2. Introduction
• https://svmp.github.io
• Configuration: x86 Android VMs on x86 server
• VM Platform: support KVM, VirtualBox, VMware…
• Cloud Controller: support OpenStack, Amazon EC2…
• Remote Protocol: WebRTC + SVMP Wire Protocol
• Client: Android/iOS app
• Storage (user data) is separated from VM
3. Components
• Client Application: an unprivileged Android/iOS application with WebRTC
peer connection and SVMP protocol messages, similar to clients for VNC
and RDP
• SVMP Overseer: receive login request, perform authentication, and
manage VMs on the cloud
• SVMP Server: routing input message from client connections to SVMP
daemons running inside virtual devices
• SVMP daemon: primary entry point of client user input to the virtual device
• Virtual Device: Virtual Device Image (SVMP Gold Image) + User Data
Volume
• Cloud Controller: support OpenStack, Amazon EC2…
7. SVMP Wire Protocol
• SVMP/svmp-protocol-def repository
• Request: client->server
• Response: server->client
• JSON Payload: a type attribute and up to one optional
attribute associated with that subtype, e.g.
{“type”:”ROTATIONINFO”,”rotationInfo":{"rotation":0}}
• Protocol Buffers: protocols are defined using “Protocol
Buffers” - Google's data interchange format, and Java
class definitions are generated by protocol buffer compiler
8. SVMP daemon
• SVMP/android_external_svmp_eventserver repository
• An user-level Android background service, launched when
BroadcastReceiver catches BOOT_COMPLETED Intent
• EventServer: many handlers to handle different events (touch,
sensor, notification…)
• LogHandler: logcat message forwarding
• DatabaseHandler: GPS location service subscription
• WifiSpoofer: spoof that Wi-Fi connection is active
• details in next few pages…
9. SVMP daemon
• proxy socket: a Java server socket to listen events from client
• sensor socket: initialized in init.rc as /dev/socket/svmp_sensors
• Handlers:
• SensorHandler
• LocationHandler
• IntentHandler
• NotificationHandler
• KeyHandler
• ConfigHandler: only keyboard configurations
• LauncherHandler: for single app mode
10. Touch&screen injection
• EventServer.java
• SCREENINFO packet: sync screen resolution
• TOUCHEVENT packet: translate coordinates X, Y
and inject by Android InputManager (native support)
• ROTATION_INFO packet: rotation info is injected by
sending custom broadcast
ROTATION_CHANGED_ACTION, received by
modified framework
11. IntentHandler
• IntentHandler.java
• Android Intent: an abstract description of an operation to
be performed
• Currently support two kinds of intent forwarding
• outgoing call: forward ACTION_NEW_OUTGOING_CALL
from server to client and dial using client’s SIM card
• activity action: forward ACTION_VIEW from client to
server and open URL inside the VM
12. LocationHandler
• LocationHandler.java
• Android natively support mocked location
• Catch custom Intent LOCATION_SUBSCRIBE_ACTION
(sent by modified framework) and forward location request
to client
• Maintain location subscription in DatabaseHandler (single-
shot or not)
• Inject client’s GPS location to VM by spoofing test provider
LocationManager.setTestProviderLocation()
14. SensorHandler
• BaseServer.java
• SENSOREVENT packet: forwarded to /dev/socket/
svmp_sensors socket
• Client keep listening to all the available sensors
• Use delay time mechanism to prevent spammy sensor
messages
• SVMP HAL module libsensors listens on the svmp_sensors
socket then processes the actual sensor events, the HAL
interfaces are defined in AOSP hardware/sensors.h
16. Android Framework
modification
• InputManagerService.java
• Natively support injecting key events (KeyHandler.java in
SVMP daemon)
• Create a BroadcastReceiver to listen custom intent for hard
keyboard, attach two virtual keyboards when hard keyboard
attached to client
• NotificationManager.java
• Intercept notification by preventing enqueue it and send a
INTERCEPT_NOTIFICATION broadcast, caught by SVMP
daemon
17. Android Framework
modification
• WindowOrientationListener.java
• Create a BroadcastReceiver to listen custom
ROTATION_CHANGED intent and inject the
rotation info
• LocationManager.java
• Intercept location request and send a
LOCATION_SUBSCRIBE_ACTION broadcast,
caught by SVMP daemon then redirected to client
18. Android System Core
modification
• BatteryMonitor.cpp
• Battery injection
• Battery status is always charging
• Battery health is always good
• Battery level is always 100%
19. Android Device Driver
• Lots of things, still tracing…
• Virtual Frame Buffer
• VM write frame to VFB device instead of real video device
• Android surfaceflinger library generates a VSYNC event when
writing
• When VSYNC event occurs, each frame is fed into the WebRTC
subsystem
• Virtual Sensors: libsensors/sensors.cpp
• Re-implement the interface defined by AOSP