I am using the source code of version 4.2.2 as an example, which is also what my Nexus 4 is running.
reference adb source code: https://android.googlesource.com/platform/system/core/+/android-4.2.2_r1.2/adb/
another helpful article: http://blog.youkuaiyun.com/liranke/article/details/4999210
1. how does adb communicate with debugger
For the overview, visit: https://android.googlesource.com/platform/system/core/+/android-4.2.2_r1.2/adb/OVERVIEW.TXT
adb has 3 components:
(1) adb daemon (adbd): runs like a ghost, or daemon, at a very low level of the Android system. It listens on the debug port and communicates with jdwp.
(2) adb server: runs on the pc side, listens for client commands via local tcp packets, and communicates with adbd via tcp/ip or usb.
(3) adb client: this is the command-line adb tool in the Android SDK. When the client starts, it tries to communicate with the adb server, and creates one if it isn't running.
(4) ddms: another type of adb client which also communicates with the adb host, but with a gui and other functionality designed to assist the debugger.
(5) debugger: a user-friendly debugger, such as Eclipse.
|--------------|     |--------------------------------------------------------|
|   (device)   |     | (pc)           |---> adb client                        |
|     adbd     |<--->| adb server <---|---> ddms <---> debugger               |
|--------------|     |--------------------------------------------------------|
2. enabling adbd
In release mode, adbd is disabled by default.
https://android.googlesource.com/platform/system/core/+/android-4.2.2_r1.2/rootdir/init.rc, line 397.
# adbd is controlled via property triggers in init.<platform>.usb.rc
service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0
# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd
When the user enables USB debugging, somehow the following code is executed:
https://android.googlesource.com/platform/system/core/+/android-4.2.2_r1.2/init/init.c, line 89.
void notify_service_state(const char *name, const char *state)
{
    char pname[PROP_NAME_MAX];
    int len = strlen(name);
    if ((len + 10) > PROP_NAME_MAX)
        return;
    snprintf(pname, sizeof(pname), "init.svc.%s", name);
    property_set(pname, state);
}
And the init.svc.adbd property is set to 1.
3. communication port
Both adbd and the server use port 5037 to communicate, except that when adbd and the server are both running on the same device, the adb server uses 5038 instead.
https://android.googlesource.com/platform/system/core/+/android-4.2.2_r1.2/adb/adb.h, line 425.
#if ADB_HOST_ON_TARGET
/* adb and adbd are coexisting on the target, so use 5038 for adb
 * to avoid conflicting with adbd's usage of 5037
 */
# define DEFAULT_ADB_PORT 5038
#else
# define DEFAULT_ADB_PORT 5037
#endif
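The client-to-server leg from section 1 runs over the port defined above, and OVERVIEW.TXT describes its framing: a 4-hex-digit length followed by the request, answered with OKAY or FAIL. The following C code is an added example, not taken from the adb source or the original post; it frames a request and validates a payload-carrying reply (such as the one to host:version), and the function names adb_frame_request, adb_parse_reply and hex4 are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: frame a request as 4 hex digits of length plus the
 * service string. Returns bytes written, or -1 if it cannot be framed. */
int adb_frame_request(const char *service, char *out, size_t outsz)
{
    size_t len = strlen(service);
    if (len == 0 || len > 0xffff || outsz < len + 5)
        return -1;
    return snprintf(out, outsz, "%04zx%s", len, service);
}

/* Decode exactly four hex digits; -1 if any byte is not a hex digit. */
static long hex4(const char *p)
{
    long v = 0;
    for (int i = 0; i < 4; i++) {
        int c = tolower((unsigned char)p[i]);
        if (!isxdigit(c))
            return -1;
        v = v * 16 + (isdigit(c) ? c - '0' : c - 'a' + 10);
    }
    return v;
}

/* Hypothetical helper: parse "OKAY"/"FAIL" + 4-hex-digit length + payload.
 * Returns 1 (OKAY), 0 (FAIL), -1 if truncated or malformed. No NUL added. */
int adb_parse_reply(const char *buf, size_t n, const char **payload, size_t *plen)
{
    int ok = n >= 8 && memcmp(buf, "OKAY", 4) == 0;
    if (n < 8 || (!ok && memcmp(buf, "FAIL", 4) != 0))
        return -1;
    long len = hex4(buf + 4);
    if (len < 0 || (size_t)len > n - 8)
        return -1; /* never trust a length larger than what was received */
    *payload = buf + 8;
    *plen = (size_t)len;
    return ok;
}

int main(void)
{
    char req[64];
    if (adb_frame_request("host:version", req, sizeof req) > 0)
        printf("send to 127.0.0.1:5037 -> %s\n", req);
    return 0;
}
```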
4. authentication
https://android.googlesource.com/platform/system/core/+/android-4.2.2_r1.2/adb/adb.c, line 1120.
property_get("ro.adb.secure", value, "0");
auth_enabled = !strcmp(value, "1");
if (auth_enabled)
    adb_auth_init();
It seems that starting from 4.2.2, for security reasons, the ro.adb.secure property is read-only and cannot be modified with setprop or by manually editing /default.prop, whether rooted or not, unless you modify the boot image to override its read-only property. (See http://stackoverflow.com/questions/15225991/android-4-2-2-rsa-disabling).
to be continued ...