ANDROID BOOTUP PROCESS

SHIBIN GEORGE

Date last updated 112017

AGENDA

bull ANDROID BOOTLOADER

bull KERNEL BOOTUP PROCESS

bull INIT

bull SERVICEMANAGER

bull ZYGOTE

bull SYSTEM-SERVER

bull LAUNCHER

bull BOOTANIMATION

bull BOOT_COMPLETED

httpswwwlinkedincominsg1993 2georgeshibin1993gmailcom

BOOTUP OVERVIEW

ANDROID BOOTLOADERbull (L)ittle (K)ernel based Android bootloader

bull Android bootloader is developed on top of an open source project on kernelorg ndash named (L)ittle(K)ernel project

bull It does hardware initialization reading the Linux kernel amp ramdisk loading it up to RAM setting up initial registers and command line arguments for Linux kernel and jumps to the kernel

bull For normal bootup mode lk loads bootimg and for recovery mode it loads recoveryimg

bull UEFI-ABL is used as Bootloader for recent chipsets

httpswwwlinkedincominsg1993 4georgeshibin1993gmailcom

KERNEL BOOTUP PROCESS

bull Boot image is a raw partition ie there is no underlying filesystem like ext4FAT

bull Boot image(bootimg) = The kernel binary + ramdisk The bootloader loads kernel binary onto memory and then executes it

bull The first hardware independent piece of code that runs in kernel is start_kernel()

bull start_kernel() initializes various kernel subsystems and data structures These include the scheduler memory zones time keeping and so on

bull At the end of start_kernel() rest_init() is invoked

bull In rest_init() we start a kernel thread(kernel_init) that eventually becomes lsquoinitrsquo (with pid=1)

httpopengrokqualcommcomsourcexrefLAUM00kernelmsm-318initmainc396

static noinline void __init_refok rest_init(void)

int pid rcu_scheduler_starting()

smpboot_thread_init() s

We need to spawn init first so that it obtains pid 1 however

the init task will end up wanting to create kthreads which if

we schedule it before we create kthreadd will OOPS

kernel_thread(kernel_init NULL CLONE_FS)

httpswwwlinkedincominsg1993 5georgeshibin1993gmailcom

AGENDA

bull ANDROID BOOTLOADER

bull KERNEL BOOTUP PROCESS

bull INIT

bull SERVICEMANAGER

bull ZYGOTE

bull SYSTEM-SERVER

bull LAUNCHER

bull BOOTANIMATION

bull BOOT_COMPLETED

httpswwwlinkedincominsg1993 2georgeshibin1993gmailcom

BOOTUP OVERVIEW

ANDROID BOOTLOADERbull (L)ittle (K)ernel based Android bootloader

bull Android bootloader is developed on top of an open source project on kernelorg ndash named (L)ittle(K)ernel project

bull It does hardware initialization reading the Linux kernel amp ramdisk loading it up to RAM setting up initial registers and command line arguments for Linux kernel and jumps to the kernel

bull For normal bootup mode lk loads bootimg and for recovery mode it loads recoveryimg

bull UEFI-ABL is used as Bootloader for recent chipsets

httpswwwlinkedincominsg1993 4georgeshibin1993gmailcom

KERNEL BOOTUP PROCESS

bull Boot image is a raw partition ie there is no underlying filesystem like ext4FAT

bull Boot image(bootimg) = The kernel binary + ramdisk The bootloader loads kernel binary onto memory and then executes it

bull The first hardware independent piece of code that runs in kernel is start_kernel()

bull start_kernel() initializes various kernel subsystems and data structures These include the scheduler memory zones time keeping and so on

bull At the end of start_kernel() rest_init() is invoked

bull In rest_init() we start a kernel thread(kernel_init) that eventually becomes lsquoinitrsquo (with pid=1)

httpopengrokqualcommcomsourcexrefLAUM00kernelmsm-318initmainc396

static noinline void __init_refok rest_init(void)

int pid rcu_scheduler_starting()

smpboot_thread_init() s

We need to spawn init first so that it obtains pid 1 however

the init task will end up wanting to create kthreads which if

we schedule it before we create kthreadd will OOPS

kernel_thread(kernel_init NULL CLONE_FS)

httpswwwlinkedincominsg1993 5georgeshibin1993gmailcom

BOOTUP OVERVIEW

ANDROID BOOTLOADERbull (L)ittle (K)ernel based Android bootloader

bull Android bootloader is developed on top of an open source project on kernelorg ndash named (L)ittle(K)ernel project

bull It does hardware initialization reading the Linux kernel amp ramdisk loading it up to RAM setting up initial registers and command line arguments for Linux kernel and jumps to the kernel

bull For normal bootup mode lk loads bootimg and for recovery mode it loads recoveryimg

bull UEFI-ABL is used as Bootloader for recent chipsets

httpswwwlinkedincominsg1993 4georgeshibin1993gmailcom

KERNEL BOOTUP PROCESS

bull Boot image is a raw partition ie there is no underlying filesystem like ext4FAT

bull Boot image(bootimg) = The kernel binary + ramdisk The bootloader loads kernel binary onto memory and then executes it

bull The first hardware independent piece of code that runs in kernel is start_kernel()

bull start_kernel() initializes various kernel subsystems and data structures These include the scheduler memory zones time keeping and so on

bull At the end of start_kernel() rest_init() is invoked

bull In rest_init() we start a kernel thread(kernel_init) that eventually becomes lsquoinitrsquo (with pid=1)

httpopengrokqualcommcomsourcexrefLAUM00kernelmsm-318initmainc396

static noinline void __init_refok rest_init(void)

int pid rcu_scheduler_starting()

smpboot_thread_init() s

We need to spawn init first so that it obtains pid 1 however

the init task will end up wanting to create kthreads which if

we schedule it before we create kthreadd will OOPS

kernel_thread(kernel_init NULL CLONE_FS)

httpswwwlinkedincominsg1993 5georgeshibin1993gmailcom

ANDROID BOOTLOADERbull (L)ittle (K)ernel based Android bootloader

bull Android bootloader is developed on top of an open source project on kernelorg ndash named (L)ittle(K)ernel project

bull It does hardware initialization reading the Linux kernel amp ramdisk loading it up to RAM setting up initial registers and command line arguments for Linux kernel and jumps to the kernel

bull For normal bootup mode lk loads bootimg and for recovery mode it loads recoveryimg

bull UEFI-ABL is used as Bootloader for recent chipsets

httpswwwlinkedincominsg1993 4georgeshibin1993gmailcom

KERNEL BOOTUP PROCESS

bull Boot image is a raw partition ie there is no underlying filesystem like ext4FAT

bull Boot image(bootimg) = The kernel binary + ramdisk The bootloader loads kernel binary onto memory and then executes it

bull The first hardware independent piece of code that runs in kernel is start_kernel()

bull start_kernel() initializes various kernel subsystems and data structures These include the scheduler memory zones time keeping and so on

bull At the end of start_kernel() rest_init() is invoked

bull In rest_init() we start a kernel thread(kernel_init) that eventually becomes lsquoinitrsquo (with pid=1)

httpopengrokqualcommcomsourcexrefLAUM00kernelmsm-318initmainc396

static noinline void __init_refok rest_init(void)

int pid rcu_scheduler_starting()

smpboot_thread_init() s

We need to spawn init first so that it obtains pid 1 however

the init task will end up wanting to create kthreads which if

we schedule it before we create kthreadd will OOPS

kernel_thread(kernel_init NULL CLONE_FS)

httpswwwlinkedincominsg1993 5georgeshibin1993gmailcom

KERNEL BOOTUP PROCESS

bull Boot image is a raw partition ie there is no underlying filesystem like ext4FAT

bull Boot image(bootimg) = The kernel binary + ramdisk The bootloader loads kernel binary onto memory and then executes it

bull The first hardware independent piece of code that runs in kernel is start_kernel()

bull start_kernel() initializes various kernel subsystems and data structures These include the scheduler memory zones time keeping and so on

bull At the end of start_kernel() rest_init() is invoked

bull In rest_init() we start a kernel thread(kernel_init) that eventually becomes lsquoinitrsquo (with pid=1)

httpopengrokqualcommcomsourcexrefLAUM00kernelmsm-318initmainc396

static noinline void __init_refok rest_init(void)

int pid rcu_scheduler_starting()

smpboot_thread_init() s

We need to spawn init first so that it obtains pid 1 however

the init task will end up wanting to create kthreads which if

we schedule it before we create kthreadd will OOPS

kernel_thread(kernel_init NULL CLONE_FS)

httpswwwlinkedincominsg1993 5georgeshibin1993gmailcom

KERNEL BOOTUP PROCESS

bull Kernel_init at do_mountsc mounts ramdisk at lsquorsquo (root location) this is where init binary and other init scripts reside

bull This thread tries to execute init (thefirst user-mode process) in the following order init sbininit etcinit bininit and binsh If all fail kernel panics

bull But what happens to the thread that spawned init

bull That thread is known as the sched or swapper thread and has pid 0 (it does not appear in ps output but does appear as ppid of init) At the end of rest_init() this thread calls schedule() (to kickstart task scheduling) Then it enters idle loop here

httpopengrokqualcommcomsourcexrefLAUM00kernelmsm-318initmainc950

if (ramdisk_execute_command)

ret = run_init_process(ramdisk_execute_command)

