VPS

生成服务端公私钥
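# Install WireGuard and create the server key pair in /etc/wireguard.
apt install wireguard
cd /etc/wireguard
# Generate the keys in a subshell under umask 077 so that privatekey is created
# readable by its owner only; with the usual 022 umask the file written by tee
# would be readable by every local user. The subshell keeps the stricter umask
# from leaking into the rest of the session.
(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)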
编写配置文件
cd /etc/wireguard
vim wg0.conf

[Interface]
# This file contains the server's private key: keep it owned by root and not
# readable by other users (mode 600).
PrivateKey = 服务生成的私钥
# Server address inside the 10.100.0.0/24 tunnel subnet.
Address = 10.100.0.1/24
# %i is replaced by wg-quick with the interface name (wg0 for wg0.conf).
# These two rules accept every forwarded packet entering or leaving the tunnel
# interface; there is no per-port or per-destination filtering here.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; 
PostUp = iptables -A FORWARD -o %i -j ACCEPT; 
# Packets sent out through the tunnel get this host's tunnel address as their
# source, so the peer sees 10.100.0.1 instead of the original sender.
PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
# PostDown deletes the same three rules when the interface is brought down.
PostDown = iptables -D FORWARD -i %i -j ACCEPT;
PostDown = iptables -D FORWARD -o %i -j ACCEPT; 
PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE
# UDP port WireGuard listens on; it has to be reachable from the client.
ListenPort = 51820

[Peer]
PublicKey = 客户端公钥
# Only packets whose tunnel source address is 10.100.0.2 are accepted from this
# peer, and only that address is routed to it.
AllowedIPs = 10.100.0.2/32
PersistentKeepalive = 15
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

iptables转发端口

# Publish the peer's sshd (10.100.0.2:22) on this host's TCP port 50022.
# NOTE(review): the rule has no -i / -s match, so it applies to packets from any
# source arriving on any interface. The peer's SSH service becomes reachable
# from the Internet: consider limiting the allowed sources and keeping the
# peer's sshd on key-only authentication.
iptables -t nat -A PREROUTING -p tcp --dport 50022 -j DNAT --to-destination 10.100.0.2:22
# Rewrites the source address of the forwarded SSH packets. Both this rule and
# the MASQUERADE rule in wg0.conf's PostUp hide the real client address, so the
# peer's sshd logs and any per-source ban tooling there only ever see this host.
# Check which rule actually matches with: iptables -t nat -L POSTROUTING -n -v
iptables -t nat -A POSTROUTING -p tcp -d 10.100.0.2 --dport 22 -j SNAT --to-source 服务器自己公网IP
# Save the running rule set. NOTE(review): /etc/iptables/rules.v4 is presumably
# the file restored at boot by iptables-persistent; confirm that package is
# installed, otherwise the directory may not exist and nothing reloads the file.
iptables-save > /etc/iptables/rules.v4

客户端

生成客户端公私钥
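# Install WireGuard and create the client key pair in /etc/wireguard.
apt install wireguard
cd /etc/wireguard
# Generate the keys in a subshell under umask 077 so that privatekey is created
# readable by its owner only; with the usual 022 umask the file written by tee
# would be readable by every local user. The subshell keeps the stricter umask
# from leaking into the rest of the session.
(umask 077; wg genkey | tee privatekey | wg pubkey > publickey)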
编写配置文件
cd /etc/wireguard
vim wg0.conf
[Interface]
PrivateKey = 客户端生成的私钥
Address = 10.100.0.2/24

[Peer]
PublicKey = 服务端公钥
Endpoint = 服务器自己公网IP:51820
AllowedIPs = 10.100.0.0/24
PersistentKeepalive = 15
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

系统中同时存在NetworkManager和systemd-networkd两个网络管理服务,二者冲突,需要关闭其中一个

systemctl stop NetworkManager
systemctl disable NetworkManager
root@cyber-aib:~/android_docker# brctl show
bridge name    bridge id        STP enabled    interfaces
docker0        8000.5ebab53304ca    no    

发现interfaces为空,所以手动

root@cyber-aib:~/android_docker# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 2e:42:2f:7e:37:0b brd ff:ff:ff:ff:ff:ff
    altname enP4p65s0
    inet 192.168.2.118/24 metric 100 brd 192.168.2.255 scope global dynamic eth0
       valid_lft 77250sec preferred_lft 77250sec
    inet6 fe80::2c42:2fff:fe7e:370b/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether de:2d:49:53:8e:e4 brd ff:ff:ff:ff:ff:ff
    altname enP3p49s0
20: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 5e:ba:b5:33:04:ca brd ff:ff:ff:ff:ff:ff
    inet 172.17.10.1/24 brd 172.17.10.255 scope global docker0
       valid_lft forever preferred_lft forever
22: vethfa386c9@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 5e:ba:23:97:5c:97 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::5cba:23ff:fe97:5c97/64 scope link 
       valid_lft forever preferred_lft forever
       
//下面这行是关键
root@cyber-aib:~/android_docker# sudo ip link set vethfa386c9 master docker0
//或者brctl addif docker0 vethfa386c9

root@cyber-aib:~/android_docker# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 2e:42:2f:7e:37:0b brd ff:ff:ff:ff:ff:ff
    altname enP4p65s0
    inet 192.168.2.118/24 metric 100 brd 192.168.2.255 scope global dynamic eth0
       valid_lft 77226sec preferred_lft 77226sec
    inet6 fe80::2c42:2fff:fe7e:370b/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether de:2d:49:53:8e:e4 brd ff:ff:ff:ff:ff:ff
    altname enP3p49s0
20: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 5e:ba:b5:33:04:ca brd ff:ff:ff:ff:ff:ff
    inet 172.17.10.1/24 brd 172.17.10.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::5cba:b5ff:fe33:4ca/64 scope link 
       valid_lft forever preferred_lft forever
22: vethfa386c9@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 5e:ba:23:97:5c:97 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::5cba:23ff:fe97:5c97/64 scope link 
       valid_lft forever preferred_lft forever

执行完后发现docker0状态原来为DOWN的立马UP起来了

# Stop Docker, then take down and delete its bridge so it can be recreated.
service docker stop  
ip link set dev docker0 down  
brctl delbr docker0  
# Flushes EVERY rule in the nat table's POSTROUTING chain, not only Docker's.
# Any other MASQUERADE/SNAT rule on this host (for example VPN or port-forward
# rules) is removed as well and has to be re-added afterwards.
iptables -t nat -F POSTROUTING  


# Recreate the bridge by hand with the address that is also configured as
# "bip" in /etc/docker/daemon.json, then bring it up.
brctl addbr docker0  
ip addr add 172.17.10.1/24 dev docker0  
ip link set dev docker0 up  

vim /etc/docker/daemon.json
{
  "insecure-registries":["x.x.x"],
  "bip": "172.17.10.1/24"
} 


systemctl  restart  docker

活了。

注意:/data/local/tmp目录不小心被删除了,只改owner和访问权限是不够的,这是个特殊目录,还需要改SELinux权限(安全上下文)

chcon -R u:object_r:shell_data_file:s0 /data/local/tmp

frida-gadget持久化

未ROOT设备采用smali增加System.loadLibrary("frida-gadget")方式注入,缺点就是打包检测兼容问题。

ROOT设备如果有类似libmsaoaidsec线程检测
hook dlopen查看加载顺序,找个libmsaoaidsec之前加载的so注入改导入表。

pip install lief
#!/usr/bin/env python3
import lief
libnative = lief.parse("libmmkv.so")
libnative.add_library("gad.so")
libnative.write("libmmkv.so")

adb shell pm path 包名
找到路径将gad.so和libmmkv.so放进lib/arm64
并且创建gad.config.so启动自动加载js

{
    "interaction": {
        "type": "script",
        "path": "/data/local/tmp/hook.js"
    }
}

1,安装内核模块支持

# Install the extra kernel modules built for the running kernel.
apt install "linux-modules-extra-$(uname -r)"
# Load the binder module (Android IPC) with the three device nodes.
modprobe binder_linux devices="binder,hwbinder,vndbinder"
# Load the ashmem module (Android shared memory).
modprobe ashmem_linux

# Load both modules at boot: the file is truncated and rewritten with one
# module name per line.
printf '%s\n' binder_linux ashmem_linux > /etc/modules-load.d/redroid.conf
# Append the binder device list so the boot-time load uses the same options.
printf '%s\n' 'options binder_linux devices="binder,hwbinder,vndbinder"' >> /etc/modprobe.d/redroid.conf

2,安装docker

原始方法:
# Pipes a script fetched over the network straight into bash, so it runs
# unreviewed with the caller's privileges. Saving it to a file and reading it
# before running (as the alternative below does with docker.sh) allows the
# content to be inspected first.
curl -fsSL https://get.docker.com | bash

替代方法:

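# Mirror base URL exported for the locally saved install script (docker.sh).
# The value must be wrapped in plain ASCII quotes: typographic quotes are not
# shell quoting and would end up inside the variable, corrupting the URL.
export DOWNLOAD_URL="https://mirrors.tuna.tsinghua.edu.cn/docker-ce"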
复制https://get.docker.com/内容保存本地docker.sh
chmod +x ./docker.sh && ./docker.sh

3,拉取镜像

替代方法:

vi /etc/docker/daemon.json
{
    "registry-mirrors": ["https://docker.1panel.live", "https://hub.rat.dev/", "https://docker.chenby.cn", "https://docker.m.daocloud.io"]
}
systemctl stop docker
systemctl daemon-reload
systemctl start docker

4 安装redroid,scrcpy-web,nginx

git clone https://github.com/geziliu/android_docker
生成密码
1,用openssl passwd -1 xxxx生成密码哈希,写入nginx/passwd_scrcpy_web(密码写在命令行参数里会留在shell历史中;不带密码参数时openssl会交互提示输入)
2,安装android-redroid容器时,参数可以加上-p 127.0.0.1:5555:5555,只把容器的5555端口暴露给本机,这样就可以通过ssh -L隧道,用本地scrcpy客户端去连接了。
3,scrcpy客户端启动时增加--audio-codec=raw有声音(必须安卓11或以上)
start.sh        #启动并创建容器,自动安装scrcpy-web/apk下的安装包(目前放了应用宝、豌豆荚、via浏览器,作为初始环境应该够用了,需要其它应用可以自己将apk放在这个目录里)
stop.sh         #关闭容器
restart.sh      #重启容器
stop_and_rm.sh  #关闭并删除容器

1,安装VA解码层

sudo pacman -S libva-nvidia-driver

2,配置系统默认解码器参数

NVD_BACKEND=direct
# MOZ_DISABLE_RDD_SANDBOX=1 switches off the sandbox of Firefox's RDD (media
# decoding) process, so a bug in a decoder is no longer contained by it.
# NOTE(review): if these variables are set system-wide they apply to every
# Firefox session of every user; confirm that this scope is intended.
MOZ_DISABLE_RDD_SANDBOX=1
LIBVA_DRIVER_NAME=nvidia
_EGL_VENDOR_LIBRARY_FILENAMES=/usr/share/glvnd/egl_vendor.d/10_nvidia.json

3,启动modeset支持

echo "options nvidia_drm modeset=1" >> /etc/modprobe.d/nv.conf
echo "options nvidia NVreg_PreserveVideoMemoryAllocations=1" >> /etc/modprobe.d/nv.conf

再重启,检测是否开启

sudo cat /sys/module/nvidia_drm/parameters/modeset

结果为Y 上面第3步开启成功

(安装libva-utils使用vainfo可查看显卡支持哪些硬件解码格式)

4,配置firefox

about:config
media.ffmpeg.vaapi.enabled设置为true

about:support
查看<媒体>->硬件解码,有支持就已经成功了。

使用firefox播放支持硬件解码的格式视频,再使用nvidia-settings查看GPU/Video Engine Utilization,有百分比就说明硬件解码成功。