Android5.0 Recovery源代码分析与定制(一)
微信公众号:嵌入式开发圈
关注可了解更多的教程。问题或建议,请公众号留言;
如果你觉得本文对你有帮助,欢迎赞赏
▲长按图片保存可分享至朋友圈
Android的系统升级,Android的线刷,卡刷,格式化究竟有什么奇妙的地方呢?它又是怎么实现的呢?今天我将为大家揭开它的面纱!我们以Tiny4412的Recovery源代码为例,虽然4412并没有支持Recovery系统,但弄明白它的原理,我们也可以开发或者移植一个出来。其实,在recovery.cpp中开头就已经做了详细的说明,我们来看看。
1/*
2 * The recovery tool communicates with the main system through /cache files.
3 * /cache/recovery/command - INPUT - command line for tool, one arg per line
4 * /cache/recovery/log - OUTPUT - combined log file from recovery run(s)
5 * /cache/recovery/intent - OUTPUT - intent that was passed in
6 *
7 * The arguments which may be supplied in the recovery.command file:
8 * --send_intent=anystring - write the text out to recovery.intent
9 * --update_package=path - verify install an OTA package file
10 * --wipe_data - erase user data (and cache), then reboot
11 * --wipe_cache - wipe cache (but not user data), then reboot
12 * --set_encrypted_filesystem=on|off - enables / diasables encrypted fs
13 * --just_exit - do nothing; exit and reboot
14 *
15 * After completing, we remove /cache/recovery/command and reboot.
16 * Arguments may also be supplied in the bootloader control block (BCB).
17 * These important scenarios must be safely restartable at any point:
18 *
19 * FACTORY RESET
20 * 1. user selects "factory reset"
21 * 2. main system writes "--wipe_data" to /cache/recovery/command
22 * 3. main system reboots into recovery
23 * 4. get_args() writes BCB with "boot-recovery" and "--wipe_data"
24 * -- after this, rebooting will restart the erase --
25 * 5. erase_volume() reformats /data
26 * 6. erase_volume() reformats /cache
27 * 7. finish_recovery() erases BCB
28 * -- after this, rebooting will restart the main system --
29 * 8. main() calls reboot() to boot main system
30 *
31 * OTA INSTALL
32 * 1. main system downloads OTA package to /cache/some-filename.zip
33 * 2. main system writes "--update_package=/cache/some-filename.zip"
34 * 3. main system reboots into recovery
35 * 4. get_args() writes BCB with "boot-recovery" and "--update_package=..."
36 * -- after this, rebooting will attempt to reinstall the update --
37 * 5. install_package() attempts to install the update
38 * NOTE: the package install must itself be restartable from any point
39 * 6. finish_recovery() erases BCB
40 * -- after this, rebooting will (try to) restart the main system --
41 * 7. ** if install failed **
42 * 7a. prompt_and_wait() shows an error icon and waits for the user
43 * 7b; the user reboots (pulling the battery, etc) into the main system
44 * 8. main() calls maybe_install_firmware_update()
45 * ** if the update contained radio/hboot firmware **:
46 * 8a. m_i_f_u() writes BCB with "boot-recovery" and "--wipe_cache"
47 * -- after this, rebooting will reformat cache & restart main system --
48 * 8b. m_i_f_u() writes firmware image into raw cache partition
49 * 8c. m_i_f_u() writes BCB with "update-radio/hboot" and "--wipe_cache"
50 * -- after this, rebooting will attempt to reinstall firmware --
51 * 8d. bootloader tries to flash firmware
52 * 8e. bootloader writes BCB with "boot-recovery" (keeping "--wipe_cache")
53 * -- after this, rebooting will reformat cache & restart main system --
54 * 8f. erase_volume() reformats /cache
55 * 8g. finish_recovery() erases BCB
56 * -- after this, rebooting will (try to) restart the main system --
