| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change was original made in cw-f-dev but caused failures in
nyc-mr1-dev-plus-aosp due to lack of support for 'LOGE'
This version of the change uses the new 'LOG(ERROR)' style logging
instead.
See bug b/31395655
Test: attempt a memory intensive incremental OTA on a low-memory device
Change-Id: Ia87d989a66b0ce3f48e862abf9b9d6943f70e554
(cherry picked from commit c8db4817809e163d887f7955a03ad0f97159f12b)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables sideloading an OTA on A/B devices while running from
recovery. Recovery accepts the same OTA package format as recent
versions of GMS, which consists of .zip file with the payload in it.
Bug: 27178350
TEST=`adb sideload` successfully a full OTA (*)
TEST=Failed to take several invalid payloads (wrong product,
fingerprint, update type, serial, etc).
<small>(*) with no postinstall script.</small>
Change-Id: I951869340100feb5a37e41fac0ee59c10095659e
(cherry picked from commit 4344d636d4f8687054593f88ddd7509ff8581419)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 8584fcf677dd45b30121bd0490b06297e6be1871.
This CL re-lands commit c0319b60f56d445c2d1c74f551e01f069b028fe6.
The "stage" and "reason" variables are now declared as global by
dropping the static qualifier, because they may be used by vendor
recovery libraries.
Test: lunch aosp_angler-userdebug; mmma bootable/recovery
Test: lunch aosp_dragon-userdebug; mmma bootable/recovery
Change-Id: I252c346f450079478cff22bbff01590b8ab2e2b3
|
|
|
|
|
|
|
|
| |
This reverts commit c0319b60f56d445c2d1c74f551e01f069b028fe6.
Reason for revert: Broke builds.
Change-Id: I82aa880b83de5ae6c36fd7567cb001920559a972
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Remove the duplicate gCurrentUI variable in recovery.cpp;
- Refactor the load/save of locale functions;
- Clean up ui_print() to get rid of 256-byte buffer limit;
- Declare ui in common.h;
- Move the typedef of Volume into roots.h.
Test: Build and boot into recovery image.
Change-Id: Ia28c116858ca754133127a5ff9c722af67ad55b7
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To increase the security of wiping A/B devices, let uncrypt write
wipe package in misc partition. Then recovery verifies the wipe
package before wiping the device.
Based on the original cherrypick, this CL also has additional changes to
address the LOG statements and libziparchive changes.
Bug: 29159185
Test: Build and boot into recovery.
Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168
(cherry picked from commit 6faf0265c9b58db2c15b53f6d29025629d52f882)
|
|
|
|
|
|
|
|
|
|
|
| |
Clean up the duplicated codes that handle the zip files in
bootable/recovery; and rename the library of the remaining
utility functions to libotautil.
Test: Update package installed successfully on angler.
Bug: 19472796
Change-Id: Iea8962fcf3004473cb0322b6bb3a9ea3ca7f679e
|
|
|
|
|
|
|
|
|
| |
Also change its logging statement from PLOG to LOG, since
android::base::StartsWith() doesn't set errno.
Test: Build and reboot into recovery image. Check last_log.
Change-Id: I55ac7eec24228db76a13580958b4a4330b06cf57
|
|
|
|
|
|
|
|
|
| |
Add the error codes for uncrypt and report the failure details in
uncrypt_status.
Test: uncrypt_error logs correctly in last_install
Bug: 31603820
Change-Id: I8e0de845ce1707b6f8f5ae84564c5e93fd5f5ef5
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we save the OTA metrics in last_install, which keeps the data
for the _last_ install only. This CL logs the same content into last_log
so that we keep the metrics for every install.
Bug: 31607469
Test: Apply an update (via OTA and sideload) and check last_log and last_install.
Change-Id: Id8f174d79534fddc9f06d72a4e69b2b1d8ab186c
|
|
|
|
|
| |
Bug: 31383361
Change-Id: I0de920916da213528d73b742e4823b4a98c63ea1
|
|
|
|
|
|
|
|
|
|
|
| |
Save the uncrypt time cost to /cache/recovery/uncrypt_status. Recovery
reads the file and saves its contents to last_install.
