Android Internals - Change Log

Volume I:

The Android Volume I Change Log
  • Preface: (BTC is $59k, only a month and a half later.. :-)
  • Chapter 1: Table 1/1-1 - Android versions, with %ages - updated to March 2021 (previous was Feb 2021, though mistakenly said May 2020)
  • Chapter 2:
    • Table 2/4-5 (Samsung Exynos devices) - Added NPU device
      sr100 | drivers/uwb/sr100.c | S21 Ultra: Ultra Wide Band (UWB)
      (Thanks to my good friend _@bazad who wrote about the Exynos NPU vulnerability before being taken by the spaceship)
  • Chapter 3:
    • Table 3/4-1 - (Linux pseudo filesystems actively used by Android 11) - Added BinderFS and filled in missing description for FunctionFS:
      /dev/binderfs | binderfs | Linux 5.0+: Dynamic Binder devices (q.v. II/8)
      /dev/usb-ffs | functionfs | USB functions (Gadget driver)
  • Chapter 4:
    • Table 4/2-2 (Qualcomm /vendor/bin) - Added spdaemon which eluded me because it's not used in Google devices..
      spdaemon | Secure Processing Unit (SPU) manager (on non-Google devices)
    • Table 4/2-5 (MTK /vendor/bin) - this was left woefully incomplete. Sorry about that (versioning problem). Here's what it should look like: … (will add this soon)
  • Chapter 8:
    • Added copy_per_line init directive (new in 12.0), and that 'critical' (for services) now takes arguments
    • Table 8/7-1 (cont):
      • Added snapuserd.rc under "System & Volume Management" right after snapshotctl.rc (which it apparently replaces)
      • Filled cppreopts.rc in the table (I had omitted that, sorry)
        cppreopts.rc | Copy preoptimized files
  • Chapter 9:
    • Update of Table 9/5-1 with system_server_dumper
    • Added:

      Android 12 adds the system_server_dumper service. As its name implies, this is a dumpsys-only service with no clients, listing the properties of SystemServer (start count and elapsed time), SystemServiceManager (started service classes) and the SystemServerInitThreadPool.

      before Figure 9/4-3
    • Added (Before Table 9/3-3, to expand on "dynamic" service lookup):

      The client API of a.os.ServiceManager allows (as of Android 11.0) the waitFor[Declared]Service(svcName) methods.

  • Chapter 10:
    • Table 10/3-6 had some missing fields. Here's all of it:
      Table 10/3-6: The elements in /etc/sysconfig/ and /etc/permissions/ files
      group | Global group IDs given to packages (III/2)
      permission | Built-in UID to permission mappings (III/2)
      assign-permission | Assign name permission to uid (III/2)
      split-permission | Split name permission for targetSdk version (III/2)
      library | Built-in shared libraries
      [unavailable-]feature | Indicate or hide a platform feature (for <uses-feature>)
      allow-in-power-save[-except-idle] | Allow package to operate even when device is in different power modes
      allow-unthrottled-location | Allow continuous location updates
      allow-ignore-location-settings | Override location settings
      allow-implicit-broadcast | Exempt broadcast from 8.0 background delivery restrictions
      app-link | Android application link (II/3)
      system-user-[black|white]listed-app | App may (or may not) run as system user
      default-enabled-vr-app | Default VR Apps
      component-override | Enabled component overrides
      backup-transport-whitelisted-service | Permitted backup transport service components
      Disabled apps
      [privapp/oem]-permissions | Assign extra permissions
      hidden-api-whitelisted-app | Non-platform apps allowed access to full private API
      allow-association | Allow target package to interact with allowed package
      app-data-isolation-whitelisted-app | Apps enabled for data isolation
      bugreport-whitelisted | Allow package to generate bug report
      install-in-user-type | Install package in user-type (FULL/PROFILE)
      named-actor | Named actors (used by Overlay service, q.v. II/3)
      overlay-config-signature | Package capable of validating config_signature for overlays (q.v. II/3)
      rollback-whitelisted-app | Apps eligible for enabling rollback
      whitelisted-staged-installer | Installers allowed to commit staged install (II/2)
  • Chapter 13: Thanks to the wonder of writing in HTML, the Google Pixel Powerstats coverage wasn't printed:

    Google documents the IPowerStats.hal in the Source site[psh], and its AIDL is similar. The implementation of the service for Pixel devices (android.hardware.power.stats@1.0-service.pixel) can be found in open source.[psp] Rails data is collected from /sys/bus/iio/devices/iio:device#, and the service recognizes the following power entities:

    Table 13/5-3: The power entities defined by the Google Pixel powerstats implementation
    Entity | Provider path
    Pixel Visual Core (AirBrush) | /sys/devices/platform/soc/soc:abc-sm/state_stats
    Oslo | /dev/iaxxx-module-celldrv (via IAXXX_SENSOR_MODE_STATS ioctl(2))
    IAXXX | /dev/iaxxx-module-celldrv (via IAXXX_POWER_STATS_COUNT ioctl(2))
    Citadel (Titan M) | AIDL to Citadel service
  • References: As an appendix (which somehow got omitted from the first print batch). Now in print and also online at this link
(not yet) v2.0.2
  • Preface: BTC is down to $38k $50k $47k. Sheesh
  • Chapter 1:
    • Added note: Bionic is also used outside Android (notably in the hardened GrapheneOS), though Fuchsia's libc is derived from musl[musl].
  • Chapter 2:
    • Updated Table 2/1-1 for ARMv9 launch (happened after v2.0.1 came out...)
      v9 | A510, A710 | Confidential Compute Architecture (CCA), SVE2, Transactional Memory Extension (TME)
    • Updated Mediatek chipset table: Dimensity 1000 is UFS 2.2, 1200 is UFS 3.1 and now has Realme devices:

      Dimensity 1000/L/+ (MT6887/9) | CPU: 4xA77@2.6GHz + 4xA55@2.2GHz; GPU: ARM Mali-G77 MC9@800MHz (UFS 2.2); 6-core APU 3.0 | Oppo Reno3 5G, Vivo IQOO Z1 5G
      Dimensity 1200 (MT6893) | CPU: 1x A78 3x A77@2.6GHz + 4xA55@2.2GHz; GPU: ARM Mali-G77 MC9@800MHz (UFS 3.1); 6-core APU 3.0 | Realme GT Neo, X9 Pro
    • Also adding /dev/rpmsg_ctrl# - for Linux Remote Processor Messaging, used by QCom
    • Added footnote for Huawei -

      * - The US-imposed ban, along with a worldwide chip shortage in 2021, continues to take its toll on Huawei - its P50 line of phones not only uses the Qualcomm Snapdragon 888 chipset, but further ships without 5G capabilities. The phones ship with HarmonyOS 2.0.
  • Chapter 3: Android 11 mandates kernels not support debugfs. Somehow I missed that in the A11 release notes, but learned this the hard way trying to run bindump on a redfin (Pixel 5), which comes with A11 as stock. This breaks my bindump tool.
  • Chapter 5:
    • Added Google's APEX link:
      Google maintains a comprehensive list for these "modular system components"[msc]
    • Changed Table 5/4-1 (Standard directories created by Android on SD-Cards) to an output
  • Chapter 9:
    • Added a table of the Binder default transactions I had originally set for Volume II/7 in place of the paragraph listing them (it made sense, now that 11.0 and 12.0 add even more):

      Table 9/1-2-b: Default Transaction Codes supported by (almost) all Binder objects
      Constant | Value | Default Behavior
      DUMP_TRANSACTION | _DMP (1598311760) | Requests full dump of service state to specified fd according to optional arguments. Used by dumpsys
      INTERFACE_TRANSACTION | _NTF (1598968902) | Requests interface of service object behind handle. Expects UTF-16 interface name as reply
      SHELL_COMMAND_TRANSACTION | _CMD (1598246212) | Command interface for /system/bin/cmd
      SYSPROPS_TRANSACTION | _SPR (1599295570) | Deprecated: Calls libutils's report_sysprop_change() and any property callbacks
      PING_TRANSACTION | _PNG (1599098439) | Null transaction ensuring service object is alive.
      EXTENSION_TRANSACTION | _EXT (1598380116) | 11.0: Pass an extension BBinder for object
      DEBUG_PID_TRANSACTION | _PID (1599097156) | 11.0: Return service's process identifier (i.e. getpid())
      SET_RPC_CLIENT_TRANSACTION | _RPC (1599230019) | 12.0 (debug builds, #if BINDER_RPC_DEV_SERVERS): set socket FD
    • Also added a footnote:
      * - Using interfaces could ostensibly enable a design in which a single service endpoint could support multiple interfaces or "personalities", though in practice Binder associates a single interface name with an endpoint.
    • @TODO: I'll update Output 9/4-4 (Threads of system_server for new service threads in 12 once the dust settles)
    • Added NativeTombstoneManager to LocalServices table (9/5-4) (realized I had missed it earlier since it came into 11.0, but I now discuss tombstones in II/1):

      c.a.s.os.NativeTombstoneManager | 11.0: Manage tombstones and parse protobuf (.pb) tombstones (II/1)
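
Added example (not from the book or AOSP) for Table 9/1-2-b above: each default transaction value is four ASCII characters packed high byte first into 32 bits, as libbinder's B_PACK_CHARS does, while interface-defined calls occupy 0x00000001 through 0x00ffffff. The helper name classify_code and the sample interface code 3 are assumptions made for illustration; it is useful when a Binder trace or audit log shows only the numeric code.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same packing as the B_PACK_CHARS macro in libbinder. */
#define PACK_CHARS(c1, c2, c3, c4) \
    (((uint32_t)(c1) << 24) | ((uint32_t)(c2) << 16) | \
     ((uint32_t)(c3) << 8) | (uint32_t)(c4))

/* Interface-defined (e.g. AIDL-generated) transactions live in this range. */
#define FIRST_CALL_TRANSACTION 0x00000001u
#define LAST_CALL_TRANSACTION  0x00ffffffu

enum code_kind { CODE_USER, CODE_DEFAULT, CODE_UNKNOWN };

/* Hypothetical helper: classify a transaction code. For a default
 * transaction the four-character tag (e.g. "_DMP") is written to tag. */
enum code_kind classify_code(uint32_t code, char tag[5])
{
    unsigned char c[4] = { (unsigned char)(code >> 24), (unsigned char)(code >> 16),
                           (unsigned char)(code >> 8),  (unsigned char)code };
    tag[0] = '\0';
    if (code >= FIRST_CALL_TRANSACTION && code <= LAST_CALL_TRANSACTION)
        return CODE_USER;
    /* Default codes in the table are '_' followed by three capitals. */
    if (c[0] != '_' || !isupper(c[1]) || !isupper(c[2]) || !isupper(c[3]))
        return CODE_UNKNOWN;
    memcpy(tag, c, 4);
    tag[4] = '\0';
    return CODE_DEFAULT;
}

int main(void)
{
    /* Values from Table 9/1-2-b, plus one constructed interface code (3). */
    uint32_t seen[] = { 1598311760u, 1598968902u, 1599098439u, 1599097156u, 3u };
    char tag[5];
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        enum code_kind k = classify_code(seen[i], tag);
        printf("%10u 0x%08x %-9s %s\n", (unsigned)seen[i], (unsigned)seen[i],
               k == CODE_USER ? "interface" :
               k == CODE_DEFAULT ? "default" : "unknown", tag);
    }
    return PACK_CHARS('_', 'D', 'M', 'P') == 1598311760u ? 0 : 1;
}
```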
  • Chapter 11: In 2.4 (Task profiles), after 11/2-16:

    On kernels which support it, libprocessgroup also adjusts /proc/pid/timerslack_ns, which helps coalesce task wakeups, conserving battery life.

  • Chapter 12: android.hardware.dumpstate@1.1:IDumpstateDevice.hal is version 1.1
  • Chapter 13: (before 13/4-5, after mention of msm_adreno_tz) added "… and other governors in /sys/kernel/gpu/gpu_available_governor"
  • (thankfully very few) typos found by James H (thank you! - see below)
  • on page 291 paragraph 3, it is stated that "ps -t" on Android will list Thread. Should be "-T"... (Thanks, John Zou!)

*Sigh* Typos: (These don't get you the BTC bounty, but I still appreciate them!)