轉載請注明來源:cuixiaolei的技術博客
這篇文章是lk啟動流程分析(以高通為例),將會詳細介紹下面的內容:
1).正常開機引導流程
2).recovery引導流程
3).fastboot引導流程
4).ffbm引導流程
5).lk向kernel傳參
start----------------------------------------
在bootable/bootloader/lk/arch/arm/crt0.S文件中有下面代碼,所以從kmain()開始介紹
bl kmain
kmain函數位於bootable/bootloader/lk/kernel/main.c
/* called from crt0.S */ void kmain(void) __NO_RETURN __EXTERNALLY_VISIBLE; void kmain(void) { // get us into some sort of thread context thread_init_early(); //初始化線程上下文 #ifdef FEATURE_AFTER_SALE_LOG_LK // do console early init console_init_early(); //初始化控制台 #endif // early arch stuff arch_early_init(); //架構初始化,如關閉cache,使能mmu // do any super early platform initialization platform_early_init(); //平台早期初始化 // do any super early target initialization target_early_init(); //目標設備早期初始化,初始化串口 dprintf(INFO, "welcome to lk\n\n"); bs_set_timestamp(BS_BL_START); // deal with any static constructors dprintf(SPEW, "calling constructors\n"); call_constructors(); // bring up the kernel heap dprintf(SPEW, "initializing heap\n"); heap_init(); //堆初始化 __stack_chk_guard_setup(); // initialize the threading system dprintf(SPEW, "initializing threads\n"); thread_init(); //線程初始化 #ifdef FEATURE_AFTER_SALE_LOG_LK // initialize the console layer dprintf(SPEW, "initializing console layer\n"); console_init(); //初始化控制台 #endif // initialize the dpc system dprintf(SPEW, "initializing dpc\n"); dpc_init(); //lk系統控制器初始化 // initialize kernel timers dprintf(SPEW, "initializing timers\n"); timer_init(); //kernel時鍾初始化 #if (!ENABLE_NANDWRITE) // create a thread to complete system initialization dprintf(SPEW, "creating bootstrap completion thread\n"); thread_resume(thread_create("bootstrap2", &bootstrap2, NULL, DEFAULT_PRIORITY, DEFAULT_STACK_SIZE)); //創建一個線程初始化系統 // enable interrupts exit_critical_section(); //使能中斷 // become the idle thread thread_become_idle(); //本線程切換成idle線程,idle為空閑線程,當沒有更高優先級的線程時才執行 #else bootstrap_nandwrite(); #endif }
arch_early_init()負責使能內存管理單元mmu
bootable/bootloader/lk/arch/arm/arch.c void arch_early_init(void) { /* turn off the cache */ arch_disable_cache(UCACHE); //關閉cache /* set the vector base to our exception vectors so we dont need to double map at 0 */ #if ARM_CPU_CORTEX_A8 set_vector_base(MEMBASE); //設置異常向量基地址 #endif #if ARM_WITH_MMU arm_mmu_init(); //使能mmu #endif /* turn the cache back on */ arch_enable_cache(UCACHE); //打開cache #if ARM_WITH_NEON /* enable cp10 and cp11 */ uint32_t val; __asm__ volatile("mrc p15, 0, %0, c1, c0, 2" : "=r" (val)); val |= (3<<22)|(3<<20); __asm__ volatile("mcr p15, 0, %0, c1, c0, 2" :: "r" (val)); isb(); /* set enable bit in fpexc */ __asm__ volatile("mrc p10, 7, %0, c8, c0, 0" : "=r" (val)); val |= (1<<30); __asm__ volatile("mcr p10, 7, %0, c8, c0, 0" :: "r" (val)); #endif #if ARM_CPU_CORTEX_A8 /* enable the cycle count register */ uint32_t en; __asm__ volatile("mrc p15, 0, %0, c9, c12, 0" : "=r" (en)); en &= ~(1<<3); /* cycle count every cycle */ en |= 1; /* enable all performance counters */ __asm__ volatile("mcr p15, 0, %0, c9, c12, 0" :: "r" (en)); /* enable cycle counter */ en = (1<<31); __asm__ volatile("mcr p15, 0, %0, c9, c12, 1" :: "r" (en)); #endif }
platform_early_init()平台早期初始化,初始化平台的時鍾和主板
bootable\bootloader\lk\platform\msm8952\platform.c
void platform_early_init(void) { board_init(); //主板初始化 platform_clock_init(); //時鍾初始化 qgic_init(); qtimer_init(); }
從代碼可知,會創建一個bootstrap2線程,並使能中斷
