Add a checker for signature boundary in verifier am: 54ea136fde am: 0a34b17c8b am: fb80b4f72d am: d3d5e54a45 am: 6ea9888d51 am: a055eb93c3
am: 15ca2a4763

Change-Id: I5481d39f0d2fdb92c95e964d2a55512f4df3acb3
diff --git a/Android.mk b/Android.mk
index b31f730..65d123a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -14,17 +14,16 @@
 
 LOCAL_PATH := $(call my-dir)
 
-
 include $(CLEAR_VARS)
 
-LOCAL_SRC_FILES := fuse_sideload.c
-
+LOCAL_SRC_FILES := fuse_sideload.cpp
+LOCAL_CLANG := true
 LOCAL_CFLAGS := -O2 -g -DADB_HOST=0 -Wall -Wno-unused-parameter
 LOCAL_CFLAGS += -D_XOPEN_SOURCE -D_GNU_SOURCE
 
 LOCAL_MODULE := libfusesideload
 
-LOCAL_STATIC_LIBRARIES := libcutils libc libmincrypt
+LOCAL_STATIC_LIBRARIES := libcutils libc libcrypto_static
 include $(BUILD_STATIC_LIBRARY)
 
 include $(CLEAR_VARS)
@@ -34,7 +33,7 @@
     asn1_decoder.cpp \
     bootloader.cpp \
     device.cpp \
-    fuse_sdcard_provider.c \
+    fuse_sdcard_provider.cpp \
     install.cpp \
     recovery.cpp \
     roots.cpp \
@@ -42,19 +41,23 @@
     ui.cpp \
     verifier.cpp \
     wear_ui.cpp \
+    wear_touch.cpp \
 
 LOCAL_MODULE := recovery
 
 LOCAL_FORCE_STATIC_EXECUTABLE := true
 
+ifeq ($(TARGET_USERIMAGES_USE_F2FS),true)
 ifeq ($(HOST_OS),linux)
 LOCAL_REQUIRED_MODULES := mkfs.f2fs
 endif
+endif
 
 RECOVERY_API_VERSION := 3
 RECOVERY_FSTAB_VERSION := 2
 LOCAL_CFLAGS += -DRECOVERY_API_VERSION=$(RECOVERY_API_VERSION)
 LOCAL_CFLAGS += -Wno-unused-parameter
+LOCAL_CLANG := true
 
 LOCAL_C_INCLUDES += \
     system/vold \
@@ -62,25 +65,28 @@
     system/core/adb \
 
 LOCAL_STATIC_LIBRARIES := \
+    libbatterymonitor \
     libext4_utils_static \
     libsparse_static \
     libminzip \
     libz \
     libmtdutils \
-    libmincrypt \
     libminadbd \
     libfusesideload \
     libminui \
     libpng \
     libfs_mgr \
+    libcrypto_static \
     libbase \
     libcutils \
+    libutils \
     liblog \
     libselinux \
-    libstdc++ \
     libm \
     libc
 
+LOCAL_HAL_STATIC_LIBRARIES := libhealthd
+
 ifeq ($(TARGET_USERIMAGES_USE_EXT4), true)
     LOCAL_CFLAGS += -DUSE_EXT4
     LOCAL_C_INCLUDES += system/extras/ext4_utils
@@ -95,35 +101,43 @@
   LOCAL_STATIC_LIBRARIES += $(TARGET_RECOVERY_UI_LIB)
 endif
 
+ifeq ($(BOARD_CACHEIMAGE_PARTITION_SIZE),)
+LOCAL_REQUIRED_MODULES := recovery-persist recovery-refresh
+endif
+
+include $(BUILD_EXECUTABLE)
+
+# recovery-persist (system partition dynamic executable run after /data mounts)
+# ===============================
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES := recovery-persist.cpp
+LOCAL_MODULE := recovery-persist
+LOCAL_SHARED_LIBRARIES := liblog libbase
+LOCAL_CFLAGS := -Werror
+LOCAL_INIT_RC := recovery-persist.rc
+include $(BUILD_EXECUTABLE)
+
+# recovery-refresh (system partition dynamic executable run at init)
+# ===============================
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES := recovery-refresh.cpp
+LOCAL_MODULE := recovery-refresh
+LOCAL_SHARED_LIBRARIES := liblog
+LOCAL_CFLAGS := -Werror
+LOCAL_INIT_RC := recovery-refresh.rc
 include $(BUILD_EXECUTABLE)
 
 # All the APIs for testing
 include $(CLEAR_VARS)
+LOCAL_CLANG := true
 LOCAL_MODULE := libverifier
 LOCAL_MODULE_TAGS := tests
 LOCAL_SRC_FILES := \
-    asn1_decoder.cpp
-include $(BUILD_STATIC_LIBRARY)
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := verifier_test
-LOCAL_FORCE_STATIC_EXECUTABLE := true
-LOCAL_MODULE_TAGS := tests
-LOCAL_CFLAGS += -Wno-unused-parameter
-LOCAL_SRC_FILES := \
-    verifier_test.cpp \
     asn1_decoder.cpp \
     verifier.cpp \
     ui.cpp
-LOCAL_STATIC_LIBRARIES := \
-    libmincrypt \
-    libminui \
-    libminzip \
-    libcutils \
-    libstdc++ \
-    libc
-include $(BUILD_EXECUTABLE)
-
+LOCAL_STATIC_LIBRARIES := libcrypto_static
+include $(BUILD_STATIC_LIBRARY)
 
 include $(LOCAL_PATH)/minui/Android.mk \
     $(LOCAL_PATH)/minzip/Android.mk \
@@ -133,5 +147,7 @@
     $(LOCAL_PATH)/tools/Android.mk \
     $(LOCAL_PATH)/edify/Android.mk \
     $(LOCAL_PATH)/uncrypt/Android.mk \
+    $(LOCAL_PATH)/otafault/Android.mk \
     $(LOCAL_PATH)/updater/Android.mk \
+    $(LOCAL_PATH)/update_verifier/Android.mk \
     $(LOCAL_PATH)/applypatch/Android.mk
diff --git a/README.md b/README.md
index bab7e87..01fab94 100644
--- a/README.md
+++ b/README.md
@@ -10,3 +10,20 @@
     # without flashing the recovery partition:
     adb reboot bootloader
     fastboot boot $ANDROID_PRODUCT_OUT/recovery.img
+
+Running the tests
+-----------------
+    # After setting up environment and lunch.
+    mmma -j bootable/recovery
+
+    # Running the tests on device.
+    adb root
+    adb sync data
+
+    # 32-bit device
+    adb shell /data/nativetest/recovery_unit_test/recovery_unit_test
+    adb shell /data/nativetest/recovery_component_test/recovery_component_test
+
+    # Or 64-bit device
+    adb shell /data/nativetest64/recovery_unit_test/recovery_unit_test
+    adb shell /data/nativetest64/recovery_component_test/recovery_component_test
diff --git a/adb_install.cpp b/adb_install.cpp
index e3b94ea..4aed9d4 100644
--- a/adb_install.cpp
+++ b/adb_install.cpp
@@ -91,7 +91,7 @@
     // FUSE_SIDELOAD_HOST_PATHNAME will start to exist once the host
     // connects and starts serving a package.  Poll for its
     // appearance.  (Note that inotify doesn't work with FUSE.)
-    int result;
+    int result = INSTALL_ERROR;
     int status;
     bool waited = false;
     struct stat st;
@@ -113,7 +113,7 @@
                 break;
             }
         }
-        result = install_package(FUSE_SIDELOAD_HOST_PATHNAME, wipe_cache, install_file, false);
+        result = install_package(FUSE_SIDELOAD_HOST_PATHNAME, wipe_cache, install_file, false, 0);
         break;
     }
 
diff --git a/applypatch/Android.mk b/applypatch/Android.mk
index 4984093..887a570 100644
--- a/applypatch/Android.mk
+++ b/applypatch/Android.mk
@@ -13,41 +13,59 @@
 # limitations under the License.
 
 LOCAL_PATH := $(call my-dir)
+
 include $(CLEAR_VARS)
 
-LOCAL_SRC_FILES := applypatch.c bspatch.c freecache.c imgpatch.c utils.c
+LOCAL_CLANG := true
+LOCAL_SRC_FILES := applypatch.cpp bspatch.cpp freecache.cpp imgpatch.cpp utils.cpp
 LOCAL_MODULE := libapplypatch
 LOCAL_MODULE_TAGS := eng
-LOCAL_C_INCLUDES += external/bzip2 external/zlib bootable/recovery
-LOCAL_STATIC_LIBRARIES += libmtdutils libmincrypt libbz libz
+LOCAL_C_INCLUDES += bootable/recovery
+LOCAL_STATIC_LIBRARIES += libbase libotafault libmtdutils libcrypto_static libbz libz
 
 include $(BUILD_STATIC_LIBRARY)
 
 include $(CLEAR_VARS)
 
-LOCAL_SRC_FILES := main.c
+LOCAL_CLANG := true
+LOCAL_SRC_FILES := bspatch.cpp imgpatch.cpp utils.cpp
+LOCAL_MODULE := libimgpatch
+LOCAL_C_INCLUDES += bootable/recovery
+LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include
+LOCAL_STATIC_LIBRARIES += libcrypto_static libbz libz
+
+include $(BUILD_STATIC_LIBRARY)
+
+ifeq ($(HOST_OS),linux)
+include $(CLEAR_VARS)
+
+LOCAL_CLANG := true
+LOCAL_SRC_FILES := bspatch.cpp imgpatch.cpp utils.cpp
+LOCAL_MODULE := libimgpatch
+LOCAL_C_INCLUDES += bootable/recovery
+LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include
+LOCAL_STATIC_LIBRARIES += libcrypto_static libbz libz
+
+include $(BUILD_HOST_STATIC_LIBRARY)
+endif  # HOST_OS == linux
+
+include $(CLEAR_VARS)
+
+LOCAL_CLANG := true
+LOCAL_SRC_FILES := main.cpp
 LOCAL_MODULE := applypatch
 LOCAL_C_INCLUDES += bootable/recovery
-LOCAL_STATIC_LIBRARIES += libapplypatch libmtdutils libmincrypt libbz
-LOCAL_SHARED_LIBRARIES += libz libcutils libstdc++ libc
+LOCAL_STATIC_LIBRARIES += libapplypatch libbase libotafault libmtdutils libcrypto_static libbz \
+                          libedify \
+
+LOCAL_SHARED_LIBRARIES += libz libcutils libc
 
 include $(BUILD_EXECUTABLE)
 
 include $(CLEAR_VARS)
 
-LOCAL_SRC_FILES := main.c
-LOCAL_MODULE := applypatch_static
-LOCAL_FORCE_STATIC_EXECUTABLE := true
-LOCAL_MODULE_TAGS := eng
-LOCAL_C_INCLUDES += bootable/recovery
-LOCAL_STATIC_LIBRARIES += libapplypatch libmtdutils libmincrypt libbz
-LOCAL_STATIC_LIBRARIES += libz libcutils libstdc++ libc
-
-include $(BUILD_EXECUTABLE)
-
-include $(CLEAR_VARS)
-
-LOCAL_SRC_FILES := imgdiff.c utils.c bsdiff.c
+LOCAL_CLANG := true
+LOCAL_SRC_FILES := imgdiff.cpp utils.cpp bsdiff.cpp
 LOCAL_MODULE := imgdiff
 LOCAL_FORCE_STATIC_EXECUTABLE := true
 LOCAL_C_INCLUDES += external/zlib external/bzip2
diff --git a/applypatch/applypatch.c b/applypatch/applypatch.c
deleted file mode 100644
index 2358d42..0000000
--- a/applypatch/applypatch.c
+++ /dev/null
@@ -1,1048 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <errno.h>
-#include <libgen.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <sys/statfs.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <stdbool.h>
-
-#include "mincrypt/sha.h"
-#include "applypatch.h"
-#include "mtdutils/mtdutils.h"
-#include "edify/expr.h"
-
-static int LoadPartitionContents(const char* filename, FileContents* file);
-static ssize_t FileSink(const unsigned char* data, ssize_t len, void* token);
-static int GenerateTarget(FileContents* source_file,
-                          const Value* source_patch_value,
-                          FileContents* copy_file,
-                          const Value* copy_patch_value,
-                          const char* source_filename,
-                          const char* target_filename,
-                          const uint8_t target_sha1[SHA_DIGEST_SIZE],
-                          size_t target_size,
-                          const Value* bonus_data);
-
-static int mtd_partitions_scanned = 0;
-
-// Read a file into memory; store the file contents and associated
-// metadata in *file.
-//
-// Return 0 on success.
-int LoadFileContents(const char* filename, FileContents* file) {
-    file->data = NULL;
-
-    // A special 'filename' beginning with "MTD:" or "EMMC:" means to
-    // load the contents of a partition.
-    if (strncmp(filename, "MTD:", 4) == 0 ||
-        strncmp(filename, "EMMC:", 5) == 0) {
-        return LoadPartitionContents(filename, file);
-    }
-
-    if (stat(filename, &file->st) != 0) {
-        printf("failed to stat \"%s\": %s\n", filename, strerror(errno));
-        return -1;
-    }
-
-    file->size = file->st.st_size;
-    file->data = malloc(file->size);
-
-    FILE* f = fopen(filename, "rb");
-    if (f == NULL) {
-        printf("failed to open \"%s\": %s\n", filename, strerror(errno));
-        free(file->data);
-        file->data = NULL;
-        return -1;
-    }
-
-    ssize_t bytes_read = fread(file->data, 1, file->size, f);
-    if (bytes_read != file->size) {
-        printf("short read of \"%s\" (%ld bytes of %ld)\n",
-               filename, (long)bytes_read, (long)file->size);
-        free(file->data);
-        file->data = NULL;
-        return -1;
-    }
-    fclose(f);
-
-    SHA_hash(file->data, file->size, file->sha1);
-    return 0;
-}
-
-static size_t* size_array;
-// comparison function for qsort()ing an int array of indexes into
-// size_array[].
-static int compare_size_indices(const void* a, const void* b) {
-    int aa = *(int*)a;
-    int bb = *(int*)b;
-    if (size_array[aa] < size_array[bb]) {
-        return -1;
-    } else if (size_array[aa] > size_array[bb]) {
-        return 1;
-    } else {
-        return 0;
-    }
-}
-
-// Load the contents of an MTD or EMMC partition into the provided
-// FileContents.  filename should be a string of the form
-// "MTD:<partition_name>:<size_1>:<sha1_1>:<size_2>:<sha1_2>:..."  (or
-// "EMMC:<partition_device>:...").  The smallest size_n bytes for
-// which that prefix of the partition contents has the corresponding
-// sha1 hash will be loaded.  It is acceptable for a size value to be
-// repeated with different sha1s.  Will return 0 on success.
-//
-// This complexity is needed because if an OTA installation is
-// interrupted, the partition might contain either the source or the
-// target data, which might be of different lengths.  We need to know
-// the length in order to read from a partition (there is no
-// "end-of-file" marker), so the caller must specify the possible
-// lengths and the hash of the data, and we'll do the load expecting
-// to find one of those hashes.
-enum PartitionType { MTD, EMMC };
-
-static int LoadPartitionContents(const char* filename, FileContents* file) {
-    char* copy = strdup(filename);
-    const char* magic = strtok(copy, ":");
-
-    enum PartitionType type;
-
-    if (strcmp(magic, "MTD") == 0) {
-        type = MTD;
-    } else if (strcmp(magic, "EMMC") == 0) {
-        type = EMMC;
-    } else {
-        printf("LoadPartitionContents called with bad filename (%s)\n",
-               filename);
-        return -1;
-    }
-    const char* partition = strtok(NULL, ":");
-
-    int i;
-    int colons = 0;
-    for (i = 0; filename[i] != '\0'; ++i) {
-        if (filename[i] == ':') {
-            ++colons;
-        }
-    }
-    if (colons < 3 || colons%2 == 0) {
-        printf("LoadPartitionContents called with bad filename (%s)\n",
-               filename);
-    }
-
-    int pairs = (colons-1)/2;     // # of (size,sha1) pairs in filename
-    int* index = malloc(pairs * sizeof(int));
-    size_t* size = malloc(pairs * sizeof(size_t));
-    char** sha1sum = malloc(pairs * sizeof(char*));
-
-    for (i = 0; i < pairs; ++i) {
-        const char* size_str = strtok(NULL, ":");
-        size[i] = strtol(size_str, NULL, 10);
-        if (size[i] == 0) {
-            printf("LoadPartitionContents called with bad size (%s)\n", filename);
-            return -1;
-        }
-        sha1sum[i] = strtok(NULL, ":");
-        index[i] = i;
-    }
-
-    // sort the index[] array so it indexes the pairs in order of
-    // increasing size.
-    size_array = size;
-    qsort(index, pairs, sizeof(int), compare_size_indices);
-
-    MtdReadContext* ctx = NULL;
-    FILE* dev = NULL;
-
-    switch (type) {
-        case MTD:
-            if (!mtd_partitions_scanned) {
-                mtd_scan_partitions();
-                mtd_partitions_scanned = 1;
-            }
-
-            const MtdPartition* mtd = mtd_find_partition_by_name(partition);
-            if (mtd == NULL) {
-                printf("mtd partition \"%s\" not found (loading %s)\n",
-                       partition, filename);
-                return -1;
-            }
-
-            ctx = mtd_read_partition(mtd);
-            if (ctx == NULL) {
-                printf("failed to initialize read of mtd partition \"%s\"\n",
-                       partition);
-                return -1;
-            }
-            break;
-
-        case EMMC:
-            dev = fopen(partition, "rb");
-            if (dev == NULL) {
-                printf("failed to open emmc partition \"%s\": %s\n",
-                       partition, strerror(errno));
-                return -1;
-            }
-    }
-
-    SHA_CTX sha_ctx;
-    SHA_init(&sha_ctx);
-    uint8_t parsed_sha[SHA_DIGEST_SIZE];
-
-    // allocate enough memory to hold the largest size.
-    file->data = malloc(size[index[pairs-1]]);
-    char* p = (char*)file->data;
-    file->size = 0;                // # bytes read so far
-
-    for (i = 0; i < pairs; ++i) {
-        // Read enough additional bytes to get us up to the next size
-        // (again, we're trying the possibilities in order of increasing
-        // size).
-        size_t next = size[index[i]] - file->size;
-        size_t read = 0;
-        if (next > 0) {
-            switch (type) {
-                case MTD:
-                    read = mtd_read_data(ctx, p, next);
-                    break;
-
-                case EMMC:
-                    read = fread(p, 1, next, dev);
-                    break;
-            }
-            if (next != read) {
-                printf("short read (%zu bytes of %zu) for partition \"%s\"\n",
-                       read, next, partition);
-                free(file->data);
-                file->data = NULL;
-                return -1;
-            }
-            SHA_update(&sha_ctx, p, read);
-            file->size += read;
-        }
-
-        // Duplicate the SHA context and finalize the duplicate so we can
-        // check it against this pair's expected hash.
-        SHA_CTX temp_ctx;
-        memcpy(&temp_ctx, &sha_ctx, sizeof(SHA_CTX));
-        const uint8_t* sha_so_far = SHA_final(&temp_ctx);
-
-        if (ParseSha1(sha1sum[index[i]], parsed_sha) != 0) {
-            printf("failed to parse sha1 %s in %s\n",
-                   sha1sum[index[i]], filename);
-            free(file->data);
-            file->data = NULL;
-            return -1;
-        }
-
-        if (memcmp(sha_so_far, parsed_sha, SHA_DIGEST_SIZE) == 0) {
-            // we have a match.  stop reading the partition; we'll return
-            // the data we've read so far.
-            printf("partition read matched size %zu sha %s\n",
-                   size[index[i]], sha1sum[index[i]]);
-            break;
-        }
-
-        p += read;
-    }
-
-    switch (type) {
-        case MTD:
-            mtd_read_close(ctx);
-            break;
-
-        case EMMC:
-            fclose(dev);
-            break;
-    }
-
-
-    if (i == pairs) {
-        // Ran off the end of the list of (size,sha1) pairs without
-        // finding a match.
-        printf("contents of partition \"%s\" didn't match %s\n",
-               partition, filename);
-        free(file->data);
-        file->data = NULL;
-        return -1;
-    }
-
-    const uint8_t* sha_final = SHA_final(&sha_ctx);
-    for (i = 0; i < SHA_DIGEST_SIZE; ++i) {
-        file->sha1[i] = sha_final[i];
-    }
-
-    // Fake some stat() info.
-    file->st.st_mode = 0644;
-    file->st.st_uid = 0;
-    file->st.st_gid = 0;
-
-    free(copy);
-    free(index);
-    free(size);
-    free(sha1sum);
-
-    return 0;
-}
-
-
-// Save the contents of the given FileContents object under the given
-// filename.  Return 0 on success.
-int SaveFileContents(const char* filename, const FileContents* file) {
-    int fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, S_IRUSR | S_IWUSR);
-    if (fd < 0) {
-        printf("failed to open \"%s\" for write: %s\n",
-               filename, strerror(errno));
-        return -1;
-    }
-
-    ssize_t bytes_written = FileSink(file->data, file->size, &fd);
-    if (bytes_written != file->size) {
-        printf("short write of \"%s\" (%ld bytes of %ld) (%s)\n",
-               filename, (long)bytes_written, (long)file->size,
-               strerror(errno));
-        close(fd);
-        return -1;
-    }
-    if (fsync(fd) != 0) {
-        printf("fsync of \"%s\" failed: %s\n", filename, strerror(errno));
-        return -1;
-    }
-    if (close(fd) != 0) {
-        printf("close of \"%s\" failed: %s\n", filename, strerror(errno));
-        return -1;
-    }
-
-    if (chmod(filename, file->st.st_mode) != 0) {
-        printf("chmod of \"%s\" failed: %s\n", filename, strerror(errno));
-        return -1;
-    }
-    if (chown(filename, file->st.st_uid, file->st.st_gid) != 0) {
-        printf("chown of \"%s\" failed: %s\n", filename, strerror(errno));
-        return -1;
-    }
-
-    return 0;
-}
-
-// Write a memory buffer to 'target' partition, a string of the form
-// "MTD:<partition>[:...]" or "EMMC:<partition_device>:".  Return 0 on
-// success.
-int WriteToPartition(unsigned char* data, size_t len,
-                        const char* target) {
-    char* copy = strdup(target);
-    const char* magic = strtok(copy, ":");
-
-    enum PartitionType type;
-    if (strcmp(magic, "MTD") == 0) {
-        type = MTD;
-    } else if (strcmp(magic, "EMMC") == 0) {
-        type = EMMC;
-    } else {
-        printf("WriteToPartition called with bad target (%s)\n", target);
-        return -1;
-    }
-    const char* partition = strtok(NULL, ":");
-
-    if (partition == NULL) {
-        printf("bad partition target name \"%s\"\n", target);
-        return -1;
-    }
-
-    switch (type) {
-        case MTD:
-            if (!mtd_partitions_scanned) {
-                mtd_scan_partitions();
-                mtd_partitions_scanned = 1;
-            }
-
-            const MtdPartition* mtd = mtd_find_partition_by_name(partition);
-            if (mtd == NULL) {
-                printf("mtd partition \"%s\" not found for writing\n",
-                       partition);
-                return -1;
-            }
-
-            MtdWriteContext* ctx = mtd_write_partition(mtd);
-            if (ctx == NULL) {
-                printf("failed to init mtd partition \"%s\" for writing\n",
-                       partition);
-                return -1;
-            }
-
-            size_t written = mtd_write_data(ctx, (char*)data, len);
-            if (written != len) {
-                printf("only wrote %zu of %zu bytes to MTD %s\n",
-                       written, len, partition);
-                mtd_write_close(ctx);
-                return -1;
-            }
-
-            if (mtd_erase_blocks(ctx, -1) < 0) {
-                printf("error finishing mtd write of %s\n", partition);
-                mtd_write_close(ctx);
-                return -1;
-            }
-
-            if (mtd_write_close(ctx)) {
-                printf("error closing mtd write of %s\n", partition);
-                return -1;
-            }
-            break;
-
-        case EMMC:
-        {
-            size_t start = 0;
-            int success = 0;
-            int fd = open(partition, O_RDWR | O_SYNC);
-            if (fd < 0) {
-                printf("failed to open %s: %s\n", partition, strerror(errno));
-                return -1;
-            }
-            int attempt;
-
-            for (attempt = 0; attempt < 2; ++attempt) {
-                if (TEMP_FAILURE_RETRY(lseek(fd, start, SEEK_SET)) == -1) {
-                    printf("failed seek on %s: %s\n",
-                           partition, strerror(errno));
-                    return -1;
-                }
-                while (start < len) {
-                    size_t to_write = len - start;
-                    if (to_write > 1<<20) to_write = 1<<20;
-
-                    ssize_t written = TEMP_FAILURE_RETRY(write(fd, data+start, to_write));
-                    if (written == -1) {
-                        printf("failed write writing to %s: %s\n", partition, strerror(errno));
-                        return -1;
-                    }
-                    start += written;
-                }
-                if (fsync(fd) != 0) {
-                   printf("failed to sync to %s (%s)\n",
-                          partition, strerror(errno));
-                   return -1;
-                }
-                if (close(fd) != 0) {
-                   printf("failed to close %s (%s)\n",
-                          partition, strerror(errno));
-                   return -1;
-                }
-                fd = open(partition, O_RDONLY);
-                if (fd < 0) {
-                   printf("failed to reopen %s for verify (%s)\n",
-                          partition, strerror(errno));
-                   return -1;
-                }
-
-                // drop caches so our subsequent verification read
-                // won't just be reading the cache.
-                sync();
-                int dc = open("/proc/sys/vm/drop_caches", O_WRONLY);
-                if (TEMP_FAILURE_RETRY(write(dc, "3\n", 2)) == -1) {
-                    printf("write to /proc/sys/vm/drop_caches failed: %s\n", strerror(errno));
-                } else {
-                    printf("  caches dropped\n");
-                }
-                close(dc);
-                sleep(1);
-
-                // verify
-                if (TEMP_FAILURE_RETRY(lseek(fd, 0, SEEK_SET)) == -1) {
-                    printf("failed to seek back to beginning of %s: %s\n",
-                           partition, strerror(errno));
-                    return -1;
-                }
-                unsigned char buffer[4096];
-                start = len;
-                size_t p;
-                for (p = 0; p < len; p += sizeof(buffer)) {
-                    size_t to_read = len - p;
-                    if (to_read > sizeof(buffer)) to_read = sizeof(buffer);
-
-                    size_t so_far = 0;
-                    while (so_far < to_read) {
-                        ssize_t read_count =
-                                TEMP_FAILURE_RETRY(read(fd, buffer+so_far, to_read-so_far));
-                        if (read_count == -1) {
-                            printf("verify read error %s at %zu: %s\n",
-                                   partition, p, strerror(errno));
-                            return -1;
-                        }
-                        if ((size_t)read_count < to_read) {
-                            printf("short verify read %s at %zu: %zd %zu %s\n",
-                                   partition, p, read_count, to_read, strerror(errno));
-                        }
-                        so_far += read_count;
-                    }
-
-                    if (memcmp(buffer, data+p, to_read)) {
-                        printf("verification failed starting at %zu\n", p);
-                        start = p;
-                        break;
-                    }
-                }
-
-                if (start == len) {
-                    printf("verification read succeeded (attempt %d)\n", attempt+1);
-                    success = true;
-                    break;
-                }
-            }
-
-            if (!success) {
-                printf("failed to verify after all attempts\n");
-                return -1;
-            }
-
-            if (close(fd) != 0) {
-                printf("error closing %s (%s)\n", partition, strerror(errno));
-                return -1;
-            }
-            sync();
-            break;
-        }
-    }
-
-    free(copy);
-    return 0;
-}
-
-
-// Take a string 'str' of 40 hex digits and parse it into the 20
-// byte array 'digest'.  'str' may contain only the digest or be of
-// the form "<digest>:<anything>".  Return 0 on success, -1 on any
-// error.
-int ParseSha1(const char* str, uint8_t* digest) {
-    int i;
-    const char* ps = str;
-    uint8_t* pd = digest;
-    for (i = 0; i < SHA_DIGEST_SIZE * 2; ++i, ++ps) {
-        int digit;
-        if (*ps >= '0' && *ps <= '9') {
-            digit = *ps - '0';
-        } else if (*ps >= 'a' && *ps <= 'f') {
-            digit = *ps - 'a' + 10;
-        } else if (*ps >= 'A' && *ps <= 'F') {
-            digit = *ps - 'A' + 10;
-        } else {
-            return -1;
-        }
-        if (i % 2 == 0) {
-            *pd = digit << 4;
-        } else {
-            *pd |= digit;
-            ++pd;
-        }
-    }
-    if (*ps != '\0') return -1;
-    return 0;
-}
-
-// Search an array of sha1 strings for one matching the given sha1.
-// Return the index of the match on success, or -1 if no match is
-// found.
-int FindMatchingPatch(uint8_t* sha1, char* const * const patch_sha1_str,
-                      int num_patches) {
-    int i;
-    uint8_t patch_sha1[SHA_DIGEST_SIZE];
-    for (i = 0; i < num_patches; ++i) {
-        if (ParseSha1(patch_sha1_str[i], patch_sha1) == 0 &&
-            memcmp(patch_sha1, sha1, SHA_DIGEST_SIZE) == 0) {
-            return i;
-        }
-    }
-    return -1;
-}
-
-// Returns 0 if the contents of the file (argv[2]) or the cached file
-// match any of the sha1's on the command line (argv[3:]).  Returns
-// nonzero otherwise.
-int applypatch_check(const char* filename,
-                     int num_patches, char** const patch_sha1_str) {
-    FileContents file;
-    file.data = NULL;
-
-    // It's okay to specify no sha1s; the check will pass if the
-    // LoadFileContents is successful.  (Useful for reading
-    // partitions, where the filename encodes the sha1s; no need to
-    // check them twice.)
-    if (LoadFileContents(filename, &file) != 0 ||
-        (num_patches > 0 &&
-         FindMatchingPatch(file.sha1, patch_sha1_str, num_patches) < 0)) {
-        printf("file \"%s\" doesn't have any of expected "
-               "sha1 sums; checking cache\n", filename);
-
-        free(file.data);
-        file.data = NULL;
-
-        // If the source file is missing or corrupted, it might be because
-        // we were killed in the middle of patching it.  A copy of it
-        // should have been made in CACHE_TEMP_SOURCE.  If that file
-        // exists and matches the sha1 we're looking for, the check still
-        // passes.
-
-        if (LoadFileContents(CACHE_TEMP_SOURCE, &file) != 0) {
-            printf("failed to load cache file\n");
-            return 1;
-        }
-
-        if (FindMatchingPatch(file.sha1, patch_sha1_str, num_patches) < 0) {
-            printf("cache bits don't match any sha1 for \"%s\"\n", filename);
-            free(file.data);
-            return 1;
-        }
-    }
-
-    free(file.data);
-    return 0;
-}
-
-int ShowLicenses() {
-    ShowBSDiffLicense();
-    return 0;
-}
-
-ssize_t FileSink(const unsigned char* data, ssize_t len, void* token) {
-    int fd = *(int *)token;
-    ssize_t done = 0;
-    ssize_t wrote;
-    while (done < (ssize_t) len) {
-        wrote = TEMP_FAILURE_RETRY(write(fd, data+done, len-done));
-        if (wrote == -1) {
-            printf("error writing %d bytes: %s\n", (int)(len-done), strerror(errno));
-            return done;
-        }
-        done += wrote;
-    }
-    return done;
-}
-
-typedef struct {
-    unsigned char* buffer;
-    ssize_t size;
-    ssize_t pos;
-} MemorySinkInfo;
-
-ssize_t MemorySink(const unsigned char* data, ssize_t len, void* token) {
-    MemorySinkInfo* msi = (MemorySinkInfo*)token;
-    if (msi->size - msi->pos < len) {
-        return -1;
-    }
-    memcpy(msi->buffer + msi->pos, data, len);
-    msi->pos += len;
-    return len;
-}
-
-// Return the amount of free space (in bytes) on the filesystem
-// containing filename.  filename must exist.  Return -1 on error.
-size_t FreeSpaceForFile(const char* filename) {
-    struct statfs sf;
-    if (statfs(filename, &sf) != 0) {
-        printf("failed to statfs %s: %s\n", filename, strerror(errno));
-        return -1;
-    }
-    return sf.f_bsize * sf.f_bavail;
-}
-
-int CacheSizeCheck(size_t bytes) {
-    if (MakeFreeSpaceOnCache(bytes) < 0) {
-        printf("unable to make %ld bytes available on /cache\n", (long)bytes);
-        return 1;
-    } else {
-        return 0;
-    }
-}
-
-static void print_short_sha1(const uint8_t sha1[SHA_DIGEST_SIZE]) {
-    int i;
-    const char* hex = "0123456789abcdef";
-    for (i = 0; i < 4; ++i) {
-        putchar(hex[(sha1[i]>>4) & 0xf]);
-        putchar(hex[sha1[i] & 0xf]);
-    }
-}
-
-// This function applies binary patches to files in a way that is safe
-// (the original file is not touched until we have the desired
-// replacement for it) and idempotent (it's okay to run this program
-// multiple times).
-//
-// - if the sha1 hash of <target_filename> is <target_sha1_string>,
-//   does nothing and exits successfully.
-//
-// - otherwise, if the sha1 hash of <source_filename> is one of the
-//   entries in <patch_sha1_str>, the corresponding patch from
-//   <patch_data> (which must be a VAL_BLOB) is applied to produce a
-//   new file (the type of patch is automatically detected from the
-//   blob daat).  If that new file has sha1 hash <target_sha1_str>,
-//   moves it to replace <target_filename>, and exits successfully.
-//   Note that if <source_filename> and <target_filename> are not the
-//   same, <source_filename> is NOT deleted on success.
-//   <target_filename> may be the string "-" to mean "the same as
-//   source_filename".
-//
-// - otherwise, or if any error is encountered, exits with non-zero
-//   status.
-//
-// <source_filename> may refer to a partition to read the source data.
-// See the comments for the LoadPartition Contents() function above
-// for the format of such a filename.
-
-int applypatch(const char* source_filename,
-               const char* target_filename,
-               const char* target_sha1_str,
-               size_t target_size,
-               int num_patches,
-               char** const patch_sha1_str,
-               Value** patch_data,
-               Value* bonus_data) {
-    printf("patch %s: ", source_filename);
-
-    if (target_filename[0] == '-' &&
-        target_filename[1] == '\0') {
-        target_filename = source_filename;
-    }
-
-    uint8_t target_sha1[SHA_DIGEST_SIZE];
-    if (ParseSha1(target_sha1_str, target_sha1) != 0) {
-        printf("failed to parse tgt-sha1 \"%s\"\n", target_sha1_str);
-        return 1;
-    }
-
-    FileContents copy_file;
-    FileContents source_file;
-    copy_file.data = NULL;
-    source_file.data = NULL;
-    const Value* source_patch_value = NULL;
-    const Value* copy_patch_value = NULL;
-
-    // We try to load the target file into the source_file object.
-    if (LoadFileContents(target_filename, &source_file) == 0) {
-        if (memcmp(source_file.sha1, target_sha1, SHA_DIGEST_SIZE) == 0) {
-            // The early-exit case:  the patch was already applied, this file
-            // has the desired hash, nothing for us to do.
-            printf("already ");
-            print_short_sha1(target_sha1);
-            putchar('\n');
-            free(source_file.data);
-            return 0;
-        }
-    }
-
-    if (source_file.data == NULL ||
-        (target_filename != source_filename &&
-         strcmp(target_filename, source_filename) != 0)) {
-        // Need to load the source file:  either we failed to load the
-        // target file, or we did but it's different from the source file.
-        free(source_file.data);
-        source_file.data = NULL;
-        LoadFileContents(source_filename, &source_file);
-    }
-
-    if (source_file.data != NULL) {
-        int to_use = FindMatchingPatch(source_file.sha1,
-                                       patch_sha1_str, num_patches);
-        if (to_use >= 0) {
-            source_patch_value = patch_data[to_use];
-        }
-    }
-
-    if (source_patch_value == NULL) {
-        free(source_file.data);
-        source_file.data = NULL;
-        printf("source file is bad; trying copy\n");
-
-        if (LoadFileContents(CACHE_TEMP_SOURCE, &copy_file) < 0) {
-            // fail.
-            printf("failed to read copy file\n");
-            return 1;
-        }
-
-        int to_use = FindMatchingPatch(copy_file.sha1,
-                                       patch_sha1_str, num_patches);
-        if (to_use >= 0) {
-            copy_patch_value = patch_data[to_use];
-        }
-
-        if (copy_patch_value == NULL) {
-            // fail.
-            printf("copy file doesn't match source SHA-1s either\n");
-            free(copy_file.data);
-            return 1;
-        }
-    }
-
-    int result = GenerateTarget(&source_file, source_patch_value,
-                                &copy_file, copy_patch_value,
-                                source_filename, target_filename,
-                                target_sha1, target_size, bonus_data);
-    free(source_file.data);
-    free(copy_file.data);
-
-    return result;
-}
-
-static int GenerateTarget(FileContents* source_file,
-                          const Value* source_patch_value,
-                          FileContents* copy_file,
-                          const Value* copy_patch_value,
-                          const char* source_filename,
-                          const char* target_filename,
-                          const uint8_t target_sha1[SHA_DIGEST_SIZE],
-                          size_t target_size,
-                          const Value* bonus_data) {
-    int retry = 1;
-    SHA_CTX ctx;
-    int output;
-    MemorySinkInfo msi;
-    FileContents* source_to_use;
-    char* outname;
-    int made_copy = 0;
-
-    // assume that target_filename (eg "/system/app/Foo.apk") is located
-    // on the same filesystem as its top-level directory ("/system").
-    // We need something that exists for calling statfs().
-    char target_fs[strlen(target_filename)+1];
-    char* slash = strchr(target_filename+1, '/');
-    if (slash != NULL) {
-        int count = slash - target_filename;
-        strncpy(target_fs, target_filename, count);
-        target_fs[count] = '\0';
-    } else {
-        strcpy(target_fs, target_filename);
-    }
-
-    do {
-        // Is there enough room in the target filesystem to hold the patched
-        // file?
-
-        if (strncmp(target_filename, "MTD:", 4) == 0 ||
-            strncmp(target_filename, "EMMC:", 5) == 0) {
-            // If the target is a partition, we're actually going to
-            // write the output to /tmp and then copy it to the
-            // partition.  statfs() always returns 0 blocks free for
-            // /tmp, so instead we'll just assume that /tmp has enough
-            // space to hold the file.
-
-            // We still write the original source to cache, in case
-            // the partition write is interrupted.
-            if (MakeFreeSpaceOnCache(source_file->size) < 0) {
-                printf("not enough free space on /cache\n");
-                return 1;
-            }
-            if (SaveFileContents(CACHE_TEMP_SOURCE, source_file) < 0) {
-                printf("failed to back up source file\n");
-                return 1;
-            }
-            made_copy = 1;
-            retry = 0;
-        } else {
-            int enough_space = 0;
-            if (retry > 0) {
-                size_t free_space = FreeSpaceForFile(target_fs);
-                enough_space =
-                    (free_space > (256 << 10)) &&          // 256k (two-block) minimum
-                    (free_space > (target_size * 3 / 2));  // 50% margin of error
-                if (!enough_space) {
-                    printf("target %ld bytes; free space %ld bytes; retry %d; enough %d\n",
-                           (long)target_size, (long)free_space, retry, enough_space);
-                }
-            }
-
-            if (!enough_space) {
-                retry = 0;
-            }
-
-            if (!enough_space && source_patch_value != NULL) {
-                // Using the original source, but not enough free space.  First
-                // copy the source file to cache, then delete it from the original
-                // location.
-
-                if (strncmp(source_filename, "MTD:", 4) == 0 ||
-                    strncmp(source_filename, "EMMC:", 5) == 0) {
-                    // It's impossible to free space on the target filesystem by
-                    // deleting the source if the source is a partition.  If
-                    // we're ever in a state where we need to do this, fail.
-                    printf("not enough free space for target but source "
-                           "is partition\n");
-                    return 1;
-                }
-
-                if (MakeFreeSpaceOnCache(source_file->size) < 0) {
-                    printf("not enough free space on /cache\n");
-                    return 1;
-                }
-
-                if (SaveFileContents(CACHE_TEMP_SOURCE, source_file) < 0) {
-                    printf("failed to back up source file\n");
-                    return 1;
-                }
-                made_copy = 1;
-                unlink(source_filename);
-
-                size_t free_space = FreeSpaceForFile(target_fs);
-                printf("(now %ld bytes free for target) ", (long)free_space);
-            }
-        }
-
-        const Value* patch;
-        if (source_patch_value != NULL) {
-            source_to_use = source_file;
-            patch = source_patch_value;
-        } else {
-            source_to_use = copy_file;
-            patch = copy_patch_value;
-        }
-
-        if (patch->type != VAL_BLOB) {
-            printf("patch is not a blob\n");
-            return 1;
-        }
-
-        SinkFn sink = NULL;
-        void* token = NULL;
-        output = -1;
-        outname = NULL;
-        if (strncmp(target_filename, "MTD:", 4) == 0 ||
-            strncmp(target_filename, "EMMC:", 5) == 0) {
-            // We store the decoded output in memory.
-            msi.buffer = malloc(target_size);
-            if (msi.buffer == NULL) {
-                printf("failed to alloc %ld bytes for output\n",
-                       (long)target_size);
-                return 1;
-            }
-            msi.pos = 0;
-            msi.size = target_size;
-            sink = MemorySink;
-            token = &msi;
-        } else {
-            // We write the decoded output to "<tgt-file>.patch".
-            outname = (char*)malloc(strlen(target_filename) + 10);
-            strcpy(outname, target_filename);
-            strcat(outname, ".patch");
-
-            output = open(outname, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC,
-                S_IRUSR | S_IWUSR);
-            if (output < 0) {
-                printf("failed to open output file %s: %s\n",
-                       outname, strerror(errno));
-                return 1;
-            }
-            sink = FileSink;
-            token = &output;
-        }
-
-        char* header = patch->data;
-        ssize_t header_bytes_read = patch->size;
-
-        SHA_init(&ctx);
-
-        int result;
-
-        if (header_bytes_read >= 8 &&
-            memcmp(header, "BSDIFF40", 8) == 0) {
-            result = ApplyBSDiffPatch(source_to_use->data, source_to_use->size,
-                                      patch, 0, sink, token, &ctx);
-        } else if (header_bytes_read >= 8 &&
-                   memcmp(header, "IMGDIFF2", 8) == 0) {
-            result = ApplyImagePatch(source_to_use->data, source_to_use->size,
-                                     patch, sink, token, &ctx, bonus_data);
-        } else {
-            printf("Unknown patch file format\n");
-            return 1;
-        }
-
-        if (output >= 0) {
-            if (fsync(output) != 0) {
-                printf("failed to fsync file \"%s\" (%s)\n", outname, strerror(errno));
-                result = 1;
-            }
-            if (close(output) != 0) {
-                printf("failed to close file \"%s\" (%s)\n", outname, strerror(errno));
-                result = 1;
-            }
-        }
-
-        if (result != 0) {
-            if (retry == 0) {
-                printf("applying patch failed\n");
-                return result != 0;
-            } else {
-                printf("applying patch failed; retrying\n");
-            }
-            if (outname != NULL) {
-                unlink(outname);
-            }
-        } else {
-            // succeeded; no need to retry
-            break;
-        }
-    } while (retry-- > 0);
-
-    const uint8_t* current_target_sha1 = SHA_final(&ctx);
-    if (memcmp(current_target_sha1, target_sha1, SHA_DIGEST_SIZE) != 0) {
-        printf("patch did not produce expected sha1\n");
-        return 1;
-    } else {
-        printf("now ");
-        print_short_sha1(target_sha1);
-        putchar('\n');
-    }
-
-    if (output < 0) {
-        // Copy the temp file to the partition.
-        if (WriteToPartition(msi.buffer, msi.pos, target_filename) != 0) {
-            printf("write of patched data to %s failed\n", target_filename);
-            return 1;
-        }
-        free(msi.buffer);
-    } else {
-        // Give the .patch file the same owner, group, and mode of the
-        // original source file.
-        if (chmod(outname, source_to_use->st.st_mode) != 0) {
-            printf("chmod of \"%s\" failed: %s\n", outname, strerror(errno));
-            return 1;
-        }
-        if (chown(outname, source_to_use->st.st_uid,
-                  source_to_use->st.st_gid) != 0) {
-            printf("chown of \"%s\" failed: %s\n", outname, strerror(errno));
-            return 1;
-        }
-
-        // Finally, rename the .patch file to replace the target file.
-        if (rename(outname, target_filename) != 0) {
-            printf("rename of .patch to \"%s\" failed: %s\n",
-                   target_filename, strerror(errno));
-            return 1;
-        }
-    }
-
-    // If this run of applypatch created the copy, and we're here, we
-    // can delete it.
-    if (made_copy) unlink(CACHE_TEMP_SOURCE);
-
-    // Success!
-    return 0;
-}
diff --git a/applypatch/applypatch.cpp b/applypatch/applypatch.cpp
new file mode 100644
index 0000000..7985fc0
--- /dev/null
+++ b/applypatch/applypatch.cpp
@@ -0,0 +1,994 @@
+/*
+ * Copyright (C) 2008 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <libgen.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/statfs.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <memory>
+#include <string>
+
+#include <android-base/strings.h>
+
+#include "openssl/sha.h"
+#include "applypatch.h"
+#include "mtdutils/mtdutils.h"
+#include "edify/expr.h"
+#include "ota_io.h"
+#include "print_sha1.h"
+
+static int LoadPartitionContents(const char* filename, FileContents* file);
+static ssize_t FileSink(const unsigned char* data, ssize_t len, void* token);
+static int GenerateTarget(FileContents* source_file,
+                          const Value* source_patch_value,
+                          FileContents* copy_file,
+                          const Value* copy_patch_value,
+                          const char* source_filename,
+                          const char* target_filename,
+                          const uint8_t target_sha1[SHA_DIGEST_LENGTH],
+                          size_t target_size,
+                          const Value* bonus_data);
+
+static bool mtd_partitions_scanned = false;
+
+// Read a file into memory; store the file contents and associated
+// metadata in *file.
+//
+// Return 0 on success.
+int LoadFileContents(const char* filename, FileContents* file) {
+    // A special 'filename' beginning with "MTD:" or "EMMC:" means to
+    // load the contents of a partition.
+    if (strncmp(filename, "MTD:", 4) == 0 ||
+        strncmp(filename, "EMMC:", 5) == 0) {
+        return LoadPartitionContents(filename, file);
+    }
+
+    if (stat(filename, &file->st) != 0) {
+        printf("failed to stat \"%s\": %s\n", filename, strerror(errno));
+        return -1;
+    }
+
+    std::vector<unsigned char> data(file->st.st_size);
+    FILE* f = ota_fopen(filename, "rb");
+    if (f == NULL) {
+        printf("failed to open \"%s\": %s\n", filename, strerror(errno));
+        return -1;
+    }
+
+    size_t bytes_read = ota_fread(data.data(), 1, data.size(), f);
+    if (bytes_read != data.size()) {
+        printf("short read of \"%s\" (%zu bytes of %zd)\n", filename, bytes_read, data.size());
+        ota_fclose(f);
+        return -1;
+    }
+    ota_fclose(f);
+    file->data = std::move(data);
+    SHA1(file->data.data(), file->data.size(), file->sha1);
+    return 0;
+}
+
+// Load the contents of an MTD or EMMC partition into the provided
+// FileContents.  filename should be a string of the form
+// "MTD:<partition_name>:<size_1>:<sha1_1>:<size_2>:<sha1_2>:..."  (or
+// "EMMC:<partition_device>:...").  The smallest size_n bytes for
+// which that prefix of the partition contents has the corresponding
+// sha1 hash will be loaded.  It is acceptable for a size value to be
+// repeated with different sha1s.  Will return 0 on success.
+//
+// This complexity is needed because if an OTA installation is
+// interrupted, the partition might contain either the source or the
+// target data, which might be of different lengths.  We need to know
+// the length in order to read from a partition (there is no
+// "end-of-file" marker), so the caller must specify the possible
+// lengths and the hash of the data, and we'll do the load expecting
+// to find one of those hashes.
+enum PartitionType { MTD, EMMC };
+
+static int LoadPartitionContents(const char* filename, FileContents* file) {
+    std::string copy(filename);
+    std::vector<std::string> pieces = android::base::Split(copy, ":");
+    if (pieces.size() < 4 || pieces.size() % 2 != 0) {
+        printf("LoadPartitionContents called with bad filename (%s)\n", filename);
+        return -1;
+    }
+
+    enum PartitionType type;
+    if (pieces[0] == "MTD") {
+        type = MTD;
+    } else if (pieces[0] == "EMMC") {
+        type = EMMC;
+    } else {
+        printf("LoadPartitionContents called with bad filename (%s)\n", filename);
+        return -1;
+    }
+    const char* partition = pieces[1].c_str();
+
+    size_t pairs = (pieces.size() - 2) / 2;    // # of (size, sha1) pairs in filename
+    std::vector<size_t> index(pairs);
+    std::vector<size_t> size(pairs);
+    std::vector<std::string> sha1sum(pairs);
+
+    for (size_t i = 0; i < pairs; ++i) {
+        size[i] = strtol(pieces[i*2+2].c_str(), NULL, 10);
+        if (size[i] == 0) {
+            printf("LoadPartitionContents called with bad size (%s)\n", filename);
+            return -1;
+        }
+        sha1sum[i] = pieces[i*2+3].c_str();
+        index[i] = i;
+    }
+
+    // Sort the index[] array so it indexes the pairs in order of increasing size.
+    sort(index.begin(), index.end(),
+        [&](const size_t& i, const size_t& j) {
+            return (size[i] < size[j]);
+        }
+    );
+
+    MtdReadContext* ctx = NULL;
+    FILE* dev = NULL;
+
+    switch (type) {
+        case MTD: {
+            if (!mtd_partitions_scanned) {
+                mtd_scan_partitions();
+                mtd_partitions_scanned = true;
+            }
+
+            const MtdPartition* mtd = mtd_find_partition_by_name(partition);
+            if (mtd == NULL) {
+                printf("mtd partition \"%s\" not found (loading %s)\n", partition, filename);
+                return -1;
+            }
+
+            ctx = mtd_read_partition(mtd);
+            if (ctx == NULL) {
+                printf("failed to initialize read of mtd partition \"%s\"\n", partition);
+                return -1;
+            }
+            break;
+        }
+
+        case EMMC:
+            dev = ota_fopen(partition, "rb");
+            if (dev == NULL) {
+                printf("failed to open emmc partition \"%s\": %s\n", partition, strerror(errno));
+                return -1;
+            }
+    }
+
+    SHA_CTX sha_ctx;
+    SHA1_Init(&sha_ctx);
+    uint8_t parsed_sha[SHA_DIGEST_LENGTH];
+
+    // Allocate enough memory to hold the largest size.
+    std::vector<unsigned char> data(size[index[pairs-1]]);
+    char* p = reinterpret_cast<char*>(data.data());
+    size_t data_size = 0;                // # bytes read so far
+    bool found = false;
+
+    for (size_t i = 0; i < pairs; ++i) {
+        // Read enough additional bytes to get us up to the next size. (Again,
+        // we're trying the possibilities in order of increasing size).
+        size_t next = size[index[i]] - data_size;
+        if (next > 0) {
+            size_t read = 0;
+            switch (type) {
+                case MTD:
+                    read = mtd_read_data(ctx, p, next);
+                    break;
+
+                case EMMC:
+                    read = ota_fread(p, 1, next, dev);
+                    break;
+            }
+            if (next != read) {
+                printf("short read (%zu bytes of %zu) for partition \"%s\"\n",
+                       read, next, partition);
+                return -1;
+            }
+            SHA1_Update(&sha_ctx, p, read);
+            data_size += read;
+            p += read;
+        }
+
+        // Duplicate the SHA context and finalize the duplicate so we can
+        // check it against this pair's expected hash.
+        SHA_CTX temp_ctx;
+        memcpy(&temp_ctx, &sha_ctx, sizeof(SHA_CTX));
+        uint8_t sha_so_far[SHA_DIGEST_LENGTH];
+        SHA1_Final(sha_so_far, &temp_ctx);
+
+        if (ParseSha1(sha1sum[index[i]].c_str(), parsed_sha) != 0) {
+            printf("failed to parse sha1 %s in %s\n", sha1sum[index[i]].c_str(), filename);
+            return -1;
+        }
+
+        if (memcmp(sha_so_far, parsed_sha, SHA_DIGEST_LENGTH) == 0) {
+            // we have a match.  stop reading the partition; we'll return
+            // the data we've read so far.
+            printf("partition read matched size %zu sha %s\n",
+                   size[index[i]], sha1sum[index[i]].c_str());
+            found = true;
+            break;
+        }
+    }
+
+    switch (type) {
+        case MTD:
+            mtd_read_close(ctx);
+            break;
+
+        case EMMC:
+            ota_fclose(dev);
+            break;
+    }
+
+
+    if (!found) {
+        // Ran off the end of the list of (size,sha1) pairs without finding a match.
+        printf("contents of partition \"%s\" didn't match %s\n", partition, filename);
+        return -1;
+    }
+
+    SHA1_Final(file->sha1, &sha_ctx);
+
+    data.resize(data_size);
+    file->data = std::move(data);
+    // Fake some stat() info.
+    file->st.st_mode = 0644;
+    file->st.st_uid = 0;
+    file->st.st_gid = 0;
+
+    return 0;
+}
+
+
+// Save the contents of the given FileContents object under the given
+// filename.  Return 0 on success.
+int SaveFileContents(const char* filename, const FileContents* file) {
+    int fd = ota_open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, S_IRUSR | S_IWUSR);
+    if (fd < 0) {
+        printf("failed to open \"%s\" for write: %s\n", filename, strerror(errno));
+        return -1;
+    }
+
+    ssize_t bytes_written = FileSink(file->data.data(), file->data.size(), &fd);
+    if (bytes_written != static_cast<ssize_t>(file->data.size())) {
+        printf("short write of \"%s\" (%zd bytes of %zu) (%s)\n",
+               filename, bytes_written, file->data.size(), strerror(errno));
+        ota_close(fd);
+        return -1;
+    }
+    if (ota_fsync(fd) != 0) {
+        printf("fsync of \"%s\" failed: %s\n", filename, strerror(errno));
+        return -1;
+    }
+    if (ota_close(fd) != 0) {
+        printf("close of \"%s\" failed: %s\n", filename, strerror(errno));
+        return -1;
+    }
+
+    if (chmod(filename, file->st.st_mode) != 0) {
+        printf("chmod of \"%s\" failed: %s\n", filename, strerror(errno));
+        return -1;
+    }
+    if (chown(filename, file->st.st_uid, file->st.st_gid) != 0) {
+        printf("chown of \"%s\" failed: %s\n", filename, strerror(errno));
+        return -1;
+    }
+
+    return 0;
+}
+
+// Write a memory buffer to 'target' partition, a string of the form
+// "MTD:<partition>[:...]" or "EMMC:<partition_device>[:...]". The target name
+// might contain multiple colons, but WriteToPartition() only uses the first
+// two and ignores the rest. Return 0 on success.
+int WriteToPartition(const unsigned char* data, size_t len, const char* target) {
+    std::string copy(target);
+    std::vector<std::string> pieces = android::base::Split(copy, ":");
+
+    if (pieces.size() < 2) {
+        printf("WriteToPartition called with bad target (%s)\n", target);
+        return -1;
+    }
+
+    enum PartitionType type;
+    if (pieces[0] == "MTD") {
+        type = MTD;
+    } else if (pieces[0] == "EMMC") {
+        type = EMMC;
+    } else {
+        printf("WriteToPartition called with bad target (%s)\n", target);
+        return -1;
+    }
+    const char* partition = pieces[1].c_str();
+
+    switch (type) {
+        case MTD: {
+            if (!mtd_partitions_scanned) {
+                mtd_scan_partitions();
+                mtd_partitions_scanned = true;
+            }
+
+            const MtdPartition* mtd = mtd_find_partition_by_name(partition);
+            if (mtd == NULL) {
+                printf("mtd partition \"%s\" not found for writing\n", partition);
+                return -1;
+            }
+
+            MtdWriteContext* ctx = mtd_write_partition(mtd);
+            if (ctx == NULL) {
+                printf("failed to init mtd partition \"%s\" for writing\n", partition);
+                return -1;
+            }
+
+            size_t written = mtd_write_data(ctx, reinterpret_cast<const char*>(data), len);
+            if (written != len) {
+                printf("only wrote %zu of %zu bytes to MTD %s\n", written, len, partition);
+                mtd_write_close(ctx);
+                return -1;
+            }
+
+            if (mtd_erase_blocks(ctx, -1) < 0) {
+                printf("error finishing mtd write of %s\n", partition);
+                mtd_write_close(ctx);
+                return -1;
+            }
+
+            if (mtd_write_close(ctx)) {
+                printf("error closing mtd write of %s\n", partition);
+                return -1;
+            }
+            break;
+        }
+
+        case EMMC: {
+            size_t start = 0;
+            bool success = false;
+            int fd = ota_open(partition, O_RDWR | O_SYNC);
+            if (fd < 0) {
+                printf("failed to open %s: %s\n", partition, strerror(errno));
+                return -1;
+            }
+
+            for (size_t attempt = 0; attempt < 2; ++attempt) {
+                if (TEMP_FAILURE_RETRY(lseek(fd, start, SEEK_SET)) == -1) {
+                    printf("failed seek on %s: %s\n", partition, strerror(errno));
+                    return -1;
+                }
+                while (start < len) {
+                    size_t to_write = len - start;
+                    if (to_write > 1<<20) to_write = 1<<20;
+
+                    ssize_t written = TEMP_FAILURE_RETRY(ota_write(fd, data+start, to_write));
+                    if (written == -1) {
+                        printf("failed write writing to %s: %s\n", partition, strerror(errno));
+                        return -1;
+                    }
+                    start += written;
+                }
+                if (ota_fsync(fd) != 0) {
+                   printf("failed to sync to %s (%s)\n", partition, strerror(errno));
+                   return -1;
+                }
+                if (ota_close(fd) != 0) {
+                   printf("failed to close %s (%s)\n", partition, strerror(errno));
+                   return -1;
+                }
+                fd = ota_open(partition, O_RDONLY);
+                if (fd < 0) {
+                   printf("failed to reopen %s for verify (%s)\n", partition, strerror(errno));
+                   return -1;
+                }
+
+                // Drop caches so our subsequent verification read
+                // won't just be reading the cache.
+                sync();
+                int dc = ota_open("/proc/sys/vm/drop_caches", O_WRONLY);
+                if (TEMP_FAILURE_RETRY(ota_write(dc, "3\n", 2)) == -1) {
+                    printf("write to /proc/sys/vm/drop_caches failed: %s\n", strerror(errno));
+                } else {
+                    printf("  caches dropped\n");
+                }
+                ota_close(dc);
+                sleep(1);
+
+                // verify
+                if (TEMP_FAILURE_RETRY(lseek(fd, 0, SEEK_SET)) == -1) {
+                    printf("failed to seek back to beginning of %s: %s\n",
+                           partition, strerror(errno));
+                    return -1;
+                }
+                unsigned char buffer[4096];
+                start = len;
+                for (size_t p = 0; p < len; p += sizeof(buffer)) {
+                    size_t to_read = len - p;
+                    if (to_read > sizeof(buffer)) {
+                        to_read = sizeof(buffer);
+                    }
+
+                    size_t so_far = 0;
+                    while (so_far < to_read) {
+                        ssize_t read_count =
+                                TEMP_FAILURE_RETRY(ota_read(fd, buffer+so_far, to_read-so_far));
+                        if (read_count == -1) {
+                            printf("verify read error %s at %zu: %s\n",
+                                   partition, p, strerror(errno));
+                            return -1;
+                        }
+                        if (static_cast<size_t>(read_count) < to_read) {
+                            printf("short verify read %s at %zu: %zd %zu %s\n",
+                                   partition, p, read_count, to_read, strerror(errno));
+                        }
+                        so_far += read_count;
+                    }
+
+                    if (memcmp(buffer, data+p, to_read) != 0) {
+                        printf("verification failed starting at %zu\n", p);
+                        start = p;
+                        break;
+                    }
+                }
+
+                if (start == len) {
+                    printf("verification read succeeded (attempt %zu)\n", attempt+1);
+                    success = true;
+                    break;
+                }
+            }
+
+            if (!success) {
+                printf("failed to verify after all attempts\n");
+                return -1;
+            }
+
+            if (ota_close(fd) != 0) {
+                printf("error closing %s (%s)\n", partition, strerror(errno));
+                return -1;
+            }
+            sync();
+            break;
+        }
+    }
+
+    return 0;
+}
+
+
+// Take a string 'str' of 40 hex digits and parse it into the 20
+// byte array 'digest'.  'str' may contain only the digest or be of
+// the form "<digest>:<anything>".  Return 0 on success, -1 on any
+// error.
+int ParseSha1(const char* str, uint8_t* digest) {
+    const char* ps = str;
+    uint8_t* pd = digest;
+    for (int i = 0; i < SHA_DIGEST_LENGTH * 2; ++i, ++ps) {
+        int digit;
+        if (*ps >= '0' && *ps <= '9') {
+            digit = *ps - '0';
+        } else if (*ps >= 'a' && *ps <= 'f') {
+            digit = *ps - 'a' + 10;
+        } else if (*ps >= 'A' && *ps <= 'F') {
+            digit = *ps - 'A' + 10;
+        } else {
+            return -1;
+        }
+        if (i % 2 == 0) {
+            *pd = digit << 4;
+        } else {
+            *pd |= digit;
+            ++pd;
+        }
+    }
+    if (*ps != '\0') return -1;
+    return 0;
+}
+
+// Search an array of sha1 strings for one matching the given sha1.
+// Return the index of the match on success, or -1 if no match is
+// found.
+int FindMatchingPatch(uint8_t* sha1, char* const * const patch_sha1_str,
+                      int num_patches) {
+    uint8_t patch_sha1[SHA_DIGEST_LENGTH];
+    for (int i = 0; i < num_patches; ++i) {
+        if (ParseSha1(patch_sha1_str[i], patch_sha1) == 0 &&
+            memcmp(patch_sha1, sha1, SHA_DIGEST_LENGTH) == 0) {
+            return i;
+        }
+    }
+    return -1;
+}
+
+// Returns 0 if the contents of the file (argv[2]) or the cached file
+// match any of the sha1's on the command line (argv[3:]).  Returns
+// nonzero otherwise.
+int applypatch_check(const char* filename, int num_patches,
+                     char** const patch_sha1_str) {
+    FileContents file;
+
+    // It's okay to specify no sha1s; the check will pass if the
+    // LoadFileContents is successful.  (Useful for reading
+    // partitions, where the filename encodes the sha1s; no need to
+    // check them twice.)
+    if (LoadFileContents(filename, &file) != 0 ||
+        (num_patches > 0 &&
+         FindMatchingPatch(file.sha1, patch_sha1_str, num_patches) < 0)) {
+        printf("file \"%s\" doesn't have any of expected "
+               "sha1 sums; checking cache\n", filename);
+
+        // If the source file is missing or corrupted, it might be because
+        // we were killed in the middle of patching it.  A copy of it
+        // should have been made in CACHE_TEMP_SOURCE.  If that file
+        // exists and matches the sha1 we're looking for, the check still
+        // passes.
+
+        if (LoadFileContents(CACHE_TEMP_SOURCE, &file) != 0) {
+            printf("failed to load cache file\n");
+            return 1;
+        }
+
+        if (FindMatchingPatch(file.sha1, patch_sha1_str, num_patches) < 0) {
+            printf("cache bits don't match any sha1 for \"%s\"\n", filename);
+            return 1;
+        }
+    }
+    return 0;
+}
+
+int ShowLicenses() {
+    ShowBSDiffLicense();
+    return 0;
+}
+
+ssize_t FileSink(const unsigned char* data, ssize_t len, void* token) {
+    int fd = *static_cast<int*>(token);
+    ssize_t done = 0;
+    ssize_t wrote;
+    while (done < len) {
+        wrote = TEMP_FAILURE_RETRY(ota_write(fd, data+done, len-done));
+        if (wrote == -1) {
+            printf("error writing %zd bytes: %s\n", (len-done), strerror(errno));
+            return done;
+        }
+        done += wrote;
+    }
+    return done;
+}
+
+ssize_t MemorySink(const unsigned char* data, ssize_t len, void* token) {
+    std::string* s = static_cast<std::string*>(token);
+    s->append(reinterpret_cast<const char*>(data), len);
+    return len;
+}
+
+// Return the amount of free space (in bytes) on the filesystem
+// containing filename.  filename must exist.  Return -1 on error.
+size_t FreeSpaceForFile(const char* filename) {
+    struct statfs sf;
+    if (statfs(filename, &sf) != 0) {
+        printf("failed to statfs %s: %s\n", filename, strerror(errno));
+        return -1;
+    }
+    return sf.f_bsize * sf.f_bavail;
+}
+
+int CacheSizeCheck(size_t bytes) {
+    if (MakeFreeSpaceOnCache(bytes) < 0) {
+        printf("unable to make %ld bytes available on /cache\n", (long)bytes);
+        return 1;
+    } else {
+        return 0;
+    }
+}
+
+// This function applies binary patches to files in a way that is safe
+// (the original file is not touched until we have the desired
+// replacement for it) and idempotent (it's okay to run this program
+// multiple times).
+//
+// - if the sha1 hash of <target_filename> is <target_sha1_string>,
+//   does nothing and exits successfully.
+//
+// - otherwise, if the sha1 hash of <source_filename> is one of the
+//   entries in <patch_sha1_str>, the corresponding patch from
+//   <patch_data> (which must be a VAL_BLOB) is applied to produce a
+//   new file (the type of patch is automatically detected from the
+//   blob data).  If that new file has sha1 hash <target_sha1_str>,
+//   moves it to replace <target_filename>, and exits successfully.
+//   Note that if <source_filename> and <target_filename> are not the
+//   same, <source_filename> is NOT deleted on success.
+//   <target_filename> may be the string "-" to mean "the same as
+//   source_filename".
+//
+// - otherwise, or if any error is encountered, exits with non-zero
+//   status.
+//
+// <source_filename> may refer to a partition to read the source data.
+// See the comments for the LoadPartitionContents() function above
+// for the format of such a filename.
+
+int applypatch(const char* source_filename,
+               const char* target_filename,
+               const char* target_sha1_str,
+               size_t target_size,
+               int num_patches,
+               char** const patch_sha1_str,
+               Value** patch_data,
+               Value* bonus_data) {
+    printf("patch %s: ", source_filename);
+
+    if (target_filename[0] == '-' && target_filename[1] == '\0') {
+        target_filename = source_filename;
+    }
+
+    uint8_t target_sha1[SHA_DIGEST_LENGTH];
+    if (ParseSha1(target_sha1_str, target_sha1) != 0) {
+        printf("failed to parse tgt-sha1 \"%s\"\n", target_sha1_str);
+        return 1;
+    }
+
+    FileContents copy_file;
+    FileContents source_file;
+    const Value* source_patch_value = NULL;
+    const Value* copy_patch_value = NULL;
+
+    // We try to load the target file into the source_file object.
+    if (LoadFileContents(target_filename, &source_file) == 0) {
+        if (memcmp(source_file.sha1, target_sha1, SHA_DIGEST_LENGTH) == 0) {
+            // The early-exit case:  the patch was already applied, this file
+            // has the desired hash, nothing for us to do.
+            printf("already %s\n", short_sha1(target_sha1).c_str());
+            return 0;
+        }
+    }
+
+    if (source_file.data.empty() ||
+        (target_filename != source_filename &&
+         strcmp(target_filename, source_filename) != 0)) {
+        // Need to load the source file:  either we failed to load the
+        // target file, or we did but it's different from the source file.
+        source_file.data.clear();
+        LoadFileContents(source_filename, &source_file);
+    }
+
+    if (!source_file.data.empty()) {
+        int to_use = FindMatchingPatch(source_file.sha1, patch_sha1_str, num_patches);
+        if (to_use >= 0) {
+            source_patch_value = patch_data[to_use];
+        }
+    }
+
+    if (source_patch_value == NULL) {
+        source_file.data.clear();
+        printf("source file is bad; trying copy\n");
+
+        if (LoadFileContents(CACHE_TEMP_SOURCE, &copy_file) < 0) {
+            // fail.
+            printf("failed to read copy file\n");
+            return 1;
+        }
+
+        int to_use = FindMatchingPatch(copy_file.sha1, patch_sha1_str, num_patches);
+        if (to_use >= 0) {
+            copy_patch_value = patch_data[to_use];
+        }
+
+        if (copy_patch_value == NULL) {
+            // fail.
+            printf("copy file doesn't match source SHA-1s either\n");
+            return 1;
+        }
+    }
+
+    return GenerateTarget(&source_file, source_patch_value,
+                          &copy_file, copy_patch_value,
+                          source_filename, target_filename,
+                          target_sha1, target_size, bonus_data);
+}
+
+/*
+ * This function flashes a given image to the target partition. It verifies
+ * the target cheksum first, and will return if target has the desired hash.
+ * It checks the checksum of the given source image before flashing, and
+ * verifies the target partition afterwards. The function is idempotent.
+ * Returns zero on success.
+ */
+int applypatch_flash(const char* source_filename, const char* target_filename,
+                     const char* target_sha1_str, size_t target_size) {
+    printf("flash %s: ", target_filename);
+
+    uint8_t target_sha1[SHA_DIGEST_LENGTH];
+    if (ParseSha1(target_sha1_str, target_sha1) != 0) {
+        printf("failed to parse tgt-sha1 \"%s\"\n", target_sha1_str);
+        return 1;
+    }
+
+    FileContents source_file;
+    std::string target_str(target_filename);
+
+    std::vector<std::string> pieces = android::base::Split(target_str, ":");
+    if (pieces.size() != 2 || (pieces[0] != "MTD" && pieces[0] != "EMMC")) {
+        printf("invalid target name \"%s\"", target_filename);
+        return 1;
+    }
+
+    // Load the target into the source_file object to see if already applied.
+    pieces.push_back(std::to_string(target_size));
+    pieces.push_back(target_sha1_str);
+    std::string fullname = android::base::Join(pieces, ':');
+    if (LoadPartitionContents(fullname.c_str(), &source_file) == 0 &&
+        memcmp(source_file.sha1, target_sha1, SHA_DIGEST_LENGTH) == 0) {
+        // The early-exit case: the image was already applied, this partition
+        // has the desired hash, nothing for us to do.
+        printf("already %s\n", short_sha1(target_sha1).c_str());
+        return 0;
+    }
+
+    if (LoadFileContents(source_filename, &source_file) == 0) {
+        if (memcmp(source_file.sha1, target_sha1, SHA_DIGEST_LENGTH) != 0) {
+            // The source doesn't have desired checksum.
+            printf("source \"%s\" doesn't have expected sha1 sum\n", source_filename);
+            printf("expected: %s, found: %s\n", short_sha1(target_sha1).c_str(),
+                    short_sha1(source_file.sha1).c_str());
+            return 1;
+        }
+    }
+
+    if (WriteToPartition(source_file.data.data(), target_size, target_filename) != 0) {
+        printf("write of copied data to %s failed\n", target_filename);
+        return 1;
+    }
+    return 0;
+}
+
+static int GenerateTarget(FileContents* source_file,
+                          const Value* source_patch_value,
+                          FileContents* copy_file,
+                          const Value* copy_patch_value,
+                          const char* source_filename,
+                          const char* target_filename,
+                          const uint8_t target_sha1[SHA_DIGEST_LENGTH],
+                          size_t target_size,
+                          const Value* bonus_data) {
+    int retry = 1;
+    SHA_CTX ctx;
+    std::string memory_sink_str;
+    FileContents* source_to_use;
+    int made_copy = 0;
+
+    bool target_is_partition = (strncmp(target_filename, "MTD:", 4) == 0 ||
+                                strncmp(target_filename, "EMMC:", 5) == 0);
+    const std::string tmp_target_filename = std::string(target_filename) + ".patch";
+
+    // assume that target_filename (eg "/system/app/Foo.apk") is located
+    // on the same filesystem as its top-level directory ("/system").
+    // We need something that exists for calling statfs().
+    std::string target_fs = target_filename;
+    auto slash_pos = target_fs.find('/', 1);
+    if (slash_pos != std::string::npos) {
+        target_fs.resize(slash_pos);
+    }
+
+    const Value* patch;
+    if (source_patch_value != NULL) {
+        source_to_use = source_file;
+        patch = source_patch_value;
+    } else {
+        source_to_use = copy_file;
+        patch = copy_patch_value;
+    }
+    if (patch->type != VAL_BLOB) {
+        printf("patch is not a blob\n");
+        return 1;
+    }
+    char* header = patch->data;
+    ssize_t header_bytes_read = patch->size;
+    bool use_bsdiff = false;
+    if (header_bytes_read >= 8 && memcmp(header, "BSDIFF40", 8) == 0) {
+        use_bsdiff = true;
+    } else if (header_bytes_read >= 8 && memcmp(header, "IMGDIFF2", 8) == 0) {
+        use_bsdiff = false;
+    } else {
+        printf("Unknown patch file format\n");
+        return 1;
+    }
+
+    do {
+        // Is there enough room in the target filesystem to hold the patched
+        // file?
+
+        if (target_is_partition) {
+            // If the target is a partition, we're actually going to
+            // write the output to /tmp and then copy it to the
+            // partition.  statfs() always returns 0 blocks free for
+            // /tmp, so instead we'll just assume that /tmp has enough
+            // space to hold the file.
+
+            // We still write the original source to cache, in case
+            // the partition write is interrupted.
+            if (MakeFreeSpaceOnCache(source_file->data.size()) < 0) {
+                printf("not enough free space on /cache\n");
+                return 1;
+            }
+            if (SaveFileContents(CACHE_TEMP_SOURCE, source_file) < 0) {
+                printf("failed to back up source file\n");
+                return 1;
+            }
+            made_copy = 1;
+            retry = 0;
+        } else {
+            int enough_space = 0;
+            if (retry > 0) {
+                size_t free_space = FreeSpaceForFile(target_fs.c_str());
+                enough_space =
+                    (free_space > (256 << 10)) &&          // 256k (two-block) minimum
+                    (free_space > (target_size * 3 / 2));  // 50% margin of error
+                if (!enough_space) {
+                    printf("target %zu bytes; free space %zu bytes; retry %d; enough %d\n",
+                           target_size, free_space, retry, enough_space);
+                }
+            }
+
+            if (!enough_space) {
+                retry = 0;
+            }
+
+            if (!enough_space && source_patch_value != NULL) {
+                // Using the original source, but not enough free space.  First
+                // copy the source file to cache, then delete it from the original
+                // location.
+
+                if (strncmp(source_filename, "MTD:", 4) == 0 ||
+                    strncmp(source_filename, "EMMC:", 5) == 0) {
+                    // It's impossible to free space on the target filesystem by
+                    // deleting the source if the source is a partition.  If
+                    // we're ever in a state where we need to do this, fail.
+                    printf("not enough free space for target but source is partition\n");
+                    return 1;
+                }
+
+                if (MakeFreeSpaceOnCache(source_file->data.size()) < 0) {
+                    printf("not enough free space on /cache\n");
+                    return 1;
+                }
+
+                if (SaveFileContents(CACHE_TEMP_SOURCE, source_file) < 0) {
+                    printf("failed to back up source file\n");
+                    return 1;
+                }
+                made_copy = 1;
+                unlink(source_filename);
+
+                size_t free_space = FreeSpaceForFile(target_fs.c_str());
+                printf("(now %zu bytes free for target) ", free_space);
+            }
+        }
+
+
+        SinkFn sink = NULL;
+        void* token = NULL;
+        int output_fd = -1;
+        if (target_is_partition) {
+            // We store the decoded output in memory.
+            sink = MemorySink;
+            token = &memory_sink_str;
+        } else {
+            // We write the decoded output to "<tgt-file>.patch".
+            output_fd = ota_open(tmp_target_filename.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_SYNC,
+                          S_IRUSR | S_IWUSR);
+            if (output_fd < 0) {
+                printf("failed to open output file %s: %s\n", tmp_target_filename.c_str(),
+                       strerror(errno));
+                return 1;
+            }
+            sink = FileSink;
+            token = &output_fd;
+        }
+
+
+        SHA1_Init(&ctx);
+
+        int result;
+        if (use_bsdiff) {
+            result = ApplyBSDiffPatch(source_to_use->data.data(), source_to_use->data.size(),
+                                      patch, 0, sink, token, &ctx);
+        } else {
+            result = ApplyImagePatch(source_to_use->data.data(), source_to_use->data.size(),
+                                     patch, sink, token, &ctx, bonus_data);
+        }
+
+        if (!target_is_partition) {
+            if (ota_fsync(output_fd) != 0) {
+                printf("failed to fsync file \"%s\" (%s)\n", tmp_target_filename.c_str(),
+                       strerror(errno));
+                result = 1;
+            }
+            if (ota_close(output_fd) != 0) {
+                printf("failed to close file \"%s\" (%s)\n", tmp_target_filename.c_str(),
+                       strerror(errno));
+                result = 1;
+            }
+        }
+
+        if (result != 0) {
+            if (retry == 0) {
+                printf("applying patch failed\n");
+                return result != 0;
+            } else {
+                printf("applying patch failed; retrying\n");
+            }
+            if (!target_is_partition) {
+                unlink(tmp_target_filename.c_str());
+            }
+        } else {
+            // succeeded; no need to retry
+            break;
+        }
+    } while (retry-- > 0);
+
+    uint8_t current_target_sha1[SHA_DIGEST_LENGTH];
+    SHA1_Final(current_target_sha1, &ctx);
+    if (memcmp(current_target_sha1, target_sha1, SHA_DIGEST_LENGTH) != 0) {
+        printf("patch did not produce expected sha1\n");
+        return 1;
+    } else {
+        printf("now %s\n", short_sha1(target_sha1).c_str());
+    }
+
+    if (target_is_partition) {
+        // Copy the temp file to the partition.
+        if (WriteToPartition(reinterpret_cast<const unsigned char*>(memory_sink_str.c_str()),
+                             memory_sink_str.size(), target_filename) != 0) {
+            printf("write of patched data to %s failed\n", target_filename);
+            return 1;
+        }
+    } else {
+        // Give the .patch file the same owner, group, and mode of the
+        // original source file.
+        if (chmod(tmp_target_filename.c_str(), source_to_use->st.st_mode) != 0) {
+            printf("chmod of \"%s\" failed: %s\n", tmp_target_filename.c_str(), strerror(errno));
+            return 1;
+        }
+        if (chown(tmp_target_filename.c_str(), source_to_use->st.st_uid, source_to_use->st.st_gid) != 0) {
+            printf("chown of \"%s\" failed: %s\n", tmp_target_filename.c_str(), strerror(errno));
+            return 1;
+        }
+
+        // Finally, rename the .patch file to replace the target file.
+        if (rename(tmp_target_filename.c_str(), target_filename) != 0) {
+            printf("rename of .patch to \"%s\" failed: %s\n", target_filename, strerror(errno));
+            return 1;
+        }
+    }
+
+    // If this run of applypatch created the copy, and we're here, we
+    // can delete it.
+    if (made_copy) {
+        unlink(CACHE_TEMP_SOURCE);
+    }
+
+    // Success!
+    return 0;
+}
diff --git a/applypatch/applypatch.h b/applypatch/applypatch.h
index edec848..f392c55 100644
--- a/applypatch/applypatch.h
+++ b/applypatch/applypatch.h
@@ -18,20 +18,17 @@
 #define _APPLYPATCH_H
 
 #include <sys/stat.h>
-#include "mincrypt/sha.h"
+
+#include <vector>
+
+#include "openssl/sha.h"
 #include "edify/expr.h"
 
-typedef struct _Patch {
-  uint8_t sha1[SHA_DIGEST_SIZE];
-  const char* patch_filename;
-} Patch;
-
-typedef struct _FileContents {
-  uint8_t sha1[SHA_DIGEST_SIZE];
-  unsigned char* data;
-  ssize_t size;
+struct FileContents {
+  uint8_t sha1[SHA_DIGEST_LENGTH];
+  std::vector<unsigned char> data;
   struct stat st;
-} FileContents;
+};
 
 // When there isn't enough room on the target filesystem to hold the
 // patched version of the file, we copy the original here and delete
@@ -48,6 +45,8 @@
 int CacheSizeCheck(size_t bytes);
 int ParseSha1(const char* str, uint8_t* digest);
 
+int applypatch_flash(const char* source_filename, const char* target_filename,
+                     const char* target_sha1_str, size_t target_size);
 int applypatch(const char* source_filename,
                const char* target_filename,
                const char* target_sha1_str,
@@ -66,22 +65,22 @@
 int FindMatchingPatch(uint8_t* sha1, char* const * const patch_sha1_str,
                       int num_patches);
 
-// bsdiff.c
+// bsdiff.cpp
 void ShowBSDiffLicense();
 int ApplyBSDiffPatch(const unsigned char* old_data, ssize_t old_size,
                      const Value* patch, ssize_t patch_offset,
                      SinkFn sink, void* token, SHA_CTX* ctx);
 int ApplyBSDiffPatchMem(const unsigned char* old_data, ssize_t old_size,
                         const Value* patch, ssize_t patch_offset,
-                        unsigned char** new_data, ssize_t* new_size);
+                        std::vector<unsigned char>* new_data);
 
-// imgpatch.c
+// imgpatch.cpp
 int ApplyImagePatch(const unsigned char* old_data, ssize_t old_size,
                     const Value* patch,
                     SinkFn sink, void* token, SHA_CTX* ctx,
                     const Value* bonus_data);
 
-// freecache.c
+// freecache.cpp
 int MakeFreeSpaceOnCache(size_t bytes_needed);
 
