Helpful Kirin AOSP development cheat sheet

kirin-aosp-helper.md

Kirin AOSP helper

A helpful cheat sheet for people interested in Huawei Kirin AOSP development
This thing is WIP right now, so please have some patience, thank you!

• Important things to know
• The Partition table
• Basic bringup

Important things to know

• You have to be aware of that all EMUI versions are pretty different in almost all things (kernel, blobs, partition table, dtbs, etc.). Huawei OTAs are also resizing the ptable, so because of that, for example, all EMUI 8 devices (launched or upgraded) got Treble support (In fact EMUI 5 had a vendor partition already but that was smaller than on EMUI 8).
• Huawei likes to "backport" features which aren't even existing on AOSP yet, there are alot of good examples: vendor partition on EMUI 5 (on AOSP since Android 8.0), odm partition on EMUI 8/9 (on AOSP since Android 10), AVB2 with vbmeta partitions (disabled until EMUI 10) on EMUI 8 (on AOSP since Android 9), (pretty unrelated to development but why not) fullscreen gestures on EMUI 8.2(?) and 9.x (on AOSP since Android 10) and way way more things.
• Try to get the latest and most fully functional (!!!) kernel source you can get for your platform, here are some examples: Hi6250 EMUI 5.0: Prague, Hi6250 EMUI 5.1: RNE (RNE has broken tzdriver, port from PRA-5; BND one has broken OMX for some reason), Hi6250 EMUI 8: AGS2 (working calls on recent PRA/WAS firmware with jan 2021 secpatch; broken wifi drivers, port from FIGO-8 or LELAND-8), Hi6250 EMUI 9: AGS2 HarmonyOS 2.0.0 (from November 2021, working fine with ANNE's 9.1.0.401 firmware, aka. Jan 2022 secpatch).
• Unfortunately, we can't reproduce the DTS.img yet, which has the DTBs. This means, we can't change stuff in the kernel device tree, which might be pretty pain in some cases, for example we need hacks like this to kill the device tree fstab which is fucked up anyways, specially on EMUI 8. For more infos about DTS.img, I will do a research repository, which I will link here once it's done.
• Huawei is known to update the kernel version with new Android releases (EMUI 4 uses 3.10, EMUI 5 4.1, EMUI 8 4.4, EMUI 9 4.9, EMUI 10 and newer 4.14). Just slapping EMUI x kernel on EMUI y doesn't work sadly, this requires to use their blobs, and most important, you need the EMUI x's dtbs, meanwhile you can't use EMUI x's DTS.img on EMUI y due to a "different format" (the bootloader rejects it), reproducing DTS.img isn't an option yet, or if you are "pro enough" and you have alot of time to waste and you want to go through the pain, you can either adapt the complaining drivers for EMUI y's dtbs, or the port EMUI y's drivers to EMUI x's kernel. But thats only for big pros, I would say.
• If you need kernel logs because your kernel doesn't work then you only have 1 option: pstore. Pstore is already enabled in the kernel and you will always get one as long as the kernel actually works. Last_kmsg doesn't exist (qcom noises). Sometimes, there might be useful logs in /splash2 partition for alot of things. If that isn't enough, and you need bootloader logs, you can check /proc/balong/log. It gives you the current and last bootloader log.
• Good to know about the fastboot mode, there are 2 types of unlock. User unlock which you can unlock using fastboot oem unlock 1234567890ABCDEF, it always you flash some basic partitions + unsigned images (non stock). Then theres factory unlock / fblock, (only applies to devices older than EMUI 8.x, sometimes EMUI 9.x too) which can be triggered by fastboot oem hwdog certify set 0 on fully unlocked board firmware fastboots, or also using the nvme tool by @R0rt1z2. The unlock "flag" is basically in the nvme partition. As the name tells you already, It allows you to do everything in fastboot.

