Advanced KernelSU Usage: Injecting Code & Modifying Kernel Behavior for Power Users

KernelSU has changed how Android power users interact with their device's kernel. Where Magisk-style root patches the boot image's init and ships a userspace su binary, KernelSU puts the root grant itself in the kernel (a patched or custom-built kernel), so root decisions are enforced below userspace. This guide covers the advanced end of that: shipping a custom kernel module inside a KernelSU module, loading it at boot, and using it to expose new kernel-side behavior to userspace.

Understanding the KernelSU Advantage

KernelSU's advantage is where the root grant lives. The kernel itself decides which processes are allowed root and grants it, placing them in KernelSU's su SELinux domain; the userspace daemon ksud handles only module management and boot scripts. Two consequences matter for this guide. First, a root shell obtained through KernelSU is a real uid-0 process with full capabilities, so it can use the kernel's normal facilities: insmod, sysfs, debugfs, tracing. Second, a "KernelSU module" is a systemless overlay module in the Magisk format (module.prop plus boot scripts, mounted over /system with overlayfs); it is not a loadable kernel module. Loading a .ko goes through the kernel's own init_module/finit_module path, which KernelSU does not alter, so the kernel must permit loadable modules (CONFIG_MODULES, and either no signature enforcement or a .ko signed with its key) for any of what follows to work.

Prerequisites for Advanced KernelSU Development

Before diving into code injection, ensure you have a solid foundation:

  • A device with KernelSU successfully installed and operational.
  • Basic understanding of Linux kernel architecture and C programming.
  • Access to your device's kernel source (or the kernel headers) for the exact kernel version that is running. A module built against anything else is refused at load time with a vermagic or layout mismatch.
  • A Linux development environment (e.g., Ubuntu, Debian) with a cross-toolchain for your device's architecture (aarch64-linux-gnu- for arm64, arm-linux-gnueabi- for 32-bit ARM). Android kernels from 4.19 onward are normally built with Clang; build the module with the same compiler family the kernel used, since mixing toolchains can produce a module that loads but misbehaves (for example on kernels built with Clang CFI).
  • Familiarity with adb and basic shell commands.

Developing Your First KernelSU Module: A SysFS Entry Example

One of the most powerful ways to modify kernel behavior is by creating a custom kernel module that exposes new interfaces via sysfs. This allows user-space applications (including shell scripts) to read from and write to kernel parameters you define. Let's create a module that adds a simple read/write string at /sys/kernel/ksu_advanced/message. The node is created with mode 0664, so only root (the file's owner and group) can write it; anything that widens write access turns a debug knob into an attack surface, so keep the permissions at that level or tighter.

Step 1: Kernel Module Source Code (ksu_advanced_module.c)

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/sysfs.h>
#include <linux/kobject.h>
#include <linux/string.h>

static struct kobject *ksu_advanced_kobj;

/* Backing store for the attribute; one page is the sysfs limit. */
static char ksu_message[PAGE_SIZE] = "Hello from KernelSU Advanced Module!";

static ssize_t message_show(struct kobject *kobj, struct kobj_attribute *attr,
                            char *buf)
{
    /* buf is a PAGE_SIZE buffer owned by sysfs; never write past it. */
    return scnprintf(buf, PAGE_SIZE, "%s\n", ksu_message);
}

static ssize_t message_store(struct kobject *kobj, struct kobj_attribute *attr,
                             const char *buf, size_t count)
{
    size_t len = count;

    /* Truncate to what fits, keeping room for the terminator. */
    if (len >= PAGE_SIZE)
        len = PAGE_SIZE - 1;
    /* Drop the trailing newline that `echo` appends. */
    if (len && buf[len - 1] == '\n')
        len--;

    memcpy(ksu_message, buf, len);
    ksu_message[len] = '\0';

    /* Return count, not len: a short return makes the writer retry with
     * the remaining bytes, which would overwrite the message again. */
    return count;
}

static struct kobj_attribute message_attribute =
    __ATTR(message, 0664, message_show, message_store);

static int __init ksu_advanced_init(void)
{
    int error;

    ksu_advanced_kobj = kobject_create_and_add("ksu_advanced", kernel_kobj);
    if (!ksu_advanced_kobj)
        return -ENOMEM;

    error = sysfs_create_file(ksu_advanced_kobj, &message_attribute.attr);
    if (error) {
        pr_err("failed to create the message file in sysfs\n");
        kobject_put(ksu_advanced_kobj); /* don't leak the kobject on failure */
        return error;
    }

    pr_info("KernelSU Advanced Module loaded!\n");
    return 0;
}

static void __exit ksu_advanced_exit(void)
{
    /* Dropping the last reference also removes the sysfs file. */
    kobject_put(ksu_advanced_kobj);
    pr_info("KernelSU Advanced Module unloaded!\n");
}

module_init(ksu_advanced_init);
module_exit(ksu_advanced_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Your Name");
MODULE_DESCRIPTION("An advanced KernelSU module for demonstration.");

Step 2: Makefile for Compilation

Create a Makefile in the same directory:

obj-m := ksu_advanced_module.o

# Configured kernel tree (or prebuilt headers) matching the running kernel
KDIR := /path/to/your/kernel/source/

# arm64 with aarch64-linux-gnu-, or arm with arm-linux-gnueabi- for 32-bit
ARCH := arm64
CROSS_COMPILE := aarch64-linux-gnu-

# Android kernels built with Clang: add CC=clang (or LLVM=1 on kernels
# whose Kbuild supports it) to the two $(MAKE) lines below.

all:
	$(MAKE) -C $(KDIR) M=$(PWD) ARCH=$(ARCH) CROSS_COMPILE=$(CROSS_COMPILE) modules

clean:
	$(MAKE) -C $(KDIR) M=$(PWD) ARCH=$(ARCH) CROSS_COMPILE=$(CROSS_COMPILE) clean

Replace /path/to/your/kernel/source/ with the path to the configured kernel tree (or prebuilt headers) for the exact kernel on the device. After building, compare `adb shell uname -r` with `modinfo -F vermagic ksu_advanced_module.ko`: the kernel refuses modules whose vermagic differs. Many stock kernels also set CONFIG_MODULE_SIG_FORCE and load only modules signed with the kernel build's key, so check the kernel config (/proc/config.gz where available) before investing in a module that can never load.

Step 3: Compile the Module

Execute make in your development environment. This will produce ksu_advanced_module.ko.

make

Step 4: Package for KernelSU

KernelSU modules are distributed as a .zip in the Magisk module format and are mounted as a systemless overlay. Placing the .ko under system/ makes it appear at /system/lib/modules/ after boot but does not load it; the service.sh below is what loads it. Create this directory structure:

my_advanced_module/
├── module.prop
├── service.sh
└── system/
    └── lib/
        └── modules/
            └── ksu_advanced_module.ko

module.prop (essential information):

id=ksu_advanced_module_example
name=KSU Advanced Module Example
version=v1.0
versionCode=1
author=Your Name For KSU
description=Demonstrates sysfs entry creation with KernelSU.

service.sh (runs at boot in late_start service mode, after the overlay is mounted; this is the step that actually loads the kernel module):

#!/system/bin/sh
# Resolve this module's directory (/data/adb/modules/<id>)
MODDIR=${0%/*}

# Nothing loads a .ko automatically: do it here. insmod fails on kernels
# that enforce module signatures or disable loadable modules; check dmesg.
insmod "$MODDIR/system/lib/modules/ksu_advanced_module.ko" \
    || echo "ksu_advanced_module: insmod failed" > /dev/kmsg

echo "KSU Advanced Module service.sh executed!" > /dev/kmsg

Zip the contents of my_advanced_module/:

cd my_advanced_module/
zip -r ../my_advanced_module.zip .

Step 5: Install and Test

Transfer my_advanced_module.zip to your Android device and install it via the KernelSU Manager app (from a root adb shell, `ksud module install /path/to/my_advanced_module.zip` does the same). Reboot your device.

After reboot, open a terminal (e.g., Termux or adb shell) and gain root access (su).

su
# Confirm the .ko actually loaded; if this prints nothing, dmesg shows why insmod failed
grep ksu_advanced_module /proc/modules
# Read the default message
cat /sys/kernel/ksu_advanced/message
# Modify the message
echo "New message from userspace!" > /sys/kernel/ksu_advanced/message
# Read again to confirm
cat /sys/kernel/ksu_advanced/message

You should see the original message, then the new message after modification: userspace is now driving a kernel-side value through the interface you defined. If /sys/kernel/ksu_advanced does not exist, the module never loaded; `dmesg | grep -i -e ksu_advanced -e module` will show the vermagic, signature or permission error behind the insmod failure.
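The service.sh above relies on insmod and a one-line failure message. When a .ko refuses to load on an Android kernel, the errno that finit_module(2) returns is usually the whole diagnosis. The following userspace loader is an added example, not code from KernelSU or from this article's module, and its function and file names are its own: it opens the object, validates ownership and mode on the already-open descriptor (so nothing can be swapped between the check and the load), hands that same descriptor to the kernel, and maps the failure code to the cause a practitioner would otherwise dig out of dmesg.

```c
/* ksu_insmod.c: userspace loader for a .ko shipped inside a KernelSU
 * module directory. Added example; not part of KernelSU or the article.
 * Host build:   cc -O2 -Wall -o ksu_insmod ksu_insmod.c
 * Device build: aarch64-linux-gnu-gcc -static -O2 -o ksu_insmod ksu_insmod.c
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Linux value; defined here so the table below compiles on any host. */
#ifndef EKEYREJECTED
#define EKEYREJECTED 129
#endif

/* Accept only a regular file owned by root that no one but root can write:
 * anything else could have been planted by an unprivileged app. */
int ksu_ko_mode_ok(mode_t mode, uid_t uid)
{
    if (uid != 0)
        return 0;
    if (mode & (S_IWGRP | S_IWOTH))
        return 0;
    return S_ISREG(mode) ? 1 : 0;
}

/* Map the errno from finit_module(2) to the causes usually behind an
 * out-of-tree module failing to load on an Android kernel. */
const char *ksu_explain_load_error(int err)
{
    switch (err) {
    case 0:            return "loaded";
    case ENOENT:       return "module file not found";
    case EACCES:       return "module file rejected by the ownership/permission check";
    case ENOEXEC:      return "invalid module format: vermagic or struct layout mismatch; rebuild against the exact running kernel and toolchain";
    case EKEYREJECTED: return "module signature rejected: the kernel enforces CONFIG_MODULE_SIG_FORCE, sign the .ko with the kernel's key";
    case EBADMSG:      return "malformed module signature";
    case EPERM:        return "not permitted: missing CAP_SYS_MODULE, kernel lockdown, or modules_disabled=1";
    case ENOSYS:       return "kernel built without CONFIG_MODULES (or this host has no finit_module)";
    case EEXIST:       return "a module with that name is already loaded";
    case EBUSY:        return "module init reported busy or a symbol conflict";
    default:           return strerror(err);
    }
}

/* Load `path` with finit_module(2). Returns 0 on success or the errno
 * describing the failure. The check and the load use one descriptor. */
int ksu_load_ko(const char *path, const char *params)
{
    struct stat st;
    int err = 0;
    int fd = open(path, O_RDONLY | O_CLOEXEC);

    if (fd < 0)
        return errno;
    if (fstat(fd, &st) < 0) {
        err = errno;
        close(fd);
        return err;
    }
    if (!ksu_ko_mode_ok(st.st_mode, st.st_uid)) {
        close(fd);
        return EACCES;
    }
#ifdef SYS_finit_module
    if (syscall(SYS_finit_module, fd, params ? params : "", 0) < 0)
        err = errno;
#else
    err = ENOSYS; /* non-Linux host: nothing to load into */
#endif
    close(fd);
    return err;
}

int main(int argc, char **argv)
{
    int err;

    if (argc < 2) {
        fprintf(stderr, "usage: %s module.ko [params]\n", argv[0]);
        return 2;
    }
    err = ksu_load_ko(argv[1], argc > 2 ? argv[2] : "");
    fprintf(stderr, "%s: %s\n", argv[1], ksu_explain_load_error(err));
    return err ? 1 : 0;
}
```

Drop the static binary next to the .ko inside the module and call it from service.sh in place of insmod to get the reason written to kmsg; the ownership check deliberately refuses a group- or world-writable object even when running as root, because the module directory is the only thing standing between an app that can write to it and code execution in the kernel.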

Leveraging ksud for On-Device Kernel Operations

ksud is KernelSU's userspace daemon. It runs as root in userspace, not in the kernel: it installs modules, mounts their overlays, and runs post-fs-data.sh and service.sh at boot, and the Manager app drives it over the same interface. From an adb shell it is the way to install or debug modules without the app. It is not a way to execute commands in kernel context; nothing in KernelSU runs user-supplied commands inside the kernel, and a claim to the contrary should be treated as a red flag.

Installing and Debugging Modules from the Shell

The subcommands below are the ones exposed by ksud's command-line interface; confirm the exact names for your build with `ksud --help`:

su
# List the available subcommands
ksud --help
# Install a module zip without the Manager app
ksud module install /sdcard/my_advanced_module.zip
# Show installed modules and their state
ksud module list

What a KernelSU root shell does give you is the standard kernel interfaces that ordinary Android processes cannot reach: /sys/kernel/tracing and /sys/kernel/debug where the kernel has them compiled in and mounted, and real symbol addresses in /proc/kallsyms once kernel.kptr_restrict is lowered. These are gated by permissions and SELinux, not by KernelSU, and poking kernel memory through them carries the usual risk of crashing the device.

Injecting Data into Kernel Structures

While ksud doesn’t directly offer a simple
