WEBVTT 1 00:00:00.160 --> 00:00:03.200 Have you ever peered beyond the apps and the sleek 2 00:00:03.240 --> 00:00:06.839 interface of your Android phone and wondered what truly makes 3 00:00:06.879 --> 00:00:11.000 it tick? Today, we're not just scratching the surface. We're 4 00:00:11.000 --> 00:00:13.960 taking a deep dive into Android's core internals. 5 00:00:14.080 --> 00:00:16.519 Yeah, getting into the nuts and bolts exactly. 6 00:00:16.760 --> 00:00:19.719 We're going straight to the source with insights from Jonathan 7 00:00:19.800 --> 00:00:25.079 Levin's Android Internals, a Confectioner's cookbook, Volume one. And this 8 00:00:25.160 --> 00:00:28.559 book it's written specifically for you, the power user, right. 9 00:00:28.879 --> 00:00:31.280 And what's truly fascinating about this source, I think is 10 00:00:31.320 --> 00:00:34.920 that it's not some dry technical manual just for developers, 11 00:00:35.159 --> 00:00:37.560 not at all. No, it's more of a conceptual journey. 12 00:00:37.960 --> 00:00:41.000 It's rich with illustrations, and it's really designed to give 13 00:00:41.000 --> 00:00:44.600 you a profound understanding without getting totally lost and lines 14 00:00:44.640 --> 00:00:47.439 and lines of code. Okay, So our mission here is 15 00:00:47.479 --> 00:00:51.359 to distill those essential nuggets of knowledge, basically offer you 16 00:00:51.399 --> 00:00:55.320 a shortcut to mastering the very foundations of well, the 17 00:00:55.359 --> 00:00:57.200 world's most popular operating system. 18 00:00:57.439 --> 00:01:00.520 And what a mission it is. So, whether you're maybe 19 00:01:00.560 --> 00:01:03.320 brushing up for a meeting, exploring a new field, or 20 00:01:03.399 --> 00:01:09.400 just driven by insatiable curiosity, prepare for some genuine aha 21 00:01:09.680 --> 00:01:13.959 moments will navigate Androids a unique design. It's sophisticated file system, 22 00:01:14.400 --> 00:01:19.480 the intricate boot process, and those silent services that keep 23 00:01:19.519 --> 00:01:22.640 it all running smoothly, always with its Linux foundations in mind. 24 00:01:22.680 --> 00:01:24.120 Of course, Absolutely, you're. 25 00:01:23.959 --> 00:01:28.000 About to gain a thorough understanding, hopefully without the information overload. 26 00:01:28.159 --> 00:01:28.959 Yeah, that's the plan. 27 00:01:29.239 --> 00:01:32.840 So to begin, let's consider the unique lens we're getting here. 28 00:01:33.000 --> 00:01:36.120 Jonathan Lovin, our author, He brings a remarkable journey to 29 00:01:36.159 --> 00:01:40.200 this book. We're talking Unix, Linux, Windows, OSX and deep 30 00:01:40.239 --> 00:01:43.480 into security, right, a broad background, and he recognized that 31 00:01:43.640 --> 00:01:48.239 understanding security is and I quote largely a projection of internals, 32 00:01:48.840 --> 00:01:51.640 which is well a profound insight when you think about it, 33 00:01:51.640 --> 00:01:52.159 it really is. 34 00:01:52.239 --> 00:01:54.319 It shapes how you look at security problems. 35 00:01:54.519 --> 00:01:58.079 He's tackled Apple's operating systems before, but this Android book 36 00:01:58.200 --> 00:02:01.840 it's his first self published work, and it's crafted specifically 37 00:02:01.920 --> 00:02:06.760 to give you the power user, this deeper conceptual understanding. 38 00:02:07.280 --> 00:02:10.560 It's a perspective rooted in like decades of hands on 39 00:02:10.719 --> 00:02:11.759 system analysis. 40 00:02:12.080 --> 00:02:16.240 That background is so crucial because it immediately helps us 41 00:02:16.240 --> 00:02:20.240 tackle a common misconception when people say Android is built 42 00:02:20.319 --> 00:02:23.919 on Linux. I mean, how true is that really question. 43 00:02:24.080 --> 00:02:27.520 Levin makes it super clear, it's not just another Linux distribution. 44 00:02:27.639 --> 00:02:28.000 Okay. 45 00:02:28.080 --> 00:02:30.199 Well, the kernel, the absolute core of the OS, it 46 00:02:30.240 --> 00:02:32.520 shares a lot with standard Linux, yes, But the user 47 00:02:32.520 --> 00:02:34.919 mode side, so everything above the kernel, that's where it 48 00:02:34.960 --> 00:02:40.439 diverges significantly. Well, we see two entirely new components that 49 00:02:40.439 --> 00:02:44.159 are pure androidisms, as he calls them. First the Delphic runtime, 50 00:02:44.199 --> 00:02:47.680 which has since evolved into art the Android runtime, and 51 00:02:47.879 --> 00:02:51.120 second the hardware distraction layer usually called the HL. It 52 00:02:51.159 --> 00:02:54.199 basically provides a uniform interface to all the different device 53 00:02:54.240 --> 00:02:55.159 hardware out there. 