recovery: Switch to clang
am: 7101b2e285  -s ours

* commit '7101b2e2854985727b7ef65e5b5057e0ecf2d034':
  recovery: Switch to clang
diff --git a/Android.mk b/Android.mk
index ac1ef83..22e7802 100644
--- a/Android.mk
+++ b/Android.mk
@@ -16,7 +16,7 @@
 
 include $(CLEAR_VARS)
 
-LOCAL_SRC_FILES := fuse_sideload.c
+LOCAL_SRC_FILES := fuse_sideload.cpp
 LOCAL_CLANG := true
 LOCAL_CFLAGS := -O2 -g -DADB_HOST=0 -Wall -Wno-unused-parameter
 LOCAL_CFLAGS += -D_XOPEN_SOURCE -D_GNU_SOURCE
@@ -33,7 +33,7 @@
     asn1_decoder.cpp \
     bootloader.cpp \
     device.cpp \
-    fuse_sdcard_provider.c \
+    fuse_sdcard_provider.cpp \
     install.cpp \
     recovery.cpp \
     roots.cpp \
@@ -46,9 +46,11 @@
 
 LOCAL_FORCE_STATIC_EXECUTABLE := true
 
+ifeq ($(TARGET_USERIMAGES_USE_F2FS),true)
 ifeq ($(HOST_OS),linux)
 LOCAL_REQUIRED_MODULES := mkfs.f2fs
 endif
+endif
 
 RECOVERY_API_VERSION := 3
 RECOVERY_FSTAB_VERSION := 2
@@ -77,7 +79,6 @@
     libcutils \
     liblog \
     libselinux \
-    libstdc++ \
     libm \
     libc
 
@@ -122,7 +123,6 @@
     libminui \
     libminzip \
     libcutils \
-    libstdc++ \
     libc
 include $(BUILD_EXECUTABLE)
 
diff --git a/applypatch/Android.mk b/applypatch/Android.mk
index 4936db2..cc17a13 100644
--- a/applypatch/Android.mk
+++ b/applypatch/Android.mk
@@ -17,42 +17,42 @@
 include $(CLEAR_VARS)
 
 LOCAL_CLANG := true
-LOCAL_SRC_FILES := applypatch.c bspatch.c freecache.c imgpatch.c utils.c
+LOCAL_SRC_FILES := applypatch.cpp bspatch.cpp freecache.cpp imgpatch.cpp utils.cpp
 LOCAL_MODULE := libapplypatch
 LOCAL_MODULE_TAGS := eng
 LOCAL_C_INCLUDES += external/bzip2 external/zlib bootable/recovery
-LOCAL_STATIC_LIBRARIES += libmtdutils libmincrypt libbz libz
+LOCAL_STATIC_LIBRARIES += libbase libmtdutils libmincrypt libbz libz
 
 include $(BUILD_STATIC_LIBRARY)
 
 include $(CLEAR_VARS)
 
 LOCAL_CLANG := true
-LOCAL_SRC_FILES := main.c
+LOCAL_SRC_FILES := main.cpp
 LOCAL_MODULE := applypatch
 LOCAL_C_INCLUDES += bootable/recovery
-LOCAL_STATIC_LIBRARIES += libapplypatch libmtdutils libmincrypt libbz
-LOCAL_SHARED_LIBRARIES += libz libcutils libstdc++ libc
+LOCAL_STATIC_LIBRARIES += libapplypatch libbase libmtdutils libmincrypt libbz
+LOCAL_SHARED_LIBRARIES += libz libcutils libc
 
 include $(BUILD_EXECUTABLE)
 
 include $(CLEAR_VARS)
 
 LOCAL_CLANG := true
-LOCAL_SRC_FILES := main.c
+LOCAL_SRC_FILES := main.cpp
 LOCAL_MODULE := applypatch_static
 LOCAL_FORCE_STATIC_EXECUTABLE := true
 LOCAL_MODULE_TAGS := eng
 LOCAL_C_INCLUDES += bootable/recovery
-LOCAL_STATIC_LIBRARIES += libapplypatch libmtdutils libmincrypt libbz
-LOCAL_STATIC_LIBRARIES += libz libcutils libstdc++ libc
+LOCAL_STATIC_LIBRARIES += libapplypatch libbase libmtdutils libmincrypt libbz
+LOCAL_STATIC_LIBRARIES += libz libcutils libc
 
 include $(BUILD_EXECUTABLE)
 
 include $(CLEAR_VARS)
 
 LOCAL_CLANG := true
-LOCAL_SRC_FILES := imgdiff.c utils.c bsdiff.c
+LOCAL_SRC_FILES := imgdiff.cpp utils.cpp bsdiff.cpp
 LOCAL_MODULE := imgdiff
 LOCAL_FORCE_STATIC_EXECUTABLE := true
 LOCAL_C_INCLUDES += external/zlib external/bzip2
diff --git a/applypatch/applypatch.c b/applypatch/applypatch.cpp
similarity index 78%
rename from applypatch/applypatch.c
rename to applypatch/applypatch.cpp
index 2358d42..1767761 100644
--- a/applypatch/applypatch.c
+++ b/applypatch/applypatch.cpp
@@ -15,6 +15,7 @@
  */
 
 #include <errno.h>
+#include <fcntl.h>
 #include <libgen.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -22,14 +23,15 @@
 #include <sys/stat.h>
 #include <sys/statfs.h>
 #include <sys/types.h>
-#include <fcntl.h>
 #include <unistd.h>
-#include <stdbool.h>
+
+#include <base/strings.h>
 
 #include "mincrypt/sha.h"
 #include "applypatch.h"
 #include "mtdutils/mtdutils.h"
 #include "edify/expr.h"
+#include "print_sha1.h"
 
 static int LoadPartitionContents(const char* filename, FileContents* file);
 static ssize_t FileSink(const unsigned char* data, ssize_t len, void* token);
@@ -43,7 +45,7 @@
                           size_t target_size,
                           const Value* bonus_data);
 
-static int mtd_partitions_scanned = 0;
+static bool mtd_partitions_scanned = false;
 
 // Read a file into memory; store the file contents and associated
 // metadata in *file.
@@ -65,7 +67,7 @@
     }
 
     file->size = file->st.st_size;
-    file->data = malloc(file->size);
+    file->data = reinterpret_cast<unsigned char*>(malloc(file->size));
 
     FILE* f = fopen(filename, "rb");
     if (f == NULL) {
@@ -75,10 +77,9 @@
         return -1;
     }
 
-    ssize_t bytes_read = fread(file->data, 1, file->size, f);
-    if (bytes_read != file->size) {
-        printf("short read of \"%s\" (%ld bytes of %ld)\n",
-               filename, (long)bytes_read, (long)file->size);
+    size_t bytes_read = fread(file->data, 1, file->size, f);
+    if (bytes_read != static_cast<size_t>(file->size)) {
+        printf("short read of \"%s\" (%zu bytes of %zd)\n", filename, bytes_read, file->size);
         free(file->data);
         file->data = NULL;
         return -1;
@@ -89,21 +90,6 @@
     return 0;
 }
 
-static size_t* size_array;
-// comparison function for qsort()ing an int array of indexes into
-// size_array[].
-static int compare_size_indices(const void* a, const void* b) {
-    int aa = *(int*)a;
-    int bb = *(int*)b;
-    if (size_array[aa] < size_array[bb]) {
-        return -1;
-    } else if (size_array[aa] > size_array[bb]) {
-        return 1;
-    } else {
-        return 0;
-    }
-}
-
 // Load the contents of an MTD or EMMC partition into the provided
 // FileContents.  filename should be a string of the form
 // "MTD:<partition_name>:<size_1>:<sha1_1>:<size_2>:<sha1_2>:..."  (or
@@ -122,85 +108,74 @@
 enum PartitionType { MTD, EMMC };
 
 static int LoadPartitionContents(const char* filename, FileContents* file) {
-    char* copy = strdup(filename);
-    const char* magic = strtok(copy, ":");
-
-    enum PartitionType type;
-
-    if (strcmp(magic, "MTD") == 0) {
-        type = MTD;
-    } else if (strcmp(magic, "EMMC") == 0) {
-        type = EMMC;
-    } else {
-        printf("LoadPartitionContents called with bad filename (%s)\n",
-               filename);
+    std::string copy(filename);
+    std::vector<std::string> pieces = android::base::Split(copy, ":");
+    if (pieces.size() < 4 || pieces.size() % 2 != 0) {
+        printf("LoadPartitionContents called with bad filename (%s)\n", filename);
         return -1;
     }
-    const char* partition = strtok(NULL, ":");
 
-    int i;
-    int colons = 0;
-    for (i = 0; filename[i] != '\0'; ++i) {
-        if (filename[i] == ':') {
-            ++colons;
-        }
+    enum PartitionType type;
+    if (pieces[0] == "MTD") {
+        type = MTD;
+    } else if (pieces[0] == "EMMC") {
+        type = EMMC;
+    } else {
+        printf("LoadPartitionContents called with bad filename (%s)\n", filename);
+        return -1;
     }
-    if (colons < 3 || colons%2 == 0) {
-        printf("LoadPartitionContents called with bad filename (%s)\n",
-               filename);
-    }
+    const char* partition = pieces[1].c_str();
 
-    int pairs = (colons-1)/2;     // # of (size,sha1) pairs in filename
-    int* index = malloc(pairs * sizeof(int));
-    size_t* size = malloc(pairs * sizeof(size_t));
-    char** sha1sum = malloc(pairs * sizeof(char*));
+    size_t pairs = (pieces.size() - 2) / 2;    // # of (size, sha1) pairs in filename
+    std::vector<size_t> index(pairs);
+    std::vector<size_t> size(pairs);
+    std::vector<std::string> sha1sum(pairs);
 
-    for (i = 0; i < pairs; ++i) {
-        const char* size_str = strtok(NULL, ":");
-        size[i] = strtol(size_str, NULL, 10);
+    for (size_t i = 0; i < pairs; ++i) {
+        size[i] = strtol(pieces[i*2+2].c_str(), NULL, 10);
         if (size[i] == 0) {
             printf("LoadPartitionContents called with bad size (%s)\n", filename);
             return -1;
         }
-        sha1sum[i] = strtok(NULL, ":");
+        sha1sum[i] = pieces[i*2+3].c_str();
         index[i] = i;
     }
 
-    // sort the index[] array so it indexes the pairs in order of
-    // increasing size.
-    size_array = size;
-    qsort(index, pairs, sizeof(int), compare_size_indices);
+    // Sort the index[] array so it indexes the pairs in order of increasing size.
+    sort(index.begin(), index.end(),
+        [&](const size_t& i, const size_t& j) {
+            return (size[i] < size[j]);
+        }
+    );
 
     MtdReadContext* ctx = NULL;
     FILE* dev = NULL;
 
     switch (type) {
-        case MTD:
+        case MTD: {
             if (!mtd_partitions_scanned) {
                 mtd_scan_partitions();
-                mtd_partitions_scanned = 1;
+                mtd_partitions_scanned = true;
             }
 
             const MtdPartition* mtd = mtd_find_partition_by_name(partition);
             if (mtd == NULL) {
-                printf("mtd partition \"%s\" not found (loading %s)\n",
-                       partition, filename);
+                printf("mtd partition \"%s\" not found (loading %s)\n", partition, filename);
                 return -1;
             }
 
             ctx = mtd_read_partition(mtd);
             if (ctx == NULL) {
-                printf("failed to initialize read of mtd partition \"%s\"\n",
-                       partition);
+                printf("failed to initialize read of mtd partition \"%s\"\n", partition);
                 return -1;
             }
             break;
+        }
 
         case EMMC:
             dev = fopen(partition, "rb");
             if (dev == NULL) {
-                printf("failed to open emmc partition \"%s\": %s\n",
-                       partition, strerror(errno));
+                printf("failed to open emmc partition \"%s\": %s\n", partition, strerror(errno));
                 return -1;
             }
     }
@@ -209,15 +184,15 @@
     SHA_init(&sha_ctx);
     uint8_t parsed_sha[SHA_DIGEST_SIZE];
 
-    // allocate enough memory to hold the largest size.
-    file->data = malloc(size[index[pairs-1]]);
+    // Allocate enough memory to hold the largest size.
+    file->data = reinterpret_cast<unsigned char*>(malloc(size[index[pairs-1]]));
     char* p = (char*)file->data;
     file->size = 0;                // # bytes read so far
+    bool found = false;
 
-    for (i = 0; i < pairs; ++i) {
-        // Read enough additional bytes to get us up to the next size
-        // (again, we're trying the possibilities in order of increasing
-        // size).
+    for (size_t i = 0; i < pairs; ++i) {
+        // Read enough additional bytes to get us up to the next size. (Again,
+        // we're trying the possibilities in order of increasing size).
         size_t next = size[index[i]] - file->size;
         size_t read = 0;
         if (next > 0) {
@@ -247,9 +222,8 @@
         memcpy(&temp_ctx, &sha_ctx, sizeof(SHA_CTX));
         const uint8_t* sha_so_far = SHA_final(&temp_ctx);
 
-        if (ParseSha1(sha1sum[index[i]], parsed_sha) != 0) {
-            printf("failed to parse sha1 %s in %s\n",
-                   sha1sum[index[i]], filename);
+        if (ParseSha1(sha1sum[index[i]].c_str(), parsed_sha) != 0) {
+            printf("failed to parse sha1 %s in %s\n", sha1sum[index[i]].c_str(), filename);
             free(file->data);
             file->data = NULL;
             return -1;
@@ -259,7 +233,8 @@
             // we have a match.  stop reading the partition; we'll return
             // the data we've read so far.
             printf("partition read matched size %zu sha %s\n",
-                   size[index[i]], sha1sum[index[i]]);
+                   size[index[i]], sha1sum[index[i]].c_str());
+            found = true;
             break;
         }
 
@@ -277,18 +252,16 @@
     }
 
 
-    if (i == pairs) {
-        // Ran off the end of the list of (size,sha1) pairs without
-        // finding a match.
-        printf("contents of partition \"%s\" didn't match %s\n",
-               partition, filename);
+    if (!found) {
+        // Ran off the end of the list of (size,sha1) pairs without finding a match.
+        printf("contents of partition \"%s\" didn't match %s\n", partition, filename);
         free(file->data);
         file->data = NULL;
         return -1;
     }
 
     const uint8_t* sha_final = SHA_final(&sha_ctx);
-    for (i = 0; i < SHA_DIGEST_SIZE; ++i) {
+    for (size_t i = 0; i < SHA_DIGEST_SIZE; ++i) {
         file->sha1[i] = sha_final[i];
     }
 
@@ -297,11 +270,6 @@
     file->st.st_uid = 0;
     file->st.st_gid = 0;
 
-    free(copy);
-    free(index);
-    free(size);
-    free(sha1sum);
-
     return 0;
 }
 
@@ -311,16 +279,14 @@
 int SaveFileContents(const char* filename, const FileContents* file) {
     int fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, S_IRUSR | S_IWUSR);
     if (fd < 0) {
-        printf("failed to open \"%s\" for write: %s\n",
-               filename, strerror(errno));
+        printf("failed to open \"%s\" for write: %s\n", filename, strerror(errno));
         return -1;
     }
 
     ssize_t bytes_written = FileSink(file->data, file->size, &fd);
     if (bytes_written != file->size) {
-        printf("short write of \"%s\" (%ld bytes of %ld) (%s)\n",
-               filename, (long)bytes_written, (long)file->size,
-               strerror(errno));
+        printf("short write of \"%s\" (%zd bytes of %zd) (%s)\n",
+               filename, bytes_written, file->size, strerror(errno));
         close(fd);
         return -1;
     }
@@ -346,54 +312,51 @@
 }
 
 // Write a memory buffer to 'target' partition, a string of the form
-// "MTD:<partition>[:...]" or "EMMC:<partition_device>:".  Return 0 on
-// success.
-int WriteToPartition(unsigned char* data, size_t len,
-                        const char* target) {
-    char* copy = strdup(target);
-    const char* magic = strtok(copy, ":");
+// "MTD:<partition>[:...]" or "EMMC:<partition_device>[:...]". The target name
+// might contain multiple colons, but WriteToPartition() only uses the first
+// two and ignores the rest. Return 0 on success.
+int WriteToPartition(unsigned char* data, size_t len, const char* target) {
+    std::string copy(target);
+    std::vector<std::string> pieces = android::base::Split(copy, ":");
+
+    if (pieces.size() < 2) {
+        printf("WriteToPartition called with bad target (%s)\n", target);
+        return -1;
+    }
 
     enum PartitionType type;
-    if (strcmp(magic, "MTD") == 0) {
+    if (pieces[0] == "MTD") {
         type = MTD;
-    } else if (strcmp(magic, "EMMC") == 0) {
+    } else if (pieces[0] == "EMMC") {
         type = EMMC;
     } else {
         printf("WriteToPartition called with bad target (%s)\n", target);
         return -1;
     }
-    const char* partition = strtok(NULL, ":");
-
-    if (partition == NULL) {
-        printf("bad partition target name \"%s\"\n", target);
-        return -1;
-    }
+    const char* partition = pieces[1].c_str();
 
     switch (type) {
-        case MTD:
+        case MTD: {
             if (!mtd_partitions_scanned) {
                 mtd_scan_partitions();
-                mtd_partitions_scanned = 1;
+                mtd_partitions_scanned = true;
             }
 
             const MtdPartition* mtd = mtd_find_partition_by_name(partition);
             if (mtd == NULL) {
-                printf("mtd partition \"%s\" not found for writing\n",
-                       partition);
+                printf("mtd partition \"%s\" not found for writing\n", partition);
                 return -1;
             }
 
             MtdWriteContext* ctx = mtd_write_partition(mtd);
             if (ctx == NULL) {
-                printf("failed to init mtd partition \"%s\" for writing\n",
-                       partition);
+                printf("failed to init mtd partition \"%s\" for writing\n", partition);
                 return -1;
             }
 
-            size_t written = mtd_write_data(ctx, (char*)data, len);
+            size_t written = mtd_write_data(ctx, reinterpret_cast<char*>(data), len);
             if (written != len) {
-                printf("only wrote %zu of %zu bytes to MTD %s\n",
-                       written, len, partition);
+                printf("only wrote %zu of %zu bytes to MTD %s\n", written, len, partition);
                 mtd_write_close(ctx);
                 return -1;
             }
@@ -409,22 +372,20 @@
                 return -1;
             }
             break;
+        }
 
-        case EMMC:
-        {
+        case EMMC: {
             size_t start = 0;
-            int success = 0;
+            bool success = false;
             int fd = open(partition, O_RDWR | O_SYNC);
             if (fd < 0) {
                 printf("failed to open %s: %s\n", partition, strerror(errno));
                 return -1;
             }
-            int attempt;
 
-            for (attempt = 0; attempt < 2; ++attempt) {
+            for (size_t attempt = 0; attempt < 2; ++attempt) {
                 if (TEMP_FAILURE_RETRY(lseek(fd, start, SEEK_SET)) == -1) {
-                    printf("failed seek on %s: %s\n",
-                           partition, strerror(errno));
+                    printf("failed seek on %s: %s\n", partition, strerror(errno));
                     return -1;
                 }
                 while (start < len) {
@@ -439,23 +400,20 @@
                     start += written;
                 }
                 if (fsync(fd) != 0) {
-                   printf("failed to sync to %s (%s)\n",
-                          partition, strerror(errno));
+                   printf("failed to sync to %s (%s)\n", partition, strerror(errno));
                    return -1;
                 }
                 if (close(fd) != 0) {
-                   printf("failed to close %s (%s)\n",
-                          partition, strerror(errno));
+                   printf("failed to close %s (%s)\n", partition, strerror(errno));
                    return -1;
                 }
                 fd = open(partition, O_RDONLY);
                 if (fd < 0) {
-                   printf("failed to reopen %s for verify (%s)\n",
-                          partition, strerror(errno));
+                   printf("failed to reopen %s for verify (%s)\n", partition, strerror(errno));
                    return -1;
                 }
 
-                // drop caches so our subsequent verification read
+                // Drop caches so our subsequent verification read
                 // won't just be reading the cache.
                 sync();
                 int dc = open("/proc/sys/vm/drop_caches", O_WRONLY);
@@ -475,10 +433,11 @@
                 }
                 unsigned char buffer[4096];
                 start = len;
-                size_t p;
-                for (p = 0; p < len; p += sizeof(buffer)) {
+                for (size_t p = 0; p < len; p += sizeof(buffer)) {
                     size_t to_read = len - p;
-                    if (to_read > sizeof(buffer)) to_read = sizeof(buffer);
+                    if (to_read > sizeof(buffer)) {
+                        to_read = sizeof(buffer);
+                    }
 
                     size_t so_far = 0;
                     while (so_far < to_read) {
@@ -489,14 +448,14 @@
                                    partition, p, strerror(errno));
                             return -1;
                         }
-                        if ((size_t)read_count < to_read) {
+                        if (static_cast<size_t>(read_count) < to_read) {
                             printf("short verify read %s at %zu: %zd %zu %s\n",
                                    partition, p, read_count, to_read, strerror(errno));
                         }
                         so_far += read_count;
                     }
 
-                    if (memcmp(buffer, data+p, to_read)) {
+                    if (memcmp(buffer, data+p, to_read) != 0) {
                         printf("verification failed starting at %zu\n", p);
                         start = p;
                         break;
@@ -504,7 +463,7 @@
                 }
 
                 if (start == len) {
-                    printf("verification read succeeded (attempt %d)\n", attempt+1);
+                    printf("verification read succeeded (attempt %zu)\n", attempt+1);
                     success = true;
                     break;
                 }
@@ -524,7 +483,6 @@
         }
     }
 
-    free(copy);
     return 0;
 }
 
@@ -534,10 +492,9 @@
 // the form "<digest>:<anything>".  Return 0 on success, -1 on any
 // error.
 int ParseSha1(const char* str, uint8_t* digest) {
-    int i;
     const char* ps = str;
     uint8_t* pd = digest;
-    for (i = 0; i < SHA_DIGEST_SIZE * 2; ++i, ++ps) {
+    for (int i = 0; i < SHA_DIGEST_SIZE * 2; ++i, ++ps) {
         int digit;
         if (*ps >= '0' && *ps <= '9') {
             digit = *ps - '0';
@@ -564,9 +521,8 @@
 // found.
 int FindMatchingPatch(uint8_t* sha1, char* const * const patch_sha1_str,
                       int num_patches) {
-    int i;
     uint8_t patch_sha1[SHA_DIGEST_SIZE];
-    for (i = 0; i < num_patches; ++i) {
+    for (int i = 0; i < num_patches; ++i) {
         if (ParseSha1(patch_sha1_str[i], patch_sha1) == 0 &&
             memcmp(patch_sha1, sha1, SHA_DIGEST_SIZE) == 0) {
             return i;
@@ -578,8 +534,8 @@
 // Returns 0 if the contents of the file (argv[2]) or the cached file
 // match any of the sha1's on the command line (argv[3:]).  Returns
 // nonzero otherwise.
-int applypatch_check(const char* filename,
-                     int num_patches, char** const patch_sha1_str) {
+int applypatch_check(const char* filename, int num_patches,
+                     char** const patch_sha1_str) {
     FileContents file;
     file.data = NULL;
 
@@ -624,13 +580,13 @@
 }
 
 ssize_t FileSink(const unsigned char* data, ssize_t len, void* token) {
-    int fd = *(int *)token;
+    int fd = *reinterpret_cast<int *>(token);
     ssize_t done = 0;
     ssize_t wrote;
-    while (done < (ssize_t) len) {
+    while (done < len) {
         wrote = TEMP_FAILURE_RETRY(write(fd, data+done, len-done));
         if (wrote == -1) {
-            printf("error writing %d bytes: %s\n", (int)(len-done), strerror(errno));
+            printf("error writing %zd bytes: %s\n", (len-done), strerror(errno));
             return done;
         }
         done += wrote;
@@ -645,7 +601,7 @@
 } MemorySinkInfo;
 
 ssize_t MemorySink(const unsigned char* data, ssize_t len, void* token) {
-    MemorySinkInfo* msi = (MemorySinkInfo*)token;
+    MemorySinkInfo* msi = reinterpret_cast<MemorySinkInfo*>(token);
     if (msi->size - msi->pos < len) {
         return -1;
     }
@@ -674,15 +630,6 @@
     }
 }
 
-static void print_short_sha1(const uint8_t sha1[SHA_DIGEST_SIZE]) {
-    int i;
-    const char* hex = "0123456789abcdef";
-    for (i = 0; i < 4; ++i) {
-        putchar(hex[(sha1[i]>>4) & 0xf]);
-        putchar(hex[sha1[i] & 0xf]);
-    }
-}
-
 // This function applies binary patches to files in a way that is safe
 // (the original file is not touched until we have the desired
 // replacement for it) and idempotent (it's okay to run this program
@@ -695,7 +642,7 @@
 //   entries in <patch_sha1_str>, the corresponding patch from
 //   <patch_data> (which must be a VAL_BLOB) is applied to produce a
 //   new file (the type of patch is automatically detected from the
-//   blob daat).  If that new file has sha1 hash <target_sha1_str>,
+//   blob data).  If that new file has sha1 hash <target_sha1_str>,
 //   moves it to replace <target_filename>, and exits successfully.
 //   Note that if <source_filename> and <target_filename> are not the
 //   same, <source_filename> is NOT deleted on success.
@@ -706,7 +653,7 @@
 //   status.
 //
 // <source_filename> may refer to a partition to read the source data.
-// See the comments for the LoadPartition Contents() function above
+// See the comments for the LoadPartitionContents() function above
 // for the format of such a filename.
 
 int applypatch(const char* source_filename,
@@ -719,8 +666,7 @@
                Value* bonus_data) {
     printf("patch %s: ", source_filename);
 
-    if (target_filename[0] == '-' &&
-        target_filename[1] == '\0') {
+    if (target_filename[0] == '-' && target_filename[1] == '\0') {
         target_filename = source_filename;
     }
 
@@ -742,9 +688,7 @@
         if (memcmp(source_file.sha1, target_sha1, SHA_DIGEST_SIZE) == 0) {
             // The early-exit case:  the patch was already applied, this file
             // has the desired hash, nothing for us to do.
-            printf("already ");
-            print_short_sha1(target_sha1);
-            putchar('\n');
+            printf("already %s\n", short_sha1(target_sha1).c_str());
             free(source_file.data);
             return 0;
         }
@@ -761,8 +705,7 @@
     }
 
     if (source_file.data != NULL) {
-        int to_use = FindMatchingPatch(source_file.sha1,
-                                       patch_sha1_str, num_patches);
+        int to_use = FindMatchingPatch(source_file.sha1, patch_sha1_str, num_patches);
         if (to_use >= 0) {
             source_patch_value = patch_data[to_use];
         }
@@ -779,8 +722,7 @@
             return 1;
         }
 
-        int to_use = FindMatchingPatch(copy_file.sha1,
-                                       patch_sha1_str, num_patches);
+        int to_use = FindMatchingPatch(copy_file.sha1, patch_sha1_str, num_patches);
         if (to_use >= 0) {
             copy_patch_value = patch_data[to_use];
         }
@@ -803,6 +745,67 @@
     return result;
 }
 
+/*
+ * This function flashes a given image to the target partition. It verifies
+ * the target cheksum first, and will return if target has the desired hash.
+ * It checks the checksum of the given source image before flashing, and
+ * verifies the target partition afterwards. The function is idempotent.
+ * Returns zero on success.
+ */
+int applypatch_flash(const char* source_filename, const char* target_filename,
+                     const char* target_sha1_str, size_t target_size) {
+    printf("flash %s: ", target_filename);
+
+    uint8_t target_sha1[SHA_DIGEST_SIZE];
+    if (ParseSha1(target_sha1_str, target_sha1) != 0) {
+        printf("failed to parse tgt-sha1 \"%s\"\n", target_sha1_str);
+        return 1;
+    }
+
+    FileContents source_file;
+    source_file.data = NULL;
+    std::string target_str(target_filename);
+
+    std::vector<std::string> pieces = android::base::Split(target_str, ":");
+    if (pieces.size() != 2 || (pieces[0] != "MTD" && pieces[0] != "EMMC")) {
+        printf("invalid target name \"%s\"", target_filename);
+        return 1;
+    }
+
+    // Load the target into the source_file object to see if already applied.
+    pieces.push_back(std::to_string(target_size));
+    pieces.push_back(target_sha1_str);
+    std::string fullname = android::base::Join(pieces, ':');
+    if (LoadPartitionContents(fullname.c_str(), &source_file) == 0 &&
+        memcmp(source_file.sha1, target_sha1, SHA_DIGEST_SIZE) == 0) {
+        // The early-exit case: the image was already applied, this partition
+        // has the desired hash, nothing for us to do.
+        printf("already %s\n", short_sha1(target_sha1).c_str());
+        free(source_file.data);
+        return 0;
+    }
+
+    if (LoadFileContents(source_filename, &source_file) == 0) {
+        if (memcmp(source_file.sha1, target_sha1, SHA_DIGEST_SIZE) != 0) {
+            // The source doesn't have desired checksum.
+            printf("source \"%s\" doesn't have expected sha1 sum\n", source_filename);
+            printf("expected: %s, found: %s\n", short_sha1(target_sha1).c_str(),
+                    short_sha1(source_file.sha1).c_str());
+            free(source_file.data);
+            return 1;
+        }
+    }
+
+    if (WriteToPartition(source_file.data, target_size, target_filename) != 0) {
+        printf("write of copied data to %s failed\n", target_filename);
+        free(source_file.data);
+        return 1;
+    }
+
+    free(source_file.data);
+    return 0;
+}
+
 static int GenerateTarget(FileContents* source_file,
                           const Value* source_patch_value,
                           FileContents* copy_file,
@@ -865,8 +868,8 @@
                     (free_space > (256 << 10)) &&          // 256k (two-block) minimum
                     (free_space > (target_size * 3 / 2));  // 50% margin of error
                 if (!enough_space) {
-                    printf("target %ld bytes; free space %ld bytes; retry %d; enough %d\n",
-                           (long)target_size, (long)free_space, retry, enough_space);
+                    printf("target %zu bytes; free space %zu bytes; retry %d; enough %d\n",
+                           target_size, free_space, retry, enough_space);
                 }
             }
 
@@ -884,8 +887,7 @@
                     // It's impossible to free space on the target filesystem by
                     // deleting the source if the source is a partition.  If
                     // we're ever in a state where we need to do this, fail.
-                    printf("not enough free space for target but source "
-                           "is partition\n");
+                    printf("not enough free space for target but source is partition\n");
                     return 1;
                 }
 
@@ -902,7 +904,7 @@
                 unlink(source_filename);
 
                 size_t free_space = FreeSpaceForFile(target_fs);
-                printf("(now %ld bytes free for target) ", (long)free_space);
+                printf("(now %zu bytes free for target) ", free_space);
             }
         }
 
@@ -927,10 +929,9 @@
         if (strncmp(target_filename, "MTD:", 4) == 0 ||
             strncmp(target_filename, "EMMC:", 5) == 0) {
             // We store the decoded output in memory.
-            msi.buffer = malloc(target_size);
+            msi.buffer = reinterpret_cast<unsigned char*>(malloc(target_size));
             if (msi.buffer == NULL) {
-                printf("failed to alloc %ld bytes for output\n",
-                       (long)target_size);
+                printf("failed to alloc %zu bytes for output\n", target_size);
                 return 1;
             }
             msi.pos = 0;
@@ -939,12 +940,11 @@
             token = &msi;
         } else {
             // We write the decoded output to "<tgt-file>.patch".
-            outname = (char*)malloc(strlen(target_filename) + 10);
+            outname = reinterpret_cast<char*>(malloc(strlen(target_filename) + 10));
             strcpy(outname, target_filename);
             strcat(outname, ".patch");
 
-            output = open(outname, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC,
-                S_IRUSR | S_IWUSR);
+            output = open(outname, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, S_IRUSR | S_IWUSR);
             if (output < 0) {
                 printf("failed to open output file %s: %s\n",
                        outname, strerror(errno));
@@ -1006,9 +1006,7 @@
         printf("patch did not produce expected sha1\n");
         return 1;
     } else {
-        printf("now ");
-        print_short_sha1(target_sha1);
-        putchar('\n');
+        printf("now %s\n", short_sha1(target_sha1).c_str());
     }
 
     if (output < 0) {
@@ -1025,23 +1023,23 @@
             printf("chmod of \"%s\" failed: %s\n", outname, strerror(errno));
             return 1;
         }
-        if (chown(outname, source_to_use->st.st_uid,
-                  source_to_use->st.st_gid) != 0) {
+        if (chown(outname, source_to_use->st.st_uid, source_to_use->st.st_gid) != 0) {
             printf("chown of \"%s\" failed: %s\n", outname, strerror(errno));
             return 1;
         }
 
         // Finally, rename the .patch file to replace the target file.
         if (rename(outname, target_filename) != 0) {
-            printf("rename of .patch to \"%s\" failed: %s\n",
-                   target_filename, strerror(errno));
+            printf("rename of .patch to \"%s\" failed: %s\n", target_filename, strerror(errno));
             return 1;
         }
     }
 
     // If this run of applypatch created the copy, and we're here, we
     // can delete it.
-    if (made_copy) unlink(CACHE_TEMP_SOURCE);
+    if (made_copy) {
+        unlink(CACHE_TEMP_SOURCE);
+    }
 
     // Success!
     return 0;
diff --git a/applypatch/applypatch.h b/applypatch/applypatch.h
index edec848..415bc1b 100644
--- a/applypatch/applypatch.h
+++ b/applypatch/applypatch.h
@@ -48,6 +48,8 @@
 int CacheSizeCheck(size_t bytes);
 int ParseSha1(const char* str, uint8_t* digest);
 
