About this site
This wiki documents our research on the Motorola Droid-family phones (including Milestone) internals. This phones are:
Here you can see hardware information about this phones: smartphones internals, detail hardware review
Information for volunteers
If you are a developer and have some code-project for the Droid family of smartphones(e.g. Milestone) - enjoy as on Gitorious
Even if you're not the technical type, you too can help us mod the Milestone by participating in the PR campaign to force Motorola to unlock it.
See the content index here.
The recovery image hasn't yet been modified due to our current impossibility of controlling the boot process. We cannot alter the boot process so far because there seems to be a digital signature on each of its components. It seems the bootloader (mbm in particular (neither lbl nor mbmloader access the CDT). See here and here.) uses the cdt partition table to check if the recovery has been signed correctly. If not, the recovery won't start at all and the bootloader mode shows instead of it.
Several ways of attacking this protection scheme have been proposed to get some degree of control of the boot process. Here's a quick estimation of success probability for each method, considering the information we have as of 10/Mar/2010 and ordered by decreasing efficiency:
|Method||Usefulness||Difficulty to attempt||Chance of success||Status|
|2ndboot||Very high||Medium||Very high||This attack right now is by far the most promising and convenient. Recently a few developers have pursued this approach in at least three independent attempts. All face a significant roadblock: hardware initialization. There are a couple of ideas about tackling it, but it is still a work in progress at the time of this writing. See more information about previous attempts custom_recovery:alternative_methods#kexec_attack here. None of these attempts work yet!
Latest attempt: Yakk patched 2nd-boot to make it work on the Milestone, but his source code remains partly unpublished at this time. Status: boots another kernel, which Yakk has also patched to get serial output over the USB connector (using custom hardware to connect to it). Currently the booted kernel has some problems with USB and fails to initialize the phone's modem so it crashes. See published code and binaries: here (build number 1.03) and here (build number 2.31). All current development of 2ndboot now going here When GSM is disabled this kexec module is able to boot the system with the recompiled kernel, but it is not really useful as a phone then. WiFi works fine, though. Yakk is now trying to use 2ndboot to start a patched version of mbm, which should be able to initialize the modem and then pass control to a custom Linux kernel. This is still under development, so don't get too excited. We'll keep you posted.
|Vulnerability hunt||Maximum||Hard||Unknown||user mode memory dumper] and dumped Droid public ROM. As we found - all roms for omap3430 are identical. Same situation for the omap3630. See here: Boot chain|
|Open Recovery||Medium||Done||Uses the payload exploit to start the custom recovery application. Supports rooting the phone from menu, as well as taking backups and flashing unsigned update *.zip files. Also runs ADB.|
All other methods now deprecated after monthes of researching and now only part of the history: alternative ways (deprecated)