
Booting process of Android devices

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by PhotographyEdits at 15:43, 13 September 2021 (Create article).

The Android operating system goes through various phases during boot. Booting an Android device starts at power-on and ends at the visibility of the home screen. The boot process of devices that run Android is influenced by the firmware design of the SoC manufacturers.

Stages

Primary Bootloader

The Primary Bootloader (PBL), which is stored in the boot ROM (http://sei.pku.edu.cn/~yaoguo/papers/Yuan-MobileCloud-18.pdf), is the first stage of the boot process. This code is written by the chipset manufacturer.[1]

The PBL verifies the authenticity of the next stage.

On Samsung smartphones, the Samsung Secure Boot Key (SSBK) is used by the boot ROM to verify the next stages (https://doi.org/10.1016/j.diin.2018.01.008).

On SoCs from Qualcomm, it is possible to enter the Qualcomm Emergency Download Mode from the primary bootloader.

If the verification of the secondary bootloader fails, the device enters EDL (https://alephsecurity.com/2018/01/22/qualcomm-edl-1/).

Secondary Bootloader

Because the space in the boot ROM is limited, a secondary bootloader on the eMMC is used (http://sei.pku.edu.cn/~yaoguo/papers/Yuan-MobileCloud-18.pdf). The secondary bootloader loads the secure OS (TrustZone).[2]

On the Qualcomm MSM8960 for example, the Secondary Bootloader 1 loads the Secondary Bootloader 2. The Secondary Bootloader 2 loads TrustZone and the Secondary Bootloader 3.[3]

The SBL is now called XDL by Qualcomm.

ABOOT

The Android Applications Bootloader (ABOOT) implements the fastboot interface, which is absent on Samsung devices.

ABOOT verifies the authenticity of the boot and recovery partitions.

By pressing a specific key combination, devices can also boot into recovery mode.

ABOOT then transfers control to the Linux kernel.

Kernel and initramfs

The initramfs is a gzip'ed cpio archive that contains a root file system. It contains init, which is executed.

The Android kernel, a modified version of the Linux kernel, then boots.

Init mounts the partitions. dm-verity verifies the integrity of the partitions that are specified in the fstab file.

Zygote

Zygote, which is responsible for starting Android application and service processes, is spawned by the init process (CiteSeerX 10.1.1.1038.5212).

It preloads and initializes classes that are expected to be used very often into the heap, for example the dex data structures of libraries.

After Zygote has started, it listens for commands on a socket. When a new application starts, a command is sent to Zygote, which executes a fork() system call (https://gvpress.com/journals/IJMUE/vol12_no7/3.pdf).

Partition layout

The Android system is divided across different partitions.[4]

The Qualcomm platform makes use of the GUID partition table. Although this specification is part of the UEFI specification, it does not depend on UEFI.[5]

dm-verity

dm-verity is a Linux kernel module that was introduced into Android by Google in version 4.4.

The stock implementation only supports block based verification, but Samsung has added support for files.[2]
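To illustrate the block-based verification described above, here is an added example (not from the article, the Android source or the Linux kernel) that builds a simplified dm-verity-style hash tree over a constructed partition image and verifies single blocks against a trusted root hash. It models only the tree and the per-read check; the real format's salt, superblock and 4096-byte blocks are omitted.

```python
import hashlib

BLOCK_SIZE = 16            # real dm-verity uses 4096-byte blocks; tiny here so the tree stays small
ZERO_DIGEST = b"\0" * 32   # padding node for a level with an odd number of digests

# Constructed sample "partition image", not a real Android partition.
IMAGE = b"".join(f"fstab-entry-{i:03d};".encode() for i in range(9))

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def split_blocks(data: bytes, size: int = BLOCK_SIZE) -> list[bytes]:
    """Cut the image into fixed-size blocks, zero-padding the tail like a block device."""
    data += b"\0" * (-len(data) % size)
    return [data[i:i + size] for i in range(0, len(data), size)]

def build_hash_tree(blocks: list[bytes]) -> list[list[bytes]]:
    """Level 0 is one digest per data block; every level above hashes pairs of its
    children until a single root digest remains. Returns all levels, root last."""
    level = [sha256(b) for b in blocks]
    levels = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [ZERO_DIGEST]          # keep the level pairable
        levels.append(level)
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    levels.append(level)
    return levels

def verify_block(index: int, block: bytes, levels: list[list[bytes]], trusted_root: bytes) -> bool:
    """Recompute the path from one block up to the root, as the kernel does on each read.
    Sibling digests come from the stored (untrusted) tree; only the root is trusted, so a
    change to the data block or to any hash node on the path changes the recomputed root."""
    digest = sha256(block)
    for level in levels[:-1]:
        pair = list(level[index & ~1:(index & ~1) + 2])
        pair[index & 1] = digest                   # use the digest just computed, not the stored one
        digest = sha256(pair[0] + pair[1])
        index //= 2
    return digest == trusted_root

def demo() -> tuple[bool, bool, bool]:
    blocks = split_blocks(IMAGE)
    levels = build_hash_tree(blocks)
    root = levels[-1][0]                           # Android passes this value to the kernel at boot
    clean = all(verify_block(i, b, levels, root) for i, b in enumerate(blocks))
    tampered = bytearray(blocks[4]); tampered[0] ^= 0x01      # flip one bit in one data block
    data_flip = verify_block(4, bytes(tampered), levels, root)
    # Rewriting the whole stored tree to match the altered image still fails against the trusted root.
    forged = build_hash_tree(blocks[:4] + [bytes(tampered)] + blocks[5:])
    tree_flip = verify_block(4, bytes(tampered), forged, root)
    return clean, data_flip, tree_flip

if __name__ == "__main__":
    print(demo())
```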

See also

References

  1. ^ Hay, R. (2017). fastboot oem vuln: Android Bootloader Vulnerabilities in Vendor Customizations. WOOT.
  2. ^ a b Kanonov, Uri; Wool, Avishai (2016-10-24). "Secure Containers in Android". Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices. New York, NY, USA: ACM. doi:10.1145/2994459.2994470.
  3. ^ Tao, Chen, Yue Zhang, Yulong Wang, Zhi Wei (2017-07-17). Downgrade Attack on TrustZone. OCLC 1106269801.
  4. ^ Alendal, Gunnar; Dyrkolbotn, Geir Olav; Axelsson, Stefan (March 2018). "Forensics acquisition – Analysis and circumvention of Samsung secure boot enforced common criteria mode". Digital Investigation. 24: S60–S67. doi:10.1016/j.diin.2018.01.008. ISSN 1742-2876.
  5. ^ Zhao, Longze; Xi, Bin; Wu, Shunxiang; Aizezi, Yasen; Ming, Daodong; Wang, Fulin; Yi, Chao (2018). "Physical Mirror Extraction on Qualcomm-based Android Mobile Devices". Proceedings of the 2nd International Conference on Computer Science and Application Engineering - CSAE '18. New York, New York, USA: ACM Press. doi:10.1145/3207677.3278046.