Main Page

Revision as of 12:50, 12 August 2010 by XVilka (Talk | contribs)

Jump to: navigation, search

About this site

This wiki documents our research on the Motorola Droid-family phones (including Milestone) internals. This phones are:

  • Motorola Milestone (our primary target)
  • Motorola Droid
  • Motorola Droid X
  • Motorola Droid 2
  • Motorola MOTOROI/Milestone XT720
  • Motorola Sholes Tablet XT701
  • Motorola Titanium XT800
  • Motorola Ruth ME511

Here you can see hardware information about this phones: description


Join us on the #milestone-modding channel of the Freenode IRC network.

Channel logs:

- See the automatic channel log here (Starts on Jan 21 2010, 11:33:51 UTC. Refreshes every 15 minutes. Timezone: UTC+1. Thanks to Kasperle.).

- There's also a manual copy of the channel log here (Starts on Jan 21 2010, 13:09:10 UTC. Timezone: UTC-6. Thanks to Orgg.).

- There's another log here (Starts on Jan 22 2010, 18:05:42 UTC. Gap between Feb 4 2010, 12:46:55 UTC and Feb 6 2010, 11:54:55 UTC. Stopped working on March 26 2010. Timezone: UTC+1. Thanks to xinix88.) which doesn't work anymore.

- There is now a new channel log here Thanks to rebel1.

If you are a developer and have some code-project for the Droid family of smartphones(e.g. Milestone) - enjoy as on Gitorious

Even if you're not the technical type, you too can help us mod the Milestone by participating in the PR campaign to force Motorola to unlock it.

If you're technical type - see our Roadmap and progress in our Projects.

See the content index here.

Main Operation System Modding

The recovery image hasn't yet been modified due to our current impossibility of controlling the boot process. We cannot alter the boot process so far because there seems to be a digital signature on each of its components. It seems the bootloader (mbm in particular (neither lbl nor mbmloader access the CDT). See here and here.) uses the cdt partition table to check if the recovery has been signed correctly. If not, the recovery won't start at all and the bootloader mode shows instead of it.

Several ways of attacking this protection scheme have been proposed to get some degree of control of the boot process. Here's a quick estimation of success probability for each method, considering the information we have as of 10/Mar/2010 and ordered by decreasing efficiency:

Method Usefulness Difficulty to attempt Chance of success Status
2ndboot Very high Medium Very high This attack right now is by far the most promising and convenient. Recently a few developers have pursued this approach in at least three independent attempts. All face a significant roadblock: hardware initialization. There are a couple of ideas about tackling it, but it is still a work in progress at the time of this writing. See more information about previous attempts custom_recovery:alternative_methods#kexec_attack here. None of these attempts work yet!

Latest attempt: Yakk patched 2nd-boot to make it work on the Milestone, but his source code remains partly unpublished at this time. Status: boots another kernel, which Yakk has also patched to get serial output over the USB connector (using custom hardware to connect to it). Currently the booted kernel has some problems with USB and fails to initialize the phone's modem so it crashes. See published code and binaries: here (build number 1.03) and here (build number 2.31). All current development of 2ndboot now going here When GSM is disabled this kexec module is able to boot the system with the recompiled kernel, but it is not really useful as a phone then. WiFi works fine, though. Yakk is now trying to use 2ndboot to start a patched version of mbm, which should be able to initialize the modem and then pass control to a custom Linux kernel. This is still under development, so don't get too excited. We'll keep you posted.

Vulnerability hunt Maximum Hard Unknown user mode memory dumper] and dumped Droid public ROM. As we found - all roms for omap3430 are identical. Same situation for the omap3630. See here: Boot chain
Open Recovery Medium Done Uses the payload exploit to start the custom recovery application. Supports rooting the phone from menu, as well as taking backups and flashing unsigned update *.zip files. Also runs ADB.

All other methods now deprecated after monthes of researching and now only part of the history: alternative ways (deprecated)

Baseband Operation System Modding

GSM/UMTS & CDMA Milestone/Droid structure