1 /*
2 * Copyright (C) 2007 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <ctype.h>
18 #include <dirent.h>
19 #include <errno.h>
20 #include <fcntl.h>
21 #include <getopt.h>
22 #include <inttypes.h>
23 #include <limits.h>
24 #include <linux/fs.h>
25 #include <linux/input.h>
26 #include <stdarg.h>
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <sys/klog.h>
31 #include <sys/stat.h>
32 #include <sys/types.h>
33 #include <sys/wait.h>
34 #include <time.h>
35 #include <unistd.h>
36
37 #include <algorithm>
38 #include <chrono>
39 #include <memory>
40 #include <string>
41 #include <vector>
42
43 #include <android-base/file.h>
44 #include <android-base/logging.h>
45 #include <android-base/parseint.h>
46 #include <android-base/properties.h>
47 #include <android-base/stringprintf.h>
48 #include <android-base/strings.h>
49 #include <android-base/unique_fd.h>
50 #include <bootloader_message/bootloader_message.h>
51 #include <cutils/android_reboot.h>
52 #include <cutils/properties.h> /* for property_list */
53 #include <health2/Health.h>
54 #include <private/android_filesystem_config.h> /* for AID_SYSTEM */
55 #include <private/android_logger.h> /* private pmsg functions */
56 #include <selinux/android.h>
57 #include <selinux/label.h>
58 #include <selinux/selinux.h>
59 #include <ziparchive/zip_archive.h>
60
61 #include "adb_install.h"
62 #include "common.h"
63 #include "device.h"
64 #include "fuse_sdcard_provider.h"
65 #include "fuse_sideload.h"
66 #include "install.h"
67 #include "minadbd/minadbd.h"
68 #include "minui/minui.h"
69 #include "otautil/DirUtil.h"
70 #include "otautil/error_code.h"
71 #include "roots.h"
72 #include "rotate_logs.h"
73 #include "screen_ui.h"
74 #include "stub_ui.h"
75 #include "ui.h"
76
77 static const struct option OPTIONS[] = {
78 { "update_package", required_argument, NULL, 'u' },
79 { "retry_count", required_argument, NULL, 'n' },
80 { "wipe_data", no_argument, NULL, 'w' },
81 { "wipe_cache", no_argument, NULL, 'c' },
82 { "show_text", no_argument, NULL, 't' },
83 { "sideload", no_argument, NULL, 's' },
84 { "sideload_auto_reboot", no_argument, NULL, 'a' },
85 { "just_exit", no_argument, NULL, 'x' },
86 { "locale", required_argument, NULL, 'l' },
87 { "shutdown_after", no_argument, NULL, 'p' },
88 { "reason", required_argument, NULL, 'r' },
89 { "security", no_argument, NULL, 'e'},
90 { "wipe_ab", no_argument, NULL, 0 },
91 { "wipe_package_size", required_argument, NULL, 0 },
92 { "prompt_and_wipe_data", no_argument, NULL, 0 },
93 { NULL, 0, NULL, 0 },
94 };
95
96 // More bootreasons can be found in "system/core/bootstat/bootstat.cpp".
97 static const std::vector<std::string> bootreason_blacklist {
98 "kernel_panic",
99 "Panic",
100 };
101
102 static const char *CACHE_LOG_DIR = "/cache/recovery";
103 static const char *COMMAND_FILE = "/cache/recovery/command";
104 static const char *LOG_FILE = "/cache/recovery/log";
105 static const char *LAST_INSTALL_FILE = "/cache/recovery/last_install";
106 static const char *LOCALE_FILE = "/cache/recovery/last_locale";
107 static const char *CONVERT_FBE_DIR = "/tmp/convert_fbe";
108 static const char *CONVERT_FBE_FILE = "/tmp/convert_fbe/convert_fbe";
109 static const char *CACHE_ROOT = "/cache";
110 static const char *DATA_ROOT = "/data";
111 static const char* METADATA_ROOT = "/metadata";
112 static const char *SDCARD_ROOT = "/sdcard";
113 static const char *TEMPORARY_LOG_FILE = "/tmp/recovery.log";
114 static const char *TEMPORARY_INSTALL_FILE = "/tmp/last_install";
115 static const char *LAST_KMSG_FILE = "/cache/recovery/last_kmsg";
116 static const char *LAST_LOG_FILE = "/cache/recovery/last_log";
117 // We will try to apply the update package 5 times at most in case of an I/O error or
118 // bspatch | imgpatch error.
119 static const int RETRY_LIMIT = 4;
120 static const int BATTERY_READ_TIMEOUT_IN_SEC = 10;
121 // GmsCore enters recovery mode to install package when having enough battery
122 // percentage. Normally, the threshold is 40% without charger and 20% with charger.
123 // So we should check battery with a slightly lower limitation.
124 static const int BATTERY_OK_PERCENTAGE = 20;
125 static const int BATTERY_WITH_CHARGER_OK_PERCENTAGE = 15;
126 static constexpr const char* RECOVERY_WIPE = "/etc/recovery.wipe";
127 static constexpr const char* DEFAULT_LOCALE = "en-US";
128
129 // We define RECOVERY_API_VERSION in Android.mk, which will be picked up by build system and packed
130 // into target_files.zip. Assert the version defined in code and in Android.mk are consistent.
131 static_assert(kRecoveryApiVersion == RECOVERY_API_VERSION, "Mismatching recovery API versions.");
132
133 static std::string locale;
134 static bool has_cache = false;
135
136 RecoveryUI* ui = nullptr;
137 bool modified_flash = false;
138 std::string stage;
139 const char* reason = nullptr;
140 struct selabel_handle* sehandle;
141
142 /*
143 * The recovery tool communicates with the main system through /cache files.
144 * /cache/recovery/command - INPUT - command line for tool, one arg per line
145 * /cache/recovery/log - OUTPUT - combined log file from recovery run(s)
146 *
147 * The arguments which may be supplied in the recovery.command file:
148 * --update_package=path - verify install an OTA package file
149 * --wipe_data - erase user data (and cache), then reboot
150 * --prompt_and_wipe_data - prompt the user that data is corrupt,
151 * with their consent erase user data (and cache), then reboot
152 * --wipe_cache - wipe cache (but not user data), then reboot
153 * --set_encrypted_filesystem=on|off - enables / diasables encrypted fs
154 * --just_exit - do nothing; exit and reboot
155 *
156 * After completing, we remove /cache/recovery/command and reboot.
157 * Arguments may also be supplied in the bootloader control block (BCB).
158 * These important scenarios must be safely restartable at any point:
159 *
160 * FACTORY RESET
161 * 1. user selects "factory reset"
162 * 2. main system writes "--wipe_data" to /cache/recovery/command
163 * 3. main system reboots into recovery
164 * 4. get_args() writes BCB with "boot-recovery" and "--wipe_data"
165 * -- after this, rebooting will restart the erase --
166 * 5. erase_volume() reformats /data
167 * 6. erase_volume() reformats /cache
168 * 7. finish_recovery() erases BCB
169 * -- after this, rebooting will restart the main system --
170 * 8. main() calls reboot() to boot main system
171 *
172 * OTA INSTALL
173 * 1. main system downloads OTA package to /cache/some-filename.zip
174 * 2. main system writes "--update_package=/cache/some-filename.zip"
175 * 3. main system reboots into recovery
176 * 4. get_args() writes BCB with "boot-recovery" and "--update_package=..."
177 * -- after this, rebooting will attempt to reinstall the update --
178 * 5. install_package() attempts to install the update
179 * NOTE: the package install must itself be restartable from any point
180 * 6. finish_recovery() erases BCB
181 * -- after this, rebooting will (try to) restart the main system --
182 * 7. ** if install failed **
183 * 7a. prompt_and_wait() shows an error icon and waits for the user
184 * 7b. the user reboots (pulling the battery, etc) into the main system
185 */
186
187 // Open a given path, mounting partitions as necessary.
fopen_path(const char * path,const char * mode)188 FILE* fopen_path(const char* path, const char* mode) {
189 if (ensure_path_mounted(path) != 0) {
190 LOG(ERROR) << "Can't mount " << path;
191 return nullptr;
192 }
193
194 // When writing, try to create the containing directory, if necessary. Use generous permissions,
195 // the system (init.rc) will reset them.
