recovery uncrypt功能解析(bootable/recovery/uncrypt/uncrypt.cpp)

我們通常對一個文件可以直接讀寫操作，或者普通的分區(沒有文件系統)也是一樣，直接對/dev/block/boot直接讀寫，就可以獲取里面的數據內容了。

當我們在ota升級的時候，把升級包下載到cache/data分區，然后進入recovery系統后，把cache/data分區mount之后，即可從對應的分區獲取zip升級包升級了， 前提是我們需要掛載對應的分區cache或者data，這樣才能給讀升級包升級，如果不掛載分區，我們能給直接從/dev/block/data獲取升級包升級嗎？

這就是我們今天討論的主題，不掛載data分區，如何從/dev/block/data獲取升級包升級， 這個依賴bootable/recovery/uncrypt/uncrypt.cpp下面的代碼實現了，我們通過獲取update.zip升級包， 是如何在/dev/block/data存儲的。 我們知道了update.zip如何在/dev/block/data存儲的，那么就可以直接從/dev/block/data讀取升級包升級了。下面對uncrypt.cpp源碼分析：

static constexpr int WINDOW_SIZE = 5; static constexpr int FIBMAP_RETRY_LIMIT = 3; // uncrypt provides three services: SETUP_BCB, CLEAR_BCB and UNCRYPT. // // SETUP_BCB and CLEAR_BCB services use socket communication and do not rely // on /cache partitions. They will handle requests to reboot into recovery // (for applying updates for non-A/B devices, or factory resets for all // devices). // // UNCRYPT service still needs files on /cache partition (UNCRYPT_PATH_FILE // and CACHE_BLOCK_MAP). It will be working (and needed) only for non-A/B // devices, on which /cache partitions always exist. static const std::string CACHE_BLOCK_MAP = "/cache/recovery/block.map"; static const std::string UNCRYPT_PATH_FILE = "/cache/recovery/uncrypt_file"; static const std::string UNCRYPT_STATUS = "/cache/recovery/uncrypt_status"; static const std::string UNCRYPT_SOCKET = "uncrypt";

WINDOW_SIZE = 5; 每次當有5個block size大小的數據，就寫一次。

FIBMAP_RETRY_LIMIT = 3;  調用 ioctl(fd, FIBMAP, block) 嘗試的次數。

CACHE_BLOCK_MAP = "/cache/recovery/block.map"  關於升級包的存儲信息及稀疏塊列表的描述文件。

UNCRYPT_PATH_FILE = "/cache/recovery/uncrypt_file";  存儲原始升級包的路徑。

UNCRYPT_STATUS = "/cache/recovery/uncrypt_status";  對升級包uncrypt操作的狀態結果。

UNCRYPT_SOCKET = "uncrypt";    使用 /dev/socket/uncrypt 通信

static int write_at_offset(unsigned char* buffer, size_t size, int wfd, off64_t offset) { if (TEMP_FAILURE_RETRY(lseek64(wfd, offset, SEEK_SET)) == -1) { PLOG(ERROR) << "error seeking to offset " << offset; return -1; } if (!android::base::WriteFully(wfd, buffer, size)) { PLOG(ERROR) << "error writing offset " << offset; return -1; } return 0; }

寫長度為size的buffer數據到wfd偏移offset地方

static void add_block_to_ranges(std::vector<int>& ranges, int new_block) { if (!ranges.empty() && new_block == ranges.back()) { // If the new block comes immediately after the current range, // all we have to do is extend the current range. ++ranges.back(); } else { // We need to start a new range. ranges.push_back(new_block); ranges.push_back(new_block + 1); } }

生成升級包的block塊的稀疏列表， 比如1001 1004， 如果new block為1004， 則稀疏范圍為1001 1005， 如果new block非1004，比如為1120， 則稀疏列表為 1001 1004， 1120 1121。

1001 1004表示為1001 1002 1003三個block，不包含1004

static struct fstab* read_fstab() { fstab = fs_mgr_read_fstab_default(); if (!fstab) { LOG(ERROR) << "failed to read default fstab"; return NULL; } return fstab; }

