There is an unclear error message if we run
`fastboot --disable-verification flash boot boot.img` on a
AVB-disabled device without a /vbmeta partition.
Error message:
terminating with uncaught exception of type std::out_of_range: basic_string
Aborted
This is because the buf->fd of the loaded boot.img is not reset,
before returning from function copy_boot_avb_footer().
Also reset some changes in copy_boot_avb_footer() from commit
If83f785e235569ee8ef0de2b37f11dbd2a9a71f4, to prevent the
unnecessary read of the boot vbmeta if no need to copy the
boot image avb footer.
Bug: 191903922
Test: `fastboot --disable-verification flash boot boot.img` on a device
without /vbmeta and without setting BOARD_AVB_ENABLE to true.
Change-Id: If84f08f1b2e12c4c6ded5cafda2bd1d30e75c662
As per the bug, this option has been obsolete for years
and only causes confusion.
Bug: 167694738
Test: fastboot can still wipe
Change-Id: I24a21cb6110d61dec4af800a1fab0bcedc0a3d5c
Add the OUT_FILE parameter to the documentation of fetch which fails if
used as currently (erroneously) documented:
$ fastboot fetch boot
fastboot: usage: expected argument
Test: fastboot help
Change-Id: Ia06d40c2f754e1a55a2052cb84e81f96e71b4573
Allow using --force to bypass flashing requirements
from android-info.txt.
We often provide builds to deviceholders who don't have
an exact matching bootloader or radio image and it is
unimportant. Having the option to override is useful.
This shouldn't affect bootloader.img so should never
prevent a device from returning to fastboot in case of
gross error.
Test: Downloaded a build w/ different radio.
Got the following output:
...
Checking 'version-baseband' FAILED
Device version-baseband is 'xyz'.
Update requires 'abc' or '123'.
requirements not met! but proceeding due to --force
Setting current slot to 'a' OKAY [ 0.065s]
Bug: 184661990
Change-Id: I8680b8275b854304026cff3b2e663b7ef2594383
Change mkbootimg() to return void, as we already have a |out| parameter.
Bug: 183455415
Test: Presubmit
Change-Id: I51439e273752ab9e21f8d7138e900ea55bdfdfc0
Do not use the implicit cast from unique_fd to int so
that it is clearer to the reader what the ownership model
is.
Test: pass
Change-Id: Iaf40a6eed3fcfd001651980c865ed5efb85ac0eb
load_sparse_files assumes that the client maintains
the lifetime of the input fd is longer than
the output sparse_file handle.
Bug: 183409401
Bug: 183223098
Test: flash super image
Change-Id: I295b912c665577b5767a133f3148e58a22733998
When a user issues `fastboot flash vendor_boot:foo ramdisk.img`, the fastboot driver
fetches the vendor_boot image from the device,
determines if `foo` is a valid vendor ramdisk fragment,
repacks a new vendor boot image, then
flash the vendor boot image back.
This requires vendor boot header V4.
As a convinent alias, `fastboot flash vendor_boot:default ramdisk.img`
flashes the whole vendor ramdisk image. This works on vendor boot header
V3 & 4.
Fixes: 173654501
Test: pass
Change-Id: I42b2483a736ea8aa9fd9372b960502a642934cdc
If fastboot flash vendor_boot:default, only
call has-slot on the first token, and append slot
to the first token only.
Test: fastboot flash vendor_boot:default
Bug: 173654501
Change-Id: I8ff7b3a0bafb964792ab8a788d64d14bc47ae83d
The `fastboot fetch` command is a wrapper around
the fetch protocol. It:
- getvar max-fetch-size
- get the size of the partition
- read the data by chunks, chunk size = max-fetch-size.
The name of the partition is passed directly to the device
(with the usual has-slot magic for flashing etc.) If we support
fetching partitions other than vendor_boot in the future, no change
in the driver is needed.
Bug: 173654501
Test: manual
Change-Id: Ie576eea668234df236b096a372e65c5e91c1e48c
fastboot_buffer owns the fd. Make ImageSource::Open()
returns a unique_fd and pass ownership all the way
down to the fastboot_buffer to avoid leaking fds.
Test: none
Change-Id: I9e7e176fc1da74c532a86d0fdba0113bdc81a166
Some devices, such as the Essential PH-1, don't have an
updated bootloader and the bootloader is appending an extra
underscore.
This patch works around that issue by sanitizing the slot to be
inline with modern expectations.