57 * 9. main() calls reboot() to boot main system
58 */
在这段英文注释里,详细的说明了factory_reset(Android的恢复出厂设置功能)的流程以及OTA系统更新的流程。在这段注释得最前面说得很明白,我们只要往/cache/recovery/command中写入相应的命令即可完成对应的功能。
1* The arguments which may be supplied in the recovery.command file:
2 * --send_intent=anystring - write the text out to recovery.intent
3 * --update_package=path - verify install an OTA package file
4 * --wipe_data - erase user data (and cache), then reboot
5 * --wipe_cache - wipe cache (but not user data), then reboot
6 * --set_encrypted_filesystem=on|off - enables / diasables encrypted fs
7 * --just_exit - do nothing; exit and reboot
比如写入:
1--update_package=path(对应的OTA更新的路径)
例如:
1--update_package=/mnt/external_sd/xxx.zip
将这条命令写入后,再重启Android系统,recovery检测到有这个命令存在,就会去搜索这个路径,然后将这个路径做路径转换,接下来获取转换后的路径后,就挂载这个路径,然后挂载这个路径,获取OTA包,解包,校验,然后最后实现真正的更新。
如果我们往这个文件写入: --wipe_data那么就会做出厂设置,格式化/data分区的内容。接下来,我们来看看代码,从main函数开始分析:进入main函数后,会将recovery产生的log信息重定向到/tmp/recovery.log这个文件里,具体代码实现如下:
1//重定向标准输出和标准出错到/tmp/recovery.log 这个文件里
2//static const char *TEMPORARY_LOG_FILE = "/tmp/recovery.log";
3redirect_stdio(TEMPORARY_LOG_FILE);
redirect_stdio函数源代码实现:
1static void redirect_stdio(const char* filename) {
2 // If these fail, there's not really anywhere to complain...
3 freopen(filename, "a", stdout); setbuf(stdout, NULL);
4 freopen(filename, "a", stderr); setbuf(stderr, NULL);
5}
我们看到,所有产生来自stdout和stderr的信息会使用freopen这个函数重定向到/tmp/recovery.log这个文件里。stdout就是标准输出,stdout就是标准出错。标准输出就是我们平时使用的printf输出的信息。
当然也可以使用fprintf(stdout,"hello world\n");也是一样的标准出错就是fprintf(stderr,"hello world!\n");类似的代码。接下下来,将会判断是否使用adb的sideload来传入,通过参数--adbd来判断:
1 // If this binary is started with the single argument "--adbd",
2 // instead of being the normal recovery binary, it turns into kind
3 // of a stripped-down version of adbd that only supports the
4 // 'sideload' command. Note this must be a real argument, not
5 // anything in the command file or bootloader control block; the
6 // only way recovery should be run with this argument is when it
7 // starts a copy of itself from the apply_from_adb() function.
8 if (argc == 2 && strcmp(argv[1], "--adbd") == 0) {
9 adb_main();
10 return 0;
11 }
做完这些步骤以后,会初始化并装载recovery的分区表recovery.fstab,然后挂载/cache/recovery/last_log这个文件,用来输出log。
1 printf("Starting recovery (pid %d) on %s", getpid(), ctime(&start));
2 //装载recovery的分区表recovery.fstab
3 load_volume_table();
4 //在recovery中挂载/cache/recovery/last_log这个文件
5 //#define LAST_LOG_FILE "/cache/recovery/last_log"
6 ensure_path_mounted(LAST_LOG_FILE);
7 rotate_last_logs(KEEP_LOG_COUNT);
这里主要看如何装载分区表的流程,先来看看recovery.fstab
1/dev/block/by-name/boot /boot emmc defaults defaults
2/dev/block/by-name/recovery /recovery emmc defaults defaults
3/dev/block/by-name/splashscreen /splashscreen emmc defaults defaults
4/dev/block/by-name/fastboot /fastboot emmc defaults defaults
5/dev/block/by-name/misc /misc emmc defaults defaults
6/dev/block/by-name/system /system ext4 ro,noatime wait
7/dev/block/by-name/cache /cache ext4 nosuid,nodev,noatime,barrier=1,data=ordered wait,check
8/dev/block/by-name/userdata /data ext4 nosuid,nodev,noatime,discard,barrier=1,data=ordered,noauto_da_alloc wait,check
9/dev/block/by-name/factory /factory ext4 nosuid,nodev,noatime,barrier=1,data=ordered wait
1void load_volume_table()
2{
3 int i;
4 int ret;
5 //读recovery.fstab 这个分区表
