Boot Chain

Graphical view

This is the boot chain of the Motorola Milestone, as far as we know 1):

[Diagram: boot_chain]

Boot part                       | Processor              | Arch                      | Dump                                  | Disassembly/Decompilation (IDA database)
OMAP boot ROM                   | OMAP core              | armv7-a                   | OMAP3430 BootROM, OMAP3630 BootROM    | rom.idb
mbmloader                       | OMAP3430 core          | armv7-a                   | none                                  | mbmloader.idb.gz
mbm                             | OMAP3430 core          | armv7-a                   | none                                  | mbm.idb
lbl                             | OMAP3430 core          | armv7-a                   | none                                  | none
Wrigley ARM boot ROM            | Wrigley3G ARM core     | arm9                      | none                                  | none
Wrigley DSP boot ROM            | Wrigley3G TMS320C55x+  | c55x+                     | f00000.gz 2)                          | none
Wrigley3G RTXC OS loader        | Wrigley3G ARM core     | arm?                      | none                                  | bploader.idb.gz
Wrigley RTXC OS                 | Wrigley3G TMS320C55x+  | c55x+                     | none                                  | none
Main DSP boot ROM               | TMS320C6454            | c64x+ (TI VLIW, not MIPS) | none                                  | none
Main DSP firmware               | TMS320C6454            | c64x+ (TI VLIW, not MIPS) | baseimage.dof                         | none
WiLink firmware                 | WiLink 6.0 TPS656905   | arm                       | wl1271.bin.gz and fw_wlan1271.bin.gz  | none
Power Manager boot ROM          | TWL5030                | MIPS?                     | none                                  | none
Touch Panel Controller boot ROM | AVR ATmega324P         | AVR 8-bit                 | none                                  | none
Linux kernel                    | OMAP3430 core          | arm                       | none                                  | none

All recent IDA databases of the bootloaders can be found on Gitorious.

(!) The CH (Configuration Header) table can be signed with CSST along with the Initial Software image. Whether Motorola included it in the signed image or left it unsigned is unknown (and risky to test!). 3) After kokone found that the original mbmloader dump contained bit errors, a correct mbmloader binary image was obtained again. With it he was able to validate all the signatures in mbmloader; the CH table is not part of any signed content.
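The first thing a practitioner wants to check on an image is whether a CH table sits in front of the boot payload at all, and where the payload then starts. The following is an added example, not code from this wiki or from Motorola: a Python parser for the CH table in the public GP-device layout of the OMAP34xx TRM (and of u-boot's omapimage), i.e. a TOC of 32-byte entries (offset, size, 12 reserved bytes, 12-byte name) terminated by an all-0xFF entry inside a 512-byte CH block, with a CHSETTINGS section keyed 0xC0C0C0C1, followed by the 8-byte GP header of image size and load address. That the Milestone's mbmloader image uses this exact layout is an assumption, and the signed HS payload that follows the CH block is not parsed here. The sample image is constructed inside the block.

```python
import struct

CH_HDR_SIZE = 512            # the CH block occupies the first 512 bytes of the image
TOC_ENTRY_SIZE = 32          # offset(4) size(4) reserved(12) name(12)
TOC_END = b"\xff" * 4        # an entry of 0xFF bytes terminates the TOC
KEY_CHSETTINGS = 0xC0C0C0C1  # section key of the CHSETTINGS section


def parse_toc(image):
    """Return the TOC entries at the start of image, or raise ValueError."""
    if len(image) < CH_HDR_SIZE:
        raise ValueError("image is shorter than a CH block")
    entries = []
    off = 0
    while off + TOC_ENTRY_SIZE <= CH_HDR_SIZE:
        raw = image[off:off + TOC_ENTRY_SIZE]
        if raw[:4] == TOC_END:
            return entries
        sec_off, sec_size = struct.unpack_from("<II", raw, 0)
        # every section a TOC entry points to must lie inside the CH block
        if sec_off + sec_size > CH_HDR_SIZE:
            raise ValueError("TOC entry %d points outside the CH block" % len(entries))
        name = raw[20:32].split(b"\x00", 1)[0].decode("ascii", "replace")
        entries.append({"name": name, "offset": sec_off, "size": sec_size})
        off += TOC_ENTRY_SIZE
    raise ValueError("no TOC terminator inside the CH block")


def parse_chsettings(image, entry):
    """Decode a CHSETTINGS section: key(4) valid(1) version(1) reserved(2) flags(4)."""
    key, valid, version, _reserved, flags = struct.unpack_from(
        "<IBBHI", image, entry["offset"])
    if key != KEY_CHSETTINGS:
        raise ValueError("bad CHSETTINGS key 0x%08X" % key)
    return {"valid": valid, "version": version, "flags": flags}


def has_ch_table(image):
    """True only if a well-formed TOC with a valid CHSETTINGS section is present."""
    try:
        for entry in parse_toc(image):
            if entry["name"] == "CHSETTINGS":
                parse_chsettings(image, entry)
                return True
        return False
    except (ValueError, struct.error):
        return False


def parse_gp_header(image):
    """Return (image size, load address, payload offset) from the GP header, which
    follows the CH block when one is present and sits at offset 0 otherwise."""
    base = CH_HDR_SIZE if has_ch_table(image) else 0
    size, load_addr = struct.unpack_from("<II", image, base)
    return size, load_addr, base + 8


def build_sample_image(payload, load_addr=0x40200800):
    """Constructed sample: one CHSETTINGS entry at 0x40, then the GP header and payload."""
    toc = struct.pack("<II12x12s", 0x40, 12, b"CHSETTINGS")
    toc += b"\xff" * TOC_ENTRY_SIZE                      # terminator entry
    ch = toc.ljust(0x40, b"\x00")
    ch += struct.pack("<IBBHI", KEY_CHSETTINGS, 1, 1, 0, 0)
    ch = ch.ljust(CH_HDR_SIZE, b"\x00")
    return ch + struct.pack("<II", len(payload), load_addr) + payload


if __name__ == "__main__":
    img = build_sample_image(b"\x00" * 64)
    print("CH table present:", has_ch_table(img))
    print("TOC:", parse_toc(img))
    print("GP header (size, load address, payload offset):", parse_gp_header(img))
```

On an HS device the bytes after the CH block are the certificate-wrapped image rather than a bare GP header, so the size and load address returned for a real Milestone dump should be treated as a hint to locate the signed payload, not as validated values.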

(!!) In fact mbm and mbmbackup are binary identical, so mbmbackup DOES contain certificates. Its certificates are not referenced in the CDT table because it is used directly by mbmloader, and mbmloader does not use the CDT table (as discovered by yakk). In the Droid, mbm and mbmbackup are binary identical as well, just as in the Milestone (but with a different code version). One Droid user (Orgg) had an incident in which his mbm partition became corrupt, after which the phone would not boot at all. This suggests that the mbmbackup partition is not used for automatic recovery. User [mbm] reports that his Droid originally came with different mbm and mbmbackup, but after an update pushed by Verizon they became identical. In light of this, the mbm_backup_attack was proposed, but it was then found to be flawed and discarded.
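Both of the notes above rest on comparing partition dumps: "binary identical" for mbm versus mbmbackup, and "contained bit errors" for the first mbmloader read. The following is an added example, not code from this wiki: a Python routine that compares two dumps, counts differing bytes and flipped bits, and flags the single-bit-flip pattern typical of a bad read rather than a different build, plus a majority vote across an odd number of re-reads to reconstruct the correct image. Dumps are assumed to be plain bytes read from the partitions; the sample reads are constructed inside the block.

```python
import hashlib
from collections import Counter


def compare_dumps(a, b, limit=16):
    """Compare two dumps of equal length.

    Returns a summary: digests, whether the dumps are identical, the number of
    differing bytes, the total number of flipped bits, whether every differing
    byte differs in exactly one bit (the signature of read errors rather than
    of a different code version), and the first `limit` differences as
    (offset, byte_in_a, byte_in_b).
    """
    if len(a) != len(b):
        raise ValueError("dumps differ in length: %d vs %d" % (len(a), len(b)))
    diff_bytes = 0
    flipped_bits = 0
    single_bit = True
    first = []
    for off, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        diff_bytes += 1
        bits = bin(x ^ y).count("1")
        flipped_bits += bits
        if bits != 1:
            single_bit = False
        if len(first) < limit:
            first.append((off, x, y))
    return {
        "sha256_a": hashlib.sha256(a).hexdigest(),
        "sha256_b": hashlib.sha256(b).hexdigest(),
        "identical": diff_bytes == 0,
        "diff_bytes": diff_bytes,
        "flipped_bits": flipped_bits,
        "single_bit_only": diff_bytes > 0 and single_bit,
        "first_diffs": first,
    }


def majority_vote(dumps):
    """Rebuild a dump from an odd number (>= 3) of reads by taking, per byte,
    the value most reads agree on. Raises if some byte has no majority."""
    if len(dumps) < 3 or len(dumps) % 2 == 0:
        raise ValueError("need an odd number of at least three reads")
    n = len(dumps[0])
    if any(len(d) != n for d in dumps):
        raise ValueError("reads differ in length")
    out = bytearray(n)
    for off in range(n):
        value, votes = Counter(d[off] for d in dumps).most_common(1)[0]
        if votes * 2 <= len(dumps):
            raise ValueError("no majority at offset 0x%X" % off)
        out[off] = value
    return bytes(out)


def flip_bit(data, offset, bit):
    """Constructed test helper: return a copy of data with one bit flipped."""
    out = bytearray(data)
    out[offset] ^= 1 << bit
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample reads standing in for e.g. open("mbm.img", "rb").read()
    # (file name hypothetical): one clean read and two reads with a single flipped bit each.
    good = bytes(range(256)) * 4
    read1 = flip_bit(good, 100, 3)
    read2 = flip_bit(good, 700, 6)
    print(compare_dumps(good, read1))
    print("majority vote recovers clean image:", majority_vote([good, read1, read2]) == good)
```

A summary with `single_bit_only` set and a handful of differing bytes points at a flaky dump and calls for re-reading the partition; a large `diff_bytes` count with multi-bit differences means the two images are genuinely different code, which is the distinction the mbm/mbmbackup comparison above depends on.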

1) See here and here for examples of the OMAP boot process, which differs from the Milestone's, as we found in our mbmloader analysis. X-Loader and U-Boot are missing from this diagram because they have been replaced by Motorola's mbmloader. The OMAP architecture permits the bootstrap code to be located on an SD card, provided that the NAND flash is unable to boot and that the SD card contains a proper FAT32 filesystem and a .IFT file signed as required by HS (high-security) mode. If the processor were in GP (general-purpose) mode, we could have followed these steps to boot from the SD card; unfortunately that is not the case. Some innards of similar boot ROMs are described here, here and here. The OMAP34xx TRM is the final reference for the platform.
2) This is a partial dump of the Wrigley3G DSP memory (addresses 0xF00000-0xFFFFFF); the boot ROM is only a very small part of it.
3) Citation needed
boot/boot_chain.txt · Last modified: 2010/07/25 22:54 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported