GitLab

Copy a sideloaded package into /tmp, then verify and install the copy,
to prevent malicious users from overwriting the package between
verification and install.

Bug: 2826890 package can be replaced during verification
Bug: 2058160 Recovery should copy sideloaded (sd card) update ...
Change-Id: I3de148b0f1a671f1974782b6855527caeaefda23

Merge commit 'ecc76ba5' into gingerbread

* commit 'ecc76ba5':
  Set adbd to be disabled by default in recovery

Change-Id: I74fa6edc4b001247b20be52e8301d18407fede2c

Fix potential string format bug.

Change-Id: Ie05aac53b2c45a48bd68e340b76ccb21edfd28b7

Change-Id: Iad448bc1608f88c5db2108475f35b88ea2877b07

Merge commit '97ca48e7' into kraken

* commit '97ca48e7':
  generic_x86 support

Add in Makefiles and support files for x86 builds
  Based on changes by: wonjong.lee <wonjong.lee@windriver.com>
  Additional changes by: Mark Gross <mark.gross@intel.com>
  Additional changes by: Bruce Beare <brucex.j.beare@intel.com>

Change-Id: I71fcf58f116e4e9047e7d03fdb28e3308553ce5c

Encrypted File Systems integration. Recovery changes.

Change-Id: I932f73a6f937aac061128e1134eab08c30f0471d

am 2654f5aa: (-s ours) DO NOT MERGE Removing unused recovey options. Please refer to Bug#2502219 for more info.

Merge commit '2654f5aa' into kraken

* commit '2654f5aa':
  DO NOT MERGE

Removing unused recovey options.
Please refer to Bug#2502219 for more info.

Change-Id: I2fe3cdb0c8b93ed7e1cc4093824fbe181f5f0aea

Change-Id: Icd177bd26120e0c8929faa8d1007f6c5bd446cb8

The docs say "don't do this", but it's trivial to make safe.  Make
StringValue(NULL) return NULL instead of crashing.

Change-Id: I2221bcb4c98d8adb4e25c764d7bdcfa787822bcf

Change the applypatch function to take meaningful arguments instead of
argc and argv.  Move all the parsing of arguments into main.c (for the
standalone binary) and into install.c (for the updater function).
applypatch() takes patches as Value objects, so we can pass in blobs
extracted from the package without ever writing them to temp files.

The patching code is changed to read the patch from memory instead of
a file.

A bunch of compiler warnings (mostly about signed vs unsigned types)
are fixed.

Support for the IMGDIFF1 format is dropped.  (We've been generating
IMGDIFF2 packages for some time now.)

Change-Id: I217563c500012750f27110db821928a06211323f

Change-Id: Id2712940c4929f3a8b3ba5d4e9e03bb8034747ee

- Move applypatch to this package (from build).

- Add a rudimentary type system to edify:  instead of just returning a
  char*, functions now return a Value*, which is a struct that can
  carry different types of value (currently just STRING and BLOB).
  Convert all functions to this new scheme.

- Change the one-argument form of package_extract_file to return a
  Value of the new BLOB type.

- Add read_file() to load a local file and return a blob, and
  sha1_check() to test a blob (or string) against a set of possible
  sha1s.  read_file() uses the file-loading code from applypatch so it
  can read MTD partitions as well.

This is the start of better integration between applypatch and the
rest of edify.

b/2361316 - VZW Issue PP628: Continuous reset to Droid logo:
            framework-res.apk update failed (CR LIBtt59130)

Change-Id: Ibd038074749a4d515de1f115c498c6c589ee91e5

Make sure file is valid before we try to read it. Also free all the
strings we allocate in various functions so we don't leak memory.

Change-Id: Ica3c8dae992e73718c79c12ff5d7e315c290caea

Merge commit 'da846fcf'

* commit 'da846fcf':
  android-2.1_r1 snapshot

Merge commit '4c382b13' into eclair-plus-aosp

* commit '4c382b13':
  android-2.1_r1 snapshot

Remove support for the HTC-specific "firmware" update command and the
corresponding edify function write_firmware_update().  This
functionality is now done by an edify extension library that lives in
vendor/htc.

Change-Id: I80858951ff10ed8dfff98aefb796bef009e05efb

Remove (or at least stop calling) the HTC-specific mechanism for
preserving the recovery log from before a radio or hboot update.
Replace it with a generic device_recovery_start() function which each
device's code can implement to do whatever it wants on recovery
startup.

Change-Id: If3cca4b498c0b1cf0565236404ecf56a1fc46123

Add a version of package_extract_file that returns the file data as
its return value (to be consumed by some other edify function that
expects to receive a bunch of binary data as an argument).  Lets us
avoid having two copies of a big file in memory (extracting it into
/tmp, which is a ramdisk, and then having something load it into
memory) when doing things like radio updates.

Change-Id: Ie26ece5fbae457eb0ddcd8a13d74d78a769fbc70

%i can't be used to read unsigned ints (though it happens to work with
bionic).  Change to %x and %u as appropriate.

Change-Id: I8ea9ca16a939501757cf70fc5953abee26c8231c
http://b/2402231 - Parser for /res/keys interprets n0inv as a signed int

When doing a firmware (radio or hboot) update on HTC devices, save the
recovery log in block 1 of the cache partition, before the firmware
image and the UI bitmaps.  When we boot back into recovery after the
firmware update to reformat the cache partition, copy that log out of
cache before reformatting it and dump it into the current invocation's
log.

The practical upshot of all this is that we can see the log output
from radio and hboot updates.

Change-Id: Ie0e89566754c88f4bed6a90d8a0aa04047b01a27

Merge commit '4e9332cb'

* commit '4e9332cb':
  make offsets in firmware update header not point to bad blocks

Merge commit '22d79a5c' into eclair-plus-aosp

* commit '22d79a5c':
  make offsets in firmware update header not point to bad blocks

(This is being cherry-picked from master.)

hboot will apparently fail to install if the first block of the image
(the one pointed to by the offset in the block 0 header) is a bad
block.  (Hopefully it handles subsequent bad blocks.)

This change makes the MTD write code keep track of the bad blocks it
has skipped over, so that the offset in the header can be adjusted to
be the address of the first successfully written block.

http://b/2358012 - passion: failure to flash hboot (bad blocks?)

hboot will apparently fail to install if the first block of the image
(the one pointed to by the offset in the block 0 header) is a bad
block.  (Hopefully it handles subsequent bad blocks.)

This change makes the MTD write code keep track of the bad blocks it
has skipped over, so that the offset in the header can be adjusted to
be the address of the first successfully written block.

Change-Id: I45d58e32a36d0c1dbc0a7f871bd5985b6c8ff524
http://b/2358012 - passion: failure to flash hboot (bad blocks?)

Merge commit '158657bc'

* commit '158657bc':
  Security: Fix typo in recovery EOCD detection.

Merge commit 'd36308c2'

* commit 'd36308c2':
  use MEMGETBADBLOCK to look for bad blocks when reading MTD partitions

Merge commit '17a47098' into eclair-plus-aosp

* commit '17a47098':
  use MEMGETBADBLOCK to look for bad blocks when reading MTD partitions

Merge commit '9b430e11'

* commit '9b430e11':
  add a simple unit test for the OTA package verifier

Merge commit '73ae31ce' into eclair-mr2-plus-aosp

* commit '73ae31ce':
  add a simple unit test for the OTA package verifier

* changes:
  Recovery changes for Encrypted File Systems. This change enables/disables the Encrypted file systems feature. It reads some properties form the data partition, wipes the partition out, and then rewrites the proper properties again into the data partition to signal that encrypted FS are enabled.