Android Recovery模式
(muddogxp 原創(chuàng)�����,轉(zhuǎn)載請注明)
Recovery簡介
Android利用Recovery模式�����,進(jìn)行恢復(fù)出廠設(shè)置�����,OTA升級(jí),patch升級(jí)及firmware升級(jí)�����。
升級(jí)一般通過運(yùn)行升級(jí)包中的META-INF/com/google/android/update-script腳本來執(zhí)行自定義升級(jí)����,腳本中是一組recovery系統(tǒng)能識(shí)別的UI控制,文件系統(tǒng)操作命令����,例如write_raw_image(寫FLASH分區(qū))����,copy_dir(復(fù)制目錄)。該包一般被下載至SDCARD和CACHE分區(qū)下����。如果對該包內(nèi)容感興趣,可以從http://forum./showthread.php?t=442480下載JF升級(jí)包來看看�����。
升級(jí)中還涉及到包的數(shù)字簽名��,簽名方式和普通JAR文件簽名差不錯(cuò)�。公鑰會(huì)被硬編譯入recovery,編譯時(shí)生成在:out/target/product/XX/obj/PACKAGING/ota_keys_inc_intermediates/keys.inc
G1中的三種啟動(dòng)模式
MAGIC KEY:
-
camera + power:bootloader模式��,ADP里則可以使用fastboot模式
-
home + power:recovery模式
-
正常啟動(dòng)
Bootloader正常啟動(dòng)�����,又有三種方式����,按照BCB(Bootloader Control Block, 下節(jié)介紹)中的command分類:
-
command == 'boot-recovery' → 啟動(dòng)recovery.img�。recovery模式
-
command == 'update-radio/hboot' → 更新firmware(bootloader)
-
其他 → 啟動(dòng)boot.img
Recovery涉及到的其他系統(tǒng)及文件
Recovery 工具通過NAND cache分區(qū)上的三個(gè)文件和主系統(tǒng)打交道����。主系統(tǒng)(包括恢復(fù)出廠設(shè)置和OTA升級(jí))可以寫入recovery所需的命令�,讀出recovery過程中的LOG和intent。
-
/cache/recovery/command: recovery命令�����,由主系統(tǒng)寫入��。所有命令如下:
-
--send_intent=anystring - write the text out to recovery.intent
-
--update_package=root:path - verify install an OTA package file
-
--wipe_data - erase user data (and cache), then reboot
-
--wipe_cache - wipe cache (but not user data), then reboot
-
/cache/recovery/log:recovery過程日志���,由主系統(tǒng)讀出
-
/cache/recovery/intent:recovery輸出的intent
-
MISC分區(qū)內(nèi)容
Bootloader Control Block (BCB) 存放recovery bootloader message����。結(jié)構(gòu)如下:
struct bootloader_message {
char command[32];
char status[32]; // 未知用途
char recovery[1024];
};
-
command可以有以下兩個(gè)值
“boot-recovery”:標(biāo)示recovery正在進(jìn)行�����,或指示bootloader應(yīng)該進(jìn)入recovery mode
“update-hboot/radio”:指示bootloader更新firmware
-
recovery內(nèi)容
“recovery\n
<recovery command>\n
<recovery command>”
其中recovery command為CACHE:/recovery/command命令
兩種Recovery Case
-
FACTORY RESET(恢復(fù)出廠設(shè)置)
-
用戶選擇“恢復(fù)出廠設(shè)置”
-
設(shè)置系統(tǒng)將"--wipe_data"命令寫入/cache/recovery/command
-
系統(tǒng)重啟�����,并進(jìn)入recover模式(/sbin/recovery)
-
get_args() 將 "boot-recovery"和"--wipe_data"寫入BCB
-
erase_root() 格式化(擦除)DATA分區(qū)
-
erase_root() 格式化(擦除)CACHE分區(qū)
-
finish_recovery() 擦除BCB
-
重啟系統(tǒng)
-
升級(jí)系統(tǒng)下載 OTA包到/cache/some-filename.zip
-
升級(jí)系統(tǒng)寫入recovery命令"--update_package=CACHE:some-filename.zip"
-
重啟�,并進(jìn)入recovery模式
-
get_args() 將"boot-recovery" 和 "--update_package=..." 寫入BCB
-
install_package() 作升級(jí)
-
finish_recovery() 擦除 BCB
-
** 如果安裝包失敗 ** prompt_and_wait() 等待用戶操作,選擇ALT+S或ALT+W 升級(jí)或恢復(fù)出廠設(shè)置
-
main() 調(diào)用 maybe_install_firmware_update()
-
如果包里有hboot/radio的firmware則繼續(xù)�����,否則返回
-
將 "boot-recovery" 和 "--wipe_cache" 寫入BCB
-
將 firmware image寫入cache分區(qū)
-
將 "update-radio/hboot" 和 "--wipe_cache" 寫入BCB
-
重啟系統(tǒng)
-
bootloader自身更新firmware
-
bootloader 將 "boot-recovery" 寫入BCB