54 00:02:55.080 --> 00:02:59.000 Like a translator between the software and the specific chips exactly. 55 00:02:59.120 --> 00:03:02.360 And on top of that, Android uses a custom in 56 00:03:02.439 --> 00:03:05.400 it process, not the traditional Linux one, and the BIONICC 57 00:03:05.560 --> 00:03:08.960 library instead of the standard glib. These aren't just minor tweaks. 58 00:03:09.240 --> 00:03:10.879 All sounds fundamental they are. 59 00:03:10.919 --> 00:03:16.840 They're fundamental architectural choices that make Android distinct and uniquely 60 00:03:16.879 --> 00:03:20.400 optimized for the constraints of mobile devices. I think battery 61 00:03:20.439 --> 00:03:22.039 life memory limits. 62 00:03:21.840 --> 00:03:25.960 That distinction Linux foundation, but with its own unique, highly 63 00:03:26.000 --> 00:03:29.599 specialized architecture that's really key. It makes you wonder how 64 00:03:29.599 --> 00:03:34.479 did these early architectural choices shape androids incredibly rapid evolution. 65 00:03:34.759 --> 00:03:35.680 Yeah, it's been fast. 66 00:03:35.879 --> 00:03:38.319 I mean we've seen a dozen major versions, twenty one 67 00:03:38.360 --> 00:03:41.280 API levels in just what seven years since it started? 68 00:03:41.719 --> 00:03:44.120 From a power users standpoint? What were some of those 69 00:03:44.199 --> 00:03:47.000 pivotal system level changes that really made a difference? 70 00:03:47.439 --> 00:03:50.400 Okay, yeah, we connect this to Android's bigger story. Several 71 00:03:50.479 --> 00:03:54.479 versions definitely stand out. They introduce core innovations that fundamentally 72 00:03:54.520 --> 00:03:57.919 altered how Android worked and well how we interact with it. 73 00:03:58.039 --> 00:04:02.000 Which ones Let's start with Froyo twenty ten. This release 74 00:04:02.120 --> 00:04:05.159 wasn't just about giving users more space by letting them 75 00:04:05.159 --> 00:04:07.159 install apps on sd cards tho. 76 00:04:07.240 --> 00:04:08.639 That was big at the time, it. 77 00:04:08.560 --> 00:04:11.000 Was huge, but it was also a critical response to 78 00:04:11.039 --> 00:04:15.680 the exploding app ecosystem, and crucially, it introduced Android Secure 79 00:04:15.719 --> 00:04:17.160 Containers accacs. 80 00:04:17.199 --> 00:04:17.360 Yeah. 81 00:04:17.399 --> 00:04:20.560 I think of ATC as like a secure encrypted vault 82 00:04:20.720 --> 00:04:24.000 for those app files, especially when they're on typically less 83 00:04:24.040 --> 00:04:28.480 secure removable storage. It helped mitigate the new security risks 84 00:04:28.560 --> 00:04:29.959 that came with that flexibility. 85 00:04:30.120 --> 00:04:32.600 Ah, okay, makes sense. What came next? 86 00:04:32.759 --> 00:04:36.040 Then you have Jellybean around twenty twelve twenty thirteen. This 87 00:04:36.079 --> 00:04:39.399 brought multi user support, initially just for tablets, but it 88 00:04:39.439 --> 00:04:40.279 was a massive. 89 00:04:40.000 --> 00:04:43.120 Shift like different logins on one device, exactly. 90 00:04:42.759 --> 00:04:46.040 Separate user interfaces, isolated data just on a desktop. And 91 00:04:46.079 --> 00:04:48.720 for security, it also introduced selnicx to Android. That's a 92 00:04:48.759 --> 00:04:50.480 mandatory access control framework. 93 00:04:50.720 --> 00:04:54.000 Mandatory access control. How's that different from regular permissions? 94 00:04:54.079 --> 00:04:57.519 Well, unlike traditional Linux permissions which are kind of voluntary, 95 00:04:58.360 --> 00:05:02.720 selinicx proactively forces a really strict policy. It's like an 96 00:05:02.720 --> 00:05:06.600 omnipresent security guard, making sure every process only does exactly 97 00:05:06.639 --> 00:05:09.319 what it's explicitly allowed to do, no exceptions. 98 00:05:09.519 --> 00:05:11.920 Wow, okay, sounds strict. 99 00:05:11.759 --> 00:05:16.279 It is and very effective. Jellybean also closed a significant 100 00:05:16.360 --> 00:05:21.959 USB debugging hole by forcing authentication over ADB, another security. 101 00:05:21.480 --> 00:05:24.399 Plus good move. What about KitKat twenty thirteen? 