The Partition table

Now we gonna look at some huawei partitions. First important side note

• EMUI 5 and older uses regular boot.img and recovery(2).img, since EMUI 8 they are splitted up into kernel, ramdisk (only 8, 10 and newer), (e)recovery_ramdisk and (e)recovery_vendor. Those images are basically regular bootimages with either kernel+cmdline, real offsets (which the bootloader cares about!!!!) and no ramdisk or a normal bootimage with ramdisk, the "default" offsets (they dont matter) and dummy kernel+cmdline. Those splitups are resolved on both EMUI 8 and EMUI 9 platform using a custom mkbootimg makefile. The "HW_MKBOOTIMG" is a edited mkbootimg by huawei which is in the kernel source to reproduce the 100% same offsets for the kernel.img. Now I'm going to list some partitions on huawei devices:
• xloader: part of the bootloader, erase in fastboot to get into USB SER (IDT/Testpoint) mode.
• fastboot: the main part of the bootloader, DO NOT ERASE IT OR FLASH ONE WHICH DOESNT MATCH WITH THE XLOADER, ELSE YOUR DEVICE WILL BRICK AND ONLY TESTPOINTING WILL SAVE YOU!!!
• fw_lpm3, fw_hifi, sensorhub: firmware
• teeos, trustfirmware, sec_storage: TEE
• splash2: logs
• cust, version: EMUI parts (unused on AOSP)
• product: contains EMUI parts and on EMUI 5 also device specific configs etc., this will be fun when doing Pie and newer..., partition too small for AOSP product, can just be dropped on EMUI 8 and newer.
• odm (EMUI 8 and newer): contains device specific configs, instead in product like on EMUI 5, can be built from src.
• preas (EMUI 8 and newer): contains Google apps on EU firmware and some launcher stuff (gets mounted by dt fstab)
• preavs (EMUI 8 and newer): contains the widevine hal (move it to vendor, gets mounted by dt fstab)
• preload (EMUI 9 and newer): preinstalled apps I guess, mounted by dt fstab.
• nvme: contains device infos like SN, macs, unlock code, etc. DO NOT TOUCH!!
• oeminfo: contains device model and region, on newer phones (k970) also stuff from nvme and imeis, DON'T TOUCH!!!
• modem_fw, modemnvm_update: modem firmware
• modemnvm_*: contains your imei and other ril related stuff, DO NOT TOUCH!!!

Basic bringup

I'm building a custom ROM based on AOSP 15 with minimal configuration, but the system gets stuck before showing the boot logo and reboots after ~70 seconds. The logs repeatedly show the following errors:

[  11.405s][init] Control message: Could not find 'aidl/android.security.maintenance' for ctl.interface_start from pid: 521 (/system/bin/servicemanager)
[  11.483s][init] Control message: Could not find '[email protected]::IKeymasterDevice/default' for ctl.interface_start from pid: 522 (/system/system_ext/bin/hwservicemanager)
...
[  12.405s][init] Control message: Could not find 'aidl/android.security.maintenance' for ctl.interface_start from pid: 521 (/system/bin/servicemanager)
[  12.483s][init] Control message: Could not find '[email protected]::IKeymasterDevice/default' for ctl.interface_start from pid: 522 (/system/system_ext/bin/hwservicemanager)

I fixed the keymaster error by adding [email protected] and [email protected] to PRODUCT_PACKAGES, and that part of the log is now gone.

However, the aidl/android.security.maintenance error persists:

[  11.637s][init] Control message: Could not find 'aidl/android.security.maintenance' for ctl.interface_start from pid: 520 (/system/bin/servicemanager)
...
[  69.678s][init] Control message: Could not find 'aidl/android.security.maintenance' for ctl.interface_start from pid: 520 (/system/bin/servicemanager)
[  70.459s][init] Control message: Could not find 'aidl/android.security.maintenance' for ctl.interface_start from pid: 520 (/system/bin/servicemanager)
[  70.459s][init] InitFatalReboot: signal 6

I’ve tried adding both keystore2 and android.security.maintenance-rust to PRODUCT_PACKAGES, but it didn’t help. Building targets like android.security.maintenance or android.security.maintenance-service using m fails with "unknown target".

Also, m fails entirely due to:

Cannot find framework matrix at FCM version 3: No such file or directory

despite specifying both manifest.xml and compatibility_matrix.xml.

So I build using make systemimage vendorimage, which completes successfully, but the device still fails to boot.

Has anyone faced a similar issue?

Hey,do you know the usb dload mode of Huawei?When you go into erecovery or press all the hardware buttons to power on,then connect usb cable between computer and phone.You will see DBAdapter Reserved Interface Port and PCUI port.Have anyone analyzed these ports?I have seen some paid tools use these port to write imei and send update.app to devices to achieve flashing stock firmware.
I use Wireshark to get the communication between host and phone when using these paid device.

It will send image header first for each image stored in update.app.

Then after receiving the response from phone,the tool starts sending the real image to the phone.But the sended data is different from the data from update.app.
Such as CRC.img,the tool sends

But in update.app,the CRC.img's actually data is

It is completely different!I think the tool encrypts the data before sending the data to the phone.But I don't know what encryption algorithm it uses.
Have anyone know any information about DBAdapter port or the usb dload mode in erecovery?
There is almost no information about them on the Internet.
Need help!Thanks!

Hey,do you know the usb dload mode of Huawei?When you go into erecovery or press all the hardware buttons to power on,then connect usb cable between computer and phone.You will see DBAdapter Reserved Interface Port and PCUI port.Have anyone analyzed these ports?I have seen some paid tools use these port to write imei and send update.app to devices to achieve flashing stock firmware. I use Wireshark to get the communication between host and phone when using these paid device. It will send image header first for each image stored in update.app. Then after receiving the response from phone,the tool starts sending the real image to the phone.But the sended data is different from the data from update.app. Such as CRC.img,the tool sends But in update.app,the CRC.img's actually data is It is completely different!I think the tool encrypts the data before sending the data to the phone.But I don't know what encryption algorithm it uses. Have anyone know any information about DBAdapter port or the usb dload mode in erecovery? There is almost no information about them on the Internet. Need help!Thanks!

Hi,

It’s possible that a paid tool unpacks UPDATE.APP into separate .img files — similar to what Huawei Update Extractor or Android Utility Pro do.

Try extracting UPDATE.APP this way, and then inspect crc.img using:

hexdump -C crc.img

Then compare the result with what the tool is sending (as shown in your third screenshot).

Hey,do you know the usb dload mode of Huawei?When you go into erecovery or press all the hardware buttons to power on,then connect usb cable between computer and phone.You will see DBAdapter Reserved Interface Port and PCUI port.Have anyone analyzed these ports?I have seen some paid tools use these port to write imei and send update.app to devices to achieve flashing stock firmware. I use Wireshark to get the communication between host and phone when using these paid device. It will send image header first for each image stored in update.app. Then after receiving the response from phone,the tool starts sending the real image to the phone.But the sended data is different from the data from update.app. Such as CRC.img,the tool sends But in update.app,the CRC.img's actually data is It is completely different!I think the tool encrypts the data before sending the data to the phone.But I don't know what encryption algorithm it uses. Have anyone know any information about DBAdapter port or the usb dload mode in erecovery? There is almost no information about them on the Internet. Need help!Thanks!

Hi,

It’s possible that a paid tool unpacks UPDATE.APP into separate .img files — similar to what Huawei Update Extractor or Android Utility Pro do.

Try extracting UPDATE.APP this way, and then inspect crc.img using:

hexdump -C crc.img

Then compare the result with what the tool is sending (as shown in your third screenshot).

No,It is also different from CRC.img.

Unfortunately, it seems that we, along with other users, have received too little input data to analyze this issue properly. For example, to unlock the bootloader on devices with a Kirin chip, you can use Android Utility Pro or PotatoNV. Searching for a new flashing method only makes sense if it allows us to flash any custom .img images. Otherwise, we won’t be able to install open-source firmware. Unlocking the bootloader or enabling partition writing is just a small part of the success.

For instance, my phone runs a 4.9.148 kernel from an EMUI 9 firmware, and GSI Android 10 works well with it. However, newer versions of system.img can’t find the 28.cil policy file in the system partition, and booting fails. Because of this, I have to build a custom vendor.img. My issue with 'aidl/android.security.maintenance' might be related to the fact that AOSP 15 can’t register the service through the Binder IPC interface due to the old kernel. The source code for a newer Huawei kernel is available, but I don’t know how to compile it.

As far as I understand, in AOSP, the kernel used for booting is located in boot.img, whereas in Huawei devices, it’s in a separate kernel.img partition limited to 24 MB. It’s unclear whether the kernel can be built separately using toolchains, or if it’s necessary to follow the official guide at https://source.android.com/docs/setup/build/building-kernels, downloading the full environment and placing the kernel source directory into it. Alternatively, maybe there's a way to build it using the AOSP 15 project environment itself — but I’m not sure how to approach it.

Unfortunately, it seems that we, along with other users, have received too little input data to analyze this issue properly. For example, to unlock the bootloader on devices with a Kirin chip, you can use Android Utility Pro or PotatoNV. Searching for a new flashing method only makes sense if it allows us to flash any custom images. Otherwise, we won’t be able to install open-source firmware. Unlocking the bootloader or enabling partition writing is just a small part of the success..img

For instance, my phone runs a 4.9.148 kernel from an EMUI 9 firmware, and GSI Android 10 works well with it. However, newer versions of can’t find the policy file in the system partition, and booting fails. Because of this, I have to build a custom . My issue with might be related to the fact that AOSP 15 can’t register the service through the Binder IPC interface due to the old kernel. The source code for a newer Huawei kernel is available, but I don’t know how to compile it.system.img``28.cil``vendor.img``'aidl/android.security.maintenance'

As far as I understand, in AOSP, the kernel used for booting is located in , whereas in Huawei devices, it’s in a separate partition limited to 24 MB. It’s unclear whether the kernel can be built separately using toolchains, or if it’s necessary to follow the official guide at https://source.android.com/docs/setup/build/building-kernels, downloading the full environment and placing the kernel source directory into it. Alternatively, maybe there's a way to build it using the AOSP 15 project environment itself — but I’m not sure how to approach it.boot.img``kernel.img

Hey,I know a bootrom exploit which allows you to get temporary bootloader unlock without any paid tools.
And if oem unlock commands exists,you can patch fastboot to force it unlock your device!
So we can work together to makecan opensource tool.

Unfortunately, it seems that we, along with other users, have received too little input data to analyze this issue properly. For example, to unlock the bootloader on devices with a Kirin chip, you can use Android Utility Pro or PotatoNV. Searching for a new flashing method only makes sense if it allows us to flash any custom images. Otherwise, we won’t be able to install open-source firmware. Unlocking the bootloader or enabling partition writing is just a small part of the success..img
For instance, my phone runs a 4.9.148 kernel from an EMUI 9 firmware, and GSI Android 10 works well with it. However, newer versions of can’t find the policy file in the system partition, and booting fails. Because of this, I have to build a custom . My issue with might be related to the fact that AOSP 15 can’t register the service through the Binder IPC interface due to the old kernel. The source code for a newer Huawei kernel is available, but I don’t know how to compile it. system.img28.cilvendor.img'aidl/android.security.maintenance' As far as I understand, in AOSP, the kernel used for booting is located in , whereas in Huawei devices, it’s in a separate partition limited to 24 MB. It’s unclear whether the kernel can be built separately using toolchains, or if it’s necessary to follow the official guide at https://source.android.com/docs/setup/build/building-kernels, downloading the full environment and placing the kernel source directory into it. Alternatively, maybe there's a way to build it using the AOSP 15 project environment itself — but I’m not sure how to approach it. boot.imgkernel.img

Hey,I know a bootrom exploit which allows you to get temporary bootloader unlock without any paid tools. And if oem unlock commands exists,you can patch fastboot to force it unlock your device! So we can work together to makecan opensource tool.

@hicode002, hi. I can try to help with developing the utility, but I can’t promise much — I probably have less experience in this area than you do.
I’m not sure how to contact you outside of GitHub to communicate in a more convenient way.

Unfortunately, it seems that we, along with other users, have received too little input data to analyze this issue properly. For example, to unlock the bootloader on devices with a Kirin chip, you can use Android Utility Pro or PotatoNV. Searching for a new flashing method only makes sense if it allows us to flash any custom images. Otherwise, we won’t be able to install open-source firmware. Unlocking the bootloader or enabling partition writing is just a small part of the success..img
For instance, my phone runs a 4.9.148 kernel from an EMUI 9 firmware, and GSI Android 10 works well with it. However, newer versions of can’t find the policy file in the system partition, and booting fails. Because of this, I have to build a custom . My issue with might be related to the fact that AOSP 15 can’t register the service through the Binder IPC interface due to the old kernel. The source code for a newer Huawei kernel is available, but I don’t know how to compile it. system.img28.cilvendor.img'aidl/android.security.maintenance' As far as I understand, in AOSP, the kernel used for booting is located in , whereas in Huawei devices, it’s in a separate partition limited to 24 MB. It’s unclear whether the kernel can be built separately using toolchains, or if it’s necessary to follow the official guide at https://source.android.com/docs/setup/build/building-kernels, downloading the full environment and placing the kernel source directory into it. Alternatively, maybe there's a way to build it using the AOSP 15 project environment itself — but I’m not sure how to approach it. boot.imgkernel.img

Hey,I know a bootrom exploit which allows you to get temporary bootloader unlock without any paid tools. And if oem unlock commands exists,you can patch fastboot to force it unlock your device! So we can work together to makecan opensource tool.

