# UEFI Boot Sequence
According to [the UEFI spec](https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf) a device will initially start up and look for a particular file based on the architecture of the system:\
\
As we need to bypass the standard boot, we use the jailbreak to hack the process using a supplemental policy, which enables testsignmode.\
See [EFI Signing for details](https://lawrence-1.gitbook.io/surfacert-hacking/development/efi-signing-secure-boot)
SoC will load the boot setup, then load up UEFI bios.\
\
UEFI will then load /efi/boot/bootarm.efi (which needs to be signed with a (hardcoded) secureboot-key) into ram and pass it control to then load other stuff in turn.\
\
We haven't been able to sign our own stuff yet ( if we could then we could just install uboot and bypass all the pain!).\
\
So.. we use Microsoft's, aka WindowsBootManager (/efi/boot/bootarm.efi) to eventually load our boot tool (i.e. grub2)
Microsoft's bootarm.efi checks for
efi/microsoft/boot/bcd (boot configuration data)
(which then loads our special "jailbreak" policy), then loads a test.efi shim, which finally loads a secondary EFI file - i.e. GRUB2 or uefi shell placed in the root.
/boot.efi \
\
Hardcoded bootloader boots "bootarm.efi"(1: windows bootmanager) Bootmanager loads BCD (2) \
Bootmanager loads SecureBootDebug.efi, and the SecureBootDebugPolicy.p7b\
Then loads a test.efi (lolhax? shim) \[this can be changed to our own shim, eg ]\
Which finally loads our boot.efi\
```
+efi
+---microsoft
+------boot
+---------fonts (obvious)
+---------bcd(2)
+---------(automatically generated files)
+---boot
+------bootarm.efi(1)
+unicode.pf2
+test.efi(3)
+grub.cfg
+BOOT.efi
```
More detail here - \
[https://forum.xda-developers.com/windows-8-rt/rt-development/wip-secure-boot-linux-surface-rt-t3653848/page12](https://forum.xda-developers.com/showpost.php?p=82452439\&postcount=115)
Also worth a look through\
\