According to the cdt table and the boot chain, the mbm_backup is not signed.
If we could modify the mbm_backup and get the mbm_loader to boot it correctly, then we could try to write our own mbm_backup and make it skip the cdt partition check for the boot and recovery images.
Edit: Static code analysis by yakk has found this hypothesis to be flawed. In his own words, “mbmloader loads both mbm and mbmbackup to check their security versions, in order to upgrade mbmbackup if its version is lower, or to restore mbm if its security version was lowered. This doesn't allow to downgrade mbm. And mbmloader knows nothing about cdt and always tries to load mbm or mbmbackup from fixed addresses and check signature.” It seems Motorola trusted their ability to prevent users from gaining root, thereby preventing both mbm and mbmbackup from being downgraded at the same time (which would succeed in downgrading mbm).
According to [mbm] (not the partition, but the user on #milestone-modding), he got an OTA update which updated his mbm. He then checked his mbm_backup and it is equal to the mbm partition (even though the OTA update didn't touch it).
We think (this has not been checked!) the mbm_loader would do these things (read from left to right) if the mbm is not valid:
There must be something that checks whether mbm is valid; if it is, it seems to copy the mbm over to the mbm_backup (only if they differ?).
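The following is an added simulation, not code from this page or from Motorola, of the mbmloader policy yakk describes above and of the observation that mbm_backup ends up equal to mbm after an OTA update. It models both slots as images at two fixed addresses, verifies each, and then reconciles security versions. Everything concrete in it is an assumption: the signature is stood in for by HMAC-SHA256 under a constructed key (the real scheme is not described here), the flash addresses are made up, and the behaviour when mbm itself fails verification (fall back to a verified mbm_backup) is our guess for the gap marked "not checked" above.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed key standing in for the vendor's signing key; HMAC is only a
# placeholder for whatever signature scheme the real mbmloader checks.
VENDOR_KEY = b"constructed-vendor-key"

# Hypothetical fixed flash addresses, as yakk says the loader ignores cdt.
MBM_ADDR = 0x1000
MBM_BACKUP_ADDR = 0x2000


@dataclass
class Image:
    security_version: int
    payload: bytes
    tag: bytes  # signature stand-in (HMAC over version || payload)


def _msg(security_version, payload):
    return security_version.to_bytes(4, "big") + payload


def sign(security_version, payload, key=VENDOR_KEY):
    """Produce a 'vendor-signed' image (simulation only)."""
    return Image(security_version, payload,
                 hmac.new(key, _msg(security_version, payload), hashlib.sha256).digest())


def verify(img):
    expected = hmac.new(VENDOR_KEY, _msg(img.security_version, img.payload),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, img.tag)


def mbmloader(flash):
    """Model of the described policy. Mutates `flash` (a dict addr -> Image)
    and returns which slot is booted, or 'halt'."""
    mbm = flash.get(MBM_ADDR)
    backup = flash.get(MBM_BACKUP_ADDR)
    mbm_ok = mbm is not None and verify(mbm)
    backup_ok = backup is not None and verify(backup)

    if mbm_ok and backup_ok:
        if backup.security_version < mbm.security_version:
            flash[MBM_BACKUP_ADDR] = mbm        # upgrade the backup
        elif mbm.security_version < backup.security_version:
            flash[MBM_ADDR] = backup            # mbm was lowered: restore it
        return "boot:mbm"
    if mbm_ok:
        flash[MBM_BACKUP_ADDR] = mbm            # hypothesis from the notes above
        return "boot:mbm"
    if backup_ok:
        flash[MBM_ADDR] = backup                # assumption: fall back to backup
        return "boot:backup"
    return "halt"                               # nothing verifies: refuse to boot


def make_flash(mbm_ver, backup_ver):
    return {MBM_ADDR: sign(mbm_ver, b"mbm-payload"),
            MBM_BACKUP_ADDR: sign(backup_ver, b"mbm-payload")}


def scenario_ota_sync():
    """OTA rewrites only mbm; the loader brings the backup up to match."""
    flash = make_flash(1, 1)
    flash[MBM_ADDR] = sign(2, b"mbm-payload-v2")
    mbmloader(flash)
    return (flash[MBM_ADDR].security_version,
            flash[MBM_BACKUP_ADDR].security_version)


def scenario_unsigned_backup():
    """An unsigned mbm_backup fails verification and is overwritten from mbm."""
    flash = make_flash(2, 2)
    flash[MBM_BACKUP_ADDR] = Image(2, b"patched", b"\x00" * 32)
    action = mbmloader(flash)
    resynced = verify(flash[MBM_BACKUP_ADDR]) and \
        flash[MBM_BACKUP_ADDR].payload == flash[MBM_ADDR].payload
    return (action, resynced)


def scenario_mbm_downgrade():
    """A genuine but older mbm alone is undone by the newer backup."""
    flash = make_flash(2, 2)
    flash[MBM_ADDR] = sign(1, b"mbm-payload-old")
    action = mbmloader(flash)
    return (action, flash[MBM_ADDR].security_version)


def scenario_both_invalid():
    flash = {MBM_ADDR: Image(9, b"x", b"\x00" * 32),
             MBM_BACKUP_ADDR: Image(9, b"y", b"\x00" * 32)}
    return mbmloader(flash)


if __name__ == "__main__":
    print(scenario_ota_sync(), scenario_unsigned_backup(),
          scenario_mbm_downgrade(), scenario_both_invalid())
```

The point of the simulation is the last two scenarios: a lowered or unsigned image in either single slot is corrected from the other, so the design only yields when both slots are rewritten together, which is exactly what [mbm]'s post-OTA observation and yakk's analysis imply.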
Questions:
We need to modify the mbm_backup in order to get the mbm_backup to load our unsigned boot/recovery images.
Ideas:
Problems:
We need to find a way which mbm_loader would call mbm_backup instead of mbm.
Ideas:
Problems: