handle_packet() in adb.c didn't check that when an A_WRTE packet is
received, the sender's local-id matches the socket's peer id.
This meant that a compromised adbd server could sent packets to
the host adb server, spoofing the identity of another connected
device if it could "guess" the right host socket id.
This patch gets rid of the issue by enforcing even more checks
to ensure that all packets comply with the description in
protocol.txt.
+ Fix a bug where closing a local socket associated with a
remote one would always send an A_CLSE(0, remote-id, "")
message, though protocol.txt says that should only happen
for failed opens.
The issue was that local_socket_close() called
remote_socket_close() after clearing the remote socket's
'peer' field.
The fix introduces a new asocket optional callback,
named 'shutdown' that is called before that, and is
used to send the A_CLSE() message with the right ID
in remote_socket_shutdown().
Also add some code in handle_packet() to detect
invalid close commands.
Change-Id: I9098bc8c6e81f8809334b060e5dca4fc92e6fbc9
adb connect calls connect() in the event loop. If you pass a wrong ip
address or the server is slow to respond, this will block the event loop
and you can't even kill the adb server with adb kill-server. Handle connect
requests in a service thread instead.
Change-Id: I2ee732869a3dc22a6d3b87cf8ac80acaa7790037
Add a new connection state, so that devices, that require confirmation
to allow adb, appear as "unauthorized" in the adb devices lists.
Change-Id: Ib4264bc5736dedecf05bcf8e31896f4d7a91fad8
Secure adb using a public key authentication, to allow USB debugging
only from authorized hosts.
When a device is connected to an unauthorized host, the adb daemon sends
the user public key to the device. A popup is shown to ask the user to
allow debugging once or permanantly from the host. The public key is
installed on the device in the later case. Other keys may be installed
at build time.
On the host, the user public/private key pair is automatically generated,
if it does not exist, when the adb daemon starts and is stored in
$HOME/.android/adb_key(.pub) or in $ANDROID_SDK_HOME on windows. If needed,
the ADB_KEYS_PATH env variable may be set to a :-separated (; under
Windows) list of private keys, e.g. company-wide or vendor keys.
On the device, vendors public keys are installed at build time in
/adb_keys. User-installed keys are stored in /data/misc/adb/adb_keys.
ADB Protocol change:
If the device needs to authenticate the host, it replies to CNXN
packets with an AUTH packet. The AUTH packet payload is a random token.
The host signs the token with one of its private keys and sends an AUTH(0)
packet. If the signature verification succeeds, the device replies with
a CNXN packet. Otherwise, it sends a new AUTH packet with a new token so
that the host can retry with another private key. Once the host has tried
all its keys, it can send an AUTH(1) packet with a public key as
payload. adbd then sends the public key to the framework (if it has been
started) for confirmation.
Change-Id: I4e84d7621da956f66ff657245901bdaefead8395
Secure adb using a public key authentication, to allow USB debugging
only from authorized hosts.
When a device is connected to an unauthorized host, the adb daemon sends
the user public key to the device. A popup is shown to ask the user to
allow debugging once or permanantly from the host. The public key is
installed on the device in the later case. Other keys may be installed
at build time.
On the host, the user public/private key pair is automatically generated,
if it does not exist, when the adb daemon starts and is stored in
$HOME/.android/adb_key(.pub) or in $ANDROID_SDK_HOME on windows. If needed,
the ADB_KEYS_PATH env variable may be set to a ;-separated list of private
keys, e.g. company-wide or vendor keys.
On the device, vendors public keys are installed at build time in
/adb_keys. User-installed keys are stored in /data/misc/adb/adb_keys.
ADB Protocol change:
If the device needs to authenticate the host, it replies to CNXN
packets with an AUTH packet. The AUTH packet payload is a random token.
The host signs the token with one of its private keys and sends an AUTH(0)
packet. If the signature verification succeeds, the device replies with
a CNXN packet. Otherwise, it sends a new AUTH packet with a new token so
that the host can retry with another private key. Once the host has tried
all its keys, it can send an AUTH(1) packet with a public key as
payload. adbd then sends the public key to the framework (if it has been
started) for confirmation.
Change-Id: Idce931a7bfe4ce878428eaa47838e5184ac6073f
Prior to this change, -s could take either a serial number or a
device path (e.g. "-s 01498B1F02015015" or "-s usb:1-4.2"). This
change extends -s to also allow product, model or device names
(e.g. "-s product:mysid"). These new qualifiers will only be
available on devices that are running an adb daemon that provides
properties in the connect message per Change-Id:
I09200decde4facb8fc9b4056fdae910155f2bcb9
The product, model and device are derived from the
ro.product.name, ro.product.model and ro.product.device
properties respectively. They are prefixed with "product:",
"model:" or "device:" as appropriate. In addition, any
non-alphanumerics in the model are changed to underscores.
If the -s parameter matches multiple devices, the result will be
the same as when multiple devices are connected but no -d, -e or
-s option is specified. In general, this means the user will get
"error: more than one device". However for get-state,
get-devpath and get-serialno, they will get "unknown".
The format of "devices -l" was changed to list all of the
qualifiers that are available. The following example output
(with the last digits of the serial numbers replaced with X's) is
with a Galaxy Prime with an older adb daemon and another Galaxy
Prime and Galaxy S both with the enhanced adb daemons:
List of devices attached
016B75D60A0060XX device usb:2-5 product:mysid model:Galaxy_Nexus device:toro
3731B535FAC200XX device usb:1-4.2 product:soju model:Nexus_S device:crespo
01498B1F020150XX device usb:1-4.1
Note that the serial number and state are now column oriented
instead of tab delimited. After the serial number and state, all
qualifiers are listed with each preceded by a space. The output
of the original devices command (without -l) is unchanged.
Change-Id: Iceeb2789874effc25a630d514a375d6f1889dc56
Signed-off-by: Scott Anderson <saa@android.com>
protocol.txt says that the connect message should have three
fields:
<systemtype>:<serialno>:<banner>
In reality, what is transmitted is simply:
<systemtype>::
The serialno is obtained via other means so doesn't really need
to be a part of the connect message. This change puts the
ro.product.name, ro.product.model and ro.product.device
properties in the <banner> for devices. Each property is
terminated by a semicolon (;) with the key and value separated by
an equals sign (=). Example message:
device::ro.product.name=<prd>;ro.product.model=<mdl>;ro.product.device=<dev>;
Making this change will enable the device list to provide more
information to the user and to give the potential for being able
to select which device to talk to with the -s option.
Change-Id: I09200decde4facb8fc9b4056fdae910155f2bcb9
Signed-off-by: Scott Anderson <saa@android.com>
This is the second version of a patch which demonstrates the possibility
of using adbd (Android Debug Bridge daemon) with a generic FunctionFS gadget
instead of a custom adb usb gadget in the Linux kernel. It contains changes
introduced after Benoit's review - thank you Benoit.
The patch adds a new usb access layer to adbd using FunctionFS. The former
usb access method is still available. The method is chosen at runtime
depending if /dev/usb-ffs/adb/ep0 or /dev/android_adb is accessible.
How to use on the target device:
$ insmod g_ffs.ko idVendor=<vendor ID> iSerialNumber=<some string>
$ mount -t functionfs adb /dev/usb-ffs/adb -o uid=2000,gid=2000
$ ./adbd
This patch requires a patch to bionic which adds <linux/usb_functionfs.h>
which is an exact copy of the relevant file in the linux kernel.
Change-Id: I4b42eb267ffa50fca7a5fba46f388a2f083e8b2d
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
[benoit@android.com: detect at runtime if functionfs is mounted
or fallback using f_adb]
Signed-off-by: Benoit Goby <benoit@android.com>
For manufacturing and testing, there is a need to talk to
whatever device is connected to a given port on the host. This
change modifies adb's "-s" option to take either a serial
number or a device path. The device paths of the connected
devices can be listed using "adb devices -l" whose output
will resemble:
List of devices attached
016B75D60A00600D usb:2-5 device
3031D0B2E71D00EC usb:1-4.3 device
The second column lists the device paths. If the -l option is
not given, the output from "adb devices" will be the same as
it used to be (i.e. the paths will not be printed).
The device path can also be obtained with the get-devpath
command:
$adb -s 3031D0B2E71D00EC get-devpath
usb:1-4.3
Note that the format of the device paths are platform dependent.
The example above is from Linux. On OS-X, the paths will be
"usb:" followed by hex digits. For other platforms, the device
paths will be printed as "????????????" and the -s option will
not be able to select a device until someone implements the
underlying functionality.
Change-Id: I057d5d9f8c5bb72eddf5b8088aae110763f809d7
Signed-off-by: Scott Anderson <saa@android.com>
Services that cause adbd to reboot are currently implemented this way:
write(fd, response)
close(fd)
sleep(1)
exit(1)
sleep(1) is necessary to leave time for the transport to transmit
the response before the daemon exits. This is slow and unreliable.