static int bootstrap2(void *arg) { dprintf(SPEW, "top of bootstrap2()\n"); arch_init(); //架構初始化,此函數為空,什么都沒做 // XXX put this somewhere else #if WITH_LIB_BIO bio_init(); #endif #if WITH_LIB_FS fs_init(); #endif // initialize the rest of the platform dprintf(SPEW, "initializing platform\n"); platform_init(); // 平台初始化,不同的平台要做的事情不一樣,可以是初始化系統時鍾,超頻等 // initialize the target dprintf(SPEW, "initializing target\n"); target_init(); //目標設備初始化,主要初始化Flash,整合分區表等 dprintf(SPEW, "calling apps_init()\n"); apps_init(); //應用功能初始化,主要調用boot_init,啟動kernel,加載boot/recovery鏡像等 return 0; }
apps_init()通過下面方式進入aboot_init()函數
APP_START(aboot)
.init = aboot_init,
APP_END
bootable/bootloader/lk/app/app.cvoid apps_init(void) { const struct app_descriptor *app; /* call all the init routines */ for (app = &__apps_start; app != &__apps_end; app++) { if (app->init) app->init(app); } /* start any that want to start on boot */ for (app = &__apps_start; app != &__apps_end; app++) { if (app->entry && (app->flags & APP_FLAG_DONT_START_ON_BOOT) == 0) { start_app(app); } } }
從這里開始是這篇文章的重點,分析aboot.c文件。每個項目的文件可能會有不同,但是差別會很小。
bootable/bootloader/lk/app/aboot/aboot.c void aboot_init(const struct app_descriptor *app) { unsigned reboot_mode = 0; unsigned restart_reason = 0; unsigned hard_reboot_mode = 0; bool boot_into_fastboot = false; uint8_t pon_reason = pm8950_get_pon_reason(); //pm8950_get_pon_reason() 獲取開機原因 /* Setup page size information for nv storage */ if (target_is_emmc_boot()) //檢測是emmc還是flash存儲,並設置頁大小,一般是2048 { page_size = mmc_page_size(); page_mask = page_size - 1; } else { page_size = flash_page_size(); page_mask = page_size - 1; } ASSERT((MEMBASE + MEMSIZE) > MEMBASE); //斷言,如果內存基地址+內存大小小於內存基地址,則直接終止錯誤 read_device_info(&device); //從devinfo分區表read data到device結構體 read_allow_oem_unlock(&device); //devinfo分區里記錄了unlock狀態,從device中讀取此信息 /* Display splash screen if enabled */ if (!check_alarm_boot()) { dprintf(SPEW, "Display Init: Start\n"); target_display_init(device.display_panel); //顯示splash,Splash也就是應用程序啟動之前先啟動一個畫面,上面簡單的介紹應用程序的廠商,廠商的LOGO,名稱和版本等信息,多為一張圖片 dprintf(SPEW, "Display Init: Done\n"); } #ifdef FEATURE_LOW_POWER_DISP_LK if(is_low_voltage) { //如果電量低,則顯示關機動畫,並關閉設備 mdelay(2000); //target_uninit(); target_display_shutdown(); shutdown_device(); } #endif is_alarm_boot = check_alarm_boot(); //檢測開機原因是否是由於關機鬧鍾導致 target_serialno((unsigned char *) sn_buf); dprintf(SPEW,"serial number: %s\n",sn_buf); memset(display_panel_buf, '\0', MAX_PANEL_BUF_SIZE); /* * Check power off reason if user force reset, * if yes phone will do normal boot. */ if (is_user_force_reset()) //如果強制重啟,直接進入normal_boot goto normal_boot; dprintf(ALWAYS, "pon_reason=0x%02x\n", pon_reason); /* Check if we should do something other than booting up */ if ( (pon_reason & USB_CHG) //啟動原因是插上USB,並且用戶同時按住了音量上下鍵,進入下載模式 && (keys_get_state(KEY_VOLUMEUP) && keys_get_state(KEY_VOLUMEDOWN))) { display_dloadimage_on_screen(); //顯示下載模式圖片 volume_keys_init(); //初始化音量按鍵 int i = 0; int j = 0; int k = 0; dload_flag = 1 ; while(1) //進入下載模式后,通過不同的按鍵組合進入不同的模式,下面的代碼邏輯很簡單,就不介紹了 { thread_sleep(200); //dprintf(ALWAYS, "in while circle\n"); if ( check_volume_up_key() && !check_volume_down_key() && !check_power_key() ) { /* Hold volume_up_key 3 sec to download mode, if not enough, need to hold another 3 sec. */ for(i = 0;i < 15;++i) { thread_sleep(200); if (!check_volume_up_key()) { dprintf(ALWAYS, "press volume_up not enough time\n"); break; } } if(i == 15) { break; } } else if (check_power_key() && !check_volume_up_key() && !check_volume_down_key()) { /* Hold power_key 1 sec to normal boot, if not enough, need to hold another 1 sec. */ for(j = 0;j < 