102 00:05:24.600 --> 00:05:28.160 KitKat brought some really clever under the hood optimizations focus 103 00:05:28.199 --> 00:05:28.759 squarely on. 104 00:05:28.759 --> 00:05:31.720 Battery life, always important on mobile definitely. 105 00:05:31.560 --> 00:05:35.160 The implemented timer coalescing and sensor batching. These are intelligent 106 00:05:35.240 --> 00:05:38.959 strategies to basically group together multiple small system events or 107 00:05:39.120 --> 00:05:42.399 sensor readings into single, less frequent operations. 108 00:05:41.879 --> 00:05:43.240 So waking the phone up less. 109 00:05:43.000 --> 00:05:46.199 Often, precisely, instead of waking the system constantly for individual 110 00:05:46.240 --> 00:05:48.360 little updates. Yeah, it would collect them and process them 111 00:05:48.399 --> 00:05:52.480 all at once. Saved significant power Kitcat also introduced dm verity. 112 00:05:52.560 --> 00:05:55.720 Dm verity Yeah, it provides cryptographic integrity checking for the 113 00:05:55.759 --> 00:05:59.720 system partition. It's essentially a digital fingerprint that ensures the 114 00:05:59.720 --> 00:06:02.040 core operating system hasn't been tampered. 115 00:06:01.680 --> 00:06:04.720 With, So checking if the OS files are still the 116 00:06:04.759 --> 00:06:06.040 original trusted. 117 00:06:05.720 --> 00:06:08.240 Ones exactly a really important security feature, okay. 118 00:06:08.240 --> 00:06:11.439 And then Lollipop in twenty fourteen that felt like a huge. 119 00:06:11.160 --> 00:06:16.079 Overhaul, monumental visually, yes, it was material design, but internally 120 00:06:16.480 --> 00:06:19.399 the big news was it fully adopted the Android Run 121 00:06:19.439 --> 00:06:24.759 Time RT, replacing delvic correct and RT was a huge shift. 122 00:06:25.079 --> 00:06:29.040 It compiles application code ahead of time AOT, meaning meaning 123 00:06:29.040 --> 00:06:32.519 it translates the app's code into native machine instructions before 124 00:06:32.560 --> 00:06:34.800 the app even runs, usually during installation. 125 00:06:34.959 --> 00:06:37.959 Ah okay, not just in time like Delva right. 126 00:06:38.120 --> 00:06:41.439 This results in significantly faster application launch times and much 127 00:06:41.439 --> 00:06:44.519 smoother performance overall, especially when paired with its new sixty 128 00:06:44.560 --> 00:06:48.720 four bit architecture support. Lollipop also launched Project. 129 00:06:48.439 --> 00:06:50.360 Volta Volta Battery Improvements again. 130 00:06:50.519 --> 00:06:53.040 Yep, the whole set of improvements for better battery life, 131 00:06:53.120 --> 00:06:55.959 plus more detailed power monitoring tools so you can get 132 00:06:56.000 --> 00:06:58.600 more insight into what's draining your device useful. 133 00:06:59.160 --> 00:07:03.519 And finally, the M Preview in twenty fifteen, M, which. 134 00:07:03.319 --> 00:07:08.000 Became Marshmallow, built further on power management. It introduced dose mode. 135 00:07:08.319 --> 00:07:08.639 Dose. 136 00:07:08.839 --> 00:07:11.519 Yeah, this clever feature detects when your device has been 137 00:07:11.560 --> 00:07:13.920 idle for a long time, like sitting on your nightstand overnight. 138 00:07:14.279 --> 00:07:16.839 It puts it into a much deeper sleep state. Okay, 139 00:07:17.160 --> 00:07:21.439 it only allows brief periodic wakeups for really essential app sinking, 140 00:07:21.959 --> 00:07:25.879 dramatically improving battery life during those long idle periods. M 141 00:07:25.959 --> 00:07:30.040 also extended full data encryption to external storage, boosting overall 142 00:07:30.120 --> 00:07:30.920 data security. 143 00:07:31.199 --> 00:07:33.959 That's a fascinating evolution. You can really see it being 144 00:07:34.000 --> 00:07:37.240 driven by both user demands like more storage and better battery, 145 00:07:37.279 --> 00:07:39.959 and also the unique constraints of mobile computing. 146 00:07:40.040 --> 00:07:41.759 Absolutely, it's a constant balancing act. 147 00:07:42.000 --> 00:07:45.759 So with all these unique components RTHL, the specialized services 148 00:07:45.759 --> 00:07:48.600 and the apps we install, where do they actually live 149 00:07:48.639 --> 00:07:52.759 on the device? Let's crack open? Metaphorically speaking, Android's internal 150 00:07:52.759 --> 00:07:55.439 filing system you said is far more sophisticated than a 151 00:07:55.480 --> 00:07:56.600 simple desktop OS. 152 00:07:56.959 --> 00:08:01.519 It really is. Android uses a complex moultipartition storage scheme. 