Android Internals::A Confectioner's Cookbook TOC Online Index ChangeLog Device Database

Android Internals - Change Log

Volume I:

Volume II

The Android Volume I Change Log
  • Preface: (BTC is $59k, only a month and a half later.. :-)
  • Chapter 1: Table 1/1-1 - Android versions, with %ages - updated to March 2021 (previous was Feb 2021, though mistakenly said May 2020)
  • Chapter 2:
    • Table 2/4-5 (Samsung Exynos devices) - Added NPU device
      sr100drivers/uwb/sr100.c S21 Ultra: Ultra Wide Band (UWB)
      (Thanks to my good friend _@bazad who wrote about the Exynos NPU vulnerability before being taken by the spaceship)
  • Chapter 3:
    • Table 3/4-1 - (Linux pseudo filesystems actively used by Android 11) - Added BinderFS and filled in missing description for FunctionFS:
      /dev/binderfsbinderfsLinux 5.0+: Dynamic Binder devices (q.v. II/8)
      /dev/usb-ffsfunctionfsUSB functions (Gadget driver)
  • Chapter 4:
    • Table 4/2-2 (Qualcomm /vendor/bin) - Added spdaemon which eluded me because it's not used in Google devices..
      spdaemonSecure Processing Unit (SPU) manager (on non-Google devices)
    • Table 4/2-5 (MTK /vendor/bin) - this was left woefully incomplete. Sorry about that (versioning problem). Here's what it should look like: … (will add this soon)
  • Chapter 8:
    • Added copy_per_line init directive (new in 12.0), and that 'critical' (for services) now takes arguments
    • Table 8/7-1 (cont):
      • Added snapuserd.rc under "System & Volume Management" right after snapshotctl.rc (which it apparently replaces)
      • Filled cppreopts.rc in the table (I had omitted that, sorry)
        cppreopts.rcCopy preoptimized files
  • Chapter 9:
    • Update of Table 9/5-1 with system_server_dumper
    • Added:

      Android 12 adds the system_server_dumper service. As its name implies, this is a dumpsys only service with no clients, listing the properties of SystemServer (start count and elapsed time), SystemServiceManager (started service classes) and the SystemServerInitThreadPool.

      before Figure 9/4-3
    • Added (Before Table 9/3-3, to expand on "dynamic" service lookup):

      The client API of a.os.ServiceManager allows (as of Android 11.0) the waitFor[Declared]Service(svcName) methods.

  • Chapter 10:
    • Table 10/3-6 had some missing fields. Here's all of it:
      Table 10/3-6: The elements in /etc/sysconfig/ and /etc/permissions/ files
      groupGlobal group IDs given to packages (III/2)
      permissionBuilt-in UID to permission mappings (III/2)
      assign-permissionAssign name permission to uid (III/2)
      split-permissionSplit name permission for targetSdk version (III/2)
      library Built-in shared libraries
      [unavailable-]featureIndicate or hide a platform feature (for <uses-feature>)
      allow-in-power-save[-except-idle]Allow package to operate even device is in different power modes
      allow-unthrottled-locationAllow continuous location updates
      allow-ignore-location-settings Override location settings
      allow-implicit-broadcastExempt broadcast from 8.0 background delivery restrictions
      app-linkAndroid application link (II/3)
      system-user-[black|white]listed-appApp may (or may not) run as system user
      default-enabled-vr-appDefault VR Apps
      component-overrideEnabled component overrides
      backup-transport-whitelisted-servicePermitted backup transport service components
      Disabled apps
      [privapp/oem]-permissionsAssign extra permissions
      hidden-api-whitelisted-appNon-platform apps allowed access to full private API
      allow-associationAllow target package to interact with allowed package
      app-data-isolation-whitelisted-appApps enabled for data isolation
      bugreport-whitelistedAllow package to generate bug report
      install-in-user-typeInstall package in user-type (FULL/PROFILE)
      named-actorNamed actors (used by Overlay service, q.v. II/3)
      overlay-config-signaturePackage capable of validating config_signature for overlays (q.v. II/3)
      rollback-whitelisted-appApps eligible for enabling rollback
      whitelisted-staged-installerInstallers allowed to commit staged install (II/2)
  • Chapter 13: Thanks to the wonder of writing in HTML, the Google Pixel Powerstats coverage wasn't printed:

