If you have ever built a custom operating system or dug into low-level digital forensics, you know that understanding how a device wakes up is just as important as the OS it runs.
The Raspberry Pi Zero 2 W is a favorite for lightweight cybersecurity tools and headless servers. But unlike a standard desktop PC that relies on a traditional BIOS or UEFI, the Raspberry Pi utilizes a unique, GPU-centric architecture.
In this guide, we are going to break down the exact seven-stage "handshake" protocol that brings the Broadcom System-on-Chip (SoC) to life, from the moment voltage hits the board to the second your custom Linux command prompt appears.
ποΈ The Master and the Peripheral
Before we look at the stages, you have to invert how you think about computer architecture. On a standard x86 motherboard, the CPU is the master. On the Raspberry Pi, the Broadcom VideoCore GPU is the captain of the ship.
When you plug in the power β‘, the main ARM Cortex-A53 processor is completely inactive. It is up to the GPU to prepare the environment, initialize the memory, and ultimately wake the CPU up. Here is exactly how that relay race happens:
π₯ Stage 1: The Mask ROM (The Root of Trust)
When 5V power is applied, a tiny fragment of hardwired instructions deep inside the silicon wafer wakes up the GPU. This is the Mask ROM.
- π Immutable Security: Because this code is physically etched into the silicon during manufacturing, it can never be rewritten or modified. This guarantees the device wakes up in a highly predictable state.
- π― The Mission: The Mask ROM has only one jobβto scan the microSD card slot for a primary partition formatted as FAT32 and look for a specific file called
bootcode.bin.
π§ Stage 2: Waking the RAM (bootcode.bin)
At this millisecond, the Pi has absolutely no working system memory. The GPU loads bootcode.bin into its own internal cache.
- π§ Memory Calibration: The Zero 2 W has 512MB of SDRAM physically stacked on top of the processor.
bootcode.bincontains the precise electrical timing instructions required to activate and stabilize this memory. - β
Once the memory controller verifies the RAM is stable and ready to act as a workspace, the GPU discards
bootcode.binand moves to the next phase.
π¨ Stage 3: The GPU Firmware (start.elf)
With the RAM active, the GPU loads start.elf. This is the most complex piece of closed-source, proprietary firmware on the board.
- π» The Hidden OS:
start.elfactually runs its own lightweight Real-Time Operating System (RTOS) internally. - π‘οΈ Hardware Management: This firmware assumes total control over the physical board. It manages power delivery, initializes hardware interfaces, and monitors thermal limits. If your board gets too hot during a heavy packet-injection attack, it is
start.elfthat dynamically throttles the processor to prevent it from melting.
π© Stage 4: Your Hardware Control Panel (config.txt)
Before the GPU considers waking up the main ARM processor, it reads a plain-text file called config.txt.
Think of this as the equivalent of pressing "Delete" to enter your BIOS settings. By defining parameters here, you dictate how the hardware behaves before the OS even exists π οΈ.
For example, if you are building a headless cybersecurity tool and want to maximize the RAM available for your scripts, you can shrink the GPU's memory allocation and enable the serial console with just two lines:
π»
gpu_mem=16
πenable_uart=1
π¦ Stage 5: The CPU Takeover (kernel8.img)
This is the grand finale of the hardware bootloader. The GPU locates your compiled operating system kernel (typically kernel8.img for a 64-bit environment).
- π€ The Handoff: The graphics processor copies the entire kernel image into the main system RAM. It then sends an electrical signal to release the reset line on the ARM CPU.
- π’ The OS Begins: The CPU wakes from its slumber, looks at the memory address where the kernel was placed, and immediately begins executing your Linux instructions.
From this millisecond forward, your operating system is officially in charge. The GPU respectfully steps back into a supporting role.
π§ The Transition: From Bare Metal to Linux
At the end of Stage 5, we officially leave the "hardware firmware" phase and enter the Software Phase. Here is how your custom Linux operating system stands itself up.
πͺ Stage 6: Kernel Initialization and the Device Tree (The Bridge)
The Linux kernel is the engine, but when it first wakes up, it is essentially blind π¦. It doesn't know what kind of board it is running on.
- πΊοΈ Reading the Map (
.dtb): Before the kernel can do anything useful, it reads a file called the Device Tree Blob (for the Zero 2 W, usuallybcm2710-rpi-zero-2-w.dtb). This file is a literal map of the motherboard. It tells the kernel exactly which GPIO pins connect to the Wi-Fi chip and where the USB controller is. - βοΈ Driver Activation: Armed with the Device Tree, the kernel starts loading its internal drivers. It initializes the virtual memory, sets up the network stack, and probes the USB ports.
- π Mounting the Root Filesystem (RootFS): This is the most critical part of Stage 6. The kernel reaches out to the SD card's second partition (ext4) and mounts it as the Root Directory (
/). The "engine" is fully running and has access to its tools, but there is still no user interface.