+int applypatch_flash(const char* source_filename, const char* target_filename,
+                     const char* target_sha1_str, size_t target_size);
 int applypatch(const char* source_filename,
                const char* target_filename,
                const char* target_sha1_str,
diff --git a/applypatch/bsdiff.c b/applypatch/bsdiff.cpp
similarity index 86%
rename from applypatch/bsdiff.c
rename to applypatch/bsdiff.cpp
index b6d342b..55dbe5c 100644
--- a/applypatch/bsdiff.c
+++ b/applypatch/bsdiff.cpp
@@ -156,24 +156,24 @@
 	for(i=0;i<oldsize+1;i++) I[V[i]]=i;
 }
 
-static off_t matchlen(u_char *old,off_t oldsize,u_char *new,off_t newsize)
+static off_t matchlen(u_char *olddata,off_t oldsize,u_char *newdata,off_t newsize)
 {
 	off_t i;
 
 	for(i=0;(i<oldsize)&&(i<newsize);i++)
-		if(old[i]!=new[i]) break;
+		if(olddata[i]!=newdata[i]) break;
 
 	return i;
 }
 
 static off_t search(off_t *I,u_char *old,off_t oldsize,
-		u_char *new,off_t newsize,off_t st,off_t en,off_t *pos)
+		u_char *newdata,off_t newsize,off_t st,off_t en,off_t *pos)
 {
 	off_t x,y;
 
 	if(en-st<2) {
-		x=matchlen(old+I[st],oldsize-I[st],new,newsize);
-		y=matchlen(old+I[en],oldsize-I[en],new,newsize);
+		x=matchlen(old+I[st],oldsize-I[st],newdata,newsize);
+		y=matchlen(old+I[en],oldsize-I[en],newdata,newsize);
 
 		if(x>y) {
 			*pos=I[st];
@@ -185,10 +185,10 @@
 	};
 
 	x=st+(en-st)/2;
-	if(memcmp(old+I[x],new,MIN(oldsize-I[x],newsize))<0) {
-		return search(I,old,oldsize,new,newsize,x,en,pos);
+	if(memcmp(old+I[x],newdata,MIN(oldsize-I[x],newsize))<0) {
+		return search(I,old,oldsize,newdata,newsize,x,en,pos);
 	} else {
-		return search(I,old,oldsize,new,newsize,st,x,pos);
+		return search(I,old,oldsize,newdata,newsize,st,x,pos);
 	};
 }
 
@@ -212,8 +212,8 @@
 
 // This is main() from bsdiff.c, with the following changes:
 //
-//    - old, oldsize, new, newsize are arguments; we don't load this
-//      data from files.  old and new are owned by the caller; we
+//    - old, oldsize, newdata, newsize are arguments; we don't load this
+//      data from files.  old and newdata are owned by the caller; we
 //      don't free them at the end.
 //
 //    - the "I" block of memory is owned by the caller, who passes a
@@ -221,7 +221,7 @@
 //      bsdiff() multiple times with the same 'old' data, we only do
 //      the qsufsort() step the first time.
 //
-int bsdiff(u_char* old, off_t oldsize, off_t** IP, u_char* new, off_t newsize,
+int bsdiff(u_char* old, off_t oldsize, off_t** IP, u_char* newdata, off_t newsize,
            const char* patch_filename)
 {
 	int fd;
@@ -242,15 +242,15 @@
 
         if (*IP == NULL) {
             off_t* V;
-            *IP = malloc((oldsize+1) * sizeof(off_t));
-            V = malloc((oldsize+1) * sizeof(off_t));
+            *IP = reinterpret_cast<off_t*>(malloc((oldsize+1) * sizeof(off_t)));
+            V = reinterpret_cast<off_t*>(malloc((oldsize+1) * sizeof(off_t)));
             qsufsort(*IP, V, old, oldsize);
             free(V);
         }
         I = *IP;
 
-	if(((db=malloc(newsize+1))==NULL) ||
-		((eb=malloc(newsize+1))==NULL)) err(1,NULL);
+	if(((db=reinterpret_cast<u_char*>(malloc(newsize+1)))==NULL) ||
+		((eb=reinterpret_cast<u_char*>(malloc(newsize+1)))==NULL)) err(1,NULL);
 	dblen=0;
 	eblen=0;
 
@@ -284,26 +284,26 @@
 		oldscore=0;
 
 		for(scsc=scan+=len;scan<newsize;scan++) {
-			len=search(I,old,oldsize,new+scan,newsize-scan,
+			len=search(I,old,oldsize,newdata+scan,newsize-scan,
 					0,oldsize,&pos);
 
 			for(;scsc<scan+len;scsc++)
 			if((scsc+lastoffset<oldsize) &&
-				(old[scsc+lastoffset] == new[scsc]))
+				(old[scsc+lastoffset] == newdata[scsc]))
 				oldscore++;
 
 			if(((len==oldscore) && (len!=0)) ||
 				(len>oldscore+8)) break;
 
 			if((scan+lastoffset<oldsize) &&
-				(old[scan+lastoffset] == new[scan]))
+				(old[scan+lastoffset] == newdata[scan]))
 				oldscore--;
 		};
 
 		if((len!=oldscore) || (scan==newsize)) {
 			s=0;Sf=0;lenf=0;
 			for(i=0;(lastscan+i<scan)&&(lastpos+i<oldsize);) {
-				if(old[lastpos+i]==new[lastscan+i]) s++;
+				if(old[lastpos+i]==newdata[lastscan+i]) s++;
 				i++;
 				if(s*2-i>Sf*2-lenf) { Sf=s; lenf=i; };
 			};
@@ -312,7 +312,7 @@
 			if(scan<newsize) {
 				s=0;Sb=0;
 				for(i=1;(scan>=lastscan+i)&&(pos>=i);i++) {
-					if(old[pos-i]==new[scan-i]) s++;
+					if(old[pos-i]==newdata[scan-i]) s++;
 					if(s*2-i>Sb*2-lenb) { Sb=s; lenb=i; };
 				};
 			};
@@ -321,9 +321,9 @@
 				overlap=(lastscan+lenf)-(scan-lenb);
 				s=0;Ss=0;lens=0;
 				for(i=0;i<overlap;i++) {
-					if(new[lastscan+lenf-overlap+i]==
+					if(newdata[lastscan+lenf-overlap+i]==
 					   old[lastpos+lenf-overlap+i]) s++;
-					if(new[scan-lenb+i]==
+					if(newdata[scan-lenb+i]==
 					   old[pos-lenb+i]) s--;
 					if(s>Ss) { Ss=s; lens=i+1; };
 				};
@@ -333,9 +333,9 @@
 			};
 
 			for(i=0;i<lenf;i++)
-				db[dblen+i]=new[lastscan+i]-old[lastpos+i];
+				db[dblen+i]=newdata[lastscan+i]-old[lastpos+i];
 			for(i=0;i<(scan-lenb)-(lastscan+lenf);i++)
-				eb[eblen+i]=new[lastscan+lenf+i];
+				eb[eblen+i]=newdata[lastscan+lenf+i];
 
 			dblen+=lenf;
 			eblen+=(scan-lenb)-(lastscan+lenf);
diff --git a/applypatch/bspatch.c b/applypatch/bspatch.cpp
similarity index 97%
rename from applypatch/bspatch.c
rename to applypatch/bspatch.cpp
index b57760e..9d201b4 100644
--- a/applypatch/bspatch.c
+++ b/applypatch/bspatch.cpp
@@ -182,10 +182,9 @@
         printf("failed to bzinit extra stream (%d)\n", bzerr);
     }
 
-    *new_data = malloc(*new_size);
+    *new_data = reinterpret_cast<unsigned char*>(malloc(*new_size));
     if (*new_data == NULL) {
-        printf("failed to allocate %ld bytes of memory for output file\n",
-               (long)*new_size);
+        printf("failed to allocate %zd bytes of memory for output file\n", *new_size);
         return 1;
     }
 
diff --git a/applypatch/freecache.c b/applypatch/freecache.cpp
similarity index 79%
rename from applypatch/freecache.c
rename to applypatch/freecache.cpp
index 9827fda..2eb2f55 100644
--- a/applypatch/freecache.c
+++ b/applypatch/freecache.cpp
@@ -1,3 +1,19 @@
+/*
+ * Copyright (C) 2010 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 #include <errno.h>
 #include <libgen.h>
 #include <stdio.h>
@@ -76,7 +92,7 @@
   struct dirent* de;
   int size = 32;
   *entries = 0;
-  *names = malloc(size * sizeof(char*));
+  *names = reinterpret_cast<char**>(malloc(size * sizeof(char*)));
 
   char path[FILENAME_MAX];
 
@@ -84,8 +100,7 @@
   // directories.
   const char* dirs[2] = {"/cache", "/cache/recovery/otatest"};
 
-  unsigned int i;
-  for (i = 0; i < sizeof(dirs)/sizeof(dirs[0]); ++i) {
+  for (size_t i = 0; i < sizeof(dirs)/sizeof(dirs[0]); ++i) {
     d = opendir(dirs[i]);
     if (d == NULL) {
       printf("error opening %s: %s\n", dirs[i], strerror(errno));
@@ -107,7 +122,7 @@
       if (stat(path, &st) == 0 && S_ISREG(st.st_mode)) {
         if (*entries >= size) {
           size *= 2;
-          *names = realloc(*names, size * sizeof(char*));
+          *names = reinterpret_cast<char**>(realloc(*names, size * sizeof(char*)));
         }
         (*names)[(*entries)++] = strdup(path);
       }
@@ -127,8 +142,7 @@
 
 int MakeFreeSpaceOnCache(size_t bytes_needed) {
   size_t free_now = FreeSpaceForFile("/cache");
-  printf("%ld bytes free on /cache (%ld needed)\n",
-         (long)free_now, (long)bytes_needed);
+  printf("%zu bytes free on /cache (%zu needed)\n", free_now, bytes_needed);
 
   if (free_now >= bytes_needed) {
     return 0;
@@ -158,7 +172,7 @@
     if (names[i]) {
       unlink(names[i]);
       free_now = FreeSpaceForFile("/cache");
-      printf("deleted %s; now %ld bytes free\n", names[i], (long)free_now);
+      printf("deleted %s; now %zu bytes free\n", names[i], free_now);
       free(names[i]);
     }
   }
diff --git a/applypatch/imgdiff.c b/applypatch/imgdiff.cpp
similarity index 91%
rename from applypatch/imgdiff.c
rename to applypatch/imgdiff.cpp
index 3bac8be..50cabbe 100644
--- a/applypatch/imgdiff.c
+++ b/applypatch/imgdiff.cpp
@@ -122,6 +122,7 @@
  */
 
 #include <errno.h>
+#include <inttypes.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -179,7 +180,7 @@
 }
 
 // from bsdiff.c
-int bsdiff(u_char* old, off_t oldsize, off_t** IP, u_char* new, off_t newsize,
+int bsdiff(u_char* old, off_t oldsize, off_t** IP, u_char* newdata, off_t newsize,
            const char* patch_filename);
 
 unsigned char* ReadZip(const char* filename,
@@ -191,9 +192,10 @@
     return NULL;
   }
 
-  unsigned char* img = malloc(st.st_size);
+  size_t sz = static_cast<size_t>(st.st_size);
+  unsigned char* img = reinterpret_cast<unsigned char*>(malloc(sz));
   FILE* f = fopen(filename, "rb");
-  if (fread(img, 1, st.st_size, f) != st.st_size) {
+  if (fread(img, 1, sz, f) != sz) {
     printf("failed to read \"%s\" %s\n", filename, strerror(errno));
     fclose(f);
     return NULL;
@@ -218,7 +220,8 @@
   int cdcount = Read2(img+i+8);
   int cdoffset = Read4(img+i+16);
 
-  ZipFileEntry* temp_entries = malloc(cdcount * sizeof(ZipFileEntry));
+  ZipFileEntry* temp_entries = reinterpret_cast<ZipFileEntry*>(malloc(
+      cdcount * sizeof(ZipFileEntry)));
   int entrycount = 0;
 
   unsigned char* cd = img+cdoffset;
@@ -235,7 +238,7 @@
     int mlen = Read2(cd+32);   // file comment len
     int hoffset = Read4(cd+42);   // local header offset
 
-    char* filename = malloc(nlen+1);
+    char* filename = reinterpret_cast<char*>(malloc(nlen+1));
     memcpy(filename, cd+46, nlen);
     filename[nlen] = '\0';
 
@@ -284,7 +287,7 @@
 #endif
 
   *num_chunks = 0;
-  *chunks = malloc((entrycount*2+2) * sizeof(ImageChunk));
+  *chunks = reinterpret_cast<ImageChunk*>(malloc((entrycount*2+2) * sizeof(ImageChunk)));
   ImageChunk* curr = *chunks;
 
   if (include_pseudo_chunk) {
@@ -311,7 +314,7 @@
       curr->I = NULL;
 
       curr->len = temp_entries[nextentry].uncomp_len;
-      curr->data = malloc(curr->len);
+      curr->data = reinterpret_cast<unsigned char*>(malloc(curr->len));
 
       z_stream strm;
       strm.zalloc = Z_NULL;
@@ -381,9 +384,10 @@
     return NULL;
   }
 
-  unsigned char* img = malloc(st.st_size + 4);
+  size_t sz = static_cast<size_t>(st.st_size);
+  unsigned char* img = reinterpret_cast<unsigned char*>(malloc(sz + 4));
   FILE* f = fopen(filename, "rb");
-  if (fread(img, 1, st.st_size, f) != st.st_size) {
+  if (fread(img, 1, sz, f) != sz) {
     printf("failed to read \"%s\" %s\n", filename, strerror(errno));
     fclose(f);
     return NULL;
@@ -393,17 +397,17 @@
   // append 4 zero bytes to the data so we can always search for the
   // four-byte string 1f8b0800 starting at any point in the actual
   // file data, without special-casing the end of the data.
-  memset(img+st.st_size, 0, 4);
+  memset(img+sz, 0, 4);
 
   size_t pos = 0;
 
   *num_chunks = 0;
   *chunks = NULL;
 
-  while (pos < st.st_size) {
+  while (pos < sz) {
     unsigned char* p = img+pos;
 
-    if (st.st_size - pos >= 4 &&
+    if (sz - pos >= 4 &&
         p[0] == 0x1f && p[1] == 0x8b &&
         p[2] == 0x08 &&    // deflate compression
         p[3] == 0x00) {    // no header flags
@@ -411,7 +415,8 @@
       size_t chunk_offset = pos;
 
       *num_chunks += 3;
-      *chunks = realloc(*chunks, *num_chunks * sizeof(ImageChunk));
+      *chunks = reinterpret_cast<ImageChunk*>(realloc(*chunks,
+          *num_chunks * sizeof(ImageChunk)));
       ImageChunk* curr = *chunks + (*num_chunks-3);
 
       // create a normal chunk for the header.
@@ -435,7 +440,7 @@
 
       size_t allocated = 32768;
       curr->len = 0;
-      curr->data = malloc(allocated);
+      curr->data = reinterpret_cast<unsigned char*>(malloc(allocated));
       curr->start = pos;
       curr->deflate_data = p;
 
@@ -443,7 +448,7 @@
       strm.zalloc = Z_NULL;
       strm.zfree = Z_NULL;
       strm.opaque = Z_NULL;
-      strm.avail_in = st.st_size - pos;
+      strm.avail_in = sz - pos;
       strm.next_in = p;
 
       // -15 means we are decoding a 'raw' deflate stream; zlib will
@@ -465,11 +470,11 @@
         curr->len = allocated - strm.avail_out;
         if (strm.avail_out == 0) {
           allocated *= 2;
-          curr->data = realloc(curr->data, allocated);
+          curr->data = reinterpret_cast<unsigned char*>(realloc(curr->data, allocated));
         }
       } while (ret != Z_STREAM_END);
 
-      curr->deflate_len = st.st_size - strm.avail_in - pos;
+      curr->deflate_len = sz - strm.avail_in - pos;
       inflateEnd(&strm);
       pos += curr->deflate_len;
       p += curr->deflate_len;
@@ -493,8 +498,8 @@
       // the decompression.
       size_t footer_size = Read4(p-4);
       if (footer_size != curr[-2].len) {
-        printf("Error: footer size %d != decompressed size %d\n",
-                footer_size, curr[-2].len);
+        printf("Error: footer size %zu != decompressed size %zu\n",
+            footer_size, curr[-2].len);
         free(img);
         return NULL;
       }
@@ -502,7 +507,7 @@
       // Reallocate the list for every chunk; we expect the number of
       // chunks to be small (5 for typical boot and recovery images).
       ++*num_chunks;
-      *chunks = realloc(*chunks, *num_chunks * sizeof(ImageChunk));
+      *chunks = reinterpret_cast<ImageChunk*>(realloc(*chunks, *num_chunks * sizeof(ImageChunk)));
       ImageChunk* curr = *chunks + (*num_chunks-1);
       curr->start = pos;
       curr->I = NULL;
@@ -512,7 +517,7 @@
       curr->type = CHUNK_NORMAL;
       curr->data = p;
 
-      for (curr->len = 0; curr->len < (st.st_size - pos); ++curr->len) {
+      for (curr->len = 0; curr->len < (sz - pos); ++curr->len) {
         if (p[curr->len] == 0x1f &&
             p[curr->len+1] == 0x8b &&
             p[curr->len+2] == 0x08 &&
@@ -587,7 +592,7 @@
   }
 
   size_t p = 0;
-  unsigned char* out = malloc(BUFFER_SIZE);
+  unsigned char* out = reinterpret_cast<unsigned char*>(malloc(BUFFER_SIZE));
 
   // We only check two combinations of encoder parameters:  level 6
   // (the default) and level 9 (the maximum).
@@ -623,7 +628,15 @@
   }
 
   char ptemp[] = "/tmp/imgdiff-patch-XXXXXX";
-  mkstemp(ptemp);
+  int fd = mkstemp(ptemp);
+
+  if (fd == -1) {
+    printf("MakePatch failed to create a temporary file: %s\n",
+           strerror(errno));
+    return NULL;
+  }
+  close(fd); // temporary file is created and we don't need its file
+             // descriptor
 
   int r = bsdiff(src->data, src->len, &(src->I), tgt->data, tgt->len, ptemp);
   if (r != 0) {
@@ -638,9 +651,11 @@
     return NULL;
   }
 
-  unsigned char* data = malloc(st.st_size);
+  size_t sz = static_cast<size_t>(st.st_size);
+  // TODO: Memory leak on error return.
+  unsigned char* data = reinterpret_cast<unsigned char*>(malloc(sz));
 
-  if (tgt->type == CHUNK_NORMAL && tgt->len <= st.st_size) {
+  if (tgt->type == CHUNK_NORMAL && tgt->len <= sz) {
     unlink(ptemp);
 
     tgt->type = CHUNK_RAW;
@@ -648,14 +663,14 @@
     return tgt->data;
   }
 
-  *size = st.st_size;
+  *size = sz;
 
   FILE* f = fopen(ptemp, "rb");
   if (f == NULL) {
     printf("failed to open patch %s: %s\n", ptemp, strerror(errno));
     return NULL;
   }
-  if (fread(data, 1, st.st_size, f) != st.st_size) {
+  if (fread(data, 1, sz, f) != sz) {
     printf("failed to read patch %s: %s\n", ptemp, strerror(errno));
     return NULL;
   }
@@ -781,9 +796,8 @@
 }
 
 void DumpChunks(ImageChunk* chunks, int num_chunks) {
-    int i;
-    for (i = 0; i < num_chunks; ++i) {
-        printf("chunk %d: type %d start %d len %d\n",
+    for (int i = 0; i < num_chunks; ++i) {
+        printf("chunk %d: type %d start %zu len %zu\n",
                i, chunks[i].type, chunks[i].start, chunks[i].len);
     }
 }
@@ -806,7 +820,7 @@
       return 1;
     }
     bonus_size = st.st_size;
-    bonus_data = malloc(bonus_size);
+    bonus_data = reinterpret_cast<unsigned char*>(malloc(bonus_size));
     FILE* f = fopen(argv[2], "rb");
     if (f == NULL) {
       printf("failed to open bonus file %s: %s\n", argv[2], strerror(errno));
@@ -953,8 +967,9 @@
   DumpChunks(src_chunks, num_src_chunks);
 
   printf("Construct patches for %d chunks...\n", num_tgt_chunks);
-  unsigned char** patch_data = malloc(num_tgt_chunks * sizeof(unsigned char*));
-  size_t* patch_size = malloc(num_tgt_chunks * sizeof(size_t));
+  unsigned char** patch_data = reinterpret_cast<unsigned char**>(malloc(
+      num_tgt_chunks * sizeof(unsigned char*)));
+  size_t* patch_size = reinterpret_cast<size_t*>(malloc(num_tgt_chunks * sizeof(size_t)));
   for (i = 0; i < num_tgt_chunks; ++i) {
     if (zip_mode) {
       ImageChunk* src;
@@ -967,15 +982,16 @@
       }
     } else {
       if (i == 1 && bonus_data) {
-        printf("  using %d bytes of bonus data for chunk %d\n", bonus_size, i);
-        src_chunks[i].data = realloc(src_chunks[i].data, src_chunks[i].len + bonus_size);
+        printf("  using %zu bytes of bonus data for chunk %d\n", bonus_size, i);
+        src_chunks[i].data = reinterpret_cast<unsigned char*>(realloc(src_chunks[i].data,
+            src_chunks[i].len + bonus_size));
         memcpy(src_chunks[i].data+src_chunks[i].len, bonus_data, bonus_size);
         src_chunks[i].len += bonus_size;
      }
 
       patch_data[i] = MakePatch(src_chunks+i, tgt_chunks+i, patch_size+i);
     }
-    printf("patch %3d is %d bytes (of %d)\n",
+    printf("patch %3d is %zu bytes (of %zu)\n",
            i, patch_size[i], tgt_chunks[i].source_len);
   }
 
@@ -1012,7 +1028,7 @@
 
     switch (tgt_chunks[i].type) {
       case CHUNK_NORMAL:
-        printf("chunk %3d: normal   (%10d, %10d)  %10d\n", i,
+        printf("chunk %3d: normal   (%10zu, %10zu)  %10zu\n", i,
                tgt_chunks[i].start, tgt_chunks[i].len, patch_size[i]);
         Write8(tgt_chunks[i].source_start, f);
         Write8(tgt_chunks[i].source_len, f);
@@ -1021,7 +1037,7 @@
         break;
 
       case CHUNK_DEFLATE:
-        printf("chunk %3d: deflate  (%10d, %10d)  %10d  %s\n", i,
+        printf("chunk %3d: deflate  (%10zu, %10zu)  %10zu  %s\n", i,
                tgt_chunks[i].start, tgt_chunks[i].deflate_len, patch_size[i],
                tgt_chunks[i].filename);
         Write8(tgt_chunks[i].source_start, f);
@@ -1038,7 +1054,7 @@
         break;
 
       case CHUNK_RAW:
-        printf("chunk %3d: raw      (%10d, %10d)\n", i,
+        printf("chunk %3d: raw      (%10zu, %10zu)\n", i,
                tgt_chunks[i].start, tgt_chunks[i].len);
         Write4(patch_size[i], f);
         fwrite(patch_data[i], 1, patch_size[i], f);
diff --git a/applypatch/imgpatch.c b/applypatch/imgpatch.cpp
similarity index 97%
rename from applypatch/imgpatch.c
rename to applypatch/imgpatch.cpp
index 09b0a73..26888f8 100644
--- a/applypatch/imgpatch.c
+++ b/applypatch/imgpatch.cpp
@@ -132,7 +132,7 @@
             // must be appended from the bonus_data value.
             size_t bonus_size = (i == 1 && bonus_data != NULL) ? bonus_data->size : 0;
 
-            unsigned char* expanded_source = malloc(expanded_len);
+            unsigned char* expanded_source = reinterpret_cast<unsigned char*>(malloc(expanded_len));
             if (expanded_source == NULL) {
                 printf("failed to allocate %zu bytes for expanded_source\n",
                        expanded_len);
@@ -196,7 +196,7 @@
                 // ... unless the buffer is too small, in which case we'll
                 // allocate a fresh one.
                 free(temp_data);
-                temp_data = malloc(32768);
+                temp_data = reinterpret_cast<unsigned char*>(malloc(32768));
                 temp_size = 32768;
             }
 
diff --git a/applypatch/main.c b/applypatch/main.cpp
similarity index 76%
rename from applypatch/main.c
rename to applypatch/main.cpp
index 8e9fe80..966d8b9 100644
--- a/applypatch/main.c
+++ b/applypatch/main.cpp
@@ -23,14 +23,14 @@
 #include "edify/expr.h"
 #include "mincrypt/sha.h"
 
-int CheckMode(int argc, char** argv) {
+static int CheckMode(int argc, char** argv) {
     if (argc < 3) {
         return 2;
     }
     return applypatch_check(argv[2], argc-3, argv+3);
 }
 
-int SpaceMode(int argc, char** argv) {
+static int SpaceMode(int argc, char** argv) {
     if (argc != 3) {
         return 2;
     }
@@ -45,19 +45,18 @@
 
 // Parse arguments (which should be of the form "<sha1>" or
 // "<sha1>:<filename>" into the new parallel arrays *sha1s and
-// *patches (loading file contents into the patches).  Returns 0 on
+// *patches (loading file contents into the patches).  Returns true on
 // success.
-static int ParsePatchArgs(int argc, char** argv,
-                          char*** sha1s, Value*** patches, int* num_patches) {
+static bool ParsePatchArgs(int argc, char** argv, char*** sha1s,
+                           Value*** patches, int* num_patches) {
     *num_patches = argc;
-    *sha1s = malloc(*num_patches * sizeof(char*));
-    *patches = malloc(*num_patches * sizeof(Value*));
+    *sha1s = reinterpret_cast<char**>(malloc(*num_patches * sizeof(char*)));
+    *patches = reinterpret_cast<Value**>(malloc(*num_patches * sizeof(Value*)));
     memset(*patches, 0, *num_patches * sizeof(Value*));
 
     uint8_t digest[SHA_DIGEST_SIZE];
 
-    int i;
-    for (i = 0; i < *num_patches; ++i) {
+    for (int i = 0; i < *num_patches; ++i) {
         char* colon = strchr(argv[i], ':');
         if (colon != NULL) {
             *colon = '\0';
@@ -66,7 +65,7 @@
 
         if (ParseSha1(argv[i], digest) != 0) {
             printf("failed to parse sha1 \"%s\"\n", argv[i]);
-            return -1;
+            return false;
         }
 
         (*sha1s)[i] = argv[i];
@@ -77,17 +76,17 @@
             if (LoadFileContents(colon, &fc) != 0) {
                 goto abort;
             }
-            (*patches)[i] = malloc(sizeof(Value));
+            (*patches)[i] = reinterpret_cast<Value*>(malloc(sizeof(Value)));
             (*patches)[i]->type = VAL_BLOB;
             (*patches)[i]->size = fc.size;
-            (*patches)[i]->data = (char*)fc.data;
+            (*patches)[i]->data = reinterpret_cast<char*>(fc.data);
         }
     }
 
-    return 0;
+    return true;
 
   abort:
-    for (i = 0; i < *num_patches; ++i) {
+    for (int i = 0; i < *num_patches; ++i) {
         Value* p = (*patches)[i];
         if (p != NULL) {
             free(p->data);
@@ -96,10 +95,15 @@
     }
     free(*sha1s);
     free(*patches);
-    return -1;
+    return false;
 }
 
-int PatchMode(int argc, char** argv) {
+static int FlashMode(const char* src_filename, const char* tgt_filename,
+                     const char* tgt_sha1, size_t tgt_size) {
+    return applypatch_flash(src_filename, tgt_filename, tgt_sha1, tgt_size);
+}
+
+static int PatchMode(int argc, char** argv) {
     Value* bonus = NULL;
     if (argc >= 3 && strcmp(argv[1], "-b") == 0) {
         FileContents fc;
@@ -107,7 +111,7 @@
             printf("failed to load bonus file %s\n", argv[2]);
             return 1;
         }
-        bonus = malloc(sizeof(Value));
+        bonus = reinterpret_cast<Value*>(malloc(sizeof(Value)));
         bonus->type = VAL_BLOB;
         bonus->size = fc.size;
         bonus->data = (char*)fc.data;
@@ -115,7 +119,7 @@
         argv += 2;
     }
 
-    if (argc < 6) {
+    if (argc < 4) {
         return 2;
     }
 
@@ -126,10 +130,20 @@
         return 1;
     }
 
+    // If no <src-sha1>:<patch> is provided, it is in flash mode.
+    if (argc == 5) {
+        if (bonus != NULL) {
+            printf("bonus file not supported in flash mode\n");
+            return 1;
+        }
+        return FlashMode(argv[1], argv[2], argv[3], target_size);
+    }
+
+
     char** sha1s;
     Value** patches;
     int num_patches;
-    if (ParsePatchArgs(argc-5, argv+5, &sha1s, &patches, &num_patches) != 0) {
+    if (!ParsePatchArgs(argc-5, argv+5, &sha1s, &patches, &num_patches)) {
         printf("failed to parse patch args\n");
         return 1;
     }
@@ -163,6 +177,10 @@
 // - if the sha1 hash of <tgt-file> is <tgt-sha1>, does nothing and exits
 //   successfully.
 //
+// - otherwise, if no <src-sha1>:<patch> is provided, flashes <tgt-file> with
+//   <src-file>. <tgt-file> must be a partition name, while <src-file> must
+//   be a regular image file. <src-file> will not be deleted on success.
+//
 // - otherwise, if the sha1 hash of <src-file> is <src-sha1>, applies the
 //   bsdiff <patch> to <src-file> to produce a new file (the type of patch
 //   is automatically detected from the file header).  If that new
diff --git a/applypatch/utils.c b/applypatch/utils.cpp
similarity index 91%
rename from applypatch/utils.c
rename to applypatch/utils.cpp
index 41ff676..4a80be7 100644
--- a/applypatch/utils.c
+++ b/applypatch/utils.cpp
@@ -39,13 +39,13 @@
 }
 
 int Read2(void* pv) {
-    unsigned char* p = pv;
+    unsigned char* p = reinterpret_cast<unsigned char*>(pv);
     return (int)(((unsigned int)p[1] << 8) |
                  (unsigned int)p[0]);
 }
 
 int Read4(void* pv) {
-    unsigned char* p = pv;
+    unsigned char* p = reinterpret_cast<unsigned char*>(pv);
     return (int)(((unsigned int)p[3] << 24) |
                  ((unsigned int)p[2] << 16) |
                  ((unsigned int)p[1] << 8) |
@@ -53,7 +53,7 @@
 }
 
 long long Read8(void* pv) {
-    unsigned char* p = pv;
+    unsigned char* p = reinterpret_cast<unsigned char*>(pv);
     return (long long)(((unsigned long long)p[7] << 56) |
                        ((unsigned long long)p[6] << 48) |
                        ((unsigned long long)p[5] << 40) |
diff --git a/bootloader.h b/bootloader.h
index c2895dd..742a4ab 100644
--- a/bootloader.h
+++ b/bootloader.h
@@ -17,10 +17,6 @@
 #ifndef _RECOVERY_BOOTLOADER_H
 #define _RECOVERY_BOOTLOADER_H
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 /* Bootloader Message
  *
  * This structure describes the content of a block in flash
@@ -43,6 +39,13 @@
  * multiple times, so that the UI can reflect which invocation of the
  * package it is.  If the value is of the format "#/#" (eg, "1/3"),
  * the UI will add a simple indicator of that status.
+ *
+ * The slot_suffix field is used for A/B implementations where the
+ * bootloader does not set the androidboot.ro.boot.slot_suffix kernel
+ * commandline parameter. This is used by fs_mgr to mount /system and
+ * other partitions with the slotselect flag set in fstab. A/B
+ * implementations are free to use all 32 bytes and may store private
+ * data past the first NUL-byte in this field.
  */
 struct bootloader_message {
     char command[32];
@@ -55,7 +58,8 @@
     // stage string (for multistage packages) and possible future
     // expansion.
     char stage[32];
-    char reserved[224];
+    char slot_suffix[32];
+    char reserved[192];
 };
 
 /* Read and write the bootloader command from the "misc" partition.
@@ -64,8 +68,4 @@
 int get_bootloader_message(struct bootloader_message *out);
 int set_bootloader_message(const struct bootloader_message *in);
 
-#ifdef __cplusplus
-}
-#endif
-
 #endif
diff --git a/common.h b/common.h
index b818ceb..de8b409 100644
--- a/common.h
+++ b/common.h
@@ -21,10 +21,6 @@
 #include <stdio.h>
 #include <stdarg.h>
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 #define LOGE(...) ui_print("E:" __VA_ARGS__)
 #define LOGW(...) fprintf(stdout, "W:" __VA_ARGS__)
 #define LOGI(...) fprintf(stdout, "I:" __VA_ARGS__)
@@ -50,8 +46,4 @@
 
 bool is_ro_debuggable();
 
-#ifdef __cplusplus
-}
-#endif
-
 #endif  // RECOVERY_COMMON_H
diff --git a/edify/Android.mk b/edify/Android.mk
index c366450..9b859d4 100644
--- a/edify/Android.mk
+++ b/edify/Android.mk
@@ -5,12 +5,7 @@
 edify_src_files := \
 	lexer.l \
 	parser.y \
-	expr.c
-
-# "-x c" forces the lex/yacc files to be compiled as c the build system
-# otherwise forces them to be c++. Need to also add an explicit -std because the
-# build system will soon default C++ to -std=c++11.
-edify_cflags := -x c -std=gnu89
+	expr.cpp
 
