test_client.c

// 从servicemanager获取handle
uint32_t svcmgr_lookup(struct binder_state *bs, uint32_t target, const char *name)
{
    uint32_t handle;
    unsigned iodata[512/4];
    struct binder_io msg, reply;

    bio_init(&msg, iodata, sizeof(iodata), 4);
    bio_put_uint32(&msg, 0);  // strict mode header
    bio_put_string16_x(&msg, SVC_MGR_NAME);
    bio_put_string16_x(&msg, name);

    if (binder_call(bs, &msg, &reply, target, SVC_MGR_CHECK_SERVICE))
        return 0;

    handle = bio_get_ref(&reply);

    if (handle)
        binder_acquire(bs, handle);

    binder_done(bs, &msg, &reply);

    return handle;
}


uint32_t g_hello_handle;
uint32_t g_goodbye_handle;

int main(int argc, char **argv)
{

int fd;
struct binder_state *bs;
uint32_t svcmgr = BINDER_SERVICE_MANAGER;
uint32_t handle;
bs = binder_open(128*1024);

//获取goodbye服务
handle = svcmgr_lookup(bs, svcmgr, "goodbye");
g_hello_handle = handle;

//获取hello服务
handle = svcmgr_lookup(bs, svcmgr, "hello");
g_hello_handle = handle;

//通过handle调用服务函数
sayhello_to("hi");
saygoodbye();

}


int saygoodbye_to(char *name)
{
    unsigned iodata[512/4];
    struct binder_io msg, reply;
    int ret;
    int exception;

    /* 构造binder_io */
    bio_init(&msg, iodata, sizeof(iodata), 4);
    bio_put_uint32(&msg, 0);  // strict mode header
    bio_put_string16_x(&msg, "IGoodbyeService");

    /* 放入参数 */
    bio_put_string16_x(&msg, name);

    /* 调用binder_call */
    if (binder_call(g_bs, &msg, &reply, g_goodbye_handle, GOODBYE_SVR_CMD_SAYGOODBYE_TO))
        return 0;
    
    /* 从reply中解析出返回值 */
    exception = bio_get_uint32(&reply);
    if (exception)
        ret = -1;
    else
        ret = bio_get_uint32(&reply);

    binder_done(g_bs, &msg, &reply);

    return ret;
    
}

这里以saygoodbye_to为例，查看相关源代码,最终也是走到binder_transaction

static void binder_transaction(struct binder_proc *proc,
                   struct binder_thread *thread,
                   struct binder_transaction_data *tr, int reply)
{
struct binder_transaction *t;
struct binder_proc *target_proc;
struct binder_thread *target_thread = NULL;
struct binder_node *target_node = NULL;
struct list_head *target_list;
wait_queue_head_t *target_wait;
//...

//这里有值
if (tr->target.handle) {
    struct binder_ref *ref;
    //通过handle获取binder_ref
    ref = binder_get_ref(proc, tr->target.handle);
    if (ref == NULL) {
        binder_user_error("%d:%d got transaction to invalid handle\n",
            proc->pid, thread->pid);
        return_error = BR_FAILED_REPLY;
        goto err_invalid_target_handle;
    }
    //获取binder_node节点
    target_node = ref->node;
} else {
        //...
}

//...设置下相关数据

//插入目标队列
t->work.type = BINDER_WORK_TRANSACTION;
list_add_tail(&t->work.entry, target_list);

if (target_wait)
    //唤醒目标队列
    wake_up_interruptible(target_wait);
    
}

服务端被唤醒之后，开始进行数据解析，最终调用到用户空间自己解析处理的函数。

test_server.c

int sayhello_to(char *name)
{
    static int cnt = 0;
    fprintf(stderr, "say hello to %s : %d\n", name, ++cnt);
    return cnt;
}

int hello_service_handler(struct binder_state *bs,
                   struct binder_transaction_data *txn,
                   struct binder_io *msg,
                   struct binder_io *reply)
{
    /* 根据txn->code知道要调用哪一个函数
     * 如果需要参数, 可以从msg取出
     * 如果要返回结果, 可以把结果放入reply
     */

    /* sayhello
     * sayhello_to
     */
    
    uint16_t *s;
    char name[512];
    size_t len;
    uint32_t handle;
    uint32_t strict_policy;
    int i;


    // Equivalent to Parcel::enforceInterface(), reading the RPC
    // header with the strict mode policy mask and the interface name.
    // Note that we ignore the strict_policy and don't propagate it
    // further (since we do no outbound RPCs anyway).
    strict_policy = bio_get_uint32(msg);


    switch(txn->code) {
    case HELLO_SVR_CMD_SAYHELLO:
        sayhello();
        bio_put_uint32(reply, 0); /* no exception */
        return 0;

    case HELLO_SVR_CMD_SAYHELLO_TO:
        /* 从msg里取出字符串 */
        s = bio_get_string16(msg, &len);  //"IHelloService"
        s = bio_get_string16(msg, &len);  // name
        if (s == NULL) {
            return -1;
        }
        for (i = 0; i < len; i++)
            name[i] = s[i];
        name[i] = '\0';

        /* 处理 */
        i = sayhello_to(name);

        /* 把结果放入reply */
        bio_put_uint32(reply, 0); /* no exception */
        bio_put_uint32(reply, i);
        
        break;

    default:
        fprintf(stderr, "unknown code %d\n", txn->code);
        return -1;
    }

    return 0;
}


int main(int argc, char **argv)
{
    int fd;
    struct binder_state *bs;
    uint32_t svcmgr = BINDER_SERVICE_MANAGER;
    uint32_t handle;
    int ret;

    bs = binder_open(128*1024);
    if (!bs) {
        fprintf(stderr, "failed to open binder driver\n");
        return -1;
    }

    /* add service */
    ret = svcmgr_publish(bs, svcmgr, "hello", hello_service_handler);
    if (ret) {
        fprintf(stderr, "failed to publish hello service\n");
        return -1;
    }

    binder_set_maxthreads(bs, 10);

    binder_loop(bs, test_server_handler);

    return 0;
}

总结：
client通过servicemanager拿到了需要的server handle，在自己的binder_proc创建了一个binder_ref，这个binder_ref的des指向handle,我们就可以通过handle找到binder_ref,通过binder_ref找到服务的binder_node,在将用户空间数据copy到内核空间，组装数据加入目标读取队列，唤醒目标进程，目标进程进行数据解析执行在返回对应的值，就能实现进程交互了。