{{Short description|Boot for Android devices}}
The booting process of Android devices starts at the power-on of the SoC (system on a chip) and ends when the home screen becomes visible, or when the device enters a special mode such as recovery, fastboot, or Odin mode on Samsung devices.{{efn|These modes tend to support a feature to resume regular booting}} The boot process of devices that run Android is influenced by the firmware design of the SoC manufacturers.

== Background ==
As of 2018, 90% of the SoCs of the Android market are supplied by either Qualcomm, Samsung or MediaTek.<ref name=":2">{{Cite book|last1=Garri|first1=Khireddine|last2=Kenaza|first2=Tayeb|last3=Aissani|first3=Mohamed|title=2018 International Conference on Smart Communications in Network Technologies (SaCoNeT) |chapter=A Novel approach for bootkit detection in Android Platform |date=October 2018|chapter-url=http://dx.doi.org/10.1109/saconet.2018.8585583|pages=277–282|publisher=IEEE|doi=10.1109/saconet.2018.8585583|isbn=978-1-5386-9493-0|s2cid=56718094}}</ref> Other vendors include UNISOC, Rockchip, Marvell, Nvidia and previously Texas Instruments.

== History ==
Verified boot, a booting security measure, was introduced with Android KitKat.<ref>{{Cite web|last1=Edge |first1=Jake |title=Android Verified Boot [LWN.net]|url=https://lwn.net/Articles/638627/|url-status=live|access-date=2021-09-25|website=LWN.net|date=April 2015 |archive-url=https://web.archive.org/web/20150422212411/http://lwn.net/Articles/638627/|archive-date=2015-04-22}}</ref>

== Stages ==

=== Primary Bootloader ===
The Primary Bootloader (PBL), which is stored in the Boot ROM,<ref>{{Cite book|last1=Yuan|first1=Pengfei|last2=Guo|first2=Yao|last3=Chen|first3=Xiangqun|last4=Mei|first4=Hong|title=2018 6th IEEE International Conference on Mobile Cloud Computing, Services, and Engineering (MobileCloud) |chapter=Device-Specific Linux Kernel Optimization for Android Smartphones |date=March 2018|pages=65–72|doi=10.1109/MobileCloud.2018.00018|isbn=978-1-5386-4879-7|s2cid=13742883}}</ref> is the first stage of the boot process. This code is written by the chipset manufacturer.<ref name=":3">{{Cite journal|last=Hay|first=Roee|date=2017-08-14|title=fastboot oem vuln: android bootloader vulnerabilities in vendor customizations|url=https://dl.acm.org/doi/10.5555/3154768.3154790|journal=Proceedings of the 11th USENIX Conference on Offensive Technologies|series=WOOT'17|location=Vancouver, BC, Canada|publisher=USENIX Association|pages=22}}</ref>

The PBL verifies the authenticity of the next stage.

On Samsung smartphones, the Samsung Secure Boot Key (SSBK) is used by the boot ROM to verify the next stages.<ref>{{Cite journal|date=2018-03-01|title=Forensics acquisition — Analysis and circumvention of samsung secure boot enforced common criteria mode|url=https://www.sciencedirect.com/science/article/pii/S1742287618300409|journal=Digital Investigation|language=en|volume=24|pages=S60–S67|doi=10.1016/j.diin.2018.01.008|issn=1742-2876|last1=Alendal|first1=Gunnar|last2=Dyrkolbotn|first2=Geir Olav|last3=Axelsson|first3=Stefan|hdl=11250/2723051|hdl-access=free}}</ref>

On SoCs from Qualcomm, it is possible to enter the Qualcomm Emergency Download Mode from the primary bootloader.

If verification of the secondary bootloader fails, the PBL enters EDL.<ref>{{Cite web|date=2018-01-22|title=Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals|url=https://alephsecurity.com/2018/01/22/qualcomm-edl-1/|access-date=2021-09-13|website=alephsecurity.com|language=en}}</ref><ref>{{cite web | title=Qualcomm Documentation | url=https://docs.qualcomm.com/bundle/publicresource/topics/80-70014-254/flash_images_unregistered.html#move-to-edl-mode | access-date=February 26, 2025}}</ref>

=== Secondary Bootloader ===
Because the space in the boot ROM is limited, a secondary bootloader on the eMMC or eUFS is used.<ref name=":1">{{Cite book|last1=Yuan|first1=Pengfei|last2=Guo|first2=Yao|last3=Chen|first3=Xiangqun|last4=Mei|first4=Hong|title=2018 6th IEEE International Conference on Mobile Cloud Computing, Services, and Engineering (MobileCloud) |chapter=Device-Specific Linux Kernel Optimization for Android Smartphones |date=March 2018|chapter-url=http://dx.doi.org/10.1109/mobilecloud.2018.00018|pages=65–72|publisher=IEEE|doi=10.1109/mobilecloud.2018.00018|isbn=978-1-5386-4879-7|s2cid=13742883}}</ref> The secondary bootloader initializes TrustZone.<ref name=":1" /><ref name=":0">{{Cite book|last1=Kanonov|first1=Uri|last2=Wool|first2=Avishai|title=Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices |chapter=Secure Containers in Android |date=2016-10-24|chapter-url=http://dx.doi.org/10.1145/2994459.2994470|series=SPSM '16|pages=3–12|location=New York, NY, USA|publisher=ACM|doi=10.1145/2994459.2994470|isbn=9781450345644|s2cid=8510729}}</ref>

On the Qualcomm MSM8960 for example, the Secondary Bootloader 1 loads the Secondary Bootloader 2. The Secondary Bootloader 2 loads TrustZone and the Secondary Bootloader 3.<ref>{{Cite book|last=Tao|first=Chen, Yue Zhang, Yulong Wang, Zhi Wei|title=Downgrade Attack on TrustZone|date=2017-07-17|oclc=1106269801}}</ref>

Qualcomm's SBL is now called XBL, which is a UEFI implementation; on smartphone and tablet devices, XBL is usually an EDK2 implementation.

Qualcomm formerly used LK (Little Kernel) plus Aboot and now uses XBL (eXtensible Bootloader) plus ABL; Samsung Exynos uses S-Boot; very old MediaTek SoCs use Das U-Boot and recent MediaTek SoCs use UEFI.<ref name=":2" /> Little Kernel is a microkernel for embedded devices, which has been modified by Qualcomm and MediaTek to use it as a bootloader.<ref>{{Cite book|last=Tang|first=Qinghao|title=Internet of things security: principles and practice|date=2021|others=Fan Du|isbn=978-981-15-9942-2|location=Singapore|pages=166|oclc=1236261208}}</ref> The Android Bootloader (Aboot or ABL) implements the fastboot interface. Android Bootloader verifies the authenticity of the boot and recovery partitions.<ref name=":3" /> By pressing a specific key combination, devices can also boot in recovery mode. Android Bootloader then transfers control to the Linux kernel.

=== Kernel and initramfs ===
{{See also|Booting process of Linux}}
The initramfs is a gzipped cpio archive that contains a small root file system. It contains init, which is executed. The Android kernel is a modified version of the Linux kernel. Init then mounts the partitions. dm-verity verifies the integrity of the partitions that are specified in the fstab file. dm-verity is a Linux kernel module that was introduced by Google in Android version 4.4. The stock implementation only supports block-based verification, but Samsung has added support for files.<ref name=":0" />
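
The following added example (not from the cited sources or from the kernel) sketches the block-based verification that dm-verity performs: every data block is hashed into a tree of hash blocks, and a block read is accepted only if its path hashes up to a trusted root hash. The 4096-byte block size, SHA-256 with a prepended salt, and the in-memory layout are assumptions of this sketch, not the kernel's on-disk format.

```python
import hashlib

BLOCK = 4096                                 # data/hash block size in this sketch
DIGEST = hashlib.sha256().digest_size        # 32 bytes
FANOUT = BLOCK // DIGEST                     # 128 digests fit in one hash block

def salted_hash(salt, block):
    return hashlib.sha256(salt + block).digest()

def build_tree(data, salt):
    """Return (root_hash, levels); levels[0] covers the data blocks."""
    if not data or len(data) % BLOCK:
        raise ValueError("data must be a non-empty multiple of BLOCK")
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    levels = []
    while True:
        digests = b"".join(salted_hash(salt, b) for b in blocks)
        # Pack the digests into zero-padded hash blocks for the next level up.
        blocks = [digests[i:i + BLOCK].ljust(BLOCK, b"\0")
                  for i in range(0, len(digests), BLOCK)]
        levels.append(blocks)
        if len(blocks) == 1:
            return salted_hash(salt, blocks[0]), levels

def verify_block(index, block, levels, root_hash, salt):
    """Check one data block at read time by walking up to the trusted root."""
    digest = salted_hash(salt, block)
    for level in levels:
        hash_block = level[index // FANOUT]
        off = (index % FANOUT) * DIGEST
        if hash_block[off:off + DIGEST] != digest:
            return False
        digest = salted_hash(salt, hash_block)
        index //= FANOUT
    return digest == root_hash

def demo():
    salt = b"constructed-salt"
    # Constructed 130-block "partition": large enough to need two tree levels.
    data = b"".join(bytes([i]) * BLOCK for i in range(130))
    root, levels = build_tree(data, salt)
    clean = verify_block(129, data[129 * BLOCK:130 * BLOCK], levels, root, salt)
    evil = b"\xff" * BLOCK                   # modified contents for block 129
    tampered = verify_block(129, evil, levels, root, salt)
    # Stored leaf digest rewritten to match the modified block: the parent level fails.
    forged = [list(level) for level in levels]
    forged[0][1] = forged[0][1][:32] + salted_hash(salt, evil) + forged[0][1][64:]
    patched = verify_block(129, evil, forged, root, salt)
    return len(levels), clean, tampered, patched
```

The root hash is the only value that has to be trusted; in a verified boot chain it is the part covered by the earlier stages' authenticity check.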

=== Zygote ===
{{See also|Bionic (software)#Components}}
Zygote, which is responsible for starting Android applications and service processes, is spawned by the init process. It loads and initializes into the heap the classes that are expected to be used very often, for example the dex data structures of libraries. After Zygote has started, it listens for commands on a socket. When a new application is to be started, a command is sent to Zygote, which executes a fork() system call.{{cn|date=September 2021}}

== Partition layout ==
The Android system is divided across different partitions.<ref>{{Cite journal|last1=Alendal|first1=Gunnar|last2=Dyrkolbotn|first2=Geir Olav|last3=Axelsson|first3=Stefan|date=March 2018|title=Forensics acquisition — Analysis and circumvention of samsung secure boot enforced common criteria mode|url=http://dx.doi.org/10.1016/j.diin.2018.01.008|journal=Digital Investigation|volume=24|pages=S60–S67|doi=10.1016/j.diin.2018.01.008|issn=1742-2876|hdl=11250/2723051|hdl-access=free}}</ref>

The Qualcomm platform makes use of the GUID partition table. This specification is part of the UEFI specification, but does not depend on UEFI firmware.<ref>{{Cite book|last1=Zhao|first1=Longze|last2=Xi|first2=Bin|last3=Wu|first3=Shunxiang|last4=Aizezi|first4=Yasen|last5=Ming|first5=Daodong|last6=Wang|first6=Fulin|last7=Yi|first7=Chao|title=Proceedings of the 2nd International Conference on Computer Science and Application Engineering |chapter=Physical Mirror Extraction on Qualcomm-based Android Mobile Devices |date=2018|chapter-url=http://dx.doi.org/10.1145/3207677.3278046|series=Csae '18|pages=1–5|location=New York, New York, USA|publisher=ACM Press|doi=10.1145/3207677.3278046|isbn=9781450365123|s2cid=53038902}}</ref>
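
Because the GUID partition table is a self-describing on-disk structure, it can be read from a raw image with no UEFI firmware involved. The added example below (not from the cited sources) parses a GPT header and entry array and checks both CRC32 values before trusting the layout; the 512-byte sector size, the sample image and its partition names and LBAs are constructed for illustration.

```python
import struct
import zlib

SECTOR = 512                                   # assumed logical block size
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")      # 92-byte GPT header
ENT = struct.Struct("<16s16sQQQ72s")           # 128-byte partition entry

def parse_gpt(img):
    """Return [(name, first_lba, last_lba)] after checking both GPT CRC32s."""
    (sig, _rev, hsize, hcrc, _rsv, _cur, _bak, _first, _last, _guid,
     table_lba, count, esize, table_crc) = HDR.unpack_from(img, SECTOR)
    if sig != b"EFI PART" or hsize < HDR.size or esize < ENT.size:
        raise ValueError("not a GPT header")
    hdr = bytearray(img[SECTOR:SECTOR + hsize])
    hdr[16:20] = bytes(4)                      # CRC is computed with its own field zeroed
    if zlib.crc32(hdr) != hcrc:
        raise ValueError("header CRC mismatch")
    table = img[table_lba * SECTOR:table_lba * SECTOR + count * esize]
    if len(table) != count * esize or zlib.crc32(table) != table_crc:
        raise ValueError("partition table CRC mismatch")
    parts = []
    for i in range(count):
        ptype, _uid, first, last, _attr, name = ENT.unpack_from(table, i * esize)
        if ptype != bytes(16):                 # all-zero type GUID marks an unused slot
            parts.append((name.decode("utf-16-le").rstrip("\0"), first, last))
    return parts

def build_sample(names):
    """Constructed image: zeroed LBA 0, header at LBA 1, 4-entry table at LBA 2."""
    table = b"".join(
        ENT.pack(bytes([i + 1]) * 16, bytes([i + 0x80]) * 16,
                 34 + 8 * i, 41 + 8 * i, 0, n.encode("utf-16-le"))
        for i, n in enumerate(names)).ljust(4 * ENT.size, b"\0")
    f = [b"EFI PART", 0x10000, HDR.size, 0, 0, 1, 127, 34, 100,
         b"\x11" * 16, 2, 4, ENT.size, zlib.crc32(table)]
    f[3] = zlib.crc32(HDR.pack(*f))            # header CRC over the zeroed-CRC header
    return bytes(SECTOR) + HDR.pack(*f).ljust(SECTOR, b"\0") + table
```

The CRC32 values detect accidental corruption only; they are not an authenticity check, which is the job of the verified boot stages described above.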

== See also ==
* coreboot
* Booting process of Linux
* Booting process of macOS
* Booting process of Windows

== Explanatory notes ==
{{notelist}}

== References ==
{{Reflist}}

== External links ==

* [https://source.android.com/security/verifiedboot/boot-flow Android.com - Boot Flow]
* [https://source.android.com/devices/automotive/power/boot_time Managing Boot Time]
* [https://osg.wiki/books/all-about-deados/page/qualcomm-bootloaders Qualcomm Bootloaders]
* [https://lineageos.org/engineering/Qualcomm-Firmware/ Qualcomm's Chain of Trust]
* [https://www.qualcomm.com/media/documents/files/secure-boot-and-image-authentication-technical-overview-v2-0.pdf Secure Boot and Image Authentication]
* [https://www.timesys.com/security/secure-boot-snapdragon-410/ Secure boot on Snapdragon 410]
* [https://blog.quarkslab.com/analysis-of-qualcomm-secure-boot-chains.html Analysis of Qualcomm Secure Boot Chains]
* [https://github.com/msm8916-mainline/qhypstub msm8916-mainline/qhypstub]
* [https://dev.to/larsonzhong/android-system-init-process-startup-and-init-rc-full-analysis-22hi Android system init process startup and init.rc full analysis]
* [https://android.googlesource.com/platform/system/core/+/master/init/README.md Android Init Language]

{{Android}} {{Firmware and booting}}

Category:Android (operating system) Category:Booting processes Category:Boot loaders