file name in the current directory.
|
|
Supported components: kernel, kernel_dtb, ramdisk.cpio, second,
|
|
dtb, extra, and recovery_dtbo.
|
|
By default, each component will be automatically decompressed
|
|
on-the-fly before writing to the output file.
|
|
If '-n' is provided, all decompression operations will be skipped;
|
|
each component will remain untouched, dumped in its original format.
|
|
If '-h' is provided, the boot image header information will be
|
|
dumped to the file 'header', which can be used to modify header
|
|
configurations during repacking.
|
|
Return values:
|
|
0:valid 1:error 2:chromeos
|
|
|
|
repack [-n] <origbootimg> [outbootimg]
|
|
Repack boot image components using files from the current directory
|
|
to [outbootimg], or 'new-boot.img' if not specified.
|
|
<origbootimg> is the original boot image used to unpack the components.
|
|
By default, each component will be automatically compressed using its
|
|
corresponding format detected in <origbootimg>. If a component file
|
|
in the current directory is already compressed, then no addition
|
|
compression will be performed for that specific component.
|
|
If '-n' is provided, all compression operations will be skipped.
|
|
If env variable PATCHVBMETAFLAG is set to true, all disable flags in
|
|
the boot image's vbmeta header will be set.
|
|
|
|
verify <bootimg> [x509.pem]
|
|
Check whether the boot image is signed with AVB 1.0 signature.
|
|
Optionally provide a certificate to verify whether the image is
|
|
signed by the public key certificate.
|
|
Return value:
|
|
0:valid 1:error
|
|
|
|
sign <bootimg> [name] [x509.pem pk8]
|
|
Sign <bootimg> with AVB 1.0 signature.
|
|
Optionally provide the name of the image (default: '/boot').
|
|
Optionally provide the certificate/private key pair for signing.
|
|
If the certificate/private key pair is not provided, the AOSP
|
|
verity key bundled in the executable will be used.
|
|
|
|
extract <payload.bin> [partition] [outfile]
|
|
Extract [partition] from <payload.bin> to [outfile].
|
|
If [outfile] is not specified, then output to '[partition].img'.
|
|
If [partition] is not specified, then attempt to extract either
|
|
'init_boot' or 'boot'. Which partition was chosen can be determined
|
|
by whichever 'init_boot.img' or 'boot.img' exists.
|
|
<payload.bin> can be '-' to be STDIN.
|
|
|
|
hexpatch <file> <hexpattern1> <hexpattern2>
|
|
Search <hexpattern1> in <file>, and replace it with <hexpattern2>
|
|
|
|
cpio <incpio> [commands...]
|
|
Do cpio commands to <incpio> (modifications are done in-place)
|
|
Each command is a single argument, add quotes for each command.
|
|
Supported commands:
|
|
exists ENTRY
|
|
Return 0 if ENTRY exists, else return 1
|
|
rm [-r] ENTRY
|
|
Remove ENTRY, specify [-r] to remove recursively
|
|
mkdir MODE ENTRY
|
|
Create directory ENTRY in permissions MODE
|
|
ln TARGET ENTRY
|
|
Create a symlink to TARGET with the name ENTRY
|
|
mv SOURCE DEST
|
|
Move SOURCE to DEST
|
|
add MODE ENTRY INFILE
|
|
Add INFILE as ENTRY in permissions MODE; replaces ENTRY if exists
|
|
extract [ENTRY OUT]
|
|
Extract ENTRY to OUT, or extract all entries to current directory
|
|
test
|
|
Test the cpio's status
|
|
Return value is 0 or bitwise or-ed of following values:
|
|
0x1:Magisk 0x2:unsupported 0x4:Sony
|
|
patch
|
|
Apply ramdisk patches
|
|
Configure with env variables: KEEPVERITY KEEPFORCEENCRYPT
|
|
backup ORIG
|
|
Create ramdisk backups from ORIG
|
|
restore
|
|
Restore ramdisk from ramdisk backup stored within incpio
|
|
|
|
dtb <file> <action> [args...]
|
|
Do dtb related actions to <file>
|
|
Supported actions:
|
|
print [-f]
|
|
Print all contents of dtb for debugging
|
|
Specify [-f] to only print fstab nodes
|
|
patch
|
|
Search for fstab and remove verity/avb
|
|
Modifications are done directly to the file in-place
|
|
Configure with env variables: KEEPVERITY
|
|
test
|
|
Test the fstab's status
|
|
Return values:
|
|
0:valid 1:error
|
|
|
|
split <file>
|
|
Split image.*-dtb into kernel + kernel_dtb
|
|
|
|
sha1 <file>
|
|
Print the SHA1 checksum for <file>
|
|
|
|
cleanup
|
|
Cleanup the current working directory
|
|
|
|
compress[=format] <infile> [outfile]
|
|
Compress <infile> with [format] to [outfile].
