[REF] xperia 2011 internals, boot process, testpoint
I'd like to clarify a few technical internals of Xperia 2011 phones.
What is the sequence of software components that are executed on power-on?
Where are they stored? I guess that there is not only the one big flash chip which we have the firmware on, right?
What does grounding the testpoint do, i.e. what is the internal logical function when the testpoint is grounded while the Xperia gets connected via USB?
Please correct/extend/clarify my following assumptions (that might be completely wrong) about the boot process:
- the very first software component that gets started on power-on, a primary boot code, is stored in a small ROM, which cannot ever be changed and also contains the signature verification public key
- the primary boot rom verifies integrity and signature of s1boot, which is stored somewhere in the big flash and starts s1boot if signature check of it was valid
- s1boot checks integrity of other fw components stored in the big flash, like the kernel and baseband fw images
- if all signatures/integrity are ok, baseband fw is passed to radio controller cpu and radio is started, linux kernel is loaded into ram and started
- the Linux kernel uses its internal initramfs as root filesystem and executes the init scripts stored there
- mtd partitions (like for /system and /data) are mounted (from the big flash mapped as mtd devices), android core processes are started, phone starts...
Now about s1boot: is this component handling all of the following functions?
- flash mode usb interface (i.e. S1 protocol for loading/flashing images?)
- fastboot mode usb interface
- booting from flash as described above
I assume that signature verification is done also in any flashing or image usb loading mode provided by s1boot, right?
Is it right that if testpoint is grounded, s1boot temporarily disables signature verification for code image that may be loaded via usb?
Or does it provide kind of jtag interface via usb?
Does the "boot loader unlock via testpoint without losing DRM" method use the testpoint in order to flash a patched s1boot that always returns valid verification results?
But how could that be possible? I mean, if s1boot is patched, wouldn't its integrity fail the check done by the primary boot code started from the small ROM that can't ever be changed?
Please share your knowledge, I am curious and I'd like to know how it works. I have already searched a lot regarding this topic. My assumptions are based on a possible similarity with older Xperia models whose bootloader lock bypass was discussed here (but where the testpoint was not used).
Thanks.
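A generic model of the chain of trust the post describes (an immutable ROM holding a public key verifies s1boot, and s1boot in turn verifies the kernel and baseband images before handing them off), added here as an illustration; it is not code from this thread, from Sony, or from any real S1 bootloader. It assumes a single root key is used at every stage, uses a deliberately tiny textbook RSA (no padding, a 60-bit modulus) so the mechanics stay visible, and the image names `s1boot`, `kernel` and `baseband` are just labels for constructed byte strings. It shows the point raised above about a patched s1boot: in this model a modified stage-1 image never runs, because the ROM rejects it before any of its own (patched) verification logic executes.

```python
import hashlib

# Toy RSA parameters, constructed for this example only. Far too small to be secure;
# a real boot ROM would embed a full-size key and use a padded signature scheme.
_P = 1000000007
_Q = 998244353
PUB_N = _P * _Q
PUB_E = 65537
_PRIV_D = pow(PUB_E, -1, (_P - 1) * (_Q - 1))  # stays with the OEM, never on the phone

ROM_PUBLIC_KEY = (PUB_N, PUB_E)  # the key "burned" into the immutable boot ROM


def _digest_int(payload: bytes) -> int:
    """SHA-256 of the image, truncated so the value fits below the toy modulus."""
    return int.from_bytes(hashlib.sha256(payload).digest()[:7], "big")


def oem_sign(payload: bytes) -> int:
    """Signing happens at the OEM with the private exponent (assumed, not on the device)."""
    return pow(_digest_int(payload), _PRIV_D, PUB_N)


def verify(pubkey, payload: bytes, signature: int) -> bool:
    """Public-key check done by whichever stage is about to execute `payload`."""
    n, e = pubkey
    return pow(signature, e, n) == _digest_int(payload)


class BootError(Exception):
    pass


def boot(flash: dict, rom_key=ROM_PUBLIC_KEY) -> list:
    """Walk the chain ROM -> s1boot -> {baseband, kernel}; returns the boot log."""
    log = []
    # Stage 0: the ROM verifies s1boot before executing a single byte of it.
    payload, sig = flash["s1boot"]
    if not verify(rom_key, payload, sig):
        raise BootError("rom: s1boot signature invalid, refusing to execute")
    log.append("rom: s1boot verified, jumping to s1boot")
    # Stage 1: s1boot verifies the images it will hand off (same root key assumed here).
    for name in ("baseband", "kernel"):
        payload, sig = flash[name]
        if not verify(rom_key, payload, sig):
            raise BootError(f"s1boot: {name} signature invalid, halting")
        log.append(f"s1boot: {name} verified")
    log.append("s1boot: baseband handed to radio cpu, kernel started")
    return log


def build_flash() -> dict:
    """Constructed sample images, signed the way the OEM would sign them."""
    images = {
        "s1boot": b"S1BOOT image: verifies and loads kernel/baseband",
        "baseband": b"BASEBAND image for radio cpu",
        "kernel": b"LINUX kernel + initramfs",
    }
    return {name: (data, oem_sign(data)) for name, data in images.items()}


def patch_image(flash: dict, name: str) -> dict:
    """Flip one byte of an image but keep its old signature: a patch made without the key."""
    patched = dict(flash)
    data, sig = flash[name]
    patched[name] = (data[:-1] + bytes([data[-1] ^ 0x01]), sig)
    return patched


def try_boot(flash: dict) -> str:
    """Return the last log line on success, or the stage that refused to continue."""
    try:
        return boot(flash)[-1]
    except BootError as err:
        return str(err)


if __name__ == "__main__":
    good = build_flash()
    print(try_boot(good))
    print(try_boot(patch_image(good, "s1boot")))   # rejected by the ROM stage
    print(try_boot(patch_image(good, "kernel")))   # rejected by the s1boot stage
```

The two failure paths are the interesting part: patching the kernel is caught by s1boot, while patching s1boot itself is caught one stage earlier, by code that cannot be patched. Any scheme that changes the outcome of the stage-1 check therefore has to change either the ROM's key, the ROM's decision to verify at all, or the signature, none of which this model lets a flash-only patch do.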