1 /*
2  * Copyright (C) 2007 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <ctype.h>
18 #include <dirent.h>
19 #include <errno.h>
20 #include <fcntl.h>
21 #include <getopt.h>
22 #include <inttypes.h>
23 #include <limits.h>
24 #include <linux/fs.h>
25 #include <linux/input.h>
26 #include <stdarg.h>
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <sys/klog.h>
31 #include <sys/stat.h>
32 #include <sys/types.h>
33 #include <sys/wait.h>
34 #include <time.h>
35 #include <unistd.h>
36 
37 #include <algorithm>
38 #include <chrono>
39 #include <memory>
40 #include <string>
41 #include <vector>
42 
43 #include <adb.h>
44 #include <android-base/file.h>
45 #include <android-base/logging.h>
46 #include <android-base/parseint.h>
47 #include <android-base/properties.h>
48 #include <android-base/stringprintf.h>
49 #include <android-base/strings.h>
50 #include <android-base/unique_fd.h>
51 #include <bootloader_message/bootloader_message.h>
52 #include <cutils/android_reboot.h>
53 #include <cutils/properties.h> /* for property_list */
54 #include <healthd/BatteryMonitor.h>
55 #include <private/android_logger.h> /* private pmsg functions */
56 #include <private/android_filesystem_config.h>  /* for AID_SYSTEM */
57 #include <selinux/android.h>
58 #include <selinux/label.h>
59 #include <selinux/selinux.h>
60 #include <ziparchive/zip_archive.h>
61 
62 #include "adb_install.h"
63 #include "common.h"
64 #include "device.h"
65 #include "error_code.h"
66 #include "fuse_sdcard_provider.h"
67 #include "fuse_sideload.h"
68 #include "install.h"
69 #include "minadbd/minadbd.h"
70 #include "minui/minui.h"
71 #include "otautil/DirUtil.h"
72 #include "roots.h"
73 #include "rotate_logs.h"
74 #include "screen_ui.h"
75 #include "stub_ui.h"
76 #include "ui.h"
77 
78 static const struct option OPTIONS[] = {
79   { "update_package", required_argument, NULL, 'u' },
80   { "retry_count", required_argument, NULL, 'n' },
81   { "wipe_data", no_argument, NULL, 'w' },
82   { "wipe_cache", no_argument, NULL, 'c' },
83   { "show_text", no_argument, NULL, 't' },
84   { "sideload", no_argument, NULL, 's' },
85   { "sideload_auto_reboot", no_argument, NULL, 'a' },
86   { "just_exit", no_argument, NULL, 'x' },
87   { "locale", required_argument, NULL, 'l' },
88   { "shutdown_after", no_argument, NULL, 'p' },
89   { "reason", required_argument, NULL, 'r' },
90   { "security", no_argument, NULL, 'e'},
91   { "wipe_ab", no_argument, NULL, 0 },
92   { "wipe_package_size", required_argument, NULL, 0 },
93   { "prompt_and_wipe_data", no_argument, NULL, 0 },
94   { NULL, 0, NULL, 0 },
95 };
96 
97 // More bootreasons can be found in "system/core/bootstat/bootstat.cpp".
98 static const std::vector<std::string> bootreason_blacklist {
99   "kernel_panic",
100   "Panic",
101 };
102 
103 static const char *CACHE_LOG_DIR = "/cache/recovery";
104 static const char *COMMAND_FILE = "/cache/recovery/command";
105 static const char *LOG_FILE = "/cache/recovery/log";
106 static const char *LAST_INSTALL_FILE = "/cache/recovery/last_install";
107 static const char *LOCALE_FILE = "/cache/recovery/last_locale";
108 static const char *CONVERT_FBE_DIR = "/tmp/convert_fbe";
109 static const char *CONVERT_FBE_FILE = "/tmp/convert_fbe/convert_fbe";
110 static const char *CACHE_ROOT = "/cache";
111 static const char *DATA_ROOT = "/data";
112 static const char *SDCARD_ROOT = "/sdcard";
113 static const char *TEMPORARY_LOG_FILE = "/tmp/recovery.log";
114 static const char *TEMPORARY_INSTALL_FILE = "/tmp/last_install";
115 static const char *LAST_KMSG_FILE = "/cache/recovery/last_kmsg";
116 static const char *LAST_LOG_FILE = "/cache/recovery/last_log";
117 // We will try to apply the update package 5 times at most in case of an I/O error.
118 static const int EIO_RETRY_COUNT = 4;
119 static const int BATTERY_READ_TIMEOUT_IN_SEC = 10;
120 // GmsCore enters recovery mode to install package when having enough battery
121 // percentage. Normally, the threshold is 40% without charger and 20% with charger.
122 // So we should check battery with a slightly lower limitation.
123 static const int BATTERY_OK_PERCENTAGE = 20;
124 static const int BATTERY_WITH_CHARGER_OK_PERCENTAGE = 15;
125 static constexpr const char* RECOVERY_WIPE = "/etc/recovery.wipe";
126 static constexpr const char* DEFAULT_LOCALE = "en-US";
127 
128 static std::string locale;
129 static bool has_cache = false;
130 
131 RecoveryUI* ui = nullptr;
132 bool modified_flash = false;
133 std::string stage;
134 const char* reason = nullptr;
135 struct selabel_handle* sehandle;
136 
137 /*
138  * The recovery tool communicates with the main system through /cache files.
139  *   /cache/recovery/command - INPUT - command line for tool, one arg per line
140  *   /cache/recovery/log - OUTPUT - combined log file from recovery run(s)
141  *
142  * The arguments which may be supplied in the recovery.command file:
143  *   --update_package=path - verify install an OTA package file
144  *   --wipe_data - erase user data (and cache), then reboot
145  *   --prompt_and_wipe_data - prompt the user that data is corrupt,
146  *       with their consent erase user data (and cache), then reboot
147  *   --wipe_cache - wipe cache (but not user data), then reboot
148  *   --set_encrypted_filesystem=on|off - enables / diasables encrypted fs
149  *   --just_exit - do nothing; exit and reboot
150  *
151  * After completing, we remove /cache/recovery/command and reboot.
152  * Arguments may also be supplied in the bootloader control block (BCB).
153  * These important scenarios must be safely restartable at any point:
154  *
155  * FACTORY RESET
156  * 1. user selects "factory reset"
157  * 2. main system writes "--wipe_data" to /cache/recovery/command
158  * 3. main system reboots into recovery
159  * 4. get_args() writes BCB with "boot-recovery" and "--wipe_data"
160  *    -- after this, rebooting will restart the erase --
161  * 5. erase_volume() reformats /data
162  * 6. erase_volume() reformats /cache
163  * 7. finish_recovery() erases BCB
164  *    -- after this, rebooting will restart the main system --
165  * 8. main() calls reboot() to boot main system
166  *
167  * OTA INSTALL
168  * 1. main system downloads OTA package to /cache/some-filename.zip
169  * 2. main system writes "--update_package=/cache/some-filename.zip"
170  * 3. main system reboots into recovery
171  * 4. get_args() writes BCB with "boot-recovery" and "--update_package=..."
172  *    -- after this, rebooting will attempt to reinstall the update --
173  * 5. install_package() attempts to install the update
174  *    NOTE: the package install must itself be restartable from any point
175  * 6. finish_recovery() erases BCB
176  *    -- after this, rebooting will (try to) restart the main system --
177  * 7. ** if install failed **
178  *    7a. prompt_and_wait() shows an error icon and waits for the user
179  *    7b. the user reboots (pulling the battery, etc) into the main system
180  */
181 
182 // open a given path, mounting partitions as necessary
fopen_path(const char * path,const char * mode)183 FILE* fopen_path(const char *path, const char *mode) {
184     if (ensure_path_mounted(path) != 0) {
185         LOG(ERROR) << "Can't mount " << path;
186         return NULL;
187     }
188 
189     // When writing, try to create the containing directory, if necessary.
190     // Use generous permissions, the system (init.rc) will reset them.
