lk启动流程详细分析

转载请注明来源：cuixiaolei的技术博客

 

 

这篇文章是lk启动流程分析（以高通为例），将会详细介绍下面的内容：

1).正常开机引导流程

2).recovery引导流程

3).fastboot引导流程

4).ffbm引导流程

5).lk向kernel传参

 

start----------------------------------------

 

在bootable/bootloader/lk/arch/arm/crt0.S文件中有下面代码，所以从kmain()开始介绍

bl        kmain

kmain函数位于bootable/bootloader/lk/kernel/main.c

/* called from crt0.S */
void kmain(void) __NO_RETURN __EXTERNALLY_VISIBLE;
void kmain(void)
{
    // get us into some sort of thread context
    thread_init_early();          //初始化线程上下文

#ifdef FEATURE_AFTER_SALE_LOG_LK
    // do console early init
    console_init_early();          //初始化控制台
#endif

    // early arch stuff
    arch_early_init();          //架构初始化，如关闭cache，使能mmu

    // do any super early platform initialization
    platform_early_init();         //平台早期初始化

    // do any super early target initialization
    target_early_init();               //目标设备早期初始化,初始化串口

    dprintf(INFO, "welcome to lk

");
    bs_set_timestamp(BS_BL_START);           

    // deal with any static constructors
    dprintf(SPEW, "calling constructors
");
    call_constructors();

    // bring up the kernel heap
    dprintf(SPEW, "initializing heap
");
    heap_init();                      //堆初始化

    __stack_chk_guard_setup();

    // initialize the threading system
    dprintf(SPEW, "initializing threads
");
    thread_init();                     //线程初始化

#ifdef FEATURE_AFTER_SALE_LOG_LK
    // initialize the console layer

    dprintf(SPEW, "initializing console layer
");
    console_init();           //初始化控制台
#endif

    // initialize the dpc system
    dprintf(SPEW, "initializing dpc
");
    dpc_init();                        //lk系统控制器初始化

    // initialize kernel timers
    dprintf(SPEW, "initializing timers
");
    timer_init();                //kernel时钟初始化

#if (!ENABLE_NANDWRITE)
    // create a thread to complete system initialization
    dprintf(SPEW, "creating bootstrap completion thread
");
    thread_resume(thread_create("bootstrap2", &bootstrap2, NULL, DEFAULT_PRIORITY, DEFAULT_STACK_SIZE));     //创建一个线程初始化系统

    // enable interrupts
    exit_critical_section();       //使能中断

    // become the idle thread
    thread_become_idle();      //本线程切换成idle线程，idle为空闲线程，当没有更高优先级的线程时才执行
#else
        bootstrap_nandwrite();
#endif
}

arch_early_init()负责使能内存管理单元mmu

bootable/bootloader/lk/arch/arm/arch.c
void arch_early_init(void)
{
    /* turn off the cache */
    arch_disable_cache(UCACHE);      //关闭cache

    /* set the vector base to our exception vectors so we dont need to double map at 0 */
#if ARM_CPU_CORTEX_A8
    set_vector_base(MEMBASE);       //设置异常向量基地址
#endif

#if ARM_WITH_MMU
    arm_mmu_init();       //使能mmu

#endif

    /* turn the cache back on */
    arch_enable_cache(UCACHE);      //打开cache

#if ARM_WITH_NEON
    /* enable cp10 and cp11 */
    uint32_t val;
    __asm__ volatile("mrc    p15, 0, %0, c1, c0, 2" : "=r" (val));
    val |= (3<<22)|(3<<20);
    __asm__ volatile("mcr    p15, 0, %0, c1, c0, 2" :: "r" (val));

    isb();

    /* set enable bit in fpexc */
    __asm__ volatile("mrc  p10, 7, %0, c8, c0, 0" : "=r" (val));
    val |= (1<<30);
    __asm__ volatile("mcr  p10, 7, %0, c8, c0, 0" :: "r" (val));
#endif

#if ARM_CPU_CORTEX_A8
    /* enable the cycle count register */
    uint32_t en;
    __asm__ volatile("mrc    p15, 0, %0, c9, c12, 0" : "=r" (en));
    en &= ~(1<<3); /* cycle count every cycle */
    en |= 1; /* enable all performance counters */
    __asm__ volatile("mcr    p15, 0, %0, c9, c12, 0" :: "r" (en));

    /* enable cycle counter */
    en = (1<<31);
    __asm__ volatile("mcr    p15, 0, %0, c9, c12, 1" :: "r" (en));
#endif
}

platform_early_init()平台早期初始化，初始化平台的时钟和主板

bootableootloaderlkplatformmsm8952platform.c
void platform_early_init(void)
{
    board_init(); //主板初始化
    platform_clock_init(); //时钟初始化
    qgic_init();
    qtimer_init(); 
}

 

