am 858f0a76: am 8e5e4dad: close update package before installing; allow remount

Merge commit '858f0a763d0f736eb721f54257b6164886bfcbfc'

* commit '858f0a763d0f736eb721f54257b6164886bfcbfc':
  close update package before installing; allow remount
diff --git a/Android.mk b/Android.mk
index b0fefbd..e8e7a79 100644
--- a/Android.mk
+++ b/Android.mk
@@ -24,6 +24,14 @@
 RECOVERY_API_VERSION := 3
 LOCAL_CFLAGS += -DRECOVERY_API_VERSION=$(RECOVERY_API_VERSION)
 
+LOCAL_STATIC_LIBRARIES :=
+
+ifeq ($(TARGET_USERIMAGES_USE_EXT4), true)
+LOCAL_CFLAGS += -DUSE_EXT4
+LOCAL_C_INCLUDES += system/extras/ext4_utils
+LOCAL_STATIC_LIBRARIES += libext4_utils libz
+endif
+
 # This binary is in the recovery ramdisk, which is otherwise a copy of root.
 # It gets copied there in config/Makefile.  LOCAL_MODULE_TAGS suppresses
 # a (redundant) copy of the binary in /system/bin for user builds.
@@ -31,7 +39,6 @@
 
 LOCAL_MODULE_TAGS := eng
 
-LOCAL_STATIC_LIBRARIES :=
 ifeq ($(TARGET_RECOVERY_UI_LIB),)
   LOCAL_SRC_FILES += default_recovery_ui.c
 else
@@ -60,6 +67,7 @@
 
 
 include $(commands_recovery_local_path)/minui/Android.mk
+include $(commands_recovery_local_path)/minelf/Android.mk
 include $(commands_recovery_local_path)/minzip/Android.mk
 include $(commands_recovery_local_path)/mtdutils/Android.mk
 include $(commands_recovery_local_path)/tools/Android.mk
diff --git a/applypatch/Android.mk b/applypatch/Android.mk
index e91e4bf..eff1d77 100644
--- a/applypatch/Android.mk
+++ b/applypatch/Android.mk
@@ -31,7 +31,7 @@
 LOCAL_SRC_FILES := main.c
 LOCAL_MODULE := applypatch
 LOCAL_C_INCLUDES += bootable/recovery
-LOCAL_STATIC_LIBRARIES += libapplypatch libmtdutils libmincrypt libbz
+LOCAL_STATIC_LIBRARIES += libapplypatch libmtdutils libmincrypt libbz libminelf
 LOCAL_SHARED_LIBRARIES += libz libcutils libstdc++ libc
 
 include $(BUILD_EXECUTABLE)
@@ -43,7 +43,7 @@
 LOCAL_FORCE_STATIC_EXECUTABLE := true
 LOCAL_MODULE_TAGS := eng
 LOCAL_C_INCLUDES += bootable/recovery
-LOCAL_STATIC_LIBRARIES += libapplypatch libmtdutils libmincrypt libbz
+LOCAL_STATIC_LIBRARIES += libapplypatch libmtdutils libmincrypt libbz libminelf
 LOCAL_STATIC_LIBRARIES += libz libcutils libstdc++ libc
 
 include $(BUILD_EXECUTABLE)
diff --git a/applypatch/applypatch.c b/applypatch/applypatch.c
index b85b915..1060913 100644
--- a/applypatch/applypatch.c
+++ b/applypatch/applypatch.c
@@ -31,21 +31,27 @@
 #include "edify/expr.h"
 
 int SaveFileContents(const char* filename, FileContents file);
-int LoadMTDContents(const char* filename, FileContents* file);
+static int LoadPartitionContents(const char* filename, FileContents* file);
 int ParseSha1(const char* str, uint8_t* digest);
-ssize_t FileSink(unsigned char* data, ssize_t len, void* token);
+static ssize_t FileSink(unsigned char* data, ssize_t len, void* token);
 
 static int mtd_partitions_scanned = 0;
 
-// Read a file into memory; store it and its associated metadata in
-// *file.  Return 0 on success.
-int LoadFileContents(const char* filename, FileContents* file) {
+// Read a file into memory; optionally (retouch_flag == RETOUCH_DO_MASK) mask
+// the retouched entries back to their original value (such that SHA-1 checks
+// don't fail due to randomization); store the file contents and associated
+// metadata in *file.
+//
+// Return 0 on success.
+int LoadFileContents(const char* filename, FileContents* file,
+                     int retouch_flag) {
     file->data = NULL;
 
-    // A special 'filename' beginning with "MTD:" means to load the
-    // contents of an MTD partition.
-    if (strncmp(filename, "MTD:", 4) == 0) {
-        return LoadMTDContents(filename, file);
+    // A special 'filename' beginning with "MTD:" or "EMMC:" means to
+    // load the contents of a partition.
+    if (strncmp(filename, "MTD:", 4) == 0 ||
+        strncmp(filename, "EMMC:", 5) == 0) {
+        return LoadPartitionContents(filename, file);
     }
 
     if (stat(filename, &file->st) != 0) {
@@ -74,6 +80,20 @@
     }
     fclose(f);
 
+    // apply_patch[_check] functions are blind to randomization. Randomization
+    // is taken care of in [Undo]RetouchBinariesFn. If there is a mismatch
+    // within a file, this means the file is assumed "corrupt" for simplicity.
+    if (retouch_flag) {
+        int32_t desired_offset = 0;
+        if (retouch_mask_data(file->data, file->size,
+                              &desired_offset, NULL) != RETOUCH_DATA_MATCHED) {
+            printf("error trying to mask retouch entries\n");
+            free(file->data);
+            file->data = NULL;
+            return -1;
+        }
+    }
+
     SHA(file->data, file->size, file->sha1);
     return 0;
 }
@@ -98,26 +118,35 @@
     free(file);
 }
 
-// Load the contents of an MTD partition into the provided
+// Load the contents of an MTD or EMMC partition into the provided
 // FileContents.  filename should be a string of the form
-// "MTD:<partition_name>:<size_1>:<sha1_1>:<size_2>:<sha1_2>:...".
-// The smallest size_n bytes for which that prefix of the mtd contents
-// has the corresponding sha1 hash will be loaded.  It is acceptable
-// for a size value to be repeated with different sha1s.  Will return
-// 0 on success.
+// "MTD:<partition_name>:<size_1>:<sha1_1>:<size_2>:<sha1_2>:..."  (or
+// "EMMC:<partition_device>:...").  The smallest size_n bytes for
+// which that prefix of the partition contents has the corresponding
+// sha1 hash will be loaded.  It is acceptable for a size value to be
+// repeated with different sha1s.  Will return 0 on success.
 //
 // This complexity is needed because if an OTA installation is
 // interrupted, the partition might contain either the source or the
 // target data, which might be of different lengths.  We need to know
-// the length in order to read from MTD (there is no "end-of-file"
-// marker), so the caller must specify the possible lengths and the
-// hash of the data, and we'll do the load expecting to find one of
-// those hashes.
-int LoadMTDContents(const char* filename, FileContents* file) {
+// the length in order to read from a partition (there is no
+// "end-of-file" marker), so the caller must specify the possible
+// lengths and the hash of the data, and we'll do the load expecting
+// to find one of those hashes.
+enum PartitionType { MTD, EMMC };
+
+static int LoadPartitionContents(const char* filename, FileContents* file) {
     char* copy = strdup(filename);
     const char* magic = strtok(copy, ":");
-    if (strcmp(magic, "MTD") != 0) {
-        printf("LoadMTDContents called with bad filename (%s)\n",
+
+    enum PartitionType type;
+
+    if (strcmp(magic, "MTD") == 0) {
+        type = MTD;
+    } else if (strcmp(magic, "EMMC") == 0) {
+        type = EMMC;
+    } else {
+        printf("LoadPartitionContents called with bad filename (%s)\n",
                filename);
         return -1;
     }
@@ -131,7 +160,7 @@
         }
     }
     if (colons < 3 || colons%2 == 0) {
-        printf("LoadMTDContents called with bad filename (%s)\n",
+        printf("LoadPartitionContents called with bad filename (%s)\n",
                filename);
     }
 
@@ -144,7 +173,7 @@
         const char* size_str = strtok(NULL, ":");
         size[i] = strtol(size_str, NULL, 10);
         if (size[i] == 0) {
-            printf("LoadMTDContents called with bad size (%s)\n", filename);
+            printf("LoadPartitionContents called with bad size (%s)\n", filename);
             return -1;
         }
         sha1sum[i] = strtok(NULL, ":");
@@ -156,23 +185,38 @@
     size_array = size;
     qsort(index, pairs, sizeof(int), compare_size_indices);
 
-    if (!mtd_partitions_scanned) {
-        mtd_scan_partitions();
-        mtd_partitions_scanned = 1;
-    }
+    MtdReadContext* ctx = NULL;
+    FILE* dev = NULL;
 
-    const MtdPartition* mtd = mtd_find_partition_by_name(partition);
-    if (mtd == NULL) {
-        printf("mtd partition \"%s\" not found (loading %s)\n",
-               partition, filename);
-        return -1;
-    }
+    switch (type) {
+        case MTD:
+            if (!mtd_partitions_scanned) {
+                mtd_scan_partitions();
+                mtd_partitions_scanned = 1;
+            }
 
