Main Page
About this site
This wiki documents our research on the internals of the Motorola Droid-family phones (including the Milestone). These phones are:
Information for volunteers
If you are a developer and have a code project for the Droid family of smartphones (e.g. the Milestone), join us on Gitorious.
Even if you are not the technical type, you can still help us mod the Milestone by taking part in the PR campaign to force Motorola to unlock it.
If you are the technical type, see our Roadmap and our progress in Projects.
See the content index here.
2ndboot
This attack is currently by far the most promising and convenient one. Several developers have recently pursued it in at least three independent attempts. All of them face the same significant roadblock: hardware initialization. There are a couple of ideas for tackling it, but at the time of writing it is still a work in progress. See custom_recovery:alternative_methods#kexec_attack for more information about previous attempts.
Vulnerability hunting
As far as we know now, this attack is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might turn up an exploitable vulnerability that gives us control of the boot process. Since we already have the source code for lbl, it might be useful too. Mike Baker ([mbm]) has written a memory dumper and dumped the Droid's public ROM. We found that all ROMs for the OMAP3430 are identical; the same holds for the OMAP3630. See the Boot chain page.
Bruteforce
This would be a distributed computation to recover the 1024-bit RSA private key that signs the bootloaders and kernel images; with that key we could sign our own. Note that "brute force" here really means factoring the 1024-bit public modulus: the largest general RSA modulus factored publicly so far (RSA-768, in 2009) took a multi-institution effort amounting to roughly 2000 CPU-years, and a 1024-bit modulus is estimated to be on the order of a thousand times harder, so this approach should not be counted on.
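As an added illustration (this is not code from this wiki or from any of the projects it lists), the following Python shows what "computing the RSA secret key" consists of: factoring the public modulus n into p and q, deriving the private exponent d from them, and then signing an image of our choosing so that it passes the public-key check. The key, modulus, image bytes and the names used here are constructed toy values (a 40-bit modulus built from two 20-bit primes), so Pollard's rho factors it instantly; the expected_rho_steps helper only shows how that same factoring step scales to 1024 bits.

```python
"""
Added example (not the wiki's own code): what recovering an RSA signing key
from its public half (n, e) actually involves, on a toy modulus that is
small enough to factor in milliseconds.

Once p and q are known the private exponent d follows directly, and anyone
holding d can produce signatures that the public key accepts. Pollard's rho
is used as the factoring step; it is fine for a ~40-bit n and hopeless at
1024 bits, which is the whole point of the exercise.
"""
import hashlib
import math
import random


def is_prime(n: int) -> bool:
    """Trial division; adequate for the ~20-bit toy primes used below."""
    if n < 2:
        return False
    for f in range(2, math.isqrt(n) + 1):
        if n % f == 0:
            return False
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def pollard_rho(n: int, seed: int = 2) -> int:
    """Return a non-trivial factor of composite n (Floyd-cycle Pollard rho)."""
    if n % 2 == 0:
        return 2
    rng = random.Random(seed)
    while True:
        c = rng.randrange(1, n)

        def step(x: int) -> int:
            return (x * x + c) % n

        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = step(x)
            y = step(step(y))
            d = math.gcd(abs(x - y), n)
        if d != n:          # d == n means the walk cycled without a split; retry
            return d


def recover_private_exponent(n: int, e: int) -> tuple[int, int, int]:
    """Factor n and return (p, q, d) with d*e == 1 mod lcm(p-1, q-1)."""
    p = pollard_rho(n)
    q = n // p
    assert p * q == n and 1 < p < n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # Carmichael lambda(n)
    d = pow(e, -1, lam)                                  # modular inverse (Python >= 3.8)
    return min(p, q), max(p, q), d


def sign(message: bytes, d: int, n: int) -> int:
    """Textbook RSA signature over SHA-256(message) reduced mod n. Real
    bootloaders wrap the hash in a padding scheme (PKCS#1 v1.5 or PSS);
    the key recovery above is identical for those."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(message: bytes, sig: int, e: int, n: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(sig, e, n) == h


# Constructed toy "vendor" key: two consecutive primes just above 2**20 and the
# usual public exponent. Assumption: these bear no relation to any real key.
TOY_P = next_prime(1 << 20)
TOY_Q = next_prime(TOY_P + 1)
TOY_N = TOY_P * TOY_Q
TOY_E = 65537


def forge_signature(message: bytes, n: int = TOY_N, e: int = TOY_E) -> int:
    """Attacker path: factor n, derive d, sign an image of our choosing."""
    _, _, d = recover_private_exponent(n, e)
    return sign(message, d, n)


def expected_rho_steps(bits: int) -> float:
    """Rough Pollard-rho cost for a balanced modulus of the given size:
    about sqrt(p) = 2**(bits/4) modular multiplications. This shows the
    scaling only; GNFS beats rho for large n but is still out of reach for
    a volunteer grid at 1024 bits."""
    return 2.0 ** (bits / 4)


if __name__ == "__main__":
    img = b"constructed example: unsigned kernel image bytes"
    p, q, d = recover_private_exponent(TOY_N, TOY_E)
    print(f"factored n={TOY_N}: p={p}, q={q}, d={d}")
    s = forge_signature(img)
    print("forged signature verifies:", verify(img, s, TOY_E, TOY_N))
    print(f"rho steps, 40-bit n: ~{expected_rho_steps(40):.0e}; "
          f"1024-bit n: ~{expected_rho_steps(1024):.0e}")
```

The block factors the toy modulus and forges a verifying signature in well under a second; the last line of output is the useful part, since the 1024-bit figure is what any distributed attempt would have to pay, before even considering that a real effort would use a sieve rather than rho.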
Open Recovery
Open Recovery uses the payload exploit to start a custom recovery application. It supports rooting the phone from a menu, taking backups and flashing unsigned update *.zip files, and it also runs ADB.
2ndinit
2ndinit injects code into the running /init process to make it "restart itself", which lets you use a custom init binary and init.rc scripts without side effects.