lyq1996的博客
IPQ6000系列启动流程分析
lyq1996
  2025-03-23 02:04:06   2025-03-23 02:04:06  2.9k 字  16 分钟  

IPQ6000系列启动流程分析

目的

最近想折腾一下嵌入式硬件,加深一下对硬件和操作系统的理解,因此在手头找了一个ipq6000的路由器,分析下它在上电后的启动流程,为将来自己编写一个bootloader打下基础。

这个bootloader或许是纯C编写,也或许是Rust编写,它必须支持:

  1. 网络(仅Ethernet)
  2. 串口
  3. 存储(MMC首先、NAND其次)
  4. 多线程
  5. 引导(仅FIT image)

———— Just For Fun.

设备分区

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
root@JDBoxV2:~# blkid
/dev/mmcblk0: PTUUID="98101b32-bbe2-4bf2-a06e-2bb33d000c20" PTTYPE="gpt"
/dev/mmcblk0p1: PARTLABEL="0:SBL1" PARTUUID="76956397-a5ca-abcf-cfff-49da1c1c1be8"
/dev/mmcblk0p2: PARTLABEL="0:BOOTCONFIG" PARTUUID="7ba9c6de-ca09-2821-690a-64095242d2a0"
/dev/mmcblk0p3: PARTLABEL="0:BOOTCONFIG1" PARTUUID="1a1ed8db-f385-e8e6-9c74-e18d77bd489b"
/dev/mmcblk0p4: PARTLABEL="0:QSEE" PARTUUID="60f4eda8-3aad-0876-e16a-85254a9fd2a0"
/dev/mmcblk0p5: PARTLABEL="0:QSEE_1" PARTUUID="0cbb89b7-6322-4f98-2a36-c86b2161e82d"
/dev/mmcblk0p6: PARTLABEL="0:DEVCFG" PARTUUID="3871eeb7-ffd8-da0b-c61a-3b98b877a59e"
/dev/mmcblk0p7: PARTLABEL="0:DEVCFG_1" PARTUUID="4d84d3c2-4b7e-026a-3859-9399e060fd5b"
/dev/mmcblk0p8: PARTLABEL="0:RPM" PARTUUID="ad59f4d5-ef22-0f8f-08eb-e52be4d4fd62"
/dev/mmcblk0p9: PARTLABEL="0:RPM_1" PARTUUID="0315721b-068c-c728-8f13-b5154fe16902"
/dev/mmcblk0p10: PARTLABEL="0:CDT" PARTUUID="55d84ba7-7afe-068e-f02b-2b67dd330510"
/dev/mmcblk0p11: PARTLABEL="0:CDT_1" PARTUUID="8d32c906-b4e5-28bc-3050-5be0a3401b36"
/dev/mmcblk0p12: PARTLABEL="0:APPSBLENV" PARTUUID="a65238ed-379f-52e9-f01a-0e45a12d9da4"
/dev/mmcblk0p13: PARTLABEL="0:APPSBL" PARTUUID="88236518-8902-2ecf-6bfb-a33684f1fea0"
/dev/mmcblk0p14: PARTLABEL="0:APPSBL_1" PARTUUID="37a1760e-fea6-1e41-3446-9f4b78492b4c"
/dev/mmcblk0p15: PARTLABEL="0:ART" PARTUUID="e0ab46b9-b259-2644-58d6-5edd6f28e130"
/dev/mmcblk0p16: PARTLABEL="0:HLOS" PARTUUID="8a64c084-9d78-bc87-1438-cbeb2dd343ee"
/dev/mmcblk0p17: PARTLABEL="0:HLOS_1" PARTUUID="486078f8-baec-2466-2dc0-4e4d197f4440"
/dev/mmcblk0p18: TYPE="squashfs" PARTLABEL="rootfs" PARTUUID="39677e50-19f8-f4e2-71c0-8998c27e4b12"
/dev/mmcblk0p19: TYPE="squashfs" PARTLABEL="0:WIFIFW" PARTUUID="d1f6197d-bc9b-8f34-3d34-867f2a94c20a"
/dev/mmcblk0p20: TYPE="squashfs" PARTLABEL="rootfs_1" PARTUUID="8821dc34-da76-d18d-5141-7ed3c9c988d8"
/dev/mmcblk0p21: TYPE="squashfs" PARTLABEL="0:WIFIFW_1" PARTUUID="0665f737-3484-6a78-51fb-f5bc008dee0d"
/dev/mmcblk0p22: UUID="3d9a7891-66d6-4c9d-892f-10d850a7e19a" TYPE="ext4" PARTLABEL="rootfs_data" PARTUUID="a3c6191b-5e4b-9895-6289-886424d7a8ca"
/dev/mmcblk0p23: PARTLABEL="0:ETHPHYFW" PARTUUID="4a60b8d4-5f17-c1eb-5ea8-ada9a8fc0a9d"
/dev/mmcblk0p24: UUID="1d89ec7d-79d9-4a35-9329-30999a73f5af" TYPE="ext4" PARTLABEL="plugin" PARTUUID="4856f760-73f1-4db4-d89d-1eaae564bb24"
/dev/mmcblk0p25: UUID="1dc4f6fd-f03f-4589-9e37-409872cbde7c" TYPE="ext4" PARTLABEL="log" PARTUUID="380a410e-0479-abb6-37f7-0c792c436ef2"
/dev/mmcblk0p26: TYPE="swap" PARTLABEL="swap" PARTUUID="da210aab-3fdf-2640-f432-4c604371906b"
/dev/mmcblk0p27: UUID="afe9b133-ad0d-4f1f-86d6-c577b9df2490" TYPE="ext4" PARTLABEL="storage" PARTUUID="ceb8abfc-7258-fe04-17ae-6e699579e38f"

