1. 10 Apr, 2015 1 commit
    • Tao Bao's avatar
      Update the comments for package installer commands · b07e1f3a
      Tao Bao authored
      These commands are for the communication between the installer and the
      update binary (edify interpreter). Update the comments in sync with the
      codes.
      
      Change-Id: I7390f022b1447049a974b0b45697ef1d2e71d4e0
      b07e1f3a
  2. 08 Apr, 2015 1 commit
    • Tao Bao's avatar
      Rotate logs only when there are actual operations · 682c34bb
      Tao Bao authored
      Currently it rotates the log files every time it boots into the recovery
      mode. We lose useful logs after ten times. This CL changes the rotation
      condition so that it will rotate only if it performs some actual
      operations that modify the flash (installs, wipes, sideloads and etc).
      
      Bug: 19695622
      Change-Id: Ie708ad955ef31aa500b6590c65faa72391705940
      682c34bb
  3. 25 Mar, 2015 1 commit
  4. 28 Jan, 2015 1 commit
  5. 02 Jul, 2014 1 commit
    • Doug Zongker's avatar
      sideload without holding the whole package in RAM · 075ad800
      Doug Zongker authored
      Implement a new method of sideloading over ADB that does not require
      the entire package to be held in RAM (useful for low-RAM devices and
      devices using block OTA where we'd rather have more RAM available for
      binary patching).
      
      We communicate with the host using a new adb service called
      "sideload-host", which makes the host act as a server, sending us
      different parts of the package file on request.
      
      We create a FUSE filesystem that creates a virtual file
      "/sideload/package.zip" that is backed by the ADB connection -- users
      see a normal file, but when they read from the file we're actually
      fetching the data from the adb host.  This file is then passed to the
      verification and installation systems like any other.
      
      To prevent a malicious adb host implementation from serving different
      data to the verification and installation phases of sideloading, the
      FUSE filesystem verifies that the contents of the file don't change
      between reads -- every time we fetch a block from the host we compare
      its hash to the previous hash for that block (if it was read before)
      and cause the read to fail if it changes.
      
      One necessary change is that the minadbd started by recovery in
      sideload mode no longer drops its root privileges (they're needed to
      mount the FUSE filesystem).  We rely on SELinux enforcement to
      restrict the set of things that can be accessed.
      
      Change-Id: Ida7dbd3b04c1d4e27a2779d88c1da0c7c81fb114
      075ad800
  6. 23 May, 2014 1 commit
    • Doug Zongker's avatar
      disable async reboot during package installation · c704e06c
      Doug Zongker authored
      The default recovery UI will reboot the device when the power key is
      pressed 7 times in a row, regardless of what recovery is doing.
      Disable this feature during package installation, to minimize the
      chance of corrupting the device due to a mid-install reboot.  (Debug
      packages can explicitly request that the feature be reenabled.)
      
      Change-Id: I20f3ec240ecd344615d452005ff26d8dd7775acf
      c704e06c
  7. 16 Jan, 2014 1 commit
    • Doug Zongker's avatar
      do verification and extraction on memory, not files · 99916f04
      Doug Zongker authored
      Changes minzip and recovery's file signature verification to work on
      memory regions, rather than files.
      
      For packages which are regular files, install.cpp now mmap()s them
      into memory and then passes the mapped memory to the verifier and to
      the minzip library.
      
      Support for files which are raw block maps (which will be used when we
      have packages written to encrypted data partitions) is present but
      largely untested so far.
      
      Bug: 12188746
      Change-Id: I12cc3e809834745a489dd9d4ceb558cbccdc3f71
      99916f04
  8. 18 Nov, 2013 1 commit
    • Alistair Strachan's avatar
      Restore default umask after forking for update-binary. · 027429a3
      Alistair Strachan authored
      A system/core change made in Mar 26 2012 6ebf12f "init: Change umask
      of forked processes to 077" changed the default umask of services
      forked from init.
      
      Because recovery is forked from init, it has a umask of 077. Therefore
      when update-binary is forked from recovery, it too has a umask of 077.
      
