CVE-2021-22434: Huawei Arbitrary Write in BootROM USB Stack

Summary: During the regular boot sequence, Huawei’s BootROM initializes the UFS hardware and the crypto engine in order to load and verify the next-stage bootloader image from flash. However, when run in download mode, which may be used for factory flashing and repair purposes, a connected host can communicate with the BootROM via USB over a serial communication channel. The basis of the communication is a slightly modified version of the XMODEM protocol. The first frame to be sent must be the head chunk, which defines the destination address and the size of the file to be downloaded via the following data chunks.

CVE-2021-22429: Huawei Buffer Overflow in BootROM USB Stack

Summary: During the regular boot sequence, Huawei’s BootROM initializes the UFS hardware and the crypto engine in order to load and verify the next-stage bootloader image from flash. However, when run in download mode, which may be used for factory flashing and repair purposes, a connected host can communicate with the BootROM via USB. In this case, the BootROM acts as a USB 1.1 Serial-over-USB gadget with a single data endpoint. Based on kernel sources, the USB device appears to be a Synopsys DesignWare USB 3.0 controller. Although the implementations of the USB stack in the Linux kernel and in the BootROM are quite different (the latter is orders of magnitude simpler), the offsets and the register map of the device can be learned from the kernel driver (drivers/usb/dwc3):