-    MtdReadContext* ctx = mtd_read_partition(mtd);
-    if (ctx == NULL) {
-        printf("failed to initialize read of mtd partition \"%s\"\n",
-               partition);
-        return -1;
+            const MtdPartition* mtd = mtd_find_partition_by_name(partition);
+            if (mtd == NULL) {
+                printf("mtd partition \"%s\" not found (loading %s)\n",
+                       partition, filename);
+                return -1;
+            }
+
+            ctx = mtd_read_partition(mtd);
+            if (ctx == NULL) {
+                printf("failed to initialize read of mtd partition \"%s\"\n",
+                       partition);
+                return -1;
+            }
+            break;
+
+        case EMMC:
+            dev = fopen(partition, "rb");
+            if (dev == NULL) {
+                printf("failed to open emmc partition \"%s\": %s\n",
+                       partition, strerror(errno));
+                return -1;
+            }
     }
 
     SHA_CTX sha_ctx;
@@ -191,7 +235,15 @@
         size_t next = size[index[i]] - file->size;
         size_t read = 0;
         if (next > 0) {
-            read = mtd_read_data(ctx, p, next);
+            switch (type) {
+                case MTD:
+                    read = mtd_read_data(ctx, p, next);
+                    break;
+
+                case EMMC:
+                    read = fread(p, 1, next, dev);
+                    break;
+            }
             if (next != read) {
                 printf("short read (%d bytes of %d) for partition \"%s\"\n",
                        read, next, partition);
@@ -220,7 +272,7 @@
         if (memcmp(sha_so_far, parsed_sha, SHA_DIGEST_SIZE) == 0) {
             // we have a match.  stop reading the partition; we'll return
             // the data we've read so far.
-            printf("mtd read matched size %d sha %s\n",
+            printf("partition read matched size %d sha %s\n",
                    size[index[i]], sha1sum[index[i]]);
             break;
         }
@@ -228,12 +280,21 @@
         p += read;
     }
 
-    mtd_read_close(ctx);
+    switch (type) {
+        case MTD:
+            mtd_read_close(ctx);
+            break;
+
+        case EMMC:
+            fclose(dev);
+            break;
+    }
+
 
     if (i == pairs) {
         // Ran off the end of the list of (size,sha1) pairs without
         // finding a match.
-        printf("contents of MTD partition \"%s\" didn't match %s\n",
+        printf("contents of partition \"%s\" didn't match %s\n",
                partition, filename);
         free(file->data);
         file->data = NULL;
@@ -292,61 +353,87 @@
     return 0;
 }
 
-// Write a memory buffer to target_mtd partition, a string of the form
-// "MTD:<partition>[:...]".  Return 0 on success.
-int WriteToMTDPartition(unsigned char* data, size_t len,
-                        const char* target_mtd) {
-    char* partition = strchr(target_mtd, ':');
+// Write a memory buffer to 'target' partition, a string of the form
+// "MTD:<partition>[:...]" or "EMMC:<partition_device>:".  Return 0 on
+// success.
+int WriteToPartition(unsigned char* data, size_t len,
+                        const char* target) {
+    char* copy = strdup(target);
+    const char* magic = strtok(copy, ":");
+
+    enum PartitionType type;
+    if (strcmp(magic, "MTD") == 0) {
+        type = MTD;
+    } else if (strcmp(magic, "EMMC") == 0) {
+        type = EMMC;
+    } else {
+        printf("WriteToPartition called with bad target (%s)\n", target);
+        return -1;
+    }
+    const char* partition = strtok(NULL, ":");
+
     if (partition == NULL) {
-        printf("bad MTD target name \"%s\"\n", target_mtd);
-        return -1;
-    }
-    ++partition;
-    // Trim off anything after a colon, eg "MTD:boot:blah:blah:blah...".
-    // We want just the partition name "boot".
-    partition = strdup(partition);
-    char* end = strchr(partition, ':');
-    if (end != NULL)
-        *end = '\0';
-
-    if (!mtd_partitions_scanned) {
-        mtd_scan_partitions();
-        mtd_partitions_scanned = 1;
-    }
-
-    const MtdPartition* mtd = mtd_find_partition_by_name(partition);
-    if (mtd == NULL) {
-        printf("mtd partition \"%s\" not found for writing\n", partition);
+        printf("bad partition target name \"%s\"\n", target);
         return -1;
     }
 
-    MtdWriteContext* ctx = mtd_write_partition(mtd);
-    if (ctx == NULL) {
-        printf("failed to init mtd partition \"%s\" for writing\n",
-               partition);
-        return -1;
+    switch (type) {
+        case MTD:
+            if (!mtd_partitions_scanned) {
+                mtd_scan_partitions();
+                mtd_partitions_scanned = 1;
+            }
+
+            const MtdPartition* mtd = mtd_find_partition_by_name(partition);
+            if (mtd == NULL) {
+                printf("mtd partition \"%s\" not found for writing\n",
+                       partition);
+                return -1;
+            }
+
+            MtdWriteContext* ctx = mtd_write_partition(mtd);
+            if (ctx == NULL) {
+                printf("failed to init mtd partition \"%s\" for writing\n",
+                       partition);
+                return -1;
+            }
+
+            size_t written = mtd_write_data(ctx, (char*)data, len);
+            if (written != len) {
+                printf("only wrote %d of %d bytes to MTD %s\n",
+                       written, len, partition);
+                mtd_write_close(ctx);
+                return -1;
+            }
+
+            if (mtd_erase_blocks(ctx, -1) < 0) {
+                printf("error finishing mtd write of %s\n", partition);
+                mtd_write_close(ctx);
+                return -1;
+            }
+
+            if (mtd_write_close(ctx)) {
+                printf("error closing mtd write of %s\n", partition);
+                return -1;
+            }
+            break;
+
+        case EMMC:
+            ;
+            FILE* f = fopen(partition, "wb");
+            if (fwrite(data, 1, len, f) != len) {
+                printf("short write writing to %s (%s)\n",
+                       partition, strerror(errno));
+                return -1;
+            }
+            if (fclose(f) != 0) {
+                printf("error closing %s (%s)\n", partition, strerror(errno));
+                return -1;
+            }
+            break;
     }
 
-    size_t written = mtd_write_data(ctx, (char*)data, len);
-    if (written != len) {
-        printf("only wrote %d of %d bytes to MTD %s\n",
-               written, len, partition);
-        mtd_write_close(ctx);
-        return -1;
-    }
-
-    if (mtd_erase_blocks(ctx, -1) < 0) {
-        printf("error finishing mtd write of %s\n", partition);
-        mtd_write_close(ctx);
-        return -1;
-    }
-
-    if (mtd_write_close(ctx)) {
-        printf("error closing mtd write of %s\n", partition);
-        return -1;
-    }
-
-    free(partition);
+    free(copy);
     return 0;
 }
 
@@ -406,10 +493,10 @@
     file.data = NULL;
 
     // It's okay to specify no sha1s; the check will pass if the
-    // LoadFileContents is successful.  (Useful for reading MTD
+    // LoadFileContents is successful.  (Useful for reading
     // partitions, where the filename encodes the sha1s; no need to
     // check them twice.)
-    if (LoadFileContents(filename, &file) != 0 ||
+    if (LoadFileContents(filename, &file, RETOUCH_DO_MASK) != 0 ||
         (num_patches > 0 &&
          FindMatchingPatch(file.sha1, patch_sha1_str, num_patches) < 0)) {
         printf("file \"%s\" doesn't have any of expected "
@@ -423,7 +510,7 @@
         // exists and matches the sha1 we're looking for, the check still
         // passes.
 
-        if (LoadFileContents(CACHE_TEMP_SOURCE, &file) != 0) {
+        if (LoadFileContents(CACHE_TEMP_SOURCE, &file, RETOUCH_DO_MASK) != 0) {
             printf("failed to load cache file\n");
             return 1;
         }
@@ -518,8 +605,8 @@
 // - otherwise, or if any error is encountered, exits with non-zero
 //   status.
 //
-// <source_filename> may refer to an MTD partition to read the source
-// data.  See the comments for the LoadMTDContents() function above
+// <source_filename> may refer to a partition to read the source data.
+// See the comments for the LoadPartition Contents() function above
 // for the format of such a filename.
 
 int applypatch(const char* source_filename,
@@ -549,7 +636,8 @@
     int made_copy = 0;
 
     // We try to load the target file into the source_file object.
-    if (LoadFileContents(target_filename, &source_file) == 0) {
+    if (LoadFileContents(target_filename, &source_file,
+                         RETOUCH_DO_MASK) == 0) {
         if (memcmp(source_file.sha1, target_sha1, SHA_DIGEST_SIZE) == 0) {
             // The early-exit case:  the patch was already applied, this file
             // has the desired hash, nothing for us to do.
@@ -565,7 +653,8 @@
         // Need to load the source file:  either we failed to load the
         // target file, or we did but it's different from the source file.
         free(source_file.data);
-        LoadFileContents(source_filename, &source_file);
+        LoadFileContents(source_filename, &source_file,
+                         RETOUCH_DO_MASK);
     }
 
     if (source_file.data != NULL) {
@@ -580,7 +669,8 @@
         free(source_file.data);
         printf("source file is bad; trying copy\n");
 
-        if (LoadFileContents(CACHE_TEMP_SOURCE, &copy_file) < 0) {
+        if (LoadFileContents(CACHE_TEMP_SOURCE, &copy_file,
+                             RETOUCH_DO_MASK) < 0) {
             // fail.
             printf("failed to read copy file\n");
             return 1;
@@ -623,14 +713,16 @@
         // Is there enough room in the target filesystem to hold the patched
         // file?
 
