Welcome back and thanks for hanging in there. It has been a surprisingly long road so far and we're not really very close to having the full picture. To say we've reached the half-way point might be valid though.
Today is where it really starts to get interesting. It is time to really get into what is going on.
Let's recap. We explored the outside from a consumer and general user's view (2, 3). We applied some common network and system admin skills and identified what the Nexus is sending to the world over the network and tried to get in from over the network but found no doors open or ears listening (5). Then we explored the inside by using the developer interface to enable a text based command interface and found a lot of files and commands that were familiar to a *nix admin (6).
Now we're going to take a peek into what the Nexus is doing.
What is causing that to do that?
For us to get the rest of the picture and start to consider what we need and don't need, we have to know what pieces of code are causing all those phenomena we've been experiencing. Since this is Linux based, let's start with a few common command line tools.
To check out the full list of processes on a Linix system, ps is the command to use. There are a lot of flags available and some *nixes take different ones to get the complete view. However, the first thing I noticed is that ps by itself doesn't give me just my processes—which it usually does if you didn't know. So I tried ps aux which commonly gives all the processes and got the same output. Ok...so that's interesting but not terribly.
Snapshots
Now we'll see what we can capture as the Nexus boots and see if we can figure out the order of things. A short looping script to run “adb shell ps” and export it to a file should give us some useful info. We'll also want to use the highest time reporting to ensure we know when something starts.
After a little cleanup, here is a time order view showing all the process running from as soon as adb could connect to when the login screen appeared—which is when I stopped capturing.
|
TIME
|
NANOSECONDS
|
USER
|
PID
|
PPID
|
VSIZE
|
RSS
|
PROCESS
|
|
15:43:17
|
359293944
|
root
|
1
|
0
|
684
|
544
|
/init
|
|
15:43:17
|
359293944
|
root
|
2
|
0
|
0
|
0
|
kthreadd
|
|
15:43:17
|
359293944
|
root
|
3
|
2
|
0
|
0
|
ksoftirqd/0
|
|
15:43:17
|
359293944
|
root
|
4
|
2
|
0
|
0
|
kworker/0:0
|
|
15:43:17
|
359293944
|
root
|
5
|
2
|
0
|
0
|
kworker/u:0
|
|
15:43:17
|
359293944
|
root
|
6
|
2
|
0
|
0
|
migration/0
|
|
15:43:17
|
359293944
|
root
|
16
|
2
|
0
|
0
|
khelper
|
|
15:43:17
|
359293944
|
root
|
17
|
2
|
0
|
0
|
suspend_sys_syn
|
|
15:43:17
|
359293944
|
root
|
18
|
2
|
0
|
0
|
suspend
|
|
15:43:17
|
359293944
|
root
|
19
|
2
|
0
|
0
|
kworker/0:1
|
|
15:43:17
|
359293944
|
root
|
23
|
2
|
0
|
0
|
irq/203-msmdata
|
|
15:43:17
|
359293944
|
root
|
24
|
2
|
0
|
0
|
sync_supers
|
|
15:43:17
|
359293944
|
root
|
25
|
2
|
0
|
0
|
bdi-default
|
|
15:43:17
|
359293944
|
root
|
26
|
2
|
0
|
0
|
kblockd
|
|
15:43:17
|
359293944
|
root
|
27
|
2
|
0
|
0
|
msm_slim_ctrl_r
|
|
15:43:17
|
359293944
|
root
|
28
|
2
|
0
|
0
|
khubd
|
|
15:43:17
|
359293944
|
root
|
29
|
