SlideShare uma empresa Scribd logo

Timings of Init : Android Ramdisks for the Practical Hacker

Stacy Devino
Stacy Devino

Android Ramdisks basics presented at the Big Android BBQ 2014. Covers some of SElinux for Android, Kernels, Startup Sequences, Services, Classes, and Properties. Even, some practical examples on how they can be used to help your Android embedded or debugging work.

Engenharia
1 de 21
Baixar para ler offline
Timings of Init Android Ramdisks for the practical hacker Big Android BBQ - October 2014 Oceus Networks Inc. Internal
Who Am I? Stacy Wylie (Devino) Username: childofthehorn (Rootzwiki / XDA-developers / IRC / Github) 27 years old, soon to be 28 Yay! Principal Software Engineer at Oceus Networks Partner of OpenBrite LLC, an OSHW / OSS company, creators of the LEDgoes / BriteBlox product line Oceus Networks Inc. 2
What is it and where? Boot Image or Recovery Image (boot.img / recovery.img) contains two pieces:  Kernel (zImage) Ramdisk / Bootdisk / Rootdisk Without it, the kernel doesn't know what to do or how to start the OS. Oceus Networks Inc. 3
Ramdisk / Init in the Boot Sequence Oceus Networks Inc. 4 CHIP BOOT BOOTLOADER / UBOOT KERNEL RAMDISK / BOOTDISK Chip Supplier and Vendor controlled code (usually) $$$
Android vs. Linux Ramdisks  Most Linux Distros use initrd (vs. custom initd in Android)  Linux kills off its ramdisk after main OS boot;  Android keeps the ramdisk active in memory (will appear in / at runtime)  Android core services continue running, controlled by the init.rc scripts  Android Ramdisk + Kernel makes its own mini OS (see Team Win Recovery Project or Clockwork Mod) Oceus Networks Inc. 5
FROM HELL ! Oceus Networks Inc. *devil wears no pants
What was the Problem? The current state of init.rc scripts did not account for larger encryption keys or decryption that would take longer. This was a problem because the current state of initialization had the system and radios initializing separately with no checks. THIS IS NORMAL! Fixing required lots of time and careful monitoring of kernel messages and such from the serial terminal Oceus Networks Inc. 7
Nexus 5 Ramdisk Example (CM) Body text here Oceus Networks Inc. 8
Key Init binary starts  Init binary controls startup plus some other embedded functions like helping “vold” and in Android 4.3+, turning SEpolicy to “enforcing”. Vendors like Samsung and LG may incorporate custom initializations and checks prior to booting certain code.   Init starts the basic init.rc file which includes the imports for the next stage “.rc” files. Upon import (which may be chained through multiple “.rc” files), it immediately has the same startup and capabilities as the base init.rc.  How is this relevant? If having issues with init.rc or trouble finding something which is starting up, it might be in the Init binary and not in the runtime scripts. Oceus Networks Inc. 9
Directories  SBIN – Dedicated SBIN for binaries that may need to exist early in boot sequence or outside of the OS reach (usually executables)   BIN – Maps and links to “/system/bin”. Good place to put .ko files for insmod and .sh files that shouldn't go in “/” of the ramdisk.   “/” - Maps to “/” and contains init.rc files plus .sh files critical to bring-up (usually proprietary bits and radios). Most modern versions put this now in “/system/etc” in the normal system.img of the OS. In Android 4.3+, Sepolicy files used at startup are here (usually OK for most security as /system, boot-up, /proc, /dev, etc. files are what you care about at this point). Oceus Networks Inc. 10
Key Init binary starts  Init binary controls startup plus some other embedded functions like helping “vold” and in Android 4.3+, turning SEpolicy to “enforcing”. Vendors like Samsung and LG may incorporate custom initializations and checks prior to booting certain code.   Init starts the basic init.rc file which includes the imports for the next stage “.rc” files. Upon import (which may be chained through multiple “.rc” files), it immediately has the same startup and capabilities as the base init.rc.  How is this relevant? If having issues with init.rc or trouble finding something which is starting up, it might be in the Init binary and not in the runtime scripts. Oceus Networks Inc. 11
Basic Timing functions in init.rc import – pulls in the other init.xxx.rc files that will be run/running to control startup on early-init - start ueventd and any forks on init - startup actions like /sys properties, partition mounts, and symlinks on fs - partition mounts, chmod operations, yaffs handling in older devices on post-fs - chmod and chown of proc and cache on post-fs-data - permissions for sensors, radios, GPS, NFC, etc. on boot - first actions (permissions for /sys and /dev files, setprops) on post-boot - not normally used, but items that happen on nonencrypted - data is mountable and things relying on /data can now begin startup once it is mounted. on charger - starts the service for the charging binary  *encryption timings – next slide* on property: - normal system properties as triggers. They can be used to start scripts, continue running scripts, binaries, or change port functions (init.usb.rc files and adbd related services are good examples of this) Oceus Networks Inc. 12