196 if (strchr("wa", mode[0])) {
197 mkdir_recursively(path, 0777, true, sehandle);
198 }
199 return fopen(path, mode);
200 }
201
202 // close a file, log an error if the error indicator is set
check_and_fclose(FILE * fp,const char * name)203 static void check_and_fclose(FILE *fp, const char *name) {
204 fflush(fp);
205 if (fsync(fileno(fp)) == -1) {
206 PLOG(ERROR) << "Failed to fsync " << name;
207 }
208 if (ferror(fp)) {
209 PLOG(ERROR) << "Error in " << name;
210 }
211 fclose(fp);
212 }
213
is_ro_debuggable()214 bool is_ro_debuggable() {
215 return android::base::GetBoolProperty("ro.debuggable", false);
216 }
217
reboot(const std::string & command)218 bool reboot(const std::string& command) {
219 std::string cmd = command;
220 if (android::base::GetBoolProperty("ro.boot.quiescent", false)) {
221 cmd += ",quiescent";
222 }
223 return android::base::SetProperty(ANDROID_RB_PROPERTY, cmd);
224 }
225
redirect_stdio(const char * filename)226 static void redirect_stdio(const char* filename) {
227 int pipefd[2];
228 if (pipe(pipefd) == -1) {
229 PLOG(ERROR) << "pipe failed";
230
231 // Fall back to traditional logging mode without timestamps.
232 // If these fail, there's not really anywhere to complain...
233 freopen(filename, "a", stdout); setbuf(stdout, NULL);
234 freopen(filename, "a", stderr); setbuf(stderr, NULL);
235
236 return;
237 }
238
239 pid_t pid = fork();
240 if (pid == -1) {
241 PLOG(ERROR) << "fork failed";
242
243 // Fall back to traditional logging mode without timestamps.
244 // If these fail, there's not really anywhere to complain...
245 freopen(filename, "a", stdout); setbuf(stdout, NULL);
246 freopen(filename, "a", stderr); setbuf(stderr, NULL);
247
248 return;
249 }
250
251 if (pid == 0) {
252 /// Close the unused write end.
253 close(pipefd[1]);
254
255 auto start = std::chrono::steady_clock::now();
256
257 // Child logger to actually write to the log file.
258 FILE* log_fp = fopen(filename, "ae");
259 if (log_fp == nullptr) {
260 PLOG(ERROR) << "fopen \"" << filename << "\" failed";
261 close(pipefd[0]);
262 _exit(EXIT_FAILURE);
263 }
264
265 FILE* pipe_fp = fdopen(pipefd[0], "r");
266 if (pipe_fp == nullptr) {
267 PLOG(ERROR) << "fdopen failed";
268 check_and_fclose(log_fp, filename);
269 close(pipefd[0]);
270 _exit(EXIT_FAILURE);
271 }
272
273 char* line = nullptr;
274 size_t len = 0;
275 while (getline(&line, &len, pipe_fp) != -1) {
276 auto now = std::chrono::steady_clock::now();
277 double duration = std::chrono::duration_cast<std::chrono::duration<double>>(
278 now - start).count();
279 if (line[0] == '\n') {
280 fprintf(log_fp, "[%12.6lf]\n", duration);
281 } else {
282 fprintf(log_fp, "[%12.6lf] %s", duration, line);
283 }
284 fflush(log_fp);
285 }
286
287 PLOG(ERROR) << "getline failed";
288
289 free(line);
290 check_and_fclose(log_fp, filename);
291 close(pipefd[0]);
292 _exit(EXIT_FAILURE);
293 } else {
294 // Redirect stdout/stderr to the logger process.
295 // Close the unused read end.
296 close(pipefd[0]);
297
298 setbuf(stdout, nullptr);
299 setbuf(stderr, nullptr);
300
301 if (dup2(pipefd[1], STDOUT_FILENO) == -1) {
302 PLOG(ERROR) << "dup2 stdout failed";
303 }
304 if (dup2(pipefd[1], STDERR_FILENO) == -1) {
305 PLOG(ERROR) << "dup2 stderr failed";
306 }
307
308 close(pipefd[1]);
309 }
310 }
311
312 // command line args come from, in decreasing precedence:
313 // - the actual command line
314 // - the bootloader control block (one per line, after "recovery")
315 // - the contents of COMMAND_FILE (one per line)
get_args(const int argc,char ** const argv)316 static std::vector<std::string> get_args(const int argc, char** const argv) {
317 CHECK_GT(argc, 0);
318
319 bootloader_message boot = {};
320 std::string err;
321 if (!read_bootloader_message(&boot, &err)) {
322 LOG(ERROR) << err;
323 // If fails, leave a zeroed bootloader_message.
324 boot = {};
325 }
326 stage = std::string(boot.stage);
327
328 if (boot.command[0] != 0) {
329 std::string boot_command = std::string(boot.command, sizeof(boot.command));
330 LOG(INFO) << "Boot command: " << boot_command;
331 }
332
333 if (boot.status[0] != 0) {
334 std::string boot_status = std::string(boot.status, sizeof(boot.status));
335 LOG(INFO) << "Boot status: " << boot_status;
336 }
337
338 std::vector<std::string> args(argv, argv + argc);
339
340 // --- if arguments weren't supplied, look in the bootloader control block
341 if (args.size() == 1) {
342 boot.recovery[sizeof(boot.recovery) - 1] = '\0'; // Ensure termination
343 std::string boot_recovery(boot.recovery);
344 std::vector<std::string> tokens = android::base::Split(boot_recovery, "\n");
345 if (!tokens.empty() && tokens[0] == "recovery") {
346 for (auto it = tokens.begin() + 1; it != tokens.end(); it++) {
347 // Skip empty and '\0'-filled tokens.
348 if (!it->empty() && (*it)[0] != '\0') args.push_back(std::move(*it));
349 }
350 LOG(INFO) << "Got " << args.size() << " arguments from boot message";
351 } else if (boot.recovery[0] != 0) {
352 LOG(ERROR) << "Bad boot message: \"" << boot_recovery << "\"";
353 }
354 }
355
356 // --- if that doesn't work, try the command file (if we have /cache).
357 if (args.size() == 1 && has_cache) {
358 std::string content;
359 if (ensure_path_mounted(COMMAND_FILE) == 0 &&
360 android::base::ReadFileToString(COMMAND_FILE, &content)) {
361 std::vector<std::string> tokens = android::base::Split(content, "\n");
362 // All the arguments in COMMAND_FILE are needed (unlike the BCB message,
363 // COMMAND_FILE doesn't use filename as the first argument).
364 for (auto it = tokens.begin(); it != tokens.end(); it++) {
365 // Skip empty and '\0'-filled tokens.
366 if (!it->empty() && (*it)[0] != '\0') args.push_back(std::move(*it));
367 }
368 LOG(INFO) << "Got " << args.size() << " arguments from " << COMMAND_FILE;
369 }
370 }
371
372 // Write the arguments (excluding the filename in args[0]) back into the
373 // bootloader control block. So the device will always boot into recovery to
374 // finish the pending work, until finish_recovery() is called.
375 std::vector<std::string> options(args.cbegin() + 1, args.cend());
376 if (!update_bootloader_message(options, &err)) {
377 LOG(ERROR) << "Failed to set BCB message: " << err;
378 }
379
380 return args;
381 }
382
383 // Set the BCB to reboot back into recovery (it won't resume the install from
384 // sdcard though).
set_sdcard_update_bootloader_message()385 static void set_sdcard_update_bootloader_message() {
386 std::vector<std::string> options;
387 std::string err;
388 if (!update_bootloader_message(options, &err)) {
389 LOG(ERROR) << "Failed to set BCB message: " << err;
390 }
391 }
392
393 // Read from kernel log into buffer and write out to file.
save_kernel_log(const char * destination)394 static void save_kernel_log(const char* destination) {
395 int klog_buf_len = klogctl(KLOG_SIZE_BUFFER, 0, 0);
396 if (klog_buf_len <= 0) {
397 PLOG(ERROR) << "Error getting klog size";
398 return;
399 }
400
401 std::string buffer(klog_buf_len, 0);
402 int n = klogctl(KLOG_READ_ALL, &buffer[0], klog_buf_len);
403 if (n == -1) {
404 PLOG(ERROR) << "Error in reading klog";
405 return;
406 }
407 buffer.resize(n);
408 android::base::WriteStringToFile(buffer, destination);
409 }
410
411 // write content to the current pmsg session.
__pmsg_write(const char * filename,const char * buf,size_t len)412 static ssize_t __pmsg_write(const char *filename, const char *buf, size_t len) {
413 return __android_log_pmsg_file_write(LOG_ID_SYSTEM, ANDROID_LOG_INFO,
414 filename, buf, len);
415 }
416
copy_log_file_to_pmsg(const char * source,const char * destination)417 static void copy_log_file_to_pmsg(const char* source, const char* destination) {
418 std::string content;
419 android::base::ReadFileToString(source, &content);
420 __pmsg_write(destination, content.c_str(), content.length());
421 }
422
423 // How much of the temp log we have copied to the copy in cache.