-        if (strncmp(target_filename, "MTD:", 4) == 0) {
-            // If the target is an MTD partition, we're actually going to
-            // write the output to /tmp and then copy it to the partition.
-            // statfs() always returns 0 blocks free for /tmp, so instead
-            // we'll just assume that /tmp has enough space to hold the file.
+        if (strncmp(target_filename, "MTD:", 4) == 0 ||
+            strncmp(target_filename, "EMMC:", 5) == 0) {
+            // If the target is a partition, we're actually going to
+            // write the output to /tmp and then copy it to the
+            // partition.  statfs() always returns 0 blocks free for
+            // /tmp, so instead we'll just assume that /tmp has enough
+            // space to hold the file.
 
-            // We still write the original source to cache, in case the MTD
-            // write is interrupted.
+            // We still write the original source to cache, in case
+            // the partition write is interrupted.
             if (MakeFreeSpaceOnCache(source_file.size) < 0) {
                 printf("not enough free space on /cache\n");
                 return 1;
@@ -661,11 +753,13 @@
                 // copy the source file to cache, then delete it from the original
                 // location.
 
-                if (strncmp(source_filename, "MTD:", 4) == 0) {
+                if (strncmp(source_filename, "MTD:", 4) == 0 ||
+                    strncmp(source_filename, "EMMC:", 5) == 0) {
                     // It's impossible to free space on the target filesystem by
-                    // deleting the source if the source is an MTD partition.  If
+                    // deleting the source if the source is a partition.  If
                     // we're ever in a state where we need to do this, fail.
-                    printf("not enough free space for target but source is MTD\n");
+                    printf("not enough free space for target but source "
+                           "is partition\n");
                     return 1;
                 }
 
@@ -704,7 +798,8 @@
         void* token = NULL;
         output = -1;
         outname = NULL;
-        if (strncmp(target_filename, "MTD:", 4) == 0) {
+        if (strncmp(target_filename, "MTD:", 4) == 0 ||
+            strncmp(target_filename, "EMMC:", 5) == 0) {
             // We store the decoded output in memory.
             msi.buffer = malloc(target_size);
             if (msi.buffer == NULL) {
@@ -780,8 +875,8 @@
     }
 
     if (output < 0) {
-        // Copy the temp file to the MTD partition.
-        if (WriteToMTDPartition(msi.buffer, msi.pos, target_filename) != 0) {
+        // Copy the temp file to the partition.
+        if (WriteToPartition(msi.buffer, msi.pos, target_filename) != 0) {
             printf("write of patched data to %s failed\n", target_filename);
             return 1;
         }
diff --git a/applypatch/applypatch.h b/applypatch/applypatch.h
index 10c0125..a78c89b 100644
--- a/applypatch/applypatch.h
+++ b/applypatch/applypatch.h
@@ -19,6 +19,7 @@
 
 #include <sys/stat.h>
 #include "mincrypt/sha.h"
+#include "minelf/Retouch.h"
 #include "edify/expr.h"
 
 typedef struct _Patch {
@@ -59,10 +60,12 @@
                      int num_patches,
                      char** const patch_sha1_str);
 
-// Read a file into memory; store it and its associated metadata in
-// *file.  Return 0 on success.
-int LoadFileContents(const char* filename, FileContents* file);
+int LoadFileContents(const char* filename, FileContents* file,
+                     int retouch_flag);
+int SaveFileContents(const char* filename, FileContents file);
 void FreeFileContents(FileContents* file);
+int FindMatchingPatch(uint8_t* sha1, char** const patch_sha1_str,
+                      int num_patches);
 
 // bsdiff.c
 void ShowBSDiffLicense();
diff --git a/applypatch/main.c b/applypatch/main.c
index 3917f86..7025a2e 100644
--- a/applypatch/main.c
+++ b/applypatch/main.c
@@ -74,7 +74,7 @@
             (*patches)[i] = NULL;
         } else {
             FileContents fc;
-            if (LoadFileContents(colon, &fc) != 0) {
+            if (LoadFileContents(colon, &fc, RETOUCH_DONT_MASK) != 0) {
                 goto abort;
             }
             (*patches)[i] = malloc(sizeof(Value));
diff --git a/bootloader.c b/bootloader.c
index 38b5651..1e66c3e 100644
--- a/bootloader.c
+++ b/bootloader.c
@@ -25,8 +25,6 @@
 
 static const char *CACHE_NAME = "CACHE:";
 static const char *MISC_NAME = "MISC:";
-static const int MISC_PAGES = 3;         // number of pages to save
-static const int MISC_COMMAND_PAGE = 1;  // bootloader command is this page
 
 #ifdef LOG_VERBOSE
 static void dump_data(const char *data, int len) {
@@ -41,6 +39,57 @@
 }
 #endif
 
+#ifdef USE_EXT4
+// Strictly speaking this doesn't have anything to do with ext4; we
+// really just mean "misc is an emmc partition".  We should have a
+// more configurable way have describing partitions, filesystems, etc.
+
+static const char* MISC_PARTITION =
+    "/dev/block/platform/sdhci-tegra.3/by-name/misc";
+
+int get_bootloader_message(struct bootloader_message* out) {
+    FILE* f = fopen(MISC_PARTITION, "rb");
+    if (f == NULL) {
+        LOGE("Can't open %s\n(%s)\n", MISC_PARTITION, strerror(errno));
+        return -1;
+    }
+    struct bootloader_message temp;
+    int count = fread(&temp, sizeof(temp), 1, f);
+    if (count != 1) {
+        LOGE("Failed reading %s\n(%s)\n", MISC_PARTITION, strerror(errno));
+        return -1;
+    }
+    if (fclose(f) != 0) {
+        LOGE("Failed closing %s\n(%s)\n", MISC_PARTITION, strerror(errno));
+        return -1;
+    }
+    memcpy(out, &temp, sizeof(temp));
+    return 0;
+}
+
+int set_bootloader_message(const struct bootloader_message* in) {
+    FILE* f = fopen(MISC_PARTITION, "wb");
+    if (f == NULL) {
+        LOGE("Can't open %s\n(%s)\n", MISC_PARTITION, strerror(errno));
+        return -1;
+    }
+    int count = fwrite(in, sizeof(*in), 1, f);
+    if (count != 1) {
+        LOGE("Failed writing %s\n(%s)\n", MISC_PARTITION, strerror(errno));
+        return -1;
+    }
+    if (fclose(f) != 0) {
+        LOGE("Failed closing %s\n(%s)\n", MISC_PARTITION, strerror(errno));
+        return -1;
+    }
+    return 0;
+}
+
+#else  // MTD partitions
+
+static const int MISC_PAGES = 3;         // number of pages to save
+static const int MISC_COMMAND_PAGE = 1;  // bootloader command is this page
+
 int get_bootloader_message(struct bootloader_message *out) {
     size_t write_size;
     const MtdPartition *part = get_root_mtd_partition(MISC_NAME);
@@ -119,3 +168,5 @@
     LOGI("Set boot command \"%s\"\n", in->command[0] != 255 ? in->command : "");
     return 0;
 }
+
+#endif
diff --git a/common.h b/common.h
index a767b58..0c250f4 100644
--- a/common.h
+++ b/common.h
@@ -37,7 +37,7 @@
 // Display some header text followed by a menu of items, which appears
 // at the top of the screen (in place of any scrolling ui_print()
 // output, if necessary).
-void ui_start_menu(char** headers, char** items);
+void ui_start_menu(char** headers, char** items, int initial_selection);
 // Set the menu highlight to the given index, and return it (capped to
 // the range [0..numitems).
 int ui_menu_select(int sel);
@@ -73,12 +73,12 @@
 void ui_reset_progress();
 
 #define LOGE(...) ui_print("E:" __VA_ARGS__)
-#define LOGW(...) fprintf(stderr, "W:" __VA_ARGS__)
-#define LOGI(...) fprintf(stderr, "I:" __VA_ARGS__)
+#define LOGW(...) fprintf(stdout, "W:" __VA_ARGS__)
+#define LOGI(...) fprintf(stdout, "I:" __VA_ARGS__)
 
