bootloader will set `boot-rescue` in BCB command field to indicate
booting into rescue mode. This CL adds the matching parsing code.
This CL changes the on-screen UI to display the default image while
waiting for each sideload / rescue command.
It also changes the minadbd reboot handlers to use REBOOT_ instead of
the previous ENTER_ actions. This ensures a reboot going through
bootloader, which may load a newly installed bootloader/recovery.
Bug: 128505466
Test: Boot into rescue mode. Run `adb rescue getprop` and `adb rescue
install`. Check the UI. Then run `adb reboot rescue`.
Change-Id: I5b7de9dfd898ed8e14bea0d4ad7385a9bae26e94
Therefore, libinstall becomes the sole owner to handle the request
from minadbd service.
The change also includes
1. move logging.cpp out of librecovery
2. drop the dependency on common.h
3. now it's more sensible to move the wipe_cache as part of
install_package. move the wipe_cache to the end of the function.
Bug: 130166585
Test: wipe data and cache from menu
Change-Id: I6f356dccdb38015c50acf756bac246f87c30fc1f
This used to be a helper function that allows printing message to UI.
We no longer have any active user in bootable/recovery. Device-specific
code can achieve the same functionality by calling GetUI()->Print()
instead.
Test: mmma -j bootable/recovery
Change-Id: If584fc8a51d1af466f1d94d8ea5faa262603a784
Build libinstall as a shared library. Also drop the dependency on the
global variables in common.h.
Test: unit tests pass, sideload an OTA
Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0
This helps to expose librecovery_ui for device specific RecoveryUi.
Bug: 76436783
Test: mma, unit tests pass
Change-Id: Ic6c3d301d5833e4a592e6ea9d9d059bc4e4919be
(cherry picked from commit b5108c372c)
Move the sdcard installation function and all helper functions to a
separate file, and drop the dependency on common.h.
In the future, we want to move these functions into the install class.
Bug: 127071893
Test: unit tests pass
Change-Id: I0b7f7cbf0b68918e638e13878ca28bfca367088a
The fuse data provider for adb/sdcard shares common code and structures.
This cl creates a FuseDataProvider base class and provides
implementations for adb and sdcard.
In the follow cls, we can kill the provider_vtab struct; and also add
another implementation to parse a block map file and provides data.
Test: unit tests pass, sideload a package, apply a package from sdcard
Change-Id: If8311666a52a2e3c0fbae0ee9688fa6d01e4ad09
The wipe package used to open the zip file directly from the content
string. Switch to use the interface from the new package class instead.
Bug: 127071893
Test: unit tests pass
Change-Id: I990e7f00c5148710722d17140bab2e343eea3b6b
Creates a new class handle the package in memory and package read from fd.
Define the new interface functions, and make approximate changes to the
verify and install functions.
Bug: 127071893
Test: unit tests pass, sideload a package
Change-Id: I66ab00654df92471184536fd147b237a86e9c5b5
This gives us finer control over the partitions to wipe on the host
side.
Bug: 127492427
Test: unit tests pass, install a wipe package on sailfish
Change-Id: I612f8bac743a310f28e365b490ef388b278cfccb
Convert code to use C++ Fstab struct and C++ std::strings.
Bug: 62292478
Bug: 118634720
Test: boots
Change-Id: Ibdc1df5831bc885d7c1574419f41af026e49a137
After we generate the localized confirmation text images for certain dpi,
we can now load these images and display them under recovery. Devices that
cannot load the images will use the backup text strings as before.
Bug: 74397117
Test: check the menu with multiple locales, and check all the images locally
with locale test, check the fall back strings.
Change-Id: Ic31a55670026c909ec7a05cb0bb4a0fc1d5d15c7
Add a get_system_root() function in roots.cpp
which returns / or /system based on fstab.
This factors out the 'if' check from recovery.cpp
and fsck_unshare_blocks.cpp.