讀取分區掛載表

static const char* find_block_device(const char* path, bool* encryptable, bool* encrypted, bool *f2fs_fs) { // Look for a volume whose mount point is the prefix of path and // return its block device. Set encrypted if it's currently // encrypted. // ensure f2fs_fs is set to 0 first. if (f2fs_fs) *f2fs_fs = false; for (int i = 0; i < fstab->num_entries; ++i) { struct fstab_rec* v = &fstab->recs[i]; if (!v->mount_point) { continue; } int len = strlen(v->mount_point); if (strncmp(path, v->mount_point, len) == 0 && (path[len] == '/' || path[len] == 0)) { *encrypted = false; *encryptable = false; if (fs_mgr_is_encryptable(v) || fs_mgr_is_file_encrypted(v)) { *encryptable = true; if (android::base::GetProperty("ro.crypto.state", "") == "encrypted") { *encrypted = true; } } if (f2fs_fs && strcmp(v->fs_type, "f2fs") == 0) *f2fs_fs = true; return v->blk_device; } } return NULL; }

通過升級包路徑（/data/xxx_ota_20180823.zip）獲取升級包對應的device（/dev/block/data）,並且通過解析fstab判斷（data）分區是否加密，*encrypted = true; 是否支持加密， *encryptable = true;

static bool write_status_to_socket(int status, int socket) { // If socket equals -1, uncrypt is in debug mode without socket communication. // Skip writing and return success. if (socket == -1) { return true; } int status_out = htonl(status); return android::base::WriteFully(socket, &status_out, sizeof(int)); }

通過socket保存uncrypt status

// Parse uncrypt_file to find the update package name. static bool find_uncrypt_package(const std::string& uncrypt_path_file, std::string* package_name) { CHECK(package_name != nullptr); std::string uncrypt_path; if (!android::base::ReadFileToString(uncrypt_path_file, &uncrypt_path)) { PLOG(ERROR) << "failed to open \"" << uncrypt_path_file << "\""; return false; } // Remove the trailing '\n' if present. *package_name = android::base::Trim(uncrypt_path); return true; }

通過讀取/cache/recovery/uncrypt_file 獲取原始升級包名字

static int retry_fibmap(const int fd, const char* name, int* block, const int head_block) { CHECK(block != nullptr); for (size_t i = 0; i < FIBMAP_RETRY_LIMIT; i++) { if (fsync(fd) == -1) { PLOG(ERROR) << "failed to fsync \"" << name << "\""; return kUncryptFileSyncError; } if (ioctl(fd, FIBMAP, block) != 0) { PLOG(ERROR) << "failed to find block " << head_block; return kUncryptIoctlError; } if (*block != 0) { return kUncryptNoError; } sleep(1); } LOG(ERROR) << "fibmap of " << head_block << "always returns 0"; return kUncryptIoctlError; }

通過 ioctl(fd, FIBMAP, block) 調用，獲取升級包的每個block的數據，在 /dev/block/data的實際存儲數據的block對應的索引。嘗試三次后返回失敗。

