# Shizuku Privileged API

{{#include ../../banners/hacktricks-training.md}}

Shizuku is an open-source service that **spawns a privileged Java process using `app_process`** and exposes **Android system APIs over Binder**. Because the process is launched with the same **`shell` UID capabilities that ADB uses**, any application (or terminal) that binds to the exported AIDL interface can perform many actions that normally require **`WRITE_SECURE_SETTINGS`, `INSTALL_PACKAGES`, file I/O inside `/data`,** etc. – **without rooting the device**.

Typical use cases:

* Security auditing from an un-rooted handset
* Removing bloatware / debloating system apps
* Collecting logs, Wi-Fi keys, process and socket information for blue-team/DFIR
* Automating device configuration from regular apps or shell scripts

---

## 1. Starting the privileged service

`moe.shizuku.privileged.api` can be started in three different ways – the resulting Binder service behaves the same in all of them.

### 1.1 Wireless ADB (Android 11+)

1. Enable **Developer Options ➜ Wireless debugging** and pair the device.
2. Inside the Shizuku app select **“Start via Wireless debugging”** and copy the pairing code.
3. The service stays alive until the device is rebooted (wireless-debugging sessions are cleared on boot).

### 1.2 USB / local ADB one-liner

```bash
adb push start.sh \
  /storage/emulated/0/Android/data/moe.shizuku.privileged.api/

# spawn the privileged process
adb shell sh /storage/emulated/0/Android/data/moe.shizuku.privileged.api/start.sh
```

The same script can be executed over a **network ADB** connection (`adb connect <IP>:5555`).

### 1.3 Rooted devices

If the device is already rooted, run:

```bash
su -c sh /data/adb/shizuku/start.sh
```

### 1.4 Verifying that it is running

```bash
adb shell dumpsys activity service moe.shizuku.privileged.api | head
```

A successful start returns `Running services (1)` together with the PID of the privileged process.

---

## 2. Binding from an application

Third-party apps only need the following inside their `AndroidManifest.xml`:

```xml
```

At runtime they obtain the binder:

```java
// Obtain the Binder exposed by the Shizuku service
IBinder binder = ShizukuProvider.getBinder();
// Wrap it in the package-manager interface
IPackageManager pm = IPackageManager.Stub.asInterface(binder);
```

From this point on, the app can invoke any method that the **`shell`** user may call – for example:

```java
// Install an APK as the shell user (Uri has no public constructor, so use Uri.parse)
pm.installPackage(Uri.parse("file:///sdcard/app.apk"), null, 0, null);
// Write a global setting, here enabling ADB
Settings.Global.putInt(resolver, Settings.Global.ADB_ENABLED, 1);
```

A curated list of more than **170 Shizuku-enabled apps** is maintained at [awesome-shizuku](https://github.com/timschneeb/awesome-shizuku).

---

## 3. Rish – elevated shell inside Termux

The Shizuku settings screen exposes **“Use Shizuku in terminal apps”**. Enabling it downloads *rish* (`/data/local/tmp/rish`).

```bash
pkg install wget
wget https://rikka.app/rish/latest -O rish && chmod +x rish

# start elevated shell (inherits the binder connection)
./rish
whoami   # ➜ shell
id       # uid=2000(shell) gid=2000(shell) groups=... context=u:r:shell:s0
```

### 3.1 Useful commands from the rish shell

* List the running processes of a given package:

```bash
ps -A | grep com.facebook.katana
```

* Enumerate listening sockets and map them to packages (e.g. **CVE-2019-6447 ES File Explorer**):

```bash
netstat -tuln
# /proc/<pid>/cmdline is NUL-separated, so turn the separators into spaces
for pid in $(lsof -nP -iTCP -sTCP:LISTEN -t); do
  printf "%s -> %s\n" "$pid" "$(tr '\0' ' ' < /proc/$pid/cmdline)"
done
```

* Dump every application log:

```bash
logcat -d | grep -iE "(error|exception)"
```

* Read stored Wi-Fi credentials (Android 11+):

```bash
cat /data/misc/wifi/WifiConfigStore.xml | grep -i ""
```

* Bulk debloat (example):

```bash
pm uninstall --user 0 com.miui.weather2
```

---

## 4. Security considerations / detection

1. Shizuku needs **ADB debugging** privileges, so _Developer Options → USB/Wireless debugging_ must be **enabled**. Organisations can block this through an MDM or via `settings put global development_settings_enabled 0`.
2. The service registers itself under the name `moe.shizuku.privileged.api`. A simple `adb shell service list | grep shizuku` (or an Endpoint Security rule) detects its presence.
3. Capabilities are limited to what the `shell` user can already do – it is **not root**. Sensitive APIs that require the `system` or `root` user remain inaccessible.
4. Sessions do **not survive a reboot** unless the device is rooted and Shizuku is configured as a startup daemon.

---

## 5. Mitigation

* Disable USB/Wireless debugging on production devices.
* Monitor for Binder services exposing `moe.shizuku.privileged.api`.
* Use SELinux policies (Android enterprise) to block the AIDL interface from unmanaged applications.

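The indicators from sections 4 and 5 can be combined into one triage helper. The script below is an added example, not code from the original page or from the Shizuku project; the verdict names and the sample captures are constructed for illustration, and it assumes `pm list packages` prints `package:<name>` lines.

```shell
#!/bin/sh
# Classify a device from captured adb output, using the indicators in sections 4 and 5.
SHIZUKU_PKG="moe.shizuku.privileged.api"

# has_line <text> <exact line>: exact-line match that tolerates CRLF endings.
has_line() { printf '%s\n' "$1" | tr -d '\r' | grep -qxF -- "$2"; }

# shizuku_verdict <development_settings_enabled> <adb_enabled> \
#                 <pm list packages> <service list> <ls /data/local/tmp>
# Prints RUNNING, INSTALLED, EXPOSED or CLEAN (hypothetical labels).
shizuku_verdict() (
  dev=$(printf '%s' "$1" | tr -d '\r\n ')
  adb=$(printf '%s' "$2" | tr -d '\r\n ')
  if printf '%s\n' "$4" | grep -qi 'shizuku'; then
    echo RUNNING      # the privileged Binder service is registered
  elif has_line "$3" "package:$SHIZUKU_PKG" || has_line "$5" "rish"; then
    echo INSTALLED    # tooling is present, service not started
  elif [ "$dev" = "1" ] || [ "$adb" = "1" ]; then
    echo EXPOSED      # the debugging prerequisite is enabled
  else
    echo CLEAN
  fi
)

# Live use against a connected device (not executed here):
#   shizuku_verdict \
#     "$(adb shell settings get global development_settings_enabled)" \
#     "$(adb shell settings get global adb_enabled)" \
#     "$(adb shell pm list packages)" \
#     "$(adb shell service list)" \
#     "$(adb shell ls /data/local/tmp)"

# Constructed sample captures (not taken from a real device).
SAMPLE_PKGS=$(printf 'package:com.android.settings\r\npackage:%s\r\n' "$SHIZUKU_PKG")
SAMPLE_SVCS_IDLE=$(printf '0\tactivity: [android.app.IActivityManager]\n1\tpackage: [android.content.pm.IPackageManager]\n')
SAMPLE_SVCS_LIVE=$(printf '%s\n2\t%s: []\n' "$SAMPLE_SVCS_IDLE" "$SHIZUKU_PKG")

shizuku_verdict 1 1 "$SAMPLE_PKGS" "$SAMPLE_SVCS_LIVE" "rish"
```

The branches are ordered from strongest to weakest signal, so a device with the service registered is reported as `RUNNING` even when the other indicators are also present.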
---

## References

- [Blog – Shizuku: Unlocking Advanced Android Capabilities Without Root](https://www.mobile-hacker.com/2025/07/14/shizuku-unlocking-advanced-android-capabilities-without-root/)
- [Shizuku Official Documentation](https://shizuku.rikka.app/)
- [awesome-shizuku – list of supported apps](https://github.com/timschneeb/awesome-shizuku)
- [rish shell (privileged reverse-adb shell)](https://github.com/RikkaApps/Shizuku/blob/master/RISH.md)