Such a program can be side-loaded into the system at run time (which requires the shell privilege of adb but does not require root), and executed as a daemon process in the background, thus providing immense flexibility if you wish to access certain hidden system service interfaces. For example, Android Studio uses a similar shell program to perform its debugging and CPU/memory monitoring in practice.

Building a Java Shell

Writing Makefile

A normal Java shell program is easy to build in Android. All you need to do is write a simple Main.java file, and provide a main function there. Everything is exactly the same as you would do in building a Java program in PC/server platforms. To make the Java program, you’ll need an Android.mk (or Android.bp for higher Android versions), which should look like this:

# For Android.bp you can always use the androidmk tool provided by AOSP to convert the Android.mk file into bp file
LOCAL_PATH:= $(call my-dir)

include $(CLEAR_VARS)
LOCAL_SRC_FILES := $(call all-subdir-java-files)
LOCAL_MODULE := Mainlib
LOCAL_MODULE_STEM := Main
include $(BUILD_JAVA_LIBRARY)

Creating Android Context

In many cases, your Java program may need to interface with system services. To do this, your program should be more than a traditional Java program but possess an Android context. However, normally such a context is only accessible to an Android app. What you need to do is thus disguising your program as an app process (without loosing higher privileges).

To this end, you should first prepare a main looper upon start and acquire the system context. Note that you should also ensure that the main thread is still running when you use this context to acquire system services. The code should look like this.

public static void main(String[] args) {
    // Prepare the main looper
    Looper.prepareMainLooper();
    Context systemContext = ActivityThread.systemMain().getSystemContext();
    PackageManager packageManager = systemContext.getPackageManager();

    System.out.println("Hello World");

    // This ensures that the main thread keeps running
    // You can also execute your logic in a separate thread 
    // and wait for the thread to finish here, 
    // so that you don't need to call the loop() func
    Looper.loop();
}

Building

To build the Java program, you’ll need the compile utilities in Android source. Thus, it’s necessary that you build the program within AOSP’s code base. To this end, you’ll need first to download and build AOSP’s source code (see the instructions here). And put your Java source and Android.mk in the framework directory. The recommended directory is in frameworks/base/cmds where several built-in shell programs reside. Make your own sub-directory there and put everything in it. And then you can build the program by mmm frameworks/base/cmds/XXX, where XXX is your sub-directory for holding your source and makefile.

Executing the Java Program

To run the Java program you just build, you should write a shell program like this.

base=/data/local/tmp

mkdir /data/local/tmp/dalvik-cache
trap "" HUP
# com.example.hello should be replaced with your actual Java class
ANDROID_DATA=$base app_process -Djava.class.path=$base/classes.dex $base com.example.hello "$@"

Now push the shell script to your phone’s /data/local/tmp path. Then push the classes.dex in your Android build output path (out/target/common/obj/JAVA_LIBRARIES/Mainlib_intermediates) to your phone’s /data/local/tmp path as well. Next you should enter adb shell and chmod +x to grant your shell script the execution right. Finally you can execute the shell script to run the Java program. If you wish to execute your program as a daemon process in the background, you can use the following command to run the shell script.

setsid XXX.sh >/dev/null 2>&1 < /dev/null

Building a Native Shell

For a native shell, the steps should remain largely unchanged. One difference is the makefile, which should look like this now.

LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)

LOCAL_SRC_FILES:= \
	main.cpp

LOCAL_SHARED_LIBRARIES := \
	libbase \
	libutils \
	liblog \
    libcutils \
	libbinder

LOCAL_MODULE:= Main

LOCAL_MULTILIB := both
LOCAL_MODULE_STEM_32 := $(LOCAL_MODULE)32
LOCAL_MODULE_STEM_64 := $(LOCAL_MODULE)64

include $(BUILD_EXECUTABLE)

This makefile should allow building both 32-bit and 64-bit shell programs simultaneously. You can find the built binary (named Main32 and Main64) in out/target/product/generic_x86_64/system/bin . Note that depending on your AOSP lunch target, generic_x86_64 could be other paths.

This binary program does not require an additional shell script to execute. You can directly push the binary to /data/local/tmp and execute it there. To daemonize your program, you can simply call the daemon() function of Linux in your source.

Basic Environment

I test the debugging method in a Linux host environment running an Android emulator (both QEMU-KVM with Android-x86 and Google Android Emulator are fine).

For the host environment, you need to install both LLDB (sudo apt install -y lldb) and Android SDK (installed via Android Studio and the SDK commandline tool).

For the guest (i.e., emulators or real devices running your own Android OS) environment, it’s better if you have root access. No root access is also fine but you cannot debug via apps that are not debuggable. Of course, the guest OS should be compiled by you whose symbol files are thus available to you in the output path of the source base.

Guest Setup

1) Push the lldb-server executable in your Android SDK to the (emulated/real) device you wish to debug. The executable can be found in Sdk/ndk/${NDK_VERSION}/toolchains/llvm/prebuilt/linux-x86_64/lib64/clang/${clang VERSION}/lib/linux/x86_64 as long as you have installed NDK in your SDK path (select NDK in your SDK management page in Android Studio). To push the executable, use the following command:

adb push lldb-server /data/local/tmp

2) Type the following commands to start the server and listens to a unix socket for connections:

adb root # if your device has root access
adb shell "chmod 777 /data/local/tmp/lldb-server"
adb shell "/data/local/tmp/lldb-server p --server --listen unix-abstract:///data/local/tmp/debug.sock"

3) For native components, we are either dealing with a native executable, e.g., a native system service, or a native library. For the former, you can directly obtain its process ID (PID) via top or ps. For the latter, you need to run an app that uses the library and acquire the app’s PID. This post focuses on the latter case.

4) Attaching the debugger to an already running app will be detailed later. Here we’ll first look at how to pause an app process’ startup before the LLDB debugger is attached to it.

This is useful when the component you wish to debug is still quite buggy and can easily crash the app before the debugger can even attach. The Android developer blog gives a detailed introduction of how to realize this via the jdb Java debugger. You can find it here.

An important note is that the jdb attach command will not work if your Android Studio is also running. Because Android Studio continuously monitors and preempts any available jdb connections, rendering your connection attempts useless.

Also, naturally, to realize pausing before LLDB attaching, you should always attach jdb (and let the app continues in the Java layer) after LLDB is attached (to be detailed later).

Host Setup

At the host side, you should have an Android/AOSP code base which matches the Android OS run in your guest machine.

1) Open the Android code base using VS Code.

2) Install the CodeLLDB extension in your VS Code.

3) Click the Run tab of VS Code, select Add configuration, and select LLDB. This will create a launch.json file in your .vscode folder. Replace its content as follows

{
"configurations": [
{
    "initCommands": [
        "settings append target.exec-search-paths ${ANDROID_SRC}/out/target/product/x86_64/symbols/system/lib64/ ${ANDROID_SRC}/out/target/product/x86_64/symbols/system/lib64/hw ${ANDROID_SRC}/out/target/product/x86_64/symbols/system/lib64/egl ${ANDROID_SRC}/out/target/product/x86_64/symbols/system/lib64/extractors ${ANDROID_SRC}/out/target/product/x86_64/symbols/system/vendor/lib64/ ${ANDROID_SRC}/out/target/product/x86_64/symbols/system/vendor/lib64/hw ${ANDROID_SRC}/out/target/product/x86_64/symbols/system/vendor/lib64/egl ${ANDROID_SRC}/out/target/product/x86_64/symbols/system/vendor/lib64/dri ${ANDROID_SRC}/out/target/product/x86_64/symbols/system/vendor/lib64/extractors ${ANDROID_SRC}/out/target/product/x86_64/symbols/system/vendor/lib64/mediacas ${ANDROID_SRC}/out/target/product/x86_64/symbols/system/vendor/lib64/mediadrm ${ANDROID_SRC}/out/target/product/x86_64/symbols/system/vendor/lib64/soundfx",
        "platform select remote-android", 
        "platform connect unix-abstract-connect:///data/local/tmp/debug.sock",
    ], 
    // Map the current path to the Android code base
    "sourceMap": {
        "": "${ANDROID_SRC}", 
        "/b/f/w": "${ANDROID_SRC}", 
        ".": "${ANDROID_SRC}"
    }, 
    "pid": ${PID}, 
    "name": "Remote Android Debug", 
    "relativePathBase": "${ANDROID_SRC}", 
    "request": "attach", 
    "type": "lldb"
}
]
}

where ${ANDROID_SRC} is the path to your Android code base and ${PID} is the process ID of the process you wish to debug. Also, note that the target.exec-search-paths appended in the initCommands are not always the same for different Android versions. You need to check the paths and see if they actually exist, and whether there’re missing folders that are not included.

4) Click the debug button of VS Code to begin debugging. Remember to change the ${PID} for different debuggees.

5) Once the LLDB is attached, your can attach jdb to let the app continue execution. Now you are put breakpoints anywhere in VS Code to realize step debugging.

The solution I use is based on Magisk, which enables patching the readonly system partition and modifies system properties to turn on VoLTE/ViLTE. This method does not require flashing a new Android image, therefore is ready-to-use for stock Pixel devices. However, if you’re interested in building an Android image from source with VoLTE/ViLTE enabled by default, the required steps will also be discussed in the post.

I’ll use a Pixel 3 XL running Android 11 as an example throughout the post. Though the method should be generalizable to other Pixel models and Android versions.

