* Android IPC
- Intent -> AIDL -> Binder
- cat /sys/kernel/debug/binder shows the related information
- Parcel: the marshalling/packing concept
- Binder fetches services through shared memory
- All services communicate with each other through Binder
* Android debuggerd
- Android intercepts a process's segmentation fault signal; when an abnormal error occurs, debuggerd is notified over a socket
- The address debuggerd shows in logcat is the address from the last run
- lr -> register for storing the return address on ARM
- The crash log can be compared against /proc/pid/maps
- Reference: https://wiki.linaro.org/WorkingGroup...nwindDebuggerd
* Dynamic linker/program interpreter
- ld-linux.so.2 (on Linux)
- Executable
- More than one ELF interpreter can exist under the same root file system
- On Android, the address of /system/bin/linker may differ between versions
+ Security considerations and performance factors
- x86
+ Entry: __libc_start_main
+ library: libc
+ linker: ld-linux.so.2 (can be executed)
- Android
+ Entry: __libc_init
+ library: bionic
+ linker: /system/bin/linker
- If the stack & calling convention are not handled correctly, a SegFault occurs
* bionic
- __libc_init comes in two variants, static and dynamic
- The init process (the one with pid 1) uses the static one and cannot use malloc
- Related explanation can be found in the documentation under AOSP (somewhat outdated)
- adbd is static (?)
- Viewing the interpreter information
- objdump -s -j .interp filename
* memory map of a process
- cat /proc/pid/maps
+ Field description:
- address
- perms
+ r = read
+ w = write
+ x = execute
+ s = shared
+ p = private (copy on write)
- offset
- dev
- inode
- pathname
- The same path appearing two or more times is probably the text/data distinction
adb shell cat /proc/18696/maps (pasted from the slides)
00008000-00009000 r-xp 00000000 b3:02 8959 /data/local/hello
00009000-0000a000 rwxp 00001000 b3:02 8959 /data/local/hello
b0001000-b0009000 r-xp 00001000 b3:01 128 /system/bin/linker
b0009000-b000a000 rwxp 00009000 b3:01 128 /system/bin/linker
b000a000-b0015000 rwxp 00000000 00:00 0
beb07000-beb28000 rw-p 00000000 00:00 0 [stack]
ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
- The heap grows from its address toward higher addresses
- The stack grows from its address toward lower addresses
- Can be used for reverse engineering and tracing programs
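As an added example (not code from the original notes), the parser below reads /proc/pid/maps lines into the fields listed above, resolves an address such as the pc or lr that debuggerd prints in logcat to the mapping and file offset it belongs to, and lists mappings that are writable and executable at once. The sample input is the /proc/18696/maps excerpt pasted from the slides, with the cut-off "[vectors" entry completed to "[vectors]"; the addresses looked up in the usage block are constructed.

```python
"""Added example, not code from the original notes: parse /proc/<pid>/maps,
resolve a crash address to its mapping, and flag W+X mappings."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the /proc/18696/maps excerpt from the slides,
# with the truncated "[vectors" entry written out as "[vectors]".
SAMPLE_MAPS = """\
00008000-00009000 r-xp 00000000 b3:02 8959 /data/local/hello
00009000-0000a000 rwxp 00001000 b3:02 8959 /data/local/hello
b0001000-b0009000 r-xp 00001000 b3:01 128 /system/bin/linker
b0009000-b000a000 rwxp 00009000 b3:01 128 /system/bin/linker
b000a000-b0015000 rwxp 00000000 00:00 0
beb07000-beb28000 rw-p 00000000 00:00 0 [stack]
ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
"""

# start-end perms offset dev inode [pathname]; the pathname is optional
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str      # r, w, x flags plus s (shared) or p (private, copy-on-write)
    offset: int     # offset into the backing file where this mapping begins
    dev: str        # major:minor of the backing device
    inode: int      # 0 for anonymous memory and pseudo-paths such as [stack]
    pathname: str   # "" for an anonymous mapping

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end

    def is_wx(self) -> bool:
        return "w" in self.perms and "x" in self.perms


def parse_maps(text: str) -> List[Mapping]:
    maps = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines instead of guessing
        start, end, perms, offset, dev, inode, path = m.groups()
        maps.append(Mapping(int(start, 16), int(end, 16), perms,
                            int(offset, 16), dev, int(inode), path))
    return maps


def find_mapping(maps: List[Mapping], addr: int) -> Optional[Mapping]:
    for m in maps:
        if m.contains(addr):
            return m
    return None


def resolve(maps: List[Mapping], addr: int) -> Optional[Tuple[str, int]]:
    """Return (pathname, file offset) for an address inside a file-backed
    mapping, or None for unmapped, anonymous or pseudo mappings.  The file
    offset says where to look in the ELF on disk; it is not a link-time
    virtual address, so for a non-PIE executable such as /data/local/hello
    (linked at 0x8000) the raw address is what addr2line expects."""
    m = find_mapping(maps, addr)
    if m is None or m.inode == 0:
        return None
    return m.pathname, addr - m.start + m.offset


def wx_mappings(maps: List[Mapping]) -> List[Mapping]:
    """Mappings that are writable and executable at the same time.  The old
    Android build above maps data segments rwxp; on a current system any
    such mapping deserves an explanation."""
    return [m for m in maps if m.is_wx()]


if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    for addr in (0x8540, 0xB0001234, 0xBEB10000, 0x12345678):  # constructed
        print(hex(addr), "->", resolve(maps, addr) or find_mapping(maps, addr))
    for m in wx_mappings(maps):
        print("W+X:", hex(m.start), m.perms, m.pathname or "(anonymous)")
```

The entry point 0x8540 from the readelf output further down falls in the r-xp text mapping of /data/local/hello at file offset 0x540, while an address in /system/bin/linker comes back with the linker's own file offset, which is the number to line up with the on-disk ELF when the loaded address and the section offsets disagree.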
* ABI
- readelf can read it out
$ readelf -h ../libs/armeabi/a
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: ARM
Version: 0x1
Entry point address: 0x8540
Start of program headers: 52 (bytes into file)
Start of section headers: 7592 (bytes into file)
Flags: 0x5000002, has entry point, Version5 EABI
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 7
Size of section headers: 40 (bytes)
Number of section headers: 22
Section header string table index: 21
- eabi/oabi: e for embedded, o for old
- Different ABIs (including ABI versions) may define data type sizes differently
+ sizeof (char)
- EABI: 1
- OABI: 4
+ sizeof (struct empty_struct {})
- EABI: 1
- x86 does not have the ABI version problem
- Possible reasons why embedded ABIs differ
+ Revisions
+ Commercial considerations: deliberately making other products incompatible
+ Efficiency
+ ref: http://wiki.debian.org/ArmEabiPort
- ARM EABI has basically unified everything by now
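The ELF header fields that readelf -h prints above, and the interpreter string that objdump -s -j .interp dumps in the bionic section, can both be read with a few struct unpacks. The following is an added example, not code from the original notes: it parses the ELF32 header, decodes the EABI version from the top byte of e_flags (0x5000002 is version 5), and finds the program interpreter through the PT_INTERP program header, which carries the same string as the .interp section. The ELF bytes are constructed by build_sample_elf() so the example runs offline; they mirror the header values on the page but contain no code or sections.

```python
"""Added example, not code from the original notes: a minimal ELF32 header
and PT_INTERP parser, run against a constructed ELF image."""
import struct
from typing import Dict, Optional

EI_CLASS, EI_DATA = 4, 5
ELFCLASS32, ELFDATA2LSB = 1, 1
EM_386, EM_ARM = 3, 40
PT_INTERP = 3
ELF32_EHDR = struct.Struct("<16sHHIIIIIHHHHHH")   # 52 bytes, as readelf reports
ELF32_PHDR = struct.Struct("<IIIIIIII")            # 32 bytes, as readelf reports


def build_sample_elf(interp: bytes, machine: int = EM_ARM,
                     flags: int = 0x5000002, entry: int = 0x8540) -> bytes:
    """Constructed ELF32 image: header, one PT_INTERP program header and the
    interpreter path.  Defaults mirror the readelf -h output (ARM, EABI
    version 5, entry 0x8540); there are no sections, so e_shoff is 0."""
    interp_off = ELF32_EHDR.size + ELF32_PHDR.size
    ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2LSB, 1]) + b"\0" * 9
    ehdr = ELF32_EHDR.pack(ident, 2, machine, 1, entry, ELF32_EHDR.size, 0,
                           flags, ELF32_EHDR.size, ELF32_PHDR.size, 1, 40, 0, 0)
    phdr = ELF32_PHDR.pack(PT_INTERP, interp_off, interp_off, interp_off,
                           len(interp) + 1, len(interp) + 1, 4, 1)
    return ehdr + phdr + interp + b"\0"


def parse_header(data: bytes) -> Dict[str, object]:
    """Decode the fields readelf -h shows; ARM files also get eabi_version."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[EI_CLASS] != ELFCLASS32 or data[EI_DATA] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF32 is handled here")
    (_, e_type, e_machine, _, e_entry, e_phoff, e_shoff, e_flags, _,
     e_phentsize, e_phnum, _, _, _) = ELF32_EHDR.unpack_from(data)
    hdr = {"type": e_type, "machine": e_machine, "entry": e_entry,
           "phoff": e_phoff, "phentsize": e_phentsize, "phnum": e_phnum,
           "shoff": e_shoff, "flags": e_flags}
    if e_machine == EM_ARM:
        # bits 24..31 of e_flags hold the ARM EABI version; 0 means OABI
        hdr["eabi_version"] = e_flags >> 24
    return hdr


def find_interpreter(data: bytes) -> Optional[str]:
    """Walk the program headers and return the PT_INTERP path, or None when
    there is none (static binary, or the linker itself)."""
    hdr = parse_header(data)
    for i in range(hdr["phnum"]):
        off = hdr["phoff"] + i * hdr["phentsize"]
        p_type, p_offset, _, _, p_filesz, _, _, _ = ELF32_PHDR.unpack_from(data, off)
        if p_type == PT_INTERP:
            raw = data[p_offset:p_offset + p_filesz]
            return raw.split(b"\0", 1)[0].decode()
    return None


if __name__ == "__main__":
    # One Android-style and one x86 Linux-style image (both constructed)
    for interp, machine, flags in ((b"/system/bin/linker", EM_ARM, 0x5000002),
                                   (b"/lib/ld-linux.so.2", EM_386, 0)):
        elf = build_sample_elf(interp, machine=machine, flags=flags)
        h = parse_header(elf)
        print(hex(h["entry"]), hex(h["flags"]), h.get("eabi_version"),
              find_interpreter(elf))
```

The endianness and class checks are deliberate: an ELF64 or big-endian file has a different header layout, and silently unpacking it with the ELF32 struct would yield plausible-looking garbage, which is the kind of mistake a quick triage script tends to make.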
* Start a process
- create a process
- load the executable file
- set up the runtime
- page valid (?)
* Before Hello World..
- UID/GID
- Signal
- load ld.so
- mmap
- random
- load libstdc++.so
- ...
* Android GDB
- adb forward tcp:port tcp:port
- Symbols may be under
- ${PWD}/out/target/product/product_name/symbols/system/bin
* LD debug
- export LD_DEBUG=files
- LD_DEBUG=help /lib/ld-2.13.so
* Hearsay / forgot what these were about
- BUILD_ID
+ Issue tracking
- Forgot whether this was about ELF or AOSP/CyanogenMod
- NDK version bumps are tied to Android SDK version bumps
- mm -b => make clean; make
- Some ELF executables have no main entry point
+ pypy
- Build IDs were added to ELF starting in 2010
- abort()
- ptrace
- addr2line -e [file]
- Android rewrote libc/linker; the size went down, at the cost of reduced functionality
- libunwind
- ELF section offsets generally differ somewhat from what /proc/pid/maps shows, mainly for security reasons
- ANR
+ Android Not Responding
+ Code that runs for a long time is best placed in a Service
- In Android, anything that mixes things together is called a flinger
+ Surface flinger
+ service flinger
+ ...