Difference between revisions of "Main Page"

m (fixed mercurial url)
Line 42: Line 42:
'''<span style="font-variant:small-caps; font-size:150%">For developers</span>'''<br /><small>Useful information for experts and beginners </small><small><hr />[[Toolchain]] | [[MOTOROFL]] | [[Compiling]] | [[Debugging]] | [[QEMU]] </small>
'''<span style="font-variant:small-caps; font-size:150%">For developers</span>'''<br /><small>Useful information for experts and beginners </small><small><hr />[[Toolchain]] | [[CyanogenMod]] | [[Compiling]] | [[Debugging]] | [[QEMU]] </small>
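Review bot: the edit summary "fixed mercurial url" does not describe this hunk, whose only visible change is the [[MOTOROFL]] link in the developers box being replaced by [[CyanogenMod]]; the summary should state the link swap so the page history stays searchable, and if [[MOTOROFL]] is still a live project page, its removal from the developers box deserves a mention.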

Revision as of 19:59, 12 July 2011

About this site

This wiki documents our research on the internals of the Motorola Droid-family phones (including the Milestone). These phones are:

  1. Motorola Milestone (our primary target)
  2. Motorola Milestone 2
  3. Motorola Droid
  4. Motorola Droid X
  5. Motorola Droid 2
  6. Motorola MOTOROI/Milestone XT720
  7. Motorola Sholes Tablet XT701
  8. Motorola Titanium XT800
  9. Motorola Ruth ME511 (a.k.a. Flipout)
  10. Motorola Charm (MB502)


Join our community! Discuss with us.
Our team | Our IRC channel | IRC log #1 | IRC log #2 | IRC log #3 | IRC log #4 | Our projects on Gitorious | Our projects on Bitbucket


All about device internals - PCB, chips
Overview | Milestone | Droid | Droid X | Droid 2 | Milestone 2 | Sholes Tablet XT701 | Milestone XT720 | Titanium XT800 | Ruth ME511 | Charm | Atrix


For developers
Useful information for experts and beginners
Toolchain | CyanogenMod | Compiling | Debugging | QEMU

Information for volunteers

If you are a developer and have a code project for the Droid family of smartphones (e.g. Milestone), join us on Gitorious.

Even if you're not the technical type, you can still help us mod the Milestone by participating in the PR campaign to push Motorola to unlock it.

If you're the technical type, see our Roadmap and our progress in our Projects.

See the content index here.


Bootloader Unlock
Research on how to unlock the boot process of the Application Processor
Booting chain | Security | Cryptography | IDA databases of bootloaders | Disassembling

The recovery image has not yet been modified because we currently cannot control the boot process. We cannot alter the boot process so far because each of its components appears to carry a digital signature. The bootloader (mbm in particular; neither lbl nor mbmloader accesses the CDT, see here and here) appears to use the cdt partition table to check whether the recovery has been correctly signed. If it has not, the recovery does not start at all and bootloader mode is shown instead.


Baseband Research
All our research on the baseband and RF parts of these phones
GSM/UMTS & CDMA Milestone/Droid structure

We have the RTXC OS running on the Wrigley 3G modem, which consists of an ARM core and a TMS320C55x+ DSP core. Our main problem is that Motorola uses a non-standard RIL, which is partially implemented on the AP side. Our second problem is that the TMS320C55x+ is a closed platform, and no datasheets are available for it. It differs considerably from the original TMS320C55x architecture and has different opcodes. We only have the asm55p utility from TI, which can produce binaries from TMS320 assembler. So fully reverse engineering it is a very important task. File:Asm55p.idb.bz2


This attack is currently by far the most promising and convenient. Recently a few developers have pursued this approach in at least three independent attempts. All face a significant roadblock: hardware initialization. There are a couple of ideas for tackling it, but it is still a work in progress at the time of this writing. See more information about previous attempts here: custom_recovery:alternative_methods#kexec_attack.

Vulnerability hunting

As far as we know now, this attack is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might allow us to find an exploitable vulnerability and so gain control of the boot process. Since we already have the source code for lbl, it might be useful too. Mike Baker ([mbm]) has written a memory dumper and dumped the Droid public ROM. We found that all ROMs for the OMAP3430 are identical, and the same holds for the OMAP3630. See here: Boot chain


This is a distributed computation to recover the 1024-bit RSA secret key, which could then be used to sign our own bootloaders and kernel images.

Open Recovery

Uses the payload exploit to start the custom recovery application. It supports rooting the phone from a menu, as well as taking backups and flashing unsigned update *.zip files. It also runs ADB.


This tool injects code into /init to make it "restart itself", allowing you to use a custom init binary and init.rc scripts without side effects.