 #if 0
-#define LOGV(...) fprintf(stderr, "V:" __VA_ARGS__)
-#define LOGD(...) fprintf(stderr, "D:" __VA_ARGS__)
+#define LOGV(...) fprintf(stdout, "V:" __VA_ARGS__)
+#define LOGD(...) fprintf(stdout, "D:" __VA_ARGS__)
 #else
 #define LOGV(...) do {} while (0)
 #define LOGD(...) do {} while (0)
diff --git a/default_recovery_ui.c b/default_recovery_ui.c
index 409d679..bcba888 100644
--- a/default_recovery_ui.c
+++ b/default_recovery_ui.c
@@ -24,7 +24,7 @@
                          NULL };
 
 char* MENU_ITEMS[] = { "reboot system now",
-                       "apply sdcard:update.zip",
+                       "apply update from external storage",
                        "wipe data/factory reset",
                        "wipe cache partition",
                        NULL };
diff --git a/install.c b/install.c
index 40f182d..2619a0c 100644
--- a/install.c
+++ b/install.c
@@ -112,7 +112,7 @@
     if (pid == 0) {
         close(pipefd[0]);
         execv(binary, args);
-        fprintf(stderr, "E:Can't run %s (%s)\n", binary, strerror(errno));
+        fprintf(stdout, "E:Can't run %s (%s)\n", binary, strerror(errno));
         _exit(-1);
     }
     close(pipefd[1]);
diff --git a/minelf/Android.mk b/minelf/Android.mk
new file mode 100644
index 0000000..0f41ff5
--- /dev/null
+++ b/minelf/Android.mk
@@ -0,0 +1,27 @@
+# Copyright (C) 2009 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+include $(CLEAR_VARS)
+
+LOCAL_SRC_FILES := \
+	Retouch.c
+
+LOCAL_C_INCLUDES += bootable/recovery
+
+LOCAL_MODULE := libminelf
+
+LOCAL_CFLAGS += -Wall
+
+include $(BUILD_STATIC_LIBRARY)
diff --git a/minelf/Retouch.c b/minelf/Retouch.c
new file mode 100644
index 0000000..33809cd
--- /dev/null
+++ b/minelf/Retouch.c
@@ -0,0 +1,406 @@
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <errno.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <strings.h>
+#include "Retouch.h"
+#include "applypatch/applypatch.h"
+
+typedef struct {
+    int32_t mmap_addr;
+    char tag[4]; /* 'P', 'R', 'E', ' ' */
+} prelink_info_t __attribute__((packed));
+
+#define false 0
+#define true 1
+
+static int32_t offs_prev;
+static uint32_t cont_prev;
+
+static void init_compression_state(void) {
+    offs_prev = 0;
+    cont_prev = 0;
+}
+
+// For details on the encoding used for relocation lists, please
+// refer to build/tools/retouch/retouch-prepare.c. The intent is to
+// save space by removing most of the inherent redundancy.
+
+static void decode_bytes(uint8_t *encoded_bytes, int encoded_size,
+                         int32_t *dst_offset, uint32_t *dst_contents) {
+    if (encoded_size == 2) {
+        *dst_offset = offs_prev + (((encoded_bytes[0]&0x60)>>5)+1)*4;
+
+        // if the original was negative, we need to 1-pad before applying delta
+        int32_t tmp = (((encoded_bytes[0] & 0x0000001f) << 8) |
+                       encoded_bytes[1]);
+        if (tmp & 0x1000) tmp = 0xffffe000 | tmp;
+        *dst_contents = cont_prev + tmp;
+    } else if (encoded_size == 3) {
+        *dst_offset = offs_prev + (((encoded_bytes[0]&0x30)>>4)+1)*4;
+
+        // if the original was negative, we need to 1-pad before applying delta
+        int32_t tmp = (((encoded_bytes[0] & 0x0000000f) << 16) |
+                       (encoded_bytes[1] << 8) |
+                       encoded_bytes[2]);
+        if (tmp & 0x80000) tmp = 0xfff00000 | tmp;
+        *dst_contents = cont_prev + tmp;
+    } else {
+        *dst_offset =
+          (encoded_bytes[0]<<24) |
+          (encoded_bytes[1]<<16) |
+          (encoded_bytes[2]<<8) |
+          encoded_bytes[3];
+        if (*dst_offset == 0x3fffffff) *dst_offset = -1;
+        *dst_contents =
+          (encoded_bytes[4]<<24) |
+          (encoded_bytes[5]<<16) |
+          (encoded_bytes[6]<<8) |
+          encoded_bytes[7];
+    }
+}
+
+static uint8_t *decode_in_memory(uint8_t *encoded_bytes,
+                                 int32_t *offset, uint32_t *contents) {
+    int input_size, charIx;
+    uint8_t input[8];
+
+    input[0] = *(encoded_bytes++);
+    if (input[0] & 0x80)
+        input_size = 2;
+    else if (input[0] & 0x40)
+        input_size = 3;
+    else
+        input_size = 8;
+
+    // we already read one byte..
+    charIx = 1;
+    while (charIx < input_size) {
+        input[charIx++] = *(encoded_bytes++);
+    }
+
+    // depends on the decoder state!
+    decode_bytes(input, input_size, offset, contents);
+
+    offs_prev = *offset;
+    cont_prev = *contents;
+
+    return encoded_bytes;
+}
+
+int retouch_mask_data(uint8_t *binary_object,
+                      int32_t binary_size,
+                      int32_t *desired_offset,
+                      int32_t *retouch_offset) {
+    retouch_info_t *r_info;
+    prelink_info_t *p_info;
+
+    int32_t target_offset = 0;
+    if (desired_offset) target_offset = *desired_offset;
+
+    int32_t p_offs = binary_size-sizeof(prelink_info_t); // prelink_info_t
+    int32_t r_offs = p_offs-sizeof(retouch_info_t); // retouch_info_t
+    int32_t b_offs; // retouch data blob
+
+    // If not retouched, we say it was a match. This might get invoked on
+    // non-retouched binaries, so that's why we need to do this.
+    if (retouch_offset != NULL) *retouch_offset = target_offset;
+    if (r_offs < 0) return (desired_offset == NULL) ?
+                      RETOUCH_DATA_NOTAPPLICABLE : RETOUCH_DATA_MATCHED;
+    p_info = (prelink_info_t *)(binary_object+p_offs);
+    r_info = (retouch_info_t *)(binary_object+r_offs);
+    if (strncmp(p_info->tag, "PRE ", 4) ||
+        strncmp(r_info->tag, "RETOUCH ", 8))
+        return (desired_offset == NULL) ?
+          RETOUCH_DATA_NOTAPPLICABLE : RETOUCH_DATA_MATCHED;
+
+    b_offs = r_offs-r_info->blob_size;
+    if (b_offs < 0) {
+        printf("negative binary offset: %d = %d - %d\n",
+               b_offs, r_offs, r_info->blob_size);
+        return RETOUCH_DATA_ERROR;
+    }
+    uint8_t *b_ptr = binary_object+b_offs;
+
+    // Retouched: let's go through the work then.
+    int32_t offset_candidate = target_offset;
+    bool offset_set = false, offset_mismatch = false;
+    init_compression_state();
+    while (b_ptr < (uint8_t *)r_info) {
+        int32_t retouch_entry_offset;
+        uint32_t *retouch_entry;
+        uint32_t retouch_original_value;
+
+        b_ptr = decode_in_memory(b_ptr,
+                                 &retouch_entry_offset,
+                                 &retouch_original_value);
+        if (retouch_entry_offset < (-1) ||
+            retouch_entry_offset >= b_offs) {
+            printf("bad retouch_entry_offset: %d", retouch_entry_offset);
+            return RETOUCH_DATA_ERROR;
+        }
+
+        // "-1" means this is the value in prelink_info_t, which also gets
+        // randomized.
+        if (retouch_entry_offset == -1)
+            retouch_entry = (uint32_t *)&(p_info->mmap_addr);
+        else
+            retouch_entry = (uint32_t *)(binary_object+retouch_entry_offset);
+
+        if (desired_offset)
+            *retouch_entry = retouch_original_value + target_offset;
+
+        // Infer the randomization shift, compare to previously inferred.
+        int32_t offset_of_this_entry = (int32_t)(*retouch_entry-
+                                                 retouch_original_value);
+        if (!offset_set) {
+            offset_candidate = offset_of_this_entry;
+            offset_set = true;
+        } else {
+            if (offset_candidate != offset_of_this_entry) {
+                offset_mismatch = true;
+                printf("offset is mismatched: %d, this entry is %d,"
+                       " original 0x%x @ 0x%x",
+                       offset_candidate, offset_of_this_entry,
+                       retouch_original_value, retouch_entry_offset);
+            }
+        }
+    }
+    if (b_ptr > (uint8_t *)r_info) {
+        printf("b_ptr went too far: %p, while r_info is %p",
+               b_ptr, r_info);
+        return RETOUCH_DATA_ERROR;
+    }
+
+    if (offset_mismatch) return RETOUCH_DATA_MISMATCHED;
+    if (retouch_offset != NULL) *retouch_offset = offset_candidate;
+    return RETOUCH_DATA_MATCHED;
+}
+
+// On success, _override is set to the offset that was actually applied.
+// This implies that once we randomize to an offset we stick with it.
+// This in turn is necessary in order to guarantee recovery after crash.
+bool retouch_one_library(const char *binary_name,
+                         const char *binary_sha1,
+                         int32_t retouch_offset,
+                         int32_t *retouch_offset_override) {
+    bool success = true;
+    int result;
+
+    FileContents file;
+    file.data = NULL;
+
+    char binary_name_atomic[strlen(binary_name)+10];
+    strcpy(binary_name_atomic, binary_name);
+    strcat(binary_name_atomic, ".atomic");
+
+    // We need a path that exists for calling statfs() later.
+    //
+    // Assume that binary_name (eg "/system/app/Foo.apk") is located
+    // on the same filesystem as its top-level directory ("/system").
+    char target_fs[strlen(binary_name)+1];
+    char* slash = strchr(binary_name+1, '/');
+    if (slash != NULL) {
+        int count = slash - binary_name;