6 fstab = fs_mgr_read_fstab("/etc/recovery.fstab");
7 if (!fstab) {
8 LOGE("failed to read /etc/recovery.fstab\n");
9 return;
10 }
11 //将对应的信息加入到一条链表中
12 ret = fs_mgr_add_entry(fstab, "/tmp", "ramdisk", "ramdisk");
13 //如果load到的分区表为空,后面做释放操作
14 if (ret < 0 ) {
15 LOGE("failed to add /tmp entry to fstab\n");
16 fs_mgr_free_fstab(fstab);
17 fstab = NULL;
18 return;
19 }
20
21 printf("recovery filesystem table\n");
22 printf("=========================\n");
23 //到这一步,打印分区表信息,这类信息在
24 //recovery启动的时候的log可以看到
25 //分别是以下
26 //编号| 挂载节点| 文件系统类型| 块设备| 长度
27 for (i = 0; i < fstab->num_entries; ++i) {
28 Volume* v = &fstab->recs[i];
29 printf(" %d %s %s %s %lld\n", i, v->mount_point, v->fs_type,
30 v->blk_device, v->length);
31 }
32 printf("\n");
33}
挂载完相应的分区以后,就需要获取命令参数,因为只有挂载了对应的分区,才能访问到前面要写入command的这个文件,这样我们才能正确的打开文件,如果分区都没找到,那么当然就找不到分区上的文件,上面这个步骤是至关重要的。
1//获取参数
2 //这个参数也可能是从/cache/recovery/command文件中得到相应的命令
3 //也就是可以往command这个文件写入对应的格式的命令即可
4 get_args(&argc, &argv);
5
6 const char *send_intent = NULL;
7 const char *update_package = NULL;
8 int wipe_data = 0, wipe_cache = 0, show_text = 0;
9 bool just_exit = false;
10 bool shutdown_after = false;
11
12 int arg;
13 //参数有擦除分区,OTA更新等
14 while ((arg = getopt_long(argc, argv, "", OPTIONS, NULL)) != -1) {
15 switch (arg) {
16 case 's': send_intent = optarg; break;
17 case 'u': update_package = optarg; break;
18 case 'w': wipe_data = wipe_cache = 1; break;
19 case 'c': wipe_cache = 1; break;
20 case 't': show_text = 1; break;
21 case 'x': just_exit = true; break;
22 case 'l': locale = optarg; break;
23 case 'g': {
24 if (stage == NULL || *stage == '\0') {
25 char buffer[20] = "1/";
26 strncat(buffer, optarg, sizeof(buffer)-3);
27 stage = strdup(buffer);
28 }
29 break;
30 }
31 case 'p': shutdown_after = true; break;
32 case 'r': reason = optarg; break;
33 case '?':
34 LOGE("Invalid command argument\n");
35 continue;
36 }
37 }
获取到对应的命令,就会执行对应的标志,后面会根据标志来执行对应的操作。
做完以上的流程后,下面就是创建设备,设置语言信息,初始化recovery的UI界面,设置Selinux权限,代码如下:
1//设置语言
2 if (locale == NULL) {
3 load_locale_from_cache();
4 }
5 printf("locale is [%s]\n", locale);
6 printf("stage is [%s]\n", stage);
7 printf("reason is [%s]\n", reason);
8 //创建设备
9 Device* device = make_device();
10 //获取UI
11 ui = device->GetUI();
12 //设置当前的UI
13 gCurrentUI = ui;
14 //设置UI的语言信息
15 ui->SetLocale(locale);
16 //UI初始化
17 ui->Init();
18
19 int st_cur, st_max;
20 if (stage != NULL && sscanf(stage, "%d/%d", &st_cur, &st_max) == 2) {
21 ui->SetStage(st_cur, st_max);
22 }
23 //设置recovery的背景图
24 ui->SetBackground(RecoveryUI::NONE);
25 //设置界面上是否能够显示字符,使能ui->print函数开关
26 if (show_text) ui->ShowText(true);
27 //设置selinux权限,一般我会把selinux 给disabled
28 struct selinux_opt seopts[] = {
29 { SELABEL_OPT_PATH, "/file_contexts" }
30 };
31
32 sehandle = selabel_open(SELABEL_CTX_FILE, seopts, 1);
33
34 if (!sehandle) {
35 ui->Print("Warning: No file_contexts\n");
36 }
37 //虚函数,没有做什么流程
38 device->StartRecovery();
39
40 printf("Command:");
41 for (arg = 0; arg < argc; arg++) {
42 printf(" \"%s\"", argv[arg]);
43 }
44 printf("\n");
接下来是重要的环节,这个环节将会根据上面命令参数来做真正的事情了,比如恢复出厂设置,OTA更新等。
1//如果update_package(也就是要升级的OTA包)不为空的情况下
2 //这里要对升级包的路径做一下路径转换,这里可以自由定制自己升级包的路径
3 if (update_package) {
4 // For backwards compatibility on the cache partition only, if
5 // we're given an old 'root' path "CACHE:foo", change it to
6 // "/cache/foo".
