Android Open Source Project (AOSP)

[anitsh]

Resource

• [ ] https://en.wikipedia.org/wiki/Android_(operating_system)#AOSP
• [ ] https://www.androidauthority.com/aosp-explained-1093505
• [ ] https://lwn.net/Kernel/Index/#Android
• [ ] https://source.android.com/devices/architecture/kernel/generic-kernel-image
• [ ] https://www.androidcentral.com/aosp
• [ ] https://github.com/aosp-mirror
• [ ] https://opensource.googleblog.com/2020/11/welcome-android-open-source-project.html | https://www.infoq.com/news/2020/11/android-aosp-bazel
• [ ] https://www.theregister.com/2021/01/21/android_riscv_port | https://occ.t-head.cn/vendor/cpu/index?spm=a2cl5.14294226.0.0.6700df2098XZyN&id=3806788968558108672
• [ ] https://www.kaspersky.com/blog/triada-trojan/11481 | https://news.drweb.com/show/?i=11390&lng=en
• [ ] https://github.com/Genymobile/scrcpy
• [ ] https://github.com/secretsquirrel/the-backdoor-factory/ | https://tools.kali.org/exploitation-tools/shellnoob
• [ ] https://lwn.net/Articles/836693/ KVM for Android

112 Linux Kernel

[anitsh]

Framework

The main Android platform building blocks are:

Device hardware: Android runs on a wide range of hardware configurations including mobile phones, tablets, watches, automobiles, smart TVs, OTT gaming boxes, and set-top-boxes. Android is processor-agnostic, but it takes advantage of some hardware-specific security capabilities such as ARM eXecute-Never.

Android operating system: The core operating system is built on top of the Linux kernel. All device resources, like camera functions, GPS data, Bluetooth functions, telephony functions, and network connections are accessed through the operating system.

Android Application Runtime: Android apps are most often written in the Java programming language and run in the Android runtime (ART). However, many apps, including core Android services and apps, are native apps or include native libraries. Both ART and native apps run within the same security environment, contained within the Application Sandbox. Apps get a dedicated part of the file system in which they can write private data, including databases and raw files.

Android apps extend the core Android operating system. There are two primary sources for apps:

• Preinstalled apps: Android includes a set of preinstalled apps including phone, email, calendar, web browser, and contacts. These function as user apps and they provide key device capabilities that can be accessed by other apps. Preinstalled apps may be part of the open source Android platform, or they may be developed by a device manufacturer for a specific device.

• User-installed apps: Android provides an open development environment that supports any third-party app. Google Play offers users hundreds of thousands of apps.

• https://forum.xda-developers.com/android/general/info-android-device-partitions-basic-t3586565

• https://source.android.com/security

[anitsh]

Startup Process

PC Boot Process

Power Button Pressed
Power On Self Test (POST); identify the devices present and to report any problems
BIOS / UEFI
Necessary hardware initialization (keyboard, disk etc.)
Disk (MBR)
DOS Compatibility Region code (optional)
Bootloader
Active/boot partition (Boot sector)
Kernel
Initrd / initramfs (init)
Services/daemons/processes

Android Boot Process

There might be a single or multiple bootloaders (to give directions how to boot). For a typical android device (most common Qualcomm SoC / ARM processor), boot sequence is as follows:

1. BootROM (like BIOS on PC). It's integrated with SoC.
2. Processors, bootloaders
3. POST
4. SBL : Parallel loading related stuff from different partitions.
5. Application BootLoader (aboot) 5.1 Primary Boot Mode (if no Kernel detected or if bootloader/download mode key combination applied): Bootloader/Download Mode 5.2 Secondary boot
   • Kernel (hardware detection and populating /sys, /dev/ and /proc directories as the processes start) and initramfs (creating rootfs and other pseudo filesystems on rootfs):
     • Init (first process with PID "1". It initiates further loading of processes and daemons).
     • System / OS (ROM)
   • Recovery (if recovery mode key combination applied. It's a kernel with UI to perform basic troubleshooting operations)

Resource

• [ ] https://forum.xda-developers.com/android/general/info-boot-process-android-vs-linux-t3785254
• [ ] https://www.sitepoint.com/things-know-android-boot-recovery-images

[anitsh]

Bootloader

Bootloader is a piece of code that runs before any operating system is running. Bootloader are used to boot other operating systems, usually each operating system has a set of bootloaders specific for it. Bootloader is like BOIS to your computer. It is the first thing that runs when you boot up your Android device. It packages the instructions to boot operating system kernel.

"A bootloader is a vendor-proprietary image responsible for bringing up the kernel on a device. It guards the device state and is responsible for initializing the Trusted Execution Environment (TEE) and binding its root of trust. The bootloader is comprised of many things including splash screen. To start boot, the bootloader may directly flash a new image into an appropriate partition or optionally use recovery to start the reflashing process that will match how it is done for over-the-air (OTA). Some device manufacturers create multi-part bootloaders and then combine them into a single bootloader.img file. At flash time, the bootloader extracts the individual bootloaders and flashes them all." - Google

---

boot.img

Android specific format, that usually consists of the Linux kernel (in modern versions with a dtb appended) and the initramfs. This file gets flashed to the boot or recovery partition of the Android device.

Variations: Some old Samsung devices: boot.img is just a kernel with a baked in initramfs (more) qcdt: boot.img has a dtb appended (instead of appending it to the kernel, more)

dtb

The binary device tree (dtb), this is a file containing a description of the hardware in the device, since phones don't have discoverable busses like x86 platforms. These are created from dts files in the kernel repository and produce a file called zImage-dtb for some Android kernels (older Android kernels do not generate a dtb file at all and have hardcoded the information directly in the kernel source). In mainline kernels, dtb files for all supported boards are created at once.

Flat device tree (fdt). This is just another name for dtb[1]. unpackbootimg generates files ending in .fdt.

https://wiki.postmarketos.org/wiki/Glossary

---

https://source.android.com/devices/bootloader/images

Images

The bootloader relies upon the following images.

• Boot. These images contain a kernel and ramdisk image combined using an unmodified mkbootimg (for the implementation, refer to system/core/mkbootimg. The bootloader reads the bootimg.h header file generated by mkbootimg and updates the kernel header to contain the correct location and size of the ramdisk in flash, base address of the kernel, command line parameters, and more. The bootloader then appends the command line specified in the boot image to the end of the bootloader-generated command line.
• Kernel. These images use a standard Linux format (such as zImage, Image, or Image.gz) and can be flashed independently, combined with ramdisk images, flashed to the boot partition, or booted from memory. When creating kernel images, concatenated device-tree binaries are recommended (instead of a separate partition for the device tree). When using multiple device tree blobs (DTBs) for different board revisions, concatenate multiple DTBs in descending order of board revision.
• Ramdisk. These images contain a root file system suitable for mounting as a rootfs. They are combined with kernel images using mkbootfs then flashed into the boot partition.
• File system. These images include system, userdata, and recovery images and must use Yaffs2 format or sparse image format.

Resource

• [ ] https://source.android.com/devices/bootloader

[anitsh]

Android File System

• /system is the main Android directory for storing immutable components generated by the build of the AOSP. This includes native binaries, native libraries, framework packages, and stock apps. It’s usually mounted read-only from a separate image from the root file system, which is itself mounted from a RAM disk image.

  Android also includes many directories commonly found in any Linux system, such as /dev, /proc, /sys, /sbin, /root, /mnt, and /etc. These directories often serve similar if not identical purposes to the ones they serve on any Linux system, although they are very often trimmed down, as is the case of /sbin and /etc, and in some cases are empty, such as /root.

  More than 150 command-line utilities are scattered throughout Android’s root file system. /system/bin contains the majority of them, but some “extras” are in /system/xbin, and a handful are in /sbin.

• /sbin: In Linux, this would hold binaries essential to the system administrator. In Android, it contains only ueventd and adbd.

• /bin: All native binaries and daemons built as part of the AOSP. All modules built with BUILD_EXECUTABLE are here. The only exception is adbd, which has the LOCAL_MODULE_PATH set to /sbin and is therefore installed there instead.

• /xbin: “Extra” binaries generated by some of the packages that are built within the AOSP but aren’t essential to the system’s operation.

[anitsh]

Android Common Kernels

A device kernel is comprised of:

• Upstream: The Linux kernel from kernel.org
• AOSP: Additional Android-specific patches from AOSP common kernels
• Vendor: SoC and peripheral enablement and optimization patches from vendors
• OEM/device: Additional device drivers and customization

Resource

• [ ] https://source.android.com/devices/architecture/kernel/generic-kernel-image

[anitsh]

Fastboot

The fastboot protocol is a mechanism for communicating with bootloaders over USB or ethernet. It is designed to be very straightforward to implement, to allow it to be used across a wide range of devices and from hosts running Linux, macOS, or Windows.

https://android.googlesource.com/platform/system/core/+/master/fastboot

Fastboot can modify many of the system files on the phone for you. This can be a modification of the Operating System, the Kernel, or even the simple Splash Screen during your Startup. The possibilities are endless. However, for most of these changes, you’ll need to unlock your Bootloader first.

Some of the things which we can do with Fastboot: Unlocking your Bootloader. Flashing a Custom Recovery (Which is essential for flashing ROMs or rooting the device.) Flashing a Cellular Radio. Flashing a System Image. Flashing the Stock Firmware. Flash a Boot Image.

To use Fastboot, the android phone should be in a separate state which needs to be activated during the initial boot process. The best part about this mode is, you don’t need to have the operating system installed to access this mode. To make modifications to system level files, you’ll need to have an unlocked bootloader.

Commands

fastboot devices: List devices connected in Fastboot mode.

fastboot flash fastboot flash newfirmware.zip: to flash new firmware fastboot flash recovery twrp.img: to flash recovery images fastboot flash boot bootimage.img: The boot image contains the kernel of the device. Use the Fastboot Flash boot command to replace the stock kernel with a custom kernel of your choice. This command would replace the boot partition of the device. It might look simple, but could be risky if you flash a wrong boot image. There are chances that your device might not boot or might get stuck in a Bootloop. The only way to recover if you mess up with this would be flashing the stock boot image.

fastboot erase: Wipe data from different partitions on device. This command is generally used before flashing a new ROM, as it wipes the existing data and makes space for the new files to be written. This command deletes all your data from the partitions. Take a backup before you running it. fastboot erase system: To erase system partition fastboot erase boot: To erase boot partition fastboot erase cache: To erase cache partition fastboot erase userdata: To erase user data partition fastboot erase recovery: To erase recovery partition

fastboot format: Completely format the flash partitions. This will allocate new blocks of data to your device partition and that makes it different from fastboot erase. A full backup of device data is always recommended as it can wipe your entire data. fastboot format system: To format system partition fastboot format boot; To format boot partition fastboot format cache: To format cache partition fastboot format userdata: To format user data partition fastboot format recovery: To format recovery partition

Display given bootloader variable. fastboot getvar [NAME] fastboot getvar version fastboot getvar version-bootloader fastboot getvar version-baseband fastboot getvar version-cpld fastboot getvar version-microp fastboot getvar version-main fastboot getvar version-misc fastboot getvar serialno fastboot getvar imei fastboot getvar meid fastboot getvar product fastboot getvar platform fastboot getvar modelid fastboot getvar cidnum fastboot getvar battery-status fastboot getvar battery-voltage fastboot getvar partition-layout fastboot getvar security fastboot getvar build-mode fastboot getvar boot-mode fastboot getvar gencheckpt

fastboot oem: Original Equipment Manufacturer(oem) fastboot oem unlock: Unlock the bootloader. Running the unlock command in the command prompt will wipe your entire data on the phone. fastboot oem writecid fastboot oem writeimei fastboot oem get_identifier_token fastboot flash unlocktoken unlock_code.bin (for htc devices, learn more: at htcdev.com) fastboot oem unlock-go fastboot oem lock fastboot oem device-info preflash fastboot oem enable-charger-screen fastboot oem disable-charger-screen fastboot oem off-mode-charge fastboot oem select-display-panel fastboot oem bootlog fastboot oem getvar fastboot oem mmcinfo fastboot oem info fastboot oem securewipe https://forum.xda-developers.com/t/fastboot-oem-commands.2300654

Reboot fastboot reboot: To reboot your device. Will help you to boot your device normally to OS. On entering the reboot command you’ll be booting the system partition of your device. fastboot reboot-bootloader: To reboot your device to fastboot mode. Will take you back to bootloader mode followed by a reboot

[anitsh]

Android Debugging Bridge(adb)

adb is a versatile command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device. It is a client-server program that includes three components: A client, which sends commands. The client runs on your development machine. You can invoke a client from a command-line terminal by issuing an adb command. A daemon (adbd), which runs commands on a device. The daemon runs as a background process on each device. A server, which manages communication between the client and the daemon. The server runs as a background process on your development machine.

Commands

adb devices: List of devices that are attached to your computer with their serial number. This command is generally used by people to check if the ADB on PC is being able to communicate with the device. If you get a response with your device and serial number, it means that your device is properly connected and you could execute other adb commands as well.

adb help

adb connect ip-address : Connect ADB over Wi-Fi

adb root/unroot: Elevate user as root or disable as root.

adb start-server/kill-server : Start or stop ADB server. At first start-server happens in the background.

adb instal/luninstall: Install/Uninstall APKs on your phone

adb reboot: Generally used after unlocking the bootloader or flashing a recovery. adb reboot bootloader: Boot device into “Bootloader mode” or “Fastboot mode”. adb reboot recovery: Boot device into recovery mode.

adb get-state: get the current state of your device adb get-devpath : Help ADB on your PC find out the path of ADB on device.

adb sideload %.zip FILE PATH%: Flash the over-the-air (OTA) zips on your device and upgrade.

adb remount: Helps adb to remount the /system, /oem, and /vendor partitions in read-write mode on your device.

adb push %SOURCE PATH% %DESTINATION PATH% : Push file to device adb pull %SOURCE PATH% %DESTINATION PATH% : Get file from the device

adb sync: Synchronize data between computer and device if the same data has been modified in PC. By default, the command will synchronize /data and /system files. For the command to operate properly, a system variable $ANDROID_PRODUCT_OUT must be created and defined, i.e. $ANDROID_PRODUCT_OUT=/out/target/device/oneplus3. adb sync is commonly used when you build a ROM from Android platform source. So mostly it’s the ROM developers that will be using this command.

adb backup/restore %Path to backup file name%: Take entire backup of your device. Stores as backup.adb by default. Options:

• apk : backup of all the installed APKs
• shared : backup of the external storage device as well
• all option to backup all the files, however, using -all won’t backup the APKs adb restore .apk from the path.

adb forward %local port% %remote port%; Port forwarding. adb forward tcp:8080 tcp:9000 adb reverse %device port% %host port%: It is basically the opposite of adb forward. It allows you to forward ports from your device to the host.

adb logcat > %PATH WHERE YOU WANT TO STORE THE LOG% : Save log in .txt. Logs can be useful for OEM or ROM developer. adb bugreport %PATH where you want to save the report%: Just like adb logcat, this command is also used for debugging. A bug report output will have device logs, stack traces, and other diagnostic information to help you find and fix bugs.

adb shell or : Execute Linux commands

• adb shell: Login to Linux shell
• pm list packages: List packages. Limit search with | findstr "fdroid" or grep or other Linux commands.
• screencap -p "/path/to/screenshot.png": Take screenshot
• screenrecord "/path/to/record.mp4"

adb enable-verity/disable-verity dm-verity is a security measure to check the integrity of your device. disable-verity will disable dm-verity protection which lives in the kernel. These commands are generally used by ROM developers for user debug builds.

adb keygen %filename%: Creates an adb public/private key pair in a user-specified file. This is also used to create new adb keys or rotate existing keys. RSA key pair is needed when we use adb to connect using USB for the first time. You have to accept the host computer’s RSA key to explicitly grant ADB access to the device. The extension of the file name is generally .pub.