+        strncpy(target_fs, binary_name, count);
+        target_fs[count] = '\0';
+    } else {
+        strcpy(target_fs, binary_name);
+    }
+
+    result = LoadFileContents(binary_name, &file, RETOUCH_DONT_MASK);
+
+    if (result == 0) {
+        // Figure out the *apparent* offset to which this file has been
+        // retouched. If it looks good, we will skip processing (we might
+        // have crashed and during this recovery pass we don't want to
+        // overwrite a valuable saved file in /cache---which would happen
+        // if we blindly retouch everything again). NOTE: This implies
+        // that we might have to override the supplied retouch offset. We
+        // can do the override only once though: everything should match
+        // afterward.
+
+        int32_t inferred_offset;
+        int retouch_probe_result = retouch_mask_data(file.data,
+                                                     file.size,
+                                                     NULL,
+                                                     &inferred_offset);
+
+        if (retouch_probe_result == RETOUCH_DATA_MATCHED) {
+            if ((retouch_offset == inferred_offset) ||
+                ((retouch_offset != 0 && inferred_offset != 0) &&
+                 (retouch_offset_override != NULL))) {
+                // This file is OK already and we are allowed to override.
+                // Let's just return the offset override value. It is critical
+                // to skip regardless of override: a broken file might need
+                // recovery down the list and we should not mess up the saved
+                // copy by doing unnecessary retouching.
+                //
+                // NOTE: If retouching was already started with a different
+                // value, we will not be allowed to override. This happens
+                // if on the retouch list there is a patched binary (which is
+                // masked in apply_patch()) before there is a non-patched
+                // binary.
+                if (retouch_offset_override != NULL)
+                    *retouch_offset_override = inferred_offset;
+                success = true;
+                goto out;
+            } else {
+                // Retouch to zero (mask the retouching), to make sure that
+                // the SHA-1 check will pass below.
+                int32_t zero = 0;
+                retouch_mask_data(file.data, file.size, &zero, NULL);
+                SHA(file.data, file.size, file.sha1);
+            }
+        }
+
+        if (retouch_probe_result == RETOUCH_DATA_NOTAPPLICABLE) {
+            // In the case of not retouchable, fake it. We do not want
+            // to do the normal processing and overwrite the backup file:
+            // we might be recovering!
+            //
+            // We return a zero override, which tells the caller that we
+            // simply skipped the file.
+            if (retouch_offset_override != NULL)
+                *retouch_offset_override = 0;
+            success = true;
+            goto out;
+        }
+
+        // If we get here, either there was a mismatch in the offset, or
+        // the file has not been processed yet. Continue with normal
+        // processing.
+    }
+
+    if (result != 0 || FindMatchingPatch(file.sha1, &binary_sha1, 1) < 0) {
+        free(file.data);
+        printf("Attempting to recover source from '%s' ...\n",
+               CACHE_TEMP_SOURCE);
+        result = LoadFileContents(CACHE_TEMP_SOURCE, &file, RETOUCH_DO_MASK);
+        if (result != 0 || FindMatchingPatch(file.sha1, &binary_sha1, 1) < 0) {
+            printf(" failed.\n");
+            success = false;
+            goto out;
+        }
+        printf(" succeeded.\n");
+    }
+
+    // Retouch in-memory before worrying about backing up the original.
+    //
+    // Recovery steps will be oblivious to the actual retouch offset used,
+    // so might as well write out the already-retouched copy. Then, in the
+    // usual case, we will just swap the file locally, with no more writes
+    // needed. In the no-free-space case, we will then write the same to the
+    // original location.
+
+    result = retouch_mask_data(file.data, file.size, &retouch_offset, NULL);
+    if (result != RETOUCH_DATA_MATCHED) {
+        success = false;
+        goto out;
+    }
+    if (retouch_offset_override != NULL)
+        *retouch_offset_override = retouch_offset;
+
+    // How much free space do we need?
+    bool enough_space = false;
+    size_t free_space = FreeSpaceForFile(target_fs);
+    // 50% margin when estimating the space needed.
+    enough_space = (free_space > (file.size * 3 / 2));
+
+    // The experts say we have to allow for a retry of the
+    // whole process to avoid filesystem weirdness.
+    int retry = 1;
+    bool made_copy = false;
+    do {
+        // First figure out where to store a copy of the original.
+        // Ideally leave the original itself intact until the
+        // atomic swap. If no room on the same partition, fall back
+        // to the cache partition and remove the original.
+
+        if (!enough_space) {
+            printf("Target is %ldB; free space is %ldB: not enough.\n",
+                   (long)file.size, (long)free_space);
+
+            retry = 0;
+            if (MakeFreeSpaceOnCache(file.size) < 0) {
+                printf("Not enough free space on '/cache'.\n");
+                success = false;
+                goto out;
+            }
+            if (SaveFileContents(CACHE_TEMP_SOURCE, file) < 0) {
+                printf("Failed to back up source file.\n");
+                success = false;
+                goto out;
+            }
+            made_copy = true;
+            unlink(binary_name);
+
+            size_t free_space = FreeSpaceForFile(target_fs);
+            printf("(now %ld bytes free for target)\n", (long)free_space);
+        }
+
+        result = SaveFileContents(binary_name_atomic, file);
+        if (result != 0) {
+            // Maybe the filesystem was optimistic: retry.
+            enough_space = false;
+            unlink(binary_name_atomic);
+            printf("Saving the retouched contents failed; retrying.\n");
+            continue;
+        }
+
+        // Succeeded; no need to retry.
+        break;
+    } while (retry-- > 0);
+
+    // Give the .atomic file the same owner, group, and mode of the
+    // original source file.
+    if (chmod(binary_name_atomic, file.st.st_mode) != 0) {
+        printf("chmod of \"%s\" failed: %s\n",
+               binary_name_atomic, strerror(errno));
+        success = false;
+        goto out;
+    }
+    if (chown(binary_name_atomic, file.st.st_uid, file.st.st_gid) != 0) {
+        printf("chown of \"%s\" failed: %s\n",
+               binary_name_atomic,
+               strerror(errno));
+        success = false;
+        goto out;
+    }
+
+    // Finally, rename the .atomic file to replace the target file.
+    if (rename(binary_name_atomic, binary_name) != 0) {
+        printf("rename of .atomic to \"%s\" failed: %s\n",
+               binary_name, strerror(errno));
+        success = false;
+        goto out;
+    }
+
+    // If this run created a copy, and we're here, we can delete it.
+    if (made_copy) unlink(CACHE_TEMP_SOURCE);
+
+  out:
+    // clean up
+    free(file.data);
+    unlink(binary_name_atomic);
+
+    return success;
+}
diff --git a/minelf/Retouch.h b/minelf/Retouch.h
new file mode 100644
index 0000000..048d78e
--- /dev/null
+++ b/minelf/Retouch.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _MINELF_RETOUCH
+#define _MINELF_RETOUCH
+
+#include <stdbool.h>
+#include <sys/types.h>
+
+typedef struct {
+  char tag[8];        /* "RETOUCH ", not zero-terminated */
+  uint32_t blob_size; /* in bytes, located right before this struct */
+} retouch_info_t __attribute__((packed));
+
+// Retouch a file. Use CACHED_SOURCE_TEMP to store a copy.
+bool retouch_one_library(const char *binary_name,
+                         const char *binary_sha1,
+                         int32_t retouch_offset,
+                         int32_t *retouch_offset_override);
+
+#define RETOUCH_DONT_MASK           0
+#define RETOUCH_DO_MASK             1
+
+#define RETOUCH_DATA_ERROR          0 // This is bad. Should not happen.
+#define RETOUCH_DATA_MATCHED        1 // Up to an uniform random offset.
+#define RETOUCH_DATA_MISMATCHED     2 // Partially randomized, or total mess.
+#define RETOUCH_DATA_NOTAPPLICABLE  3 // Not retouched. Only when inferring.
+
+// Mask retouching in-memory. Used before apply_patch[_check].
+// Also used to determine status of retouching after a crash.
+//
+// If desired_offset is not NULL, then apply retouching instead,
+// and return that in retouch_offset.
+int retouch_mask_data(uint8_t *binary_object,
+                      int32_t binary_size,
+                      int32_t *desired_offset,
+                      int32_t *retouch_offset);
+#endif
diff --git a/recovery.c b/recovery.c
index f8208ce..779e77d 100644
--- a/recovery.c
+++ b/recovery.c
@@ -28,6 +28,7 @@
 #include <sys/types.h>
 #include <time.h>
 #include <unistd.h>
+#include <dirent.h>
 
