The recovery system behaves a little bit differently on userdebug or
eng builds by presenting error reports to the user in the ui.
This is controlled by checking the build fingerprint for the string
:userdebug/ or :eng/. But with AOSP version numbers most AOSP
builds blows the 92 char limit of ro.build.fingerprint and therefore
the property is not set, so this condition will always be evaluated
to false, for most builds.
Instead of depending on the flaky ro.build.fingerprint this change
uses ro.debuggable.
Change-Id: I74bc00c655ac596aaf4b488ecea58f0a8de9c26b
Create a new recovery UI option to allow the user to view
/cache/recovery/last_log for their device. This gives enhanced
debugging information which may be necessary when a failed
OTA occurs.
Bug: 18094012
Change-Id: Ic3228de96e9bfc2a0141c7aab4ce392a38140cf3
We need to wipe the challenges on this partition
if OEM unlock is enabled, as this is a signal that
the user has opted out of factory reset protection.
go/factory-reset
Bug: 16633064
Change-Id: Icb8f1433bf99ca57813f5b72d5a3dd15fa94a263
Make a fuse filesystem that sits on top of the selected package file
on the sdcard, so we can verify that the file contents don't change
while being read and avoid copying the file to /tmp (that is, RAM)
before verifying and installing it.
Change-Id: Ifd982aa68bfe469eda5f839042648654bf7386a1
Drop support for sideloading OTA packages of the cache partition (a
half-solution that's long since been deprecated by "adb sideload").
Refactor the code to sideload OTA packages from SD cards: remove the
installation code from the file browser.
Change-Id: Id0dff6b27c4a5837546f174f50e2e1d0379c43db
Implement a new method of sideloading over ADB that does not require
the entire package to be held in RAM (useful for low-RAM devices and
devices using block OTA where we'd rather have more RAM available for
binary patching).
We communicate with the host using a new adb service called
"sideload-host", which makes the host act as a server, sending us
different parts of the package file on request.
We create a FUSE filesystem that creates a virtual file
"/sideload/package.zip" that is backed by the ADB connection -- users
see a normal file, but when they read from the file we're actually
fetching the data from the adb host. This file is then passed to the
verification and installation systems like any other.
To prevent a malicious adb host implementation from serving different
data to the verification and installation phases of sideloading, the
FUSE filesystem verifies that the contents of the file don't change
between reads -- every time we fetch a block from the host we compare
its hash to the previous hash for that block (if it was read before)
and cause the read to fail if it changes.
One necessary change is that the minadbd started by recovery in
sideload mode no longer drops its root privileges (they're needed to
mount the FUSE filesystem). We rely on SELinux enforcement to
restrict the set of things that can be accessed.
Change-Id: Ida7dbd3b04c1d4e27a2779d88c1da0c7c81fb114
The "--shutdown_after" option causes recovery to power down the device
on completion rather than rebooting.
Removes the last vestiges of the "--previous_runs" argument, which
doesn't seem to be used for anything.
Change-Id: I465eda2ef59d367e2b1c79a8dc69831263c69a4d
Reduce the number of copies of libpng boilerplate. Rename
res_create_* functions to be more clear. Make explicit the use of the
framebuffer pixel format for images, and handle more combinations of
input and output (eg, loading a grayscale image for display rather
than use as a text alpha channel).
Change-Id: I3d41c800a8f4c22b2f0167967ce6ee4d6b2b8846
In order to support multi-stage recovery packages, we add the
set_stage() and get_stage() functions, which store a short string
somewhere it can be accessed across invocations of recovery. We also
add reboot_now() which updater can invoke to immediately reboot the
device, without doing normal recovery cleanup. (It can also choose
whether to boot off the boot or recovery partition.)
If the stage string is of the form "#/#", recovery's UI will be
augmented with a simple indicator of what stage you're in, so it
doesn't look like a reboot loop.
Change-Id: I62f7ff0bc802b549c9bcf3cc154a6bad99f94603
Change I84c0513acb549720cb0e8c9fcbda0050f5c396f5 moved reboot
functionality into init but did not update the recovery partition; so
"adb reboot" and /system/bin/reboot in recovery are both broken.
Change-Id: Ie2d14627a686ffb5064256b6c399723636dff116
When installing a package, we should have /tmp and /cache mounted and
nothing else. Ensure this is true by explicitly mounting them and
unmounting everything else as the first step of every install.
Also fix an error in the progress bar that crops up when you do
multiple package installs in one instance of recovery.
Change-Id: I4837ed707cb419ddd3d9f6188b6355ba1bcfe2b2
Recovery changes:
- add a method to the UI class that is called when a key is held down
long enough to be a "long press" (but before it is released).
Device-specific subclasses can override this to indicate a long
press.
- do color selection for ScreenRecoveryUI's menu-and-log drawing
function. Subclasses can override this to customize the colors they
use for various elements.
- Include the value of ro.build.display.id in the menu headers, so you
can see on the screen what version of recovery you are running.
Change-Id: I426a6daf892b9011638e2035aebfa2831d4f596d
When doing a cache wipe or a factory reset (which includes a cache
wipe), save any last* log files in the /cache/recovery directory and
write them back after reformatting the partition, so that wiping data
doesn't lose useful log information.