Service classes of Init  class core – Always started first and cannot be shut down without serious consequences in most cases  class main – Responsible for services like telephony, radios, critical sensors. Many can be restarted or paused at certain times, but only if absolutely required  class late-start – Happens right before the full system boots and starts becoming available to the user. Stuff that relies on /data will usually have to start here to avoid issues on encryption Oceus Networks Inc. 13
Service Properties of Init oneshot - runs once and turns off. This is especially used for shell scripts. disabled - only can be directly called. It will not be started when the class it belongs to is started. user - uid such as root, shell, system to be run as or that it belongs to group - gid, usually shell, system, root, log Oceus Networks Inc. 14
Decryption and my friend Vold  Encryption “on” property timings and recognition is controlled by vold and its interaction with the Init binary.   After vold has done the mountings for system, boot, etc. then, init tells it to mount /data. Vold sees that /data is encrypted and then starts the decryption sequence   Decryption in Android is somewhat unique, a fake /data partition is mounted and only class main and class core services are run during this time – more on that in later slides.   That fake /data partition allows a “mini system boot” and a special mode to pop up asking for those keys. It then uses keystore and some functions to verify your pin/password, which then releases the encryption keys to be used for decryption. Most of the time, these are at the end of the data partition, but can be inside of media abstracted disks like in the Nexus devices.  Vold gets the action and performs the decryption while the Init binary causes another small boot where some of class main gets restarted and a half-reboot occurs (see boot animation again, but shorter). Basically, restarting where “on nonencrypted” left off. Oceus Networks Inc. 15
Encryption properties and Timings USED IN DECRYPTION ro.crypto.state = "encrypted" => was unable to mount data, now usually there is a system flag to indicate this in more modern android versions. vold.decrypt = 1 => framework begins booting a tmpfs /data disk CRYPTO_ENCRYPTION_IN_PROGRESS flag from cryptfs ran by vold = 0 "cryptfs cryptocomplete" result to vold command listener "cryptfs checkpw" result to vold command listener ro.crypto.fs_crypto_blkdev = 0 => success in decryption vold.decrypt=trigger_reset_main => restarts all services in main vold.post_fs_data_done = 0 => start post_fs-data vold.decrypt=trigger_load_persist_props => loads props vold.decrypt=trigger_post_fs_data => sets on post-fs-data vold.post_fs_data_done = 1 => all is well on mounting the proper /data image vold.decrypt=trigger_restart_framework => starts class main and late_start USED IN ENCRYPTION vold.decrypt=trigger_shutdown_framework => reset class late_start and main unmounts /data vold.decrypt=trigger_restart_min_framework => starts class main services vold.encrypt_progress = 0 => starting to encrypt and CRYPT_ENCRYPTION_IN_PROGRESS 0x2 vold.encrypt_progress = 1 => encryption is done and system will be rebooted Oceus Networks Inc. 16
17 Oceus Networks Inc.
Run a Script on Boot on property:dev.bootcomplete=1 start bootstart service bootstart /system/bin/sh /system/bin/bootscript.sh class late_start user root group root disabled oneshot Oceus Networks Inc. 18
Write your own init.rc Top of init.cm.rc import init.su.rc Full init.superuser.rc # su daemon service su_daemon /system/xbin/su --daemon oneshot on property:persist.sys.root_access=0 stop su_daemon on property:persist.sys.root_access=2 stop su_daemon on property:persist.sys.root_access=1 start su_daemon on property:persist.sys.root_access=3 start su_daemon Oceus Networks Inc. 19
Tools Android Kitchen (linux) Lots of tools, but has auto-split and reassemble with correct memory spots. https://github.com/dsixda/Android-Kitchen Perl and Python scripts (linux) Check goo.im/devs/childofthehorn/tools AOSP (tree) in /device/vendor/rootdir Be sure to modify your “.mk” make files to include any new “.rc” files Oceus Networks Inc. 20
Special Thanks!!! Dees Troy – Ethan CyanogenMod source.android.com Oceus Networks Inc. Internal