We try each of these until one succeeds

The Bourne shell can be used instead of init if we are

trying to recover a really broken machine

if (try_to_run_init_process(sbininit) ||

try_to_run_init_process(etcinit) ||

try_to_run_init_process(bininit) ||

try_to_run_init_process(binsh))

return 0

panic(No working init found Try passing init= option to kernel

See Linux Documentationinittxt for guidance)

httpswwwlinkedincominsg1993 6georgeshibin1993gmailcom

bull The init processrsquos code resides here systemcoreinit

bull Basically all init does is the seemingly simple task of starting servicesdaemons and restarting some in case they are stopped It reads some configuration files ie rc files to figure out what to do when The rc files are written in initrsquos own language

bull The Android Init Language consists of five broad classes of statements - Actions Commands Services Options and Imports

INIT

httpswwwlinkedincominsg1993 7georgeshibin1993gmailcom

INIT RC FILE LINGObull Services are definitions of servicesdaemons etc that you want init to run

bull These are generally run when certain events are triggered

bull Options are modifiers to services Some important modifiers are-

bull critical ndash If it exits more than four times in four minutes the device will reboot into recovery mode (example critical)

bull disabled - This service will not automatically start with its class (ex bootanim)

bull socket ndash a socket at devsocketname will be created when the service starts (example devsocketzygote)

bull oneshot ndash Do not restart the service if it exits Most of important services will NOT have this modifier

bull class ndash 3 major classes of services ndash coremainlate-start

bull onrestart ndash execute the command following this when service restarts (example in zygotersquos rc onrestart restart cameraserver)

httpswwwlinkedincominsg1993 8georgeshibin1993gmailcom

INIT RC FILE LINGObull Triggers are strings which are used to match certain events

bull on ltpatterngt lthelliphellipgt - if the pattern is triggered by someone this is executed (ex on early-init)

bull on propertya=b ndash command is executed when property a is set to b

bull Commands are executed when predefined events are triggered (ie on lttriggergt)

bull trigger write chmod chown start stop restart setprop etc

bull Actions are of the form

bull For an action to be executed it is therefore necessary for an event to be triggered

bull Import statements are used to tell init to parse rc files present in different locations

on lttriggergt

ltcommandgt

ltcommandgt

ltcommandgt

httpswwwlinkedincominsg1993 9georgeshibin1993gmailcom

INIT

httpandroidxrefcom700_r1xrefsystemcorerootdirinitrc

on late-inittrigger early-fstrigger fstrigger post-fshelliptrigger early-boottrigger boot

on bootsetprop nettcpdefault_init_rwnd 60class_start core

httpswwwlinkedincominsg1993 10georgeshibin1993gmailcom

INIT RC FILE LINGObull Triggers are strings which are used to match certain events

bull on ltpatterngt lthelliphellipgt - if the pattern is triggered by someone this is executed (ex on early-init)

bull on propertya=b ndash command is executed when property a is set to b

bull Commands are executed when predefined events are triggered (ie on lttriggergt)

bull trigger write chmod chown start stop restart setprop etc

bull Actions are of the form

bull For an action to be executed it is therefore necessary for an event to be triggered

bull Import statements are used to tell init to parse rc files present in different locations

on lttriggergt

ltcommandgt

ltcommandgt

ltcommandgt

httpswwwlinkedincominsg1993 9georgeshibin1993gmailcom

INIT

httpandroidxrefcom700_r1xrefsystemcorerootdirinitrc

on late-inittrigger early-fstrigger fstrigger post-fshelliptrigger early-boottrigger boot

on bootsetprop nettcpdefault_init_rwnd 60class_start core

httpswwwlinkedincominsg1993 10georgeshibin1993gmailcom

INIT

httpandroidxrefcom700_r1xrefsystemcorerootdirinitrc

on late-inittrigger early-fstrigger fstrigger post-fshelliptrigger early-boottrigger boot

on bootsetprop nettcpdefault_init_rwnd 60class_start core

httpswwwlinkedincominsg1993 10georgeshibin1993gmailcom

INITbull After some initial setup init first proceeds to parse initrc which is the primary rc file

bull All the other rc files are parsed using import statements in initrc

bull Once parsing is done to kickstart execution of servicesdaemons a few triggers have to be explicitly triggered by init itself

bull The first one of these is early-init

bull early-init is the cue to start ueventd for instance as defined in initrc

bull Init now has to start native daemonsservices like Surfaceflinger vold servicemanager healthd etc

httpandroidxrefcom700_r1xrefsystemcoreinitinitcpp688

parserParseConfig(initrc)

hellip

amQueueEventTrigger(early-init)

httpopengrokqualcommcomsourcexrefLAUM00systemcorerootdirinitrc13

on early-init

hellip

start ueventd

httpswwwlinkedincominsg1993 11georgeshibin1993gmailcom

INITbull Init also explicitly triggers event init and late-init When late-init is triggered it triggers event fs which is