7
8 //这里就是做转换的方法
9 //先比较传进来的recovery参数的前6个byte是否是CACHE
10 //如果是将其路径转化为/cache/CACHE: ......
11 if (strncmp(update_package, "CACHE:", 6) == 0) {
12 int len = strlen(update_package) + 10;
13 char* modified_path = (char*)malloc(len);
14 strlcpy(modified_path, "/cache/", len);
15 strlcat(modified_path, update_package+6, len);
16 printf("(replacing path \"%s\" with \"%s\")\n",
17 update_package, modified_path);
18 //这个update_package就是转换后的路径
19 update_package = modified_path;
20 }
21 }
22 printf("\n");
23 property_list(print_property, NULL);
24 //获取属性,这里应该是从一个文件中找到ro.build.display.id
25 //获取recovery的版本信息
26 property_get("ro.build.display.id", recovery_version, "");
27 printf("\n");
28
29 //定义一个安装成功的标志位INSTALL_SUCCESS ----> 其实是个枚举,值为0
30 int status = INSTALL_SUCCESS;
31 //判断转换后的OTA升级包的路径是否不为空,如果不为空
32 //执行install_package 函数进行升级
33 if (update_package != NULL) {
34 status = install_package(update_package, &wipe_cache, TEMPORARY_INSTALL_FILE, true);
35 //判断是否升级成功
36 if (status == INSTALL_SUCCESS && wipe_cache) {
37 //擦除这个路径,相当于删除了这个路径下的OTA升级包
38 if (erase_volume("/cache")) {
39 LOGE("Cache wipe (requested by package) failed.");
40 }
41 }
42 //如果安装不成功
43 if (status != INSTALL_SUCCESS) {
44 ui->Print("Installation aborted.\n");
45
46 // If this is an eng or userdebug build, then automatically
47 // turn the text display on if the script fails so the error
48 // message is visible.
49 char buffer[PROPERTY_VALUE_MAX+1];
50 property_get("ro.build.fingerprint", buffer, "");
51 if (strstr(buffer, ":userdebug/") || strstr(buffer, ":eng/")) {
52 ui->ShowText(true);
53 }
54 }
55 }
56 //如果跑的是格式化数据区,那么就走这个流程
57 else if (wipe_data) {
58 if (device->WipeData()) status = INSTALL_ERROR;
59 //格式化/data分区
60 if (erase_volume("/data")) status = INSTALL_ERROR;
61 if (wipe_cache && erase_volume("/cache")) status = INSTALL_ERROR;
62 if (erase_persistent_partition() == -1 ) status = INSTALL_ERROR;
63 if (status != INSTALL_SUCCESS) ui->Print("Data wipe failed.\n");
64 }
65 //格式化cache分区
66 else if (wipe_cache) {
67 if (wipe_cache && erase_volume("/cache")) status = INSTALL_ERROR;
68 if (status != INSTALL_SUCCESS) ui->Print("Cache wipe failed.\n");
69 }
70 else if (!just_exit) {
71 status = INSTALL_NONE; // No command specified
72 ui->SetBackground(RecoveryUI::NO_COMMAND);
73 }
74 //如果安装失败或者。。。
75 if (status == INSTALL_ERROR || status == INSTALL_CORRUPT) {
76 copy_logs();
77 //显示错误的LOGO
78 ui->SetBackground(RecoveryUI::ERROR);
79 }
80 Device::BuiltinAction after = shutdown_after ? Device::SHUTDOWN : Device::REBOOT;
81 if (status != INSTALL_SUCCESS || ui->IsTextVisible()) {
82 Device::BuiltinAction temp = prompt_and_wait(device, status);
83 if (temp != Device::NO_ACTION) after = temp;
84 }
85
86 // Save logs and clean up before rebooting or shutting down.