191     if (strchr("wa", mode[0])) dirCreateHierarchy(path, 0777, NULL, 1, sehandle);
192 
193     FILE *fp = fopen(path, mode);
194     return fp;
195 }
196 
197 // close a file, log an error if the error indicator is set
check_and_fclose(FILE * fp,const char * name)198 static void check_and_fclose(FILE *fp, const char *name) {
199     fflush(fp);
200     if (fsync(fileno(fp)) == -1) {
201         PLOG(ERROR) << "Failed to fsync " << name;
202     }
203     if (ferror(fp)) {
204         PLOG(ERROR) << "Error in " << name;
205     }
206     fclose(fp);
207 }
208 
is_ro_debuggable()209 bool is_ro_debuggable() {
210     return android::base::GetBoolProperty("ro.debuggable", false);
211 }
212 
reboot(const std::string & command)213 bool reboot(const std::string& command) {
214     std::string cmd = command;
215     if (android::base::GetBoolProperty("ro.boot.quiescent", false)) {
216         cmd += ",quiescent";
217     }
218     return android::base::SetProperty(ANDROID_RB_PROPERTY, cmd);
219 }
220 
redirect_stdio(const char * filename)221 static void redirect_stdio(const char* filename) {
222     int pipefd[2];
223     if (pipe(pipefd) == -1) {
224         PLOG(ERROR) << "pipe failed";
225 
226         // Fall back to traditional logging mode without timestamps.
227         // If these fail, there's not really anywhere to complain...
228         freopen(filename, "a", stdout); setbuf(stdout, NULL);
229         freopen(filename, "a", stderr); setbuf(stderr, NULL);
230 
231         return;
232     }
233 
234     pid_t pid = fork();
235     if (pid == -1) {
236         PLOG(ERROR) << "fork failed";
237 
238         // Fall back to traditional logging mode without timestamps.
239         // If these fail, there's not really anywhere to complain...
240         freopen(filename, "a", stdout); setbuf(stdout, NULL);
241         freopen(filename, "a", stderr); setbuf(stderr, NULL);
242 
243         return;
244     }
245 
246     if (pid == 0) {
247         /// Close the unused write end.
248         close(pipefd[1]);
249 
250         auto start = std::chrono::steady_clock::now();
251 
252         // Child logger to actually write to the log file.
253         FILE* log_fp = fopen(filename, "a");
254         if (log_fp == nullptr) {
255             PLOG(ERROR) << "fopen \"" << filename << "\" failed";
256             close(pipefd[0]);
257             _exit(EXIT_FAILURE);
258         }
259 
260         FILE* pipe_fp = fdopen(pipefd[0], "r");
261         if (pipe_fp == nullptr) {
262             PLOG(ERROR) << "fdopen failed";
263             check_and_fclose(log_fp, filename);
264             close(pipefd[0]);
265             _exit(EXIT_FAILURE);
266         }
267 
268         char* line = nullptr;
269         size_t len = 0;
270         while (getline(&line, &len, pipe_fp) != -1) {
271             auto now = std::chrono::steady_clock::now();
272             double duration = std::chrono::duration_cast<std::chrono::duration<double>>(
273                     now - start).count();
274             if (line[0] == '\n') {
275                 fprintf(log_fp, "[%12.6lf]\n", duration);
276             } else {
277                 fprintf(log_fp, "[%12.6lf] %s", duration, line);
278             }
279             fflush(log_fp);
280         }
281 
282         PLOG(ERROR) << "getline failed";
283 
284         free(line);
285         check_and_fclose(log_fp, filename);
286         close(pipefd[0]);
287         _exit(EXIT_FAILURE);
288     } else {
289         // Redirect stdout/stderr to the logger process.
290         // Close the unused read end.
291         close(pipefd[0]);
292 
293         setbuf(stdout, nullptr);
294         setbuf(stderr, nullptr);
295 
296         if (dup2(pipefd[1], STDOUT_FILENO) == -1) {
297             PLOG(ERROR) << "dup2 stdout failed";
298         }
299         if (dup2(pipefd[1], STDERR_FILENO) == -1) {
300             PLOG(ERROR) << "dup2 stderr failed";
301         }
302 
303         close(pipefd[1]);
304     }
305 }
306 
307 // command line args come from, in decreasing precedence:
308 //   - the actual command line
309 //   - the bootloader control block (one per line, after "recovery")
310 //   - the contents of COMMAND_FILE (one per line)
get_args(const int argc,char ** const argv)311 static std::vector<std::string> get_args(const int argc, char** const argv) {
312   CHECK_GT(argc, 0);
313 
314   bootloader_message boot = {};
315   std::string err;
316   if (!read_bootloader_message(&boot, &err)) {
317     LOG(ERROR) << err;
318     // If fails, leave a zeroed bootloader_message.
319     boot = {};
320   }
321   stage = std::string(boot.stage);
322 
323   if (boot.command[0] != 0) {
324     std::string boot_command = std::string(boot.command, sizeof(boot.command));
325     LOG(INFO) << "Boot command: " << boot_command;
326   }
327 
328   if (boot.status[0] != 0) {
329     std::string boot_status = std::string(boot.status, sizeof(boot.status));
330     LOG(INFO) << "Boot status: " << boot_status;
331   }
332 
333   std::vector<std::string> args(argv, argv + argc);
334 
335   // --- if arguments weren't supplied, look in the bootloader control block
336   if (args.size() == 1) {
337     boot.recovery[sizeof(boot.recovery) - 1] = '\0';  // Ensure termination
338     std::string boot_recovery(boot.recovery);
339     std::vector<std::string> tokens = android::base::Split(boot_recovery, "\n");
340     if (!tokens.empty() && tokens[0] == "recovery") {
341       for (auto it = tokens.begin() + 1; it != tokens.end(); it++) {
342         // Skip empty and '\0'-filled tokens.
343         if (!it->empty() && (*it)[0] != '\0') args.push_back(std::move(*it));
344       }
345       LOG(INFO) << "Got " << args.size() << " arguments from boot message";
346     } else if (boot.recovery[0] != 0) {
347       LOG(ERROR) << "Bad boot message: \"" << boot_recovery << "\"";
348     }
349   }
350 
351   // --- if that doesn't work, try the command file (if we have /cache).
352   if (args.size() == 1 && has_cache) {
353     std::string content;
354     if (ensure_path_mounted(COMMAND_FILE) == 0 &&
355         android::base::ReadFileToString(COMMAND_FILE, &content)) {
356       std::vector<std::string> tokens = android::base::Split(content, "\n");
357       // All the arguments in COMMAND_FILE are needed (unlike the BCB message,
358       // COMMAND_FILE doesn't use filename as the first argument).
359       for (auto it = tokens.begin(); it != tokens.end(); it++) {
360         // Skip empty and '\0'-filled tokens.
361         if (!it->empty() && (*it)[0] != '\0') args.push_back(std::move(*it));
362       }
363       LOG(INFO) << "Got " << args.size() << " arguments from " << COMMAND_FILE;
364     }
365   }
366 
367   // Write the arguments (excluding the filename in args[0]) back into the
368   // bootloader control block. So the device will always boot into recovery to
369   // finish the pending work, until finish_recovery() is called.
370   std::vector<std::string> options(args.cbegin() + 1, args.cend());
371   if (!update_bootloader_message(options, &err)) {
372     LOG(ERROR) << "Failed to set BCB message: " << err;
373   }
374 
375   return args;
376 }
377 
378 // Set the BCB to reboot back into recovery (it won't resume the install from
379 // sdcard though).
set_sdcard_update_bootloader_message()380 static void set_sdcard_update_bootloader_message() {
381   std::vector<std::string> options;
382   std::string err;
383   if (!update_bootloader_message(options, &err)) {
384     LOG(ERROR) << "Failed to set BCB message: " << err;
385   }
386 }
387 
388 // Read from kernel log into buffer and write out to file.
save_kernel_log(const char * destination)389 static void save_kernel_log(const char* destination) {
390     int klog_buf_len = klogctl(KLOG_SIZE_BUFFER, 0, 0);
391     if (klog_buf_len <= 0) {
392         PLOG(ERROR) << "Error getting klog size";
393         return;
394     }
395 
396     std::string buffer(klog_buf_len, 0);
397     int n = klogctl(KLOG_READ_ALL, &buffer[0], klog_buf_len);
398     if (n == -1) {
399         PLOG(ERROR) << "Error in reading klog";
400         return;
401     }
402     buffer.resize(n);
403     android::base::WriteStringToFile(buffer, destination);
404 }
405 
406 // write content to the current pmsg session.