when init parses fstab(qcom) entries to mount remaining partitions (system data misc) here

bull After that init basically runs in an infinite while loop on the lookout for services that might need restarting here

bull Among the services started by init one is particularly important for IPC to happen

bull Lets find out more about ServiceManager

httpopengrokqualcommcomsourcexrefLAUM00deviceqcommsm8937_64inittargetrc42

on fs

hellip

mount_all fstabqcom

httpswwwlinkedincominsg1993 12georgeshibin1993gmailcom

A LITTLE SOMETHING ABOUT SERVICEMANAGER

bull Binder is the core of Android and forms the foundation of the IPC mechanism

bull OpenBinder was developed by Be Inc (later Palm Inc) (Tidbit Palm Inc designed the worldrsquos first PDA and one of the first smartphones)

bull Google developed the Binder framework for Android on the basis of OpenBinder

bull OpenBinder allows processes to present interfaces which may be called by other threads Each process maintains a thread pool which may be used to service such requests

bull In OpenBinder an entity called context manager exists maintains all services handles and returns the service handle to client on request

httpswwwlinkedincominsg1993 13georgeshibin1993gmailcom

A LITTLE SOMETHING ABOUT SERVICEMANAGER

bull If a client wants to publishadd a service it has to invoke an entity called context manager If a client wants to get a reference to a service it again has to query the context manager

bull The Context Manager in Android is called the ServiceManager

bull Since ServiceManager is essential for IPC in android it is started as a ldquocriticalrdquo service

bull Source-code at - frameworksnativecmdsservicemanager

bull During initialization ServiceManager itself calls binder_become_context_manager() to inform the binder driver that it is the contextManager

httpswwwlinkedincominsg1993 14georgeshibin1993gmailcom

A LITTLE SOMETHING ABOUT SERVICEMANAGER

bull The kernel binder driver on receiving this ioctl creates a binder node 0

bull Once this is done clients can now query ServiceManager Internally this happens via ioctl(fd paramscmd=GET srv=ldquoSERVICE_NAMErdquo target=0 hellip)

httpopengrokqualcommcomsourcexrefLAUM00kernelmsm-

318driversstagingandroidbinderc2729

binder_context_mgr_node = binder_new_node(proc 0 0)

httpopengrokqualcommcomsourcexrefLAUM00frameworksnativecmdsservicemanagerbinder

c146

int binder_become_context_manager(struct binder_state bs)

return ioctl(bs-gtfd BINDER_SET_CONTEXT_MGR 0)

httpswwwlinkedincominsg1993 15georgeshibin1993gmailcom

A LITTLE SOMETHING ABOUT SERVICEMANAGER01-01 071603022 0 0 I init Starting service ueventd

01-01 071604958 0 0 I init Starting service logd

01-01 071606345 0 0 I init Starting service vold

01-01 071606871 0 0 I init Starting service exec 1 (systembintzdatacheck)

01-01 071608191 0 0 I init Starting service exec 2 (initqcomearly_bootsh)

01-01 071609225 0 0 I init Starting service healthd

01-01 071609290 0 0 I init Starting service cs-early-boot

01-01 071609296 0 0 I init Starting service esepmdaemon

01-01 071609302 0 0 I init Starting service qcom-usb-sh

01-01 071609309 0 0 I init Starting service qseecomd

01-01 071609315 0 0 I init Starting service per_mgr

01-01 071609321 0 0 I init Starting service lmkd

01-01 071609327 0 0 I init Starting service servicemanager01-01 071609335 0 0 I init Starting service surfaceflinger

01-01 071610101 0 0 I init Starting service bootanim

01-01 071612563 0 0 I init Starting service logd-reinit

01-01 071612777 0 0 I init Starting service exec 4 (systembintzdatacheck)

01-01 071612903 0 0 I init Starting service carrier_switcher

01-01 071612911 0 0 I init Starting service exec 5 (systembinbootstat)

01-01 071612977 0 0 I init Starting service qcomsysd

01-01 071612983 0 0 I init Starting service qcom-c_main-sh

01-01 071612990 0 0 I init Starting service cnd

01-01 071612996 0 0 I init Starting service ptt_socket_app

01-01 071613002 0 0 I init Starting service cnss_diag

01-01 071613028 0 0 I init Starting service thermal-engine

01-01 071613034 0 0 I init Starting service wcnss-service

01-01 071613041 0 0 I init Starting service imsstarter

01-01 071613048 0 0 I init Starting service adsprpcd

01-01 071613054 0 0 I init Starting service hvdcp_opti

01-01 071613062 0 0 I init Starting service zygote01-01 071613069 0 0 I init Starting service zygote_secondary

