(Thanks to my good friend _@bazad who wrote about the
Exynos NPU vulnerability before being taken by the spaceship)
Chapter 3:
Table 3/4-1 - (Linux pseudo filesystems actively used by Android 11) - Added BinderFS and filled in the missing description for FunctionFS:

Mount point       Filesystem    Description
/dev/binderfs     binderfs      Linux 5.0+: Dynamic Binder devices (q.v. II/8)
/dev/usb-ffs      functionfs    USB functions (Gadget driver)
Chapter 4:
Table 4/2-2 (Qualcomm /vendor/bin) - Added spdaemon, which eluded me because it's not used in Google devices:

spdaemon    Secure Processing Unit (SPU) manager (on non-Google devices)
Table 4/2-5 (MTK /vendor/bin) - this was left woefully incomplete. Sorry
about that (versioning problem). Here's what it should look like:
… (will add this soon)
Chapter 8:
Added the copy_per_line init directive (new in 12.0), and noted that 'critical' (for services) now takes arguments
Table 8/7-1 (cont):
Added snapuserd.rc under "System & Volume Management" right after snapshotctl.rc (which it apparently replaces)
Filled cppreopts.rc in the table (I had omitted that, sorry)
cppreopts.rc
Copy preoptimized files
Chapter 9:
Update of Table 9/5-1 with system_server_dumper
Added (before Figure 9/4-3):
Android 12 adds the system_server_dumper service. As its name implies, this is a dumpsys-only service with no clients, listing the properties of SystemServer (start count and elapsed time), SystemServiceManager (started service classes) and the SystemServerInitThreadPool.
Added (before Table 9/3-3, to expand on "dynamic" service lookup):
The client API of a.os.ServiceManager exposes (as of Android 11.0) the waitFor[Declared]Service(svcName) methods.
Chapter 10:
Table 10/3-6 had some missing fields. Here's all of it:

Table 10/3-6: The elements in /etc/sysconfig/ and /etc/permissions/ files

Element                               Meaning
group                                 Global group IDs given to packages (III/2)
permission                            Built-in UID to permission mappings (III/2)
assign-permission                     Assign permission (name) to uid (III/2)
split-permission                      Split permission (name) for targetSdk version (III/2)
library                               Built-in shared libraries
[unavailable-]feature                 Indicate or hide a platform feature (for <uses-feature>)
allow-in-power-save[-except-idle]     Allow package to operate even when the device is in different power modes
allow-in-data-usage-save              Exempt package from Data Saver (background data) restrictions
allow-unthrottled-location            Allow continuous location updates
allow-ignore-location-settings        Override location settings
allow-implicit-broadcast              Exempt broadcast from 8.0 background delivery restrictions
                                      Non-platform apps allowed access to full private API
allow-association                     Allow target package to interact with allowed package
app-data-isolation-whitelisted-app    Apps enabled for data isolation
bugreport-whitelisted                 Allow package to generate bug report
install-in-user-type                  Install package in user-type (FULL/PROFILE)
named-actor                           Named actors (used by Overlay service, q.v. II/3)
overlay-config-signature              Package capable of validating config_signature for overlays (q.v. II/3)
rollback-whitelisted-app              Apps eligible for enabling rollback
whitelisted-staged-installer          Installers allowed to commit staged install (II/2)
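Since every one of these elements is a grant of some platform exemption, the first thing worth doing with a new OEM image is to parse the files under /etc/sysconfig/ and /etc/permissions/ and see which packages collect the most of them. The following is an added example (mine, not code from the book or from AOSP's SystemConfig.java): it parses a constructed sample file using the element names from the table above, with the child-element and attribute names (group/gid, new-permission, install-in/user-type, package, target/allowed, action) as I know them from the XML format; anything beyond those names is an assumption of the example.

```python
"""
Parse a <permissions> XML file of the kind found under /etc/sysconfig/ and
/etc/permissions/ (system, system_ext, product and vendor each carry their own)
and summarise which packages have been granted which platform exemptions.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample, not copied from any device; element names follow
# Table 10/3-6, attribute and child names follow the on-device XML format.
SAMPLE_SYSCONFIG = """<?xml version="1.0" encoding="utf-8"?>
<permissions>
    <group gid="net_bw_stats" />
    <permission name="android.permission.BLUETOOTH_ADMIN">
        <group gid="net_bt_admin" />
    </permission>
    <assign-permission name="android.permission.MODIFY_AUDIO_SETTINGS" uid="media" />
    <assign-permission name="android.permission.ACCESS_SURFACE_FLINGER" uid="media" />
    <split-permission name="android.permission.ACCESS_FINE_LOCATION" targetSdk="29">
        <new-permission name="android.permission.ACCESS_BACKGROUND_LOCATION" />
    </split-permission>
    <library name="android.test.base" file="/system/framework/android.test.base.jar" />
    <feature name="android.hardware.wifi" />
    <unavailable-feature name="android.hardware.telephony" />
    <allow-in-power-save package="com.example.oem.sync" />
    <allow-in-power-save-except-idle package="com.example.oem.messaging" />
    <allow-in-data-usage-save package="com.example.oem.sync" />
    <allow-unthrottled-location package="com.example.oem.sync" />
    <allow-ignore-location-settings package="com.example.oem.sync" />
    <allow-implicit-broadcast action="android.intent.action.MY_PACKAGE_REPLACED" />
    <allow-association target="com.example.oem.sync" allowed="com.example.oem.messaging" />
    <bugreport-whitelisted package="com.example.oem.diag" />
    <install-in-user-type package="com.example.oem.diag">
        <install-in user-type="FULL" />
    </install-in-user-type>
    <rollback-whitelisted-app package="com.example.oem.sync" />
    <whitelisted-staged-installer package="com.example.oem.installer" />
</permissions>
"""

# Elements whose single "package" attribute names the exempted package.
PACKAGE_EXEMPTIONS = (
    "allow-in-power-save", "allow-in-power-save-except-idle",
    "allow-in-data-usage-save", "allow-unthrottled-location",
    "allow-ignore-location-settings", "bugreport-whitelisted",
    "app-data-isolation-whitelisted-app", "rollback-whitelisted-app",
    "whitelisted-staged-installer",
)


def parse_sysconfig(xml_text):
    """Build a dict of the grants in one sysconfig/permissions file."""
    root = ET.fromstring(xml_text)
    if root.tag != "permissions":
        raise ValueError(f"unexpected root element <{root.tag}>")
    cfg = {
        "permission_gids": {},                       # permission -> [gid, ...]
        "assigned_permissions": defaultdict(list),   # uid -> [permission, ...]
        "split_permissions": {},                     # old -> (targetSdk, [new, ...])
        "features": set(),
        "unavailable_features": set(),
        "exemptions": defaultdict(list),             # element tag -> [package, ...]
        "associations": [],                          # (target, allowed)
        "implicit_broadcasts": [],
    }
    for el in root:
        if el.tag == "permission":
            cfg["permission_gids"][el.get("name")] = [g.get("gid") for g in el.findall("group")]
        elif el.tag == "assign-permission":
            cfg["assigned_permissions"][el.get("uid")].append(el.get("name"))
        elif el.tag == "split-permission":
            cfg["split_permissions"][el.get("name")] = (
                int(el.get("targetSdk", 0)),
                [n.get("name") for n in el.findall("new-permission")],
            )
        elif el.tag == "feature":
            cfg["features"].add(el.get("name"))
        elif el.tag == "unavailable-feature":
            cfg["unavailable_features"].add(el.get("name"))
        elif el.tag in PACKAGE_EXEMPTIONS:
            cfg["exemptions"][el.tag].append(el.get("package"))
        elif el.tag == "allow-association":
            cfg["associations"].append((el.get("target"), el.get("allowed")))
        elif el.tag == "allow-implicit-broadcast":
            cfg["implicit_broadcasts"].append(el.get("action"))
    return cfg


def exemptions_by_package(cfg):
    """Invert the exemptions map: package -> sorted list of exemption elements."""
    by_pkg = defaultdict(set)
    for tag, pkgs in cfg["exemptions"].items():
        for pkg in pkgs:
            by_pkg[pkg].add(tag)
    return {pkg: sorted(tags) for pkg, tags in by_pkg.items()}


def most_privileged(cfg, min_exemptions=3):
    """Packages holding at least min_exemptions distinct exemptions: audit these first."""
    return sorted(pkg for pkg, tags in exemptions_by_package(cfg).items()
                  if len(tags) >= min_exemptions)


if __name__ == "__main__":
    config = parse_sysconfig(SAMPLE_SYSCONFIG)
    for pkg, tags in sorted(exemptions_by_package(config).items()):
        print(f"{pkg}: {', '.join(tags)}")
    print("most privileged:", most_privileged(config))
```

On a real device, feed it each file from `adb shell ls /system/etc/sysconfig /system/etc/permissions /vendor/etc/permissions ...` in turn; the per-package inversion is what makes a vendor "sync" package that is simultaneously exempt from Doze, Data Saver and location throttling stand out.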
Chapter 13: Thanks to the wonder of writing in HTML, the Google Pixel Powerstats coverage wasn't printed:
Google documents the IPowerStats.hal in the Source site[psh], and its AIDL is similar. The implementation of the service for Pixel devices (android.hardware.power.stats@1.0-service.pixel) can be found in open source.[psp] Rails data is collected from /sys/bus/iio/devices/iio:device#, and the service recognizes the following power entities:
Table 13/5-3: The power entities defined by the Google Pixel powerstats implementation
References: As an appendix (which somehow got omitted
from the first print batch). Now in print and also online at this link
(11/09/2021)
v2.1
Preface:
BTC is down to $38k$50k$47k$55k $66k. Sheesh
Added a GREAT tip for starting ADB with env/startup options specified for
shell - Thanks to @KingOfPhp:
Chapter 1:
Added note: Bionic is also used outside Android (notably in the hardened GrapheneOS),
though Fuchsia's libc is derived from musl[musl].
Updated Figure 1-3/10 to reflect cases where the HIDL server doesn't access hardware directly, but rather through yet another vendor daemon (very popular, and I discuss it in II/8, but somehow the illustration didn't reflect it). So now it looks like this:
Chapter 2:
Updated Table 2/1-1 for ARMv9 launch (happened after v2.0.1 came out...)
Also added /dev/rpmsg_ctrl# - for Linux Remote Processor Messaging, used by QCom
2/4.1.1 - Google Devices (up to but not including Pixel 6) use
Qualcomm Chipsets
Added footnote for Huawei -
* - The US-imposed ban, along with a worldwide chip shortage in 2021, continues to take its toll on Huawei - its P50 line of phones not only uses the Qualcomm Snapdragon 888 chipset, but further ships without 5G capabilities. The phones ship with HarmonyOS 2.0.
Chapter 3:
Android 11 mandates that kernels not support debugfs. Somehow I missed that in the A11 release notes, but learned this the hard way trying to run bindump on a redfin (Pixel 5), which comes with A11 as stock. This breaks my bindump tool.
Note that packages.xml is now ABX! (also, @@TODO no <perms>
element)
Changed Table 5/4-1 (Standard directories created by Android on
SD-Cards) to an output
Output 5/1-2: The loop mounts of apexd - added ls -l
/sys/devices
(Thanks, Woody!)
Output 5/1-2: The loop mounts of apexd

#
# filter '@version' entries, differentiating from non-versioned bind mounts
#
flame:/ $ mount | grep loop | grep @
/dev/block/loop6 on /apex/com.android.cellbroadcast@300900702 type ext4 (ro,dirsync,seclabel,nodev,noatime)
..
/dev/block/loop27 on /apex/com.android.os.statsd@300900700 type ext4 (ro,dirsync,seclabel,nodev,noatime)
#
# The loop-mounted image can be found through the /sys filesystem
# (though this requires root)
#
flame:/ # cat /sys/devices/virtual/block/loop10/loop/backing_file
/system/apex/com.google.android.scheduling.apex
Chapter 6: Pixel 6[XL] and onward use FBPKv2
Chapter 9:
Added a table of the Binder default transactions I had originally set aside for Volume II/7, in place of the paragraph listing them (it made sense, now that 11.0 and 12.0 add even more):

Table 9/1-2-b: Default Transaction Codes supported by (almost) all Binder objects

Constant                      Value               Default Behavior
DUMP_TRANSACTION              _DMP (1598311760)   Requests full dump of service state to specified fd according to optional arguments. Used by dumpsys
INTERFACE_TRANSACTION         _NTF (1598968902)   Requests interface of service object behind handle. Expects UTF-16 interface name as reply
SHELL_COMMAND_TRANSACTION     _CMD (1598246212)   Command interface for /system/bin/cmd
SYSPROPS_TRANSACTION          _SPR (1599295570)   Deprecated: Calls libutils's report_sysprop_change() and any property callbacks
PING_TRANSACTION              _PNG (1599098439)   Null transaction ensuring service object is alive
EXTENSION_TRANSACTION         _EXT (1598380116)   11.0: Pass an extension BBinder for object
DEBUG_PID_TRANSACTION         _PID (1599097156)   11.0: Return service's process identifier (i.e. getpid())
SET_RPC_CLIENT_TRANSACTION    _RPC (1599230019)   12.0 (debug builds, #if BINDER_RPC_DEV_SERVERS): set socket FD
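The numeric values in the table are not arbitrary: each is the four characters packed big-endian into a 32-bit integer, which is what libbinder's B_PACK_CHARS() macro does, and it is why they sit far above the 0x00000001..0x00FFFFFF range an interface's own methods occupy. Because every BBinder answers these codes regardless of the interface it implements, a service's dump() and shell-command handlers are reachable from any client holding a handle, and the permission checks there are the service's own responsibility. The following added example (mine, not the book's or AOSP's code) derives the values rather than typing them in, so the table can be cross-checked, and classifies a raw code the way one would when reading a binder state dump; the names and four-character codes are those of the table above, nothing else is assumed.

```python
"""
Binder default transaction codes: four ASCII characters packed into a 32-bit
integer, first character in the most significant byte (B_PACK_CHARS semantics).
"""
import struct

# Constant -> four-character code, from Table 9/1-2-b.
DEFAULT_TRANSACTIONS = {
    "DUMP_TRANSACTION": "_DMP",
    "INTERFACE_TRANSACTION": "_NTF",
    "SHELL_COMMAND_TRANSACTION": "_CMD",
    "SYSPROPS_TRANSACTION": "_SPR",
    "PING_TRANSACTION": "_PNG",
    "EXTENSION_TRANSACTION": "_EXT",
    "DEBUG_PID_TRANSACTION": "_PID",
    "SET_RPC_CLIENT_TRANSACTION": "_RPC",
}

# Range reserved for an interface's own (AIDL-generated) methods,
# IBinder.FIRST_CALL_TRANSACTION .. IBinder.LAST_CALL_TRANSACTION.
FIRST_CALL_TRANSACTION = 0x00000001
LAST_CALL_TRANSACTION = 0x00FFFFFF


def pack_chars(code: str) -> int:
    """B_PACK_CHARS(c1, c2, c3, c4): big-endian packing of four ASCII characters."""
    if len(code) != 4 or not code.isascii():
        raise ValueError("a transaction code is exactly four ASCII characters")
    return struct.unpack(">I", code.encode("ascii"))[0]


def unpack_chars(value: int) -> str:
    """Inverse of pack_chars(); rejects values that are not printable ASCII."""
    text = struct.pack(">I", value & 0xFFFFFFFF).decode("ascii")
    if not text.isprintable():
        raise ValueError(f"{value:#010x} is not a packed character code")
    return text


# Numeric code -> constant name, computed once from the table.
CODE_TO_NAME = {pack_chars(chars): name for name, chars in DEFAULT_TRANSACTIONS.items()}


def describe_code(code: int) -> str:
    """Classify a raw transaction code as it appears in a binder state dump."""
    if code in CODE_TO_NAME:
        return CODE_TO_NAME[code]
    if FIRST_CALL_TRANSACTION <= code <= LAST_CALL_TRANSACTION:
        return f"interface method #{code}"
    try:
        return f"unknown packed code {unpack_chars(code)!r}"
    except (ValueError, UnicodeDecodeError):
        return f"unknown code {code:#010x}"


def table_values() -> dict:
    """Constant name -> numeric value, for comparison against the printed table."""
    return {name: pack_chars(chars) for name, chars in DEFAULT_TRANSACTIONS.items()}


if __name__ == "__main__":
    for name, value in table_values().items():
        print(f"{name:28} {DEFAULT_TRANSACTIONS[name]} ({value})")
    for raw in (1598311760, 7, 0xDEADBEEF):
        print(f"{raw:#010x}: {describe_code(raw)}")
```

A code that does not decode to four printable characters and is outside the method range is worth a second look when it shows up in a transaction: it is neither a default transaction nor a legitimate AIDL method index.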
Also emphasized that webview_zygote does not randomize its address space relative to other Zygote[64] instances.
Also added a footnote:
* - Using interfaces could ostensibly enable a design in which a single service endpoint could support multiple interfaces or
"personalities", though in practice Binder associates a single interface name
with an endpoint.
@TODO: I'll update Output 9/4-4 (Threads of system_server) for the new service threads in 12 once the dust settles
Added NativeTombstoneManager to the LocalServices table (9/5-4) (realized I had missed it earlier since it came in 11.0, but I now discuss tombstones in II/1):

c.a.s.os.NativeTombstoneManager    11.0: Manage tombstones and parse protobuf (.pb) tombstones (II/1)
Chapter 10: Added people service
Chapter 11:
In 2.4 (Task profiles), after 11/2-16:
On kernels which support it, libprocessgroup also adjusts /proc/pid/timerslack_ns, which helps coalesce task wakeups, conserving battery life.
In lmkd:
The daemon can thus adjust the "killability" of processes based on the activity state, or other factors (background threads, application services, etc). Google describes the considerations in the ActivityManagerService's
OOMAdjuster documentation.[ooma]
Added performance_hint details (IHintSession,
etc. and dumpsys performance_hint from a Pixel 6)
Chapter 12: android.hardware.dumpstate@1.1::IDumpstateDevice.hal is version 1.1
Chapter 13: (before 13/4-5, after mention of
msm_adreno_tz) added "… and other governors
in /sys/kernel/gpu/gpu_available_governor"
(thankfully very few) typos found by James H (thank you! - see below)
on page 291 paragraph 3, it is stated that "ps -t" on Android will list
Thread. Should be "-T"... (Thanks, John Zou!)
v2.2
10/25/2022
Book-wide: All refs to II/.. corrected with final chapter
numbers and some moved to "IV" (sorry...)
Chapter 1:
Android 13, obviously
Table 1/1-1 updated for September 2022, with statistics from Statista
Chapter 2:
Expanded with ARMv8.6/8.7 and ARMv9.x
Table 2/1-3 now has Snapdragon 8 Gen 1. Under ARM Cortex, three rows:

CPU part    Core Type
0xD46       Cortex-A510
0xD47       Cortex-A710
0xD48       Cortex-X2

Also made note under ARMv8.3, ARMv8.5 and ARMv8.6 that the first chipsets to support MTE (when enabled in the kernel) are the Snapdragon 8 Gen 1 and the Dimensity 9000
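The "CPU part" column is bits [15:4] of MIDR_EL1, which the kernel also exposes per core in /proc/cpuinfo together with the implementer, variant and revision fields. As an added example (mine, not from the book), the following decodes a raw MIDR value and a constructed /proc/cpuinfo excerpt, mapping the three part numbers above to their core names and picking out the cores that are ARMv9 parts. The field layout is the ARM architecture's; the part table is limited to the three rows above, and whether MTE is actually usable still depends on the SoC and kernel enabling it, as the note says.

```python
"""
Decode MIDR_EL1 fields (implementer, variant, architecture, part, revision)
and identify ARM Cortex cores by part number as reported in /proc/cpuinfo.
"""
import re

ARM_IMPLEMENTER = 0x41   # 'A'

# CPU part -> core, the three ARMv9 rows of Table 2/1-3. Nothing else assumed.
CORTEX_PARTS = {0xD46: "Cortex-A510", 0xD47: "Cortex-A710", 0xD48: "Cortex-X2"}
ARMV9_PARTS = set(CORTEX_PARTS)


def decode_midr(midr: int) -> dict:
    """Split a raw MIDR_EL1 value into its architecturally defined fields."""
    return {
        "implementer": (midr >> 24) & 0xFF,   # [31:24]
        "variant": (midr >> 20) & 0xF,        # [23:20]  (the 'r' in rNpM)
        "architecture": (midr >> 16) & 0xF,   # [19:16]  (0xF: see ID registers)
        "part": (midr >> 4) & 0xFFF,          # [15:4]
        "revision": midr & 0xF,               # [3:0]    (the 'p' in rNpM)
    }


def describe_core(fields: dict) -> str:
    """Human-readable core name plus rNpM stepping."""
    if fields["implementer"] != ARM_IMPLEMENTER:
        return f"non-ARM implementer {fields['implementer']:#04x}, part {fields['part']:#05x}"
    name = CORTEX_PARTS.get(fields["part"], f"unknown ARM part {fields['part']:#05x}")
    return f"{name} r{fields['variant']}p{fields['revision']}"


CPUINFO_RE = re.compile(r"^CPU (implementer|variant|part|revision)\s*:\s*(0x[0-9a-fA-F]+|\d+)$")


def parse_cpuinfo(text: str) -> list:
    """Group the per-core lines of an arm64 /proc/cpuinfo into one dict per processor."""
    cores, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("processor"):
            cur = {}
            cores.append(cur)
        elif cur is not None:
            m = CPUINFO_RE.match(line)
            if m:
                cur[m.group(1)] = int(m.group(2), 0)
    return cores


def armv9_cores(text: str) -> list:
    """Indexes (in /proc/cpuinfo order) of cores whose part is one of the ARMv9 parts above."""
    return [i for i, c in enumerate(parse_cpuinfo(text))
            if c.get("implementer") == ARM_IMPLEMENTER and c.get("part") in ARMV9_PARTS]


# Constructed sample in the arm64 /proc/cpuinfo layout (one A510, one X2).
SAMPLE_CPUINFO = """\
processor	: 0
BogoMIPS	: 49.15
CPU implementer	: 0x41
CPU architecture: 8
CPU variant	: 0x1
CPU part	: 0xd46
CPU revision	: 0

processor	: 7
BogoMIPS	: 49.15
CPU implementer	: 0x41
CPU architecture: 8
CPU variant	: 0x1
CPU part	: 0xd48
CPU revision	: 0
"""

if __name__ == "__main__":
    for i, core in enumerate(parse_cpuinfo(SAMPLE_CPUINFO)):
        midr = (core["implementer"] << 24) | (core["variant"] << 20) | (0xF << 16) \
               | (core["part"] << 4) | core["revision"]
        print(f"core {i}: {midr:#010x} -> {describe_core(decode_midr(midr))}")
    print("ARMv9 cores:", armv9_cores(SAMPLE_CPUINFO))
```

On a device, `adb shell cat /proc/cpuinfo` is the input; the same decoder applies to the raw MIDR_EL1 value a kernel log or a crash dump prints.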
Make note of
/vendor/bin/rebalance_interrupts-vendor in Pixel 6
Note Dimensity 9000 (just announced) and SnapDragon 8 Gen 1. Wen eta
Exynos? :-P
Chapter 3: EROFS - noted that some vendors (notably XiaoMi, with the Mi 12 filesystem images) have begun to follow in adoption, as has Google in 13.0 native phones for r/o filesystems
Chapter 4: Table 4/1-8: Added

uinput    11.0: Simulate input events with UHID
Chapter 5: Made note that several APEX bundles come from AOSP's packages/modules. Tie to II/1. Also noted "capex" in Android 13 DP1 (WHY, GOOGL, WHY? Unzipping a double signed payload wasn't enough??):
Android 12 (practically, 13) adds support for compressed APEX files[capex], identified by their .capex extension. As with normal APEX, these are ZIP files containing the manifest (in protobuf and XML form) as well as the apex_pubkey, with the original (i.e. normally archived but otherwise uncompressed) APEX deflated inside. This aims to reduce the space taken by /system/apex, under the assumption that the APEXes within it will inevitably be updated (and thus loaded from /data/apex, obviating the need for the pre-installed versions).
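Put together, Output 5/1-2 (the '@version' loop mounts and the backing_file sysfs node) and the capex note (updated APEXes being activated from /data/apex rather than /system/apex) give a quick integrity check: for each apex loop mount, where does its backing image live, and is it still read-only? The following added example (mine, not from the book or from apexd) parses constructed `mount` output modelled on the lines above, pairs each loop device with a constructed backing_file map (on a device, the live sysfs lookup shown here needs root), and flags anything backed from outside the pre-installed or /data/apex/active directories or mounted rw. The set of pre-installed directories and the exact /data/apex/active path are my assumptions.

```python
"""
Inventory apexd's '@version' loop mounts and classify each by backing image:
pre-installed partition APEX, updated APEX under /data/apex, or unexpected.
"""
import re
from pathlib import Path

MOUNT_RE = re.compile(
    r"^(?P<dev>/dev/block/loop\d+) on (?P<mnt>/apex/(?P<name>[^@/\s]+)@(?P<version>\d+)) "
    r"type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$"
)

# Constructed sample, modelled on Output 5/1-2; the last two lines are made up
# to exercise the "updated" and "unexpected" cases.
SAMPLE_MOUNT_OUTPUT = """\
/dev/block/loop6 on /apex/com.android.cellbroadcast@300900702 type ext4 (ro,dirsync,seclabel,nodev,noatime)
/dev/block/loop10 on /apex/com.google.android.scheduling@300900700 type ext4 (ro,dirsync,seclabel,nodev,noatime)
/dev/block/loop27 on /apex/com.android.os.statsd@300900700 type ext4 (ro,dirsync,seclabel,nodev,noatime)
/dev/block/loop28 on /apex/com.example.vendor.module@2 type ext4 (rw,dirsync,seclabel,nodev,noatime)
tmpfs on /apex type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,mode=755)
"""

# Constructed: what reading /sys/devices/virtual/block/loopN/loop/backing_file
# would return for each device (requires root on a device).
SAMPLE_BACKING_FILES = {
    "/dev/block/loop6": "/system/apex/com.android.cellbroadcast.apex",
    "/dev/block/loop10": "/system/apex/com.google.android.scheduling.apex",
    "/dev/block/loop27": "/data/apex/active/com.android.os.statsd@300900700.apex",
    "/dev/block/loop28": "/data/local/tmp/com.example.vendor.module.apex",
}

# Assumed set of partition directories apexd activates pre-installed APEXes from.
PREINSTALLED_DIRS = ("/system/apex/", "/system_ext/apex/", "/vendor/apex/", "/product/apex/")
UPDATED_DIR = "/data/apex/active/"   # assumed location of updated (staged) APEXes


def parse_apex_mounts(mount_output: str) -> list:
    """One dict per '@version' apex loop mount; bind mounts and tmpfs are skipped."""
    mounts = []
    for line in mount_output.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["version"] = int(d["version"])
            d["opts"] = d["opts"].split(",")
            mounts.append(d)
    return mounts


def read_backing_file(dev: str):
    """Live sysfs lookup (as in Output 5/1-2); None when unreadable (not root, not Linux)."""
    p = Path("/sys/devices/virtual/block") / Path(dev).name / "loop" / "backing_file"
    try:
        return p.read_text().strip()
    except OSError:
        return None


def classify_backing(path) -> str:
    if path is None:
        return "unknown"
    if path.startswith(PREINSTALLED_DIRS):
        return "preinstalled"
    if path.startswith(UPDATED_DIR):
        return "updated"
    return "unexpected"


def apex_report(mount_output: str, backing_files=None) -> list:
    """Summarise each apex mount; backing_files lets constructed data stand in for sysfs."""
    report = []
    for m in parse_apex_mounts(mount_output):
        backing = (backing_files.get(m["dev"]) if backing_files is not None
                   else read_backing_file(m["dev"]))
        origin = classify_backing(backing)
        findings = []
        if "ro" not in m["opts"]:
            findings.append("mounted read-write")
        if origin == "unexpected":
            findings.append("backing image outside apex directories")
        report.append({"name": m["name"], "version": m["version"], "dev": m["dev"],
                       "backing_file": backing, "origin": origin, "findings": findings})
    return report


def suspicious(report: list) -> list:
    """Names of APEXes with at least one finding."""
    return sorted(r["name"] for r in report if r["findings"])


if __name__ == "__main__":
    for r in apex_report(SAMPLE_MOUNT_OUTPUT, SAMPLE_BACKING_FILES):
        print(f"{r['name']}@{r['version']} {r['dev']} -> {r['backing_file']} [{r['origin']}] {r['findings']}")
```

Run it with the output of `adb shell mount` and no backing map (root shell) to take the live sysfs path; an "updated" result on a module you did not expect to be updated is exactly the kind of thing /data/apex is good at hiding from a glance at /system/apex.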
Chapter 9: Table 9/5-1 - added "attention" under
Application Services (yes, I know, it slipped my attention. meh). Also
corrected binder_calls_stats (erroneously listed as
"…call_stats" and mentioned twice in table..)
Chapter 10: Table 10/3-6 accidentally omitted "feature" - that's where PMS
gets its getSystemAvailableFeatures() AIDL method (which is noted below table)
Chapter 12: mention dumpstate logs in (/data/user_de/0/com.android.shell/files/bugreports)
Android 13 changes (ongoing list, before I integrate it into the next book update):
ARMv9 devices (SD 8 Gen 1, and 2022+ chipsets) can also support ARMv8.5 MTE. Made note about support in hardware and:
Android 13 native devices (late 2022) are expected to offer MTE (through ARMv9, and thus v8.5 compatible chipsets), and AOSP supports setting it through the bootloader, the android:memtagMode Manifest tag, and the arm64.memtag.process.* properties, as documented by Google [amte] and discussed in III.
Chapter 7: Added, after Listing 7/3-4:
Android 13 extends the misc_system_space_layout with a
misc_memtag_message, identifiable by its magic of 0x5afefe5a, to provide the ARMv8.5 MTE hint for the
OS, as discussed in III.
safety_center: [android.safetycenter.ISafetyCenterManager]
virtualdevice: [android.companion.virtual.IVirtualDeviceManager]
(EXCITING! - Either for Vol III or IV, not sure)
selection_toolbar: [android.view.selectiontoolbar.ISelectionToolbarManager]
ambient_context: snore/cough detection, really????
IGameService... (will go into IV)
IAttestationVerification[Manager]Service.aidl (will go into III)
Chapter 10: Added ISystemConfig to Table 10/3-7:

Table 10/3-7: The methods exposed by the android.os.ISystemConfig AIDL

Method                                        Notes
...                                           ...
int[] getSystemPermissionUids(perm)           12.0: Get UIDs holding perm
List getEnabledComponentOverrides(pkgName)    13.0: Get enabled component overrides (in pkgName)
Chapter 11: Added description of the tare ("The Android
Resource Economy") service with dumpsys and link to very detailed README.md in
sources
Chapter 12: ILogcatManagerService detail (too long to list
here)
*Sigh* Typos: (These don't get you the BTC bounty, but I still
appreciate them!)
Fixed in v2.0.2 (thanks to James H!):
Page 24, 3.9.2 (Androidisms), ASHMem bullet, second sentence, 'created' to 'create'
Page 24. 3.9.2 (Androidisms), ASHMem bullet, third sentence, 'require' to 'required'
page 87, 4.4 (debugfs), First paragraph, second sentence, sentence terminates without a complete thought: which (as with the other pseudo-filesystems)
page 113, 3 (/data), third bullet point, first sentence, 'but would greatly mitigating' to 'but would greatly mitigate'
page 164, 1 (Android Device Images), second paragraph, second sentence, 'OTA images are arrive at' to 'OTA images arrive at'
page 165, 1.1 (Factory Images), first paragraph, second sentence, 'All are all Qualcomm' to 'All are Qualcomm'
page 197, 1.3 (TrustZone/Hypervisor), second paragraph, first sentence, 'ennvironment' to 'environment'
page 198, 1.4.1 (Little Kernel), Apps bullet, first sentence, 'in a full kernel-drive OS' to 'in a full kernel driven OS'
page 214, 1 (The roles and responsibilities of init), first paragraph, second sentence, 'which read' to 'which reads'
page 236, 6 (Zygote), third paragraph, second sentence, 'suchlrequests' to 'such requests'
page 239, 7 (Android Daemons, at a glance), third paragraph, last sentence, 'so that the daemon be able to connect' to 'so that the daemon is able to connect'
page 250, 3 (The servicemanager), fourth paragraph, third sentence, 'to establishes' to 'to establish'
page 259, 5 (A bird's eye view of framework services), last paragraph, 'aims to tackles' to 'aims to tackle'
page 268, 1.2 (The user service), second paragraph, first line, 'inintially' to 'initially'
page 278, 3.3 (The settings service), last paragraph, first line, missing a parethesis
page 280, 3.5 (Server Configurable Flags), first paragraph, first line, 'especciallyl' to 'especially'
page 286, 1.2 (The cmdline and comm), second to last paragraph in experiment, second line, Mentions /lib64 for 32-bit apps.
page 293, 1.5.2 (Thread states and context switches), last paragraph, last sentence, 'The Zombies are also find peace' to 'The Zombies also find peace' [Aside: your description of Zombies was rather amusing]
page 339, 1.2 (DropBox), first paragraph, last sentence, extra comma at beginning of sentence and 'logs' to 'log' later in the sentence.
page 343, 2.13 (The shell interface), second paragraph, last sentence, 'manny' to 'many'
page 345, 2.16 (Output files), table 12/2-9, first row, @TODO entry? Intentional?
page 347, 2.4 (dumpstate/bugreport), second paragraph, second sentence, 'onsists' to 'consists'
page 391, 4.4 (Idle Governors), first paragraph of experiment section, missing a parenthesis
Volume II:
Output 4/3-2 (detailing app spawning by jtraceing Zygote)
somehow had the red-on-black misprinted, thus missing the Zygote arguments. Sorry about that. Here is
what it should look like:
Android 13 Changes for Vol II (again, running list, not yet in book)
@TODO: AMS's internal services (cacheinfo, processinfo, etc maybe need
their own detail? Not sure about that since they're really so basic)
@JavaDerive(equals = true, toString = true) AIDL annotation - e.g. Identity.aidl
Bionic, Chapter 2, on MTE:
MTE is supported by Bionic as of 12. As v2.2 of this book goes to print, Android 13 makes MTE support formal, adding it as a bootloader-provided option and/or a configurable system property. This remarkably not only catches up with Apple Silicon (which adopted ARMv8.3 PAC three years earlier), but also leaves it behind, as iOS 16 on the latest Apple chipset (A16) does not use MTE.
Chapter 5: Added update_lock (really minor service, but.. in the interest of catching 'em all..)
IPMS:
request[Package]Checksums (renamed),
getLaunchIntentSenderForPackage
make[Provider/Uid]Visible
grantImplicitAccess (removed)
canPackageQuery
boolean runBackgroundDexoptJob(in List packageNames); - removed