2
|
0
|
0
|
irq/84-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
30
|
2
|
0
|
0
|
irq/84-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
31
|
2
|
0
|
0
|
irq/96-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
32
|
2
|
0
|
0
|
irq/96-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
33
|
2
|
0
|
0
|
irq/94-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
34
|
2
|
0
|
0
|
irq/94-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
35
|
2
|
0
|
0
|
irq/92-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
36
|
2
|
0
|
0
|
irq/92-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
37
|
2
|
0
|
0
|
irq/100-msm_iom
|
|
15:43:17
|
359293944
|
root
|
38
|
2
|
0
|
0
|
irq/100-msm_iom
|
|
15:43:17
|
359293944
|
root
|
39
|
2
|
0
|
0
|
irq/86-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
40
|
2
|
0
|
0
|
irq/86-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
41
|
2
|
0
|
0
|
irq/90-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
42
|
2
|
0
|
0
|
irq/90-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
43
|
2
|
0
|
0
|
irq/88-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
44
|
2
|
0
|
0
|
irq/102-msm_iom
|
|
15:43:17
|
359293944
|
root
|
45
|
2
|
0
|
0
|
irq/102-msm_iom
|
|
15:43:17
|
359293944
|
root
|
46
|
2
|
0
|
0
|
irq/98-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
47
|
2
|
0
|
0
|
irq/98-msm_iomm
|
|
15:43:17
|
359293944
|
root
|
48
|
2
|
0
|
0
|
irq/243-msm_iom
|
|
15:43:17
|
359293944
|
root
|
49
|
2
|
0
|
0
|
irq/243-msm_iom
|
|
15:43:17
|
359293944
|
root
|
50
|
2
|
0
|
0
|
irq/269-msm_iom
|
|
15:43:17
|
359293944
|
root
|
51
|
2
|
0
|
0
|
irq/269-msm_iom
|
|
15:43:17
|
359293944
|
root
|
52
|
2
|
0
|
0
|
l2cap
|
|
15:43:17
|
359293944
|
root
|
53
|
2
|
0
|
0
|
a2mp
|
|
15:43:17
|
359293944
|
root
|
54
|
2
|
0
|
0
|
cfg80211
|
|
15:43:17
|
359293944
|
root
|
55
|
2
|
0
|
0
|
rpciod
|
|
15:43:17
|
359293944
|
root
|
56
|
2
|
0
|
0
|
modem_notifier
|
|
15:43:17
|
359293944
|
root
|
57
|
2
|
0
|
0
|
smd_channel_clo
|
|
15:43:17
|
359293944
|
root
|
58
|
2
|
0
|
0
|
smsm_cb_wq
|
|
15:43:17
|
359293944
|
root
|
59
|
2
|
0
|
0
|
kworker/u:1
|
|
15:43:17
|
359293944
|
root
|
60
|
2
|
0
|
0
|
qmi
|
|
15:43:17
|
359293944
|
root
|
61
|
2
|
0
|
0
|
nmea
|
|
15:43:17
|
359293944
|
root
|
62
|
2
|
0
|
0
|
msm_ipc_router
|
|
15:43:17
|
359293944
|
root
|
63
|
2
|
0
|
0
|
apr_driver
|
|
15:43:17
|
359293944
|
root
|
64
|
2
|
0
|
0
|
kswapd0
|
|
15:43:17
|
359293944
|
root
|
65
|
2
|
0
|
0
|
fsnotify_mark
|
|
15:43:17
|
359293944
|
root
|
66
|
2
|
0
|
0
|
nfsiod
|
|
15:43:17
|
359293944
|
root
|
67
|
2
|
0
|
0
|
cifsiod
|
|
15:43:17
|
359293944
|
root
|
68
|
2
|
0
|
0
|
crypto
|
|
15:43:17
|
359293944
|
root
|
83
|
2
|
0
|
0
|
mdp_dma_wq
|
|
15:43:17
|
359293944
|
root
|
84
|
2
|
0
|
0
|
mdp_vsync_wq
|
|
15:43:17
|
359293944
|
root
|
85
|
2
|
0
|
0
|
mdp_pipe_ctrl_w
|
|
15:43:17
|
359293944
|
root
|
86
|
2
|
0
|
0
|
mdp_cursor_ctrl
|
|
15:43:17
|
359293944
|
root
|
87
|
2
|
0
|
0
|
msmfb_commit_th
|
|
15:43:17
|
359293944
|
root
|
88
|
2
|
0
|
0
|
hdmi_hdcp
|
|
15:43:17
|
359293944
|
root
|
89
|
2
|
0
|
0
|
irq/111-hdmi_ms
|
|
15:43:17
|
359293944
|
root
|
