1 原理说明

User版本默认是没有root权限和remount功能的，一般该方法用于调试性能相关问题。如果使用debug版本对照，差异过大，因此就有了这样的需求。

修改的核心原理就是调整adbd及相关属性中的一些判定，即user和debug版本的区别点入手。另外就是user版本中本身是没有remount的，需要单独添加才行。同时也需要修改should_drop_privileges的返回值以防止降低adbd进程的权限等限制。

2 修改方案（Android S）

2.1 在packages/modules下的修改

在packages/modules/adb/Android.bp文件中修改：

//...
cc_binary {name: "adbd",defaults: ["adbd_defaults", "host_adbd_supported", "libadbd_binary_dependencies"],recovery_available: true,apex_available: ["com.android.adbd"],srcs: ["daemon/main.cpp",],cflags: ["-D_GNU_SOURCE","-Wno-deprecated-declarations",],strip: {keep_symbols: true,},static_libs: ["libadbd","libadbd_services","libasyncio","libcap","liblz4","libminijail","libssl",],shared_libs: ["libadb_protos","libadbd_auth",],target: {recovery: {exclude_shared_libs: ["libadb_pairing_auth","libadb_pairing_connection",],}},
+    required: [
+        "libadbd_auth",
+        "libadbd_fs",
+        "remount",
+    ],
}
//...

在packages/modules/adb/daemon/main.cpp文件中修改：

//...
//should_drop_privileges直接返回false，目的是防止因此降低adbd进程的权限
static bool should_drop_privileges() {
+    return false;//...
}
//...
int adbd_main(int server_port) {umask(0);signal(SIGPIPE, SIG_IGN);#if defined(__BIONIC__)auto fdsan_level = android_fdsan_get_error_level();if (fdsan_level == ANDROID_FDSAN_ERROR_LEVEL_DISABLED) {android_fdsan_set_error_level(ANDROID_FDSAN_ERROR_LEVEL_WARN_ONCE);}
#endifinit_transport_registration();// We need to call this even if auth isn't enabled because the file// descriptor will always be open.adbd_cloexec_auth_socket();#if defined(__ANDROID__)// If we're on userdebug/eng or the device is unlocked, permit no-authentication.
-    bool device_unlocked = "orange" == android::base::GetProperty("ro.boot.verifiedbootstate", "");
+      bool device_unlocked = true;if (__android_log_is_debuggable() || device_unlocked) {
-      auth_required = android::base::GetBoolProperty("ro.adb.secure", false);
+      auth_required = false;}
#endif
//...

至此，package下的修改就结束了。接下来是system部分的修改。

2.2 system下的修改

在system/core/fs_mgr/Android.bp文件中修改：

//...
cc_defaults {name: "libfs_mgr_defaults",defaults: ["fs_mgr_defaults"],export_include_dirs: ["include"],include_dirs: ["system/vold"],cflags: ["-D_FILE_OFFSET_BITS=64",],srcs: ["blockdev.cpp","file_wait.cpp","fs_mgr.cpp","fs_mgr_format.cpp","fs_mgr_verity.cpp","fs_mgr_dm_linear.cpp","fs_mgr_overlayfs.cpp","fs_mgr_roots.cpp","fs_mgr_vendor_overlay.cpp",":libfiemap_srcs",],shared_libs: ["libbase","libcrypto","libcrypto_utils","libcutils","libext4_utils","libfec","liblog","liblp","libselinux",],static_libs: ["libavb","libfs_avb","libfstab","libdm","libgsi",],export_static_lib_headers: ["libfs_avb","libfstab","libdm",],export_shared_lib_headers: ["liblp",],whole_static_libs: ["liblogwrap","libdm","libext2_uuid","libfscrypt","libfstab",],cppflags: [
-        "-DALLOW_ADBD_DISABLE_VERITY=0",
+        "-UALLOW_ADBD_DISABLE_VERITY",
+        "-DALLOW_ADBD_DISABLE_VERITY=1",],
-    product_variables: {
-        debuggable: {
-            cppflags: [
-                "-UALLOW_ADBD_DISABLE_VERITY",
-                "-DALLOW_ADBD_DISABLE_VERITY=1",
-            ],
-        },
-    },header_libs: ["libfiemap_headers","libstorage_literals_headers",],export_header_lib_headers: ["libfiemap_headers",],required: ["e2freefrag","e2fsdroid",],
//...
cc_binary {name: "remount",defaults: ["fs_mgr_defaults"],static_libs: ["libavb_user","libgsid","libutils","libvold_binder",],shared_libs: ["libbootloader_message","libbase","libbinder","libcutils","libcrypto","libext4_utils","libfec","libfs_mgr_binder","liblog","liblp","libselinux",],header_libs: ["libcutils_headers",],srcs: ["fs_mgr_remount.cpp",],cppflags: [
-        "-DALLOW_ADBD_DISABLE_VERITY=0",
+       "-UALLOW_ADBD_DISABLE_VERITY",
+        "-DALLOW_ADBD_DISABLE_VERITY=1",],
-    product_variables: {
-        debuggable: {
-            cppflags: [
-                "-UALLOW_ADBD_DISABLE_VERITY",
-                "-DALLOW_ADBD_DISABLE_VERITY=1",
-            ],
-        },
-    },required: ["clean_scratch_files",],
}
//...

这里-DALLOW_ADBD_DISABLE_VERITY=1的含义是允许adbd进程关闭Verity检查。

在system/core/fs_mgr/fs_mgr_remount.cpp文件中修改：

//...
static int do_remount(int argc, char* argv[]) {RemountStatus retval = REMOUNT_SUCCESS;// If somehow this executable is delivered on a "user" build, it can// not function, so providing a clear message to the caller rather than// letting if fall through and provide a lot of confusing failure messages.
-    if (!ALLOW_ADBD_DISABLE_VERITY || (android::base::GetProperty("ro.debuggable", "0") != "1")) {
+    if (!ALLOW_ADBD_DISABLE_VERITY) {LOG(ERROR) << "only functions on userdebug or eng builds";return NOT_USERDEBUG;}const char* fstab_file = nullptr;auto can_reboot = false;//...
}
//...

在core/init/property_service.cpp文件中修改：

//...static void update_sys_usb_config() {
-    bool is_debuggable = android::base::GetBoolProperty("ro.debuggable", false);
+    bool is_debuggable = true;std::string config = android::base::GetProperty("persist.sys.usb.config", "");// b/150130503, add (config == "none") condition here to prevent appending// ",adb" if "none" is explicitly defined in default prop.//...
}

在system/core/set-verity-state/set-verity-state.cpp文件中修改：

static bool overlayfs_setup(bool enable) {auto change = false;
+#if 0errno = 0;if (enable ? fs_mgr_overlayfs_teardown(nullptr, &change): fs_mgr_overlayfs_setup(nullptr, nullptr, &change)) {if (change) {printf("%s overlayfs\n", enable ? "disabling" : "using");}} else if (errno) {printf("Overlayfs %s failed with error %s\n", enable ? "teardown" : "setup", strerror(errno));suggest_run_adb_root();}
+#endif
+  printf("overlayfs_setup(%d)",enable); //fix build errorreturn change;
}

至此，system部分的修改也结束了。