UP | HOME
../../

Android init

Table of Contents

1 Expectations of init

  1. Services (aka Daemons) are processes that should start early and be working until system shutdown.
  2. Start the services. Watch over them. Should they die (crash), restart.
  3. Dependencies: Start the services in a certain order

2 Linux Init

  1. Linux OS kernel invokes the first program (named init) and hence first process (pid == 1)
  2. /sbin/init standard location
  3. In the Linux/Unix world, there are many designs + implementations that can be used as "init": A few famous ones: System V, upstart, systemd.
  4. SystemD
    1. /sbin/init sym-linked to /lib/systemd/systemd
    2. % file /lib/systemd/systemd

      /lib/systemd/systemd: ELF 64-bit LSB shared object, x86-64, version 1
      (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
      BuildID[sha1]=aa6c50276fb566c9fd3a3b22dd4e3a69a9fc938a, for GNU/Linux
      3.2.0, stripped
      
  5. All inits are driven by their configuration files.

3 Android Init Overview

  1. Android's init is located at the volume-root ("/") level.
  2. Overall functionality matches that of Linux's init.
  3. Android's init is designed independantly of Linux's many inits.
  4. Android's init is written in C++.

3.2 init files on a Phone with Android [6.x.x]

  1. Note the prompt root@x5max:/. I am "logged" into my rooted Doogee X5Max phone using adb shell as root.
  2. root@x5max:/ # file init

    init: ELF executable, 32-bit LSB arm, static
    
    
  3. root@x5max:/ # ls -l *init*

    Wed Sep 27 10:44:43 EDT 2017
    -rwxr-x---   1 root   root   689208 1969-12-31 19:00 init
    -rwxr-x---   1 root   root      673 1969-12-31 19:00 init.aee.rc
    -rwxr-x---   1 root   root     9922 1969-12-31 19:00 init.aokp.rc
    -rwxr-x---   1 root   root     1112 1969-12-31 19:00 init.environ.rc
    -rwxr-x---   1 root   root     4458 1969-12-31 19:00 init.modem.rc
    -rwxr-x---   1 root   root    51738 1969-12-31 19:00 init.mt6580.rc
    -rwxr-x---   1 root   root    24962 1969-12-31 19:00 init.mt6580.usb.rc
    -rwxr-x---   1 root   root      476 1969-12-31 19:00 init.nvdata.rc
    -rwxr-x---   1 root   root     5358 1969-12-31 19:00 init.performance.rc
    -rwxr-x---   1 root   root     4247 1969-12-31 19:00 init.project.rc
    -rwxr-x---   1 root   root    29601 1969-12-31 19:00 init.rc
    -rwxr-x---   1 root   root     1327 1969-12-31 19:00 init.recovery.usb.rc
    -rwxr-x---   1 root   root      484 1969-12-31 19:00 init.supersu.rc
    -rwxr-x---   1 root   root      332 1969-12-31 19:00 init.superuser.rc
    -rwxr-x---   1 root   root     2091 1969-12-31 19:00 init.trace.rc
    -rwxr-x---   1 root   root     9283 1969-12-31 19:00 init.usb.configfs.rc
    -rwxr-x---   1 root   root     5339 1969-12-31 19:00 init.usb.rc
    -rwxr-x---   1 root   root      583 1969-12-31 19:00 init.xlog.rc
    -rwxr-x---   1 root   root      342 1969-12-31 19:00 init.zygote32.rc
    -rw-r--r--   1 root   root     1318 1969-12-31 19:00 meta_init.modem.rc
    -rw-r--r--   1 root   root      700 1969-12-31 19:00 meta_init.project.rc
    -rw-r--r--   1 root   root    14305 1969-12-31 19:00 meta_init.rc
    
  4. Do a similar listing on your own AVD/real device.
  5. Study init.rc
  6. For your curiosity: What is this 1969-12-31 19:00 ancient timestamp doing here?

4 Init Architecture

  1. Lecture using Init excerpts from Embedded Linux
    1. Configuration Files
    2. Property-based triggers
    3. Action commands.
    4. Service definitions
    5. Main init.rc
    6. ueventd

5 Analyzing Android Bootup

  1. https://developer.android.com/studio/command-line/logcat.html dumps a log of system messages, including stack traces when the device throws an error and messages written with the Log class.
  2. root@x5max:/ # logcat -d -b events | grep boot
  3. root@x5max:/ # logcat -d -b events | grep preload

5.1 Android Bootchart

  1. "Bootchart is a system designed to show a graphical display of the activity of a system during boot.
  2. http://elinux.org/Using_Bootchart_on_Android Describes how to use Bootchart with Android. Generating log files that can be processed by www.bootchart.org.

5.2 Analyzing Android Bootup #1: using strace

  1. You can use strace as a wrapper for a program in init.rc, and save the results to a file.
    1. Here is an example of using strace to follow the startup of zygote, and the apps that are forked from it.
    2. Read about the flags of strace: man strace

5.3 Analyzing Android Bootup #2: strace zygote

  1. Replace:

    service zygote /system/bin/app_process -Xzygote /system/bin\
       --zygote --start-system-server
    
    

    with

    service zygote /system/xbin/strace -f -tt\
       -o /cache/debug/boot.strace \
       /system/bin/app_process -Xzygote /system/bin\
       --zygote --start-system-server
    
    

6 Init Vulnerabilities

  1. Example: CVE-2013-6124: During the device start-up phase, several init shell scripts are executed with root privileges to configure various aspects of the system. During this process, standard toolchain commands such as chown or chmod are used to, e.g., change the owner of the sensor settings file to the system user. As these commands follow symbolic links (symlinks), an attacker with write access to these resources is able to conduct symlink attacks and thus change for example the owner of an arbitrary file to system. This flaw can be used to, e.g., elevate privileges.
  2. https://www.google.com/search?q=android+init+cve

7 References

  1. http://elinux.org/Android_Booting
  2. Karim Yaghmour, "Embedded Android", O'Reilly Media, Inc., 2013, 412 pp; WSU Safari Books Online 9781449327958; Android Init PDF excerpts, Chapter 6. Required Reading.
  3. Android Init Language, 201x. Describes the language. https://www.google.com/search?q=Android+Init+Language Web Search. Reference.

8 End


Copyright © 2019 www.wright.edu/~pmateti • 2019-03-14