Enable VoLTE/ViLTE with Magisk

Magisk enables systemless root and thus provide a means to modifying the readonly system partition and many system properties. Follow the steps below to install Magisk on your Pixel device and make your own patch to turn on VoLTE/ViLTE.

Magisk Installation

To install Magisk, first make sure you can get your hands on your Pixel’s boot.img image. To this end, I recommend that you download and flash a factory image of your Pixel following the instructions here. After downloading the factory image, you should extract the boot.img file from the image-XXX.zip archive. Once you finish flashing the factory image, install the Magisk app provided here on your Pixel. Then use adb push to send the boot.img file extracted above to your phone’s /sdcard directory (or any writable directory as you see fit). Next open the Magisk app, click install, select Select and Patch a File, and then select the boot.img file sent to the phone to begin installation. Now reboot your device and you’re all set.

Making Magisk Patch

With the above steps, you should be able to see that Magisk is installed and enabled on the device. The next step would be to make a Magisk patch that can be installed to the system through Magisk. I provide an example for Pixel 3 XL in this GitHub [repo] (https://github.com/andylin-hao/Pixel-VoLTE-Patch). Generally, the patch involve modifying system properties and Qualcomm’s mbn component. For system properties, the corresponding modifications are shown in the common/system.prop file of the GitHub repo, which are (inspired by voltenabler)

# Debug Options
persist.dbg.ims_volte_enable=1
persist.dbg.volte_avail_ovr=1
persist.dbg.vt_avail_ovr=1
persist.dbg.wfc_avail_ovr=1

# Data Options
persist.data.iwlan.enable=true
persist.data.iwlan=1
persist.data.iwlan.ipsec.ap=1

# Radio Options
persist.radio.volte.dan_support=true
persist.radio.rat_on=combine
persist.radio.data_ltd_sys_ind=1
persist.radio.data_con_rprt=1
persist.radio.calls.on.ims=1
persist.radio.VT_ENABLE=1

# Other Options
persist.sys.cust.lte_config=true
persist.rcs.supported=1

Apart from system properties, /system/vendor/rfs/msm/mpss/readonly/vendor/mbn/mcfg_sw/mbn_sw.txt should also be modified to include Chinese operators. For example, if you are using a China Unicom SIM card, just add the following to the mbn_sw.txt file.

mcfg_sw/generic/China/CU/Commercial/OpenMkt/mcfg_sw.mbn
mcfg_sw/generic/China/CU/Commercial/VoLTE/mcfg_sw.mbn
mcfg_sw/generic/China/CU/Lab/Test/mcfg_sw.mbn

However, for different devices, the mcfg_sw.mbn files may not lie in the same paths. You should extract the whole mcfg_sw folder from your own phone (which can be found in the same path, i.e., /system/vendor/rfs/msm/mpss/readonly/vendor/mbn/mcfg_sw/ in the phone) and modify the mbn_sw.txt file in the folder according to the mcfg_sw.mbn files included in your generic folder. Also, the mcfg_sw.mbn files provided in my repo are extracted from Pixel 3 XL and not tested on other devices. You should always extract the mcfg_sw.mbn files from your own device, and replace the corresponding mcfg_sw.mbn files in my repo with your own mcfg_sw.mbn files.

Patch Installation

Compress the repo into a zip archive and push it to your device. Open Magisk, click Modules, and install the zip archive you just push. Now reboot, you should see that VoLTE/ViLTE are enabled in your data connection settings. You can also check this by typing *#*#4636#*#* in your Dialer app. However, although everything seems to be on, you may still fail to connect when initializing a video call. This is because you still do not have an ims APN. You should manually add an ims APN in your data connection settings. To do this, fill the Name, APN, APN Type fields with ims, APN protocol filed with IPV4/IPV6, APN roaming protocol field with IPV4, and the other fields as default. Turn on/off airplane mode, and you should be able to make a video call now.

Enable VoLTE/ViLTE when Building an Android Image

When building Android from source, you should be able to do similar modifications to your built images. I’ve successfully done this with LineageOS, but am still working to port to AOSP. For LineageOS, the steps are quite simple. First, modify the device.mk file of your Pixel model and add the above system properties. Next, modify the mbn_sw.txt in the vendor folder (LineageOS will extract this file from your device as well before building).

Prior methods of enable_nativebridge no longer works on Android 8+ of Android-x86 due to missing libraries for downloads. Fortunately, BlissOS has provided an alternative solution by extracting the Houdini libraries from ChromeOS. Here’s how it’s done.

1) Create a vendor/google folder at the root directory if necessary, and run git clone https://github.com/BlissRoms-x86/android_vendor_google_chromeos-x86 vendor/google/chromeos-x86

2) Add the following to device/generic/common/BoardConfig.mk.