424 static off_t tmplog_offset = 0;
425
copy_log_file(const char * source,const char * destination,bool append)426 static void copy_log_file(const char* source, const char* destination, bool append) {
427 FILE* dest_fp = fopen_path(destination, append ? "ae" : "we");
428 if (dest_fp == nullptr) {
429 PLOG(ERROR) << "Can't open " << destination;
430 } else {
431 FILE* source_fp = fopen(source, "re");
432 if (source_fp != nullptr) {
433 if (append) {
434 fseeko(source_fp, tmplog_offset, SEEK_SET); // Since last write
435 }
436 char buf[4096];
437 size_t bytes;
438 while ((bytes = fread(buf, 1, sizeof(buf), source_fp)) != 0) {
439 fwrite(buf, 1, bytes, dest_fp);
440 }
441 if (append) {
442 tmplog_offset = ftello(source_fp);
443 }
444 check_and_fclose(source_fp, source);
445 }
446 check_and_fclose(dest_fp, destination);
447 }
448 }
449
copy_logs()450 static void copy_logs() {
451 // We only rotate and record the log of the current session if there are
452 // actual attempts to modify the flash, such as wipes, installs from BCB
453 // or menu selections. This is to avoid unnecessary rotation (and
454 // possible deletion) of log files, if it does not do anything loggable.
455 if (!modified_flash) {
456 return;
457 }
458
459 // Always write to pmsg, this allows the OTA logs to be caught in logcat -L
460 copy_log_file_to_pmsg(TEMPORARY_LOG_FILE, LAST_LOG_FILE);
461 copy_log_file_to_pmsg(TEMPORARY_INSTALL_FILE, LAST_INSTALL_FILE);
462
463 // We can do nothing for now if there's no /cache partition.
464 if (!has_cache) {
465 return;
466 }
467
468 ensure_path_mounted(LAST_LOG_FILE);
469 ensure_path_mounted(LAST_KMSG_FILE);
470 rotate_logs(LAST_LOG_FILE, LAST_KMSG_FILE);
471
472 // Copy logs to cache so the system can find out what happened.
473 copy_log_file(TEMPORARY_LOG_FILE, LOG_FILE, true);
474 copy_log_file(TEMPORARY_LOG_FILE, LAST_LOG_FILE, false);
475 copy_log_file(TEMPORARY_INSTALL_FILE, LAST_INSTALL_FILE, false);
476 save_kernel_log(LAST_KMSG_FILE);
477 chmod(LOG_FILE, 0600);
478 chown(LOG_FILE, AID_SYSTEM, AID_SYSTEM);
479 chmod(LAST_KMSG_FILE, 0600);
480 chown(LAST_KMSG_FILE, AID_SYSTEM, AID_SYSTEM);
481 chmod(LAST_LOG_FILE, 0640);
482 chmod(LAST_INSTALL_FILE, 0644);
483 sync();
484 }
485
486 // Clear the recovery command and prepare to boot a (hopefully working) system,
487 // copy our log file to cache as well (for the system to read). This function is
488 // idempotent: call it as many times as you like.
finish_recovery()489 static void finish_recovery() {
490 // Save the locale to cache, so if recovery is next started up without a '--locale' argument
491 // (e.g., directly from the bootloader) it will use the last-known locale.
492 if (!locale.empty() && has_cache) {
493 LOG(INFO) << "Saving locale \"" << locale << "\"";
494 if (ensure_path_mounted(LOCALE_FILE) != 0) {
495 LOG(ERROR) << "Failed to mount " << LOCALE_FILE;
496 } else if (!android::base::WriteStringToFile(locale, LOCALE_FILE)) {
497 PLOG(ERROR) << "Failed to save locale to " << LOCALE_FILE;
498 }
499 }
500
501 copy_logs();
502
503 // Reset to normal system boot so recovery won't cycle indefinitely.
504 std::string err;
505 if (!clear_bootloader_message(&err)) {
506 LOG(ERROR) << "Failed to clear BCB message: " << err;
507 }
508
509 // Remove the command file, so recovery won't repeat indefinitely.
510 if (has_cache) {
511 if (ensure_path_mounted(COMMAND_FILE) != 0 || (unlink(COMMAND_FILE) && errno != ENOENT)) {
512 LOG(WARNING) << "Can't unlink " << COMMAND_FILE;
513 }
514 ensure_path_unmounted(CACHE_ROOT);
515 }
516
517 sync(); // For good measure.
518 }
519
520 struct saved_log_file {
521 std::string name;
522 struct stat sb;
523 std::string data;
524 };
525
erase_volume(const char * volume)526 static bool erase_volume(const char* volume) {
527 bool is_cache = (strcmp(volume, CACHE_ROOT) == 0);
528 bool is_data = (strcmp(volume, DATA_ROOT) == 0);
529
530 ui->SetBackground(RecoveryUI::ERASING);
531 ui->SetProgressType(RecoveryUI::INDETERMINATE);
532
533 std::vector<saved_log_file> log_files;
534
535 if (is_cache) {
536 // If we're reformatting /cache, we load any past logs
537 // (i.e. "/cache/recovery/last_*") and the current log
538 // ("/cache/recovery/log") into memory, so we can restore them after
539 // the reformat.
540
541 ensure_path_mounted(volume);
542
543 struct dirent* de;
544 std::unique_ptr<DIR, decltype(&closedir)> d(opendir(CACHE_LOG_DIR), closedir);
545 if (d) {
546 while ((de = readdir(d.get())) != nullptr) {
547 if (strncmp(de->d_name, "last_", 5) == 0 || strcmp(de->d_name, "log") == 0) {
548 std::string path = android::base::StringPrintf("%s/%s", CACHE_LOG_DIR, de->d_name);
549
550 struct stat sb;
551 if (stat(path.c_str(), &sb) == 0) {
552 // truncate files to 512kb
553 if (sb.st_size > (1 << 19)) {
554 sb.st_size = 1 << 19;
555 }
556
557 std::string data(sb.st_size, '\0');
558 FILE* f = fopen(path.c_str(), "rbe");
559 fread(&data[0], 1, data.size(), f);
560 fclose(f);
561
562 log_files.emplace_back(saved_log_file{ path, sb, data });
563 }
564 }
565 }
566 } else {
567 if (errno != ENOENT) {
568 PLOG(ERROR) << "Failed to opendir " << CACHE_LOG_DIR;
569 }
570 }
571 }
572
573 ui->Print("Formatting %s...\n", volume);
574
575 ensure_path_unmounted(volume);
576
577 int result;
578
579 if (is_data && reason && strcmp(reason, "convert_fbe") == 0) {
580 // Create convert_fbe breadcrumb file to signal to init
581 // to convert to file based encryption, not full disk encryption
582 if (mkdir(CONVERT_FBE_DIR, 0700) != 0) {
583 ui->Print("Failed to make convert_fbe dir %s\n", strerror(errno));
584 return true;
585 }
586 FILE* f = fopen(CONVERT_FBE_FILE, "wbe");
587 if (!f) {
588 ui->Print("Failed to convert to file encryption %s\n", strerror(errno));
589 return true;
590 }
591 fclose(f);
592 result = format_volume(volume, CONVERT_FBE_DIR);
593 remove(CONVERT_FBE_FILE);
594 rmdir(CONVERT_FBE_DIR);
595 } else {
596 result = format_volume(volume);
597 }
598
599 if (is_cache) {
600 // Re-create the log dir and write back the log entries.
601 if (ensure_path_mounted(CACHE_LOG_DIR) == 0 &&
602 mkdir_recursively(CACHE_LOG_DIR, 0777, false, sehandle) == 0) {
603 for (const auto& log : log_files) {
604 if (!android::base::WriteStringToFile(log.data, log.name, log.sb.st_mode, log.sb.st_uid,
605 log.sb.st_gid)) {
606 PLOG(ERROR) << "Failed to write to " << log.name;
607 }
608 }
609 } else {
610 PLOG(ERROR) << "Failed to mount / create " << CACHE_LOG_DIR;
611 }
612
613 // Any part of the log we'd copied to cache is now gone.
614 // Reset the pointer so we copy from the beginning of the temp
615 // log.