Recomendados

Android booting sequece and setup and debugging
Android booting sequece and setup and debuggingAndroid booting sequece and setup and debugging
Android booting sequece and setup and debugging
Utkarsh Mankad
 
Low Level View of Android System Architecture
Low Level View of Android System ArchitectureLow Level View of Android System Architecture
Low Level View of Android System Architecture
National Cheng Kung University
 
Android crash debugging
Android crash debuggingAndroid crash debugging
Android crash debugging
Ashish Agrawal
 
Android Treble: Blessing or Trouble?
Android Treble: Blessing or Trouble?Android Treble: Blessing or Trouble?
Android Treble: Blessing or Trouble?
Opersys inc.
 
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Opersys inc.
 
Learning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device DriverLearning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device Driver
Nanik Tolaram
 
Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updates
Gary Bisson
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
Chris Simmonds
 

Recomendados

Android booting sequece and setup and debugging
Android booting sequece and setup and debuggingAndroid booting sequece and setup and debugging
Android booting sequece and setup and debugging
Utkarsh Mankad
 
Low Level View of Android System Architecture
Low Level View of Android System ArchitectureLow Level View of Android System Architecture
Low Level View of Android System Architecture
National Cheng Kung University
 
Android crash debugging
Android crash debuggingAndroid crash debugging
Android crash debugging
Ashish Agrawal
 
Android Treble: Blessing or Trouble?
Android Treble: Blessing or Trouble?Android Treble: Blessing or Trouble?
Android Treble: Blessing or Trouble?
Opersys inc.
 
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Opersys inc.
 
Learning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device DriverLearning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device Driver
Nanik Tolaram
 
Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updates
Gary Bisson
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
Chris Simmonds
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
Kan-Ru Chen
 
Android Storage - Vold
Android Storage - VoldAndroid Storage - Vold
Android Storage - Vold
William Lee
 
Android Internals
Android InternalsAndroid Internals
Android Internals
Opersys inc.
 
Android's HIDL: Treble in the HAL
Android's HIDL: Treble in the HALAndroid's HIDL: Treble in the HAL
Android's HIDL: Treble in the HAL
Opersys inc.
 
Design and Concepts of Android Graphics
Design and Concepts of Android GraphicsDesign and Concepts of Android Graphics
Design and Concepts of Android Graphics
National Cheng Kung University
 
Learning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessLearning AOSP - Android Booting Process
Learning AOSP - Android Booting Process
Nanik Tolaram
 
Android's Multimedia Framework
Android's Multimedia FrameworkAndroid's Multimedia Framework
Android's Multimedia Framework
Opersys inc.
 
Android Booting Scenarios
Android Booting ScenariosAndroid Booting Scenarios
Android Booting Scenarios
Amr Ali (ISTQB CTAL Full, CSM, ITIL Foundation)
 
Android Binder: Deep Dive
Android Binder: Deep DiveAndroid Binder: Deep Dive
Android Binder: Deep Dive
Zafar Shahid, PhD
 
Android for Embedded Linux Developers
Android for Embedded Linux DevelopersAndroid for Embedded Linux Developers
Android for Embedded Linux Developers
Opersys inc.
 