  BOARD_SEPOLICY_DIRS += vendor/google/chromeos-x86/sepolicy
  -include vendor/google/chromeos-x86/board/native_bridge_arm_on_x86.mk

3) Remove the hal_drm_widevine.te file at device/generic/common/sepolicy/nonplat.

4) Add the following to device/generic/common/device.mk.

  $(call inherit-product-if-exists, vendor/google/chromeos-x86/target/houdini.mk)
  $(call inherit-product-if-exists, vendor/google/chromeos-x86/target/native_bridge_arm_on_x86.mk)
  $(call inherit-product-if-exists, vendor/google/chromeos-x86/target/widevine.mk)

5) Modify device/generic/common/nativebridge/nativebridge.mk to the following.

  #
  # Copyright (C) 2015 The Android-x86 Open Source Project
  #
  # Licensed under the GNU General Public License Version 2 or later.
  # You may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #      http://www.gnu.org/licenses/gpl.html
  #
  
  # Enable native bridge
  WITH_NATIVE_BRIDGE := true
  
  # Native Bridge ABI List
  NATIVE_BRIDGE_ABI_LIST_32_BIT := armeabi-v7a armeabi
  NATIVE_BRIDGE_ABI_LIST_64_BIT := arm64-v8a
  NATIVE_BRIDGE_ABI_LIST := x86_64 x86 arm64-v8a
  
  LOCAL_SRC_FILES := bin/enable_nativebridge
  
  PRODUCT_COPY_FILES := $(foreach f,$(LOCAL_SRC_FILES),$(LOCAL_PATH)/$(f):system/$(f)) \
      $(LOCAL_PATH)/OEMBlackList:$(TARGET_COPY_OUT_VENDOR)/etc/misc/.OEMBlackList \
      $(LOCAL_PATH)/OEMWhiteList:$(TARGET_COPY_OUT_VENDOR)/etc/misc/.OEMWhiteList \
      $(LOCAL_PATH)/ThirdPartySO:$(TARGET_COPY_OUT_VENDOR)/etc/misc/.ThirdPartySO \
  
  PRODUCT_PROPERTY_OVERRIDES := \
      ro.dalvik.vm.isa.arm=x86 \
      ro.enable.native.bridge.exec=1 \
  
  # ifeq ($(TARGET_SUPPORTS_64_BIT_APPS),true)
  PRODUCT_PROPERTY_OVERRIDES += \
      ro.dalvik.vm.isa.arm64=x86_64 \
      ro.enable.native.bridge.exec64=1
  # endif
  
  PRODUCT_PROPERTY_OVERRIDES := ro.dalvik.vm.native.bridge=libhoudini.so
  
  # ifneq ($(HOUDINI_PREINSTALL),intel)
  # PRODUCT_DEFAULT_PROPERTY_OVERRIDES := ro.dalvik.vm.native.bridge=libnb.so
  
  # PRODUCT_PACKAGES := libnb
  # endif
  
  $(call inherit-product-if-exists,vendor/intel/houdini/houdini.mk)

1) Modify the device information part of init_misc at device/generic/common/init.sh to the following.

  setprop ro.product.manufacturer "samsung"
  setprop ro.product.model "SM-G988N"
  setprop ro.serialno "15c4e1ebc491"

2) Modify the on fs part at device/generic/common/init_x86.rc to mount_all /fstab.android_x86_64.

3) Modify the export_kernel_boot_props at system/core/init/init.cpp by changing ro.hardware’s value to exynos8895.

4) Modify ${ro.hardware} to android_x86_64 at bootable/recovery/etc/init.rc.

5) Make the same modification to system/core/rootdir/init.rc.

6) Modify the following parameters at build/tools/buildinfo.sh.

  echo "ro.product.model=SM-G988N"
  echo "ro.product.brand=samsung"
  echo "ro.product.name=z3qksx"
  echo "ro.product.device=z3q"

7) Modify build/tools/vendor_buildinfo.sh to the following.

  #!/bin/bash
  
  echo "# begin build properties"
  echo "# autogenerated by vendor_buildinfo.sh"
  
  echo "ro.product.board=SM-G988N"
  echo "ro.board.platform=exynos9"
  
  echo "ro.product.vendor.manufacturer=samsung"
  echo "ro.product.vendor.model=SM-G988N"
  echo "ro.product.vendor.brand=samsung"
  echo "ro.product.vendor.name=SM-G988N"
  echo "ro.product.vendor.device=SM-G988N"
  
  echo "# end build properties"

1) Add the following contents to the end of .repo/manifests/defaults.xml.