 #endif
diff --git a/applypatch/bsdiff.c b/applypatch/bsdiff.c
deleted file mode 100644
index b6d342b..0000000
--- a/applypatch/bsdiff.c
+++ /dev/null
@@ -1,410 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * Most of this code comes from bsdiff.c from the bsdiff-4.3
- * distribution, which is:
- */
-
-/*-
- * Copyright 2003-2005 Colin Percival
- * All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted providing that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
- * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <sys/types.h>
-
-#include <bzlib.h>
-#include <err.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#define MIN(x,y) (((x)<(y)) ? (x) : (y))
-
-static void split(off_t *I,off_t *V,off_t start,off_t len,off_t h)
-{
-	off_t i,j,k,x,tmp,jj,kk;
-
-	if(len<16) {
-		for(k=start;k<start+len;k+=j) {
-			j=1;x=V[I[k]+h];
-			for(i=1;k+i<start+len;i++) {
-				if(V[I[k+i]+h]<x) {
-					x=V[I[k+i]+h];
-					j=0;
-				};
-				if(V[I[k+i]+h]==x) {
-					tmp=I[k+j];I[k+j]=I[k+i];I[k+i]=tmp;
-					j++;
-				};
-			};
-			for(i=0;i<j;i++) V[I[k+i]]=k+j-1;
-			if(j==1) I[k]=-1;
-		};
-		return;
-	};
-
-	x=V[I[start+len/2]+h];
-	jj=0;kk=0;
-	for(i=start;i<start+len;i++) {
-		if(V[I[i]+h]<x) jj++;
-		if(V[I[i]+h]==x) kk++;
-	};
-	jj+=start;kk+=jj;
-
-	i=start;j=0;k=0;
-	while(i<jj) {
-		if(V[I[i]+h]<x) {
-			i++;
-		} else if(V[I[i]+h]==x) {
-			tmp=I[i];I[i]=I[jj+j];I[jj+j]=tmp;
-			j++;
-		} else {
-			tmp=I[i];I[i]=I[kk+k];I[kk+k]=tmp;
-			k++;
-		};
-	};
-
-	while(jj+j<kk) {
-		if(V[I[jj+j]+h]==x) {
-			j++;
-		} else {
-			tmp=I[jj+j];I[jj+j]=I[kk+k];I[kk+k]=tmp;
-			k++;
-		};
-	};
-
-	if(jj>start) split(I,V,start,jj-start,h);
-
-	for(i=0;i<kk-jj;i++) V[I[jj+i]]=kk-1;
-	if(jj==kk-1) I[jj]=-1;
-
-	if(start+len>kk) split(I,V,kk,start+len-kk,h);
-}
-
-static void qsufsort(off_t *I,off_t *V,u_char *old,off_t oldsize)
-{
-	off_t buckets[256];
-	off_t i,h,len;
-
-	for(i=0;i<256;i++) buckets[i]=0;
-	for(i=0;i<oldsize;i++) buckets[old[i]]++;
-	for(i=1;i<256;i++) buckets[i]+=buckets[i-1];
-	for(i=255;i>0;i--) buckets[i]=buckets[i-1];
-	buckets[0]=0;
-
-	for(i=0;i<oldsize;i++) I[++buckets[old[i]]]=i;
-	I[0]=oldsize;
-	for(i=0;i<oldsize;i++) V[i]=buckets[old[i]];
-	V[oldsize]=0;
-	for(i=1;i<256;i++) if(buckets[i]==buckets[i-1]+1) I[buckets[i]]=-1;
-	I[0]=-1;
-
-	for(h=1;I[0]!=-(oldsize+1);h+=h) {
-		len=0;
-		for(i=0;i<oldsize+1;) {
-			if(I[i]<0) {
-				len-=I[i];
-				i-=I[i];
-			} else {
-				if(len) I[i-len]=-len;
-				len=V[I[i]]+1-i;
-				split(I,V,i,len,h);
-				i+=len;
-				len=0;
-			};
-		};
-		if(len) I[i-len]=-len;
-	};
-
-	for(i=0;i<oldsize+1;i++) I[V[i]]=i;
-}
-
-static off_t matchlen(u_char *old,off_t oldsize,u_char *new,off_t newsize)
-{
-	off_t i;
-
-	for(i=0;(i<oldsize)&&(i<newsize);i++)
-		if(old[i]!=new[i]) break;
-
-	return i;
-}
-
-static off_t search(off_t *I,u_char *old,off_t oldsize,
-		u_char *new,off_t newsize,off_t st,off_t en,off_t *pos)
-{
-	off_t x,y;
-
-	if(en-st<2) {
-		x=matchlen(old+I[st],oldsize-I[st],new,newsize);
-		y=matchlen(old+I[en],oldsize-I[en],new,newsize);
-
-		if(x>y) {
-			*pos=I[st];
-			return x;
-		} else {
-			*pos=I[en];
-			return y;
-		}
-	};
-
-	x=st+(en-st)/2;
-	if(memcmp(old+I[x],new,MIN(oldsize-I[x],newsize))<0) {
-		return search(I,old,oldsize,new,newsize,x,en,pos);
-	} else {
-		return search(I,old,oldsize,new,newsize,st,x,pos);
-	};
-}
-
-static void offtout(off_t x,u_char *buf)
-{
-	off_t y;
-
-	if(x<0) y=-x; else y=x;
-
-		buf[0]=y%256;y-=buf[0];
-	y=y/256;buf[1]=y%256;y-=buf[1];
-	y=y/256;buf[2]=y%256;y-=buf[2];
-	y=y/256;buf[3]=y%256;y-=buf[3];
-	y=y/256;buf[4]=y%256;y-=buf[4];
-	y=y/256;buf[5]=y%256;y-=buf[5];
-	y=y/256;buf[6]=y%256;y-=buf[6];
-	y=y/256;buf[7]=y%256;
-
-	if(x<0) buf[7]|=0x80;
-}
-
-// This is main() from bsdiff.c, with the following changes:
-//
-//    - old, oldsize, new, newsize are arguments; we don't load this
-//      data from files.  old and new are owned by the caller; we
-//      don't free them at the end.
-//
-//    - the "I" block of memory is owned by the caller, who passes a
-//      pointer to *I, which can be NULL.  This way if we call
-//      bsdiff() multiple times with the same 'old' data, we only do
-//      the qsufsort() step the first time.
-//
-int bsdiff(u_char* old, off_t oldsize, off_t** IP, u_char* new, off_t newsize,
-           const char* patch_filename)
-{
-	int fd;
-	off_t *I;
-	off_t scan,pos,len;
-	off_t lastscan,lastpos,lastoffset;
-	off_t oldscore,scsc;
-	off_t s,Sf,lenf,Sb,lenb;
-	off_t overlap,Ss,lens;
-	off_t i;
-	off_t dblen,eblen;
-	u_char *db,*eb;
-	u_char buf[8];
-	u_char header[32];
-	FILE * pf;
-	BZFILE * pfbz2;
-	int bz2err;
-
-        if (*IP == NULL) {
-            off_t* V;
-            *IP = malloc((oldsize+1) * sizeof(off_t));
-            V = malloc((oldsize+1) * sizeof(off_t));
-            qsufsort(*IP, V, old, oldsize);
-            free(V);
-        }
-        I = *IP;
-
-	if(((db=malloc(newsize+1))==NULL) ||
-		((eb=malloc(newsize+1))==NULL)) err(1,NULL);
-	dblen=0;
-	eblen=0;
-
-	/* Create the patch file */
-	if ((pf = fopen(patch_filename, "w")) == NULL)
-              err(1, "%s", patch_filename);
-
-	/* Header is
-		0	8	 "BSDIFF40"
-		8	8	length of bzip2ed ctrl block
-		16	8	length of bzip2ed diff block
-		24	8	length of new file */
-	/* File is
-		0	32	Header
-		32	??	Bzip2ed ctrl block
-		??	??	Bzip2ed diff block
-		??	??	Bzip2ed extra block */
-	memcpy(header,"BSDIFF40",8);
-	offtout(0, header + 8);
-	offtout(0, header + 16);
-	offtout(newsize, header + 24);
-	if (fwrite(header, 32, 1, pf) != 1)
-		err(1, "fwrite(%s)", patch_filename);
-
-	/* Compute the differences, writing ctrl as we go */
-	if ((pfbz2 = BZ2_bzWriteOpen(&bz2err, pf, 9, 0, 0)) == NULL)
-		errx(1, "BZ2_bzWriteOpen, bz2err = %d", bz2err);
-	scan=0;len=0;
-	lastscan=0;lastpos=0;lastoffset=0;
-	while(scan<newsize) {
-		oldscore=0;
-
-		for(scsc=scan+=len;scan<newsize;scan++) {
-			len=search(I,old,oldsize,new+scan,newsize-scan,
-					0,oldsize,&pos);
-
-			for(;scsc<scan+len;scsc++)
-			if((scsc+lastoffset<oldsize) &&
-				(old[scsc+lastoffset] == new[scsc]))
-				oldscore++;
-
-			if(((len==oldscore) && (len!=0)) ||
-				(len>oldscore+8)) break;
-
-			if((scan+lastoffset<oldsize) &&
-				(old[scan+lastoffset] == new[scan]))
-				oldscore--;
-		};
-
-		if((len!=oldscore) || (scan==newsize)) {
-			s=0;Sf=0;lenf=0;
-			for(i=0;(lastscan+i<scan)&&(lastpos+i<oldsize);) {
-				if(old[lastpos+i]==new[lastscan+i]) s++;
-				i++;
-				if(s*2-i>Sf*2-lenf) { Sf=s; lenf=i; };
-			};
-
-			lenb=0;
-			if(scan<newsize) {
-				s=0;Sb=0;
-				for(i=1;(scan>=lastscan+i)&&(pos>=i);i++) {
-					if(old[pos-i]==new[scan-i]) s++;
-					if(s*2-i>Sb*2-lenb) { Sb=s; lenb=i; };
-				};
-			};
-
-			if(lastscan+lenf>scan-lenb) {
-				overlap=(lastscan+lenf)-(scan-lenb);
-				s=0;Ss=0;lens=0;
-				for(i=0;i<overlap;i++) {
-					if(new[lastscan+lenf-overlap+i]==
-					   old[lastpos+lenf-overlap+i]) s++;
-					if(new[scan-lenb+i]==
-					   old[pos-lenb+i]) s--;
-					if(s>Ss) { Ss=s; lens=i+1; };
-				};
-
-				lenf+=lens-overlap;
-				lenb-=lens;
-			};
-
-			for(i=0;i<lenf;i++)
-				db[dblen+i]=new[lastscan+i]-old[lastpos+i];
-			for(i=0;i<(scan-lenb)-(lastscan+lenf);i++)
-				eb[eblen+i]=new[lastscan+lenf+i];
-
-			dblen+=lenf;
-			eblen+=(scan-lenb)-(lastscan+lenf);
-
-			offtout(lenf,buf);
-			BZ2_bzWrite(&bz2err, pfbz2, buf, 8);
-			if (bz2err != BZ_OK)
-				errx(1, "BZ2_bzWrite, bz2err = %d", bz2err);
-
-			offtout((scan-lenb)-(lastscan+lenf),buf);
-			BZ2_bzWrite(&bz2err, pfbz2, buf, 8);
-			if (bz2err != BZ_OK)
-				errx(1, "BZ2_bzWrite, bz2err = %d", bz2err);
-
-			offtout((pos-lenb)-(lastpos+lenf),buf);
-			BZ2_bzWrite(&bz2err, pfbz2, buf, 8);
-			if (bz2err != BZ_OK)
-				errx(1, "BZ2_bzWrite, bz2err = %d", bz2err);
-
-			lastscan=scan-lenb;
-			lastpos=pos-lenb;
-			lastoffset=pos-scan;
-		};
-	};
-	BZ2_bzWriteClose(&bz2err, pfbz2, 0, NULL, NULL);
-	if (bz2err != BZ_OK)
-		errx(1, "BZ2_bzWriteClose, bz2err = %d", bz2err);
-
-	/* Compute size of compressed ctrl data */
-	if ((len = ftello(pf)) == -1)
-		err(1, "ftello");
-	offtout(len-32, header + 8);
-
-	/* Write compressed diff data */
-	if ((pfbz2 = BZ2_bzWriteOpen(&bz2err, pf, 9, 0, 0)) == NULL)
-		errx(1, "BZ2_bzWriteOpen, bz2err = %d", bz2err);
-	BZ2_bzWrite(&bz2err, pfbz2, db, dblen);
-	if (bz2err != BZ_OK)
-		errx(1, "BZ2_bzWrite, bz2err = %d", bz2err);
-	BZ2_bzWriteClose(&bz2err, pfbz2, 0, NULL, NULL);
-	if (bz2err != BZ_OK)
-		errx(1, "BZ2_bzWriteClose, bz2err = %d", bz2err);
-
-	/* Compute size of compressed diff data */
-	if ((newsize = ftello(pf)) == -1)
-		err(1, "ftello");
-	offtout(newsize - len, header + 16);
-
-	/* Write compressed extra data */
-	if ((pfbz2 = BZ2_bzWriteOpen(&bz2err, pf, 9, 0, 0)) == NULL)
-		errx(1, "BZ2_bzWriteOpen, bz2err = %d", bz2err);
-	BZ2_bzWrite(&bz2err, pfbz2, eb, eblen);
-	if (bz2err != BZ_OK)
-		errx(1, "BZ2_bzWrite, bz2err = %d", bz2err);
-	BZ2_bzWriteClose(&bz2err, pfbz2, 0, NULL, NULL);
-	if (bz2err != BZ_OK)
-		errx(1, "BZ2_bzWriteClose, bz2err = %d", bz2err);
-
-	/* Seek to the beginning, write the header, and close the file */
-	if (fseeko(pf, 0, SEEK_SET))
-		err(1, "fseeko");
-	if (fwrite(header, 32, 1, pf) != 1)
-		err(1, "fwrite(%s)", patch_filename);
-	if (fclose(pf))
-		err(1, "fclose");
-
-	/* Free the memory we used */
-	free(db);
-	free(eb);
-
-	return 0;
-}
diff --git a/applypatch/bsdiff.cpp b/applypatch/bsdiff.cpp
new file mode 100644
index 0000000..55dbe5c
--- /dev/null
+++ b/applypatch/bsdiff.cpp
@@ -0,0 +1,410 @@
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * Most of this code comes from bsdiff.c from the bsdiff-4.3
+ * distribution, which is:
+ */
+
+/*-
+ * Copyright 2003-2005 Colin Percival
+ * All rights reserved
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted providing that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+
+#include <bzlib.h>
+#include <err.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define MIN(x,y) (((x)<(y)) ? (x) : (y))
+
+static void split(off_t *I,off_t *V,off_t start,off_t len,off_t h)
+{
+	off_t i,j,k,x,tmp,jj,kk;
+
+	if(len<16) {
+		for(k=start;k<start+len;k+=j) {
+			j=1;x=V[I[k]+h];
+			for(i=1;k+i<start+len;i++) {
+				if(V[I[k+i]+h]<x) {
+					x=V[I[k+i]+h];
+					j=0;
+				};
+				if(V[I[k+i]+h]==x) {
+					tmp=I[k+j];I[k+j]=I[k+i];I[k+i]=tmp;
+					j++;
+				};
+			};
+			for(i=0;i<j;i++) V[I[k+i]]=k+j-1;
+			if(j==1) I[k]=-1;
+		};
+		return;
+	};
+
+	x=V[I[start+len/2]+h];
+	jj=0;kk=0;
+	for(i=start;i<start+len;i++) {
+		if(V[I[i]+h]<x) jj++;
+		if(V[I[i]+h]==x) kk++;
+	};
+	jj+=start;kk+=jj;
+
+	i=start;j=0;k=0;
+	while(i<jj) {
+		if(V[I[i]+h]<x) {
+			i++;
+		} else if(V[I[i]+h]==x) {
+			tmp=I[i];I[i]=I[jj+j];I[jj+j]=tmp;
+			j++;
+		} else {
+			tmp=I[i];I[i]=I[kk+k];I[kk+k]=tmp;
+			k++;
+		};
+	};
+
+	while(jj+j<kk) {
+		if(V[I[jj+j]+h]==x) {
+			j++;
+		} else {
+			tmp=I[jj+j];I[jj+j]=I[kk+k];I[kk+k]=tmp;
+			k++;
+		};
+	};
+
+	if(jj>start) split(I,V,start,jj-start,h);
+
+	for(i=0;i<kk-jj;i++) V[I[jj+i]]=kk-1;
+	if(jj==kk-1) I[jj]=-1;
+
+	if(start+len>kk) split(I,V,kk,start+len-kk,h);
+}
+
+static void qsufsort(off_t *I,off_t *V,u_char *old,off_t oldsize)
+{
+	off_t buckets[256];
+	off_t i,h,len;
+
+	for(i=0;i<256;i++) buckets[i]=0;
+	for(i=0;i<oldsize;i++) buckets[old[i]]++;
+	for(i=1;i<256;i++) buckets[i]+=buckets[i-1];
+	for(i=255;i>0;i--) buckets[i]=buckets[i-1];
+	buckets[0]=0;
+
+	for(i=0;i<oldsize;i++) I[++buckets[old[i]]]=i;
+	I[0]=oldsize;
+	for(i=0;i<oldsize;i++) V[i]=buckets[old[i]];
+	V[oldsize]=0;
+	for(i=1;i<256;i++) if(buckets[i]==buckets[i-1]+1) I[buckets[i]]=-1;
+	I[0]=-1;
+
+	for(h=1;I[0]!=-(oldsize+1);h+=h) {
+		len=0;
+		for(i=0;i<oldsize+1;) {
+			if(I[i]<0) {
+				len-=I[i];
+				i-=I[i];
+			} else {
+				if(len) I[i-len]=-len;
+				len=V[I[i]]+1-i;
+				split(I,V,i,len,h);
+				i+=len;
+				len=0;
+			};
+		};
+		if(len) I[i-len]=-len;
+	};
+
+	for(i=0;i<oldsize+1;i++) I[V[i]]=i;
+}
+
+static off_t matchlen(u_char *olddata,off_t oldsize,u_char *newdata,off_t newsize)
+{
+	off_t i;
+
+	for(i=0;(i<oldsize)&&(i<newsize);i++)
+		if(olddata[i]!=newdata[i]) break;
+
+	return i;
+}
+
+static off_t search(off_t *I,u_char *old,off_t oldsize,
+		u_char *newdata,off_t newsize,off_t st,off_t en,off_t *pos)
+{
+	off_t x,y;
+
+	if(en-st<2) {
+		x=matchlen(old+I[st],oldsize-I[st],newdata,newsize);
+		y=matchlen(old+I[en],oldsize-I[en],newdata,newsize);
+
+		if(x>y) {
+			*pos=I[st];
+			return x;
+		} else {
+			*pos=I[en];
+			return y;
+		}
+	};
+
+	x=st+(en-st)/2;
+	if(memcmp(old+I[x],newdata,MIN(oldsize-I[x],newsize))<0) {
+		return search(I,old,oldsize,newdata,newsize,x,en,pos);
+	} else {
+		return search(I,old,oldsize,newdata,newsize,st,x,pos);
+	};
+}
+
+static void offtout(off_t x,u_char *buf)
+{
+	off_t y;
+
+	if(x<0) y=-x; else y=x;
+
+		buf[0]=y%256;y-=buf[0];
+	y=y/256;buf[1]=y%256;y-=buf[1];
+	y=y/256;buf[2]=y%256;y-=buf[2];
+	y=y/256;buf[3]=y%256;y-=buf[3];
+	y=y/256;buf[4]=y%256;y-=buf[4];
+	y=y/256;buf[5]=y%256;y-=buf[5];
+	y=y/256;buf[6]=y%256;y-=buf[6];
+	y=y/256;buf[7]=y%256;
+
+	if(x<0) buf[7]|=0x80;
+}
+
+// This is main() from bsdiff.c, with the following changes:
+//
+//    - old, oldsize, newdata, newsize are arguments; we don't load this
+//      data from files.  old and newdata are owned by the caller; we
+//      don't free them at the end.
+//
+//    - the "I" block of memory is owned by the caller, who passes a
+//      pointer to *I, which can be NULL.  This way if we call
+//      bsdiff() multiple times with the same 'old' data, we only do
+//      the qsufsort() step the first time.
+//
+int bsdiff(u_char* old, off_t oldsize, off_t** IP, u_char* newdata, off_t newsize,
+           const char* patch_filename)
+{
+	int fd;
+	off_t *I;
+	off_t scan,pos,len;
+	off_t lastscan,lastpos,lastoffset;
+	off_t oldscore,scsc;
+	off_t s,Sf,lenf,Sb,lenb;
+	off_t overlap,Ss,lens;
+	off_t i;
+	off_t dblen,eblen;
+	u_char *db,*eb;
+	u_char buf[8];
+	u_char header[32];
+	FILE * pf;
+	BZFILE * pfbz2;
+	int bz2err;
+
+        if (*IP == NULL) {
+            off_t* V;
+            *IP = reinterpret_cast<off_t*>(malloc((oldsize+1) * sizeof(off_t)));
+            V = reinterpret_cast<off_t*>(malloc((oldsize+1) * sizeof(off_t)));
+            qsufsort(*IP, V, old, oldsize);
+            free(V);
+        }
+        I = *IP;
+
+	if(((db=reinterpret_cast<u_char*>(malloc(newsize+1)))==NULL) ||
+		((eb=reinterpret_cast<u_char*>(malloc(newsize+1)))==NULL)) err(1,NULL);
+	dblen=0;
+	eblen=0;
+
+	/* Create the patch file */
+	if ((pf = fopen(patch_filename, "w")) == NULL)
+              err(1, "%s", patch_filename);
+
+	/* Header is
+		0	8	 "BSDIFF40"
+		8	8	length of bzip2ed ctrl block
+		16	8	length of bzip2ed diff block
+		24	8	length of new file */
+	/* File is
+		0	32	Header
+		32	??	Bzip2ed ctrl block
+		??	??	Bzip2ed diff block
+		??	??	Bzip2ed extra block */
+	memcpy(header,"BSDIFF40",8);
+	offtout(0, header + 8);
+	offtout(0, header + 16);
+	offtout(newsize, header + 24);
+	if (fwrite(header, 32, 1, pf) != 1)
+		err(1, "fwrite(%s)", patch_filename);
+
+	/* Compute the differences, writing ctrl as we go */
+	if ((pfbz2 = BZ2_bzWriteOpen(&bz2err, pf, 9, 0, 0)) == NULL)
+		errx(1, "BZ2_bzWriteOpen, bz2err = %d", bz2err);
+	scan=0;len=0;
+	lastscan=0;lastpos=0;lastoffset=0;
+	while(scan<newsize) {
+		oldscore=0;
+
+		for(scsc=scan+=len;scan<newsize;scan++) {
+			len=search(I,old,oldsize,newdata+scan,newsize-scan,
+					0,oldsize,&pos);
+
+			for(;scsc<scan+len;scsc++)
+			if((scsc+lastoffset<oldsize) &&
+				(old[scsc+lastoffset] == newdata[scsc]))
+				oldscore++;
+
+			if(((len==oldscore) && (len!=0)) ||
+				(len>oldscore+8)) break;
+
+			if((scan+lastoffset<oldsize) &&
+				(old[scan+lastoffset] == newdata[scan]))
+				oldscore--;
+		};
+
+		if((len!=oldscore) || (scan==newsize)) {
+			s=0;Sf=0;lenf=0;
+			for(i=0;(lastscan+i<scan)&&(lastpos+i<oldsize);) {
+				if(old[lastpos+i]==newdata[lastscan+i]) s++;
+				i++;
+				if(s*2-i>Sf*2-lenf) { Sf=s; lenf=i; };
+			};
+
+			lenb=0;
+			if(scan<newsize) {
+				s=0;Sb=0;
+				for(i=1;(scan>=lastscan+i)&&(pos>=i);i++) {
+					if(old[pos-i]==newdata[scan-i]) s++;
+					if(s*2-i>Sb*2-lenb) { Sb=s; lenb=i; };
+				};
+			};
+
+			if(lastscan+lenf>scan-lenb) {
+				overlap=(lastscan+lenf)-(scan-lenb);
+				s=0;Ss=0;lens=0;
+				for(i=0;i<overlap;i++) {
+					if(newdata[lastscan+lenf-overlap+i]==
+					   old[lastpos+lenf-overlap+i]) s++;
+					if(newdata[scan-lenb+i]==
+					   old[pos-lenb+i]) s--;
+					if(s>Ss) { Ss=s; lens=i+1; };
+				};
+
+				lenf+=lens-overlap;
+				lenb-=lens;
+			};
+
+			for(i=0;i<lenf;i++)
+				db[dblen+i]=newdata[lastscan+i]-old[lastpos+i];
+			for(i=0;i<(scan-lenb)-(lastscan+lenf);i++)
+				eb[eblen+i]=newdata[lastscan+lenf+i];
+
+			dblen+=lenf;
+			eblen+=(scan-lenb)-(lastscan+lenf);
+
+			offtout(lenf,buf);
+			BZ2_bzWrite(&bz2err, pfbz2, buf, 8);
+			if (bz2err != BZ_OK)
+				errx(1, "BZ2_bzWrite, bz2err = %d", bz2err);
+
+			offtout((scan-lenb)-(lastscan+lenf),buf);
+			BZ2_bzWrite(&bz2err, pfbz2, buf, 8);
+			if (bz2err != BZ_OK)
+				errx(1, "BZ2_bzWrite, bz2err = %d", bz2err);
+
+			offtout((pos-lenb)-(lastpos+lenf),buf);
+			BZ2_bzWrite(&bz2err, pfbz2, buf, 8);
+			if (bz2err != BZ_OK)
+				errx(1, "BZ2_bzWrite, bz2err = %d", bz2err);
+
+			lastscan=scan-lenb;
+			lastpos=pos-lenb;
+			lastoffset=pos-scan;
+		};
+	};
+	BZ2_bzWriteClose(&bz2err, pfbz2, 0, NULL, NULL);
+	if (bz2err != BZ_OK)
+		errx(1, "BZ2_bzWriteClose, bz2err = %d", bz2err);
+
+	/* Compute size of compressed ctrl data */
+	if ((len = ftello(pf)) == -1)
+		err(1, "ftello");
+	offtout(len-32, header + 8);
+
+	/* Write compressed diff data */
+	if ((pfbz2 = BZ2_bzWriteOpen(&bz2err, pf, 9, 0, 0)) == NULL)
+		errx(1, "BZ2_bzWriteOpen, bz2err = %d", bz2err);
+	BZ2_bzWrite(&bz2err, pfbz2, db, dblen);
+	if (bz2err != BZ_OK)
+		errx(1, "BZ2_bzWrite, bz2err = %d", bz2err);
+	BZ2_bzWriteClose(&bz2err, pfbz2, 0, NULL, NULL);
+	if (bz2err != BZ_OK)
+		errx(1, "BZ2_bzWriteClose, bz2err = %d", bz2err);
+
+	/* Compute size of compressed diff data */
+	if ((newsize = ftello(pf)) == -1)
+		err(1, "ftello");
+	offtout(newsize - len, header + 16);
+
+	/* Write compressed extra data */
+	if ((pfbz2 = BZ2_bzWriteOpen(&bz2err, pf, 9, 0, 0)) == NULL)
+		errx(1, "BZ2_bzWriteOpen, bz2err = %d", bz2err);
+	BZ2_bzWrite(&bz2err, pfbz2, eb, eblen);
+	if (bz2err != BZ_OK)
+		errx(1, "BZ2_bzWrite, bz2err = %d", bz2err);
+	BZ2_bzWriteClose(&bz2err, pfbz2, 0, NULL, NULL);
+	if (bz2err != BZ_OK)
+		errx(1, "BZ2_bzWriteClose, bz2err = %d", bz2err);
+
+	/* Seek to the beginning, write the header, and close the file */
+	if (fseeko(pf, 0, SEEK_SET))
+		err(1, "fseeko");
+	if (fwrite(header, 32, 1, pf) != 1)
+		err(1, "fwrite(%s)", patch_filename);
+	if (fclose(pf))
+		err(1, "fclose");
+
+	/* Free the memory we used */
+	free(db);
+	free(eb);
+
+	return 0;
+}
diff --git a/applypatch/bspatch.c b/applypatch/bspatch.c
deleted file mode 100644
index b57760e..0000000
--- a/applypatch/bspatch.c
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-// This file is a nearly line-for-line copy of bspatch.c from the
-// bsdiff-4.3 distribution; the primary differences being how the
-// input and output data are read and the error handling.  Running
-// applypatch with the -l option will display the bsdiff license
-// notice.
-
-#include <stdio.h>
-#include <sys/stat.h>
-#include <errno.h>
-#include <malloc.h>
-#include <unistd.h>
-#include <string.h>
-
-#include <bzlib.h>
-
-#include "mincrypt/sha.h"
-#include "applypatch.h"
-
-void ShowBSDiffLicense() {
-    puts("The bsdiff library used herein is:\n"
-         "\n"
-         "Copyright 2003-2005 Colin Percival\n"
-         "All rights reserved\n"
-         "\n"
-         "Redistribution and use in source and binary forms, with or without\n"
-         "modification, are permitted providing that the following conditions\n"
-         "are met:\n"
-         "1. Redistributions of source code must retain the above copyright\n"
-         "   notice, this list of conditions and the following disclaimer.\n"
-         "2. Redistributions in binary form must reproduce the above copyright\n"
-         "   notice, this list of conditions and the following disclaimer in the\n"
-         "   documentation and/or other materials provided with the distribution.\n"
-         "\n"
-         "THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n"
-         "IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\n"
-         "WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\n"
-         "ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n"
-         "DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\n"
-         "DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS\n"
-         "OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\n"
-         "HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,\n"
-         "STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING\n"
-         "IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE\n"
-         "POSSIBILITY OF SUCH DAMAGE.\n"
-         "\n------------------\n\n"
-         "This program uses Julian R Seward's \"libbzip2\" library, available\n"
-         "from http://www.bzip.org/.\n"
-        );
-}
-
-static off_t offtin(u_char *buf)
-{
-    off_t y;
-
-    y=buf[7]&0x7F;
-    y=y*256;y+=buf[6];
-    y=y*256;y+=buf[5];
-    y=y*256;y+=buf[4];
-    y=y*256;y+=buf[3];
-    y=y*256;y+=buf[2];
-    y=y*256;y+=buf[1];
-    y=y*256;y+=buf[0];
-
-    if(buf[7]&0x80) y=-y;
-
-    return y;
-}
-
-int FillBuffer(unsigned char* buffer, int size, bz_stream* stream) {
-    stream->next_out = (char*)buffer;
-    stream->avail_out = size;
-    while (stream->avail_out > 0) {
-        int bzerr = BZ2_bzDecompress(stream);
-        if (bzerr != BZ_OK && bzerr != BZ_STREAM_END) {
-            printf("bz error %d decompressing\n", bzerr);
-            return -1;
-        }
-        if (stream->avail_out > 0) {
-            printf("need %d more bytes\n", stream->avail_out);
-        }
-    }
-    return 0;
-}
-
-int ApplyBSDiffPatch(const unsigned char* old_data, ssize_t old_size,
-                     const Value* patch, ssize_t patch_offset,
-                     SinkFn sink, void* token, SHA_CTX* ctx) {
-
-    unsigned char* new_data;
-    ssize_t new_size;
-    if (ApplyBSDiffPatchMem(old_data, old_size, patch, patch_offset,
-                            &new_data, &new_size) != 0) {
-        return -1;
-    }
-
-    if (sink(new_data, new_size, token) < new_size) {
-        printf("short write of output: %d (%s)\n", errno, strerror(errno));
-        return 1;
-    }
-    if (ctx) SHA_update(ctx, new_data, new_size);
-    free(new_data);
-
-    return 0;
-}
-
-int ApplyBSDiffPatchMem(const unsigned char* old_data, ssize_t old_size,
-                        const Value* patch, ssize_t patch_offset,
-                        unsigned char** new_data, ssize_t* new_size) {
-    // Patch data format:
-    //   0       8       "BSDIFF40"
-    //   8       8       X
-    //   16      8       Y
-    //   24      8       sizeof(newfile)
-    //   32      X       bzip2(control block)
-    //   32+X    Y       bzip2(diff block)
-    //   32+X+Y  ???     bzip2(extra block)
-    // with control block a set of triples (x,y,z) meaning "add x bytes
-    // from oldfile to x bytes from the diff block; copy y bytes from the
-    // extra block; seek forwards in oldfile by z bytes".
-
-    unsigned char* header = (unsigned char*) patch->data + patch_offset;
-    if (memcmp(header, "BSDIFF40", 8) != 0) {
-        printf("corrupt bsdiff patch file header (magic number)\n");
-        return 1;
-    }
-
-    ssize_t ctrl_len, data_len;
-    ctrl_len = offtin(header+8);
-    data_len = offtin(header+16);
-    *new_size = offtin(header+24);
-
-    if (ctrl_len < 0 || data_len < 0 || *new_size < 0) {
-        printf("corrupt patch file header (data lengths)\n");
-        return 1;
-    }
-
-    int bzerr;
-
-    bz_stream cstream;
-    cstream.next_in = patch->data + patch_offset + 32;
-    cstream.avail_in = ctrl_len;
-    cstream.bzalloc = NULL;
-    cstream.bzfree = NULL;
-    cstream.opaque = NULL;
-    if ((bzerr = BZ2_bzDecompressInit(&cstream, 0, 0)) != BZ_OK) {
-        printf("failed to bzinit control stream (%d)\n", bzerr);
-    }
-
-    bz_stream dstream;
-    dstream.next_in = patch->data + patch_offset + 32 + ctrl_len;
-    dstream.avail_in = data_len;
-    dstream.bzalloc = NULL;
-    dstream.bzfree = NULL;
-    dstream.opaque = NULL;
-    if ((bzerr = BZ2_bzDecompressInit(&dstream, 0, 0)) != BZ_OK) {
-        printf("failed to bzinit diff stream (%d)\n", bzerr);
-    }
-
-    bz_stream estream;
-    estream.next_in = patch->data + patch_offset + 32 + ctrl_len + data_len;
-    estream.avail_in = patch->size - (patch_offset + 32 + ctrl_len + data_len);
-    estream.bzalloc = NULL;
-    estream.bzfree = NULL;
-    estream.opaque = NULL;
-    if ((bzerr = BZ2_bzDecompressInit(&estream, 0, 0)) != BZ_OK) {
-        printf("failed to bzinit extra stream (%d)\n", bzerr);
-    }
-
-    *new_data = malloc(*new_size);
-    if (*new_data == NULL) {
-        printf("failed to allocate %ld bytes of memory for output file\n",
-               (long)*new_size);
-        return 1;
-    }
-
-    off_t oldpos = 0, newpos = 0;
-    off_t ctrl[3];
-    off_t len_read;
-    int i;
-    unsigned char buf[24];
-    while (newpos < *new_size) {
-        // Read control data
-        if (FillBuffer(buf, 24, &cstream) != 0) {
-            printf("error while reading control stream\n");
-            return 1;
-        }
-        ctrl[0] = offtin(buf);
-        ctrl[1] = offtin(buf+8);
-        ctrl[2] = offtin(buf+16);
-
-        if (ctrl[0] < 0 || ctrl[1] < 0) {
-            printf("corrupt patch (negative byte counts)\n");
-            return 1;
-        }
-
-        // Sanity check
-        if (newpos + ctrl[0] > *new_size) {
-            printf("corrupt patch (new file overrun)\n");
-            return 1;
-        }
-
-        // Read diff string
-        if (FillBuffer(*new_data + newpos, ctrl[0], &dstream) != 0) {
-            printf("error while reading diff stream\n");
-            return 1;
-        }
-
-        // Add old data to diff string
-        for (i = 0; i < ctrl[0]; ++i) {
-            if ((oldpos+i >= 0) && (oldpos+i < old_size)) {
-                (*new_data)[newpos+i] += old_data[oldpos+i];
-            }
-        }
-
-        // Adjust pointers
-        newpos += ctrl[0];
-        oldpos += ctrl[0];
-
-        // Sanity check
-        if (newpos + ctrl[1] > *new_size) {
-            printf("corrupt patch (new file overrun)\n");
-            return 1;
-        }
-
-        // Read extra string
-        if (FillBuffer(*new_data + newpos, ctrl[1], &estream) != 0) {
-            printf("error while reading extra stream\n");
-            return 1;
-        }
-
-        // Adjust pointers
-        newpos += ctrl[1];
-        oldpos += ctrl[2];
-    }
-
-    BZ2_bzDecompressEnd(&cstream);
-    BZ2_bzDecompressEnd(&dstream);
-    BZ2_bzDecompressEnd(&estream);
-    return 0;
-}
diff --git a/applypatch/bspatch.cpp b/applypatch/bspatch.cpp
new file mode 100644
index 0000000..ebb55f1
--- /dev/null
+++ b/applypatch/bspatch.cpp
@@ -0,0 +1,247 @@
+/*
+ * Copyright (C) 2008 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This file is a nearly line-for-line copy of bspatch.c from the
+// bsdiff-4.3 distribution; the primary differences being how the
+// input and output data are read and the error handling.  Running
+// applypatch with the -l option will display the bsdiff license
+// notice.
+
+#include <stdio.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <unistd.h>
+#include <string.h>
+
+#include <bzlib.h>
+
+#include "openssl/sha.h"
+#include "applypatch.h"
+
+void ShowBSDiffLicense() {
+    puts("The bsdiff library used herein is:\n"
+         "\n"
+         "Copyright 2003-2005 Colin Percival\n"
+         "All rights reserved\n"
+         "\n"
+         "Redistribution and use in source and binary forms, with or without\n"
+         "modification, are permitted providing that the following conditions\n"
+         "are met:\n"
+         "1. Redistributions of source code must retain the above copyright\n"
+         "   notice, this list of conditions and the following disclaimer.\n"
+         "2. Redistributions in binary form must reproduce the above copyright\n"
+         "   notice, this list of conditions and the following disclaimer in the\n"
+         "   documentation and/or other materials provided with the distribution.\n"
+         "\n"
+         "THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n"
+         "IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\n"
+         "WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\n"
+         "ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n"
+         "DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\n"
+         "DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS\n"
+         "OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\n"
+         "HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,\n"
+         "STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING\n"
+         "IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE\n"
+         "POSSIBILITY OF SUCH DAMAGE.\n"
+         "\n------------------\n\n"
+         "This program uses Julian R Seward's \"libbzip2\" library, available\n"
+         "from http://www.bzip.org/.\n"
+        );
+}
+
+static off_t offtin(u_char *buf)
+{
+    off_t y;
+
+    y=buf[7]&0x7F;
+    y=y*256;y+=buf[6];
+    y=y*256;y+=buf[5];
+    y=y*256;y+=buf[4];
+    y=y*256;y+=buf[3];
+    y=y*256;y+=buf[2];
+    y=y*256;y+=buf[1];
+    y=y*256;y+=buf[0];
+
+    if(buf[7]&0x80) y=-y;
+
+    return y;
+}
+
+int FillBuffer(unsigned char* buffer, int size, bz_stream* stream) {
+    stream->next_out = (char*)buffer;
+    stream->avail_out = size;
+    while (stream->avail_out > 0) {
+        int bzerr = BZ2_bzDecompress(stream);
+        if (bzerr != BZ_OK && bzerr != BZ_STREAM_END) {
+            printf("bz error %d decompressing\n", bzerr);
+            return -1;
+        }
+        if (stream->avail_out > 0) {
+            printf("need %d more bytes\n", stream->avail_out);
+        }
+    }
+    return 0;
+}
+
+int ApplyBSDiffPatch(const unsigned char* old_data, ssize_t old_size,
+                     const Value* patch, ssize_t patch_offset,
+                     SinkFn sink, void* token, SHA_CTX* ctx) {
+
+    std::vector<unsigned char> new_data;
+    if (ApplyBSDiffPatchMem(old_data, old_size, patch, patch_offset, &new_data) != 0) {
+        return -1;
+    }
+
+    if (sink(new_data.data(), new_data.size(), token) < static_cast<ssize_t>(new_data.size())) {
+        printf("short write of output: %d (%s)\n", errno, strerror(errno));
+        return 1;
+    }
+    if (ctx) SHA1_Update(ctx, new_data.data(), new_data.size());
+    return 0;
+}
+
+int ApplyBSDiffPatchMem(const unsigned char* old_data, ssize_t old_size,
+                        const Value* patch, ssize_t patch_offset,
+                        std::vector<unsigned char>* new_data) {
+    // Patch data format:
+    //   0       8       "BSDIFF40"
+    //   8       8       X
+    //   16      8       Y
+    //   24      8       sizeof(newfile)
+    //   32      X       bzip2(control block)
+    //   32+X    Y       bzip2(diff block)
+    //   32+X+Y  ???     bzip2(extra block)
+    // with control block a set of triples (x,y,z) meaning "add x bytes
+    // from oldfile to x bytes from the diff block; copy y bytes from the
+    // extra block; seek forwards in oldfile by z bytes".
+
+    unsigned char* header = (unsigned char*) patch->data + patch_offset;
+    if (memcmp(header, "BSDIFF40", 8) != 0) {
+        printf("corrupt bsdiff patch file header (magic number)\n");
+        return 1;
+    }
+
+    ssize_t ctrl_len, data_len, new_size;
+    ctrl_len = offtin(header+8);
+    data_len = offtin(header+16);
+    new_size = offtin(header+24);
+
+    if (ctrl_len < 0 || data_len < 0 || new_size < 0) {
+        printf("corrupt patch file header (data lengths)\n");
+        return 1;
+    }
+
+    int bzerr;
+
+    bz_stream cstream;
+    cstream.next_in = patch->data + patch_offset + 32;
+    cstream.avail_in = ctrl_len;
+    cstream.bzalloc = NULL;
+    cstream.bzfree = NULL;
+    cstream.opaque = NULL;
+    if ((bzerr = BZ2_bzDecompressInit(&cstream, 0, 0)) != BZ_OK) {
+        printf("failed to bzinit control stream (%d)\n", bzerr);
+    }
+
+    bz_stream dstream;
+    dstream.next_in = patch->data + patch_offset + 32 + ctrl_len;
+    dstream.avail_in = data_len;
+    dstream.bzalloc = NULL;
+    dstream.bzfree = NULL;
+    dstream.opaque = NULL;
+    if ((bzerr = BZ2_bzDecompressInit(&dstream, 0, 0)) != BZ_OK) {
+        printf("failed to bzinit diff stream (%d)\n", bzerr);
+    }
+
+    bz_stream estream;
+    estream.next_in = patch->data + patch_offset + 32 + ctrl_len + data_len;
+    estream.avail_in = patch->size - (patch_offset + 32 + ctrl_len + data_len);
+    estream.bzalloc = NULL;
+    estream.bzfree = NULL;
+    estream.opaque = NULL;
+    if ((bzerr = BZ2_bzDecompressInit(&estream, 0, 0)) != BZ_OK) {
+        printf("failed to bzinit extra stream (%d)\n", bzerr);
+    }
+
+    new_data->resize(new_size);
+
+    off_t oldpos = 0, newpos = 0;
+    off_t ctrl[3];
+    off_t len_read;
+    int i;
+    unsigned char buf[24];
+    while (newpos < new_size) {
+        // Read control data
+        if (FillBuffer(buf, 24, &cstream) != 0) {
+            printf("error while reading control stream\n");
+            return 1;
+        }
+        ctrl[0] = offtin(buf);
+        ctrl[1] = offtin(buf+8);
+        ctrl[2] = offtin(buf+16);
+
+        if (ctrl[0] < 0 || ctrl[1] < 0) {
+            printf("corrupt patch (negative byte counts)\n");
+            return 1;
+        }
+
+        // Sanity check
+        if (newpos + ctrl[0] > new_size) {
+            printf("corrupt patch (new file overrun)\n");
+            return 1;
+        }
+
+        // Read diff string
+        if (FillBuffer(new_data->data() + newpos, ctrl[0], &dstream) != 0) {
+            printf("error while reading diff stream\n");
+            return 1;
+        }
+
+        // Add old data to diff string
+        for (i = 0; i < ctrl[0]; ++i) {
+            if ((oldpos+i >= 0) && (oldpos+i < old_size)) {
+                (*new_data)[newpos+i] += old_data[oldpos+i];
+            }
+        }
+
+        // Adjust pointers
+        newpos += ctrl[0];
+        oldpos += ctrl[0];
+
+        // Sanity check
+        if (newpos + ctrl[1] > new_size) {
+            printf("corrupt patch (new file overrun)\n");
+            return 1;
+        }
+
+        // Read extra string
+        if (FillBuffer(new_data->data() + newpos, ctrl[1], &estream) != 0) {
+            printf("error while reading extra stream\n");
+            return 1;
+        }
+
+        // Adjust pointers
+        newpos += ctrl[1];
+        oldpos += ctrl[2];
+    }
+
+    BZ2_bzDecompressEnd(&cstream);
+    BZ2_bzDecompressEnd(&dstream);
+    BZ2_bzDecompressEnd(&estream);
+    return 0;
+}
diff --git a/applypatch/freecache.c b/applypatch/freecache.c
deleted file mode 100644
index 9827fda..0000000
--- a/applypatch/freecache.c
+++ /dev/null
@@ -1,172 +0,0 @@
-#include <errno.h>
-#include <libgen.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <sys/statfs.h>
-#include <unistd.h>
-#include <dirent.h>
-#include <ctype.h>
-
-#include "applypatch.h"
-
-static int EliminateOpenFiles(char** files, int file_count) {
-  DIR* d;
-  struct dirent* de;
-  d = opendir("/proc");
-  if (d == NULL) {
-    printf("error opening /proc: %s\n", strerror(errno));
-    return -1;
-  }
-  while ((de = readdir(d)) != 0) {
-    int i;
-    for (i = 0; de->d_name[i] != '\0' && isdigit(de->d_name[i]); ++i);
-    if (de->d_name[i]) continue;
-
-    // de->d_name[i] is numeric
-
-    char path[FILENAME_MAX];
-    strcpy(path, "/proc/");
-    strcat(path, de->d_name);
-    strcat(path, "/fd/");
-
-    DIR* fdd;
-    struct dirent* fdde;
-    fdd = opendir(path);
-    if (fdd == NULL) {
-      printf("error opening %s: %s\n", path, strerror(errno));
-      continue;
-    }
-    while ((fdde = readdir(fdd)) != 0) {
-      char fd_path[FILENAME_MAX];
-      char link[FILENAME_MAX];
-      strcpy(fd_path, path);
-      strcat(fd_path, fdde->d_name);
-
-      int count;
-      count = readlink(fd_path, link, sizeof(link)-1);
-      if (count >= 0) {
-        link[count] = '\0';
-
-        // This is inefficient, but it should only matter if there are
-        // lots of files in /cache, and lots of them are open (neither
-        // of which should be true, especially in recovery).
-        if (strncmp(link, "/cache/", 7) == 0) {
-          int j;
-          for (j = 0; j < file_count; ++j) {
-            if (files[j] && strcmp(files[j], link) == 0) {
-              printf("%s is open by %s\n", link, de->d_name);
-              free(files[j]);
-              files[j] = NULL;
-            }
-          }
-        }
-      }
-    }
-    closedir(fdd);
-  }
-  closedir(d);
-
-  return 0;
-}
-
-int FindExpendableFiles(char*** names, int* entries) {
-  DIR* d;
-  struct dirent* de;
-  int size = 32;
-  *entries = 0;
-  *names = malloc(size * sizeof(char*));
-
-  char path[FILENAME_MAX];
-
-  // We're allowed to delete unopened regular files in any of these
-  // directories.
-  const char* dirs[2] = {"/cache", "/cache/recovery/otatest"};
-
-  unsigned int i;
-  for (i = 0; i < sizeof(dirs)/sizeof(dirs[0]); ++i) {
-    d = opendir(dirs[i]);
-    if (d == NULL) {
-      printf("error opening %s: %s\n", dirs[i], strerror(errno));
-      continue;
-    }
-
-    // Look for regular files in the directory (not in any subdirectories).
-    while ((de = readdir(d)) != 0) {
-      strcpy(path, dirs[i]);
-      strcat(path, "/");
-      strcat(path, de->d_name);
-
-      // We can't delete CACHE_TEMP_SOURCE; if it's there we might have
-      // restarted during installation and could be depending on it to
-      // be there.
-      if (strcmp(path, CACHE_TEMP_SOURCE) == 0) continue;
-
-      struct stat st;
-      if (stat(path, &st) == 0 && S_ISREG(st.st_mode)) {
-        if (*entries >= size) {
-          size *= 2;
-          *names = realloc(*names, size * sizeof(char*));
-        }
-        (*names)[(*entries)++] = strdup(path);
-      }
-    }
-
-    closedir(d);
-  }
-
-  printf("%d regular files in deletable directories\n", *entries);
-
-  if (EliminateOpenFiles(*names, *entries) < 0) {
-    return -1;
-  }
-
-  return 0;
-}
-
-int MakeFreeSpaceOnCache(size_t bytes_needed) {
-  size_t free_now = FreeSpaceForFile("/cache");
-  printf("%ld bytes free on /cache (%ld needed)\n",
-         (long)free_now, (long)bytes_needed);
-
-  if (free_now >= bytes_needed) {
-    return 0;
-  }
-
-  char** names;
-  int entries;
-
-  if (FindExpendableFiles(&names, &entries) < 0) {
-    return -1;
-  }
-
-  if (entries == 0) {
-    // nothing we can delete to free up space!
-    printf("no files can be deleted to free space on /cache\n");
-    return -1;
-  }
-
-  // We could try to be smarter about which files to delete:  the
-  // biggest ones?  the smallest ones that will free up enough space?
-  // the oldest?  the newest?
-  //
-  // Instead, we'll be dumb.
-
-  int i;
-  for (i = 0; i < entries && free_now < bytes_needed; ++i) {
-    if (names[i]) {
-      unlink(names[i]);
-      free_now = FreeSpaceForFile("/cache");
-      printf("deleted %s; now %ld bytes free\n", names[i], (long)free_now);
-      free(names[i]);
-    }
-  }
-
-  for (; i < entries; ++i) {
-    free(names[i]);
-  }
-  free(names);
-
-  return (free_now >= bytes_needed) ? 0 : -1;
-}
diff --git a/applypatch/freecache.cpp b/applypatch/freecache.cpp
new file mode 100644
index 0000000..c84f427
--- /dev/null
+++ b/applypatch/freecache.cpp
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2010 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <errno.h>
+#include <libgen.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/statfs.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <ctype.h>
+
+#include <memory>
+#include <set>
+#include <string>
+
+#include <android-base/parseint.h>
+#include <android-base/stringprintf.h>
+
+#include "applypatch.h"
+
+static int EliminateOpenFiles(std::set<std::string>* files) {
+  std::unique_ptr<DIR, decltype(&closedir)> d(opendir("/proc"), closedir);
+  if (!d) {
+    printf("error opening /proc: %s\n", strerror(errno));
+    return -1;
+  }
+  struct dirent* de;
+  while ((de = readdir(d.get())) != 0) {
+    unsigned int pid;
+    if (!android::base::ParseUint(de->d_name, &pid)) {
+        continue;
+    }
+    std::string path = android::base::StringPrintf("/proc/%s/fd/", de->d_name);
+
+    struct dirent* fdde;
+    std::unique_ptr<DIR, decltype(&closedir)> fdd(opendir(path.c_str()), closedir);
+    if (!fdd) {
+      printf("error opening %s: %s\n", path.c_str(), strerror(errno));
+      continue;
+    }
+    while ((fdde = readdir(fdd.get())) != 0) {
+      std::string fd_path = path + fdde->d_name;
+      char link[FILENAME_MAX];
+
+      int count = readlink(fd_path.c_str(), link, sizeof(link)-1);
+      if (count >= 0) {
+        link[count] = '\0';
+        if (strncmp(link, "/cache/", 7) == 0) {
+          if (files->erase(link) > 0) {
+            printf("%s is open by %s\n", link, de->d_name);
+          }
+        }
+      }
+    }
+  }
+  return 0;
+}
+
+static std::set<std::string> FindExpendableFiles() {
+  std::set<std::string> files;
+  // We're allowed to delete unopened regular files in any of these
+  // directories.
+  const char* dirs[2] = {"/cache", "/cache/recovery/otatest"};
+
+  for (size_t i = 0; i < sizeof(dirs)/sizeof(dirs[0]); ++i) {
+    std::unique_ptr<DIR, decltype(&closedir)> d(opendir(dirs[i]), closedir);
+    if (!d) {
+      printf("error opening %s: %s\n", dirs[i], strerror(errno));
+      continue;
+    }
+
+    // Look for regular files in the directory (not in any subdirectories).
+    struct dirent* de;
+    while ((de = readdir(d.get())) != 0) {
+      std::string path = std::string(dirs[i]) + "/" + de->d_name;
+
+      // We can't delete CACHE_TEMP_SOURCE; if it's there we might have
+      // restarted during installation and could be depending on it to
+      // be there.
+      if (path == CACHE_TEMP_SOURCE) {
+        continue;
+      }
+
+      struct stat st;
+      if (stat(path.c_str(), &st) == 0 && S_ISREG(st.st_mode)) {
+        files.insert(path);
+      }
+    }
+  }
+
+  printf("%zu regular files in deletable directories\n", files.size());
+  if (EliminateOpenFiles(&files) < 0) {
+    return std::set<std::string>();
+  }
+  return files;
+}
+
+int MakeFreeSpaceOnCache(size_t bytes_needed) {
+  size_t free_now = FreeSpaceForFile("/cache");
+  printf("%zu bytes free on /cache (%zu needed)\n", free_now, bytes_needed);
+
+  if (free_now >= bytes_needed) {
+    return 0;
+  }
+  std::set<std::string> files = FindExpendableFiles();
+  if (files.empty()) {
+    // nothing we can delete to free up space!
+    printf("no files can be deleted to free space on /cache\n");
+    return -1;
+  }
+
+  // We could try to be smarter about which files to delete:  the
+  // biggest ones?  the smallest ones that will free up enough space?
+  // the oldest?  the newest?
+  //
+  // Instead, we'll be dumb.
+
+  for (const auto& file : files) {
+    unlink(file.c_str());
+    free_now = FreeSpaceForFile("/cache");
+    printf("deleted %s; now %zu bytes free\n", file.c_str(), free_now);
+    if (free_now < bytes_needed) {
+        break;
+    }
+  }
+  return (free_now >= bytes_needed) ? 0 : -1;
+}
diff --git a/applypatch/imgdiff.c b/applypatch/imgdiff.c
deleted file mode 100644
index 3bac8be..0000000
--- a/applypatch/imgdiff.c
+++ /dev/null
@@ -1,1060 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * This program constructs binary patches for images -- such as boot.img
- * and recovery.img -- that consist primarily of large chunks of gzipped
- * data interspersed with uncompressed data.  Doing a naive bsdiff of
- * these files is not useful because small changes in the data lead to
- * large changes in the compressed bitstream; bsdiff patches of gzipped
- * data are typically as large as the data itself.
- *
- * To patch these usefully, we break the source and target images up into
- * chunks of two types: "normal" and "gzip".  Normal chunks are simply
- * patched using a plain bsdiff.  Gzip chunks are first expanded, then a
- * bsdiff is applied to the uncompressed data, then the patched data is
- * gzipped using the same encoder parameters.  Patched chunks are
- * concatenated together to create the output file; the output image
- * should be *exactly* the same series of bytes as the target image used
- * originally to generate the patch.
- *
- * To work well with this tool, the gzipped sections of the target
- * image must have been generated using the same deflate encoder that
- * is available in applypatch, namely, the one in the zlib library.
- * In practice this means that images should be compressed using the
- * "minigzip" tool included in the zlib distribution, not the GNU gzip
- * program.
- *
- * An "imgdiff" patch consists of a header describing the chunk structure
- * of the file and any encoding parameters needed for the gzipped
- * chunks, followed by N bsdiff patches, one per chunk.
- *
- * For a diff to be generated, the source and target images must have the
- * same "chunk" structure: that is, the same number of gzipped and normal
- * chunks in the same order.  Android boot and recovery images currently
- * consist of five chunks:  a small normal header, a gzipped kernel, a
- * small normal section, a gzipped ramdisk, and finally a small normal
- * footer.
- *
- * Caveats:  we locate gzipped sections within the source and target
- * images by searching for the byte sequence 1f8b0800:  1f8b is the gzip
- * magic number; 08 specifies the "deflate" encoding [the only encoding
- * supported by the gzip standard]; and 00 is the flags byte.  We do not
- * currently support any extra header fields (which would be indicated by
- * a nonzero flags byte).  We also don't handle the case when that byte
- * sequence appears spuriously in the file.  (Note that it would have to
- * occur spuriously within a normal chunk to be a problem.)
- *
- *
- * The imgdiff patch header looks like this:
- *
- *    "IMGDIFF1"                  (8)   [magic number and version]
- *    chunk count                 (4)
- *    for each chunk:
- *        chunk type              (4)   [CHUNK_{NORMAL, GZIP, DEFLATE, RAW}]
- *        if chunk type == CHUNK_NORMAL:
- *           source start         (8)
- *           source len           (8)
- *           bsdiff patch offset  (8)   [from start of patch file]
- *        if chunk type == CHUNK_GZIP:      (version 1 only)
- *           source start         (8)
- *           source len           (8)
- *           bsdiff patch offset  (8)   [from start of patch file]
- *           source expanded len  (8)   [size of uncompressed source]
- *           target expected len  (8)   [size of uncompressed target]
- *           gzip level           (4)
- *                method          (4)
- *                windowBits      (4)
- *                memLevel        (4)
- *                strategy        (4)
- *           gzip header len      (4)
- *           gzip header          (gzip header len)
- *           gzip footer          (8)
- *        if chunk type == CHUNK_DEFLATE:   (version 2 only)
- *           source start         (8)
- *           source len           (8)
- *           bsdiff patch offset  (8)   [from start of patch file]
- *           source expanded len  (8)   [size of uncompressed source]
- *           target expected len  (8)   [size of uncompressed target]
- *           gzip level           (4)
- *                method          (4)
- *                windowBits      (4)
- *                memLevel        (4)
- *                strategy        (4)
- *        if chunk type == RAW:             (version 2 only)
- *           target len           (4)
- *           data                 (target len)
- *
- * All integers are little-endian.  "source start" and "source len"
- * specify the section of the input image that comprises this chunk,
- * including the gzip header and footer for gzip chunks.  "source
- * expanded len" is the size of the uncompressed source data.  "target
- * expected len" is the size of the uncompressed data after applying
- * the bsdiff patch.  The next five parameters specify the zlib
- * parameters to be used when compressing the patched data, and the
- * next three specify the header and footer to be wrapped around the
- * compressed data to create the output chunk (so that header contents
- * like the timestamp are recreated exactly).
- *
- * After the header there are 'chunk count' bsdiff patches; the offset
- * of each from the beginning of the file is specified in the header.
- *
- * This tool can take an optional file of "bonus data".  This is an
- * extra file of data that is appended to chunk #1 after it is
- * compressed (it must be a CHUNK_DEFLATE chunk).  The same file must
- * be available (and passed to applypatch with -b) when applying the
- * patch.  This is used to reduce the size of recovery-from-boot
- * patches by combining the boot image with recovery ramdisk
- * information that is stored on the system partition.
- */
-
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <sys/types.h>
-
-#include "zlib.h"
-#include "imgdiff.h"
-#include "utils.h"
-
-typedef struct {
-  int type;             // CHUNK_NORMAL, CHUNK_DEFLATE
-  size_t start;         // offset of chunk in original image file
-
-  size_t len;
-  unsigned char* data;  // data to be patched (uncompressed, for deflate chunks)
-
-  size_t source_start;
-  size_t source_len;
-
-  off_t* I;             // used by bsdiff
-
-  // --- for CHUNK_DEFLATE chunks only: ---
-
-  // original (compressed) deflate data
-  size_t deflate_len;
-  unsigned char* deflate_data;
-
-  char* filename;       // used for zip entries
-
-  // deflate encoder parameters
-  int level, method, windowBits, memLevel, strategy;
-
-  size_t source_uncompressed_len;
-} ImageChunk;
-
-typedef struct {
-  int data_offset;
-  int deflate_len;
-  int uncomp_len;
-  char* filename;
-} ZipFileEntry;
-
-static int fileentry_compare(const void* a, const void* b) {
-  int ao = ((ZipFileEntry*)a)->data_offset;
-  int bo = ((ZipFileEntry*)b)->data_offset;
-  if (ao < bo) {
-    return -1;
-  } else if (ao > bo) {
-    return 1;
-  } else {
-    return 0;
-  }
-}
-
-// from bsdiff.c
-int bsdiff(u_char* old, off_t oldsize, off_t** IP, u_char* new, off_t newsize,
-           const char* patch_filename);
-
-unsigned char* ReadZip(const char* filename,
-                       int* num_chunks, ImageChunk** chunks,
-                       int include_pseudo_chunk) {
-  struct stat st;
-  if (stat(filename, &st) != 0) {
-    printf("failed to stat \"%s\": %s\n", filename, strerror(errno));
-    return NULL;
-  }
-
-  unsigned char* img = malloc(st.st_size);
-  FILE* f = fopen(filename, "rb");
-  if (fread(img, 1, st.st_size, f) != st.st_size) {
-    printf("failed to read \"%s\" %s\n", filename, strerror(errno));
-    fclose(f);
-    return NULL;
-  }
-  fclose(f);
-
-  // look for the end-of-central-directory record.
-
-  int i;
-  for (i = st.st_size-20; i >= 0 && i > st.st_size - 65600; --i) {
-    if (img[i] == 0x50 && img[i+1] == 0x4b &&
-        img[i+2] == 0x05 && img[i+3] == 0x06) {
-      break;
-    }
-  }
-  // double-check: this archive consists of a single "disk"
-  if (!(img[i+4] == 0 && img[i+5] == 0 && img[i+6] == 0 && img[i+7] == 0)) {
-    printf("can't process multi-disk archive\n");
-    return NULL;
-  }
-
-  int cdcount = Read2(img+i+8);
-  int cdoffset = Read4(img+i+16);
-
-  ZipFileEntry* temp_entries = malloc(cdcount * sizeof(ZipFileEntry));
-  int entrycount = 0;
-
-  unsigned char* cd = img+cdoffset;
-  for (i = 0; i < cdcount; ++i) {
-    if (!(cd[0] == 0x50 && cd[1] == 0x4b && cd[2] == 0x01 && cd[3] == 0x02)) {
-      printf("bad central directory entry %d\n", i);
-      return NULL;
-    }
-
-    int clen = Read4(cd+20);   // compressed len
-    int ulen = Read4(cd+24);   // uncompressed len
-    int nlen = Read2(cd+28);   // filename len
-    int xlen = Read2(cd+30);   // extra field len
-    int mlen = Read2(cd+32);   // file comment len
-    int hoffset = Read4(cd+42);   // local header offset
-
-    char* filename = malloc(nlen+1);
-    memcpy(filename, cd+46, nlen);
-    filename[nlen] = '\0';
-
-    int method = Read2(cd+10);
-
-    cd += 46 + nlen + xlen + mlen;
-
-    if (method != 8) {  // 8 == deflate
-      free(filename);
-      continue;
-    }
-
-    unsigned char* lh = img + hoffset;
-
-    if (!(lh[0] == 0x50 && lh[1] == 0x4b && lh[2] == 0x03 && lh[3] == 0x04)) {
-      printf("bad local file header entry %d\n", i);
-      return NULL;
-    }
-
-    if (Read2(lh+26) != nlen || memcmp(lh+30, filename, nlen) != 0) {
-      printf("central dir filename doesn't match local header\n");
-      return NULL;
-    }
-
-    xlen = Read2(lh+28);   // extra field len; might be different from CD entry?
-
-    temp_entries[entrycount].data_offset = hoffset+30+nlen+xlen;
-    temp_entries[entrycount].deflate_len = clen;
-    temp_entries[entrycount].uncomp_len = ulen;
-    temp_entries[entrycount].filename = filename;
-    ++entrycount;
-  }
-
-  qsort(temp_entries, entrycount, sizeof(ZipFileEntry), fileentry_compare);
-
-#if 0
-  printf("found %d deflated entries\n", entrycount);
-  for (i = 0; i < entrycount; ++i) {
-    printf("off %10d  len %10d unlen %10d   %p %s\n",
-           temp_entries[i].data_offset,
-           temp_entries[i].deflate_len,
-           temp_entries[i].uncomp_len,
-           temp_entries[i].filename,
-           temp_entries[i].filename);
-  }
-#endif
-
-  *num_chunks = 0;
-  *chunks = malloc((entrycount*2+2) * sizeof(ImageChunk));
-  ImageChunk* curr = *chunks;
-
-  if (include_pseudo_chunk) {
-    curr->type = CHUNK_NORMAL;
-    curr->start = 0;
-    curr->len = st.st_size;
-    curr->data = img;
-    curr->filename = NULL;
-    curr->I = NULL;
-    ++curr;
-    ++*num_chunks;
-  }
-
-  int pos = 0;
-  int nextentry = 0;
-
-  while (pos < st.st_size) {
-    if (nextentry < entrycount && pos == temp_entries[nextentry].data_offset) {
-      curr->type = CHUNK_DEFLATE;
-      curr->start = pos;
-      curr->deflate_len = temp_entries[nextentry].deflate_len;
-      curr->deflate_data = img + pos;
-      curr->filename = temp_entries[nextentry].filename;
-      curr->I = NULL;
-
-      curr->len = temp_entries[nextentry].uncomp_len;
-      curr->data = malloc(curr->len);
-
-      z_stream strm;
-      strm.zalloc = Z_NULL;
-      strm.zfree = Z_NULL;
-      strm.opaque = Z_NULL;
-      strm.avail_in = curr->deflate_len;
-      strm.next_in = curr->deflate_data;
-
-      // -15 means we are decoding a 'raw' deflate stream; zlib will
-      // not expect zlib headers.
-      int ret = inflateInit2(&strm, -15);
-
-      strm.avail_out = curr->len;
-      strm.next_out = curr->data;
-      ret = inflate(&strm, Z_NO_FLUSH);
-      if (ret != Z_STREAM_END) {
-        printf("failed to inflate \"%s\"; %d\n", curr->filename, ret);
-        return NULL;
-      }
-
-      inflateEnd(&strm);
-
-      pos += curr->deflate_len;
-      ++nextentry;
-      ++*num_chunks;
-      ++curr;
-      continue;
-    }
-
-    // use a normal chunk to take all the data up to the start of the
-    // next deflate section.
-
-    curr->type = CHUNK_NORMAL;
-    curr->start = pos;
-    if (nextentry < entrycount) {
-      curr->len = temp_entries[nextentry].data_offset - pos;
-    } else {
-      curr->len = st.st_size - pos;
-    }
-    curr->data = img + pos;
-    curr->filename = NULL;
-    curr->I = NULL;
-    pos += curr->len;
-
-    ++*num_chunks;
-    ++curr;
-  }
-
-  free(temp_entries);
-  return img;
-}
-
-/*
- * Read the given file and break it up into chunks, putting the number
- * of chunks and their info in *num_chunks and **chunks,
- * respectively.  Returns a malloc'd block of memory containing the
- * contents of the file; various pointers in the output chunk array
- * will point into this block of memory.  The caller should free the
- * return value when done with all the chunks.  Returns NULL on
- * failure.
- */
-unsigned char* ReadImage(const char* filename,
-                         int* num_chunks, ImageChunk** chunks) {
-  struct stat st;
-  if (stat(filename, &st) != 0) {
-    printf("failed to stat \"%s\": %s\n", filename, strerror(errno));
-    return NULL;
-  }
-
-  unsigned char* img = malloc(st.st_size + 4);
-  FILE* f = fopen(filename, "rb");
-  if (fread(img, 1, st.st_size, f) != st.st_size) {
-    printf("failed to read \"%s\" %s\n", filename, strerror(errno));
-    fclose(f);
-    return NULL;
-  }
-  fclose(f);
-
-  // append 4 zero bytes to the data so we can always search for the
-  // four-byte string 1f8b0800 starting at any point in the actual
-  // file data, without special-casing the end of the data.
-  memset(img+st.st_size, 0, 4);
-
-  size_t pos = 0;
-
-  *num_chunks = 0;
-  *chunks = NULL;
-
-  while (pos < st.st_size) {
-    unsigned char* p = img+pos;
-
-    if (st.st_size - pos >= 4 &&
-        p[0] == 0x1f && p[1] == 0x8b &&
-        p[2] == 0x08 &&    // deflate compression
-        p[3] == 0x00) {    // no header flags
-      // 'pos' is the offset of the start of a gzip chunk.
-      size_t chunk_offset = pos;
-
-      *num_chunks += 3;
-      *chunks = realloc(*chunks, *num_chunks * sizeof(ImageChunk));
-      ImageChunk* curr = *chunks + (*num_chunks-3);
-
-      // create a normal chunk for the header.
-      curr->start = pos;
-      curr->type = CHUNK_NORMAL;
-      curr->len = GZIP_HEADER_LEN;
-      curr->data = p;
-      curr->I = NULL;
-
-      pos += curr->len;
-      p += curr->len;
-      ++curr;
-
-      curr->type = CHUNK_DEFLATE;
-      curr->filename = NULL;
-      curr->I = NULL;
-
-      // We must decompress this chunk in order to discover where it
-      // ends, and so we can put the uncompressed data and its length
-      // into curr->data and curr->len.
-
-      size_t allocated = 32768;
-      curr->len = 0;
-      curr->data = malloc(allocated);
-      curr->start = pos;
-      curr->deflate_data = p;
-
-      z_stream strm;
-      strm.zalloc = Z_NULL;
-      strm.zfree = Z_NULL;
-      strm.opaque = Z_NULL;
-      strm.avail_in = st.st_size - pos;
-      strm.next_in = p;
-
-      // -15 means we are decoding a 'raw' deflate stream; zlib will
-      // not expect zlib headers.
-      int ret = inflateInit2(&strm, -15);
-
-      do {
-        strm.avail_out = allocated - curr->len;
-        strm.next_out = curr->data + curr->len;
-        ret = inflate(&strm, Z_NO_FLUSH);
-        if (ret < 0) {
-            printf("Error: inflate failed [%s] at file offset [%zu]\n"
-                    "imgdiff only supports gzip kernel compression,"
-                    " did you try CONFIG_KERNEL_LZO?\n",
-                    strm.msg, chunk_offset);
-            free(img);
-            return NULL;
-        }
-        curr->len = allocated - strm.avail_out;
-        if (strm.avail_out == 0) {
-          allocated *= 2;
-          curr->data = realloc(curr->data, allocated);
-        }
-      } while (ret != Z_STREAM_END);
-
-      curr->deflate_len = st.st_size - strm.avail_in - pos;
-      inflateEnd(&strm);
-      pos += curr->deflate_len;
-      p += curr->deflate_len;
-      ++curr;
-
-      // create a normal chunk for the footer
-
-      curr->type = CHUNK_NORMAL;
-      curr->start = pos;
-      curr->len = GZIP_FOOTER_LEN;
-      curr->data = img+pos;
-      curr->I = NULL;
-
-      pos += curr->len;
-      p += curr->len;
-      ++curr;
-
-      // The footer (that we just skipped over) contains the size of
-      // the uncompressed data.  Double-check to make sure that it
-      // matches the size of the data we got when we actually did
-      // the decompression.
-      size_t footer_size = Read4(p-4);
-      if (footer_size != curr[-2].len) {
-        printf("Error: footer size %d != decompressed size %d\n",
-                footer_size, curr[-2].len);
-        free(img);
-        return NULL;
-      }
-    } else {
-      // Reallocate the list for every chunk; we expect the number of
-      // chunks to be small (5 for typical boot and recovery images).
-      ++*num_chunks;
-      *chunks = realloc(*chunks, *num_chunks * sizeof(ImageChunk));
-      ImageChunk* curr = *chunks + (*num_chunks-1);
-      curr->start = pos;
-      curr->I = NULL;
-
-      // 'pos' is not the offset of the start of a gzip chunk, so scan
-      // forward until we find a gzip header.
-      curr->type = CHUNK_NORMAL;
-      curr->data = p;
-
-      for (curr->len = 0; curr->len < (st.st_size - pos); ++curr->len) {
-        if (p[curr->len] == 0x1f &&
-            p[curr->len+1] == 0x8b &&
-            p[curr->len+2] == 0x08 &&
-            p[curr->len+3] == 0x00) {
-          break;
-        }
-      }
-      pos += curr->len;
-    }
-  }
-
-  return img;
-}
-
-#define BUFFER_SIZE 32768
-
-/*
- * Takes the uncompressed data stored in the chunk, compresses it
- * using the zlib parameters stored in the chunk, and checks that it
- * matches exactly the compressed data we started with (also stored in
- * the chunk).  Return 0 on success.
- */
-int TryReconstruction(ImageChunk* chunk, unsigned char* out) {
-  size_t p = 0;
-
-#if 0
-  printf("trying %d %d %d %d %d\n",
-          chunk->level, chunk->method, chunk->windowBits,
-          chunk->memLevel, chunk->strategy);
-#endif
-
-  z_stream strm;
-  strm.zalloc = Z_NULL;
-  strm.zfree = Z_NULL;
-  strm.opaque = Z_NULL;
-  strm.avail_in = chunk->len;
-  strm.next_in = chunk->data;
-  int ret;
-  ret = deflateInit2(&strm, chunk->level, chunk->method, chunk->windowBits,
-                     chunk->memLevel, chunk->strategy);
-  do {
-    strm.avail_out = BUFFER_SIZE;
-    strm.next_out = out;
-    ret = deflate(&strm, Z_FINISH);
-    size_t have = BUFFER_SIZE - strm.avail_out;
-
-    if (memcmp(out, chunk->deflate_data+p, have) != 0) {
-      // mismatch; data isn't the same.
-      deflateEnd(&strm);
-      return -1;
-    }
-    p += have;
-  } while (ret != Z_STREAM_END);
-  deflateEnd(&strm);
-  if (p != chunk->deflate_len) {
-    // mismatch; ran out of data before we should have.
-    return -1;
-  }
-  return 0;
-}
-
-/*
- * Verify that we can reproduce exactly the same compressed data that
- * we started with.  Sets the level, method, windowBits, memLevel, and
- * strategy fields in the chunk to the encoding parameters needed to
- * produce the right output.  Returns 0 on success.
- */
-int ReconstructDeflateChunk(ImageChunk* chunk) {
-  if (chunk->type != CHUNK_DEFLATE) {
-    printf("attempt to reconstruct non-deflate chunk\n");
-    return -1;
-  }
-
-  size_t p = 0;
-  unsigned char* out = malloc(BUFFER_SIZE);
-
-  // We only check two combinations of encoder parameters:  level 6
-  // (the default) and level 9 (the maximum).
-  for (chunk->level = 6; chunk->level <= 9; chunk->level += 3) {
-    chunk->windowBits = -15;  // 32kb window; negative to indicate a raw stream.
-    chunk->memLevel = 8;      // the default value.
-    chunk->method = Z_DEFLATED;
-    chunk->strategy = Z_DEFAULT_STRATEGY;
-
-    if (TryReconstruction(chunk, out) == 0) {
-      free(out);
-      return 0;
-    }
-  }
-
-  free(out);
-  return -1;
-}
-
-/*
- * Given source and target chunks, compute a bsdiff patch between them
- * by running bsdiff in a subprocess.  Return the patch data, placing
- * its length in *size.  Return NULL on failure.  We expect the bsdiff
- * program to be in the path.
- */
-unsigned char* MakePatch(ImageChunk* src, ImageChunk* tgt, size_t* size) {
-  if (tgt->type == CHUNK_NORMAL) {
-    if (tgt->len <= 160) {
-      tgt->type = CHUNK_RAW;
-      *size = tgt->len;
-      return tgt->data;
-    }
-  }
-
-  char ptemp[] = "/tmp/imgdiff-patch-XXXXXX";
-  mkstemp(ptemp);
-
-  int r = bsdiff(src->data, src->len, &(src->I), tgt->data, tgt->len, ptemp);
-  if (r != 0) {
-    printf("bsdiff() failed: %d\n", r);
-    return NULL;
-  }
-
-  struct stat st;
-  if (stat(ptemp, &st) != 0) {
-    printf("failed to stat patch file %s: %s\n",
-            ptemp, strerror(errno));
-    return NULL;
-  }
-
-  unsigned char* data = malloc(st.st_size);
-
-  if (tgt->type == CHUNK_NORMAL && tgt->len <= st.st_size) {
-    unlink(ptemp);
-
-    tgt->type = CHUNK_RAW;
-    *size = tgt->len;
-    return tgt->data;
-  }
-
-  *size = st.st_size;
-
-  FILE* f = fopen(ptemp, "rb");
-  if (f == NULL) {
-    printf("failed to open patch %s: %s\n", ptemp, strerror(errno));
-    return NULL;
-  }
-  if (fread(data, 1, st.st_size, f) != st.st_size) {
-    printf("failed to read patch %s: %s\n", ptemp, strerror(errno));
-    return NULL;
-  }
-  fclose(f);
-
-  unlink(ptemp);
-
-  tgt->source_start = src->start;
-  switch (tgt->type) {
-    case CHUNK_NORMAL:
-      tgt->source_len = src->len;
-      break;
-    case CHUNK_DEFLATE:
-      tgt->source_len = src->deflate_len;
-      tgt->source_uncompressed_len = src->len;
-      break;
-  }
-
-  return data;
-}
-
-/*
- * Cause a gzip chunk to be treated as a normal chunk (ie, as a blob
- * of uninterpreted data).  The resulting patch will likely be about
- * as big as the target file, but it lets us handle the case of images
- * where some gzip chunks are reconstructible but others aren't (by
- * treating the ones that aren't as normal chunks).
- */
-void ChangeDeflateChunkToNormal(ImageChunk* ch) {
-  if (ch->type != CHUNK_DEFLATE) return;
-  ch->type = CHUNK_NORMAL;
-  free(ch->data);
-  ch->data = ch->deflate_data;
-  ch->len = ch->deflate_len;
-}
-
-/*
- * Return true if the data in the chunk is identical (including the
- * compressed representation, for gzip chunks).
- */
-int AreChunksEqual(ImageChunk* a, ImageChunk* b) {
-    if (a->type != b->type) return 0;
-
-    switch (a->type) {
-        case CHUNK_NORMAL:
-            return a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
-
-        case CHUNK_DEFLATE:
-            return a->deflate_len == b->deflate_len &&
-                memcmp(a->deflate_data, b->deflate_data, a->deflate_len) == 0;
-
-        default:
-            printf("unknown chunk type %d\n", a->type);
-            return 0;
-    }
-}
-
-/*
- * Look for runs of adjacent normal chunks and compress them down into
- * a single chunk.  (Such runs can be produced when deflate chunks are
- * changed to normal chunks.)
- */
-void MergeAdjacentNormalChunks(ImageChunk* chunks, int* num_chunks) {
-  int out = 0;
-  int in_start = 0, in_end;
-  while (in_start < *num_chunks) {
-    if (chunks[in_start].type != CHUNK_NORMAL) {
-      in_end = in_start+1;
-    } else {
-      // in_start is a normal chunk.  Look for a run of normal chunks
-      // that constitute a solid block of data (ie, each chunk begins
-      // where the previous one ended).
-      for (in_end = in_start+1;
-           in_end < *num_chunks && chunks[in_end].type == CHUNK_NORMAL &&
-             (chunks[in_end].start ==
-              chunks[in_end-1].start + chunks[in_end-1].len &&
-              chunks[in_end].data ==
-              chunks[in_end-1].data + chunks[in_end-1].len);
-           ++in_end);
-    }
-
-    if (in_end == in_start+1) {
-#if 0
-      printf("chunk %d is now %d\n", in_start, out);
-#endif
-      if (out != in_start) {
-        memcpy(chunks+out, chunks+in_start, sizeof(ImageChunk));
-      }
-    } else {
-#if 0
-      printf("collapse normal chunks %d-%d into %d\n", in_start, in_end-1, out);
-#endif
-
-      // Merge chunks [in_start, in_end-1] into one chunk.  Since the
-      // data member of each chunk is just a pointer into an in-memory
-      // copy of the file, this can be done without recopying (the
-      // output chunk has the first chunk's start location and data
-      // pointer, and length equal to the sum of the input chunk
-      // lengths).
-      chunks[out].type = CHUNK_NORMAL;
-      chunks[out].start = chunks[in_start].start;
-      chunks[out].data = chunks[in_start].data;
-      chunks[out].len = chunks[in_end-1].len +
-        (chunks[in_end-1].start - chunks[in_start].start);
-    }
-
-    ++out;
-    in_start = in_end;
-  }
-  *num_chunks = out;
-}
-
-ImageChunk* FindChunkByName(const char* name,
-                            ImageChunk* chunks, int num_chunks) {
-  int i;
-  for (i = 0; i < num_chunks; ++i) {
-    if (chunks[i].type == CHUNK_DEFLATE && chunks[i].filename &&
-        strcmp(name, chunks[i].filename) == 0) {
-      return chunks+i;
-    }
-  }
-  return NULL;
-}
-
-void DumpChunks(ImageChunk* chunks, int num_chunks) {
-    int i;
-    for (i = 0; i < num_chunks; ++i) {
-        printf("chunk %d: type %d start %d len %d\n",
-               i, chunks[i].type, chunks[i].start, chunks[i].len);
-    }
-}
-
-int main(int argc, char** argv) {
-  int zip_mode = 0;
-
-  if (argc >= 2 && strcmp(argv[1], "-z") == 0) {
-    zip_mode = 1;
-    --argc;
-    ++argv;
-  }
-
-  size_t bonus_size = 0;
-  unsigned char* bonus_data = NULL;
-  if (argc >= 3 && strcmp(argv[1], "-b") == 0) {
-    struct stat st;
-    if (stat(argv[2], &st) != 0) {
-      printf("failed to stat bonus file %s: %s\n", argv[2], strerror(errno));
-      return 1;
-    }
-    bonus_size = st.st_size;
-    bonus_data = malloc(bonus_size);
-    FILE* f = fopen(argv[2], "rb");
-    if (f == NULL) {
-      printf("failed to open bonus file %s: %s\n", argv[2], strerror(errno));
-      return 1;
-    }
-    if (fread(bonus_data, 1, bonus_size, f) != bonus_size) {
-      printf("failed to read bonus file %s: %s\n", argv[2], strerror(errno));
-      return 1;
-    }
-    fclose(f);
-
-    argc -= 2;
-    argv += 2;
-  }
-
-  if (argc != 4) {
-    usage:
-    printf("usage: %s [-z] [-b <bonus-file>] <src-img> <tgt-img> <patch-file>\n",
-            argv[0]);
-    return 2;
-  }
-
-  int num_src_chunks;
-  ImageChunk* src_chunks;
-  int num_tgt_chunks;
-  ImageChunk* tgt_chunks;
-  int i;
-
-  if (zip_mode) {
-    if (ReadZip(argv[1], &num_src_chunks, &src_chunks, 1) == NULL) {
-      printf("failed to break apart source zip file\n");
-      return 1;
-    }
-    if (ReadZip(argv[2], &num_tgt_chunks, &tgt_chunks, 0) == NULL) {
-      printf("failed to break apart target zip file\n");
-      return 1;
-    }
-  } else {
-    if (ReadImage(argv[1], &num_src_chunks, &src_chunks) == NULL) {
-      printf("failed to break apart source image\n");
-      return 1;
-    }
-    if (ReadImage(argv[2], &num_tgt_chunks, &tgt_chunks) == NULL) {
-      printf("failed to break apart target image\n");
-      return 1;
-    }
-
-    // Verify that the source and target images have the same chunk
-    // structure (ie, the same sequence of deflate and normal chunks).
-
-    if (!zip_mode) {
-        // Merge the gzip header and footer in with any adjacent
-        // normal chunks.
-        MergeAdjacentNormalChunks(tgt_chunks, &num_tgt_chunks);
-        MergeAdjacentNormalChunks(src_chunks, &num_src_chunks);
-    }
-
-    if (num_src_chunks != num_tgt_chunks) {
-      printf("source and target don't have same number of chunks!\n");
-      printf("source chunks:\n");
-      DumpChunks(src_chunks, num_src_chunks);
-      printf("target chunks:\n");
-      DumpChunks(tgt_chunks, num_tgt_chunks);
-      return 1;
-    }
-    for (i = 0; i < num_src_chunks; ++i) {
-      if (src_chunks[i].type != tgt_chunks[i].type) {
-        printf("source and target don't have same chunk "
-                "structure! (chunk %d)\n", i);
-        printf("source chunks:\n");
-        DumpChunks(src_chunks, num_src_chunks);
-        printf("target chunks:\n");
-        DumpChunks(tgt_chunks, num_tgt_chunks);
-        return 1;
-      }
-    }
-  }
-
-  for (i = 0; i < num_tgt_chunks; ++i) {
-    if (tgt_chunks[i].type == CHUNK_DEFLATE) {
-      // Confirm that given the uncompressed chunk data in the target, we
-      // can recompress it and get exactly the same bits as are in the
-      // input target image.  If this fails, treat the chunk as a normal
-      // non-deflated chunk.
-      if (ReconstructDeflateChunk(tgt_chunks+i) < 0) {
-        printf("failed to reconstruct target deflate chunk %d [%s]; "
-               "treating as normal\n", i, tgt_chunks[i].filename);
-        ChangeDeflateChunkToNormal(tgt_chunks+i);
-        if (zip_mode) {
-          ImageChunk* src = FindChunkByName(tgt_chunks[i].filename, src_chunks, num_src_chunks);
-          if (src) {
-            ChangeDeflateChunkToNormal(src);
-          }
-        } else {
-          ChangeDeflateChunkToNormal(src_chunks+i);
-        }
-        continue;
-      }
-
-      // If two deflate chunks are identical (eg, the kernel has not
-      // changed between two builds), treat them as normal chunks.
-      // This makes applypatch much faster -- it can apply a trivial
-      // patch to the compressed data, rather than uncompressing and
-      // recompressing to apply the trivial patch to the uncompressed
-      // data.
-      ImageChunk* src;
-      if (zip_mode) {
-        src = FindChunkByName(tgt_chunks[i].filename, src_chunks, num_src_chunks);
-      } else {
-        src = src_chunks+i;
-      }
-
-      if (src == NULL || AreChunksEqual(tgt_chunks+i, src)) {
-        ChangeDeflateChunkToNormal(tgt_chunks+i);
-        if (src) {
-          ChangeDeflateChunkToNormal(src);
-        }
-      }
-    }
-  }
-
-  // Merging neighboring normal chunks.
-  if (zip_mode) {
-    // For zips, we only need to do this to the target:  deflated
-    // chunks are matched via filename, and normal chunks are patched
-    // using the entire source file as the source.
-    MergeAdjacentNormalChunks(tgt_chunks, &num_tgt_chunks);
-  } else {
-    // For images, we need to maintain the parallel structure of the
-    // chunk lists, so do the merging in both the source and target
-    // lists.
-    MergeAdjacentNormalChunks(tgt_chunks, &num_tgt_chunks);
-    MergeAdjacentNormalChunks(src_chunks, &num_src_chunks);
-    if (num_src_chunks != num_tgt_chunks) {
-      // This shouldn't happen.
-      printf("merging normal chunks went awry\n");
-      return 1;
-    }
-  }
-
-  // Compute bsdiff patches for each chunk's data (the uncompressed
-  // data, in the case of deflate chunks).
-
-  DumpChunks(src_chunks, num_src_chunks);
-
-  printf("Construct patches for %d chunks...\n", num_tgt_chunks);
-  unsigned char** patch_data = malloc(num_tgt_chunks * sizeof(unsigned char*));
-  size_t* patch_size = malloc(num_tgt_chunks * sizeof(size_t));
-  for (i = 0; i < num_tgt_chunks; ++i) {
-    if (zip_mode) {
-      ImageChunk* src;
-      if (tgt_chunks[i].type == CHUNK_DEFLATE &&
-          (src = FindChunkByName(tgt_chunks[i].filename, src_chunks,
-                                 num_src_chunks))) {
-        patch_data[i] = MakePatch(src, tgt_chunks+i, patch_size+i);
-      } else {
-        patch_data[i] = MakePatch(src_chunks, tgt_chunks+i, patch_size+i);
-      }
-    } else {
-      if (i == 1 && bonus_data) {
-        printf("  using %d bytes of bonus data for chunk %d\n", bonus_size, i);
-        src_chunks[i].data = realloc(src_chunks[i].data, src_chunks[i].len + bonus_size);
-        memcpy(src_chunks[i].data+src_chunks[i].len, bonus_data, bonus_size);
-        src_chunks[i].len += bonus_size;
-     }
-
-      patch_data[i] = MakePatch(src_chunks+i, tgt_chunks+i, patch_size+i);
-    }
-    printf("patch %3d is %d bytes (of %d)\n",
-           i, patch_size[i], tgt_chunks[i].source_len);
-  }
-
-  // Figure out how big the imgdiff file header is going to be, so
-  // that we can correctly compute the offset of each bsdiff patch
-  // within the file.
-
-  size_t total_header_size = 12;
-  for (i = 0; i < num_tgt_chunks; ++i) {
-    total_header_size += 4;
-    switch (tgt_chunks[i].type) {
-      case CHUNK_NORMAL:
-        total_header_size += 8*3;
-        break;
-      case CHUNK_DEFLATE:
-        total_header_size += 8*5 + 4*5;
-        break;
-      case CHUNK_RAW:
-        total_header_size += 4 + patch_size[i];
-        break;
-    }
-  }
-
-  size_t offset = total_header_size;
-
-  FILE* f = fopen(argv[3], "wb");
-
-  // Write out the headers.
-
-  fwrite("IMGDIFF2", 1, 8, f);
-  Write4(num_tgt_chunks, f);
-  for (i = 0; i < num_tgt_chunks; ++i) {
-    Write4(tgt_chunks[i].type, f);
-
-    switch (tgt_chunks[i].type) {
-      case CHUNK_NORMAL:
-        printf("chunk %3d: normal   (%10d, %10d)  %10d\n", i,
-               tgt_chunks[i].start, tgt_chunks[i].len, patch_size[i]);
-        Write8(tgt_chunks[i].source_start, f);
-        Write8(tgt_chunks[i].source_len, f);
-        Write8(offset, f);
-        offset += patch_size[i];
-        break;
-
-      case CHUNK_DEFLATE:
-        printf("chunk %3d: deflate  (%10d, %10d)  %10d  %s\n", i,
-               tgt_chunks[i].start, tgt_chunks[i].deflate_len, patch_size[i],
-               tgt_chunks[i].filename);
-        Write8(tgt_chunks[i].source_start, f);
-        Write8(tgt_chunks[i].source_len, f);
-        Write8(offset, f);
-        Write8(tgt_chunks[i].source_uncompressed_len, f);
-        Write8(tgt_chunks[i].len, f);
-        Write4(tgt_chunks[i].level, f);
-        Write4(tgt_chunks[i].method, f);
-        Write4(tgt_chunks[i].windowBits, f);
-        Write4(tgt_chunks[i].memLevel, f);
-        Write4(tgt_chunks[i].strategy, f);
-        offset += patch_size[i];
-        break;
-
-      case CHUNK_RAW:
-        printf("chunk %3d: raw      (%10d, %10d)\n", i,
-               tgt_chunks[i].start, tgt_chunks[i].len);
-        Write4(patch_size[i], f);
-        fwrite(patch_data[i], 1, patch_size[i], f);
-        break;
-    }
-  }
-
-  // Append each chunk's bsdiff patch, in order.
-
-  for (i = 0; i < num_tgt_chunks; ++i) {
-    if (tgt_chunks[i].type != CHUNK_RAW) {
-      fwrite(patch_data[i], 1, patch_size[i], f);
-    }
-  }
-
-  fclose(f);
-
-  return 0;
-}
diff --git a/applypatch/imgdiff.cpp b/applypatch/imgdiff.cpp
new file mode 100644
index 0000000..f22502e
--- /dev/null
+++ b/applypatch/imgdiff.cpp
@@ -0,0 +1,1083 @@
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * This program constructs binary patches for images -- such as boot.img
+ * and recovery.img -- that consist primarily of large chunks of gzipped
+ * data interspersed with uncompressed data.  Doing a naive bsdiff of
+ * these files is not useful because small changes in the data lead to
+ * large changes in the compressed bitstream; bsdiff patches of gzipped
+ * data are typically as large as the data itself.
+ *
+ * To patch these usefully, we break the source and target images up into
+ * chunks of two types: "normal" and "gzip".  Normal chunks are simply
+ * patched using a plain bsdiff.  Gzip chunks are first expanded, then a
+ * bsdiff is applied to the uncompressed data, then the patched data is
+ * gzipped using the same encoder parameters.  Patched chunks are
+ * concatenated together to create the output file; the output image
+ * should be *exactly* the same series of bytes as the target image used
+ * originally to generate the patch.
+ *
+ * To work well with this tool, the gzipped sections of the target
+ * image must have been generated using the same deflate encoder that
+ * is available in applypatch, namely, the one in the zlib library.
+ * In practice this means that images should be compressed using the
+ * "minigzip" tool included in the zlib distribution, not the GNU gzip
+ * program.
+ *
+ * An "imgdiff" patch consists of a header describing the chunk structure
+ * of the file and any encoding parameters needed for the gzipped
+ * chunks, followed by N bsdiff patches, one per chunk.
+ *
+ * For a diff to be generated, the source and target images must have the
+ * same "chunk" structure: that is, the same number of gzipped and normal
+ * chunks in the same order.  Android boot and recovery images currently
+ * consist of five chunks:  a small normal header, a gzipped kernel, a
+ * small normal section, a gzipped ramdisk, and finally a small normal
+ * footer.
+ *
+ * Caveats:  we locate gzipped sections within the source and target
+ * images by searching for the byte sequence 1f8b0800:  1f8b is the gzip
+ * magic number; 08 specifies the "deflate" encoding [the only encoding
+ * supported by the gzip standard]; and 00 is the flags byte.  We do not
+ * currently support any extra header fields (which would be indicated by
+ * a nonzero flags byte).  We also don't handle the case when that byte
+ * sequence appears spuriously in the file.  (Note that it would have to
+ * occur spuriously within a normal chunk to be a problem.)
+ *
+ *
+ * The imgdiff patch header looks like this:
+ *
+ *    "IMGDIFF1"                  (8)   [magic number and version]
+ *    chunk count                 (4)
+ *    for each chunk:
+ *        chunk type              (4)   [CHUNK_{NORMAL, GZIP, DEFLATE, RAW}]
+ *        if chunk type == CHUNK_NORMAL:
+ *           source start         (8)
+ *           source len           (8)
+ *           bsdiff patch offset  (8)   [from start of patch file]
+ *        if chunk type == CHUNK_GZIP:      (version 1 only)
+ *           source start         (8)
+ *           source len           (8)
+ *           bsdiff patch offset  (8)   [from start of patch file]
+ *           source expanded len  (8)   [size of uncompressed source]
+ *           target expected len  (8)   [size of uncompressed target]
+ *           gzip level           (4)
+ *                method          (4)
+ *                windowBits      (4)
+ *                memLevel        (4)
+ *                strategy        (4)
+ *           gzip header len      (4)
+ *           gzip header          (gzip header len)
+ *           gzip footer          (8)
+ *        if chunk type == CHUNK_DEFLATE:   (version 2 only)
+ *           source start         (8)
+ *           source len           (8)
+ *           bsdiff patch offset  (8)   [from start of patch file]
+ *           source expanded len  (8)   [size of uncompressed source]
+ *           target expected len  (8)   [size of uncompressed target]
+ *           gzip level           (4)
+ *                method          (4)
+ *                windowBits      (4)
+ *                memLevel        (4)
+ *                strategy        (4)
+ *        if chunk type == RAW:             (version 2 only)
+ *           target len           (4)
+ *           data                 (target len)
+ *
+ * All integers are little-endian.  "source start" and "source len"
+ * specify the section of the input image that comprises this chunk,
+ * including the gzip header and footer for gzip chunks.  "source
+ * expanded len" is the size of the uncompressed source data.  "target
+ * expected len" is the size of the uncompressed data after applying
+ * the bsdiff patch.  The next five parameters specify the zlib
+ * parameters to be used when compressing the patched data, and the
+ * next three specify the header and footer to be wrapped around the
+ * compressed data to create the output chunk (so that header contents
+ * like the timestamp are recreated exactly).
+ *
+ * After the header there are 'chunk count' bsdiff patches; the offset
+ * of each from the beginning of the file is specified in the header.
+ *
+ * This tool can take an optional file of "bonus data".  This is an
+ * extra file of data that is appended to chunk #1 after it is
+ * compressed (it must be a CHUNK_DEFLATE chunk).  The same file must
+ * be available (and passed to applypatch with -b) when applying the
+ * patch.  This is used to reduce the size of recovery-from-boot
+ * patches by combining the boot image with recovery ramdisk
+ * information that is stored on the system partition.
+ */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#include "zlib.h"
+#include "imgdiff.h"
+#include "utils.h"
+
+typedef struct {
+  int type;             // CHUNK_NORMAL, CHUNK_DEFLATE
+  size_t start;         // offset of chunk in original image file
+
+  size_t len;
+  unsigned char* data;  // data to be patched (uncompressed, for deflate chunks)
+
+  size_t source_start;
+  size_t source_len;
+
+  off_t* I;             // used by bsdiff
+
+  // --- for CHUNK_DEFLATE chunks only: ---
+
+  // original (compressed) deflate data
+  size_t deflate_len;
+  unsigned char* deflate_data;
+
+  char* filename;       // used for zip entries
+
+  // deflate encoder parameters
+  int level, method, windowBits, memLevel, strategy;
+
+  size_t source_uncompressed_len;
+} ImageChunk;
+
+typedef struct {
+  int data_offset;
+  int deflate_len;
+  int uncomp_len;
+  char* filename;
+} ZipFileEntry;
+
+static int fileentry_compare(const void* a, const void* b) {
+  int ao = ((ZipFileEntry*)a)->data_offset;
+  int bo = ((ZipFileEntry*)b)->data_offset;
+  if (ao < bo) {
+    return -1;
+  } else if (ao > bo) {
+    return 1;
+  } else {
+    return 0;
+  }
+}
+
+// from bsdiff.c
+int bsdiff(u_char* old, off_t oldsize, off_t** IP, u_char* newdata, off_t newsize,
+           const char* patch_filename);
+
+unsigned char* ReadZip(const char* filename,
+                       int* num_chunks, ImageChunk** chunks,
+                       int include_pseudo_chunk) {
+  struct stat st;
+  if (stat(filename, &st) != 0) {
+    printf("failed to stat \"%s\": %s\n", filename, strerror(errno));
+    return NULL;
+  }
+
+  size_t sz = static_cast<size_t>(st.st_size);
+  unsigned char* img = reinterpret_cast<unsigned char*>(malloc(sz));
+  FILE* f = fopen(filename, "rb");
+  if (fread(img, 1, sz, f) != sz) {
+    printf("failed to read \"%s\" %s\n", filename, strerror(errno));
+    fclose(f);
+    return NULL;
+  }
+  fclose(f);
+
+  // look for the end-of-central-directory record.
+
+  int i;
+  for (i = st.st_size-20; i >= 0 && i > st.st_size - 65600; --i) {
+    if (img[i] == 0x50 && img[i+1] == 0x4b &&
+        img[i+2] == 0x05 && img[i+3] == 0x06) {
+      break;
+    }
+  }
+  // double-check: this archive consists of a single "disk"
+  if (!(img[i+4] == 0 && img[i+5] == 0 && img[i+6] == 0 && img[i+7] == 0)) {
+    printf("can't process multi-disk archive\n");
+    return NULL;
+  }
+
+  int cdcount = Read2(img+i+8);
+  int cdoffset = Read4(img+i+16);
+
+  ZipFileEntry* temp_entries = reinterpret_cast<ZipFileEntry*>(malloc(
+      cdcount * sizeof(ZipFileEntry)));
+  int entrycount = 0;
+
+  unsigned char* cd = img+cdoffset;
+  for (i = 0; i < cdcount; ++i) {
+    if (!(cd[0] == 0x50 && cd[1] == 0x4b && cd[2] == 0x01 && cd[3] == 0x02)) {
+      printf("bad central directory entry %d\n", i);
+      return NULL;
+    }
+
+    int clen = Read4(cd+20);   // compressed len
+    int ulen = Read4(cd+24);   // uncompressed len
+    int nlen = Read2(cd+28);   // filename len
+    int xlen = Read2(cd+30);   // extra field len
+    int mlen = Read2(cd+32);   // file comment len
+    int hoffset = Read4(cd+42);   // local header offset
+
+    char* filename = reinterpret_cast<char*>(malloc(nlen+1));
+    memcpy(filename, cd+46, nlen);
+    filename[nlen] = '\0';
+
+    int method = Read2(cd+10);
+
+    cd += 46 + nlen + xlen + mlen;
+
+    if (method != 8) {  // 8 == deflate
+      free(filename);
+      continue;
+    }
+
+    unsigned char* lh = img + hoffset;
+
+    if (!(lh[0] == 0x50 && lh[1] == 0x4b && lh[2] == 0x03 && lh[3] == 0x04)) {
+      printf("bad local file header entry %d\n", i);
+      return NULL;
+    }
+
+    if (Read2(lh+26) != nlen || memcmp(lh+30, filename, nlen) != 0) {
+      printf("central dir filename doesn't match local header\n");
+      return NULL;
+    }
+
+    xlen = Read2(lh+28);   // extra field len; might be different from CD entry?
+
+    temp_entries[entrycount].data_offset = hoffset+30+nlen+xlen;
+    temp_entries[entrycount].deflate_len = clen;
+    temp_entries[entrycount].uncomp_len = ulen;
+    temp_entries[entrycount].filename = filename;
+    ++entrycount;
+  }
+
+  qsort(temp_entries, entrycount, sizeof(ZipFileEntry), fileentry_compare);
+
+#if 0
+  printf("found %d deflated entries\n", entrycount);
+  for (i = 0; i < entrycount; ++i) {
+    printf("off %10d  len %10d unlen %10d   %p %s\n",
+           temp_entries[i].data_offset,
+           temp_entries[i].deflate_len,
+           temp_entries[i].uncomp_len,
+           temp_entries[i].filename,
+           temp_entries[i].filename);
+  }
+#endif
+
+  *num_chunks = 0;
+  *chunks = reinterpret_cast<ImageChunk*>(malloc((entrycount*2+2) * sizeof(ImageChunk)));
+  ImageChunk* curr = *chunks;
+
+  if (include_pseudo_chunk) {
+    curr->type = CHUNK_NORMAL;
+    curr->start = 0;
+    curr->len = st.st_size;
+    curr->data = img;
+    curr->filename = NULL;
+    curr->I = NULL;
+    ++curr;
+    ++*num_chunks;
+  }
+
+  int pos = 0;
+  int nextentry = 0;
+
+  while (pos < st.st_size) {
+    if (nextentry < entrycount && pos == temp_entries[nextentry].data_offset) {
+      curr->type = CHUNK_DEFLATE;
+      curr->start = pos;
+      curr->deflate_len = temp_entries[nextentry].deflate_len;
+      curr->deflate_data = img + pos;
+      curr->filename = temp_entries[nextentry].filename;
+      curr->I = NULL;
+
+      curr->len = temp_entries[nextentry].uncomp_len;
+      curr->data = reinterpret_cast<unsigned char*>(malloc(curr->len));
+
+      z_stream strm;
+      strm.zalloc = Z_NULL;
+      strm.zfree = Z_NULL;
+      strm.opaque = Z_NULL;
+      strm.avail_in = curr->deflate_len;
+      strm.next_in = curr->deflate_data;
+
+      // -15 means we are decoding a 'raw' deflate stream; zlib will
+      // not expect zlib headers.
+      int ret = inflateInit2(&strm, -15);
+
+      strm.avail_out = curr->len;
+      strm.next_out = curr->data;
+      ret = inflate(&strm, Z_NO_FLUSH);
+      if (ret != Z_STREAM_END) {
+        printf("failed to inflate \"%s\"; %d\n", curr->filename, ret);
+        return NULL;
+      }
+
+      inflateEnd(&strm);
+
+      pos += curr->deflate_len;
+      ++nextentry;
+      ++*num_chunks;
+      ++curr;
+      continue;
+    }
+
+    // use a normal chunk to take all the data up to the start of the
+    // next deflate section.
+
+    curr->type = CHUNK_NORMAL;
+    curr->start = pos;
+    if (nextentry < entrycount) {
+      curr->len = temp_entries[nextentry].data_offset - pos;
+    } else {
+      curr->len = st.st_size - pos;
+    }
+    curr->data = img + pos;
+    curr->filename = NULL;
+    curr->I = NULL;
+    pos += curr->len;
+
+    ++*num_chunks;
+    ++curr;
+  }
+
+  free(temp_entries);
+  return img;
+}
+
+/*
+ * Read the given file and break it up into chunks, putting the number
+ * of chunks and their info in *num_chunks and **chunks,
+ * respectively.  Returns a malloc'd block of memory containing the
+ * contents of the file; various pointers in the output chunk array
+ * will point into this block of memory.  The caller should free the
+ * return value when done with all the chunks.  Returns NULL on
+ * failure.
+ */
+unsigned char* ReadImage(const char* filename,
+                         int* num_chunks, ImageChunk** chunks) {
+  struct stat st;
+  if (stat(filename, &st) != 0) {
+    printf("failed to stat \"%s\": %s\n", filename, strerror(errno));
+    return NULL;
+  }
+
+  size_t sz = static_cast<size_t>(st.st_size);
+  unsigned char* img = reinterpret_cast<unsigned char*>(malloc(sz + 4));
+  FILE* f = fopen(filename, "rb");
+  if (fread(img, 1, sz, f) != sz) {
+    printf("failed to read \"%s\" %s\n", filename, strerror(errno));
+    fclose(f);
+    return NULL;
+  }
+  fclose(f);
+
+  // append 4 zero bytes to the data so we can always search for the
+  // four-byte string 1f8b0800 starting at any point in the actual
+  // file data, without special-casing the end of the data.
+  memset(img+sz, 0, 4);
+
+  size_t pos = 0;
+
+  *num_chunks = 0;
+  *chunks = NULL;
+
+  while (pos < sz) {
+    unsigned char* p = img+pos;
+
+    bool processed_deflate = false;
+    if (sz - pos >= 4 &&
+        p[0] == 0x1f && p[1] == 0x8b &&
+        p[2] == 0x08 &&    // deflate compression
+        p[3] == 0x00) {    // no header flags
+      // 'pos' is the offset of the start of a gzip chunk.
+      size_t chunk_offset = pos;
+
+      *num_chunks += 3;
+      *chunks = reinterpret_cast<ImageChunk*>(realloc(*chunks,
+          *num_chunks * sizeof(ImageChunk)));
+      ImageChunk* curr = *chunks + (*num_chunks-3);
+
+      // create a normal chunk for the header.
+      curr->start = pos;
+      curr->type = CHUNK_NORMAL;
+      curr->len = GZIP_HEADER_LEN;
+      curr->data = p;
+      curr->I = NULL;
+
+      pos += curr->len;
+      p += curr->len;
+      ++curr;
+
+      curr->type = CHUNK_DEFLATE;
+      curr->filename = NULL;
+      curr->I = NULL;
+
+      // We must decompress this chunk in order to discover where it
+      // ends, and so we can put the uncompressed data and its length
+      // into curr->data and curr->len.
+
+      size_t allocated = 32768;
+      curr->len = 0;
+      curr->data = reinterpret_cast<unsigned char*>(malloc(allocated));
+      curr->start = pos;
+      curr->deflate_data = p;
+
+      z_stream strm;
+      strm.zalloc = Z_NULL;
+      strm.zfree = Z_NULL;
+      strm.opaque = Z_NULL;
+      strm.avail_in = sz - pos;
+      strm.next_in = p;
+
+      // -15 means we are decoding a 'raw' deflate stream; zlib will
+      // not expect zlib headers.
+      int ret = inflateInit2(&strm, -15);
+
+      do {
+        strm.avail_out = allocated - curr->len;
+        strm.next_out = curr->data + curr->len;
+        ret = inflate(&strm, Z_NO_FLUSH);
+        if (ret < 0) {
+          if (!processed_deflate) {
+            // This is the first chunk, assume that it's just a spurious
+            // gzip header instead of a real one.
+            break;
+          }
+          printf("Error: inflate failed [%s] at file offset [%zu]\n"
+                 "imgdiff only supports gzip kernel compression,"
+                 " did you try CONFIG_KERNEL_LZO?\n",
+                 strm.msg, chunk_offset);
+          free(img);
+          return NULL;
+        }
+        curr->len = allocated - strm.avail_out;
+        if (strm.avail_out == 0) {
+          allocated *= 2;
+          curr->data = reinterpret_cast<unsigned char*>(realloc(curr->data, allocated));
+        }
+        processed_deflate = true;
+      } while (ret != Z_STREAM_END);
+
+      curr->deflate_len = sz - strm.avail_in - pos;
+      inflateEnd(&strm);
+      pos += curr->deflate_len;
+      p += curr->deflate_len;
+      ++curr;
+
+      // create a normal chunk for the footer
+
+      curr->type = CHUNK_NORMAL;
+      curr->start = pos;
+      curr->len = GZIP_FOOTER_LEN;
+      curr->data = img+pos;
+      curr->I = NULL;
+
+      pos += curr->len;
+      p += curr->len;
+      ++curr;
+
+      // The footer (that we just skipped over) contains the size of
+      // the uncompressed data.  Double-check to make sure that it
+      // matches the size of the data we got when we actually did
+      // the decompression.
+      size_t footer_size = Read4(p-4);
+      if (footer_size != curr[-2].len) {
+        printf("Error: footer size %zu != decompressed size %zu\n",
+            footer_size, curr[-2].len);
+        free(img);
+        return NULL;
+      }
+    } else {
+      // Reallocate the list for every chunk; we expect the number of
+      // chunks to be small (5 for typical boot and recovery images).
+      ++*num_chunks;
+      *chunks = reinterpret_cast<ImageChunk*>(realloc(*chunks, *num_chunks * sizeof(ImageChunk)));
+      ImageChunk* curr = *chunks + (*num_chunks-1);
+      curr->start = pos;
+      curr->I = NULL;
+
+      // 'pos' is not the offset of the start of a gzip chunk, so scan
+      // forward until we find a gzip header.
+      curr->type = CHUNK_NORMAL;
+      curr->data = p;
+
+      for (curr->len = 0; curr->len < (sz - pos); ++curr->len) {
+        if (p[curr->len] == 0x1f &&
+            p[curr->len+1] == 0x8b &&
+            p[curr->len+2] == 0x08 &&
+            p[curr->len+3] == 0x00) {
+          break;
+        }
+      }
+      pos += curr->len;
+    }
+  }
+
+  return img;
+}
+
+#define BUFFER_SIZE 32768
+
+/*
+ * Takes the uncompressed data stored in the chunk, compresses it
+ * using the zlib parameters stored in the chunk, and checks that it
+ * matches exactly the compressed data we started with (also stored in
+ * the chunk).  Return 0 on success.
+ */
+int TryReconstruction(ImageChunk* chunk, unsigned char* out) {
+  size_t p = 0;
+
+#if 0
+  printf("trying %d %d %d %d %d\n",
+          chunk->level, chunk->method, chunk->windowBits,
+          chunk->memLevel, chunk->strategy);
+#endif
+
+  z_stream strm;
+  strm.zalloc = Z_NULL;
+  strm.zfree = Z_NULL;
+  strm.opaque = Z_NULL;
+  strm.avail_in = chunk->len;
+  strm.next_in = chunk->data;
+  int ret;
+  ret = deflateInit2(&strm, chunk->level, chunk->method, chunk->windowBits,
+                     chunk->memLevel, chunk->strategy);
+  do {
+    strm.avail_out = BUFFER_SIZE;
+    strm.next_out = out;
+    ret = deflate(&strm, Z_FINISH);
+    size_t have = BUFFER_SIZE - strm.avail_out;
+
+    if (memcmp(out, chunk->deflate_data+p, have) != 0) {
+      // mismatch; data isn't the same.
+      deflateEnd(&strm);
+      return -1;
+    }
+    p += have;
+  } while (ret != Z_STREAM_END);
+  deflateEnd(&strm);
+  if (p != chunk->deflate_len) {
+    // mismatch; ran out of data before we should have.
+    return -1;
+  }
+  return 0;
+}
+
+/*
+ * Verify that we can reproduce exactly the same compressed data that
+ * we started with.  Sets the level, method, windowBits, memLevel, and
+ * strategy fields in the chunk to the encoding parameters needed to
+ * produce the right output.  Returns 0 on success.
+ */
+int ReconstructDeflateChunk(ImageChunk* chunk) {
+  if (chunk->type != CHUNK_DEFLATE) {
+    printf("attempt to reconstruct non-deflate chunk\n");
+    return -1;
+  }
+
+  size_t p = 0;
+  unsigned char* out = reinterpret_cast<unsigned char*>(malloc(BUFFER_SIZE));
+
+  // We only check two combinations of encoder parameters:  level 6
+  // (the default) and level 9 (the maximum).
+  for (chunk->level = 6; chunk->level <= 9; chunk->level += 3) {
+    chunk->windowBits = -15;  // 32kb window; negative to indicate a raw stream.
+    chunk->memLevel = 8;      // the default value.
+    chunk->method = Z_DEFLATED;
+    chunk->strategy = Z_DEFAULT_STRATEGY;
+
+    if (TryReconstruction(chunk, out) == 0) {
+      free(out);
+      return 0;
+    }
+  }
+
+  free(out);
+  return -1;
+}
+
+/*
+ * Given source and target chunks, compute a bsdiff patch between them
+ * by running bsdiff in a subprocess.  Return the patch data, placing
+ * its length in *size.  Return NULL on failure.  We expect the bsdiff
+ * program to be in the path.
+ */
+unsigned char* MakePatch(ImageChunk* src, ImageChunk* tgt, size_t* size) {
+  if (tgt->type == CHUNK_NORMAL) {
+    if (tgt->len <= 160) {
+      tgt->type = CHUNK_RAW;
+      *size = tgt->len;
+      return tgt->data;
+    }
+  }
+
+  char ptemp[] = "/tmp/imgdiff-patch-XXXXXX";
+  int fd = mkstemp(ptemp);
+
+  if (fd == -1) {
+    printf("MakePatch failed to create a temporary file: %s\n",
+           strerror(errno));
+    return NULL;
+  }
+  close(fd); // temporary file is created and we don't need its file
+             // descriptor
+
+  int r = bsdiff(src->data, src->len, &(src->I), tgt->data, tgt->len, ptemp);
+  if (r != 0) {
+    printf("bsdiff() failed: %d\n", r);
+    return NULL;
+  }
+
+  struct stat st;
+  if (stat(ptemp, &st) != 0) {
+    printf("failed to stat patch file %s: %s\n",
+            ptemp, strerror(errno));
+    return NULL;
+  }
+
+  size_t sz = static_cast<size_t>(st.st_size);
+  // TODO: Memory leak on error return.
+  unsigned char* data = reinterpret_cast<unsigned char*>(malloc(sz));
+
+  if (tgt->type == CHUNK_NORMAL && tgt->len <= sz) {
+    unlink(ptemp);
+
+    tgt->type = CHUNK_RAW;
+    *size = tgt->len;
+    return tgt->data;
+  }
+
+  *size = sz;
+
+  FILE* f = fopen(ptemp, "rb");
+  if (f == NULL) {
+    printf("failed to open patch %s: %s\n", ptemp, strerror(errno));
+    return NULL;
+  }
+  if (fread(data, 1, sz, f) != sz) {
+    printf("failed to read patch %s: %s\n", ptemp, strerror(errno));
+    return NULL;
+  }
+  fclose(f);
+
+  unlink(ptemp);
+
+  tgt->source_start = src->start;
+  switch (tgt->type) {
+    case CHUNK_NORMAL:
+      tgt->source_len = src->len;
+      break;
+    case CHUNK_DEFLATE:
+      tgt->source_len = src->deflate_len;
+      tgt->source_uncompressed_len = src->len;
+      break;
+  }
+
+  return data;
+}
+
+/*
+ * Cause a gzip chunk to be treated as a normal chunk (ie, as a blob
+ * of uninterpreted data).  The resulting patch will likely be about
+ * as big as the target file, but it lets us handle the case of images
+ * where some gzip chunks are reconstructible but others aren't (by
+ * treating the ones that aren't as normal chunks).
+ */
+void ChangeDeflateChunkToNormal(ImageChunk* ch) {
+  if (ch->type != CHUNK_DEFLATE) return;
+  ch->type = CHUNK_NORMAL;
+  free(ch->data);
+  ch->data = ch->deflate_data;
+  ch->len = ch->deflate_len;
+}
+
+/*
+ * Return true if the data in the chunk is identical (including the
+ * compressed representation, for gzip chunks).
+ */
+int AreChunksEqual(ImageChunk* a, ImageChunk* b) {
+    if (a->type != b->type) return 0;
+
+    switch (a->type) {
+        case CHUNK_NORMAL:
+            return a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
+
+        case CHUNK_DEFLATE:
+            return a->deflate_len == b->deflate_len &&
+                memcmp(a->deflate_data, b->deflate_data, a->deflate_len) == 0;
+
+        default:
+            printf("unknown chunk type %d\n", a->type);
+            return 0;
+    }
+}
+
+/*
+ * Look for runs of adjacent normal chunks and compress them down into
+ * a single chunk.  (Such runs can be produced when deflate chunks are
+ * changed to normal chunks.)
+ */
+void MergeAdjacentNormalChunks(ImageChunk* chunks, int* num_chunks) {
+  int out = 0;
+  int in_start = 0, in_end;
+  while (in_start < *num_chunks) {
+    if (chunks[in_start].type != CHUNK_NORMAL) {
+      in_end = in_start+1;
+    } else {
+      // in_start is a normal chunk.  Look for a run of normal chunks
+      // that constitute a solid block of data (ie, each chunk begins
+      // where the previous one ended).
+      for (in_end = in_start+1;
+           in_end < *num_chunks && chunks[in_end].type == CHUNK_NORMAL &&
+             (chunks[in_end].start ==
+              chunks[in_end-1].start + chunks[in_end-1].len &&
+              chunks[in_end].data ==
+              chunks[in_end-1].data + chunks[in_end-1].len);
+           ++in_end);
+    }
+
+    if (in_end == in_start+1) {
+#if 0
+      printf("chunk %d is now %d\n", in_start, out);
+#endif
+      if (out != in_start) {
+        memcpy(chunks+out, chunks+in_start, sizeof(ImageChunk));
+      }
+    } else {
+#if 0
+      printf("collapse normal chunks %d-%d into %d\n", in_start, in_end-1, out);
+#endif
+
+      // Merge chunks [in_start, in_end-1] into one chunk.  Since the
+      // data member of each chunk is just a pointer into an in-memory
+      // copy of the file, this can be done without recopying (the
+      // output chunk has the first chunk's start location and data
+      // pointer, and length equal to the sum of the input chunk
+      // lengths).
+      chunks[out].type = CHUNK_NORMAL;
+      chunks[out].start = chunks[in_start].start;
+      chunks[out].data = chunks[in_start].data;
+      chunks[out].len = chunks[in_end-1].len +
+        (chunks[in_end-1].start - chunks[in_start].start);
+    }
+
+    ++out;
+    in_start = in_end;
+  }
+  *num_chunks = out;
+}
+
+ImageChunk* FindChunkByName(const char* name,
+                            ImageChunk* chunks, int num_chunks) {
+  int i;
+  for (i = 0; i < num_chunks; ++i) {
+    if (chunks[i].type == CHUNK_DEFLATE && chunks[i].filename &&
+        strcmp(name, chunks[i].filename) == 0) {
+      return chunks+i;
+    }
+  }
+  return NULL;
+}
+
+void DumpChunks(ImageChunk* chunks, int num_chunks) {
+    for (int i = 0; i < num_chunks; ++i) {
+        printf("chunk %d: type %d start %zu len %zu\n",
+               i, chunks[i].type, chunks[i].start, chunks[i].len);
+    }
+}
+
+int main(int argc, char** argv) {
+  int zip_mode = 0;
+
+  if (argc >= 2 && strcmp(argv[1], "-z") == 0) {
+    zip_mode = 1;
+    --argc;
+    ++argv;
+  }
+
+  size_t bonus_size = 0;
+  unsigned char* bonus_data = NULL;
+  if (argc >= 3 && strcmp(argv[1], "-b") == 0) {
+    struct stat st;
+    if (stat(argv[2], &st) != 0) {
+      printf("failed to stat bonus file %s: %s\n", argv[2], strerror(errno));
+      return 1;
+    }
+    bonus_size = st.st_size;
+    bonus_data = reinterpret_cast<unsigned char*>(malloc(bonus_size));
+    FILE* f = fopen(argv[2], "rb");
+    if (f == NULL) {
+      printf("failed to open bonus file %s: %s\n", argv[2], strerror(errno));
+      return 1;
+    }
+    if (fread(bonus_data, 1, bonus_size, f) != bonus_size) {
+      printf("failed to read bonus file %s: %s\n", argv[2], strerror(errno));
+      return 1;
+    }
+    fclose(f);
+
+    argc -= 2;
+    argv += 2;
+  }
+
+  if (argc != 4) {
+    usage:
+    printf("usage: %s [-z] [-b <bonus-file>] <src-img> <tgt-img> <patch-file>\n",
+            argv[0]);
+    return 2;
+  }
+
+  int num_src_chunks;
+  ImageChunk* src_chunks;
+  int num_tgt_chunks;
+  ImageChunk* tgt_chunks;
+  int i;
+
+  if (zip_mode) {
+    if (ReadZip(argv[1], &num_src_chunks, &src_chunks, 1) == NULL) {
+      printf("failed to break apart source zip file\n");
+      return 1;
+    }
+    if (ReadZip(argv[2], &num_tgt_chunks, &tgt_chunks, 0) == NULL) {
+      printf("failed to break apart target zip file\n");
+      return 1;
+    }
+  } else {
+    if (ReadImage(argv[1], &num_src_chunks, &src_chunks) == NULL) {
+      printf("failed to break apart source image\n");
+      return 1;
+    }
+    if (ReadImage(argv[2], &num_tgt_chunks, &tgt_chunks) == NULL) {
+      printf("failed to break apart target image\n");
+      return 1;
+    }
+
+    // Verify that the source and target images have the same chunk
+    // structure (ie, the same sequence of deflate and normal chunks).
+
+    if (!zip_mode) {
+        // Merge the gzip header and footer in with any adjacent
+        // normal chunks.
+        MergeAdjacentNormalChunks(tgt_chunks, &num_tgt_chunks);
+        MergeAdjacentNormalChunks(src_chunks, &num_src_chunks);
+    }
+
+    if (num_src_chunks != num_tgt_chunks) {
+      printf("source and target don't have same number of chunks!\n");
+      printf("source chunks:\n");
+      DumpChunks(src_chunks, num_src_chunks);
+      printf("target chunks:\n");
+      DumpChunks(tgt_chunks, num_tgt_chunks);
+      return 1;
+    }
+    for (i = 0; i < num_src_chunks; ++i) {
+      if (src_chunks[i].type != tgt_chunks[i].type) {
+        printf("source and target don't have same chunk "
+                "structure! (chunk %d)\n", i);
+        printf("source chunks:\n");
+        DumpChunks(src_chunks, num_src_chunks);
+        printf("target chunks:\n");
+        DumpChunks(tgt_chunks, num_tgt_chunks);
+        return 1;
+      }
+    }
+  }
+
+  for (i = 0; i < num_tgt_chunks; ++i) {
+    if (tgt_chunks[i].type == CHUNK_DEFLATE) {
+      // Confirm that given the uncompressed chunk data in the target, we
+      // can recompress it and get exactly the same bits as are in the
+      // input target image.  If this fails, treat the chunk as a normal
+      // non-deflated chunk.
+      if (ReconstructDeflateChunk(tgt_chunks+i) < 0) {
+        printf("failed to reconstruct target deflate chunk %d [%s]; "
+               "treating as normal\n", i, tgt_chunks[i].filename);
+        ChangeDeflateChunkToNormal(tgt_chunks+i);
+        if (zip_mode) {
+          ImageChunk* src = FindChunkByName(tgt_chunks[i].filename, src_chunks, num_src_chunks);
+          if (src) {
+            ChangeDeflateChunkToNormal(src);
+          }
+        } else {
+          ChangeDeflateChunkToNormal(src_chunks+i);
+        }
+        continue;
+      }
+
+      // If two deflate chunks are identical (eg, the kernel has not
+      // changed between two builds), treat them as normal chunks.
+      // This makes applypatch much faster -- it can apply a trivial
+      // patch to the compressed data, rather than uncompressing and
+      // recompressing to apply the trivial patch to the uncompressed
+      // data.
+      ImageChunk* src;
+      if (zip_mode) {
+        src = FindChunkByName(tgt_chunks[i].filename, src_chunks, num_src_chunks);
+      } else {
+        src = src_chunks+i;
+      }
+
+      if (src == NULL || AreChunksEqual(tgt_chunks+i, src)) {
+        ChangeDeflateChunkToNormal(tgt_chunks+i);
+        if (src) {
+          ChangeDeflateChunkToNormal(src);
+        }
+      }
+    }
+  }
+
+  // Merging neighboring normal chunks.
+  if (zip_mode) {
+    // For zips, we only need to do this to the target:  deflated
+    // chunks are matched via filename, and normal chunks are patched
+    // using the entire source file as the source.
+    MergeAdjacentNormalChunks(tgt_chunks, &num_tgt_chunks);
+  } else {
+    // For images, we need to maintain the parallel structure of the
+    // chunk lists, so do the merging in both the source and target
+    // lists.
+    MergeAdjacentNormalChunks(tgt_chunks, &num_tgt_chunks);
+    MergeAdjacentNormalChunks(src_chunks, &num_src_chunks);
+    if (num_src_chunks != num_tgt_chunks) {
+      // This shouldn't happen.
+      printf("merging normal chunks went awry\n");
+      return 1;
+    }
+  }
+
+  // Compute bsdiff patches for each chunk's data (the uncompressed
+  // data, in the case of deflate chunks).
+
+  DumpChunks(src_chunks, num_src_chunks);
+
+  printf("Construct patches for %d chunks...\n", num_tgt_chunks);
+  unsigned char** patch_data = reinterpret_cast<unsigned char**>(malloc(
+      num_tgt_chunks * sizeof(unsigned char*)));
+  size_t* patch_size = reinterpret_cast<size_t*>(malloc(num_tgt_chunks * sizeof(size_t)));
+  for (i = 0; i < num_tgt_chunks; ++i) {
+    if (zip_mode) {
+      ImageChunk* src;
+      if (tgt_chunks[i].type == CHUNK_DEFLATE &&
+          (src = FindChunkByName(tgt_chunks[i].filename, src_chunks,
+                                 num_src_chunks))) {
+        patch_data[i] = MakePatch(src, tgt_chunks+i, patch_size+i);
+      } else {
+        patch_data[i] = MakePatch(src_chunks, tgt_chunks+i, patch_size+i);
+      }
+    } else {
+      if (i == 1 && bonus_data) {
+        printf("  using %zu bytes of bonus data for chunk %d\n", bonus_size, i);
+        src_chunks[i].data = reinterpret_cast<unsigned char*>(realloc(src_chunks[i].data,
+            src_chunks[i].len + bonus_size));
+        memcpy(src_chunks[i].data+src_chunks[i].len, bonus_data, bonus_size);
+        src_chunks[i].len += bonus_size;
+     }
+
+      patch_data[i] = MakePatch(src_chunks+i, tgt_chunks+i, patch_size+i);
+    }
+    printf("patch %3d is %zu bytes (of %zu)\n",
+           i, patch_size[i], tgt_chunks[i].source_len);
+  }
+
+  // Figure out how big the imgdiff file header is going to be, so
+  // that we can correctly compute the offset of each bsdiff patch
+  // within the file.
+
+  size_t total_header_size = 12;
+  for (i = 0; i < num_tgt_chunks; ++i) {
+    total_header_size += 4;
+    switch (tgt_chunks[i].type) {
+      case CHUNK_NORMAL:
+        total_header_size += 8*3;
+        break;
+      case CHUNK_DEFLATE:
+        total_header_size += 8*5 + 4*5;
+        break;
+      case CHUNK_RAW:
+        total_header_size += 4 + patch_size[i];
+        break;
+    }
+  }
+
+  size_t offset = total_header_size;
+
+  FILE* f = fopen(argv[3], "wb");
+
+  // Write out the headers.
+
+  fwrite("IMGDIFF2", 1, 8, f);
+  Write4(num_tgt_chunks, f);
+  for (i = 0; i < num_tgt_chunks; ++i) {
+    Write4(tgt_chunks[i].type, f);
+
+    switch (tgt_chunks[i].type) {
+      case CHUNK_NORMAL:
+        printf("chunk %3d: normal   (%10zu, %10zu)  %10zu\n", i,
+               tgt_chunks[i].start, tgt_chunks[i].len, patch_size[i]);
+        Write8(tgt_chunks[i].source_start, f);
+        Write8(tgt_chunks[i].source_len, f);
+        Write8(offset, f);
+        offset += patch_size[i];
+        break;
+
+      case CHUNK_DEFLATE:
+        printf("chunk %3d: deflate  (%10zu, %10zu)  %10zu  %s\n", i,
+               tgt_chunks[i].start, tgt_chunks[i].deflate_len, patch_size[i],
+               tgt_chunks[i].filename);
+        Write8(tgt_chunks[i].source_start, f);
+        Write8(tgt_chunks[i].source_len, f);
+        Write8(offset, f);
+        Write8(tgt_chunks[i].source_uncompressed_len, f);
+        Write8(tgt_chunks[i].len, f);
+        Write4(tgt_chunks[i].level, f);
+        Write4(tgt_chunks[i].method, f);
+        Write4(tgt_chunks[i].windowBits, f);
+        Write4(tgt_chunks[i].memLevel, f);
+        Write4(tgt_chunks[i].strategy, f);
+        offset += patch_size[i];
+        break;
+
+      case CHUNK_RAW:
+        printf("chunk %3d: raw      (%10zu, %10zu)\n", i,
+               tgt_chunks[i].start, tgt_chunks[i].len);
+        Write4(patch_size[i], f);
+        fwrite(patch_data[i], 1, patch_size[i], f);
+        break;
+    }
+  }
+
+  // Append each chunk's bsdiff patch, in order.
+
+  for (i = 0; i < num_tgt_chunks; ++i) {
+    if (tgt_chunks[i].type != CHUNK_RAW) {
+      fwrite(patch_data[i], 1, patch_size[i], f);
+    }
+  }
+
+  fclose(f);
+
+  return 0;
+}
diff --git a/applypatch/imgpatch.c b/applypatch/imgpatch.c
deleted file mode 100644
index 09b0a73..0000000
--- a/applypatch/imgpatch.c
+++ /dev/null
@@ -1,234 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-// See imgdiff.c in this directory for a description of the patch file
-// format.
-
-#include <stdio.h>
-#include <sys/cdefs.h>
-#include <sys/stat.h>
-#include <errno.h>
-#include <malloc.h>
-#include <unistd.h>
-#include <string.h>
-
-#include "zlib.h"
-#include "mincrypt/sha.h"
-#include "applypatch.h"
-#include "imgdiff.h"
-#include "utils.h"
-
-/*
- * Apply the patch given in 'patch_filename' to the source data given
- * by (old_data, old_size).  Write the patched output to the 'output'
- * file, and update the SHA context with the output data as well.
- * Return 0 on success.
- */
-int ApplyImagePatch(const unsigned char* old_data, ssize_t old_size __unused,
-                    const Value* patch,
-                    SinkFn sink, void* token, SHA_CTX* ctx,
-                    const Value* bonus_data) {
-    ssize_t pos = 12;
-    char* header = patch->data;
-    if (patch->size < 12) {
-        printf("patch too short to contain header\n");
-        return -1;
-    }
-
-    // IMGDIFF2 uses CHUNK_NORMAL, CHUNK_DEFLATE, and CHUNK_RAW.
-    // (IMGDIFF1, which is no longer supported, used CHUNK_NORMAL and
-    // CHUNK_GZIP.)
-    if (memcmp(header, "IMGDIFF2", 8) != 0) {
-        printf("corrupt patch file header (magic number)\n");
-        return -1;
-    }
-
-    int num_chunks = Read4(header+8);
-
-    int i;
-    for (i = 0; i < num_chunks; ++i) {
-        // each chunk's header record starts with 4 bytes.
-        if (pos + 4 > patch->size) {
-            printf("failed to read chunk %d record\n", i);
-            return -1;
-        }
-        int type = Read4(patch->data + pos);
-        pos += 4;
-
-        if (type == CHUNK_NORMAL) {
-            char* normal_header = patch->data + pos;
-            pos += 24;
-            if (pos > patch->size) {
-                printf("failed to read chunk %d normal header data\n", i);
-                return -1;
-            }
-
-            size_t src_start = Read8(normal_header);
-            size_t src_len = Read8(normal_header+8);
-            size_t patch_offset = Read8(normal_header+16);
-
-            ApplyBSDiffPatch(old_data + src_start, src_len,
-                             patch, patch_offset, sink, token, ctx);
-        } else if (type == CHUNK_RAW) {
-            char* raw_header = patch->data + pos;
-            pos += 4;
-            if (pos > patch->size) {
-                printf("failed to read chunk %d raw header data\n", i);
-                return -1;
-            }
-
-            ssize_t data_len = Read4(raw_header);
-
-            if (pos + data_len > patch->size) {
-                printf("failed to read chunk %d raw data\n", i);
-                return -1;
-            }
-            if (ctx) SHA_update(ctx, patch->data + pos, data_len);
-            if (sink((unsigned char*)patch->data + pos,
-                     data_len, token) != data_len) {
-                printf("failed to write chunk %d raw data\n", i);
-                return -1;
-            }
-            pos += data_len;
-        } else if (type == CHUNK_DEFLATE) {
-            // deflate chunks have an additional 60 bytes in their chunk header.
-            char* deflate_header = patch->data + pos;
-            pos += 60;
-            if (pos > patch->size) {
-                printf("failed to read chunk %d deflate header data\n", i);
-                return -1;
-            }
-
-            size_t src_start = Read8(deflate_header);
-            size_t src_len = Read8(deflate_header+8);
-            size_t patch_offset = Read8(deflate_header+16);
-            size_t expanded_len = Read8(deflate_header+24);
-            size_t target_len = Read8(deflate_header+32);
-            int level = Read4(deflate_header+40);
-            int method = Read4(deflate_header+44);
-            int windowBits = Read4(deflate_header+48);
-            int memLevel = Read4(deflate_header+52);
-            int strategy = Read4(deflate_header+56);
-
-            // Decompress the source data; the chunk header tells us exactly
-            // how big we expect it to be when decompressed.
-
-            // Note: expanded_len will include the bonus data size if
-            // the patch was constructed with bonus data.  The
-            // deflation will come up 'bonus_size' bytes short; these
-            // must be appended from the bonus_data value.
-            size_t bonus_size = (i == 1 && bonus_data != NULL) ? bonus_data->size : 0;
-
-            unsigned char* expanded_source = malloc(expanded_len);
-            if (expanded_source == NULL) {
-                printf("failed to allocate %zu bytes for expanded_source\n",
-                       expanded_len);
-                return -1;
-            }
-
-            z_stream strm;
-            strm.zalloc = Z_NULL;
-            strm.zfree = Z_NULL;
-            strm.opaque = Z_NULL;
-            strm.avail_in = src_len;
-            strm.next_in = (unsigned char*)(old_data + src_start);
-            strm.avail_out = expanded_len;
-            strm.next_out = expanded_source;
-
-            int ret;
-            ret = inflateInit2(&strm, -15);
-            if (ret != Z_OK) {
-                printf("failed to init source inflation: %d\n", ret);
-                return -1;
-            }
-
-            // Because we've provided enough room to accommodate the output
-            // data, we expect one call to inflate() to suffice.
-            ret = inflate(&strm, Z_SYNC_FLUSH);
-            if (ret != Z_STREAM_END) {
-                printf("source inflation returned %d\n", ret);
-                return -1;
-            }
-            // We should have filled the output buffer exactly, except
-            // for the bonus_size.
-            if (strm.avail_out != bonus_size) {
-                printf("source inflation short by %zu bytes\n", strm.avail_out-bonus_size);
-                return -1;
-            }
-            inflateEnd(&strm);
-
-            if (bonus_size) {
-                memcpy(expanded_source + (expanded_len - bonus_size),
-                       bonus_data->data, bonus_size);
-            }
-
-            // Next, apply the bsdiff patch (in memory) to the uncompressed
-            // data.
-            unsigned char* uncompressed_target_data;
-            ssize_t uncompressed_target_size;
-            if (ApplyBSDiffPatchMem(expanded_source, expanded_len,
-                                    patch, patch_offset,
-                                    &uncompressed_target_data,
-                                    &uncompressed_target_size) != 0) {
-                return -1;
-            }
-
-            // Now compress the target data and append it to the output.
-
-            // we're done with the expanded_source data buffer, so we'll
-            // reuse that memory to receive the output of deflate.
-            unsigned char* temp_data = expanded_source;
-            ssize_t temp_size = expanded_len;
-            if (temp_size < 32768) {
-                // ... unless the buffer is too small, in which case we'll
-                // allocate a fresh one.
-                free(temp_data);
-                temp_data = malloc(32768);
-                temp_size = 32768;
-            }
-
-            // now the deflate stream
-            strm.zalloc = Z_NULL;
-            strm.zfree = Z_NULL;
-            strm.opaque = Z_NULL;
-            strm.avail_in = uncompressed_target_size;
-            strm.next_in = uncompressed_target_data;
-            ret = deflateInit2(&strm, level, method, windowBits, memLevel, strategy);
-            do {
-                strm.avail_out = temp_size;
-                strm.next_out = temp_data;
-                ret = deflate(&strm, Z_FINISH);
-                ssize_t have = temp_size - strm.avail_out;
-
-                if (sink(temp_data, have, token) != have) {
-                    printf("failed to write %ld compressed bytes to output\n",
-                           (long)have);
-                    return -1;
-                }
-                if (ctx) SHA_update(ctx, temp_data, have);
-            } while (ret != Z_STREAM_END);
-            deflateEnd(&strm);
-
-            free(temp_data);
-            free(uncompressed_target_data);
-        } else {
-            printf("patch chunk %d is unknown type %d\n", i, type);
-            return -1;
-        }
-    }
-
-    return 0;
-}
diff --git a/applypatch/imgpatch.cpp b/applypatch/imgpatch.cpp
new file mode 100644
index 0000000..d175d63
--- /dev/null
+++ b/applypatch/imgpatch.cpp
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// See imgdiff.c in this directory for a description of the patch file
+// format.
+
+#include <stdio.h>
+#include <sys/cdefs.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <unistd.h>
+#include <string.h>
+
+#include <vector>
+
+#include "zlib.h"
+#include "openssl/sha.h"
+#include "applypatch.h"
+#include "imgdiff.h"
+#include "utils.h"
+
+int ApplyImagePatch(const unsigned char* old_data, ssize_t old_size,
+                    const unsigned char* patch_data, ssize_t patch_size,
+                    SinkFn sink, void* token) {
+  Value patch = {VAL_BLOB, patch_size,
+      reinterpret_cast<char*>(const_cast<unsigned char*>(patch_data))};
+  return ApplyImagePatch(
+      old_data, old_size, &patch, sink, token, nullptr, nullptr);
+}
+
+/*
+ * Apply the patch given in 'patch_filename' to the source data given
+ * by (old_data, old_size).  Write the patched output to the 'output'
+ * file, and update the SHA context with the output data as well.
+ * Return 0 on success.
+ */
+int ApplyImagePatch(const unsigned char* old_data, ssize_t old_size,
+                    const Value* patch,
+                    SinkFn sink, void* token, SHA_CTX* ctx,
+                    const Value* bonus_data) {
+    ssize_t pos = 12;
+    char* header = patch->data;
+    if (patch->size < 12) {
+        printf("patch too short to contain header\n");
+        return -1;
+    }
+
+    // IMGDIFF2 uses CHUNK_NORMAL, CHUNK_DEFLATE, and CHUNK_RAW.
+    // (IMGDIFF1, which is no longer supported, used CHUNK_NORMAL and
+    // CHUNK_GZIP.)
+    if (memcmp(header, "IMGDIFF2", 8) != 0) {
+        printf("corrupt patch file header (magic number)\n");
+        return -1;
+    }
+
+    int num_chunks = Read4(header+8);
+
+    int i;
+    for (i = 0; i < num_chunks; ++i) {
+        // each chunk's header record starts with 4 bytes.
+        if (pos + 4 > patch->size) {
+            printf("failed to read chunk %d record\n", i);
+            return -1;
+        }
+        int type = Read4(patch->data + pos);
+        pos += 4;
+
+        if (type == CHUNK_NORMAL) {
+            char* normal_header = patch->data + pos;
+            pos += 24;
+            if (pos > patch->size) {
+                printf("failed to read chunk %d normal header data\n", i);
+                return -1;
+            }
+
+            size_t src_start = Read8(normal_header);
+            size_t src_len = Read8(normal_header+8);
+            size_t patch_offset = Read8(normal_header+16);
+
+            if (src_start + src_len > static_cast<size_t>(old_size)) {
+                printf("source data too short\n");
+                return -1;
+            }
+            ApplyBSDiffPatch(old_data + src_start, src_len,
+                             patch, patch_offset, sink, token, ctx);
+        } else if (type == CHUNK_RAW) {
+            char* raw_header = patch->data + pos;
+            pos += 4;
+            if (pos > patch->size) {
+                printf("failed to read chunk %d raw header data\n", i);
+                return -1;
+            }
+
+            ssize_t data_len = Read4(raw_header);
+
+            if (pos + data_len > patch->size) {
+                printf("failed to read chunk %d raw data\n", i);
+                return -1;
+            }
+            if (ctx) SHA1_Update(ctx, patch->data + pos, data_len);
+            if (sink((unsigned char*)patch->data + pos,
+                     data_len, token) != data_len) {
+                printf("failed to write chunk %d raw data\n", i);
+                return -1;
+            }
+            pos += data_len;
+        } else if (type == CHUNK_DEFLATE) {
+            // deflate chunks have an additional 60 bytes in their chunk header.
+            char* deflate_header = patch->data + pos;
+            pos += 60;
+            if (pos > patch->size) {
+                printf("failed to read chunk %d deflate header data\n", i);
+                return -1;
+            }
+
+            size_t src_start = Read8(deflate_header);
+            size_t src_len = Read8(deflate_header+8);
+            size_t patch_offset = Read8(deflate_header+16);
+            size_t expanded_len = Read8(deflate_header+24);
+            int level = Read4(deflate_header+40);
+            int method = Read4(deflate_header+44);
+            int windowBits = Read4(deflate_header+48);
+            int memLevel = Read4(deflate_header+52);
+            int strategy = Read4(deflate_header+56);
+
+            if (src_start + src_len > static_cast<size_t>(old_size)) {
+                printf("source data too short\n");
+                return -1;
+            }
+
+            // Decompress the source data; the chunk header tells us exactly
+            // how big we expect it to be when decompressed.
+
+            // Note: expanded_len will include the bonus data size if
+            // the patch was constructed with bonus data.  The
+            // deflation will come up 'bonus_size' bytes short; these
+            // must be appended from the bonus_data value.
+            size_t bonus_size = (i == 1 && bonus_data != NULL) ? bonus_data->size : 0;
+
+            std::vector<unsigned char> expanded_source(expanded_len);
+
+            // inflate() doesn't like strm.next_out being a nullptr even with
+            // avail_out being zero (Z_STREAM_ERROR).
+            if (expanded_len != 0) {
+                z_stream strm;
+                strm.zalloc = Z_NULL;
+                strm.zfree = Z_NULL;
+                strm.opaque = Z_NULL;
+                strm.avail_in = src_len;
+                strm.next_in = (unsigned char*)(old_data + src_start);
+                strm.avail_out = expanded_len;
+                strm.next_out = expanded_source.data();
+
+                int ret;
+                ret = inflateInit2(&strm, -15);
+                if (ret != Z_OK) {
+                    printf("failed to init source inflation: %d\n", ret);
+                    return -1;
+                }
+
+                // Because we've provided enough room to accommodate the output
+                // data, we expect one call to inflate() to suffice.
+                ret = inflate(&strm, Z_SYNC_FLUSH);
+                if (ret != Z_STREAM_END) {
+                    printf("source inflation returned %d\n", ret);
+                    return -1;
+                }
+                // We should have filled the output buffer exactly, except
+                // for the bonus_size.
+                if (strm.avail_out != bonus_size) {
+                    printf("source inflation short by %zu bytes\n", strm.avail_out-bonus_size);
+                    return -1;
+                }
+                inflateEnd(&strm);
+
+                if (bonus_size) {
+                    memcpy(expanded_source.data() + (expanded_len - bonus_size),
+                           bonus_data->data, bonus_size);
+                }
+            }
+
+            // Next, apply the bsdiff patch (in memory) to the uncompressed
+            // data.
+            std::vector<unsigned char> uncompressed_target_data;
+            if (ApplyBSDiffPatchMem(expanded_source.data(), expanded_len,
+                                    patch, patch_offset,
+                                    &uncompressed_target_data) != 0) {
+                return -1;
+            }
+
+            // Now compress the target data and append it to the output.
+
+            // we're done with the expanded_source data buffer, so we'll
+            // reuse that memory to receive the output of deflate.
+            if (expanded_source.size() < 32768U) {
+                expanded_source.resize(32768U);
+            }
+
+            {
+                std::vector<unsigned char>& temp_data = expanded_source;
+
+                // now the deflate stream
+                z_stream strm;
+                strm.zalloc = Z_NULL;
+                strm.zfree = Z_NULL;
+                strm.opaque = Z_NULL;
+                strm.avail_in = uncompressed_target_data.size();
+                strm.next_in = uncompressed_target_data.data();
+                int ret = deflateInit2(&strm, level, method, windowBits, memLevel, strategy);
+                if (ret != Z_OK) {
+                    printf("failed to init uncompressed data deflation: %d\n", ret);
+                    return -1;
+                }
+                do {
+                    strm.avail_out = temp_data.size();
+                    strm.next_out = temp_data.data();
+                    ret = deflate(&strm, Z_FINISH);
+                    ssize_t have = temp_data.size() - strm.avail_out;
+
+                    if (sink(temp_data.data(), have, token) != have) {
+                        printf("failed to write %ld compressed bytes to output\n",
+                               (long)have);
+                        return -1;
+                    }
+                    if (ctx) SHA1_Update(ctx, temp_data.data(), have);
+                } while (ret != Z_STREAM_END);
+                deflateEnd(&strm);
+            }
+        } else {
+            printf("patch chunk %d is unknown type %d\n", i, type);
+            return -1;
+        }
+    }
+
+    return 0;
+}
diff --git a/applypatch/include/applypatch/imgpatch.h b/applypatch/include/applypatch/imgpatch.h
new file mode 100644
index 0000000..64d9aa9
--- /dev/null
+++ b/applypatch/include/applypatch/imgpatch.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _IMGPATCH_H
+#define _IMGPATCH_H
+
+typedef ssize_t (*SinkFn)(const unsigned char*, ssize_t, void*);
+
+int ApplyImagePatch(const unsigned char* old_data, ssize_t old_size,
+                    const unsigned char* patch_data, ssize_t patch_size,
+                    SinkFn sink, void* token);
+
+#endif  //_IMGPATCH_H
diff --git a/applypatch/main.c b/applypatch/main.c
deleted file mode 100644
index 8e9fe80..0000000
--- a/applypatch/main.c
+++ /dev/null
@@ -1,214 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "applypatch.h"
-#include "edify/expr.h"
-#include "mincrypt/sha.h"
-
-int CheckMode(int argc, char** argv) {
-    if (argc < 3) {
-        return 2;
-    }
-    return applypatch_check(argv[2], argc-3, argv+3);
-}
-
-int SpaceMode(int argc, char** argv) {
-    if (argc != 3) {
-        return 2;
-    }
-    char* endptr;
-    size_t bytes = strtol(argv[2], &endptr, 10);
-    if (bytes == 0 && endptr == argv[2]) {
-        printf("can't parse \"%s\" as byte count\n\n", argv[2]);
-        return 1;
-    }
-    return CacheSizeCheck(bytes);
-}
-
-// Parse arguments (which should be of the form "<sha1>" or
-// "<sha1>:<filename>" into the new parallel arrays *sha1s and
-// *patches (loading file contents into the patches).  Returns 0 on
-// success.
-static int ParsePatchArgs(int argc, char** argv,
-                          char*** sha1s, Value*** patches, int* num_patches) {
-    *num_patches = argc;
-    *sha1s = malloc(*num_patches * sizeof(char*));
-    *patches = malloc(*num_patches * sizeof(Value*));
-    memset(*patches, 0, *num_patches * sizeof(Value*));
-
-    uint8_t digest[SHA_DIGEST_SIZE];
-
-    int i;
-    for (i = 0; i < *num_patches; ++i) {
-        char* colon = strchr(argv[i], ':');
-        if (colon != NULL) {
-            *colon = '\0';
-            ++colon;
-        }
-
-        if (ParseSha1(argv[i], digest) != 0) {
-            printf("failed to parse sha1 \"%s\"\n", argv[i]);
-            return -1;
-        }
-
-        (*sha1s)[i] = argv[i];
-        if (colon == NULL) {
-            (*patches)[i] = NULL;
-        } else {
-            FileContents fc;
-            if (LoadFileContents(colon, &fc) != 0) {
-                goto abort;
-            }
-            (*patches)[i] = malloc(sizeof(Value));
-            (*patches)[i]->type = VAL_BLOB;
-            (*patches)[i]->size = fc.size;
-            (*patches)[i]->data = (char*)fc.data;
-        }
-    }
-
-    return 0;
-
-  abort:
-    for (i = 0; i < *num_patches; ++i) {
-        Value* p = (*patches)[i];
-        if (p != NULL) {
-            free(p->data);
-            free(p);
-        }
-    }
-    free(*sha1s);
-    free(*patches);
-    return -1;
-}
-
-int PatchMode(int argc, char** argv) {
-    Value* bonus = NULL;
-    if (argc >= 3 && strcmp(argv[1], "-b") == 0) {
-        FileContents fc;
-        if (LoadFileContents(argv[2], &fc) != 0) {
-            printf("failed to load bonus file %s\n", argv[2]);
-            return 1;
-        }
-        bonus = malloc(sizeof(Value));
-        bonus->type = VAL_BLOB;
-        bonus->size = fc.size;
-        bonus->data = (char*)fc.data;
-        argc -= 2;
-        argv += 2;
-    }
-
-    if (argc < 6) {
-        return 2;
-    }
-
-    char* endptr;
-    size_t target_size = strtol(argv[4], &endptr, 10);
-    if (target_size == 0 && endptr == argv[4]) {
-        printf("can't parse \"%s\" as byte count\n\n", argv[4]);
-        return 1;
-    }
-
-    char** sha1s;
-    Value** patches;
-    int num_patches;
-    if (ParsePatchArgs(argc-5, argv+5, &sha1s, &patches, &num_patches) != 0) {
-        printf("failed to parse patch args\n");
-        return 1;
-    }
-
-    int result = applypatch(argv[1], argv[2], argv[3], target_size,
-                            num_patches, sha1s, patches, bonus);
-
-    int i;
-    for (i = 0; i < num_patches; ++i) {
-        Value* p = patches[i];
-        if (p != NULL) {
-            free(p->data);
-            free(p);
-        }
-    }
-    if (bonus) {
-        free(bonus->data);
-        free(bonus);
-    }
-    free(sha1s);
-    free(patches);
-
-    return result;
-}
-
-// This program applies binary patches to files in a way that is safe
-// (the original file is not touched until we have the desired
-// replacement for it) and idempotent (it's okay to run this program
-// multiple times).
-//
-// - if the sha1 hash of <tgt-file> is <tgt-sha1>, does nothing and exits
-//   successfully.
-//
-// - otherwise, if the sha1 hash of <src-file> is <src-sha1>, applies the
-//   bsdiff <patch> to <src-file> to produce a new file (the type of patch
-//   is automatically detected from the file header).  If that new
-//   file has sha1 hash <tgt-sha1>, moves it to replace <tgt-file>, and
-//   exits successfully.  Note that if <src-file> and <tgt-file> are
-//   not the same, <src-file> is NOT deleted on success.  <tgt-file>
-//   may be the string "-" to mean "the same as src-file".
-//
-// - otherwise, or if any error is encountered, exits with non-zero
-//   status.
-//
-// <src-file> (or <file> in check mode) may refer to an MTD partition
-// to read the source data.  See the comments for the
-// LoadMTDContents() function above for the format of such a filename.
-
-int main(int argc, char** argv) {
-    if (argc < 2) {
-      usage:
-        printf(
-            "usage: %s [-b <bonus-file>] <src-file> <tgt-file> <tgt-sha1> <tgt-size> "
-            "[<src-sha1>:<patch> ...]\n"
-            "   or  %s -c <file> [<sha1> ...]\n"
-            "   or  %s -s <bytes>\n"
-            "   or  %s -l\n"
-            "\n"
-            "Filenames may be of the form\n"
-            "  MTD:<partition>:<len_1>:<sha1_1>:<len_2>:<sha1_2>:...\n"
-            "to specify reading from or writing to an MTD partition.\n\n",
-            argv[0], argv[0], argv[0], argv[0]);
-        return 2;
-    }
-
-    int result;
-
-    if (strncmp(argv[1], "-l", 3) == 0) {
-        result = ShowLicenses();
-    } else if (strncmp(argv[1], "-c", 3) == 0) {
-        result = CheckMode(argc, argv);
-    } else if (strncmp(argv[1], "-s", 3) == 0) {
-        result = SpaceMode(argc, argv);
-    } else {
-        result = PatchMode(argc, argv);
-    }
-
-    if (result == 2) {
-        goto usage;
-    }
-    return result;
-}
diff --git a/applypatch/main.cpp b/applypatch/main.cpp
new file mode 100644
index 0000000..9013760
--- /dev/null
+++ b/applypatch/main.cpp
@@ -0,0 +1,200 @@
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <memory>
+#include <vector>
+
+#include "applypatch.h"
+#include "edify/expr.h"
+#include "openssl/sha.h"
+
+static int CheckMode(int argc, char** argv) {
+    if (argc < 3) {
+        return 2;
+    }
+    return applypatch_check(argv[2], argc-3, argv+3);
+}
+
+static int SpaceMode(int argc, char** argv) {
+    if (argc != 3) {
+        return 2;
+    }
+    char* endptr;
+    size_t bytes = strtol(argv[2], &endptr, 10);
+    if (bytes == 0 && endptr == argv[2]) {
+        printf("can't parse \"%s\" as byte count\n\n", argv[2]);
+        return 1;
+    }
+    return CacheSizeCheck(bytes);
+}
+
+// Parse arguments (which should be of the form "<sha1>:<filename>"
+// into the new parallel arrays *sha1s and *files.Returns true on
+// success.
+static bool ParsePatchArgs(int argc, char** argv, std::vector<char*>* sha1s,
+                           std::vector<FileContents>* files) {
+    uint8_t digest[SHA_DIGEST_LENGTH];
+
+    for (int i = 0; i < argc; ++i) {
+        char* colon = strchr(argv[i], ':');
+        if (colon == nullptr) {
+            printf("no ':' in patch argument \"%s\"\n", argv[i]);
+            return false;
+        }
+        *colon = '\0';
+        ++colon;
+        if (ParseSha1(argv[i], digest) != 0) {
+            printf("failed to parse sha1 \"%s\"\n", argv[i]);
+            return false;
+        }
+
+        sha1s->push_back(argv[i]);
+        FileContents fc;
+        if (LoadFileContents(colon, &fc) != 0) {
+            return false;
+        }
+        files->push_back(std::move(fc));
+    }
+    return true;
+}
+
+static int FlashMode(const char* src_filename, const char* tgt_filename,
+                     const char* tgt_sha1, size_t tgt_size) {
+    return applypatch_flash(src_filename, tgt_filename, tgt_sha1, tgt_size);
+}
+
+static int PatchMode(int argc, char** argv) {
+    FileContents bonusFc;
+    Value bonusValue;
+    Value* bonus = nullptr;
+
+    if (argc >= 3 && strcmp(argv[1], "-b") == 0) {
+        if (LoadFileContents(argv[2], &bonusFc) != 0) {
+            printf("failed to load bonus file %s\n", argv[2]);
+            return 1;
+        }
+        bonus = &bonusValue;
+        bonus->type = VAL_BLOB;
+        bonus->size = bonusFc.data.size();
+        bonus->data = reinterpret_cast<char*>(bonusFc.data.data());
+        argc -= 2;
+        argv += 2;
+    }
+
+    if (argc < 4) {
+        return 2;
+    }
+
+    char* endptr;
+    size_t target_size = strtol(argv[4], &endptr, 10);
+    if (target_size == 0 && endptr == argv[4]) {
+        printf("can't parse \"%s\" as byte count\n\n", argv[4]);
+        return 1;
+    }
+
+    // If no <src-sha1>:<patch> is provided, it is in flash mode.
+    if (argc == 5) {
+        if (bonus != nullptr) {
+            printf("bonus file not supported in flash mode\n");
+            return 1;
+        }
+        return FlashMode(argv[1], argv[2], argv[3], target_size);
+    }
+    std::vector<char*> sha1s;
+    std::vector<FileContents> files;
+    if (!ParsePatchArgs(argc-5, argv+5, &sha1s, &files)) {
+        printf("failed to parse patch args\n");
+        return 1;
+    }
+    std::vector<Value> patches(files.size());
+    std::vector<Value*> patch_ptrs(files.size());
+    for (size_t i = 0; i < files.size(); ++i) {
+        patches[i].type = VAL_BLOB;
+        patches[i].size = files[i].data.size();
+        patches[i].data = reinterpret_cast<char*>(files[i].data.data());
+        patch_ptrs[i] = &patches[i];
+    }
+    return applypatch(argv[1], argv[2], argv[3], target_size,
+                      patch_ptrs.size(), sha1s.data(),
+                      patch_ptrs.data(), bonus);
+}
+
+// This program applies binary patches to files in a way that is safe
+// (the original file is not touched until we have the desired
+// replacement for it) and idempotent (it's okay to run this program
+// multiple times).
+//
+// - if the sha1 hash of <tgt-file> is <tgt-sha1>, does nothing and exits
+//   successfully.
+//
+// - otherwise, if no <src-sha1>:<patch> is provided, flashes <tgt-file> with
+//   <src-file>. <tgt-file> must be a partition name, while <src-file> must
+//   be a regular image file. <src-file> will not be deleted on success.
+//
+// - otherwise, if the sha1 hash of <src-file> is <src-sha1>, applies the
+//   bsdiff <patch> to <src-file> to produce a new file (the type of patch
+//   is automatically detected from the file header).  If that new
+//   file has sha1 hash <tgt-sha1>, moves it to replace <tgt-file>, and
+//   exits successfully.  Note that if <src-file> and <tgt-file> are
+//   not the same, <src-file> is NOT deleted on success.  <tgt-file>
+//   may be the string "-" to mean "the same as src-file".
+//
+// - otherwise, or if any error is encountered, exits with non-zero
+//   status.
+//
+// <src-file> (or <file> in check mode) may refer to an MTD partition
+// to read the source data.  See the comments for the
+// LoadMTDContents() function above for the format of such a filename.
+
+int main(int argc, char** argv) {
+    if (argc < 2) {
+      usage:
+        printf(
+            "usage: %s [-b <bonus-file>] <src-file> <tgt-file> <tgt-sha1> <tgt-size> "
+            "[<src-sha1>:<patch> ...]\n"
+            "   or  %s -c <file> [<sha1> ...]\n"
+            "   or  %s -s <bytes>\n"
+            "   or  %s -l\n"
+            "\n"
+            "Filenames may be of the form\n"
+            "  MTD:<partition>:<len_1>:<sha1_1>:<len_2>:<sha1_2>:...\n"
+            "to specify reading from or writing to an MTD partition.\n\n",
+            argv[0], argv[0], argv[0], argv[0]);
+        return 2;
+    }
+
+    int result;
+
+    if (strncmp(argv[1], "-l", 3) == 0) {
+        result = ShowLicenses();
+    } else if (strncmp(argv[1], "-c", 3) == 0) {
+        result = CheckMode(argc, argv);
+    } else if (strncmp(argv[1], "-s", 3) == 0) {
+        result = SpaceMode(argc, argv);
+    } else {
+        result = PatchMode(argc, argv);
+    }
+
+    if (result == 2) {
+        goto usage;
+    }
+    return result;
+}
diff --git a/applypatch/utils.c b/applypatch/utils.c
deleted file mode 100644
index 41ff676..0000000
--- a/applypatch/utils.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <stdio.h>
-
-#include "utils.h"
-
-/** Write a 4-byte value to f in little-endian order. */
-void Write4(int value, FILE* f) {
-  fputc(value & 0xff, f);
-  fputc((value >> 8) & 0xff, f);
-  fputc((value >> 16) & 0xff, f);
-  fputc((value >> 24) & 0xff, f);
-}
-
-/** Write an 8-byte value to f in little-endian order. */
-void Write8(long long value, FILE* f) {
-  fputc(value & 0xff, f);
-  fputc((value >> 8) & 0xff, f);
-  fputc((value >> 16) & 0xff, f);
-  fputc((value >> 24) & 0xff, f);
-  fputc((value >> 32) & 0xff, f);
-  fputc((value >> 40) & 0xff, f);
-  fputc((value >> 48) & 0xff, f);
-  fputc((value >> 56) & 0xff, f);
-}
-
-int Read2(void* pv) {
-    unsigned char* p = pv;
-    return (int)(((unsigned int)p[1] << 8) |
-                 (unsigned int)p[0]);
-}
-
-int Read4(void* pv) {
-    unsigned char* p = pv;
-    return (int)(((unsigned int)p[3] << 24) |
-                 ((unsigned int)p[2] << 16) |
-                 ((unsigned int)p[1] << 8) |
-                 (unsigned int)p[0]);
-}
-
-long long Read8(void* pv) {
-    unsigned char* p = pv;
-    return (long long)(((unsigned long long)p[7] << 56) |
-                       ((unsigned long long)p[6] << 48) |
-                       ((unsigned long long)p[5] << 40) |
-                       ((unsigned long long)p[4] << 32) |
-                       ((unsigned long long)p[3] << 24) |
-                       ((unsigned long long)p[2] << 16) |
-                       ((unsigned long long)p[1] << 8) |
-                       (unsigned long long)p[0]);
-}
diff --git a/applypatch/utils.cpp b/applypatch/utils.cpp
new file mode 100644
index 0000000..4a80be7
--- /dev/null
+++ b/applypatch/utils.cpp
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+
+#include "utils.h"
+
+/** Write a 4-byte value to f in little-endian order. */
+void Write4(int value, FILE* f) {
+  fputc(value & 0xff, f);
+  fputc((value >> 8) & 0xff, f);
+  fputc((value >> 16) & 0xff, f);
+  fputc((value >> 24) & 0xff, f);
+}
+
+/** Write an 8-byte value to f in little-endian order. */
+void Write8(long long value, FILE* f) {
+  fputc(value & 0xff, f);
+  fputc((value >> 8) & 0xff, f);
+  fputc((value >> 16) & 0xff, f);
+  fputc((value >> 24) & 0xff, f);
+  fputc((value >> 32) & 0xff, f);
+  fputc((value >> 40) & 0xff, f);
+  fputc((value >> 48) & 0xff, f);
+  fputc((value >> 56) & 0xff, f);
+}
+
+int Read2(void* pv) {
+    unsigned char* p = reinterpret_cast<unsigned char*>(pv);
+    return (int)(((unsigned int)p[1] << 8) |
+                 (unsigned int)p[0]);
+}
+
+int Read4(void* pv) {
+    unsigned char* p = reinterpret_cast<unsigned char*>(pv);
+    return (int)(((unsigned int)p[3] << 24) |
+                 ((unsigned int)p[2] << 16) |
+                 ((unsigned int)p[1] << 8) |
+                 (unsigned int)p[0]);
+}
+
+long long Read8(void* pv) {
+    unsigned char* p = reinterpret_cast<unsigned char*>(pv);
+    return (long long)(((unsigned long long)p[7] << 56) |
+                       ((unsigned long long)p[6] << 48) |
+                       ((unsigned long long)p[5] << 40) |
+                       ((unsigned long long)p[4] << 32) |
+                       ((unsigned long long)p[3] << 24) |
+                       ((unsigned long long)p[2] << 16) |
+                       ((unsigned long long)p[1] << 8) |
+                       (unsigned long long)p[0]);
+}
diff --git a/bootloader.cpp b/bootloader.cpp
index 600d238..d80c5e7 100644
--- a/bootloader.cpp
+++ b/bootloader.cpp
@@ -14,28 +14,33 @@
  * limitations under the License.
  */
 
+#include <errno.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
 #include <fs_mgr.h>
+
 #include "bootloader.h"
 #include "common.h"
 #include "mtdutils/mtdutils.h"
 #include "roots.h"
+#include "unique_fd.h"
 
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <unistd.h>
+static int get_bootloader_message_mtd(bootloader_message* out, const Volume* v);
+static int set_bootloader_message_mtd(const bootloader_message* in, const Volume* v);
+static int get_bootloader_message_block(bootloader_message* out, const Volume* v);
+static int set_bootloader_message_block(const bootloader_message* in, const Volume* v);
 
-static int get_bootloader_message_mtd(struct bootloader_message *out, const Volume* v);
-static int set_bootloader_message_mtd(const struct bootloader_message *in, const Volume* v);
-static int get_bootloader_message_block(struct bootloader_message *out, const Volume* v);
-static int set_bootloader_message_block(const struct bootloader_message *in, const Volume* v);
-
-int get_bootloader_message(struct bootloader_message *out) {
+int get_bootloader_message(bootloader_message* out) {
     Volume* v = volume_for_path("/misc");
-    if (v == NULL) {
-      LOGE("Cannot load volume /misc!\n");
-      return -1;
+    if (v == nullptr) {
+        LOGE("Cannot load volume /misc!\n");
+        return -1;
     }
     if (strcmp(v->fs_type, "mtd") == 0) {
         return get_bootloader_message_mtd(out, v);
@@ -46,11 +51,11 @@
     return -1;
 }
 
-int set_bootloader_message(const struct bootloader_message *in) {
+int set_bootloader_message(const bootloader_message* in) {
     Volume* v = volume_for_path("/misc");
-    if (v == NULL) {
-      LOGE("Cannot load volume /misc!\n");
-      return -1;
+    if (v == nullptr) {
+        LOGE("Cannot load volume /misc!\n");
+        return -1;
     }
     if (strcmp(v->fs_type, "mtd") == 0) {
         return set_bootloader_message_mtd(in, v);
@@ -68,69 +73,69 @@
 static const int MISC_PAGES = 3;         // number of pages to save
 static const int MISC_COMMAND_PAGE = 1;  // bootloader command is this page
 
-static int get_bootloader_message_mtd(struct bootloader_message *out,
+static int get_bootloader_message_mtd(bootloader_message* out,
                                       const Volume* v) {
     size_t write_size;
     mtd_scan_partitions();
-    const MtdPartition *part = mtd_find_partition_by_name(v->blk_device);
-    if (part == NULL || mtd_partition_info(part, NULL, NULL, &write_size)) {
-        LOGE("Can't find %s\n", v->blk_device);
+    const MtdPartition* part = mtd_find_partition_by_name(v->blk_device);
+    if (part == nullptr || mtd_partition_info(part, nullptr, nullptr, &write_size)) {
+        LOGE("failed to find \"%s\"\n", v->blk_device);
         return -1;
     }
 
-    MtdReadContext *read = mtd_read_partition(part);
-    if (read == NULL) {
-        LOGE("Can't open %s\n(%s)\n", v->blk_device, strerror(errno));
+    MtdReadContext* read = mtd_read_partition(part);
+    if (read == nullptr) {
+        LOGE("failed to open \"%s\": %s\n", v->blk_device, strerror(errno));
         return -1;
     }
 
     const ssize_t size = write_size * MISC_PAGES;
     char data[size];
     ssize_t r = mtd_read_data(read, data, size);
-    if (r != size) LOGE("Can't read %s\n(%s)\n", v->blk_device, strerror(errno));
+    if (r != size) LOGE("failed to read \"%s\": %s\n", v->blk_device, strerror(errno));
     mtd_read_close(read);
     if (r != size) return -1;
 
     memcpy(out, &data[write_size * MISC_COMMAND_PAGE], sizeof(*out));
     return 0;
 }
-static int set_bootloader_message_mtd(const struct bootloader_message *in,
+static int set_bootloader_message_mtd(const bootloader_message* in,
                                       const Volume* v) {
     size_t write_size;
     mtd_scan_partitions();
-    const MtdPartition *part = mtd_find_partition_by_name(v->blk_device);
-    if (part == NULL || mtd_partition_info(part, NULL, NULL, &write_size)) {
-        LOGE("Can't find %s\n", v->blk_device);
+    const MtdPartition* part = mtd_find_partition_by_name(v->blk_device);
+    if (part == nullptr || mtd_partition_info(part, nullptr, nullptr, &write_size)) {
+        LOGE("failed to find \"%s\"\n", v->blk_device);
         return -1;
     }
 
-    MtdReadContext *read = mtd_read_partition(part);
-    if (read == NULL) {
-        LOGE("Can't open %s\n(%s)\n", v->blk_device, strerror(errno));
+    MtdReadContext* read = mtd_read_partition(part);
+    if (read == nullptr) {
+        LOGE("failed to open \"%s\": %s\n", v->blk_device, strerror(errno));
         return -1;
     }
 
     ssize_t size = write_size * MISC_PAGES;
     char data[size];
     ssize_t r = mtd_read_data(read, data, size);
-    if (r != size) LOGE("Can't read %s\n(%s)\n", v->blk_device, strerror(errno));
+    if (r != size) LOGE("failed to read \"%s\": %s\n", v->blk_device, strerror(errno));
     mtd_read_close(read);
     if (r != size) return -1;
 
     memcpy(&data[write_size * MISC_COMMAND_PAGE], in, sizeof(*in));
 
-    MtdWriteContext *write = mtd_write_partition(part);
-    if (write == NULL) {
-        LOGE("Can't open %s\n(%s)\n", v->blk_device, strerror(errno));
+    MtdWriteContext* write = mtd_write_partition(part);
+    if (write == nullptr) {
+        LOGE("failed to open \"%s\": %s\n", v->blk_device, strerror(errno));
         return -1;
     }
     if (mtd_write_data(write, data, size) != size) {
-        LOGE("Can't write %s\n(%s)\n", v->blk_device, strerror(errno));
+        LOGE("failed to write \"%s\": %s\n", v->blk_device, strerror(errno));
         mtd_write_close(write);
         return -1;
     }
     if (mtd_write_close(write)) {
-        LOGE("Can't finish %s\n(%s)\n", v->blk_device, strerror(errno));
+        LOGE("failed to finish \"%s\": %s\n", v->blk_device, strerror(errno));
         return -1;
     }
 
@@ -146,57 +151,67 @@
 static void wait_for_device(const char* fn) {
     int tries = 0;
     int ret;
-    struct stat buf;
     do {
         ++tries;
+        struct stat buf;
         ret = stat(fn, &buf);
-        if (ret) {
-            printf("stat %s try %d: %s\n", fn, tries, strerror(errno));
+        if (ret == -1) {
+            printf("failed to stat \"%s\" try %d: %s\n", fn, tries, strerror(errno));
             sleep(1);
         }
     } while (ret && tries < 10);
+
     if (ret) {
-        printf("failed to stat %s\n", fn);
+        printf("failed to stat \"%s\"\n", fn);
     }
 }
 
-static int get_bootloader_message_block(struct bootloader_message *out,
+static int get_bootloader_message_block(bootloader_message* out,
                                         const Volume* v) {
     wait_for_device(v->blk_device);
     FILE* f = fopen(v->blk_device, "rb");
-    if (f == NULL) {
-        LOGE("Can't open %s\n(%s)\n", v->blk_device, strerror(errno));
+    if (f == nullptr) {
+        LOGE("failed to open \"%s\": %s\n", v->blk_device, strerror(errno));
         return -1;
     }
-    struct bootloader_message temp;
+    bootloader_message temp;
     int count = fread(&temp, sizeof(temp), 1, f);
     if (count != 1) {
-        LOGE("Failed reading %s\n(%s)\n", v->blk_device, strerror(errno));
+        LOGE("failed to read \"%s\": %s\n", v->blk_device, strerror(errno));
         return -1;
     }
     if (fclose(f) != 0) {
-        LOGE("Failed closing %s\n(%s)\n", v->blk_device, strerror(errno));
+        LOGE("failed to close \"%s\": %s\n", v->blk_device, strerror(errno));
         return -1;
     }
     memcpy(out, &temp, sizeof(temp));
     return 0;
 }
 
-static int set_bootloader_message_block(const struct bootloader_message *in,
+static int set_bootloader_message_block(const bootloader_message* in,
                                         const Volume* v) {
     wait_for_device(v->blk_device);
-    FILE* f = fopen(v->blk_device, "wb");
-    if (f == NULL) {
-        LOGE("Can't open %s\n(%s)\n", v->blk_device, strerror(errno));
+    unique_fd fd(open(v->blk_device, O_WRONLY | O_SYNC));
+    if (fd.get() == -1) {
+        LOGE("failed to open \"%s\": %s\n", v->blk_device, strerror(errno));
         return -1;
     }
-    int count = fwrite(in, sizeof(*in), 1, f);
-    if (count != 1) {
-        LOGE("Failed writing %s\n(%s)\n", v->blk_device, strerror(errno));
-        return -1;
+
+    size_t written = 0;
+    const uint8_t* start = reinterpret_cast<const uint8_t*>(in);
+    size_t total = sizeof(*in);
+    while (written < total) {
+        ssize_t wrote = TEMP_FAILURE_RETRY(write(fd.get(), start + written, total - written));
+        if (wrote == -1) {
+            LOGE("failed to write %" PRId64 " bytes: %s\n",
+                 static_cast<off64_t>(written), strerror(errno));
+            return -1;
+        }
+        written += wrote;
     }
-    if (fclose(f) != 0) {
-        LOGE("Failed closing %s\n(%s)\n", v->blk_device, strerror(errno));
+
+    if (fsync(fd.get()) == -1) {
+        LOGE("failed to fsync \"%s\": %s\n", v->blk_device, strerror(errno));
         return -1;
     }
     return 0;
diff --git a/bootloader.h b/bootloader.h
index c2895dd..742a4ab 100644
--- a/bootloader.h
+++ b/bootloader.h
@@ -17,10 +17,6 @@
 #ifndef _RECOVERY_BOOTLOADER_H
 #define _RECOVERY_BOOTLOADER_H
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 /* Bootloader Message
  *
  * This structure describes the content of a block in flash
@@ -43,6 +39,13 @@
  * multiple times, so that the UI can reflect which invocation of the
  * package it is.  If the value is of the format "#/#" (eg, "1/3"),
  * the UI will add a simple indicator of that status.
+ *
+ * The slot_suffix field is used for A/B implementations where the
+ * bootloader does not set the androidboot.ro.boot.slot_suffix kernel
+ * commandline parameter. This is used by fs_mgr to mount /system and
+ * other partitions with the slotselect flag set in fstab. A/B
+ * implementations are free to use all 32 bytes and may store private
+ * data past the first NUL-byte in this field.
  */
 struct bootloader_message {
     char command[32];
@@ -55,7 +58,8 @@
     // stage string (for multistage packages) and possible future
     // expansion.
     char stage[32];
-    char reserved[224];
+    char slot_suffix[32];
+    char reserved[192];
 };
 
 /* Read and write the bootloader command from the "misc" partition.
@@ -64,8 +68,4 @@
 int get_bootloader_message(struct bootloader_message *out);
 int set_bootloader_message(const struct bootloader_message *in);
 
-#ifdef __cplusplus
-}
-#endif
-
 #endif
diff --git a/common.h b/common.h
index b818ceb..de8b409 100644
--- a/common.h
+++ b/common.h
@@ -21,10 +21,6 @@
 #include <stdio.h>
 #include <stdarg.h>
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 #define LOGE(...) ui_print("E:" __VA_ARGS__)
 #define LOGW(...) fprintf(stdout, "W:" __VA_ARGS__)
 #define LOGI(...) fprintf(stdout, "I:" __VA_ARGS__)
@@ -50,8 +46,4 @@
 
 bool is_ro_debuggable();
 
