This wiki documents our research on the internals of the Motorola Droid-family phones (including the Milestone). These phones are:
Hardware information about these phones can be found here: description
IRC:
Join us on the #milestone-modding channel of the Freenode IRC network.
Channel logs:
- See the automatic channel log here 1)
- There is now a new channel log here 2)
If you are a developer and have a code project for the Droid family of smartphones (e.g. Milestone), join us on Gitorious.
If you're the technical type, see our Roadmap and the progress in our Projects.
See the content index here.
The recovery image has not yet been modified because we currently have no way of controlling the boot process. We cannot alter the boot process so far because every one of its components appears to carry a digital signature. The bootloader3) uses the cdt partition table to check whether the recovery has been signed correctly; if it has not, the recovery does not start at all and the phone shows bootloader mode instead.
Several ways of attacking this protection scheme have been proposed in order to gain some degree of control over the boot process. Here is a quick estimate of the chance of success for each method, based on the information we have as of October 2012 and ordered by decreasing effectiveness:
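To make the check described above concrete, here is an added model of a signature-gated recovery boot. It is not Motorola's bootloader code and the real cdt layout and signature algorithm are not documented on this page; the `cdtEntry` struct, the use of Ed25519 over a SHA-256 digest, and the image bytes are all assumptions made for illustration. What it does show is the decision a modder runs into: a patched recovery fails the check, and re-signing it with your own key fails too, because the trust anchor is the vendor key baked into the bootloader.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// BootResult is the model bootloader's decision when asked to start the recovery.
type BootResult int

const (
	BootRecovery   BootResult = iota // signature valid: hand off to the recovery image
	BootloaderMode                   // signature missing or invalid: stay in bootloader mode
)

func (r BootResult) String() string {
	if r == BootRecovery {
		return "boot recovery"
	}
	return "bootloader mode"
}

// cdtEntry models what the bootloader needs from the descriptor table for one
// partition: the image and the signature recorded for it. This layout is an
// assumption for the example; the real cdt format is not described on this page.
type cdtEntry struct {
	Name      string
	Image     []byte
	Signature []byte
}

// Bootloader holds the trust anchor: the vendor public key baked into the bootloader.
type Bootloader struct {
	VendorKey ed25519.PublicKey
}

// verify checks the recorded signature over the SHA-256 digest of the image.
func (b Bootloader) verify(e cdtEntry) error {
	if len(e.Signature) != ed25519.SignatureSize {
		return errors.New("no usable signature recorded for " + e.Name)
	}
	digest := sha256.Sum256(e.Image)
	if !ed25519.Verify(b.VendorKey, digest[:], e.Signature) {
		return errors.New("signature check failed for " + e.Name)
	}
	return nil
}

// BootRecoveryImage is the decision described on the page: the recovery starts
// only if its cdt entry carries a valid vendor signature, otherwise bootloader mode shows.
func (b Bootloader) BootRecoveryImage(cdt map[string]cdtEntry) BootResult {
	e, ok := cdt["recovery"]
	if !ok || b.verify(e) != nil {
		return BootloaderMode
	}
	return BootRecovery
}

// signImage is the vendor side. Only the holder of the private key can produce
// an entry that verifies, which is exactly what a modder lacks.
func signImage(priv ed25519.PrivateKey, name string, img []byte) cdtEntry {
	digest := sha256.Sum256(img)
	return cdtEntry{Name: name, Image: img, Signature: ed25519.Sign(priv, digest[:])}
}

// Scenario builds a vendor key pair, a signed stock recovery, a patched copy and a
// copy re-signed with a modder's key, and returns the bootloader's decision for each.
func Scenario() (stock, patched, resigned BootResult) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bl := Bootloader{VendorKey: pub}

	// Constructed stand-in for the stock recovery image bytes.
	stockImg := []byte("constructed stock recovery image")
	cdt := map[string]cdtEntry{"recovery": signImage(priv, "recovery", stockImg)}
	stock = bl.BootRecoveryImage(cdt)

	// A modder changes one byte but cannot re-sign: the recorded signature no longer verifies.
	patchedImg := append([]byte(nil), stockImg...)
	patchedImg[0] ^= 0xff
	e := cdt["recovery"]
	e.Image = patchedImg
	cdt["recovery"] = e
	patched = bl.BootRecoveryImage(cdt)

	// The modder re-signs with a key of their own: the anchor is the vendor key, so this fails too.
	_, modPriv, _ := ed25519.GenerateKey(rand.Reader)
	cdt["recovery"] = signImage(modPriv, "recovery", patchedImg)
	resigned = bl.BootRecoveryImage(cdt)
	return stock, patched, resigned
}

func main() {
	s, p, r := Scenario()
	fmt.Println("stock recovery:         ", s)
	fmt.Println("patched recovery:       ", p)
	fmt.Println("re-signed with own key: ", r)
}
```

This is why the approaches in the table below either start from something the bootloader has already verified and trusts (2ndboot and 2ndinit run from the signed kernel and init) or would need a flaw in the verifier itself (the vulnerability hunt).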
| Method | Usefulness | Difficulty to attempt | Chance of success / Status | Notes |
|---|---|---|---|---|
| 2ndboot | Very high | Medium | Done | A miniature bootloader that is called from the original kernel and boots a custom one. czechop created a patch to keep the Wrigley 3G modem working under the child kernel (when called at “sh hijack” time). No issues on the Motorola Milestone with the child kernel. |
| Vulnerability hunt | Maximum | Hard | Unknown | As far as we know now, this attack is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might turn up an exploitable vulnerability that gives control of the boot process. Since we already have the source code for lbl, it might be useful too. Mike Baker ([mbm]) has written a user-mode memory dumper and dumped the Droid public ROM. As we found, all ROMs for the OMAP3430 are identical, and the same holds for the OMAP3630. See here: Boot chain |
| Open Recovery | Medium | | Done | Uses the payload exploit to start the custom recovery application. Supports rooting the phone from the menu, as well as taking backups and flashing unsigned update *.zip files. Also runs ADB. |
| 2ndinit | Medium | | Done | “Restarts” init using code injection. This allows custom init scripts to be used in a clean way. Also allows a custom recovery on the XT720 and other models that do not have a vulnerable recovery. |