During automatic tests, we sometimes want to reboot the device out of
the rescue party remotely. And per http://go/recovery-adb-access, one
option is to start adbd in user build if the device has an unlocked
bootloader. This should not add more surface of attack. Because verified
boot is off with the unlocked bootloader, and the user can always flash
a custom recovery image that always starts adbd.
Bug: 141247819
Test: check adbd doesn't start in user build, unlock bootloader, and
check adbd starts.
Change-Id: I851746245f862cb4dfb01e6c3ad035f2c9f9ccec
Now these are in the main image, there's some chance of code assuming
they're present in recovery too (or command-line users using them out
of habit).
Bug: http://b/31824379
Test: builds
Change-Id: Ia19272cd1959685765099f3e15d1d1e63babd279
Add a fastboot mode to recovery that can be
entered with command line args or with the ui.
Add usb property triggers to switch between
fastboot and adb configurations.
Allow switching between fastboot and adb through
usb commands by opening a unix socket. adbd/fastbootd
writes to this socket, which interrupts the ui and
switches to the new mode.
Test: Use fastboot mode
Bug: 78793464
Change-Id: I7891bb84427ec734a21a872036629b95ab3fb13c
Executables should be in /system/bin
rather than sbin.
Bug: 78793464
Test: boot into recovery, try adb sideload
Change-Id: I194589119a099d29e56b0648f0906a5ae2aa6770
Now recovery mode is self-contained, which means we don't need to mount
system.img to run shell, etc. What is needed in recovery mode is all in
the recovery ramdisk image.
Since we no longer use /system as the mount point for the system.img,
this allows us to have identical filesystem layout as the system.img.
Executables and libs are installed to /system/bin and /system/lib.
Right now, we only have adbd, sh, toybox in /system/bin but will move
static executables from /sbin to /system/bin as soon as they are
converted to dynamic executables.
system.img is mounted to /mnt/system instead.
Bug: 63673171
Test: `adb reboot recovery; adb devices` shows the device ID
Test: `adb root && adb shell` and then
$ lsof -p `pidof adbd` shows that libm.so, libc.so, etc. are loaded from
the /lib directory.
Change-Id: I801ebd18f3e0a112db3d9a11e4fbb4e49181652a
This is necessary to support kernel changes
that allow for multiple ffs functions. Some
kernels require aliases in order to name
function instances before mount time.
Test: Reboot into recovery, verify adb works
Bug: 34070894
Change-Id: I8376304d92af9b3e8c734fdb8cc77f0dc8bc4850
This is necessary to support kernel changes
that allow for multiple ffs functions. Some
kernels require aliases in order to name
function instances before mount time.
Test: Reboot into recovery, verify adb works
Bug: 34070894
Change-Id: I8376304d92af9b3e8c734fdb8cc77f0dc8bc4850
This is triggered by changes in healthd which spits out 2 binaries.
Recovery needs to use static binary which is now renamed to 'charger'.
So, change the .rc file to match the rename.
Update the seclable according to new healthd-charger split
Test: Tested recovery on angler using 'reboot recovery' to ensure
healthd is working as before
Change-Id: I9e6018156e677e7224dd2e5894941ed2a7cac1d0
Signed-off-by: Sandeep Patil <sspatil@google.com>
Starting healthd in early-init is not needed and can delay coldboot done
Now healthd is starting at boot as usual service.
Test: check kmsg that healthd starting after /dev/.coldboot_done
Bug: 30292927
Change-Id: I367d022f5885122da49181db3db536012e83f564
This patch mirrors what was done in the main init.rc to relabel
/postinstall.
Bug: 27178350
Bug: 27177071
Change-Id: I39cd03f3c55a42c03367957e8c259c9a3155203c
File level encryption must get the key between mounting userdata and
calling post_fs_data when the directories are created. This requires
access to keymaster, which in turn is found from a system property.
Split property loaded into system and data, and load in right order.