 #include "bootloader.h"
 #include "common.h"
@@ -52,7 +53,7 @@
 static const char *COMMAND_FILE = "CACHE:recovery/command";
 static const char *INTENT_FILE = "CACHE:recovery/intent";
 static const char *LOG_FILE = "CACHE:recovery/log";
-static const char *SDCARD_PACKAGE_FILE = "SDCARD:update.zip";
+static const char *EXT_ROOT = "EXT:";
 static const char *TEMPORARY_LOG_FILE = "/tmp/recovery.log";
 static const char *SIDELOAD_TEMP_DIR = "TMP:sideload";
 
@@ -406,7 +407,7 @@
 }
 
 static char**
-prepend_title(char** headers) {
+prepend_title(const char** headers) {
     char* title[] = { "Android system recovery <"
                           EXPAND(RECOVERY_API_VERSION) "e>",
                       "",
@@ -429,13 +430,14 @@
 }
 
 static int
-get_menu_selection(char** headers, char** items, int menu_only) {
+get_menu_selection(char** headers, char** items, int menu_only,
+                   int initial_selection) {
     // throw away keys pressed previously, so user doesn't
     // accidentally trigger menu items.
     ui_clear_key_queue();
 
-    ui_start_menu(headers, items);
-    int selected = 0;
+    ui_start_menu(headers, items, initial_selection);
+    int selected = initial_selection;
     int chosen_item = -1;
 
     while (chosen_item < 0) {
@@ -469,6 +471,132 @@
     return chosen_item;
 }
 
+static int compare_string(const void* a, const void* b) {
+    return strcmp(*(const char**)a, *(const char**)b);
+}
+
+static int
+sdcard_directory(const char* root_path) {
+    // Mount the sdcard when the package selection menu is enabled so
+    // you can "adb push" packages to the sdcard and immediately
+    // install them.
+    if (ensure_root_path_mounted(EXT_ROOT) < 0) {
+        ui_print("Failed to mount external storage.\n");
+        return INSTALL_ERROR;
+    }
+
+    const char* MENU_HEADERS[] = { "Choose a package to install:",
+                                   root_path,
+                                   "",
+                                   NULL };
+    DIR* d;
+    struct dirent* de;
+    char path[PATH_MAX];
+    d = opendir(translate_root_path(root_path, path, sizeof(path)));
+    if (d == NULL) {
+        LOGE("error opening %s: %s\n", path, strerror(errno));
+        ensure_root_path_unmounted(EXT_ROOT);
+        return 0;
+    }
+
+    char** headers = prepend_title(MENU_HEADERS);
+
+    int d_size = 0;
+    int d_alloc = 10;
+    char** dirs = malloc(d_alloc * sizeof(char*));
+    int z_size = 1;
+    int z_alloc = 10;
+    char** zips = malloc(z_alloc * sizeof(char*));
+    zips[0] = strdup("../");
+
+    while ((de = readdir(d)) != NULL) {
+        int name_len = strlen(de->d_name);
+
+        if (de->d_type == DT_DIR) {
+            // skip "." and ".." entries
+            if (name_len == 1 && de->d_name[0] == '.') continue;
+            if (name_len == 2 && de->d_name[0] == '.' &&
+                de->d_name[1] == '.') continue;
+
+            if (d_size >= d_alloc) {
+                d_alloc *= 2;
+                dirs = realloc(dirs, d_alloc * sizeof(char*));
+            }
+            dirs[d_size] = malloc(name_len + 2);
+            strcpy(dirs[d_size], de->d_name);
+            dirs[d_size][name_len] = '/';
+            dirs[d_size][name_len+1] = '\0';
+            ++d_size;
+        } else if (de->d_type == DT_REG &&
+                   name_len >= 4 &&
+                   strncasecmp(de->d_name + (name_len-4), ".zip", 4) == 0) {
+            if (z_size >= z_alloc) {
+                z_alloc *= 2;
+                zips = realloc(zips, z_alloc * sizeof(char*));
+            }
+            zips[z_size++] = strdup(de->d_name);
+        }
+    }
+    closedir(d);
+
+    qsort(dirs, d_size, sizeof(char*), compare_string);
+    qsort(zips, z_size, sizeof(char*), compare_string);
+
+    // append dirs to the zips list
+    if (d_size + z_size + 1 > z_alloc) {
+        z_alloc = d_size + z_size + 1;
+        zips = realloc(zips, z_alloc * sizeof(char*));
+    }
+    memcpy(zips + z_size, dirs, d_size * sizeof(char*));
+    free(dirs);
+    z_size += d_size;
+    zips[z_size] = NULL;
+
+    int result = INSTALL_CORRUPT;
+    int chosen_item = 0;
+    do {
+        chosen_item = get_menu_selection(headers, zips, 1, chosen_item);
+
+        char* item = zips[chosen_item];
+        int item_len = strlen(item);
+        if (chosen_item == 0) {          // item 0 is always "../"
+            // go up but continue browsing (if the caller is sdcard_directory)
+            result = -1;
+            break;
+        } else if (item[item_len-1] == '/') {
+            // recurse down into a subdirectory
+            char new_path[PATH_MAX];
+            strlcpy(new_path, root_path, PATH_MAX);
+            strlcat(new_path, item, PATH_MAX);
+            result = sdcard_directory(new_path);
+            if (result >= 0) break;
+        } else {
+            // selected a zip file:  attempt to install it, and return
+            // the status to the caller.
+            char new_path[PATH_MAX];
+            strlcpy(new_path, root_path, PATH_MAX);
+            strlcat(new_path, item, PATH_MAX);
+
+            ui_print("\n-- Install %s ...\n", new_path);
+            char* copy = copy_sideloaded_package(new_path);
+            if (copy != NULL) {
+                set_sdcard_update_bootloader_message();
+                result = install_package(copy);
+                free(copy);
+            }
+            break;
+        }
+    } while (true);
+
+    int i;
+    for (i = 0; i < z_size; ++i) free(zips[i]);
+    free(zips);
+    free(headers);
+
+    ensure_root_path_unmounted(EXT_ROOT);
+    return result;
+}
+
 static void
 wipe_data(int confirm) {
     if (confirm) {
@@ -479,7 +607,7 @@
                                 "  THIS CAN NOT BE UNDONE.",
                                 "",
                                 NULL };
-            title_headers = prepend_title(headers);
+            title_headers = prepend_title((const char**)headers);
         }
 
         char* items[] = { " No",
@@ -495,7 +623,7 @@
                           " No",
                           NULL };
 
-        int chosen_item = get_menu_selection(title_headers, items, 1);
+        int chosen_item = get_menu_selection(title_headers, items, 1, 0);
         if (chosen_item != 7) {
             return;
         }
@@ -510,13 +638,13 @@
 
 static void
 prompt_and_wait() {
-    char** headers = prepend_title(MENU_HEADERS);
+    char** headers = prepend_title((const char**)MENU_HEADERS);
 
     for (;;) {
         finish_recovery(NULL);
         ui_reset_progress();
 
-        int chosen_item = get_menu_selection(headers, MENU_ITEMS, 0);
+        int chosen_item = get_menu_selection(headers, MENU_ITEMS, 0, 0);
 
         // device-specific code may take some action here.  It may
         // return one of the core actions handled in the switch
@@ -539,22 +667,18 @@
                 if (!ui_text_visible()) return;
                 break;
 
-            case ITEM_APPLY_SDCARD:
-                ui_print("\n-- Install from sdcard...\n");
-                int status = INSTALL_CORRUPT;
-                char* copy = copy_sideloaded_package(SDCARD_PACKAGE_FILE);
-                if (copy != NULL) {
-                  set_sdcard_update_bootloader_message();
-                  status = install_package(copy);
-                  free(copy);
-                }
-                if (status != INSTALL_SUCCESS) {
-                    ui_set_background(BACKGROUND_ICON_ERROR);
-                    ui_print("Installation aborted.\n");
-                } else if (!ui_text_visible()) {
-                    return;  // reboot if logs aren't visible
-                } else {
-                    ui_print("\nInstall from sdcard complete.\n");
+            case ITEM_APPLY_EXT:
+                ;
+                int status = sdcard_directory(EXT_ROOT);
+                if (status >= 0) {
+                    if (status != INSTALL_SUCCESS) {
+                        ui_set_background(BACKGROUND_ICON_ERROR);
+                        ui_print("Installation aborted.\n");
+                    } else if (!ui_text_visible()) {
+                        return;  // reboot if logs aren't visible
+                    } else {
+                        ui_print("\nInstall from sdcard complete.\n");
+                    }
                 }
                 break;
         }
@@ -563,7 +687,7 @@
 
 static void
 print_property(const char *key, const char *name, void *cookie) {
-    fprintf(stderr, "%s=%s\n", key, name);
+    printf("%s=%s\n", key, name);
 }
 
 int
@@ -573,7 +697,7 @@
     // If these fail, there's not really anywhere to complain...
     freopen(TEMPORARY_LOG_FILE, "a", stdout); setbuf(stdout, NULL);
     freopen(TEMPORARY_LOG_FILE, "a", stderr); setbuf(stderr, NULL);
-    fprintf(stderr, "Starting recovery on %s", ctime(&start));
+    printf("Starting recovery on %s", ctime(&start));
 
     ui_init();
     get_args(&argc, &argv);
@@ -604,14 +728,14 @@
 
     device_recovery_start();
 
-    fprintf(stderr, "Command:");
+    printf("Command:");
     for (arg = 0; arg < argc; arg++) {
-        fprintf(stderr, " \"%s\"", argv[arg]);
+        printf(" \"%s\"", argv[arg]);
     }
-    fprintf(stderr, "\n\n");
+    printf("\n\n");
 
     property_list(print_property, NULL);
-    fprintf(stderr, "\n");
+    printf("\n");
 
     int status = INSTALL_SUCCESS;
 
@@ -667,7 +791,9 @@
     }
 
     if (status != INSTALL_SUCCESS) ui_set_background(BACKGROUND_ICON_ERROR);
-    if (status != INSTALL_SUCCESS || ui_text_visible()) prompt_and_wait();
+    if (status != INSTALL_SUCCESS || ui_text_visible()) {
+        prompt_and_wait();
+    }
 
     // Otherwise, get ready to boot the main system...
     finish_recovery(send_intent);
diff --git a/recovery_ui.h b/recovery_ui.h
index e451bdf..77ce7f9 100644
--- a/recovery_ui.h
+++ b/recovery_ui.h
@@ -66,7 +66,8 @@
 #define SELECT_ITEM         -4
 