-#ifdef __cplusplus
-}
-#endif
-
 #endif  // RECOVERY_COMMON_H
diff --git a/device.cpp b/device.cpp
index fd1a987..2465b07 100644
--- a/device.cpp
+++ b/device.cpp
@@ -25,6 +25,7 @@
     "Wipe cache partition",
     "Mount /system",
     "View recovery logs",
+    "Run graphics test",
     "Power off",
     NULL
 };
@@ -43,7 +44,8 @@
     case 5: return WIPE_CACHE;
     case 6: return MOUNT_SYSTEM;
     case 7: return VIEW_RECOVERY_LOGS;
-    case 8: return SHUTDOWN;
+    case 8: return RUN_GRAPHICS_TEST;
+    case 9: return SHUTDOWN;
     default: return NO_ACTION;
   }
 }
diff --git a/device.h b/device.h
index f74b6b0..5017782 100644
--- a/device.h
+++ b/device.h
@@ -68,6 +68,7 @@
         SHUTDOWN = 8,
         VIEW_RECOVERY_LOGS = 9,
         MOUNT_SYSTEM = 10,
+        RUN_GRAPHICS_TEST = 11,
     };
 
     // Return the list of menu items (an array of strings,
diff --git a/edify/Android.mk b/edify/Android.mk
index 03c04e4..71cf765 100644
--- a/edify/Android.mk
+++ b/edify/Android.mk
@@ -3,14 +3,9 @@
 LOCAL_PATH := $(call my-dir)
 
 edify_src_files := \
-	lexer.l \
-	parser.y \
-	expr.c
-
-# "-x c" forces the lex/yacc files to be compiled as c the build system
-# otherwise forces them to be c++. Need to also add an explicit -std because the
-# build system will soon default C++ to -std=c++11.
-edify_cflags := -x c -std=gnu89
+	lexer.ll \
+	parser.yy \
+	expr.cpp
 
 #
 # Build the host-side command line tool
@@ -19,12 +14,16 @@
 
 LOCAL_SRC_FILES := \
 		$(edify_src_files) \
-		main.c
+		main.cpp
 
-LOCAL_CFLAGS := $(edify_cflags) -g -O0
+LOCAL_CPPFLAGS := -g -O0
 LOCAL_MODULE := edify
 LOCAL_YACCFLAGS := -v
-LOCAL_CFLAGS += -Wno-unused-parameter
+LOCAL_CPPFLAGS += -Wno-unused-parameter
+LOCAL_CPPFLAGS += -Wno-deprecated-register
+LOCAL_CLANG := true
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/..
+LOCAL_STATIC_LIBRARIES += libbase
 
 include $(BUILD_HOST_EXECUTABLE)
 
@@ -35,8 +34,11 @@
 
 LOCAL_SRC_FILES := $(edify_src_files)
 
-LOCAL_CFLAGS := $(edify_cflags)
-LOCAL_CFLAGS += -Wno-unused-parameter
+LOCAL_CPPFLAGS := -Wno-unused-parameter
+LOCAL_CPPFLAGS += -Wno-deprecated-register
 LOCAL_MODULE := libedify
+LOCAL_CLANG := true
+LOCAL_C_INCLUDES += $(LOCAL_PATH)/..
+LOCAL_STATIC_LIBRARIES += libbase
 
 include $(BUILD_STATIC_LIBRARY)
diff --git a/edify/expr.c b/edify/expr.c
deleted file mode 100644
index 79f6282..0000000
--- a/edify/expr.c
+++ /dev/null
@@ -1,505 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <string.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdarg.h>
-#include <unistd.h>
-
-#include "expr.h"
-
-// Functions should:
-//
-//    - return a malloc()'d string
-//    - if Evaluate() on any argument returns NULL, return NULL.
-
-int BooleanString(const char* s) {
-    return s[0] != '\0';
-}
-
-char* Evaluate(State* state, Expr* expr) {
-    Value* v = expr->fn(expr->name, state, expr->argc, expr->argv);
-    if (v == NULL) return NULL;
-    if (v->type != VAL_STRING) {
-        ErrorAbort(state, "expecting string, got value type %d", v->type);
-        FreeValue(v);
-        return NULL;
-    }
-    char* result = v->data;
-    free(v);
-    return result;
-}
-
-Value* EvaluateValue(State* state, Expr* expr) {
-    return expr->fn(expr->name, state, expr->argc, expr->argv);
-}
-
-Value* StringValue(char* str) {
-    if (str == NULL) return NULL;
-    Value* v = malloc(sizeof(Value));
-    v->type = VAL_STRING;
-    v->size = strlen(str);
-    v->data = str;
-    return v;
-}
-
-void FreeValue(Value* v) {
-    if (v == NULL) return;
-    free(v->data);
-    free(v);
-}
-
-Value* ConcatFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc == 0) {
-        return StringValue(strdup(""));
-    }
-    char** strings = malloc(argc * sizeof(char*));
-    int i;
-    for (i = 0; i < argc; ++i) {
-        strings[i] = NULL;
-    }
-    char* result = NULL;
-    int length = 0;
-    for (i = 0; i < argc; ++i) {
-        strings[i] = Evaluate(state, argv[i]);
-        if (strings[i] == NULL) {
-            goto done;
-        }
-        length += strlen(strings[i]);
-    }
-
-    result = malloc(length+1);
-    int p = 0;
-    for (i = 0; i < argc; ++i) {
-        strcpy(result+p, strings[i]);
-        p += strlen(strings[i]);
-    }
-    result[p] = '\0';
-
-  done:
-    for (i = 0; i < argc; ++i) {
-        free(strings[i]);
-    }
-    free(strings);
-    return StringValue(result);
-}
-
-Value* IfElseFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc != 2 && argc != 3) {
-        free(state->errmsg);
-        state->errmsg = strdup("ifelse expects 2 or 3 arguments");
-        return NULL;
-    }
-    char* cond = Evaluate(state, argv[0]);
-    if (cond == NULL) {
-        return NULL;
-    }
-
-    if (BooleanString(cond) == true) {
-        free(cond);
-        return EvaluateValue(state, argv[1]);
-    } else {
-        if (argc == 3) {
-            free(cond);
-            return EvaluateValue(state, argv[2]);
-        } else {
-            return StringValue(cond);
-        }
-    }
-}
-
-Value* AbortFn(const char* name, State* state, int argc, Expr* argv[]) {
-    char* msg = NULL;
-    if (argc > 0) {
-        msg = Evaluate(state, argv[0]);
-    }
-    free(state->errmsg);
-    if (msg) {
-        state->errmsg = msg;
-    } else {
-        state->errmsg = strdup("called abort()");
-    }
-    return NULL;
-}
-
-Value* AssertFn(const char* name, State* state, int argc, Expr* argv[]) {
-    int i;
-    for (i = 0; i < argc; ++i) {
-        char* v = Evaluate(state, argv[i]);
-        if (v == NULL) {
-            return NULL;
-        }
-        int b = BooleanString(v);
-        free(v);
-        if (!b) {
-            int prefix_len;
-            int len = argv[i]->end - argv[i]->start;
-            char* err_src = malloc(len + 20);
-            strcpy(err_src, "assert failed: ");
-            prefix_len = strlen(err_src);
-            memcpy(err_src + prefix_len, state->script + argv[i]->start, len);
-            err_src[prefix_len + len] = '\0';
-            free(state->errmsg);
-            state->errmsg = err_src;
-            return NULL;
-        }
-    }
-    return StringValue(strdup(""));
-}
-
-Value* SleepFn(const char* name, State* state, int argc, Expr* argv[]) {
-    char* val = Evaluate(state, argv[0]);
-    if (val == NULL) {
-        return NULL;
-    }
-    int v = strtol(val, NULL, 10);
-    sleep(v);
-    return StringValue(val);
-}
-
-Value* StdoutFn(const char* name, State* state, int argc, Expr* argv[]) {
-    int i;
-    for (i = 0; i < argc; ++i) {
-        char* v = Evaluate(state, argv[i]);
-        if (v == NULL) {
-            return NULL;
-        }
-        fputs(v, stdout);
-        free(v);
-    }
-    return StringValue(strdup(""));
-}
-
-Value* LogicalAndFn(const char* name, State* state,
-                   int argc, Expr* argv[]) {
-    char* left = Evaluate(state, argv[0]);
-    if (left == NULL) return NULL;
-    if (BooleanString(left) == true) {
-        free(left);
-        return EvaluateValue(state, argv[1]);
-    } else {
-        return StringValue(left);
-    }
-}
-
-Value* LogicalOrFn(const char* name, State* state,
-                   int argc, Expr* argv[]) {
-    char* left = Evaluate(state, argv[0]);
-    if (left == NULL) return NULL;
-    if (BooleanString(left) == false) {
-        free(left);
-        return EvaluateValue(state, argv[1]);
-    } else {
-        return StringValue(left);
-    }
-}
-
-Value* LogicalNotFn(const char* name, State* state,
-                    int argc, Expr* argv[]) {
-    char* val = Evaluate(state, argv[0]);
-    if (val == NULL) return NULL;
-    bool bv = BooleanString(val);
-    free(val);
-    return StringValue(strdup(bv ? "" : "t"));
-}
-
-Value* SubstringFn(const char* name, State* state,
-                   int argc, Expr* argv[]) {
-    char* needle = Evaluate(state, argv[0]);
-    if (needle == NULL) return NULL;
-    char* haystack = Evaluate(state, argv[1]);
-    if (haystack == NULL) {
-        free(needle);
-        return NULL;
-    }
-
-    char* result = strdup(strstr(haystack, needle) ? "t" : "");
-    free(needle);
-    free(haystack);
-    return StringValue(result);
-}
-
-Value* EqualityFn(const char* name, State* state, int argc, Expr* argv[]) {
-    char* left = Evaluate(state, argv[0]);
-    if (left == NULL) return NULL;
-    char* right = Evaluate(state, argv[1]);
-    if (right == NULL) {
-        free(left);
-        return NULL;
-    }
-
-    char* result = strdup(strcmp(left, right) == 0 ? "t" : "");
-    free(left);
-    free(right);
-    return StringValue(result);
-}
-
-Value* InequalityFn(const char* name, State* state, int argc, Expr* argv[]) {
-    char* left = Evaluate(state, argv[0]);
-    if (left == NULL) return NULL;
-    char* right = Evaluate(state, argv[1]);
-    if (right == NULL) {
-        free(left);
-        return NULL;
-    }
-
-    char* result = strdup(strcmp(left, right) != 0 ? "t" : "");
-    free(left);
-    free(right);
-    return StringValue(result);
-}
-
-Value* SequenceFn(const char* name, State* state, int argc, Expr* argv[]) {
-    Value* left = EvaluateValue(state, argv[0]);
-    if (left == NULL) return NULL;
-    FreeValue(left);
-    return EvaluateValue(state, argv[1]);
-}
-
-Value* LessThanIntFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc != 2) {
-        free(state->errmsg);
-        state->errmsg = strdup("less_than_int expects 2 arguments");
-        return NULL;
-    }
-
-    char* left;
-    char* right;
-    if (ReadArgs(state, argv, 2, &left, &right) < 0) return NULL;
-
-    bool result = false;
-    char* end;
-
-    long l_int = strtol(left, &end, 10);
-    if (left[0] == '\0' || *end != '\0') {
-        goto done;
-    }
-
-    long r_int = strtol(right, &end, 10);
-    if (right[0] == '\0' || *end != '\0') {
-        goto done;
-    }
-
-    result = l_int < r_int;
-
-  done:
-    free(left);
-    free(right);
-    return StringValue(strdup(result ? "t" : ""));
-}
-
-Value* GreaterThanIntFn(const char* name, State* state,
-                        int argc, Expr* argv[]) {
-    if (argc != 2) {
-        free(state->errmsg);
-        state->errmsg = strdup("greater_than_int expects 2 arguments");
-        return NULL;
-    }
-
-    Expr* temp[2];
-    temp[0] = argv[1];
-    temp[1] = argv[0];
-
-    return LessThanIntFn(name, state, 2, temp);
-}
-
-Value* Literal(const char* name, State* state, int argc, Expr* argv[]) {
-    return StringValue(strdup(name));
-}
-
-Expr* Build(Function fn, YYLTYPE loc, int count, ...) {
-    va_list v;
-    va_start(v, count);
-    Expr* e = malloc(sizeof(Expr));
-    e->fn = fn;
-    e->name = "(operator)";
-    e->argc = count;
-    e->argv = malloc(count * sizeof(Expr*));
-    int i;
-    for (i = 0; i < count; ++i) {
-        e->argv[i] = va_arg(v, Expr*);
-    }
-    va_end(v);
-    e->start = loc.start;
-    e->end = loc.end;
-    return e;
-}
-
-// -----------------------------------------------------------------
-//   the function table
-// -----------------------------------------------------------------
-
-static int fn_entries = 0;
-static int fn_size = 0;
-NamedFunction* fn_table = NULL;
-
-void RegisterFunction(const char* name, Function fn) {
-    if (fn_entries >= fn_size) {
-        fn_size = fn_size*2 + 1;
-        fn_table = realloc(fn_table, fn_size * sizeof(NamedFunction));
-    }
-    fn_table[fn_entries].name = name;
-    fn_table[fn_entries].fn = fn;
-    ++fn_entries;
-}
-
-static int fn_entry_compare(const void* a, const void* b) {
-    const char* na = ((const NamedFunction*)a)->name;
-    const char* nb = ((const NamedFunction*)b)->name;
-    return strcmp(na, nb);
-}
-
-void FinishRegistration() {
-    qsort(fn_table, fn_entries, sizeof(NamedFunction), fn_entry_compare);
-}
-
-Function FindFunction(const char* name) {
-    NamedFunction key;
-    key.name = name;
-    NamedFunction* nf = bsearch(&key, fn_table, fn_entries,
-                                sizeof(NamedFunction), fn_entry_compare);
-    if (nf == NULL) {
-        return NULL;
-    }
-    return nf->fn;
-}
-
-void RegisterBuiltins() {
-    RegisterFunction("ifelse", IfElseFn);
-    RegisterFunction("abort", AbortFn);
-    RegisterFunction("assert", AssertFn);
-    RegisterFunction("concat", ConcatFn);
-    RegisterFunction("is_substring", SubstringFn);
-    RegisterFunction("stdout", StdoutFn);
-    RegisterFunction("sleep", SleepFn);
-
-    RegisterFunction("less_than_int", LessThanIntFn);
-    RegisterFunction("greater_than_int", GreaterThanIntFn);
-}
-
-
-// -----------------------------------------------------------------
-//   convenience methods for functions
-// -----------------------------------------------------------------
-
-// Evaluate the expressions in argv, giving 'count' char* (the ... is
-// zero or more char** to put them in).  If any expression evaluates
-// to NULL, free the rest and return -1.  Return 0 on success.
-int ReadArgs(State* state, Expr* argv[], int count, ...) {
-    char** args = malloc(count * sizeof(char*));
-    va_list v;
-    va_start(v, count);
-    int i;
-    for (i = 0; i < count; ++i) {
-        args[i] = Evaluate(state, argv[i]);
-        if (args[i] == NULL) {
-            va_end(v);
-            int j;
-            for (j = 0; j < i; ++j) {
-                free(args[j]);
-            }
-            free(args);
-            return -1;
-        }
-        *(va_arg(v, char**)) = args[i];
-    }
-    va_end(v);
-    free(args);
-    return 0;
-}
-
-// Evaluate the expressions in argv, giving 'count' Value* (the ... is
-// zero or more Value** to put them in).  If any expression evaluates
-// to NULL, free the rest and return -1.  Return 0 on success.
-int ReadValueArgs(State* state, Expr* argv[], int count, ...) {
-    Value** args = malloc(count * sizeof(Value*));
-    va_list v;
-    va_start(v, count);
-    int i;
-    for (i = 0; i < count; ++i) {
-        args[i] = EvaluateValue(state, argv[i]);
-        if (args[i] == NULL) {
-            va_end(v);
-            int j;
-            for (j = 0; j < i; ++j) {
-                FreeValue(args[j]);
-            }
-            free(args);
-            return -1;
-        }
-        *(va_arg(v, Value**)) = args[i];
-    }
-    va_end(v);
-    free(args);
-    return 0;
-}
-
-// Evaluate the expressions in argv, returning an array of char*
-// results.  If any evaluate to NULL, free the rest and return NULL.
-// The caller is responsible for freeing the returned array and the
-// strings it contains.
-char** ReadVarArgs(State* state, int argc, Expr* argv[]) {
-    char** args = (char**)malloc(argc * sizeof(char*));
-    int i = 0;
-    for (i = 0; i < argc; ++i) {
-        args[i] = Evaluate(state, argv[i]);
-        if (args[i] == NULL) {
-            int j;
-            for (j = 0; j < i; ++j) {
-                free(args[j]);
-            }
-            free(args);
-            return NULL;
-        }
-    }
-    return args;
-}
-
-// Evaluate the expressions in argv, returning an array of Value*
-// results.  If any evaluate to NULL, free the rest and return NULL.
-// The caller is responsible for freeing the returned array and the
-// Values it contains.
-Value** ReadValueVarArgs(State* state, int argc, Expr* argv[]) {
-    Value** args = (Value**)malloc(argc * sizeof(Value*));
-    int i = 0;
-    for (i = 0; i < argc; ++i) {
-        args[i] = EvaluateValue(state, argv[i]);
-        if (args[i] == NULL) {
-            int j;
-            for (j = 0; j < i; ++j) {
-                FreeValue(args[j]);
-            }
-            free(args);
-            return NULL;
-        }
-    }
-    return args;
-}
-
-// Use printf-style arguments to compose an error message to put into
-// *state.  Returns NULL.
-Value* ErrorAbort(State* state, const char* format, ...) {
-    char* buffer = malloc(4096);
-    va_list v;
-    va_start(v, format);
-    vsnprintf(buffer, 4096, format, v);
-    va_end(v);
-    free(state->errmsg);
-    state->errmsg = buffer;
-    return NULL;
-}
diff --git a/edify/expr.cpp b/edify/expr.cpp
new file mode 100644
index 0000000..cc14fbe
--- /dev/null
+++ b/edify/expr.cpp
@@ -0,0 +1,526 @@
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <string.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <unistd.h>
+
+#include <string>
+
+#include <android-base/stringprintf.h>
+#include <android-base/strings.h>
+
+#include "expr.h"
+
+// Functions should:
+//
+//    - return a malloc()'d string
+//    - if Evaluate() on any argument returns NULL, return NULL.
+
+int BooleanString(const char* s) {
+    return s[0] != '\0';
+}
+
+char* Evaluate(State* state, Expr* expr) {
+    Value* v = expr->fn(expr->name, state, expr->argc, expr->argv);
+    if (v == NULL) return NULL;
+    if (v->type != VAL_STRING) {
+        ErrorAbort(state, kArgsParsingFailure, "expecting string, got value type %d", v->type);
+        FreeValue(v);
+        return NULL;
+    }
+    char* result = v->data;
+    free(v);
+    return result;
+}
+
+Value* EvaluateValue(State* state, Expr* expr) {
+    return expr->fn(expr->name, state, expr->argc, expr->argv);
+}
+
+Value* StringValue(char* str) {
+    if (str == NULL) return NULL;
+    Value* v = reinterpret_cast<Value*>(malloc(sizeof(Value)));
+    v->type = VAL_STRING;
+    v->size = strlen(str);
+    v->data = str;
+    return v;
+}
+
+void FreeValue(Value* v) {
+    if (v == NULL) return;
+    free(v->data);
+    free(v);
+}
+
+Value* ConcatFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc == 0) {
+        return StringValue(strdup(""));
+    }
+    char** strings = reinterpret_cast<char**>(malloc(argc * sizeof(char*)));
+    int i;
+    for (i = 0; i < argc; ++i) {
+        strings[i] = NULL;
+    }
+    char* result = NULL;
+    int length = 0;
+    for (i = 0; i < argc; ++i) {
+        strings[i] = Evaluate(state, argv[i]);
+        if (strings[i] == NULL) {
+            goto done;
+        }
+        length += strlen(strings[i]);
+    }
+
+    result = reinterpret_cast<char*>(malloc(length+1));
+    int p;
+    p = 0;
+    for (i = 0; i < argc; ++i) {
+        strcpy(result+p, strings[i]);
+        p += strlen(strings[i]);
+    }
+    result[p] = '\0';
+
+  done:
+    for (i = 0; i < argc; ++i) {
+        free(strings[i]);
+    }
+    free(strings);
+    return StringValue(result);
+}
+
+Value* IfElseFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc != 2 && argc != 3) {
+        free(state->errmsg);
+        state->errmsg = strdup("ifelse expects 2 or 3 arguments");
+        return NULL;
+    }
+    char* cond = Evaluate(state, argv[0]);
+    if (cond == NULL) {
+        return NULL;
+    }
+
+    if (BooleanString(cond) == true) {
+        free(cond);
+        return EvaluateValue(state, argv[1]);
+    } else {
+        if (argc == 3) {
+            free(cond);
+            return EvaluateValue(state, argv[2]);
+        } else {
+            return StringValue(cond);
+        }
+    }
+}
+
+Value* AbortFn(const char* name, State* state, int argc, Expr* argv[]) {
+    char* msg = NULL;
+    if (argc > 0) {
+        msg = Evaluate(state, argv[0]);
+    }
+    free(state->errmsg);
+    if (msg) {
+        state->errmsg = msg;
+    } else {
+        state->errmsg = strdup("called abort()");
+    }
+    return NULL;
+}
+
+Value* AssertFn(const char* name, State* state, int argc, Expr* argv[]) {
+    int i;
+    for (i = 0; i < argc; ++i) {
+        char* v = Evaluate(state, argv[i]);
+        if (v == NULL) {
+            return NULL;
+        }
+        int b = BooleanString(v);
+        free(v);
+        if (!b) {
+            int prefix_len;
+            int len = argv[i]->end - argv[i]->start;
+            char* err_src = reinterpret_cast<char*>(malloc(len + 20));
+            strcpy(err_src, "assert failed: ");
+            prefix_len = strlen(err_src);
+            memcpy(err_src + prefix_len, state->script + argv[i]->start, len);
+            err_src[prefix_len + len] = '\0';
+            free(state->errmsg);
+            state->errmsg = err_src;
+            return NULL;
+        }
+    }
+    return StringValue(strdup(""));
+}
+
+Value* SleepFn(const char* name, State* state, int argc, Expr* argv[]) {
+    char* val = Evaluate(state, argv[0]);
+    if (val == NULL) {
+        return NULL;
+    }
+    int v = strtol(val, NULL, 10);
+    sleep(v);
+    return StringValue(val);
+}
+
+Value* StdoutFn(const char* name, State* state, int argc, Expr* argv[]) {
+    int i;
+    for (i = 0; i < argc; ++i) {
+        char* v = Evaluate(state, argv[i]);
+        if (v == NULL) {
+            return NULL;
+        }
+        fputs(v, stdout);
+        free(v);
+    }
+    return StringValue(strdup(""));
+}
+
+Value* LogicalAndFn(const char* name, State* state,
+                   int argc, Expr* argv[]) {
+    char* left = Evaluate(state, argv[0]);
+    if (left == NULL) return NULL;
+    if (BooleanString(left) == true) {
+        free(left);
+        return EvaluateValue(state, argv[1]);
+    } else {
+        return StringValue(left);
+    }
+}
+
+Value* LogicalOrFn(const char* name, State* state,
+                   int argc, Expr* argv[]) {
+    char* left = Evaluate(state, argv[0]);
+    if (left == NULL) return NULL;
+    if (BooleanString(left) == false) {
+        free(left);
+        return EvaluateValue(state, argv[1]);
+    } else {
+        return StringValue(left);
+    }
+}
+
+Value* LogicalNotFn(const char* name, State* state,
+                    int argc, Expr* argv[]) {
+    char* val = Evaluate(state, argv[0]);
+    if (val == NULL) return NULL;
+    bool bv = BooleanString(val);
+    free(val);
+    return StringValue(strdup(bv ? "" : "t"));
+}
+
+Value* SubstringFn(const char* name, State* state,
+                   int argc, Expr* argv[]) {
+    char* needle = Evaluate(state, argv[0]);
+    if (needle == NULL) return NULL;
+    char* haystack = Evaluate(state, argv[1]);
+    if (haystack == NULL) {
+        free(needle);
+        return NULL;
+    }
+
+    char* result = strdup(strstr(haystack, needle) ? "t" : "");
+    free(needle);
+    free(haystack);
+    return StringValue(result);
+}
+
+Value* EqualityFn(const char* name, State* state, int argc, Expr* argv[]) {
+    char* left = Evaluate(state, argv[0]);
+    if (left == NULL) return NULL;
+    char* right = Evaluate(state, argv[1]);
+    if (right == NULL) {
+        free(left);
+        return NULL;
+    }
+
+    char* result = strdup(strcmp(left, right) == 0 ? "t" : "");
+    free(left);
+    free(right);
+    return StringValue(result);
+}
+
+Value* InequalityFn(const char* name, State* state, int argc, Expr* argv[]) {
+    char* left = Evaluate(state, argv[0]);
+    if (left == NULL) return NULL;
+    char* right = Evaluate(state, argv[1]);
+    if (right == NULL) {
+        free(left);
+        return NULL;
+    }
+
+    char* result = strdup(strcmp(left, right) != 0 ? "t" : "");
+    free(left);
+    free(right);
+    return StringValue(result);
+}
+
+Value* SequenceFn(const char* name, State* state, int argc, Expr* argv[]) {
+    Value* left = EvaluateValue(state, argv[0]);
+    if (left == NULL) return NULL;
+    FreeValue(left);
+    return EvaluateValue(state, argv[1]);
+}
+
+Value* LessThanIntFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc != 2) {
+        free(state->errmsg);
+        state->errmsg = strdup("less_than_int expects 2 arguments");
+        return NULL;
+    }
+
+    char* left;
+    char* right;
+    if (ReadArgs(state, argv, 2, &left, &right) < 0) return NULL;
+
+    bool result = false;
+    char* end;
+
+    long l_int = strtol(left, &end, 10);
+    if (left[0] == '\0' || *end != '\0') {
+        goto done;
+    }
+
+    long r_int;
+    r_int = strtol(right, &end, 10);
+    if (right[0] == '\0' || *end != '\0') {
+        goto done;
+    }
+
+    result = l_int < r_int;
+
+  done:
+    free(left);
+    free(right);
+    return StringValue(strdup(result ? "t" : ""));
+}
+
+Value* GreaterThanIntFn(const char* name, State* state,
+                        int argc, Expr* argv[]) {
+    if (argc != 2) {
+        free(state->errmsg);
+        state->errmsg = strdup("greater_than_int expects 2 arguments");
+        return NULL;
+    }
+
+    Expr* temp[2];
+    temp[0] = argv[1];
+    temp[1] = argv[0];
+
+    return LessThanIntFn(name, state, 2, temp);
+}
+
+Value* Literal(const char* name, State* state, int argc, Expr* argv[]) {
+    return StringValue(strdup(name));
+}
+
+Expr* Build(Function fn, YYLTYPE loc, int count, ...) {
+    va_list v;
+    va_start(v, count);
+    Expr* e = reinterpret_cast<Expr*>(malloc(sizeof(Expr)));
+    e->fn = fn;
+    e->name = "(operator)";
+    e->argc = count;
+    e->argv = reinterpret_cast<Expr**>(malloc(count * sizeof(Expr*)));
+    int i;
+    for (i = 0; i < count; ++i) {
+        e->argv[i] = va_arg(v, Expr*);
+    }
+    va_end(v);
+    e->start = loc.start;
+    e->end = loc.end;
+    return e;
+}
+
+// -----------------------------------------------------------------
+//   the function table
+// -----------------------------------------------------------------
+
+static int fn_entries = 0;
+static int fn_size = 0;
+NamedFunction* fn_table = NULL;
+
+void RegisterFunction(const char* name, Function fn) {
+    if (fn_entries >= fn_size) {
+        fn_size = fn_size*2 + 1;
+        fn_table = reinterpret_cast<NamedFunction*>(realloc(fn_table, fn_size * sizeof(NamedFunction)));
+    }
+    fn_table[fn_entries].name = name;
+    fn_table[fn_entries].fn = fn;
+    ++fn_entries;
+}
+
+static int fn_entry_compare(const void* a, const void* b) {
+    const char* na = ((const NamedFunction*)a)->name;
+    const char* nb = ((const NamedFunction*)b)->name;
+    return strcmp(na, nb);
+}
+
+void FinishRegistration() {
+    qsort(fn_table, fn_entries, sizeof(NamedFunction), fn_entry_compare);
+}
+
+Function FindFunction(const char* name) {
+    NamedFunction key;
+    key.name = name;
+    NamedFunction* nf = reinterpret_cast<NamedFunction*>(bsearch(&key, fn_table, fn_entries,
+            sizeof(NamedFunction), fn_entry_compare));
+    if (nf == NULL) {
+        return NULL;
+    }
+    return nf->fn;
+}
+
+void RegisterBuiltins() {
+    RegisterFunction("ifelse", IfElseFn);
+    RegisterFunction("abort", AbortFn);
+    RegisterFunction("assert", AssertFn);
+    RegisterFunction("concat", ConcatFn);
+    RegisterFunction("is_substring", SubstringFn);
+    RegisterFunction("stdout", StdoutFn);
+    RegisterFunction("sleep", SleepFn);
+
+    RegisterFunction("less_than_int", LessThanIntFn);
+    RegisterFunction("greater_than_int", GreaterThanIntFn);
+}
+
+
+// -----------------------------------------------------------------
+//   convenience methods for functions
+// -----------------------------------------------------------------
+
+// Evaluate the expressions in argv, giving 'count' char* (the ... is
+// zero or more char** to put them in).  If any expression evaluates
+// to NULL, free the rest and return -1.  Return 0 on success.
+int ReadArgs(State* state, Expr* argv[], int count, ...) {
+    char** args = reinterpret_cast<char**>(malloc(count * sizeof(char*)));
+    va_list v;
+    va_start(v, count);
+    int i;
+    for (i = 0; i < count; ++i) {
+        args[i] = Evaluate(state, argv[i]);
+        if (args[i] == NULL) {
+            va_end(v);
+            int j;
+            for (j = 0; j < i; ++j) {
+                free(args[j]);
+            }
+            free(args);
+            return -1;
+        }
+        *(va_arg(v, char**)) = args[i];
+    }
+    va_end(v);
+    free(args);
+    return 0;
+}
+
+// Evaluate the expressions in argv, giving 'count' Value* (the ... is
+// zero or more Value** to put them in).  If any expression evaluates
+// to NULL, free the rest and return -1.  Return 0 on success.
+int ReadValueArgs(State* state, Expr* argv[], int count, ...) {
+    Value** args = reinterpret_cast<Value**>(malloc(count * sizeof(Value*)));
+    va_list v;
+    va_start(v, count);
+    int i;
+    for (i = 0; i < count; ++i) {
+        args[i] = EvaluateValue(state, argv[i]);
+        if (args[i] == NULL) {
+            va_end(v);
+            int j;
+            for (j = 0; j < i; ++j) {
+                FreeValue(args[j]);
+            }
+            free(args);
+            return -1;
+        }
+        *(va_arg(v, Value**)) = args[i];
+    }
+    va_end(v);
+    free(args);
+    return 0;
+}
+
+// Evaluate the expressions in argv, returning an array of char*
+// results.  If any evaluate to NULL, free the rest and return NULL.
+// The caller is responsible for freeing the returned array and the
+// strings it contains.
+char** ReadVarArgs(State* state, int argc, Expr* argv[]) {
+    char** args = (char**)malloc(argc * sizeof(char*));
+    int i = 0;
+    for (i = 0; i < argc; ++i) {
+        args[i] = Evaluate(state, argv[i]);
+        if (args[i] == NULL) {
+            int j;
+            for (j = 0; j < i; ++j) {
+                free(args[j]);
+            }
+            free(args);
+            return NULL;
+        }
+    }
+    return args;
+}
+
+// Evaluate the expressions in argv, returning an array of Value*
+// results.  If any evaluate to NULL, free the rest and return NULL.
+// The caller is responsible for freeing the returned array and the
+// Values it contains.
+Value** ReadValueVarArgs(State* state, int argc, Expr* argv[]) {
+    Value** args = (Value**)malloc(argc * sizeof(Value*));
+    int i = 0;
+    for (i = 0; i < argc; ++i) {
+        args[i] = EvaluateValue(state, argv[i]);
+        if (args[i] == NULL) {
+            int j;
+            for (j = 0; j < i; ++j) {
+                FreeValue(args[j]);
+            }
+            free(args);
+            return NULL;
+        }
+    }
+    return args;
+}
+
+static void ErrorAbortV(State* state, const char* format, va_list ap) {
+    std::string buffer;
+    android::base::StringAppendV(&buffer, format, ap);
+    free(state->errmsg);
+    state->errmsg = strdup(buffer.c_str());
+    return;
+}
+
+// Use printf-style arguments to compose an error message to put into
+// *state.  Returns nullptr.
+Value* ErrorAbort(State* state, const char* format, ...) {
+    va_list ap;
+    va_start(ap, format);
+    ErrorAbortV(state, format, ap);
+    va_end(ap);
+    return nullptr;
+}
+
+Value* ErrorAbort(State* state, CauseCode cause_code, const char* format, ...) {
+    va_list ap;
+    va_start(ap, format);
+    ErrorAbortV(state, format, ap);
+    va_end(ap);
+    state->cause_code = cause_code;
+    return nullptr;
+}
diff --git a/edify/expr.h b/edify/expr.h
index a9ed2f9..8863479 100644
--- a/edify/expr.h
+++ b/edify/expr.h
@@ -19,12 +19,9 @@
 
 #include <unistd.h>
 
+#include "error_code.h"
 #include "yydefs.h"
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 #define MAX_STRING_LEN 1024
 
 typedef struct Expr Expr;
@@ -43,6 +40,17 @@
     // Should be NULL initially, will be either NULL or a malloc'd
     // pointer after Evaluate() returns.
     char* errmsg;
+
+    // error code indicates the type of failure (e.g. failure to update system image)
+    // during the OTA process.
+    ErrorCode error_code = kNoError;
+
+    // cause code provides more detailed reason of an OTA failure (e.g. fsync error)
+    // in addition to the error code.
+    CauseCode cause_code = kNoCause;
+
+    bool is_retry = false;
+
 } State;
 
 #define VAL_STRING  1  // data will be NULL-terminated; size doesn't count null
@@ -59,7 +67,7 @@
 
 struct Expr {
     Function fn;
-    char* name;
+    const char* name;
     int argc;
     Expr** argv;
     int start, end;
@@ -156,7 +164,13 @@
 
 // Use printf-style arguments to compose an error message to put into
 // *state.  Returns NULL.
-Value* ErrorAbort(State* state, const char* format, ...) __attribute__((format(printf, 2, 3)));
+Value* ErrorAbort(State* state, const char* format, ...)
+    __attribute__((format(printf, 2, 3), deprecated));
+
+// ErrorAbort has an optional (but recommended) argument 'cause_code'. If the cause code
+// is set, it will be logged into last_install and provides reason of OTA failures.
+Value* ErrorAbort(State* state, CauseCode cause_code, const char* format, ...)
+    __attribute__((format(printf, 3, 4)));
 
 // Wrap a string into a Value, taking ownership of the string.
 Value* StringValue(char* str);
@@ -166,8 +180,4 @@
 
 int parse_string(const char* str, Expr** root, int* error_count);
 
-#ifdef __cplusplus
-}  // extern "C"
-#endif
-
 #endif  // _EXPRESSION_H
diff --git a/edify/lexer.l b/edify/lexer.l
deleted file mode 100644
index fb2933b..0000000
--- a/edify/lexer.l
+++ /dev/null
@@ -1,112 +0,0 @@
-%{
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <string.h>
-
-#include "expr.h"
-#include "yydefs.h"
-#include "parser.h"
-
-int gLine = 1;
-int gColumn = 1;
-int gPos = 0;
-
-// TODO: enforce MAX_STRING_LEN during lexing
-char string_buffer[MAX_STRING_LEN];
-char* string_pos;
-
-#define ADVANCE do {yylloc.start=gPos; yylloc.end=gPos+yyleng; \
-                    gColumn+=yyleng; gPos+=yyleng;} while(0)
-
-%}
-
-%x STR
-
-%option noyywrap
-
-%%
-
-
-\" {
-    BEGIN(STR);
-    string_pos = string_buffer;
-    yylloc.start = gPos;
-    ++gColumn;
-    ++gPos;
-}
-
-<STR>{
-  \" {
-      ++gColumn;
-      ++gPos;
-      BEGIN(INITIAL);
-      *string_pos = '\0';
-      yylval.str = strdup(string_buffer);
-      yylloc.end = gPos;
-      return STRING;
-  }
-
-  \\n   { gColumn += yyleng; gPos += yyleng; *string_pos++ = '\n'; }
-  \\t   { gColumn += yyleng; gPos += yyleng;  *string_pos++ = '\t'; }
-  \\\"  { gColumn += yyleng; gPos += yyleng;  *string_pos++ = '\"'; }
-  \\\\  { gColumn += yyleng; gPos += yyleng;  *string_pos++ = '\\'; }
-
-  \\x[0-9a-fA-F]{2} {
-      gColumn += yyleng;
-      gPos += yyleng;
-      int val;
-      sscanf(yytext+2, "%x", &val);
-      *string_pos++ = val;
-  }
-
-  \n {
-      ++gLine;
-      ++gPos;
-      gColumn = 1;
-      *string_pos++ = yytext[0];
-  }
-
-  . {
-      ++gColumn;
-      ++gPos;
-      *string_pos++ = yytext[0];
-  }
-}
-
-if                ADVANCE; return IF;
-then              ADVANCE; return THEN;
-else              ADVANCE; return ELSE;
-endif             ADVANCE; return ENDIF;
-
-[a-zA-Z0-9_:/.]+ {
-  ADVANCE;
-  yylval.str = strdup(yytext);
-  return STRING;
-}
-
-\&\&              ADVANCE; return AND;
-\|\|              ADVANCE; return OR;
-==                ADVANCE; return EQ;
-!=                ADVANCE; return NE;
-
-[+(),!;]          ADVANCE; return yytext[0];
-
-[ \t]+            ADVANCE;
-
-(#.*)?\n          gPos += yyleng; ++gLine; gColumn = 1;
-
-.                 return BAD;
diff --git a/edify/lexer.ll b/edify/lexer.ll
new file mode 100644
index 0000000..b764d16
--- /dev/null
+++ b/edify/lexer.ll
@@ -0,0 +1,110 @@
+%{
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <string.h>
+#include <string>
+
+#include "expr.h"
+#include "yydefs.h"
+#include "parser.h"
+
+int gLine = 1;
+int gColumn = 1;
+int gPos = 0;
+
+std::string string_buffer;
+
+#define ADVANCE do {yylloc.start=gPos; yylloc.end=gPos+yyleng; \
+                    gColumn+=yyleng; gPos+=yyleng;} while(0)
+
+%}
+
+%x STR
+
+%option noyywrap
+
+%%
+
+
+\" {
+    BEGIN(STR);
+    string_buffer.clear();
+    yylloc.start = gPos;
+    ++gColumn;
+    ++gPos;
+}
+
+<STR>{
+  \" {
+      ++gColumn;
+      ++gPos;
+      BEGIN(INITIAL);
+      yylval.str = strdup(string_buffer.c_str());
+      yylloc.end = gPos;
+      return STRING;
+  }
+
+  \\n   { gColumn += yyleng; gPos += yyleng; string_buffer.push_back('\n'); }
+  \\t   { gColumn += yyleng; gPos += yyleng; string_buffer.push_back('\t'); }
+  \\\"  { gColumn += yyleng; gPos += yyleng; string_buffer.push_back('\"'); }
+  \\\\  { gColumn += yyleng; gPos += yyleng; string_buffer.push_back('\\'); }
+
+  \\x[0-9a-fA-F]{2} {
+      gColumn += yyleng;
+      gPos += yyleng;
+      int val;
+      sscanf(yytext+2, "%x", &val);
+      string_buffer.push_back(static_cast<char>(val));
+  }
+
+  \n {
+      ++gLine;
+      ++gPos;
+      gColumn = 1;
+      string_buffer.push_back(yytext[0]);
+  }
+
+  . {
+      ++gColumn;
+      ++gPos;
+      string_buffer.push_back(yytext[0]);
+  }
+}
+
+if                ADVANCE; return IF;
+then              ADVANCE; return THEN;
+else              ADVANCE; return ELSE;
+endif             ADVANCE; return ENDIF;
+
+[a-zA-Z0-9_:/.]+ {
+  ADVANCE;
+  yylval.str = strdup(yytext);
+  return STRING;
+}
+
+\&\&              ADVANCE; return AND;
+\|\|              ADVANCE; return OR;
+==                ADVANCE; return EQ;
+!=                ADVANCE; return NE;
+
+[+(),!;]          ADVANCE; return yytext[0];
+
+[ \t]+            ADVANCE;
+
+(#.*)?\n          gPos += yyleng; ++gLine; gColumn = 1;
+
+.                 return BAD;
diff --git a/edify/main.c b/edify/main.c
deleted file mode 100644
index b1baa0b..0000000
--- a/edify/main.c
+++ /dev/null
@@ -1,214 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "expr.h"
-#include "parser.h"
-
-extern int yyparse(Expr** root, int* error_count);
-
-int expect(const char* expr_str, const char* expected, int* errors) {
-    Expr* e;
-    char* result;
-
-    printf(".");
-
-    int error_count = parse_string(expr_str, &e, &error_count);
-    if (error_count > 0) {
-        printf("error parsing \"%s\" (%d errors)\n",
-               expr_str, error_count);
-        ++*errors;
-        return 0;
-    }
-
-    State state;
-    state.cookie = NULL;
-    state.script = strdup(expr_str);
-    state.errmsg = NULL;
-
-    result = Evaluate(&state, e);
-    free(state.errmsg);
-    free(state.script);
-    if (result == NULL && expected != NULL) {
-        printf("error evaluating \"%s\"\n", expr_str);
-        ++*errors;
-        return 0;
-    }
-
-    if (result == NULL && expected == NULL) {
-        return 1;
-    }
-
-    if (strcmp(result, expected) != 0) {
-        printf("evaluating \"%s\": expected \"%s\", got \"%s\"\n",
-               expr_str, expected, result);
-        ++*errors;
-        free(result);
-        return 0;
-    }
-
-    free(result);
-    return 1;
-}
-
-int test() {
-    int errors = 0;
-
-    expect("a", "a", &errors);
-    expect("\"a\"", "a", &errors);
-    expect("\"\\x61\"", "a", &errors);
-    expect("# this is a comment\n"
-           "  a\n"
-           "   \n",
-           "a", &errors);
-
-
-    // sequence operator
-    expect("a; b; c", "c", &errors);
-
-    // string concat operator
-    expect("a + b", "ab", &errors);
-    expect("a + \n \"b\"", "ab", &errors);
-    expect("a + b +\nc\n", "abc", &errors);
-
-    // string concat function
-    expect("concat(a, b)", "ab", &errors);
-    expect("concat(a,\n \"b\")", "ab", &errors);
-    expect("concat(a + b,\nc,\"d\")", "abcd", &errors);
-    expect("\"concat\"(a + b,\nc,\"d\")", "abcd", &errors);
-
-    // logical and
-    expect("a && b", "b", &errors);
-    expect("a && \"\"", "", &errors);
-    expect("\"\" && b", "", &errors);
-    expect("\"\" && \"\"", "", &errors);
-    expect("\"\" && abort()", "", &errors);   // test short-circuiting
-    expect("t && abort()", NULL, &errors);
-
-    // logical or
-    expect("a || b", "a", &errors);
-    expect("a || \"\"", "a", &errors);
-    expect("\"\" || b", "b", &errors);
-    expect("\"\" || \"\"", "", &errors);
-    expect("a || abort()", "a", &errors);     // test short-circuiting
-    expect("\"\" || abort()", NULL, &errors);
-
-    // logical not
-    expect("!a", "", &errors);
-    expect("! \"\"", "t", &errors);
-    expect("!!a", "t", &errors);
-
-    // precedence
-    expect("\"\" == \"\" && b", "b", &errors);
-    expect("a + b == ab", "t", &errors);
-    expect("ab == a + b", "t", &errors);
-    expect("a + (b == ab)", "a", &errors);
-    expect("(ab == a) + b", "b", &errors);
-
-    // substring function
-    expect("is_substring(cad, abracadabra)", "t", &errors);
-    expect("is_substring(abrac, abracadabra)", "t", &errors);
-    expect("is_substring(dabra, abracadabra)", "t", &errors);
-    expect("is_substring(cad, abracxadabra)", "", &errors);
-    expect("is_substring(abrac, axbracadabra)", "", &errors);
-    expect("is_substring(dabra, abracadabrxa)", "", &errors);
-
-    // ifelse function
-    expect("ifelse(t, yes, no)", "yes", &errors);
-    expect("ifelse(!t, yes, no)", "no", &errors);
-    expect("ifelse(t, yes, abort())", "yes", &errors);
-    expect("ifelse(!t, abort(), no)", "no", &errors);
-
-    // if "statements"
-    expect("if t then yes else no endif", "yes", &errors);
-    expect("if \"\" then yes else no endif", "no", &errors);
-    expect("if \"\" then yes endif", "", &errors);
-    expect("if \"\"; t then yes endif", "yes", &errors);
-
-    // numeric comparisons
-    expect("less_than_int(3, 14)", "t", &errors);
-    expect("less_than_int(14, 3)", "", &errors);
-    expect("less_than_int(x, 3)", "", &errors);
-    expect("less_than_int(3, x)", "", &errors);
-    expect("greater_than_int(3, 14)", "", &errors);
-    expect("greater_than_int(14, 3)", "t", &errors);
-    expect("greater_than_int(x, 3)", "", &errors);
-    expect("greater_than_int(3, x)", "", &errors);
-
-    printf("\n");
-
-    return errors;
-}
-
-void ExprDump(int depth, Expr* n, char* script) {
-    printf("%*s", depth*2, "");
-    char temp = script[n->end];
-    script[n->end] = '\0';
-    printf("%s %p (%d-%d) \"%s\"\n",
-           n->name == NULL ? "(NULL)" : n->name, n->fn, n->start, n->end,
-           script+n->start);
-    script[n->end] = temp;
-    int i;
-    for (i = 0; i < n->argc; ++i) {
-        ExprDump(depth+1, n->argv[i], script);
-    }
-}
-
-int main(int argc, char** argv) {
-    RegisterBuiltins();
-    FinishRegistration();
-
-    if (argc == 1) {
-        return test() != 0;
-    }
-
-    FILE* f = fopen(argv[1], "r");
-    if (f == NULL) {
-        printf("%s: %s: No such file or directory\n", argv[0], argv[1]);
-        return 1;
-    }
-    char buffer[8192];
-    int size = fread(buffer, 1, 8191, f);
-    fclose(f);
-    buffer[size] = '\0';
-
-    Expr* root;
-    int error_count = 0;
-    int error = parse_string(buffer, &root, &error_count);
-    printf("parse returned %d; %d errors encountered\n", error, error_count);
-    if (error == 0 || error_count > 0) {
-
-        ExprDump(0, root, buffer);
-
-        State state;
-        state.cookie = NULL;
-        state.script = buffer;
-        state.errmsg = NULL;
-
-        char* result = Evaluate(&state, root);
-        if (result == NULL) {
-            printf("result was NULL, message is: %s\n",
-                   (state.errmsg == NULL ? "(NULL)" : state.errmsg));
-            free(state.errmsg);
-        } else {
-            printf("result is [%s]\n", result);
-        }
-    }
-    return 0;
-}
diff --git a/edify/main.cpp b/edify/main.cpp
new file mode 100644
index 0000000..6007a3d
--- /dev/null
+++ b/edify/main.cpp
@@ -0,0 +1,219 @@
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <string>
+
+#include "expr.h"
+#include "parser.h"
+
+extern int yyparse(Expr** root, int* error_count);
+
+int expect(const char* expr_str, const char* expected, int* errors) {
+    Expr* e;
+    char* result;
+
+    printf(".");
+
+    int error_count = parse_string(expr_str, &e, &error_count);
+    if (error_count > 0) {
+        printf("error parsing \"%s\" (%d errors)\n",
+               expr_str, error_count);
+        ++*errors;
+        return 0;
+    }
+
+    State state;
+    state.cookie = NULL;
+    state.script = strdup(expr_str);
+    state.errmsg = NULL;
+
+    result = Evaluate(&state, e);
+    free(state.errmsg);
+    free(state.script);
+    if (result == NULL && expected != NULL) {
+        printf("error evaluating \"%s\"\n", expr_str);
+        ++*errors;
+        return 0;
+    }
+
+    if (result == NULL && expected == NULL) {
+        return 1;
+    }
+
+    if (strcmp(result, expected) != 0) {
+        printf("evaluating \"%s\": expected \"%s\", got \"%s\"\n",
+               expr_str, expected, result);
+        ++*errors;
+        free(result);
+        return 0;
+    }
+
+    free(result);
+    return 1;
+}
+
+int test() {
+    int errors = 0;
+
+    expect("a", "a", &errors);
+    expect("\"a\"", "a", &errors);
+    expect("\"\\x61\"", "a", &errors);
+    expect("# this is a comment\n"
+           "  a\n"
+           "   \n",
+           "a", &errors);
+
+
+    // sequence operator
+    expect("a; b; c", "c", &errors);
+
+    // string concat operator
+    expect("a + b", "ab", &errors);
+    expect("a + \n \"b\"", "ab", &errors);
+    expect("a + b +\nc\n", "abc", &errors);
+
+    // string concat function
+    expect("concat(a, b)", "ab", &errors);
+    expect("concat(a,\n \"b\")", "ab", &errors);
+    expect("concat(a + b,\nc,\"d\")", "abcd", &errors);
+    expect("\"concat\"(a + b,\nc,\"d\")", "abcd", &errors);
+
+    // logical and
+    expect("a && b", "b", &errors);
+    expect("a && \"\"", "", &errors);
+    expect("\"\" && b", "", &errors);
+    expect("\"\" && \"\"", "", &errors);
+    expect("\"\" && abort()", "", &errors);   // test short-circuiting
+    expect("t && abort()", NULL, &errors);
+
+    // logical or
+    expect("a || b", "a", &errors);
+    expect("a || \"\"", "a", &errors);
+    expect("\"\" || b", "b", &errors);
+    expect("\"\" || \"\"", "", &errors);
+    expect("a || abort()", "a", &errors);     // test short-circuiting
+    expect("\"\" || abort()", NULL, &errors);
+
+    // logical not
+    expect("!a", "", &errors);
+    expect("! \"\"", "t", &errors);
+    expect("!!a", "t", &errors);
+
+    // precedence
+    expect("\"\" == \"\" && b", "b", &errors);
+    expect("a + b == ab", "t", &errors);
+    expect("ab == a + b", "t", &errors);
+    expect("a + (b == ab)", "a", &errors);
+    expect("(ab == a) + b", "b", &errors);
+
+    // substring function
+    expect("is_substring(cad, abracadabra)", "t", &errors);
+    expect("is_substring(abrac, abracadabra)", "t", &errors);
+    expect("is_substring(dabra, abracadabra)", "t", &errors);
+    expect("is_substring(cad, abracxadabra)", "", &errors);
+    expect("is_substring(abrac, axbracadabra)", "", &errors);
+    expect("is_substring(dabra, abracadabrxa)", "", &errors);
+
+    // ifelse function
+    expect("ifelse(t, yes, no)", "yes", &errors);
+    expect("ifelse(!t, yes, no)", "no", &errors);
+    expect("ifelse(t, yes, abort())", "yes", &errors);
+    expect("ifelse(!t, abort(), no)", "no", &errors);
+
+    // if "statements"
+    expect("if t then yes else no endif", "yes", &errors);
+    expect("if \"\" then yes else no endif", "no", &errors);
+    expect("if \"\" then yes endif", "", &errors);
+    expect("if \"\"; t then yes endif", "yes", &errors);
+
+    // numeric comparisons
+    expect("less_than_int(3, 14)", "t", &errors);
+    expect("less_than_int(14, 3)", "", &errors);
+    expect("less_than_int(x, 3)", "", &errors);
+    expect("less_than_int(3, x)", "", &errors);
+    expect("greater_than_int(3, 14)", "", &errors);
+    expect("greater_than_int(14, 3)", "t", &errors);
+    expect("greater_than_int(x, 3)", "", &errors);
+    expect("greater_than_int(3, x)", "", &errors);
+
+    // big string
+    expect(std::string(8192, 's').c_str(), std::string(8192, 's').c_str(), &errors);
+
+    printf("\n");
+
+    return errors;
+}
+
+void ExprDump(int depth, Expr* n, char* script) {
+    printf("%*s", depth*2, "");
+    char temp = script[n->end];
+    script[n->end] = '\0';
+    printf("%s %p (%d-%d) \"%s\"\n",
+           n->name == NULL ? "(NULL)" : n->name, n->fn, n->start, n->end,
+           script+n->start);
+    script[n->end] = temp;
+    int i;
+    for (i = 0; i < n->argc; ++i) {
+        ExprDump(depth+1, n->argv[i], script);
+    }
+}
+
+int main(int argc, char** argv) {
+    RegisterBuiltins();
+    FinishRegistration();
+
+    if (argc == 1) {
+        return test() != 0;
+    }
+
+    FILE* f = fopen(argv[1], "r");
+    if (f == NULL) {
+        printf("%s: %s: No such file or directory\n", argv[0], argv[1]);
+        return 1;
+    }
+    char buffer[8192];
+    int size = fread(buffer, 1, 8191, f);
+    fclose(f);
+    buffer[size] = '\0';
+
+    Expr* root;
+    int error_count = 0;
+    int error = parse_string(buffer, &root, &error_count);
+    printf("parse returned %d; %d errors encountered\n", error, error_count);
+    if (error == 0 || error_count > 0) {
+
+        ExprDump(0, root, buffer);
+
+        State state;
+        state.cookie = NULL;
+        state.script = buffer;
+        state.errmsg = NULL;
+
+        char* result = Evaluate(&state, root);
+        if (result == NULL) {
+            printf("result was NULL, message is: %s\n",
+                   (state.errmsg == NULL ? "(NULL)" : state.errmsg));
+            free(state.errmsg);
+        } else {
+            printf("result is [%s]\n", result);
+        }
+    }
+    return 0;
+}
diff --git a/edify/parser.y b/edify/parser.y
deleted file mode 100644
index f8fb2d1..0000000
--- a/edify/parser.y
+++ /dev/null
@@ -1,139 +0,0 @@
-%{
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "expr.h"
-#include "yydefs.h"
-#include "parser.h"
-
-extern int gLine;
-extern int gColumn;
-
-void yyerror(Expr** root, int* error_count, const char* s);
-int yyparse(Expr** root, int* error_count);
-
-struct yy_buffer_state;
-void yy_switch_to_buffer(struct yy_buffer_state* new_buffer);
-struct yy_buffer_state* yy_scan_string(const char* yystr);
-
-%}
-
-%locations
-
-%union {
-    char* str;
-    Expr* expr;
-    struct {
-        int argc;
-        Expr** argv;
-    } args;
-}
-
-%token AND OR SUBSTR SUPERSTR EQ NE IF THEN ELSE ENDIF
-%token <str> STRING BAD
-%type <expr> expr
-%type <args> arglist
-
-%parse-param {Expr** root}
-%parse-param {int* error_count}
-%error-verbose
-
-/* declarations in increasing order of precedence */
-%left ';'
-%left ','
-%left OR
-%left AND
-%left EQ NE
-%left '+'
-%right '!'
-
-%%
-
-input:  expr           { *root = $1; }
-;
-
-expr:  STRING {
-    $$ = malloc(sizeof(Expr));
-    $$->fn = Literal;
-    $$->name = $1;
-    $$->argc = 0;
-    $$->argv = NULL;
-    $$->start = @$.start;
-    $$->end = @$.end;
-}
-|  '(' expr ')'                      { $$ = $2; $$->start=@$.start; $$->end=@$.end; }
-|  expr ';'                          { $$ = $1; $$->start=@1.start; $$->end=@1.end; }
-|  expr ';' expr                     { $$ = Build(SequenceFn, @$, 2, $1, $3); }
-|  error ';' expr                    { $$ = $3; $$->start=@$.start; $$->end=@$.end; }
-|  expr '+' expr                     { $$ = Build(ConcatFn, @$, 2, $1, $3); }
-|  expr EQ expr                      { $$ = Build(EqualityFn, @$, 2, $1, $3); }
-|  expr NE expr                      { $$ = Build(InequalityFn, @$, 2, $1, $3); }
-|  expr AND expr                     { $$ = Build(LogicalAndFn, @$, 2, $1, $3); }
-|  expr OR expr                      { $$ = Build(LogicalOrFn, @$, 2, $1, $3); }
-|  '!' expr                          { $$ = Build(LogicalNotFn, @$, 1, $2); }
-|  IF expr THEN expr ENDIF           { $$ = Build(IfElseFn, @$, 2, $2, $4); }
-|  IF expr THEN expr ELSE expr ENDIF { $$ = Build(IfElseFn, @$, 3, $2, $4, $6); }
-| STRING '(' arglist ')' {
-    $$ = malloc(sizeof(Expr));
-    $$->fn = FindFunction($1);
-    if ($$->fn == NULL) {
-        char buffer[256];
-        snprintf(buffer, sizeof(buffer), "unknown function \"%s\"", $1);
-        yyerror(root, error_count, buffer);
-        YYERROR;
-    }
-    $$->name = $1;
-    $$->argc = $3.argc;
-    $$->argv = $3.argv;
-    $$->start = @$.start;
-    $$->end = @$.end;
-}
-;
-
-arglist:    /* empty */ {
-    $$.argc = 0;
-    $$.argv = NULL;
-}
-| expr {
-    $$.argc = 1;
-    $$.argv = malloc(sizeof(Expr*));
-    $$.argv[0] = $1;
-}
-| arglist ',' expr {
-    $$.argc = $1.argc + 1;
-    $$.argv = realloc($$.argv, $$.argc * sizeof(Expr*));
-    $$.argv[$$.argc-1] = $3;
-}
-;
-
-%%
-
-void yyerror(Expr** root, int* error_count, const char* s) {
-  if (strlen(s) == 0) {
-    s = "syntax error";
-  }
-  printf("line %d col %d: %s\n", gLine, gColumn, s);
-  ++*error_count;
-}
-
-int parse_string(const char* str, Expr** root, int* error_count) {
-    yy_switch_to_buffer(yy_scan_string(str));
-    return yyparse(root, error_count);
-}
diff --git a/edify/parser.yy b/edify/parser.yy
new file mode 100644
index 0000000..098a637
--- /dev/null
+++ b/edify/parser.yy
@@ -0,0 +1,139 @@
+%{
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "expr.h"
+#include "yydefs.h"
+#include "parser.h"
+
+extern int gLine;
+extern int gColumn;
+
+void yyerror(Expr** root, int* error_count, const char* s);
+int yyparse(Expr** root, int* error_count);
+
+struct yy_buffer_state;
+void yy_switch_to_buffer(struct yy_buffer_state* new_buffer);
+struct yy_buffer_state* yy_scan_string(const char* yystr);
+
+%}
+
+%locations
+
+%union {
+    char* str;
+    Expr* expr;
+    struct {
+        int argc;
+        Expr** argv;
+    } args;
+}
+
+%token AND OR SUBSTR SUPERSTR EQ NE IF THEN ELSE ENDIF
+%token <str> STRING BAD
+%type <expr> expr
+%type <args> arglist
+
+%parse-param {Expr** root}
+%parse-param {int* error_count}
+%error-verbose
+
+/* declarations in increasing order of precedence */
+%left ';'
+%left ','
+%left OR
+%left AND
+%left EQ NE
+%left '+'
+%right '!'
+
+%%
+
+input:  expr           { *root = $1; }
+;
+
+expr:  STRING {
+    $$ = reinterpret_cast<Expr*>(malloc(sizeof(Expr)));
+    $$->fn = Literal;
+    $$->name = $1;
+    $$->argc = 0;
+    $$->argv = NULL;
+    $$->start = @$.start;
+    $$->end = @$.end;
+}
+|  '(' expr ')'                      { $$ = $2; $$->start=@$.start; $$->end=@$.end; }
+|  expr ';'                          { $$ = $1; $$->start=@1.start; $$->end=@1.end; }
+|  expr ';' expr                     { $$ = Build(SequenceFn, @$, 2, $1, $3); }
+|  error ';' expr                    { $$ = $3; $$->start=@$.start; $$->end=@$.end; }
+|  expr '+' expr                     { $$ = Build(ConcatFn, @$, 2, $1, $3); }
+|  expr EQ expr                      { $$ = Build(EqualityFn, @$, 2, $1, $3); }
+|  expr NE expr                      { $$ = Build(InequalityFn, @$, 2, $1, $3); }
+|  expr AND expr                     { $$ = Build(LogicalAndFn, @$, 2, $1, $3); }
+|  expr OR expr                      { $$ = Build(LogicalOrFn, @$, 2, $1, $3); }
+|  '!' expr                          { $$ = Build(LogicalNotFn, @$, 1, $2); }
+|  IF expr THEN expr ENDIF           { $$ = Build(IfElseFn, @$, 2, $2, $4); }
+|  IF expr THEN expr ELSE expr ENDIF { $$ = Build(IfElseFn, @$, 3, $2, $4, $6); }
+| STRING '(' arglist ')' {
+    $$ = reinterpret_cast<Expr*>(malloc(sizeof(Expr)));
+    $$->fn = FindFunction($1);
+    if ($$->fn == NULL) {
+        char buffer[256];
+        snprintf(buffer, sizeof(buffer), "unknown function \"%s\"", $1);
+        yyerror(root, error_count, buffer);
+        YYERROR;
+    }
+    $$->name = $1;
+    $$->argc = $3.argc;
+    $$->argv = $3.argv;
+    $$->start = @$.start;
+    $$->end = @$.end;
+}
+;
+
+arglist:    /* empty */ {
+    $$.argc = 0;
+    $$.argv = NULL;
+}
+| expr {
+    $$.argc = 1;
+    $$.argv = reinterpret_cast<Expr**>(malloc(sizeof(Expr*)));
+    $$.argv[0] = $1;
+}
+| arglist ',' expr {
+    $$.argc = $1.argc + 1;
+    $$.argv = reinterpret_cast<Expr**>(realloc($$.argv, $$.argc * sizeof(Expr*)));
+    $$.argv[$$.argc-1] = $3;
+}
+;
+
+%%
+
+void yyerror(Expr** root, int* error_count, const char* s) {
+  if (strlen(s) == 0) {
+    s = "syntax error";
+  }
+  printf("line %d col %d: %s\n", gLine, gColumn, s);
+  ++*error_count;
+}
+
+int parse_string(const char* str, Expr** root, int* error_count) {
+    yy_switch_to_buffer(yy_scan_string(str));
+    return yyparse(root, error_count);
+}
diff --git a/error_code.h b/error_code.h
new file mode 100644
index 0000000..259319a
--- /dev/null
+++ b/error_code.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _ERROR_CODE_H_
+#define _ERROR_CODE_H_
+
+enum ErrorCode {
+    kNoError = -1,
+    kLowBattery = 20,
+    kZipVerificationFailure,
+    kZipOpenFailure
+};
+
+enum CauseCode {
+    kNoCause = -1,
+    kArgsParsingFailure = 100,
+    kStashCreationFailure,
+    kFileOpenFailure,
+    kLseekFailure,
+    kFreadFailure,
+    kFwriteFailure,
+    kFsyncFailure,
+    kLibfecFailure,
+    kFileGetPropFailure,
+    kFileRenameFailure,
+    kSymlinkFailure,
+    kSetMetadataFailure,
+    kTune2FsFailure,
+    kRebootFailure,
+    kVendorFailure = 200
+};
+
+#endif
diff --git a/etc/init.rc b/etc/init.rc
index 4277277..5915b8d 100644
--- a/etc/init.rc
+++ b/etc/init.rc
@@ -1,11 +1,13 @@
 import /init.recovery.${ro.hardware}.rc
 
 on early-init
+    # Set the security context of /postinstall if present.
+    restorecon /postinstall
+
     start ueventd
     start healthd
 
 on init
-    export PATH /sbin:/system/bin
     export ANDROID_ROOT /system
     export ANDROID_DATA /data
     export EXTERNAL_STORAGE /sdcard
diff --git a/fuse_sdcard_provider.c b/fuse_sdcard_provider.c
deleted file mode 100644
index 4565c7b..0000000
--- a/fuse_sdcard_provider.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * Copyright (C) 2014 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <pthread.h>
-#include <sys/mount.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <fcntl.h>
-
-#include "fuse_sideload.h"
-
-struct file_data {
-    int fd;  // the underlying sdcard file
-
-    uint64_t file_size;
-    uint32_t block_size;
-};
-
-static int read_block_file(void* cookie, uint32_t block, uint8_t* buffer, uint32_t fetch_size) {
-    struct file_data* fd = (struct file_data*)cookie;
-
-    off64_t offset = ((off64_t) block) * fd->block_size;
-    if (TEMP_FAILURE_RETRY(lseek64(fd->fd, offset, SEEK_SET)) == -1) {
-        fprintf(stderr, "seek on sdcard failed: %s\n", strerror(errno));
-        return -EIO;
-    }
-
-    while (fetch_size > 0) {
-        ssize_t r = TEMP_FAILURE_RETRY(read(fd->fd, buffer, fetch_size));
-        if (r == -1) {
-            fprintf(stderr, "read on sdcard failed: %s\n", strerror(errno));
-            return -EIO;
-        }
-        fetch_size -= r;
-        buffer += r;
-    }
-
-    return 0;
-}
-
-static void close_file(void* cookie) {
-    struct file_data* fd = (struct file_data*)cookie;
-    close(fd->fd);
-}
-
-struct token {
-    pthread_t th;
-    const char* path;
-    int result;
-};
-
-static void* run_sdcard_fuse(void* cookie) {
-    struct token* t = (struct token*)cookie;
-
-    struct stat sb;
-    if (stat(t->path, &sb) < 0) {
-        fprintf(stderr, "failed to stat %s: %s\n", t->path, strerror(errno));
-        t->result = -1;
-        return NULL;
-    }
-
-    struct file_data fd;
-    struct provider_vtab vtab;
-
-    fd.fd = open(t->path, O_RDONLY);
-    if (fd.fd < 0) {
-        fprintf(stderr, "failed to open %s: %s\n", t->path, strerror(errno));
-        t->result = -1;
-        return NULL;
-    }
-    fd.file_size = sb.st_size;
-    fd.block_size = 65536;
-
-    vtab.read_block = read_block_file;
-    vtab.close = close_file;
-
-    t->result = run_fuse_sideload(&vtab, &fd, fd.file_size, fd.block_size);
-    return NULL;
-}
-
-// How long (in seconds) we wait for the fuse-provided package file to
-// appear, before timing out.
-#define SDCARD_INSTALL_TIMEOUT 10
-
-void* start_sdcard_fuse(const char* path) {
-    struct token* t = malloc(sizeof(struct token));
-
-    t->path = path;
-    pthread_create(&(t->th), NULL, run_sdcard_fuse, t);
-
-    struct stat st;
-    int i;
-    for (i = 0; i < SDCARD_INSTALL_TIMEOUT; ++i) {
-        if (stat(FUSE_SIDELOAD_HOST_PATHNAME, &st) != 0) {
-            if (errno == ENOENT && i < SDCARD_INSTALL_TIMEOUT-1) {
-                sleep(1);
-                continue;
-            } else {
-                return NULL;
-            }
-        }
-    }
-
-    // The installation process expects to find the sdcard unmounted.
-    // Unmount it with MNT_DETACH so that our open file continues to
-    // work but new references see it as unmounted.
-    umount2("/sdcard", MNT_DETACH);
-
-    return t;
-}
-
-void finish_sdcard_fuse(void* cookie) {
-    if (cookie == NULL) return;
-    struct token* t = (struct token*)cookie;
-
-    // Calling stat() on this magic filename signals the fuse
-    // filesystem to shut down.
-    struct stat st;
-    stat(FUSE_SIDELOAD_HOST_EXIT_PATHNAME, &st);
-
-    pthread_join(t->th, NULL);
-    free(t);
-}
diff --git a/fuse_sdcard_provider.cpp b/fuse_sdcard_provider.cpp
new file mode 100644
index 0000000..df96312
--- /dev/null
+++ b/fuse_sdcard_provider.cpp
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#include "fuse_sideload.h"
+
+struct file_data {
+    int fd;  // the underlying sdcard file
+
+    uint64_t file_size;
+    uint32_t block_size;
+};
+
+static int read_block_file(void* cookie, uint32_t block, uint8_t* buffer, uint32_t fetch_size) {
+    file_data* fd = reinterpret_cast<file_data*>(cookie);
+
+    off64_t offset = ((off64_t) block) * fd->block_size;
+    if (TEMP_FAILURE_RETRY(lseek64(fd->fd, offset, SEEK_SET)) == -1) {
+        fprintf(stderr, "seek on sdcard failed: %s\n", strerror(errno));
+        return -EIO;
+    }
+
+    while (fetch_size > 0) {
+        ssize_t r = TEMP_FAILURE_RETRY(read(fd->fd, buffer, fetch_size));
+        if (r == -1) {
+            fprintf(stderr, "read on sdcard failed: %s\n", strerror(errno));
+            return -EIO;
+        }
+        fetch_size -= r;
+        buffer += r;
+    }
+
+    return 0;
+}
+
+static void close_file(void* cookie) {
+    file_data* fd = reinterpret_cast<file_data*>(cookie);
+    close(fd->fd);
+}
+
+bool start_sdcard_fuse(const char* path) {
+    struct stat sb;
+    if (stat(path, &sb) == -1) {
+        fprintf(stderr, "failed to stat %s: %s\n", path, strerror(errno));
+        return false;
+    }
+
+    file_data fd;
+    fd.fd = open(path, O_RDONLY);
+    if (fd.fd == -1) {
+        fprintf(stderr, "failed to open %s: %s\n", path, strerror(errno));
+        return false;
+    }
+    fd.file_size = sb.st_size;
+    fd.block_size = 65536;
+
+    provider_vtab vtab;
+    vtab.read_block = read_block_file;
+    vtab.close = close_file;
+
+    // The installation process expects to find the sdcard unmounted.
+    // Unmount it with MNT_DETACH so that our open file continues to
+    // work but new references see it as unmounted.
+    umount2("/sdcard", MNT_DETACH);
+
+    return run_fuse_sideload(&vtab, &fd, fd.file_size, fd.block_size) == 0;
+}
diff --git a/fuse_sdcard_provider.h b/fuse_sdcard_provider.h
index dbfbcd5..bdc60f2 100644
--- a/fuse_sdcard_provider.h
+++ b/fuse_sdcard_provider.h
@@ -17,13 +17,6 @@
 #ifndef __FUSE_SDCARD_PROVIDER_H
 #define __FUSE_SDCARD_PROVIDER_H
 
-#include <sys/cdefs.h>
-
-__BEGIN_DECLS
-
-void* start_sdcard_fuse(const char* path);
-void finish_sdcard_fuse(void* token);
-
-__END_DECLS
+bool start_sdcard_fuse(const char* path);
 
 #endif
diff --git a/fuse_sideload.c b/fuse_sideload.c
deleted file mode 100644
index 48e6cc5..0000000
--- a/fuse_sideload.c
+++ /dev/null
@@ -1,527 +0,0 @@
-/*
- * Copyright (C) 2014 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-// This module creates a special filesystem containing two files.
-//
-// "/sideload/package.zip" appears to be a normal file, but reading
-// from it causes data to be fetched from the adb host.  We can use
-// this to sideload packages over an adb connection without having to
-// store the entire package in RAM on the device.
-//
-// Because we may not trust the adb host, this filesystem maintains
-// the following invariant: each read of a given position returns the
-// same data as the first read at that position.  That is, once a
-// section of the file is read, future reads of that section return
-// the same data.  (Otherwise, a malicious adb host process could
-// return one set of bits when the package is read for signature
-// verification, and then different bits for when the package is
-// accessed by the installer.)  If the adb host returns something
-// different than it did on the first read, the reader of the file
-// will see their read fail with EINVAL.
-//
-// The other file, "/sideload/exit", is used to control the subprocess
-// that creates this filesystem.  Calling stat() on the exit file
-// causes the filesystem to be unmounted and the adb process on the
-// device shut down.
-//
-// Note that only the minimal set of file operations needed for these
-// two files is implemented.  In particular, you can't opendir() or
-// readdir() on the "/sideload" directory; ls on it won't work.
-
-#include <ctype.h>
-#include <dirent.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <limits.h>
-#include <linux/fuse.h>
-#include <pthread.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/inotify.h>
-#include <sys/mount.h>
-#include <sys/param.h>
-#include <sys/resource.h>
-#include <sys/stat.h>
-#include <sys/statfs.h>
-#include <sys/time.h>
-#include <sys/uio.h>
-#include <unistd.h>
-
-#include "mincrypt/sha256.h"
-#include "fuse_sideload.h"
-
-#define PACKAGE_FILE_ID   (FUSE_ROOT_ID+1)
-#define EXIT_FLAG_ID      (FUSE_ROOT_ID+2)
-
-#define NO_STATUS         1
-#define NO_STATUS_EXIT    2
-
-struct fuse_data {
-    int ffd;   // file descriptor for the fuse socket
-
-    struct provider_vtab* vtab;
-    void* cookie;
-
-    uint64_t file_size;     // bytes
-
-    uint32_t block_size;    // block size that the adb host is using to send the file to us
-    uint32_t file_blocks;   // file size in block_size blocks
-
-    uid_t uid;
-    gid_t gid;
-
-    uint32_t curr_block;    // cache the block most recently read from the host
-    uint8_t* block_data;
-
-    uint8_t* extra_block;   // another block of storage for reads that
-                            // span two blocks
-
-    uint8_t* hashes;        // SHA-256 hash of each block (all zeros
-                            // if block hasn't been read yet)
-};
-
-static void fuse_reply(struct fuse_data* fd, __u64 unique, const void *data, size_t len)
-{
-    struct fuse_out_header hdr;
-    struct iovec vec[2];
-    int res;
-
-    hdr.len = len + sizeof(hdr);
-    hdr.error = 0;
-    hdr.unique = unique;
-
-    vec[0].iov_base = &hdr;
-    vec[0].iov_len = sizeof(hdr);
-    vec[1].iov_base = /* const_cast */(void*)(data);
-    vec[1].iov_len = len;
-
-    res = writev(fd->ffd, vec, 2);
-    if (res < 0) {
-        printf("*** REPLY FAILED *** %s\n", strerror(errno));
-    }
-}
-
-static int handle_init(void* data, struct fuse_data* fd, const struct fuse_in_header* hdr) {
-    const struct fuse_init_in* req = data;
-    struct fuse_init_out out;
-    size_t fuse_struct_size;
-
-
-    /* Kernel 2.6.16 is the first stable kernel with struct fuse_init_out
-     * defined (fuse version 7.6). The structure is the same from 7.6 through
-     * 7.22. Beginning with 7.23, the structure increased in size and added
-     * new parameters.
-     */
-    if (req->major != FUSE_KERNEL_VERSION || req->minor < 6) {
-        printf("Fuse kernel version mismatch: Kernel version %d.%d, Expected at least %d.6",
-               req->major, req->minor, FUSE_KERNEL_VERSION);
-        return -1;
-    }
-
-    out.minor = MIN(req->minor, FUSE_KERNEL_MINOR_VERSION);
-    fuse_struct_size = sizeof(out);
-#if defined(FUSE_COMPAT_22_INIT_OUT_SIZE)
-    /* FUSE_KERNEL_VERSION >= 23. */
-
-    /* If the kernel only works on minor revs older than or equal to 22,
-     * then use the older structure size since this code only uses the 7.22
-     * version of the structure. */
-    if (req->minor <= 22) {
-        fuse_struct_size = FUSE_COMPAT_22_INIT_OUT_SIZE;
-    }
-#endif
-
-    out.major = FUSE_KERNEL_VERSION;
-    out.max_readahead = req->max_readahead;
-    out.flags = 0;
-    out.max_background = 32;
-    out.congestion_threshold = 32;
-    out.max_write = 4096;
-    fuse_reply(fd, hdr->unique, &out, fuse_struct_size);
-
-    return NO_STATUS;
-}
-
-static void fill_attr(struct fuse_attr* attr, struct fuse_data* fd,
-                      uint64_t nodeid, uint64_t size, uint32_t mode) {
-    memset(attr, 0, sizeof(*attr));
-    attr->nlink = 1;
-    attr->uid = fd->uid;
-    attr->gid = fd->gid;
-    attr->blksize = 4096;
-
-    attr->ino = nodeid;
-    attr->size = size;
-    attr->blocks = (size == 0) ? 0 : (((size-1) / attr->blksize) + 1);
-    attr->mode = mode;
-}
-
-static int handle_getattr(void* data, struct fuse_data* fd, const struct fuse_in_header* hdr) {
-    const struct fuse_getattr_in* req = data;
-    struct fuse_attr_out out;
-    memset(&out, 0, sizeof(out));
-    out.attr_valid = 10;
-
-    if (hdr->nodeid == FUSE_ROOT_ID) {
-        fill_attr(&(out.attr), fd, hdr->nodeid, 4096, S_IFDIR | 0555);
-    } else if (hdr->nodeid == PACKAGE_FILE_ID) {
-        fill_attr(&(out.attr), fd, PACKAGE_FILE_ID, fd->file_size, S_IFREG | 0444);
-    } else if (hdr->nodeid == EXIT_FLAG_ID) {
-        fill_attr(&(out.attr), fd, EXIT_FLAG_ID, 0, S_IFREG | 0);
-    } else {
-        return -ENOENT;
-    }
-
-    fuse_reply(fd, hdr->unique, &out, sizeof(out));
-    return (hdr->nodeid == EXIT_FLAG_ID) ? NO_STATUS_EXIT : NO_STATUS;
-}
-
-static int handle_lookup(void* data, struct fuse_data* fd,
-                         const struct fuse_in_header* hdr) {
-    struct fuse_entry_out out;
-    memset(&out, 0, sizeof(out));
-    out.entry_valid = 10;
-    out.attr_valid = 10;
-
-    if (strncmp(FUSE_SIDELOAD_HOST_FILENAME, data,
-                sizeof(FUSE_SIDELOAD_HOST_FILENAME)) == 0) {
-        out.nodeid = PACKAGE_FILE_ID;
-        out.generation = PACKAGE_FILE_ID;
-        fill_attr(&(out.attr), fd, PACKAGE_FILE_ID, fd->file_size, S_IFREG | 0444);
-    } else if (strncmp(FUSE_SIDELOAD_HOST_EXIT_FLAG, data,
-                       sizeof(FUSE_SIDELOAD_HOST_EXIT_FLAG)) == 0) {
-        out.nodeid = EXIT_FLAG_ID;
-        out.generation = EXIT_FLAG_ID;
-        fill_attr(&(out.attr), fd, EXIT_FLAG_ID, 0, S_IFREG | 0);
-    } else {
-        return -ENOENT;
-    }
-
-    fuse_reply(fd, hdr->unique, &out, sizeof(out));
-    return (out.nodeid == EXIT_FLAG_ID) ? NO_STATUS_EXIT : NO_STATUS;
-}
-
-static int handle_open(void* data, struct fuse_data* fd, const struct fuse_in_header* hdr) {
-    const struct fuse_open_in* req = data;
-
-    if (hdr->nodeid == EXIT_FLAG_ID) return -EPERM;
-    if (hdr->nodeid != PACKAGE_FILE_ID) return -ENOENT;
-
-    struct fuse_open_out out;
-    memset(&out, 0, sizeof(out));
-    out.fh = 10;  // an arbitrary number; we always use the same handle
-    fuse_reply(fd, hdr->unique, &out, sizeof(out));
-    return NO_STATUS;
-}
-
-static int handle_flush(void* data, struct fuse_data* fd, const struct fuse_in_header* hdr) {
-    return 0;
-}
-
-static int handle_release(void* data, struct fuse_data* fd, const struct fuse_in_header* hdr) {
-    return 0;
-}
-
-// Fetch a block from the host into fd->curr_block and fd->block_data.
-// Returns 0 on successful fetch, negative otherwise.
-static int fetch_block(struct fuse_data* fd, uint32_t block) {
-    if (block == fd->curr_block) {
-        return 0;
-    }
-
-    if (block >= fd->file_blocks) {
-        memset(fd->block_data, 0, fd->block_size);
-        fd->curr_block = block;
-        return 0;
-    }
-
-    size_t fetch_size = fd->block_size;
-    if (block * fd->block_size + fetch_size > fd->file_size) {
-        // If we're reading the last (partial) block of the file,
-        // expect a shorter response from the host, and pad the rest
-        // of the block with zeroes.
-        fetch_size = fd->file_size - (block * fd->block_size);
-        memset(fd->block_data + fetch_size, 0, fd->block_size - fetch_size);
-    }
-
-    int result = fd->vtab->read_block(fd->cookie, block, fd->block_data, fetch_size);
-    if (result < 0) return result;
-
-    fd->curr_block = block;
-
-    // Verify the hash of the block we just got from the host.
-    //
-    // - If the hash of the just-received data matches the stored hash
-    //   for the block, accept it.
-    // - If the stored hash is all zeroes, store the new hash and
-    //   accept the block (this is the first time we've read this
-    //   block).
-    // - Otherwise, return -EINVAL for the read.
-
-    uint8_t hash[SHA256_DIGEST_SIZE];
-    SHA256_hash(fd->block_data, fd->block_size, hash);
-    uint8_t* blockhash = fd->hashes + block * SHA256_DIGEST_SIZE;
-    if (memcmp(hash, blockhash, SHA256_DIGEST_SIZE) == 0) {
-        return 0;
-    }
-
-    int i;
-    for (i = 0; i < SHA256_DIGEST_SIZE; ++i) {
-        if (blockhash[i] != 0) {
-            fd->curr_block = -1;
-            return -EIO;
-        }
-    }
-
-    memcpy(blockhash, hash, SHA256_DIGEST_SIZE);
-    return 0;
-}
-
-static int handle_read(void* data, struct fuse_data* fd, const struct fuse_in_header* hdr) {
-    const struct fuse_read_in* req = data;
-    struct fuse_out_header outhdr;
-    struct iovec vec[3];
-    int vec_used;
-    int result;
-
-    if (hdr->nodeid != PACKAGE_FILE_ID) return -ENOENT;
-
-    uint64_t offset = req->offset;
-    uint32_t size = req->size;
-
-    // The docs on the fuse kernel interface are vague about what to
-    // do when a read request extends past the end of the file.  We
-    // can return a short read -- the return structure does include a
-    // length field -- but in testing that caused the program using
-    // the file to segfault.  (I speculate that this is due to the
-    // reading program accessing it via mmap; maybe mmap dislikes when
-    // you return something short of a whole page?)  To fix this we
-    // zero-pad reads that extend past the end of the file so we're
-    // always returning exactly as many bytes as were requested.
-    // (Users of the mapped file have to know its real length anyway.)
-
-    outhdr.len = sizeof(outhdr) + size;
-    outhdr.error = 0;
-    outhdr.unique = hdr->unique;
-    vec[0].iov_base = &outhdr;
-    vec[0].iov_len = sizeof(outhdr);
-
-    uint32_t block = offset / fd->block_size;
-    result = fetch_block(fd, block);
-    if (result != 0) return result;
-
-    // Two cases:
-    //
-    //   - the read request is entirely within this block.  In this
-    //     case we can reply immediately.
-    //
-    //   - the read request goes over into the next block.  Note that
-    //     since we mount the filesystem with max_read=block_size, a
-    //     read can never span more than two blocks.  In this case we
-    //     copy the block to extra_block and issue a fetch for the
-    //     following block.
-
-    uint32_t block_offset = offset - (block * fd->block_size);
-
-    if (size + block_offset <= fd->block_size) {
-        // First case: the read fits entirely in the first block.
-
-        vec[1].iov_base = fd->block_data + block_offset;
-        vec[1].iov_len = size;
-        vec_used = 2;
-    } else {
-        // Second case: the read spills over into the next block.
-
-        memcpy(fd->extra_block, fd->block_data + block_offset,
-               fd->block_size - block_offset);
-        vec[1].iov_base = fd->extra_block;
-        vec[1].iov_len = fd->block_size - block_offset;
-
-        result = fetch_block(fd, block+1);
-        if (result != 0) return result;
-        vec[2].iov_base = fd->block_data;
-        vec[2].iov_len = size - vec[1].iov_len;
-        vec_used = 3;
-    }
-
-    if (writev(fd->ffd, vec, vec_used) < 0) {
-        printf("*** READ REPLY FAILED: %s ***\n", strerror(errno));
-    }
-    return NO_STATUS;
-}
-
-int run_fuse_sideload(struct provider_vtab* vtab, void* cookie,
-                      uint64_t file_size, uint32_t block_size)
-{
-    int result;
-
-    // If something's already mounted on our mountpoint, try to remove
-    // it.  (Mostly in case of a previous abnormal exit.)
-    umount2(FUSE_SIDELOAD_HOST_MOUNTPOINT, MNT_FORCE);
-
-    if (block_size < 1024) {
-        fprintf(stderr, "block size (%u) is too small\n", block_size);
-        return -1;
-    }
-    if (block_size > (1<<22)) {   // 4 MiB
-        fprintf(stderr, "block size (%u) is too large\n", block_size);
-        return -1;
-    }
-
-    struct fuse_data fd;
-    memset(&fd, 0, sizeof(fd));
-    fd.vtab = vtab;
-    fd.cookie = cookie;
-    fd.file_size = file_size;
-    fd.block_size = block_size;
-    fd.file_blocks = (file_size == 0) ? 0 : (((file_size-1) / block_size) + 1);
-
-    if (fd.file_blocks > (1<<18)) {
-        fprintf(stderr, "file has too many blocks (%u)\n", fd.file_blocks);
-        result = -1;
-        goto done;
-    }
-
-    fd.hashes = (uint8_t*)calloc(fd.file_blocks, SHA256_DIGEST_SIZE);
-    if (fd.hashes == NULL) {
-        fprintf(stderr, "failed to allocate %d bites for hashes\n",
-                fd.file_blocks * SHA256_DIGEST_SIZE);
-        result = -1;
-        goto done;
-    }
-
-    fd.uid = getuid();
-    fd.gid = getgid();
-
-    fd.curr_block = -1;
-    fd.block_data = (uint8_t*)malloc(block_size);
-    if (fd.block_data == NULL) {
-        fprintf(stderr, "failed to allocate %d bites for block_data\n", block_size);
-        result = -1;
-        goto done;
-    }
-    fd.extra_block = (uint8_t*)malloc(block_size);
-    if (fd.extra_block == NULL) {
-        fprintf(stderr, "failed to allocate %d bites for extra_block\n", block_size);
-        result = -1;
-        goto done;
-    }
-
-    fd.ffd = open("/dev/fuse", O_RDWR);
-    if (fd.ffd < 0) {
-        perror("open /dev/fuse");
-        result = -1;
-        goto done;
-    }
-
-    char opts[256];
-    snprintf(opts, sizeof(opts),
-             ("fd=%d,user_id=%d,group_id=%d,max_read=%u,"
-              "allow_other,rootmode=040000"),
-             fd.ffd, fd.uid, fd.gid, block_size);
-
-    result = mount("/dev/fuse", FUSE_SIDELOAD_HOST_MOUNTPOINT,
-                   "fuse", MS_NOSUID | MS_NODEV | MS_RDONLY | MS_NOEXEC, opts);
-    if (result < 0) {
-        perror("mount");
-        goto done;
-    }
-    uint8_t request_buffer[sizeof(struct fuse_in_header) + PATH_MAX*8];
-    for (;;) {
-        ssize_t len = TEMP_FAILURE_RETRY(read(fd.ffd, request_buffer, sizeof(request_buffer)));
-        if (len == -1) {
-            perror("read request");
-            if (errno == ENODEV) {
-                result = -1;
-                break;
-            }
-            continue;
-        }
-
-        if ((size_t)len < sizeof(struct fuse_in_header)) {
-            fprintf(stderr, "request too short: len=%zu\n", (size_t)len);
-            continue;
-        }
-
-        struct fuse_in_header* hdr = (struct fuse_in_header*) request_buffer;
-        void* data = request_buffer + sizeof(struct fuse_in_header);
-
-        result = -ENOSYS;
-
-        switch (hdr->opcode) {
-             case FUSE_INIT:
-                result = handle_init(data, &fd, hdr);
-                break;
-
-             case FUSE_LOOKUP:
-                result = handle_lookup(data, &fd, hdr);
-                break;
-
-            case FUSE_GETATTR:
-                result = handle_getattr(data, &fd, hdr);
-                break;
-
-            case FUSE_OPEN:
-                result = handle_open(data, &fd, hdr);
-                break;
-
-            case FUSE_READ:
-                result = handle_read(data, &fd, hdr);
-                break;
-
-            case FUSE_FLUSH:
-                result = handle_flush(data, &fd, hdr);
-                break;
-
-            case FUSE_RELEASE:
-                result = handle_release(data, &fd, hdr);
-                break;
-
-            default:
-                fprintf(stderr, "unknown fuse request opcode %d\n", hdr->opcode);
-                break;
-        }
-
-        if (result == NO_STATUS_EXIT) {
-            result = 0;
-            break;
-        }
-
-        if (result != NO_STATUS) {
-            struct fuse_out_header outhdr;
-            outhdr.len = sizeof(outhdr);
-            outhdr.error = result;
-            outhdr.unique = hdr->unique;
-            TEMP_FAILURE_RETRY(write(fd.ffd, &outhdr, sizeof(outhdr)));
-        }
-    }
-
-  done:
-    fd.vtab->close(fd.cookie);
-
-    result = umount2(FUSE_SIDELOAD_HOST_MOUNTPOINT, MNT_DETACH);
-    if (result < 0) {
-        printf("fuse_sideload umount failed: %s\n", strerror(errno));
-    }
-
-    if (fd.ffd) close(fd.ffd);
-    free(fd.hashes);
-    free(fd.block_data);
-    free(fd.extra_block);
-
-    return result;
-}
diff --git a/fuse_sideload.cpp b/fuse_sideload.cpp
new file mode 100644
index 0000000..1725e88
--- /dev/null
+++ b/fuse_sideload.cpp
@@ -0,0 +1,525 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This module creates a special filesystem containing two files.
+//
+// "/sideload/package.zip" appears to be a normal file, but reading
+// from it causes data to be fetched from the adb host.  We can use
+// this to sideload packages over an adb connection without having to
+// store the entire package in RAM on the device.
+//
+// Because we may not trust the adb host, this filesystem maintains
+// the following invariant: each read of a given position returns the
+// same data as the first read at that position.  That is, once a
+// section of the file is read, future reads of that section return
+// the same data.  (Otherwise, a malicious adb host process could
+// return one set of bits when the package is read for signature
+// verification, and then different bits for when the package is
+// accessed by the installer.)  If the adb host returns something
+// different than it did on the first read, the reader of the file
+// will see their read fail with EINVAL.
+//
+// The other file, "/sideload/exit", is used to control the subprocess
+// that creates this filesystem.  Calling stat() on the exit file
+// causes the filesystem to be unmounted and the adb process on the
+// device shut down.
+//
+// Note that only the minimal set of file operations needed for these
+// two files is implemented.  In particular, you can't opendir() or
+// readdir() on the "/sideload" directory; ls on it won't work.
+
+#include <ctype.h>
+#include <dirent.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <linux/fuse.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/inotify.h>
+#include <sys/mount.h>
+#include <sys/param.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <sys/statfs.h>
+#include <sys/time.h>
+#include <sys/uio.h>
+#include <unistd.h>
+
+#include <openssl/sha.h>
+
+#include "fuse_sideload.h"
+
+#define PACKAGE_FILE_ID   (FUSE_ROOT_ID+1)
+#define EXIT_FLAG_ID      (FUSE_ROOT_ID+2)
+
+#define NO_STATUS         1
+#define NO_STATUS_EXIT    2
+
+struct fuse_data {
+    int ffd;   // file descriptor for the fuse socket
+
+    struct provider_vtab* vtab;
+    void* cookie;
+
+    uint64_t file_size;     // bytes
+
+    uint32_t block_size;    // block size that the adb host is using to send the file to us
+    uint32_t file_blocks;   // file size in block_size blocks
+
+    uid_t uid;
+    gid_t gid;
+
+    uint32_t curr_block;    // cache the block most recently read from the host
+    uint8_t* block_data;
+
+    uint8_t* extra_block;   // another block of storage for reads that
+                            // span two blocks
+
+    uint8_t* hashes;        // SHA-256 hash of each block (all zeros
+                            // if block hasn't been read yet)
+};
+
+static void fuse_reply(struct fuse_data* fd, __u64 unique, const void *data, size_t len)
+{
+    struct fuse_out_header hdr;
+    struct iovec vec[2];
+    int res;
+
+    hdr.len = len + sizeof(hdr);
+    hdr.error = 0;
+    hdr.unique = unique;
+
+    vec[0].iov_base = &hdr;
+    vec[0].iov_len = sizeof(hdr);
+    vec[1].iov_base = /* const_cast */(void*)(data);
+    vec[1].iov_len = len;
+
+    res = writev(fd->ffd, vec, 2);
+    if (res < 0) {
+        printf("*** REPLY FAILED *** %s\n", strerror(errno));
+    }
+}
+
+static int handle_init(void* data, struct fuse_data* fd, const struct fuse_in_header* hdr) {
+    const struct fuse_init_in* req = reinterpret_cast<const struct fuse_init_in*>(data);
+    struct fuse_init_out out;
+    size_t fuse_struct_size;
+
+
+    /* Kernel 2.6.16 is the first stable kernel with struct fuse_init_out
+     * defined (fuse version 7.6). The structure is the same from 7.6 through
+     * 7.22. Beginning with 7.23, the structure increased in size and added
+     * new parameters.
+     */
+    if (req->major != FUSE_KERNEL_VERSION || req->minor < 6) {
+        printf("Fuse kernel version mismatch: Kernel version %d.%d, Expected at least %d.6",
+               req->major, req->minor, FUSE_KERNEL_VERSION);
+        return -1;
+    }
+
+    out.minor = MIN(req->minor, FUSE_KERNEL_MINOR_VERSION);
+    fuse_struct_size = sizeof(out);
+#if defined(FUSE_COMPAT_22_INIT_OUT_SIZE)
+    /* FUSE_KERNEL_VERSION >= 23. */
+
+    /* If the kernel only works on minor revs older than or equal to 22,
+     * then use the older structure size since this code only uses the 7.22
+     * version of the structure. */
+    if (req->minor <= 22) {
+        fuse_struct_size = FUSE_COMPAT_22_INIT_OUT_SIZE;
+    }
+#endif
+
+    out.major = FUSE_KERNEL_VERSION;
+    out.max_readahead = req->max_readahead;
+    out.flags = 0;
+    out.max_background = 32;
+    out.congestion_threshold = 32;
+    out.max_write = 4096;
+    fuse_reply(fd, hdr->unique, &out, fuse_struct_size);
+
+    return NO_STATUS;
+}
+
+static void fill_attr(struct fuse_attr* attr, struct fuse_data* fd,
+                      uint64_t nodeid, uint64_t size, uint32_t mode) {
+    memset(attr, 0, sizeof(*attr));
+    attr->nlink = 1;
+    attr->uid = fd->uid;
+    attr->gid = fd->gid;
+    attr->blksize = 4096;
+
+    attr->ino = nodeid;
+    attr->size = size;
+    attr->blocks = (size == 0) ? 0 : (((size-1) / attr->blksize) + 1);
+    attr->mode = mode;
+}
+
+static int handle_getattr(void* /* data */, struct fuse_data* fd, const struct fuse_in_header* hdr) {
+    struct fuse_attr_out out;
+    memset(&out, 0, sizeof(out));
+    out.attr_valid = 10;
+
+    if (hdr->nodeid == FUSE_ROOT_ID) {
+        fill_attr(&(out.attr), fd, hdr->nodeid, 4096, S_IFDIR | 0555);
+    } else if (hdr->nodeid == PACKAGE_FILE_ID) {
+        fill_attr(&(out.attr), fd, PACKAGE_FILE_ID, fd->file_size, S_IFREG | 0444);
+    } else if (hdr->nodeid == EXIT_FLAG_ID) {
+        fill_attr(&(out.attr), fd, EXIT_FLAG_ID, 0, S_IFREG | 0);
+    } else {
+        return -ENOENT;
+    }
+
+    fuse_reply(fd, hdr->unique, &out, sizeof(out));
+    return (hdr->nodeid == EXIT_FLAG_ID) ? NO_STATUS_EXIT : NO_STATUS;
+}
+
+static int handle_lookup(void* data, struct fuse_data* fd,
+                         const struct fuse_in_header* hdr) {
+    struct fuse_entry_out out;
+    memset(&out, 0, sizeof(out));
+    out.entry_valid = 10;
+    out.attr_valid = 10;
+
+    if (strncmp(FUSE_SIDELOAD_HOST_FILENAME, reinterpret_cast<const char*>(data),
+                sizeof(FUSE_SIDELOAD_HOST_FILENAME)) == 0) {
+        out.nodeid = PACKAGE_FILE_ID;
+        out.generation = PACKAGE_FILE_ID;
+        fill_attr(&(out.attr), fd, PACKAGE_FILE_ID, fd->file_size, S_IFREG | 0444);
+    } else if (strncmp(FUSE_SIDELOAD_HOST_EXIT_FLAG, reinterpret_cast<const char*>(data),
+                       sizeof(FUSE_SIDELOAD_HOST_EXIT_FLAG)) == 0) {
+        out.nodeid = EXIT_FLAG_ID;
+        out.generation = EXIT_FLAG_ID;
+        fill_attr(&(out.attr), fd, EXIT_FLAG_ID, 0, S_IFREG | 0);
+    } else {
+        return -ENOENT;
+    }
+
+    fuse_reply(fd, hdr->unique, &out, sizeof(out));
+    return (out.nodeid == EXIT_FLAG_ID) ? NO_STATUS_EXIT : NO_STATUS;
+}
+
+static int handle_open(void* /* data */, struct fuse_data* fd, const struct fuse_in_header* hdr) {
+    if (hdr->nodeid == EXIT_FLAG_ID) return -EPERM;
+    if (hdr->nodeid != PACKAGE_FILE_ID) return -ENOENT;
+
+    struct fuse_open_out out;
+    memset(&out, 0, sizeof(out));
+    out.fh = 10;  // an arbitrary number; we always use the same handle
+    fuse_reply(fd, hdr->unique, &out, sizeof(out));
+    return NO_STATUS;
+}
+
+static int handle_flush(void* data, struct fuse_data* fd, const struct fuse_in_header* hdr) {
+    return 0;
+}
+
+static int handle_release(void* data, struct fuse_data* fd, const struct fuse_in_header* hdr) {
+    return 0;
+}
+
+// Fetch a block from the host into fd->curr_block and fd->block_data.
+// Returns 0 on successful fetch, negative otherwise.
+static int fetch_block(struct fuse_data* fd, uint32_t block) {
+    if (block == fd->curr_block) {
+        return 0;
+    }
+
+    if (block >= fd->file_blocks) {
+        memset(fd->block_data, 0, fd->block_size);
+        fd->curr_block = block;
+        return 0;
+    }
+
+    size_t fetch_size = fd->block_size;
+    if (block * fd->block_size + fetch_size > fd->file_size) {
+        // If we're reading the last (partial) block of the file,
+        // expect a shorter response from the host, and pad the rest
+        // of the block with zeroes.
+        fetch_size = fd->file_size - (block * fd->block_size);
+        memset(fd->block_data + fetch_size, 0, fd->block_size - fetch_size);
+    }
+
+    int result = fd->vtab->read_block(fd->cookie, block, fd->block_data, fetch_size);
+    if (result < 0) return result;
+
+    fd->curr_block = block;
+
+    // Verify the hash of the block we just got from the host.
+    //
+    // - If the hash of the just-received data matches the stored hash
+    //   for the block, accept it.
+    // - If the stored hash is all zeroes, store the new hash and
+    //   accept the block (this is the first time we've read this
+    //   block).
+    // - Otherwise, return -EINVAL for the read.
+
+    uint8_t hash[SHA256_DIGEST_LENGTH];
+    SHA256(fd->block_data, fd->block_size, hash);
+    uint8_t* blockhash = fd->hashes + block * SHA256_DIGEST_LENGTH;
+    if (memcmp(hash, blockhash, SHA256_DIGEST_LENGTH) == 0) {
+        return 0;
+    }
+
+    int i;
+    for (i = 0; i < SHA256_DIGEST_LENGTH; ++i) {
+        if (blockhash[i] != 0) {
+            fd->curr_block = -1;
+            return -EIO;
+        }
+    }
+
+    memcpy(blockhash, hash, SHA256_DIGEST_LENGTH);
+    return 0;
+}
+
+static int handle_read(void* data, struct fuse_data* fd, const struct fuse_in_header* hdr) {
+    const struct fuse_read_in* req = reinterpret_cast<const struct fuse_read_in*>(data);
+    struct fuse_out_header outhdr;
+    struct iovec vec[3];
+    int vec_used;
+    int result;
+
+    if (hdr->nodeid != PACKAGE_FILE_ID) return -ENOENT;
+
+    uint64_t offset = req->offset;
+    uint32_t size = req->size;
+
+    // The docs on the fuse kernel interface are vague about what to
+    // do when a read request extends past the end of the file.  We
+    // can return a short read -- the return structure does include a
+    // length field -- but in testing that caused the program using
+    // the file to segfault.  (I speculate that this is due to the
+    // reading program accessing it via mmap; maybe mmap dislikes when
+    // you return something short of a whole page?)  To fix this we
+    // zero-pad reads that extend past the end of the file so we're
+    // always returning exactly as many bytes as were requested.
+    // (Users of the mapped file have to know its real length anyway.)
+
+    outhdr.len = sizeof(outhdr) + size;
+    outhdr.error = 0;
+    outhdr.unique = hdr->unique;
+    vec[0].iov_base = &outhdr;
+    vec[0].iov_len = sizeof(outhdr);
+
+    uint32_t block = offset / fd->block_size;
+    result = fetch_block(fd, block);
+    if (result != 0) return result;
+
+    // Two cases:
+    //
+    //   - the read request is entirely within this block.  In this
+    //     case we can reply immediately.
+    //
+    //   - the read request goes over into the next block.  Note that
+    //     since we mount the filesystem with max_read=block_size, a
+    //     read can never span more than two blocks.  In this case we
+    //     copy the block to extra_block and issue a fetch for the
+    //     following block.
+
+    uint32_t block_offset = offset - (block * fd->block_size);
+
+    if (size + block_offset <= fd->block_size) {
+        // First case: the read fits entirely in the first block.
+
+        vec[1].iov_base = fd->block_data + block_offset;
+        vec[1].iov_len = size;
+        vec_used = 2;
+    } else {
+        // Second case: the read spills over into the next block.
+
+        memcpy(fd->extra_block, fd->block_data + block_offset,
+               fd->block_size - block_offset);
+        vec[1].iov_base = fd->extra_block;
+        vec[1].iov_len = fd->block_size - block_offset;
+
+        result = fetch_block(fd, block+1);
+        if (result != 0) return result;
+        vec[2].iov_base = fd->block_data;
+        vec[2].iov_len = size - vec[1].iov_len;
+        vec_used = 3;
+    }
+
+    if (writev(fd->ffd, vec, vec_used) < 0) {
+        printf("*** READ REPLY FAILED: %s ***\n", strerror(errno));
+    }
+    return NO_STATUS;
+}
+
+int run_fuse_sideload(struct provider_vtab* vtab, void* cookie,
+                      uint64_t file_size, uint32_t block_size)
+{
+    int result;
+
+    // If something's already mounted on our mountpoint, try to remove
+    // it.  (Mostly in case of a previous abnormal exit.)
+    umount2(FUSE_SIDELOAD_HOST_MOUNTPOINT, MNT_FORCE);
+
+    if (block_size < 1024) {
+        fprintf(stderr, "block size (%u) is too small\n", block_size);
+        return -1;
+    }
+    if (block_size > (1<<22)) {   // 4 MiB
+        fprintf(stderr, "block size (%u) is too large\n", block_size);
+        return -1;
+    }
+
+    struct fuse_data fd;
+    memset(&fd, 0, sizeof(fd));
+    fd.vtab = vtab;
+    fd.cookie = cookie;
+    fd.file_size = file_size;
+    fd.block_size = block_size;
+    fd.file_blocks = (file_size == 0) ? 0 : (((file_size-1) / block_size) + 1);
+
+    if (fd.file_blocks > (1<<18)) {
+        fprintf(stderr, "file has too many blocks (%u)\n", fd.file_blocks);
+        result = -1;
+        goto done;
+    }
+
+    fd.hashes = (uint8_t*)calloc(fd.file_blocks, SHA256_DIGEST_LENGTH);
+    if (fd.hashes == NULL) {
+        fprintf(stderr, "failed to allocate %d bites for hashes\n",
+                fd.file_blocks * SHA256_DIGEST_LENGTH);
+        result = -1;
+        goto done;
+    }
+
+    fd.uid = getuid();
+    fd.gid = getgid();
+
+    fd.curr_block = -1;
+    fd.block_data = (uint8_t*)malloc(block_size);
+    if (fd.block_data == NULL) {
+        fprintf(stderr, "failed to allocate %d bites for block_data\n", block_size);
+        result = -1;
+        goto done;
+    }
+    fd.extra_block = (uint8_t*)malloc(block_size);
+    if (fd.extra_block == NULL) {
+        fprintf(stderr, "failed to allocate %d bites for extra_block\n", block_size);
+        result = -1;
+        goto done;
+    }
+
+    fd.ffd = open("/dev/fuse", O_RDWR);
+    if (fd.ffd < 0) {
+        perror("open /dev/fuse");
+        result = -1;
+        goto done;
+    }
+
+    char opts[256];
+    snprintf(opts, sizeof(opts),
+             ("fd=%d,user_id=%d,group_id=%d,max_read=%u,"
+              "allow_other,rootmode=040000"),
+             fd.ffd, fd.uid, fd.gid, block_size);
+
+    result = mount("/dev/fuse", FUSE_SIDELOAD_HOST_MOUNTPOINT,
+                   "fuse", MS_NOSUID | MS_NODEV | MS_RDONLY | MS_NOEXEC, opts);
+    if (result < 0) {
+        perror("mount");
+        goto done;
+    }
+    uint8_t request_buffer[sizeof(struct fuse_in_header) + PATH_MAX*8];
+    for (;;) {
+        ssize_t len = TEMP_FAILURE_RETRY(read(fd.ffd, request_buffer, sizeof(request_buffer)));
+        if (len == -1) {
+            perror("read request");
+            if (errno == ENODEV) {
+                result = -1;
+                break;
+            }
+            continue;
+        }
+
+        if ((size_t)len < sizeof(struct fuse_in_header)) {
+            fprintf(stderr, "request too short: len=%zu\n", (size_t)len);
+            continue;
+        }
+
+        struct fuse_in_header* hdr = (struct fuse_in_header*) request_buffer;
+        void* data = request_buffer + sizeof(struct fuse_in_header);
+
+        result = -ENOSYS;
+
+        switch (hdr->opcode) {
+             case FUSE_INIT:
+                result = handle_init(data, &fd, hdr);
+                break;
+
+             case FUSE_LOOKUP:
+                result = handle_lookup(data, &fd, hdr);
+                break;
+
+            case FUSE_GETATTR:
+                result = handle_getattr(data, &fd, hdr);
+                break;
+
+            case FUSE_OPEN:
+                result = handle_open(data, &fd, hdr);
+                break;
+
+            case FUSE_READ:
+                result = handle_read(data, &fd, hdr);
+                break;
+
+            case FUSE_FLUSH:
+                result = handle_flush(data, &fd, hdr);
+                break;
+
+            case FUSE_RELEASE:
+                result = handle_release(data, &fd, hdr);
+                break;
+
+            default:
+                fprintf(stderr, "unknown fuse request opcode %d\n", hdr->opcode);
+                break;
+        }
+
+        if (result == NO_STATUS_EXIT) {
+            result = 0;
+            break;
+        }
+
+        if (result != NO_STATUS) {
+            struct fuse_out_header outhdr;
+            outhdr.len = sizeof(outhdr);
+            outhdr.error = result;
+            outhdr.unique = hdr->unique;
+            TEMP_FAILURE_RETRY(write(fd.ffd, &outhdr, sizeof(outhdr)));
+        }
+    }
+
+  done:
+    fd.vtab->close(fd.cookie);
+
+    result = umount2(FUSE_SIDELOAD_HOST_MOUNTPOINT, MNT_DETACH);
+    if (result < 0) {
+        printf("fuse_sideload umount failed: %s\n", strerror(errno));
+    }
+
+    if (fd.ffd) close(fd.ffd);
+    free(fd.hashes);
+    free(fd.block_data);
+    free(fd.extra_block);
+
+    return result;
+}
diff --git a/fuse_sideload.h b/fuse_sideload.h
index f9e3bf0..c0b16ef 100644
--- a/fuse_sideload.h
+++ b/fuse_sideload.h
@@ -17,10 +17,6 @@
 #ifndef __FUSE_SIDELOAD_H
 #define __FUSE_SIDELOAD_H
 
-#include <sys/cdefs.h>
-
-__BEGIN_DECLS
-
 // define the filenames created by the sideload FUSE filesystem
 #define FUSE_SIDELOAD_HOST_MOUNTPOINT "/sideload"
 #define FUSE_SIDELOAD_HOST_FILENAME "package.zip"
@@ -39,6 +35,4 @@
 int run_fuse_sideload(struct provider_vtab* vtab, void* cookie,
                       uint64_t file_size, uint32_t block_size);
 
-__END_DECLS
-
 #endif
diff --git a/install.cpp b/install.cpp
index c7d382f..5a439a1 100644
--- a/install.cpp
+++ b/install.cpp
@@ -23,22 +23,31 @@
 #include <sys/wait.h>
 #include <unistd.h>
 
+#include <chrono>
+#include <string>
+#include <vector>
+
+#include <android-base/parseint.h>
+#include <android-base/stringprintf.h>
+#include <android-base/strings.h>
+
 #include "common.h"
+#include "error_code.h"
 #include "install.h"
-#include "mincrypt/rsa.h"
 #include "minui/minui.h"
 #include "minzip/SysUtil.h"
 #include "minzip/Zip.h"
 #include "mtdutils/mounts.h"
 #include "mtdutils/mtdutils.h"
 #include "roots.h"
-#include "verifier.h"
 #include "ui.h"
+#include "verifier.h"
 
 extern RecoveryUI* ui;
 
 #define ASSUMED_UPDATE_BINARY_NAME  "META-INF/com/google/android/update-binary"
 #define PUBLIC_KEYS_FILE "/res/keys"
+static constexpr const char* METADATA_PATH = "META-INF/com/android/metadata";
 
 // Default allocation of progress bar segments to operations
 static const int VERIFICATION_PROGRESS_TIME = 60;
@@ -46,9 +55,64 @@
 static const float DEFAULT_FILES_PROGRESS_FRACTION = 0.4;
 static const float DEFAULT_IMAGE_PROGRESS_FRACTION = 0.1;
 
+// This function parses and returns the build.version.incremental
+static int parse_build_number(std::string str) {
+    size_t pos = str.find("=");
+    if (pos != std::string::npos) {
+        std::string num_string = android::base::Trim(str.substr(pos+1));
+        int build_number;
+        if (android::base::ParseInt(num_string.c_str(), &build_number, 0)) {
+            return build_number;
+        }
+    }
+
+    LOGE("Failed to parse build number in %s.\n", str.c_str());
+    return -1;
+}
+
+// Read the build.version.incremental of src/tgt from the metadata and log it to last_install.
+static void read_source_target_build(ZipArchive* zip, std::vector<std::string>& log_buffer) {
+    const ZipEntry* meta_entry = mzFindZipEntry(zip, METADATA_PATH);
+    if (meta_entry == nullptr) {
+        LOGE("Failed to find %s in update package.\n", METADATA_PATH);
+        return;
+    }
+
+    std::string meta_data(meta_entry->uncompLen, '\0');
+    if (!mzReadZipEntry(zip, meta_entry, &meta_data[0], meta_entry->uncompLen)) {
+        LOGE("Failed to read metadata in update package.\n");
+        return;
+    }
+
+    // Examples of the pre-build and post-build strings in metadata:
+    // pre-build-incremental=2943039
+    // post-build-incremental=2951741
+    std::vector<std::string> lines = android::base::Split(meta_data, "\n");
+    for (const std::string& line : lines) {
+        std::string str = android::base::Trim(line);
+        if (android::base::StartsWith(str, "pre-build-incremental")){
+            int source_build = parse_build_number(str);
+            if (source_build != -1) {
+                log_buffer.push_back(android::base::StringPrintf("source_build: %d",
+                        source_build));
+            }
+        } else if (android::base::StartsWith(str, "post-build-incremental")) {
+            int target_build = parse_build_number(str);
+            if (target_build != -1) {
+                log_buffer.push_back(android::base::StringPrintf("target_build: %d",
+                        target_build));
+            }
+        }
+    }
+}
+
 // If the package contains an update binary, extract it and run it.
 static int
-try_update_binary(const char* path, ZipArchive* zip, bool* wipe_cache) {
+try_update_binary(const char* path, ZipArchive* zip, bool* wipe_cache,
+                  std::vector<std::string>& log_buffer, int retry_count)
+{
+    read_source_target_build(zip, log_buffer);
+
     const ZipEntry* binary_entry =
             mzFindZipEntry(zip, ASSUMED_UPDATE_BINARY_NAME);
     if (binary_entry == NULL) {
@@ -121,15 +185,19 @@
     //
     //   - the name of the package zip file.
     //
+    //   - an optional argument "retry" if this update is a retry of a failed
+    //   update attempt.
+    //
 
-    const char** args = (const char**)malloc(sizeof(char*) * 5);
+    const char** args = (const char**)malloc(sizeof(char*) * 6);
     args[0] = binary;
     args[1] = EXPAND(RECOVERY_API_VERSION);   // defined in Android.mk
     char* temp = (char*)malloc(10);
     sprintf(temp, "%d", pipefd[1]);
     args[2] = temp;
     args[3] = (char*)path;
-    args[4] = NULL;
+    args[4] = retry_count > 0 ? "retry" : NULL;
+    args[5] = NULL;
 
     pid_t pid = fork();
     if (pid == 0) {
@@ -142,6 +210,7 @@
     close(pipefd[1]);
 
     *wipe_cache = false;
+    bool retry_update = false;
 
     char buffer[1024];
     FILE* from_child = fdopen(pipefd[0], "r");
@@ -164,9 +233,9 @@
         } else if (strcmp(command, "ui_print") == 0) {
             char* str = strtok(NULL, "\n");
             if (str) {
-                ui->Print("%s", str);
+                ui->PrintOnScreenOnly("%s", str);
             } else {
-                ui->Print("\n");
+                ui->PrintOnScreenOnly("\n");
             }
             fflush(stdout);
         } else if (strcmp(command, "wipe_cache") == 0) {
@@ -178,6 +247,12 @@
             // to be able to reboot during installation (useful for
             // debugging packages that don't exit).
             ui->SetEnableReboot(true);
+        } else if (strcmp(command, "retry_update") == 0) {
+            retry_update = true;
+        } else if (strcmp(command, "log") == 0) {
+            // Save the logging request from updater and write to
+            // last_install later.
+            log_buffer.push_back(std::string(strtok(NULL, "\n")));
         } else {
             LOGE("unknown command [%s]\n", command);
         }
@@ -186,6 +261,9 @@
 
     int status;
     waitpid(pid, &status, 0);
+    if (retry_update) {
+        return INSTALL_RETRY;
+    }
     if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
         LOGE("Error in %s\n(Status %d)\n", path, WEXITSTATUS(status));
         return INSTALL_ERROR;
@@ -195,7 +273,8 @@
 }
 
 static int
-really_install_package(const char *path, bool* wipe_cache, bool needs_mount)
+really_install_package(const char *path, bool* wipe_cache, bool needs_mount,
+                       std::vector<std::string>& log_buffer, int retry_count)
 {
     ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
     ui->Print("Finding update package...\n");
@@ -221,41 +300,46 @@
         return INSTALL_CORRUPT;
     }
 
-    int numKeys;
-    Certificate* loadedKeys = load_keys(PUBLIC_KEYS_FILE, &numKeys);
-    if (loadedKeys == NULL) {
+    // Load keys.
+    std::vector<Certificate> loadedKeys;
+    if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) {
         LOGE("Failed to load keys\n");
         return INSTALL_CORRUPT;
     }
-    LOGI("%d key(s) loaded from %s\n", numKeys, PUBLIC_KEYS_FILE);
+    LOGI("%zu key(s) loaded from %s\n", loadedKeys.size(), PUBLIC_KEYS_FILE);
 
+    // Verify package.
     ui->Print("Verifying update package...\n");
-
-    int err;
-    err = verify_file(map.addr, map.length, loadedKeys, numKeys);
-    free(loadedKeys);
-    LOGI("verify_file returned %d\n", err);
+    auto t0 = std::chrono::system_clock::now();
+    int err = verify_file(map.addr, map.length, loadedKeys);
+    std::chrono::duration<double> duration = std::chrono::system_clock::now() - t0;
+    ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err);
     if (err != VERIFY_SUCCESS) {
         LOGE("signature verification failed\n");
+        log_buffer.push_back(android::base::StringPrintf("error: %d", kZipVerificationFailure));
+
         sysReleaseMap(&map);
         return INSTALL_CORRUPT;
     }
 
-    /* Try to open the package.
-     */
+    // Try to open the package.
     ZipArchive zip;
     err = mzOpenZipArchive(map.addr, map.length, &zip);
     if (err != 0) {
         LOGE("Can't open %s\n(%s)\n", path, err != -1 ? strerror(err) : "bad");
+        log_buffer.push_back(android::base::StringPrintf("error: %d", kZipOpenFailure));
+
         sysReleaseMap(&map);
         return INSTALL_CORRUPT;
     }
 
-    /* Verify and install the contents of the package.
-     */
+    // Verify and install the contents of the package.
     ui->Print("Installing update...\n");
+    if (retry_count > 0) {
+        ui->Print("Retry attempt: %d\n", retry_count);
+    }
     ui->SetEnableReboot(false);
-    int result = try_update_binary(path, &zip, wipe_cache);
+    int result = try_update_binary(path, &zip, wipe_cache, log_buffer, retry_count);
     ui->SetEnableReboot(true);
     ui->Print("\n");
 
@@ -266,9 +350,10 @@
 
 int
 install_package(const char* path, bool* wipe_cache, const char* install_file,
-                bool needs_mount)
+                bool needs_mount, int retry_count)
 {
     modified_flash = true;
+    auto start = std::chrono::system_clock::now();
 
     FILE* install_log = fopen_path(install_file, "w");
     if (install_log) {
@@ -278,15 +363,26 @@
         LOGE("failed to open last_install: %s\n", strerror(errno));
     }
     int result;
+    std::vector<std::string> log_buffer;
     if (setup_install_mounts() != 0) {
         LOGE("failed to set up expected mounts for install; aborting\n");
         result = INSTALL_ERROR;
     } else {
-        result = really_install_package(path, wipe_cache, needs_mount);
+        result = really_install_package(path, wipe_cache, needs_mount, log_buffer, retry_count);
     }
-    if (install_log) {
+    if (install_log != nullptr) {
         fputc(result == INSTALL_SUCCESS ? '1' : '0', install_log);
         fputc('\n', install_log);
+        std::chrono::duration<double> duration = std::chrono::system_clock::now() - start;
+        int count = static_cast<int>(duration.count());
+        // Report the time spent to apply OTA update in seconds.
+        fprintf(install_log, "time_total: %d\n", count);
+        fprintf(install_log, "retry: %d\n", retry_count);
+
+        for (const auto& s : log_buffer) {
+            fprintf(install_log, "%s\n", s.c_str());
+        }
+
         fclose(install_log);
     }
     return result;
diff --git a/install.h b/install.h
index 680499d..66764f5 100644
--- a/install.h
+++ b/install.h
@@ -23,12 +23,13 @@
 extern "C" {
 #endif
 
-enum { INSTALL_SUCCESS, INSTALL_ERROR, INSTALL_CORRUPT, INSTALL_NONE };
+enum { INSTALL_SUCCESS, INSTALL_ERROR, INSTALL_CORRUPT, INSTALL_NONE, INSTALL_SKIPPED,
+        INSTALL_RETRY };
 // Install the package specified by root_path.  If INSTALL_SUCCESS is
 // returned and *wipe_cache is true on exit, caller should wipe the
 // cache partition.
-int install_package(const char* root_path, bool* wipe_cache,
-                    const char* install_file, bool needs_mount);
+int install_package(const char* root_path, bool* wipe_cache, const char* install_file,
+                    bool needs_mount, int retry_count);
 
 #ifdef __cplusplus
 }
diff --git a/interlace-frames.py b/interlace-frames.py
old mode 100644
new mode 100755
index 243e565..6b435aa
--- a/interlace-frames.py
+++ b/interlace-frames.py
@@ -1,3 +1,4 @@
+#!/usr/bin/env python
 # Copyright (C) 2014 The Android Open Source Project
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,42 +13,102 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-"""Script to take a set of frames (PNG files) for a recovery animation
+"""
+Script to take a set of frames (PNG files) for a recovery animation
 and turn it into a single output image which contains the input frames
 interlaced by row.  Run with the names of all the input frames on the
-command line, in order, followed by the name of the output file."""
+command line, in order, followed by the name of the output file.
+"""
 
+from __future__ import print_function
+
+import argparse
+import os.path
 import sys
 try:
   import Image
   import PngImagePlugin
 except ImportError:
-  print "This script requires the Python Imaging Library to be installed."
+  print("This script requires the Python Imaging Library to be installed.")
   sys.exit(1)
 
-frames = [Image.open(fn).convert("RGB") for fn in sys.argv[1:-1]]
-assert len(frames) > 0, "Must have at least one input frame."
-sizes = set()
-for fr in frames:
-  sizes.add(fr.size)
 
-assert len(sizes) == 1, "All input images must have the same size."
-w, h = sizes.pop()
-N = len(frames)
+def interlace(output, inputs):
+  frames = [Image.open(fn).convert("RGB") for fn in inputs]
+  assert len(frames) > 0, "Must have at least one input frame."
+  sizes = set()
+  for fr in frames:
+    sizes.add(fr.size)
 
-out = Image.new("RGB", (w, h*N))
-for j in range(h):
-  for i in range(w):
-    for fn, f in enumerate(frames):
-      out.putpixel((i, j*N+fn), f.getpixel((i, j)))
+  assert len(sizes) == 1, "All input images must have the same size."
+  w, h = sizes.pop()
+  N = len(frames)
 
-# When loading this image, the graphics library expects to find a text
-# chunk that specifies how many frames this animation represents.  If
-# you post-process the output of this script with some kind of
-# optimizer tool (eg pngcrush or zopflipng) make sure that your
-# optimizer preserves this text chunk.
+  out = Image.new("RGB", (w, h*N))
+  for j in range(h):
+    for i in range(w):
+      for fn, f in enumerate(frames):
+        out.putpixel((i, j*N+fn), f.getpixel((i, j)))
 
-meta = PngImagePlugin.PngInfo()
-meta.add_text("Frames", str(N))
+  # When loading this image, the graphics library expects to find a text
+  # chunk that specifies how many frames this animation represents.  If
+  # you post-process the output of this script with some kind of
+  # optimizer tool (eg pngcrush or zopflipng) make sure that your
+  # optimizer preserves this text chunk.
 
-out.save(sys.argv[-1], pnginfo=meta)
+  meta = PngImagePlugin.PngInfo()
+  meta.add_text("Frames", str(N))
+
+  out.save(output, pnginfo=meta)
+
+
+def deinterlace(output, input):
+  # Truncate the output filename extension if it's '.png'.
+  if os.path.splitext(output)[1].lower() == '.png':
+    output = output[:-4]
+
+  img2 = Image.open(input)
+  print(img2.mode)
+  palette = img2.getpalette()
+  img = img2.convert("RGB")
+  num_frames = int(img.info.get('Frames', 1))
+  print('Found %d frames in %s.' % (num_frames, input))
+  assert num_frames > 0, 'Invalid Frames meta.'
+
+  # palette = img.getpalette()
+  print(palette)
+
+  width, height = img.size
+  height /= num_frames
+  for k in range(num_frames):
+    out = Image.new('RGB', (width, height))
+    out.info = img.info
+    for i in range(width):
+      for j in range(height):
+        out.putpixel((i, j), img.getpixel((i, j * num_frames + k)))
+    # out.putpalette(img.getpalette(), rawmode='RGB')
+    out2 = out.convert(mode='P', palette=palette)
+    #out2 = out
+    print(out2.mode)
+    # out2.putpalette(palette)
+    filename = '%s%02d.png' % (output, k)
+    out2.save(filename)
+    print('Frame %d written to %s.' % (k, filename))
+
+
+def main(argv):
+  parser = argparse.ArgumentParser(description='Parse')
+  parser.add_argument('--deinterlace', '-d', action='store_true')
+  parser.add_argument('--output', '-o', required=True)
+  parser.add_argument('input', nargs='+')
+  args = parser.parse_args(argv)
+
+  if args.deinterlace:
+    # args.input is a list, and we only process the first when deinterlacing.
+    deinterlace(args.output, args.input[0])
+  else:
+    interlace(args.output, args.input)
+
+
+if __name__ == '__main__':
+  main(sys.argv[1:])
diff --git a/minadbd/Android.mk b/minadbd/Android.mk
index a7a3e08..3db3b41 100644
--- a/minadbd/Android.mk
+++ b/minadbd/Android.mk
@@ -15,6 +15,7 @@
     fuse_adb_provider.cpp \
     services.cpp \
 
+LOCAL_CLANG := true
 LOCAL_MODULE := libminadbd
 LOCAL_CFLAGS := $(minadbd_cflags)
 LOCAL_CONLY_FLAGS := -Wimplicit-function-declaration
diff --git a/minadbd/adb_main.cpp b/minadbd/adb_main.cpp
index 7fae99a..0694280 100644
--- a/minadbd/adb_main.cpp
+++ b/minadbd/adb_main.cpp
@@ -19,21 +19,15 @@
 #include <stdio.h>
 #include <stdlib.h>
 
-#define TRACE_TAG TRACE_ADB
-
 #include "sysdeps.h"
 
 #include "adb.h"
 #include "adb_auth.h"
 #include "transport.h"
 
-int adb_main(int is_daemon, int server_port)
-{
-    atexit(usb_cleanup);
-
+int adb_server_main(int is_daemon, int server_port, int /* reply_fd */) {
     adb_device_banner = "sideload";
 
-    // No SIGCHLD. Let the service subproc handle its children.
     signal(SIGPIPE, SIG_IGN);
 
     // We can't require authentication for sideloading. http://b/22025550.
@@ -42,7 +36,7 @@
     init_transport_registration();
     usb_init();
 
-    D("Event loop starting\n");
+    VLOG(ADB) << "Event loop starting";
     fdevent_loop();
 
     return 0;
diff --git a/minadbd/services.cpp b/minadbd/services.cpp
index dd1fd7c..658a43f 100644
--- a/minadbd/services.cpp
+++ b/minadbd/services.cpp
@@ -23,7 +23,6 @@
 
 #include "sysdeps.h"
 
-#define  TRACE_TAG  TRACE_SERVICES
 #include "adb.h"
 #include "fdevent.h"
 #include "fuse_adb_provider.h"
@@ -36,21 +35,21 @@
     void *cookie;
 };
 
-void* service_bootstrap_func(void* x) {
+void service_bootstrap_func(void* x) {
     stinfo* sti = reinterpret_cast<stinfo*>(x);
     sti->func(sti->fd, sti->cookie);
     free(sti);
-    return 0;
 }
 
 static void sideload_host_service(int sfd, void* data) {
-    const char* args = reinterpret_cast<const char*>(data);
+    char* args = reinterpret_cast<char*>(data);
     int file_size;
     int block_size;
     if (sscanf(args, "%d:%d", &file_size, &block_size) != 2) {
         printf("bad sideload-host arguments: %s\n", args);
         exit(1);
     }
+    free(args);
 
     printf("sideload-host file size %d block size %d\n", file_size, block_size);
 
@@ -61,8 +60,7 @@
     exit(result == 0 ? 0 : 1);
 }
 
-static int create_service_thread(void (*func)(int, void *), void *cookie)
-{
+static int create_service_thread(void (*func)(int, void *), void *cookie) {
     int s[2];
     if(adb_socketpair(s)) {
         printf("cannot create service socket pair\n");
@@ -75,8 +73,7 @@
     sti->cookie = cookie;
     sti->fd = s[1];
 
-    adb_thread_t t;
-    if (adb_thread_create( &t, service_bootstrap_func, sti)){
+    if (!adb_thread_create(service_bootstrap_func, sti)) {
         free(sti);
         adb_close(s[0]);
         adb_close(s[1]);
@@ -84,11 +81,11 @@
         return -1;
     }
 
-    D("service thread started, %d:%d\n",s[0], s[1]);
+    VLOG(SERVICES) << "service thread started, " << s[0] << ":" << s[1];
     return s[0];
 }
 
-int service_to_fd(const char* name) {
+int service_to_fd(const char* name, const atransport* transport) {
     int ret = -1;
 
     if (!strncmp(name, "sideload:", 9)) {
@@ -97,7 +94,8 @@
         // sideload-host).
         exit(3);
     } else if (!strncmp(name, "sideload-host:", 14)) {
-        ret = create_service_thread(sideload_host_service, (void*)(name + 14));
+        char* arg = strdup(name + 14);
+        ret = create_service_thread(sideload_host_service, arg);
     }
     if (ret >= 0) {
         close_on_exec(ret);
diff --git a/minui/Android.mk b/minui/Android.mk
index 97724fb..3057f45 100644
--- a/minui/Android.mk
+++ b/minui/Android.mk
@@ -41,6 +41,7 @@
 
 # Used by OEMs for factory test images.
 include $(CLEAR_VARS)
+LOCAL_CLANG := true
 LOCAL_MODULE := libminui
 LOCAL_WHOLE_STATIC_LIBRARIES += libminui
 LOCAL_SHARED_LIBRARIES := libpng
diff --git a/minui/minui.h b/minui/minui.h
index bdde083..fb0bbe1 100644
--- a/minui/minui.h
+++ b/minui/minui.h
@@ -84,6 +84,8 @@
 // Resources
 //
 
+bool matches_locale(const char* prefix, const char* locale);
+
 // res_create_*_surface() functions return 0 if no error, else
 // negative.
 //
@@ -101,8 +103,8 @@
 // should have a 'Frames' text chunk whose value is the number of
 // frames this image represents.  The pixel data itself is interlaced
 // by row.
-int res_create_multi_display_surface(const char* name,
-                                     int* frames, GRSurface*** pSurface);
+int res_create_multi_display_surface(const char* name, int* frames,
+                                     int* fps, GRSurface*** pSurface);
 
 // Load a single alpha surface from a grayscale PNG image.
 int res_create_alpha_surface(const char* name, GRSurface** pSurface);
diff --git a/minui/resources.cpp b/minui/resources.cpp
index 5e47892..40d3c2c 100644
--- a/minui/resources.cpp
+++ b/minui/resources.cpp
@@ -32,8 +32,6 @@
 
 #include "minui.h"
 
-extern char* locale;
-
 #define SURFACE_DATA_ALIGNMENT 8
 
 static GRSurface* malloc_surface(size_t data_size) {
@@ -237,14 +235,14 @@
     return result;
 }
 
-int res_create_multi_display_surface(const char* name, int* frames, GRSurface*** pSurface) {
+int res_create_multi_display_surface(const char* name, int* frames, int* fps,
+        GRSurface*** pSurface) {
     GRSurface** surface = NULL;
     int result = 0;
     png_structp png_ptr = NULL;
     png_infop info_ptr = NULL;
     png_uint_32 width, height;
     png_byte channels;
-    int i;
     png_textp text;
     int num_text;
     unsigned char* p_row;
@@ -257,14 +255,23 @@
     if (result < 0) return result;
 
     *frames = 1;
+    *fps = 20;
     if (png_get_text(png_ptr, info_ptr, &text, &num_text)) {
-        for (i = 0; i < num_text; ++i) {
+        for (int i = 0; i < num_text; ++i) {
             if (text[i].key && strcmp(text[i].key, "Frames") == 0 && text[i].text) {
                 *frames = atoi(text[i].text);
-                break;
+            } else if (text[i].key && strcmp(text[i].key, "FPS") == 0 && text[i].text) {
+                *fps = atoi(text[i].text);
             }
         }
         printf("  found frames = %d\n", *frames);
+        printf("  found fps = %d\n", *fps);
+    }
+
+    if (frames <= 0 || fps <= 0) {
+        printf("bad number of frames (%d) and/or FPS (%d)\n", *frames, *fps);
+        result = -10;
+        goto exit;
     }
 
     if (height % *frames != 0) {
@@ -278,7 +285,7 @@
         result = -8;
         goto exit;
     }
-    for (i = 0; i < *frames; ++i) {
+    for (int i = 0; i < *frames; ++i) {
         surface[i] = init_display_surface(width, height / *frames);
         if (surface[i] == NULL) {
             result = -8;
@@ -307,7 +314,7 @@
 
     if (result < 0) {
         if (surface) {
-            for (i = 0; i < *frames; ++i) {
+            for (int i = 0; i < *frames; ++i) {
                 if (surface[i]) free(surface[i]);
             }
             free(surface);
@@ -363,21 +370,16 @@
     return result;
 }
 
-static int matches_locale(const char* loc, const char* locale) {
-    if (locale == NULL) return 0;
+// This function tests if a locale string stored in PNG (prefix) matches
+// the locale string provided by the system (locale).
+bool matches_locale(const char* prefix, const char* locale) {
+    if (locale == NULL) return false;
 
-    if (strcmp(loc, locale) == 0) return 1;
+    // Return true if the whole string of prefix matches the top part of
+    // locale. For instance, prefix == "en" matches locale == "en_US";
+    // and prefix == "zh_CN" matches locale == "zh_CN_#Hans".
 