5;++j) { thread_sleep(200); if (!check_power_key()) { //dprintf(ALWAYS, "press power_key not enough time\n"); break; } } if(j == 5) { goto normal_boot; } } else if (!check_volume_down_key() && !check_volume_up_key() && !check_power_key()) { /* Hold no key and go to normal boot 30 sec later. */ for(k = 0;k < 150;++k) { thread_sleep(200); if (check_power_key() || check_volume_up_key()) { //dprintf(ALWAYS, "press nothing\n"); break; } } if(k == 150) { //dprintf(ALWAYS, "goto normal_boot\n"); goto normal_boot; } } } dprintf(CRITICAL,"dload mode key sequence detected\n"); if (set_download_mode(EMERGENCY_DLOAD)) { dprintf(CRITICAL,"dload mode not supported by target\n"); } else { reboot_device(DLOAD); dprintf(ALWAYS,"Failed to reboot into dload mode\n"); } boot_into_fastboot = true; //下載模式本質上是進入fastboot }
if (!boot_into_fastboot) //如果不是通過usb+上下鍵進入下載模式 { if (keys_get_state(KEY_HOME) || (keys_get_state(KEY_VOLUMEUP) && !keys_get_state(KEY_VOLUMEDOWN))) //上鍵+電源鍵 進入recovery模式 { boot_into_recovery = 1; struct recovery_message msg; strcpy(msg.recovery, "recovery\n--show_text"); } if (!boot_into_recovery && (keys_get_state(KEY_BACK) || (keys_get_state(KEY_VOLUMEDOWN) && !keys_get_state(KEY_VOLUMEUP)))) //下鍵+back鍵進入fastboot模式,我的手機是有back實體鍵的 boot_into_fastboot = true; } reboot_mode = check_reboot_mode(); //檢測開機原因,並且修改相應的標志位 hard_reboot_mode = check_hard_reboot_mode(); if (reboot_mode == RECOVERY_MODE || hard_reboot_mode == RECOVERY_HARD_RESET_MODE) { boot_into_recovery = 1; } else if(reboot_mode == FASTBOOT_MODE || hard_reboot_mode == FASTBOOT_HARD_RESET_MODE) { boot_into_fastboot = true; } else if(reboot_mode == ALARM_BOOT || hard_reboot_mode == RTC_HARD_RESET_MODE) { boot_reason_alarm = true; } else if (reboot_mode == DM_VERITY_ENFORCING) { device.verity_mode = 1; write_device_info(&device); } else if(reboot_mode == DM_VERITY_LOGGING) { device.verity_mode = 0; write_device_info(&device); } else if(reboot_mode == DM_VERITY_KEYSCLEAR) { if(send_delete_keys_to_tz()) ASSERT(0); } normal_boot: if(dload_flag){ display_image_on_screen(); //顯示界面,上面提到過 } if (!boot_into_fastboot) //如果不是fastboot模式 { if (target_is_emmc_boot()) { if(emmc_recovery_init()) dprintf(ALWAYS,"error in emmc_recovery_init\n"); if(target_use_signed_kernel()) { if((device.is_unlocked) || (device.is_tampered)) { #ifdef TZ_TAMPER_FUSE set_tamper_fuse_cmd(); #endif #if USE_PCOM_SECBOOT set_tamper_flag(device.is_tampered); #endif } } boot_linux_from_mmc(); //程序會跑到這里,又一個重點內容,下面會獨立分析這個函數。 } else { recovery_init(); #if USE_PCOM_SECBOOT if((device.is_unlocked) || (device.is_tampered)) set_tamper_flag(device.is_tampered); #endif boot_linux_from_flash(); } dprintf(CRITICAL, "ERROR: Could not do normal boot. Reverting " "to fastboot mode.\n"); }
//下面的代碼是fastboot的准備工作,從中可以看出,進入fastboot模式是不啟動kernel的
/* We are here means regular boot did not happen. Start fastboot. */ /* register aboot specific fastboot commands */ aboot_fastboot_register_commands(); //注冊fastboot命令,建議看下此函數的源碼,此函數是fastboot支持的命令,如flash、erase等等 /* dump partition table for debug info */ partition_dump(); /* initialize and start fastboot */ fastboot_init(target_get_scratch_address(), target_get_max_flash_size()); //初始化fastboot #if FBCON_DISPLAY_MSG display_fastboot_menu_thread(); //顯示fastboot界面 #endif }
關於device_info,這里多說一點
devinfo Device information including:iis_unlocked, is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version All these attirbutes are set based on some specific conditions and written on devinfo partition.
