1 <html devsite> 2 <head> 3 <title>Block-Based OTAs</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p>You can enable block-based over-the-air (OTA) updates for new devices 27 running Android 5.0. OTA is the mechanism by which OEMs remotely update the 28 system partition of a device:</p> 29 <ul> 30 <li><b>Android 5.0</b> and later versions use block OTA updates to ensure that 31 each device uses the exact same partition. Instead of comparing individual 32 files and computing binary patches, block OTA handles the entire partition as 33 one file and computes a single binary patch, ensuring the resultant partition 34 contains exactly the intended bits. This allows the device system image to 35 achieve the same state via fastboot or OTA.</li> 36 <li><b>Android 4.4</b> and earlier versions used file OTA updates, which 37 ensured devices contained similar file contents, permissions, and modes, but 38 allowed metadata such as timestamps and the layout of the underlying storage 39 to vary between devices based on the update method.</li> 40 41 </ul> 42 <p>Because block OTA ensures that each device uses the same partition, it 43 enables the use of dm-verity to cryptographically sign the system partition. 44 For details on dm-verity, see 45 <a href="/security/verifiedboot/index.html">Verified Boot</a>. 46 </p> 47 48 <p class="note"><strong>Note:</strong> You must have a working block OTA 49 system before using dm-verity.</p> 50 51 <h2 id="Recommendations">Recommendations</h2> 52 53 <p>For devices launching with Android 5.0 or later, use block OTA updates in 54 the factory ROM. To generate a block-based OTA for subsequent updates, pass 55 the <code>--block</code> option to <code>ota_from_target_files</code>.</p> 56 57 <p>For devices that launched with Android 4.4 or earlier, use file OTA 58 updates. While it is possible to transition devices by sending a full block 59 OTA of Android 5.0 or later, it requires sending out a full OTA that is 60 significantly larger than an incremental OTA (and is therefore discouraged). 61 </p> 62 63 <p>Because dm-verity requires bootloader support found only in new devices 64 shipping with Android 5.0 or later, you <i>cannot</i> enable dm-verity for 65 existing devices.</p> 66 67 <p>Developers working on the Android OTA system (the recovery image and the 68 scripts that generate OTAs) can keep up with changes by subscribing to the 69 <a href="https://groups.google.com/forum/#!forum/android-ota">android-ota (a] googlegroups.com</a> 70 mailing list.</p> 71 72 <h2 id="File vs. Block OTAs">File vs. Block OTAs</h2> 73 74 <p>During a file-based OTA, Android attempts to change the contents of the 75 system partition at the filesystem layer (on a file-by-file basis). The update 76 is not guaranteed to write files in a consistent order, have a consistent last 77 modified time or superblock, or even place the blocks in the same location on 78 the block device. For this reason, file-based OTAs fail on a dm-verity-enabled 79 device; after the OTA attempt, the device does not boot.</p> 80 <p>During a block-based OTA, Android serves the device the difference between 81 the two block images (rather than two sets of files). The update checks a 82 device build against the corresponding build server at the block level (below 83 the filesystem) using one of the following methods:</p> 84 <ul> 85 <li><b>Full update</b>. Copying the full system image is simple and makes 86 patch generation easy but also generates large images that can make applying 87 patches expensive.</li> 88 <li><b>Incremental update</b>. Using a binary differ tool generates smaller 89 images and makes patch application easy, but is memory-intensive when 90 generating the patch itself.</li> 91 </ul> 92 93 <p class="note"><strong>Note:</strong> <code>adb fastboot</code> places the 94 exact same bits on the device as a full OTA, so flashing is compatible with 95 block OTA.</p> 96 97 <h3 id="Unmodified Systems">Updating unmodified systems</h3> 98 99 <p>For devices with <i>unmodified</i> system partitions running Android 5.0, 100 the download and install process for a block OTA remains the same as for a 101 file OTA. However, the OTA update itself might include one or more of the 102 following differences:</p> 103 <ul> 104 <li><b>Download size</b>. Full block OTA updates are approximately the same 105 size as full file OTA updates, and incremental updates can be just a few 106 megabytes larger.</p> 107 108 <img src="../images/ota_size_comparison.png" alt="comparison of OTA sizes"> 109 110 <p class="img-caption"><strong>Figure 1.</strong> Compare Nexus 6 OTA sizes 111 between Android 5.0 and Android 5.1 releases (varying target build changes)</p> 112 113 <p>In general, incremental block OTA updates are larger than incremental file 114 OTA updates due to:</p> 115 <ul> 116 <li><i>Data preservation</i>. Block-based OTAs preserve more data (file 117 metadata, dm-verity data, ext4 layout, etc.) than file-based OTA.</li> 118 <li><i>Computation algorithm differences</i>. In a file OTA update, if a file 119 path is identical in both builds, the OTA package contains no data for that 120 file. In a block OTA update, determining little or no change in a file depends 121 on the quality of the patch computation algorithm and layout of file data in 122 both source and target system.</li> 123 </ul> 124 </li> 125 <li><b>Sensitivity to faulty flash and RAM</b>. If a file is corrupted, a file 126 OTA succeeds as long as it doesn't touch the corrupted file, but a block OTA 127 fails if it detects any corruption on the system partition.</li> 128 </ul> 129 130 <h3 id="Modified Systems">Updating modified systems</h3> 131 <p>For devices with <i>modified</i> system partitions running Android 5.0:</p> 132 <ul> 133 <li><b>Incremental block OTA updates fail</b>. A system partition might be 134 modified during an <code>adb remount</code> or as a result of malware. File 135 OTA tolerates some changes to the partition, such as the addition of files 136 that are not part of the source or target build. However, block OTA does not 137 tolerate additions to the partition, so users will need to install a full OTA 138 overwriting any system partition modifications) or flash a new system image to 139 enable future OTAs.</li> 140 <li><b>Attempts to change modified files cause update failure</b>. For both 141 file and block OTA updates, if the OTA attempts to change a file that has been 142 modified, the OTA update fails.</li> 143 <li><b>Attempts to access modified files generate errors </b><i>(dm-verity 144 only)</i>. For both file and block OTA updates, if dm-verity is enabled and 145 the OTA attempts to access modified parts of the system filesystem, the OTA 146 generates an error.</li> 147 </ul> 148 149 </body> 150 </html> 151
