Android Internals - Change Log

Volume I:

The Android Volume I Change Log
  • Preface: (BTC is $59k, only a month and a half later.. :-)
  • Chapter 1: Table 1/1-1 - Android versions, with %ages - updated to March 2021 (previous was Feb 2021, though mistakenly said May 2020)
  • Chapter 2:
    • Table 2/4-5 (Samsung Exynos devices) - Added NPU device
      sr100    drivers/uwb/sr100.c    S21 Ultra: Ultra Wide Band (UWB)
      (Thanks to my good friend _@bazad who wrote about the Exynos NPU vulnerability before being taken by the spaceship)
  • Chapter 3:
    • Table 3/4-1 - (Linux pseudo filesystems actively used by Android 11) - Added BinderFS and filled in missing description for FunctionFS:
      /dev/binderfs  binderfs    Linux 5.0+: Dynamic Binder devices (q.v. II/8)
      /dev/usb-ffs   functionfs  USB functions (Gadget driver)
  • Chapter 4:
    • Table 4/2-2 (Qualcomm /vendor/bin) - Added spdaemon which eluded me because it's not used in Google devices..
      spdaemon    Secure Processing Unit (SPU) manager (on non-Google devices)
    • Table 4/2-5 (MTK /vendor/bin) - this was left woefully incomplete. Sorry about that (versioning problem). Here's what it should look like: … (will add this soon)
  • Chapter 8:
    • Added copy_per_line init directive (new in 12.0), and that 'critical' (for services) now takes arguments
    • Table 8/7-1 (cont):
      • Added snapuserd.rc under "System & Volume Management" right after snapshotctl.rc (which it apparently replaces)
      • Filled cppreopts.rc in the table (I had omitted that, sorry)
        cppreopts.rc    Copy preoptimized files
  • Chapter 9:
    • Update of Table 9/5-1 with system_server_dumper
    • Added:

      Android 12 adds the system_server_dumper service. As its name implies, this is a dumpsys-only service with no clients, listing the properties of SystemServer (start count and elapsed time), SystemServiceManager (started service classes) and the SystemServerInitThreadPool.

      before Figure 9/4-3
  • Chapter 10:
    • Table 10/3-6 had some missing fields. Here's all of it:
      Table 10/3-6: The elements in /etc/sysconfig/ and /etc/permissions/ files
      group                                 Global group IDs given to packages (III/2)
      permission                            Built-in UID to permission mappings (III/2)
      assign-permission                     Assign name permission to uid (III/2)
      split-permission                      Split name permission for targetSdk version (III/2)
      library                               Built-in shared libraries
      [unavailable-]feature                 Indicate or hide a platform feature (for <uses-feature>)
      allow-in-power-save[-except-idle]     Allow package to operate even when the device is in different power modes
      allow-unthrottled-location            Allow continuous location updates
      allow-ignore-location-settings        Override location settings
      allow-implicit-broadcast              Exempt broadcast from 8.0 background delivery restrictions
      app-link                              Android application link (II/3)
      system-user-[black|white]listed-app   App may (or may not) run as system user
      default-enabled-vr-app                Default VR Apps
      component-override                    Enabled component overrides
      backup-transport-whitelisted-service  Permitted backup transport service components
      Disabled apps
      [privapp/oem]-permissions             Assign extra permissions
      hidden-api-whitelisted-app            Non-platform apps allowed access to full private API
      allow-association                     Allow target package to interact with allowed package
      app-data-isolation-whitelisted-app    Apps enabled for data isolation
      bugreport-whitelisted                 Allow package to generate bug report
      install-in-user-type                  Install package in user-type (FULL/PROFILE)
      named-actor                           Named actors (used by Overlay service, q.v. II/3)
      overlay-config-signature              Package capable of validating config_signature for overlays (q.v. II/3)
      rollback-whitelisted-app              Apps eligible for enabling rollback
      whitelisted-staged-installer          Installers allowed to commit staged install (II/2)
  • Chapter 13: Thanks to the wonder of writing in HTML, the Google Pixel Powerstats coverage wasn't printed:

    Google documents the IPowerStats.hal in the Source site[psh], and its AIDL is similar. The implementation of the service for Pixel devices (android.hardware.power.stats@1.0-service.pixel) can be found in open source.[psp] Rails data is collected from /sys/bus/iio/devices/iio:device#, and the service recognizes the following power entities:

    Table 13/5-3: The power entities defined by the Google Pixel powerstats implementation
    Entity                        Provider path
    Pixel Visual Core (AirBrush)  /sys/devices/platform/soc/soc:abc-sm/state_stats
    Oslo                          /dev/iaxxx-module-celldrv (via IAXXX_SENSOR_MODE_STATS ioctl(2))
    IAXXX                         /dev/iaxxx-module-celldrv (via IAXXX_POWER_STATS_COUNT ioctl(2))
    Citadel (Titan M)             AIDL to Citadel service
  • References: As an appendix (which somehow got omitted from the first print batch). Now in print and also online at this link
(not yet) v2.0.2
  • Chapter 1:
    • Added note: Bionic is also used outside Android (notably in the hardened GrapheneOS), though Fuchsia's libc is derived from musl[musl].
  • Chapter 2:
    • Updated Mediatek chipset table: Dimensity 1000 is UFS 2.2, 1200 is UFS 3.1 and now has Realme devices:

      Dimensity 1000/L/+ (MT6887/9)
        CPU: 4xA77@2.6GHz + 4xA55@2.2GHz
        GPU: ARM Mali-G77 MC9@800MHz (UFS 2.2)
        6-core APU 3.0
        Devices: Oppo Reno3 5G, Vivo IQOO Z1 5G
      Dimensity 1200 (MT6893)
        CPU: 1x A78 3x A77@2.6GHz + 4xA55@2.2GHz
        GPU: ARM Mali-G77 MC9@800MHz (UFS 3.1)
        6-core APU 3.0
        Devices: Realme GT Neo, X9 Pro
    • Also adding /dev/rpmsg_ctrl# - for Linux Remote Processor Messaging, used by QCom
  • Chapter 3: Android 11 mandates that kernels not support debugfs. Somehow I missed that in the A11 release notes, but learned this the hard way trying to run bindump on a redfin (Pixel 5), which comes with A11 as stock. This breaks my bindump tool.
  • Chapter 5: Added Google's APEX link:
    Google maintains a comprehensive list for these "modular system components"[msc]
  • Chapter 9:
    • Added NativeTombstoneManager to LocalServices table (9/5-4) (realized I had missed it earlier since it came into 11.0, but I now discuss tombstones in II/1):

      c.a.s.os.NativeTombstoneManager    11.0: Manage tombstones and parse protobuf (.pb) tombstone
  • (thankfully very few) typos found by James H (thank you! - see below)
  • On page 291, paragraph 3, it is stated that "ps -t" on Android will list threads. It should be "-T"... (Thanks, John Zou!)

*Sigh* Typos: (These don't get you the BTC bounty, but I still appreciate them!)