87 //完成recovery升级
88 finish_recovery(send_intent);
89
90 switch (after) {
91 case Device::SHUTDOWN:
92 ui->Print("Shutting down...\n");
93 property_set(ANDROID_RB_PROPERTY, "shutdown,");
94 break;
95
96 case Device::REBOOT_BOOTLOADER:
97 ui->Print("Rebooting to bootloader...\n");
98 property_set(ANDROID_RB_PROPERTY, "reboot,bootloader");
99 break;
100
101 default:
102 ui->Print("Rebooting...\n");
103 property_set(ANDROID_RB_PROPERTY, "reboot,");
104 break;
105 }
106 sleep(5); // should reboot before this finishes
107 return EXIT_SUCCESS;
在这里面,我们最常用的即是OTA更新和恢复出厂设置,先来说说恢复出厂设置,这个功能就是所谓的手机双清,众所周知,Android手机在使用很久后,由于垃圾数据,以及其它的因素会导致手机的反应越来越慢,这让人烦恼不已,所以就需要双清,双清一般就是清除/data分区和/cache分区,代码流程很详细,有兴趣可以自己去分析。
接下来看看OTA是如何实现更新的,我们看到install_ota_package这个函数,执行到这个函数,看到源码:
1//安装更新包
2int
3install_package(const char* path, int* wipe_cache, const char* install_file,
4 bool needs_mount)
5{
6 FILE* install_log = fopen_path(install_file, "w");
7 if (install_log) {
8 fputs(path, install_log);
9 fputc('\n', install_log);
10 } else {
11 LOGE("failed to open last_install: %s\n", strerror(errno));
12 }
13 int result;
14 //设置安装挂载对应的节点
15 //这一步是关键
16 if (setup_install_mounts() != 0) {
17 LOGE("failed to set up expected mounts for install; aborting\n");
18 result = INSTALL_ERROR;
19 } else {
20 //到这里才是真正的去安装OTA包
21 result = really_install_package(path, wipe_cache, needs_mount);
22 }
23 //如果返回结果为0,那么安装就成功了
24 if (install_log) {
25 fputc(result == INSTALL_SUCCESS ? '1' : '0', install_log);
26 fputc('\n', install_log);
27 fclose(install_log);
28 }
29 return result;
30}
其实到了really_install_package这一步,才是真正做到OTA更新,但是在OTA更新之前至关重要的一步就是设置安装挂载对应的节点了,我曾经掉入此坑,现在拿出来分析一下,我们来看看setup_install_mounts这个函数:
1//设置安装挂载的节点
2int setup_install_mounts() {
3 if (fstab == NULL) {
4 LOGE("can't set up install mounts: no fstab loaded\n");
5 return -1;
6 }
7 for (int i = 0; i < fstab->num_entries; ++i) {
8 Volume* v = fstab->recs + i;
9 //如果判断挂载的路径是/tmp 或者/cache
10 //那么就挂载对应的节点,而其它的节点都不会去挂载
11 if (strcmp(v->mount_point, "/tmp") == 0 ||
12 strcmp(v->mount_point, "/cache") == 0) {
13 if (ensure_path_mounted(v->mount_point) != 0) {
14 LOGE("failed to mount %s\n", v->mount_point);
15 return -1;
16 }
17
18 }
19 //如果不是/tmp或者/cache这两个节点,则默认就会卸载所有的挂载节点
20 else {
21 //卸载所有的挂载节点
22 if (ensure_path_unmounted(v->mount_point) != 0) {
23 LOGE("failed to unmount %s\n", v->mount_point);
24 return -1;
25 }
26 }
27 }
28 return 0;
29}
如果在安装更新的时候,OTA包经过路径转换后不是放在/tmp和/cache这个路径下的时候,那么就会走else分支,从而卸载所有的挂载节点,这样就会导致,传的路径正确,却OTA更新不成功,如果是做自己定制的路径,这一步一定要小心,我们可以在这里继续添加定制的挂载点。那么,执行完设置挂载节点的函数后,接下来就是执行真正的OTA更新了,我们来看看:
1static int
2really_install_package(const char *path, int* wipe_cache, bool needs_mount)
3{
4 //设置更新时的背景
5 ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
6 ui->Print("Finding update package...\n");
7 // Give verification half the progress bar...