 #
 # Build the host-side command line tool
@@ -19,12 +14,13 @@
 
 LOCAL_SRC_FILES := \
 		$(edify_src_files) \
-		main.c
+		main.cpp
 
-LOCAL_CFLAGS := $(edify_cflags) -g -O0
+LOCAL_CPPFLAGS := -g -O0
 LOCAL_MODULE := edify
 LOCAL_YACCFLAGS := -v
-LOCAL_CFLAGS += -Wno-unused-parameter
+LOCAL_CPPFLAGS += -Wno-unused-parameter
+LOCAL_CPPFLAGS += -Wno-deprecated-register
 LOCAL_CLANG := true
 
 include $(BUILD_HOST_EXECUTABLE)
@@ -36,8 +32,8 @@
 
 LOCAL_SRC_FILES := $(edify_src_files)
 
-LOCAL_CFLAGS := $(edify_cflags)
-LOCAL_CFLAGS += -Wno-unused-parameter
+LOCAL_CPPFLAGS := -Wno-unused-parameter
+LOCAL_CPPFLAGS += -Wno-deprecated-register
 LOCAL_MODULE := libedify
 LOCAL_CLANG := true
 
diff --git a/edify/expr.c b/edify/expr.cpp
similarity index 92%
rename from edify/expr.c
rename to edify/expr.cpp
index 79f6282..cd1e087 100644
--- a/edify/expr.c
+++ b/edify/expr.cpp
@@ -51,7 +51,7 @@
 
 Value* StringValue(char* str) {
     if (str == NULL) return NULL;
-    Value* v = malloc(sizeof(Value));
+    Value* v = reinterpret_cast<Value*>(malloc(sizeof(Value)));
     v->type = VAL_STRING;
     v->size = strlen(str);
     v->data = str;
@@ -68,7 +68,7 @@
     if (argc == 0) {
         return StringValue(strdup(""));
     }
-    char** strings = malloc(argc * sizeof(char*));
+    char** strings = reinterpret_cast<char**>(malloc(argc * sizeof(char*)));
     int i;
     for (i = 0; i < argc; ++i) {
         strings[i] = NULL;
@@ -83,8 +83,9 @@
         length += strlen(strings[i]);
     }
 
-    result = malloc(length+1);
-    int p = 0;
+    result = reinterpret_cast<char*>(malloc(length+1));
+    int p;
+    p = 0;
     for (i = 0; i < argc; ++i) {
         strcpy(result+p, strings[i]);
         p += strlen(strings[i]);
@@ -149,7 +150,7 @@
         if (!b) {
             int prefix_len;
             int len = argv[i]->end - argv[i]->start;
-            char* err_src = malloc(len + 20);
+            char* err_src = reinterpret_cast<char*>(malloc(len + 20));
             strcpy(err_src, "assert failed: ");
             prefix_len = strlen(err_src);
             memcpy(err_src + prefix_len, state->script + argv[i]->start, len);
@@ -290,7 +291,8 @@
         goto done;
     }
 
-    long r_int = strtol(right, &end, 10);
+    long r_int;
+    r_int = strtol(right, &end, 10);
     if (right[0] == '\0' || *end != '\0') {
         goto done;
     }
@@ -325,11 +327,11 @@
 Expr* Build(Function fn, YYLTYPE loc, int count, ...) {
     va_list v;
     va_start(v, count);
-    Expr* e = malloc(sizeof(Expr));
+    Expr* e = reinterpret_cast<Expr*>(malloc(sizeof(Expr)));
     e->fn = fn;
     e->name = "(operator)";
     e->argc = count;
-    e->argv = malloc(count * sizeof(Expr*));
+    e->argv = reinterpret_cast<Expr**>(malloc(count * sizeof(Expr*)));
     int i;
     for (i = 0; i < count; ++i) {
         e->argv[i] = va_arg(v, Expr*);
@@ -351,7 +353,7 @@
 void RegisterFunction(const char* name, Function fn) {
     if (fn_entries >= fn_size) {
         fn_size = fn_size*2 + 1;
-        fn_table = realloc(fn_table, fn_size * sizeof(NamedFunction));
+        fn_table = reinterpret_cast<NamedFunction*>(realloc(fn_table, fn_size * sizeof(NamedFunction)));
     }
     fn_table[fn_entries].name = name;
     fn_table[fn_entries].fn = fn;
@@ -371,8 +373,8 @@
 Function FindFunction(const char* name) {
     NamedFunction key;
     key.name = name;
-    NamedFunction* nf = bsearch(&key, fn_table, fn_entries,
-                                sizeof(NamedFunction), fn_entry_compare);
+    NamedFunction* nf = reinterpret_cast<NamedFunction*>(bsearch(&key, fn_table, fn_entries,
+            sizeof(NamedFunction), fn_entry_compare));
     if (nf == NULL) {
         return NULL;
     }
@@ -401,7 +403,7 @@
 // zero or more char** to put them in).  If any expression evaluates
 // to NULL, free the rest and return -1.  Return 0 on success.
 int ReadArgs(State* state, Expr* argv[], int count, ...) {
-    char** args = malloc(count * sizeof(char*));
+    char** args = reinterpret_cast<char**>(malloc(count * sizeof(char*)));
     va_list v;
     va_start(v, count);
     int i;
@@ -427,7 +429,7 @@
 // zero or more Value** to put them in).  If any expression evaluates
 // to NULL, free the rest and return -1.  Return 0 on success.
 int ReadValueArgs(State* state, Expr* argv[], int count, ...) {
-    Value** args = malloc(count * sizeof(Value*));
+    Value** args = reinterpret_cast<Value**>(malloc(count * sizeof(Value*)));
     va_list v;
     va_start(v, count);
     int i;
@@ -494,7 +496,7 @@
 // Use printf-style arguments to compose an error message to put into
 // *state.  Returns NULL.
 Value* ErrorAbort(State* state, const char* format, ...) {
-    char* buffer = malloc(4096);
+    char* buffer = reinterpret_cast<char*>(malloc(4096));
     va_list v;
     va_start(v, format);
     vsnprintf(buffer, 4096, format, v);
diff --git a/edify/expr.h b/edify/expr.h
index a9ed2f9..36f8e96 100644
--- a/edify/expr.h
+++ b/edify/expr.h
@@ -21,10 +21,6 @@
 
 #include "yydefs.h"
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 #define MAX_STRING_LEN 1024
 
 typedef struct Expr Expr;
@@ -59,7 +55,7 @@
 
 struct Expr {
     Function fn;
-    char* name;
+    const char* name;
     int argc;
     Expr** argv;
     int start, end;
@@ -166,8 +162,4 @@
 
 int parse_string(const char* str, Expr** root, int* error_count);
 
-#ifdef __cplusplus
-}  // extern "C"
-#endif
-
 #endif  // _EXPRESSION_H
diff --git a/edify/main.c b/edify/main.cpp
similarity index 100%
rename from edify/main.c
rename to edify/main.cpp
diff --git a/edify/parser.y b/edify/parser.y
index f8fb2d1..098a637 100644
--- a/edify/parser.y
+++ b/edify/parser.y
@@ -70,7 +70,7 @@
 ;
 
 expr:  STRING {
-    $$ = malloc(sizeof(Expr));
+    $$ = reinterpret_cast<Expr*>(malloc(sizeof(Expr)));
     $$->fn = Literal;
     $$->name = $1;
     $$->argc = 0;
@@ -91,7 +91,7 @@
 |  IF expr THEN expr ENDIF           { $$ = Build(IfElseFn, @$, 2, $2, $4); }
 |  IF expr THEN expr ELSE expr ENDIF { $$ = Build(IfElseFn, @$, 3, $2, $4, $6); }
 | STRING '(' arglist ')' {
-    $$ = malloc(sizeof(Expr));
+    $$ = reinterpret_cast<Expr*>(malloc(sizeof(Expr)));
     $$->fn = FindFunction($1);
     if ($$->fn == NULL) {
         char buffer[256];
@@ -113,12 +113,12 @@
 }
 | expr {
     $$.argc = 1;
-    $$.argv = malloc(sizeof(Expr*));
+    $$.argv = reinterpret_cast<Expr**>(malloc(sizeof(Expr*)));
     $$.argv[0] = $1;
 }
 | arglist ',' expr {
     $$.argc = $1.argc + 1;
-    $$.argv = realloc($$.argv, $$.argc * sizeof(Expr*));
+    $$.argv = reinterpret_cast<Expr**>(realloc($$.argv, $$.argc * sizeof(Expr*)));
     $$.argv[$$.argc-1] = $3;
 }
 ;
diff --git a/etc/init.rc b/etc/init.rc
index 4277277..dc18659 100644
--- a/etc/init.rc
+++ b/etc/init.rc
@@ -5,7 +5,6 @@
     start healthd
 
 on init
-    export PATH /sbin:/system/bin
     export ANDROID_ROOT /system
     export ANDROID_DATA /data
     export EXTERNAL_STORAGE /sdcard
diff --git a/fuse_sdcard_provider.c b/fuse_sdcard_provider.cpp
similarity index 92%
rename from fuse_sdcard_provider.c
rename to fuse_sdcard_provider.cpp
index 4565c7b..eb6454f 100644
--- a/fuse_sdcard_provider.c
+++ b/fuse_sdcard_provider.cpp
@@ -34,7 +34,7 @@
 };
 
 static int read_block_file(void* cookie, uint32_t block, uint8_t* buffer, uint32_t fetch_size) {
-    struct file_data* fd = (struct file_data*)cookie;
+    file_data* fd = reinterpret_cast<file_data*>(cookie);
 
     off64_t offset = ((off64_t) block) * fd->block_size;
     if (TEMP_FAILURE_RETRY(lseek64(fd->fd, offset, SEEK_SET)) == -1) {
@@ -56,7 +56,7 @@
 }
 
 static void close_file(void* cookie) {
-    struct file_data* fd = (struct file_data*)cookie;
+    file_data* fd = reinterpret_cast<file_data*>(cookie);
     close(fd->fd);
 }
 
@@ -67,7 +67,7 @@
 };
 
 static void* run_sdcard_fuse(void* cookie) {
-    struct token* t = (struct token*)cookie;
+    token* t = reinterpret_cast<token*>(cookie);
 
     struct stat sb;
     if (stat(t->path, &sb) < 0) {
@@ -100,7 +100,7 @@
 #define SDCARD_INSTALL_TIMEOUT 10
 
 void* start_sdcard_fuse(const char* path) {
-    struct token* t = malloc(sizeof(struct token));
+    token* t = new token;
 
     t->path = path;
     pthread_create(&(t->th), NULL, run_sdcard_fuse, t);
@@ -128,7 +128,7 @@
 
 void finish_sdcard_fuse(void* cookie) {
     if (cookie == NULL) return;
-    struct token* t = (struct token*)cookie;
+    token* t = reinterpret_cast<token*>(cookie);
 
     // Calling stat() on this magic filename signals the fuse
     // filesystem to shut down.
@@ -136,5 +136,5 @@
     stat(FUSE_SIDELOAD_HOST_EXIT_PATHNAME, &st);
 
     pthread_join(t->th, NULL);
-    free(t);
+    delete t;
 }
diff --git a/fuse_sdcard_provider.h b/fuse_sdcard_provider.h
index dbfbcd5..dc2982c 100644
--- a/fuse_sdcard_provider.h
+++ b/fuse_sdcard_provider.h
@@ -17,13 +17,7 @@
 #ifndef __FUSE_SDCARD_PROVIDER_H
 #define __FUSE_SDCARD_PROVIDER_H
 
-#include <sys/cdefs.h>
-
-__BEGIN_DECLS
-
 void* start_sdcard_fuse(const char* path);
 void finish_sdcard_fuse(void* token);
 
-__END_DECLS
-
 #endif
diff --git a/fuse_sideload.c b/fuse_sideload.cpp
similarity index 96%
rename from fuse_sideload.c
rename to fuse_sideload.cpp
index 48e6cc5..9c3e75f 100644
--- a/fuse_sideload.c
+++ b/fuse_sideload.cpp
@@ -116,7 +116,7 @@
 }
 
 static int handle_init(void* data, struct fuse_data* fd, const struct fuse_in_header* hdr) {
-    const struct fuse_init_in* req = data;
+    const struct fuse_init_in* req = reinterpret_cast<const struct fuse_init_in*>(data);
     struct fuse_init_out out;
     size_t fuse_struct_size;
 
@@ -170,8 +170,7 @@
     attr->mode = mode;
 }
 
-static int handle_getattr(void* data, struct fuse_data* fd, const struct fuse_in_header* hdr) {
-    const struct fuse_getattr_in* req = data;
+static int handle_getattr(void* /* data */, struct fuse_data* fd, const struct fuse_in_header* hdr) {
     struct fuse_attr_out out;
     memset(&out, 0, sizeof(out));
     out.attr_valid = 10;
@@ -197,12 +196,12 @@
     out.entry_valid = 10;
     out.attr_valid = 10;
 
-    if (strncmp(FUSE_SIDELOAD_HOST_FILENAME, data,
+    if (strncmp(FUSE_SIDELOAD_HOST_FILENAME, reinterpret_cast<const char*>(data),
                 sizeof(FUSE_SIDELOAD_HOST_FILENAME)) == 0) {
         out.nodeid = PACKAGE_FILE_ID;
         out.generation = PACKAGE_FILE_ID;
         fill_attr(&(out.attr), fd, PACKAGE_FILE_ID, fd->file_size, S_IFREG | 0444);
-    } else if (strncmp(FUSE_SIDELOAD_HOST_EXIT_FLAG, data,
+    } else if (strncmp(FUSE_SIDELOAD_HOST_EXIT_FLAG, reinterpret_cast<const char*>(data),
                        sizeof(FUSE_SIDELOAD_HOST_EXIT_FLAG)) == 0) {
         out.nodeid = EXIT_FLAG_ID;
         out.generation = EXIT_FLAG_ID;
@@ -215,9 +214,7 @@
     return (out.nodeid == EXIT_FLAG_ID) ? NO_STATUS_EXIT : NO_STATUS;
 }
 
-static int handle_open(void* data, struct fuse_data* fd, const struct fuse_in_header* hdr) {
-    const struct fuse_open_in* req = data;
-
+static int handle_open(void* /* data */, struct fuse_data* fd, const struct fuse_in_header* hdr) {
     if (hdr->nodeid == EXIT_FLAG_ID) return -EPERM;
     if (hdr->nodeid != PACKAGE_FILE_ID) return -ENOENT;
 
@@ -292,7 +289,7 @@
 }
 
 static int handle_read(void* data, struct fuse_data* fd, const struct fuse_in_header* hdr) {
-    const struct fuse_read_in* req = data;
+    const struct fuse_read_in* req = reinterpret_cast<const struct fuse_read_in*>(data);
     struct fuse_out_header outhdr;
     struct iovec vec[3];
     int vec_used;
diff --git a/fuse_sideload.h b/fuse_sideload.h
index f9e3bf0..c0b16ef 100644
--- a/fuse_sideload.h
+++ b/fuse_sideload.h
@@ -17,10 +17,6 @@
 #ifndef __FUSE_SIDELOAD_H
 #define __FUSE_SIDELOAD_H
 
-#include <sys/cdefs.h>
-
-__BEGIN_DECLS
-
 // define the filenames created by the sideload FUSE filesystem
 #define FUSE_SIDELOAD_HOST_MOUNTPOINT "/sideload"
 #define FUSE_SIDELOAD_HOST_FILENAME "package.zip"
@@ -39,6 +35,4 @@
 int run_fuse_sideload(struct provider_vtab* vtab, void* cookie,
                       uint64_t file_size, uint32_t block_size);
 
-__END_DECLS
-
 #endif
diff --git a/install.cpp b/install.cpp
index c7d382f..7d88ed7 100644
--- a/install.cpp
+++ b/install.cpp
@@ -164,9 +164,9 @@
         } else if (strcmp(command, "ui_print") == 0) {
             char* str = strtok(NULL, "\n");
             if (str) {
-                ui->Print("%s", str);
+                ui->PrintOnScreenOnly("%s", str);
             } else {
-                ui->Print("\n");
+                ui->PrintOnScreenOnly("\n");
             }
             fflush(stdout);
         } else if (strcmp(command, "wipe_cache") == 0) {
diff --git a/minadbd/adb_main.cpp b/minadbd/adb_main.cpp
index 7fae99a..c968204 100644
--- a/minadbd/adb_main.cpp
+++ b/minadbd/adb_main.cpp
@@ -19,21 +19,15 @@
 #include <stdio.h>
 #include <stdlib.h>
 
-#define TRACE_TAG TRACE_ADB
-
 #include "sysdeps.h"
 
 #include "adb.h"
 #include "adb_auth.h"
 #include "transport.h"
 
-int adb_main(int is_daemon, int server_port)
-{
-    atexit(usb_cleanup);
-
+int adb_main(int is_daemon, int server_port, int /* reply_fd */) {
     adb_device_banner = "sideload";
 
-    // No SIGCHLD. Let the service subproc handle its children.
     signal(SIGPIPE, SIG_IGN);
 
     // We can't require authentication for sideloading. http://b/22025550.
@@ -42,7 +36,7 @@
     init_transport_registration();
     usb_init();
 
-    D("Event loop starting\n");
+    VLOG(ADB) << "Event loop starting";
     fdevent_loop();
 
     return 0;
diff --git a/minadbd/services.cpp b/minadbd/services.cpp
index dd1fd7c..d25648f 100644
--- a/minadbd/services.cpp
+++ b/minadbd/services.cpp
@@ -23,7 +23,6 @@
 
 #include "sysdeps.h"
 
-#define  TRACE_TAG  TRACE_SERVICES
 #include "adb.h"
 #include "fdevent.h"
 #include "fuse_adb_provider.h"
@@ -44,13 +43,14 @@
 }
 
 static void sideload_host_service(int sfd, void* data) {
-    const char* args = reinterpret_cast<const char*>(data);
+    char* args = reinterpret_cast<char*>(data);
     int file_size;
     int block_size;
     if (sscanf(args, "%d:%d", &file_size, &block_size) != 2) {
         printf("bad sideload-host arguments: %s\n", args);
         exit(1);
     }
+    free(args);
 
     printf("sideload-host file size %d block size %d\n", file_size, block_size);
 
@@ -61,8 +61,7 @@
     exit(result == 0 ? 0 : 1);
 }
 
-static int create_service_thread(void (*func)(int, void *), void *cookie)
-{
+static int create_service_thread(void (*func)(int, void *), void *cookie) {
     int s[2];
     if(adb_socketpair(s)) {
         printf("cannot create service socket pair\n");
@@ -75,8 +74,7 @@
     sti->cookie = cookie;
     sti->fd = s[1];
 
-    adb_thread_t t;
-    if (adb_thread_create( &t, service_bootstrap_func, sti)){
+    if (!adb_thread_create(service_bootstrap_func, sti)) {
         free(sti);
         adb_close(s[0]);
         adb_close(s[1]);
@@ -84,11 +82,11 @@
         return -1;
     }
 
-    D("service thread started, %d:%d\n",s[0], s[1]);
+    VLOG(SERVICES) << "service thread started, " << s[0] << ":" << s[1];
     return s[0];
 }
 
-int service_to_fd(const char* name) {
+int service_to_fd(const char* name, const atransport* transport) {
     int ret = -1;
 
     if (!strncmp(name, "sideload:", 9)) {
@@ -97,7 +95,8 @@
         // sideload-host).
         exit(3);
     } else if (!strncmp(name, "sideload-host:", 14)) {
-        ret = create_service_thread(sideload_host_service, (void*)(name + 14));
+        char* arg = strdup(name + 14);
+        ret = create_service_thread(sideload_host_service, arg);
     }
     if (ret >= 0) {
         close_on_exec(ret);
diff --git a/minzip/Android.mk b/minzip/Android.mk
index 48d26bc..22eabfb 100644
--- a/minzip/Android.mk
+++ b/minzip/Android.mk
@@ -18,6 +18,6 @@
 
 LOCAL_CLANG := true
 
-LOCAL_CFLAGS += -Wall
+LOCAL_CFLAGS += -Werror -Wall
 
 include $(BUILD_STATIC_LIBRARY)
diff --git a/minzip/Hash.c b/minzip/Hash.c
index 8f8ed68..49bcb31 100644
--- a/minzip/Hash.c
+++ b/minzip/Hash.c
@@ -361,7 +361,7 @@
     {
         const void* data = (const void*)mzHashIterData(&iter);
         int count;
-            
+
         count = countProbes(pHashTable, (*calcFunc)(data), data, cmpFunc);
 
         numEntries++;
@@ -373,7 +373,7 @@
         totalProbe += count;
     }
 
-    LOGI("Probe: min=%d max=%d, total=%d in %d (%d), avg=%.3f\n",
+    LOGV("Probe: min=%d max=%d, total=%d in %d (%d), avg=%.3f\n",
         minProbe, maxProbe, totalProbe, numEntries, pHashTable->tableSize,
         (float) totalProbe / (float) numEntries);
 }
diff --git a/minzip/Hash.h b/minzip/Hash.h
index 8194537..e83eac4 100644
--- a/minzip/Hash.h
+++ b/minzip/Hash.h
@@ -15,6 +15,10 @@
 #include <stdbool.h>
 #include <assert.h>
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 /* compute the hash of an item with a specific type */
 typedef unsigned int (*HashCompute)(const void* item);
 
@@ -183,4 +187,8 @@
 void mzHashTableProbeCount(HashTable* pHashTable, HashCalcFunc calcFunc,
     HashCompareFunc cmpFunc);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /*_MINZIP_HASH*/
diff --git a/minzip/SysUtil.c b/minzip/SysUtil.c
index b160c9e..09ec876 100644
--- a/minzip/SysUtil.c
+++ b/minzip/SysUtil.c
@@ -3,86 +3,46 @@
  *
  * System utilities.
  */
-#include <stdlib.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/mman.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+#include <assert.h>
+#include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
-#include <errno.h>
-#include <assert.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
 
 #define LOG_TAG "sysutil"
 #include "Log.h"
 #include "SysUtil.h"
 
-static int getFileStartAndLength(int fd, off_t *start_, size_t *length_)
-{
-    off_t start, end;
-    size_t length;
-
-    assert(start_ != NULL);
-    assert(length_ != NULL);
-
-    // TODO: isn't start always 0 for the single call site? just use fstat instead?
-
-    start = TEMP_FAILURE_RETRY(lseek(fd, 0L, SEEK_CUR));
-    end = TEMP_FAILURE_RETRY(lseek(fd, 0L, SEEK_END));
-
-    if (TEMP_FAILURE_RETRY(lseek(fd, start, SEEK_SET)) == -1 ||
-                start == (off_t) -1 || end == (off_t) -1) {
-        LOGE("could not determine length of file\n");
-        return -1;
-    }
-
-    length = end - start;
-    if (length == 0) {
-        LOGE("file is empty\n");
-        return -1;
-    }
-
-    *start_ = start;
-    *length_ = length;
-
-    return 0;
-}
-
-/*
- * Map a file (from fd's current offset) into a private, read-only memory
- * segment.  The file offset must be a multiple of the page size.
- *
- * On success, returns 0 and fills out "pMap".  On failure, returns a nonzero
- * value and does not disturb "pMap".
- */
-static int sysMapFD(int fd, MemMapping* pMap)
-{
-    off_t start;
-    size_t length;
-    void* memPtr;
-
+static bool sysMapFD(int fd, MemMapping* pMap) {
     assert(pMap != NULL);
 
-    if (getFileStartAndLength(fd, &start, &length) < 0)
-        return -1;
+    struct stat sb;
+    if (fstat(fd, &sb) == -1) {
+        LOGE("fstat(%d) failed: %s\n", fd, strerror(errno));
+        return false;
+    }
 
-    memPtr = mmap(NULL, length, PROT_READ, MAP_PRIVATE, fd, start);
+    void* memPtr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
     if (memPtr == MAP_FAILED) {
-        LOGW("mmap(%d, R, PRIVATE, %d, %d) failed: %s\n", (int) length,
-            fd, (int) start, strerror(errno));
-        return -1;
+        LOGE("mmap(%d, R, PRIVATE, %d, 0) failed: %s\n", (int) sb.st_size, fd, strerror(errno));
+        return false;
     }
 
     pMap->addr = memPtr;
-    pMap->length = length;
+    pMap->length = sb.st_size;
     pMap->range_count = 1;
     pMap->ranges = malloc(sizeof(MappedRange));
     pMap->ranges[0].addr = memPtr;
-    pMap->ranges[0].length = length;
+    pMap->ranges[0].length = sb.st_size;
 
-    return 0;
+    return true;
 }
 
 static int sysMapBlockFile(FILE* mapf, MemMapping* pMap)
@@ -95,7 +55,7 @@
     unsigned int i;
 
     if (fgets(block_dev, sizeof(block_dev), mapf) == NULL) {
-        LOGW("failed to read block device from header\n");
+        LOGE("failed to read block device from header\n");
         return -1;
     }
     for (i = 0; i < sizeof(block_dev); ++i) {
@@ -106,7 +66,7 @@
     }
 
     if (fscanf(mapf, "%zu %u\n%u\n", &size, &blksize, &range_count) != 3) {
-        LOGW("failed to parse block map header\n");
+        LOGE("failed to parse block map header\n");
         return -1;
     }
 
@@ -120,7 +80,7 @@
     unsigned char* reserve;
     reserve = mmap64(NULL, blocks * blksize, PROT_NONE, MAP_PRIVATE | MAP_ANON, -1, 0);
     if (reserve == MAP_FAILED) {
-        LOGW("failed to reserve address space: %s\n", strerror(errno));
+        LOGE("failed to reserve address space: %s\n", strerror(errno));
         return -1;
     }
 
@@ -129,7 +89,7 @@
 
     int fd = open(block_dev, O_RDONLY);
     if (fd < 0) {
-        LOGW("failed to open block device %s: %s\n", block_dev, strerror(errno));
+        LOGE("failed to open block device %s: %s\n", block_dev, strerror(errno));
         return -1;
     }
 
@@ -137,13 +97,13 @@
     for (i = 0; i < range_count; ++i) {
         int start, end;
         if (fscanf(mapf, "%d %d\n", &start, &end) != 2) {
-            LOGW("failed to parse range %d in block map\n", i);
+            LOGE("failed to parse range %d in block map\n", i);
             return -1;
         }
 
         void* addr = mmap64(next, (end-start)*blksize, PROT_READ, MAP_PRIVATE | MAP_FIXED, fd, ((off64_t)start)*blksize);
         if (addr == MAP_FAILED) {
-            LOGW("failed to map block %d: %s\n", i, strerror(errno));
+            LOGE("failed to map block %d: %s\n", i, strerror(errno));
             return -1;
         }
         pMap->ranges[i].addr = addr;
@@ -168,25 +128,25 @@
         // A map of blocks
         FILE* mapf = fopen(fn+1, "r");
         if (mapf == NULL) {
-            LOGV("Unable to open '%s': %s\n", fn+1, strerror(errno));
+            LOGE("Unable to open '%s': %s\n", fn+1, strerror(errno));
             return -1;
         }
 
         if (sysMapBlockFile(mapf, pMap) != 0) {
-            LOGW("Map of '%s' failed\n", fn);
+            LOGE("Map of '%s' failed\n", fn);
             return -1;
         }
 
         fclose(mapf);
     } else {
         // This is a regular file.
-        int fd = open(fn, O_RDONLY, 0);
-        if (fd < 0) {
+        int fd = open(fn, O_RDONLY);
+        if (fd == -1) {
             LOGE("Unable to open '%s': %s\n", fn, strerror(errno));
             return -1;
         }
 
-        if (sysMapFD(fd, pMap) != 0) {
+        if (!sysMapFD(fd, pMap)) {
             LOGE("Map of '%s' failed\n", fn);
             close(fd);
             return -1;
@@ -205,7 +165,7 @@
     int i;
     for (i = 0; i < pMap->range_count; ++i) {
         if (munmap(pMap->ranges[i].addr, pMap->ranges[i].length) < 0) {
-            LOGW("munmap(%p, %d) failed: %s\n",
+            LOGE("munmap(%p, %d) failed: %s\n",
                  pMap->ranges[i].addr, (int)pMap->ranges[i].length, strerror(errno));
         }
     }
diff --git a/minzip/Zip.c b/minzip/Zip.c
index a64c833..bdb565c 100644
--- a/minzip/Zip.c
+++ b/minzip/Zip.c
@@ -198,10 +198,10 @@
      */
     val = get4LE(pArchive->addr);
     if (val == ENDSIG) {
-        LOGI("Found Zip archive, but it looks empty\n");
+        LOGW("Found Zip archive, but it looks empty\n");
         goto bail;
     } else if (val != LOCSIG) {
-        LOGV("Not a Zip archive (found 0x%08x)\n", val);
+        LOGW("Not a Zip archive (found 0x%08x)\n", val);
         goto bail;
     }
 
@@ -217,7 +217,7 @@
         ptr--;
     }
     if (ptr < (const unsigned char*) pArchive->addr) {
-        LOGI("Could not find end-of-central-directory in Zip\n");
+        LOGW("Could not find end-of-central-directory in Zip\n");
         goto bail;
     }
 
@@ -429,7 +429,7 @@
 
     if (length < ENDHDR) {
         err = -1;
-        LOGV("File '%s' too small to be zip (%zd)\n", fileName, map.length);
+        LOGW("Archive %p is too small to be zip (%zd)\n", pArchive, length);
         goto bail;
     }
 
@@ -438,7 +438,7 @@
 
     if (!parseZipArchive(pArchive)) {
         err = -1;
-        LOGV("Parsing '%s' failed\n", fileName);
+        LOGW("Parsing archive %p failed\n", pArchive);
         goto bail;
     }
 
@@ -548,7 +548,7 @@
         /* uncompress the data */
         zerr = inflate(&zstream, Z_NO_FLUSH);
         if (zerr != Z_OK && zerr != Z_STREAM_END) {
-            LOGD("zlib inflate call failed (zerr=%d)\n", zerr);
+            LOGW("zlib inflate call failed (zerr=%d)\n", zerr);
             goto z_bail;
         }
 
@@ -619,13 +619,6 @@
     return ret;
 }
 
-static bool crcProcessFunction(const unsigned char *data, int dataLen,
-        void *crc)
-{
-    *(unsigned long *)crc = crc32(*(unsigned long *)crc, data, dataLen);
-    return true;
-}
-
 typedef struct {
     char *buf;
     int bufLen;
@@ -1014,7 +1007,7 @@
         if (callback != NULL) callback(targetFile, cookie);
     }
 
-    LOGD("Extracted %d file(s)\n", extractCount);
+    LOGV("Extracted %d file(s)\n", extractCount);
 
     free(helper.buf);
     free(zpath);
diff --git a/mtdutils/mtdutils.c b/mtdutils/mtdutils.c
index cc30334..cd4f52c 100644
--- a/mtdutils/mtdutils.c
+++ b/mtdutils/mtdutils.c
@@ -300,20 +300,20 @@
         if (TEMP_FAILURE_RETRY(lseek64(fd, pos, SEEK_SET)) != pos ||
                     TEMP_FAILURE_RETRY(read(fd, data, size)) != size) {
             printf("mtd: read error at 0x%08llx (%s)\n",
-                    pos, strerror(errno));
+                   (long long)pos, strerror(errno));
         } else if (ioctl(fd, ECCGETSTATS, &after)) {
             printf("mtd: ECCGETSTATS error (%s)\n", strerror(errno));
             return -1;
         } else if (after.failed != before.failed) {
             printf("mtd: ECC errors (%d soft, %d hard) at 0x%08llx\n",
-                    after.corrected - before.corrected,
-                    after.failed - before.failed, pos);
+                   after.corrected - before.corrected,
+                   after.failed - before.failed, (long long)pos);
             // copy the comparison baseline for the next read.
             memcpy(&before, &after, sizeof(struct mtd_ecc_stats));
         } else if ((mgbb = ioctl(fd, MEMGETBADBLOCK, &pos))) {
             fprintf(stderr,
                     "mtd: MEMGETBADBLOCK returned %d at 0x%08llx: %s\n",
-                    mgbb, pos, strerror(errno));
+                    mgbb, (long long)pos, strerror(errno));
         } else {
             return 0;  // Success!
         }
diff --git a/print_sha1.h b/print_sha1.h
new file mode 100644
index 0000000..9e37c5f
--- /dev/null
+++ b/print_sha1.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef RECOVERY_PRINT_SHA1_H
+#define RECOVERY_PRINT_SHA1_H
+
+#include <stdint.h>
+#include <string>
+
+#include "mincrypt/sha.h"
+
+static std::string print_sha1(const uint8_t sha1[SHA_DIGEST_SIZE], size_t len) {
+    const char* hex = "0123456789abcdef";
+    std::string result = "";
+    for (size_t i = 0; i < len; ++i) {
+        result.push_back(hex[(sha1[i]>>4) & 0xf]);
+        result.push_back(hex[sha1[i] & 0xf]);
+    }
+    return result;
+}
+
+static std::string print_sha1(const uint8_t sha1[SHA_DIGEST_SIZE]) {
+    return print_sha1(sha1, SHA_DIGEST_SIZE);
+}
+
+static std::string short_sha1(const uint8_t sha1[SHA_DIGEST_SIZE]) {
+    return print_sha1(sha1, 4);
+}
+
+#endif  // RECOVERY_PRINT_SHA1_H
diff --git a/recovery.cpp b/recovery.cpp
index a0c7452..5f3bfca 100644
--- a/recovery.cpp
+++ b/recovery.cpp
@@ -31,24 +31,26 @@
 #include <time.h>
 #include <unistd.h>
 
+#include <chrono>
+
+#include <adb.h>
 #include <base/file.h>
 #include <base/stringprintf.h>
+#include <cutils/android_reboot.h>
+#include <cutils/properties.h>
 