90
|
2
|
0
|
0
|
dtv_work
|
|
15:43:17
|
359293944
|
root
|
91
|
2
|
0
|
0
|
msmfb_commit_th
|
|
15:43:17
|
359293944
|
root
|
92
|
2
|
0
|
0
|
vidc_worker_que
|
|
15:43:17
|
359293944
|
root
|
93
|
2
|
0
|
0
|
vidc_timer_wq
|
|
15:43:17
|
359293944
|
root
|
94
|
2
|
0
|
0
|
smux_notify_wq
|
|
15:43:17
|
359293944
|
root
|
95
|
2
|
0
|
0
|
smux_tx_wq
|
|
15:43:17
|
359293944
|
root
|
96
|
2
|
0
|
0
|
smux_rx_wq
|
|
15:43:17
|
359293944
|
root
|
97
|
2
|
0
|
0
|
smux_loopback_w
|
|
15:43:17
|
359293944
|
root
|
98
|
2
|
0
|
0
|
diag_wq
|
|
15:43:17
|
359293944
|
root
|
99
|
2
|
0
|
0
|
hsic_diag_wq
|
|
15:43:17
|
359293944
|
root
|
100
|
2
|
0
|
0
|
hsic_2_diag_wq
|
|
15:43:17
|
359293944
|
root
|
101
|
2
|
0
|
0
|
smux_diag_wq
|
|
15:43:17
|
359293944
|
root
|
102
|
2
|
0
|
0
|
diag_cntl_wq
|
|
15:43:17
|
359293944
|
root
|
103
|
2
|
0
|
0
|
diag_dci_wq
|
|
15:43:17
|
359293944
|
root
|
104
|
2
|
0
|
0
|
kgsl-3d0
|
|
15:43:17
|
359293944
|
root
|
105
|
2
|
0
|
0
|
anx7808_work
|
|
15:43:17
|
359293944
|
root
|
106
|
2
|
0
|
0
|
irq/295-anx7808
|
|
15:43:17
|
359293944
|
root
|
107
|
2
|
0
|
0
|
kworker/u:2
|
|
15:43:17
|
359293944
|
root
|
108
|
2
|
0
|
0
|
kworker/u:3
|
|
15:43:17
|
359293944
|
root
|
109
|
2
|
0
|
0
|
irq/330-wcd9xxx
|
|
15:43:17
|
359293944
|
root
|
110
|
2
|
0
|
0
|
spi_qsd.0
|
|
15:43:17
|
359293944
|
root
|
113
|
2
|
0
|
0
|
usbnet
|
|
15:43:17
|
359293944
|
root
|
114
|
2
|
0
|
0
|
smb345_wq
|
|
15:43:17
|
359293944
|
root
|
115
|
2
|
0
|
0
|
kworker/0:2
|
|
15:43:17
|
359293944
|
root
|
116
|
2
|
0
|
0
|
bq27541_battery
|
|
15:43:17
|
359293944
|
root
|
117
|
2
|
0
|
0
|
msm_otg_acok_wq
|
|
15:43:17
|
359293944
|
root
|
118
|
2
|
0
|
0
|
msm_otg_id_pin_
|
|
15:43:17
|
359293944
|
root
|
119
|
2
|
0
|
0
|
mdm_bridge
|
|
15:43:17
|
359293944
|
root
|
120
|
2
|
0
|
0
|
ks_bridge:1
|
|
15:43:17
|
359293944
|
root
|
121
|
2
|
0
|
0
|
ks_bridge:2
|
|
15:43:17
|
359293944
|
root
|
122
|
2
|
0
|
0
|
ks_bridge:3
|
|
15:43:17
|
359293944
|
root
|
123
|
2
|
0
|
0
|
ks_bridge:4
|
|
15:43:17
|
359293944
|
root
|
124
|
2
|
0
|
0
|
k_rmnet_mux_wor
|
|
15:43:17
|
359293944
|
root
|
125
|
2
|
0
|
0
|
f_mtp
|
|
15:43:17
|
359293944
|
root
|
126
|
2
|
0
|
0
|
file-storage
|
|
15:43:17
|
359293944
|
root
|
127
|
2
|
0
|
0
|
uether
|
|
15:43:17
|
359293944
|
root
|
128
|
2
|
0
|
0
|
kpsmoused
|
|
15:43:17
|
359293944
|
root
|
129
|
2
|
0
|
0
|
elan_wq
|
|
15:43:17
|
359293944
|
root
|
130
|
2
|
0
|
0
|
i2c_touchsensor
|
|
15:43:17
|
359293944
|
root
|
131
|
2
|
0
|
0
|
lid_wq
|
|
15:43:17
|
359293944
|
root
|
132
|
2
|
0
|
0
|
dvfs_test_workq
|
|
15:43:17
|
359293944
|
root
|
133
|
2
|
0
|
0
|
dbs_sync/0
|
|
15:43:17
|
359293944
|
root
|
134
|
2
|
0
|
0
|
dbs_sync/1
|
|
15:43:17
|
359293944
|
root
|
135
|
2
|
0
|
0
|
dbs_sync/2
|
|
15:43:17
|
359293944
|
root
|
136
|
2
|
0
|
0
|
dbs_sync/3
|
|
15:43:17
|
359293944
|
root
|
137
|
2
|
0
|
0
|
kinteractiveup
|
|
15:43:17
|
359293944
|
root
|
138
|
2
|
0
|
0
|
binder
|
|
15:43:17
|
359293944
|
root
|
139
|
2
|
0
|
0
|
mmcqd/0
|
|
15:43:17
|
359293944
|
root
|
140
|
2
|
0
|
0
|
kworker/u:4
|
|
15:43:17
|
359293944
|
root
|
141
|
2
|
0
|
0
|
detection
|
|
15:43:17
|
