Documentation

<- Back to documentation

Building CopperheadOS from source

Build dependencies

  • x86_64 Linux build environment (OS X is not supported, unlike AOSP)
  • Android Open Source Project build dependencies
  • Linux kernel build dependencies
  • 16GiB of memory or more
  • 100GiB of free storage space

Devices

Supported

  • Nexus 9 WiFi (flounder)
  • Nexus 5X (bullhead)
  • Nexus 6P (angler)

Partially supported

CopperheadOS has initial incomplete support for these devices without the full set of functionality. These targets are untested due to not owning the devices and not expected to work reliably.

  • Pixel (sailfish)
  • Pixel XL (marlin)

Downloading source code

Note that Android’s source tree is huge, so this will use a lot of bandwidth and disk space.

You likely want to use the most recent stable tag, not the development branch.

Development branch

A single development branch is currently used to support the Nexus 9, 5X and 6P:

mkdir copperheados-nougat-mr1.1-release
cd copperheados-nougat-mr1.1-release
repo init -u https://github.com/CopperheadOS/platform_manifest.git -b nougat-mr1.1-release
repo sync -j32

Note that this branch will change to nougat-mr2-release at some point, when AOSP makes that switch. Existing devices may also split off into their own branches and new devices will likely be supported by separate branches until the next major stable release of AOSP.

Stable release

Pick a specific build for a device from the downloads page and download the source tree. Note that some devices use different Android Open Source Project branches so they end up with different tags. Make sure to use the correct tag for a device.

mkdir copperheados-NRD90U.2016.09.09.07.12.48
cd copperheados-NRD90U.2016.09.09.07.12.48
repo init -u https://github.com/CopperheadOS/platform_manifest.git -b refs/tags/NRD90U.2016.09.09.07.12.48

Verify the manifest:

gpg --recv-keys 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
gpg --recv-keys 4340D13570EF945E83810964E8AD3F819AB10E78
cd .repo/manifests.git
git verify-tag --raw $(git describe)
cd ../..

Complete the source tree download:

repo sync -j32

Verify the source tree:

cd ../..
repo forall -c 'git verify-tag --raw $(git describe)' || echo Verification failed!

These instructions will be extended in the future to check the verify-tag output.

Note that the repo command itself takes care of updating itself and uses gpg to verify by default.

Updating and switches branches/tags

To update the source tree, run the repo init command again to select the branch or tag and then run repo sync -j32 again. You don’t need to start over to switch between different branches or tags. You may need to run repo init again to continue down the same branch since CopperheadOS only provides a stable history via tags.

Building

The build has to be done from bash as envsetup.sh is not compatible with other shells like zsh.

Set up the build environment:

source build/envsetup.sh
export LANG=C
unset _JAVA_OPTIONS
export BUILD_NUMBER=$(date --utc +%Y.%m.%d.%H.%M.%S)
export DISPLAY_BUILD_NUMBER=true
chrt -b -p 0 $$

Select the desired build target (aosp_bullhead is the Nexus 5X):

choosecombo release aosp_bullhead user

For a development build, you may want to replace user with userdebug in order to have better debugging support. Production builds should be user builds as they are significantly more secure.

Start the build process, with -j# used to set the number of parallel jobs to the number of CPU threads. You also need 2-4GiB of memory per job, so reduce it based on available memory if necessary:

make target-files-package -j20

Faster builds for development use only

The normal production build process involves building a target files package to be resigned with secure release keys and then converted into factory images and/or an update zip via the sections below. If you have a dedicated development device with no security requirements, you can save time by using the default make target, leaving the bootloader unlocked and flashing the raw images that are signed with the default public test keys:

make -j20

Technically, you could generate test key signed update packages. However, there’s no point of sideloading update packages when the bootloader is unlocked and there’s no value in a locked bootloader without signing the build using release keys, since verified boot will be meaningless and the keys used to verify sideloaded updates are also public. The only reason to use update packages or a locked bootloader without signing the build with release keys would be testing that functionality and it makes a lot more sense to test it with proper signing keys rather than the default public test keys.

Generating release signing keys

Next, keys need to be generated for signing the build. The sample certificate subject can be replaced with your own information or simply left as-is. This only has to be done for your first release build, and then the keys are reused for subsequent updates.

The keys should not be given passwords due to limitations in the upstream scripts. If you want to secure them at rest, you should take a different approach where they can still be available to the signing scripts as a directory of unencrypted keys.

mkdir keys
cd keys
../development/tools/make_key releasekey '/C=CA/ST=Ontario/L=Toronto/O=CopperheadOS/OU=CopperheadOS/CN=CopperheadOS/emailAddress=copperheados@copperhead.co'
../development/tools/make_key platform '/C=CA/ST=Ontario/L=Toronto/O=CopperheadOS/OU=CopperheadOS/CN=CopperheadOS/emailAddress=copperheados@copperhead.co'
../development/tools/make_key shared '/C=CA/ST=Ontario/L=Toronto/O=CopperheadOS/OU=CopperheadOS/CN=CopperheadOS/emailAddress=copperheados@copperhead.co'
../development/tools/make_key media '/C=CA/ST=Ontario/L=Toronto/O=CopperheadOS/OU=CopperheadOS/CN=CopperheadOS/emailAddress=copperheados@copperhead.co'
../development/tools/make_key verity '/C=CA/ST=Ontario/L=Toronto/O=CopperheadOS/OU=CopperheadOS/CN=CopperheadOS/emailAddress=copperheados@copperhead.co'
cd ..

