The delta_generator Tool
In AOSP, OTA payloads are not simple zip files of raw images; they are highly optimized, block-level diffs. The tool responsible for creating these payloads is delta_generator. It resides in system/update_engine/scripts/ and is invoked during the Android build process by the releasetools scripts.
Full vs Delta OTA Payloads
There are two primary types of OTA payloads:
- Full OTA: Contains the complete, compressed block data for every target partition. It can be applied regardless of the device's current OS version.
- Delta OTA: Contains only the differences between the source build (currently on the device) and the target build. Delta OTAs are significantly smaller but require the device to be on an exact, specific starting build.
Payload Manifest and Operations
An OTA payload consists of a header, a Protobuf-encoded manifest, and the raw data blobs. The manifest describes exactly how to reconstruct the target partitions using a series of specific operations.
Common Update Operations
- REPLACE / REPLACE_BZ / REPLACE_XZ: Overwrite the target blocks entirely with the provided data (uncompressed or compressed). Used mostly in Full OTAs.
- ZERO: Fill the target blocks with zeroes. Highly efficient for sparse filesystems.
- BSDIFF: Apply a binary patch using the bsdiff algorithm. The device reads the source block, applies the patch, and writes to the target block.
- PUFFDIFF: A specialized patching algorithm optimized for deflate streams (like APKs or compressed kernel images).
Protobuf Definition Example
// system/update_engine/update_metadata.proto (abridged; comments added here)
message InstallOperation {
  enum Type {
    REPLACE = 0;        // Replace destination extents with the attached data.
    REPLACE_BZ = 1;     // Same, attached data is bzip2-compressed.
    MOVE = 2;           // Deprecated.
    BSDIFF = 3;         // Deprecated in favour of SOURCE_BSDIFF.
    SOURCE_COPY = 4;    // Copy blocks from the source partition to the target.
    SOURCE_BSDIFF = 5;  // Like BSDIFF, but reads from the source partition.
    ZERO = 6;           // Write zeros to the destination extents.
    DISCARD = 7;        // Discard the destination blocks (content undefined).
    REPLACE_XZ = 8;     // Same as REPLACE, attached data is xz-compressed.
    PUFFDIFF = 9;       // Attached data is a puffdiff patch.
  }
  required Type type = 1;
  // Offset and length of this operation's data blob inside the payload.
  optional uint64 data_offset = 2;
  optional uint64 data_length = 3;
  // Ordered block extents that are read from (if any) and written to.
  repeated Extent src_extents = 4;
  repeated Extent dst_extents = 6;
  // SHA-256 of the attached blob; verified before the data is written.
  optional bytes data_sha256_hash = 8;
  // SHA-256 of the source data; if present it MUST be verified before applying.
  optional bytes src_sha256_hash = 9;
}
Signing the Payload
Security is paramount in OTA updates. The payload manifest contains a cryptographic signature. update_engine extracts the device's public key (usually baked into the ramdisk or system partition) and verifies the payload signature before writing any blocks.
If the signature validation fails, update_engine aborts immediately to prevent applying a compromised or corrupted update.
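The per-operation checks described in the manifest section and the abort-on-mismatch rule above, as an added example that is not code from update_engine: a constructed three-operation manifest (REPLACE, SOURCE_COPY, ZERO) applied to a four-block image, refusing to write any block whose blob or source data does not hash to the value in the manifest. The dict layout, block size and sample images are assumptions made for the example.

```python
import hashlib

BLOCK_SIZE = 4096  # update_engine's default block size (assumed here)

class PayloadError(Exception):
    """Raised when an operation fails validation; the caller must abort."""

def _read_extents(image, extents):
    # Gather the bytes covered by a list of (start_block, num_blocks) extents.
    return b"".join(image[s * BLOCK_SIZE:(s + n) * BLOCK_SIZE] for s, n in extents)

def _write_extents(image, extents, data):
    off = 0
    for s, n in extents:
        image[s * BLOCK_SIZE:(s + n) * BLOCK_SIZE] = data[off:off + n * BLOCK_SIZE]
        off += n * BLOCK_SIZE

def apply_operations(ops, blob, source, target):
    """Apply REPLACE / ZERO / SOURCE_COPY ops in manifest order; return count."""
    for i, op in enumerate(ops):
        dst_len = sum(n for _, n in op["dst_extents"]) * BLOCK_SIZE
        if op["type"] == "REPLACE":
            start = op["data_offset"]
            data = blob[start:start + op["data_length"]]
            # The blob is hashed and compared BEFORE it can touch the target.
            if hashlib.sha256(data).digest() != op["data_sha256_hash"]:
                raise PayloadError(f"op {i}: data_sha256_hash mismatch, aborting")
        elif op["type"] == "ZERO":
            data = bytes(dst_len)
        elif op["type"] == "SOURCE_COPY":
            data = _read_extents(source, op["src_extents"])
            # src_sha256_hash catches a device whose source blocks differ from the build.
            if hashlib.sha256(data).digest() != op["src_sha256_hash"]:
                raise PayloadError(f"op {i}: src_sha256_hash mismatch, aborting")
        else:
            raise PayloadError(f"op {i}: unsupported type {op['type']}")
        if len(data) != dst_len:
            raise PayloadError(f"op {i}: data does not cover dst_extents")
        _write_extents(target, op["dst_extents"], data)
    return len(ops)

def demo(tamper=False):
    """Constructed 4-block source image and 3-op manifest; returns the target."""
    source = bytearray(b"".join(c * BLOCK_SIZE for c in (b"A", b"B", b"C", b"D")))
    new_block = b"N" * BLOCK_SIZE
    blob = bytearray(new_block)  # the payload's data section for this manifest
    ops = [
        {"type": "REPLACE", "dst_extents": [(0, 1)], "data_offset": 0,
         "data_length": BLOCK_SIZE, "data_sha256_hash": hashlib.sha256(new_block).digest()},
        {"type": "SOURCE_COPY", "src_extents": [(1, 1), (3, 1)], "dst_extents": [(1, 2)],
         "src_sha256_hash": hashlib.sha256(_read_extents(source, [(1, 1), (3, 1)])).digest()},
        {"type": "ZERO", "dst_extents": [(3, 1)]},
    ]
    if tamper:
        blob[0] ^= 0xFF  # a single byte corrupted in transit
    target = bytearray(len(source))
    apply_operations(ops, blob, source, target)
    return bytes(target)
```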
Streaming OTA Delivery
Because of the block-level structure, a payload can be streamed: update_engine does not need to download the entire payload.bin before it begins installation. As soon as the manifest produced by delta_generator has been parsed, update_engine can apply the InstallOperation entries sequentially as the network stream delivers each operation's data bytes.