Android OTA Firmware Analysis
The OTA file is a zip file with various files inside, the one file we care about is payload.bin.
Payload.bin contains the filesystem images such as system.img and boot.img.
check_ota.py script unpacks an OTA file and runs FwAnalyzer on every filesystem image extracted from the OTA file.
The OTA check script requires separate FwAnalyzer configuration files for each filesystem image that is extracted from the OTA file.
check_ota.py script expects a directory that contains FwAnalyzer config files with the same name as the filesystem image but
the toml extensions. For example the config file for system.img needs to be named system.toml.
OTA images contain system.img, vendor.img, dsp.img, and boot.img.
All images besides the boot.img are ext4 filesystems and therefore the config file needs to have
FsType set to
The boot.img will be unpacked to a directory (using the
mkboot tool), therefore, the boot.toml file needs to have
FsType set to
The files android_user_build_checks.toml
are a collection of very simple checks for Android production builds (user builds).
The config file can be included in custom FwAnalyzer config using the
The android_properties.toml file is a collection of
statements that will extract Android properties from various parts of an Android firmware image.
The OTA check fails if FwAnalyzer reports an Offender in any of the filesystem images. The reports generated by FwAnalyzer are written to IMAGENAME_out.json (e.g. system_out.json).
--otastring : path to ota file
--reportstring : path to report file (will be overwritten)
--cfg-pathstring : path to directory containing fwanalyzer config files
--cfg-include-pathstring : path to directory containing fwanalyzer config include files
--fwanalyzer-binstring : path to fwanalyzer binary
--keep-unpacked: keep unpacked data
--targetsstring : filesystem targets (e.g.: system boot)
$ ls system.toml $ check_ota.py -ota update-ota.zip -cfg-path . -cfg-include-path . --targets system