359293944
|
root
|
142
|
2
|
0
|
0
|
button_press
|
|
15:43:17
|
359293944
|
root
|
143
|
2
|
0
|
0
|
button_release
|
|
15:43:17
|
359293944
|
root
|
144
|
2
|
0
|
0
|
krfcommd
|
|
15:43:17
|
359293944
|
root
|
145
|
2
|
0
|
0
|
rq_stats
|
|
15:43:17
|
359293944
|
root
|
146
|
2
|
0
|
0
|
deferwq
|
|
15:43:17
|
359293944
|
root
|
147
|
1
|
600
|
328
|
/sbin/ueventd
|
|
15:43:17
|
359293944
|
root
|
149
|
2
|
0
|
0
|
jbd2/mmcblk0p22
|
|
15:43:17
|
359293944
|
root
|
150
|
2
|
0
|
0
|
ext4-dio-unwrit
|
|
15:43:17
|
359293944
|
root
|
153
|
2
|
0
|
0
|
flush-179:0
|
|
15:43:17
|
359293944
|
root
|
155
|
2
|
0
|
0
|
jbd2/mmcblk0p23
|
|
15:43:17
|
359293944
|
root
|
156
|
2
|
0
|
0
|
ext4-dio-unwrit
|
|
15:43:17
|
359293944
|
root
|
160
|
2
|
0
|
0
|
jbd2/mmcblk0p30
|
|
15:43:17
|
359293944
|
root
|
161
|
2
|
0
|
0
|
ext4-dio-unwrit
|
|
15:43:17
|
359293944
|
root
|
162
|
2
|
0
|
0
|
jbd2/mmcblk0p4-
|
|
15:43:17
|
359293944
|
root
|
163
|
2
|
0
|
0
|
ext4-dio-unwrit
|
|
15:43:17
|
359293944
|
root
|
169
|
2
|
0
|
0
|
IPCRTR
|
|
15:43:17
|
359293944
|
root
|
170
|
2
|
0
|
0
|
ipc_rtr_q6_ipcr
|
|
15:43:17
|
359293944
|
root
|
171
|
1
|
1428
|
4
|
/sbin/healthd
|
|
15:43:17
|
359293944
|
system
|
172
|
1
|
1000
|
180
|
/system/bin/servicemanager
|
|
15:43:17
|
359293944
|
root
|
173
|
1
|
4660
|
936
|
/system/bin/vold
|
|
15:43:17
|
359293944
|
root
|
175
|
1
|
9684
|
1072
|
/system/bin/netd
|
|
15:43:17
|
359293944
|
root
|
176
|
1
|
1028
|
240
|
/system/bin/debuggerd
|
|
15:43:17
|
359293944
|
system
|
177
|
1
|
82584
|
6124
|
/system/bin/surfaceflinger
|
|
15:43:17
|
359293944
|
root
|
178
|
1
|
806428
|
10884
|
zygote
|
|
15:43:17
|
359293944
|
drm
|
179
|
1
|
12472
|
4896
|
/system/bin/drmserver
|
|
15:43:17
|
359293944
|
media
|
180
|
1
|
19168
|
6352
|
/system/bin/mediaserver
|
|
15:43:17
|
359293944
|
install
|
181
|
1
|
988
|
220
|
/system/bin/installd
|
|
15:43:17
|
359293944
|
keystore
|
182
|
1
|
3352
|
1036
|
/system/bin/keystore
|
|
15:43:17
|
359293944
|
nobody
|
184
|
1
|
2124
|
320
|
/system/bin/rmt_storage
|
|
15:43:17
|
359293944
|
radio
|
185
|
1
|
3344
|
512
|
/system/bin/bridgemgrd
|
|
15:43:17
|
359293944
|
root
|
187
|
1
|
22844
|
680
|
/system/bin/thermald
|
|
15:43:17
|
359293944
|
root
|
188
|
1
|
7220
|
492
|
/system/bin/mpdecision
|
|
15:43:17
|
359293944
|
root
|
232
|
2
|
0
|
0
|
migration/1
|
|
15:43:17
|
359293944
|
root
|
233
|
2
|
0
|
0
|
kworker/1:0
|
|
15:43:17
|
359293944
|
root
|
234
|
2
|
0
|
0
|
ksoftirqd/1
|
|
15:43:17
|
359293944
|
root
|
235
|
2
|
0
|
0
|
kworker/1:1
|
|
15:43:17
|
359293944
|
root
|
241
|
2
|
0
|
0
|
migration/2
|
|
15:43:17
|
359293944
|
root
|
242
|
2
|
0
|
0
|
kworker/2:0
|
|
15:43:17
|
359293944
|
root
|
243
|
2
|
0
|
0
|
ksoftirqd/2
|
|
15:43:17
|
359293944
|
root
|
246
|
2
|
0
|
0
|
kworker/2:1
|
|
15:43:17
|
359293944
|
root
|
251
|
1
|
7436
|
736
|
/system/bin/sensors.qcom
|
|
15:43:17
|
359293944
|
media_rw
|
252
|
1
|
3500
|
192
|
/system/bin/sdcard
|
|
15:43:17
|
359293944
|
camera
|
253
|
1
|
4168
|
2064
|
/system/bin/mm-qcamera-daemon
|
|
15:43:17
|
359293944
|
system
|
254
|
1
|
2120
|
320
|
/system/bin/qseecomd
|
|
15:43:17
|
359293944
|
system
|
