Android RILD详解

前言

在上一篇文章里(http://sniffer.site/2016/11/29/Android-RILD%E8%AF%A6%E8%A7%A3/),简要介绍了Android RIL的架构。这一篇文章,就来看一看RILD(RIL Daemon)相关的内容。Android RIL在HAL(Hardware Abstract Layer)层(C++层)由三个部分组成:

  • RILD是系统的守护进程,主要用于初始化LIBRIL以及启动厂商自定义的Vendor RIL;
  • LIBRIL库被RILD初始化完成后,用于与Vendor RIL之间进行交互,负责接收、发送指令;
  • Vendor RIL库是第三方厂商自定义的一个库,用于向Modem发送指令或者接收来自LIBRIL或者Modem的指令, Android有一个基于AT指令的默认参考实现(reference-ril)

三者之间的关系图如下所示:

RILD and LIBRIL

从这里可以看到,RILD在启动时,负责将LibRil以及Vendor RIL进行初始化,将相应的回调函数以及调用接口进行注册,LibRIL向vendor RIL提供了接口RIL_Env,当Vendor有消息时,利用该回调返回;而Vendor RIL 同样提供了接口RIL_RadioFunctions,给LibRIl调用。这里涉及到3个主要问题:

  1. RILD是如何启动?
  2. RILD是如何进行初始化操作的?
  3. 初始完成后,LIBRIL是如何进行消息的接收与发送的?

RILD是如何启动的

RILD(RIL Daemon)是系统的守护进程,系统已启动,就会一直运行。手机开机时,kernel完成初始化后,Android启动一个初始化进程Init用于加载系统基础服务,如文件系统,zygote进程,服务管家ServiceManager,以及RILD:

1
2
3
4
5
6
7

service ril-daemon /system/bin/rild
class main
socket rild stream 660 root radio
socket rild-debug stream 660 radio system
user root
group radio cache inet misc audio log

这里,init进程从手机文件系统目录system/bin/rild中读取RILD的可执行文件,加载到内存运行;同时,创建两个socket端口:rild和rild-debug,其中rild用于RILJ与RILD之间的数据通信,而rild-debug则用于RILJ与RILD的调试。

RILD是如何进行初始化的

RILD启动后,一方面会去初始化Vendor RIL,将LIBRIL的回调接口RIL_Env传递给Vendor RIL;同时将Vendor RIL的接口RIL_RadioFunctions注册到LIBRIL中,这样一旦初始化完成,LIBRIL与Vendor RIL就可以进行数据的交换了。

来看一看RILD的代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

int main(int argc, char **argv)
{
...
// Vendor RIL接口函数
const RIL_RadioFunctions *(*rilInit)(const struct RIL_Env *, int, char **);
const RIL_RadioFunctions *funcs;
...

OpenLib:

//从指定路径加载RILD可执行文件
dlHandle = dlopen(rilLibPath, RTLD_NOW);

if (dlHandle == NULL) {
RLOGE("dlopen failed: %s", dlerror());
exit(EXIT_FAILURE);
}

// 启动LIBRIL的事件处理线程
RIL_startEventLoop();
// Vendor RIL初始化函数,返回一个RIL_RadioFunctions
rilInit = (const RIL_RadioFunctions *(*)(const struct RIL_Env *, int, char **))dlsym(dlHandle, "RIL_Init");
...
funcs = rilInit(&s_rilEnv, argc, rilArgv);
RLOGD("RIL_Init rilInit completed");
// 将 RIL_RadioFunctions注册到LIBRIL中
RIL_register(funcs);

RLOGD("RIL_Init RIL_register completed");
}

RILD初始化主要完成两件事:(1) 加载Vendor RIL的代码,并对其进行初始化操作,将LIBRIL的接口RIL_Env传递给Vendor RIL,用于回调;(2)开始RIL事件处理线程;(3)将Vendor RIL的接口注册到LIBRIL中,这样LIBRIL就可以将消息发送给Vendor RIL了。

