Booting Android
Bootloaders, fastboot and boot images
Booting Android 1 Copyright © 2011-2016, 2net Ltd
License
These slides are available under a Creative Commons Attribution-ShareAlike 3.0
license. You can read the full text of the license here
[Link]
You are free to
• copy, distribute, display, and perform the work
• make derivative works
• make commercial use of the work
Under the following conditions
• Attribution: you must give the original author credit
• Share Alike: if you alter, transform, or build upon this work, you may distribute
the resulting work only under a license identical to this one (i.e. include this
page exactly as it is)
• For any reuse or distribution, you must make clear to others the license terms of
this work
About Chris Simmonds
• Consultant and trainer
• Author of Mastering Embedded Linux
Programming
• Working with embedded Linux since 1999
• Android since 2009
• Speaker at many conferences and
workshops
"Looking after the Inner Penguin" blog at [Link]
[Link]
[Link]
Overview
• Android system images: boot, recovery, system,
userdata and cache
• Android "boot blobs"
• Bootloaders for Android
• Fastboot
• Flash memory and flash filesystems
Image files
• A typical build for an Android device produces five
image files in out/target/product/<product>
Image Description
[Link] Kernel + ramdisk used for normal boot
[Link] Kernel + ramdisk used to boot into recovery mode
[Link] File system image for /system
[Link] File system image for /data
[Link] File system image for /cache
Typical flash memory layout
Bootloader
misc (optional - used during OTA update)
Boot kernel + ramdisk
Recovery kernel + ramdisk
/system - read-only file system
/data - read/write file system
/cache - read/write file system
The bootloader
• All systems need a bootloader
• Responsible for:
• Early hardware initialisation
• Load and boot kernel and initial ram filesystem
• System maintenance, including loading and flashing
new kernel and system images
• Example: U-Boot
• Open source
• Used in many dev boards (BeagleBone, Raspberry
Pi) and in many shipping products
• [Link]
Booting Android
• It is possible to boot Android using a normal
bootloader such as U-Boot
• However, most devices include Android-specific
features:
• Support normal and recovery boot modes
• Ability to load kernel + ramdisk blobs ([Link] and
[Link])
• The fastboot protocol
• Example: LK (Little Kernel)
• git://[Link]/kernel/[Link]
• Supports many Qualcomm-based devices as well as
rudimentary support for BeagleBoard and PC-x86
The Android bootloader
• Pre JB 4.2, AOSP had source for a simple bootloader
in bootable/bootloader/legacy
• Used in early handsets (Android Dev Phone, HTC
Dream)
• Not updated since the Eclair release
• Some of this code may have found its way into
proprietary bootloaders
Android boot and recovery images
• The files [Link] and [Link] are created by the
tool mkbootimg (the code is in system/core/mkbootimg)
• They contain a compressed kernel, the kernel
command line and, optionally, a ramdisk in the
normal Linux compressed cpio format
• Most Android bootloaders can read and load these
images into memory
• The format is defined in bootimg.h
Boot and recovery image format
From system/core/mkbootimg/bootimg.h
struct boot_img_hdr {
    unsigned char magic[8];            // "ANDROID!"
    unsigned kernel_size;
    unsigned kernel_addr;
    unsigned ramdisk_size;
    unsigned ramdisk_addr;
    unsigned second_size;              // 2nd image: not used
    unsigned second_addr;
    unsigned tags_addr;
    unsigned page_size;                // typically 2048
    unsigned unused[2];
    unsigned char name[16];            // product name
    unsigned char cmdline[512];        // kernel cmdline
    unsigned id[8];                    // timestamp/checksum/etc
    unsigned char extra_cmdline[1024];
};
[Diagram of the image layout: Header, Kernel image (zImage), ramdisk image (compressed cpio)]
Boot sequence
[Flowchart: Power on, then Bootloader. The bootloader either boots normal (load normal kernel and ramdisk) or boots recovery (load recovery kernel and ramdisk). Steps shown: Run /init, read init*.rc, mount file systems, start services. End states: Normal mode, Recovery mode.]
Reverse-engineering a boot image
• Sometimes it is useful to extract the files from a boot
or recovery image
• There are numerous tools to do so, for example
boot-extract
[Link]
$ boot-extract [Link]
Boot header
flash page size 2048
kernel size 0x432358
kernel load addr 0x10008000
ramdisk size 0x173740
ramdisk load addr 0x11000000
name
cmdline
zImage extracted
ramdisk offset 4403200 (0x433000)
[Link] extracted
$ ls
[Link] [Link] zImage
Extracting files from a ramdisk
• The ramdisk is just a compressed cpio archive
• Extract the files like so:
$ zcat [Link] | cpio -i
5665 blocks
$ ls
charger [Link] property_contexts
...
Creating a new ramdisk
• Do the following
$ cd some-directory
$ find . | cpio -H newc --owner root:root -ov > ~/[Link]
$ cd ~
$ gzip [Link]
• The end result will be [Link]
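Added example (not part of the original slides): a Python script that lists the entries of a gzip-compressed newc cpio ramdisk in memory, without unpacking it to disk, and flags anything that is not owned by root:root, is world-writable or is set-uid/set-gid, which is the property the --owner root:root option above is meant to give. All function names and the archive built by build_sample_ramdisk are constructed for illustration.

```python
import gzip
import stat

def pad4(n):  # newc aligns names and file data to 4-byte boundaries
    return (n + 3) & ~3

def list_ramdisk(gz_bytes):
    """Return (name, mode, uid, gid, size) for each entry of a gzipped newc cpio."""
    data, pos, entries = gzip.decompress(gz_bytes), 0, []
    while True:
        hdr = data[pos:pos + 110]
        if len(hdr) < 110 or hdr[:6] != b"070701":
            raise ValueError("no newc header at offset %d" % pos)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]  # 13 hex fields
        mode, uid, gid, size, namesize = f[1], f[2], f[3], f[6], f[11]
        name_end = pos + 110 + namesize
        name = data[pos + 110:name_end - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            return entries
        body = pad4(name_end)
        if body + size > len(data):
            raise ValueError("entry %r runs past end of archive" % name)
        entries.append((name, mode, uid, gid, size))
        pos = pad4(body + size)

def audit(entries):
    """Flag entries that are not root:root, world-writable, or set-uid/set-gid."""
    findings = []
    for name, mode, uid, gid, _size in entries:
        if (uid, gid) != (0, 0):
            findings.append((name, "not owned by root:root"))
        if mode & stat.S_IWOTH and not stat.S_ISLNK(mode):
            findings.append((name, "world-writable"))
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((name, "set-uid/set-gid"))
    return findings

def entry(name, mode, uid, gid, body=b""):  # encoder for the constructed sample
    n = name.encode() + b"\0"
    rec = b"070701" + b"".join(b"%08X" % v for v in (
        0, mode, uid, gid, 1, 0, len(body), 0, 0, 0, 0, len(n), 0)) + n
    rec = rec.ljust(pad4(len(rec)), b"\0") + body
    return rec.ljust(pad4(len(rec)), b"\0")

def build_sample_ramdisk():
    """Constructed ramdisk: init.rc is deliberately uid 1000 and mode 0666."""
    return gzip.compress(entry("init", 0o100750, 0, 0, b"\x7fELF")
                         + entry("init.rc", 0o100666, 1000, 1000, b"on boot\n")
                         + entry("TRAILER!!!", 0, 0, 0))
```

Running audit(list_ramdisk(...)) on a ramdisk before it goes into mkbootimg catches files packed with the build user's uid when --owner was forgotten.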
Creating a new boot image
• You can create a boot or recovery image using the
mkbootimg command
• For example:
$ mkbootimg --kernel zImage --ramdisk [Link] \
--base 0x10000000 --pagesize 2048 -o [Link]
• --base is used by mkbootimg to calculate the kernel
and ramdisk load addresses as follows:
• kernel_addr = base + 0x00008000
• ramdisk_addr = base + 0x01000000
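Added example (not from the original slides or from AOSP): a Python parser for the boot_img_hdr layout shown earlier that validates the header, derives the kernel and ramdisk offsets inside the image, and checks that both load addresses come from a single --base value. The sample image is constructed from the sizes and addresses in the boot-extract output above with zero-filled payloads; the function names are illustrative.

```python
import struct

# struct boot_img_hdr as listed above: little-endian, 32-bit unsigned fields.
HDR = struct.Struct("<8s10I16s512s8I1024s")
KERNEL_OFFSET = 0x00008000    # kernel_addr  = base + 0x00008000
RAMDISK_OFFSET = 0x01000000   # ramdisk_addr = base + 0x01000000

def round_up(n, page):
    """Sections are padded to a whole number of flash pages."""
    return (n + page - 1) // page * page

def parse_boot_header(blob):
    """Validate the header and return section offsets inside the image."""
    if len(blob) < HDR.size:
        raise ValueError("shorter than boot_img_hdr")
    f = HDR.unpack_from(blob)
    if f[0] != b"ANDROID!":
        raise ValueError("bad magic")
    ksize, kaddr, rsize, raddr, ssize, _saddr, _tags, page = f[1:9]
    if page < HDR.size or page & (page - 1):
        raise ValueError("implausible page_size")
    koff = page                              # header fills the first page
    roff = koff + round_up(ksize, page)      # ramdisk follows the kernel
    end = roff + round_up(rsize, page) + round_up(ssize, page)
    if end > len(blob):
        raise ValueError("sizes in header run past end of image")
    return {
        "kernel": (koff, ksize, kaddr),
        "ramdisk": (roff, rsize, raddr),
        "base": kaddr - KERNEL_OFFSET,
        # True when both load addresses derive from one --base value
        "base_consistent": kaddr - KERNEL_OFFSET == raddr - RAMDISK_OFFSET,
        "name": f[11].split(b"\0", 1)[0].decode("ascii", "replace"),
        "cmdline": f[12].split(b"\0", 1)[0].decode("ascii", "replace"),
    }

def build_sample_image(ksize=0x432358, rsize=0x173740, base=0x10000000, page=2048):
    """Constructed image: values from the boot-extract output, zero-filled payloads."""
    hdr = HDR.pack(b"ANDROID!", ksize, base + KERNEL_OFFSET, rsize,
                   base + RAMDISK_OFFSET, 0, 0, 0, page, 0, 0,
                   b"", b"", *([0] * 8), b"")
    return hdr.ljust(page, b"\0") + bytes(round_up(ksize, page) + round_up(rsize, page))

if __name__ == "__main__":
    info = parse_boot_header(build_sample_image())
    print("ramdisk offset %d (0x%x)" % (info["ramdisk"][0], info["ramdisk"][0]))
    print("base 0x%08x consistent=%s" % (info["base"], info["base_consistent"]))
```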
Fastboot
• Fastboot is a USB protocol and a command language
for various maintenance and development tasks
• Fastboot protocol v0.4 is defined in:
• bootable/bootloader/legacy/fastboot_protocol.txt
(up to JB 4.1)
• system/core/fastboot/fastboot_protocol.txt (JB 4.3
and later)
NOTE: fastboot is not about the speed of booting; it is about making
the development process simpler (and faster)
Booting into the bootloader
• On a typical Android device you can boot into the
bootloader by:
• powering on while pressing various buttons (Google
for details)
• from a running device, typing:
$ adb reboot-bootloader
• Once the device has booted into the bootloader you
can use the fastboot command on the development
machine to communicate with it
fastboot commands (1/3)
Basic commands
Command Description
devices List devices attached that will accept fastboot commands
getvar Get a variable
continue Continue boot process as normal
reboot Reboot device
reboot-bootloader Reboot back into bootloader
fastboot commands (2/3)
Flashing commands
Command                         Description
erase <partition>               Erase <partition>
flash <partition>               Erase and program <partition> with <partition>.img of current product
flash <partition> <filename>    Erase and program <partition> with <filename>
flashall                        Erase and program [Link], [Link] and [Link] of current product and then reboot
Where
<partition> is one of boot, recovery, system, userdata, cache
current product is $ANDROID_PRODUCT_OUT
Note: the location and size of partitions is hard-coded in the bootloader
fastboot commands (3/3)
Special commands
Command Description
oem Device-specific operations
boot <kernel> <ramdisk> Load and boot kernel and ramdisk
Example:
$ fastboot -c "kernel command line" boot zImage [Link]
fastboot variables
The getvar command should return values for at least
these variables:
Variable              Meaning
version               Version of the protocol: 0.4 is the one documented
version-bootloader    Version string of the Bootloader
version-baseband      Version string of the Baseband Software
product               Name of the product
serialno              Product serial number
secure                If "yes" the bootloader requires signed images
Unlocking the bootloader
• Most devices ship with the bootloader locked
• fastboot getvar secure returns true
• Unlocking - where it is allowed - is device specific
• For example, on recent Nexus devices you use a
fastboot oem command
$ fastboot oem unlock
• Answer yes to the on-screen prompt
• For security reasons, this wipes the data and cache
partitions
What goes where?
[Link]: read-only ramdisk
  /init
  /[Link]
  /system
  /data
  /cache
[Link]: read-only
  /app            built-in Android apps
  /bin            native binaries
  /framework      Java components of framework
  /lib            native libraries
  ...
[Link]: read-write
  /app            user-installed Android apps
  /data           persistent data
  /dalvik-cache   optimised Dex files
  ...
[Link]: read-write
  /backup         place to back up app data
  /recovery       logs used in recovery mode
Flash memory devices
• In almost all cases data is stored in flash memory
• There are two main types
• Raw NAND flash, where the chips are accessed
directly by Linux
• Managed flash, which contains an on-chip controller
• Managed flash is the most common
• Examples:
• MMC, SD and MicroSD cards: removable storage
• eMMC (embedded MMC): same electrical interface
as MMC, but packaged as a chip
• UFS (Universal Flash Storage): similar to eMMC, but
faster and with a SCSI command set
Raw NAND flash
• NAND flash chips are accessed via the Linux MTD
(Memory Technology Device) drivers
• Partitions are named /dev/block/mtdblockN where N
is the partition number
• /proc/mtd lists the partitions and sizes
# cat /proc/mtd
dev: size erasesize name
mtd0: 05660000 00020000 "system"
mtd1: 04000000 00020000 "userdata"
mtd2: 04000000 00020000 "cache"
File systems for raw NAND flash
• Flash translation layer implemented in the filesystem
• NAND flash devices require special filesystem
support, such as:
• jffs2 (Journalling Flash File System 2)
• Note: incompatible with the Android run-time (no
writable mmapped files)!
• yaffs2 (Yet Another Flash File System 2)
• ubifs (Unsorted Block Image File System)
• Most Android devices with NAND flash use yaffs2
SD and eMMC
• Flash translation layer implemented in the chip
• The controller chip splits flash memory into 512-byte
sectors just like hard drives
• Accessed via the Linux mmcblock driver
• Partition device nodes have names of the form
mmcblk[chip number]p[partition number]
• For example:
/dev/block/mmcblk0p3 /system
/dev/block/mmcblk0p8 /data
/dev/block/mmcblk0p4 /cache
File systems for eMMC
• eMMC devices "look" like hard drives
• Use the same filesystem types
• The preferred type in most Android devices is ext4
• Alternative: F2FS (Flash Friendly File System)
• Developed by Samsung, and deployed on some of
their devices
• Faster file writes than ext4
SD cards and other removable media
• This includes MMC, SD, microSD and USB flash
drives
• For compatibility with other operating systems they
come pre-formatted with FAT32
• Use the Linux vfat driver
Delving deeper
• This is an excerpt from my Android Porting class
• If you would like to find out more secrets of Android,
visit [Link] and
book a course