从代码可知，会创建一个bootstrap2线程，并使能中断

static int bootstrap2(void *arg)
{
    dprintf(SPEW, "top of bootstrap2()
");

    arch_init();     //架构初始化，此函数为空，什么都没做

    // XXX put this somewhere else
#if WITH_LIB_BIO
    bio_init();
#endif
#if WITH_LIB_FS
    fs_init();
#endif

    // initialize the rest of the platform
    dprintf(SPEW, "initializing platform
");
    platform_init();           // 平台初始化,不同的平台要做的事情不一样，可以是初始化系统时钟,超频等

    // initialize the target
    dprintf(SPEW, "initializing target
");
    target_init();            //目标设备初始化,主要初始化Flash,整合分区表等

    dprintf(SPEW, "calling apps_init()
");
    apps_init();           //应用功能初始化，主要调用boot_init，启动kernel，加载boot/recovery镜像等

    return 0;
}

apps_init()通过下面方式进入aboot_init()函数
APP_START(aboot)
.init = aboot_init,
APP_END

bootable/bootloader/lk/app/app.cvoid apps_init(void)
{
    const struct app_descriptor *app;

    /* call all the init routines */
    for (app = &__apps_start; app != &__apps_end; app++) {
        if (app->init)
            app->init(app);
    }

    /* start any that want to start on boot */
    for (app = &__apps_start; app != &__apps_end; app++) {
        if (app->entry && (app->flags & APP_FLAG_DONT_START_ON_BOOT) == 0) {
            start_app(app);
        }
    }
}

 

 

从这里开始是这篇文章的重点，分析aboot.c文件。每个项目的文件可能会有不同，但是差别会很小。

bootable/bootloader/lk/app/aboot/aboot.c

void aboot_init(const struct app_descriptor *app)
{
    unsigned reboot_mode = 0;
    unsigned restart_reason = 0;
    unsigned hard_reboot_mode = 0;
    bool boot_into_fastboot = false;
    uint8_t pon_reason = pm8950_get_pon_reason();                   //pm8950_get_pon_reason()  获取开机原因

    /* Setup page size information for nv storage */
    if (target_is_emmc_boot())             //检测是emmc还是flash存储，并设置页大小，一般是2048
    {
        page_size = mmc_page_size();
        page_mask = page_size - 1;
    }
    else
    {
        page_size = flash_page_size();
        page_mask = page_size - 1;
    }

    ASSERT((MEMBASE + MEMSIZE) > MEMBASE);           //断言，如果内存基地址+内存大小小于内存基地址，则直接终止错误

    read_device_info(&device);                 //从devinfo分区表read data到device结构体            
    read_allow_oem_unlock(&device);            //devinfo分区里记录了unlock状态，从device中读取此信息

    /* Display splash screen if enabled */
    if (!check_alarm_boot()) {           
        dprintf(SPEW, "Display Init: Start
");
        target_display_init(device.display_panel);          //显示splash，Splash也就是应用程序启动之前先启动一个画面,上面简单的介绍应用程序的厂商,厂商的LOGO,名称和版本等信息,多为一张图片     
        dprintf(SPEW, "Display Init: Done
");
    }



#ifdef FEATURE_LOW_POWER_DISP_LK
    if(is_low_voltage) {           //如果电量低，则显示关机动画，并关闭设备
        mdelay(2000);
        //target_uninit();
        target_display_shutdown();
        shutdown_device();
    }
#endif

    is_alarm_boot = check_alarm_boot();                           //检测开机原因是否是由于关机闹钟导致

    target_serialno((unsigned char *) sn_buf);
    dprintf(SPEW,"serial number: %s
",sn_buf);

    memset(display_panel_buf, '', MAX_PANEL_BUF_SIZE);      

    /*
     * Check power off reason if user force reset,
     * if yes phone will do normal boot.
     */
    if (is_user_force_reset())                                        //如果强制重启，直接进入normal_boot
        goto normal_boot;
    dprintf(ALWAYS, "pon_reason=0x%02x
", pon_reason);

    /* Check if we should do something other than booting up */
    if ( (pon_reason & USB_CHG)                 //启动原因是插上USB，并且用户同时按住了音量上下键，进入下载模式
        && (keys_get_state(KEY_VOLUMEUP) && keys_get_state(KEY_VOLUMEDOWN)))

    {


            display_dloadimage_on_screen();          //显示下载模式图片
            volume_keys_init();             //初始化音量按键
            int i = 0;
            int j = 0;
            int k = 0;
            dload_flag = 1 ;
            while(1)            //进入下载模式后，通过不同的按键组合进入不同的模式，下面的代码逻辑很简单，就不介绍了
            {
                thread_sleep(200);
                //dprintf(ALWAYS, "in while circle
");
                if ( check_volume_up_key() && !check_volume_down_key() && !check_power_key() )
                {
                    /* Hold volume_up_key 3 sec to download mode, if not enough, need to hold another 3 sec. */
                    for(i = 0;i < 15;++i)
                    {
                        thread_sleep(200);
                        if (!check_volume_up_key())
                        {
                            dprintf(ALWAYS, "press volume_up not enough time
");
                            break;
                        }
                    }
                    if(i == 15)
                    {
                        break;
                    }
                }
                else if (check_power_key() && !check_volume_up_key() && !check_volume_down_key())
                    {
                       /* Hold power_key 1 sec to normal boot, if not enough, need to hold another 1 sec. */
                       for(j = 0;j < 5;++j)
                        {
                            thread_sleep(200);
                            if (!check_power_key())
                            {
                                //dprintf(ALWAYS, "press power_key not enough time
");
                                break;
                            }
                        }
                        if(j == 5)
                        {
                            goto normal_boot;
                        }
                    }
                    else if (!check_volume_down_key() && !check_volume_up_key() && !check_power_key())
                        {
                            /* Hold no key and go to normal boot 30 sec later. */
                            for(k = 0;k < 150;++k)
                            {
                                thread_sleep(200);
                                if (check_power_key() || check_volume_up_key())
                                {
                                    //dprintf(ALWAYS, "press nothing
");
                                    break;
                                }
                            }
                            if(k == 150)
                            {
                                //dprintf(ALWAYS, "goto normal_boot
");
                                goto normal_boot;
                            }
                        }
            }



        dprintf(CRITICAL,"dload mode key sequence detected
");
        if (set_download_mode(EMERGENCY_DLOAD))
        {
            dprintf(CRITICAL,"dload mode not supported by target
");
        }
        else
        {
            reboot_device(DLOAD);
            dprintf(ALWAYS,"Failed to reboot into dload mode
");
        }
        boot_into_fastboot = true;         //下载模式本质上是进入fastboot
    }

    if (!boot_into_fastboot)    //如果不是通过usb+上下键进入下载模式
    {
        if (keys_get_state(KEY_HOME) || (keys_get_state(KEY_VOLUMEUP) && !keys_get_state(KEY_VOLUMEDOWN))) //上键+电源键 进入recovery模式
        {
            boot_into_recovery = 1;
            struct recovery_message msg;
            strcpy(msg.recovery, "recovery
--show_text");
         

        }

        if (!boot_into_recovery &&
            (keys_get_state(KEY_BACK) || (keys_get_state(KEY_VOLUMEDOWN) && !keys_get_state(KEY_VOLUMEUP))))   //下键+back键进入fastboot模式，我的手机是有back实体键的
            boot_into_fastboot = true;
    }


    reboot_mode = check_reboot_mode();                          //检测开机原因，并且修改相应的标志位
    hard_reboot_mode = check_hard_reboot_mode();
    if (reboot_mode == RECOVERY_MODE ||
        hard_reboot_mode == RECOVERY_HARD_RESET_MODE) {
        boot_into_recovery = 1;
    } else if(reboot_mode == FASTBOOT_MODE ||
        hard_reboot_mode == FASTBOOT_HARD_RESET_MODE) {
        boot_into_fastboot = true;
    } else if(reboot_mode == ALARM_BOOT ||
        hard_reboot_mode == RTC_HARD_RESET_MODE) {
        boot_reason_alarm = true;

    }
    else if (reboot_mode == DM_VERITY_ENFORCING)
    {
        device.verity_mode = 1;
        write_device_info(&device);
    } else if(reboot_mode == DM_VERITY_LOGGING) {
        device.verity_mode = 0;
        write_device_info(&device);
    } else if(reboot_mode == DM_VERITY_KEYSCLEAR) {
        if(send_delete_keys_to_tz())
            ASSERT(0);
    }

normal_boot:
    if(dload_flag){
        display_image_on_screen();                 //显示界面，上面提到过
    }
    if (!boot_into_fastboot)  //如果不是fastboot模式
    {
        if (target_is_emmc_boot())
        {
            if(emmc_recovery_init())
                dprintf(ALWAYS,"error in emmc_recovery_init
");
            if(target_use_signed_kernel())
            {
                if((device.is_unlocked) || (device.is_tampered))
                {
                #ifdef TZ_TAMPER_FUSE
                    set_tamper_fuse_cmd();
                #endif
                #if USE_PCOM_SECBOOT
                    set_tamper_flag(device.is_tampered);
                #endif
                }
            }

            boot_linux_from_mmc();     //程序会跑到这里，又一个重点内容，下面会独立分析这个函数。
        }
        else
        {
            recovery_init();
    #if USE_PCOM_SECBOOT
        if((device.is_unlocked) || (device.is_tampered))
            set_tamper_flag(device.is_tampered);
    #endif
            boot_linux_from_flash();
        }
        dprintf(CRITICAL, "ERROR: Could not do normal boot. Reverting "
            "to fastboot mode.
");
    }


