This wiki documents our research on the Motorola Droid-family phones (incuding Milestone) internals. This phones are:
Here you can see hardware information about this phones: description
Join us on the #milestone-modding channel of the Freenode IRC network.
If you are a developer and have some code-project for the Droid family of smartphones(e.g. Milestone) - enjoy as on Gitorious
If you're technical type - see our Roadmap and progress in our Projects. See the content index here.
The recovery image hasn't yet been modified due to our current impossibility of controlling the boot process. We cannot alter the boot process so far because there seems to be a digital signature on each of its components. The bootloader3) uses the cdt partition table to check if the recovery has been signed correctly. If not, the recovery won't start at all and the bootloader mode shows instead of it.
Several ways of attacking this protection scheme have been proposed to get some degree of control of the boot process. Here's a quick estimation of success probability for each method, considering the information we have as of October 2012 and ordered by decreasing efficiency:
|Method||Usefulness||Difficulty to attempt||Chance of success||Status|
|2ndboot||Very high||Medium||Done||A minature bootloader that is called from the original kernel and boots custom one. czechop created a patch to keep Wrigley 3G modem working under the child kernel (when called at “sh hijack” time). No issues on Motorola Milestone with the child kernel.|
|Vulnerability hunt||Maximum||Hard||Unknown||As far as we know now this attack is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might allow us to find some exploitable vulnerability in order to gain control of the boot process. Since we already have the source code for lbl, it might be useful too. Mike Baker([mbm]) has written a user mode memory dumper and dumped Droid public ROM. As we found - all roms for omap3430 are identical. Same situation for the omap3630. See here: Boot chain|
|Open Recovery||Medium||Done||Uses the payload exploit to start the custom recovery application. Supports rooting the phone from menu, as well as taking backups and flashing unsigned update *.zip files. Also runs ADB.|
|2ndinit||Medium||Done||“Restarts” init using code injection. This allows using custom init scripts clean way. Also allows custom recovery for XT720 and other models not having a vulnerable recovery.|