__pmsg_write(const char * filename,const char * buf,size_t len)407 static ssize_t __pmsg_write(const char *filename, const char *buf, size_t len) {
408     return __android_log_pmsg_file_write(LOG_ID_SYSTEM, ANDROID_LOG_INFO,
409                                          filename, buf, len);
410 }
411 
copy_log_file_to_pmsg(const char * source,const char * destination)412 static void copy_log_file_to_pmsg(const char* source, const char* destination) {
413     std::string content;
414     android::base::ReadFileToString(source, &content);
415     __pmsg_write(destination, content.c_str(), content.length());
416 }
417 
418 // How much of the temp log we have copied to the copy in cache.
419 static off_t tmplog_offset = 0;
420 
copy_log_file(const char * source,const char * destination,bool append)421 static void copy_log_file(const char* source, const char* destination, bool append) {
422     FILE* dest_fp = fopen_path(destination, append ? "a" : "w");
423     if (dest_fp == nullptr) {
424         PLOG(ERROR) << "Can't open " << destination;
425     } else {
426         FILE* source_fp = fopen(source, "r");
427         if (source_fp != nullptr) {
428             if (append) {
429                 fseeko(source_fp, tmplog_offset, SEEK_SET);  // Since last write
430             }
431             char buf[4096];
432             size_t bytes;
433             while ((bytes = fread(buf, 1, sizeof(buf), source_fp)) != 0) {
434                 fwrite(buf, 1, bytes, dest_fp);
435             }
436             if (append) {
437                 tmplog_offset = ftello(source_fp);
438             }
439             check_and_fclose(source_fp, source);
440         }
441         check_and_fclose(dest_fp, destination);
442     }
443 }
444 
copy_logs()445 static void copy_logs() {
446     // We only rotate and record the log of the current session if there are
447     // actual attempts to modify the flash, such as wipes, installs from BCB
448     // or menu selections. This is to avoid unnecessary rotation (and
449     // possible deletion) of log files, if it does not do anything loggable.
450     if (!modified_flash) {
451         return;
452     }
453 
454     // Always write to pmsg, this allows the OTA logs to be caught in logcat -L
455     copy_log_file_to_pmsg(TEMPORARY_LOG_FILE, LAST_LOG_FILE);
456     copy_log_file_to_pmsg(TEMPORARY_INSTALL_FILE, LAST_INSTALL_FILE);
457 
458     // We can do nothing for now if there's no /cache partition.
459     if (!has_cache) {
460         return;
461     }
462 
463     ensure_path_mounted(LAST_LOG_FILE);
464     ensure_path_mounted(LAST_KMSG_FILE);
465     rotate_logs(LAST_LOG_FILE, LAST_KMSG_FILE);
466 
467     // Copy logs to cache so the system can find out what happened.
468     copy_log_file(TEMPORARY_LOG_FILE, LOG_FILE, true);
469     copy_log_file(TEMPORARY_LOG_FILE, LAST_LOG_FILE, false);
470     copy_log_file(TEMPORARY_INSTALL_FILE, LAST_INSTALL_FILE, false);
471     save_kernel_log(LAST_KMSG_FILE);
472     chmod(LOG_FILE, 0600);
473     chown(LOG_FILE, AID_SYSTEM, AID_SYSTEM);
474     chmod(LAST_KMSG_FILE, 0600);
475     chown(LAST_KMSG_FILE, AID_SYSTEM, AID_SYSTEM);
476     chmod(LAST_LOG_FILE, 0640);
477     chmod(LAST_INSTALL_FILE, 0644);
478     sync();
479 }
480 
481 // clear the recovery command and prepare to boot a (hopefully working) system,
482 // copy our log file to cache as well (for the system to read). This function is
483 // idempotent: call it as many times as you like.
finish_recovery()484 static void finish_recovery() {
485     // Save the locale to cache, so if recovery is next started up
486     // without a --locale argument (eg, directly from the bootloader)
487     // it will use the last-known locale.
488     if (!locale.empty() && has_cache) {
489         LOG(INFO) << "Saving locale \"" << locale << "\"";
490 
491         FILE* fp = fopen_path(LOCALE_FILE, "w");
492         if (!android::base::WriteStringToFd(locale, fileno(fp))) {
493             PLOG(ERROR) << "Failed to save locale to " << LOCALE_FILE;
494         }
495         check_and_fclose(fp, LOCALE_FILE);
496     }
497 
498     copy_logs();
499 
500     // Reset to normal system boot so recovery won't cycle indefinitely.
501     std::string err;
502     if (!clear_bootloader_message(&err)) {
503         LOG(ERROR) << "Failed to clear BCB message: " << err;
504     }
505 
506     // Remove the command file, so recovery won't repeat indefinitely.
507     if (has_cache) {
508         if (ensure_path_mounted(COMMAND_FILE) != 0 || (unlink(COMMAND_FILE) && errno != ENOENT)) {
509             LOG(WARNING) << "Can't unlink " << COMMAND_FILE;
510         }
511         ensure_path_unmounted(CACHE_ROOT);
512     }
513 
514     sync();  // For good measure.
515 }
516 
517 struct saved_log_file {
518   std::string name;
519   struct stat sb;
520   std::string data;
521 };
522 
erase_volume(const char * volume)523 static bool erase_volume(const char* volume) {
524   bool is_cache = (strcmp(volume, CACHE_ROOT) == 0);
525   bool is_data = (strcmp(volume, DATA_ROOT) == 0);
526 
527   ui->SetBackground(RecoveryUI::ERASING);
528   ui->SetProgressType(RecoveryUI::INDETERMINATE);
529 
530   std::vector<saved_log_file> log_files;
531 
532   if (is_cache) {
533     // If we're reformatting /cache, we load any past logs
534     // (i.e. "/cache/recovery/last_*") and the current log
535     // ("/cache/recovery/log") into memory, so we can restore them after
536     // the reformat.
537 
538     ensure_path_mounted(volume);
539 
540     struct dirent* de;
541     std::unique_ptr<DIR, decltype(&closedir)> d(opendir(CACHE_LOG_DIR), closedir);
542     if (d) {
543       while ((de = readdir(d.get())) != nullptr) {
544         if (strncmp(de->d_name, "last_", 5) == 0 || strcmp(de->d_name, "log") == 0) {
545           std::string path = android::base::StringPrintf("%s/%s", CACHE_LOG_DIR, de->d_name);
546 
547           struct stat sb;
548           if (stat(path.c_str(), &sb) == 0) {
549             // truncate files to 512kb
550             if (sb.st_size > (1 << 19)) {
551               sb.st_size = 1 << 19;
552             }
553 
554             std::string data(sb.st_size, '\0');
555             FILE* f = fopen(path.c_str(), "rb");
556             fread(&data[0], 1, data.size(), f);
557             fclose(f);
558 
559             log_files.emplace_back(saved_log_file{ path, sb, data });
560           }
561         }
562       }
563     } else {
564       if (errno != ENOENT) {
565         PLOG(ERROR) << "Failed to opendir " << CACHE_LOG_DIR;
566       }
567     }
568   }
569 
570   ui->Print("Formatting %s...\n", volume);
571 
572   ensure_path_unmounted(volume);
573 
574   int result;
575 
576   if (is_data && reason && strcmp(reason, "convert_fbe") == 0) {
577     // Create convert_fbe breadcrumb file to signal to init
578     // to convert to file based encryption, not full disk encryption
579     if (mkdir(CONVERT_FBE_DIR, 0700) != 0) {
580       ui->Print("Failed to make convert_fbe dir %s\n", strerror(errno));
581       return true;
582     }
583     FILE* f = fopen(CONVERT_FBE_FILE, "wb");
584     if (!f) {
585       ui->Print("Failed to convert to file encryption %s\n", strerror(errno));
586       return true;
587     }
588     fclose(f);
589     result = format_volume(volume, CONVERT_FBE_DIR);
590     remove(CONVERT_FBE_FILE);
591     rmdir(CONVERT_FBE_DIR);
592   } else {
593     result = format_volume(volume);
594   }
595 
596   if (is_cache) {
597     // Re-create the log dir and write back the log entries.
598     if (ensure_path_mounted(CACHE_LOG_DIR) == 0 &&
599         dirCreateHierarchy(CACHE_LOG_DIR, 0777, nullptr, false, sehandle) == 0) {
600       for (const auto& log : log_files) {
601         if (!android::base::WriteStringToFile(log.data, log.name, log.sb.st_mode, log.sb.st_uid,
602                                               log.sb.st_gid)) {
603           PLOG(ERROR) << "Failed to write to " << log.name;
604         }
605       }
606     } else {
607       PLOG(ERROR) << "Failed to mount / create " << CACHE_LOG_DIR;
608     }
609 
610     // Any part of the log we'd copied to cache is now gone.