616 tmplog_offset = 0;
617 copy_logs();
618 }
619
620 return (result == 0);
621 }
622
623 // Display a menu with the specified 'headers' and 'items'. Device specific HandleMenuKey() may
624 // return a positive number beyond the given range. Caller sets 'menu_only' to true to ensure only
625 // a menu item gets selected. 'initial_selection' controls the initial cursor location. Returns the
626 // (non-negative) chosen item number, or -1 if timed out waiting for input.
get_menu_selection(const char * const * headers,const char * const * items,bool menu_only,int initial_selection,Device * device)627 static int get_menu_selection(const char* const* headers, const char* const* items, bool menu_only,
628 int initial_selection, Device* device) {
629 // Throw away keys pressed previously, so user doesn't accidentally trigger menu items.
630 ui->FlushKeys();
631
632 ui->StartMenu(headers, items, initial_selection);
633
634 int selected = initial_selection;
635 int chosen_item = -1;
636 while (chosen_item < 0) {
637 int key = ui->WaitKey();
638 if (key == -1) { // WaitKey() timed out.
639 if (ui->WasTextEverVisible()) {
640 continue;
641 } else {
642 LOG(INFO) << "Timed out waiting for key input; rebooting.";
643 ui->EndMenu();
644 return -1;
645 }
646 }
647
648 bool visible = ui->IsTextVisible();
649 int action = device->HandleMenuKey(key, visible);
650
651 if (action < 0) {
652 switch (action) {
653 case Device::kHighlightUp:
654 selected = ui->SelectMenu(--selected);
655 break;
656 case Device::kHighlightDown:
657 selected = ui->SelectMenu(++selected);
658 break;
659 case Device::kInvokeItem:
660 chosen_item = selected;
661 break;
662 case Device::kNoAction:
663 break;
664 }
665 } else if (!menu_only) {
666 chosen_item = action;
667 }
668 }
669
670 ui->EndMenu();
671 return chosen_item;
672 }
673
674 // Returns the selected filename, or an empty string.
browse_directory(const std::string & path,Device * device)675 static std::string browse_directory(const std::string& path, Device* device) {
676 ensure_path_mounted(path.c_str());
677
678 std::unique_ptr<DIR, decltype(&closedir)> d(opendir(path.c_str()), closedir);
679 if (!d) {
680 PLOG(ERROR) << "error opening " << path;
681 return "";
682 }
683
684 std::vector<std::string> dirs;
685 std::vector<std::string> zips = { "../" }; // "../" is always the first entry.
686
687 dirent* de;
688 while ((de = readdir(d.get())) != nullptr) {
689 std::string name(de->d_name);
690
691 if (de->d_type == DT_DIR) {
692 // Skip "." and ".." entries.
693 if (name == "." || name == "..") continue;
694 dirs.push_back(name + "/");
695 } else if (de->d_type == DT_REG && android::base::EndsWithIgnoreCase(name, ".zip")) {
696 zips.push_back(name);
697 }
698 }
699
700 std::sort(dirs.begin(), dirs.end());
701 std::sort(zips.begin(), zips.end());
702
703 // Append dirs to the zips list.
704 zips.insert(zips.end(), dirs.begin(), dirs.end());
705
706 const char* entries[zips.size() + 1];
707 entries[zips.size()] = nullptr;
708 for (size_t i = 0; i < zips.size(); i++) {
709 entries[i] = zips[i].c_str();
710 }
711
712 const char* headers[] = { "Choose a package to install:", path.c_str(), nullptr };
713
714 int chosen_item = 0;
715 while (true) {
716 chosen_item = get_menu_selection(headers, entries, true, chosen_item, device);
717
718 const std::string& item = zips[chosen_item];
719 if (chosen_item == 0) {
720 // Go up but continue browsing (if the caller is browse_directory).
721 return "";
722 }
723
724 std::string new_path = path + "/" + item;
725 if (new_path.back() == '/') {
726 // Recurse down into a subdirectory.
727 new_path.pop_back();
728 std::string result = browse_directory(new_path, device);
729 if (!result.empty()) return result;
730 } else {
731 // Selected a zip file: return the path to the caller.
732 return new_path;
733 }
734 }
735
736 // Unreachable.
737 }
738
yes_no(Device * device,const char * question1,const char * question2)739 static bool yes_no(Device* device, const char* question1, const char* question2) {
740 const char* headers[] = { question1, question2, NULL };
741 const char* items[] = { " No", " Yes", NULL };
742
743 int chosen_item = get_menu_selection(headers, items, true, 0, device);
744 return (chosen_item == 1);
745 }
746
ask_to_wipe_data(Device * device)747 static bool ask_to_wipe_data(Device* device) {
748 return yes_no(device, "Wipe all user data?", " THIS CAN NOT BE UNDONE!");
749 }
750
751 // Return true on success.
wipe_data(Device * device)752 static bool wipe_data(Device* device) {
753 modified_flash = true;
754
755 ui->Print("\n-- Wiping data...\n");
756 bool success = device->PreWipeData();
757 if (success) {
758 success &= erase_volume(DATA_ROOT);
759 if (has_cache) {
760 success &= erase_volume(CACHE_ROOT);
761 }
762 if (volume_for_mount_point(METADATA_ROOT) != nullptr) {
763 success &= erase_volume(METADATA_ROOT);
764 }
765 }
766 if (success) {
767 success &= device->PostWipeData();
768 }
769 ui->Print("Data wipe %s.\n", success ? "complete" : "failed");
770 return success;
771 }
772
prompt_and_wipe_data(Device * device)773 static bool prompt_and_wipe_data(Device* device) {
774 // Use a single string and let ScreenRecoveryUI handles the wrapping.
775 const char* const headers[] = {
776 "Can't load Android system. Your data may be corrupt. "
777 "If you continue to get this message, you may need to "
778 "perform a factory data reset and erase all user data "
779 "stored on this device.",
780 nullptr
781 };
782 const char* const items[] = {
783 "Try again",
784 "Factory data reset",
785 NULL
786 };
787 for (;;) {
788 int chosen_item = get_menu_selection(headers, items, true, 0, device);
789 if (chosen_item != 1) {
790 return true; // Just reboot, no wipe; not a failure, user asked for it
791 }
792 if (ask_to_wipe_data(device)) {
793 return wipe_data(device);
794 }
795 }
796 }
797
798 // Return true on success.
wipe_cache(bool should_confirm,Device * device)799 static bool wipe_cache(bool should_confirm, Device* device) {
800 if (!has_cache) {
801 ui->Print("No /cache partition found.\n");
802 return false;
803 }
804
805 if (should_confirm && !yes_no(device, "Wipe cache?", " THIS CAN NOT BE UNDONE!")) {
806 return false;
807 }
808
809 modified_flash = true;
810
811 ui->Print("\n-- Wiping cache...\n");
812 bool success = erase_volume("/cache");
813 ui->Print("Cache wipe %s.\n", success ? "complete" : "failed");
814 return success;
815 }
816
817 // Secure-wipe a given partition. It uses BLKSECDISCARD, if supported. Otherwise, it goes with
818 // BLKDISCARD (if device supports BLKDISCARDZEROES) or BLKZEROOUT.
secure_wipe_partition(const std::string & partition)819 static bool secure_wipe_partition(const std::string& partition) {
820 android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(partition.c_str(), O_WRONLY)));
821 if (fd == -1) {
822 PLOG(ERROR) << "Failed to open \"" << partition << "\"";
823 return false;
824 }
825
826 uint64_t range[2] = { 0, 0 };
827 if (ioctl(fd, BLKGETSIZE64, &range[1]) == -1 || range[1] == 0) {
828 PLOG(ERROR) << "Failed to get partition size";
829 return false;
830 }
831 LOG(INFO) << "Secure-wiping \"" << partition << "\" from " << range[0] << " to " << range[1];
832
833 LOG(INFO) << " Trying BLKSECDISCARD...";
834 if (ioctl(fd, BLKSECDISCARD, &range) == -1) {
835 PLOG(WARNING) << " Failed";
836
837 // Use BLKDISCARD if it zeroes out blocks, otherwise use BLKZEROOUT.
838 unsigned int zeroes;
839 if (ioctl(fd, BLKDISCARDZEROES, &zeroes) == 0 && zeroes != 0) {
840 LOG(INFO) << " Trying BLKDISCARD...";
841 if (ioctl(fd, BLKDISCARD, &range) == -1) {
842 PLOG(ERROR) << " Failed";
843 return false;
844 }
845 } else {
846 LOG(INFO) << " Trying BLKZEROOUT...";
847 if (ioctl(fd, BLKZEROOUT, &range) == -1) {
848 PLOG(ERROR) << " Failed";
849 return false;
850 }
851 }
852 }
853
854 LOG(INFO) << " Done";
855 return true;
856 }
857
858 // Check if the wipe package matches expectation:
859 // 1. verify the package.
