Merge "Fix clang-tidy warnings in bootable/recovery." am: 89bf2bdc85 am: 9968866e86
am: d987fe1d57

Change-Id: Idd53009ad61bb4a0b573febdbedc5dc0eee8265f
diff --git a/Android.mk b/Android.mk
index 41eff4e..6aa29c1 100644
--- a/Android.mk
+++ b/Android.mk
@@ -41,7 +41,6 @@
 LOCAL_SRC_FILES := \
     adb_install.cpp \
     asn1_decoder.cpp \
-    bootloader.cpp \
     device.cpp \
     fuse_sdcard_provider.cpp \
     install.cpp \
@@ -76,6 +75,7 @@
 
 LOCAL_STATIC_LIBRARIES := \
     libbatterymonitor \
+    libbootloader_message \
     libext4_utils_static \
     libsparse_static \
     libminzip \
@@ -101,6 +101,10 @@
 LOCAL_C_INCLUDES += system/extras/ext4_utils
 LOCAL_STATIC_LIBRARIES += libext4_utils_static libz
 
+ifeq ($(AB_OTA_UPDATER),true)
+    LOCAL_CFLAGS += -DAB_OTA_UPDATER=1
+endif
+
 LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/sbin
 
 ifeq ($(TARGET_RECOVERY_UI_LIB),)
@@ -148,14 +152,16 @@
 LOCAL_STATIC_LIBRARIES := libcrypto_utils libcrypto
 include $(BUILD_STATIC_LIBRARY)
 
-include $(LOCAL_PATH)/minui/Android.mk \
-    $(LOCAL_PATH)/minzip/Android.mk \
+include \
+    $(LOCAL_PATH)/applypatch/Android.mk \
+    $(LOCAL_PATH)/bootloader_message/Android.mk \
+    $(LOCAL_PATH)/edify/Android.mk \
     $(LOCAL_PATH)/minadbd/Android.mk \
+    $(LOCAL_PATH)/minui/Android.mk \
+    $(LOCAL_PATH)/minzip/Android.mk \
+    $(LOCAL_PATH)/otafault/Android.mk \
     $(LOCAL_PATH)/tests/Android.mk \
     $(LOCAL_PATH)/tools/Android.mk \
-    $(LOCAL_PATH)/edify/Android.mk \
     $(LOCAL_PATH)/uncrypt/Android.mk \
-    $(LOCAL_PATH)/otafault/Android.mk \
     $(LOCAL_PATH)/updater/Android.mk \
     $(LOCAL_PATH)/update_verifier/Android.mk \
-    $(LOCAL_PATH)/applypatch/Android.mk
diff --git a/bootloader.cpp b/bootloader.cpp
deleted file mode 100644
index 783f56e..0000000
--- a/bootloader.cpp
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <inttypes.h>
-#include <stdio.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#include <fs_mgr.h>
-
-#include "bootloader.h"
-#include "common.h"
-#include "roots.h"
-#include <android-base/unique_fd.h>
-
-static int get_bootloader_message_block(bootloader_message* out, const Volume* v);
-static int set_bootloader_message_block(const bootloader_message* in, const Volume* v);
-
-int get_bootloader_message(bootloader_message* out) {
-    Volume* v = volume_for_path("/misc");
-    if (v == nullptr) {
-        LOGE("Cannot load volume /misc!\n");
-        return -1;
-    }
-    if (strcmp(v->fs_type, "emmc") == 0) {
-        return get_bootloader_message_block(out, v);
-    }
-    LOGE("unknown misc partition fs_type \"%s\"\n", v->fs_type);
-    return -1;
-}
-
-int set_bootloader_message(const bootloader_message* in) {
-    Volume* v = volume_for_path("/misc");
-    if (v == nullptr) {
-        LOGE("Cannot load volume /misc!\n");
-        return -1;
-    }
-    if (strcmp(v->fs_type, "emmc") == 0) {
-        return set_bootloader_message_block(in, v);
-    }
-    LOGE("unknown misc partition fs_type \"%s\"\n", v->fs_type);
-    return -1;
-}
-
-// ------------------------------------
-// for misc partitions on block devices
-// ------------------------------------
-
-static void wait_for_device(const char* fn) {
-    int tries = 0;
-    int ret;
-    do {
-        ++tries;
-        struct stat buf;
-        ret = stat(fn, &buf);
-        if (ret == -1) {
-            printf("failed to stat \"%s\" try %d: %s\n", fn, tries, strerror(errno));
-            sleep(1);
-        }
-    } while (ret && tries < 10);
-
-    if (ret) {
-        printf("failed to stat \"%s\"\n", fn);
-    }
-}
-
-static int get_bootloader_message_block(bootloader_message* out,
-                                        const Volume* v) {
-    wait_for_device(v->blk_device);
-    FILE* f = fopen(v->blk_device, "rb");
-    if (f == nullptr) {
-        LOGE("failed to open \"%s\": %s\n", v->blk_device, strerror(errno));
-        return -1;
-    }
-    bootloader_message temp;
-    int count = fread(&temp, sizeof(temp), 1, f);
-    if (count != 1) {
-        LOGE("failed to read \"%s\": %s\n", v->blk_device, strerror(errno));
-        return -1;
-    }
-    if (fclose(f) != 0) {
-        LOGE("failed to close \"%s\": %s\n", v->blk_device, strerror(errno));
-        return -1;
-    }
-    memcpy(out, &temp, sizeof(temp));
-    return 0;
-}
-
-static int set_bootloader_message_block(const bootloader_message* in,
-                                        const Volume* v) {
-    wait_for_device(v->blk_device);
-    android::base::unique_fd fd(open(v->blk_device, O_WRONLY | O_SYNC));
-    if (fd == -1) {
-        LOGE("failed to open \"%s\": %s\n", v->blk_device, strerror(errno));
-        return -1;
-    }
-
-    size_t written = 0;
-    const uint8_t* start = reinterpret_cast<const uint8_t*>(in);
-    size_t total = sizeof(*in);
-    while (written < total) {
-        ssize_t wrote = TEMP_FAILURE_RETRY(write(fd, start + written, total - written));
-        if (wrote == -1) {
-            LOGE("failed to write %" PRId64 " bytes: %s\n",
-                 static_cast<off64_t>(written), strerror(errno));
-            return -1;
-        }
-        written += wrote;
-    }
-
-    if (fsync(fd) == -1) {
-        LOGE("failed to fsync \"%s\": %s\n", v->blk_device, strerror(errno));
-        return -1;
-    }
-    return 0;
-}
diff --git a/bootloader.h b/bootloader.h
index 1801705..9c84a1c 100644
--- a/bootloader.h
+++ b/bootloader.h
@@ -14,158 +14,5 @@
  * limitations under the License.
  */
 
-#ifndef _RECOVERY_BOOTLOADER_H
-#define _RECOVERY_BOOTLOADER_H
-
-#include <assert.h>
-
-/* Bootloader Message (2-KiB)
- *
- * This structure describes the content of a block in flash
- * that is used for recovery and the bootloader to talk to
- * each other.
- *
- * The command field is updated by linux when it wants to
- * reboot into recovery or to update radio or bootloader firmware.
- * It is also updated by the bootloader when firmware update
- * is complete (to boot into recovery for any final cleanup)
- *
- * The status field is written by the bootloader after the
- * completion of an "update-radio" or "update-hboot" command.
- *
- * The recovery field is only written by linux and used
- * for the system to send a message to recovery or the
- * other way around.
- *
- * The stage field is written by packages which restart themselves
- * multiple times, so that the UI can reflect which invocation of the
- * package it is.  If the value is of the format "#/#" (eg, "1/3"),
- * the UI will add a simple indicator of that status.
- *
- * We used to have slot_suffix field for A/B boot control metadata in
- * this struct, which gets unintentionally cleared by recovery or
- * uncrypt. Move it into struct bootloader_message_ab to avoid the
- * issue.
- */
-struct bootloader_message {
-    char command[32];
-    char status[32];
-    char recovery[768];
-
-    // The 'recovery' field used to be 1024 bytes.  It has only ever
-    // been used to store the recovery command line, so 768 bytes
-    // should be plenty.  We carve off the last 256 bytes to store the
-    // stage string (for multistage packages) and possible future
-    // expansion.
-    char stage[32];
-
-    // The 'reserved' field used to be 224 bytes when it was initially
-    // carved off from the 1024-byte recovery field. Bump it up to
-    // 1184-byte so that the entire bootloader_message struct rounds up
-    // to 2048-byte.
-    char reserved[1184];
-};
-
-/**
- * We must be cautious when changing the bootloader_message struct size,
- * because A/B-specific fields may end up with different offsets.
- */
-#if (__STDC_VERSION__ >= 201112L) || defined(__cplusplus)
-static_assert(sizeof(struct bootloader_message) == 2048,
-              "struct bootloader_message size changes, which may break A/B devices");
-#endif
-
-/**
- * The A/B-specific bootloader message structure (4-KiB).
- *
- * We separate A/B boot control metadata from the regular bootloader
- * message struct and keep it here. Everything that's A/B-specific
- * stays after struct bootloader_message, which should be managed by
- * the A/B-bootloader or boot control HAL.
- *
- * The slot_suffix field is used for A/B implementations where the
- * bootloader does not set the androidboot.ro.boot.slot_suffix kernel
- * commandline parameter. This is used by fs_mgr to mount /system and
- * other partitions with the slotselect flag set in fstab. A/B
- * implementations are free to use all 32 bytes and may store private
- * data past the first NUL-byte in this field. It is encouraged, but
- * not mandatory, to use 'struct bootloader_control' described below.
- */
-struct bootloader_message_ab {
-    struct bootloader_message message;
-    char slot_suffix[32];
-
-    // Round up the entire struct to 4096-byte.
-    char reserved[2016];
-};
-
-/**
- * Be cautious about the struct size change, in case we put anything post
- * bootloader_message_ab struct (b/29159185).
- */
-#if (__STDC_VERSION__ >= 201112L) || defined(__cplusplus)
-static_assert(sizeof(struct bootloader_message_ab) == 4096,
-              "struct bootloader_message_ab size changes");
-#endif
-
-#define BOOT_CTRL_MAGIC   0x42414342 /* Bootloader Control AB */
-#define BOOT_CTRL_VERSION 1
-
-struct slot_metadata {
-    // Slot priority with 15 meaning highest priority, 1 lowest
-    // priority and 0 the slot is unbootable.
-    uint8_t priority : 4;
-    // Number of times left attempting to boot this slot.
-    uint8_t tries_remaining : 3;
-    // 1 if this slot has booted successfully, 0 otherwise.
-    uint8_t successful_boot : 1;
-    // 1 if this slot is corrupted from a dm-verity corruption, 0
-    // otherwise.
-    uint8_t verity_corrupted : 1;
-    // Reserved for further use.
-    uint8_t reserved : 7;
-} __attribute__((packed));
-
-/* Bootloader Control AB
- *
- * This struct can be used to manage A/B metadata. It is designed to
- * be put in the 'slot_suffix' field of the 'bootloader_message'
- * structure described above. It is encouraged to use the
- * 'bootloader_control' structure to store the A/B metadata, but not
- * mandatory.
- */
-struct bootloader_control {
-    // NUL terminated active slot suffix.
-    char slot_suffix[4];
-    // Bootloader Control AB magic number (see BOOT_CTRL_MAGIC).
-    uint32_t magic;
-    // Version of struct being used (see BOOT_CTRL_VERSION).
-    uint8_t version;
-    // Number of slots being managed.
-    uint8_t nb_slot : 3;
-    // Number of times left attempting to boot recovery.
-    uint8_t recovery_tries_remaining : 3;
-    // Ensure 4-bytes alignment for slot_info field.
-    uint8_t reserved0[2];
-    // Per-slot information.  Up to 4 slots.
-    struct slot_metadata slot_info[4];
-    // Reserved for further use.
-    uint8_t reserved1[8];
-    // CRC32 of all 28 bytes preceding this field (little endian
-    // format).
-    uint32_t crc32_le;
-} __attribute__((packed));
-
-#if (__STDC_VERSION__ >= 201112L) || defined(__cplusplus)
-static_assert(sizeof(struct bootloader_control) ==
-              sizeof(((struct bootloader_message_ab *)0)->slot_suffix),
-              "struct bootloader_control has wrong size");
-#endif
-
-/* Read and write the bootloader command from the "misc" partition.
- * These return zero on success.
- */
-int get_bootloader_message(struct bootloader_message *out);
-int set_bootloader_message(const struct bootloader_message *in);
-
-#endif
+// TODO: Remove this file once we remove all places that include this file.
+#include "bootloader_message/include/bootloader_message/bootloader_message.h"
diff --git a/bootloader_message/Android.mk b/bootloader_message/Android.mk
new file mode 100644
index 0000000..815ac67
--- /dev/null
+++ b/bootloader_message/Android.mk
@@ -0,0 +1,24 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_CLANG := true
+LOCAL_SRC_FILES := bootloader_message.cpp
+LOCAL_MODULE := libbootloader_message
+LOCAL_STATIC_LIBRARIES := libbase libfs_mgr
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/include
+LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include
+include $(BUILD_STATIC_LIBRARY)
diff --git a/bootloader_message/bootloader_message.cpp b/bootloader_message/bootloader_message.cpp
new file mode 100644
index 0000000..9de7dff
--- /dev/null
+++ b/bootloader_message/bootloader_message.cpp
@@ -0,0 +1,181 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <bootloader_message/bootloader_message.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <sys/system_properties.h>
+
+#include <string>
+#include <vector>
+
+#include <android-base/file.h>
+#include <android-base/stringprintf.h>
+#include <android-base/unique_fd.h>
+#include <fs_mgr.h>
+
+static struct fstab* read_fstab(std::string* err) {
+  // The fstab path is always "/fstab.${ro.hardware}".
+  std::string fstab_path = "/fstab.";
+  char value[PROP_VALUE_MAX];
+  if (__system_property_get("ro.hardware", value) == 0) {
+    *err = "failed to get ro.hardware";
+    return nullptr;
+  }
+  fstab_path += value;
+  struct fstab* fstab = fs_mgr_read_fstab(fstab_path.c_str());
+  if (fstab == nullptr) {
+    *err = "failed to read " + fstab_path;
+  }
+  return fstab;
+}
+
+static std::string get_misc_blk_device(std::string* err) {
+  struct fstab* fstab = read_fstab(err);
+  if (fstab == nullptr) {
+    return "";
+  }
+  fstab_rec* record = fs_mgr_get_entry_for_mount_point(fstab, "/misc");
+  if (record == nullptr) {
+    *err = "failed to find /misc partition";
+    return "";
+  }
+  return record->blk_device;
+}
+
+// In recovery mode, recovery can get started and try to access the misc
+// device before the kernel has actually created it.
+static bool wait_for_device(const std::string& blk_device, std::string* err) {
+  int tries = 0;
+  int ret;
+  err->clear();
+  do {
+    ++tries;
+    struct stat buf;
+    ret = stat(blk_device.c_str(), &buf);
+    if (ret == -1) {
+      *err += android::base::StringPrintf("failed to stat %s try %d: %s\n",
+                                          blk_device.c_str(), tries, strerror(errno));
+      sleep(1);
+    }
+  } while (ret && tries < 10);
+
+  if (ret) {
+    *err += android::base::StringPrintf("failed to stat %s\n", blk_device.c_str());
+  }
+  return ret == 0;
+}
+
+static bool read_misc_partition(void* p, size_t size, size_t offset, std::string* err) {
+  std::string misc_blk_device = get_misc_blk_device(err);
+  if (misc_blk_device.empty()) {
+    return false;
+  }
+  if (!wait_for_device(misc_blk_device, err)) {
+    return false;
+  }
+  android::base::unique_fd fd(open(misc_blk_device.c_str(), O_RDONLY));
+  if (fd.get() == -1) {
+    *err = android::base::StringPrintf("failed to open %s: %s", misc_blk_device.c_str(),
+                                       strerror(errno));
+    return false;
+  }
+  if (lseek(fd.get(), static_cast<off_t>(offset), SEEK_SET) != static_cast<off_t>(offset)) {
+    *err = android::base::StringPrintf("failed to lseek %s: %s", misc_blk_device.c_str(),
+                                       strerror(errno));
+    return false;
+  }
+  if (!android::base::ReadFully(fd.get(), p, size)) {
+    *err = android::base::StringPrintf("failed to read %s: %s", misc_blk_device.c_str(),
+                                       strerror(errno));
+    return false;
+  }
+  return true;
+}
+
+static bool write_misc_partition(const void* p, size_t size, size_t offset, std::string* err) {
+  std::string misc_blk_device = get_misc_blk_device(err);
+  if (misc_blk_device.empty()) {
+    return false;
+  }
+  android::base::unique_fd fd(open(misc_blk_device.c_str(), O_WRONLY | O_SYNC));
+  if (fd.get() == -1) {
+    *err = android::base::StringPrintf("failed to open %s: %s", misc_blk_device.c_str(),
+                                       strerror(errno));
+    return false;
+  }
+  if (lseek(fd.get(), static_cast<off_t>(offset), SEEK_SET) != static_cast<off_t>(offset)) {
+    *err = android::base::StringPrintf("failed to lseek %s: %s", misc_blk_device.c_str(),
+                                       strerror(errno));
+    return false;
+  }
+  if (!android::base::WriteFully(fd.get(), p, size)) {
+    *err = android::base::StringPrintf("failed to write %s: %s", misc_blk_device.c_str(),
+                                       strerror(errno));
+    return false;
+  }
+
+  // TODO: O_SYNC and fsync duplicates each other?
+  if (fsync(fd.get()) == -1) {
+    *err = android::base::StringPrintf("failed to fsync %s: %s", misc_blk_device.c_str(),
+                                       strerror(errno));
+    return false;
+  }
+  return true;
+}
+
+bool read_bootloader_message(bootloader_message* boot, std::string* err) {
+  return read_misc_partition(boot, sizeof(*boot), BOOTLOADER_MESSAGE_OFFSET_IN_MISC, err);
+}
+
+bool write_bootloader_message(const bootloader_message& boot, std::string* err) {
+  return write_misc_partition(&boot, sizeof(boot), BOOTLOADER_MESSAGE_OFFSET_IN_MISC, err);
+}
+
+bool clear_bootloader_message(std::string* err) {
+  bootloader_message boot = {};
+  return write_bootloader_message(boot, err);
+}
+
+bool write_bootloader_message(const std::vector<std::string>& options, std::string* err) {
+  bootloader_message boot = {};
+  strlcpy(boot.command, "boot-recovery", sizeof(boot.command));
+  strlcpy(boot.recovery, "recovery\n", sizeof(boot.recovery));
+  for (const auto& s : options) {
+    strlcat(boot.recovery, s.c_str(), sizeof(boot.recovery));
+    if (s.back() != '\n') {
+      strlcat(boot.recovery, "\n", sizeof(boot.recovery));
+    }
+  }
+  return write_bootloader_message(boot, err);
+}
+
+bool read_wipe_package(std::string* package_data, size_t size, std::string* err) {
+  package_data->resize(size);
+  return read_misc_partition(&(*package_data)[0], size, WIPE_PACKAGE_OFFSET_IN_MISC, err);
+}
+
+bool write_wipe_package(const std::string& package_data, std::string* err) {
+  return write_misc_partition(package_data.data(), package_data.size(),
+                              WIPE_PACKAGE_OFFSET_IN_MISC, err);
+}
+
+extern "C" bool write_bootloader_message(const char* options) {
+  std::string err;
+  return write_bootloader_message({options}, &err);
+}
diff --git a/bootloader_message/include/bootloader_message/bootloader_message.h b/bootloader_message/include/bootloader_message/bootloader_message.h
new file mode 100644
index 0000000..f343c64
--- /dev/null
+++ b/bootloader_message/include/bootloader_message/bootloader_message.h
@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 2008 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _BOOTLOADER_MESSAGE_H
+#define _BOOTLOADER_MESSAGE_H
+
+#include <assert.h>
+#include <stddef.h>
+#include <stdint.h>
+
+// Spaces used by misc partition are as below:
+// 0   - 2K     For bootloader_message
+// 2K  - 16K    Used by Vendor's bootloader (the 2K - 4K range may be optionally used
+//              as bootloader_message_ab struct)
+// 16K - 64K    Used by uncrypt and recovery to store wipe_package for A/B devices
+// Note that these offsets are admitted by bootloader,recovery and uncrypt, so they
+// are not configurable without changing all of them.
+static const size_t BOOTLOADER_MESSAGE_OFFSET_IN_MISC = 0;
+static const size_t WIPE_PACKAGE_OFFSET_IN_MISC = 16 * 1024;
+
+/* Bootloader Message (2-KiB)
+ *
+ * This structure describes the content of a block in flash
+ * that is used for recovery and the bootloader to talk to
+ * each other.
+ *
+ * The command field is updated by linux when it wants to
+ * reboot into recovery or to update radio or bootloader firmware.
+ * It is also updated by the bootloader when firmware update
+ * is complete (to boot into recovery for any final cleanup)
+ *
+ * The status field is written by the bootloader after the
+ * completion of an "update-radio" or "update-hboot" command.
+ *
+ * The recovery field is only written by linux and used
+ * for the system to send a message to recovery or the
+ * other way around.
+ *
+ * The stage field is written by packages which restart themselves
+ * multiple times, so that the UI can reflect which invocation of the
+ * package it is.  If the value is of the format "#/#" (eg, "1/3"),
+ * the UI will add a simple indicator of that status.
+ *
+ * We used to have slot_suffix field for A/B boot control metadata in
+ * this struct, which gets unintentionally cleared by recovery or
+ * uncrypt. Move it into struct bootloader_message_ab to avoid the
+ * issue.
+ */
+struct bootloader_message {
+    char command[32];
+    char status[32];
+    char recovery[768];
+
+    // The 'recovery' field used to be 1024 bytes.  It has only ever
+    // been used to store the recovery command line, so 768 bytes
+    // should be plenty.  We carve off the last 256 bytes to store the
+    // stage string (for multistage packages) and possible future
+    // expansion.
+    char stage[32];
+
+    // The 'reserved' field used to be 224 bytes when it was initially
+    // carved off from the 1024-byte recovery field. Bump it up to
+    // 1184-byte so that the entire bootloader_message struct rounds up
+    // to 2048-byte.
+    char reserved[1184];
+};
+
+/**
+ * We must be cautious when changing the bootloader_message struct size,
+ * because A/B-specific fields may end up with different offsets.
+ */
+#if (__STDC_VERSION__ >= 201112L) || defined(__cplusplus)
+static_assert(sizeof(struct bootloader_message) == 2048,
+              "struct bootloader_message size changes, which may break A/B devices");
+#endif
+
+/**
+ * The A/B-specific bootloader message structure (4-KiB).
+ *
+ * We separate A/B boot control metadata from the regular bootloader
+ * message struct and keep it here. Everything that's A/B-specific
+ * stays after struct bootloader_message, which should be managed by
+ * the A/B-bootloader or boot control HAL.
+ *
+ * The slot_suffix field is used for A/B implementations where the
+ * bootloader does not set the androidboot.ro.boot.slot_suffix kernel
+ * commandline parameter. This is used by fs_mgr to mount /system and
+ * other partitions with the slotselect flag set in fstab. A/B
+ * implementations are free to use all 32 bytes and may store private
+ * data past the first NUL-byte in this field. It is encouraged, but
+ * not mandatory, to use 'struct bootloader_control' described below.
+ */
+struct bootloader_message_ab {
+    struct bootloader_message message;
+    char slot_suffix[32];
+
+    // Round up the entire struct to 4096-byte.
+    char reserved[2016];
+};
+
+/**
+ * Be cautious about the struct size change, in case we put anything post
+ * bootloader_message_ab struct (b/29159185).
+ */
+#if (__STDC_VERSION__ >= 201112L) || defined(__cplusplus)
+static_assert(sizeof(struct bootloader_message_ab) == 4096,
+              "struct bootloader_message_ab size changes");
+#endif
+
+#define BOOT_CTRL_MAGIC   0x42414342 /* Bootloader Control AB */
+#define BOOT_CTRL_VERSION 1
+
+struct slot_metadata {
+    // Slot priority with 15 meaning highest priority, 1 lowest
+    // priority and 0 the slot is unbootable.
+    uint8_t priority : 4;
+    // Number of times left attempting to boot this slot.
+    uint8_t tries_remaining : 3;
+    // 1 if this slot has booted successfully, 0 otherwise.
+    uint8_t successful_boot : 1;
+    // 1 if this slot is corrupted from a dm-verity corruption, 0
+    // otherwise.
+    uint8_t verity_corrupted : 1;
+    // Reserved for further use.
+    uint8_t reserved : 7;
+} __attribute__((packed));
+
+/* Bootloader Control AB
+ *
+ * This struct can be used to manage A/B metadata. It is designed to
+ * be put in the 'slot_suffix' field of the 'bootloader_message'
+ * structure described above. It is encouraged to use the
+ * 'bootloader_control' structure to store the A/B metadata, but not
+ * mandatory.
+ */
+struct bootloader_control {
+    // NUL terminated active slot suffix.
+    char slot_suffix[4];
+    // Bootloader Control AB magic number (see BOOT_CTRL_MAGIC).
+    uint32_t magic;
+    // Version of struct being used (see BOOT_CTRL_VERSION).
+    uint8_t version;
+    // Number of slots being managed.
+    uint8_t nb_slot : 3;
+    // Number of times left attempting to boot recovery.
+    uint8_t recovery_tries_remaining : 3;
+    // Ensure 4-bytes alignment for slot_info field.
+    uint8_t reserved0[2];
+    // Per-slot information.  Up to 4 slots.
+    struct slot_metadata slot_info[4];
+    // Reserved for further use.
+    uint8_t reserved1[8];
+    // CRC32 of all 28 bytes preceding this field (little endian
+    // format).
+    uint32_t crc32_le;
+} __attribute__((packed));
+
+#if (__STDC_VERSION__ >= 201112L) || defined(__cplusplus)
+static_assert(sizeof(struct bootloader_control) ==
+              sizeof(((struct bootloader_message_ab *)0)->slot_suffix),
+              "struct bootloader_control has wrong size");
+#endif
+
+#ifdef __cplusplus
+
+#include <string>
+#include <vector>
+
+bool read_bootloader_message(bootloader_message* boot, std::string* err);
+bool write_bootloader_message(const bootloader_message& boot, std::string* err);
+bool write_bootloader_message(const std::vector<std::string>& options, std::string* err);
+bool clear_bootloader_message(std::string* err);
+
+bool read_wipe_package(std::string* package_data, size_t size, std::string* err);
+bool write_wipe_package(const std::string& package_data, std::string* err);
+
+#else
+
+#include <stdbool.h>
+
+// C Interface.
+bool write_bootloader_message(const char* options);
+
+#endif  // ifdef __cplusplus
+
+#endif  // _BOOTLOADER_MESSAGE_H
diff --git a/device.cpp b/device.cpp
index 2465b07..e717ddd 100644
--- a/device.cpp
+++ b/device.cpp
@@ -22,32 +22,42 @@
     "Apply update from ADB",
     "Apply update from SD card",
     "Wipe data/factory reset",
+#ifndef AB_OTA_UPDATER
     "Wipe cache partition",
+#endif  // !AB_OTA_UPDATER
     "Mount /system",
     "View recovery logs",
     "Run graphics test",
     "Power off",
-    NULL
+    NULL,
 };
 
+static const Device::BuiltinAction MENU_ACTIONS[] = {
+    Device::REBOOT,
+    Device::REBOOT_BOOTLOADER,
+    Device::APPLY_ADB_SIDELOAD,
+    Device::APPLY_SDCARD,
+    Device::WIPE_DATA,
+#ifndef AB_OTA_UPDATER
+    Device::WIPE_CACHE,
+#endif  // !AB_OTA_UPDATER
+    Device::MOUNT_SYSTEM,
+    Device::VIEW_RECOVERY_LOGS,
+    Device::RUN_GRAPHICS_TEST,
+    Device::SHUTDOWN,
+};
+
+static_assert(sizeof(MENU_ITEMS) / sizeof(MENU_ITEMS[0]) ==
+              sizeof(MENU_ACTIONS) / sizeof(MENU_ACTIONS[0]) + 1,
+              "MENU_ITEMS and MENU_ACTIONS should have the same length, "
+              "except for the extra NULL entry in MENU_ITEMS.");
+
 const char* const* Device::GetMenuItems() {
   return MENU_ITEMS;
 }
 
 Device::BuiltinAction Device::InvokeMenuItem(int menu_position) {
-  switch (menu_position) {
-    case 0: return REBOOT;
-    case 1: return REBOOT_BOOTLOADER;
-    case 2: return APPLY_ADB_SIDELOAD;
-    case 3: return APPLY_SDCARD;
-    case 4: return WIPE_DATA;
-    case 5: return WIPE_CACHE;
-    case 6: return MOUNT_SYSTEM;
-    case 7: return VIEW_RECOVERY_LOGS;
-    case 8: return RUN_GRAPHICS_TEST;
-    case 9: return SHUTDOWN;
-    default: return NO_ACTION;
-  }
+  return menu_position < 0 ? NO_ACTION : MENU_ACTIONS[menu_position];
 }
 
 int Device::HandleMenuKey(int key, int visible) {
diff --git a/error_code.h b/error_code.h
index 259319a..fe38ba4 100644
--- a/error_code.h
+++ b/error_code.h
@@ -21,7 +21,8 @@
     kNoError = -1,
     kLowBattery = 20,
     kZipVerificationFailure,
-    kZipOpenFailure
+    kZipOpenFailure,
+    kBootreasonInBlacklist
 };
 
 enum CauseCode {
diff --git a/install.cpp b/install.cpp
index 10a90a0..afc3c92 100644
--- a/install.cpp
+++ b/install.cpp
@@ -17,6 +17,7 @@
 #include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <inttypes.h>
 #include <limits.h>
 #include <string.h>
 #include <sys/stat.h>
@@ -24,12 +25,15 @@
 #include <unistd.h>
 
 #include <chrono>
+#include <limits>
+#include <map>
 #include <string>
 #include <vector>
 
 #include <android-base/parseint.h>
 #include <android-base/stringprintf.h>
 #include <android-base/strings.h>
+#include <cutils/properties.h>
 
 #include "common.h"
 #include "error_code.h"
@@ -44,6 +48,8 @@
 extern RecoveryUI* ui;
 
 #define ASSUMED_UPDATE_BINARY_NAME  "META-INF/com/google/android/update-binary"
+static constexpr const char* AB_OTA_PAYLOAD_PROPERTIES = "payload_properties.txt";
+static constexpr const char* AB_OTA_PAYLOAD = "payload.bin";
 #define PUBLIC_KEYS_FILE "/res/keys"
 static constexpr const char* METADATA_PATH = "META-INF/com/android/metadata";
 
@@ -68,20 +74,27 @@
     return -1;
 }
 
-// Read the build.version.incremental of src/tgt from the metadata and log it to last_install.
-static void read_source_target_build(ZipArchive* zip, std::vector<std::string>& log_buffer) {
+bool read_metadata_from_package(ZipArchive* zip, std::string* meta_data) {
     const ZipEntry* meta_entry = mzFindZipEntry(zip, METADATA_PATH);
     if (meta_entry == nullptr) {
         LOGE("Failed to find %s in update package.\n", METADATA_PATH);
-        return;
+        return false;
     }
 
-    std::string meta_data(meta_entry->uncompLen, '\0');
-    if (!mzReadZipEntry(zip, meta_entry, &meta_data[0], meta_entry->uncompLen)) {
+    meta_data->resize(meta_entry->uncompLen, '\0');
+    if (!mzReadZipEntry(zip, meta_entry, &(*meta_data)[0], meta_entry->uncompLen)) {
         LOGE("Failed to read metadata in update package.\n");
+        return false;
+    }
+    return true;
+}
+
+// Read the build.version.incremental of src/tgt from the metadata and log it to last_install.
+static void read_source_target_build(ZipArchive* zip, std::vector<std::string>& log_buffer) {
+    std::string meta_data;
+    if (!read_metadata_from_package(zip, &meta_data)) {
         return;
     }
-
     // Examples of the pre-build and post-build strings in metadata:
     // pre-build-incremental=2943039
     // post-build-incremental=2951741
@@ -104,17 +117,152 @@
     }
 }
 
