• 1.修改Android设备型号 修改点:关于设备->型号 2.修改内核版本

    1.修改Android设备型号

    关于设备->型号




    2.修改内核版本





    展开全文
  • 修改Android内核配置

    2017-08-14 10:40:30
    源码编译完成后,如果需要修改内核配置,可参考如下方法 先配置 make menuconfig 后保存 make kernel-savedefconfig 具体定义kernel/Android.mk kernel-savedefconfig: $(TARGET_KERNEL_CONFIG)  cp $(TARGET_...
           源码编译完成后,如果需要修改内核配置,可参考如下方法
    先配置
    make kernel-menuconfig
    后保存
    make kernel-savedefconfig

    具体定义kernel/Android.mk
    kernel-savedefconfig: $(TARGET_KERNEL_CONFIG)
            cp $(TARGET_KERNEL_CONFIG) $(KERNEL_CONFIG_FILE)
    kernel-menuconfig:
            $(hide) mkdir -p $(KERNEL_OUT)
            $(MAKE) -C $(KERNEL_DIR) $(KERNEL_MAKE_OPTION) menuconfig
    一般cpu的内核配置文件是
    kernel/arch/xxxx/configs/xxx_defconfig
    编译生成后的配置文件
    out/target/product/xxxxx/obj/KERNEL_OBJ/.config
    对比两份文件有较大的差异,原来还有一部分配置来自Kconfig文件,
    内核会将Kconfig文件的配置加上上去,如config USELIB,配置成CONFIG_USELIB。
    所以看代码的时候,看某个CONFIG_XXX_XXXX的值,要看最终的配置文件out/target/product/xxxxx/obj/KERNEL_OBJ/.config

    在Andoird7.0上,使用make menuconfig会一直卡死,要先在终端敲入export USE_NINJA=false,然后再make menuconfig
    展开全文
  • 0x1.手机设备环境 Model number: Nexus 5 OS Version: Android 4.4.4 KTU84P ...0x2.Android内核提取 查找Android设备的boot分区文件。高通芯片的设备可以通过下面的命令进行查找。 cd /home/androidcode/AndroidDevlop

    本文博客链接:http://blog.csdn.net/qq1084283172/article/details/57086486


    0x1.手机设备环境

    Model number: Nexus 5
    OS Version: Android 4.4.4 KTU84P
    Kernel Version: 3.4.0-gd59db4e



    0x2.Android内核提取

    查找Android设备的boot分区文件。高通芯片的设备可以通过下面的命令进行查找。

    cd /home/androidcode/AndroidDevlop/modifyNexus5Boot
    
    adb shell
    
    ls -al /dev/block/platform/msm_sdcc.1/by-name



    root权限下,用 dd 将其dump到Nexus 5手机的sdcard文件夹下,然后导出到文件 /home/androidcode/AndroidDevlop/modifyNexus5Boot 下:

    adb shell
    su
    
    dd if=/dev/block/mmcblk0p19 of=/sdcard/boot.img
    
    exit
    exit
    
    adb pull /sdcard/boot.img boot.img




    使用abootimg工具对boot.img文件进行解包处理,解包之后得到的 zImage 文件即为Android的内核文件。

    abootimg工具的github地址:https://github.com/ggrandou/abootimg
    abootimg工具的直接安装命令:sudo apt-get install build-essential abootimg  

    abootimg -x boot.img  
      
    ls -al  




    将zImage文件拷贝一份作为文件名为 kernel.gz 的文件,并使用 WinHex 工具查找十六进制 1F 8B 08 00,找到之后把前面的数据部分全删掉,使kernel.gz文件变成标准的gzip压缩文件,这样子就可以使用  gunzip/gzip 命令进行解压内核文件了。

    cp ./zImage  ./kernel.gz
    
    # 去掉解包的内核文件kernel.gz中前面的垃圾数据
    
    gzip -d kernel_new.gz
    
    ls -al

    使用WinHex查找十六进制数据:



    删除掉解包的内核文件kernel.gz中的前面的垃圾数据,然后重新保存修改后的 kernel.gz文件为 kernel_new.gz.



    修改后的gzip格式的 kernel_new.gz 文件的解压得到kernel_new内核文件



    提示:关于gzip格式文件的解压,既可以使用 gzip 命令也可以使用 gunzip 命令,都一样。有关 gzip/gunzip 命令的参数使用说明,如下:

    $ gzip -h
    Usage: gzip [OPTION]... [FILE]...
    Compress or uncompress FILEs (by default, compress FILES in-place).
    
    Mandatory arguments to long options are mandatory for short options too.
    
      -c, --stdout      write on standard output, keep original files unchanged
      -d, --decompress  decompress
      -f, --force       force overwrite of output file and compress links
      -h, --help        give this help
      -k, --keep        keep (don't delete) input files
      -l, --list        list compressed file contents
      -L, --license     display software license
      -n, --no-name     do not save or restore the original name and time stamp
      -N, --name        save or restore the original name and time stamp
      -q, --quiet       suppress all warnings
      -r, --recursive   operate recursively on directories
      -S, --suffix=SUF  use suffix SUF on compressed files
      -t, --test        test compressed file integrity
      -v, --verbose     verbose mode
      -V, --version     display version number
      -1, --fast        compress faster
      -9, --best        compress better
      --rsyncable       Make rsync-friendly archive
    
    With no FILE, or when FILE is -, read standard input.
    
    Report bugs to <bug-gzip@gnu.org>.



    关于gzip文件格式的说明和源码的解析可以参考 gzip文件格式解析及源代码分析,进行深入的研究和学习。




    0x3.Android内核文件的逆向修改

    将解压后的Android内核文件 kernel_new  拖入到IDA Pro 中进行分析,设置处理器类型为ARM Little-endian



     在 ROM start addressLoading address 处填上 0xc0008000,然后点击 OK 。



    IDA显示效果如下图所示,没有函数名,不方便定位代码,显示不友好需要添加Android内核的内核符号。



    为了要获取Android内核中所有的内核符号信息,可以通过在root权限下,修改Andriod设备中的/proc/sys/kernel/kptr_restrict 的值来实现,去掉Android内核符号的信息屏蔽。

    adb shell  
    su  
      
    # 查看默认值  
    cat /proc/sys/kernel/kptr_restrict  
      
    # 关闭内核符号屏蔽  
    echo 0 > /proc/sys/kernel/kptr_restrict   
      
    # 查看修改后的值  
    cat /proc/sys/kernel/kptr_restrict  
      
    cat /proc/kallsyms 


    关闭Android设备的内核符号的屏蔽以后,再次执行 cat /proc/kallsyms ,发现被隐藏的内核符号信息都显示出来了。



    在root权限下,将Android设备中的内核符号信息dump出来,导出到 /home/androidcode/AndroidDevlop/modifyNexus5Boot/syms.txt文件中。因此,Android内核文件的内核符号信息都保存在syms.txt文件中了。

    # cat /proc/kallsyms > /sdcard/syms.txt  
      
    # exit  
    $ exit  
      
    $ adb pull /sdcard/syms.txt syms.txt  


    我们已经将Androd内核文件中的内核符号信息都dump出来,下面将大有用武之地。因此,向IDA中导入之前提取出来的内核符号信息就可以看到对应的函数名称了。需要用到下面的Python脚本:

    ksyms = open("C:\Users\Fly2016\Desktop\Android内核的提取和逆向\syms.txt")  
    for line in ksyms:  
        addr = int(line[0:8],16)  
        name = line[11:]  
        idaapi.set_debug_name(addr,name)  
        MakeNameEx(addr,name,SN_NOWARN)  
        Message("%08X:%sn"%(addr,name))  


    在IDA的 File->Script Command中运行上述python脚本,之后就可以在IDA中成功添加内核符号信息使IDA显示出正确的系统调用的函数名称来。



    Android内核中隐藏的系统函数调用的名称在IDA中显示出来了。



    现在来聊一聊修改Android的内核文件绕过反调试,很多的Android加固都会通过查看当前进程的 /proc/pid/status 的状态信息,来进行判断当前进程是否被调试的依据。如果当前进程被调试器所调试,那么cat /proc/self/status 显示的状态如下图所示,比较常见的Android反调试也就是通过 TracerPid 的值在调试状态和非调试状态的不同且非调试状态该值为0而调试状态为非0,来判断是否被调试器所调试。



    这里修改Android内核绕过反调试也就只是考虑  TracerPid 的值不同的这种情况,真真的也过掉这些检测的反调试还是需要从具体的Android加固的检测逻辑代码入手,没准现在有些Android加固还会检测State的值的不同呢!修改Android内核绕过Android加固的反调试,其实还是要依赖具体的开源的Android内核代码来进行对照着分析,否则根本不知道哪个地方是 /proc/pid/status 的值根据调试状态改变的代码位置,因此这里通过修改Android内核文件绕过反调试还是基于Android内核源码文件 /kernel/msm/fs/proc/array.c 中 的代码实现进行对照着修改的。

    /kernel/msm/fs/proc/array.c文件中,检测调试修改TracerPid的值的Android内核源码:

    /*
     * The task state array is a strange "bitmap" of
     * reasons to sleep. Thus "running" is zero, and
     * you can test for combinations of others with
     * simple bit tests.
     */
    static const char * const task_state_array[] = {
    	"R (running)",		/*   0 */
    	"S (sleeping)",		/*   1 */
    	"D (disk sleep)",	/*   2 */
    	"T (stopped)",		/*   4 */
    	"t (tracing stop)",	/*   8 */
    	"Z (zombie)",		/*  16 */
    	"X (dead)",		/*  32 */
    	"x (dead)",		/*  64 */
    	"K (wakekill)",		/* 128 */
    	"W (waking)",		/* 256 */
    };
    
    static inline const char *get_task_state(struct task_struct *tsk)
    {
    	unsigned int state = (tsk->state & TASK_REPORT) | tsk->exit_state;
    	const char * const *p = &task_state_array[0];
    
    	BUILD_BUG_ON(1 + ilog2(TASK_STATE_MAX) != ARRAY_SIZE(task_state_array));
    
    	while (state) {
    		p++;
    		state >>= 1;
    	}
    	return *p;
    }
    
    static inline void task_state(struct seq_file *m, struct pid_namespace *ns,
    				struct pid *pid, struct task_struct *p)
    {
    	struct group_info *group_info;
    	int g;
    	struct fdtable *fdt = NULL;
    	const struct cred *cred;
    	pid_t ppid, tpid;
    
    	rcu_read_lock();
    	ppid = pid_alive(p) ?
    		task_tgid_nr_ns(rcu_dereference(p->real_parent), ns) : 0;
    	tpid = 0;
    	if (pid_alive(p)) {
    		struct task_struct *tracer = ptrace_parent(p);
    		if (tracer)
    			// 逆向Android内核文件需要关注的地方
    			tpid = task_pid_nr_ns(tracer, ns);
    	}
    	cred = get_task_cred(p);
    	seq_printf(m,
    		"State:\t%s\n"
    		"Tgid:\t%d\n"
    		"Pid:\t%d\n"
    		"PPid:\t%d\n"
    		"TracerPid:\t%d\n"
    		"Uid:\t%d\t%d\t%d\t%d\n"
    		"Gid:\t%d\t%d\t%d\t%d\n",
    		get_task_state(p),
    		task_tgid_nr_ns(p, ns),
    		pid_nr_ns(pid, ns),
    		ppid, tpid,
    		cred->uid, cred->euid, cred->suid, cred->fsuid,
    		cred->gid, cred->egid, cred->sgid, cred->fsgid);
    
    	task_lock(p);
    	if (p->files)
    		fdt = files_fdtable(p->files);
    	seq_printf(m,
    		"FDSize:\t%d\n"
    		"Groups:\t",
    		fdt ? fdt->max_fds : 0);
    	rcu_read_unlock();
    
    	group_info = cred->group_info;
    	task_unlock(p);
    
    	for (g = 0; g < min(group_info->ngroups, NGROUPS_SMALL); g++)
    		seq_printf(m, "%d ", GROUP_AT(group_info, g));
    	put_cred(cred);
    
    	seq_putc(m, '\n');
    }


    因此,通过上面的Android内核源码的实现可以知道,如图所示的位置是我们应该修改的地方:



    通过对Android内核源码的研究知道了我们在Android内核文件中修改的地方,在IDA中通过字符串搜索 TracerPid 即查找上面提到的特征字符串组。



    在IDA中通过对特征字符串的引用功能可以定位到我们需要关注的代码的位置。



    通过IDA的F5功能分析Android内核根据检测调试状态修改TracerPid值的代码位置。



    通过IDA具体细致的看下,我们需要关注的代码位置处的ARM汇编指令。



    通过逆向分析代码的流程可以知道,只要 ROM:C02BA5C0 EC FE FF 0A   BEQ  Jmp_C02BA178  处改为直接跳转到地址C02BA178处执行,没有机会执行下面的代码既可以绕过反调试检测。通过IDA的二进制修改的功能,实现了ARM汇编代码的修改,修改后的代码如下图:



    Android内核文件kernel_new在修改前后的代码的对比结果示意图:





    0x4.将逆向修改的Android内核刷回Android设备

    对修改后的Android内核文件 kernel_new 进行gzip的压缩处理得到压缩文件 kernel_new.gz 

    # -n, --no-name     do not save or restore the original name and time stamp 
    # -f, --force       force overwrite of output file and compress links
    # -9, --best        compress better
    gzip -n -f -9 kernel_new



    使用WinHex工具将kernel_new.gz文件的二进制数据覆盖到原来的zImage文件的 1F 8B 08 00 处的位置开始到结束的地方(新的kernel_new.gz文件必须比原kernel_new.gz文件小,并且回写回去时不能改变原zImage文件的大小及修改原zImage文件中后面的内容,否则会很麻烦),这时得到了zImage文件。