Bug: 31383361
Test: Tested on angler and uncrypt_time reports correctly.
Change-Id: I5cd3f7b6ca069d69086d09acfea8fc4f1215c833
Merged-In: I5cd3f7b6ca069d69086d09acfea8fc4f1215c833
|
|
|
|
|
|
|
|
| |
Clean up the recovery image and switch to libbase logging.
Bug: 28191554
Change-Id: Icd999c3cc832f0639f204b5c36cea8afe303ad35
Merged-In: Icd999c3cc832f0639f204b5c36cea8afe303ad35
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Use const reference type for read-only parameters.
Bug: 30407689
* Use faster overloaded string find function.
Bug: 30411878
* Add parentheses around macro parameters.
Bug: 28705665
Test: build with WITH_TIDY=1
Change-Id: I4e8e5748bfa4ae89871f1fb5fa4624d372530d75
|
|\
| |
| |
| |
| |
| | |
am: f599414aec
Change-Id: Id96153c211ca1fcc1cd78d6e662b0b48795c0d76
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Keys for package verification is loaded after the update
package is mmaped into memory. This mmaped area needs
to be freed when exiting the function.
Another approach would be to mmap after loading the keys.
Change-Id: Ib77711a8acd5c363b5517da12dc311fb8f9f4605
Signed-off-by: WiZarD <WiZarD.Devel@gmail.com>
|
|\|
| |
| |
| | |
Change-Id: Iba5aec266444cabf83f600f2bdb45a3c027e5995
|
| |
| |
| |
| |
| | |
Bug: http://b/29250988
Change-Id: Ia97ba9082a165c37f74d6e1c3f71a367adc59945
|
|\ \
| | |
| | |
| | |
| | |
| | | |
am: b0ddae55e5
Change-Id: Ifd9e006588de8bea233a4e90a5c80ed6b894054a
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Parse the build.version.incremental from the metadata of the update
package; and log it to last_install.
Example:
In metadata we read:
post-build-incremental=2951741
pre-build-incremental=2943039
In last install we log:
source_build: 2943039
target_build: 2951741
Bug: 28658632
Change-Id: I0a9cc2d01644846e18bda31f4193ff40e8924486
|
|\| |
| | |
| | |
| | | |
Change-Id: I2194d1170281f58eb508f2ef63b39c8729125f76
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
If the update is a retry, ioctl(BLKDISCARD) the destination blocks before
writing to these blocks.
Bug: 28990135
Change-Id: I1e703808e68ebb1292cd66afd76be8fd6946ee59
|
|\| |
| | |
| | |
| | | |
Change-Id: I42c127f7946e678acf6596f6352f090abc0ca019
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Write error code, cause code, and retry count into last_install. So we
can have more information about the reason of a failed OTA.
Example of new last_install:
@/cache/recovery/block.map package name
0 install result
retry: 1 retry count (new)
error: 30 error code (new)
cause: 12 error cause (new)
Details in:
go/android-ota-errorcode
Bug: 28471955
Change-Id: I00e7153c821e7355c1be81a86c7f228108f3dc37
|
|\| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
am: dd874b1c87
* commit 'dd874b1c87eb04f28db0db2629df0adde568a74c':
Add time and I/O info to last_install
Change-Id: I02aa858d5ce488d3acbf5400811e2565cf7d9c75
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
One example of last_install is:
/sideload/package.zip
1
time_total: 101
bytes_written_system: 14574000
bytes_stashed_system: 100
bytes_written_vendor: 5107400
bytes_stashed_vendor: 0
Bug: 28658632
Change-Id: I4bf79ea71a609068d38fbce6b41bcb892524aa7a
|
|\| |
| |/
|/|
| | |
Change-Id: I423937b4b20a2079714aa38ab7f8b199782df689
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This changes the verification code in bootable/recovery to use
BoringSSL instead of mincrypt.