-    // if loc does *not* have an underscore, and it matches the start
-    // of locale, and the next character in locale *is* an underscore,
-    // that's a match.  For instance, loc == "en" matches locale ==
-    // "en_US".
-
-    int i;
-    for (i = 0; loc[i] != 0 && loc[i] != '_'; ++i);
-    if (loc[i] == '_') return 0;
-
-    return (strncmp(locale, loc, i) == 0 && locale[i] == '_');
+    return (strncmp(prefix, locale, strlen(prefix)) == 0);
 }
 
 int res_create_localized_alpha_surface(const char* name,
diff --git a/minzip/Android.mk b/minzip/Android.mk
index 045f355..22eabfb 100644
--- a/minzip/Android.mk
+++ b/minzip/Android.mk
@@ -16,6 +16,8 @@
 
 LOCAL_MODULE := libminzip
 
-LOCAL_CFLAGS += -Wall
+LOCAL_CLANG := true
+
+LOCAL_CFLAGS += -Werror -Wall
 
 include $(BUILD_STATIC_LIBRARY)
diff --git a/minzip/Hash.c b/minzip/Hash.c
index 8f8ed68..49bcb31 100644
--- a/minzip/Hash.c
+++ b/minzip/Hash.c
@@ -361,7 +361,7 @@
     {
         const void* data = (const void*)mzHashIterData(&iter);
         int count;
-            
+
         count = countProbes(pHashTable, (*calcFunc)(data), data, cmpFunc);
 
         numEntries++;
@@ -373,7 +373,7 @@
         totalProbe += count;
     }
 
-    LOGI("Probe: min=%d max=%d, total=%d in %d (%d), avg=%.3f\n",
+    LOGV("Probe: min=%d max=%d, total=%d in %d (%d), avg=%.3f\n",
         minProbe, maxProbe, totalProbe, numEntries, pHashTable->tableSize,
         (float) totalProbe / (float) numEntries);
 }
diff --git a/minzip/Hash.h b/minzip/Hash.h
index 8194537..e83eac4 100644
--- a/minzip/Hash.h
+++ b/minzip/Hash.h
@@ -15,6 +15,10 @@
 #include <stdbool.h>
 #include <assert.h>
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* compute the hash of an item with a specific type */
 typedef unsigned int (*HashCompute)(const void* item);
 
@@ -183,4 +187,8 @@
 void mzHashTableProbeCount(HashTable* pHashTable, HashCalcFunc calcFunc,
     HashCompareFunc cmpFunc);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /*_MINZIP_HASH*/
diff --git a/minzip/SysUtil.c b/minzip/SysUtil.c
index b1fb455..e7dd17b 100644
--- a/minzip/SysUtil.c
+++ b/minzip/SysUtil.c
@@ -3,93 +3,51 @@
  *
  * System utilities.
  */
-#include <stdbool.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/mman.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+#include <assert.h>
+#include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
-#include <errno.h>
-#include <assert.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
 
 #define LOG_TAG "sysutil"
 #include "Log.h"
 #include "SysUtil.h"
 
-static int getFileStartAndLength(int fd, off_t *start_, size_t *length_)
-{
-    off_t start, end;
-    size_t length;
-
-    assert(start_ != NULL);
-    assert(length_ != NULL);
-
-    // TODO: isn't start always 0 for the single call site? just use fstat instead?
-
-    start = TEMP_FAILURE_RETRY(lseek(fd, 0L, SEEK_CUR));
-    end = TEMP_FAILURE_RETRY(lseek(fd, 0L, SEEK_END));
-
-    if (TEMP_FAILURE_RETRY(lseek(fd, start, SEEK_SET)) == -1 ||
-                start == (off_t) -1 || end == (off_t) -1) {
-        LOGE("could not determine length of file\n");
-        return -1;
-    }
-
-    length = end - start;
-    if (length == 0) {
-        LOGE("file is empty\n");
-        return -1;
-    }
-
-    *start_ = start;
-    *length_ = length;
-
-    return 0;
-}
-
-/*
- * Map a file (from fd's current offset) into a private, read-only memory
- * segment.  The file offset must be a multiple of the page size.
- *
- * On success, returns 0 and fills out "pMap".  On failure, returns a nonzero
- * value and does not disturb "pMap".
- */
-static int sysMapFD(int fd, MemMapping* pMap)
-{
-    off_t start;
-    size_t length;
-    void* memPtr;
-
+static bool sysMapFD(int fd, MemMapping* pMap) {
     assert(pMap != NULL);
 
-    if (getFileStartAndLength(fd, &start, &length) < 0)
-        return -1;
+    struct stat sb;
+    if (fstat(fd, &sb) == -1) {
+        LOGE("fstat(%d) failed: %s\n", fd, strerror(errno));
+        return false;
+    }
 
-    memPtr = mmap(NULL, length, PROT_READ, MAP_PRIVATE, fd, start);
+    void* memPtr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
     if (memPtr == MAP_FAILED) {
-        LOGW("mmap(%d, R, PRIVATE, %d, %d) failed: %s\n", (int) length,
-            fd, (int) start, strerror(errno));
-        return -1;
+        LOGE("mmap(%d, R, PRIVATE, %d, 0) failed: %s\n", (int) sb.st_size, fd, strerror(errno));
+        return false;
     }
 
     pMap->addr = memPtr;
-    pMap->length = length;
+    pMap->length = sb.st_size;
     pMap->range_count = 1;
     pMap->ranges = malloc(sizeof(MappedRange));
     if (pMap->ranges == NULL) {
         LOGE("malloc failed: %s\n", strerror(errno));
-        munmap(memPtr, length);
-        return -1;
+        munmap(memPtr, sb.st_size);
+        return false;
     }
     pMap->ranges[0].addr = memPtr;
-    pMap->ranges[0].length = length;
+    pMap->ranges[0].length = sb.st_size;
 
-    return 0;
+    return true;
 }
 
 static int sysMapBlockFile(FILE* mapf, MemMapping* pMap)
@@ -102,7 +60,7 @@
     unsigned int i;
 
     if (fgets(block_dev, sizeof(block_dev), mapf) == NULL) {
-        LOGW("failed to read block device from header\n");
+        LOGE("failed to read block device from header\n");
         return -1;
     }
     for (i = 0; i < sizeof(block_dev); ++i) {
@@ -113,7 +71,7 @@
     }
 
     if (fscanf(mapf, "%zu %u\n%u\n", &size, &blksize, &range_count) != 3) {
-        LOGW("failed to parse block map header\n");
+        LOGE("failed to parse block map header\n");
         return -1;
     }
     if (blksize != 0) {
@@ -136,14 +94,14 @@
     unsigned char* reserve;
     reserve = mmap64(NULL, blocks * blksize, PROT_NONE, MAP_PRIVATE | MAP_ANON, -1, 0);
     if (reserve == MAP_FAILED) {
-        LOGW("failed to reserve address space: %s\n", strerror(errno));
+        LOGE("failed to reserve address space: %s\n", strerror(errno));
         free(pMap->ranges);
         return -1;
     }
 
     int fd = open(block_dev, O_RDONLY);
     if (fd < 0) {
-        LOGW("failed to open block device %s: %s\n", block_dev, strerror(errno));
+        LOGE("failed to open block device %s: %s\n", block_dev, strerror(errno));
         munmap(reserve, blocks * blksize);
         free(pMap->ranges);
         return -1;
@@ -155,7 +113,7 @@
     for (i = 0; i < range_count; ++i) {
         size_t start, end;
         if (fscanf(mapf, "%zu %zu\n", &start, &end) != 2) {
-            LOGW("failed to parse range %d in block map\n", i);
+            LOGE("failed to parse range %d in block map\n", i);
             success = false;
             break;
         }
@@ -168,7 +126,7 @@
 
         void* addr = mmap64(next, length, PROT_READ, MAP_PRIVATE | MAP_FIXED, fd, ((off64_t)start)*blksize);
         if (addr == MAP_FAILED) {
-            LOGW("failed to map block %d: %s\n", i, strerror(errno));
+            LOGE("failed to map block %d: %s\n", i, strerror(errno));
             success = false;
             break;
         }
@@ -206,12 +164,12 @@
         // A map of blocks
         FILE* mapf = fopen(fn+1, "r");
         if (mapf == NULL) {
-            LOGV("Unable to open '%s': %s\n", fn+1, strerror(errno));
+            LOGE("Unable to open '%s': %s\n", fn+1, strerror(errno));
             return -1;
         }
 
         if (sysMapBlockFile(mapf, pMap) != 0) {
-            LOGW("Map of '%s' failed\n", fn);
+            LOGE("Map of '%s' failed\n", fn);
             fclose(mapf);
             return -1;
         }
@@ -219,13 +177,13 @@
         fclose(mapf);
     } else {
         // This is a regular file.
-        int fd = open(fn, O_RDONLY, 0);
-        if (fd < 0) {
+        int fd = open(fn, O_RDONLY);
+        if (fd == -1) {
             LOGE("Unable to open '%s': %s\n", fn, strerror(errno));
             return -1;
         }
 
-        if (sysMapFD(fd, pMap) != 0) {
+        if (!sysMapFD(fd, pMap)) {
             LOGE("Map of '%s' failed\n", fn);
             close(fd);
             return -1;
@@ -244,7 +202,7 @@
     int i;
     for (i = 0; i < pMap->range_count; ++i) {
         if (munmap(pMap->ranges[i].addr, pMap->ranges[i].length) < 0) {
-            LOGW("munmap(%p, %d) failed: %s\n",
+            LOGE("munmap(%p, %d) failed: %s\n",
                  pMap->ranges[i].addr, (int)pMap->ranges[i].length, strerror(errno));
         }
     }
diff --git a/minzip/Zip.c b/minzip/Zip.c
index 40712e0..bdb565c 100644
--- a/minzip/Zip.c
+++ b/minzip/Zip.c
@@ -198,10 +198,10 @@
      */
     val = get4LE(pArchive->addr);
     if (val == ENDSIG) {
-        LOGI("Found Zip archive, but it looks empty\n");
+        LOGW("Found Zip archive, but it looks empty\n");
         goto bail;
     } else if (val != LOCSIG) {
-        LOGV("Not a Zip archive (found 0x%08x)\n", val);
+        LOGW("Not a Zip archive (found 0x%08x)\n", val);
         goto bail;
     }
 
@@ -217,7 +217,7 @@
         ptr--;
     }
     if (ptr < (const unsigned char*) pArchive->addr) {
-        LOGI("Could not find end-of-central-directory in Zip\n");
+        LOGW("Could not find end-of-central-directory in Zip\n");
         goto bail;
     }
 
@@ -429,7 +429,7 @@
 
     if (length < ENDHDR) {
         err = -1;
-        LOGV("File '%s' too small to be zip (%zd)\n", fileName, map.length);
+        LOGW("Archive %p is too small to be zip (%zd)\n", pArchive, length);
         goto bail;
     }
 
@@ -438,7 +438,7 @@
 
     if (!parseZipArchive(pArchive)) {
         err = -1;
-        LOGV("Parsing '%s' failed\n", fileName);
+        LOGW("Parsing archive %p failed\n", pArchive);
         goto bail;
     }
 
@@ -506,7 +506,6 @@
     void *cookie)
 {
     long result = -1;
-    unsigned char readBuf[32 * 1024];
     unsigned char procBuf[32 * 1024];
     z_stream zstream;
     int zerr;
@@ -549,7 +548,7 @@
         /* uncompress the data */
         zerr = inflate(&zstream, Z_NO_FLUSH);
         if (zerr != Z_OK && zerr != Z_STREAM_END) {
-            LOGD("zlib inflate call failed (zerr=%d)\n", zerr);
+            LOGW("zlib inflate call failed (zerr=%d)\n", zerr);
             goto z_bail;
         }
 
@@ -603,7 +602,6 @@
     void *cookie)
 {
     bool ret = false;
-    off_t oldOff;
 
     switch (pEntry->compression) {
     case STORED:
@@ -621,13 +619,6 @@
     return ret;
 }
 
-static bool crcProcessFunction(const unsigned char *data, int dataLen,
-        void *crc)
-{
-    *(unsigned long *)crc = crc32(*(unsigned long *)crc, data, dataLen);
-    return true;
-}
-
 typedef struct {
     char *buf;
     int bufLen;
@@ -1016,7 +1007,7 @@
         if (callback != NULL) callback(targetFile, cookie);
     }
 
-    LOGD("Extracted %d file(s)\n", extractCount);
+    LOGV("Extracted %d file(s)\n", extractCount);
 
     free(helper.buf);
     free(zpath);
diff --git a/mtdutils/Android.mk b/mtdutils/Android.mk
index f04355b..b7d35c2 100644
--- a/mtdutils/Android.mk
+++ b/mtdutils/Android.mk
@@ -6,10 +6,12 @@
 	mounts.c
 
 LOCAL_MODULE := libmtdutils
+LOCAL_CLANG := true
 
 include $(BUILD_STATIC_LIBRARY)
 
 include $(CLEAR_VARS)
+LOCAL_CLANG := true
 LOCAL_SRC_FILES := flash_image.c
 LOCAL_MODULE := flash_image
 LOCAL_MODULE_TAGS := eng
diff --git a/mtdutils/mtdutils.c b/mtdutils/mtdutils.c
index cc30334..cd4f52c 100644
--- a/mtdutils/mtdutils.c
+++ b/mtdutils/mtdutils.c
@@ -300,20 +300,20 @@
         if (TEMP_FAILURE_RETRY(lseek64(fd, pos, SEEK_SET)) != pos ||
                     TEMP_FAILURE_RETRY(read(fd, data, size)) != size) {
             printf("mtd: read error at 0x%08llx (%s)\n",
-                    pos, strerror(errno));
+                   (long long)pos, strerror(errno));
         } else if (ioctl(fd, ECCGETSTATS, &after)) {
             printf("mtd: ECCGETSTATS error (%s)\n", strerror(errno));
             return -1;
         } else if (after.failed != before.failed) {
             printf("mtd: ECC errors (%d soft, %d hard) at 0x%08llx\n",
-                    after.corrected - before.corrected,
-                    after.failed - before.failed, pos);
+                   after.corrected - before.corrected,
+                   after.failed - before.failed, (long long)pos);
             // copy the comparison baseline for the next read.
             memcpy(&before, &after, sizeof(struct mtd_ecc_stats));
         } else if ((mgbb = ioctl(fd, MEMGETBADBLOCK, &pos))) {
             fprintf(stderr,
                     "mtd: MEMGETBADBLOCK returned %d at 0x%08llx: %s\n",
-                    mgbb, pos, strerror(errno));
+                    mgbb, (long long)pos, strerror(errno));
         } else {
             return 0;  // Success!
         }
diff --git a/otafault/Android.mk b/otafault/Android.mk
new file mode 100644
index 0000000..ba7add8
--- /dev/null
+++ b/otafault/Android.mk
@@ -0,0 +1,44 @@
+# Copyright 2015 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific languae governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+otafault_static_libs := \
+    libbase \
+    libminzip \
+    libz \
+    libselinux
+
+LOCAL_SRC_FILES := config.cpp ota_io.cpp
+LOCAL_MODULE_TAGS := eng
+LOCAL_MODULE := libotafault
+LOCAL_CLANG := true
+LOCAL_C_INCLUDES := bootable/recovery
+LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)
+LOCAL_WHOLE_STATIC_LIBRARIES := $(otafault_static_libs)
+
+include $(BUILD_STATIC_LIBRARY)
+
+include $(CLEAR_VARS)
+
+LOCAL_SRC_FILES := config.cpp ota_io.cpp test.cpp
+LOCAL_MODULE_TAGS := tests
+LOCAL_MODULE := otafault_test
+LOCAL_STATIC_LIBRARIES := $(otafault_static_libs)
+LOCAL_C_INCLUDES := bootable/recovery
+LOCAL_FORCE_STATIC_EXECUTABLE := true
+
+include $(BUILD_EXECUTABLE)
diff --git a/otafault/config.cpp b/otafault/config.cpp
new file mode 100644
index 0000000..b456739
--- /dev/null
+++ b/otafault/config.cpp
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <map>
+#include <string>
+
+#include <stdio.h>
+#include <unistd.h>
+
+#include <android-base/stringprintf.h>
+
+#include "minzip/Zip.h"
+#include "config.h"
+#include "ota_io.h"
+
+#define OTAIO_MAX_FNAME_SIZE 128
+
+static ZipArchive* archive;
+static std::map<std::string, bool> should_inject_cache;
+
+static std::string get_type_path(const char* io_type) {
+    return android::base::StringPrintf("%s/%s", OTAIO_BASE_DIR, io_type);
+}
+
+void ota_io_init(ZipArchive* za) {
+    archive = za;
+    ota_set_fault_files();
+}
+
+bool should_fault_inject(const char* io_type) {
+    // archive will be NULL if we used an entry point other
+    // than updater/updater.cpp:main
+    if (archive == NULL) {
+        return false;
+    }
+    const std::string type_path = get_type_path(io_type);
+    if (should_inject_cache.find(type_path) != should_inject_cache.end()) {
+        return should_inject_cache[type_path];
+    }
+    const ZipEntry* entry = mzFindZipEntry(archive, type_path.c_str());
+    should_inject_cache[type_path] = entry != nullptr;
+    return entry != NULL;
+}
+
+bool should_hit_cache() {
+    return should_fault_inject(OTAIO_CACHE);
+}
+
+std::string fault_fname(const char* io_type) {
+    std::string type_path = get_type_path(io_type);
+    std::string fname;
+    fname.resize(OTAIO_MAX_FNAME_SIZE);
+    const ZipEntry* entry = mzFindZipEntry(archive, type_path.c_str());
+    mzReadZipEntry(archive, entry, &fname[0], OTAIO_MAX_FNAME_SIZE);
+    return fname;
+}
diff --git a/otafault/config.h b/otafault/config.h
new file mode 100644
index 0000000..4430be3
--- /dev/null
+++ b/otafault/config.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * Read configuration files in the OTA package to determine which files, if any, will trigger errors.
+ *
+ * OTA packages can be modified to trigger errors by adding a top-level
+ * directory called .libotafault, which may optionally contain up to three
+ * files called READ, WRITE, and FSYNC. Each one of these optional files
+ * contains the name of a single file on the device disk which will cause
+ * an IO error on the first call of the appropriate I/O action to that file.
+ *
+ * Example:
+ * ota.zip
+ *   <normal package contents>
+ *   .libotafault
+ *     WRITE
+ *
+ * If the contents of the file WRITE were /system/build.prop, the first write
+ * action to /system/build.prop would fail with EIO. Note that READ and
+ * FSYNC files are absent, so these actions will not cause an error.
+ */
+
+#ifndef _UPDATER_OTA_IO_CFG_H_
+#define _UPDATER_OTA_IO_CFG_H_
+
+#include <string>
+
+#include <stdbool.h>
+
+#include "minzip/Zip.h"
+
+#define OTAIO_BASE_DIR ".libotafault"
+#define OTAIO_READ "READ"
+#define OTAIO_WRITE "WRITE"
+#define OTAIO_FSYNC "FSYNC"
+#define OTAIO_CACHE "CACHE"
+
+/*
+ * Initialize libotafault by providing a reference to the OTA package.
+ */
+void ota_io_init(ZipArchive* za);
+
+/*
+ * Return true if a config file is present for the given IO type.
+ */
+bool should_fault_inject(const char* io_type);
+
+/*
+ * Return true if an EIO should occur on the next hit to /cache/saved.file
+ * instead of the next hit to the specified file.
+ */
+bool should_hit_cache();
+
+/*
+ * Return the name of the file that should cause an error for the
+ * given IO type.
+ */
+std::string fault_fname(const char* io_type);
+
+#endif
diff --git a/otafault/ota_io.cpp b/otafault/ota_io.cpp
new file mode 100644
index 0000000..0445853
--- /dev/null
+++ b/otafault/ota_io.cpp
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <map>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include "config.h"
+#include "ota_io.h"
+
+static std::map<intptr_t, const char*> filename_cache;
+static std::string read_fault_file_name = "";
+static std::string write_fault_file_name = "";
+static std::string fsync_fault_file_name = "";
+
+static bool get_hit_file(const char* cached_path, std::string ffn) {
+    return should_hit_cache()
+        ? !strncmp(cached_path, OTAIO_CACHE_FNAME, strlen(cached_path))
+        : !strncmp(cached_path, ffn.c_str(), strlen(cached_path));
+}
+
+void ota_set_fault_files() {
+    if (should_fault_inject(OTAIO_READ)) {
+        read_fault_file_name = fault_fname(OTAIO_READ);
+    }
+    if (should_fault_inject(OTAIO_WRITE)) {
+        write_fault_file_name = fault_fname(OTAIO_WRITE);
+    }
+    if (should_fault_inject(OTAIO_FSYNC)) {
+        fsync_fault_file_name = fault_fname(OTAIO_FSYNC);
+    }
+}
+
+bool have_eio_error = false;
+
+int ota_open(const char* path, int oflags) {
+    // Let the caller handle errors; we do not care if open succeeds or fails
+    int fd = open(path, oflags);
+    filename_cache[fd] = path;
+    return fd;
+}
+
+int ota_open(const char* path, int oflags, mode_t mode) {
+    int fd = open(path, oflags, mode);
+    filename_cache[fd] = path;
+    return fd; }
+
+FILE* ota_fopen(const char* path, const char* mode) {
+    FILE* fh = fopen(path, mode);
+    filename_cache[(intptr_t)fh] = path;
+    return fh;
+}
+
+int ota_close(int fd) {
+    // descriptors can be reused, so make sure not to leave them in the cache
+    filename_cache.erase(fd);
+    return close(fd);
+}
+
+int ota_fclose(FILE* fh) {
+    filename_cache.erase((intptr_t)fh);
+    return fclose(fh);
+}
+
+size_t ota_fread(void* ptr, size_t size, size_t nitems, FILE* stream) {
+    if (should_fault_inject(OTAIO_READ)) {
+        auto cached = filename_cache.find((intptr_t)stream);
+        const char* cached_path = cached->second;
+        if (cached != filename_cache.end() &&
+                get_hit_file(cached_path, read_fault_file_name)) {
+            read_fault_file_name = "";
+            errno = EIO;
+            have_eio_error = true;
+            return 0;
+        }
+    }
+    size_t status = fread(ptr, size, nitems, stream);
+    if (status != nitems && errno == EIO) {
+        have_eio_error = true;
+    }
+    return status;
+}
+
+ssize_t ota_read(int fd, void* buf, size_t nbyte) {
+    if (should_fault_inject(OTAIO_READ)) {
+        auto cached = filename_cache.find(fd);
+        const char* cached_path = cached->second;
+        if (cached != filename_cache.end()
+                && get_hit_file(cached_path, read_fault_file_name)) {
+            read_fault_file_name = "";
+            errno = EIO;
+            have_eio_error = true;
+            return -1;
+        }
+    }
+    ssize_t status = read(fd, buf, nbyte);
+    if (status == -1 && errno == EIO) {
+        have_eio_error = true;
+    }
+    return status;
+}
+
+size_t ota_fwrite(const void* ptr, size_t size, size_t count, FILE* stream) {
+    if (should_fault_inject(OTAIO_WRITE)) {
+        auto cached = filename_cache.find((intptr_t)stream);
+        const char* cached_path = cached->second;
+        if (cached != filename_cache.end() &&
+                get_hit_file(cached_path, write_fault_file_name)) {
+            write_fault_file_name = "";
+            errno = EIO;
+            have_eio_error = true;
+            return 0;
+        }
+    }
+    size_t status = fwrite(ptr, size, count, stream);
+    if (status != count && errno == EIO) {
+        have_eio_error = true;
+    }
+    return status;
+}
+
+ssize_t ota_write(int fd, const void* buf, size_t nbyte) {
+    if (should_fault_inject(OTAIO_WRITE)) {
+        auto cached = filename_cache.find(fd);
+        const char* cached_path = cached->second;
+        if (cached != filename_cache.end() &&
+                get_hit_file(cached_path, write_fault_file_name)) {
+            write_fault_file_name = "";
+            errno = EIO;
+            have_eio_error = true;
+            return -1;
+        }
+    }
+    ssize_t status = write(fd, buf, nbyte);
+    if (status == -1 && errno == EIO) {
+        have_eio_error = true;
+    }
+    return status;
+}
+
+int ota_fsync(int fd) {
+    if (should_fault_inject(OTAIO_FSYNC)) {
+        auto cached = filename_cache.find(fd);
+        const char* cached_path = cached->second;
+        if (cached != filename_cache.end() &&
+                get_hit_file(cached_path, fsync_fault_file_name)) {
+            fsync_fault_file_name = "";
+            errno = EIO;
+            have_eio_error = true;
+            return -1;
+        }
+    }
+    int status = fsync(fd);
+    if (status == -1 && errno == EIO) {
+        have_eio_error = true;
+    }
+    return status;
+}
+
diff --git a/otafault/ota_io.h b/otafault/ota_io.h
new file mode 100644
index 0000000..84187a7
--- /dev/null
+++ b/otafault/ota_io.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * Provide a series of proxy functions for basic file accessors.
+ * The behavior of these functions can be changed to return different
+ * errors under a variety of conditions.
+ */
+
+#ifndef _UPDATER_OTA_IO_H_
+#define _UPDATER_OTA_IO_H_
+
+#include <stdio.h>
+#include <sys/stat.h>
+
+#define OTAIO_CACHE_FNAME "/cache/saved.file"
+
+void ota_set_fault_files();
+
+int ota_open(const char* path, int oflags);
+
+int ota_open(const char* path, int oflags, mode_t mode);
+
+FILE* ota_fopen(const char* filename, const char* mode);
+
+int ota_close(int fd);
+
+int ota_fclose(FILE* fh);
+
+size_t ota_fread(void* ptr, size_t size, size_t nitems, FILE* stream);
+
+ssize_t ota_read(int fd, void* buf, size_t nbyte);
+
+size_t ota_fwrite(const void* ptr, size_t size, size_t count, FILE* stream);
+
+ssize_t ota_write(int fd, const void* buf, size_t nbyte);
+
+int ota_fsync(int fd);
+
+#endif
diff --git a/otafault/test.cpp b/otafault/test.cpp
new file mode 100644
index 0000000..6514782
--- /dev/null
+++ b/otafault/test.cpp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#include "ota_io.h"
+
+int main(int /* argc */, char** /* argv */) {
+    int fd = open("testdata/test.file", O_RDWR);
+    char buf[8];
+    const char* out = "321";
+    int readv = ota_read(fd, buf, 4);
+    printf("Read returned %d\n", readv);
+    int writev = ota_write(fd, out, 4);
+    printf("Write returned %d\n", writev);
+    close(fd);
+    return 0;
+}
diff --git a/print_sha1.h b/print_sha1.h
new file mode 100644
index 0000000..c7c1f36
--- /dev/null
+++ b/print_sha1.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef RECOVERY_PRINT_SHA1_H
+#define RECOVERY_PRINT_SHA1_H
+
+#include <stdint.h>
+#include <string>
+
+#include "openssl/sha.h"
+
+static std::string print_sha1(const uint8_t* sha1, size_t len) {
+    const char* hex = "0123456789abcdef";
+    std::string result = "";
+    for (size_t i = 0; i < len; ++i) {
+        result.push_back(hex[(sha1[i]>>4) & 0xf]);
+        result.push_back(hex[sha1[i] & 0xf]);
+    }
+    return result;
+}
+
+static std::string print_sha1(const uint8_t sha1[SHA_DIGEST_LENGTH]) {
+    return print_sha1(sha1, SHA_DIGEST_LENGTH);
+}
+
+static std::string short_sha1(const uint8_t sha1[SHA_DIGEST_LENGTH]) {
+    return print_sha1(sha1, 4);
+}
+
+static std::string print_hex(const uint8_t* bytes, size_t len) {
+  return print_sha1(bytes, len);
+}
+
+#endif  // RECOVERY_PRINT_SHA1_H
diff --git a/recovery-persist.cpp b/recovery-persist.cpp
new file mode 100644
index 0000000..25df03f
--- /dev/null
+++ b/recovery-persist.cpp
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define LOG_TAG "recovery-persist"
+
+//
+// Strictly to deal with reboot into system after OTA after /data
+// mounts to pull the last pmsg file data and place it
+// into /data/misc/recovery/ directory, rotating it in.
+//
+// Usage: recovery-persist [--force-persist]
+//
+//    On systems without /cache mount, all file content representing in the
+//    recovery/ directory stored in /sys/fs/pstore/pmsg-ramoops-0 in logger
+//    format that reside in the LOG_ID_SYSTEM buffer at ANDROID_LOG_INFO
+//    priority or higher is transfered to the /data/misc/recovery/ directory.
+//    The content is matched and rotated in as need be.
+//
+//    --force-persist  ignore /cache mount, always rotate in the contents.
+//
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <string>
+
+#include <android/log.h> /* Android Log Priority Tags */
+#include <android-base/file.h>
+#include <log/log.h>
+#include <log/logger.h> /* Android Log packet format */
+#include <private/android_logger.h> /* private pmsg functions */
+
+static const char *LAST_LOG_FILE = "/data/misc/recovery/last_log";
+static const char *LAST_PMSG_FILE = "/sys/fs/pstore/pmsg-ramoops-0";
+static const char *LAST_KMSG_FILE = "/data/misc/recovery/last_kmsg";
+static const char *LAST_CONSOLE_FILE = "/sys/fs/pstore/console-ramoops-0";
+static const char *ALT_LAST_CONSOLE_FILE = "/sys/fs/pstore/console-ramoops";
+
+static const int KEEP_LOG_COUNT = 10;
+
+// close a file, log an error if the error indicator is set
+static void check_and_fclose(FILE *fp, const char *name) {
+    fflush(fp);
+    if (ferror(fp)) SLOGE("%s %s", name, strerror(errno));
+    fclose(fp);
+}
+
+static void copy_file(const char* source, const char* destination) {
+    FILE* dest_fp = fopen(destination, "w");
+    if (dest_fp == nullptr) {
+        SLOGE("%s %s", destination, strerror(errno));
+    } else {
+        FILE* source_fp = fopen(source, "r");
+        if (source_fp != nullptr) {
+            char buf[4096];
+            size_t bytes;
+            while ((bytes = fread(buf, 1, sizeof(buf), source_fp)) != 0) {
+                fwrite(buf, 1, bytes, dest_fp);
+            }
+            check_and_fclose(source_fp, source);
+        }
+        check_and_fclose(dest_fp, destination);
+    }
+}
+
+static bool rotated = false;
+
+// Rename last_log -> last_log.1 -> last_log.2 -> ... -> last_log.$max.
+// Similarly rename last_kmsg -> last_kmsg.1 -> ... -> last_kmsg.$max.
+// Overwrite any existing last_log.$max and last_kmsg.$max.
+static void rotate_logs(int max) {
+    // Logs should only be rotated once.
+
+    if (rotated) {
+        return;
+    }
+    rotated = true;
+
+    for (int i = max-1; i >= 0; --i) {
+        std::string old_log(LAST_LOG_FILE);
+        if (i > 0) {
+          old_log += "." + std::to_string(i);
+        }
+        std::string new_log(LAST_LOG_FILE);
+        new_log += "." + std::to_string(i+1);
+
+        // Ignore errors if old_log doesn't exist.
+        rename(old_log.c_str(), new_log.c_str());
+
+        std::string old_kmsg(LAST_KMSG_FILE);
+        if (i > 0) {
+          old_kmsg += "." + std::to_string(i);
+        }
+        std::string new_kmsg(LAST_KMSG_FILE);
+        new_kmsg += "." + std::to_string(i+1);
+
+        rename(old_kmsg.c_str(), new_kmsg.c_str());
+    }
+}
+
+ssize_t logsave(
+        log_id_t /* logId */,
+        char /* prio */,
+        const char *filename,
+        const char *buf, size_t len,
+        void * /* arg */) {
+
+    std::string destination("/data/misc/");
+    destination += filename;
+
+    std::string buffer(buf, len);
+
+    {
+        std::string content;
+        android::base::ReadFileToString(destination, &content);
+
+        if (buffer.compare(content) == 0) {
+            return len;
+        }
+    }
+
+    // ToDo: Any others that match? Are we pulling in multiple
+    // already-rotated files? Algorithm thus far is KISS: one file,
+    // one rotation allowed.
+
+    rotate_logs(KEEP_LOG_COUNT);
+
+    return android::base::WriteStringToFile(buffer, destination.c_str());
+}
+
+int main(int argc, char **argv) {
+
+    /* Is /cache a mount?, we have been delivered where we are not wanted */
+    /*
+     * Following code halves the size of the executable as compared to:
+     *
+     *    load_volume_table();
+     *    has_cache = volume_for_path(CACHE_ROOT) != nullptr;
+     */
+    bool has_cache = false;
+    static const char mounts_file[] = "/proc/mounts";
+    FILE *fp = fopen(mounts_file, "r");
+    if (!fp) {
+        SLOGV("%s %s", mounts_file, strerror(errno));
+    } else {
+        char *line = NULL;
+        size_t len = 0;
+        ssize_t read;
+        while ((read = getline(&line, &len, fp)) != -1) {
+            if (strstr(line, " /cache ")) {
+                has_cache = true;
+                break;
+            }
+        }
+        free(line);
+        fclose(fp);
+    }
+
+    if (has_cache) {
+        /*
+         * TBD: Future location to move content from
+         * /cache/recovery to /data/misc/recovery/
+         */
+        /* if --force-persist flag, then transfer pmsg data anyways */
+        if ((argc <= 1) || !argv[1] || strcmp(argv[1], "--force-persist")) {
+            return 0;
+        }
+    }
+
+    /* Is there something in pmsg? */
+    if (access(LAST_PMSG_FILE, R_OK)) {
+        return 0;
+    }
+
+    // Take last pmsg file contents and send it off to the logsave
+    __android_log_pmsg_file_read(
+        LOG_ID_SYSTEM, ANDROID_LOG_INFO, "recovery/", logsave, NULL);
+
+    /* Is there a last console log too? */
+    if (rotated) {
+        if (!access(LAST_CONSOLE_FILE, R_OK)) {
+            copy_file(LAST_CONSOLE_FILE, LAST_KMSG_FILE);
+        } else if (!access(ALT_LAST_CONSOLE_FILE, R_OK)) {
+            copy_file(ALT_LAST_CONSOLE_FILE, LAST_KMSG_FILE);
+        }
+    }
+
+    return 0;
+}
diff --git a/recovery-persist.rc b/recovery-persist.rc
new file mode 100644
index 0000000..6761627
--- /dev/null
+++ b/recovery-persist.rc
@@ -0,0 +1,3 @@
+on post-fs-data
+    mkdir /data/misc/recovery 0770 system log
+    exec - system log -- /system/bin/recovery-persist
diff --git a/recovery-refresh.cpp b/recovery-refresh.cpp
new file mode 100644
index 0000000..70adc70
--- /dev/null
+++ b/recovery-refresh.cpp
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define LOG_TAG "recovery-refresh"
+
+//
+// Strictly to deal with reboot into system after OTA, then
+// reboot while in system before boot complete landing us back
+// into recovery to continue with any mitigations with retained
+// log history. This simply refreshes the pmsg files from
+// the last pmsg file contents.
+//
+// Usage:
+//    recovery-refresh [--force-rotate|--rotate]
+//
+//    All file content representing in the recovery/ directory stored in
+//    /sys/fs/pstore/pmsg-ramoops-0 in logger format that reside in the
+//    LOG_ID_SYSTEM buffer at ANDROID_LOG_INFO priority or higher is
+//    refreshed into /dev/pmsg0. This ensures that an unexpected reboot
+//    before recovery-persist is run will still contain the associated
+//    pmsg Android Logger content.
+//
+//    --force-rotate  recovery/last_kmsg and recovery.last_log files are
+//                    rotated with .<number> suffixes upwards.
+//    --rotate        rotated only if rocovery/last_msg or recovery/last_log
+//                    exist, otherwise perform 1:1 refresh.
+//
+
+#include <string.h>
+
+#include <string>
+
+#include <android/log.h> /* Android Log Priority Tags */
+#include <log/logger.h> /* Android Log packet format */
+#include <private/android_logger.h> /* private pmsg functions */
+
+static const char LAST_KMSG_FILE[] = "recovery/last_kmsg";
+static const char LAST_LOG_FILE[] = "recovery/last_log";
+
+static ssize_t logbasename(
+        log_id_t /* logId */,
+        char /* prio */,
+        const char *filename,
+        const char * /* buf */, size_t len,
+        void *arg) {
+    if (strstr(LAST_KMSG_FILE, filename) ||
+            strstr(LAST_LOG_FILE, filename)) {
+        bool *doRotate = reinterpret_cast<bool *>(arg);
+        *doRotate = true;
+    }
+    return len;
+}
+
+static ssize_t logrotate(
+        log_id_t logId,
+        char prio,
+        const char *filename,
+        const char *buf, size_t len,
+        void *arg) {
+    bool *doRotate = reinterpret_cast<bool *>(arg);
+    if (!*doRotate) {
+        return __android_log_pmsg_file_write(logId, prio, filename, buf, len);
+    }
+
+    std::string name(filename);
+    size_t dot = name.find_last_of(".");
+    std::string sub = name.substr(0, dot);
+
+    if (!strstr(LAST_KMSG_FILE, sub.c_str()) &&
+                !strstr(LAST_LOG_FILE, sub.c_str())) {
+        return __android_log_pmsg_file_write(logId, prio, filename, buf, len);
+    }
+
+    // filename rotation
+    if (dot == std::string::npos) {
+        name += ".1";
+    } else {
+        std::string number = name.substr(dot + 1);
+        if (!isdigit(number.data()[0])) {
+            name += ".1";
+        } else {
+            unsigned long long i = std::stoull(number);
+            name = sub + "." + std::to_string(i + 1);
+        }
+    }
+
+    return __android_log_pmsg_file_write(logId, prio, name.c_str(), buf, len);
+}
+
+int main(int argc, char **argv) {
+    static const char filter[] = "recovery/";
+    static const char force_rotate_flag[] = "--force-rotate";
+    static const char rotate_flag[] = "--rotate";
+    ssize_t ret;
+    bool doRotate = false;
+
+    // Take last pmsg contents and rewrite it to the current pmsg session.
+    if ((argc <= 1) || !argv[1] ||
+            (((doRotate = strcmp(argv[1], rotate_flag))) &&
+                strcmp(argv[1], force_rotate_flag))) {
+        doRotate = false;
+    } else if (!doRotate) {
+        // Do we need to rotate?
+        __android_log_pmsg_file_read(
+            LOG_ID_SYSTEM, ANDROID_LOG_INFO, filter,
+            logbasename, &doRotate);
+    }
+
+    // Take action to refresh pmsg contents
+    ret = __android_log_pmsg_file_read(
+        LOG_ID_SYSTEM, ANDROID_LOG_INFO, filter,
+        logrotate, &doRotate);
+
+    return (ret < 0) ? ret : 0;
+}
diff --git a/recovery-refresh.rc b/recovery-refresh.rc
new file mode 100644
index 0000000..14b05cc
--- /dev/null
+++ b/recovery-refresh.rc
@@ -0,0 +1,2 @@
+on post-fs
+    exec - system log -- /system/bin/recovery-refresh
diff --git a/recovery.cpp b/recovery.cpp
index b7a5458..10f8414 100644
--- a/recovery.cpp
+++ b/recovery.cpp
@@ -28,33 +28,44 @@
 #include <sys/klog.h>
 #include <sys/stat.h>
 #include <sys/types.h>
+#include <sys/wait.h>
 #include <time.h>
 #include <unistd.h>
 
-#include <base/file.h>
-#include <base/stringprintf.h>
+#include <chrono>
 
+#include <adb.h>
+#include <android/log.h> /* Android Log Priority Tags */
+#include <android-base/file.h>
+#include <android-base/parseint.h>
+#include <android-base/stringprintf.h>
+#include <cutils/android_reboot.h>
+#include <cutils/properties.h>
+#include <log/logger.h> /* Android Log packet format */
+#include <private/android_logger.h> /* private pmsg functions */
+
+#include <healthd/BatteryMonitor.h>
+
+#include "adb_install.h"
 #include "bootloader.h"
 #include "common.h"
-#include "cutils/properties.h"
-#include "cutils/android_reboot.h"
+#include "device.h"
+#include "error_code.h"
+#include "fuse_sdcard_provider.h"
+#include "fuse_sideload.h"
 #include "install.h"
 #include "minui/minui.h"
 #include "minzip/DirUtil.h"
 #include "roots.h"
 #include "ui.h"
 #include "screen_ui.h"
-#include "device.h"
-#include "adb_install.h"
-#include "adb.h"
-#include "fuse_sideload.h"
-#include "fuse_sdcard_provider.h"
 
 struct selabel_handle *sehandle;
 
 static const struct option OPTIONS[] = {
   { "send_intent", required_argument, NULL, 'i' },
   { "update_package", required_argument, NULL, 'u' },
+  { "retry_count", required_argument, NULL, 'n' },
   { "wipe_data", no_argument, NULL, 'w' },
   { "wipe_cache", no_argument, NULL, 'c' },
   { "show_text", no_argument, NULL, 't' },
@@ -65,6 +76,7 @@
   { "stages", required_argument, NULL, 'g' },
   { "shutdown_after", no_argument, NULL, 'p' },
   { "reason", required_argument, NULL, 'r' },
+  { "security", no_argument, NULL, 'e'},
   { NULL, 0, NULL, 0 },
 };
 
@@ -74,19 +86,31 @@
 static const char *LOG_FILE = "/cache/recovery/log";
 static const char *LAST_INSTALL_FILE = "/cache/recovery/last_install";
 static const char *LOCALE_FILE = "/cache/recovery/last_locale";
+static const char *CONVERT_FBE_DIR = "/tmp/convert_fbe";
+static const char *CONVERT_FBE_FILE = "/tmp/convert_fbe/convert_fbe";
 static const char *CACHE_ROOT = "/cache";
+static const char *DATA_ROOT = "/data";
 static const char *SDCARD_ROOT = "/sdcard";
 static const char *TEMPORARY_LOG_FILE = "/tmp/recovery.log";
 static const char *TEMPORARY_INSTALL_FILE = "/tmp/last_install";
 static const char *LAST_KMSG_FILE = "/cache/recovery/last_kmsg";
 static const char *LAST_LOG_FILE = "/cache/recovery/last_log";
 static const int KEEP_LOG_COUNT = 10;
+// We will try to apply the update package 5 times at most in case of an I/O error.
+static const int EIO_RETRY_COUNT = 4;
+static const int BATTERY_READ_TIMEOUT_IN_SEC = 10;
+// GmsCore enters recovery mode to install package when having enough battery
+// percentage. Normally, the threshold is 40% without charger and 20% with charger.
+// So we should check battery with a slightly lower limitation.
+static const int BATTERY_OK_PERCENTAGE = 20;
+static const int BATTERY_WITH_CHARGER_OK_PERCENTAGE = 15;
 
 RecoveryUI* ui = NULL;
-char* locale = NULL;
+static const char* locale = "en_US";
 char* stage = NULL;
 char* reason = NULL;
 bool modified_flash = false;
+static bool has_cache = false;
 
 /*
  * The recovery tool communicates with the main system through /cache files.
@@ -151,8 +175,7 @@
 static const int MAX_ARGS = 100;
 
 // open a given path, mounting partitions as necessary
-FILE*
-fopen_path(const char *path, const char *mode) {
+FILE* fopen_path(const char *path, const char *mode) {
     if (ensure_path_mounted(path) != 0) {
         LOGE("Can't mount %s\n", path);
         return NULL;
@@ -166,23 +189,102 @@
     return fp;
 }
 
+// close a file, log an error if the error indicator is set
+static void check_and_fclose(FILE *fp, const char *name) {
+    fflush(fp);
+    if (ferror(fp)) LOGE("Error in %s\n(%s)\n", name, strerror(errno));
+    fclose(fp);
+}
+
 bool is_ro_debuggable() {
     char value[PROPERTY_VALUE_MAX+1];
     return (property_get("ro.debuggable", value, NULL) == 1 && value[0] == '1');
 }
 
 static void redirect_stdio(const char* filename) {
-    // If these fail, there's not really anywhere to complain...
-    freopen(filename, "a", stdout); setbuf(stdout, NULL);
-    freopen(filename, "a", stderr); setbuf(stderr, NULL);
-}
+    int pipefd[2];
+    if (pipe(pipefd) == -1) {
+        LOGE("pipe failed: %s\n", strerror(errno));
 
-// close a file, log an error if the error indicator is set
-static void
-check_and_fclose(FILE *fp, const char *name) {
-    fflush(fp);
-    if (ferror(fp)) LOGE("Error in %s\n(%s)\n", name, strerror(errno));
-    fclose(fp);
+        // Fall back to traditional logging mode without timestamps.
+        // If these fail, there's not really anywhere to complain...
+        freopen(filename, "a", stdout); setbuf(stdout, NULL);
+        freopen(filename, "a", stderr); setbuf(stderr, NULL);
+
+        return;
+    }
+
+    pid_t pid = fork();
+    if (pid == -1) {
+        LOGE("fork failed: %s\n", strerror(errno));
+
+        // Fall back to traditional logging mode without timestamps.
+        // If these fail, there's not really anywhere to complain...
+        freopen(filename, "a", stdout); setbuf(stdout, NULL);
+        freopen(filename, "a", stderr); setbuf(stderr, NULL);
+
+        return;
+    }
+
+    if (pid == 0) {
+        /// Close the unused write end.
+        close(pipefd[1]);
+
+        auto start = std::chrono::steady_clock::now();
+
+        // Child logger to actually write to the log file.
+        FILE* log_fp = fopen(filename, "a");
+        if (log_fp == nullptr) {
+            LOGE("fopen \"%s\" failed: %s\n", filename, strerror(errno));
+            close(pipefd[0]);
+            _exit(1);
+        }
+
+        FILE* pipe_fp = fdopen(pipefd[0], "r");
+        if (pipe_fp == nullptr) {
+            LOGE("fdopen failed: %s\n", strerror(errno));
+            check_and_fclose(log_fp, filename);
+            close(pipefd[0]);
+            _exit(1);
+        }
+
+        char* line = nullptr;
+        size_t len = 0;
+        while (getline(&line, &len, pipe_fp) != -1) {
+            auto now = std::chrono::steady_clock::now();
+            double duration = std::chrono::duration_cast<std::chrono::duration<double>>(
+                    now - start).count();
+            if (line[0] == '\n') {
+                fprintf(log_fp, "[%12.6lf]\n", duration);
+            } else {
+                fprintf(log_fp, "[%12.6lf] %s", duration, line);
+            }
+            fflush(log_fp);
+        }
+
+        LOGE("getline failed: %s\n", strerror(errno));
+
+        free(line);
+        check_and_fclose(log_fp, filename);
+        close(pipefd[0]);
+        _exit(1);
+    } else {
+        // Redirect stdout/stderr to the logger process.
+        // Close the unused read end.
+        close(pipefd[0]);
+
+        setbuf(stdout, nullptr);
+        setbuf(stderr, nullptr);
+
+        if (dup2(pipefd[1], STDOUT_FILENO) == -1) {
+            LOGE("dup2 stdout failed: %s\n", strerror(errno));
+        }
+        if (dup2(pipefd[1], STDERR_FILENO) == -1) {
+            LOGE("dup2 stderr failed: %s\n", strerror(errno));
+        }
+
+        close(pipefd[1]);
+    }
 }
 
 // command line args come from, in decreasing precedence:
@@ -221,8 +323,8 @@
         }
     }
 
-    // --- if that doesn't work, try the command file
-    if (*argc <= 1) {
+    // --- if that doesn't work, try the command file (if we have /cache).
+    if (*argc <= 1 && has_cache) {
         FILE *fp = fopen_path(COMMAND_FILE, "r");
         if (fp != NULL) {
             char *token;
@@ -285,6 +387,18 @@
     android::base::WriteStringToFile(buffer, destination);
 }
 
+// write content to the current pmsg session.
+static ssize_t __pmsg_write(const char *filename, const char *buf, size_t len) {
+    return __android_log_pmsg_file_write(LOG_ID_SYSTEM, ANDROID_LOG_INFO,
+                                         filename, buf, len);
+}
+
+static void copy_log_file_to_pmsg(const char* source, const char* destination) {
+    std::string content;
+    android::base::ReadFileToString(source, &content);
+    __pmsg_write(destination, content.c_str(), content.length());
+}
+
 // How much of the temp log we have copied to the copy in cache.
 static long tmplog_offset = 0;
 
@@ -326,14 +440,18 @@
     ensure_path_mounted(LAST_KMSG_FILE);
 
     for (int i = max-1; i >= 0; --i) {
-        std::string old_log = android::base::StringPrintf((i == 0) ? "%s" : "%s.%d",
-                LAST_LOG_FILE, i);
+        std::string old_log = android::base::StringPrintf("%s", LAST_LOG_FILE);
+        if (i > 0) {
+          old_log += "." + std::to_string(i);
+        }
         std::string new_log = android::base::StringPrintf("%s.%d", LAST_LOG_FILE, i+1);
         // Ignore errors if old_log doesn't exist.
         rename(old_log.c_str(), new_log.c_str());
 
-        std::string old_kmsg = android::base::StringPrintf((i == 0) ? "%s" : "%s.%d",
-                LAST_KMSG_FILE, i);
+        std::string old_kmsg = android::base::StringPrintf("%s", LAST_KMSG_FILE);
+        if (i > 0) {
+          old_kmsg += "." + std::to_string(i);
+        }
         std::string new_kmsg = android::base::StringPrintf("%s.%d", LAST_KMSG_FILE, i+1);
         rename(old_kmsg.c_str(), new_kmsg.c_str());
     }
@@ -348,6 +466,15 @@
         return;
     }
 
+    // Always write to pmsg, this allows the OTA logs to be caught in logcat -L
+    copy_log_file_to_pmsg(TEMPORARY_LOG_FILE, LAST_LOG_FILE);
+    copy_log_file_to_pmsg(TEMPORARY_INSTALL_FILE, LAST_INSTALL_FILE);
+
+    // We can do nothing for now if there's no /cache partition.
+    if (!has_cache) {
+        return;
+    }
+
     rotate_logs(KEEP_LOG_COUNT);
 
     // Copy logs to cache so the system can find out what happened.
@@ -371,7 +498,7 @@
 static void
 finish_recovery(const char *send_intent) {
     // By this point, we're ready to return to the main system...
-    if (send_intent != NULL) {
+    if (send_intent != NULL && has_cache) {
         FILE *fp = fopen_path(INTENT_FILE, "w");
         if (fp == NULL) {
             LOGE("Can't open %s\n", INTENT_FILE);
@@ -385,12 +512,16 @@
     // without a --locale argument (eg, directly from the bootloader)
     // it will use the last-known locale.
     if (locale != NULL) {
-        LOGI("Saving locale \"%s\"\n", locale);
-        FILE* fp = fopen_path(LOCALE_FILE, "w");
-        fwrite(locale, 1, strlen(locale), fp);
-        fflush(fp);
-        fsync(fileno(fp));
-        check_and_fclose(fp, LOCALE_FILE);
+        size_t len = strlen(locale);
+        __pmsg_write(LOCALE_FILE, locale, len);
+        if (has_cache) {
+            LOGI("Saving locale \"%s\"\n", locale);
+            FILE* fp = fopen_path(LOCALE_FILE, "w");
+            fwrite(locale, 1, len, fp);
+            fflush(fp);
+            fsync(fileno(fp));
+            check_and_fclose(fp, LOCALE_FILE);
+        }
     }
 
     copy_logs();
@@ -401,12 +532,13 @@
     set_bootloader_message(&boot);
 
     // Remove the command file, so recovery won't repeat indefinitely.
-    if (ensure_path_mounted(COMMAND_FILE) != 0 ||
-        (unlink(COMMAND_FILE) && errno != ENOENT)) {
-        LOGW("Can't unlink %s\n", COMMAND_FILE);
+    if (has_cache) {
+        if (ensure_path_mounted(COMMAND_FILE) != 0 || (unlink(COMMAND_FILE) && errno != ENOENT)) {
+            LOGW("Can't unlink %s\n", COMMAND_FILE);
+        }
+        ensure_path_unmounted(CACHE_ROOT);
     }
 
-    ensure_path_unmounted(CACHE_ROOT);
     sync();  // For good measure.
 }
 
@@ -419,6 +551,7 @@
 
 static bool erase_volume(const char* volume) {
     bool is_cache = (strcmp(volume, CACHE_ROOT) == 0);
+    bool is_data = (strcmp(volume, DATA_ROOT) == 0);
 
     ui->SetBackground(RecoveryUI::ERASING);
     ui->SetProgressType(RecoveryUI::INDETERMINATE);
@@ -473,7 +606,28 @@
     ui->Print("Formatting %s...\n", volume);
 
     ensure_path_unmounted(volume);
-    int result = format_volume(volume);
+
+    int result;
+
+    if (is_data && reason && strcmp(reason, "convert_fbe") == 0) {
+        // Create convert_fbe breadcrumb file to signal to init
+        // to convert to file based encryption, not full disk encryption
+        if (mkdir(CONVERT_FBE_DIR, 0700) != 0) {
+            ui->Print("Failed to make convert_fbe dir %s\n", strerror(errno));
+            return true;
+        }
+        FILE* f = fopen(CONVERT_FBE_FILE, "wb");
+        if (!f) {
+            ui->Print("Failed to convert to file encryption %s\n", strerror(errno));
+            return true;
+        }
+        fclose(f);
+        result = format_volume(volume, CONVERT_FBE_DIR);
+        remove(CONVERT_FBE_FILE);
+        rmdir(CONVERT_FBE_DIR);
+    } else {
+        result = format_volume(volume);
+    }
 
     if (is_cache) {
         while (head) {
@@ -675,7 +829,7 @@
     bool success =
         device->PreWipeData() &&
         erase_volume("/data") &&
-        erase_volume("/cache") &&
+        (has_cache ? erase_volume("/cache") : true) &&
         device->PostWipeData();
     ui->Print("Data wipe %s.\n", success ? "complete" : "failed");
     return success;
@@ -683,6 +837,11 @@
 
 // Return true on success.
 static bool wipe_cache(bool should_confirm, Device* device) {
+    if (!has_cache) {
+        ui->Print("No /cache partition found.\n");
+        return false;
+    }
+
     if (should_confirm && !yes_no(device, "Wipe cache?", "  THIS CAN NOT BE UNDONE!")) {
         return false;
     }
@@ -696,6 +855,11 @@
 }
 
 static void choose_recovery_file(Device* device) {
+    if (!has_cache) {
+        ui->Print("No /cache partition found.\n");
+        return;
+    }
+
     // "Back" + KEEP_LOG_COUNT * 2 + terminating nullptr entry
     char* entries[1 + KEEP_LOG_COUNT * 2 + 1];
     memset(entries, 0, sizeof(entries));
@@ -706,7 +870,10 @@
     // Add LAST_KMSG_FILE + LAST_KMSG_FILE.x
     for (int i = 0; i < KEEP_LOG_COUNT; i++) {
         char* log_file;
-        if (asprintf(&log_file, (i == 0) ? "%s" : "%s.%d", LAST_LOG_FILE, i) == -1) {
+        int ret;
+        ret = (i == 0) ? asprintf(&log_file, "%s", LAST_LOG_FILE) :
+                asprintf(&log_file, "%s.%d", LAST_LOG_FILE, i);
+        if (ret == -1) {
             // memory allocation failure - return early. Should never happen.
             return;
         }
@@ -717,7 +884,9 @@
         }
 
         char* kmsg_file;
-        if (asprintf(&kmsg_file, (i == 0) ? "%s" : "%s.%d", LAST_KMSG_FILE, i) == -1) {
+        ret = (i == 0) ? asprintf(&kmsg_file, "%s", LAST_KMSG_FILE) :
+                asprintf(&kmsg_file, "%s.%d", LAST_KMSG_FILE, i);
+        if (ret == -1) {
             // memory allocation failure - return early. Should never happen.
             return;
         }
@@ -736,10 +905,7 @@
         int chosen_item = get_menu_selection(headers, entries, 1, 0, device);
         if (strcmp(entries[chosen_item], "Back") == 0) break;
 
-        // TODO: do we need to redirect? ShowFile could just avoid writing to stdio.
-        redirect_stdio("/dev/null");
         ui->ShowFile(entries[chosen_item]);
-        redirect_stdio(TEMPORARY_LOG_FILE);
     }
 
     for (size_t i = 0; i < (sizeof(entries) / sizeof(*entries)); i++) {
@@ -747,6 +913,41 @@
     }
 }
 
+static void run_graphics_test(Device* device) {
+    // Switch to graphics screen.
+    ui->ShowText(false);
+
+    ui->SetProgressType(RecoveryUI::INDETERMINATE);
+    ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
+    sleep(1);
+
+    ui->SetBackground(RecoveryUI::ERROR);
+    sleep(1);
+
+    ui->SetBackground(RecoveryUI::NO_COMMAND);
+    sleep(1);
+
+    ui->SetBackground(RecoveryUI::ERASING);
+    sleep(1);
+
+    ui->SetBackground(RecoveryUI::INSTALLING_UPDATE);
+
+    ui->SetProgressType(RecoveryUI::DETERMINATE);
+    ui->ShowProgress(1.0, 10.0);
+    float fraction = 0.0;
+    for (size_t i = 0; i < 100; ++i) {
+      fraction += .01;
+      ui->SetProgress(fraction);
+      usleep(100000);
+    }
+
+    ui->ShowText(true);
+}
+
+// How long (in seconds) we wait for the fuse-provided package file to
+// appear, before timing out.
+#define SDCARD_INSTALL_TIMEOUT 10
+
 static int apply_from_sdcard(Device* device, bool* wipe_cache) {
     modified_flash = true;
 
@@ -758,19 +959,68 @@
     char* path = browse_directory(SDCARD_ROOT, device);
     if (path == NULL) {
         ui->Print("\n-- No package file selected.\n");
+        ensure_path_unmounted(SDCARD_ROOT);
         return INSTALL_ERROR;
     }
 
     ui->Print("\n-- Install %s ...\n", path);
     set_sdcard_update_bootloader_message();
-    void* token = start_sdcard_fuse(path);
 
-    int status = install_package(FUSE_SIDELOAD_HOST_PATHNAME, wipe_cache,
-                                 TEMPORARY_INSTALL_FILE, false);
+    // We used to use fuse in a thread as opposed to a process. Since accessing
+    // through fuse involves going from kernel to userspace to kernel, it leads
+    // to deadlock when a page fault occurs. (Bug: 26313124)
+    pid_t child;
+    if ((child = fork()) == 0) {
+        bool status = start_sdcard_fuse(path);
 
-    finish_sdcard_fuse(token);
+        _exit(status ? EXIT_SUCCESS : EXIT_FAILURE);
+    }
+
+    // FUSE_SIDELOAD_HOST_PATHNAME will start to exist once the fuse in child
+    // process is ready.
+    int result = INSTALL_ERROR;
+    int status;
+    bool waited = false;
+    for (int i = 0; i < SDCARD_INSTALL_TIMEOUT; ++i) {
+        if (waitpid(child, &status, WNOHANG) == -1) {
+            result = INSTALL_ERROR;
+            waited = true;
+            break;
+        }
+
+        struct stat sb;
+        if (stat(FUSE_SIDELOAD_HOST_PATHNAME, &sb) == -1) {
+            if (errno == ENOENT && i < SDCARD_INSTALL_TIMEOUT-1) {
+                sleep(1);
+                continue;
+            } else {
+                LOGE("Timed out waiting for the fuse-provided package.\n");
+                result = INSTALL_ERROR;
+                kill(child, SIGKILL);
+                break;
+            }
+        }
+
+        result = install_package(FUSE_SIDELOAD_HOST_PATHNAME, wipe_cache,
+                                 TEMPORARY_INSTALL_FILE, false, 0/*retry_count*/);
+        break;
+    }
+
+    if (!waited) {
+        // Calling stat() on this magic filename signals the fuse
+        // filesystem to shut down.
+        struct stat sb;
+        stat(FUSE_SIDELOAD_HOST_EXIT_PATHNAME, &sb);
+
+        waitpid(child, &status, 0);
+    }
+
+    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
+        LOGE("Error exit from the fuse process: %d\n", WEXITSTATUS(status));
+    }
+
     ensure_path_unmounted(SDCARD_ROOT);
-    return status;
+    return result;
 }
 
 // Return REBOOT, SHUTDOWN, or REBOOT_BOOTLOADER.  Returning NO_ACTION
@@ -852,10 +1102,29 @@
                 choose_recovery_file(device);
                 break;
 
+            case Device::RUN_GRAPHICS_TEST:
+                run_graphics_test(device);
+                break;
+
             case Device::MOUNT_SYSTEM:
-                if (ensure_path_mounted("/system") != -1) {
-                    ui->Print("Mounted /system.\n");
+                char system_root_image[PROPERTY_VALUE_MAX];
+                property_get("ro.build.system_root_image", system_root_image, "");
+
+                // For a system image built with the root directory (i.e.
+                // system_root_image == "true"), we mount it to /system_root, and symlink /system
+                // to /system_root/system to make adb shell work (the symlink is created through
+                // the build system).
+                // Bug: 22855115
+                if (strcmp(system_root_image, "true") == 0) {
+                    if (ensure_path_mounted_at("/", "/system_root") != -1) {
+                        ui->Print("Mounted /system.\n");
+                    }
+                } else {
+                    if (ensure_path_mounted("/system") != -1) {
+                        ui->Print("Mounted /system.\n");
+                    }
                 }
+
                 break;
         }
     }
@@ -903,11 +1172,145 @@
     }
 }
 
-int
-main(int argc, char **argv) {
-    time_t start = time(NULL);
+static bool is_battery_ok() {
+    struct healthd_config healthd_config = {
+            .batteryStatusPath = android::String8(android::String8::kEmptyString),
+            .batteryHealthPath = android::String8(android::String8::kEmptyString),
+            .batteryPresentPath = android::String8(android::String8::kEmptyString),
+            .batteryCapacityPath = android::String8(android::String8::kEmptyString),
+            .batteryVoltagePath = android::String8(android::String8::kEmptyString),
+            .batteryTemperaturePath = android::String8(android::String8::kEmptyString),
+            .batteryTechnologyPath = android::String8(android::String8::kEmptyString),
+            .batteryCurrentNowPath = android::String8(android::String8::kEmptyString),
+            .batteryCurrentAvgPath = android::String8(android::String8::kEmptyString),
+            .batteryChargeCounterPath = android::String8(android::String8::kEmptyString),
+            .batteryFullChargePath = android::String8(android::String8::kEmptyString),
+            .batteryCycleCountPath = android::String8(android::String8::kEmptyString),
+            .energyCounter = NULL,
+            .boot_min_cap = 0,
+            .screen_on = NULL
+    };
+    healthd_board_init(&healthd_config);
 
-    redirect_stdio(TEMPORARY_LOG_FILE);
+    android::BatteryMonitor monitor;
+    monitor.init(&healthd_config);
+
+    int wait_second = 0;
+    while (true) {
+        int charge_status = monitor.getChargeStatus();
+        // Treat unknown status as charged.
+        bool charged = (charge_status != android::BATTERY_STATUS_DISCHARGING &&
+                        charge_status != android::BATTERY_STATUS_NOT_CHARGING);
+        android::BatteryProperty capacity;
+        android::status_t status = monitor.getProperty(android::BATTERY_PROP_CAPACITY, &capacity);
+        ui_print("charge_status %d, charged %d, status %d, capacity %lld\n", charge_status,
+                 charged, status, capacity.valueInt64);
+        // At startup, the battery drivers in devices like N5X/N6P take some time to load
+        // the battery profile. Before the load finishes, it reports value 50 as a fake
+        // capacity. BATTERY_READ_TIMEOUT_IN_SEC is set that the battery drivers are expected
+        // to finish loading the battery profile earlier than 10 seconds after kernel startup.
+        if (status == 0 && capacity.valueInt64 == 50) {
+            if (wait_second < BATTERY_READ_TIMEOUT_IN_SEC) {
+                sleep(1);
+                wait_second++;
+                continue;
+            }
+        }
+        // If we can't read battery percentage, it may be a device without battery. In this
+        // situation, use 100 as a fake battery percentage.
+        if (status != 0) {
+            capacity.valueInt64 = 100;
+        }
+        return (charged && capacity.valueInt64 >= BATTERY_WITH_CHARGER_OK_PERCENTAGE) ||
+                (!charged && capacity.valueInt64 >= BATTERY_OK_PERCENTAGE);
+    }
+}
+
+static void set_retry_bootloader_message(int retry_count, int argc, char** argv) {
+    struct bootloader_message boot {};
+    strlcpy(boot.command, "boot-recovery", sizeof(boot.command));
+    strlcpy(boot.recovery, "recovery\n", sizeof(boot.recovery));
+
+    for (int i = 1; i < argc; ++i) {
+        if (strstr(argv[i], "retry_count") == nullptr) {
+            strlcat(boot.recovery, argv[i], sizeof(boot.recovery));
+            strlcat(boot.recovery, "\n", sizeof(boot.recovery));
+        }
+    }
+
+    // Initialize counter to 1 if it's not in BCB, otherwise increment it by 1.
+    if (retry_count == 0) {
+        strlcat(boot.recovery, "--retry_count=1\n", sizeof(boot.recovery));
+    } else {
+        char buffer[20];
+        snprintf(buffer, sizeof(buffer), "--retry_count=%d\n", retry_count+1);
+        strlcat(boot.recovery, buffer, sizeof(boot.recovery));
+    }
+    set_bootloader_message(&boot);
+}
+
+static ssize_t logbasename(
+        log_id_t /* logId */,
+        char /* prio */,
+        const char *filename,
+        const char * /* buf */, size_t len,
+        void *arg) {
+    if (strstr(LAST_KMSG_FILE, filename) ||
+            strstr(LAST_LOG_FILE, filename)) {
+        bool *doRotate = reinterpret_cast<bool *>(arg);
+        *doRotate = true;
+    }
+    return len;
+}
+
+static ssize_t logrotate(
+        log_id_t logId,
+        char prio,
+        const char *filename,
+        const char *buf, size_t len,
+        void *arg) {
+    bool *doRotate = reinterpret_cast<bool *>(arg);
+    if (!*doRotate) {
+        return __android_log_pmsg_file_write(logId, prio, filename, buf, len);
+    }
+
+    std::string name(filename);
+    size_t dot = name.find_last_of(".");
+    std::string sub = name.substr(0, dot);
+
+    if (!strstr(LAST_KMSG_FILE, sub.c_str()) &&
+                !strstr(LAST_LOG_FILE, sub.c_str())) {
+        return __android_log_pmsg_file_write(logId, prio, filename, buf, len);
+    }
+
+    // filename rotation
+    if (dot == std::string::npos) {
+        name += ".1";
+    } else {
+        std::string number = name.substr(dot + 1);
+        if (!isdigit(number.data()[0])) {
+            name += ".1";
+        } else {
+            unsigned long long i = std::stoull(number);
+            name = sub + "." + std::to_string(i + 1);
+        }
+    }
+
+    return __android_log_pmsg_file_write(logId, prio, name.c_str(), buf, len);
+}
+
+int main(int argc, char **argv) {
+    // Take last pmsg contents and rewrite it to the current pmsg session.
+    static const char filter[] = "recovery/";
+    // Do we need to rotate?
+    bool doRotate = false;
+    __android_log_pmsg_file_read(
+        LOG_ID_SYSTEM, ANDROID_LOG_INFO, filter,
+        logbasename, &doRotate);
+    // Take action to refresh pmsg contents
+    __android_log_pmsg_file_read(
+        LOG_ID_SYSTEM, ANDROID_LOG_INFO, filter,
+        logrotate, &doRotate);
 
     // If this binary is started with the single argument "--adbd",
     // instead of being the normal recovery binary, it turns into kind
@@ -917,13 +1320,21 @@
     // only way recovery should be run with this argument is when it
     // starts a copy of itself from the apply_from_adb() function.
     if (argc == 2 && strcmp(argv[1], "--adbd") == 0) {
-        adb_main(0, DEFAULT_ADB_PORT);
+        adb_server_main(0, DEFAULT_ADB_PORT, -1);
         return 0;
     }
 
+    time_t start = time(NULL);
+
+    // redirect_stdio should be called only in non-sideload mode. Otherwise
+    // we may have two logger instances with different timestamps.
+    redirect_stdio(TEMPORARY_LOG_FILE);
+
     printf("Starting recovery (pid %d) on %s", getpid(), ctime(&start));
 
     load_volume_table();
+    has_cache = volume_for_path(CACHE_ROOT) != nullptr;
+
     get_args(&argc, &argv);
 
     const char *send_intent = NULL;
@@ -935,11 +1346,14 @@
     bool sideload_auto_reboot = false;
     bool just_exit = false;
     bool shutdown_after = false;
+    int retry_count = 0;
+    bool security_update = false;
 
     int arg;
     while ((arg = getopt_long(argc, argv, "", OPTIONS, NULL)) != -1) {
         switch (arg) {
         case 'i': send_intent = optarg; break;
+        case 'n': android::base::ParseInt(optarg, &retry_count, 0); break;
         case 'u': update_package = optarg; break;
         case 'w': should_wipe_data = true; break;
         case 'c': should_wipe_cache = true; break;
@@ -958,13 +1372,14 @@
         }
         case 'p': shutdown_after = true; break;
         case 'r': reason = optarg; break;
+        case 'e': security_update = true; break;
         case '?':
             LOGE("Invalid command argument\n");
             continue;
         }
     }
 
-    if (locale == NULL) {
+    if (locale == nullptr && has_cache) {
         load_locale_from_cache();
     }
     printf("locale is [%s]\n", locale);
@@ -977,6 +1392,9 @@
 
     ui->SetLocale(locale);
     ui->Init();
+    // Set background string to "installing security update" for security update,
+    // otherwise set it to "installing system update".
+    ui->SetSystemUpdateText(security_update);
 
     int st_cur, st_max;
     if (stage != NULL && sscanf(stage, "%d/%d", &st_cur, &st_max) == 2) {
@@ -1011,11 +1429,15 @@
         if (strncmp(update_package, "CACHE:", 6) == 0) {
             int len = strlen(update_package) + 10;
             char* modified_path = (char*)malloc(len);
-            strlcpy(modified_path, "/cache/", len);
-            strlcat(modified_path, update_package+6, len);
-            printf("(replacing path \"%s\" with \"%s\")\n",
-                   update_package, modified_path);
-            update_package = modified_path;
+            if (modified_path) {
+                strlcpy(modified_path, "/cache/", len);
+                strlcat(modified_path, update_package+6, len);
+                printf("(replacing path \"%s\" with \"%s\")\n",
+                       update_package, modified_path);
+                update_package = modified_path;
+            }
+            else
+                printf("modified_path allocation failed\n");
         }
     }
     printf("\n");
@@ -1028,18 +1450,57 @@
     int status = INSTALL_SUCCESS;
 
     if (update_package != NULL) {
-        status = install_package(update_package, &should_wipe_cache, TEMPORARY_INSTALL_FILE, true);
-        if (status == INSTALL_SUCCESS && should_wipe_cache) {
-            wipe_cache(false, device);
-        }
-        if (status != INSTALL_SUCCESS) {
-            ui->Print("Installation aborted.\n");
+        // It's not entirely true that we will modify the flash. But we want
+        // to log the update attempt since update_package is non-NULL.
+        modified_flash = true;
 
-            // If this is an eng or userdebug build, then automatically
-            // turn the text display on if the script fails so the error
-            // message is visible.
-            if (is_ro_debuggable()) {
-                ui->ShowText(true);
+        if (!is_battery_ok()) {
+            ui->Print("battery capacity is not enough for installing package, needed is %d%%\n",
+                      BATTERY_OK_PERCENTAGE);
+            // Log the error code to last_install when installation skips due to
+            // low battery.
+            FILE* install_log = fopen_path(LAST_INSTALL_FILE, "w");
+            if (install_log != nullptr) {
+                fprintf(install_log, "%s\n", update_package);
+                fprintf(install_log, "0\n");
+                fprintf(install_log, "error: %d\n", kLowBattery);
+                fclose(install_log);
+            } else {
+                LOGE("failed to open last_install: %s\n", strerror(errno));
+            }
+            status = INSTALL_SKIPPED;
+        } else {
+            status = install_package(update_package, &should_wipe_cache,
+                                     TEMPORARY_INSTALL_FILE, true, retry_count);
+            if (status == INSTALL_SUCCESS && should_wipe_cache) {
+                wipe_cache(false, device);
+            }
+            if (status != INSTALL_SUCCESS) {
+                ui->Print("Installation aborted.\n");
+                // When I/O error happens, reboot and retry installation EIO_RETRY_COUNT
+                // times before we abandon this OTA update.
+                if (status == INSTALL_RETRY && retry_count < EIO_RETRY_COUNT) {
+                    copy_logs();
+                    set_retry_bootloader_message(retry_count, argc, argv);
+                    // Print retry count on screen.
+                    ui->Print("Retry attempt %d\n", retry_count);
+
+                    // Reboot and retry the update
+                    int ret = property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
+                    if (ret < 0) {
+                        ui->Print("Reboot failed\n");
+                    } else {
+                        while (true) {
+                            pause();
+                        }
+                    }
+                }
+                // If this is an eng or userdebug build, then automatically
+                // turn the text display on if the script fails so the error
+                // message is visible.
+                if (is_ro_debuggable()) {
+                    ui->ShowText(true);
+                }
             }
         }
     } else if (should_wipe_data) {
@@ -1088,7 +1549,8 @@
     }
 