    上面这句话,可能不太好理解,但是也很好理解,可以参考一下作者 lcweik 给出的理解的例子:



    通过WinHex工具查看kernel_new.gz文件的大小为 0x6AB190,zImage文件中 1F 8B 08 00 处的位置起始偏移为0x48B4,因此在zImage文件中kernel_new.gz文件的起始位置偏移为0x48B4,结束位置偏移为0x6AFA43。使用WinHex工具先将zImage文件中0x48B4~0x6AFA43处的数据删除,然后将kernel_new.gz文件中的数据全部拷贝到0x48B4~0x6AFA43的范围中,即zImage文件中偏移0x48B3后面的位置开始覆盖。



    使用abootimg打包工具,重新对解包的boot.img的文件进行打包处理。

    abootimg --create myboot.img -f bootimg.cfg -k zImage -r initrd.img


    将修改后重新打包的 myboot.img镜像 文件,更新到Android设备上。

    adb reboot bootloader
    fastboot flash boot myboot.img




    0x5.手机刷成砖的还原

    直接修改Android内核的二进制文件比较危险,很容易导致Android设备变砖的。如果不幸Android设备变砖了,只需要将前面的步骤中备份的原始boot.img镜像文件重新输入Android设备即可。

    adb reboot bootloader
    fastboot flash boot boot.img


    0x6.逆向修改Android内核的总结。

    这篇博文主要是参考:逆向修改手机内核,绕过反调试,原文的作者方法说的很详细,但是我的操作步骤有些地方和原作者的不同。

    1.找目标代码和目标函数的方法不同,原作者通过关闭Android设备中内核符号屏蔽然后拿到关键函数 proc_pid_status_proc_pid_status_(获取调试器进程的pid)的系统调用的地址,在IDA进行查找定位到需要逆向分析的关键代码的位置。



    2.在修改二进制代码绕过反调试的方法上,我和原作者修改的地方稍有一处不同,原作者的修改如下图。



    3.按照作者的操作步骤,修改Andorid内核成功绕过反调试耳朵检测,但是我按照自己改进后的操作,修改Android内核成功但是刷机重启直接变砖,哈哈。说实话,这么逆向修改Android内核绕过反调试只是提供一种思路吧,实际干活是吃力不讨好而且要真的绕过这种反调试的检测还需要修改其他的地方,而且其他的检测位置修改也不方便。这种open 情况下的反调试检测,其实手动patch内存过掉也是很简单的事情。



    0x7.关于ARM汇编BL指令的计算

    ARM汇编下BL类指令的修改以及偏移的计算具体可以参考:【求助】arm指令BL指令对应的机器码问题ARM中跳转指令BL/BLX偏移值计算规则 ,由于在前面的操作步骤中涉及到B类跳转指令的修改,特此提到一下。提醒两点:1.一定要善于利用IDA能够显示ARM指令机器码的特点,2.在内存中ARM指令的存放是按小尾端存放的。




    参考资料

    逆向修改手机内核,绕过反调试  <主要参考>

    提取Android内核的方法

    【求助】arm指令BL指令对应的机器码问题

    ARM中跳转指令BL/BLX偏移值计算规则


    展开全文
  • Android 内核修改使用到的设备: nexus 6,必须含有root权限。 刷内核须谨慎,请备份重要信息,尽量不要使用自己使用的手机进行测试一、克隆源代码:git clone https://android.googlesource.com/kernel/msmnexus...

    Android 内核修改

    使用到的设备: nexus 6,必须含有root权限。
    刷内核须谨慎,请备份重要信息,尽量不要使用自己使用的手机进行测试

    一、克隆源代码:

    git clone https://android.googlesource.com/kernel/msm
    

    nexus系列的内核源码可以在google的官方内核源码库克隆。

    二、根据自己机型checkout到合适的版本

    如nexus 6对应的型号是shamu,因此可以先查看仓库关于nexus 6的内核分支

    git branch -a | grep shamu
    

    得到结果是:

    remotes/origin/android-msm-shamu-3.10-lollipop-mr1
    remotes/origin/android-msm-shamu-3.10-lollipop-release
    remotes/origin/android-msm-shamu-3.10-m-preview
    remotes/origin/android-msm-shamu-3.10-marshmallow
    remotes/origin/android-msm-shamu-3.10-marshmallow-mr1
    remotes/origin/android-msm-shamu-3.10-marshmallow-mr1-r0.15
    remotes/origin/android-msm-shamu-3.10-marshmallow-mr2
    remotes/origin/android-msm-shamu-3.10-n-preview-1
    remotes/origin/android-msm-shamu-3.10-n-preview-2
    remotes/origin/android-msm-shamu-3.10-n-preview-3
    remotes/origin/android-msm-shamu-3.10-n-preview-4
    remotes/origin/android-msm-shamu-3.10-n-preview-5
    remotes/origin/android-msm-shamu-3.10-nougat-mr0.5
    remotes/origin/android-msm-shamu-3.10-nougat-mr1.2
    remotes/origin/android-msm-shamu-3.10-nougat-mr1.5
    remotes/origin/android-msm-shamu-3.10-nougat-mr1.6
    remotes/origin/android-msm-shamu-3.10-nougat-mr1.7

    根据android的版本,选择一个分支进行checkout,其中lollipop(5.0),marshmallow(6.0),nought(7.0),如:

    git checkout remotes/origin/android-msm-shamu-3.10-marshmallow
    

    checkout后会在当前目录下生成一个msm目录,该目录就是nexus 6的内核源码。

    三、编译器准备

    注意:编译内核前,需要查询清楚内核的位数,因为32位的内核和64位的内核使用一般是使用不同的配置以及编译工具。
    编译工具:交叉编译工具有很多博客有介绍到,这里不详细说,我这里使用到的32位交叉工具是arm-eabi-4.8(git仓库),以及64位交叉编译工具aarch64-linux-android(git仓库),安装完之后加入到系统环境变量中。

    四、编译内核

    进入内核源码所在目录(msm目录),配置在命令行设置编译环境

    # 32位设备,因为nexus 6是32位的设备,因此使用该配置
    $ export ARCH=arm
    $ export CROSS_COMPILE=arm-eabi-
    

    如果是64位设备,可以是

    # 64位设备,如nexus 6p
    $ export ARCH=arm64
    $ export CROSS_COMPILE=aarch64-linux-android-
    

    然后进行内核宏的配置,之后进行编译

    $ make shamu_defconfig # 加载内核配置
    $ make -j8             # 开始进行编译
    

    shamu_defconfig是nexus 6(shamu)默认的宏配置,请根据手机型号指定不同的defconfig,可以去arch/arm/configs,或者arch/arm64/configs,查看是否有包含自己手机型号的defconfig。如果需要对内核的宏进行定制,可以:

    $ make shamu_defconfig # 加载内核配置
    $ make menuconfig      # 根据需要定制内核的宏
    $ make -j8             # 开始进行编译
    

    最后生成的系统镜像文件Image.gz-dtb会保存在arch/arm/boot或者arch/arm64/boot中。

    五、内核移植

    安装mkboot工具:android的内核通过某种格式与分区表等信息打包在一起(boot.img),因此需要通过mkboot工具对内核进行解包和打包。我使用的mkboot工具,进行编译后得到了mkbootimg和unmkbootimg两个可执行文件。

    从目标手机获得手机boot.img文件:通过数据线连接手机,执行

    $ adb shell   #进入手机终端
    $ su          # 转换为超级用户
    cd /dev/block/platform/soc.0/f9824900.sdhci/by-name #中间路径也许不同,但最终是到by-name这个目录
    ls -l boot # 这个文件是一个符号连接,链接到/dev/block下的某个文件
    dd if=/dev/block/mmcblk0p34 of=/sdcard/boot.img #by-name目录下的boot即boot.img,但是它是一个符号链接,因此将符号连接的内容复制出来
    $ adb pull /sdcard/boot.img ~/resource
    

    将自己编译的内核放进boot.img:通过unmkbootimg解压boot.img

    unmkbootimg -i boot.img #输出信息中,有建议怎么去重新打包boot.img
    

    复制unmkbootimg提示的信息,然后将改信息中 --kernel 指定部分换为自己后编译后的内核文件Image.gz-dtb,-o指定新打包的内核名称,其余不需要修改,如:

    mkbootimg --base 0 --pagesize 4096 --kernel_offset 0x00008000 --ramdisk_offset 0x02000000 --second_offset 0x00f00000 --tags_offset 0x01e00000 --cmdline 'androidboot.hardware=angler androidboot.console=ttyHSL0 msm_rtb.filter=0x37 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 boot_cpus=0-3 no_console_suspend buildvariant=user' --kernel Image.gz-dtb --ramdisk ramdisk.cpio.gz -o newboot.img
    

    回车执行后,获得重新打包的内核newboot.img。

    将新boot.img重新刷写入手机
    首先将手机切换到fastboot状态

    $ su                              # 刷入内核需要获取root状态
    adb reboot bootloader             # 切换到fastboot状态
    fastboot flash boot newboot.img   #刷入新内核
    fastboot reboot                   #重启
    

    至此,新手机内核已经刷入完成,手机重启后,可以去设置-关于手机查看内核版本和型号。

    可能会遇到的紧急情况
    如果操作失误,可能会遇到分区表损坏的情况,导致开不了机,也使用不了recovery,这个时候只需要去官方下载官方rom,然后单独刷入recovery就可以重新使用recovery功能,然后重新刷官方rom就可以救砖(数据会全部丢失!!

    展开全文
  • 一、Android内核源码的选择 Android手机设备内核源码的调试需要外部硬件设备的支持,调试步骤比较麻烦。相对来说,Android模拟器内核源码的调试就比较简单了,这里以Android模拟器内核源码的调试为例。首先创建一个...

    本文博客地址:http://blog.csdn.net/qq1084283172/article/details/70500488


    一、Android内核源码的选择

    Android手机设备内核源码的调试需要外部硬件设备的支持,调试步骤比较麻烦。相对来说,Android模拟器内核源码的调试就比较简单了,这里以Android模拟器内核源码的调试为例。首先创建一个Android API 19(Android 4.4.x版本)的Android模拟器,然后运行该Android模拟器。在 ubuntu 14.04.5系统或者 Windows 系统上打开命令行终端,执行下面的命令,获取移动设备使用的芯片即获取移动设备内核源码的版本信息。

    $ adb shell
    
    # 查看设备使用的芯片
    $ ls /dev/block/platform
    windows系统上执行的结果如下图:



    二、Android内核源码的下载

    根据 ls /dev/block/platform 获取到的Android设备的芯片平台为 goldfish ,然后查阅google官方提供的Android内核源码的编译文档,执行下面的命令进行Android内核源码和Android内核源码交叉编译工具链的下载。

    $ git clone https://android.googlesource.com/kernel/goldfish.git
    $ cd goldfish/
    
    # 查看可以下载的Linux内核源码的版本
    $ git branch -a
    * master
      remotes/origin/HEAD -> origin/master
      remotes/origin/android-3.10
      remotes/origin/android-3.18
      remotes/origin/android-goldfish-2.6.29
      remotes/origin/android-goldfish-3.10
      remotes/origin/android-goldfish-3.10-l-mr1-dev
      remotes/origin/android-goldfish-3.10-m-dev
      remotes/origin/android-goldfish-3.10-n-dev
      remotes/origin/android-goldfish-3.18
      remotes/origin/android-goldfish-3.18-dev
      remotes/origin/android-goldfish-3.4
      remotes/origin/android-goldfish-3.4-l-mr1-dev
      remotes/origin/android-goldfish-4.4-dev
      remotes/origin/heads/for/android-goldfish-3.18-dev
      remotes/origin/linux-goldfish-3.0-wip
      remotes/origin/master
    
    # 选择下载android-goldfish-3.4的内核源码
    $ git checkout remotes/origin/android-goldfish-3.4  
    # 或
    $ git checkout -t remotes/origin/android-goldfish-3.4 -b goldfish3.4
    
    # 下载编译工具链
    $ git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/arm/arm-eabi-4.7/  

    三、Android内核源码的配置和编译

    设置环境变量,导出Android内核交叉编译工具的路径,生成内核编译时使用的配置文件。可以将配置的相关命令行保存为脚本文件run_make_config.sh 。有关Android内核源码的编译环境的配置可以参考google官方的文档:https://source.android.com/source/building-kernels#building

    export CROSS_COMPILE=$(pwd)/arm-eabi-4.7/bin/arm-eabi-   
    export ARCH=arm  
    export SUBARCH=arm  
    
    # 生成编译配置文件
    make goldfish_armv7_defconfig
    赋予脚本文件 run_make_config.sh  以可执行权限,然后执行该脚本生成Android内核编译的配置文件 .config 。

    $ chmod +x run_make_config.sh  
    $ source run_make_config.sh  
    提示

    1.根据《Android安全攻防权威指南》中文版第251页的提示了解到,在编译Android内核时要使用 arm-eabi 编译器而不是 arm-linux-androideabi 编译器。使用不正确的 EABI 会导致编译失败。



    2.在生成Android内核编译的配置文件 .config 时,make 命令的选择既可以参考google官方的文档:https://source.android.com/source/building-kernels#building,也可以参考Android内核源码下帮助文件,这里是 /goldfish/README 文件,关于make命令生成编译配置文件的说明如下:



    在当前Android内核源码的根目录下,执行 make help 命令,获取到Android内核编译配置命令的信息。

    $ make help
    Cleaning targets:
      clean		  - Remove most generated files but keep the config and
                        enough build support to build external modules
      mrproper	  - Remove all generated files + config + various backup files
      distclean	  - mrproper + remove editor backup and patch files
    
