开启adb root 选项后，执行如下代码：

packages/apps/Settings/src/com/android/settings/development/AdbRootPreferenceController.java

mADBRootService = new ADBRootService();   @Override
public boolean onPreferenceChange(Preference preference, Object newValue) {final boolean rootEnabled = (Boolean) newValue;mADBRootService.setEnabled(rootEnabled);return true;
}

ADBRootService类位于 frameworks/base/core/java/android/adb/ADBRootService.java

public void setEnabled(boolean enable) {try {final IADBRootService svc = getService();if (svc != null) {svc.setEnabled(enable);}} catch (RemoteException e) {throw e.rethrowFromSystemServer();}
}

实际调用 IADBRootService 服务的 setEnabled 

adb_root服务的入口函数位于 system/core/adb/root/main.cpp 

void ADBRootService::Register() {auto service = ndk::SharedRefBase::make<ADBRootService>();binder_status_t status = AServiceManager_addService(service->asBinder().get(), getServiceName());if (status != STATUS_OK) {LOG(FATAL) << "Could not register adbroot service: " << status;}
}ndk::ScopedAStatus ADBRootService::setEnabled(bool enabled) {uid_t uid = AIBinder_getCallingUid();if (uid != AID_SYSTEM) {return SecurityException("Caller must be system");}AutoMutex _l(lock_);if (enabled_ != enabled) {enabled_ = enabled;WriteStringToFile(std::to_string(enabled), kStoragePath + kEnabled);// Turning off adb root, restart adbd.if (!enabled) {SetProperty("service.adb.root", "0");SetProperty("ctl.restart", "adbd");}}return ndk::ScopedAStatus::ok();
}

mian函数执行时，调用 Register 将native层的 ADBRootService 注册到名为 adbroot_service 的系统服务

执行 adb root命令时， 调用  restart_root_service

void restart_root_service(unique_fd fd) {if (getuid() == 0) {WriteFdExactly(fd.get(), "adbd is already running as root\n");return;}#if defined(__ANDROID__) && !defined(__ANDROID_RECOVERY__)ndk::SpAIBinder binder = ndk::SpAIBinder(AServiceManager_getService("adbroot_service"));std::shared_ptr<aidl::android::adbroot::IADBRootService> service =aidl::android::adbroot::IADBRootService::fromBinder(binder);if (!service) {LOG(ERROR) << "Failed to get adbroot_service interface";return;}
#endif#if defined(__ANDROID__) && !defined(__ANDROID_RECOVERY__)bool enabled = false;if (auto status = service->getEnabled(&enabled); !status.isOk()) {
#endifif (!__android_log_is_debuggable()) {WriteFdExactly(fd.get(), "adbd cannot run as root in production builds\n");return;}
#if defined(__ANDROID__) && !defined(__ANDROID_RECOVERY__)}if (!enabled) {WriteFdExactly(fd, "ADB Root access is disabled by system setting - ""enable in Settings -> System -> Developer options\n");return;}
#endifLOG(INFO) << "adbd restarting as root";android::base::SetProperty("service.adb.root", "1");WriteFdExactly(fd.get(), "restarting adbd as root\n");
}

主要作用 设置属性  service.adb.root = 1

ADB ROOT必要条件分析

开发者选项： development_settings_enabled

adb调试：adb_enabled

上述字段通过 getString 获取

1、开发者选项中adb root是否显示取决于 ro.debuggable属性：

当 ro.debuggable = 0 时， 开发者选项界面不显示开启adb root 选项

2、adb始终以root权限运行

adb 服务被 init进程拉起时，是以root权限运行，拉起后会进行降权操作。

system/core/adb/daemon/main.cpp

static bool should_drop_privileges() {// The properties that affect `adb root` and `adb unroot` are ro.secure and// ro.debuggable. In this context the names don't make the expected behavior// particularly obvious.//// ro.debuggable://   Allowed to become root, but not necessarily the default. Set to 1 on//   eng and userdebug builds.//// ro.secure://   Drop privileges by default. Set to 1 on userdebug and user builds.bool ro_secure = android::base::GetBoolProperty("ro.secure", true);bool ro_debuggable = __android_log_is_debuggable();// Drop privileges if ro.secure is set...bool drop = ro_secure;// ... except "adb root" lets you keep privileges in a debuggable build.std::string prop = android::base::GetProperty("service.adb.root", "");bool adb_root = (prop == "1");bool adb_unroot = (prop == "0");if (ro_debuggable && adb_root) {drop = false;}// ... and "adb unroot" lets you explicitly drop privileges.if (adb_unroot) {drop = true;}return false; //不降权，始终以root权限运行
}

 当  service.adb.root 属性为 1 且 ro.debuggable = 1 时，会继续保持root权限运行