-// If the package contains an update binary, extract it and run it.
+// Extract the update binary from the open zip archive |zip| located at |path|
+// and store into |cmd| the command line that should be called. The |status_fd|
+// is the file descriptor the child process should use to report back the
+// progress of the update.
 static int
-try_update_binary(const char* path, ZipArchive* zip, bool* wipe_cache,
-                  std::vector<std::string>& log_buffer, int retry_count)
-{
-    read_source_target_build(zip, log_buffer);
+update_binary_command(const char* path, ZipArchive* zip, int retry_count,
+                      int status_fd, std::vector<std::string>* cmd);
 
+#ifdef AB_OTA_UPDATER
+
+// Parses the metadata of the OTA package in |zip| and checks whether we are
+// allowed to accept this A/B package. Downgrading is not allowed unless
+// explicitly enabled in the package and only for incremental packages.
+static int check_newer_ab_build(ZipArchive* zip)
+{
+    std::string metadata_str;
+    if (!read_metadata_from_package(zip, &metadata_str)) {
+        return INSTALL_CORRUPT;
+    }
+    std::map<std::string, std::string> metadata;
+    for (const std::string& line : android::base::Split(metadata_str, "\n")) {
+        size_t eq = line.find('=');
+        if (eq != std::string::npos) {
+            metadata[line.substr(0, eq)] = line.substr(eq + 1);
+        }
+    }
+    char value[PROPERTY_VALUE_MAX];
+
+    property_get("ro.product.device", value, "");
+    const std::string& pkg_device = metadata["pre-device"];
+    if (pkg_device != value || pkg_device.empty()) {
+        LOGE("Package is for product %s but expected %s\n",
+             pkg_device.c_str(), value);
+        return INSTALL_ERROR;
+    }
+
+    // We allow the package to not have any serialno, but if it has a non-empty
+    // value it should match.
+    property_get("ro.serialno", value, "");
+    const std::string& pkg_serial_no = metadata["serialno"];
+    if (!pkg_serial_no.empty() && pkg_serial_no != value) {
+        LOGE("Package is for serial %s\n", pkg_serial_no.c_str());
+        return INSTALL_ERROR;
+    }
+
+    if (metadata["ota-type"] != "AB") {
+        LOGE("Package is not A/B\n");
+        return INSTALL_ERROR;
+    }
+
+    // Incremental updates should match the current build.
+    property_get("ro.build.version.incremental", value, "");
+    const std::string& pkg_pre_build = metadata["pre-build-incremental"];
+    if (!pkg_pre_build.empty() && pkg_pre_build != value) {
+        LOGE("Package is for source build %s but expected %s\n",
+             pkg_pre_build.c_str(), value);
+        return INSTALL_ERROR;
+    }
+    property_get("ro.build.fingerprint", value, "");
+    const std::string& pkg_pre_build_fingerprint = metadata["pre-build"];
+    if (!pkg_pre_build_fingerprint.empty() &&
+        pkg_pre_build_fingerprint != value) {
+        LOGE("Package is for source build %s but expected %s\n",
+             pkg_pre_build_fingerprint.c_str(), value);
+        return INSTALL_ERROR;
+    }
+
+    // Check for downgrade version.
+    int64_t build_timestampt = property_get_int64(
+            "ro.build.date.utc", std::numeric_limits<int64_t>::max());
+    int64_t pkg_post_timespampt = 0;
+    // We allow to full update to the same version we are running, in case there
+    // is a problem with the current copy of that version.
+    if (metadata["post-timestamp"].empty() ||
+        !android::base::ParseInt(metadata["post-timestamp"].c_str(),
+                                 &pkg_post_timespampt) ||
+        pkg_post_timespampt < build_timestampt) {
+        if (metadata["ota-downgrade"] != "yes") {
+            LOGE("Update package is older than the current build, expected a "
+                 "build newer than timestamp %" PRIu64 " but package has "
+                 "timestamp %" PRIu64 " and downgrade not allowed.\n",
+                 build_timestampt, pkg_post_timespampt);
+            return INSTALL_ERROR;
+        }
+        if (pkg_pre_build_fingerprint.empty()) {
+            LOGE("Downgrade package must have a pre-build version set, not "
+                 "allowed.\n");
+            return INSTALL_ERROR;
+        }
+    }
+
+    return 0;
+}
+
+static int
+update_binary_command(const char* path, ZipArchive* zip, int retry_count,
+                      int status_fd, std::vector<std::string>* cmd)
+{
+    int ret = check_newer_ab_build(zip);
+    if (ret) {
+        return ret;
+    }
+
+    // For A/B updates we extract the payload properties to a buffer and obtain
+    // the RAW payload offset in the zip file.
+    const ZipEntry* properties_entry =
+            mzFindZipEntry(zip, AB_OTA_PAYLOAD_PROPERTIES);
+    if (!properties_entry) {
+        LOGE("Can't find %s\n", AB_OTA_PAYLOAD_PROPERTIES);
+        return INSTALL_CORRUPT;
+    }
+    std::vector<unsigned char> payload_properties(
+            mzGetZipEntryUncompLen(properties_entry));
+    if (!mzExtractZipEntryToBuffer(zip, properties_entry,
+                                   payload_properties.data())) {
+        LOGE("Can't extract %s\n", AB_OTA_PAYLOAD_PROPERTIES);
+        return INSTALL_CORRUPT;
+    }
+
+    const ZipEntry* payload_entry = mzFindZipEntry(zip, AB_OTA_PAYLOAD);
+    if (!payload_entry) {
+        LOGE("Can't find %s\n", AB_OTA_PAYLOAD);
+        return INSTALL_CORRUPT;
+    }
+    long payload_offset = mzGetZipEntryOffset(payload_entry);
+    *cmd = {
+        "/sbin/update_engine_sideload",
+        android::base::StringPrintf("--payload=file://%s", path),
+        android::base::StringPrintf("--offset=%ld", payload_offset),
+        "--headers=" + std::string(payload_properties.begin(),
+                                   payload_properties.end()),
+        android::base::StringPrintf("--status_fd=%d", status_fd),
+    };
+    return 0;
+}
+
+#else  // !AB_OTA_UPDATER
+
+static int
+update_binary_command(const char* path, ZipArchive* zip, int retry_count,
+                      int status_fd, std::vector<std::string>* cmd)
+{
+    // On traditional updates we extract the update binary from the package.
     const ZipEntry* binary_entry =
             mzFindZipEntry(zip, ASSUMED_UPDATE_BINARY_NAME);
     if (binary_entry == NULL) {
-        mzCloseZipArchive(zip);
         return INSTALL_CORRUPT;
     }
 
@@ -122,22 +270,48 @@
     unlink(binary);
     int fd = creat(binary, 0755);
     if (fd < 0) {
-        mzCloseZipArchive(zip);
         LOGE("Can't make %s\n", binary);
         return INSTALL_ERROR;
     }
     bool ok = mzExtractZipEntryToFile(zip, binary_entry, fd);
     close(fd);
-    mzCloseZipArchive(zip);
 
     if (!ok) {
         LOGE("Can't copy %s\n", ASSUMED_UPDATE_BINARY_NAME);
         return INSTALL_ERROR;
     }
 
+    *cmd = {
+        binary,
+        EXPAND(RECOVERY_API_VERSION),   // defined in Android.mk
+        std::to_string(status_fd),
+        path,
+    };
+    if (retry_count > 0)
+        cmd->push_back("retry");
+    return 0;
+}
+#endif  // !AB_OTA_UPDATER
+
+// If the package contains an update binary, extract it and run it.
+static int
+try_update_binary(const char* path, ZipArchive* zip, bool* wipe_cache,
+                  std::vector<std::string>& log_buffer, int retry_count)
+{
+    read_source_target_build(zip, log_buffer);
+
     int pipefd[2];
     pipe(pipefd);
 
+    std::vector<std::string> args;
+    int ret = update_binary_command(path, zip, retry_count, pipefd[1], &args);
+    mzCloseZipArchive(zip);
+    if (ret) {
+        close(pipefd[0]);
+        close(pipefd[1]);
+        return ret;
+    }
+
     // When executing the update binary contained in the package, the
     // arguments passed are:
     //
@@ -187,22 +361,19 @@
     //   update attempt.
     //
 
-    const char* args[6];
-    args[0] = binary;
-    args[1] = EXPAND(RECOVERY_API_VERSION);   // defined in Android.mk
-    char temp[16];
-    snprintf(temp, sizeof(temp), "%d", pipefd[1]);
-    args[2] = temp;
-    args[3] = path;
-    args[4] = retry_count > 0 ? "retry" : NULL;
-    args[5] = NULL;
+    // Convert the vector to a NULL-terminated char* array suitable for execv.
+    const char* chr_args[args.size() + 1];
+    chr_args[args.size()] = NULL;
+    for (size_t i = 0; i < args.size(); i++) {
+        chr_args[i] = args[i].c_str();
+    }
 
     pid_t pid = fork();
     if (pid == 0) {
         umask(022);
         close(pipefd[0]);
-        execv(binary, const_cast<char**>(args));
-        fprintf(stdout, "E:Can't run %s (%s)\n", binary, strerror(errno));
+        execv(chr_args[0], const_cast<char**>(chr_args));
+        fprintf(stdout, "E:Can't run %s (%s)\n", chr_args[0], strerror(errno));
         _exit(-1);
     }
     close(pipefd[1]);
@@ -298,32 +469,16 @@
         return INSTALL_CORRUPT;
     }
 
-    // Load keys.
-    std::vector<Certificate> loadedKeys;
-    if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) {
-        LOGE("Failed to load keys\n");
-        sysReleaseMap(&map);
-        return INSTALL_CORRUPT;
-    }
-    LOGI("%zu key(s) loaded from %s\n", loadedKeys.size(), PUBLIC_KEYS_FILE);
-
     // Verify package.
-    ui->Print("Verifying update package...\n");
-    auto t0 = std::chrono::system_clock::now();
-    int err = verify_file(map.addr, map.length, loadedKeys);
-    std::chrono::duration<double> duration = std::chrono::system_clock::now() - t0;
-    ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err);
-    if (err != VERIFY_SUCCESS) {
-        LOGE("signature verification failed\n");
+    if (!verify_package(map.addr, map.length)) {
         log_buffer.push_back(android::base::StringPrintf("error: %d", kZipVerificationFailure));
-
         sysReleaseMap(&map);
         return INSTALL_CORRUPT;
     }
 
     // Try to open the package.
     ZipArchive zip;
-    err = mzOpenZipArchive(map.addr, map.length, &zip);
+    int err = mzOpenZipArchive(map.addr, map.length, &zip);
     if (err != 0) {
         LOGE("Can't open %s\n(%s)\n", path, err != -1 ? strerror(err) : "bad");
         log_buffer.push_back(android::base::StringPrintf("error: %d", kZipOpenFailure));
@@ -386,3 +541,25 @@
     }
     return result;
 }
+
+bool verify_package(const unsigned char* package_data, size_t package_size) {
+    std::vector<Certificate> loadedKeys;
+    if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) {
+        LOGE("Failed to load keys\n");
+        return false;
+    }
+    LOGI("%zu key(s) loaded from %s\n", loadedKeys.size(), PUBLIC_KEYS_FILE);
+
+    // Verify package.
+    ui->Print("Verifying update package...\n");
+    auto t0 = std::chrono::system_clock::now();
+    int err = verify_file(const_cast<unsigned char*>(package_data), package_size, loadedKeys);
+    std::chrono::duration<double> duration = std::chrono::system_clock::now() - t0;
+    ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err);
+    if (err != VERIFY_SUCCESS) {
+        LOGE("Signature verification failed\n");
+        LOGE("error: %d\n", kZipVerificationFailure);
+        return false;
+    }
+    return true;
+}
diff --git a/install.h b/install.h
index 66764f5..14de225 100644
--- a/install.h
+++ b/install.h
@@ -17,11 +17,10 @@
 #ifndef RECOVERY_INSTALL_H_
 #define RECOVERY_INSTALL_H_
 