    Configuration targets:
      config	  - Update current config utilising a line-oriented program
      nconfig         - Update current config utilising a ncurses menu based program
      menuconfig	  - Update current config utilising a menu based program
      xconfig	  - Update current config utilising a QT based front-end
      gconfig	  - Update current config utilising a GTK based front-end
      oldconfig	  - Update current config utilising a provided .config as base
      localmodconfig  - Update current config disabling modules not loaded
      localyesconfig  - Update current config converting local mods to core
      silentoldconfig - Same as oldconfig, but quietly, additionally update deps
      defconfig	  - New config with default from ARCH supplied defconfig
      savedefconfig   - Save current config as ./defconfig (minimal config)
      allnoconfig	  - New config where all options are answered with no
      allyesconfig	  - New config where all options are accepted with yes
      allmodconfig	  - New config selecting modules when possible
      alldefconfig    - New config with all symbols set to default
      randconfig	  - New config with random answer to all options
      listnewconfig   - List new options
      oldnoconfig     - Same as silentoldconfig but set new symbols to n (unset)
    
    Other generic targets:
      all		  - Build all targets marked with [*]
    * vmlinux	  - Build the bare kernel
    * modules	  - Build all modules
      modules_install - Install all modules to INSTALL_MOD_PATH (default: /)
      firmware_install- Install all firmware to INSTALL_FW_PATH
                        (default: $(INSTALL_MOD_PATH)/lib/firmware)
      dir/            - Build all files in dir and below
      dir/file.[oisS] - Build specified target only
      dir/file.lst    - Build specified mixed source/assembly target only
                        (requires a recent binutils and recent build (System.map))
      dir/file.ko     - Build module including final link
      modules_prepare - Set up for building external modules
      tags/TAGS	  - Generate tags file for editors
      cscope	  - Generate cscope index
      gtags           - Generate GNU GLOBAL index
      kernelrelease	  - Output the release version string
      kernelversion	  - Output the version stored in Makefile
      headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH
                        (default: /home/fly2016/Android4.4.4r1/goldfish-kernel-3.4/goldfish/usr)
    
    Static analysers
      checkstack      - Generate a list of stack hogs
      namespacecheck  - Name space analysis on compiled kernel
      versioncheck    - Sanity check on version.h usage
      includecheck    - Check for duplicate included header files
      export_report   - List the usages of all exported symbols
      headers_check   - Sanity check on exported headers
      headerdep       - Detect inclusion cycles in headers
      coccicheck      - Check with Coccinelle.
    
    Kernel packaging:
      rpm-pkg             - Build both source and binary RPM kernel packages
      binrpm-pkg          - Build only the binary kernel package
      deb-pkg             - Build the kernel as a deb package
      tar-pkg             - Build the kernel as an uncompressed tarball
      targz-pkg           - Build the kernel as a gzip compressed tarball
      tarbz2-pkg          - Build the kernel as a bzip2 compressed tarball
      tarxz-pkg           - Build the kernel as a xz compressed tarball
      perf-tar-src-pkg    - Build perf-3.4.67.tar source tarball
      perf-targz-src-pkg  - Build perf-3.4.67.tar.gz source tarball
      perf-tarbz2-src-pkg - Build perf-3.4.67.tar.bz2 source tarball
      perf-tarxz-src-pkg  - Build perf-3.4.67.tar.xz source tarball
    
    Documentation targets:
     Linux kernel internal documentation in different formats:
      htmldocs        - HTML
      pdfdocs         - PDF
      psdocs          - Postscript
      xmldocs         - XML DocBook
      mandocs         - man pages
      installmandocs  - install man pages generated by mandocs
      cleandocs       - clean all generated DocBook files
    
    Architecture specific targets (arm):
    * zImage        - Compressed kernel image (arch/arm/boot/zImage)
      Image         - Uncompressed kernel image (arch/arm/boot/Image)
    * xipImage      - XIP kernel image, if configured (arch/arm/boot/xipImage)
      uImage        - U-Boot wrapped zImage
      bootpImage    - Combined zImage and initial RAM disk
                      (supply initrd image via make variable INITRD=<path>)
      dtbs          - Build device tree blobs for enabled boards
      install       - Install uncompressed kernel
      zinstall      - Install compressed kernel
      uinstall      - Install U-Boot wrapped compressed kernel
                      Install using (your) ~/bin/installkernel or
                      (distribution) /sbin/installkernel or
                      install to $(INSTALL_PATH) and run lilo
    
      acs5k_defconfig          - Build for acs5k
      acs5k_tiny_defconfig     - Build for acs5k_tiny
      afeb9260_defconfig       - Build for afeb9260
      ag5evm_defconfig         - Build for ag5evm
      am200epdkit_defconfig    - Build for am200epdkit
      ap4evb_defconfig         - Build for ap4evb
      assabet_defconfig        - Build for assabet
      at91rm9200_defconfig     - Build for at91rm9200
      at91sam9260_defconfig    - Build for at91sam9260
      at91sam9261_defconfig    - Build for at91sam9261
      at91sam9263_defconfig    - Build for at91sam9263
      at91sam9g20_defconfig    - Build for at91sam9g20
      at91sam9g45_defconfig    - Build for at91sam9g45
      at91sam9rl_defconfig     - Build for at91sam9rl
      at91x40_defconfig        - Build for at91x40
      badge4_defconfig         - Build for badge4
      bcmring_defconfig        - Build for bcmring
      bonito_defconfig         - Build for bonito
      cam60_defconfig          - Build for cam60
      cerfcube_defconfig       - Build for cerfcube
      cm_x2xx_defconfig        - Build for cm_x2xx
      cm_x300_defconfig        - Build for cm_x300
      cns3420vb_defconfig      - Build for cns3420vb
      colibri_pxa270_defconfig - Build for colibri_pxa270
      colibri_pxa300_defconfig - Build for colibri_pxa300
      collie_defconfig         - Build for collie
      corgi_defconfig          - Build for corgi
      cpu9260_defconfig        - Build for cpu9260
      cpu9g20_defconfig        - Build for cpu9g20
      da8xx_omapl_defconfig    - Build for da8xx_omapl
      davinci_all_defconfig    - Build for davinci_all
      dove_defconfig           - Build for dove
      ebsa110_defconfig        - Build for ebsa110
      edb7211_defconfig        - Build for edb7211
      em_x270_defconfig        - Build for em_x270
      ep93xx_defconfig         - Build for ep93xx
      eseries_pxa_defconfig    - Build for eseries_pxa
      exynos4_defconfig        - Build for exynos4
      ezx_defconfig            - Build for ezx
      footbridge_defconfig     - Build for footbridge
      fortunet_defconfig       - Build for fortunet
      g3evm_defconfig          - Build for g3evm
      g4evm_defconfig          - Build for g4evm
      goldfish_armv7_defconfig - Build for goldfish_armv7
      goldfish_defconfig       - Build for goldfish
      h3600_defconfig          - Build for h3600
      h5000_defconfig          - Build for h5000
      h7201_defconfig          - Build for h7201
      h7202_defconfig          - Build for h7202
      hackkit_defconfig        - Build for hackkit
      imote2_defconfig         - Build for imote2
      imx_v4_v5_defconfig      - Build for imx_v4_v5
      imx_v6_v7_defconfig      - Build for imx_v6_v7
      integrator_defconfig     - Build for integrator
      iop13xx_defconfig        - Build for iop13xx
      iop32x_defconfig         - Build for iop32x
      iop33x_defconfig         - Build for iop33x
      ixp2000_defconfig        - Build for ixp2000
      ixp23xx_defconfig        - Build for ixp23xx
      ixp4xx_defconfig         - Build for ixp4xx
      jornada720_defconfig     - Build for jornada720
      kirkwood_defconfig       - Build for kirkwood
      kota2_defconfig          - Build for kota2
      ks8695_defconfig         - Build for ks8695
      lart_defconfig           - Build for lart
      lpc32xx_defconfig        - Build for lpc32xx
      lpd270_defconfig         - Build for lpd270
      lubbock_defconfig        - Build for lubbock
      mackerel_defconfig       - Build for mackerel
      magician_defconfig       - Build for magician
      mainstone_defconfig      - Build for mainstone
      marzen_defconfig         - Build for marzen
      mini2440_defconfig       - Build for mini2440
      mmp2_defconfig           - Build for mmp2
      msm_defconfig            - Build for msm
      mv78xx0_defconfig        - Build for mv78xx0
      mxs_defconfig            - Build for mxs
      neponset_defconfig       - Build for neponset
      netwinder_defconfig      - Build for netwinder
      netx_defconfig           - Build for netx
      nhk8815_defconfig        - Build for nhk8815
      nuc910_defconfig         - Build for nuc910
      nuc950_defconfig         - Build for nuc950
      nuc960_defconfig         - Build for nuc960
      omap1_defconfig          - Build for omap1
      omap2plus_defconfig      - Build for omap2plus
      orion5x_defconfig        - Build for orion5x
      palmz72_defconfig        - Build for palmz72
      pcm027_defconfig         - Build for pcm027
      pleb_defconfig           - Build for pleb
      pnx4008_defconfig        - Build for pnx4008
      pxa168_defconfig         - Build for pxa168
      pxa255-idp_defconfig     - Build for pxa255-idp
      pxa3xx_defconfig         - Build for pxa3xx
      pxa910_defconfig         - Build for pxa910
      qil-a9260_defconfig      - Build for qil-a9260
      raumfeld_defconfig       - Build for raumfeld
      realview_defconfig       - Build for realview
      realview-smp_defconfig   - Build for realview-smp
      rpc_defconfig            - Build for rpc
      s3c2410_defconfig        - Build for s3c2410
      s3c6400_defconfig        - Build for s3c6400
      s5p64x0_defconfig        - Build for s5p64x0
      s5pc100_defconfig        - Build for s5pc100
      s5pv210_defconfig        - Build for s5pv210
      sam9_l9260_defconfig     - Build for sam9_l9260
      shannon_defconfig        - Build for shannon
      shark_defconfig          - Build for shark
      simpad_defconfig         - Build for simpad
      spear3xx_defconfig       - Build for spear3xx
      spear6xx_defconfig       - Build for spear6xx
      spitz_defconfig          - Build for spitz
      stamp9g20_defconfig      - Build for stamp9g20
      tct_hammer_defconfig     - Build for tct_hammer
      tegra_defconfig          - Build for tegra
      trizeps4_defconfig       - Build for trizeps4
      u300_defconfig           - Build for u300
      u8500_defconfig          - Build for u8500
      usb-a9260_defconfig      - Build for usb-a9260
      versatile_defconfig      - Build for versatile
      vexpress_defconfig       - Build for vexpress
      viper_defconfig          - Build for viper
      xcep_defconfig           - Build for xcep
      zeus_defconfig           - Build for zeus
    
      make V=0|1 [targets] 0 => quiet build (default), 1 => verbose build
      make V=2   [targets] 2 => give reason for rebuild of target
      make O=dir [targets] Locate all output files in "dir", including .config
      make C=1   [targets] Check all c source with $CHECK (sparse by default)
      make C=2   [targets] Force check of all c source with $CHECK
      make RECORDMCOUNT_WARN=1 [targets] Warn about ignored mcount sections
      make W=n   [targets] Enable extra gcc checks, n=1,2,3 where
    		1: warnings which may be relevant and do not occur too often
    		2: warnings which occur quite often but may still be relevant
    		3: more obscure warnings, can most likely be ignored
    		Multiple levels can be combined with W=12 or W=123
    
    Execute "make" or "make all" to build all targets marked with [*] 
    For further info see the ./README file
    
    当前Android内核源码的帮助文件 README 的全部内容信息:

    	Linux kernel release 3.x <http://kernel.org/>
    
    These are the release notes for Linux version 3.  Read them carefully,
    as they tell you what this is all about, explain how to install the
    kernel, and what to do if something goes wrong. 
    
    WHAT IS LINUX?
    
      Linux is a clone of the operating system Unix, written from scratch by
      Linus Torvalds with assistance from a loosely-knit team of hackers across
      the Net. It aims towards POSIX and Single UNIX Specification compliance.
    
      It has all the features you would expect in a modern fully-fledged Unix,
      including true multitasking, virtual memory, shared libraries, demand
      loading, shared copy-on-write executables, proper memory management,
      and multistack networking including IPv4 and IPv6.
    
      It is distributed under the GNU General Public License - see the
      accompanying COPYING file for more details. 
    
    ON WHAT HARDWARE DOES IT RUN?
    
      Although originally developed first for 32-bit x86-based PCs (386 or higher),
      today Linux also runs on (at least) the Compaq Alpha AXP, Sun SPARC and
      UltraSPARC, Motorola 68000, PowerPC, PowerPC64, ARM, Hitachi SuperH, Cell,
      IBM S/390, MIPS, HP PA-RISC, Intel IA-64, DEC VAX, AMD x86-64, AXIS CRIS,
      Xtensa, Tilera TILE, AVR32 and Renesas M32R architectures.
    
      Linux is easily portable to most general-purpose 32- or 64-bit architectures
      as long as they have a paged memory management unit (PMMU) and a port of the
      GNU C compiler (gcc) (part of The GNU Compiler Collection, GCC). Linux has
      also been ported to a number of architectures without a PMMU, although
      functionality is then obviously somewhat limited.
      Linux has also been ported to itself. You can now run the kernel as a
      userspace application - this is called UserMode Linux (UML).
    
    DOCUMENTATION:
    
     - There is a lot of documentation available both in electronic form on
       the Internet and in books, both Linux-specific and pertaining to
       general UNIX questions.  I'd recommend looking into the documentation
       subdirectories on any Linux FTP site for the LDP (Linux Documentation
       Project) books.  This README is not meant to be documentation on the
       system: there are much better sources available.
    
