We have seen one case when bspatch failed likely due to patch
corruption. Since the package has passed verification before, we want
to reboot and retry the patch command again since there's no
alternative for users.
We won't delete the stash before reboot, and the src has passed SHA1
check. If there's an error on the patch, it will fail the package
verification during retry.
Bug: 37855643
Test: angler reboots and retries the update when bspatch fails.
Change-Id: I2ebac9621bd1f0649bb301b9a28a0dd079ed4e1d
We're not updating argc & argv during get_args(), so some boot
arguments missed when we set the boot message for retry.
Bug: 38383406
Test: boot command sets correctly during retry attempt.
Change-Id: Ie8583a22fad5e0084245e3431d4018518d508dfd
This reverts commit ec9706738f.
Reason for revert: It's not a good idea to put RECOVERY_API_VERSION in
common.h, which might be included by device-specific codes (but with
RECOVERY_API_VERSION undefined).
Change-Id: I9feb9c64a5af3e9165164622a59b043aa28a8b8c
They are error-prone by putting anything into a string (e.g.
EXPAND(RECOVERY_API_VERSION) would become "RECOVER_API_VERSION" if we
forgot to pass -DRECOVERY_API_VERSION=3).
RECOVERY_API_VERSION is the only user (in bootable/recovery) that gets
stringified. Assign it to a typed var and sanity check the value.
Don't see other reference to the macros from device-specific recovery
directories (they can still define that locally if really needed).
Test: recovery_component_test
Test: Sideload an OTA on angler and marlin respectively.
Change-Id: I358bbdf8f0a99db5ce4c7bc2fdcafe8013501b64
It's already a global declared in common.h which is included by
adb_install.cpp.
Remove '#include "minadbd/fuse_adb_provider.h"' that's not needed by
adb_install.cpp (minadbd takes care of that).
Test: mmma bootable/recovery
Change-Id: I6d08b7abc706b4b05de2ef46a57ced2204ad297e
recovery.cpp doesn't have a direct dependency on adb.h (only minadbd
does). 'adb.h' was once needed for DEFAULT_ADB_PORT, until being killed
by commit acb2a2fa4c.
Test: mmma bootable/recovery
Change-Id: I84f87988d01c3f0c3d1383cc3cffde2e7d5e7aea
Users can't do much after the install fails with the device showing
"error" under recovery. So our best choice is to reboot the device
since sometimes the system image is still bootable (i.e. on package
verification failure). At worst the device would stuck in a boot loop
where the users need the same professional knowledge to recover as
before.
Behaviors after installation failure (including data wipe):
If recovery text is visible:
No change.
If recovery text is not visible:
Old behavior: Wait under "error" screen. Reboot after UI timeout (120s)
if not connected to usb charger.
New behavior: Wait for 5s (shortens from the 120s timeout) under "error"
screen and reboot (w or w/o charger).
sideload-auto-reboot (only available for userdebug):
Old behavior: Reboot immediately after installation failure.
New behavior: Wait for 5s under "error" screen and reboot.
Bug: 35386985
Test: On angler user, device auto reboots 5s after a failing OTA.
Change-Id: I3ff0ead86e2ccec9445d6a2865bc2c463855f23c
Bug: 37401320
Test: build and push OTA and hit adb reboot recovery,quiescent. The screen should remain off throughout the upgrade process.
Change-Id: Ibed3795c09e26c4fa73684d40b94e40c78394d3f
Switch the locale header in the png files from Locale.toString() to
Locale.toLanguageTag(). For example, en_US --> en-us and sr__#Latn
--> sr-Latn. Also clean up recovery a bit to expect the new locale
format.
Bug: 35215015
Test: sr-Latn shows correctly under graphic tests && recovery tests pass
Change-Id: Ic62bab7756cdc6e5f98f26076f7c2dd046f811db
The call to read_metadata_from_package() is broken due to being passed
an invalid pointer (ZipArchiveHandle vs ZipArchiveHandle*). It's
introduced when switching from minzip to libziparchive. Compiler didn't
complain, because ZipArchiveHandle is typedef'd as void*, which legitly
accepts a void**.