     Device::BuiltinAction after = shutdown_after ? Device::SHUTDOWN : Device::REBOOT;
-    if ((status != INSTALL_SUCCESS && !sideload_auto_reboot) || ui->IsTextVisible()) {
+    if ((status != INSTALL_SUCCESS && status != INSTALL_SKIPPED && !sideload_auto_reboot) ||
+            ui->IsTextVisible()) {
         Device::BuiltinAction temp = prompt_and_wait(device, status);
         if (temp != Device::NO_ACTION) {
             after = temp;
@@ -1114,6 +1576,9 @@
             property_set(ANDROID_RB_PROPERTY, "reboot,");
             break;
     }
-    sleep(5); // should reboot before this finishes
+    while (true) {
+      pause();
+    }
+    // Should be unreachable.
     return EXIT_SUCCESS;
 }
diff --git a/res-560dpi b/res-560dpi
new file mode 120000
index 0000000..1db3a2e
--- /dev/null
+++ b/res-560dpi
@@ -0,0 +1 @@
+res-xxxhdpi
\ No newline at end of file
diff --git a/res-hdpi/images/erasing_text.png b/res-hdpi/images/erasing_text.png
index 774244c..e500d02 100644
--- a/res-hdpi/images/erasing_text.png
+++ b/res-hdpi/images/erasing_text.png
Binary files differ
diff --git a/res-hdpi/images/error_text.png b/res-hdpi/images/error_text.png
index 64a57ec..9a3597b 100644
--- a/res-hdpi/images/error_text.png
+++ b/res-hdpi/images/error_text.png
Binary files differ
diff --git a/res-hdpi/images/icon_installing.png b/res-hdpi/images/icon_installing.png
deleted file mode 100644
index c2c0201..0000000
--- a/res-hdpi/images/icon_installing.png
+++ /dev/null
Binary files differ
diff --git a/res-hdpi/images/installing_security_text.png b/res-hdpi/images/installing_security_text.png
new file mode 100644
index 0000000..76e7474
--- /dev/null
+++ b/res-hdpi/images/installing_security_text.png
Binary files differ
diff --git a/res-hdpi/images/installing_text.png b/res-hdpi/images/installing_text.png
index 33b54f1..5d2a5fa 100644
--- a/res-hdpi/images/installing_text.png
+++ b/res-hdpi/images/installing_text.png
Binary files differ
diff --git a/res-hdpi/images/loop00000.png b/res-hdpi/images/loop00000.png
new file mode 100644
index 0000000..030fa2b
--- /dev/null
+++ b/res-hdpi/images/loop00000.png
Binary files differ
diff --git a/res-hdpi/images/loop00001.png b/res-hdpi/images/loop00001.png
new file mode 100644
index 0000000..546a102
--- /dev/null
+++ b/res-hdpi/images/loop00001.png
Binary files differ
diff --git a/res-hdpi/images/loop00002.png b/res-hdpi/images/loop00002.png
new file mode 100644
index 0000000..262be3f
--- /dev/null
+++ b/res-hdpi/images/loop00002.png
Binary files differ
diff --git a/res-hdpi/images/loop00003.png b/res-hdpi/images/loop00003.png
new file mode 100644
index 0000000..1282fb3
--- /dev/null
+++ b/res-hdpi/images/loop00003.png
Binary files differ
diff --git a/res-hdpi/images/loop00004.png b/res-hdpi/images/loop00004.png
new file mode 100644
index 0000000..2ff7678
--- /dev/null
+++ b/res-hdpi/images/loop00004.png
Binary files differ
diff --git a/res-hdpi/images/loop00005.png b/res-hdpi/images/loop00005.png
new file mode 100644
index 0000000..20b4d81
--- /dev/null
+++ b/res-hdpi/images/loop00005.png
Binary files differ
diff --git a/res-hdpi/images/loop00006.png b/res-hdpi/images/loop00006.png
new file mode 100644
index 0000000..0f5b28d
--- /dev/null
+++ b/res-hdpi/images/loop00006.png
Binary files differ
diff --git a/res-hdpi/images/loop00007.png b/res-hdpi/images/loop00007.png
new file mode 100644
index 0000000..008acc8
--- /dev/null
+++ b/res-hdpi/images/loop00007.png
Binary files differ
diff --git a/res-hdpi/images/loop00008.png b/res-hdpi/images/loop00008.png
new file mode 100644
index 0000000..ca1309d
--- /dev/null
+++ b/res-hdpi/images/loop00008.png
Binary files differ
diff --git a/res-hdpi/images/loop00009.png b/res-hdpi/images/loop00009.png
new file mode 100644
index 0000000..b2730f1
--- /dev/null
+++ b/res-hdpi/images/loop00009.png
Binary files differ
diff --git a/res-hdpi/images/loop00010.png b/res-hdpi/images/loop00010.png
new file mode 100644
index 0000000..3867e9c
--- /dev/null
+++ b/res-hdpi/images/loop00010.png
Binary files differ
diff --git a/res-hdpi/images/loop00011.png b/res-hdpi/images/loop00011.png
new file mode 100644
index 0000000..2761d8f
--- /dev/null
+++ b/res-hdpi/images/loop00011.png
Binary files differ
diff --git a/res-hdpi/images/loop00012.png b/res-hdpi/images/loop00012.png
new file mode 100644
index 0000000..2d976ef
--- /dev/null
+++ b/res-hdpi/images/loop00012.png
Binary files differ
diff --git a/res-hdpi/images/loop00013.png b/res-hdpi/images/loop00013.png
new file mode 100644
index 0000000..5c96bb5
--- /dev/null
+++ b/res-hdpi/images/loop00013.png
Binary files differ
diff --git a/res-hdpi/images/loop00014.png b/res-hdpi/images/loop00014.png
new file mode 100644
index 0000000..d481ec5
--- /dev/null
+++ b/res-hdpi/images/loop00014.png
Binary files differ
diff --git a/res-hdpi/images/loop00015.png b/res-hdpi/images/loop00015.png
new file mode 100644
index 0000000..47716ed
--- /dev/null
+++ b/res-hdpi/images/loop00015.png
Binary files differ
diff --git a/res-hdpi/images/loop00016.png b/res-hdpi/images/loop00016.png
new file mode 100644
index 0000000..c0cffe8
--- /dev/null
+++ b/res-hdpi/images/loop00016.png
Binary files differ
diff --git a/res-hdpi/images/loop00017.png b/res-hdpi/images/loop00017.png
new file mode 100644
index 0000000..a0dc2e5
--- /dev/null
+++ b/res-hdpi/images/loop00017.png
Binary files differ
diff --git a/res-hdpi/images/loop00018.png b/res-hdpi/images/loop00018.png
new file mode 100644
index 0000000..c8eefc5
--- /dev/null
+++ b/res-hdpi/images/loop00018.png
Binary files differ
diff --git a/res-hdpi/images/loop00019.png b/res-hdpi/images/loop00019.png
new file mode 100644
index 0000000..0d9d8e0
--- /dev/null
+++ b/res-hdpi/images/loop00019.png
Binary files differ
diff --git a/res-hdpi/images/loop00020.png b/res-hdpi/images/loop00020.png
new file mode 100644
index 0000000..b4909a8
--- /dev/null
+++ b/res-hdpi/images/loop00020.png
Binary files differ
diff --git a/res-hdpi/images/loop00021.png b/res-hdpi/images/loop00021.png
new file mode 100644
index 0000000..b3c5274
--- /dev/null
+++ b/res-hdpi/images/loop00021.png
Binary files differ
diff --git a/res-hdpi/images/loop00022.png b/res-hdpi/images/loop00022.png
new file mode 100644
index 0000000..827c937
--- /dev/null
+++ b/res-hdpi/images/loop00022.png
Binary files differ
diff --git a/res-hdpi/images/loop00023.png b/res-hdpi/images/loop00023.png
new file mode 100644
index 0000000..84440fe
--- /dev/null
+++ b/res-hdpi/images/loop00023.png
Binary files differ
diff --git a/res-hdpi/images/loop00024.png b/res-hdpi/images/loop00024.png
new file mode 100644
index 0000000..cfc4c5b
--- /dev/null
+++ b/res-hdpi/images/loop00024.png
Binary files differ
diff --git a/res-hdpi/images/loop00025.png b/res-hdpi/images/loop00025.png
new file mode 100644
index 0000000..fd048fd
--- /dev/null
+++ b/res-hdpi/images/loop00025.png
Binary files differ
diff --git a/res-hdpi/images/loop00026.png b/res-hdpi/images/loop00026.png
new file mode 100644
index 0000000..6825187
--- /dev/null
+++ b/res-hdpi/images/loop00026.png
Binary files differ
diff --git a/res-hdpi/images/loop00027.png b/res-hdpi/images/loop00027.png
new file mode 100644
index 0000000..238dad6
--- /dev/null
+++ b/res-hdpi/images/loop00027.png
Binary files differ
diff --git a/res-hdpi/images/loop00028.png b/res-hdpi/images/loop00028.png
new file mode 100644
index 0000000..55e058d
--- /dev/null
+++ b/res-hdpi/images/loop00028.png
Binary files differ
diff --git a/res-hdpi/images/loop00029.png b/res-hdpi/images/loop00029.png
new file mode 100644
index 0000000..fc76137
--- /dev/null
+++ b/res-hdpi/images/loop00029.png
Binary files differ
diff --git a/res-hdpi/images/loop00030.png b/res-hdpi/images/loop00030.png
new file mode 100644
index 0000000..920634f
--- /dev/null
+++ b/res-hdpi/images/loop00030.png
Binary files differ
diff --git a/res-hdpi/images/loop00031.png b/res-hdpi/images/loop00031.png
new file mode 100644
index 0000000..f548464
--- /dev/null
+++ b/res-hdpi/images/loop00031.png
Binary files differ
diff --git a/res-hdpi/images/loop00032.png b/res-hdpi/images/loop00032.png
new file mode 100644
index 0000000..4cff5c4
--- /dev/null
+++ b/res-hdpi/images/loop00032.png
Binary files differ
diff --git a/res-hdpi/images/loop00033.png b/res-hdpi/images/loop00033.png
new file mode 100644
index 0000000..5d2d272
--- /dev/null
+++ b/res-hdpi/images/loop00033.png
Binary files differ
diff --git a/res-hdpi/images/loop00034.png b/res-hdpi/images/loop00034.png
new file mode 100644
index 0000000..b4d7341
--- /dev/null
+++ b/res-hdpi/images/loop00034.png
Binary files differ
diff --git a/res-hdpi/images/loop00035.png b/res-hdpi/images/loop00035.png
new file mode 100644
index 0000000..49025b8
--- /dev/null
+++ b/res-hdpi/images/loop00035.png
Binary files differ
diff --git a/res-hdpi/images/loop00036.png b/res-hdpi/images/loop00036.png
new file mode 100644
index 0000000..b3aa58d
--- /dev/null
+++ b/res-hdpi/images/loop00036.png
Binary files differ
diff --git a/res-hdpi/images/loop00037.png b/res-hdpi/images/loop00037.png
new file mode 100644
index 0000000..ff47e85
--- /dev/null
+++ b/res-hdpi/images/loop00037.png
Binary files differ
diff --git a/res-hdpi/images/loop00038.png b/res-hdpi/images/loop00038.png
new file mode 100644
index 0000000..8039b92
--- /dev/null
+++ b/res-hdpi/images/loop00038.png
Binary files differ
diff --git a/res-hdpi/images/loop00039.png b/res-hdpi/images/loop00039.png
new file mode 100644
index 0000000..e76d4bc
--- /dev/null
+++ b/res-hdpi/images/loop00039.png
Binary files differ
diff --git a/res-hdpi/images/loop00040.png b/res-hdpi/images/loop00040.png
new file mode 100644
index 0000000..963cce7
--- /dev/null
+++ b/res-hdpi/images/loop00040.png
Binary files differ
diff --git a/res-hdpi/images/loop00041.png b/res-hdpi/images/loop00041.png
new file mode 100644
index 0000000..dcd5f11
--- /dev/null
+++ b/res-hdpi/images/loop00041.png
Binary files differ
diff --git a/res-hdpi/images/loop00042.png b/res-hdpi/images/loop00042.png
new file mode 100644
index 0000000..72fe63a
--- /dev/null
+++ b/res-hdpi/images/loop00042.png
Binary files differ
diff --git a/res-hdpi/images/loop00043.png b/res-hdpi/images/loop00043.png
new file mode 100644
index 0000000..c109af8
--- /dev/null
+++ b/res-hdpi/images/loop00043.png
Binary files differ
diff --git a/res-hdpi/images/loop00044.png b/res-hdpi/images/loop00044.png
new file mode 100644
index 0000000..6648ec2
--- /dev/null
+++ b/res-hdpi/images/loop00044.png
Binary files differ
diff --git a/res-hdpi/images/loop00045.png b/res-hdpi/images/loop00045.png
new file mode 100644
index 0000000..90bf431
--- /dev/null
+++ b/res-hdpi/images/loop00045.png
Binary files differ
diff --git a/res-hdpi/images/loop00046.png b/res-hdpi/images/loop00046.png
new file mode 100644
index 0000000..50473f0
--- /dev/null
+++ b/res-hdpi/images/loop00046.png
Binary files differ
diff --git a/res-hdpi/images/loop00047.png b/res-hdpi/images/loop00047.png
new file mode 100644
index 0000000..db47023
--- /dev/null
+++ b/res-hdpi/images/loop00047.png
Binary files differ
diff --git a/res-hdpi/images/loop00048.png b/res-hdpi/images/loop00048.png
new file mode 100644
index 0000000..462a421
--- /dev/null
+++ b/res-hdpi/images/loop00048.png
Binary files differ
diff --git a/res-hdpi/images/loop00049.png b/res-hdpi/images/loop00049.png
new file mode 100644
index 0000000..f86af40
--- /dev/null
+++ b/res-hdpi/images/loop00049.png
Binary files differ
diff --git a/res-hdpi/images/loop00050.png b/res-hdpi/images/loop00050.png
new file mode 100644
index 0000000..8c0af52
--- /dev/null
+++ b/res-hdpi/images/loop00050.png
Binary files differ
diff --git a/res-hdpi/images/loop00051.png b/res-hdpi/images/loop00051.png
new file mode 100644
index 0000000..2360fc0
--- /dev/null
+++ b/res-hdpi/images/loop00051.png
Binary files differ
diff --git a/res-hdpi/images/loop00052.png b/res-hdpi/images/loop00052.png
new file mode 100644
index 0000000..dd52200
--- /dev/null
+++ b/res-hdpi/images/loop00052.png
Binary files differ
diff --git a/res-hdpi/images/loop00053.png b/res-hdpi/images/loop00053.png
new file mode 100644
index 0000000..c7f0c18
--- /dev/null
+++ b/res-hdpi/images/loop00053.png
Binary files differ
diff --git a/res-hdpi/images/loop00054.png b/res-hdpi/images/loop00054.png
new file mode 100644
index 0000000..7f16eff
--- /dev/null
+++ b/res-hdpi/images/loop00054.png
Binary files differ
diff --git a/res-hdpi/images/loop00055.png b/res-hdpi/images/loop00055.png
new file mode 100644
index 0000000..b9af0ce
--- /dev/null
+++ b/res-hdpi/images/loop00055.png
Binary files differ
diff --git a/res-hdpi/images/loop00056.png b/res-hdpi/images/loop00056.png
new file mode 100644
index 0000000..40b9e9b
--- /dev/null
+++ b/res-hdpi/images/loop00056.png
Binary files differ
diff --git a/res-hdpi/images/loop00057.png b/res-hdpi/images/loop00057.png
new file mode 100644
index 0000000..51068cb
--- /dev/null
+++ b/res-hdpi/images/loop00057.png
Binary files differ
diff --git a/res-hdpi/images/loop00058.png b/res-hdpi/images/loop00058.png
new file mode 100644
index 0000000..eba4486
--- /dev/null
+++ b/res-hdpi/images/loop00058.png
Binary files differ
diff --git a/res-hdpi/images/loop00059.png b/res-hdpi/images/loop00059.png
new file mode 100644
index 0000000..28761ac
--- /dev/null
+++ b/res-hdpi/images/loop00059.png
Binary files differ
diff --git a/res-hdpi/images/loop00060.png b/res-hdpi/images/loop00060.png
new file mode 100644
index 0000000..6532eb9
--- /dev/null
+++ b/res-hdpi/images/loop00060.png
Binary files differ
diff --git a/res-hdpi/images/loop00061.png b/res-hdpi/images/loop00061.png
new file mode 100644
index 0000000..fbe2e2e
--- /dev/null
+++ b/res-hdpi/images/loop00061.png
Binary files differ
diff --git a/res-hdpi/images/loop00062.png b/res-hdpi/images/loop00062.png
new file mode 100644
index 0000000..54341e3
--- /dev/null
+++ b/res-hdpi/images/loop00062.png
Binary files differ
diff --git a/res-hdpi/images/loop00063.png b/res-hdpi/images/loop00063.png
new file mode 100644
index 0000000..cfe9c80
--- /dev/null
+++ b/res-hdpi/images/loop00063.png
Binary files differ
diff --git a/res-hdpi/images/loop00064.png b/res-hdpi/images/loop00064.png
new file mode 100644
index 0000000..e1fe674
--- /dev/null
+++ b/res-hdpi/images/loop00064.png
Binary files differ
diff --git a/res-hdpi/images/loop00065.png b/res-hdpi/images/loop00065.png
new file mode 100644
index 0000000..efa35b6
--- /dev/null
+++ b/res-hdpi/images/loop00065.png
Binary files differ
diff --git a/res-hdpi/images/loop00066.png b/res-hdpi/images/loop00066.png
new file mode 100644
index 0000000..d8c20fe
--- /dev/null
+++ b/res-hdpi/images/loop00066.png
Binary files differ
diff --git a/res-hdpi/images/loop00067.png b/res-hdpi/images/loop00067.png
new file mode 100644
index 0000000..ddf1ea4
--- /dev/null
+++ b/res-hdpi/images/loop00067.png
Binary files differ
diff --git a/res-hdpi/images/loop00068.png b/res-hdpi/images/loop00068.png
new file mode 100644
index 0000000..827cfc6
--- /dev/null
+++ b/res-hdpi/images/loop00068.png
Binary files differ
diff --git a/res-hdpi/images/loop00069.png b/res-hdpi/images/loop00069.png
new file mode 100644
index 0000000..6ab833f
--- /dev/null
+++ b/res-hdpi/images/loop00069.png
Binary files differ
diff --git a/res-hdpi/images/loop00070.png b/res-hdpi/images/loop00070.png
new file mode 100644
index 0000000..a4cc06f
--- /dev/null
+++ b/res-hdpi/images/loop00070.png
Binary files differ
diff --git a/res-hdpi/images/loop00071.png b/res-hdpi/images/loop00071.png
new file mode 100644
index 0000000..96653c1
--- /dev/null
+++ b/res-hdpi/images/loop00071.png
Binary files differ
diff --git a/res-hdpi/images/loop00072.png b/res-hdpi/images/loop00072.png
new file mode 100644
index 0000000..44a15f8
--- /dev/null
+++ b/res-hdpi/images/loop00072.png
Binary files differ
diff --git a/res-hdpi/images/loop00073.png b/res-hdpi/images/loop00073.png
new file mode 100644
index 0000000..8352c7c
--- /dev/null
+++ b/res-hdpi/images/loop00073.png
Binary files differ
diff --git a/res-hdpi/images/loop00074.png b/res-hdpi/images/loop00074.png
new file mode 100644
index 0000000..914f1b7
--- /dev/null
+++ b/res-hdpi/images/loop00074.png
Binary files differ
diff --git a/res-hdpi/images/loop00075.png b/res-hdpi/images/loop00075.png
new file mode 100644
index 0000000..372b871
--- /dev/null
+++ b/res-hdpi/images/loop00075.png
Binary files differ
diff --git a/res-hdpi/images/loop00076.png b/res-hdpi/images/loop00076.png
new file mode 100644
index 0000000..ffbf285
--- /dev/null
+++ b/res-hdpi/images/loop00076.png
Binary files differ
diff --git a/res-hdpi/images/loop00077.png b/res-hdpi/images/loop00077.png
new file mode 100644
index 0000000..8dc6a40
--- /dev/null
+++ b/res-hdpi/images/loop00077.png
Binary files differ
diff --git a/res-hdpi/images/loop00078.png b/res-hdpi/images/loop00078.png
new file mode 100644
index 0000000..cf1ea61
--- /dev/null
+++ b/res-hdpi/images/loop00078.png
Binary files differ
diff --git a/res-hdpi/images/loop00079.png b/res-hdpi/images/loop00079.png
new file mode 100644
index 0000000..8674c82
--- /dev/null
+++ b/res-hdpi/images/loop00079.png
Binary files differ
diff --git a/res-hdpi/images/loop00080.png b/res-hdpi/images/loop00080.png
new file mode 100644
index 0000000..3d84259
--- /dev/null
+++ b/res-hdpi/images/loop00080.png
Binary files differ
diff --git a/res-hdpi/images/loop00081.png b/res-hdpi/images/loop00081.png
new file mode 100644
index 0000000..aed44c5
--- /dev/null
+++ b/res-hdpi/images/loop00081.png
Binary files differ
diff --git a/res-hdpi/images/loop00082.png b/res-hdpi/images/loop00082.png
new file mode 100644
index 0000000..a39769b
--- /dev/null
+++ b/res-hdpi/images/loop00082.png
Binary files differ
diff --git a/res-hdpi/images/loop00083.png b/res-hdpi/images/loop00083.png
new file mode 100644
index 0000000..905355d
--- /dev/null
+++ b/res-hdpi/images/loop00083.png
Binary files differ
diff --git a/res-hdpi/images/loop00084.png b/res-hdpi/images/loop00084.png
new file mode 100644
index 0000000..c86deea
--- /dev/null
+++ b/res-hdpi/images/loop00084.png
Binary files differ
diff --git a/res-hdpi/images/loop00085.png b/res-hdpi/images/loop00085.png
new file mode 100644
index 0000000..3744ab7
--- /dev/null
+++ b/res-hdpi/images/loop00085.png
Binary files differ
diff --git a/res-hdpi/images/loop00086.png b/res-hdpi/images/loop00086.png
new file mode 100644
index 0000000..0bb9b09
--- /dev/null
+++ b/res-hdpi/images/loop00086.png
Binary files differ
diff --git a/res-hdpi/images/loop00087.png b/res-hdpi/images/loop00087.png
new file mode 100644
index 0000000..83f97bd
--- /dev/null
+++ b/res-hdpi/images/loop00087.png
Binary files differ
diff --git a/res-hdpi/images/loop00088.png b/res-hdpi/images/loop00088.png
new file mode 100644
index 0000000..6fd3790
--- /dev/null
+++ b/res-hdpi/images/loop00088.png
Binary files differ
diff --git a/res-hdpi/images/loop00089.png b/res-hdpi/images/loop00089.png
new file mode 100644
index 0000000..09500f8
--- /dev/null
+++ b/res-hdpi/images/loop00089.png
Binary files differ
diff --git a/res-hdpi/images/loop00090.png b/res-hdpi/images/loop00090.png
new file mode 100644
index 0000000..030fa2b
--- /dev/null
+++ b/res-hdpi/images/loop00090.png
Binary files differ
diff --git a/res-hdpi/images/no_command_text.png b/res-hdpi/images/no_command_text.png
index 9927ecb..a567ad1 100644
--- a/res-hdpi/images/no_command_text.png
+++ b/res-hdpi/images/no_command_text.png
Binary files differ
diff --git a/res-hdpi/images/progress_empty.png b/res-hdpi/images/progress_empty.png
index 7258183..96c4bf6 100644
--- a/res-hdpi/images/progress_empty.png
+++ b/res-hdpi/images/progress_empty.png
Binary files differ
diff --git a/res-hdpi/images/progress_fill.png b/res-hdpi/images/progress_fill.png
index becf87b..1717be8 100644
--- a/res-hdpi/images/progress_fill.png
+++ b/res-hdpi/images/progress_fill.png
Binary files differ
diff --git a/res-mdpi/images/erasing_text.png b/res-mdpi/images/erasing_text.png
index fd86c3f..ad68a19 100644
--- a/res-mdpi/images/erasing_text.png
+++ b/res-mdpi/images/erasing_text.png
Binary files differ
diff --git a/res-mdpi/images/error_text.png b/res-mdpi/images/error_text.png
index f1b44c9..8ea5acb 100644
--- a/res-mdpi/images/error_text.png
+++ b/res-mdpi/images/error_text.png
Binary files differ
diff --git a/res-mdpi/images/icon_installing.png b/res-mdpi/images/icon_installing.png
deleted file mode 100644
index c2c0201..0000000
--- a/res-mdpi/images/icon_installing.png
+++ /dev/null
Binary files differ
diff --git a/res-mdpi/images/installing_security_text.png b/res-mdpi/images/installing_security_text.png
new file mode 100644
index 0000000..615b9b7
--- /dev/null
+++ b/res-mdpi/images/installing_security_text.png
Binary files differ
diff --git a/res-mdpi/images/installing_text.png b/res-mdpi/images/installing_text.png
index 064b2a3..6cf8716 100644
--- a/res-mdpi/images/installing_text.png
+++ b/res-mdpi/images/installing_text.png
Binary files differ
diff --git a/res-mdpi/images/loop00000.png b/res-mdpi/images/loop00000.png
new file mode 100644
index 0000000..d7092b6
--- /dev/null
+++ b/res-mdpi/images/loop00000.png
Binary files differ
diff --git a/res-mdpi/images/loop00001.png b/res-mdpi/images/loop00001.png
new file mode 100644
index 0000000..e04a525
--- /dev/null
+++ b/res-mdpi/images/loop00001.png
Binary files differ
diff --git a/res-mdpi/images/loop00002.png b/res-mdpi/images/loop00002.png
new file mode 100644
index 0000000..e2a7831
--- /dev/null
+++ b/res-mdpi/images/loop00002.png
Binary files differ
diff --git a/res-mdpi/images/loop00003.png b/res-mdpi/images/loop00003.png
new file mode 100644
index 0000000..28f79bf
--- /dev/null
+++ b/res-mdpi/images/loop00003.png
Binary files differ
diff --git a/res-mdpi/images/loop00004.png b/res-mdpi/images/loop00004.png
new file mode 100644
index 0000000..e4bec80
--- /dev/null
+++ b/res-mdpi/images/loop00004.png
Binary files differ
diff --git a/res-mdpi/images/loop00005.png b/res-mdpi/images/loop00005.png
new file mode 100644
index 0000000..de673e0
--- /dev/null
+++ b/res-mdpi/images/loop00005.png
Binary files differ
diff --git a/res-mdpi/images/loop00006.png b/res-mdpi/images/loop00006.png
new file mode 100644
index 0000000..71d4203
--- /dev/null
+++ b/res-mdpi/images/loop00006.png
Binary files differ
diff --git a/res-mdpi/images/loop00007.png b/res-mdpi/images/loop00007.png
new file mode 100644
index 0000000..dee70b3
--- /dev/null
+++ b/res-mdpi/images/loop00007.png
Binary files differ
diff --git a/res-mdpi/images/loop00008.png b/res-mdpi/images/loop00008.png
new file mode 100644
index 0000000..9eccc7f
--- /dev/null
+++ b/res-mdpi/images/loop00008.png
Binary files differ
diff --git a/res-mdpi/images/loop00009.png b/res-mdpi/images/loop00009.png
new file mode 100644
index 0000000..d6672ac
--- /dev/null
+++ b/res-mdpi/images/loop00009.png
Binary files differ
diff --git a/res-mdpi/images/loop00010.png b/res-mdpi/images/loop00010.png
new file mode 100644
index 0000000..1bb8f5c
--- /dev/null
+++ b/res-mdpi/images/loop00010.png
Binary files differ
diff --git a/res-mdpi/images/loop00011.png b/res-mdpi/images/loop00011.png
new file mode 100644
index 0000000..849ce3d
--- /dev/null
+++ b/res-mdpi/images/loop00011.png
Binary files differ
diff --git a/res-mdpi/images/loop00012.png b/res-mdpi/images/loop00012.png
new file mode 100644
index 0000000..cee9dcf
--- /dev/null
+++ b/res-mdpi/images/loop00012.png
Binary files differ
diff --git a/res-mdpi/images/loop00013.png b/res-mdpi/images/loop00013.png
new file mode 100644
index 0000000..1ef61d7
--- /dev/null
+++ b/res-mdpi/images/loop00013.png
Binary files differ
diff --git a/res-mdpi/images/loop00014.png b/res-mdpi/images/loop00014.png
new file mode 100644
index 0000000..bc84637
--- /dev/null
+++ b/res-mdpi/images/loop00014.png
Binary files differ
diff --git a/res-mdpi/images/loop00015.png b/res-mdpi/images/loop00015.png
new file mode 100644
index 0000000..f5607f2
--- /dev/null
+++ b/res-mdpi/images/loop00015.png
Binary files differ
diff --git a/res-mdpi/images/loop00016.png b/res-mdpi/images/loop00016.png
new file mode 100644
index 0000000..235527c
--- /dev/null
+++ b/res-mdpi/images/loop00016.png
Binary files differ
diff --git a/res-mdpi/images/loop00017.png b/res-mdpi/images/loop00017.png
new file mode 100644
index 0000000..88307a6
--- /dev/null
+++ b/res-mdpi/images/loop00017.png
Binary files differ
diff --git a/res-mdpi/images/loop00018.png b/res-mdpi/images/loop00018.png
new file mode 100644
index 0000000..02472d7
--- /dev/null
+++ b/res-mdpi/images/loop00018.png
Binary files differ
diff --git a/res-mdpi/images/loop00019.png b/res-mdpi/images/loop00019.png
new file mode 100644
index 0000000..f06bdaa
--- /dev/null
+++ b/res-mdpi/images/loop00019.png
Binary files differ
diff --git a/res-mdpi/images/loop00020.png b/res-mdpi/images/loop00020.png
new file mode 100644
index 0000000..dc522c0
--- /dev/null
+++ b/res-mdpi/images/loop00020.png
Binary files differ
diff --git a/res-mdpi/images/loop00021.png b/res-mdpi/images/loop00021.png
new file mode 100644
index 0000000..3a53ee5
--- /dev/null
+++ b/res-mdpi/images/loop00021.png
Binary files differ
diff --git a/res-mdpi/images/loop00022.png b/res-mdpi/images/loop00022.png
new file mode 100644
index 0000000..09b8eea
--- /dev/null
+++ b/res-mdpi/images/loop00022.png
Binary files differ
diff --git a/res-mdpi/images/loop00023.png b/res-mdpi/images/loop00023.png
new file mode 100644
index 0000000..ebc677d
--- /dev/null
+++ b/res-mdpi/images/loop00023.png
Binary files differ
diff --git a/res-mdpi/images/loop00024.png b/res-mdpi/images/loop00024.png
new file mode 100644
index 0000000..a4fd8e5
--- /dev/null
+++ b/res-mdpi/images/loop00024.png
Binary files differ
diff --git a/res-mdpi/images/loop00025.png b/res-mdpi/images/loop00025.png
new file mode 100644
index 0000000..9435624
--- /dev/null
+++ b/res-mdpi/images/loop00025.png
Binary files differ
diff --git a/res-mdpi/images/loop00026.png b/res-mdpi/images/loop00026.png
new file mode 100644
index 0000000..b7e8081
--- /dev/null
+++ b/res-mdpi/images/loop00026.png
Binary files differ
diff --git a/res-mdpi/images/loop00027.png b/res-mdpi/images/loop00027.png
new file mode 100644
index 0000000..757d8ed
--- /dev/null
+++ b/res-mdpi/images/loop00027.png
Binary files differ
diff --git a/res-mdpi/images/loop00028.png b/res-mdpi/images/loop00028.png
new file mode 100644
index 0000000..8eefa3a
--- /dev/null
+++ b/res-mdpi/images/loop00028.png
Binary files differ
diff --git a/res-mdpi/images/loop00029.png b/res-mdpi/images/loop00029.png
new file mode 100644
index 0000000..8d890de
--- /dev/null
+++ b/res-mdpi/images/loop00029.png
Binary files differ
diff --git a/res-mdpi/images/loop00030.png b/res-mdpi/images/loop00030.png
new file mode 100644
index 0000000..8e0eeb6
--- /dev/null
+++ b/res-mdpi/images/loop00030.png
Binary files differ
diff --git a/res-mdpi/images/loop00031.png b/res-mdpi/images/loop00031.png
new file mode 100644
index 0000000..178b29d
--- /dev/null
+++ b/res-mdpi/images/loop00031.png
Binary files differ
diff --git a/res-mdpi/images/loop00032.png b/res-mdpi/images/loop00032.png
new file mode 100644
index 0000000..39192c7
--- /dev/null
+++ b/res-mdpi/images/loop00032.png
Binary files differ
diff --git a/res-mdpi/images/loop00033.png b/res-mdpi/images/loop00033.png
new file mode 100644
index 0000000..0647e50
--- /dev/null
+++ b/res-mdpi/images/loop00033.png
Binary files differ
diff --git a/res-mdpi/images/loop00034.png b/res-mdpi/images/loop00034.png
new file mode 100644
index 0000000..d6bc079
--- /dev/null
+++ b/res-mdpi/images/loop00034.png
Binary files differ
diff --git a/res-mdpi/images/loop00035.png b/res-mdpi/images/loop00035.png
new file mode 100644
index 0000000..68352e8
--- /dev/null
+++ b/res-mdpi/images/loop00035.png
Binary files differ
diff --git a/res-mdpi/images/loop00036.png b/res-mdpi/images/loop00036.png
new file mode 100644
index 0000000..92d9da2
--- /dev/null
+++ b/res-mdpi/images/loop00036.png
Binary files differ
diff --git a/res-mdpi/images/loop00037.png b/res-mdpi/images/loop00037.png
new file mode 100644
index 0000000..a0e4d33
--- /dev/null
+++ b/res-mdpi/images/loop00037.png
Binary files differ
diff --git a/res-mdpi/images/loop00038.png b/res-mdpi/images/loop00038.png
new file mode 100644
index 0000000..c523173
--- /dev/null
+++ b/res-mdpi/images/loop00038.png
Binary files differ
diff --git a/res-mdpi/images/loop00039.png b/res-mdpi/images/loop00039.png
new file mode 100644
index 0000000..aae7765
--- /dev/null
+++ b/res-mdpi/images/loop00039.png
Binary files differ
diff --git a/res-mdpi/images/loop00040.png b/res-mdpi/images/loop00040.png
new file mode 100644
index 0000000..af9e018
--- /dev/null
+++ b/res-mdpi/images/loop00040.png
Binary files differ
diff --git a/res-mdpi/images/loop00041.png b/res-mdpi/images/loop00041.png
new file mode 100644
index 0000000..8e089c2
--- /dev/null
+++ b/res-mdpi/images/loop00041.png
Binary files differ
diff --git a/res-mdpi/images/loop00042.png b/res-mdpi/images/loop00042.png
new file mode 100644
index 0000000..e3e3b8a
--- /dev/null
+++ b/res-mdpi/images/loop00042.png
Binary files differ
diff --git a/res-mdpi/images/loop00043.png b/res-mdpi/images/loop00043.png
new file mode 100644
index 0000000..cc8acba
--- /dev/null
+++ b/res-mdpi/images/loop00043.png
Binary files differ
diff --git a/res-mdpi/images/loop00044.png b/res-mdpi/images/loop00044.png
new file mode 100644
index 0000000..9a3a9b9
--- /dev/null
+++ b/res-mdpi/images/loop00044.png
Binary files differ
diff --git a/res-mdpi/images/loop00045.png b/res-mdpi/images/loop00045.png
new file mode 100644
index 0000000..ec5e3c4
--- /dev/null
+++ b/res-mdpi/images/loop00045.png
Binary files differ
diff --git a/res-mdpi/images/loop00046.png b/res-mdpi/images/loop00046.png
new file mode 100644
index 0000000..925e2b7
--- /dev/null
+++ b/res-mdpi/images/loop00046.png
Binary files differ
diff --git a/res-mdpi/images/loop00047.png b/res-mdpi/images/loop00047.png
new file mode 100644
index 0000000..62fff88
--- /dev/null
+++ b/res-mdpi/images/loop00047.png
Binary files differ
diff --git a/res-mdpi/images/loop00048.png b/res-mdpi/images/loop00048.png
new file mode 100644
index 0000000..46efe70
--- /dev/null
+++ b/res-mdpi/images/loop00048.png
Binary files differ
diff --git a/res-mdpi/images/loop00049.png b/res-mdpi/images/loop00049.png
new file mode 100644
index 0000000..678dce4
--- /dev/null
+++ b/res-mdpi/images/loop00049.png
Binary files differ
diff --git a/res-mdpi/images/loop00050.png b/res-mdpi/images/loop00050.png
new file mode 100644
index 0000000..cbc6fdb
--- /dev/null
+++ b/res-mdpi/images/loop00050.png
Binary files differ
diff --git a/res-mdpi/images/loop00051.png b/res-mdpi/images/loop00051.png
new file mode 100644
index 0000000..afa9066
--- /dev/null
+++ b/res-mdpi/images/loop00051.png
Binary files differ
diff --git a/res-mdpi/images/loop00052.png b/res-mdpi/images/loop00052.png
new file mode 100644
index 0000000..4d2d98c
--- /dev/null
+++ b/res-mdpi/images/loop00052.png
Binary files differ
diff --git a/res-mdpi/images/loop00053.png b/res-mdpi/images/loop00053.png
new file mode 100644
index 0000000..48136a5
--- /dev/null
+++ b/res-mdpi/images/loop00053.png
Binary files differ
diff --git a/res-mdpi/images/loop00054.png b/res-mdpi/images/loop00054.png
new file mode 100644
index 0000000..09f706a
--- /dev/null
+++ b/res-mdpi/images/loop00054.png
Binary files differ
diff --git a/res-mdpi/images/loop00055.png b/res-mdpi/images/loop00055.png
new file mode 100644
index 0000000..7565a1c
--- /dev/null
+++ b/res-mdpi/images/loop00055.png
Binary files differ
diff --git a/res-mdpi/images/loop00056.png b/res-mdpi/images/loop00056.png
new file mode 100644
index 0000000..2765831
--- /dev/null
+++ b/res-mdpi/images/loop00056.png
Binary files differ
diff --git a/res-mdpi/images/loop00057.png b/res-mdpi/images/loop00057.png
new file mode 100644
index 0000000..de440e0
--- /dev/null
+++ b/res-mdpi/images/loop00057.png
Binary files differ
diff --git a/res-mdpi/images/loop00058.png b/res-mdpi/images/loop00058.png
new file mode 100644
index 0000000..67d49c7
--- /dev/null
+++ b/res-mdpi/images/loop00058.png
Binary files differ
diff --git a/res-mdpi/images/loop00059.png b/res-mdpi/images/loop00059.png
new file mode 100644
index 0000000..a622f45
--- /dev/null
+++ b/res-mdpi/images/loop00059.png
Binary files differ
diff --git a/res-mdpi/images/loop00060.png b/res-mdpi/images/loop00060.png
new file mode 100644
index 0000000..06d6eec
--- /dev/null
+++ b/res-mdpi/images/loop00060.png
Binary files differ
diff --git a/res-mdpi/images/loop00061.png b/res-mdpi/images/loop00061.png
new file mode 100644
index 0000000..7f11945
--- /dev/null
+++ b/res-mdpi/images/loop00061.png
Binary files differ
diff --git a/res-mdpi/images/loop00062.png b/res-mdpi/images/loop00062.png
new file mode 100644
index 0000000..8197c94
--- /dev/null
+++ b/res-mdpi/images/loop00062.png
Binary files differ
diff --git a/res-mdpi/images/loop00063.png b/res-mdpi/images/loop00063.png
new file mode 100644
index 0000000..4093c9b
--- /dev/null
+++ b/res-mdpi/images/loop00063.png
Binary files differ
diff --git a/res-mdpi/images/loop00064.png b/res-mdpi/images/loop00064.png
new file mode 100644
index 0000000..d09bd1e
--- /dev/null
+++ b/res-mdpi/images/loop00064.png
Binary files differ
diff --git a/res-mdpi/images/loop00065.png b/res-mdpi/images/loop00065.png
new file mode 100644
index 0000000..cbb6c1b
--- /dev/null
+++ b/res-mdpi/images/loop00065.png
Binary files differ
diff --git a/res-mdpi/images/loop00066.png b/res-mdpi/images/loop00066.png
new file mode 100644
index 0000000..aed0a70
--- /dev/null
+++ b/res-mdpi/images/loop00066.png
Binary files differ
diff --git a/res-mdpi/images/loop00067.png b/res-mdpi/images/loop00067.png
new file mode 100644
index 0000000..dd0da79
--- /dev/null
+++ b/res-mdpi/images/loop00067.png
Binary files differ
diff --git a/res-mdpi/images/loop00068.png b/res-mdpi/images/loop00068.png
new file mode 100644
index 0000000..161802c
--- /dev/null
+++ b/res-mdpi/images/loop00068.png
Binary files differ
diff --git a/res-mdpi/images/loop00069.png b/res-mdpi/images/loop00069.png
new file mode 100644
index 0000000..4ee0372
--- /dev/null
+++ b/res-mdpi/images/loop00069.png
Binary files differ
diff --git a/res-mdpi/images/loop00070.png b/res-mdpi/images/loop00070.png
new file mode 100644
index 0000000..41a64ff
--- /dev/null
+++ b/res-mdpi/images/loop00070.png
Binary files differ
diff --git a/res-mdpi/images/loop00071.png b/res-mdpi/images/loop00071.png
new file mode 100644
index 0000000..c4793d7
--- /dev/null
+++ b/res-mdpi/images/loop00071.png
Binary files differ
diff --git a/res-mdpi/images/loop00072.png b/res-mdpi/images/loop00072.png
new file mode 100644
index 0000000..9399d19
--- /dev/null
+++ b/res-mdpi/images/loop00072.png
Binary files differ
diff --git a/res-mdpi/images/loop00073.png b/res-mdpi/images/loop00073.png
new file mode 100644
index 0000000..d4e55ad
--- /dev/null
+++ b/res-mdpi/images/loop00073.png
Binary files differ
diff --git a/res-mdpi/images/loop00074.png b/res-mdpi/images/loop00074.png
new file mode 100644
index 0000000..f29a0af
--- /dev/null
+++ b/res-mdpi/images/loop00074.png
Binary files differ
diff --git a/res-mdpi/images/loop00075.png b/res-mdpi/images/loop00075.png
new file mode 100644
index 0000000..020568e
--- /dev/null
+++ b/res-mdpi/images/loop00075.png
Binary files differ
diff --git a/res-mdpi/images/loop00076.png b/res-mdpi/images/loop00076.png
new file mode 100644
index 0000000..51a54cc
--- /dev/null
+++ b/res-mdpi/images/loop00076.png
Binary files differ
diff --git a/res-mdpi/images/loop00077.png b/res-mdpi/images/loop00077.png
new file mode 100644
index 0000000..f6e80a9
--- /dev/null
+++ b/res-mdpi/images/loop00077.png
Binary files differ
diff --git a/res-mdpi/images/loop00078.png b/res-mdpi/images/loop00078.png
new file mode 100644
index 0000000..9444521
--- /dev/null
+++ b/res-mdpi/images/loop00078.png
Binary files differ
diff --git a/res-mdpi/images/loop00079.png b/res-mdpi/images/loop00079.png
new file mode 100644
index 0000000..b1ef2c3
--- /dev/null
+++ b/res-mdpi/images/loop00079.png
Binary files differ
diff --git a/res-mdpi/images/loop00080.png b/res-mdpi/images/loop00080.png
new file mode 100644
index 0000000..8a911fb
--- /dev/null
+++ b/res-mdpi/images/loop00080.png
Binary files differ
diff --git a/res-mdpi/images/loop00081.png b/res-mdpi/images/loop00081.png
new file mode 100644
index 0000000..f848df4
--- /dev/null
+++ b/res-mdpi/images/loop00081.png
Binary files differ
diff --git a/res-mdpi/images/loop00082.png b/res-mdpi/images/loop00082.png
new file mode 100644
index 0000000..35b1325
--- /dev/null
+++ b/res-mdpi/images/loop00082.png
Binary files differ
diff --git a/res-mdpi/images/loop00083.png b/res-mdpi/images/loop00083.png
new file mode 100644
index 0000000..1571fb5
--- /dev/null
+++ b/res-mdpi/images/loop00083.png
Binary files differ
diff --git a/res-mdpi/images/loop00084.png b/res-mdpi/images/loop00084.png
new file mode 100644
index 0000000..92b5295
--- /dev/null
+++ b/res-mdpi/images/loop00084.png
Binary files differ
diff --git a/res-mdpi/images/loop00085.png b/res-mdpi/images/loop00085.png
new file mode 100644
index 0000000..cde8880
--- /dev/null
+++ b/res-mdpi/images/loop00085.png
Binary files differ
diff --git a/res-mdpi/images/loop00086.png b/res-mdpi/images/loop00086.png
new file mode 100644
index 0000000..45889e5
--- /dev/null
+++ b/res-mdpi/images/loop00086.png
Binary files differ
diff --git a/res-mdpi/images/loop00087.png b/res-mdpi/images/loop00087.png
new file mode 100644
index 0000000..9cad9aa
--- /dev/null
+++ b/res-mdpi/images/loop00087.png
Binary files differ
diff --git a/res-mdpi/images/loop00088.png b/res-mdpi/images/loop00088.png
new file mode 100644
index 0000000..dcf98c8
--- /dev/null
+++ b/res-mdpi/images/loop00088.png
Binary files differ
diff --git a/res-mdpi/images/loop00089.png b/res-mdpi/images/loop00089.png
new file mode 100644
index 0000000..584cb89
--- /dev/null
+++ b/res-mdpi/images/loop00089.png
Binary files differ
diff --git a/res-mdpi/images/loop00090.png b/res-mdpi/images/loop00090.png
new file mode 100644
index 0000000..d7092b6
--- /dev/null
+++ b/res-mdpi/images/loop00090.png
Binary files differ
diff --git a/res-mdpi/images/no_command_text.png b/res-mdpi/images/no_command_text.png
index 1f29b89..5cc6b37 100644
--- a/res-mdpi/images/no_command_text.png
+++ b/res-mdpi/images/no_command_text.png
Binary files differ
diff --git a/res-mdpi/images/progress_empty.png b/res-mdpi/images/progress_empty.png
index 7258183..96c4bf6 100644
--- a/res-mdpi/images/progress_empty.png
+++ b/res-mdpi/images/progress_empty.png
Binary files differ
diff --git a/res-mdpi/images/progress_fill.png b/res-mdpi/images/progress_fill.png
index becf87b..1717be8 100644
--- a/res-mdpi/images/progress_fill.png
+++ b/res-mdpi/images/progress_fill.png
Binary files differ
diff --git a/res-xhdpi/images/erasing_text.png b/res-xhdpi/images/erasing_text.png
index f88e0e6..01176e8 100644
--- a/res-xhdpi/images/erasing_text.png
+++ b/res-xhdpi/images/erasing_text.png
Binary files differ
diff --git a/res-xhdpi/images/error_text.png b/res-xhdpi/images/error_text.png
index c3a4cc6..4f890fa 100644
--- a/res-xhdpi/images/error_text.png
+++ b/res-xhdpi/images/error_text.png
Binary files differ
diff --git a/res-xhdpi/images/icon_installing.png b/res-xhdpi/images/icon_installing.png
deleted file mode 100644
index c2c0201..0000000
--- a/res-xhdpi/images/icon_installing.png
+++ /dev/null
Binary files differ
diff --git a/res-xhdpi/images/installing_security_text.png b/res-xhdpi/images/installing_security_text.png
new file mode 100644
index 0000000..6192832
--- /dev/null
+++ b/res-xhdpi/images/installing_security_text.png
Binary files differ
diff --git a/res-xhdpi/images/installing_text.png b/res-xhdpi/images/installing_text.png
index a4dacd0..4413529 100644
--- a/res-xhdpi/images/installing_text.png
+++ b/res-xhdpi/images/installing_text.png
Binary files differ
diff --git a/res-xhdpi/images/loop00000.png b/res-xhdpi/images/loop00000.png
new file mode 100644
index 0000000..f5bf7a7
--- /dev/null
+++ b/res-xhdpi/images/loop00000.png
Binary files differ
diff --git a/res-xhdpi/images/loop00001.png b/res-xhdpi/images/loop00001.png
new file mode 100644
index 0000000..95c14eb
--- /dev/null
+++ b/res-xhdpi/images/loop00001.png
Binary files differ
diff --git a/res-xhdpi/images/loop00002.png b/res-xhdpi/images/loop00002.png
new file mode 100644
index 0000000..5910fd1
--- /dev/null
+++ b/res-xhdpi/images/loop00002.png
Binary files differ
diff --git a/res-xhdpi/images/loop00003.png b/res-xhdpi/images/loop00003.png
new file mode 100644
index 0000000..e6861d2
--- /dev/null
+++ b/res-xhdpi/images/loop00003.png
Binary files differ
diff --git a/res-xhdpi/images/loop00004.png b/res-xhdpi/images/loop00004.png
new file mode 100644
index 0000000..453cdc6
--- /dev/null
+++ b/res-xhdpi/images/loop00004.png
Binary files differ
diff --git a/res-xhdpi/images/loop00005.png b/res-xhdpi/images/loop00005.png
new file mode 100644
index 0000000..12157c9
--- /dev/null
+++ b/res-xhdpi/images/loop00005.png
Binary files differ
diff --git a/res-xhdpi/images/loop00006.png b/res-xhdpi/images/loop00006.png
new file mode 100644
index 0000000..5e78385
--- /dev/null
+++ b/res-xhdpi/images/loop00006.png
Binary files differ
diff --git a/res-xhdpi/images/loop00007.png b/res-xhdpi/images/loop00007.png
new file mode 100644
index 0000000..c69abf4
--- /dev/null
+++ b/res-xhdpi/images/loop00007.png
Binary files differ
diff --git a/res-xhdpi/images/loop00008.png b/res-xhdpi/images/loop00008.png
new file mode 100644
index 0000000..78c3b99
--- /dev/null
+++ b/res-xhdpi/images/loop00008.png
Binary files differ
diff --git a/res-xhdpi/images/loop00009.png b/res-xhdpi/images/loop00009.png
new file mode 100644
index 0000000..e510b6b
--- /dev/null
+++ b/res-xhdpi/images/loop00009.png
Binary files differ
diff --git a/res-xhdpi/images/loop00010.png b/res-xhdpi/images/loop00010.png
new file mode 100644
index 0000000..9d775fa
--- /dev/null
+++ b/res-xhdpi/images/loop00010.png
Binary files differ
diff --git a/res-xhdpi/images/loop00011.png b/res-xhdpi/images/loop00011.png
new file mode 100644
index 0000000..36c0195
--- /dev/null
+++ b/res-xhdpi/images/loop00011.png
Binary files differ
diff --git a/res-xhdpi/images/loop00012.png b/res-xhdpi/images/loop00012.png
new file mode 100644
index 0000000..ac65096
--- /dev/null
+++ b/res-xhdpi/images/loop00012.png
Binary files differ
diff --git a/res-xhdpi/images/loop00013.png b/res-xhdpi/images/loop00013.png
new file mode 100644
index 0000000..e3fdaaf
--- /dev/null
+++ b/res-xhdpi/images/loop00013.png
Binary files differ
diff --git a/res-xhdpi/images/loop00014.png b/res-xhdpi/images/loop00014.png
new file mode 100644
index 0000000..6e85108
--- /dev/null
+++ b/res-xhdpi/images/loop00014.png
Binary files differ
diff --git a/res-xhdpi/images/loop00015.png b/res-xhdpi/images/loop00015.png
new file mode 100644
index 0000000..9e60329
--- /dev/null
+++ b/res-xhdpi/images/loop00015.png
Binary files differ
diff --git a/res-xhdpi/images/loop00016.png b/res-xhdpi/images/loop00016.png
new file mode 100644
index 0000000..68417aa
--- /dev/null
+++ b/res-xhdpi/images/loop00016.png
Binary files differ
diff --git a/res-xhdpi/images/loop00017.png b/res-xhdpi/images/loop00017.png
new file mode 100644
index 0000000..4ac5dde
--- /dev/null
+++ b/res-xhdpi/images/loop00017.png
Binary files differ
diff --git a/res-xhdpi/images/loop00018.png b/res-xhdpi/images/loop00018.png
new file mode 100644
index 0000000..d651128
--- /dev/null
+++ b/res-xhdpi/images/loop00018.png
Binary files differ
diff --git a/res-xhdpi/images/loop00019.png b/res-xhdpi/images/loop00019.png
new file mode 100644
index 0000000..3742735
--- /dev/null
+++ b/res-xhdpi/images/loop00019.png
Binary files differ
diff --git a/res-xhdpi/images/loop00020.png b/res-xhdpi/images/loop00020.png
new file mode 100644
index 0000000..04489a1
--- /dev/null
+++ b/res-xhdpi/images/loop00020.png
Binary files differ
diff --git a/res-xhdpi/images/loop00021.png b/res-xhdpi/images/loop00021.png
new file mode 100644
index 0000000..59c7016
--- /dev/null
+++ b/res-xhdpi/images/loop00021.png
Binary files differ
diff --git a/res-xhdpi/images/loop00022.png b/res-xhdpi/images/loop00022.png
new file mode 100644
index 0000000..0b9a59f
--- /dev/null
+++ b/res-xhdpi/images/loop00022.png
Binary files differ
diff --git a/res-xhdpi/images/loop00023.png b/res-xhdpi/images/loop00023.png
new file mode 100644
index 0000000..31abae7
--- /dev/null
+++ b/res-xhdpi/images/loop00023.png
Binary files differ
diff --git a/res-xhdpi/images/loop00024.png b/res-xhdpi/images/loop00024.png
new file mode 100644
index 0000000..98d8ee3
--- /dev/null
+++ b/res-xhdpi/images/loop00024.png
Binary files differ
diff --git a/res-xhdpi/images/loop00025.png b/res-xhdpi/images/loop00025.png
new file mode 100644
index 0000000..9f074d2
--- /dev/null
+++ b/res-xhdpi/images/loop00025.png
Binary files differ
diff --git a/res-xhdpi/images/loop00026.png b/res-xhdpi/images/loop00026.png
new file mode 100644
index 0000000..063fca2
--- /dev/null
+++ b/res-xhdpi/images/loop00026.png
Binary files differ
diff --git a/res-xhdpi/images/loop00027.png b/res-xhdpi/images/loop00027.png
new file mode 100644
index 0000000..67e503a
--- /dev/null
+++ b/res-xhdpi/images/loop00027.png
Binary files differ
diff --git a/res-xhdpi/images/loop00028.png b/res-xhdpi/images/loop00028.png
new file mode 100644
index 0000000..7e76be8
--- /dev/null
+++ b/res-xhdpi/images/loop00028.png
Binary files differ
diff --git a/res-xhdpi/images/loop00029.png b/res-xhdpi/images/loop00029.png
new file mode 100644
index 0000000..4902f6b
--- /dev/null
+++ b/res-xhdpi/images/loop00029.png
Binary files differ
diff --git a/res-xhdpi/images/loop00030.png b/res-xhdpi/images/loop00030.png
new file mode 100644
index 0000000..387b893
--- /dev/null
+++ b/res-xhdpi/images/loop00030.png
Binary files differ
diff --git a/res-xhdpi/images/loop00031.png b/res-xhdpi/images/loop00031.png
new file mode 100644
index 0000000..ad11628
--- /dev/null
+++ b/res-xhdpi/images/loop00031.png
Binary files differ
diff --git a/res-xhdpi/images/loop00032.png b/res-xhdpi/images/loop00032.png
new file mode 100644
index 0000000..7d809e6
--- /dev/null
+++ b/res-xhdpi/images/loop00032.png
Binary files differ
diff --git a/res-xhdpi/images/loop00033.png b/res-xhdpi/images/loop00033.png
new file mode 100644
index 0000000..59fcdc1
--- /dev/null
+++ b/res-xhdpi/images/loop00033.png
Binary files differ
diff --git a/res-xhdpi/images/loop00034.png b/res-xhdpi/images/loop00034.png
new file mode 100644
index 0000000..cb4301c
--- /dev/null
+++ b/res-xhdpi/images/loop00034.png
Binary files differ
diff --git a/res-xhdpi/images/loop00035.png b/res-xhdpi/images/loop00035.png
new file mode 100644
index 0000000..6b16878
--- /dev/null
+++ b/res-xhdpi/images/loop00035.png
Binary files differ
diff --git a/res-xhdpi/images/loop00036.png b/res-xhdpi/images/loop00036.png
new file mode 100644
index 0000000..3aa7850
--- /dev/null
+++ b/res-xhdpi/images/loop00036.png
Binary files differ
diff --git a/res-xhdpi/images/loop00037.png b/res-xhdpi/images/loop00037.png
new file mode 100644
index 0000000..a60e851
--- /dev/null
+++ b/res-xhdpi/images/loop00037.png
Binary files differ
diff --git a/res-xhdpi/images/loop00038.png b/res-xhdpi/images/loop00038.png
new file mode 100644
index 0000000..50107f3
--- /dev/null
+++ b/res-xhdpi/images/loop00038.png
Binary files differ
diff --git a/res-xhdpi/images/loop00039.png b/res-xhdpi/images/loop00039.png
new file mode 100644
index 0000000..c85201e
--- /dev/null
+++ b/res-xhdpi/images/loop00039.png
Binary files differ
diff --git a/res-xhdpi/images/loop00040.png b/res-xhdpi/images/loop00040.png
new file mode 100644
index 0000000..6ae1612
--- /dev/null
+++ b/res-xhdpi/images/loop00040.png
Binary files differ
diff --git a/res-xhdpi/images/loop00041.png b/res-xhdpi/images/loop00041.png
new file mode 100644
index 0000000..7602b04
--- /dev/null
+++ b/res-xhdpi/images/loop00041.png
Binary files differ
diff --git a/res-xhdpi/images/loop00042.png b/res-xhdpi/images/loop00042.png
new file mode 100644
index 0000000..054da6d
--- /dev/null
+++ b/res-xhdpi/images/loop00042.png
Binary files differ
diff --git a/res-xhdpi/images/loop00043.png b/res-xhdpi/images/loop00043.png
new file mode 100644
index 0000000..d28be8b
--- /dev/null
+++ b/res-xhdpi/images/loop00043.png
Binary files differ
diff --git a/res-xhdpi/images/loop00044.png b/res-xhdpi/images/loop00044.png
new file mode 100644
index 0000000..8327126
--- /dev/null
+++ b/res-xhdpi/images/loop00044.png
Binary files differ
diff --git a/res-xhdpi/images/loop00045.png b/res-xhdpi/images/loop00045.png
new file mode 100644
index 0000000..d749e22
--- /dev/null
+++ b/res-xhdpi/images/loop00045.png
Binary files differ
diff --git a/res-xhdpi/images/loop00046.png b/res-xhdpi/images/loop00046.png
new file mode 100644
index 0000000..60025d1
--- /dev/null
+++ b/res-xhdpi/images/loop00046.png
Binary files differ
diff --git a/res-xhdpi/images/loop00047.png b/res-xhdpi/images/loop00047.png
new file mode 100644
index 0000000..b0be5c6
--- /dev/null
+++ b/res-xhdpi/images/loop00047.png
Binary files differ
diff --git a/res-xhdpi/images/loop00048.png b/res-xhdpi/images/loop00048.png
new file mode 100644
index 0000000..be926d9
--- /dev/null
+++ b/res-xhdpi/images/loop00048.png
Binary files differ
diff --git a/res-xhdpi/images/loop00049.png b/res-xhdpi/images/loop00049.png
new file mode 100644
index 0000000..4560854
--- /dev/null
+++ b/res-xhdpi/images/loop00049.png
Binary files differ
diff --git a/res-xhdpi/images/loop00050.png b/res-xhdpi/images/loop00050.png
new file mode 100644
index 0000000..967dd87
--- /dev/null
+++ b/res-xhdpi/images/loop00050.png
Binary files differ
diff --git a/res-xhdpi/images/loop00051.png b/res-xhdpi/images/loop00051.png
new file mode 100644
index 0000000..c169859
--- /dev/null
+++ b/res-xhdpi/images/loop00051.png
Binary files differ
diff --git a/res-xhdpi/images/loop00052.png b/res-xhdpi/images/loop00052.png
new file mode 100644
index 0000000..27c2383
--- /dev/null
+++ b/res-xhdpi/images/loop00052.png
Binary files differ
diff --git a/res-xhdpi/images/loop00053.png b/res-xhdpi/images/loop00053.png
new file mode 100644
index 0000000..cd2ca21
--- /dev/null
+++ b/res-xhdpi/images/loop00053.png
Binary files differ
diff --git a/res-xhdpi/images/loop00054.png b/res-xhdpi/images/loop00054.png
new file mode 100644
index 0000000..588586b
--- /dev/null
+++ b/res-xhdpi/images/loop00054.png
Binary files differ
diff --git a/res-xhdpi/images/loop00055.png b/res-xhdpi/images/loop00055.png
new file mode 100644
index 0000000..0984d01
--- /dev/null
+++ b/res-xhdpi/images/loop00055.png
Binary files differ
diff --git a/res-xhdpi/images/loop00056.png b/res-xhdpi/images/loop00056.png
new file mode 100644
index 0000000..bab2998
--- /dev/null
+++ b/res-xhdpi/images/loop00056.png
Binary files differ
diff --git a/res-xhdpi/images/loop00057.png b/res-xhdpi/images/loop00057.png
new file mode 100644
index 0000000..4acfce5
--- /dev/null
+++ b/res-xhdpi/images/loop00057.png
Binary files differ
diff --git a/res-xhdpi/images/loop00058.png b/res-xhdpi/images/loop00058.png
new file mode 100644
index 0000000..d49fea4
--- /dev/null
+++ b/res-xhdpi/images/loop00058.png
Binary files differ
diff --git a/res-xhdpi/images/loop00059.png b/res-xhdpi/images/loop00059.png
new file mode 100644
index 0000000..fdd75c6
--- /dev/null
+++ b/res-xhdpi/images/loop00059.png
Binary files differ
diff --git a/res-xhdpi/images/loop00060.png b/res-xhdpi/images/loop00060.png
new file mode 100644
index 0000000..06ac591
--- /dev/null
+++ b/res-xhdpi/images/loop00060.png
Binary files differ
diff --git a/res-xhdpi/images/loop00061.png b/res-xhdpi/images/loop00061.png
new file mode 100644
index 0000000..63be536
--- /dev/null
+++ b/res-xhdpi/images/loop00061.png
Binary files differ
diff --git a/res-xhdpi/images/loop00062.png b/res-xhdpi/images/loop00062.png
new file mode 100644
index 0000000..e25c906
--- /dev/null
+++ b/res-xhdpi/images/loop00062.png
Binary files differ
diff --git a/res-xhdpi/images/loop00063.png b/res-xhdpi/images/loop00063.png
new file mode 100644
index 0000000..1fcaefe
--- /dev/null
+++ b/res-xhdpi/images/loop00063.png
Binary files differ
diff --git a/res-xhdpi/images/loop00064.png b/res-xhdpi/images/loop00064.png
new file mode 100644
index 0000000..fe373d0
--- /dev/null
+++ b/res-xhdpi/images/loop00064.png
Binary files differ
diff --git a/res-xhdpi/images/loop00065.png b/res-xhdpi/images/loop00065.png
new file mode 100644
index 0000000..c5feed6
--- /dev/null
+++ b/res-xhdpi/images/loop00065.png
Binary files differ
diff --git a/res-xhdpi/images/loop00066.png b/res-xhdpi/images/loop00066.png
new file mode 100644
index 0000000..bc336e7
--- /dev/null
+++ b/res-xhdpi/images/loop00066.png
Binary files differ
diff --git a/res-xhdpi/images/loop00067.png b/res-xhdpi/images/loop00067.png
new file mode 100644
index 0000000..a4cdcae
--- /dev/null
+++ b/res-xhdpi/images/loop00067.png
Binary files differ
diff --git a/res-xhdpi/images/loop00068.png b/res-xhdpi/images/loop00068.png
new file mode 100644
index 0000000..65d41a2
--- /dev/null
+++ b/res-xhdpi/images/loop00068.png
Binary files differ
diff --git a/res-xhdpi/images/loop00069.png b/res-xhdpi/images/loop00069.png
new file mode 100644
index 0000000..5707b62
--- /dev/null
+++ b/res-xhdpi/images/loop00069.png
Binary files differ
diff --git a/res-xhdpi/images/loop00070.png b/res-xhdpi/images/loop00070.png
new file mode 100644
index 0000000..50ea159
--- /dev/null
+++ b/res-xhdpi/images/loop00070.png
Binary files differ
diff --git a/res-xhdpi/images/loop00071.png b/res-xhdpi/images/loop00071.png
new file mode 100644
index 0000000..244a910
--- /dev/null
+++ b/res-xhdpi/images/loop00071.png
Binary files differ
diff --git a/res-xhdpi/images/loop00072.png b/res-xhdpi/images/loop00072.png
new file mode 100644
index 0000000..e5ee2ab
--- /dev/null
+++ b/res-xhdpi/images/loop00072.png
Binary files differ
diff --git a/res-xhdpi/images/loop00073.png b/res-xhdpi/images/loop00073.png
new file mode 100644
index 0000000..fced739
--- /dev/null
+++ b/res-xhdpi/images/loop00073.png
Binary files differ
diff --git a/res-xhdpi/images/loop00074.png b/res-xhdpi/images/loop00074.png
new file mode 100644
index 0000000..1b739d3
--- /dev/null
+++ b/res-xhdpi/images/loop00074.png
Binary files differ
diff --git a/res-xhdpi/images/loop00075.png b/res-xhdpi/images/loop00075.png
new file mode 100644
index 0000000..989144f
--- /dev/null
+++ b/res-xhdpi/images/loop00075.png
Binary files differ
diff --git a/res-xhdpi/images/loop00076.png b/res-xhdpi/images/loop00076.png
new file mode 100644
index 0000000..458c2a9
--- /dev/null
+++ b/res-xhdpi/images/loop00076.png
Binary files differ
diff --git a/res-xhdpi/images/loop00077.png b/res-xhdpi/images/loop00077.png
new file mode 100644
index 0000000..9cecb1d
--- /dev/null
+++ b/res-xhdpi/images/loop00077.png
Binary files differ
diff --git a/res-xhdpi/images/loop00078.png b/res-xhdpi/images/loop00078.png
new file mode 100644
index 0000000..c2c8dee
--- /dev/null
+++ b/res-xhdpi/images/loop00078.png
Binary files differ
diff --git a/res-xhdpi/images/loop00079.png b/res-xhdpi/images/loop00079.png
new file mode 100644
index 0000000..4f4fdd1
--- /dev/null
+++ b/res-xhdpi/images/loop00079.png
Binary files differ
diff --git a/res-xhdpi/images/loop00080.png b/res-xhdpi/images/loop00080.png
new file mode 100644
index 0000000..b224378
--- /dev/null
+++ b/res-xhdpi/images/loop00080.png
Binary files differ
diff --git a/res-xhdpi/images/loop00081.png b/res-xhdpi/images/loop00081.png
new file mode 100644
index 0000000..57d9587
--- /dev/null
+++ b/res-xhdpi/images/loop00081.png
Binary files differ
diff --git a/res-xhdpi/images/loop00082.png b/res-xhdpi/images/loop00082.png
new file mode 100644
index 0000000..c00f82a
--- /dev/null
+++ b/res-xhdpi/images/loop00082.png
Binary files differ
diff --git a/res-xhdpi/images/loop00083.png b/res-xhdpi/images/loop00083.png
new file mode 100644
index 0000000..078311f
--- /dev/null
+++ b/res-xhdpi/images/loop00083.png
Binary files differ
diff --git a/res-xhdpi/images/loop00084.png b/res-xhdpi/images/loop00084.png
new file mode 100644
index 0000000..cac1708
--- /dev/null
+++ b/res-xhdpi/images/loop00084.png
Binary files differ
diff --git a/res-xhdpi/images/loop00085.png b/res-xhdpi/images/loop00085.png
new file mode 100644
index 0000000..2ea4b0a
--- /dev/null
+++ b/res-xhdpi/images/loop00085.png
Binary files differ
diff --git a/res-xhdpi/images/loop00086.png b/res-xhdpi/images/loop00086.png
new file mode 100644
index 0000000..9ba6ca6
--- /dev/null
+++ b/res-xhdpi/images/loop00086.png
Binary files differ
diff --git a/res-xhdpi/images/loop00087.png b/res-xhdpi/images/loop00087.png
new file mode 100644
index 0000000..75694a3
--- /dev/null
+++ b/res-xhdpi/images/loop00087.png
Binary files differ
diff --git a/res-xhdpi/images/loop00088.png b/res-xhdpi/images/loop00088.png
new file mode 100644
index 0000000..971e508
--- /dev/null
+++ b/res-xhdpi/images/loop00088.png
Binary files differ
diff --git a/res-xhdpi/images/loop00089.png b/res-xhdpi/images/loop00089.png
new file mode 100644
index 0000000..41b6ce6
--- /dev/null
+++ b/res-xhdpi/images/loop00089.png
Binary files differ
diff --git a/res-xhdpi/images/loop00090.png b/res-xhdpi/images/loop00090.png
new file mode 100644
index 0000000..f5bf7a7
--- /dev/null
+++ b/res-xhdpi/images/loop00090.png
Binary files differ
diff --git a/res-xhdpi/images/no_command_text.png b/res-xhdpi/images/no_command_text.png
index eb34e94..9f74037 100644
--- a/res-xhdpi/images/no_command_text.png
+++ b/res-xhdpi/images/no_command_text.png
Binary files differ
diff --git a/res-xhdpi/images/progress_empty.png b/res-xhdpi/images/progress_empty.png
index 7258183..96c4bf6 100644
--- a/res-xhdpi/images/progress_empty.png
+++ b/res-xhdpi/images/progress_empty.png
Binary files differ
diff --git a/res-xhdpi/images/progress_fill.png b/res-xhdpi/images/progress_fill.png
index becf87b..1717be8 100644
--- a/res-xhdpi/images/progress_fill.png
+++ b/res-xhdpi/images/progress_fill.png
Binary files differ
diff --git a/res-xxhdpi/images/erasing_text.png b/res-xxhdpi/images/erasing_text.png
index c87fd52..b8653eb 100644
--- a/res-xxhdpi/images/erasing_text.png
+++ b/res-xxhdpi/images/erasing_text.png
Binary files differ
diff --git a/res-xxhdpi/images/error_text.png b/res-xxhdpi/images/error_text.png
index 486e951..d77ee50 100644
--- a/res-xxhdpi/images/error_text.png
+++ b/res-xxhdpi/images/error_text.png
Binary files differ
diff --git a/res-xxhdpi/images/icon_installing.png b/res-xxhdpi/images/icon_installing.png
deleted file mode 100644
index c2c0201..0000000
--- a/res-xxhdpi/images/icon_installing.png
+++ /dev/null
Binary files differ
diff --git a/res-xxhdpi/images/installing_security_text.png b/res-xxhdpi/images/installing_security_text.png
new file mode 100644
index 0000000..ca0c191
--- /dev/null
+++ b/res-xxhdpi/images/installing_security_text.png
Binary files differ
diff --git a/res-xxhdpi/images/installing_text.png b/res-xxhdpi/images/installing_text.png
index ef6e8f3..a76a174 100644
--- a/res-xxhdpi/images/installing_text.png
+++ b/res-xxhdpi/images/installing_text.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00000.png b/res-xxhdpi/images/loop00000.png
new file mode 100644
index 0000000..c517262
--- /dev/null
+++ b/res-xxhdpi/images/loop00000.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00001.png b/res-xxhdpi/images/loop00001.png
new file mode 100644
index 0000000..1b1ce73
--- /dev/null
+++ b/res-xxhdpi/images/loop00001.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00002.png b/res-xxhdpi/images/loop00002.png
new file mode 100644
index 0000000..e984a24
--- /dev/null
+++ b/res-xxhdpi/images/loop00002.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00003.png b/res-xxhdpi/images/loop00003.png
new file mode 100644
index 0000000..b11dddc
--- /dev/null
+++ b/res-xxhdpi/images/loop00003.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00004.png b/res-xxhdpi/images/loop00004.png
new file mode 100644
index 0000000..10272b2
--- /dev/null
+++ b/res-xxhdpi/images/loop00004.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00005.png b/res-xxhdpi/images/loop00005.png
new file mode 100644
index 0000000..9558d7e
--- /dev/null
+++ b/res-xxhdpi/images/loop00005.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00006.png b/res-xxhdpi/images/loop00006.png
new file mode 100644
index 0000000..0e6c92d
--- /dev/null
+++ b/res-xxhdpi/images/loop00006.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00007.png b/res-xxhdpi/images/loop00007.png
new file mode 100644
index 0000000..0a353ad
--- /dev/null
+++ b/res-xxhdpi/images/loop00007.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00008.png b/res-xxhdpi/images/loop00008.png
new file mode 100644
index 0000000..2f0c162
--- /dev/null
+++ b/res-xxhdpi/images/loop00008.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00009.png b/res-xxhdpi/images/loop00009.png
new file mode 100644
index 0000000..960d683
--- /dev/null
+++ b/res-xxhdpi/images/loop00009.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00010.png b/res-xxhdpi/images/loop00010.png
new file mode 100644
index 0000000..b65c301
--- /dev/null
+++ b/res-xxhdpi/images/loop00010.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00011.png b/res-xxhdpi/images/loop00011.png
new file mode 100644
index 0000000..21444fa
--- /dev/null
+++ b/res-xxhdpi/images/loop00011.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00012.png b/res-xxhdpi/images/loop00012.png
new file mode 100644
index 0000000..587db09
--- /dev/null
+++ b/res-xxhdpi/images/loop00012.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00013.png b/res-xxhdpi/images/loop00013.png
new file mode 100644
index 0000000..57f2f66
--- /dev/null
+++ b/res-xxhdpi/images/loop00013.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00014.png b/res-xxhdpi/images/loop00014.png
new file mode 100644
index 0000000..d308a65
--- /dev/null
+++ b/res-xxhdpi/images/loop00014.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00015.png b/res-xxhdpi/images/loop00015.png
new file mode 100644
index 0000000..3585fac
--- /dev/null
+++ b/res-xxhdpi/images/loop00015.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00016.png b/res-xxhdpi/images/loop00016.png
new file mode 100644
index 0000000..fd5089c
--- /dev/null
+++ b/res-xxhdpi/images/loop00016.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00017.png b/res-xxhdpi/images/loop00017.png
new file mode 100644
index 0000000..2c8c6a4
--- /dev/null
+++ b/res-xxhdpi/images/loop00017.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00018.png b/res-xxhdpi/images/loop00018.png
new file mode 100644
index 0000000..23d7ca2
--- /dev/null
+++ b/res-xxhdpi/images/loop00018.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00019.png b/res-xxhdpi/images/loop00019.png
new file mode 100644
index 0000000..cdefe2c
--- /dev/null
+++ b/res-xxhdpi/images/loop00019.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00020.png b/res-xxhdpi/images/loop00020.png
new file mode 100644
index 0000000..ae78e4c
--- /dev/null
+++ b/res-xxhdpi/images/loop00020.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00021.png b/res-xxhdpi/images/loop00021.png
new file mode 100644
index 0000000..ad83cfe
--- /dev/null
+++ b/res-xxhdpi/images/loop00021.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00022.png b/res-xxhdpi/images/loop00022.png
new file mode 100644
index 0000000..850076a
--- /dev/null
+++ b/res-xxhdpi/images/loop00022.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00023.png b/res-xxhdpi/images/loop00023.png
new file mode 100644
index 0000000..cd30b39
--- /dev/null
+++ b/res-xxhdpi/images/loop00023.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00024.png b/res-xxhdpi/images/loop00024.png
new file mode 100644
index 0000000..e7ae4b2
--- /dev/null
+++ b/res-xxhdpi/images/loop00024.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00025.png b/res-xxhdpi/images/loop00025.png
new file mode 100644
index 0000000..4e24bd1
--- /dev/null
+++ b/res-xxhdpi/images/loop00025.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00026.png b/res-xxhdpi/images/loop00026.png
new file mode 100644
index 0000000..27713cc
--- /dev/null
+++ b/res-xxhdpi/images/loop00026.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00027.png b/res-xxhdpi/images/loop00027.png
new file mode 100644
index 0000000..34e4ade
--- /dev/null
+++ b/res-xxhdpi/images/loop00027.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00028.png b/res-xxhdpi/images/loop00028.png
new file mode 100644
index 0000000..0e6fdee
--- /dev/null
+++ b/res-xxhdpi/images/loop00028.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00029.png b/res-xxhdpi/images/loop00029.png
new file mode 100644
index 0000000..21c1c63
--- /dev/null
+++ b/res-xxhdpi/images/loop00029.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00030.png b/res-xxhdpi/images/loop00030.png
new file mode 100644
index 0000000..984c24f
--- /dev/null
+++ b/res-xxhdpi/images/loop00030.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00031.png b/res-xxhdpi/images/loop00031.png
new file mode 100644
index 0000000..25fe1de
--- /dev/null
+++ b/res-xxhdpi/images/loop00031.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00032.png b/res-xxhdpi/images/loop00032.png
new file mode 100644
index 0000000..c089cb8
--- /dev/null
+++ b/res-xxhdpi/images/loop00032.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00033.png b/res-xxhdpi/images/loop00033.png
new file mode 100644
index 0000000..82a2d9b
--- /dev/null
+++ b/res-xxhdpi/images/loop00033.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00034.png b/res-xxhdpi/images/loop00034.png
new file mode 100644
index 0000000..1aa76b9
--- /dev/null
+++ b/res-xxhdpi/images/loop00034.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00035.png b/res-xxhdpi/images/loop00035.png
new file mode 100644
index 0000000..4399143
--- /dev/null
+++ b/res-xxhdpi/images/loop00035.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00036.png b/res-xxhdpi/images/loop00036.png
new file mode 100644
index 0000000..975ae66
--- /dev/null
+++ b/res-xxhdpi/images/loop00036.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00037.png b/res-xxhdpi/images/loop00037.png
new file mode 100644
index 0000000..dcf9a90
--- /dev/null
+++ b/res-xxhdpi/images/loop00037.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00038.png b/res-xxhdpi/images/loop00038.png
new file mode 100644
index 0000000..f10b8b7
--- /dev/null
+++ b/res-xxhdpi/images/loop00038.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00039.png b/res-xxhdpi/images/loop00039.png
new file mode 100644
index 0000000..9c0d1e3
--- /dev/null
+++ b/res-xxhdpi/images/loop00039.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00040.png b/res-xxhdpi/images/loop00040.png
new file mode 100644
index 0000000..b6b4908
--- /dev/null
+++ b/res-xxhdpi/images/loop00040.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00041.png b/res-xxhdpi/images/loop00041.png
new file mode 100644
index 0000000..12a1a1e
--- /dev/null
+++ b/res-xxhdpi/images/loop00041.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00042.png b/res-xxhdpi/images/loop00042.png
new file mode 100644
index 0000000..f1fc35b
--- /dev/null
+++ b/res-xxhdpi/images/loop00042.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00043.png b/res-xxhdpi/images/loop00043.png
new file mode 100644
index 0000000..50ac99e
--- /dev/null
+++ b/res-xxhdpi/images/loop00043.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00044.png b/res-xxhdpi/images/loop00044.png
new file mode 100644
index 0000000..f115dcc
--- /dev/null
+++ b/res-xxhdpi/images/loop00044.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00045.png b/res-xxhdpi/images/loop00045.png
new file mode 100644
index 0000000..adf7a67
--- /dev/null
+++ b/res-xxhdpi/images/loop00045.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00046.png b/res-xxhdpi/images/loop00046.png
new file mode 100644
index 0000000..588eeb3
--- /dev/null
+++ b/res-xxhdpi/images/loop00046.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00047.png b/res-xxhdpi/images/loop00047.png
new file mode 100644
index 0000000..9dea770
--- /dev/null
+++ b/res-xxhdpi/images/loop00047.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00048.png b/res-xxhdpi/images/loop00048.png
new file mode 100644
index 0000000..d5eaeb1
--- /dev/null
+++ b/res-xxhdpi/images/loop00048.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00049.png b/res-xxhdpi/images/loop00049.png
new file mode 100644
index 0000000..fb83729
--- /dev/null
+++ b/res-xxhdpi/images/loop00049.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00050.png b/res-xxhdpi/images/loop00050.png
new file mode 100644
index 0000000..72441db
--- /dev/null
+++ b/res-xxhdpi/images/loop00050.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00051.png b/res-xxhdpi/images/loop00051.png
new file mode 100644
index 0000000..bf7170a
--- /dev/null
+++ b/res-xxhdpi/images/loop00051.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00052.png b/res-xxhdpi/images/loop00052.png
new file mode 100644
index 0000000..c512b56
--- /dev/null
+++ b/res-xxhdpi/images/loop00052.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00053.png b/res-xxhdpi/images/loop00053.png
new file mode 100644
index 0000000..6ac3ca6
--- /dev/null
+++ b/res-xxhdpi/images/loop00053.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00054.png b/res-xxhdpi/images/loop00054.png
new file mode 100644
index 0000000..ba194a6
--- /dev/null
+++ b/res-xxhdpi/images/loop00054.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00055.png b/res-xxhdpi/images/loop00055.png
new file mode 100644
index 0000000..9623f0d
--- /dev/null
+++ b/res-xxhdpi/images/loop00055.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00056.png b/res-xxhdpi/images/loop00056.png
new file mode 100644
index 0000000..e785e69
--- /dev/null
+++ b/res-xxhdpi/images/loop00056.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00057.png b/res-xxhdpi/images/loop00057.png
new file mode 100644
index 0000000..9a5747a
--- /dev/null
+++ b/res-xxhdpi/images/loop00057.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00058.png b/res-xxhdpi/images/loop00058.png
new file mode 100644
index 0000000..9a097cf
--- /dev/null
+++ b/res-xxhdpi/images/loop00058.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00059.png b/res-xxhdpi/images/loop00059.png
new file mode 100644
index 0000000..fee2db1
--- /dev/null
+++ b/res-xxhdpi/images/loop00059.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00060.png b/res-xxhdpi/images/loop00060.png
new file mode 100644
index 0000000..0e00e70
--- /dev/null
+++ b/res-xxhdpi/images/loop00060.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00061.png b/res-xxhdpi/images/loop00061.png
new file mode 100644
index 0000000..0ecce17
--- /dev/null
+++ b/res-xxhdpi/images/loop00061.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00062.png b/res-xxhdpi/images/loop00062.png
new file mode 100644
index 0000000..0a296d1
--- /dev/null
+++ b/res-xxhdpi/images/loop00062.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00063.png b/res-xxhdpi/images/loop00063.png
new file mode 100644
index 0000000..56c3b8b
--- /dev/null
+++ b/res-xxhdpi/images/loop00063.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00064.png b/res-xxhdpi/images/loop00064.png
new file mode 100644
index 0000000..e6d639a
--- /dev/null
+++ b/res-xxhdpi/images/loop00064.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00065.png b/res-xxhdpi/images/loop00065.png
new file mode 100644
index 0000000..02e382b
--- /dev/null
+++ b/res-xxhdpi/images/loop00065.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00066.png b/res-xxhdpi/images/loop00066.png
new file mode 100644
index 0000000..fe89ed0
--- /dev/null
+++ b/res-xxhdpi/images/loop00066.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00067.png b/res-xxhdpi/images/loop00067.png
new file mode 100644
index 0000000..a8f6ce5
--- /dev/null
+++ b/res-xxhdpi/images/loop00067.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00068.png b/res-xxhdpi/images/loop00068.png
new file mode 100644
index 0000000..f9b7fb1
--- /dev/null
+++ b/res-xxhdpi/images/loop00068.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00069.png b/res-xxhdpi/images/loop00069.png
new file mode 100644
index 0000000..d0dc507
--- /dev/null
+++ b/res-xxhdpi/images/loop00069.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00070.png b/res-xxhdpi/images/loop00070.png
new file mode 100644
index 0000000..63f9e4d
--- /dev/null
+++ b/res-xxhdpi/images/loop00070.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00071.png b/res-xxhdpi/images/loop00071.png
new file mode 100644
index 0000000..5ba3972
--- /dev/null
+++ b/res-xxhdpi/images/loop00071.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00072.png b/res-xxhdpi/images/loop00072.png
new file mode 100644
index 0000000..de834e3
--- /dev/null
+++ b/res-xxhdpi/images/loop00072.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00073.png b/res-xxhdpi/images/loop00073.png
new file mode 100644
index 0000000..4be2aed
--- /dev/null
+++ b/res-xxhdpi/images/loop00073.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00074.png b/res-xxhdpi/images/loop00074.png
new file mode 100644
index 0000000..235e9a2
--- /dev/null
+++ b/res-xxhdpi/images/loop00074.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00075.png b/res-xxhdpi/images/loop00075.png
new file mode 100644
index 0000000..f6d806d
--- /dev/null
+++ b/res-xxhdpi/images/loop00075.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00076.png b/res-xxhdpi/images/loop00076.png
new file mode 100644
index 0000000..1e916d7
--- /dev/null
+++ b/res-xxhdpi/images/loop00076.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00077.png b/res-xxhdpi/images/loop00077.png
new file mode 100644
index 0000000..0dbac74
--- /dev/null
+++ b/res-xxhdpi/images/loop00077.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00078.png b/res-xxhdpi/images/loop00078.png
new file mode 100644
index 0000000..504d34a
--- /dev/null
+++ b/res-xxhdpi/images/loop00078.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00079.png b/res-xxhdpi/images/loop00079.png
new file mode 100644
index 0000000..51f4e8d
--- /dev/null
+++ b/res-xxhdpi/images/loop00079.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00080.png b/res-xxhdpi/images/loop00080.png
new file mode 100644
index 0000000..6ef03b8
--- /dev/null
+++ b/res-xxhdpi/images/loop00080.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00081.png b/res-xxhdpi/images/loop00081.png
new file mode 100644
index 0000000..e2ebc39
--- /dev/null
+++ b/res-xxhdpi/images/loop00081.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00082.png b/res-xxhdpi/images/loop00082.png
new file mode 100644
index 0000000..9de83a7
--- /dev/null
+++ b/res-xxhdpi/images/loop00082.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00083.png b/res-xxhdpi/images/loop00083.png
new file mode 100644
index 0000000..c5c0099
--- /dev/null
+++ b/res-xxhdpi/images/loop00083.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00084.png b/res-xxhdpi/images/loop00084.png
new file mode 100644
index 0000000..84c794f
--- /dev/null
+++ b/res-xxhdpi/images/loop00084.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00085.png b/res-xxhdpi/images/loop00085.png
new file mode 100644
index 0000000..29a40c6
--- /dev/null
+++ b/res-xxhdpi/images/loop00085.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00086.png b/res-xxhdpi/images/loop00086.png
new file mode 100644
index 0000000..89a4717
--- /dev/null
+++ b/res-xxhdpi/images/loop00086.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00087.png b/res-xxhdpi/images/loop00087.png
new file mode 100644
index 0000000..ef8d4d5
--- /dev/null
+++ b/res-xxhdpi/images/loop00087.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00088.png b/res-xxhdpi/images/loop00088.png
new file mode 100644
index 0000000..5fc6c62
--- /dev/null
+++ b/res-xxhdpi/images/loop00088.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00089.png b/res-xxhdpi/images/loop00089.png
new file mode 100644
index 0000000..d6d99f4
--- /dev/null
+++ b/res-xxhdpi/images/loop00089.png
Binary files differ
diff --git a/res-xxhdpi/images/loop00090.png b/res-xxhdpi/images/loop00090.png
new file mode 100644
index 0000000..c517262
--- /dev/null
+++ b/res-xxhdpi/images/loop00090.png
Binary files differ
diff --git a/res-xxhdpi/images/no_command_text.png b/res-xxhdpi/images/no_command_text.png
index cc98bb1..5e363e3 100644
--- a/res-xxhdpi/images/no_command_text.png
+++ b/res-xxhdpi/images/no_command_text.png
Binary files differ
diff --git a/res-xxhdpi/images/progress_empty.png b/res-xxhdpi/images/progress_empty.png
index 7258183..96c4bf6 100644
--- a/res-xxhdpi/images/progress_empty.png
+++ b/res-xxhdpi/images/progress_empty.png
Binary files differ
diff --git a/res-xxhdpi/images/progress_fill.png b/res-xxhdpi/images/progress_fill.png
index becf87b..1717be8 100644
--- a/res-xxhdpi/images/progress_fill.png
+++ b/res-xxhdpi/images/progress_fill.png
Binary files differ
diff --git a/res-xxxhdpi/images/erasing_text.png b/res-xxxhdpi/images/erasing_text.png
index 612e7a3..f4a4661 100644
--- a/res-xxxhdpi/images/erasing_text.png
+++ b/res-xxxhdpi/images/erasing_text.png
Binary files differ
diff --git a/res-xxxhdpi/images/error_text.png b/res-xxxhdpi/images/error_text.png
index 50d2fad..317a771 100644
--- a/res-xxxhdpi/images/error_text.png
+++ b/res-xxxhdpi/images/error_text.png
Binary files differ
diff --git a/res-xxxhdpi/images/icon_installing.png b/res-xxxhdpi/images/icon_installing.png
deleted file mode 100644
index c2c0201..0000000
--- a/res-xxxhdpi/images/icon_installing.png
+++ /dev/null
Binary files differ
diff --git a/res-xxxhdpi/images/installing_security_text.png b/res-xxxhdpi/images/installing_security_text.png
new file mode 100644
index 0000000..c99c907
--- /dev/null
+++ b/res-xxxhdpi/images/installing_security_text.png
Binary files differ
diff --git a/res-xxxhdpi/images/installing_text.png b/res-xxxhdpi/images/installing_text.png
index 9bd093b..91d8330 100644
--- a/res-xxxhdpi/images/installing_text.png
+++ b/res-xxxhdpi/images/installing_text.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00000.png b/res-xxxhdpi/images/loop00000.png
new file mode 100644
index 0000000..1bc9db5
--- /dev/null
+++ b/res-xxxhdpi/images/loop00000.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00001.png b/res-xxxhdpi/images/loop00001.png
new file mode 100644
index 0000000..f835b85
--- /dev/null
+++ b/res-xxxhdpi/images/loop00001.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00002.png b/res-xxxhdpi/images/loop00002.png
new file mode 100644
index 0000000..e3bff32
--- /dev/null
+++ b/res-xxxhdpi/images/loop00002.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00003.png b/res-xxxhdpi/images/loop00003.png
new file mode 100644
index 0000000..d864c15
--- /dev/null
+++ b/res-xxxhdpi/images/loop00003.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00004.png b/res-xxxhdpi/images/loop00004.png
new file mode 100644
index 0000000..5d861c9
--- /dev/null
+++ b/res-xxxhdpi/images/loop00004.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00005.png b/res-xxxhdpi/images/loop00005.png
new file mode 100644
index 0000000..e9e860c
--- /dev/null
+++ b/res-xxxhdpi/images/loop00005.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00006.png b/res-xxxhdpi/images/loop00006.png
new file mode 100644
index 0000000..d7c516e
--- /dev/null
+++ b/res-xxxhdpi/images/loop00006.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00007.png b/res-xxxhdpi/images/loop00007.png
new file mode 100644
index 0000000..fa6d397
--- /dev/null
+++ b/res-xxxhdpi/images/loop00007.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00008.png b/res-xxxhdpi/images/loop00008.png
new file mode 100644
index 0000000..888d3a2
--- /dev/null
+++ b/res-xxxhdpi/images/loop00008.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00009.png b/res-xxxhdpi/images/loop00009.png
new file mode 100644
index 0000000..9e6ead2
--- /dev/null
+++ b/res-xxxhdpi/images/loop00009.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00010.png b/res-xxxhdpi/images/loop00010.png
new file mode 100644
index 0000000..30e13e0
--- /dev/null
+++ b/res-xxxhdpi/images/loop00010.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00011.png b/res-xxxhdpi/images/loop00011.png
new file mode 100644
index 0000000..d8abc2b
--- /dev/null
+++ b/res-xxxhdpi/images/loop00011.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00012.png b/res-xxxhdpi/images/loop00012.png
new file mode 100644
index 0000000..2d88cfb
--- /dev/null
+++ b/res-xxxhdpi/images/loop00012.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00013.png b/res-xxxhdpi/images/loop00013.png
new file mode 100644
index 0000000..0250f74
--- /dev/null
+++ b/res-xxxhdpi/images/loop00013.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00014.png b/res-xxxhdpi/images/loop00014.png
new file mode 100644
index 0000000..c3d9239
--- /dev/null
+++ b/res-xxxhdpi/images/loop00014.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00015.png b/res-xxxhdpi/images/loop00015.png
new file mode 100644
index 0000000..644c9c6
--- /dev/null
+++ b/res-xxxhdpi/images/loop00015.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00016.png b/res-xxxhdpi/images/loop00016.png
new file mode 100644
index 0000000..eff6e5b
--- /dev/null
+++ b/res-xxxhdpi/images/loop00016.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00017.png b/res-xxxhdpi/images/loop00017.png
new file mode 100644
index 0000000..b472a86
--- /dev/null
+++ b/res-xxxhdpi/images/loop00017.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00018.png b/res-xxxhdpi/images/loop00018.png
new file mode 100644
index 0000000..b17b6ce
--- /dev/null
+++ b/res-xxxhdpi/images/loop00018.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00019.png b/res-xxxhdpi/images/loop00019.png
new file mode 100644
index 0000000..d89b4da
--- /dev/null
+++ b/res-xxxhdpi/images/loop00019.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00020.png b/res-xxxhdpi/images/loop00020.png
new file mode 100644
index 0000000..7e757b8
--- /dev/null
+++ b/res-xxxhdpi/images/loop00020.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00021.png b/res-xxxhdpi/images/loop00021.png
new file mode 100644
index 0000000..1a8ce3e
--- /dev/null
+++ b/res-xxxhdpi/images/loop00021.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00022.png b/res-xxxhdpi/images/loop00022.png
new file mode 100644
index 0000000..e9ab39a
--- /dev/null
+++ b/res-xxxhdpi/images/loop00022.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00023.png b/res-xxxhdpi/images/loop00023.png
new file mode 100644
index 0000000..e1a7bf7
--- /dev/null
+++ b/res-xxxhdpi/images/loop00023.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00024.png b/res-xxxhdpi/images/loop00024.png
new file mode 100644
index 0000000..f77f70c
--- /dev/null
+++ b/res-xxxhdpi/images/loop00024.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00025.png b/res-xxxhdpi/images/loop00025.png
new file mode 100644
index 0000000..8348cdf
--- /dev/null
+++ b/res-xxxhdpi/images/loop00025.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00026.png b/res-xxxhdpi/images/loop00026.png
new file mode 100644
index 0000000..55fecc8
--- /dev/null
+++ b/res-xxxhdpi/images/loop00026.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00027.png b/res-xxxhdpi/images/loop00027.png
new file mode 100644
index 0000000..f4edf06
--- /dev/null
+++ b/res-xxxhdpi/images/loop00027.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00028.png b/res-xxxhdpi/images/loop00028.png
new file mode 100644
index 0000000..6dbe904
--- /dev/null
+++ b/res-xxxhdpi/images/loop00028.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00029.png b/res-xxxhdpi/images/loop00029.png
new file mode 100644
index 0000000..764f27a
--- /dev/null
+++ b/res-xxxhdpi/images/loop00029.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00030.png b/res-xxxhdpi/images/loop00030.png
new file mode 100644
index 0000000..2d21569
--- /dev/null
+++ b/res-xxxhdpi/images/loop00030.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00031.png b/res-xxxhdpi/images/loop00031.png
new file mode 100644
index 0000000..e02db9c
--- /dev/null
+++ b/res-xxxhdpi/images/loop00031.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00032.png b/res-xxxhdpi/images/loop00032.png
new file mode 100644
index 0000000..03f0456
--- /dev/null
+++ b/res-xxxhdpi/images/loop00032.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00033.png b/res-xxxhdpi/images/loop00033.png
new file mode 100644
index 0000000..5bdbbdb
--- /dev/null
+++ b/res-xxxhdpi/images/loop00033.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00034.png b/res-xxxhdpi/images/loop00034.png
new file mode 100644
index 0000000..c8164e2
--- /dev/null
+++ b/res-xxxhdpi/images/loop00034.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00035.png b/res-xxxhdpi/images/loop00035.png
new file mode 100644
index 0000000..ed5721d
--- /dev/null
+++ b/res-xxxhdpi/images/loop00035.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00036.png b/res-xxxhdpi/images/loop00036.png
new file mode 100644
index 0000000..08dffd2
--- /dev/null
+++ b/res-xxxhdpi/images/loop00036.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00037.png b/res-xxxhdpi/images/loop00037.png
new file mode 100644
index 0000000..583b665
--- /dev/null
+++ b/res-xxxhdpi/images/loop00037.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00038.png b/res-xxxhdpi/images/loop00038.png
new file mode 100644
index 0000000..cc2933d
--- /dev/null
+++ b/res-xxxhdpi/images/loop00038.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00039.png b/res-xxxhdpi/images/loop00039.png
new file mode 100644
index 0000000..1f0496a
--- /dev/null
+++ b/res-xxxhdpi/images/loop00039.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00040.png b/res-xxxhdpi/images/loop00040.png
new file mode 100644
index 0000000..05bf335
--- /dev/null
+++ b/res-xxxhdpi/images/loop00040.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00041.png b/res-xxxhdpi/images/loop00041.png
new file mode 100644
index 0000000..a868c7b
--- /dev/null
+++ b/res-xxxhdpi/images/loop00041.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00042.png b/res-xxxhdpi/images/loop00042.png
new file mode 100644
index 0000000..7c7220f
--- /dev/null
+++ b/res-xxxhdpi/images/loop00042.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00043.png b/res-xxxhdpi/images/loop00043.png
new file mode 100644
index 0000000..30336a7
--- /dev/null
+++ b/res-xxxhdpi/images/loop00043.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00044.png b/res-xxxhdpi/images/loop00044.png
new file mode 100644
index 0000000..80d3735
--- /dev/null
+++ b/res-xxxhdpi/images/loop00044.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00045.png b/res-xxxhdpi/images/loop00045.png
new file mode 100644
index 0000000..71a52c2
--- /dev/null
+++ b/res-xxxhdpi/images/loop00045.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00046.png b/res-xxxhdpi/images/loop00046.png
new file mode 100644
index 0000000..b3b3702
--- /dev/null
+++ b/res-xxxhdpi/images/loop00046.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00047.png b/res-xxxhdpi/images/loop00047.png
new file mode 100644
index 0000000..6ce2b37
--- /dev/null
+++ b/res-xxxhdpi/images/loop00047.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00048.png b/res-xxxhdpi/images/loop00048.png
new file mode 100644
index 0000000..0b428cd
--- /dev/null
+++ b/res-xxxhdpi/images/loop00048.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00049.png b/res-xxxhdpi/images/loop00049.png
new file mode 100644
index 0000000..53c1a47
--- /dev/null
+++ b/res-xxxhdpi/images/loop00049.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00050.png b/res-xxxhdpi/images/loop00050.png
new file mode 100644
index 0000000..0e17bbd
--- /dev/null
+++ b/res-xxxhdpi/images/loop00050.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00051.png b/res-xxxhdpi/images/loop00051.png
new file mode 100644
index 0000000..78a99dc
--- /dev/null
+++ b/res-xxxhdpi/images/loop00051.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00052.png b/res-xxxhdpi/images/loop00052.png
new file mode 100644
index 0000000..efd0df5
--- /dev/null
+++ b/res-xxxhdpi/images/loop00052.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00053.png b/res-xxxhdpi/images/loop00053.png
new file mode 100644
index 0000000..0c417ee
--- /dev/null
+++ b/res-xxxhdpi/images/loop00053.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00054.png b/res-xxxhdpi/images/loop00054.png
new file mode 100644
index 0000000..072077e
--- /dev/null
+++ b/res-xxxhdpi/images/loop00054.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00055.png b/res-xxxhdpi/images/loop00055.png
new file mode 100644
index 0000000..693083a
--- /dev/null
+++ b/res-xxxhdpi/images/loop00055.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00056.png b/res-xxxhdpi/images/loop00056.png
new file mode 100644
index 0000000..07cbd75
--- /dev/null
+++ b/res-xxxhdpi/images/loop00056.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00057.png b/res-xxxhdpi/images/loop00057.png
new file mode 100644
index 0000000..cc98ab2
--- /dev/null
+++ b/res-xxxhdpi/images/loop00057.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00058.png b/res-xxxhdpi/images/loop00058.png
new file mode 100644
index 0000000..f55d218
--- /dev/null
+++ b/res-xxxhdpi/images/loop00058.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00059.png b/res-xxxhdpi/images/loop00059.png
new file mode 100644
index 0000000..4bfed35
--- /dev/null
+++ b/res-xxxhdpi/images/loop00059.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00060.png b/res-xxxhdpi/images/loop00060.png
new file mode 100644
index 0000000..59f158b
--- /dev/null
+++ b/res-xxxhdpi/images/loop00060.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00061.png b/res-xxxhdpi/images/loop00061.png
new file mode 100644
index 0000000..fd0dc55
--- /dev/null
+++ b/res-xxxhdpi/images/loop00061.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00062.png b/res-xxxhdpi/images/loop00062.png
new file mode 100644
index 0000000..2c316ce
--- /dev/null
+++ b/res-xxxhdpi/images/loop00062.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00063.png b/res-xxxhdpi/images/loop00063.png
new file mode 100644
index 0000000..5b83c81
--- /dev/null
+++ b/res-xxxhdpi/images/loop00063.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00064.png b/res-xxxhdpi/images/loop00064.png
new file mode 100644
index 0000000..ced0a9a
--- /dev/null
+++ b/res-xxxhdpi/images/loop00064.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00065.png b/res-xxxhdpi/images/loop00065.png
new file mode 100644
index 0000000..6e699dd
--- /dev/null
+++ b/res-xxxhdpi/images/loop00065.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00066.png b/res-xxxhdpi/images/loop00066.png
new file mode 100644
index 0000000..8853cff
--- /dev/null
+++ b/res-xxxhdpi/images/loop00066.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00067.png b/res-xxxhdpi/images/loop00067.png
new file mode 100644
index 0000000..24d11d1
--- /dev/null
+++ b/res-xxxhdpi/images/loop00067.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00068.png b/res-xxxhdpi/images/loop00068.png
new file mode 100644
index 0000000..d54fff0
--- /dev/null
+++ b/res-xxxhdpi/images/loop00068.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00069.png b/res-xxxhdpi/images/loop00069.png
new file mode 100644
index 0000000..67f8d78
--- /dev/null
+++ b/res-xxxhdpi/images/loop00069.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00070.png b/res-xxxhdpi/images/loop00070.png
new file mode 100644
index 0000000..d56fb78
--- /dev/null
+++ b/res-xxxhdpi/images/loop00070.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00071.png b/res-xxxhdpi/images/loop00071.png
new file mode 100644
index 0000000..e787b8a
--- /dev/null
+++ b/res-xxxhdpi/images/loop00071.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00072.png b/res-xxxhdpi/images/loop00072.png
new file mode 100644
index 0000000..81f2e4c
--- /dev/null
+++ b/res-xxxhdpi/images/loop00072.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00073.png b/res-xxxhdpi/images/loop00073.png
new file mode 100644
index 0000000..ad46ed1
--- /dev/null
+++ b/res-xxxhdpi/images/loop00073.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00074.png b/res-xxxhdpi/images/loop00074.png
new file mode 100644
index 0000000..d835a2b
--- /dev/null
+++ b/res-xxxhdpi/images/loop00074.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00075.png b/res-xxxhdpi/images/loop00075.png
new file mode 100644
index 0000000..aa35a84
--- /dev/null
+++ b/res-xxxhdpi/images/loop00075.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00076.png b/res-xxxhdpi/images/loop00076.png
new file mode 100644
index 0000000..6ea547e
--- /dev/null
+++ b/res-xxxhdpi/images/loop00076.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00077.png b/res-xxxhdpi/images/loop00077.png
new file mode 100644
index 0000000..c809383
--- /dev/null
+++ b/res-xxxhdpi/images/loop00077.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00078.png b/res-xxxhdpi/images/loop00078.png
new file mode 100644
index 0000000..827a75c
--- /dev/null
+++ b/res-xxxhdpi/images/loop00078.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00079.png b/res-xxxhdpi/images/loop00079.png
new file mode 100644
index 0000000..18dc1cf
--- /dev/null
+++ b/res-xxxhdpi/images/loop00079.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00080.png b/res-xxxhdpi/images/loop00080.png
new file mode 100644
index 0000000..df06b56
--- /dev/null
+++ b/res-xxxhdpi/images/loop00080.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00081.png b/res-xxxhdpi/images/loop00081.png
new file mode 100644
index 0000000..a5ba603
--- /dev/null
+++ b/res-xxxhdpi/images/loop00081.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00082.png b/res-xxxhdpi/images/loop00082.png
new file mode 100644
index 0000000..e3298c5
--- /dev/null
+++ b/res-xxxhdpi/images/loop00082.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00083.png b/res-xxxhdpi/images/loop00083.png
new file mode 100644
index 0000000..c395662
--- /dev/null
+++ b/res-xxxhdpi/images/loop00083.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00084.png b/res-xxxhdpi/images/loop00084.png
new file mode 100644
index 0000000..f80af8e
--- /dev/null
+++ b/res-xxxhdpi/images/loop00084.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00085.png b/res-xxxhdpi/images/loop00085.png
new file mode 100644
index 0000000..c896758
--- /dev/null
+++ b/res-xxxhdpi/images/loop00085.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00086.png b/res-xxxhdpi/images/loop00086.png
new file mode 100644
index 0000000..9771692
--- /dev/null
+++ b/res-xxxhdpi/images/loop00086.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00087.png b/res-xxxhdpi/images/loop00087.png
new file mode 100644
index 0000000..e805dfa
--- /dev/null
+++ b/res-xxxhdpi/images/loop00087.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00088.png b/res-xxxhdpi/images/loop00088.png
new file mode 100644
index 0000000..aa1a88e
--- /dev/null
+++ b/res-xxxhdpi/images/loop00088.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00089.png b/res-xxxhdpi/images/loop00089.png
new file mode 100644
index 0000000..5bf7781
--- /dev/null
+++ b/res-xxxhdpi/images/loop00089.png
Binary files differ
diff --git a/res-xxxhdpi/images/loop00090.png b/res-xxxhdpi/images/loop00090.png
new file mode 100644
index 0000000..1bc9db5
--- /dev/null
+++ b/res-xxxhdpi/images/loop00090.png
Binary files differ
diff --git a/res-xxxhdpi/images/no_command_text.png b/res-xxxhdpi/images/no_command_text.png
index 6354e6a..b6eb964 100644
--- a/res-xxxhdpi/images/no_command_text.png
+++ b/res-xxxhdpi/images/no_command_text.png
Binary files differ
diff --git a/res-xxxhdpi/images/progress_empty.png b/res-xxxhdpi/images/progress_empty.png
index 7258183..96c4bf6 100644
--- a/res-xxxhdpi/images/progress_empty.png
+++ b/res-xxxhdpi/images/progress_empty.png
Binary files differ
diff --git a/res-xxxhdpi/images/progress_fill.png b/res-xxxhdpi/images/progress_fill.png
index becf87b..1717be8 100644
--- a/res-xxxhdpi/images/progress_fill.png
+++ b/res-xxxhdpi/images/progress_fill.png
Binary files differ
diff --git a/roots.cpp b/roots.cpp
index 2bd457e..f361cb8 100644
--- a/roots.cpp
+++ b/roots.cpp
@@ -30,10 +30,8 @@
 #include "roots.h"
 #include "common.h"
 #include "make_ext4fs.h"
-extern "C" {
 #include "wipe.h"
 #include "cryptfs.h"
-}
 
 static struct fstab *fstab = NULL;
 
@@ -72,7 +70,8 @@
     return fs_mgr_get_entry_for_mount_point(fstab, path);
 }
 
-int ensure_path_mounted(const char* path) {
+// Mount the volume specified by path at the given mount_point.
+int ensure_path_mounted_at(const char* path, const char* mount_point) {
     Volume* v = volume_for_path(path);
     if (v == NULL) {
         LOGE("unknown volume for path [%s]\n", path);
@@ -90,14 +89,18 @@
         return -1;
     }
 
+    if (!mount_point) {
+        mount_point = v->mount_point;
+    }
+
     const MountedVolume* mv =
-        find_mounted_volume_by_mount_point(v->mount_point);
+        find_mounted_volume_by_mount_point(mount_point);
     if (mv) {
         // volume is already mounted
         return 0;
     }
 
-    mkdir(v->mount_point, 0755);  // in case it doesn't already exist
+    mkdir(mount_point, 0755);  // in case it doesn't already exist
 
     if (strcmp(v->fs_type, "yaffs2") == 0) {
         // mount an MTD partition as a YAFFS2 filesystem.
@@ -106,25 +109,30 @@
         partition = mtd_find_partition_by_name(v->blk_device);
         if (partition == NULL) {
             LOGE("failed to find \"%s\" partition to mount at \"%s\"\n",
-                 v->blk_device, v->mount_point);
+                 v->blk_device, mount_point);
             return -1;
         }
-        return mtd_mount_partition(partition, v->mount_point, v->fs_type, 0);
+        return mtd_mount_partition(partition, mount_point, v->fs_type, 0);
     } else if (strcmp(v->fs_type, "ext4") == 0 ||
                strcmp(v->fs_type, "squashfs") == 0 ||
                strcmp(v->fs_type, "vfat") == 0) {
-        result = mount(v->blk_device, v->mount_point, v->fs_type,
+        result = mount(v->blk_device, mount_point, v->fs_type,
                        v->flags, v->fs_options);
         if (result == 0) return 0;
 
-        LOGE("failed to mount %s (%s)\n", v->mount_point, strerror(errno));
+        LOGE("failed to mount %s (%s)\n", mount_point, strerror(errno));
         return -1;
     }
 
-    LOGE("unknown fs_type \"%s\" for %s\n", v->fs_type, v->mount_point);
+    LOGE("unknown fs_type \"%s\" for %s\n", v->fs_type, mount_point);
     return -1;
 }
 
+int ensure_path_mounted(const char* path) {
+    // Mount at the default mount point.
+    return ensure_path_mounted_at(path, nullptr);
+}
+
 int ensure_path_unmounted(const char* path) {
     Volume* v = volume_for_path(path);
     if (v == NULL) {
@@ -167,7 +175,7 @@
     return WEXITSTATUS(status);
 }
 
-int format_volume(const char* volume) {
+int format_volume(const char* volume, const char* directory) {
     Volume* v = volume_for_path(volume);
     if (v == NULL) {
         LOGE("unknown volume \"%s\"\n", volume);
@@ -233,7 +241,7 @@
         }
         int result;
         if (strcmp(v->fs_type, "ext4") == 0) {
-            result = make_ext4fs(v->blk_device, length, volume, sehandle);
+            result = make_ext4fs_directory(v->blk_device, length, volume, sehandle, directory);
         } else {   /* Has to be f2fs because we checked earlier. */
             if (v->key_loc != NULL && strcmp(v->key_loc, "footer") == 0 && length < 0) {
                 LOGE("format_volume: crypt footer + negative length (%zd) not supported on %s\n", length, v->fs_type);
@@ -265,6 +273,10 @@
     return -1;
 }
 
+int format_volume(const char* volume) {
+    return format_volume(volume, NULL);
+}
+
 int setup_install_mounts() {
     if (fstab == NULL) {
         LOGE("can't set up install mounts: no fstab loaded\n");
diff --git a/roots.h b/roots.h
index 230d9de..a14b7d9 100644
--- a/roots.h
+++ b/roots.h
@@ -19,10 +19,6 @@
 
 #include "common.h"
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 // Load and parse volume data from /etc/recovery.fstab.
 void load_volume_table();
 
@@ -33,7 +29,10 @@
 // success (volume is mounted).
 int ensure_path_mounted(const char* path);
 
-// Make sure that the volume 'path' is on is mounted.  Returns 0 on
+// Similar to ensure_path_mounted, but allows one to specify the mount_point.
+int ensure_path_mounted_at(const char* path, const char* mount_point);
+
+// Make sure that the volume 'path' is on is unmounted.  Returns 0 on
 // success (volume is unmounted);
 int ensure_path_unmounted(const char* path);
 
@@ -42,12 +41,14 @@
 // it is mounted.
 int format_volume(const char* volume);
 
+// Reformat the given volume (must be the mount point only, eg
+// "/cache"), no paths permitted.  Attempts to unmount the volume if
+// it is mounted.
+// Copies 'directory' to root of the newly formatted volume
+int format_volume(const char* volume, const char* directory);
+
 // Ensure that all and only the volumes that packages expect to find
 // mounted (/tmp and /cache) are mounted.  Returns 0 on success.
 int setup_install_mounts();
 
-#ifdef __cplusplus
-}
-#endif
-
 #endif  // RECOVERY_ROOTS_H_
diff --git a/screen_ui.cpp b/screen_ui.cpp
index ff95915..85f789f 100644
--- a/screen_ui.cpp
+++ b/screen_ui.cpp
@@ -14,6 +14,7 @@
  * limitations under the License.
  */
 
+#include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/input.h>
@@ -30,16 +31,17 @@
 
 #include <vector>
 
-#include "base/strings.h"
-#include "cutils/properties.h"
+#include <android-base/strings.h>
+#include <android-base/stringprintf.h>
+#include <cutils/properties.h>
+
 #include "common.h"
 #include "device.h"
 #include "minui/minui.h"
 #include "screen_ui.h"
 #include "ui.h"
 
-static int char_width;
-static int char_height;
+#define TEXT_INDENT     4
 
 // Return the current time as a double (including fractions of a second).
 static double now() {
@@ -50,9 +52,9 @@
 
 ScreenRecoveryUI::ScreenRecoveryUI() :
     currentIcon(NONE),
-    installingFrame(0),
     locale(nullptr),
-    rtl_locale(false),
+    intro_done(false),
+    current_frame(0),
     progressBarType(EMPTY),
     progressScopeStart(0),
     progressScopeSize(0),
@@ -71,83 +73,114 @@
     menu_items(0),
     menu_sel(0),
     file_viewer_text_(nullptr),
-    animation_fps(20),
-    installing_frames(-1),
+    intro_frames(0),
+    loop_frames(0),
+    animation_fps(30), // TODO: there's currently no way to infer this.
     stage(-1),
-    max_stage(-1) {
+    max_stage(-1),
+    updateMutex(PTHREAD_MUTEX_INITIALIZER),
+    rtl_locale(false) {
+}
 
-    for (int i = 0; i < 5; i++) {
-        backgroundIcon[i] = nullptr;
+GRSurface* ScreenRecoveryUI::GetCurrentFrame() {
+    if (currentIcon == INSTALLING_UPDATE || currentIcon == ERASING) {
+        return intro_done ? loopFrames[current_frame] : introFrames[current_frame];
     }
-    pthread_mutex_init(&updateMutex, nullptr);
+    return error_icon;
+}
+
+GRSurface* ScreenRecoveryUI::GetCurrentText() {
+    switch (currentIcon) {
+        case ERASING: return erasing_text;
+        case ERROR: return error_text;
+        case INSTALLING_UPDATE: return installing_text;
+        case NO_COMMAND: return no_command_text;
+        case NONE: abort();
+    }
+}
+
+int ScreenRecoveryUI::PixelsFromDp(int dp) {
+    return dp * density_;
+}
+
+// Here's the intended layout:
+
+//          | regular     large
+// ---------+--------------------
+//          |   220dp     366dp
+// icon     |  (200dp)   (200dp)
+//          |    68dp      68dp
+// text     |   (14sp)    (14sp)
+//          |    32dp      32dp
+// progress |    (2dp)     (2dp)
+//          |   194dp     340dp
+
+// Note that "baseline" is actually the *top* of each icon (because that's how our drawing
+// routines work), so that's the more useful measurement for calling code.
+
+int ScreenRecoveryUI::GetAnimationBaseline() {
+    return GetTextBaseline() - PixelsFromDp(68) - gr_get_height(loopFrames[0]);
+}
+
+int ScreenRecoveryUI::GetTextBaseline() {
+    return GetProgressBaseline() - PixelsFromDp(32) - gr_get_height(installing_text);
+}
+
+int ScreenRecoveryUI::GetProgressBaseline() {
+    return gr_fb_height() - PixelsFromDp(is_large_ ? 340 : 194) - gr_get_height(progressBarFill);
 }
 
 // Clear the screen and draw the currently selected background icon (if any).
 // Should only be called with updateMutex locked.
-void ScreenRecoveryUI::draw_background_locked(Icon icon) {
+void ScreenRecoveryUI::draw_background_locked() {
     pagesIdentical = false;
     gr_color(0, 0, 0, 255);
     gr_clear();
 
-    if (icon) {
-        GRSurface* surface = backgroundIcon[icon];
-        if (icon == INSTALLING_UPDATE || icon == ERASING) {
-            surface = installation[installingFrame];
-        }
-        GRSurface* text_surface = backgroundText[icon];
-
-        int iconWidth = gr_get_width(surface);
-        int iconHeight = gr_get_height(surface);
-        int textWidth = gr_get_width(text_surface);
-        int textHeight = gr_get_height(text_surface);
-        int stageHeight = gr_get_height(stageMarkerEmpty);
-
-        int sh = (max_stage >= 0) ? stageHeight : 0;
-
-        iconX = (gr_fb_width() - iconWidth) / 2;
-        iconY = (gr_fb_height() - (iconHeight+textHeight+40+sh)) / 2;
-
-        int textX = (gr_fb_width() - textWidth) / 2;
-        int textY = ((gr_fb_height() - (iconHeight+textHeight+40+sh)) / 2) + iconHeight + 40;
-
-        gr_blit(surface, 0, 0, iconWidth, iconHeight, iconX, iconY);
-        if (stageHeight > 0) {
-            int sw = gr_get_width(stageMarkerEmpty);
+    if (currentIcon != NONE) {
+        if (max_stage != -1) {
+            int stage_height = gr_get_height(stageMarkerEmpty);
+            int stage_width = gr_get_width(stageMarkerEmpty);
             int x = (gr_fb_width() - max_stage * gr_get_width(stageMarkerEmpty)) / 2;
-            int y = iconY + iconHeight + 20;
+            int y = gr_fb_height() - stage_height;
             for (int i = 0; i < max_stage; ++i) {
-                gr_blit((i < stage) ? stageMarkerFill : stageMarkerEmpty,
-                        0, 0, sw, stageHeight, x, y);
-                x += sw;
+                GRSurface* stage_surface = (i < stage) ? stageMarkerFill : stageMarkerEmpty;
+                gr_blit(stage_surface, 0, 0, stage_width, stage_height, x, y);
+                x += stage_width;
             }
         }
 
+        GRSurface* text_surface = GetCurrentText();
+        int text_x = (gr_fb_width() - gr_get_width(text_surface)) / 2;
+        int text_y = GetTextBaseline();
         gr_color(255, 255, 255, 255);
-        gr_texticon(textX, textY, text_surface);
+        gr_texticon(text_x, text_y, text_surface);
     }
 }
 
-// Draw the progress bar (if any) on the screen.  Does not flip pages.
+// Draws the animation and progress bar (if any) on the screen.
+// Does not flip pages.
 // Should only be called with updateMutex locked.
-void ScreenRecoveryUI::draw_progress_locked() {
-    if (currentIcon == ERROR) return;
-
-    if (currentIcon == INSTALLING_UPDATE || currentIcon == ERASING) {
-        GRSurface* icon = installation[installingFrame];
-        gr_blit(icon, 0, 0, gr_get_width(icon), gr_get_height(icon), iconX, iconY);
+void ScreenRecoveryUI::draw_foreground_locked() {
+    if (currentIcon != NONE) {
+        GRSurface* frame = GetCurrentFrame();
+        int frame_width = gr_get_width(frame);
+        int frame_height = gr_get_height(frame);
+        int frame_x = (gr_fb_width() - frame_width) / 2;
+        int frame_y = GetAnimationBaseline();
+        gr_blit(frame, 0, 0, frame_width, frame_height, frame_x, frame_y);
     }
 
     if (progressBarType != EMPTY) {
-        int iconHeight = gr_get_height(backgroundIcon[INSTALLING_UPDATE]);
         int width = gr_get_width(progressBarEmpty);
         int height = gr_get_height(progressBarEmpty);
 
-        int dx = (gr_fb_width() - width)/2;
-        int dy = (3*gr_fb_height() + iconHeight - 2*height)/4;
+        int progress_x = (gr_fb_width() - width)/2;
+        int progress_y = GetProgressBaseline();
 
         // Erase behind the progress bar (in case this was a progress-only update)
         gr_color(0, 0, 0, 255);
-        gr_fill(dx, dy, width, height);
+        gr_fill(progress_x, progress_y, width, height);
 
         if (progressBarType == DETERMINATE) {
             float p = progressScopeStart + progress * progressScopeSize;
@@ -156,18 +189,20 @@
             if (rtl_locale) {
                 // Fill the progress bar from right to left.
                 if (pos > 0) {
-                    gr_blit(progressBarFill, width-pos, 0, pos, height, dx+width-pos, dy);
+                    gr_blit(progressBarFill, width-pos, 0, pos, height,
+                            progress_x+width-pos, progress_y);
                 }
                 if (pos < width-1) {
-                    gr_blit(progressBarEmpty, 0, 0, width-pos, height, dx, dy);
+                    gr_blit(progressBarEmpty, 0, 0, width-pos, height, progress_x, progress_y);
                 }
             } else {
                 // Fill the progress bar from left to right.
                 if (pos > 0) {
-                    gr_blit(progressBarFill, 0, 0, pos, height, dx, dy);
+                    gr_blit(progressBarFill, 0, 0, pos, height, progress_x, progress_y);
                 }
                 if (pos < width-1) {
-                    gr_blit(progressBarEmpty, pos, 0, width-pos, height, dx+pos, dy);
+                    gr_blit(progressBarEmpty, pos, 0, width-pos, height,
+                            progress_x+pos, progress_y);
                 }
             }
         }
@@ -211,14 +246,14 @@
     *y += 4;
 }
 
-void ScreenRecoveryUI::DrawTextLine(int* y, const char* line, bool bold) {
-    gr_text(4, *y, line, bold);
-    *y += char_height + 4;
+void ScreenRecoveryUI::DrawTextLine(int x, int* y, const char* line, bool bold) {
+    gr_text(x, *y, line, bold);
+    *y += char_height_ + 4;
 }
 
-void ScreenRecoveryUI::DrawTextLines(int* y, const char* const* lines) {
+void ScreenRecoveryUI::DrawTextLines(int x, int* y, const char* const* lines) {
     for (size_t i = 0; lines != nullptr && lines[i] != nullptr; ++i) {
-        DrawTextLine(y, lines[i], false);
+        DrawTextLine(x, y, lines[i], false);
     }
 }
 
@@ -237,8 +272,8 @@
 // Should only be called with updateMutex locked.
 void ScreenRecoveryUI::draw_screen_locked() {
     if (!show_text) {
-        draw_background_locked(currentIcon);
-        draw_progress_locked();
+        draw_background_locked();
+        draw_foreground_locked();
     } else {
         gr_color(0, 0, 0, 255);
         gr_clear();
@@ -249,14 +284,14 @@
             property_get("ro.bootimage.build.fingerprint", recovery_fingerprint, "");
 
             SetColor(INFO);
-            DrawTextLine(&y, "Android Recovery", true);
+            DrawTextLine(TEXT_INDENT, &y, "Android Recovery", true);
             for (auto& chunk : android::base::Split(recovery_fingerprint, ":")) {
-                DrawTextLine(&y, chunk.c_str(), false);
+                DrawTextLine(TEXT_INDENT, &y, chunk.c_str(), false);
             }
-            DrawTextLines(&y, HasThreeButtons() ? REGULAR_HELP : LONG_PRESS_HELP);
+            DrawTextLines(TEXT_INDENT, &y, HasThreeButtons() ? REGULAR_HELP : LONG_PRESS_HELP);
 
             SetColor(HEADER);
-            DrawTextLines(&y, menu_headers_);
+            DrawTextLines(TEXT_INDENT, &y, menu_headers_);
 
             SetColor(MENU);
             DrawHorizontalRule(&y);
@@ -265,7 +300,7 @@
                 if (i == menu_sel) {
                     // Draw the highlight bar.
                     SetColor(IsLongPress() ? MENU_SEL_BG_ACTIVE : MENU_SEL_BG);
-                    gr_fill(0, y - 2, gr_fb_width(), y + char_height + 2);
+                    gr_fill(0, y - 2, gr_fb_width(), y + char_height_ + 2);
                     // Bold white text for the selected item.
                     SetColor(MENU_SEL_FG);
                     gr_text(4, y, menu_[i], true);
@@ -273,7 +308,7 @@
                 } else {
                     gr_text(4, y, menu_[i], false);
                 }
-                y += char_height + 4;
+                y += char_height_ + 4;
             }
             DrawHorizontalRule(&y);
         }
@@ -284,9 +319,9 @@
         SetColor(LOG);
         int row = (text_top_ + text_rows_ - 1) % text_rows_;
         size_t count = 0;
-        for (int ty = gr_fb_height() - char_height;
+        for (int ty = gr_fb_height() - char_height_;
              ty >= y && count < text_rows_;
-             ty -= char_height, ++count) {
+             ty -= char_height_, ++count) {
             gr_text(0, ty, text_[row], false);
             --row;
             if (row < 0) row = text_rows_ - 1;
@@ -308,7 +343,7 @@
         draw_screen_locked();    // Must redraw the whole screen
         pagesIdentical = true;
     } else {
-        draw_progress_locked();  // Draw only the progress bar and overlays
+        draw_foreground_locked();  // Draw only the progress bar and overlays
     }
     gr_flip();
 }
@@ -325,14 +360,23 @@
         double start = now();
         pthread_mutex_lock(&updateMutex);
 
-        int redraw = 0;
+        bool redraw = false;
 
         // update the installation animation, if active
         // skip this if we have a text overlay (too expensive to update)
-        if ((currentIcon == INSTALLING_UPDATE || currentIcon == ERASING) &&
-            installing_frames > 0 && !show_text) {
-            installingFrame = (installingFrame + 1) % installing_frames;
-            redraw = 1;
+        if ((currentIcon == INSTALLING_UPDATE || currentIcon == ERASING) && !show_text) {
+            if (!intro_done) {
+                if (current_frame == intro_frames - 1) {
+                    intro_done = true;
+                    current_frame = 0;
+                } else {
+                    ++current_frame;
+                }
+            } else {
+                current_frame = (current_frame + 1) % loop_frames;
+            }
+
+            redraw = true;
         }
 
         // move the progress bar forward on timed intervals, if configured
@@ -343,7 +387,7 @@
             if (p > 1.0) p = 1.0;
             if (p > progress) {
                 progress = p;
-                redraw = 1;
+                redraw = true;
             }
         }
 
@@ -361,21 +405,14 @@
 void ScreenRecoveryUI::LoadBitmap(const char* filename, GRSurface** surface) {
     int result = res_create_display_surface(filename, surface);
     if (result < 0) {
-        LOGE("missing bitmap %s\n(Code %d)\n", filename, result);
-    }
-}
-
-void ScreenRecoveryUI::LoadBitmapArray(const char* filename, int* frames, GRSurface*** surface) {
-    int result = res_create_multi_display_surface(filename, frames, surface);
-    if (result < 0) {
-        LOGE("missing bitmap %s\n(Code %d)\n", filename, result);
+        LOGE("couldn't load bitmap %s (error %d)\n", filename, result);
     }
 }
 
 void ScreenRecoveryUI::LoadLocalizedBitmap(const char* filename, GRSurface** surface) {
     int result = res_create_localized_alpha_surface(filename, locale, surface);
     if (result < 0) {
-        LOGE("missing bitmap %s\n(Code %d)\n", filename, result);
+        LOGE("couldn't load bitmap %s (error %d)\n", filename, result);
     }
 }
 
@@ -388,12 +425,25 @@
     return result;
 }
 
+// Choose the right background string to display during update.
+void ScreenRecoveryUI::SetSystemUpdateText(bool security_update) {
+    if (security_update) {
+        LoadLocalizedBitmap("installing_security_text", &installing_text);
+    } else {
+        LoadLocalizedBitmap("installing_text", &installing_text);
+    }
+    Redraw();
+}
+
 void ScreenRecoveryUI::Init() {
     gr_init();
 
-    gr_font_size(&char_width, &char_height);
-    text_rows_ = gr_fb_height() / char_height;
-    text_cols_ = gr_fb_width() / char_width;
+    density_ = static_cast<float>(property_get_int32("ro.sf.lcd_density", 160)) / 160.f;
+    is_large_ = gr_fb_height() > PixelsFromDp(800);
+
+    gr_font_size(&char_width_, &char_height_);
+    text_rows_ = gr_fb_height() / char_height_;
+    text_cols_ = gr_fb_width() / char_width_;
 
     text_ = Alloc2d(text_rows_, text_cols_ + 1);
     file_viewer_text_ = Alloc2d(text_rows_, text_cols_ + 1);
@@ -402,31 +452,64 @@
     text_col_ = text_row_ = 0;
     text_top_ = 1;
 
-    backgroundIcon[NONE] = nullptr;
-    LoadBitmapArray("icon_installing", &installing_frames, &installation);
-    backgroundIcon[INSTALLING_UPDATE] = installing_frames ? installation[0] : nullptr;
-    backgroundIcon[ERASING] = backgroundIcon[INSTALLING_UPDATE];
-    LoadBitmap("icon_error", &backgroundIcon[ERROR]);
-    backgroundIcon[NO_COMMAND] = backgroundIcon[ERROR];
+    LoadBitmap("icon_error", &error_icon);
 
     LoadBitmap("progress_empty", &progressBarEmpty);
     LoadBitmap("progress_fill", &progressBarFill);
+
     LoadBitmap("stage_empty", &stageMarkerEmpty);
     LoadBitmap("stage_fill", &stageMarkerFill);
 
-    LoadLocalizedBitmap("installing_text", &backgroundText[INSTALLING_UPDATE]);
-    LoadLocalizedBitmap("erasing_text", &backgroundText[ERASING]);
-    LoadLocalizedBitmap("no_command_text", &backgroundText[NO_COMMAND]);
-    LoadLocalizedBitmap("error_text", &backgroundText[ERROR]);
+    // Background text for "installing_update" could be "installing update"
+    // or "installing security update". It will be set after UI init according
+    // to commands in BCB.
+    installing_text = nullptr;
+    LoadLocalizedBitmap("erasing_text", &erasing_text);
+    LoadLocalizedBitmap("no_command_text", &no_command_text);
+    LoadLocalizedBitmap("error_text", &error_text);
+
+    LoadAnimation();
 
     pthread_create(&progress_thread_, nullptr, ProgressThreadStartRoutine, this);
 
     RecoveryUI::Init();
 }
 
+void ScreenRecoveryUI::LoadAnimation() {
+    // How many frames of intro and loop do we have?
+    std::unique_ptr<DIR, decltype(&closedir)> dir(opendir("/res/images"), closedir);
+    dirent* de;
+    while ((de = readdir(dir.get())) != nullptr) {
+        int value;
+        if (sscanf(de->d_name, "intro%d", &value) == 1 && intro_frames < (value + 1)) {
+            intro_frames = value + 1;
+        } else if (sscanf(de->d_name, "loop%d", &value) == 1 && loop_frames < (value + 1)) {
+            loop_frames = value + 1;
+        }
+    }
+
+    // It's okay to not have an intro.
+    if (intro_frames == 0) intro_done = true;
+    // But you must have an animation.
+    if (loop_frames == 0) abort();
+
+    introFrames = new GRSurface*[intro_frames];
+    for (int i = 0; i < intro_frames; ++i) {
+        // TODO: remember the names above, so we don't have to hard-code the number of 0s.
+        LoadBitmap(android::base::StringPrintf("intro%05d", i).c_str(), &introFrames[i]);
+    }
+
+    loopFrames = new GRSurface*[loop_frames];
+    for (int i = 0; i < loop_frames; ++i) {
+        LoadBitmap(android::base::StringPrintf("loop%05d", i).c_str(), &loopFrames[i]);
+    }
+}
+
 void ScreenRecoveryUI::SetLocale(const char* new_locale) {
-    if (new_locale) {
-        this->locale = new_locale;
+    this->locale = new_locale;
+    this->rtl_locale = false;
+
+    if (locale) {
         char* lang = strdup(locale);
         for (char* p = lang; *p; ++p) {
             if (*p == '_') {
@@ -435,8 +518,7 @@
             }
         }
 
-        // A bit cheesy: keep an explicit list of supported languages
-        // that are RTL.
+        // A bit cheesy: keep an explicit list of supported RTL languages.
         if (strcmp(lang, "ar") == 0 ||   // Arabic
             strcmp(lang, "fa") == 0 ||   // Persian (Farsi)
             strcmp(lang, "he") == 0 ||   // Hebrew (new language code)
@@ -445,8 +527,6 @@
             rtl_locale = true;
         }
         free(lang);
-    } else {
-        new_locale = nullptr;
     }
 }
 
@@ -506,18 +586,17 @@
     pthread_mutex_unlock(&updateMutex);
 }
 
-void ScreenRecoveryUI::Print(const char *fmt, ...) {
-    char buf[256];
-    va_list ap;
-    va_start(ap, fmt);
-    vsnprintf(buf, 256, fmt, ap);
-    va_end(ap);
+void ScreenRecoveryUI::PrintV(const char* fmt, bool copy_to_stdout, va_list ap) {
+    std::string str;
+    android::base::StringAppendV(&str, fmt, ap);
 
-    fputs(buf, stdout);
+    if (copy_to_stdout) {
+        fputs(str.c_str(), stdout);
+    }
 
     pthread_mutex_lock(&updateMutex);
     if (text_rows_ > 0 && text_cols_ > 0) {
-        for (const char* ptr = buf; *ptr != '\0'; ++ptr) {
+        for (const char* ptr = str.c_str(); *ptr != '\0'; ++ptr) {
             if (*ptr == '\n' || text_col_ >= text_cols_) {
                 text_[text_row_][text_col_] = '\0';
                 text_col_ = 0;
@@ -532,6 +611,20 @@
     pthread_mutex_unlock(&updateMutex);
 }
 
+void ScreenRecoveryUI::Print(const char* fmt, ...) {
+    va_list ap;
+    va_start(ap, fmt);
+    PrintV(fmt, true, ap);
+    va_end(ap);
+}
+
+void ScreenRecoveryUI::PrintOnScreenOnly(const char *fmt, ...) {
+    va_list ap;
+    va_start(ap, fmt);
+    PrintV(fmt, false, ap);
+    va_end(ap);
+}
+
 void ScreenRecoveryUI::PutChar(char ch) {
     pthread_mutex_lock(&updateMutex);
     if (ch != '\n') text_[text_row_][text_col_++] = ch;
@@ -566,7 +659,7 @@
     bool show_prompt = false;
     while (true) {
         if (show_prompt) {
-            Print("--(%d%% of %d bytes)--",
+            PrintOnScreenOnly("--(%d%% of %d bytes)--",
                   static_cast<int>(100 * (double(ftell(fp)) / double(sb.st_size))),
                   static_cast<int>(sb.st_size));
             Redraw();
diff --git a/screen_ui.h b/screen_ui.h
index ea05bf1..4319b76 100644
--- a/screen_ui.h
+++ b/screen_ui.h
@@ -34,6 +34,7 @@
 
     // overall recovery state ("background image")
     void SetBackground(Icon icon);
+    void SetSystemUpdateText(bool security_update);
 
     // progress indicator
     void SetProgressType(ProgressType type);
@@ -49,6 +50,7 @@
 
     // printing messages
     void Print(const char* fmt, ...) __printflike(2, 3);
+    void PrintOnScreenOnly(const char* fmt, ...) __printflike(2, 3);
     void ShowFile(const char* filename);
 
     // menu display
@@ -66,16 +68,28 @@
     };
     void SetColor(UIElement e);
 
-  private:
+  protected:
     Icon currentIcon;
-    int installingFrame;
-    const char* locale;
-    bool rtl_locale;
 
-    pthread_mutex_t updateMutex;
-    GRSurface* backgroundIcon[5];
-    GRSurface* backgroundText[5];
-    GRSurface** installation;
+    const char* locale;
+    bool intro_done;
+    int current_frame;
+
+    // The scale factor from dp to pixels. 1.0 for mdpi, 4.0 for xxxhdpi.
+    float density_;
+    // True if we should use the large layout.
+    bool is_large_;
+
+    GRSurface* error_icon;
+
+    GRSurface* erasing_text;
+    GRSurface* error_text;
+    GRSurface* installing_text;
+    GRSurface* no_command_text;
+
+    GRSurface** introFrames;
+    GRSurface** loopFrames;
+
     GRSurface* progressBarEmpty;
     GRSurface* progressBarFill;
     GRSurface* stageMarkerEmpty;
@@ -108,33 +122,49 @@
 
     pthread_t progress_thread_;
 
-    int animation_fps;
-    int installing_frames;
+    // Number of intro frames and loop frames in the animation.
+    int intro_frames;
+    int loop_frames;
 
-    int iconX, iconY;
+    // Number of frames per sec (default: 30) for both parts of the animation.
+    int animation_fps;
 
     int stage, max_stage;
 
-    void draw_background_locked(Icon icon);
-    void draw_progress_locked();
+    int char_width_;
+    int char_height_;
+    pthread_mutex_t updateMutex;
+    bool rtl_locale;
+
+    void draw_background_locked();
+    void draw_foreground_locked();
     void draw_screen_locked();
     void update_screen_locked();
     void update_progress_locked();
 
+    GRSurface* GetCurrentFrame();
+    GRSurface* GetCurrentText();
+
     static void* ProgressThreadStartRoutine(void* data);
     void ProgressThreadLoop();
 
     void ShowFile(FILE*);
+    void PrintV(const char*, bool, va_list);
     void PutChar(char);
     void ClearText();
 
-    void DrawHorizontalRule(int* y);
-    void DrawTextLine(int* y, const char* line, bool bold);
-    void DrawTextLines(int* y, const char* const* lines);
-
+    void LoadAnimation();
     void LoadBitmap(const char* filename, GRSurface** surface);
-    void LoadBitmapArray(const char* filename, int* frames, GRSurface*** surface);
     void LoadLocalizedBitmap(const char* filename, GRSurface** surface);
+
+    int PixelsFromDp(int dp);
+    int GetAnimationBaseline();
+    int GetProgressBaseline();
+    int GetTextBaseline();
+
+    void DrawHorizontalRule(int* y);
+    void DrawTextLine(int x, int* y, const char* line, bool bold);
+    void DrawTextLines(int x, int* y, const char* const* lines);
 };
 
 #endif  // RECOVERY_UI_H
diff --git a/tests/Android.mk b/tests/Android.mk
index 02a272a..a66991b 100644
--- a/tests/Android.mk
+++ b/tests/Android.mk
@@ -16,10 +16,54 @@
 
 LOCAL_PATH := $(call my-dir)
 