-#include "common.h"
+#include <string>
 
-#ifdef __cplusplus
-extern "C" {
-#endif
+#include "common.h"
+#include "minzip/Zip.h"
 
 enum { INSTALL_SUCCESS, INSTALL_ERROR, INSTALL_CORRUPT, INSTALL_NONE, INSTALL_SKIPPED,
         INSTALL_RETRY };
@@ -31,8 +30,12 @@
 int install_package(const char* root_path, bool* wipe_cache, const char* install_file,
                     bool needs_mount, int retry_count);
 
-#ifdef __cplusplus
-}
-#endif
+// Verify the package by ota keys. Return true if the package is verified successfully,
+// otherwise return false.
+bool verify_package(const unsigned char* package_data, size_t package_size);
+
+// Read meta data file of the package, write its content in the string pointed by meta_data.
+// Return true if succeed, otherwise return false.
+bool read_metadata_from_package(ZipArchive* zip, std::string* meta_data);
 
 #endif  // RECOVERY_INSTALL_H_
diff --git a/minui/font_10x18.h b/minui/font_10x18.h
index 29d7053..30dfb9c 100644
--- a/minui/font_10x18.h
+++ b/minui/font_10x18.h
@@ -1,14 +1,14 @@
 struct {
   unsigned width;
   unsigned height;
-  unsigned cwidth;
-  unsigned cheight;
+  unsigned char_width;
+  unsigned char_height;
   unsigned char rundata[2973];
 } font = {
   .width = 960,
   .height = 18,
-  .cwidth = 10,
-  .cheight = 18,
+  .char_width = 10,
+  .char_height = 18,
   .rundata = {
 0x7f,0x7f,0x7f,0x7f,0x7f,0x7f,0x7f,0x55,0x82,0x06,0x82,0x02,0x82,0x10,0x82,
 0x11,0x83,0x08,0x82,0x0a,0x82,0x04,0x82,0x46,0x82,0x08,0x82,0x07,0x84,0x06,
diff --git a/minui/graphics.cpp b/minui/graphics.cpp
index c0eea9e..43ec83f 100644
--- a/minui/graphics.cpp
+++ b/minui/graphics.cpp
@@ -35,12 +35,6 @@
 #include "minui.h"
 #include "graphics.h"
 
-struct GRFont {
-    GRSurface* texture;
-    int cwidth;
-    int cheight;
-};
-
 static GRFont* gr_font = NULL;
 static minui_backend* gr_backend = NULL;
 
@@ -60,15 +54,20 @@
     return x < 0 || x >= gr_draw->width || y < 0 || y >= gr_draw->height;
 }
 
-int gr_measure(const char *s)
+const GRFont* gr_sys_font()
 {
-    return gr_font->cwidth * strlen(s);
+    return gr_font;
 }
 
-void gr_font_size(int *x, int *y)
+int gr_measure(const GRFont* font, const char *s)
 {
-    *x = gr_font->cwidth;
-    *y = gr_font->cheight;
+    return font->char_width * strlen(s);
+}
+
+void gr_font_size(const GRFont* font, int *x, int *y)
+{
+    *x = font->char_width;
+    *y = font->char_height;
 }
 
 static void text_blend(unsigned char* src_p, int src_row_bytes,
@@ -103,34 +102,32 @@
     }
 }
 
-void gr_text(int x, int y, const char *s, bool bold)
+void gr_text(const GRFont* font, int x, int y, const char *s, bool bold)
 {
-    GRFont* font = gr_font;
-
     if (!font->texture || gr_current_a == 0) return;
 
-    bold = bold && (font->texture->height != font->cheight);
+    bold = bold && (font->texture->height != font->char_height);
 
     x += overscan_offset_x;
     y += overscan_offset_y;
 
     unsigned char ch;
     while ((ch = *s++)) {
-        if (outside(x, y) || outside(x+font->cwidth-1, y+font->cheight-1)) break;
+        if (outside(x, y) || outside(x+font->char_width-1, y+font->char_height-1)) break;
 
         if (ch < ' ' || ch > '~') {
             ch = '?';
         }
 
-        unsigned char* src_p = font->texture->data + ((ch - ' ') * font->cwidth) +
-                               (bold ? font->cheight * font->texture->row_bytes : 0);
+        unsigned char* src_p = font->texture->data + ((ch - ' ') * font->char_width) +
+                               (bold ? font->char_height * font->texture->row_bytes : 0);
         unsigned char* dst_p = gr_draw->data + y*gr_draw->row_bytes + x*gr_draw->pixel_bytes;
 
         text_blend(src_p, font->texture->row_bytes,
                    dst_p, gr_draw->row_bytes,
-                   font->cwidth, font->cheight);
+                   font->char_width, font->char_height);
 
-        x += font->cwidth;
+        x += font->char_width;
     }
 }
 
@@ -267,40 +264,51 @@
     return surface->height;
 }
 
+int gr_init_font(const char* name, GRFont* dest) {
+    int res = res_create_alpha_surface(name, &(dest->texture));
+    if (res < 0) {
+        return res;
+    }
+
+    // The font image should be a 96x2 array of character images.  The
+    // columns are the printable ASCII characters 0x20 - 0x7f.  The
+    // top row is regular text; the bottom row is bold.
+    dest->char_width = dest->texture->width / 96;
+    dest->char_height = dest->texture->height / 2;
+
+    return 0;
+}
+
 static void gr_init_font(void)
 {
     gr_font = reinterpret_cast<GRFont*>(calloc(sizeof(*gr_font), 1));
 
-    int res = res_create_alpha_surface("font", &(gr_font->texture));
+    int res = gr_init_font("font", gr_font);
     if (res == 0) {
-        // The font image should be a 96x2 array of character images.  The
-        // columns are the printable ASCII characters 0x20 - 0x7f.  The
-        // top row is regular text; the bottom row is bold.
-        gr_font->cwidth = gr_font->texture->width / 96;
-        gr_font->cheight = gr_font->texture->height / 2;
-    } else {
-        printf("failed to read font: res=%d\n", res);
-
-        // fall back to the compiled-in font.
-        gr_font->texture = reinterpret_cast<GRSurface*>(malloc(sizeof(*gr_font->texture)));
-        gr_font->texture->width = font.width;
-        gr_font->texture->height = font.height;
-        gr_font->texture->row_bytes = font.width;
-        gr_font->texture->pixel_bytes = 1;
-
-        unsigned char* bits = reinterpret_cast<unsigned char*>(malloc(font.width * font.height));
-        gr_font->texture->data = reinterpret_cast<unsigned char*>(bits);
-
-        unsigned char data;
-        unsigned char* in = font.rundata;
-        while((data = *in++)) {
-            memset(bits, (data & 0x80) ? 255 : 0, data & 0x7f);
-            bits += (data & 0x7f);
-        }
-
-        gr_font->cwidth = font.cwidth;
-        gr_font->cheight = font.cheight;
+        return;
     }
+
+    printf("failed to read font: res=%d\n", res);
+
+    // fall back to the compiled-in font.
+    gr_font->texture = reinterpret_cast<GRSurface*>(malloc(sizeof(*gr_font->texture)));
+    gr_font->texture->width = font.width;
+    gr_font->texture->height = font.height;
+    gr_font->texture->row_bytes = font.width;
+    gr_font->texture->pixel_bytes = 1;
+
+    unsigned char* bits = reinterpret_cast<unsigned char*>(malloc(font.width * font.height));
+    gr_font->texture->data = reinterpret_cast<unsigned char*>(bits);
+
+    unsigned char data;
+    unsigned char* in = font.rundata;
+    while((data = *in++)) {
+        memset(bits, (data & 0x80) ? 255 : 0, data & 0x7f);
+        bits += (data & 0x7f);
+    }
+
+    gr_font->char_width = font.char_width;
+    gr_font->char_height = font.char_height;
 }
 
 #if 0
diff --git a/minui/minui.h b/minui/minui.h
index 5362d3f..f6b42c6 100644
--- a/minui/minui.h
+++ b/minui/minui.h
@@ -33,6 +33,12 @@
     unsigned char* data;
 };
 
+struct GRFont {
+    GRSurface* texture;
+    int char_width;
+    int char_height;
+};
+
 int gr_init();
 void gr_exit();
 
@@ -45,10 +51,14 @@
 void gr_clear();  // clear entire surface to current color
 void gr_color(unsigned char r, unsigned char g, unsigned char b, unsigned char a);
 void gr_fill(int x1, int y1, int x2, int y2);
-void gr_text(int x, int y, const char *s, bool bold);
+
 void gr_texticon(int x, int y, GRSurface* icon);
-int gr_measure(const char *s);
-void gr_font_size(int *x, int *y);
+
+const GRFont* gr_sys_font();
+int gr_init_font(const char* name, GRFont* dest);
+void gr_text(const GRFont* font, int x, int y, const char *s, bool bold);
+int gr_measure(const GRFont* font, const char *s);
+void gr_font_size(const GRFont* font, int *x, int *y);
 
 void gr_blit(GRSurface* source, int sx, int sy, int w, int h, int dx, int dy);
 unsigned int gr_get_width(GRSurface* surface);
diff --git a/recovery.cpp b/recovery.cpp
index 45a6fe9..6989fe0 100644
--- a/recovery.cpp
+++ b/recovery.cpp
@@ -45,6 +45,7 @@
 #include <android-base/stringprintf.h>
 #include <android-base/strings.h>
 #include <android-base/unique_fd.h>
+#include <bootloader_message/bootloader_message.h>
 #include <cutils/android_reboot.h>
 #include <cutils/properties.h>
 #include <healthd/BatteryMonitor.h>
@@ -54,7 +55,6 @@
 #include <selinux/selinux.h>
 
 #include "adb_install.h"
-#include "bootloader.h"
 #include "common.h"
 #include "device.h"
 #include "error_code.h"
@@ -63,6 +63,7 @@
 #include "install.h"
 #include "minui/minui.h"
 #include "minzip/DirUtil.h"
+#include "minzip/Zip.h"
 #include "roots.h"
 #include "ui.h"
 #include "screen_ui.h"
@@ -83,10 +84,17 @@
   { "shutdown_after", no_argument, NULL, 'p' },
   { "reason", required_argument, NULL, 'r' },
   { "security", no_argument, NULL, 'e'},
-  { "brick", no_argument, NULL, 0 },
+  { "wipe_ab", no_argument, NULL, 0 },
+  { "wipe_package_size", required_argument, NULL, 0 },
   { NULL, 0, NULL, 0 },
 };
 