      This umask is overly restrictive and can cause problems for scripts
      relying on minzip to extract binaries directly into the target
      filesystem. Any directories updated by minzip will have their
      permissions reset to r-x------ and created files will have similarly
      restrictive permissions.
      
      As it seems unlikely this security measure was intended to have this
      side effect on legacy sideloads that do not have chmods to repair
      the damage done by minzip, this change reverts the umask to 022 in
      the fork made for update-binary.
      
      Change-Id: Ib1a3fc83aa4ecc7480b5d0c00f3c7d0d040d4887
      027429a3
  9. 25 Sep, 2013 1 commit
  10. 21 Aug, 2013 1 commit
    • Doug Zongker's avatar
      recovery: install packages in a known mount environment · 239ac6ab
      Doug Zongker authored
      When installing a package, we should have /tmp and /cache mounted and
      nothing else.  Ensure this is true by explicitly mounting them and
      unmounting everything else as the first step of every install.
      
      Also fix an error in the progress bar that crops up when you do
      multiple package installs in one instance of recovery.
      
      Change-Id: I4837ed707cb419ddd3d9f6188b6355ba1bcfe2b2
      239ac6ab
  11. 09 Jul, 2013 1 commit
    • Doug Zongker's avatar
      recovery: move log output to stdout · fafc85b4
      Doug Zongker authored
      Recovery currently has a random mix of messages printed to stdout and
      messages printed to stderr, which can make logs hard to read.  Move
      everything to stdout.
      
      Change-Id: Ie33bd4a9e1272e731302569cdec918e0534c48a6
      fafc85b4
  12. 10 Apr, 2013 1 commit
  13. 02 Nov, 2012 1 commit
    • Doug Zongker's avatar
      move key loading to verifier code · 6c249f7a
      Doug Zongker authored
      Add an option to verifier_test to load keys from a file, the way the
      recovery does.
      
      Change-Id: Icba0e391164f2c1a9fefeab4b0bcb878e91d17b4
      6c249f7a
  14. 23 Aug, 2012 1 commit
    • Doug Zongker's avatar
      add simple text to recovery UI · 02ec6b88
      Doug Zongker authored
      - recovery takes a --locale argument, which will be passed by the main
        system
      
      - the locale is saved in cache, in case the --locale argument is
        missing (eg, when recovery is started from fastboot)
      
      - we include images that have prerendered text for many locales
      
      - we split the background states into four (installing update,
        erasing, no command, error) so that appropriate text can be shown.
      
      Change-Id: I731b8108e83d5ccc09a4aacfc1dbf7e86b397aaf
      02ec6b88
  15. 25 Jul, 2012 1 commit
  16. 12 Apr, 2012 1 commit
    • Doug Zongker's avatar
      minor recovery changes · e5d5ac76
      Doug Zongker authored
      - add the --just_exit option to make recovery exit normally without doing anything
      - make it possible to build updater extensions in C++
      - add the clear_display command so that the updater binary can request
        recovery switch to the NONE background UI
      
      These are all used to support the notion of using OTA as a factory
      reflash mechanism.
      
      Change-Id: Ib00d1cbf540feff38f52a61a2cf198915b48488c
      e5d5ac76
  17. 31 Oct, 2011 2 commits
    • Doug Zongker's avatar
      refactor ui functions into a class · 211aebc4
      Doug Zongker authored
      Move all the functions in ui.c to be members of a ScreenRecoveryUI
      class, which is a subclass of an abstract RecoveryUI class.  Recovery
      then creates a global singleton instance of this class and then invoke
      the methods to drive the UI.  We use this to allow substitution of a
      different RecoveryUI implementation for devices with radically
      different form factors (eg, that don't have a screen).
      
      Change-Id: I76bdd34eca506149f4cc07685df6a4890473f3d9
      211aebc4
    • Doug Zongker's avatar
      turn recovery into a C++ binary · 28ce47cf
      Doug Zongker authored
      Change-Id: I423a23581048d451d53eef46e5f5eac485b77555
      28ce47cf
  18. 28 Oct, 2011 1 commit
  19. 19 Oct, 2011 1 commit
    • Doug Zongker's avatar
      allow recovery packages to wipe cache · d0181b8f
      Doug Zongker authored
      updater now has a function "wipe_cache();" which causes recovery to
      wipe the cache partition after the successful installation of the
      package.  Move log copying around a bit so logs and the last_install
      flag file are copied to cache after it's wiped.
      