     - There are various README files in the Documentation/ subdirectory:
       these typically contain kernel-specific installation notes for some 
       drivers for example. See Documentation/00-INDEX for a list of what
       is contained in each file.  Please read the Changes file, as it
       contains information about the problems, which may result by upgrading
       your kernel.
    
     - The Documentation/DocBook/ subdirectory contains several guides for
       kernel developers and users.  These guides can be rendered in a
       number of formats:  PostScript (.ps), PDF, HTML, & man-pages, among others.
       After installation, "make psdocs", "make pdfdocs", "make htmldocs",
       or "make mandocs" will render the documentation in the requested format.
    
    INSTALLING the kernel source:
    
     - If you install the full sources, put the kernel tarball in a
       directory where you have permissions (eg. your home directory) and
       unpack it:
    
    		gzip -cd linux-3.X.tar.gz | tar xvf -
    
       or
    		bzip2 -dc linux-3.X.tar.bz2 | tar xvf -
    
    
       Replace "XX" with the version number of the latest kernel.
    
       Do NOT use the /usr/src/linux area! This area has a (usually
       incomplete) set of kernel headers that are used by the library header
       files.  They should match the library, and not get messed up by
       whatever the kernel-du-jour happens to be.
    
     - You can also upgrade between 3.x releases by patching.  Patches are
       distributed in the traditional gzip and the newer bzip2 format.  To
       install by patching, get all the newer patch files, enter the
       top level directory of the kernel source (linux-3.x) and execute:
    
    		gzip -cd ../patch-3.x.gz | patch -p1
    
       or
    		bzip2 -dc ../patch-3.x.bz2 | patch -p1
    
       (repeat xx for all versions bigger than the version of your current
       source tree, _in_order_) and you should be ok.  You may want to remove
       the backup files (xxx~ or xxx.orig), and make sure that there are no
       failed patches (xxx# or xxx.rej). If there are, either you or me has
       made a mistake.
    
       Unlike patches for the 3.x kernels, patches for the 3.x.y kernels
       (also known as the -stable kernels) are not incremental but instead apply
       directly to the base 3.x kernel.  Please read
       Documentation/applying-patches.txt for more information.
    
       Alternatively, the script patch-kernel can be used to automate this
       process.  It determines the current kernel version and applies any
       patches found.
    
    		linux/scripts/patch-kernel linux
    
       The first argument in the command above is the location of the
       kernel source.  Patches are applied from the current directory, but
       an alternative directory can be specified as the second argument.
    
     - If you are upgrading between releases using the stable series patches
       (for example, patch-3.x.y), note that these "dot-releases" are
       not incremental and must be applied to the 3.x base tree. For
       example, if your base kernel is 3.0 and you want to apply the
       3.0.3 patch, you do not and indeed must not first apply the
       3.0.1 and 3.0.2 patches. Similarly, if you are running kernel
       version 3.0.2 and want to jump to 3.0.3, you must first
       reverse the 3.0.2 patch (that is, patch -R) _before_ applying
       the 3.0.3 patch.
       You can read more on this in Documentation/applying-patches.txt
    
     - Make sure you have no stale .o files and dependencies lying around:
    
    		cd linux
    		make mrproper
    
       You should now have the sources correctly installed.
    
    SOFTWARE REQUIREMENTS
    
       Compiling and running the 3.x kernels requires up-to-date
       versions of various software packages.  Consult
       Documentation/Changes for the minimum version numbers required
       and how to get updates for these packages.  Beware that using
       excessively old versions of these packages can cause indirect
       errors that are very difficult to track down, so don't assume that
       you can just update packages when obvious problems arise during
       build or operation.
    
    BUILD directory for the kernel:
    
       When compiling the kernel all output files will per default be
       stored together with the kernel source code.
       Using the option "make O=output/dir" allow you to specify an alternate
       place for the output files (including .config).
       Example:
         kernel source code:	/usr/src/linux-3.N
         build directory:		/home/name/build/kernel
    
       To configure and build the kernel use:
       cd /usr/src/linux-3.N
       make O=/home/name/build/kernel menuconfig
       make O=/home/name/build/kernel
       sudo make O=/home/name/build/kernel modules_install install
    
       Please note: If the 'O=output/dir' option is used then it must be
       used for all invocations of make.
    
    CONFIGURING the kernel:
    
       Do not skip this step even if you are only upgrading one minor
       version.  New configuration options are added in each release, and
       odd problems will turn up if the configuration files are not set up
       as expected.  If you want to carry your existing configuration to a
       new version with minimal work, use "make oldconfig", which will
       only ask you for the answers to new questions.
    
     - Alternate configuration commands are:
    	"make config"      Plain text interface.
    	"make menuconfig"  Text based color menus, radiolists & dialogs.
    	"make nconfig"     Enhanced text based color menus.
    	"make xconfig"     X windows (Qt) based configuration tool.
    	"make gconfig"     X windows (Gtk) based configuration tool.
    	"make oldconfig"   Default all questions based on the contents of
    			   your existing ./.config file and asking about
    			   new config symbols.
    	"make silentoldconfig"
    			   Like above, but avoids cluttering the screen
    			   with questions already answered.
    			   Additionally updates the dependencies.
    	"make defconfig"   Create a ./.config file by using the default
    			   symbol values from either arch/$ARCH/defconfig
    			   or arch/$ARCH/configs/${PLATFORM}_defconfig,
    			   depending on the architecture.
    	"make ${PLATFORM}_defconfig"
    			  Create a ./.config file by using the default
    			  symbol values from
    			  arch/$ARCH/configs/${PLATFORM}_defconfig.
    			  Use "make help" to get a list of all available
    			  platforms of your architecture.
    	"make allyesconfig"
    			   Create a ./.config file by setting symbol
    			   values to 'y' as much as possible.
    	"make allmodconfig"
    			   Create a ./.config file by setting symbol
    			   values to 'm' as much as possible.
    	"make allnoconfig" Create a ./.config file by setting symbol
    			   values to 'n' as much as possible.
    	"make randconfig"  Create a ./.config file by setting symbol
    			   values to random values.
    
       You can find more information on using the Linux kernel config tools
       in Documentation/kbuild/kconfig.txt.
    
    	NOTES on "make config":
    	- having unnecessary drivers will make the kernel bigger, and can
    	  under some circumstances lead to problems: probing for a
    	  nonexistent controller card may confuse your other controllers
    	- compiling the kernel with "Processor type" set higher than 386
    	  will result in a kernel that does NOT work on a 386.  The
    	  kernel will detect this on bootup, and give up.
    	- A kernel with math-emulation compiled in will still use the
    	  coprocessor if one is present: the math emulation will just
    	  never get used in that case.  The kernel will be slightly larger,
    	  but will work on different machines regardless of whether they
    	  have a math coprocessor or not. 
    	- the "kernel hacking" configuration details usually result in a
    	  bigger or slower kernel (or both), and can even make the kernel
    	  less stable by configuring some routines to actively try to
    	  break bad code to find kernel problems (kmalloc()).  Thus you
    	  should probably answer 'n' to the questions for
              "development", "experimental", or "debugging" features.
    
    COMPILING the kernel:
    
     - Make sure you have at least gcc 3.2 available.
       For more information, refer to Documentation/Changes.
    
       Please note that you can still run a.out user programs with this kernel.
    
     - Do a "make" to create a compressed kernel image. It is also
       possible to do "make install" if you have lilo installed to suit the
       kernel makefiles, but you may want to check your particular lilo setup first.
    
       To do the actual install you have to be root, but none of the normal
       build should require that. Don't take the name of root in vain.
    
     - If you configured any of the parts of the kernel as `modules', you
       will also have to do "make modules_install".
    
     - Verbose kernel compile/build output:
    
       Normally the kernel build system runs in a fairly quiet mode (but not
       totally silent).  However, sometimes you or other kernel developers need
       to see compile, link, or other commands exactly as they are executed.
       For this, use "verbose" build mode.  This is done by inserting
       "V=1" in the "make" command.  E.g.:
    
    	make V=1 all
    
       To have the build system also tell the reason for the rebuild of each
       target, use "V=2".  The default is "V=0".
    
     - Keep a backup kernel handy in case something goes wrong.  This is 
       especially true for the development releases, since each new release
       contains new code which has not been debugged.  Make sure you keep a
       backup of the modules corresponding to that kernel, as well.  If you
       are installing a new kernel with the same version number as your
       working kernel, make a backup of your modules directory before you
       do a "make modules_install".
       Alternatively, before compiling, use the kernel config option
       "LOCALVERSION" to append a unique suffix to the regular kernel version.
       LOCALVERSION can be set in the "General Setup" menu.
    
     - In order to boot your new kernel, you'll need to copy the kernel
       image (e.g. .../linux/arch/i386/boot/bzImage after compilation)
       to the place where your regular bootable kernel is found. 
    
     - Booting a kernel directly from a floppy without the assistance of a
       bootloader such as LILO, is no longer supported.
    
       If you boot Linux from the hard drive, chances are you use LILO which
       uses the kernel image as specified in the file /etc/lilo.conf.  The
       kernel image file is usually /vmlinuz, /boot/vmlinuz, /bzImage or
       /boot/bzImage.  To use the new kernel, save a copy of the old image
       and copy the new image over the old one.  Then, you MUST RERUN LILO
       to update the loading map!! If you don't, you won't be able to boot
       the new kernel image.
    
       Reinstalling LILO is usually a matter of running /sbin/lilo. 
       You may wish to edit /etc/lilo.conf to specify an entry for your
       old kernel image (say, /vmlinux.old) in case the new one does not
       work.  See the LILO docs for more information. 
    
       After reinstalling LILO, you should be all set.  Shutdown the system,
       reboot, and enjoy!
    
       If you ever need to change the default root device, video mode,
       ramdisk size, etc.  in the kernel image, use the 'rdev' program (or
       alternatively the LILO boot options when appropriate).  No need to
       recompile the kernel to change these parameters. 
    
     - Reboot with the new kernel and enjoy. 
    
    IF SOMETHING GOES WRONG:
    
     - If you have problems that seem to be due to kernel bugs, please check
       the file MAINTAINERS to see if there is a particular person associated
       with the part of the kernel that you are having trouble with. If there
       isn't anyone listed there, then the second best thing is to mail
       them to me (torvalds@linux-foundation.org), and possibly to any other
       relevant mailing-list or to the newsgroup.
    
     - In all bug-reports, *please* tell what kernel you are talking about,
       how to duplicate the problem, and what your setup is (use your common
       sense).  If the problem is new, tell me so, and if the problem is
       old, please try to tell me when you first noticed it.
    
     - If the bug results in a message like
    
    	unable to handle kernel paging request at address C0000010
    	Oops: 0002
    	EIP:   0010:XXXXXXXX
    	eax: xxxxxxxx   ebx: xxxxxxxx   ecx: xxxxxxxx   edx: xxxxxxxx
    	esi: xxxxxxxx   edi: xxxxxxxx   ebp: xxxxxxxx
    	ds: xxxx  es: xxxx  fs: xxxx  gs: xxxx
    	Pid: xx, process nr: xx
    	xx xx xx xx xx xx xx xx xx xx
    
       or similar kernel debugging information on your screen or in your
       system log, please duplicate it *exactly*.  The dump may look
       incomprehensible to you, but it does contain information that may
       help debugging the problem.  The text above the dump is also
       important: it tells something about why the kernel dumped code (in
       the above example it's due to a bad kernel pointer). More information
       on making sense of the dump is in Documentation/oops-tracing.txt
    
     - If you compiled the kernel with CONFIG_KALLSYMS you can send the dump
       as is, otherwise you will have to use the "ksymoops" program to make
       sense of the dump (but compiling with CONFIG_KALLSYMS is usually preferred).
       This utility can be downloaded from
       ftp://ftp.<country>.kernel.org/pub/linux/utils/kernel/ksymoops/ .
       Alternately you can do the dump lookup by hand:
    
     - In debugging dumps like the above, it helps enormously if you can
       look up what the EIP value means.  The hex value as such doesn't help
       me or anybody else very much: it will depend on your particular
       kernel setup.  What you should do is take the hex value from the EIP
       line (ignore the "0010:"), and look it up in the kernel namelist to
       see which kernel function contains the offending address.
    
       To find out the kernel function name, you'll need to find the system
       binary associated with the kernel that exhibited the symptom.  This is
       the file 'linux/vmlinux'.  To extract the namelist and match it against
       the EIP from the kernel crash, do:
    
    		nm vmlinux | sort | less
    
       This will give you a list of kernel addresses sorted in ascending
       order, from which it is simple to find the function that contains the
       offending address.  Note that the address given by the kernel
       debugging messages will not necessarily match exactly with the
       function addresses (in fact, that is very unlikely), so you can't
       just 'grep' the list: the list will, however, give you the starting
       point of each kernel function, so by looking for the function that
       has a starting address lower than the one you are searching for but
       is followed by a function with a higher address you will find the one
       you want.  In fact, it may be a good idea to include a bit of
       "context" in your problem report, giving a few lines around the
       interesting one. 
    
       If you for some reason cannot do the above (you have a pre-compiled
       kernel image or similar), telling me as much about your setup as
       possible will help.  Please read the REPORTING-BUGS document for details.
    
     - Alternately, you can use gdb on a running kernel. (read-only; i.e. you
       cannot change values or set break points.) To do this, first compile the
       kernel with -g; edit arch/i386/Makefile appropriately, then do a "make
       clean". You'll also need to enable CONFIG_PROC_FS (via "make config").
    
