Android Penetration Testing Tutorial For Beginners

Android Boot Process Explained (Steps in Booting Process)

Steps in Android Booting Process

Android boots in the following steps:

1. Boot ROM

Also called power-on, this step starts when the power button is pressed. Code stored in the SoC's on-chip Boot ROM executes, locates the bootloader in flash storage, and loads it into RAM. Because it lives in mask ROM and cannot be modified, this code is the root of trust for everything that follows.

2. BootLoader

The bootloader is low-level code that tells the device how to start and where to find the kernel. It runs in two stages:

  • In the first stage, the external RAM is detected and initialised, and a program that assists the second stage is loaded.

  • In the second stage, the network and memory are set up for running the kernel; the bootloader then loads the kernel and its ramdisk from the boot partition and jumps to the kernel. On a locked device this is also where the signature of the boot image is checked before it is allowed to run.

3. Kernel

The kernel is the software that talks directly to the hardware; Android uses a Linux kernel, and it can be replaced by a custom build if the bootloader allows it. Once the kernel starts running, it sets up caches and memory protection, loads drivers, mounts the root file system, starts kernel daemons, initialises the process table, and finally launches the first user-space process, init.

4. Init

init is the first user-space process (PID 1). It mounts the pseudo file systems such as /sys, /dev and /proc, then parses the init.rc scripts, which define the services (including Zygote) that init starts and the order in which it starts them.

5. Zygote and Dalvik VM

Zygote is started by init. It creates the Dalvik VM (replaced by the Android Runtime, ART, since Android 5.0), preloads the core Java classes and resources, and then listens on a socket for requests to launch apps. Each app is started by forking Zygote, so new processes inherit the preloaded state and start in minimal time; this is also why every app process appears as a child of Zygote.

6. System Servers

Once the Java classes and resources are preloaded, Zygote forks system_server, which is considered the core of the Android system. It loads the relevant native libraries and starts the system services (for example Activity Manager and Package Manager) that provide specific functionality to apps.
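The fork hierarchy described in steps 4 to 6 (init starts Zygote, Zygote forks system_server and every app) can be seen directly in the process table of a booted device. The script below is an added example and is not part of the original tutorial: it reconstructs the lineage of a process from a `ps` listing. SAMPLE_PS is a constructed listing shaped like the output of `ps -A -o PID,PPID,NAME`; the live_lineage wrapper assumes adb is on PATH, a device is attached, and the device's toybox ps accepts those options (Android 8 and later), so it is not exercised here.

```shell
#!/bin/sh
# Added example (not from the original tutorial): walk a process's ancestry
# back to init, and list the children of a given process, from a ps listing.

# Constructed sample listing in the shape of `ps -A -o PID,PPID,NAME`.
SAMPLE_PS='PID   PPID  NAME
1     0     init
2     0     kthreadd
301   1     logd
512   1     zygote64
513   1     zygote
734   512   system_server
1120  512   com.android.systemui
2031  512   com.example.app'

# boot_lineage LISTING NAME -> "NAME <- parent <- ... <- init"
# Exits 1 (with a message on stderr) when NAME is not in the listing.
boot_lineage() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v target="$2" '
        NR > 1 { ppid[$1] = $2; name[$1] = $3; if ($3 == target) start = $1 }
        END {
            if (start == "") { print "no such process: " target > "/dev/stderr"; exit 1 }
            pid = start; chain = name[pid]
            while (pid != "1") {                 # stop at init (PID 1)
                p = ppid[pid]
                if (p == "" || p == "0") break    # kernel threads hang off PID 0
                pid = p; chain = chain " <- " name[pid]
            }
            print chain
        }'
}

# children_of LISTING NAME -> space-separated names of NAME's direct children,
# in listing order ("" if NAME has none or is absent).
children_of() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v parent="$2" '
        NR > 1 { pp[NR] = $2; nm[NR] = $3; if ($3 == parent) target = $1 }
        END {
            out = ""
            for (i = 2; i <= NR; i++)
                if (target != "" && pp[i] == target)
                    out = out (out == "" ? "" : " ") nm[i]
            print out
        }'
}

# live_lineage NAME -> same walk against an attached device.
# Assumes adb on PATH and a toybox ps that supports -A and -o (Android 8+).
live_lineage() {
    boot_lineage "$(adb shell ps -A -o PID,PPID,NAME)" "$1"
}

boot_lineage "$SAMPLE_PS" com.example.app   # com.example.app <- zygote64 <- init
children_of "$SAMPLE_PS" zygote64           # system_server com.android.systemui com.example.app
```

On a real device the same walk shows that an app whose parent is not Zygote (for example one spawned by a shell or by a root daemon) is worth a closer look, since normal app processes are only ever forked from Zygote.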

Android Bootloaders

Locked Bootloaders

A locked bootloader prevents the user from replacing the device firmware: it only boots, and only lets fastboot flash, images that carry a valid cryptographic signature from the manufacturer's key, and it refuses unsigned or modified boot, recovery and system images. This signature check is the basis of Android Verified Boot, which verifies the boot image at every boot rather than only when it is flashed. Exactly what is restricted varies by manufacturer and device.

Unlocked Bootloaders

Many manufacturers provide a way to unlock the bootloader (for example `fastboot flashing unlock` on Google devices, or `fastboot oem unlock` on older ones) so that a custom kernel, recovery image or ROM can be flashed. Unlocking normally wipes the user data partition, and an unlocked bootloader carries a lasting risk: anyone who obtains a lost or stolen device can flash a custom Android boot image, boot it, and bypass the lock screen. Whether they can then recover the data depends on encryption: where user data is encrypted with keys bound to the lock-screen credential the files stay unreadable, but on an unencrypted device everything is recoverable.

Gaining Root with Unlocked Bootloader

Gaining root on a device with an unlocked bootloader is straightforward and needs no vulnerability: the bootloader boots whatever it is given, so one can flash a modified boot image (a patched kernel or ramdisk that installs a su binary) or a custom recovery, and from there change files and permissions on the system at will.

Gaining Root with Locked Bootloader

Not every manufacturer offers a method to unlock the bootloader, and on such devices rooting becomes a challenge: one has to find a flaw in the bootloader, kernel or operating system and exploit it to create an entry point for rooting. Because bootloader implementations differ between manufacturers, and often between models, an approach that works on one device rarely carries over to another.

Finding Root Access on Booted System

Root can also be obtained on an already booted system, without touching the bootloader, by getting a root shell through an unpatched security bug in the OS. This method is called a soft root because it relies purely on software rather than on a modified boot image.

The unpatched bug may lie in a process running as root, in a setuid or other privileged program, in the kernel, or in file permissions that allow a symbolic-link attack, among other issues. Where the programmer made the mistake determines what kind of attack is launched.
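Before either rooting route above is attempted, a tester usually wants to know the device's starting posture: is the bootloader locked, what does Verified Boot report, and has the system already been soft-rooted? The script below is an added example, not part of the original tutorial, covering both the locked/unlocked bootloader section and the soft-root section. It classifies a `getprop`-style dump; the two sample dumps are constructed for the example. The property names are real but device-dependent (ro.boot.flash.locked is set by Google devices, ro.boot.vbmeta.device_state by any AVB 2.0 device), and the live_audit wrapper assumes adb on PATH and an attached device, so it is not exercised here.

```shell
#!/bin/sh
# Added example (not from the original tutorial): classify bootloader lock
# state, Verified Boot state and soft-root indicators from a getprop dump.

# Constructed sample: a device whose bootloader has been unlocked and which
# carries several signs of a soft root.
SAMPLE_UNLOCKED='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.secure]: [1]'

# Constructed sample: a stock, locked device.
SAMPLE_LOCKED='[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.vbmeta.device_state]: [locked]
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
[ro.secure]: [1]'

# prop DUMP NAME -> value of NAME in a "[name]: [value]" dump ("" if absent).
prop() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')          # dots are literal in the name
    printf '%s\n' "$1" | tr -d '\r' | sed -n "s/^\[$esc\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# bootloader_state DUMP -> locked | unlocked | unknown
# ro.boot.flash.locked (Google devices) is checked first, then the AVB 2.0
# property ro.boot.vbmeta.device_state; "unknown" means neither is exposed.
bootloader_state() {
    case "$(prop "$1" ro.boot.flash.locked)" in
        1) echo locked; return ;;
        0) echo unlocked; return ;;
    esac
    case "$(prop "$1" ro.boot.vbmeta.device_state)" in
        locked|unlocked) prop "$1" ro.boot.vbmeta.device_state ;;
        *) echo unknown ;;
    esac
}

# verified_boot_state DUMP -> green | yellow | orange | red | unknown
# green: locked, stock signing key; yellow: locked, user-supplied key;
# orange: unlocked; red: verification failed.
verified_boot_state() {
    v=$(prop "$1" ro.boot.verifiedbootstate)
    case "$v" in green|yellow|orange|red) echo "$v" ;; *) echo unknown ;; esac
}

# root_indicators DUMP SU_PATH -> comma-separated soft-root signs ("" if none).
# SU_PATH is the output of `which su` on the device (empty when absent).
root_indicators() {
    out=""
    [ "$(prop "$1" ro.debuggable)" = 1 ] && out="$out,debuggable"
    [ "$(prop "$1" ro.secure)" = 0 ] && out="$out,insecure-adbd"
    case "$(prop "$1" ro.build.tags)" in *test-keys*) out="$out,test-keys" ;; esac
    [ -n "$2" ] && out="$out,su-binary"
    echo "${out#,}"
}

# audit_posture DUMP SU_PATH -> one summary line; exit status 0 only for the
# stock posture (locked bootloader, green Verified Boot, no root indicators).
audit_posture() {
    bl=$(bootloader_state "$1")
    vb=$(verified_boot_state "$1")
    ri=$(root_indicators "$1" "$2")
    echo "bootloader=$bl verifiedboot=$vb root-indicators=${ri:-none}"
    [ "$bl" = locked ] && [ "$vb" = green ] && [ -z "$ri" ]
}

# live_audit -> run the audit against an attached device (assumes adb on PATH;
# `which su` prints nothing and fails when no su binary is on the device).
live_audit() {
    audit_posture "$(adb shell getprop)" "$(adb shell 'which su 2>/dev/null')"
}

audit_posture "$SAMPLE_UNLOCKED" "/system/xbin/su" || echo "-> not a stock posture"
audit_posture "$SAMPLE_LOCKED" ""
```

A device reporting an unlocked bootloader or an orange Verified Boot state is a candidate for the "unlocked bootloader" route, while a locked, green device with none of the indicators is one where only a soft root through an unpatched bug remains; ro.secure=0 and test-keys builds are what engineering or poorly built firmware look like, and a present su binary means someone has already done the work.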