Generate the verity public key:

make -j20 generate_verity_key
out/host/linux-x86/bin/generate_verity_key -convert keys/verity.x509.pem keys/verity_key

Generating signed factory images and full update packages

For the Pixel and Pixel XL, build the tool needed to generate A/B updates:

make -j20 brillo_update_payload

Generate a signed release build with the release.sh script:

./release.sh bullhead

The factory images and update package will be in out/release-bullhead.

release.sh:

#!/bin/bash

user_error() {
  echo user error, please replace user and try again >&2
  exit 1
}

[[ $# -eq 1 ]] || user_error
[[ -n $BUILD_NUMBER ]] || user_error

KEY_DIR=keys
OUT=out/release-$1-$BUILD_NUMBER

source device/common/clear-factory-images-variables.sh

get_radio_image() {
  grep -Po "require version-$1=\K.+" vendor/$2/vendor-board-info.txt | tr '[:upper:]' '[:lower:]'
}

if [[ $1 == bullhead ]]; then
  BOOTLOADER=$(get_radio_image bootloader lge/$1)
  RADIO=$(get_radio_image baseband lge/$1)
elif [[ $1 == flounder ]]; then
  BOOTLOADER=$(get_radio_image bootloader htc/$1)
elif [[ $1 == angler ]]; then
  BOOTLOADER=$(get_radio_image bootloader huawei/$1)
  RADIO=$(get_radio_image baseband huawei/$1)
elif [[ $1 == marlin ]]; then
  BOOTLOADER=$(get_radio_image bootloader google_devices/$1)
  RADIO=$(get_radio_image baseband google_devices/$1)
elif [[ $1 == sailfish ]]; then
  BOOTLOADER=$(get_radio_image bootloader google_devices/$1)
  RADIO=$(get_radio_image baseband google_devices/$1)
else
  user_error
fi

BUILD=$BUILD_NUMBER
VERSION=$(grep -Po "export BUILD_ID=\K.+" build/core/build_id.mk | tr '[:upper:]' '[:lower:]')
DEVICE=$1
PRODUCT=$1

mkdir -p $OUT || exit 1

TARGET_FILES=$DEVICE-target_files-$BUILD.zip

if [[ $DEVICE == bullhead ]]; then
  EXTRA_OTA=(-b device/lge/bullhead/update-binary)
fi

build/tools/releasetools/sign_target_files_apks -o -d "$KEY_DIR" \
  --replace_verity_public_key "$KEY_DIR/verity_key.pub" --replace_verity_private_key "$KEY_DIR/verity" \
  out/target/product/$DEVICE/obj/PACKAGING/target_files_intermediates/aosp_$DEVICE-target_files-$BUILD_NUMBER.zip \
  $OUT/$TARGET_FILES || exit 1

build/tools/releasetools/ota_from_target_files --block -k "$KEY_DIR/releasekey" "${EXTRA_OTA[@]}" $OUT/$TARGET_FILES \
  $OUT/$DEVICE-ota_update-$BUILD.zip || exit 1

build/tools/releasetools/img_from_target_files -n $OUT/$TARGET_FILES \
  $OUT/$DEVICE-img-$BUILD.zip || exit 1

cd $OUT || exit 1

source ../../device/common/generate-factory-images-common.sh

mv $DEVICE-$VERSION-factory.tar $DEVICE-factory-$BUILD_NUMBER.tar
rm -f $DEVICE-factory-$BUILD_NUMBER.tar.xz
xz -v --lzma2=dict=512MiB,lc=3,lp=0,pb=2,mode=normal,nice=64,mf=bt4,depth=0 $DEVICE-factory-$BUILD_NUMBER.tar

Prebuilt code

Like the Android Open Source Project, CopperheadOS contains some code that’s built separately and then bundled into the source tree as binaries. Ideally, everything would be built-in tree with the AOSP build system but it’s not always practical.

Kernel

Unlike AOSP, CopperheadOS builds the kernel as part of the operating system rather than bundling a pre-built kernel image.

Chromium and WebView

Chromium and the WebView are independent applications built from the Chromium source tree. AOSP only includes the WebView as Chrome is added as part of the Google Play components. There are prebuilt apks bundled at platform/external/chromium and platform/external/chromium-webview.

See Chromium’s Android build instructions for details on obtaining the prerequisites.

mkdir chromium
cd chromium
fetch --nohooks android --target_os_only=true

Sync to the latest stable release, which was 55.0.2883.91 at the time of writing:

gclient sync --with_branch_heads -r 55.0.2883.91

Apply the CopperheadOS patches on top of the tagged release:

git clone https://github.com/CopperheadOS/chromium_patches.git
cd src
git am ../chromium_patches/*.patch

Note that we don’t have our own public repository at the moment because Chromium is too large to host it on GitHub or Bitbucket where we are hosting the other repositories.

Then, configure the build in the src directory:

gn args out/Default

CopperheadOS configuration:

target_os = "android"
target_cpu = "arm64"
is_debug = false

is_official_build = true
is_component_build = false
symbol_level = 0

ffmpeg_branding = "Chrome"
proprietary_codecs = true

android_channel = "stable"
android_default_version_name = "55.0.2883.91"
android_default_version_code = "288309150"

To build Chromium:

ninja -C out/Default/ chrome_modern_public_apk

To build the WebView:

ninja -C out/Default/ system_webview_apk

The apks are signed as part of the build process for the OS after they’re bundled into external/chromium and external/chromium-webview.

Silence

A prebuilt Silence app is included in platform/external/Silence as a replacement for the AOSP Messaging app. It has many external dependencies including legacy Android SDK dependencies so an in-tree build is impractical right now.

See the Silence build instructions for details.