 #define ITEM_REBOOT          0
-#define ITEM_APPLY_SDCARD    1
+#define ITEM_APPLY_EXT       1
+#define ITEM_APPLY_SDCARD    1  // historical synonym for ITEM_APPLY_EXT
 #define ITEM_WIPE_DATA       2
 #define ITEM_WIPE_CACHE      3
 
diff --git a/roots.c b/roots.c
index d5754db..5369d2f 100644
--- a/roots.c
+++ b/roots.c
@@ -23,6 +23,11 @@
 
 #include "mtdutils/mtdutils.h"
 #include "mtdutils/mounts.h"
+
+#ifdef USE_EXT4
+#include "make_ext4fs.h"
+#endif
+
 #include "minzip/Zip.h"
 #include "roots.h"
 #include "common.h"
@@ -46,20 +51,28 @@
 
 static RootInfo g_roots[] = {
     { "BOOT:", g_mtd_device, NULL, "boot", NULL, g_raw },
-    { "CACHE:", g_mtd_device, NULL, "cache", "/cache", "yaffs2" },
-    { "DATA:", g_mtd_device, NULL, "userdata", "/data", "yaffs2" },
-    { "MISC:", g_mtd_device, NULL, "misc", NULL, g_raw },
     { "PACKAGE:", NULL, NULL, NULL, NULL, g_package_file },
     { "RECOVERY:", g_mtd_device, NULL, "recovery", "/", g_raw },
-    { "SDCARD:", "/dev/block/mmcblk0p1", "/dev/block/mmcblk0", NULL, "/sdcard", "vfat" },
     { "SYSTEM:", g_mtd_device, NULL, "system", "/system", "yaffs2" },
     { "MBM:", g_mtd_device, NULL, "mbm", NULL, g_raw },
     { "TMP:", NULL, NULL, NULL, "/tmp", g_ramdisk },
+
+#ifdef USE_EXT4
+    { "CACHE:", "/dev/block/platform/sdhci-tegra.3/by-name/cache", NULL, NULL,
+      "/cache", "ext4" },
+    { "DATA:", "/dev/block/platform/sdhci-tegra.3/by-name/userdata", NULL, NULL,
+      "/data", "ext4" },
+    { "EXT:", "/dev/block/sda1", NULL, NULL, "/sdcard", "vfat" },
+#else
+    { "CACHE:", g_mtd_device, NULL, "cache", "/cache", "yaffs2" },
+    { "DATA:", g_mtd_device, NULL, "userdata", "/data", "yaffs2" },
+    { "EXT:", "/dev/block/mmcblk0p1", "/dev/block/mmcblk0", NULL, "/sdcard", "vfat" },
+    { "MISC:", g_mtd_device, NULL, "misc", NULL, g_raw },
+#endif
+
 };
 #define NUM_ROOTS (sizeof(g_roots) / sizeof(g_roots[0]))
 
-// TODO: for SDCARD:, try /dev/block/mmcblk0 if mmcblk0p1 fails
-
 static const RootInfo *
 get_root_info_for_path(const char *root_path)
 {
@@ -252,7 +265,7 @@
 
     mkdir(info->mount_point, 0755);  // in case it doesn't already exist
     if (mount(info->device, info->mount_point, info->filesystem,
-            MS_NOATIME | MS_NODEV | MS_NODIRATIME, "")) {
+              MS_NOATIME | MS_NODEV | MS_NODIRATIME, "")) {
         if (info->device2 == NULL) {
             LOGE("Can't mount %s\n(%s)\n", info->device, strerror(errno));
             return -1;
@@ -368,7 +381,23 @@
             }
         }
     }
+
+#ifdef USE_EXT4
+    if (strcmp(info->filesystem, "ext4") == 0) {
+        LOGW("starting to reformat ext4\n");
+        reset_ext4fs_info();
+        int result = make_ext4fs(info->device, NULL, NULL, 0, 0, 0);
+        LOGW("finished reformat ext4: result = %d\n", result);
+        if (result != 0) {
+            LOGW("make_ext4fs failed: %d\n", result);
+            return -1;
+        }
+        return 0;
+    }
+#endif
+
 //TODO: handle other device types (sdcard, etc.)
-    LOGW("format_root_device: can't handle non-mtd device \"%s\"\n", root);
+
+    LOGW("format_root_device: unknown device \"%s\"\n", root);
     return -1;
 }
diff --git a/ui.c b/ui.c
index e2b2a44..84a9b85 100644
--- a/ui.c
+++ b/ui.c
@@ -29,7 +29,7 @@
 #include "minui/minui.h"
 #include "recovery_ui.h"
 
-#define MAX_COLS 64
+#define MAX_COLS 96
 #define MAX_ROWS 32
 
 #define CHAR_WIDTH 10
@@ -404,7 +404,7 @@
     vsnprintf(buf, 256, fmt, ap);
     va_end(ap);
 
-    fputs(buf, stderr);
+    fputs(buf, stdout);
 
     // This can get called before ui_init(), so be careful.
     pthread_mutex_lock(&gUpdateMutex);
@@ -425,7 +425,7 @@
     pthread_mutex_unlock(&gUpdateMutex);
 }
 
-void ui_start_menu(char** headers, char** items) {
+void ui_start_menu(char** headers, char** items, int initial_selection) {
     int i;
     pthread_mutex_lock(&gUpdateMutex);
     if (text_rows > 0 && text_cols > 0) {
@@ -442,7 +442,7 @@
         }
         menu_items = i - menu_top;
         show_menu = 1;
-        menu_sel = 0;
+        menu_sel = initial_selection;
         update_screen_locked();
     }
     pthread_mutex_unlock(&gUpdateMutex);
diff --git a/updater/Android.mk b/updater/Android.mk
index d4a4e33..e3d62bc 100644
--- a/updater/Android.mk
+++ b/updater/Android.mk
@@ -18,9 +18,16 @@
 
 LOCAL_SRC_FILES := $(updater_src_files)
 
-LOCAL_STATIC_LIBRARIES := $(TARGET_RECOVERY_UPDATER_LIBS) $(TARGET_RECOVERY_UPDATER_EXTRA_LIBS)
+ifeq ($(TARGET_USERIMAGES_USE_EXT4), true)
+LOCAL_CFLAGS += -DUSE_EXT4
+LOCAL_C_INCLUDES += system/extras/ext4_utils
+LOCAL_STATIC_LIBRARIES += libext4_utils libz
+endif
+
+LOCAL_STATIC_LIBRARIES += $(TARGET_RECOVERY_UPDATER_LIBS) $(TARGET_RECOVERY_UPDATER_EXTRA_LIBS)
 LOCAL_STATIC_LIBRARIES += libapplypatch libedify libmtdutils libminzip libz
 LOCAL_STATIC_LIBRARIES += libmincrypt libbz
+LOCAL_STATIC_LIBRARIES += libminelf
 LOCAL_STATIC_LIBRARIES += libcutils libstdc++ libc
 LOCAL_C_INCLUDES += $(LOCAL_PATH)/..
 
@@ -45,7 +52,7 @@
 
 junk := $(shell mkdir -p $(dir $(inc));\
 	        echo $(TARGET_RECOVERY_UPDATER_LIBS) > $(inc).temp;\
-	        diff -q $(inc).temp $(inc).list || cp -f $(inc).temp $(inc).list)
+	        diff -q $(inc).temp $(inc).list 2>/dev/null || cp -f $(inc).temp $(inc).list)
 
 $(inc) : libs := $(TARGET_RECOVERY_UPDATER_LIBS)
 $(inc) : $(inc).list
diff --git a/updater/install.c b/updater/install.c
index e869134..685b979 100644
--- a/updater/install.c
+++ b/updater/install.c
@@ -25,35 +25,49 @@
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <unistd.h>
+#include <fcntl.h>
+#include <time.h>
 
 #include "cutils/misc.h"
 #include "cutils/properties.h"
 #include "edify/expr.h"
 #include "mincrypt/sha.h"
 #include "minzip/DirUtil.h"
+#include "minelf/Retouch.h"
 #include "mtdutils/mounts.h"
 #include "mtdutils/mtdutils.h"
 #include "updater.h"
 #include "applypatch/applypatch.h"
 
-// mount(type, location, mount_point)
+#ifdef USE_EXT4
+#include "make_ext4fs.h"
+#endif
+
+// mount(fs_type, partition_type, location, mount_point)
 //
-//   what:  type="MTD"   location="<partition>"            to mount a yaffs2 filesystem
-//          type="vfat"  location="/dev/block/<whatever>"  to mount a device
+//    fs_type="yaffs2" partition_type="MTD"     location=partition
+//    fs_type="ext4"   partition_type="EMMC"    location=device
 Value* MountFn(const char* name, State* state, int argc, Expr* argv[]) {
     char* result = NULL;
-    if (argc != 3) {
-        return ErrorAbort(state, "%s() expects 3 args, got %d", name, argc);
+    if (argc != 4) {
+        return ErrorAbort(state, "%s() expects 4 args, got %d", name, argc);
     }
-    char* type;
+    char* fs_type;
+    char* partition_type;
     char* location;
     char* mount_point;
-    if (ReadArgs(state, argv, 3, &type, &location, &mount_point) < 0) {
+    if (ReadArgs(state, argv, 4, &fs_type, &partition_type,
+                 &location, &mount_point) < 0) {
         return NULL;
     }
 