8 //设置进度条的类型
9 ui->SetProgressType(RecoveryUI::DETERMINATE);
10 //显示进度条
11 ui->ShowProgress(VERIFICATION_PROGRESS_FRACTION, VERIFICATION_PROGRESS_TIME);
12 LOGI("Update location: %s\n", path);
13 //在屏幕上打印 Opening update package..
14 // Map the update package into memory.
15 ui->Print("Opening update package...\n");
16 //patch是OTA的路径,need_mount参数表示是否需要挂载,1挂载,0,不挂载
17 if (path && needs_mount) {
18 if (path[0] == '@') {
19 ensure_path_mounted(path+1);
20 } else {
21 //挂载OTA升级包的路径------> 一般是执行这个流程
22 ensure_path_mounted(path);
23 }
24 }
25
26 MemMapping map;
27 if (sysMapFile(path, &map) != 0) {
28 LOGE("failed to map file\n");
29 return INSTALL_CORRUPT;
30 }
31
32 int numKeys;
33 //获取校验公钥文件
34 Certificate* loadedKeys = load_keys(PUBLIC_KEYS_FILE, &numKeys);
35 if (loadedKeys == NULL) {
36 LOGE("Failed to load keys\n");
37 return INSTALL_CORRUPT;
38 }
39 LOGI("%d key(s) loaded from %s\n", numKeys, PUBLIC_KEYS_FILE);
40
41 ui->Print("Verifying update package...\n");
42
43 int err;
44 //校验文件
45 err = verify_file(map.addr, map.length, loadedKeys, numKeys);
46 free(loadedKeys);
47 LOGI("verify_file returned %d\n", err);
48 //如果校验不成功
49 if (err != VERIFY_SUCCESS) {
50 //打印签名失败
51 LOGE("signature verification failed\n");
52 sysReleaseMap(&map);
53 return INSTALL_CORRUPT;
54 }
55
56 /* Try to open the package.
57 */
58 //尝试去打开ota压缩包
59 ZipArchive zip;
60 err = mzOpenZipArchive(map.addr, map.length, &zip);
61 if (err != 0) {
62 LOGE("Can't open %s\n(%s)\n", path, err != -1 ? strerror(err) : "bad");
63 sysReleaseMap(&map);
64 return INSTALL_CORRUPT;
65 }
66
67 /* Verify and install the contents of the package.
68 */
69 //开始安装升级包
70 ui->Print("Installing update...\n");
71 ui->SetEnableReboot(false);
72 int result = try_update_binary(path, &zip, wipe_cache);
73 //安装成功后自动重启
74 ui->SetEnableReboot(true);
75 ui->Print("\n");
76
77 sysReleaseMap(&map);
78 //返回结果
79 return result;
80}
关于recovery的大致流程,我们分析至此,关于如何像MTK平台一样,定制recovery,这就需要读者能够读懂recovery的流程,然后加入自己的代码进行定制,当然我们也会看到,一些recovery花样百出,很多UI做了自己的,而不是用安卓系统原生态的,安卓系统recovery原生态的UI如下:
如何定制相应的UI,后续我们会对recovery源代码中的UI显示做进一步的分析。。。。
另外推荐相关课程:
韦东山老师优质嵌入式学习干货推荐:包括ARM裸机开发、Linux设备驱动程序、Linux应用程序开发、Android系统学习、Linux设备树等。