Bug: 22233063
Change-Id: I409c12e3f4a8cef474eb48818e96760fe292cc49
File level encryption must get the key between mounting userdata and
calling post_fs_data when the directories are created. This requires
access to keymaster, which in turn is found from a system property.
Split property loaded into system and data, and load in right order.
Bug: 22233063
Change-Id: I409c12e3f4a8cef474eb48818e96760fe292cc49
ueventd will wait for /dev/.booting to go away before giving up
on loading firmware.
The issue was introduced in Ifdd5dd1e95d7e064dde5c80b70198882d949a710
which forgot to update recovery's init.rc
Bug: 17993625
Change-Id: I91205fe6eea50aaef9b401d650ec8d6843a92a57
Implement a new method of sideloading over ADB that does not require
the entire package to be held in RAM (useful for low-RAM devices and
devices using block OTA where we'd rather have more RAM available for
binary patching).
We communicate with the host using a new adb service called
"sideload-host", which makes the host act as a server, sending us
different parts of the package file on request.
We create a FUSE filesystem that creates a virtual file
"/sideload/package.zip" that is backed by the ADB connection -- users
see a normal file, but when they read from the file we're actually
fetching the data from the adb host. This file is then passed to the
verification and installation systems like any other.
To prevent a malicious adb host implementation from serving different
data to the verification and installation phases of sideloading, the
FUSE filesystem verifies that the contents of the file don't change
between reads -- every time we fetch a block from the host we compare
its hash to the previous hash for that block (if it was read before)
and cause the read to fail if it changes.
One necessary change is that the minadbd started by recovery in
sideload mode no longer drops its root privileges (they're needed to
mount the FUSE filesystem). We rely on SELinux enforcement to
restrict the set of things that can be accessed.
Change-Id: Ida7dbd3b04c1d4e27a2779d88c1da0c7c81fb114
Duplicate changes made to init.rc for https://android-review.googlesource.com/98852
in the init.rc used for recovery mode.
Bug 15849856
Change-Id: Ia376ddf6373a28718653f7fb1435bf7ecb33d813
In kernel 3.10, f_adb has been removed and adbd can use functionfs
instead. Mount functionfs on boot for adbd. On older kernels, mount
will fail silently and adbd will revert to f_adb.
Change-Id: I5db57aaf35b35859ea88c7d0e0661d8c553e5811
When adbd runs as root, it should transition into the
su domain. This is needed to run the adbd and shell
domains in enforcing on userdebug / eng devices without
breaking developer workflows.
Use the new device_banner command line option.
Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6
The syntax of init's mount command changed in April 2008 but
recovery's init.rc was never updated, so recovery's /tmp has been on
the root fs all this time. Fix.
Also add /system/bin to the PATH in recovery, which is handy for
debugging.
Change-Id: I39f7ae435a8ce3bad691e4b7c307db0bd8de1302
Otherwise everything is left running in the kernel domain when
booting recovery.
Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Recovery's init.rc was missing a line (added to the main system's
init.rc in change Ic97fd464440ff4a29fc9da7ad15949ac5215ade3) is
required for secure adb to work.
Change-Id: Id79b94d2abb4cbe3cca7cabeb4bc5faf7205e56b
Change I84c0513acb549720cb0e8c9fcbda0050f5c396f5 moved reboot
functionality into init but did not update the recovery partition; so
"adb reboot" and /system/bin/reboot in recovery are both broken.
Change-Id: Ie2d14627a686ffb5064256b6c399723636dff116
Some devices need hardware specific services started in recovery, for
example watchdogd. Import init.recovery.${ro.hardware}.rc from the
recovery init.rc.
Bug: 6953625
Change-Id: I4a4cee210238150ffaabe774a44340ec3c8ff78c
Make minadbd drop its root privileges after initializing. We need to
make the /tmp directory writable by the shell group so that it can
drop the sideloaded file there.
Change-Id: I67b292cf769383f0f67fb934e5a80d408a4c131d