[REF] xperia 2011 internals, boot process, testpoint
I'd like to clarify few technical internals of xperia 2011 phones.
What is the sequence of sw components that are executed on power on?
Where are they stored? I guess that there is not only the one big flash chip which we have the firmware on, right?
What does grounding of testpoint do - what's the internal logical function when testpoint is grounded while xperia gets connected via usb?
Please correct/extend/clarify my following assumptions (that might be completely wrong) about the boot process:
- the very first sw component that gets started on power on, a primary boot code, is stored in a small rom, which cannot ever be changed and contains also signature verification public key
- the primary boot rom verifies integrity and signature of s1boot, which is stored somewhere in the big flash and starts s1boot if signature check of it was valid
- s1boot checks integrity of other fw components stored in the big flash, like the kernel and baseband fw images
- if all signatures/integrity are ok, baseband fw is passed to radio controller cpu and radio is started, linux kernel is loaded into ram and started
- linux kernel uses it's initernal initramfs as root filesystem and executes init scripts stored there
- mtd partitions (like for /system and /data) are mounted (from the big flash mapped as mtd devices), android core processes are started, phone starts...
Now about s1boot - is this component handling all of following functions?
- flash mode usb interface (i.e. S1 protocol for loading/flashing images?)
- fastboot mode usb interface
- booting from flash as described above
I assume that signature verification is done also in any flashing or image usb loading mode provided by s1boot, right?
Is it right that if testpoint is grounded, s1boot temporarily disables signature verification for code image that may be loaded via usb?
Or does it provide kind of jtag interface via usb?
Does the "boot loader unlock via testpoint without loosing drm" method uses the testpoint in order to flash patched s1boot, that returns always valid verification results?
But how that could be possible - I mean, if s1boot is patched, it's integrity would fail the check done by the primary boot code started from the small rom that can't ever be changed?
Please share your knowledge, I am curious and I'd like to know how it works. Already searched a lot regarding this topic. My assumptions are based on possible similarity with older xperia models that bootloader lock bypass was discussed here (but where the testpoint was not used).