Offending commit: 42b18a518b
Most of the commit above is not needed because an underscore + slot
is automatically appended when flashing to a partition. Normally, this
would result in something like boot__b instead of boot_b, where b is the
current slot.
Test: flash an image on mata without specifying slot, boots
Change-Id: Ia0b7cee603a4f9ba2e3a61ce6e369ca8c07a7caf
The pvmfw partition holds the protected VM firmware that is used by
Protected KVM to bootstrap the trust in protected VMs. Teach fastboot
about the partition so it gets flashed with flashall.
pvmfw is an AVB chained partition so is marked as BootCritical to allow
ABL's AVB verification to pass.
Test: tab complete and flashall
Bug: 171280178
Change-Id: Ie4cc478de25a945bc510488d87c2bee3aa5031f2
If the flashed boot image is smaller than the block device, the AVB
footer will not be at the end of the partition. Although images are
normally created to match the partition size the GKI boot.img must work
on all devices, and the size of the boot partition will vary.
Copy the AVB footer to the end of the partition before flashing, if it
is not there already.
Bug: 159377163
Change-Id: I5a5e25fb54dc9d6a2930fda63434968808ffa1f0
Status() is called with an empty string to handle `fastboot oem`
commands. This currently emits a set of spaces and sets
last_start_time such that the epilog can track the time spent in this
command. Emitting the spaces is problematic however, since it results
in the follow:
$ fastboot oem device-info
(bootloader) Verity mode: false
(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: true
(bootloader) Charger screen enabled: true
OKAY [ 0.000s]
Finished. Total time: 0.000s
If we skip emitting the spaces, then we get the correct result:
$ fastboot oem device-info
(bootloader) Verity mode: false
(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: true
(bootloader) Charger screen enabled: true
OKAY [ 0.001s]
Finished. Total time: 0.001s
There are no other uses of Status() with an empty string, so this
changes won't impact other commands.
Bug: 158310284
Test: fastboot formats this and other commands correctly.
Change-Id: I6294acefc65a8399160c0944b3fbc2f2ace919ed
The Nexus 7 bootloader just returns the empty string for unknown
variables, which confused the new snapshot code.
Bug: https://issuetracker.google.com/158232468
Test: no Nexus 7 available during covid-19 :-(
Change-Id: I35ff8889b27944e8b7426eca4f513d9fa562c6d4
It's not possible to programmatically determine which fastboot mode a
device is in, without sending a getvar:is-userspace query. Unfortunately
this is not possible asynchronously, and may interrupt other queries
being processed.
This patch changes fastbootd's USB interface name to "fastbootd". Note
that tools use the protocol number/class and not this string, so it
should be safe to extend. When using "fastboot devices", the interface
name is now listed if set. Note that currently only the Linux version of
the fastboot tool is capable of reading the interface name.
Bug: 156966319
Test: fastboot devices on Linux
Change-Id: I57ccf2bec1dda573fe3ac628a646624b76f45905
Support v3 header format when changing the command line with
fastboot boot or using flash:raw.
Bug: 151750405
Test: fastboot boot and flash:raw with updated cmdline and v3 header
Change-Id: Ibf396e2d18d8b22cad50db290f3fd4e46ff85d9b
When a snapshot is applied or is merging, requests to erase or flash
userdata, metadata, or misc must be protected. In addition, the
set_active command must be restricted when a merge is in progress.
In addition, introduce a "snapshot-update merge" command for assisting
with erase requests when a merge is in progress. As in recovery, this
will force a merge to complete.
Bug: 139154945
Test: apply update
fastboot erase userdata
fastboot erase metadata
fastboot erase misc
fastboot set_active
Change-Id: I152446464335c62c39ffb4cc6366be9de19eac30
This introduces two new commands to the fastboot protocol:
- getvar snapshot-update-status - Return "none", "snapshotted", or
"merging" depending on the current status set by the boot control
HAL.
- snapshot-update [cancel] - Cancel any pending snapshot-based updates
via the boot control HAL. After this, the HAL should return
MergeStatus::CANCELLED and "update-merge-status" should be "none".
If no argument is specified, the snapshot-update-status is returned
via an INFO response.
Bootloaders are expected to implement this in a manner consistent with
the boot control HAL.
Fastboot-based tooling should expect wipes of userdata to fail when
update-merge-status returns "merging". Thus, the force flag now cancel
any pending snapshots.