Test: boot recovery, mount system
Bug: 118634720
Change-Id: If4947cba3a3f08dbe695fd2b50a9354cd302ee03
The two functions check_wipe_package() and check_newer_ab_build() were
using the same flow; and checked the same device properties against the
metadata file in the package. These properties include: ota_type,
pre-device, and serial number.
Therefore, we can consolidate the checks to a single function; and
continue to check the fingerprint and timestamp only for AB updates.
This change also addresses the need to accept multiple serial number in
the wipe package.
Bug: 118401208
Test: unit tests pass
Change-Id: Ia6bc48fb6effcae059a2ff2cf71764b4136b4c00
Add a function in screenUI to display the pre-generated graphs for
rescue party. If these graphs are not valid, falls back to display
the old text strings.
Right now we haven't generated the localized graphs yet, so the UI
always shows the TextMenu.
Bug: 116655889
Test: check rescue party under recovery
Change-Id: I0558cb536b659cdc25c8b7946d3a39820935b003
If there is a "/system" in the fstab, then can not be a
system as root image.
Test: compile
Bug: 109821005
Change-Id: I2c852dcbdcf6de437d39039937799feeef949516
This allows recording the reason string that prompts user for a data
wipe, even if user selects 'Try again'.
Test: Inject an error into framework to trigger RescueParty. Select
'Try again' and check the recovery log post-boot.
Change-Id: I0d7d5afcf38cae5019e2ce0a46d3cd1ac3e83a03
Bug: 114065789
Test: Able to use 'adb reboot fastboot' to switch to fastboot
from recovery when a userdata wipe is required to boot.
Change-Id: Ice6950444656f8d8857808531af030078f544b88
Add a fastboot mode to recovery that can be
entered with command line args or with the ui.
Add usb property triggers to switch between
fastboot and adb configurations.
Allow switching between fastboot and adb through
usb commands by opening a unix socket. adbd/fastbootd
writes to this socket, which interrupts the ui and
switches to the new mode.
Test: Use fastboot mode
Bug: 78793464
Change-Id: I7891bb84427ec734a21a872036629b95ab3fb13c
recovery is_battery_ok function uses get_health_service(),
which calls IHealth::getService("default") then
IHealth::getService("backup").
- An OEM can provide the default instance by installing
android.hardware.health@2.0-impl-<device>.so to recovery
partition.
- If that's not found, the "backup" instance is provided
to the recovery partition by default.
Test: call is_battery_ok() in recovery, successfully
get battery information.
Bug: 80132328
Change-Id: Ibfee80636325a07bc20b24d044d007a60b3dd7c2
Normally calling a UI method will block
indefinitely until the UI is actually
used. This creates a method to interrupt
the UI, causing waitKey to return -2. This
in turn, will cause ShowMenu to return -2.
This allows switching between recovery and
fastbootd via usb commands.
Test: adb shell /data/nativetest64/recovery_unit_test/recovery_unit_test
Bug: 78793464
Change-Id: I4c6c9aa18d79070877841a5c9818acf723fa6096
The getopt_long(3) implementation in Android (upstream freebsd) expects
a null-terminated array while parsing long options with required args.
if (long_options[match].has_arg == required_argument) {
optarg = nargv[optind++];
}
...
if (long_options[match].has_arg == required_argument && optarg == NULL) {
return (BADARG);
}
This seems to make sense in practice, as getopt(3) takes the first two
arguments of argc and argv that are "as passed to the main() function on
program invocation", and both of C and C++ spec say "the value of
argv[argc] shall be 0".
Prior to the CL, we may run into undefined behavior on malformed input
command line (e.g. missing arg for an option that requires one). This CL
fixes the issue by always appending a nullptr to the argument list (but
without counting that into argc).
Test: Build and boot into recovery with commands.
Change-Id: Ic6c37548f4db2f30aeabd40f387ca916eeca5392
Now recovery mode is self-contained, which means we don't need to mount
system.img to run shell, etc. What is needed in recovery mode is all in
the recovery ramdisk image.
Since we no longer use /system as the mount point for the system.img,
this allows us to have identical filesystem layout as the system.img.
Executables and libs are installed to /system/bin and /system/lib.
Right now, we only have adbd, sh, toybox in /system/bin but will move
static executables from /sbin to /system/bin as soon as they are
converted to dynamic executables.
system.img is mounted to /mnt/system instead.
Bug: 63673171
Test: `adb reboot recovery; adb devices` shows the device ID
Test: `adb root && adb shell` and then
$ lsof -p `pidof adbd` shows that libm.so, libc.so, etc. are loaded from
the /lib directory.
Change-Id: I801ebd18f3e0a112db3d9a11e4fbb4e49181652a
Allow "adb remount" on deduplicated filesystems to reboot into recovery
and run e2fsck to undo deduplication. The e2fsck binary is copied from
the system partition into tmpfs, and the system partition is unmounted
so e2fsck can run safely.
Bug: 64109868
Test: recovery with --fsck_unshare_blocks; adb remount
Change-Id: I7558749b018b58f3c4339e51a95831dbd5be1ae3
Add the ability to change the contents of
the title lines, displayed at the top of
the screen. Once set, the same lines are
displayed for all menus until changed again.
Test: Recovery works
Bug: 78793464
Change-Id: I7ef5594b0d76dbbd2e01ad7508863af1270b2a2a
The getopt library exposes optind which is the
next index to be processed. When scanning is
restarted, optind has to be reset to 1.
Test: Recovery works
Bug: 78793464
Change-Id: I1efca3fb985ffbdfe91e43767469733cda6e7d5b
Move more common setup into the main function.
Main() handles all 1 time setup, such as ui,
logging, and secontext. Recovery_main()
takes in command line arguments, does any
necessary recovery work, and can be called
multiple times from main().
Test: Recovery works
Bug: 78793464
Change-Id: I2d2595fc342b4ddfa80f4e06b30e44263132acd9
Merged-In: I2d2595fc342b4ddfa80f4e06b30e44263132acd9
Move more common setup into the main function.
Main() handles all 1 time setup, such as ui,
logging, and secontext. Recovery_main()
takes in command line arguments, does any
necessary recovery work, and can be called
multiple times from main().
Test: Recovery works
Bug: 78793464
Change-Id: I2d2595fc342b4ddfa80f4e06b30e44263132acd9
Drop the dependency on build time flag of AB_OTA_UPDATER when compiling
device.cpp. Note that AB_OTA_UPDATER still guards the package install
behavior (install.cpp).
This can be extended to cover the entry of "Apply update from SD card".
Test: Build and boot into recovery on angler and walleye respectively.
Check the recovery menu.
Change-Id: I36a6a6b4101ba61d4d374e32353c36cc5716f9ce
ScreenRecoveryUI already has the info in locale_.
Also when showing "Current locale: X/Y" on screen, use 1-based index for
X, so that we have 1 <= X <= Y.
Test: Build anf flash recovery image on aosp_bullhead-userdebug. Choose
`Run locale test` from UI.
Change-Id: I5dd4de82e63890ddf755f4e23cd2290ad5d50ece
This removes some reliance on the global
locale and ui variables.
Test: Recovery works
Bug: 78793464
Change-Id: I78f1a2b321f5d50aa58b10735a73ae137283353a
Move common logging related functions to
rotate_logs.cpp, and rename that to logging.cpp.
Test: Recovery works
Bug: 78793464
Merged-In: I00f20a79a296680122b8437d54a87897c5cb2fc7
Change-Id: I00f20a79a296680122b8437d54a87897c5cb2fc7
Move common logging related functions to
rotate_logs.cpp, and rename that to logging.cpp.
Test: Recovery works
Bug: 78793464
Change-Id: I00f20a79a296680122b8437d54a87897c5cb2fc7
(cherry picked from commit 3c3f211d1e)
This breaks the dependency on common.h (which belongs to
recovery/librecovery) from librecovery_ui. reboot() is now owned by
libotautil, which is expected to be a leaf node to be depended on.
With the change, recovery and updater also share the same reboot() code
now.
Test: mmma -j bootable/recovery
Change-Id: I1cc5d702cfe49302048db33d31c9c87ddc97ac71
Test: mmma -j bootable/recovery
Test: Run recovery_unit_test on marlin.
Test: Build and boot into recovery image on angler. Check the UI that
shows menu ('View recovery log', 'Wipe data', 'Run locale test').
Test: Start recovery with '--prompt_and_wipe_data'. Check the UI.
Change-Id: If8a4209e0bb4ca64f719f9f9465d3b3589a69cdc
Remove the use of fopen_path() in screen_ui.cpp, as this is the only
place that requires the dependency on common.h. The mounting work should
be done by the caller.
Also change the parameter in RecoveryUI::ShowFile() from const char* to
const std::string&.
Test: mmma -j bootable/recovery
Test: Build and boot into recovery image on angler. Choose 'View
recovery logs'.
Change-Id: I8e63f14a8e2b12b856e5a92476e4226cd6ea39fb
From caller's PoV, RecoveryUI::{Start,Select,End}Menu should always be
used together, i.e. to show a menu and get user's selection. This CL
provides ShowMenu() as one-stop service (which is based on
get_menu_selection() from recovery.cpp).
Also move RecoveryUI::{Start,Select,End}Menu into ScreenRecoveryUI, with
a dropped access level from public to protected.
Due to the dependency on recovery / librecovery refactoring, will add
testcases in follow-up CLs.
Test: Build and boot into recovery image. Check the menus (main menu,
'View recovery logs', 'Wipe data/factory reset').
Change-Id: Ie17aa78144871a12affd6f9075e045f76608a0ba
This prepares for moving more codes from recovery into librecovery, so
that they will become more easily testable. recovery_main.cpp will be
the source code for recovery module, with the rest moved into
librecovery. recovery_main.cpp mainly does the initializations, such as
setting up the logger.
Test: mmma -j bootable/recovery
Test: recovery_component_test
Test: Build and boot into recovery image on marlin.
Change-Id: I8e846524546b6f3f0e32ed869e851f62261eef23
Merged-In: I8e846524546b6f3f0e32ed869e851f62261eef23
This prepares for moving more codes from recovery into librecovery, so
that they will become more easily testable. recovery_main.cpp will be
the source code for recovery module, with the rest moved into
librecovery. recovery_main.cpp mainly does the initializations, such as
setting up the logger.
Test: mmma -j bootable/recovery
Test: recovery_component_test
Test: Build and boot into recovery image on marlin.
Change-Id: I8e846524546b6f3f0e32ed869e851f62261eef23
(cherry picked from commit c241cb662440551eb0d2f42345f7ee08cf60a7dd)
Test: Build and flash aosp_angler-userdebug. Choose 'Convert to file
encryption' from Developer Options. Converting to FBE still works.
Change-Id: I75ac0e266af2d00bfaff0664f8bcee74a5f16b41
`recovery` is not a command line tool, and these short options don't
have the common meanings that are used elsewhere.
In the platform code, we're not actively using the short forms.
- bootable/recovery/uncrypt/uncrypt.cpp
- bootable/recovery/updater/install.cpp
- frameworks/base/core/java/android/os/RecoverySystem.java
- system/core/adb/services.cpp
- system/core/init/builtins.cpp
- system/update_engine/hardware_android.cc
- system/vold/cryptfs.cpp
(Callers must have used libbootloader_message.)
'--show_text' and '--just_exit' are not that obvious from the initial
commit messages. They appear to be used by vendor code (e.g.