Cherry-pick of 452df6d99c81c4eeee3d2c7b2171901e8b7bc54a, with
merge conflict resolution, extra logging in verifier.cpp, and
an increase in the hash chunk size from 4KiB to 1MiB.
Bug: http://b/28135231
Change-Id: I1ed7efd52223dd6f6a4629cad187cbc383d5aa84
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When I/O error happens, reboot and retry installation two times
before we abort this OTA update.
Bug: 25633753
Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69
(cherry picked from commit 3c62b67faf8a25f1dd1c44dc19759c3997fdfd36)
|
| |
| |
| |
| |
| |
| |
| | |
This changes the verification code in bootable/recovery to use
BoringSSL instead of mincrypt.
Change-Id: I37b37d84b22e81c32ac180cd1240c02150ddf3a7
|
| |
| |
| |
| |
| |
| |
| |
| | |
When I/O error happens, reboot and retry installation two times
before we abort this OTA update.
Bug: 25633753
Change-Id: Iba6d4203a343a725aa625a41d237606980d62f69
|
|/
|
|
|
| |
Bug: 26906328
Change-Id: Iebaf03db0cb3054f91715f8c849be6087d01b27b
|
|
|
|
|
|
|
|
| |
Move to using std::vector and std::unique_ptr to manage key
certificates to stop memory leaks.
Bug: 26908001
Change-Id: Ia5f799bc8dcc036a0ffae5eaa8d9f6e09abd031c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Although stdout and stderr are both redirected to log file with no
buffering, we are seeing some outputs are mixed in random order.
This is because ui_print commands from the updater are passed to the
recovery binary via a pipe, which may interleave with other outputs
that go to stderr directly.
In recovery, adding ui::PrintOnScreenOnly() function to handle
ui_print command, which skips printing to stdout. Meanwhile, updater
prints the contents to stderr in addition to piping them to recovery.
Change-Id: Idda93ea940d2e23a0276bb8ead4aa70a3cb97700
|
|
|
|
|
|
|
|
| |
These commands are for the communication between the installer and the
update binary (edify interpreter). Update the comments in sync with the
codes.
Change-Id: I7390f022b1447049a974b0b45697ef1d2e71d4e0
|
|
|
|
|
|
|
|
|
|
| |
Currently it rotates the log files every time it boots into the recovery
mode. We lose useful logs after ten times. This CL changes the rotation
condition so that it will rotate only if it performs some actual
operations that modify the flash (installs, wipes, sideloads and etc).
Bug: 19695622
Change-Id: Ie708ad955ef31aa500b6590c65faa72391705940
|
|
|
|
| |
Change-Id: Ia897aa43e44d115bde6de91789b35723826ace22
|
|
|
|
| |
Change-Id: I0737456e0221ebe9cc854d65c95a7d37d0869d56
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement a new method of sideloading over ADB that does not require
the entire package to be held in RAM (useful for low-RAM devices and
devices using block OTA where we'd rather have more RAM available for
binary patching).
We communicate with the host using a new adb service called
"sideload-host", which makes the host act as a server, sending us
different parts of the package file on request.
We create a FUSE filesystem that creates a virtual file
"/sideload/package.zip" that is backed by the ADB connection -- users
see a normal file, but when they read from the file we're actually
fetching the data from the adb host. This file is then passed to the
verification and installation systems like any other.
To prevent a malicious adb host implementation from serving different
data to the verification and installation phases of sideloading, the
FUSE filesystem verifies that the contents of the file don't change
between reads -- every time we fetch a block from the host we compare
its hash to the previous hash for that block (if it was read before)
and cause the read to fail if it changes.
One necessary change is that the minadbd started by recovery in
sideload mode no longer drops its root privileges (they're needed to
mount the FUSE filesystem). We rely on SELinux enforcement to
restrict the set of things that can be accessed.
Change-Id: Ida7dbd3b04c1d4e27a2779d88c1da0c7c81fb114
|
|
|
|
|
|
|
|
|
|
| |
The default recovery UI will reboot the device when the power key is
pressed 7 times in a row, regardless of what recovery is doing.