266
|
254
|
4220
|
464
|
/system/bin/qseecomd
|
|
15:43:17
|
359293944
|
graphics
|
412
|
1
|
57656
|
9432
|
/system/bin/bootanimation
|
|
15:43:17
|
546492120
|
nobody
|
251
|
1
|
10548
|
768
|
/system/bin/sensors.qcom
|
|
15:43:17
|
546492120
|
root
|
558
|
2
|
0
|
0
|
workqueue_trust
|
|
15:43:17
|
895549287
|
nobody
|
178
|
1
|
806756
|
20600
|
zygote
|
|
15:43:18
|
898707929
|
root
|
582
|
2
|
0
|
0
|
migration/2
|
|
15:43:18
|
898707929
|
root
|
583
|
2
|
0
|
0
|
kworker/2:0
|
|
15:43:18
|
898707929
|
root
|
584
|
2
|
0
|
0
|
ksoftirqd/2
|
|
15:43:18
|
898707929
|
root
|
585
|
2
|
0
|
0
|
kworker/2:1
|
|
15:43:21
|
234274834
|
root
|
636
|
2
|
0
|
0
|
workqueue_trust
|
|
15:43:21
|
908599062
|
system
|
648
|
178
|
871096
|
25220
|
system_server
|
|
15:43:25
|
569727478
|
root
|
769
|
2
|
0
|
0
|
kworker/1:2
|
|
15:43:26
|
64553600
|
u0_a12
|
789
|
178
|
867380
|
23504
|
com.android.systemui
|
|
15:43:26
|
64553600
|
root
|
803
|
2
|
0
|
0
|
migration/2
|
|
15:43:26
|
64553600
|
root
|
804
|
2
|
0
|
0
|
kworker/2:0
|
|
15:43:26
|
64553600
|
root
|
805
|
2
|
0
|
0
|
ksoftirqd/2
|
|
15:43:26
|
64553600
|
root
|
806
|
2
|
0
|
0
|
migration/3
|
|
15:43:26
|
64553600
|
root
|
807
|
2
|
0
|
0
|
kworker/3:0
|
|
15:43:26
|
64553600
|
root
|
808
|
2
|
0
|
0
|
ksoftirqd/3
|
|
15:43:26
|
64553600
|
root
|
809
|
2
|
0
|
0
|
kworker/2:1
|
|
15:43:26
|
64553600
|
root
|
812
|
2
|
0
|
0
|
kworker/3:1
|
|
15:43:26
|
263419881
|
root
|
855
|
2
|
0
|
0
|
WD_Thread
|
|
15:43:26
|
263419881
|
root
|
856
|
2
|
0
|
0
|
MC_Thread
|
|
15:43:26
|
263419881
|
root
|
857
|
2
|
0
|
0
|
TX_Thread
|
|
15:43:26
|
263419881
|
root
|
858
|
2
|
0
|
0
|
RX_Thread
|
|
15:43:26
|
551881004
|
u0_a3
|
874
|
178
|
867440
|
25056
|
android.process.acore
|
|
15:43:26
|
551881004
|
root
|
886
|
2
|
0
|
0
|
workqueue_trust
|
|
15:43:26
|
551881004
|
root
|
891
|
175
|
1048
|
404
|
/system/bin/ip6tables
|
|
15:43:26
|
661506467
|
root
|
894
|
2
|
0
|
0
|
migration/3
|
|
15:43:26
|
661506467
|
root
|
895
|
2
|
0
|
0
|
kworker/3:2
|
|
15:43:26
|
661506467
|
root
|
896
|
2
|
0
|
0
|
ksoftirqd/3
|
|
15:43:26
|
661506467
|
root
|
901
|
2
|
0
|
0
|
kworker/3:0
|
|
15:43:26
|
661506467
|
root
|
902
|
1
|
856
|
168
|
/system/bin/logwrapper
|
|
15:43:26
|
661506467
|
wifi
|
904
|
902
|
3248
|
1256
|
/system/bin/wpa_supplicant
|
|
15:43:26
|
756267051
|
u0_a6
|
921
|
178
|
866428
|
21376
|
<pre-initialized>
|
|
15:43:26
|
947072530
|
u0_a53
|
942
|
178
|
868688
|
22788
|
com.google.android.inputmethod.latin
|
|
15:43:27
|
146857991
|
root
|
973
|
2
|
0
|
0
|
IPCRTR
|
|
15:43:27
|
146857991
|
root
|
974
|
2
|
0
|
0
|
ipc_rtr_smd_ipc
|
|
15:43:27
|
146857991
|
system
|
982
|
178
|
874604
|
23012
|
com.android.settings
|
|
15:43:27
|
232066522
|
u0_a71
|
1002
|
178
|
866428
|
21340
|
<pre-initialized>
|
|
15:43:27
|
232066522
|
radio
|
1014
|
178
|
866428
|
21344
|
<pre-initialized>
|
|
15:43:27
|
232066522
|
nfc
|
1024
|
178
|
866428
|
21352
|
<pre-initialized>
|
|
15:43:27
|
232066522
|
u0_a13
|
1042
|
178
|
866424
|
21092
|
<pre-initialized>
|
|
15:43:27
|
334578301
|
u0_a66
|
1059
|
178
|
866584
|
22368
|
com.android.printspooler
|
|
15:43:27
|
661882004
|
u0_a51