    //下面的代码是fastboot的准备工作，从中可以看出，进入fastboot模式是不启动kernel的


    /* We are here means regular boot did not happen. Start fastboot. */

    /* register aboot specific fastboot commands */
    aboot_fastboot_register_commands();     //注册fastboot命令，建议看下此函数的源码，此函数是fastboot支持的命令，如flash、erase等等

    /* dump partition table for debug info */
    partition_dump();

    /* initialize and start fastboot */
    fastboot_init(target_get_scratch_address(), target_get_max_flash_size());     //初始化fastboot
#if FBCON_DISPLAY_MSG
    display_fastboot_menu_thread();         //显示fastboot界面
#endif
}

关于device_info,这里多说一点

devinfo     Device information including:iis_unlocked, is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version
               All these attirbutes are set based on some specific conditions and written on devinfo partition.

devinfo是一个独立的分区，里面存放了下面的一些信息，上面是高通对这个分区的介绍。

struct device_info
{
    unsigned char magic[DEVICE_MAGIC_SIZE];
    bool is_unlocked;
    bool is_tampered;
    bool is_verified;
    bool charger_screen_enabled;
    char display_panel[MAX_PANEL_ID_LEN];
    char bootloader_version[MAX_VERSION_LEN];
    char radio_version[MAX_VERSION_LEN];
};

 从上面的分析，我们大致可以知道boot_init()主要工作

1).确定page_size大小;

2).从devinfo分区获取devinfo信息;

3).通过不同按键选择设置对应标志位boot_into_xxx;

4).如果进入fastboot模式，初始化fastboot命令等。

5).进入boot_linux_from_mmc()函数。

 

 

下面分析lk启动过程中另一个重要的函数boot_linux_from_mmc();它主要负责根据boot_into_xxx从对应的分区内读取相关信息并传给kernel，然后引导kernel。

程序走到这，说成没有进入fastboot模式，可能的情况有：正常启动，进入recovery，开机闹钟启动。

boot_linux_from_mmc()主要做下面的事情 

1).程序会从boot分区或者recovery分区的header中读取地址等信息，然后把kernel、ramdisk加载到内存中。

2).程序会从misc分区中读取bootloader_message结构体，如果有boot-recovery，则进入recovery模式

3).更新cmdline，然后把cmdline写到tags_addr地址，把参数传给kernel，kernel起来以后会到这个地址读取参数。

int boot_linux_from_mmc(void)                                  
{
    struct boot_img_hdr *hdr = (void*) buf;       //************buf和hdr指向相同的地址，可以理解为buf就是hdr
    struct boot_img_hdr *uhdr;
    unsigned offset = 0;
    int rcode;
    unsigned long long ptn = 0;
    int index = INVALID_PTN;

    unsigned char *image_addr = 0;
    unsigned kernel_actual;
    unsigned ramdisk_actual;
    unsigned imagesize_actual;
    unsigned second_actual = 0;

    unsigned int dtb_size = 0;
    unsigned int out_len = 0;
    unsigned int out_avai_len = 0;
    unsigned char *out_addr = NULL;
    uint32_t dtb_offset = 0;
    unsigned char *kernel_start_addr = NULL;
    unsigned int kernel_size = 0;
    int rc;

#if DEVICE_TREE                    
    struct dt_table *table;
    struct dt_entry dt_entry;
    unsigned dt_table_offset;
    uint32_t dt_actual;
    uint32_t dt_hdr_size;
    unsigned char *best_match_dt_addr = NULL;
#endif
    struct kernel64_hdr *kptr = NULL;

    if (check_format_bit())                        //查找bootselect分区，查看分区表，没有此分区，所以返回值为false
        boot_into_recovery = 1;

    if (!boot_into_recovery) {                     //此时有两种可能，正常开机/进入ffbm工厂测试模式，进入工厂测试模式是正行启动，但是向kernel传参会多一个字符串"androidboot.mode='ffbm_mode_string'" 
        memset(ffbm_mode_string, '', sizeof(ffbm_mode_string));     //ffbm_mode_string = ""
        rcode = get_ffbm(ffbm_mode_string, sizeof(ffbm_mode_string));  //从misc分区0地址中读取sizeof(ffbm_mode_string)的内容，如果内容是"ffbm-"，返回1，否则返回0
        if (rcode <= 0) {
            boot_into_ffbm = false;
            if (rcode < 0)
                dprintf(CRITICAL,"failed to get ffbm cookie");
        } else
            boot_into_ffbm = true;
    } else                                     //boot_into_recovery=true
        boot_into_ffbm = false;
    uhdr = (struct boot_img_hdr *)EMMC_BOOT_IMG_HEADER_ADDR;           //uhdr指向boot分区header地址，header是什么东西，下面会详细介绍
    if (!memcmp(uhdr->magic, BOOT_MAGIC, BOOT_MAGIC_SIZE)) {      //检查uhdr->magic 是否等于 "ANDROID!",不知到为什么要这么做，觉的没有什么作用
        dprintf(INFO, "Unified boot method!
");
        hdr = uhdr;
        goto unified_boot;
    }
    if (!boot_into_recovery) {    //如果不是recovery模式，可能是正常启动或者进入ffbm，再次生命ffbm和正常启动流程一样启动kernel，只是kernel起来以后，init.c文件会读取是否有"ffbm-"
        index = partition_get_index("boot");         //读取boot分区
        ptn = partition_get_offset(index);      //读取boot分区的偏移量
        if(ptn == 0) {
            dprintf(CRITICAL, "ERROR: No boot partition found
");
                    return -1;
        }
    }
    else {
        index = partition_get_index("recovery");        //进入recovery模式，读取recovery分区，并获得recovery分区的偏移量。recovery.img和boot.img的组成是一样的，下面有介绍
        ptn = partition_get_offset(index);
        if(ptn == 0) {
            dprintf(CRITICAL, "ERROR: No recovery partition found
");
                    return -1;
        }
    }
    /* Set Lun for boot & recovery partitions */
    mmc_set_lun(partition_get_lun(index));        