devinfo是一個獨立的分區,里面存放了下面的一些信息,上面是高通對這個分區的介紹。
struct device_info { unsigned char magic[DEVICE_MAGIC_SIZE]; bool is_unlocked; bool is_tampered; bool is_verified; bool charger_screen_enabled; char display_panel[MAX_PANEL_ID_LEN]; char bootloader_version[MAX_VERSION_LEN]; char radio_version[MAX_VERSION_LEN]; };
從上面的分析,我們大致可以知道boot_init()主要工作
1).確定page_size大小;
2).從devinfo分區獲取devinfo信息;
3).通過不同按鍵選擇設置對應標志位boot_into_xxx;
4).如果進入fastboot模式,初始化fastboot命令等。
5).進入boot_linux_from_mmc()函數。
下面分析lk啟動過程中另一個重要的函數boot_linux_from_mmc();它主要負責根據boot_into_xxx從對應的分區內讀取相關信息並傳給kernel,然后引導kernel。
程序走到這,說成沒有進入fastboot模式,可能的情況有:正常啟動,進入recovery,開機鬧鍾啟動。
boot_linux_from_mmc()主要做下面的事情
1).程序會從boot分區或者recovery分區的header中讀取地址等信息,然后把kernel、ramdisk加載到內存中。
2).程序會從misc分區中讀取bootloader_message結構體,如果有boot-recovery,則進入recovery模式
3).更新cmdline,然后把cmdline寫到tags_addr地址,把參數傳給kernel,kernel起來以后會到這個地址讀取參數。
int boot_linux_from_mmc(void) { struct boot_img_hdr *hdr = (void*) buf; //************buf和hdr指向相同的地址,可以理解為buf就是hdr struct boot_img_hdr *uhdr; unsigned offset = 0; int rcode; unsigned long long ptn = 0; int index = INVALID_PTN; unsigned char *image_addr = 0; unsigned kernel_actual; unsigned ramdisk_actual; unsigned imagesize_actual; unsigned second_actual = 0; unsigned int dtb_size = 0; unsigned int out_len = 0; unsigned int out_avai_len = 0; unsigned char *out_addr = NULL; uint32_t dtb_offset = 0; unsigned char *kernel_start_addr = NULL; unsigned int kernel_size = 0; int rc; #if DEVICE_TREE struct dt_table *table; struct dt_entry dt_entry; unsigned dt_table_offset; uint32_t dt_actual; uint32_t dt_hdr_size; unsigned char *best_match_dt_addr = NULL; #endif struct kernel64_hdr *kptr = NULL; if (check_format_bit()) //查找bootselect分區,查看分區表,沒有此分區,所以返回值為false boot_into_recovery = 1; if (!boot_into_recovery) { //此時有兩種可能,正常開機/進入ffbm工廠測試模式,進入工廠測試模式是正行啟動,但是向kernel傳參會多一個字符串"androidboot.mode='ffbm_mode_string'" memset(ffbm_mode_string, '\0', sizeof(ffbm_mode_string)); //ffbm_mode_string = "" rcode = get_ffbm(ffbm_mode_string, sizeof(ffbm_mode_string)); //從misc分區0地址中讀取sizeof(ffbm_mode_string)的內容,如果內容是"ffbm-",返回1,否則返回0 if (rcode <= 0) { boot_into_ffbm = false; if (rcode < 0) dprintf(CRITICAL,"failed to get ffbm cookie"); } else boot_into_ffbm = true; } else //boot_into_recovery=true boot_into_ffbm = false; uhdr = (struct boot_img_hdr *)EMMC_BOOT_IMG_HEADER_ADDR; //uhdr指向boot分區header地址,header是什么東西,下面會詳細介紹 if (!memcmp(uhdr->magic, BOOT_MAGIC, BOOT_MAGIC_SIZE)) { //檢查uhdr->magic 是否等於 "ANDROID!",不知到為什么要這么做,覺的沒有什么作用 dprintf(INFO, "Unified boot method!\n"); hdr = uhdr; goto unified_boot; } if (!boot_into_recovery) { //如果不是recovery模式,可能是正常啟動或者進入ffbm,再次生命ffbm和正常啟動流程一樣啟動kernel,只是kernel起來以后,init.c文件會讀取是否有"ffbm-" index = partition_get_index("boot"); //讀取boot分區 ptn = partition_get_offset(index); //讀取boot分區的偏移量 if(ptn == 0) { dprintf(CRITICAL, "ERROR: No boot partition found\n"); return -1; } } else { index = partition_get_index("recovery"); //進入recovery模式,讀取recovery分區,並獲得recovery分區的偏移量。recovery.img和boot.img的組成是一樣的,下面有介紹 ptn = partition_get_offset(index); if(ptn == 0) { dprintf(CRITICAL, "ERROR: No recovery partition found\n"); return -1; } } /* Set Lun for boot & recovery partitions */ mmc_set_lun(partition_get_lun(index)); if (mmc_read(ptn + offset, (uint32_t *) buf, page_size)) { //從boot/recovery分區讀取1字節的內容到buf(hdr)中,我們知道在boot/recovery中開始的1字節存放的是hdr的內容,下面有詳細的介紹。 