-
erase_root() 擦除CACHE分區(qū)
-
清除 BCB
-
main() 調(diào)用 reboot() 重啟系統(tǒng)
Recovery模式流程
/init → init.rc → /sbin/recovery →
main():recovery.c
-
ui_init():ui.c [UI initialize]
-
gr_init():minui/graphics.c [set tty0 to graphic mode, open fb0]
-
ev_init():minui/events.c [open /dev/input/event*]
-
res_create_surface:minui/resource.c [create surfaces for all bitmaps used later, include icons, bmps]
-
create 2 threads: progress/input_thread [create progress show and input event handler thread]
-
get_args():recovery.c
-
get_bootloader_message():bootloader.c [read mtdblock0(misc partition) 2nd page for commandline]
-
check if nand misc partition has boot message. If yes, fill argc/argv.
-
If no, get arguments from /cache/recovery/command, and fill argc/argv.
-
set_bootloader_message():bootloader.c [set bootloader message back to mtdblock0]
-
Parser argv[] filled above
-
register_update_commands():commands.c [ register all commands with name and hook function ]
-
install_package():
-
translate_root_path():roots.c [ "SYSTEM:lib" and turns it into a string like "/system/lib", translate the updater.zip path ]
-
mzOpenZipArchive():zip.c [ open updater.zip file (uncompass) ]
-
handle_update_package():install.c
-
verify_jar_signature():verifier.c [ verify signature with keys.inc key; verify manifest and zip package archive ]
-
verifySignature() [ verify the signature file: CERT.sf/rsa. ]
-
digestEntry():verifier.c [ get SHA-1 digest of CERT.sf file ]
-
RSA_verify(public
key:keys.inc, signature:CERT.rsa, CERT.sf's digest):libc/rsa.c [ Verify
a 2048 bit RSA PKCS1.5 signature against an expected SHA-1 hash. Use
public key to decrypt the CERT.rsa to get original SHA digest, then
compare to digest of CERT.sf ]
-
verifyManifest() [ Get manifest SHA1-Digest from CERT.sf. Then do digest to MANIFEST.MF. Compare them ]
-
verifyArchive() [ verify all the files in update.zip with digest listed in MANIFEST.MF ]
-
find_update_script():install.c [ find META-INF/com/google/android/update-script updater script ]
-
handle_update_script():install.c [ read cmds from script file, and do parser, exec ]
-
erase DATA/CACHE partition
-
prompt_and_wait():recovery.c [ wait for user input: 1) reboot 2) update.zip 3) wipe data ]
-
ui_key_xxx get ALT+x keys
-
1) do nothing
-
2) install_package('SDCARD:update.zip')
-
3) erase_root() → format_root_device() DATA/CACHE
-
may_install_firmware_update():firmware.c
[ remember_firmware_update() is called by write_hboot/radio_image
command, it stores the bootloader image to CACHE partition, and write
update-hboot/radio command to MISC partition for bootloader message to
let bootloader update itself after reboot ]
-
finish_recovery():recovery.c
[ clear the recovery command and prepare to boot a (hopefully working)
system, copy our log file to cache as well (for the system to read), and
record any intent we were asked to communicate back to the system. ]
-
reboot()
Recovery模式流程圖
以下流程圖繪制了系統(tǒng)從啟動(dòng)加載bootloader后的行為流程�����。
|
