1 /*
2 * Copyright (C) 2007 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <ctype.h>
18 #include <dirent.h>
19 #include <errno.h>
20 #include <fcntl.h>
21 #include <getopt.h>
22 #include <inttypes.h>
23 #include <limits.h>
24 #include <linux/fs.h>
25 #include <linux/input.h>
26 #include <stdarg.h>
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <sys/klog.h>
31 #include <sys/stat.h>
32 #include <sys/types.h>
33 #include <sys/wait.h>
34 #include <time.h>
35 #include <unistd.h>
36
37 #include <algorithm>
38 #include <chrono>
39 #include <memory>
40 #include <string>
41 #include <vector>
42
43 #include <android-base/file.h>
44 #include <android-base/logging.h>
45 #include <android-base/parseint.h>
46 #include <android-base/properties.h>
47 #include <android-base/stringprintf.h>
48 #include <android-base/strings.h>
49 #include <android-base/unique_fd.h>
50 #include <bootloader_message/bootloader_message.h>
51 #include <cutils/android_reboot.h>
52 #include <cutils/properties.h> /* for property_list */
53 #include <healthd/BatteryMonitor.h>
54 #include <private/android_logger.h> /* private pmsg functions */
55 #include <private/android_filesystem_config.h> /* for AID_SYSTEM */
56 #include <selinux/android.h>
57 #include <selinux/label.h>
58 #include <selinux/selinux.h>
59 #include <ziparchive/zip_archive.h>
60
61 #include "adb_install.h"
62 #include "common.h"
63 #include "device.h"
64 #include "error_code.h"
65 #include "fuse_sdcard_provider.h"
66 #include "fuse_sideload.h"
67 #include "install.h"
68 #include "minadbd/minadbd.h"
69 #include "minui/minui.h"
70 #include "otautil/DirUtil.h"
71 #include "roots.h"
72 #include "rotate_logs.h"
73 #include "screen_ui.h"
74 #include "stub_ui.h"
75 #include "ui.h"
76
// Long options understood by recovery, in getopt_long() table form. Entries whose last field is
// a character also have that short-option value; entries whose last field is 0 (wipe_ab,
// wipe_package_size, prompt_and_wipe_data) have none. The all-null entry terminates the table.
static const struct option OPTIONS[] = {
    { "update_package", required_argument, nullptr, 'u' },
    { "retry_count", required_argument, nullptr, 'n' },
    { "wipe_data", no_argument, nullptr, 'w' },
    { "wipe_cache", no_argument, nullptr, 'c' },
    { "show_text", no_argument, nullptr, 't' },
    { "sideload", no_argument, nullptr, 's' },
    { "sideload_auto_reboot", no_argument, nullptr, 'a' },
    { "just_exit", no_argument, nullptr, 'x' },
    { "locale", required_argument, nullptr, 'l' },
    { "shutdown_after", no_argument, nullptr, 'p' },
    { "reason", required_argument, nullptr, 'r' },
    { "security", no_argument, nullptr, 'e' },
    { "wipe_ab", no_argument, nullptr, 0 },
    { "wipe_package_size", required_argument, nullptr, 0 },
    { "prompt_and_wipe_data", no_argument, nullptr, 0 },
    { nullptr, 0, nullptr, 0 },
};
95
// More bootreasons can be found in "system/core/bootstat/bootstat.cpp".
// NOTE(review): the code that consults this list is outside this excerpt; presumably these boot
// reasons get special handling - confirm against the caller.
static const std::vector<std::string> bootreason_blacklist {
    "kernel_panic",
    "Panic",
};

// Files under /cache that recovery exchanges with the main system (see the protocol comment
// below), plus scratch files under /tmp.
static const char *CACHE_LOG_DIR = "/cache/recovery";
static const char *COMMAND_FILE = "/cache/recovery/command";
static const char *LOG_FILE = "/cache/recovery/log";
static const char *LAST_INSTALL_FILE = "/cache/recovery/last_install";
static const char *LOCALE_FILE = "/cache/recovery/last_locale";
// Breadcrumb created by erase_volume() when /data is wiped with reason "convert_fbe".
static const char *CONVERT_FBE_DIR = "/tmp/convert_fbe";
static const char *CONVERT_FBE_FILE = "/tmp/convert_fbe/convert_fbe";
static const char *CACHE_ROOT = "/cache";
static const char *DATA_ROOT = "/data";
static const char *SDCARD_ROOT = "/sdcard";
// Logs of the current session; copy_logs() copies them to /cache and pmsg.
static const char *TEMPORARY_LOG_FILE = "/tmp/recovery.log";
static const char *TEMPORARY_INSTALL_FILE = "/tmp/last_install";
static const char *LAST_KMSG_FILE = "/cache/recovery/last_kmsg";
static const char *LAST_LOG_FILE = "/cache/recovery/last_log";
// We will try to apply the update package 5 times at most in case of an I/O error or
// bspatch | imgpatch error.
// NOTE(review): 4 presumably counts retries after the first attempt - confirm at the use site.
static const int RETRY_LIMIT = 4;
static const int BATTERY_READ_TIMEOUT_IN_SEC = 10;
// GmsCore enters recovery mode to install package when having enough battery
// percentage. Normally, the threshold is 40% without charger and 20% with charger.
// So we should check battery with a slightly lower limitation.
static const int BATTERY_OK_PERCENTAGE = 20;
static const int BATTERY_WITH_CHARGER_OK_PERCENTAGE = 15;
// List of partitions that wipe_ab_device() secure-wipes, one per line ('#' starts a comment).
static constexpr const char* RECOVERY_WIPE = "/etc/recovery.wipe";
static constexpr const char* DEFAULT_LOCALE = "en-US";
127
// Current locale; finish_recovery() saves it to LOCALE_FILE when it is non-empty.
static std::string locale;
// Whether a /cache partition is available. Every /cache access in this file is gated on it.
static bool has_cache = false;

// UI object used for all on-screen output and key input.
RecoveryUI* ui = nullptr;
// Set to true before a wipe starts; copy_logs() only rotates and saves logs when it is set.
bool modified_flash = false;
// Copied from the "stage" field of the bootloader control block by get_args().
std::string stage;
// Reason string; erase_volume() compares it against "convert_fbe".
const char* reason = nullptr;
// SELinux labelling handle passed to dirCreateHierarchy().
struct selabel_handle* sehandle;
136
137 /*
138 * The recovery tool communicates with the main system through /cache files.
139 * /cache/recovery/command - INPUT - command line for tool, one arg per line
140 * /cache/recovery/log - OUTPUT - combined log file from recovery run(s)
141 *
142 * The arguments which may be supplied in the recovery.command file:
143 * --update_package=path - verify and install an OTA package file
144 * --wipe_data - erase user data (and cache), then reboot
145 * --prompt_and_wipe_data - prompt the user that data is corrupt,
146 * with their consent erase user data (and cache), then reboot
147 * --wipe_cache - wipe cache (but not user data), then reboot
148 * --set_encrypted_filesystem=on|off - enables / disables encrypted fs
149 * --just_exit - do nothing; exit and reboot
150 *
151 * After completing, we remove /cache/recovery/command and reboot.
152 * Arguments may also be supplied in the bootloader control block (BCB).
153 * These important scenarios must be safely restartable at any point:
154 *
155 * FACTORY RESET
156 * 1. user selects "factory reset"
157 * 2. main system writes "--wipe_data" to /cache/recovery/command
158 * 3. main system reboots into recovery
159 * 4. get_args() writes BCB with "boot-recovery" and "--wipe_data"
160 * -- after this, rebooting will restart the erase --
161 * 5. erase_volume() reformats /data
162 * 6. erase_volume() reformats /cache
163 * 7. finish_recovery() erases BCB
164 * -- after this, rebooting will restart the main system --
165 * 8. main() calls reboot() to boot main system
166 *
167 * OTA INSTALL
168 * 1. main system downloads OTA package to /cache/some-filename.zip
169 * 2. main system writes "--update_package=/cache/some-filename.zip"
170 * 3. main system reboots into recovery
171 * 4. get_args() writes BCB with "boot-recovery" and "--update_package=..."
172 * -- after this, rebooting will attempt to reinstall the update --
173 * 5. install_package() attempts to install the update
174 * NOTE: the package install must itself be restartable from any point
175 * 6. finish_recovery() erases BCB
176 * -- after this, rebooting will (try to) restart the main system --
177 * 7. ** if install failed **
178 * 7a. prompt_and_wait() shows an error icon and waits for the user
179 * 7b. the user reboots (pulling the battery, etc) into the main system
180 */
181
// Opens |path| with stdio mode |mode|, mounting the volume that holds it first.
// Returns NULL when the volume cannot be mounted or when fopen() itself fails.
FILE* fopen_path(const char *path, const char *mode) {
    const bool mounted = (ensure_path_mounted(path) == 0);
    if (!mounted) {
        LOG(ERROR) << "Can't mount " << path;
        return NULL;
    }

    // For write/append modes, create the containing directory if necessary. The directories are
    // created with mode 0777 on purpose: the system (init.rc) is expected to reset the
    // permissions afterwards.
    // NOTE(review): confirm every directory that can be created here is covered by that reset,
    // since nothing in this function tightens the mode.
    const bool opens_for_writing = (strchr("wa", mode[0]) != NULL);
    if (opens_for_writing) {
        dirCreateHierarchy(path, 0777, NULL, 1, sehandle);
    }

    return fopen(path, mode);
}
196
// Flushes |fp| and fsyncs it, logs if the stream's error indicator is set, then closes the
// stream. |name| is only used in the log messages. The result of fclose() is not checked.
static void check_and_fclose(FILE *fp, const char *name) {
    fflush(fp);

    const int fd = fileno(fp);
    const bool synced = (fsync(fd) != -1);
    if (!synced) {
        PLOG(ERROR) << "Failed to fsync " << name;
    }

    const bool stream_failed = (ferror(fp) != 0);
    if (stream_failed) {
        PLOG(ERROR) << "Error in " << name;
    }

    fclose(fp);
}
208
// Returns the boolean value of the "ro.debuggable" system property, defaulting to false.
bool is_ro_debuggable() {
    const bool debuggable = android::base::GetBoolProperty("ro.debuggable", false);
    return debuggable;
}
212
// Requests a reboot by writing |command| to the ANDROID_RB_PROPERTY property. When the
// "ro.boot.quiescent" property is true, ",quiescent" is appended to the command first.
// Returns the result of setting the property.
bool reboot(const std::string& command) {
    const bool quiescent = android::base::GetBoolProperty("ro.boot.quiescent", false);
    const std::string full_command = quiescent ? command + ",quiescent" : command;
    return android::base::SetProperty(ANDROID_RB_PROPERTY, full_command);
}
220
// Redirects stdout and stderr of this process into a pipe that is drained by a forked logger
// child. The child appends every line to |filename|, prefixed with the number of seconds since
// the child started (steady clock). If the pipe or the fork cannot be created, stdout and
// stderr are reopened directly onto |filename| instead, without timestamps.
static void redirect_stdio(const char* filename) {
    // Traditional logging mode without timestamps. If these calls fail, there's not really
    // anywhere to complain...
    const auto log_without_timestamps = [filename]() {
        freopen(filename, "a", stdout);
        setbuf(stdout, NULL);
        freopen(filename, "a", stderr);
        setbuf(stderr, NULL);
    };

    int pipefd[2];
    if (pipe(pipefd) == -1) {
        PLOG(ERROR) << "pipe failed";
        log_without_timestamps();
        return;
    }

    const pid_t pid = fork();
    if (pid == -1) {
        PLOG(ERROR) << "fork failed";
        log_without_timestamps();
        return;
    }

    if (pid != 0) {
        // Parent: send stdout/stderr to the logger process. The read end is not used here.
        close(pipefd[0]);

        setbuf(stdout, nullptr);
        setbuf(stderr, nullptr);

        if (dup2(pipefd[1], STDOUT_FILENO) == -1) {
            PLOG(ERROR) << "dup2 stdout failed";
        }
        if (dup2(pipefd[1], STDERR_FILENO) == -1) {
            PLOG(ERROR) << "dup2 stderr failed";
        }

        // Both standard streams now refer to the pipe; the original descriptor can go.
        close(pipefd[1]);
        return;
    }

    // Child: the logger that actually writes to the log file. The write end is not used here.
    close(pipefd[1]);

    const auto logger_start = std::chrono::steady_clock::now();

    FILE* log_fp = fopen(filename, "ae");
    if (log_fp == nullptr) {
        PLOG(ERROR) << "fopen \"" << filename << "\" failed";
        close(pipefd[0]);
        _exit(EXIT_FAILURE);
    }

    FILE* pipe_fp = fdopen(pipefd[0], "r");
    if (pipe_fp == nullptr) {
        PLOG(ERROR) << "fdopen failed";
        check_and_fclose(log_fp, filename);
        close(pipefd[0]);
        _exit(EXIT_FAILURE);
    }

    char* line = nullptr;
    size_t capacity = 0;
    while (getline(&line, &capacity, pipe_fp) != -1) {
        const auto elapsed = std::chrono::steady_clock::now() - logger_start;
        const double seconds =
            std::chrono::duration_cast<std::chrono::duration<double>>(elapsed).count();
        const bool blank_line = (line[0] == '\n');
        if (blank_line) {
            fprintf(log_fp, "[%12.6lf]\n", seconds);
        } else {
            fprintf(log_fp, "[%12.6lf] %s", seconds, line);
        }
        // Flush after every line so the file is current if recovery stops abruptly.
        fflush(log_fp);
    }

    // getline() only stops on EOF or error; either way the logger has nothing left to do.
    PLOG(ERROR) << "getline failed";

    free(line);
    check_and_fclose(log_fp, filename);
    close(pipefd[0]);
    _exit(EXIT_FAILURE);
}
306
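// Builds the argument list for this recovery run. Arguments come from, in decreasing
// precedence:
//   - the actual command line
//   - the bootloader control block (one per line, after "recovery")
//   - the contents of COMMAND_FILE (one per line)
// As side effects, the global |stage| is set from the BCB and the chosen arguments (without
// args[0]) are written back into the BCB. Returns the arguments, with argv[0] in args[0].
static std::vector<std::string> get_args(const int argc, char** const argv) {
    CHECK_GT(argc, 0);

    bootloader_message boot = {};
    std::string err;
    if (!read_bootloader_message(&boot, &err)) {
        LOG(ERROR) << err;
        // If fails, leave a zeroed bootloader_message.
        boot = {};
    }

    // The BCB is raw data read from storage, so the stage field is not guaranteed to be
    // NUL-terminated. Bound the copy to the size of the field instead of trusting a terminator.
    stage = std::string(boot.stage, strnlen(boot.stage, sizeof(boot.stage)));

    if (boot.command[0] != 0) {
        std::string boot_command = std::string(boot.command, sizeof(boot.command));
        LOG(INFO) << "Boot command: " << boot_command;
    }

    if (boot.status[0] != 0) {
        std::string boot_status = std::string(boot.status, sizeof(boot.status));
        LOG(INFO) << "Boot status: " << boot_status;
    }

    std::vector<std::string> args(argv, argv + argc);

    // Moves every token in [first, last) into |args|, skipping empty and '\0'-filled tokens.
    const auto append_tokens = [&args](std::vector<std::string>::iterator first,
                                       std::vector<std::string>::iterator last) {
        for (auto it = first; it != last; ++it) {
            if (!it->empty() && (*it)[0] != '\0') args.push_back(std::move(*it));
        }
    };

    // --- if arguments weren't supplied, look in the bootloader control block
    if (args.size() == 1) {
        boot.recovery[sizeof(boot.recovery) - 1] = '\0';  // Ensure termination
        std::string boot_recovery(boot.recovery);
        std::vector<std::string> tokens = android::base::Split(boot_recovery, "\n");
        if (!tokens.empty() && tokens[0] == "recovery") {
            // tokens[0] is the "recovery" marker, not an argument.
            append_tokens(tokens.begin() + 1, tokens.end());
            LOG(INFO) << "Got " << args.size() << " arguments from boot message";
        } else if (boot.recovery[0] != 0) {
            LOG(ERROR) << "Bad boot message: \"" << boot_recovery << "\"";
        }
    }

    // --- if that doesn't work, try the command file (if we have /cache).
    if (args.size() == 1 && has_cache) {
        std::string content;
        if (ensure_path_mounted(COMMAND_FILE) == 0 &&
            android::base::ReadFileToString(COMMAND_FILE, &content)) {
            std::vector<std::string> tokens = android::base::Split(content, "\n");
            // All the arguments in COMMAND_FILE are needed (unlike the BCB message,
            // COMMAND_FILE doesn't use filename as the first argument).
            append_tokens(tokens.begin(), tokens.end());
            LOG(INFO) << "Got " << args.size() << " arguments from " << COMMAND_FILE;
        }
    }

    // Write the arguments (excluding the filename in args[0]) back into the
    // bootloader control block. So the device will always boot into recovery to
    // finish the pending work, until finish_recovery() is called.
    std::vector<std::string> options(args.cbegin() + 1, args.cend());
    if (!update_bootloader_message(options, &err)) {
        LOG(ERROR) << "Failed to set BCB message: " << err;
    }

    return args;
}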
377
// Writes an empty option list to the BCB so the device reboots back into recovery. The install
// from sdcard itself is not resumed by this. A failure is logged and otherwise ignored.
static void set_sdcard_update_bootloader_message() {
    std::string err;
    std::vector<std::string> no_options;
    const bool updated = update_bootloader_message(no_options, &err);
    if (updated) {
        return;
    }
    LOG(ERROR) << "Failed to set BCB message: " << err;
}
387
// Reads the whole kernel log buffer and writes it to |destination|. Failures to query or read
// the kernel log are logged and abort the copy; the result of the file write is not checked.
static void save_kernel_log(const char* destination) {
    const int klog_size = klogctl(KLOG_SIZE_BUFFER, 0, 0);
    if (klog_size <= 0) {
        PLOG(ERROR) << "Error getting klog size";
        return;
    }

    std::string contents(klog_size, '\0');
    const int bytes_read = klogctl(KLOG_READ_ALL, &contents[0], klog_size);
    if (bytes_read == -1) {
        PLOG(ERROR) << "Error in reading klog";
        return;
    }

    // Keep only what the kernel actually returned.
    contents.resize(bytes_read);
    android::base::WriteStringToFile(contents, destination);
}
405
// Writes |len| bytes of |buf| to the current pmsg session under the name |filename|, using the
// system log id at INFO priority. Returns whatever __android_log_pmsg_file_write() returns.
static ssize_t __pmsg_write(const char *filename, const char *buf, size_t len) {
    const ssize_t written =
        __android_log_pmsg_file_write(LOG_ID_SYSTEM, ANDROID_LOG_INFO, filename, buf, len);
    return written;
}
411
// Reads |source| into memory and writes it to pmsg under the name |destination|. Neither the
// read nor the write result is checked, so whatever ended up in the buffer is what is written.
static void copy_log_file_to_pmsg(const char* source, const char* destination) {
    std::string log_contents;
    android::base::ReadFileToString(source, &log_contents);

    const char* bytes = log_contents.c_str();
    const size_t byte_count = log_contents.length();
    __pmsg_write(destination, bytes, byte_count);
}
417
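// How much of the temp log we have copied to the copy in cache.
static off_t tmplog_offset = 0;

// Copies |source| into |destination|. With |append| set, copying starts at tmplog_offset (the
// end of the previous append) and the data is appended to |destination|; tmplog_offset is then
// advanced to the new end of |source|. Without |append|, |destination| is truncated and the
// whole of |source| is copied. A |source| that cannot be opened leaves an empty copy.
static void copy_log_file(const char* source, const char* destination, bool append) {
    FILE* dest_fp = fopen_path(destination, append ? "ae" : "we");
    if (dest_fp == nullptr) {
        PLOG(ERROR) << "Can't open " << destination;
        return;
    }

    FILE* source_fp = fopen(source, "re");
    if (source_fp != nullptr) {
        if (append) {
            fseeko(source_fp, tmplog_offset, SEEK_SET);  // Since last write
        }

        char buf[4096];
        size_t bytes;
        while ((bytes = fread(buf, 1, sizeof(buf), source_fp)) != 0) {
            fwrite(buf, 1, bytes, dest_fp);
        }

        if (append) {
            // ftello() returns -1 on failure. Storing that would make the next fseeko() fail,
            // so keep the previous offset in that case.
            const off_t end_offset = ftello(source_fp);
            if (end_offset == -1) {
                PLOG(ERROR) << "Failed to get offset of " << source;
            } else {
                tmplog_offset = end_offset;
            }
        }
        check_and_fclose(source_fp, source);
    }
    check_and_fclose(dest_fp, destination);
}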
444
// Saves the logs of the current session: always to pmsg, and to /cache when that partition
// exists. Does nothing unless this session tried to modify the flash.
static void copy_logs() {
    // We only rotate and record the log of the current session if there are
    // actual attempts to modify the flash, such as wipes, installs from BCB
    // or menu selections. This is to avoid unnecessary rotation (and
    // possible deletion) of log files, if it does not do anything loggable.
    if (!modified_flash) {
        return;
    }

    // Always write to pmsg, this allows the OTA logs to be caught in logcat -L
    copy_log_file_to_pmsg(TEMPORARY_LOG_FILE, LAST_LOG_FILE);
    copy_log_file_to_pmsg(TEMPORARY_INSTALL_FILE, LAST_INSTALL_FILE);

    // We can do nothing for now if there's no /cache partition.
    if (!has_cache) {
        return;
    }

    ensure_path_mounted(LAST_LOG_FILE);
    ensure_path_mounted(LAST_KMSG_FILE);
    rotate_logs(LAST_LOG_FILE, LAST_KMSG_FILE);

    // Copy logs to cache so the system can find out what happened.
    copy_log_file(TEMPORARY_LOG_FILE, LOG_FILE, true);
    copy_log_file(TEMPORARY_LOG_FILE, LAST_LOG_FILE, false);
    copy_log_file(TEMPORARY_INSTALL_FILE, LAST_INSTALL_FILE, false);
    save_kernel_log(LAST_KMSG_FILE);

    // The session log and the kernel log become readable by the system user only. The results
    // of chmod()/chown() are not checked.
    const auto restrict_to_system = [](const char* path) {
        chmod(path, 0600);
        chown(path, AID_SYSTEM, AID_SYSTEM);
    };
    restrict_to_system(LOG_FILE);
    restrict_to_system(LAST_KMSG_FILE);

    // last_log additionally allows group read; last_install is world-readable.
    chmod(LAST_LOG_FILE, 0640);
    chmod(LAST_INSTALL_FILE, 0644);

    sync();
}
480
// Ends the recovery session: saves the locale and the logs to /cache (for the system to read),
// clears the bootloader message and removes the command file, so the next boot goes to the
// (hopefully working) main system. This function is idempotent: call it as many times as you
// like.
static void finish_recovery() {
    // Save the locale to cache, so if recovery is next started up without a '--locale' argument
    // (e.g., directly from the bootloader) it will use the last-known locale.
    const bool should_save_locale = !locale.empty() && has_cache;
    if (should_save_locale) {
        LOG(INFO) << "Saving locale \"" << locale << "\"";
        if (ensure_path_mounted(LOCALE_FILE) != 0) {
            LOG(ERROR) << "Failed to mount " << LOCALE_FILE;
        } else if (!android::base::WriteStringToFile(locale, LOCALE_FILE)) {
            PLOG(ERROR) << "Failed to save locale to " << LOCALE_FILE;
        }
    }

    copy_logs();

    // Reset to normal system boot so recovery won't cycle indefinitely.
    std::string err;
    const bool bcb_cleared = clear_bootloader_message(&err);
    if (!bcb_cleared) {
        LOG(ERROR) << "Failed to clear BCB message: " << err;
    }

    // Remove the command file, so recovery won't repeat indefinitely.
    if (has_cache) {
        bool command_file_gone = false;
        if (ensure_path_mounted(COMMAND_FILE) == 0) {
            // A command file that never existed counts as removed.
            command_file_gone = (unlink(COMMAND_FILE) == 0) || (errno == ENOENT);
        }
        if (!command_file_gone) {
            LOG(WARNING) << "Can't unlink " << COMMAND_FILE;
        }
        ensure_path_unmounted(CACHE_ROOT);
    }

    sync();  // For good measure.
}
514
// In-memory copy of one log file, held by erase_volume() while /cache is being reformatted.
struct saved_log_file {
    // Full path of the file under CACHE_LOG_DIR.
    std::string name;
    // stat() result for the file; st_mode, st_uid and st_gid are reused when it is written back.
    struct stat sb;
    // File contents (erase_volume() keeps at most the first 512 KiB).
    std::string data;
};
520
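// Reformats |volume| and returns true when the format succeeded.
//
// When |volume| is /cache, the recovery logs ("/cache/recovery/last_*" and
// "/cache/recovery/log") are loaded into memory first and written back after the format, each
// truncated to 512 KiB. When |volume| is /data and the global |reason| is "convert_fbe", a
// breadcrumb file is created for the format step; if that breadcrumb cannot be created the
// volume is NOT formatted and false is returned, so callers never report a wipe that did not
// happen.
static bool erase_volume(const char* volume) {
    const bool is_cache = (strcmp(volume, CACHE_ROOT) == 0);
    const bool is_data = (strcmp(volume, DATA_ROOT) == 0);

    ui->SetBackground(RecoveryUI::ERASING);
    ui->SetProgressType(RecoveryUI::INDETERMINATE);

    std::vector<saved_log_file> log_files;

    if (is_cache) {
        // If we're reformatting /cache, we load any past logs
        // (i.e. "/cache/recovery/last_*") and the current log
        // ("/cache/recovery/log") into memory, so we can restore them after
        // the reformat.
        ensure_path_mounted(volume);

        std::unique_ptr<DIR, decltype(&closedir)> d(opendir(CACHE_LOG_DIR), closedir);
        if (d) {
            struct dirent* de;
            while ((de = readdir(d.get())) != nullptr) {
                const bool is_log =
                    strncmp(de->d_name, "last_", 5) == 0 || strcmp(de->d_name, "log") == 0;
                if (!is_log) continue;

                std::string path = android::base::StringPrintf("%s/%s", CACHE_LOG_DIR, de->d_name);

                // NOTE(review): stat() and fopen() follow symlinks, and the saved mode/uid/gid
                // are reapplied on restore - confirm that only trusted code can create entries
                // in CACHE_LOG_DIR.
                struct stat sb;
                if (stat(path.c_str(), &sb) != 0) continue;

                // truncate files to 512kb
                if (sb.st_size > (1 << 19)) {
                    sb.st_size = 1 << 19;
                }

                // The file can disappear or be unreadable between stat() and fopen(); skip it
                // rather than handing a null stream to fread().
                FILE* f = fopen(path.c_str(), "rbe");
                if (f == nullptr) {
                    PLOG(ERROR) << "Failed to open " << path;
                    continue;
                }

                std::string data(sb.st_size, '\0');
                const size_t bytes_read = fread(&data[0], 1, data.size(), f);
                fclose(f);
                // Keep only what was actually read, so a short read does not restore a file
                // padded with NUL bytes.
                data.resize(bytes_read);

                log_files.emplace_back(saved_log_file{ path, sb, data });
            }
        } else {
            if (errno != ENOENT) {
                PLOG(ERROR) << "Failed to opendir " << CACHE_LOG_DIR;
            }
        }
    }

    ui->Print("Formatting %s...\n", volume);

    ensure_path_unmounted(volume);

    int result;

    if (is_data && reason && strcmp(reason, "convert_fbe") == 0) {
        // Create convert_fbe breadcrumb file to signal to init
        // to convert to file based encryption, not full disk encryption
        if (mkdir(CONVERT_FBE_DIR, 0700) != 0) {
            ui->Print("Failed to make convert_fbe dir %s\n", strerror(errno));
            // Nothing has been formatted at this point: report failure.
            return false;
        }
        FILE* f = fopen(CONVERT_FBE_FILE, "wbe");
        if (!f) {
            ui->Print("Failed to convert to file encryption %s\n", strerror(errno));
            // Remove the directory again so a later attempt can recreate it, and report
            // failure because nothing has been formatted.
            rmdir(CONVERT_FBE_DIR);
            return false;
        }
        fclose(f);
        result = format_volume(volume, CONVERT_FBE_DIR);
        remove(CONVERT_FBE_FILE);
        rmdir(CONVERT_FBE_DIR);
    } else {
        result = format_volume(volume);
    }

    if (is_cache) {
        // Re-create the log dir and write back the log entries.
        if (ensure_path_mounted(CACHE_LOG_DIR) == 0 &&
            dirCreateHierarchy(CACHE_LOG_DIR, 0777, nullptr, false, sehandle) == 0) {
            for (const auto& log : log_files) {
                if (!android::base::WriteStringToFile(log.data, log.name, log.sb.st_mode,
                                                      log.sb.st_uid, log.sb.st_gid)) {
                    PLOG(ERROR) << "Failed to write to " << log.name;
                }
            }
        } else {
            PLOG(ERROR) << "Failed to mount / create " << CACHE_LOG_DIR;
        }

        // Any part of the log we'd copied to cache is now gone.
        // Reset the pointer so we copy from the beginning of the temp
        // log.
        tmplog_offset = 0;
        copy_logs();
    }

    return (result == 0);
}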
617
// Shows a menu built from 'headers' and 'items' and waits until an item is chosen. The device
// specific HandleMenuKey() may return a positive number beyond the given range; when the caller
// sets 'menu_only' to true, such direct actions are ignored so that only a menu item can be
// selected. 'initial_selection' is the initial cursor position. Returns the (non-negative)
// chosen item number, or -1 if waiting for input timed out.
static int get_menu_selection(const char* const* headers, const char* const* items, bool menu_only,
                              int initial_selection, Device* device) {
    // Throw away keys pressed previously, so user doesn't accidentally trigger menu items.
    ui->FlushKeys();

    ui->StartMenu(headers, items, initial_selection);

    int highlighted = initial_selection;
    for (;;) {
        const int key = ui->WaitKey();
        if (key == -1) {  // WaitKey() timed out.
            // Keep waiting if text has ever been shown; otherwise give up.
            if (ui->WasTextEverVisible()) {
                continue;
            }
            LOG(INFO) << "Timed out waiting for key input; rebooting.";
            ui->EndMenu();
            return -1;
        }

        const bool text_visible = ui->IsTextVisible();
        const int action = device->HandleMenuKey(key, text_visible);

        int chosen = -1;
        if (action >= 0) {
            // Non-negative actions name an item directly; honoured only outside menu-only mode.
            if (!menu_only) {
                chosen = action;
            }
        } else if (action == Device::kHighlightUp) {
            highlighted = ui->SelectMenu(--highlighted);
        } else if (action == Device::kHighlightDown) {
            highlighted = ui->SelectMenu(++highlighted);
        } else if (action == Device::kInvokeItem) {
            chosen = highlighted;
        }
        // Device::kNoAction and any other negative value: nothing to do.

        if (chosen >= 0) {
            ui->EndMenu();
            return chosen;
        }
    }
}
668
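// Lets the user browse |path| for a ".zip" file (case-insensitive), descending into
// subdirectories on request. Returns the path of the selected file, or an empty string when the
// user chose "../", the menu timed out, or the directory could not be opened.
static std::string browse_directory(const std::string& path, Device* device) {
    ensure_path_mounted(path.c_str());

    std::unique_ptr<DIR, decltype(&closedir)> d(opendir(path.c_str()), closedir);
    if (!d) {
        PLOG(ERROR) << "error opening " << path;
        return "";
    }

    std::vector<std::string> dirs;
    std::vector<std::string> zips = { "../" };  // "../" is always the first entry.

    dirent* de;
    while ((de = readdir(d.get())) != nullptr) {
        std::string name(de->d_name);

        if (de->d_type == DT_DIR) {
            // Skip "." and ".." entries.
            if (name == "." || name == "..") continue;
            dirs.push_back(name + "/");
        } else if (de->d_type == DT_REG && android::base::EndsWithIgnoreCase(name, ".zip")) {
            zips.push_back(name);
        }
    }

    std::sort(dirs.begin(), dirs.end());
    std::sort(zips.begin(), zips.end());

    // Append dirs to the zips list.
    zips.insert(zips.end(), dirs.begin(), dirs.end());

    // Null-terminated view of |zips| for the menu. The number of entries is decided by the
    // directory contents, so it is kept on the heap rather than in a variable-length stack
    // array.
    std::vector<const char*> entries;
    entries.reserve(zips.size() + 1);
    for (const std::string& entry : zips) {
        entries.push_back(entry.c_str());
    }
    entries.push_back(nullptr);

    const char* headers[] = { "Choose a package to install:", path.c_str(), nullptr };

    int chosen_item = 0;
    while (true) {
        chosen_item = get_menu_selection(headers, entries.data(), true, chosen_item, device);

        // get_menu_selection() returns -1 on timeout; never use that (or any other value
        // outside the list) as an index. Item 0 is "../": go up but continue browsing (if the
        // caller is browse_directory).
        if (chosen_item <= 0 || static_cast<size_t>(chosen_item) >= zips.size()) {
            return "";
        }

        const std::string& item = zips[chosen_item];
        std::string new_path = path + "/" + item;
        if (new_path.back() == '/') {
            // Recurse down into a subdirectory.
            new_path.pop_back();
            std::string result = browse_directory(new_path, device);
            if (!result.empty()) return result;
        } else {
            // Selected a zip file: return the path to the caller.
            return new_path;
        }
    }

    // Unreachable.
}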
733
// Asks a two-line question with a No/Yes menu ("No" is preselected). Returns true only when
// the user picks "Yes"; a timeout (-1) therefore counts as "No".
static bool yes_no(Device* device, const char* question1, const char* question2) {
    const char* headers[] = { question1, question2, NULL };
    const char* items[] = { " No", " Yes", NULL };

    const int kYesIndex = 1;
    const int answer = get_menu_selection(headers, items, true, 0, device);
    return answer == kYesIndex;
}
741
// Asks the user to confirm a data wipe. Returns true only on an explicit "Yes".
static bool ask_to_wipe_data(Device* device) {
    const bool confirmed = yes_no(device, "Wipe all user data?", " THIS CAN NOT BE UNDONE!");
    return confirmed;
}
745
// Wipes /data and, when present, /cache, with the device hooks run before and after. The steps
// run in order and stop at the first failure. Return true on success.
static bool wipe_data(Device* device) {
    modified_flash = true;

    ui->Print("\n-- Wiping data...\n");

    bool success = device->PreWipeData();
    if (success) {
        success = erase_volume("/data");
    }
    if (success && has_cache) {
        success = erase_volume("/cache");
    }
    if (success) {
        success = device->PostWipeData();
    }

    ui->Print("Data wipe %s.\n", success ? "complete" : "failed");
    return success;
}
759
// Tells the user that the system could not be loaded and offers a factory data reset. Returns
// the result of wipe_data() when the user confirms the reset, and true when the user picks
// anything else (or the menu times out): that is a plain reboot, not a failure.
static bool prompt_and_wipe_data(Device* device) {
    // Use a single string and let ScreenRecoveryUI handles the wrapping.
    const char* const headers[] = {
        "Can't load Android system. Your data may be corrupt. "
        "If you continue to get this message, you may need to "
        "perform a factory data reset and erase all user data "
        "stored on this device.",
        nullptr
    };
    const char* const items[] = {
        "Try again",
        "Factory data reset",
        NULL
    };
    const int kFactoryResetIndex = 1;

    while (true) {
        const int choice = get_menu_selection(headers, items, true, 0, device);
        if (choice != kFactoryResetIndex) {
            return true;  // Just reboot, no wipe; not a failure, user asked for it
        }
        // The wipe only runs after a second, explicit confirmation; otherwise ask again.
        const bool confirmed = ask_to_wipe_data(device);
        if (confirmed) {
            return wipe_data(device);
        }
    }
}
784
// Wipes /cache, optionally after asking the user to confirm. Return true on success; false
// when there is no /cache partition, the user declines, or the erase fails.
static bool wipe_cache(bool should_confirm, Device* device) {
    if (!has_cache) {
        ui->Print("No /cache partition found.\n");
        return false;
    }

    if (should_confirm) {
        const bool confirmed = yes_no(device, "Wipe cache?", " THIS CAN NOT BE UNDONE!");
        if (!confirmed) {
            return false;
        }
    }

    modified_flash = true;

    ui->Print("\n-- Wiping cache...\n");
    const bool erased = erase_volume("/cache");
    ui->Print("Cache wipe %s.\n", erased ? "complete" : "failed");
    return erased;
}
803
// Secure-wipe a given partition over its whole size. BLKSECDISCARD is tried first. If it
// fails, BLKDISCARD is used when the device reports (BLKDISCARDZEROES) that discarded blocks
// read back as zeroes, and BLKZEROOUT otherwise. Returns false if the partition cannot be
// opened, its size cannot be read (or is zero), or the fallback ioctl fails.
// NOTE(review): the two fallbacks act on the logical block range; whether the storage still
// holds the old data afterwards depends on the device - confirm for the hardware in use.
static bool secure_wipe_partition(const std::string& partition) {
    android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(partition.c_str(), O_WRONLY)));
    if (fd == -1) {
        PLOG(ERROR) << "Failed to open \"" << partition << "\"";
        return false;
    }

    // range[0] is the start offset, range[1] the length in bytes (filled in by BLKGETSIZE64).
    uint64_t range[2] = { 0, 0 };
    const bool size_known = (ioctl(fd, BLKGETSIZE64, &range[1]) != -1) && (range[1] != 0);
    if (!size_known) {
        PLOG(ERROR) << "Failed to get partition size";
        return false;
    }
    LOG(INFO) << "Secure-wiping \"" << partition << "\" from " << range[0] << " to " << range[1];

    LOG(INFO) << " Trying BLKSECDISCARD...";
    if (ioctl(fd, BLKSECDISCARD, &range) != -1) {
        LOG(INFO) << " Done";
        return true;
    }
    PLOG(WARNING) << " Failed";

    // Use BLKDISCARD if it zeroes out blocks, otherwise use BLKZEROOUT.
    unsigned int zeroes;
    const bool discard_zeroes = (ioctl(fd, BLKDISCARDZEROES, &zeroes) == 0) && (zeroes != 0);
    if (discard_zeroes) {
        LOG(INFO) << " Trying BLKDISCARD...";
        if (ioctl(fd, BLKDISCARD, &range) == -1) {
            PLOG(ERROR) << " Failed";
            return false;
        }
    } else {
        LOG(INFO) << " Trying BLKZEROOUT...";
        if (ioctl(fd, BLKZEROOUT, &range) == -1) {
            PLOG(ERROR) << " Failed";
            return false;
        }
    }

    LOG(INFO) << " Done";
    return true;
}
844
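// Check if the wipe package matches expectation:
// 1. verify the package.
// 2. check metadata (ota-type, pre-device and serial number if having one).
// The metadata is only parsed after verify_package() has accepted the package. Returns true
// when the package verifies, its ota-type is BRICK, its pre-device equals "ro.build.product"
// and, if it carries a serialno, that equals "ro.serialno".
static bool check_wipe_package(size_t wipe_package_size) {
    if (wipe_package_size == 0) {
        LOG(ERROR) << "wipe_package_size is zero";
        return false;
    }
    std::string wipe_package;
    std::string err_str;
    if (!read_wipe_package(&wipe_package, wipe_package_size, &err_str)) {
        PLOG(ERROR) << "Failed to read wipe package";
        // Report the detail handed back through |err_str| instead of dropping it.
        if (!err_str.empty()) {
            LOG(ERROR) << err_str;
        }
        return false;
    }
    if (!verify_package(reinterpret_cast<const unsigned char*>(wipe_package.data()),
                        wipe_package.size())) {
        LOG(ERROR) << "Failed to verify package";
        return false;
    }

    // Extract metadata
    ZipArchiveHandle zip;
    int err = OpenArchiveFromMemory(static_cast<void*>(&wipe_package[0]), wipe_package.size(),
                                    "wipe_package", &zip);
    if (err != 0) {
        LOG(ERROR) << "Can't open wipe package : " << ErrorCodeString(err);
        return false;
    }
    std::string metadata;
    const bool have_metadata = read_metadata_from_package(zip, &metadata);
    CloseArchive(zip);
    if (!have_metadata) {
        return false;
    }

    // Check metadata
    std::vector<std::string> lines = android::base::Split(metadata, "\n");
    bool ota_type_matched = false;
    bool device_type_matched = false;
    bool has_serial_number = false;
    bool serial_number_matched = false;
    for (const auto& line : lines) {
        if (line == "ota-type=BRICK") {
            ota_type_matched = true;
        } else if (android::base::StartsWith(line, "pre-device=")) {
            std::string device_type = line.substr(strlen("pre-device="));
            std::string real_device_type = android::base::GetProperty("ro.build.product", "");
            device_type_matched = (device_type == real_device_type);
        } else if (android::base::StartsWith(line, "serialno=")) {
            std::string serial_no = line.substr(strlen("serialno="));
            std::string real_serial_no = android::base::GetProperty("ro.serialno", "");
            has_serial_number = true;
            serial_number_matched = (serial_no == real_serial_no);
        }
    }
    // A serial number is optional, but when the package names one it has to match.
    return ota_type_matched && device_type_matched && (!has_serial_number || serial_number_matched);
}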
// Wipes the current A/B device by securely wiping every partition listed in RECOVERY_WIPE.
//
// Nothing is wiped unless check_wipe_package() accepts the wipe package first. RECOVERY_WIPE is
// read as one partition per line; empty lines and lines starting with '#' are skipped.
//
// Returns false when the package check fails or RECOVERY_WIPE cannot be read. Once wiping has
// started the result is always true: no outcome of secure_wipe_partition() is checked here, so
// this return value does not tell the caller whether every partition was actually wiped.
static bool wipe_ab_device(size_t wipe_package_size) {
  ui->SetBackground(RecoveryUI::ERASING);
  ui->SetProgressType(RecoveryUI::INDETERMINATE);

  const bool package_accepted = check_wipe_package(wipe_package_size);
  if (!package_accepted) {
    LOG(ERROR) << "Failed to verify wipe package";
    return false;
  }

  std::string wipe_list;
  const bool list_read = android::base::ReadFileToString(RECOVERY_WIPE, &wipe_list);
  if (!list_read) {
    LOG(ERROR) << "failed to read \"" << RECOVERY_WIPE << "\"";
    return false;
  }

  for (const std::string& raw_line : android::base::Split(wipe_list, "\n")) {
    std::string name = android::base::Trim(raw_line);
    // Skip blank lines and '#' comments.
    if (name.empty() || android::base::StartsWith(name, "#")) {
      continue;
    }

    // Best effort: keep going with the remaining partitions even if this one fails.
    secure_wipe_partition(name);
  }
  return true;
}
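// Lets the user pick one of the saved recovery logs from a menu and shows it on screen.
//
// With a cache partition, the menu lists LAST_LOG_FILE and LAST_KMSG_FILE plus their rotated
// ".N" copies (N < KEEP_LOG_COUNT) that can be mounted and read. Without one, it offers
// TEMPORARY_LOG_FILE only, and returns right away if that file is not readable. A "Back" entry
// ends the loop.
static void choose_recovery_file(Device* device) {
  std::vector<std::string> entries;
  if (has_cache) {
    for (int i = 0; i < KEEP_LOG_COUNT; i++) {
      auto add_to_entries = [&](const char* filename) {
        std::string log_file(filename);
        if (i > 0) {
          log_file += "." + std::to_string(i);
        }

        if (ensure_path_mounted(log_file.c_str()) == 0 && access(log_file.c_str(), R_OK) == 0) {
          entries.push_back(std::move(log_file));
        }
      };

      // Add LAST_LOG_FILE + LAST_LOG_FILE.x
      add_to_entries(LAST_LOG_FILE);

      // Add LAST_KMSG_FILE + LAST_KMSG_FILE.x
      add_to_entries(LAST_KMSG_FILE);
    }
  } else {
    // If cache partition is not found, view /tmp/recovery.log instead.
    if (access(TEMPORARY_LOG_FILE, R_OK) == -1) {
      return;
    }
    entries.push_back(TEMPORARY_LOG_FILE);
  }

  entries.push_back("Back");

  // The menu API takes a nullptr-terminated array of C strings. The pointers stay valid because
  // entries is not modified after this point.
  std::vector<const char*> menu_entries(entries.size());
  std::transform(entries.cbegin(), entries.cend(), menu_entries.begin(),
                 [](const std::string& entry) { return entry.c_str(); });
  menu_entries.push_back(nullptr);

  const char* headers[] = { "Select file to view", nullptr };

  int chosen_item = 0;
  while (true) {
    chosen_item = get_menu_selection(headers, menu_entries.data(), true, chosen_item, device);

    // prompt_and_wait() treats -1 as a possible result of get_menu_selection(). Using such a
    // value as an index would read outside entries, so leave the viewer instead.
    if (chosen_item < 0 || static_cast<size_t>(chosen_item) >= entries.size()) break;
    if (entries[chosen_item] == "Back") break;

    ui->ShowFile(entries[chosen_item].c_str());
  }
}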
// Cycles the recovery UI through its backgrounds, the three install stages and a progress bar,
// pausing between steps so each one can be checked by eye. The text display is hidden for the
// run and shown again at the end.
static void run_graphics_test() {
  // Leave the text log and go to the graphics screen.
  ui->ShowText(false);

  ui->SetProgressType(RecoveryUI::INDETERMINATE);
  // One second per background.
  for (auto background : { RecoveryUI::INSTALLING_UPDATE, RecoveryUI::ERROR,
                           RecoveryUI::NO_COMMAND, RecoveryUI::ERASING }) {
    ui->SetBackground(background);
    sleep(1);
  }

  // SetBackground() is called after SetStage() because that is what triggers the redraw.
  for (int stage_index = 1; stage_index <= 3; ++stage_index) {
    ui->SetStage(stage_index, 3);
    ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
    sleep(1);
  }

  ui->SetStage(-1, -1);
  ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);

  // Fill the progress bar in 100 steps of 100 ms each.
  ui->SetProgressType(RecoveryUI::DETERMINATE);
  ui->ShowProgress(1.0, 10.0);
  float fraction = 0.0;
  size_t step = 0;
  while (step < 100) {
    fraction += .01;
    ui->SetProgress(fraction);
    usleep(100000);
    ++step;
  }

  ui->ShowText(true);
}
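// How long (in seconds) we wait for the fuse-provided package file to
// appear, before timing out.
#define SDCARD_INSTALL_TIMEOUT 10

// Installs a package that the user picks from the SD card.
//
// The chosen file is served by a forked child through fuse; the parent waits for
// FUSE_SIDELOAD_HOST_PATHNAME to appear and hands that path to install_package().
//
// device     - passed to browse_directory() for the file picker.
// wipe_cache - forwarded to install_package(), which presumably reports through it whether the
//              package asks for a cache wipe (verify against install_package).
//
// Returns the install_package() result, or INSTALL_ERROR when the SD card cannot be mounted, no
// file is selected, the child cannot be started or exits early, or the package does not appear
// within SDCARD_INSTALL_TIMEOUT seconds. SDCARD_ROOT is unmounted again on every path after it
// was mounted.
static int apply_from_sdcard(Device* device, bool* wipe_cache) {
  modified_flash = true;

  if (ensure_path_mounted(SDCARD_ROOT) != 0) {
    ui->Print("\n-- Couldn't mount %s.\n", SDCARD_ROOT);
    return INSTALL_ERROR;
  }

  std::string path = browse_directory(SDCARD_ROOT, device);
  if (path.empty()) {
    ui->Print("\n-- No package file selected.\n");
    ensure_path_unmounted(SDCARD_ROOT);
    return INSTALL_ERROR;
  }

  ui->Print("\n-- Install %s ...\n", path.c_str());
  set_sdcard_update_bootloader_message();

  // We used to use fuse in a thread as opposed to a process. Since accessing
  // through fuse involves going from kernel to userspace to kernel, it leads
  // to deadlock when a page fault occurs. (Bug: 26313124)
  pid_t child = fork();
  if (child == -1) {
    // A failed fork() must stop here: -1 passed on to waitpid() or kill() would address every
    // process this one may signal, not one child.
    PLOG(ERROR) << "Failed to fork the fuse process";
    ensure_path_unmounted(SDCARD_ROOT);
    return INSTALL_ERROR;
  }
  if (child == 0) {
    bool status = start_sdcard_fuse(path.c_str());

    _exit(status ? EXIT_SUCCESS : EXIT_FAILURE);
  }

  // FUSE_SIDELOAD_HOST_PATHNAME will start to exist once the fuse in child
  // process is ready.
  int result = INSTALL_ERROR;
  int status = 0;
  bool waited = false;        // true once the child needs no further waitpid()
  bool status_valid = false;  // true once waitpid() has stored the child's status
  for (int i = 0; i < SDCARD_INSTALL_TIMEOUT; ++i) {
    pid_t reaped = waitpid(child, &status, WNOHANG);
    if (reaped == -1) {
      PLOG(ERROR) << "waitpid on the fuse process failed";
      result = INSTALL_ERROR;
      waited = true;
      break;
    }
    if (reaped == child) {
      // The child ended before the package showed up. It is already reaped, so it must be
      // neither signalled nor waited for again.
      result = INSTALL_ERROR;
      waited = true;
      status_valid = true;
      break;
    }

    struct stat sb;
    if (stat(FUSE_SIDELOAD_HOST_PATHNAME, &sb) == -1) {
      if (errno == ENOENT && i < SDCARD_INSTALL_TIMEOUT - 1) {
        sleep(1);
        continue;
      } else {
        LOG(ERROR) << "Timed out waiting for the fuse-provided package.";
        result = INSTALL_ERROR;
        kill(child, SIGKILL);
        break;
      }
    }

    result = install_package(FUSE_SIDELOAD_HOST_PATHNAME, wipe_cache,
                             TEMPORARY_INSTALL_FILE, false, 0/*retry_count*/);
    break;
  }

  if (!waited) {
    // Calling stat() on this magic filename signals the fuse
    // filesystem to shut down.
    struct stat sb;
    stat(FUSE_SIDELOAD_HOST_EXIT_PATHNAME, &sb);

    if (waitpid(child, &status, 0) == child) {
      status_valid = true;
    } else {
      PLOG(ERROR) << "waitpid on the fuse process failed";
    }
  }

  // Only look at status when waitpid() actually filled it in.
  if (status_valid && (!WIFEXITED(status) || WEXITSTATUS(status) != 0)) {
    LOG(ERROR) << "Error exit from the fuse process: " << WEXITSTATUS(status);
  }

  ensure_path_unmounted(SDCARD_ROOT);
  return result;
}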
// Shows the recovery menu and carries out the chosen items until one of them ends the session.
//
// Returns REBOOT, SHUTDOWN or REBOOT_BOOTLOADER when that was chosen (a menu selection of -1
// counts as REBOOT). Returns NO_ACTION when the caller should take its default, which is to
// reboot or shut down depending on whether --shutdown_after was passed to recovery.
//
// While the text display is not visible, WIPE_DATA runs without the ask_to_wipe_data()
// confirmation, and WIPE_DATA, WIPE_CACHE and a successful install return NO_ACTION right away.
static Device::BuiltinAction prompt_and_wait(Device* device, int status) {
  while (true) {
    finish_recovery();

    // The background reflects the result of the last operation.
    if (status == INSTALL_SUCCESS || status == INSTALL_NONE) {
      ui->SetBackground(RecoveryUI::NO_COMMAND);
    } else if (status == INSTALL_ERROR || status == INSTALL_CORRUPT) {
      ui->SetBackground(RecoveryUI::ERROR);
    }
    ui->SetProgressType(RecoveryUI::EMPTY);

    const int selection = get_menu_selection(nullptr, device->GetMenuItems(), false, 0, device);

    // Device-specific code may act on the selection itself. It may also hand back one of the
    // core actions, which the switch below carries out.
    Device::BuiltinAction action = Device::REBOOT;
    if (selection != -1) {
      action = device->InvokeMenuItem(selection);
    }

    bool cache_wipe_requested = false;
    switch (action) {
      case Device::NO_ACTION:
        break;

      case Device::REBOOT:
      case Device::SHUTDOWN:
      case Device::REBOOT_BOOTLOADER:
        return action;

      case Device::WIPE_DATA:
        if (!ui->IsTextVisible()) {
          // No text display: wipe without asking and leave the menu.
          wipe_data(device);
          return Device::NO_ACTION;
        }
        if (ask_to_wipe_data(device)) {
          wipe_data(device);
        }
        break;

      case Device::WIPE_CACHE:
        wipe_cache(ui->IsTextVisible(), device);
        if (!ui->IsTextVisible()) return Device::NO_ACTION;
        break;

      case Device::APPLY_ADB_SIDELOAD:
      case Device::APPLY_SDCARD: {
        const bool from_adb = (action == Device::APPLY_ADB_SIDELOAD);
        status = from_adb ? apply_from_adb(&cache_wipe_requested, TEMPORARY_INSTALL_FILE)
                          : apply_from_sdcard(device, &cache_wipe_requested);

        // A cache wipe that fails turns a successful install into an error.
        if (status == INSTALL_SUCCESS && cache_wipe_requested && !wipe_cache(false, device)) {
          status = INSTALL_ERROR;
        }

        if (status == INSTALL_SUCCESS) {
          if (!ui->IsTextVisible()) {
            return Device::NO_ACTION;  // reboot if logs aren't visible
          }
          ui->Print("\nInstall from %s complete.\n", from_adb ? "ADB" : "SD card");
        } else {
          ui->SetBackground(RecoveryUI::ERROR);
          ui->Print("Installation aborted.\n");
          copy_logs();
        }
        break;
      }

      case Device::VIEW_RECOVERY_LOGS:
        choose_recovery_file(device);
        break;

      case Device::RUN_GRAPHICS_TEST:
        run_graphics_test();
        break;

      case Device::MOUNT_SYSTEM: {
        // For a system image built with the root directory (i.e. system_root_image == "true"),
        // we mount it to /system_root, and symlink /system to /system_root/system to make adb
        // shell work (the symlink is created through the build system). (Bug: 22855115)
        const int mount_result =
            android::base::GetBoolProperty("ro.build.system_root_image", false)
                ? ensure_path_mounted_at("/", "/system_root")
                : ensure_path_mounted("/system");
        if (mount_result != -1) {
          ui->Print("Mounted /system.\n");
        }
        break;
      }
    }
  }
}
// Callback handed to property_list(): writes one property to stdout as "key=value".
// The cookie argument is not used.
static void print_property(const char* key, const char* name, void* cookie) {
  (void)cookie;
  fprintf(stdout, "%s=%s\n", key, name);
}
// Reads the saved locale from LOCALE_FILE.
// Returns the file content with surrounding whitespace trimmed, or an empty string when the
// file's volume cannot be mounted or the file cannot be read (both cases are logged).
static std::string load_locale_from_cache() {
  const bool mounted = (ensure_path_mounted(LOCALE_FILE) == 0);
  if (!mounted) {
    LOG(ERROR) << "Can't mount " << LOCALE_FILE;
    return std::string();
  }

  std::string locale_text;
  if (android::base::ReadFileToString(LOCALE_FILE, &locale_text)) {
    return android::base::Trim(locale_text);
  }

  PLOG(ERROR) << "Can't read " << LOCALE_FILE;
  return std::string();
}
// printf-style output that goes to the recovery UI when one exists and to stdout otherwise.
// The message is formatted once into a string and then passed on as data ("%s" / fputs), so
// '%' characters in the formatted text are not interpreted a second time.
void ui_print(const char* format, ...) {
  va_list args;
  std::string text;
  va_start(args, format);
  android::base::StringAppendV(&text, format, args);
  va_end(args);

  if (ui == nullptr) {
    fputs(text.c_str(), stdout);
    return;
  }
  ui->Print("%s", text.c_str());
}
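// One letter per log severity, indexed by the severity's numeric value.
static constexpr char log_characters[] = "VDIWEF";

// Logger installed through android::base::InitLogging().
//
// Messages of severity ERROR and above are printed on the recovery UI when one exists. All
// other messages, and every message while there is no UI yet, go to stdout as
// "<letter>:<message>". The id, tag, file and line arguments are not used.
void UiLogger(android::base::LogId id, android::base::LogSeverity severity,
              const char* tag, const char* file, unsigned int line,
              const char* message) {
  if (severity >= android::base::ERROR && ui != nullptr) {
    ui->Print("E:%s\n", message);
    return;
  }

  // Clamp the index to the table. A severity past its last letter would otherwise pick up the
  // string's terminating NUL, or read outside the array. libbase appears to define more levels
  // than the six letters above; confirm against android-base/logging.h.
  constexpr size_t kLetterCount = sizeof(log_characters) - 1;
  const size_t index = static_cast<size_t>(severity);
  const char letter = log_characters[index < kLetterCount ? index : kLetterCount - 1];
  fprintf(stdout, "%c:%s\n", letter, message);
}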
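// Reports whether the battery holds enough charge to install a package.
//
// Returns true when the capacity is at least BATTERY_WITH_CHARGER_OK_PERCENTAGE while counted as
// charged, or at least BATTERY_OK_PERCENTAGE otherwise. Every status other than DISCHARGING and
// NOT_CHARGING counts as charged, and a capacity that cannot be read counts as 100.
static bool is_battery_ok() {
  struct healthd_config healthd_config = {
    .batteryStatusPath = android::String8(android::String8::kEmptyString),
    .batteryHealthPath = android::String8(android::String8::kEmptyString),
    .batteryPresentPath = android::String8(android::String8::kEmptyString),
    .batteryCapacityPath = android::String8(android::String8::kEmptyString),
    .batteryVoltagePath = android::String8(android::String8::kEmptyString),
    .batteryTemperaturePath = android::String8(android::String8::kEmptyString),
    .batteryTechnologyPath = android::String8(android::String8::kEmptyString),
    .batteryCurrentNowPath = android::String8(android::String8::kEmptyString),
    .batteryCurrentAvgPath = android::String8(android::String8::kEmptyString),
    .batteryChargeCounterPath = android::String8(android::String8::kEmptyString),
    .batteryFullChargePath = android::String8(android::String8::kEmptyString),
    .batteryCycleCountPath = android::String8(android::String8::kEmptyString),
    .energyCounter = NULL,
    .boot_min_cap = 0,
    .screen_on = NULL
  };
  healthd_board_init(&healthd_config);

  android::BatteryMonitor monitor;
  monitor.init(&healthd_config);

  int wait_second = 0;
  while (true) {
    int charge_status = monitor.getChargeStatus();
    // Treat unknown status as charged.
    bool charged = (charge_status != android::BATTERY_STATUS_DISCHARGING &&
                    charge_status != android::BATTERY_STATUS_NOT_CHARGING);
    android::BatteryProperty capacity;
    android::status_t status = monitor.getProperty(android::BATTERY_PROP_CAPACITY, &capacity);
    // ui_print() is variadic, so the argument type has to match "%lld" exactly; a 64-bit field
    // is not `long long` on every ABI, hence the cast.
    ui_print("charge_status %d, charged %d, status %d, capacity %lld\n", charge_status,
             charged, status, static_cast<long long>(capacity.valueInt64));
    // At startup, the battery drivers in devices like N5X/N6P take some time to load
    // the battery profile. Before the load finishes, it reports value 50 as a fake
    // capacity. BATTERY_READ_TIMEOUT_IN_SEC is set that the battery drivers are expected
    // to finish loading the battery profile earlier than 10 seconds after kernel startup.
    if (status == 0 && capacity.valueInt64 == 50) {
      if (wait_second < BATTERY_READ_TIMEOUT_IN_SEC) {
        sleep(1);
        wait_second++;
        continue;
      }
    }
    // If we can't read battery percentage, it may be a device without battery. In this
    // situation, use 100 as a fake battery percentage.
    if (status != 0) {
      capacity.valueInt64 = 100;
    }
    return (charged && capacity.valueInt64 >= BATTERY_WITH_CHARGER_OK_PERCENTAGE) ||
           (!charged && capacity.valueInt64 >= BATTERY_OK_PERCENTAGE);
  }
}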
// Writes the recovery arguments back through update_bootloader_message() with the retry
// counter advanced by one.
//
// Every argument that starts with "--retry_count" is dropped and one "--retry_count=N" with
// N = retry_count + 1 is appended, so the stored command carries a single counter. A failed
// write is logged and not reported to the caller.
static void set_retry_bootloader_message(int retry_count, const std::vector<std::string>& args) {
  std::vector<std::string> kept;
  kept.reserve(args.size() + 1);
  for (const std::string& candidate : args) {
    if (android::base::StartsWith(candidate, "--retry_count")) {
      continue;
    }
    kept.push_back(candidate);
  }

  // The new counter is the old one plus one.
  kept.push_back(android::base::StringPrintf("--retry_count=%d", retry_count + 1));

  std::string failure;
  if (update_bootloader_message(kept, &failure)) {
    return;
  }
  LOG(ERROR) << failure;
}
// Returns true when the ro.boot.bootreason property equals one of the entries of
// bootreason_blacklist, compared without regard to case. An unset or empty property never
// matches.
static bool bootreason_in_blacklist() {
  const std::string boot_reason = android::base::GetProperty("ro.boot.bootreason", "");
  if (boot_reason.empty()) {
    return false;
  }
  return std::any_of(std::begin(bootreason_blacklist), std::end(bootreason_blacklist),
                     [&boot_reason](const auto& blocked) {
                       return strcasecmp(blocked.c_str(), boot_reason.c_str()) == 0;
                     });
}
// Records an installation that was skipped before it started.
//
// Writes three lines to TEMPORARY_INSTALL_FILE: the package path, "0" as the install result and
// "error: <code>". The same text is sent to the log. update_package must not be null, because
// it is used to construct a std::string.
static void log_failure_code(ErrorCode code, const char *update_package) {
  std::string report(update_package);
  report += "\n0";  // install result
  report += "\nerror: " + std::to_string(code);

  const bool written = android::base::WriteStringToFile(report, TEMPORARY_INSTALL_FILE);
  if (!written) {
    PLOG(ERROR) << "failed to write " << TEMPORARY_INSTALL_FILE;
  }

  // Also write the info into last_log.
  LOG(INFO) << report;
}
// Entry point of the recovery binary.
//
// Order of work: set up logging, parse the recovery arguments, bring up the UI, run the one
// requested operation (install a package, wipe data, wipe cache, wipe an A/B device, sideload,
// or none), optionally show the menu, then reboot or shut down. The function ends in a pause()
// loop after requesting the reboot or shutdown.
int main(int argc, char **argv) {
  // We don't have logcat yet under recovery; so we'll print error on screen and
  // log to stdout (which is redirected to recovery.log) as we used to do.
  android::base::InitLogging(argv, &UiLogger);

  // Take last pmsg contents and rewrite it to the current pmsg session.
  static const char filter[] = "recovery/";
  // Do we need to rotate?
  bool doRotate = false;

  __android_log_pmsg_file_read(
      LOG_ID_SYSTEM, ANDROID_LOG_INFO, filter,
      logbasename, &doRotate);
  // Take action to refresh pmsg contents
  __android_log_pmsg_file_read(
      LOG_ID_SYSTEM, ANDROID_LOG_INFO, filter,
      logrotate, &doRotate);

  // If this binary is started with the single argument "--adbd",
  // instead of being the normal recovery binary, it turns into kind
  // of a stripped-down version of adbd that only supports the
  // 'sideload' command.  Note this must be a real argument, not
  // anything in the command file or bootloader control block; the
  // only way recovery should be run with this argument is when it
  // starts a copy of itself from the apply_from_adb() function.
  // The test below reads argv directly, before get_args() is called.
  if (argc == 2 && strcmp(argv[1], "--adbd") == 0) {
    minadbd_main();
    return 0;
  }

  time_t start = time(NULL);

  // redirect_stdio should be called only in non-sideload mode. Otherwise
  // we may have two logger instances with different timestamps.
  redirect_stdio(TEMPORARY_LOG_FILE);

  printf("Starting recovery (pid %d) on %s", getpid(), ctime(&start));

  load_volume_table();
  has_cache = volume_for_path(CACHE_ROOT) != nullptr;

  // getopt_long() wants mutable char* arguments; the pointers refer to the strings in args,
  // which stays alive and unmodified for the rest of main().
  std::vector<std::string> args = get_args(argc, argv);
  std::vector<char*> args_to_parse(args.size());
  std::transform(args.cbegin(), args.cend(), args_to_parse.begin(),
                 [](const std::string& arg) { return const_cast<char*>(arg.c_str()); });

  const char *update_package = NULL;
  bool should_wipe_data = false;
  bool should_prompt_and_wipe_data = false;
  bool should_wipe_cache = false;
  bool should_wipe_ab = false;
  size_t wipe_package_size = 0;
  bool show_text = false;
  bool sideload = false;
  bool sideload_auto_reboot = false;
  bool just_exit = false;
  bool shutdown_after = false;
  int retry_count = 0;
  bool security_update = false;

  int arg;
  int option_index;
  while ((arg = getopt_long(args_to_parse.size(), args_to_parse.data(), "", OPTIONS,
                            &option_index)) != -1) {
    switch (arg) {
      // NOTE(review): the ParseInt() result is not checked; on a malformed value retry_count
      // presumably keeps its initial 0 - confirm against android-base/parseint.h.
      case 'n': android::base::ParseInt(optarg, &retry_count, 0); break;
      case 'u': update_package = optarg; break;
      case 'w': should_wipe_data = true; break;
      case 'c': should_wipe_cache = true; break;
      case 't': show_text = true; break;
      case 's': sideload = true; break;
      case 'a': sideload = true; sideload_auto_reboot = true; break;
      case 'x': just_exit = true; break;
      case 'l': locale = optarg; break;
      case 'p': shutdown_after = true; break;
      case 'r': reason = optarg; break;
      case 'e': security_update = true; break;
      // Long options without a short letter are told apart by name.
      case 0: {
        std::string option = OPTIONS[option_index].name;
        if (option == "wipe_ab") {
          should_wipe_ab = true;
        } else if (option == "wipe_package_size") {
          // The ParseUint() result is not checked either. wipe_package_size starts at 0, and
          // check_wipe_package() refuses a size of 0.
          android::base::ParseUint(optarg, &wipe_package_size);
        } else if (option == "prompt_and_wipe_data") {
          should_prompt_and_wipe_data = true;
        }
        break;
      }
      // An unknown argument is logged and skipped; parsing goes on with the next one.
      case '?':
        LOG(ERROR) << "Invalid command argument";
        continue;
    }
  }

  // Locale precedence: command argument, then the file on the cache partition, then the
  // built-in default.
  if (locale.empty()) {
    if (has_cache) {
      locale = load_locale_from_cache();
    }

    if (locale.empty()) {
      locale = DEFAULT_LOCALE;
    }
  }

  printf("locale is [%s]\n", locale.c_str());
  printf("stage is [%s]\n", stage.c_str());
  // NOTE(review): reason is only assigned above when the 'r' option is present; its initial
  // value is defined outside this function - confirm it is never null here.
  printf("reason is [%s]\n", reason);

  // In quiescent mode, or when the device UI fails to initialize, a StubRecoveryUI is used.
  Device* device = make_device();
  if (android::base::GetBoolProperty("ro.boot.quiescent", false)) {
    printf("Quiescent recovery mode.\n");
    ui = new StubRecoveryUI();
  } else {
    ui = device->GetUI();

    if (!ui->Init(locale)) {
      printf("Failed to initialize UI, use stub UI instead.\n");
      ui = new StubRecoveryUI();
    }
  }

  // Set background string to "installing security update" for security update,
  // otherwise set it to "installing system update".
  ui->SetSystemUpdateText(security_update);

  // stage is expected in the form "<current>/<max>"; anything else is ignored.
  int st_cur, st_max;
  if (!stage.empty() && sscanf(stage.c_str(), "%d/%d", &st_cur, &st_max) == 2) {
    ui->SetStage(st_cur, st_max);
  }

  ui->SetBackground(RecoveryUI::NONE);
  if (show_text) ui->ShowText(true);

  // A missing file_contexts handle only produces a warning; recovery continues without it.
  sehandle = selinux_android_file_context_handle();
  selinux_android_set_sehandle(sehandle);
  if (!sehandle) {
    ui->Print("Warning: No file_contexts\n");
  }

  device->StartRecovery();

  // The full command line goes to stdout, which was redirected to TEMPORARY_LOG_FILE above.
  printf("Command:");
  for (const auto& arg : args) {
    printf(" \"%s\"", arg.c_str());
  }
  printf("\n\n");

  // Every property reported by property_list() is written to the same log, so the log holds
  // whatever identifiers are set as properties (ro.serialno is read elsewhere in this file).
  property_list(print_property, NULL);
  printf("\n");

  ui->Print("Supported API: %d\n", RECOVERY_API_VERSION);

  int status = INSTALL_SUCCESS;

  // Exactly one operation runs, picked in this order of precedence.
  if (update_package != NULL) {
    // It's not entirely true that we will modify the flash. But we want
    // to log the update attempt since update_package is non-NULL.
    modified_flash = true;

    if (!is_battery_ok()) {
      ui->Print("battery capacity is not enough for installing package, needed is %d%%\n",
                BATTERY_OK_PERCENTAGE);
      // Log the error code to last_install when installation skips due to
      // low battery.
      log_failure_code(kLowBattery, update_package);
      status = INSTALL_SKIPPED;
    } else if (bootreason_in_blacklist()) {
      // Skip update-on-reboot when bootreason is kernel_panic or similar
      ui->Print("bootreason is in the blacklist; skip OTA installation\n");
      log_failure_code(kBootreasonInBlacklist, update_package);
      status = INSTALL_SKIPPED;
    } else {
      status = install_package(update_package, &should_wipe_cache,
                               TEMPORARY_INSTALL_FILE, true, retry_count);
      // NOTE(review): the wipe_cache() result is ignored here, whereas the sideload and
      // wipe-cache paths below turn a failed wipe into INSTALL_ERROR - confirm this is intended.
      if (status == INSTALL_SUCCESS && should_wipe_cache) {
        wipe_cache(false, device);
      }
      if (status != INSTALL_SUCCESS) {
        ui->Print("Installation aborted.\n");
        // When I/O error happens, reboot and retry installation RETRY_LIMIT
        // times before we abandon this OTA update.
        if (status == INSTALL_RETRY && retry_count < RETRY_LIMIT) {
          copy_logs();
          set_retry_bootloader_message(retry_count, args);
          // Print retry count on screen.
          ui->Print("Retry attempt %d\n", retry_count);

          // Reboot and retry the update
          if (!reboot("reboot,recovery")) {
            ui->Print("Reboot failed\n");
          } else {
            // Wait here until the requested reboot takes effect.
            while (true) {
              pause();
            }
          }
        }
        // If this is an eng or userdebug build, then automatically
        // turn the text display on if the script fails so the error
        // message is visible.
        if (is_ro_debuggable()) {
          ui->ShowText(true);
        }
      }
    }
  } else if (should_wipe_data) {
    if (!wipe_data(device)) {
      status = INSTALL_ERROR;
    }
  } else if (should_prompt_and_wipe_data) {
    ui->ShowText(true);
    ui->SetBackground(RecoveryUI::ERROR);
    if (!prompt_and_wipe_data(device)) {
      status = INSTALL_ERROR;
    }
    ui->ShowText(false);
  } else if (should_wipe_cache) {
    if (!wipe_cache(false, device)) {
      status = INSTALL_ERROR;
    }
  } else if (should_wipe_ab) {
    // wipe_ab_device() checks the wipe package before it wipes anything.
    if (!wipe_ab_device(wipe_package_size)) {
      status = INSTALL_ERROR;
    }
  } else if (sideload) {
    // 'adb reboot sideload' acts the same as user presses key combinations
    // to enter the sideload mode. When 'sideload-auto-reboot' is used, text
    // display will NOT be turned on by default. And it will reboot after
    // sideload finishes even if there are errors. Unless one turns on the
    // text display during the installation. This is to enable automated
    // testing.
    if (!sideload_auto_reboot) {
      ui->ShowText(true);
    }
    status = apply_from_adb(&should_wipe_cache, TEMPORARY_INSTALL_FILE);
    if (status == INSTALL_SUCCESS && should_wipe_cache) {
      if (!wipe_cache(false, device)) {
        status = INSTALL_ERROR;
      }
    }
    ui->Print("\nInstall from ADB complete (status: %d).\n", status);
    if (sideload_auto_reboot) {
      ui->Print("Rebooting automatically.\n");
    }
  } else if (!just_exit) {
    // If this is an eng or userdebug build, automatically turn on the text display if no command
    // is specified. Note that this should be called before setting the background to avoid
    // flickering the background image.
    if (is_ro_debuggable()) {
      ui->ShowText(true);
    }
    status = INSTALL_NONE;  // No command specified
    ui->SetBackground(RecoveryUI::NO_COMMAND);
  }

  // Keep the error screen up for five seconds when there is no text display to read.
  if (status == INSTALL_ERROR || status == INSTALL_CORRUPT) {
    ui->SetBackground(RecoveryUI::ERROR);
    if (!ui->IsTextVisible()) {
      sleep(5);
    }
  }

  Device::BuiltinAction after = shutdown_after ? Device::SHUTDOWN : Device::REBOOT;
  // 1. If the recovery menu is visible, prompt and wait for commands.
  // 2. If the state is INSTALL_NONE, wait for commands. (i.e. In user build, manually reboot into
  //    recovery to sideload a package.)
  // 3. sideload_auto_reboot is an option only available in user-debug build, reboot the device
  //    without waiting.
  // 4. In all other cases, reboot the device. Therefore, normal users will observe the device
  //    reboot after it shows the "error" screen for 5s.
  if ((status == INSTALL_NONE && !sideload_auto_reboot) || ui->IsTextVisible()) {
    Device::BuiltinAction temp = prompt_and_wait(device, status);
    if (temp != Device::NO_ACTION) {
      after = temp;
    }
  }

  // Save logs and clean up before rebooting or shutting down.
  finish_recovery();

  switch (after) {
    case Device::SHUTDOWN:
      ui->Print("Shutting down...\n");
      android::base::SetProperty(ANDROID_RB_PROPERTY, "shutdown,");
      break;

    case Device::REBOOT_BOOTLOADER:
      ui->Print("Rebooting to bootloader...\n");
      android::base::SetProperty(ANDROID_RB_PROPERTY, "reboot,bootloader");
      break;

    default:
      ui->Print("Rebooting...\n");
      reboot("reboot,");
      break;
  }
  // Wait here until the requested shutdown or reboot takes effect.
  while (true) {
    pause();
  }
  // Should be unreachable.
  return EXIT_SUCCESS;
}