860 // 2. check metadata (ota-type, pre-device and serial number if having one).
check_wipe_package(size_t wipe_package_size)861 static bool check_wipe_package(size_t wipe_package_size) {
862 if (wipe_package_size == 0) {
863 LOG(ERROR) << "wipe_package_size is zero";
864 return false;
865 }
866 std::string wipe_package;
867 std::string err_str;
868 if (!read_wipe_package(&wipe_package, wipe_package_size, &err_str)) {
869 PLOG(ERROR) << "Failed to read wipe package";
870 return false;
871 }
872 if (!verify_package(reinterpret_cast<const unsigned char*>(wipe_package.data()),
873 wipe_package.size())) {
874 LOG(ERROR) << "Failed to verify package";
875 return false;
876 }
877
878 // Extract metadata
879 ZipArchiveHandle zip;
880 int err = OpenArchiveFromMemory(static_cast<void*>(&wipe_package[0]), wipe_package.size(),
881 "wipe_package", &zip);
882 if (err != 0) {
883 LOG(ERROR) << "Can't open wipe package : " << ErrorCodeString(err);
884 return false;
885 }
886 std::string metadata;
887 if (!read_metadata_from_package(zip, &metadata)) {
888 CloseArchive(zip);
889 return false;
890 }
891 CloseArchive(zip);
892
893 // Check metadata
894 std::vector<std::string> lines = android::base::Split(metadata, "\n");
895 bool ota_type_matched = false;
896 bool device_type_matched = false;
897 bool has_serial_number = false;
898 bool serial_number_matched = false;
899 for (const auto& line : lines) {
900 if (line == "ota-type=BRICK") {
901 ota_type_matched = true;
902 } else if (android::base::StartsWith(line, "pre-device=")) {
903 std::string device_type = line.substr(strlen("pre-device="));
904 std::string real_device_type = android::base::GetProperty("ro.build.product", "");
905 device_type_matched = (device_type == real_device_type);
906 } else if (android::base::StartsWith(line, "serialno=")) {
907 std::string serial_no = line.substr(strlen("serialno="));
908 std::string real_serial_no = android::base::GetProperty("ro.serialno", "");
909 has_serial_number = true;
910 serial_number_matched = (serial_no == real_serial_no);
911 }
912 }
913 return ota_type_matched && device_type_matched && (!has_serial_number || serial_number_matched);
914 }
915
916 // Wipe the current A/B device, with a secure wipe of all the partitions in
917 // RECOVERY_WIPE.
wipe_ab_device(size_t wipe_package_size)918 static bool wipe_ab_device(size_t wipe_package_size) {
919 ui->SetBackground(RecoveryUI::ERASING);
920 ui->SetProgressType(RecoveryUI::INDETERMINATE);
921
922 if (!check_wipe_package(wipe_package_size)) {
923 LOG(ERROR) << "Failed to verify wipe package";
924 return false;
925 }
926 std::string partition_list;
927 if (!android::base::ReadFileToString(RECOVERY_WIPE, &partition_list)) {
928 LOG(ERROR) << "failed to read \"" << RECOVERY_WIPE << "\"";
929 return false;
930 }
931
932 std::vector<std::string> lines = android::base::Split(partition_list, "\n");
933 for (const std::string& line : lines) {
934 std::string partition = android::base::Trim(line);
935 // Ignore '#' comment or empty lines.
936 if (android::base::StartsWith(partition, "#") || partition.empty()) {
937 continue;
938 }
939
940 // Proceed anyway even if it fails to wipe some partition.
941 secure_wipe_partition(partition);
942 }
943 return true;
944 }
945
choose_recovery_file(Device * device)946 static void choose_recovery_file(Device* device) {
947 std::vector<std::string> entries;
948 if (has_cache) {
949 for (int i = 0; i < KEEP_LOG_COUNT; i++) {
950 auto add_to_entries = [&](const char* filename) {
951 std::string log_file(filename);
952 if (i > 0) {
953 log_file += "." + std::to_string(i);
954 }
955
956 if (ensure_path_mounted(log_file.c_str()) == 0 && access(log_file.c_str(), R_OK) == 0) {
957 entries.push_back(std::move(log_file));
958 }
959 };
960
961 // Add LAST_LOG_FILE + LAST_LOG_FILE.x
962 add_to_entries(LAST_LOG_FILE);
963
964 // Add LAST_KMSG_FILE + LAST_KMSG_FILE.x
965 add_to_entries(LAST_KMSG_FILE);
966 }
967 } else {
968 // If cache partition is not found, view /tmp/recovery.log instead.
969 if (access(TEMPORARY_LOG_FILE, R_OK) == -1) {
970 return;
971 } else {
972 entries.push_back(TEMPORARY_LOG_FILE);
973 }
974 }
975
976 entries.push_back("Back");
977
978 std::vector<const char*> menu_entries(entries.size());
979 std::transform(entries.cbegin(), entries.cend(), menu_entries.begin(),
980 [](const std::string& entry) { return entry.c_str(); });
981 menu_entries.push_back(nullptr);
982
983 const char* headers[] = { "Select file to view", nullptr };
984
985 int chosen_item = 0;
986 while (true) {
987 chosen_item = get_menu_selection(headers, menu_entries.data(), true, chosen_item, device);
988 if (entries[chosen_item] == "Back") break;
989
990 ui->ShowFile(entries[chosen_item].c_str());
991 }
992 }
993
run_graphics_test()994 static void run_graphics_test() {
995 // Switch to graphics screen.
996 ui->ShowText(false);
997
998 ui->SetProgressType(RecoveryUI::INDETERMINATE);
999 ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
1000 sleep(1);
1001
1002 ui->SetBackground(RecoveryUI::ERROR);
1003 sleep(1);
1004
1005 ui->SetBackground(RecoveryUI::NO_COMMAND);
1006 sleep(1);
1007
1008 ui->SetBackground(RecoveryUI::ERASING);
1009 sleep(1);
1010
1011 // Calling SetBackground() after SetStage() to trigger a redraw.
1012 ui->SetStage(1, 3);
1013 ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
1014 sleep(1);
1015 ui->SetStage(2, 3);
1016 ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
1017 sleep(1);
1018 ui->SetStage(3, 3);
1019 ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
1020 sleep(1);
1021
1022 ui->SetStage(-1, -1);
1023 ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
1024
1025 ui->SetProgressType(RecoveryUI::DETERMINATE);
1026 ui->ShowProgress(1.0, 10.0);
1027 float fraction = 0.0;
1028 for (size_t i = 0; i < 100; ++i) {
1029 fraction += .01;
1030 ui->SetProgress(fraction);
1031 usleep(100000);
1032 }
1033
1034 ui->ShowText(true);
1035 }
1036
1037 // How long (in seconds) we wait for the fuse-provided package file to
1038 // appear, before timing out.
1039 #define SDCARD_INSTALL_TIMEOUT 10
1040
apply_from_sdcard(Device * device,bool * wipe_cache)1041 static int apply_from_sdcard(Device* device, bool* wipe_cache) {
1042 modified_flash = true;
1043
1044 if (ensure_path_mounted(SDCARD_ROOT) != 0) {
1045 ui->Print("\n-- Couldn't mount %s.\n", SDCARD_ROOT);
1046 return INSTALL_ERROR;
1047 }
1048
1049 std::string path = browse_directory(SDCARD_ROOT, device);
1050 if (path.empty()) {
1051 ui->Print("\n-- No package file selected.\n");
1052 ensure_path_unmounted(SDCARD_ROOT);
1053 return INSTALL_ERROR;
1054 }
1055
1056 ui->Print("\n-- Install %s ...\n", path.c_str());
1057 set_sdcard_update_bootloader_message();
1058
1059 // We used to use fuse in a thread as opposed to a process. Since accessing
1060 // through fuse involves going from kernel to userspace to kernel, it leads
1061 // to deadlock when a page fault occurs. (Bug: 26313124)
1062 pid_t child;
1063 if ((child = fork()) == 0) {
1064 bool status = start_sdcard_fuse(path.c_str());
1065
1066 _exit(status ? EXIT_SUCCESS : EXIT_FAILURE);
1067 }
1068
1069 // FUSE_SIDELOAD_HOST_PATHNAME will start to exist once the fuse in child
1070 // process is ready.