+# Unit tests
 include $(CLEAR_VARS)
+LOCAL_CLANG := true
+LOCAL_MODULE := recovery_unit_test
 LOCAL_ADDITIONAL_DEPENDENCIES := $(LOCAL_PATH)/Android.mk
-LOCAL_STATIC_LIBRARIES := libverifier
-LOCAL_SRC_FILES := asn1_decoder_test.cpp
-LOCAL_MODULE := asn1_decoder_test
-LOCAL_C_INCLUDES := $(LOCAL_PATH)/..
+LOCAL_STATIC_LIBRARIES := \
+    libverifier \
+    libminui
+
+LOCAL_SRC_FILES := unit/asn1_decoder_test.cpp
+LOCAL_SRC_FILES += unit/recovery_test.cpp
+LOCAL_SRC_FILES += unit/locale_test.cpp
+LOCAL_C_INCLUDES := bootable/recovery
+LOCAL_SHARED_LIBRARIES := liblog
+include $(BUILD_NATIVE_TEST)
+
+# Component tests
+include $(CLEAR_VARS)
+LOCAL_CLANG := true
+LOCAL_CFLAGS += -Wno-unused-parameter
+LOCAL_ADDITIONAL_DEPENDENCIES := $(LOCAL_PATH)/Android.mk
+LOCAL_MODULE := recovery_component_test
+LOCAL_C_INCLUDES := bootable/recovery
+LOCAL_SRC_FILES := \
+    component/verifier_test.cpp \
+    component/applypatch_test.cpp
+LOCAL_FORCE_STATIC_EXECUTABLE := true
+LOCAL_STATIC_LIBRARIES := \
+    libapplypatch \
+    libotafault \
+    libmtdutils \
+    libbase \
+    libverifier \
+    libcrypto_static \
+    libminui \
+    libminzip \
+    libcutils \
+    libbz \
+    libz \
+    libc
+
+testdata_out_path := $(TARGET_OUT_DATA_NATIVE_TESTS)/recovery
+testdata_files := $(call find-subdir-files, testdata/*)
+
+GEN := $(addprefix $(testdata_out_path)/, $(testdata_files))
+$(GEN): PRIVATE_PATH := $(LOCAL_PATH)
+$(GEN): PRIVATE_CUSTOM_TOOL = cp $< $@
+$(GEN): $(testdata_out_path)/% : $(LOCAL_PATH)/%
+	$(transform-generated-source)
+LOCAL_GENERATED_SOURCES += $(GEN)
 include $(BUILD_NATIVE_TEST)
diff --git a/tests/common/test_constants.h b/tests/common/test_constants.h
new file mode 100644
index 0000000..3490f68
--- /dev/null
+++ b/tests/common/test_constants.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agree to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef _OTA_TEST_CONSTANTS_H
+#define _OTA_TEST_CONSTANTS_H
+
+#if defined(__LP64__)
+#define NATIVE_TEST_PATH "/nativetest64"
+#else
+#define NATIVE_TEST_PATH "/nativetest"
+#endif
+
+#endif
diff --git a/tests/component/applypatch_test.cpp b/tests/component/applypatch_test.cpp
new file mode 100644
index 0000000..b44ddd1
--- /dev/null
+++ b/tests/component/applypatch_test.cpp
@@ -0,0 +1,392 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agree to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <fcntl.h>
+#include <gtest/gtest.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/statvfs.h>
+#include <sys/types.h>
+#include <time.h>
+
+#include <string>
+
+#include <android-base/file.h>
+#include <android-base/stringprintf.h>
+#include <android-base/test_utils.h>
+
+#include "applypatch/applypatch.h"
+#include "common/test_constants.h"
+#include "openssl/sha.h"
+#include "print_sha1.h"
+
+static const std::string DATA_PATH = getenv("ANDROID_DATA");
+static const std::string TESTDATA_PATH = "/recovery/testdata";
+static const std::string WORK_FS = "/data";
+
+static std::string sha1sum(const std::string& fname) {
+    uint8_t digest[SHA_DIGEST_LENGTH];
+    std::string data;
+    android::base::ReadFileToString(fname, &data);
+
+    SHA1((const uint8_t*)data.c_str(), data.size(), digest);
+    return print_sha1(digest);
+}
+
+static void mangle_file(const std::string& fname) {
+    FILE* fh = fopen(&fname[0], "w");
+    int r;
+    for (int i=0; i < 1024; i++) {
+        r = rand();
+        fwrite(&r, sizeof(short), 1, fh);
+    }
+    fclose(fh);
+}
+
+static bool file_cmp(std::string& f1, std::string& f2) {
+    std::string c1;
+    std::string c2;
+    android::base::ReadFileToString(f1, &c1);
+    android::base::ReadFileToString(f2, &c2);
+    return c1 == c2;
+}
+
+static std::string from_testdata_base(const std::string fname) {
+    return android::base::StringPrintf("%s%s%s/%s",
+            &DATA_PATH[0],
+            &NATIVE_TEST_PATH[0],
+            &TESTDATA_PATH[0],
+            &fname[0]);
+}
+
+class ApplyPatchTest : public ::testing::Test {
+    public:
+        static void SetUpTestCase() {
+            // set up files
+            old_file = from_testdata_base("old.file");
+            new_file = from_testdata_base("new.file");
+            patch_file = from_testdata_base("patch.bsdiff");
+            rand_file = "/cache/applypatch_test_rand.file";
+            cache_file = "/cache/saved.file";
+
+            // write stuff to rand_file
+            android::base::WriteStringToFile("hello", rand_file);
+
+            // set up SHA constants
+            old_sha1 = sha1sum(old_file);
+            new_sha1 = sha1sum(new_file);
+            srand(time(NULL));
+            bad_sha1_a = android::base::StringPrintf("%040x", rand());
+            bad_sha1_b = android::base::StringPrintf("%040x", rand());
+
+            struct stat st;
+            stat(&new_file[0], &st);
+            new_size = st.st_size;
+        }
+
+        static std::string old_file;
+        static std::string new_file;
+        static std::string rand_file;
+        static std::string cache_file;
+        static std::string patch_file;
+
+        static std::string old_sha1;
+        static std::string new_sha1;
+        static std::string bad_sha1_a;
+        static std::string bad_sha1_b;
+
+        static size_t new_size;
+};
+
+std::string ApplyPatchTest::old_file;
+std::string ApplyPatchTest::new_file;
+
+static void cp(std::string src, std::string tgt) {
+    std::string cmd = android::base::StringPrintf("cp %s %s",
+            &src[0],
+            &tgt[0]);
+    system(&cmd[0]);
+}
+
+static void backup_old() {
+    cp(ApplyPatchTest::old_file, ApplyPatchTest::cache_file);
+}
+
+static void restore_old() {
+    cp(ApplyPatchTest::cache_file, ApplyPatchTest::old_file);
+}
+
+class ApplyPatchCacheTest : public ApplyPatchTest {
+    public:
+        virtual void SetUp() {
+            backup_old();
+        }
+
+        virtual void TearDown() {
+            restore_old();
+        }
+};
+
+class ApplyPatchFullTest : public ApplyPatchCacheTest {
+    public:
+        static void SetUpTestCase() {
+            ApplyPatchTest::SetUpTestCase();
+            unsigned long free_kb = FreeSpaceForFile(&WORK_FS[0]);
+            ASSERT_GE(free_kb * 1024, new_size * 3 / 2);
+            output_f = new TemporaryFile();
+            output_loc = std::string(output_f->path);
+
+            struct FileContents fc;
+
+            ASSERT_EQ(0, LoadFileContents(&rand_file[0], &fc));
+            Value* patch1 = new Value();
+            patch1->type = VAL_BLOB;
+            patch1->size = fc.data.size();
+            patch1->data = static_cast<char*>(malloc(fc.data.size()));
+            memcpy(patch1->data, fc.data.data(), fc.data.size());
+            patches.push_back(patch1);
+
+            ASSERT_EQ(0, LoadFileContents(&patch_file[0], &fc));
+            Value* patch2 = new Value();
+            patch2->type = VAL_BLOB;
+            patch2->size = fc.st.st_size;
+            patch2->data = static_cast<char*>(malloc(fc.data.size()));
+            memcpy(patch2->data, fc.data.data(), fc.data.size());
+            patches.push_back(patch2);
+        }
+        static void TearDownTestCase() {
+            delete output_f;
+            for (auto it = patches.begin(); it != patches.end(); ++it) {
+                free((*it)->data);
+                delete *it;
+            }
+            patches.clear();
+        }
+
+        static std::vector<Value*> patches;
+        static TemporaryFile* output_f;
+        static std::string output_loc;
+};
+
+class ApplyPatchDoubleCacheTest : public ApplyPatchFullTest {
+    public:
+        virtual void SetUp() {
+            ApplyPatchCacheTest::SetUp();
+            cp(cache_file, "/cache/reallysaved.file");
+        }
+
+        virtual void TearDown() {
+            cp("/cache/reallysaved.file", cache_file);
+            ApplyPatchCacheTest::TearDown();
+        }
+};
+
+std::string ApplyPatchTest::rand_file;
+std::string ApplyPatchTest::patch_file;
+std::string ApplyPatchTest::cache_file;
+std::string ApplyPatchTest::old_sha1;
+std::string ApplyPatchTest::new_sha1;
+std::string ApplyPatchTest::bad_sha1_a;
+std::string ApplyPatchTest::bad_sha1_b;
+
+size_t ApplyPatchTest::new_size;
+
+std::vector<Value*> ApplyPatchFullTest::patches;
+TemporaryFile* ApplyPatchFullTest::output_f;
+std::string ApplyPatchFullTest::output_loc;
+
+TEST_F(ApplyPatchTest, CheckModeSingle) {
+    char* s = &old_sha1[0];
+    ASSERT_EQ(0, applypatch_check(&old_file[0], 1, &s));
+}
+
+TEST_F(ApplyPatchTest, CheckModeMultiple) {
+    char* argv[3] = {
+        &bad_sha1_a[0],
+        &old_sha1[0],
+        &bad_sha1_b[0]
+    };
+    ASSERT_EQ(0, applypatch_check(&old_file[0], 3, argv));
+}
+
+TEST_F(ApplyPatchTest, CheckModeFailure) {
+    char* argv[2] = {
+        &bad_sha1_a[0],
+        &bad_sha1_b[0]
+    };
+    ASSERT_NE(0, applypatch_check(&old_file[0], 2, argv));
+}
+
+TEST_F(ApplyPatchCacheTest, CheckCacheCorruptedSingle) {
+    mangle_file(old_file);
+    char* s = &old_sha1[0];
+    ASSERT_EQ(0, applypatch_check(&old_file[0], 1, &s));
+}
+
+TEST_F(ApplyPatchCacheTest, CheckCacheCorruptedMultiple) {
+    mangle_file(old_file);
+    char* argv[3] = {
+        &bad_sha1_a[0],
+        &old_sha1[0],
+        &bad_sha1_b[0]
+    };
+    ASSERT_EQ(0, applypatch_check(&old_file[0], 3, argv));
+}
+
+TEST_F(ApplyPatchCacheTest, CheckCacheCorruptedFailure) {
+    mangle_file(old_file);
+    char* argv[2] = {
+        &bad_sha1_a[0],
+        &bad_sha1_b[0]
+    };
+    ASSERT_NE(0, applypatch_check(&old_file[0], 2, argv));
+}
+
+TEST_F(ApplyPatchCacheTest, CheckCacheMissingSingle) {
+    unlink(&old_file[0]);
+    char* s = &old_sha1[0];
+    ASSERT_EQ(0, applypatch_check(&old_file[0], 1, &s));
+}
+
+TEST_F(ApplyPatchCacheTest, CheckCacheMissingMultiple) {
+    unlink(&old_file[0]);
+    char* argv[3] = {
+        &bad_sha1_a[0],
+        &old_sha1[0],
+        &bad_sha1_b[0]
+    };
+    ASSERT_EQ(0, applypatch_check(&old_file[0], 3, argv));
+}
+
+TEST_F(ApplyPatchCacheTest, CheckCacheMissingFailure) {
+    unlink(&old_file[0]);
+    char* argv[2] = {
+        &bad_sha1_a[0],
+        &bad_sha1_b[0]
+    };
+    ASSERT_NE(0, applypatch_check(&old_file[0], 2, argv));
+}
+
+TEST_F(ApplyPatchFullTest, ApplyInPlace) {
+    std::vector<char*> sha1s;
+    sha1s.push_back(&bad_sha1_a[0]);
+    sha1s.push_back(&old_sha1[0]);
+
+    int ap_result = applypatch(&old_file[0],
+            "-",
+            &new_sha1[0],
+            new_size,
+            2,
+            sha1s.data(),
+            patches.data(),
+            nullptr);
+    ASSERT_EQ(0, ap_result);
+    ASSERT_TRUE(file_cmp(old_file, new_file));
+    // reapply, applypatch is idempotent so it should succeed
+    ap_result = applypatch(&old_file[0],
+            "-",
+            &new_sha1[0],
+            new_size,
+            2,
+            sha1s.data(),
+            patches.data(),
+            nullptr);
+    ASSERT_EQ(0, ap_result);
+    ASSERT_TRUE(file_cmp(old_file, new_file));
+}
+
+TEST_F(ApplyPatchFullTest, ApplyInNewLocation) {
+    std::vector<char*> sha1s;
+    sha1s.push_back(&bad_sha1_a[0]);
+    sha1s.push_back(&old_sha1[0]);
+    int ap_result = applypatch(&old_file[0],
+            &output_loc[0],
+            &new_sha1[0],
+            new_size,
+            2,
+            sha1s.data(),
+            patches.data(),
+            nullptr);
+    ASSERT_EQ(0, ap_result);
+    ASSERT_TRUE(file_cmp(output_loc, new_file));
+    ap_result = applypatch(&old_file[0],
+            &output_loc[0],
+            &new_sha1[0],
+            new_size,
+            2,
+            sha1s.data(),
+            patches.data(),
+            nullptr);
+    ASSERT_EQ(0, ap_result);
+    ASSERT_TRUE(file_cmp(output_loc, new_file));
+}
+
+TEST_F(ApplyPatchFullTest, ApplyCorruptedInNewLocation) {
+    mangle_file(old_file);
+    std::vector<char*> sha1s;
+    sha1s.push_back(&bad_sha1_a[0]);
+    sha1s.push_back(&old_sha1[0]);
+    int ap_result = applypatch(&old_file[0],
+            &output_loc[0],
+            &new_sha1[0],
+            new_size,
+            2,
+            sha1s.data(),
+            patches.data(),
+            nullptr);
+    ASSERT_EQ(0, ap_result);
+    ASSERT_TRUE(file_cmp(output_loc, new_file));
+    ap_result = applypatch(&old_file[0],
+            &output_loc[0],
+            &new_sha1[0],
+            new_size,
+            2,
+            sha1s.data(),
+            patches.data(),
+            nullptr);
+    ASSERT_EQ(0, ap_result);
+    ASSERT_TRUE(file_cmp(output_loc, new_file));
+}
+
+TEST_F(ApplyPatchDoubleCacheTest, ApplyDoubleCorruptedInNewLocation) {
+    mangle_file(old_file);
+    mangle_file(cache_file);
+
+    std::vector<char*> sha1s;
+    sha1s.push_back(&bad_sha1_a[0]);
+    sha1s.push_back(&old_sha1[0]);
+    int ap_result = applypatch(&old_file[0],
+            &output_loc[0],
+            &new_sha1[0],
+            new_size,
+            2,
+            sha1s.data(),
+            patches.data(),
+            nullptr);
+    ASSERT_NE(0, ap_result);
+    ASSERT_FALSE(file_cmp(output_loc, new_file));
+    ap_result = applypatch(&old_file[0],
+            &output_loc[0],
+            &new_sha1[0],
+            new_size,
+            2,
+            sha1s.data(),
+            patches.data(),
+            nullptr);
+    ASSERT_NE(0, ap_result);
+    ASSERT_FALSE(file_cmp(output_loc, new_file));
+}
diff --git a/tests/component/verifier_test.cpp b/tests/component/verifier_test.cpp
new file mode 100644
index 0000000..780ff28
--- /dev/null
+++ b/tests/component/verifier_test.cpp
@@ -0,0 +1,178 @@
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agree to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <gtest/gtest.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <memory>
+#include <string>
+#include <vector>
+
+#include <openssl/sha.h>
+
+#include <android-base/stringprintf.h>
+
+#include "common.h"
+#include "common/test_constants.h"
+#include "minzip/SysUtil.h"
+#include "ui.h"
+#include "verifier.h"
+
+static const char* DATA_PATH = getenv("ANDROID_DATA");
+static const char* TESTDATA_PATH = "/recovery/testdata/";
+
+RecoveryUI* ui = NULL;
+
+class MockUI : public RecoveryUI {
+    void Init() { }
+    void SetStage(int, int) { }
+    void SetLocale(const char*) { }
+    void SetBackground(Icon icon) { }
+    void SetSystemUpdateText(bool security_update) { }
+
+    void SetProgressType(ProgressType determinate) { }
+    void ShowProgress(float portion, float seconds) { }
+    void SetProgress(float fraction) { }
+
+    void ShowText(bool visible) { }
+    bool IsTextVisible() { return false; }
+    bool WasTextEverVisible() { return false; }
+    void Print(const char* fmt, ...) {
+        va_list ap;
+        va_start(ap, fmt);
+        vfprintf(stderr, fmt, ap);
+        va_end(ap);
+    }
+    void PrintOnScreenOnly(const char* fmt, ...) {
+        va_list ap;
+        va_start(ap, fmt);
+        vfprintf(stderr, fmt, ap);
+        va_end(ap);
+    }
+    void ShowFile(const char*) { }
+
+    void StartMenu(const char* const * headers, const char* const * items,
+                           int initial_selection) { }
+    int SelectMenu(int sel) { return 0; }
+    void EndMenu() { }
+};
+
+void
+ui_print(const char* format, ...) {
+    va_list ap;
+    va_start(ap, format);
+    vfprintf(stdout, format, ap);
+    va_end(ap);
+}
+
+class VerifierTest : public testing::TestWithParam<std::vector<std::string>> {
+  public:
+    MemMapping memmap;
+    std::vector<Certificate> certs;
+
+    virtual void SetUp() {
+        std::vector<std::string> args = GetParam();
+        std::string package =
+            android::base::StringPrintf("%s%s%s%s", DATA_PATH, NATIVE_TEST_PATH,
+                                        TESTDATA_PATH, args[0].c_str());
+        if (sysMapFile(package.c_str(), &memmap) != 0) {
+            FAIL() << "Failed to mmap " << package << ": " << strerror(errno)
+                   << "\n";
+        }
+
+        for (auto it = ++(args.cbegin()); it != args.cend(); ++it) {
+            if (it->substr(it->length() - 3, it->length()) == "256") {
+                if (certs.empty()) {
+                    FAIL() << "May only specify -sha256 after key type\n";
+                }
+                certs.back().hash_len = SHA256_DIGEST_LENGTH;
+            } else {
+                std::string public_key_file = android::base::StringPrintf(
+                    "%s%s%stest_key_%s.txt", DATA_PATH, NATIVE_TEST_PATH,
+                    TESTDATA_PATH, it->c_str());
+                ASSERT_TRUE(load_keys(public_key_file.c_str(), certs));
+                certs.back().hash_len = SHA_DIGEST_LENGTH;
+            }
+        }
+        if (certs.empty()) {
+            std::string public_key_file = android::base::StringPrintf(
+                "%s%s%stest_key_e3.txt", DATA_PATH, NATIVE_TEST_PATH,
+                TESTDATA_PATH);
+            ASSERT_TRUE(load_keys(public_key_file.c_str(), certs));
+            certs.back().hash_len = SHA_DIGEST_LENGTH;
+        }
+    }
+
+    static void SetUpTestCase() {
+        ui = new MockUI();
+    }
+};
+
+class VerifierSuccessTest : public VerifierTest {
+};
+
+class VerifierFailureTest : public VerifierTest {
+};
+
+TEST_P(VerifierSuccessTest, VerifySucceed) {
+    ASSERT_EQ(verify_file(memmap.addr, memmap.length, certs), VERIFY_SUCCESS);
+}
+
+TEST_P(VerifierFailureTest, VerifyFailure) {
+    ASSERT_EQ(verify_file(memmap.addr, memmap.length, certs), VERIFY_FAILURE);
+}
+
+INSTANTIATE_TEST_CASE_P(SingleKeySuccess, VerifierSuccessTest,
+        ::testing::Values(
+            std::vector<std::string>({"otasigned.zip", "e3"}),
+            std::vector<std::string>({"otasigned_f4.zip", "f4"}),
+            std::vector<std::string>({"otasigned_sha256.zip", "e3", "sha256"}),
+            std::vector<std::string>({"otasigned_f4_sha256.zip", "f4", "sha256"}),
+            std::vector<std::string>({"otasigned_ecdsa_sha256.zip", "ec", "sha256"})));
+
+INSTANTIATE_TEST_CASE_P(MultiKeySuccess, VerifierSuccessTest,
+        ::testing::Values(
+            std::vector<std::string>({"otasigned.zip", "f4", "e3"}),
+            std::vector<std::string>({"otasigned_f4.zip", "ec", "f4"}),
+            std::vector<std::string>({"otasigned_sha256.zip", "ec", "e3", "e3", "sha256"}),
+            std::vector<std::string>({"otasigned_f4_sha256.zip", "ec", "sha256", "e3", "f4", "sha256"}),
+            std::vector<std::string>({"otasigned_ecdsa_sha256.zip", "f4", "sha256", "e3", "ec", "sha256"})));
+
+INSTANTIATE_TEST_CASE_P(WrongKey, VerifierFailureTest,
+        ::testing::Values(
+            std::vector<std::string>({"otasigned.zip", "f4"}),
+            std::vector<std::string>({"otasigned_f4.zip", "e3"}),
+            std::vector<std::string>({"otasigned_ecdsa_sha256.zip", "e3", "sha256"})));
+
+INSTANTIATE_TEST_CASE_P(WrongHash, VerifierFailureTest,
+        ::testing::Values(
+            std::vector<std::string>({"otasigned.zip", "e3", "sha256"}),
+            std::vector<std::string>({"otasigned_f4.zip", "f4", "sha256"}),
+            std::vector<std::string>({"otasigned_sha256.zip"}),
+            std::vector<std::string>({"otasigned_f4_sha256.zip", "f4"}),
+            std::vector<std::string>({"otasigned_ecdsa_sha256.zip"})));
+
+INSTANTIATE_TEST_CASE_P(BadPackage, VerifierFailureTest,
+        ::testing::Values(
+            std::vector<std::string>({"random.zip"}),
+            std::vector<std::string>({"fake-eocd.zip"}),
+            std::vector<std::string>({"alter-metadata.zip"}),
+            std::vector<std::string>({"alter-footer.zip"})));
diff --git a/testdata/alter-footer.zip b/tests/testdata/alter-footer.zip
similarity index 100%
rename from testdata/alter-footer.zip
rename to tests/testdata/alter-footer.zip
Binary files differ
diff --git a/testdata/alter-metadata.zip b/tests/testdata/alter-metadata.zip
similarity index 100%
rename from testdata/alter-metadata.zip
rename to tests/testdata/alter-metadata.zip
Binary files differ
diff --git a/testdata/fake-eocd.zip b/tests/testdata/fake-eocd.zip
similarity index 100%
rename from testdata/fake-eocd.zip
rename to tests/testdata/fake-eocd.zip
Binary files differ
diff --git a/testdata/jarsigned.zip b/tests/testdata/jarsigned.zip
similarity index 100%
rename from testdata/jarsigned.zip
rename to tests/testdata/jarsigned.zip
Binary files differ
diff --git a/tests/testdata/new.file b/tests/testdata/new.file
new file mode 100644
index 0000000..cdeb8fd
--- /dev/null
+++ b/tests/testdata/new.file
Binary files differ
diff --git a/tests/testdata/old.file b/tests/testdata/old.file
new file mode 100644
index 0000000..166c873
--- /dev/null
+++ b/tests/testdata/old.file
Binary files differ
diff --git a/testdata/otasigned.zip b/tests/testdata/otasigned.zip
similarity index 100%
rename from testdata/otasigned.zip
rename to tests/testdata/otasigned.zip
Binary files differ
diff --git a/testdata/otasigned_ecdsa_sha256.zip b/tests/testdata/otasigned_ecdsa_sha256.zip
similarity index 100%
rename from testdata/otasigned_ecdsa_sha256.zip
rename to tests/testdata/otasigned_ecdsa_sha256.zip
Binary files differ
diff --git a/testdata/otasigned_f4.zip b/tests/testdata/otasigned_f4.zip
similarity index 100%
rename from testdata/otasigned_f4.zip
rename to tests/testdata/otasigned_f4.zip
Binary files differ
diff --git a/testdata/otasigned_f4_sha256.zip b/tests/testdata/otasigned_f4_sha256.zip
similarity index 100%
rename from testdata/otasigned_f4_sha256.zip
rename to tests/testdata/otasigned_f4_sha256.zip
Binary files differ
diff --git a/testdata/otasigned_sha256.zip b/tests/testdata/otasigned_sha256.zip
similarity index 100%
rename from testdata/otasigned_sha256.zip
rename to tests/testdata/otasigned_sha256.zip
Binary files differ
diff --git a/tests/testdata/patch.bsdiff b/tests/testdata/patch.bsdiff
new file mode 100644
index 0000000..b78d385
--- /dev/null
+++ b/tests/testdata/patch.bsdiff
Binary files differ
diff --git a/testdata/random.zip b/tests/testdata/random.zip
similarity index 100%
rename from testdata/random.zip
rename to tests/testdata/random.zip
Binary files differ
diff --git a/testdata/test_f4.pk8 b/tests/testdata/test_f4.pk8
similarity index 100%
rename from testdata/test_f4.pk8
rename to tests/testdata/test_f4.pk8
Binary files differ
diff --git a/testdata/test_f4.x509.pem b/tests/testdata/test_f4.x509.pem
similarity index 100%
rename from testdata/test_f4.x509.pem
rename to tests/testdata/test_f4.x509.pem
diff --git a/testdata/test_f4_sha256.x509.pem b/tests/testdata/test_f4_sha256.x509.pem
similarity index 100%
rename from testdata/test_f4_sha256.x509.pem
rename to tests/testdata/test_f4_sha256.x509.pem
diff --git a/tests/testdata/test_key_e3.txt b/tests/testdata/test_key_e3.txt
new file mode 100644
index 0000000..53f5297
--- /dev/null
+++ b/tests/testdata/test_key_e3.txt
@@ -0,0 +1 @@
+{64,0xc926ad21,{1795090719,2141396315,950055447,2581568430,4268923165,1920809988,546586521,3498997798,1776797858,3740060814,1805317999,1429410244,129622599,1422441418,1783893377,1222374759,2563319927,323993566,28517732,609753416,1826472888,215237850,4261642700,4049082591,3228462402,774857746,154822455,2497198897,2758199418,3019015328,2794777644,87251430,2534927978,120774784,571297800,3695899472,2479925187,3811625450,3401832990,2394869647,3267246207,950095497,555058928,414729973,1136544882,3044590084,465547824,4058146728,2731796054,1689838846,3890756939,1048029507,895090649,247140249,178744550,3547885223,3165179243,109881576,3944604415,1044303212,3772373029,2985150306,3737520932,3599964420},{3437017481,3784475129,2800224972,3086222688,251333580,2131931323,512774938,325948880,2657486437,2102694287,3820568226,792812816,1026422502,2053275343,2800889200,3113586810,165549746,4273519969,4065247892,1902789247,772932719,3941848426,3652744109,216871947,3164400649,1942378755,3996765851,1055777370,964047799,629391717,2232744317,3910558992,191868569,2758883837,3682816752,2997714732,2702529250,3570700455,3776873832,3924067546,3555689545,2758825434,1323144535,61311905,1997411085,376844204,213777604,4077323584,9135381,1625809335,2804742137,2952293945,1117190829,4237312782,1825108855,3013147971,1111251351,2568837572,1684324211,2520978805,367251975,810756730,2353784344,1175080310}}
diff --git a/tests/testdata/test_key_ec.txt b/tests/testdata/test_key_ec.txt
new file mode 100644
index 0000000..72b4395
--- /dev/null
+++ b/tests/testdata/test_key_ec.txt
@@ -0,0 +1 @@
+v5 {32,{36,250,86,214,202,22,20,147,198,120,2,28,76,190,78,23,106,35,24,96,86,22,186,69,132,93,192,232,0,213,14,103},{222,154,23,13,125,130,22,76,146,185,140,159,138,255,105,143,32,16,27,72,175,145,141,121,233,184,77,24,217,141,132,181}}
diff --git a/tests/testdata/test_key_f4.txt b/tests/testdata/test_key_f4.txt
new file mode 100644
index 0000000..54ddbba
--- /dev/null
+++ b/tests/testdata/test_key_f4.txt
@@ -0,0 +1 @@
+v2 {64,0xc9bd1f21,{293133087,3210546773,865313125,250921607,3158780490,943703457,1242806226,2986289859,2942743769,2457906415,2719374299,1783459420,149579627,3081531591,3440738617,2788543742,2758457512,1146764939,3699497403,2446203424,1744968926,1159130537,2370028300,3978231572,3392699980,1487782451,1180150567,2841334302,3753960204,961373345,3333628321,748825784,2978557276,1566596926,1613056060,2600292737,1847226629,50398611,1890374404,2878700735,2286201787,1401186359,619285059,731930817,2340993166,1156490245,2992241729,151498140,318782170,3480838990,2100383433,4223552555,3628927011,4247846280,1759029513,4215632601,2719154626,3490334597,1751299340,3487864726,3668753795,4217506054,3748782284,3150295088},{1772626313,445326068,3477676155,1758201194,2986784722,491035581,3922936562,702212696,2979856666,3324974564,2488428922,3056318590,1626954946,664714029,398585816,3964097931,3356701905,2298377729,2040082097,3025491477,539143308,3348777868,2995302452,3602465520,212480763,2691021393,1307177300,704008044,2031136606,1054106474,3838318865,2441343869,1477566916,700949900,2534790355,3353533667,336163563,4106790558,2701448228,1571536379,1103842411,3623110423,1635278839,1577828979,910322800,715583630,138128831,1017877531,2289162787,447994798,1897243165,4121561445,4150719842,2131821093,2262395396,3305771534,980753571,3256525190,3128121808,1072869975,3507939515,4229109952,118381341,2209831334}}
diff --git a/testdata/testkey.pk8 b/tests/testdata/testkey.pk8
similarity index 100%
rename from testdata/testkey.pk8
rename to tests/testdata/testkey.pk8
Binary files differ
diff --git a/testdata/testkey.x509.pem b/tests/testdata/testkey.x509.pem
similarity index 100%
rename from testdata/testkey.x509.pem
rename to tests/testdata/testkey.x509.pem
diff --git a/testdata/testkey_ecdsa.pk8 b/tests/testdata/testkey_ecdsa.pk8
similarity index 100%
rename from testdata/testkey_ecdsa.pk8
rename to tests/testdata/testkey_ecdsa.pk8
Binary files differ
diff --git a/testdata/testkey_ecdsa.x509.pem b/tests/testdata/testkey_ecdsa.x509.pem
similarity index 100%
rename from testdata/testkey_ecdsa.x509.pem
rename to tests/testdata/testkey_ecdsa.x509.pem
diff --git a/testdata/testkey_sha256.x509.pem b/tests/testdata/testkey_sha256.x509.pem
similarity index 100%
rename from testdata/testkey_sha256.x509.pem
rename to tests/testdata/testkey_sha256.x509.pem
diff --git a/testdata/unsigned.zip b/tests/testdata/unsigned.zip
similarity index 100%
rename from testdata/unsigned.zip
rename to tests/testdata/unsigned.zip
Binary files differ
diff --git a/tests/asn1_decoder_test.cpp b/tests/unit/asn1_decoder_test.cpp
similarity index 100%
rename from tests/asn1_decoder_test.cpp
rename to tests/unit/asn1_decoder_test.cpp
diff --git a/tests/unit/locale_test.cpp b/tests/unit/locale_test.cpp
new file mode 100644
index 0000000..0e515f8
--- /dev/null
+++ b/tests/unit/locale_test.cpp
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <gtest/gtest.h>
+
+#include "minui/minui.h"
+
+TEST(LocaleTest, Misc) {
+    EXPECT_TRUE(matches_locale("zh_CN", "zh_CN_#Hans"));
+    EXPECT_TRUE(matches_locale("zh", "zh_CN_#Hans"));
+    EXPECT_FALSE(matches_locale("zh_HK", "zh_CN_#Hans"));
+    EXPECT_TRUE(matches_locale("en_GB", "en_GB"));
+    EXPECT_TRUE(matches_locale("en", "en_GB"));
+    EXPECT_FALSE(matches_locale("en_GB", "en"));
+    EXPECT_FALSE(matches_locale("en_GB", "en_US"));
+}
diff --git a/tests/unit/recovery_test.cpp b/tests/unit/recovery_test.cpp
new file mode 100644
index 0000000..f397f25
--- /dev/null
+++ b/tests/unit/recovery_test.cpp
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <fcntl.h>
+#include <string.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <android/log.h>
+#include <gtest/gtest.h>
+#include <log/logger.h>
+#include <private/android_logger.h>
+
+static const char myFilename[] = "/data/misc/recovery/inject.txt";
+static const char myContent[] = "Hello World\nWelcome to my recovery\n";
+
+// Failure is expected on systems that do not deliver either the
+// recovery-persist or recovery-refresh executables. Tests also require
+// a reboot sequence of test to truly verify.
+
+static ssize_t __pmsg_fn(log_id_t logId, char prio, const char *filename,
+                         const char *buf, size_t len, void *arg) {
+    EXPECT_EQ(LOG_ID_SYSTEM, logId);
+    EXPECT_EQ(ANDROID_LOG_INFO, prio);
+    EXPECT_EQ(0, NULL == strstr(myFilename,filename));
+    EXPECT_EQ(0, strcmp(myContent, buf));
+    EXPECT_EQ(sizeof(myContent), len);
+    EXPECT_EQ(0, NULL != arg);
+    return len;
+}
+
+// recovery.refresh - May fail. Requires recovery.inject, two reboots,
+//                    then expect success after second reboot.
+TEST(recovery, refresh) {
+    EXPECT_EQ(0, access("/system/bin/recovery-refresh", F_OK));
+
+    ssize_t ret = __android_log_pmsg_file_read(
+        LOG_ID_SYSTEM, ANDROID_LOG_INFO, "recovery/", __pmsg_fn, NULL);
+    if (ret == -ENOENT) {
+        EXPECT_LT(0, __android_log_pmsg_file_write(
+            LOG_ID_SYSTEM, ANDROID_LOG_INFO,
+            myFilename, myContent, sizeof(myContent)));
+        fprintf(stderr, "injected test data, "
+                        "requires two intervening reboots "
+                        "to check for replication\n");
+    }
+    EXPECT_EQ((ssize_t)sizeof(myContent), ret);
+}
+
+// recovery.persist - Requires recovery.inject, then a reboot, then
+//                    expect success after for this test on that boot.
+TEST(recovery, persist) {
+    EXPECT_EQ(0, access("/system/bin/recovery-persist", F_OK));
+
+    ssize_t ret = __android_log_pmsg_file_read(
+        LOG_ID_SYSTEM, ANDROID_LOG_INFO, "recovery/", __pmsg_fn, NULL);
+    if (ret == -ENOENT) {
+        EXPECT_LT(0, __android_log_pmsg_file_write(
+            LOG_ID_SYSTEM, ANDROID_LOG_INFO,
+            myFilename, myContent, sizeof(myContent)));
+        fprintf(stderr, "injected test data, "
+                        "requires intervening reboot "
+                        "to check for storage\n");
+    }
+
+    int fd = open(myFilename, O_RDONLY);
+    EXPECT_LE(0, fd);
+
+    char buf[sizeof(myContent) + 32];
+    ret = read(fd, buf, sizeof(buf));
+    close(fd);
+    EXPECT_EQ(ret, (ssize_t)sizeof(myContent));
+    EXPECT_EQ(0, strcmp(myContent, buf));
+    if (fd >= 0) {
+        fprintf(stderr, "Removing persistent test data, "
+                        "check if reconstructed on reboot\n");
+    }
+    EXPECT_EQ(0, unlink(myFilename));
+}
diff --git a/tools/recovery_l10n/Android.mk b/tools/recovery_l10n/Android.mk
new file mode 100644
index 0000000..937abd1
--- /dev/null
+++ b/tools/recovery_l10n/Android.mk
@@ -0,0 +1,12 @@
+# Copyright 2012 Google Inc. All Rights Reserved.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_PACKAGE_NAME := RecoveryLocalizer
+LOCAL_MODULE_TAGS := optional
+
+LOCAL_SRC_FILES := $(call all-java-files-under, src)
+
+include $(BUILD_PACKAGE)
diff --git a/tools/recovery_l10n/AndroidManifest.xml b/tools/recovery_l10n/AndroidManifest.xml
new file mode 100644
index 0000000..8c51a4e
--- /dev/null
+++ b/tools/recovery_l10n/AndroidManifest.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+          package="com.android.recovery_l10n">
+
+  <application android:label="Recovery Localizer">
+    <activity android:name="Main"
+              android:label="Recovery Localizer">
+      <intent-filter>
+        <action android:name="android.intent.action.MAIN" />
+        <category android:name="android.intent.category.LAUNCHER" />
+      </intent-filter>
+    </activity>
+  </application>
+
+</manifest>
+
+
diff --git a/tools/recovery_l10n/res/layout/main.xml b/tools/recovery_l10n/res/layout/main.xml
new file mode 100644
index 0000000..05a16e1
--- /dev/null
+++ b/tools/recovery_l10n/res/layout/main.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+              android:orientation="vertical"
+              android:layout_width="fill_parent"
+              android:layout_height="wrap_content"
+              >
+
+  <Spinner android:id="@+id/which"
+           android:layout_width="wrap_content"
+           android:layout_height="wrap_content"
+           />
+
+  <Button android:id="@+id/go"
+          android:layout_width="wrap_content"
+          android:layout_height="wrap_content"
+          android:text="@string/go"
+          />
+
+  <TextView android:id="@+id/text"
+            android:layout_width="wrap_content"
+            android:layout_height="wrap_content"
+            android:fontFamily="sans-serif-medium"
+            android:textColor="#fff5f5f5"
+            android:textSize="14sp"
+            android:background="#ff000000"
+            android:maxWidth="480px"
+            android:gravity="center"
+            />
+
+
+</LinearLayout>
+
+
diff --git a/tools/recovery_l10n/res/values-af/strings.xml b/tools/recovery_l10n/res/values-af/strings.xml
new file mode 100644
index 0000000..b1974da
--- /dev/null
+++ b/tools/recovery_l10n/res/values-af/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Installeer tans stelselopdatering"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Vee tans uit"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Geen opdrag nie"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Fout!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Installeer tans sekuriteitopdatering"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-am/strings.xml b/tools/recovery_l10n/res/values-am/strings.xml
new file mode 100644
index 0000000..75c17fb
--- /dev/null
+++ b/tools/recovery_l10n/res/values-am/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"የሥርዓት ዝማኔን በመጫን ላይ…"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"በመደምሰስ ላይ"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"ምንም ትዕዛዝ የለም"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"ስህተት!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"የደህንነት ዝማኔ በመጫን ላይ"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-ar/strings.xml b/tools/recovery_l10n/res/values-ar/strings.xml
new file mode 100644
index 0000000..601b583
--- /dev/null
+++ b/tools/recovery_l10n/res/values-ar/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"جارٍ تثبيت تحديث النظام"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"جارٍ محو البيانات"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"ليس هناك أي أمر"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"خطأ!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"جارٍ تثبيت تحديث الأمان"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-az-rAZ/strings.xml b/tools/recovery_l10n/res/values-az-rAZ/strings.xml
new file mode 100644
index 0000000..c6765a9
--- /dev/null
+++ b/tools/recovery_l10n/res/values-az-rAZ/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Sistem güncəlləməsi quraşdırılır..."</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Silinir"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Əmr yoxdur"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Xəta!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Təhlükəsizlik güncəlləməsi yüklənir"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-b+sr+Latn/strings.xml b/tools/recovery_l10n/res/values-b+sr+Latn/strings.xml
new file mode 100644
index 0000000..c2d8f22
--- /dev/null
+++ b/tools/recovery_l10n/res/values-b+sr+Latn/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Ažuriranje sistema se instalira"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Briše se"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Nema komande"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Greška!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Instalira se bezbednosno ažuriranje"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-be-rBY/strings.xml b/tools/recovery_l10n/res/values-be-rBY/strings.xml
new file mode 100644
index 0000000..7c0954d
--- /dev/null
+++ b/tools/recovery_l10n/res/values-be-rBY/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Усталёўка абнаўлення сістэмы"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Сціранне"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Няма каманды"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Памылка"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Усталёўка абнаўлення сістэмы бяспекі"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-bg/strings.xml b/tools/recovery_l10n/res/values-bg/strings.xml
new file mode 100644
index 0000000..9e628a2
--- /dev/null
+++ b/tools/recovery_l10n/res/values-bg/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Системната актуализация се инсталира"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Изтрива се"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Без команда"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Грешка!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Актуализацията на сигурносттa се инсталира"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-bn-rBD/strings.xml b/tools/recovery_l10n/res/values-bn-rBD/strings.xml
new file mode 100644
index 0000000..0a481fa
--- /dev/null
+++ b/tools/recovery_l10n/res/values-bn-rBD/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"সিস্টেম আপডেট ইনস্টল করা হচ্ছে"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"মোছা হচ্ছে"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"কোনো আদেশ নেই"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"ত্রুটি!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"নিরাপত্তার আপডেট ইনস্টল করা হচ্ছে"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-bs-rBA/strings.xml b/tools/recovery_l10n/res/values-bs-rBA/strings.xml
new file mode 100644
index 0000000..412cf02
--- /dev/null
+++ b/tools/recovery_l10n/res/values-bs-rBA/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Ažuriranje sistema…"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Brisanje u toku"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Nema komande"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Greška!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Instaliranje sigurnosnog ažuriranja…"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-ca/strings.xml b/tools/recovery_l10n/res/values-ca/strings.xml
new file mode 100644
index 0000000..3f266d2
--- /dev/null
+++ b/tools/recovery_l10n/res/values-ca/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"S\'està instal·lant una actualització del sistema"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"S\'està esborrant"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"No hi ha cap ordre"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"S\'ha produït un error"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"S\'està instal·lant una actualització de seguretat"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-cs/strings.xml b/tools/recovery_l10n/res/values-cs/strings.xml
new file mode 100644
index 0000000..eb436a8
--- /dev/null
+++ b/tools/recovery_l10n/res/values-cs/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Instalace aktualizace systému"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Mazání"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Žádný příkaz"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Chyba!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Instalace aktualizace zabezpečení"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-da/strings.xml b/tools/recovery_l10n/res/values-da/strings.xml
new file mode 100644
index 0000000..c6e64a2
--- /dev/null
+++ b/tools/recovery_l10n/res/values-da/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Installerer systemopdateringen"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Sletter"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Ingen kommando"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Fejl!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Installerer sikkerhedsopdateringen"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-de/strings.xml b/tools/recovery_l10n/res/values-de/strings.xml
new file mode 100644
index 0000000..6b6726a
--- /dev/null
+++ b/tools/recovery_l10n/res/values-de/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Systemupdate wird installiert"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Wird gelöscht"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Kein Befehl"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Fehler"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Sicherheitsupdate wird installiert"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-el/strings.xml b/tools/recovery_l10n/res/values-el/strings.xml
new file mode 100644
index 0000000..4cb2da5
--- /dev/null
+++ b/tools/recovery_l10n/res/values-el/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Εγκατάσταση ενημέρωσης συστήματος"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Διαγραφή"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Καμία εντολή"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Σφάλμα!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Εγκατάσταση ενημέρωσης ασφαλείας"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-en-rAU/strings.xml b/tools/recovery_l10n/res/values-en-rAU/strings.xml
new file mode 100644
index 0000000..dc75c23
--- /dev/null
+++ b/tools/recovery_l10n/res/values-en-rAU/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Installing system update"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Erasing"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"No command"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Error!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Installing security update"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-en-rGB/strings.xml b/tools/recovery_l10n/res/values-en-rGB/strings.xml
new file mode 100644
index 0000000..dc75c23
--- /dev/null
+++ b/tools/recovery_l10n/res/values-en-rGB/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Installing system update"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Erasing"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"No command"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Error!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Installing security update"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-en-rIN/strings.xml b/tools/recovery_l10n/res/values-en-rIN/strings.xml
new file mode 100644
index 0000000..dc75c23
--- /dev/null
+++ b/tools/recovery_l10n/res/values-en-rIN/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Installing system update"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Erasing"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"No command"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Error!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Installing security update"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-es-rUS/strings.xml b/tools/recovery_l10n/res/values-es-rUS/strings.xml
new file mode 100644
index 0000000..06b8606
--- /dev/null
+++ b/tools/recovery_l10n/res/values-es-rUS/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Instalando actualización del sistema"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Borrando"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Ningún comando"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Error"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Instalando actualización de seguridad"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-es/strings.xml b/tools/recovery_l10n/res/values-es/strings.xml
new file mode 100644
index 0000000..d8618f2
--- /dev/null
+++ b/tools/recovery_l10n/res/values-es/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Instalando actualización del sistema"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Borrando"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Sin comandos"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Error"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Instalando actualización de seguridad"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-et-rEE/strings.xml b/tools/recovery_l10n/res/values-et-rEE/strings.xml
new file mode 100644
index 0000000..072a9ef
--- /dev/null
+++ b/tools/recovery_l10n/res/values-et-rEE/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Süsteemivärskenduse installimine"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Kustutamine"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Käsk puudub"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Viga!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Turvavärskenduse installimine"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-eu-rES/strings.xml b/tools/recovery_l10n/res/values-eu-rES/strings.xml
new file mode 100644
index 0000000..5540469
--- /dev/null
+++ b/tools/recovery_l10n/res/values-eu-rES/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Sistemaren eguneratzea instalatzen"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Eduki guztia ezabatzen"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Ez dago agindurik"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Errorea"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Segurtasun-eguneratzea instalatzen"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-fa/strings.xml b/tools/recovery_l10n/res/values-fa/strings.xml
new file mode 100644
index 0000000..cc390ae
--- /dev/null
+++ b/tools/recovery_l10n/res/values-fa/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"در حال نصب به‌روزرسانی سیستم"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"در حال پاک کردن"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"فرمانی وجود ندارد"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"خطا!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"در حال نصب به‌روزرسانی امنیتی"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-fi/strings.xml b/tools/recovery_l10n/res/values-fi/strings.xml
new file mode 100644
index 0000000..5141642
--- /dev/null
+++ b/tools/recovery_l10n/res/values-fi/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Asennetaan järjestelmäpäivitystä"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Tyhjennetään"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Ei komentoa"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Virhe!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Asennetaan tietoturvapäivitystä"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-fr-rCA/strings.xml b/tools/recovery_l10n/res/values-fr-rCA/strings.xml
new file mode 100644
index 0000000..b241529
--- /dev/null
+++ b/tools/recovery_l10n/res/values-fr-rCA/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Installation de la mise à jour du système en cours…"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Suppression en cours..."</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Aucune commande"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Erreur!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Installation de la mise à jour de sécurité en cours..."</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-fr/strings.xml b/tools/recovery_l10n/res/values-fr/strings.xml
new file mode 100644
index 0000000..f0472b5
--- /dev/null
+++ b/tools/recovery_l10n/res/values-fr/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Installation de la mise à jour du système…"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Suppression…"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Aucune commande"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Erreur !"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Installation de la mise à jour de sécurité…"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-gl-rES/strings.xml b/tools/recovery_l10n/res/values-gl-rES/strings.xml
new file mode 100644
index 0000000..42b2016
--- /dev/null
+++ b/tools/recovery_l10n/res/values-gl-rES/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Instalando actualización do sistema"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Borrando"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Non hai ningún comando"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Erro"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Instalando actualización de seguranza"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-gu-rIN/strings.xml b/tools/recovery_l10n/res/values-gu-rIN/strings.xml
new file mode 100644
index 0000000..2355a0f
--- /dev/null
+++ b/tools/recovery_l10n/res/values-gu-rIN/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"સિસ્ટમ અપડેટ ઇન્સ્ટૉલ કરી રહ્યાં છે"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"કાઢી નાખી રહ્યું છે"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"કોઈ આદેશ નથી"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"ભૂલ!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"સુરક્ષા અપડેટ ઇન્સ્ટૉલ કરી રહ્યાં છે"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-hi/strings.xml b/tools/recovery_l10n/res/values-hi/strings.xml
new file mode 100644
index 0000000..de87578
--- /dev/null
+++ b/tools/recovery_l10n/res/values-hi/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"सिस्टम अपडेट इंस्टॉल किया जा रहा है"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"मिटाया जा रहा है"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"कोई आदेश नहीं"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"त्रुटि!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"सुरक्षा अपडेट इंस्टॉल किया जा रहा है"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-hr/strings.xml b/tools/recovery_l10n/res/values-hr/strings.xml
new file mode 100644
index 0000000..3b75ff1
--- /dev/null
+++ b/tools/recovery_l10n/res/values-hr/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Instaliranje ažuriranja sustava"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Brisanje"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Nema naredbe"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Pogreška!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Instaliranje sigurnosnog ažuriranja"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-hu/strings.xml b/tools/recovery_l10n/res/values-hu/strings.xml
new file mode 100644
index 0000000..12d4d9f
--- /dev/null
+++ b/tools/recovery_l10n/res/values-hu/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Rendszerfrissítés telepítése"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Törlés"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Nincs parancs"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Hiba!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Biztonsági frissítés telepítése"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-hy-rAM/strings.xml b/tools/recovery_l10n/res/values-hy-rAM/strings.xml
new file mode 100644
index 0000000..9d62bb7
--- /dev/null
+++ b/tools/recovery_l10n/res/values-hy-rAM/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Համակարգի թարմացման տեղադրում"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Ջնջում"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Հրամանը տրված չէ"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Սխալ"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Անվտանգության թարմացման տեղադրում"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-in/strings.xml b/tools/recovery_l10n/res/values-in/strings.xml
new file mode 100644
index 0000000..0e56e0d
--- /dev/null
+++ b/tools/recovery_l10n/res/values-in/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Memasang pembaruan sistem"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Menghapus"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Tidak ada perintah"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Error!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Memasang pembaruan keamanan"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-is-rIS/strings.xml b/tools/recovery_l10n/res/values-is-rIS/strings.xml
new file mode 100644
index 0000000..5065b65
--- /dev/null
+++ b/tools/recovery_l10n/res/values-is-rIS/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Setur upp kerfisuppfærslu"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Eyðir"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Engin skipun"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Villa!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Setur upp öryggisuppfærslu"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-it/strings.xml b/tools/recovery_l10n/res/values-it/strings.xml
new file mode 100644
index 0000000..2c0364e
--- /dev/null
+++ b/tools/recovery_l10n/res/values-it/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Installazione aggiornamento di sistema…"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Cancellazione…"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Nessun comando"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Errore!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Installazione aggiornamento sicurezza…"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-iw/strings.xml b/tools/recovery_l10n/res/values-iw/strings.xml
new file mode 100644
index 0000000..ea5e6f2
--- /dev/null
+++ b/tools/recovery_l10n/res/values-iw/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"מתקין עדכון מערכת"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"מוחק"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"אין פקודה"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"שגיאה!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"מתקין עדכון אבטחה"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-ja/strings.xml b/tools/recovery_l10n/res/values-ja/strings.xml
new file mode 100644
index 0000000..36e029b
--- /dev/null
+++ b/tools/recovery_l10n/res/values-ja/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"システム アップデートをインストールしています"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"消去しています"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"コマンドが指定されていません"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"エラーが発生しました。"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"セキュリティ アップデートをインストールしています"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-ka-rGE/strings.xml b/tools/recovery_l10n/res/values-ka-rGE/strings.xml
new file mode 100644
index 0000000..6a46b36
--- /dev/null
+++ b/tools/recovery_l10n/res/values-ka-rGE/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"მიმდინარეობს სისტემის განახლების ინსტალაცია"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"მიმდინარეობს ამოშლა"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"ბრძანება არ არის"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"წარმოიქმნა შეცდომა!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"მიმდინარეობს უსაფრთხოების განახლების ინსტალაცია"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-kk-rKZ/strings.xml b/tools/recovery_l10n/res/values-kk-rKZ/strings.xml
new file mode 100644
index 0000000..a4bd86e
--- /dev/null
+++ b/tools/recovery_l10n/res/values-kk-rKZ/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Жүйе жаңартуы орнатылуда"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Өшірілуде"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Пәрмен жоқ"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Қате!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Қауіпсіздік жаңартуы орнатылуда"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-km-rKH/strings.xml b/tools/recovery_l10n/res/values-km-rKH/strings.xml
new file mode 100644
index 0000000..313c0f4
--- /dev/null
+++ b/tools/recovery_l10n/res/values-km-rKH/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"កំពុងអាប់ដេតប្រព័ន្ធ"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"លុប"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"គ្មានពាក្យបញ្ជាទេ"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"កំហុស!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"កំពុងដំឡើងការអាប់ដេតសុវត្ថិភាព"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-kn-rIN/strings.xml b/tools/recovery_l10n/res/values-kn-rIN/strings.xml
new file mode 100644
index 0000000..5bf6260
--- /dev/null
+++ b/tools/recovery_l10n/res/values-kn-rIN/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"ಸಿಸ್ಟಂ ಅಪ್‌ಡೇಟ್‌ ಸ್ಥಾಪಿಸಲಾಗುತ್ತಿದೆ"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"ಅಳಿಸಲಾಗುತ್ತಿದೆ"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"ಯಾವುದೇ ಆದೇಶವಿಲ್ಲ"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"ದೋಷ!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"ಭದ್ರತೆಯ ಅಪ್‌ಡೇಟ್‌ ಸ್ಥಾಪಿಸಲಾಗುತ್ತಿದೆ"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-ko/strings.xml b/tools/recovery_l10n/res/values-ko/strings.xml
new file mode 100644
index 0000000..aca13bb
--- /dev/null
+++ b/tools/recovery_l10n/res/values-ko/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"시스템 업데이트 설치"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"지우는 중"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"명령어 없음"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"오류!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"보안 업데이트 설치 중"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-ky-rKG/strings.xml b/tools/recovery_l10n/res/values-ky-rKG/strings.xml
new file mode 100644
index 0000000..0a6bd78
--- /dev/null
+++ b/tools/recovery_l10n/res/values-ky-rKG/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Тутум жаңыртуусу орнотулууда"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Тазаланууда"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Буйрук берилген жок"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Ката!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Коопсуздук жаңыртуусу орнотулууда"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-lo-rLA/strings.xml b/tools/recovery_l10n/res/values-lo-rLA/strings.xml
new file mode 100644
index 0000000..d3dbb39
--- /dev/null
+++ b/tools/recovery_l10n/res/values-lo-rLA/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"ກຳລັງຕິດຕັ້ງການອັບເດດລະບົບ"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"ກຳລັງລຶບ"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"ບໍ່ມີຄຳສັ່ງ"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"ຜິດພາດ!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"ກຳລັງຕິດຕັ້ງອັບເດດຄວາມປອດໄພ"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-lt/strings.xml b/tools/recovery_l10n/res/values-lt/strings.xml
new file mode 100644
index 0000000..d5d5e88
--- /dev/null
+++ b/tools/recovery_l10n/res/values-lt/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Diegiamas sistemos naujinys"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Ištrinama"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Nėra jokių komandų"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Klaida!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Diegiamas saugos naujinys"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-lv/strings.xml b/tools/recovery_l10n/res/values-lv/strings.xml
new file mode 100644
index 0000000..d877f6a
--- /dev/null
+++ b/tools/recovery_l10n/res/values-lv/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Notiek sistēmas atjauninājuma instalēšana"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Notiek dzēšana"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Nav nevienas komandas"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Kļūda!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Notiek drošības atjauninājuma instalēšana"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-mk-rMK/strings.xml b/tools/recovery_l10n/res/values-mk-rMK/strings.xml
new file mode 100644
index 0000000..3514597
--- /dev/null
+++ b/tools/recovery_l10n/res/values-mk-rMK/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Се инсталира ажурирање на системот"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Се брише"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Нема наредба"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Грешка!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Се инсталира безбедносно ажурирање"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-ml-rIN/strings.xml b/tools/recovery_l10n/res/values-ml-rIN/strings.xml
new file mode 100644
index 0000000..b506e25
--- /dev/null
+++ b/tools/recovery_l10n/res/values-ml-rIN/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"സിസ്റ്റം അപ്‌ഡേറ്റ് ഇൻസ്റ്റാൾ ചെയ്യുന്നു"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"മായ്‌ക്കുന്നു"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"കമാൻഡ് ഒന്നുമില്ല"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"പിശക്!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"സുരക്ഷാ അപ്ഡേറ്റ് ഇൻസ്റ്റാൾ ചെയ്യുന്നു"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-mn-rMN/strings.xml b/tools/recovery_l10n/res/values-mn-rMN/strings.xml
new file mode 100644
index 0000000..e3dd2e9
--- /dev/null
+++ b/tools/recovery_l10n/res/values-mn-rMN/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Системийн шинэчлэлтийг суулгаж байна"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Устгаж байна"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Тушаал байхгүй"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Алдаа!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Аюулгүй байдлын шинэчлэлтийг суулгаж байна"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-mr-rIN/strings.xml b/tools/recovery_l10n/res/values-mr-rIN/strings.xml
new file mode 100644
index 0000000..8cf86f7
--- /dev/null
+++ b/tools/recovery_l10n/res/values-mr-rIN/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"सिस्टम अद्यतन स्थापित करीत आहे"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"मिटवत आहे"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"कोणताही आदेश नाही"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"त्रुटी!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"सुरक्षा अद्यतन स्थापित करीत आहे"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-ms-rMY/strings.xml b/tools/recovery_l10n/res/values-ms-rMY/strings.xml
new file mode 100644
index 0000000..0e24ac4
--- /dev/null
+++ b/tools/recovery_l10n/res/values-ms-rMY/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Memasang kemas kini sistem"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Memadam"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Tiada perintah"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Ralat!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Memasang kemas kini keselamatan"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-my-rMM/strings.xml b/tools/recovery_l10n/res/values-my-rMM/strings.xml
new file mode 100644
index 0000000..f137524
--- /dev/null
+++ b/tools/recovery_l10n/res/values-my-rMM/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"စနစ်အပ်ဒိတ်ကို ထည့်သွင်းနေသည်"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"ဖျက်နေသည်"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"ညွှန်ကြားချက်မပေးထားပါ"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"မှားနေပါသည်!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"လုံခြုံရေး အပ်ဒိတ်ကို ထည့်သွင်းနေသည်"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-nb/strings.xml b/tools/recovery_l10n/res/values-nb/strings.xml
new file mode 100644
index 0000000..ad6f20e
--- /dev/null
+++ b/tools/recovery_l10n/res/values-nb/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Installerer systemoppdateringen"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Tømmer"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Ingen kommandoer"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Feil!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Installerer sikkerhetsoppdateringen"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-ne-rNP/strings.xml b/tools/recovery_l10n/res/values-ne-rNP/strings.xml
new file mode 100644
index 0000000..1880e80
--- /dev/null
+++ b/tools/recovery_l10n/res/values-ne-rNP/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"प्रणालीको अद्यावधिकलाई स्थापना गर्दै"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"मेटाउँदै"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"कुनै आदेश छैन"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"त्रुटि!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"सुरक्षा सम्बन्धी अद्यावधिकलाई स्थापना गर्दै"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-nl/strings.xml b/tools/recovery_l10n/res/values-nl/strings.xml
new file mode 100644
index 0000000..0d6c15a
--- /dev/null
+++ b/tools/recovery_l10n/res/values-nl/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Systeemupdate installeren"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Wissen"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Geen opdracht"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Fout!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Beveiligingsupdate installeren"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-pa-rIN/strings.xml b/tools/recovery_l10n/res/values-pa-rIN/strings.xml
new file mode 100644
index 0000000..8564c9c
--- /dev/null
+++ b/tools/recovery_l10n/res/values-pa-rIN/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"ਸਿਸਟਮ ਅੱਪਡੇਟ ਸਥਾਪਤ ਕੀਤੀ ਜਾ ਰਹੀ ਹੈ"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"ਮਿਟਾਈ ਜਾ ਰਹੀ ਹੈ"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"ਕੋਈ ਕਮਾਂਡ ਨਹੀਂ"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"ਅਸ਼ੁੱਧੀ!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"ਸੁਰੱਖਿਆ ਅੱਪਡੇਟ ਸਥਾਪਤ ਕੀਤੀ ਜਾ ਰਹੀ ਹੈ"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-pl/strings.xml b/tools/recovery_l10n/res/values-pl/strings.xml
new file mode 100644
index 0000000..8d6db38
--- /dev/null
+++ b/tools/recovery_l10n/res/values-pl/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Instaluję aktualizację systemu"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Kasuję"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Brak polecenia"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Błąd"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Instaluję aktualizację zabezpieczeń"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-pt-rBR/strings.xml b/tools/recovery_l10n/res/values-pt-rBR/strings.xml
new file mode 100644
index 0000000..b727043
--- /dev/null
+++ b/tools/recovery_l10n/res/values-pt-rBR/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Instalando atualização do sistema"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Apagando"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Nenhum comando"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Erro!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Instalando atualização de segurança"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-pt-rPT/strings.xml b/tools/recovery_l10n/res/values-pt-rPT/strings.xml
new file mode 100644
index 0000000..9814637
--- /dev/null
+++ b/tools/recovery_l10n/res/values-pt-rPT/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"A instalar atualização do sistema"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"A apagar"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Nenhum comando"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Erro!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"A instalar atualização de segurança"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-pt/strings.xml b/tools/recovery_l10n/res/values-pt/strings.xml
new file mode 100644
index 0000000..b727043
--- /dev/null
+++ b/tools/recovery_l10n/res/values-pt/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Instalando atualização do sistema"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Apagando"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Nenhum comando"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Erro!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Instalando atualização de segurança"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-ro/strings.xml b/tools/recovery_l10n/res/values-ro/strings.xml
new file mode 100644
index 0000000..8032865
--- /dev/null
+++ b/tools/recovery_l10n/res/values-ro/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Se instalează actualizarea de sistem"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Se șterge"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Nicio comandă"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Eroare!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Se instalează actualizarea de securitate"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-ru/strings.xml b/tools/recovery_l10n/res/values-ru/strings.xml
new file mode 100644
index 0000000..feebecf
--- /dev/null
+++ b/tools/recovery_l10n/res/values-ru/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Установка обновления системы…"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Удаление…"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Команды нет"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Ошибка"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Установка обновления системы безопасности…"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-si-rLK/strings.xml b/tools/recovery_l10n/res/values-si-rLK/strings.xml
new file mode 100644
index 0000000..456cdc5
--- /dev/null
+++ b/tools/recovery_l10n/res/values-si-rLK/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"පද්ධති යාවත්කාලීනය ස්ථාපනය කරමින්"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"මකමින්"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"විධානයක් නොමැත"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"දෝෂය!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"ආරක්ෂක යාවත්කාලීනය ස්ථාපනය කරමින්"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-sk/strings.xml b/tools/recovery_l10n/res/values-sk/strings.xml
new file mode 100644
index 0000000..b15f380
--- /dev/null
+++ b/tools/recovery_l10n/res/values-sk/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Inštaluje sa aktualizácia systému"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Prebieha vymazávanie"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Žiadny príkaz"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Chyba!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Inštaluje sa bezpečnostná aktualizácia"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-sl/strings.xml b/tools/recovery_l10n/res/values-sl/strings.xml
new file mode 100644
index 0000000..d608b75
--- /dev/null
+++ b/tools/recovery_l10n/res/values-sl/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Nameščanje posodobitve sistema"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Brisanje"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Ni ukaza"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Napaka"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Nameščanje varnostne posodobitve"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-sq-rAL/strings.xml b/tools/recovery_l10n/res/values-sq-rAL/strings.xml
new file mode 100644
index 0000000..1156931
--- /dev/null
+++ b/tools/recovery_l10n/res/values-sq-rAL/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Po instalon përditësimin e sistemit"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Po spastron"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Nuk ka komanda"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Gabim!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Po instalon përditësimin e sigurisë"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-sr/strings.xml b/tools/recovery_l10n/res/values-sr/strings.xml
new file mode 100644
index 0000000..a593d8f
--- /dev/null
+++ b/tools/recovery_l10n/res/values-sr/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Ажурирање система се инсталира"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Брише се"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Нема команде"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Грешка!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Инсталира се безбедносно ажурирање"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-sv/strings.xml b/tools/recovery_l10n/res/values-sv/strings.xml
new file mode 100644
index 0000000..b33ce25
--- /dev/null
+++ b/tools/recovery_l10n/res/values-sv/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Systemuppdatering installeras"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Rensar"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Inget kommando"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Fel!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Säkerhetsuppdatering installeras"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-sw/strings.xml b/tools/recovery_l10n/res/values-sw/strings.xml
new file mode 100644
index 0000000..1567658
--- /dev/null
+++ b/tools/recovery_l10n/res/values-sw/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Inasakinisha sasisho la mfumo"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Inafuta"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Hakuna amri"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Hitilafu fulani imetokea!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Inasakinisha sasisho la usalama"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-ta-rIN/strings.xml b/tools/recovery_l10n/res/values-ta-rIN/strings.xml
new file mode 100644
index 0000000..d49186d
--- /dev/null
+++ b/tools/recovery_l10n/res/values-ta-rIN/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"முறைமைப் புதுப்பிப்பை நிறுவுகிறது"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"அழிக்கிறது"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"கட்டளை இல்லை"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"பிழை!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"பாதுகாப்புப் புதுப்பிப்பை நிறுவுகிறது"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-te-rIN/strings.xml b/tools/recovery_l10n/res/values-te-rIN/strings.xml
new file mode 100644
index 0000000..cfb02c9
--- /dev/null
+++ b/tools/recovery_l10n/res/values-te-rIN/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"సిస్టమ్ నవీకరణను ఇన్‍స్టాల్ చేస్తోంది"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"డేటాను తొలగిస్తోంది"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"ఆదేశం లేదు"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"లోపం సంభవించింది!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"భద్రతా నవీకరణను ఇన్‌స్టాల్ చేస్తోంది"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-th/strings.xml b/tools/recovery_l10n/res/values-th/strings.xml
new file mode 100644
index 0000000..155affe
--- /dev/null
+++ b/tools/recovery_l10n/res/values-th/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"กำลังติดตั้งการอัปเดตระบบ"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"กำลังลบ"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"ไม่มีคำสั่ง"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"ข้อผิดพลาด!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"กำลังติดตั้งการอัปเดตความปลอดภัย"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-tl/strings.xml b/tools/recovery_l10n/res/values-tl/strings.xml
new file mode 100644
index 0000000..555b42b
--- /dev/null
+++ b/tools/recovery_l10n/res/values-tl/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Nag-i-install ng pag-update ng system"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Binubura"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Walang command"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Error!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Nag-i-install ng update sa seguridad"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-tr/strings.xml b/tools/recovery_l10n/res/values-tr/strings.xml
new file mode 100644
index 0000000..5387cb2
--- /dev/null
+++ b/tools/recovery_l10n/res/values-tr/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Sistem güncellemesi yükleniyor"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Siliniyor"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Komut yok"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Hata!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Güvenlik güncellemesi yükleniyor"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-uk/strings.xml b/tools/recovery_l10n/res/values-uk/strings.xml
new file mode 100644
index 0000000..0c2fa16
--- /dev/null
+++ b/tools/recovery_l10n/res/values-uk/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Установлюється оновлення системи"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Стирання"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Немає команди"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Помилка!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Установлюється оновлення системи безпеки"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-ur-rPK/strings.xml b/tools/recovery_l10n/res/values-ur-rPK/strings.xml
new file mode 100644
index 0000000..12e32fb
--- /dev/null
+++ b/tools/recovery_l10n/res/values-ur-rPK/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"سسٹم اپ ڈیٹ انسٹال ہو رہی ہے"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"صاف ہو رہا ہے"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"کوئی کمانڈ نہیں ہے"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"خرابی!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"سیکیورٹی اپ ڈیٹ انسٹال ہو رہی ہے"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-uz-rUZ/strings.xml b/tools/recovery_l10n/res/values-uz-rUZ/strings.xml
new file mode 100644
index 0000000..2c309d6
--- /dev/null
+++ b/tools/recovery_l10n/res/values-uz-rUZ/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Tizim yangilanishi o‘rnatilmoqda"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Tozalanmoqda…"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Buyruq yo‘q"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Xato!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Xavfsizlik yangilanishi o‘rnatilmoqda"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-vi/strings.xml b/tools/recovery_l10n/res/values-vi/strings.xml
new file mode 100644
index 0000000..c77d0c8
--- /dev/null
+++ b/tools/recovery_l10n/res/values-vi/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Đang cài đặt bản cập nhật hệ thống"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Đang xóa"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Không có lệnh nào"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Lỗi!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Đang cài đặt bản cập nhật bảo mật"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-zh-rCN/strings.xml b/tools/recovery_l10n/res/values-zh-rCN/strings.xml
new file mode 100644
index 0000000..e061497
--- /dev/null
+++ b/tools/recovery_l10n/res/values-zh-rCN/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"正在安装系统更新"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"正在清空"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"无命令"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"出错了!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"正在安装安全更新"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-zh-rHK/strings.xml b/tools/recovery_l10n/res/values-zh-rHK/strings.xml
new file mode 100644
index 0000000..ec3315d
--- /dev/null
+++ b/tools/recovery_l10n/res/values-zh-rHK/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"正在安裝系統更新"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"正在清除"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"沒有指令"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"錯誤!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"正在安裝安全性更新"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-zh-rTW/strings.xml b/tools/recovery_l10n/res/values-zh-rTW/strings.xml
new file mode 100644
index 0000000..78eae24
--- /dev/null
+++ b/tools/recovery_l10n/res/values-zh-rTW/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"正在安裝系統更新"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"清除中"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"沒有指令"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"錯誤!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"正在安裝安全性更新"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values-zu/strings.xml b/tools/recovery_l10n/res/values-zu/strings.xml
new file mode 100644
index 0000000..6b815e1
--- /dev/null
+++ b/tools/recovery_l10n/res/values-zu/strings.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<resources xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+    <string name="recovery_installing" msgid="2013591905463558223">"Ifaka isibuyekezo sesistimu"</string>
+    <string name="recovery_erasing" msgid="7334826894904037088">"Iyasula"</string>
+    <string name="recovery_no_command" msgid="4465476568623024327">"Awukho umyalo"</string>
+    <string name="recovery_error" msgid="5748178989622716736">"Iphutha!"</string>
+    <string name="recovery_installing_security" msgid="9184031299717114342">"Ifaka isibuyekezo sokuphepha"</string>
+</resources>
diff --git a/tools/recovery_l10n/res/values/strings.xml b/tools/recovery_l10n/res/values/strings.xml
new file mode 100644
index 0000000..971e038
--- /dev/null
+++ b/tools/recovery_l10n/res/values/strings.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+  <!-- Do not translate. -->
+  <string translatable="false" name="go">Go</string>
+
+  <!-- Do not translate. -->
+  <string-array translatable="false" name="string_options">
+    <item>installing</item>
+    <item>erasing</item>
+    <item>no_command</item>
+    <item>error</item>
+  </string-array>
+
+  <!-- Displayed on the screen beneath the animated android while the
+       system is installing an update. [CHAR LIMIT=60] -->
+  <string name="recovery_installing">Installing system update</string>
+
+  <!-- Displayed on the screen beneath the animated android while the
+       system is erasing a partition (either a data wipe aka "factory
+       reset", or a cache wipe). [CHAR LIMIT=60] -->
+  <string name="recovery_erasing">Erasing</string>
+
+  <!-- Displayed on the screen when the user has gotten into recovery
+       mode without a command to run.  Will not normally happen, but
+       users (especially developers) may boot into recovery mode
+       manually via special key combinations.  [CHAR LIMIT=60] -->
+  <string name="recovery_no_command">No command</string>
+
+  <!-- Displayed on the triangle-! screen when a system update
+       installation or data wipe procedure encounters an error.  [CHAR
+       LIMIT=60] -->
+  <string name="recovery_error">Error!</string>
+
+  <!-- Displayed on the screen beneath the animation while the
+       system is installing a security update. [CHAR LIMIT=60] -->
+  <string name="recovery_installing_security">Installing security update</string>
+
+</resources>
diff --git a/tools/recovery_l10n/src/com/android/recovery_l10n/Main.java b/tools/recovery_l10n/src/com/android/recovery_l10n/Main.java
new file mode 100644
index 0000000..817a3ad
--- /dev/null
+++ b/tools/recovery_l10n/src/com/android/recovery_l10n/Main.java
@@ -0,0 +1,316 @@
+/*
+ * Copyright (C) 2012 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.recovery_l10n;
+
+import android.app.Activity;
+import android.content.Context;
+import android.content.Intent;
+import android.content.res.AssetManager;
+import android.content.res.Configuration;
+import android.content.res.Resources;
+import android.graphics.Bitmap;
+import android.os.Bundle;
+import android.os.RemoteException;
+import android.util.DisplayMetrics;
+import android.util.Log;
+import android.view.View;
+import android.widget.Button;
+import android.widget.TextView;
+import android.widget.Spinner;
+import android.widget.ArrayAdapter;
+import android.widget.AdapterView;
+
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Locale;
+
+/**
+ * This activity assists in generating the specially-formatted bitmaps
+ * of text needed for recovery's localized text display.  Each image
+ * contains all the translations of a single string; above each
+ * translation is a "header row" that encodes that subimage's width,
+ * height, and locale using pixel values.
+ *
+ * To use this app to generate new translations:
+ *
+ *   - Update the string resources in res/values-*
+ *
+ *   - Build and run the app.  Select the string you want to
+ *     translate, and press the "Go" button.
+ *
+ *   - Wait for it to finish cycling through all the strings, then
+ *     pull /data/data/com.android.recovery_l10n/files/text-out.png
+ *     from the device.
+ *
+ *   - "pngcrush -c 0 text-out.png output.png"
+ *
+ *   - Put output.png in bootable/recovery/res/images/ (renamed
+ *     appropriately).
+ *
+ * Recovery expects 8-bit 1-channel images (white text on black
+ * background).  pngcrush -c 0 will convert the output of this program
+ * to such an image.  If you use any other image handling tools,
+ * remember that they must be lossless to preserve the exact values of
+ * pixels in the header rows; don't convert them to jpeg or anything.
+ */
+
+public class Main extends Activity {
+    private static final String TAG = "RecoveryL10N";
+
+    HashMap<Locale, Bitmap> savedBitmaps;
+    TextView mText;
+    int mStringId = R.string.recovery_installing;
+
+    public class TextCapture implements Runnable {
+        private Locale nextLocale;
+        private Locale thisLocale;
+        private Runnable next;
+
+        TextCapture(Locale thisLocale, Locale nextLocale, Runnable next) {
+            this.nextLocale = nextLocale;
+            this.thisLocale = thisLocale;
+            this.next = next;
+        }
+
+        public void run() {
+            Bitmap b = mText.getDrawingCache();
+            savedBitmaps.put(thisLocale, b.copy(Bitmap.Config.ARGB_8888, false));
+
+            if (nextLocale != null) {
+                switchTo(nextLocale);
+            }
+
+            if (next != null) {
+                mText.postDelayed(next, 200);
+            }
+        }
+    }
+
+    private void switchTo(Locale locale) {
+        Resources standardResources = getResources();
+        AssetManager assets = standardResources.getAssets();
+        DisplayMetrics metrics = standardResources.getDisplayMetrics();
+        Configuration config = new Configuration(standardResources.getConfiguration());
+        config.locale = locale;
+        Resources defaultResources = new Resources(assets, metrics, config);
+
+        mText.setText(mStringId);
+
+        mText.setDrawingCacheEnabled(false);
+        mText.setDrawingCacheEnabled(true);
+        mText.setDrawingCacheQuality(View.DRAWING_CACHE_QUALITY_HIGH);
+    }
+
+    @Override
+    public void onCreate(Bundle savedInstance) {
+        super.onCreate(savedInstance);
+        setContentView(R.layout.main);
+
+        savedBitmaps = new HashMap<Locale, Bitmap>();
+
+        Spinner spinner = (Spinner) findViewById(R.id.which);
+        ArrayAdapter<CharSequence> adapter = ArrayAdapter.createFromResource(
+            this, R.array.string_options, android.R.layout.simple_spinner_item);
+        adapter.setDropDownViewResource(android.R.layout.simple_spinner_dropdown_item);
+        spinner.setAdapter(adapter);
+        spinner.setOnItemSelectedListener(new AdapterView.OnItemSelectedListener() {
+            @Override
+            public void onItemSelected(AdapterView parent, View view,
+                                       int pos, long id) {
+                switch (pos) {
+                    case 0: mStringId = R.string.recovery_installing; break;
+                    case 1: mStringId = R.string.recovery_erasing; break;
+                    case 2: mStringId = R.string.recovery_no_command; break;
+                    case 3: mStringId = R.string.recovery_error; break;
+                }
+            }
+            @Override public void onNothingSelected(AdapterView parent) { }
+            });
+
+        mText = (TextView) findViewById(R.id.text);
+
+        String[] localeNames = getAssets().getLocales();
+        Arrays.sort(localeNames);
+        ArrayList<Locale> locales = new ArrayList<Locale>();
+        for (String localeName : localeNames) {
+            Log.i(TAG, "locale = " + localeName);
+            locales.add(Locale.forLanguageTag(localeName));
+        }
+
+        final Runnable seq = buildSequence(locales.toArray(new Locale[0]));
+
+        Button b = (Button) findViewById(R.id.go);
+        b.setOnClickListener(new View.OnClickListener() {
+            @Override
+            public void onClick(View ignore) {
+                mText.post(seq);
+            }
+            });
+    }
+
+    private Runnable buildSequence(final Locale[] locales) {
+        Runnable head = new Runnable() { public void run() { mergeBitmaps(locales); } };
+        Locale prev = null;
+        for (Locale loc : locales) {
+            head = new TextCapture(loc, prev, head);
+            prev = loc;
+        }
+        final Runnable fhead = head;
+        final Locale floc = prev;
+        return new Runnable() { public void run() { startSequence(fhead, floc); } };
+    }
+
+    private void startSequence(Runnable firstRun, Locale firstLocale) {
+        savedBitmaps.clear();
+        switchTo(firstLocale);
+        mText.postDelayed(firstRun, 200);
+    }
+
+    private void saveBitmap(Bitmap b, String filename) {
+        try {
+            FileOutputStream fos = openFileOutput(filename, 0);
+            b.compress(Bitmap.CompressFormat.PNG, 100, fos);
+            fos.close();
+        } catch (IOException e) {
+            Log.i(TAG, "failed to write PNG", e);
+        }
+    }
+
+    private int colorFor(byte b) {
+        return 0xff000000 | (b<<16) | (b<<8) | b;
+    }
+
+    private int colorFor(int b) {
+        return 0xff000000 | (b<<16) | (b<<8) | b;
+    }
+
+    private void mergeBitmaps(final Locale[] locales) {
+        HashMap<String, Integer> countByLanguage = new HashMap<String, Integer>();
+
+        int height = 2;
+        int width = 10;
+        int maxHeight = 0;
+        for (Locale loc : locales) {
+            Bitmap b = savedBitmaps.get(loc);
+            int h = b.getHeight();
+            int w = b.getWidth();
+            height += h+1;
+            if (h > maxHeight) maxHeight = h;
+            if (w > width) width = w;
+
+            String lang = loc.getLanguage();
+            if (countByLanguage.containsKey(lang)) {
+                countByLanguage.put(lang, countByLanguage.get(lang)+1);
+            } else {
+                countByLanguage.put(lang, 1);
+            }
+        }
+
+        Log.i(TAG, "output bitmap is " + width + " x " + height);
+        Bitmap out = Bitmap.createBitmap(width, height, Bitmap.Config.ARGB_8888);
+        out.eraseColor(0xff000000);
+        int[] pixels = new int[maxHeight * width];
+
+        int p = 0;
+        for (Locale loc : locales) {
+            Bitmap bm = savedBitmaps.get(loc);
+            int h = bm.getHeight();
+            int w = bm.getWidth();
+
+            bm.getPixels(pixels, 0, w, 0, 0, w, h);
+
+            // Find the rightmost and leftmost columns with any
+            // nonblack pixels; we'll copy just that region to the
+            // output image.
+
+            int right = w;
+            while (right > 1) {
+                boolean all_black = true;
+                for (int j = 0; j < h; ++j) {
+                    if (pixels[j*w+right-1] != 0xff000000) {
+                        all_black = false;
+                        break;
+                    }
+                }
+                if (all_black) {
+                    --right;
+                } else {
+                    break;
+                }
+            }
+
+            int left = 0;
+            while (left < right-1) {
+                boolean all_black = true;
+                for (int j = 0; j < h; ++j) {
+                    if (pixels[j*w+left] != 0xff000000) {
+                        all_black = false;
+                        break;
+                    }
+                }
+                if (all_black) {
+                    ++left;
+                } else {
+                    break;
+                }
+            }
+
+            // Make the last country variant for a given language be
+            // the catch-all for that language (because recovery will
+            // take the first one that matches).
+            String lang = loc.getLanguage();
+            if (countByLanguage.get(lang) > 1) {
+                countByLanguage.put(lang, countByLanguage.get(lang)-1);
+                lang = loc.toString();
+            }
+            int tw = right - left;
+            Log.i(TAG, "encoding \"" + loc + "\" as \"" + lang + "\": " + tw + " x " + h);
+            byte[] langBytes = lang.getBytes();
+            out.setPixel(0, p, colorFor(tw & 0xff));
+            out.setPixel(1, p, colorFor(tw >>> 8));
+            out.setPixel(2, p, colorFor(h & 0xff));
+            out.setPixel(3, p, colorFor(h >>> 8));
+            out.setPixel(4, p, colorFor(langBytes.length));
+            int x = 5;
+            for (byte b : langBytes) {
+                out.setPixel(x, p, colorFor(b));
+                x++;
+            }
+            out.setPixel(x, p, colorFor(0));
+
+            p++;
+
+            out.setPixels(pixels, left, w, 0, p, tw, h);
+            p += h;
+        }
+
+        // if no languages match, suppress text display by using a
+        // single black pixel as the image.
+        out.setPixel(0, p, colorFor(1));
+        out.setPixel(1, p, colorFor(0));
+        out.setPixel(2, p, colorFor(1));
+        out.setPixel(3, p, colorFor(0));
+        out.setPixel(4, p, colorFor(0));
+        p++;
+
+        saveBitmap(out, "text-out.png");
+        Log.i(TAG, "wrote text-out.png");
+    }
+}
diff --git a/ui.cpp b/ui.cpp
index 1a0b079..2efb759 100644
--- a/ui.cpp
+++ b/ui.cpp
@@ -28,6 +28,7 @@
 #include <time.h>
 #include <unistd.h>
 
+#include <cutils/properties.h>
 #include <cutils/android_reboot.h>
 
 #include "common.h"
@@ -174,7 +175,8 @@
 
           case RecoveryUI::REBOOT:
             if (reboot_enabled) {
-                android_reboot(ANDROID_RB_RESTART, 0, 0);
+                property_set(ANDROID_RB_PROPERTY, "reboot,");
+                while (true) { pause(); }
             }
             break;
 
diff --git a/ui.h b/ui.h
index 4dcaa0f..82d95a3 100644
--- a/ui.h
+++ b/ui.h
@@ -39,6 +39,7 @@
     // Set the overall recovery state ("background image").
     enum Icon { NONE, INSTALLING_UPDATE, ERASING, NO_COMMAND, ERROR };
     virtual void SetBackground(Icon icon) = 0;
+    virtual void SetSystemUpdateText(bool security_update) = 0;
 
     // --- progress indicator ---
     enum ProgressType { EMPTY, INDETERMINATE, DETERMINATE };
@@ -62,8 +63,10 @@
     virtual bool WasTextEverVisible() = 0;
 
     // Write a message to the on-screen log (shown if the user has
-    // toggled on the text display).
+    // toggled on the text display). Print() will also dump the message
+    // to stdout / log file, while PrintOnScreenOnly() not.
     virtual void Print(const char* fmt, ...) __printflike(2, 3) = 0;
+    virtual void PrintOnScreenOnly(const char* fmt, ...) __printflike(2, 3) = 0;
 
     virtual void ShowFile(const char* filename) = 0;
 
diff --git a/uncrypt/Android.mk b/uncrypt/Android.mk
index c7d4d37..09cfdfc 100644
--- a/uncrypt/Android.mk
+++ b/uncrypt/Android.mk
@@ -15,11 +15,27 @@
 LOCAL_PATH := $(call my-dir)
 
 include $(CLEAR_VARS)
+LOCAL_CLANG := true
+LOCAL_SRC_FILES := bootloader_message_writer.cpp
+LOCAL_MODULE := libbootloader_message_writer
+LOCAL_STATIC_LIBRARIES := libbase libfs_mgr
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/..
+LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)/include
+include $(BUILD_STATIC_LIBRARY)
+
+include $(CLEAR_VARS)
+
+LOCAL_CLANG := true
 
 LOCAL_SRC_FILES := uncrypt.cpp
 
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/..
+
 LOCAL_MODULE := uncrypt
 
-LOCAL_STATIC_LIBRARIES := libbase liblog libfs_mgr libcutils
+LOCAL_STATIC_LIBRARIES := libbootloader_message_writer libbase \
+                          liblog libfs_mgr libcutils \
+
+LOCAL_INIT_RC := uncrypt.rc
 
 include $(BUILD_EXECUTABLE)
diff --git a/uncrypt/bootloader_message_writer.cpp b/uncrypt/bootloader_message_writer.cpp
new file mode 100644
index 0000000..3bb106a
--- /dev/null
+++ b/uncrypt/bootloader_message_writer.cpp
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <sys/system_properties.h>
+
+#include <string>
+#include <vector>
+
+#include <android-base/file.h>
+#include <android-base/stringprintf.h>
+#include <android-base/unique_fd.h>
+#include <fs_mgr.h>
+
+#include "bootloader.h"
+
+static struct fstab* read_fstab(std::string* err) {
+  // The fstab path is always "/fstab.${ro.hardware}".
+  std::string fstab_path = "/fstab.";
+  char value[PROP_VALUE_MAX];
+  if (__system_property_get("ro.hardware", value) == 0) {
+    *err = "failed to get ro.hardware";
+    return nullptr;
+  }
+  fstab_path += value;
+  struct fstab* fstab = fs_mgr_read_fstab(fstab_path.c_str());
+  if (fstab == nullptr) {
+    *err = "failed to read " + fstab_path;
+  }
+  return fstab;
+}
+
+static std::string get_misc_blk_device(std::string* err) {
+  struct fstab* fstab = read_fstab(err);
+  if (fstab == nullptr) {
+    return "";
+  }
+  fstab_rec* record = fs_mgr_get_entry_for_mount_point(fstab, "/misc");
+  if (record == nullptr) {
+    *err = "failed to find /misc partition";
+    return "";
+  }
+  return record->blk_device;
+}
+
+static bool write_bootloader_message(const bootloader_message& boot, std::string* err) {
+  std::string misc_blk_device = get_misc_blk_device(err);
+  if (misc_blk_device.empty()) {
+    return false;
+  }
+  android::base::unique_fd fd(open(misc_blk_device.c_str(), O_WRONLY | O_SYNC));
+  if (fd.get() == -1) {
+    *err = android::base::StringPrintf("failed to open %s: %s", misc_blk_device.c_str(),
+                                       strerror(errno));
+    return false;
+  }
+  if (!android::base::WriteFully(fd.get(), &boot, sizeof(boot))) {
+    *err = android::base::StringPrintf("failed to write %s: %s", misc_blk_device.c_str(),
+                                       strerror(errno));
+    return false;
+  }
+  // TODO: O_SYNC and fsync duplicates each other?
+  if (fsync(fd.get()) == -1) {
+    *err = android::base::StringPrintf("failed to fsync %s: %s", misc_blk_device.c_str(),
+                                       strerror(errno));
+    return false;
+  }
+  return true;
+}
+
+bool clear_bootloader_message(std::string* err) {
+  bootloader_message boot = {};
+  return write_bootloader_message(boot, err);
+}
+
+bool write_bootloader_message(const std::vector<std::string>& options, std::string* err) {
+  bootloader_message boot = {};
+  strlcpy(boot.command, "boot-recovery", sizeof(boot.command));
+  strlcpy(boot.recovery, "recovery\n", sizeof(boot.recovery));
+  for (const auto& s : options) {
+    strlcat(boot.recovery, s.c_str(), sizeof(boot.recovery));
+    if (s.back() != '\n') {
+      strlcat(boot.recovery, "\n", sizeof(boot.recovery));
+    }
+  }
+  return write_bootloader_message(boot, err);
+}
+
+extern "C" bool write_bootloader_message(const char* options) {
+  std::string err;
+  return write_bootloader_message({options}, &err);
+}
diff --git a/uncrypt/include/bootloader_message_writer.h b/uncrypt/include/bootloader_message_writer.h
new file mode 100644
index 0000000..e0ca3f4
--- /dev/null
+++ b/uncrypt/include/bootloader_message_writer.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BOOTLOADER_MESSAGE_WRITER_H
+#define BOOTLOADER_MESSAGE_WRITER_H
+
+#ifdef __cplusplus
+#include <string>
+#include <vector>
+
+bool clear_bootloader_message(std::string* err);
+
+bool write_bootloader_message(const std::vector<std::string>& options, std::string* err);
+
+#else
+#include <stdbool.h>
+
+// C Interface.
+bool write_bootloader_message(const char* options);
+#endif
+
+#endif  // BOOTLOADER_MESSAGE_WRITER_H
diff --git a/uncrypt/uncrypt.cpp b/uncrypt/uncrypt.cpp
index 46da86d..d7105a0 100644
--- a/uncrypt/uncrypt.cpp
+++ b/uncrypt/uncrypt.cpp
@@ -39,75 +39,126 @@
 // Recovery can take this block map file and retrieve the underlying
 // file data to use as an update package.
 
+/**
+ * In addition to the uncrypt work, uncrypt also takes care of setting and
+ * clearing the bootloader control block (BCB) at /misc partition.
+ *
+ * uncrypt is triggered as init services on demand. It uses socket to
+ * communicate with its caller (i.e. system_server). The socket is managed by
+ * init (i.e. created prior to the service starts, and destroyed when uncrypt
+ * exits).
+ *
+ * Below is the uncrypt protocol.
+ *
+ *    a. caller                 b. init                    c. uncrypt
+ * ---------------            ------------               --------------
+ *  a1. ctl.start:
+ *    setup-bcb /
+ *    clear-bcb /
+ *    uncrypt
+ *
+ *                         b2. create socket at
+ *                           /dev/socket/uncrypt
+ *
+ *                                                   c3. listen and accept
+ *
+ *  a4. send a 4-byte int
+ *    (message length)
+ *                                                   c5. receive message length
+ *  a6. send message
+ *                                                   c7. receive message
+ *                                                   c8. <do the work; may send
+ *                                                      the progress>
+ *  a9. <may handle progress>
+ *                                                   c10. <upon finishing>
+ *                                                     send "100" or "-1"
+ *
+ *  a11. receive status code
+ *  a12. send a 4-byte int to
+ *    ack the receive of the
+ *    final status code
+ *                                                   c13. receive and exit
+ *
+ *                          b14. destroy the socket
+ *
+ * Note that a12 and c13 are necessary to ensure a11 happens before the socket
+ * gets destroyed in b14.
+ */
+
+#include <arpa/inet.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <inttypes.h>
+#include <libgen.h>
 #include <linux/fs.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/mman.h>
+#include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
 
-#include <base/file.h>
-#include <base/strings.h>
+#include <algorithm>
+#include <memory>
+#include <vector>
+
+#include <android-base/file.h>
+#include <android-base/logging.h>
+#include <android-base/stringprintf.h>
+#include <android-base/strings.h>
+#include <bootloader_message_writer.h>
+#include <cutils/android_reboot.h>
 #include <cutils/properties.h>
+#include <cutils/sockets.h>
 #include <fs_mgr.h>
+
 #define LOG_TAG "uncrypt"
 #include <log/log.h>
 
+#include "unique_fd.h"
+
 #define WINDOW_SIZE 5
 
-static const std::string cache_block_map = "/cache/recovery/block.map";
-static const std::string status_file = "/cache/recovery/uncrypt_status";
-static const std::string uncrypt_file = "/cache/recovery/uncrypt_file";
+// uncrypt provides three services: SETUP_BCB, CLEAR_BCB and UNCRYPT.
+//
+// SETUP_BCB and CLEAR_BCB services use socket communication and do not rely
+// on /cache partitions. They will handle requests to reboot into recovery
+// (for applying updates for non-A/B devices, or factory resets for all
+// devices).
+//
+// UNCRYPT service still needs files on /cache partition (UNCRYPT_PATH_FILE
+// and CACHE_BLOCK_MAP). It will be working (and needed) only for non-A/B
+// devices, on which /cache partitions always exist.
+static const std::string CACHE_BLOCK_MAP = "/cache/recovery/block.map";
+static const std::string UNCRYPT_PATH_FILE = "/cache/recovery/uncrypt_file";
+static const std::string UNCRYPT_SOCKET = "uncrypt";
 
-static struct fstab* fstab = NULL;
+static struct fstab* fstab = nullptr;
 
 static int write_at_offset(unsigned char* buffer, size_t size, int wfd, off64_t offset) {
     if (TEMP_FAILURE_RETRY(lseek64(wfd, offset, SEEK_SET)) == -1) {
-        ALOGE("error seeking to offset %lld: %s\n", offset, strerror(errno));
+        ALOGE("error seeking to offset %" PRId64 ": %s", offset, strerror(errno));
         return -1;
     }
-    size_t written = 0;
-    while (written < size) {
-        ssize_t wrote = TEMP_FAILURE_RETRY(write(wfd, buffer + written, size - written));
-        if (wrote == -1) {
-            ALOGE("error writing offset %lld: %s\n", (offset + written), strerror(errno));
-            return -1;
-        }
-        written += wrote;
+    if (!android::base::WriteFully(wfd, buffer, size)) {
+        ALOGE("error writing offset %" PRId64 ": %s", offset, strerror(errno));
+        return -1;
     }
     return 0;
 }
 
-static void add_block_to_ranges(int** ranges, int* range_alloc, int* range_used, int new_block) {
-    // If the current block start is < 0, set the start to the new
-    // block.  (This only happens for the very first block of the very
-    // first range.)
-    if ((*ranges)[*range_used*2-2] < 0) {
-        (*ranges)[*range_used*2-2] = new_block;
-        (*ranges)[*range_used*2-1] = new_block;
-    }
-
-    if (new_block == (*ranges)[*range_used*2-1]) {
+static void add_block_to_ranges(std::vector<int>& ranges, int new_block) {
+    if (!ranges.empty() && new_block == ranges.back()) {
         // If the new block comes immediately after the current range,
         // all we have to do is extend the current range.
-        ++(*ranges)[*range_used*2-1];
+        ++ranges.back();
     } else {
         // We need to start a new range.
-
-        // If there isn't enough room in the array, we need to expand it.
-        if (*range_used >= *range_alloc) {
-            *range_alloc *= 2;
-            *ranges = reinterpret_cast<int*>(realloc(*ranges, *range_alloc * 2 * sizeof(int)));
-        }
-
-        ++*range_used;
-        (*ranges)[*range_used*2-2] = new_block;
-        (*ranges)[*range_used*2-1] = new_block+1;
+        ranges.push_back(new_block);
+        ranges.push_back(new_block + 1);
     }
 }
 
@@ -117,13 +168,13 @@
     // The fstab path is always "/fstab.${ro.hardware}".
     char fstab_path[PATH_MAX+1] = "/fstab.";
     if (!property_get("ro.hardware", fstab_path+strlen(fstab_path), "")) {
-        ALOGE("failed to get ro.hardware\n");
+        ALOGE("failed to get ro.hardware");
         return NULL;
     }
 
     fstab = fs_mgr_read_fstab(fstab_path);
     if (!fstab) {
-        ALOGE("failed to read %s\n", fstab_path);
+        ALOGE("failed to read %s", fstab_path);
         return NULL;
     }
 
@@ -159,101 +210,108 @@
     return NULL;
 }
 
+static bool write_status_to_socket(int status, int socket) {
+    int status_out = htonl(status);
+    return android::base::WriteFully(socket, &status_out, sizeof(int));
+}
+
 // Parse uncrypt_file to find the update package name.
-static bool find_uncrypt_package(std::string& package_name)
-{
-    if (!android::base::ReadFileToString(uncrypt_file, &package_name)) {
-        ALOGE("failed to open \"%s\": %s\n", uncrypt_file.c_str(), strerror(errno));
+static bool find_uncrypt_package(const std::string& uncrypt_path_file, std::string* package_name) {
+    CHECK(package_name != nullptr);
+    std::string uncrypt_path;
+    if (!android::base::ReadFileToString(uncrypt_path_file, &uncrypt_path)) {
+        ALOGE("failed to open \"%s\": %s", uncrypt_path_file.c_str(), strerror(errno));
         return false;
     }
 
     // Remove the trailing '\n' if present.
-    package_name = android::base::Trim(package_name);
-
+    *package_name = android::base::Trim(uncrypt_path);
     return true;
 }
 
 static int produce_block_map(const char* path, const char* map_file, const char* blk_dev,
-                             bool encrypted, int status_fd) {
-    int mapfd = open(map_file, O_WRONLY | O_CREAT | O_SYNC, S_IRUSR | S_IWUSR);
-    if (mapfd == -1) {
-        ALOGE("failed to open %s\n", map_file);
+                             bool encrypted, int socket) {
+    std::string err;
+    if (!android::base::RemoveFileIfExists(map_file, &err)) {
+        ALOGE("failed to remove the existing map file %s: %s", map_file, err.c_str());
         return -1;
     }
-    FILE* mapf = fdopen(mapfd, "w");
+    std::string tmp_map_file = std::string(map_file) + ".tmp";
+    unique_fd mapfd(open(tmp_map_file.c_str(), O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR));
+    if (!mapfd) {
+        ALOGE("failed to open %s: %s\n", tmp_map_file.c_str(), strerror(errno));
+        return -1;
+    }
 
-    // Make sure we can write to the status_file.
-    if (!android::base::WriteStringToFd("0\n", status_fd)) {
-        ALOGE("failed to update \"%s\"\n", status_file.c_str());
+    // Make sure we can write to the socket.
+    if (!write_status_to_socket(0, socket)) {
+        ALOGE("failed to write to socket %d\n", socket);
         return -1;
     }
 
     struct stat sb;
-    int ret = stat(path, &sb);
-    if (ret != 0) {
-        ALOGE("failed to stat %s\n", path);
+    if (stat(path, &sb) != 0) {
+        ALOGE("failed to stat %s", path);
         return -1;
     }
 
-    ALOGI(" block size: %ld bytes\n", (long)sb.st_blksize);
+    ALOGI(" block size: %ld bytes", static_cast<long>(sb.st_blksize));
 
     int blocks = ((sb.st_size-1) / sb.st_blksize) + 1;
-    ALOGI("  file size: %lld bytes, %d blocks\n", (long long)sb.st_size, blocks);
+    ALOGI("  file size: %" PRId64 " bytes, %d blocks", sb.st_size, blocks);
 
-    int range_alloc = 1;
-    int range_used = 1;
-    int* ranges = reinterpret_cast<int*>(malloc(range_alloc * 2 * sizeof(int)));
-    ranges[0] = -1;
-    ranges[1] = -1;
+    std::vector<int> ranges;
 
-    fprintf(mapf, "%s\n%lld %lu\n", blk_dev, (long long)sb.st_size, (unsigned long)sb.st_blksize);
+    std::string s = android::base::StringPrintf("%s\n%" PRId64 " %ld\n",
+                       blk_dev, sb.st_size, static_cast<long>(sb.st_blksize));
+    if (!android::base::WriteStringToFd(s, mapfd.get())) {
+        ALOGE("failed to write %s: %s", tmp_map_file.c_str(), strerror(errno));
+        return -1;
+    }
 
-    unsigned char* buffers[WINDOW_SIZE];
+    std::vector<std::vector<unsigned char>> buffers;
     if (encrypted) {
-        for (size_t i = 0; i < WINDOW_SIZE; ++i) {
-            buffers[i] = reinterpret_cast<unsigned char*>(malloc(sb.st_blksize));
-        }
+        buffers.resize(WINDOW_SIZE, std::vector<unsigned char>(sb.st_blksize));
     }
     int head_block = 0;
     int head = 0, tail = 0;
-    size_t pos = 0;
 
-    int fd = open(path, O_RDONLY);
-    if (fd < 0) {
-        ALOGE("failed to open fd for reading: %s\n", strerror(errno));
+    unique_fd fd(open(path, O_RDONLY));
+    if (!fd) {
+        ALOGE("failed to open %s for reading: %s", path, strerror(errno));
         return -1;
     }
 
-    int wfd = -1;
+    unique_fd wfd(-1);
     if (encrypted) {
-        wfd = open(blk_dev, O_WRONLY | O_SYNC);
-        if (wfd < 0) {
-            ALOGE("failed to open fd for writing: %s\n", strerror(errno));
+        wfd = open(blk_dev, O_WRONLY);
+        if (!wfd) {
+            ALOGE("failed to open fd for writing: %s", strerror(errno));
             return -1;
         }
     }
 
+    off64_t pos = 0;
     int last_progress = 0;
     while (pos < sb.st_size) {
         // Update the status file, progress must be between [0, 99].
         int progress = static_cast<int>(100 * (double(pos) / double(sb.st_size)));
         if (progress > last_progress) {
-          last_progress = progress;
-          android::base::WriteStringToFd(std::to_string(progress) + "\n", status_fd);
+            last_progress = progress;
+            write_status_to_socket(progress, socket);
         }
 
         if ((tail+1) % WINDOW_SIZE == head) {
             // write out head buffer
             int block = head_block;
-            ret = ioctl(fd, FIBMAP, &block);
-            if (ret != 0) {
-                ALOGE("failed to find block %d\n", head_block);
+            if (ioctl(fd.get(), FIBMAP, &block) != 0) {
+                ALOGE("failed to find block %d", head_block);
                 return -1;
             }
-            add_block_to_ranges(&ranges, &range_alloc, &range_used, block);
+            add_block_to_ranges(ranges, block);
             if (encrypted) {
-                if (write_at_offset(buffers[head], sb.st_blksize, wfd,
-                        (off64_t)sb.st_blksize * block) != 0) {
+                if (write_at_offset(buffers[head].data(), sb.st_blksize, wfd.get(),
+                        static_cast<off64_t>(sb.st_blksize) * block) != 0) {
                     return -1;
                 }
             }
@@ -263,17 +321,13 @@
 
         // read next block to tail
         if (encrypted) {
-            size_t so_far = 0;
-            while (so_far < sb.st_blksize && pos < sb.st_size) {
-                ssize_t this_read =
-                        TEMP_FAILURE_RETRY(read(fd, buffers[tail] + so_far, sb.st_blksize - so_far));
-                if (this_read == -1) {
-                    ALOGE("failed to read: %s\n", strerror(errno));
-                    return -1;
-                }
-                so_far += this_read;
-                pos += this_read;
+            size_t to_read = static_cast<size_t>(
+                    std::min(static_cast<off64_t>(sb.st_blksize), sb.st_size - pos));
+            if (!android::base::ReadFully(fd.get(), buffers[tail].data(), to_read)) {
+                ALOGE("failed to read: %s", strerror(errno));
+                return -1;
             }
+            pos += to_read;
         } else {
             // If we're not encrypting; we don't need to actually read
             // anything, just skip pos forward as if we'd read a
@@ -286,15 +340,14 @@
     while (head != tail) {
         // write out head buffer
         int block = head_block;
-        ret = ioctl(fd, FIBMAP, &block);
-        if (ret != 0) {
-            ALOGE("failed to find block %d\n", head_block);
+        if (ioctl(fd.get(), FIBMAP, &block) != 0) {
+            ALOGE("failed to find block %d", head_block);
             return -1;
         }
-        add_block_to_ranges(&ranges, &range_alloc, &range_used, block);
+        add_block_to_ranges(ranges, block);
         if (encrypted) {
-            if (write_at_offset(buffers[head], sb.st_blksize, wfd,
-                    (off64_t)sb.st_blksize * block) != 0) {
+            if (write_at_offset(buffers[head].data(), sb.st_blksize, wfd.get(),
+                    static_cast<off64_t>(sb.st_blksize) * block) != 0) {
                 return -1;
             }
         }
@@ -302,68 +355,66 @@
         ++head_block;
     }
 
-    fprintf(mapf, "%d\n", range_used);
-    for (int i = 0; i < range_used; ++i) {
-        fprintf(mapf, "%d %d\n", ranges[i*2], ranges[i*2+1]);
-    }
-
-    if (fsync(mapfd) == -1) {
-        ALOGE("failed to fsync \"%s\": %s\n", map_file, strerror(errno));
+    if (!android::base::WriteStringToFd(
+            android::base::StringPrintf("%zu\n", ranges.size() / 2), mapfd.get())) {
+        ALOGE("failed to write %s: %s", tmp_map_file.c_str(), strerror(errno));
         return -1;
     }
-    fclose(mapf);
-    close(fd);
-    if (encrypted) {
-        if (fsync(wfd) == -1) {
-            ALOGE("failed to fsync \"%s\": %s\n", blk_dev, strerror(errno));
+    for (size_t i = 0; i < ranges.size(); i += 2) {
+        if (!android::base::WriteStringToFd(
+                android::base::StringPrintf("%d %d\n", ranges[i], ranges[i+1]), mapfd.get())) {
+            ALOGE("failed to write %s: %s", tmp_map_file.c_str(), strerror(errno));
             return -1;
         }
-        close(wfd);
     }
 
+    if (fsync(mapfd.get()) == -1) {
+        ALOGE("failed to fsync \"%s\": %s", tmp_map_file.c_str(), strerror(errno));
+        return -1;
+    }
+    if (close(mapfd.get()) == -1) {
+        ALOGE("failed to close %s: %s", tmp_map_file.c_str(), strerror(errno));
+        return -1;
+    }
+    mapfd = -1;
+
+    if (encrypted) {
+        if (fsync(wfd.get()) == -1) {
+            ALOGE("failed to fsync \"%s\": %s", blk_dev, strerror(errno));
+            return -1;
+        }
+        if (close(wfd.get()) == -1) {
+            ALOGE("failed to close %s: %s", blk_dev, strerror(errno));
+            return -1;
+        }
+        wfd = -1;
+    }
+
+    if (rename(tmp_map_file.c_str(), map_file) == -1) {
+        ALOGE("failed to rename %s to %s: %s", tmp_map_file.c_str(), map_file, strerror(errno));
+        return -1;
+    }
+    // Sync dir to make rename() result written to disk.
+    std::string file_name = map_file;
+    std::string dir_name = dirname(&file_name[0]);
+    unique_fd dfd(open(dir_name.c_str(), O_RDONLY | O_DIRECTORY));
+    if (!dfd) {
+        ALOGE("failed to open dir %s: %s", dir_name.c_str(), strerror(errno));
+        return -1;
+    }
+    if (fsync(dfd.get()) == -1) {
+        ALOGE("failed to fsync %s: %s", dir_name.c_str(), strerror(errno));
+        return -1;
+    }
+    if (close(dfd.get()) == -1) {
+        ALOGE("failed to close %s: %s", dir_name.c_str(), strerror(errno));
+        return -1;
+    }
+    dfd = -1;
     return 0;
 }
 
-static void wipe_misc() {
-    ALOGI("removing old commands from misc");
-    for (int i = 0; i < fstab->num_entries; ++i) {
-        struct fstab_rec* v = &fstab->recs[i];
-        if (!v->mount_point) continue;
-        if (strcmp(v->mount_point, "/misc") == 0) {
-            int fd = open(v->blk_device, O_WRONLY | O_SYNC);
-            uint8_t zeroes[1088];   // sizeof(bootloader_message) from recovery
-            memset(zeroes, 0, sizeof(zeroes));
-
-            size_t written = 0;
-            size_t size = sizeof(zeroes);
-            while (written < size) {
-                ssize_t w = TEMP_FAILURE_RETRY(write(fd, zeroes, size-written));
-                if (w == -1) {
-                    ALOGE("zero write failed: %s\n", strerror(errno));
-                    return;
-                } else {
-                    written += w;
-                }
-            }
-            if (fsync(fd) == -1) {
-                ALOGE("failed to fsync \"%s\": %s\n", v->blk_device, strerror(errno));
-                close(fd);
-                return;
-            }
-            close(fd);
-        }
-    }
-}
-
-static void reboot_to_recovery() {
-    ALOGI("rebooting to recovery");
-    property_set("sys.powerctl", "reboot,recovery");
-    sleep(10);
-    ALOGE("reboot didn't succeed?");
-}
-
-int uncrypt(const char* input_path, const char* map_file, int status_fd) {
-
+static int uncrypt(const char* input_path, const char* map_file, const int socket) {
     ALOGI("update package is \"%s\"", input_path);
 
     // Turn the name of the file we're supposed to convert into an
@@ -374,10 +425,6 @@
         return 1;
     }
 
-    if (read_fstab() == NULL) {
-        return 1;
-    }
-
     bool encryptable;
     bool encrypted;
     const char* blk_dev = find_block_device(path, &encryptable, &encrypted);
@@ -389,8 +436,8 @@
     // If the filesystem it's on isn't encrypted, we only produce the
     // block map, we don't rewrite the file contents (it would be
     // pointless to do so).
-    ALOGI("encryptable: %s\n", encryptable ? "yes" : "no");
-    ALOGI("  encrypted: %s\n", encrypted ? "yes" : "no");
+    ALOGI("encryptable: %s", encryptable ? "yes" : "no");
+    ALOGI("  encrypted: %s", encrypted ? "yes" : "no");
 
     // Recovery supports installing packages from 3 paths: /cache,
     // /data, and /sdcard.  (On a particular device, other locations
@@ -401,7 +448,7 @@
     // and /sdcard we leave the file alone.
     if (strncmp(path, "/data/", 6) == 0) {
         ALOGI("writing block map %s", map_file);
-        if (produce_block_map(path, map_file, blk_dev, encrypted, status_fd) != 0) {
+        if (produce_block_map(path, map_file, blk_dev, encrypted, socket) != 0) {
             return 1;
         }
     }
@@ -409,57 +456,141 @@
     return 0;
 }
 
-int main(int argc, char** argv) {
-    const char* input_path;
-    const char* map_file;
+static bool uncrypt_wrapper(const char* input_path, const char* map_file, const int socket) {
+    std::string package;
+    if (input_path == nullptr) {
+        if (!find_uncrypt_package(UNCRYPT_PATH_FILE, &package)) {
+            write_status_to_socket(-1, socket);
+            return false;
+        }
+        input_path = package.c_str();
+    }
+    CHECK(map_file != nullptr);
+    int status = uncrypt(input_path, map_file, socket);
+    if (status != 0) {
+        write_status_to_socket(-1, socket);
+        return false;
+    }
+    write_status_to_socket(100, socket);
+    return true;
+}
 
-    if (argc != 3 && argc != 1 && (argc == 2 && strcmp(argv[1], "--reboot") != 0)) {
-        fprintf(stderr, "usage: %s [--reboot] [<transform_path> <map_file>]\n", argv[0]);
+static bool clear_bcb(const int socket) {
+    std::string err;
+    if (!clear_bootloader_message(&err)) {
+        ALOGE("failed to clear bootloader message: %s", err.c_str());
+        write_status_to_socket(-1, socket);
+        return false;
+    }
+    write_status_to_socket(100, socket);
+    return true;
+}
+
+static bool setup_bcb(const int socket) {
+    // c5. receive message length
+    int length;
+    if (!android::base::ReadFully(socket, &length, 4)) {
+        ALOGE("failed to read the length: %s", strerror(errno));
+        return false;
+    }
+    length = ntohl(length);
+
+    // c7. receive message
+    std::string content;
+    content.resize(length);
+    if (!android::base::ReadFully(socket, &content[0], length)) {
+        ALOGE("failed to read the length: %s", strerror(errno));
+        return false;
+    }
+    ALOGI("  received command: [%s] (%zu)", content.c_str(), content.size());
+
+    // c8. setup the bcb command
+    std::string err;
+    if (!write_bootloader_message({content}, &err)) {
+        ALOGE("failed to set bootloader message: %s", err.c_str());
+        write_status_to_socket(-1, socket);
+        return false;
+    }
+    // c10. send "100" status
+    write_status_to_socket(100, socket);
+    return true;
+}
+
+static void usage(const char* exename) {
+    fprintf(stderr, "Usage of %s:\n", exename);
+    fprintf(stderr, "%s [<package_path> <map_file>]  Uncrypt ota package.\n", exename);
+    fprintf(stderr, "%s --clear-bcb  Clear BCB data in misc partition.\n", exename);
+    fprintf(stderr, "%s --setup-bcb  Setup BCB data by command file.\n", exename);
+}
+
+int main(int argc, char** argv) {
+    enum { UNCRYPT, SETUP_BCB, CLEAR_BCB } action;
+    const char* input_path = nullptr;
+    const char* map_file = CACHE_BLOCK_MAP.c_str();
+
+    if (argc == 2 && strcmp(argv[1], "--clear-bcb") == 0) {
+        action = CLEAR_BCB;
+    } else if (argc == 2 && strcmp(argv[1], "--setup-bcb") == 0) {
+        action = SETUP_BCB;
+    } else if (argc == 1) {
+        action = UNCRYPT;
+    } else if (argc == 3) {
+        input_path = argv[1];
+        map_file = argv[2];
+        action = UNCRYPT;
+    } else {
+        usage(argv[0]);
         return 2;
     }
 
-    // When uncrypt is started with "--reboot", it wipes misc and reboots.
-    // Otherwise it uncrypts the package and writes the block map.
-    if (argc == 2) {
-        if (read_fstab() == NULL) {
-            return 1;
-        }
-        wipe_misc();
-        reboot_to_recovery();
-    } else {
-        // The pipe has been created by the system server.
-        int status_fd = open(status_file.c_str(), O_WRONLY | O_CREAT | O_SYNC, S_IRUSR | S_IWUSR);
-        if (status_fd == -1) {
-            ALOGE("failed to open pipe \"%s\": %s\n", status_file.c_str(), strerror(errno));
-            return 1;
-        }
-
-        if (argc == 3) {
-            // when command-line args are given this binary is being used
-            // for debugging.
-            input_path = argv[1];
-            map_file = argv[2];
-        } else {
-            std::string package;
-            if (!find_uncrypt_package(package)) {
-                android::base::WriteStringToFd("-1\n", status_fd);
-                close(status_fd);
-                return 1;
-            }
-            input_path = package.c_str();
-            map_file = cache_block_map.c_str();
-        }
-
-        int status = uncrypt(input_path, map_file, status_fd);
-        if (status != 0) {
-            android::base::WriteStringToFd("-1\n", status_fd);
-            close(status_fd);
-            return 1;
-        }
-
-        android::base::WriteStringToFd("100\n", status_fd);
-        close(status_fd);
+    if ((fstab = read_fstab()) == nullptr) {
+        return 1;
     }
 
-    return 0;
+    // c3. The socket is created by init when starting the service. uncrypt
+    // will use the socket to communicate with its caller.
+    unique_fd service_socket(android_get_control_socket(UNCRYPT_SOCKET.c_str()));
+    if (!service_socket) {
+        ALOGE("failed to open socket \"%s\": %s", UNCRYPT_SOCKET.c_str(), strerror(errno));
+        return 1;
+    }
+    fcntl(service_socket.get(), F_SETFD, FD_CLOEXEC);
+
+    if (listen(service_socket.get(), 1) == -1) {
+        ALOGE("failed to listen on socket %d: %s", service_socket.get(), strerror(errno));
+        return 1;
+    }
+
+    unique_fd socket_fd(accept4(service_socket.get(), nullptr, nullptr, SOCK_CLOEXEC));
+    if (!socket_fd) {
+        ALOGE("failed to accept on socket %d: %s", service_socket.get(), strerror(errno));
+        return 1;
+    }
+
+    bool success = false;
+    switch (action) {
+        case UNCRYPT:
+            success = uncrypt_wrapper(input_path, map_file, socket_fd.get());
+            break;
+        case SETUP_BCB:
+            success = setup_bcb(socket_fd.get());
+            break;
+        case CLEAR_BCB:
+            success = clear_bcb(socket_fd.get());
+            break;
+        default:  // Should never happen.
+            ALOGE("Invalid uncrypt action code: %d", action);
+            return 1;
+    }
+
+    // c13. Read a 4-byte code from the client before uncrypt exits. This is to
+    // ensure the client to receive the last status code before the socket gets
+    // destroyed.
+    int code;
+    if (android::base::ReadFully(socket_fd.get(), &code, 4)) {
+        ALOGI("  received %d, exiting now", code);
+    } else {
+        ALOGE("failed to read the code: %s", strerror(errno));
+    }
+    return success ? 0 : 1;
 }
diff --git a/uncrypt/uncrypt.rc b/uncrypt/uncrypt.rc
new file mode 100644
index 0000000..52f564e
--- /dev/null
+++ b/uncrypt/uncrypt.rc
@@ -0,0 +1,17 @@
+service uncrypt /system/bin/uncrypt
+    class main
+    socket uncrypt stream 600 system system
+    disabled
+    oneshot
+
+service setup-bcb /system/bin/uncrypt --setup-bcb
+    class main
+    socket uncrypt stream 600 system system
+    disabled
+    oneshot
+
+service clear-bcb /system/bin/uncrypt --clear-bcb
+    class main
+    socket uncrypt stream 600 system system
+    disabled
+    oneshot
diff --git a/unique_fd.h b/unique_fd.h
new file mode 100644
index 0000000..cc85383
--- /dev/null
+++ b/unique_fd.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef UNIQUE_FD_H
+#define UNIQUE_FD_H
+
+#include <stdio.h>
+
+#include <memory>
+
+class unique_fd {
+  public:
+    unique_fd(int fd) : fd_(fd) { }
+
+    unique_fd(unique_fd&& uf) {
+        fd_ = uf.fd_;
+        uf.fd_ = -1;
+    }
+
+    ~unique_fd() {
+        if (fd_ != -1) {
+            close(fd_);
+        }
+    }
+
+    int get() {
+        return fd_;
+    }
+
+    // Movable.
+    unique_fd& operator=(unique_fd&& uf) {
+        fd_ = uf.fd_;
+        uf.fd_ = -1;
+        return *this;
+    }
+
+    explicit operator bool() const {
+        return fd_ != -1;
+    }
+
+  private:
+    int fd_;
+
+    // Non-copyable.
+    unique_fd(const unique_fd&) = delete;
+    unique_fd& operator=(const unique_fd&) = delete;
+};
+
+#endif  // UNIQUE_FD_H
diff --git a/update_verifier/Android.mk b/update_verifier/Android.mk
new file mode 100644
index 0000000..7f28bce
--- /dev/null
+++ b/update_verifier/Android.mk
@@ -0,0 +1,24 @@
+# Copyright (C) 2015 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_CLANG := true
+LOCAL_SRC_FILES := update_verifier.cpp
+LOCAL_MODULE := update_verifier
+LOCAL_SHARED_LIBRARIES := libhardware liblog
+
+include $(BUILD_EXECUTABLE)
diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp
new file mode 100644
index 0000000..be70cec
--- /dev/null
+++ b/update_verifier/update_verifier.cpp
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * This program verifies the integrity of the partitions after an A/B OTA
+ * update. It gets invoked by init, and will only perform the verification if
+ * it's the first boot post an A/B OTA update.
+ *
+ * It relies on dm-verity to capture any corruption on the partitions being
+ * verified. dm-verity must be in enforcing mode, so that it will reboot the
+ * device on dm-verity failures. When that happens, the bootloader should
+ * mark the slot as unbootable and stops trying. We should never see a device
+ * started in dm-verity logging mode but with isSlotMarkedSuccessful equals to
+ * 0.
+ *
+ * The current slot will be marked as having booted successfully if the
+ * verifier reaches the end after the verification.
+ *
+ * TODO: The actual verification part will be added later after we have the
+ * A/B OTA package format in place.
+ */
+
+#include <string.h>
+
+#include <hardware/boot_control.h>
+
+#define LOG_TAG       "update_verifier"
+#include <log/log.h>
+
+int main(int argc, char** argv) {
+  for (int i = 1; i < argc; i++) {
+    SLOGI("Started with arg %d: %s\n", i, argv[i]);
+  }
+
+  const hw_module_t* hw_module;
+  if (hw_get_module("bootctrl", &hw_module) != 0) {
+    SLOGE("Error getting bootctrl module.\n");
+    return -1;
+  }
+
+  boot_control_module_t* module = reinterpret_cast<boot_control_module_t*>(
+      const_cast<hw_module_t*>(hw_module));
+  module->init(module);
+
+  unsigned current_slot = module->getCurrentSlot(module);
+  int is_successful= module->isSlotMarkedSuccessful(module, current_slot);
+  SLOGI("Booting slot %u: isSlotMarkedSuccessful=%d\n", current_slot, is_successful);
+
+  if (is_successful == 0) {
+    // The current slot has not booted successfully.
+
+    // TODO: Add the actual verification after we have the A/B OTA package
+    // format in place.
+
+    // TODO: Assert the dm-verity mode. Bootloader should never boot a newly
+    // flashed slot (isSlotMarkedSuccessful == 0) with dm-verity logging mode.
+
+    int ret = module->markBootSuccessful(module);
+    if (ret != 0) {
+      SLOGE("Error marking booted successfully: %s\n", strerror(-ret));
+      return -1;
+    }
+    SLOGI("Marked slot %u as booted successfully.\n", current_slot);
+  }
+
+  SLOGI("Leaving update_verifier.\n");
+  return 0;
+}
diff --git a/updater/Android.mk b/updater/Android.mk
index ff02a33..d7aa613 100644
--- a/updater/Android.mk
+++ b/updater/Android.mk
@@ -1,11 +1,23 @@
 # Copyright 2009 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 LOCAL_PATH := $(call my-dir)
 
 updater_src_files := \
-	install.c \
-	blockimg.c \
-	updater.c
+	install.cpp \
+	blockimg.cpp \
+	updater.cpp
 
 #
 # Build a statically-linked binary to include in OTA packages
@@ -17,22 +29,25 @@
 # needed only for OTA packages.)
 LOCAL_MODULE_TAGS := eng
 
+LOCAL_CLANG := true
+
 LOCAL_SRC_FILES := $(updater_src_files)
 
+LOCAL_STATIC_LIBRARIES += libfec libfec_rs libext4_utils_static libsquashfs_utils libcrypto_static
+
 ifeq ($(TARGET_USERIMAGES_USE_EXT4), true)
 LOCAL_CFLAGS += -DUSE_EXT4
 LOCAL_CFLAGS += -Wno-unused-parameter
 LOCAL_C_INCLUDES += system/extras/ext4_utils
 LOCAL_STATIC_LIBRARIES += \
-    libext4_utils_static \
     libsparse_static \
     libz
 endif
 
 LOCAL_STATIC_LIBRARIES += $(TARGET_RECOVERY_UPDATER_LIBS) $(TARGET_RECOVERY_UPDATER_EXTRA_LIBS)
-LOCAL_STATIC_LIBRARIES += libapplypatch libedify libmtdutils libminzip libz
-LOCAL_STATIC_LIBRARIES += libmincrypt libbz
-LOCAL_STATIC_LIBRARIES += libcutils liblog libstdc++ libc
+LOCAL_STATIC_LIBRARIES += libapplypatch libbase libotafault libedify libmtdutils libminzip libz
+LOCAL_STATIC_LIBRARIES += libbz
+LOCAL_STATIC_LIBRARIES += libcutils liblog libc
 LOCAL_STATIC_LIBRARIES += libselinux
 tune2fs_static_libraries := \
  libext2_com_err \
diff --git a/updater/blockimg.c b/updater/blockimg.c
deleted file mode 100644
index b006d10..0000000
--- a/updater/blockimg.c
+++ /dev/null
@@ -1,1953 +0,0 @@
-/*
- * Copyright (C) 2014 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <ctype.h>
-#include <errno.h>
-#include <dirent.h>
-#include <fcntl.h>
-#include <inttypes.h>
-#include <libgen.h>
-#include <pthread.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <sys/ioctl.h>
-#include <time.h>
-#include <unistd.h>
-
-#include "applypatch/applypatch.h"
-#include "edify/expr.h"
-#include "mincrypt/sha.h"
-#include "minzip/Hash.h"
-#include "updater.h"
-
-#define BLOCKSIZE 4096
-
-// Set this to 0 to interpret 'erase' transfers to mean do a
-// BLKDISCARD ioctl (the normal behavior).  Set to 1 to interpret
-// erase to mean fill the region with zeroes.
-#define DEBUG_ERASE  0
-
-#ifndef BLKDISCARD
-#define BLKDISCARD _IO(0x12,119)
-#endif
-
-#define STASH_DIRECTORY_BASE "/cache/recovery"
-#define STASH_DIRECTORY_MODE 0700
-#define STASH_FILE_MODE 0600
-
-char* PrintSha1(const uint8_t* digest);
-
-typedef struct {
-    int count;
-    int size;
-    int pos[0];
-} RangeSet;
-
-static RangeSet* parse_range(char* text) {
-    char* save;
-    int num;
-    num = strtol(strtok_r(text, ",", &save), NULL, 0);
-
-    RangeSet* out = malloc(sizeof(RangeSet) + num * sizeof(int));
-    if (out == NULL) {
-        fprintf(stderr, "failed to allocate range of %zu bytes\n",
-                sizeof(RangeSet) + num * sizeof(int));
-        exit(1);
-    }
-    out->count = num / 2;
-    out->size = 0;
-    int i;
-    for (i = 0; i < num; ++i) {
-        out->pos[i] = strtol(strtok_r(NULL, ",", &save), NULL, 0);
-        if (i%2) {
-            out->size += out->pos[i];
-        } else {
-            out->size -= out->pos[i];
-        }
-    }
-
-    return out;
-}
-
-static int range_overlaps(RangeSet* r1, RangeSet* r2) {
-    int i, j, r1_0, r1_1, r2_0, r2_1;
-
-    if (!r1 || !r2) {
-        return 0;
-    }
-
-    for (i = 0; i < r1->count; ++i) {
-        r1_0 = r1->pos[i * 2];
-        r1_1 = r1->pos[i * 2 + 1];
-
-        for (j = 0; j < r2->count; ++j) {
-            r2_0 = r2->pos[j * 2];
-            r2_1 = r2->pos[j * 2 + 1];
-
-            if (!(r2_0 >= r1_1 || r1_0 >= r2_1)) {
-                return 1;
-            }
-        }
-    }
-
-    return 0;
-}
-
-static int read_all(int fd, uint8_t* data, size_t size) {
-    size_t so_far = 0;
-    while (so_far < size) {
-        ssize_t r = TEMP_FAILURE_RETRY(read(fd, data+so_far, size-so_far));
-        if (r == -1) {
-            fprintf(stderr, "read failed: %s\n", strerror(errno));
-            return -1;
-        }
-        so_far += r;
-    }
-    return 0;
-}
-
-static int write_all(int fd, const uint8_t* data, size_t size) {
-    size_t written = 0;
-    while (written < size) {
-        ssize_t w = TEMP_FAILURE_RETRY(write(fd, data+written, size-written));
-        if (w == -1) {
-            fprintf(stderr, "write failed: %s\n", strerror(errno));
-            return -1;
-        }
-        written += w;
-    }
-
-    if (fsync(fd) == -1) {
-        fprintf(stderr, "fsync failed: %s\n", strerror(errno));
-        return -1;
-    }
-
-    return 0;
-}
-
-static bool check_lseek(int fd, off64_t offset, int whence) {
-    off64_t rc = TEMP_FAILURE_RETRY(lseek64(fd, offset, whence));
-    if (rc == -1) {
-        fprintf(stderr, "lseek64 failed: %s\n", strerror(errno));
-        return false;
-    }
-    return true;
-}
-
-static void allocate(size_t size, uint8_t** buffer, size_t* buffer_alloc) {
-    // if the buffer's big enough, reuse it.
-    if (size <= *buffer_alloc) return;
-
-    free(*buffer);
-
-    *buffer = (uint8_t*) malloc(size);
-    if (*buffer == NULL) {
-        fprintf(stderr, "failed to allocate %zu bytes\n", size);
-        exit(1);
-    }
-    *buffer_alloc = size;
-}
-
-typedef struct {
-    int fd;
-    RangeSet* tgt;
-    int p_block;
-    size_t p_remain;
-} RangeSinkState;
-
-static ssize_t RangeSinkWrite(const uint8_t* data, ssize_t size, void* token) {
-    RangeSinkState* rss = (RangeSinkState*) token;
-
-    if (rss->p_remain <= 0) {
-        fprintf(stderr, "range sink write overrun");
-        return 0;
-    }
-
-    ssize_t written = 0;
-    while (size > 0) {
-        size_t write_now = size;
-
-        if (rss->p_remain < write_now) {
-            write_now = rss->p_remain;
-        }
-
-        if (write_all(rss->fd, data, write_now) == -1) {
-            break;
-        }
-
-        data += write_now;
-        size -= write_now;
-
-        rss->p_remain -= write_now;
-        written += write_now;
-
-        if (rss->p_remain == 0) {
-            // move to the next block
-            ++rss->p_block;
-            if (rss->p_block < rss->tgt->count) {
-                rss->p_remain = (rss->tgt->pos[rss->p_block * 2 + 1] -
-                                 rss->tgt->pos[rss->p_block * 2]) * BLOCKSIZE;
-
-                if (!check_lseek(rss->fd, (off64_t)rss->tgt->pos[rss->p_block*2] * BLOCKSIZE,
-                                 SEEK_SET)) {
-                    break;
-                }
-            } else {
-                // we can't write any more; return how many bytes have
-                // been written so far.
-                break;
-            }
-        }
-    }
-
-    return written;
-}
-
-// All of the data for all the 'new' transfers is contained in one
-// file in the update package, concatenated together in the order in
-// which transfers.list will need it.  We want to stream it out of the
-// archive (it's compressed) without writing it to a temp file, but we
-// can't write each section until it's that transfer's turn to go.
-//
-// To achieve this, we expand the new data from the archive in a
-// background thread, and block that threads 'receive uncompressed
-// data' function until the main thread has reached a point where we
-// want some new data to be written.  We signal the background thread
-// with the destination for the data and block the main thread,
-// waiting for the background thread to complete writing that section.
-// Then it signals the main thread to wake up and goes back to
-// blocking waiting for a transfer.
-//
-// NewThreadInfo is the struct used to pass information back and forth
-// between the two threads.  When the main thread wants some data
-// written, it sets rss to the destination location and signals the
-// condition.  When the background thread is done writing, it clears
-// rss and signals the condition again.
-
-typedef struct {
-    ZipArchive* za;
-    const ZipEntry* entry;
-
-    RangeSinkState* rss;
-
-    pthread_mutex_t mu;
-    pthread_cond_t cv;
-} NewThreadInfo;
-
-static bool receive_new_data(const unsigned char* data, int size, void* cookie) {
-    NewThreadInfo* nti = (NewThreadInfo*) cookie;
-
-    while (size > 0) {
-        // Wait for nti->rss to be non-NULL, indicating some of this
-        // data is wanted.
-        pthread_mutex_lock(&nti->mu);
-        while (nti->rss == NULL) {
-            pthread_cond_wait(&nti->cv, &nti->mu);
-        }
-        pthread_mutex_unlock(&nti->mu);
-
-        // At this point nti->rss is set, and we own it.  The main
-        // thread is waiting for it to disappear from nti.
-        ssize_t written = RangeSinkWrite(data, size, nti->rss);
-        data += written;
-        size -= written;
-
-        if (nti->rss->p_block == nti->rss->tgt->count) {
-            // we have written all the bytes desired by this rss.
-
-            pthread_mutex_lock(&nti->mu);
-            nti->rss = NULL;
-            pthread_cond_broadcast(&nti->cv);
-            pthread_mutex_unlock(&nti->mu);
-        }
-    }
-
-    return true;
-}
-
-static void* unzip_new_data(void* cookie) {
-    NewThreadInfo* nti = (NewThreadInfo*) cookie;
-    mzProcessZipEntryContents(nti->za, nti->entry, receive_new_data, nti);
-    return NULL;
-}
-
-static int ReadBlocks(RangeSet* src, uint8_t* buffer, int fd) {
-    int i;
-    size_t p = 0;
-    size_t size;
-
-    if (!src || !buffer) {
-        return -1;
-    }
-
-    for (i = 0; i < src->count; ++i) {
-        if (!check_lseek(fd, (off64_t) src->pos[i * 2] * BLOCKSIZE, SEEK_SET)) {
-            return -1;
-        }
-
-        size = (src->pos[i * 2 + 1] - src->pos[i * 2]) * BLOCKSIZE;
-
-        if (read_all(fd, buffer + p, size) == -1) {
-            return -1;
-        }
-
-        p += size;
-    }
-
-    return 0;
-}
-
-static int WriteBlocks(RangeSet* tgt, uint8_t* buffer, int fd) {
-    int i;
-    size_t p = 0;
-    size_t size;
-
-    if (!tgt || !buffer) {
-        return -1;
-    }
-
-    for (i = 0; i < tgt->count; ++i) {
-        if (!check_lseek(fd, (off64_t) tgt->pos[i * 2] * BLOCKSIZE, SEEK_SET)) {
-            return -1;
-        }
-
-        size = (tgt->pos[i * 2 + 1] - tgt->pos[i * 2]) * BLOCKSIZE;
-
-        if (write_all(fd, buffer + p, size) == -1) {
-            return -1;
-        }
-
-        p += size;
-    }
-
-    return 0;
-}
-
-// Do a source/target load for move/bsdiff/imgdiff in version 1.
-// 'wordsave' is the save_ptr of a strtok_r()-in-progress.  We expect
-// to parse the remainder of the string as:
-//
-//    <src_range> <tgt_range>
-//
-// The source range is loaded into the provided buffer, reallocating
-// it to make it larger if necessary.  The target ranges are returned
-// in *tgt, if tgt is non-NULL.
-
-static int LoadSrcTgtVersion1(char** wordsave, RangeSet** tgt, int* src_blocks,
-                               uint8_t** buffer, size_t* buffer_alloc, int fd) {
-    char* word;
-    int rc;
-
-    word = strtok_r(NULL, " ", wordsave);
-    RangeSet* src = parse_range(word);
-
-    if (tgt != NULL) {
-        word = strtok_r(NULL, " ", wordsave);
-        *tgt = parse_range(word);
-    }
-
-    allocate(src->size * BLOCKSIZE, buffer, buffer_alloc);
-    rc = ReadBlocks(src, *buffer, fd);
-    *src_blocks = src->size;
-
-    free(src);
-    return rc;
-}
-
-static int VerifyBlocks(const char *expected, const uint8_t *buffer,
-                        size_t blocks, int printerror) {
-    char* hexdigest = NULL;
-    int rc = -1;
-    uint8_t digest[SHA_DIGEST_SIZE];
-
-    if (!expected || !buffer) {
-        return rc;
-    }
-
-    SHA_hash(buffer, blocks * BLOCKSIZE, digest);
-    hexdigest = PrintSha1(digest);
-
-    if (hexdigest != NULL) {
-        rc = strcmp(expected, hexdigest);
-
-        if (rc != 0 && printerror) {
-            fprintf(stderr, "failed to verify blocks (expected %s, read %s)\n",
-                expected, hexdigest);
-        }
-
-        free(hexdigest);
-    }
-
-    return rc;
-}
-
-static char* GetStashFileName(const char* base, const char* id, const char* postfix) {
-    char* fn;
-    int len;
-    int res;
-
-    if (base == NULL) {
-        return NULL;
-    }
-
-    if (id == NULL) {
-        id = "";
-    }
-
-    if (postfix == NULL) {
-        postfix = "";
-    }
-
-    len = strlen(STASH_DIRECTORY_BASE) + 1 + strlen(base) + 1 + strlen(id) + strlen(postfix) + 1;
-    fn = malloc(len);
-
-    if (fn == NULL) {
-        fprintf(stderr, "failed to malloc %d bytes for fn\n", len);
-        return NULL;
-    }
-
-    res = snprintf(fn, len, STASH_DIRECTORY_BASE "/%s/%s%s", base, id, postfix);
-
-    if (res < 0 || res >= len) {
-        fprintf(stderr, "failed to format file name (return value %d)\n", res);
-        free(fn);
-        return NULL;
-    }
-
-    return fn;
-}
-
-typedef void (*StashCallback)(const char*, void*);
-
-// Does a best effort enumeration of stash files. Ignores possible non-file
-// items in the stash directory and continues despite of errors. Calls the
-// 'callback' function for each file and passes 'data' to the function as a
-// parameter.
-
-static void EnumerateStash(const char* dirname, StashCallback callback, void* data) {
-    char* fn;
-    DIR* directory;
-    int len;
-    int res;
-    struct dirent* item;
-
-    if (dirname == NULL || callback == NULL) {
-        return;
-    }
-
-    directory = opendir(dirname);
-
-    if (directory == NULL) {
-        if (errno != ENOENT) {
-            fprintf(stderr, "opendir \"%s\" failed: %s\n", dirname, strerror(errno));
-        }
-        return;
-    }
-
-    while ((item = readdir(directory)) != NULL) {
-        if (item->d_type != DT_REG) {
-            continue;
-        }
-
-        len = strlen(dirname) + 1 + strlen(item->d_name) + 1;
-        fn = malloc(len);
-
-        if (fn == NULL) {
-            fprintf(stderr, "failed to malloc %d bytes for fn\n", len);
-            continue;
-        }
-
-        res = snprintf(fn, len, "%s/%s", dirname, item->d_name);
-
-        if (res < 0 || res >= len) {
-            fprintf(stderr, "failed to format file name (return value %d)\n", res);
-            free(fn);
-            continue;
-        }
-
-        callback(fn, data);
-        free(fn);
-    }
-
-    if (closedir(directory) == -1) {
-        fprintf(stderr, "closedir \"%s\" failed: %s\n", dirname, strerror(errno));
-    }
-}
-
-static void UpdateFileSize(const char* fn, void* data) {
-    int* size = (int*) data;
-    struct stat st;
-
-    if (!fn || !data) {
-        return;
-    }
-
-    if (stat(fn, &st) == -1) {
-        fprintf(stderr, "stat \"%s\" failed: %s\n", fn, strerror(errno));
-        return;
-    }
-
-    *size += st.st_size;
-}
-
-// Deletes the stash directory and all files in it. Assumes that it only
-// contains files. There is nothing we can do about unlikely, but possible
-// errors, so they are merely logged.
-
-static void DeleteFile(const char* fn, void* data) {
-    if (fn) {
-        fprintf(stderr, "deleting %s\n", fn);
-
-        if (unlink(fn) == -1 && errno != ENOENT) {
-            fprintf(stderr, "unlink \"%s\" failed: %s\n", fn, strerror(errno));
-        }
-    }
-}
-
-static void DeletePartial(const char* fn, void* data) {
-    if (fn && strstr(fn, ".partial") != NULL) {
-        DeleteFile(fn, data);
-    }
-}
-
-static void DeleteStash(const char* base) {
-    char* dirname;
-
-    if (base == NULL) {
-        return;
-    }
-
-    dirname = GetStashFileName(base, NULL, NULL);
-
-    if (dirname == NULL) {
-        return;
-    }
-
-    fprintf(stderr, "deleting stash %s\n", base);
-    EnumerateStash(dirname, DeleteFile, NULL);
-
-    if (rmdir(dirname) == -1) {
-        if (errno != ENOENT && errno != ENOTDIR) {
-            fprintf(stderr, "rmdir \"%s\" failed: %s\n", dirname, strerror(errno));
-        }
-    }
-
-    free(dirname);
-}
-
-static int LoadStash(const char* base, const char* id, int verify, int* blocks, uint8_t** buffer,
-        size_t* buffer_alloc, int printnoent) {
-    char *fn = NULL;
-    int blockcount = 0;
-    int fd = -1;
-    int rc = -1;
-    int res;
-    struct stat st;
-
-    if (!base || !id || !buffer || !buffer_alloc) {
-        goto lsout;
-    }
-
-    if (!blocks) {
-        blocks = &blockcount;
-    }
-
-    fn = GetStashFileName(base, id, NULL);
-
-    if (fn == NULL) {
-        goto lsout;
-    }
-
-    res = stat(fn, &st);
-
-    if (res == -1) {
-        if (errno != ENOENT || printnoent) {
-            fprintf(stderr, "stat \"%s\" failed: %s\n", fn, strerror(errno));
-        }
-        goto lsout;
-    }
-
-    fprintf(stderr, " loading %s\n", fn);
-
-    if ((st.st_size % BLOCKSIZE) != 0) {
-        fprintf(stderr, "%s size %zd not multiple of block size %d", fn, st.st_size, BLOCKSIZE);
-        goto lsout;
-    }
-
-    fd = TEMP_FAILURE_RETRY(open(fn, O_RDONLY));
-
-    if (fd == -1) {
-        fprintf(stderr, "open \"%s\" failed: %s\n", fn, strerror(errno));
-        goto lsout;
-    }
-
-    allocate(st.st_size, buffer, buffer_alloc);
-
-    if (read_all(fd, *buffer, st.st_size) == -1) {
-        goto lsout;
-    }
-
-    *blocks = st.st_size / BLOCKSIZE;
-
-    if (verify && VerifyBlocks(id, *buffer, *blocks, 1) != 0) {
-        fprintf(stderr, "unexpected contents in %s\n", fn);
-        DeleteFile(fn, NULL);
-        goto lsout;
-    }
-
-    rc = 0;
-
-lsout:
-    if (fd != -1) {
-        close(fd);
-    }
-
-    if (fn) {
-        free(fn);
-    }
-
-    return rc;
-}
-
-static int WriteStash(const char* base, const char* id, int blocks, uint8_t* buffer,
-        int checkspace, int *exists) {
-    char *fn = NULL;
-    char *cn = NULL;
-    int fd = -1;
-    int rc = -1;
-    int dfd = -1;
-    int res;
-    struct stat st;
-
-    if (base == NULL || buffer == NULL) {
-        goto wsout;
-    }
-
-    if (checkspace && CacheSizeCheck(blocks * BLOCKSIZE) != 0) {
-        fprintf(stderr, "not enough space to write stash\n");
-        goto wsout;
-    }
-
-    fn = GetStashFileName(base, id, ".partial");
-    cn = GetStashFileName(base, id, NULL);
-
-    if (fn == NULL || cn == NULL) {
-        goto wsout;
-    }
-
-    if (exists) {
-        res = stat(cn, &st);
-
-        if (res == 0) {
-            // The file already exists and since the name is the hash of the contents,
-            // it's safe to assume the contents are identical (accidental hash collisions
-            // are unlikely)
-            fprintf(stderr, " skipping %d existing blocks in %s\n", blocks, cn);
-            *exists = 1;
-            rc = 0;
-            goto wsout;
-        }
-
-        *exists = 0;
-    }
-
-    fprintf(stderr, " writing %d blocks to %s\n", blocks, cn);
-
-    fd = TEMP_FAILURE_RETRY(open(fn, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, STASH_FILE_MODE));
-
-    if (fd == -1) {
-        fprintf(stderr, "failed to create \"%s\": %s\n", fn, strerror(errno));
-        goto wsout;
-    }
-
-    if (write_all(fd, buffer, blocks * BLOCKSIZE) == -1) {
-        goto wsout;
-    }
-
-    if (fsync(fd) == -1) {
-        fprintf(stderr, "fsync \"%s\" failed: %s\n", fn, strerror(errno));
-        goto wsout;
-    }
-
-    if (rename(fn, cn) == -1) {
-        fprintf(stderr, "rename(\"%s\", \"%s\") failed: %s\n", fn, cn, strerror(errno));
-        goto wsout;
-    }
-
-    const char* dname;
-    dname = dirname(cn);
-    dfd = TEMP_FAILURE_RETRY(open(dname, O_RDONLY | O_DIRECTORY));
-
-    if (dfd == -1) {
-        fprintf(stderr, "failed to open \"%s\" failed: %s\n", dname, strerror(errno));
-        goto wsout;
-    }
-
-    if (fsync(dfd) == -1) {
-        fprintf(stderr, "fsync \"%s\" failed: %s\n", dname, strerror(errno));
-        goto wsout;
-    }
-
-    rc = 0;
-
-wsout:
-    if (fd != -1) {
-        close(fd);
-    }
-
-    if (dfd != -1) {
-        close(dfd);
-    }
-
-    if (fn) {
-        free(fn);
-    }
-
-    if (cn) {
-        free(cn);
-    }
-
-    return rc;
-}
-
-// Creates a directory for storing stash files and checks if the /cache partition
-// hash enough space for the expected amount of blocks we need to store. Returns
-// >0 if we created the directory, zero if it existed already, and <0 of failure.
-
-static int CreateStash(State* state, int maxblocks, const char* blockdev, char** base) {
-    char* dirname = NULL;
-    const uint8_t* digest;
-    int rc = -1;
-    int res;
-    int size = 0;
-    SHA_CTX ctx;
-    struct stat st;
-
-    if (blockdev == NULL || base == NULL) {
-        goto csout;
-    }
-
-    // Stash directory should be different for each partition to avoid conflicts
-    // when updating multiple partitions at the same time, so we use the hash of
-    // the block device name as the base directory
-    SHA_init(&ctx);
-    SHA_update(&ctx, blockdev, strlen(blockdev));
-    digest = SHA_final(&ctx);
-    *base = PrintSha1(digest);
-
-    if (*base == NULL) {
-        goto csout;
-    }
-
-    dirname = GetStashFileName(*base, NULL, NULL);
-
-    if (dirname == NULL) {
-        goto csout;
-    }
-
-    res = stat(dirname, &st);
-
-    if (res == -1 && errno != ENOENT) {
-        ErrorAbort(state, "stat \"%s\" failed: %s\n", dirname, strerror(errno));
-        goto csout;
-    } else if (res != 0) {
-        fprintf(stderr, "creating stash %s\n", dirname);
-        res = mkdir(dirname, STASH_DIRECTORY_MODE);
-
-        if (res != 0) {
-            ErrorAbort(state, "mkdir \"%s\" failed: %s\n", dirname, strerror(errno));
-            goto csout;
-        }
-
-        if (CacheSizeCheck(maxblocks * BLOCKSIZE) != 0) {
-            ErrorAbort(state, "not enough space for stash\n");
-            goto csout;
-        }
-
-        rc = 1; // Created directory
-        goto csout;
-    }
-
-    fprintf(stderr, "using existing stash %s\n", dirname);
-
-    // If the directory already exists, calculate the space already allocated to
-    // stash files and check if there's enough for all required blocks. Delete any
-    // partially completed stash files first.
-
-    EnumerateStash(dirname, DeletePartial, NULL);
-    EnumerateStash(dirname, UpdateFileSize, &size);
-
-    size = (maxblocks * BLOCKSIZE) - size;
-
-    if (size > 0 && CacheSizeCheck(size) != 0) {
-        ErrorAbort(state, "not enough space for stash (%d more needed)\n", size);
-        goto csout;
-    }
-
-    rc = 0; // Using existing directory
-
-csout:
-    if (dirname) {
-        free(dirname);
-    }
-
-    return rc;
-}
-
-static int SaveStash(const char* base, char** wordsave, uint8_t** buffer, size_t* buffer_alloc,
-                      int fd, int usehash, int* isunresumable) {
-    char *id = NULL;
-    int res = -1;
-    int blocks = 0;
-
-    if (!wordsave || !buffer || !buffer_alloc || !isunresumable) {
-        return -1;
-    }
-
-    id = strtok_r(NULL, " ", wordsave);
-
-    if (id == NULL) {
-        fprintf(stderr, "missing id field in stash command\n");
-        return -1;
-    }
-
-    if (usehash && LoadStash(base, id, 1, &blocks, buffer, buffer_alloc, 0) == 0) {
-        // Stash file already exists and has expected contents. Do not
-        // read from source again, as the source may have been already
-        // overwritten during a previous attempt.
-        return 0;
-    }
-
-    if (LoadSrcTgtVersion1(wordsave, NULL, &blocks, buffer, buffer_alloc, fd) == -1) {
-        return -1;
-    }
-
-    if (usehash && VerifyBlocks(id, *buffer, blocks, 1) != 0) {
-        // Source blocks have unexpected contents. If we actually need this
-        // data later, this is an unrecoverable error. However, the command
-        // that uses the data may have already completed previously, so the
-        // possible failure will occur during source block verification.
-        fprintf(stderr, "failed to load source blocks for stash %s\n", id);
-        return 0;
-    }
-
-    fprintf(stderr, "stashing %d blocks to %s\n", blocks, id);
-    return WriteStash(base, id, blocks, *buffer, 0, NULL);
-}
-
-static int FreeStash(const char* base, const char* id) {
-    char *fn = NULL;
-
-    if (base == NULL || id == NULL) {
-        return -1;
-    }
-
-    fn = GetStashFileName(base, id, NULL);
-
-    if (fn == NULL) {
-        return -1;
-    }
-
-    DeleteFile(fn, NULL);
-    free(fn);
-
-    return 0;
-}
-
-static void MoveRange(uint8_t* dest, RangeSet* locs, const uint8_t* source) {
-    // source contains packed data, which we want to move to the
-    // locations given in *locs in the dest buffer.  source and dest
-    // may be the same buffer.
-
-    int start = locs->size;
-    int i;
-    for (i = locs->count-1; i >= 0; --i) {
-        int blocks = locs->pos[i*2+1] - locs->pos[i*2];
-        start -= blocks;
-        memmove(dest + (locs->pos[i*2] * BLOCKSIZE), source + (start * BLOCKSIZE),
-                blocks * BLOCKSIZE);
-    }
-}
-
-// Do a source/target load for move/bsdiff/imgdiff in version 2.
-// 'wordsave' is the save_ptr of a strtok_r()-in-progress.  We expect
-// to parse the remainder of the string as one of:
-//
-//    <tgt_range> <src_block_count> <src_range>
-//        (loads data from source image only)
-//
-//    <tgt_range> <src_block_count> - <[stash_id:stash_range] ...>
-//        (loads data from stashes only)
-//
-//    <tgt_range> <src_block_count> <src_range> <src_loc> <[stash_id:stash_range] ...>
-//        (loads data from both source image and stashes)
-//
-// On return, buffer is filled with the loaded source data (rearranged
-// and combined with stashed data as necessary).  buffer may be
-// reallocated if needed to accommodate the source data.  *tgt is the
-// target RangeSet.  Any stashes required are loaded using LoadStash.
-
-static int LoadSrcTgtVersion2(char** wordsave, RangeSet** tgt, int* src_blocks,
-                               uint8_t** buffer, size_t* buffer_alloc, int fd,
-                               const char* stashbase, int* overlap) {
-    char* word;
-    char* colonsave;
-    char* colon;
-    int id;
-    int res;
-    RangeSet* locs;
-    size_t stashalloc = 0;
-    uint8_t* stash = NULL;
-
-    if (tgt != NULL) {
-        word = strtok_r(NULL, " ", wordsave);
-        *tgt = parse_range(word);
-    }
-
-    word = strtok_r(NULL, " ", wordsave);
-    *src_blocks = strtol(word, NULL, 0);
-
-    allocate(*src_blocks * BLOCKSIZE, buffer, buffer_alloc);
-
-    word = strtok_r(NULL, " ", wordsave);
-    if (word[0] == '-' && word[1] == '\0') {
-        // no source ranges, only stashes
-    } else {
-        RangeSet* src = parse_range(word);
-        res = ReadBlocks(src, *buffer, fd);
-
-        if (overlap && tgt) {
-            *overlap = range_overlaps(src, *tgt);
-        }
-
-        free(src);
-
-        if (res == -1) {
-            return -1;
-        }
-
-        word = strtok_r(NULL, " ", wordsave);
-        if (word == NULL) {
-            // no stashes, only source range
-            return 0;
-        }
-
-        locs = parse_range(word);
-        MoveRange(*buffer, locs, *buffer);
-        free(locs);
-    }
-
-    while ((word = strtok_r(NULL, " ", wordsave)) != NULL) {
-        // Each word is a an index into the stash table, a colon, and
-        // then a rangeset describing where in the source block that
-        // stashed data should go.
-        colonsave = NULL;
-        colon = strtok_r(word, ":", &colonsave);
-
-        res = LoadStash(stashbase, colon, 0, NULL, &stash, &stashalloc, 1);
-
-        if (res == -1) {
-            // These source blocks will fail verification if used later, but we
-            // will let the caller decide if this is a fatal failure
-            fprintf(stderr, "failed to load stash %s\n", colon);
-            continue;
-        }
-
-        colon = strtok_r(NULL, ":", &colonsave);
-        locs = parse_range(colon);
-
-        MoveRange(*buffer, locs, stash);
-        free(locs);
-    }
-
-    if (stash) {
-        free(stash);
-    }
-
-    return 0;
-}
-
-// Parameters for transfer list command functions
-typedef struct {
-    char* cmdname;
-    char* cpos;
-    char* freestash;
-    char* stashbase;
-    int canwrite;
-    int createdstash;
-    int fd;
-    int foundwrites;
-    int isunresumable;
-    int version;
-    int written;
-    NewThreadInfo nti;
-    pthread_t thread;
-    size_t bufsize;
-    uint8_t* buffer;
-    uint8_t* patch_start;
-} CommandParameters;
-
-// Do a source/target load for move/bsdiff/imgdiff in version 3.
-//
-// Parameters are the same as for LoadSrcTgtVersion2, except for 'onehash', which
-// tells the function whether to expect separate source and targe block hashes, or
-// if they are both the same and only one hash should be expected, and
-// 'isunresumable', which receives a non-zero value if block verification fails in
-// a way that the update cannot be resumed anymore.
-//
-// If the function is unable to load the necessary blocks or their contents don't
-// match the hashes, the return value is -1 and the command should be aborted.
-//
-// If the return value is 1, the command has already been completed according to
-// the contents of the target blocks, and should not be performed again.
-//
-// If the return value is 0, source blocks have expected content and the command
-// can be performed.
-
-static int LoadSrcTgtVersion3(CommandParameters* params, RangeSet** tgt, int* src_blocks,
-                              int onehash, int* overlap) {
-    char* srchash = NULL;
-    char* tgthash = NULL;
-    int stash_exists = 0;
-    int overlap_blocks = 0;
-    int rc = -1;
-    uint8_t* tgtbuffer = NULL;
-
-    if (!params|| !tgt || !src_blocks || !overlap) {
-        goto v3out;
-    }
-
-    srchash = strtok_r(NULL, " ", &params->cpos);
-
-    if (srchash == NULL) {
-        fprintf(stderr, "missing source hash\n");
-        goto v3out;
-    }
-
-    if (onehash) {
-        tgthash = srchash;
-    } else {
-        tgthash = strtok_r(NULL, " ", &params->cpos);
-
-        if (tgthash == NULL) {
-            fprintf(stderr, "missing target hash\n");
-            goto v3out;
-        }
-    }
-
-    if (LoadSrcTgtVersion2(&params->cpos, tgt, src_blocks, &params->buffer, &params->bufsize,
-            params->fd, params->stashbase, overlap) == -1) {
-        goto v3out;
-    }
-
-    tgtbuffer = (uint8_t*) malloc((*tgt)->size * BLOCKSIZE);
-
-    if (tgtbuffer == NULL) {
-        fprintf(stderr, "failed to allocate %d bytes\n", (*tgt)->size * BLOCKSIZE);
-        goto v3out;
-    }
-
-    if (ReadBlocks(*tgt, tgtbuffer, params->fd) == -1) {
-        goto v3out;
-    }
-
-    if (VerifyBlocks(tgthash, tgtbuffer, (*tgt)->size, 0) == 0) {
-        // Target blocks already have expected content, command should be skipped
-        rc = 1;
-        goto v3out;
-    }
-
-    if (VerifyBlocks(srchash, params->buffer, *src_blocks, 1) == 0) {
-        // If source and target blocks overlap, stash the source blocks so we can
-        // resume from possible write errors
-        if (*overlap) {
-            fprintf(stderr, "stashing %d overlapping blocks to %s\n", *src_blocks,
-                srchash);
-
-            if (WriteStash(params->stashbase, srchash, *src_blocks, params->buffer, 1,
-                    &stash_exists) != 0) {
-                fprintf(stderr, "failed to stash overlapping source blocks\n");
-                goto v3out;
-            }
-
-            // Can be deleted when the write has completed
-            if (!stash_exists) {
-                params->freestash = srchash;
-            }
-        }
-
-        // Source blocks have expected content, command can proceed
-        rc = 0;
-        goto v3out;
-    }
-
-    if (*overlap && LoadStash(params->stashbase, srchash, 1, NULL, &params->buffer,
-                        &params->bufsize, 1) == 0) {
-        // Overlapping source blocks were previously stashed, command can proceed.
-        // We are recovering from an interrupted command, so we don't know if the
-        // stash can safely be deleted after this command.
-        rc = 0;
-        goto v3out;
-    }
-
-    // Valid source data not available, update cannot be resumed
-    fprintf(stderr, "partition has unexpected contents\n");
-    params->isunresumable = 1;
-
-v3out:
-    if (tgtbuffer) {
-        free(tgtbuffer);
-    }
-
-    return rc;
-}
-
-static int PerformCommandMove(CommandParameters* params) {
-    int blocks = 0;
-    int overlap = 0;
-    int rc = -1;
-    int status = 0;
-    RangeSet* tgt = NULL;
-
-    if (!params) {
-        goto pcmout;
-    }
-
-    if (params->version == 1) {
-        status = LoadSrcTgtVersion1(&params->cpos, &tgt, &blocks, &params->buffer,
-                    &params->bufsize, params->fd);
-    } else if (params->version == 2) {
-        status = LoadSrcTgtVersion2(&params->cpos, &tgt, &blocks, &params->buffer,
-                    &params->bufsize, params->fd, params->stashbase, NULL);
-    } else if (params->version >= 3) {
-        status = LoadSrcTgtVersion3(params, &tgt, &blocks, 1, &overlap);
-    }
-
-    if (status == -1) {
-        fprintf(stderr, "failed to read blocks for move\n");
-        goto pcmout;
-    }
-
-    if (status == 0) {
-        params->foundwrites = 1;
-    } else if (params->foundwrites) {
-        fprintf(stderr, "warning: commands executed out of order [%s]\n", params->cmdname);
-    }
-
-    if (params->canwrite) {
-        if (status == 0) {
-            fprintf(stderr, "  moving %d blocks\n", blocks);
-
-            if (WriteBlocks(tgt, params->buffer, params->fd) == -1) {
-                goto pcmout;
-            }
-        } else {
-            fprintf(stderr, "skipping %d already moved blocks\n", blocks);
-        }
-
-    }
-
-    if (params->freestash) {
-        FreeStash(params->stashbase, params->freestash);
-        params->freestash = NULL;
-    }
-
-    params->written += tgt->size;
-    rc = 0;
-
-pcmout:
-    if (tgt) {
-        free(tgt);
-    }
-
-    return rc;
-}
-
-static int PerformCommandStash(CommandParameters* params) {
-    if (!params) {
-        return -1;
-    }
-
-    return SaveStash(params->stashbase, &params->cpos, &params->buffer, &params->bufsize,
-                params->fd, (params->version >= 3), &params->isunresumable);
-}
-
-static int PerformCommandFree(CommandParameters* params) {
-    if (!params) {
-        return -1;
-    }
-
-    if (params->createdstash || params->canwrite) {
-        return FreeStash(params->stashbase, params->cpos);
-    }
-
-    return 0;
-}
-
-static int PerformCommandZero(CommandParameters* params) {
-    char* range = NULL;
-    int i;
-    int j;
-    int rc = -1;
-    RangeSet* tgt = NULL;
-
-    if (!params) {
-        goto pczout;
-    }
-
-    range = strtok_r(NULL, " ", &params->cpos);
-
-    if (range == NULL) {
-        fprintf(stderr, "missing target blocks for zero\n");
-        goto pczout;
-    }
-
-    tgt = parse_range(range);
-
-    fprintf(stderr, "  zeroing %d blocks\n", tgt->size);
-
-    allocate(BLOCKSIZE, &params->buffer, &params->bufsize);
-    memset(params->buffer, 0, BLOCKSIZE);
-
-    if (params->canwrite) {
-        for (i = 0; i < tgt->count; ++i) {
-            if (!check_lseek(params->fd, (off64_t) tgt->pos[i * 2] * BLOCKSIZE, SEEK_SET)) {
-                goto pczout;
-            }
-
-            for (j = tgt->pos[i * 2]; j < tgt->pos[i * 2 + 1]; ++j) {
-                if (write_all(params->fd, params->buffer, BLOCKSIZE) == -1) {
-                    goto pczout;
-                }
-            }
-        }
-    }
-
-    if (params->cmdname[0] == 'z') {
-        // Update only for the zero command, as the erase command will call
-        // this if DEBUG_ERASE is defined.
-        params->written += tgt->size;
-    }
-
-    rc = 0;
-
-pczout:
-    if (tgt) {
-        free(tgt);
-    }
-
-    return rc;
-}
-
-static int PerformCommandNew(CommandParameters* params) {
-    char* range = NULL;
-    int rc = -1;
-    RangeSet* tgt = NULL;
-    RangeSinkState rss;
-
-    if (!params) {
-        goto pcnout;
-    }
-
-    range = strtok_r(NULL, " ", &params->cpos);
-
-    if (range == NULL) {
-        goto pcnout;
-    }
-
-    tgt = parse_range(range);
-
-    if (params->canwrite) {
-        fprintf(stderr, " writing %d blocks of new data\n", tgt->size);
-
-        rss.fd = params->fd;
-        rss.tgt = tgt;
-        rss.p_block = 0;
-        rss.p_remain = (tgt->pos[1] - tgt->pos[0]) * BLOCKSIZE;
-
-        if (!check_lseek(params->fd, (off64_t) tgt->pos[0] * BLOCKSIZE, SEEK_SET)) {
-            goto pcnout;
-        }
-
-        pthread_mutex_lock(&params->nti.mu);
-        params->nti.rss = &rss;
-        pthread_cond_broadcast(&params->nti.cv);
-
-        while (params->nti.rss) {
-            pthread_cond_wait(&params->nti.cv, &params->nti.mu);
-        }
-
-        pthread_mutex_unlock(&params->nti.mu);
-    }
-
-    params->written += tgt->size;
-    rc = 0;
-
-pcnout:
-    if (tgt) {
-        free(tgt);
-    }
-
-    return rc;
-}
-
-static int PerformCommandDiff(CommandParameters* params) {
-    char* logparams = NULL;
-    char* value = NULL;
-    int blocks = 0;
-    int overlap = 0;
-    int rc = -1;
-    int status = 0;
-    RangeSet* tgt = NULL;
-    RangeSinkState rss;
-    size_t len = 0;
-    size_t offset = 0;
-    Value patch_value;
-
-    if (!params) {
-        goto pcdout;
-    }
-
-    logparams = strdup(params->cpos);
-    value = strtok_r(NULL, " ", &params->cpos);
-
-    if (value == NULL) {
-        fprintf(stderr, "missing patch offset for %s\n", params->cmdname);
-        goto pcdout;
-    }
-
-    offset = strtoul(value, NULL, 0);
-
-    value = strtok_r(NULL, " ", &params->cpos);
-
-    if (value == NULL) {
-        fprintf(stderr, "missing patch length for %s\n", params->cmdname);
-        goto pcdout;
-    }
-
-    len = strtoul(value, NULL, 0);
-
-    if (params->version == 1) {
-        status = LoadSrcTgtVersion1(&params->cpos, &tgt, &blocks, &params->buffer,
-                    &params->bufsize, params->fd);
-    } else if (params->version == 2) {
-        status = LoadSrcTgtVersion2(&params->cpos, &tgt, &blocks, &params->buffer,
-                    &params->bufsize, params->fd, params->stashbase, NULL);
-    } else if (params->version >= 3) {
-        status = LoadSrcTgtVersion3(params, &tgt, &blocks, 0, &overlap);
-    }
-
-    if (status == -1) {
-        fprintf(stderr, "failed to read blocks for diff\n");
-        goto pcdout;
-    }
-
-    if (status == 0) {
-        params->foundwrites = 1;
-    } else if (params->foundwrites) {
-        fprintf(stderr, "warning: commands executed out of order [%s]\n", params->cmdname);
-    }
-
-    if (params->canwrite) {
-        if (status == 0) {
-            fprintf(stderr, "patching %d blocks to %d\n", blocks, tgt->size);
-
-            patch_value.type = VAL_BLOB;
-            patch_value.size = len;
-            patch_value.data = (char*) (params->patch_start + offset);
-
-            rss.fd = params->fd;
-            rss.tgt = tgt;
-            rss.p_block = 0;
-            rss.p_remain = (tgt->pos[1] - tgt->pos[0]) * BLOCKSIZE;
-
-            if (!check_lseek(params->fd, (off64_t) tgt->pos[0] * BLOCKSIZE, SEEK_SET)) {
-                goto pcdout;
-            }
-
-            if (params->cmdname[0] == 'i') {      // imgdiff
-                ApplyImagePatch(params->buffer, blocks * BLOCKSIZE, &patch_value,
-                    &RangeSinkWrite, &rss, NULL, NULL);
-            } else {
-                ApplyBSDiffPatch(params->buffer, blocks * BLOCKSIZE, &patch_value,
-                    0, &RangeSinkWrite, &rss, NULL);
-            }
-
-            // We expect the output of the patcher to fill the tgt ranges exactly.
-            if (rss.p_block != tgt->count || rss.p_remain != 0) {
-                fprintf(stderr, "range sink underrun?\n");
-            }
-        } else {
-            fprintf(stderr, "skipping %d blocks already patched to %d [%s]\n",
-                blocks, tgt->size, logparams);
-        }
-    }
-
-    if (params->freestash) {
-        FreeStash(params->stashbase, params->freestash);
-        params->freestash = NULL;
-    }
-
-    params->written += tgt->size;
-    rc = 0;
-
-pcdout:
-    if (logparams) {
-        free(logparams);
-    }
-
-    if (tgt) {
-        free(tgt);
-    }
-
-    return rc;
-}
-
-static int PerformCommandErase(CommandParameters* params) {
-    char* range = NULL;
-    int i;
-    int rc = -1;
-    RangeSet* tgt = NULL;
-    struct stat st;
-    uint64_t blocks[2];
-
-    if (DEBUG_ERASE) {
-        return PerformCommandZero(params);
-    }
-
-    if (!params) {
-        goto pceout;
-    }
-
-    if (fstat(params->fd, &st) == -1) {
-        fprintf(stderr, "failed to fstat device to erase: %s\n", strerror(errno));
-        goto pceout;
-    }
-
-    if (!S_ISBLK(st.st_mode)) {
-        fprintf(stderr, "not a block device; skipping erase\n");
-        goto pceout;
-    }
-
-    range = strtok_r(NULL, " ", &params->cpos);
-
-    if (range == NULL) {
-        fprintf(stderr, "missing target blocks for zero\n");
-        goto pceout;
-    }
-
-    tgt = parse_range(range);
-
-    if (params->canwrite) {
-        fprintf(stderr, " erasing %d blocks\n", tgt->size);
-
-        for (i = 0; i < tgt->count; ++i) {
-            // offset in bytes
-            blocks[0] = tgt->pos[i * 2] * (uint64_t) BLOCKSIZE;
-            // length in bytes
-            blocks[1] = (tgt->pos[i * 2 + 1] - tgt->pos[i * 2]) * (uint64_t) BLOCKSIZE;
-
-            if (ioctl(params->fd, BLKDISCARD, &blocks) == -1) {
-                fprintf(stderr, "BLKDISCARD ioctl failed: %s\n", strerror(errno));
-                goto pceout;
-            }
-        }
-    }
-
-    rc = 0;
-
-pceout:
-    if (tgt) {
-        free(tgt);
-    }
-
-    return rc;
-}
-
-// Definitions for transfer list command functions
-typedef int (*CommandFunction)(CommandParameters*);
-
-typedef struct {
-    const char* name;
-    CommandFunction f;
-} Command;
-
-// CompareCommands and CompareCommandNames are for the hash table
-
-static int CompareCommands(const void* c1, const void* c2) {
-    return strcmp(((const Command*) c1)->name, ((const Command*) c2)->name);
-}
-
-static int CompareCommandNames(const void* c1, const void* c2) {
-    return strcmp(((const Command*) c1)->name, (const char*) c2);
-}
-
-// HashString is used to hash command names for the hash table
-
-static unsigned int HashString(const char *s) {
-    unsigned int hash = 0;
-    if (s) {
-        while (*s) {
-            hash = hash * 33 + *s++;
-        }
-    }
-    return hash;
-}
-
-// args:
-//    - block device (or file) to modify in-place
-//    - transfer list (blob)
-//    - new data stream (filename within package.zip)
-//    - patch stream (filename within package.zip, must be uncompressed)
-
-static Value* PerformBlockImageUpdate(const char* name, State* state, int argc, Expr* argv[],
-            const Command* commands, int cmdcount, int dryrun) {
-
-    char* line = NULL;
-    char* linesave = NULL;
-    char* logcmd = NULL;
-    char* transfer_list = NULL;
-    CommandParameters params;
-    const Command* cmd = NULL;
-    const ZipEntry* new_entry = NULL;
-    const ZipEntry* patch_entry = NULL;
-    FILE* cmd_pipe = NULL;
-    HashTable* cmdht = NULL;
-    int i;
-    int res;
-    int rc = -1;
-    int stash_max_blocks = 0;
-    int total_blocks = 0;
-    pthread_attr_t attr;
-    unsigned int cmdhash;
-    UpdaterInfo* ui = NULL;
-    Value* blockdev_filename = NULL;
-    Value* new_data_fn = NULL;
-    Value* patch_data_fn = NULL;
-    Value* transfer_list_value = NULL;
-    ZipArchive* za = NULL;
-
-    memset(&params, 0, sizeof(params));
-    params.canwrite = !dryrun;
-
-    fprintf(stderr, "performing %s\n", dryrun ? "verification" : "update");
-
-    if (ReadValueArgs(state, argv, 4, &blockdev_filename, &transfer_list_value,
-            &new_data_fn, &patch_data_fn) < 0) {
-        goto pbiudone;
-    }
-
-    if (blockdev_filename->type != VAL_STRING) {
-        ErrorAbort(state, "blockdev_filename argument to %s must be string", name);
-        goto pbiudone;
-    }
-    if (transfer_list_value->type != VAL_BLOB) {
-        ErrorAbort(state, "transfer_list argument to %s must be blob", name);
-        goto pbiudone;
-    }
-    if (new_data_fn->type != VAL_STRING) {
-        ErrorAbort(state, "new_data_fn argument to %s must be string", name);
-        goto pbiudone;
-    }
-    if (patch_data_fn->type != VAL_STRING) {
-        ErrorAbort(state, "patch_data_fn argument to %s must be string", name);
-        goto pbiudone;
-    }
-
-    ui = (UpdaterInfo*) state->cookie;
-
-    if (ui == NULL) {
-        goto pbiudone;
-    }
-
-    cmd_pipe = ui->cmd_pipe;
-    za = ui->package_zip;
-
-    if (cmd_pipe == NULL || za == NULL) {
-        goto pbiudone;
-    }
-
-    patch_entry = mzFindZipEntry(za, patch_data_fn->data);
-
-    if (patch_entry == NULL) {
-        fprintf(stderr, "%s(): no file \"%s\" in package", name, patch_data_fn->data);
-        goto pbiudone;
-    }
-
-    params.patch_start = ui->package_zip_addr + mzGetZipEntryOffset(patch_entry);
-    new_entry = mzFindZipEntry(za, new_data_fn->data);
-
-    if (new_entry == NULL) {
-        fprintf(stderr, "%s(): no file \"%s\" in package", name, new_data_fn->data);
-        goto pbiudone;
-    }
-
-    params.fd = TEMP_FAILURE_RETRY(open(blockdev_filename->data, O_RDWR));
-
-    if (params.fd == -1) {
-        fprintf(stderr, "open \"%s\" failed: %s\n", blockdev_filename->data, strerror(errno));
-        goto pbiudone;
-    }
-
-    if (params.canwrite) {
-        params.nti.za = za;
-        params.nti.entry = new_entry;
-
-        pthread_mutex_init(&params.nti.mu, NULL);
-        pthread_cond_init(&params.nti.cv, NULL);
-        pthread_attr_init(&attr);
-        pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE);
-
-        int error = pthread_create(&params.thread, &attr, unzip_new_data, &params.nti);
-        if (error != 0) {
-            fprintf(stderr, "pthread_create failed: %s\n", strerror(error));
-            goto pbiudone;
-        }
-    }
-
-    // The data in transfer_list_value is not necessarily null-terminated, so we need
-    // to copy it to a new buffer and add the null that strtok_r will need.
-    transfer_list = malloc(transfer_list_value->size + 1);
-
-    if (transfer_list == NULL) {
-        fprintf(stderr, "failed to allocate %zd bytes for transfer list\n",
-            transfer_list_value->size + 1);
-        goto pbiudone;
-    }
-
-    memcpy(transfer_list, transfer_list_value->data, transfer_list_value->size);
-    transfer_list[transfer_list_value->size] = '\0';
-
-    // First line in transfer list is the version number
-    line = strtok_r(transfer_list, "\n", &linesave);
-    params.version = strtol(line, NULL, 0);
-
-    if (params.version < 1 || params.version > 3) {
-        fprintf(stderr, "unexpected transfer list version [%s]\n", line);
-        goto pbiudone;
-    }
-
-    fprintf(stderr, "blockimg version is %d\n", params.version);
-
-    // Second line in transfer list is the total number of blocks we expect to write
-    line = strtok_r(NULL, "\n", &linesave);
-    total_blocks = strtol(line, NULL, 0);
-
-    if (total_blocks < 0) {
-        ErrorAbort(state, "unexpected block count [%s]\n", line);
-        goto pbiudone;
-    } else if (total_blocks == 0) {
-        rc = 0;
-        goto pbiudone;
-    }
-
-    if (params.version >= 2) {
-        // Third line is how many stash entries are needed simultaneously
-        line = strtok_r(NULL, "\n", &linesave);
-        fprintf(stderr, "maximum stash entries %s\n", line);
-
-        // Fourth line is the maximum number of blocks that will be stashed simultaneously
-        line = strtok_r(NULL, "\n", &linesave);
-        stash_max_blocks = strtol(line, NULL, 0);
-
-        if (stash_max_blocks < 0) {
-            ErrorAbort(state, "unexpected maximum stash blocks [%s]\n", line);
-            goto pbiudone;
-        }
-
-        if (stash_max_blocks >= 0) {
-            res = CreateStash(state, stash_max_blocks, blockdev_filename->data,
-                    &params.stashbase);
-
-            if (res == -1) {
-                goto pbiudone;
-            }
-
-            params.createdstash = res;
-        }
-    }
-
-    // Build a hash table of the available commands
-    cmdht = mzHashTableCreate(cmdcount, NULL);
-
-    for (i = 0; i < cmdcount; ++i) {
-        cmdhash = HashString(commands[i].name);
-        mzHashTableLookup(cmdht, cmdhash, (void*) &commands[i], CompareCommands, true);
-    }
-
-    // Subsequent lines are all individual transfer commands
-    for (line = strtok_r(NULL, "\n", &linesave); line;
-         line = strtok_r(NULL, "\n", &linesave)) {
-
-        logcmd = strdup(line);
-        params.cmdname = strtok_r(line, " ", &params.cpos);
-
-        if (params.cmdname == NULL) {
-            fprintf(stderr, "missing command [%s]\n", line);
-            goto pbiudone;
-        }
-
-        cmdhash = HashString(params.cmdname);
-        cmd = (const Command*) mzHashTableLookup(cmdht, cmdhash, params.cmdname,
-                                    CompareCommandNames, false);
-
-        if (cmd == NULL) {
-            fprintf(stderr, "unexpected command [%s]\n", params.cmdname);
-            goto pbiudone;
-        }
-
-        if (cmd->f != NULL && cmd->f(&params) == -1) {
-            fprintf(stderr, "failed to execute command [%s]\n",
-                logcmd ? logcmd : params.cmdname);
-            goto pbiudone;
-        }
-
-        if (logcmd) {
-            free(logcmd);
-            logcmd = NULL;
-        }
-
-        if (params.canwrite) {
-            fprintf(cmd_pipe, "set_progress %.4f\n", (double) params.written / total_blocks);
-            fflush(cmd_pipe);
-        }
-    }
-
-    if (params.canwrite) {
-        pthread_join(params.thread, NULL);
-
-        fprintf(stderr, "wrote %d blocks; expected %d\n", params.written, total_blocks);
-        fprintf(stderr, "max alloc needed was %zu\n", params.bufsize);
-
-        // Delete stash only after successfully completing the update, as it
-        // may contain blocks needed to complete the update later.
-        DeleteStash(params.stashbase);
-    } else {
-        fprintf(stderr, "verified partition contents; update may be resumed\n");
-    }
-
-    rc = 0;
-
-pbiudone:
-    if (params.fd != -1) {
-        if (fsync(params.fd) == -1) {
-            fprintf(stderr, "fsync failed: %s\n", strerror(errno));
-        }
-        close(params.fd);
-    }
-
-    if (logcmd) {
-        free(logcmd);
-    }
-
-    if (cmdht) {
-        mzHashTableFree(cmdht);
-    }
-
-    if (params.buffer) {
-        free(params.buffer);
-    }
-
-    if (transfer_list) {
-        free(transfer_list);
-    }
-
-    if (blockdev_filename) {
-        FreeValue(blockdev_filename);
-    }
-
-    if (transfer_list_value) {
-        FreeValue(transfer_list_value);
-    }
-
-    if (new_data_fn) {
-        FreeValue(new_data_fn);
-    }
-
-    if (patch_data_fn) {
-        FreeValue(patch_data_fn);
-    }
-
-    // Only delete the stash if the update cannot be resumed, or it's
-    // a verification run and we created the stash.
-    if (params.isunresumable || (!params.canwrite && params.createdstash)) {
-        DeleteStash(params.stashbase);
-    }
-
-    if (params.stashbase) {
-        free(params.stashbase);
-    }
-
-    return StringValue(rc == 0 ? strdup("t") : strdup(""));
-}
-
-// The transfer list is a text file containing commands to
-// transfer data from one place to another on the target
-// partition.  We parse it and execute the commands in order:
-//
-//    zero [rangeset]
-//      - fill the indicated blocks with zeros
-//
-//    new [rangeset]
-//      - fill the blocks with data read from the new_data file
-//
-//    erase [rangeset]
-//      - mark the given blocks as empty
-//
-//    move <...>
-//    bsdiff <patchstart> <patchlen> <...>
-//    imgdiff <patchstart> <patchlen> <...>
-//      - read the source blocks, apply a patch (or not in the
-//        case of move), write result to target blocks.  bsdiff or
-//        imgdiff specifies the type of patch; move means no patch
-//        at all.
-//
-//        The format of <...> differs between versions 1 and 2;
-//        see the LoadSrcTgtVersion{1,2}() functions for a
-//        description of what's expected.
-//
-//    stash <stash_id> <src_range>
-//      - (version 2+ only) load the given source range and stash
-//        the data in the given slot of the stash table.
-//
-// The creator of the transfer list will guarantee that no block
-// is read (ie, used as the source for a patch or move) after it
-// has been written.
-//
-// In version 2, the creator will guarantee that a given stash is
-// loaded (with a stash command) before it's used in a
-// move/bsdiff/imgdiff command.
-//
-// Within one command the source and target ranges may overlap so
-// in general we need to read the entire source into memory before
-// writing anything to the target blocks.
-//
-// All the patch data is concatenated into one patch_data file in
-// the update package.  It must be stored uncompressed because we
-// memory-map it in directly from the archive.  (Since patches are
-// already compressed, we lose very little by not compressing
-// their concatenation.)
-//
-// In version 3, commands that read data from the partition (i.e.
-// move/bsdiff/imgdiff/stash) have one or more additional hashes
-// before the range parameters, which are used to check if the
-// command has already been completed and verify the integrity of
-// the source data.
-
-Value* BlockImageVerifyFn(const char* name, State* state, int argc, Expr* argv[]) {
-    // Commands which are not tested are set to NULL to skip them completely
-    const Command commands[] = {
-        { "bsdiff",     PerformCommandDiff  },
-        { "erase",      NULL                },
-        { "free",       PerformCommandFree  },
-        { "imgdiff",    PerformCommandDiff  },
-        { "move",       PerformCommandMove  },
-        { "new",        NULL                },
-        { "stash",      PerformCommandStash },
-        { "zero",       NULL                }
-    };
-
-    // Perform a dry run without writing to test if an update can proceed
-    return PerformBlockImageUpdate(name, state, argc, argv, commands,
-                sizeof(commands) / sizeof(commands[0]), 1);
-}
-
-Value* BlockImageUpdateFn(const char* name, State* state, int argc, Expr* argv[]) {
-    const Command commands[] = {
-        { "bsdiff",     PerformCommandDiff  },
-        { "erase",      PerformCommandErase },
-        { "free",       PerformCommandFree  },
-        { "imgdiff",    PerformCommandDiff  },
-        { "move",       PerformCommandMove  },
-        { "new",        PerformCommandNew   },
-        { "stash",      PerformCommandStash },
-        { "zero",       PerformCommandZero  }
-    };
-
-    return PerformBlockImageUpdate(name, state, argc, argv, commands,
-                sizeof(commands) / sizeof(commands[0]), 0);
-}
-
-Value* RangeSha1Fn(const char* name, State* state, int argc, Expr* argv[]) {
-    Value* blockdev_filename;
-    Value* ranges;
-    const uint8_t* digest = NULL;
-    if (ReadValueArgs(state, argv, 2, &blockdev_filename, &ranges) < 0) {
-        return NULL;
-    }
-
-    if (blockdev_filename->type != VAL_STRING) {
-        ErrorAbort(state, "blockdev_filename argument to %s must be string", name);
-        goto done;
-    }
-    if (ranges->type != VAL_STRING) {
-        ErrorAbort(state, "ranges argument to %s must be string", name);
-        goto done;
-    }
-
-    int fd = open(blockdev_filename->data, O_RDWR);
-    if (fd < 0) {
-        ErrorAbort(state, "open \"%s\" failed: %s", blockdev_filename->data, strerror(errno));
-        goto done;
-    }
-
-    RangeSet* rs = parse_range(ranges->data);
-    uint8_t buffer[BLOCKSIZE];
-
-    SHA_CTX ctx;
-    SHA_init(&ctx);
-
-    int i, j;
-    for (i = 0; i < rs->count; ++i) {
-        if (!check_lseek(fd, (off64_t)rs->pos[i*2] * BLOCKSIZE, SEEK_SET)) {
-            ErrorAbort(state, "failed to seek %s: %s", blockdev_filename->data,
-                strerror(errno));
-            goto done;
-        }
-
-        for (j = rs->pos[i*2]; j < rs->pos[i*2+1]; ++j) {
-            if (read_all(fd, buffer, BLOCKSIZE) == -1) {
-                ErrorAbort(state, "failed to read %s: %s", blockdev_filename->data,
-                    strerror(errno));
-                goto done;
-            }
-
-            SHA_update(&ctx, buffer, BLOCKSIZE);
-        }
-    }
-    digest = SHA_final(&ctx);
-    close(fd);
-
-  done:
-    FreeValue(blockdev_filename);
-    FreeValue(ranges);
-    if (digest == NULL) {
-        return StringValue(strdup(""));
-    } else {
-        return StringValue(PrintSha1(digest));
-    }
-}
-
-void RegisterBlockImageFunctions() {
-    RegisterFunction("block_image_verify", BlockImageVerifyFn);
-    RegisterFunction("block_image_update", BlockImageUpdateFn);
-    RegisterFunction("range_sha1", RangeSha1Fn);
-}
diff --git a/updater/blockimg.cpp b/updater/blockimg.cpp
new file mode 100644
index 0000000..a80180a
--- /dev/null
+++ b/updater/blockimg.cpp
@@ -0,0 +1,1918 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <ctype.h>
+#include <errno.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <linux/fs.h>
+#include <pthread.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <time.h>
+#include <unistd.h>
+#include <fec/io.h>
+
+#include <map>
+#include <memory>
+#include <string>
+#include <vector>
+
+#include <android-base/parseint.h>
+#include <android-base/strings.h>
+
+#include "applypatch/applypatch.h"
+#include "edify/expr.h"
+#include "error_code.h"
+#include "install.h"
+#include "openssl/sha.h"
+#include "minzip/Hash.h"
+#include "ota_io.h"
+#include "print_sha1.h"
+#include "unique_fd.h"
+#include "updater.h"
+
+#define BLOCKSIZE 4096
+
+// Set this to 0 to interpret 'erase' transfers to mean do a
+// BLKDISCARD ioctl (the normal behavior).  Set to 1 to interpret
+// erase to mean fill the region with zeroes.
+#define DEBUG_ERASE  0
+
+#define STASH_DIRECTORY_BASE "/cache/recovery"
+#define STASH_DIRECTORY_MODE 0700
+#define STASH_FILE_MODE 0600
+
+struct RangeSet {
+    size_t count;             // Limit is INT_MAX.
+    size_t size;
+    std::vector<size_t> pos;  // Actual limit is INT_MAX.
+};
+
+static CauseCode failure_type = kNoCause;
+static bool is_retry = false;
+static std::map<std::string, RangeSet> stash_map;
+
+static void parse_range(const std::string& range_text, RangeSet& rs) {
+
+    std::vector<std::string> pieces = android::base::Split(range_text, ",");
+    if (pieces.size() < 3) {
+        goto err;
+    }
+
+    size_t num;
+    if (!android::base::ParseUint(pieces[0].c_str(), &num, static_cast<size_t>(INT_MAX))) {
+        goto err;
+    }
+
+    if (num == 0 || num % 2) {
+        goto err; // must be even
+    } else if (num != pieces.size() - 1) {
+        goto err;
+    }
+
+    rs.pos.resize(num);
+    rs.count = num / 2;
+    rs.size = 0;
+
+    for (size_t i = 0; i < num; i += 2) {
+        if (!android::base::ParseUint(pieces[i+1].c_str(), &rs.pos[i],
+                                      static_cast<size_t>(INT_MAX))) {
+            goto err;
+        }
+
+        if (!android::base::ParseUint(pieces[i+2].c_str(), &rs.pos[i+1],
+                                      static_cast<size_t>(INT_MAX))) {
+            goto err;
+        }
+
+        if (rs.pos[i] >= rs.pos[i+1]) {
+            goto err; // empty or negative range
+        }
+
+        size_t sz = rs.pos[i+1] - rs.pos[i];
+        if (rs.size > SIZE_MAX - sz) {
+            goto err; // overflow
+        }
+
+        rs.size += sz;
+    }
+
+    return;
+
+err:
+    fprintf(stderr, "failed to parse range '%s'\n", range_text.c_str());
+    exit(1);
+}
+
+static bool range_overlaps(const RangeSet& r1, const RangeSet& r2) {
+    for (size_t i = 0; i < r1.count; ++i) {
+        size_t r1_0 = r1.pos[i * 2];
+        size_t r1_1 = r1.pos[i * 2 + 1];
+
+        for (size_t j = 0; j < r2.count; ++j) {
+            size_t r2_0 = r2.pos[j * 2];
+            size_t r2_1 = r2.pos[j * 2 + 1];
+
+            if (!(r2_0 >= r1_1 || r1_0 >= r2_1)) {
+                return true;
+            }
+        }
+    }
+
+    return false;
+}
+
+static int read_all(int fd, uint8_t* data, size_t size) {
+    size_t so_far = 0;
+    while (so_far < size) {
+        ssize_t r = TEMP_FAILURE_RETRY(ota_read(fd, data+so_far, size-so_far));
+        if (r == -1) {
+            failure_type = kFreadFailure;
+            fprintf(stderr, "read failed: %s\n", strerror(errno));
+            return -1;
+        }
+        so_far += r;
+    }
+    return 0;
+}
+
+static int read_all(int fd, std::vector<uint8_t>& buffer, size_t size) {
+    return read_all(fd, buffer.data(), size);
+}
+
+static int write_all(int fd, const uint8_t* data, size_t size) {
+    size_t written = 0;
+    while (written < size) {
+        ssize_t w = TEMP_FAILURE_RETRY(ota_write(fd, data+written, size-written));
+        if (w == -1) {
+            failure_type = kFwriteFailure;
+            fprintf(stderr, "write failed: %s\n", strerror(errno));
+            return -1;
+        }
+        written += w;
+    }
+
+    return 0;
+}
+
+static int write_all(int fd, const std::vector<uint8_t>& buffer, size_t size) {
+    return write_all(fd, buffer.data(), size);
+}
+
+static bool discard_blocks(int fd, off64_t offset, uint64_t size) {
+    // Don't discard blocks unless the update is a retry run.
+    if (!is_retry) {
+        return true;
+    }
+
+    uint64_t args[2] = {static_cast<uint64_t>(offset), size};
+    int status = ioctl(fd, BLKDISCARD, &args);
+    if (status == -1) {
+        fprintf(stderr, "BLKDISCARD ioctl failed: %s\n", strerror(errno));
+        return false;
+    }
+    return true;
+}
+
+static bool check_lseek(int fd, off64_t offset, int whence) {
+    off64_t rc = TEMP_FAILURE_RETRY(lseek64(fd, offset, whence));
+    if (rc == -1) {
+        failure_type = kLseekFailure;
+        fprintf(stderr, "lseek64 failed: %s\n", strerror(errno));
+        return false;
+    }
+    return true;
+}
+
+static void allocate(size_t size, std::vector<uint8_t>& buffer) {
+    // if the buffer's big enough, reuse it.
+    if (size <= buffer.size()) return;
+
+    buffer.resize(size);
+}
+
+struct RangeSinkState {
+    RangeSinkState(RangeSet& rs) : tgt(rs) { };
+
+    int fd;
+    const RangeSet& tgt;
+    size_t p_block;
+    size_t p_remain;
+};
+
+static ssize_t RangeSinkWrite(const uint8_t* data, ssize_t size, void* token) {
+    RangeSinkState* rss = reinterpret_cast<RangeSinkState*>(token);
+
+    if (rss->p_remain == 0) {
+        fprintf(stderr, "range sink write overrun");
+        return 0;
+    }
+
+    ssize_t written = 0;
+    while (size > 0) {
+        size_t write_now = size;
+
+        if (rss->p_remain < write_now) {
+            write_now = rss->p_remain;
+        }
+
+        if (write_all(rss->fd, data, write_now) == -1) {
+            break;
+        }
+
+        data += write_now;
+        size -= write_now;
+
+        rss->p_remain -= write_now;
+        written += write_now;
+
+        if (rss->p_remain == 0) {
+            // move to the next block
+            ++rss->p_block;
+            if (rss->p_block < rss->tgt.count) {
+                rss->p_remain = (rss->tgt.pos[rss->p_block * 2 + 1] -
+                                 rss->tgt.pos[rss->p_block * 2]) * BLOCKSIZE;
+
+                off64_t offset = static_cast<off64_t>(rss->tgt.pos[rss->p_block*2]) * BLOCKSIZE;
+                if (!discard_blocks(rss->fd, offset, rss->p_remain)) {
+                    break;
+                }
+
+                if (!check_lseek(rss->fd, offset, SEEK_SET)) {
+                    break;
+                }
+
+            } else {
+                // we can't write any more; return how many bytes have
+                // been written so far.
+                break;
+            }
+        }
+    }
+
+    return written;
+}
+
+// All of the data for all the 'new' transfers is contained in one
+// file in the update package, concatenated together in the order in
+// which transfers.list will need it.  We want to stream it out of the
+// archive (it's compressed) without writing it to a temp file, but we
+// can't write each section until it's that transfer's turn to go.
+//
+// To achieve this, we expand the new data from the archive in a
+// background thread, and block that threads 'receive uncompressed
+// data' function until the main thread has reached a point where we
+// want some new data to be written.  We signal the background thread
+// with the destination for the data and block the main thread,
+// waiting for the background thread to complete writing that section.
+// Then it signals the main thread to wake up and goes back to
+// blocking waiting for a transfer.
+//
+// NewThreadInfo is the struct used to pass information back and forth
+// between the two threads.  When the main thread wants some data
+// written, it sets rss to the destination location and signals the
+// condition.  When the background thread is done writing, it clears
+// rss and signals the condition again.
+
+struct NewThreadInfo {
+    ZipArchive* za;
+    const ZipEntry* entry;
+
+    RangeSinkState* rss;
+
+    pthread_mutex_t mu;
+    pthread_cond_t cv;
+};
+
+static bool receive_new_data(const unsigned char* data, int size, void* cookie) {
+    NewThreadInfo* nti = reinterpret_cast<NewThreadInfo*>(cookie);
+
+    while (size > 0) {
+        // Wait for nti->rss to be non-null, indicating some of this
+        // data is wanted.
+        pthread_mutex_lock(&nti->mu);
+        while (nti->rss == nullptr) {
+            pthread_cond_wait(&nti->cv, &nti->mu);
+        }
+        pthread_mutex_unlock(&nti->mu);
+
+        // At this point nti->rss is set, and we own it.  The main
+        // thread is waiting for it to disappear from nti.
+        ssize_t written = RangeSinkWrite(data, size, nti->rss);
+        data += written;
+        size -= written;
+
+        if (nti->rss->p_block == nti->rss->tgt.count) {
+            // we have written all the bytes desired by this rss.
+
+            pthread_mutex_lock(&nti->mu);
+            nti->rss = nullptr;
+            pthread_cond_broadcast(&nti->cv);
+            pthread_mutex_unlock(&nti->mu);
+        }
+    }
+
+    return true;
+}
+
+static void* unzip_new_data(void* cookie) {
+    NewThreadInfo* nti = (NewThreadInfo*) cookie;
+    mzProcessZipEntryContents(nti->za, nti->entry, receive_new_data, nti);
+    return nullptr;
+}
+
+static int ReadBlocks(const RangeSet& src, std::vector<uint8_t>& buffer, int fd) {
+    size_t p = 0;
+    uint8_t* data = buffer.data();
+
+    for (size_t i = 0; i < src.count; ++i) {
+        if (!check_lseek(fd, (off64_t) src.pos[i * 2] * BLOCKSIZE, SEEK_SET)) {
+            return -1;
+        }
+
+        size_t size = (src.pos[i * 2 + 1] - src.pos[i * 2]) * BLOCKSIZE;
+
+        if (read_all(fd, data + p, size) == -1) {
+            return -1;
+        }
+
+        p += size;
+    }
+
+    return 0;
+}
+
+static int WriteBlocks(const RangeSet& tgt, const std::vector<uint8_t>& buffer, int fd) {
+    const uint8_t* data = buffer.data();
+
+    size_t p = 0;
+    for (size_t i = 0; i < tgt.count; ++i) {
+        off64_t offset = static_cast<off64_t>(tgt.pos[i * 2]) * BLOCKSIZE;
+        size_t size = (tgt.pos[i * 2 + 1] - tgt.pos[i * 2]) * BLOCKSIZE;
+        if (!discard_blocks(fd, offset, size)) {
+            return -1;
+        }
+
+        if (!check_lseek(fd, offset, SEEK_SET)) {
+            return -1;
+        }
+
+        if (write_all(fd, data + p, size) == -1) {
+            return -1;
+        }
+
+        p += size;
+    }
+
+    return 0;
+}
+
+// Parameters for transfer list command functions
+struct CommandParameters {
+    std::vector<std::string> tokens;
+    size_t cpos;
+    const char* cmdname;
+    const char* cmdline;
+    std::string freestash;
+    std::string stashbase;
+    bool canwrite;
+    int createdstash;
+    int fd;
+    bool foundwrites;
+    bool isunresumable;
+    int version;
+    size_t written;
+    size_t stashed;
+    NewThreadInfo nti;
+    pthread_t thread;
+    std::vector<uint8_t> buffer;
+    uint8_t* patch_start;
+};
+
+// Do a source/target load for move/bsdiff/imgdiff in version 1.
+// We expect to parse the remainder of the parameter tokens as:
+//
+//    <src_range> <tgt_range>
+//
+// The source range is loaded into the provided buffer, reallocating
+// it to make it larger if necessary.
+
+static int LoadSrcTgtVersion1(CommandParameters& params, RangeSet& tgt, size_t& src_blocks,
+        std::vector<uint8_t>& buffer, int fd) {
+
+    if (params.cpos + 1 >= params.tokens.size()) {
+        fprintf(stderr, "invalid parameters\n");
+        return -1;
+    }
+
+    // <src_range>
+    RangeSet src;
+    parse_range(params.tokens[params.cpos++], src);
+
+    // <tgt_range>
+    parse_range(params.tokens[params.cpos++], tgt);
+
+    allocate(src.size * BLOCKSIZE, buffer);
+    int rc = ReadBlocks(src, buffer, fd);
+    src_blocks = src.size;
+
+    return rc;
+}
+
+static int VerifyBlocks(const std::string& expected, const std::vector<uint8_t>& buffer,
+        const size_t blocks, bool printerror) {
+    uint8_t digest[SHA_DIGEST_LENGTH];
+    const uint8_t* data = buffer.data();
+
+    SHA1(data, blocks * BLOCKSIZE, digest);
+
+    std::string hexdigest = print_sha1(digest);
+
+    if (hexdigest != expected) {
+        if (printerror) {
+            fprintf(stderr, "failed to verify blocks (expected %s, read %s)\n",
+                    expected.c_str(), hexdigest.c_str());
+        }
+        return -1;
+    }
+
+    return 0;
+}
+
+static std::string GetStashFileName(const std::string& base, const std::string& id,
+        const std::string& postfix) {
+    if (base.empty()) {
+        return "";
+    }
+
+    std::string fn(STASH_DIRECTORY_BASE);
+    fn += "/" + base + "/" + id + postfix;
+
+    return fn;
+}
+
+typedef void (*StashCallback)(const std::string&, void*);
+
+// Does a best effort enumeration of stash files. Ignores possible non-file
+// items in the stash directory and continues despite of errors. Calls the
+// 'callback' function for each file and passes 'data' to the function as a
+// parameter.
+
+static void EnumerateStash(const std::string& dirname, StashCallback callback, void* data) {
+    if (dirname.empty() || callback == nullptr) {
+        return;
+    }
+
+    std::unique_ptr<DIR, int(*)(DIR*)> directory(opendir(dirname.c_str()), closedir);
+
+    if (directory == nullptr) {
+        if (errno != ENOENT) {
+            fprintf(stderr, "opendir \"%s\" failed: %s\n", dirname.c_str(), strerror(errno));
+        }
+        return;
+    }
+
+    struct dirent* item;
+    while ((item = readdir(directory.get())) != nullptr) {
+        if (item->d_type != DT_REG) {
+            continue;
+        }
+
+        std::string fn = dirname + "/" + std::string(item->d_name);
+        callback(fn, data);
+    }
+}
+
+static void UpdateFileSize(const std::string& fn, void* data) {
+    if (fn.empty() || !data) {
+        return;
+    }
+
+    struct stat sb;
+    if (stat(fn.c_str(), &sb) == -1) {
+        fprintf(stderr, "stat \"%s\" failed: %s\n", fn.c_str(), strerror(errno));
+        return;
+    }
+
+    int* size = reinterpret_cast<int*>(data);
+    *size += sb.st_size;
+}
+
+// Deletes the stash directory and all files in it. Assumes that it only
+// contains files. There is nothing we can do about unlikely, but possible
+// errors, so they are merely logged.
+
+static void DeleteFile(const std::string& fn, void* /* data */) {
+    if (!fn.empty()) {
+        fprintf(stderr, "deleting %s\n", fn.c_str());
+
+        if (unlink(fn.c_str()) == -1 && errno != ENOENT) {
+            fprintf(stderr, "unlink \"%s\" failed: %s\n", fn.c_str(), strerror(errno));
+        }
+    }
+}
+
+static void DeletePartial(const std::string& fn, void* data) {
+    if (android::base::EndsWith(fn, ".partial")) {
+        DeleteFile(fn, data);
+    }
+}
+
+static void DeleteStash(const std::string& base) {
+    if (base.empty()) {
+        return;
+    }
+
+    fprintf(stderr, "deleting stash %s\n", base.c_str());
+
+    std::string dirname = GetStashFileName(base, "", "");
+    EnumerateStash(dirname, DeleteFile, nullptr);
+
+    if (rmdir(dirname.c_str()) == -1) {
+        if (errno != ENOENT && errno != ENOTDIR) {
+            fprintf(stderr, "rmdir \"%s\" failed: %s\n", dirname.c_str(), strerror(errno));
+        }
+    }
+}
+
+static int LoadStash(CommandParameters& params, const std::string& base, const std::string& id,
+        bool verify, size_t* blocks, std::vector<uint8_t>& buffer, bool printnoent) {
+    // In verify mode, if source range_set was saved for the given hash,
+    // check contents in the source blocks first. If the check fails,
+    // search for the stashed files on /cache as usual.
+    if (!params.canwrite) {
+        if (stash_map.find(id) != stash_map.end()) {
+            const RangeSet& src = stash_map[id];
+            allocate(src.size * BLOCKSIZE, buffer);
+
+            if (ReadBlocks(src, buffer, params.fd) == -1) {
+                fprintf(stderr, "failed to read source blocks in stash map.\n");
+                return -1;
+            }
+            if (VerifyBlocks(id, buffer, src.size, true) != 0) {
+                fprintf(stderr, "failed to verify loaded source blocks in stash map.\n");
+                return -1;
+            }
+            return 0;
+        }
+    }
+
+    if (base.empty()) {
+        return -1;
+    }
+
+    size_t blockcount = 0;
+
+    if (!blocks) {
+        blocks = &blockcount;
+    }
+
+    std::string fn = GetStashFileName(base, id, "");
+
+    struct stat sb;
+    int res = stat(fn.c_str(), &sb);
+
+    if (res == -1) {
+        if (errno != ENOENT || printnoent) {
+            fprintf(stderr, "stat \"%s\" failed: %s\n", fn.c_str(), strerror(errno));
+        }
+        return -1;
+    }
+
+    fprintf(stderr, " loading %s\n", fn.c_str());
+
+    if ((sb.st_size % BLOCKSIZE) != 0) {
+        fprintf(stderr, "%s size %" PRId64 " not multiple of block size %d",
+                fn.c_str(), static_cast<int64_t>(sb.st_size), BLOCKSIZE);
+        return -1;
+    }
+
+    int fd = TEMP_FAILURE_RETRY(open(fn.c_str(), O_RDONLY));
+    unique_fd fd_holder(fd);
+
+    if (fd == -1) {
+        fprintf(stderr, "open \"%s\" failed: %s\n", fn.c_str(), strerror(errno));
+        return -1;
+    }
+
+    allocate(sb.st_size, buffer);
+
+    if (read_all(fd, buffer, sb.st_size) == -1) {
+        return -1;
+    }
+
+    *blocks = sb.st_size / BLOCKSIZE;
+
+    if (verify && VerifyBlocks(id, buffer, *blocks, true) != 0) {
+        fprintf(stderr, "unexpected contents in %s\n", fn.c_str());
+        DeleteFile(fn, nullptr);
+        return -1;
+    }
+
+    return 0;
+}
+
+static int WriteStash(const std::string& base, const std::string& id, int blocks,
+        std::vector<uint8_t>& buffer, bool checkspace, bool *exists) {
+    if (base.empty()) {
+        return -1;
+    }
+
+    if (checkspace && CacheSizeCheck(blocks * BLOCKSIZE) != 0) {
+        fprintf(stderr, "not enough space to write stash\n");
+        return -1;
+    }
+
+    std::string fn = GetStashFileName(base, id, ".partial");
+    std::string cn = GetStashFileName(base, id, "");
+
+    if (exists) {
+        struct stat sb;
+        int res = stat(cn.c_str(), &sb);
+
+        if (res == 0) {
+            // The file already exists and since the name is the hash of the contents,
+            // it's safe to assume the contents are identical (accidental hash collisions
+            // are unlikely)
+            fprintf(stderr, " skipping %d existing blocks in %s\n", blocks, cn.c_str());
+            *exists = true;
+            return 0;
+        }
+
+        *exists = false;
+    }
+
+    fprintf(stderr, " writing %d blocks to %s\n", blocks, cn.c_str());
+
+    int fd = TEMP_FAILURE_RETRY(open(fn.c_str(), O_WRONLY | O_CREAT | O_TRUNC, STASH_FILE_MODE));
+    unique_fd fd_holder(fd);
+
+    if (fd == -1) {
+        fprintf(stderr, "failed to create \"%s\": %s\n", fn.c_str(), strerror(errno));
+        return -1;
+    }
+
+    if (write_all(fd, buffer, blocks * BLOCKSIZE) == -1) {
+        return -1;
+    }
+
+    if (ota_fsync(fd) == -1) {
+        failure_type = kFsyncFailure;
+        fprintf(stderr, "fsync \"%s\" failed: %s\n", fn.c_str(), strerror(errno));
+        return -1;
+    }
+
+    if (rename(fn.c_str(), cn.c_str()) == -1) {
+        fprintf(stderr, "rename(\"%s\", \"%s\") failed: %s\n", fn.c_str(), cn.c_str(),
+                strerror(errno));
+        return -1;
+    }
+
+    std::string dname = GetStashFileName(base, "", "");
+    int dfd = TEMP_FAILURE_RETRY(open(dname.c_str(), O_RDONLY | O_DIRECTORY));
+    unique_fd dfd_holder(dfd);
+
+    if (dfd == -1) {
+        failure_type = kFileOpenFailure;
+        fprintf(stderr, "failed to open \"%s\" failed: %s\n", dname.c_str(), strerror(errno));
+        return -1;
+    }
+
+    if (ota_fsync(dfd) == -1) {
+        failure_type = kFsyncFailure;
+        fprintf(stderr, "fsync \"%s\" failed: %s\n", dname.c_str(), strerror(errno));
+        return -1;
+    }
+
+    return 0;
+}
+
+// Creates a directory for storing stash files and checks if the /cache partition
+// hash enough space for the expected amount of blocks we need to store. Returns
+// >0 if we created the directory, zero if it existed already, and <0 of failure.
+
+static int CreateStash(State* state, int maxblocks, const char* blockdev, std::string& base) {
+    if (blockdev == nullptr) {
+        return -1;
+    }
+
+    // Stash directory should be different for each partition to avoid conflicts
+    // when updating multiple partitions at the same time, so we use the hash of
+    // the block device name as the base directory
+    uint8_t digest[SHA_DIGEST_LENGTH];
+    SHA1(reinterpret_cast<const uint8_t*>(blockdev), strlen(blockdev), digest);
+    base = print_sha1(digest);
+
+    std::string dirname = GetStashFileName(base, "", "");
+    struct stat sb;
+    int res = stat(dirname.c_str(), &sb);
+
+    if (res == -1 && errno != ENOENT) {
+        ErrorAbort(state, kStashCreationFailure, "stat \"%s\" failed: %s\n",
+                   dirname.c_str(), strerror(errno));
+        return -1;
+    } else if (res != 0) {
+        fprintf(stderr, "creating stash %s\n", dirname.c_str());
+        res = mkdir(dirname.c_str(), STASH_DIRECTORY_MODE);
+
+        if (res != 0) {
+            ErrorAbort(state, kStashCreationFailure, "mkdir \"%s\" failed: %s\n",
+                       dirname.c_str(), strerror(errno));
+            return -1;
+        }
+
+        if (CacheSizeCheck(maxblocks * BLOCKSIZE) != 0) {
+            ErrorAbort(state, kStashCreationFailure, "not enough space for stash\n");
+            return -1;
+        }
+
+        return 1;  // Created directory
+    }
+
+    fprintf(stderr, "using existing stash %s\n", dirname.c_str());
+
+    // If the directory already exists, calculate the space already allocated to
+    // stash files and check if there's enough for all required blocks. Delete any
+    // partially completed stash files first.
+
+    EnumerateStash(dirname, DeletePartial, nullptr);
+    int size = 0;
+    EnumerateStash(dirname, UpdateFileSize, &size);
+
+    size = maxblocks * BLOCKSIZE - size;
+
+    if (size > 0 && CacheSizeCheck(size) != 0) {
+        ErrorAbort(state, kStashCreationFailure, "not enough space for stash (%d more needed)\n",
+                   size);
+        return -1;
+    }
+
+    return 0; // Using existing directory
+}
+
+static int SaveStash(CommandParameters& params, const std::string& base,
+        std::vector<uint8_t>& buffer, int fd, bool usehash) {
+
+    // <stash_id> <src_range>
+    if (params.cpos + 1 >= params.tokens.size()) {
+        fprintf(stderr, "missing id and/or src range fields in stash command\n");
+        return -1;
+    }
+    const std::string& id = params.tokens[params.cpos++];
+
+    size_t blocks = 0;
+    if (usehash && LoadStash(params, base, id, true, &blocks, buffer, false) == 0) {
+        // Stash file already exists and has expected contents. Do not
+        // read from source again, as the source may have been already
+        // overwritten during a previous attempt.
+        return 0;
+    }
+
+    RangeSet src;
+    parse_range(params.tokens[params.cpos++], src);
+
+    allocate(src.size * BLOCKSIZE, buffer);
+    if (ReadBlocks(src, buffer, fd) == -1) {
+        return -1;
+    }
+    blocks = src.size;
+
+    if (usehash && VerifyBlocks(id, buffer, blocks, true) != 0) {
+        // Source blocks have unexpected contents. If we actually need this
+        // data later, this is an unrecoverable error. However, the command
+        // that uses the data may have already completed previously, so the
+        // possible failure will occur during source block verification.
+        fprintf(stderr, "failed to load source blocks for stash %s\n", id.c_str());
+        return 0;
+    }
+
+    // In verify mode, save source range_set instead of stashing blocks.
+    if (!params.canwrite && usehash) {
+        stash_map[id] = src;
+        return 0;
+    }
+
+    fprintf(stderr, "stashing %zu blocks to %s\n", blocks, id.c_str());
+    params.stashed += blocks;
+    return WriteStash(base, id, blocks, buffer, false, nullptr);
+}
+
+static int FreeStash(const std::string& base, const std::string& id) {
+    if (base.empty() || id.empty()) {
+        return -1;
+    }
+
+    std::string fn = GetStashFileName(base, id, "");
+    DeleteFile(fn, nullptr);
+
+    return 0;
+}
+
+static void MoveRange(std::vector<uint8_t>& dest, const RangeSet& locs,
+        const std::vector<uint8_t>& source) {
+    // source contains packed data, which we want to move to the
+    // locations given in locs in the dest buffer.  source and dest
+    // may be the same buffer.
+
+    const uint8_t* from = source.data();
+    uint8_t* to = dest.data();
+    size_t start = locs.size;
+    for (int i = locs.count-1; i >= 0; --i) {
+        size_t blocks = locs.pos[i*2+1] - locs.pos[i*2];
+        start -= blocks;
+        memmove(to + (locs.pos[i*2] * BLOCKSIZE), from + (start * BLOCKSIZE),
+                blocks * BLOCKSIZE);
+    }
+}
+
+// Do a source/target load for move/bsdiff/imgdiff in version 2.
+// We expect to parse the remainder of the parameter tokens as one of:
+//
+//    <tgt_range> <src_block_count> <src_range>
+//        (loads data from source image only)
+//
+//    <tgt_range> <src_block_count> - <[stash_id:stash_range] ...>
+//        (loads data from stashes only)
+//
+//    <tgt_range> <src_block_count> <src_range> <src_loc> <[stash_id:stash_range] ...>
+//        (loads data from both source image and stashes)
+//
+// On return, buffer is filled with the loaded source data (rearranged
+// and combined with stashed data as necessary).  buffer may be
+// reallocated if needed to accommodate the source data.  *tgt is the
+// target RangeSet.  Any stashes required are loaded using LoadStash.
+
+static int LoadSrcTgtVersion2(CommandParameters& params, RangeSet& tgt, size_t& src_blocks,
+        std::vector<uint8_t>& buffer, int fd, const std::string& stashbase, bool* overlap) {
+
+    // At least it needs to provide three parameters: <tgt_range>,
+    // <src_block_count> and "-"/<src_range>.
+    if (params.cpos + 2 >= params.tokens.size()) {
+        fprintf(stderr, "invalid parameters\n");
+        return -1;
+    }
+
+    // <tgt_range>
+    parse_range(params.tokens[params.cpos++], tgt);
+
+    // <src_block_count>
+    const std::string& token = params.tokens[params.cpos++];
+    if (!android::base::ParseUint(token.c_str(), &src_blocks)) {
+        fprintf(stderr, "invalid src_block_count \"%s\"\n", token.c_str());
+        return -1;
+    }
+
+    allocate(src_blocks * BLOCKSIZE, buffer);
+
+    // "-" or <src_range> [<src_loc>]
+    if (params.tokens[params.cpos] == "-") {
+        // no source ranges, only stashes
+        params.cpos++;
+    } else {
+        RangeSet src;
+        parse_range(params.tokens[params.cpos++], src);
+        int res = ReadBlocks(src, buffer, fd);
+
+        if (overlap) {
+            *overlap = range_overlaps(src, tgt);
+        }
+
+        if (res == -1) {
+            return -1;
+        }
+
+        if (params.cpos >= params.tokens.size()) {
+            // no stashes, only source range
+            return 0;
+        }
+
+        RangeSet locs;
+        parse_range(params.tokens[params.cpos++], locs);
+        MoveRange(buffer, locs, buffer);
+    }
+
+    // <[stash_id:stash_range]>
+    while (params.cpos < params.tokens.size()) {
+        // Each word is a an index into the stash table, a colon, and
+        // then a rangeset describing where in the source block that
+        // stashed data should go.
+        std::vector<std::string> tokens = android::base::Split(params.tokens[params.cpos++], ":");
+        if (tokens.size() != 2) {
+            fprintf(stderr, "invalid parameter\n");
+            return -1;
+        }
+
+        std::vector<uint8_t> stash;
+        int res = LoadStash(params, stashbase, tokens[0], false, nullptr, stash, true);
+
+        if (res == -1) {
+            // These source blocks will fail verification if used later, but we
+            // will let the caller decide if this is a fatal failure
+            fprintf(stderr, "failed to load stash %s\n", tokens[0].c_str());
+            continue;
+        }
+
+        RangeSet locs;
+        parse_range(tokens[1], locs);
+
+        MoveRange(buffer, locs, stash);
+    }
+
+    return 0;
+}
+
+// Do a source/target load for move/bsdiff/imgdiff in version 3.
+//
+// Parameters are the same as for LoadSrcTgtVersion2, except for 'onehash', which
+// tells the function whether to expect separate source and targe block hashes, or
+// if they are both the same and only one hash should be expected, and
+// 'isunresumable', which receives a non-zero value if block verification fails in
+// a way that the update cannot be resumed anymore.
+//
+// If the function is unable to load the necessary blocks or their contents don't
+// match the hashes, the return value is -1 and the command should be aborted.
+//
+// If the return value is 1, the command has already been completed according to
+// the contents of the target blocks, and should not be performed again.
+//
+// If the return value is 0, source blocks have expected content and the command
+// can be performed.
+
+static int LoadSrcTgtVersion3(CommandParameters& params, RangeSet& tgt, size_t& src_blocks,
+        bool onehash, bool& overlap) {
+
+    if (params.cpos >= params.tokens.size()) {
+        fprintf(stderr, "missing source hash\n");
+        return -1;
+    }
+
+    std::string srchash = params.tokens[params.cpos++];
+    std::string tgthash;
+
+    if (onehash) {
+        tgthash = srchash;
+    } else {
+        if (params.cpos >= params.tokens.size()) {
+            fprintf(stderr, "missing target hash\n");
+            return -1;
+        }
+        tgthash = params.tokens[params.cpos++];
+    }
+
+    if (LoadSrcTgtVersion2(params, tgt, src_blocks, params.buffer, params.fd, params.stashbase,
+            &overlap) == -1) {
+        return -1;
+    }
+
+    std::vector<uint8_t> tgtbuffer(tgt.size * BLOCKSIZE);
+
+    if (ReadBlocks(tgt, tgtbuffer, params.fd) == -1) {
+        return -1;
+    }
+
+    if (VerifyBlocks(tgthash, tgtbuffer, tgt.size, false) == 0) {
+        // Target blocks already have expected content, command should be skipped
+        return 1;
+    }
+
+    if (VerifyBlocks(srchash, params.buffer, src_blocks, true) == 0) {
+        // If source and target blocks overlap, stash the source blocks so we can
+        // resume from possible write errors. In verify mode, we can skip stashing
+        // because the source blocks won't be overwritten.
+        if (overlap && params.canwrite) {
+            fprintf(stderr, "stashing %zu overlapping blocks to %s\n", src_blocks,
+                    srchash.c_str());
+
+            bool stash_exists = false;
+            if (WriteStash(params.stashbase, srchash, src_blocks, params.buffer, true,
+                           &stash_exists) != 0) {
+                fprintf(stderr, "failed to stash overlapping source blocks\n");
+                return -1;
+            }
+
+            params.stashed += src_blocks;
+            // Can be deleted when the write has completed
+            if (!stash_exists) {
+                params.freestash = srchash;
+            }
+        }
+
+        // Source blocks have expected content, command can proceed
+        return 0;
+    }
+
+    if (overlap && LoadStash(params, params.stashbase, srchash, true, nullptr, params.buffer,
+                             true) == 0) {
+        // Overlapping source blocks were previously stashed, command can proceed.
+        // We are recovering from an interrupted command, so we don't know if the
+        // stash can safely be deleted after this command.
+        return 0;
+    }
+
+    // Valid source data not available, update cannot be resumed
+    fprintf(stderr, "partition has unexpected contents\n");
+    params.isunresumable = true;
+
+    return -1;
+}
+
+static int PerformCommandMove(CommandParameters& params) {
+    size_t blocks = 0;
+    bool overlap = false;
+    int status = 0;
+    RangeSet tgt;
+
+    if (params.version == 1) {
+        status = LoadSrcTgtVersion1(params, tgt, blocks, params.buffer, params.fd);
+    } else if (params.version == 2) {
+        status = LoadSrcTgtVersion2(params, tgt, blocks, params.buffer, params.fd,
+                params.stashbase, nullptr);
+    } else if (params.version >= 3) {
+        status = LoadSrcTgtVersion3(params, tgt, blocks, true, overlap);
+    }
+
+    if (status == -1) {
+        fprintf(stderr, "failed to read blocks for move\n");
+        return -1;
+    }
+
+    if (status == 0) {
+        params.foundwrites = true;
+    } else if (params.foundwrites) {
+        fprintf(stderr, "warning: commands executed out of order [%s]\n", params.cmdname);
+    }
+
+    if (params.canwrite) {
+        if (status == 0) {
+            fprintf(stderr, "  moving %zu blocks\n", blocks);
+
+            if (WriteBlocks(tgt, params.buffer, params.fd) == -1) {
+                return -1;
+            }
+        } else {
+            fprintf(stderr, "skipping %zu already moved blocks\n", blocks);
+        }
+
+    }
+
+    if (!params.freestash.empty()) {
+        FreeStash(params.stashbase, params.freestash);
+        params.freestash.clear();
+    }
+
+    params.written += tgt.size;
+
+    return 0;
+}
+
+static int PerformCommandStash(CommandParameters& params) {
+    return SaveStash(params, params.stashbase, params.buffer, params.fd,
+            (params.version >= 3));
+}
+
+static int PerformCommandFree(CommandParameters& params) {
+    // <stash_id>
+    if (params.cpos >= params.tokens.size()) {
+        fprintf(stderr, "missing stash id in free command\n");
+        return -1;
+    }
+
+    const std::string& id = params.tokens[params.cpos++];
+
+    if (!params.canwrite && stash_map.find(id) != stash_map.end()) {
+        stash_map.erase(id);
+        return 0;
+    }
+
+    if (params.createdstash || params.canwrite) {
+        return FreeStash(params.stashbase, id);
+    }
+
+    return 0;
+}
+
+static int PerformCommandZero(CommandParameters& params) {
+
+    if (params.cpos >= params.tokens.size()) {
+        fprintf(stderr, "missing target blocks for zero\n");
+        return -1;
+    }
+
+    RangeSet tgt;
+    parse_range(params.tokens[params.cpos++], tgt);
+
+    fprintf(stderr, "  zeroing %zu blocks\n", tgt.size);
+
+    allocate(BLOCKSIZE, params.buffer);
+    memset(params.buffer.data(), 0, BLOCKSIZE);
+
+    if (params.canwrite) {
+        for (size_t i = 0; i < tgt.count; ++i) {
+            off64_t offset = static_cast<off64_t>(tgt.pos[i * 2]) * BLOCKSIZE;
+            size_t size = (tgt.pos[i * 2 + 1] - tgt.pos[i * 2]) * BLOCKSIZE;
+            if (!discard_blocks(params.fd, offset, size)) {
+                return -1;
+            }
+
+            if (!check_lseek(params.fd, offset, SEEK_SET)) {
+                return -1;
+            }
+
+            for (size_t j = tgt.pos[i * 2]; j < tgt.pos[i * 2 + 1]; ++j) {
+                if (write_all(params.fd, params.buffer, BLOCKSIZE) == -1) {
+                    return -1;
+                }
+            }
+        }
+    }
+
+    if (params.cmdname[0] == 'z') {
+        // Update only for the zero command, as the erase command will call
+        // this if DEBUG_ERASE is defined.
+        params.written += tgt.size;
+    }
+
+    return 0;
+}
+
+static int PerformCommandNew(CommandParameters& params) {
+
+    if (params.cpos >= params.tokens.size()) {
+        fprintf(stderr, "missing target blocks for new\n");
+        return -1;
+    }
+
+    RangeSet tgt;
+    parse_range(params.tokens[params.cpos++], tgt);
+
+    if (params.canwrite) {
+        fprintf(stderr, " writing %zu blocks of new data\n", tgt.size);
+
+        RangeSinkState rss(tgt);
+        rss.fd = params.fd;
+        rss.p_block = 0;
+        rss.p_remain = (tgt.pos[1] - tgt.pos[0]) * BLOCKSIZE;
+
+        off64_t offset = static_cast<off64_t>(tgt.pos[0]) * BLOCKSIZE;
+        if (!discard_blocks(params.fd, offset, tgt.size * BLOCKSIZE)) {
+            return -1;
+        }
+
+        if (!check_lseek(params.fd, offset, SEEK_SET)) {
+            return -1;
+        }
+
+        pthread_mutex_lock(&params.nti.mu);
+        params.nti.rss = &rss;
+        pthread_cond_broadcast(&params.nti.cv);
+
+        while (params.nti.rss) {
+            pthread_cond_wait(&params.nti.cv, &params.nti.mu);
+        }
+
+        pthread_mutex_unlock(&params.nti.mu);
+    }
+
+    params.written += tgt.size;
+
+    return 0;
+}
+
+static int PerformCommandDiff(CommandParameters& params) {
+
+    // <offset> <length>
+    if (params.cpos + 1 >= params.tokens.size()) {
+        fprintf(stderr, "missing patch offset or length for %s\n", params.cmdname);
+        return -1;
+    }
+
+    size_t offset;
+    if (!android::base::ParseUint(params.tokens[params.cpos++].c_str(), &offset)) {
+        fprintf(stderr, "invalid patch offset\n");
+        return -1;
+    }
+
+    size_t len;
+    if (!android::base::ParseUint(params.tokens[params.cpos++].c_str(), &len)) {
+        fprintf(stderr, "invalid patch offset\n");
+        return -1;
+    }
+
+    RangeSet tgt;
+    size_t blocks = 0;
+    bool overlap = false;
+    int status = 0;
+    if (params.version == 1) {
+        status = LoadSrcTgtVersion1(params, tgt, blocks, params.buffer, params.fd);
+    } else if (params.version == 2) {
+        status = LoadSrcTgtVersion2(params, tgt, blocks, params.buffer, params.fd,
+                params.stashbase, nullptr);
+    } else if (params.version >= 3) {
+        status = LoadSrcTgtVersion3(params, tgt, blocks, false, overlap);
+    }
+
+    if (status == -1) {
+        fprintf(stderr, "failed to read blocks for diff\n");
+        return -1;
+    }
+
+    if (status == 0) {
+        params.foundwrites = true;
+    } else if (params.foundwrites) {
+        fprintf(stderr, "warning: commands executed out of order [%s]\n", params.cmdname);
+    }
+
+    if (params.canwrite) {
+        if (status == 0) {
+            fprintf(stderr, "patching %zu blocks to %zu\n", blocks, tgt.size);
+
+            Value patch_value;
+            patch_value.type = VAL_BLOB;
+            patch_value.size = len;
+            patch_value.data = (char*) (params.patch_start + offset);
+
+            RangeSinkState rss(tgt);
+            rss.fd = params.fd;
+            rss.p_block = 0;
+            rss.p_remain = (tgt.pos[1] - tgt.pos[0]) * BLOCKSIZE;
+
+            off64_t offset = static_cast<off64_t>(tgt.pos[0]) * BLOCKSIZE;
+            if (!discard_blocks(params.fd, offset, rss.p_remain)) {
+                return -1;
+            }
+
+            if (!check_lseek(params.fd, offset, SEEK_SET)) {
+                return -1;
+            }
+
+            if (params.cmdname[0] == 'i') {      // imgdiff
+                if (ApplyImagePatch(params.buffer.data(), blocks * BLOCKSIZE, &patch_value,
+                        &RangeSinkWrite, &rss, nullptr, nullptr) != 0) {
+                    fprintf(stderr, "Failed to apply image patch.\n");
+                    return -1;
+                }
+            } else {
+                if (ApplyBSDiffPatch(params.buffer.data(), blocks * BLOCKSIZE, &patch_value,
+                        0, &RangeSinkWrite, &rss, nullptr) != 0) {
+                    fprintf(stderr, "Failed to apply bsdiff patch.\n");
+                    return -1;
+                }
+            }
+
+            // We expect the output of the patcher to fill the tgt ranges exactly.
+            if (rss.p_block != tgt.count || rss.p_remain != 0) {
+                fprintf(stderr, "range sink underrun?\n");
+            }
+        } else {
+            fprintf(stderr, "skipping %zu blocks already patched to %zu [%s]\n",
+                blocks, tgt.size, params.cmdline);
+        }
+    }
+
+    if (!params.freestash.empty()) {
+        FreeStash(params.stashbase, params.freestash);
+        params.freestash.clear();
+    }
+
+    params.written += tgt.size;
+
+    return 0;
+}
+
+static int PerformCommandErase(CommandParameters& params) {
+    if (DEBUG_ERASE) {
+        return PerformCommandZero(params);
+    }
+
+    struct stat sb;
+    if (fstat(params.fd, &sb) == -1) {
+        fprintf(stderr, "failed to fstat device to erase: %s\n", strerror(errno));
+        return -1;
+    }
+
+    if (!S_ISBLK(sb.st_mode)) {
+        fprintf(stderr, "not a block device; skipping erase\n");
+        return -1;
+    }
+
+    if (params.cpos >= params.tokens.size()) {
+        fprintf(stderr, "missing target blocks for erase\n");
+        return -1;
+    }
+
+    RangeSet tgt;
+    parse_range(params.tokens[params.cpos++], tgt);
+
+    if (params.canwrite) {
+        fprintf(stderr, " erasing %zu blocks\n", tgt.size);
+
+        for (size_t i = 0; i < tgt.count; ++i) {
+            uint64_t blocks[2];
+            // offset in bytes
+            blocks[0] = tgt.pos[i * 2] * (uint64_t) BLOCKSIZE;
+            // length in bytes
+            blocks[1] = (tgt.pos[i * 2 + 1] - tgt.pos[i * 2]) * (uint64_t) BLOCKSIZE;
+
+            if (ioctl(params.fd, BLKDISCARD, &blocks) == -1) {
+                fprintf(stderr, "BLKDISCARD ioctl failed: %s\n", strerror(errno));
+                return -1;
+            }
+        }
+    }
+
+    return 0;
+}
+
+// Definitions for transfer list command functions
+typedef int (*CommandFunction)(CommandParameters&);
+
+struct Command {
+    const char* name;
+    CommandFunction f;
+};
+
+// CompareCommands and CompareCommandNames are for the hash table
+
+static int CompareCommands(const void* c1, const void* c2) {
+    return strcmp(((const Command*) c1)->name, ((const Command*) c2)->name);
+}
+
+static int CompareCommandNames(const void* c1, const void* c2) {
+    return strcmp(((const Command*) c1)->name, (const char*) c2);
+}
+
+// HashString is used to hash command names for the hash table
+
+static unsigned int HashString(const char *s) {
+    unsigned int hash = 0;
+    if (s) {
+        while (*s) {
+            hash = hash * 33 + *s++;
+        }
+    }
+    return hash;
+}
+
+// args:
+//    - block device (or file) to modify in-place
+//    - transfer list (blob)
+//    - new data stream (filename within package.zip)
+//    - patch stream (filename within package.zip, must be uncompressed)
+
+static Value* PerformBlockImageUpdate(const char* name, State* state, int /* argc */, Expr* argv[],
+        const Command* commands, size_t cmdcount, bool dryrun) {
+    CommandParameters params;
+    memset(&params, 0, sizeof(params));
+    params.canwrite = !dryrun;
+
+    fprintf(stderr, "performing %s\n", dryrun ? "verification" : "update");
+    if (state->is_retry) {
+        is_retry = true;
+        fprintf(stderr, "This update is a retry.\n");
+    }
+
+    Value* blockdev_filename = nullptr;
+    Value* transfer_list_value = nullptr;
+    Value* new_data_fn = nullptr;
+    Value* patch_data_fn = nullptr;
+    if (ReadValueArgs(state, argv, 4, &blockdev_filename, &transfer_list_value,
+            &new_data_fn, &patch_data_fn) < 0) {
+        return StringValue(strdup(""));
+    }
+    std::unique_ptr<Value, decltype(&FreeValue)> blockdev_filename_holder(blockdev_filename,
+            FreeValue);
+    std::unique_ptr<Value, decltype(&FreeValue)> transfer_list_value_holder(transfer_list_value,
+            FreeValue);
+    std::unique_ptr<Value, decltype(&FreeValue)> new_data_fn_holder(new_data_fn, FreeValue);
+    std::unique_ptr<Value, decltype(&FreeValue)> patch_data_fn_holder(patch_data_fn, FreeValue);
+
+    if (blockdev_filename->type != VAL_STRING) {
+        ErrorAbort(state, kArgsParsingFailure, "blockdev_filename argument to %s must be string",
+                   name);
+        return StringValue(strdup(""));
+    }
+    if (transfer_list_value->type != VAL_BLOB) {
+        ErrorAbort(state, kArgsParsingFailure, "transfer_list argument to %s must be blob", name);
+        return StringValue(strdup(""));
+    }
+    if (new_data_fn->type != VAL_STRING) {
+        ErrorAbort(state, kArgsParsingFailure, "new_data_fn argument to %s must be string", name);
+        return StringValue(strdup(""));
+    }
+    if (patch_data_fn->type != VAL_STRING) {
+        ErrorAbort(state, kArgsParsingFailure, "patch_data_fn argument to %s must be string",
+                   name);
+        return StringValue(strdup(""));
+    }
+
+    UpdaterInfo* ui = reinterpret_cast<UpdaterInfo*>(state->cookie);
+
+    if (ui == nullptr) {
+        return StringValue(strdup(""));
+    }
+
+    FILE* cmd_pipe = ui->cmd_pipe;
+    ZipArchive* za = ui->package_zip;
+
+    if (cmd_pipe == nullptr || za == nullptr) {
+        return StringValue(strdup(""));
+    }
+
+    const ZipEntry* patch_entry = mzFindZipEntry(za, patch_data_fn->data);
+    if (patch_entry == nullptr) {
+        fprintf(stderr, "%s(): no file \"%s\" in package", name, patch_data_fn->data);
+        return StringValue(strdup(""));
+    }
+
+    params.patch_start = ui->package_zip_addr + mzGetZipEntryOffset(patch_entry);
+    const ZipEntry* new_entry = mzFindZipEntry(za, new_data_fn->data);
+    if (new_entry == nullptr) {
+        fprintf(stderr, "%s(): no file \"%s\" in package", name, new_data_fn->data);
+        return StringValue(strdup(""));
+    }
+
+    params.fd = TEMP_FAILURE_RETRY(open(blockdev_filename->data, O_RDWR));
+    unique_fd fd_holder(params.fd);
+
+    if (params.fd == -1) {
+        fprintf(stderr, "open \"%s\" failed: %s\n", blockdev_filename->data, strerror(errno));
+        return StringValue(strdup(""));
+    }
+
+    if (params.canwrite) {
+        params.nti.za = za;
+        params.nti.entry = new_entry;
+
+        pthread_mutex_init(&params.nti.mu, nullptr);
+        pthread_cond_init(&params.nti.cv, nullptr);
+        pthread_attr_t attr;
+        pthread_attr_init(&attr);
+        pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE);
+
+        int error = pthread_create(&params.thread, &attr, unzip_new_data, &params.nti);
+        if (error != 0) {
+            fprintf(stderr, "pthread_create failed: %s\n", strerror(error));
+            return StringValue(strdup(""));
+        }
+    }
+
+    // Copy all the lines in transfer_list_value into std::string for
+    // processing.
+    const std::string transfer_list(transfer_list_value->data, transfer_list_value->size);
+    std::vector<std::string> lines = android::base::Split(transfer_list, "\n");
+    if (lines.size() < 2) {
+        ErrorAbort(state, kArgsParsingFailure, "too few lines in the transfer list [%zd]\n",
+                   lines.size());
+        return StringValue(strdup(""));
+    }
+
+    // First line in transfer list is the version number
+    if (!android::base::ParseInt(lines[0].c_str(), &params.version, 1, 4)) {
+        fprintf(stderr, "unexpected transfer list version [%s]\n", lines[0].c_str());
+        return StringValue(strdup(""));
+    }
+
+    fprintf(stderr, "blockimg version is %d\n", params.version);
+
+    // Second line in transfer list is the total number of blocks we expect to write
+    int total_blocks;
+    if (!android::base::ParseInt(lines[1].c_str(), &total_blocks, 0)) {
+        ErrorAbort(state, kArgsParsingFailure, "unexpected block count [%s]\n", lines[1].c_str());
+        return StringValue(strdup(""));
+    }
+
+    if (total_blocks == 0) {
+        return StringValue(strdup("t"));
+    }
+
+    size_t start = 2;
+    if (params.version >= 2) {
+        if (lines.size() < 4) {
+            ErrorAbort(state, kArgsParsingFailure, "too few lines in the transfer list [%zu]\n",
+                       lines.size());
+            return StringValue(strdup(""));
+        }
+
+        // Third line is how many stash entries are needed simultaneously
+        fprintf(stderr, "maximum stash entries %s\n", lines[2].c_str());
+
+        // Fourth line is the maximum number of blocks that will be stashed simultaneously
+        int stash_max_blocks;
+        if (!android::base::ParseInt(lines[3].c_str(), &stash_max_blocks, 0)) {
+            ErrorAbort(state, kArgsParsingFailure, "unexpected maximum stash blocks [%s]\n",
+                       lines[3].c_str());
+            return StringValue(strdup(""));
+        }
+
+        int res = CreateStash(state, stash_max_blocks, blockdev_filename->data, params.stashbase);
+        if (res == -1) {
+            return StringValue(strdup(""));
+        }
+
+        params.createdstash = res;
+
+        start += 2;
+    }
+
+    // Build a hash table of the available commands
+    HashTable* cmdht = mzHashTableCreate(cmdcount, nullptr);
+    std::unique_ptr<HashTable, decltype(&mzHashTableFree)> cmdht_holder(cmdht, mzHashTableFree);
+
+    for (size_t i = 0; i < cmdcount; ++i) {
+        unsigned int cmdhash = HashString(commands[i].name);
+        mzHashTableLookup(cmdht, cmdhash, (void*) &commands[i], CompareCommands, true);
+    }
+
+    int rc = -1;
+
+    // Subsequent lines are all individual transfer commands
+    for (auto it = lines.cbegin() + start; it != lines.cend(); it++) {
+        const std::string& line_str(*it);
+        if (line_str.empty()) {
+            continue;
+        }
+
+        params.tokens = android::base::Split(line_str, " ");
+        params.cpos = 0;
+        params.cmdname = params.tokens[params.cpos++].c_str();
+        params.cmdline = line_str.c_str();
+
+        unsigned int cmdhash = HashString(params.cmdname);
+        const Command* cmd = reinterpret_cast<const Command*>(mzHashTableLookup(cmdht, cmdhash,
+                const_cast<char*>(params.cmdname), CompareCommandNames,
+                false));
+
+        if (cmd == nullptr) {
+            fprintf(stderr, "unexpected command [%s]\n", params.cmdname);
+            goto pbiudone;
+        }
+
+        if (cmd->f != nullptr && cmd->f(params) == -1) {
+            fprintf(stderr, "failed to execute command [%s]\n", line_str.c_str());
+            goto pbiudone;
+        }
+
+        if (params.canwrite) {
+            if (ota_fsync(params.fd) == -1) {
+                failure_type = kFsyncFailure;
+                fprintf(stderr, "fsync failed: %s\n", strerror(errno));
+                goto pbiudone;
+            }
+            fprintf(cmd_pipe, "set_progress %.4f\n", (double) params.written / total_blocks);
+            fflush(cmd_pipe);
+        }
+    }
+
+    if (params.canwrite) {
+        pthread_join(params.thread, nullptr);
+
+        fprintf(stderr, "wrote %zu blocks; expected %d\n", params.written, total_blocks);
+        fprintf(stderr, "stashed %zu blocks\n", params.stashed);
+        fprintf(stderr, "max alloc needed was %zu\n", params.buffer.size());
+
+        const char* partition = strrchr(blockdev_filename->data, '/');
+        if (partition != nullptr && *(partition+1) != 0) {
+            fprintf(cmd_pipe, "log bytes_written_%s: %zu\n", partition + 1,
+                    params.written * BLOCKSIZE);
+            fprintf(cmd_pipe, "log bytes_stashed_%s: %zu\n", partition + 1,
+                    params.stashed * BLOCKSIZE);
+            fflush(cmd_pipe);
+        }
+        // Delete stash only after successfully completing the update, as it
+        // may contain blocks needed to complete the update later.
+        DeleteStash(params.stashbase);
+    } else {
+        fprintf(stderr, "verified partition contents; update may be resumed\n");
+    }
+
+    rc = 0;
+
+pbiudone:
+    if (ota_fsync(params.fd) == -1) {
+        failure_type = kFsyncFailure;
+        fprintf(stderr, "fsync failed: %s\n", strerror(errno));
+    }
+    // params.fd will be automatically closed because of the fd_holder above.
+
+    // Only delete the stash if the update cannot be resumed, or it's
+    // a verification run and we created the stash.
+    if (params.isunresumable || (!params.canwrite && params.createdstash)) {
+        DeleteStash(params.stashbase);
+    }
+
+    if (failure_type != kNoCause && state->cause_code == kNoCause) {
+        state->cause_code = failure_type;
+    }
+
+    return StringValue(rc == 0 ? strdup("t") : strdup(""));
+}
+
+// The transfer list is a text file containing commands to
+// transfer data from one place to another on the target
+// partition.  We parse it and execute the commands in order:
+//
+//    zero [rangeset]
+//      - fill the indicated blocks with zeros
+//
+//    new [rangeset]
+//      - fill the blocks with data read from the new_data file
+//
+//    erase [rangeset]
+//      - mark the given blocks as empty
+//
+//    move <...>
+//    bsdiff <patchstart> <patchlen> <...>
+//    imgdiff <patchstart> <patchlen> <...>
+//      - read the source blocks, apply a patch (or not in the
+//        case of move), write result to target blocks.  bsdiff or
+//        imgdiff specifies the type of patch; move means no patch
+//        at all.
+//
+//        The format of <...> differs between versions 1 and 2;
+//        see the LoadSrcTgtVersion{1,2}() functions for a
+//        description of what's expected.
+//
+//    stash <stash_id> <src_range>
+//      - (version 2+ only) load the given source range and stash
+//        the data in the given slot of the stash table.
+//
+//    free <stash_id>
+//      - (version 3+ only) free the given stash data.
+//
+// The creator of the transfer list will guarantee that no block
+// is read (ie, used as the source for a patch or move) after it
+// has been written.
+//
+// In version 2, the creator will guarantee that a given stash is
+// loaded (with a stash command) before it's used in a
+// move/bsdiff/imgdiff command.
+//
+// Within one command the source and target ranges may overlap so
+// in general we need to read the entire source into memory before
+// writing anything to the target blocks.
+//
+// All the patch data is concatenated into one patch_data file in
+// the update package.  It must be stored uncompressed because we
+// memory-map it in directly from the archive.  (Since patches are
+// already compressed, we lose very little by not compressing
+// their concatenation.)
+//
+// In version 3, commands that read data from the partition (i.e.
+// move/bsdiff/imgdiff/stash) have one or more additional hashes
+// before the range parameters, which are used to check if the
+// command has already been completed and verify the integrity of
+// the source data.
+
+Value* BlockImageVerifyFn(const char* name, State* state, int argc, Expr* argv[]) {
+    // Commands which are not tested are set to nullptr to skip them completely
+    const Command commands[] = {
+        { "bsdiff",     PerformCommandDiff  },
+        { "erase",      nullptr             },
+        { "free",       PerformCommandFree  },
+        { "imgdiff",    PerformCommandDiff  },
+        { "move",       PerformCommandMove  },
+        { "new",        nullptr             },
+        { "stash",      PerformCommandStash },
+        { "zero",       nullptr             }
+    };
+
+    // Perform a dry run without writing to test if an update can proceed
+    return PerformBlockImageUpdate(name, state, argc, argv, commands,
+                sizeof(commands) / sizeof(commands[0]), true);
+}
+
+Value* BlockImageUpdateFn(const char* name, State* state, int argc, Expr* argv[]) {
+    const Command commands[] = {
+        { "bsdiff",     PerformCommandDiff  },
+        { "erase",      PerformCommandErase },
+        { "free",       PerformCommandFree  },
+        { "imgdiff",    PerformCommandDiff  },
+        { "move",       PerformCommandMove  },
+        { "new",        PerformCommandNew   },
+        { "stash",      PerformCommandStash },
+        { "zero",       PerformCommandZero  }
+    };
+
+    return PerformBlockImageUpdate(name, state, argc, argv, commands,
+                sizeof(commands) / sizeof(commands[0]), false);
+}
+
+Value* RangeSha1Fn(const char* name, State* state, int /* argc */, Expr* argv[]) {
+    Value* blockdev_filename;
+    Value* ranges;
+
+    if (ReadValueArgs(state, argv, 2, &blockdev_filename, &ranges) < 0) {
+        return StringValue(strdup(""));
+    }
+    std::unique_ptr<Value, decltype(&FreeValue)> ranges_holder(ranges, FreeValue);
+    std::unique_ptr<Value, decltype(&FreeValue)> blockdev_filename_holder(blockdev_filename,
+            FreeValue);
+
+    if (blockdev_filename->type != VAL_STRING) {
+        ErrorAbort(state, kArgsParsingFailure, "blockdev_filename argument to %s must be string",
+                   name);
+        return StringValue(strdup(""));
+    }
+    if (ranges->type != VAL_STRING) {
+        ErrorAbort(state, kArgsParsingFailure, "ranges argument to %s must be string", name);
+        return StringValue(strdup(""));
+    }
+
+    int fd = open(blockdev_filename->data, O_RDWR);
+    unique_fd fd_holder(fd);
+    if (fd < 0) {
+        ErrorAbort(state, kFileOpenFailure, "open \"%s\" failed: %s", blockdev_filename->data,
+                   strerror(errno));
+        return StringValue(strdup(""));
+    }
+
+    RangeSet rs;
+    parse_range(ranges->data, rs);
+
+    SHA_CTX ctx;
+    SHA1_Init(&ctx);
+
+    std::vector<uint8_t> buffer(BLOCKSIZE);
+    for (size_t i = 0; i < rs.count; ++i) {
+        if (!check_lseek(fd, (off64_t)rs.pos[i*2] * BLOCKSIZE, SEEK_SET)) {
+            ErrorAbort(state, kLseekFailure, "failed to seek %s: %s", blockdev_filename->data,
+                       strerror(errno));
+            return StringValue(strdup(""));
+        }
+
+        for (size_t j = rs.pos[i*2]; j < rs.pos[i*2+1]; ++j) {
+            if (read_all(fd, buffer, BLOCKSIZE) == -1) {
+                ErrorAbort(state, kFreadFailure, "failed to read %s: %s", blockdev_filename->data,
+                        strerror(errno));
+                return StringValue(strdup(""));
+            }
+
+            SHA1_Update(&ctx, buffer.data(), BLOCKSIZE);
+        }
+    }
+    uint8_t digest[SHA_DIGEST_LENGTH];
+    SHA1_Final(digest, &ctx);
+
+    return StringValue(strdup(print_sha1(digest).c_str()));
+}
+
+// This function checks if a device has been remounted R/W prior to an incremental
+// OTA update. This is an common cause of update abortion. The function reads the
+// 1st block of each partition and check for mounting time/count. It return string "t"
+// if executes successfully and an empty string otherwise.
+
+Value* CheckFirstBlockFn(const char* name, State* state, int argc, Expr* argv[]) {
+    Value* arg_filename;
+
+    if (ReadValueArgs(state, argv, 1, &arg_filename) < 0) {
+        return nullptr;
+    }
+    std::unique_ptr<Value, decltype(&FreeValue)> filename(arg_filename, FreeValue);
+
+    if (filename->type != VAL_STRING) {
+        ErrorAbort(state, kArgsParsingFailure, "filename argument to %s must be string", name);
+        return StringValue(strdup(""));
+    }
+
+    int fd = open(arg_filename->data, O_RDONLY);
+    unique_fd fd_holder(fd);
+    if (fd == -1) {
+        ErrorAbort(state, kFileOpenFailure, "open \"%s\" failed: %s", arg_filename->data,
+                   strerror(errno));
+        return StringValue(strdup(""));
+    }
+
+    RangeSet blk0 {1 /*count*/, 1/*size*/, std::vector<size_t> {0, 1}/*position*/};
+    std::vector<uint8_t> block0_buffer(BLOCKSIZE);
+
+    if (ReadBlocks(blk0, block0_buffer, fd) == -1) {
+        ErrorAbort(state, kFreadFailure, "failed to read %s: %s", arg_filename->data,
+                strerror(errno));
+        return StringValue(strdup(""));
+    }
+
+    // https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout
+    // Super block starts from block 0, offset 0x400
+    //   0x2C: len32 Mount time
+    //   0x30: len32 Write time
+    //   0x34: len16 Number of mounts since the last fsck
+    //   0x38: len16 Magic signature 0xEF53
+
+    time_t mount_time = *reinterpret_cast<uint32_t*>(&block0_buffer[0x400+0x2C]);
+    uint16_t mount_count = *reinterpret_cast<uint16_t*>(&block0_buffer[0x400+0x34]);
+
+    if (mount_count > 0) {
+        uiPrintf(state, "Device was remounted R/W %d times\n", mount_count);
+        uiPrintf(state, "Last remount happened on %s", ctime(&mount_time));
+    }
+
+    return StringValue(strdup("t"));
+}
+
+
+Value* BlockImageRecoverFn(const char* name, State* state, int argc, Expr* argv[]) {
+    Value* arg_filename;
+    Value* arg_ranges;
+
+    if (ReadValueArgs(state, argv, 2, &arg_filename, &arg_ranges) < 0) {
+        return NULL;
+    }
+
+    std::unique_ptr<Value, decltype(&FreeValue)> filename(arg_filename, FreeValue);
+    std::unique_ptr<Value, decltype(&FreeValue)> ranges(arg_ranges, FreeValue);
+
+    if (filename->type != VAL_STRING) {
+        ErrorAbort(state, kArgsParsingFailure, "filename argument to %s must be string", name);
+        return StringValue(strdup(""));
+    }
+    if (ranges->type != VAL_STRING) {
+        ErrorAbort(state, kArgsParsingFailure, "ranges argument to %s must be string", name);
+        return StringValue(strdup(""));
+    }
+
+    // Output notice to log when recover is attempted
+    fprintf(stderr, "%s image corrupted, attempting to recover...\n", filename->data);
+
+    // When opened with O_RDWR, libfec rewrites corrupted blocks when they are read
+    fec::io fh(filename->data, O_RDWR);
+
+    if (!fh) {
+        ErrorAbort(state, kLibfecFailure, "fec_open \"%s\" failed: %s", filename->data,
+                   strerror(errno));
+        return StringValue(strdup(""));
+    }
+
+    if (!fh.has_ecc() || !fh.has_verity()) {
+        ErrorAbort(state, kLibfecFailure, "unable to use metadata to correct errors");
+        return StringValue(strdup(""));
+    }
+
+    fec_status status;
+
+    if (!fh.get_status(status)) {
+        ErrorAbort(state, kLibfecFailure, "failed to read FEC status");
+        return StringValue(strdup(""));
+    }
+
+    RangeSet rs;
+    parse_range(ranges->data, rs);
+
+    uint8_t buffer[BLOCKSIZE];
+
+    for (size_t i = 0; i < rs.count; ++i) {
+        for (size_t j = rs.pos[i * 2]; j < rs.pos[i * 2 + 1]; ++j) {
+            // Stay within the data area, libfec validates and corrects metadata
+            if (status.data_size <= (uint64_t)j * BLOCKSIZE) {
+                continue;
+            }
+
+            if (fh.pread(buffer, BLOCKSIZE, (off64_t)j * BLOCKSIZE) != BLOCKSIZE) {
+                ErrorAbort(state, kLibfecFailure, "failed to recover %s (block %zu): %s",
+                           filename->data, j, strerror(errno));
+                return StringValue(strdup(""));
+            }
+
+            // If we want to be able to recover from a situation where rewriting a corrected
+            // block doesn't guarantee the same data will be returned when re-read later, we
+            // can save a copy of corrected blocks to /cache. Note:
+            //
+            //  1. Maximum space required from /cache is the same as the maximum number of
+            //     corrupted blocks we can correct. For RS(255, 253) and a 2 GiB partition,
+            //     this would be ~16 MiB, for example.
+            //
+            //  2. To find out if this block was corrupted, call fec_get_status after each
+            //     read and check if the errors field value has increased.
+        }
+    }
+    fprintf(stderr, "...%s image recovered successfully.\n", filename->data);
+    return StringValue(strdup("t"));
+}
+
+void RegisterBlockImageFunctions() {
+    RegisterFunction("block_image_verify", BlockImageVerifyFn);
+    RegisterFunction("block_image_update", BlockImageUpdateFn);
+    RegisterFunction("block_image_recover", BlockImageRecoverFn);
+    RegisterFunction("check_first_block", CheckFirstBlockFn);
+    RegisterFunction("range_sha1", RangeSha1Fn);
+}
diff --git a/updater/install.c b/updater/install.c
deleted file mode 100644
index 01a5dd2..0000000
--- a/updater/install.c
+++ /dev/null
@@ -1,1625 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/mount.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <time.h>
-#include <selinux/selinux.h>
-#include <ftw.h>
-#include <sys/capability.h>
-#include <sys/xattr.h>
-#include <linux/xattr.h>
-#include <inttypes.h>
-
-#include "bootloader.h"
-#include "applypatch/applypatch.h"
-#include "cutils/android_reboot.h"
-#include "cutils/misc.h"
-#include "cutils/properties.h"
-#include "edify/expr.h"
-#include "mincrypt/sha.h"
-#include "minzip/DirUtil.h"
-#include "mtdutils/mounts.h"
-#include "mtdutils/mtdutils.h"
-#include "updater.h"
-#include "install.h"
-#include "tune2fs.h"
-
-#ifdef USE_EXT4
-#include "make_ext4fs.h"
-#include "wipe.h"
-#endif
-
-void uiPrint(State* state, char* buffer) {
-    char* line = strtok(buffer, "\n");
-    UpdaterInfo* ui = (UpdaterInfo*)(state->cookie);
-    while (line) {
-        fprintf(ui->cmd_pipe, "ui_print %s\n", line);
-        line = strtok(NULL, "\n");
-    }
-    fprintf(ui->cmd_pipe, "ui_print\n");
-}
-
-__attribute__((__format__(printf, 2, 3))) __nonnull((2))
-void uiPrintf(State* state, const char* format, ...) {
-    char error_msg[1024];
-    va_list ap;
-    va_start(ap, format);
-    vsnprintf(error_msg, sizeof(error_msg), format, ap);
-    va_end(ap);
-    uiPrint(state, error_msg);
-}
-
-// Take a sha-1 digest and return it as a newly-allocated hex string.
-char* PrintSha1(const uint8_t* digest) {
-    char* buffer = malloc(SHA_DIGEST_SIZE*2 + 1);
-    int i;
-    const char* alphabet = "0123456789abcdef";
-    for (i = 0; i < SHA_DIGEST_SIZE; ++i) {
-        buffer[i*2] = alphabet[(digest[i] >> 4) & 0xf];
-        buffer[i*2+1] = alphabet[digest[i] & 0xf];
-    }
-    buffer[i*2] = '\0';
-    return buffer;
-}
-
-// mount(fs_type, partition_type, location, mount_point)
-//
-//    fs_type="yaffs2" partition_type="MTD"     location=partition
-//    fs_type="ext4"   partition_type="EMMC"    location=device
-Value* MountFn(const char* name, State* state, int argc, Expr* argv[]) {
-    char* result = NULL;
-    if (argc != 4 && argc != 5) {
-        return ErrorAbort(state, "%s() expects 4-5 args, got %d", name, argc);
-    }
-    char* fs_type;
-    char* partition_type;
-    char* location;
-    char* mount_point;
-    char* mount_options;
-    bool has_mount_options;
-    if (argc == 5) {
-        has_mount_options = true;
-        if (ReadArgs(state, argv, 5, &fs_type, &partition_type,
-                 &location, &mount_point, &mount_options) < 0) {
-            return NULL;
-        }
-    } else {
-        has_mount_options = false;
-        if (ReadArgs(state, argv, 4, &fs_type, &partition_type,
-                 &location, &mount_point) < 0) {
-            return NULL;
-        }
-    }
-
-    if (strlen(fs_type) == 0) {
-        ErrorAbort(state, "fs_type argument to %s() can't be empty", name);
-        goto done;
-    }
-    if (strlen(partition_type) == 0) {
-        ErrorAbort(state, "partition_type argument to %s() can't be empty",
-                   name);
-        goto done;
-    }
-    if (strlen(location) == 0) {
-        ErrorAbort(state, "location argument to %s() can't be empty", name);
-        goto done;
-    }
-    if (strlen(mount_point) == 0) {
-        ErrorAbort(state, "mount_point argument to %s() can't be empty", name);
-        goto done;
-    }
-
-    char *secontext = NULL;
-
-    if (sehandle) {
-        selabel_lookup(sehandle, &secontext, mount_point, 0755);
-        setfscreatecon(secontext);
-    }
-
-    mkdir(mount_point, 0755);
-
-    if (secontext) {
-        freecon(secontext);
-        setfscreatecon(NULL);
-    }
-
-    if (strcmp(partition_type, "MTD") == 0) {
-        mtd_scan_partitions();
-        const MtdPartition* mtd;
-        mtd = mtd_find_partition_by_name(location);
-        if (mtd == NULL) {
-            uiPrintf(state, "%s: no mtd partition named \"%s\"",
-                    name, location);
-            result = strdup("");
-            goto done;
-        }
-        if (mtd_mount_partition(mtd, mount_point, fs_type, 0 /* rw */) != 0) {
-            uiPrintf(state, "mtd mount of %s failed: %s\n",
-                    location, strerror(errno));
-            result = strdup("");
-            goto done;
-        }
-        result = mount_point;
-    } else {
-        if (mount(location, mount_point, fs_type,
-                  MS_NOATIME | MS_NODEV | MS_NODIRATIME,
-                  has_mount_options ? mount_options : "") < 0) {
-            uiPrintf(state, "%s: failed to mount %s at %s: %s\n",
-                    name, location, mount_point, strerror(errno));
-            result = strdup("");
-        } else {
-            result = mount_point;
-        }
-    }
-
-done:
-    free(fs_type);
-    free(partition_type);
-    free(location);
-    if (result != mount_point) free(mount_point);
-    if (has_mount_options) free(mount_options);
-    return StringValue(result);
-}
-
-
-// is_mounted(mount_point)
-Value* IsMountedFn(const char* name, State* state, int argc, Expr* argv[]) {
-    char* result = NULL;
-    if (argc != 1) {
-        return ErrorAbort(state, "%s() expects 1 arg, got %d", name, argc);
-    }
-    char* mount_point;
-    if (ReadArgs(state, argv, 1, &mount_point) < 0) {
-        return NULL;
-    }
-    if (strlen(mount_point) == 0) {
-        ErrorAbort(state, "mount_point argument to unmount() can't be empty");
-        goto done;
-    }
-
-    scan_mounted_volumes();
-    const MountedVolume* vol = find_mounted_volume_by_mount_point(mount_point);
-    if (vol == NULL) {
-        result = strdup("");
-    } else {
-        result = mount_point;
-    }
-
-done:
-    if (result != mount_point) free(mount_point);
-    return StringValue(result);
-}
-
-
-Value* UnmountFn(const char* name, State* state, int argc, Expr* argv[]) {
-    char* result = NULL;
-    if (argc != 1) {
-        return ErrorAbort(state, "%s() expects 1 arg, got %d", name, argc);
-    }
-    char* mount_point;
-    if (ReadArgs(state, argv, 1, &mount_point) < 0) {
-        return NULL;
-    }
-    if (strlen(mount_point) == 0) {
-        ErrorAbort(state, "mount_point argument to unmount() can't be empty");
-        goto done;
-    }
-
-    scan_mounted_volumes();
-    const MountedVolume* vol = find_mounted_volume_by_mount_point(mount_point);
-    if (vol == NULL) {
-        uiPrintf(state, "unmount of %s failed; no such volume\n", mount_point);
-        result = strdup("");
-    } else {
-        int ret = unmount_mounted_volume(vol);
-        if (ret != 0) {
-           uiPrintf(state, "unmount of %s failed (%d): %s\n",
-                    mount_point, ret, strerror(errno));
-        }
-        result = mount_point;
-    }
-
-done:
-    if (result != mount_point) free(mount_point);
-    return StringValue(result);
-}
-
-static int exec_cmd(const char* path, char* const argv[]) {
-    int status;
-    pid_t child;
-    if ((child = vfork()) == 0) {
-        execv(path, argv);
-        _exit(-1);
-    }
-    waitpid(child, &status, 0);
-    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
-        printf("%s failed with status %d\n", path, WEXITSTATUS(status));
-    }
-    return WEXITSTATUS(status);
-}
-
-
-// format(fs_type, partition_type, location, fs_size, mount_point)
-//
-//    fs_type="yaffs2" partition_type="MTD"     location=partition fs_size=<bytes> mount_point=<location>
-//    fs_type="ext4"   partition_type="EMMC"    location=device    fs_size=<bytes> mount_point=<location>
-//    fs_type="f2fs"   partition_type="EMMC"    location=device    fs_size=<bytes> mount_point=<location>
-//    if fs_size == 0, then make fs uses the entire partition.
-//    if fs_size > 0, that is the size to use
-//    if fs_size < 0, then reserve that many bytes at the end of the partition (not for "f2fs")
-Value* FormatFn(const char* name, State* state, int argc, Expr* argv[]) {
-    char* result = NULL;
-    if (argc != 5) {
-        return ErrorAbort(state, "%s() expects 5 args, got %d", name, argc);
-    }
-    char* fs_type;
-    char* partition_type;
-    char* location;
-    char* fs_size;
-    char* mount_point;
-
-    if (ReadArgs(state, argv, 5, &fs_type, &partition_type, &location, &fs_size, &mount_point) < 0) {
-        return NULL;
-    }
-
-    if (strlen(fs_type) == 0) {
-        ErrorAbort(state, "fs_type argument to %s() can't be empty", name);
-        goto done;
-    }
-    if (strlen(partition_type) == 0) {
-        ErrorAbort(state, "partition_type argument to %s() can't be empty",
-                   name);
-        goto done;
-    }
-    if (strlen(location) == 0) {
-        ErrorAbort(state, "location argument to %s() can't be empty", name);
-        goto done;
-    }
-
-    if (strlen(mount_point) == 0) {
-        ErrorAbort(state, "mount_point argument to %s() can't be empty", name);
-        goto done;
-    }
-
-    if (strcmp(partition_type, "MTD") == 0) {
-        mtd_scan_partitions();
-        const MtdPartition* mtd = mtd_find_partition_by_name(location);
-        if (mtd == NULL) {
-            printf("%s: no mtd partition named \"%s\"",
-                    name, location);
-            result = strdup("");
-            goto done;
-        }
-        MtdWriteContext* ctx = mtd_write_partition(mtd);
-        if (ctx == NULL) {
-            printf("%s: can't write \"%s\"", name, location);
-            result = strdup("");
-            goto done;
-        }
-        if (mtd_erase_blocks(ctx, -1) == -1) {
-            mtd_write_close(ctx);
-            printf("%s: failed to erase \"%s\"", name, location);
-            result = strdup("");
-            goto done;
-        }
-        if (mtd_write_close(ctx) != 0) {
-            printf("%s: failed to close \"%s\"", name, location);
-            result = strdup("");
-            goto done;
-        }
-        result = location;
-#ifdef USE_EXT4
-    } else if (strcmp(fs_type, "ext4") == 0) {
-        int status = make_ext4fs(location, atoll(fs_size), mount_point, sehandle);
-        if (status != 0) {
-            printf("%s: make_ext4fs failed (%d) on %s",
-                    name, status, location);
-            result = strdup("");
-            goto done;
-        }
-        result = location;
-    } else if (strcmp(fs_type, "f2fs") == 0) {
-        char *num_sectors;
-        if (asprintf(&num_sectors, "%lld", atoll(fs_size) / 512) <= 0) {
-            printf("format_volume: failed to create %s command for %s\n", fs_type, location);
-            result = strdup("");
-            goto done;
-        }
-        const char *f2fs_path = "/sbin/mkfs.f2fs";
-        const char* const f2fs_argv[] = {"mkfs.f2fs", "-t", "-d1", location, num_sectors, NULL};
-        int status = exec_cmd(f2fs_path, (char* const*)f2fs_argv);
-        free(num_sectors);
-        if (status != 0) {
-            printf("%s: mkfs.f2fs failed (%d) on %s",
-                    name, status, location);
-            result = strdup("");
-            goto done;
-        }
-        result = location;
-#endif
-    } else {
-        printf("%s: unsupported fs_type \"%s\" partition_type \"%s\"",
-                name, fs_type, partition_type);
-    }
-
-done:
-    free(fs_type);
-    free(partition_type);
-    if (result != location) free(location);
-    return StringValue(result);
-}
-
-Value* RenameFn(const char* name, State* state, int argc, Expr* argv[]) {
-    char* result = NULL;
-    if (argc != 2) {
-        return ErrorAbort(state, "%s() expects 2 args, got %d", name, argc);
-    }
-
-    char* src_name;
-    char* dst_name;
-
-    if (ReadArgs(state, argv, 2, &src_name, &dst_name) < 0) {
-        return NULL;
-    }
-    if (strlen(src_name) == 0) {
-        ErrorAbort(state, "src_name argument to %s() can't be empty", name);
-        goto done;
-    }
-    if (strlen(dst_name) == 0) {
-        ErrorAbort(state, "dst_name argument to %s() can't be empty", name);
-        goto done;
-    }
-    if (make_parents(dst_name) != 0) {
-        ErrorAbort(state, "Creating parent of %s failed, error %s",
-          dst_name, strerror(errno));
-    } else if (access(dst_name, F_OK) == 0 && access(src_name, F_OK) != 0) {
-        // File was already moved
-        result = dst_name;
-    } else if (rename(src_name, dst_name) != 0) {
-        ErrorAbort(state, "Rename of %s to %s failed, error %s",
-          src_name, dst_name, strerror(errno));
-    } else {
-        result = dst_name;
-    }
-
-done:
-    free(src_name);
-    if (result != dst_name) free(dst_name);
-    return StringValue(result);
-}
-
-Value* DeleteFn(const char* name, State* state, int argc, Expr* argv[]) {
-    char** paths = malloc(argc * sizeof(char*));
-    int i;
-    for (i = 0; i < argc; ++i) {
-        paths[i] = Evaluate(state, argv[i]);
-        if (paths[i] == NULL) {
-            int j;
-            for (j = 0; j < i; ++i) {
-                free(paths[j]);
-            }
-            free(paths);
-            return NULL;
-        }
-    }
-
-    bool recursive = (strcmp(name, "delete_recursive") == 0);
-
-    int success = 0;
-    for (i = 0; i < argc; ++i) {
-        if ((recursive ? dirUnlinkHierarchy(paths[i]) : unlink(paths[i])) == 0)
-            ++success;
-        free(paths[i]);
-    }
-    free(paths);
-
-    char buffer[10];
-    sprintf(buffer, "%d", success);
-    return StringValue(strdup(buffer));
-}
-
-
-Value* ShowProgressFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc != 2) {
-        return ErrorAbort(state, "%s() expects 2 args, got %d", name, argc);
-    }
-    char* frac_str;
-    char* sec_str;
-    if (ReadArgs(state, argv, 2, &frac_str, &sec_str) < 0) {
-        return NULL;
-    }
-
-    double frac = strtod(frac_str, NULL);
-    int sec = strtol(sec_str, NULL, 10);
-
-    UpdaterInfo* ui = (UpdaterInfo*)(state->cookie);
-    fprintf(ui->cmd_pipe, "progress %f %d\n", frac, sec);
-
-    free(sec_str);
-    return StringValue(frac_str);
-}
-
-Value* SetProgressFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc != 1) {
-        return ErrorAbort(state, "%s() expects 1 arg, got %d", name, argc);
-    }
-    char* frac_str;
-    if (ReadArgs(state, argv, 1, &frac_str) < 0) {
-        return NULL;
-    }
-
-    double frac = strtod(frac_str, NULL);
-
-    UpdaterInfo* ui = (UpdaterInfo*)(state->cookie);
-    fprintf(ui->cmd_pipe, "set_progress %f\n", frac);
-
-    return StringValue(frac_str);
-}
-
-// package_extract_dir(package_path, destination_path)
-Value* PackageExtractDirFn(const char* name, State* state,
-                          int argc, Expr* argv[]) {
-    if (argc != 2) {
-        return ErrorAbort(state, "%s() expects 2 args, got %d", name, argc);
-    }
-    char* zip_path;
-    char* dest_path;
-    if (ReadArgs(state, argv, 2, &zip_path, &dest_path) < 0) return NULL;
-
-    ZipArchive* za = ((UpdaterInfo*)(state->cookie))->package_zip;
-
-    // To create a consistent system image, never use the clock for timestamps.
-    struct utimbuf timestamp = { 1217592000, 1217592000 };  // 8/1/2008 default
-
-    bool success = mzExtractRecursive(za, zip_path, dest_path,
-                                      &timestamp,
-                                      NULL, NULL, sehandle);
-    free(zip_path);
-    free(dest_path);
-    return StringValue(strdup(success ? "t" : ""));
-}
-
-
-// package_extract_file(package_path, destination_path)
-//   or
-// package_extract_file(package_path)
-//   to return the entire contents of the file as the result of this
-//   function (the char* returned is actually a FileContents*).
-Value* PackageExtractFileFn(const char* name, State* state,
-                           int argc, Expr* argv[]) {
-    if (argc < 1 || argc > 2) {
-        return ErrorAbort(state, "%s() expects 1 or 2 args, got %d",
-                          name, argc);
-    }
-    bool success = false;
-
-    UpdaterInfo* ui = (UpdaterInfo*)(state->cookie);
-
-    if (argc == 2) {
-        // The two-argument version extracts to a file.
-
-        ZipArchive* za = ((UpdaterInfo*)(state->cookie))->package_zip;
-
-        char* zip_path;
-        char* dest_path;
-        if (ReadArgs(state, argv, 2, &zip_path, &dest_path) < 0) return NULL;
-
-        const ZipEntry* entry = mzFindZipEntry(za, zip_path);
-        if (entry == NULL) {
-            printf("%s: no %s in package\n", name, zip_path);
-            goto done2;
-        }
-
-        FILE* f = fopen(dest_path, "wb");
-        if (f == NULL) {
-            printf("%s: can't open %s for write: %s\n",
-                    name, dest_path, strerror(errno));
-            goto done2;
-        }
-        success = mzExtractZipEntryToFile(za, entry, fileno(f));
-        fclose(f);
-
-      done2:
-        free(zip_path);
-        free(dest_path);
-        return StringValue(strdup(success ? "t" : ""));
-    } else {
-        // The one-argument version returns the contents of the file
-        // as the result.
-
-        char* zip_path;
-        Value* v = malloc(sizeof(Value));
-        v->type = VAL_BLOB;
-        v->size = -1;
-        v->data = NULL;
-
-        if (ReadArgs(state, argv, 1, &zip_path) < 0) return NULL;
-
-        ZipArchive* za = ((UpdaterInfo*)(state->cookie))->package_zip;
-        const ZipEntry* entry = mzFindZipEntry(za, zip_path);
-        if (entry == NULL) {
-            printf("%s: no %s in package\n", name, zip_path);
-            goto done1;
-        }
-
-        v->size = mzGetZipEntryUncompLen(entry);
-        v->data = malloc(v->size);
-        if (v->data == NULL) {
-            printf("%s: failed to allocate %ld bytes for %s\n",
-                    name, (long)v->size, zip_path);
-            goto done1;
-        }
-
-        success = mzExtractZipEntryToBuffer(za, entry,
-                                            (unsigned char *)v->data);
-
-      done1:
-        free(zip_path);
-        if (!success) {
-            free(v->data);
-            v->data = NULL;
-            v->size = -1;
-        }
-        return v;
-    }
-}
-
-// Create all parent directories of name, if necessary.
-static int make_parents(char* name) {
-    char* p;
-    for (p = name + (strlen(name)-1); p > name; --p) {
-        if (*p != '/') continue;
-        *p = '\0';
-        if (make_parents(name) < 0) return -1;
-        int result = mkdir(name, 0700);
-        if (result == 0) printf("created [%s]\n", name);
-        *p = '/';
-        if (result == 0 || errno == EEXIST) {
-            // successfully created or already existed; we're done
-            return 0;
-        } else {
-            printf("failed to mkdir %s: %s\n", name, strerror(errno));
-            return -1;
-        }
-    }
-    return 0;
-}
-
-// symlink target src1 src2 ...
-//    unlinks any previously existing src1, src2, etc before creating symlinks.
-Value* SymlinkFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc == 0) {
-        return ErrorAbort(state, "%s() expects 1+ args, got %d", name, argc);
-    }
-    char* target;
-    target = Evaluate(state, argv[0]);
-    if (target == NULL) return NULL;
-
-    char** srcs = ReadVarArgs(state, argc-1, argv+1);
-    if (srcs == NULL) {
-        free(target);
-        return NULL;
-    }
-
-    int bad = 0;
-    int i;
-    for (i = 0; i < argc-1; ++i) {
-        if (unlink(srcs[i]) < 0) {
-            if (errno != ENOENT) {
-                printf("%s: failed to remove %s: %s\n",
-                        name, srcs[i], strerror(errno));
-                ++bad;
-            }
-        }
-        if (make_parents(srcs[i])) {
-            printf("%s: failed to symlink %s to %s: making parents failed\n",
-                    name, srcs[i], target);
-            ++bad;
-        }
-        if (symlink(target, srcs[i]) < 0) {
-            printf("%s: failed to symlink %s to %s: %s\n",
-                    name, srcs[i], target, strerror(errno));
-            ++bad;
-        }
-        free(srcs[i]);
-    }
-    free(srcs);
-    if (bad) {
-        return ErrorAbort(state, "%s: some symlinks failed", name);
-    }
-    return StringValue(strdup(""));
-}
-
-struct perm_parsed_args {
-    bool has_uid;
-    uid_t uid;
-    bool has_gid;
-    gid_t gid;
-    bool has_mode;
-    mode_t mode;
-    bool has_fmode;
-    mode_t fmode;
-    bool has_dmode;
-    mode_t dmode;
-    bool has_selabel;
-    char* selabel;
-    bool has_capabilities;
-    uint64_t capabilities;
-};
-
-static struct perm_parsed_args ParsePermArgs(State * state, int argc, char** args) {
-    int i;
-    struct perm_parsed_args parsed;
-    int bad = 0;
-    static int max_warnings = 20;
-
-    memset(&parsed, 0, sizeof(parsed));
-
-    for (i = 1; i < argc; i += 2) {
-        if (strcmp("uid", args[i]) == 0) {
-            int64_t uid;
-            if (sscanf(args[i+1], "%" SCNd64, &uid) == 1) {
-                parsed.uid = uid;
-                parsed.has_uid = true;
-            } else {
-                uiPrintf(state, "ParsePermArgs: invalid UID \"%s\"\n", args[i + 1]);
-                bad++;
-            }
-            continue;
-        }
-        if (strcmp("gid", args[i]) == 0) {
-            int64_t gid;
-            if (sscanf(args[i+1], "%" SCNd64, &gid) == 1) {
-                parsed.gid = gid;
-                parsed.has_gid = true;
-            } else {
-                uiPrintf(state, "ParsePermArgs: invalid GID \"%s\"\n", args[i + 1]);
-                bad++;
-            }
-            continue;
-        }
-        if (strcmp("mode", args[i]) == 0) {
-            int32_t mode;
-            if (sscanf(args[i+1], "%" SCNi32, &mode) == 1) {
-                parsed.mode = mode;
-                parsed.has_mode = true;
-            } else {
-                uiPrintf(state, "ParsePermArgs: invalid mode \"%s\"\n", args[i + 1]);
-                bad++;
-            }
-            continue;
-        }
-        if (strcmp("dmode", args[i]) == 0) {
-            int32_t mode;
-            if (sscanf(args[i+1], "%" SCNi32, &mode) == 1) {
-                parsed.dmode = mode;
-                parsed.has_dmode = true;
-            } else {
-                uiPrintf(state, "ParsePermArgs: invalid dmode \"%s\"\n", args[i + 1]);
-                bad++;
-            }
-            continue;
-        }
-        if (strcmp("fmode", args[i]) == 0) {
-            int32_t mode;
-            if (sscanf(args[i+1], "%" SCNi32, &mode) == 1) {
-                parsed.fmode = mode;
-                parsed.has_fmode = true;
-            } else {
-                uiPrintf(state, "ParsePermArgs: invalid fmode \"%s\"\n", args[i + 1]);
-                bad++;
-            }
-            continue;
-        }
-        if (strcmp("capabilities", args[i]) == 0) {
-            int64_t capabilities;
-            if (sscanf(args[i+1], "%" SCNi64, &capabilities) == 1) {
-                parsed.capabilities = capabilities;
-                parsed.has_capabilities = true;
-            } else {
-                uiPrintf(state, "ParsePermArgs: invalid capabilities \"%s\"\n", args[i + 1]);
-                bad++;
-            }
-            continue;
-        }
-        if (strcmp("selabel", args[i]) == 0) {
-            if (args[i+1][0] != '\0') {
-                parsed.selabel = args[i+1];
-                parsed.has_selabel = true;
-            } else {
-                uiPrintf(state, "ParsePermArgs: invalid selabel \"%s\"\n", args[i + 1]);
-                bad++;
-            }
-            continue;
-        }
-        if (max_warnings != 0) {
-            printf("ParsedPermArgs: unknown key \"%s\", ignoring\n", args[i]);
-            max_warnings--;
-            if (max_warnings == 0) {
-                printf("ParsedPermArgs: suppressing further warnings\n");
-            }
-        }
-    }
-    return parsed;
-}
-
-static int ApplyParsedPerms(
-        State * state,
-        const char* filename,
-        const struct stat *statptr,
-        struct perm_parsed_args parsed)
-{
-    int bad = 0;
-
-    if (parsed.has_selabel) {
-        if (lsetfilecon(filename, parsed.selabel) != 0) {
-            uiPrintf(state, "ApplyParsedPerms: lsetfilecon of %s to %s failed: %s\n",
-                    filename, parsed.selabel, strerror(errno));
-            bad++;
-        }
-    }
-
-    /* ignore symlinks */
-    if (S_ISLNK(statptr->st_mode)) {
-        return bad;
-    }
-
-    if (parsed.has_uid) {
-        if (chown(filename, parsed.uid, -1) < 0) {
-            uiPrintf(state, "ApplyParsedPerms: chown of %s to %d failed: %s\n",
-                    filename, parsed.uid, strerror(errno));
-            bad++;
-        }
-    }
-
-    if (parsed.has_gid) {
-        if (chown(filename, -1, parsed.gid) < 0) {
-            uiPrintf(state, "ApplyParsedPerms: chgrp of %s to %d failed: %s\n",
-                    filename, parsed.gid, strerror(errno));
-            bad++;
-        }
-    }
-
-    if (parsed.has_mode) {
-        if (chmod(filename, parsed.mode) < 0) {
-            uiPrintf(state, "ApplyParsedPerms: chmod of %s to %d failed: %s\n",
-                    filename, parsed.mode, strerror(errno));
-            bad++;
-        }
-    }
-
-    if (parsed.has_dmode && S_ISDIR(statptr->st_mode)) {
-        if (chmod(filename, parsed.dmode) < 0) {
-            uiPrintf(state, "ApplyParsedPerms: chmod of %s to %d failed: %s\n",
-                    filename, parsed.dmode, strerror(errno));
-            bad++;
-        }
-    }
-
-    if (parsed.has_fmode && S_ISREG(statptr->st_mode)) {
-        if (chmod(filename, parsed.fmode) < 0) {
-            uiPrintf(state, "ApplyParsedPerms: chmod of %s to %d failed: %s\n",
-                   filename, parsed.fmode, strerror(errno));
-            bad++;
-        }
-    }
-
-    if (parsed.has_capabilities && S_ISREG(statptr->st_mode)) {
-        if (parsed.capabilities == 0) {
-            if ((removexattr(filename, XATTR_NAME_CAPS) == -1) && (errno != ENODATA)) {
-                // Report failure unless it's ENODATA (attribute not set)
-                uiPrintf(state, "ApplyParsedPerms: removexattr of %s to %" PRIx64 " failed: %s\n",
-                       filename, parsed.capabilities, strerror(errno));
-                bad++;
-            }
-        } else {
-            struct vfs_cap_data cap_data;
-            memset(&cap_data, 0, sizeof(cap_data));
-            cap_data.magic_etc = VFS_CAP_REVISION | VFS_CAP_FLAGS_EFFECTIVE;
-            cap_data.data[0].permitted = (uint32_t) (parsed.capabilities & 0xffffffff);
-            cap_data.data[0].inheritable = 0;
-            cap_data.data[1].permitted = (uint32_t) (parsed.capabilities >> 32);
-            cap_data.data[1].inheritable = 0;
-            if (setxattr(filename, XATTR_NAME_CAPS, &cap_data, sizeof(cap_data), 0) < 0) {
-                uiPrintf(state, "ApplyParsedPerms: setcap of %s to %" PRIx64 " failed: %s\n",
-                        filename, parsed.capabilities, strerror(errno));
-                bad++;
-            }
-        }
-    }
-
-    return bad;
-}
-
-// nftw doesn't allow us to pass along context, so we need to use
-// global variables.  *sigh*
-static struct perm_parsed_args recursive_parsed_args;
-static State* recursive_state;
-
-static int do_SetMetadataRecursive(const char* filename, const struct stat *statptr,
-        int fileflags, struct FTW *pfwt) {
-    return ApplyParsedPerms(recursive_state, filename, statptr, recursive_parsed_args);
-}
-
-static Value* SetMetadataFn(const char* name, State* state, int argc, Expr* argv[]) {
-    int i;
-    int bad = 0;
-    static int nwarnings = 0;
-    struct stat sb;
-    Value* result = NULL;
-
-    bool recursive = (strcmp(name, "set_metadata_recursive") == 0);
-
-    if ((argc % 2) != 1) {
-        return ErrorAbort(state, "%s() expects an odd number of arguments, got %d",
-                          name, argc);
-    }
-
-    char** args = ReadVarArgs(state, argc, argv);
-    if (args == NULL) return NULL;
-
-    if (lstat(args[0], &sb) == -1) {
-        result = ErrorAbort(state, "%s: Error on lstat of \"%s\": %s", name, args[0], strerror(errno));
-        goto done;
-    }
-
-    struct perm_parsed_args parsed = ParsePermArgs(state, argc, args);
-
-    if (recursive) {
-        recursive_parsed_args = parsed;
-        recursive_state = state;
-        bad += nftw(args[0], do_SetMetadataRecursive, 30, FTW_CHDIR | FTW_DEPTH | FTW_PHYS);
-        memset(&recursive_parsed_args, 0, sizeof(recursive_parsed_args));
-        recursive_state = NULL;
-    } else {
-        bad += ApplyParsedPerms(state, args[0], &sb, parsed);
-    }
-
-done:
-    for (i = 0; i < argc; ++i) {
-        free(args[i]);
-    }
-    free(args);
-
-    if (result != NULL) {
-        return result;
-    }
-
-    if (bad > 0) {
-        return ErrorAbort(state, "%s: some changes failed", name);
-    }
-
-    return StringValue(strdup(""));
-}
-
-Value* GetPropFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc != 1) {
-        return ErrorAbort(state, "%s() expects 1 arg, got %d", name, argc);
-    }
-    char* key;
-    key = Evaluate(state, argv[0]);
-    if (key == NULL) return NULL;
-
-    char value[PROPERTY_VALUE_MAX];
-    property_get(key, value, "");
-    free(key);
-
-    return StringValue(strdup(value));
-}
-
-
-// file_getprop(file, key)
-//
-//   interprets 'file' as a getprop-style file (key=value pairs, one
-//   per line. # comment lines,blank lines, lines without '=' ignored),
-//   and returns the value for 'key' (or "" if it isn't defined).
-Value* FileGetPropFn(const char* name, State* state, int argc, Expr* argv[]) {
-    char* result = NULL;
-    char* buffer = NULL;
-    char* filename;
-    char* key;
-    if (ReadArgs(state, argv, 2, &filename, &key) < 0) {
-        return NULL;
-    }
-
-    struct stat st;
-    if (stat(filename, &st) < 0) {
-        ErrorAbort(state, "%s: failed to stat \"%s\": %s",
-                   name, filename, strerror(errno));
-        goto done;
-    }
-
-#define MAX_FILE_GETPROP_SIZE    65536
-
-    if (st.st_size > MAX_FILE_GETPROP_SIZE) {
-        ErrorAbort(state, "%s too large for %s (max %d)",
-                   filename, name, MAX_FILE_GETPROP_SIZE);
-        goto done;
-    }
-
-    buffer = malloc(st.st_size+1);
-    if (buffer == NULL) {
-        ErrorAbort(state, "%s: failed to alloc %lld bytes", name, (long long)st.st_size+1);
-        goto done;
-    }
-
-    FILE* f = fopen(filename, "rb");
-    if (f == NULL) {
-        ErrorAbort(state, "%s: failed to open %s: %s",
-                   name, filename, strerror(errno));
-        goto done;
-    }
-
-    if (fread(buffer, 1, st.st_size, f) != st.st_size) {
-        ErrorAbort(state, "%s: failed to read %lld bytes from %s",
-                   name, (long long)st.st_size+1, filename);
-        fclose(f);
-        goto done;
-    }
-    buffer[st.st_size] = '\0';
-
-    fclose(f);
-
-    char* line = strtok(buffer, "\n");
-    do {
-        // skip whitespace at start of line
-        while (*line && isspace(*line)) ++line;
-
-        // comment or blank line: skip to next line
-        if (*line == '\0' || *line == '#') continue;
-
-        char* equal = strchr(line, '=');
-        if (equal == NULL) {
-            continue;
-        }
-
-        // trim whitespace between key and '='
-        char* key_end = equal-1;
-        while (key_end > line && isspace(*key_end)) --key_end;
-        key_end[1] = '\0';
-
-        // not the key we're looking for
-        if (strcmp(key, line) != 0) continue;
-
-        // skip whitespace after the '=' to the start of the value
-        char* val_start = equal+1;
-        while(*val_start && isspace(*val_start)) ++val_start;
-
-        // trim trailing whitespace
-        char* val_end = val_start + strlen(val_start)-1;
-        while (val_end > val_start && isspace(*val_end)) --val_end;
-        val_end[1] = '\0';
-
-        result = strdup(val_start);
-        break;
-
-    } while ((line = strtok(NULL, "\n")));
-
-    if (result == NULL) result = strdup("");
-
-  done:
-    free(filename);
-    free(key);
-    free(buffer);
-    return StringValue(result);
-}
-
-
-static bool write_raw_image_cb(const unsigned char* data,
-                               int data_len, void* ctx) {
-    int r = mtd_write_data((MtdWriteContext*)ctx, (const char *)data, data_len);
-    if (r == data_len) return true;
-    printf("%s\n", strerror(errno));
-    return false;
-}
-
-// write_raw_image(filename_or_blob, partition)
-Value* WriteRawImageFn(const char* name, State* state, int argc, Expr* argv[]) {
-    char* result = NULL;
-
-    Value* partition_value;
-    Value* contents;
-    if (ReadValueArgs(state, argv, 2, &contents, &partition_value) < 0) {
-        return NULL;
-    }
-
-    char* partition = NULL;
-    if (partition_value->type != VAL_STRING) {
-        ErrorAbort(state, "partition argument to %s must be string", name);
-        goto done;
-    }
-    partition = partition_value->data;
-    if (strlen(partition) == 0) {
-        ErrorAbort(state, "partition argument to %s can't be empty", name);
-        goto done;
-    }
-    if (contents->type == VAL_STRING && strlen((char*) contents->data) == 0) {
-        ErrorAbort(state, "file argument to %s can't be empty", name);
-        goto done;
-    }
-
-    mtd_scan_partitions();
-    const MtdPartition* mtd = mtd_find_partition_by_name(partition);
-    if (mtd == NULL) {
-        printf("%s: no mtd partition named \"%s\"\n", name, partition);
-        result = strdup("");
-        goto done;
-    }
-
-    MtdWriteContext* ctx = mtd_write_partition(mtd);
-    if (ctx == NULL) {
-        printf("%s: can't write mtd partition \"%s\"\n",
-                name, partition);
-        result = strdup("");
-        goto done;
-    }
-
-    bool success;
-
-    if (contents->type == VAL_STRING) {
-        // we're given a filename as the contents
-        char* filename = contents->data;
-        FILE* f = fopen(filename, "rb");
-        if (f == NULL) {
-            printf("%s: can't open %s: %s\n",
-                    name, filename, strerror(errno));
-            result = strdup("");
-            goto done;
-        }
-
-        success = true;
-        char* buffer = malloc(BUFSIZ);
-        int read;
-        while (success && (read = fread(buffer, 1, BUFSIZ, f)) > 0) {
-            int wrote = mtd_write_data(ctx, buffer, read);
-            success = success && (wrote == read);
-        }
-        free(buffer);
-        fclose(f);
-    } else {
-        // we're given a blob as the contents
-        ssize_t wrote = mtd_write_data(ctx, contents->data, contents->size);
-        success = (wrote == contents->size);
-    }
-    if (!success) {
-        printf("mtd_write_data to %s failed: %s\n",
-                partition, strerror(errno));
-    }
-
-    if (mtd_erase_blocks(ctx, -1) == -1) {
-        printf("%s: error erasing blocks of %s\n", name, partition);
-    }
-    if (mtd_write_close(ctx) != 0) {
-        printf("%s: error closing write of %s\n", name, partition);
-    }
-
-    printf("%s %s partition\n",
-           success ? "wrote" : "failed to write", partition);
-
-    result = success ? partition : strdup("");
-
-done:
-    if (result != partition) FreeValue(partition_value);
-    FreeValue(contents);
-    return StringValue(result);
-}
-
-// apply_patch_space(bytes)
-Value* ApplyPatchSpaceFn(const char* name, State* state,
-                         int argc, Expr* argv[]) {
-    char* bytes_str;
-    if (ReadArgs(state, argv, 1, &bytes_str) < 0) {
-        return NULL;
-    }
-
-    char* endptr;
-    size_t bytes = strtol(bytes_str, &endptr, 10);
-    if (bytes == 0 && endptr == bytes_str) {
-        ErrorAbort(state, "%s(): can't parse \"%s\" as byte count\n\n",
-                   name, bytes_str);
-        free(bytes_str);
-        return NULL;
-    }
-
-    return StringValue(strdup(CacheSizeCheck(bytes) ? "" : "t"));
-}
-
-// apply_patch(file, size, init_sha1, tgt_sha1, patch)
-
-Value* ApplyPatchFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc < 6 || (argc % 2) == 1) {
-        return ErrorAbort(state, "%s(): expected at least 6 args and an "
-                                 "even number, got %d",
-                          name, argc);
-    }
-
-    char* source_filename;
-    char* target_filename;
-    char* target_sha1;
-    char* target_size_str;
-    if (ReadArgs(state, argv, 4, &source_filename, &target_filename,
-                 &target_sha1, &target_size_str) < 0) {
-        return NULL;
-    }
-
-    char* endptr;
-    size_t target_size = strtol(target_size_str, &endptr, 10);
-    if (target_size == 0 && endptr == target_size_str) {
-        ErrorAbort(state, "%s(): can't parse \"%s\" as byte count",
-                   name, target_size_str);
-        free(source_filename);
-        free(target_filename);
-        free(target_sha1);
-        free(target_size_str);
-        return NULL;
-    }
-
-    int patchcount = (argc-4) / 2;
-    Value** patches = ReadValueVarArgs(state, argc-4, argv+4);
-
-    int i;
-    for (i = 0; i < patchcount; ++i) {
-        if (patches[i*2]->type != VAL_STRING) {
-            ErrorAbort(state, "%s(): sha-1 #%d is not string", name, i);
-            break;
-        }
-        if (patches[i*2+1]->type != VAL_BLOB) {
-            ErrorAbort(state, "%s(): patch #%d is not blob", name, i);
-            break;
-        }
-    }
-    if (i != patchcount) {
-        for (i = 0; i < patchcount*2; ++i) {
-            FreeValue(patches[i]);
-        }
-        free(patches);
-        return NULL;
-    }
-
-    char** patch_sha_str = malloc(patchcount * sizeof(char*));
-    for (i = 0; i < patchcount; ++i) {
-        patch_sha_str[i] = patches[i*2]->data;
-        patches[i*2]->data = NULL;
-        FreeValue(patches[i*2]);
-        patches[i] = patches[i*2+1];
-    }
-
-    int result = applypatch(source_filename, target_filename,
-                            target_sha1, target_size,
-                            patchcount, patch_sha_str, patches, NULL);
-
-    for (i = 0; i < patchcount; ++i) {
-        FreeValue(patches[i]);
-    }
-    free(patch_sha_str);
-    free(patches);
-
-    return StringValue(strdup(result == 0 ? "t" : ""));
-}
-
-// apply_patch_check(file, [sha1_1, ...])
-Value* ApplyPatchCheckFn(const char* name, State* state,
-                         int argc, Expr* argv[]) {
-    if (argc < 1) {
-        return ErrorAbort(state, "%s(): expected at least 1 arg, got %d",
-                          name, argc);
-    }
-
-    char* filename;
-    if (ReadArgs(state, argv, 1, &filename) < 0) {
-        return NULL;
-    }
-
-    int patchcount = argc-1;
-    char** sha1s = ReadVarArgs(state, argc-1, argv+1);
-
-    int result = applypatch_check(filename, patchcount, sha1s);
-
-    int i;
-    for (i = 0; i < patchcount; ++i) {
-        free(sha1s[i]);
-    }
-    free(sha1s);
-
-    return StringValue(strdup(result == 0 ? "t" : ""));
-}
-
-Value* UIPrintFn(const char* name, State* state, int argc, Expr* argv[]) {
-    char** args = ReadVarArgs(state, argc, argv);
-    if (args == NULL) {
-        return NULL;
-    }
-
-    int size = 0;
-    int i;
-    for (i = 0; i < argc; ++i) {
-        size += strlen(args[i]);
-    }
-    char* buffer = malloc(size+1);
-    size = 0;
-    for (i = 0; i < argc; ++i) {
-        strcpy(buffer+size, args[i]);
-        size += strlen(args[i]);
-        free(args[i]);
-    }
-    free(args);
-    buffer[size] = '\0';
-    uiPrint(state, buffer);
-    return StringValue(buffer);
-}
-
-Value* WipeCacheFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc != 0) {
-        return ErrorAbort(state, "%s() expects no args, got %d", name, argc);
-    }
-    fprintf(((UpdaterInfo*)(state->cookie))->cmd_pipe, "wipe_cache\n");
-    return StringValue(strdup("t"));
-}
-
-Value* RunProgramFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc < 1) {
-        return ErrorAbort(state, "%s() expects at least 1 arg", name);
-    }
-    char** args = ReadVarArgs(state, argc, argv);
-    if (args == NULL) {
-        return NULL;
-    }
-
-    char** args2 = malloc(sizeof(char*) * (argc+1));
-    memcpy(args2, args, sizeof(char*) * argc);
-    args2[argc] = NULL;
-
-    printf("about to run program [%s] with %d args\n", args2[0], argc);
-
-    pid_t child = fork();
-    if (child == 0) {
-        execv(args2[0], args2);
-        printf("run_program: execv failed: %s\n", strerror(errno));
-        _exit(1);
-    }
-    int status;
-    waitpid(child, &status, 0);
-    if (WIFEXITED(status)) {
-        if (WEXITSTATUS(status) != 0) {
-            printf("run_program: child exited with status %d\n",
-                    WEXITSTATUS(status));
-        }
-    } else if (WIFSIGNALED(status)) {
-        printf("run_program: child terminated by signal %d\n",
-                WTERMSIG(status));
-    }
-
-    int i;
-    for (i = 0; i < argc; ++i) {
-        free(args[i]);
-    }
-    free(args);
-    free(args2);
-
-    char buffer[20];
-    sprintf(buffer, "%d", status);
-
-    return StringValue(strdup(buffer));
-}
-
-// sha1_check(data)
-//    to return the sha1 of the data (given in the format returned by
-//    read_file).
-//
-// sha1_check(data, sha1_hex, [sha1_hex, ...])
-//    returns the sha1 of the file if it matches any of the hex
-//    strings passed, or "" if it does not equal any of them.
-//
-Value* Sha1CheckFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc < 1) {
-        return ErrorAbort(state, "%s() expects at least 1 arg", name);
-    }
-
-    Value** args = ReadValueVarArgs(state, argc, argv);
-    if (args == NULL) {
-        return NULL;
-    }
-
-    if (args[0]->size < 0) {
-        return StringValue(strdup(""));
-    }
-    uint8_t digest[SHA_DIGEST_SIZE];
-    SHA_hash(args[0]->data, args[0]->size, digest);
-    FreeValue(args[0]);
-
-    if (argc == 1) {
-        return StringValue(PrintSha1(digest));
-    }
-
-    int i;
-    uint8_t* arg_digest = malloc(SHA_DIGEST_SIZE);
-    for (i = 1; i < argc; ++i) {
-        if (args[i]->type != VAL_STRING) {
-            printf("%s(): arg %d is not a string; skipping",
-                    name, i);
-        } else if (ParseSha1(args[i]->data, arg_digest) != 0) {
-            // Warn about bad args and skip them.
-            printf("%s(): error parsing \"%s\" as sha-1; skipping",
-                   name, args[i]->data);
-        } else if (memcmp(digest, arg_digest, SHA_DIGEST_SIZE) == 0) {
-            break;
-        }
-        FreeValue(args[i]);
-    }
-    if (i >= argc) {
-        // Didn't match any of the hex strings; return false.
-        return StringValue(strdup(""));
-    }
-    // Found a match; free all the remaining arguments and return the
-    // matched one.
-    int j;
-    for (j = i+1; j < argc; ++j) {
-        FreeValue(args[j]);
-    }
-    return args[i];
-}
-
-// Read a local file and return its contents (the Value* returned
-// is actually a FileContents*).
-Value* ReadFileFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc != 1) {
-        return ErrorAbort(state, "%s() expects 1 arg, got %d", name, argc);
-    }
-    char* filename;
-    if (ReadArgs(state, argv, 1, &filename) < 0) return NULL;
-
-    Value* v = malloc(sizeof(Value));
-    v->type = VAL_BLOB;
-
-    FileContents fc;
-    if (LoadFileContents(filename, &fc) != 0) {
-        free(filename);
-        v->size = -1;
-        v->data = NULL;
-        free(fc.data);
-        return v;
-    }
-
-    v->size = fc.size;
-    v->data = (char*)fc.data;
-
-    free(filename);
-    return v;
-}
-
-// Immediately reboot the device.  Recovery is not finished normally,
-// so if you reboot into recovery it will re-start applying the
-// current package (because nothing has cleared the copy of the
-// arguments stored in the BCB).
-//
-// The argument is the partition name passed to the android reboot
-// property.  It can be "recovery" to boot from the recovery
-// partition, or "" (empty string) to boot from the regular boot
-// partition.
-Value* RebootNowFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc != 2) {
-        return ErrorAbort(state, "%s() expects 2 args, got %d", name, argc);
-    }
-
-    char* filename;
-    char* property;
-    if (ReadArgs(state, argv, 2, &filename, &property) < 0) return NULL;
-
-    char buffer[80];
-
-    // zero out the 'command' field of the bootloader message.
-    memset(buffer, 0, sizeof(((struct bootloader_message*)0)->command));
-    FILE* f = fopen(filename, "r+b");
-    fseek(f, offsetof(struct bootloader_message, command), SEEK_SET);
-    fwrite(buffer, sizeof(((struct bootloader_message*)0)->command), 1, f);
-    fclose(f);
-    free(filename);
-
-    strcpy(buffer, "reboot,");
-    if (property != NULL) {
-        strncat(buffer, property, sizeof(buffer)-10);
-    }
-
-    property_set(ANDROID_RB_PROPERTY, buffer);
-
-    sleep(5);
-    free(property);
-    ErrorAbort(state, "%s() failed to reboot", name);
-    return NULL;
-}
-
-// Store a string value somewhere that future invocations of recovery
-// can access it.  This value is called the "stage" and can be used to
-// drive packages that need to do reboots in the middle of
-// installation and keep track of where they are in the multi-stage
-// install.
-//
-// The first argument is the block device for the misc partition
-// ("/misc" in the fstab), which is where this value is stored.  The
-// second argument is the string to store; it should not exceed 31
-// bytes.
-Value* SetStageFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc != 2) {
-        return ErrorAbort(state, "%s() expects 2 args, got %d", name, argc);
-    }
-
-    char* filename;
-    char* stagestr;
-    if (ReadArgs(state, argv, 2, &filename, &stagestr) < 0) return NULL;
-
-    // Store this value in the misc partition, immediately after the
-    // bootloader message that the main recovery uses to save its
-    // arguments in case of the device restarting midway through
-    // package installation.
-    FILE* f = fopen(filename, "r+b");
-    fseek(f, offsetof(struct bootloader_message, stage), SEEK_SET);
-    int to_write = strlen(stagestr)+1;
-    int max_size = sizeof(((struct bootloader_message*)0)->stage);
-    if (to_write > max_size) {
-        to_write = max_size;
-        stagestr[max_size-1] = 0;
-    }
-    fwrite(stagestr, to_write, 1, f);
-    fclose(f);
-
-    free(stagestr);
-    return StringValue(filename);
-}
-
-// Return the value most recently saved with SetStageFn.  The argument
-// is the block device for the misc partition.
-Value* GetStageFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc != 1) {
-        return ErrorAbort(state, "%s() expects 1 arg, got %d", name, argc);
-    }
-
-    char* filename;
-    if (ReadArgs(state, argv, 1, &filename) < 0) return NULL;
-
-    char buffer[sizeof(((struct bootloader_message*)0)->stage)];
-    FILE* f = fopen(filename, "rb");
-    fseek(f, offsetof(struct bootloader_message, stage), SEEK_SET);
-    fread(buffer, sizeof(buffer), 1, f);
-    fclose(f);
-    buffer[sizeof(buffer)-1] = '\0';
-
-    return StringValue(strdup(buffer));
-}
-
-Value* WipeBlockDeviceFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc != 2) {
-        return ErrorAbort(state, "%s() expects 2 args, got %d", name, argc);
-    }
-
-    char* filename;
-    char* len_str;
-    if (ReadArgs(state, argv, 2, &filename, &len_str) < 0) return NULL;
-
-    size_t len = strtoull(len_str, NULL, 0);
-    int fd = open(filename, O_WRONLY, 0644);
-    int success = wipe_block_device(fd, len);
-
-    free(filename);
-    free(len_str);
-
-    close(fd);
-
-    return StringValue(strdup(success ? "t" : ""));
-}
-
-Value* EnableRebootFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc != 0) {
-        return ErrorAbort(state, "%s() expects no args, got %d", name, argc);
-    }
-    UpdaterInfo* ui = (UpdaterInfo*)(state->cookie);
-    fprintf(ui->cmd_pipe, "enable_reboot\n");
-    return StringValue(strdup("t"));
-}
-
-Value* Tune2FsFn(const char* name, State* state, int argc, Expr* argv[]) {
-    if (argc == 0) {
-        return ErrorAbort(state, "%s() expects args, got %d", name, argc);
-    }
-
-    char** args = ReadVarArgs(state, argc, argv);
-    if (args == NULL) {
-        return ErrorAbort(state, "%s() could not read args", name);
-    }
-
-    int i;
-    char** args2 = malloc(sizeof(char*) * (argc+1));
-    // Tune2fs expects the program name as its args[0]
-    args2[0] = strdup(name);
-    for (i = 0; i < argc; ++i) {
-       args2[i + 1] = args[i];
-    }
-    int result = tune2fs_main(argc + 1, args2);
-    for (i = 0; i < argc; ++i) {
-        free(args[i]);
-    }
-    free(args);
-
-    free(args2[0]);
-    free(args2);
-    if (result != 0) {
-        return ErrorAbort(state, "%s() returned error code %d", name, result);
-    }
-    return StringValue(strdup("t"));
-}
-
-void RegisterInstallFunctions() {
-    RegisterFunction("mount", MountFn);
-    RegisterFunction("is_mounted", IsMountedFn);
-    RegisterFunction("unmount", UnmountFn);
-    RegisterFunction("format", FormatFn);
-    RegisterFunction("show_progress", ShowProgressFn);
-    RegisterFunction("set_progress", SetProgressFn);
-    RegisterFunction("delete", DeleteFn);
-    RegisterFunction("delete_recursive", DeleteFn);
-    RegisterFunction("package_extract_dir", PackageExtractDirFn);
-    RegisterFunction("package_extract_file", PackageExtractFileFn);
-    RegisterFunction("symlink", SymlinkFn);
-
-    // Usage:
-    //   set_metadata("filename", "key1", "value1", "key2", "value2", ...)
-    // Example:
-    //   set_metadata("/system/bin/netcfg", "uid", 0, "gid", 3003, "mode", 02750, "selabel", "u:object_r:system_file:s0", "capabilities", 0x0);
-    RegisterFunction("set_metadata", SetMetadataFn);
-
-    // Usage:
-    //   set_metadata_recursive("dirname", "key1", "value1", "key2", "value2", ...)
-    // Example:
-    //   set_metadata_recursive("/system", "uid", 0, "gid", 0, "fmode", 0644, "dmode", 0755, "selabel", "u:object_r:system_file:s0", "capabilities", 0x0);
-    RegisterFunction("set_metadata_recursive", SetMetadataFn);
-
-    RegisterFunction("getprop", GetPropFn);
-    RegisterFunction("file_getprop", FileGetPropFn);
-    RegisterFunction("write_raw_image", WriteRawImageFn);
-
-    RegisterFunction("apply_patch", ApplyPatchFn);
-    RegisterFunction("apply_patch_check", ApplyPatchCheckFn);
-    RegisterFunction("apply_patch_space", ApplyPatchSpaceFn);
-
-    RegisterFunction("wipe_block_device", WipeBlockDeviceFn);
-
-    RegisterFunction("read_file", ReadFileFn);
-    RegisterFunction("sha1_check", Sha1CheckFn);
-    RegisterFunction("rename", RenameFn);
-
-    RegisterFunction("wipe_cache", WipeCacheFn);
-
-    RegisterFunction("ui_print", UIPrintFn);
-
-    RegisterFunction("run_program", RunProgramFn);
-
-    RegisterFunction("reboot_now", RebootNowFn);
-    RegisterFunction("get_stage", GetStageFn);
-    RegisterFunction("set_stage", SetStageFn);
-
-    RegisterFunction("enable_reboot", EnableRebootFn);
-    RegisterFunction("tune2fs", Tune2FsFn);
-}
diff --git a/updater/install.cpp b/updater/install.cpp
new file mode 100644
index 0000000..1a647df
--- /dev/null
+++ b/updater/install.cpp
@@ -0,0 +1,1643 @@
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <time.h>
+#include <selinux/selinux.h>
+#include <ftw.h>
+#include <sys/capability.h>
+#include <sys/xattr.h>
+#include <linux/xattr.h>
+#include <inttypes.h>
+
+#include <memory>
+#include <vector>
+
+#include <android-base/parseint.h>
+#include <android-base/strings.h>
+#include <android-base/stringprintf.h>
+
+#include "bootloader.h"
+#include "applypatch/applypatch.h"
+#include "cutils/android_reboot.h"
+#include "cutils/misc.h"
+#include "cutils/properties.h"
+#include "edify/expr.h"
+#include "error_code.h"
+#include "minzip/DirUtil.h"
+#include "mtdutils/mounts.h"
+#include "mtdutils/mtdutils.h"
+#include "openssl/sha.h"
+#include "ota_io.h"
+#include "updater.h"
+#include "install.h"
+#include "tune2fs.h"
+
+#ifdef USE_EXT4
+#include "make_ext4fs.h"
+#include "wipe.h"
+#endif
+
+// Send over the buffer to recovery though the command pipe.
+static void uiPrint(State* state, const std::string& buffer) {
+    UpdaterInfo* ui = reinterpret_cast<UpdaterInfo*>(state->cookie);
+
+    // "line1\nline2\n" will be split into 3 tokens: "line1", "line2" and "".
+    // So skip sending empty strings to UI.
+    std::vector<std::string> lines = android::base::Split(buffer, "\n");
+    for (auto& line: lines) {
+        if (!line.empty()) {
+            fprintf(ui->cmd_pipe, "ui_print %s\n", line.c_str());
+            fprintf(ui->cmd_pipe, "ui_print\n");
+        }
+    }
+
+    // On the updater side, we need to dump the contents to stderr (which has
+    // been redirected to the log file). Because the recovery will only print
+    // the contents to screen when processing pipe command ui_print.
+    fprintf(stderr, "%s", buffer.c_str());
+}
+
+__attribute__((__format__(printf, 2, 3))) __nonnull((2))
+void uiPrintf(State* state, const char* format, ...) {
+    std::string error_msg;
+
+    va_list ap;
+    va_start(ap, format);
+    android::base::StringAppendV(&error_msg, format, ap);
+    va_end(ap);
+
+    uiPrint(state, error_msg);
+}
+
+// Take a sha-1 digest and return it as a newly-allocated hex string.
+char* PrintSha1(const uint8_t* digest) {
+    char* buffer = reinterpret_cast<char*>(malloc(SHA_DIGEST_LENGTH*2 + 1));
+    const char* alphabet = "0123456789abcdef";
+    size_t i;
+    for (i = 0; i < SHA_DIGEST_LENGTH; ++i) {
+        buffer[i*2] = alphabet[(digest[i] >> 4) & 0xf];
+        buffer[i*2+1] = alphabet[digest[i] & 0xf];
+    }
+    buffer[i*2] = '\0';
+    return buffer;
+}
+
+// mount(fs_type, partition_type, location, mount_point)
+//
+//    fs_type="yaffs2" partition_type="MTD"     location=partition
+//    fs_type="ext4"   partition_type="EMMC"    location=device
+Value* MountFn(const char* name, State* state, int argc, Expr* argv[]) {
+    char* result = NULL;
+    if (argc != 4 && argc != 5) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 4-5 args, got %d", name, argc);
+    }
+    char* fs_type;
+    char* partition_type;
+    char* location;
+    char* mount_point;
+    char* mount_options;
+    bool has_mount_options;
+    if (argc == 5) {
+        has_mount_options = true;
+        if (ReadArgs(state, argv, 5, &fs_type, &partition_type,
+                 &location, &mount_point, &mount_options) < 0) {
+            return NULL;
+        }
+    } else {
+        has_mount_options = false;
+        if (ReadArgs(state, argv, 4, &fs_type, &partition_type,
+                 &location, &mount_point) < 0) {
+            return NULL;
+        }
+    }
+
+    if (strlen(fs_type) == 0) {
+        ErrorAbort(state, kArgsParsingFailure, "fs_type argument to %s() can't be empty", name);
+        goto done;
+    }
+    if (strlen(partition_type) == 0) {
+        ErrorAbort(state, kArgsParsingFailure, "partition_type argument to %s() can't be empty",
+                   name);
+        goto done;
+    }
+    if (strlen(location) == 0) {
+        ErrorAbort(state, kArgsParsingFailure, "location argument to %s() can't be empty", name);
+        goto done;
+    }
+    if (strlen(mount_point) == 0) {
+        ErrorAbort(state, kArgsParsingFailure, "mount_point argument to %s() can't be empty",
+                   name);
+        goto done;
+    }
+
+    {
+        char *secontext = NULL;
+
+        if (sehandle) {
+            selabel_lookup(sehandle, &secontext, mount_point, 0755);
+            setfscreatecon(secontext);
+        }
+
+        mkdir(mount_point, 0755);
+
+        if (secontext) {
+            freecon(secontext);
+            setfscreatecon(NULL);
+        }
+    }
+
+    if (strcmp(partition_type, "MTD") == 0) {
+        mtd_scan_partitions();
+        const MtdPartition* mtd;
+        mtd = mtd_find_partition_by_name(location);
+        if (mtd == NULL) {
+            uiPrintf(state, "%s: no mtd partition named \"%s\"\n",
+                    name, location);
+            result = strdup("");
+            goto done;
+        }
+        if (mtd_mount_partition(mtd, mount_point, fs_type, 0 /* rw */) != 0) {
+            uiPrintf(state, "mtd mount of %s failed: %s\n",
+                    location, strerror(errno));
+            result = strdup("");
+            goto done;
+        }
+        result = mount_point;
+    } else {
+        if (mount(location, mount_point, fs_type,
+                  MS_NOATIME | MS_NODEV | MS_NODIRATIME,
+                  has_mount_options ? mount_options : "") < 0) {
+            uiPrintf(state, "%s: failed to mount %s at %s: %s\n",
+                    name, location, mount_point, strerror(errno));
+            result = strdup("");
+        } else {
+            result = mount_point;
+        }
+    }
+
+done:
+    free(fs_type);
+    free(partition_type);
+    free(location);
+    if (result != mount_point) free(mount_point);
+    if (has_mount_options) free(mount_options);
+    return StringValue(result);
+}
+
+
+// is_mounted(mount_point)
+Value* IsMountedFn(const char* name, State* state, int argc, Expr* argv[]) {
+    char* result = NULL;
+    if (argc != 1) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 1 arg, got %d", name, argc);
+    }
+    char* mount_point;
+    if (ReadArgs(state, argv, 1, &mount_point) < 0) {
+        return NULL;
+    }
+    if (strlen(mount_point) == 0) {
+        ErrorAbort(state, kArgsParsingFailure, "mount_point argument to unmount() can't be empty");
+        goto done;
+    }
+
+    scan_mounted_volumes();
+    {
+        const MountedVolume* vol = find_mounted_volume_by_mount_point(mount_point);
+        if (vol == NULL) {
+            result = strdup("");
+        } else {
+            result = mount_point;
+        }
+    }
+
+done:
+    if (result != mount_point) free(mount_point);
+    return StringValue(result);
+}
+
+
+Value* UnmountFn(const char* name, State* state, int argc, Expr* argv[]) {
+    char* result = NULL;
+    if (argc != 1) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 1 arg, got %d", name, argc);
+    }
+    char* mount_point;
+    if (ReadArgs(state, argv, 1, &mount_point) < 0) {
+        return NULL;
+    }
+    if (strlen(mount_point) == 0) {
+        ErrorAbort(state, kArgsParsingFailure, "mount_point argument to unmount() can't be empty");
+        goto done;
+    }
+
+    scan_mounted_volumes();
+    {
+        const MountedVolume* vol = find_mounted_volume_by_mount_point(mount_point);
+        if (vol == NULL) {
+            uiPrintf(state, "unmount of %s failed; no such volume\n", mount_point);
+            result = strdup("");
+        } else {
+            int ret = unmount_mounted_volume(vol);
+            if (ret != 0) {
+                uiPrintf(state, "unmount of %s failed (%d): %s\n",
+                         mount_point, ret, strerror(errno));
+            }
+            result = mount_point;
+        }
+    }
+
+done:
+    if (result != mount_point) free(mount_point);
+    return StringValue(result);
+}
+
+static int exec_cmd(const char* path, char* const argv[]) {
+    int status;
+    pid_t child;
+    if ((child = vfork()) == 0) {
+        execv(path, argv);
+        _exit(-1);
+    }
+    waitpid(child, &status, 0);
+    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
+        printf("%s failed with status %d\n", path, WEXITSTATUS(status));
+    }
+    return WEXITSTATUS(status);
+}
+
+
+// format(fs_type, partition_type, location, fs_size, mount_point)
+//
+//    fs_type="yaffs2" partition_type="MTD"     location=partition fs_size=<bytes> mount_point=<location>
+//    fs_type="ext4"   partition_type="EMMC"    location=device    fs_size=<bytes> mount_point=<location>
+//    fs_type="f2fs"   partition_type="EMMC"    location=device    fs_size=<bytes> mount_point=<location>
+//    if fs_size == 0, then make fs uses the entire partition.
+//    if fs_size > 0, that is the size to use
+//    if fs_size < 0, then reserve that many bytes at the end of the partition (not for "f2fs")
+Value* FormatFn(const char* name, State* state, int argc, Expr* argv[]) {
+    char* result = NULL;
+    if (argc != 5) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 5 args, got %d", name, argc);
+    }
+    char* fs_type;
+    char* partition_type;
+    char* location;
+    char* fs_size;
+    char* mount_point;
+
+    if (ReadArgs(state, argv, 5, &fs_type, &partition_type, &location, &fs_size, &mount_point) < 0) {
+        return NULL;
+    }
+
+    if (strlen(fs_type) == 0) {
+        ErrorAbort(state, kArgsParsingFailure, "fs_type argument to %s() can't be empty", name);
+        goto done;
+    }
+    if (strlen(partition_type) == 0) {
+        ErrorAbort(state, kArgsParsingFailure, "partition_type argument to %s() can't be empty",
+                   name);
+        goto done;
+    }
+    if (strlen(location) == 0) {
+        ErrorAbort(state, kArgsParsingFailure, "location argument to %s() can't be empty", name);
+        goto done;
+    }
+
+    if (strlen(mount_point) == 0) {
+        ErrorAbort(state, kArgsParsingFailure, "mount_point argument to %s() can't be empty",
+                   name);
+        goto done;
+    }
+
+    if (strcmp(partition_type, "MTD") == 0) {
+        mtd_scan_partitions();
+        const MtdPartition* mtd = mtd_find_partition_by_name(location);
+        if (mtd == NULL) {
+            printf("%s: no mtd partition named \"%s\"",
+                    name, location);
+            result = strdup("");
+            goto done;
+        }
+        MtdWriteContext* ctx = mtd_write_partition(mtd);
+        if (ctx == NULL) {
+            printf("%s: can't write \"%s\"", name, location);
+            result = strdup("");
+            goto done;
+        }
+        if (mtd_erase_blocks(ctx, -1) == -1) {
+            mtd_write_close(ctx);
+            printf("%s: failed to erase \"%s\"", name, location);
+            result = strdup("");
+            goto done;
+        }
+        if (mtd_write_close(ctx) != 0) {
+            printf("%s: failed to close \"%s\"", name, location);
+            result = strdup("");
+            goto done;
+        }
+        result = location;
+#ifdef USE_EXT4
+    } else if (strcmp(fs_type, "ext4") == 0) {
+        int status = make_ext4fs(location, atoll(fs_size), mount_point, sehandle);
+        if (status != 0) {
+            printf("%s: make_ext4fs failed (%d) on %s",
+                    name, status, location);
+            result = strdup("");
+            goto done;
+        }
+        result = location;
+    } else if (strcmp(fs_type, "f2fs") == 0) {
+        char *num_sectors;
+        if (asprintf(&num_sectors, "%lld", atoll(fs_size) / 512) <= 0) {
+            printf("format_volume: failed to create %s command for %s\n", fs_type, location);
+            result = strdup("");
+            goto done;
+        }
+        const char *f2fs_path = "/sbin/mkfs.f2fs";
+        const char* const f2fs_argv[] = {"mkfs.f2fs", "-t", "-d1", location, num_sectors, NULL};
+        int status = exec_cmd(f2fs_path, (char* const*)f2fs_argv);
+        free(num_sectors);
+        if (status != 0) {
+            printf("%s: mkfs.f2fs failed (%d) on %s",
+                    name, status, location);
+            result = strdup("");
+            goto done;
+        }
+        result = location;
+#endif
+    } else {
+        printf("%s: unsupported fs_type \"%s\" partition_type \"%s\"",
+                name, fs_type, partition_type);
+    }
+
+done:
+    free(fs_type);
+    free(partition_type);
+    if (result != location) free(location);
+    return StringValue(result);
+}
+
+Value* RenameFn(const char* name, State* state, int argc, Expr* argv[]) {
+    char* result = NULL;
+    if (argc != 2) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 2 args, got %d", name, argc);
+    }
+
+    char* src_name;
+    char* dst_name;
+
+    if (ReadArgs(state, argv, 2, &src_name, &dst_name) < 0) {
+        return NULL;
+    }
+    if (strlen(src_name) == 0) {
+        ErrorAbort(state, kArgsParsingFailure, "src_name argument to %s() can't be empty", name);
+        goto done;
+    }
+    if (strlen(dst_name) == 0) {
+        ErrorAbort(state, kArgsParsingFailure, "dst_name argument to %s() can't be empty", name);
+        goto done;
+    }
+    if (make_parents(dst_name) != 0) {
+        ErrorAbort(state, kFileRenameFailure, "Creating parent of %s failed, error %s",
+          dst_name, strerror(errno));
+    } else if (access(dst_name, F_OK) == 0 && access(src_name, F_OK) != 0) {
+        // File was already moved
+        result = dst_name;
+    } else if (rename(src_name, dst_name) != 0) {
+        ErrorAbort(state, kFileRenameFailure, "Rename of %s to %s failed, error %s",
+          src_name, dst_name, strerror(errno));
+    } else {
+        result = dst_name;
+    }
+
+done:
+    free(src_name);
+    if (result != dst_name) free(dst_name);
+    return StringValue(result);
+}
+
+Value* DeleteFn(const char* name, State* state, int argc, Expr* argv[]) {
+    char** paths = reinterpret_cast<char**>(malloc(argc * sizeof(char*)));
+    for (int i = 0; i < argc; ++i) {
+        paths[i] = Evaluate(state, argv[i]);
+        if (paths[i] == NULL) {
+            for (int j = 0; j < i; ++j) {
+                free(paths[j]);
+            }
+            free(paths);
+            return NULL;
+        }
+    }
+
+    bool recursive = (strcmp(name, "delete_recursive") == 0);
+
+    int success = 0;
+    for (int i = 0; i < argc; ++i) {
+        if ((recursive ? dirUnlinkHierarchy(paths[i]) : unlink(paths[i])) == 0)
+            ++success;
+        free(paths[i]);
+    }
+    free(paths);
+
+    char buffer[10];
+    sprintf(buffer, "%d", success);
+    return StringValue(strdup(buffer));
+}
+
+
+Value* ShowProgressFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc != 2) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 2 args, got %d", name, argc);
+    }
+    char* frac_str;
+    char* sec_str;
+    if (ReadArgs(state, argv, 2, &frac_str, &sec_str) < 0) {
+        return NULL;
+    }
+
+    double frac = strtod(frac_str, NULL);
+    int sec;
+    android::base::ParseInt(sec_str, &sec);
+
+    UpdaterInfo* ui = (UpdaterInfo*)(state->cookie);
+    fprintf(ui->cmd_pipe, "progress %f %d\n", frac, sec);
+
+    free(sec_str);
+    return StringValue(frac_str);
+}
+
+Value* SetProgressFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc != 1) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 1 arg, got %d", name, argc);
+    }
+    char* frac_str;
+    if (ReadArgs(state, argv, 1, &frac_str) < 0) {
+        return NULL;
+    }
+
+    double frac = strtod(frac_str, NULL);
+
+    UpdaterInfo* ui = (UpdaterInfo*)(state->cookie);
+    fprintf(ui->cmd_pipe, "set_progress %f\n", frac);
+
+    return StringValue(frac_str);
+}
+
+// package_extract_dir(package_path, destination_path)
+Value* PackageExtractDirFn(const char* name, State* state,
+                          int argc, Expr* argv[]) {
+    if (argc != 2) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 2 args, got %d", name, argc);
+    }
+    char* zip_path;
+    char* dest_path;
+    if (ReadArgs(state, argv, 2, &zip_path, &dest_path) < 0) return NULL;
+
+    ZipArchive* za = ((UpdaterInfo*)(state->cookie))->package_zip;
+
+    // To create a consistent system image, never use the clock for timestamps.
+    struct utimbuf timestamp = { 1217592000, 1217592000 };  // 8/1/2008 default
+
+    bool success = mzExtractRecursive(za, zip_path, dest_path,
+                                      &timestamp,
+                                      NULL, NULL, sehandle);
+    free(zip_path);
+    free(dest_path);
+    return StringValue(strdup(success ? "t" : ""));
+}
+
+
+// package_extract_file(package_path, destination_path)
+//   or
+// package_extract_file(package_path)
+//   to return the entire contents of the file as the result of this
+//   function (the char* returned is actually a FileContents*).
+Value* PackageExtractFileFn(const char* name, State* state,
+                           int argc, Expr* argv[]) {
+    if (argc < 1 || argc > 2) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 1 or 2 args, got %d",
+                          name, argc);
+    }
+    bool success = false;
+
+    if (argc == 2) {
+        // The two-argument version extracts to a file.
+
+        ZipArchive* za = ((UpdaterInfo*)(state->cookie))->package_zip;
+
+        char* zip_path;
+        char* dest_path;
+        if (ReadArgs(state, argv, 2, &zip_path, &dest_path) < 0) return NULL;
+
+        const ZipEntry* entry = mzFindZipEntry(za, zip_path);
+        if (entry == NULL) {
+            printf("%s: no %s in package\n", name, zip_path);
+            goto done2;
+        }
+
+        {
+            int fd = TEMP_FAILURE_RETRY(ota_open(dest_path, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC,
+                  S_IRUSR | S_IWUSR));
+            if (fd == -1) {
+                printf("%s: can't open %s for write: %s\n", name, dest_path, strerror(errno));
+                goto done2;
+            }
+            success = mzExtractZipEntryToFile(za, entry, fd);
+            if (ota_fsync(fd) == -1) {
+                printf("fsync of \"%s\" failed: %s\n", dest_path, strerror(errno));
+                success = false;
+            }
+            if (ota_close(fd) == -1) {
+                printf("close of \"%s\" failed: %s\n", dest_path, strerror(errno));
+                success = false;
+            }
+        }
+
+      done2:
+        free(zip_path);
+        free(dest_path);
+        return StringValue(strdup(success ? "t" : ""));
+    } else {
+        // The one-argument version returns the contents of the file
+        // as the result.
+
+        char* zip_path;
+        if (ReadArgs(state, argv, 1, &zip_path) < 0) return NULL;
+
+        Value* v = reinterpret_cast<Value*>(malloc(sizeof(Value)));
+        v->type = VAL_BLOB;
+        v->size = -1;
+        v->data = NULL;
+
+        ZipArchive* za = ((UpdaterInfo*)(state->cookie))->package_zip;
+        const ZipEntry* entry = mzFindZipEntry(za, zip_path);
+        if (entry == NULL) {
+            printf("%s: no %s in package\n", name, zip_path);
+            goto done1;
+        }
+
+        v->size = mzGetZipEntryUncompLen(entry);
+        v->data = reinterpret_cast<char*>(malloc(v->size));
+        if (v->data == NULL) {
+            printf("%s: failed to allocate %ld bytes for %s\n",
+                    name, (long)v->size, zip_path);
+            goto done1;
+        }
+
+        success = mzExtractZipEntryToBuffer(za, entry,
+                                            (unsigned char *)v->data);
+
+      done1:
+        free(zip_path);
+        if (!success) {
+            free(v->data);
+            v->data = NULL;
+            v->size = -1;
+        }
+        return v;
+    }
+}
+
+// Create all parent directories of name, if necessary.
+static int make_parents(char* name) {
+    char* p;
+    for (p = name + (strlen(name)-1); p > name; --p) {
+        if (*p != '/') continue;
+        *p = '\0';
+        if (make_parents(name) < 0) return -1;
+        int result = mkdir(name, 0700);
+        if (result == 0) printf("created [%s]\n", name);
+        *p = '/';
+        if (result == 0 || errno == EEXIST) {
+            // successfully created or already existed; we're done
+            return 0;
+        } else {
+            printf("failed to mkdir %s: %s\n", name, strerror(errno));
+            return -1;
+        }
+    }
+    return 0;
+}
+
+// symlink target src1 src2 ...
+//    unlinks any previously existing src1, src2, etc before creating symlinks.
+Value* SymlinkFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc == 0) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 1+ args, got %d", name, argc);
+    }
+    char* target;
+    target = Evaluate(state, argv[0]);
+    if (target == NULL) return NULL;
+
+    char** srcs = ReadVarArgs(state, argc-1, argv+1);
+    if (srcs == NULL) {
+        free(target);
+        return NULL;
+    }
+
+    int bad = 0;
+    int i;
+    for (i = 0; i < argc-1; ++i) {
+        if (unlink(srcs[i]) < 0) {
+            if (errno != ENOENT) {
+                printf("%s: failed to remove %s: %s\n",
+                        name, srcs[i], strerror(errno));
+                ++bad;
+            }
+        }
+        if (make_parents(srcs[i])) {
+            printf("%s: failed to symlink %s to %s: making parents failed\n",
+                    name, srcs[i], target);
+            ++bad;
+        }
+        if (symlink(target, srcs[i]) < 0) {
+            printf("%s: failed to symlink %s to %s: %s\n",
+                    name, srcs[i], target, strerror(errno));
+            ++bad;
+        }
+        free(srcs[i]);
+    }
+    free(srcs);
+    if (bad) {
+        return ErrorAbort(state, kSymlinkFailure, "%s: some symlinks failed", name);
+    }
+    return StringValue(strdup(""));
+}
+
+struct perm_parsed_args {
+    bool has_uid;
+    uid_t uid;
+    bool has_gid;
+    gid_t gid;
+    bool has_mode;
+    mode_t mode;
+    bool has_fmode;
+    mode_t fmode;
+    bool has_dmode;
+    mode_t dmode;
+    bool has_selabel;
+    char* selabel;
+    bool has_capabilities;
+    uint64_t capabilities;
+};
+
+static struct perm_parsed_args ParsePermArgs(State * state, int argc, char** args) {
+    int i;
+    struct perm_parsed_args parsed;
+    int bad = 0;
+    static int max_warnings = 20;
+
+    memset(&parsed, 0, sizeof(parsed));
+
+    for (i = 1; i < argc; i += 2) {
+        if (strcmp("uid", args[i]) == 0) {
+            int64_t uid;
+            if (sscanf(args[i+1], "%" SCNd64, &uid) == 1) {
+                parsed.uid = uid;
+                parsed.has_uid = true;
+            } else {
+                uiPrintf(state, "ParsePermArgs: invalid UID \"%s\"\n", args[i + 1]);
+                bad++;
+            }
+            continue;
+        }
+        if (strcmp("gid", args[i]) == 0) {
+            int64_t gid;
+            if (sscanf(args[i+1], "%" SCNd64, &gid) == 1) {
+                parsed.gid = gid;
+                parsed.has_gid = true;
+            } else {
+                uiPrintf(state, "ParsePermArgs: invalid GID \"%s\"\n", args[i + 1]);
+                bad++;
+            }
+            continue;
+        }
+        if (strcmp("mode", args[i]) == 0) {
+            int32_t mode;
+            if (sscanf(args[i+1], "%" SCNi32, &mode) == 1) {
+                parsed.mode = mode;
+                parsed.has_mode = true;
+            } else {
+                uiPrintf(state, "ParsePermArgs: invalid mode \"%s\"\n", args[i + 1]);
+                bad++;
+            }
+            continue;
+        }
+        if (strcmp("dmode", args[i]) == 0) {
+            int32_t mode;
+            if (sscanf(args[i+1], "%" SCNi32, &mode) == 1) {
+                parsed.dmode = mode;
+                parsed.has_dmode = true;
+            } else {
+                uiPrintf(state, "ParsePermArgs: invalid dmode \"%s\"\n", args[i + 1]);
+                bad++;
+            }
+            continue;
+        }
+        if (strcmp("fmode", args[i]) == 0) {
+            int32_t mode;
+            if (sscanf(args[i+1], "%" SCNi32, &mode) == 1) {
+                parsed.fmode = mode;
+                parsed.has_fmode = true;
+            } else {
+                uiPrintf(state, "ParsePermArgs: invalid fmode \"%s\"\n", args[i + 1]);
+                bad++;
+            }
+            continue;
+        }
+        if (strcmp("capabilities", args[i]) == 0) {
+            int64_t capabilities;
+            if (sscanf(args[i+1], "%" SCNi64, &capabilities) == 1) {
+                parsed.capabilities = capabilities;
+                parsed.has_capabilities = true;
+            } else {
+                uiPrintf(state, "ParsePermArgs: invalid capabilities \"%s\"\n", args[i + 1]);
+                bad++;
+            }
+            continue;
+        }
+        if (strcmp("selabel", args[i]) == 0) {
+            if (args[i+1][0] != '\0') {
+                parsed.selabel = args[i+1];
+                parsed.has_selabel = true;
+            } else {
+                uiPrintf(state, "ParsePermArgs: invalid selabel \"%s\"\n", args[i + 1]);
+                bad++;
+            }
+            continue;
+        }
+        if (max_warnings != 0) {
+            printf("ParsedPermArgs: unknown key \"%s\", ignoring\n", args[i]);
+            max_warnings--;
+            if (max_warnings == 0) {
+                printf("ParsedPermArgs: suppressing further warnings\n");
+            }
+        }
+    }
+    return parsed;
+}
+
+static int ApplyParsedPerms(
+        State * state,
+        const char* filename,
+        const struct stat *statptr,
+        struct perm_parsed_args parsed)
+{
+    int bad = 0;
+
+    if (parsed.has_selabel) {
+        if (lsetfilecon(filename, parsed.selabel) != 0) {
+            uiPrintf(state, "ApplyParsedPerms: lsetfilecon of %s to %s failed: %s\n",
+                    filename, parsed.selabel, strerror(errno));
+            bad++;
+        }
+    }
+
+    /* ignore symlinks */
+    if (S_ISLNK(statptr->st_mode)) {
+        return bad;
+    }
+
+    if (parsed.has_uid) {
+        if (chown(filename, parsed.uid, -1) < 0) {
+            uiPrintf(state, "ApplyParsedPerms: chown of %s to %d failed: %s\n",
+                    filename, parsed.uid, strerror(errno));
+            bad++;
+        }
+    }
+
+    if (parsed.has_gid) {
+        if (chown(filename, -1, parsed.gid) < 0) {
+            uiPrintf(state, "ApplyParsedPerms: chgrp of %s to %d failed: %s\n",
+                    filename, parsed.gid, strerror(errno));
+            bad++;
+        }
+    }
+
+    if (parsed.has_mode) {
+        if (chmod(filename, parsed.mode) < 0) {
+            uiPrintf(state, "ApplyParsedPerms: chmod of %s to %d failed: %s\n",
+                    filename, parsed.mode, strerror(errno));
+            bad++;
+        }
+    }
+
+    if (parsed.has_dmode && S_ISDIR(statptr->st_mode)) {
+        if (chmod(filename, parsed.dmode) < 0) {
+            uiPrintf(state, "ApplyParsedPerms: chmod of %s to %d failed: %s\n",
+                    filename, parsed.dmode, strerror(errno));
+            bad++;
+        }
+    }
+
+    if (parsed.has_fmode && S_ISREG(statptr->st_mode)) {
+        if (chmod(filename, parsed.fmode) < 0) {
+            uiPrintf(state, "ApplyParsedPerms: chmod of %s to %d failed: %s\n",
+                   filename, parsed.fmode, strerror(errno));
+            bad++;
+        }
+    }
+
+    if (parsed.has_capabilities && S_ISREG(statptr->st_mode)) {
+        if (parsed.capabilities == 0) {
+            if ((removexattr(filename, XATTR_NAME_CAPS) == -1) && (errno != ENODATA)) {
+                // Report failure unless it's ENODATA (attribute not set)
+                uiPrintf(state, "ApplyParsedPerms: removexattr of %s to %" PRIx64 " failed: %s\n",
+                       filename, parsed.capabilities, strerror(errno));
+                bad++;
+            }
+        } else {
+            struct vfs_cap_data cap_data;
+            memset(&cap_data, 0, sizeof(cap_data));
+            cap_data.magic_etc = VFS_CAP_REVISION | VFS_CAP_FLAGS_EFFECTIVE;
+            cap_data.data[0].permitted = (uint32_t) (parsed.capabilities & 0xffffffff);
+            cap_data.data[0].inheritable = 0;
+            cap_data.data[1].permitted = (uint32_t) (parsed.capabilities >> 32);
+            cap_data.data[1].inheritable = 0;
+            if (setxattr(filename, XATTR_NAME_CAPS, &cap_data, sizeof(cap_data), 0) < 0) {
+                uiPrintf(state, "ApplyParsedPerms: setcap of %s to %" PRIx64 " failed: %s\n",
+                        filename, parsed.capabilities, strerror(errno));
+                bad++;
+            }
+        }
+    }
+
+    return bad;
+}
+
+// nftw doesn't allow us to pass along context, so we need to use
+// global variables.  *sigh*
+static struct perm_parsed_args recursive_parsed_args;
+static State* recursive_state;
+
+static int do_SetMetadataRecursive(const char* filename, const struct stat *statptr,
+        int fileflags, struct FTW *pfwt) {
+    return ApplyParsedPerms(recursive_state, filename, statptr, recursive_parsed_args);
+}
+
+static Value* SetMetadataFn(const char* name, State* state, int argc, Expr* argv[]) {
+    int bad = 0;
+    struct stat sb;
+    Value* result = NULL;
+
+    bool recursive = (strcmp(name, "set_metadata_recursive") == 0);
+
+    if ((argc % 2) != 1) {
+        return ErrorAbort(state, kArgsParsingFailure,
+                          "%s() expects an odd number of arguments, got %d", name, argc);
+    }
+
+    char** args = ReadVarArgs(state, argc, argv);
+    if (args == NULL) return NULL;
+
+    if (lstat(args[0], &sb) == -1) {
+        result = ErrorAbort(state, kSetMetadataFailure, "%s: Error on lstat of \"%s\": %s",
+                            name, args[0], strerror(errno));
+        goto done;
+    }
+
+    {
+        struct perm_parsed_args parsed = ParsePermArgs(state, argc, args);
+
+        if (recursive) {
+            recursive_parsed_args = parsed;
+            recursive_state = state;
+            bad += nftw(args[0], do_SetMetadataRecursive, 30, FTW_CHDIR | FTW_DEPTH | FTW_PHYS);
+            memset(&recursive_parsed_args, 0, sizeof(recursive_parsed_args));
+            recursive_state = NULL;
+        } else {
+            bad += ApplyParsedPerms(state, args[0], &sb, parsed);
+        }
+    }
+
+done:
+    for (int i = 0; i < argc; ++i) {
+        free(args[i]);
+    }
+    free(args);
+
+    if (result != NULL) {
+        return result;
+    }
+
+    if (bad > 0) {
+        return ErrorAbort(state, kSetMetadataFailure, "%s: some changes failed", name);
+    }
+
+    return StringValue(strdup(""));
+}
+
+Value* GetPropFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc != 1) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 1 arg, got %d", name, argc);
+    }
+    char* key = Evaluate(state, argv[0]);
+    if (key == NULL) return NULL;
+
+    char value[PROPERTY_VALUE_MAX];
+    property_get(key, value, "");
+    free(key);
+
+    return StringValue(strdup(value));
+}
+
+
+// file_getprop(file, key)
+//
+//   interprets 'file' as a getprop-style file (key=value pairs, one
+//   per line. # comment lines,blank lines, lines without '=' ignored),
+//   and returns the value for 'key' (or "" if it isn't defined).
+Value* FileGetPropFn(const char* name, State* state, int argc, Expr* argv[]) {
+    char* result = NULL;
+    char* buffer = NULL;
+    char* filename;
+    char* key;
+    if (ReadArgs(state, argv, 2, &filename, &key) < 0) {
+        return NULL;
+    }
+
+    struct stat st;
+    if (stat(filename, &st) < 0) {
+        ErrorAbort(state, kFileGetPropFailure, "%s: failed to stat \"%s\": %s", name, filename,
+                   strerror(errno));
+        goto done;
+    }
+
+#define MAX_FILE_GETPROP_SIZE    65536
+
+    if (st.st_size > MAX_FILE_GETPROP_SIZE) {
+        ErrorAbort(state, kFileGetPropFailure, "%s too large for %s (max %d)", filename, name,
+                   MAX_FILE_GETPROP_SIZE);
+        goto done;
+    }
+
+    buffer = reinterpret_cast<char*>(malloc(st.st_size+1));
+    if (buffer == NULL) {
+        ErrorAbort(state, kFileGetPropFailure, "%s: failed to alloc %lld bytes", name,
+                   (long long)st.st_size+1);
+        goto done;
+    }
+
+    FILE* f;
+    f = fopen(filename, "rb");
+    if (f == NULL) {
+        ErrorAbort(state, kFileOpenFailure, "%s: failed to open %s: %s", name, filename,
+                   strerror(errno));
+        goto done;
+    }
+
+    if (ota_fread(buffer, 1, st.st_size, f) != static_cast<size_t>(st.st_size)) {
+        ErrorAbort(state, kFreadFailure, "%s: failed to read %lld bytes from %s",
+                   name, (long long)st.st_size+1, filename);
+        fclose(f);
+        goto done;
+    }
+    buffer[st.st_size] = '\0';
+
+    fclose(f);
+
+    char* line;
+    line = strtok(buffer, "\n");
+    do {
+        // skip whitespace at start of line
+        while (*line && isspace(*line)) ++line;
+
+        // comment or blank line: skip to next line
+        if (*line == '\0' || *line == '#') continue;
+
+        char* equal = strchr(line, '=');
+        if (equal == NULL) {
+            continue;
+        }
+
+        // trim whitespace between key and '='
+        char* key_end = equal-1;
+        while (key_end > line && isspace(*key_end)) --key_end;
+        key_end[1] = '\0';
+
+        // not the key we're looking for
+        if (strcmp(key, line) != 0) continue;
+
+        // skip whitespace after the '=' to the start of the value
+        char* val_start = equal+1;
+        while(*val_start && isspace(*val_start)) ++val_start;
+
+        // trim trailing whitespace
+        char* val_end = val_start + strlen(val_start)-1;
+        while (val_end > val_start && isspace(*val_end)) --val_end;
+        val_end[1] = '\0';
+
+        result = strdup(val_start);
+        break;
+
+    } while ((line = strtok(NULL, "\n")));
+
+    if (result == NULL) result = strdup("");
+
+  done:
+    free(filename);
+    free(key);
+    free(buffer);
+    return StringValue(result);
+}
+
+// write_raw_image(filename_or_blob, partition)
+Value* WriteRawImageFn(const char* name, State* state, int argc, Expr* argv[]) {
+    char* result = NULL;
+
+    Value* partition_value;
+    Value* contents;
+    if (ReadValueArgs(state, argv, 2, &contents, &partition_value) < 0) {
+        return NULL;
+    }
+
+    char* partition = NULL;
+    if (partition_value->type != VAL_STRING) {
+        ErrorAbort(state, kArgsParsingFailure, "partition argument to %s must be string", name);
+        goto done;
+    }
+    partition = partition_value->data;
+    if (strlen(partition) == 0) {
+        ErrorAbort(state, kArgsParsingFailure, "partition argument to %s can't be empty", name);
+        goto done;
+    }
+    if (contents->type == VAL_STRING && strlen((char*) contents->data) == 0) {
+        ErrorAbort(state, kArgsParsingFailure, "file argument to %s can't be empty", name);
+        goto done;
+    }
+
+    mtd_scan_partitions();
+    const MtdPartition* mtd;
+    mtd = mtd_find_partition_by_name(partition);
+    if (mtd == NULL) {
+        printf("%s: no mtd partition named \"%s\"\n", name, partition);
+        result = strdup("");
+        goto done;
+    }
+
+    MtdWriteContext* ctx;
+    ctx = mtd_write_partition(mtd);
+    if (ctx == NULL) {
+        printf("%s: can't write mtd partition \"%s\"\n",
+                name, partition);
+        result = strdup("");
+        goto done;
+    }
+
+    bool success;
+
+    if (contents->type == VAL_STRING) {
+        // we're given a filename as the contents
+        char* filename = contents->data;
+        FILE* f = ota_fopen(filename, "rb");
+        if (f == NULL) {
+            printf("%s: can't open %s: %s\n", name, filename, strerror(errno));
+            result = strdup("");
+            goto done;
+        }
+
+        success = true;
+        char* buffer = reinterpret_cast<char*>(malloc(BUFSIZ));
+        int read;
+        while (success && (read = ota_fread(buffer, 1, BUFSIZ, f)) > 0) {
+            int wrote = mtd_write_data(ctx, buffer, read);
+            success = success && (wrote == read);
+        }
+        free(buffer);
+        ota_fclose(f);
+    } else {
+        // we're given a blob as the contents
+        ssize_t wrote = mtd_write_data(ctx, contents->data, contents->size);
+        success = (wrote == contents->size);
+    }
+    if (!success) {
+        printf("mtd_write_data to %s failed: %s\n",
+                partition, strerror(errno));
+    }
+
+    if (mtd_erase_blocks(ctx, -1) == -1) {
+        printf("%s: error erasing blocks of %s\n", name, partition);
+    }
+    if (mtd_write_close(ctx) != 0) {
+        printf("%s: error closing write of %s\n", name, partition);
+    }
+
+    printf("%s %s partition\n",
+           success ? "wrote" : "failed to write", partition);
+
+    result = success ? partition : strdup("");
+
+done:
+    if (result != partition) FreeValue(partition_value);
+    FreeValue(contents);
+    return StringValue(result);
+}
+
+// apply_patch_space(bytes)
+Value* ApplyPatchSpaceFn(const char* name, State* state,
+                         int argc, Expr* argv[]) {
+    char* bytes_str;
+    if (ReadArgs(state, argv, 1, &bytes_str) < 0) {
+        return NULL;
+    }
+
+    size_t bytes;
+    if (!android::base::ParseUint(bytes_str, &bytes)) {
+        ErrorAbort(state, kArgsParsingFailure, "%s(): can't parse \"%s\" as byte count\n\n",
+                   name, bytes_str);
+        free(bytes_str);
+        return nullptr;
+    }
+
+    return StringValue(strdup(CacheSizeCheck(bytes) ? "" : "t"));
+}
+
+// apply_patch(file, size, init_sha1, tgt_sha1, patch)
+
+Value* ApplyPatchFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc < 6 || (argc % 2) == 1) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s(): expected at least 6 args and an "
+                                 "even number, got %d", name, argc);
+    }
+
+    char* source_filename;
+    char* target_filename;
+    char* target_sha1;
+    char* target_size_str;
+    if (ReadArgs(state, argv, 4, &source_filename, &target_filename,
+                 &target_sha1, &target_size_str) < 0) {
+        return NULL;
+    }
+
+    size_t target_size;
+    if (!android::base::ParseUint(target_size_str, &target_size)) {
+        ErrorAbort(state, kArgsParsingFailure, "%s(): can't parse \"%s\" as byte count",
+                   name, target_size_str);
+        free(source_filename);
+        free(target_filename);
+        free(target_sha1);
+        free(target_size_str);
+        return nullptr;
+    }
+
+    int patchcount = (argc-4) / 2;
+    std::unique_ptr<Value*, decltype(&free)> arg_values(ReadValueVarArgs(state, argc-4, argv+4),
+                                                        free);
+    if (!arg_values) {
+        return nullptr;
+    }
+    std::vector<std::unique_ptr<Value, decltype(&FreeValue)>> patch_shas;
+    std::vector<std::unique_ptr<Value, decltype(&FreeValue)>> patches;
+    // Protect values by unique_ptrs first to get rid of memory leak.
+    for (int i = 0; i < patchcount * 2; i += 2) {
+        patch_shas.emplace_back(arg_values.get()[i], FreeValue);
+        patches.emplace_back(arg_values.get()[i+1], FreeValue);
+    }
+
+    for (int i = 0; i < patchcount; ++i) {
+        if (patch_shas[i]->type != VAL_STRING) {
+            ErrorAbort(state, kArgsParsingFailure, "%s(): sha-1 #%d is not string", name, i);
+            return nullptr;
+        }
+        if (patches[i]->type != VAL_BLOB) {
+            ErrorAbort(state, kArgsParsingFailure, "%s(): patch #%d is not blob", name, i);
+            return nullptr;
+        }
+    }
+
+    std::vector<char*> patch_sha_str;
+    std::vector<Value*> patch_ptrs;
+    for (int i = 0; i < patchcount; ++i) {
+        patch_sha_str.push_back(patch_shas[i]->data);
+        patch_ptrs.push_back(patches[i].get());
+    }
+
+    int result = applypatch(source_filename, target_filename,
+                            target_sha1, target_size,
+                            patchcount, patch_sha_str.data(), patch_ptrs.data(), NULL);
+
+    return StringValue(strdup(result == 0 ? "t" : ""));
+}
+
+// apply_patch_check(file, [sha1_1, ...])
+Value* ApplyPatchCheckFn(const char* name, State* state,
+                         int argc, Expr* argv[]) {
+    if (argc < 1) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s(): expected at least 1 arg, got %d",
+                          name, argc);
+    }
+
+    char* filename;
+    if (ReadArgs(state, argv, 1, &filename) < 0) {
+        return NULL;
+    }
+
+    int patchcount = argc-1;
+    char** sha1s = ReadVarArgs(state, argc-1, argv+1);
+
+    int result = applypatch_check(filename, patchcount, sha1s);
+
+    int i;
+    for (i = 0; i < patchcount; ++i) {
+        free(sha1s[i]);
+    }
+    free(sha1s);
+
+    return StringValue(strdup(result == 0 ? "t" : ""));
+}
+
+// This is the updater side handler for ui_print() in edify script. Contents
+// will be sent over to the recovery side for on-screen display.
+Value* UIPrintFn(const char* name, State* state, int argc, Expr* argv[]) {
+    char** args = ReadVarArgs(state, argc, argv);
+    if (args == NULL) {
+        return NULL;
+    }
+
+    std::string buffer;
+    for (int i = 0; i < argc; ++i) {
+        buffer += args[i];
+        free(args[i]);
+    }
+    free(args);
+
+    buffer += "\n";
+    uiPrint(state, buffer);
+    return StringValue(strdup(buffer.c_str()));
+}
+
+Value* WipeCacheFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc != 0) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects no args, got %d", name, argc);
+    }
+    fprintf(((UpdaterInfo*)(state->cookie))->cmd_pipe, "wipe_cache\n");
+    return StringValue(strdup("t"));
+}
+
+Value* RunProgramFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc < 1) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects at least 1 arg", name);
+    }
+    char** args = ReadVarArgs(state, argc, argv);
+    if (args == NULL) {
+        return NULL;
+    }
+
+    char** args2 = reinterpret_cast<char**>(malloc(sizeof(char*) * (argc+1)));
+    memcpy(args2, args, sizeof(char*) * argc);
+    args2[argc] = NULL;
+
+    printf("about to run program [%s] with %d args\n", args2[0], argc);
+
+    pid_t child = fork();
+    if (child == 0) {
+        execv(args2[0], args2);
+        printf("run_program: execv failed: %s\n", strerror(errno));
+        _exit(1);
+    }
+    int status;
+    waitpid(child, &status, 0);
+    if (WIFEXITED(status)) {
+        if (WEXITSTATUS(status) != 0) {
+            printf("run_program: child exited with status %d\n",
+                    WEXITSTATUS(status));
+        }
+    } else if (WIFSIGNALED(status)) {
+        printf("run_program: child terminated by signal %d\n",
+                WTERMSIG(status));
+    }
+
+    int i;
+    for (i = 0; i < argc; ++i) {
+        free(args[i]);
+    }
+    free(args);
+    free(args2);
+
+    char buffer[20];
+    sprintf(buffer, "%d", status);
+
+    return StringValue(strdup(buffer));
+}
+
+// sha1_check(data)
+//    to return the sha1 of the data (given in the format returned by
+//    read_file).
+//
+// sha1_check(data, sha1_hex, [sha1_hex, ...])
+//    returns the sha1 of the file if it matches any of the hex
+//    strings passed, or "" if it does not equal any of them.
+//
+Value* Sha1CheckFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc < 1) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects at least 1 arg", name);
+    }
+
+    std::unique_ptr<Value*, decltype(&free)> arg_values(ReadValueVarArgs(state, argc, argv), free);
+    if (arg_values == nullptr) {
+        return nullptr;
+    }
+    std::vector<std::unique_ptr<Value, decltype(&FreeValue)>> args;
+    for (int i = 0; i < argc; ++i) {
+        args.emplace_back(arg_values.get()[i], FreeValue);
+    }
+
+    if (args[0]->size < 0) {
+        return StringValue(strdup(""));
+    }
+    uint8_t digest[SHA_DIGEST_LENGTH];
+    SHA1(reinterpret_cast<uint8_t*>(args[0]->data), args[0]->size, digest);
+
+    if (argc == 1) {
+        return StringValue(PrintSha1(digest));
+    }
+
+    int i;
+    uint8_t arg_digest[SHA_DIGEST_LENGTH];
+    for (i = 1; i < argc; ++i) {
+        if (args[i]->type != VAL_STRING) {
+            printf("%s(): arg %d is not a string; skipping",
+                    name, i);
+        } else if (ParseSha1(args[i]->data, arg_digest) != 0) {
+            // Warn about bad args and skip them.
+            printf("%s(): error parsing \"%s\" as sha-1; skipping",
+                   name, args[i]->data);
+        } else if (memcmp(digest, arg_digest, SHA_DIGEST_LENGTH) == 0) {
+            break;
+        }
+    }
+    if (i >= argc) {
+        // Didn't match any of the hex strings; return false.
+        return StringValue(strdup(""));
+    }
+    // Found a match.
+    return args[i].release();
+}
+
+// Read a local file and return its contents (the Value* returned
+// is actually a FileContents*).
+Value* ReadFileFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc != 1) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 1 arg, got %d", name, argc);
+    }
+    char* filename;
+    if (ReadArgs(state, argv, 1, &filename) < 0) return NULL;
+
+    Value* v = static_cast<Value*>(malloc(sizeof(Value)));
+    if (v == nullptr) {
+        return nullptr;
+    }
+    v->type = VAL_BLOB;
+    v->size = -1;
+    v->data = nullptr;
+
+    FileContents fc;
+    if (LoadFileContents(filename, &fc) != 0) {
+        v->data = static_cast<char*>(malloc(fc.data.size()));
+        if (v->data != nullptr) {
+            memcpy(v->data, fc.data.data(), fc.data.size());
+            v->size = fc.data.size();
+        }
+    }
+    free(filename);
+    return v;
+}
+
+// Immediately reboot the device.  Recovery is not finished normally,
+// so if you reboot into recovery it will re-start applying the
+// current package (because nothing has cleared the copy of the
+// arguments stored in the BCB).
+//
+// The argument is the partition name passed to the android reboot
+// property.  It can be "recovery" to boot from the recovery
+// partition, or "" (empty string) to boot from the regular boot
+// partition.
+Value* RebootNowFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc != 2) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 2 args, got %d", name, argc);
+    }
+
+    char* filename;
+    char* property;
+    if (ReadArgs(state, argv, 2, &filename, &property) < 0) return NULL;
+
+    char buffer[80];
+
+    // zero out the 'command' field of the bootloader message.
+    memset(buffer, 0, sizeof(((struct bootloader_message*)0)->command));
+    FILE* f = fopen(filename, "r+b");
+    fseek(f, offsetof(struct bootloader_message, command), SEEK_SET);
+    ota_fwrite(buffer, sizeof(((struct bootloader_message*)0)->command), 1, f);
+    fclose(f);
+    free(filename);
+
+    strcpy(buffer, "reboot,");
+    if (property != NULL) {
+        strncat(buffer, property, sizeof(buffer)-10);
+    }
+
+    property_set(ANDROID_RB_PROPERTY, buffer);
+
+    sleep(5);
+    free(property);
+    ErrorAbort(state, kRebootFailure, "%s() failed to reboot", name);
+    return NULL;
+}
+
+// Store a string value somewhere that future invocations of recovery
+// can access it.  This value is called the "stage" and can be used to
+// drive packages that need to do reboots in the middle of
+// installation and keep track of where they are in the multi-stage
+// install.
+//
+// The first argument is the block device for the misc partition
+// ("/misc" in the fstab), which is where this value is stored.  The
+// second argument is the string to store; it should not exceed 31
+// bytes.
+Value* SetStageFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc != 2) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 2 args, got %d", name, argc);
+    }
+
+    char* filename;
+    char* stagestr;
+    if (ReadArgs(state, argv, 2, &filename, &stagestr) < 0) return NULL;
+
+    // Store this value in the misc partition, immediately after the
+    // bootloader message that the main recovery uses to save its
+    // arguments in case of the device restarting midway through
+    // package installation.
+    FILE* f = fopen(filename, "r+b");
+    fseek(f, offsetof(struct bootloader_message, stage), SEEK_SET);
+    int to_write = strlen(stagestr)+1;
+    int max_size = sizeof(((struct bootloader_message*)0)->stage);
+    if (to_write > max_size) {
+        to_write = max_size;
+        stagestr[max_size-1] = 0;
+    }
+    ota_fwrite(stagestr, to_write, 1, f);
+    fclose(f);
+
+    free(stagestr);
+    return StringValue(filename);
+}
+
+// Return the value most recently saved with SetStageFn.  The argument
+// is the block device for the misc partition.
+Value* GetStageFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc != 1) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 1 arg, got %d", name, argc);
+    }
+
+    char* filename;
+    if (ReadArgs(state, argv, 1, &filename) < 0) return NULL;
+
+    char buffer[sizeof(((struct bootloader_message*)0)->stage)];
+    FILE* f = fopen(filename, "rb");
+    fseek(f, offsetof(struct bootloader_message, stage), SEEK_SET);
+    ota_fread(buffer, sizeof(buffer), 1, f);
+    fclose(f);
+    buffer[sizeof(buffer)-1] = '\0';
+
+    return StringValue(strdup(buffer));
+}
+
+Value* WipeBlockDeviceFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc != 2) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects 2 args, got %d", name, argc);
+    }
+
+    char* filename;
+    char* len_str;
+    if (ReadArgs(state, argv, 2, &filename, &len_str) < 0) return NULL;
+
+    size_t len;
+    android::base::ParseUint(len_str, &len);
+    int fd = ota_open(filename, O_WRONLY, 0644);
+    int success = wipe_block_device(fd, len);
+
+    free(filename);
+    free(len_str);
+
+    ota_close(fd);
+
+    return StringValue(strdup(success ? "t" : ""));
+}
+
+Value* EnableRebootFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc != 0) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects no args, got %d", name, argc);
+    }
+    UpdaterInfo* ui = (UpdaterInfo*)(state->cookie);
+    fprintf(ui->cmd_pipe, "enable_reboot\n");
+    return StringValue(strdup("t"));
+}
+
+Value* Tune2FsFn(const char* name, State* state, int argc, Expr* argv[]) {
+    if (argc == 0) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() expects args, got %d", name, argc);
+    }
+
+    char** args = ReadVarArgs(state, argc, argv);
+    if (args == NULL) {
+        return ErrorAbort(state, kArgsParsingFailure, "%s() could not read args", name);
+    }
+
+    char** args2 = reinterpret_cast<char**>(malloc(sizeof(char*) * (argc+1)));
+    // Tune2fs expects the program name as its args[0]
+    args2[0] = strdup(name);
+    for (int i = 0; i < argc; ++i) {
+       args2[i + 1] = args[i];
+    }
+    int result = tune2fs_main(argc + 1, args2);
+    for (int i = 0; i < argc; ++i) {
+        free(args[i]);
+    }
+    free(args);
+
+    free(args2[0]);
+    free(args2);
+    if (result != 0) {
+        return ErrorAbort(state, kTune2FsFailure, "%s() returned error code %d",
+                          name, result);
+    }
+    return StringValue(strdup("t"));
+}
+
+void RegisterInstallFunctions() {
+    RegisterFunction("mount", MountFn);
+    RegisterFunction("is_mounted", IsMountedFn);
+    RegisterFunction("unmount", UnmountFn);
+    RegisterFunction("format", FormatFn);
+    RegisterFunction("show_progress", ShowProgressFn);
+    RegisterFunction("set_progress", SetProgressFn);
+    RegisterFunction("delete", DeleteFn);
+    RegisterFunction("delete_recursive", DeleteFn);
+    RegisterFunction("package_extract_dir", PackageExtractDirFn);
+    RegisterFunction("package_extract_file", PackageExtractFileFn);
+    RegisterFunction("symlink", SymlinkFn);
+
+    // Usage:
+    //   set_metadata("filename", "key1", "value1", "key2", "value2", ...)
+    // Example:
+    //   set_metadata("/system/bin/netcfg", "uid", 0, "gid", 3003, "mode", 02750, "selabel", "u:object_r:system_file:s0", "capabilities", 0x0);
+    RegisterFunction("set_metadata", SetMetadataFn);
+
+    // Usage:
+    //   set_metadata_recursive("dirname", "key1", "value1", "key2", "value2", ...)
+    // Example:
+    //   set_metadata_recursive("/system", "uid", 0, "gid", 0, "fmode", 0644, "dmode", 0755, "selabel", "u:object_r:system_file:s0", "capabilities", 0x0);
+    RegisterFunction("set_metadata_recursive", SetMetadataFn);
+
+    RegisterFunction("getprop", GetPropFn);
+    RegisterFunction("file_getprop", FileGetPropFn);
+    RegisterFunction("write_raw_image", WriteRawImageFn);
+
+    RegisterFunction("apply_patch", ApplyPatchFn);
+    RegisterFunction("apply_patch_check", ApplyPatchCheckFn);
+    RegisterFunction("apply_patch_space", ApplyPatchSpaceFn);
+
+    RegisterFunction("wipe_block_device", WipeBlockDeviceFn);
+
+    RegisterFunction("read_file", ReadFileFn);
+    RegisterFunction("sha1_check", Sha1CheckFn);
+    RegisterFunction("rename", RenameFn);
+
+    RegisterFunction("wipe_cache", WipeCacheFn);
+
+    RegisterFunction("ui_print", UIPrintFn);
+
+    RegisterFunction("run_program", RunProgramFn);
+
+    RegisterFunction("reboot_now", RebootNowFn);
+    RegisterFunction("get_stage", GetStageFn);
+    RegisterFunction("set_stage", SetStageFn);
+
+    RegisterFunction("enable_reboot", EnableRebootFn);
+    RegisterFunction("tune2fs", Tune2FsFn);
+}
diff --git a/updater/install.h b/updater/install.h
index 659c8b4..70e3434 100644
--- a/updater/install.h
+++ b/updater/install.h
@@ -19,6 +19,9 @@
 
