A detailed look at the boot process

From t-hack.com - Hack X300T / X301T
Jump to: navigation, search
  • The XPU starts and executes the Code from the Boot ROM
  • The XPU boot ROM code verifies the encrypted and signed internal 512kb serial flash contents and loads the XOS
  • The XOS tries to find a valid xenv block on the parallel flash at offset 0. It will try CS2 16 bits, CS3 16 bits, CS2 8 bits, CS3 8 bits. If no xenv block is found it sets up an infinite loop for the host cpu and starts it.
  • The XOS sets up the PLL and DRAM using the xenv settings
  • The XOS executes the xrpc referenced by the x.boot setting (decrypts the bootloader and stores it at the address specified by the xrpc header)
  • The XOS remaps the host cpu boot address to the bootloader load address via CPU_remap_address, i.e. the load address 0x10800000 gets remapped to 0x1fc00000 (= 0xbfc00000) which is the mips reset exception vector address where the host cpu starts executing code after a reset
  • The XOS stores the gbus address for the used xenv block at LR_XENV_LOCATION in the host cpu local ram (0x61ff0)
  • The XOS starts the host cpu
Personal tools