Android Internals - Change Log
The Android Volume I Change Log
- Preface: (BTC is $59k, only a month and a half later..
- Chapter 1: Table 1/1-1 - Android versions, with %ages -
updated to March 2021 (previous was Feb 2021, though mistakenly said May
- Chapter 2:
- Table 2/4-5 (Samsung Exynos devices) - Added NPU device
(Thanks to my good friend @_bazad who wrote about the
Exynos NPU vulnerability before being taken by the spaceship)
||S21 Ultra: Ultra Wide Band (UWB)|
- Chapter 3:
- Table 3/4-1 - (Linux pseudo filesystems actively
used by Android 11) - Added BinderFS and filled in missing description for FunctionFS:
|Linux 5.0+: Dynamic Binder devices (q.v. II/8)|
|USB functions (Gadget driver)|
- Chapter 4:
- Table 4/2-2 (Qualcomm /vendor/bin) - Added spdaemon which eluded me
because it's not used in Google devices..
|spdaemon||Secure Processing Unit (SPU) manager (on non-Google devices)|
- Table 4/2-5 (MTK /vendor/bin) - this was left woefully incomplete. Sorry
about that (versioning problem). Here's what it should look like:
… (will add this soon)
- Chapter 8:
init directive (new in
12.0), and that 'critical' (for services) now takes arguments
- Table 8/7-1 (cont):
- Added snapuserd.rc under "System & Volume Management" right after snapshotctl.rc (which it apparently replaces)
- Filled cppreopts.rc in the table (I had omitted that, sorry)
|cppreopts.rc||Copy preoptimized files|
- Update of Table 9/5-1 with
Android 12 adds the before Figure 9/4-3
system_server_dumper service. As its name implies, this is a
dumpsys only service with no clients, listing the properties of
SystemServer (start count and elapsed time),
SystemServiceManager (started service classes) and the
- Added (Before Table 9/3-3, to expand on "dynamic" service lookup):
The client API of
a.os.ServiceManager allows (as of Android 11.0)
Chapter 13: Thanks to the wonder of writing in HTML,
the Google Pixel Powerstats coverage wasn't printed:
Table 10/3-6 had some missing fields. Here's all of it:
Table 10/3-6: The elements in
/etc/sysconfig/ and /etc/permissions/
|Global group IDs given to packages
|Built-in UID to permission mappings
targetSdk version (III/2)
| Built-in shared libraries |
|Indicate or hide a platform
feature (for |
package to operate even device is in different
continuous location updates|
| Override location
|Exempt broadcast from
8.0 background delivery restrictions|
|Android application link
|App may (or
may not) run as |
|Default VR Apps|
backup transport service components|
allowed access to full private API|
package to interact with
for data isolation|
to generate bug report
|Named actors (used by Overlay
service, q.v. II/3)|
|Package capable of
config_signature for overlays (q.v. II/3)
|Apps eligible for
to commit staged install (II/2)|
Google documents the
IPowerStats.hal in the Source
site[psh], and its AIDL is similar. The implementation of
the service for Pixel devices
email@example.com) can be found
open source.[psp] Rails data is collected from
/sys/bus/iio/devices/iio:device#, and the service
recognizes the following power entities:
Table 13/5-3: The power entities defined by the
Google Pixel powerstats implementation
References: As an appendix (which somehow got omitted
from the first print batch). Now in print and also online at this link
|Pixel Visual Core
|Citadel (Titan M)||AIDL to Citadel
|(any day now, 10/12/2021)|| v2.0.2||
- BTC is down to
$50k $47k $55k. Sheesh
- Added a GREAT tip for starting ADB with env/startup options specified for
shell - Thanks to @KingOfPhp:
- Chapter 1:
- Added note: Bionic is also used outside Android (notably in the hardened GrapheneOS),
though Fuchsia's libc is derived from musl[musl].
- Updated Figure 1-3/10 to reflect cases where the HIDL server doesn't access
hardware directly, but rather through yet another vendor daemon (very popular,
and I discuss it in II/8, but somehow the illustration didn't reflect it). So now
it looks like this:
- Chapter 2:
- Updated Table 2/1-1 for ARMv9 launch (happened after v2.0.1 came out...)
|v9||A510, A710||Confidential Compute Architecture (CCA), SVE2, Transactional Memory Extension (TME)|
- Updated Mediatek chipset table: Dimensity 1000 is UFS 2.2,
1200 is UFS 3.1 and now has Realme devices:
|Dimensity 1000/L/+ (MT6887/9)||CPU: 4xA77@2.6Ghz +
GPU: ARM Mali-G77 MC9@800Mhz (UFS 2.2)
6-core APU 3.0
|Oppo Reno3 5G, |
Vivo IQOO Z1
|Dimensity 1200 (MT6893) ||CPU: 1x A78 3x A77@2.6Ghz +
GPU: ARM Mali-G77 MC9@800Mhz (UFS 3.1)
6-core APU 3.0
|Realme GT Neo, X9 Pro|
- Also adding
/dev/rpmsg_ctrl# - for Linux Remote Processor
Messaging, used by QCom
- Added footnote for Huawei -
* - The US-imposed ban, along with a worldwide chip shortage in 2021, continues
to take its toll on Huawei - its P50 line of phones not only uses the
Qualcomm Snapdragon 888 chipset, but further ships without 5G capabilities.