    if (mmc_read(ptn + offset, (uint32_t *) buf, page_size)) {                 //从boot/recovery分区读取1字节的内容到buf(hdr)中，我们知道在boot/recovery中开始的1字节存放的是hdr的内容，下面有详细的介绍。
        dprintf(CRITICAL, "ERROR: Cannot read boot image header
");
                return -1;
    }

    if (memcmp(hdr->magic, BOOT_MAGIC, BOOT_MAGIC_SIZE)) {                   //上面已经从boot/recovery分区读取了header到hdr，这里对比magic是否等于"ANDROID！",如果不是，则表明读取的header是错误的，也算是校验吧
        dprintf(CRITICAL, "ERROR: Invalid boot image header
");
                return -1;
    }

    if (hdr->page_size && (hdr->page_size != page_size)) {                   //比较也的大小是否相同，应该都是相同的2048字节

        if (hdr->page_size > BOOT_IMG_MAX_PAGE_SIZE) {
            dprintf(CRITICAL, "ERROR: Invalid page size
");
            return -1;
        }
        page_size = hdr->page_size;
        page_mask = page_size - 1;
    }

    /* ensure commandline is terminated */
    hdr->cmdline[BOOT_ARGS_SIZE-1] = 0;         

    kernel_actual  = ROUND_TO_PAGE(hdr->kernel_size,  page_mask);          //kernel所占的页的总大小       例如kernel大小0x01,kernel_actual = 2048
    ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask);          //ramdisk所占的页的总大小

    image_addr = (unsigned char *)target_get_scratch_address();            

#if DEVICE_TREE
    dt_actual = ROUND_TO_PAGE(hdr->dt_size, page_mask);     //dt所占的页的大小
    imagesize_actual = (page_size + kernel_actual + ramdisk_actual + dt_actual);          //image占的页的总大小
#else
    imagesize_actual = (page_size + kernel_actual + ramdisk_actual);
#endif

#if VERIFIED_BOOT
    boot_verifier_init();   //校验boot
#endif

    if (check_aboot_addr_range_overlap((uint32_t) image_addr, imagesize_actual))       //校验image_addr是否被覆盖
    {
        dprintf(CRITICAL, "Boot image buffer address overlaps with aboot addresses.
");
        return -1;
    }

    /*
     * Update loading flow of bootimage to support compressed/uncompressed
     * bootimage on both 64bit and 32bit platform.
     * 1. Load bootimage from emmc partition onto DDR.
     * 2. Check if bootimage is gzip format. If yes, decompress compressed kernel
     * 3. Check kernel header and update kernel load addr for 64bit and 32bit
     *    platform accordingly.
     * 4. Sanity Check on kernel_addr and ramdisk_addr and copy data.
     */

    dprintf(INFO, "Loading boot image (%d): start
", imagesize_actual);
    bs_set_timestamp(BS_KERNEL_LOAD_START);

    /* Read image without signature */
    if (mmc_read(ptn + offset, (void *)image_addr, imagesize_actual))        //读取boot/recovery分区到image_addr
    {
        dprintf(CRITICAL, "ERROR: Cannot read boot image
");
        return -1;
    }

    dprintf(INFO, "Loading boot image (%d): done
", imagesize_actual);
    bs_set_timestamp(BS_KERNEL_LOAD_DONE);

    /* Authenticate Kernel */
    dprintf(INFO, "use_signed_kernel=%d, is_unlocked=%d, is_tampered=%d.
",
        (int) target_use_signed_kernel(),
        device.is_unlocked,
        device.is_tampered);

    if(target_use_signed_kernel() && (!device.is_unlocked))               //这里是false ，感兴趣可以追target_use_signed_kernel(),会发现这个函数返回的是0
    {
        offset = imagesize_actual;uhdr->magic
        if (check_aboot_addr_range_overlap((uint32_t)image_addr + offset, page_size))
        {
            dprintf(CRITICAL, "Signature read buffer address overlaps with aboot addresses.
");
            return -1;
        }

        /* Read signature */
        if(mmc_read(ptn + offset, (voidffbm_mode_string *)(image_addr + offset), page_size))
        {
            dprintf(CRITICAL, "ERROR: Cannot read boot image signature
");
            return -1;
        }

        verify_signed_bootimg((uint32_t)image_addr, imagesize_actual);
    } else {
        second_actual  = ROUND_TO_PAGE(hdr->second_size,  page_mask);     
        #ifdef TZ_SAVE_KERNEL_HASH
        aboot_save_boot_hash_mmc((uint32_t) image_addr, imagesize_actual);
        #endif /* TZ_SAVE_KERNEL_HASH */

#if VERIFIED_BOOT
    if(boot_verify_get_state() == ORANGE)    //校验boot
    {
#if FBCON_DISPLAY_MSG
        display_bootverify_menu_thread(DISPLAY_MENU_ORANGE);
        wait_for_users_action();
#else
        dprintf(CRITICAL,
            "Your device has been unlocked and can't be trusted.
Wait for 5 seconds before proceeding
");
        mdelay(5000);
#endif
        set_root_flag(ORANGE,1);
    }
#endif

#ifdef MDTP_SUPPORT
        {
            /* Verify MDTP lock.
             * For boot & recovery partitions, MDTP will use boot_verifier APIs,
             * since verification was skipped in aboot. The signature is not part of the loaded image.
             */
            mdtp_ext_partition_verification_t ext_partition;
            ext_partition.partition = boot_into_recovery ? MDTP_PARTITION_RECOVERY : MDTP_PARTITION_BOOT;
            ext_partition.integrity_state = MDTP_PARTITION_STATE_UNSET;
            ext_partition.page_size = page_size;
            ext_partition.image_addr = (uint32)image_addr;
            ext_partition.image_size = imagesize_actual;
            ext_partition.sig_avail = FALSE;
            mdtp_fwlock_verify_lock(&ext_partition);
        }
#endif /* MDTP_SUPPORT */
    }

#if VERIFIED_BOOT
#if !VBOOT_MOTA
    // send root of trust
    if(!send_rot_command((uint32_t)device.is_unlocked))
        ASSERT(0);
#endif
#endif
    /*
     * Check if the kernel image is a gzip package. If yes, need to decompress it.
     * If not, continue booting.
     */
       //检测kernel image是否是gzip的包，如果是，解压，如果不是，继续boot。得到kernel的起始地址和大小

    if (is_gzip_package((unsigned char *)(image_addr + page_size), hdr->kernel_size))
    {
        out_addr = (unsigned char *)(image_addr + imagesize_actual + page_size);
        out_avai_len = target_get_max_flash_size() - imagesize_actual - page_size;
        dprintf(INFO, "decompressing kernel image: start
");
        rc = decompress((unsigned char *)(image_addr + page_size),
                hdr->kernel_size, out_addr, out_avai_len,
                &dtb_offset, &out_len);
        if (rc)
        {
            dprintf(CRITICAL, "decompressing kernel image failed!!!
");
            ASSERT(0);
        }

        dprintf(INFO, "decompressing kernel image: done
");
        kptr = (struct kernel64_hdr *)out_addr;
        kernel_start_addr = out_addr;
        kernel_size = out_len;
    } else {
        kptr = (struct kernel64_hdr *)(image_addr + page_size);
        kernel_start_addr = (unsigned char *)(image_addr + page_size);   //kernel_start起始地址
        kernel_size = hdr->kernel_size; //kernel大小
    }

    /*
     * Update the kernel/ramdisk/tags address if the boot image header
     * has default values, these default values come from mkbootimg when
     * the boot image is flashed using fastboot flash:raw
     */
    update_ker_tags_rdisk_addr(hdr, IS_ARM64(kptr)); //更新kernel/tags/ramdisk地址   

    /* Get virtual addresses since the hdr saves physical addresses. */
    hdr->kernel_addr = VA((addr_t)(hdr->kernel_addr));        //保存虚拟地址（mmu）
    hdr->ramdisk_addr = VA((addr_t)(hdr->ramdisk_addr));
    hdr->tags_addr = VA((addr_t)(hdr->tags_addr));

    kernel_size = ROUND_TO_PAGE(kernel_size,  page_mask);
    /* Check if the addresses in the header are valid. */
    if (check_aboot_addr_range_overlap(hdr->kernel_addr, kernel_size) ||                      //检测kernel/ramdisk/tags地址是否超出emmc地址
        check_aboot_addr_range_overlap(hdr->ramdisk_addr, ramdisk_actual))
    {
        dprintf(CRITICAL, "kernel/ramdisk addresses overlap with aboot addresses.
");
        return -1;
    }

