In this article I explain the Android bootloader process in detail. The Android operating system has a complex, multistage start-up routine. Manufacturers lock the start-up process to protect revenue and to keep control of the device you purchase. The nature of the Android start-up process allows developers and hackers to replace parts of it to gain full control of an Android device.
Understanding the Bootloader Process of Android in Detail
Your Android device follows certain steps when booting up. The following steps are simplified and made generic to apply to most Android devices.
1. Special code in the boot read-only memory (ROM) locates the first-stage bootloader and loads it into memory. The boot ROM is an ASIC that has its code permanently programmed.
2. The first-stage bootloader loads the second-stage bootloader after initializing some memory and getting the hardware ready.
The bootloader checks to see whether the security flag is on (S-ON). If it is on, the bootloader will load only signed (official) kernels. If the security flag is off (S-OFF), the bootloader no longer checks for signatures. Setting S-OFF also releases other security lockdowns, making the entire file system writable and enabling other goodies, such as allowing you to install a custom recovery process on the device.
This is the step in which you want your custom bootloader to be loaded. The holy grail of hacking a manufacturer’s handset is to load a custom bootloader so that a custom kernel can be loaded.
Fastboot is a protocol that allows low-level commands to be sent to a device to do such things as write files (such as custom bootloaders, recoveries and ROMs) to the operating system. Most manufacturers, therefore, disable the Fastboot protocol at the factory. Because the second-stage bootloader is the step in the boot process where the Fastboot protocol is enabled or disabled, this part of the code is frequently encrypted or otherwise locked down by OEMs. Some devices, such as Nexus devices and the Xoom, can be unlocked, allowing the Fastboot protocol to be enabled.
3. The bootloader loads a Linux kernel and customizations into memory. At this point, the bootloader hands off control of the hardware to the Linux kernel. The Linux kernel and any software or firmware customizations are usually all packaged together. On some devices, they are called a ROM. The name ROM is a slight misnomer because NAND storage is not truly read-only. Other devices require custom images (in IMG format) to be written to memory; still others have the kernel package written from an RUU file. However the kernel package is placed on the device, the bootloader must know where it is located and how to hand over the reins to it.
4. The last step is the initialization (INIT) process. The INIT process is the mother of all other processes that run on your device. It initializes all of the processes necessary for basic hardware access and device functionality. It also starts up the Dalvik virtual machine processes where most applications are executed.
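The S-ON/S-OFF gate in step 2 is the part of this chain that decides whether an unsigned or modified kernel package ever gets control. The following toy model is an added example, not code from the article or from any OEM bootloader: it uses HMAC-SHA256 with a made-up manufacturer key as a stand-in for the OEM's real signature scheme, and the kernel image bytes are constructed.

```python
"""Toy model of the second-stage bootloader's kernel-signature gate.

Assumptions (constructed for this example): HMAC-SHA256 under an OEM-held key
stands in for the real signature scheme; image bytes are invented.
"""
import hashlib
import hmac
from dataclasses import dataclass

OEM_KEY = b"constructed-oem-signing-key"  # assumption: key only the OEM holds


def sign_image(image: bytes, key: bytes = OEM_KEY) -> bytes:
    """OEM signing step (HMAC stands in for a real asymmetric signature)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_image(image: bytes, signature: bytes, key: bytes = OEM_KEY) -> bool:
    """Constant-time comparison, so the check itself leaks no timing signal."""
    return hmac.compare_digest(sign_image(image, key), signature)


@dataclass
class KernelPackage:
    name: str
    image: bytes
    signature: bytes


def second_stage_bootloader(pkg: KernelPackage, s_off: bool) -> str:
    """With S-ON only a kernel that verifies is handed control; with S-OFF
    the signature is never examined, so any image boots."""
    if not s_off and not verify_image(pkg.image, pkg.signature):
        return "halt: kernel rejected by S-ON signature check"
    return f"boot: control handed to {pkg.name}"


# Constructed images: an official one, a tampered copy of it, and a custom one.
_official_img = b"\x7fELF constructed official kernel"
OFFICIAL = KernelPackage("official-kernel", _official_img, sign_image(_official_img))
TAMPERED = KernelPackage("tampered-kernel", _official_img + b"!", OFFICIAL.signature)
CUSTOM = KernelPackage("custom-kernel", b"\x7fELF constructed custom kernel", b"\0" * 32)


def boot_matrix() -> dict:
    """Outcome of each kernel package under both security-flag states."""
    return {(p.name, flag): second_stage_bootloader(p, s_off=(flag == "S-OFF"))
            for p in (OFFICIAL, TAMPERED, CUSTOM) for flag in ("S-ON", "S-OFF")}


if __name__ == "__main__":
    for (name, flag), outcome in boot_matrix().items():
        print(f"{name:16} {flag:6} -> {outcome}")
```

The tampered case shows why the check matters beyond "official vs. custom": a single appended byte to an otherwise official image fails verification under S-ON, while S-OFF boots all three without distinction.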
Through this whole start-up process, the important thing for you to understand is that most of the hoops you have to jump through when rooting your Android are there to achieve one or both of two goals:
• to set S-OFF, thereby allowing you to load your own custom kernel package
• to install a custom second-stage bootloader that ignores the S-ON or S-OFF state and loads your own custom kernel package.
On some devices, neither goal is achievable and you must use workarounds to carry out device customizations. Devices with completely encrypted bootloaders, such as the Milestone and DroidX, can still be customized to some extent. The amount of customization you are able to achieve on these devices is limited and the process is usually a little more complex.