  • RIL_startEventLoop()启动RIL事件处理线程:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53

extern "C" void RIL_startEventLoop(void) {
/* spin up eventLoop thread and wait for it to get started */
s_started = 0;
pthread_mutex_lock(&s_startupMutex);
...
// eventLoop函数才是真正开始启动事件处理线程的地方
int result = pthread_create(&s_tid_dispatch, &attr, eventLoop, NULL);
if (result != 0) {
RLOGE("Failed to create dispatch thread: %s", strerror(result));
goto done;
}

while (s_started == 0) {
pthread_cond_wait(&s_startupCond, &s_startupMutex);
}

done:
pthread_mutex_unlock(&s_startupMutex);
}

// evetLoop

static void *eventLoop(void *param) {
int ret;
int filedes[2];
//初始化事件队列
ril_event_init();

pthread_mutex_lock(&s_startupMutex);

s_started = 1;
pthread_cond_broadcast(&s_startupCond);

pthread_mutex_unlock(&s_startupMutex);

ret = pipe(filedes);
// 用于监听wakeup事件的pipe端口
s_fdWakeupRead = filedes[0];
s_fdWakeupWrite = filedes[1];
//设置线程唤醒事件,唤醒时,回调processWakeupCallback函数
ril_event_set (&s_wakeupfd_event, s_fdWakeupRead, true,
processWakeupCallback, NULL);

rilEventAddWakeup (&s_wakeupfd_event);

// 真正干活的函数
ril_event_loop();
// kill self to restart on error
kill(0, SIGKILL);

return NULL;
}
  • RILD初始化vendor RIL之后,将返回的RIL_RadioFunctions返回给RILD,RILD接着将其注册到LIBRIL中:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

extern "C" void RIL_register (const RIL_RadioFunctions *callbacks) {
...
/* Initialize socket1 parameters */
s_ril_param_socket = {
RIL_SOCKET_1, /* socket_id */
-1, /* fdListen */
-1, /* fdCommand */
PHONE_PROCESS, /* processName */
&s_commands_event, /* commands_event */
&s_listen_event, /* listen_event */
processCommandsCallback, /* processCommandsCallback */
NULL /* p_rs */
};
....
// back compatibility
if (s_started == 0) {
RIL_startEventLoop();
}

// start listen socket1
startListen(RIL_SOCKET_1, &s_ril_param_socket);
}

// startListen
static void startListen(RIL_SOCKET_ID socket_id, SocketListenParam* socket_listen_p) {
int fdListen = -1;
int ret;
char socket_name[10];

memset(socket_name, 0, sizeof(char)*10);

switch(socket_id) {
case RIL_SOCKET_1:
strncpy(socket_name, RIL_getRilSocketName(), 9);
break;
....
// 获取 Unix domain socket对应的FD
fdListen = android_get_control_socket(socket_name);
// 监听端口
ret = listen(fdListen, 4);

socket_listen_p->fdListen = fdListen;
// 设置监听回调事件 listenCallback,RILJ主动连接RILD时,处理该回调
/* note: non-persistent so we can accept only one connection at a time */
ril_event_set (socket_listen_p->listen_event, fdListen, false,
listenCallback, socket_listen_p);
//添加到事件队列中,并唤醒事件处理线程
rilEventAddWakeup (socket_listen_p->listen_event);
}

源代码: /hardware/ril/libril/ril.cpp

接下来,我们就来看一看LIBRIL与Vendor RIL各自提供的接口函数。 这两个接口都在/hardware/ril/include/telephony/ril.h中进行了声明。

Vendor RIL主要提供了5个接口,供LIBRIL调用:

  • RIL_RequestFunc是最主要的一个,所有从RILJ发送过来的请求均由该接口发送给Vendor RIL;
  • RIL_RadioStateRequest从LIBRIL获取modem的即时状态;
  • RIL_Supports判断Vendor RIL是否支持某个请求命令;
  • RIL_Cancel取消某个请求命令;
  • RIL_GetVersion获取RIL的版本号;
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

typedef struct {
int version; /* set to RIL_VERSION */
RIL_RequestFunc onRequest;
RIL_RadioStateRequest onStateRequest;
RIL_Supports supports;
RIL_Cancel onCancel;
RIL_GetVersion getVersion;
} RIL_RadioFunctions;


// 将从RILJ发送过来的请求发送给Vendor RIL
typedef void (*RIL_RequestFunc) (int request, void *data,
size_t datalen, RIL_Token t, RIL_SOCKET_ID socket_id);
// 获取 modem 状态
typedef RIL_RadioState (*RIL_RadioStateRequest)(RIL_SOCKET_ID socket_id);

LIBRIL则向Vendor RIL提供了3个接口:

  • OnRequestComplete:RIL请求完成后,通过该接口将数据返回给LIBRIL,由LIBRIL将数据写入socket RILD;
  • OnUnsolicitedResponse:CP主动上报消息给Vendor RIL后,通过该接口将消息传给LIBRIL;
  • RequestTimedCallback:在指定时间内,LIBRIL调用回调函数RequestTimedCallback
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

struct RIL_Env {
// 请求完成,返回给LIBRIL
void (*OnRequestComplete)(RIL_Token t, RIL_Errno e,
void *response, size_t responselen);

// Vendor RIL接收到从CP主动上报的消息后,传给LIBRIL
#if defined(ANDROID_MULTI_SIM)
void (*OnUnsolicitedResponse)(int unsolResponse, const void *data, size_t datalen, RIL_SOCKET_ID socket_id);
#else
/**
* "unsolResponse" is one of RIL_UNSOL_RESPONSE_*
* "data" is pointer to data defined for that RIL_UNSOL_RESPONSE_*
*/
void (*OnUnsolicitedResponse)(int unsolResponse, const void *data, size_t datalen);
#endif
/**
* Call user-specifed "callback" function on on the same thread that
* RIL_RequestFunc is called. If "relativeTime" is specified, then it specifies
* a relative time value at which the callback is invoked. If relativeTime is
* NULL or points to a 0-filled structure, the callback will be invoked as
* soon as possible
*/
// 指定时间内LIBRIL调用回调函数RIL_TimedCallback
void (*RequestTimedCallback) (RIL_TimedCallback callback,
void *param, const struct timeval *relativeTime);
};

代码路径: /hardware/ril/rild/rild.c

初始化完成了 ,那么RIL事件处理线程是从何时开始处理事件的了?RIL事件处理线程是怎么又是同时处理来自RILJ以及Vendor RIL的消息的?下面就来看一看LIBRIL如何处理RIL事件的。

LIBRIL如何处理RIL事件

为处理RIL事件,LIBRIL提供了3个事件队列(由双向列表组成):

1
2
3
4

static struct ril_event * watch_table[MAX_FD_EVENTS];
static struct ril_event timer_list;
static struct ril_event pending_list;

其中,watch_table用于事件的监测,timer_list保存定时事件,而pending_list用于保存即将被处理的事件列表。对LIBRIL来讲,有3种类型的RIL事件需要处理:

1
2
3
4
5
6
7

// RILJ请求事件
static struct ril_event s_commands_event;
// 事件处理线程唤醒事件
static struct ril_event s_wakeupfd_event;
// RILD socket端口监听事件
static struct ril_event s_listen_event;

上一节我们了解到,在RIL事件处理线程开始时,LIBRIL会添加一个s_wakeupfd_event的唤醒事件,必要时对线程进行唤醒操作;在注册Vendor RIL的接口时,注册一个监听事件s_listen_event,当RILJ尝试通过socket连接RILD时,处理该事件;当RILJ与RILD连接成功后,处理回调函数listenCallback时,会添加一个 s_commands_event事件,用于处理RILD socket的数据。

那么,LIBRIL是从何时开始处理这些事件的?上一节我们了解到,初始化时,LIBRIL启动了一个专门的线程来处理RIL事件:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

void ril_event_loop()
{
int n;
fd_set rfds;
struct timeval tv;
struct timeval * ptv;

for (;;) {

// make local copy of read fd_set
memcpy(&rfds, &readFds, sizeof(fd_set));
....
// 从FD集合中选择可用的端口
n = select(nfds, &rfds, NULL, NULL, ptv);
....
// 处理timer队列中超时的事件
processTimeouts();
// 处理监测队列中的事件: listenCallback,
processReadReadies(&rfds, n);
// OK,fire pending list
firePending();
}
}

该线程,一直监听FD(File Descriptor)集合readFds,如果有数据时,就会立即返回,进而开始执行事件的处理:首先处理定时事件队列中的event,如果发现有超时的事件,就将其加入pending队列中;接着,查看监测表(保存了最多8个事件)中是否有readFds对应的RIL事件,如果存在,则也将其放入到pending队列。最后,就要开始处理pending队列了:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

static void firePending()
{
dlog("~~~~ +firePending ~~~~");
struct ril_event * ev = pending_list.next;
while (ev != &pending_list) {
struct ril_event * next = ev->next;
removeFromList(ev);
// 执行回调函数: processWakeupCallback,listenCallback,processCommandsCallback...
ev->func(ev->fd, 0, ev->param);
ev = next;
}
dlog("~~~~ -firePending ~~~~");
}

源码:/android/hardware/ril/libril/samsung/ril_event.cpp

LIBRIL事件处理线程开始时,只有两个事件:s_wakeupfd_events_listen_events_wakeupfd_event事件在添加s_listen_event事件,需要唤醒RIL事件处理线程被执行:

1
2
3
4
5
6
7
8
9
10
11

static void triggerEvLoop() {
int ret;
if (!pthread_equal(pthread_self(), s_tid_dispatch)) {
/* trigger event loop to wakeup. No reason to do this,
* if we're in the event loop thread */
do {
ret = write (s_fdWakeupWrite, " ", 1);
} while (ret < 0 && errno == EINTR);
}
}

接着,开始执行s_listen_event事件,调用回调函数listenCallback:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

static void listenCallback (int fd, short flags, void *param) {
....
// 接受RILJ的链接请求
fdCommand = accept(fd, (sockaddr *) &peeraddr, &socklen);

/* check the credential of the other side and only accept socket from
* phone process
*/
is_phone_socket = 0;

err = getsockopt(fdCommand, SOL_SOCKET, SO_PEERCRED, &creds, &szCreds);

....

ret = fcntl(fdCommand, F_SETFL, O_NONBLOCK);
....

p_info->fdCommand = fdCommand;

p_rs = record_stream_new(p_info->fdCommand, MAX_COMMAND_BYTES);

p_info->p_rs = p_rs;
ril_event_set (p_info->commands_event, p_info->fdCommand, 1,
p_info->processCommandsCallback, p_info);
// 添加指令事件`s_commands_event`
rilEventAddWakeup (p_info->commands_event);
// 建立新的连接,告知RILJ链接成功,并上报radio状态
onNewCommandConnect(p_info->socket_id);
}

下次处理pending事件队列时,处理s_commands_event,调用回调函数processCommandsCallback

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

static void processCommandsCallback(int fd, short flags, void *param) {
// 循环读 RILD socket接口数据流
for (;;) {
/* loop until EAGAIN/EINTR, end of stream, or other error */
// 读取 socket数据流
ret = record_stream_get_next(p_rs, &p_record, &recordlen);

if (ret == 0 && p_record == NULL) {
/* end-of-stream */
break;
} else if (ret < 0) {
break;
} else if (ret == 0) { /* && p_record != NULL */
processCommandBuffer(p_record, recordlen, p_info->socket_id);
}
}
....


// processCommandBuffer
static int processCommandBuffer(void *buffer, size_t buflen, RIL_SOCKET_ID socket_id) {

RequestInfo *pRI;
...
pRI = (RequestInfo *)calloc(1, sizeof(RequestInfo));

pRI->token = token;
// 根据 RILJ的REQUEST类型来获取CommandInfo
pRI->pCI = &(s_commands[request]);
pRI->socket_id = socket_id;
...
// 将请求分配给对应的函数处理
pRI->pCI->dispatchFunction(p, pRI);

return 0;
}

}

上述代码中,s_commands将所有RILJ的请求命令,对应的请求函数以及响应处理函数组成一个类型为commandInfo的结构体数组,等请求从CP返回时,就可以调用对应的响应函数来处理返回的结果了:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

static CommandInfo s_commands[] = {
#include "ril_commands.h"
};

{0, NULL, NULL}, //none
{RIL_REQUEST_GET_SIM_STATUS, dispatchVoid, responseSimStatus},
{RIL_REQUEST_ENTER_SIM_PIN, dispatchStrings, responseInts},
{RIL_REQUEST_ENTER_SIM_PUK, dispatchStrings, responseInts},
{RIL_REQUEST_ENTER_SIM_PIN2, dispatchStrings, responseInts},
{RIL_REQUEST_ENTER_SIM_PUK2, dispatchStrings, responseInts},
{RIL_REQUEST_CHANGE_SIM_PIN, dispatchStrings, responseInts},
{RIL_REQUEST_CHANGE_SIM_PIN2, dispatchStrings, responseInts},
....

源码: /android/hardware/ril/libril/samsung/ril_commands.h

参考文献