153 00:08:01.879 --> 00:08:05.199 The specifics might vary a bit between manufacturers or even devices. 154 00:08:05.519 --> 00:08:08.319 But you will primarily encounter three critical partitions. 155 00:08:08.439 --> 00:08:09.360 Okay, what are they? 156 00:08:09.639 --> 00:08:13.560 First, there's system. This is the heart of Android. It's 157 00:08:13.600 --> 00:08:16.319 home to the core OS, all the Google supplied binaries, 158 00:08:16.480 --> 00:08:20.079 the core frameworks, everything that makes Android androids right. Crucially, 159 00:08:20.120 --> 00:08:23.680 it's designed to be mounted read only for security. 160 00:08:23.279 --> 00:08:26.519 So apps can't just change core OS file exactly. 161 00:08:26.720 --> 00:08:29.160 And as we mentioned with KitKat, dm verity, which is 162 00:08:29.160 --> 00:08:31.600 actually a feature of the Linux device map or subsystem, 163 00:08:32.039 --> 00:08:35.080 acts like that, cryptographic checks them. It ensures the system 164 00:08:35.120 --> 00:08:38.200 partition hasn't been tampered with. It's a significant defense and 165 00:08:38.240 --> 00:08:38.960 depth measure. 166 00:08:39.159 --> 00:08:41.759 Okay, system is the read only OS core. What else? 167 00:08:41.879 --> 00:08:44.240 Then? You have data. This is your space. It houses 168 00:08:44.279 --> 00:08:48.559 all your user data, your installed applications, their private data settings, everything. 169 00:08:48.279 --> 00:08:50.080 My photos, my app settings. 170 00:08:49.720 --> 00:08:52.279 All that stuff. And within data data, each app gets 171 00:08:52.320 --> 00:08:56.480 its own unique reverse DNS name subdirectory like comm dot 172 00:08:56.480 --> 00:09:00.480 example dot myapp. This provides script isolation between app. 173 00:09:00.519 --> 00:09:03.639 So one app can't easily peek into another's private files. 174 00:09:03.879 --> 00:09:06.759 Not easily, No, that's the point. And to protect your 175 00:09:06.759 --> 00:09:10.799 privacy further, this entire data partition can be encrypted. This 176 00:09:10.840 --> 00:09:14.399 feature was enabled by default starting with Lollipop using another 177 00:09:14.440 --> 00:09:18.679 device mapp or mechanism called dmcrypt. It encrypts data before 178 00:09:18.720 --> 00:09:20.519 it's even written to the physical. 179 00:09:20.120 --> 00:09:24.080 Storage, so even if someone physically gets the storage chip, 180 00:09:24.360 --> 00:09:26.840 the data is scrambled pretty much. 181 00:09:26.919 --> 00:09:28.200 Yes, without the key, it's just. 182 00:09:28.200 --> 00:09:30.399 Noise, okay, system data. What's through one. 183 00:09:30.480 --> 00:09:33.720 The third main one is cash. It's often overlooked, but 184 00:09:33.799 --> 00:09:37.440 it's vital for things like over the air or OTA 185 00:09:37.519 --> 00:09:41.320 updates and system recovery. It's where validated update packages are 186 00:09:41.320 --> 00:09:43.279 temporarily stored before they get installed. 187 00:09:43.360 --> 00:09:45.480 Ah, temporary storage for updates. 188 00:09:45.600 --> 00:09:48.120 Right and beyond these main partitions, we also have something 189 00:09:48.120 --> 00:09:51.240 called opaque binary blobs or obb's. 190 00:09:51.600 --> 00:09:54.360 OBB sounds mysterious, ah a little. 191 00:09:54.600 --> 00:09:58.279 They weren't true partitions themselves. They basically allow developers to 192 00:09:58.320 --> 00:10:01.080 package up large amounts of additional data up to two 193 00:10:01.120 --> 00:10:04.600 GB for their apps. Think big game assets, high res maps, 194 00:10:04.679 --> 00:10:06.120 multimedia files. 195 00:10:05.840 --> 00:10:09.159 Stuff that doesn't fit easily in the main app package exactly. 196 00:10:09.320 --> 00:10:13.759 These are typically encrypted vfat filesystem images. They get mounted 197 00:10:13.799 --> 00:10:16.679 on demand by a background service, a demon called vold, 198 00:10:17.039 --> 00:10:20.480 again leveraging the kernel's device mapper. It all happens pretty 199 00:10:20.480 --> 00:10:22.279 transparently to the application itself. 200 00:10:22.440 --> 00:10:26.000 Interesting. So we have these real storage partitions backed by 201 00:10:26.039 --> 00:10:30.480 physical flash memory. But you also mentioned pseudo filesystems. That 202 00:10:30.720 --> 00:10:34.919 sounds different. What exactly are those and what vital role 203 00:10:35.080 --> 00:10:35.720 do they play. 204 00:10:35.799 --> 00:10:40.159 Pseudo filesystems are indeed fascinating and really important for understanding 205 00:10:40.159 --> 00:10:44.120 how Android works under the hood. Unlike system or data, 206 00:10:44.240 --> 00:10:46.200 they aren't backed by physical storage at all. 207 00:10:46.320 --> 00:10:48.200 No files on a chip somewhere, nope. 208 00:10:48.440 --> 00:10:52.200 Instead, they're maintained dynamically directly by the kernel using in 209 00:10:52.320 --> 00:10:55.879 memory data structures and special functions called callbacks. Think of 210 00:10:55.879 --> 00:10:58.679 them as dynamic windows into the kernel's live operations in 211 00:10:58.759 --> 00:11:02.320 current state, like a live That's a great analogy. For instance, 212 00:11:02.639 --> 00:11:05.080 prof SIMS. The process file system is essential for tools 213 00:11:05.120 --> 00:11:07.519 like top or profits. It gives you a live view 214 00:11:07.559 --> 00:11:10.720 and all the running processes and threads, their memory usage, 215 00:11:10.799 --> 00:11:15.320 CPU time, et cetera. Then there's CYFTS. This allows userspace programs, 216 00:11:15.480 --> 00:11:19.360 even simple shell commands, to directly query and sometimes interact 217 00:11:19.360 --> 00:11:22.919 with hardware devices managed by the kernel like how well. 218 00:11:22.919 --> 00:11:26.440 For example, you could potentially control your device's vibrator by 219 00:11:26.440 --> 00:11:30.679 simply writing a millisecond value to a specific file within CIFTS. 220 00:11:31.240 --> 00:11:34.360 Maybe something like cysclass dons output vibrator or noble. 221 00:11:34.480 --> 00:11:36.879 Seriously, you can just write to a file to make 222 00:11:36.919 --> 00:11:37.519 the phone. 223 00:11:37.360 --> 00:11:41.080 Vibrate in many cases. Yes. Other important ones include debugs 224 00:11:41.080 --> 00:11:44.840 for debugging kernel features and selenics for interacting with the 225 00:11:44.879 --> 00:11:48.840 Selenic security subsystem. The key thing is these file systems 226 00:11:48.879 --> 00:11:51.440 always reflect the most up to date data from the kernel, 227 00:11:51.960 --> 00:11:55.679 and changes made to writeable files here often take effect immediately, 228 00:11:55.960 --> 00:11:58.159 though they usually don't persist across reboots. 229 00:11:58.240 --> 00:12:00.759 So wow, we have these distinct partitions for the OS 230 00:12:00.759 --> 00:12:04.399 and user data, physical storage obbs for extra app data 231 00:12:04.440 --> 00:12:07.559 in these dynamic pseudo filesystems, reflecting the live kernel state 232 00:12:08.080 --> 00:12:10.480 with all its complexity. How does an Android device even 233 00:12:10.519 --> 00:12:13.480 begin to start up? It sounds like an incredibly intricate 234 00:12:13.600 --> 00:12:15.600 dance to bring the whole system online. 235 00:12:15.799 --> 00:12:19.039 It truly is an intricate choreography, as Levin puts it, 236 00:12:19.279 --> 00:12:21.679 and it starts long before you even see the Android 237 00:12:21.679 --> 00:12:22.360 logo pop. 238 00:12:22.240 --> 00:12:23.679 Up, Before Android itself. 239 00:12:23.799 --> 00:12:27.240 Yeah, the process begins deep down to the device's firmware. 240 00:12:27.440 --> 00:12:30.000 This is somewhat like a PC's BIOS or U e 241 00:12:30.159 --> 00:12:34.519 fi on modern system on chip or soaky devices. This 242 00:12:34.720 --> 00:12:38.519 initial phase is actually quite complex. It involves various specialized 243 00:12:38.559 --> 00:12:43.799 subprocessors working together like Qualcom's RPM create cores, Adrino GPU, 244 00:12:44.039 --> 00:12:48.240 Hexagon DSP, each managing critical hardware tasks, making sure the 245 00:12:48.240 --> 00:12:51.480 basic system is stable and ready before the main Android 246 00:12:51.519 --> 00:12:53.320 bootloader even gets loaded. 247 00:12:53.279 --> 00:12:56.240 So the chip itself has its own little startup sequence exactly. 248 00:12:56.559 --> 00:12:59.799 This initial firmware then loads a secondary bootloader, which eventually 249 00:13:00.279 --> 00:13:02.679 control off to Android's own bootloader. 250 00:13:02.879 --> 00:13:05.080 Okay, now we're getting closer to Android. 251 00:13:04.759 --> 00:13:07.759 Right, and most Android bootloaders support the fast boot protocol. 252 00:13:08.159 --> 00:13:10.440 This is a simple text based mechanism that works over 253 00:13:10.480 --> 00:13:11.360 a USB connection. 254 00:13:11.679 --> 00:13:14.759 Ah, I've heard a fast boot for flashing realms and stuff. 255 00:13:14.799 --> 00:13:17.879 Precisely, it's how power users can flash new system images, 256 00:13:18.039 --> 00:13:21.279 update individual components like the radio, firmware, or even oma, 257 00:13:21.360 --> 00:13:22.639 unlock their device. 258 00:13:22.600 --> 00:13:23.639 Unlocking the bootloader. 259 00:13:23.759 --> 00:13:26.879 Kiss and it's important to remember while unlocking, freeze your 260 00:13:26.919 --> 00:13:29.559 phone to load custom firmware and allows for all sorts 261 00:13:29.600 --> 00:13:33.000 of modifications. It also completely wipes your data. 262 00:13:32.759 --> 00:13:34.759 Partition wipes everything wire. 263 00:13:34.600 --> 00:13:37.759 For security, it prevents an attacker from just unlocking your 264 00:13:37.759 --> 00:13:40.799 device to bypass your PI or password and then copying 265 00:13:40.799 --> 00:13:43.600 off all your personal data from data. It's a critical safeguard. 266 00:13:43.759 --> 00:13:46.120 Makes sense so after the bootloader does its thing. 267 00:13:46.480 --> 00:13:49.480 After its work, the bootloader loads the boot image. This 268 00:13:49.559 --> 00:13:52.879 series typically contains two key things, right, the Linux kernel 269 00:13:52.919 --> 00:13:56.799 itself and an initial RAM disc or any tramps. 270 00:13:56.840 --> 00:13:58.879 Any tramps like a temporary file. 271 00:13:58.679 --> 00:14:01.440 System sort of. But unlike traditional Linux, where the an 272 00:14:01.559 --> 00:14:04.200 TRAMS is usually discarded after the real root file system 273 00:14:04.279 --> 00:14:07.679 is mounted, Android keeps this inny trams resident in memory. 274 00:14:07.879 --> 00:14:11.279 It actually provides the initial root file system environment. Okay, 275 00:14:11.600 --> 00:14:14.159 And from within this inne trams environment, the kernel then 276 00:14:14.240 --> 00:14:18.399 launches the pivotal INNY process. This process gets process ID 277 00:14:18.519 --> 00:14:19.600 one or PID one. 278 00:14:19.639 --> 00:14:21.360 PID one the first one. 279 00:14:21.200 --> 00:14:24.440 The very first user space process started by the kernel. 280 00:14:25.000 --> 00:14:27.879 It's responsible for launching basically everything else in the user 281 00:14:27.919 --> 00:14:32.360 mode world, and famously in Unix like systems, PID one 282 00:14:32.639 --> 00:14:36.279 is special. You can't kill it. This marks that critical 283 00:14:36.320 --> 00:14:39.519 transition from kernel mode operation to user mode operation. 284 00:14:39.879 --> 00:14:43.080 Right, that transition from kernel to user mode orchestrated by 285 00:14:43.080 --> 00:14:45.879 in knit as PID one, that's where the Android system 286 00:14:45.919 --> 00:14:49.080 we actually interact with really begins to take shape. You 287 00:14:49.159 --> 00:14:52.320 called it the progenitor of all other processes. What are 288 00:14:52.360 --> 00:14:55.320 the core responsibilities of this innit process? Why is it 289 00:14:55.360 --> 00:14:56.200 so foundational? 290 00:14:56.480 --> 00:14:58.799 In it is absolutely foundational, I mean just like it's 291 00:14:58.919 --> 00:15:02.080 Unix namesake. Its primary job is to bring the rest 292 00:15:02.080 --> 00:15:03.360 of the system up in user mode. 293 00:15:03.399 --> 00:15:04.360 How does it know what to do? 294 00:15:04.720 --> 00:15:08.039 It achieves this by parsing its configuration files. These are 295 00:15:08.080 --> 00:15:10.240 known as dot rc files, typically found in the root 296 00:15:10.279 --> 00:15:13.639 directory and system mets in it. These files are essentially scripts. 297 00:15:13.679 --> 00:15:16.080 They contain commands and declarations that tell an in which 298 00:15:16.080 --> 00:15:20.080 services to start, which filesystems mounting, system read only and 299 00:15:20.159 --> 00:15:23.039 data read write, and what permissions and ownership to set 300 00:15:23.080 --> 00:15:24.679 on various files and device nodes. 