httpswwwlinkedincominsg1993 16georgeshibin1993gmailcom

INITZYGOTE - STARTUP

bull Just like init is parent of all init-services system-server amp every app is spawned by zygote An executable called app_process(3264) is executed which is then known to others as zygote

bull It belongs to main class of services ie if userdata-encryption is enabled once you enter password zygote is restarted

httpandroidxrefcom700_r1xrefsystemcorerootdirinitzygote64_32rc

service zygote systembinapp_process64 -Xzygote systembin --zygote --start-system-server --socket-name=zygote

class main

socket zygote stream 660 root system

onrestart write sysandroid_powerrequest_state wake

onrestart write syspowerstate on

onrestart restart audioserver

onrestart restart cameraserver

onrestart restart media

onrestart restart netd

writepid devcpusetforegroundtasks sysfscgroupstuneforegroundtasks

service zygote_secondary systembinapp_process32 -Xzygote systembin --zygote --socket-name=zygote_secondary

class main

socket zygote_secondary stream 660 root system

onrestart restart zygote

writepid devcpusetforegroundtasks devstuneforegroundtasks

httpswwwlinkedincominsg1993 17georgeshibin1993gmailcom

INITZYGOTE - STARTUP

bull Just like init is parent of all init-services system-server amp every app is spawned by zygote An executable called app_process(3264) is executed which is then known to others as zygote

bull It belongs to main class of services ie if userdata-encryption is enabled once you enter password zygote is restarted

httpandroidxrefcom700_r1xrefsystemcorerootdirinitzygote64_32rc

service zygote systembinapp_process64 -Xzygote systembin --zygote --start-system-server --socket-name=zygote

class main

socket zygote stream 660 root system

onrestart write sysandroid_powerrequest_state wake

onrestart write syspowerstate on

onrestart restart audioserver

onrestart restart cameraserver

onrestart restart media

onrestart restart netd

writepid devcpusetforegroundtasks sysfscgroupstuneforegroundtasks

service zygote_secondary systembinapp_process32 -Xzygote systembin --zygote --socket-name=zygote_secondary

class main

socket zygote_secondary stream 660 root system

onrestart restart zygote

writepid devcpusetforegroundtasks devstuneforegroundtasks

httpswwwlinkedincominsg1993 17georgeshibin1993gmailcom

ZYGOTE

bull App_process is a native proc (written in C++) Source for app_process resides here

bull ndashzygote option passed is to rename the process name from app_process to zygote here

bull comandroidinternalosZygoteInitjava is called (through runtimestart()) which starts systemServer and then polls

bull ndashstart-system_server option passed makes the zygote spawn system_server

bull Zygote uses an entity called ldquoAndroidRuntimerdquo that starts a VM to run Java Runtimestart() starts a new virtual machine As you know all code written in Java runs in a VM

bull Interesting tidbit the main() of ZygoteInitjava is the first piece of Java code that runs since the device was turned on (Reason is that this is the first time VM was created and java bytecode runs in VM)

httpandroidxrefcom700_r1xrefframeworksbasecmdsapp_processapp_maincpp306

if (zygote)

runtimestart(comandroidinternalosZygoteInit args zygote)

httpandroidxrefcom700_r1xrefframeworksbasecorejavacomandroidinternalosZygoteInitjava746

if (startSystemServer)

startSystemServer(abiList socketName)

httpswwwlinkedincominsg1993 18georgeshibin1993gmailcom

ZYGOTE

bull The most important reason behind Zygotersquos existence can be summarized in this one line of code

bull Zygote preloads classes (as in java class files) resources some shared libraries (so files) etc

bull You can find the list of these classes to be preloaded here on your device at systemetcpreloaded-classes Zygote reads this file here

bull On my device running Android Nougat the total number of preloaded classes alone is 4165 to be exact

httpandroidxrefcom700_r1xrefframeworksbasecorejavacomandroidinternalosZygoteInitjava722

preload()

httpswwwlinkedincominsg1993 19georgeshibin1993gmailcom

ZYGOTE

bull So how exactly is preloading helping

bull To know this we come back to one of the important tasks of zygote ie spawning each and every single application process (remember it is the parent process of all application processes)

bull After starting system_server zygote runs in an infinite while loop here

bull It keeps on polling a socket ndash devsocketzygote When you launch an application the request to create a new process comes from system_server to Zygote on this socket The call reaches hereand then it executes a fork system call as shown below

httpandroidxrefcom700_r1xrefframeworksbasecorejavacomandroidinternalosZygoteConnectionjava225

pid = ZygoteforkAndSpecialize(parsedArgsuid parsedArgsgid parsedArgsgids

parsedArgsdebugFlags rlimits parsedArgsmountExternal parsedArgsseInfo

parsedArgsniceName fdsToClose parsedArgsinstructionSet

parsedArgsappDataDir)