'--show_text' is optionally used by bootloader, as in the noted bug). So
this CL keeps them as is for now.
Test: `mmma -j bootable/recovery`
Test: Check the code search for possible callers to recovery.
Change-Id: I8a87f5fb50131d647dfc8290381ca47a60f543fa
It should be one of BATTERY_OK_PERCENTAGE (20) and
BATTERY_WITH_CHARGER_OK_PERCENTAGE (15), depending on the charger state.
Also move the battery level related constants next to their users.
Test: mmma -j bootable/recovery
Test: Build and boot into recovery with a pending OTA. Check the log.
Change-Id: I7513f59c4718ec8e2db16c5266928470c2308648
(cherry picked from commit f2ea6d7999)
It should be one of BATTERY_OK_PERCENTAGE (20) and
BATTERY_WITH_CHARGER_OK_PERCENTAGE (15), depending on the charger state.
Also move the battery level related constants next to their users.
Test: mmma -j bootable/recovery
Test: Build and boot into recovery with a pending OTA. Check the log.
Change-Id: I7513f59c4718ec8e2db16c5266928470c2308648
Merged-In: I7513f59c4718ec8e2db16c5266928470c2308648
And fix an issue as a result of the change.
Test: mmma -j bootable/recovery
Change-Id: I94e6384a1f39e9c37a8ed029d235142738d6e5d3
Merged-In: I94e6384a1f39e9c37a8ed029d235142738d6e5d3
We have a general need for overriding more paths (e.g. "/tmp"), mostly
for testing purpose. Rename CacheLocation to Paths, and use that to
manage TEMPORARY_{INSTALL,LOG}_FILE.
Test: mmma -j bootable/recovery
Test: recovery_component_test
Change-Id: Ia8ce8e5695df37ca434f13ac4d3206de1e8e9396
Bug: 78469201
Test: Wipe from recovery menu, check that wipe is logged correctly
and boot works as expected.
Change-Id: I5bc8ef1b83d78de8b5edba6cc17882edcc744356
We used to skip the update installation if the battery doesn't reach the
threshold or the boot reason is in blacklist. Afterwards, we just cleared
the BCB and reboot/shutdown the device. However, this leaves the device
in a brick state if the update is a retry; because a subsequent reboot
won't resume the update after the BCB gets cleared.
This CL skips the battery and bootreason check on retries. An alternative
solution is to conduct the check and shutdown the device without clearing the
BCB on INSTALL_SKIPPED; but users who don't have context may reboot the
device manually anyway.
Bug: 65288661
Test: Trigger the INSTALL_SKIPPED with insufficient battery, and check
the behavior with retry_count.
Change-Id: I0bd8ae9cee0e35aeeec3df469a78cec9ee1b8db8
An interrupted update may stash extra blocks in /cache, leading to a
failure when checking the cache size. We can save the incremented
retry_count in the BCB before installing the update; and distinguish
a fresh update from an interrupted one this way.
Bug: 68679601
Test: An interrupted update reapplies successfully.
Change-Id: Ic1403e1fd25a937c91ef34c14b92a0f6c8f1c0f4
This reverts commit 26436d6d60 to re-land
"Move error_code.h into otautil.".
This way it stops requiring relative path ".." in LOCAL_C_INCLUDES
(uncrypt and edify). Soong doesn't accept non-local ".." in
"local_include_dirs".
This CL needs to land with device-specific module changes (e.g. adding
the dependency on libotautil).
Test: lunch aosp_{angler,bullhead,dragon,fugu,sailfish}-userdebug;
mmma bootable/recovery
Change-Id: If193241801af2dae73eccd31ce57cd2b81c9fd96
This way it stops requiring relative path ".." in LOCAL_C_INCLUDES
(uncrypt and edify). Soong doesn't accept non-local ".." in
"local_include_dirs".