      Bug: 5314244
      Change-Id: Id35a9eb6dcd626c8f3a3a0076074f462ed3d44bd
      d0181b8f
  20. 12 Apr, 2011 1 commit
    • Doug Zongker's avatar
      save a last_install file with the result of the last package install attempt · 469243e5
      Doug Zongker authored
      When installing a package, create /cache/recovery/last_install, which
      contains the filename of the package and a 1 or 0 for success or
      failure.
      
      Also, don't mount ext4 and vfat filesystems as read-only (on devices
      where /cache is ext4, we need it to be read-write).
      
      Change-Id: I0cf2a1921bbd65e06343aa74e2006577fac77c2c
      469243e5
  21. 21 Sep, 2010 2 commits
    • Doug Zongker's avatar
      remove the notion of "root path"; support mixed flash types · cc8cd3f3
      Doug Zongker authored
      Remove the wacky notion of "roots" and "root paths" (those things that
      look like "FOO:some/path" instead of just "/foo/some/path").  Let each
      device specify its own table of available partitions and how to mount
      them (needed for devices that use both MTD/yaffs2 and EMMC/ext4
      partitions).
      
      (Cherrypicked from gingerbread w/slight edits.)
      
      Change-Id: I2479ce76b13e73f1d12035c89386c3a82b3edf51
      cc8cd3f3
    • Doug Zongker's avatar
      remove the notion of "root path"; support mixed flash types (do not merge) · d4208f9f
      Doug Zongker authored
      Remove the wacky notion of "roots" and "root paths" (those things that
      look like "FOO:some/path" instead of just "/foo/some/path").  Let each
      device specify its own table of available partitions and how to mount
      them (needed for devices that use both MTD/yaffs2 and EMMC/ext4
      partitions).
      
      Change-Id: I18b0a572a71c5e087e0b7ae11b1774388339bfd1
      d4208f9f
  22. 17 Sep, 2010 1 commit
    • Doug Zongker's avatar
      remove unneeded partition roots · d7d42089
      Doug Zongker authored
      Recovery itself no longer needs to access all these partitions;
      manipulation of them is done by the updater binary.  This is a small
      first step towards removing roots entirely.
      
      Change-Id: I3fbcada32079a37db4cc097861dfa91e0a08da30
      d7d42089
  23. 15 Sep, 2010 2 commits
    • Doug Zongker's avatar
      support for ext4/EMMC filesystems in updater binary · 56c5105b
      Doug Zongker authored
      Make the mount and format functions take extra parameters describing
      the filesystem type and add support for mounting and formatting ext4
      filesystems on EMMC.
      
      Change recovery to consistently use stdout for status messages instead
      of mixing stdout and stderr.
      56c5105b
    • Doug Zongker's avatar
      close update package before installing; allow remount · 8e5e4dad
      Doug Zongker authored
      Close the update package before invoking the binary, to allow the
      installer to unmount /cache if it wants to.  Add a function to allow
      remounting of a mount as read-only.
      
      Change-Id: Idfcc96c3da66083295177f729263560be58034e4
      8e5e4dad
  24. 01 Jul, 2010 1 commit
    • Doug Zongker's avatar
      support for ext4/EMMC filesystems in updater binary · 3d177d05
      Doug Zongker authored
      Make the mount and format functions take extra parameters describing
      the filesystem type and add support for mounting and formatting ext4
      filesystems on EMMC.
      
      Change recovery to consistently use stdout for status messages instead
      of mixing stdout and stderr.
      3d177d05
  25. 24 Jun, 2010 1 commit
  26. 03 Feb, 2010 1 commit
    • Doug Zongker's avatar
      bump updater API version to 3; deprecate firmware update command · e08991e0
      Doug Zongker authored
      Remove support for the HTC-specific "firmware" update command and the
      corresponding edify function write_firmware_update().  This
      functionality is now done by an edify extension library that lives in
      vendor/htc.
      
