A Hands-on of Android Things on Rpi3

Get an Rpi3 and follow the steps to flash the boot image to an SD card. Then you are ready to explore.
I first hooked the HDMI output to my TV, but the display was messy. Still, you can tell there is something on the screen, which is a good sign that Android is running. It looks like the image stride is not correct. Probably the resolution doesn't match, e.g. 1366x768 vs 1920x1080. I didn't dig further since I hadn't gotten adb working yet.
It turned out adb over USB didn't work and the micro USB port is for power only. So to get adb, you have to connect the Ethernet cable first (even if you are as reluctant to do so as I am) and use adb over TCP.
$ adb devices
List of devices attached

$ adb connect Android.local
connected to Android.local:5555

$ adb devices
List of devices attached
Android.local:5555  device

$ adb shell
rpi3:/ $ 

As I said, I hate Ethernet, because I have no easy access to Ethernet in my home office. So I want to set up Wifi and use adb over it.
And the doc says:
Connect an Ethernet cable to your local network.
Note: You may also choose to connect over Wi-Fi.
That is misleading, IMO. It sounds to me like you can use either Ethernet or Wifi. But to connect to Wifi you have to use adb shell commands, which means you have to connect to Ethernet first and then use an adb command to connect to Wifi. The command provided works well. At least by checking the ifconfig output, wlan was assigned an IP address.
But doc here also says:
Network: Wi-Fi cannot connect to the internet if Ethernet is also connected to a network without internet access.
I have no idea what that means, especially the last few words.
As said, my purpose is to use adb over Wifi, so I tried the following steps, but it seems I had no luck. Maybe I messed up some steps or just didn't try enough times :)
1. Connect Ethernet
2. Connect adb over Ethernet
3. Setup Wifi using adb
4. Disconnect Ethernet
5. Reset the board and hope the Wifi will connect automatically
6. Connect adb over Wifi
With adb working, I can just dump a few things such as Partitions, Processes, Services and a few others. And, here are the (boring) dumps.

Partitions

A/B partitions are in place, which is a mandatory feature for IoT devices for effective seamless updates.
rpi3:/ $ ls /dev/block/platform/soc/3f202000.sdhost/by-name/ -l                
total 0
lrwxrwxrwx 1 root root 20 1970-01-01 00:00 boot_a -> /dev/block/mmcblk0p4
lrwxrwxrwx 1 root root 20 1970-01-01 00:00 boot_b -> /dev/block/mmcblk0p5
lrwxrwxrwx 1 root root 21 1970-01-01 00:00 gapps_a -> /dev/block/mmcblk0p13
lrwxrwxrwx 1 root root 21 1970-01-01 00:00 gapps_b -> /dev/block/mmcblk0p14
lrwxrwxrwx 1 root root 21 1970-01-01 00:00 misc -> /dev/block/mmcblk0p10
lrwxrwxrwx 1 root root 21 1970-01-01 00:00 oem_a -> /dev/block/mmcblk0p11
lrwxrwxrwx 1 root root 21 1970-01-01 00:00 oem_b -> /dev/block/mmcblk0p12
lrwxrwxrwx 1 root root 20 1970-01-01 00:00 rpiboot -> /dev/block/mmcblk0p1
lrwxrwxrwx 1 root root 20 1970-01-01 00:00 system_a -> /dev/block/mmcblk0p6
lrwxrwxrwx 1 root root 20 1970-01-01 00:00 system_b -> /dev/block/mmcblk0p7
lrwxrwxrwx 1 root root 20 1970-01-01 00:00 uboot_a -> /dev/block/mmcblk0p2
lrwxrwxrwx 1 root root 20 1970-01-01 00:00 uboot_b -> /dev/block/mmcblk0p3
lrwxrwxrwx 1 root root 21 1970-01-01 00:00 userdata -> /dev/block/mmcblk0p15
lrwxrwxrwx 1 root root 20 1970-01-01 00:00 vbmeta_a -> /dev/block/mmcblk0p8
lrwxrwxrwx 1 root root 20 1970-01-01 00:00 vbmeta_b -> /dev/block/mmcblk0p9

Process

Notes: no Weaved, no Webserved.
USER      PID   PPID  VSIZE  RSS   WCHAN            PC  NAME
root      1     0     7336   1548           /init
root      2     0     0      0              kthreadd
root      3     2     0      0              ksoftirqd/0
root      5     2     0      0              kworker/0:0H
root      7     2     0      0              rcu_preempt
root      8     2     0      0              rcu_sched
root      9     2     0      0              rcu_bh
root      10    2     0      0              migration/0
root      11    2     0      0              migration/1
root      12    2     0      0              ksoftirqd/1
root      14    2     0      0              kworker/1:0H
root      15    2     0      0              migration/2
root      16    2     0      0              ksoftirqd/2
root      17    2     0      0              kworker/2:0
root      18    2     0      0              kworker/2:0H
root      19    2     0      0              migration/3
root      20    2     0      0              ksoftirqd/3
root      21    2     0      0              kworker/3:0
root      22    2     0      0              kworker/3:0H
root      23    2     0      0              kdevtmpfs
root      24    2     0      0              netns
root      25    2     0      0              perf
root      26    2     0      0              khungtaskd
root      27    2     0      0              writeback
root      28    2     0      0              ksmd
root      29    2     0      0              crypto
root      30    2     0      0              bioset
root      31    2     0      0              kblockd
root      33    2     0      0              cfg80211
root      34    2     0      0              rpciod
root      35    2     0      0              kswapd0
root      36    2     0      0              vmstat
root      37    2     0      0              fsnotify_mark
root      38    2     0      0              nfsiod
root      64    2     0      0              kthrotld
root      65    2     0      0              bioset
root      89    2     0      0              VCHIQ-0
root      90    2     0      0              VCHIQr-0
root      91    2     0      0              VCHIQs-0
root      92    2     0      0              iscsi_eh
root      93    2     0      0              spi0
root      94    2     0      0              dwc_otg
root      95    2     0      0              DWC Notificatio
root      96    2     0      0              VCHIQka-0
root      97    2     0      0              dm_bufio_cache
root      98    2     0      0              kworker/u8:1
root      99    2     0      0              irq/92-mmc1
root      100   2     0      0              bioset
root      101   2     0      0              mmcqd/0
root      102   2     0      0              binder
root      103   2     0      0              kworker/1:1
root      104   2     0      0              ipv6_addrconf
root      105   2     0      0              SMIO
root      106   2     0      0              deferwq
root      108   2     0      0              kworker/0:2
root      109   2     0      0              brcmf_wq/mmc1:0
root      110   2     0      0              brcmf_wdog/mmc1
root      114   2     0      0              jbd2/mmcblk0p6-
root      115   2     0      0              ext4-rsv-conver
root      116   1     2932   1132           /sbin/ueventd
root      121   2     0      0              jbd2/mmcblk0p15
root      122   2     0      0              ext4-rsv-conver
root      123   2     0      0              jbd2/mmcblk0p11
root      124   2     0      0              ext4-rsv-conver
root      125   2     0      0              jbd2/mmcblk0p13
root      126   2     0      0              ext4-rsv-conver
logd      127   1     11676  2700           /system/bin/logd
root      128   1     5344   2208           /system/bin/debuggerd
root      129   1     11784  4632           /system/bin/vold
root      134   2     0      0              kauditd
root      137   128   5088   508            debuggerd:signaller
root      145   1     2992   496            /sbin/healthd
root      146   1     4560   2412           /system/bin/lmkd
system    147   1     4600   1928           /system/bin/servicemanager
system    148   1     30480  12760          /system/bin/surfaceflinger
shell     150   1     9272   820            /sbin/adbd
root      151   1     965944 94544          zygote
audioserver 153   1     21844  7644         /system/bin/audioserver
cameraserver 154   1     14512  6516        /system/bin/cameraserver
drm       155   1     13316  5876           /system/bin/drmserver
root      156   1     4972   2052           /system/bin/installd
keystore  157   1     7476   3624           /system/bin/keystore
mediacodec 158   1     12968  5668          media.codec
media     159   1     17108  7672           /system/bin/mediadrmserver
mediaex   160   1     37784  7056           media.extractor
media     161   1     39664  9588           /system/bin/mediaserver
root      162   1     24916  3892           /system/bin/netd
root      163   1     9016   3948           /system/bin/peripheralman
root      165   1     3540   1876           /system/bin/sh
system    166   1     7236   2780           /system/bin/gatekeeperd
system    167   1     7060   3768           /system/bin/userinputdriverservice
metrics_coll 168   1     9152   4752        /system/bin/metrics_collector
metricsd  169   1     10868  4888           /system/bin/metricsd
root      175   1     4100   1876           /system/xbin/perfprofd
root      176   1     10072  6028           /system/bin/update_engine
mdnsr     179   1     2004   688            /system/bin/mdnsd
system    410   151   1088328 124132        /system_server
media_rw  479   129   8236   2668           /system/bin/sdcard
wifi      517   1     7572   3932           /system/bin/wpa_supplicant
system    541   151   1069296 72760         com.android.settings
u0_a5     571   151   1037892 57084         android.ext.services
u0_a4     599   151   1044800 70048         android.process.media
system    618   151   1045744 71300         com.android.iotlauncher
u0_a7     643   151   1179200 92776         com.google.android.gms.feedback
u0_a7     658   151   1213404 147912        com.google.android.gms.persistent
u0_a8     684   151   1039576 57448         com.android.managedprovisioning
u0_a9     698   151   1037816 56488         com.android.onetimeinitializer
u0_a1     715   151   1040192 64552         com.android.providers.calendar
u0_a7     730   151   1051700 71176         com.google.process.gapps
u0_a7     772   151   1333476 156352        com.google.android.gms
radio     864   151   1040476 62692         com.android.phone
u0_a2     896   151   1047240 73176         android.process.acore
u0_a7     949   151   1179200 94860         com.google.android.gms.ui

Services

Found 110 services:
0   gpsdriverservice: [com.google.android.things.userdriver.IGpsDriverService]
1   contexthub_service: [android.hardware.location.IContextHubService]
2   dns_listener: [android.net.metrics.IDnsEventListener]
3   connectivity_metrics_logger: [android.net.IConnectivityMetricsLogger]
4   imms: [com.android.internal.telephony.IMms]
5   media_projection: [android.media.projection.IMediaProjectionManager]
6   launcherapps: [android.content.pm.ILauncherApps]
7   shortcut: [android.content.pm.IShortcutService]
8   trust: [android.app.trust.ITrustManager]
9   media_router: [android.media.IMediaRouterService]
10  media_session: [android.media.session.ISessionManager]
11  restrictions: [android.content.IRestrictionsManager]
12  graphicsstats: [android.view.IGraphicsStats]
13  assetatlas: [android.view.IAssetAtlas]
14  dreams: [android.service.dreams.IDreamManager]
15  commontime_management: []
16  network_time_update_service: []
17  samplingprofiler: []
18  diskstats: []
19  appwidget: [com.android.internal.appwidget.IAppWidgetService]
20  soundtrigger: [com.android.internal.app.ISoundTriggerService]
21  jobscheduler: [android.app.job.IJobScheduler]
22  hardware_properties: [android.os.IHardwarePropertiesManager]
23  serial: [android.hardware.ISerialManager]
24  DockObserver: []
25  audio: [android.media.IAudioService]
26  wallpaper: [android.app.IWallpaperManager]
27  dropbox: [com.android.internal.os.IDropBoxManagerService]
28  search: [android.app.ISearchManager]
29  country_detector: [android.location.ICountryDetector]
30  location: [android.location.ILocationManager]
31  devicestoragemonitor: []
32  notification: [android.app.INotificationManager]
33  recovery: [android.os.IRecoverySystem]
34  updatelock: [android.os.IUpdateLock]
35  servicediscovery: [android.net.nsd.INsdManager]
36  connectivity: [android.net.IConnectivityManager]
37  ethernet: [android.net.IEthernetManager]
38  rttmanager: [android.net.wifi.IRttManager]
39  wifiscanner: [android.net.wifi.IWifiScanner]
40  wifi: [android.net.wifi.IWifiManager]
41  wifip2p: [android.net.wifi.p2p.IWifiP2pManager]
42  netpolicy: [android.net.INetworkPolicyManager]
43  netstats: [android.net.INetworkStatsService]
44  network_score: [android.net.INetworkScoreService]
45  textservices: [com.android.internal.textservice.ITextServicesManager]
46  network_management: [android.os.INetworkManagementService]
47  clipboard: [android.content.IClipboard]
48  statusbar: [com.android.internal.statusbar.IStatusBarService]
49  device_policy: [android.app.admin.IDevicePolicyManager]
50  deviceidle: [android.os.IDeviceIdleController]
51  lock_settings: [com.android.internal.widget.ILockSettings]
52  uimode: [android.app.IUiModeManager]
53  mount: [IMountService]
54  accessibility: [android.view.accessibility.IAccessibilityManager]
55  input_method: [com.android.internal.view.IInputMethodManager]
56  pinner: []
57  vrmanager: [android.service.vr.IVrManager]
58  input: [android.hardware.input.IInputManager]
59  window: [android.view.IWindowManager]
60  alarm: [android.app.IAlarmManager]
61  consumer_ir: [android.hardware.IConsumerIrService]
62  vibrator: [android.os.IVibratorService]
63  content: [android.content.IContentService]
64  account: [android.accounts.IAccountManager]
65  media.camera.proxy: [android.hardware.ICameraServiceProxy]
66  telephony.registry: [com.android.internal.telephony.ITelephonyRegistry]
67  scheduling_policy: [android.os.ISchedulingPolicyService]
68  webviewupdate: [android.webkit.IWebViewUpdateService]
69  usagestats: [android.app.usage.IUsageStatsManager]
70  battery: []
71  sensorservice: [android.gui.SensorServer]
72  sensordriverservice: [com.google.android.things.userdriver.ISensorDriverService]
73  processinfo: [android.os.IProcessInfoService]
74  permission: [android.os.IPermissionController]
75  cpuinfo: []
76  dbinfo: []
77  gfxinfo: []
78  meminfo: []
79  procstats: [com.android.internal.app.procstats.IProcessStats]
80  activity: [android.app.IActivityManager]
81  user: [android.os.IUserManager]
82  otadexopt: [android.content.pm.IOtaDexopt]
83  package: [android.content.pm.IPackageManager]
84  display: [android.hardware.display.IDisplayManager]
85  power: [android.os.IPowerManager]
86  appops: [com.android.internal.app.IAppOpsService]
87  batterystats: [com.android.internal.app.IBatteryStats]
88  netd: [android.net.INetd]
89  media.camera: [android.hardware.ICameraService]
90  media.drm: [android.media.IMediaDrmService]
91  media.resource_manager: [android.media.IResourceManagerService]
92  media.player: [android.media.IMediaPlayerService]
93  media.extractor: [android.media.IMediaExtractorService]
94  media.sound_trigger_hw: [android.hardware.ISoundTriggerHwService]
95  media.radio: [android.hardware.IRadioService]
96  media.audio_policy: [android.media.IAudioPolicyService]
97  media.audio_flinger: [android.media.IAudioFlinger]
98  drm.drmManager: [drm.IDrmManagerService]
99  media.codec: [android.media.IMediaCodecService]
100 android.brillo.UpdateEngineService: [android.brillo.IUpdateEngine]
101 android.brillo.metrics.IMetricsCollectorService: [android.brillo.metrics.IMetricsCollectorService]
102 gpu: [android.ui.IGpuService]
103 SurfaceFlinger: [android.ui.ISurfaceComposer]
104 batteryproperties: [android.os.IBatteryPropertiesRegistrar]
105 android.brillo.metrics.IMetricsd: [android.brillo.metrics.IMetricsd]
106 com.google.android.things.pio.IPeripheralManager: [com.google.android.things.pio.IPeripheralManager]
107 inputdriverservice: [com.google.android.things.userdriver.IInputDriverService]
108 android.security.keystore: [android.security.IKeystoreService]
109 android.service.gatekeeper.IGateKeeperService: [android.service.gatekeeper.IGateKeeperService]

Things/Brillo specific services

0   gpsdriverservice: [com.google.android.things.userdriver.IGpsDriverService]
72  sensordriverservice: [com.google.android.things.userdriver.ISensorDriverService]
106 com.google.android.things.pio.IPeripheralManager: [com.google.android.things.pio.IPeripheralManager]
107 inputdriverservice: [com.google.android.things.userdriver.IInputDriverService]

100 android.brillo.UpdateEngineService: [android.brillo.IUpdateEngine]
101 android.brillo.metrics.IMetricsCollectorService: [android.brillo.metrics.IMetricsCollectorService]
105 android.brillo.metrics.IMetricsd: [android.brillo.metrics.IMetricsd]

props

rpi3:/ $ getprop                                                               
[camera.disable_zsl_mode]: [1]
[crash_reporter.coredump.enabled]: [1]
[dalvik.vm.appimageformat]: [lz4]
[dalvik.vm.dex2oat-Xms]: [64m]
[dalvik.vm.dex2oat-Xmx]: [512m]
[dalvik.vm.heapsize]: [256m]
[dalvik.vm.image-dex2oat-Xms]: [64m]
[dalvik.vm.image-dex2oat-Xmx]: [64m]
[dalvik.vm.isa.arm.features]: [default]
[dalvik.vm.isa.arm.variant]: [generic]
[dalvik.vm.lockprof.threshold]: [500]
[dalvik.vm.stack-trace-file]: [/data/anr/traces.txt]
[dalvik.vm.usejit]: [true]
[dalvik.vm.usejitprofiles]: [true]
[debug.atrace.tags.enableflags]: [0]
[debug.force_rtl]: [0]
[dev.bootcomplete]: [1]
[init.svc.adbd]: [running]
[init.svc.audioserver]: [running]
[init.svc.bootanim]: [stopped]
[init.svc.cameraserver]: [running]
[init.svc.console]: [running]
[init.svc.crash_reporter]: [stopped]
[init.svc.crash_sender]: [running]
[init.svc.debuggerd]: [running]
[init.svc.drm]: [running]
[init.svc.gatekeeperd]: [running]
[init.svc.healthd]: [running]
[init.svc.inputdriverserv]: [running]
[init.svc.installd]: [running]
[init.svc.keystore]: [running]
[init.svc.lmkd]: [running]
[init.svc.logd]: [running]
[init.svc.logd-reinit]: [stopped]
[init.svc.mdnsd]: [running]
[init.svc.media]: [running]
[init.svc.mediacodec]: [running]
[init.svc.mediadrm]: [running]
[init.svc.mediaextractor]: [running]
[init.svc.metricscollector]: [running]
[init.svc.metricsd]: [running]
[init.svc.netd]: [running]
[init.svc.perfprofd]: [running]
[init.svc.peripheralman]: [running]
[init.svc.servicemanager]: [running]
[init.svc.surfaceflinger]: [running]
[init.svc.ueventd]: [running]
[init.svc.update_engine]: [running]
[init.svc.vold]: [running]
[init.svc.wpa_supplicant]: [running]
[init.svc.zygote]: [running]
[log.tag.Hyphenator]: [SUPPRESS]
[log.tag.WifiHAL]: [D]
[net.bt.name]: [Android]
[net.change]: [net.dns3]
[net.dns1]: [211.29.132.12]
[net.dns2]: [198.142.0.51]
[net.dns3]: [198.142.235.14]
[net.hostname]: [android-226a3ebfc34ad1f3]
[net.qtaguid_enabled]: [1]
[net.tcp.default_init_rwnd]: [60]
[persist.sys.dalvik.vm.lib.2]: [libart.so]
[persist.sys.profiler_ms]: [0]
[persist.sys.usb.config]: [adb]
[persist.sys.webview.vmsize]: [104857600]
[pm.dexopt.ab-ota]: [speed-profile]
[pm.dexopt.bg-dexopt]: [speed-profile]
[pm.dexopt.boot]: [verify-profile]
[pm.dexopt.core-app]: [speed]
[pm.dexopt.first-boot]: [interpret-only]
[pm.dexopt.forced-dexopt]: [speed]
[pm.dexopt.install]: [interpret-only]
[pm.dexopt.nsys-library]: [speed]
[pm.dexopt.shared-apk]: [speed]
[qemu.gles]: [-1]
[ro.allow.mock.location]: [0]
[ro.baseband]: [unknown]
[ro.board.platform]: []
[ro.boot.hardware]: [rpi3]
[ro.boot.selinux]: [permissive]
[ro.boot.slot_suffix]: [_a]
[ro.bootimage.build.date]: [Mon Dec 12 20:53:57 UTC 2016]
[ro.bootimage.build.date.utc]: [1481576037]
[ro.bootimage.build.fingerprint]: [generic/iot_rpi3/rpi3:7.0/NIF73/3565696:userdebug/test-keys]
[ro.bootloader]: [unknown]
[ro.bootmode]: [unknown]
[ro.build.ab_update]: [true]
[ro.build.characteristics]: [default]
[ro.build.date]: [Mon Dec 12 20:53:57 UTC 2016]
[ro.build.date.utc]: [1481576037]
[ro.build.description]: [iot_rpi3-userdebug 7.0 NIF73 3565696 test-keys]
[ro.build.display.id]: [iot_rpi3-userdebug 7.0 NIF73 3565696 test-keys]
[ro.build.fingerprint]: [generic/iot_rpi3/rpi3:7.0/NIF73/3565696:userdebug/test-keys]
[ro.build.flavor]: [iot_rpi3-userdebug]
[ro.build.host]: [vpeb11.mtv.corp.google.com]
[ro.build.id]: [NIF73]
[ro.build.product]: [rpi3]
[ro.build.system_root_image]: [true]
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.build.user]: [android-build]
[ro.build.version.all_codenames]: [REL]
[ro.build.version.base_os]: []
[ro.build.version.codename]: [REL]
[ro.build.version.incremental]: [3565696]
[ro.build.version.preview_sdk]: [0]
[ro.build.version.release]: [7.0]
[ro.build.version.sdk]: [24]
[ro.build.version.security_patch]: [2016-12-05]
[ro.carrier]: [unknown]
[ro.config.alarm_alert]: [Alarm_Classic.ogg]
[ro.config.notification_sound]: [OnTheHunt.ogg]
[ro.crypto.state]: [unsupported]
[ro.dalvik.vm.native.bridge]: [0]
[ro.debuggable]: [1]
[ro.hardware]: [rpi3]
[ro.hardware.camera]: [v4l2]
[ro.hardware.gps]: [iot]
[ro.hardware.sensors]: [iot]
[ro.kernel.qemu]: [1]
[ro.kernel.qemu.force_gles]: [-1]
[ro.product.board]: [rpi3]
[ro.product.brand]: [generic]
[ro.product.cpu.abi]: [armeabi-v7a]
[ro.product.cpu.abi2]: [armeabi]
[ro.product.cpu.abilist]: [armeabi-v7a,armeabi]
[ro.product.cpu.abilist32]: [armeabi-v7a,armeabi]
[ro.product.cpu.abilist64]: []
[ro.product.device]: [rpi3]
[ro.product.manufacturer]: [unknown]
[ro.product.model]: [iot_rpi3]
[ro.product.name]: [iot_rpi3]
[ro.revision]: [0]
[ro.runtime.firstboot]: [59481]
[ro.secure]: [1]
[ro.serialno]: []
[ro.wifi.channels]: []
[ro.zygote]: [zygote32]
[security.perf_harden]: [1]
[selinux.reload_policy]: [1]
[service.bootanim.exit]: [1]
[sys.boot_completed]: [1]
[sys.sysctl.extra_free_kbytes]: [12294]
[sys.sysctl.tcp_def_init_rwnd]: [60]
[sys.usb.config]: [adb]
[sys.usb.configfs]: [0]
[sys.usb.state]: [adb]
[vold.has_adoptable]: [0]
[wifi.interface]: [wlan0]
[wifi.supplicant_scan_interval]: [15]
[wlan.driver.status]: [ok]

Graphic/Display

Only one layer, a full screen iotlauncher. Built-in screen is 1366x768.
$ dumpsys SurfaceFlinger
Build configuration: [sf] [libui] [libgui]
Sync configuration: [using: EGL_KHR_fence_sync]

Visible layers (count = 1)
+ Layer 0xb11dc400 (com.android.iotlauncher/com.android.iotlauncher.IoTLauncher)

Displays (1 entries)
+ DisplayDevice: Built-in Screen
   type=0, hwcId=0, layerStack=0, (1366x 768), ANativeWindow=0xb08aa008, orient= 0 (type=00000000), flips=1254, isSecure=1, powerMode=2, activeConfig=0, numLayers=1
   v:[0,0,1366,768], f:[0,0,1366,768], s:[0,0,1366,768],transform:[[1.000,0.000,-0.000][0.000,1.000,-0.000][0.000,0.000,1.000]]

SurfaceFlinger global state:
EGL implementation : 1.2 Android Driver 1.2.0
EGL_KHR_fence_sync EGL_KHR_image_base EGL_ANDROID_image_native_buffer EGL_ANDROID_swap_rectangle 
GLES: Android, Android PixelFlinger 1.4, OpenGL ES-CM 1.0
GL_EXT_debug_marker GL_OES_byte_coordinates GL_OES_fixed_point GL_OES_single_precision GL_OES_read_format GL_OES_compressed_paletted_texture GL_OES_draw_texture GL_OES_matrix_get GL_OES_query_matrix GL_OES_EGL_image GL_OES_EGL_sync GL_OES_compressed_ETC1_RGB8_texture GL_ARB_texture_compression GL_ARB_texture_non_power_of_two GL_ANDROID_user_clip_plane GL_ANDROID_vertex_buffer_object GL_ANDROID_generate_mipmap 
  Region undefinedRegion (this=0xb11f82ac, count=1)
    [  0,   0,   0,   0]
  orientation=0, isDisplayOn=1
  last eglSwapBuffers() time: 21.146000 us
  last transaction time     : 33.385000 us
  transaction-flags         : 00000000
  refresh-rate              : 60.000002 fps
  x-dpi                     : 159.891235
  y-dpi                     : 159.895081
  gpu_to_cpu_unsupported    : 0
  eglSwapBuffers time: 0.000000 us
  transaction time: 0.000000 us
h/w composer state:
  h/w composer not present and enabled
Allocated buffers:
0xb0e1a2c0: 4098.00 KiB | 1366 (1366) x  768 |        1 | 0x00000933
0xb1197340: 2049.00 KiB | 1366 (1366) x  768 |        4 | 0x00001a33
0xb1197440: 2049.00 KiB | 1366 (1366) x  768 |        4 | 0x00001a33
0xb1197900: 4098.00 KiB | 1366 (1366) x  768 |        1 | 0x00000933
Total allocated (estimate): 12294.00 KB

Camera

Uses the v4l2 camera HAL. Obviously, it means the camera support is not complete, since the standard v4l2 interfaces aren't sufficient to support a full Android camera v3. This was one of the problems the Project Ara team tried to solve, and there is some relevant discussion ongoing in the v4l2 kernel community.
$ dumpsys media.camera
Camera module HAL API version: 0x100
Camera module API version: 0x204
Camera module name: V4L2 Camera HAL v3
Camera module author: The Android Open Source Project
Number of camera devices: 0
Number of normal camera devices: 0

An Overview Of Android Application Sandbox Mechanism

The Problem:

Define a policy to control how various clients can access different resources.
A solution:
  1. Each resource has an owner and belongs to a group.
  2. Each client has an owner but can belong to multiple groups.
  3. Each resource has a mode stating the access permissions allowed for its owner, group members and others, respectively.
In the context of an operating system, or Linux specifically, the resources can be files, sockets, etc.; the clients are actually processes; and we have three access permissions: read, write and execute.
Yes, this is just Linux's UID/GID based access control model, and the rules are enforced by the Linux kernel. What we will discuss in this article is how it works in Android. By the end of the article, we should be able to answer the following questions.
  1. How does Android set up the owner, groups and mode of a resource?
  2. How does Android set up the owner and groups of a process?
  3. What does it mean for users and apps? For example, is it possible for app1 to access app2's data? Will a normal app be able to access a device node directly?
The discussion here is based on the latest android master (Android N), but we'll mention some history in the hope it helps your understanding.

Android Users and Groups ID

Before jumping in and answering the above questions, let's first take a look at how users and groups are represented in Android. Yes, with an ID, obviously. Listed here are the user and group IDs for the system, their meanings and the designated ranges for different purposes.
/* This is the master Users and Groups config for the platform.*/
#define AID_ROOT             0  /* traditional unix root user */
#define AID_SYSTEM        1000  /* system server */
#define AID_RADIO         1001  /* telephony subsystem, RIL */
#define AID_BLUETOOTH     1002  /* bluetooth subsystem */
#define AID_GRAPHICS      1003  /* graphics devices */
#define AID_INPUT         1004  /* input devices */
#define AID_AUDIO         1005  /* audio devices */
#define AID_CAMERA        1006  /* camera devices */
#define AID_LOG           1007  /* log devices */
#define AID_COMPASS       1008  /* compass device */
#define AID_MOUNT         1009  /* mountd socket */
#define AID_WIFI          1010  /* wifi subsystem */
/* ... */
#define AID_WEBVIEW_ZYGOTE 1053 /* WebView zygote process */
/* The 3000 series are intended for use as supplemental group id's only*/
#define AID_NET_BT_ADMIN  3001  /* bluetooth: create any socket */
#define AID_NET_BT        3002  /* bluetooth: create sco, rfcomm or ... */
#define AID_APP          10000  /* first app user */
#define AID_USER        100000  /* offset for uid ranges for each user */
Then, we will look at the first question: how and when are the owner, groups and mode of a resource set up? Roughly speaking, there are two categories. The first is to set them when the file system is created; the second is to set them during system init.

File System Configuration

When creating the file systems, the following information is used to set the mode, uid and gid of the corresponding directories and files. Since M, OEMs are allowed to override those rules with a customized configuration.
static const struct fs_path_config android_dirs[] = {
    { 00770, AID_SYSTEM, AID_CACHE,  0, "cache" },
    { 00500, AID_ROOT,   AID_ROOT,   0, "config" },
    { 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/app" },
    { 00771, AID_ROOT,   AID_ROOT,   0, "data/dalvik-cache" },
    { 00771, AID_SYSTEM, AID_SYSTEM, 0, "data/data" },
    { 01771, AID_SYSTEM, AID_MISC,   0, "data/misc" },
    { 00775, AID_MEDIA_RW, AID_MEDIA_RW, 0, "data/media" },
    { 00771, AID_SYSTEM, AID_SYSTEM, 0, "data" },
    { 00755, AID_ROOT,   AID_SYSTEM, 0, "mnt" },
    { 00755, AID_ROOT,   AID_ROOT,   0, "root" },
    { 00755, AID_ROOT,   AID_SHELL,  0, "system/bin" },
    { 00755, AID_ROOT,   AID_SHELL,  0, "system/vendor" },
    { 00755, AID_ROOT,   AID_SHELL,  0, "vendor" },
    { 00777, AID_ROOT,   AID_ROOT,   0, "sdcard" },
    { 00755, AID_ROOT,   AID_ROOT,   0, 0 },
};

static const struct fs_path_config android_files[] = {
    { 00555, AID_ROOT,      AID_ROOT,      0, "system/etc/rc.*" },
    { 00644, AID_MEDIA_RW,  AID_MEDIA_RW,  0, "data/media/*" },
    { 00755, AID_ROOT,      AID_SHELL,     0, "system/vendor/bin/*" },
    { 00755, AID_ROOT,      AID_SHELL,     0, "vendor/bin/*" },
    { 00755, AID_ROOT,      AID_SHELL,     0, "vendor/xbin/*" },
    { 00750, AID_ROOT,      AID_SHELL,     0, "sbin/*" },
    { 00755, AID_ROOT,      AID_ROOT,      0, "bin/*" },
    { 00750, AID_ROOT,      AID_SHELL,     0, "init*" },
    { 00640, AID_ROOT,      AID_SHELL,     0, "fstab.*" },
    { 00644, AID_ROOT,      AID_ROOT,      0, 0 },
};

System Init and init.rc

The second place to set the mode/uid/gid of a particular file or directory is the init.rc files, which are read by the init process, the first user space program executed after the kernel is ready.
The full description of init.rc and the boot process is outside the scope of this article. As far as what is relevant to the discussion here, it boils down to using chown and chmod to set the owner and mode of a particular file or directory.
on post-fs-data
    # We chown/chmod /data again so because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data

Ueventd and Device Node

One thing of particular interest is the UID and GID of device nodes. Since device nodes are the interface to the system's hardware resources, a failure to enforce permission control on device nodes indicates a big security vulnerability.
ueventd is responsible for taking care of assigning the correct mode, UID and GID to device nodes. It starts very early, parses ueventd.*.rc and sets up the mode/uid/gid of the corresponding device nodes. This is the third place where you can tweak the mode, uid and gid of a file, but it is specific to device nodes.
ueventd.rc
/dev/alarm                0664   system     radio
/dev/rtc0                 0640   system     system
/dev/tty0                 0660   root       system
/dev/graphics/*           0660   root       graphics
/dev/input/*              0660   root       input
/dev/eac                  0660   root       audio
/dev/cam                  0660   root       camera
...
To recap, we have covered three places where you can set the mode/uid/gid for files and directories: 1) when creating the file system, 2) when the system starts running and 3) the special handling of device nodes using ueventd.
Now, it is time to look at another part of the story: how the uid/gid are set for processes. First, we will check the system processes, and then normal app processes.

UID/GID of System Process

At the late stage of the init process, the core system services, such as servicemanager, vold and surfaceflinger, will be started. The UID and GID of a system process are specified in its corresponding .rc file. For example, for surfaceflinger, its configuration is in surfaceflinger.rc. It might be worth noting that, before M, the system processes and their settings were all put into a centralized file called init.rc.
service surfaceflinger /system/bin/surfaceflinger
    class core
    user system
    group graphics drmrpc readproc
    onrestart restart zygote
    writepid /sys/fs/cgroup/stune/foreground/tasks
As you can see, each process is assigned a user and multiple groups. For example, surfaceflinger's UID is system and it belongs to three groups: graphics, drmrpc and readproc.
To show the USER ID of a process, use ps
myDevice # ps
system    427   1     171224 23988 S /system/bin/surfaceflinger
To show the Group IDs of a process, we can check the process’ related proc file.
myDevice # cat /proc/427/status
Name:   surfaceflinger
State:  S (sleeping)
Tgid:   427
Pid:    427
PPid:   1
TracerPid:  0
Uid:    1000    1000    1000    1000
Gid:    1003    1003    1003    1003
FDSize: 256
Groups: 1026 3009
We can see that surfaceflinger belongs to groups 1003 and 1026, which are graphics and drmrpc respectively. (1003 is the gid; 1026 and 3009 are the supplementary groups it belongs to. See the proc man page for details.)

UID/GID of Normal App Process

A normal app will be assigned an AID above 10000, and the GID will be the same as the AID.
To show the UID, use ps:
USER      PID   PPID  VSIZE   RSS            PC   NAME
u0_a46    5833  1096  2283376 144908 7e739ecab4 S com.android.camera2
To check the GID, check its proc file:
myDevice:/ # cat /proc/5833/status
Name:   android.camera2
State:  S (sleeping)
Tgid:   5833
Pid:    5833
PPid:   1096
TracerPid:  0
Uid:    10046   10046   10046   10046
Gid:    10046   10046   10046   10046
FDSize: 128
Groups: 3003
Note that the GID is the same as the UID: both are 10046. It is easy to see how that relates to the name u0_a46.
You may have noticed that the camera2 process belongs to one supplementary group, 3003 (i.e. AID_INET). It is related to the permissions this app has been granted.

Permission and GID for Apps

If an application requests a certain permission and it is granted, the corresponding group ID will be added to the application's process. Part of the mapping between permissions and group IDs is shown below:
<permission name="android.permission.BLUETOOTH" >
    <group gid="net_bt" />
</permission>
<permission name="android.permission.WRITE_MEDIA_STORAGE" >
    <group gid="media_rw" />
    <group gid="sdcard_rw" />
</permission>
<permission name="android.permission.INTERNET" >
    <group gid="inet" />
</permission>
We will use the camera2 app above as an example to show how a permission is related to the groups the app is assigned.
To show the permissions granted to the camera2 application, use dumpsys package: adb shell dumpsys package com.android.camera2
  install permissions:
  // other permissions are removed for clarity
  android.permission.INTERNET: granted=true
  gids=[3003]
As we can see, since the camera2 app is granted the INTERNET permission, which maps to the inet group, it has the supplementary group 3003.
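Both observations above, how UID 10046 becomes the ps name u0_a46 and why the process carries group 3003, can be reproduced from the raw data. This is an added example, not code from the original post: it parses the /proc status text and the permission mapping excerpt (wrapped in a root element so it parses) and reports groups that the granted permissions do not account for. The numeric values for net_bt, media_rw and sdcard_rw are assumptions taken from AOSP's android_filesystem_config.h; only inet = 3003 appears on this page.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the mapping excerpt and /proc status lines shown above.
PERMISSIONS_XML = """<permissions>
<permission name="android.permission.BLUETOOTH"><group gid="net_bt"/></permission>
<permission name="android.permission.WRITE_MEDIA_STORAGE">
    <group gid="media_rw"/><group gid="sdcard_rw"/></permission>
<permission name="android.permission.INTERNET"><group gid="inet"/></permission>
</permissions>"""
STATUS = """Name:   android.camera2
Uid:    10046   10046   10046   10046
Gid:    10046   10046   10046   10046
Groups: 3003
"""
# Group name -> number. inet=3003 is on the page; the other three values are
# assumptions taken from AOSP's android_filesystem_config.h.
AID = {"inet": 3003, "net_bt": 3002, "media_rw": 1023, "sdcard_rw": 1015}

def parse_status(text):
    """Return (real uid, real gid, supplementary gids) from /proc/<pid>/status."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    groups = {int(g) for g in fields.get("Groups", [])}
    return int(fields["Uid"][0]), int(fields["Gid"][0]), groups

def ps_name(uid):
    """Render an app UID the way ps prints it: u<user>_a<app index>."""
    user, app_id = divmod(uid, 100000)      # each Android user owns 100000 UIDs
    if 10000 <= app_id <= 19999:            # range reserved for installed apps
        return f"u{user}_a{app_id - 10000}"
    return str(uid)                         # system AIDs have fixed names instead

def gids_for(granted, xml_text=PERMISSIONS_XML):
    """Supplementary GIDs implied by a set of granted permission names."""
    gids = set()
    for perm in ET.fromstring(xml_text).iter("permission"):
        if perm.get("name") in granted:
            gids.update(AID[g.get("gid")] for g in perm.iter("group"))
    return gids

def unexplained_groups(status_text, granted):
    """Groups held by the process that the granted permissions do not account for."""
    _, _, groups = parse_status(status_text)
    return groups - gids_for(granted)

if __name__ == "__main__":
    print(ps_name(10046), unexplained_groups(STATUS, {"android.permission.INTERNET"}))
```

Groups that do not come from this mapping, such as 9997 and 41027 in the nfc process shown later on the page, are reported as unexplained and need a separate look.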

Apps With Special UID

Of particular interest is assigning an app a special UID so that it is allowed to access resources it otherwise couldn't. By special UID, we usually mean a UID defined for the system, i.e. those in the range of 1000 to 1999. Can that be achieved?
Yes, we can do that by declaring android:sharedUserId="android.uid.xxxx" in the AndroidManifest.xml. In addition, the application should also be signed with the platform key by adding LOCAL_CERTIFICATE := platform in the Android.mk.
One example is the NFC app. Instead of having a normal u0_axx UID, the Nfc app has the user ID nfc.
    nfc       4414  1096  1579708 59440 SyS_epoll_ 7e739ecab4 S com.android.nfc
And that is AID_NFC, 1027.
arche:/ # cat /proc/4414/status
Name:   com.android.nfc
Tgid:   4414
Pid:    4414
PPid:   1096
Uid:    1027    1027    1027    1027
Gid:    1027    1027    1027    1027
Groups: 3001 3002 3003 9997 41027
And that means the nfc app can access the following device node directly!
myDevice:/ # ls -l /dev/pn54x
crw-rw---- 1 nfc nfc 10,  73 1970-01-09 20:14 /dev/pn54x
Here is how that is achieved in the nfc app.
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.nfc"
    android:sharedUserId="android.uid.nfc">
Being able to access the device node directly implies a lot of trust; that is the reason an application requesting a system UID must also be signed with the platform certificate.
LOCAL_PACKAGE_NAME := Nfc
LOCAL_CERTIFICATE := platform
Now, it is time to have some exercises.

Exercises

1. Can app1 access app2’s data?

Normally, they can't.
drwxr-x--x u0_a21   u0_a21            1970-01-01 04:12 com.android.calendar
drwxr-x--x u0_a22   u0_a22            1970-01-01 00:54 com.android.camera2
Each app’s uid/gid is unique and the mode is set to “rw” only for the owner. So, app1 can’t access the data of app2.
But it can be done by sharing the same uid and signing with the same certificate, as we discussed in Apps With Special UID.

2. Can a process access a certain device node?

It depends.
case 1 : same UID
root@myBoard:/ # ll /dev/ion
crw-rw-rw- system   media     10,  62 1970-01-01 00:00 ion
surfaceflinger can access /dev/ion because surfaceflinger’s user is system and so is the owner of /dev/ion.
Recall that the mode/uid/gid of /dev/ion is set in ueventd.device.rc:
/dev/ion 0666 system media
case 2 : same Group
root@myBoard:/ # ll /dev/video0
crw-rw----   root     camera    81,   0 1970-01-01 00:00 video0
Although the UIDs of video0 and mediaserver are different (root and media respectively), they belong to the same group (camera) and the permission for group members is “rw”, so mediaserver can read and write the /dev/video0 node.
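The two cases above follow the standard Unix rule: the kernel picks exactly one permission class (owner, then group, then other) and tests only that class's bits. The following is an added example, not code from the original post, that applies the rule to the processes and nodes named on this page. It works on user and group names, ignores capabilities and SELinux, and /dev/example is a constructed node that shows the no-fall-through behaviour.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "name user groups")   # groups = primary + supplementary
Node = namedtuple("Node", "path mode owner group")

def dac_access(proc, node, want="rw"):
    """Return (allowed, class used). Exactly one class is chosen, in the order
    owner, group, other; there is no fall-through to a more permissive class."""
    if proc.user == node.owner:
        cls, bits = "owner", (node.mode >> 6) & 7
    elif node.group in proc.groups:
        cls, bits = "group", (node.mode >> 3) & 7
    else:
        cls, bits = "other", node.mode & 7
    need = (4 if "r" in want else 0) | (2 if "w" in want else 0)
    return (bits & need) == need, cls

# Processes and nodes as described on the page (names, not numeric IDs).
SURFACEFLINGER = Proc("surfaceflinger", "system", {"graphics", "drmrpc", "readproc"})
MEDIASERVER = Proc("mediaserver", "media", {"camera"})   # only the group the page names
NFC = Proc("com.android.nfc", "nfc", {"nfc"})
CAMERA2 = Proc("com.android.camera2", "u0_a46", {"u0_a46", "inet"})
ION = Node("/dev/ion", 0o666, "system", "media")
VIDEO0 = Node("/dev/video0", 0o660, "root", "camera")
PN54X = Node("/dev/pn54x", 0o660, "nfc", "nfc")
# Constructed edge case: the owner has fewer bits than the group.
ODD = Node("/dev/example", 0o060, "system", "graphics")

def evaluate():
    """Run every (process, node) pair and return {(proc, path): (allowed, class)}."""
    cases = [(SURFACEFLINGER, ION), (MEDIASERVER, VIDEO0), (NFC, PN54X),
             (CAMERA2, VIDEO0), (CAMERA2, PN54X), (SURFACEFLINGER, ODD)]
    return {(p.name, n.path): dac_access(p, n) for p, n in cases}

if __name__ == "__main__":
    for (proc, path), (ok, cls) in evaluate().items():
        print(f"{proc:22} {path:13} {'allow' if ok else 'deny':5} via {cls}")
```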

UID and Binder call

So far, we have limited our definition of resources to files. However, a resource can be something else, such as the ability to trigger a certain system action or, more generally, to make a Binder call.
For each binder call, the server side can get the calling PID and UID, which can be used to determine whether the call will be served or denied. This is the most basic but fundamental practice in Android to ensure IPC security.

Summary

UID/GID based security control is a type of Discretionary Access Control (DAC). It is a fundamental part of Android's sandbox and security model for ensuring data and system security, so it's important to understand how it works.
Since Android 4.3, SELinux, as an implementation of Mandatory Access Control (MAC), has been used to overcome the limitations of DAC and to further improve the security of Android. We can talk about it someday as well.