Day 1 |
1. |
Introduction - The Android Architecture |
|
5-6 hours |
|
Introduction to the Android architecture. We discuss the design and implementation of the various subsystems, at a modular "black box" level, without going into the source code level (yet).
- Android features
- Android vs. Linux vs. Embedded Linux
- Filesystem layout and directories
- The Runtime Environment
- The Frameworks
- Dalvik (Java)
- Version differences - 1.5 through L (5.0) to Android T (13.0)
- User-Mode and Kernel-Mode Architecture
- Android Kernel modifications
- Recompiling the Kernel
|
2. |
Android's Hardware Abstraction Layer |
|
1 hours |
|
The Android Hardware Abstraction Layer is a key component in Android. It enables the operating system to be adapted to different devices. The basic devices of a phone or tablet - the leds, power, vibrator and others - are abstracted by libhardware into virtual hardware devices, and we discuss them here.
- The need for a hardware abstraction layer
- The basic devices
- Camera
- Flashlight
- GPS
- Leds
- Sensors
- Vibrator
- The User Event Daemon
- HAL stubs
- The last stretch - from HAL to the driver
- Android O HAL modifications ("Project Treble")
|
Day 2 |
3. |
Partitions & Filesystems |
|
2 hours |
|
Unlike in a PC or Mac, Android devices have upwards of 20 partitions, and sometimes even double that - with some dozen partitions for Android common across all devices, and the rest vendor dependent. We explore both types, focusing on maintaining the partitions, the files in them, and more.
- UFS vs. eMMC devices
- Device Partition Layout and the GPT
- Android standard partitions
- Vendor Specific Partitions (QCom, Samsung, MTK)
- A tour of the Android filesystems (/system, /vendor, /data)
|
|
System startup and initialization - Walk through the various stages, from boot loader through kernel startup to basic setup of user mode processes. We also describe the modification of the boot loaders.
- The Boot loader, and FastBoot
- Samsung Odin
- ARM TrustZone (32-bit) and ELx (64-bit)
- Kernel Startup
- User mode init - /init and /init.rc
- Boot-to-root: Rooting techniques by unlocking the bootloader
|
Day 3 |
6. |
Native Services |
|
2 hours |
|
Describing the native services started by init - we walk through each and every one of the AOSP services, as well as some common vendor ones. The list includes:
- adbd
- servicemanager
- healthd (K +)
- logd (L +)
- lmkd (L +)
- keystore
- keymaster (M +)
- zygote/app_process
- debuggerd
|
|
Android's IPC mechanism is based on Binder, with some UNIX domain sockets on the side. We detail the inner workings of Binder, including:
- IPC and RPC basics
- The servicemanager
- Binder by layers:
- Java: AIDL
- Frameworks: android.os.Binder
- Native level: libBinder, BBinder, BpBinder
- Kernel interface: ProcessState and IPCThreadState
- Kernel implementation: ioctl(2) codes and protocol
- hwbinder, vnbinder and other O improvements
- Other communication mechanisms: Sockets and socketpairs
Exercises include:
- Debugging and Tracing Binder IPC
|
8. |
The Input Architecture |
|
2 hours |
|
Android has a complex stack to manage various input sources, such as the touch screen, sensors, and external devices. This module traverses that stack, covering each layer in turn:
- The Linux Kernel Input Model
- The EventHub
- The InputReader
- The InputDispatcher
- The Activity Views
Exercises include:
- Injecting Events
- Monitoring and Capturing Input Events
|
Day 4 |
|
Google would have you believe that Dalvik, the virtual machine architecture, is no longer relevant now that L and later versions use the Android RunTime (ART) by default. This couldn't be further from the truth. In this module, we discuss:
- The Dalvik VM architecture
- The DEX file format
- The DEX OpCode and instruction format
- Optimizing DEX
- Reversing DEX
- Obfuscating DEX
- The JNI model
Exercises include:
- Using dexdump and dextra to reverse a Dalvik APK's classes.dex all the way to Java source
|
|
Since its inception as a "preview" in KitKat (4.4), ART has become the de facto standard for Android's application runtime. It has, however, changed with every version, up to and including the N Preview:
- The concepts behind ART
- Advantages over Dalvik
- The evolution - from 5.0 to the present day
- Reversing ART
- ART Memory Management
- Return of the (profiled) JIT
- The JNI implementation
|
Day 5 |
11. |
Android Kernel tweaks |
|
1 hours |
|
Android is, at the kernel level, almost identical to the common Linux kernel. There are, however, idiosyncrasies and modifications, which optimize the kernel to the mobile environments - low memory conditions, power management considerations, and more. In this chapter, we dig deep into these modifications, by examining each in detail, at the source code level. Specifically, we discuss:
- ASHmem - Android's Anonymous Shared Memory mechanism
- PMem - Physical contiguous memory for non scatter/gather capable hardware
- Low memory killer - Allowing customized Linux OOM behavior from user space
- Wakelocks - and the enhancements to Power Management
- The RAM Console and pstore - Used in Android to save Panic data across reboot
- Timed GPIO/Output
- Recompiling the kernel
- Kernel level debugging and tracing
|
|
- Java level modifiers: Private and Public
- Java level Permissions
- UNIX/native level Permissions
- Digital Signatures (code signing, etc)
- Key storage and encryption
- Service Hooks
- Protected APIs
- Kernel mode security
- The Linux Capabilities model
- Linux Security Modules (LSM) and SELinux ("SEAndroid")
- Android Verified Boot (AVB) v1 and v2
- Kernel buffer overflow protection - ExecShield and randomization
- Extensions and improvements in Oreo, Pie and 10 (e.g. seccomp-bpf, Webview-Zygote)
- Why it all fails - Android Exploitation
|
13. |
Connectivity (Optional) |
|
2 hours |
|
An examination of Android's connectivity mechanisms:
- The Network Stack (+ netd and ConnectivityManager)
- BlueTooth
- RILd
- VPNs
- The USB Stack
|