|
|
<infile>/[outfile] can be '-' to be STDIN/STDOUT.
|
|
If [format] is not specified, then gzip will be used.
|
|
If [outfile] is not specified, then <infile> will be replaced
|
|
with another file suffixed with a matching file extension.
|
|
Supported formats: gzip zopfli xz lzma bzip2 lz4 lz4_legacy lz4_lg
|
|
|
|
decompress <infile> [outfile]
|
|
Detect format and decompress <infile> to [outfile].
|
|
<infile>/[outfile] can be '-' to be STDIN/STDOUT.
|
|
If [outfile] is not specified, then <infile> will be replaced
|
|
with another file removing its archive format file extension.
|
|
Supported formats: gzip zopfli xz lzma bzip2 lz4 lz4_legacy lz4_lg
|
|
```
|
|
|
|
### magiskinit
|
|
|
|
This binary will replace `init` in the ramdisk of a Magisk patched boot image. It is originally created for supporting devices using system-as-root, but the tool is extended to support all devices and became a crucial part of Magisk. More details can be found in the **Pre-Init** section in [Magisk Booting Process](details.md#magisk-booting-process).
|
|
|
|
### magiskpolicy
|
|
|
|
(This tool is aliased to `supolicy` for compatibility with SuperSU's sepolicy tool)
|
|
|
|
This tool could be used for advanced developers to modify SELinux policies. In common scenarios like Linux server admins, they would directly modify the SELinux policy sources (`*.te`) and recompile the `sepolicy` binary, but here on Android we directly patch the binary file (or runtime policies).
|
|
|
|
All processes spawned from the Magisk daemon, including root shells and all its forks, are running in the context `u:r:magisk:s0`. The rule used on all Magisk installed systems can be viewed as stock `sepolicy` with these patches: `magiskpolicy --magisk 'allow magisk * * *'`.
|
|
|
|
```
|
|
Usage: ./magiskpolicy [--options...] [policy statements...]
|
|
|
|
Options:
|
|
--help show help message for policy statements
|
|
--load FILE load monolithic sepolicy from FILE
|
|
--load-split load from precompiled sepolicy or compile
|
|
split cil policies
|
|
--compile-split compile split cil policies
|
|
--save FILE dump monolithic sepolicy to FILE
|
|
--live immediately load sepolicy into the kernel
|
|
--magisk apply built-in Magisk sepolicy rules
|
|
--apply FILE apply rules from FILE, read and parsed
|
|
line by line as policy statements
|
|
(multiple --apply are allowed)
|
|
|
|
If neither --load, --load-split, nor --compile-split is specified,
|
|
it will load from current live policies (/sys/fs/selinux/policy)
|
|
|
|
One policy statement should be treated as one parameter;
|
|
this means each policy statement should be enclosed in quotes.
|
|
Multiple policy statements can be provided in a single command.
|
|
|
|
Statements has a format of "<rule_name> [args...]".
|
|
Arguments labeled with (^) can accept one or more entries. Multiple
|
|
entries consist of a space separated list enclosed in braces ({}).
|
|
Arguments labeled with (*) are the same as (^), but additionally
|
|
support the match-all operator (*).
|
|
|
|
Example: "allow { s1 s2 } { t1 t2 } class *"
|
|
Will be expanded to:
|
|
|
|
allow s1 t1 class { all-permissions-of-class }
|
|
allow s1 t2 class { all-permissions-of-class }
|
|
allow s2 t1 class { all-permissions-of-class }
|
|
allow s2 t2 class { all-permissions-of-class }
|
|
|
|
Supported policy statements:
|
|
|
|
"allow *source_type *target_type *class *perm_set"
|
|
"deny *source_type *target_type *class *perm_set"
|
|
"auditallow *source_type *target_type *class *perm_set"
|
|
"dontaudit *source_type *target_type *class *perm_set"
|
|
|
|
"allowxperm *source_type *target_type *class operation xperm_set"
|
|
"auditallowxperm *source_type *target_type *class operation xperm_set"
|
|
"dontauditxperm *source_type *target_type *class operation xperm_set"
|
|
- The only supported operation is 'ioctl'
|
|
- xperm_set format is either 'low-high', 'value', or '*'.