π« Stage 7: PID 1 and "Userland" (The Embedded init Phase)
Now the system has to cross the boundary from "Kernel Space" (privileged, low-level) to "User Space" π (where your full commands, scripts, and cybersecurity tools actually run).
To do this, the kernel executes the very first program on the system, typically /sbin/init. It is permanently assigned Process ID 1 (PID 1). In a custom, lightweight embedded OS tailored for the Pi Zero, PID 1 is handled by a streamlined init system that follows a strict, sequential script:
- ποΈ Mounting the API Filesystems: The
initprogram immediately creates the "virtual" filesystems:/proc,/sys, and/dev. These live in the Pi's RAM and allow your standard commands (likefdiskorps) to see the hardware and running processes. - π The Blueprint (
/etc/inittab): Theinitprogram reads a single configuration file containing the master instructions for the boot sequence. - π The Master Startup Script (
/etc/init.d/rcS): Your custom Pi OS runs a master startup script that executes commands sequentially: - It populates your
/devfolder with your physical hardware nodes. - It brings up the Wi-Fi interface (
wlan0) π‘ and requests an IP address. - It launches a lightweight SSH daemon π, opening port 22 for remote access.
- (Note: Because this runs sequentially, you can inject custom packet-sniffing or security scripts right here to execute with root privileges before login).
- π» The Shell (The Prompt): Finally,
initspawns agettyprocess on your active terminal (UART serial or HDMI). This handles the login prompt. Once authenticated, it drops you into your full command-line shell (like Bash), with the vast majority of your RAM completely free.
π Why Custom OS Engineers Care
By understanding this entire pipeline, you can see exactly how a 5-volt power source turns into a functional, hacking-ready embedded Linux machine in just a few seconds.
| Phase | Stage | Active Component | Primary Action |
|---|---|---|---|
| 𧱠Hardware | 1. Mask ROM | GPU | Hardwired root of trust; looks for SD card. |
| π½ Firmware | 2. bootcode.bin |
GPU | Initializes and stabilizes the 512MB SDRAM. |
| π½ Firmware | 3. start.elf |
GPU | Hidden RTOS takes over board power/thermals. |
| π οΈ Config | 4. config.txt |
GPU | Applies your custom hardware limits (e.g., gpu_mem=16). |
| π€ Handoff | 5. kernel8.img |
CPU | GPU copies Linux to RAM and wakes up the ARM CPU. |
| π§ Kernel | 6. Device Tree / VFS | CPU | Kernel maps the hardware and mounts your rootfs. |
| π§βπ» Userland | 7. The init Process |
CPU | Sequential scripts mount /sys, start Wi-Fi/SSH, and spawn the Bash login prompt. |
π― The Domino Effect: Your Role as the OS Architect
Think of the boot process like setting up a line of dominoes π². When you plug the Pi into the wall π, gravity (the hardware) knocks all the dominoes down automatically from Stage 1 to 7. The Pi "takes care of everything" during the actual boot-up.
However, as the custom OS engineer, you have to manually design and place dominoes 4, 5, 6, and 7 before you ever plug the power cable in π§ .
Here is the exact breakdown of who does what before the Pi boots:
π The "Hands-Off" Stages (Broadcomβs Job)
You do not code, alter, or compile anything here. Buildroot simply downloads these pre-made files and puts them on your SD card.
- π₯ Stage 1 (Mask ROM): You can't touch this; it's physically inside the chip.
- π§ Stage 2 (
bootcode.bin): You just let it sit on the SD card. - π¨ Stage 3 (
start.elf): You just let it sit on the SD card.
π οΈ The "Hands-On" Stages (Your Job)
If you do nothing here, the boot process will fail or run poorly. You must "do something" for these stages during your Buildroot setup:
- π© Stage 4 (
config.txt): You have to write the text in this file to tell the GPU to shrink its memory (gpu_mem=16) and turn on the serial console. If you don't, the Pi defaults to wasting RAM on graphics you aren't using. - π¦ Stage 5 (
kernel8.img): You have to configure this. When you runmake menuconfigin Buildroot, you are choosing exactly what goes into this kernel. - πͺ Stage 6 (Device Tree & RootFS): You choose which packages (like OpenSSH, Python, Nmap) are packed into the RootFS. If you don't add them during the build, they won't be there when the kernel looks for them.
- π« Stage 7 (
initand Userland): You have to write or configure the startup scripts (like/etc/init.d/rcS). If you want a Python packet-sniffer to run the second the Pi turns on, you must explicitly type that command into the script before you flash the SD card.
π The Bottom Line
Once the SD card is flashed and inserted, the Pi Zero takes care of the entire 7-stage sequence in less than 5 seconds without you touching a keyboard β‘. But to get to that point, you are the architect responsible for engineering stages 4 through 7! π