Embedded Android : System Development - Part III
Embedded Android : System Development - Part IIIEmbedded Android : System Development - Part III
Embedded Android : System Development - Part III
Emertxe Information Technologies Pvt Ltd
 
Q4.11: Porting Android to new Platforms
Q4.11: Porting Android to new PlatformsQ4.11: Porting Android to new Platforms
Q4.11: Porting Android to new Platforms
Linaro
 
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsShorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation Systems
National Cheng Kung University
 
Linux Kernel Module - For NLKB
Linux Kernel Module - For NLKBLinux Kernel Module - For NLKB
Linux Kernel Module - For NLKB
shimosawa
 
Android Binder IPC for Linux
Android Binder IPC for LinuxAndroid Binder IPC for Linux
Android Binder IPC for Linux
Yu-Hsin Hung
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting Sequence
Jayanta Ghoshal
 
Embedded Android : System Development - Part IV (Android System Services)
Embedded Android : System Development - Part IV (Android System Services)Embedded Android : System Development - Part IV (Android System Services)
Embedded Android : System Development - Part IV (Android System Services)
Emertxe Information Technologies Pvt Ltd
 
Android Internals
Android InternalsAndroid Internals
Android Internals
Opersys inc.
 
Introduction to Android Window System
Introduction to Android Window SystemIntroduction to Android Window System
Introduction to Android Window System
National Cheng Kung University
 
Implementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPImplementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSP
Cheng Wig
 
Big Trouble in Little Networks
Big Trouble in Little Networks Big Trouble in Little Networks
Big Trouble in Little Networks
Stacy Devino
 
Init of Android
Init of AndroidInit of Android
Init of Android
Tetsuyuki Kobayashi
 

Mais conteúdo relacionado

Mais procurados

Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
Kan-Ru Chen
 

Mais procurados (20)

Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
 
Android Storage - Vold
Android Storage - VoldAndroid Storage - Vold
Android Storage - Vold
 
Android Internals
Android InternalsAndroid Internals
Android Internals
 
Android's HIDL: Treble in the HAL
Android's HIDL: Treble in the HALAndroid's HIDL: Treble in the HAL
Android's HIDL: Treble in the HAL
 
Design and Concepts of Android Graphics
Design and Concepts of Android GraphicsDesign and Concepts of Android Graphics
Design and Concepts of Android Graphics
 
Learning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessLearning AOSP - Android Booting Process
Learning AOSP - Android Booting Process
 
Android's Multimedia Framework
Android's Multimedia FrameworkAndroid's Multimedia Framework
Android's Multimedia Framework
 
Android Booting Scenarios
Android Booting ScenariosAndroid Booting Scenarios
Android Booting Scenarios
 
Android Binder: Deep Dive
Android Binder: Deep DiveAndroid Binder: Deep Dive
Android Binder: Deep Dive
 
Android for Embedded Linux Developers
Android for Embedded Linux DevelopersAndroid for Embedded Linux Developers
Android for Embedded Linux Developers
 
Embedded Android : System Development - Part III
Embedded Android : System Development - Part IIIEmbedded Android : System Development - Part III
Embedded Android : System Development - Part III
 
Q4.11: Porting Android to new Platforms
Q4.11: Porting Android to new PlatformsQ4.11: Porting Android to new Platforms
Q4.11: Porting Android to new Platforms
 
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsShorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation Systems
 
Linux Kernel Module - For NLKB
Linux Kernel Module - For NLKBLinux Kernel Module - For NLKB
Linux Kernel Module - For NLKB
 
Android Binder IPC for Linux
Android Binder IPC for LinuxAndroid Binder IPC for Linux
Android Binder IPC for Linux
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting Sequence
 
Embedded Android : System Development - Part IV (Android System Services)
Embedded Android : System Development - Part IV (Android System Services)Embedded Android : System Development - Part IV (Android System Services)
Embedded Android : System Development - Part IV (Android System Services)
 