       After you've rebooted with the new kernel, do "gdb vmlinux /proc/kcore".
       You can now use all the usual gdb commands. The command to look up the
       point where your system crashed is "l *0xXXXXXXXX". (Replace the XXXes
       with the EIP value.)
    
       gdb'ing a non-running kernel currently fails because gdb (wrongly)
       disregards the starting offset for which the kernel is compiled.

    修改生成的Android内核编译配置文件.config,增加Android内核编译的config选项。默认的 make goldfish_armv7_defconfig 配置没有打开调试选项,也没有使用HIGHMEM等选项,因此为了使用 kgdb 调试Android内核必须增加这些选项。这里手动打开goldfish/.config文件,增加调试相关的选项配置。

    # 打开Android内核编译的配置文件
    $ gedit .config
    增加的编译配置选项:

    # 设置模拟器的运行内存-可选参数
    CONFIG_HIGHMEM=y  
    
    CONFIG_DEBUG_KERNEL=y  
    CONFIG_KGDB=y  
    CONFIG_DEBUG_INFO=y
    
    # 真机设备调试需要设置这一项,模拟器不需要
    #CONFIG_KGDB_SERIAL_CONSOLE=y
    
    # 可以是直接在配置文件中去掉这一项
    CONFIG_DEBUG_RODATA=n

    具体每一个配置选项的作用,可以参考这篇博文《用 kGDB 调试 Linux 内核》,简单的描述如下图,其中打开 CONFIG_HIGHMEM=y  这个选项后,启动模拟器时 emulator -memory 参数才能发挥作用即可以设置Android模拟器启动时的运行内存的大小,是一个可选的参数,因为可以直接使用  Adt-bundle-x86_64 或者 Android Studio 提供的创建Andorid模拟器的工具设置,不需要手动添加 -memory参数 进行修改。



    执行修改Android内核编译配置文件.config的结果如下图所示:



    Android内核编译配置文件的修改也可以通过执行 make menuconfig 命令进行修改,只不过麻烦一下。上面修改.config完成以后,保存和关闭.config文件,然后执行下面的命令进行Android内核源码的编译。由于前面修改Android内核编译配置时,增加了几个配置,因此编译一开始会有提示让选择配置选项记得相关的配置全部选 y 就可以了。Android内核编译完成后,goldfish/arch/arm/boot/zImage文件出现,这个文件就是Android内核文件了。

    $ make -j4
    Android内核源码编译成功后的结果截图如下:



    四、Android内核的调试

    1.使用 Adt-bundle-x86_64 或者 Android Studio 开发Android程序时搭建的环境中的Android模拟器 emulator 来加载上面编译成功的Android内核镜像文件。根据Android内核源码 android-goldfish-3.4 支持的Android系统的版本,来创建Android 模拟器命名为 Debug_Kernel 。这里根据实际情况创建Android 4.4.4 API 19 版本的Android模拟器。首先使用Android综合开发工具 Android Studio 创建名称为 Debug_Kernel 的Android模拟器,设参数置如下图,后面用创建的这个模拟器来加载上面编译成功的Android内核镜像文件 goldfish/arch/arm/boot/zImage,进行Android内核的调试。



    提示

    1.在进行后面的实践中,需要添加Android  SDK到系统的环境变量中,否则执行 emulator 命令时需要使用全路径比较麻烦,下面是添加 Android SDK 到环境变量中的操作命令:

    # 编辑环境变量配置文件
    $ sudo gedit /etc/profile  
    
    # 添加到环境变量配置文件/etc/profile中的内容
    
    # Android SDK
    export ANDROID_SDK=/home/fly2016/Android/Sdk
    export PATH=$PATH:${ANDROID_SDK}/platform-tools:${ANDROID_SDK}/tools
    
    # Android NDK(顺便添加)
    export ANDROID_NDK=/home/fly2016/Android/Sdk/ndk-bundle
    export PATH=$PATH:${ANDROID_NDK}
    
    # 更新系统环境变量
    $ source /etc/profile 
    
    # 测试Android SDK是否配置成功的命令
    $ adb verison
    $ emulator -help
    
    # 测试Android NDK是否配置成功的命令
    $ ndk-build
    2.这里是用Android Studio的工具创建的Android虚拟机 Debug_Kernel,当然使用 Adt-bundle-x86_64的工具创建Android 虚拟机  Debug_Kernel 是可以的,甚至是使用 android create avd 命令进行Android模拟器的创建也是可以的。有关 android create avd 命令创建Android 虚拟机的使用帮助如下:

    $ android create avd
    Error: The parameters --name, --target must be defined for action 'create avd'
    
           Usage:
           android [global options] create avd [action options]
           Global options:
      -h --help       : Help on a specific command.
      -v --verbose    : Verbose mode, shows errors, warnings and all messages.
         --clear-cache: Clear the SDK Manager repository manifest cache.
      -s --silent     : Silent mode, shows errors only.
    
                         Action "create avd":
      Creates a new Android Virtual Device.
    Options:
      -g --tag     : The sys-img tag to use for the AVD. The default is to
                     auto-select if the platform has only one tag for its system
                     images.
      -c --sdcard  : Path to a shared SD card image, or size of a new sdcard for
                     the new AVD.
      -n --name    : Name of the new AVD. [required]
      -a --snapshot: Place a snapshots file in the AVD, to enable persistence.
      -p --path    : Directory where the new AVD will be created.
      -f --force   : Forces creation (overwrites an existing AVD)
      -s --skin    : Skin for the new AVD.
      -t --target  : Target ID of the new AVD. [required]
      -b --abi     : The ABI to use for the AVD. The default is to auto-select the
                     ABI if the platform has only one ABI for its system images.
      -d --device  : The optional device definition to use. Can be a device index
                     or id.

    使用 android create avd 命令,创建Android模拟器Debug_Kernel的示例,如下:

    # 查看本地下载的Android SDK
    $ android list targets
    	 
    # 创建Android模拟器 Debug_Kernel
    $ android create avd -n Debug_Kernel -t android-19 -b default/armeabi-v7a -s HVGA

    Android API 19的Android模拟器 Debug_Kernel 创建成功以后,使用下面的命令检查新创建的Android模拟器 Debug_Kernel 能否正常启动成功。

    # 查看已经创建的Android模拟器
    $ emulator -list-avds  
    
    # 启动运行创建的Android模拟器Debug_Kernel
    $ emulator -avd Debug_Kernel -gpu mesa

    Android模拟器 Debug_Kernel 启动成功,说明准备工作已经做好了。现在可以在 Android内核源码的根目录下 执行下面的命令,以 -kernel参数 指定加载前面编译成功的Android内核镜像文件 goldfish/arch/arm/boot/zImage ,并以等待调试模式启动Android模拟器 Debug_Kernel 。
    $ emulator -avd Debug_Kernel -verbose -netfast -show-kernel -kernel ./arch/arm/boot/zImage  -gpu mesa -qemu -s -S 

    调试内核一般不需要显示图形界面和声音,因此增加启动选项 -no-window, no-audio ,增加 -verbose -show-kernel 选项 可以看到内核的详细输出信息,-kernel 选项 指定加载的内核镜像文件为前面编译的Android内核镜像文件,增加 -qemu -s -S 选项 启动调试监听即Android内核启动以后会监听端口 1234 ,暂停等待调试,这时需要打开另一个命令终端运行 gdb 程序,对Android内核进行调试,还可以增加 -memory 2048 选项 设置运行的内存大小,增加运行内存使调试运行更流畅。


    执行结果输出信息,如下所示:

    fly2016@ubuntu:~/Desktop/Android4.4.4r1/goldfish-kernel-3.4/goldfish$ emulator -avd Debug_Kernel -verbose -netfast -show-kernel -kernel ./arch/arm/boot/zImage  -gpu mesa -qemu -s -S     
    emulator:Found AVD name 'Debug_Kernel'
    emulator:Found AVD target architecture: arm
    emulator:  Found directory: /home/fly2016/Android/Sdk/system-images/android-19/default/armeabi-v7a/
    
    emulator:Probing for /home/fly2016/Android/Sdk/system-images/android-19/default/armeabi-v7a//kernel-ranchu: file missing
    emulator:Auto-config: -engine classic (based on configuration)
    emulator:  Found directory: /home/fly2016/Android/Sdk/system-images/android-19/default/armeabi-v7a/
    
    emulator:Looking for emulator-arm to emulate 'arm' CPU
    emulator:Probing program: /home/fly2016/Android/Sdk/tools/emulator64-arm
    emulator:return result: /home/fly2016/Android/Sdk/tools/emulator64-arm
    emulator:Found target-specific 64-bit emulator binary: /home/fly2016/Android/Sdk/tools/emulator64-arm
    emulator:Adding library search path: '/home/fly2016/Android/Sdk/tools/lib64'
    emulator:Adding library search path: '/home/fly2016/Android/Sdk/tools/lib64/libstdc++'
    emulator:  Found directory: /home/fly2016/Android/Sdk/system-images/android-19/default/armeabi-v7a/
    
    emulator:  Found directory: /home/fly2016/Android/Sdk/system-images/android-19/default/armeabi-v7a/
    
    emulator:GPU emulation enabled using 'mesa' mode
    WARNING: The Mesa software renderer is deprecated. Use Swiftshader (-gpu swiftshader) for software rendering.
    emulator: Adding library search path for Qt: '/home/fly2016/Android/Sdk/tools/lib64/qt/lib'
    emulator: Setting Qt plugin search path: QT_QPA_PLATFORM_PLUGIN_PATH=/home/fly2016/Android/Sdk/tools/lib64/qt/plugins
    emulator: Running :/home/fly2016/Android/Sdk/tools/emulator64-arm
    emulator: qemu backend: argv[00] = "/home/fly2016/Android/Sdk/tools/emulator64-arm"
    emulator: qemu backend: argv[01] = "-avd"
    emulator: qemu backend: argv[02] = "Debug_Kernel"
    emulator: qemu backend: argv[03] = "-verbose"
    emulator: qemu backend: argv[04] = "-netfast"
    emulator: qemu backend: argv[05] = "-show-kernel"
    emulator: qemu backend: argv[06] = "-kernel"
    emulator: qemu backend: argv[07] = "./arch/arm/boot/zImage"
    emulator: qemu backend: argv[08] = "-gpu"
    emulator: qemu backend: argv[09] = "mesa"
    emulator: qemu backend: argv[10] = "-qemu"
    emulator: qemu backend: argv[11] = "-s"
    emulator: qemu backend: argv[12] = "-S"
    emulator: Concatenated backend parameters:
     /home/fly2016/Android/Sdk/tools/emulator64-arm -avd Debug_Kernel -verbose -netfast -show-kernel -kernel ./arch/arm/boot/zImage -gpu mesa -qemu -s -S
    emulator: Android virtual device file at: /home/fly2016/.android/avd/Debug_Kernel.ini
    emulator: virtual device content at /home/fly2016/.android/avd/Debug_Kernel.avd
    emulator: virtual device config file: /home/fly2016/.android/avd/Debug_Kernel.avd/config.ini
    emulator: using core hw config path: /home/fly2016/.android/avd/Debug_Kernel.avd/hardware-qemu.ini
    emulator: Found AVD target API level: 19
    emulator: Read property file at /home/fly2016/Android/Sdk/system-images/android-19/default/armeabi-v7a//build.prop
    emulator: No boot.prop property file found.
    emulator: found skin 'nexus_5' in directory: /opt/android-studio/plugins/android/lib/device-art-resources/
    emulator: autoconfig: -skin nexus_5
    emulator: autoconfig: -skindir /opt/android-studio/plugins/android/lib/device-art-resources/
    emulator: Auto-detect: Kernel image requires legacy device naming scheme.
    emulator: Auto-detect: Kernel does support YAFFS2 partitions.
    emulator: autoconfig: -ramdisk /home/fly2016/Android/Sdk/system-images/android-19/default/armeabi-v7a//ramdisk.img
    emulator: Using initial system image: /home/fly2016/Android/Sdk/system-images/android-19/default/armeabi-v7a//system.img
    emulator: autoconfig: -initdata /home/fly2016/.android/avd/Debug_Kernel.avd/userdata.img
    emulator: autoconfig: -cache /home/fly2016/.android/avd/Debug_Kernel.avd/cache.img
    emulator: autoconfig: -sdcard /home/fly2016/.android/avd/Debug_Kernel.avd/sdcard.img
    emulator: Physical RAM size: 1536MB
    