  <remote name="opengapps" fetch="https://github.com/opengapps/"  />
  <remote name="opengapps-gitlab" fetch="https://gitlab.opengapps.org/opengapps/"  />
  <project path="vendor/opengapps/build" name="aosp_build" revision="master" remote="opengapps" />
  <project path="vendor/opengapps/sources/all" name="all" clone-depth="1" revision="master" remote="opengapps-gitlab" />
  <project path="vendor/opengapps/sources/x86" name="x86" clone-depth="1" revision="master" remote="opengapps-gitlab" />
  <project path="vendor/opengapps/sources/x86_64" name="x86_64" clone-depth="1" revision="master" remote="opengapps-gitlab" />

Note that the above contents may change as OpenGApps upgrades. Check the latest here.

2) Locate the following content at device/generic/common/device.mk.

  # Get GMS
  GAPPS_VARIANT ?= pico
  $(call inherit-product-if-exists,$(if $(wildcard vendor/google/products/gms.mk),vendor/google/products/gms.mk,vendor/opengapps/build/opengapps-packages.mk))

3) Modify it to the following.

  # Get GMS
  GAPPS_VARIANT := pico
  $(call inherit-product-if-exists,$(if $(wildcard vendor/google/products/gms.mk),vendor/google/products/gms.mk,vendor/opengapps/build/opengapps-packages.mk))

4) Run repo sync, git lfs install, and repo forall -c git lfs pull at the root directory of your Android-x86 source.

5) Add a CleanSpec.mk at vendor/opengapps/build with the following contents.

  $(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/priv-app/*)
  $(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/app/*)

6) Add a Android.mk at vendor/opengapps/build/modules with the following contents so as to avoid building ActionServices which only provides ARM source.

  include $(call all-named-subdir-makefiles,$(GAPPS_PRODUCT_PACKAGES))

7) Remove the following from vendor/opengapps/build/opengapps-packages.mk.

  MarkupGoogle \
  GoogleCamera \
  SetupWizard \ # This is the boot-time setup wizard. You can keep it in Android 9, but do remove it in Android 10 as it incurs issues at boot time.

8) make your Android-x86 image.

Hope you’ll find it useful.

Overview

Before we get started, I’ll just throw an architectural graph at you for three purposes:

1) for you to have some basic ideas of the graphics stack’s various components to be discussed in this post, 2) for you to reference each component’s position in the whole stack when reading the parts to follow, and 3) for you to understand the chaos and challenges ahead.

Here it comes:

Note that this graph only demonstrates a common architecture of today’s Linux graphics stack built upon the Direct Rendering Infrastructure (DRI). As other architectures are now rarely used, they are out of this post’s scope.

Now you are familiarized with the architecture, I’ll next introduce the components within and their rationale behind by walking you through the history and showing you the reasons they came to be in the first place.

Indirect Rendering

Nothing is complex in the beginning. The same goes for the Linux graphics. In the early days, only one software in the system is responsible for graphics rendering and communicating with the GPU — X server. Applications use libX11 to tell the X server how to render graphics. After the X server receives hardware-independent rendering commands (defined in the X11 protocol, thus known as Device-Independent X, or DIX) from applications, it then translates these commands into hardware languages that the GPU can understand (e.g., register writes and memory allocations). This translation software module inside the X server is commonly referred to as Device-Dependent X driver, or DDX driver. Here “driver” is a graphic argot that differs from what you have probably learned in OS design — the DDX driver actually operates in the user space rather than in the kernel space as most OS drivers do. Intuitively, to accommodate heterogeneous GPUs, many DDX drivers should be developed accordingly.

At that time, only 2D rendering is necessary for computer graphics. Therefore, the initial libX11 only includes 2D-related operations. However, with the advent of 3D graphics, the above-described architecture soon fails to satisfy people’s needs. To perform 3D rendering on heterogeneous hardware, OpenGL is developed as the new GPU-agnostic interfaces for 3D operations. Specifically, OpenGL is only a series of function specifications that dictate only “what they do” but do not restrict “how to do it”. Thus, the actual OpenGL implementation is totally delegated to the system, which normally can be found in the libGL.so your 3D applications link to.

To avoid complete refactoring of the whole stack, the initial implementation of OpenGL is built upon the 2D X server architecture. The technique that makes this possible is what we call the GL eXtenstion (GLX) of the X11 protocol. GLX is a wapper that wraps OpenGL function calls in X11. The X server then similarly receives X11 commands and translates them into the hardware language as before. Since this process involves wrapping into X11 and intervention of the X server rather than directly asks GPU to perform 3D operations, it is thus later known as indirect rendering (the left path of our architecture graph).

Unfortunately, soon this indirect approach became insufficient for emerging 3D-intensive applications (e.g., 3D games) as it takes unnecessary detour to reach hardware. To address this, direct rendering is proposed.