Android Internals
Android InternalsAndroid Internals
Android Internals
 
Introduction to Android Window System
Introduction to Android Window SystemIntroduction to Android Window System
Introduction to Android Window System
 
Implementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSPImplementing generic JNI hardware control for Kotlin based app on AOSP
Implementing generic JNI hardware control for Kotlin based app on AOSP
 

Destaque

Big Trouble in Little Networks
Big Trouble in Little Networks Big Trouble in Little Networks
Big Trouble in Little Networks
Stacy Devino
 
안드로이드 스터디 Jni 발표 자료 Rev05 송형주
안드로이드 스터디 Jni 발표 자료 Rev05 송형주안드로이드 스터디 Jni 발표 자료 Rev05 송형주
안드로이드 스터디 Jni 발표 자료 Rev05 송형주
iamhjoo (송형주)
 

Destaque (6)

Big Trouble in Little Networks
Big Trouble in Little Networks Big Trouble in Little Networks
Big Trouble in Little Networks
 
Init of Android
Init of AndroidInit of Android
Init of Android
 
An Introduction to Android Internals
An Introduction to Android InternalsAn Introduction to Android Internals
An Introduction to Android Internals
 
Fast-paced Introduction to Android Internals
Fast-paced Introduction to Android InternalsFast-paced Introduction to Android Internals
Fast-paced Introduction to Android Internals
 
Embedded Android Workshop with Nougat
Embedded Android Workshop with NougatEmbedded Android Workshop with Nougat
Embedded Android Workshop with Nougat
 
안드로이드 스터디 Jni 발표 자료 Rev05 송형주
안드로이드 스터디 Jni 발표 자료 Rev05 송형주안드로이드 스터디 Jni 발표 자료 Rev05 송형주
안드로이드 스터디 Jni 발표 자료 Rev05 송형주
 

Semelhante a Timings of Init : Android Ramdisks for the Practical Hacker

Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
RootedCON
 
the NML project
the NML projectthe NML project
the NML project
Lei Yang
 
Joanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista KernelJoanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernel
guestf1a032
 
Your first dive into systemd!
Your first dive into systemd!Your first dive into systemd!
Your first dive into systemd!
Etsuji Nakai
 
System Imager.20051215
System Imager.20051215System Imager.20051215
System Imager.20051215
guest95b42b
 
Legacy Lowdown - Options When Migrating Solaris Applications
Legacy Lowdown - Options When Migrating Solaris ApplicationsLegacy Lowdown - Options When Migrating Solaris Applications
Legacy Lowdown - Options When Migrating Solaris Applications
AppZero
 
[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing
OWASP
 

Semelhante a Timings of Init : Android Ramdisks for the Practical Hacker (20)

Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 
the NML project
the NML projectthe NML project
the NML project
 
Joanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista KernelJoanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernel
 
Your first dive into systemd!
Your first dive into systemd!Your first dive into systemd!
Your first dive into systemd!
 
Ch04 system administration
Ch04 system administration Ch04 system administration
Ch04 system administration
 
Ch04
Ch04Ch04
Ch04
 
Linux startup
Linux startupLinux startup
Linux startup
 
snortinstallguide
snortinstallguidesnortinstallguide
snortinstallguide
 
Linux kernel booting
Linux kernel bootingLinux kernel booting
Linux kernel booting
 
Slim Server Theory
Slim Server TheorySlim Server Theory
Slim Server Theory
 
System Imager.20051215
System Imager.20051215System Imager.20051215
System Imager.20051215
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
Backtrack Manual Part4
Backtrack Manual Part4Backtrack Manual Part4
Backtrack Manual Part4
 
Linux Kernel Development
Linux Kernel DevelopmentLinux Kernel Development
Linux Kernel Development
 