+#include "adb_install.h"
 #include "bootloader.h"
 #include "common.h"
-#include "cutils/properties.h"
-#include "cutils/android_reboot.h"
+#include "device.h"
+#include "fuse_sdcard_provider.h"
+#include "fuse_sideload.h"
 #include "install.h"
 #include "minui/minui.h"
 #include "minzip/DirUtil.h"
 #include "roots.h"
 #include "ui.h"
 #include "screen_ui.h"
-#include "device.h"
-#include "adb_install.h"
-#include "adb.h"
-#include "fuse_sideload.h"
-#include "fuse_sdcard_provider.h"
 
 struct selabel_handle *sehandle;
 
@@ -151,8 +153,7 @@
 static const int MAX_ARGS = 100;
 
 // open a given path, mounting partitions as necessary
-FILE*
-fopen_path(const char *path, const char *mode) {
+FILE* fopen_path(const char *path, const char *mode) {
     if (ensure_path_mounted(path) != 0) {
         LOGE("Can't mount %s\n", path);
         return NULL;
@@ -166,23 +167,102 @@
     return fp;
 }
 
+// close a file, log an error if the error indicator is set
+static void check_and_fclose(FILE *fp, const char *name) {
+    fflush(fp);
+    if (ferror(fp)) LOGE("Error in %s\n(%s)\n", name, strerror(errno));
+    fclose(fp);
+}
+
 bool is_ro_debuggable() {
     char value[PROPERTY_VALUE_MAX+1];
     return (property_get("ro.debuggable", value, NULL) == 1 && value[0] == '1');
 }
 
 static void redirect_stdio(const char* filename) {
-    // If these fail, there's not really anywhere to complain...
-    freopen(filename, "a", stdout); setbuf(stdout, NULL);
-    freopen(filename, "a", stderr); setbuf(stderr, NULL);
-}
+    int pipefd[2];
+    if (pipe(pipefd) == -1) {
+        LOGE("pipe failed: %s\n", strerror(errno));
 
-// close a file, log an error if the error indicator is set
-static void
-check_and_fclose(FILE *fp, const char *name) {
-    fflush(fp);
-    if (ferror(fp)) LOGE("Error in %s\n(%s)\n", name, strerror(errno));
-    fclose(fp);
+        // Fall back to traditional logging mode without timestamps.
+        // If these fail, there's not really anywhere to complain...
+        freopen(filename, "a", stdout); setbuf(stdout, NULL);
+        freopen(filename, "a", stderr); setbuf(stderr, NULL);
+
+        return;
+    }
+
+    pid_t pid = fork();
+    if (pid == -1) {
+        LOGE("fork failed: %s\n", strerror(errno));
+
+        // Fall back to traditional logging mode without timestamps.
+        // If these fail, there's not really anywhere to complain...
+        freopen(filename, "a", stdout); setbuf(stdout, NULL);
+        freopen(filename, "a", stderr); setbuf(stderr, NULL);
+
+        return;
+    }
+
+    if (pid == 0) {
+        /// Close the unused write end.
+        close(pipefd[1]);
+
+        auto start = std::chrono::steady_clock::now();
+
+        // Child logger to actually write to the log file.
+        FILE* log_fp = fopen(filename, "a");
+        if (log_fp == nullptr) {
+            LOGE("fopen \"%s\" failed: %s\n", filename, strerror(errno));
+            close(pipefd[0]);
+            _exit(1);
+        }
+
+        FILE* pipe_fp = fdopen(pipefd[0], "r");
+        if (pipe_fp == nullptr) {
+            LOGE("fdopen failed: %s\n", strerror(errno));
+            check_and_fclose(log_fp, filename);
+            close(pipefd[0]);
+            _exit(1);
+        }
+
+        char* line = nullptr;
+        size_t len = 0;
+        while (getline(&line, &len, pipe_fp) != -1) {
+            auto now = std::chrono::steady_clock::now();
+            double duration = std::chrono::duration_cast<std::chrono::duration<double>>(
+                    now - start).count();
+            if (line[0] == '\n') {
+                fprintf(log_fp, "[%12.6lf]\n", duration);
+            } else {
+                fprintf(log_fp, "[%12.6lf] %s", duration, line);
+            }
+            fflush(log_fp);
+        }
+
+        LOGE("getline failed: %s\n", strerror(errno));
+
+        free(line);
+        check_and_fclose(log_fp, filename);
+        close(pipefd[0]);
+        _exit(1);
+    } else {
+        // Redirect stdout/stderr to the logger process.
+        // Close the unused read end.
+        close(pipefd[0]);
+
+        setbuf(stdout, nullptr);
+        setbuf(stderr, nullptr);
+
+        if (dup2(pipefd[1], STDOUT_FILENO) == -1) {
+            LOGE("dup2 stdout failed: %s\n", strerror(errno));
+        }
+        if (dup2(pipefd[1], STDERR_FILENO) == -1) {
+            LOGE("dup2 stderr failed: %s\n", strerror(errno));
+        }
+
+        close(pipefd[1]);
+    }
 }
 
 // command line args come from, in decreasing precedence:
@@ -745,10 +825,7 @@
         int chosen_item = get_menu_selection(headers, entries, 1, 0, device);
         if (strcmp(entries[chosen_item], "Back") == 0) break;
 
-        // TODO: do we need to redirect? ShowFile could just avoid writing to stdio.
-        redirect_stdio("/dev/null");
         ui->ShowFile(entries[chosen_item]);
-        redirect_stdio(TEMPORARY_LOG_FILE);
     }
 
     for (size_t i = 0; i < (sizeof(entries) / sizeof(*entries)); i++) {
@@ -767,6 +844,7 @@
     char* path = browse_directory(SDCARD_ROOT, device);
     if (path == NULL) {
         ui->Print("\n-- No package file selected.\n");
+        ensure_path_unmounted(SDCARD_ROOT);
         return INSTALL_ERROR;
     }
 
@@ -862,9 +940,24 @@
                 break;
 
             case Device::MOUNT_SYSTEM:
-                if (ensure_path_mounted("/system") != -1) {
-                    ui->Print("Mounted /system.\n");
+                char system_root_image[PROPERTY_VALUE_MAX];
+                property_get("ro.build.system_root_image", system_root_image, "");
+
+                // For a system image built with the root directory (i.e.
+                // system_root_image == "true"), we mount it to /system_root, and symlink /system
+                // to /system_root/system to make adb shell work (the symlink is created through
+                // the build system).
+                // Bug: 22855115
+                if (strcmp(system_root_image, "true") == 0) {
+                    if (ensure_path_mounted_at("/", "/system_root") != -1) {
+                        ui->Print("Mounted /system.\n");
+                    }
+                } else {
+                    if (ensure_path_mounted("/system") != -1) {
+                        ui->Print("Mounted /system.\n");
+                    }
                 }
+
                 break;
         }
     }
@@ -914,10 +1007,6 @@
 
 int
 main(int argc, char **argv) {
-    time_t start = time(NULL);
-
-    redirect_stdio(TEMPORARY_LOG_FILE);
-
     // If this binary is started with the single argument "--adbd",
     // instead of being the normal recovery binary, it turns into kind
     // of a stripped-down version of adbd that only supports the
@@ -926,10 +1015,16 @@
     // only way recovery should be run with this argument is when it
     // starts a copy of itself from the apply_from_adb() function.
     if (argc == 2 && strcmp(argv[1], "--adbd") == 0) {
-        adb_main(0, DEFAULT_ADB_PORT);
+        adb_main(0, DEFAULT_ADB_PORT, -1);
         return 0;
     }
 
+    time_t start = time(NULL);
+
+    // redirect_stdio should be called only in non-sideload mode. Otherwise
+    // we may have two logger instances with different timestamps.
+    redirect_stdio(TEMPORARY_LOG_FILE);
+
     printf("Starting recovery (pid %d) on %s", getpid(), ctime(&start));
 
     load_volume_table();
@@ -1020,11 +1115,15 @@
         if (strncmp(update_package, "CACHE:", 6) == 0) {
             int len = strlen(update_package) + 10;
             char* modified_path = (char*)malloc(len);
-            strlcpy(modified_path, "/cache/", len);
-            strlcat(modified_path, update_package+6, len);
-            printf("(replacing path \"%s\" with \"%s\")\n",
-                   update_package, modified_path);
-            update_package = modified_path;
+            if (modified_path) {
+                strlcpy(modified_path, "/cache/", len);
+                strlcat(modified_path, update_package+6, len);
+                printf("(replacing path \"%s\" with \"%s\")\n",
+                       update_package, modified_path);
+                update_package = modified_path;
+            }
+            else
+                printf("modified_path allocation failed\n");
         }
     }
     printf("\n");
@@ -1123,6 +1222,9 @@
             property_set(ANDROID_RB_PROPERTY, "reboot,");
             break;
     }
-    sleep(5); // should reboot before this finishes
+    while (true) {
+      pause();
+    }
+    // Should be unreachable.
     return EXIT_SUCCESS;
 }
diff --git a/res-560dpi b/res-560dpi
new file mode 120000
index 0000000..8576a9b
--- /dev/null
+++ b/res-560dpi
@@ -0,0 +1 @@
+res-xxhdpi
\ No newline at end of file
diff --git a/roots.cpp b/roots.cpp
index 2bd457e..12c6b5e 100644
--- a/roots.cpp
+++ b/roots.cpp
@@ -30,10 +30,8 @@
 #include "roots.h"
 #include "common.h"
 #include "make_ext4fs.h"
-extern "C" {
 #include "wipe.h"
 #include "cryptfs.h"
-}
 
 static struct fstab *fstab = NULL;
 
@@ -72,7 +70,8 @@
     return fs_mgr_get_entry_for_mount_point(fstab, path);
 }
 
-int ensure_path_mounted(const char* path) {
+// Mount the volume specified by path at the given mount_point.
+int ensure_path_mounted_at(const char* path, const char* mount_point) {
     Volume* v = volume_for_path(path);
     if (v == NULL) {
         LOGE("unknown volume for path [%s]\n", path);
@@ -90,14 +89,18 @@
         return -1;
     }
 
+    if (!mount_point) {
+        mount_point = v->mount_point;
+    }
+
     const MountedVolume* mv =
-        find_mounted_volume_by_mount_point(v->mount_point);
+        find_mounted_volume_by_mount_point(mount_point);
     if (mv) {
         // volume is already mounted
         return 0;
     }
 
-    mkdir(v->mount_point, 0755);  // in case it doesn't already exist
+    mkdir(mount_point, 0755);  // in case it doesn't already exist
 
     if (strcmp(v->fs_type, "yaffs2") == 0) {
         // mount an MTD partition as a YAFFS2 filesystem.
@@ -106,25 +109,30 @@
         partition = mtd_find_partition_by_name(v->blk_device);
         if (partition == NULL) {
             LOGE("failed to find \"%s\" partition to mount at \"%s\"\n",
-                 v->blk_device, v->mount_point);
+                 v->blk_device, mount_point);
             return -1;
         }
-        return mtd_mount_partition(partition, v->mount_point, v->fs_type, 0);
+        return mtd_mount_partition(partition, mount_point, v->fs_type, 0);
     } else if (strcmp(v->fs_type, "ext4") == 0 ||
                strcmp(v->fs_type, "squashfs") == 0 ||
                strcmp(v->fs_type, "vfat") == 0) {
-        result = mount(v->blk_device, v->mount_point, v->fs_type,
+        result = mount(v->blk_device, mount_point, v->fs_type,
                        v->flags, v->fs_options);
         if (result == 0) return 0;
 
-        LOGE("failed to mount %s (%s)\n", v->mount_point, strerror(errno));
+        LOGE("failed to mount %s (%s)\n", mount_point, strerror(errno));
         return -1;
     }
 
-    LOGE("unknown fs_type \"%s\" for %s\n", v->fs_type, v->mount_point);
+    LOGE("unknown fs_type \"%s\" for %s\n", v->fs_type, mount_point);
     return -1;
 }
 
+int ensure_path_mounted(const char* path) {
+    // Mount at the default mount point.
+    return ensure_path_mounted_at(path, nullptr);
+}
+
 int ensure_path_unmounted(const char* path) {
     Volume* v = volume_for_path(path);
     if (v == NULL) {
diff --git a/roots.h b/roots.h
index 230d9de..6e3b243 100644
--- a/roots.h
+++ b/roots.h
@@ -19,10 +19,6 @@
 
 #include "common.h"
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 // Load and parse volume data from /etc/recovery.fstab.
 void load_volume_table();
 
@@ -33,7 +29,10 @@
 // success (volume is mounted).
 int ensure_path_mounted(const char* path);
 
-// Make sure that the volume 'path' is on is mounted.  Returns 0 on
+// Similar to ensure_path_mounted, but allows one to specify the mount_point.
+int ensure_path_mounted_at(const char* path, const char* mount_point);
+
+// Make sure that the volume 'path' is on is unmounted.  Returns 0 on
 // success (volume is unmounted);
 int ensure_path_unmounted(const char* path);
 
@@ -46,8 +45,4 @@
 // mounted (/tmp and /cache) are mounted.  Returns 0 on success.
 int setup_install_mounts();
 
-#ifdef __cplusplus
-}
-#endif
-
 #endif  // RECOVERY_ROOTS_H_
diff --git a/screen_ui.cpp b/screen_ui.cpp
index ff95915..f2fda2f 100644
--- a/screen_ui.cpp
+++ b/screen_ui.cpp
@@ -30,8 +30,10 @@
 
 #include <vector>
 
-#include "base/strings.h"
-#include "cutils/properties.h"
+#include <base/strings.h>
+#include <base/stringprintf.h>
+#include <cutils/properties.h>
+
 #include "common.h"
 #include "device.h"
 #include "minui/minui.h"
@@ -506,18 +508,17 @@
     pthread_mutex_unlock(&updateMutex);
 }
 
-void ScreenRecoveryUI::Print(const char *fmt, ...) {
-    char buf[256];
-    va_list ap;
-    va_start(ap, fmt);
-    vsnprintf(buf, 256, fmt, ap);
-    va_end(ap);
+void ScreenRecoveryUI::PrintV(const char* fmt, bool copy_to_stdout, va_list ap) {
+    std::string str;
+    android::base::StringAppendV(&str, fmt, ap);
 
-    fputs(buf, stdout);
+    if (copy_to_stdout) {
+        fputs(str.c_str(), stdout);
+    }
 
     pthread_mutex_lock(&updateMutex);
     if (text_rows_ > 0 && text_cols_ > 0) {
-        for (const char* ptr = buf; *ptr != '\0'; ++ptr) {
+        for (const char* ptr = str.c_str(); *ptr != '\0'; ++ptr) {
             if (*ptr == '\n' || text_col_ >= text_cols_) {
                 text_[text_row_][text_col_] = '\0';
                 text_col_ = 0;
@@ -532,6 +533,20 @@
     pthread_mutex_unlock(&updateMutex);
 }
 
+void ScreenRecoveryUI::Print(const char* fmt, ...) {
+    va_list ap;
+    va_start(ap, fmt);
+    PrintV(fmt, true, ap);
+    va_end(ap);
+}
+
+void ScreenRecoveryUI::PrintOnScreenOnly(const char *fmt, ...) {
+    va_list ap;
+    va_start(ap, fmt);
+    PrintV(fmt, false, ap);
+    va_end(ap);
+}
+
 void ScreenRecoveryUI::PutChar(char ch) {
     pthread_mutex_lock(&updateMutex);
     if (ch != '\n') text_[text_row_][text_col_++] = ch;
@@ -566,7 +581,7 @@
     bool show_prompt = false;
     while (true) {
         if (show_prompt) {
-            Print("--(%d%% of %d bytes)--",
+            PrintOnScreenOnly("--(%d%% of %d bytes)--",
                   static_cast<int>(100 * (double(ftell(fp)) / double(sb.st_size))),
                   static_cast<int>(sb.st_size));
             Redraw();
diff --git a/screen_ui.h b/screen_ui.h
index ea05bf1..8e18864 100644
--- a/screen_ui.h
+++ b/screen_ui.h
@@ -49,6 +49,7 @@
 
     // printing messages
     void Print(const char* fmt, ...) __printflike(2, 3);
+    void PrintOnScreenOnly(const char* fmt, ...) __printflike(2, 3);
     void ShowFile(const char* filename);
 
     // menu display
@@ -125,6 +126,7 @@
     void ProgressThreadLoop();
 
     void ShowFile(FILE*);
+    void PrintV(const char*, bool, va_list);
     void PutChar(char);
     void ClearText();
 
diff --git a/ui.cpp b/ui.cpp
index 1a0b079..2efb759 100644
--- a/ui.cpp
+++ b/ui.cpp
@@ -28,6 +28,7 @@
 #include <time.h>
 #include <unistd.h>
 
+#include <cutils/properties.h>
 #include <cutils/android_reboot.h>
 
 #include "common.h"
@@ -174,7 +175,8 @@
 
           case RecoveryUI::REBOOT:
             if (reboot_enabled) {
-                android_reboot(ANDROID_RB_RESTART, 0, 0);
+                property_set(ANDROID_RB_PROPERTY, "reboot,");
+                while (true) { pause(); }
             }
             break;
 
diff --git a/ui.h b/ui.h
index 4dcaa0f..ca72911 100644
--- a/ui.h
+++ b/ui.h
@@ -62,8 +62,10 @@
     virtual bool WasTextEverVisible() = 0;
 
     // Write a message to the on-screen log (shown if the user has
-    // toggled on the text display).
+    // toggled on the text display). Print() will also dump the message
+    // to stdout / log file, while PrintOnScreenOnly() not.
     virtual void Print(const char* fmt, ...) __printflike(2, 3) = 0;
+    virtual void PrintOnScreenOnly(const char* fmt, ...) __printflike(2, 3) = 0;
 
     virtual void ShowFile(const char* filename) = 0;
 
diff --git a/uncrypt/Android.mk b/uncrypt/Android.mk
index e73c8f1..6422cb2 100644
--- a/uncrypt/Android.mk
+++ b/uncrypt/Android.mk
@@ -20,8 +20,12 @@
 
 LOCAL_SRC_FILES := uncrypt.cpp
 
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/..
+
 LOCAL_MODULE := uncrypt
 
 LOCAL_STATIC_LIBRARIES := libbase liblog libfs_mgr libcutils
 
+LOCAL_INIT_RC := uncrypt.rc
+
 include $(BUILD_EXECUTABLE)
diff --git a/uncrypt/uncrypt.cpp b/uncrypt/uncrypt.cpp
index 46da86d..4956cc2 100644
--- a/uncrypt/uncrypt.cpp
+++ b/uncrypt/uncrypt.cpp
@@ -51,13 +51,19 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+#include <memory>
+
 #include <base/file.h>
 #include <base/strings.h>
+#include <cutils/android_reboot.h>
 #include <cutils/properties.h>
 #include <fs_mgr.h>
+
 #define LOG_TAG "uncrypt"
 #include <log/log.h>
 
+#include "unique_fd.h"
+
 #define WINDOW_SIZE 5
 
 static const std::string cache_block_map = "/cache/recovery/block.map";
@@ -180,7 +186,7 @@
         ALOGE("failed to open %s\n", map_file);
         return -1;
     }
-    FILE* mapf = fdopen(mapfd, "w");
+    std::unique_ptr<FILE, int(*)(FILE*)> mapf(fdopen(mapfd, "w"), fclose);
 
     // Make sure we can write to the status_file.
     if (!android::base::WriteStringToFd("0\n", status_fd)) {
@@ -189,8 +195,7 @@
     }
 
     struct stat sb;
-    int ret = stat(path, &sb);
-    if (ret != 0) {
+    if (stat(path, &sb) != 0) {
         ALOGE("failed to stat %s\n", path);
         return -1;
     }
@@ -206,7 +211,8 @@
     ranges[0] = -1;
     ranges[1] = -1;
 
-    fprintf(mapf, "%s\n%lld %lu\n", blk_dev, (long long)sb.st_size, (unsigned long)sb.st_blksize);
+    fprintf(mapf.get(), "%s\n%lld %lu\n",
+            blk_dev, (long long)sb.st_size, (unsigned long)sb.st_blksize);
 
     unsigned char* buffers[WINDOW_SIZE];
     if (encrypted) {
@@ -219,15 +225,18 @@
     size_t pos = 0;
 
     int fd = open(path, O_RDONLY);
-    if (fd < 0) {
+    unique_fd fd_holder(fd);
+    if (fd == -1) {
         ALOGE("failed to open fd for reading: %s\n", strerror(errno));
         return -1;
     }
 
     int wfd = -1;
+    unique_fd wfd_holder(wfd);
     if (encrypted) {
-        wfd = open(blk_dev, O_WRONLY | O_SYNC);
-        if (wfd < 0) {
+        wfd = open(blk_dev, O_WRONLY);
+        wfd_holder = unique_fd(wfd);
+        if (wfd == -1) {
             ALOGE("failed to open fd for writing: %s\n", strerror(errno));
             return -1;
         }
@@ -245,8 +254,7 @@
         if ((tail+1) % WINDOW_SIZE == head) {
             // write out head buffer
             int block = head_block;
-            ret = ioctl(fd, FIBMAP, &block);
-            if (ret != 0) {
+            if (ioctl(fd, FIBMAP, &block) != 0) {
                 ALOGE("failed to find block %d\n", head_block);
                 return -1;
             }
@@ -286,8 +294,7 @@
     while (head != tail) {
         // write out head buffer
         int block = head_block;
-        ret = ioctl(fd, FIBMAP, &block);
-        if (ret != 0) {
+        if (ioctl(fd, FIBMAP, &block) != 0) {
             ALOGE("failed to find block %d\n", head_block);
             return -1;
         }
@@ -302,23 +309,20 @@
         ++head_block;
     }
 
-    fprintf(mapf, "%d\n", range_used);
+    fprintf(mapf.get(), "%d\n", range_used);
     for (int i = 0; i < range_used; ++i) {
-        fprintf(mapf, "%d %d\n", ranges[i*2], ranges[i*2+1]);
+        fprintf(mapf.get(), "%d %d\n", ranges[i*2], ranges[i*2+1]);
     }
 
     if (fsync(mapfd) == -1) {
         ALOGE("failed to fsync \"%s\": %s\n", map_file, strerror(errno));
         return -1;
     }
-    fclose(mapf);
-    close(fd);
     if (encrypted) {
         if (fsync(wfd) == -1) {
             ALOGE("failed to fsync \"%s\": %s\n", blk_dev, strerror(errno));
             return -1;
         }
-        close(wfd);
     }
 
     return 0;
@@ -331,6 +335,8 @@
         if (!v->mount_point) continue;
         if (strcmp(v->mount_point, "/misc") == 0) {
             int fd = open(v->blk_device, O_WRONLY | O_SYNC);
+            unique_fd fd_holder(fd);
+
             uint8_t zeroes[1088];   // sizeof(bootloader_message) from recovery
             memset(zeroes, 0, sizeof(zeroes));
 
@@ -347,10 +353,8 @@
             }
             if (fsync(fd) == -1) {
                 ALOGE("failed to fsync \"%s\": %s\n", v->blk_device, strerror(errno));
-                close(fd);
                 return;
             }
-            close(fd);
         }
     }
 }
@@ -358,7 +362,9 @@
 static void reboot_to_recovery() {
     ALOGI("rebooting to recovery");
     property_set("sys.powerctl", "reboot,recovery");
-    sleep(10);
+    while (true) {
+      pause();
+    }
     ALOGE("reboot didn't succeed?");
 }
 
@@ -433,6 +439,7 @@
             ALOGE("failed to open pipe \"%s\": %s\n", status_file.c_str(), strerror(errno));
             return 1;
         }
+        unique_fd status_fd_holder(status_fd);
 
         if (argc == 3) {
             // when command-line args are given this binary is being used
@@ -443,7 +450,6 @@
             std::string package;
             if (!find_uncrypt_package(package)) {
                 android::base::WriteStringToFd("-1\n", status_fd);
-                close(status_fd);
                 return 1;
             }
             input_path = package.c_str();
@@ -453,12 +459,10 @@
         int status = uncrypt(input_path, map_file, status_fd);
         if (status != 0) {
             android::base::WriteStringToFd("-1\n", status_fd);
-            close(status_fd);
             return 1;
         }
 
         android::base::WriteStringToFd("100\n", status_fd);
-        close(status_fd);
     }
 
     return 0;
diff --git a/uncrypt/uncrypt.rc b/uncrypt/uncrypt.rc
new file mode 100644
index 0000000..5f4c479
--- /dev/null
+++ b/uncrypt/uncrypt.rc
@@ -0,0 +1,9 @@
+service uncrypt /system/bin/uncrypt
+    class main
+    disabled
+    oneshot
+
+service pre-recovery /system/bin/uncrypt --reboot
+    class main
+    disabled
+    oneshot
diff --git a/unique_fd.h b/unique_fd.h
new file mode 100644
index 0000000..cc85383
--- /dev/null
+++ b/unique_fd.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef UNIQUE_FD_H
+#define UNIQUE_FD_H
+
+#include <stdio.h>
+
+#include <memory>
+
+class unique_fd {
+  public:
+    unique_fd(int fd) : fd_(fd) { }
+
+    unique_fd(unique_fd&& uf) {
+        fd_ = uf.fd_;
+        uf.fd_ = -1;
+    }
+
+    ~unique_fd() {
+        if (fd_ != -1) {
+            close(fd_);
+        }
+    }
+
+    int get() {
+        return fd_;
+    }
+
+    // Movable.
+    unique_fd& operator=(unique_fd&& uf) {
+        fd_ = uf.fd_;
+        uf.fd_ = -1;
+        return *this;
+    }
+
+    explicit operator bool() const {
+        return fd_ != -1;
+    }
+
+  private:
+    int fd_;
+
+    // Non-copyable.
+    unique_fd(const unique_fd&) = delete;
+    unique_fd& operator=(const unique_fd&) = delete;
+};
+
+#endif  // UNIQUE_FD_H
diff --git a/updater/Android.mk b/updater/Android.mk
index a3df805..dcf4374 100644
--- a/updater/Android.mk
+++ b/updater/Android.mk
@@ -1,11 +1,23 @@
 # Copyright 2009 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 LOCAL_PATH := $(call my-dir)
 
 updater_src_files := \
-	install.c \
-	blockimg.c \
-	updater.c
+	install.cpp \
+	blockimg.cpp \
+	updater.cpp
 
 #
 # Build a statically-linked binary to include in OTA packages
@@ -21,20 +33,21 @@
 
 LOCAL_SRC_FILES := $(updater_src_files)
 
+LOCAL_STATIC_LIBRARIES += libfec libfec_rs libext4_utils_static libsquashfs_utils libcrypto_static
+
 ifeq ($(TARGET_USERIMAGES_USE_EXT4), true)
 LOCAL_CFLAGS += -DUSE_EXT4
 LOCAL_CFLAGS += -Wno-unused-parameter
 LOCAL_C_INCLUDES += system/extras/ext4_utils
 LOCAL_STATIC_LIBRARIES += \
-    libext4_utils_static \
     libsparse_static \
     libz
 endif
 