1071 int result = INSTALL_ERROR;
1072 int status;
1073 bool waited = false;
1074 for (int i = 0; i < SDCARD_INSTALL_TIMEOUT; ++i) {
1075 if (waitpid(child, &status, WNOHANG) == -1) {
1076 result = INSTALL_ERROR;
1077 waited = true;
1078 break;
1079 }
1080
1081 struct stat sb;
1082 if (stat(FUSE_SIDELOAD_HOST_PATHNAME, &sb) == -1) {
1083 if (errno == ENOENT && i < SDCARD_INSTALL_TIMEOUT-1) {
1084 sleep(1);
1085 continue;
1086 } else {
1087 LOG(ERROR) << "Timed out waiting for the fuse-provided package.";
1088 result = INSTALL_ERROR;
1089 kill(child, SIGKILL);
1090 break;
1091 }
1092 }
1093
1094 result = install_package(FUSE_SIDELOAD_HOST_PATHNAME, wipe_cache,
1095 TEMPORARY_INSTALL_FILE, false, 0/*retry_count*/);
1096 break;
1097 }
1098
1099 if (!waited) {
1100 // Calling stat() on this magic filename signals the fuse
1101 // filesystem to shut down.
1102 struct stat sb;
1103 stat(FUSE_SIDELOAD_HOST_EXIT_PATHNAME, &sb);
1104
1105 waitpid(child, &status, 0);
1106 }
1107
1108 if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
1109 LOG(ERROR) << "Error exit from the fuse process: " << WEXITSTATUS(status);
1110 }
1111
1112 ensure_path_unmounted(SDCARD_ROOT);
1113 return result;
1114 }
1115
1116 // Returns REBOOT, SHUTDOWN, or REBOOT_BOOTLOADER. Returning NO_ACTION means to take the default,
1117 // which is to reboot or shutdown depending on if the --shutdown_after flag was passed to recovery.
prompt_and_wait(Device * device,int status)1118 static Device::BuiltinAction prompt_and_wait(Device* device, int status) {
1119 for (;;) {
1120 finish_recovery();
1121 switch (status) {
1122 case INSTALL_SUCCESS:
1123 case INSTALL_NONE:
1124 ui->SetBackground(RecoveryUI::NO_COMMAND);
1125 break;
1126
1127 case INSTALL_ERROR:
1128 case INSTALL_CORRUPT:
1129 ui->SetBackground(RecoveryUI::ERROR);
1130 break;
1131 }
1132 ui->SetProgressType(RecoveryUI::EMPTY);
1133
1134 int chosen_item = get_menu_selection(nullptr, device->GetMenuItems(), false, 0, device);
1135
1136 // Device-specific code may take some action here. It may return one of the core actions
1137 // handled in the switch statement below.
1138 Device::BuiltinAction chosen_action =
1139 (chosen_item == -1) ? Device::REBOOT : device->InvokeMenuItem(chosen_item);
1140
1141 bool should_wipe_cache = false;
1142 switch (chosen_action) {
1143 case Device::NO_ACTION:
1144 break;
1145
1146 case Device::REBOOT:
1147 case Device::SHUTDOWN:
1148 case Device::REBOOT_BOOTLOADER:
1149 return chosen_action;
1150
1151 case Device::WIPE_DATA:
1152 if (ui->IsTextVisible()) {
1153 if (ask_to_wipe_data(device)) {
1154 wipe_data(device);
1155 }
1156 } else {
1157 wipe_data(device);
1158 return Device::NO_ACTION;
1159 }
1160 break;
1161
1162 case Device::WIPE_CACHE:
1163 wipe_cache(ui->IsTextVisible(), device);
1164 if (!ui->IsTextVisible()) return Device::NO_ACTION;
1165 break;
1166
1167 case Device::APPLY_ADB_SIDELOAD:
1168 case Device::APPLY_SDCARD:
1169 {
1170 bool adb = (chosen_action == Device::APPLY_ADB_SIDELOAD);
1171 if (adb) {
1172 status = apply_from_adb(&should_wipe_cache, TEMPORARY_INSTALL_FILE);
1173 } else {
1174 status = apply_from_sdcard(device, &should_wipe_cache);
1175 }
1176
1177 if (status == INSTALL_SUCCESS && should_wipe_cache) {
1178 if (!wipe_cache(false, device)) {
1179 status = INSTALL_ERROR;
1180 }
1181 }
1182
1183 if (status != INSTALL_SUCCESS) {
1184 ui->SetBackground(RecoveryUI::ERROR);
1185 ui->Print("Installation aborted.\n");
1186 copy_logs();
1187 } else if (!ui->IsTextVisible()) {
1188 return Device::NO_ACTION; // reboot if logs aren't visible
1189 } else {
1190 ui->Print("\nInstall from %s complete.\n", adb ? "ADB" : "SD card");
1191 }
1192 }
1193 break;
1194
1195 case Device::VIEW_RECOVERY_LOGS:
1196 choose_recovery_file(device);
1197 break;
1198
1199 case Device::RUN_GRAPHICS_TEST:
1200 run_graphics_test();
1201 break;
1202
1203 case Device::RUN_LOCALE_TEST: {
1204 ScreenRecoveryUI* screen_ui = static_cast<ScreenRecoveryUI*>(ui);
1205 screen_ui->CheckBackgroundTextImages(locale);
1206 break;
1207 }
1208 case Device::MOUNT_SYSTEM:
1209 // For a system image built with the root directory (i.e. system_root_image == "true"), we
1210 // mount it to /system_root, and symlink /system to /system_root/system to make adb shell
1211 // work (the symlink is created through the build system). (Bug: 22855115)
1212 if (android::base::GetBoolProperty("ro.build.system_root_image", false)) {
1213 if (ensure_path_mounted_at("/", "/system_root") != -1) {
1214 ui->Print("Mounted /system.\n");
1215 }
1216 } else {
1217 if (ensure_path_mounted("/system") != -1) {
1218 ui->Print("Mounted /system.\n");
1219 }
1220 }
1221 break;
1222 }
1223 }
1224 }
1225
print_property(const char * key,const char * name,void *)1226 static void print_property(const char* key, const char* name, void* /* cookie */) {
1227 printf("%s=%s\n", key, name);
1228 }
1229
load_locale_from_cache()1230 static std::string load_locale_from_cache() {
1231 if (ensure_path_mounted(LOCALE_FILE) != 0) {
1232 LOG(ERROR) << "Can't mount " << LOCALE_FILE;
1233 return "";
1234 }
1235
1236 std::string content;
1237 if (!android::base::ReadFileToString(LOCALE_FILE, &content)) {
1238 PLOG(ERROR) << "Can't read " << LOCALE_FILE;
1239 return "";
1240 }
1241
1242 return android::base::Trim(content);
1243 }
1244
ui_print(const char * format,...)1245 void ui_print(const char* format, ...) {
1246 std::string buffer;
1247 va_list ap;
1248 va_start(ap, format);
1249 android::base::StringAppendV(&buffer, format, ap);
1250 va_end(ap);
1251
1252 if (ui != nullptr) {
1253 ui->Print("%s", buffer.c_str());
1254 } else {
1255 fputs(buffer.c_str(), stdout);
1256 }
1257 }
1258
1259 static constexpr char log_characters[] = "VDIWEF";
1260
UiLogger(android::base::LogId,android::base::LogSeverity severity,const char *,const char *,unsigned int,const char * message)1261 void UiLogger(android::base::LogId /* id */, android::base::LogSeverity severity,
1262 const char* /* tag */, const char* /* file */, unsigned int /* line */,
1263 const char* message) {
1264 if (severity >= android::base::ERROR && ui != nullptr) {
1265 ui->Print("E:%s\n", message);
1266 } else {
1267 fprintf(stdout, "%c:%s\n", log_characters[severity], message);
1268 }
1269 }
1270
is_battery_ok()1271 static bool is_battery_ok() {
1272 using android::hardware::health::V1_0::BatteryStatus;
1273 using android::hardware::health::V2_0::Result;
1274 using android::hardware::health::V2_0::toString;
1275 using android::hardware::health::V2_0::implementation::Health;
1276
1277 struct healthd_config healthd_config = {
1278 .batteryStatusPath = android::String8(android::String8::kEmptyString),
1279 .batteryHealthPath = android::String8(android::String8::kEmptyString),
1280 .batteryPresentPath = android::String8(android::String8::kEmptyString),
1281 .batteryCapacityPath = android::String8(android::String8::kEmptyString),
1282 .batteryVoltagePath = android::String8(android::String8::kEmptyString),
1283 .batteryTemperaturePath = android::String8(android::String8::kEmptyString),
1284 .batteryTechnologyPath = android::String8(android::String8::kEmptyString),
1285 .batteryCurrentNowPath = android::String8(android::String8::kEmptyString),
1286 .batteryCurrentAvgPath = android::String8(android::String8::kEmptyString),
1287 .batteryChargeCounterPath = android::String8(android::String8::kEmptyString),
1288 .batteryFullChargePath = android::String8(android::String8::kEmptyString),
1289 .batteryCycleCountPath = android::String8(android::String8::kEmptyString),
1290 .energyCounter = NULL,
1291 .boot_min_cap = 0,
1292 .screen_on = NULL
1293 };
1294
1295 auto health =
1296 android::hardware::health::V2_0::implementation::Health::initInstance(&healthd_config);
1297
1298 int wait_second = 0;
1299 while (true) {
1300 auto charge_status = BatteryStatus::UNKNOWN;
1301 health
1302 ->getChargeStatus([&charge_status](auto res, auto out_status) {
1303 if (res == Result::SUCCESS) {
1304 charge_status = out_status;
1305 }
1306 })
1307 .isOk(); // should not have transport error
1308
1309 // Treat unknown status as charged.