611     // Reset the pointer so we copy from the beginning of the temp
612     // log.
613     tmplog_offset = 0;
614     copy_logs();
615   }
616 
617   return (result == 0);
618 }
619 
620 // Display a menu with the specified 'headers' and 'items'. Device specific HandleMenuKey() may
621 // return a positive number beyond the given range. Caller sets 'menu_only' to true to ensure only
622 // a menu item gets selected. 'initial_selection' controls the initial cursor location. Returns the
623 // (non-negative) chosen item number, or -1 if timed out waiting for input.
get_menu_selection(const char * const * headers,const char * const * items,bool menu_only,int initial_selection,Device * device)624 static int get_menu_selection(const char* const* headers, const char* const* items, bool menu_only,
625                               int initial_selection, Device* device) {
626   // Throw away keys pressed previously, so user doesn't accidentally trigger menu items.
627   ui->FlushKeys();
628 
629   ui->StartMenu(headers, items, initial_selection);
630 
631   int selected = initial_selection;
632   int chosen_item = -1;
633   while (chosen_item < 0) {
634     int key = ui->WaitKey();
635     if (key == -1) {  // WaitKey() timed out.
636       if (ui->WasTextEverVisible()) {
637         continue;
638       } else {
639         LOG(INFO) << "Timed out waiting for key input; rebooting.";
640         ui->EndMenu();
641         return -1;
642       }
643     }
644 
645     bool visible = ui->IsTextVisible();
646     int action = device->HandleMenuKey(key, visible);
647 
648     if (action < 0) {
649       switch (action) {
650         case Device::kHighlightUp:
651           selected = ui->SelectMenu(--selected);
652           break;
653         case Device::kHighlightDown:
654           selected = ui->SelectMenu(++selected);
655           break;
656         case Device::kInvokeItem:
657           chosen_item = selected;
658           break;
659         case Device::kNoAction:
660           break;
661       }
662     } else if (!menu_only) {
663       chosen_item = action;
664     }
665   }
666 
667   ui->EndMenu();
668   return chosen_item;
669 }
670 
671 // Returns the selected filename, or an empty string.
browse_directory(const std::string & path,Device * device)672 static std::string browse_directory(const std::string& path, Device* device) {
673   ensure_path_mounted(path.c_str());
674 
675   std::unique_ptr<DIR, decltype(&closedir)> d(opendir(path.c_str()), closedir);
676   if (!d) {
677     PLOG(ERROR) << "error opening " << path;
678     return "";
679   }
680 
681   std::vector<std::string> dirs;
682   std::vector<std::string> zips = { "../" };  // "../" is always the first entry.
683 
684   dirent* de;
685   while ((de = readdir(d.get())) != nullptr) {
686     std::string name(de->d_name);
687 
688     if (de->d_type == DT_DIR) {
689       // Skip "." and ".." entries.
690       if (name == "." || name == "..") continue;
691       dirs.push_back(name + "/");
692     } else if (de->d_type == DT_REG && android::base::EndsWithIgnoreCase(name, ".zip")) {
693       zips.push_back(name);
694     }
695   }
696 
697   std::sort(dirs.begin(), dirs.end());
698   std::sort(zips.begin(), zips.end());
699 
700   // Append dirs to the zips list.
701   zips.insert(zips.end(), dirs.begin(), dirs.end());
702 
703   const char* entries[zips.size() + 1];
704   entries[zips.size()] = nullptr;
705   for (size_t i = 0; i < zips.size(); i++) {
706     entries[i] = zips[i].c_str();
707   }
708 
709   const char* headers[] = { "Choose a package to install:", path.c_str(), nullptr };
710 
711   int chosen_item = 0;
712   while (true) {
713     chosen_item = get_menu_selection(headers, entries, true, chosen_item, device);
714 
715     const std::string& item = zips[chosen_item];
716     if (chosen_item == 0) {
717       // Go up but continue browsing (if the caller is browse_directory).
718       return "";
719     }
720 
721     std::string new_path = path + "/" + item;
722     if (new_path.back() == '/') {
723       // Recurse down into a subdirectory.
724       new_path.pop_back();
725       std::string result = browse_directory(new_path, device);
726       if (!result.empty()) return result;
727     } else {
728       // Selected a zip file: return the path to the caller.
729       return new_path;
730     }
731   }
732 
733   // Unreachable.
734 }
735 
yes_no(Device * device,const char * question1,const char * question2)736 static bool yes_no(Device* device, const char* question1, const char* question2) {
737     const char* headers[] = { question1, question2, NULL };
738     const char* items[] = { " No", " Yes", NULL };
739 
740     int chosen_item = get_menu_selection(headers, items, true, 0, device);
741     return (chosen_item == 1);
742 }
743 
ask_to_wipe_data(Device * device)744 static bool ask_to_wipe_data(Device* device) {
745     return yes_no(device, "Wipe all user data?", "  THIS CAN NOT BE UNDONE!");
746 }
747 
748 // Return true on success.
wipe_data(Device * device)749 static bool wipe_data(Device* device) {
750     modified_flash = true;
751 
752     ui->Print("\n-- Wiping data...\n");
753     bool success =
754         device->PreWipeData() &&
755         erase_volume("/data") &&
756         (has_cache ? erase_volume("/cache") : true) &&
757         device->PostWipeData();
758     ui->Print("Data wipe %s.\n", success ? "complete" : "failed");
759     return success;
760 }
761 
prompt_and_wipe_data(Device * device)762 static bool prompt_and_wipe_data(Device* device) {
763   const char* const headers[] = {
764     "Can't load Android system. Your data may be corrupt.",
765     "If you continue to get this message, you may need to",
766     "perform a factory data reset and erase all user data",
767     "stored on this device.",
768     NULL
769   };
770   const char* const items[] = {
771     "Try again",
772     "Factory data reset",
773     NULL
774   };
775   for (;;) {
776     int chosen_item = get_menu_selection(headers, items, true, 0, device);
777     if (chosen_item != 1) {
778       return true;  // Just reboot, no wipe; not a failure, user asked for it
779     }
780     if (ask_to_wipe_data(device)) {
781       return wipe_data(device);
782     }
783   }
784 }
785 
786 // Return true on success.
wipe_cache(bool should_confirm,Device * device)787 static bool wipe_cache(bool should_confirm, Device* device) {
788     if (!has_cache) {
789         ui->Print("No /cache partition found.\n");
790         return false;
791     }
792 
793     if (should_confirm && !yes_no(device, "Wipe cache?", "  THIS CAN NOT BE UNDONE!")) {
794         return false;
795     }
796 
797     modified_flash = true;
798 
799     ui->Print("\n-- Wiping cache...\n");
800     bool success = erase_volume("/cache");
801     ui->Print("Cache wipe %s.\n", success ? "complete" : "failed");
802     return success;
803 }
804 
805 // Secure-wipe a given partition. It uses BLKSECDISCARD, if supported. Otherwise, it goes with
806 // BLKDISCARD (if device supports BLKDISCARDZEROES) or BLKZEROOUT.
secure_wipe_partition(const std::string & partition)807 static bool secure_wipe_partition(const std::string& partition) {
808   android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(partition.c_str(), O_WRONLY)));
809   if (fd == -1) {
810     PLOG(ERROR) << "Failed to open \"" << partition << "\"";
811     return false;
812   }
813 
814   uint64_t range[2] = { 0, 0 };
815   if (ioctl(fd, BLKGETSIZE64, &range[1]) == -1 || range[1] == 0) {
816     PLOG(ERROR) << "Failed to get partition size";
817     return false;
818   }
819   LOG(INFO) << "Secure-wiping \"" << partition << "\" from " << range[0] << " to " << range[1];
820 
821   LOG(INFO) << "  Trying BLKSECDISCARD...";
822   if (ioctl(fd, BLKSECDISCARD, &range) == -1) {
823     PLOG(WARNING) << "  Failed";
824 
825     // Use BLKDISCARD if it zeroes out blocks, otherwise use BLKZEROOUT.