 LOCAL_STATIC_LIBRARIES += $(TARGET_RECOVERY_UPDATER_LIBS) $(TARGET_RECOVERY_UPDATER_EXTRA_LIBS)
-LOCAL_STATIC_LIBRARIES += libapplypatch libedify libmtdutils libminzip libz
+LOCAL_STATIC_LIBRARIES += libapplypatch libbase libedify libmtdutils libminzip libz
 LOCAL_STATIC_LIBRARIES += libmincrypt libbz
-LOCAL_STATIC_LIBRARIES += libcutils liblog libstdc++ libc
+LOCAL_STATIC_LIBRARIES += libcutils liblog libc
 LOCAL_STATIC_LIBRARIES += libselinux
 tune2fs_static_libraries := \
  libext2_com_err \
diff --git a/updater/blockimg.c b/updater/blockimg.c
deleted file mode 100644
index b006d10..0000000
--- a/updater/blockimg.c
+++ /dev/null
@@ -1,1953 +0,0 @@
-/*
- * Copyright (C) 2014 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <ctype.h>
-#include <errno.h>
-#include <dirent.h>
-#include <fcntl.h>
-#include <inttypes.h>
-#include <libgen.h>
-#include <pthread.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <sys/ioctl.h>
-#include <time.h>
-#include <unistd.h>
-
-#include "applypatch/applypatch.h"
-#include "edify/expr.h"
-#include "mincrypt/sha.h"
-#include "minzip/Hash.h"
-#include "updater.h"
-
-#define BLOCKSIZE 4096
-
-// Set this to 0 to interpret 'erase' transfers to mean do a
-// BLKDISCARD ioctl (the normal behavior).  Set to 1 to interpret
-// erase to mean fill the region with zeroes.
-#define DEBUG_ERASE  0
-
-#ifndef BLKDISCARD
-#define BLKDISCARD _IO(0x12,119)
-#endif
-
-#define STASH_DIRECTORY_BASE "/cache/recovery"
-#define STASH_DIRECTORY_MODE 0700
-#define STASH_FILE_MODE 0600
-
-char* PrintSha1(const uint8_t* digest);
-
-typedef struct {
-    int count;
-    int size;
-    int pos[0];
-} RangeSet;
-
-static RangeSet* parse_range(char* text) {
-    char* save;
-    int num;
-    num = strtol(strtok_r(text, ",", &save), NULL, 0);
-
-    RangeSet* out = malloc(sizeof(RangeSet) + num * sizeof(int));
-    if (out == NULL) {
-        fprintf(stderr, "failed to allocate range of %zu bytes\n",
-                sizeof(RangeSet) + num * sizeof(int));
-        exit(1);
-    }
-    out->count = num / 2;
-    out->size = 0;
-    int i;
-    for (i = 0; i < num; ++i) {
-        out->pos[i] = strtol(strtok_r(NULL, ",", &save), NULL, 0);
-        if (i%2) {
-            out->size += out->pos[i];
-        } else {
-            out->size -= out->pos[i];
-        }
-    }
-
-    return out;
-}
-
-static int range_overlaps(RangeSet* r1, RangeSet* r2) {
-    int i, j, r1_0, r1_1, r2_0, r2_1;
-
-    if (!r1 || !r2) {
-        return 0;
-    }
-
-    for (i = 0; i < r1->count; ++i) {
-        r1_0 = r1->pos[i * 2];
-        r1_1 = r1->pos[i * 2 + 1];
-
-        for (j = 0; j < r2->count; ++j) {
-            r2_0 = r2->pos[j * 2];
-            r2_1 = r2->pos[j * 2 + 1];
-
-            if (!(r2_0 >= r1_1 || r1_0 >= r2_1)) {
-                return 1;
-            }
-        }
-    }
-
-    return 0;
-}
-
-static int read_all(int fd, uint8_t* data, size_t size) {
-    size_t so_far = 0;
-    while (so_far < size) {
-        ssize_t r = TEMP_FAILURE_RETRY(read(fd, data+so_far, size-so_far));
-        if (r == -1) {
-            fprintf(stderr, "read failed: %s\n", strerror(errno));
-            return -1;
-        }
-        so_far += r;
-    }
-    return 0;
-}
-
-static int write_all(int fd, const uint8_t* data, size_t size) {
-    size_t written = 0;
-    while (written < size) {
-        ssize_t w = TEMP_FAILURE_RETRY(write(fd, data+written, size-written));
-        if (w == -1) {
-            fprintf(stderr, "write failed: %s\n", strerror(errno));
-            return -1;
-        }
-        written += w;
-    }
-
-    if (fsync(fd) == -1) {
-        fprintf(stderr, "fsync failed: %s\n", strerror(errno));
-        return -1;
-    }
-
-    return 0;
-}
-
-static bool check_lseek(int fd, off64_t offset, int whence) {
-    off64_t rc = TEMP_FAILURE_RETRY(lseek64(fd, offset, whence));
-    if (rc == -1) {
-        fprintf(stderr, "lseek64 failed: %s\n", strerror(errno));
-        return false;
-    }
-    return true;
-}
-
-static void allocate(size_t size, uint8_t** buffer, size_t* buffer_alloc) {
-    // if the buffer's big enough, reuse it.
-    if (size <= *buffer_alloc) return;
-
-    free(*buffer);
-
-    *buffer = (uint8_t*) malloc(size);
-    if (*buffer == NULL) {
-        fprintf(stderr, "failed to allocate %zu bytes\n", size);
-        exit(1);
-    }
-    *buffer_alloc = size;
-}
-
-typedef struct {
-    int fd;
-    RangeSet* tgt;
-    int p_block;
-    size_t p_remain;
-} RangeSinkState;
-
-static ssize_t RangeSinkWrite(const uint8_t* data, ssize_t size, void* token) {
-    RangeSinkState* rss = (RangeSinkState*) token;
-
-    if (rss->p_remain <= 0) {
-        fprintf(stderr, "range sink write overrun");
-        return 0;
-    }
-
-    ssize_t written = 0;
-    while (size > 0) {
-        size_t write_now = size;
-
-        if (rss->p_remain < write_now) {
-            write_now = rss->p_remain;
-        }
-
-        if (write_all(rss->fd, data, write_now) == -1) {
-            break;
-        }
-
-        data += write_now;
-        size -= write_now;
-
-        rss->p_remain -= write_now;
-        written += write_now;
-
-        if (rss->p_remain == 0) {
-            // move to the next block
-            ++rss->p_block;
-            if (rss->p_block < rss->tgt->count) {
-                rss->p_remain = (rss->tgt->pos[rss->p_block * 2 + 1] -
-                                 rss->tgt->pos[rss->p_block * 2]) * BLOCKSIZE;
-
-                if (!check_lseek(rss->fd, (off64_t)rss->tgt->pos[rss->p_block*2] * BLOCKSIZE,
-                                 SEEK_SET)) {
-                    break;
-                }
-            } else {
-                // we can't write any more; return how many bytes have
-                // been written so far.
-                break;
-            }
-        }
-    }
-
-    return written;
-}
-
-// All of the data for all the 'new' transfers is contained in one
-// file in the update package, concatenated together in the order in
-// which transfers.list will need it.  We want to stream it out of the
-// archive (it's compressed) without writing it to a temp file, but we
-// can't write each section until it's that transfer's turn to go.
-//
-// To achieve this, we expand the new data from the archive in a
-// background thread, and block that threads 'receive uncompressed
-// data' function until the main thread has reached a point where we
-// want some new data to be written.  We signal the background thread
-// with the destination for the data and block the main thread,
-// waiting for the background thread to complete writing that section.
-// Then it signals the main thread to wake up and goes back to
-// blocking waiting for a transfer.
-//
-// NewThreadInfo is the struct used to pass information back and forth
-// between the two threads.  When the main thread wants some data
-// written, it sets rss to the destination location and signals the
-// condition.  When the background thread is done writing, it clears
-// rss and signals the condition again.
-
-typedef struct {
-    ZipArchive* za;
-    const ZipEntry* entry;
-
-    RangeSinkState* rss;
-
-    pthread_mutex_t mu;
-    pthread_cond_t cv;
-} NewThreadInfo;
-
-static bool receive_new_data(const unsigned char* data, int size, void* cookie) {
-    NewThreadInfo* nti = (NewThreadInfo*) cookie;
-
-    while (size > 0) {
-        // Wait for nti->rss to be non-NULL, indicating some of this
-        // data is wanted.
-        pthread_mutex_lock(&nti->mu);
-        while (nti->rss == NULL) {
-            pthread_cond_wait(&nti->cv, &nti->mu);
-        }
-        pthread_mutex_unlock(&nti->mu);
-
-        // At this point nti->rss is set, and we own it.  The main
-        // thread is waiting for it to disappear from nti.
-        ssize_t written = RangeSinkWrite(data, size, nti->rss);
-        data += written;
-        size -= written;
-
-        if (nti->rss->p_block == nti->rss->tgt->count) {
-            // we have written all the bytes desired by this rss.
-
-            pthread_mutex_lock(&nti->mu);
-            nti->rss = NULL;
-            pthread_cond_broadcast(&nti->cv);
-            pthread_mutex_unlock(&nti->mu);
-        }
-    }
-
-    return true;
-}
-
-static void* unzip_new_data(void* cookie) {
-    NewThreadInfo* nti = (NewThreadInfo*) cookie;
-    mzProcessZipEntryContents(nti->za, nti->entry, receive_new_data, nti);
-    return NULL;
-}
-
-static int ReadBlocks(RangeSet* src, uint8_t* buffer, int fd) {
-    int i;
-    size_t p = 0;
-    size_t size;
-
-    if (!src || !buffer) {
-        return -1;
-    }
-
-    for (i = 0; i < src->count; ++i) {
-        if (!check_lseek(fd, (off64_t) src->pos[i * 2] * BLOCKSIZE, SEEK_SET)) {
-            return -1;
-        }
-
-        size = (src->pos[i * 2 + 1] - src->pos[i * 2]) * BLOCKSIZE;
-
-        if (read_all(fd, buffer + p, size) == -1) {
-            return -1;
-        }
-
-        p += size;
-    }
-
-    return 0;
-}
-
-static int WriteBlocks(RangeSet* tgt, uint8_t* buffer, int fd) {
-    int i;
-    size_t p = 0;
-    size_t size;
-
-    if (!tgt || !buffer) {
-        return -1;
-    }
-
-    for (i = 0; i < tgt->count; ++i) {
-        if (!check_lseek(fd, (off64_t) tgt->pos[i * 2] * BLOCKSIZE, SEEK_SET)) {
-            return -1;
-        }
-
-        size = (tgt->pos[i * 2 + 1] - tgt->pos[i * 2]) * BLOCKSIZE;
-
-        if (write_all(fd, buffer + p, size) == -1) {
-            return -1;
-        }
-
-        p += size;
-    }
-
-    return 0;
-}
-
-// Do a source/target load for move/bsdiff/imgdiff in version 1.
-// 'wordsave' is the save_ptr of a strtok_r()-in-progress.  We expect
-// to parse the remainder of the string as:
-//
-//    <src_range> <tgt_range>
-//
-// The source range is loaded into the provided buffer, reallocating
-// it to make it larger if necessary.  The target ranges are returned
-// in *tgt, if tgt is non-NULL.
-
-static int LoadSrcTgtVersion1(char** wordsave, RangeSet** tgt, int* src_blocks,
-                               uint8_t** buffer, size_t* buffer_alloc, int fd) {
-    char* word;
-    int rc;
-
-    word = strtok_r(NULL, " ", wordsave);
-    RangeSet* src = parse_range(word);
-
-    if (tgt != NULL) {
-        word = strtok_r(NULL, " ", wordsave);
-        *tgt = parse_range(word);
-    }
-
-    allocate(src->size * BLOCKSIZE, buffer, buffer_alloc);
-    rc = ReadBlocks(src, *buffer, fd);
-    *src_blocks = src->size;
-
-    free(src);
-    return rc;
-}
-
-static int VerifyBlocks(const char *expected, const uint8_t *buffer,
-                        size_t blocks, int printerror) {
-    char* hexdigest = NULL;
-    int rc = -1;
-    uint8_t digest[SHA_DIGEST_SIZE];
-
-    if (!expected || !buffer) {
-        return rc;
-    }
-
-    SHA_hash(buffer, blocks * BLOCKSIZE, digest);
-    hexdigest = PrintSha1(digest);
-
-    if (hexdigest != NULL) {
-        rc = strcmp(expected, hexdigest);
-
-        if (rc != 0 && printerror) {
-            fprintf(stderr, "failed to verify blocks (expected %s, read %s)\n",
-                expected, hexdigest);
-        }
-
-        free(hexdigest);
-    }
-
-    return rc;
-}
-
-static char* GetStashFileName(const char* base, const char* id, const char* postfix) {
-    char* fn;
-    int len;
-    int res;
-
-    if (base == NULL) {
-        return NULL;
-    }
-
-    if (id == NULL) {
-        id = "";
-    }
-
-    if (postfix == NULL) {
-        postfix = "";
-    }
-
-    len = strlen(STASH_DIRECTORY_BASE) + 1 + strlen(base) + 1 + strlen(id) + strlen(postfix) + 1;
-    fn = malloc(len);
-
-    if (fn == NULL) {
-        fprintf(stderr, "failed to malloc %d bytes for fn\n", len);
-        return NULL;
-    }
-
-    res = snprintf(fn, len, STASH_DIRECTORY_BASE "/%s/%s%s", base, id, postfix);
-
-    if (res < 0 || res >= len) {
-        fprintf(stderr, "failed to format file name (return value %d)\n", res);
-        free(fn);
-        return NULL;
-    }
-
-    return fn;
-}
-
-typedef void (*StashCallback)(const char*, void*);
-
-// Does a best effort enumeration of stash files. Ignores possible non-file
-// items in the stash directory and continues despite of errors. Calls the
-// 'callback' function for each file and passes 'data' to the function as a
-// parameter.
-
-static void EnumerateStash(const char* dirname, StashCallback callback, void* data) {
-    char* fn;
-    DIR* directory;
-    int len;
-    int res;
-    struct dirent* item;
-
-    if (dirname == NULL || callback == NULL) {
-        return;
-    }
-
-    directory = opendir(dirname);
-
-    if (directory == NULL) {
-        if (errno != ENOENT) {
-            fprintf(stderr, "opendir \"%s\" failed: %s\n", dirname, strerror(errno));
-        }
-        return;
-    }
-
-    while ((item = readdir(directory)) != NULL) {
-        if (item->d_type != DT_REG) {
-            continue;
-        }
-
-        len = strlen(dirname) + 1 + strlen(item->d_name) + 1;
-        fn = malloc(len);
-
-        if (fn == NULL) {
-            fprintf(stderr, "failed to malloc %d bytes for fn\n", len);
-            continue;
-        }
-
-        res = snprintf(fn, len, "%s/%s", dirname, item->d_name);
-
-        if (res < 0 || res >= len) {
-            fprintf(stderr, "failed to format file name (return value %d)\n", res);
-            free(fn);
-            continue;
-        }
-
-        callback(fn, data);
-        free(fn);
-    }
-
-    if (closedir(directory) == -1) {
-        fprintf(stderr, "closedir \"%s\" failed: %s\n", dirname, strerror(errno));
-    }
-}
-
-static void UpdateFileSize(const char* fn, void* data) {
-    int* size = (int*) data;
-    struct stat st;
-
-    if (!fn || !data) {
-        return;
-    }
-
-    if (stat(fn, &st) == -1) {
-        fprintf(stderr, "stat \"%s\" failed: %s\n", fn, strerror(errno));
-        return;
-    }
-
-    *size += st.st_size;
-}
-
-// Deletes the stash directory and all files in it. Assumes that it only
-// contains files. There is nothing we can do about unlikely, but possible
-// errors, so they are merely logged.
-
-static void DeleteFile(const char* fn, void* data) {
-    if (fn) {
-        fprintf(stderr, "deleting %s\n", fn);
-
-        if (unlink(fn) == -1 && errno != ENOENT) {
-            fprintf(stderr, "unlink \"%s\" failed: %s\n", fn, strerror(errno));
-        }
-    }
-}
-
-static void DeletePartial(const char* fn, void* data) {
-    if (fn && strstr(fn, ".partial") != NULL) {
-        DeleteFile(fn, data);
-    }
-}
-
-static void DeleteStash(const char* base) {
-    char* dirname;
-
-    if (base == NULL) {
-        return;
-    }
-
-    dirname = GetStashFileName(base, NULL, NULL);
-
-    if (dirname == NULL) {
-        return;
-    }
-
-    fprintf(stderr, "deleting stash %s\n", base);
-    EnumerateStash(dirname, DeleteFile, NULL);
-
-    if (rmdir(dirname) == -1) {
-        if (errno != ENOENT && errno != ENOTDIR) {
-            fprintf(stderr, "rmdir \"%s\" failed: %s\n", dirname, strerror(errno));
-        }
-    }
-
-    free(dirname);
-}
-
-static int LoadStash(const char* base, const char* id, int verify, int* blocks, uint8_t** buffer,
-        size_t* buffer_alloc, int printnoent) {
-    char *fn = NULL;
-    int blockcount = 0;
-    int fd = -1;
-    int rc = -1;
-    int res;
-    struct stat st;
-
-    if (!base || !id || !buffer || !buffer_alloc) {
-        goto lsout;
-    }
-
-    if (!blocks) {
-        blocks = &blockcount;
-    }
-
-    fn = GetStashFileName(base, id, NULL);
-
-    if (fn == NULL) {
-        goto lsout;
-    }
-
-    res = stat(fn, &st);
-
-    if (res == -1) {
-        if (errno != ENOENT || printnoent) {
-            fprintf(stderr, "stat \"%s\" failed: %s\n", fn, strerror(errno));
-        }
-        goto lsout;
-    }
-
-    fprintf(stderr, " loading %s\n", fn);
-
-    if ((st.st_size % BLOCKSIZE) != 0) {
-        fprintf(stderr, "%s size %zd not multiple of block size %d", fn, st.st_size, BLOCKSIZE);
-        goto lsout;
-    }
-
-    fd = TEMP_FAILURE_RETRY(open(fn, O_RDONLY));
-
-    if (fd == -1) {
-        fprintf(stderr, "open \"%s\" failed: %s\n", fn, strerror(errno));
-        goto lsout;
-    }
-
-    allocate(st.st_size, buffer, buffer_alloc);
-
-    if (read_all(fd, *buffer, st.st_size) == -1) {
-        goto lsout;
-    }
-
-    *blocks = st.st_size / BLOCKSIZE;
-
-    if (verify && VerifyBlocks(id, *buffer, *blocks, 1) != 0) {
-        fprintf(stderr, "unexpected contents in %s\n", fn);
-        DeleteFile(fn, NULL);
-        goto lsout;
-    }
-
-    rc = 0;
-
-lsout:
-    if (fd != -1) {
-        close(fd);
-    }
-
-    if (fn) {
-        free(fn);
-    }
-
-    return rc;
-}
-
-static int WriteStash(const char* base, const char* id, int blocks, uint8_t* buffer,
-        int checkspace, int *exists) {
-    char *fn = NULL;
-    char *cn = NULL;
-    int fd = -1;
-    int rc = -1;
-    int dfd = -1;
-    int res;
-    struct stat st;
-
-    if (base == NULL || buffer == NULL) {
-        goto wsout;
-    }
-
-    if (checkspace && CacheSizeCheck(blocks * BLOCKSIZE) != 0) {
-        fprintf(stderr, "not enough space to write stash\n");
-        goto wsout;
-    }
-
-    fn = GetStashFileName(base, id, ".partial");
-    cn = GetStashFileName(base, id, NULL);
-
-    if (fn == NULL || cn == NULL) {
-        goto wsout;
-    }
-
-    if (exists) {
-        res = stat(cn, &st);
-
-        if (res == 0) {
-            // The file already exists and since the name is the hash of the contents,
-            // it's safe to assume the contents are identical (accidental hash collisions
-            // are unlikely)
-            fprintf(stderr, " skipping %d existing blocks in %s\n", blocks, cn);
-            *exists = 1;
-            rc = 0;
-            goto wsout;
-        }
-
-        *exists = 0;
-    }
-
-    fprintf(stderr, " writing %d blocks to %s\n", blocks, cn);
-
-    fd = TEMP_FAILURE_RETRY(open(fn, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, STASH_FILE_MODE));
-
-    if (fd == -1) {
-        fprintf(stderr, "failed to create \"%s\": %s\n", fn, strerror(errno));
-        goto wsout;
-    }
-
-    if (write_all(fd, buffer, blocks * BLOCKSIZE) == -1) {
-        goto wsout;
-    }
-
-    if (fsync(fd) == -1) {
-        fprintf(stderr, "fsync \"%s\" failed: %s\n", fn, strerror(errno));
-        goto wsout;
-    }
-
-    if (rename(fn, cn) == -1) {
-        fprintf(stderr, "rename(\"%s\", \"%s\") failed: %s\n", fn, cn, strerror(errno));
-        goto wsout;
-    }
-
-    const char* dname;
-    dname = dirname(cn);
-    dfd = TEMP_FAILURE_RETRY(open(dname, O_RDONLY | O_DIRECTORY));
-
-    if (dfd == -1) {
-        fprintf(stderr, "failed to open \"%s\" failed: %s\n", dname, strerror(errno));
-        goto wsout;
-    }
-
-    if (fsync(dfd) == -1) {
-        fprintf(stderr, "fsync \"%s\" failed: %s\n", dname, strerror(errno));
-        goto wsout;
-    }
-
-    rc = 0;
-
-wsout:
-    if (fd != -1) {
-        close(fd);
-    }
-
-    if (dfd != -1) {
-        close(dfd);
-    }
-
-    if (fn) {
-        free(fn);
-    }
-
-    if (cn) {
-        free(cn);
-    }
-
-    return rc;
-}
-
-// Creates a directory for storing stash files and checks if the /cache partition
-// hash enough space for the expected amount of blocks we need to store. Returns
-// >0 if we created the directory, zero if it existed already, and <0 of failure.
-
-static int CreateStash(State* state, int maxblocks, const char* blockdev, char** base) {
-    char* dirname = NULL;
-    const uint8_t* digest;
-    int rc = -1;
-    int res;
-    int size = 0;
-    SHA_CTX ctx;
-    struct stat st;
-
-    if (blockdev == NULL || base == NULL) {
-        goto csout;
-    }
-
-    // Stash directory should be different for each partition to avoid conflicts
-    // when updating multiple partitions at the same time, so we use the hash of
-    // the block device name as the base directory
-    SHA_init(&ctx);
-    SHA_update(&ctx, blockdev, strlen(blockdev));
-    digest = SHA_final(&ctx);
-    *base = PrintSha1(digest);
-
-    if (*base == NULL) {
-        goto csout;
-    }
-
-    dirname = GetStashFileName(*base, NULL, NULL);
-
-    if (dirname == NULL) {
-        goto csout;
-    }
-
-    res = stat(dirname, &st);
-
-    if (res == -1 && errno != ENOENT) {
-        ErrorAbort(state, "stat \"%s\" failed: %s\n", dirname, strerror(errno));
-        goto csout;
-    } else if (res != 0) {
-        fprintf(stderr, "creating stash %s\n", dirname);
-        res = mkdir(dirname, STASH_DIRECTORY_MODE);
-
-        if (res != 0) {
-            ErrorAbort(state, "mkdir \"%s\" failed: %s\n", dirname, strerror(errno));
-            goto csout;
-        }
-
-        if (CacheSizeCheck(maxblocks * BLOCKSIZE) != 0) {
-            ErrorAbort(state, "not enough space for stash\n");
-            goto csout;
-        }
-
-        rc = 1; // Created directory
-        goto csout;
-    }
-
-    fprintf(stderr, "using existing stash %s\n", dirname);
-
-    // If the directory already exists, calculate the space already allocated to
-    // stash files and check if there's enough for all required blocks. Delete any
-    // partially completed stash files first.
-
-    EnumerateStash(dirname, DeletePartial, NULL);
-    EnumerateStash(dirname, UpdateFileSize, &size);
-
-    size = (maxblocks * BLOCKSIZE) - size;
-
-    if (size > 0 && CacheSizeCheck(size) != 0) {
-        ErrorAbort(state, "not enough space for stash (%d more needed)\n", size);
-        goto csout;
-    }
-
-    rc = 0; // Using existing directory
-
-csout:
-    if (dirname) {
-        free(dirname);
-    }
-
-    return rc;
-}
-
-static int SaveStash(const char* base, char** wordsave, uint8_t** buffer, size_t* buffer_alloc,
-                      int fd, int usehash, int* isunresumable) {
-    char *id = NULL;
-    int res = -1;
-    int blocks = 0;
-
-    if (!wordsave || !buffer || !buffer_alloc || !isunresumable) {
-        return -1;
-    }
-
-    id = strtok_r(NULL, " ", wordsave);
-
-    if (id == NULL) {
-        fprintf(stderr, "missing id field in stash command\n");
-        return -1;
-    }
-
-    if (usehash && LoadStash(base, id, 1, &blocks, buffer, buffer_alloc, 0) == 0) {
-        // Stash file already exists and has expected contents. Do not
-        // read from source again, as the source may have been already
-        // overwritten during a previous attempt.
-        return 0;
-    }
-
-    if (LoadSrcTgtVersion1(wordsave, NULL, &blocks, buffer, buffer_alloc, fd) == -1) {
-        return -1;
-    }
-
-    if (usehash && VerifyBlocks(id, *buffer, blocks, 1) != 0) {
-        // Source blocks have unexpected contents. If we actually need this
-        // data later, this is an unrecoverable error. However, the command
-        // that uses the data may have already completed previously, so the
-        // possible failure will occur during source block verification.
-        fprintf(stderr, "failed to load source blocks for stash %s\n", id);
-        return 0;
-    }
-
-    fprintf(stderr, "stashing %d blocks to %s\n", blocks, id);
-    return WriteStash(base, id, blocks, *buffer, 0, NULL);
-}
-
-static int FreeStash(const char* base, const char* id) {
-    char *fn = NULL;
-
-    if (base == NULL || id == NULL) {
-        return -1;
-    }
-
-    fn = GetStashFileName(base, id, NULL);
-
-    if (fn == NULL) {
-        return -1;
-    }
-
-    DeleteFile(fn, NULL);
-    free(fn);
-
-    return 0;
-}
-
-static void MoveRange(uint8_t* dest, RangeSet* locs, const uint8_t* source) {
-    // source contains packed data, which we want to move to the
-    // locations given in *locs in the dest buffer.  source and dest
-    // may be the same buffer.
-
-    int start = locs->size;
-    int i;
-    for (i = locs->count-1; i >= 0; --i) {
-        int blocks = locs->pos[i*2+1] - locs->pos[i*2];
-        start -= blocks;
-        memmove(dest + (locs->pos[i*2] * BLOCKSIZE), source + (start * BLOCKSIZE),
-                blocks * BLOCKSIZE);
-    }
-}
-
-// Do a source/target load for move/bsdiff/imgdiff in version 2.
-// 'wordsave' is the save_ptr of a strtok_r()-in-progress.  We expect
-// to parse the remainder of the string as one of:
-//
-//    <tgt_range> <src_block_count> <src_range>
-//        (loads data from source image only)
-//
-//    <tgt_range> <src_block_count> - <[stash_id:stash_range] ...>
-//        (loads data from stashes only)
-//
-//    <tgt_range> <src_block_count> <src_range> <src_loc> <[stash_id:stash_range] ...>
-//        (loads data from both source image and stashes)
-//
-// On return, buffer is filled with the loaded source data (rearranged
-// and combined with stashed data as necessary).  buffer may be
-// reallocated if needed to accommodate the source data.  *tgt is the
-// target RangeSet.  Any stashes required are loaded using LoadStash.
-
-static int LoadSrcTgtVersion2(char** wordsave, RangeSet** tgt, int* src_blocks,
-                               uint8_t** buffer, size_t* buffer_alloc, int fd,
-                               const char* stashbase, int* overlap) {
-    char* word;
-    char* colonsave;
-    char* colon;
-    int id;
-    int res;
-    RangeSet* locs;
-    size_t stashalloc = 0;
-    uint8_t* stash = NULL;
-
-    if (tgt != NULL) {
-        word = strtok_r(NULL, " ", wordsave);
-        *tgt = parse_range(word);
-    }
-
-    word = strtok_r(NULL, " ", wordsave);
-    *src_blocks = strtol(word, NULL, 0);
-
-    allocate(*src_blocks * BLOCKSIZE, buffer, buffer_alloc);
-
-    word = strtok_r(NULL, " ", wordsave);
-    if (word[0] == '-' && word[1] == '\0') {
-        // no source ranges, only stashes
-    } else {
-        RangeSet* src = parse_range(word);
-        res = ReadBlocks(src, *buffer, fd);
-
-        if (overlap && tgt) {
-            *overlap = range_overlaps(src, *tgt);
-        }
-
-        free(src);
-
-        if (res == -1) {
-            return -1;
-        }
-
-        word = strtok_r(NULL, " ", wordsave);
-        if (word == NULL) {
-            // no stashes, only source range
-            return 0;
-        }
-
-        locs = parse_range(word);
-        MoveRange(*buffer, locs, *buffer);
-        free(locs);
-    }
-
-    while ((word = strtok_r(NULL, " ", wordsave)) != NULL) {
-        // Each word is a an index into the stash table, a colon, and
-        // then a rangeset describing where in the source block that
-        // stashed data should go.
-        colonsave = NULL;
-        colon = strtok_r(word, ":", &colonsave);
-
-        res = LoadStash(stashbase, colon, 0, NULL, &stash, &stashalloc, 1);
-
-        if (res == -1) {
-            // These source blocks will fail verification if used later, but we
-            // will let the caller decide if this is a fatal failure
-            fprintf(stderr, "failed to load stash %s\n", colon);
-            continue;
-        }
-
-        colon = strtok_r(NULL, ":", &colonsave);
-        locs = parse_range(colon);
-
-        MoveRange(*buffer, locs, stash);
-        free(locs);
-    }
-
-    if (stash) {
-        free(stash);
-    }
-
-    return 0;
-}
-
-// Parameters for transfer list command functions
-typedef struct {
-    char* cmdname;
-    char* cpos;
-    char* freestash;
-    char* stashbase;
-    int canwrite;
-    int createdstash;
-    int fd;
-    int foundwrites;
-    int isunresumable;
-    int version;
-    int written;
-    NewThreadInfo nti;
-    pthread_t thread;
-    size_t bufsize;
-    uint8_t* buffer;
-    uint8_t* patch_start;
-} CommandParameters;
-
-// Do a source/target load for move/bsdiff/imgdiff in version 3.
-//
-// Parameters are the same as for LoadSrcTgtVersion2, except for 'onehash', which
-// tells the function whether to expect separate source and targe block hashes, or
-// if they are both the same and only one hash should be expected, and
-// 'isunresumable', which receives a non-zero value if block verification fails in
-// a way that the update cannot be resumed anymore.
-//
-// If the function is unable to load the necessary blocks or their contents don't
-// match the hashes, the return value is -1 and the command should be aborted.
-//
-// If the return value is 1, the command has already been completed according to
-// the contents of the target blocks, and should not be performed again.
-//
-// If the return value is 0, source blocks have expected content and the command
-// can be performed.
-
-static int LoadSrcTgtVersion3(CommandParameters* params, RangeSet** tgt, int* src_blocks,
-                              int onehash, int* overlap) {
-    char* srchash = NULL;
-    char* tgthash = NULL;
-    int stash_exists = 0;
-    int overlap_blocks = 0;
-    int rc = -1;
-    uint8_t* tgtbuffer = NULL;
-
-    if (!params|| !tgt || !src_blocks || !overlap) {
-        goto v3out;
-    }
-
-    srchash = strtok_r(NULL, " ", &params->cpos);
-
-    if (srchash == NULL) {
-        fprintf(stderr, "missing source hash\n");
-        goto v3out;
-    }
-
-    if (onehash) {
-        tgthash = srchash;
-    } else {
-        tgthash = strtok_r(NULL, " ", &params->cpos);
-
-        if (tgthash == NULL) {
-            fprintf(stderr, "missing target hash\n");
-            goto v3out;
-        }
-    }
-
-    if (LoadSrcTgtVersion2(&params->cpos, tgt, src_blocks, &params->buffer, &params->bufsize,
-            params->fd, params->stashbase, overlap) == -1) {
-        goto v3out;
-    }
-
-    tgtbuffer = (uint8_t*) malloc((*tgt)->size * BLOCKSIZE);
-
-    if (tgtbuffer == NULL) {
-        fprintf(stderr, "failed to allocate %d bytes\n", (*tgt)->size * BLOCKSIZE);
-        goto v3out;
-    }
-
-    if (ReadBlocks(*tgt, tgtbuffer, params->fd) == -1) {
-        goto v3out;
-    }
-
-    if (VerifyBlocks(tgthash, tgtbuffer, (*tgt)->size, 0) == 0) {
-        // Target blocks already have expected content, command should be skipped
-        rc = 1;
-        goto v3out;
-    }
-
-    if (VerifyBlocks(srchash, params->buffer, *src_blocks, 1) == 0) {
-        // If source and target blocks overlap, stash the source blocks so we can
-        // resume from possible write errors
-        if (*overlap) {
-            fprintf(stderr, "stashing %d overlapping blocks to %s\n", *src_blocks,
-                srchash);
-
-            if (WriteStash(params->stashbase, srchash, *src_blocks, params->buffer, 1,
-                    &stash_exists) != 0) {
-                fprintf(stderr, "failed to stash overlapping source blocks\n");
-                goto v3out;
-            }
-
-            // Can be deleted when the write has completed
-            if (!stash_exists) {
-                params->freestash = srchash;
-            }
-        }
-
-        // Source blocks have expected content, command can proceed
-        rc = 0;
-        goto v3out;
-    }
-
-    if (*overlap && LoadStash(params->stashbase, srchash, 1, NULL, &params->buffer,
-                        &params->bufsize, 1) == 0) {
-        // Overlapping source blocks were previously stashed, command can proceed.
-        // We are recovering from an interrupted command, so we don't know if the
-        // stash can safely be deleted after this command.
-        rc = 0;
-        goto v3out;
-    }
-
-    // Valid source data not available, update cannot be resumed
-    fprintf(stderr, "partition has unexpected contents\n");
-    params->isunresumable = 1;
-
-v3out:
-    if (tgtbuffer) {
-        free(tgtbuffer);
-    }
-
-    return rc;
-}
-
-static int PerformCommandMove(CommandParameters* params) {
-    int blocks = 0;
-    int overlap = 0;
-    int rc = -1;
-    int status = 0;
-    RangeSet* tgt = NULL;
-
-    if (!params) {
-        goto pcmout;
-    }
-
-    if (params->version == 1) {
-        status = LoadSrcTgtVersion1(&params->cpos, &tgt, &blocks, &params->buffer,
-                    &params->bufsize, params->fd);
-    } else if (params->version == 2) {
-        status = LoadSrcTgtVersion2(&params->cpos, &tgt, &blocks, &params->buffer,
-                    &params->bufsize, params->fd, params->stashbase, NULL);
-    } else if (params->version >= 3) {
-        status = LoadSrcTgtVersion3(params, &tgt, &blocks, 1, &overlap);
-    }
-
-    if (status == -1) {
-        fprintf(stderr, "failed to read blocks for move\n");
-        goto pcmout;
-    }
-
-    if (status == 0) {
-        params->foundwrites = 1;
-    } else if (params->foundwrites) {
-        fprintf(stderr, "warning: commands executed out of order [%s]\n", params->cmdname);
-    }
-
-    if (params->canwrite) {
-        if (status == 0) {
-            fprintf(stderr, "  moving %d blocks\n", blocks);
-
-            if (WriteBlocks(tgt, params->buffer, params->fd) == -1) {
-                goto pcmout;
-            }
-        } else {
-            fprintf(stderr, "skipping %d already moved blocks\n", blocks);
-        }
-
-    }
-
-    if (params->freestash) {
-        FreeStash(params->stashbase, params->freestash);
-        params->freestash = NULL;
-    }
-
-    params->written += tgt->size;
-    rc = 0;
-
-pcmout:
-    if (tgt) {
-        free(tgt);
-    }
-
-    return rc;
-}
-
-static int PerformCommandStash(CommandParameters* params) {
-    if (!params) {
-        return -1;
-    }
-
-    return SaveStash(params->stashbase, &params->cpos, &params->buffer, &params->bufsize,
-                params->fd, (params->version >= 3), &params->isunresumable);
-}
-
-static int PerformCommandFree(CommandParameters* params) {
-    if (!params) {
-        return -1;
-    }
-
-    if (params->createdstash || params->canwrite) {
-        return FreeStash(params->stashbase, params->cpos);
-    }
-
-    return 0;
-}
-
-static int PerformCommandZero(CommandParameters* params) {
-    char* range = NULL;
-    int i;
-    int j;
-    int rc = -1;
-    RangeSet* tgt = NULL;
-
-    if (!params) {
-        goto pczout;
-    }
-
-    range = strtok_r(NULL, " ", &params->cpos);
-
-    if (range == NULL) {
-        fprintf(stderr, "missing target blocks for zero\n");
-        goto pczout;
-    }
-
-    tgt = parse_range(range);
-
-    fprintf(stderr, "  zeroing %d blocks\n", tgt->size);
-
-    allocate(BLOCKSIZE, &params->buffer, &params->bufsize);
-    memset(params->buffer, 0, BLOCKSIZE);
-
-    if (params->canwrite) {
-        for (i = 0; i < tgt->count; ++i) {
-            if (!check_lseek(params->fd, (off64_t) tgt->pos[i * 2] * BLOCKSIZE, SEEK_SET)) {
-                goto pczout;
-            }
-
-            for (j = tgt->pos[i * 2]; j < tgt->pos[i * 2 + 1]; ++j) {
-                if (write_all(params->fd, params->buffer, BLOCKSIZE) == -1) {
-                    goto pczout;
-                }
-            }
-        }
-    }
-
-    if (params->cmdname[0] == 'z') {
-        // Update only for the zero command, as the erase command will call
-        // this if DEBUG_ERASE is defined.
-        params->written += tgt->size;
-    }
-
-    rc = 0;
-
-pczout:
-    if (tgt) {
-        free(tgt);
-    }
-
-    return rc;
-}
-
-static int PerformCommandNew(CommandParameters* params) {
-    char* range = NULL;
-    int rc = -1;
-    RangeSet* tgt = NULL;
-    RangeSinkState rss;
-
-    if (!params) {
-        goto pcnout;
-    }
-
-    range = strtok_r(NULL, " ", &params->cpos);
-
-    if (range == NULL) {
-        goto pcnout;
-    }
-
-    tgt = parse_range(range);
-
-    if (params->canwrite) {
-        fprintf(stderr, " writing %d blocks of new data\n", tgt->size);
-
-        rss.fd = params->fd;
-        rss.tgt = tgt;
-        rss.p_block = 0;
-        rss.p_remain = (tgt->pos[1] - tgt->pos[0]) * BLOCKSIZE;
-
-        if (!check_lseek(params->fd, (off64_t) tgt->pos[0] * BLOCKSIZE, SEEK_SET)) {
-            goto pcnout;
-        }
-
-        pthread_mutex_lock(&params->nti.mu);
-        params->nti.rss = &rss;
-        pthread_cond_broadcast(&params->nti.cv);
-
-        while (params->nti.rss) {
-            pthread_cond_wait(&params->nti.cv, &params->nti.mu);
-        }
-
-        pthread_mutex_unlock(&params->nti.mu);
-    }
-
-    params->written += tgt->size;
-    rc = 0;
-
-pcnout:
-    if (tgt) {
-        free(tgt);
-    }
-
-    return rc;
-}
-
-static int PerformCommandDiff(CommandParameters* params) {
-    char* logparams = NULL;
-    char* value = NULL;
-    int blocks = 0;
-    int overlap = 0;
-    int rc = -1;
-    int status = 0;
-    RangeSet* tgt = NULL;
-    RangeSinkState rss;
-    size_t len = 0;
-    size_t offset = 0;
-    Value patch_value;
-
-    if (!params) {
-        goto pcdout;
-    }
-
-    logparams = strdup(params->cpos);
-    value = strtok_r(NULL, " ", &params->cpos);
-
-    if (value == NULL) {
-        fprintf(stderr, "missing patch offset for %s\n", params->cmdname);
-        goto pcdout;
-    }
-
-    offset = strtoul(value, NULL, 0);
-
-    value = strtok_r(NULL, " ", &params->cpos);
-
-    if (value == NULL) {
-        fprintf(stderr, "missing patch length for %s\n", params->cmdname);
-        goto pcdout;
-    }
-
-    len = strtoul(value, NULL, 0);
-
-    if (params->version == 1) {
-        status = LoadSrcTgtVersion1(&params->cpos, &tgt, &blocks, &params->buffer,
-                    &params->bufsize, params->fd);
-    } else if (params->version == 2) {
-        status = LoadSrcTgtVersion2(&params->cpos, &tgt, &blocks, &params->buffer,
-                    &params->bufsize, params->fd, params->stashbase, NULL);
-    } else if (params->version >= 3) {
-        status = LoadSrcTgtVersion3(params, &tgt, &blocks, 0, &overlap);
-    }
-
-    if (status == -1) {
-        fprintf(stderr, "failed to read blocks for diff\n");
-        goto pcdout;
-    }
-
-    if (status == 0) {
-        params->foundwrites = 1;
-    } else if (params->foundwrites) {
-        fprintf(stderr, "warning: commands executed out of order [%s]\n", params->cmdname);
-    }
-
-    if (params->canwrite) {
-        if (status == 0) {
-            fprintf(stderr, "patching %d blocks to %d\n", blocks, tgt->size);
-
-            patch_value.type = VAL_BLOB;
-            patch_value.size = len;
-            patch_value.data = (char*) (params->patch_start + offset);
-
-            rss.fd = params->fd;
-            rss.tgt = tgt;
-            rss.p_block = 0;
-            rss.p_remain = (tgt->pos[1] - tgt->pos[0]) * BLOCKSIZE;
-
-            if (!check_lseek(params->fd, (off64_t) tgt->pos[0] * BLOCKSIZE, SEEK_SET)) {
-                goto pcdout;
-            }
-
-            if (params->cmdname[0] == 'i') {      // imgdiff
-                ApplyImagePatch(params->buffer, blocks * BLOCKSIZE, &patch_value,
-                    &RangeSinkWrite, &rss, NULL, NULL);
-            } else {
-                ApplyBSDiffPatch(params->buffer, blocks * BLOCKSIZE, &patch_value,
-                    0, &RangeSinkWrite, &rss, NULL);
-            }
-
-            // We expect the output of the patcher to fill the tgt ranges exactly.
-            if (rss.p_block != tgt->count || rss.p_remain != 0) {
-                fprintf(stderr, "range sink underrun?\n");
-            }
-        } else {
-            fprintf(stderr, "skipping %d blocks already patched to %d [%s]\n",
-                blocks, tgt->size, logparams);
-        }
-    }
-
-    if (params->freestash) {
-        FreeStash(params->stashbase, params->freestash);
-        params->freestash = NULL;
-    }
-
-    params->written += tgt->size;
-    rc = 0;
-
-pcdout:
-    if (logparams) {
-        free(logparams);
-    }
-
-    if (tgt) {
-        free(tgt);
-    }
-
-    return rc;
-}
-
-static int PerformCommandErase(CommandParameters* params) {
-    char* range = NULL;
-    int i;
-    int rc = -1;
-    RangeSet* tgt = NULL;
-    struct stat st;
-    uint64_t blocks[2];
-
-    if (DEBUG_ERASE) {
-        return PerformCommandZero(params);
-    }
-
-    if (!params) {
-        goto pceout;
-    }
-
-    if (fstat(params->fd, &st) == -1) {
-        fprintf(stderr, "failed to fstat device to erase: %s\n", strerror(errno));
-        goto pceout;
-    }
-
-    if (!S_ISBLK(st.st_mode)) {
-        fprintf(stderr, "not a block device; skipping erase\n");
-        goto pceout;
-    }
-
-    range = strtok_r(NULL, " ", &params->cpos);
-
-    if (range == NULL) {
-        fprintf(stderr, "missing target blocks for zero\n");
-        goto pceout;
-    }
-
-    tgt = parse_range(range);
-
-    if (params->canwrite) {
-        fprintf(stderr, " erasing %d blocks\n", tgt->size);
-
-        for (i = 0; i < tgt->count; ++i) {
-            // offset in bytes
-            blocks[0] = tgt->pos[i * 2] * (uint64_t) BLOCKSIZE;
-            // length in bytes
-            blocks[1] = (tgt->pos[i * 2 + 1] - tgt->pos[i * 2]) * (uint64_t) BLOCKSIZE;
-
-            if (ioctl(params->fd, BLKDISCARD, &blocks) == -1) {
-                fprintf(stderr, "BLKDISCARD ioctl failed: %s\n", strerror(errno));
-                goto pceout;
-            }
-        }
-    }
-
-    rc = 0;
-
-pceout:
-    if (tgt) {
-        free(tgt);
-    }
-
-    return rc;
-}
-
-// Definitions for transfer list command functions
-typedef int (*CommandFunction)(CommandParameters*);
-
-typedef struct {
-    const char* name;
-    CommandFunction f;
-} Command;
-
-// CompareCommands and CompareCommandNames are for the hash table
-
-static int CompareCommands(const void* c1, const void* c2) {
-    return strcmp(((const Command*) c1)->name, ((const Command*) c2)->name);
-}
-
-static int CompareCommandNames(const void* c1, const void* c2) {
-    return strcmp(((const Command*) c1)->name, (const char*) c2);
-}
-
-// HashString is used to hash command names for the hash table
-
-static unsigned int HashString(const char *s) {
-    unsigned int hash = 0;
-    if (s) {
-        while (*s) {
-            hash = hash * 33 + *s++;
-        }
-    }
-    return hash;
-}
-
-// args:
-//    - block device (or file) to modify in-place
-//    - transfer list (blob)
-//    - new data stream (filename within package.zip)
-//    - patch stream (filename within package.zip, must be uncompressed)
-
-static Value* PerformBlockImageUpdate(const char* name, State* state, int argc, Expr* argv[],
-            const Command* commands, int cmdcount, int dryrun) {
-
-    char* line = NULL;
-    char* linesave = NULL;
-    char* logcmd = NULL;
-    char* transfer_list = NULL;
-    CommandParameters params;
-    const Command* cmd = NULL;
-    const ZipEntry* new_entry = NULL;
-    const ZipEntry* patch_entry = NULL;
-    FILE* cmd_pipe = NULL;
-    HashTable* cmdht = NULL;
-    int i;
-    int res;
-    int rc = -1;
-    int stash_max_blocks = 0;
-    int total_blocks = 0;
-    pthread_attr_t attr;
-    unsigned int cmdhash;
-    UpdaterInfo* ui = NULL;
-    Value* blockdev_filename = NULL;
-    Value* new_data_fn = NULL;
-    Value* patch_data_fn = NULL;
-    Value* transfer_list_value = NULL;
-    ZipArchive* za = NULL;
-
-    memset(&params, 0, sizeof(params));
-    params.canwrite = !dryrun;
-
-    fprintf(stderr, "performing %s\n", dryrun ? "verification" : "update");
-
-    if (ReadValueArgs(state, argv, 4, &blockdev_filename, &transfer_list_value,
-            &new_data_fn, &patch_data_fn) < 0) {
-        goto pbiudone;
-    }
-
-    if (blockdev_filename->type != VAL_STRING) {
-        ErrorAbort(state, "blockdev_filename argument to %s must be string", name);
-        goto pbiudone;
-    }
-    if (transfer_list_value->type != VAL_BLOB) {
-        ErrorAbort(state, "transfer_list argument to %s must be blob", name);
-        goto pbiudone;
-    }
-    if (new_data_fn->type != VAL_STRING) {
-        ErrorAbort(state, "new_data_fn argument to %s must be string", name);
-        goto pbiudone;
-    }
-    if (patch_data_fn->type != VAL_STRING) {
-        ErrorAbort(state, "patch_data_fn argument to %s must be string", name);
-        goto pbiudone;
-    }
-
-    ui = (UpdaterInfo*) state->cookie;
-
-    if (ui == NULL) {
-        goto pbiudone;
-    }
-
-    cmd_pipe = ui->cmd_pipe;
-    za = ui->package_zip;
-
-    if (cmd_pipe == NULL || za == NULL) {
-        goto pbiudone;
-    }
-
-    patch_entry = mzFindZipEntry(za, patch_data_fn->data);
-
-    if (patch_entry == NULL) {
-        fprintf(stderr, "%s(): no file \"%s\" in package", name, patch_data_fn->data);
-        goto pbiudone;
-    }
-
-    params.patch_start = ui->package_zip_addr + mzGetZipEntryOffset(patch_entry);
-    new_entry = mzFindZipEntry(za, new_data_fn->data);
-
-    if (new_entry == NULL) {
-        fprintf(stderr, "%s(): no file \"%s\" in package", name, new_data_fn->data);
-        goto pbiudone;
-    }
-
-    params.fd = TEMP_FAILURE_RETRY(open(blockdev_filename->data, O_RDWR));
-
-    if (params.fd == -1) {
-        fprintf(stderr, "open \"%s\" failed: %s\n", blockdev_filename->data, strerror(errno));
-        goto pbiudone;
-    }
-
-    if (params.canwrite) {
-        params.nti.za = za;
-        params.nti.entry = new_entry;
-
-        pthread_mutex_init(&params.nti.mu, NULL);
-        pthread_cond_init(&params.nti.cv, NULL);
-        pthread_attr_init(&attr);
-        pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE);
-
-        int error = pthread_create(&params.thread, &attr, unzip_new_data, &params.nti);
-        if (error != 0) {
-            fprintf(stderr, "pthread_create failed: %s\n", strerror(error));
-            goto pbiudone;
-        }
-    }
-
-    // The data in transfer_list_value is not necessarily null-terminated, so we need
-    // to copy it to a new buffer and add the null that strtok_r will need.
-    transfer_list = malloc(transfer_list_value->size + 1);
-
-    if (transfer_list == NULL) {
-        fprintf(stderr, "failed to allocate %zd bytes for transfer list\n",
-            transfer_list_value->size + 1);
-        goto pbiudone;
-    }
-
-    memcpy(transfer_list, transfer_list_value->data, transfer_list_value->size);
-    transfer_list[transfer_list_value->size] = '\0';
-
-    // First line in transfer list is the version number
-    line = strtok_r(transfer_list, "\n", &linesave);
-    params.version = strtol(line, NULL, 0);
-
-    if (params.version < 1 || params.version > 3) {
-        fprintf(stderr, "unexpected transfer list version [%s]\n", line);
-        goto pbiudone;
-    }
-
-    fprintf(stderr, "blockimg version is %d\n", params.version);
-
-    // Second line in transfer list is the total number of blocks we expect to write
-    line = strtok_r(NULL, "\n", &linesave);
-    total_blocks = strtol(line, NULL, 0);
-
-    if (total_blocks < 0) {
-        ErrorAbort(state, "unexpected block count [%s]\n", line);
-        goto pbiudone;
-    } else if (total_blocks == 0) {
-        rc = 0;
-        goto pbiudone;
-    }
-
-    if (params.version >= 2) {
-        // Third line is how many stash entries are needed simultaneously
-        line = strtok_r(NULL, "\n", &linesave);
-        fprintf(stderr, "maximum stash entries %s\n", line);
-
-        // Fourth line is the maximum number of blocks that will be stashed simultaneously
-        line = strtok_r(NULL, "\n", &linesave);
-        stash_max_blocks = strtol(line, NULL, 0);
-
-        if (stash_max_blocks < 0) {
-            ErrorAbort(state, "unexpected maximum stash blocks [%s]\n", line);
-            goto pbiudone;
-        }
-
-        if (stash_max_blocks >= 0) {
-            res = CreateStash(state, stash_max_blocks, blockdev_filename->data,
-                    &params.stashbase);
-
-            if (res == -1) {
-                goto pbiudone;
-            }
-
-            params.createdstash = res;
-        }
-    }
-
-    // Build a hash table of the available commands
-    cmdht = mzHashTableCreate(cmdcount, NULL);
-
-    for (i = 0; i < cmdcount; ++i) {
-        cmdhash = HashString(commands[i].name);
-        mzHashTableLookup(cmdht, cmdhash, (void*) &commands[i], CompareCommands, true);
-    }
-
-    // Subsequent lines are all individual transfer commands
-    for (line = strtok_r(NULL, "\n", &linesave); line;
-         line = strtok_r(NULL, "\n", &linesave)) {
-
-        logcmd = strdup(line);
-        params.cmdname = strtok_r(line, " ", &params.cpos);
-
-        if (params.cmdname == NULL) {
-            fprintf(stderr, "missing command [%s]\n", line);
-            goto pbiudone;
-        }
-
-        cmdhash = HashString(params.cmdname);
-        cmd = (const Command*) mzHashTableLookup(cmdht, cmdhash, params.cmdname,
-                                    CompareCommandNames, false);
-
-        if (cmd == NULL) {
-            fprintf(stderr, "unexpected command [%s]\n", params.cmdname);
-            goto pbiudone;
-        }
-
-        if (cmd->f != NULL && cmd->f(&params) == -1) {
-            fprintf(stderr, "failed to execute command [%s]\n",
-                logcmd ? logcmd : params.cmdname);
-            goto pbiudone;
-        }
-
-        if (logcmd) {
-            free(logcmd);
-            logcmd = NULL;
-        }
-
-        if (params.canwrite) {
-            fprintf(cmd_pipe, "set_progress %.4f\n", (double) params.written / total_blocks);
-            fflush(cmd_pipe);
-        }
-    }
-
-    if (params.canwrite) {
-        pthread_join(params.thread, NULL);
-
-        fprintf(stderr, "wrote %d blocks; expected %d\n", params.written, total_blocks);
-        fprintf(stderr, "max alloc needed was %zu\n", params.bufsize);
-
-        // Delete stash only after successfully completing the update, as it
-        // may contain blocks needed to complete the update later.
-        DeleteStash(params.stashbase);
-    } else {
-        fprintf(stderr, "verified partition contents; update may be resumed\n");
-    }
-
-    rc = 0;
-
-pbiudone:
-    if (params.fd != -1) {
-        if (fsync(params.fd) == -1) {
-            fprintf(stderr, "fsync failed: %s\n", strerror(errno));
-        }
-        close(params.fd);
-    }
-
-    if (logcmd) {
-        free(logcmd);
-    }
-
-    if (cmdht) {
-        mzHashTableFree(cmdht);
-    }
-
-    if (params.buffer) {
-        free(params.buffer);
-    }
-
-    if (transfer_list) {
-        free(transfer_list);
-    }
-
-    if (blockdev_filename) {
-        FreeValue(blockdev_filename);
-    }
-
-    if (transfer_list_value) {
-        FreeValue(transfer_list_value);
-    }
-
-    if (new_data_fn) {
-        FreeValue(new_data_fn);
-    }
-
-    if (patch_data_fn) {
-        FreeValue(patch_data_fn);
-    }
-
-    // Only delete the stash if the update cannot be resumed, or it's
-    // a verification run and we created the stash.
-    if (params.isunresumable || (!params.canwrite && params.createdstash)) {
-        DeleteStash(params.stashbase);
-    }
-
-    if (params.stashbase) {
-        free(params.stashbase);
-    }
-
-    return StringValue(rc == 0 ? strdup("t") : strdup(""));
-}
-
-// The transfer list is a text file containing commands to
-// transfer data from one place to another on the target
-// partition.  We parse it and execute the commands in order:
-//
-//    zero [rangeset]
-//      - fill the indicated blocks with zeros
-//
-//    new [rangeset]
-//      - fill the blocks with data read from the new_data file
-//
-//    erase [rangeset]
-//      - mark the given blocks as empty
-//
-//    move <...>
-//    bsdiff <patchstart> <patchlen> <...>
-//    imgdiff <patchstart> <patchlen> <...>
-//      - read the source blocks, apply a patch (or not in the
-//        case of move), write result to target blocks.  bsdiff or
-//        imgdiff specifies the type of patch; move means no patch
-//        at all.
-//
-//        The format of <...> differs between versions 1 and 2;
-//        see the LoadSrcTgtVersion{1,2}() functions for a
-//        description of what's expected.
-//
-//    stash <stash_id> <src_range>
-//      - (version 2+ only) load the given source range and stash
-//        the data in the given slot of the stash table.
-//
-// The creator of the transfer list will guarantee that no block
-// is read (ie, used as the source for a patch or move) after it
-// has been written.
-//
-// In version 2, the creator will guarantee that a given stash is
-// loaded (with a stash command) before it's used in a
-// move/bsdiff/imgdiff command.
-//
-// Within one command the source and target ranges may overlap so
-// in general we need to read the entire source into memory before
-// writing anything to the target blocks.
-//
-// All the patch data is concatenated into one patch_data file in
-// the update package.  It must be stored uncompressed because we
-// memory-map it in directly from the archive.  (Since patches are
-// already compressed, we lose very little by not compressing
-// their concatenation.)
-//
-// In version 3, commands that read data from the partition (i.e.
-// move/bsdiff/imgdiff/stash) have one or more additional hashes
-// before the range parameters, which are used to check if the
-// command has already been completed and verify the integrity of
-// the source data.
-
-Value* BlockImageVerifyFn(const char* name, State* state, int argc, Expr* argv[]) {
-    // Commands which are not tested are set to NULL to skip them completely
-    const Command commands[] = {
-        { "bsdiff",     PerformCommandDiff  },
-        { "erase",      NULL                },
-        { "free",       PerformCommandFree  },
-        { "imgdiff",    PerformCommandDiff  },
-        { "move",       PerformCommandMove  },
-        { "new",        NULL                },
-        { "stash",      PerformCommandStash },
-        { "zero",       NULL                }
-    };
-
-    // Perform a dry run without writing to test if an update can proceed
-    return PerformBlockImageUpdate(name, state, argc, argv, commands,
-                sizeof(commands) / sizeof(commands[0]), 1);
-}
-
-Value* BlockImageUpdateFn(const char* name, State* state, int argc, Expr* argv[]) {
-    const Command commands[] = {
-        { "bsdiff",     PerformCommandDiff  },
-        { "erase",      PerformCommandErase },
-        { "free",       PerformCommandFree  },
-        { "imgdiff",    PerformCommandDiff  },
-        { "move",       PerformCommandMove  },
-        { "new",        PerformCommandNew   },
-        { "stash",      PerformCommandStash },
-        { "zero",       PerformCommandZero  }
-    };
-
-    return PerformBlockImageUpdate(name, state, argc, argv, commands,
-                sizeof(commands) / sizeof(commands[0]), 0);
-}
-
-Value* RangeSha1Fn(const char* name, State* state, int argc, Expr* argv[]) {
-    Value* blockdev_filename;
-    Value* ranges;
-    const uint8_t* digest = NULL;
-    if (ReadValueArgs(state, argv, 2, &blockdev_filename, &ranges) < 0) {
-        return NULL;
-    }
-
-    if (blockdev_filename->type != VAL_STRING) {
-        ErrorAbort(state, "blockdev_filename argument to %s must be string", name);
-        goto done;
-    }
-    if (ranges->type != VAL_STRING) {
-        ErrorAbort(state, "ranges argument to %s must be string", name);
-        goto done;
-    }
-
-    int fd = open(blockdev_filename->data, O_RDWR);
-    if (fd < 0) {
-        ErrorAbort(state, "open \"%s\" failed: %s", blockdev_filename->data, strerror(errno));
-        goto done;
-    }
-
-    RangeSet* rs = parse_range(ranges->data);
-    uint8_t buffer[BLOCKSIZE];
-
-    SHA_CTX ctx;
-    SHA_init(&ctx);
-
-    int i, j;
-    for (i = 0; i < rs->count; ++i) {
-        if (!check_lseek(fd, (off64_t)rs->pos[i*2] * BLOCKSIZE, SEEK_SET)) {
-            ErrorAbort(state, "failed to seek %s: %s", blockdev_filename->data,
-                strerror(errno));
-            goto done;
-        }
-
-        for (j = rs->pos[i*2]; j < rs->pos[i*2+1]; ++j) {
-            if (read_all(fd, buffer, BLOCKSIZE) == -1) {
-                ErrorAbort(state, "failed to read %s: %s", blockdev_filename->data,
-                    strerror(errno));
-                goto done;
-            }
-
-            SHA_update(&ctx, buffer, BLOCKSIZE);
-        }
-    }
-    digest = SHA_final(&ctx);
-    close(fd);
-
-  done:
-    FreeValue(blockdev_filename);
-    FreeValue(ranges);
-    if (digest == NULL) {
-        return StringValue(strdup(""));
-    } else {
-        return StringValue(PrintSha1(digest));
-    }
-}
-
-void RegisterBlockImageFunctions() {
-    RegisterFunction("block_image_verify", BlockImageVerifyFn);
-    RegisterFunction("block_image_update", BlockImageUpdateFn);