dprintf(CRITICAL, "ERROR: Cannot read boot image header\n"); return -1; } if (memcmp(hdr->magic, BOOT_MAGIC, BOOT_MAGIC_SIZE)) { //上面已經從boot/recovery分區讀取了header到hdr,這里對比magic是否等於"ANDROID!",如果不是,則表明讀取的header是錯誤的,也算是校驗吧 dprintf(CRITICAL, "ERROR: Invalid boot image header\n"); return -1; } if (hdr->page_size && (hdr->page_size != page_size)) { //比較也的大小是否相同,應該都是相同的2048字節 if (hdr->page_size > BOOT_IMG_MAX_PAGE_SIZE) { dprintf(CRITICAL, "ERROR: Invalid page size\n"); return -1; } page_size = hdr->page_size; page_mask = page_size - 1; } /* ensure commandline is terminated */ hdr->cmdline[BOOT_ARGS_SIZE-1] = 0; kernel_actual = ROUND_TO_PAGE(hdr->kernel_size, page_mask); //kernel所占的頁的總大小 例如kernel大小0x01,kernel_actual = 2048 ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask); //ramdisk所占的頁的總大小 image_addr = (unsigned char *)target_get_scratch_address(); #if DEVICE_TREE dt_actual = ROUND_TO_PAGE(hdr->dt_size, page_mask); //dt所占的頁的大小 imagesize_actual = (page_size + kernel_actual + ramdisk_actual + dt_actual); //image占的頁的總大小 #else imagesize_actual = (page_size + kernel_actual + ramdisk_actual); #endif #if VERIFIED_BOOT boot_verifier_init(); //校驗boot #endif if (check_aboot_addr_range_overlap((uint32_t) image_addr, imagesize_actual)) //校驗image_addr是否被覆蓋 { dprintf(CRITICAL, "Boot image buffer address overlaps with aboot addresses.\n"); return -1; } /* * Update loading flow of bootimage to support compressed/uncompressed * bootimage on both 64bit and 32bit platform. * 1. Load bootimage from emmc partition onto DDR. * 2. Check if bootimage is gzip format. If yes, decompress compressed kernel * 3. Check kernel header and update kernel load addr for 64bit and 32bit * platform accordingly. * 4. Sanity Check on kernel_addr and ramdisk_addr and copy data. */ dprintf(INFO, "Loading boot image (%d): start\n", imagesize_actual); bs_set_timestamp(BS_KERNEL_LOAD_START); /* Read image without signature */ if (mmc_read(ptn + offset, (void *)image_addr, imagesize_actual)) //讀取boot/recovery分區到image_addr { dprintf(CRITICAL, "ERROR: Cannot read boot image\n"); return -1; } dprintf(INFO, "Loading boot image (%d): done\n", imagesize_actual); bs_set_timestamp(BS_KERNEL_LOAD_DONE); /* Authenticate Kernel */ dprintf(INFO, "use_signed_kernel=%d, is_unlocked=%d, is_tampered=%d.\n", (int) target_use_signed_kernel(), device.is_unlocked, device.is_tampered); if(target_use_signed_kernel() && (!device.is_unlocked)) //這里是false ,感興趣可以追target_use_signed_kernel(),會發現這個函數返回的是0 { offset = imagesize_actual;uhdr->magic if (check_aboot_addr_range_overlap((uint32_t)image_addr + offset, page_size)) { dprintf(CRITICAL, "Signature read buffer address overlaps with aboot addresses.\n"); return -1; } /* Read signature */ if(mmc_read(ptn + offset, (voidffbm_mode_string *)(image_addr + offset), page_size)) { dprintf(CRITICAL, "ERROR: Cannot read boot image signature\n"); return -1; } verify_signed_bootimg((uint32_t)image_addr, imagesize_actual); } else { second_actual = ROUND_TO_PAGE(hdr->second_size, page_mask); #ifdef TZ_SAVE_KERNEL_HASH aboot_save_boot_hash_mmc((uint32_t) image_addr, imagesize_actual); #endif /* TZ_SAVE_KERNEL_HASH */ #if VERIFIED_BOOT if(boot_verify_get_state() == ORANGE) //校驗boot { #if FBCON_DISPLAY_MSG display_bootverify_menu_thread(DISPLAY_MENU_ORANGE); wait_for_users_action(); #else dprintf(CRITICAL, "Your device has been unlocked and can't be trusted.