+// More bootreasons can be found in "system/core/bootstat/bootstat.cpp".
+static const std::vector<std::string> bootreason_blacklist {
+  "kernel_panic",
+  "Panic",
+};
+
 static const char *CACHE_LOG_DIR = "/cache/recovery";
 static const char *COMMAND_FILE = "/cache/recovery/command";
 static const char *LOG_FILE = "/cache/recovery/log";
@@ -110,7 +118,7 @@
 // So we should check battery with a slightly lower limitation.
 static const int BATTERY_OK_PERCENTAGE = 20;
 static const int BATTERY_WITH_CHARGER_OK_PERCENTAGE = 15;
-constexpr const char* RECOVERY_BRICK = "/etc/recovery.brick";
+constexpr const char* RECOVERY_WIPE = "/etc/recovery.wipe";
 
 RecoveryUI* ui = NULL;
 static const char* locale = "en_US";
@@ -298,9 +306,13 @@
 //   - the contents of COMMAND_FILE (one per line)
 static void
 get_args(int *argc, char ***argv) {
-    struct bootloader_message boot;
-    memset(&boot, 0, sizeof(boot));
-    get_bootloader_message(&boot);  // this may fail, leaving a zeroed structure
+    bootloader_message boot = {};
+    std::string err;
+    if (!read_bootloader_message(&boot, &err)) {
+        LOGE("%s\n", err.c_str());
+        // If fails, leave a zeroed bootloader_message.
+        memset(&boot, 0, sizeof(boot));
+    }
     stage = strndup(boot.stage, sizeof(boot.stage));
 
     if (boot.command[0] != 0 && boot.command[0] != 255) {
@@ -362,16 +374,20 @@
         strlcat(boot.recovery, (*argv)[i], sizeof(boot.recovery));
         strlcat(boot.recovery, "\n", sizeof(boot.recovery));
     }
-    set_bootloader_message(&boot);
+    if (!write_bootloader_message(boot, &err)) {
+        LOGE("%s\n", err.c_str());
+    }
 }
 
 static void
 set_sdcard_update_bootloader_message() {
-    struct bootloader_message boot;
-    memset(&boot, 0, sizeof(boot));
+    bootloader_message boot = {};
     strlcpy(boot.command, "boot-recovery", sizeof(boot.command));
     strlcpy(boot.recovery, "recovery\n", sizeof(boot.recovery));
-    set_bootloader_message(&boot);
+    std::string err;
+    if (!write_bootloader_message(boot, &err)) {
+        LOGE("%s\n", err.c_str());
+    }
 }
 
 // Read from kernel log into buffer and write out to file.
@@ -522,9 +538,11 @@
     copy_logs();
 
     // Reset to normal system boot so recovery won't cycle indefinitely.
-    struct bootloader_message boot;
-    memset(&boot, 0, sizeof(boot));
-    set_bootloader_message(&boot);
+    bootloader_message boot = {};
+    std::string err;
+    if (!write_bootloader_message(boot, &err)) {
+        LOGE("%s\n", err.c_str());
+    }
 
     // Remove the command file, so recovery won't repeat indefinitely.
     if (has_cache) {
@@ -892,15 +910,79 @@
     return true;
 }
 
-// Brick the current device, with a secure wipe of all the partitions in
-// RECOVERY_BRICK.
-static bool brick_device() {
+// Check if the wipe package matches expectation:
+// 1. verify the package.
+// 2. check metadata (ota-type, pre-device and serial number if having one).
+static bool check_wipe_package(size_t wipe_package_size) {
+    if (wipe_package_size == 0) {
+        LOGE("wipe_package_size is zero.\n");
+        return false;
+    }
+    std::string wipe_package;
+    std::string err_str;
+    if (!read_wipe_package(&wipe_package, wipe_package_size, &err_str)) {
+        LOGE("Failed to read wipe package: %s\n", err_str.c_str());
+        return false;
+    }
+    if (!verify_package(reinterpret_cast<const unsigned char*>(wipe_package.data()),
+                        wipe_package.size())) {
+        LOGE("Failed to verify package.\n");
+        return false;
+    }
+
+    // Extract metadata
+    ZipArchive zip;
+    int err = mzOpenZipArchive(reinterpret_cast<unsigned char*>(&wipe_package[0]),
+                               wipe_package.size(), &zip);
+    if (err != 0) {
+        LOGE("Can't open wipe package: %s\n", err != -1 ? strerror(err) : "bad");
+        return false;
+    }
+    std::string metadata;
+    if (!read_metadata_from_package(&zip, &metadata)) {
+        mzCloseZipArchive(&zip);
+        return false;
+    }
+    mzCloseZipArchive(&zip);
+
+    // Check metadata
+    std::vector<std::string> lines = android::base::Split(metadata, "\n");
+    bool ota_type_matched = false;
+    bool device_type_matched = false;
+    bool has_serial_number = false;
+    bool serial_number_matched = false;
+    for (const auto& line : lines) {
+        if (line == "ota-type=BRICK") {
+            ota_type_matched = true;
+        } else if (android::base::StartsWith(line, "pre-device=")) {
+            std::string device_type = line.substr(strlen("pre-device="));
+            char real_device_type[PROPERTY_VALUE_MAX];
+            property_get("ro.build.product", real_device_type, "");
+            device_type_matched = (device_type == real_device_type);
+        } else if (android::base::StartsWith(line, "serialno=")) {
+            std::string serial_no = line.substr(strlen("serialno="));
+            char real_serial_no[PROPERTY_VALUE_MAX];
+            property_get("ro.serialno", real_serial_no, "");
+            has_serial_number = true;
+            serial_number_matched = (serial_no == real_serial_no);
+        }
+    }
+    return ota_type_matched && device_type_matched && (!has_serial_number || serial_number_matched);
+}
+
+// Wipe the current A/B device, with a secure wipe of all the partitions in
+// RECOVERY_WIPE.
+static bool wipe_ab_device(size_t wipe_package_size) {
     ui->SetBackground(RecoveryUI::ERASING);
     ui->SetProgressType(RecoveryUI::INDETERMINATE);
 
+    if (!check_wipe_package(wipe_package_size)) {
+        LOGE("Failed to verify wipe package\n");
+        return false;
+    }
     std::string partition_list;
-    if (!android::base::ReadFileToString(RECOVERY_BRICK, &partition_list)) {
-        LOGE("failed to read \"%s\".\n", RECOVERY_BRICK);
+    if (!android::base::ReadFileToString(RECOVERY_WIPE, &partition_list)) {
+        LOGE("failed to read \"%s\".\n", RECOVERY_WIPE);
         return false;
     }
 
@@ -1296,7 +1378,7 @@
 }
 
 static void set_retry_bootloader_message(int retry_count, int argc, char** argv) {
-    struct bootloader_message boot {};
+    bootloader_message boot = {};
     strlcpy(boot.command, "boot-recovery", sizeof(boot.command));
     strlcpy(boot.recovery, "recovery\n", sizeof(boot.recovery));
 
@@ -1315,7 +1397,34 @@
         snprintf(buffer, sizeof(buffer), "--retry_count=%d\n", retry_count+1);
         strlcat(boot.recovery, buffer, sizeof(boot.recovery));
     }
-    set_bootloader_message(&boot);
+    std::string err;
+    if (!write_bootloader_message(boot, &err)) {
+        LOGE("%s\n", err.c_str());
+    }
+}
+
+static bool bootreason_in_blacklist() {
+    char bootreason[PROPERTY_VALUE_MAX];
+    if (property_get("ro.boot.bootreason", bootreason, nullptr) > 0) {
+        for (const auto& str : bootreason_blacklist) {
+            if (strcasecmp(str.c_str(), bootreason) == 0) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+
+static void log_failure_code(ErrorCode code, const char *update_package) {
+    FILE* install_log = fopen_path(TEMPORARY_INSTALL_FILE, "w");
+    if (install_log != nullptr) {
+        fprintf(install_log, "%s\n", update_package);
+        fprintf(install_log, "0\n");
+        fprintf(install_log, "error: %d\n", code);
+        fclose(install_log);
+    } else {
+        LOGE("failed to open last_install: %s\n", strerror(errno));
+    }
 }
 
 static ssize_t logbasename(
@@ -1409,7 +1518,8 @@
     const char *update_package = NULL;
     bool should_wipe_data = false;
     bool should_wipe_cache = false;
-    bool should_brick = false;
+    bool should_wipe_ab = false;
+    size_t wipe_package_size = 0;
     bool show_text = false;
     bool sideload = false;
     bool sideload_auto_reboot = false;
@@ -1443,8 +1553,11 @@
         case 'r': reason = optarg; break;
         case 'e': security_update = true; break;
         case 0: {
-            if (strcmp(OPTIONS[option_index].name, "brick") == 0) {
-                should_brick = true;
+            if (strcmp(OPTIONS[option_index].name, "wipe_ab") == 0) {
+                should_wipe_ab = true;
+                break;
+            } else if (strcmp(OPTIONS[option_index].name, "wipe_package_size") == 0) {
+                android::base::ParseUint(optarg, &wipe_package_size);
                 break;
             }
             break;
@@ -1535,15 +1648,12 @@
                       BATTERY_OK_PERCENTAGE);
             // Log the error code to last_install when installation skips due to
             // low battery.
-            FILE* install_log = fopen_path(LAST_INSTALL_FILE, "w");
-            if (install_log != nullptr) {
-                fprintf(install_log, "%s\n", update_package);
-                fprintf(install_log, "0\n");
-                fprintf(install_log, "error: %d\n", kLowBattery);
-                fclose(install_log);
-            } else {
-                LOGE("failed to open last_install: %s\n", strerror(errno));
-            }
+            log_failure_code(kLowBattery, update_package);
+            status = INSTALL_SKIPPED;
+        } else if (bootreason_in_blacklist()) {
+            // Skip update-on-reboot when bootreason is kernel_panic or similar
+            ui->Print("bootreason is in the blacklist; skip OTA installation\n");
+            log_failure_code(kBootreasonInBlacklist, update_package);
             status = INSTALL_SKIPPED;
         } else {
             status = install_package(update_package, &should_wipe_cache,
@@ -1587,8 +1697,8 @@
         if (!wipe_cache(false, device)) {
             status = INSTALL_ERROR;
         }
-    } else if (should_brick) {
-        if (!brick_device()) {
+    } else if (should_wipe_ab) {
+        if (!wipe_ab_device(wipe_package_size)) {
             status = INSTALL_ERROR;
         }
     } else if (sideload) {
diff --git a/screen_ui.cpp b/screen_ui.cpp
index 3697554..4866873 100644
--- a/screen_ui.cpp
+++ b/screen_ui.cpp
@@ -105,29 +105,41 @@
 
 // Here's the intended layout:
 
-//          | regular     large
-// ---------+--------------------
-//          |   220dp     366dp
-// icon     |  (200dp)   (200dp)
-//          |    68dp      68dp
-// text     |   (14sp)    (14sp)
-//          |    32dp      32dp
-// progress |    (2dp)     (2dp)
-//          |   194dp     340dp
+//          | portrait    large        landscape      large
+// ---------+-------------------------------------------------
+//      gap |   220dp     366dp            142dp      284dp
+// icon     |                   (200dp)
+//      gap |    68dp      68dp             56dp      112dp
+// text     |                    (14sp)
+//      gap |    32dp      32dp             26dp       52dp
+// progress |                     (2dp)
+//      gap |   194dp     340dp            131dp      262dp
 
 // Note that "baseline" is actually the *top* of each icon (because that's how our drawing
 // routines work), so that's the more useful measurement for calling code.
 