-    RegisterFunction("range_sha1", RangeSha1Fn);
-}
diff --git a/updater/blockimg.cpp b/updater/blockimg.cpp
new file mode 100644
index 0000000..dd6cf0d
--- /dev/null
+++ b/updater/blockimg.cpp
@@ -0,0 +1,1721 @@
+/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <ctype.h>
+#include <errno.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <linux/fs.h>
+#include <pthread.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/ioctl.h>
+#include <time.h>
+#include <unistd.h>
+#include <fec/io.h>
+
+#include <memory>
+#include <string>
+#include <vector>
+
+#include <base/parseint.h>
+#include <base/strings.h>
+
+#include "applypatch/applypatch.h"
+#include "edify/expr.h"
+#include "mincrypt/sha.h"
+#include "minzip/Hash.h"
+#include "print_sha1.h"
+#include "unique_fd.h"
+#include "updater.h"
+
+#define BLOCKSIZE 4096
+
+// Set this to 0 to interpret 'erase' transfers to mean do a
+// BLKDISCARD ioctl (the normal behavior).  Set to 1 to interpret
+// erase to mean fill the region with zeroes.
+#define DEBUG_ERASE  0
+
+#define STASH_DIRECTORY_BASE "/cache/recovery"
+#define STASH_DIRECTORY_MODE 0700
+#define STASH_FILE_MODE 0600
+
+struct RangeSet {
+    size_t count;             // Limit is INT_MAX.
+    size_t size;
+    std::vector<size_t> pos;  // Actual limit is INT_MAX.
+};
+
+static void parse_range(const char* range_text, RangeSet& rs) {
+
+    if (range_text == nullptr) {
+        fprintf(stderr, "failed to parse range: null range\n");
+        exit(1);
+    }
+
+    std::vector<std::string> pieces = android::base::Split(std::string(range_text), ",");
+    long int val;
+
+    if (pieces.size() < 3) {
+        goto err;
+    }
+
+    size_t num;
+    if (!android::base::ParseUint(pieces[0].c_str(), &num, static_cast<size_t>(INT_MAX))) {
+        goto err;
+    }
+
+    if (num == 0 || num % 2) {
+        goto err; // must be even
+    } else if (num != pieces.size() - 1) {
+        goto err;
+    }
+
+    rs.pos.resize(num);
+    rs.count = num / 2;
+    rs.size = 0;
+
+    for (size_t i = 0; i < num; i += 2) {
+        if (!android::base::ParseUint(pieces[i+1].c_str(), &rs.pos[i],
+                                      static_cast<size_t>(INT_MAX))) {
+            goto err;
+        }
+
+        if (!android::base::ParseUint(pieces[i+2].c_str(), &rs.pos[i+1],
+                                      static_cast<size_t>(INT_MAX))) {
+            goto err;
+        }
+
+        if (rs.pos[i] >= rs.pos[i+1]) {
+            goto err; // empty or negative range
+        }
+
+        size_t sz = rs.pos[i+1] - rs.pos[i];
+        if (rs.size > SIZE_MAX - sz) {
+            goto err; // overflow
+        }
+
+        rs.size += sz;
+    }
+
+    return;
+
+err:
+    fprintf(stderr, "failed to parse range '%s'\n", range_text);
+    exit(1);
+}
+
+static bool range_overlaps(const RangeSet& r1, const RangeSet& r2) {
+    for (size_t i = 0; i < r1.count; ++i) {
+        size_t r1_0 = r1.pos[i * 2];
+        size_t r1_1 = r1.pos[i * 2 + 1];
+
+        for (size_t j = 0; j < r2.count; ++j) {
+            size_t r2_0 = r2.pos[j * 2];
+            size_t r2_1 = r2.pos[j * 2 + 1];
+
+            if (!(r2_0 >= r1_1 || r1_0 >= r2_1)) {
+                return true;
+            }
+        }
+    }
+
+    return false;
+}
+
+static int read_all(int fd, uint8_t* data, size_t size) {
+    size_t so_far = 0;
+    while (so_far < size) {
+        ssize_t r = TEMP_FAILURE_RETRY(read(fd, data+so_far, size-so_far));
+        if (r == -1) {
+            fprintf(stderr, "read failed: %s\n", strerror(errno));
+            return -1;
+        }
+        so_far += r;
+    }
+    return 0;
+}
+
+static int read_all(int fd, std::vector<uint8_t>& buffer, size_t size) {
+    return read_all(fd, buffer.data(), size);
+}
+
+static int write_all(int fd, const uint8_t* data, size_t size) {
+    size_t written = 0;
+    while (written < size) {
+        ssize_t w = TEMP_FAILURE_RETRY(write(fd, data+written, size-written));
+        if (w == -1) {
+            fprintf(stderr, "write failed: %s\n", strerror(errno));
+            return -1;
+        }
+        written += w;
+    }
+
+    return 0;
+}
+
+static int write_all(int fd, const std::vector<uint8_t>& buffer, size_t size) {
+    return write_all(fd, buffer.data(), size);
+}
+
+static bool check_lseek(int fd, off64_t offset, int whence) {
+    off64_t rc = TEMP_FAILURE_RETRY(lseek64(fd, offset, whence));
+    if (rc == -1) {
+        fprintf(stderr, "lseek64 failed: %s\n", strerror(errno));
+        return false;
+    }
+    return true;
+}
+
+static void allocate(size_t size, std::vector<uint8_t>& buffer) {
+    // if the buffer's big enough, reuse it.
+    if (size <= buffer.size()) return;
+
+    buffer.resize(size);
+}
+
+struct RangeSinkState {
+    RangeSinkState(RangeSet& rs) : tgt(rs) { };
+
+    int fd;
+    const RangeSet& tgt;
+    size_t p_block;
+    size_t p_remain;
+};
+
+static ssize_t RangeSinkWrite(const uint8_t* data, ssize_t size, void* token) {
+    RangeSinkState* rss = reinterpret_cast<RangeSinkState*>(token);
+
+    if (rss->p_remain == 0) {
+        fprintf(stderr, "range sink write overrun");
+        return 0;
+    }
+
+    ssize_t written = 0;
+    while (size > 0) {
+        size_t write_now = size;
+
+        if (rss->p_remain < write_now) {
+            write_now = rss->p_remain;
+        }
+
+        if (write_all(rss->fd, data, write_now) == -1) {
+            break;
+        }
+
+        data += write_now;
+        size -= write_now;
+
+        rss->p_remain -= write_now;
+        written += write_now;
+
+        if (rss->p_remain == 0) {
+            // move to the next block
+            ++rss->p_block;
+            if (rss->p_block < rss->tgt.count) {
+                rss->p_remain = (rss->tgt.pos[rss->p_block * 2 + 1] -
+                                 rss->tgt.pos[rss->p_block * 2]) * BLOCKSIZE;
+
+                if (!check_lseek(rss->fd, (off64_t)rss->tgt.pos[rss->p_block*2] * BLOCKSIZE,
+                                 SEEK_SET)) {
+                    break;
+                }
+            } else {
+                // we can't write any more; return how many bytes have
+                // been written so far.
+                break;
+            }
+        }
+    }
+
+    return written;
+}
+
+// All of the data for all the 'new' transfers is contained in one
+// file in the update package, concatenated together in the order in
+// which transfers.list will need it.  We want to stream it out of the
+// archive (it's compressed) without writing it to a temp file, but we
+// can't write each section until it's that transfer's turn to go.
+//
+// To achieve this, we expand the new data from the archive in a
+// background thread, and block that threads 'receive uncompressed
+// data' function until the main thread has reached a point where we
+// want some new data to be written.  We signal the background thread
+// with the destination for the data and block the main thread,
+// waiting for the background thread to complete writing that section.
+// Then it signals the main thread to wake up and goes back to
+// blocking waiting for a transfer.
+//
+// NewThreadInfo is the struct used to pass information back and forth
+// between the two threads.  When the main thread wants some data
+// written, it sets rss to the destination location and signals the
+// condition.  When the background thread is done writing, it clears
+// rss and signals the condition again.
+
+struct NewThreadInfo {
+    ZipArchive* za;
+    const ZipEntry* entry;
+
+    RangeSinkState* rss;
+
+    pthread_mutex_t mu;
+    pthread_cond_t cv;
+};
+
+static bool receive_new_data(const unsigned char* data, int size, void* cookie) {
+    NewThreadInfo* nti = reinterpret_cast<NewThreadInfo*>(cookie);
+
+    while (size > 0) {
+        // Wait for nti->rss to be non-null, indicating some of this
+        // data is wanted.
+        pthread_mutex_lock(&nti->mu);
+        while (nti->rss == nullptr) {
+            pthread_cond_wait(&nti->cv, &nti->mu);
+        }
+        pthread_mutex_unlock(&nti->mu);
+
+        // At this point nti->rss is set, and we own it.  The main
+        // thread is waiting for it to disappear from nti.
+        ssize_t written = RangeSinkWrite(data, size, nti->rss);
+        data += written;
+        size -= written;
+
+        if (nti->rss->p_block == nti->rss->tgt.count) {
+            // we have written all the bytes desired by this rss.
+
+            pthread_mutex_lock(&nti->mu);
+            nti->rss = nullptr;
+            pthread_cond_broadcast(&nti->cv);
+            pthread_mutex_unlock(&nti->mu);
+        }
+    }
+
+    return true;
+}
+
+static void* unzip_new_data(void* cookie) {
+    NewThreadInfo* nti = (NewThreadInfo*) cookie;
+    mzProcessZipEntryContents(nti->za, nti->entry, receive_new_data, nti);
+    return nullptr;
+}
+
+static int ReadBlocks(const RangeSet& src, std::vector<uint8_t>& buffer, int fd) {
+    size_t p = 0;
+    uint8_t* data = buffer.data();
+
+    for (size_t i = 0; i < src.count; ++i) {
+        if (!check_lseek(fd, (off64_t) src.pos[i * 2] * BLOCKSIZE, SEEK_SET)) {
+            return -1;
+        }
+
+        size_t size = (src.pos[i * 2 + 1] - src.pos[i * 2]) * BLOCKSIZE;
+
+        if (read_all(fd, data + p, size) == -1) {
+            return -1;
+        }
+
+        p += size;
+    }
+
+    return 0;
+}
+
+static int WriteBlocks(const RangeSet& tgt, const std::vector<uint8_t>& buffer, int fd) {
+    const uint8_t* data = buffer.data();
+
+    size_t p = 0;
+    for (size_t i = 0; i < tgt.count; ++i) {
+        if (!check_lseek(fd, (off64_t) tgt.pos[i * 2] * BLOCKSIZE, SEEK_SET)) {
+            return -1;
+        }
+
+        size_t size = (tgt.pos[i * 2 + 1] - tgt.pos[i * 2]) * BLOCKSIZE;
+
+        if (write_all(fd, data + p, size) == -1) {
+            return -1;
+        }
+
+        p += size;
+    }
+
+    return 0;
+}
+
+// Do a source/target load for move/bsdiff/imgdiff in version 1.
+// 'wordsave' is the save_ptr of a strtok_r()-in-progress.  We expect
+// to parse the remainder of the string as:
+//
+//    <src_range> <tgt_range>
+//
+// The source range is loaded into the provided buffer, reallocating
+// it to make it larger if necessary.
+
+static int LoadSrcTgtVersion1(char** wordsave, RangeSet& tgt, size_t& src_blocks,
+        std::vector<uint8_t>& buffer, int fd) {
+    // <src_range>
+    char* word = strtok_r(nullptr, " ", wordsave);
+    RangeSet src;
+    parse_range(word, src);
+
+    // <tgt_range>
+    word = strtok_r(nullptr, " ", wordsave);
+    parse_range(word, tgt);
+
+    allocate(src.size * BLOCKSIZE, buffer);
+    int rc = ReadBlocks(src, buffer, fd);
+    src_blocks = src.size;
+
+    return rc;
+}
+
+static int VerifyBlocks(const std::string& expected, const std::vector<uint8_t>& buffer,
+        const size_t blocks, bool printerror) {
+    uint8_t digest[SHA_DIGEST_SIZE];
+    const uint8_t* data = buffer.data();
+
+    SHA_hash(data, blocks * BLOCKSIZE, digest);
+
+    std::string hexdigest = print_sha1(digest);
+
+    if (hexdigest != expected) {
+        if (printerror) {
+            fprintf(stderr, "failed to verify blocks (expected %s, read %s)\n",
+                    expected.c_str(), hexdigest.c_str());
+        }
+        return -1;
+    }
+
+    return 0;
+}
+
+static std::string GetStashFileName(const std::string& base, const std::string& id,
+        const std::string& postfix) {
+    if (base.empty()) {
+        return "";
+    }
+
+    std::string fn(STASH_DIRECTORY_BASE);
+    fn += "/" + base + "/" + id + postfix;
+
+    return fn;
+}
+
+typedef void (*StashCallback)(const std::string&, void*);
+
+// Does a best effort enumeration of stash files. Ignores possible non-file
+// items in the stash directory and continues despite of errors. Calls the
+// 'callback' function for each file and passes 'data' to the function as a
+// parameter.
+
+static void EnumerateStash(const std::string& dirname, StashCallback callback, void* data) {
+    if (dirname.empty() || callback == nullptr) {
+        return;
+    }
+
+    std::unique_ptr<DIR, int(*)(DIR*)> directory(opendir(dirname.c_str()), closedir);
+
+    if (directory == nullptr) {
+        if (errno != ENOENT) {
+            fprintf(stderr, "opendir \"%s\" failed: %s\n", dirname.c_str(), strerror(errno));
+        }
+        return;
+    }
+
+    struct dirent* item;
+    while ((item = readdir(directory.get())) != nullptr) {
+        if (item->d_type != DT_REG) {
+            continue;
+        }
+
+        std::string fn = dirname + "/" + std::string(item->d_name);
+        callback(fn, data);
+    }
+}
+
+static void UpdateFileSize(const std::string& fn, void* data) {
+    if (fn.empty() || !data) {
+        return;
+    }
+
+    struct stat sb;
+    if (stat(fn.c_str(), &sb) == -1) {
+        fprintf(stderr, "stat \"%s\" failed: %s\n", fn.c_str(), strerror(errno));
+        return;
+    }
+
+    int* size = reinterpret_cast<int*>(data);
+    *size += sb.st_size;
+}
+
+// Deletes the stash directory and all files in it. Assumes that it only
+// contains files. There is nothing we can do about unlikely, but possible
+// errors, so they are merely logged.
+
+static void DeleteFile(const std::string& fn, void* /* data */) {
+    if (!fn.empty()) {
+        fprintf(stderr, "deleting %s\n", fn.c_str());
+
+        if (unlink(fn.c_str()) == -1 && errno != ENOENT) {
+            fprintf(stderr, "unlink \"%s\" failed: %s\n", fn.c_str(), strerror(errno));
+        }
+    }
+}
+
+static void DeletePartial(const std::string& fn, void* data) {
+    if (android::base::EndsWith(fn, ".partial")) {
+        DeleteFile(fn, data);
+    }
+}
+
+static void DeleteStash(const std::string& base) {
+    if (base.empty()) {
+        return;
+    }
+
+    fprintf(stderr, "deleting stash %s\n", base.c_str());
+
+    std::string dirname = GetStashFileName(base, "", "");
+    EnumerateStash(dirname, DeleteFile, nullptr);
+
+    if (rmdir(dirname.c_str()) == -1) {
+        if (errno != ENOENT && errno != ENOTDIR) {
+            fprintf(stderr, "rmdir \"%s\" failed: %s\n", dirname.c_str(), strerror(errno));
+        }
+    }
+}
+
+static int LoadStash(const std::string& base, const std::string& id, bool verify, size_t* blocks,
+        std::vector<uint8_t>& buffer, bool printnoent) {
+    if (base.empty()) {
+        return -1;
+    }
+
+    size_t blockcount = 0;
+
+    if (!blocks) {
+        blocks = &blockcount;
+    }
+
+    std::string fn = GetStashFileName(base, id, "");
+
+    struct stat sb;
+    int res = stat(fn.c_str(), &sb);
+
+    if (res == -1) {
+        if (errno != ENOENT || printnoent) {
+            fprintf(stderr, "stat \"%s\" failed: %s\n", fn.c_str(), strerror(errno));
+        }
+        return -1;
+    }
+
+    fprintf(stderr, " loading %s\n", fn.c_str());
+
+    if ((sb.st_size % BLOCKSIZE) != 0) {
+        fprintf(stderr, "%s size %" PRId64 " not multiple of block size %d",
+                fn.c_str(), static_cast<int64_t>(sb.st_size), BLOCKSIZE);
+        return -1;
+    }
+
+    int fd = TEMP_FAILURE_RETRY(open(fn.c_str(), O_RDONLY));
+    unique_fd fd_holder(fd);
+
+    if (fd == -1) {
+        fprintf(stderr, "open \"%s\" failed: %s\n", fn.c_str(), strerror(errno));
+        return -1;
+    }
+
+    allocate(sb.st_size, buffer);
+
+    if (read_all(fd, buffer, sb.st_size) == -1) {
+        return -1;
+    }
+
+    *blocks = sb.st_size / BLOCKSIZE;
+
+    if (verify && VerifyBlocks(id, buffer, *blocks, true) != 0) {
+        fprintf(stderr, "unexpected contents in %s\n", fn.c_str());
+        DeleteFile(fn, nullptr);
+        return -1;
+    }
+
+    return 0;
+}
+
+static int WriteStash(const std::string& base, const std::string& id, int blocks,
+        std::vector<uint8_t>& buffer, bool checkspace, bool *exists) {
+    if (base.empty()) {
+        return -1;
+    }
+
+    if (checkspace && CacheSizeCheck(blocks * BLOCKSIZE) != 0) {
+        fprintf(stderr, "not enough space to write stash\n");
+        return -1;
+    }
+
+    std::string fn = GetStashFileName(base, id, ".partial");
+    std::string cn = GetStashFileName(base, id, "");
+
+    if (exists) {
+        struct stat sb;
+        int res = stat(cn.c_str(), &sb);
+
+        if (res == 0) {
+            // The file already exists and since the name is the hash of the contents,
+            // it's safe to assume the contents are identical (accidental hash collisions
+            // are unlikely)
+            fprintf(stderr, " skipping %d existing blocks in %s\n", blocks, cn.c_str());
+            *exists = true;
+            return 0;
+        }
+
+        *exists = false;
+    }
+
+    fprintf(stderr, " writing %d blocks to %s\n", blocks, cn.c_str());
+
+    int fd = TEMP_FAILURE_RETRY(open(fn.c_str(), O_WRONLY | O_CREAT | O_TRUNC, STASH_FILE_MODE));
+    unique_fd fd_holder(fd);
+
+    if (fd == -1) {
+        fprintf(stderr, "failed to create \"%s\": %s\n", fn.c_str(), strerror(errno));
+        return -1;
+    }
+
+    if (write_all(fd, buffer, blocks * BLOCKSIZE) == -1) {
+        return -1;
+    }
+
+    if (fsync(fd) == -1) {
+        fprintf(stderr, "fsync \"%s\" failed: %s\n", fn.c_str(), strerror(errno));
+        return -1;
+    }
+
+    if (rename(fn.c_str(), cn.c_str()) == -1) {
+        fprintf(stderr, "rename(\"%s\", \"%s\") failed: %s\n", fn.c_str(), cn.c_str(),
+                strerror(errno));
+        return -1;
+    }
+
+    std::string dname = GetStashFileName(base, "", "");
+    int dfd = TEMP_FAILURE_RETRY(open(dname.c_str(), O_RDONLY | O_DIRECTORY));
+    unique_fd dfd_holder(dfd);
+
+    if (dfd == -1) {
+        fprintf(stderr, "failed to open \"%s\" failed: %s\n", dname.c_str(), strerror(errno));
+        return -1;
+    }
+
+    if (fsync(dfd) == -1) {
+        fprintf(stderr, "fsync \"%s\" failed: %s\n", dname.c_str(), strerror(errno));
+        return -1;
+    }
+
+    return 0;
+}
+
+// Creates a directory for storing stash files and checks if the /cache partition
+// hash enough space for the expected amount of blocks we need to store. Returns
+// >0 if we created the directory, zero if it existed already, and <0 of failure.
+
+static int CreateStash(State* state, int maxblocks, const char* blockdev, std::string& base) {
+    if (blockdev == nullptr) {
+        return -1;
+    }
+
+    // Stash directory should be different for each partition to avoid conflicts
+    // when updating multiple partitions at the same time, so we use the hash of
+    // the block device name as the base directory
+    SHA_CTX ctx;
+    SHA_init(&ctx);
+    SHA_update(&ctx, blockdev, strlen(blockdev));
+    const uint8_t* digest = SHA_final(&ctx);
+    base = print_sha1(digest);
+
+    std::string dirname = GetStashFileName(base, "", "");
+    struct stat sb;
+    int res = stat(dirname.c_str(), &sb);
+
+    if (res == -1 && errno != ENOENT) {
+        ErrorAbort(state, "stat \"%s\" failed: %s\n", dirname.c_str(), strerror(errno));
+        return -1;
+    } else if (res != 0) {
+        fprintf(stderr, "creating stash %s\n", dirname.c_str());
+        res = mkdir(dirname.c_str(), STASH_DIRECTORY_MODE);
+
+        if (res != 0) {
+            ErrorAbort(state, "mkdir \"%s\" failed: %s\n", dirname.c_str(), strerror(errno));
+            return -1;
+        }
+
+        if (CacheSizeCheck(maxblocks * BLOCKSIZE) != 0) {
+            ErrorAbort(state, "not enough space for stash\n");
+            return -1;
+        }
+
+        return 1;  // Created directory
+    }
+
+    fprintf(stderr, "using existing stash %s\n", dirname.c_str());
+
+    // If the directory already exists, calculate the space already allocated to
+    // stash files and check if there's enough for all required blocks. Delete any
+    // partially completed stash files first.
+
+    EnumerateStash(dirname, DeletePartial, nullptr);
+    int size = 0;
+    EnumerateStash(dirname, UpdateFileSize, &size);
+
+    size = maxblocks * BLOCKSIZE - size;
+
+    if (size > 0 && CacheSizeCheck(size) != 0) {
+        ErrorAbort(state, "not enough space for stash (%d more needed)\n", size);
+        return -1;
+    }
+
+    return 0; // Using existing directory
+}
+
+static int SaveStash(const std::string& base, char** wordsave, std::vector<uint8_t>& buffer,
+        int fd, bool usehash) {
+    if (!wordsave) {
+        return -1;
+    }
+
+    char *id_tok = strtok_r(nullptr, " ", wordsave);
+    if (id_tok == nullptr) {
+        fprintf(stderr, "missing id field in stash command\n");
+        return -1;
+    }
+    std::string id(id_tok);
+
+    size_t blocks = 0;
+    if (usehash && LoadStash(base, id, true, &blocks, buffer, false) == 0) {
+        // Stash file already exists and has expected contents. Do not
+        // read from source again, as the source may have been already
+        // overwritten during a previous attempt.
+        return 0;
+    }
+
+    char* word = strtok_r(nullptr, " ", wordsave);
+    RangeSet src;
+    parse_range(word, src);
+
+    allocate(src.size * BLOCKSIZE, buffer);
+    if (ReadBlocks(src, buffer, fd) == -1) {
+        return -1;
+    }
+    blocks = src.size;
+
+    if (usehash && VerifyBlocks(id, buffer, blocks, true) != 0) {
+        // Source blocks have unexpected contents. If we actually need this
+        // data later, this is an unrecoverable error. However, the command
+        // that uses the data may have already completed previously, so the
+        // possible failure will occur during source block verification.
+        fprintf(stderr, "failed to load source blocks for stash %s\n", id.c_str());
+        return 0;
+    }
+
+    fprintf(stderr, "stashing %zu blocks to %s\n", blocks, id.c_str());
+    return WriteStash(base, id, blocks, buffer, false, nullptr);
+}
+
+static int FreeStash(const std::string& base, const char* id) {
+    if (base.empty() || id == nullptr) {
+        return -1;
+    }
+
+    std::string fn = GetStashFileName(base, std::string(id), "");
+
+    DeleteFile(fn, nullptr);
+
+    return 0;
+}
+
+static void MoveRange(std::vector<uint8_t>& dest, const RangeSet& locs,
+        const std::vector<uint8_t>& source) {
+    // source contains packed data, which we want to move to the
+    // locations given in locs in the dest buffer.  source and dest
+    // may be the same buffer.
+
+    const uint8_t* from = source.data();
+    uint8_t* to = dest.data();
+    size_t start = locs.size;
+    for (int i = locs.count-1; i >= 0; --i) {
+        size_t blocks = locs.pos[i*2+1] - locs.pos[i*2];
+        start -= blocks;
+        memmove(to + (locs.pos[i*2] * BLOCKSIZE), from + (start * BLOCKSIZE),
+                blocks * BLOCKSIZE);
+    }
+}
+
+// Do a source/target load for move/bsdiff/imgdiff in version 2.
+// 'wordsave' is the save_ptr of a strtok_r()-in-progress.  We expect
+// to parse the remainder of the string as one of:
+//
+//    <tgt_range> <src_block_count> <src_range>
+//        (loads data from source image only)
+//
+//    <tgt_range> <src_block_count> - <[stash_id:stash_range] ...>
+//        (loads data from stashes only)
+//
+//    <tgt_range> <src_block_count> <src_range> <src_loc> <[stash_id:stash_range] ...>
+//        (loads data from both source image and stashes)
+//
+// On return, buffer is filled with the loaded source data (rearranged
+// and combined with stashed data as necessary).  buffer may be
+// reallocated if needed to accommodate the source data.  *tgt is the
+// target RangeSet.  Any stashes required are loaded using LoadStash.
+
+static int LoadSrcTgtVersion2(char** wordsave, RangeSet& tgt, size_t& src_blocks,
+        std::vector<uint8_t>& buffer, int fd, const std::string& stashbase, bool* overlap) {
+    // <tgt_range>
+    char* word = strtok_r(nullptr, " ", wordsave);
+    parse_range(word, tgt);
+
+    // <src_block_count>
+    word = strtok_r(nullptr, " ", wordsave);
+    android::base::ParseUint(word, &src_blocks);
+
+    allocate(src_blocks * BLOCKSIZE, buffer);
+
+    // "-" or <src_range> [<src_loc>]
+    word = strtok_r(nullptr, " ", wordsave);
+    if (word[0] == '-' && word[1] == '\0') {
+        // no source ranges, only stashes
+    } else {
+        RangeSet src;
+        parse_range(word, src);
+        int res = ReadBlocks(src, buffer, fd);
+
+        if (overlap) {
+            *overlap = range_overlaps(src, tgt);
+        }
+
+        if (res == -1) {
+            return -1;
+        }
+
+        word = strtok_r(nullptr, " ", wordsave);
+        if (word == nullptr) {
+            // no stashes, only source range
+            return 0;
+        }
+
+        RangeSet locs;
+        parse_range(word, locs);
+        MoveRange(buffer, locs, buffer);
+    }
+
+    // <[stash_id:stash-range]>
+    char* colonsave;
+    while ((word = strtok_r(nullptr, " ", wordsave)) != nullptr) {
+        // Each word is a an index into the stash table, a colon, and
+        // then a rangeset describing where in the source block that
+        // stashed data should go.
+        colonsave = nullptr;
+        char* colon = strtok_r(word, ":", &colonsave);
+
+        std::vector<uint8_t> stash;
+        int res = LoadStash(stashbase, std::string(colon), false, nullptr, stash, true);
+
+        if (res == -1) {
+            // These source blocks will fail verification if used later, but we
+            // will let the caller decide if this is a fatal failure
+            fprintf(stderr, "failed to load stash %s\n", colon);
+            continue;
+        }
+
+        colon = strtok_r(nullptr, ":", &colonsave);
+        RangeSet locs;
+        parse_range(colon, locs);
+
+        MoveRange(buffer, locs, stash);
+    }
+
+    return 0;
+}
+
+// Parameters for transfer list command functions
+struct CommandParameters {
+    char* cmdname;
+    char* cpos;
+    char* freestash;
+    std::string stashbase;
+    bool canwrite;
+    int createdstash;
+    int fd;
+    bool foundwrites;
+    bool isunresumable;
+    int version;
+    size_t written;
+    NewThreadInfo nti;
+    pthread_t thread;
+    std::vector<uint8_t> buffer;
+    uint8_t* patch_start;
+};
+
+// Do a source/target load for move/bsdiff/imgdiff in version 3.
+//
+// Parameters are the same as for LoadSrcTgtVersion2, except for 'onehash', which
+// tells the function whether to expect separate source and targe block hashes, or
+// if they are both the same and only one hash should be expected, and
+// 'isunresumable', which receives a non-zero value if block verification fails in
+// a way that the update cannot be resumed anymore.
+//
+// If the function is unable to load the necessary blocks or their contents don't
+// match the hashes, the return value is -1 and the command should be aborted.
+//
+// If the return value is 1, the command has already been completed according to
+// the contents of the target blocks, and should not be performed again.
+//
+// If the return value is 0, source blocks have expected content and the command
+// can be performed.
+
+static int LoadSrcTgtVersion3(CommandParameters& params, RangeSet& tgt, size_t& src_blocks,
+        bool onehash, bool& overlap) {
+
+    char* srchash = strtok_r(nullptr, " ", &params.cpos);
+    if (srchash == nullptr) {
+        fprintf(stderr, "missing source hash\n");
+        return -1;
+    }
+
+    char* tgthash = nullptr;
+    if (onehash) {
+        tgthash = srchash;
+    } else {
+        tgthash = strtok_r(nullptr, " ", &params.cpos);
+
+        if (tgthash == nullptr) {
+            fprintf(stderr, "missing target hash\n");
+            return -1;
+        }
+    }
+
+    if (LoadSrcTgtVersion2(&params.cpos, tgt, src_blocks, params.buffer, params.fd,
+            params.stashbase, &overlap) == -1) {
+        return -1;
+    }
+
+    std::vector<uint8_t> tgtbuffer(tgt.size * BLOCKSIZE);
+
+    if (ReadBlocks(tgt, tgtbuffer, params.fd) == -1) {
+        return -1;
+    }
+
+    if (VerifyBlocks(tgthash, tgtbuffer, tgt.size, false) == 0) {
+        // Target blocks already have expected content, command should be skipped
+        return 1;
+    }
+
+    if (VerifyBlocks(srchash, params.buffer, src_blocks, true) == 0) {
+        // If source and target blocks overlap, stash the source blocks so we can
+        // resume from possible write errors
+        if (overlap) {
+            fprintf(stderr, "stashing %zu overlapping blocks to %s\n", src_blocks, srchash);
+
+            bool stash_exists = false;
+            if (WriteStash(params.stashbase, srchash, src_blocks, params.buffer, true,
+                           &stash_exists) != 0) {
+                fprintf(stderr, "failed to stash overlapping source blocks\n");
+                return -1;
+            }
+
+            // Can be deleted when the write has completed
+            if (!stash_exists) {
+                params.freestash = srchash;
+            }
+        }
+
+        // Source blocks have expected content, command can proceed
+        return 0;
+    }
+
+    if (overlap && LoadStash(params.stashbase, srchash, true, nullptr, params.buffer, true) == 0) {
+        // Overlapping source blocks were previously stashed, command can proceed.
+        // We are recovering from an interrupted command, so we don't know if the
+        // stash can safely be deleted after this command.
+        return 0;
+    }
+
+    // Valid source data not available, update cannot be resumed
+    fprintf(stderr, "partition has unexpected contents\n");
+    params.isunresumable = true;
+
+    return -1;
+}
+
+static int PerformCommandMove(CommandParameters& params) {
+    size_t blocks = 0;
+    bool overlap = false;
+    int status = 0;
+    RangeSet tgt;
+
+    if (params.version == 1) {
+        status = LoadSrcTgtVersion1(&params.cpos, tgt, blocks, params.buffer, params.fd);
+    } else if (params.version == 2) {
+        status = LoadSrcTgtVersion2(&params.cpos, tgt, blocks, params.buffer, params.fd,
+                params.stashbase, nullptr);
+    } else if (params.version >= 3) {
+        status = LoadSrcTgtVersion3(params, tgt, blocks, true, overlap);
+    }
+
+    if (status == -1) {
+        fprintf(stderr, "failed to read blocks for move\n");
+        return -1;
+    }
+
+    if (status == 0) {
+        params.foundwrites = true;
+    } else if (params.foundwrites) {
+        fprintf(stderr, "warning: commands executed out of order [%s]\n", params.cmdname);
+    }
+
+    if (params.canwrite) {
+        if (status == 0) {
+            fprintf(stderr, "  moving %zu blocks\n", blocks);
+
+            if (WriteBlocks(tgt, params.buffer, params.fd) == -1) {
+                return -1;
+            }
+        } else {
+            fprintf(stderr, "skipping %zu already moved blocks\n", blocks);
+        }
+
+    }
+
+    if (params.freestash) {
+        FreeStash(params.stashbase, params.freestash);
+        params.freestash = nullptr;
+    }
+
+    params.written += tgt.size;
+
+    return 0;
+}
+
+static int PerformCommandStash(CommandParameters& params) {
+    return SaveStash(params.stashbase, &params.cpos, params.buffer, params.fd,
+            (params.version >= 3));
+}
+
+static int PerformCommandFree(CommandParameters& params) {
+    if (params.createdstash || params.canwrite) {
+        return FreeStash(params.stashbase, params.cpos);
+    }
+
+    return 0;
+}
+
+static int PerformCommandZero(CommandParameters& params) {
+    char* range = strtok_r(nullptr, " ", &params.cpos);
+
+    if (range == nullptr) {
+        fprintf(stderr, "missing target blocks for zero\n");
+        return -1;
+    }
+
+    RangeSet tgt;
+    parse_range(range, tgt);
+
+    fprintf(stderr, "  zeroing %zu blocks\n", tgt.size);
+
+    allocate(BLOCKSIZE, params.buffer);
+    memset(params.buffer.data(), 0, BLOCKSIZE);
+
+    if (params.canwrite) {
+        for (size_t i = 0; i < tgt.count; ++i) {
+            if (!check_lseek(params.fd, (off64_t) tgt.pos[i * 2] * BLOCKSIZE, SEEK_SET)) {
+                return -1;
+            }
+
+            for (size_t j = tgt.pos[i * 2]; j < tgt.pos[i * 2 + 1]; ++j) {
+                if (write_all(params.fd, params.buffer, BLOCKSIZE) == -1) {
+                    return -1;
+                }
+            }
+        }
+    }
+
+    if (params.cmdname[0] == 'z') {
+        // Update only for the zero command, as the erase command will call
+        // this if DEBUG_ERASE is defined.
+        params.written += tgt.size;
+    }
+
+    return 0;
+}
+
+static int PerformCommandNew(CommandParameters& params) {
+    char* range = strtok_r(nullptr, " ", &params.cpos);
+
+    if (range == nullptr) {
+        return -1;
+    }
+
+    RangeSet tgt;
+    parse_range(range, tgt);
+
+    if (params.canwrite) {
+        fprintf(stderr, " writing %zu blocks of new data\n", tgt.size);
+
+        RangeSinkState rss(tgt);
+        rss.fd = params.fd;
+        rss.p_block = 0;
+        rss.p_remain = (tgt.pos[1] - tgt.pos[0]) * BLOCKSIZE;
+
+        if (!check_lseek(params.fd, (off64_t) tgt.pos[0] * BLOCKSIZE, SEEK_SET)) {
+            return -1;
+        }
+
+        pthread_mutex_lock(&params.nti.mu);
+        params.nti.rss = &rss;
+        pthread_cond_broadcast(&params.nti.cv);
+
+        while (params.nti.rss) {
+            pthread_cond_wait(&params.nti.cv, &params.nti.mu);
+        }
+
+        pthread_mutex_unlock(&params.nti.mu);
+    }
+
+    params.written += tgt.size;
+
+    return 0;
+}
+
+static int PerformCommandDiff(CommandParameters& params) {
+
+    const std::string logparams(params.cpos);
+    char* value = strtok_r(nullptr, " ", &params.cpos);
+
+    if (value == nullptr) {
+        fprintf(stderr, "missing patch offset for %s\n", params.cmdname);
+        return -1;
+    }
+
+    size_t offset = strtoul(value, nullptr, 0);
+
+    value = strtok_r(nullptr, " ", &params.cpos);
+
+    if (value == nullptr) {
+        fprintf(stderr, "missing patch length for %s\n", params.cmdname);
+        return -1;
+    }
+
+    size_t len = strtoul(value, nullptr, 0);
+
+    RangeSet tgt;
+    size_t blocks = 0;
+    bool overlap = false;
+    int status = 0;
+    if (params.version == 1) {
+        status = LoadSrcTgtVersion1(&params.cpos, tgt, blocks, params.buffer, params.fd);
+    } else if (params.version == 2) {
+        status = LoadSrcTgtVersion2(&params.cpos, tgt, blocks, params.buffer, params.fd,
+                params.stashbase, nullptr);
+    } else if (params.version >= 3) {
+        status = LoadSrcTgtVersion3(params, tgt, blocks, false, overlap);
+    }
+
+    if (status == -1) {
+        fprintf(stderr, "failed to read blocks for diff\n");
+        return -1;
+    }
+
+    if (status == 0) {
+        params.foundwrites = true;
+    } else if (params.foundwrites) {
+        fprintf(stderr, "warning: commands executed out of order [%s]\n", params.cmdname);
+    }
+
+    if (params.canwrite) {
+        if (status == 0) {
+            fprintf(stderr, "patching %zu blocks to %zu\n", blocks, tgt.size);
+
+            Value patch_value;
+            patch_value.type = VAL_BLOB;
+            patch_value.size = len;
+            patch_value.data = (char*) (params.patch_start + offset);
+
+            RangeSinkState rss(tgt);
+            rss.fd = params.fd;
+            rss.p_block = 0;
+            rss.p_remain = (tgt.pos[1] - tgt.pos[0]) * BLOCKSIZE;
+
+            if (!check_lseek(params.fd, (off64_t) tgt.pos[0] * BLOCKSIZE, SEEK_SET)) {
+                return -1;
+            }
+
+            if (params.cmdname[0] == 'i') {      // imgdiff
+                ApplyImagePatch(params.buffer.data(), blocks * BLOCKSIZE, &patch_value,
+                    &RangeSinkWrite, &rss, nullptr, nullptr);
+            } else {
+                ApplyBSDiffPatch(params.buffer.data(), blocks * BLOCKSIZE, &patch_value, 0,
+                    &RangeSinkWrite, &rss, nullptr);
+            }
+
+            // We expect the output of the patcher to fill the tgt ranges exactly.
+            if (rss.p_block != tgt.count || rss.p_remain != 0) {
+                fprintf(stderr, "range sink underrun?\n");
+            }
+        } else {
+            fprintf(stderr, "skipping %zu blocks already patched to %zu [%s]\n",
+                blocks, tgt.size, logparams.c_str());
+        }
+    }
+
+    if (params.freestash) {
+        FreeStash(params.stashbase, params.freestash);
+        params.freestash = nullptr;
+    }
+
+    params.written += tgt.size;
+
+    return 0;
+}
+
+static int PerformCommandErase(CommandParameters& params) {
+    if (DEBUG_ERASE) {
+        return PerformCommandZero(params);
+    }
+
+    struct stat sb;
+    if (fstat(params.fd, &sb) == -1) {
+        fprintf(stderr, "failed to fstat device to erase: %s\n", strerror(errno));
+        return -1;
+    }
+
+    if (!S_ISBLK(sb.st_mode)) {
+        fprintf(stderr, "not a block device; skipping erase\n");
+        return -1;
+    }
+
+    char* range = strtok_r(nullptr, " ", &params.cpos);
+
+    if (range == nullptr) {
+        fprintf(stderr, "missing target blocks for erase\n");
+        return -1;
+    }
+
+    RangeSet tgt;
+    parse_range(range, tgt);
+
+    if (params.canwrite) {
+        fprintf(stderr, " erasing %zu blocks\n", tgt.size);
+
+        for (size_t i = 0; i < tgt.count; ++i) {
+            uint64_t blocks[2];
+            // offset in bytes
+            blocks[0] = tgt.pos[i * 2] * (uint64_t) BLOCKSIZE;
+            // length in bytes
+            blocks[1] = (tgt.pos[i * 2 + 1] - tgt.pos[i * 2]) * (uint64_t) BLOCKSIZE;
+
+            if (ioctl(params.fd, BLKDISCARD, &blocks) == -1) {
+                fprintf(stderr, "BLKDISCARD ioctl failed: %s\n", strerror(errno));
+                return -1;
+            }
+        }
+    }
+
+    return 0;
+}
+
+// Definitions for transfer list command functions
+typedef int (*CommandFunction)(CommandParameters&);
+
+struct Command {
+    const char* name;
+    CommandFunction f;
+};
+
+// CompareCommands and CompareCommandNames are for the hash table
+
+static int CompareCommands(const void* c1, const void* c2) {
+    return strcmp(((const Command*) c1)->name, ((const Command*) c2)->name);
+}
+
+static int CompareCommandNames(const void* c1, const void* c2) {
+    return strcmp(((const Command*) c1)->name, (const char*) c2);
+}
+
+// HashString is used to hash command names for the hash table
+
+static unsigned int HashString(const char *s) {
+    unsigned int hash = 0;
+    if (s) {
+        while (*s) {
+            hash = hash * 33 + *s++;
+        }
+    }
+    return hash;
+}
+
+// args:
+//    - block device (or file) to modify in-place
+//    - transfer list (blob)
+//    - new data stream (filename within package.zip)
+//    - patch stream (filename within package.zip, must be uncompressed)
+
+static Value* PerformBlockImageUpdate(const char* name, State* state, int /* argc */, Expr* argv[],
+        const Command* commands, size_t cmdcount, bool dryrun) {
+
+    CommandParameters params;
+    memset(&params, 0, sizeof(params));
+    params.canwrite = !dryrun;
+
+    fprintf(stderr, "performing %s\n", dryrun ? "verification" : "update");
+
+    Value* blockdev_filename = nullptr;
+    Value* transfer_list_value = nullptr;
+    Value* new_data_fn = nullptr;
+    Value* patch_data_fn = nullptr;
+    if (ReadValueArgs(state, argv, 4, &blockdev_filename, &transfer_list_value,
+            &new_data_fn, &patch_data_fn) < 0) {
+        return StringValue(strdup(""));
+    }
+    std::unique_ptr<Value, decltype(&FreeValue)> blockdev_filename_holder(blockdev_filename,
+            FreeValue);
+    std::unique_ptr<Value, decltype(&FreeValue)> transfer_list_value_holder(transfer_list_value,
+            FreeValue);
+    std::unique_ptr<Value, decltype(&FreeValue)> new_data_fn_holder(new_data_fn, FreeValue);
+    std::unique_ptr<Value, decltype(&FreeValue)> patch_data_fn_holder(patch_data_fn, FreeValue);
+
+    if (blockdev_filename->type != VAL_STRING) {
+        ErrorAbort(state, "blockdev_filename argument to %s must be string", name);
+        return StringValue(strdup(""));
+    }
+    if (transfer_list_value->type != VAL_BLOB) {
+        ErrorAbort(state, "transfer_list argument to %s must be blob", name);
+        return StringValue(strdup(""));
+    }
+    if (new_data_fn->type != VAL_STRING) {
+        ErrorAbort(state, "new_data_fn argument to %s must be string", name);
+        return StringValue(strdup(""));
+    }
+    if (patch_data_fn->type != VAL_STRING) {
+        ErrorAbort(state, "patch_data_fn argument to %s must be string", name);
+        return StringValue(strdup(""));
+    }
+
+    UpdaterInfo* ui = reinterpret_cast<UpdaterInfo*>(state->cookie);
+
+    if (ui == nullptr) {
+        return StringValue(strdup(""));
+    }
+
+    FILE* cmd_pipe = ui->cmd_pipe;
+    ZipArchive* za = ui->package_zip;
+
+    if (cmd_pipe == nullptr || za == nullptr) {
+        return StringValue(strdup(""));
+    }
+
+    const ZipEntry* patch_entry = mzFindZipEntry(za, patch_data_fn->data);
+    if (patch_entry == nullptr) {
+        fprintf(stderr, "%s(): no file \"%s\" in package", name, patch_data_fn->data);
+        return StringValue(strdup(""));
+    }
+
+    params.patch_start = ui->package_zip_addr + mzGetZipEntryOffset(patch_entry);
+    const ZipEntry* new_entry = mzFindZipEntry(za, new_data_fn->data);
+    if (new_entry == nullptr) {
+        fprintf(stderr, "%s(): no file \"%s\" in package", name, new_data_fn->data);
+        return StringValue(strdup(""));
+    }
+
+    params.fd = TEMP_FAILURE_RETRY(open(blockdev_filename->data, O_RDWR));
+    unique_fd fd_holder(params.fd);
+
+    if (params.fd == -1) {
+        fprintf(stderr, "open \"%s\" failed: %s\n", blockdev_filename->data, strerror(errno));
+        return StringValue(strdup(""));
+    }
+
+    if (params.canwrite) {
+        params.nti.za = za;
+        params.nti.entry = new_entry;
+
+        pthread_mutex_init(&params.nti.mu, nullptr);
+        pthread_cond_init(&params.nti.cv, nullptr);
+        pthread_attr_t attr;
+        pthread_attr_init(&attr);
+        pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE);
+
+        int error = pthread_create(&params.thread, &attr, unzip_new_data, &params.nti);
+        if (error != 0) {
+            fprintf(stderr, "pthread_create failed: %s\n", strerror(error));
+            return StringValue(strdup(""));
+        }
+    }
+
+    // The data in transfer_list_value is not necessarily null-terminated, so we need
+    // to copy it to a new buffer and add the null that strtok_r will need.
+    const std::string transfer_list(transfer_list_value->data, transfer_list_value->size);
+    std::vector<std::string> lines = android::base::Split(transfer_list, "\n");
+
+    // First line in transfer list is the version number
+    if (!android::base::ParseInt(lines[0].c_str(), &params.version, 1, 4)) {
+        fprintf(stderr, "unexpected transfer list version [%s]\n", lines[0].c_str());
+        return StringValue(strdup(""));
+    }
+
+    fprintf(stderr, "blockimg version is %d\n", params.version);
+
+    // Second line in transfer list is the total number of blocks we expect to write
+    int total_blocks;
+    if (!android::base::ParseInt(lines[1].c_str(), &total_blocks, 0)) {
+        ErrorAbort(state, "unexpected block count [%s]\n", lines[1].c_str());
+        return StringValue(strdup(""));
+    }
+
+    if (total_blocks == 0) {
+        return StringValue(strdup("t"));
+    }
+
+    size_t start = 2;
+    if (params.version >= 2) {
+        // Third line is how many stash entries are needed simultaneously
+        fprintf(stderr, "maximum stash entries %s\n", lines[2].c_str());
+
+        // Fourth line is the maximum number of blocks that will be stashed simultaneously
+        int stash_max_blocks;
+        if (!android::base::ParseInt(lines[3].c_str(), &stash_max_blocks, 0)) {
+            ErrorAbort(state, "unexpected maximum stash blocks [%s]\n", lines[3].c_str());
+            return StringValue(strdup(""));
+        }
+
+        int res = CreateStash(state, stash_max_blocks, blockdev_filename->data, params.stashbase);
+
+        if (res == -1) {
+            return StringValue(strdup(""));
+        }
+
+        params.createdstash = res;
+
+        start += 2;
+    }
+
+    // Build a hash table of the available commands
+    HashTable* cmdht = mzHashTableCreate(cmdcount, nullptr);
+    std::unique_ptr<HashTable, decltype(&mzHashTableFree)> cmdht_holder(cmdht, mzHashTableFree);
+
+    for (size_t i = 0; i < cmdcount; ++i) {
+        unsigned int cmdhash = HashString(commands[i].name);
+        mzHashTableLookup(cmdht, cmdhash, (void*) &commands[i], CompareCommands, true);
+    }
+
+    int rc = -1;
+
+    // Subsequent lines are all individual transfer commands
+    for (auto it = lines.cbegin() + start; it != lines.cend(); it++) {
+        const std::string& line_str(*it);
+        if (line_str.empty()) {
+            continue;
+        }
+
+        char* line = strdup(line_str.c_str());
+        params.cmdname = strtok_r(line, " ", &params.cpos);
+
+        if (params.cmdname == nullptr) {
+            fprintf(stderr, "missing command [%s]\n", line);
+            goto pbiudone;
+        }
+
+        unsigned int cmdhash = HashString(params.cmdname);
+        const Command* cmd = reinterpret_cast<const Command*>(mzHashTableLookup(cmdht, cmdhash,
+                params.cmdname, CompareCommandNames, false));
+
+        if (cmd == nullptr) {
+            fprintf(stderr, "unexpected command [%s]\n", params.cmdname);
+            goto pbiudone;
+        }
+
+        if (cmd->f != nullptr && cmd->f(params) == -1) {
+            fprintf(stderr, "failed to execute command [%s]\n", line_str.c_str());
+            goto pbiudone;
+        }
+
+        if (params.canwrite) {
+            if (fsync(params.fd) == -1) {
+                fprintf(stderr, "fsync failed: %s\n", strerror(errno));
+                goto pbiudone;
+            }
+            fprintf(cmd_pipe, "set_progress %.4f\n", (double) params.written / total_blocks);
+            fflush(cmd_pipe);
+        }
+    }
+
+    if (params.canwrite) {
+        pthread_join(params.thread, nullptr);
+
+        fprintf(stderr, "wrote %zu blocks; expected %d\n", params.written, total_blocks);
+        fprintf(stderr, "max alloc needed was %zu\n", params.buffer.size());
+
+        // Delete stash only after successfully completing the update, as it
+        // may contain blocks needed to complete the update later.
+        DeleteStash(params.stashbase);
+    } else {
+        fprintf(stderr, "verified partition contents; update may be resumed\n");
+    }
+
+    rc = 0;
+
+pbiudone:
+    if (params.fd != -1) {
+        if (fsync(params.fd) == -1) {
+            fprintf(stderr, "fsync failed: %s\n", strerror(errno));
+        }
+        close(params.fd);
+    }
+
+    // Only delete the stash if the update cannot be resumed, or it's
+    // a verification run and we created the stash.
+    if (params.isunresumable || (!params.canwrite && params.createdstash)) {
+        DeleteStash(params.stashbase);
+    }
+
+    return StringValue(rc == 0 ? strdup("t") : strdup(""));
+}
+
+// The transfer list is a text file containing commands to
+// transfer data from one place to another on the target
+// partition.  We parse it and execute the commands in order:
+//
+//    zero [rangeset]
+//      - fill the indicated blocks with zeros
+//
+//    new [rangeset]
+//      - fill the blocks with data read from the new_data file
+//
+//    erase [rangeset]
+//      - mark the given blocks as empty
+//
+//    move <...>
+//    bsdiff <patchstart> <patchlen> <...>
+//    imgdiff <patchstart> <patchlen> <...>
+//      - read the source blocks, apply a patch (or not in the
+//        case of move), write result to target blocks.  bsdiff or
+//        imgdiff specifies the type of patch; move means no patch
+//        at all.
+//
+//        The format of <...> differs between versions 1 and 2;
+//        see the LoadSrcTgtVersion{1,2}() functions for a
+//        description of what's expected.
+//
+//    stash <stash_id> <src_range>
+//      - (version 2+ only) load the given source range and stash
+//        the data in the given slot of the stash table.
+//
+// The creator of the transfer list will guarantee that no block
+// is read (ie, used as the source for a patch or move) after it
+// has been written.
+//
+// In version 2, the creator will guarantee that a given stash is
+// loaded (with a stash command) before it's used in a
+// move/bsdiff/imgdiff command.
+//
+// Within one command the source and target ranges may overlap so
+// in general we need to read the entire source into memory before
+// writing anything to the target blocks.
+//
+// All the patch data is concatenated into one patch_data file in
+// the update package.  It must be stored uncompressed because we
+// memory-map it in directly from the archive.  (Since patches are
+// already compressed, we lose very little by not compressing
+// their concatenation.)
+//
+// In version 3, commands that read data from the partition (i.e.
+// move/bsdiff/imgdiff/stash) have one or more additional hashes
+// before the range parameters, which are used to check if the
+// command has already been completed and verify the integrity of
+// the source data.
+
+Value* BlockImageVerifyFn(const char* name, State* state, int argc, Expr* argv[]) {
+    // Commands which are not tested are set to nullptr to skip them completely
+    const Command commands[] = {
+        { "bsdiff",     PerformCommandDiff  },
+        { "erase",      nullptr             },
+        { "free",       PerformCommandFree  },
+        { "imgdiff",    PerformCommandDiff  },
+        { "move",       PerformCommandMove  },
+        { "new",        nullptr             },
+        { "stash",      PerformCommandStash },
+        { "zero",       nullptr             }
+    };
+
+    // Perform a dry run without writing to test if an update can proceed
+    return PerformBlockImageUpdate(name, state, argc, argv, commands,
+                sizeof(commands) / sizeof(commands[0]), true);
+}
+
+Value* BlockImageUpdateFn(const char* name, State* state, int argc, Expr* argv[]) {
+    const Command commands[] = {
+        { "bsdiff",     PerformCommandDiff  },
+        { "erase",      PerformCommandErase },
+        { "free",       PerformCommandFree  },
+        { "imgdiff",    PerformCommandDiff  },
+        { "move",       PerformCommandMove  },
+        { "new",        PerformCommandNew   },
+        { "stash",      PerformCommandStash },
+        { "zero",       PerformCommandZero  }
+    };
+
+    return PerformBlockImageUpdate(name, state, argc, argv, commands,
+                sizeof(commands) / sizeof(commands[0]), false);
+}
+
+Value* RangeSha1Fn(const char* name, State* state, int /* argc */, Expr* argv[]) {
+    Value* blockdev_filename;
+    Value* ranges;
+
+    if (ReadValueArgs(state, argv, 2, &blockdev_filename, &ranges) < 0) {
+        return StringValue(strdup(""));
+    }
+    std::unique_ptr<Value, decltype(&FreeValue)> ranges_holder(ranges, FreeValue);
+    std::unique_ptr<Value, decltype(&FreeValue)> blockdev_filename_holder(blockdev_filename,
+            FreeValue);
+
+    if (blockdev_filename->type != VAL_STRING) {
+        ErrorAbort(state, "blockdev_filename argument to %s must be string", name);
+        return StringValue(strdup(""));
+    }
+    if (ranges->type != VAL_STRING) {
+        ErrorAbort(state, "ranges argument to %s must be string", name);
+        return StringValue(strdup(""));
+    }
+
+    int fd = open(blockdev_filename->data, O_RDWR);
+    unique_fd fd_holder(fd);
+    if (fd < 0) {
+        ErrorAbort(state, "open \"%s\" failed: %s", blockdev_filename->data, strerror(errno));
+        return StringValue(strdup(""));
+    }
+
+    RangeSet rs;
+    parse_range(ranges->data, rs);
+
+    SHA_CTX ctx;
+    SHA_init(&ctx);
+
+    std::vector<uint8_t> buffer(BLOCKSIZE);
+    for (size_t i = 0; i < rs.count; ++i) {
+        if (!check_lseek(fd, (off64_t)rs.pos[i*2] * BLOCKSIZE, SEEK_SET)) {
+            ErrorAbort(state, "failed to seek %s: %s", blockdev_filename->data, strerror(errno));
+            return StringValue(strdup(""));
+        }
+
+        for (size_t j = rs.pos[i*2]; j < rs.pos[i*2+1]; ++j) {
+            if (read_all(fd, buffer, BLOCKSIZE) == -1) {
+                ErrorAbort(state, "failed to read %s: %s", blockdev_filename->data,
+                        strerror(errno));
+                return StringValue(strdup(""));
+            }
+
+            SHA_update(&ctx, buffer.data(), BLOCKSIZE);
+        }
+    }
+    const uint8_t* digest = SHA_final(&ctx);
+
+    return StringValue(strdup(print_sha1(digest).c_str()));
+}
+
+Value* BlockImageRecoverFn(const char* name, State* state, int argc, Expr* argv[]) {
+    Value* arg_filename;
+    Value* arg_ranges;
+
+    if (ReadValueArgs(state, argv, 2, &arg_filename, &arg_ranges) < 0) {
+        return NULL;
+    }
+
+    std::unique_ptr<Value, decltype(&FreeValue)> filename(arg_filename, FreeValue);
+    std::unique_ptr<Value, decltype(&FreeValue)> ranges(arg_ranges, FreeValue);
+
+    if (filename->type != VAL_STRING) {
+        ErrorAbort(state, "filename argument to %s must be string", name);
+        return StringValue(strdup(""));
+    }
+    if (ranges->type != VAL_STRING) {
+        ErrorAbort(state, "ranges argument to %s must be string", name);
+        return StringValue(strdup(""));
+    }
+
+    // When opened with O_RDWR, libfec rewrites corrupted blocks when they are read
+    fec::io fh(filename->data, O_RDWR);
+
+    if (!fh) {
+        ErrorAbort(state, "fec_open \"%s\" failed: %s", filename->data, strerror(errno));
+        return StringValue(strdup(""));
+    }
+
+    if (!fh.has_ecc() || !fh.has_verity()) {
+        ErrorAbort(state, "unable to use metadata to correct errors");
+        return StringValue(strdup(""));
+    }
+
+    fec_status status;
+
+    if (!fh.get_status(status)) {
+        ErrorAbort(state, "failed to read FEC status");
+        return StringValue(strdup(""));
+    }
+
+    RangeSet rs;
+    parse_range(ranges->data, rs);
+
+    uint8_t buffer[BLOCKSIZE];
+
+    for (size_t i = 0; i < rs.count; ++i) {
+        for (size_t j = rs.pos[i * 2]; j < rs.pos[i * 2 + 1]; ++j) {
+            // Stay within the data area, libfec validates and corrects metadata
+            if (status.data_size <= (uint64_t)j * BLOCKSIZE) {
+                continue;
+            }
+
+            if (fh.pread(buffer, BLOCKSIZE, (off64_t)j * BLOCKSIZE) != BLOCKSIZE) {
+                ErrorAbort(state, "failed to recover %s (block %d): %s", filename->data,
+                    j, strerror(errno));
+                return StringValue(strdup(""));
+            }
+
+            // If we want to be able to recover from a situation where rewriting a corrected
+            // block doesn't guarantee the same data will be returned when re-read later, we
+            // can save a copy of corrected blocks to /cache. Note:
+            //
+            //  1. Maximum space required from /cache is the same as the maximum number of
+            //     corrupted blocks we can correct. For RS(255, 253) and a 2 GiB partition,
+            //     this would be ~16 MiB, for example.
+            //
+            //  2. To find out if this block was corrupted, call fec_get_status after each
+            //     read and check if the errors field value has increased.
+        }
+    }
+
+    return StringValue(strdup("t"));
+}
+
+void RegisterBlockImageFunctions() {
+    RegisterFunction("block_image_verify", BlockImageVerifyFn);
+    RegisterFunction("block_image_update", BlockImageUpdateFn);
+    RegisterFunction("block_image_recover", BlockImageRecoverFn);
+    RegisterFunction("range_sha1", RangeSha1Fn);
+}
diff --git a/updater/install.c b/updater/install.cpp
similarity index 89%
rename from updater/install.c
rename to updater/install.cpp
index 01a5dd2..97e3905 100644
--- a/updater/install.c
+++ b/updater/install.cpp
@@ -34,6 +34,10 @@
 #include <linux/xattr.h>
 #include <inttypes.h>
 
+#include <base/parseint.h>
+#include <base/strings.h>
+#include <base/stringprintf.h>
+
 #include "bootloader.h"
 #include "applypatch/applypatch.h"
 #include "cutils/android_reboot.h"
@@ -53,31 +57,43 @@
 #include "wipe.h"
 #endif
 
-void uiPrint(State* state, char* buffer) {
-    char* line = strtok(buffer, "\n");
-    UpdaterInfo* ui = (UpdaterInfo*)(state->cookie);
-    while (line) {
-        fprintf(ui->cmd_pipe, "ui_print %s\n", line);
-        line = strtok(NULL, "\n");
+// Send over the buffer to recovery though the command pipe.
+static void uiPrint(State* state, const std::string& buffer) {
+    UpdaterInfo* ui = reinterpret_cast<UpdaterInfo*>(state->cookie);
+
+    // "line1\nline2\n" will be split into 3 tokens: "line1", "line2" and "".
+    // So skip sending empty strings to UI.
+    std::vector<std::string> lines = android::base::Split(buffer, "\n");
+    for (auto& line: lines) {
+        if (!line.empty()) {
+            fprintf(ui->cmd_pipe, "ui_print %s\n", line.c_str());
+            fprintf(ui->cmd_pipe, "ui_print\n");
+        }
     }
-    fprintf(ui->cmd_pipe, "ui_print\n");
+
+    // On the updater side, we need to dump the contents to stderr (which has
+    // been redirected to the log file). Because the recovery will only print
+    // the contents to screen when processing pipe command ui_print.
+    fprintf(stderr, "%s", buffer.c_str());
 }
 