#ifndef DEVICE_TREE
    if (check_aboot_addr_range_overlap(hdr->tags_addr, MAX_TAGS_SIZE))
    {
        dprintf(CRITICAL, "Tags addresses overlap with aboot addresses.
");
        return -1;
    }
#endif

    /* Move kernel, ramdisk and device tree to correct address */
    memmove((void*) hdr->kernel_addr, kernel_start_addr, kernel_size);       //把kernel/ramdisk放在相应的地址上
    memmove((void*) hdr->ramdisk_addr, (char *)(image_addr + page_size + kernel_actual), hdr->ramdisk_size);

    #if DEVICE_TREE   //读取设备树信息，放在相应的地址上
    if(hdr->dt_size) {
        dt_table_offset = ((uint32_t)image_addr + page_size + kernel_actual + ramdisk_actual + second_actual);
        table = (struct dt_table*) dt_table_offset;

        if (dev_tree_validate(table, hdr->page_size, &dt_hdr_size) != 0) {
            dprintf(CRITICAL, "ERROR: Cannot validate Device Tree Table 
");
            return -1;
        }

        /* Find index of device tree within device tree table */
        if(dev_tree_get_entry_info(table, &dt_entry) != 0){
            dprintf(CRITICAL, "ERROR: Getting device tree address failed
");
            return -1;
        }

        if (is_gzip_package((unsigned char *)dt_table_offset + dt_entry.offset, dt_entry.size))
        {
            unsigned int compressed_size = 0;
            out_addr += out_len;
            out_avai_len -= out_len;
            dprintf(INFO, "decompressing dtb: start
");
            rc = decompress((unsigned char *)dt_table_offset + dt_entry.offset,
                    dt_entry.size, out_addr, out_avai_len,
                    &compressed_size, &dtb_size);
            if (rc)
            {
                dprintf(CRITICAL, "decompressing dtb failed!!!
");
                ASSERT(0);
            }

            dprintf(INFO, "decompressing dtb: done
");
            best_match_dt_addr = out_addr;
        } else {
            best_match_dt_addr = (unsigned char *)dt_table_offset + dt_entry.offset;
            dtb_size = dt_entry.size;
        }

        /* Validate and Read device device tree in the tags_addr */
        if (check_aboot_addr_range_overlap(hdr->tags_addr, dtb_size))
        {
            dprintf(CRITICAL, "Device tree addresses overlap with aboot addresses.
");
            return -1;
        }

        memmove((void *)hdr->tags_addr, (char *)best_match_dt_addr, dtb_size);
    } else {
        /* Validate the tags_addr */
        if (check_aboot_addr_range_overlap(hdr->tags_addr, kernel_actual))
        {
            dprintf(CRITICAL, "Device tree addresses overlap with aboot addresses.
");
            return -1;
        }
        /*
         * If appended dev tree is found, update the atags with
         * memory address to the DTB appended location on RAM.
         * Else update with the atags address in the kernel header
         */
        void *dtb;
        dtb = dev_tree_appended((void*)(image_addr + page_size),
                    hdr->kernel_size, dtb_offset,
                    (void *)hdr->tags_addr);
        if (!dtb) {
            dprintf(CRITICAL, "ERROR: Appended Device Tree Blob not found
");
            return -1;
        }
    }
    #endif

    if (boot_into_recovery && !device.is_unlocked && !device.is_tampered)
        target_load_ssd_keystore();

unified_boot:

    boot_linux((void *)hdr->kernel_addr, (void *)hdr->tags_addr,           //进入boot_linux函数，此函数比较简单，更新cmdline。
           (const char *)hdr->cmdline, board_machtype(),
           (void *)hdr->ramdisk_addr, hdr->ramdisk_size);

    return 0;
}

如果misc分区的0地址内容是"ffbm-"，则boot_into_ffbm=true

int get_ffbm(char *ffbm, unsigned size)
{
    const char *ffbm_cmd = "ffbm-";
    uint32_t page_size = get_page_size();
    char *ffbm_page_buffer = NULL;
    int retval = 0;
    if (size < FFBM_MODE_BUF_SIZE || size >= page_size)
    {
        dprintf(CRITICAL, "Invalid size argument passed to get_ffbm
");
        retval = -1;
        goto cleanup;
    }
    ffbm_page_buffer = (char*)malloc(page_size);
    if (!ffbm_page_buffer)
    {
        dprintf(CRITICAL, "Failed to alloc buffer for ffbm cookie
");
        retval = -1;
        goto cleanup;
    }
    if (read_misc(0, ffbm_page_buffer, page_size))
    {
        dprintf(CRITICAL, "Error reading MISC partition
");
        retval = -1;
        goto cleanup;
    }
    ffbm_page_buffer[size] = '';
    if (strncmp(ffbm_cmd, ffbm_page_buffer, strlen(ffbm_cmd)))
    {
        retval = 0;
        goto cleanup;
    }
    else
    {
        if (strlcpy(ffbm, ffbm_page_buffer, size) <
                FFBM_MODE_BUF_SIZE -1)
        {
            dprintf(CRITICAL, "Invalid string in misc partition
");
            retval = -1;
        }
        else
            retval = 1;
    }
cleanup:
    if(ffbm_page_buffer)
        free(ffbm_page_buffer);
    return retval;
}

