
Qualcomm MSM boot process

OP vrushabh sutar

28th March 2014, 02:33 PM   |  #1  
Following is a detailed explanation of the Qualcomm MSM boot process (thanks to the original author "TJ world").

Hope it helps DEVs in order to bypass SecureBoot.

An examination of how the Qualcomm Mobile Station Modem (MSM) Snapdragon 7x30 system-on-chip boot-straps the processors into an operating system.

There are two processors in the MSM 7x30, an ARM9 for the radio and an ARM11 auxiliary applications processor. Each processor has its own JTAG and can be independently controlled using it.

ARM9 Boot Process

The ARM9 is the primary processor. It boots first, executing the Primary Boot Loader (PBL) from on-board ROM at 0xFFFF0000.

The MSM platform has the facility to force Secure Boot using the status of the FORCE_TRUSTED_BOOT Qfuse on-chip or a high-state BOOT_SCUR pin connected to GPIO95. In this mode the PBL verifies the signature of the SBL/OSBL before executing it, which verifies the REX/AMSS signature in the same way.

After some hardware initialisation the PBL reads the Device Boot Loader (DBL) from the first partition of the flash memory device (in Linux, mmcblk0p1).

DBL is part of Qualcomm's SecureBoot, which uses cryptography to guarantee that the boot-loader images haven't been tampered with. DBL configures the Cryptographic Look-aside Processor (CLP), a dedicated cryptographic co-processor, and other hardware sufficient to load and execute the Secondary Boot Loader (SBL) from a Flash memory device on EBI2 (External Bus Interface 2) from partition 3 (Linux mmcblk0p3).

The SBL, also known as the Operating System Boot Loader (OSBL), is loaded into memory at 0x8000000 (IMEM - Internal Memory, the MSM7230 package-on-package (PoP) RAM). This is the ARM9 Monitor (AMON). It provides an Extensible Firmware Interface (EFI)-like environment for controlling the boot process. After doing more hardware configuration including UARTs and USB (for potential remote console connections to the monitor) it loads the Applications processor Secondary Boot Loader (APPSBL, a.k.a. hboot) on the ARM11 applications processor from partition 18 (Linux mmcblk0p18) into memory at 0x8D000000 virtual, 0x00000000 physical.

It then loads and executes the combined REX/AMSS from partition 5 (Linux mmcblk0p5). The image contains the REX (Real-time EXecutive) which is an L4A Pistachio embedded micro-kernel and Iguana operating system combination, with extensive Qualcomm and HTC modifications and extensions.

REX is responsible for loading the firmware into the ancillary micro-controller (microP), digital signal processor and voice processor and initialising them. It runs in Security Domain 0 (SD0).

When the ARM11 starts, REX unloads/disconnects its eMMC driver and from then on relies on remote procedure calls (RPC) via shared memory (SMEM) to the ARM11 application processor to read and write the eMMC. On the ARM11 side the Linux operating system uses the rmt_storage (remote storage) driver to handle such requests.

Finally on the ARM9 REX executes the Advanced Mobile Subscriber Software (AMSS). AMSS runs in Security Domain 1 (SD1).

ARM11 Boot Process

The ARM9 running REX loads the eMMC "hboot" partition into memory at 0x8D00000 (virtual) and starts the ARM11 auxiliary applications processor executing at this location. It runs in Security Domain 3 (SD3).

The core of the boot-loader can be found in the Android source-code repository in the platform/bootable/bootloader/legacy.git project. This source-code maps well to current hboot images when they are reverse-engineered, allowing the libc and core functions and structures to be identified.
Last edited by vrushabh sutar; 28th March 2014 at 02:37 PM.
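The chain of trust the post describes (a PBL anchored in ROM checks the SBL/OSBL signature, which then checks REX/AMSS the same way, with the check only enforced when the FORCE_TRUSTED_BOOT Qfuse is blown or the BOOT_SCUR pin is high) modelled as a small verifier. This is an added example, not code from the post, from TJ world or from Qualcomm. It uses Ed25519 from the Go standard library as a stand-in for whatever signature scheme the real PBL implements; the type and function names (BootConfig, BootStage, VerifyChain, BuildDemoChain), the image bytes, and the linking rule (each stage's signed region carries the public key used to check the next stage) are assumptions made for the example, not facts the post states. The verifier handles chains of any length, so a three-stage SBL -> APPSBL -> REX/AMSS chain works the same way as the two-stage one the post spells out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// BootConfig models the two inputs the post says force trusted boot.
// Field names are assumed for this example.
type BootConfig struct {
	ForceTrustedBootFuse bool // FORCE_TRUSTED_BOOT Qfuse blown on-chip
	BootScurPinHigh      bool // BOOT_SCUR pin (GPIO95) driven high
}

// SecureBootEnforced: either source alone is enough to turn verification on.
func SecureBootEnforced(c BootConfig) bool {
	return c.ForceTrustedBootFuse || c.BootScurPinHigh
}

// BootStage is one image in the chain (e.g. SBL/OSBL, then REX/AMSS).
// NextKey is the public key this stage uses to check the stage after it;
// it sits inside the signed region so it cannot be swapped without breaking
// this stage's own signature. Sig is made with the key the previous stage
// trusts.
type BootStage struct {
	Name    string
	Image   []byte
	NextKey ed25519.PublicKey // nil for the final stage
	Sig     []byte
}

// signedBlob is the region a stage's signature covers: image || next key.
func signedBlob(s *BootStage) []byte {
	blob := make([]byte, 0, len(s.Image)+len(s.NextKey))
	blob = append(blob, s.Image...)
	return append(blob, s.NextKey...)
}

// VerifyChain walks the chain the way PBL -> SBL/OSBL -> REX/AMSS does:
// each stage is checked with the key handed down by the stage before it,
// starting from rootKey (the key anchored in PBL ROM / fuses). When trusted
// boot is not enforced nothing is checked and every image is accepted,
// which is the gap the fuse exists to close.
func VerifyChain(c BootConfig, rootKey ed25519.PublicKey, chain []*BootStage) error {
	if !SecureBootEnforced(c) {
		return nil
	}
	key := rootKey
	for i, st := range chain {
		if len(key) != ed25519.PublicKeySize {
			return fmt.Errorf("stage %d (%s): no trusted key to verify with", i, st.Name)
		}
		if !ed25519.Verify(key, signedBlob(st), st.Sig) {
			return fmt.Errorf("stage %d (%s): signature check failed, boot halted", i, st.Name)
		}
		key = st.NextKey // trust passes to the next stage only after this one verifies
	}
	return nil
}

// BuildDemoChain creates fresh keys and signs each stage with the key the
// previous stage carries, so the result is a chain VerifyChain accepts.
// Image contents are constructed placeholders, not real boot images.
func BuildDemoChain(names []string) (ed25519.PublicKey, []*BootStage, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := rootPriv
	chain := make([]*BootStage, 0, len(names))
	for i, name := range names {
		st := &BootStage{Name: name, Image: []byte("constructed image bytes for " + name)}
		var nextPriv ed25519.PrivateKey
		if i < len(names)-1 {
			var nextPub ed25519.PublicKey
			nextPub, nextPriv, err = ed25519.GenerateKey(rand.Reader)
			if err != nil {
				return nil, nil, err
			}
			st.NextKey = nextPub
		}
		st.Sig = ed25519.Sign(signer, signedBlob(st))
		signer = nextPriv
		chain = append(chain, st)
	}
	return rootPub, chain, nil
}

func main() {
	cfg := BootConfig{ForceTrustedBootFuse: true}
	root, chain, err := BuildDemoChain([]string{"SBL/OSBL", "REX/AMSS"})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine chain:", VerifyChain(cfg, root, chain))
	chain[1].Image[0] ^= 0xff // one flipped byte in REX/AMSS
	fmt.Println("tampered REX/AMSS:", VerifyChain(cfg, root, chain))
	fmt.Println("fuse clear, pin low:", VerifyChain(BootConfig{}, root, chain))
}
```

Running it prints nil for the genuine chain and an error naming the REX/AMSS stage once a single byte of that image is flipped. With the fuse clear and the pin low, VerifyChain returns nil without examining anything, which is the point to take from the post: the fuse and pin state, not the bootloader code, decide whether a modified image is ever checked.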
28th March 2014, 02:36 PM   |  #2  
manan001
What about Grand 2 SM-G7102? Can you help on this phone, as it is also Qualcomm? But bootstrap or unlock bootloader required... still not available..

Sent from my SM-G7102 using Tapatalk
28th March 2014, 02:40 PM   |  #3  
vrushabh sutar (OP)
I am currently working on the main SBL only,
but what I get is a bunch of useless hashes!
Last edited by vrushabh sutar; 30th March 2014 at 08:56 PM.
28th March 2014, 04:11 PM   |  #4  
manan001
http://forum.xda-developers.com/show....php?t=2666183

Check this out, and you can also contact this developer; he has already developed a kernel for Grand 2.

Sent from my SM-G7102 using Tapatalk
30th March 2014, 08:53 PM   |  #5  
vrushabh sutar (OP)
Quote:
Originally Posted by manan001

http://forum.xda-developers.com/show....php?t=2666183

Check this out, and you can also contact this developer; he has already developed a kernel for Grand 2.

Sent from my SM-G7102 using Tapatalk

Actually I know how the kernel works,
but the thing is: how do I edit the assembly code in the primary registers in order to directly skip the verification which is done by the boot image (kernel)?
Last edited by vrushabh sutar; 30th March 2014 at 09:04 PM.
31st March 2014, 04:14 AM   |  #6  
manan001
PM Hashcode or dorimanx

Galaxy grand2 SM-G7102
31st March 2014, 11:27 AM   |  #7  
vrushabh sutar (OP)
First let me try on my own..
If no progress is made then I'll surely contact them.
1st April 2014, 11:18 AM   |  #8  
manan001
Quote:
Originally Posted by vrushabh sutar

First let me try on my own..
If no progress is made then I'll surely contact them.

Check this..
TripRex is working on the stock kernel; you can take his help to build one..
http://forum.xda-developers.com/show...4&postcount=17
8th May 2014, 01:15 PM   |  #9  
manan001
Bro, any progress?
11th May 2014, 06:21 AM   |  #10  
vrushabh sutar (OP)
Hmm,
I've checked all the memory offsets but found nothing different.

Following were the partitions:-

SBL
AMSS
QSCBL (i think we may do something of this but i am nt sure..)
AP
CSC
SYSTEM
CACHE
USRDATA
RAM
EEPROM