1310 bool charged = (charge_status != BatteryStatus::DISCHARGING &&
1311 charge_status != BatteryStatus::NOT_CHARGING);
1312
1313 Result res = Result::UNKNOWN;
1314 int32_t capacity = INT32_MIN;
1315 health
1316 ->getCapacity([&res, &capacity](auto out_res, auto out_capacity) {
1317 res = out_res;
1318 capacity = out_capacity;
1319 })
1320 .isOk(); // should not have transport error
1321
1322 ui_print("charge_status %d, charged %d, status %s, capacity %" PRId32 "\n", charge_status,
1323 charged, toString(res).c_str(), capacity);
1324 // At startup, the battery drivers in devices like N5X/N6P take some time to load
1325 // the battery profile. Before the load finishes, it reports value 50 as a fake
1326 // capacity. BATTERY_READ_TIMEOUT_IN_SEC is set that the battery drivers are expected
1327 // to finish loading the battery profile earlier than 10 seconds after kernel startup.
1328 if (res == Result::SUCCESS && capacity == 50) {
1329 if (wait_second < BATTERY_READ_TIMEOUT_IN_SEC) {
1330 sleep(1);
1331 wait_second++;
1332 continue;
1333 }
1334 }
1335 // If we can't read battery percentage, it may be a device without battery. In this
1336 // situation, use 100 as a fake battery percentage.
1337 if (res != Result::SUCCESS) {
1338 capacity = 100;
1339 }
1340 return (charged && capacity >= BATTERY_WITH_CHARGER_OK_PERCENTAGE) ||
1341 (!charged && capacity >= BATTERY_OK_PERCENTAGE);
1342 }
1343 }
1344
1345 // Set the retry count to |retry_count| in BCB.
set_retry_bootloader_message(int retry_count,const std::vector<std::string> & args)1346 static void set_retry_bootloader_message(int retry_count, const std::vector<std::string>& args) {
1347 std::vector<std::string> options;
1348 for (const auto& arg : args) {
1349 if (!android::base::StartsWith(arg, "--retry_count")) {
1350 options.push_back(arg);
1351 }
1352 }
1353
1354 // Update the retry counter in BCB.
1355 options.push_back(android::base::StringPrintf("--retry_count=%d", retry_count));
1356 std::string err;
1357 if (!update_bootloader_message(options, &err)) {
1358 LOG(ERROR) << err;
1359 }
1360 }
1361
bootreason_in_blacklist()1362 static bool bootreason_in_blacklist() {
1363 std::string bootreason = android::base::GetProperty("ro.boot.bootreason", "");
1364 if (!bootreason.empty()) {
1365 for (const auto& str : bootreason_blacklist) {
1366 if (strcasecmp(str.c_str(), bootreason.c_str()) == 0) {
1367 return true;
1368 }
1369 }
1370 }
1371 return false;
1372 }
1373
log_failure_code(ErrorCode code,const char * update_package)1374 static void log_failure_code(ErrorCode code, const char *update_package) {
1375 std::vector<std::string> log_buffer = {
1376 update_package,
1377 "0", // install result
1378 "error: " + std::to_string(code),
1379 };
1380 std::string log_content = android::base::Join(log_buffer, "\n");
1381 if (!android::base::WriteStringToFile(log_content, TEMPORARY_INSTALL_FILE)) {
1382 PLOG(ERROR) << "failed to write " << TEMPORARY_INSTALL_FILE;
1383 }
1384
1385 // Also write the info into last_log.
1386 LOG(INFO) << log_content;
1387 }
1388
main(int argc,char ** argv)1389 int main(int argc, char **argv) {
1390 // We don't have logcat yet under recovery; so we'll print error on screen and
1391 // log to stdout (which is redirected to recovery.log) as we used to do.
1392 android::base::InitLogging(argv, &UiLogger);
1393
1394 // Take last pmsg contents and rewrite it to the current pmsg session.
1395 static const char filter[] = "recovery/";
1396 // Do we need to rotate?
1397 bool doRotate = false;
1398
1399 __android_log_pmsg_file_read(LOG_ID_SYSTEM, ANDROID_LOG_INFO, filter, logbasename, &doRotate);
1400 // Take action to refresh pmsg contents
1401 __android_log_pmsg_file_read(LOG_ID_SYSTEM, ANDROID_LOG_INFO, filter, logrotate, &doRotate);
1402
1403 // If this binary is started with the single argument "--adbd",
1404 // instead of being the normal recovery binary, it turns into kind
1405 // of a stripped-down version of adbd that only supports the
1406 // 'sideload' command. Note this must be a real argument, not
1407 // anything in the command file or bootloader control block; the
1408 // only way recovery should be run with this argument is when it
1409 // starts a copy of itself from the apply_from_adb() function.
1410 if (argc == 2 && strcmp(argv[1], "--adbd") == 0) {
1411 minadbd_main();
1412 return 0;
1413 }
1414
1415 time_t start = time(nullptr);
1416
1417 // redirect_stdio should be called only in non-sideload mode. Otherwise
1418 // we may have two logger instances with different timestamps.
1419 redirect_stdio(TEMPORARY_LOG_FILE);
1420
1421 printf("Starting recovery (pid %d) on %s", getpid(), ctime(&start));
1422
1423 load_volume_table();
1424 has_cache = volume_for_mount_point(CACHE_ROOT) != nullptr;
1425
1426 std::vector<std::string> args = get_args(argc, argv);
1427 std::vector<char*> args_to_parse(args.size());
1428 std::transform(args.cbegin(), args.cend(), args_to_parse.begin(),
1429 [](const std::string& arg) { return const_cast<char*>(arg.c_str()); });
1430
1431 const char* update_package = nullptr;
1432 bool should_wipe_data = false;
1433 bool should_prompt_and_wipe_data = false;
1434 bool should_wipe_cache = false;
1435 bool should_wipe_ab = false;
1436 size_t wipe_package_size = 0;
1437 bool show_text = false;
1438 bool sideload = false;
1439 bool sideload_auto_reboot = false;
1440 bool just_exit = false;
1441 bool shutdown_after = false;
1442 int retry_count = 0;
1443 bool security_update = false;
1444
1445 int arg;
1446 int option_index;
1447 while ((arg = getopt_long(args_to_parse.size(), args_to_parse.data(), "", OPTIONS,
1448 &option_index)) != -1) {
1449 switch (arg) {
1450 case 'n':
1451 android::base::ParseInt(optarg, &retry_count, 0);
1452 break;
1453 case 'u':
1454 update_package = optarg;
1455 break;
1456 case 'w':
1457 should_wipe_data = true;
1458 break;
1459 case 'c':
1460 should_wipe_cache = true;
1461 break;
1462 case 't':
1463 show_text = true;
1464 break;
1465 case 's':
1466 sideload = true;
1467 break;
1468 case 'a':
1469 sideload = true;
1470 sideload_auto_reboot = true;
1471 break;
1472 case 'x':
1473 just_exit = true;
1474 break;
1475 case 'l':
1476 locale = optarg;
1477 break;
1478 case 'p':
1479 shutdown_after = true;
1480 break;
1481 case 'r':
1482 reason = optarg;
1483 break;
1484 case 'e':
1485 security_update = true;
1486 break;
1487 case 0: {
1488 std::string option = OPTIONS[option_index].name;
1489 if (option == "wipe_ab") {
1490 should_wipe_ab = true;
1491 } else if (option == "wipe_package_size") {
1492 android::base::ParseUint(optarg, &wipe_package_size);
1493 } else if (option == "prompt_and_wipe_data") {
1494 should_prompt_and_wipe_data = true;
1495 }
1496 break;
1497 }
1498 case '?':
1499 LOG(ERROR) << "Invalid command argument";
1500 continue;
1501 }
1502 }
1503
1504 if (locale.empty()) {
1505 if (has_cache) {
1506 locale = load_locale_from_cache();
1507 }
1508
1509 if (locale.empty()) {
1510 locale = DEFAULT_LOCALE;
1511 }
1512 }
1513
1514 printf("locale is [%s]\n", locale.c_str());
1515 printf("stage is [%s]\n", stage.c_str());
1516 printf("reason is [%s]\n", reason);
1517
1518 Device* device = make_device();
1519 if (android::base::GetBoolProperty("ro.boot.quiescent", false)) {
1520 printf("Quiescent recovery mode.\n");
1521 ui = new StubRecoveryUI();
1522 } else {
1523 ui = device->GetUI();
1524
1525 if (!ui->Init(locale)) {
1526 printf("Failed to initialize UI, use stub UI instead.\n");
1527 ui = new StubRecoveryUI();
1528 }
1529 }
1530
1531 // Set background string to "installing security update" for security update,
1532 // otherwise set it to "installing system update".