 

boot.img和recovery.img的组成是一样的，所以lk加载方式一样，只是读取的地址和大小不同而已。

我们看下boot.img和recovery.img镜像里有什么，理解了这个再看lk加载boot.img/recovery.img就知道是怎么回事了:

** +-----------------+ 
** | boot header     | 1 page
** +-----------------+
** | kernel          | n pages  
** +-----------------+
** | ramdisk         | m pages  
** +-----------------+
** | second stage    | o pages
** +-----------------+
** | device tree     | p pages
** +-----------------+
　　
分析boot_img_hdr结构提
　　kernel_size　　kernel表示zImage的实际大小
　　kernel_addr　　kernel的zImage载入内存的物理地址，也是bootloader要跳转的地址
　　ramdisk_size　 ramdisk的实际大小
　　ramdisk_addr　 ramdisk加载到内存的实际物理地址，之后kernel会解压并把它挂载成根文件系统，我们的中枢神经－init.rc就隐藏于内
　　tags_addr    tags_addr是传参数用的物理内存地址，它作用是把bootloader中的参数传递给kernel,参数放在这个地址上
　　page_size    page_size是存储芯片（ram/emmc）的页大小，取决与存储芯片
　　cmdline      command line它可以由bootloader向kernel传参的内容，存放在tag_addr地址
　　second 　　　 可选

bootable/bootloader/lk/app/aboot/bootimg.h

#ifndef _BOOT_IMAGE_H_
#define _BOOT_IMAGE_H_

typedef struct boot_img_hdr boot_img_hdr;

#define BOOT_MAGIC "ANDROID!"
#define BOOT_MAGIC_SIZE 8
#define BOOT_NAME_SIZE  16
#define BOOT_ARGS_SIZE  512
#define BOOT_IMG_MAX_PAGE_SIZE 4096

struct boot_img_hdr
{
    unsigned char magic[BOOT_MAGIC_SIZE];

    unsigned kernel_size;  /* size in bytes */
    unsigned kernel_addr;  /* physical load addr */

    unsigned ramdisk_size; /* size in bytes */
    unsigned ramdisk_addr; /* physical load addr */

    unsigned second_size;  /* size in bytes */
    unsigned second_addr;  /* physical load addr */

    unsigned tags_addr;    /* physical addr for kernel tags */
    unsigned page_size;    /* flash page size we assume */
    unsigned dt_size;      /* device_tree in bytes */
    unsigned unused;    /* future expansion: should be 0 */

    unsigned char name[BOOT_NAME_SIZE]; /* asciiz product name */
    
    unsigned char cmdline[BOOT_ARGS_SIZE];

    unsigned id[8]; /* timestamp / checksum / sha1 / etc */
};

/*
** +-----------------+ 
** | boot header     | 1 page
** +-----------------+
** | kernel          | n pages  
** +-----------------+
** | ramdisk         | m pages  
** +-----------------+
** | second stage    | o pages
** +-----------------+
** | device tree     | p pages
** +-----------------+
**
** n = (kernel_size + page_size - 1) / page_size
** m = (ramdisk_size + page_size - 1) / page_size
** o = (second_size + page_size - 1) / page_size
** p = (dt_size + page_size - 1) / page_size
** 0. all entities are page_size aligned in flash
** 1. kernel and ramdisk are required (size != 0)
** 2. second is optional (second_size == 0 -> no second)
** 3. load each element (kernel, ramdisk, second) at
**    the specified physical address (kernel_addr, etc)
** 4. prepare tags at tag_addr.  kernel_args[] is
**    appended to the kernel commandline in the tags.
** 5. r0 = 0, r1 = MACHINE_TYPE, r2 = tags_addr
** 6. if second_size != 0: jump to second_addr
**    else: jump to kernel_addr
*/

boot_img_hdr *mkbootimg(void *kernel, unsigned kernel_size,
                        void *ramdisk, unsigned ramdisk_size,
                        void *second, unsigned second_size,
                        unsigned page_size,
                        unsigned *bootimg_size);

void bootimg_set_cmdline(boot_img_hdr *hdr, const char *cmdline);                

#define KERNEL64_HDR_MAGIC 0x644D5241 /* ARM64 */

struct kernel64_hdr
{
    uint32_t insn;
    uint32_t res1;
    uint64_t text_offset;
    uint64_t res2;
    uint64_t res3;
    uint64_t res4;
    uint64_t res5;
    uint64_t res6;
    uint32_t magic_64;
    uint32_t res7;
};

#endif