+enum Layout { PORTRAIT = 0, PORTRAIT_LARGE = 1, LANDSCAPE = 2, LANDSCAPE_LARGE = 3, LAYOUT_MAX };
+enum Dimension { PROGRESS = 0, TEXT = 1, ICON = 2, DIMENSION_MAX };
+static constexpr int kLayouts[LAYOUT_MAX][DIMENSION_MAX] = {
+    { 194,  32,  68, }, // PORTRAIT
+    { 340,  32,  68, }, // PORTRAIT_LARGE
+    { 131,  26,  56, }, // LANDSCAPE
+    { 262,  52, 112, }, // LANDSCAPE_LARGE
+};
+
 int ScreenRecoveryUI::GetAnimationBaseline() {
-    return GetTextBaseline() - PixelsFromDp(68) - gr_get_height(loopFrames[0]);
+    return GetTextBaseline() - PixelsFromDp(kLayouts[layout_][ICON]) -
+            gr_get_height(loopFrames[0]);
 }
 
 int ScreenRecoveryUI::GetTextBaseline() {
-    return GetProgressBaseline() - PixelsFromDp(32) - gr_get_height(installing_text);
+    return GetProgressBaseline() - PixelsFromDp(kLayouts[layout_][TEXT]) -
+            gr_get_height(installing_text);
 }
 
 int ScreenRecoveryUI::GetProgressBaseline() {
-    return gr_fb_height() - PixelsFromDp(is_large_ ? 340 : 194) - gr_get_height(progressBarFill);
+    return gr_fb_height() - PixelsFromDp(kLayouts[layout_][PROGRESS]) -
+            gr_get_height(progressBarFill);
 }
 
 // Clear the screen and draw the currently selected background icon (if any).
@@ -247,7 +259,7 @@
 }
 
 void ScreenRecoveryUI::DrawTextLine(int x, int* y, const char* line, bool bold) {
-    gr_text(x, *y, line, bold);
+    gr_text(gr_sys_font(), x, *y, line, bold);
     *y += char_height_ + 4;
 }
 
@@ -303,10 +315,10 @@
                     gr_fill(0, y - 2, gr_fb_width(), y + char_height_ + 2);
                     // Bold white text for the selected item.
                     SetColor(MENU_SEL_FG);
-                    gr_text(4, y, menu_[i], true);
+                    gr_text(gr_sys_font(), 4, y, menu_[i], true);
                     SetColor(MENU);
                 } else {
-                    gr_text(4, y, menu_[i], false);
+                    gr_text(gr_sys_font(), 4, y, menu_[i], false);
                 }
                 y += char_height_ + 4;
             }
@@ -322,7 +334,7 @@
         for (int ty = gr_fb_height() - char_height_;
              ty >= y && count < text_rows_;
              ty -= char_height_, ++count) {
-            gr_text(0, ty, text_[row], false);
+            gr_text(gr_sys_font(), 0, ty, text_[row], false);
             --row;
             if (row < 0) row = text_rows_ - 1;
         }
@@ -439,9 +451,13 @@
     gr_init();
 
     density_ = static_cast<float>(property_get_int32("ro.sf.lcd_density", 160)) / 160.f;
-    is_large_ = gr_fb_height() > PixelsFromDp(800);
 
-    gr_font_size(&char_width_, &char_height_);
+    // Are we portrait or landscape?
+    layout_ = (gr_fb_width() > gr_fb_height()) ? LANDSCAPE : PORTRAIT;
+    // Are we the large variant of our base layout?
+    if (gr_fb_height() > PixelsFromDp(800)) ++layout_;
+
+    gr_font_size(gr_sys_font(), &char_width_, &char_height_);
     text_rows_ = gr_fb_height() / char_height_;
     text_cols_ = gr_fb_width() / char_width_;
 
diff --git a/screen_ui.h b/screen_ui.h
index 4319b76..8987757 100644
--- a/screen_ui.h
+++ b/screen_ui.h
@@ -77,8 +77,8 @@
 
     // The scale factor from dp to pixels. 1.0 for mdpi, 4.0 for xxxhdpi.
     float density_;
-    // True if we should use the large layout.
-    bool is_large_;
+    // The layout to use.
+    int layout_;
 
     GRSurface* error_icon;
 
diff --git a/uncrypt/Android.mk b/uncrypt/Android.mk
index 09cfdfc..bb276ed 100644
--- a/uncrypt/Android.mk
+++ b/uncrypt/Android.mk
@@ -15,15 +15,6 @@
 LOCAL_PATH := $(call my-dir)
 
 include $(CLEAR_VARS)
-LOCAL_CLANG := true
-LOCAL_SRC_FILES := bootloader_message_writer.cpp
-LOCAL_MODULE := libbootloader_message_writer
-LOCAL_STATIC_LIBRARIES := libbase libfs_mgr
-LOCAL_C_INCLUDES := $(LOCAL_PATH)/..
-LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include
-include $(BUILD_STATIC_LIBRARY)
-
-include $(CLEAR_VARS)
 
 LOCAL_CLANG := true
 
@@ -33,7 +24,7 @@
 
 LOCAL_MODULE := uncrypt
 
-LOCAL_STATIC_LIBRARIES := libbootloader_message_writer libbase \
+LOCAL_STATIC_LIBRARIES := libbootloader_message libbase \
                           liblog libfs_mgr libcutils \
 
 LOCAL_INIT_RC := uncrypt.rc
diff --git a/uncrypt/bootloader_message_writer.cpp b/uncrypt/bootloader_message_writer.cpp
deleted file mode 100644
index 3bb106a..0000000
--- a/uncrypt/bootloader_message_writer.cpp
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Copyright (C) 2016 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <string.h>
-#include <sys/system_properties.h>
-
-#include <string>
-#include <vector>
-
-#include <android-base/file.h>
-#include <android-base/stringprintf.h>
-#include <android-base/unique_fd.h>
-#include <fs_mgr.h>
-
-#include "bootloader.h"
-
-static struct fstab* read_fstab(std::string* err) {
-  // The fstab path is always "/fstab.${ro.hardware}".
-  std::string fstab_path = "/fstab.";
-  char value[PROP_VALUE_MAX];
-  if (__system_property_get("ro.hardware", value) == 0) {
-    *err = "failed to get ro.hardware";
-    return nullptr;
-  }
-  fstab_path += value;
-  struct fstab* fstab = fs_mgr_read_fstab(fstab_path.c_str());
-  if (fstab == nullptr) {
-    *err = "failed to read " + fstab_path;
-  }
-  return fstab;
-}
-
-static std::string get_misc_blk_device(std::string* err) {
-  struct fstab* fstab = read_fstab(err);
-  if (fstab == nullptr) {
-    return "";
-  }
-  fstab_rec* record = fs_mgr_get_entry_for_mount_point(fstab, "/misc");
-  if (record == nullptr) {
-    *err = "failed to find /misc partition";
-    return "";
-  }
-  return record->blk_device;
-}
-
-static bool write_bootloader_message(const bootloader_message& boot, std::string* err) {
-  std::string misc_blk_device = get_misc_blk_device(err);
-  if (misc_blk_device.empty()) {
-    return false;
-  }
-  android::base::unique_fd fd(open(misc_blk_device.c_str(), O_WRONLY | O_SYNC));
-  if (fd.get() == -1) {
-    *err = android::base::StringPrintf("failed to open %s: %s", misc_blk_device.c_str(),
-                                       strerror(errno));
-    return false;
-  }
-  if (!android::base::WriteFully(fd.get(), &boot, sizeof(boot))) {
-    *err = android::base::StringPrintf("failed to write %s: %s", misc_blk_device.c_str(),
-                                       strerror(errno));
-    return false;
-  }
-  // TODO: O_SYNC and fsync duplicates each other?
-  if (fsync(fd.get()) == -1) {
-    *err = android::base::StringPrintf("failed to fsync %s: %s", misc_blk_device.c_str(),
-                                       strerror(errno));
-    return false;
-  }
-  return true;
-}
-
-bool clear_bootloader_message(std::string* err) {
-  bootloader_message boot = {};
-  return write_bootloader_message(boot, err);
-}
-
-bool write_bootloader_message(const std::vector<std::string>& options, std::string* err) {
-  bootloader_message boot = {};
-  strlcpy(boot.command, "boot-recovery", sizeof(boot.command));
-  strlcpy(boot.recovery, "recovery\n", sizeof(boot.recovery));
-  for (const auto& s : options) {
-    strlcat(boot.recovery, s.c_str(), sizeof(boot.recovery));
-    if (s.back() != '\n') {
-      strlcat(boot.recovery, "\n", sizeof(boot.recovery));
-    }
-  }
-  return write_bootloader_message(boot, err);
-}
-
-extern "C" bool write_bootloader_message(const char* options) {
-  std::string err;
-  return write_bootloader_message({options}, &err);
-}
diff --git a/uncrypt/include/bootloader_message_writer.h b/uncrypt/include/bootloader_message_writer.h
deleted file mode 100644
index e0ca3f4..0000000
--- a/uncrypt/include/bootloader_message_writer.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2016 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef BOOTLOADER_MESSAGE_WRITER_H
-#define BOOTLOADER_MESSAGE_WRITER_H
-
-#ifdef __cplusplus
-#include <string>
-#include <vector>
-
-bool clear_bootloader_message(std::string* err);
-
-bool write_bootloader_message(const std::vector<std::string>& options, std::string* err);
-
-#else
-#include <stdbool.h>
-
-// C Interface.
-bool write_bootloader_message(const char* options);
-#endif
-
-#endif  // BOOTLOADER_MESSAGE_WRITER_H
diff --git a/uncrypt/uncrypt.cpp b/uncrypt/uncrypt.cpp
index 5697712..c19943f 100644
--- a/uncrypt/uncrypt.cpp
+++ b/uncrypt/uncrypt.cpp
@@ -110,7 +110,7 @@
 #include <android-base/stringprintf.h>
 #include <android-base/strings.h>
 #include <android-base/unique_fd.h>
-#include <bootloader_message_writer.h>
+#include <bootloader_message/bootloader_message.h>
 #include <cutils/android_reboot.h>
 #include <cutils/properties.h>
 #include <cutils/sockets.h>
@@ -501,14 +501,31 @@
         return false;
     }
     ALOGI("  received command: [%s] (%zu)", content.c_str(), content.size());
+    std::vector<std::string> options = android::base::Split(content, "\n");
+    std::string wipe_package;
+    for (auto& option : options) {
+        if (android::base::StartsWith(option, "--wipe_package=")) {
+            std::string path = option.substr(strlen("--wipe_package="));
+            if (!android::base::ReadFileToString(path, &wipe_package)) {
+                ALOGE("failed to read %s: %s", path.c_str(), strerror(errno));
+                return false;
+            }
+            option = android::base::StringPrintf("--wipe_package_size=%zu", wipe_package.size());
+        }
+    }
 