httpswwwlinkedincominsg1993 20georgeshibin1993gmailcom

ZYGOTEbull Here is where you will appreciate the virtue of a great design

bull When a process forks it creates a clone of itself It replicates itself in another memory space When this happens to Zygote it creates a clean new Dalvik VM preloaded with all necessary classes and resources that any App will need (the same 4165 I mentioned earlier)

bull Except that it is never copied

bull You see the Linux Kernel implements a strategy called Copy On Write (COW) With COW Linux doesnrsquot actually copy anything Instead it maps the pages of the new process over to those of the parent process and makes copies only when the new process writes to a page But the classeslibrariesresources preloaded by Zygote are all read-only and not modified by any application This means that all processes forked from Zygote are using the exact same copy of the system classes and resources till EOL These preloaded objects live in the Zygote heap

bull This is what saves the time when apps are launched Also the memory saved is worth mentioning as no matter how many applications are started only one copy of the system classes and the resources is ever loaded in RAM

bull Personally I think the reason we still need Zygote (and cannot be replaced by system_server) is because we would like a process that does almost nothing other than fork() so that COW can do its magic Something like system_server would be counterproductive as its own heap and loaded classes would be huge

httpswwwlinkedincominsg1993 21georgeshibin1993gmailcom

ZYGOTEbull Thats pretty much what Zygote does during its lifetime Lets move onto system_server Notice the class name passed

as argument to Zygotersquos fork call for system_server

bull Just like in Zygotersquos case the AndroidRuntime knows how to execute the main() function in comandroidserverSystemServerjava

httpandroidxrefcom700_r1xrefframeworksbasecorejavacomandroidinternalosZygoteInitjava632

String args[] =

--setuid=1000

--setgid=1000

--setgroups=10011002100310041005100610071008100910101018102110323001300230033006300730093010

--capabilities= + capabilities + + capabilities

--nice-name=system_server

--runtime-args

comandroidserverSystemServer

httpandroidxrefcom700_r1xrefframeworksbaseservicesjavacomandroidserverSystemServerjava205

The main entry point from zygote

public static void main(String[] args)

new SystemServer()run()

httpswwwlinkedincominsg1993 22georgeshibin1993gmailcom

ZYGOTEbull Thats pretty much what Zygote does during its lifetime Lets move onto system_server Notice the class name passed

as argument to Zygotersquos fork call for system_server

bull Just like in Zygotersquos case the AndroidRuntime knows how to execute the main() function in comandroidserverSystemServerjava

httpandroidxrefcom700_r1xrefframeworksbasecorejavacomandroidinternalosZygoteInitjava632

String args[] =

--setuid=1000

--setgid=1000

--setgroups=10011002100310041005100610071008100910101018102110323001300230033006300730093010

--capabilities= + capabilities + + capabilities

--nice-name=system_server

--runtime-args

comandroidserverSystemServer

httpandroidxrefcom700_r1xrefframeworksbaseservicesjavacomandroidserverSystemServerjava205

The main entry point from zygote

public static void main(String[] args)

new SystemServer()run()

httpswwwlinkedincominsg1993 22georgeshibin1993gmailcom

SYSTEM-SERVERbull The run() of system_server starts bootstrap-services core-services and some other services

bull Bootstrap-services are a small number of critical services

bull These are ActivityManagerService PowerManagerService DisplayManagerService PackageManagerService UserManagerService and sSensorService Bootstrap services are started almost together as they have internal dependencies with each other

bull Core services are some essential services that do not have dependencies on bootstrap services so can be started some time later One of these is the WindowManagerService

bull After that a couple of services which are not as critical as the above two classes Infact some of them even need not be started for device bootup

httpandroidxrefcom700_r1xrefframeworksbaseservicesjavacomandroidserverSystemServerjava320

try

TracetraceBegin(TraceTRACE_TAG_SYSTEM_SERVER StartServices)

startBootstrapServices()

startCoreServices()

startOtherServices()

httpswwwlinkedincominsg1993 23georgeshibin1993gmailcom

SYSTEM-SERVERbull Later down the line after starting almost all of the criticalcore services the system_server

(ie its main thread) proceeds to notify ActivityManagerService that the system is now ready to execute third-party code (read apps) The ActivityManagerService does some initializations before it can start applications

bull The callback reaches back to system_server main thread where it starts the first app comandroidsystemui here (specifically SystemUiService of systemui component)

bull We are now mostly done with this thread of system_server (the main thread mainly deals with handling messages from other components and redirecting them)

httpandroidxrefcom700_r1xrefframeworksbaseservicesjavacomandroidserverSystemServerjava1275

mActivityManagerServicesystemReady(new Runnable()