|
1102
|
178
|
870464
|
24100
|
com.google.android.keep
|
|
15:43:27
|
766677453
|
u0_a8
|
1136
|
178
|
866432
|
21776
|
<pre-initialized>
|
|
15:43:28
|
167879589
|
u0_a8
|
1161
|
178
|
879264
|
23628
|
com.google.android.gms
|
|
15:43:28
|
493332567
|
u0_a8
|
1186
|
178
|
882244
|
26976
|
com.google.process.location
|
|
15:43:29
|
65402242
|
u0_a33
|
1231
|
178
|
874576
|
23572
|
com.google.android.apps.currents
|
|
15:43:29
|
561481178
|
u0_a56
|
1271
|
178
|
874704
|
23096
|
com.google.android.apps.magazines
|
|
15:43:30
|
368523679
|
u0_a1
|
1346
|
178
|
866432
|
21928
|
com.android.providers.calendar
|
|
15:43:30
|
885314118
|
root
|
1415
|
2
|
0
|
0
|
workqueue_trust
|
|
15:43:30
|
998569441
|
root
|
1419
|
2
|
0
|
0
|
kworker/2:2
|
|
15:43:31
|
656901622
|
root
|
1434
|
2
|
0
|
0
|
migration/1
|
|
15:43:31
|
656901622
|
root
|
1435
|
2
|
0
|
0
|
kworker/1:0
|
|
15:43:31
|
656901622
|
root
|
1436
|
2
|
0
|
0
|
ksoftirqd/1
|
|
15:43:31
|
656901622
|
root
|
1437
|
2
|
0
|
0
|
migration/2
|
|
15:43:31
|
656901622
|
root
|
1438
|
2
|
0
|
0
|
kworker/2:0
|
|
15:43:31
|
656901622
|
root
|
1439
|
2
|
0
|
0
|
ksoftirqd/2
|
|
15:43:31
|
656901622
|
root
|
1440
|
2
|
0
|
0
|
migration/3
|
|
15:43:31
|
656901622
|
root
|
1441
|
2
|
0
|
0
|
kworker/3:0
|
|
15:43:31
|
656901622
|
root
|
1442
|
2
|
0
|
0
|
ksoftirqd/3
|
|
15:43:31
|
656901622
|
u0_a2
|
1443
|
178
|
869076
|
24068
|
com.google.android.configupdater
|
|
15:43:31
|
656901622
|
root
|
1457
|
2
|
0
|
0
|
kworker/1:1
|
|
15:43:31
|
656901622
|
root
|
1458
|
2
|
0
|
0
|
kworker/3:1
|
|
15:43:31
|
656901622
|
root
|
1459
|
2
|
0
|
0
|
kworker/2:1
|
|
15:43:31
|
758081527
|
u0_a10
|
1475
|
178
|
868048
|
23132
|
com.google.android.onetimeinitializer
|
|
15:43:31
|
758081527
|
u0_a11
|
1491
|
178
|
866824
|
23116
|
com.google.android.partnersetup
|
|
15:43:32
|
559882930
|
u0_a15
|
1542
|
178
|
866832
|
22528
|
com.google.android.nfcprovision
|
|
15:43:32
|
663882328
|
u0_a16
|
1557
|
178
|
875436
|
24880
|
com.android.vending
|
|
15:43:33
|
134494338
|
u0_a21
|
1614
|
178
|
884016
|
24628
|
com.google.android.googlequicksearchbox:search
|
|
15:43:33
|
346633815
|
u0_a29
|
1641
|
178
|
866428
|
21408
|
<pre-initialized>
|
|
15:43:33
|
734448704
|
root
|
1667
|
2
|
0
|
0
|
workqueue_trust
|
|
15:43:33
|
734448704
|
root
|
1669
|
2
|
0
|
0
|
workqueue_trust
|
|
15:43:34
|
835711371
|
root
|
1698
|
2
|
0
|
0
|
kworker/1:2
|
|
15:43:34
|
968920210
|
root
|
1699
|
2
|
0
|
0
|
migration/2
|
|
15:43:34
|
968920210
|
root
|
1700
|
2
|
0
|
0
|
kworker/2:0
|
|
15:43:34
|
968920210
|
root
|
1701
|
2
|
0
|
0
|
ksoftirqd/2
|
|
15:43:34
|
968920210
|
root
|
1704
|
2
|
0
|
0
|
kworker/2:1
|
|
15:43:35
|
177291750
|
root
|
1707
|
2
|
0
|
0
|
workqueue_trust
|
|
15:43:41
|
135705526
|
root
|
1811
|
2
|
0
|
0
|
flush-0:18
|
|
15:43:41
|
270104949
|
root
|
1812
|
2
|
0
|
0
|
migration/2
|
|
15:43:41
|
270104949
|
root
|
1813
|
2
|
0
|
0
|
kworker/2:0
|
|
15:43:41
|
270104949
|
root
|
1814
|
2
|
0
|
0
|
ksoftirqd/2
|
|
15:43:41
|
270104949
|
root
|
1815
|
2
|
0
|
0
|
migration/3
|
|
15:43:41
|
270104949
|
root
|
1816
|
2
|
0
|
0
|
kworker/3:0
|
|
15:43:41
|
270104949
|
root
|
1817
|