Instead, add a flag to the asocket to make it exit the daemon only
after the socket is closed.
Change-Id: I9df45ea6221f0d9b828703b9b2316a5d4fe59352
When running inside the emulator, guest's adbd can connect to 'adb-debug' qemud
service that can display adb trace messages on condition that emulator has been
started with '-debug adb' option.
This CL enables that functionality in ADB code.
Change-Id: I59b4a76d3c887ad28b8aa8e2a01dfa814e75faa1
Recovery will soon support a minimal implementation of adbd which will
do nothing but accept downloads from the "adb sideload" command and
install them. This is the client side command (mostly resurrected out
of the old circa-2007 "adb recover" command) and the new connection
state.
Change-Id: I4f67b63f1b3b38d28c285d1278d46782679762a2
This reverts commit d15e6ac95d.
Also increment adb version to 1.0.29
Change-Id: I890643f0c18a2fe90f170134df039c54116cecda
Signed-off-by: Mike Lockwood <lockwood@android.com>
This is needed because the USB driver on the device no longer resets the bus
when exits and restarts.
Since the host side adb no longer detects that adbd has restarted we need
to reset the connection on the host side now.
Change-Id: I1a8eabd292e8b45c34fa07a8a8b8c609cc15648d
Signed-off-by: Mike Lockwood <lockwood@android.com>
It won't actually do anything until the 'bu' tool and framework are
updated to respond properly, but this is the adb side of the
necessary infrastructure: we copy the tarfile into the socket pointed
at the device, using the existing mechanisms.
Change-Id: Ic3b5779ade256bd1ad989a94b0685f7b1a7d59d2
* Add support for correctly handling subprocess termination in shell service (b/3400254 b/3482112 b/2249397)
- have a waitpid() track the subprocess, then notify the fdevent via a socket
- force an eof on the pty master in fdevent's new subproc handler.
- modify fdevent to force-read the pty after an exit.
* Migrate the "shell:blabla" handling to "#if !ADB_HOST" sections, where it
belongs.
* Fix the race around OOM adjusting.
- Do it in the child before exec() instead of the in the parent as the
child could already have started or not (no /proc/pid/... yet).
* Allow for multi-threaded D() invocations to not clobber each other.
- Allow locks across object files.
- Add lock within D()
- Make sure sysdesp init (mutex init also) is called early.
* Add some missing close(fd) calls
- Match similar existing practices near dup2()
* Add extra D() invocations related to FD handling.
* Warn about using debugging as stderr/stdout is used for protocol.
* Fix some errno handling and make D() correctly handle it.
* Add new adb trace_mask: services.
* Make fdevent_loop's handle BADFDs more gracefully (could occur some subproc closed its pts explicitely).
* Remove obsolete commandline args reported in help. (b/3509092)
Change-Id: I928287fdf4f1a86777e22ce105f9581685f46e35
This is for http://b/3482112 "adb interactions with device causing test harness failures".
This reverts commit 69c5c4c45b.
Change-Id: I630bf2e04d2ecf0223bd2af4e87136754ff880d3
* Handling of the subprocess and its FD.
This fixes http://b/3400254 "Many bugreports getting hung at the end in monkey"
- Start up a service thread that waits on the subprocess to terminate,
then closes the FD associated with it.
- Have the event handler select() with a timeout so that it can
detect the closed FD. Select() with no timeout does not return when an FD is closed.
- Have the event handler force a read on the closed FD to trigger the close sequence.
- Migrate the "shell:blabla" handling to "#if !ADB_HOST" sections.
* Fix the race around OOM adjusting.
- Do it in the child before exec() instead of the in the parent as the
child could already have started or not (no /proc/pid/... yet).
* Allow for multi-threaded D() invocations to not clobber each other.
- Allow locks across object files.
- Add lock within D()
* Add some missing close(fd) calls
- Match similar existing practices near dup2()
* Add extra D() invocations related to FD handling.
* Warn about using debugging as stderr/stdout is used for protocol.
Change-Id: Ie5c4a5e6bfbe3f22201adf5f9a205d32e069bf9d
Signed-off-by: JP Abgrall <jpa@google.com>
Added a new target for adb, so that the adb
host executable is built for the target as
well. This allows the target to connect to
any Android devices which are attached to it.
