MTD based nands are more complicated then eMMC nands in this aspect, as MTD nands you simply cannot read from the 'hidden' portions of the nand. eMMC ones you can.
eMMC devices you can always read from any eMMC partition, so you can likely make complete backups including your modem (though no custom recovery does this by default, it's still a bad idea)
Fortunately for us, MTD seems to be 'obsolete', every device that launched with GB installed or newer uses eMMC.
Dell Streak 5/Partition layout - XDA wiki
Dell Streak Pro/Partition layout - XDA wiki
The S5 is a MTD device, the SPro is eMMC, note how the SPro has many more partitions.
The majority of them also exist on the S5, but the only way to access them (safely) is though a stock recovery.
You can write to them with fastboot, but some of them must be unpacked by an updater in the stock recovery. Simply flash them (specific ones) and you'll super-brick that would require JTAGging at a minimum to fix.
You simply cant read the other MTD partitions without JTAGing (it might be possible with a specificly modified kernal, but you dont gain anything doing this, if at all), assuming that the hidden parts are MTD partitions even. For all we know the controller could be directly writing onto NAND pages with their locs hardcoded (which would kinda be like partitioning, but without the formal partition tables(?) )
There's also is a small amount of memory that can only be written (afaik) via JTAG.
It contains your device's ID, such as Service tag and IMEI.
On tegra devices (at least the S7 and S10) it's the WP1 and WP2 partition.
It could be possible that it's on the NAND as a MTD partition, but if it is we dont know about it. It would be insane (and illegal, as changing your IMEI is illegal in most countries) to write to it, but so there's never been an example of it. I dont know where they are on the SPro, i'd need a live device to check.
The modem OS itself is stored on the nand, the modem processor knows (or the bootloader knows) how to feed it it's OS image.
- NAND: <everything on the partition layout above, including the below>
- The innerSD
- Modem storage (lock state)
- Device unique data (IMEI and Service tag)
- RTC (the clock)
I dont know the exact terminology or the exact order of booting on qualcomm snapdragons (it's likely to be the same with all at least in the same generation)
But it's something like:
- Press power button
- CPU powers up
- IPL loads <hardwired onto cpu>
- Check if innerSD is valid (this is streak specific, device also locks up if it fails as the loader isnt robust enough to work around it)
- Init modem and it's firmware <amss.mbn on older devices, non_hlos.bin on newer devices> (FYI modems are themselves complete 'system's in that they have their own ram and OS, basebands are complete OS images in most devices)
- Check what button combos are pressed
- Start booting:
- If you pressed the recovery mode combo:
- Load recovery SPL <dbl.mbn? + DT.img>
- Display SPL menu:
- Load Recovery ("update from update.pkg")
- Read from recovery.img and load it
- Caliberate screen
- If you pressed fastboot mode combo:
- Load the fastboot loader <fsbl.mbn?>
- If you pressed the download mode combo:
- Go into download mode (for QDLtool)
- If you did not press any combo: begin booting normally
- Load dsp1.mbn
- Load boot.bin
- Linux kernal mounts and starts reading:
- Android boots normally
- Boot completes, you're at the lockscreen/home screen
I'm just making educated guesses at which *.mbn does what, as noone's really studied them to the point that they are willing to modify them.
Regardless they're signed so you cant modify them (we dont know per-se that the CPU checks the signatures on *.mbns, but I dont think any is willing to risk their device to try anyway)
The kernal images arnt signed, you can simply toss any kernal that is valid (otherwise it wouldnt boot)
When your device boots, the logo flashes 4 times:
- 1st logo: IPL and it's logo (possibly hardwired onto chip)
- 2nd logo: SPL and it's logo (stored in one of the *.mbns)
- 3rd logo: UBOOT and the kernal logo (stored with the kernal, sounds like a band name)
- 4th logo: bootimage.zip (whatever boot splash is with the installed rom