826     unsigned int zeroes;
827     if (ioctl(fd, BLKDISCARDZEROES, &zeroes) == 0 && zeroes != 0) {
828       LOG(INFO) << "  Trying BLKDISCARD...";
829       if (ioctl(fd, BLKDISCARD, &range) == -1) {
830         PLOG(ERROR) << "  Failed";
831         return false;
832       }
833     } else {
834       LOG(INFO) << "  Trying BLKZEROOUT...";
835       if (ioctl(fd, BLKZEROOUT, &range) == -1) {
836         PLOG(ERROR) << "  Failed";
837         return false;
838       }
839     }
840   }
841 
842   LOG(INFO) << "  Done";
843   return true;
844 }
845 
846 // Check if the wipe package matches expectation:
847 // 1. verify the package.
848 // 2. check metadata (ota-type, pre-device and serial number if having one).
check_wipe_package(size_t wipe_package_size)849 static bool check_wipe_package(size_t wipe_package_size) {
850     if (wipe_package_size == 0) {
851         LOG(ERROR) << "wipe_package_size is zero";
852         return false;
853     }
854     std::string wipe_package;
855     std::string err_str;
856     if (!read_wipe_package(&wipe_package, wipe_package_size, &err_str)) {
857         PLOG(ERROR) << "Failed to read wipe package";
858         return false;
859     }
860     if (!verify_package(reinterpret_cast<const unsigned char*>(wipe_package.data()),
861                         wipe_package.size())) {
862         LOG(ERROR) << "Failed to verify package";
863         return false;
864     }
865 
866     // Extract metadata
867     ZipArchiveHandle zip;
868     int err = OpenArchiveFromMemory(static_cast<void*>(&wipe_package[0]), wipe_package.size(),
869                                     "wipe_package", &zip);
870     if (err != 0) {
871         LOG(ERROR) << "Can't open wipe package : " << ErrorCodeString(err);
872         return false;
873     }
874     std::string metadata;
875     if (!read_metadata_from_package(zip, &metadata)) {
876         CloseArchive(zip);
877         return false;
878     }
879     CloseArchive(zip);
880 
881     // Check metadata
882     std::vector<std::string> lines = android::base::Split(metadata, "\n");
883     bool ota_type_matched = false;
884     bool device_type_matched = false;
885     bool has_serial_number = false;
886     bool serial_number_matched = false;
887     for (const auto& line : lines) {
888         if (line == "ota-type=BRICK") {
889             ota_type_matched = true;
890         } else if (android::base::StartsWith(line, "pre-device=")) {
891             std::string device_type = line.substr(strlen("pre-device="));
892             std::string real_device_type = android::base::GetProperty("ro.build.product", "");
893             device_type_matched = (device_type == real_device_type);
894         } else if (android::base::StartsWith(line, "serialno=")) {
895             std::string serial_no = line.substr(strlen("serialno="));
896             std::string real_serial_no = android::base::GetProperty("ro.serialno", "");
897             has_serial_number = true;
898             serial_number_matched = (serial_no == real_serial_no);
899         }
900     }
901     return ota_type_matched && device_type_matched && (!has_serial_number || serial_number_matched);
902 }
903 
904 // Wipe the current A/B device, with a secure wipe of all the partitions in
905 // RECOVERY_WIPE.
wipe_ab_device(size_t wipe_package_size)906 static bool wipe_ab_device(size_t wipe_package_size) {
907     ui->SetBackground(RecoveryUI::ERASING);
908     ui->SetProgressType(RecoveryUI::INDETERMINATE);
909 
910     if (!check_wipe_package(wipe_package_size)) {
911         LOG(ERROR) << "Failed to verify wipe package";
912         return false;
913     }
914     std::string partition_list;
915     if (!android::base::ReadFileToString(RECOVERY_WIPE, &partition_list)) {
916         LOG(ERROR) << "failed to read \"" << RECOVERY_WIPE << "\"";
917         return false;
918     }
919 
920     std::vector<std::string> lines = android::base::Split(partition_list, "\n");
921     for (const std::string& line : lines) {
922         std::string partition = android::base::Trim(line);
923         // Ignore '#' comment or empty lines.
924         if (android::base::StartsWith(partition, "#") || partition.empty()) {
925             continue;
926         }
927 
928         // Proceed anyway even if it fails to wipe some partition.
929         secure_wipe_partition(partition);
930     }
931     return true;
932 }
933 
choose_recovery_file(Device * device)934 static void choose_recovery_file(Device* device) {
935   std::vector<std::string> entries;
936   if (has_cache) {
937     for (int i = 0; i < KEEP_LOG_COUNT; i++) {
938       auto add_to_entries = [&](const char* filename) {
939         std::string log_file(filename);
940         if (i > 0) {
941           log_file += "." + std::to_string(i);
942         }
943 
944         if (ensure_path_mounted(log_file.c_str()) == 0 && access(log_file.c_str(), R_OK) == 0) {
945           entries.push_back(std::move(log_file));
946         }
947       };
948 
949       // Add LAST_LOG_FILE + LAST_LOG_FILE.x
950       add_to_entries(LAST_LOG_FILE);
951 
952       // Add LAST_KMSG_FILE + LAST_KMSG_FILE.x
953       add_to_entries(LAST_KMSG_FILE);
954     }
955   } else {
956     // If cache partition is not found, view /tmp/recovery.log instead.
957     if (access(TEMPORARY_LOG_FILE, R_OK) == -1) {
958       return;
959     } else {
960       entries.push_back(TEMPORARY_LOG_FILE);
961     }
962   }
963 
964   entries.push_back("Back");
965 
966   std::vector<const char*> menu_entries(entries.size());
967   std::transform(entries.cbegin(), entries.cend(), menu_entries.begin(),
968                  [](const std::string& entry) { return entry.c_str(); });
969   menu_entries.push_back(nullptr);
970 
971   const char* headers[] = { "Select file to view", nullptr };
972 
973   int chosen_item = 0;
974   while (true) {
975     chosen_item = get_menu_selection(headers, menu_entries.data(), true, chosen_item, device);
976     if (entries[chosen_item] == "Back") break;
977 
978     ui->ShowFile(entries[chosen_item].c_str());
979   }
980 }
981 
run_graphics_test()982 static void run_graphics_test() {
983   // Switch to graphics screen.
984   ui->ShowText(false);
985 
986   ui->SetProgressType(RecoveryUI::INDETERMINATE);
987   ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
988   sleep(1);
989 
990   ui->SetBackground(RecoveryUI::ERROR);
991   sleep(1);
992 
993   ui->SetBackground(RecoveryUI::NO_COMMAND);
994   sleep(1);
995 
996   ui->SetBackground(RecoveryUI::ERASING);
997   sleep(1);
998 
999   // Calling SetBackground() after SetStage() to trigger a redraw.
1000   ui->SetStage(1, 3);
1001   ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
1002   sleep(1);
1003   ui->SetStage(2, 3);
1004   ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
1005   sleep(1);
1006   ui->SetStage(3, 3);
1007   ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
1008   sleep(1);
1009 
1010   ui->SetStage(-1, -1);
1011   ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
1012 
1013   ui->SetProgressType(RecoveryUI::DETERMINATE);
1014   ui->ShowProgress(1.0, 10.0);
1015   float fraction = 0.0;
1016   for (size_t i = 0; i < 100; ++i) {
1017     fraction += .01;
1018     ui->SetProgress(fraction);
1019     usleep(100000);
1020   }
1021 
1022   ui->ShowText(true);
1023 }
1024 
1025 // How long (in seconds) we wait for the fuse-provided package file to
1026 // appear, before timing out.
1027 #define SDCARD_INSTALL_TIMEOUT 10
1028 
apply_from_sdcard(Device * device,bool * wipe_cache)1029 static int apply_from_sdcard(Device* device, bool* wipe_cache) {
1030     modified_flash = true;
1031 
1032     if (ensure_path_mounted(SDCARD_ROOT) != 0) {
1033         ui->Print("\n-- Couldn't mount %s.\n", SDCARD_ROOT);
1034         return INSTALL_ERROR;
1035     }
1036 
1037     std::string path = browse_directory(SDCARD_ROOT, device);
1038     if (path.empty()) {
1039         ui->Print("\n-- No package file selected.\n");
1040         ensure_path_unmounted(SDCARD_ROOT);
1041         return INSTALL_ERROR;
1042     }
1043 
1044     ui->Print("\n-- Install %s ...\n", path.c_str());
1045     set_sdcard_update_bootloader_message();
1046 
1047     // We used to use fuse in a thread as opposed to a process. Since accessing
1048     // through fuse involves going from kernel to userspace to kernel, it leads
1049     // to deadlock when a page fault occurs. (Bug: 26313124)
1050     pid_t child;
1051     if ((child = fork()) == 0) {
1052         bool status = start_sdcard_fuse(path.c_str());
1053 
1054         _exit(status ? EXIT_SUCCESS : EXIT_FAILURE);
1055     }
1056 
1057     // FUSE_SIDELOAD_HOST_PATHNAME will start to exist once the fuse in child
1058     // process is ready.
