I have an old smartphone lying around (Sony Xperia E2303, a.k.a. M4 Aqua) and I'd love to try and create some sort of a bootdemo or perhaps even a really basic operating system. Unfortunately, I hadn't been able to find any resources regarding low-level programming for modern smartphones. I found only a handful of relevant topics on this board [1, 2], but none of them were particularly helpful.
On IBM PC-compatible, things are simple. When the machine is started, on-board firmware gets loaded into memory and executed. It performs some initialization and once everything's ready, it starts looking for a bootable medium. It either looks for 0x55aa boot signature at the end of the first sector or directly loads a certain file from the filesystem if it's UEFI. Than it's a matter of a single JMP and you're free to do whatever you want. BIOS is our best friend and writing a simple demo is actually a no-brainer because of that.
I have no idea how things work on a modern smartphone. I've found some explanations of the boot process [3, 4], but it's difficult to make sense of it. Let me explain what I mean.
This is Pavel Dubrova's effort to bring Android 11 with a mainline Linux kernel [5] to Xperia M4 Aqua. In order for me to flash it to my device, I have to:
1. Power off the device, press Volume Up and while holding it, plugin the USB cable to the computer. LED now turns blue and device is in a so-called fastboot mode. I would assume anything related to fastboot mode is stored in a different part of the internal flash memory, so that hard-bricking the device is less of a possibility, but that's actually in contrary to [3] (see the comments).
2. Once the fastboot is on, I can now flash contents to certain partitions. Here, Pavel uses just boot, system, cache and userdata. This is interesting, because the boot.img file, which Pavel provided and which goes into the boot partition, actually doesn't seem to contain low-level code (directly "chewable" by the CPU). I tried examining it and it showed this:
Code: Select all
$ file boot.img
boot.img: Android bootimg, kernel, ramdisk, page size: 2048, cmdline (androidboot.hardware=tulip androidboot.boot_devices=soc/7824900.sdhci androidboot.memcg=1 cgrou)
$ hexdump -C -n 100 boot.img
00000000 41 4e 44 52 4f 49 44 21 f7 01 90 00 00 80 00 80 |ANDROID!........|
00000010 f0 c8 0c 00 00 00 00 81 00 00 00 00 00 00 00 00 |................|
00000020 00 01 00 80 00 08 00 00 00 00 00 00 49 01 00 16 |............I...|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 61 6e 64 72 6f 69 64 62 6f 6f 74 2e 68 61 72 64 |androidboot.hard|
00000050 77 61 72 65 3d 74 75 6c 69 70 20 61 6e 64 72 6f |ware=tulip andro|
00000060 69 64 62 6f |idbo|
00000064
So, the bootloader partition it is (hopefully, probably). Unfortunately, I couldn't find a way to read the partition via fastboot, so I can't really be sure. What I'm really concerned about is that:
1. I would very much want to avoid hard-bricking the device. Although out-dated, it's still a very nice piece of hardware and I want to eventually reflash it with a stock ROM and use it as a secondary smartphone. Since I'm not sure where the fastboot mode actually comes from and what would happen if I just flashed a random garbage to the bootloader partition, I have to stay void of such experiments for now.
2. Even if I didn't risk hard-bricking the device, I still eventually want to recover (preferably) the stock bootloader – or whatever I have in there currently, because I vaguely remember unlocking the bootloader and rooting the device several years ago. This wouldn't be a problem if I could simply perform a backup first.
For a moment, I thought I could perhaps avoid touching the bootloader whatsoever and just play inside the recovery partition. Perhaps I could take a look at some project like TWRP for inspiration, right? Well, no. Again, it seems to be just a kernel that gets loaded using the bootloader…
Any advices on how to flash my own assembly code into the bootloader partition without risking hard-bricking the device would be greatly appreciated. And sorry for the lengthy post, but I wanted to provide enough context.