301 00:15:24.960 --> 00:15:28.559 So it's like the master script for booting Android pretty much. 302 00:15:28.639 --> 00:15:32.559 Yeah. It also manages system properties. These are dynamic configuration 303 00:15:32.679 --> 00:15:35.759 values kind of like global variables for the system. They 304 00:15:35.759 --> 00:15:39.360 get read initially from files like default dot prop and 305 00:15:39.519 --> 00:15:42.720 system build dot prop. That build dot prop file contains 306 00:15:42.879 --> 00:15:46.039 tons of info about your specific device bill okay and 307 00:15:46.080 --> 00:15:49.399 beyond just starting things, and it takes on additional critical roles. 308 00:15:49.519 --> 00:15:53.120 It acts as evented listening for kernel events, signaling hardware 309 00:15:53.200 --> 00:15:56.279 changes like when you plug in headphones or a USB drive, 310 00:15:56.519 --> 00:16:00.200 and takes appropriate action. It also incorporates watchdog functionality to 311 00:16:00.240 --> 00:16:03.759 monitor system health and potentially reboot if things get stuck. 312 00:16:03.960 --> 00:16:07.559 So it starts everything, manages configuration, and keeps an eye 313 00:16:07.600 --> 00:16:09.200 on hardware and system health. 314 00:16:09.360 --> 00:16:12.559 In essence, yes, and it dictates how the entire Android 315 00:16:12.639 --> 00:16:15.759 system starts up and ensures that vital services are launched 316 00:16:15.759 --> 00:16:19.399 and maintained. It's designed to be incredibly robust, and importantly, 317 00:16:19.440 --> 00:16:22.080 its operation can't be easily altered from user space. Once 318 00:16:22.120 --> 00:16:26.159 the system is running, any significant modification usually requires flashing 319 00:16:26.159 --> 00:16:28.279 a new, properly signed boot image. 320 00:16:28.399 --> 00:16:31.600 Okay, so in it is the grand conductor for the 321 00:16:31.639 --> 00:16:37.000 whole startup orchestra. But beyond that initial orchestrator, Android runs 322 00:16:37.360 --> 00:16:42.000 countless background services. These demons that handle everything from network 323 00:16:42.000 --> 00:16:45.519 connections to crash reports. Let's maybe highlight a few of 324 00:16:45.559 --> 00:16:48.360 the most critical ones that keep your phone running seamlessly 325 00:16:48.440 --> 00:16:49.279 behind the scenes. 326 00:16:49.480 --> 00:16:53.240 Absolutely, these demons are the silent workhourses. You're right, They 327 00:16:53.279 --> 00:16:56.360 operate tirelessly in the background, and you often only notice 328 00:16:56.360 --> 00:16:58.279 them well when something goes wrong. 329 00:16:58.440 --> 00:16:59.519 Which ones are essential? 330 00:16:59.639 --> 00:17:03.759 Okay? First up service manager. Think of this as Android's 331 00:17:03.919 --> 00:17:07.160 central phone book or directory for almost all other operating 332 00:17:07.200 --> 00:17:10.799 system services. The phone book, Yeah, any application or system 333 00:17:10.839 --> 00:17:13.559 component that needs to interact with another core service. Say 334 00:17:13.880 --> 00:17:16.799 asking the location manager for GPS data, or telling the 335 00:17:16.839 --> 00:17:19.960 window manager to draw something, or accessing the camera service, 336 00:17:20.319 --> 00:17:24.240 it must first consult Service Manager. It asks service manager 337 00:17:24.279 --> 00:17:27.440 for a reference like a handle to that specific service, 338 00:17:27.519 --> 00:17:31.000 so it connects everything. It's the central hub for finding services. Yes, 339 00:17:31.680 --> 00:17:36.279 Without it, interprocess communication or IPC would be severely crippled. 340 00:17:36.920 --> 00:17:39.680 Services couldn't even register their presence within the system for 341 00:17:39.759 --> 00:17:43.240 others to find them. Its actual code is surprisingly small, 342 00:17:43.599 --> 00:17:46.759 but its importance to the entire Android framework is immense. 343 00:17:46.960 --> 00:17:50.000 Okay, service Manager is the connector what else next? 344 00:17:50.400 --> 00:17:53.759 Zygote. This is one of Android's most unique and highly 345 00:17:53.799 --> 00:17:57.480 optimized innovations, specifically for launching applications quickly. 346 00:17:57.759 --> 00:17:59.880 Zygote like the biological. 347 00:17:59.319 --> 00:18:03.240 Term exactly because it forks. Instead of each app starting 348 00:18:03.240 --> 00:18:06.640 its own full Java virtual machine from scratch, which would 349 00:18:06.640 --> 00:18:11.119 be slow in memory intensive, Zygote preloads the core libraries 350 00:18:11.559 --> 00:18:14.279 it starts up early in the boat process, initializes a 351 00:18:14.359 --> 00:18:17.720 Dalvic VM or now IRT, and preloads all the common 352 00:18:17.759 --> 00:18:20.039 Android framework classes and resources into. 353 00:18:19.880 --> 00:18:21.920 Memory, so it gets everything ready beforehand. 