2
|
0
|
0
|
ksoftirqd/3
|
|
15:43:41
|
270104949
|
root
|
1818
|
2
|
0
|
0
|
kworker/2:1
|
|
15:43:41
|
270104949
|
root
|
1819
|
2
|
0
|
0
|
kworker/3:1
|
|
15:43:41
|
485537931
|
root
|
1829
|
2
|
0
|
0
|
workqueue_trust
|
|
15:43:42
|
604790805
|
root
|
1851
|
2
|
0
|
0
|
kworker/0:3
|
|
15:43:44
|
642309753
|
u0_a34
|
1880
|
178
|
870420
|
26048
|
com.google.android.deskclock
|
|
15:43:44
|
642309753
|
u0_a37
|
1897
|
178
|
868604
|
22812
|
com.google.android.email
|
|
15:43:44
|
963457016
|
u0_a38
|
1923
|
178
|
866432
|
21684
|
<pre-initialized>
|
|
15:43:45
|
60022508
|
u0_a41
|
1940
|
178
|
865364
|
21360
|
<pre-initialized>
|
|
15:43:45
|
364369450
|
root
|
1973
|
2
|
0
|
0
|
migration/2
|
|
15:43:45
|
364369450
|
root
|
1974
|
2
|
0
|
0
|
kworker/2:0
|
|
15:43:45
|
364369450
|
root
|
1975
|
2
|
0
|
0
|
ksoftirqd/2
|
|
15:43:45
|
364369450
|
root
|
1978
|
2
|
0
|
0
|
migration/3
|
|
15:43:45
|
364369450
|
root
|
1979
|
2
|
0
|
0
|
kworker/3:0
|
|
15:43:45
|
364369450
|
root
|
1980
|
2
|
0
|
0
|
ksoftirqd/3
|
|
15:43:45
|
364369450
|
u0_a49
|
1981
|
178
|
866400
|
21096
|
<pre-initialized>
|
|
15:43:45
|
364369450
|
root
|
1982
|
2
|
0
|
0
|
kworker/3:1
|
|
15:43:45
|
364369450
|
root
|
1987
|
2
|
0
|
0
|
kworker/2:1
|
|
15:43:45
|
758617071
|
u0_a72
|
2020
|
178
|
874812
|
25200
|
com.google.android.youtube
|
|
15:43:46
|
276984176
|
root
|
2079
|
2
|
0
|
0
|
workqueue_trust
|
|
15:43:46
|
504124932
|
root
|
2094
|
2
|
0
|
0
|
migration/3
|
|
15:43:46
|
504124932
|
root
|
2095
|
2
|
0
|
0
|
kworker/3:0
|
|
15:43:46
|
504124932
|
root
|
2096
|
2
|
0
|
0
|
ksoftirqd/3
|
|
15:43:46
|
504124932
|
root
|
2098
|
2
|
0
|
0
|
kworker/3:1
|
|
15:43:46
|
614772382
|
u0_a58
|
2101
|
178
|
873812
|
26008
|
com.google.android.music:main
|
|
15:43:46
|
722056695
|
root
|
2121
|
2
|
0
|
0
|
workqueue_trust
|
|
15:43:47
|
259060249
|
root
|
2154
|
2
|
0
|
0
|
workqueue_trust
|
Thoughts are good
A cursory analysis of the results
identifies a few interesting details to consider:
- There were 270 processes running by the time adb could connect and pull the first process list.
- Assuming Android uses the same process ID ordering scheme as Linix, there were 253 processes that started and died before I could access through adb.
- 2 processes start as root and change to nobody permissions. This is a technique used when a process needs to start in the context of root so it can access resources that only root can access (e.g. to start a network service below port 1024). It then switches to running as a less privileged userID to enable stronger security. The popular unix web server Apache does this to make the app less vulnerable to external attacks should the attack break through into the processes' user space. It will pay to investigate these processes if only to better understand why they need to be protected.
- There were 39 users running services or applications. 26 of the users were distinct. All except 18 of these were running distinctly different processes. The other 8 were running a process identified as “<pre-initialized>”. More research will be needed to see if this is really a file in the system or some state indicator like “defunct”.