    Google documents the IPowerStats.hal in the Source site[psh], and its AIDL is similar. The implementation of the service for Pixel devices (android.hardware.power.stats@1.0-service.pixel) can be found in open source.[psp] Rails data is collected from /sys/bus/iio/devices/iio:device#, and the service recognizes the following power entities:

    Table 13/5-3:: The power entities defined by the Google Pixel powerstats implementation
    EntityProvider path
    Pixel Visual Core (AirBrush)/sys/devices/platform/soc/soc:abc-sm/state_stats
    Oslo/dev/iaxxx-module-celldrv (via IAXXX_SENSOR_MODE_STATS ioctl(2))
    IAXXX/dev/iaxxx-module-celldrv (via IAXXX_POWER_STATS_COUNT ioctl(2))
    Citadel (Titan M)AIDL to Citadel service
  • References: As an appendix (which somehow got omitted from the first print batch). Now in print and also online at this link
(11/09/2021) v2.1
  • Preface:
    • BTC is down to $38k $50k$47k $55k $66k. Sheesh
    • Added a GREAT tip for starting ADB with env/startup options specified for shell - Thanks to @KingOfPhp:
  • Chapter 1:
    • Added note: Bionic is also used outside Android (notably in the hardened GrapheneOS), though Fuchsia's libc is derived from musl[musl].
    • Updated Figure 1-3/10 to reflect cases where HIDL server doesn't access hardware directly, but rather through yet another vendor daemon (very popular, and I discuss it in II/8, but somehow illustration didn't reflect it). So now it looks like this:
  • Chapter 2:
    • Updated Table 2/1-1 for ARMv9 launch (happened after v2.0.1 came out...)
      v9A510, A710Confidential Compute Architecture (CCA), SVE2, Transactional Memory Extension (TME)
    • Updated Mediatek chipset table: Dimensity 1000 is UFS 2.2, 1200 is UFS 3.1 and now has Realme devices:

      Dimensity 1000/L/+ (MT6887/9)CPU: 4xA77@2.6Ghz + 4xA55@2.2Ghz
      GPU: ARM Mali-G77 MC9@800Mhz (UFS 2.2)
      6-core APU 3.0
      Oppo Reno3 5G,
      Vivo IQOO Z1 5G
      Dimensity 1200 (MT6893) CPU: 1x A78 3x A77@2.6Ghz + 4xA55@2.2Ghz
      GPU: ARM Mali-G77 MC9@800Mhz (UFS 3.1)
      6-core APU 3.0
      Realme GT Neo, X9 Pro
    • Update Samsung Chipset table with Pixel 6[XL]
    • Also adding /dev/rpmsg_ctrl# - for Linux Remote Processor Messaging, used by QCom
    • 2/4.1.1 - Google Devices (up to but not including Pixel 6) use Qualcomm Chipsets
    • Added footnote for Huawei -

      * - The US imposed ban, along with a worldwide chip shortage in 2021, continue to take its toll on Huawei - it's P50 line of phones not only uses the Qualcomm SnapDragon 888 chipset, but further ships without 5G capabilities. The phones ship with HarmonyOS 2.0.
  • Chapter 3:
    • Android 11 mandates kernels not support debugfs. Somehow I missed that in the A11 release notes, but learned this the hard way trying to run bindump on a redfin (Pixel 5), which comes with A11 as stock. This breaks my bindump tool.
    • Note that packages.xml is now ABX! (also, @@TODO no <perms> element)
  • Chapter 5:
    • Added Google's APEX link:
      Google maintains a comprehensive list for these "modular system components"[msc]
    • Changed Table 5/4-1 (Standard directories created by Android on SD-Cards) to an output
    • Output 5/1-2: The loop mounts of apexd - added ls -l /sys/devices (Thanks, Woody!)

      Output 5/1-2: The loop mounts of apexd
      # filter '@version' entries, differentiating from  non-versioned bind
      flame:/ $ mount | grep loop | grep @
      /dev/block/loop6 on /apex/
      type ext4 (ro,dirsync,seclabel,nodev,noatime)
      /dev/block/loop27 on /apex/
      type ext4 (ro,dirsync,seclabel,nodev,noatime)
      # The loop-mounted image can be found through the /sys filesystem
      # (though this requires root)
      flame:/ # cat
  • Chapter 6: Pixel 6[XL] and onward use FBPKv2
  • Chapter 9:
    • Added a table of the Binder default transactions I had originally set for Volume II/7 in place of the paragraph listing them (it made sense, now that 11.0 and 12.0 add even more):

      Table 9/1-2-b: Default Transaction Codes supported by (almost) all Binder objects
      ConstantValueDefault Behavior
      DUMP_TRANSACTION_DMP (1598311760)Requests full dump of service state to specified fd according to optional arguments. Used by dumpsys
      INTERFACE_TRANSACTION_NTF (1598968902)Requests interface of service object behind handle.
      Expects UTF-16 interface name as reply
      SHELL_COMMAND_TRANSACTION_CMD (1598246212)Command interface for /system/bin/cmd
      SYSPROPS_TRANSACTION_SPR (1599295570)Deprecated: Calls libutils's report_sysprop_change() and any property callbacks
      PING_TRANSACTION_PNG (1599098439)Null transaction ensuring service object is alive.
      EXTENSION_TRANSACTION_EXT (1598380116)11.0: Pass an extension BBinder for object
      DEBUG_PID_TRANSACTION_PID (1599097156)11.0: Return service's process identifier (i.e. getpid())
      SET_RPC_CLIENT_TRANSACTION_RPC (1599230019)12.0 (debug builds, #if BINDER_RPC_DEV_SERVERS,) set socket FD
    • Also emphasized webview_zygote does not randomize its address space relative to other Zygote[64] instances.
    • Also added a footnote:
      * - Using interfaces could ostensibly enable a design in which a single service endpoint could support multiple interfaces or "personalities", though in practice Binder associates a single interface name with an endpoint.
    • @TODO: I'll update Output 9/4-4 (Threads of system_server for new service threads in 12 once the dust settles)
    • Added NativeTombstoneManager to LocalServices table (9/5-4) (realized I had missed it earlier since it came into 11.0 but I now discuss tombstones now in II/1):

      c.a.s.os.NativeTombstoneManager11.0: Manage tombstones and parse protobuf (.pb) tombstones (II/1)
  • Chapter 10: Added people service
  • Chapter 11:
    • In 2.4 (Task profiles), after 11/2-16:

      On kernels which support it, libprocessgroup also adjust /proc/pid/timerslack_ns, which helps coalesce task wakeups, conserving battery life.

    • In lmkd:

      The daemon can thus adjust the "killability" of processes based on the activity state, or other factors (background threads, application services, etc). Google describes the considerations in the ActivityManagerService's OOMAdjuster documentation.[ooma]

    • Added performance_hint details (IHintSession, etc. and dumpsys performance_hint from a Pixel 6)
  • Chapter 12: android.hardware.dumpstate@1.1:IDumpstateDevice.hal is version 1.1
  • Chapter 13: (before 13/4-5, after mention of msm_adreno_tz) added "… and other governors in /sys/kernel/gpu/gpu_available_governor"
  • (thankfully very few) typos found by James H (thank you! - see below)
  • on page 291 paragraph 3, it is stated that "ps -t" on Android will list Thread. Should be "-T"... (Thanks, John Zou!)
  • Book-wide: All refs to II/.. corrected with final chapter numbers and some moved to "IV" (sorry...)
  • Chapter 1::
    • Android 13 , obviously
    • Table 1/1-1 updated for September 2022, with statistics from Statista
  • Chapter 2:
    • Expanded with ARMv8.6/8.7 and ARMv9.x
    • Table 2/1-3 now has snapdragon 8 Gen 1. Under ARM Cortex, three rows:
      CPU partCore Type
      Also made note under ARMv8.3 ARMv8.5 and ARMv8.6 that the first chipsets to support MTE, when enabled in kernel) is the 8Gen1 and Dimensity 9000
    • Make note of /vendor/bin/rebalance_interrupts-vendor in Pixel 6
    • Note Dimensity 9000 (just announced) and SnapDragon 8 Gen 1. Wen eta Exynos? :-P
  • Chapter 3: EROFS - noted that some vendors (notably, XiaoMi with the Mi 12 filesystem images) have begun to follow in adoption, as well as Google's adoption in 13.0 native phones for r/o filesystems
  • Chapter 4: Table 4/1-8 : Added
    uinput11.0: Simulate input events with UHID
  • Chapter 5: Made note that several APEX bundles come from AOSP's packages/modules. Tie to II/1. Also noted "capex" in Android 13 DP1 (WHY, GOOGL, WHY? Unzipping a double signed payload wasn't enough??):

    Android 12 (practically, 13) adds support for compressed APEX files[capex], identified by their .capex extension. As with normal APEX, these are ZIP files containing the manifest (in protobuf and XML form) as well as the apex_pubkey, with the original (i.e. normally archived but otherwise uncompressed) APEX deflated inside. This aims to reduce the space taken for /system/apex, under the assumption that the APEXes within it will inevitably be updated (and thus, loaded from /data/apex, obviating the need for the pre-installed versions).

  • Chapter 9: Table 9/5-1 - added "attention" under Application Services (yes, I know, it slipped my attention. meh). Also corrected binder_calls_stats (erroneously listed as "…call_stats" and mentioned twice in table..)
  • Chapter 10: Table 10/3-6 accidentally omitted "feature" - that's where PMS gets its getSystemAvailableFeatures() AIDL method (which is noted below table)
  • Chapter 12: mention dumpstate logs in (/data/user_de/0/

  • Android 13 changes (ongoing list before I integrate it into next book update:

    • ARMv9 devices (SD 8Gen1, and 2022+ chipsets) - can also support ARMv8.5 MTE. Made note about support in hw and :

      Android 13 native devices (late 2022) are expected to offer MTE (through ARMv9, and thus v8.5 compatible chipsets), and AOSP supports setting it through the bootloader, android:memtagMode Manifest tag, and arm64.memtag.process.* properties, as documented by Google [amte] and discussed in III.

    • Chapter 7: Added, after Listing 7/3-4:

      Android 13 extends the misc_system_space_layout with a misc_memtag_message, identifiable by its magic of 0x5afefe5a, to provide the ARMv8.5 MTE hint for the OS, as discussed in III.