1059     int result = INSTALL_ERROR;
1060     int status;
1061     bool waited = false;
1062     for (int i = 0; i < SDCARD_INSTALL_TIMEOUT; ++i) {
1063         if (waitpid(child, &status, WNOHANG) == -1) {
1064             result = INSTALL_ERROR;
1065             waited = true;
1066             break;
1067         }
1068 
1069         struct stat sb;
1070         if (stat(FUSE_SIDELOAD_HOST_PATHNAME, &sb) == -1) {
1071             if (errno == ENOENT && i < SDCARD_INSTALL_TIMEOUT-1) {
1072                 sleep(1);
1073                 continue;
1074             } else {
1075                 LOG(ERROR) << "Timed out waiting for the fuse-provided package.";
1076                 result = INSTALL_ERROR;
1077                 kill(child, SIGKILL);
1078                 break;
1079             }
1080         }
1081 
1082         result = install_package(FUSE_SIDELOAD_HOST_PATHNAME, wipe_cache,
1083                                  TEMPORARY_INSTALL_FILE, false, 0/*retry_count*/);
1084         break;
1085     }
1086 
1087     if (!waited) {
1088         // Calling stat() on this magic filename signals the fuse
1089         // filesystem to shut down.
1090         struct stat sb;
1091         stat(FUSE_SIDELOAD_HOST_EXIT_PATHNAME, &sb);
1092 
1093         waitpid(child, &status, 0);
1094     }
1095 
1096     if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
1097         LOG(ERROR) << "Error exit from the fuse process: " << WEXITSTATUS(status);
1098     }
1099 
1100     ensure_path_unmounted(SDCARD_ROOT);
1101     return result;
1102 }
1103 
1104 // Returns REBOOT, SHUTDOWN, or REBOOT_BOOTLOADER. Returning NO_ACTION means to take the default,
1105 // which is to reboot or shutdown depending on if the --shutdown_after flag was passed to recovery.
prompt_and_wait(Device * device,int status)1106 static Device::BuiltinAction prompt_and_wait(Device* device, int status) {
1107   for (;;) {
1108     finish_recovery();
1109     switch (status) {
1110       case INSTALL_SUCCESS:
1111       case INSTALL_NONE:
1112         ui->SetBackground(RecoveryUI::NO_COMMAND);
1113         break;
1114 
1115       case INSTALL_ERROR:
1116       case INSTALL_CORRUPT:
1117         ui->SetBackground(RecoveryUI::ERROR);
1118         break;
1119     }
1120     ui->SetProgressType(RecoveryUI::EMPTY);
1121 
1122     int chosen_item = get_menu_selection(nullptr, device->GetMenuItems(), false, 0, device);
1123 
1124     // Device-specific code may take some action here. It may return one of the core actions
1125     // handled in the switch statement below.
1126     Device::BuiltinAction chosen_action =
1127         (chosen_item == -1) ? Device::REBOOT : device->InvokeMenuItem(chosen_item);
1128 
1129     bool should_wipe_cache = false;
1130     switch (chosen_action) {
1131       case Device::NO_ACTION:
1132         break;
1133 
1134       case Device::REBOOT:
1135       case Device::SHUTDOWN:
1136       case Device::REBOOT_BOOTLOADER:
1137         return chosen_action;
1138 
1139       case Device::WIPE_DATA:
1140         if (ui->IsTextVisible()) {
1141           if (ask_to_wipe_data(device)) {
1142             wipe_data(device);
1143           }
1144         } else {
1145           wipe_data(device);
1146           return Device::NO_ACTION;
1147         }
1148         break;
1149 
1150       case Device::WIPE_CACHE:
1151         wipe_cache(ui->IsTextVisible(), device);
1152         if (!ui->IsTextVisible()) return Device::NO_ACTION;
1153         break;
1154 
1155       case Device::APPLY_ADB_SIDELOAD:
1156       case Device::APPLY_SDCARD:
1157         {
1158           bool adb = (chosen_action == Device::APPLY_ADB_SIDELOAD);
1159           if (adb) {
1160             status = apply_from_adb(ui, &should_wipe_cache, TEMPORARY_INSTALL_FILE);
1161           } else {
1162             status = apply_from_sdcard(device, &should_wipe_cache);
1163           }
1164 
1165           if (status == INSTALL_SUCCESS && should_wipe_cache) {
1166             if (!wipe_cache(false, device)) {
1167               status = INSTALL_ERROR;
1168             }
1169           }
1170 
1171           if (status != INSTALL_SUCCESS) {
1172             ui->SetBackground(RecoveryUI::ERROR);
1173             ui->Print("Installation aborted.\n");
1174             copy_logs();
1175           } else if (!ui->IsTextVisible()) {
1176             return Device::NO_ACTION;  // reboot if logs aren't visible
1177           } else {
1178             ui->Print("\nInstall from %s complete.\n", adb ? "ADB" : "SD card");
1179           }
1180         }
1181         break;
1182 
1183       case Device::VIEW_RECOVERY_LOGS:
1184         choose_recovery_file(device);
1185         break;
1186 
1187       case Device::RUN_GRAPHICS_TEST:
1188         run_graphics_test();
1189         break;
1190 
1191       case Device::MOUNT_SYSTEM:
1192         // For a system image built with the root directory (i.e. system_root_image == "true"), we
1193         // mount it to /system_root, and symlink /system to /system_root/system to make adb shell
1194         // work (the symlink is created through the build system). (Bug: 22855115)
1195         if (android::base::GetBoolProperty("ro.build.system_root_image", false)) {
1196           if (ensure_path_mounted_at("/", "/system_root") != -1) {
1197             ui->Print("Mounted /system.\n");
1198           }
1199         } else {
1200           if (ensure_path_mounted("/system") != -1) {
1201             ui->Print("Mounted /system.\n");
1202           }
1203         }
1204         break;
1205     }
1206   }
1207 }
1208 
1209 static void
print_property(const char * key,const char * name,void * cookie)1210 print_property(const char *key, const char *name, void *cookie) {
1211     printf("%s=%s\n", key, name);
1212 }
1213 
load_locale_from_cache()1214 static std::string load_locale_from_cache() {
1215     if (ensure_path_mounted(LOCALE_FILE) != 0) {
1216         LOG(ERROR) << "Can't mount " << LOCALE_FILE;
1217         return "";
1218     }
1219 
1220     std::string content;
1221     if (!android::base::ReadFileToString(LOCALE_FILE, &content)) {
1222         PLOG(ERROR) << "Can't read " << LOCALE_FILE;
1223         return "";
1224     }
1225 
1226     return android::base::Trim(content);
1227 }
1228 
ui_print(const char * format,...)1229 void ui_print(const char* format, ...) {
1230     std::string buffer;
1231     va_list ap;
1232     va_start(ap, format);
1233     android::base::StringAppendV(&buffer, format, ap);
1234     va_end(ap);
1235 
1236     if (ui != nullptr) {
1237         ui->Print("%s", buffer.c_str());
1238     } else {
1239         fputs(buffer.c_str(), stdout);
1240     }
1241 }
1242 
1243 static constexpr char log_characters[] = "VDIWEF";
1244 
UiLogger(android::base::LogId id,android::base::LogSeverity severity,const char * tag,const char * file,unsigned int line,const char * message)1245 void UiLogger(android::base::LogId id, android::base::LogSeverity severity,
1246                const char* tag, const char* file, unsigned int line,
1247                const char* message) {
1248     if (severity >= android::base::ERROR && ui != nullptr) {
1249         ui->Print("E:%s\n", message);
1250     } else {
1251         fprintf(stdout, "%c:%s\n", log_characters[severity], message);
1252     }
1253 }
1254 
is_battery_ok()1255 static bool is_battery_ok() {
1256     struct healthd_config healthd_config = {
1257             .batteryStatusPath = android::String8(android::String8::kEmptyString),
1258             .batteryHealthPath = android::String8(android::String8::kEmptyString),
1259             .batteryPresentPath = android::String8(android::String8::kEmptyString),
1260             .batteryCapacityPath = android::String8(android::String8::kEmptyString),
1261             .batteryVoltagePath = android::String8(android::String8::kEmptyString),
1262             .batteryTemperaturePath = android::String8(android::String8::kEmptyString),
1263             .batteryTechnologyPath = android::String8(android::String8::kEmptyString),
1264             .batteryCurrentNowPath = android::String8(android::String8::kEmptyString),
1265             .batteryCurrentAvgPath = android::String8(android::String8::kEmptyString),
1266             .batteryChargeCounterPath = android::String8(android::String8::kEmptyString),
1267             .batteryFullChargePath = android::String8(android::String8::kEmptyString),
1268             .batteryCycleCountPath = android::String8(android::String8::kEmptyString),
1269             .energyCounter = NULL,
1270             .boot_min_cap = 0,
1271             .screen_on = NULL
1272     };
1273     healthd_board_init(&healthd_config);
1274 
1275     android::BatteryMonitor monitor;
1276     monitor.init(&healthd_config);
1277 
1278     int wait_second = 0;
1279     while (true) {
1280         int charge_status = monitor.getChargeStatus();
1281         // Treat unknown status as charged.