Disable this feature during package installation, to minimize the
chance of corrupting the device due to a mid-install reboot. (Debug
packages can explicitly request that the feature be reenabled.)
Change-Id: I20f3ec240ecd344615d452005ff26d8dd7775acf
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes minzip and recovery's file signature verification to work on
memory regions, rather than files.
For packages which are regular files, install.cpp now mmap()s them
into memory and then passes the mapped memory to the verifier and to
the minzip library.
Support for files which are raw block maps (which will be used when we
have packages written to encrypted data partitions) is present but
largely untested so far.
Bug: 12188746
Change-Id: I12cc3e809834745a489dd9d4ceb558cbccdc3f71
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A system/core change made in Mar 26 2012 6ebf12f "init: Change umask
of forked processes to 077" changed the default umask of services
forked from init.
Because recovery is forked from init, it has a umask of 077. Therefore
when update-binary is forked from recovery, it too has a umask of 077.
This umask is overly restrictive and can cause problems for scripts
relying on minzip to extract binaries directly into the target
filesystem. Any directories updated by minzip will have their
permissions reset to r-x------ and created files will have similarly
restrictive permissions.
As it seems unlikely this security measure was intended to have this
side effect on legacy sideloads that do not have chmods to repair
the damage done by minzip, this change reverts the umask to 022 in
the fork made for update-binary.
Change-Id: Ib1a3fc83aa4ecc7480b5d0c00f3c7d0d040d4887
|
|
|
|
|
|
|
|
|
|
|
| |
When installing a package, we should have /tmp and /cache mounted and
nothing else. Ensure this is true by explicitly mounting them and
unmounting everything else as the first step of every install.
Also fix an error in the progress bar that crops up when you do
multiple package installs in one instance of recovery.
Change-Id: I4837ed707cb419ddd3d9f6188b6355ba1bcfe2b2
|
|
|
|
|
|
|
|
| |
Recovery currently has a random mix of messages printed to stdout and
messages printed to stderr, which can make logs hard to read. Move
everything to stdout.
Change-Id: Ie33bd4a9e1272e731302569cdec918e0534c48a6
|
|
|
|
| |
Change-Id: Ifd5a29d459acf101311fa1c220f728c3d0ac2e4e
|
|
|
|
|
|
|
| |
Add an option to verifier_test to load keys from a file, the way the
recovery does.
Change-Id: Icba0e391164f2c1a9fefeab4b0bcb878e91d17b4
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- recovery takes a --locale argument, which will be passed by the main
system
- the locale is saved in cache, in case the --locale argument is
missing (eg, when recovery is started from fastboot)
- we include images that have prerendered text for many locales
- we split the background states into four (installing update,
erasing, no command, error) so that appropriate text can be shown.
Change-Id: I731b8108e83d5ccc09a4aacfc1dbf7e86b397aaf
|
|
|
|
| |
Change-Id: I9849c69777d513bb12926c8c622d1c12d2da568a
|
|
|
|
|
|
|
|
|
|
|
|
| |
- add the --just_exit option to make recovery exit normally without doing anything
- make it possible to build updater extensions in C++
- add the clear_display command so that the updater binary can request
recovery switch to the NONE background UI
These are all used to support the notion of using OTA as a factory
reflash mechanism.
Change-Id: Ib00d1cbf540feff38f52a61a2cf198915b48488c
|
|
|
|
|
|
|
|
|
|
|
| |
Move all the functions in ui.c to be members of a ScreenRecoveryUI
class, which is a subclass of an abstract RecoveryUI class. Recovery
then creates a global singleton instance of this class and then invoke
the methods to drive the UI. We use this to allow substitution of a
different RecoveryUI implementation for devices with radically
different form factors (eg, that don't have a screen).
Change-Id: I7fd8b2949d0db5a3f47c52978bca183966c86f33
|
|
Change-Id: I68a67a4c8edec9a74463b3d4766005ce27b51316
|