QUOTE(TheSpecialist @ Xboxhacker.net)
Well from power-on:
1. 1BL (first bootloader, stored in ROM), this loads decrypts and starts:
2. CB (2BL, 2nd bootloader, stored in NAND), this this loads decrypts and starts:
3. CD. This loads, decrypts and decompresses CE, which contains the base kernel + base HV. It also loads decrypts and then starts:
4. CF. This loads, decrypts and decompresses CG, which contains the patches for kernel and HV. It then applies the patches and starts up the patched HV and then the patched kernel. Then it boots dash.
So basically it's like: 1BL -> 2 BL -> patch kernel and HV and start them -> boot dashboard.
Every step also checks signature for the next step of course.
Yes, it seems everything past 1bl is checked and signed. Looks like all you gotta do is find a way to defeat the 1bl, and you've won. Hypervisor isn't even up until the 4th step.