static int produce_block_map(const char* path, const char* map_file, const char* blk_dev, bool encrypted, bool f2fs_fs, int socket) { std::string err; if (!android::base::RemoveFileIfExists(map_file, &err)) { LOG(ERROR) << "failed to remove the existing map file " << map_file << ": " << err; return kUncryptFileRemoveError; } std::string tmp_map_file = std::string(map_file) + ".tmp"; android::base::unique_fd mapfd(open(tmp_map_file.c_str(), O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR)); if (mapfd == -1) { PLOG(ERROR) << "failed to open " << tmp_map_file; return kUncryptFileOpenError; } // Make sure we can write to the socket. if (!write_status_to_socket(0, socket)) { LOG(ERROR) << "failed to write to socket " << socket; return kUncryptSocketWriteError; } struct stat sb; if (stat(path, &sb) != 0) { LOG(ERROR) << "failed to stat " << path; return kUncryptFileStatError; } LOG(INFO) << " block size: " << sb.st_blksize << " bytes"; int blocks = ((sb.st_size-1) / sb.st_blksize) + 1; LOG(INFO) << " file size: " << sb.st_size << " bytes, " << blocks << " blocks"; std::vector<int> ranges; std::string s = android::base::StringPrintf("%s\n%" PRId64 " %" PRId64 "\n", blk_dev, static_cast<int64_t>(sb.st_size), static_cast<int64_t>(sb.st_blksize)); if (!android::base::WriteStringToFd(s, mapfd)) { PLOG(ERROR) << "failed to write " << tmp_map_file; return kUncryptWriteError; } std::vector<std::vector<unsigned char>> buffers; if (encrypted) { buffers.resize(WINDOW_SIZE, std::vector<unsigned char>(sb.st_blksize)); } int head_block = 0; int head = 0, tail = 0; android::base::unique_fd fd(open(path, O_RDONLY)); if (fd == -1) { PLOG(ERROR) << "failed to open " << path << " for reading"; return kUncryptFileOpenError; } android::base::unique_fd wfd; if (encrypted) { wfd.reset(open(blk_dev, O_WRONLY)); if (wfd == -1) { PLOG(ERROR) << "failed to open " << blk_dev << " for writing"; return kUncryptBlockOpenError; } } #ifndef F2FS_IOC_SET_DONTMOVE #ifndef F2FS_IOCTL_MAGIC #define F2FS_IOCTL_MAGIC 0xf5 #endif #define F2FS_IOC_SET_DONTMOVE _IO(F2FS_IOCTL_MAGIC, 13) #endif if (f2fs_fs && ioctl(fd, F2FS_IOC_SET_DONTMOVE) < 0) { PLOG(ERROR) << "Failed to set non-movable file for f2fs: " << path << " on " << blk_dev; return kUncryptIoctlError; } off64_t pos = 0; int last_progress = 0; while (pos < sb.st_size) { // Update the status file, progress must be between [0, 99]. int progress = static_cast<int>(100 * (double(pos) / double(sb.st_size))); if (progress > last_progress) { last_progress = progress; write_status_to_socket(progress, socket); } if ((tail+1) % WINDOW_SIZE == head) { // write out head buffer int block = head_block; if (ioctl(fd, FIBMAP, &block) != 0) { PLOG(ERROR) << "failed to find block " << head_block; return kUncryptIoctlError; } if (block == 0) { LOG(ERROR) << "failed to find block " << head_block << ", retrying"; int error = retry_fibmap(fd, path, &block, head_block); if (error != kUncryptNoError) { return error; } } add_block_to_ranges(ranges, block); if (encrypted) { if (write_at_offset(buffers[head].data(), sb.st_blksize, wfd, static_cast<off64_t>(sb.st_blksize) * block) != 0) { return kUncryptWriteError; } } head = (head + 1) % WINDOW_SIZE; ++head_block; } // read next block to tail if (encrypted) { size_t to_read = static_cast<size_t>( std::min(static_cast<off64_t>(sb.st_blksize), sb.st_size - pos)); if (!android::base::ReadFully(fd, buffers[tail].data(), to_read)) { PLOG(ERROR) << "failed to read " << path; return kUncryptReadError; } pos += to_read; } else { // If we're not encrypting; we don't need to actually read // anything, just skip pos forward as if we'd read a // block. pos += sb.st_blksize; } tail = (tail+1) % WINDOW_SIZE; } while (head != tail) { // write out head buffer int block = head_block; if (ioctl(fd, FIBMAP, &block) != 0) { PLOG(ERROR) << "failed to find block " << head_block; return kUncryptIoctlError; } if (block == 0) { LOG(ERROR) << "failed to find block " << head_block << ", retrying"; int error = retry_fibmap(fd, path, &block, head_block); if (error != kUncryptNoError) { return error; } } add_block_to_ranges(ranges, block); if (encrypted) { if (write_at_offset(buffers[head].data(), sb.st_blksize, wfd, static_cast<off64_t>(sb.st_blksize) * block) != 0) { return kUncryptWriteError; } } head = (head + 1) % WINDOW_SIZE; ++head_block; } if (!android::base::WriteStringToFd( android::base::StringPrintf("%zu\n", ranges.size() / 2), mapfd)) { PLOG(ERROR) << "failed to write " << tmp_map_file; return kUncryptWriteError; } for (size_t i = 0; i < ranges.size(); i += 2) { if (!android::base::WriteStringToFd( android::base::StringPrintf("%d %d\n", ranges[i], ranges[i+1]), mapfd)) { PLOG(ERROR) << "failed to write " << tmp_map_file; return kUncryptWriteError; } } if (fsync(mapfd) == -1) { PLOG(ERROR) << "failed to fsync \"" << tmp_map_file << "\""; return kUncryptFileSyncError; } if (close(mapfd.release()) == -1) { PLOG(ERROR) << "failed to close " << tmp_map_file; return kUncryptFileCloseError; } if (encrypted) { if (fsync(wfd) == -1) { PLOG(ERROR) << "failed to fsync \"" << blk_dev << "\""; return kUncryptFileSyncError; } if (close(wfd.release()) == -1) { PLOG(ERROR) << "failed to close " << blk_dev; return kUncryptFileCloseError; } } if (rename(tmp_map_file.c_str(), map_file) == -1) { PLOG(ERROR) << "failed to rename " << tmp_map_file << " to " << map_file; return kUncryptFileRenameError; } // Sync dir to make rename() result written to disk. std::string file_name = map_file; std::string dir_name = dirname(&file_name[0]); android::base::unique_fd dfd(open(dir_name.c_str(), O_RDONLY | O_DIRECTORY)); if (dfd == -1) { PLOG(ERROR) << "failed to open dir " << dir_name; return kUncryptFileOpenError; } if (fsync(dfd) == -1) { PLOG(ERROR) << "failed to fsync " << dir_name; return kUncryptFileSyncError; } if (close(dfd.release()) == -1) { PLOG(ERROR) << "failed to close " << dir_name; return kUncryptFileCloseError; } return 0; }