     // c8. setup the bcb command
     std::string err;
-    if (!write_bootloader_message({content}, &err)) {
+    if (!write_bootloader_message(options, &err)) {
         ALOGE("failed to set bootloader message: %s", err.c_str());
         write_status_to_socket(-1, socket);
         return false;
     }
+    if (!wipe_package.empty() && !write_wipe_package(wipe_package, &err)) {
+        ALOGE("failed to set wipe package: %s", err.c_str());
+        write_status_to_socket(-1, socket);
+        return false;
+    }
     // c10. send "100" status
     write_status_to_socket(100, socket);
     return true;
diff --git a/update_verifier/Android.mk b/update_verifier/Android.mk
index 7f28bce..2bfd016 100644
--- a/update_verifier/Android.mk
+++ b/update_verifier/Android.mk
@@ -18,7 +18,10 @@
 
 LOCAL_CLANG := true
 LOCAL_SRC_FILES := update_verifier.cpp
+
 LOCAL_MODULE := update_verifier
-LOCAL_SHARED_LIBRARIES := libhardware liblog
+LOCAL_SHARED_LIBRARIES := libbase libcutils libhardware liblog
+
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/..
 
 include $(BUILD_EXECUTABLE)
diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp
index be70cec..5cff8be 100644
--- a/update_verifier/update_verifier.cpp
+++ b/update_verifier/update_verifier.cpp
@@ -22,24 +22,123 @@
  * It relies on dm-verity to capture any corruption on the partitions being
  * verified. dm-verity must be in enforcing mode, so that it will reboot the
  * device on dm-verity failures. When that happens, the bootloader should
- * mark the slot as unbootable and stops trying. We should never see a device
- * started in dm-verity logging mode but with isSlotMarkedSuccessful equals to
- * 0.
+ * mark the slot as unbootable and stops trying. Other dm-verity modes (
+ * for example, veritymode=EIO) are not accepted and simply lead to a
+ * verification failure.
  *
  * The current slot will be marked as having booted successfully if the
  * verifier reaches the end after the verification.
  *
- * TODO: The actual verification part will be added later after we have the
- * A/B OTA package format in place.
  */
 
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
 #include <string.h>
 
-#include <hardware/boot_control.h>
+#include <string>
+#include <vector>
 
+#include <android-base/file.h>
+#include <android-base/parseint.h>
+#include <android-base/strings.h>
+#include <android-base/unique_fd.h>
+#include <cutils/properties.h>
+#include <hardware/boot_control.h>
 #define LOG_TAG       "update_verifier"
 #include <log/log.h>
 
+constexpr auto CARE_MAP_FILE = "/data/ota_package/care_map.txt";
+constexpr int BLOCKSIZE = 4096;
+
+static bool read_blocks(const std::string& blk_device_prefix, const std::string& range_str) {
+    char slot_suffix[PROPERTY_VALUE_MAX];
+    property_get("ro.boot.slot_suffix", slot_suffix, "");
+    std::string blk_device = blk_device_prefix + std::string(slot_suffix);
+    android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(blk_device.c_str(), O_RDONLY)));
+    if (fd.get() == -1) {
+        SLOGE("Error reading partition %s: %s\n", blk_device.c_str(), strerror(errno));
+        return false;
+    }
+
+    // For block range string, first integer 'count' equals 2 * total number of valid ranges,
+    // followed by 'count' number comma separated integers. Every two integers reprensent a
+    // block range with the first number included in range but second number not included.
+    // For example '4,64536,65343,74149,74150' represents: [64536,65343) and [74149,74150).
+    std::vector<std::string> ranges = android::base::Split(range_str, ",");
+    size_t range_count;
+    bool status = android::base::ParseUint(ranges[0].c_str(), &range_count);
+    if (!status || (range_count == 0) || (range_count % 2 != 0) ||
+            (range_count != ranges.size()-1)) {
+        SLOGE("Error in parsing range string.\n");
+        return false;
+    }
+
+    size_t blk_count = 0;
+    for (size_t i = 1; i < ranges.size(); i += 2) {
+        unsigned int range_start, range_end;
+        bool parse_status = android::base::ParseUint(ranges[i].c_str(), &range_start);
+        parse_status = parse_status && android::base::ParseUint(ranges[i+1].c_str(), &range_end);
+        if (!parse_status || range_start >= range_end) {
+            SLOGE("Invalid range pair %s, %s.\n", ranges[i].c_str(), ranges[i+1].c_str());
+            return false;
+        }
+
+        if (lseek64(fd.get(), static_cast<off64_t>(range_start) * BLOCKSIZE, SEEK_SET) == -1) {
+            SLOGE("lseek to %u failed: %s.\n", range_start, strerror(errno));
+            return false;
+        }
+
+        size_t size = (range_end - range_start) * BLOCKSIZE;
+        std::vector<uint8_t> buf(size);
+        if (!android::base::ReadFully(fd.get(), buf.data(), size)) {
+            SLOGE("Failed to read blocks %u to %u: %s.\n", range_start, range_end,
+                  strerror(errno));
+            return false;
+        }
+        blk_count += (range_end - range_start);
+    }
+
+    SLOGI("Finished reading %zu blocks on %s.\n", blk_count, blk_device.c_str());
+    return true;
+}
+
+static bool verify_image(const std::string& care_map_name) {
+    android::base::unique_fd care_map_fd(TEMP_FAILURE_RETRY(open(care_map_name.c_str(), O_RDONLY)));
+    // If the device is flashed before the current boot, it may not have care_map.txt
+    // in /data/ota_package. To allow the device to continue booting in this situation,
+    // we should print a warning and skip the block verification.
+    if (care_map_fd.get() == -1) {
+        SLOGI("Warning: care map %s not found.\n", care_map_name.c_str());
+        return true;
+    }
+    // Care map file has four lines (two lines if vendor partition is not present):
+    // First line has the block device name, e.g./dev/block/.../by-name/system.
+    // Second line holds all ranges of blocks to verify.
+    // The next two lines have the same format but for vendor partition.
+    std::string file_content;
+    if (!android::base::ReadFdToString(care_map_fd.get(), &file_content)) {
+        SLOGE("Error reading care map contents to string.\n");
+        return false;
+    }
+
+    std::vector<std::string> lines;
+    lines = android::base::Split(android::base::Trim(file_content), "\n");
+    if (lines.size() != 2 && lines.size() != 4) {
+        SLOGE("Invalid lines in care_map: found %zu lines, expecting 2 or 4 lines.\n",
+              lines.size());
+        return false;
+    }
+
+    for (size_t i = 0; i < lines.size(); i += 2) {
+        if (!read_blocks(lines[i], lines[i+1])) {
+            return false;
+        }
+    }
+
+    return true;
+}
+
 int main(int argc, char** argv) {
   for (int i = 1; i < argc; i++) {
     SLOGI("Started with arg %d: %s\n", i, argv[i]);
@@ -58,15 +157,24 @@
   unsigned current_slot = module->getCurrentSlot(module);
   int is_successful= module->isSlotMarkedSuccessful(module, current_slot);
   SLOGI("Booting slot %u: isSlotMarkedSuccessful=%d\n", current_slot, is_successful);
-
   if (is_successful == 0) {
     // The current slot has not booted successfully.
-
-    // TODO: Add the actual verification after we have the A/B OTA package
-    // format in place.
-
-    // TODO: Assert the dm-verity mode. Bootloader should never boot a newly
-    // flashed slot (isSlotMarkedSuccessful == 0) with dm-verity logging mode.
+    char verity_mode[PROPERTY_VALUE_MAX];
+    if (property_get("ro.boot.veritymode", verity_mode, "") == -1) {
+      SLOGE("Failed to get dm-verity mode");
+      return -1;
+    } else if (strcasecmp(verity_mode, "eio") == 0) {
+      // We shouldn't see verity in EIO mode if the current slot hasn't booted
+      // successfully before. Therefore, fail the verification when veritymode=eio.
+      SLOGE("Found dm-verity in EIO mode, skip verification.");
+      return -1;
+    } else if (strcmp(verity_mode, "enforcing") != 0) {
+      SLOGE("Unexpected dm-verity mode : %s, expecting enforcing.", verity_mode);
+      return -1;
+    } else if (!verify_image(CARE_MAP_FILE)) {
+      SLOGE("Failed to verify all blocks in care map file.\n");
+      return -1;
+    }
 
     int ret = module->markBootSuccessful(module);
     if (ret != 0) {
diff --git a/wear_ui.cpp b/wear_ui.cpp
index e078134..7ca879b 100644
--- a/wear_ui.cpp
+++ b/wear_ui.cpp
@@ -177,7 +177,7 @@
             // items don't fit on the screen.
             if (menu_items > menu_end - menu_start) {
                 sprintf(cur_selection_str, "Current item: %d/%d", menu_sel + 1, menu_items);
-                gr_text(x+4, y, cur_selection_str, 1);
+                gr_text(gr_sys_font(), x+4, y, cur_selection_str, 1);
                 y += char_height_+4;
             }
 
@@ -192,10 +192,10 @@
                     gr_fill(x, y-2, gr_fb_width()-x, y+char_height_+2);
                     // white text of selected item
                     SetColor(MENU_SEL_FG);
-                    if (menu[i][0]) gr_text(x+4, y, menu[i], 1);
+                    if (menu[i][0]) gr_text(gr_sys_font(), x+4, y, menu[i], 1);
                     SetColor(MENU);
-                } else {
-                    if (menu[i][0]) gr_text(x+4, y, menu[i], 0);
+                } else if (menu[i][0]) {
+                    gr_text(gr_sys_font(), x+4, y, menu[i], 0);
                 }
                 y += char_height_+4;
             }
@@ -216,7 +216,7 @@
         for (int ty = gr_fb_height() - char_height_ - outer_height;
              ty > y+2 && count < text_rows;
              ty -= char_height_, ++count) {
-            gr_text(x+4, ty, text[row], 0);
+            gr_text(gr_sys_font(), x+4, ty, text[row], 0);
             --row;
             if (row < 0) row = text_rows-1;
         }
@@ -285,7 +285,7 @@
 {
     gr_init();
 
-    gr_font_size(&char_width_, &char_height_);
+    gr_font_size(gr_sys_font(), &char_width_, &char_height_);
 
     text_col = text_row = 0;
     text_rows = (gr_fb_height()) / char_height_;