21
edits
Changes
Jump to navigation
Jump to search
m
no edit summary
Line 85:
Line 85:
0xD800000 seems to be the start of the (a?) hardware register space.+
</source>
</source>
−This sets the [[Hollywood/Registers#HW_SRNPROT|HW_SRNPROT]] register to enable the [[Starlet/Main Memory|SRAM]] mirror at 0xFFFE0000.
After this, it loads the ELF file, and then '''zeroes out the memory area where the ELF file resides'''. Then it goes back to ARM mode and vectors to 0xFFFF0000 (the entrypoint of the ARM / vector table). The entire BOOT2 code seems to be position-independent: it can be loaded at any address and will still work, as long as it doesn't overlap with the destination of the ELF load. The entire BOOT2 file cleartext is loaded and then the loader is called, so the loader can calculate the offset of the header simply by subtracting 0x10 from the PC at its entrypoint.
After this, it loads the ELF file, and then '''zeroes out the memory area where the ELF file resides'''. Then it goes back to ARM mode and vectors to 0xFFFF0000 (the entrypoint of the ARM / vector table). The entire BOOT2 code seems to be position-independent: it can be loaded at any address and will still work, as long as it doesn't overlap with the destination of the ELF load. The entire BOOT2 file cleartext is loaded and then the loader is called, so the loader can calculate the offset of the header simply by subtracting 0x10 from the PC at its entrypoint.
Line 93:
Line 93:
=== Dynamic Linker ===
=== Dynamic Linker ===
−In later IOS versions ([[IOS28]] and later) the single IOS ARM binary was devided into several modules/libraries. The modules are loaded dynamically. The code is statically linked to a fixed address. Each module can register driver entry points at the operating systems. Functions of other modules are not directly called. Syscalls are used to communicate with other modules. The calls are forwarded to the approperiate module function.
+In later IOS versions ([[IOS28]] and later) the single monolithic IOS ARM binary was split into individual dynamically loaded modules. The main kernel is the only file to include the ELFLOADER header and stub; each individual module is a regular ELF file, loaded dynamically by the kernel to a fixed address specified in the ELF header. No functions are called directly between modules - [[IOS/Syscalls#Syscalls_.28via_undefined_instructions.29|Syscalls]] are used for individual modules to communicate with the main kernel, and resource managers are used for modules to communicate between each other (such as [[:/dev/di|DI]] interfacing with [[:/dev/es]] for ticket verification)
=== Extract ELF file ===
=== Extract ELF file ===