      Change-Id: I80858951ff10ed8dfff98aefb796bef009e05efb
      e08991e0
  27. 29 Jan, 2010 1 commit
    • Doug Zongker's avatar
      fix parsing of dumpkeys output · aa062531
      Doug Zongker authored
      %i can't be used to read unsigned ints (though it happens to work with
      bionic).  Change to %x and %u as appropriate.
      
      Change-Id: I8ea9ca16a939501757cf70fc5953abee26c8231c
      http://b/2402231 - Parser for /res/keys interprets n0inv as a signed int
      aa062531
  28. 13 Nov, 2009 1 commit
  29. 17 Aug, 2009 1 commit
  30. 15 Aug, 2009 1 commit
  31. 14 Jul, 2009 1 commit
    • Doug Zongker's avatar
      remove amend · 64893ccc
      Doug Zongker authored
      Yank all the code to install OTA packages out of the recovery binary
      itself.  Now packages are installed by a binary included in the
      package (run as a child of recovery), so we can make improvements in
      the installation process without waiting for a new release to use
      them.
      64893ccc
  32. 24 Jun, 2009 1 commit
    • Doug Zongker's avatar
      improve updater progress bar · fbf3c10e
      Doug Zongker authored
      Let recovery accept set_progress commands to control progress over the
      'current segment' of the bar.  Add a set_progress() builtin to the
      updater binary.
      fbf3c10e
  33. 18 Jun, 2009 1 commit
    • Doug Zongker's avatar
      let the "firmware" command take the file straight from the package · fb2e3af3
      Doug Zongker authored
      To do a firmware-install-on-reboot, the update binary tells recovery
      what file to install before rebooting.  Let this file be specified as
      "PACKAGE:<foo>" to indicate taking the file out of the OTA package,
      avoiding an extra copy to /tmp.  Bump the API version number to
      reflect this change.
      fb2e3af3
  34. 12 Jun, 2009 2 commits
    • Doug Zongker's avatar
      fixes to edify and updater script · d9c9d10d
      Doug Zongker authored
      A few more changes to edify:
      
        - fix write_raw_image(); my last change neglected to close the write
          context, so the written image was corrupt.
      
        - each expression tracks the span of the source code from which it
          was compiled, so that assert()'s error message can include the
          source of the expression that failed.
      
        - the 'cookie' argument to each Function is replaced with a State
          object, which contains the cookie, the source script (for use with
          the above spans), and the current error message (replacing the
          global variables that were used for this purpose).
      
        - in the recovery image, a new command "ui_print" can be sent back
          through the command pipe to cause text to appear on the screen.
          Add a new ui_print() function to print things from scripts.
          Rename existing "print" function to "stdout".
      d9c9d10d
    • Doug Zongker's avatar
      edify extensions for OTA package installation, part 2 · 8edb00c9
      Doug Zongker authored
      Adds more edify functions for OTAs:
      
        is_mounted getprop apply_patch apply_patch_check apply_patch_space
        write_raw_image write_firmware_image package_extract_file
      
      This allows us to install radios, hboots, boot images, and install
      incremental OTA packages.
      
      Fixes a couple of dumb bugs in edify itself:
      
        - we were doubling the size of the function table each time it was
          *not* full, rather than each time it was full
      
        - "no such function" errors weren't visible to the parser, so they
          didn't prevent execution of the script.
      8edb00c9
  35. 11 Jun, 2009 1 commit
    • Doug Zongker's avatar
      edify extensions for OTA package installation, part 1 · 9931f7f3
      Doug Zongker authored
      Adds the following edify functions:
      
        mount unmount format show_progress delete delete_recursive
        package_extract symlink set_perm set_perm_recursive
      
      This set is enough to extract and install the system part of a (full)
      OTA package.
      
      Adds the updater binary that extracts an edify script from the OTA
      package and then executes it.  Minor changes to the edify core (adds a
      sleep() builtin for debugging, adds "." to the set of characters that
      can appear in an unquoted string).
      9931f7f3
  36. 04 Jun, 2009 1 commit