- Netd starts one process, the ip6tables (IPv6 firewall). Initially I was thinking this would be the equivalent of inetd but the fact it is only running the IPv6 process is odd. Also interesting is that there is no iptables suggesting that the IP protocol baseline is IPv6. The historically more common IPv4 iptables is on the system though so we'll have to see what happens if we disable IPv6.
- A process called zygote appears to start all user space services. Except for 4 processes, all are the unique user processes. Zygote is one of the processes and starts as root. This makes sense since it starts the user processes. 2 of the other processes are running as the system user which is privileged and 2 are running as what I'm guessing are users with hardware privilege (nfc and radio). Judging by what I could capture in sequential captures of ps output, the zygote process does not start any processes in the time between when it starts as root and when it switches to running as nobody. The period between this switch is 536255343 nanoseconds and I pulled 4 ps outputs between the first instance including zygote (the first one) and the one with zygote's user context switched to nobody. So if it starts anything, the processes die very quickly. I will have to investigate the privileges nobody has in the system that might explain why it can start other processes outside it's own context. I don't expect much if the Linux architecture is similar enough. It more likely is a process that needs to start up other processes so it needs some ability to jump to or create other user contexts.
- qseecomd is running as the system user spawns a duplicate of itself. This isn't a common *nix process so will have to investigate this one.
- The logwrapper process (running as root) spawns the wpa_supplicant process. This is very interesting as I've typically only seen wpa_supplicant started by root via the init process so it runs independently.
- The kworker process has 4 unbounded threads and the rest are bound. It will be interesting to see if we can find more information on what these are actually doing.
- Nfsiod, rpciod and cifsiod are running. A search of the user accessible files does not identify any file system sharing capabilities though except mount which could be used to mount remote filesystems. My first thought is this has something to do with the rmt_storage process running as nobody. Since Android platforms typically have very little space to use it makes sense that there will have to be some remote storage protocols available. Will have to see what can be seen once I have root.
Conclusion – A lot still to unpack
Now we have solid confirmation that
this is a *nix based system based on the services it has in common
and the way it starts its functions. We found some processes that
suggest security features may be in play. We also found how blind
we really are by just using ps over adb so we need to find a better
way to see what is going on.
Next we will do just that through the
Dalvik
Debug Monitor Server.
Exit questions: What did you see that
I missed? What else would you have looked for?
No comments:
Post a Comment