-    if (strlen(type) == 0) {
-        ErrorAbort(state, "type argument to %s() can't be empty", name);
+    if (strlen(fs_type) == 0) {
+        ErrorAbort(state, "fs_type argument to %s() can't be empty", name);
+        goto done;
+    }
+    if (strlen(partition_type) == 0) {
+        ErrorAbort(state, "partition_type argument to %s() can't be empty",
+                   name);
         goto done;
     }
     if (strlen(location) == 0) {
@@ -67,7 +81,7 @@
 
     mkdir(mount_point, 0755);
 
-    if (strcmp(type, "MTD") == 0) {
+    if (strcmp(partition_type, "MTD") == 0) {
         mtd_scan_partitions();
         const MtdPartition* mtd;
         mtd = mtd_find_partition_by_name(location);
@@ -77,7 +91,7 @@
             result = strdup("");
             goto done;
         }
-        if (mtd_mount_partition(mtd, mount_point, "yaffs2", 0 /* rw */) != 0) {
+        if (mtd_mount_partition(mtd, mount_point, fs_type, 0 /* rw */) != 0) {
             fprintf(stderr, "mtd mount of %s failed: %s\n",
                     location, strerror(errno));
             result = strdup("");
@@ -85,7 +99,7 @@
         }
         result = mount_point;
     } else {
-        if (mount(location, mount_point, type,
+        if (mount(location, mount_point, fs_type,
                   MS_NOATIME | MS_NODEV | MS_NODIRATIME, "") < 0) {
             fprintf(stderr, "%s: failed to mount %s at %s: %s\n",
                     name, location, mount_point, strerror(errno));
@@ -96,7 +110,8 @@
     }
 
 done:
-    free(type);
+    free(fs_type);
+    free(partition_type);
     free(location);
     if (result != mount_point) free(mount_point);
     return StringValue(result);
@@ -162,22 +177,29 @@
 }
 
 
-// format(type, location)
+// format(fs_type, partition_type, location)
 //
-//    type="MTD"  location=partition
+//    fs_type="yaffs2" partition_type="MTD"     location=partition
+//    fs_type="ext4"   partition_type="EMMC"    location=device
 Value* FormatFn(const char* name, State* state, int argc, Expr* argv[]) {
     char* result = NULL;
-    if (argc != 2) {
-        return ErrorAbort(state, "%s() expects 2 args, got %d", name, argc);
+    if (argc != 3) {
+        return ErrorAbort(state, "%s() expects 3 args, got %d", name, argc);
     }
-    char* type;
+    char* fs_type;
+    char* partition_type;
     char* location;
-    if (ReadArgs(state, argv, 2, &type, &location) < 0) {
+    if (ReadArgs(state, argv, 3, &fs_type, &partition_type, &location) < 0) {
         return NULL;
     }
 
-    if (strlen(type) == 0) {
-        ErrorAbort(state, "type argument to %s() can't be empty", name);
+    if (strlen(fs_type) == 0) {
+        ErrorAbort(state, "fs_type argument to %s() can't be empty", name);
+        goto done;
+    }
+    if (strlen(partition_type) == 0) {
+        ErrorAbort(state, "partition_type argument to %s() can't be empty",
+                   name);
         goto done;
     }
     if (strlen(location) == 0) {
@@ -185,7 +207,7 @@
         goto done;
     }
 
-    if (strcmp(type, "MTD") == 0) {
+    if (strcmp(partition_type, "MTD") == 0) {
         mtd_scan_partitions();
         const MtdPartition* mtd = mtd_find_partition_by_name(location);
         if (mtd == NULL) {
@@ -212,12 +234,26 @@
             goto done;
         }
         result = location;
+#ifdef USE_EXT4
+    } else if (strcmp(fs_type, "ext4") == 0) {
+        reset_ext4fs_info();
+        int status = make_ext4fs(location, NULL, NULL, 0, 0, 0);
+        if (status != 0) {
+            fprintf(stderr, "%s: make_ext4fs failed (%d) on %s",
+                    name, status, location);
+            result = strdup("");
+            goto done;
+        }
+        result = location;
+#endif
     } else {
-        fprintf(stderr, "%s: unsupported type \"%s\"", name, type);
+        fprintf(stderr, "%s: unsupported fs_type \"%s\" partition_type \"%s\"",
+                name, fs_type, partition_type);
     }
 
 done:
-    free(type);
+    free(fs_type);
+    free(partition_type);
     if (result != location) free(location);
     return StringValue(result);
 }
@@ -396,6 +432,121 @@
 }
 
 
+// retouch_binaries(lib1, lib2, ...)
+Value* RetouchBinariesFn(const char* name, State* state,
+                         int argc, Expr* argv[]) {
+    UpdaterInfo* ui = (UpdaterInfo*)(state->cookie);
+
+    char **retouch_entries  = ReadVarArgs(state, argc, argv);
+    if (retouch_entries == NULL) {
+        return StringValue(strdup("t"));
+    }
+
+    // some randomness from the clock
+    int32_t override_base;
+    bool override_set = false;
+    int32_t random_base = time(NULL) % 1024;
+    // some more randomness from /dev/random
+    FILE *f_random = fopen("/dev/random", "rb");
+    uint16_t random_bits = 0;
+    if (f_random != NULL) {
+        fread(&random_bits, 2, 1, f_random);
+        random_bits = random_bits % 1024;
+        fclose(f_random);
+    }
+    random_base = (random_base + random_bits) % 1024;
+    fprintf(ui->cmd_pipe, "ui_print Random offset: 0x%x\n", random_base);
+    fprintf(ui->cmd_pipe, "ui_print\n");
+
+    // make sure we never randomize to zero; this let's us look at a file
+    // and know for sure whether it has been processed; important in the
+    // crash recovery process
+    if (random_base == 0) random_base = 1;
+    // make sure our randomization is page-aligned
+    random_base *= -0x1000;
+    override_base = random_base;
+
+    int i = 0;
+    bool success = true;
+    while (i < (argc - 1)) {
+        success = success && retouch_one_library(retouch_entries[i],
+                                                 retouch_entries[i+1],
+                                                 random_base,
+                                                 override_set ?
+                                                   NULL :
+                                                   &override_base);
+        if (!success)
+            ErrorAbort(state, "Failed to retouch '%s'.", retouch_entries[i]);
+
+        free(retouch_entries[i]);
+        free(retouch_entries[i+1]);
+        i += 2;
+
+        if (success && override_base != 0) {
+            random_base = override_base;
+            override_set = true;
+        }
+    }
+    if (i < argc) {
+        free(retouch_entries[i]);
+        success = false;
+    }
+    free(retouch_entries);
+
+    if (!success) {
+      Value* v = malloc(sizeof(Value));
+      v->type = VAL_STRING;
+      v->data = NULL;
+      v->size = -1;
+      return v;
+    }
+    return StringValue(strdup("t"));
+}
+
+
+// undo_retouch_binaries(lib1, lib2, ...)
+Value* UndoRetouchBinariesFn(const char* name, State* state,
+                             int argc, Expr* argv[]) {
+    UpdaterInfo* ui = (UpdaterInfo*)(state->cookie);
+
+    char **retouch_entries  = ReadVarArgs(state, argc, argv);
+    if (retouch_entries == NULL) {
+        return StringValue(strdup("t"));
+    }
+
+    int i = 0;
+    bool success = true;
+    int32_t override_base;
+    while (i < (argc-1)) {
+        success = success && retouch_one_library(retouch_entries[i],
+                                                 retouch_entries[i+1],
+                                                 0 /* undo => offset==0 */,
+                                                 NULL);
+        if (!success)
+            ErrorAbort(state, "Failed to unretouch '%s'.",
+                       retouch_entries[i]);
+
+        free(retouch_entries[i]);
+        free(retouch_entries[i+1]);
+        i += 2;
+    }
+    if (i < argc) {
+        free(retouch_entries[i]);
+        success = false;
+    }
+    free(retouch_entries);
+
+    if (!success) {
+      Value* v = malloc(sizeof(Value));
+      v->type = VAL_STRING;
+      v->data = NULL;
+      v->size = -1;
+      return v;
+    }
+    return StringValue(strdup("t"));
+}
+
+
 // symlink target src1 src2 ...
 //    unlinks any previously existing src1, src2, etc before creating symlinks.
 Value* SymlinkFn(const char* name, State* state, int argc, Expr* argv[]) {
@@ -974,7 +1125,7 @@
     return args[i];
 }
 
-// Read a local file and return its contents (the char* returned
+// Read a local file and return its contents (the Value* returned
 // is actually a FileContents*).
 Value* ReadFileFn(const char* name, State* state, int argc, Expr* argv[]) {
     if (argc != 1) {
@@ -987,7 +1138,7 @@
     v->type = VAL_BLOB;
 
     FileContents fc;
-    if (LoadFileContents(filename, &fc) != 0) {
+    if (LoadFileContents(filename, &fc, RETOUCH_DONT_MASK) != 0) {
         ErrorAbort(state, "%s() loading \"%s\" failed: %s",
                    name, filename, strerror(errno));
         free(filename);
@@ -1014,6 +1165,8 @@
     RegisterFunction("delete_recursive", DeleteFn);
     RegisterFunction("package_extract_dir", PackageExtractDirFn);
     RegisterFunction("package_extract_file", PackageExtractFileFn);
+    RegisterFunction("retouch_binaries", RetouchBinariesFn);
+    RegisterFunction("undo_retouch_binaries", UndoRetouchBinariesFn);
     RegisterFunction("symlink", SymlinkFn);
     RegisterFunction("set_perm", SetPermFn);
     RegisterFunction("set_perm_recursive", SetPermFn);