354 00:18:22.000 --> 00:18:24.359 Precisely, when you tap an app icon to launch it, 355 00:18:24.640 --> 00:18:27.319 the system doesn't start a new VM. Instead it tells 356 00:18:27.400 --> 00:18:30.440 Zygot to fork itself. Forking creates a near instant copy 357 00:18:30.480 --> 00:18:34.200 of the zydote process, inheriting all that preloaded goodness. This 358 00:18:34.240 --> 00:18:36.960 new process then specializes itself into the app you wanted 359 00:18:36.960 --> 00:18:37.359 to run. 360 00:18:37.680 --> 00:18:40.079 Ah, so it's like having a runner already warmed up 361 00:18:40.119 --> 00:18:41.559 and waiting right at the finish line. 362 00:18:41.599 --> 00:18:45.079 That's a perfect analogy. Camping by the finish line. It 363 00:18:45.200 --> 00:18:49.559 dramatically decreases application startup time by maximizing shared memory. This 364 00:18:49.720 --> 00:18:53.440 makes Android incredibly efficient, especially considering its application layer is 365 00:18:53.519 --> 00:18:57.559 largely Java based, and modern Android with sixty four bit 366 00:18:57.599 --> 00:19:01.160 support actually maintains both thirty two and sixty four bit 367 00:19:01.279 --> 00:19:04.880 Zygo instances for compatibility with all the different apps out there. 368 00:19:04.920 --> 00:19:08.559 Oh that's clever. Okay, service manager's zygot. What about when 369 00:19:08.559 --> 00:19:09.279 things go wrong? 370 00:19:10.039 --> 00:19:13.119 Apps crash sometimes inevitably, Yes, yeah, and that's where debugger 371 00:19:13.200 --> 00:19:17.440 comes in. This is androids building crash reporting mechanism. Conceptually, 372 00:19:17.480 --> 00:19:19.880 it's similar to crash reporter on iOS. 373 00:19:19.480 --> 00:19:21.400 Or macOS, so it catches crashes. 374 00:19:21.599 --> 00:19:24.480 Yeah. When an application receives a fatal signal like a 375 00:19:24.519 --> 00:19:27.640 segmentation fault where it tries to access memory it shouldn't, 376 00:19:28.079 --> 00:19:31.400 or an the illegal instruction. Debuggered automatically steps in. It 377 00:19:31.440 --> 00:19:34.960 attaches to the feeling process, inspects its memory state, gathers 378 00:19:35.000 --> 00:19:37.680 information about the threads, registers and the call stack leading 379 00:19:37.759 --> 00:19:41.359 up to the crash. Okay, and then it generates a tombstone. 380 00:19:40.839 --> 00:19:43.720 At tombstone morbid name a. 381 00:19:43.640 --> 00:19:47.039 Little yeah, but it's basically a compact crash report. It 382 00:19:47.039 --> 00:19:50.519 gets saved in a specific directory, usually dated tombstones. It 383 00:19:50.519 --> 00:19:54.440 provides essential autopsy services what went wrong, where and maybe why, 384 00:19:54.799 --> 00:19:58.480 without needing to generate huge, multi megabyte core dump files, 385 00:19:58.960 --> 00:20:02.319 which just aren't practic on mobile devices with limited storage. 386 00:20:02.440 --> 00:20:04.640 So a quick summary of the crash scene. 387 00:20:04.400 --> 00:20:07.759 Exactly, very useful for developers and sometimes for power users 388 00:20:07.759 --> 00:20:08.880 trying to diagnose issues. 389 00:20:08.960 --> 00:20:10.680 Okay, one more critical demon. 390 00:20:11.039 --> 00:20:14.759 Let's talk about Installed. This demon is responsible for the 391 00:20:15.920 --> 00:20:19.759 rather intricate process of installing and removing application packages the 392 00:20:19.839 --> 00:20:20.759 APK files. 393 00:20:21.000 --> 00:20:23.000 You mean it just copies the APK file. 394 00:20:23.039 --> 00:20:25.480 Oh, it's much more than that. Installed sets up and 395 00:20:25.559 --> 00:20:29.799 maintains the complex directory structure needed for each app. For example, 396 00:20:30.039 --> 00:20:32.880 it creates the apps private data directory under data data, 397 00:20:33.119 --> 00:20:36.279 sets the correct Linux user ID and group ID ownership, 398 00:20:36.599 --> 00:20:40.279 and applies the right file permissions. It also handles placing 399 00:20:40.319 --> 00:20:43.680 the ATK itself maybe in data app and managing private 400 00:20:43.680 --> 00:20:45.000 app libraries. 401 00:20:44.559 --> 00:20:47.799