 void RegisterInstallFunctions();
 
+// uiPrintf function prints msg to screen as well as logs
+void uiPrintf(State* state, const char* format, ...);
+
 static int make_parents(char* name);
 
 #endif
diff --git a/updater/updater.c b/updater/updater.c
deleted file mode 100644
index 661f695..0000000
--- a/updater/updater.c
+++ /dev/null
@@ -1,169 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "edify/expr.h"
-#include "updater.h"
-#include "install.h"
-#include "blockimg.h"
-#include "minzip/Zip.h"
-#include "minzip/SysUtil.h"
-
-// Generated by the makefile, this function defines the
-// RegisterDeviceExtensions() function, which calls all the
-// registration functions for device-specific extensions.
-#include "register.inc"
-
-// Where in the package we expect to find the edify script to execute.
-// (Note it's "updateR-script", not the older "update-script".)
-#define SCRIPT_NAME "META-INF/com/google/android/updater-script"
-
-struct selabel_handle *sehandle;
-
-int main(int argc, char** argv) {
-    // Various things log information to stdout or stderr more or less
-    // at random (though we've tried to standardize on stdout).  The
-    // log file makes more sense if buffering is turned off so things
-    // appear in the right order.
-    setbuf(stdout, NULL);
-    setbuf(stderr, NULL);
-
-    if (argc != 4) {
-        printf("unexpected number of arguments (%d)\n", argc);
-        return 1;
-    }
-
-    char* version = argv[1];
-    if ((version[0] != '1' && version[0] != '2' && version[0] != '3') ||
-        version[1] != '\0') {
-        // We support version 1, 2, or 3.
-        printf("wrong updater binary API; expected 1, 2, or 3; "
-                        "got %s\n",
-                argv[1]);
-        return 2;
-    }
-
-    // Set up the pipe for sending commands back to the parent process.
-
-    int fd = atoi(argv[2]);
-    FILE* cmd_pipe = fdopen(fd, "wb");
-    setlinebuf(cmd_pipe);
-
-    // Extract the script from the package.
-
-    const char* package_filename = argv[3];
-    MemMapping map;
-    if (sysMapFile(package_filename, &map) != 0) {
-        printf("failed to map package %s\n", argv[3]);
-        return 3;
-    }
-    ZipArchive za;
-    int err;
-    err = mzOpenZipArchive(map.addr, map.length, &za);
-    if (err != 0) {
-        printf("failed to open package %s: %s\n",
-               argv[3], strerror(err));
-        return 3;
-    }
-
-    const ZipEntry* script_entry = mzFindZipEntry(&za, SCRIPT_NAME);
-    if (script_entry == NULL) {
-        printf("failed to find %s in %s\n", SCRIPT_NAME, package_filename);
-        return 4;
-    }
-
-    char* script = malloc(script_entry->uncompLen+1);
-    if (!mzReadZipEntry(&za, script_entry, script, script_entry->uncompLen)) {
-        printf("failed to read script from package\n");
-        return 5;
-    }
-    script[script_entry->uncompLen] = '\0';
-
-    // Configure edify's functions.
-
-    RegisterBuiltins();
-    RegisterInstallFunctions();
-    RegisterBlockImageFunctions();
-    RegisterDeviceExtensions();
-    FinishRegistration();
-
-    // Parse the script.
-
-    Expr* root;
-    int error_count = 0;
-    int error = parse_string(script, &root, &error_count);
-    if (error != 0 || error_count > 0) {
-        printf("%d parse errors\n", error_count);
-        return 6;
-    }
-
-    struct selinux_opt seopts[] = {
-      { SELABEL_OPT_PATH, "/file_contexts" }
-    };
-
-    sehandle = selabel_open(SELABEL_CTX_FILE, seopts, 1);
-
-    if (!sehandle) {
-        fprintf(cmd_pipe, "ui_print Warning: No file_contexts\n");
-    }
-
-    // Evaluate the parsed script.
-
-    UpdaterInfo updater_info;
-    updater_info.cmd_pipe = cmd_pipe;
-    updater_info.package_zip = &za;
-    updater_info.version = atoi(version);
-    updater_info.package_zip_addr = map.addr;
-    updater_info.package_zip_len = map.length;
-
-    State state;
-    state.cookie = &updater_info;
-    state.script = script;
-    state.errmsg = NULL;
-
-    char* result = Evaluate(&state, root);
-    if (result == NULL) {
-        if (state.errmsg == NULL) {
-            printf("script aborted (no error message)\n");
-            fprintf(cmd_pipe, "ui_print script aborted (no error message)\n");
-        } else {
-            printf("script aborted: %s\n", state.errmsg);
-            char* line = strtok(state.errmsg, "\n");
-            while (line) {
-                fprintf(cmd_pipe, "ui_print %s\n", line);
-                line = strtok(NULL, "\n");
-            }
-            fprintf(cmd_pipe, "ui_print\n");
-        }
-        free(state.errmsg);
-        return 7;
-    } else {
-        fprintf(cmd_pipe, "ui_print script succeeded: result was [%s]\n", result);
-        free(result);
-    }
-
-    if (updater_info.package_zip) {
-        mzCloseZipArchive(updater_info.package_zip);
-    }
-    sysReleaseMap(&map);
-    free(script);
-
-    return 0;
-}
diff --git a/updater/updater.cpp b/updater/updater.cpp
new file mode 100644
index 0000000..e956dd5
--- /dev/null
+++ b/updater/updater.cpp
@@ -0,0 +1,203 @@
+/*
+ * Copyright (C) 2009 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "edify/expr.h"
+#include "updater.h"
+#include "install.h"
+#include "blockimg.h"
+#include "minzip/Zip.h"
+#include "minzip/SysUtil.h"
+#include "config.h"
+
+// Generated by the makefile, this function defines the
+// RegisterDeviceExtensions() function, which calls all the
+// registration functions for device-specific extensions.
+#include "register.inc"
+
+// Where in the package we expect to find the edify script to execute.
+// (Note it's "updateR-script", not the older "update-script".)
+#define SCRIPT_NAME "META-INF/com/google/android/updater-script"
+
+extern bool have_eio_error;
+
+struct selabel_handle *sehandle;
+
+int main(int argc, char** argv) {
+    // Various things log information to stdout or stderr more or less
+    // at random (though we've tried to standardize on stdout).  The
+    // log file makes more sense if buffering is turned off so things
+    // appear in the right order.
+    setbuf(stdout, NULL);
+    setbuf(stderr, NULL);
+
+    if (argc != 4 && argc != 5) {
+        printf("unexpected number of arguments (%d)\n", argc);
+        return 1;
+    }
+
+    char* version = argv[1];
+    if ((version[0] != '1' && version[0] != '2' && version[0] != '3') ||
+        version[1] != '\0') {
+        // We support version 1, 2, or 3.
+        printf("wrong updater binary API; expected 1, 2, or 3; "
+                        "got %s\n",
+                argv[1]);
+        return 2;
+    }
+
+    // Set up the pipe for sending commands back to the parent process.
+
+    int fd = atoi(argv[2]);
+    FILE* cmd_pipe = fdopen(fd, "wb");
+    setlinebuf(cmd_pipe);
+
+    // Extract the script from the package.
+
+    const char* package_filename = argv[3];
+    MemMapping map;
+    if (sysMapFile(package_filename, &map) != 0) {
+        printf("failed to map package %s\n", argv[3]);
+        return 3;
+    }
+    ZipArchive za;
+    int err;
+    err = mzOpenZipArchive(map.addr, map.length, &za);
+    if (err != 0) {
+        printf("failed to open package %s: %s\n",
+               argv[3], strerror(err));
+        return 3;
+    }
+    ota_io_init(&za);
+
+    const ZipEntry* script_entry = mzFindZipEntry(&za, SCRIPT_NAME);
+    if (script_entry == NULL) {
+        printf("failed to find %s in %s\n", SCRIPT_NAME, package_filename);
+        return 4;
+    }
+
+    char* script = reinterpret_cast<char*>(malloc(script_entry->uncompLen+1));
+    if (!mzReadZipEntry(&za, script_entry, script, script_entry->uncompLen)) {
+        printf("failed to read script from package\n");
+        return 5;
+    }
+    script[script_entry->uncompLen] = '\0';
+
+    // Configure edify's functions.
+
+    RegisterBuiltins();
+    RegisterInstallFunctions();
+    RegisterBlockImageFunctions();
+    RegisterDeviceExtensions();
+    FinishRegistration();
+
+    // Parse the script.
+
+    Expr* root;
+    int error_count = 0;
+    int error = parse_string(script, &root, &error_count);
+    if (error != 0 || error_count > 0) {
+        printf("%d parse errors\n", error_count);
+        return 6;
+    }
+
+    struct selinux_opt seopts[] = {
+      { SELABEL_OPT_PATH, "/file_contexts" }
+    };
+
+    sehandle = selabel_open(SELABEL_CTX_FILE, seopts, 1);
+
+    if (!sehandle) {
+        fprintf(cmd_pipe, "ui_print Warning: No file_contexts\n");
+    }
+
+    // Evaluate the parsed script.
+
+    UpdaterInfo updater_info;
+    updater_info.cmd_pipe = cmd_pipe;
+    updater_info.package_zip = &za;
+    updater_info.version = atoi(version);
+    updater_info.package_zip_addr = map.addr;
+    updater_info.package_zip_len = map.length;
+
+    State state;
+    state.cookie = &updater_info;
+    state.script = script;
+    state.errmsg = NULL;
+
+    if (argc == 5) {
+        if (strcmp(argv[4], "retry") == 0) {
+            state.is_retry = true;
+        } else {
+            printf("unexpected argument: %s", argv[4]);
+        }
+    }
+
+    char* result = Evaluate(&state, root);
+
+    if (have_eio_error) {
+        fprintf(cmd_pipe, "retry_update\n");
+    }
+
+    if (result == NULL) {
+        if (state.errmsg == NULL) {
+            printf("script aborted (no error message)\n");
+            fprintf(cmd_pipe, "ui_print script aborted (no error message)\n");
+        } else {
+            printf("script aborted: %s\n", state.errmsg);
+            char* line = strtok(state.errmsg, "\n");
+            while (line) {
+                // Parse the error code in abort message.
+                // Example: "E30: This package is for bullhead devices."
+                if (*line == 'E') {
+                    if (sscanf(line, "E%u: ", &state.error_code) != 1) {
+                         printf("Failed to parse error code: [%s]\n", line);
+                    }
+                }
+                fprintf(cmd_pipe, "ui_print %s\n", line);
+                line = strtok(NULL, "\n");
+            }
+            fprintf(cmd_pipe, "ui_print\n");
+        }
+
+        if (state.error_code != kNoError) {
+            fprintf(cmd_pipe, "log error: %d\n", state.error_code);
+            // Cause code should provide additional information about the abort;
+            // report only when an error exists.
+            if (state.cause_code != kNoCause) {
+                fprintf(cmd_pipe, "log cause: %d\n", state.cause_code);
+            }
+        }
+
+        free(state.errmsg);
+        return 7;
+    } else {
+        fprintf(cmd_pipe, "ui_print script succeeded: result was [%s]\n", result);
+        free(result);
+    }
+
+    if (updater_info.package_zip) {
+        mzCloseZipArchive(updater_info.package_zip);
+    }
+    sysReleaseMap(&map);
+    free(script);
+
+    return 0;
+}
diff --git a/verifier.cpp b/verifier.cpp
index bf7071d..2d1b0e7 100644
--- a/verifier.cpp
+++ b/verifier.cpp
@@ -14,25 +14,27 @@
  * limitations under the License.
  */
 
-#include "asn1_decoder.h"
-#include "common.h"
-#include "ui.h"
-#include "verifier.h"
-
-#include "mincrypt/dsa_sig.h"
-#include "mincrypt/p256.h"
-#include "mincrypt/p256_ecdsa.h"
-#include "mincrypt/rsa.h"
-#include "mincrypt/sha.h"
-#include "mincrypt/sha256.h"
-
 #include <errno.h>
 #include <malloc.h>
 #include <stdio.h>
 #include <string.h>
 
+#include <algorithm>
+#include <memory>
+
+#include <openssl/ecdsa.h>
+#include <openssl/obj_mac.h>
+
+#include "asn1_decoder.h"
+#include "common.h"
+#include "print_sha1.h"
+#include "ui.h"
+#include "verifier.h"
+
 extern RecoveryUI* ui;
 
+static constexpr size_t MiB = 1024 * 1024;
+
 /*
  * Simple version of PKCS#7 SignedData extraction. This extracts the
  * signature OCTET STRING to be used for signature verification.
@@ -113,7 +115,7 @@
 // or no key matches the signature).
 
 int verify_file(unsigned char* addr, size_t length,
-                const Certificate* pKeys, unsigned int numKeys) {
+                const std::vector<Certificate>& keys) {
     ui->SetProgress(0.0);
 
     // An archive with a whole-file signature will end in six bytes:
@@ -182,8 +184,7 @@
         return VERIFY_FAILURE;
     }
 
-    size_t i;
-    for (i = 4; i < eocd_size-3; ++i) {
+    for (size_t i = 4; i < eocd_size-3; ++i) {
         if (eocd[i  ] == 0x50 && eocd[i+1] == 0x4b &&
             eocd[i+2] == 0x05 && eocd[i+3] == 0x06) {
             // if the sequence $50 $4b $05 $06 appears anywhere after
@@ -195,30 +196,30 @@
         }
     }
 
-#define BUFFER_SIZE 4096
-
     bool need_sha1 = false;
     bool need_sha256 = false;
-    for (i = 0; i < numKeys; ++i) {
-        switch (pKeys[i].hash_len) {
-            case SHA_DIGEST_SIZE: need_sha1 = true; break;
-            case SHA256_DIGEST_SIZE: need_sha256 = true; break;
+    for (const auto& key : keys) {
+        switch (key.hash_len) {
+            case SHA_DIGEST_LENGTH: need_sha1 = true; break;
+            case SHA256_DIGEST_LENGTH: need_sha256 = true; break;
         }
     }
 
     SHA_CTX sha1_ctx;
     SHA256_CTX sha256_ctx;
-    SHA_init(&sha1_ctx);
-    SHA256_init(&sha256_ctx);
+    SHA1_Init(&sha1_ctx);
+    SHA256_Init(&sha256_ctx);
 
     double frac = -1.0;
     size_t so_far = 0;
     while (so_far < signed_len) {
-        size_t size = signed_len - so_far;
-        if (size > BUFFER_SIZE) size = BUFFER_SIZE;
+        // On a Nexus 5X, experiment showed 16MiB beat 1MiB by 6% faster for a
+        // 1196MiB full OTA and 60% for an 89MiB incremental OTA.
+        // http://b/28135231.
+        size_t size = std::min(signed_len - so_far, 16 * MiB);
 
-        if (need_sha1) SHA_update(&sha1_ctx, addr + so_far, size);
-        if (need_sha256) SHA256_update(&sha256_ctx, addr + so_far, size);
+        if (need_sha1) SHA1_Update(&sha1_ctx, addr + so_far, size);
+        if (need_sha256) SHA256_Update(&sha256_ctx, addr + so_far, size);
         so_far += size;
 
         double f = so_far / (double)signed_len;
@@ -228,15 +229,22 @@
         }
     }
 
-    const uint8_t* sha1 = SHA_final(&sha1_ctx);
-    const uint8_t* sha256 = SHA256_final(&sha256_ctx);
+    uint8_t sha1[SHA_DIGEST_LENGTH];
+    SHA1_Final(sha1, &sha1_ctx);
+    uint8_t sha256[SHA256_DIGEST_LENGTH];
+    SHA256_Final(sha256, &sha256_ctx);
 
-    uint8_t* sig_der = NULL;
+    uint8_t* sig_der = nullptr;
     size_t sig_der_length = 0;
 
+    uint8_t* signature = eocd + eocd_size - signature_start;
     size_t signature_size = signature_start - FOOTER_SIZE;
-    if (!read_pkcs7(eocd + eocd_size - signature_start, signature_size, &sig_der,
-            &sig_der_length)) {
+
+    LOGI("signature (offset: 0x%zx, length: %zu): %s\n",
+            length - signature_start, signature_size,
+            print_hex(signature, signature_size).c_str());
+
+    if (!read_pkcs7(signature, signature_size, &sig_der, &sig_der_length)) {
         LOGE("Could not find signature DER block\n");
         return VERIFY_FAILURE;
     }
@@ -246,25 +254,28 @@
      * any key can match, we need to try each before determining a verification
      * failure has happened.
      */
-    for (i = 0; i < numKeys; ++i) {
+    size_t i = 0;
+    for (const auto& key : keys) {
         const uint8_t* hash;
-        switch (pKeys[i].hash_len) {
-            case SHA_DIGEST_SIZE: hash = sha1; break;
-            case SHA256_DIGEST_SIZE: hash = sha256; break;
-            default: continue;
+        int hash_nid;
+        switch (key.hash_len) {
+            case SHA_DIGEST_LENGTH:
+                hash = sha1;
+                hash_nid = NID_sha1;
+                break;
+            case SHA256_DIGEST_LENGTH:
+                hash = sha256;
+                hash_nid = NID_sha256;
+                break;
+            default:
+                continue;
         }
 
         // The 6 bytes is the "(signature_start) $ff $ff (comment_size)" that
         // the signing tool appends after the signature itself.
-        if (pKeys[i].key_type == Certificate::RSA) {
-            if (sig_der_length < RSANUMBYTES) {
-                // "signature" block isn't big enough to contain an RSA block.
-                LOGI("signature is too short for RSA key %zu\n", i);
-                continue;
-            }
-
-            if (!RSA_verify(pKeys[i].rsa, sig_der, RSANUMBYTES,
-                            hash, pKeys[i].hash_len)) {
+        if (key.key_type == Certificate::KEY_TYPE_RSA) {
+            if (!RSA_verify(hash_nid, hash, key.hash_len, sig_der,
+                            sig_der_length, key.rsa.get())) {
                 LOGI("failed to verify against RSA key %zu\n", i);
                 continue;
             }
@@ -272,18 +283,10 @@
             LOGI("whole-file signature verified against RSA key %zu\n", i);
             free(sig_der);
             return VERIFY_SUCCESS;
-        } else if (pKeys[i].key_type == Certificate::EC
-                && pKeys[i].hash_len == SHA256_DIGEST_SIZE) {
-            p256_int r, s;
-            if (!dsa_sig_unpack(sig_der, sig_der_length, &r, &s)) {
-                LOGI("Not a DSA signature block for EC key %zu\n", i);
-                continue;
-            }
-
-            p256_int p256_hash;
-            p256_from_bin(hash, &p256_hash);
-            if (!p256_ecdsa_verify(&(pKeys[i].ec->x), &(pKeys[i].ec->y),
-                                   &p256_hash, &r, &s)) {
+        } else if (key.key_type == Certificate::KEY_TYPE_EC
+                && key.hash_len == SHA256_DIGEST_LENGTH) {
+            if (!ECDSA_verify(0, hash, key.hash_len, sig_der,
+                              sig_der_length, key.ec.get())) {
                 LOGI("failed to verify against EC key %zu\n", i);
                 continue;
             }
@@ -292,14 +295,160 @@
             free(sig_der);
             return VERIFY_SUCCESS;
         } else {
-            LOGI("Unknown key type %d\n", pKeys[i].key_type);
+            LOGI("Unknown key type %d\n", key.key_type);
         }
+        i++;
+    }
+
+    if (need_sha1) {
+        LOGI("SHA-1 digest: %s\n", print_hex(sha1, SHA_DIGEST_LENGTH).c_str());
+    }
+    if (need_sha256) {
+        LOGI("SHA-256 digest: %s\n", print_hex(sha256, SHA256_DIGEST_LENGTH).c_str());
     }
     free(sig_der);
     LOGE("failed to verify whole-file signature\n");
     return VERIFY_FAILURE;
 }
 
+std::unique_ptr<RSA, RSADeleter> parse_rsa_key(FILE* file, uint32_t exponent) {
+    // Read key length in words and n0inv. n0inv is a precomputed montgomery
+    // parameter derived from the modulus and can be used to speed up
+    // verification. n0inv is 32 bits wide here, assuming the verification logic
+    // uses 32 bit arithmetic. However, BoringSSL may use a word size of 64 bits
+    // internally, in which case we don't have a valid n0inv. Thus, we just
+    // ignore the montgomery parameters and have BoringSSL recompute them
+    // internally. If/When the speedup from using the montgomery parameters
+    // becomes relevant, we can add more sophisticated code here to obtain a
+    // 64-bit n0inv and initialize the montgomery parameters in the key object.
+    uint32_t key_len_words = 0;
+    uint32_t n0inv = 0;
+    if (fscanf(file, " %i , 0x%x", &key_len_words, &n0inv) != 2) {
+        return nullptr;
+    }
+
+    if (key_len_words > 8192 / 32) {
+        LOGE("key length (%d) too large\n", key_len_words);
+        return nullptr;
+    }
+
+    // Read the modulus.
+    std::unique_ptr<uint32_t[]> modulus(new uint32_t[key_len_words]);
+    if (fscanf(file, " , { %u", &modulus[0]) != 1) {
+        return nullptr;
+    }
+    for (uint32_t i = 1; i < key_len_words; ++i) {
+        if (fscanf(file, " , %u", &modulus[i]) != 1) {
+            return nullptr;
+        }
+    }
+
+    // Cconvert from little-endian array of little-endian words to big-endian
+    // byte array suitable as input for BN_bin2bn.
+    std::reverse((uint8_t*)modulus.get(),
+                 (uint8_t*)(modulus.get() + key_len_words));
+
+    // The next sequence of values is the montgomery parameter R^2. Since we
+    // generally don't have a valid |n0inv|, we ignore this (see comment above).
+    uint32_t rr_value;
+    if (fscanf(file, " } , { %u", &rr_value) != 1) {
+        return nullptr;
+    }
+    for (uint32_t i = 1; i < key_len_words; ++i) {
+        if (fscanf(file, " , %u", &rr_value) != 1) {
+            return nullptr;
+        }
+    }
+    if (fscanf(file, " } } ") != 0) {
+        return nullptr;
+    }
+
+    // Initialize the key.
+    std::unique_ptr<RSA, RSADeleter> key(RSA_new());
+    if (!key) {
+      return nullptr;
+    }
+
+    key->n = BN_bin2bn((uint8_t*)modulus.get(),
+                       key_len_words * sizeof(uint32_t), NULL);
+    if (!key->n) {
+      return nullptr;
+    }
+
+    key->e = BN_new();
+    if (!key->e || !BN_set_word(key->e, exponent)) {
+      return nullptr;
+    }
+
+    return key;
+}
+
+struct BNDeleter {
+  void operator()(BIGNUM* bn) {
+    BN_free(bn);
+  }
+};
+
+std::unique_ptr<EC_KEY, ECKEYDeleter> parse_ec_key(FILE* file) {
+    uint32_t key_len_bytes = 0;
+    if (fscanf(file, " %i", &key_len_bytes) != 1) {
+        return nullptr;
+    }
+
+    std::unique_ptr<EC_GROUP, void (*)(EC_GROUP*)> group(
+        EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1), EC_GROUP_free);
+    if (!group) {
+        return nullptr;
+    }
+
+    // Verify that |key_len| matches the group order.
+    if (key_len_bytes != BN_num_bytes(EC_GROUP_get0_order(group.get()))) {
+        return nullptr;
+    }
+
+    // Read the public key coordinates. Note that the byte order in the file is
+    // little-endian, so we convert to big-endian here.
+    std::unique_ptr<uint8_t[]> bytes(new uint8_t[key_len_bytes]);
+    std::unique_ptr<BIGNUM, BNDeleter> point[2];
+    for (int i = 0; i < 2; ++i) {
+        unsigned int byte = 0;
+        if (fscanf(file, " , { %u", &byte) != 1) {
+            return nullptr;
+        }
+        bytes[key_len_bytes - 1] = byte;
+
+        for (size_t i = 1; i < key_len_bytes; ++i) {
+            if (fscanf(file, " , %u", &byte) != 1) {
+                return nullptr;
+            }
+            bytes[key_len_bytes - i - 1] = byte;
+        }
+
+        point[i].reset(BN_bin2bn(bytes.get(), key_len_bytes, nullptr));
+        if (!point[i]) {
+            return nullptr;
+        }
+
+        if (fscanf(file, " }") != 0) {
+            return nullptr;
+        }
+    }
+
+    if (fscanf(file, " } ") != 0) {
+        return nullptr;
+    }
+
+    // Create and initialize the key.
+    std::unique_ptr<EC_KEY, ECKEYDeleter> key(EC_KEY_new());
+    if (!key || !EC_KEY_set_group(key.get(), group.get()) ||
+        !EC_KEY_set_public_key_affine_coordinates(key.get(), point[0].get(),
+                                                  point[1].get())) {
+        return nullptr;
+    }
+
+    return key;
+}
+
 // Reads a file containing one or more public keys as produced by
 // DumpPublicKey:  this is an RSAPublicKey struct as it would appear
 // as a C source literal, eg:
@@ -329,140 +478,85 @@
 //       4: 2048-bit RSA key with e=65537 and SHA-256 hash
 //       5: 256-bit EC key using the NIST P-256 curve parameters and SHA-256 hash
 //
-// Returns NULL if the file failed to parse, or if it contain zero keys.
-Certificate*
-load_keys(const char* filename, int* numKeys) {
-    Certificate* out = NULL;
-    *numKeys = 0;
-
-    FILE* f = fopen(filename, "r");
-    if (f == NULL) {
+// Returns true on success, and appends the found keys (at least one) to certs.
+// Otherwise returns false if the file failed to parse, or if it contains zero
+// keys. The contents in certs would be unspecified on failure.
+bool load_keys(const char* filename, std::vector<Certificate>& certs) {
+    std::unique_ptr<FILE, decltype(&fclose)> f(fopen(filename, "r"), fclose);
+    if (!f) {
         LOGE("opening %s: %s\n", filename, strerror(errno));
-        goto exit;
+        return false;
     }
 
-    {
-        int i;
-        bool done = false;
-        while (!done) {
-            ++*numKeys;
-            out = (Certificate*)realloc(out, *numKeys * sizeof(Certificate));
-            Certificate* cert = out + (*numKeys - 1);
-            memset(cert, '\0', sizeof(Certificate));
+    while (true) {
+        certs.emplace_back(0, Certificate::KEY_TYPE_RSA, nullptr, nullptr);
+        Certificate& cert = certs.back();
+        uint32_t exponent = 0;
 
-            char start_char;
-            if (fscanf(f, " %c", &start_char) != 1) goto exit;
-            if (start_char == '{') {
-                // a version 1 key has no version specifier.
-                cert->key_type = Certificate::RSA;
-                cert->rsa = (RSAPublicKey*)malloc(sizeof(RSAPublicKey));
-                cert->rsa->exponent = 3;
-                cert->hash_len = SHA_DIGEST_SIZE;
-            } else if (start_char == 'v') {
-                int version;
-                if (fscanf(f, "%d {", &version) != 1) goto exit;
-                switch (version) {
-                    case 2:
-                        cert->key_type = Certificate::RSA;
-                        cert->rsa = (RSAPublicKey*)malloc(sizeof(RSAPublicKey));
-                        cert->rsa->exponent = 65537;
-                        cert->hash_len = SHA_DIGEST_SIZE;
-                        break;
-                    case 3:
-                        cert->key_type = Certificate::RSA;
-                        cert->rsa = (RSAPublicKey*)malloc(sizeof(RSAPublicKey));
-                        cert->rsa->exponent = 3;
-                        cert->hash_len = SHA256_DIGEST_SIZE;
-                        break;
-                    case 4:
-                        cert->key_type = Certificate::RSA;
-                        cert->rsa = (RSAPublicKey*)malloc(sizeof(RSAPublicKey));
-                        cert->rsa->exponent = 65537;
-                        cert->hash_len = SHA256_DIGEST_SIZE;
-                        break;
-                    case 5:
-                        cert->key_type = Certificate::EC;
-                        cert->ec = (ECPublicKey*)calloc(1, sizeof(ECPublicKey));
-                        cert->hash_len = SHA256_DIGEST_SIZE;
-                        break;
-                    default:
-                        goto exit;
-                }
+        char start_char;
+        if (fscanf(f.get(), " %c", &start_char) != 1) return false;
+        if (start_char == '{') {
+            // a version 1 key has no version specifier.
+            cert.key_type = Certificate::KEY_TYPE_RSA;
+            exponent = 3;
+            cert.hash_len = SHA_DIGEST_LENGTH;
+        } else if (start_char == 'v') {
+            int version;
+            if (fscanf(f.get(), "%d {", &version) != 1) return false;
+            switch (version) {
+                case 2:
+                    cert.key_type = Certificate::KEY_TYPE_RSA;
+                    exponent = 65537;
+                    cert.hash_len = SHA_DIGEST_LENGTH;
+                    break;
+                case 3:
+                    cert.key_type = Certificate::KEY_TYPE_RSA;
+                    exponent = 3;
+                    cert.hash_len = SHA256_DIGEST_LENGTH;
+                    break;
+                case 4:
+                    cert.key_type = Certificate::KEY_TYPE_RSA;
+                    exponent = 65537;
+                    cert.hash_len = SHA256_DIGEST_LENGTH;
+                    break;
+                case 5:
+                    cert.key_type = Certificate::KEY_TYPE_EC;
+                    cert.hash_len = SHA256_DIGEST_LENGTH;
+                    break;
+                default:
+                    return false;
+            }
+        }
+
+        if (cert.key_type == Certificate::KEY_TYPE_RSA) {
+            cert.rsa = parse_rsa_key(f.get(), exponent);
+            if (!cert.rsa) {
+              return false;
             }
 
-            if (cert->key_type == Certificate::RSA) {
-                RSAPublicKey* key = cert->rsa;
-                if (fscanf(f, " %i , 0x%x , { %u",
-                           &(key->len), &(key->n0inv), &(key->n[0])) != 3) {
-                    goto exit;
-                }
-                if (key->len != RSANUMWORDS) {
-                    LOGE("key length (%d) does not match expected size\n", key->len);
-                    goto exit;
-                }
-                for (i = 1; i < key->len; ++i) {
-                    if (fscanf(f, " , %u", &(key->n[i])) != 1) goto exit;
-                }
-                if (fscanf(f, " } , { %u", &(key->rr[0])) != 1) goto exit;
-                for (i = 1; i < key->len; ++i) {
-                    if (fscanf(f, " , %u", &(key->rr[i])) != 1) goto exit;
-                }
-                fscanf(f, " } } ");
-
-                LOGI("read key e=%d hash=%d\n", key->exponent, cert->hash_len);
-            } else if (cert->key_type == Certificate::EC) {
-                ECPublicKey* key = cert->ec;
-                int key_len;
-                unsigned int byte;
-                uint8_t x_bytes[P256_NBYTES];
-                uint8_t y_bytes[P256_NBYTES];
-                if (fscanf(f, " %i , { %u", &key_len, &byte) != 2) goto exit;
-                if (key_len != P256_NBYTES) {
-                    LOGE("Key length (%d) does not match expected size %d\n", key_len, P256_NBYTES);
-                    goto exit;
-                }
-                x_bytes[P256_NBYTES - 1] = byte;
-                for (i = P256_NBYTES - 2; i >= 0; --i) {
-                    if (fscanf(f, " , %u", &byte) != 1) goto exit;
-                    x_bytes[i] = byte;
-                }
-                if (fscanf(f, " } , { %u", &byte) != 1) goto exit;
-                y_bytes[P256_NBYTES - 1] = byte;
-                for (i = P256_NBYTES - 2; i >= 0; --i) {
-                    if (fscanf(f, " , %u", &byte) != 1) goto exit;
-                    y_bytes[i] = byte;
-                }
-                fscanf(f, " } } ");
-                p256_from_bin(x_bytes, &key->x);
-                p256_from_bin(y_bytes, &key->y);
-            } else {
-                LOGE("Unknown key type %d\n", cert->key_type);
-                goto exit;
+            LOGI("read key e=%d hash=%d\n", exponent, cert.hash_len);
+        } else if (cert.key_type == Certificate::KEY_TYPE_EC) {
+            cert.ec = parse_ec_key(f.get());
+            if (!cert.ec) {
+              return false;
             }
+        } else {
+            LOGE("Unknown key type %d\n", cert.key_type);
+            return false;
+        }
 
-            // if the line ends in a comma, this file has more keys.
-            switch (fgetc(f)) {
-            case ',':
-                // more keys to come.
-                break;
-
-            case EOF:
-                done = true;
-                break;
-
-            default:
-                LOGE("unexpected character between keys\n");
-                goto exit;
-            }
+        // if the line ends in a comma, this file has more keys.
+        int ch = fgetc(f.get());
+        if (ch == ',') {
+            // more keys to come.
+            continue;
+        } else if (ch == EOF) {
+            break;
+        } else {
+            LOGE("unexpected character between keys\n");
+            return false;
         }
     }
 
-    fclose(f);
-    return out;
-
-exit:
-    if (f) fclose(f);
-    free(out);
-    *numKeys = 0;
-    return NULL;
+    return true;
 }
diff --git a/verifier.h b/verifier.h
index 15f8d98..58083fe 100644
--- a/verifier.h
+++ b/verifier.h
@@ -17,25 +17,46 @@
 #ifndef _RECOVERY_VERIFIER_H
 #define _RECOVERY_VERIFIER_H
 
-#include "mincrypt/p256.h"
-#include "mincrypt/rsa.h"
+#include <memory>
+#include <vector>
 
-typedef struct {
-    p256_int x;
-    p256_int y;
-} ECPublicKey;
+#include <openssl/ec_key.h>
+#include <openssl/rsa.h>
+#include <openssl/sha.h>
 
-typedef struct {
+struct RSADeleter {
+  void operator()(RSA* rsa) {
+    RSA_free(rsa);
+  }
+};
+
+struct ECKEYDeleter {
+  void operator()(EC_KEY* ec_key) {
+    EC_KEY_free(ec_key);
+  }
+};
+
+struct Certificate {
     typedef enum {
-        RSA,
-        EC,
+        KEY_TYPE_RSA,
+        KEY_TYPE_EC,
     } KeyType;
 
-    int hash_len;  // SHA_DIGEST_SIZE (SHA-1) or SHA256_DIGEST_SIZE (SHA-256)
+    Certificate(int hash_len_,
+                KeyType key_type_,
+                std::unique_ptr<RSA, RSADeleter>&& rsa_,
+                std::unique_ptr<EC_KEY, ECKEYDeleter>&& ec_)
+        : hash_len(hash_len_),
+          key_type(key_type_),
+          rsa(std::move(rsa_)),
+          ec(std::move(ec_)) {}
+
+    // SHA_DIGEST_LENGTH (SHA-1) or SHA256_DIGEST_LENGTH (SHA-256)
+    int hash_len;
     KeyType key_type;
-    RSAPublicKey* rsa;
-    ECPublicKey* ec;
-} Certificate;
+    std::unique_ptr<RSA, RSADeleter> rsa;
+    std::unique_ptr<EC_KEY, ECKEYDeleter> ec;
+};
 
 /* addr and length define a an update package file that has been
  * loaded (or mmap'ed, or whatever) into memory.  Verify that the file
@@ -43,9 +64,9 @@
  * one of the constants below.
  */
 int verify_file(unsigned char* addr, size_t length,
-                const Certificate *pKeys, unsigned int numKeys);
+                const std::vector<Certificate>& keys);
 
-Certificate* load_keys(const char* filename, int* numKeys);
+bool load_keys(const char* filename, std::vector<Certificate>& certs);
 
 #define VERIFY_SUCCESS        0
 #define VERIFY_FAILURE        1
diff --git a/verifier_test.cpp b/verifier_test.cpp
deleted file mode 100644
index 82546ed..0000000
--- a/verifier_test.cpp
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include "common.h"
-#include "verifier.h"
-#include "ui.h"
-#include "mincrypt/sha.h"
-#include "mincrypt/sha256.h"
-#include "minzip/SysUtil.h"
-
-// This is build/target/product/security/testkey.x509.pem after being
-// dumped out by dumpkey.jar.
-RSAPublicKey test_key =
-    { 64, 0xc926ad21,
-      { 0x6afee91fu, 0x7fa31d5bu, 0x38a0b217u, 0x99df9baeu,
-        0xfe72991du, 0x727d3c04u, 0x20943f99u, 0xd08e7826u,
-        0x69e7c8a2u, 0xdeeccc8eu, 0x6b9af76fu, 0x553311c4u,
-        0x07b9e247u, 0x54c8bbcau, 0x6a540d81u, 0x48dbf567u,
-        0x98c92877u, 0x134fbfdeu, 0x01b32564u, 0x24581948u,
-        0x6cddc3b8u, 0x0cd444dau, 0xfe0381ccu, 0xf15818dfu,
-        0xc06e6d42u, 0x2e2f6412u, 0x093a6737u, 0x94d83b31u,
-        0xa466c87au, 0xb3f284a0u, 0xa694ec2cu, 0x053359e6u,
-        0x9717ee6au, 0x0732e080u, 0x220d5008u, 0xdc4af350u,
-        0x93d0a7c3u, 0xe330c9eau, 0xcac3da1eu, 0x8ebecf8fu,
-        0xc2be387fu, 0x38a14e89u, 0x211586f0u, 0x18b846f5u,
-        0x43be4c72u, 0xb578c204u, 0x1bbfb230u, 0xf1e267a8u,
-        0xa2d3e656u, 0x64b8e4feu, 0xe7e83d4bu, 0x3e77a943u,
-        0x3559ffd9u, 0x0ebb0f99u, 0x0aa76ce6u, 0xd3786ea7u,
-        0xbca8cd6bu, 0x068ca8e8u, 0xeb1de2ffu, 0x3e3ecd6cu,
-        0xe0d9d825u, 0xb1edc762u, 0xdec60b24u, 0xd6931904u},
-      { 0xccdcb989u, 0xe19281f9u, 0xa6e80accu, 0xb7f40560u,
-        0x0efb0bccu, 0x7f12b0bbu, 0x1e90531au, 0x136d95d0u,
-        0x9e660665u, 0x7d54918fu, 0xe3b93ea2u, 0x2f415d10u,
-        0x3d2df6e6u, 0x7a627ecfu, 0xa6f22d70u, 0xb995907au,
-        0x09de16b2u, 0xfeb8bd61u, 0xf24ec294u, 0x716a427fu,
-        0x2e12046fu, 0xeaf3d56au, 0xd9b873adu, 0x0ced340bu,
-        0xbc9cec09u, 0x73c65903u, 0xee39ce9bu, 0x3eede25au,
-        0x397633b7u, 0x2583c165u, 0x8514f97du, 0xe9166510u,
-        0x0b6fae99u, 0xa47139fdu, 0xdb8352f0u, 0xb2ad7f2cu,
-        0xa11552e2u, 0xd4d490a7u, 0xe11e8568u, 0xe9e484dau,
-        0xd3ef8449u, 0xa47055dau, 0x4edd9557u, 0x03a78ba1u,
-        0x770e130du, 0x16762facu, 0x0cbdfcc4u, 0xf3070540u,
-        0x008b6515u, 0x60e7e1b7u, 0xa72cf7f9u, 0xaff86e39u,
-        0x4296faadu, 0xfc90430eu, 0x6cc8f377u, 0xb398fd43u,
-        0x423c5997u, 0x991d59c4u, 0x6464bf73u, 0x96431575u,
-        0x15e3d207u, 0x30532a7au, 0x8c4be618u, 0x460a4d76u },
-      3
-    };
-
-RSAPublicKey test_f4_key =
-    { 64, 0xc9bd1f21,
-      { 0x1178db1fu, 0xbf5d0e55u, 0x3393a165u, 0x0ef4c287u,
-        0xbc472a4au, 0x383fc5a1u, 0x4a13b7d2u, 0xb1ff2ac3u,
-        0xaf66b4d9u, 0x9280acefu, 0xa2165bdbu, 0x6a4d6e5cu,
-        0x08ea676bu, 0xb7ac70c7u, 0xcd158139u, 0xa635ccfeu,
-        0xa46ab8a8u, 0x445a3e8bu, 0xdc81d9bbu, 0x91ce1a20u,
-        0x68021cdeu, 0x4516eda9u, 0x8d43c30cu, 0xed1eff14u,
-        0xca387e4cu, 0x58adc233u, 0x4657ab27u, 0xa95b521eu,
-        0xdfc0e30cu, 0x394d64a1u, 0xc6b321a1u, 0x2ca22cb8u,
-        0xb1892d5cu, 0x5d605f3eu, 0x6025483cu, 0x9afd5181u,
-        0x6e1a7105u, 0x03010593u, 0x70acd304u, 0xab957cbfu,
-        0x8844abbbu, 0x53846837u, 0x24e98a43u, 0x2ba060c1u,
-        0x8b88b88eu, 0x44eea405u, 0xb259fc41u, 0x0907ad9cu,
-        0x13003adau, 0xcf79634eu, 0x7d314ec9u, 0xfbbe4c2bu,
-        0xd84d0823u, 0xfd30fd88u, 0x68d8a909u, 0xfb4572d9u,
-        0xa21301c2u, 0xd00a4785u, 0x6862b50cu, 0xcfe49796u,
-        0xdaacbd83u, 0xfb620906u, 0xdf71e0ccu, 0xbbc5b030u },
-      { 0x69a82189u, 0x1a8b22f4u, 0xcf49207bu, 0x68cc056au,
-        0xb206b7d2u, 0x1d449bbdu, 0xe9d342f2u, 0x29daea58u,
-        0xb19d011au, 0xc62f15e4u, 0x9452697au, 0xb62bb87eu,
-        0x60f95cc2u, 0x279ebb2du, 0x17c1efd8u, 0xec47558bu,
-        0xc81334d1u, 0x88fe7601u, 0x79992eb1u, 0xb4555615u,
-        0x2022ac8cu, 0xc79a4b8cu, 0xb288b034u, 0xd6b942f0u,
-        0x0caa32fbu, 0xa065ba51u, 0x4de9f154u, 0x29f64f6cu,
-        0x7910af5eu, 0x3ed4636au, 0xe4c81911u, 0x9183f37du,
-        0x5811e1c4u, 0x29c7a58cu, 0x9715d4d3u, 0xc7e2dce3u,
-        0x140972ebu, 0xf4c8a69eu, 0xa104d424u, 0x5dabbdfbu,
-        0x41cb4c6bu, 0xd7f44717u, 0x61785ff7u, 0x5e0bc273u,
-        0x36426c70u, 0x2aa6f08eu, 0x083badbfu, 0x3cab941bu,
-        0x8871da23u, 0x1ab3dbaeu, 0x7115a21du, 0xf5aa0965u,
-        0xf766f562u, 0x7f110225u, 0x86d96a04u, 0xc50a120eu,
-        0x3a751ca3u, 0xc21aa186u, 0xba7359d0u, 0x3ff2b257u,
-        0xd116e8bbu, 0xfc1318c0u, 0x070e5b1du, 0x83b759a6u },
-      65537
-    };
-
-ECPublicKey test_ec_key =
-    {
-       {
-         {0xd656fa24u, 0x931416cau, 0x1c0278c6u, 0x174ebe4cu,
-          0x6018236au, 0x45ba1656u, 0xe8c05d84u, 0x670ed500u}
-      },
-      {
-        {0x0d179adeu, 0x4c16827du, 0x9f8cb992u, 0x8f69ff8au,
-         0x481b1020u, 0x798d91afu, 0x184db8e9u, 0xb5848dd9u}
-      }
-    };
-
-RecoveryUI* ui = NULL;
-
-// verifier expects to find a UI object; we provide one that does
-// nothing but print.
-class FakeUI : public RecoveryUI {
-    void Init() { }
-    void SetStage(int, int) { }
-    void SetLocale(const char*) { }
-    void SetBackground(Icon icon) { }
-
-    void SetProgressType(ProgressType determinate) { }
-    void ShowProgress(float portion, float seconds) { }
-    void SetProgress(float fraction) { }
-
-    void ShowText(bool visible) { }
-    bool IsTextVisible() { return false; }
-    bool WasTextEverVisible() { return false; }
-    void Print(const char* fmt, ...) {
-        va_list ap;
-        va_start(ap, fmt);
-        vfprintf(stderr, fmt, ap);
-        va_end(ap);
-    }
-    void ShowFile(const char*) { }
-
-    void StartMenu(const char* const * headers, const char* const * items,
-                           int initial_selection) { }
-    int SelectMenu(int sel) { return 0; }
-    void EndMenu() { }
-};
-
-void
-ui_print(const char* format, ...) {
-    va_list ap;
-    va_start(ap, format);
-    vfprintf(stdout, format, ap);
-    va_end(ap);
-}
-
-static Certificate* add_certificate(Certificate** certsp, int* num_keys,
-        Certificate::KeyType key_type) {
-    int i = *num_keys;
-    *num_keys = *num_keys + 1;
-    *certsp = (Certificate*) realloc(*certsp, *num_keys * sizeof(Certificate));
-    Certificate* certs = *certsp;
-    certs[i].rsa = NULL;
-    certs[i].ec = NULL;
-    certs[i].key_type = key_type;
-    certs[i].hash_len = SHA_DIGEST_SIZE;
-    return &certs[i];
-}
-
-int main(int argc, char **argv) {
-    if (argc < 2) {
-        fprintf(stderr, "Usage: %s [-sha256] [-ec | -f4 | -file <keys>] <package>\n", argv[0]);
-        return 2;
-    }
-    Certificate* certs = NULL;
-    int num_keys = 0;
-
-    int argn = 1;
-    while (argn < argc) {
-        if (strcmp(argv[argn], "-sha256") == 0) {
-            if (num_keys == 0) {
-                fprintf(stderr, "May only specify -sha256 after key type\n");
-                return 2;
-            }
-            ++argn;
-            Certificate* cert = &certs[num_keys - 1];
-            cert->hash_len = SHA256_DIGEST_SIZE;
-        } else if (strcmp(argv[argn], "-ec") == 0) {
-            ++argn;
-            Certificate* cert = add_certificate(&certs, &num_keys, Certificate::EC);
-            cert->ec = &test_ec_key;
-        } else if (strcmp(argv[argn], "-e3") == 0) {
-            ++argn;
-            Certificate* cert = add_certificate(&certs, &num_keys, Certificate::RSA);
-            cert->rsa = &test_key;
-        } else if (strcmp(argv[argn], "-f4") == 0) {
-            ++argn;
-            Certificate* cert = add_certificate(&certs, &num_keys, Certificate::RSA);
-            cert->rsa = &test_f4_key;
-        } else if (strcmp(argv[argn], "-file") == 0) {
-            if (certs != NULL) {
-                fprintf(stderr, "Cannot specify -file with other certs specified\n");
-                return 2;
-            }
-            ++argn;
-            certs = load_keys(argv[argn], &num_keys);
-            ++argn;
-        } else if (argv[argn][0] == '-') {
-            fprintf(stderr, "Unknown argument %s\n", argv[argn]);
-            return 2;
-        } else {
-            break;
-        }
-    }
-
-    if (argn == argc) {
-        fprintf(stderr, "Must specify package to verify\n");
-        return 2;
-    }
-
-    if (num_keys == 0) {
-        certs = (Certificate*) calloc(1, sizeof(Certificate));
-        if (certs == NULL) {
-            fprintf(stderr, "Failure allocating memory for default certificate\n");
-            return 1;
-        }
-        certs->key_type = Certificate::RSA;
-        certs->rsa = &test_key;
-        certs->ec = NULL;
-        certs->hash_len = SHA_DIGEST_SIZE;
-        num_keys = 1;
-    }
-
-    ui = new FakeUI();
-
-    MemMapping map;
-    if (sysMapFile(argv[argn], &map) != 0) {
-        fprintf(stderr, "failed to mmap %s: %s\n", argv[argn], strerror(errno));
-        return 4;
-    }
-
-    int result = verify_file(map.addr, map.length, certs, num_keys);
-    if (result == VERIFY_SUCCESS) {
-        printf("VERIFIED\n");
-        return 0;
-    } else if (result == VERIFY_FAILURE) {
-        printf("NOT VERIFIED\n");
-        return 1;
-    } else {
-        printf("bad return value\n");
-        return 3;
-    }
-}
diff --git a/verifier_test.sh b/verifier_test.sh
deleted file mode 100755
index 4761cef..0000000
--- a/verifier_test.sh
+++ /dev/null
@@ -1,121 +0,0 @@
-#!/bin/bash
-#
-# A test suite for recovery's package signature verifier.  Run in a
-# client where you have done envsetup, lunch, etc.
-#
-# TODO: find some way to get this run regularly along with the rest of
-# the tests.
-
-EMULATOR_PORT=5580
-DATA_DIR=$ANDROID_BUILD_TOP/bootable/recovery/testdata
-
-WORK_DIR=/data/local/tmp
-
-# set to 0 to use a device instead
-USE_EMULATOR=0
-
-# ------------------------
-
-if [ "$USE_EMULATOR" == 1 ]; then
-  emulator -wipe-data -noaudio -no-window -port $EMULATOR_PORT &
-  pid_emulator=$!
-  ADB="adb -s emulator-$EMULATOR_PORT "
-else
-  ADB="adb -d "
-fi
-
-echo "waiting to connect to device"
-$ADB wait-for-device
-
-# run a command on the device; exit with the exit status of the device
-# command.
-run_command() {
-  $ADB shell "$@" \; echo \$? | awk '{if (b) {print a}; a=$0; b=1} END {exit a}'
-}
-
-testname() {
-  echo
-  echo "::: testing $1 :::"
-  testname="$1"
-}
-
-fail() {
-  echo
-  echo FAIL: $testname
-  echo
-  [ "$open_pid" == "" ] || kill $open_pid
-  [ "$pid_emulator" == "" ] || kill $pid_emulator
-  exit 1
-}
-
-
-cleanup() {
-  # not necessary if we're about to kill the emulator, but nice for
-  # running on real devices or already-running emulators.
-  run_command rm $WORK_DIR/verifier_test
-  run_command rm $WORK_DIR/package.zip
-
-  [ "$pid_emulator" == "" ] || kill $pid_emulator
-}
-
-$ADB push $ANDROID_PRODUCT_OUT/system/bin/verifier_test \
-          $WORK_DIR/verifier_test
-
-expect_succeed() {
-  testname "$1 (should succeed)"
-  $ADB push $DATA_DIR/$1 $WORK_DIR/package.zip
-  shift
-  run_command $WORK_DIR/verifier_test "$@" $WORK_DIR/package.zip || fail
-}
-
-expect_fail() {
-  testname "$1 (should fail)"
-  $ADB push $DATA_DIR/$1 $WORK_DIR/package.zip
-  shift
-  run_command $WORK_DIR/verifier_test "$@" $WORK_DIR/package.zip && fail
-}
-
-# not signed at all
-expect_fail unsigned.zip
-# signed in the pre-donut way
-expect_fail jarsigned.zip
-
-# success cases
-expect_succeed otasigned.zip -e3
-expect_succeed otasigned_f4.zip -f4
-expect_succeed otasigned_sha256.zip -e3 -sha256
-expect_succeed otasigned_f4_sha256.zip -f4 -sha256
-expect_succeed otasigned_ecdsa_sha256.zip -ec -sha256
-
-# success with multiple keys
-expect_succeed otasigned.zip -f4 -e3
-expect_succeed otasigned_f4.zip -ec -f4
-expect_succeed otasigned_sha256.zip -ec -e3 -e3 -sha256
-expect_succeed otasigned_f4_sha256.zip -ec -sha256 -e3 -f4 -sha256
-expect_succeed otasigned_ecdsa_sha256.zip -f4 -sha256 -e3 -ec -sha256
-
-# verified against different key
-expect_fail otasigned.zip -f4
-expect_fail otasigned_f4.zip -e3
-expect_fail otasigned_ecdsa_sha256.zip -e3 -sha256
-
-# verified against right key but wrong hash algorithm
-expect_fail otasigned.zip -e3 -sha256
-expect_fail otasigned_f4.zip -f4 -sha256
-expect_fail otasigned_sha256.zip
-expect_fail otasigned_f4_sha256.zip -f4
-expect_fail otasigned_ecdsa_sha256.zip
-
-# various other cases
-expect_fail random.zip
-expect_fail fake-eocd.zip
-expect_fail alter-metadata.zip
-expect_fail alter-footer.zip
-
-# --------------- cleanup ----------------------
-
-cleanup
-
-echo
-echo PASS
-echo
diff --git a/wear_touch.cpp b/wear_touch.cpp
new file mode 100644
index 0000000..f22d40b
--- /dev/null
+++ b/wear_touch.cpp
@@ -0,0 +1,177 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "common.h"
+#include "wear_touch.h"
+
+#include <dirent.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+
+#include <linux/input.h>
+
+#define DEVICE_PATH "/dev/input"
+
+WearSwipeDetector::WearSwipeDetector(int low, int high, OnSwipeCallback callback, void* cookie):
+    mLowThreshold(low),
+    mHighThreshold(high),
+    mCallback(callback),
+    mCookie(cookie),
+    mCurrentSlot(-1) {
+    pthread_create(&mThread, NULL, touch_thread, this);
+}
+
+WearSwipeDetector::~WearSwipeDetector() {
+}
+
+void WearSwipeDetector::detect(int dx, int dy) {
+    enum SwipeDirection direction;
+
+    if (abs(dy) < mLowThreshold && abs(dx) > mHighThreshold) {
+        direction = dx < 0 ? LEFT : RIGHT;
+    } else if (abs(dx) < mLowThreshold && abs(dy) > mHighThreshold) {
+        direction = dy < 0 ? UP : DOWN;
+    } else {
+        LOGD("Ignore %d %d\n", dx, dy);
+        return;
+    }
+
+    LOGD("Swipe direction=%d\n", direction);
+    mCallback(mCookie, direction);
+}
+
+void WearSwipeDetector::process(struct input_event *event) {
+    if (mCurrentSlot < 0) {
+        mCallback(mCookie, UP);
+        mCurrentSlot = 0;
+    }
+
+    if (event->type == EV_ABS) {
+        if (event->code == ABS_MT_SLOT)
+            mCurrentSlot = event->value;
+
+        // Ignore other fingers
+        if (mCurrentSlot > 0) {
+            return;
+        }
+
+        switch (event->code) {
+        case ABS_MT_POSITION_X:
+            mX = event->value;
+            mFingerDown = true;
+            break;
+
+        case ABS_MT_POSITION_Y:
+            mY = event->value;
+            mFingerDown = true;
+            break;
+
+        case ABS_MT_TRACKING_ID:
+            if (event->value < 0)
+                mFingerDown = false;
+            break;
+        }
+    } else if (event->type == EV_SYN) {
+        if (event->code == SYN_REPORT) {
+            if (mFingerDown && !mSwiping) {
+                mStartX = mX;
+                mStartY = mY;
+                mSwiping = true;
+            } else if (!mFingerDown && mSwiping) {
+                mSwiping = false;
+                detect(mX - mStartX, mY - mStartY);
+            }
+        }
+    }
+}
+
+void WearSwipeDetector::run() {
+    int fd = findDevice(DEVICE_PATH);
+    if (fd < 0) {
+        LOGE("no input devices found\n");
+        return;
+    }
+
+    struct input_event event;
+    while (read(fd, &event, sizeof(event)) == sizeof(event)) {
+        process(&event);
+    }
+
+    close(fd);
+}
+
+void* WearSwipeDetector::touch_thread(void* cookie) {
+    ((WearSwipeDetector*)cookie)->run();
+    return NULL;
+}
+
+#define test_bit(bit, array)    (array[bit/8] & (1<<(bit%8)))
+
+int WearSwipeDetector::openDevice(const char *device) {
+    int fd = open(device, O_RDONLY);
+    if (fd < 0) {
+        LOGE("could not open %s, %s\n", device, strerror(errno));
+        return false;
+    }
+
+    char name[80];
+    name[sizeof(name) - 1] = '\0';
+    if (ioctl(fd, EVIOCGNAME(sizeof(name) - 1), &name) < 1) {
+        LOGE("could not get device name for %s, %s\n", device, strerror(errno));
+        name[0] = '\0';
+    }
+
+    uint8_t bits[512];
+    memset(bits, 0, sizeof(bits));
+    int ret = ioctl(fd, EVIOCGBIT(EV_ABS, sizeof(bits)), bits);
+    if (ret > 0) {
+        if (test_bit(ABS_MT_POSITION_X, bits) && test_bit(ABS_MT_POSITION_Y, bits)) {
+            LOGD("Found %s %s\n", device, name);
+            return fd;
+        }
+    }
+
+    close(fd);
+    return -1;
+}
+
+int WearSwipeDetector::findDevice(const char* path) {
+    DIR* dir = opendir(path);
+    if (dir == NULL) {
+        LOGE("Could not open directory %s", path);
+        return false;
+    }
+
+    struct dirent* entry;
+    int ret = -1;
+    while (ret < 0 && (entry = readdir(dir)) != NULL) {
+        if (entry->d_name[0] == '.') continue;
+
+        char device[PATH_MAX];
+        device[PATH_MAX-1] = '\0';
+        snprintf(device, PATH_MAX-1, "%s/%s", path, entry->d_name);
+
+        ret = openDevice(device);
+    }
+
+    closedir(dir);
+    return ret;
+}
+
diff --git a/wear_touch.h b/wear_touch.h
new file mode 100644
index 0000000..9a1d315
--- /dev/null
+++ b/wear_touch.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __WEAR_TOUCH_H
+#define __WEAR_TOUCH_H
+
+#include <pthread.h>
+
+class WearSwipeDetector {
+
+public:
+    enum SwipeDirection { UP, DOWN, RIGHT, LEFT };
+    typedef void (*OnSwipeCallback)(void* cookie, enum SwipeDirection direction);
+
+    WearSwipeDetector(int low, int high, OnSwipeCallback cb, void* cookie);
+    ~WearSwipeDetector();
+
+private:
+    void run();
+    void process(struct input_event *event);
+    void detect(int dx, int dy);
+
+    pthread_t mThread;
+    static void* touch_thread(void* cookie);
+
+    int findDevice(const char* path);
+    int openDevice(const char* device);
+
+    int mLowThreshold;
+    int mHighThreshold;
+
+    OnSwipeCallback mCallback;
+    void *mCookie;
+
+    int mX;
+    int mY;
+    int mStartX;
+    int mStartY;
+
+    int mCurrentSlot;
+    bool mFingerDown;
+    bool mSwiping;
+};
+
+#endif // __WEAR_TOUCH_H
diff --git a/wear_ui.cpp b/wear_ui.cpp
index ebe0dfe..b437fd0 100644
--- a/wear_ui.cpp
+++ b/wear_ui.cpp
@@ -16,9 +16,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
-#include <pthread.h>
 #include <stdarg.h>
-#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/stat.h>
@@ -31,14 +29,10 @@
 
 #include "common.h"
 #include "device.h"
-#include "minui/minui.h"
 #include "wear_ui.h"
-#include "ui.h"
 #include "cutils/properties.h"
-#include "base/strings.h"
-
-static int char_width;
-static int char_height;
+#include "android-base/strings.h"
+#include "android-base/stringprintf.h"
 
 // There's only (at most) one of these objects, and global callbacks
 // (for pthread_create, and the input event system) need to find it,
@@ -61,11 +55,10 @@
     menu_unusable_rows(0),
     intro_frames(22),
     loop_frames(60),
+    animation_fps(30),
     currentIcon(NONE),
     intro_done(false),
     current_frame(0),
-    animation_fps(30),
-    rtl_locale(false),
     progressBarType(EMPTY),
     progressScopeStart(0),
     progressScopeSize(0),
@@ -84,7 +77,6 @@
     for (size_t i = 0; i < 5; i++)
         backgroundIcon[i] = NULL;
 
-    pthread_mutex_init(&updateMutex, NULL);
     self = this;
 }
 
@@ -148,41 +140,6 @@
     }
 }
 
-void WearRecoveryUI::SetColor(UIElement e) {
-    switch (e) {
-        case HEADER:
-            gr_color(247, 0, 6, 255);
-            break;
-        case MENU:
-        case MENU_SEL_BG:
-            gr_color(0, 106, 157, 255);
-            break;
-        case MENU_SEL_FG:
-            gr_color(255, 255, 255, 255);
-            break;
-        case LOG:
-            gr_color(249, 194, 0, 255);
-            break;
-        case TEXT_FILL:
-            gr_color(0, 0, 0, 160);
-            break;
-        default:
-            gr_color(255, 255, 255, 255);
-            break;
-    }
-}
-
-void WearRecoveryUI::DrawTextLine(int x, int* y, const char* line, bool bold) {
-    gr_text(x, *y, line, bold);
-    *y += char_height + 4;
-}
-
-void WearRecoveryUI::DrawTextLines(int x, int* y, const char* const* lines) {
-    for (size_t i = 0; lines != nullptr && lines[i] != nullptr; ++i) {
-        DrawTextLine(x, y, lines[i], false);
-    }
-}
-
 static const char* HEADERS[] = {
     "Swipe up/down to move.",
     "Swipe left/right to select.",
@@ -221,7 +178,7 @@
             if (menu_items > menu_end - menu_start) {
                 sprintf(cur_selection_str, "Current item: %d/%d", menu_sel + 1, menu_items);
                 gr_text(x+4, y, cur_selection_str, 1);
-                y += char_height+4;
+                y += char_height_+4;
             }
 
             // Menu begins here
@@ -232,7 +189,7 @@
                 if (i == menu_sel) {
                     // draw the highlight bar
                     SetColor(MENU_SEL_BG);
-                    gr_fill(x, y-2, gr_fb_width()-x, y+char_height+2);
+                    gr_fill(x, y-2, gr_fb_width()-x, y+char_height_+2);
                     // white text of selected item
                     SetColor(MENU_SEL_FG);
                     if (menu[i][0]) gr_text(x+4, y, menu[i], 1);
@@ -240,7 +197,7 @@
                 } else {
                     if (menu[i][0]) gr_text(x+4, y, menu[i], 0);
                 }
-                y += char_height+4;
+                y += char_height_+4;
             }
             SetColor(MENU);
             y += 4;
@@ -256,9 +213,9 @@
         int ty;
         int row = (text_top+text_rows-1) % text_rows;
         size_t count = 0;
-        for (int ty = gr_fb_height() - char_height - outer_height;
+        for (int ty = gr_fb_height() - char_height_ - outer_height;
              ty > y+2 && count < text_rows;
-             ty -= char_height, ++count) {
+             ty -= char_height_, ++count) {
             gr_text(x+4, ty, text[row], 0);
             --row;
             if (row < 0) row = text_rows-1;
@@ -324,26 +281,19 @@
     }
 }
 
-void WearRecoveryUI::LoadBitmap(const char* filename, GRSurface** surface) {
-    int result = res_create_display_surface(filename, surface);
-    if (result < 0) {
-        LOGE("missing bitmap %s\n(Code %d)\n", filename, result);
-    }
-}
-
 void WearRecoveryUI::Init()
 {
     gr_init();
 
-    gr_font_size(&char_width, &char_height);
+    gr_font_size(&char_width_, &char_height_);
 
     text_col = text_row = 0;
-    text_rows = (gr_fb_height()) / char_height;
-    visible_text_rows = (gr_fb_height() - (outer_height * 2)) / char_height;
+    text_rows = (gr_fb_height()) / char_height_;
+    visible_text_rows = (gr_fb_height() - (outer_height * 2)) / char_height_;
     if (text_rows > kMaxRows) text_rows = kMaxRows;
     text_top = 1;
 
-    text_cols = (gr_fb_width() - (outer_width * 2)) / char_width;
+    text_cols = (gr_fb_width() - (outer_width * 2)) / char_width_;
     if (text_cols > kMaxCols - 1) text_cols = kMaxCols - 1;
 
     LoadBitmap("icon_installing", &backgroundIcon[INSTALLING_UPDATE]);
@@ -369,29 +319,6 @@
     RecoveryUI::Init();
 }
 
-void WearRecoveryUI::SetLocale(const char* locale) {
-    if (locale) {
-        char* lang = strdup(locale);
-        for (char* p = lang; *p; ++p) {
-            if (*p == '_') {
-                *p = '\0';
-                break;
-            }
-        }
-
-        // A bit cheesy: keep an explicit list of supported languages
-        // that are RTL.
-        if (strcmp(lang, "ar") == 0 ||   // Arabic
-            strcmp(lang, "fa") == 0 ||   // Persian (Farsi)
-            strcmp(lang, "he") == 0 ||   // Hebrew (new language code)
-            strcmp(lang, "iw") == 0 ||   // Hebrew (old language code)
-            strcmp(lang, "ur") == 0) {   // Urdu
-            rtl_locale = true;
-        }
-        free(lang);
-    }
-}
-
 void WearRecoveryUI::SetBackground(Icon icon)
 {
     pthread_mutex_lock(&updateMutex);
@@ -653,3 +580,35 @@
     }
     pthread_mutex_unlock(&updateMutex);
 }
+
+void WearRecoveryUI::PrintOnScreenOnly(const char *fmt, ...) {
+    va_list ap;
+    va_start(ap, fmt);
+    PrintV(fmt, false, ap);
+    va_end(ap);
+}
+
+void WearRecoveryUI::PrintV(const char* fmt, bool copy_to_stdout, va_list ap) {
+    std::string str;
+    android::base::StringAppendV(&str, fmt, ap);
+
+    if (copy_to_stdout) {
+        fputs(str.c_str(), stdout);
+    }
+
+    pthread_mutex_lock(&updateMutex);
+    if (text_rows > 0 && text_cols > 0) {
+        for (const char* ptr = str.c_str(); *ptr != '\0'; ++ptr) {
+            if (*ptr == '\n' || text_col >= text_cols) {
+                text[text_row][text_col] = '\0';
+                text_col = 0;
+                text_row = (text_row + 1) % text_rows;
+                if (text_row == text_top) text_top = (text_top + 1) % text_rows;
+            }
+            if (*ptr != '\n') text[text_row][text_col++] = *ptr;
+        }
+        text[text_row][text_col] = '\0';
+        update_screen_locked();
+    }
+    pthread_mutex_unlock(&updateMutex);
+}
diff --git a/wear_ui.h b/wear_ui.h
index 259a63e..e2d6fe0 100644
--- a/wear_ui.h
+++ b/wear_ui.h
@@ -17,19 +17,13 @@
 #ifndef RECOVERY_WEAR_UI_H
 #define RECOVERY_WEAR_UI_H
 
-#include <pthread.h>
-#include <stdio.h>
+#include "screen_ui.h"
 
-#include "ui.h"
-#include "minui/minui.h"
-
-class WearRecoveryUI : public RecoveryUI {
+class WearRecoveryUI : public ScreenRecoveryUI {
   public:
     WearRecoveryUI();
 
     void Init();
-    void SetLocale(const char* locale);
-
     // overall recovery state ("background image")
     void SetBackground(Icon icon);
 
@@ -47,6 +41,7 @@
 
     // printing messages
     void Print(const char* fmt, ...);
+    void PrintOnScreenOnly(const char* fmt, ...) __printflike(2, 3);
     void ShowFile(const char* filename);
     void ShowFile(FILE* fp);
 
@@ -58,9 +53,6 @@
 
     void Redraw();
 
-    enum UIElement { HEADER, MENU, MENU_SEL_BG, MENU_SEL_FG, LOG, TEXT_FILL };
-    virtual void SetColor(UIElement e);
-
   protected:
     int progress_bar_height, progress_bar_width;
 
@@ -79,7 +71,7 @@
     int intro_frames;
     int loop_frames;
 
-    // animation's fps (default: 30)
+    // Number of frames per sec (default: 30) for both of intro and loop.
     int animation_fps;
 
   private:
@@ -89,9 +81,6 @@
 
     int current_frame;
 
-    bool rtl_locale;
-
-    pthread_mutex_t updateMutex;
     GRSurface* backgroundIcon[5];
     GRSurface* *introFrames;
     GRSurface* *loopFrames;
@@ -128,11 +117,9 @@
     void update_screen_locked();
     static void* progress_thread(void* cookie);
     void progress_loop();
-    void LoadBitmap(const char* filename, GRSurface** surface);
     void PutChar(char);
     void ClearText();
-    void DrawTextLine(int x, int* y, const char* line, bool bold);
-    void DrawTextLines(int x, int* y, const char* const* lines);
+    void PrintV(const char*, bool, va_list);
 };
 
 #endif  // RECOVERY_WEAR_UI_H