When developing apps that requires root, the most common method is to run some commands in the su shell. For example, there is app uses pm enable/disable
command to enable/disable components.
This method has very big disadvantages:
- Extremely slow (Multiple process creation)
- Needs to process texts (Super unreliable)
- The possibility is limited to available commands
- Even if adb has sufficient permissions, the app requires root privileges to run
Shizuku uses a completely different way. See detailed description below.
First, we need to talk about how app use system APIs. For example, if the app want to get installed apps, we all know we should use PackageManager#getInstalledPackages()
. This is actually an interprocess communication (IPC) process of the app process and system server process, just the Android framework did the inner works for us.
Android uses binder
to do this type of IPC. Binder
allows server side to learn the uid and pid of client side, so that the system server can check if the app has the permission to do the operation.
Usually, if there is a "manager" (e.g., PackageManager
) for apps to use, there should be a "service" (e.g., PackageManagerService
) in the system server process. We can simply think if the app holds the binder
of the "service", it can communicate with the "service". The app process will receive binders of system services on start.
Shizuku guide users to run a process, Shizuku server, with root or adb first. When the app starts, the binder
to Shizuku server will also be sent to the app.
The most important feature Shizuku provides is something like be a middle man to receive requests from the app, sent to the system server, and send back the results. You can see transactRemote
method in moe.shizuku.server.ShizukuService
class, and moe.shizuku.api.ShizukuBinderWrapper
class for the detail.
So that, we reached our goal, use system APIs with higher permission. And to the app, it is almost identical to the use system APIs directly.
Note, something is not mentioned below, please be sure to read the sample.
-
Add dependency
maven { url 'https://dl.bintray.com/rikkaw/Shizuku' }
// replace <latest version> to the version below implementation 'moe.shizuku.privilege:api:<latest version>'
-
Add
ShizukuProvider
Add to your
AndroidManifest.xml
<provider android:name="moe.shizuku.api.ShizukuProvider" android:authorities="${applicationId}.shizuku" android:multiprocess="false" android:enabled="true" android:exported="true" android:permission="android.permission.INTERACT_ACROSS_USERS_FULL" />
-
Request permission
Request
moe.shizuku.manager.permission.API_V23
permission like other runtime permissions. -
Use
See sample.
-
Adb permissions are limited
Adb has limited permissions, and different on various system versions. You can see permissions granted to adb here.
Before calling the API, you can use
ShizukuService#getUid
to check if Shizuku is running user adb, or useShizukuService#checkPermission
to check if server has sufficient permissions. -
Hidden API limitation from Android 9
As of Android 9, the usage of the hidden APIs is limited for normal apps. Please use other methods (such as https://github.com/tiann/FreeReflection).
-
Android 8.0 & adb
At present, the way Shizuku service gets the app process is to combine
IActivityManager#registerProcessObserver
andIActivityManager#registerUidObserver
(26+) to ensure that the app process will be sent when the app starts. However, on API 26, adb lacks permissions to useregisterUidObserver
, so if you need to use Shizuku in a process that might not be started by an Activity, it is recommended to trigger the send binder by starting a transparent activity. -
Direct use of
transactRemote
requires attention-
The API may be different under different Android versions, please be sure to check it carefully. In addition,
android.app.IActivityManager
has the aidl form in API 26 and later, andandroid.app.IActivityManager$Stub
exists only on API 26. -
SystemServiceHelper.getTransactionCode
may not get the correct transaction code, such asandroid.content.pm.IPackageManager$Stub.TRANSACTION_getInstalledPackages
does not exist on API 25 and there isandroid.content.pm.IPackageManager$Stub.TRANSACTION_getInstalledPackages_47
(this situation has been dealt with, but it is not excluded that there may be other circumstances). This problem is not encountered with theShizukuBinderWrapper
method.
-
The :server:assembleDebug
task generates debuggable server. You can attach debugger to shizuku_server
to debug server.
This project is available under the Apache-2.0 license.
-
You are FORBIDDEN to use image files listed below in any way (unless for displaying Shizuku itself).
manager/src/main/res/mipmap-hdpi/ic_launcher.png manager/src/main/res/mipmap-hdpi/ic_launcher_background.png manager/src/main/res/mipmap-hdpi/ic_launcher_foreground.png manager/src/main/res/mipmap-xhdpi/ic_launcher.png manager/src/main/res/mipmap-xhdpi/ic_launcher_background.png manager/src/main/res/mipmap-xhdpi/ic_launcher_foreground.png manager/src/main/res/mipmap-xxhdpi/ic_launcher.png manager/src/main/res/mipmap-xxhdpi/ic_launcher_background.png manager/src/main/res/mipmap-xxhdpi/ic_launcher_foreground.png manager/src/main/res/mipmap-xxxhdpi/ic_launcher.png manager/src/main/res/mipmap-xxxhdpi/ic_launcher_background.png manager/src/main/res/mipmap-xxxhdpi/ic_launcher_foreground.png
-
You are FORBIDDEN to distribute the apk compiled by you (including modified, e.g., rename "Shizuku" to something else) to any store (IBNLT Google Play Store, etc.).