I understand that Adam still wants a Qualcomm MSM8960 data sheet or at least a qfuse AN, but it could be a while until that appears. Looking through the documents, both the manual and baseband, I have come to the conclusion that the qfuse for trusted boot is blown. In the service manual I see that BOOT_CONFIG_6 is pulled high on bootup and then changes to a regular GPIO pin. Consulting the baseband documentation, BOOT_CONFIG_6 is tied to an internal pulldown (must be very weak, as Sammy is pulling up with a 10k, so there is static current). BOOT_CONFIG_6 from the baseband states that 0 = Secure Boot (default due to pulldown) | 1 = Fast Boot. So the pin is telling the MSM8960 to not use secure boot; however, it does it anyway. This would be typical behavior of the MSM7xxx with a trusted boot qfuse blown. I have no reason to think that physical security on these chips varies significantly through revisions.
So I guess back to the drawing board. I am beginning to understand a lot of this boot process; I am an EE, so the Android booting process is a little bit of a mystery. I would love to have a Google Hangout with Adam, and Lee, and all others who know something about how this black box works.
Adam, perhaps you or someone else can spell out what part of the bootloader (or which one: SBL, aboot, etc.) we really need to modify to load custom kernels (I think it is probably the first two but I don't know). I am sort of a low-level Linux noob, so explaining things could be quite helpful to me and others.
Let's start sharing every little shred of data and start a "greatest hits" repository of all things we learn that are important.
I found the other two documents LLStarks is talking about (Secure Boot 3.0/PBL and boot_config diagram). The Boot_config datasheet gives us the same info that is on the MSM8960 baseband docs. I will reproduce it here:

BOOT_CONFIG_1 | BOOT_CONFIG_0 | Boot device order
0 | 0 | EMER. BOOT (SDC3 FOLLOWED BY USB HS)
0 | 1 | SDC3 FOLLOWED BY SDC1
1 | 0 | SDC3 FOLLOWED BY SDC2
1 | 1 | SDC1 (eMMC, DEFAULT)

BOOT_CONFIG_6 | Boot mode
0 | Secure Boot
1 | Fast Boot
Also, the PBL documentation confirms that the qfuses override the physical pin connections. Oh, and by the way, there are fuses that also block the BOOT_CONFIG_0/1 mode (in addition to the mentioned BOOT_CONFIG_6), so changing these physically may have no effect if they are blown.
I believe the code earlier in this thread shows that when boot fails it goes into Emergency Boot; there are some nice explanations as to what is happening in the boot arch document. So anyone decompiling aboot may want to find that and look through it. Keep in mind again that Emergency Boot can still be blocked by a fuse. I guess we really need to read those bad boys to see what we are dealing with instead of experimenting.
By the way, in case anyone didn't notice, the default boot mode is Secure Boot (due to the pulldown); however, as I mentioned, the Qualcomm baseband docs say to pull up that pin (BOOT_CONFIG_6) on boot, therefore negating secure boot on non-fuse-blown systems. So it seems Qualcomm was trying to be nice and leave the door open, but Verizon noticed, closed, and locked it.