Changes between Version 35 and Version 36 of Android/HTC/Vision/BootProcess


Timestamp:
10/11/10 05:45:13 (7 years ago)
Author:
tj
Comment:

--

  • Android/HTC/Vision/BootProcess

    v35 v36  
    22 
    33= Boot Process = 
    4   For the complete list of my articles on Android devices and software,  including analysis of devices and system firmware, lists of external  resources and tools, and How-To instructions, check the [http://tjworld.net/search/opensearch?q=wiki%3AWikiStart front page of this wiki]                     under the Android heading. 
     4  For the complete list of my articles on Android devices and software,  including analysis of devices and system firmware, lists of external  resources and tools, and How-To instructions, check the [http://tjworld.net/search/opensearch?q=wiki%3AWikiStart front page of this wiki]                      under the Android heading. 
    55 
    66An examination of how the [http://www.qualcomm.com/products_services/chipsets/snapdragon.html Qualcomm Mobile Station Modem (MSM) Snapdragon] 7x30 system-on-chip boot-straps the processors into an operating system. 
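Review bot: the only difference on line 4 is one more space in the run of spaces before "under the Android heading", so this looks like editor noise rather than an intended change. Collapse the runs of spaces in that sentence to single spaces so that later diffs of this paragraph show only real edits.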
     
    2727Finally on the ARM9 REX executes the Advanced Mobile Subscriber Software (AMSS). AMSS runs in Security Domain 1 (SD1). 
    2828 
    29 [[BR]]ARM11 Boot Process 
    30  
    31 The ARM9 running REX loads the eMMC "hboot" partition into memory at 0x8D00000 and starts the ARM11 auxiliary applications processor executing at this location. It runs in Security Domain 3 (SD3). The core of the boot-loader can be found in the [http://android.git.kernel.org/ Android source-code repository] in the [http://android.git.kernel.org/?p=platform/bootable/bootloader/legacy.git;a=summary platform/bootable/bootloader/legacy.git] project.  This source-code maps well to current hboot images when they are  reverse-engineered; allowing the libc and core functions and structures  to be identified. 
     29== ARM11 Boot Process == 
     30The ARM9 running REX loads the eMMC "hboot" partition into memory at 0x8D00000 (virtual) and starts the ARM11 auxiliary applications processor executing at this location. It runs in Security Domain 3 (SD3). The core of the boot-loader can be found in the [http://android.git.kernel.org/ Android source-code repository] in the [http://android.git.kernel.org/?p=platform/bootable/bootloader/legacy.git;a=summary platform/bootable/bootloader/legacy.git] project.  This source-code maps well to current hboot images when they are  reverse-engineered; allowing the libc and core functions and structures  to be identified. 
    3231 
    3332=== HBoot === 
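Review bot: the new "(virtual)" qualifier on 0x8D00000 (new line 30) is given without the physical address it corresponds to or any mention of which stage sets up the mapping. The same paragraph points readers at reverse-engineering hboot images, where the load base matters, so state the physical address or the source of the mapping next to it, or say that it is not yet known. The heading change to "== ARM11 Boot Process ==" is consistent with "=== HBoot ===" below it.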
     
    283282From the now-deleted QC BQS Analyzer: Booting Sequence Explained 
    284283 
    285 > [ 1. QBL (OTP)------------Check of QCSBL header and Config Bits (30 Bit) -> Value hardcoded (Func at FFFF0674)[[BR]]         Load of QCSBL header and Config Bits (Func at FFFF0396)[[BR]]         Check of PBL (SHA1) -> Value hardcoded (Func at FFFF03A0)[[BR]]         Load of PBL (Func at FFFF0260), Entrypoint : 0x0, with given QCSBL Header 2. PBL -------Check of QCSBL (SHA1 + RSA-2048-SHA1 Signature Decryption from QCSBL) (Func at 0xBC)[[BR]]         Load of QCSBL (Func at 0x2FC), Entrypoint : 0x02D4C01C 3. QCSBL--------Check of OEMSBL (SHA1 + RSA-2048-SHA1 Signature Decryption from OEMSBL) (Func at 02D4C118)[[BR]]         Init of OEMSBL (Func at 0x2D4C2A0), Entrypoint : 0x02D9C354[[BR]]         Loading of OEMSBL (Func not yet found)[[BR]]         Check of AMSS (SHA1 + RSA-2048-SHA1 Signature Decryption from AMSS)(Func at 02D4C15C)[[BR]]         Loading of AMSS (Func at 0x02D4C060), Entrypoint : 0x0] 
     284> [ 1. QBL (OTP)------------Check of QCSBL header and Config Bits (30 Bit) -> Value hardcoded (Func at FFFF0674)[[BR]]          Load of QCSBL header and Config Bits (Func at FFFF0396)[[BR]]          Check of PBL (SHA1) -> Value hardcoded (Func at FFFF03A0)[[BR]]          Load of PBL (Func at FFFF0260), Entrypoint : 0x0, with given QCSBL Header 2. PBL -------Check of QCSBL (SHA1 + RSA-2048-SHA1 Signature Decryption from QCSBL) (Func at 0xBC)[[BR]]          Load of QCSBL (Func at 0x2FC), Entrypoint : 0x02D4C01C 3. QCSBL--------Check of OEMSBL (SHA1 + RSA-2048-SHA1 Signature Decryption from OEMSBL) (Func at 02D4C118)[[BR]]          Init of OEMSBL (Func at 0x2D4C2A0), Entrypoint : 0x02D9C354[[BR]]          Loading of OEMSBL (Func not yet found)[[BR]]          Check of AMSS (SHA1 + RSA-2048-SHA1 Signature Decryption from AMSS)(Func at 02D4C15C)[[BR]]          Loading of AMSS (Func at 0x02D4C060), Entrypoint : 0x0] 
    286285 
    287286----
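Review bot: in the quoted BQS Analyzer sequence (new line 284) the change only adds one space after each [[BR]], and steps 1 to 3 still run together on a single line, with "2. PBL" and "3. QCSBL" following the previous step without a break. Put each numbered step on its own line, or place the quote in a {{{ }}} preformatted block, so the alignment does not depend on padding with spaces.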