1282         bool charged = (charge_status != android::BATTERY_STATUS_DISCHARGING &&
1283                         charge_status != android::BATTERY_STATUS_NOT_CHARGING);
1284         android::BatteryProperty capacity;
1285         android::status_t status = monitor.getProperty(android::BATTERY_PROP_CAPACITY, &capacity);
1286         ui_print("charge_status %d, charged %d, status %d, capacity %lld\n", charge_status,
1287                  charged, status, capacity.valueInt64);
1288         // At startup, the battery drivers in devices like N5X/N6P take some time to load
1289         // the battery profile. Before the load finishes, it reports value 50 as a fake
1290         // capacity. BATTERY_READ_TIMEOUT_IN_SEC is set that the battery drivers are expected
1291         // to finish loading the battery profile earlier than 10 seconds after kernel startup.
1292         if (status == 0 && capacity.valueInt64 == 50) {
1293             if (wait_second < BATTERY_READ_TIMEOUT_IN_SEC) {
1294                 sleep(1);
1295                 wait_second++;
1296                 continue;
1297             }
1298         }
1299         // If we can't read battery percentage, it may be a device without battery. In this
1300         // situation, use 100 as a fake battery percentage.
1301         if (status != 0) {
1302             capacity.valueInt64 = 100;
1303         }
1304         return (charged && capacity.valueInt64 >= BATTERY_WITH_CHARGER_OK_PERCENTAGE) ||
1305                 (!charged && capacity.valueInt64 >= BATTERY_OK_PERCENTAGE);
1306     }
1307 }
1308 
set_retry_bootloader_message(int retry_count,const std::vector<std::string> & args)1309 static void set_retry_bootloader_message(int retry_count, const std::vector<std::string>& args) {
1310   std::vector<std::string> options;
1311   for (const auto& arg : args) {
1312     if (!android::base::StartsWith(arg, "--retry_count")) {
1313       options.push_back(arg);
1314     }
1315   }
1316 
1317   // Increment the retry counter by 1.
1318   options.push_back(android::base::StringPrintf("--retry_count=%d", retry_count + 1));
1319   std::string err;
1320   if (!update_bootloader_message(options, &err)) {
1321     LOG(ERROR) << err;
1322   }
1323 }
1324 
bootreason_in_blacklist()1325 static bool bootreason_in_blacklist() {
1326   std::string bootreason = android::base::GetProperty("ro.boot.bootreason", "");
1327   if (!bootreason.empty()) {
1328     for (const auto& str : bootreason_blacklist) {
1329       if (strcasecmp(str.c_str(), bootreason.c_str()) == 0) {
1330         return true;
1331       }
1332     }
1333   }
1334   return false;
1335 }
1336 
log_failure_code(ErrorCode code,const char * update_package)1337 static void log_failure_code(ErrorCode code, const char *update_package) {
1338     std::vector<std::string> log_buffer = {
1339         update_package,
1340         "0",  // install result
1341         "error: " + std::to_string(code),
1342     };
1343     std::string log_content = android::base::Join(log_buffer, "\n");
1344     if (!android::base::WriteStringToFile(log_content, TEMPORARY_INSTALL_FILE)) {
1345         PLOG(ERROR) << "failed to write " << TEMPORARY_INSTALL_FILE;
1346     }
1347 
1348     // Also write the info into last_log.
1349     LOG(INFO) << log_content;
1350 }
1351 
main(int argc,char ** argv)1352 int main(int argc, char **argv) {
1353     // We don't have logcat yet under recovery; so we'll print error on screen and
1354     // log to stdout (which is redirected to recovery.log) as we used to do.
1355     android::base::InitLogging(argv, &UiLogger);
1356 
1357     // Take last pmsg contents and rewrite it to the current pmsg session.
1358     static const char filter[] = "recovery/";
1359     // Do we need to rotate?
1360     bool doRotate = false;
1361 
1362     __android_log_pmsg_file_read(
1363         LOG_ID_SYSTEM, ANDROID_LOG_INFO, filter,
1364         logbasename, &doRotate);
1365     // Take action to refresh pmsg contents
1366     __android_log_pmsg_file_read(
1367         LOG_ID_SYSTEM, ANDROID_LOG_INFO, filter,
1368         logrotate, &doRotate);
1369 
1370     // If this binary is started with the single argument "--adbd",
1371     // instead of being the normal recovery binary, it turns into kind
1372     // of a stripped-down version of adbd that only supports the
1373     // 'sideload' command.  Note this must be a real argument, not
1374     // anything in the command file or bootloader control block; the
1375     // only way recovery should be run with this argument is when it
1376     // starts a copy of itself from the apply_from_adb() function.
1377     if (argc == 2 && strcmp(argv[1], "--adbd") == 0) {
1378         minadbd_main();
1379         return 0;
1380     }
1381 
1382     time_t start = time(NULL);
1383 
1384     // redirect_stdio should be called only in non-sideload mode. Otherwise
1385     // we may have two logger instances with different timestamps.
1386     redirect_stdio(TEMPORARY_LOG_FILE);
1387 
1388     printf("Starting recovery (pid %d) on %s", getpid(), ctime(&start));
1389 
1390     load_volume_table();
1391     has_cache = volume_for_path(CACHE_ROOT) != nullptr;
1392 
1393     std::vector<std::string> args = get_args(argc, argv);
1394     std::vector<char*> args_to_parse(args.size());
1395     std::transform(args.cbegin(), args.cend(), args_to_parse.begin(),
1396                    [](const std::string& arg) { return const_cast<char*>(arg.c_str()); });
1397 
1398     const char *update_package = NULL;
1399     bool should_wipe_data = false;
1400     bool should_prompt_and_wipe_data = false;
1401     bool should_wipe_cache = false;
1402     bool should_wipe_ab = false;
1403     size_t wipe_package_size = 0;
1404     bool show_text = false;
1405     bool sideload = false;
1406     bool sideload_auto_reboot = false;
1407     bool just_exit = false;
1408     bool shutdown_after = false;
1409     int retry_count = 0;
1410     bool security_update = false;
1411 
1412     int arg;
1413     int option_index;
1414     while ((arg = getopt_long(args_to_parse.size(), args_to_parse.data(), "", OPTIONS,
1415                               &option_index)) != -1) {
1416         switch (arg) {
1417         case 'n': android::base::ParseInt(optarg, &retry_count, 0); break;
1418         case 'u': update_package = optarg; break;
1419         case 'w': should_wipe_data = true; break;
1420         case 'c': should_wipe_cache = true; break;
1421         case 't': show_text = true; break;
1422         case 's': sideload = true; break;
1423         case 'a': sideload = true; sideload_auto_reboot = true; break;
1424         case 'x': just_exit = true; break;
1425         case 'l': locale = optarg; break;
1426         case 'p': shutdown_after = true; break;
1427         case 'r': reason = optarg; break;
1428         case 'e': security_update = true; break;
1429         case 0: {
1430             std::string option = OPTIONS[option_index].name;
1431             if (option == "wipe_ab") {
1432                 should_wipe_ab = true;
1433             } else if (option == "wipe_package_size") {
1434                 android::base::ParseUint(optarg, &wipe_package_size);
1435             } else if (option == "prompt_and_wipe_data") {
1436                 should_prompt_and_wipe_data = true;
1437             }
1438             break;
1439         }
1440         case '?':
1441             LOG(ERROR) << "Invalid command argument";
1442             continue;
1443         }
1444     }
1445 
1446     if (locale.empty()) {
1447         if (has_cache) {
1448             locale = load_locale_from_cache();
1449         }
1450 
1451         if (locale.empty()) {
1452             locale = DEFAULT_LOCALE;
1453         }
1454     }
1455 
1456     printf("locale is [%s]\n", locale.c_str());
1457     printf("stage is [%s]\n", stage.c_str());
1458     printf("reason is [%s]\n", reason);
1459 
1460     Device* device = make_device();
1461     if (android::base::GetBoolProperty("ro.boot.quiescent", false)) {
1462         printf("Quiescent recovery mode.\n");
1463         ui = new StubRecoveryUI();
1464     } else {
1465         ui = device->GetUI();
1466 
1467         if (!ui->Init(locale)) {
1468             printf("Failed to initialize UI, use stub UI instead.\n");
1469             ui = new StubRecoveryUI();
1470         }
1471     }
1472 
1473     // Set background string to "installing security update" for security update,
1474     // otherwise set it to "installing system update".