這個是最核心的函數了，主要就是通過這個函數來完成稀疏列表的生成，我們先看下函數的參數：

const char* path：  升級包路徑，eg：/data/xxxx.zip

const char* map_file： map文件， eg：/cache/recovery/block.map

const char* blk_dev:    device設備， eg： /dev/block/data

bool encrypted:  是否加密

bool f2fs_fs： 是否是f2fs

int socket： socket句柄

把升級包/data/xxxx.zip生成稀疏的描述文件，保存在/cache/recovery/block.map， 即本函數的目的。

函數代碼比較多，從上至下，主要的功能如下：

（1）刪除/cache/recovery/block.map, 新建/cache/recovery/block.map.tmp文件

（2）確認對socket句柄對應的/dev/socket/uncrypt 有寫的權限

（3）確認升級包存在

（4）block.map第一行保存為：/dev/block/data

                          第二行保存為：352268727 4096    （升級包大小， block大小）

（5）申請 5個block size大小的buffer空間。

（6）打開升級包（/data/xxxx.zip），句柄為fd, 打開device /dev/block/data,句柄為wfd。

（7）循環按照block size大小，通過偏移指定的block，獲取每個block數據在device的實際block索引，保存升級包的實際存儲block的稀疏列表。 如果data分區是加密的，那么每次獲取每個block實際索引時，讀取解密后的block數據到buffer， 每當有5個block數據時，然后把buffer數據寫到實際的對應的索引block里。這樣實際索引的block里存儲的就是解密后的數據。

（8）最后把不足5個block數據的buffer寫到對應的實際的block中去，這樣稀疏列表包含的block中保存的就是解密后的升級包數據。

（9）把稀疏列表寫到/cache/recovery/block.map.tmp

（10）關閉相關所有的句柄，/cache/recovery/block.map.tmp重名為/cache/recovery/block.map，fsync數據同步到磁盤。

static int uncrypt(const char* input_path, const char* map_file, const int socket) { LOG(INFO) << "update package is \"" << input_path << "\""; // Turn the name of the file we're supposed to convert into an absolute path, so we can find // what filesystem it's on. char path[PATH_MAX+1]; if (realpath(input_path, path) == nullptr) { PLOG(ERROR) << "failed to convert \"" << input_path << "\" to absolute path"; return kUncryptRealpathFindError; } bool encryptable; bool encrypted; bool f2fs_fs; const char* blk_dev = find_block_device(path, &encryptable, &encrypted, &f2fs_fs); if (blk_dev == nullptr) { LOG(ERROR) << "failed to find block device for " << path; return kUncryptBlockDeviceFindError; } // If the filesystem it's on isn't encrypted, we only produce the // block map, we don't rewrite the file contents (it would be // pointless to do so). LOG(INFO) << "encryptable: " << (encryptable ? "yes" : "no"); LOG(INFO) << " encrypted: " << (encrypted ? "yes" : "no"); // Recovery supports installing packages from 3 paths: /cache, // /data, and /sdcard. (On a particular device, other locations // may work, but those are three we actually expect.) // // On /data we want to convert the file to a block map so that we // can read the package without mounting the partition. On /cache // and /sdcard we leave the file alone. if (strncmp(path, "/data/", 6) == 0) { LOG(INFO) << "writing block map " << map_file; return produce_block_map(path, map_file, blk_dev, encrypted, f2fs_fs, socket); } return 0; }

uncrypt的函數接口:

 （1）獲取升級包的絕對路徑

（2）通過升級包路徑，獲取升級包存儲的device（/dev/block/data）

（3）判斷路徑，如果存儲在/data 分區，則調用produce_block_map函數生成block.map

static void log_uncrypt_error_code(UncryptErrorCode error_code) { if (!android::base::WriteStringToFile(android::base::StringPrintf( "uncrypt_error: %d\n", error_code), UNCRYPT_STATUS)) { PLOG(WARNING) << "failed to write to " << UNCRYPT_STATUS; } }