初分析

根据前面一些大佬的分析,上电后先从bootrom先执行PBL(Primary Boot Loader),bootrom集成在芯片内,没有输出,用户不可读写不可见。

对于我这个集成了64g emmc的型号,pbl先从闪存中读出gpt分区,然后根据分区表,读取SBL(Second Bootloader)并执行,执行SBL时的串口日志如下:

1
2
3
4
5
6
7
8
9
10
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.0.3-00086-IPQ60xxLZB-1
S - IMAGE_VARIANT_STRING=IPQ6018LA
S - OEM_IMAGE_VERSION_STRING=crm-ubuntu200
S - Boot Interface: eMMC
S - Secure Boot: Off
...
B -    352305 - sbl1_ddr_set_default_params, Start
D -       274 - sbl1_ddr_set_default_params, Delta

可以看到SBL打印了一些有用的数据,可以推测出:

  1. 它一定有eMMC驱动,否则无法跳转到保存在eMMC上的uboot;
  2. 它初始化了DDR;
  3. 它支持安全启动,但这里并没有打开。

随后SBL执行APPSBL,也就是uboot,串口打印日志如下:

1
2
3
4
5
6
7
8
9
U-Boot 2016.01 (Nov 14 2020 - 18:22:38 +0800)
DRAM:  smem ram ptable found: ver: 2 len: 4
512 MiB
got gpio config
NAND:  Nand Flash error. Status = 80
Reset cmd status failed
SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 0000
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)0 MiB
MMC:   <NULL>: 0 (eMMC)

接下来进入uboot,uboot的代码都是开源的。先从一组dtb(地址在0x44000000)中,选择出符合Board machine id的dtb,并加载:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
## Loading fdt from FIT Image at 44000000 ...
   Using 'config@cp03-c2' configuration
   Trying 'fdt@cp03-c2' fdt subimage
     Description:  ARM OpenWrt qcom-ipq60xx-cpxx device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x443f3fc4
     Data Size:    68119 Bytes = 66.5 KiB
     Architecture: ARM
     Hash algo:    crc32
     Hash value:   84d1d4a4
     Hash algo:    sha1
     Hash value:   772693e802807c4f398053725eb5ba85d6b496b5
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x443f3fc4
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 484ec000, end 484ffa16 ... OK
Could not find PCI in device tree
Using machid 0x8030201 from environment

这其实就是一种可复用的设计,uboot是设备无关的,设备相关的设备树单独保存,uboot+dtbs的组合,可以给不同的板子使用。顺便提一嘴,Linux内核中也是这样设计的,我在很久以前做的骁龙835 cpu和gpu降压小玩具,就是从内核img中反编译出dts,然后修改dts中定义的cpu电压,最后再还原成dtb并组合成内核镜像。当时内核镜像中就包含了很多dtb,所以需要读取machine id取出当前设备的dtb。

然后uboot把HLOS(High Level OS)加载到内存中,然后从内存中启动HLOS,也就是Linux内核。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
...
    ret = get_partition_info_efi_by_name(blk_dev,
            "0:HLOS", &disk_info);
...