@hicode002, hi. I can try to help with developing the utility, but I can’t promise much — I probably have less experience in this area than you do. I’m not sure how to contact you outside of GitHub to communicate in a more convenient way.

Hey,you can telegram me.
t.me/hicode002

Unfortunately, it seems that we, along with other users, have received too little input data to analyze this issue properly. For example, to unlock the bootloader on devices with a Kirin chip, you can use Android Utility Pro or PotatoNV. Searching for a new flashing method only makes sense if it allows us to flash any custom images. Otherwise, we won’t be able to install open-source firmware. Unlocking the bootloader or enabling partition writing is just a small part of the success..img
For instance, my phone runs a 4.9.148 kernel from an EMUI 9 firmware, and GSI Android 10 works well with it. However, newer versions of can’t find the policy file in the system partition, and booting fails. Because of this, I have to build a custom . My issue with might be related to the fact that AOSP 15 can’t register the service through the Binder IPC interface due to the old kernel. The source code for a newer Huawei kernel is available, but I don’t know how to compile it. system.img28.cilvendor.img'aidl/android.security.maintenance' As far as I understand, in AOSP, the kernel used for booting is located in , whereas in Huawei devices, it’s in a separate partition limited to 24 MB. It’s unclear whether the kernel can be built separately using toolchains, or if it’s necessary to follow the official guide at https://source.android.com/docs/setup/build/building-kernels, downloading the full environment and placing the kernel source directory into it. Alternatively, maybe there's a way to build it using the AOSP 15 project environment itself — but I’m not sure how to approach it. boot.imgkernel.img

Hey,I know a bootrom exploit which allows you to get temporary bootloader unlock without any paid tools. And if oem unlock commands exists,you can patch fastboot to force it unlock your device! So we can work together to makecan opensource tool.

@hicode002, hi. I can try to help with developing the utility, but I can’t promise much — I probably have less experience in this area than you do. I’m not sure how to contact you outside of GitHub to communicate in a more convenient way.

Hey,you can telegram me. t.me/hicode002

Hi @hicode002! I tried using your Telegram contact, but it seems like the account is currently suspended or unavailable. Just wanted to check in — is everything alright?

Unfortunately, it seems that we, along with other users, have received too little input data to analyze this issue properly. For example, to unlock the bootloader on devices with a Kirin chip, you can use Android Utility Pro or PotatoNV. Searching for a new flashing method only makes sense if it allows us to flash any custom images. Otherwise, we won’t be able to install open-source firmware. Unlocking the bootloader or enabling partition writing is just a small part of the success..img
For instance, my phone runs a 4.9.148 kernel from an EMUI 9 firmware, and GSI Android 10 works well with it. However, newer versions of can’t find the policy file in the system partition, and booting fails. Because of this, I have to build a custom . My issue with might be related to the fact that AOSP 15 can’t register the service through the Binder IPC interface due to the old kernel. The source code for a newer Huawei kernel is available, but I don’t know how to compile it. system.img28.cilvendor.img'aidl/android.security.maintenance' As far as I understand, in AOSP, the kernel used for booting is located in , whereas in Huawei devices, it’s in a separate partition limited to 24 MB. It’s unclear whether the kernel can be built separately using toolchains, or if it’s necessary to follow the official guide at https://source.android.com/docs/setup/build/building-kernels, downloading the full environment and placing the kernel source directory into it. Alternatively, maybe there's a way to build it using the AOSP 15 project environment itself — but I’m not sure how to approach it. boot.imgkernel.img

Hey,I know a bootrom exploit which allows you to get temporary bootloader unlock without any paid tools. And if oem unlock commands exists,you can patch fastboot to force it unlock your device! So we can work together to makecan opensource tool.

@hicode002, hi. I can try to help with developing the utility, but I can’t promise much — I probably have less experience in this area than you do. I’m not sure how to contact you outside of GitHub to communicate in a more convenient way.

Hey,you can telegram me. t.me/hicode002

Hi @hicode002! I tried using your Telegram contact, but it seems like the account is currently suspended or unavailable. Just wanted to check in — is everything alright?

t.me/hicode003