S5L87xx iPod Boot Process
This summarizes the boot process of Samsung S5L87xx-based iPods (Nano 3G and later, Classic).
The S5L87xx SoC starts executing the BootROM at power-up. The BootROM lives at 0x20000000, but is also mapped to 0x00000000, since that is where the ARM core expects its exception vector table.
The BootROM does the bare minimum needed to load a second stage: it sets up stacks and processor modes, brings up the PLLs, and opens the clock gates for AES, NAND, NOR and USB as needed.
The BootROM then checks a few conditions (such as GPIO state, probably driven by the clickwheel controller) to decide what to do next:
- Load a second stage bootloader from NOR
- Load a second stage bootloader from NAND
- Start DFU mode over USB
DFU mode is also the fail-safe: the BootROM falls back to it if the other boot methods fail.
The second-stage bootloader (packaged as an IMG1) is signature-checked, decrypted, and only then executed.
Second Stage Bootloader (bootloader / WTF)
When loaded from NAND/NOR this bootloader is referred to as 'bootloader'. When loaded over DFU during recovery mode, it is called 'WTF'. They are essentially the same codebase, with slight differences in the 'main' flow that boots the next stage.
The bootloader/WTF images are built around EFI and are therefore quite modular. When they go on to boot another EFI-based payload, e.g. Diags, the bootloader/WTF's EFI interfaces remain available to that later stage.
This stage initializes a number of peripherals and subsystems: DRAM, the LCD, UART, the interrupt controller(s), the FTL, and so on.
Depending on the implementation (WTF vs. bootloader), the keys held down and other as-yet-unknown conditions, it will either continue booting OSOS (or diagnostics, disk mode or aupd) from NAND, or enter another USB DFU mode. WTF defaults to USB DFU, which allows another IMG1 to be loaded and executed.
As with the BootROM, the bootloader/WTF performs IMG1 signature checking and decryption on whatever it loads next.
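The two stages above share one pattern: pick a boot source from external conditions, verify the IMG1 that source yields before trusting a byte of it, and drop into DFU if anything fails. The following C program is an added example of that pattern, not code from this page or from Apple's firmware. The container layout ("IMG1" magic, little-endian body length, body, trailing 8-byte tag), the PLATFORM_KEY, and the keyed-checksum stand-in for the signature are all hypothetical; the real IMG1 header and its RSA/AES checks are not reproduced. The point it demonstrates is the one a loader must get right: the length field is attacker-controlled input, so it is bounds-checked against the buffer actually read before use, and the tag is verified before the body is handed to the caller.

```c
/* Added example (hypothetical container format, not the real IMG1). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAGIC_LEN 4
#define LEN_FIELD 4
#define HDR_LEN   (MAGIC_LEN + LEN_FIELD)
#define TAG_LEN   8
#define MAX_BODY  4096        /* hypothetical size of the load region */

enum boot_src { SRC_NOR = 0, SRC_NAND = 1, SRC_DFU = 2 };

/* Hypothetical stand-in for a key the BootROM would hold (e.g. fused). */
static const uint8_t PLATFORM_KEY[8] = {0x5a,0xc3,0x19,0x77,0xe2,0x08,0x4b,0xd6};

/* Keyed FNV-1a checksum: a placeholder for the real signature check. */
static void make_tag(const uint8_t *msg, size_t len, uint8_t out[TAG_LEN]) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < sizeof PLATFORM_KEY; i++) { h ^= PLATFORM_KEY[i]; h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < len; i++)                 { h ^= msg[i];          h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < TAG_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Constant-time compare so the tag check does not leak via early exit. */
static int tag_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Build a signed container around a body (used to construct sample input). */
size_t build_image(const uint8_t *body, uint32_t body_len, uint8_t *out, size_t out_cap) {
    size_t total = HDR_LEN + body_len + TAG_LEN;
    if (body_len > MAX_BODY || total > out_cap) return 0;
    memcpy(out, "IMG1", MAGIC_LEN);
    for (int i = 0; i < LEN_FIELD; i++) out[MAGIC_LEN + i] = (uint8_t)(body_len >> (8 * i));
    memcpy(out + HDR_LEN, body, body_len);
    make_tag(out, HDR_LEN + body_len, out + HDR_LEN + body_len);
    return total;
}

/* Verify a container: the header length is untrusted, so it is checked against
 * the bytes actually read before anything past the header is touched, and the
 * tag is verified before the body pointer is released. 0 = ok, -1 = reject. */
int verify_image(const uint8_t *img, size_t img_len, const uint8_t **body, uint32_t *body_len) {
    if (img_len < HDR_LEN + TAG_LEN) return -1;            /* truncated read */
    if (memcmp(img, "IMG1", MAGIC_LEN) != 0) return -1;
    uint32_t len = 0;
    for (int i = 0; i < LEN_FIELD; i++) len |= (uint32_t)img[MAGIC_LEN + i] << (8 * i);
    if (len > MAX_BODY || len > img_len - HDR_LEN - TAG_LEN) return -1; /* forged length */
    uint8_t expect[TAG_LEN];
    make_tag(img, HDR_LEN + len, expect);
    if (!tag_equal(expect, img + HDR_LEN + len, TAG_LEN)) return -1;   /* bad signature */
    *body = img + HDR_LEN;
    *body_len = len;
    return 0;
}

/* Boot decision as described on the page: the source comes from external
 * conditions (a plain enum stands in for the GPIO reads), the image from that
 * source must verify, and any failure falls back to DFU over USB. */
enum boot_src decide_boot(enum boot_src requested, const uint8_t *img, size_t img_len,
                          const uint8_t **body, uint32_t *body_len) {
    *body = NULL; *body_len = 0;
    if (requested == SRC_DFU) return SRC_DFU;
    if (verify_image(img, img_len, body, body_len) != 0) return SRC_DFU;
    return requested;
}

/* Constructed scenarios: good image, flipped body bit, forged length field,
 * truncated read. Returns 0 when every case behaves as intended. */
int run_scenarios(void) {
    static const uint8_t stage2[] = "second stage payload";   /* constructed body */
    uint8_t img[64];
    const uint8_t *body; uint32_t body_len;
    size_t n = build_image(stage2, sizeof stage2, img, sizeof img);
    if (n != HDR_LEN + sizeof stage2 + TAG_LEN) return 1;
    if (decide_boot(SRC_NOR, img, n, &body, &body_len) != SRC_NOR) return 2;
    if (body_len != sizeof stage2 || memcmp(body, stage2, body_len) != 0) return 3;
    if (decide_boot(SRC_DFU, img, n, &body, &body_len) != SRC_DFU) return 4;
    img[HDR_LEN] ^= 0x01;                       /* corrupt one body bit */
    if (decide_boot(SRC_NAND, img, n, &body, &body_len) != SRC_DFU || body != NULL) return 5;
    img[HDR_LEN] ^= 0x01;
    img[MAGIC_LEN + 1] = 0xff;                  /* length now claims ~64 KiB */
    if (verify_image(img, n, &body, &body_len) != -1) return 6;
    img[MAGIC_LEN + 1] = 0x00;
    if (verify_image(img, HDR_LEN + 3, &body, &body_len) != -1) return 7;
    if (decide_boot(SRC_NOR, img, n, &body, &body_len) != SRC_NOR) return 8;
    return 0;
}

int main(void) {
    int rc = run_scenarios();
    if (rc == 0) printf("all scenarios behaved as expected\n");
    else         printf("scenario %d failed\n", rc);
    return rc;
}
```

Two design points carry over to a real loader regardless of the container format: the length check uses the number of bytes actually read from NOR/NAND/USB, never the header's own claim, and the verification result is the only thing that decides whether the body pointer is ever released to the caller, so a "decrypt then check" ordering cannot creep in.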