1533 ui->SetSystemUpdateText(security_update);
1534
1535 int st_cur, st_max;
1536 if (!stage.empty() && sscanf(stage.c_str(), "%d/%d", &st_cur, &st_max) == 2) {
1537 ui->SetStage(st_cur, st_max);
1538 }
1539
1540 ui->SetBackground(RecoveryUI::NONE);
1541 if (show_text) ui->ShowText(true);
1542
1543 sehandle = selinux_android_file_context_handle();
1544 selinux_android_set_sehandle(sehandle);
1545 if (!sehandle) {
1546 ui->Print("Warning: No file_contexts\n");
1547 }
1548
1549 device->StartRecovery();
1550
1551 printf("Command:");
1552 for (const auto& arg : args) {
1553 printf(" \"%s\"", arg.c_str());
1554 }
1555 printf("\n\n");
1556
1557 property_list(print_property, nullptr);
1558 printf("\n");
1559
1560 ui->Print("Supported API: %d\n", kRecoveryApiVersion);
1561
1562 int status = INSTALL_SUCCESS;
1563
1564 if (update_package != nullptr) {
1565 // It's not entirely true that we will modify the flash. But we want
1566 // to log the update attempt since update_package is non-NULL.
1567 modified_flash = true;
1568
1569 if (!is_battery_ok()) {
1570 ui->Print("battery capacity is not enough for installing package, needed is %d%%\n",
1571 BATTERY_OK_PERCENTAGE);
1572 // Log the error code to last_install when installation skips due to
1573 // low battery.
1574 log_failure_code(kLowBattery, update_package);
1575 status = INSTALL_SKIPPED;
1576 } else if (bootreason_in_blacklist()) {
1577 // Skip update-on-reboot when bootreason is kernel_panic or similar
1578 ui->Print("bootreason is in the blacklist; skip OTA installation\n");
1579 log_failure_code(kBootreasonInBlacklist, update_package);
1580 status = INSTALL_SKIPPED;
1581 } else {
1582 // It's a fresh update. Initialize the retry_count in the BCB to 1; therefore we can later
1583 // identify the interrupted update due to unexpected reboots.
1584 if (retry_count == 0) {
1585 set_retry_bootloader_message(retry_count + 1, args);
1586 }
1587
1588 status = install_package(update_package, &should_wipe_cache, TEMPORARY_INSTALL_FILE, true,
1589 retry_count);
1590 if (status == INSTALL_SUCCESS && should_wipe_cache) {
1591 wipe_cache(false, device);
1592 }
1593 if (status != INSTALL_SUCCESS) {
1594 ui->Print("Installation aborted.\n");
1595 // When I/O error happens, reboot and retry installation RETRY_LIMIT
1596 // times before we abandon this OTA update.
1597 if (status == INSTALL_RETRY && retry_count < RETRY_LIMIT) {
1598 copy_logs();
1599 retry_count += 1;
1600 set_retry_bootloader_message(retry_count, args);
1601 // Print retry count on screen.
1602 ui->Print("Retry attempt %d\n", retry_count);
1603
1604 // Reboot and retry the update
1605 if (!reboot("reboot,recovery")) {
1606 ui->Print("Reboot failed\n");
1607 } else {
1608 while (true) {
1609 pause();
1610 }
1611 }
1612 }
1613 // If this is an eng or userdebug build, then automatically
1614 // turn the text display on if the script fails so the error
1615 // message is visible.
1616 if (is_ro_debuggable()) {
1617 ui->ShowText(true);
1618 }
1619 }
1620 }
1621 } else if (should_wipe_data) {
1622 if (!wipe_data(device)) {
1623 status = INSTALL_ERROR;
1624 }
1625 } else if (should_prompt_and_wipe_data) {
1626 ui->ShowText(true);
1627 ui->SetBackground(RecoveryUI::ERROR);
1628 if (!prompt_and_wipe_data(device)) {
1629 status = INSTALL_ERROR;
1630 }
1631 ui->ShowText(false);
1632 } else if (should_wipe_cache) {
1633 if (!wipe_cache(false, device)) {
1634 status = INSTALL_ERROR;
1635 }
1636 } else if (should_wipe_ab) {
1637 if (!wipe_ab_device(wipe_package_size)) {
1638 status = INSTALL_ERROR;
1639 }
1640 } else if (sideload) {
1641 // 'adb reboot sideload' acts the same as user presses key combinations
1642 // to enter the sideload mode. When 'sideload-auto-reboot' is used, text
1643 // display will NOT be turned on by default. And it will reboot after
1644 // sideload finishes even if there are errors. Unless one turns on the
1645 // text display during the installation. This is to enable automated
1646 // testing.
1647 if (!sideload_auto_reboot) {
1648 ui->ShowText(true);
1649 }
1650 status = apply_from_adb(&should_wipe_cache, TEMPORARY_INSTALL_FILE);
1651 if (status == INSTALL_SUCCESS && should_wipe_cache) {
1652 if (!wipe_cache(false, device)) {
1653 status = INSTALL_ERROR;
1654 }
1655 }
1656 ui->Print("\nInstall from ADB complete (status: %d).\n", status);
1657 if (sideload_auto_reboot) {
1658 ui->Print("Rebooting automatically.\n");
1659 }
1660 } else if (!just_exit) {
1661 // If this is an eng or userdebug build, automatically turn on the text display if no command
1662 // is specified. Note that this should be called before setting the background to avoid
1663 // flickering the background image.
1664 if (is_ro_debuggable()) {
1665 ui->ShowText(true);
1666 }
1667 status = INSTALL_NONE; // No command specified
1668 ui->SetBackground(RecoveryUI::NO_COMMAND);
1669 }
1670
1671 if (status == INSTALL_ERROR || status == INSTALL_CORRUPT) {
1672 ui->SetBackground(RecoveryUI::ERROR);
1673 if (!ui->IsTextVisible()) {
1674 sleep(5);
1675 }
1676 }
1677
1678 Device::BuiltinAction after = shutdown_after ? Device::SHUTDOWN : Device::REBOOT;
1679 // 1. If the recovery menu is visible, prompt and wait for commands.
1680 // 2. If the state is INSTALL_NONE, wait for commands. (i.e. In user build, manually reboot into
1681 // recovery to sideload a package.)
1682 // 3. sideload_auto_reboot is an option only available in user-debug build, reboot the device
1683 // without waiting.
1684 // 4. In all other cases, reboot the device. Therefore, normal users will observe the device
1685 // reboot after it shows the "error" screen for 5s.
1686 if ((status == INSTALL_NONE && !sideload_auto_reboot) || ui->IsTextVisible()) {
1687 Device::BuiltinAction temp = prompt_and_wait(device, status);
1688 if (temp != Device::NO_ACTION) {
1689 after = temp;
1690 }
1691 }
1692
1693 // Save logs and clean up before rebooting or shutting down.
1694 finish_recovery();
1695
1696 switch (after) {
1697 case Device::SHUTDOWN:
1698 ui->Print("Shutting down...\n");
1699 android::base::SetProperty(ANDROID_RB_PROPERTY, "shutdown,");
1700 break;
1701
1702 case Device::REBOOT_BOOTLOADER:
1703 ui->Print("Rebooting to bootloader...\n");
1704 android::base::SetProperty(ANDROID_RB_PROPERTY, "reboot,bootloader");
1705 break;
1706
1707 default:
1708 ui->Print("Rebooting...\n");
1709 reboot("reboot,");
1710 break;
1711 }
1712 while (true) {
1713 pause();
1714 }
1715 // Should be unreachable.
1716 return EXIT_SUCCESS;
1717 }
1718