The phones ship with HarmonyOS 2.0.
- Chapter 3:
- Android 11 mandates kernels not support
debugfs. Somehow I missed that in the A11 release notes, but learned this the hard way trying to run bindump on a redfin
(Pixel 5), which comes with A11 as stock. This breaks my
- Note that packages.xml is now ABX! (also, @@TODO no <perms>
- Chapter 5:
- Added Google's APEX link:
Google maintains a comprehensive list for these "modular
- Changed Table 5/4-1 (Standard directories created by Android on
SD-Cards) to an output
- Chapter 9:
- Added a table of the Binder default transactions I had originally set for
Volume II/7 in place of the paragraph listing them (it made sense, now that 11.0 and 12.0 add even more):
Table 9/1-2-b: Default Transaction Codes supported by
(almost) all Binder objects
|Requests full dump of service state to specified
fd according to optional arguments. Used by
|Requests interface of service object behind handle.
Expects UTF-16 interface name as reply
|Command interface for
|Deprecated: Calls |
report_sysprop_change() and any property callbacks
|Null transaction ensuring service object is alive.
an extension |
BBinder for object
|11.0: Return service's process
identifier (i.e. |
|12.0 (debug builds, |
BINDER_RPC_DEV_SERVERS,) set socket FD
- Also added a footnote:
- @TODO: I'll update Output 9/4-4 (Threads of
new service threads in 12 once the dust settles)
- Added NativeTombstoneManager to LocalServices table (9/5-4)
(realized I had missed it earlier since it came into 11.0, but I now discuss tombstones in II/1):
Manage tombstones and parse protobuf (.pb) tombstones (II/1)|
- Chapter 11:
- In 2.4 (Task profiles), after 11/2-16:
On kernels which support it, libprocessgroup also adjusts
/proc/pid/timerslack_ns, which helps coalesce task wakeups, conserving battery life.
- In lmkd:
The daemon can thus adjust the "killability" of processes based on the activity state, or other factors (background threads, application services, etc). Google describes the considerations in the
- Chapter 12:
firstname.lastname@example.org:IDumpstateDevice.hal is version 1.1
- Chapter 13: (before 13/4-5, after mention of
msm_adreno_tz) added "… and other governors
- (thankfully very few) typos found by James H (thank you! - see below)
- on page 291 paragraph 3, it is stated that "ps -t" on Android will list
Thread. Should be "-T"... (Thanks, John Zou!)
*Sigh* Typos: (These don't get you the BTC bounty, but I still
- Fixed in v2.0.2 (thanks to James H!):
Page 24, 3.9.2 (Androidisms), ASHMem bullet, second sentence, 'created' to 'create'
Page 24, 3.9.2 (Androidisms), ASHMem bullet, third sentence, 'require' to 'required'
page 87, 4.4 (debugfs), First paragraph, second sentence, sentence terminates without a complete thought: which (as with the other pseudo-filesystems)
page 113, 3 (/data), third bullet point, first sentence, 'but would greatly mitigating' to 'but would greatly mitigate'
page 164, 1 (Android Device Images), second paragraph, second sentence, 'OTA images are arrive at' to 'OTA images arrive at'
page 165, 1.1 (Factory Images), first paragraph, second sentence, 'All are all Qualcomm' to 'All are Qualcomm'
page 197, 1.3 (TrustZone/Hypervisor), second paragraph, first sentence, 'ennvironment' to 'environment'
page 198, 1.4.1 (Little Kernel), Apps bullet, first sentence, 'in a full kernel-drive OS' to 'in a full kernel driven OS'
page 214, 1 (The roles and responsibilities of init), first paragraph, second sentence, 'which read' to 'which reads'
page 236, 6 (Zygote), third paragraph, second sentence, 'suchlrequests' to 'such requests'
page 239, 7 (Android Daemons, at a glance), third paragraph, last sentence, 'so that the daemon be able to connect' to 'so that the daemon is able to connect'
page 250, 3 (The servicemanager), fourth paragraph, third sentence, 'to establishes' to 'to establish'
page 259, 5 (A bird's eye view of framework services), last paragraph, 'aims to tackles' to 'aims to tackle'
page 268, 1.2 (The user service), second paragraph, first line, 'inintially' to 'initially'
page 278, 3.3 (The settings service), last paragraph, first line, missing a parenthesis
page 280, 3.5 (Server Configurable Flags), first paragraph, first line, 'especciallyl' to 'especially'
page 286, 1.2 (The cmdline and comm), second to last paragraph in experiment, second line, Mentions /lib64 for 32-bit apps.
page 293, 1.5.2 (Thread states and context switches), last paragraph, last sentence, 'The Zombies are also find peace' to 'The Zombies also find peace' [Aside: your description of Zombies was rather amusing]
page 339, 1.2 (DropBox), first paragraph, last sentence, extra comma at beginning of sentence and 'logs' to 'log' later in the sentence.
page 343, 2.13 (The shell interface), second paragraph, last sentence, 'manny' to 'many'
page 345, 2.16 (Output files), table 12/2-9, first row, @TODO entry? Intentional?
page 347, 2.4 (dumpstate/bugreport), second paragraph, second sentence, 'onsists' to 'consists'
page 391, 4.4 (Idle Governors), first paragraph of experiment section, missing a parenthesis