The document provides an overview of the Android initialization process and application launch sequence. It discusses how QEMU can be used to emulate Android applications on x86 platforms by intercepting forks or running a second emulated zygote process. It also describes the init system and init.rc file that starts core system services like ril-daemon, zygote, and media server. Finally, it outlines the steps involved in an application launch, from the activity manager sending an intent to the launched activity's onCreate() method being called.

1. Android. Behind The Scenes
R
a
d
u
M
O
I
S
A
N
A

2. Agenda
Android Short Intro
Use-case: QEmu
Android Init System
Application Launch
2

3. Android Short Intro
Home Contacts Phone Browser ...
Applications
Telephon Resourc Notificatio
Activity Location
y e n
Manager Manager
Manager
Manager Manager
Package Window Content View
Manager Manager Providers System
Android Runtime
Android Framework
Core Libraries
Media
Surface Manager SQLite
Framework Dalvik Virtual
Machine
Open GL | ES Free Type Webkit
SGL SSL libc
Libraries
Linux Kernel
Display Camera Flash Memory Binder(IPC)
Driver Driver Driver Driver
Keypad WiFi Audio Power
Driver Driver Drivers Management
3

4. Use-case: QEmu
So what exactly is QEmu?
QEMU is a processor emulator which has two different
operating modes:
full system emulation, which emulates a full system including
the corresponding hard disk image
user mode emulation, which allows you to run a simple
cross-compiled executable
4

5. Use-case: QEmu
mount -t binfmt_misc none /proc/sys/fs/binfmt_misc
echo ":ARM:M:18:(::/data/qemu-arm:" > /proc/sys/fs/binfmt_misc/register
mount -t binfmt_misc none /proc/sys/fs/binfmt_misc
echo ":CLR:M::MZ::/usr/bin/mono:" > /proc/sys/fs/binfmt_misc/register
Name is the name of the binary format
The magic number
program that is to be run with the
matching file as an argument
:name:type:offset:magic:mask:interpreter:
What part of magic number is significant
Where to look for the magic number
E or M
5

6. Use-case: QEmu
Why?
Sandbox binary applications
Debugging/tracing binary applications
Run Android Apps with native arm binary on x86
Platforms
How?
Two approaches:
Intercept the Fork starting the Application Process
Run a second emulated Zygote
6

7. Android Init System
bootl
oader
Linux
kernel
init
init.rc
Init.<machine>.rc
7

8. Android Init file
service ril-daemon /system/bin/rild
socket rild stream 660 root radio
socket rild-debug stream 660 radio system
user root
group radio cache inet misc audio sdcard_rw net_admin net_raw qcom_oncrpc diag
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
socket zygote stream 660 root system
onrestart write /sys/android_power/request_state wake
onrestart write /sys/power/state on
onrestart restart media
onrestart restart netd
service media /system/bin/mediaserver
user media
group system audio camera graphics inet net_bt net_bt_admin net_raw
ioprio rt 4
8

9. Android Init System
Power
bootl Manager
oader Telephon
y App
Registry
Core Activity
Services App
Native Manager
instantiate
Linux Daemons AppRuntime Window
kernel Manager App
...
system_serv
init Zygote er
Mount
Service
Connectivit
Other y
Additional Service
processe Select Location
Services
s Loop Manager
Mode Audio
Service
init.rc
Init.<machine>.rc ...
9

10. Application Launch
Laun Application onCreate()
cher Classes
load
into
ram
Activity bindApplication() Activity
launch activity by intent
callActivityOnCreate()
Thread Instrumentati
Manager thread.attach() Dalvik on
Service
VM
forkAndSpecialize()
Zygote
zygote
Binder socket
10

11. Application Launch
Laun
cher
Activity
launch activity by intent
Manager
Service
zygote forkAndSpecialize()
Zygote
socket
zygote_e
zygote Zygote_e forkAndSpecialize()
mu Zygote
socket mu
socket
Binder
11

12. 12