Override

public void run()

hellip

try

startSystemUi(context)

catch (Throwable e)

reportWtf(starting System UI e)

httpswwwlinkedincominsg1993 24georgeshibin1993gmailcom

BOOTANIMATION

bull Wondering what is being displayed on the screen during this entire process

bull After init starts what you see is bootanimation

bull The bootanim is a service that displays the bootanimation and is started by init

bull The rc file is parsed by init during startup But init does not start it right away (Notice the disabled)

bull This also means that someone has to explicitly start bootanim This is done by SurfaceFlinger in its init()

httpandroidxrefcom700_r1xrefframeworksbasecmdsbootanimationbootanimrc

service bootanim systembinbootanimation

class core

user graphics

group graphics audio

disabled

oneshot

httpandroidxrefcom700_r1xrefframeworksbaseservicesjavacomandroidserverSystemServerjava1275

start boot animation

startBootAnim()

httpandroidxrefcom700_r1xrefframeworksnativeservicessurfaceflingerSurfaceFlingercpp506

void SurfaceFlingerstartBootAnim()

start boot animation

property_set(servicebootanimexit 0)

property_set(ctlstart bootanim)

httpswwwlinkedincominsg1993 25georgeshibin1993gmailcom

BOOTANIMATION

bull Note that SF doesnrsquot directly spawnfork a process Rather it sets a property ctlstart to bootanim

bull ctl is special because there is no actual property named ctlstartstop (it wonrsquot appear in getprop output)

bull Note the special handling of a property if the property_name starts with ctl

httpandroidxrefcom700_r1xrefsystemcoreinitproperty_servicecpp280

case PROP_MSG_SETPROP

hellip

if(memcmp(msgnamectl4) == 0)

hellip

if (check_control_mac_perms(msgvalue source_ctx ampcr))

handle_control_message((char) msgname + 4 (char) msgvalue)

hellip

else

if (check_mac_perms(msgname source_ctx ampcr))

property_set((char) msgname (char) msgvalue)

hellip

httpswwwlinkedincominsg1993 26georgeshibin1993gmailcom

LAUNCHER

bull When the call reaches init it starts the service which is assigned to ctlstart

bull So when SF sets ctlstart to bootanim init starts the service bootanim

bull Bootanim gets the media files from systemmediabootanimationzip

bull But who stops bootanim Lets get back to system_server to find that out

bull Remember we informed ActivityManagerService that we are ready to executelaunch 3rd party codeapplications here

bull AMS on executing this calls startHomeActivityLocked() Internally this sends an Intent with category IntentCATEGORY_HOME This intent category is special because if an app registers for this intent it means that the application is a Launcher-appHome-screen replacement app

bull On receving this intent Launcher is started as it had registered for the same (see Manifest)

bull Ok Launcher has started but you are still not seeing it on the display

httpswwwlinkedincominsg1993 27georgeshibin1993gmailcom

LAUNCHERbull For Launcher to be displayed bootanimation has to be stopped There is only one entity that can tell SF to stop

bootanim via a binder transaction ie WindowManagerService WindowManagerServicersquosperformEnableScreen() API needs to be invoked

httpandroidxrefcom700_r1xrefframeworksbaseservicescorejavacomandroidserverwmWindowManagerServicejava5866

if (mBootAnimationStopped)

Do this one time

TraceasyncTraceBegin(TraceTRACE_TAG_WINDOW_MANAGER Stop bootanim 0)

try

IBinder surfaceFlinger = ServiceManagergetService(SurfaceFlinger)

if (surfaceFlinger = null)

Slogi(TAG_WM TELLING SURFACE FLINGER WE ARE BOOTED)

Parcel data = Parcelobtain()

datawriteInterfaceToken(androiduiISurfaceComposer)

surfaceFlingertransact(IBinderFIRST_CALL_TRANSACTION BOOT_FINISHED

data null 0)

datarecycle()

catch (RemoteException ex)

Sloge(TAG_WM Boot completed SurfaceFlinger is dead)

mBootAnimationStopped = true

httpswwwlinkedincominsg1993 28georgeshibin1993gmailcom

bull So SF receives a binder call from WindowManagerService with the code IBinderFIRST_CALL_TRANSACTION SurfaceFlinger Binder IPC interface has defined the following

bull The call ultimately reaches bootFinished()

httpandroidxrefcom700_r1xrefframeworksnativeincludeguiISurfaceComposerh177

Note BOOT_FINISHED must remain this value it is called from

Java by ActivityManagerService

BOOT_FINISHED = IBinderFIRST_CALL_TRANSACTION

httpandroidxrefcom700_r1xrefframeworksnativeservicessurfaceflingerSurfaceFlingercpp292

void SurfaceFlingerbootFinished()

hellip

ALOGI(Boot is finished (ld ms) long(ns2ms(duration)) )

mBootFinished = true

stop boot animation

formerly we would just kill the process but we now ask it to exit so it

can choose where to stop the animation

property_set(servicebootanimexit 1)