 __attribute__((__format__(printf, 2, 3))) __nonnull((2))
 void uiPrintf(State* state, const char* format, ...) {
-    char error_msg[1024];
+    std::string error_msg;
+
     va_list ap;
     va_start(ap, format);
-    vsnprintf(error_msg, sizeof(error_msg), format, ap);
+    android::base::StringAppendV(&error_msg, format, ap);
     va_end(ap);
+
     uiPrint(state, error_msg);
 }
 
 // Take a sha-1 digest and return it as a newly-allocated hex string.
 char* PrintSha1(const uint8_t* digest) {
-    char* buffer = malloc(SHA_DIGEST_SIZE*2 + 1);
-    int i;
+    char* buffer = reinterpret_cast<char*>(malloc(SHA_DIGEST_SIZE*2 + 1));
     const char* alphabet = "0123456789abcdef";
+    size_t i;
     for (i = 0; i < SHA_DIGEST_SIZE; ++i) {
         buffer[i*2] = alphabet[(digest[i] >> 4) & 0xf];
         buffer[i*2+1] = alphabet[digest[i] & 0xf];
@@ -133,18 +149,20 @@
         goto done;
     }
 
-    char *secontext = NULL;
+    {
+        char *secontext = NULL;
 
-    if (sehandle) {
-        selabel_lookup(sehandle, &secontext, mount_point, 0755);
-        setfscreatecon(secontext);
-    }
+        if (sehandle) {
+            selabel_lookup(sehandle, &secontext, mount_point, 0755);
+            setfscreatecon(secontext);
+        }
 
-    mkdir(mount_point, 0755);
+        mkdir(mount_point, 0755);
 
-    if (secontext) {
-        freecon(secontext);
-        setfscreatecon(NULL);
+        if (secontext) {
+            freecon(secontext);
+            setfscreatecon(NULL);
+        }
     }
 
     if (strcmp(partition_type, "MTD") == 0) {
@@ -152,7 +170,7 @@
         const MtdPartition* mtd;
         mtd = mtd_find_partition_by_name(location);
         if (mtd == NULL) {
-            uiPrintf(state, "%s: no mtd partition named \"%s\"",
+            uiPrintf(state, "%s: no mtd partition named \"%s\"\n",
                     name, location);
             result = strdup("");
             goto done;
@@ -202,11 +220,13 @@
     }
 
     scan_mounted_volumes();
-    const MountedVolume* vol = find_mounted_volume_by_mount_point(mount_point);
-    if (vol == NULL) {
-        result = strdup("");
-    } else {
-        result = mount_point;
+    {
+        const MountedVolume* vol = find_mounted_volume_by_mount_point(mount_point);
+        if (vol == NULL) {
+            result = strdup("");
+        } else {
+            result = mount_point;
+        }
     }
 
 done:
@@ -230,17 +250,19 @@
     }
 
     scan_mounted_volumes();
-    const MountedVolume* vol = find_mounted_volume_by_mount_point(mount_point);
-    if (vol == NULL) {
-        uiPrintf(state, "unmount of %s failed; no such volume\n", mount_point);
-        result = strdup("");
-    } else {
-        int ret = unmount_mounted_volume(vol);
-        if (ret != 0) {
-           uiPrintf(state, "unmount of %s failed (%d): %s\n",
-                    mount_point, ret, strerror(errno));
+    {
+        const MountedVolume* vol = find_mounted_volume_by_mount_point(mount_point);
+        if (vol == NULL) {
+            uiPrintf(state, "unmount of %s failed; no such volume\n", mount_point);
+            result = strdup("");
+        } else {
+            int ret = unmount_mounted_volume(vol);
+            if (ret != 0) {
+                uiPrintf(state, "unmount of %s failed (%d): %s\n",
+                         mount_point, ret, strerror(errno));
+            }
+            result = mount_point;
         }
-        result = mount_point;
     }
 
 done:
@@ -413,9 +435,8 @@
 }
 
 Value* DeleteFn(const char* name, State* state, int argc, Expr* argv[]) {
-    char** paths = malloc(argc * sizeof(char*));
-    int i;
-    for (i = 0; i < argc; ++i) {
+    char** paths = reinterpret_cast<char**>(malloc(argc * sizeof(char*)));
+    for (int i = 0; i < argc; ++i) {
         paths[i] = Evaluate(state, argv[i]);
         if (paths[i] == NULL) {
             int j;
@@ -430,7 +451,7 @@
     bool recursive = (strcmp(name, "delete_recursive") == 0);
 
     int success = 0;
-    for (i = 0; i < argc; ++i) {
+    for (int i = 0; i < argc; ++i) {
         if ((recursive ? dirUnlinkHierarchy(paths[i]) : unlink(paths[i])) == 0)
             ++success;
         free(paths[i]);
@@ -454,7 +475,8 @@
     }
 
     double frac = strtod(frac_str, NULL);
-    int sec = strtol(sec_str, NULL, 10);
+    int sec;
+    android::base::ParseInt(sec_str, &sec);
 
     UpdaterInfo* ui = (UpdaterInfo*)(state->cookie);
     fprintf(ui->cmd_pipe, "progress %f %d\n", frac, sec);
@@ -517,8 +539,6 @@
     }
     bool success = false;
 
-    UpdaterInfo* ui = (UpdaterInfo*)(state->cookie);
-
     if (argc == 2) {
         // The two-argument version extracts to a file.
 
@@ -534,14 +554,16 @@
             goto done2;
         }
 
-        FILE* f = fopen(dest_path, "wb");
-        if (f == NULL) {
-            printf("%s: can't open %s for write: %s\n",
-                    name, dest_path, strerror(errno));
-            goto done2;
+        {
+            FILE* f = fopen(dest_path, "wb");
+            if (f == NULL) {
+                printf("%s: can't open %s for write: %s\n",
+                        name, dest_path, strerror(errno));
+                goto done2;
+            }
+            success = mzExtractZipEntryToFile(za, entry, fileno(f));
+            fclose(f);
         }
-        success = mzExtractZipEntryToFile(za, entry, fileno(f));
-        fclose(f);
 
       done2:
         free(zip_path);
@@ -552,7 +574,7 @@
         // as the result.
 
         char* zip_path;
-        Value* v = malloc(sizeof(Value));
+        Value* v = reinterpret_cast<Value*>(malloc(sizeof(Value)));
         v->type = VAL_BLOB;
         v->size = -1;
         v->data = NULL;
@@ -567,7 +589,7 @@
         }
 
         v->size = mzGetZipEntryUncompLen(entry);
-        v->data = malloc(v->size);
+        v->data = reinterpret_cast<char*>(malloc(v->size));
         if (v->data == NULL) {
             printf("%s: failed to allocate %ld bytes for %s\n",
                     name, (long)v->size, zip_path);
@@ -866,17 +888,14 @@
 }
 
 static Value* SetMetadataFn(const char* name, State* state, int argc, Expr* argv[]) {
-    int i;
     int bad = 0;
-    static int nwarnings = 0;
     struct stat sb;
     Value* result = NULL;
 
     bool recursive = (strcmp(name, "set_metadata_recursive") == 0);
 
     if ((argc % 2) != 1) {
-        return ErrorAbort(state, "%s() expects an odd number of arguments, got %d",
-                          name, argc);
+        return ErrorAbort(state, "%s() expects an odd number of arguments, got %d", name, argc);
     }
 
     char** args = ReadVarArgs(state, argc, argv);
@@ -887,20 +906,22 @@
         goto done;
     }
 
-    struct perm_parsed_args parsed = ParsePermArgs(state, argc, args);
+    {
+        struct perm_parsed_args parsed = ParsePermArgs(state, argc, args);
 
-    if (recursive) {
-        recursive_parsed_args = parsed;
-        recursive_state = state;
-        bad += nftw(args[0], do_SetMetadataRecursive, 30, FTW_CHDIR | FTW_DEPTH | FTW_PHYS);
-        memset(&recursive_parsed_args, 0, sizeof(recursive_parsed_args));
-        recursive_state = NULL;
-    } else {
-        bad += ApplyParsedPerms(state, args[0], &sb, parsed);
+        if (recursive) {
+            recursive_parsed_args = parsed;
+            recursive_state = state;
+            bad += nftw(args[0], do_SetMetadataRecursive, 30, FTW_CHDIR | FTW_DEPTH | FTW_PHYS);
+            memset(&recursive_parsed_args, 0, sizeof(recursive_parsed_args));
+            recursive_state = NULL;
+        } else {
+            bad += ApplyParsedPerms(state, args[0], &sb, parsed);
+        }
     }
 
 done:
-    for (i = 0; i < argc; ++i) {
+    for (int i = 0; i < argc; ++i) {
         free(args[i]);
     }
     free(args);
@@ -920,8 +941,7 @@
     if (argc != 1) {
         return ErrorAbort(state, "%s() expects 1 arg, got %d", name, argc);
     }
-    char* key;
-    key = Evaluate(state, argv[0]);
+    char* key = Evaluate(state, argv[0]);
     if (key == NULL) return NULL;
 
     char value[PROPERTY_VALUE_MAX];
@@ -948,33 +968,31 @@
 
     struct stat st;
     if (stat(filename, &st) < 0) {
-        ErrorAbort(state, "%s: failed to stat \"%s\": %s",
-                   name, filename, strerror(errno));
+        ErrorAbort(state, "%s: failed to stat \"%s\": %s", name, filename, strerror(errno));
         goto done;
     }
 
 #define MAX_FILE_GETPROP_SIZE    65536
 
     if (st.st_size > MAX_FILE_GETPROP_SIZE) {
-        ErrorAbort(state, "%s too large for %s (max %d)",
-                   filename, name, MAX_FILE_GETPROP_SIZE);
+        ErrorAbort(state, "%s too large for %s (max %d)", filename, name, MAX_FILE_GETPROP_SIZE);
         goto done;
     }
 
-    buffer = malloc(st.st_size+1);
+    buffer = reinterpret_cast<char*>(malloc(st.st_size+1));
     if (buffer == NULL) {
         ErrorAbort(state, "%s: failed to alloc %lld bytes", name, (long long)st.st_size+1);
         goto done;
     }
 
-    FILE* f = fopen(filename, "rb");
+    FILE* f;
+    f = fopen(filename, "rb");
     if (f == NULL) {
-        ErrorAbort(state, "%s: failed to open %s: %s",
-                   name, filename, strerror(errno));
+        ErrorAbort(state, "%s: failed to open %s: %s", name, filename, strerror(errno));
         goto done;
     }
 
-    if (fread(buffer, 1, st.st_size, f) != st.st_size) {
+    if (fread(buffer, 1, st.st_size, f) != static_cast<size_t>(st.st_size)) {
         ErrorAbort(state, "%s: failed to read %lld bytes from %s",
                    name, (long long)st.st_size+1, filename);
         fclose(f);
@@ -984,7 +1002,8 @@
 
     fclose(f);
 
-    char* line = strtok(buffer, "\n");
+    char* line;
+    line = strtok(buffer, "\n");
     do {
         // skip whitespace at start of line
         while (*line && isspace(*line)) ++line;
@@ -1028,15 +1047,6 @@
     return StringValue(result);
 }
 
-
-static bool write_raw_image_cb(const unsigned char* data,
-                               int data_len, void* ctx) {
-    int r = mtd_write_data((MtdWriteContext*)ctx, (const char *)data, data_len);
-    if (r == data_len) return true;
-    printf("%s\n", strerror(errno));
-    return false;
-}
-
 // write_raw_image(filename_or_blob, partition)
 Value* WriteRawImageFn(const char* name, State* state, int argc, Expr* argv[]) {
     char* result = NULL;
@@ -1063,14 +1073,16 @@
     }
 
     mtd_scan_partitions();
-    const MtdPartition* mtd = mtd_find_partition_by_name(partition);
+    const MtdPartition* mtd;
+    mtd = mtd_find_partition_by_name(partition);
     if (mtd == NULL) {
         printf("%s: no mtd partition named \"%s\"\n", name, partition);
         result = strdup("");
         goto done;
     }
 
-    MtdWriteContext* ctx = mtd_write_partition(mtd);
+    MtdWriteContext* ctx;
+    ctx = mtd_write_partition(mtd);
     if (ctx == NULL) {
         printf("%s: can't write mtd partition \"%s\"\n",
                 name, partition);
@@ -1085,14 +1097,13 @@
         char* filename = contents->data;
         FILE* f = fopen(filename, "rb");
         if (f == NULL) {
-            printf("%s: can't open %s: %s\n",
-                    name, filename, strerror(errno));
+            printf("%s: can't open %s: %s\n", name, filename, strerror(errno));
             result = strdup("");
             goto done;
         }
 
         success = true;
-        char* buffer = malloc(BUFSIZ);
+        char* buffer = reinterpret_cast<char*>(malloc(BUFSIZ));
         int read;
         while (success && (read = fread(buffer, 1, BUFSIZ, f)) > 0) {
             int wrote = mtd_write_data(ctx, buffer, read);
@@ -1136,13 +1147,11 @@
         return NULL;
     }
 
-    char* endptr;
-    size_t bytes = strtol(bytes_str, &endptr, 10);
-    if (bytes == 0 && endptr == bytes_str) {
-        ErrorAbort(state, "%s(): can't parse \"%s\" as byte count\n\n",
-                   name, bytes_str);
+    size_t bytes;
+    if (!android::base::ParseUint(bytes_str, &bytes)) {
+        ErrorAbort(state, "%s(): can't parse \"%s\" as byte count\n\n", name, bytes_str);
         free(bytes_str);
-        return NULL;
+        return nullptr;
     }
 
     return StringValue(strdup(CacheSizeCheck(bytes) ? "" : "t"));
@@ -1166,16 +1175,14 @@
         return NULL;
     }
 
-    char* endptr;
-    size_t target_size = strtol(target_size_str, &endptr, 10);
-    if (target_size == 0 && endptr == target_size_str) {
-        ErrorAbort(state, "%s(): can't parse \"%s\" as byte count",
-                   name, target_size_str);
+    size_t target_size;
+    if (!android::base::ParseUint(target_size_str, &target_size)) {
+        ErrorAbort(state, "%s(): can't parse \"%s\" as byte count", name, target_size_str);
         free(source_filename);
         free(target_filename);
         free(target_sha1);
         free(target_size_str);
-        return NULL;
+        return nullptr;
     }
 
     int patchcount = (argc-4) / 2;
@@ -1200,7 +1207,7 @@
         return NULL;
     }
 
-    char** patch_sha_str = malloc(patchcount * sizeof(char*));
+    char** patch_sha_str = reinterpret_cast<char**>(malloc(patchcount * sizeof(char*)));
     for (i = 0; i < patchcount; ++i) {
         patch_sha_str[i] = patches[i*2]->data;
         patches[i*2]->data = NULL;
@@ -1248,28 +1255,24 @@
     return StringValue(strdup(result == 0 ? "t" : ""));
 }
 
+// This is the updater side handler for ui_print() in edify script. Contents
+// will be sent over to the recovery side for on-screen display.
 Value* UIPrintFn(const char* name, State* state, int argc, Expr* argv[]) {
     char** args = ReadVarArgs(state, argc, argv);
     if (args == NULL) {
         return NULL;
     }
 
-    int size = 0;
-    int i;
-    for (i = 0; i < argc; ++i) {
-        size += strlen(args[i]);
-    }
-    char* buffer = malloc(size+1);
-    size = 0;
-    for (i = 0; i < argc; ++i) {
-        strcpy(buffer+size, args[i]);
-        size += strlen(args[i]);
+    std::string buffer;
+    for (int i = 0; i < argc; ++i) {
+        buffer += args[i];
         free(args[i]);
     }
     free(args);
-    buffer[size] = '\0';
+
+    buffer += "\n";
     uiPrint(state, buffer);
-    return StringValue(buffer);
+    return StringValue(strdup(buffer.c_str()));
 }
 
 Value* WipeCacheFn(const char* name, State* state, int argc, Expr* argv[]) {
@@ -1289,7 +1292,7 @@
         return NULL;
     }
 
-    char** args2 = malloc(sizeof(char*) * (argc+1));
+    char** args2 = reinterpret_cast<char**>(malloc(sizeof(char*) * (argc+1)));
     memcpy(args2, args, sizeof(char*) * argc);
     args2[argc] = NULL;
 
@@ -1356,7 +1359,7 @@
     }
 
     int i;
-    uint8_t* arg_digest = malloc(SHA_DIGEST_SIZE);
+    uint8_t* arg_digest = reinterpret_cast<uint8_t*>(malloc(SHA_DIGEST_SIZE));
     for (i = 1; i < argc; ++i) {
         if (args[i]->type != VAL_STRING) {
             printf("%s(): arg %d is not a string; skipping",
@@ -1392,7 +1395,7 @@
     char* filename;
     if (ReadArgs(state, argv, 1, &filename) < 0) return NULL;
 
-    Value* v = malloc(sizeof(Value));
+    Value* v = reinterpret_cast<Value*>(malloc(sizeof(Value)));
     v->type = VAL_BLOB;
 
     FileContents fc;
@@ -1519,7 +1522,8 @@
     char* len_str;
     if (ReadArgs(state, argv, 2, &filename, &len_str) < 0) return NULL;
 
-    size_t len = strtoull(len_str, NULL, 0);
+    size_t len;
+    android::base::ParseUint(len_str, &len);
     int fd = open(filename, O_WRONLY, 0644);
     int success = wipe_block_device(fd, len);
 
@@ -1550,15 +1554,14 @@
         return ErrorAbort(state, "%s() could not read args", name);
     }
 
-    int i;
-    char** args2 = malloc(sizeof(char*) * (argc+1));
+    char** args2 = reinterpret_cast<char**>(malloc(sizeof(char*) * (argc+1)));
     // Tune2fs expects the program name as its args[0]
     args2[0] = strdup(name);
-    for (i = 0; i < argc; ++i) {
+    for (int i = 0; i < argc; ++i) {
        args2[i + 1] = args[i];
     }
     int result = tune2fs_main(argc + 1, args2);
-    for (i = 0; i < argc; ++i) {
+    for (int i = 0; i < argc; ++i) {
         free(args[i]);
     }
     free(args);
diff --git a/updater/updater.c b/updater/updater.cpp
similarity index 97%
rename from updater/updater.c
rename to updater/updater.cpp
index 661f695..0f22e6d 100644
--- a/updater/updater.c
+++ b/updater/updater.cpp
@@ -89,7 +89,7 @@
         return 4;
     }
 
-    char* script = malloc(script_entry->uncompLen+1);
+    char* script = reinterpret_cast<char*>(malloc(script_entry->uncompLen+1));
     if (!mzReadZipEntry(&za, script_entry, script, script_entry->uncompLen)) {
         printf("failed to read script from package\n");
         return 5;
diff --git a/verifier_test.cpp b/verifier_test.cpp
index 82546ed..21633dc 100644
--- a/verifier_test.cpp
+++ b/verifier_test.cpp
@@ -141,6 +141,12 @@
         vfprintf(stderr, fmt, ap);
         va_end(ap);
     }
+    void PrintOnScreenOnly(const char* fmt, ...) {
+        va_list ap;
+        va_start(ap, fmt);
+        vfprintf(stderr, fmt, ap);
+        va_end(ap);
+    }
     void ShowFile(const char*) { }
 
     void StartMenu(const char* const * headers, const char* const * items,