Bug: 139154945
Test: fastboot getvar snapshot-update-status
fastboot snapshot-update cancel
fastboot snapshot-update
Change-Id: Idc423fe7656b212e929e64eb0e6b85b453e0e8dc
If top-level vbmeta struct is in 'boot' partition,
the "flags" element offset of top-level vbmeta header
from the beginning of boot partition is 123 plus
top-level vbmeta offset recorded in the boot image footer.
Bug: 139639521
Test: m fastboot
Test: fastboot --disable-verification flashall
Test: fastboot --disable-verification flash boot boot.img, checks the
flag isn't changed if the device has vbmeta partition
Test: fastboot --disable-verification flash vbmeta vbmeta.img
Change-Id: Ibf73c9330639e971ee3873ac19f072cf7baed55b
load_buf_fd() attempts to find the size of the file that it is about
to load by first calling sparse_file_import_auto() then using
sparse_file_len() upon success or falling back to the file size on the
filesystem on failure.
This is problematic however as sparse_file_import_auto() creates a
sparse_file out of the normal file, but does not resparse it, so an
assertion fails during the sparse_file_len() call.
This is fixed by using sparse_file_import() instead. This will fail
in the case that the file is not sparse and the call to
sparse_file_len() will be properly skipped.
Bug: 140538105
Test: flash blueline factory image with assertions enabled in
libsparse/sparse.cpp
Change-Id: I0283be33563a3301ce5b09bde41105a20f91086c
originally if wants_wipe=true, program will erase and format partitions,
but after fb->Erase(), partition type should be raw(all 0xFFs),
then following fb_perform_format() will miss its original partition_type
Now we call fb_perform_format() with original fs type to keep the
partition consistent after wiping.
Change-Id: Ic778850588d5dd6fee23169d20c26bcbaa510627
The vendor_boot partition has been created, so add it to the list of
images which may be flashed.
Bug: 137297791
Change-Id: I27eaa16656a83dbcb8289680844bf58dd1fccf24
Update adb, fastboot and mount point
Bug: 134359158
Test: build and check if system_ext.img can be flashed
Change-Id: I6219f72242c5fe42a508008c0b1fd218d74da5b6
Usage: fastboot wipe-super [super_empty.img]
This command will read the given super_empty.img (using the default one
in ANDROID_PRODUCT_OUT if not specified), and flash by generating a
temporary super.img with no partition data. This command will even work
on retrofit devices.
This command is intended to be used either during device bringup or with
scripts that will manually flash individual dynamic partitions, in place
of using "fastboot flashall".
Bug: 136282057
Test: fastboot wipe-super on retrofit and non-retrofit device
Change-Id: Icab368a63ff36fcce9ac9304eb3966dd38bd78c4
Currently, during a 'fastboot flashall/fastboot update', the 'getvar
max-download-size' command is issued once to the device when it is in
bootloader mode and the same value is used even after the device boots
into fastbootd. If the max-download-size returned by bootloader is
greater than the max-download-size in fastbootd, this could break flash
as large images are broken down into chunks before downloading by using
the max-download-size variable. This will cause fastbootd to return
an error since it checks whether the buffer being downloaded has a size
greater than the max-download-size limit.
Test: fastboot flashall
Bug: 536870912
Change-Id: Ife7c1ec0583d80d4a31ecf01f1fc14a8365afe0d
Switch FindEntry and the ZipString constructor to std::string_view. This
lets us accept an over-long name so that we can reject it as too long.
Also fastboot changes to track the API change.
Bug: http://b/129068177
Test: treehugger
Change-Id: I7df7acd1fe2c46380b789c25f8909e0553e2d55e
This is required for read() to function correctly
in Windows since it behaves differently in text mode and
binary mode and may cause unpredictable behavior depending
on the contents of the image file.
Bug: 129281908
Test: fastboot.exe flashall
Change-Id: I64370af44a050bafea60ff1b0b2be18cc531480a
The function do_for_partitions() takes a const std::string
reference, so it's inefficient to pass a std::string::c_str().
Test: TreeHugger
Change-Id: Ia84ed9ec691ee2f524c61dd25a81b2995bb0bb33
This command erroneously reports that no GSI is installed, because
/metadata is not mounted in recovery. To address this, temporarily mount
/metadata when the gsi command is invoked.
Bug: 122556707
Test: fastboot gsi disable
fastboot gsi wipe
Change-Id: Ib21971b49b46fd580b902ff75f01cfb96192afc0