    // 不是,这直接调用uboot cmd加载到内存????
    snprintf(runcmd, sizeof(runcmd), "mmc read 0x%x 0x%x 0x%x",
                CONFIG_SYS_LOAD_ADDR,
                (uint)disk_info.start, (uint)disk_info.size);

    snprintf(runcmd, sizeof(runcmd),
                "bootm 0x%x\n", (CONFIG_SYS_LOAD_ADDR +
                        sizeof(mbn_header_t)));
...

启动Linux内核时还会传递参数:

1
#define CONFIG_BOOTARGS			"console=ttyMSM0,115200n8"
1
2
3
4
5
...
    strlcpy(bootargs, "rootfsname=rootfs", sizeof(boot_args));
    if (sfi->rootfs.offset == 0xBAD0FF5E)
        ret  = set_uuid_bootargs(bootargs, "rootfs", sizeof(boot_args), false);
...

最重要的参数是rootfs,否则Linux无法找到rootfs,也就无法挂载根文件系统。

SBL

SBL是高通提供的,其基于高通XBLLoader。从中提取一些有用的strings:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
Generated Test Root CA1
SecTools1
California1
CDMA Technologies100.
'General Use Test Key (for testing only)0
150910222743Z
350905222743Z0q1
California1&0$
Generated Test Attestation CA1
SecTools1
Generated Test Root CA1
SecTools1
California1
CDMA Technologies100.
'General Use Test Key (for testing only)0
150910222741Z
350905222741Z0
Generated Test Root CA1
SecTools1
California1
CDMA Technologies100.
'General Use Test Key (for testing only)0
DDR: Start of HAL DDR Boot Training
DDR: End of HAL DDR Boot Training
SBL1, End
SBL1, Delta
CDT Version:%d,Platform ID:%d,Major ID:%d,Minor ID:%d,Subtype:%d
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/IPQ6018Pkg/Library/XBLLoaderLib/sbl1_mc.c
sbl1_efs_handle_cookies, Start
sbl1_efs_handle_cookies, Delta
GCC [RstStat:0x%X, RstDbg:0x%X] WDog Stat : 0x%X
SBL1, Start
/dev/icbcfg/boot
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/IPQ6018Pkg/Library/XBLLoaderLib/sbl1_hw.c
pm_device_init, Start
vsense_init, Start
vsense_init, Delta
sbl1_ddr_set_params, Start
Pre_DDR_clock_init, Start
Pre_DDR_clock_init, Delta
sbl1_ddr_set_params, Delta
sbl1_ddr_set_default_params, Start
sbl1_ddr_set_default_params, Delta
sbl1_wait_for_ddr_training, Start
sbl1_wait_for_ddr_training, Delta
CPR configuration: 0x%x
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/IPQ6018Pkg/Library/XBLLoaderLib/sbl1_config.c
0:QSEE
0:RPM
0:APPSBL
0:DEVCFG
0:APDP
0:CDT
OEM_MISC Image Loaded, Delta
PMIC Image Loaded, Delta
APDP Image Loaded, Delta
QTI_MISC Image Loaded, Delta
QSEE Dev Config Image Loaded, Delta
QSEE Image Loaded, Delta
RPM Image Loaded, Delta
APPSBL Image Loaded, Delta
smem_version_set: Unable to allocate version array: type %d.
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/Library/SmemLib/src/smem.c
smem_version_set: Unable to allocate version array: type %d.
SMEM base addr=0x%08X, size=%d memory mapping failed.
SMEM base addr=0x%08X, size=%d memory mapping failed.
SMEM is not initialized by Boot.
SMEM is not initialized by Boot.
smem_init: major version (%d) does not match all procs!
smem_init: major version (%d) does not match all procs!
/core/mproc/smem
Cannot get DALProp handle, result=%d.
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/Library/SmemLib/src/smem_xbl_loader.c
Cannot get DALProp handle, result=%d.
smem_vers
Cannot get smem_vers DAL prop, result=%d.
Cannot get smem_vers DAL prop, result=%d.
smem_toc_vers
Cannot get smem_toc_vers DAL prop, result=%d.
Cannot get smem_toc_vers DAL prop, result=%d.
smem_partitions
Cannot get smem_partitions DAL prop. result=%d.
Cannot get smem_partitions DAL prop. result=%d.
smem_max_items
Cannot get smem_max_items DAL prop. result=%d.
Cannot get smem_max_items DAL prop. result=%d.
SMEM TOC + targ_info too big! TOC: %d B; targ_info: %d B, max: %d B.
SMEM TOC + targ_info too big! TOC: %d B; targ_info: %d B, max: %d B.
Invalid SMEM memory type, %d, requested.
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/Library/SmemLib/src/smem_legacy.c
Invalid SMEM memory type, %d, requested.
Invalid smem_type=%d
Invalid smem_type=%d
In new SMEM version smem_alloc_add_table_entry() is not supported
In new SMEM version smem_alloc_add_table_entry() is not supported
Can't initialize heap info
Can't initialize heap info
Assertion smem_legacy_info.smem_buf_data_tbl[buf_tbl_idx].tag != SMEM_INVALID failed
Assertion smem_legacy_info.smem_buf_data_tbl[buf_tbl_idx].tag != SMEM_INVALID failed
Invalid memory type %d
Invalid memory type %d
Assertion SMEM_READ_SMEM_4(&toc->version) == 1 failed
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/Library/SmemLib/src/smem_partition.c
Assertion SMEM_READ_SMEM_4(&toc->version) == 1 failed
Assertion SMEM_READ_SMEM_4(&toc->num_entries) <= SMEM_MAX_PARTITIONS failed
Assertion SMEM_READ_SMEM_4(&toc->num_entries) <= SMEM_MAX_PARTITIONS failed
Assertion ((unsigned int)hdr & SMEM_PAGE_ALIGN_MASK) == 0 failed
Assertion ((unsigned int)hdr & SMEM_PAGE_ALIGN_MASK) == 0 failed
Assertion hdr->identifier == SMEM_PARTITION_HEADER_ID failed
Assertion hdr->identifier == SMEM_PARTITION_HEADER_ID failed
Assertion partition_offset > 0 failed
Assertion partition_offset > 0 failed
Assertion partition_offset < smem_size - SMEM_TOC_SIZE failed
Assertion partition_offset < smem_size - SMEM_TOC_SIZE failed
Assertion (size & SMEM_PAGE_ALIGN_MASK) == 0 failed
Assertion (size & SMEM_PAGE_ALIGN_MASK) == 0 failed
SMEM Partition %d init failed with status 0x%x
SMEM Partition %d init failed with status 0x%x
