AOSP Insider
AOSP Framework & Internals
2 min read

Binderized Mode

Learn about Binderized Mode.

Introduction

Binderized Mode is the standard, secure architectural model for hardware abstraction in modern Android devices. Under this model, the Hardware Abstraction Layer (HAL) runs in an entirely separate process from the Android framework, communicating entirely through inter-process communication (IPC).

Cross-process Binderized HAL

In a binderized architecture, the vendor provides a standalone executable daemon (e.g., android.hardware.sensors@2.0-service). When the device boots, init launches this daemon. The daemon instantiates the hardware implementation and registers it with the hwservicemanager.

When the system server (or any other framework client) needs to talk to the hardware, it retrieves a proxy object from hwservicemanager. Any method called on this proxy is packed into a transaction and sent across process boundaries.

Separate HAL Process (Vendor Process)

HAL processes live in the vendor partition (/vendor/bin/hw/). Because they are completely separate Linux processes, they run with their own UID, their own memory space, and their own strict SELinux domain contexts.

For example, the Audio HAL runs as audioserver, while the Sensors HAL runs under a dedicated hal_sensors context.

HwBinder Communication

For HIDL HALs, the communication mechanism is HwBinder, facilitated by the /dev/hwbinder kernel node.

// Client side calling a binderized HAL
sp<ISensors> sensors = ISensors::getService();
// This call marshals data, traps to the kernel, and wakes the vendor process
sensors->activate(sensorHandle, true);

To mitigate the performance impact of copying large chunks of data (like camera frames or audio streams) over Binder, binderized HALs heavily utilize Fast Message Queues (FMQ) or Shared Memory (Ashmem/ION/DMA-BUF). The Binder transaction simply passes the file descriptor of the shared memory, allowing the framework and vendor process to read/write zero-copy data.

Advantages of Binderized Mode

  1. Isolation and Stability: If a vendor camera driver crashes, it only takes down the camera.provider process. The Android OS (system_server) detects the death via linkToDeath(), cleans up state, and can ask init to restart the HAL, all without causing a device reboot or soft-brick.
  2. Security: Vendor code is historically a frequent source of vulnerabilities. By isolating HALs into separate processes, SELinux policies can heavily restrict what the HAL can access, preventing privilege escalation.
  3. Updatability: Binderized mode cleanly enforces the Treble boundary, allowing Google to update the system image independently of the vendor implementation.
Previous Lesson
Passthrough Mode
Next Lesson
Why Migrate HIDL to AIDL