    emulator: VM heap size 64MB is below hardware specified minimum of 384MB,setting it to that value
    emulator: System image is read only
    emulator: GPU emulation enabled using 'mesa' mode
    emulator: Found 1 DNS servers: 192.168.170.2
    emulator: trying to load skin file '/opt/android-studio/plugins/android/lib/device-art-resources//nexus_5/layout'
    emulator: Found 1 DNS servers: 192.168.170.2
    emulator: WARNING: Classic qemu does not support SMP. The hw.cpu.ncore option from your config file is ignored.
    Content of hardware configuration file:
      hw.cpu.arch = arm
      hw.cpu.model = cortex-a8
      hw.cpu.ncore = 2
      hw.ramSize = 1536
      hw.screen = touch
      hw.mainKeys = false
      hw.trackBall = false
      hw.keyboard = true
      hw.keyboard.lid = false
      hw.keyboard.charmap = qwerty2
      hw.dPad = false
      hw.gsmModem = true
      hw.gps = true
      hw.battery = true
      hw.accelerometer = true
      hw.audioInput = true
      hw.audioOutput = true
      hw.sdCard = true
      hw.sdCard.path = /home/fly2016/.android/avd/Debug_Kernel.avd/sdcard.img
      disk.cachePartition = true
      disk.cachePartition.path = /home/fly2016/.android/avd/Debug_Kernel.avd/cache.img
      disk.cachePartition.size = 66m
      hw.lcd.width = 1080
      hw.lcd.height = 1920
      hw.lcd.depth = 16
      hw.lcd.density = 480
      hw.lcd.backlight = true
      hw.gpu.enabled = true
      hw.gpu.mode = mesa
      hw.gpu.blacklisted = no
      hw.initialOrientation = portrait
      hw.camera.back = none
      hw.camera.front = none
      vm.heapSize = 384
      hw.sensors.light = true
      hw.sensors.pressure = true
      hw.sensors.humidity = true
      hw.sensors.proximity = true
      hw.sensors.magnetic_field = true
      hw.sensors.orientation = true
      hw.sensors.temperature = true
      hw.useext4 = true
      kernel.path = ./arch/arm/boot/zImage
      kernel.newDeviceNaming = no
      kernel.supportsYaffs2 = yes
      disk.ramdisk.path = /home/fly2016/Android/Sdk/system-images/android-19/default/armeabi-v7a//ramdisk.img
      disk.systemPartition.initPath = /home/fly2016/Android/Sdk/system-images/android-19/default/armeabi-v7a//system.img
      disk.systemPartition.size = 550m
      disk.dataPartition.path = /home/fly2016/.android/avd/Debug_Kernel.avd/userdata-qemu.img
      disk.dataPartition.initPath = /home/fly2016/.android/avd/Debug_Kernel.avd/userdata.img
      disk.dataPartition.size = 550m
      avd.name = Debug_Kernel
    .
    emulator: WARNING: CPU acceleration only works with x86/x86_64 system images.
    QEMU options list:
    emulator: argv[00] = "/home/fly2016/Android/Sdk/tools/emulator64-arm"
    emulator: argv[01] = "-netfast"
    emulator: argv[02] = "-dns-server"
    emulator: argv[03] = "192.168.170.2"
    emulator: argv[04] = "-serial"
    emulator: argv[05] = "android-kmsg"
    emulator: argv[06] = "-serial"
    emulator: argv[07] = "null"
    emulator: argv[08] = "-android-hw"
    emulator: argv[09] = "/home/fly2016/.android/avd/Debug_Kernel.avd/hardware-qemu.ini"
    emulator: argv[10] = "-s"
    emulator: argv[11] = "-S"
    emulator: argv[12] = "-append"
    emulator: argv[13] = "qemu=1 androidboot.hardware=goldfish console=ttyS0 android.qemud=1 android.checkjni=1 qemu.gles=1"
    Concatenated QEMU options:
     /home/fly2016/Android/Sdk/tools/emulator64-arm -netfast -dns-server 192.168.170.2 -serial android-kmsg -serial null -android-hw /home/fly2016/.android/avd/Debug_Kernel.avd/hardware-qemu.ini -s -S -append 'qemu=1 androidboot.hardware=goldfish console=ttyS0 android.qemud=1 android.checkjni=1 qemu.gles=1'
    emulator: Starting QEMU main loop
    emulator: registered 'boot-properties' qemud service
    emulator: Using kernel serial device prefix: ttyS
    emulator: AVD Name: Debug_Kernel
    emulator: Ramdisk image contains fstab.goldfish file
    emulator: Found format of system partition: 'ext4'
    emulator: Found format of userdata partition: 'ext4'
    emulator: Found format of cache partition: 'ext4'
    emulator: system partition format: ext4
    emulator: nand_add_dev: system,size=0x22600000,file=/home/fly2016/Android/Sdk/system-images/android-19/default/armeabi-v7a//system.img,pagesize=512,extrasize=0,readonly
    emulator: userdata partition format: ext4
    emulator: nand_add_dev: userdata,size=0x22600000,file=/home/fly2016/.android/avd/Debug_Kernel.avd/userdata-qemu.img,pagesize=512,extrasize=0
    emulator: cache partition format: ext4
    emulator: Creating empty cache partition image at: /home/fly2016/.android/avd/Debug_Kernel.avd/cache.img
    Creating filesystem with parameters:
        Size: 69206016
        Block size: 4096
        Blocks per group: 32768
        Inodes per group: 4224
        Inode size: 256
        Journal blocks: 1024
        Label: 
        Blocks: 16896
        Block groups: 1
        Reserved block group size: 7
    Created filesystem with 11/4224 inodes and 1302/16896 blocks
    emulator: nand_add_dev: cache,size=0x4200000,file=/home/fly2016/.android/avd/Debug_Kernel.avd/cache.img,pagesize=512,extrasize=0
    emulator: Adding boot property: 'dalvik.vm.heapsize' = '384m'
    emulator: Adding boot property: 'qemu.sf.lcd_density' = '480'
    emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
    emulator: Adding boot property: 'qemu.sf.fake_camera' = 'none'
    emulator: Found 1 DNS servers: 192.168.170.2
    emulator: Adding boot property: 'ro.opengles.version' = '131072'
    emulator: Initializing hardware OpenGLES emulation support
    emulator: Kernel parameters: qemu=1 androidboot.hardware=goldfish console=ttyS0 android.qemud=1 android.checkjni=1 qemu.gles=1
    emulator: ro.adb.qemud invalid or not found, API >= 16, defaulting ro.adb.qemud = 0
    emulator: (setup_console_and_adb_ports) trying console port 5554, adb port 5555 (legacy: true)
    emulator: (android_console_start) initializing on port 5554
    bind: Transport endpoint is not connected
    emulator: (setup_console_and_adb_ports) trying console port 5556, adb port 5557 (legacy: true)
    emulator: (android_console_start) initializing on port 5556
    emulator: control console listening on port 5556, ADB on port 5557
    emulator: sent '0012host:emulator:5557' to ADB server
    emulator: Listening for console connections on port: 5556
    emulator: Serial number of this emulator (for ADB): emulator-5556
    emulator: android_hw_fingerprint_init: fingerprint qemud listen service initialized
    
    emulator: Skipping metrics reporting: No user opt-in.

    Android模拟器 emulator  命令的使用帮助说明如下,上面Android模拟器的各个启动参数的意思,可以参考下面命令帮助。

    $ emulator -help
    sh: 1: glxinfo: not found
    Android Emulator usage: emulator [options] [-qemu args]
      options:
        -list-avds                     list available AVDs
        -sysdir <dir>                  search for system disk images in <dir>
        -system <file>                 read initial system image from <file>
        -writable-system               make system image writable after 'adb remount'
        -datadir <dir>                 write user data into <dir>
        -kernel <file>                 use specific emulated kernel
        -ramdisk <file>                ramdisk image (default <system>/ramdisk.img
        -image <file>                  obsolete, use -system <file> instead
        -initdata <file>               same as '-init-data <file>'
        -data <file>                   data image (default <datadir>/userdata-qemu.img
        -partition-size <size>         system/data partition size in MBs
        -cache <file>                  cache partition image (default is temporary file)
        -cache-size <size>             cache partition size in MBs
        -no-cache                      disable the cache partition
        -nocache                       same as -no-cache
        -sdcard <file>                 SD card image (default <datadir>/sdcard.img
        -snapstorage <file>            file that contains all state snapshots (default <datadir>/snapshots.img)
        -no-snapstorage                do not mount a snapshot storage file (this disables all snapshot functionality)
        -snapshot <name>               name of snapshot within storage file for auto-start and auto-save (default 'default-boot')
        -no-snapshot                   perform a full boot and do not do not auto-save, but qemu vmload and vmsave operate on snapstorage
        -no-snapshot-save              do not auto-save to snapshot on exit: abandon changed state
        -no-snapshot-load              do not auto-start from snapshot: perform a full boot
        -snapshot-list                 show a list of available snapshots
        -no-snapshot-update-time       do not do try to correct snapshot time on restore
        -wipe-data                     reset the user data image (copy it from initdata)
        -avd <name>                    use a specific android virtual device
        -skindir <dir>                 search skins in <dir> (default <system>/skins)
        -skin <name>                   select a given skin
        -no-skin                       deprecated: create an AVD with no skin instead
        -noskin                        same as -no-skin
        -memory <size>                 physical RAM size in MBs
        -accel <mode>                  Configure emulation acceleration
        -no-accel                      Same as '-accel off'
        -ranchu                        Use new emulator backend instead of the classic one
        -engine <engine>               Select engine. auto|classic|qemu2
        -netspeed <speed>              maximum network download/upload speeds
        -netdelay <delay>              network latency emulation
        -netfast                       disable network shaping
        -code-profile <name>           enable code profiling
        -show-kernel                   display kernel messages
        -shell                         enable root shell on current terminal
        -no-jni                        disable JNI checks in the Dalvik runtime
        -nojni                         same as -no-jni
        -logcat <tags>                 enable logcat output with given tags
        -use-system-libs               Use system libstdc++ instead of bundled one
        -no-audio                      disable audio support
        -noaudio                       same as -no-audio
        -audio <backend>               use specific audio backend
        -raw-keys                      disable Unicode keyboard reverse-mapping (deprecated)
        -radio <device>                redirect radio modem interface to character device
        -port <port>                   TCP port that will be used for the console
        -ports <consoleport>,<adbport> TCP ports used for the console and adb bridge
        -onion <image>                 use overlay PNG image over screen
        -onion-alpha <%age>            specify onion-skin translucency
        -onion-rotation 0|1|2|3        specify onion-skin rotation
        -dpi-device <dpi>              specify device's resolution in dpi (default 165)
        -scale <scale>                 scale emulator window (deprecated)
        -http-proxy <proxy>            make TCP connections through a HTTP/HTTPS proxy
        -timezone <timezone>           use this timezone instead of the host's default
        -dns-server <servers>          use this DNS server(s) in the emulated system
        -cpu-delay <cpudelay>          throttle CPU emulation
        -no-boot-anim                  disable animation for faster boot
        -no-window                     disable graphical window display
        -version                       display emulator version number
        -report-console <socket>       report console port to remote socket
        -gps <device>                  redirect NMEA GPS to character device
        -keyset <name>                 specify keyset file name
        -shell-serial <device>         specific character device for root shell
        -tcpdump <file>                capture network packets to file
        -bootchart <timeout>           enable bootcharting
        -charmap <file>                use specific key character map
        -prop <name>=<value>           set system property on boot
        -shared-net-id <number>        join the shared network, using IP address 10.1.2.<number>
        -nand-limits <nlimits>         enforce NAND/Flash read/write thresholds
        -gpu <mode>                    set hardware OpenGLES emulation mode
        -camera-back <mode>            set emulation mode for a camera facing back
        -camera-front <mode>           set emulation mode for a camera facing front
        -webcam-list                   lists web cameras available for emulation
        -screen <mode>                 set emulated screen mode
        -force-32bit                   always use 32-bit emulator
        -selinux <disabled|permissive> Set SELinux to either disabled or permissive mode
        -unix-pipe <path>              Add <path> to the list of allowed Unix pipes
        -fixed-scale                   Use fixed 1:1 scale for the initial emulator window.
    
         -qemu args...                 pass arguments to qemu
         -qemu -h                      display qemu help
    
         -verbose                      same as '-debug-init'
         -debug <tags>                 enable/disable debug messages
         -debug-<tag>                  enable specific debug messages
         -debug-no-<tag>               disable specific debug messages
    
         -help                         print this help
         -help-<option>                print option-specific help
    
         -help-disk-images             about disk images
         -help-keys                    supported key bindings
         -help-debug-tags              debug tags for -debug <tags>
         -help-char-devices            character <device> specification
         -help-environment             environment variables
         -help-keyset-file             key bindings configuration file
         -help-virtual-device          virtual device management
         -help-sdk-images              about disk images when using the SDK
         -help-build-images            about disk images when building Android
         -help-all                     prints all help content

    其实Android模拟器 emulator 就是 基于qemu虚拟机 开发的,因此Android模拟器 emulator 在运行的时候也支持qemu虚拟机的命令,在上面以 调试模式启动 Android虚拟机 Debug_Kernel 时使用的启动选项 -qemu -s -S的作用,可以参考命令行的帮助,如下图:



    Android模拟器 emulator 使用qemu虚拟机命令行参数 的详细帮助参考如下:

    fly2016@ubuntu:~$ emulator -qemu -h
    sh: 1: glxinfo: not found
    QEMU emulator version 2.2.0 , Copyright (c) 2003-2008 Fabrice Bellard
    usage: qemu-system-i386 [options] [disk_image]
    