Direct Rendering

Direct Rendering Infrastructure

The idea of direct rendering is allowing OpenGL implementation to directly interface the hardware GPU without the intervention of X. To this end, the OpenGL library libGL’s implementation should know how to deal with the hardware interfaces. However, libGL is often a user-space library, which should not be given the privilege to handle hardware interactions. Instead, a dedicated kernel-space driver is developed to manipulate the GPU instead, while providing user-space interfaces for libGL and other graphics libraries to use. Given that the driver is devised under the direct rendering framework, it is often referred to as Direct Rendering Manager, or DRM for short. The above framework, including the user-space OpenGL library and the kernel-space DRM, is often dubbed as Direct Rendering Infrastructure (DRI).

Kernel Space: Direct Rendering Manager

The kernel-space DRM driver is responsible for allocating graphics memory, submitting drawing commands, and transferring graphics data, etc. Nowadays, even X interacts with the GPU through DRM. With DRM, First, the OpenGL library and other graphics libraries directly used by applications can still reside in the user space so that applications’ frequent interactions with it do not incur frequent user/kernel switch, and Note that DRM is not the only implementation exist out there. Hardware GPU vendors like NVIDIA also has their own implementations of kernel-space drivers for interacting with the hardware, which share similar functionalities as those of DRM. For example, NVIDIA has open-sourced its Linux kernel driver.

User Space: Mesa OpenGL Library

Apart from the kernel-space driver, another important part of DRI is the user-space library libGL. To implement the user-space library, an issue is that different hardware platforms expose different interfaces and thus should come with different libGL implementations. However, naturally, different implementations still share a large amount of code and incur severe code duplications if managed separately.

To address this, a generic framework is proposed to hold all open-source graphics libraries of Linux, which is Mesa. Mesa abstracts capabilities of a graphics library so that different implementations for different hardware platforms can share as much code as possible. As shown in the graph above, the Mesa framework usually involves state tracker, pipe driver and WinSys driver. Specifically, state tracker abstracts the state management in various graphics languages (e.g., OpenGL and Direct3D), allowing Mesa to extend supports for languages beyond OpenGL. Pipe driver and WinSys driver abstract OS-specific interactions such as managing window. This unique architecture allows Mesa to hold OpenGL (and even Direct3D) libraries for GPUs of myriad vendors such as Intel, AMD, and NVIDIA. In fact, many virtualization-based GPU drivers such as those of VMware and QEMU virtio-gpu are also built within the Mesa framework. What a miracle!

• The first step is installing VS Code of course. I’ll simply skip this step for any experienced developers.
• Now search and install the C/C++ Extension in VS Code’s extension market.
• Build the kernel before you do anything else.
• Use a magical script named gen_compile_commands.py in the kernel/script file. If it does not exist, you can find it in the upstream Linux kernel repository (https://github.com/torvalds/linux/blob/master/scripts/gen_compile_commands.py).
• Run the command by python gen_compile_commands.py -d ${path-to-kernel-build-directory}. In the case of Android-x86, the corresponding kernel build path is out/target/product/{x86_64}/obj/kernel ({} denotes that this name can vary depending on your chosen build target).
• After that you can find you compile_commands.json in the kernel build path.
• Now go back to VS Code and enter Ctrl+Shift+P to initiate command execution.
• Enter >C/C++: Edit Configurations (UI) (you should get prompted even if you have not finished the command).
• Now open Advanced Settings and find the Compile commands setting.
• Enter the path to your compile_commands.json and you are good to go! Enjoy your VS Code journey.

Environment

• Android version: Android-x86 (q-x86, x86_64_userdebug)
• QEMU: 5.1
• Host: Ubuntu 20.04

A Demo Driver

• Create a new directory in ${android-source-root}/kernel/drivers named hello

• cd ${android-source-root}/kernel/drivers/hello

• Create a new C file named hello.c, with the following content:

  #include <linux/module.h>  
  #include <linux/kernel.h>  
  #include <linux/fs.h>  
  #include <linux/miscdevice.h>  
    
  MODULE_LICENSE("GPL");  
  MODULE_AUTHOR("AndyLin");  
  MODULE_DESCRIPTION("Hello Kernel Device");  
  MODULE_VERSION("1.0");  
    
  #define CMD_COMMAND 0x1336  
    
  long hello_ioctl(struct file *filp,
      unsigned int cmd,  
      unsigned long arg){  
      switch(cmd){  
      case CMD_COMMAND:  
          printk("Hello Module hello_ioctl() exced");  
          break;  
      default:  
          printk("Hello Module unknown ioctl cmd");  
      }  
      return 0;  
  }  
    
  struct file_operations hello_fops = {
      unlocked_ioctl: hello_ioctl  
  };  
    
  static struct miscdevice hello_device = {
      minor: MISC_DYNAMIC_MINOR,  
      name: "hello",  
      fops: &hello_fops,  
      mode: 777
  };  
    
  static int hello_begin(void){  
      int ret;  
      ret = misc_register(&hello_device);
      if(ret)  
          printk("Failed to register misc device");  
      else  
          printk("Hello Module successfully loaded");  
    
      return ret;  
  }  
    
  static void hello_exit(void){  
      misc_deregister(&hello_device);
      printk("Hello module exit"); 
      return; 
  }  
    
  module_init(hello_begin);
  module_exit(hello_exit); 
  