|
|
'*' will be treated as '0x0000-0xFFFF'.
|
|
All values should be written in hexadecimal.
|
|
|
|
"permissive ^type"
|
|
"enforce ^type"
|
|
|
|
"typeattribute ^type ^attribute"
|
|
|
|
"type type_name ^(attribute)"
|
|
- Argument 'attribute' is optional, default to 'domain'
|
|
|
|
"attribute attribute_name"
|
|
|
|
"type_transition source_type target_type class default_type (object_name)"
|
|
- Argument 'object_name' is optional
|
|
|
|
"type_change source_type target_type class default_type"
|
|
"type_member source_type target_type class default_type"
|
|
|
|
"genfscon fs_name partial_path fs_context"
|
|
```
|
|
|
|
### magisk
|
|
|
|
When the magisk binary is called with the name `magisk`, it works as a utility tool with many helper functions and the entry points for several Magisk services.
|
|
|
|
```
|
|
Usage: magisk [applet [arguments]...]
|
|
or: magisk [options]...
|
|
|
|
Options:
|
|
-c print current binary version
|
|
-v print running daemon version
|
|
-V print running daemon version code
|
|
--list list all available applets
|
|
--remove-modules [-n] remove all modules, reboot if -n is not provided
|
|
--install-module ZIP install a module zip file
|
|
|
|
Advanced Options (Internal APIs):
|
|
--daemon manually start magisk daemon
|
|
--stop remove all magisk changes and stop daemon
|
|
--[init trigger] callback on init triggers. Valid triggers:
|
|
post-fs-data, service, boot-complete, zygote-restart
|
|
--unlock-blocks set BLKROSET flag to OFF for all block devices
|
|
--restorecon restore selinux context on Magisk files
|
|
--clone-attr SRC DEST clone permission, owner, and selinux context
|
|
--clone SRC DEST clone SRC to DEST
|
|
--sqlite SQL exec SQL commands to Magisk database
|
|
--path print Magisk tmpfs mount path
|
|
--denylist ARGS denylist config CLI
|
|
--preinit-device resolve a device to store preinit files
|
|
|
|
Available applets:
|
|
su, resetprop
|
|
|
|
Usage: magisk --denylist [action [arguments...] ]
|
|
Actions:
|
|
status Return the enforcement status
|
|
enable Enable denylist enforcement
|
|
disable Disable denylist enforcement
|
|
add PKG [PROC] Add a new target to the denylist
|
|
rm PKG [PROC] Remove target(s) from the denylist
|
|
ls Print the current denylist
|
|
exec CMDs... Execute commands in isolated mount
|
|
namespace and do all unmounts
|
|
```
|
|
|
|
### su
|
|
|
|
An applet of `magisk`, the MagiskSU entry point. Good old `su` command.
|
|
|
|
```
|
|
Usage: su [options] [-] [user [argument...]]
|
|
|
|
Options:
|
|
-c, --command COMMAND Pass COMMAND to the invoked shell
|
|
-g, --group GROUP Specify the primary group
|
|
-G, --supp-group GROUP Specify a supplementary group.
|
|
The first specified supplementary group is also used
|
|
as a primary group if the option -g is not specified.
|
|
-Z, --context CONTEXT Change SELinux context
|
|
-t, --target PID PID to take mount namespace from
|
|
-h, --help Display this help message and exit
|
|
-, -l, --login Pretend the shell to be a login shell
|
|
-m, -p,
|
|
--preserve-environment Preserve the entire environment
|
|
-s, --shell SHELL Use SHELL instead of the default /system/bin/sh
|
|
-v, --version Display version number and exit
|
|
-V Display version code and exit
|
|
-mm, -M,
|
|
--mount-master Force run in the global mount namespace
|
|
```
|
|
|
|
### resetprop
|
|
|
|
An applet of `magisk`. An advanced system property manipulation utility. Check the [Resetprop Details](details.md#resetprop) for more background information.
|
|
|
|
```
|
|
Usage: resetprop [flags] [options...]
|
|
|
|
Options:
|
|
-h, --help show this message
|
|
(no arguments) print all properties
|
|
NAME get property
|
|
NAME VALUE set property entry NAME with VALUE
|
|
--file FILE load props from FILE
|
|
--delete NAME delete property
|
|
|
|
Flags:
|
|
-v print verbose output to stderr
|
|
-n set props without going through property_service
|
|
(this flag only affects setprop)
|
|
-p read/write props from/to persistent storage
|
|
(this flag only affects getprop and delprop)
|
|
```
|