    'disk_image' is a raw hard disk image for IDE hard disk 0
    
    Standard options:
    -h or -help     display this help and exit
    -version        display version information and exit
    -machine [type=]name[,prop[=value][,...]]
                    selects emulated machine ('-machine help' for list)
                    property accel=accel1[:accel2[:...]] selects accelerator
                    supported accelerators are kvm, xen, tcg (default: tcg)
                    kernel_irqchip=on|off controls accelerated irqchip support
                    vmport=on|off|auto controls emulation of vmport (default: auto)
                    kvm_shadow_mem=size of KVM shadow MMU
                    dump-guest-core=on|off include guest memory in a core dump (default=on)
                    mem-merge=on|off controls memory merge support (default: on)
                    iommu=on|off controls emulated Intel IOMMU (VT-d) support (default=off)
    -cpu cpu        select CPU ('-cpu help' for list)
    -smp [cpus=]n[,maxcpus=cpus][,cores=cores][,threads=threads][,sockets=sockets]
                    set the number of CPUs to 'n' [default=1]
                    maxcpus= maximum number of total cpus, including
                    offline CPUs for hotplug, etc
                    cores= number of CPU cores on one socket
                    threads= number of threads on one CPU core
                    sockets= number of discrete sockets in the system
    -numa node[,mem=size][,cpus=cpu[-cpu]][,nodeid=node]
    -numa node[,memdev=id][,cpus=cpu[-cpu]][,nodeid=node]
    -add-fd fd=fd,set=set[,opaque=opaque]
                    Add 'fd' to fd 'set'
    -set group.id.arg=value
                    set <arg> parameter for item <id> of type <group>
                    i.e. -set drive.$id.file=/path/to/image
    -global driver.prop=value
                    set a global default for a driver property
    -boot [order=drives][,once=drives][,menu=on|off]
          [,splash=sp_name][,splash-time=sp_time][,reboot-timeout=rb_time][,strict=on|off]
                    'drives': floppy (a), hard disk (c), CD-ROM (d), network (n)
                    'sp_name': the file's name that would be passed to bios as logo picture, if menu=on
                    'sp_time': the period that splash picture last if menu=on, unit is ms
                    'rb_timeout': the timeout before guest reboot when boot failed, unit is ms
    -m[emory] [size=]megs[,slots=n,maxmem=size]
                    configure guest RAM
                    size: initial amount of guest memory (default: 128MiB)
                    slots: number of hotplug slots (default: none)
                    maxmem: maximum amount of guest memory (default: none)
    NOTE: Some architectures might enforce a specific granularity
    -mem-path FILE  provide backing storage for guest RAM
    -mem-prealloc   preallocate guest memory (use with -mem-path)
    -k language     use keyboard layout (for example 'fr' for French)
    -audio-help     print list of audio drivers and their options
    -soundhw c1,... enable audio support
                    and only specified sound cards (comma separated list)
                    use '-soundhw help' to get the list of supported cards
                    use '-soundhw all' to enable all of them
    -balloon none   disable balloon device
    -balloon virtio[,addr=str]
                    enable virtio balloon device (default)
    -device driver[,prop[=value][,...]]
                    add device (based on driver)
                    prop=value,... sets driver properties
                    use '-device help' to print all possible drivers
                    use '-device driver,help' to print all possible properties
    -name string1[,process=string2][,debug-threads=on|off]
                    set the name of the guest
                    string1 sets the window title and string2 the process name (on Linux)
                    When debug-threads is enabled, individual threads are given a separate name (on Linux)
                    NOTE: The thread names are for debugging and not a stable API.
    -uuid %08x-%04x-%04x-%04x-%012x
                    specify machine UUID
    
    Block device options:
    -fda/-fdb file  use 'file' as floppy disk 0/1 image
    -hda/-hdb file  use 'file' as IDE hard disk 0/1 image
    -hdc/-hdd file  use 'file' as IDE hard disk 2/3 image
    -cdrom file     use 'file' as IDE cdrom image (cdrom is ide1 master)
    -drive [file=file][,if=type][,bus=n][,unit=m][,media=d][,index=i]
           [,cyls=c,heads=h,secs=s[,trans=t]][,snapshot=on|off]
           [,cache=writethrough|writeback|none|directsync|unsafe][,format=f]
           [,serial=s][,addr=A][,rerror=ignore|stop|report]
           [,werror=ignore|stop|report|enospc][,id=name][,aio=threads|native]
           [,readonly=on|off][,copy-on-read=on|off]
           [,discard=ignore|unmap][,detect-zeroes=on|off|unmap]
           [[,bps=b]|[[,bps_rd=r][,bps_wr=w]]]
           [[,iops=i]|[[,iops_rd=r][,iops_wr=w]]]
           [[,bps_max=bm]|[[,bps_rd_max=rm][,bps_wr_max=wm]]]
           [[,iops_max=im]|[[,iops_rd_max=irm][,iops_wr_max=iwm]]]
           [[,iops_size=is]]
                    use 'file' as a drive image
    -mtdblock file  use 'file' as on-board Flash memory image
    -sd file        use 'file' as SecureDigital card image
    -pflash file    use 'file' as a parallel flash image
    -snapshot       write to temporary files instead of disk image files
    -hdachs c,h,s[,t]
                    force hard disk 0 physical geometry and the optional BIOS
                    translation (t=none or lba) (usually QEMU can guess them)
    -fsdev fsdriver,id=id[,path=path,][security_model={mapped-xattr|mapped-file|passthrough|none}]
     [,writeout=immediate][,readonly][,socket=socket|sock_fd=sock_fd]
    -virtfs local,path=path,mount_tag=tag,security_model=[mapped-xattr|mapped-file|passthrough|none]
            [,writeout=immediate][,readonly][,socket=socket|sock_fd=sock_fd]
    -virtfs_synth Create synthetic file system image
    
    USB options:
    -usb            enable the USB driver (will be the default soon)
    -usbdevice name add the host or guest USB device 'name'
    
    Display options:
    -display sdl[,frame=on|off][,alt_grab=on|off][,ctrl_grab=on|off]
                [,window_close=on|off]|curses|none|
                gtk[,grab_on_hover=on|off]|
                vnc=<display>[,<optargs>]
                    select display type
    -nographic      disable graphical output and redirect serial I/Os to console
    -curses         use a curses/ncurses interface instead of SDL
    -no-frame       open SDL window without a frame and window decorations
    -alt-grab       use Ctrl-Alt-Shift to grab mouse (instead of Ctrl-Alt)
    -ctrl-grab      use Right-Ctrl to grab mouse (instead of Ctrl-Alt)
    -no-quit        disable SDL window close capability
    -sdl            enable SDL
    -spice [port=port][,tls-port=secured-port][,x509-dir=<dir>]
           [,x509-key-file=<file>][,x509-key-password=<file>]
           [,x509-cert-file=<file>][,x509-cacert-file=<file>]
           [,x509-dh-key-file=<file>][,addr=addr][,ipv4|ipv6]
           [,tls-ciphers=<list>]
           [,tls-channel=[main|display|cursor|inputs|record|playback]]
           [,plaintext-channel=[main|display|cursor|inputs|record|playback]]
           [,sasl][,password=<secret>][,disable-ticketing]
           [,image-compression=[auto_glz|auto_lz|quic|glz|lz|off]]
           [,jpeg-wan-compression=[auto|never|always]]
           [,zlib-glz-wan-compression=[auto|never|always]]
           [,streaming-video=[off|all|filter]][,disable-copy-paste]
           [,disable-agent-file-xfer][,agent-mouse=[on|off]]
           [,playback-compression=[on|off]][,seamless-migration=[on|off]]
       enable spice
       at least one of {port, tls-port} is mandatory
    -portrait       rotate graphical output 90 deg left (only PXA LCD)
    -rotate <deg>   rotate graphical output some deg left (only PXA LCD)
    -vga [std|cirrus|vmware|qxl|xenfb|tcx|cg3|none]
                    select video card type
    -full-screen    start in full screen
    -vnc display    start a VNC server on display
    
    i386 target only:
    -win2k-hack     use it when installing Windows 2000 to avoid a disk full bug
    -no-fd-bootchk  disable boot signature checking for floppy disks
    -no-acpi        disable ACPI
    -no-hpet        disable HPET
    -acpitable [sig=str][,rev=n][,oem_id=str][,oem_table_id=str][,oem_rev=n][,asl_compiler_id=str][,asl_compiler_rev=n][,{data|file}=file1[:file2]...]
                    ACPI table description
    -smbios file=binary
                    load SMBIOS entry from binary file
    -smbios type=0[,vendor=str][,version=str][,date=str][,release=%d.%d][,uefi=on|off]
                    specify SMBIOS type 0 fields
    -smbios type=1[,manufacturer=str][,product=str][,version=str][,serial=str]
                  [,uuid=uuid][,sku=str][,family=str]
                    specify SMBIOS type 1 fields
    
    Network options:
    -net nic[,vlan=n][,macaddr=mac][,model=type][,name=str][,addr=str][,vectors=v]
                    create a new Network Interface Card and connect it to VLAN 'n'
    -net user[,vlan=n][,name=str][,net=addr[/mask]][,host=addr][,restrict=on|off]
             [,hostname=host][,dhcpstart=addr][,dns=addr][,dnssearch=domain][,tftp=dir]
             [,bootfile=f][,hostfwd=rule][,guestfwd=rule][,smb=dir[,smbserver=addr]]
                    connect the user mode network stack to VLAN 'n', configure its
                    DHCP server and enabled optional services
    -net tap[,vlan=n][,name=str][,fd=h][,fds=x:y:...:z][,ifname=name][,script=file][,downscript=dfile][,helper=helper][,sndbuf=nbytes][,vnet_hdr=on|off][,vhost=on|off][,vhostfd=h][,vhostfds=x:y:...:z][,vhostforce=on|off][,queues=n]
                    connect the host TAP network interface to VLAN 'n'
                    use network scripts 'file' (default=/etc/qemu-ifup)
                    to configure it and 'dfile' (default=/etc/qemu-ifdown)
                    to deconfigure it
                    use '[down]script=no' to disable script execution
                    use network helper 'helper' (default=/opt2/digit/repo/studio-dev/prebuilts/android-emulator-build/qemu-android-deps/linux-x86_64/libexec/qemu-bridge-helper) to
                    configure it
                    use 'fd=h' to connect to an already opened TAP interface
                    use 'fds=x:y:...:z' to connect to already opened multiqueue capable TAP interfaces
                    use 'sndbuf=nbytes' to limit the size of the send buffer (the
                    default is disabled 'sndbuf=0' to enable flow control set 'sndbuf=1048576')
                    use vnet_hdr=off to avoid enabling the IFF_VNET_HDR tap flag
                    use vnet_hdr=on to make the lack of IFF_VNET_HDR support an error condition
                    use vhost=on to enable experimental in kernel accelerator
                        (only has effect for virtio guests which use MSIX)
                    use vhostforce=on to force vhost on for non-MSIX virtio guests
                    use 'vhostfd=h' to connect to an already opened vhost net device
                    use 'vhostfds=x:y:...:z to connect to multiple already opened vhost net devices
                    use 'queues=n' to specify the number of queues to be created for multiqueue TAP
    -net bridge[,vlan=n][,name=str][,br=bridge][,helper=helper]
                    connects a host TAP network interface to a host bridge device 'br'
                    (default=br0) using the program 'helper'
                    (default=/opt2/digit/repo/studio-dev/prebuilts/android-emulator-build/qemu-android-deps/linux-x86_64/libexec/qemu-bridge-helper)
    -net l2tpv3[,vlan=n][,name=str],src=srcaddr,dst=dstaddr[,srcport=srcport][,dstport=dstport],txsession=txsession[,rxsession=rxsession][,ipv6=on/off][,udp=on/off][,cookie64=on/off][,counter][,pincounter][,txcookie=txcookie][,rxcookie=rxcookie][,offset=offset]
                    connect the VLAN to an Ethernet over L2TPv3 pseudowire
                    Linux kernel 3.3+ as well as most routers can talk
                    L2TPv3. This transport allows connecting a VM to a VM,
                    VM to a router and even VM to Host. It is a nearly-universal
                    standard (RFC3391). Note - this implementation uses static
                    pre-configured tunnels (same as the Linux kernel).
                    use 'src=' to specify source address
                    use 'dst=' to specify destination address
                    use 'udp=on' to specify udp encapsulation
                    use 'srcport=' to specify source udp port
                    use 'dstport=' to specify destination udp port
                    use 'ipv6=on' to force v6
                    L2TPv3 uses cookies to prevent misconfiguration as
                    well as a weak security measure
                    use 'rxcookie=0x012345678' to specify a rxcookie
                    use 'txcookie=0x012345678' to specify a txcookie
                    use 'cookie64=on' to set cookie size to 64 bit, otherwise 32
                    use 'counter=off' to force a 'cut-down' L2TPv3 with no counter
                    use 'pincounter=on' to work around broken counter handling in peer
                    use 'offset=X' to add an extra offset between header and data
    -net socket[,vlan=n][,name=str][,fd=h][,listen=[host]:port][,connect=host:port]
                    connect the vlan 'n' to another VLAN using a socket connection
    -net socket[,vlan=n][,name=str][,fd=h][,mcast=maddr:port[,localaddr=addr]]
                    connect the vlan 'n' to multicast maddr and port
                    use 'localaddr=addr' to specify the host address to send packets from
    -net socket[,vlan=n][,name=str][,fd=h][,udp=host:port][,localaddr=host:port]
                    connect the vlan 'n' to another VLAN using an UDP tunnel
    -net dump[,vlan=n][,file=f][,len=n]
                    dump traffic on vlan 'n' to file 'f' (max n bytes per packet)
    -net none       use it alone to have zero network devices. If no -net option
                    is provided, the default is '-net nic -net user'
    -netdev [user|tap|bridge|vhost-user|socket|hubport],id=str[,option][,option][,...]
    