httpswwwlinkedincominsg1993 29georgeshibin1993gmailcom

BOOTANIMATION

bull SF sets the property serviebootanim to 1 How does this stop bootanim

bull All this while since the time it was started bootanim has been executing playAnimation()

bull While doing so it also periodically calls checkExit()

bull On detecting that this property is set to 1 bootanim gracefully exits

httpandroidxrefcom700_r1xrefframeworksbasecmdsbootanimationBootAnimationcpp387

Allow surface flinger to gracefully request shutdown

char value[PROPERTY_VALUE_MAX]

property_get(servicebootanimexit value 0)

int exitnow = atoi(value)

if (exitnow)

requestExit()

if (mAudioPlayer = NULL)

mAudioPlayer-gtrequestExit()

httpswwwlinkedincominsg1993 30georgeshibin1993gmailcom

BOOT_COMPLETEDbull WindowManager invoked binder transaction to tell SF to stop bootanim

bull After that it calls ActivityManagerrsquos bootAnimationComplete() function

bull In ActivityManagerService finishBooting() is invoked where the property sysboot_completed is set to 1 This property is important because it is the ldquoofficialrdquo way of letting native-servicesdaemons know that boot is now complete

bull After this AMS tells UserController (which is a helper class for handling multi-user functionality) to send the 2 criticalimportant intents

bull Before you unlockswipe the lock screen the intent IntentACTION_LOCKED_BOOT_COMPLETED is sent here

bull Once the user is unlocked (by entering PINswiping-the-lock screen) the intent IntentACTION_BOOT_COMPLETED is sent here This intent is important because it lets Java-services3rd-party apps know that system boot-up is now officially complete and that user is now in the home screen

httpandroidxrefcom700_r1xrefframeworksbaseservicescorejavacomandroidserverwmWindowManagerServicejav

a5899

try

mActivityManagerbootAnimationComplete()

catch (RemoteException e)

httpswwwlinkedincominsg1993 31georgeshibin1993gmailcom

Aaaaand you are now in Home screen

httpswwwlinkedincominsg1993 32georgeshibin1993gmailcom

REFERENCES

bull My highlights on Karim Yaghmourrsquos famous book (Embedded Android) httpswwwsafaribooksonlinecomu001o000000YZt6HAATembedded-android9781449327958

bull Kernel boot process

bull httpduartesorggustavoblogpostkernel-boot-process

bull https0xaxgitbooksiolinux-insidescontentInitializationlinux-initialization-4html

bull httposr507docxinuoscomenPERFORMprocess_stateshtml

bull httpstackoverflowcomquestions464483why-do-we-need-a-swapper-task-in-linux

bull httpunixstackexchangecomquestions83322which-process-has-pid-0

bull BinderServiceManager

bull httpwwwmacrobugcomblog20071215decoding-a-service-call-in-android

bull httpwwwcubridorgblogdev-platformbinder-communication-mechanism-of-android-processes

bull httpwwwprogrameringcomaMjMyMDMwATQhtml

And most importantly httpandroidxrefcom700_r1xref

httpswwwlinkedincominsg1993 33georgeshibin1993gmailcom

REFERENCES

bull My highlights on Karim Yaghmourrsquos famous book (Embedded Android) httpswwwsafaribooksonlinecomu001o000000YZt6HAATembedded-android9781449327958

bull Kernel boot process

bull httpduartesorggustavoblogpostkernel-boot-process

bull https0xaxgitbooksiolinux-insidescontentInitializationlinux-initialization-4html

bull httposr507docxinuoscomenPERFORMprocess_stateshtml

bull httpstackoverflowcomquestions464483why-do-we-need-a-swapper-task-in-linux

bull httpunixstackexchangecomquestions83322which-process-has-pid-0

bull BinderServiceManager

bull httpwwwmacrobugcomblog20071215decoding-a-service-call-in-android

bull httpwwwcubridorgblogdev-platformbinder-communication-mechanism-of-android-processes

bull httpwwwprogrameringcomaMjMyMDMwATQhtml

And most importantly httpandroidxrefcom700_r1xref

httpswwwlinkedincominsg1993 33georgeshibin1993gmailcom

Thank You for reading this far

httpswwwlinkedincominsg1993 34

Disclaimer

Almost none (okay fine absolutely zilch) of the information that I put up is proprietary to Qualcomm Inc

Some of the source-code hyperlinks to Qualcommrsquos internal repository which is not accessible to others anyway

For all the other stuff I have provided Android-xref links and is openly accessible to all

However I wonrsquot vouch for the correctness of all information presented here Nope

You are welcome to correcteditpresent this material according to your needs

However it would be nice if you could shoot me a mail (at georgeshibin1993gmailcom) andor provide a

reference to the original material Just sayinghellip it would be nice

georgeshibin1993gmailcom