Android recovery 系统

  • 格式:docx
  • 大小:135.78 KB
  • 文档页数:8

Android recovery 系统(转载)Android Recovery模式(muddogxp 原创,转载请注明)Recovery简介Android利用Recovery模式,进行恢复出厂设置,OTA升级,patch升级及firmware升级。

升级一般通过运行升级包中的META-INF/com/google/android/update-script脚本来执行自定义升级,脚本中是一组recovery系统能识别的UI控制,文件系统操作命令,例如write_raw_image(写FLASH分区),copy_dir (复制目录)。

该包一般被下载至SDCARD和CACHE分区下。

如果对该包内容感兴趣,可以从/showthread.php?t=442480下载JF升级包来看看。

升级中还涉及到包的数字签名,签名方式和普通JAR文件签名差不错。

公钥会被硬编译入recovery,编译时生成在:out/target/product/XX/obj/PACKAGING/ota_keys_inc_intermediates/keys.incG1中的三种启动模式MAGIC KEY:∙camera + power:bootloader模式,ADP里则可以使用fastboot模式∙home + power:recovery模式∙正常启动Bootloader正常启动,又有三种方式,按照BCB(Bootloader Control Block, 下节介绍)中的command分类:∙command == 'boot-recovery' →启动recovery.img。

recovery模式∙command == 'update-radio/hboot' →更新firmware(bootloader)∙其他→启动boot.imgRecovery涉及到的其他系统及文件∙CACHE分区文件Recovery 工具通过NAND cache分区上的三个文件和主系统打交道。

主系统(包括恢复出厂设置和OTA升级)可以写入recovery所需的命令,读出recovery过程中的LOG和intent。

o/cache/recovery/command: recovery命令,由主系统写入。

所有命令如下:▪--send_intent=anystring - write the text out to recovery.intent▪--update_package=root:path - verify install an OTA package file▪--wipe_data - erase user data (and cache), then reboot▪--wipe_cache - wipe cache (but not user data), then rebooto/cache/recovery/log:recovery过程日志,由主系统读出o/cache/recovery/intent:recovery输出的intentMISC分区内容Bootloader Control Block (BCB) 存放recovery bootloader message。

结构如下:structbootloader_message {char command[32];char status[32]; // 未知用途char recovery[1024];};o command可以有以下两个值“boot-recovery”:标示recovery正在进行,或指示bootloader应该进入recovery mode“update-hboot/radio”:指示bootloader更新firmwareo recovery内容“recovery\n<recovery command>\n<recovery command>”其中recovery command为CACHE:/recovery/command命令两种Recovery Case∙FACTORY RESET(恢复出厂设置)1.用户选择“恢复出厂设置”2.设置系统将"--wipe_data"命令写入/cache/recovery/command3.系统重启,并进入recover模式(/sbin/recovery)4.get_args() 将 "boot-recovery"和"--wipe_data"写入BCB5.erase_root() 格式化(擦除)DATA分区6.erase_root() 格式化(擦除)CACHE分区7.finish_recovery() 擦除BCB8.重启系统∙OTA INSTALL(OTA升级)1.升级系统下载 OTA包到/cache/some-filename.zip2.升级系统写入recovery命令"--update_package=CACHE:some-filename.zip"3.重启,并进入recovery模式4.get_args() 将"boot-recovery" 和 "--update_package=..." 写入BCB5.install_package() 作升级6.finish_recovery() 擦除 BCB7.** 如果安装包失败 ** prompt_and_wait() 等待用户操作,选择ALT+S或ALT+W 升级或恢复出厂设置8.main() 调用 maybe_install_firmware_update()1.如果包里有hboot/radio的firmware则继续,否则返回2.将 "boot-recovery" 和 "--wipe_cache" 写入BCB3.将 firmware image写入cache分区4.将 "update-radio/hboot" 和 "--wipe_cache" 写入BCB5.重启系统6.bootloader自身更新firmware7.bootloader 将 "boot-recovery" 写入BCB8.erase_root() 擦除CACHE分区9.清除 BCB9.main() 调用 reboot() 重启系统Recovery模式流程/init → init.rc → /sbin/recovery →main():recovery.c∙ui_init():ui.c [UI initialize]o gr_init():minui/graphics.c [set tty0 to graphic mode, open fb0]o ev_init():minui/events.c [open /dev/input/event*]o res_create_surface:minui/resource.c [create surfaces for all bitmaps used later, include icons, bmps]o create 2 threads: progress/input_thread [create progress show and input event handler thread]∙get_args():recovery.co get_bootloader_message():bootloader.c [read mtdblock0(misc partition) 2nd page for commandline]o check if nandmisc partition has boot message. If yes, fill argc/argv.o If no, get arguments from /cache/recovery/command, and fill argc/argv.o set_bootloader_message():bootloader.c [set bootloader message back to mtdblock0]∙Parser argv[] filled above∙register_update_commands():commands.c [ register all commands with name and hook function ]o registerCommand():commands.c▪Register command with name, hook, type, cookie.▪Commands, e.g: assert, delete, copy_dir, symlink, write_raw_image.o registerFunction():commands.c▪Register function with name, hook, cookie.▪Function, e.g: get_mark, matches, getprop, file_contains∙install_package():o translate_root_path():roots.c [ "SYSTEM:lib" and turns it into a string like "/system/lib", translate the updater.zip path ]o mzOpenZipArchive():zip.c [ open updater.zip file (uncompass) ]o handle_update_package():install.c▪verify_jar_signature():verifier.c [ verify signature with keys.inc key; verify manifest and zip package archive ]▪verifySignature() [ verify the signature file: CERT.sf/rsa. ]▪digestEntry():verifier.c [ get SHA-1 digest of CERT.sf file ]▪RSA_verify(public key:keys.inc, signature:CERT.rsa, CERT.sf's digest):libc/rsa.c [ Verify a 2048 bit RSA PKCS1.5 signature against an expected SHA-1 hash. Use public key to decrypt the CERT.rsa to get original SHA digest, then compare to digest of CERT.sf ]▪verifyManifest() [ Get manifest SHA1-Digest from CERT.sf. Then do digest to MANIFEST.MF. Compare them ]▪verifyArchive() [ verify all the files in update.zip with digest listed in MANIFEST.MF ]▪find_update_script():install.c [ find META-INF/com/google/android/update-script updater script ]▪handle_update_script():install.c [ read cmds from script file, and do parser, exec ]▪parseAmendScript():amend.c [ call yyparse() to parse to command ]▪exeCommandList():install.c▪exeCommand():execute.c [ call command hook function ]∙erase DATA/CACHE partition∙prompt_and_wait():recovery.c [ wait for user input: 1) reboot 2) update.zip 3) wipe data ]o ui_key_xxx get ALT+x keyso1) do nothingo2) install_package('SDCARD:update.zip')o3) erase_root() → format_root_device() DATA/CACHE∙may_install_firmware_update():firmware.c [ remember_firmware_update() is called by write_hboot/radio_image command, it stores the bootloader image to CACHE partition, and writeupdate-hboot/radio command to MISC partition for bootloader message to let bootloader update itself after reboot ]o set_bootloader_message()o write_update_for_bootloader():bootloader.c [ write firmware image into CACHE partition with update_header, busyimage and failimage ]∙finish_recovery():recovery.c [ clear the recovery command and prepare to boot a (hopefully working) system, copy our log file to cache as well (for the system to read), and record any intent we were asked to communicate back to the system. ]∙reboot()Recovery模式流程图以下流程图绘制了系统从启动加载bootloader后的行为流程。