Flash Throughput, %d KB/s  (%d Bytes,  %d us)
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_pbl_v2.c
PBL, Start
bootable_media_detect_entry, Start
bootable_media_detect_success, Start
elf_loader_entry, Start
auth_hash_seg_entry, Start
auth_hash_seg_exit, Start
elf_segs_hash_verify_entry, Start
elf_segs_hash_verify_exit, Start
auth_xbl_sec_hash_seg_entry, Start
auth_xbl_sec_hash_seg_exit, Start
xbl_sec_segs_hash_verify_entry, Start
xbl_sec_segs_hash_verify_exit, Start
PBL, End
Exception caught by SBL1 vector table!!
ELR-EL1: %16lx (Exception Link Register) *PC at exc
ESR-EL1: %16lx (Exception Syndrome Register)
Error code %x at %s Line %d
BOOT
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_error_handler.c
XPU Violation Occured
DDR Frequency, %d MHz
PBL Patch Ver: %d
Core 0 Frequency, %d MHz
Boot Interface: 
NAND
eMMC
SDCARD
None
Unknow
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_logger.c
JTAG ID
OEM ID
Serial Number
OEM Config Row 0
OEM Config Row 1
Feature Config Row 0
Feature Config Row 1
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_logger_ram.c
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_logger_timer.c
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_flash.c
boot_flash_init, Start
boot_flash_init, Delta
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_flash_target.c
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_flash_dev_if.c
boot_flash_trans_sdcc_factory
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_flash_trans_sdcc.c
boot_flash_trans_sdcc
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_flash_dev_sdcc_if.c
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_flash_dev_sdcc.c
boot_flash_dev_sdcc
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_sdcc_hotplug.c
boot_flash_trans_nand_factory
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_flash_trans_nand.c
boot_flash_trans_nand
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_flash_dev_nand_if.c
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_flash_dev_nand.c
boot_flash_dev_nand
0:MIBIB
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_flash_dev_dal.c
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_flash_partition.c
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_mc.c
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_config.c
Img Loading failed, Trying Backup partition...
Image Load, Start
(%d Bytes)
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_elf_loader.c
boot_config_data_table_init, Start
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_config_data.c
boot_config_data_table_init, Delta
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_config_flash.c
CDT Partition Loading Failed. Trying Alternate CDT Partition...
Error: Flash read fail
Error: CDT is not programmed
Error: Platform ID is not programmed
Loading CDT Partion Failed.
Warning: CRC missmatch trying alternate CDT Partition...
Error: CRC missmatch
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_smem.c
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_ddr_info.c
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_ram_partition.c
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_authenticator.c
DENTAL PLAN!
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/sbl1_sahara.c
Sahara: Hello pkt sent
Sahara: Hello Response Received
Sahara: Reset request received
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_hash.c
TargetCfg
DalEnv
PMIC_ARB
Flash: Failed to do initialization for probe!
0:ALL
Flash: nsuab - Timeout expired, wrsr update failed. !
Flash: nsuab - Unknown NOR Family wrsr update failed. !
Flash: nsuab - wrsr update failed!
Flash: nswe - Enabling Write Enable Latch Failed!
Flash: nsces - Device program/erase error bit set!
Flash: nscs - Timeout expired, during operation %u!
Flash-BAM: BAM Tranfer Failed!
No public key provisioned 
-BDEV_DEVNULL_DRIVER
/hdev/dev.null
IMAGE_VARIANT_STRING=IPQ6018LA
OEM_IMAGE_VERSION_STRING=crm-ubuntu124
QC_IMAGE_VERSION_STRING=BOOT.XF.0.3-00100-IPQ60xxLZB-1
OEM_IMAGE_UUID_STRING=Q_SENTINEL_{488BD7FC-6DA5-4586-802D-050C44A5E4F5}_20201122_2239
SMEM version=0x%X not supported.
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/Library/SmemLib/src/smem_boot.c
SMEM version=0x%X not supported.
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/IPQ6018Pkg/Library/ClockTargetLib/ClockXBL.c
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/IPQ6018Pkg/Library/XBLLoaderLib/boot_dload.c
TCSR reg value 0x%x 
/local/mnt/workspace/CRMBuilds/BOOT.XF.0.3-00100-IPQ60xxLZB-1_20201122_223714/b/boot_images/QcomPkg/XBLLoader/boot_dload_dump.c
pImem Disabled, segment not added to dump.
DDR: Computed CRC checksum retrieved from flash is %d
DDR: Checksum to be stored on flash is %d
Qualcomm Technologies, Inc.1*0(
!Qualcomm Cryptographic Operations1.0,
%XBL Sec Attestation Root CA 2 SubCA 10
201006090934Z
221006090934Z0W1
        San Diego1
QUALCOMM1
CASS - SBL30
Qualcomm Technologies, Inc.1*0(
!Qualcomm Cryptographic Operations1&0$
XBL Sec Attestation Root CA 20
Qualcomm Technologies, Inc.1*0(
!Qualcomm Cryptographic Operations1.0,
%XBL Sec Attestation Root CA 2 SubCA 10
/dev/icbcfg/boot
QC_IMAGE_VERSION_STRING=TZ.WNS.5.1-00123
IMAGE_VARIANT_STRING=OAPAANAAA
OEM_IMAGE_VERSION_STRING=CRM

