Article reprinted link:
https://blog.csdn.net/RadianceBlau/article/details/73229005
For embedded engineers understand chip startup process is very necessary in the analysis, debugging problems are likely when it comes to this knowledge, and this knowledge is part of the more complex, because it involves internal to the chip architecture, start all phases of software code execution, and start mode and so on. Below the more common startup Qualcomm MSM8953 chip, for example, macro analysis, the following is to start the process:
(1) processor core
The above can be seen from the block diagram of the processor has MSM8953 5, respectively:
- APPS, Cortex A53 core, running android;
- RPM (Resource Power Manager), CortexM3 core, mainly for low power applications;
- Modem (MSS_QDSP6), high-pass its own instruction set processors, processing 3G, 4G communication protocol;
- Pronto (WCNSS), wifi relevant code processing;
- LPASS, audio-related.
Corresponding to the following chip hardware configuration diagram of each processor in a block diagram of view is very clear:
(2) Start image description
- PBL (Primary Boot Loader), located in rom is really the first line of code on the chip after power has, in the normal boot process will load SBL1. If you start a 9008 virtual port exception for emergency Download (force_boot_from_usb pin (MSM8953 is gpio37 on the short board) to 1.8v can be forced into an emergency download mode);
- SBL1 (Second BootLoader stage 1), eMMC located in the loading of PBL, initialization buses, DDR, clocks and the like, will be a virtual port 9006, can not be switched to dump ram;
- QSEE / TrustZone, safety-related, such as FUSE;
- DEVCFG OEM configuration information (e.g. OEMLock);
- Debug Policy Commissioning;
- APPSBL, 即为BootLoader,目前使用LK(littlekernel);
- HLOS(High LevelOperating System) ,即为Linux/Android;
- Modem PBL,即为Modem处理器的PBL;
- MBA(Modem BootAuthenticator),Modem处理器启动鉴权。
(3)启动流程
- 系统上电,使MSM8953从上电复位开始运行。
- 在Cortex A53中运行的PBL会加载:
a、从启动设备(如eMMC)加载SBL1 segment1到L2(即为TCM);
b、加载SBL1 segment2到RPM处理器的RAM中。
- SBL1 segment1会初始化DDR,然后完成如下加载:
a、从启动设备加载QSEE image到DDR;
b、从启动设备加载DEVCFG image到DDR;
c、从启动设备加载Debug Policy image到DDR;
d、从启动设备加载HLOS APPSBL image到DDR;
e、从启动设备加载RPMfirmware image到RPM的RAM中。
- SBL1移交运行控制权给QSEE。QSEE建立安全运行环境,配置xPU,支持fuse。
a、SBL1运行在AArch32模式,而QSEE运行在AArch64模式。为了切换到AArch64模式,SBL1会启动重映射器,操作RMR寄存器,然后触发warm-reset,QSEE就能够运行在AArch64模式了。
- QSEE通知RPM启动RPM 固件的执行。
- QSEE移交运行控制权给HLOS APPSBL:
a、 APPSBL只能在AArch32模式开始运行;
b、这时AArch32的运行模式切换是在EL3/Monitor模式完成的。通过查看APPSBL的ELF头能够得知其需要运行在32位指令集架构下。EL3/Monitor模式改变到32位模式,然后再启动APPSBL。
- APPSBL加载、验证kernel。APPSBL通过SCM调用改变到HLOS kernel需要的AArch64模式。这和之前LK直接跳转到kernel运行是不同的。
- HLOS kernel通过PIL加载MBA到DDR。
- HLOS kernel对Hexagon modem DSP进行解复位。
- Modem PBL继续它的启动。
- HLOS kernel 通过PIL加载AMSS modemimage到DDR。
- Modem PBL验证MBA然后跳转到MBA。
- HLOS通过PIL加载WCNSS(Pronto)image到DDR。
- HLOS对WCNSS(Pronto)进行解复位以便Prontoimage开始执行。
- HLOS通过PIL加载LPASS image到DDR。
- HLOS对LPSAA进行解复位以便LPASSimage开始执行。
下面是流程的简化图,其中区分了AArch32和AArch64位的QSEE/TrustZone:
(4)关于eMMC和DDR的初始化时间问题
从上面的描述中已经可以看清,为避免迷惑,在分离出来看看:
- PBL中是含有eMMC驱动的,有访问eMMC的能力,自身运行在MCU内部SRAM中;
- 除了PBL程序的img在MCU片内ROM外,其余img均存储在eMMC中;
- PBL首先从eMMC加载SBL1到L2(内部缓存并非DDR),SBL1同样运行在片内SRAM;
- 有SBL1初始化DDR各种时序后,DDR自此可用(eMMC一直可用);
- 再由SBL1加载其余各个img到DDR,然后按照linux的正常顺序启动。
关于ARMv8架构的知识,推荐如下博客: