Qualcomm

About Qualcomm
Qualcomm Incorporated is a semiconductors company, and one of the biggest manufacturers of smartphone and tablet SoCs.

Booting Procedure
Qualcomm ARM SoCs boot through several bootloaders, each of which performs some initialization and/or verification and then passes execution on to the next stage in the boot chain. The final stage is whatever operating system runs on the SoC. The boot chains differ slightly between SoCs; the three charts below show the boot chains of relatively recent Qualcomm SoCs.



As the charts show, the main change introduced in msm8974 is the merging of SBL1, which previously consisted of three bootloaders, into one; the main change introduced in msm8996 is support for the ABL UEFI bootloader, although in some cases aboot is still used. These charts are not necessarily exact representations of the boot chain on a specific SoC in a specific application, since manufacturers can modify the chain either by replacing or editing one of the later links or by adding further bootloader stages.
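As an added illustration (not code from this page or from Qualcomm), the following is a simplified model of the staged chain described above: each stage pins the digest of the stage it hands off to and halts if the image it loads does not match. It assumes a ROM-resident first stage called PBL, names the three pre-msm8974 stages SBL1/SBL2/SBL3, uses constructed placeholder images, and stands in for the real signed-certificate scheme with plain SHA-256 digests.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, simplified model of a staged boot chain (not Qualcomm's actual
# secure-boot format, which uses signed certificate chains rather than bare
# digests): each stage carries the expected SHA-256 of its successor.

@dataclass
class Stage:
    name: str
    image: bytes                        # constructed sample "code" for the stage
    next_digest: Optional[bytes] = None  # digest this stage expects for its successor

def build_chain(stage_names: List[str], images: dict) -> List[Stage]:
    """Link stages so each one pins the digest of the next; the last pins nothing."""
    stages = [Stage(n, images[n]) for n in stage_names]
    for cur, nxt in zip(stages, stages[1:]):
        cur.next_digest = hashlib.sha256(nxt.image).digest()
    return stages

def boot(stages: List[Stage]) -> Tuple[List[str], bool]:
    """Walk the chain; return the stages that ran and whether boot completed.
    The first stage (PBL, assumed to live in ROM) is trusted implicitly; every
    later stage is checked by its predecessor before execution passes to it."""
    executed = [stages[0].name]
    for cur, nxt in zip(stages, stages[1:]):
        if hashlib.sha256(nxt.image).digest() != cur.next_digest:
            return executed, False      # halt: replaced or modified stage
        executed.append(nxt.name)
    return executed, True

# Two of the chains described above; SBL1/SBL2/SBL3 naming is an assumption.
PRE_8974 = ["PBL", "SBL1", "SBL2", "SBL3", "aboot", "OS"]
MSM8974 = ["PBL", "SBL1", "aboot", "OS"]

def demo(chain_names: List[str], tamper: Optional[str] = None) -> Tuple[List[str], bool]:
    """Build a chain from constructed images, optionally alter one stage after
    the digests were pinned (as a replaced image would), then attempt to boot."""
    images = {n: f"{n} image".encode() for n in chain_names}
    stages = build_chain(chain_names, images)
    for s in stages:
        if s.name == tamper:
            s.image += b"\x00"          # constructed modification
    return boot(stages)

if __name__ == "__main__":
    print(demo(MSM8974))                  # intact chain boots to OS
    print(demo(PRE_8974, tamper="SBL3"))  # halts at SBL2, which loads SBL3
```

Extending the chain with an extra manufacturer stage works the same way: it must be pinned by its predecessor and must in turn pin the stage after it, otherwise the verification gap is exactly where an unchecked image can be loaded.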

A closer examination of these bootloaders will follow.

Useful Links

 * Qualcomm's Chain of Trust - LineageOS
 * Exploiting Qualcomm EDL Programmers (1)
 * Research & Exploitation framework for Qualcomm EDL Firehose programmers
 * Little Kernel Boot Loader Overview
 * Reverse Engineering Android's Aboot
 * Qualcomm Linux Modems by Quectel & Co
 * Comparing Qualcomm's XBL UEFI bootloaders on Snapdragon 820, 835, and 845
 * EBL Wiki
 * Examining Pointer Authentication on the iPhone XS
 * Full Trustzone Exploit for MSM8974
 * Pointer authentication on armv8.3-a
 * an EL1/EL3 coldboot vulnerability affecting 7 years of LG Android devices