Difference between revisions of "Booting chain"

From MILEDROPEDIA
(Description)
m
 
(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Boot Chain =
+
= OMAP Platform =
 
+
 
== Graphical view ==
 
== Graphical view ==
  
This is the boot chain of the Motorola Milestone, as far as we know((see [http://download.micron.com/pdf/technotes/nand/tn2916.pdf here] and [http://omappedia.org/wiki/Bootloader_Project here] for examples of the OMAP boot process, which differs from the Milestone's as we've found in our [[mbmloader|mbmloader analysis]]. X-Loader and U-Boot are missing in this diagram because they have been replaced by Motorola's mbmloader. The OMAP architecture permits that the bootstrap code be located in an SD-Card, provided that the NAND Flash is unable to boot and that the SD-Card contains a proper FAT32 filesystem and a .IFT file signed as required by the HS mode. If the processor had been in GP mode, we could've followed [http://www.anddev.org/viewtopic.php?p=12989 these steps] to boot from the SD-Card; unfortunately that's not the case. Some innards of similar Boot ROMs are described [http://focus.ti.com/lit/ug/spru963a/spru963a.pdf here] and [http://bunnitude.com/misc/files/omap/pdf/sprufd6.pdf here] and [http://focus.ti.com.cn/download/wtbu/csst_sdp3430_releasenotes_v2_4.pdf here]. The [http://focus.ti.com/pdfs/wtbu/SWPU223_FinalEPDF_02_18_2010.pdf OMAP 34xx TRM] is the final reference for the platform.)):
+
This is the boot chain of the Motorola Milestone, as far as we know. X-Loader and U-Boot are missing in this diagram because they have been replaced by Motorola's mbmloader, which  is calles ISW image, and contain CH table, TOC, PPA and ISW parts. The OMAP architecture permits that the bootstrap code be located in an SD-Card, provided that the NAND Flash is unable to boot and that the SD-Card contains a proper FAT32 filesystem and a .IFT file signed as required by the HS mode. If the processor had been in GP mode, we could've followed [http://www.anddev.org/viewtopic.php?p=12989 these steps] to boot from the SD-Card; unfortunately that's not the case. Some innards of similar Boot ROMs are described [http://focus.ti.com/lit/ug/spru963a/spru963a.pdf here] and [http://bunnitude.com/misc/files/omap/pdf/sprufd6.pdf here] and [http://focus.ti.com.cn/download/wtbu/csst_sdp3430_releasenotes_v2_4.pdf here].  
  
 
[[File:Boot chrain flow.png|800px]]         
 
[[File:Boot chrain flow.png|800px]]         
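Review bot: the rewritten paragraph in this hunk has two grammatical slips, "which  is calles ISW image, and contain CH table" should read "which is called the ISW image and contains the CH table". The rewrite also drops the references the old footnote carried (the Micron TN-29-16 note, the omappedia bootloader page, the mbmloader analysis link and the OMAP 34xx TRM, which the old text named as the final reference for the platform); consider keeping at least the TRM link. The added "= OMAP Platform =" heading directly below "= Boot Chain =" leaves the first heading with no content, so one of the two should go.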
Line 16: Line 15:
 
! Disassembly/Decompilation
 
! Disassembly/Decompilation
 
|-
 
|-
|[[AP_Boot_ROM|OMAP boot ROM]]
+
|[[Application Processor Boot ROM|OMAP boot ROM]]
 
|OMAP core
 
|OMAP core
 
|armv7-a
 
|armv7-a
|[[File:omap_3430.bin.gz|OMAP3430 BootROM]], [[File:omap_3630.bin.gz|OMAP3630 BootROM]]
+
|[[File:omap_3430.bin.gz|OMAP3430 BootROM]], [[File:omap_3630.bin.gz|OMAP3630 BootROM]], [[File:omap_4430.bin.gz|OMAP4430 BootROM]]
 
|[[File:omap_3430_bootrom.idb.gz| OMAP3430 Boot ROM Reversed]]
 
|[[File:omap_3430_bootrom.idb.gz| OMAP3430 Boot ROM Reversed]]
 
|-
 
|-
Line 40: Line 39:
 
|none
 
|none
 
|-
 
|-
|[[BP_Boot_ROM|Wrigley arm boot ROM]]
+
|[[Baseband Processor Boot ROM|Wrigley arm boot ROM]]
 
|[[Wrigley_3G|Wrigley3G]] ARM core
 
|[[Wrigley_3G|Wrigley3G]] ARM core
 
|arm9
 
|arm9
Line 46: Line 45:
 
|none
 
|none
 
|-
 
|-
|[[BP_Boot_ROM|Wrigley dsp boot ROM]]
+
|[[Baseband Processor Boot ROM|Wrigley dsp boot ROM]]
 
|[[Wrigley_3G|Wrigley3G]] TMS320c55x+
 
|[[Wrigley_3G|Wrigley3G]] TMS320c55x+
 
|c55x+
 
|c55x+
Line 64: Line 63:
 
|none
 
|none
 
|-
 
|-
|Main DSP boot ROM
+
|Main DSP/IVA boot ROM
 
|TMS320C6454
 
|TMS320C6454
 
|MIPS (c64x+ edition)
 
|MIPS (c64x+ edition)
Line 70: Line 69:
 
|none
 
|none
 
|-
 
|-
|Main DSP firmware
+
|Main DSP/IVA firmware
 
|TMS320C6454
 
|TMS320C6454
 
|MIPS (c64x+ edition)
 
|MIPS (c64x+ edition)
Line 84: Line 83:
 
|[[CPCAP | Power Manager]] Boot ROM
 
|[[CPCAP | Power Manager]] Boot ROM
 
|TWL5030
 
|TWL5030
|MIPS?
+
|Vendor Specific (ASIC)
 
|[[File:firmware_1_2x.bin.gz| TWL5030 firmware]]
 
|[[File:firmware_1_2x.bin.gz| TWL5030 firmware]]
 
|none
 
|none
Line 100: Line 99:
 
|none
 
|none
 
|}
 
|}
 +
 +
= Tegra Platform =
  
 
All recent IDA databases of bootloaders can be found here [http://gitorious.org/droid/reversed Gitorious]
 
All recent IDA databases of bootloaders can be found here [http://gitorious.org/droid/reversed Gitorious]
Line 107: Line 108:
  
 
(!!) in fact mbm and mbmbackup are binary identical, so mbmbackup DOES contain certificates. But its certificates are not referenced in the [[CDT|cdt table]] because it is used directly by the mbmloader (and the mbmloader doesn't use the cdt table, as discovered by yakk). In the Droid mbm and mbmbackup are binary identical, just like in the Milestone (but with a different code version). One Droid user (Orgg) had an incident with his phone in which his mbm partition became corrupt, and the phone wouldn't boot at all after that. This would suggest that the mbmbackup partition is not used for automatic recovery. User [mbm] reports that his Droid originally came with different mbm and mbmbackup, but after an update pushed by Verizon they became identical. In light of this, [[MBM_backup_attack|the mbm_backup_attack]] was proposed but then found to be flawed and discarded.
 
(!!) in fact mbm and mbmbackup are binary identical, so mbmbackup DOES contain certificates. But its certificates are not referenced in the [[CDT|cdt table]] because it is used directly by the mbmloader (and the mbmloader doesn't use the cdt table, as discovered by yakk). In the Droid mbm and mbmbackup are binary identical, just like in the Milestone (but with a different code version). One Droid user (Orgg) had an incident with his phone in which his mbm partition became corrupt, and the phone wouldn't boot at all after that. This would suggest that the mbmbackup partition is not used for automatic recovery. User [mbm] reports that his Droid originally came with different mbm and mbmbackup, but after an update pushed by Verizon they became identical. In light of this, [[MBM_backup_attack|the mbm_backup_attack]] was proposed but then found to be flawed and discarded.
 +
 +
[[Category:Booting Chain]]

Latest revision as of 20:32, 4 February 2012

OMAP Platform

Graphical view

This is the boot chain of the Motorola Milestone, as far as we know. X-Loader and U-Boot are missing in this diagram because they have been replaced by Motorola's mbmloader, which is called the ISW image and contains the CH table, TOC, PPA and ISW parts. The OMAP architecture permits the bootstrap code to be located on an SD card, provided that the NAND flash is unable to boot and that the SD card contains a proper FAT32 filesystem and a .IFT file signed as required by HS mode. If the processor had been in GP mode, we could have followed these steps (http://www.anddev.org/viewtopic.php?p=12989) to boot from the SD card; unfortunately that's not the case. Some innards of similar boot ROMs are described here (http://focus.ti.com/lit/ug/spru963a/spru963a.pdf), here (http://bunnitude.com/misc/files/omap/pdf/sprufd6.pdf) and here (http://focus.ti.com.cn/download/wtbu/csst_sdp3430_releasenotes_v2_4.pdf).
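The ISW image described above starts with an OMAP TOC (table of contents) whose 32-byte items (start, size, 12 reserved bytes, 12-byte name) locate the CH settings, PPA and ISW sections. The following parser is an added example, not code from this wiki or from Motorola; it follows the TOC item layout documented in the OMAP TRMs, and the sample image it parses is constructed here with assumed section names and dummy payloads. Checking that every section lies inside the dump is a cheap way to notice a truncated or bit-damaged mbmloader image before trusting anything in it.

```python
import struct

TOC_ITEM_SIZE = 32      # start(4) + size(4) + reserved(12) + filename(12)
TOC_MAX_ITEMS = 8       # the TOC occupies at most 256 bytes
TOC_FMT = "<II12s12s"   # little-endian, as on the ARM OMAP core

def parse_toc(image: bytes) -> list:
    """Parse the TOC at the start of an OMAP boot image.

    Returns one dict per item (name, start, size). Stops at the first
    terminator item (all 0xFF bytes) or after TOC_MAX_ITEMS. Raises
    ValueError if an item points past the end of the image, which is
    how a truncated or corrupted dump shows up.
    """
    items = []
    for i in range(TOC_MAX_ITEMS):
        off = i * TOC_ITEM_SIZE
        raw = image[off:off + TOC_ITEM_SIZE]
        if len(raw) < TOC_ITEM_SIZE or raw == b"\xff" * TOC_ITEM_SIZE:
            break
        start, size, _reserved, name = struct.unpack(TOC_FMT, raw)
        name = name.split(b"\0", 1)[0].decode("ascii", "replace")
        if start + size > len(image):
            raise ValueError(f"TOC item {name!r} ({start:#x}+{size:#x}) "
                             f"exceeds image length {len(image):#x}")
        items.append({"name": name, "start": start, "size": size})
    return items

def toc_fits(image: bytes) -> bool:
    """True when every TOC section lies inside the image."""
    try:
        parse_toc(image)
        return True
    except ValueError:
        return False

def build_sample_image() -> bytes:
    """Constructed sample, NOT a real mbmloader: three sections named after
    the parts the wiki lists (CH settings, PPA, ISW) with dummy payloads.
    Assumed layout: section data begins after a 512-byte TOC area."""
    sections = [("CHSETTINGS", b"\xc0" * 16), ("PPA", b"P" * 64), ("ISW", b"I" * 128)]
    toc, body, cursor = b"", b"", 0x200
    for name, data in sections:
        toc += struct.pack(TOC_FMT, cursor, len(data), b"\0" * 12,
                           name.encode("ascii").ljust(12, b"\0"))
        body += data
        cursor += len(data)
    toc += b"\xff" * TOC_ITEM_SIZE      # terminator item
    return toc.ljust(0x200, b"\xff") + body
```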

[Figure: boot chain flow diagram, Boot chrain flow.png]

Description

{|
! Boot part !! Processor !! Arch !! Dump !! Disassembly/Decompilation
|-
| OMAP boot ROM || OMAP core || armv7-a || File:Omap 3430.bin.gz, File:Omap 3630.bin.gz, File:Omap 4430.bin.gz || File:Omap 3430 bootrom.idb.gz
|-
| mbmloader || OMAP3430 core || armv7-a || none || MBMloader-0.5A reversed
|-
| mbm || OMAP3430 core || armv7-a || none || MBM-90.72 reversed
|-
| lbl || OMAP3430 core || armv7-a || none || none
|-
| Wrigley arm boot ROM || Wrigley3G ARM core || arm9 || none || none
|-
| Wrigley dsp boot ROM || Wrigley3G TMS320c55x+ || c55x+ || File:Wrigley dump.gz (a partial dump of the Wrigley3G DSP memory, addresses 0xF00000-0xFFFFFF; the boot ROM is only a very small part of it) || none
|-
| Wrigley3G RTXC OS loader || Wrigley3G ARM core || arm? || none || BPloader reversed
|-
| Wrigley RTXC OS || Wrigley3G TMS320c55x+ || c55x+ || none || none
|-
| Main DSP/IVA boot ROM || TMS320C6454 || MIPS (c64x+ edition) || none || none
|-
| Main DSP/IVA firmware || TMS320C6454 || MIPS (c64x+ edition) || File:Baseimage.dof.gz || none
|-
| WiLink firmware || WiLink 6.0 TPS656905 || arm || Wilink 6.0 NVS and Wilink 6.0 firmware || none
|-
| Power Manager Boot ROM || TWL5030 || Vendor Specific (ASIC) || File:Firmware 1 2x.bin.gz || none
|-
| Touch Panel Controller boot ROM || AVR ATmega324P || AVR 8-bit || none || none
|-
| Linux kernel || OMAP3430 core || arm || none || none
|}

Tegra Platform

All recent IDA databases of bootloaders can be found at Gitorious (http://gitorious.org/droid/reversed).

(!) The CH table can be signed with CSST along with the Initial Software image. Whether Motorola included it in the signed image or left it unsigned is unknown (and risky to test!). ((Citation needed)) After kokone found that the original mbmloader dump contained bit errors, a correct mbmloader binary image was obtained again. With it he was able to validate all the signatures in mbmloader, and the CH table turned out not to be part of any signed content.

(!!) In fact mbm and mbmbackup are binary identical, so mbmbackup DOES contain certificates. But its certificates are not referenced in the cdt table because it is used directly by the mbmloader (and the mbmloader doesn't use the cdt table, as discovered by yakk). In the Droid, mbm and mbmbackup are binary identical, just like in the Milestone (but with a different code version). One Droid user (Orgg) had an incident with his phone in which his mbm partition became corrupt, and the phone wouldn't boot at all after that. This suggests that the mbmbackup partition is not used for automatic recovery. User [mbm] reports that his Droid originally came with different mbm and mbmbackup, but after an update pushed by Verizon they became identical. In light of this, the mbm_backup_attack was proposed but then found to be flawed and discarded.