<?xml version="1.0"?>
<api>
<query>
<pages>
<page ns="0" title="API" missing="" />
<page pageid="1" ns="0" title="Main Page">
<revisions>
<rev user="XVilka" timestamp="2013-07-21T21:08:41Z" comment="Added Droid 4 page" contentformat="text/x-wiki" contentmodel="wikitext" xml:space="preserve">__NOTOC__
==== About this site ====
{| cellspacing=5 cellpadding=15 border=0 valign="top" width=100%
| width=50% style="vertical-align:top"|
This wiki documents our research on the internals of the Motorola Droid-family phones (including Milestone).
These phones are:
# '''Motorola Milestone''' (our primary target)
# Motorola Milestone 2
# Motorola Defy (MB525)
# Motorola Defy+ (MB526)
| width=50% style="vertical-align:top"|
{|
|style="vertical-align:top"|
[[Image:community.png]]
|style="vertical-align:top"|
'''<span style="font-variant:small-caps; font-size:150%">Community</span>'''<br /><small>Join our community! Discuss with us. </small><small><hr /> [[Credits | Our team]] | [irc://irc.freenode.net/#milestone-modding Our IRC channel] | [http://188.40.36.100/logbot/ <span title="Thanks to Skrilax_CZ.">IRC log #1</span>] | [http://milestone.bekaakut.de/ <span title="There is now a new channel log. Thanks to rebel1">IRC log #2</span>] | [http://mmlogs.doshaska.net/ <span title="Backup log. Started 23.09.2011.">IRC log #3</span>] | [http://gitorious.org/+droid-developers Our projects on Gitorious] | [http://hg.droid-developers.org/ Our projects on Bitbucket]</small>
|}
{|
|style="vertical-align:top"|
[[Image:hardware.png]]
|style="vertical-align:top"|
'''<span style="font-variant:small-caps; font-size:150%">Hardware</span>'''<br /><small>All about device internals: PCB, chips </small><small><hr />[[device_information|Overview]] | [[Motorola Milestone | Milestone]] | [[Motorola Droid | Droid]] | [[Motorola Droid X | Droid X]] | [[Motorola Droid 2 | Droid 2]] | [[Motorola Milestone 2 | Milestone 2]] | [[Motorola Droid 4 | Droid 4]] | [[Motorola Sholes Tablet XT701 | Sholes Tablet XT701]] | [[Motorola Milestone XT720 | Milestone XT720]] | [[Motorola Titanium XT800 | Titanium XT800]] | [[Motorola Ruth ME511 | Ruth ME511]] | [[Motorola Charm | Charm]] | [[Motorola Atrix | Atrix]] | [[Motorola DEXT | DEXT]] | [[Motorola Defy | Defy]]</small>
|}
{|
|style="vertical-align:top"|
[[Image:reverse.gif]]
|style="vertical-align:top"|
'''<span style="font-variant:small-caps; font-size:150%">For developers</span>'''<br /><small>Useful information for experts and beginners </small><small><hr />[[Toolchain]] | [[CyanogenMod]] | [[Compiling]] | [[Debugging]] | [[QEMU]] </small>
|}
|}
==== Information for volunteers ====
If you are a developer and have a code project for the Droid family of smartphones (e.g. Milestone), join us on [http://gitorious.org/+droid-developers Gitorious].
Even if you're not the technical type, you too can help us mod the Milestone by participating in the [[Custom_recovery:pr_attack|PR campaign to force Motorola to unlock it]].
If you're the technical type, see our [[roadmap|Roadmap]] and the progress in our [[projects|Projects]].
See the [[content|content index here]].
{| cellspacing=5 cellpadding=15 border=0 valign="top" width=100%
| width=50% style="vertical-align:top"|
{|
|style="vertical-align:top"|
[[Image:reverse.gif]]
|style="vertical-align:top"|
'''<span style="font-variant:small-caps; font-size:150%">Bootloader Unlock</span>'''<br /><small>Research on how to unlock the boot process for the Application Processor </small><small><hr />[[Booting chain]] | [[Security]] | [[Cryptography]] | [http://gitorious.org/+droid-developers/droid/reversed IDA databases of bootloaders] | [[Disassembling]] </small>
|-
|style="vertical-align:top"|
|style="vertical-align:top"|
The [[modes|recovery image]] hasn't yet been [http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images modified] because we currently cannot control [[Booting chain|the boot process]]. We cannot alter the boot process so far because there seems to be a digital signature on each of its components. It seems the bootloader (mbm in particular; neither lbl nor mbmloader accesses the CDT, see [[Booting chain|here]] and [https://opensource.motorola.com/sf/discussion/do/listPosts/projects.milestone/discussion.general_comments.topc2012?_pagenum=2 here]) uses the [[CDT|CDT partition table]] to check whether the recovery has been signed correctly. If not, the recovery won't start at all and the [[modes|bootloader mode]] is shown instead.
* '''[[2ndboot]]'''
* '''[[Vulnerability hunting]]'''
* '''[[open_recovery | Open Recovery]]'''
* '''[[2ndinit]]'''
|}
| width=50% style="vertical-align:top"|
{|
|style="vertical-align:top"|
[[Image:baseband.png]]
|style="vertical-align:top"|
'''<span style="font-variant:small-caps; font-size:150%">Baseband Research</span>'''<br /><small>All our research on the baseband and RF parts of these phones</small><small><hr />[[GSM/CDMA-chain|GSM/UMTS & CDMA Milestone/Droid structure]]</small>
|-
|style="vertical-align:top"|
|style="vertical-align:top"|
We have RTXC OS running on the [[Wrigley 3G]] modem, which consists of an ARM core and a [[TMS320C55x+]] DSP core.
Our main problem is that Motorola uses a non-standard RIL, which is partially implemented on the AP side.
Our second problem is that [[TMS320C55x+]] is a closed platform, and no datasheets for it are available.
It is very different from the original [[TMS320C55x]] architecture and has different opcodes.
However, the [http://rada.re/ radare2] utility supports this platform and can do disassembly and simple analysis (you must use the version from git).
We also have the '''asm55p''' utility from TI, which can produce a binary from TMS320 assembler.
* '''[[Baseband Processor Boot ROM]]'''
* '''[[BP firmware]]'''
* '''[[Texas Instruments Wrigley 3G]]'''
* '''[[GSM/CDMA-chain]]'''
|}
|
|}
== '''[[2ndboot]]''' ==
A miniature bootloader that is called from the original kernel and boots a custom one. As of 11/10/2012, '''czechop''' created a patch to keep the Wrigley 3G modem working under the child kernel (when called at “sh hijack” time). No issues on Motorola Milestone with the child kernel.
== '''[[Vulnerability hunting]]''' ==
As far as we know now, this attack is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might allow us to find some exploitable vulnerability in order to gain control of the boot process. Since we already have the source code for lbl, it might be useful too. Mike Baker ([mbm]) has written a [http://pastebin.ca/raw/1833228 user mode memory dumper] and dumped the Droid public ROM. As we found, all ROMs for the omap3430 are identical. The same holds for the omap3630. See here: [[Booting chain|Boot chain]]
== '''[[open_recovery | Open Recovery]]''' ==
Uses the payload exploit to start the custom recovery application. Supports rooting the phone from the menu, as well as taking backups and flashing unsigned update *.zip files. Also runs ADB.
== '''[[2ndinit]]''' ==
This basically injects code into /init to make it "restart itself", allowing you to use a custom init binary and init.rc scripts without side effects.</rev>
</revisions>
</page>
</pages>
</query>
</api>