1475     ui->SetSystemUpdateText(security_update);
1476 
1477     int st_cur, st_max;
1478     if (!stage.empty() && sscanf(stage.c_str(), "%d/%d", &st_cur, &st_max) == 2) {
1479         ui->SetStage(st_cur, st_max);
1480     }
1481 
1482     ui->SetBackground(RecoveryUI::NONE);
1483     if (show_text) ui->ShowText(true);
1484 
1485     sehandle = selinux_android_file_context_handle();
1486     selinux_android_set_sehandle(sehandle);
1487     if (!sehandle) {
1488         ui->Print("Warning: No file_contexts\n");
1489     }
1490 
1491     device->StartRecovery();
1492 
1493     printf("Command:");
1494     for (const auto& arg : args) {
1495         printf(" \"%s\"", arg.c_str());
1496     }
1497     printf("\n\n");
1498 
1499     property_list(print_property, NULL);
1500     printf("\n");
1501 
1502     ui->Print("Supported API: %d\n", RECOVERY_API_VERSION);
1503 
1504     int status = INSTALL_SUCCESS;
1505 
1506     if (update_package != NULL) {
1507         // It's not entirely true that we will modify the flash. But we want
1508         // to log the update attempt since update_package is non-NULL.
1509         modified_flash = true;
1510 
1511         if (!is_battery_ok()) {
1512             ui->Print("battery capacity is not enough for installing package, needed is %d%%\n",
1513                       BATTERY_OK_PERCENTAGE);
1514             // Log the error code to last_install when installation skips due to
1515             // low battery.
1516             log_failure_code(kLowBattery, update_package);
1517             status = INSTALL_SKIPPED;
1518         } else if (bootreason_in_blacklist()) {
1519             // Skip update-on-reboot when bootreason is kernel_panic or similar
1520             ui->Print("bootreason is in the blacklist; skip OTA installation\n");
1521             log_failure_code(kBootreasonInBlacklist, update_package);
1522             status = INSTALL_SKIPPED;
1523         } else {
1524             status = install_package(update_package, &should_wipe_cache,
1525                                      TEMPORARY_INSTALL_FILE, true, retry_count);
1526             if (status == INSTALL_SUCCESS && should_wipe_cache) {
1527                 wipe_cache(false, device);
1528             }
1529             if (status != INSTALL_SUCCESS) {
1530                 ui->Print("Installation aborted.\n");
1531                 // When I/O error happens, reboot and retry installation EIO_RETRY_COUNT
1532                 // times before we abandon this OTA update.
1533                 if (status == INSTALL_RETRY && retry_count < EIO_RETRY_COUNT) {
1534                     copy_logs();
1535                     set_retry_bootloader_message(retry_count, args);
1536                     // Print retry count on screen.
1537                     ui->Print("Retry attempt %d\n", retry_count);
1538 
1539                     // Reboot and retry the update
1540                     if (!reboot("reboot,recovery")) {
1541                         ui->Print("Reboot failed\n");
1542                     } else {
1543                         while (true) {
1544                             pause();
1545                         }
1546                     }
1547                 }
1548                 // If this is an eng or userdebug build, then automatically
1549                 // turn the text display on if the script fails so the error
1550                 // message is visible.
1551                 if (is_ro_debuggable()) {
1552                     ui->ShowText(true);
1553                 }
1554             }
1555         }
1556     } else if (should_wipe_data) {
1557         if (!wipe_data(device)) {
1558             status = INSTALL_ERROR;
1559         }
1560     } else if (should_prompt_and_wipe_data) {
1561         ui->ShowText(true);
1562         ui->SetBackground(RecoveryUI::ERROR);
1563         if (!prompt_and_wipe_data(device)) {
1564             status = INSTALL_ERROR;
1565         }
1566         ui->ShowText(false);
1567     } else if (should_wipe_cache) {
1568         if (!wipe_cache(false, device)) {
1569             status = INSTALL_ERROR;
1570         }
1571     } else if (should_wipe_ab) {
1572         if (!wipe_ab_device(wipe_package_size)) {
1573             status = INSTALL_ERROR;
1574         }
1575     } else if (sideload) {
1576         // 'adb reboot sideload' acts the same as user presses key combinations
1577         // to enter the sideload mode. When 'sideload-auto-reboot' is used, text
1578         // display will NOT be turned on by default. And it will reboot after
1579         // sideload finishes even if there are errors. Unless one turns on the
1580         // text display during the installation. This is to enable automated
1581         // testing.
1582         if (!sideload_auto_reboot) {
1583             ui->ShowText(true);
1584         }
1585         status = apply_from_adb(ui, &should_wipe_cache, TEMPORARY_INSTALL_FILE);
1586         if (status == INSTALL_SUCCESS && should_wipe_cache) {
1587             if (!wipe_cache(false, device)) {
1588                 status = INSTALL_ERROR;
1589             }
1590         }
1591         ui->Print("\nInstall from ADB complete (status: %d).\n", status);
1592         if (sideload_auto_reboot) {
1593             ui->Print("Rebooting automatically.\n");
1594         }
1595     } else if (!just_exit) {
1596         status = INSTALL_NONE;  // No command specified
1597         ui->SetBackground(RecoveryUI::NO_COMMAND);
1598 
1599         // http://b/17489952
1600         // If this is an eng or userdebug build, automatically turn on the
1601         // text display if no command is specified.
1602         if (is_ro_debuggable()) {
1603             ui->ShowText(true);
1604         }
1605     }
1606 
1607     if (!sideload_auto_reboot && (status == INSTALL_ERROR || status == INSTALL_CORRUPT)) {
1608         copy_logs();
1609         ui->SetBackground(RecoveryUI::ERROR);
1610     }
1611 
1612     Device::BuiltinAction after = shutdown_after ? Device::SHUTDOWN : Device::REBOOT;
1613     if ((status != INSTALL_SUCCESS && status != INSTALL_SKIPPED && !sideload_auto_reboot) ||
1614             ui->IsTextVisible()) {
1615         Device::BuiltinAction temp = prompt_and_wait(device, status);
1616         if (temp != Device::NO_ACTION) {
1617             after = temp;
1618         }
1619     }
1620 
1621     // Save logs and clean up before rebooting or shutting down.
1622     finish_recovery();
1623 
1624     switch (after) {
1625         case Device::SHUTDOWN:
1626             ui->Print("Shutting down...\n");
1627             android::base::SetProperty(ANDROID_RB_PROPERTY, "shutdown,");
1628             break;
1629 
1630         case Device::REBOOT_BOOTLOADER:
1631             ui->Print("Rebooting to bootloader...\n");
1632             android::base::SetProperty(ANDROID_RB_PROPERTY, "reboot,bootloader");
1633             break;
1634 
1635         default:
1636             ui->Print("Rebooting...\n");
1637             reboot("reboot,");
1638             break;
1639     }
1640     while (true) {
1641         pause();
1642     }
1643     // Should be unreachable.
1644     return EXIT_SUCCESS;
1645 }
1646