Also clean up secure_wipe_partition() logs a bit by using android-base
logging.
Bug: 36427762
Test: Send a wipe package.
Change-Id: I791a0f09a066f1c257dae890e7ae13d02a02e78b
It used to return a REBOOT action on timeout, until the CL in commit
daefc1d442 that redefined the return value
of get_menu_selection() (changing from action to a menu index).
Prior to this CL, it was returning 0 (i.e. the value of Device::REBOOT)
to trigger the reboot. This CL specifies a return value of -1 to
indicate the timeout.
Test: Boot into a user build recovery; it reboots automatically on
timeout (120 sec).
Change-Id: I4aedb7a4628bf258017078fe73eb8b48a21d0ea8
Most of the changes are trivial.
Also update a dead reference to device_handle_key() in device.h comment,
and add some comments to get_menu_selection() function.
Test: `mmma bootable/recovery`
Change-Id: I59ef9213ec88ab35c0e7b8a7813ccf9c56dbd5c5
This was introduced in commit c87bab1018.
But the stage info should be passed through BCB only (there's a
dedicated field in struct bootloader_message).
This CL removes it from recovery arguments, and also moves 'stage'
variable to std::string.
Test: 'stage' variable is not used by any device-specific recovery code.
Test: Code search shows no hit of '--stages' use.
Change-Id: Iccbde578a13255f2b55dd4a928e9ecf487f16b97
This allows a quicker test for stage UI.
Bug: 27804510
Test: 'Run graphices test' with the new recovery image.
Change-Id: I47689ae8e4cac6d7e5d1f6a10b9e393d50d713f3
After reading one log entry, it should stay at the same menu position.
Test: 'View recovery logs' -> Read -> Exit
Change-Id: I4b579be4c2fe1e3a1dcc4873e128fd0b2d619ba3
People have been confused by the message and thought that's an error.
Test: Boot recovery on sailfish; choose 'View recovery logs'.
Change-Id: I2c540f18d6493c1a129233d10ecbc96823dd3601
Get rid of the malloc/realloc/free'd menus.
browse_directory() will only be called on devices with SD card. Tested
the CL by temporarily setting SDCARD_ROOT to a different location.
Test: See above.
Change-Id: I935e1bf4bad0273e3dff87fa2536924f1219adb5
-1 is not a valid exit status.
Also replace a few exit(1) with exit(EXIT_FAILURE).
Test: mmma bootable/recovery
Change-Id: I4596c8328b770bf95acccc06a4401bd5cabd4bfd
Test: Apply two A/B incremental OTAs with the new recovery image. The
one with incorrect pre-build should be blocked, while the other
works fine.
Change-Id: I94d97eb8798599da1630f66343fb603e87464187
Commit f0ed159f48 unintentionally changed
the behavior when parsing the arguments from BCB and command file. It
should only parse the command file for arguments if BCB doesn't supply
any.
As a result, it shows the following from the log:
I:Got 2 arguments from boot message
I:Got 3 arguments from /cache/recovery/command
Test: Set arguments in BCB and command file both. It should only use the
arguments from BCB.
Change-Id: Idf371137aa9177f1b2dfdfecf0c9f46959d2ee76
UI text is broken (doesn't show any text during FDR) due to commit
d530449e54, which reordered the calls to
RecoveryUI::SetLocale() and RecoveryUI::Init().
Because Init() uses the locale info to load the localized texts (from
images), the locale must be set prior to that via SetLocale(). This CL
refactors Init() to take the locale parameter, and removes the odd
SetLocale() API.
Bug: 34029338
Test: 'Run graphics test' under recovery.
Change-Id: I620394a3d4e3705e9af5a1f6299285d143ae1b01
In the event of a catastrophic data error which should never happen,
ask the user before wiping the device.