    • Chapter 9: Added services to table
    • ILogcatManagerService - logcat privileged requests narc
    • safety_center: [android.safetycenter.ISafetyCenterManager] virtualdevice: [android.companion.virtual.IVirtualDeviceManager] (EXCITING! - Either for Vol III or IV, not sure) selection_toolbar: [android.view.selectiontoolbar.ISelectionToolbarManager] ambient_context: snore/cough detection, really???? IGameService... (will go into IV) IAttestationVerification[Manager]Service.aidl (will go into III)
    • Chapter 10: Added ISystemConfig to Table 10/3-7:
      Table 10/3-7: The methods exposed by the android.os.ISystemConfig AIDL
      int[] getSystemPermissionUids(perm)12.0: Get UIDs holding perm
      List getEnabledComponentOverrides(pkgName)13.0: Get enabled component overrides (in pkgName)
    • Chapter 11: Added description of the tare ("The Android Resource Economy") service with dumpsys and link to very detailed in sources
    • Chapter 12: ILogcatManagerService detail (too long to list here)
    Chapter 2
    • Updated ARM processor table IDs to include Cortex X4, A520, A720
    • Updated QCom chipset table to include SD8650 (8 Gen 3)
    Chapter 10
    Table 10/3-6: The elements in /etc/sysconfig/ and /etc/permissions/ files - updates:
    allow-adas-location-settings13.0: package and attributionTag
    bg-restriction-exemption13.0: allow package bg
    automatic-rollback-denylisted-app14.0: Prevent apps from being rolled back
    install-constraints-allowed14.0: impose installation constraints
    update-ownership14.0: Set package installer
    initial-package-state14.0: Set package to stopped
    asl-file14.0: package and path

    *Sigh* Typos: (These don't get you the BTC bounty, but I still appreciate them!)

    Volume II:

    Chapter 4 - AMS

    Output 4/3-2 (detailing app spawning by jtraceing Zygote) somehow had the red-on-black misprinted, thus missing the Zygote arguments. Sorry about that. Here is what it should look like:

    Chapter R -

    Added the Online References for the book

    Chapter 1 - AOSP & Bionic
    • Bionic now compilable for Risc-V!
    • Updated all APEX packages in 14.0: *-I'll need to update Vol I for mgmt and config - new full chapter coming soon, from the looks of things..
      ConfigInfrastructure14.0: Device configuration support (I*)
      CrashRecovery14.0: currently empty
      DeviceLock14.0: Device locking (III)
      HealthFitness14.0: Health & Fitness (OOS)
      ImsMedia14.0: IMS Media (IV)
      OnDevicePersonalization14.0: User-oriented feature customization (I*)
      RemoteKeyProvisioning14.0: Remote Key Provisioning (III)
      ThreadNetwork14.0: Thread (networking) protocol support (IV)
    • Added Output 1/1-13: Demonstrating new API calls in Bionic, for API level 34, after mention of the __INTRODUCED_IN[/_ARM/_x86/_32/_64](apiLevel) note.
    • M_PURGE_ALL (-104)
    • (Not in book but still noted here , from their md documentation)
      * `close_range` and `copy_file_range` (Linux-specific GNU extensions).
      * `memset_explicit` in  (C23 addition).
      * `__freadahead` in  (in musl but not glibc).
      * `posix_spawn_file_actions_addchdir_np` and
      `posix_spawn_file_actions_addfchdir_np` in  (in musl/glibc and macOS,
      but not iOS).
    Chapter 7 - ART
    • ART/OAT: 108/230 , respectively. @@TODO: update Dextra
    • Added artd section to Volume II (note: artd was technically introduced in 13.0, but its AIDL then only had “isAlive()”, so wasn’t worth a mention in the book. The book considers it to be officially introduced in 14.0.
    • Android 14 introduces artd as a helper daemon to facilitate ART profiling and general maintenance, including invoking dex2oat (still referred to as dexopt). The main aim is to outsource the tasks requiring elevated permissions from system_server to this daemon. The documentation states this is method is the default from 14.0 onwards, but refers to the previous method of invocation directly from the PackageManager (in 4.1) as a "legacy implementation", which will be removed in 15.0

    • Note in DEX/ART Management (3/3.3.4) about eventual deprecation
    • Note "safer" DCL (ensure read only)

    Added in 1.4, after note on VDEX:

    Overall, there are some 14 ART/OAT files, making up the full runtime and Android framework support. Although they are separate files, they are rife with cross file links - from ARTs to OATs (and vice versa), and to other ARTs/OATs (notably, back references to and boot.oat). The system_server additionally loads services.[art/oat], with code from f/b/services.