Hardening solaris
Hardening solarisHardening solaris
Hardening solaris
 
Legacy Lowdown - Options When Migrating Solaris Applications
Legacy Lowdown - Options When Migrating Solaris ApplicationsLegacy Lowdown - Options When Migrating Solaris Applications
Legacy Lowdown - Options When Migrating Solaris Applications
 
Project Pt1
Project Pt1Project Pt1
Project Pt1
 
Rooting an Android phone
Rooting an Android phoneRooting an Android phone
Rooting an Android phone
 
[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 

Mais de Stacy Devino

Mais de Stacy Devino (7)

IoT with Firebase : IoT DevFest Phoenix 2018
IoT with Firebase : IoT DevFest Phoenix 2018IoT with Firebase : IoT DevFest Phoenix 2018
IoT with Firebase : IoT DevFest Phoenix 2018
 
Beautiful text spread your wings with Spannables
Beautiful text spread your wings with SpannablesBeautiful text spread your wings with Spannables
Beautiful text spread your wings with Spannables
 
Async task, threads, pools, and executors oh my!
Async task, threads, pools, and executors oh my!Async task, threads, pools, and executors oh my!
Async task, threads, pools, and executors oh my!
 
Intro to Android : Making your first App!
Intro to Android : Making your first App!Intro to Android : Making your first App!
Intro to Android : Making your first App!
 
RetroFit by Square - GDG Dallas 06/09/16
RetroFit by Square - GDG Dallas 06/09/16RetroFit by Square - GDG Dallas 06/09/16
RetroFit by Square - GDG Dallas 06/09/16
 
Big Trouble in Little Networks, new and improved
Big Trouble in Little Networks, new and improvedBig Trouble in Little Networks, new and improved
Big Trouble in Little Networks, new and improved
 
WWC 3D printing basics with stacy devino
WWC 3D printing basics with stacy devinoWWC 3D printing basics with stacy devino
WWC 3D printing basics with stacy devino
 

Último

Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdf
Kamal Acharya
 
Hospital management system project report.pdf
Hospital management system project report.pdfHospital management system project report.pdf
Hospital management system project report.pdf
Kamal Acharya
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
Kamal Acharya
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Arindam Chakraborty, Ph.D., P.E. (CA, TX)
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Call Girls Mumbai
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakes
MayuraD1
 

Último (20)

Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the start
 
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptxHOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
 
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Wadi Rum luxhotel lodge Analysis case study.pptx
Wadi Rum luxhotel lodge Analysis case study.pptxWadi Rum luxhotel lodge Analysis case study.pptx
Wadi Rum luxhotel lodge Analysis case study.pptx
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
Block diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptBlock diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.ppt
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech students
 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdf
 
Hospital management system project report.pdf
Hospital management system project report.pdfHospital management system project report.pdf
Hospital management system project report.pdf
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARHAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
 
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptxA CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakes
 
GEAR TRAIN- BASIC CONCEPTS AND WORKING PRINCIPLE
GEAR TRAIN- BASIC CONCEPTS AND WORKING PRINCIPLEGEAR TRAIN- BASIC CONCEPTS AND WORKING PRINCIPLE
GEAR TRAIN- BASIC CONCEPTS AND WORKING PRINCIPLE
 
PE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiesPE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and properties
 