把uncrypt的錯誤code寫到/cache/recovery/uncrypt_status

static bool uncrypt_wrapper(const char* input_path, const char* map_file, const int socket) { // Initialize the uncrypt error to kUncryptErrorPlaceholder. log_uncrypt_error_code(kUncryptErrorPlaceholder); std::string package; if (input_path == nullptr) { if (!find_uncrypt_package(UNCRYPT_PATH_FILE, &package)) { write_status_to_socket(-1, socket); // Overwrite the error message. log_uncrypt_error_code(kUncryptPackageMissingError); return false; } input_path = package.c_str(); } CHECK(map_file != nullptr); auto start = std::chrono::system_clock::now(); int status = uncrypt(input_path, map_file, socket); std::chrono::duration<double> duration = std::chrono::system_clock::now() - start; int count = static_cast<int>(duration.count()); std::string uncrypt_message = android::base::StringPrintf("uncrypt_time: %d\n", count); if (status != 0) { // Log the time cost and error code if uncrypt fails. uncrypt_message += android::base::StringPrintf("uncrypt_error: %d\n", status); if (!android::base::WriteStringToFile(uncrypt_message, UNCRYPT_STATUS)) { PLOG(WARNING) << "failed to write to " << UNCRYPT_STATUS; } write_status_to_socket(-1, socket); return false; } if (!android::base::WriteStringToFile(uncrypt_message, UNCRYPT_STATUS)) { PLOG(WARNING) << "failed to write to " << UNCRYPT_STATUS; } write_status_to_socket(100, socket); return true; } 

uncrypt功能的入口函數， 根據 input_path 指定路徑的升級包（如果input_path為空， 讀取/cache/recovery/uncrypt_file），生成map_file文件。

static bool clear_bcb(const int socket) { std::string err; if (!clear_bootloader_message(&err)) { LOG(ERROR) << "failed to clear bootloader message: " << err; write_status_to_socket(-1, socket); return false; } write_status_to_socket(100, socket); return true; } static bool setup_bcb(const int socket) { // c5. receive message length int length; if (!android::base::ReadFully(socket, &length, 4)) { PLOG(ERROR) << "failed to read the length"; return false; } length = ntohl(length); // c7. receive message std::string content; content.resize(length); if (!android::base::ReadFully(socket, &content[0], length)) { PLOG(ERROR) << "failed to read the message"; return false; } LOG(INFO) << " received command: [" << content << "] (" << content.size() << ")"; std::vector<std::string> options = android::base::Split(content, "\n"); std::string wipe_package; for (auto& option : options) { if (android::base::StartsWith(option, "--wipe_package=")) { std::string path = option.substr(strlen("--wipe_package=")); if (!android::base::ReadFileToString(path, &wipe_package)) { PLOG(ERROR) << "failed to read " << path; return false; } option = android::base::StringPrintf("--wipe_package_size=%zu", wipe_package.size()); } } // c8. setup the bcb command std::string err; if (!write_bootloader_message(options, &err)) { LOG(ERROR) << "failed to set bootloader message: " << err; write_status_to_socket(-1, socket); return false; } if (!wipe_package.empty() && !write_wipe_package(wipe_package, &err)) { PLOG(ERROR) << "failed to set wipe package: " << err; write_status_to_socket(-1, socket); return false; } // c10. send "100" status write_status_to_socket(100, socket); return true; }

uncrypt --clear-bcb  清除bcb數據

uncrypt --setup-bcb 設置bcb數據

static void usage(const char* exename) { fprintf(stderr, "Usage of %s:\n", exename); fprintf(stderr, "%s [<package_path> <map_file>] Uncrypt ota package.\n", exename); fprintf(stderr, "%s --clear-bcb Clear BCB data in misc partition.\n", exename); fprintf(stderr, "%s --setup-bcb Setup BCB data by command file.\n", exename); } int main(int argc, char** argv) { ...... }

usage 與 main 函數就不再解釋了，沒啥好解釋的了，到此uncrypt.cpp所有的功能函數都解釋了。

 

我們使用uncrypt生成一個block.map試試

uncrypt /data/ota.zip /cache/recovery/block.map 

console:/ # cat /cache/recovery/block.map /dev/block/data 352268727 4096 7 1098851 1098867 38064 38080 38112 38144 38208 38400 43520 63744 65536 98304 100352 133108

即把/data/ota.zip 生成了 /cache/recovery/block.map文件， 通過/cache/recovery/block.map中的block稀疏描述，就可以獲取升級包升級了。