Test: Cause an init builtin to fail and generate this error, observe.
Bug: 28693324
Change-Id: I38a2b815157d816cba1f30ad37eb4cdcc01db582
This is a retry of commit 7e31f421a5.
Commit bd56f1590c switches to calling
write_bootloader_message(<options>) in get_args(), which
unintentionally resets the stage field thus breaks two-step OTAs.
This CL adds update_bootloader_message(<options>), which only sets
the command field (to "boot-recovery") and the recovery field (with
the specified options).
Bug: 33534933
Test: Apply a two-step package.
Test: recovery_component_test passes.
Change-Id: Ie0b1ed4053d2d3c97d9cb84310d616b28fcfc72e
This allows recovery to work on devices without screen.
The stub recovery UI does nothing except print to stdout.
Test: write 'recovery\n--wipe_data\n--reason=wipe_data_from_ota\n'
to misc and boot to recovery on a device without screen.
Bug: 33175036
Change-Id: Icde698aa2e2e29f4b3d0532dfd3c6a939ac2bc63
The passing of "--update_package=CACHE:foo" format has been removed
in Gingerbread, with commit 4baf641e7d96375eba3f9a3aff5400b9e3d28cd6
in frameworks/base (core/java/android/os/RecoverySystem.java).
Test: Recovery image with --update_package still works.
Change-Id: I37b56ccf98f62cadf2a3975bbc38b16fea6fe9a1
Commit f0ed159f48 didn't ensure mounting
COMMAND_FILE (i.e. /cache) prior to reading. Also the first argument in
COMMAND_FILE should not be dropped (unlike the first "recovery" argument
in BCB message).
Bug: 33431888
Test: Push /cache/recovery/command and recovery imag parses the
arguments successfully.
Change-Id: Ica3157a0bb03a2355315123354617eaf3fff15a4
This reverts commit 8584fcf677.
This CL re-lands commit c0319b60f5.
The "stage" and "reason" variables are now declared as global by
dropping the static qualifier, because they may be used by vendor
recovery libraries.
Test: lunch aosp_angler-userdebug; mmma bootable/recovery
Test: lunch aosp_dragon-userdebug; mmma bootable/recovery
Change-Id: I252c346f450079478cff22bbff01590b8ab2e2b3
- Remove the duplicate gCurrentUI variable in recovery.cpp;
- Refactor the load/save of locale functions;
- Clean up ui_print() to get rid of 256-byte buffer limit;
- Declare ui in common.h;
- Move the typedef of Volume into roots.h.
Test: Build and boot into recovery image.
Change-Id: Ia28c116858ca754133127a5ff9c722af67ad55b7
Skip the OTA installation when bootreason is 'kernel_panic',
'Panic' etc.
Change-Id: Ic1202492bffefa1a9d8d0e691b5af979285e552c
Test: On angler, ota installation skips for one bootreason in the blacklist.
Bug: 29978689
(cherry picked from commit 27b9fc8a36)
To increase the security of wiping A/B devices, let uncrypt write
wipe package in misc partition. Then recovery verifies the wipe
package before wiping the device.
Based on the original cherrypick, this CL also has additional changes to
address the LOG statements and libziparchive changes.
Bug: 29159185
Test: Build and boot into recovery.
Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168
(cherry picked from commit 6faf0265c9)
bootloader_messages merges bootloader_message_writer
and bootloader.cpp, so we can use the same library to
manage bootloader_message in normal boot and recovery mode.
Bug: 29582118
Change-Id: I9efdf776ef8f02b53911ff43a518e035e0c29618
(cherry picked from commit 2f272c0551)
Clean up the duplicated codes that handle the zip files in
bootable/recovery; and rename the library of the remaining
utility functions to libotautil.
Test: Update package installed successfully on angler.
Bug: 19472796
Change-Id: Iea8962fcf3004473cb0322b6bb3a9ea3ca7f679e