    All ARTs are loaded and decompressed (i.e, into a read/write anonymous mapping) at fixed addresses in the 0x7xxxxxxx range (but adjusted by a runtime slide), next to their corresponding OATs. The ARTs are also mmap(2)ed (in a read-only, uncompressed mapping) at a higher address. Table 7/1-1 shows the ARTs, by their usual load order:

    Table 7/1-1: The ART files loaded into Zygote
    ART fileContains
    /system/framework/boot.artMain runtime
    /system/framework/boot-core-libart.artCore support classes
    /system/framework/boot-okhttp.artOK HTTP
    /system/framework/boot-bouncycastle.artBouncy Castle crytpo support
    /system/framework/boot-apache-xml.artApache XML support
    /system/framework/boot-framework.artRuntime frameworks
    /system/framework/boot-framework-graphics.artRuntime Graphics support
    /system/framework/boot-ext.artBoot extensions
    /system/framework/boot-telephony-common.artTelephony support (See IV)
    /system/framework/boot-voip-common.artVoIP/SIP (see IV)
    /system/framework/boot-ims-common.artInternet Multimedia Services (see IV)
    /system/framework/boot-core-icu4j.artUnicode support classes
    /system/framework/boot-framework-adservices.art14.0: Ad services
    Chapter 8
  • (btw, JTrace is now up to date with these changes)
    • Added BINDER_GET_EXTENDED_ERROR to Table 8/5-2: Binder ioctl(2) codes
    • Updated Figure 8/5-7: The binder_transaction_data structure to shown TF_UPDATE_TXN flag (0x40), and emphasized sender_* fields are set/overwritten by driver (a major tenet for Binder security..)
    • Added BR_TRANSACTION_PENDING_FROZEN (in Table 8/5-6: Binder reply (i.e. driver → user) codes):
      TRANSACTION_PENDING_FROZEN0x0000721414.0: pending on frozen target

  • Android 13 Changes for Vol II (again, running list, not yet in book)

  • @TODO: AMS's internal services (cacheinfo, processinfo, etc maybe need their own detail? Not sure about that since they're really so basic)
  • @JavaDerive(equals = true, toString = true) AIDL annotation - e.g. Identity.aid l
  • Bionic, Chapter 2, on MTE:

    MTE is supported by Bionic as of 12. As v2.2 of this book goes to print, Android 13 makes MTE support formal, adding it as a bootloader provided option and/or configurable system property. This remarkably not only catches up with Apple Silicon (which adopted ARMv8.3 PAC three years earlier), but also leaves it behind, as iOS16 on the latest Apple chipset (A16) does not use MTE.

  • Chapter 5: Added update_lock (really minor service, but.. in the interest of catching 'em all..)
  • IPMS:

    Running list of Android 14 changes

    (The tables look a lot better in book, with shading for 13.0 and 14.0 rows..) Volume I:
  • 10String[] getUpdatableNames(apexName)14.0: Get all instances updatable by the apexName
    (Google preaches Stable AIDL, but their own AIDLs aren’t so stable, after all..)
  • 11/2.7. - TARE: Service responds to getEnabledMode() as of 14

  • Volume II:
  • Chapter 4:
  • Chapter 5:

  • Volume IV:
  • 14: DISALLOW_ULTRA_WIDEBAND_RADIO (for vol 1 chapter 10)
  • IUserManager:
  • <     boolean isUserSwitcherEnabled(int mUserId);
    <     boolean setUserEphemeral(int userId, boolean enableEphemeral);

    New Services in A14:
    > services_manager: []
    > background_install_control: []
    > credential: [android.credentials.ICredentialManager]
    > device_lock: [android.devicelock.IDeviceLockService] - for III
    > grammatical_inflection: []
    > healthconnect: []
    > nfc: [android.nfc.INfcAdapter]
    > ondevicepersonalization_system_service: []
    > remote_provisioning: []
    > selection_toolbar: [android.view.selectiontoolbar.ISelectionToolbarManager]
    > wearable_sensing: []