Something is leaving behind wipe commands in the BCB area of the /misc
partition. We don't know what is doing that. It should always be
safe to zero out that area from uncrypt, though (because if uncrypt is
running then it's got the command we want in the recovery command file
rather than the BCB).
Bug: 16715412
Change-Id: Iad01124287f13b80ff71d6371db6371f43c43211
We need to wipe the challenges on this partition
if OEM unlock is enabled, as this is a signal that
the user has opted out of factory reset protection.
go/factory-reset
Bug: 16633064
Change-Id: Icb8f1433bf99ca57813f5b72d5a3dd15fa94a263
These error messages include empty parens after each string
substition. Ill-advised cut and paste, probably.
Bug: 16467401
Change-Id: Ib623172d6228354afdcc2e33442cc53a07f0ecbc
Sometimes renames will move a file into a directory
that does not yet exist. This will create the
parent directories, using the same symlink logic,
to ensure that there is a valid destination.
Change-Id: Iaa005a12ce800c39f4db20f7c25a2a68cb40a52d
Make a fuse filesystem that sits on top of the selected package file
on the sdcard, so we can verify that the file contents don't change
while being read and avoid copying the file to /tmp (that is, RAM)
before verifying and installing it.
Change-Id: Ifd982aa68bfe469eda5f839042648654bf7386a1
Split the adb-specific portions (fetching a block from the adb host
and closing the connections) out from the rest of the FUSE filesystem
code, so that we can reuse the fuse stuff for installing off sdcards
as well.
Change-Id: I0ba385fd35999c5f5cad27842bc82024a264dd14
Drop support for sideloading OTA packages of the cache partition (a
half-solution that's long since been deprecated by "adb sideload").
Refactor the code to sideload OTA packages from SD cards: remove the
installation code from the file browser.
Change-Id: Id0dff6b27c4a5837546f174f50e2e1d0379c43db
Implement a new method of sideloading over ADB that does not require
the entire package to be held in RAM (useful for low-RAM devices and
devices using block OTA where we'd rather have more RAM available for
binary patching).
We communicate with the host using a new adb service called
"sideload-host", which makes the host act as a server, sending us
different parts of the package file on request.
We create a FUSE filesystem that creates a virtual file
"/sideload/package.zip" that is backed by the ADB connection -- users
see a normal file, but when they read from the file we're actually
fetching the data from the adb host. This file is then passed to the
verification and installation systems like any other.
To prevent a malicious adb host implementation from serving different
data to the verification and installation phases of sideloading, the
FUSE filesystem verifies that the contents of the file don't change
between reads -- every time we fetch a block from the host we compare
its hash to the previous hash for that block (if it was read before)
and cause the read to fail if it changes.
One necessary change is that the minadbd started by recovery in
sideload mode no longer drops its root privileges (they're needed to
mount the FUSE filesystem). We rely on SELinux enforcement to
restrict the set of things that can be accessed.
Change-Id: Ida7dbd3b04c1d4e27a2779d88c1da0c7c81fb114
Duplicate changes made to init.rc for https://android-review.googlesource.com/98852
in the init.rc used for recovery mode.
Bug 15849856
Change-Id: Ia376ddf6373a28718653f7fb1435bf7ecb33d813
This adds F2FS support
- for wiping a device
- for the install "format" command.
Note: crypto data in "footer" with a default/negative length
is not supported, unlike with "ext4".
Change-Id: I8d141a0d4d14df9fe84d3b131484e9696fcd8870
Signed-off-by: JP Abgrall <jpa@google.com>
While executing syspatch and package_extract_file() calls with don't
care maps (both of which are used to rewrite the system image in
incremental and full block OTAs, respectively), pass a progress
callback in and use it to update the visible progress bar.
Change-Id: I1d3742d167c1bb2130571eb5103b7795c65ff371
Checks for keys pressed return random results because of an uninitialized data
structure.
Change-Id: Ic8b3d453d62347921aa893403079b374c16a092e
Signed-off-by: Mihai Serban <mihai.serban@intel.com>
Since we don't have quantum assets for recovery yet, go back to the
holo appearance (dark background, blue glowing progress bar) for
lmp-preview.
Change-Id: Id4d3f23e0a6251a12aa42f3793cff347f38b4243
The default recovery UI will reboot the device when the power key is
pressed 7 times in a row, regardless of what recovery is doing.
Disable this feature during package installation, to minimize the
chance of corrupting the device due to a mid-install reboot. (Debug
packages can explicitly request that the feature be reenabled.)
Change-Id: I20f3ec240ecd344615d452005ff26d8dd7775acf
The re-designed recovery graphics code only supports RGB{_,X,A}
framebuffer, and this patch adds support for BGRA framebuffer.
Change-Id: I3780c8288088f497fa248f3492c54f43834a8598
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Reviewed-by: Jovanovic, Radivoje <radivoje.jovanovic@intel.com>
Reviewed-by: Parkinson, TimothyX L <timothyx.l.parkinson@intel.com>
Tested-by: Parkinson, TimothyX L <timothyx.l.parkinson@intel.com>
Reviewed-by: Boie, Andrew P <andrew.p.boie@intel.com>
Reviewed-by: Gumbel, Matthew K <matthew.k.gumbel@intel.com>
Patches with control data tuples with negative numbers in the first
and/or second can cause bspatch to write to arbitrary locations in the
heap.
Change-Id: I8c5d81948be773e6483241131d3d166b6da27cb8
Currently, the writeProcessFunction fails when
there are zero bytes to write, potentially returning
errno from a previous operation, or hanging
indefinitely while it waits for a >0 result on a
write of size 0. This happens when the output
file is intended to be zero bytes in size.
Change-Id: Ib3cfcaf66d82942bc89e5f5c64697862403b38da