Bug: 3022194
Change-Id: Ib01983e70b75cec40a9ee161da7f4cf1343eecf2
Port number is now optional. Will use default port 5555 if not specified.
"adb disconnect" with no additional arguments will disconnect all TCP devices.
Change-Id: I7fc26528ed85e66a73b8f6254cea7bf83d98109f
Signed-off-by: Mike Lockwood <lockwood@android.com>
- adb can now connect to an emulator configured with an arbitrary
pair of <console port, adb port>. These two ports do not have to be
adjacent.
This can be done from the commandline at any time using
adb connect emu:<console_port>,<adb_port>
- Emulators running on ports outside the normal range
(5554/5555-5584/5585) register themselves on startup if they follow
the convention "console port+1==abd port".
- Emulators outside the normal port range will not be auto-detected on
adb startup as these ports are not probed.
- The index into local_transports[] array in transport_local.c does no
longer indicate the port number of the local transport. Use the altered
atransport struct to get the port number.
- I have chosen not to document the adb connect emu:console_port,adb_port
syntax on adb's help screen as this might be confusing to most readers
and useful to very few.
- I don't expect this to introduce any (backwards) compatibility issues.
Change-Id: Iad3eccb2dcdde174b24ef0644d705ecfbff6e59d
Signed-off-by: Mike Lockwood <lockwood@android.com>
This is the first CL of a somewhat larger effort which, among other things,
will involve changing the emulator and ddms to talk to adb running on a
configurable port.
The port can be configured using environment variable ANDROID_ADB_SERVER_PORT.
Further CLs will also address the set of ports used for the local transport.
Change-Id: Ib2f431801f0adcd9f2dd290a28005644a36a780a
This helps us recover when things go wrong during automated testing.
Change-Id: I006dbfaff7f70d51398ff12fbddcaee751453b78
Signed-off-by: Mike Lockwood <lockwood@android.com>
Also check that device is not already connected in "adb connect"
Change-Id: I5f84b56b63d8c6932f23791cac319fd6bc39d36c
Signed-off-by: Mike Lockwood <lockwood@android.com>
Added new commands:
adb connect <host>:<port> (to connect to a device via TCP/IP)
adb tcpip <port> (to restart adbd on the device to listen on TCP/IP)
adb usb (to restart adbd on the device to listen USB)
Signed-off-by: Mike Lockwood <lockwood@android.com>
adb devices will now list devices without adequate file system permissions in /dev/bus/usb as:
List of devices attached
???????????? no permissions
Signed-off-by: Mike Lockwood <lockwood@android.com>
This will allow rebooting the device via adb on any build, including user builds.
An optional argument can be provided
(for example, "adb reboot bootloader" or adb reboot recovery")
Signed-off-by: Mike Lockwood <lockwood@android.com>
It was pointed out that we should have done this when we added the "adb root" command.
And doing this will also force people to pick up the recent Linux USB serial number fix.
Signed-off-by: Mike Lockwood <lockwood@android.com>
To enable logging, set the property persist.adb.trace_mask to a hex value
containing the bitmask for adb_trace_mask (see the TRACE_* enum values in adb.h).
This will result in adb writing log output to a file in /data/adb/
No logging will occur if persist.adb.trace_mask is not set or has a value
that cannot be parsed as a hex integer.
The property is read once only at startup, so you must reboot or restart adbd
for changes in the property to take effect.
Signed-off-by: Mike Lockwood <lockwood@android.com>
Vendor IDs are read from ~/.android/adb_usb.ini. The format is very simple:
1 number per line. First number is ID count, followed by the ID themselves.
Lines starting with # are considered comments.
Other misc changes: moved VENDOR_ID_* to usb_vendors.c to prevent direct
access. Made transport_usb.c reuse the USB constant introduced in usb_osx
(moved them to adb.h)
Added usb_vendors.* which handles creating (and deleting) a list of vendor ids.
This list is meant to be used everywhere the built-in lists (usb_osx), or the
built-in vendor IDs (transport_usb) were used.
For now the list is only built with the built-in VENDOR_ID_*. Next step
is to read a small file created from all the SDK add-on.
Other misc changes: made is_adb_interface present only if ADB_HOST is true
to prevent accessing a list that doesn't exist (usb_vendors is only
compiled for the host version of adb).
Enumerating all vendor+product id combinations is not practical.
This modifies the matching algorithm to use the adb interface
subclass/protocol instead (0x42/0x1).
Signed-off-by: Dima Zavin <dima@android.com>