During power-on, the contents of the flash memory are mapped at address 0x08000000. Addresses in this document are given as offsets from this address.
The very first chunk of code in flash memory is the first bootloader stage (so-called boot0); it is the first code to be executed in the boot process. This stage is, amongst other things, responsible for checking the signature on the second-stage bootloader (so-called boot1) and executing it if the signature is valid. Boot1 is located at offset 0x030000; the executable code at this address is prefixed with a header, 0x100 bytes in length, containing an RSA signature of the boot1 code (for a type definition of this header, see in ). One of the very first actions of boot1 is to relocate itself to address 0x87E80000, and execution continues from there. Boot1 is responsible for checking the signature on the next stage, which is the Linux kernel.
The device contains two kernels, one init kernel at offset 0x210000 and one recovery kernel at offset 0x080000. Typically, the recovery kernel is used when the device is powered on with the Volume Up key pressed. The logic in boot1 is to select the init kernel by default and check the signature on it. If the signature is valid, the init kernel is booted; otherwise the signature on the recovery kernel is checked. If the signatures on both the recovery and the init kernels are invalid, then the device will not boot.
In the Special Developer Edition firmware, the logic in boot1 is somewhat different. The signature check is only performed on the recovery kernel, and the header on the init kernel does not contain a signature. If the init kernel is used, some important parts of the flash memory are locked to prevent damaging the device: boot0, boot1, the RSA keys, and the recovery kernel are all locked.
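The kernel selection described in the two paragraphs above, written out as a small C model. This is an added example, not code from boot1: the struct and function names are hypothetical, the signature results are taken as inputs because the header layout is not given here, and refusing to boot when Volume Up is held and the recovery signature is invalid is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FLASH_BASE   0x08000000u /* flash is mapped here at power-on */
#define RECOVERY_OFF 0x080000u   /* recovery kernel offset */
#define INIT_OFF     0x210000u   /* init kernel offset */

enum image { IMG_NONE, IMG_INIT, IMG_RECOVERY };

struct boot_inputs {          /* hypothetical names, not taken from boot1 */
    bool developer_edition;   /* Special Developer Edition firmware */
    bool volume_up;           /* key held at power-on */
    bool init_sig_ok;         /* outcome of the check on the init kernel */
    bool recovery_sig_ok;     /* outcome of the check on the recovery kernel */
};
struct boot_decision {
    enum image image;
    uint32_t address;         /* absolute address of the chosen image */
    bool verified;            /* did the image pass a signature check? */
    bool flash_locked;        /* lock is described only for Developer Edition */
};

static struct boot_decision pick(enum image img, bool verified, bool locked) {
    struct boot_decision d = { img, 0, verified, locked };
    if (img == IMG_INIT) d.address = FLASH_BASE + INIT_OFF;
    if (img == IMG_RECOVERY) d.address = FLASH_BASE + RECOVERY_OFF;
    return d;
}

struct boot_decision boot1_select(struct boot_inputs in) {
    if (in.volume_up)         /* assumption: no fallback from a bad recovery */
        return in.recovery_sig_ok ? pick(IMG_RECOVERY, true, false)
                                  : pick(IMG_NONE, false, false);
    if (in.developer_edition) /* init header carries no signature */
        return pick(IMG_INIT, false, true);
    if (in.init_sig_ok)
        return pick(IMG_INIT, true, false);
    if (in.recovery_sig_ok)   /* fallback when the init kernel fails */
        return pick(IMG_RECOVERY, true, false);
    return pick(IMG_NONE, false, false); /* both invalid: device does not boot */
}

int main(void) {
    struct boot_inputs dev = { true, false, false, false };
    struct boot_decision d = boot1_select(dev);
    printf("image=%d addr=0x%08x verified=%d locked=%d\n",
           d.image, (unsigned)d.address, d.verified, d.flash_locked);
    return 0;
}
```

The Developer Edition case is the one to note when reasoning about the chain of trust: the init kernel runs with `verified` false, and the flash lock is what protects boot0, boot1, the RSA keys and the recovery kernel.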
The last step in the boot process is an intermediary root filesystem. Each kernel image is supplied with a cpio filesystem, which its kernel unpacks into an initramfs. The initramfs supplied to the recovery kernel contains, for example, a set of scripts that allow the user to format the device's hard drive or install a new firmware. The initramfs supplied to the init kernel contains a script that enforces the "HDD lock" (which ensures the hard drive cannot be replaced) and verifies the signature on the rootfs. If both of these verifications pass, the rootfs is mounted and switch_root'ed to.