Difference between revisions of "Main Page"

From MILEDROPEDIA

m (Added Droid 4 page)
(50 intermediate revisions by 8 users not shown)

The two-column diff is given below as wikitext, hunk by hunk: first the older revision's side of the hunk, then the newer revision's side.

Line 1 (older revision):

==== About this site ====

This wiki documents our research on the internals of the Motorola Droid-family phones (including the Milestone).
These phones are:

* '''Motorola Milestone''' (our primary target)
* Motorola Droid
* Motorola Droid X
* Motorola Droid 2
* Motorola MOTOROI/Milestone XT720
* Motorola Sholes Tablet XT701
* Motorola Titanium XT800
* Motorola Ruth ME511

Hardware information about these phones: [[device_information|description]]

'''IRC:'''

Join us on the #milestone-modding channel of the Freenode IRC network.

Channel logs:

- The automatic channel log is [http://www.damogran.de/milestone-modding/ here] (starts on Jan 21 2010, 11:33:51 UTC; refreshes every 15 minutes; timezone UTC+1; thanks to Kasperle).
- There is also a manual copy of the channel log [http://bacon.ojnk.org/milestone-modding.log here] (starts on Jan 21 2010, 13:09:10 UTC; timezone UTC-6; thanks to Orgg).
- Another log [http://milestone.denhaas.info/ here] (starts on Jan 22 2010, 18:05:42 UTC; gap between Feb 4 2010, 12:46:55 UTC and Feb 6 2010, 11:54:55 UTC; timezone UTC+1; thanks to xinix88) stopped working on March 26 2010 and is no longer updated.
- There is now a new channel log [http://milestone.bekaakut.de/ here]; thanks to rebel1.

If you are a developer with a code project for the Droid family of smartphones (e.g. the Milestone), join us on [http://gitorious.org/+droid-developers Gitorious].

Even if you're not the technical type, you too can help us mod the Milestone by participating in the [[Custom_recovery:pr_attack|PR campaign to force Motorola to unlock it]].

Line 1 (newer revision):

__NOTOC__

==== About this site ====

{| cellspacing=5 cellpadding=15 border=0 valign="top" width=100%
| width=50% style="vertical-align:top"|
This wiki documents our research on the internals of the Motorola Droid-family phones (including the Milestone).
These phones are:

# '''Motorola Milestone''' (our primary target)
# Motorola Milestone 2
# Motorola Defy (MB525)
# Motorola Defy+ (MB526)

| width=50% style="vertical-align:top"|
{|
|style="vertical-align:top"|
[[Image:community.png]]
|style="vertical-align:top"|
'''<span style="font-variant:small-caps; font-size:150%">Community</span>'''<br /><small>Join our community! Discuss with us. </small><small><hr /> [[Credits | Our team]] | [irc://irc.freenode.net/#milestone-modding Our IRC channel] | [http://188.40.36.100/logbot/ <span title="Thanks to Skrilax_CZ.">IRC log #1</span>] | [http://milestone.bekaakut.de/ <span title="There is now a new channel log. Thanks to rebel1">IRC log #2</span>] | [http://mmlogs.doshaska.net/ <span title="Backup log. Started 23.09.2011.">IRC log #3</span>] | [http://gitorious.org/+droid-developers Our projects on Gitorious] | [http://hg.droid-developers.org/ Our projects on Bitbucket]</small>
|}

{|
|style="vertical-align:top"|
[[Image:hardware.png]]
|style="vertical-align:top"|
'''<span style="font-variant:small-caps; font-size:150%">Hardware</span>'''<br /><small>All about the devices' internals: PCB, chips </small><small><hr />[[device_information|Overview]] | [[Motorola Milestone | Milestone]] | [[Motorola Droid | Droid]] | [[Motorola Droid X | Droid X]] | [[Motorola Droid 2 | Droid 2]] | [[Motorola Milestone 2 | Milestone 2]] | [[Motorola Droid 4 | Droid 4]] | [[Motorola Sholes Tablet XT701 | Sholes Tablet XT701]] | [[Motorola Milestone XT720 | Milestone XT720]] | [[Motorola Titanium XT800 | Titanium XT800]] | [[Motorola Ruth ME511 | Ruth ME511]] | [[Motorola Charm | Charm]] | [[Motorola Atrix | Atrix]] | [[Motorola DEXT | DEXT]] | [[Motorola Defy | Defy]]</small>
|}

{|
|style="vertical-align:top"|
[[Image:reverse.gif]]
|style="vertical-align:top"|
'''<span style="font-variant:small-caps; font-size:150%">For developers</span>'''<br /><small>Useful information for experts and beginners </small><small><hr />[[Toolchain]] | [[CyanogenMod]] | [[Compiling]] | [[Debugging]] | [[QEMU]] </small>
|}
|}

==== Information for volunteers ====

If you are a developer with a code project for the Droid family of smartphones (e.g. the Milestone), join us on [http://gitorious.org/+droid-developers Gitorious].

Even if you're not the technical type, you too can help us mod the Milestone by participating in the [[Custom_recovery:pr_attack|PR campaign to force Motorola to unlock it]].

Line 37 (older revision):

See the [[content|content index here]].

==== Main Operation System Modding ====

The [[modes:recovery_mode|recovery image]] has not been [http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images modified] yet because we cannot control [[boot:boot_chain|the boot process]]. Each component of the boot chain appears to carry a digital signature. The bootloader (mbm in particular; neither lbl nor mbmloader accesses the CDT, see [[boot:boot_chain|here]] and [https://opensource.motorola.com/sf/discussion/do/listPosts/projects.milestone/discussion.general_comments.topc2012?_pagenum=2 here]) apparently uses the [[CDT|cdt partition table]] to check whether the recovery image is correctly signed. If the check fails, the recovery does not start at all and the phone drops into [[modes:bootloader_mode|bootloader mode]] instead.

Several ways of attacking this protection scheme have been proposed to gain some degree of control over the boot process. Here is a rough estimate of each method's chance of success, based on the information we have as of 10/Mar/2010 and ordered by decreasing effectiveness:

{| border="1" cellpadding="0" cellspacing="0"
! Method
! Usefulness
! Difficulty to attempt
! Chance of success
! Status
|-
|[[custom_rom:2ndboot|2ndboot]]
|Very high
|Medium
|Very high
|This attack is currently by far the most promising and convenient. Recently a few developers have pursued this approach in at least three independent attempts. All face a significant roadblock: hardware initialization. There are a [http://android.git.kernel.org/?p=kernel/omap.git;a=blob;f=arch/arm/mach-omap2/prcm.c;h=86c3fe328f51736ee4139b59654252021f3d90a2;hb=refs/heads/android-omap-2.6.29-eclair#l129 couple] of [https://patchwork.kernel.org/patch/82291/ ideas] about tackling it, but it is still a work in progress at the time of this writing. See more information about previous attempts [[custom_recovery:alternative_methods#kexec_attack|here]]. '''None of these attempts work yet!'''

Latest attempt: '''Yakk''' patched 2nd-boot to make it work on the Milestone, but his source code remains partly unpublished at this time. Status: it boots another kernel, which Yakk has also patched to get serial output over the USB connector (using custom hardware to connect to it). Currently the booted kernel has problems with USB and fails to initialize the phone's modem, so it crashes. Published code and binaries: [http://www.droid-developers.org/files/2ndboot.rar here (build number 1.03)] and [http://www.droid-developers.org/files/uploads/kern0231.rar here (build number 2.31)]. All current 2ndboot development now takes place [http://hg.droid-developers.org/droiddev/2ndboot here]. When GSM is disabled this kexec module is able to boot the system with the recompiled kernel, but it is not really useful as a phone then. WiFi works fine, though. Yakk is now trying to use 2ndboot to start a patched version of mbm, which should be able to initialize the modem and then pass control to a custom Linux kernel. This is still under development, so don't get too excited. We'll keep you posted.
|-
|[[custom_rom:exploit|Vulnerability hunt]]
|Maximum
|Hard
|Unknown
|As far as we know, this attack is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might uncover an exploitable vulnerability that gives control of the boot process. Since we already have the source code for lbl, that may be useful too. Mike Baker ([mbm]) has written a [http://pastebin.ca/raw/1833228 user-mode memory dumper] and dumped the Droid's public boot ROM. As we found, all boot ROMs of the omap3430 are identical; the same holds for the omap3630. See here: [[boot:boot_chain|Boot chain]]
|-
|[[open_recovery|Open Recovery]]
|Medium
|
|Done
|Uses the payload exploit to start the custom recovery application. It supports rooting the phone from the menu, taking backups and flashing unsigned update *.zip files. It also runs ADB.
|}

All other methods are now deprecated after months of research and are only part of the history: [[custom_recovery:alternative_methods|alternative ways (deprecated)]]

==== Baseband Operation System Modding ====

[[hardware:gsm_cdma_chain|GSM/UMTS & CDMA Milestone/Droid structure]]

Line 51 (newer revision):

See the [[content|content index here]].

{| cellspacing=5 cellpadding=15 border=0 valign="top" width=100%
| width=50% style="vertical-align:top"|
{|
|style="vertical-align:top"|
[[Image:reverse.gif]]
|style="vertical-align:top"|
'''<span style="font-variant:small-caps; font-size:150%">Bootloader Unlock</span>'''<br /><small>Research on how to unlock the boot process of the Application Processor </small><small><hr />[[Booting chain]] | [[Security]] | [[Cryptography]] | [http://gitorious.org/+droid-developers/droid/reversed IDA databases of bootloaders] | [[Disassembling]] </small>
|-
|style="vertical-align:top"|
|style="vertical-align:top"|
The [[modes|recovery image]] has not been [http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images modified] yet because we cannot control [[Booting chain|the boot process]]. Each component of the boot chain appears to carry a digital signature. The bootloader (mbm in particular; neither lbl nor mbmloader accesses the CDT, see [[Booting chain|here]] and [https://opensource.motorola.com/sf/discussion/do/listPosts/projects.milestone/discussion.general_comments.topc2012?_pagenum=2 here]) apparently uses the [[CDT|cdt partition table]] to check whether the recovery image is correctly signed. If the check fails, the recovery does not start at all and the phone drops into [[modes|bootloader mode]] instead.

* '''[[2ndboot]]'''
* '''[[Vulnerability hunting]]'''
* '''[[open_recovery | Open Recovery]]'''
* '''[[2ndinit]]'''
|}

| width=50% style="vertical-align:top"|
{|
|style="vertical-align:top"|
[[Image:baseband.png]]
|style="vertical-align:top"|
'''<span style="font-variant:small-caps; font-size:150%">Baseband Research</span>'''<br /><small>All our research on the baseband and RF part of these phones</small><small><hr />[[GSM/CDMA-chain|GSM/UMTS & CDMA Milestone/Droid structure]]</small>
|-
|style="vertical-align:top"|
|style="vertical-align:top"|
The [[Wrigley 3G]] modem runs the RTXC OS; it consists of an ARM core and a [[TMS320C55x+]] DSP core.
Our main problem is that Motorola uses a non-standard RIL, part of which is implemented on the AP side.
Our second problem is that the [[TMS320C55x+]] is a closed platform with no public datasheets.
It differs considerably from the original [[TMS320C55x]] architecture and has different opcodes.
The [http://rada.re/ radare2] utility does support this platform, however, and can disassemble it and do simple analysis (use the version from git).
We also have the '''asm55p''' utility from TI, which assembles TMS320 assembler into a binary.

* '''[[Baseband Processor Boot ROM]]'''
* '''[[BP firmware]]'''
* '''[[Texas Instruments Wrigley 3G]]'''
* '''[[GSM/CDMA-chain]]'''
|}
|
|}

== '''[[2ndboot]]''' ==

A miniature bootloader that is called from the original kernel and boots a custom one. As of 11/10/2012, '''czechop''' created a patch that keeps the Wrigley 3G modem working under the child kernel (when 2ndboot is called at “sh hijack” time). No issues with the child kernel are known on the Motorola Milestone.

== '''[[Vulnerability hunting]]''' ==

As far as we know, this attack is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might uncover an exploitable vulnerability that gives control of the boot process. Since we already have the source code for lbl, that may be useful too. Mike Baker ([mbm]) has written a [http://pastebin.ca/raw/1833228 user-mode memory dumper] and dumped the Droid's public boot ROM. As we found, all boot ROMs of the omap3430 are identical; the same holds for the omap3630. See here: [[Booting chain|Boot chain]]

== '''[[open_recovery | Open Recovery]]''' ==

Uses the payload exploit to start the custom recovery application. It supports rooting the phone from the menu, taking backups and flashing unsigned update *.zip files. It also runs ADB.

== '''[[2ndinit]]''' ==

2ndinit injects code into /init that makes it "restart itself", so you can use a custom init binary and custom init.rc scripts without side effects.
Latest revision as of 21:08, 21 July 2013


About this site

This wiki documents our research on the internals of the Motorola Droid-family phones (including the Milestone). These phones are:


  1. Motorola Milestone (our primary target)
  2. Motorola Milestone 2
  3. Motorola Defy (MB525)
  4. Motorola Defy+ (MB526)


Community
Join our community! Discuss with us.
Our team | Our IRC channel | IRC log #1 | IRC log #2 | IRC log #3 | Our projects on Gitorious | Our projects on Bitbucket


Hardware
All about the devices' internals: PCB, chips
Overview | Milestone | Droid | Droid X | Droid 2 | Milestone 2 | Droid 4 | Sholes Tablet XT701 | Milestone XT720 | Titanium XT800 | Ruth ME511 | Charm | Atrix | DEXT | Defy


For developers
Useful information for experts and beginners
Toolchain | CyanogenMod | Compiling | Debugging | QEMU

Information for volunteers

If you are a developer with a code project for the Droid family of smartphones (e.g. the Milestone), join us on Gitorious.

Even if you're not the technical type, you too can help us mod the Milestone by participating in the PR campaign to force Motorola to unlock it.

If you are the technical type, see our Roadmap and the progress of our Projects.

See the content index here.


Bootloader Unlock
Research on how to unlock the boot process of the Application Processor
Booting chain | Security | Cryptography | IDA databases of bootloaders | Disassembling

The recovery image has not been modified yet because we cannot control the boot process. Each component of the boot chain appears to carry a digital signature. The bootloader (mbm in particular; neither lbl nor mbmloader accesses the CDT, see here and here) apparently uses the CDT partition table to check whether the recovery image is correctly signed. If the check fails, the recovery does not start at all and the phone drops into bootloader mode instead.


Baseband Research
All our research on the baseband and RF part of these phones
GSM/UMTS & CDMA Milestone/Droid structure

The Wrigley 3G modem runs the RTXC OS; it consists of an ARM core and a TMS320C55x+ DSP core. Our main problem is that Motorola uses a non-standard RIL, part of which is implemented on the AP side. Our second problem is that the TMS320C55x+ is a closed platform with no public datasheets. It differs considerably from the original TMS320C55x architecture and has different opcodes. The radare2 utility does support this platform, however, and can disassemble it and do simple analysis (use the version from git). We also have the asm55p utility from TI, which assembles TMS320 assembler into a binary.

2ndboot

A miniature bootloader that is called from the original kernel and boots a custom one. As of 11/10/2012, czechop created a patch that keeps the Wrigley 3G modem working under the child kernel (when 2ndboot is called at “sh hijack” time). No issues with the child kernel are known on the Motorola Milestone.

Vulnerability hunting

As far as we know, this attack is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might uncover an exploitable vulnerability that gives control of the boot process. Since we already have the source code for lbl, that may be useful too. Mike Baker ([mbm]) has written a user-mode memory dumper and dumped the Droid's public boot ROM. As we found, all boot ROMs of the OMAP3430 are identical; the same holds for the OMAP3630. See here: Boot chain
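The ROM dump step above, as an added example that is not [mbm]'s dumper: a user-mode tool that maps a physical address window through /dev/mem, writes it to a file, and fingerprints the result so that dumps taken on two phones can be compared (the "all OMAP3430 ROMs are identical" finding is exactly that comparison). The OMAP34xx public ROM window used as the default (0x40014000, 48 KiB) is taken from the OMAP34xx memory map and is an assumption of this example, not something the page states; the file and function names are invented here as well. It needs root and a kernel that lets /dev/mem expose the window (CONFIG_STRICT_DEVMEM refuses RAM but normally still allows device and ROM ranges).

```c
/* rom_dump.c - user-mode dump of a physical address window through /dev/mem.
 * Added example, not the dumper referenced on the page. Assumes Linux, root,
 * and a kernel that lets /dev/mem expose the requested window. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Assumed OMAP34xx on-chip public ROM window (OMAP34xx memory map, not the
 * page): 0x40014000..0x4001FFFF. */
#define OMAP34XX_PUBLIC_ROM_BASE 0x40014000ULL
#define OMAP34XX_PUBLIC_ROM_SIZE 0xC000UL

/* 32-bit FNV-1a: a cheap fingerprint for "do two dumps match?" checks.
 * Not a cryptographic hash; confirm a match with cmp or sha256sum. */
uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Fingerprint a dump file. *ok is cleared when the file cannot be read. */
uint32_t fnv1a32_file(const char *path, int *ok)
{
    uint8_t buf[4096];
    uint32_t h = 0x811C9DC5u;
    size_t n;
    FILE *f = fopen(path, "rb");
    *ok = 0;
    if (!f) return 0;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        for (size_t i = 0; i < n; i++) { h ^= buf[i]; h *= 0x01000193u; }
    *ok = !ferror(f);
    fclose(f);
    return *ok ? h : 0;
}

/* Map [base, base+len) of devpath read-only and copy it to outpath.
 * mmap offsets must be page aligned, so the mapping is widened down to the
 * enclosing page and the leading slack is skipped when copying. Returns the
 * number of bytes written, or -1 with errno set (EPERM usually means the
 * kernel refused the window, not that the address is wrong). */
long dump_physical(const char *devpath, uint64_t base, size_t len, const char *outpath)
{
    uint64_t page = (uint64_t)sysconf(_SC_PAGESIZE);
    uint64_t map_base = base & ~(page - 1);
    size_t slack = (size_t)(base - map_base);
    size_t map_len = slack + len;
    int saved;

    int fd = open(devpath, O_RDONLY | O_SYNC);
    if (fd < 0) return -1;
    void *m = mmap(NULL, map_len, PROT_READ, MAP_SHARED, fd, (off_t)map_base);
    saved = errno;
    close(fd);
    if (m == MAP_FAILED) { errno = saved; return -1; }

    FILE *out = fopen(outpath, "wb");
    if (!out) { saved = errno; munmap(m, map_len); errno = saved; return -1; }
    size_t written = fwrite((const uint8_t *)m + slack, 1, len, out);
    int bad = ferror(out);
    bad |= (fclose(out) != 0);
    munmap(m, map_len);
    if (bad || written != len) { errno = EIO; return -1; }
    return (long)written;
}

int main(int argc, char **argv)
{
    /* rom_dump out.bin [base_hex len_hex]; defaults to the assumed OMAP34xx window */
    if (argc != 2 && argc != 4) {
        fprintf(stderr, "usage: %s out.bin [base_hex len_hex]\n", argv[0]);
        return 2;
    }
    uint64_t base = argc == 4 ? strtoull(argv[2], NULL, 16) : OMAP34XX_PUBLIC_ROM_BASE;
    size_t len = argc == 4 ? (size_t)strtoull(argv[3], NULL, 16) : OMAP34XX_PUBLIC_ROM_SIZE;
    long n = dump_physical("/dev/mem", base, len, argv[1]);
    if (n < 0) { perror("dump_physical"); return 1; }
    int ok;
    uint32_t h = fnv1a32_file(argv[1], &ok);
    printf("dumped %ld bytes from 0x%llx to %s, fnv1a32=%08x\n",
           n, (unsigned long long)base, argv[1], ok ? h : 0u);
    return 0;
}
```

Run it as root with only an output file name to dump the assumed OMAP34xx window, or pass an explicit hex base and length for another SoC. Compare the printed fnv1a32 values between devices: identical ROMs give identical values, but treat a match only as a hint and diff the dump files themselves before concluding anything. Because dump_physical takes the device path as a parameter, the alignment handling can be exercised against an ordinary file standing in for /dev/mem.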

Open Recovery

Uses the payload exploit to start the custom recovery application. It supports rooting the phone from the menu, taking backups and flashing unsigned update *.zip files. It also runs ADB.
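What "unsigned update *.zip" means in practice, as an added example that is not Open Recovery's code: stock Android recovery only accepts a package whose zip comment ends in a 6-byte footer (signature start, 0xFFFF marker, comment size) pointing at a PKCS#7 blob inside the comment, and the signature covers the whole file except the comment and the EOCD's comment-length field. The checker below parses that footer and the end-of-central-directory record the way Android's verifier does, including the check that no second EOCD marker is hidden in the tail, and reports whether a package even carries a signature; it does not verify the PKCS#7 blob itself. build_sample_zip constructs a minimal zip tail for demonstration, with a dummy blob that is not a real signature; the names and the sample bytes are invented here.

```c
/* ota_footer.c - detect the whole-file signature on an Android update.zip.
 * Added example; not Open Recovery's code. The layout follows Android's
 * recovery verifier: the zip comment ends with a 6-byte footer
 *   [0..1] signature_start (LE, bytes from EOF to the start of the PKCS#7 blob)
 *   [2..3] 0xFF 0xFF marker
 *   [4..5] comment_size (LE)
 * and the signature covers everything up to the EOCD's comment-length field. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ota_sig_status {
    OTA_SIGNED = 0,     /* footer present and consistent with the EOCD */
    OTA_NO_FOOTER,      /* no 0xFFFF marker: an unsigned zip */
    OTA_TOO_SHORT,      /* cannot even hold an EOCD plus a footer */
    OTA_BAD_EOCD,       /* comment_size does not lead to exactly one PK\5\6 */
    OTA_BAD_SIG_OFFSET  /* blob would be empty or lie outside the comment */
};

struct ota_footer {
    uint16_t signature_start;
    uint16_t comment_size;
    size_t   signed_len;    /* bytes covered by the signature */
};

static const uint8_t EOCD_MAGIC[4] = { 'P', 'K', 0x05, 0x06 };

enum ota_sig_status ota_inspect(const uint8_t *zip, size_t len, struct ota_footer *out)
{
    if (len < 22 + 6) return OTA_TOO_SHORT;
    const uint8_t *f = zip + len - 6;
    if (f[2] != 0xFF || f[3] != 0xFF) return OTA_NO_FOOTER;
    uint16_t sig_start = (uint16_t)(f[0] | (f[1] << 8));
    uint16_t comment   = (uint16_t)(f[4] | (f[5] << 8));
    size_t eocd_size = (size_t)comment + 22;
    if (eocd_size > len) return OTA_BAD_EOCD;

    const uint8_t *eocd = zip + len - eocd_size;
    if (memcmp(eocd, EOCD_MAGIC, 4) != 0) return OTA_BAD_EOCD;
    /* the EOCD's own comment-length field must agree with the footer */
    if ((uint16_t)(eocd[20] | (eocd[21] << 8)) != comment) return OTA_BAD_EOCD;
    /* a second PK\5\6 in the tail would let another zip parser pick a
       different EOCD, and therefore different, unsigned entries */
    for (size_t i = 4; i + 4 <= eocd_size; i++)
        if (memcmp(eocd + i, EOCD_MAGIC, 4) == 0) return OTA_BAD_EOCD;
    /* the PKCS#7 blob is the sig_start bytes before EOF minus the footer;
       it must be non-empty and lie inside the comment */
    if (sig_start <= 6 || sig_start > comment) return OTA_BAD_SIG_OFFSET;

    if (out) {
        out->signature_start = sig_start;
        out->comment_size = comment;
        out->signed_len = len - comment - 2;
    }
    return OTA_SIGNED;
}

/* Constructed sample: stand-in archive bytes plus a 22-byte EOCD, optionally
 * followed by a comment holding a dummy blob (not a real PKCS#7) and the
 * footer. Returns the total length, or 0 if cap is too small. */
size_t build_sample_zip(uint8_t *buf, size_t cap, int want_sig)
{
    static const char body[] = "constructed-archive-bytes";      /* 25 bytes */
    static const uint8_t blob[6] = { 0x30, 0x82, 0x01, 0x00, 0x06, 0x09 };
    size_t body_len = sizeof body - 1;
    size_t comment = want_sig ? sizeof blob + 6 : 0;
    size_t total = body_len + 22 + comment;
    if (total > cap) return 0;
    uint8_t *p = buf;
    memcpy(p, body, body_len); p += body_len;
    memset(p, 0, 22);
    memcpy(p, EOCD_MAGIC, 4);
    p[20] = (uint8_t)comment; p[21] = (uint8_t)(comment >> 8);
    p += 22;
    if (want_sig) {
        uint16_t sig_start = (uint16_t)(sizeof blob + 6);   /* blob + footer */
        memcpy(p, blob, sizeof blob); p += sizeof blob;
        p[0] = (uint8_t)sig_start; p[1] = (uint8_t)(sig_start >> 8);
        p[2] = 0xFF; p[3] = 0xFF;
        p[4] = (uint8_t)comment; p[5] = (uint8_t)(comment >> 8);
    }
    return total;
}

int main(void)
{
    uint8_t z[128];
    struct ota_footer f;
    size_t n = build_sample_zip(z, sizeof z, 1);
    enum ota_sig_status s = ota_inspect(z, n, &f);
    printf("signed sample: status %d, comment %u, sig_start %u, signed_len %zu\n",
           (int)s, f.comment_size, f.signature_start, f.signed_len);
    n = build_sample_zip(z, sizeof z, 0);
    printf("unsigned sample: status %d\n", (int)ota_inspect(z, n, NULL));
    return 0;
}
```

To check a real package, read the whole file into memory and call ota_inspect on it: OTA_NO_FOOTER is the ordinary "unsigned zip" that stock recovery rejects and Open Recovery accepts, while OTA_BAD_EOCD or OTA_BAD_SIG_OFFSET on a package that claims to be signed is worth a closer look, since those are the inconsistencies a verifier must refuse before it trusts any entry in the archive.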

2ndinit

2ndinit injects code into /init that makes it "restart itself", so you can use a custom init binary and custom init.rc scripts without side effects.