Change-Id: I1f52ae9131760b5e752e136645c19f71b7b166ee
Recovery currently has a random mix of messages printed to stdout and
messages printed to stderr, which can make logs hard to read. Move
everything to stdout.
Change-Id: Ie33bd4a9e1272e731302569cdec918e0534c48a6
Copy logs to /cache immediately upon a package installation failure;
don't wait for recovery to finish. (If the user reboots without
exiting recovery the "right" way, the logs never get copied at all.)
Change-Id: Iee342944e7ded63da5a4af33d11ebc876f6c0835
Extends the last_log mechanism to save logs from the last six
invocations of recovery, so that we're more likely to have useful logs
even if the device has repeatedly booted into recovery.
Change-Id: I08ae7a09553ada45f9e0733fe1e55e5a22efd9f9
Hopefully this will reduce the number of OTA "bugs" reported that are
really just someone having changed their system partition,
invalidating future incremental OTAs.
Also fixes a longstanding TODO about putting LOGE() output in the
on-screen display.
Change-Id: I44e5be65b2dee7ebce2cce28ccd920dc3d6e522e
Get rid of the notion of a font's "ascent"; the reference point for
drawing is the top-left corner of the character box rather than the
baseline. Add some more space between the menu entries and make the
highlight bar around the text.
Replace the default font.png with two images; the build system will
include one or the other based on the resolutions of the device.
Restore the original compiled-in bitmap font, to fall back on when
font.png can't be found (eg, in the charger binary).
Add support for bold text (when a font.png image is used).
Change-Id: I6d211a486a3636f20208502b1cd2aeae8b9f5b02
At load_locale_from_cache() function, LOCALE_FILE must get closed
after it is opened and used. Otherwise it causes a failure to
unmount "/cache" after load_locale_from_cache() function is called.
Change-Id: I9cec0f29a8ec4452c8a6a52e2f3c8ce9930d5372
Signed-off-by: Iliyan Malchev <malchev@google.com>
We need prompt_with_wait() to show either the ERROR or NO_COMMAND
state as appropriate.
Bug: 7221068
Change-Id: I191526cf12630d08b7a8250a2a81e724a4a5d972
Add images of text for all locales we support. Make the progress bar
fill the correct way for RTL languages. (Flip the direction the
spinner turns, too, just for good measure.)
Bug: 7064142
Change-Id: I5dddb26e02ee5275c57c4dc4a03c6d68432ac7ba
- change locale filename to "last_locale" so the main system doesn't
delete it
- clean up some chatty logging
- update images with real German (other languages TBD)
Change-Id: I2ebb4ed4e054bd1808a3042d9efbb2c18f3a044d
- recovery takes a --locale argument, which will be passed by the main
system
- the locale is saved in cache, in case the --locale argument is
missing (eg, when recovery is started from fastboot)
- we include images that have prerendered text for many locales
- we split the background states into four (installing update,
erasing, no command, error) so that appropriate text can be shown.
Change-Id: I731b8108e83d5ccc09a4aacfc1dbf7e86b397aaf
- add the --just_exit option to make recovery exit normally without doing anything
- make it possible to build updater extensions in C++
- add the clear_display command so that the updater binary can request
recovery switch to the NONE background UI
These are all used to support the notion of using OTA as a factory
reflash mechanism.
Change-Id: Ib00d1cbf540feff38f52a61a2cf198915b48488c
The contribution of SELinux things to AOSP had a call to the old
ui_print that merged cleanly. This changes that call into the newer
call so it will actually compile when enabled.
Change-Id: I8368e937219b01d0bef06007fa46302415256d07
Rather than depending on the existence of some place to store a file
that is accessible to users on an an unbootable device (eg, a physical
sdcard, external USB drive, etc.), add support for sideloading
packages sent to the device with adb.
This change adds a "minimal adbd" which supports nothing but receiving
a package over adb (with the "adb sideload" command) and storing it to
a fixed filename in the /tmp ramdisk, from where it can be verified
and sideloaded in the usual way. This should be leave available even
on locked user-build devices.
The user can select "apply package from ADB" from the recovery menu,
which starts minimal-adb mode (shutting down any real adbd that may be
running). Once minimal-adb has received a package it exits
(restarting real adbd if appropriate) and then verification and
installation of the received package proceeds.
always initialize usb product, vendor, etc. for adb in recovery
Set these values even on non-debuggable builds, so that the mini-adb
now in recovery can work.
Rather than depending on the existence of some place to store a file
that is accessible to users on an an unbootable device (eg, a physical
sdcard, external USB drive, etc.), add support for sideloading
packages sent to the device with adb.
This change adds a "minimal adbd" which supports nothing but receiving
a package over adb (with the "adb sideload" command) and storing it to
a fixed filename in the /tmp ramdisk, from where it can be verified
and sideloaded in the usual way. This should be leave available even
on locked user-build devices.
The user can select "apply package from ADB" from the recovery menu,
which starts minimal-adb mode (shutting down any real adbd that may be
running). Once minimal-adb has received a package it exits
(restarting real adbd if appropriate) and then verification and
installation of the received package proceeds.
Change-Id: I6fe13161ca064a98d06fa32104e1f432826582f5
