Android: Partition tables

In this article, I will tell you about partition tables for MTK and QCOM devices.
Unlike the OS on computers, smartphones don’t have dynamic partition table.

Android

How to view partitions

  1. Install Device Info HW and view partitions
  2. Download Termux and enter mount command

To view all partitions, you need a superuser rights or TWRP recovery.

  1. Install Device Info HW and view partitions
  2. Reboot to TWRP, open terminal and enter mount command

Bootloaders

As we know, Android has several alternative boot modes. You will learn more about them in my next article.

ABOOT (UBOOT on MTK) is the first bootloader. This partition contains the low-level software for power and volume buttons. Each key combination corresponds to a different boot mode.

SBL is a secondary bootloader. Its code is executed after first bootloader, and depending on the boot mode, either the kernel is loaded — boot.img, or boot for recovery, or fastboot.

Main partitions

In this article I will cover all the main types of the partition table.

  1. BOOT is the core of Android
  2. VENDOR is a partition containing many binaries and drivers for everything and everyone. Previously, all these binaries were in the system partition, but with the Project Treble they were separated
  3. PRODUCT is a new partition (added in 2019) containing pre-installed applications and services
  4. SYSTEM is the main system partition. It contains frameworks, a lot of props, fstabs, overlays, RROs, software for working with binaries from vendor. Previously, applications were also stored in this partition (they are stored now, but only the most important ones).
  5. USERDATA — user data partition, contains three more partitions such as DATA (this partiton is everywhere, it stores application data), CACHE (system and application cache) and STORAGE (partition where you store your photos and files, access in the explorer).

Before Android 8.1 and Project Treble, the partition table looked like this:

System-only partition table

Then Project Treble given us a new partition — vendor. Our diagram has become a little more complicated:

Treble-compatible partition table

With the arrival of Treble, the world saw another architecture — arm64_ab and a new complicated partition table. Now the low-level recovery partition is right in boot. The cache partition was removed, and the main system partitions were duplicated. Such partition table clearly takes up more memory, and less space is left on storage.

But the main feature is that with this architecture, Android devices can update in the background! You download the update and continue to use your phone, and then just reboot into the new system, which is installed on duplicate partitions. And if update was unsuccessful, phone will boot into the first half of the partitions.

A/B partition table

Old architecture arm64_a wasn’t abandoned. The manufacturers added a product partition and mounted system to the system_root:

SAR A-only partition table

SoС-specific partitions

  1. MODEM (RADIO on MTK) is a phone modem (baseband). This partition can control Wi-Fi, Bluetooth and GPS (on most newer devices they are handled by the kernel). Modem is a mini-OS for a cellular radio chip that has its own processor. The modem partition is special, because the phones have a separate processor for the modem code to work, so the modem is not included in the system image
  2. RIL (Radio Interface Layer) is a low-level partition between the OS kernel and baseband. RIL’s job is to translate all phone requests from the Android environment and map them to the modem’s AT command delivery. The AT command is used to communicate with the modem, there is a baseband processor (BP), which must have a processor on Android devices in addition to the normal processor, i.e. the application processor (AP)
  3. TZ (TrustZone) is a partition used on the ARM architecture for additional security features. It combines the user’s encryption key with a hardware key generated by the encryption processor to make it harder to compromise security
  4. RPM (Resource & Power Management), which triggers the execution of the Primary / Primitive BootLoader (PBL) in the BootROM — controls the power of the radio, modem, etc.
  5. DSP (Digital Signal Processor) is a partition on Qualcomm devices to help with things like smooth video playback (media processor and real-time sensors)
  6. HYP (HyperVisor) is a hypervisor. Required to support virtualization
  7. PERSIST is a partitio which stores the driver for Wi-Fi, Bluetooth, LTE / CDMA / GSM and Hotspot sensors
  8. RECOVERY is a partition with the recovery menu
  9. OEM is a partition that includes small adjustments of the original equipment manufacturer and mobile phone brand) during over-the-air updates
  10. FOTA is a partition where OTA updates are downloaded. In most cases, instead of fota, these updates are downloaded to the cache partition
  11. FSC partition contains modem file system cookies
  12. SSD (Secure Software Download) is a partition for storing some encrypted keys. These keys are checked when downloading OS updates
  13. FRP (Factory Reset Protection) is a special partition created to save information about the accounts of smartphone manufacturers (for example, Mi Account on Xiaomi). The trick is that when the settings are reset, FRP is not erased, so you will not be able to get rid of the login to your account on a stolen xiaomi.
  14. DEVCFG is used by TZ for updates
  15. LKSECAPP is for online checking and updating RPM components
  16. TZLIMITS is Qualcomm Limits Management Hardware driver. Stores metadata for the SBL
  17. SYSCFG is Qualcomm Core Power Reduction regulator to improve application processor performance and power saving through voltage control
  18. DIP, MDTP implement Qualcomm SafeSwitch technology to block and track stolen phones
  19. CMNLIB, KEYMASTER, SEC are used for hash load verification. If the OS hash doesn’t match the hash written in the keymaster, your phone won’t boot the OS. This is the main reason why you cannot flash custom firmware on a locked bootloader.
  20. OEMKEYSTORE refers to data Full Disc Encryption (FDE)
  21. MCFG (Modem Configuration) is used on dual SIM devices, downloads MBN files (modem binaries)
  22. SPLASH is a splash screen or boot logo that appears when the device boots up at the ABOOT stage. After it, you can see “Powered by Android” boot animation
  23. CHGLOGO is the same screen for charging a discharged phone
  24. MSADP, APDP, DPO are used for debug policy
  25. EFS is a partition containing information about IMEI, SN and IMEI SV
  26. RSADEVINFO contains a low-level information about the device, including:
is_unlocked
is_tampered
is_verified
charger_screen_enabled
display_panel
bootloader_version
radio_version

You can view values by typing fastboot oem device-info command in ADB shell. Before loading the OS, bootloader checks rsadvinfo’s data.

Sources

throw new NoSuchElementException("Bio is not found");