\nWait for 5 seconds before proceeding\n"); mdelay(5000); #endif set_root_flag(ORANGE,1); } #endif #ifdef MDTP_SUPPORT { /* Verify MDTP lock. * For boot & recovery partitions, MDTP will use boot_verifier APIs, * since verification was skipped in aboot. The signature is not part of the loaded image. */ mdtp_ext_partition_verification_t ext_partition; ext_partition.partition = boot_into_recovery ? MDTP_PARTITION_RECOVERY : MDTP_PARTITION_BOOT; ext_partition.integrity_state = MDTP_PARTITION_STATE_UNSET; ext_partition.page_size = page_size; ext_partition.image_addr = (uint32)image_addr; ext_partition.image_size = imagesize_actual; ext_partition.sig_avail = FALSE; mdtp_fwlock_verify_lock(&ext_partition); } #endif /* MDTP_SUPPORT */ } #if VERIFIED_BOOT #if !VBOOT_MOTA // send root of trust if(!send_rot_command((uint32_t)device.is_unlocked)) ASSERT(0); #endif #endif /* * Check if the kernel image is a gzip package. If yes, need to decompress it. * If not, continue booting. */
//檢測kernel image是否是gzip的包,如果是,解壓,如果不是,繼續boot。得到kernel的起始地址和大小
if (is_gzip_package((unsigned char *)(image_addr + page_size), hdr->kernel_size)) { out_addr = (unsigned char *)(image_addr + imagesize_actual + page_size); out_avai_len = target_get_max_flash_size() - imagesize_actual - page_size; dprintf(INFO, "decompressing kernel image: start\n"); rc = decompress((unsigned char *)(image_addr + page_size), hdr->kernel_size, out_addr, out_avai_len, &dtb_offset, &out_len); if (rc) { dprintf(CRITICAL, "decompressing kernel image failed!!!\n"); ASSERT(0); } dprintf(INFO, "decompressing kernel image: done\n"); kptr = (struct kernel64_hdr *)out_addr; kernel_start_addr = out_addr; kernel_size = out_len; } else { kptr = (struct kernel64_hdr *)(image_addr + page_size); kernel_start_addr = (unsigned char *)(image_addr + page_size); //kernel_start起始地址 kernel_size = hdr->kernel_size; //kernel大小 } /* * Update the kernel/ramdisk/tags address if the boot image header * has default values, these default values come from mkbootimg when * the boot image is flashed using fastboot flash:raw */ update_ker_tags_rdisk_addr(hdr, IS_ARM64(kptr)); //更新kernel/tags/ramdisk地址 /* Get virtual addresses since the hdr saves physical addresses. */ hdr->kernel_addr = VA((addr_t)(hdr->kernel_addr)); //保存虛擬地址(mmu) hdr->ramdisk_addr = VA((addr_t)(hdr->ramdisk_addr)); hdr->tags_addr = VA((addr_t)(hdr->tags_addr)); kernel_size = ROUND_TO_PAGE(kernel_size, page_mask); /* Check if the addresses in the header are valid. */ if (check_aboot_addr_range_overlap(hdr->kernel_addr, kernel_size) || //檢測kernel/ramdisk/tags地址是否超出emmc地址 check_aboot_addr_range_overlap(hdr->ramdisk_addr, ramdisk_actual)) { dprintf(CRITICAL, "kernel/ramdisk addresses overlap with aboot addresses.\n"); return -1; } #ifndef DEVICE_TREE if (check_aboot_addr_range_overlap(hdr->tags_addr, MAX_TAGS_SIZE)) { dprintf(CRITICAL, "Tags addresses overlap with aboot addresses.\n"); return -1; } #endif /* Move kernel, ramdisk and device tree to correct address */ memmove((void*) hdr->kernel_addr, kernel_start_addr, kernel_size); //把kernel/ramdisk放在相應的地址上 memmove((void*) hdr->ramdisk_addr, (char *)(image_addr + page_size + kernel_actual), hdr->ramdisk_size); #if DEVICE_TREE //讀取設備樹信息,放在相應的地址上 if(hdr->dt_size) { dt_table_offset = ((uint32_t)image_addr + page_size + kernel_actual + ramdisk_actual + second_actual); table = (struct dt_table*) dt_table_offset; if (dev_tree_validate(table, hdr->page_size, &dt_hdr_size) != 0) { dprintf(CRITICAL, "ERROR: Cannot validate Device Tree Table \n"); return -1; } /* Find index of device tree within device tree table */ if(dev_tree_get_entry_info(table, &dt_entry) != 0){ dprintf(CRITICAL, "ERROR: Getting device tree address failed\n"); return -1; } if (is_gzip_package((unsigned char *)dt_table_offset + dt_entry.offset, dt_entry.size)) { unsigned int compressed_size = 0; out_addr += out_len; out_avai_len -= out_len; dprintf(INFO, "decompressing dtb: start\n"); rc = decompress((unsigned char *)dt_table_offset + dt_entry.offset, dt_entry.size, out_addr, out_avai_len, &compressed_size, &dtb_size); if (rc) { dprintf(CRITICAL, "decompressing dtb failed!!!\n"); ASSERT(0); } dprintf(INFO, "decompressing dtb: done\n"); best_match_dt_addr = out_addr; } else { best_match_dt_addr = (unsigned char *)dt_table_offset + dt_entry.offset; dtb_size = dt_entry.size; } /* Validate and Read device device tree in the tags_addr */ if (check_aboot_addr_range_overlap(hdr->tags_addr, dtb_size)) { dprintf(CRITICAL, "Device tree addresses overlap with aboot addresses.\n"); return -1; } memmove((void *)hdr->tags_addr, (char *)best_match_dt_addr, dtb_size); } else { /* Validate the tags_addr */ if (check_aboot_addr_range_overlap(hdr->tags_addr, kernel_actual)) { dprintf(CRITICAL, "Device tree addresses overlap with aboot addresses.\n"); return -1; } /* * If appended dev tree is found, update the atags with * memory address to the DTB appended location on RAM. * Else update with the atags address in the kernel header */ void *dtb; dtb = dev_tree_appended((void*)(image_addr + page_size), hdr->kernel_size, dtb_offset, (void *)hdr->tags_addr); if (!dtb) { dprintf(CRITICAL, "ERROR: Appended Device Tree Blob not found\n"); return -1; } } #endif if (boot_into_recovery && !device.is_unlocked && !device.is_tampered) target_load_ssd_keystore(); unified_boot: boot_linux((void *)hdr->kernel_addr, (void *)hdr->tags_addr, //進入boot_linux函數,此函數比較簡單,更新cmdline。 (const char *)hdr->cmdline, board_machtype(), (void *)hdr->ramdisk_addr, hdr->ramdisk_size); return 0; }
如果misc分區的0地址內容是"ffbm-",則boot_into_ffbm=true
int get_ffbm(char *ffbm, unsigned size) { const char *ffbm_cmd = "ffbm-"; uint32_t page_size = get_page_size(); char *ffbm_page_buffer = NULL; int retval = 0; if (size < FFBM_MODE_BUF_SIZE || size >= page_size) { dprintf(CRITICAL, "Invalid size argument passed to get_ffbm\n"); retval = -1; goto cleanup; } ffbm_page_buffer = (char*)malloc(page_size); if (!ffbm_page_buffer) { dprintf(CRITICAL, "Failed to alloc buffer for ffbm cookie\n"); retval = -1; goto cleanup; } if (read_misc(0, ffbm_page_buffer, page_size)) { dprintf(CRITICAL, "Error reading MISC partition\n"); retval = -1; goto cleanup; } ffbm_page_buffer[size] = '\0'; if (strncmp(ffbm_cmd, ffbm_page_buffer, strlen(ffbm_cmd))) { retval = 0; goto cleanup; } else { if (strlcpy(ffbm, ffbm_page_buffer, size) < FFBM_MODE_BUF_SIZE -1) { dprintf(CRITICAL, "Invalid string in misc partition\n"); retval = -1; } else retval = 1; } cleanup: if(ffbm_page_buffer) free(ffbm_page_buffer); return retval; }
boot.img和recovery.img的組成是一樣的,所以lk加載方式一樣,只是讀取的地址和大小不同而已。
我們看下boot.img和recovery.img鏡像里有什么,理解了這個再看lk加載boot.img/recovery.img就知道是怎么回事了:
** +-----------------+ ** | boot header | 1 page ** +-----------------+ ** | kernel | n pages ** +-----------------+ ** | ramdisk | m pages ** +-----------------+ ** | second stage | o pages ** +-----------------+ ** | device tree | p pages ** +-----------------+
分析boot_img_hdr結構提
kernel_size kernel表示zImage的實際大小
kernel_addr kernel的zImage載入內存的物理地址,也是bootloader要跳轉的地址
ramdisk_size ramdisk的實際大小
ramdisk_addr ramdisk加載到內存的實際物理地址,之后kernel會解壓並把它掛載成根文件系統,我們的中樞神經-init.rc就隱藏於內
tags_addr tags_addr是傳參數用的物理內存地址,它作用是把bootloader中的參數傳遞給kernel,參數放在這個地址上
page_size page_size是存儲芯片(ram/emmc)的頁大小,取決與存儲芯片
cmdline command line它可以由bootloader向kernel傳參的內容,存放在tag_addr地址
second 可選
bootable/bootloader/lk/app/aboot/bootimg.h #ifndef _BOOT_IMAGE_H_ #define _BOOT_IMAGE_H_ typedef struct boot_img_hdr boot_img_hdr; #define BOOT_MAGIC "ANDROID!" #define BOOT_MAGIC_SIZE 8 #define BOOT_NAME_SIZE 16 #define BOOT_ARGS_SIZE 512 #define BOOT_IMG_MAX_PAGE_SIZE 4096 struct boot_img_hdr { unsigned char magic[BOOT_MAGIC_SIZE]; unsigned kernel_size; /* size in bytes */ unsigned kernel_addr; /* physical load addr */ unsigned ramdisk_size; /* size in bytes */ unsigned ramdisk_addr; /* physical load addr */ unsigned second_size; /* size in bytes */ unsigned second_addr; /* physical load addr */ unsigned tags_addr; /* physical addr for kernel tags */ unsigned page_size; /* flash page size we assume */ unsigned dt_size; /* device_tree in bytes */ unsigned unused; /* future expansion: should be 0 */ unsigned char name[BOOT_NAME_SIZE]; /* asciiz product name */ unsigned char cmdline[BOOT_ARGS_SIZE]; unsigned id[8]; /* timestamp / checksum / sha1 / etc */ }; /* ** +-----------------+ ** | boot header | 1 page ** +-----------------+ ** | kernel | n pages ** +-----------------+ ** | ramdisk | m pages ** +-----------------+ ** | second stage | o pages ** +-----------------+ ** | device tree | p pages ** +-----------------+ ** ** n = (kernel_size + page_size - 1) / page_size ** m = (ramdisk_size + page_size - 1) / page_size ** o = (second_size + page_size - 1) / page_size ** p = (dt_size + page_size - 1) / page_size ** 0. all entities are page_size aligned in flash ** 1. kernel and ramdisk are required (size != 0) ** 2. second is optional (second_size == 0 -> no second) ** 3. load each element (kernel, ramdisk, second) at ** the specified physical address (kernel_addr, etc) ** 4. prepare tags at tag_addr. kernel_args[] is ** appended to the kernel commandline in the tags. ** 5. r0 = 0, r1 = MACHINE_TYPE, r2 = tags_addr ** 6. if second_size != 0: jump to second_addr ** else: jump to kernel_addr */ boot_img_hdr *mkbootimg(void *kernel, unsigned kernel_size, void *ramdisk, unsigned ramdisk_size, void *second, unsigned second_size, unsigned page_size, unsigned *bootimg_size); void bootimg_set_cmdline(boot_img_hdr *hdr, const char *cmdline); #define KERNEL64_HDR_MAGIC 0x644D5241 /* ARM64 */ struct kernel64_hdr { uint32_t insn; uint32_t res1; uint64_t text_offset; uint64_t res2; uint64_t res3; uint64_t res4; uint64_t res5; uint64_t res6; uint32_t magic_64; uint32_t res7; }; #endif