Timings of Init : Android Ramdisks for the Practical Hacker

  • 1. Timings of Init Android Ramdisks for the practical hacker Big Android BBQ - October 2014 Oceus Networks Inc. Internal
  • 2. Who Am I? Stacy Wylie (Devino) Username: childofthehorn (Rootzwiki / XDA-developers / IRC / Github) 27 years old, soon to be 28 Yay! Principal Software Engineer at Oceus Networks Partner of OpenBrite LLC, an OSHW / OSS company, creators of the LEDgoes / BriteBlox product line Oceus Networks Inc. 2
  • 3. What is it and where? Boot Image or Recovery Image (boot.img / recovery.img) contains two pieces:  Kernel (zImage) Ramdisk / Bootdisk / Rootdisk Without it, the kernel doesn't know what to do or how to start the OS. Oceus Networks Inc. 3
  • 4. Ramdisk / Init in the Boot Sequence Oceus Networks Inc. 4 CHIP BOOT BOOTLOADER / UBOOT KERNEL RAMDISK / BOOTDISK Chip Supplier and Vendor controlled code (usually) $$$
  • 5. Android vs. Linux Ramdisks  Most Linux Distros use initrd (vs. custom initd in Android)  Linux kills off its ramdisk after main OS boot;  Android keeps the ramdisk active in memory (will appear in / at runtime)  Android core services continue running, controlled by the init.rc scripts  Android Ramdisk + Kernel makes its own mini OS (see Team Win Recovery Project or Clockwork Mod) Oceus Networks Inc. 5
  • 6. FROM HELL ! Oceus Networks Inc. *devil wears no pants
  • 7. What was the Problem? The current state of init.rc scripts did not account for larger encryption keys or decryption that would take longer. This was a problem because the current state of initialization had the system and radios initializing separately with no checks. THIS IS NORMAL! Fixing required lots of time and careful monitoring of kernel messages and such from the serial terminal Oceus Networks Inc. 7
  • 8. Nexus 5 Ramdisk Example (CM) Body text here Oceus Networks Inc. 8
  • 9. Key Init binary starts  Init binary controls startup plus some other embedded functions like helping “vold” and in Android 4.3+, turning SEpolicy to “enforcing”. Vendors like Samsung and LG may incorporate custom initializations and checks prior to booting certain code.   Init starts the basic init.rc file which includes the imports for the next stage “.rc” files. Upon import (which may be chained through multiple “.rc” files), it immediately has the same startup and capabilities as the base init.rc.  How is this relevant? If having issues with init.rc or trouble finding something which is starting up, it might be in the Init binary and not in the runtime scripts. Oceus Networks Inc. 9
  • 10. Directories  SBIN – Dedicated SBIN for binaries that may need to exist early in boot sequence or outside of the OS reach (usually executables)   BIN – Maps and links to “/system/bin”. Good place to put .ko files for insmod and .sh files that shouldn't go in “/” of the ramdisk.   “/” - Maps to “/” and contains init.rc files plus .sh files critical to bring-up (usually proprietary bits and radios). Most modern versions put this now in “/system/etc” in the normal system.img of the OS. In Android 4.3+, Sepolicy files used at startup are here (usually OK for most security as /system, boot-up, /proc, /dev, etc. files are what you care about at this point). Oceus Networks Inc. 10
  • 11. Key Init binary starts  Init binary controls startup plus some other embedded functions like helping “vold” and in Android 4.3+, turning SEpolicy to “enforcing”. Vendors like Samsung and LG may incorporate custom initializations and checks prior to booting certain code.   Init starts the basic init.rc file which includes the imports for the next stage “.rc” files. Upon import (which may be chained through multiple “.rc” files), it immediately has the same startup and capabilities as the base init.rc.  How is this relevant? If having issues with init.rc or trouble finding something which is starting up, it might be in the Init binary and not in the runtime scripts. Oceus Networks Inc. 11
  • 12. Basic Timing functions in init.rc import – pulls in the other init.xxx.rc files that will be run/running to control startup on early-init - start ueventd and any forks on init - startup actions like /sys properties, partition mounts, and symlinks on fs - partition mounts, chmod operations, yaffs handling in older devices on post-fs - chmod and chown of proc and cache on post-fs-data - permissions for sensors, radios, GPS, NFC, etc. on boot - first actions (permissions for /sys and /dev files, setprops) on post-boot - not normally used, but items that happen on nonencrypted - data is mountable and things relying on /data can now begin startup once it is mounted. on charger - starts the service for the charging binary  *encryption timings – next slide* on property: - normal system properties as triggers. They can be used to start scripts, continue running scripts, binaries, or change port functions (init.usb.rc files and adbd related services are good examples of this) Oceus Networks Inc. 12
  • 13. Service classes of Init  class core – Always started first and cannot be shut down without serious consequences in most cases  class main – Responsible for services like telephony, radios, critical sensors. Many can be restarted or paused at certain times, but only if absolutely required  class late-start – Happens right before the full system boots and starts becoming available to the user. Stuff that relies on /data will usually have to start here to avoid issues on encryption Oceus Networks Inc. 13
  • 14. Service Properties of Init oneshot - runs once and turns off. This is especially used for shell scripts. disabled - only can be directly called. It will not be started when the class it belongs to is started. user - uid such as root, shell, system to be run as or that it belongs to group - gid, usually shell, system, root, log Oceus Networks Inc. 14
  • 15. Decryption and my friend Vold  Encryption “on” property timings and recognition is controlled by vold and its interaction with the Init binary.   After vold has done the mountings for system, boot, etc. then, init tells it to mount /data. Vold sees that /data is encrypted and then starts the decryption sequence   Decryption in Android is somewhat unique, a fake /data partition is mounted and only class main and class core services are run during this time – more on that in later slides.   That fake /data partition allows a “mini system boot” and a special mode to pop up asking for those keys. It then uses keystore and some functions to verify your pin/password, which then releases the encryption keys to be used for decryption. Most of the time, these are at the end of the data partition, but can be inside of media abstracted disks like in the Nexus devices.  Vold gets the action and performs the decryption while the Init binary causes another small boot where some of class main gets restarted and a half-reboot occurs (see boot animation again, but shorter). Basically, restarting where “on nonencrypted” left off. Oceus Networks Inc. 15
  • 16. Encryption properties and Timings USED IN DECRYPTION ro.crypto.state = "encrypted" => was unable to mount data, now usually there is a system flag to indicate this in more modern android versions. vold.decrypt = 1 => framework begins booting a tmpfs /data disk CRYPTO_ENCRYPTION_IN_PROGRESS flag from cryptfs ran by vold = 0 "cryptfs cryptocomplete" result to vold command listener "cryptfs checkpw" result to vold command listener ro.crypto.fs_crypto_blkdev = 0 => success in decryption vold.decrypt=trigger_reset_main => restarts all services in main vold.post_fs_data_done = 0 => start post_fs-data vold.decrypt=trigger_load_persist_props => loads props vold.decrypt=trigger_post_fs_data => sets on post-fs-data vold.post_fs_data_done = 1 => all is well on mounting the proper /data image vold.decrypt=trigger_restart_framework => starts class main and late_start USED IN ENCRYPTION vold.decrypt=trigger_shutdown_framework => reset class late_start and main unmounts /data vold.decrypt=trigger_restart_min_framework => starts class main services vold.encrypt_progress = 0 => starting to encrypt and CRYPT_ENCRYPTION_IN_PROGRESS 0x2 vold.encrypt_progress = 1 => encryption is done and system will be rebooted Oceus Networks Inc. 16
  • 18. Run a Script on Boot on property:dev.bootcomplete=1 start bootstart service bootstart /system/bin/sh /system/bin/bootscript.sh class late_start user root group root disabled oneshot Oceus Networks Inc. 18
  • 19. Write your own init.rc Top of init.cm.rc import init.su.rc Full init.superuser.rc # su daemon service su_daemon /system/xbin/su --daemon oneshot on property:persist.sys.root_access=0 stop su_daemon on property:persist.sys.root_access=2 stop su_daemon on property:persist.sys.root_access=1 start su_daemon on property:persist.sys.root_access=3 start su_daemon Oceus Networks Inc. 19
  • 20. Tools Android Kitchen (linux) Lots of tools, but has auto-split and reassemble with correct memory spots. https://github.com/dsixda/Android-Kitchen Perl and Python scripts (linux) Check goo.im/devs/childofthehorn/tools AOSP (tree) in /device/vendor/rootdir Be sure to modify your “.mk” make files to include any new “.rc” files Oceus Networks Inc. 20
  • 21. Special Thanks!!! Dees Troy – Ethan CyanogenMod source.android.com Oceus Networks Inc. Internal