Tegra SoCs

Boot process of Tegra SoCs from power-on to BootRom to bootloader
Every Tegra SoC contains a small built-in ROM; on Tegra3 it is 48kB in size. This ROM is called the BootRom.
The BootRom is responsible for the initial SoC setup. The code stored in the BootRom executes on the Boot and Power Management Processor (BPMP), an ARM7TDMI (ARMv4T) CPU. Until DRAM is set up it can only use IRAM, which is only 64kB in size. After DRAM setup it loads a bootloader into DRAM and transfers control to it.

How the Bootrom works

  1. Check the fuse or strap to decide which boot device should be used.
  2. Try to read a valid signed BCT.
  3. Set up DRAM according to the BCT.
  4. Load the hashed bootloader specified in the BCT and execute it.
  5. If no valid bootloader is found, enter USB recovery mode (RCM/APX).

From there it is the firmware's job to set up the main CPU (ARMv7 Cortex-A9) and transfer control to it. This part of the firmware/bootloader is called the Secondary Program Loader (SPL).
On a stock Surface RT/2 this bootloader is UEFI (TianoCore EDK2), which provides the UEFI API.
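The five BootRom steps above as an added example (not code from this page or from NVIDIA): the BCT signature is checked first, the bootloader is admitted only if it matches the hash carried inside the signed BCT, and any failure falls through to recovery mode. The BCT layout, strap encoding, key and the use of HMAC-SHA256 are assumptions standing in for the real format, which this page does not describe.

```python
"""Model of the BootRom flow above. Constructed example: BCT layout, strap map and key
are invented; HMAC-SHA256 stands in for the real BCT signature scheme (not on this page)."""
import hashlib
import hmac
import struct

SBK = b"constructed-secure-boot-key-32byt"           # hypothetical fused secret key
BOOT_DEVICES = {0: "eMMC", 1: "SPI-NOR", 2: "NAND"}  # hypothetical strap encoding
SIG_LEN = 32

def make_bct(sdram_cfg: bytes, bootloader: bytes, load_addr: int) -> bytes:
    """Build a signed BCT: [sig][sdram_len][load_addr][sdram_cfg][sha256(bootloader)].
    Only the BCT is signed; the bootloader is covered through the hash it carries."""
    bl_hash = hashlib.sha256(bootloader).digest()
    body = struct.pack("<II", len(sdram_cfg), load_addr) + sdram_cfg + bl_hash
    return hmac.new(SBK, body, hashlib.sha256).digest() + body

def parse_bct(bct: bytes):
    """Verify the BCT signature; return (sdram_cfg, load_addr, bl_hash) or None."""
    sig, body = bct[:SIG_LEN], bct[SIG_LEN:]
    if not hmac.compare_digest(sig, hmac.new(SBK, body, hashlib.sha256).digest()):
        return None                                   # step 2 fails: BCT rejected
    sdram_len, load_addr = struct.unpack_from("<II", body, 0)
    off = 8 + sdram_len
    return body[8:off], load_addr, body[off:off + 32]

def bootrom(strap: int, storage: dict) -> str:
    """Return 'RUN:<device>@<addr>' when the chain verifies, otherwise 'RCM'."""
    dev = BOOT_DEVICES.get(strap)                     # step 1: fuse/strap -> boot device
    if dev not in storage:
        return "RCM"
    parsed = parse_bct(storage[dev]["bct"])           # step 2: read a valid signed BCT
    if parsed is None:
        return "RCM"
    sdram_cfg, load_addr, bl_hash = parsed            # step 3: DRAM set up from sdram_cfg
    bootloader = storage[dev]["bootloader"]           # step 4: load BL, check hash from BCT
    if not hmac.compare_digest(hashlib.sha256(bootloader).digest(), bl_hash):
        return "RCM"                                  # step 5: no valid BL -> RCM/APX
    return f"RUN:{dev}@{load_addr:#x}"

def build_storage(bootloader: bytes, bct_tamper: bool = False) -> dict:
    """Constructed eMMC image; optionally corrupt one byte of the signed SDRAM params."""
    bct = bytearray(make_bct(b"\x11" * 16, bootloader, 0x80108000))
    if bct_tamper:
        bct[SIG_LEN + 8] ^= 0xFF
    return {"eMMC": {"bct": bytes(bct), "bootloader": bootloader}}

if __name__ == "__main__":
    print(bootrom(0, build_storage(b"constructed bootloader image")))  # RUN:eMMC@0x80108000
    print(bootrom(0, build_storage(b"constructed bootloader image", bct_tamper=True)))  # RCM
```

A modified bootloader is rejected even though only the BCT is signed, because its hash is part of the signed data; corrupting the BCT itself fails the signature check one step earlier.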

Fusée Gelée - BootRom Exploit

The USB recovery mode (RCM) can be exploited. See Fusée Gelée.

Further reading