Test: mmma bootable/recovery
Change-Id: Ia4649789cef2aaeb2785483660e9ea5a8b389c62
The earlier commit in 2dfc1a3898
unintentionally changed the behavior. It gives a different result when
looking up non-existent mount points (e.g. /cache on marlin).
The logic behind volume_for_path("/xyz") is unclear:
- It's fine to return non-null value if it's called by
ensure_path_mounted() before accessing that file "/xyz". (Just based
on the function name, we're not actually having this case.)
- It should return nullptr if the caller is interested in the existence
of that particular mount point "/xyz".
This CL renames the function to volume_for_mount_point(), which does an
exact match by querying the given mount point from libfs_mgr. The former
volume_for_path() has been moved down to function scope for serving
ensure_path_mounted() only.
Test: Build and boot into recovery on bullhead and marlin respectively.
'View recovery logs'.
Test: 'Mount /system'
Test: 'Apply update from ADB'
Change-Id: I1a16390f57540cae08a2b8f3d439d17886975217
Add a new option "Run locale test" to check the background text
images (i.e. texts for "erasing", "error", "no_command" and "installing"
with different locales.)
Use volume up/down button to cycle through all the locales embedded in
the png file, and power button to go back to recovery main menu.
Test: Run locale test with bullhead.
Change-Id: Ib16e119f372110cdb5e611ef497b0f9b9b418f51
This reverts commit 8be0f39fec to reland
the change that removes EXPAND/STRINGIFY macros.
It's error-prone by putting anything into a string (e.g.
EXPAND(RECOVERY_API_VERSION) would become "RECOVER_API_VERSION" if we
forgot to pass -DRECOVERY_API_VERSION=3).
The initial attempt put RECOVERY_API_VERSION into common.h, which might
be included by device-specific codes but without defining that when
compiling the module. This CL avoids the issue by using a constant
in the header, with a static_assert in recovery.cpp that guards the
consistency.
Test: recovery_component_test
Test: Sideload OTAs on bullhead and sailfish respectively.
Change-Id: I12af3f73392a85554ba703f04970ec9d984ccbaa
This CL adds ScreenRecoveryUI::DrawWrappedTextLines() to better handle
long menu header texts. It does a word wrap at spaces, if available.
This avoids fixed-length menu headers being truncated on small screens.
Bug: 64293520
Test: On bullhead, boot into recovery with --prompt_and_wipe_data, and
check the prompt texts.
Change-Id: Ia22746583516dd230567a267584aca558429395e
- Changed to std::string based implementation (mostly moved from the
former make_parents() in updater/install.cpp);
- Removed the timestamp parameter, which is only neeed by file-based OTA;
- Changed the type of mode from int to mode_t;
- Renamed dirCreateHierarchy() to mkdir_recursively().
Test: recovery_unit_test passes.
Test: No external user of dirCreateHierarchy() in code search.
Change-Id: I71f8c4b29bab625513bbc3af6d0d1ecdc3a2719a
When there's no command specified when booting into debuggable builds
(such as using `adb reboot recovery`), we turn on the text mode (i.e.
recovery menu) directly. This CL fixes the issue to avoid showing the
background image in a flash while turning on the text mode.
Bug: 63985334
Test: `fastboot boot $OUT/recovery.img` and it shows the recovery menu
directly without the no command image in a flash.
Change-Id: Id86bbe346ab76c8defc95e2b423e695a86774b09
When /cache is unwritable, recovery hits a crash loop. Because it
passes nullptr to fileno(3) when writing back the locale file. This
prevents user from recovering a device - it cannot boot far enough to
recovery menu which allows wiping /cache.
Bug: 63927337
Test: Corrupt /cache and boot into recovery on bullhead:
1. m -j recoveryimage
2. fastboot erase cache
3. fastboot boot $OUT/recovery.img
4. recovery menu shows up.
Change-Id: I1407743f802049eb48add56a36298b665cb86139