    Character device options:
    -chardev null,id=id[,mux=on|off]
    -chardev socket,id=id[,host=host],port=port[,to=to][,ipv4][,ipv6][,nodelay][,reconnect=seconds]
             [,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off] (tcp)
    -chardev socket,id=id,path=path[,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off] (unix)
    -chardev udp,id=id[,host=host],port=port[,localaddr=localaddr]
             [,localport=localport][,ipv4][,ipv6][,mux=on|off]
    -chardev msmouse,id=id[,mux=on|off]
    -chardev vc,id=id[[,width=width][,height=height]][[,cols=cols][,rows=rows]]
             [,mux=on|off]
    -chardev ringbuf,id=id[,size=size]
    -chardev file,id=id,path=path[,mux=on|off]
    -chardev pipe,id=id,path=path[,mux=on|off]
    -chardev pty,id=id[,mux=on|off]
    -chardev stdio,id=id[,mux=on|off][,signal=on|off]
    -chardev serial,id=id,path=path[,mux=on|off]
    -chardev tty,id=id,path=path[,mux=on|off]
    -chardev parallel,id=id,path=path[,mux=on|off]
    -chardev parport,id=id,path=path[,mux=on|off]
    
    Device URL Syntax:
    -iscsi [user=user][,password=password]
           [,header-digest=CRC32C|CR32C-NONE|NONE-CRC32C|NONE
           [,initiator-name=initiator-iqn][,id=target-iqn]
                    iSCSI session parameters
    Bluetooth(R) options:
    -bt hci,null    dumb bluetooth HCI - doesn't respond to commands
    -bt hci,host[:id]
                    use host's HCI with the given name
    -bt hci[,vlan=n]
                    emulate a standard HCI in virtual scatternet 'n'
    -bt vhci[,vlan=n]
                    add host computer to virtual scatternet 'n' using VHCI
    -bt device:dev[,vlan=n]
                    emulate a bluetooth device 'dev' in scatternet 'n'
    
    TPM device options:
    -tpmdev passthrough,id=id[,path=path][,cancel-path=path]
                    use path to provide path to a character device; default is /dev/tpm0
                    use cancel-path to provide path to TPM's cancel sysfs entry; if
                    not provided it will be searched for in /sys/class/misc/tpm?/device
    
    Linux/Multiboot boot specific:
    -kernel bzImage use 'bzImage' as kernel image
    -append cmdline use 'cmdline' as kernel command line
    -initrd file    use 'file' as initial ram disk
    -dtb    file    use 'file' as device tree image
    
    Debug/Expert options:
    -serial dev     redirect the serial port to char device 'dev'
    -parallel dev   redirect the parallel port to char device 'dev'
    -monitor dev    redirect the monitor to char device 'dev'
    -qmp dev        like -monitor but opens in 'control' mode
    -mon [chardev=]name[,mode=readline|control][,default]
    -debugcon dev   redirect the debug console to char device 'dev'
    -pidfile file   write PID to 'file'
    -singlestep     always run in singlestep mode
    -S              freeze CPU at startup (use 'c' to start execution)
    -realtime [mlock=on|off]
                    run qemu with realtime features
                    mlock=on|off controls mlock support (default: on)
    -gdb dev        wait for gdb connection on 'dev'
    -s              shorthand for -gdb tcp::1234
    -d item1,...    enable logging of specified items (use '-d help' for a list of log items)
    -D logfile      output log to logfile (default stderr)
    -L path         set the directory for the BIOS, VGA BIOS and keymaps
    -bios file      set the filename for the BIOS
    -enable-kvm     enable KVM full virtualization support
    -enable-hax     enable HAX virtualization support
    -xen-domid id   specify xen guest domain id
    -xen-create     create domain using xen hypercalls, bypassing xend
                    warning: should not be used when xend is in use
    -xen-attach     attach to existing xen domain
                    xend will use this when starting QEMU
    -no-reboot      exit instead of rebooting
    -no-shutdown    stop before shutdown
    -loadvm [tag|id]
                    start right away with a saved state (loadvm in monitor)
    -daemonize      daemonize QEMU after initializing
    -option-rom rom load a file, rom, into the option ROM space
    -rtc [base=utc|localtime|date][,clock=host|rt|vm][,driftfix=none|slew]
                    set the RTC base and clock, enable drift fix for clock ticks (x86 only)
    -icount [shift=N|auto][,align=on|off]
                    enable virtual instruction counter with 2^N clock ticks per
                    instruction and enable aligning the host and virtual clocks
    -watchdog i6300esb|ib700
                    enable virtual hardware watchdog [default=none]
    -watchdog-action reset|shutdown|poweroff|pause|debug|none
                    action when watchdog fires [default=reset]
    -echr chr       set terminal escape character instead of ctrl-a
    -virtioconsole c
                    set virtio console
    -show-cursor    show cursor
    -tb-size n      set TB size
    -incoming p     prepare for incoming migration, listen on port p
    -nodefaults     don't create default devices
    -chroot dir     chroot to dir just before starting the VM
    -runas user     change to user id user just before starting the VM
    -sandbox <arg>  Enable seccomp mode 2 system call filter (default 'off').
    -readconfig <file>
    -writeconfig <file>
                    read/write config file
    -nodefconfig
                    do not load default config files at startup
    -no-user-config
                    do not load user-provided config files at startup
    -trace [events=<file>][,file=<file>]
                    specify tracing options
    -enable-fips    enable FIPS 140-2 compliance
    -object TYPENAME[,PROP1=VALUE1,...]
                    create an new object of type TYPENAME setting properties
                    in the order they are specified.  Note that the 'id'
                    property must be set.  These objects are placed in the
                    '/objects' path.
    -msg timestamp[=on|off]
                    change the format of messages
                    on|off controls leading timestamps (default:on)
    -dump-vmstate <file>
                    Output vmstate information in JSON format to file.
                    Use the scripts/vmstate-static-checker.py file to
                    check for possible regressions in migration code
                    by comparing two such vmstate dumps.
    -netspeed <speed> maximum network download/upload speeds
    -netdelay <delay> network latency emulation
    -netfast disable network shaping
    -boot-property <name>=<value> set system property on boot
    -lcd-density density
                    select lcd display density value (default is 160)
    -android-ports <consoleport>,<adbport> TCP ports used for the emulator instance and adb bridge
    -android-report-console <socket> report console port to remote socket
    -http-proxy <proxy> make TCP connections through a HTTP/HTTPS proxy
    -dns-server <servers> use this DNS server(s) in the emulated system
    -list-webcam    list web cameras available for emulation
    -android-hw <file>
                    specify the hw config ini file location
    
    During emulation, the following keys are useful:
    ctrl-alt-f      toggle full screen
    ctrl-alt-n      switch to virtual console 'n'
    ctrl-alt        toggle mouse and keyboard grab
    
    When using -nographic, press 'ctrl-a h' to get some help.
    Android模拟器 Debug_Kernel 暂停运行,等待 gdb 连接调试。gdb 使用前面编译Android内核时下载的交叉编译工具链 arm-eabi-4.7 提供的 arm-eabi-gdb 。Android4.4.4r1的源码和Android NDK都提供了 gdb 工具,也可以使用他们提供的。为了方面起见,将 arm-eabi-gdb 工具的文件路径添加到ubuntu系统的环境变量中,如下所示:

    # 编辑环境变量配置文件  
    $ sudo gedit /etc/profile    
      
    # 添加到环境变量配置文件/etc/profile中的内容  
    export ANDROID_TOOLCHAIN=/home/fly2016/Android4.4.4r1/goldfish-kernel-3.4/goldfish/arm-eabi-4.7
    export PATH=$PATH:${ANDROID_TOOLCHAIN}/bin/
    
    # 更新系统环境变量  
    $ source /etc/profile   
    
    # 测试是否配置成功
    $ arm-eabi-gdb
    OK,arm-eabi-gdb 工具的问题解决了,下面在Android内核源码的根目录下,执行下面的命令进行Android内核的源码调试:

    # 在Android内核源码的根目录下执行
     
    # 加载内核符号信息 
    $ arm-eabi-gdb vmlinux  
    
    # 连接远端的调试器
    $ target remote :1234 
    
    # 测试命令
    $ list
    
    $ n
    前面在 配置config选项 时,设置 CONFIG_DEBUG_INFO=y,因此加载 vmlinux 后包含了内核符号信息,在 gdb 中可以进行源码级调试,执行结果如下图:



    五、gdb的使用帮助

    有关 gdb 的使用帮助可以参考文档 《GDBCheatSheet.pdf》,也可以参考 gdb 的命令帮助。《GNU GDB Debugger Command Cheat Sheet》也不错,资料比较详细,也可以好好参考和学习一下。

    GDBCheatSheet 的具体内容见下图所示:




    gdb 工具的命令使用帮助如下:

    $ arm-eabi-gdb --help
    This is the GNU debugger.  Usage:
    
        gdb [options] [executable-file [core-file or process-id]]
        gdb [options] --args executable-file [inferior-arguments ...]
    
    Options:
    
      --args             Arguments after executable-file are passed to inferior
      -b BAUDRATE        Set serial port baud rate used for remote debugging.
      --batch            Exit after processing options.
      --batch-silent     As for --batch, but suppress all gdb stdout output.
      --return-child-result
                         GDB exit code will be the child's exit code.
      --cd=DIR           Change current directory to DIR.
      --command=FILE, -x Execute GDB commands from FILE.
      --eval-command=COMMAND, -ex
                         Execute a single GDB command.
                         May be used multiple times and in conjunction
                         with --command.
      --core=COREFILE    Analyze the core dump COREFILE.
      --pid=PID          Attach to running process PID.
      --dbx              DBX compatibility mode.
      --directory=DIR    Search for source files in DIR.
      --epoch            Output information used by epoch emacs-GDB interface.
      --exec=EXECFILE    Use EXECFILE as the executable.
      --fullname         Output information used by emacs-GDB interface.
      --help             Print this message.
      --interpreter=INTERP
                         Select a specific interpreter / user interface
      -l TIMEOUT         Set timeout in seconds for remote debugging.
      --nw		     Do not use a window interface.
      --nx               Do not read .gdbinit file.
      --quiet            Do not print version number on startup.
      --readnow          Fully read symbol files on first access.
      --se=FILE          Use FILE as symbol file and executable file.
      --symbols=SYMFILE  Read symbols from SYMFILE.
      --tty=TTY          Use TTY for input/output by the program being debugged.
      --tui              Use a terminal user interface.
      --version          Print version information and then exit.
      -w                 Use a window interface.
      --write            Set writing into executable and core files.
      --xdb              XDB compatibility mode.
      --disable-gdb-index
                         Disable the use of the .gdb_index section.
    
    At startup, GDB reads the following init files and executes their commands:
    
    For more information, type "help" from within GDB, or consult the
    GDB manual (available as on-line info or a printed manual).
    Report bugs to "<http://source.android.com/source/report-bugs.html>".


    参考文档

    Android内核编译调试
    android 内核调试

    Android Linux内核编译调试


    展开全文
  • 已经有一些的文章介绍Android内核了,本系列篇将从Linux内核的角度来分析Android的内核,希望给初学... Android内核是基于Linux 2.6内核的(目前最新开发版本是2.6.31),它是一个增强内核版本,除了修改部分Bug外,它提
  • 改教程主要是针对安卓5.0以上版本的root,root方式为破解boot.img内核文件。 所需工具:1.booting.exe 访问密码 b34a 2.notepad++ 你需要获取boot.img文件,这个文件通常包含在厂商提供的线刷包中,然后将...
  • 2018.11.15 Android设备都基于linux内核,但是这些设备从一开始并没有跑主线内核,因为添加了很多不在主线上的代码,这些主线外...Android内核从主线LTS内核而来,添加了Android指定代码来得到Android Common K...
  • 已经有一些的文章介绍Android内核了,本系列篇将从Linux内核的角度来分析Android的内核,希望给初学者提够...Android内核是基于Linux 2.6内核的(目前最新开发版本是2.6.31),它是一个增强内核版本,除了修改部分...
  • 如果我们仅仅对Android内核感兴趣,我们可以选择合适的Android内核下载并编译。 可供选择的内核源码有很多版本: [plain] view plaincopy $ git clone ...
  •  Android内核是基于Linux 2.6内核的(目前最新开发版本是2.6.31),它是一个增强内核版本,除了修改部分Bug外,它提供了用于支持Android平台的设备驱动,其核心驱动主要包括:  Android
  • Mac编译android内核

    2016-05-06 22:13:28
    一,android内核下载 android内核下载和源码下载是分开的,android内核就是一个git仓库,直接使用git下载,推荐中科大镜像。git clone https://aosp.tuna.tsinghua.edu.cn/kernel/goldfish.git下载之后 运行 git ...
  • 编译Android内核

    2015-08-20 14:11:37
    首先需要知道自己android内核的版本,我们android系统是android 4.0.1,内核版本为2.6.29.由于我们在下载android源代码的时候默认是不带内核源码的,因为他内置了一个编译好的zImage内核镜像,所以,如果要编译内核...
  • 什么是Android内核

    2014-07-14 09:38:14
    1. 什么是Android内核 Android操作系统是基于Linux实现的,然而Android的核心价值却不是Linux,所以说,Android的内核不是指Linux,本书不是一本介绍Linux的书。这就好比苹果的操作系统iOS是基于Unix实现的,然而...
  • 我想很多初学者或许跟我一样,看完Android源码下载相关的文章以后,就开始兴致勃勃地去下载Android源码了,但是下载完了源码后,有没有像我一样产生如下几个困惑呢?(1) Android版本有哪些分支可用?每个分支的TAG...
  • 标 题: 【分享】安卓源码+内核修改编译(修改内核调试标志绕过反调试) 作 者: koflfy 时 间: 2016-10-26,18:05:19 链 接: http://bbs.pediy.com/showthread.php?t=213481 历经两天时间,终于完整的编译完安卓...
  • Android内核和驱动程序

    2010-10-29 20:51:00
    2.1 Android内核特性 Android内核是基于Linux 2.6内核的(目前最新开发版本是2.6.31),它是一个增强内核版本,除了修改部分Bug外,它提供了用于支持Android平台的设备驱动,主要包括:And
  • 1、下载android内核源代码 采用git下载; #mkdir kernel; #cd kernel; #git clone http://andorid.googlesource.com/kernel/goldfish.git; #git branch -a ; // 查看所有分支 #git checkout remotes/origin/...
  •  Android内核 Android内核学习笔记- http://blog.csdn.net/imyfriend/article/details/9946821 0、Android系统启动 《Android系统启动流程 -- bootloader》 《The Android boot process from power on》 ...
1 2 3 4 5 ... 20
收藏数 40,060
精华内容 16,024
关键字:

修改android 内核