此为 Shizuku 的 分支版本。若您需寻找 Rikka 开发的官方 Shizuku,此处并非正确渠道。
请访问 官方仓库
随机化/data/local/tmp/shizuku目录名称自动删除/data/local/tmp/shizuku_starter文件- 在 userdebug ROM 上启用 ADB root 权限
- 支持非 Root 设备自启动
- 支持自定义 ADB TCP/IP 端口
- 按照无线 ADB 配对流程配置 Shizuku
- 在
设置中启用开机启动(无线调试)- 启用前需先授予
WRITE_SECURE_SETTINGS权限(可通过rish或使用电脑通过 ADB 完成 / 在 Shizuku 启动时通过 Manager 自动授权) - 执行以下命令
adb shell pm grant moe.shizuku.privileged.api android.permission.WRITE_SECURE_SETTINGS
- 启用前需先授予
Caution
WRITE_SECURE_SETTINGS 为高危权限,仅建议明确风险后启用。开发者对后续可能产生的后果不承担责任。
Note
服务自动重启功能未经充分测试
When developing apps that requires root, the most common method is to run some commands in the su shell. For example, there is an app that uses the pm enable/disable command to enable/disable components.
This method has very big disadvantages:
- Extremely slow (Multiple process creation)
- Needs to process texts (Super unreliable)
- The possibility is limited to available commands
- Even if ADB has sufficient permissions, the app requires root privileges to run
Shizuku uses a completely different way. See detailed description below.
First, we need to talk about how app use system APIs. For example, if the app wants to get installed apps, we all know we should use PackageManager#getInstalledPackages(). This is actually an interprocess communication (IPC) process of the app process and system server process, just the Android framework did the inner works for us.
Android uses binder to do this type of IPC. Binder allows the server-side to learn the uid and pid of the client-side, so that the system server can check if the app has the permission to do the operation.
Usually, if there is a "manager" (e.g., PackageManager) for apps to use, there should be a "service" (e.g., PackageManagerService) in the system server process. We can simply think if the app holds the binder of the "service", it can communicate with the "service". The app process will receive binders of system services on start.
Shizuku guides users to run a process, Shizuku server, with root or ADB first. When the app starts, the binder to Shizuku server will also be sent to the app.
The most important feature Shizuku provides is something like be a middle man to receive requests from the app, sent them to the system server, and send back the results. You can see the transactRemote method in rikka.shizuku.server.ShizukuService class, and moe.shizuku.api.ShizukuBinderWrapper class for the detail.
So, we reached our goal, to use system APIs with higher permission. And to the app, it is almost identical to the use of system APIs directly.
https://github.com/RikkaApps/Shizuku-API
Existing applications still works, of course.
-
ADB permissions are limited
ADB has limited permissions and different on various system versions. You can see permissions granted to ADB here.
Before calling the API, you can use
ShizukuService#getUidto check if Shizuku is running user ADB, or useShizukuService#checkPermissionto check if the server has sufficient permissions. -
Hidden API limitation from Android 9
As of Android 9, the usage of the hidden APIs is limited for normal apps. Please use other methods (such as https://github.com/LSPosed/AndroidHiddenApiBypass).
-
Android 8.0 & ADB
At present, the way Shizuku service gets the app process is to combine
IActivityManager#registerProcessObserverandIActivityManager#registerUidObserver(26+) to ensure that the app process will be sent when the app starts. However, on API 26, ADB lacks permissions to useregisterUidObserver, so if you need to use Shizuku in a process that might not be started by an Activity, it is recommended to trigger the send binder by starting a transparent activity. -
Direct use of
transactRemoterequires attention-
The API may be different under different Android versions, please be sure to check it carefully. Also, the
android.app.IActivityManagerhas the aidl form in API 26 and later, andandroid.app.IActivityManager$Stubexists only on API 26. -
SystemServiceHelper.getTransactionCodemay not get the correct transaction code, such asandroid.content.pm.IPackageManager$Stub.TRANSACTION_getInstalledPackagesdoes not exist on API 25 and there isandroid.content.pm.IPackageManager$Stub.TRANSACTION_getInstalledPackages_47(this situation has been dealt with, but it is not excluded that there may be other circumstances). This problem is not encountered with theShizukuBinderWrappermethod.
-
- Clone with
git clone --recurse-submodules - Run gradle task
:manager:assembleDebugor:manager:assembleRelease
The :manager:assembleDebug task generates a debuggable server. You can attach a debugger to shizuku_server to debug the server. Be aware that, in Android Studio, "Run/Debug configurations" - "Always install with package manager" should be checked, so that the server will use the latest code.
All code files in this project are licensed under Apache 2.0
Under Apache 2.0 section 6, specifically:
-
You are FORBIDDEN to use
manager/src/main/res/mipmap*/ic_launcher*.pngimage files, unless for displaying Shizuku itself. -
You are FORBIDDEN to use
Shizukuas app name or usemoe.shizuku.privileged.apias application id or declaremoe.shizuku.manager.permission.*permission.