• In the ${android-source-root}, run the following commands to build the kernel first:

  source build/envsetup.sh
  lunch android_x86_64-userdebug
  make kernel -j${thread_num}
  

• Create a MakeFile in the hello directory:

  obj-m := hello.o  
    
  // This is why we build kernel first -- in order to generate the kernel directory
  KERNELDIR := ${android-source-root}/out/target/product/x86_64/obj/kernel/
  PWD :=$(shell pwd)  
  ARCH=x86_64
  CROSS_COMPILE=${android-source-root}/prebuilts/gcc/linux-x86/x86/x86_64-linux-android-4.9/bin/x86_64-linux-android-  
  CC=$(CROSS_COMPILE)gcc  
  LD=$(CROSS_COMPILE)ld  
  CFLAGS_MODULE=-fno-pic  
    
  all:  
  	make -C $(KERNELDIR) ARCH=$(ARCH) CROSS_COMPILE=$(CROSS_COMPILE) M=$(PWD) modules
  clean:    
  	rm *.o *.ko *.mod.c *.order *.symvers
  

• Now we can finally make

• After make, you can see a hello.ko file in the directory

• Now you can build your Android-x86 and run it atop QEMU (you might run into compilation errors due to dirty kernel directory caused by make kernel; if that happens, you can first run make mrproper in the kernel directory before building the entire system)

• Connect to the system via adb (note that you should first turn on your WiFi in Android, and you can connect to it by running adb connect localhost:4444, if your QEMU booting command contains the following: -net nic -net user,hostfwd=tcp::4444-:555

• Use adb to push the hello.ko to Android’s any directory as you please

• In adb shell, run insmod ${path-to-the-hello.ko-file}

• Now you are all done! You can use dmesg | grep Hello to check the output in the driver’s code

Guest端

• 操作系统启动时遍历PCI总线树，virtio-gpu作为一个PCI设备被OS检测到并注册

• virtio_pci_common.c中的virtio_pci_probe函数会根据PCI设备号创建virtio_pci_device，并将其添加到virtio_bus

• 在/sys/bus/virtio/drivers中可以看到virtio-gpu设备

• 运行一个OpenGL应用，此时该应用会调用OpenGL库进行图形绘制

• OpenGL指令会送至内核中的DRM（Direct Rendering Management）图形驱动，DRM驱动向GPU下达相应的图形指令（着色、光栅化、贴图什么的），具体的OpenGL->DRM->GPU流程看这里https://www.cnblogs.com/shoemaker/p/linux_graphics01.html

• Guest端的virtio-gpu设备截获DRM的相关指令，然后转换分解为自己定义的一套指令（具体指令类型见后）

• 将指令放到virtqueue中，然后告知QEMU：

  virtqueue_notify
      vq->notify(_vq) <-- vp_notify
      iowrite16(vq->index, vp_dev->ioaddr + VIRTIO_PCI_QUEUE_NOTIFY)
  

  方法是Guest写I/O寄存器，触发VM Exit进入到KVM中处理，进入到Host端流程

Host端

• KVM无法处理而退出，处理退出原因发现是KVM_EXIT_IO，进而调用相应的Handle函数

  int kvm_cpu_exec(CPUArchState *env)
  {
      do {
          run_ret = kvm_vcpu_ioctl(env, KVM_RUN, 0);
          switch (run->exit_reason) { /* 处理退出原因 */
          case KVM_EXIT_IO:
              kvm_handle_io();
              ...
  }
  

• kvm_handle_io通过write eventfd将等待poll的QEMU主线程唤醒，然后一步步走到virtio-gpu的I/O handlers。其中与virtio-gpu有关的virtqueue有两个：ctrl_vq负责交换图形命令，cursor_vq负责交换光标信息；

  从而相应也有两个handlers：virtio_gpu_handle_ctrl和virtio_gpu_handle_cursor，两个函数在hw/display/virtio-gpu.c；

  handler的注册在GCC编译时设定为在main函数前执行，位于virtio_gpu_device_realize函数中，具体见QOM编程模型https://blog.csdn.net/u011364612/article/details/53581411和相关的GCC trickhttps://blog.csdn.net/u011364612/article/details/53581501

  main  main_loop main_loop_wait
      os_host_main_loop_wait
          glib_pollfds_poll
              g_main_context_dispatch 
                  aio_ctx_dispatch    aio_dispatch
                      virtio_queue_host_notifier_read
                          virtio_queue_notify_vq 
                              virtio_gpu_handle_ctrl virtio_gpu_handle_cursor
  

