Android Internals
Android Montreal November 3rd 2010 Karim Yaghmour / @karimyaghmour
Overall Architecture System startup Linux Kernel Hardware Support Native User-Space Dalvik JNI System Server
Activity Manager Binder Stock Android Apps Hacking
�Overall Architecture
�Arch vs. Tools
SDK, Eclipse, .apk
Manifest: Perms / SDK ver.
.dex, ddms NDK, rootfs, initrc, adb GNU toolchain (fastboot)
�System Startup
Bootloader Kernel Init Zygote System Server Activity Manager Launcher (Home)
�Startup - Bootloader
CPU fetches first instruction from bootloader Bootloader boots kernel from flash:
0x0000038600000x000003900000:"misc" 0x0000039000000x000003e00000:"recovery" 0x000003e000000x000004300000:"boot" 0x0000043000000x00000c300000:"system" 0x00000c3000000x0000183c0000:"userdata" 0x0000183c00000x00001dd20000:"cache" 0x00001dd200000x00001df20000:"kpanic" 0x00001df200000x00001df60000:"dinfo" 0x00001df600000x00001dfc0000:"setupdata" 0x00001dfc00000x00001e040000:"splash1" 0x0000003000000x000001680000:"modem" From Acer Liquid-E Kernel /system /data /cache
�Startup - Kernel
Core kernel initialization Device drivers initialization Root filesystem mounting Execution of /init
�Startup - Init
Open, parses, and runs /init.rc:
Create mountpoints and mount filesystems Set up filesystem permissions Set OOM adjustments properties Start daemons:
adbd servicemanager (binder) vold netd rild app_process -Xzygote (Zygote) mediaserver ...
�Startup Zygote, etc.
app_main:
runtime.start(com.android.internal.os.Zygote, ...)
startVM() Call Zygote's main() preloadClasses() startSystemServer() ... magic ... Call SystemServer's run() Start all system services/managers Start ActivityManager: Send Intent.CATEGORY_HOME Launcher2 kicks in
�Linux Kernel Generic Features
�Linux Kernel - Androidisms
Wakelocks lowmem handler Binder RAM console Logger ...
�Hardware Support
Bluetooth GPS Wifi Display Keymaps and Keyboards Lights Backlight Keyboard Buttons Battery Notifications Attention Audio Camera Power Management Sensors Accelerometer Magnetic Field Orientation Gyroscope Light Pressure Temperature Proximity Radio Layer Interface BlueZ through D-BUS IPC (to avoid GPL contamination it seems) Manufacturer-provided libgps.so wpa_supplicant Std framebuffer driver (/dev/fb0) Std input event (/dev/event0) Manufacturer-provided liblights.so
Manufacturer-provided libaudio.so (could use ALSA underneath ... at least as illustrated in t Manufacturer-provided libcamera.so (could use V4L2 kernel driver underneath ... again as Wakelocks kernel patch Manufacturer-provided libsensors.so
Manufacturer-provided libril-<companyname>-<RIL version>.so
�Native User-Space
Rootfs:
/system /data
Libs: Bionic, SQLite, SSL, OpenGL|ES, Non-Posix: limited Pthreads support, no SysV IPC
Toolbox Daemons: vold, rild, netd, adbd, ...
�Dalvik
Sun-Java = Java language + JVM + JDK libs Android Java = Java language + Dalvik + Apache Harmony Target:
Slow CPU Relatively low RAM OS without swap space Battery powered
Now has JIT
�Dalvik's .dex files
JVM munches on .class files Dalvik munches on .dex files .dex file = .class files post-processed by dx utility Uncompressed .dex = 0.5 * Uncompressed .jar
�JNI Java Native Interface
Call gate for other languages, such as C, C++ Equivalent to .NET's pinvoke Usage: include and call native code from App Tools = NDK ... samples included Check out JNI Programmer's Guide and Specification - freely available PDF
�System Server
Entropy Service Power Manager Activity Manager Telephone Registry Package Manager Account Manager Content Manager System Content Providers Battery Service Lights Service Vibrator Service Alarm Manager Init Watchdog Sensor Service Window Manager Bluetooth Service Device Policy Status Bar Clipboard Service Input Method Service NetStat Service NetworkManagement Service Connectivity Service Throttle Service Accessibility Manager Mount Service Notification Manager Device Storage Monitor Location Manager Search Service DropBox Service Wallpaper Service Audio Service Headset Observer Dock Observer UI Mode Manager Service Backup Service AppWidget Service Recognition Service Status Bar Icons DiskStats Service ADB Settings Observer
�Activity Manager
Start new Activities, Services Fetch Content Providers Intent broadcasting OOM adj. maintenance Application Not Responding Ex. starting new app from Launcher: onClick(Launcher)->startActivity(Activity.java)>Binder->ActivityManagerService>startViaZygote(Process.java)->Socket->Zygote
�Binder
CORBA/COM-like IPC Data sent through parcels in transactions Kernel-supported mechanism Check /proc/binder/*
�Stock Android Apps from AOSP
/packages/apps AccountsAndSettings AlarmClock Bluetooth Browser Calculator Calendar Camera CertInstaller Contacts DeskClock Email Gallery HTMLViewer Launcher2 Mms Music PackageInstaller Protips Provision QuickSearchBox Settings SoundRecorder SpeechRecorder Stk VoiceDialer /packages/providers ApplicationProvider CalendarProvider ContactsProvider DownloadProvider DrmProvider GoogleContactsProvider MediaProvider TelephonyProvider UserDictionaryProvider /packages/inputmethods LatinIME OpenWnn PinyinIME
�Hacking
Source:
AOSP -- source.android.com / android.git.kernel.org Cyanogenmod -- www.cyanogenmod.com Moders sites ... aplenty ... repo / git fastboot recovery Kernel privilege escalation exploits -- one-click root ...
Tools:
�AOSP contents
bionic bootable build cts dalvik development device external frameworks hardware libcore ndk packages prebuilt sdk system C library replacement Reference bootloader Build system Compatibility Test Suite Dalvik VM Development tools Device-specific files and components Copy of external projects used by AOSP System services, android.*, Android-related cmds, etc. Hardware support libs Apache Harmony The NDK Stock Android apps, providers, etc. Prebuilt binaries The SDK pieces of the world that are the core of the embedded linux platform at the heart of Android.