看起来它叫做XBL,找了一圈,源码不好找到。根据:xbltools项目,可以得知,XBL分区分为三个部分:

  1. sbl1.elf,负责初始化硬件,然后跳转到xbl_core.elf
  2. xbl_core.elf,bootloader
  3. xbl_sec.mbn,xbl的入口,它跳转到sbl1.elf

现在问题是,我这块ipq6000的板子已经有了单独的appsbl分区,存放了uboot,它和上面的xbl_core.elf的作用是一致的,我不确定是否在XBL里是不是还有一个xbl_core.elf。

———— 未完待续

IPQ6000系列启动流程分析
2025/03/22/ipq6000-bootup/
作者
lyq1996
发布于
2025-03-23 02:04
许可
 评论
评论插件加载失败
正在加载评论插件
  1. 1. IPQ6000系列启动流程分析
    1. 1.1. 目的
    2. 1.2. 设备分区
    3. 1.3. 初分析
    4. 1.4. SBL
© 2016 - 2025    lyq1996
由 Hexo 驱动 & 主题 Keep
本站由 提供部署服务
访客数 访问量
  1. 1. IPQ6000系列启动流程分析
    1. 1.1. 目的
    2. 1.2. 设备分区
    3. 1.3. 初分析
    4. 1.4. SBL