• 以virtio_gpu_handle_ctrl继续向下，到virtio_gpu_handle_ctrl，其首先从virtqueue中取出Guest端传来的命令，然后进行处理

  void virtio_gpu_process_cmdq(VirtIOGPU *g)
  {
      struct virtio_gpu_ctrl_command *cmd;
    
      while (!QTAILQ_EMPTY(&g->cmdq)) {
          /* 取命令 */
          cmd = QTAILQ_FIRST(&g->cmdq);
            
          ...
    
          /* 处理命令 */
          VIRGL(g, virtio_gpu_virgl_process_cmd, virtio_gpu_simple_process_cmd,
                g, cmd);
          QTAILQ_REMOVE(&g->cmdq, cmd, next);
          ...
      }
  }
  

  virtio_gpu_ctrl_command为Guest端解析DRM驱动指令重新构成的virtio命令格式

  struct virtio_gpu_ctrl_command {
      VirtQueueElement elem;                       // 取出的命令被映射到这里
      VirtQueue *vq;                               // Host/Guest共享的队列
      struct virtio_gpu_ctrl_hdr cmd_hdr;          // 命令指定的header，指定了命令类型
      uint32_t error;
      bool finished;
      QTAILQ_ENTRY(virtio_gpu_ctrl_command) next;
  };
  

• 处理命令的VIRGL宏如下，这里用了libvirglrenderer

  #ifdef CONFIG_VIRGL
  #include <virglrenderer.h>
  #define VIRGL(_g, _virgl, _simple, ...)                     \
      do {                                                    \
          if (_g->parent_obj.use_virgl_renderer) {            \
              _virgl(__VA_ARGS__);                            \
          } else {                                            \
              _simple(__VA_ARGS__);                           \
          }                                                   \
      } while (0)
  #else
  #define VIRGL(_g, _virgl, _simple, ...)                 \
      do {                                                \
          _simple(__VA_ARGS__);                           \
      } while (0)
  #endif
  

  有virgl支持则能进行3D加速，否则只能进行2D加速，在Windows上目前直接使用virtio-vga会黑屏可能是已经没有所谓的2D加速这种东西了吧

• _simple对应virtio_gpu_simple_process_cmd，3D加速对应的函数差不多

  static void virtio_gpu_simple_process_cmd(VirtIOGPU *g,
                                            struct virtio_gpu_ctrl_command *cmd)
  {
      VIRTIO_GPU_FILL_CMD(cmd->cmd_hdr);
      virtio_gpu_ctrl_hdr_bswap(&cmd->cmd_hdr);
    
      switch (cmd->cmd_hdr.type) { //type就是命令类型
      case VIRTIO_GPU_CMD_GET_DISPLAY_INFO:
          virtio_gpu_get_display_info(g, cmd);
          break;
      case VIRTIO_GPU_CMD_GET_EDID:
          virtio_gpu_get_edid(g, cmd);
          break;
      case VIRTIO_GPU_CMD_RESOURCE_CREATE_2D:          // 创建2D资源，仅有长宽和格式，没有像素信息，像素信息单独传
          virtio_gpu_resource_create_2d(g, cmd);
          break;
      case VIRTIO_GPU_CMD_RESOURCE_UNREF:
          virtio_gpu_resource_unref(g, cmd);
          break;
      case VIRTIO_GPU_CMD_RESOURCE_FLUSH:             // 将处理好的图形送到显示器
          virtio_gpu_resource_flush(g, cmd);
          break;
      case VIRTIO_GPU_CMD_TRANSFER_TO_HOST_2D:        // 交给Host的pixman库进行图形处理，比如明暗、光栅化处理
          virtio_gpu_transfer_to_host_2d(g, cmd);
          break;
      case VIRTIO_GPU_CMD_SET_SCANOUT:
          virtio_gpu_set_scanout(g, cmd);
          break;
      case VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING:    // 获取像素信息并和2D资源绑定
          virtio_gpu_resource_attach_backing(g, cmd);
          break;
      case VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING:
          virtio_gpu_resource_detach_backing(g, cmd);
          break;
      default:
          cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
          break;
      }
      if (!cmd->finished) {
          virtio_gpu_ctrl_response_nodata(g, cmd, cmd->error ? cmd->error :
                                          VIRTIO_GPU_RESP_OK_NODATA);
      }
  }
  

  具体的各流程和结构体解释见https://blog.csdn.net/huang987246510/article/details/106254294/

• pixman库处理完后由dpy_gfx_update刷新显示器