http://www.droid-developers.org/api.php?action=feedcontributions&user=Wikiadmin&feedformat=atomMILEDROPEDIA - User contributions [en]2024-03-28T18:19:45ZUser contributionsMediaWiki 1.23.2http://www.droid-developers.org/wiki/MediaWiki:SidebarMediaWiki:Sidebar2011-10-25T00:37:09Z<p>Wikiadmin: fixes for sidebar</p>
<hr />
<div>* navigation<br />
** mainpage|mainpage-description<br />
** http://www.droid-developers.org/wiki/2ndboot | 2ndboot<br />
** http://www.droid-developers.org/wiki/Vulnerability_hunting | Vulnerability hunting<br />
** http://www.droid-developers.org/wiki/Open_recovery | Open Recovery<br />
** http://www.droid-developers.org/wiki/2ndinit | 2ndinit<br />
** recentchanges-url|recentchanges<br />
* SEARCH<br />
* see also<br />
** http://www.omappedia.org/ | OMAPpedia<br />
** http://bb.osmocom.org/trac/ | OsmocomBB<br />
** http://openbsc.osmocom.org/trac/ | OpenBSC<br />
** http://www.ti.com/ | Texas Instruments<br />
** https://opensource.motorola.com | OpenSource Motorola<br />
** http://source.android.com/ | Android<br />
* TOOLBOX<br />
* LANGUAGES</div>Wikiadminhttp://www.droid-developers.org/wiki/File:Atrix_Second_Side.jpgFile:Atrix Second Side.jpg2011-05-28T20:02:53Z<p>Wikiadmin: </p>
<hr />
<div></div>Wikiadminhttp://www.droid-developers.org/wiki/File:Atrix_One_Side.jpgFile:Atrix One Side.jpg2011-05-28T20:01:51Z<p>Wikiadmin: </p>
<hr />
<div></div>Wikiadminhttp://www.droid-developers.org/wiki/Motorola_AtrixMotorola Atrix2011-05-28T20:01:04Z<p>Wikiadmin: </p>
<hr />
<div>== FCC information ==<br />
<br />
FCC ID: IHDP56LS1<br />
<br />
== Parts list ==<br />
<br />
* CPU = [[Nvidia Tegra 2]]<br />
* Modem = [[Qualcomm MDM6200]]<br />
* Qualcomm PM8028<br />
* Triquint TQM7M5013<br />
* Broadcom BCM4329<br />
* Memory = [[Hynix H8BCS0QG0MMR]]<br />
* Power/Audio = [[Texas Instruments TWL5030]] Power Management (Catalog name '''TPS65950''')<br />
* Backlight = [[National Semiconductor LM3532]]<br />
* Magnetometer and Temperature sensor = [[Asahi Kasei Microsystems AK8975]]<br />
* Tap/Double Tap detector = [[Kionix KXTF9]]<br />
<br />
<br />
== PCB photos ==<br />
<br />
[[File:Atrix_One_Side.jpg]]<br />
[[File:Atrix_Second_Side.jpg]]<br />
<br />
== CPU ==<br />
<br />
<pre><br />
Processor : ARMv7 Processor rev 0 (v7l)<br />
processor : 0<br />
BogoMIPS : 1998.84<br />
<br />
Features : swp half thumb fastmult vfp edsp vfpv3 vfpv3d16<br />
CPU implementer : 0x41<br />
CPU architecture: 7<br />
CPU variant : 0x1<br />
CPU part : 0xc09<br />
CPU revision : 0<br />
<br />
Hardware : Olympus<br />
Revision : 83f0<br />
Serial : 027c108040a02297<br />
<br />
cat /proc/bootinfo<br />
POWERUPREASON : 0x00004000<br />
BL_VERSION : 0x00000007<br />
UBOOT_VERSION : 0x00000000<br />
CID_RECOVER_BOOT : 0x00<br />
</pre><br />
<br />
== Interrupts ==<br />
<br />
cat /proc/interrupts<br />
<pre><br />
CPU0 CPU1<br />
36: 1 0 PPI NvOsIrqKern0036<br />
46: 1120 0 PPI mmc1<br />
51: 0 0 PPI mmc2<br />
52: 2626 0 PPI tegra-otg, ehci_h<br />
61: 0 0 PPI NvOsIrqKern0061<br />
62: 2579 0 PPI NvOsIrqKern0062<br />
63: 61885 0 PPI mmc0<br />
70: 28244 0 PPI NvOsIrqKern0070<br />
73: 33 0 PPI timer0<br />
74: 48502 0 PPI timer_lp2wake<br />
85: 4414 0 PPI NvOsIrqKern0085<br />
86: 129276 0 PPI NvOsIrqKern0086<br />
91: 0 0 PPI NvOsIrqKern0091<br />
109: 0 0 PPI mc_status<br />
114: 127 0 PPI NvOsIrqKern0114<br />
115: 0 0 PPI NvOsIrqKern0115<br />
116: 0 0 PPI NvOsIrqKern0116<br />
117: 0 0 PPI tegra-kbc<br />
118: 11330 0 PPI cpcap-irq<br />
122: 1317 0 PPI tegra_uart_3<br />
124: 0 0 PPI NvOsIrqKern0124<br />
129: 554 0 PPI ehci_hcd:usb2<br />
136: 0 0 PPI dma_channel_0<br />
137: 0 0 PPI dma_channel_1<br />
138: 0 0 PPI dma_channel_2<br />
139: 480 0 PPI dma_channel_3<br />
140: 0 0 PPI dma_channel_4<br />
141: 466 0 PPI dma_channel_5<br />
142: 87 0 PPI dma_channel_6<br />
143: 90 0 PPI dma_channel_7<br />
144: 2 0 PPI dma_channel_8<br />
145: 18 0 PPI dma_channel_9<br />
146: 6 0 PPI dma_channel_10<br />
147: 0 0 PPI dma_channel_11<br />
148: 0 0 PPI dma_channel_12<br />
149: 0 0 PPI dma_channel_13<br />
150: 0 0 PPI dma_channel_14<br />
151: 0 0 PPI dma_channel_15<br />
192: 629 0 GPIO uart_wake_host<br />
217: 0 0 GPIO NvOsIrqKern0217<br />
225: 2260 0 GPIO isl29030_als_ir<br />
226: 0 0 GPIO akm8975<br />
237: 565 0 GPIO ts_intr<br />
261: 0 0 GPIO mmc2<br />
281: 0 0 GPIO spi_mrdy<br />
288: 25468 0 GPIO mdm_ctrl<br />
289: 0 0 GPIO mdm_ctrl<br />
293: 226 0 GPIO aes_int<br />
344: 0 0 GPIO mdm_ctrl<br />
362: 1 0 GPIO mdm_ctrl<br />
363: 19 0 GPIO kxtf9_irq<br />
IPI: 11834 28925<br />
LOC: 107529 10926<br />
Err: 0<br />
</pre><br />
<br />
== Iomem ==<br />
<br />
cat /proc/iomem<br />
<pre><br />
00000000-13ffffff : System RAM<br />
0003a000-005fffff : Kernel text<br />
00600000-00730917 : Kernel data<br />
20000000-29ffffff : System RAM<br />
2a000000-3fffffff : System RAM<br />
50000000-50023fff : host1x<br />
50000000-50023fff : tegra_grhost<br />
54040000-5407ffff : mpe<br />
54040000-5407ffff : tegra_grhost<br />
54080000-540bffff : vi<br />
54080000-540bffff : tegra_grhost<br />
54100000-5413ffff : isp<br />
54100000-5413ffff : tegra_grhost<br />
54200000-5423ffff : display<br />
54200000-5423ffff : tegra_grhost<br />
54240000-5427ffff : display2<br />
54240000-5427ffff : tegra_grhost<br />
58000000-59ffffff : tegra_gart<br />
70006040-7000605f : serial<br />
7000e200-7000e2ff : tegra-kbc<br />
7000e200-7000e2ff : tegra-kbc<br />
7000f000-7000f3ff : tegra_gart<br />
c5000000-c5003fff : tegra-udc.0<br />
c5000000-c5003fff : tegra-ehci.0<br />
c5000000-c5003fff : tegra-otg.0<br />
c5000000-c5003fff : tegra-udc<br />
c5008000-c500bfff : tegra-ehci.2<br />
c5008000-c500bfff : tegra-ehci.2<br />
c8000000-c80001ff : tegra-sdhci.0<br />
c8000000-c80001ff : tegra-sdhci.0<br />
c8000400-c80005ff : tegra-sdhci.2<br />
c8000400-c80005ff : tegra-sdhci.2<br />
c8000600-c80007ff : tegra-sdhci.3<br />
c8000600-c80007ff : tegra-sdhci.3<br />
</pre><br />
<br />
== Devices ==<br />
<br />
cat /proc/devices<br />
<pre><br />
Character devices:<br />
1 mem<br />
4 /dev/vc/0<br />
4 tty<br />
4 ttyS<br />
5 /dev/tty<br />
5 /dev/console<br />
5 /dev/ptmx<br />
7 vcs<br />
10 misc<br />
13 input<br />
21 sg<br />
29 fb<br />
66 ttySPI<br />
89 i2c<br />
90 mtd<br />
108 ppp<br />
128 ptm<br />
136 pts<br />
166 ttyACM<br />
180 usb<br />
188 ttyUSB<br />
189 usb_device<br />
216 rfcomm<br />
234 ts0710mux<br />
249 hidraw<br />
250 ttyGS<br />
251 usbmon<br />
252 ttyHS<br />
253 nvhost<br />
254 rtc<br />
<br />
Block devices:<br />
259 blkext<br />
7 loop<br />
8 sd<br />
11 sr<br />
31 mtdblock<br />
65 sd<br />
66 sd<br />
67 sd<br />
68 sd<br />
69 sd<br />
70 sd<br />
71 sd<br />
128 sd<br />
129 sd<br />
130 sd<br />
131 sd<br />
132 sd<br />
133 sd<br />
134 sd<br />
135 sd<br />
179 mmc<br />
254 device-mapper<br />
</pre><br />
== Partitions ==<br />
<pre><br />
major minor #blocks name Label <br />
179 0 15541760 mmcblk0<br />
179 1 3584 mmcblk0p1 (bootloader,ptable,microboot+sig+free)<br />
179 2 512 mmcblk0p2 (BCT)<br />
179 3 2048 mmcblk0p3 pds type=ext2<br />
179 4 1 mmcblk0p4 <br />
179 5 1024 mmcblk0p5<br />
179 6 512 mmcblk0p6<br />
179 7 512 mmcblk0p7<br />
179 8 1024 mmcblk0p8<br />
179 9 2048 mmcblk0p9 <br />
179 10 8192 mmcblk0p10 <br />
179 11 8192 mmcblk0p11 <br />
179 12 327680 mmcblk0p12 system type=ext3<br />
179 13 786432 mmcblk0p13 type=ext3<br />
179 14 20480 mmcblk0p14 MOTOROLA TYPE=iso9660<br />
179 15 655360 mmcblk0p15 type=ext3<br />
179 16 2097152 mmcblk0p16 type=ext3<br />
179 17 353280 mmcblk0p17 preinstall sec_type=ext2 type=ext3<br />
179 18 11233792 mmcblk0p18 MB860 type=vfat<br />
</pre><br />
<pre><br />
CG2 no 22,528 Partition table<br />
CG5 sig 20845608 Radio<br />
CG42 sig 3145728 MOSTLY EMPTY<br />
CG44 sig 3145728 Bootloader?<br />
CG47 sig 262144 Microboot (Engine and Slot for hashing in microboot priv.c)<br />
<br />
rdl.bin ?????????<br />
ptable ?????????<br />
CDT.bin ?????????<br />
BCT.bin ?????????<br />
PT.bin ?????????<br />
EBT.bin ?????????<br />
MBR.bin ?????????<br />
EBB.bin ?????????<br />
NVC.bin ?????????<br />
mmcblk0p1 3670016 <br />
CG3 mmcblk0p2 ext2 CDT.??? 524288 points 0x0000 androidboot.bootloader<br />
100% mmcblk0p3 PDS.bin 2097152 Persistent Data Storage<br />
mmcblk0p4 EBR.bin 1024 Extended Boot Record?<br />
100% mmcblk0p5 SP.bin 1048576 Signature<br />
mmcblk0p6 CID.bin 524288 UNKNOWN?<br />
mmcblk0p7 MSC.bin 524288 Misc?<br />
100% CG53 mmcblk0p8 LOG.bin no 1048576 Logo (boot)<br />
100% mmcblk0p9 KPA.bin 2097152 Kernel Panic Data<br />
100% CG55 mmcblk0p10 ext3 SOS.bin sig 8388608 Recovery<br />
100% CG56 mmcblk0p11 ext3 LNX.bin sig 8388608 Boot Image - Linux zImage + Ramdisk<br />
100% CG57 mmcblk0p12 ext3 APP.bin sig 335544320 System<br />
100% CG58 mmcblk0p13 ext3 OSH.bin sig 805306368 OSH WebTop<br />
100% CG59 mmcblk0p14 HFS CDR.bin sig 20971520 CDROM (Motorola Helper)<br />
100% mmcblk0p15 ext3 CAC.bin 671088640 Cache image<br />
100% mmcblk0p16 ext3 UDA.bin 2147483648 Userdata image<br />
100% CG62 mmcblk0p17 ext3 PIA.bin 361758720 Preinstalled image<br />
100% mmcblk0p18 fat SDC.bin 11233792k Internal SDCARD<br />
EBF.bin ??????<br />
NVF.bin ??????<br />
<br />
<br />
512k ? CDT/EBR/CID/MSC/MBR<br />
CG50,CG51,CG52,CG54,CG60,GG61 are empty<br />
</pre><br />
<pre><br />
mount<br />
rootfs / rootfs ro,relatime 0 0<br />
tmpfs /dev tmpfs rw,relatime,mode=755 0 0<br />
devpts /dev/pts devpts rw,relatime,mode=600 0 0<br />
proc /proc proc rw,relatime 0 0<br />
sysfs /sys sysfs rw,relatime 0 0<br />
none /acct cgroup rw,relatime,cpuacct 0 0<br />
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0<br />
none /dev/cpuctl cgroup rw,relatime,cpu 0 0<br />
/dev/block/mmcblk0p12 /system ext3 ro,noatime,nodiratime,data=ordered 0 0<br />
/dev/block/mmcblk0p16 /data ext3 rw,nosuid,nodev,relatime,data=ordered 0 0<br />
/dev/block/mmcblk0p15 /cache ext3 rw,nosuid,nodev,relatime,data=ordered 0 0<br />
/dev/block/mmcblk0p3 /pds ext2 rw,nosuid,noexec,relatime 0 0<br />
/dev/block/mmcblk0p13 /osh ext3 rw,relatime,errors=continue,data=ordered 0 0<br />
tmpfs /osh/lib/init/rw tmpfs rw,nosuid,relatime,mode=755 0 0<br />
varrun /osh/var/run tmpfs rw,nosuid,relatime,mode=755 0 0<br />
varlock /osh/var/lock tmpfs rw,nosuid,nodev,noexec,relatime 0 0<br />
securityfs /sys/kernel/security securityfs rw,relatime 0 0<br />
/dev/block/mmcblk0p17 /preinstall ext3 ro,noatime,nodiratime,data=ordered 0 0<br />
/proc /osh/proc proc rw,relatime 0 0<br />
</pre><br />
<br />
== Downloads ==<br />
Relevant downloads from http://gitbrew.org/atrix/<br />
<br />
<pre><br />
Tegra Documentation (From NVIDIA) - http://gititbit.ch/aDj8<br />
Olympus Engineering Device Dump - http://gititbit.ch/aEd2<br />
Tegra Crypto Engine Source Snapshot - http://gititbit.ch/tces1<br />
OLYFR U4 1.5.2 /system dump - http://gititbit.ch/aOw2<br />
Olympus Kernel Source - http://gititbit.ch/aOw3<br />
Handset_USB_Driver_32_v4.9.0 - Moto Atrix Driver - http://gititbit.ch/aUSB1<br />
Handset_USB_Driver_64_v4.9.0 - Moto Atrix Driver - http://gititbit.ch/aUSB2<br />
</pre><br />
<br />
== GPIOs ==<br />
<br />
[[Category:Phones]]</div>Wikiadminhttp://www.droid-developers.org/wiki/ContentContent2011-04-23T23:23:41Z<p>Wikiadmin: </p>
<hr />
<div>Check with [[Special:PrefixIndex]]<br />
<br />
Content index:<br />
<br />
* [[Hacked Features]]<br />
* [[Patches]]<br />
<br />
Booting review:<br />
<br />
* [[Booting chain]]<br />
* [[Application Processor Boot ROM]]<br />
* [[Baseband Processor Boot ROM]]<br />
* [[BP firmware]]<br />
* [[mbmloader]]<br />
* [[mbm]]<br />
* [[linux kernel]]<br />
* [[wilink firmware]]<br />
<br />
Custom recovery:<br />
<br />
* [[Cryptography]]<br />
* [[Vulnerability hunting]]<br />
* [[Custom_recovery:alternative_methods]]<br />
* [[Custom_recovery:pr_attack]]<br />
* [[Legal Attack]]<br />
* [[MBM backup attack]]<br />
* [[root attack]]<br />
* [[Public bounty]]<br />
<br />
Custom ROM:<br />
<br />
* [[2ndboot]]<br />
* [[2ndinit]]<br />
* [[MOTOROFL]]<br />
* [[CyanogenMod for Milestone]]<br />
<br />
Hardware:<br />
<br />
* [[FM_radio]]<br />
* [[GSM/CDMA-chain]]<br />
* [[Wrigley 3G]]<br />
<br />
[[Modes]]<br />
<br />
Partitions:<br />
<br />
* [[CDT]]<br />
* [[CH]]<br />
* [[ISW]]<br />
* [[mbmloader]]<br />
* [[mbm]]<br />
<br />
SBF:<br />
<br />
* [[SBF | ALL]]<br />
* [[SBF Milestone]]<br />
* [[SBF Droid]]<br />
* [[SBF DroidX]]<br />
* [[SBF Ruth]]<br />
* [[SBF XT701]]<br />
* [[SBF XT720]]<br />
* [[SBF XT800]]<br />
<br />
Tools:<br />
<br />
* [[Building with AOSP]]<br />
* [[Compiling]]<br />
* [[Debugging]]<br />
* [[Disassembling]]<br />
* [[ROM Flashing]]<br />
* [[CSST]]<br />
* [[FAQ]]<br />
* [[Interesting links]]<br />
* [[Kernel sources]]<br />
* [[USB drivers]]<br />
<br />
Misc:<br />
<br />
* [[Credits]]<br />
* [[Roadmap]]</div>Wikiadminhttp://www.droid-developers.org/wiki/Main_PageMain Page2011-04-23T23:22:52Z<p>Wikiadmin: /* Information for volunteers */</p>
<hr />
<div>__NOTOC__<br />
<br />
==== About this site ====<br />
<br />
{| cellspacing=5 cellpadding=15 border=0 valign="top" width=100%<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
This wiki documents our research on the internals of the Motorola Droid-family phones (including the Milestone).<br />
These phones are:<br />
<br />
<br />
# '''Motorola Milestone''' (our primary target)<br />
# Motorola Milestone 2<br />
# Motorola Droid<br />
# Motorola Droid X<br />
# Motorola Droid 2<br />
# Motorola MOTOROI/Milestone XT720<br />
# Motorola Sholes Tablet XT701<br />
# Motorola Titanium XT800<br />
# Motorola Ruth ME511 aka. Flipout<br />
# Motorola Charm (MB502)<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:community.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Community</span>'''<br /><small>Join our community! Discuss with us. </small><small><hr /> [[Credits | Our team]] | [irc://irc.freenode.net/#milestone-modding Our IRC channel] | [http://www.damogran.de/milestone-modding/ <span title="Starts on Jan 21 2010, 11:33:51 UTC. Refreshes every 15 minutes. Timezone: UTC+1. Thanks to Kasperle.">IRC log #1</span>] | [http://bacon.ojnk.org/milestone-modding.log <span title="Starts on Jan 21 2010, 13:09:10 UTC. Timezone: UTC-6. Thanks to Orgg.">IRC log #2</span>] | [http://milestone.bekaakut.de/ <span title="There is now a new channel log. Thanks to rebel1">IRC log #3</span>] | [http://milestone.denhaas.info/ <span title="Starts on Jan 22 2010, 18:05:42 UTC. Gap between Feb 4 2010, 12:46:55 UTC and Feb 6 2010, 11:54:55 UTC. Stopped working on March 26 2010. Timezone: UTC+1. Thanks to xinix88. Doesn't work anymore">IRC log #4</span>] | [http://gitorious.org/+droid-developers Our projects on Gitorious] | [http://hg.droid-developers.org/2ndboot Our projects on Bitbucket]</small><br />
|}<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:hardware.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Hardware</span>'''<br /><small>All about devices internals - PCB, chips </small><small><hr />[[device_information|Overview]] | [[Motorola Milestone | Milestone]] | [[Motorola Droid | Droid]] | [[Motorola Droid X | Droid X]] | [[Motorola Droid 2 | Droid 2]] | [[Motorola Milestone 2 | Milestone 2]] | [[Motorola Sholes Tablet XT701 | Sholes Tablet XT701]] | [[Motorola Milestone XT720 | Milestone XT720]] | [[Motorola Titanium XT800 | Titanium XT800]] | [[Motorola Ruth ME511 | Ruth ME511]] | [[Motorola Charm | Charm]] | [[Motorola Atrix | Atrix]]</small><br />
|}<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:reverse.gif]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">For developers</span>'''<br /><small>Useful information for experts and beginners </small><small><hr />[[Toolchain]] | [[MOTOROFL]] | [[Compiling]] | [[Debugging]] | [[QEMU]] </small><br />
|}<br />
<br />
|}<br />
<br />
==== Information for volunteers ====<br />
<br />
If you are a developer and have a code project for the Droid family of smartphones (e.g. the Milestone), join us on [http://gitorious.org/+droid-developers Gitorious].<br />
<br />
Even if you're not the technical type, you too can help us mod the Milestone by participating in the [[Custom_recovery:pr_attack|PR campaign to force Motorola to unlock it]].<br />
<br />
If you are the technical type, see our [[roadmap|Roadmap]] and our progress in [[projects|Projects]].<br />
<br />
See the [[content|content index here]].<br />
<br />
{| cellspacing=5 cellpadding=15 border=0 valign="top" width=100%<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:reverse.gif]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Bootloader Unlock</span>'''<br /><small>Research how-to unlock boot process for the Application Processor </small><small><hr />[[Booting chain]] | [[Security]] | [[Cryptography]] | [http://gitorious.org/+droid-developers/droid/reversed IDA databases of bootloaders] | [[Disassembling]] </small><br />
|-<br />
|style="vertical-align:top"|<br />
|style="vertical-align:top"|<br />
The [[modes|recovery image]] hasn't been [http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images modified] yet because we currently cannot control [[Booting chain|the boot process]]: each of its components appears to carry a digital signature. The bootloader (mbm in particular; neither lbl nor mbmloader access the CDT, see [[Booting chain|here]] and [https://opensource.motorola.com/sf/discussion/do/listPosts/projects.milestone/discussion.general_comments.topc2012?_pagenum=2 here]) appears to use the [[CDT|cdt partition table]] to check whether the recovery has been signed correctly. If not, the recovery won't start at all and the [[modes|bootloader mode]] shows instead.<br />
<br />
* '''[[2ndboot]]'''<br />
* '''[[Vulnerability hunting]]'''<br />
* '''[[Bruteforce]]'''<br />
* '''[[open_recovery | Open Recovery]]'''<br />
* '''[[2ndinit]]'''<br />
<br />
|}<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:baseband.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Baseband Research</span>'''<br /><small>All our researches of Baseband and RF part of these phones</small><small><hr />[[GSM/CDMA-chain|GSM/UMTS & CDMA Milestone/Droid structure]]</small><br />
|-<br />
|style="vertical-align:top"|<br />
|style="vertical-align:top"|<br />
The [[Wrigley 3G]] modem runs the RTXC OS and consists of an ARM core and a [[TMS320C55x+]] DSP core.<br />
Our main problem is that Motorola uses a non-standard RIL, which is partially implemented on the AP side.<br />
Our second problem is that the [[TMS320C55x+]] is a closed platform with no publicly available datasheets.<br />
It differs considerably from the original [[TMS320C55x]] architecture and has different opcodes.<br />
We only have the '''asm55p''' utility from TI, which produces binaries from TMS320 assembler.<br />
So fully reverse engineering it is a very important task. [[File:asm55p.idb.bz2]]<br />
<br />
* '''[[Baseband Processor Boot ROM]]'''<br />
* '''[[BP firmware]]'''<br />
* '''[[Texas Instruments Wrigley 3G]]'''<br />
* '''[[GSM/CDMA-chain]]'''<br />
<br />
|}<br />
<br />
|<br />
|}<br />
<br />
<br />
== '''[[2ndboot]]''' ==<br />
<br />
This attack right now is by far the most promising and convenient. Recently a few developers have pursued this approach in at least three independent attempts. All face a significant roadblock: hardware initialization. There are a [http://android.git.kernel.org/?p=kernel/omap.git;a=blob;f=arch/arm/mach-omap2/prcm.c;h=86c3fe328f51736ee4139b59654252021f3d90a2;hb=refs/heads/android-omap-2.6.29-eclair#l129 couple] of [https://patchwork.kernel.org/patch/82291/ ideas] about tackling it, but it is still a work in progress at the time of this writing. See more information about previous attempts [[custom_recovery:alternative_methods#kexec_attack|here]].<br />
<br />
== '''[[Vulnerability hunting]]''' ==<br />
<br />
As far as we know now this attack is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might allow us to find some exploitable vulnerability in order to gain control of the boot process. Since we already have the source code for lbl, it might be useful too. Mike Baker ([mbm]) has written a [http://pastebin.ca/raw/1833228 user mode memory dumper] and dumped the Droid public ROM. As we found, all ROMs for the OMAP3430 are identical; the same holds for the OMAP3630. See here: [[Booting chain|Boot chain]]<br />
<br />
== '''[[Bruteforce]]''' ==<br />
<br />
This is a distributed computation to recover the 1024-bit RSA secret key, which could then be used to sign our own bootloaders and kernel images.<br />
<br />
== '''[[open_recovery | Open Recovery]]''' ==<br />
<br />
Uses the payload exploit to start the custom recovery application. Supports rooting the phone from the menu, as well as taking backups and flashing unsigned update *.zip files. Also runs ADB.<br />
<br />
== '''[[2ndinit]]''' ==<br />
<br />
This basically injects code into /init to make it "restart itself", allowing you to use a custom init binary and init.rc scripts without side effects.</div>Wikiadminhttp://www.droid-developers.org/wiki/Main_PageMain Page2011-04-23T23:15:16Z<p>Wikiadmin: </p>
<hr />
<div></div>Wikiadminhttp://www.droid-developers.org/wiki/ModesModes2011-04-23T23:06:45Z<p>Wikiadmin: Merged all Mode:* pages in Modes page</p>
<hr />
<div>= Bootloader Mode =<br />
<br />
To get your Milestone into bootloader mode, power off the device and start it while pressing Power + DpadUp.<br />
This brings the Milestone to a black screen.<br />
<br />
=== Versions of the Bootloader ===<br />
<br />
When the bootloader is ready to be flashed it shows its version; see the [[mbm|mbm]] page.<br />
<br />
=== Bootloader with Fastboot mode enabled ===<br />
<br />
To access the [http://android-dls.com/wiki/index.php?title=Fastboot Fastboot mode] on the bootloader, use the "adb reboot bootloader" command via USB with the Motorola update kit installed on the PC.<br />
This mode is usually not available on the Droid. Unfortunately, although fastboot does work with the Milestone, none of the known fastboot commands seem to work (except on developer phones).<br />
<br />
= Recovery Mode =<br />
<br />
=== What is it for? ===<br />
<br />
A recovery method is required whenever we need to try new kernel versions on the Milestone. Without a recovery method, any unsuccessful test would be the last one (the phone would be "bricked"). The standard recovery method for Android is the '''recovery mode'''.<br />
<br />
<br />
=== How to access it ===<br />
<br />
You can access the recovery mode on the milestone by shutting down the device and start it by pressing simultaneously Power+CameraButton (on 90.78 bootloader it is Power+X button).<br />
<br />
After you get the Warning image, you can access the menu by pressing CameraButton+VolumeUp simultaneously.<br />
<br />
=== How to run ADB in Recovery Mode: ADBrecovery ===<br />
<br />
The adbd daemon runs unprivileged on the Milestone because the property ro.secure is set to 1 in default.prop (you can check this with the getprop command). However, the su command can be used to run adbd as root anyway.<br />
<br />
[http://alldroid.org/viewtopic.php?f=259&t=1617 Poseidon's proof of concept] of this idea evolved into [http://www.megaupload.com/?d=Q31VFVHF this first version of a recovery patch for Milestone], which in turn evolved into [http://alldroid.org/viewtopic.php?f=259&t=1617 the current ADBrecovery version], now incorporating a port of nandroid and being [http://alldroid.org/viewtopic.php?f=259&t=1808 able to backup and restore several key Milestone partitions].<br />
<br />
=== Open Recovery ===<br />
<br />
Developed by Skrilax_CZ.<br />
<br />
Credit to mankind (from alldroid) for the CustomUpdate, on which this recovery is based, and to poseidon (also from alldroid) for ADBRecovery.<br />
<br />
Current version 1.14 [06/11/2010]<br />
<br />
Open Recovery is a fully customised recovery that uses the payload hack to restart the stock recovery into itself. It supports easy rooting and taking backups from the menu, and is easily extendable. Its page is here: [[open_recovery|Open Recovery]]<br />
<br />
=== misc partition ===<br />
<br />
There's an interaction pathway between the OS and the recovery stage, using commands written into the misc partition. See the source code of the GPL motobox command by Motorola. See [http://android.git.kernel.org/?p=platform/bootable/recovery.git;a=blob;f=firmware.c#l47 here] how the bootloader (mbm or lbl) communicates with the OS in order to update the radio firmware and the boot image itself.<br />
<br />
= Programming Mode =<br />
<br />
There is a "hidden" Programming Menu integrated in Android on the Milestone and DROID:<br />
<br />
* Select Phone<br />
* Using the dial pad (not the keyboard) Dial ##PROGRAM (##7764726)<br />
* Send<br />
<br />
The access key on the DROID is "000000". The programming menu is not present on the Milestone, even though the password entry screen can still be shown (see below).<br />
<br />
=== Analysis ===<br />
<br />
User Wally88@foromilestone.com.ar suggests this program lies in the [http://www.mediafire.com/?m25j2njyzmg Program Menu apk file]. Bavilo also tried to deodex this program using [http://code.google.com/p/smali/ smali/baksmali] and maybe [http://code.google.com/p/smali/downloads/detail?name=deodexerant-v1.0-Android2.0&can=2&q=label%3AFeatured deodexerant]. His deodex result is [http://www647.megaupload.com/files/a0ee392fc7b12a91fd2aea573a6514d1/ProgramMenu.rar here].<br />
<br />
Running the following command from a shell shows the code challenge screen:<br />
<pre><br />
$ am start -a android.intent.action.MAIN -n com.motorola.programmenu/.SecurityApp<br />
</pre><br />
=== Result ===<br />
<br />
The Service Programming menu is only for CDMA phones but was somehow kept on the Milestone.<br />
<br />
This is logged:<br />
<pre><br />
SecurityApp( 1256): checkSubsidyLockPasswdComplete() errno=OEM_RIL_CDMA_GENERIC_FAILURE<br />
</pre><br />
<br />
However, the application defines also ''errno=OEM_RIL_CDMA_NAM_PASSWORD_INCORRECT'', which would be more likely to be thrown when the password was incorrect.</div>Wikiadminhttp://www.droid-developers.org/wiki/MbmloaderMbmloader2011-04-23T23:03:11Z<p>Wikiadmin: </p>
<hr />
<div>= What is mbmloader =<br />
<br />
Strictly speaking, mbmloader is one of the first components in the [[Booting chain|boot chain]]. (There's a (c) 2006 Motorola notice in it, since it reuses code from the older versions of mbmloader used in previous Motorola phones. This works to our advantage because some of those earlier versions have been reverse engineered in the past by yakk in his MotoMagX hack.) It verifies and then loads the mbm component. It also checks mbmbackup for newer versions of mbm, so that mbm cannot be downgraded (this can be easily bypassed once running as root, since both mbm and mbmbackup could be downgraded at the same time).<br />
<br />
More generally speaking, we sometimes say "mbmloader" to refer to the whole bootstrap system, which is composed of:<br />
* [[CH|CH table]]<br />
* Certificates and Public Keys<br />
* [[PPA|Primary Protected Application]]<br />
* [[ISW|Initial Software image]]<br />
<br />
The mtd-hack module by '''janneg''' allows us to dump mtd00 which includes all of these, and we usually call this the "mbmloader dump" or "mbmloader CG".<br />
<br />
= mbmloader protections =<br />
<br />
Mbmloader has public certificates in it (see the [[ISW|ISW section]]). These certificates are parsed on the [[Cryptography]] page. We also know that both the Milestone and the Droid run in HS mode, which requires this format.<br />
<br />
Since CSST uses openssl, the openssl commands used to generate the certificates may somehow be intercepted. Moreover, analyzing csstcli (the command line tool) and its parameters may reveal what the certificates sign and how.<br />
<br />
= Loading mbmloader from SD card =<br />
<br />
mbmloader can be loaded from the SD card after a software reset. This may be useful to test a new version of mbmloader without reflashing the phone.<br />
Details: [[How to load mbmloader from SD card]]<br />
<br />
= How does mbmloader verify mbm? =<br />
<br />
== Introduction ==<br />
<br />
yakk has mapped many high-level function names in the mbmloader image, which makes it easier to inspect how the verification of mbm is performed. He may already have reviewed the relevant code for potential vulnerabilities; documenting those findings so that others can continue the work is one possible way forward.<br />
<br />
== Work flow ==<br />
<br />
mbm is read into address 0x8f310000.<br />
<br />
Search for the end-of-signature mark (the data length, 20 bytes, suggests a sha1sum):<br />
<pre><br />
6B D3 98 E2 D6 F0 F8 CF FC D4 96 72 5E B3 A8 B3 6B F9 B1 16<br />
</pre><br />
<br />
<br />
= Milestone mbmloader =<br />
<br />
Currently only two versions of mbmloader are known for the Milestone:<br />
* one [[File:mbmloader-0.5A.raw.gz]]<br />
* two [[File:mbmloader-1.raw.gz]]<br />
<br />
== Background ==<br />
<br />
Thanks to yakk, an IDA database (idb) of mbmloader with high-level function names is available. Further exploration is in progress to map more information from the kernel source and the technical reference manual.<br />
<br />
== Kernel source ==<br />
<br />
drivers/misc/sec/sec_core.h:<br />
<syntaxhighlight lang="c" line><br />
#define REGISTER_ADDRESS_DIE_ID 0x4830A218<br />
#define REGISTER_ADDRESS_MSV 0x480023B4<br />
</syntaxhighlight><br />
<br />
Searching for b4 23 00 48 (0x480023B4 stored little-endian) in mbmloader gives:<br />
<syntaxhighlight lang="asm" line><br />
ROM:87004954 EF BE AD DE dword_87004954 DCD 0xDEADBEEF ; DATA XREF: get_fuse+4<br />
ROM:87004954 ; sub_87004798+A<br />
ROM:87004958 B4 23 00 48 MSV DCD 0x480023B4 ; DATA XREF: get_fuse:loc_87004786<br />
ROM:8700495C 18 A2 30 48 DIE_ID DCD 0x4830A218 ; DATA XREF: sub_87004832+18<br />
</syntaxhighlight><br />
<br />
arch/arm/plat-omap/include/mach/omap34xx.h:<br />
<syntaxhighlight lang="c" line><br />
#define L4_34XX_BASE 0x48000000<br />
#define L4_WK_34XX_BASE 0x48300000<br />
#define L4_PER_34XX_BASE 0x49000000<br />
#define L4_EMU_34XX_BASE 0x54000000<br />
#define L3_34XX_BASE 0x68000000<br />
#define OMAP3430_32KSYNCT_BASE 0x48320000<br />
#define OMAP3430_CM_BASE 0x48004800<br />
#define OMAP3430_PRM_BASE 0x48306800<br />
#define OMAP343X_SMS_BASE 0x6C000000<br />
#define OMAP343X_SDRC_BASE 0x6D000000<br />
#define OMAP34XX_GPMC_BASE 0x6E000000<br />
#define OMAP343X_SCM_BASE 0x48002000<br />
#define OMAP34XX_IC_BASE 0x48200000<br />
#define OMAP34XX_IVA_INTC_BASE 0x40000000<br />
#define OMAP34XX_SR1_BASE 0x480C9000<br />
#define OMAP34XX_SR2_BASE 0x480CB000<br />
#define OMAP34XX_DSP_BASE 0x58000000<br />
</syntaxhighlight><br />
<br />
== Technical Reference Manual ==<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Abbreviation<br />
! Meaning<br />
! Reference<br />
|-<br />
| MSV <br />
| Model Specific Value <br />
| spruf98 p. 981, 6.6.4.47(System Control Module, Registers, GENERAL registers description), Table 6-496. CONTROL_MSV_0 <br />
|}<br />
<br />
4.14.1 CM Module Registers, Table 4-90. CM Instance Summary (spruf98 p.440)<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Module Name<br />
! Base Address (hex)<br />
! Size<br />
|-<br />
| IVA2_CM <br />
| 0x4800 4000 <br />
| 8192 bytes<br />
|-<br />
| OCP_System_Registers_CM <br />
| 0x4800 4800 <br />
| 8192 bytes<br />
|-<br />
| MPU_CM <br />
| 0x4800 4900 <br />
| 8192 bytes<br />
|-<br />
| CORE_CM <br />
| 0x4800 4A00 <br />
| 8192 bytes<br />
|-<br />
| SGX_CM <br />
| 0x4800 4B00 <br />
| 8192 bytes<br />
|-<br />
| WKUP_CM <br />
| 0x4800 4C00 <br />
| 8192 bytes<br />
|-<br />
| Clock_Control_Registers_CM <br />
| 0x4800 4D00 <br />
| 8192 bytes<br />
|-<br />
| DSS_CM <br />
| 0x4800 4E00 <br />
| 8192 bytes<br />
|-<br />
| CAM_CM <br />
| 0x4800 4F00 <br />
| 8192 bytes<br />
|-<br />
| PER_CM <br />
| 0x4800 5000 <br />
| 8192 bytes<br />
|-<br />
| EMU_CM <br />
| 0x4800 5100 <br />
| 8192 bytes<br />
|-<br />
| Global_Registers_CM <br />
| 0x4800 5200 <br />
| 8192 bytes<br />
|-<br />
| NEON_CM <br />
| 0x4800 5300 <br />
| 8192 bytes<br />
|-<br />
| USBHOST_CM <br />
| 0x4800 5400 <br />
| 8192 bytes<br />
|}<br />
<br />
6.6 System Control Module Registers Table 6-80. Instance Summary<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Name<br />
! Address<br />
! Instance length<br />
|-<br />
| INTERFACE<br />
| 0x4800 2000<br />
| 36 bytes<br />
|-<br />
| PADCONFS<br />
| 0x4800 2030<br />
| 564 bytes<br />
|-<br />
| GENERAL<br />
| 0x4800 2270<br />
| 767 bytes<br />
|-<br />
| MEM_WKUP<br />
| 0x4800 2600<br />
| 1K byte<br />
|-<br />
| PADCONFS_WKUP<br />
| 0x4800 2A00<br />
| 80 bytes<br />
|-<br />
| GENERAL_WKUP<br />
| 0x4800 2A60<br />
| 31 bytes<br />
|} <br />
<br />
<br />
18.8 McSPI Registers, Table 18-22. Instance Summary<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Module Name<br />
! Base Address<br />
! Size<br />
|-<br />
|MCSPI1<br />
|0x4809 8000<br />
|4Kbytes<br />
|-<br />
|MCSPI2<br />
|0x4809 A000<br />
|4Kbytes<br />
|-<br />
|MCSPI3<br />
|0x480B 8000<br />
|4Kbytes<br />
|-<br />
|MCSPI4<br />
|0x480B A000<br />
|4Kbytes<br />
|}<br />
<br />
== Address extracted from mbmloader ==<br />
<br />
Prefixed by 0x4800:<br />
<pre><br />
0x48002000 Control Revision<br />
0x48002180 CONTROL_PADCONF_UART1_CTS - Configuration register for pads uart1_cts(clear to send), uart1_rx. ((spruf98 p. 870, 6.6.3.85 CONTROL_PADCONF_UART1_CTS))<br />
0x480021C8 CONTROL_PADCONF_MCSPI1_CLK - Configuration register for pads mcspi1_clk, mcspi1_simo<br />
0x480022F0 Control status - SYS_BOOT and DEVICETYPE<br />
0x480023B4 MSV - Model Specific Value, 4 bytes<br />
0x48004000 Clock manager, Module region A, 8KB ((spruf98 p.203, Table 2-3. L4-Core Memory Space Mapping))<br />
0x48004904 CM_CLKEN_PLL_MPU, This register allows controlling the DPLL1 modes. ((spruf98 p.454))<br />
0x48004A00 Table 4-143. CM_FCLKEN1_CORE, Controls the module functional clock activity.<br />
0x48004A10 Table 4-147. CM_ICLKEN1_CORE, Controls the modules interface clock activity.<br />
0x48004A20 Table 4-153. CM_IDLEST1_CORE, CORE modules access availability monitoring. This register is read only and automatically updated.<br />
0x48004B40 Table 4-177. CM_CLKSEL_SGX, SGX clock selection.<br />
0x48004C00 4.14.1.7.1 CM_FCLKEN_WKUP, Table 4-185. CM_FCLKEN_WKUP, Controls the modules functional clock activity.<br />
0x48004D00 Table 4-195. CM_CLKEN_PLL, This register allows controlling the DPLL3 and DPLL4 modes.<br />
0x48004E40 Table 4-227. CM_CLKSEL_DSS, Modules clock selection.<br />
0x48005000 Table 4-251. CM_FCLKEN_PER, Controls the modules functional clock activity. RW, WDTIMER can be enabled/disabled here.<br />
0x48005140 Table 4-267. CM_CLKSEL1_EMU, Modules clock selection.<br />
</pre><br />
<br />
Prefixed by 0x4830:<br />
<pre><br />
0x48306000 Table 4-297. PRM Instance Summary, IVA2_PRM<br />
0x48306D40 Table 4-387. PRM_CLKSEL, This register controls the selection of the system clock frequency. This register is reset on power-up only. RW<br />
0x48307000 Table 4-297. PRM Instance Summary, PER_PRM<br />
0x48307250 Table 4-456. PRM_RSTCTRL, Global software and DPLL3 reset control. This register is auto-cleared. Only write 1 is possible. A read returns 0 only. Perhaps it can be used to issue a software reset? ((4.5.9.2 Global Warm Reset Sequence))<br />
0x48307270 Table 4-466. PRM_CLKSRC_CTRL, This register provides control over the device source clock.<br />
0x4830A218 DIE ID, 16 bytes<br />
</pre><br />
<br />
Other 32-bit dword:<br />
<pre><br />
0x18000000<br />
0x1F000000<br />
0x20000000<br />
0x208D0024<br />
0x28000000<br />
0x3FCFF000<br />
0x40000000<br />
0x40208800 SRAM <br />
0x4020C800 SRAM<br />
0x43FFFE01<br />
0x4806A000 UART1 DLL_REG, 16.6 UART/IrDA/CIR Registers<br />
0x48098000 18.8 McSPI Registers, McSPI1(Multichannel Serial Port Interface)<br />
0x48314000 WDTIMER2, Table 15-66. WDT2 Register Summary<br />
0x48318000 GPTIMER1, 15.3 General-Purpose (GP) Timer Registers<br />
0x49020000 UART3 (infrared), 2.3.2.3 L4-Peripheral Memory Space Mapping, Table 2-5. L4-Peripheral Memory Space Mapping<br />
0x5004800C <br />
0x5005C008<br />
0x5A827999 SHA1 c1<br />
0x6E000000 Table 10-27. Instance Summary, GPMC.<br />
0x6E00007C 10.1.7.2.17 GPMC_NAND_COMMAND_i, This register is not a true register, just an address location.<br />
0x6E000084 10.1.7.2.19 GPMC_NAND_DATA_i, This register is not a true register, just an address location.<br />
0x6E0000A8 10.1.7.2.16 GPMC_CONFIG7_i, i = 1<br />
0x6E0001F4 10.1.7.2.24 GPMC_ECC_CONFIG, ECC configuration, RW, able to control hardware ECC.<br />
0x6E0001F8 10.1.7.2.25 GPMC_ECC_CONTROL, ECC control, RW, able to control hardware ECC.<br />
0x6ED9EBA1 SHA1 c2<br />
0x76543210<br />
0x78020000<br />
0x7FFFFED3<br />
0x80000000 <br />
0x80080000<br />
0x81000000<br />
0x81001000<br />
0x81001080<br />
0x81001484<br />
0x81001888<br />
0x81001908<br />
0x8100192C<br />
0x81001D2C<br />
0x8100212C<br />
0x810021AC<br />
0x8100222C<br />
0x8100322C<br />
0x8100422C<br />
0x8100522C<br />
0x8100562C<br />
0x8100762C<br />
0x81007A14<br />
0x81007A54<br />
0x81007C54<br />
0x81007C64<br />
0x81007CE4<br />
0x81007DE4<br />
0x81007DF4<br />
0x81007E04<br />
0x8100AE40<br />
0x85030004<br />
0x860527A0<br />
0x87000998<br />
0x87009792<br />
0x87009A08<br />
0x87009BDC<br />
0x87009E52<br />
0x87009E5C<br />
0x87009FA6<br />
0x8700AA96<br />
0x8700B614<br />
0x8700B634<br />
0x8700B664<br />
0x8700B684<br />
0x87014D4C<br />
0x89ABCDEF<br />
0x8F1BBCDC SHA1 c3<br />
0x8F310000 mbm load address<br />
0x8F311000 mbm offset 0x1000<br />
0x8FFFFFFF<br />
0x90000000<br />
0xB17219E9 special value in mbm<br />
0xCA62C1D6 SHA1 c4<br />
0xDEADBEEF dummy value mark dead beef<br />
0xF0E1D2C3<br />
0xFC000000<br />
0xFEDCBA98<br />
0xFF000000<br />
0xFFF800FF<br />
0xFFFDD000<br />
0xFFFFDFE1<br />
0xFFFFF7FF<br />
0xFFFFFC01<br />
0xFFFFFFFD<br />
0xFFFFFFFF<br />
</pre><br />
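The two searches described above, looking for the little-endian bytes of a register address (b4 23 00 48 for CONTROL_MSV) and for the 20-byte end-of-signature mark, together with the SHA1 round constants that appear in the dword list, can be automated. The following Python script is an added example and not code from this wiki: the image it scans is constructed for the demonstration (only the constants and the 0x87004954 literal-pool layout come from this page), and the function names are my own.<br />
<br />
```python
"""Locate known 32-bit constants and byte markers in a firmware dump.

Added example, not code from the wiki. It reproduces the two searches
described on this page: the byte search for a register address stored
little-endian (b4 23 00 48 for CONTROL_MSV at 0x480023B4) and the 20-byte
end-of-signature mark, and it also looks for the four SHA-1 round constants,
which is how a hash routine can be located in stripped code. The dump below
is constructed for the demonstration; only the constants come from the page.
"""
import struct

# Register addresses from the kernel headers quoted on this page.
REGISTER_CONSTANTS = {
    "MSV": 0x480023B4,
    "DIE_ID": 0x4830A218,
    "DEADBEEF_marker": 0xDEADBEEF,
}

# SHA-1 round constants K1..K4 (FIPS 180-4); all four appear in the dword list.
SHA1_CONSTANTS = {"SHA1_K1": 0x5A827999, "SHA1_K2": 0x6ED9EBA1,
                  "SHA1_K3": 0x8F1BBCDC, "SHA1_K4": 0xCA62C1D6}

# End-of-signature mark found in mbmloader, copied from this page.
END_OF_SIGNATURE_MARK = bytes.fromhex("6BD398E2D6F0F8CFFCD496725EB3A8B36BF9B116")


def find_all(blob, needle):
    """Offsets of every (possibly overlapping) occurrence of needle in blob."""
    hits, start = [], 0
    while True:
        idx = blob.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def scan_constants(blob, constants, base=0):
    """Map constant name -> list of addresses where its little-endian dword appears."""
    return {name: [base + off for off in find_all(blob, struct.pack("<I", value))]
            for name, value in constants.items()}


def looks_like_sha1(blob):
    """True if all four SHA-1 round constants are present (in either endianness)."""
    for fmt in ("<I", ">I"):
        if all(find_all(blob, struct.pack(fmt, v)) for v in SHA1_CONSTANTS.values()):
            return True
    return False


def build_demo_image(base=0x87000000):
    """Constructed stand-in for an mbmloader dump; offsets are arbitrary except the pool."""
    img = bytearray(b"\xff" * 0x6000)
    # Literal pool like the one at ROM:87004954 on this page: DEADBEEF, MSV, DIE_ID.
    pool = struct.pack("<III", 0xDEADBEEF, 0x480023B4, 0x4830A218)
    img[0x4954:0x4954 + len(pool)] = pool
    # A SHA-1 routine keeps K1..K4 somewhere in its literal pool (position assumed).
    ks = struct.pack("<IIII", *SHA1_CONSTANTS.values())
    img[0x5000:0x5000 + len(ks)] = ks
    # A signature blob terminated by the 20-byte mark (position assumed).
    img[0x1000:0x1000 + len(END_OF_SIGNATURE_MARK)] = END_OF_SIGNATURE_MARK
    return bytes(img), base


if __name__ == "__main__":
    image, base = build_demo_image()
    found = scan_constants(image, {**REGISTER_CONSTANTS, **SHA1_CONSTANTS}, base)
    for name, addrs in found.items():
        print("%-16s %s" % (name, ", ".join("0x%08X" % a for a in addrs) or "-"))
    marks = find_all(image, END_OF_SIGNATURE_MARK)
    print("end-of-signature mark at:", ["0x%08X" % (base + m) for m in marks])
    print("SHA-1 present:", looks_like_sha1(image))
```
<br />
Finding all four round constants in a stripped image is a quick way to locate a hash routine before naming functions in an idb, and the reported addresses can be cross-checked against the DATA XREFs listed above. On a real dump, replace build_demo_image() with the file contents and the load address of the image.<br />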
<br />
== Mbmloader replacement Attack ==<br />
<br />
By probing the hardware with this simple code (a minimal kernel module; omap_type() comes from mach/cpu.h):<br />
<pre><br />
#include <linux/module.h><br />
#include <linux/kernel.h><br />
#include <mach/cpu.h><br />
static int __init omaptype_init(void) /* runs once at insmod */<br />
{<br />
	printk(KERN_INFO "omap type: %d\n", omap_type()); /* GP, EMU, SEC (HS) or TEST */<br />
	return 0;<br />
}<br />
module_init(omaptype_init);<br />
MODULE_LICENSE("GPL");<br />
</pre><br />
we know the OMAP processor works in High Security mode upon booting (as opposed to General Purpose mode). We know the Droid is working in HS mode too. <br />
In HS mode the [[mbmloader|mbmloader]]'s cryptographic signature can be checked before booting, and since signatures are checked in later stages of the boot process, we guess both mbmloader and mbm are probably signed and verified too. Static code analysis seems to confirm that the signatures are in place.<br />
Mbmloader itself apparently checks for mbm's signature before passing control to it. The idea of this attack is simply to replace mbmloader with another version that does not check for mbm's signature. We would then be free to replace mbm with a patched version that allowed us to run modified kernels and boot images.<br />
<br />
=== Hypothesis ===<br />
<br />
We can find some mbmloader that is signed with the same key as the Milestone's but that does not enforce the signature chain on mbm. We are also able to write to the NAND area where mbmloader is stored, so as to replace it.<br />
<br />
=== How can we write to the NAND area where mbmloader is stored ===<br />
<br />
Janneg's test has sadly demonstrated that we're currently unable to write meaningful data on those sectors of the NAND Flash. The Hardware ECC mechanism should be used somehow.<br />
<br />
=== How to know in advance whether a given mbmloader can work on the Milestone ===<br />
<br />
When janneg's phone was unfortunately bricked, it ended up with a corrupted mbmloader and trying to boot from USB (expecting a signed image in some unknown format). In this mode, the phone's boot ROM sends the ASIC ID to the USB host. In janneg's case, the ASIC ID was:<br />
<pre><br />
05010501 34300757 13020100 12150136 <br />
66e176b7 00efa289 0d53bd71 93627710<br />
b01bbe14 15011d3f b662794d 8c70fb57<br />
b4cb492e 27f66f15 2e4f1509 01f7488f<br />
28a027e5 b3<br />
</pre><br />
<br />
This has been decomposed into the following information by user [mbm], based on table 1-8 in the 1.4.4.1 section of the [http://bunnitude.com/misc/files/omap/pdf/sprufd6.pdf sprufd6.pdf TRM document]:<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! ASIC ID Item<br />
! Size [bytes]<br />
! Description<br />
|-<br />
| Items<br />
| 1<br />
| Number of subblocks<br />
|-<br />
| ID sub block<br />
| 7<br />
| Device identification information<br />
|-<br />
| Secure mode subblock<br />
| 4<br />
| Secure identification data<br />
|-<br />
| Public ID subblock<br />
| 23<br />
| Public identification data generated by secure ROM<br />
|-<br />
| Root key hash subblock<br />
| 23<br />
| Root key hash generated by a secure ROM service<br />
|-<br />
| Checksum Subblock<br />
| 11<br />
| 4 bytes: CRC of public ROM. 4 bytes: CRC of secure ROM<br />
|}<br />
<br />
Decoded from janneg's ASIC ID:<br />
<pre><br />
ITEMS: 05<br />
ID[01] 05 [01][34 30 07 57]<br />
SECURE[13] 02 [01][00]<br />
PUBLIC[12] 15 [01][36 66 e1 76 b7 00 ef a2 89 0d 53 bd 71 93 62 77 10 b0 1b be]<br />
ROOT[14] 15 [01][1d 3f b6 62 79 4d 8c 70 fb 57 b4 cb 49 2e 27 f6 6f 15 2e 4f]<br />
CRCS[15] 09 [01][f7 48 8f 28][a0 27 e5 b3]<br />
</pre><br />
<br />
It seems user kokone has worked out how the key verification process works. Using [[Cryptography|his tool for exporting mbmloader keys into .PEM format]], he realized that the SHA1 hash of the "Public Key in LBL Format including the 0x14 bytes status info in front" is '''1d3fb662794d8c70fb57b4cb492e27f66f152e4f''', which is precisely the value of the ROOT[14] field decoded from the ASIC ID. It is verified that kokone calculated the sha1 hash with this formula:<br />
<br />
''' root_pk_hash = sha1_hash(20_bytes_key_info + modulus) '''<br />
<br />
The modulus length is specified in the key info. For instance, a 1024-bit modulus requires only 1024 bits to be hashed, because of the least-significant-byte-first ordering of the modulus.<br />
<br />
The content can be extracted from the mbmloader dump with this command:<br />
<pre><br />
dd if=mtd_00_mbmloader.img skip=1076 bs=1 count=276 of=pk.bin<br />
sha1sum pk.bin<br />
1d3fb662794d8c70fb57b4cb492e27f66f152e4f *pk.bin <br />
</pre><br />
A sample file can be downloaded -> <br />
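The ASIC ID decoding and the root_pk_hash formula above can be checked mechanically. The following Python script is an added example, not code from this wiki or from kokone's tool: it parses the ASIC ID dump into its subblocks using the [id][length][0x01][data] layout visible in the decode above, reproduces the dd extraction (offset 1076, 276 bytes, i.e. 20 bytes of key info plus a 256-byte modulus), and compares the SHA1 of that key blob with the ROOT subblock. Because the key-info layout is not documented here, the modulus length is passed in by the caller (an assumption), and the dump used in the demo is constructed, so it reports a mismatch.<br />
<br />
```python
"""Decode the OMAP boot-ROM ASIC ID and check it against a root public key.

Added example, not code from the wiki. The ASIC ID layout (item count followed
by [id][length][0x01][data] subblocks) follows the decoding shown on this page;
the 0x14 subblock carries the root public key hash. The key-info layout inside
the key blob is not documented here, so the modulus length is passed in by the
caller rather than parsed (assumption).
"""
import hashlib

# Subblock identifiers as decoded on this page (ID, SECURE, PUBLIC, ROOT, CRCS).
SUBBLOCK_NAMES = {0x01: "id", 0x13: "secure", 0x12: "public_id",
                  0x14: "root_key_hash", 0x15: "crcs"}

# ASIC ID captured from janneg's bricked Milestone, as printed on this page.
MILESTONE_ASIC_ID = (
    "05010501 34300757 13020100 12150136 66e176b7 00efa289 0d53bd71 93627710 "
    "b01bbe14 15011d3f b662794d 8c70fb57 b4cb492e 27f66f15 2e4f1509 01f7488f "
    "28a027e5 b3"
)


def parse_asic_id(hex_text):
    """Split an ASIC ID dump into named subblocks (payload without the fixed 0x01)."""
    data = bytes.fromhex(hex_text.replace(" ", "").replace("\n", ""))
    items = data[0]
    pos = 1
    blocks = {}
    for _ in range(items):
        if pos + 2 > len(data):
            raise ValueError("truncated ASIC ID: missing subblock header")
        sub_id, length = data[pos], data[pos + 1]
        payload = data[pos + 2:pos + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated ASIC ID: subblock 0x%02x" % sub_id)
        if length < 1 or payload[0] != 0x01:
            raise ValueError("unexpected fixed byte in subblock 0x%02x" % sub_id)
        blocks[SUBBLOCK_NAMES.get(sub_id, "sub_%02x" % sub_id)] = payload[1:]
        pos += 2 + length
    if pos != len(data):
        raise ValueError("%d trailing bytes after last subblock" % (len(data) - pos))
    out = {name: blob.hex() for name, blob in blocks.items()}
    out["items"] = items
    if "crcs" in blocks and len(blocks["crcs"]) == 8:
        out["public_rom_crc"] = blocks["crcs"][:4].hex()
        out["secure_rom_crc"] = blocks["crcs"][4:].hex()
    return out


def root_pk_hash(key_blob, modulus_len):
    """root_pk_hash = sha1(20-byte key info + modulus), the formula on this page."""
    if len(key_blob) < 20 + modulus_len:
        raise ValueError("key blob shorter than key info + modulus")
    return hashlib.sha1(key_blob[:20 + modulus_len]).hexdigest()


def extract_pk(dump, offset=1076, length=276):
    """Same bytes as 'dd skip=1076 bs=1 count=276' on the mbmloader dump."""
    chunk = dump[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("dump too short for public key at offset %d" % offset)
    return chunk


def root_key_matches(dump, asic_hex, modulus_len=256):
    """True if the key in the dump hashes to the ROOT subblock of the ASIC ID."""
    expected = parse_asic_id(asic_hex)["root_key_hash"]
    return root_pk_hash(extract_pk(dump), modulus_len) == expected


if __name__ == "__main__":
    fields = parse_asic_id(MILESTONE_ASIC_ID)
    for name, value in fields.items():
        print("%-16s %s" % (name, value))
    # Constructed dump with filler bytes; its key will not match the Milestone hash.
    fake_dump = bytes((i * 37 + 11) & 0xFF for i in range(2048))
    print("constructed dump matches Milestone root hash:",
          root_key_matches(fake_dump, MILESTONE_ASIC_ID))
```
<br />
With a real mtd00 dump, root_key_matches(open(path, "rb").read(), MILESTONE_ASIC_ID) should return True for the Milestone key; a False result means either the wrong key slot was extracted or the image was built for hardware with a different root hash, which is exactly the check the replacement attack below depends on.<br />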
<br />
It has also been found that droid001's pkhash tool reads this same value (the reversed order is normal, due to the different presentation of sha1sum and pkhash) from the '''CONTROL_RPUB_KEY_H[4:0]''' register field.<br />
<br />
Running droid001's pkhash in Latam Milestone phones shows that those phones have the same hardware key as the European Milestone.<br />
<br />
Sadly, the Droid hash stored in hardware is different from the Milestone's: it is '''75ed7020641333dd7bc3aecb9857683c2422efe1''' (see [http://pastebin.com/raw.php?i=e9XbzQXp]). Thus, we won't be able to use the Droid's mbmloader on the Milestone. It's strange that this root pk hash is different from the value calculated by hand according to the method above. ((http://milestone.denhaas.info/date/10-03-2010/ 17:42:38 nothize))<br />
<br />
XVilka's developer phone, mbmloader version 90.80 (which has a CertPK that matches the CSST 2.6 multiroot key; see [http://pastebin.ca/1831383]), does NOT run in HS mode. It does have a hash key stored in hardware (different from the one in the normal Milestone, see [http://pastebin.ca/1831344]), but it is not used in GP mode.<br />
<br />
So, all in all, we do not have any mbmloader suitable for installation on the Milestone that will break Motorola's chain of trust. If you know of any other mbmloader version, let us know.<br />
<br />
== Problems ==<br />
=== mbm's entry point ===<br />
<br />
The Droid's mbm might have a different entry point than the one in the Milestone's mbm. Thus the Droid's mbmloader would not be able to pass control to the Milestone's mbm. The obvious workaround would be to replace mbm too. '''There might be other offsets to take care of, besides mbm's entry point.'''<br />
<br />
=== mbm's hardware initialization process ===<br />
<br />
The Droid's hardware might be a bit different from the Milestone's. This is supported by an [https://opensource.motorola.com/sf/discussion/do/listPosts/projects.milestone/discussion.general_comments.topc2016 official Motorola reply to a direct question by vekexasia]. If that's the case, the Droid's mbm would fail to initialize the Milestone's hardware, thereby bricking the phone. The workaround would be to use the Milestone's mbm, but patching it so that the Droid's mbmloader is able to use it (e.g., moving mbm code around, inserting jumps, etc.). There would be no problem with patching Milestone's mbm in this case, since the Droid's mbmloader would not check on mbm's signature (but this is an ad-hoc hypothesis, because we don't know it for sure!).<br />
<br />
=== cdt format ===<br />
<br />
The CDT table's format seems to differ between the Droid and the Milestone, so if we were to use the Droid mbmloader this should be handled somehow.<br />
<br />
=== Risk ===<br />
<br />
In the event of a mistake in the process, or if our hypothesis is wrong, the device would be bricked beyond repair (at least with the resources we have, namely [[ROM_Flashing|RSD Lite]]). The person trying this attack should be aware of this risk, and would probably be willing to try it on a device which could be sent to Motorola for repair without much hassle or cost (e.g., a Milestone that has some obvious warranty-covered issue such as a defective keyboard, etc). A German Motorola service agent is said to have quoted 89 euros for repairing firmware tampering.<br />
<br />
== Attack process ==<br />
<br />
[http://bit.ly/cqNt3i Here's a donation link] that some people have set up to buy a Milestone for testing this attack.<br />
<br />
Note: this test procedure is under review, so please ask before following it!<br />
<br />
# If possible, record the whole process with a video camera, so it can later be analyzed. You should also log in to the IRC channel for assistance during this attack.<br />
# Get [http://www.megaupload.com/?d=15EGPJ0U the 6mb droid dump] and gunzip the file((Since the CH header differs between the Droid and the Milestone, the Droid CH table may not work with a Milestone. The risk is low, though, because the difference is small. Although we cannot be sure about it, it is [mbm]'s opinion that it could work. In case you want to keep the Milestone CH table, you can use this other [http://www.megaupload.com/?d=V7BIRKOF patched Droid dump] instead, but keep in mind that the Release Notes for CSST v2.4 suggest the CH header can be signed too (and if it is, this patched Droid dump could brick your phone permanently). Nonetheless, as far as we know the CH table doesn't seem to be signed in the Milestone nor in the Droid, so this patched Droid dump should probably work fine. Finally, a whole dump of a Droid NAND flash can be used too; just remember that it should contain at least CH+MBMLOADER+MBM+MBMBACKUP+CDT.).<br />
# Obtain and transfer a modified, write-enabled mtd-hack-based harakiri.ko module to the phone ([http://www.megaupload.com/?d=1H1XODOM untested source code by [mbm] here that compiles with warnings] (it's a quick and dirty version; it takes mtd->erase and points it at a new erase function which is just a cut and paste of the old one with the panic commented out), [http://www.megaupload.com/?d=2ZG207FO precompiled binary here with those warnings solved]).<br />
# Set USB Debugging in the Milestone's Settings/Applications/Development configuration menu.<br />
# Boot the Milestone in [[recovery_mode|Recovery mode with ADBrecovery]], so it's running on RAM.<br />
# Follow this procedure to change mbmloader:<br />
## su to root<br />
## Execute a command to write the Droid image into the h_harakiri mtd. The correct command is yet to be determined((There are two known teardowns of the Droid, and none of the Milestone. There's the [http://www.phonewreck.com/2009/11/12/motorola-droid-teardown-analysis/ phoneWreck teardown] and the [http://www.isuppli.com/News/Pages/iSuppli-Does-Droid-Teardown-Finds-$18775-Bill-of-Materials-and-Manufacturing-Cost.aspx iSuppli cost analysis]. The 512 MB total NAND flash is split into 256 MB PoP and 256 MB standalone. The PoP chip is a Toshiba YBC0A111100L8, although there is no information about this chip ID on the web; iSuppli doesn't mention any chip ID. The standalone chip seen in the phoneWreck teardown is [http://www.data-io.com/device/details.asp?Prog=PS300FC&DevTech=ALL&PAdapt=ALL&PBase=ALL&PkgType=ALL&SemiMfgr=Motorola&offset=150&DID=60430&SUP_ID=60548&PMODEL=PS300FC&HW_ID=57462 Toshiba TY9000A000GLLF], and the one seen in the iSuppli pictures is a [http://www.dataio.com/device/details.asp?Prog=FLX500&DidList=63337&DID=63337&SUP_ID=55023&PMODEL=FLX500&HW_ID=57462 Numonyx (SGS-Thomson, STMicroelectronics) NANDA9R4N4CZBA5]. As seen in the Linux syslog, the Droid's memory detection message is "NAND device: Manufacturer ID 0x20, Chip ID: 0xbc (ST Micro NAND 512MiB 1,8V 16-bit)". In contrast, the Milestone's memory detection message is "NAND device: Manufacturer ID: 0x98, Chip ID: 0xbc (Toshiba NAND 512MiB 1,8V 16-bit)".)).<br />
<br />
* Note 1: do NOT use dd at this point, because it seems to corrupt the hardware-ECC-corrected part of the NAND flash((see the patches introduced to the OMAPZoom project on 2010-01-07 [http://git.omapzoom.org/?p=repo/x-loader.git;a=summary here]. They may point the way to fix this problem, although those sources seem to apply to a [http://www.datasheetsite.com/extpdf.php?q=http%3A%2F%2Fwww.samsung.com%2FProducts%2FSemiconductor%2FNANDFlash%2FSLC_LargeBlock%2F1Gbit%2FK9F1G08U0A%2Fds_k9f1g08x0a_rev10.pdf Samsung K9F1G08R0A] chip. User kokone proposes that "The ROM loader reads mbmloader using low level access to the Flash ... Perhaps the hardware ECC is not yet enabled and the used software ECC not compatible with hardware ECC?". But user sgx says "I can confirm that hardware ecc is required to properly flash an omap initial bootloader".)). User janneg created a Milestone dump, flashed it using dd but saw md5 difference with his previous dump; he then tried flash_image and the phone rebooted automatically due to panic in old mtd-hack. The reboot went fine (even though there were bit errors) and the system ran fine, even booting Android. ([http://pastebin.ca/1815149 Here]'s the corrupted code diff, so we can inspect whether that was ECC or not).<br />
<br />
* Note 2: do NOT use "flash_image h_harakiri droid.flash" at this point, because it may not be writing to the correct NAND flash location (or otherwise does in a way that is not bootable). User janneg tried this command after his abovementioned test; he also added mtd-hack with panic workaround, flashed the Milestone dump again using flash_image and md5 hash of boot area was correct again. But then he rebooted and the phone was bricked. We still do not know what went wrong with this test. His phone was left with the boot ROM receiving USB commands((see the abovementioned sprufd6.pdf TRM. User playya has put together [[http://pastebin.com/MX72CpRW some untested code]] for talking to the boot ROM in this state.)).<br />
<br />
* Note 3: An alternative method has been proposed by Skrilax_CZ, based on how other Motorola phones have their mbmloader updated: by creating [http://rapidshare.com/files/357531828/Milestone-bootloader-flash-test-9072.rar an SBF file] containing mbm (CG30), mbmloader (CG31), bploader (CG32) and a modded ramdld. The ramdld can be modded because the address table inside the ramdld, located between addresses 0x0F8 and 0x260 (offsets of the smg), is not signed. But applying this SBF file blindly is likely to brick your phone, because:<br />
** we do not know whether the Milestone mbm is able to write to the hardware-ECC-protected first sectors of the NAND flash.<br />
** the included mbmloader version is 90.72, which is the oldest Milestone version. If you have a later mbm version, the mbmloader will refuse to boot in order to prevent the mbm downgrade; thus, the phone would be bricked.<br />
** the included bploader is set at 128KB long. This has been extracted from a live phone. The length is guessed (there are only 0xff after this part, and the Sholes Table bploader is also 128KB long).<br />
# Execute "sync" as root.<br />
# Execute "dmesg" and see the latest info, to check if there were any errors during the flashing.<br />
# Dump the flash contents to the SD card, for example "dd if=/dev/mtd11 of=/sdcard/afterflash.img" if mtd11 is h_harakiri (check the partition name in /proc/mtd first; reading with dd is fine, Note 1 only concerns writing). Compare its md5 with the image you flashed.<br />
# Take the battery out.<br />
# Put the battery back.<br />
# Connect the Milestone via USB to a Linux host.<br />
# Press the D-Pad UP key, and hold it. Press the Power button for a while, then let go of both keys.<br />
# Report what happens at this point.<br />
# Does it turn the screen on? (check it out in a dark room).<br />
# Run "lsusb -vd 22b8:41db" on the Linux host (22b8 is Motorola's USB vendor ID; you may need to wait a bit before anything shows up).<br />
# If mbm shows up on the display and says "OK to program", then we're in. We just need to prepare a custom SBF with the correct baseband, etc., and then load it with RSD Lite under Windows XP (MUST be XP for meaningful results).<br />
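The post-flash checks above (read the partition back, compare its md5 with the image that was written, and look at how the bytes differ) as an added example script; this is not code from this wiki or from any of the tools it mentions. It assumes the standard /proc/mtd layout and 2 KiB NAND pages (the page size of the K9F1G08-class chip mentioned in Note 1, which may not be the Milestone's part), and it works on constructed sample data:<br />

```python
"""Post-flash verification for the Milestone NAND experiments above.

Added example, not code from the droid-developers wiki. Assumptions:
  * /proc/mtd uses the standard "dev: size erasesize name" layout;
  * NAND pages are 2048 bytes (the page size of the K9F1G08-class part
    mentioned in Note 1; set PAGE_SIZE for the chip you actually have);
  * the /proc/mtd text and the two dumps below are constructed samples.
"""
import hashlib
import re
from collections import Counter

PAGE_SIZE = 2048  # assumption: 2 KiB NAND pages

# Constructed /proc/mtd excerpt (device numbers are made up for the example).
SAMPLE_PROC_MTD = (
    'dev:    size   erasesize  name\n'
    'mtd0: 00040000 00020000 "mbm"\n'
    'mtd1: 00040000 00020000 "mbmbackup"\n'
    'mtd11: 00020000 00020000 "h_harakiri"\n'
)

_MTD_LINE = re.compile(
    r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"', re.M)


def parse_proc_mtd(text):
    """Map partition name -> (device, size, erasesize) from /proc/mtd text."""
    return {name: (dev, int(size, 16), int(erase, 16))
            for dev, size, erase, name in _MTD_LINE.findall(text)}


def device_for(name, proc_mtd_text):
    """Return '/dev/mtdN' for a named partition, or None if it is absent.

    Use this instead of hard-coding mtd11: the numbering differs between
    firmware versions, and writing the wrong partition bricks the phone.
    """
    entry = parse_proc_mtd(proc_mtd_text).get(name)
    return None if entry is None else "/dev/" + entry[0]


def compare_dumps(expected, actual):
    """Compare the image that was written with the partition read back.

    Returns the md5 of both, the number of differing bytes, the total
    number of flipped bits, and a per-NAND-page count of differing bytes.
    A few single-bit flips inside a page look like an ECC layout problem;
    whole pages of wrong data point at a write to the wrong location.
    """
    if len(expected) != len(actual):
        raise ValueError("length mismatch: %d vs %d" % (len(expected), len(actual)))
    diffs = [i for i in range(len(expected)) if expected[i] != actual[i]]
    return {
        "md5_expected": hashlib.md5(expected).hexdigest(),
        "md5_actual": hashlib.md5(actual).hexdigest(),
        "identical": not diffs,
        "diff_bytes": len(diffs),
        "flipped_bits": sum(bin(expected[i] ^ actual[i]).count("1") for i in diffs),
        "per_page": Counter(i // PAGE_SIZE for i in diffs),
        "first_diffs": [(i, expected[i], actual[i]) for i in diffs[:8]],
    }


def compare_files(image_path, dump_path):
    """Same comparison for files, e.g. droid.flash vs /sdcard/afterflash.img.

    The dump is truncated to the image length, since a partition dump is
    normally longer than the image written into it (0xFF padding follows).
    """
    with open(image_path, "rb") as f:
        expected = f.read()
    with open(dump_path, "rb") as f:
        actual = f.read()
    return compare_dumps(expected, actual[:len(expected)])


# Constructed dumps: two NAND pages of a counting pattern, with a one-bit
# flip in the first page and a two-bit flip in the second page.
SAMPLE_BEFORE = bytes(range(256)) * (2 * PAGE_SIZE // 256)
_after = bytearray(SAMPLE_BEFORE)
_after[10] ^= 0x01
_after[PAGE_SIZE + 2] ^= 0x03
SAMPLE_AFTER = bytes(_after)


def report(result):
    """Render a compare_dumps() result as a short printable summary."""
    lines = ["md5 written: %s" % result["md5_expected"],
             "md5 read   : %s" % result["md5_actual"],
             "differing bytes: %d, flipped bits: %d"
             % (result["diff_bytes"], result["flipped_bits"])]
    for page, n in sorted(result["per_page"].items()):
        lines.append("  page %d: %d differing byte(s)" % (page, n))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(compare_dumps(SAMPLE_BEFORE, SAMPLE_AFTER)))
```

On the phone, use device_for("h_harakiri", open("/proc/mtd").read()) to find the right mtd device before dumping; on the host, run compare_files("droid.flash", "/sdcard/afterflash.img") after copying the dump over. Single-bit differences clustered per page are what an ECC layout mismatch would look like, while a wholesale mismatch points at a wrong write location, as suspected in Note 2.<br />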
<br />
[[Category:Booting Chain]]</div>Wikiadminhttp://www.droid-developers.org/wiki/ContentContent2010-12-28T00:50:23Z<p>Wikiadmin: </p>
<hr />
<div>Check with [[Special:PrefixIndex]]<br />
<br />
Content index:<br />
<br />
* [[Hacked Features]]<br />
* [[Patches]]<br />
<br />
Booting review:<br />
<br />
* [[Booting chain]]<br />
* [[Application Processor Boot ROM]]<br />
* [[Baseband Processor Boot ROM]]<br />
* [[BP firmware]]<br />
* [[mbmloader]]<br />
* [[mbm]]<br />
* [[linux kernel]]<br />
* [[wilink firmware]]<br />
<br />
Custom recovery:<br />
<br />
* [[Cryptography]]<br />
* [[Vulnerability hunting]]<br />
* [[Custom_recovery:alternative_methods]]<br />
* [[Custom_recovery:pr_attack]]<br />
* [[Legal Attack]]<br />
* [[MBM backup attack]]<br />
* [[mbmloader replacement attack]]<br />
* [[MWC2010 Awareness]]<br />
* [[root attack]]<br />
* [[Public bounty]]<br />
<br />
Custom ROM:<br />
<br />
* [[2ndboot]]<br />
* [[2ndinit]]<br />
* [[MOTOROFL]]<br />
* [[CyanogenMod for Milestone]]<br />
<br />
Hardware:<br />
<br />
* [[FM_radio]]<br />
* [[GSM/CDMA-chain]]<br />
* [[Wrigley 3G]]<br />
<br />
Modes:<br />
<br />
* [[Modes:bootloader_mode]]<br />
* [[Modes:programmer_mode]]<br />
* [[Modes:recovery_mode]]<br />
<br />
Partitions:<br />
<br />
* [[CDT]]<br />
* [[CH]]<br />
* [[ISW]]<br />
* [[mbmloader]]<br />
* [[mbm]]<br />
<br />
SBF:<br />
<br />
* [[SBF | ALL]]<br />
* [[SBF Milestone]]<br />
* [[SBF Droid]]<br />
* [[SBF DroidX]]<br />
* [[SBF Ruth]]<br />
* [[SBF XT701]]<br />
* [[SBF XT720]]<br />
* [[SBF XT800]]<br />
<br />
Tools:<br />
<br />
* [[Building with AOSP]]<br />
* [[Compiling]]<br />
* [[Debugging]]<br />
* [[Disassembling]]<br />
* [[ROM Flashing]]<br />
* [[CSST]]<br />
* [[FAQ]]<br />
* [[Interesting links]]<br />
* [[Kernel sources]]<br />
* [[USB drivers]]<br />
<br />
Misc:<br />
<br />
* [[Credits]]<br />
* [[Roadmap]]</div>Wikiadminhttp://www.droid-developers.org/wiki/Main_PageMain Page2010-12-28T00:50:02Z<p>Wikiadmin: </p>
<hr />
<div>__NOTOC__<br />
<br />
==== About this site ====<br />
<br />
{| cellspacing=5 cellpadding=15 border=0 valign="top" width=100%<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
This wiki documents our research on the Motorola Droid-family phones (including Milestone) internals.<br />
These phones are:<br />
<br />
<br />
# '''Motorola Milestone''' (our primary target)<br />
# Motorola Milestone 2<br />
# Motorola Droid<br />
# Motorola Droid X<br />
# Motorola Droid 2<br />
# Motorola MOTOROI/Milestone XT720<br />
# Motorola Sholes Tablet XT701<br />
# Motorola Titanium XT800<br />
# Motorola Ruth ME511 aka. Flipout <br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:community.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Community</span>'''<br /><small>Join our community! Discuss with us. </small><small><hr /> [[Credits | Our team]] | [irc://irc.freenode.net/#milestone-modding Our IRC channel] | [http://www.damogran.de/milestone-modding/ <span title="Starts on Jan 21 2010, 11:33:51 UTC. Refreshes every 15 minutes. Timezone: UTC+1. Thanks to Kasperle.">IRC log #1</span>] | [http://bacon.ojnk.org/milestone-modding.log <span title="Starts on Jan 21 2010, 13:09:10 UTC. Timezone: UTC-6. Thanks to Orgg.">IRC log #2</span>] | [http://milestone.bekaakut.de/ <span title="There is now a new channel log. Thanks to rebel1">IRC log #3</span>] | [http://milestone.denhaas.info/ <span title="Starts on Jan 22 2010, 18:05:42 UTC. Gap between Feb 4 2010, 12:46:55 UTC and Feb 6 2010, 11:54:55 UTC. Stopped working on March 26 2010. Timezone: UTC+1. Thanks to xinix88. Doesn't work anymore">IRC log #4</span>] | [http://gitorious.org/+droid-developers Our projects on Gitorious] | [http://hg.droid-developers.org/2ndboot Our projects on Bitbucket]</small><br />
|}<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:hardware.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Hardware</span>'''<br /><small>All about devices internals - PCB, chips </small><small><hr />[[device_information|Overview]] | [[Motorola Milestone | Milestone]] | [[Motorola Droid | Droid]] | [[Motorola Droid X | Droid X]] | [[Motorola Droid 2 | Droid 2]] | [[Motorola Sholes Tablet XT701 | Sholes Tablet XT701]] | [[Motorola Milestone XT720 | Milestone XT720]] | [[Motorola Titanium XT800 | Titanium XT800]] | [[Motorola Ruth ME511 | Ruth ME511]] </small><br />
|}<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:reverse.gif]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">For developers</span>'''<br /><small>Useful information for experts and beginners </small><small><hr />[[Toolchain]] | [[MOTOROFL]] | [[Compiling]] | [[Debugging]] </small><br />
|}<br />
<br />
|}<br />
<br />
==== Information for volunteers ====<br />
<br />
If you are a developer and have a code project for the Droid family of smartphones (e.g. Milestone), join us on [http://gitorious.org/+droid-developers Gitorious]<br />
<br />
Even if you're not the technical type, you too can help us mod the Milestone by participating in the [[Custom_recovery:pr_attack|PR campaign to force Motorola to unlock it]].<br />
<br />
If you're the technical type, see our [[roadmap|Roadmap]] and our progress in [[projects|Projects]].<br />
<br />
See the [[content|content index here]].<br />
<br />
{| cellspacing=5 cellpadding=15 border=0 valign="top" width=100%<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:reverse.gif]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Bootloader Unlock</span>'''<br /><small>Research how-to unlock boot process for the Application Processor </small><small><hr />[[Booting chain]] | [[Security]] | [[Cryptography]] | [http://gitorious.org/+droid-developers/droid/reversed IDA databases of bootloaders] | [[Disassembling]] </small><br />
|-<br />
|style="vertical-align:top"|<br />
|style="vertical-align:top"|<br />
The [[modes:recovery_mode|recovery image]] hasn't yet been [http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images modified] because we currently cannot control [[Booting chain|the boot process]]. We cannot alter the boot process so far because each of its components appears to carry a digital signature. The bootloader (mbm in particular; neither lbl nor mbmloader access the CDT, see [[Booting chain|here]] and [https://opensource.motorola.com/sf/discussion/do/listPosts/projects.milestone/discussion.general_comments.topc2012?_pagenum=2 here]) appears to use the [[CDT|cdt partition table]] to check that the recovery has been correctly signed. If it has not, the recovery does not start at all and the [[modes:bootloader_mode|bootloader mode]] is shown instead.<br />
<br />
* '''[[2ndboot]]'''<br />
* '''[[Vulnerability hunting]]'''<br />
* '''[[Bruteforce]]'''<br />
* '''[[open_recovery | Open Recovery]]'''<br />
* '''[[2ndinit]]'''<br />
<br />
|}<br />
<br />
| width=50% style="vertical-align:top"|<br />
<br />
{|<br />
|style="vertical-align:top"|<br />
[[Image:baseband.png]]<br />
|style="vertical-align:top"|<br />
'''<span style="font-variant:small-caps; font-size:150%">Baseband Research</span>'''<br /><small>All our researches of Baseband and RF part of these phones</small><small><hr />[[GSM/CDMA-chain|GSM/UMTS & CDMA Milestone/Droid structure]]</small><br />
|-<br />
|style="vertical-align:top"|<br />
|style="vertical-align:top"|<br />
The [[Wrigley 3G]] modem runs RTXC OS; it consists of an ARM core and a [[TMS320C55x+]] DSP core.<br />
Our main problem is that Motorola uses a non-standard RIL, which is partially implemented on the AP side.<br />
Our second problem is that the [[TMS320C55x+]] is a closed platform with no public datasheets.<br />
It is very different from the original [[TMS320C55x]] architecture and has different opcodes.<br />
We only have the '''asm55p''' utility from TI, which produces binaries from TMS320 assembler.<br />
So it is a very important task to fully reverse engineer it. [[File:asm55p.idb.bz2]]<br />
<br />
* '''[[Baseband Processor Boot ROM]]'''<br />
* '''[[BP firmware]]'''<br />
* '''[[Texas Instruments Wrigley 3G]]'''<br />
* '''[[GSM/CDMA-chain]]'''<br />
<br />
|}<br />
<br />
|<br />
|}<br />
<br />
== '''[[2ndboot]]''' ==<br />
<br />
This attack is by far the most promising and convenient right now. Recently a few developers have pursued it in at least three independent attempts. All face a significant roadblock: hardware initialization. There are a [http://android.git.kernel.org/?p=kernel/omap.git;a=blob;f=arch/arm/mach-omap2/prcm.c;h=86c3fe328f51736ee4139b59654252021f3d90a2;hb=refs/heads/android-omap-2.6.29-eclair#l129 couple] of [https://patchwork.kernel.org/patch/82291/ ideas] about tackling it, but it is still a work in progress at the time of this writing. See more information about previous attempts [[custom_recovery:alternative_methods#kexec_attack|here]].<br />
<br />
== '''[[Vulnerability hunting]]''' ==<br />
<br />
As far as we know now, this attack is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might reveal an exploitable vulnerability that lets us gain control of the boot process. Since we already have the source code for lbl, it might be useful too. Mike Baker ([mbm]) has written a [http://pastebin.ca/raw/1833228 user mode memory dumper] and dumped the Droid boot ROM. As we found, all boot ROMs for the OMAP3430 are identical, and the same holds for the OMAP3630. See here: [[Booting chain|Boot chain]]<br />
<br />
== '''[[Bruteforce]]''' ==<br />
<br />
This is a distributed computation to recover the 1024-bit RSA private key, which could then be used to sign our own bootloaders and kernel images. Bear in mind that factoring a 1024-bit RSA modulus is far beyond any published factoring result, so this is a very long shot.<br />
<br />
== '''[[open_recovery | Open Recovery]]''' ==<br />
<br />
Uses the payload exploit to start the custom recovery application. Supports rooting the phone from menu, as well as taking backups and flashing unsigned update *.zip files. Also runs ADB.<br />
<br />
== '''[[2ndinit]]''' ==<br />
<br />
This injects code into /init to make it "restart itself", allowing a custom init binary and init.rc scripts to be used without side effects.</div>Wikiadminhttp://www.droid-developers.org/wiki/Booting_chainBooting chain2010-12-28T00:47:41Z<p>Wikiadmin: </p>
<hr />
<div>== Graphical view ==<br />
<br />
This is the boot chain of the Motorola Milestone, as far as we know((see [http://download.micron.com/pdf/technotes/nand/tn2916.pdf here] and [http://omappedia.org/wiki/Bootloader_Project here] for examples of the OMAP boot process, which differs from the Milestone's as we found in our [[mbmloader|mbmloader analysis]]. X-Loader and U-Boot are missing from this diagram because Motorola's mbmloader replaces them. The OMAP architecture permits the bootstrap code to be loaded from an SD card, provided that the NAND flash is unable to boot and that the SD card contains a proper FAT32 filesystem and a .IFT file signed as required by HS mode. If the processor were in GP mode, we could follow [http://www.anddev.org/viewtopic.php?p=12989 these steps] to boot from the SD card; unfortunately that is not the case. Some innards of similar boot ROMs are described [http://focus.ti.com/lit/ug/spru963a/spru963a.pdf here], [http://bunnitude.com/misc/files/omap/pdf/sprufd6.pdf here] and [http://focus.ti.com.cn/download/wtbu/csst_sdp3430_releasenotes_v2_4.pdf here]. The [http://focus.ti.com/pdfs/wtbu/SWPU223_FinalEPDF_02_18_2010.pdf OMAP 34xx TRM] is the final reference for the platform.)):<br />
<br />
[[File:Boot chrain flow.png|800px]] <br />
<br />
== Description ==<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Boot part<br />
! Processor<br />
! Arch<br />
! Dump<br />
! Disassembly/Decompilation<br />
|-<br />
|[[Application Processor Boot ROM|OMAP boot ROM]]<br />
|OMAP core<br />
|armv7-a<br />
|[[File:omap_3430.bin.gz|OMAP3430 BootROM]], [[File:omap_3630.bin.gz|OMAP3630 BootROM]]<br />
|[[File:omap_3430_bootrom.idb.gz| OMAP3430 Boot ROM Reversed]]<br />
|-<br />
|[[mbmloader|mbmloader]]<br />
|OMAP3430 core<br />
|armv7-a<br />
|none<br />
|[[File:boot:mbmloader-0.5a.idb.gz|MBMloader-0.5A reversed]]<br />
|-<br />
|[[mbm|mbm]]<br />
|OMAP3430 core<br />
|armv7-a<br />
|none<br />
|[[File:boot:mbm-90.72.idb.gz|MBM-90.72 reversed]]<br />
|-<br />
|lbl<br />
|OMAP3430 core<br />
|armv7-a<br />
|none<br />
|none<br />
|-<br />
|[[Baseband Processor Boot ROM|Wrigley arm boot ROM]]<br />
|[[Wrigley_3G|Wrigley3G]] ARM core<br />
|arm9<br />
|none<br />
|none<br />
|-<br />
|[[Baseband Processor Boot ROM|Wrigley dsp boot ROM]]<br />
|[[Wrigley_3G|Wrigley3G]] TMS320c55x+<br />
|c55x+<br />
|[[File:wrigley_dump.gz]]((this is a partial dump of the Wrigley3G DSP memory (addresses 0xF00000-0xFFFFFF); the boot ROM is only a very small part of it.))<br />
|none<br />
|-<br />
|[[BP_Loader|Wrigley3G RTXC OS loader]]<br />
|[[Wrigley_3G|Wrigley3G]] ARM core<br />
|arm?<br />
|none<br />
|[[File:bploader.idb.gz|BPloader reversed]]<br />
|-<br />
|[[BP_firmware|Wrigley RTXC OS]]<br />
|[[Wrigley_3G|Wrigley3G]] TMS320c55x+<br />
|c55x+<br />
|none<br />
|none<br />
|-<br />
|Main DSP boot ROM<br />
|TMS320C6454<br />
|c64x+ (TI VLIW DSP)<br />
|none<br />
|none<br />
|-<br />
|Main DSP firmware<br />
|TMS320C6454<br />
|c64x+ (TI VLIW DSP)<br />
|[[File:baseimage.dof.gz|TMS320C6454 Boot Rom]]<br />
|none<br />
|-<br />
|[[Wilink_firmware|WiLink firmware]]<br />
|WiLink 6.0 TPS656905<br />
|arm<br />
|[[File:wl1271.bin.gz| Wilink 6.0 NVS]] and [[File:fw_wlan1271.bin.gz| Wilink 6.0 firmware]]<br />
|none<br />
|-<br />
|[[CPCAP | Power Manager]] Boot ROM<br />
|TWL5030<br />
|Vendor Specific (ASIC)<br />
|[[File:firmware_1_2x.bin.gz| TWL5030 firmware]]<br />
|none<br />
|-<br />
|Touch Panel Controller boot ROM<br />
|AVR ATmega324P<br />
|AVR 8-bit<br />
|none<br />
|none<br />
|-<br />
|[[Linux_kernel|Linux kernel]]<br />
|OMAP3430 core<br />
|arm<br />
|none<br />
|none<br />
|}<br />
<br />
All recent IDA databases of bootloaders can be found here [http://gitorious.org/droid/reversed Gitorious]<br />
<br />
<del>(!) the [[partitions:ch|CH table]] can be signed with [[tools:CSST|CSST]] along with the [[partitions:isw|Initial Software image]]. Whether Motorola included it in the signed image or left it unsigned is unknown (and risky to test!). ((Citation needed))<br />
</del> After kokone found that the original mbmloader dump contained bit errors, a correct mbmloader binary image was obtained. With it he was able to validate all the signatures in mbmloader, and the CH table turned out not to be part of any signed content.<br />
<br />
(!!) In fact mbm and mbmbackup are binary identical, so mbmbackup DOES contain certificates. But its certificates are not referenced in the [[CDT|cdt table]], because it is used directly by the mbmloader (and the mbmloader does not use the cdt table, as discovered by yakk). On the Droid, mbm and mbmbackup are binary identical too, just as on the Milestone (but with a different code version). One Droid user (Orgg) had an incident in which his mbm partition became corrupt, and the phone would not boot at all afterwards. This suggests that the mbmbackup partition is not used for automatic recovery. User [mbm] reports that his Droid originally came with different mbm and mbmbackup, but after an update pushed by Verizon they became identical. In light of this, [[MBM_backup_attack|the mbm_backup_attack]] was proposed, but it was then found to be flawed and discarded.<br />
<br />
[[Category:Booting Chain]]</div>Wikiadminhttp://www.droid-developers.org/wiki/MediaWiki:SidebarMediaWiki:Sidebar2010-10-27T22:36:19Z<p>Wikiadmin: </p>
<hr />
<div>* navigation<br />
** mainpage|mainpage-description<br />
** https://www.droid-developers.org/wiki/2ndboot | 2ndboot<br />
** https://www.droid-developers.org/wiki/Vulnerability_hunting | Vulnerability hunting<br />
** https://www.droid-developers.org/wiki/Open_recovery | Open Recovery<br />
** https://www.droid-developers.org/wiki/2ndinit | 2ndinit<br />
** recentchanges-url|recentchanges<br />
* SEARCH<br />
* see also<br />
** http://www.omappedia.org/ | OMAPpedia<br />
** http://bb.osmocom.org/trac/ | OsmocomBB<br />
** http://openbsc.osmocom.org/trac/ | OpenBSC<br />
** http://www.ti.com/ | Texas Instruments<br />
** https://opensource.motorola.com | OpenSource Motorola<br />
** http://source.android.com/ | Android<br />
* TOOLBOX<br />
* LANGUAGES</div>Wikiadminhttp://www.droid-developers.org/wiki/TMS320C55x%2BTMS320C55x+2010-09-20T21:16:01Z<p>Wikiadmin: </p>
<hr />
<div>{{#widget:Google Spreadsheet<br />
|key=0AlX32SwXTZPudDZfUjB4X0U2Sm1WNlZHS1pMOHc2Y2c<br />
|width=1024<br />
|height=600<br />
}}</div>Wikiadminhttp://www.droid-developers.org/wiki/Widget:Google_SpreadsheetWidget:Google Spreadsheet2010-09-20T21:12:38Z<p>Wikiadmin: </p>
<hr />
<div><noinclude><br />
__NOTOC__<br />
This widget allows you to add '''[http://documents.google.com/support/spreadsheets/ Google Spreadsheets]''' to your wiki page.<br />
<br />
To insert this widget, use the following code:<br />
<br />
<nowiki>{{#widget:</nowiki>{{PAGENAME}}<nowiki><br />
|key=po-s58YMwf85Q3UxRzdGOBw<br />
|width=500<br />
|height=300<br />
}}</nowiki><br />
</noinclude><br />
<includeonly><iframe width="<!--{$width|escape:'html'|default:500}-->" height="<!--{$height|escape:'html'|default:300}-->" frameborder="0" src="http://spreadsheets.google.com/ccc?key=<!--{$key|escape:'urlpathinfo'}--><!--{if not $page}-->&output=html&widget=true<!--{/if}-->"></iframe></includeonly></div>Wikiadminhttp://www.droid-developers.org/wiki/TMS320C55x%2BTMS320C55x+2010-09-20T21:08:49Z<p>Wikiadmin: </p>
<hr />
<div>{{#widget:Google Spreadsheet<br />
|key=0AlX32SwXTZPudDZfUjB4X0U2Sm1WNlZHS1pMOHc2Y2c<br />
|width=800<br />
|height=600<br />
}}</div>Wikiadminhttp://www.droid-developers.org/wiki/TMS320C55x%2BTMS320C55x+2010-09-20T21:05:14Z<p>Wikiadmin: </p>
<hr />
<div>{{#widget:Google Document<br />
|key=0AlX32SwXTZPudDZfUjB4X0U2Sm1WNlZHS1pMOHc2Y2c<br />
|width=800<br />
|height=600<br />
}}</div>Wikiadminhttp://www.droid-developers.org/wiki/Widget:Google_DocumentWidget:Google Document2010-09-20T21:04:37Z<p>Wikiadmin: Created page with "<noinclude>__NOTOC__ This widget allows you to add '''[http://documents.google.com/support/ Google Documents]''' to your wiki page. To insert this widget, use the following code..."</p>
<hr />
<div><noinclude>__NOTOC__<br />
This widget allows you to add '''[http://documents.google.com/support/ Google Documents]''' to your wiki page.<br />
<br />
To insert this widget, use the following code:<br />
<br />
<nowiki>{{#widget:</nowiki>{{PAGENAME}}<nowiki><br />
|key=1hhpWRL4oyH6Aqf42laXo_lElObX_1JiaV4FMt8llA_U<br />
|width=500<br />
|height=300<br />
}}</nowiki><br />
<br />
== Parameters ==<br />
* '''width''' and '''height''' define document dimensions, 500x300 is default<br />
* '''id''' - id parameter used in the URL<br />
* '''key''' - docID parameter used in old document URL (use it instead of '''id''' to embed old document)<br />
<br />
== Sample result ==<br />
{{#widget:{{PAGENAME}}<br />
|id=1hhpWRL4oyH6Aqf42laXo_lElObX_1JiaV4FMt8llA_U<br />
|width=500<br />
|height=300<br />
}}<br />
<br />
=== Old document ===<br />
Old document that has '''docID''' attribute in the URL instead of '''id'''.<br />
<br />
{{#widget:{{PAGENAME}}<br />
|key=dcn37mcz_34cvfjpmhf<br />
|width=500<br />
|height=300<br />
}}<br />
<br />
{{Template:Copy to your site}}<br />
<br />
== Related widgets ==<br />
* [[Widget:Google Spreadsheet|Google Spreadsheet]] - for embedding spreadsheets<br />
* [[Widget:Google Form|Google Form]] - for embedding spreadsheet forms<br />
* [[Widget:Google Presentation|Google Presentation]] - for embedding presentations<br />
<br />
</noinclude><includeonly><iframe width="<!--{$width|escape:'html'|default:500}-->" height="<!--{$height|escape:'html'|default:300}-->" frameborder="1" src="http://docs.google.com/<!--{if isset($id)}-->document/pub?id=<!--{$id|escape:'urlpathinfo'}-->&amp;embedded=1<!--{elseif isset($key)}-->View?docID=<!--{$key|escape:'urlpathinfo'}-->&hgd=1<!--{/if}-->"></iframe></includeonly></div>Wikiadminhttp://www.droid-developers.org/wiki/MediaWiki:SidebarMediaWiki:Sidebar2010-09-03T22:47:27Z<p>Wikiadmin: </p>
<hr />
<div>* navigation<br />
** mainpage|mainpage-description<br />
** portal-url|portal<br />
** currentevents-url|currentevents<br />
** recentchanges-url|recentchanges<br />
** randompage-url|randompage<br />
** helppage|help<br />
* SEARCH<br />
* see also<br />
** http://www.omappedia.org/ | OMAPpedia<br />
** http://bb.osmocom.org/trac/ | OsmocomBB<br />
** http://openbsc.osmocom.org/trac/ | OpenBSC<br />
** http://www.ti.com/ | Texas Instruments<br />
** https://opensource.motorola.com | OpenSource Motorola<br />
** http://source.android.com/ | Android<br />
* TOOLBOX<br />
* LANGUAGES</div>Wikiadminhttp://www.droid-developers.org/wiki/MediaWiki:SidebarMediaWiki:Sidebar2010-09-03T16:02:10Z<p>Wikiadmin: Created page with "* navigation ** mainpage|mainpage-description ** portal-url|portal ** currentevents-url|currentevents ** recentchanges-url|recentchanges ** randompage-url|randompage ** helppage|..."</p>
<hr />
<div>* navigation<br />
** mainpage|mainpage-description<br />
** portal-url|portal<br />
** currentevents-url|currentevents<br />
** recentchanges-url|recentchanges<br />
** randompage-url|randompage<br />
** helppage|help<br />
* SEARCH<br />
* see also<br />
** http://www.omappedia.org/ | OMAPpedia<br />
** http://www.ti.com/ | Texas Instruments<br />
** https://opensource.motorola.com | OpenSource Motorola<br />
** http://source.android.com/ | Android<br />
* TOOLBOX<br />
* LANGUAGES</div>Wikiadminhttp://www.droid-developers.org/wiki/User_talk:XVilkaUser talk:XVilka2010-09-03T14:45:44Z<p>Wikiadmin: /* Here will be my test place */</p>
<hr />
<div>== Widgets ==<br />
<br />
[[Widget:Google Spreadsheet]]<br />
<br />
== Here will be my test place ==<br />
<br />
{{#widget:Google Spreadsheet<br />
|key=0AlX32SwXTZPudHQxWmFvWjEwV25hZXR6QjJxM1lCVlE<br />
|width=500<br />
|height=300<br />
}}</div>Wikiadminhttp://www.droid-developers.org/wiki/User_talk:XVilkaUser talk:XVilka2010-09-03T14:23:49Z<p>Wikiadmin: </p>
<hr />
<div>== Widgets ==<br />
<br />
[[Widget:Google Spreadsheet]]<br />
<br />
== Here will be my test place ==<br />
<br />
{{#widget:Google Spreadsheet<br />
|id=0AlX32SwXTZPudHQxWmFvWjEwV25hZXR6QjJxM1lCVlE<br />
|width=500<br />
|height=300<br />
}}</div>Wikiadminhttp://www.droid-developers.org/wiki/Widget:Google_SpreadsheetWidget:Google Spreadsheet2010-09-03T14:15:31Z<p>Wikiadmin: Created page with "<noinclude> __NOTOC__ This widget allows you to add '''[http://documents.google.com/support/spreadsheets/ Google Spreadsheets]''' to your wiki page. </noinclude> <includeonly><if..."</p>
<hr />
<div><noinclude><br />
__NOTOC__<br />
This widget allows you to add '''[http://documents.google.com/support/spreadsheets/ Google Spreadsheets]''' to your wiki page.<br />
</noinclude><br />
<includeonly><iframe width="<!--{$width|escape:'html'|default:500}-->" height="<!--{$height|escape:'html'|default:300}-->" frameborder="0" src="http://spreadsheets.google.com/pub?key=<!--{$key|escape:'urlpathinfo'}--><!--{if not $page}-->&output=html&widget=true<!--{/if}-->"></iframe></includeonly></div>Wikiadminhttp://www.droid-developers.org/wiki/Main_PageMain Page2010-08-09T13:09:57Z<p>Wikiadmin: </p>
<hr />
<div>==== About this site ====<br />
<br />
This wiki documents our research on the Motorola Droid-family phones (including Milestone) internals.<br />
These phones are:<br />
<br />
* '''Motorola Milestone''' (our primary target)<br />
* Motorola Droid<br />
* Motorola Droid X<br />
* Motorola Droid 2<br />
* Motorola MOTOROI/Milestone XT720<br />
* Motorola Sholes Tablet XT701<br />
* Motorola Titanium XT800<br />
* Motorola Ruth ME511 <br />
<br />
Here you can find hardware information about these phones: [[device_information|description]]<br />
<br />
'''IRC:'''<br />
<br />
Join us on the #milestone-modding channel of the Freenode IRC network. <br />
<br />
Channel logs:<br />
<br />
- See the automatic channel log [http://www.damogran.de/milestone-modding/ here] (Starts on Jan 21 2010, 11:33:51 UTC. Refreshes every 15 minutes. Timezone: UTC+1. Thanks to Kasperle.). <br />
<br />
- There's also a manual copy of the channel log [http://bacon.ojnk.org/milestone-modding.log here] (Starts on Jan 21 2010, 13:09:10 UTC. Timezone: UTC-6. Thanks to Orgg.).<br />
<br />
- There's another log [http://milestone.denhaas.info/ here] (Starts on Jan 22 2010, 18:05:42 UTC. Gap between Feb 4 2010, 12:46:55 UTC and Feb 6 2010, 11:54:55 UTC. Stopped working on March 26 2010. Timezone: UTC+1. Thanks to xinix88.) which doesn't work anymore.<br />
<br />
- There is now a new channel log [http://milestone.bekaakut.de/ here] Thanks to rebel1. <br />
<br />
If you are a developer and have a code project for the Droid family of smartphones (e.g. Milestone), join us on [http://gitorious.org/+droid-developers Gitorious]<br />
<br />
Even if you're not the technical type, you too can help us mod the Milestone by participating in the [[Custom_recovery:pr_attack|PR campaign to force Motorola to unlock it]].<br />
<br />
If you're the technical type, see our [[roadmap|Roadmap]] and our progress in [[projects|Projects]].<br />
<br />
See the [[content|content index here]].<br />
<br />
==== Main Operation System Modding ====<br />
<br />
The [[modes:recovery_mode|recovery image]] hasn't yet been [http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images modified] because we currently cannot control [[boot:boot_chain|the boot process]]. We cannot alter the boot process so far because each of its components appears to carry a digital signature. The bootloader (mbm in particular; neither lbl nor mbmloader access the CDT, see [[boot:boot_chain|here]] and [https://opensource.motorola.com/sf/discussion/do/listPosts/projects.milestone/discussion.general_comments.topc2012?_pagenum=2 here]) appears to use the [[CDT|cdt partition table]] to check that the recovery has been correctly signed. If it has not, the recovery does not start at all and the [[modes:bootloader_mode|bootloader mode]] is shown instead.<br />
<br />
Several ways of attacking this protection scheme have been proposed to gain some degree of control over the boot process. Here is a rough estimate of the probability of success for each method, based on the information we have as of 10/Mar/2010 and ordered by decreasing efficiency:<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Method<br />
! Usefulness<br />
! Difficulty to attempt<br />
! Chance of success<br />
! Status<br />
|-<br />
|[[custom_rom:2ndboot|2ndboot]]<br />
|Very high<br />
|Medium<br />
|Very high<br />
|This attack is currently by far the most promising and convenient. Recently a few developers have pursued this approach in at least three independent attempts. All face a significant roadblock: hardware initialization. There are a [http://android.git.kernel.org/?p=kernel/omap.git;a=blob;f=arch/arm/mach-omap2/prcm.c;h=86c3fe328f51736ee4139b59654252021f3d90a2;hb=refs/heads/android-omap-2.6.29-eclair#l129 couple] of [https://patchwork.kernel.org/patch/82291/ ideas] about tackling it, but it is still a work in progress at the time of this writing. See more information about previous attempts [[custom_recovery:alternative_methods#kexec_attack|here]]. '''None of these attempts work yet!'''<br />
<br />
Latest attempt: '''Yakk''' patched 2nd-boot to make it work on the Milestone, but his source code remains partly unpublished at this time. Status: it boots another kernel, which Yakk has also patched to get serial output over the USB connector (using custom hardware to connect to it). Currently the booted kernel has some problems with USB and fails to initialize the phone's modem, so it crashes. See the published code and binaries: [http://www.droid-developers.org/files/2ndboot.rar here (build number 1.03)] and [http://www.droid-developers.org/files/uploads/kern0231.rar here (build number 2.31)]. All current development of 2ndboot now takes place [http://hg.droid-developers.org/droiddev/2ndboot here]. When GSM is disabled this kexec module is able to boot the system with the recompiled kernel, but it is not really useful as a phone then. WiFi works fine, though. Yakk is now trying to use 2ndboot to start a patched version of mbm, which should be able to initialize the modem and then pass control to a custom Linux kernel. This is still under development, so don't get too excited. We'll keep you posted.<br />
|-<br />
|[[custom_rom:exploit|Vulnerability hunt]]<br />
|Maximum<br />
|Hard<br />
|Unknown<br />
|As far as we know, this attack is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might allow us to find some exploitable vulnerability in order to gain control of the boot process. Since we already have the source code for lbl, it might be useful too. Mike Baker ([mbm]) has written a [http://pastebin.ca/raw/1833228 user mode memory dumper] and dumped the Droid's public ROM. As we found, all ROMs for the omap3430 are identical; the same holds for the omap3630. See here: [[boot:boot_chain|Boot chain]]<br />
|-<br />
|[[open_recovery|Open Recovery]]<br />
|Medium<br />
| <br />
|Done<br />
|Uses the payload exploit to start the custom recovery application. Supports rooting the phone from the menu, as well as taking backups and flashing unsigned update *.zip files. Also runs ADB.<br />
|}<br />
<br />
All other methods are now deprecated after months of research and are only part of the history now: [[custom_recovery:alternative_methods|alternative ways (deprecated)]]<br />
<br />
==== Baseband Operation System Modding ====<br />
<br />
[[hardware:gsm_cdma_chain|GSM/UMTS & CDMA Milestone/Droid structure]]</div>Wikiadminhttp://www.droid-developers.org/wiki/CompilingCompiling2010-08-09T10:13:48Z<p>Wikiadmin: </p>
<hr />
<div>====== Compiling kernel modules for Milestone's original kernel ======<br />
<br />
===== Requirements =====<br />
<br />
* Linux system<br />
* Build essentials<br />
* Java JDK 5.0<br />
* Flex<br />
* Bison<br />
* Gperf<br />
* SDL<br />
* ESD<br />
* WxGTK 2.6<br />
* Zip<br />
* Curl<br />
<br />
For Ubuntu 9.10 32-Bit:<br />
<pre><br />
$ sudo apt-get install git-core gnupg sun-java5-jdk flex bison gperf libsdl-dev libesd0-dev libwxgtk2.6-dev build-essential zip curl libncurses5-dev zlib1g-dev<br />
</pre><br />
For Ubuntu 9.10 64-Bit:<br />
<pre><br />
$ sudo apt-get install git-core gnupg flex bison gperf build-essential zip curl sun-java5-jdk zlib1g-dev gcc-multilib g++-multilib libc6-dev-i386 lib32ncurses5-dev ia32-libs x11proto-core-dev libx11-dev lib32readline5-dev lib32z-dev<br />
</pre><br />
Set the system to use the right version of java by default:<br />
<pre><br />
$ sudo update-java-alternatives -s java-1.5.0-sun<br />
</pre><br />
X11: Ubuntu doesn't have packages for the X11 libraries, but that can be worked around with the following command:<br />
<pre><br />
$ sudo ln -s /usr/lib32/libX11.so.6 /usr/lib32/libX11.so<br />
</pre><br />
<br />
===== Setting up the Environment =====<br />
<br />
1. Refer to [[tools:kernel_sources|this page]] to find the kernel sources as they are specifically made for the Milestone...<br />
<br />
2. Download repo (a tool provided by Google to pull down the source code)<br />
<pre><br />
$ mkdir ~/bin<br />
$ export PATH=$PATH:~/bin<br />
$ curl http://android.git.kernel.org/repo >~/bin/repo<br />
$ chmod +x ~/bin/repo<br />
</pre><br />
<br />
===== Getting the Source =====<br />
<pre><br />
$ mkdir ~/foo<br />
$ cd ~/foo<br />
$ repo init -u git://android.git.kernel.org/platform/manifest.git<br />
$ repo sync<br />
</pre><br />
===== Compile =====<br />
<br />
Create a kernel environment in your working directory<br />
<pre><br />
$ cd ~/foo<br />
$ mkdir kernel <br />
</pre><br />
After untarring archive_0115-kernel.tgz into the kernel directory, we're ready to build the kernel and modules. [http://pastebin.org/277027 Here]'s a config file prepared by xvilka in case you need it.<br />
<pre><br />
$ cd ~/foo<br />
$ make -f kernel/kernel.mk ENG_BLD=1 <br />
</pre><br />
Your zImage (the kernel) will be located at<br />
<pre><br />
~/foo/motorola/bsp/prebuilt/target/images/zImage<br />
</pre><br />
<br />
Your modules can be found in<br />
<pre><br />
~/foo/motorola/bsp/prebuilt/target/images/system/lib/modules/<br />
</pre><br />
<br />
===== Compiling mtd-hack.c =====<br />
<br />
1. Place mtd-hack.c inside:<br />
<pre><br />
~/foo/kernel/drivers/mtd/<br />
</pre> <br />
2. Add this line to the Makefile:<br />
<pre><br />
obj-m += mtd-hack.o<br />
</pre><br />
3. Compile it with the same command as above.<br />
<pre><br />
$ make -f kernel/kernel.mk ENG_BLD=1<br />
</pre><br />
<br />
===== Recompiling Eclair for Milestone =====<br />
<br />
Follow the instructions for [http://source.android.com/documentation/building-for-dream compiling cupcake for HTC Dream], replacing cupcake with eclair and Dream with Milestone.<br />
<br />
====== Kernel compilation on Windows(or other OSes that Colinux supports) ======<br />
<br />
Kernel compilation on Windows can be a bit tricky. [[http://colinux.org/|Colinux]]((suggested by playya)) is used to make life easier. This guide works out the smallest tool set and the storage space required for a constrained build environment.<br />
<br />
In this guide, the Ubuntu 9.04 1GB file system(download size is 4xMB) will be used.<br />
<br />
Minimum storage requirement:<br />
<br />
^ ^Size ^Description ^<br />
| |1GB|Ubuntu 9.04 FS + basic tool + 74MB ARM tool chain|<br />
| |1.3GB(accounting for wasted size)|763MB build output + 384MB Kernel source + 2.6MB zImage and ko|<br />
|Total|2.3GB| |<br />
<br />
===== Colinux setup =====<br />
<br />
Colinux consists of a user-space kernel and a front-end (or layer) that sits on the Windows side. It is capable of running Linux natively on Windows. Because of the small download required (around 60MB for Colinux plus the Ubuntu 9.04 FS), it provides a quick jump into the Linux world on Windows.<br />
<br />
==== Installation ====<br />
<br />
The directory layout on Windows:<br />
<br />
^Path ^Description ^<br />
|[somewhere]\coLinux|Installation folder of coLinux|<br />
|[somewhere]\coLinux\fs|Sub-folder to put our linux|<br />
<br />
Follow these steps or work on your own:<br />
- Visit [[http://colinux.org/|Colinux]] download link.<br />
- Download and install coLinux-0.7.5.exe((the latest as of the time of writing)).<br />
- Skip the image download. (You may choose one there provided it has apt-get.)<br />
- Download [[http://sourceforge.net/projects/colinux/files/Images%202.6.x%20Ubuntu/Ubuntu%209.04/Ubuntu-9.04-1gb.7z/download|Ubuntu-9.04-1gb.7z]]<br />
- Unzip Ubuntu-9.04-1gb.7z to coLinux\fs.<br />
- Create a 1.3GB (or 1.5GB if you have more space) file as coLinux\fs\cobd2.img. See [[http://colinux.wikia.com/wiki/HowtoCreateSwapFile|HowtoCreateSwapFile]]. Create the file with the desired size first, then format it in coLinux later.<br />
- Copy coLinux\example.conf to coLinux\fs\ubu.conf.<br />
- Modify ubu.conf appropriately. Here is the diff: <file properties><br />
--- ../example.conf 2009-09-14 22:26:42.000000000 +0000<br />
+++ ubu.conf 2010-03-03 07:32:13.000000000 +0000<br />
@@ -20 +20 @@<br />
-cobd0="c:\coLinux\root_fs"<br />
+cobd0="fs/Ubuntu-9.04.ext3.1gb.fs"<br />
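Review bot: the cobd0 path here is relative with a forward slash ("fs/Ubuntu-9.04.ext3.1gb.fs") while the cobd2 line in the last hunk uses a backslash ("fs\cobd2.img"); both resolve relative to the directory colinux-daemon is started from (the coLinux folder, per the start-up step below), and the original "c:\coLinux\root_fs" was absolute. State that assumption next to the config or use absolute paths so a start from another directory does not fail on a missing root file system.<br />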
@@ -41 +41 @@<br />
-#cocon=120x40<br />
+cocon=120x40<br />
@@ -47 +47 @@<br />
-#eth0=slirp<br />
+eth0=slirp,,tcp:22:22<br />
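Review bot: eth0=slirp,,tcp:22:22 forwards the host's TCP port 22 into the guest's sshd, and the Login section below documents the image's credentials as root/root. Change the root password before enabling this redirect, and expect a conflict if the Windows host already runs something on port 22; a less common host port keeps the default-credential guest away from anything that can already reach the host on 22.<br />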
@@ -50 +50 @@<br />
-#eth1=tuntap<br />
+eth1=tuntap<br />
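Review bot: eth1=tuntap is enabled but nothing later in the guide configures or uses eth1 (all access goes through the slirp redirect on eth0 and the cofs mounts). Either drop this line or add a sentence on what the TAP interface is for and how it is set up.<br />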
@@ -57,0 +58,4 @@<br />
+cofs0=d:\<br />
+cofs1=r:\<br />
+<br />
+cobd2=fs\cobd2.img<br />
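Review bot: the cofs indices here disagree with the "Accessing the host's file system" section below, which specifies cofs0=r:\ and mounts it with "mount -t cofs 0 /mnt/r"; with this diff r:\ is cofs1, so that mount would expose d:\ at /mnt/r. Pick one mapping and use it consistently. Exposing whole drives to a guest that runs everything as root is also broad; if a dedicated folder for the downloaded tools can be mapped instead, that limits what a build inside coLinux can touch.<br />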
</file> The comments in the file explain the meaning of most settings. cofs0=d:\ exposes the Windows d:\ drive as cofs0, which can be mounted inside coLinux. To mount: <code><br />
mkdir /mnt/d<br />
mount -t cofs 0 /mnt/d</code> Remove cofs0=d:\ and cofs1=r:\ if you don't have these drives. Exposing a drive is important to extract downloaded tools from Windows. cobd2=fs\cobd2.img exposes an image file as the cobd2 device, which will be used to store the build output.<br />
- Open a command prompt, cd to the coLinux directory, then start it by executing colinux-daemon @fs\ubu.conf. You should see a Linux console pop up.<br />
<br />
==== Login ====<br />
<br />
User id: root<br />
Password: root<br />
<br />
Use alt+f1, alt+f2, etc. to switch to another terminal.<br />
<br />
==== SSH ====<br />
<br />
Alternatively, use an SSH client such as PuTTY to connect to the host machine's port 22, as set by "eth0=slirp,,tcp:22:22". PuTTY gives better control over the scroll history and coloring.<br />
<br />
==== Accessing the host's file system ====<br />
<br />
To access the host's file system, first specify <file properties>cofs0=r:\</file> in the ubu.conf above, where r:\ is the drive you want to expose. Next start up coLinux, then execute:<code bash>mkdir /mnt/r<br />
mount -t cofs 0 /mnt/r</code><br />
<br />
==== Attach a new file system to store the kernel build output ====<br />
<br />
The kernel build output is about <br />
<br />
- See [[http://colinux.wikia.com/wiki/HowtoCreateSwapFile|HowtoCreateSwapFile]] for how to create a file of at least 1.3GB at coLinux\fs\cobd2.img. No need to format the image at this point, as it may take time.<br />
- Add <file properties>cobd2=fs\cobd2.img</file> to coLinux\fs\ubu.conf if you haven't done so yet.<br />
- Restart coLinux if it's running.<br />
- Login to linux, execute these:<code>mkfs.ext3 /dev/cobd2 # Be careful to type cobd2, not others!!<br />
mkdir /mnt/cobd2 # Create an empty folder for mounting.<br />
mount -t ext3 /dev/cobd2 /mnt/cobd2</code><br />
- Add the mounts to /etc/fstab if you want them to survive a reboot:<file><br />
/dev/cobd2 /mnt/cobd2 ext3 defaults 0 1<br />
</file><br />
<br />
===== Minimum tool set =====<br />
<br />
==== The basic ====<br />
<br />
Install the needed tools:<code bash><br />
apt-get install flex bison gperf build-essential zip<br />
</code><br />
<br />
flex, bison and gperf are needed by make to do some pre-processing on the source files.<br />
<br />
==== Cross-compiler toolchain ====<br />
<br />
There're several options:<br />
- [[http://android.git.kernel.org/?p=platform/prebuilt.git;a=tree;f=linux-x86/toolchain/arm-eabi-4.4.0|Android Open Source Platform prebuilt snapshot]]. Click on the snapshot link to get a tar. It's about 74MB uncompressed.<br />
- Android NDK (as tested, 1.6 ships arm-eabi-4.2.0, which doesn't support the armv7-a architecture)<br />
- [[http://www.codesourcery.com/sgpp/lite/arm/portal/release1039|Sourcery G++ arm eabi tool-chain]]. It is very large because all of its binaries are statically linked, so it is not recommended.<br />
<br />
Assume you've chosen option 1 since it is the best current option. After downloading the toolchain to r:\prebuilt-balhbalhbalbhabalh.tar.gz, execute:<code bash><br />
tar xzf /mnt/r/prebuilt-balhbalhbalbhabalh.tar.gz -C ~<br />
</code><br />
A prebuilt folder will be created in user home.<br />
<br />
===== Build the kernel =====<br />
<br />
==== Grab the source ====<br />
<br />
Visit [[tools:kernel_sources]] to see the location of the kernel source. Milestone 01.15.0 has been tested. Extract the source to ~/android.<br />
<br />
==== Prepare the build folder ====<br />
<br />
<code><br />
/root                      # Home<br />
  prebuilt                 # Untar the ARM tool chain to ~<br />
  android -> /mnt/cobd2    # ln -s /mnt/cobd2 android<br />
    kernel                 # Milestone kernel source<br />
    b.sh                   # Shell script to make<br />
</code><br />
<br />
<file bash b.sh><br />
#!/bin/bash<br />
make -f kernel/kernel.mk KERNEL_CROSS_COMPILE=~/prebuilt/bin/arm-eabi- $*<br />
</file><br />
==== Build now ====<br />
<br />
<code bash><br />
cd ~/android<br />
./b.sh<br />
</code><br />
<br />
You may see an error about wilink_6_1. As long as you aren't going to build a whole system, you can ignore it. Otherwise, download the system-wlan source from [[tools:kernel_sources]] too.<br />
<br />
===== Compiling your own toolchain from scratch =====<br />
<br />
1. Download your device's kernel, unpack it and create the configs and headers:<br />
<code><br />
make mapphone_defconfig<br />
make headers_install ARCH=arm INSTALL_HDR_PATH=~/build/kern_h/<br />
</code><br />
You must know which processor chip your target device has, and set the optimisation options accordingly<br />
(see http://gcc.gnu.org/onlinedocs/gcc-4.4.3/gcc/ARM-Options.html#ARM-Options).<br />
For example, the Motorola Milestone has a TI OMAP3430, an ARM Cortex-A8 (armv7-a architecture)<br />
(http://en.wikipedia.org/wiki/ARM_architecture),<br />
so you need to use the configs with the -omap3430 suffix.<br />
If you have an HTC Hero you need the configs with the -msm7200a suffix.<br />
<br />
{{:tools:my.tar.bz2|}}<br />
<br />
Also, I recommend using the kernel-...configs instead of the XVilka-...configs when creating a toolchain for kernel building and hacking.<br />
<br />
Set the environment variable for the build options:<br />
<code><br />
# if you have a Milestone/Droid or another device with a TI OMAP3430:<br />
export _XXCFLAGS=" -march=armv7-a -mtune=cortex-a8 -mfpu=neon"<br />
# if you have an HTC Hero or another device with a Qualcomm MSM 7200A:<br />
export _XXCFLAGS=" -march=armv6j -mtune=arm1136jf-s"<br />
</code><br />
2. Download crosstool-ng (http://ymorin.is-a-geek.org/dokuwiki/projects/crosstool),<br />
unpack it and build it (you need: make, install, bash, cut, sed, grep, gcc, awk, bison, flex, automake, libtool, stat,<br />
wget, cvs, patch, tar, gzip, bzip2, lzma, readlink, ncurses, mpfr-dev, gmp-dev):<br />
<code><br />
./configure<br />
make<br />
make install<br />
</code><br />
3. Create the directory toolchain-android, cd into it and copy the files:<br />
XVilka-crosstool-<suffix>.config to .config<br />
XVilka-uClibc-<suffix>.config to uClibc-0.9.30.2.config<br />
and then run:<br />
<code><br />
ct-ng menuconfig<br />
</code><br />
Change anything you need and save to .config,<br />
then execute:<br />
<code><br />
ct-ng build<br />
</code><br />
4. Done! The toolchain is in build/x-tools.<br />
All tools have this triplet: arm-android-linux-uclibcgnueabi-*<br />
Just add them to PATH:<br />
<code><br />
export PATH=$HOME/build/x-tools/arm-android-linux-uclibcgnueabi/bin:$PATH<br />
export CROSS_COMPILE=arm-android-linux-uclibcgnueabi-<br />
export KERNEL_CROSS_COMPILE=arm-android-linux-uclibcgnueabi-<br />
</code><br />
So we can run:<br />
<code><br />
arm-android-linux-uclibcgnueabi-gcc<br />
</code><br />
We also have the system root directory in:<br />
~/build/x-tools/arm-android-linux-uclibcgnueabi/arm-android-linux-uclibcgnueabi/sys-root<br />
For some reason we simply copy it to ~/build/cross/sys-root and make it writable:<br />
<code><br />
chmod +w sys-root<br />
chmod +w sys-root/usr<br />
chmod +w sys-root/usr/lib<br />
</code><br />
5. Build and install libbfd with support for all targets:<br />
<code><br />
cvs -z9 -d :pserver:anoncvs@sourceware.org:/cvs/src login<br />
# enter "anoncvs" as the password<br />
cvs -z9 -d :pserver:anoncvs@sourceware.org:/cvs/src co binutils<br />
cd binutils/bfd<br />
./configure --enable-targets=arm-android-linux-uclibcgnueabi --prefix=$HOME/build/cross<br />
make<br />
make install<br />
</code><br />
We also need zlib and zlib-devel, and the liberty library.<br />
<br />
6. Build ksplice patched with ksplice.patch:<br />
<code><br />
git clone http://www.ksplice.com/git/ksplice.git<br />
cd ksplice<br />
patch -p0 < ksplice.patch<br />
./configure --with-libbfd=$HOME/build/cross/lib/libbfd.a --with-bfd-include-dir=$HOME/build/cross/include<br />
make<br />
sudo make install<br />
</code><br />
7. Build the kernel:<br />
<code><br />
make mapphone_defconfig<br />
make -f kernel/kernel.mk<br />
# copy System.map and .config into the directory kernel/ksplice<br />
cp System.map .config kernel/ksplice/<br />
ksplice-create --diffext=.patched_ext kernel<br />
</code><br />
<br />
=====Building and using tiny toolchain=====<br />
For compiling some small hacking utility or kernel module you don't need<br />
the whole gcc toolkit (more than 60 MB) and the whole libc.<br />
So we need something small and tiny: the Tiny C Compiler (tcc) and dietlibc.<br />
You can download and unpack it, copy the bin files to /usr/local/bin, the lib files to /usr/local/lib,<br />
and tiny-root to $HOME/build. Download link: {{:tools:tiny-tool.tar.gz|}}<br />
If you want to know how I built it, read below:<br />
<br />
For this example we choose $HOME/build as the working directory.<br />
Download the latest release of the Tiny C Compiler (http://tinycc.org/) from git:<br />
<code><br />
git clone git://repo.or.cz/tinycc.git $HOME/build/tinycc<br />
</code><br />
Download the latest release of dietlibc (http://www.fefe.de/dietlibc/) from cvs (the module name is dietlibc; cvs checks it out into the current directory):<br />
<code><br />
cd $HOME/build<br />
cvs -d :pserver:cvs@cvs.fefe.de:/cvs -z9 co dietlibc<br />
</code><br />
After this we need to build tcc:<br />
<code><br />
cd $HOME/build/tinycc<br />
./configure --enable-cross --prefix=$HOME/build/tiny-toolchain<br />
make<br />
make install<br />
</code><br />
So we have these tools in $HOME/build/tiny-toolchain/bin:<br />
<code><br />
arm-eabi-tcc<br />
arm-fpa-ld-tcc<br />
arm-fpa-tcc<br />
arm-vfp-tcc<br />
c67-tcc<br />
i386-win32-tcc<br />
tcc<br />
x86_64-tcc<br />
x86_64-win32-tcc<br />
</code><br />
Add them to the environment variable PATH for easy execution:<br />
<code><br />
export PATH=$HOME/build/tiny-toolchain/bin:$PATH<br />
</code><br />
But we also need a C library. So make the "target root" directory:<br />
<code><br />
mkdir $HOME/build/tiny-root<br />
</code><br />
Building dietlibc:<br />
<code><br />
cd $HOME/build/dietlibc<br />
make prefix=$HOME/build/tiny-root<br />
make prefix=$HOME/build/tiny-root ARCH=arm CROSS=arm-android-linux-uclibcgnueabi-<br />
make install-headers prefix=$HOME/build/tiny-root ARCH=arm CROSS=arm-android-linux-uclibcgnueabi-<br />
make install-bin prefix=$HOME/build/tiny-root ARCH=arm CROSS=arm-android-linux-uclibcgnueabi-<br />
</code><br />
Prepare "target root" directory:<br />
<code><br />
ln -s $HOME/build/tiny-root/lib-arm $HOME/build/tiny-root/lib<br />
cp $HOME/build/tiny-toolchain/include/* $HOME/build/tiny-root/include/<br />
cp $HOME/build/tiny-toolchain/lib/* $HOME/build/tiny-root/lib/<br />
</code><br />
Also, for kernel development we need the kernel headers:<br />
<code><br />
cd /path/to/your/kernel/sources<br />
make headers_install ARCH=arm INSTALL_HDR_PATH=$HOME/build/tiny-root/include<br />
</code><br />
So we have all the needed libraries and headers in $HOME/build/tiny-root.<br />
You can use tcc to compile your small utilities, for example with this command:<br />
<code><br />
arm-eabi-tcc -nostdinc -nostdlib -I$HOME/build/tiny-root/include -L$HOME/build/tiny-root/lib -o example example.c<br />
</code><br />
Enjoy!</div>Wikiadminhttp://www.droid-developers.org/wiki/Building_with_AOSPBuilding with AOSP2010-08-09T10:10:03Z<p>Wikiadmin: </p>
<hr />
<div>====== Building with Android Build System ======<br />
<br />
Skip to the [[tools:building_with_aosp#quick_start|Quick Start]] section if you just want to build.<br />
<br />
===== Background =====<br />
<br />
Android has invented its own build system on top of make, which is intended to make building easier for a target with a different CPU architecture, with flexible configuration settings defined either in environment variables or in the config file for the different build types.<br />
<br />
However, people lacking a large hard disk, a fast network or a fast enough machine may suffer from this not-so-common build system that we have to get used to.<br />
<br />
The default guideline for building a single program, say the adb tool or dalvikvm inside AOSP, is to repo sync the whole repository and perform a full build. Although this may be the fastest and simplest way, some people just can't meet the storage space requirement, while others may consider it a total waste of storage space and bandwidth.<br />
<br />
After struggling with the error messages day after day, the mysteries are resolved. Building with the Android Build System can be fun once the shortest known path is understood!<br />
<br />
===== Official material =====<br />
<br />
Visit the official site for a brief overview of the [http://source.android.com/porting/build_system.html Android Build System] first.<br />
<br />
===== Quick Start =====<br />
<br />
Assume you have done the setup and fetched the code. The following are the important points to note:<br />
* Use repo init to create the Makefile inside the root of the AOSP directory. Or use this file instead:<br />
<pre><br />
### DO NOT EDIT THIS FILE ###<br />
include build/core/main.mk<br />
### DO NOT EDIT THIS FILE ###<br />
</pre> <br />
Without this, the m, mm and mmm bash functions won't work even if you have executed '. build/envsetup.sh'. (The dot in bash is equivalent to the 'source' command.)<br />
* Downloading the snapshot of the prebuilt toolchain arm-eabi-4.4.0 (or latest) from the AOSP git is small enough to build with (for Linux x86, which I've tried).<br />
* When you see the looped dependency between libhost and acp, try building the projects together: 'mmm build/libs/host build/tools/acp'. (This is the first problem you will get stuck at: a warning about no acp when building libhost, while acp depends on libhost and vice versa!)<br />
* When you see no target to build crtbegin_dynamic.o, try the same trick: 'mmm bionic/libc dalvik'.<br />
* When you see no target to build xyz that is not one of the cases above, it's time to fetch and make along the dependency chain.<br />
<br />
That's all! For sure there should be a static 'dependency list' for a given project, but I have not managed to create it yet. Good luck!<br />
<br />
===== Other resources =====<br />
<br />
* [http://android-tricks.blogspot.com/2009/02/hello-world-c-program-on-using-android.html Hello World C program using Android Toolchain]. It uses agcc (a toolchain wrapper written in Perl, probably the one that [mbm] has used too!)</div>Wikiadminhttp://www.droid-developers.org/wiki/MbmloaderMbmloader2010-08-09T10:08:24Z<p>Wikiadmin: </p>
<hr />
<div>===== MBM loader =====<br />
<br />
<br />
==== What is mbmloader ====<br />
<br />
Strictly speaking, mbmloader((There's a (c) 2006 Motorola notice in it, since it reuses code from the older versions of mbmloader used in previous Motorola phones. This works to our advantage because some of those earlier versions have been reverse engineered in the past by yakk in his MotoMagX hack.)) is one of the first components in the [[boot:boot_chain|boot chain]]. It verifies and then loads the mbm component. It checks mbmbackup for newer versions of mbm, so that mbm cannot be downgraded((this can be easily bypassed once running as root, since both mbm and mbmbackup could be downgraded at the same time)).<br />
<br />
More generally speaking, we sometimes say "mbmloader" to refer to the whole bootstrap system, which is composed of the [[CH|CH table]], the [[ISW|Initial Software image]], and mbmloader itself (inside the ISW image). For example, the mtd-hack module by janneg allows us to dump mtd00, which includes all of these, and we usually call this the "mbmloader dump" or "mbmloader CG".<br />
<br />
==== mbmloader protections ====<br />
<br />
It seems mbmloader has public certificates in it (see the [[ISW|ISW section]]). These certificates don't seem to be in any recognizable format, but they conform to [[tools:csst|CSST]]'s HS signed image format, so we can assume mbmloader is signed. We also know that both the Milestone and the Droid run in HS mode, which requires this format.<br />
<br />
Given CSST's use of openssl, the openssl commands used to generate the certificates might be intercepted. Moreover, analyzing the csstcli (command line tool) and its parameters may reveal what the certificates sign and how.<br />
<br />
==== mbm ====<br />
=== What is mbm? ===<br />
<br />
mbm is the Motorola Boot Manager((http://wiki.openezx.org/Z6_Security)). According to the [[boot:boot_chain|boot chain]], mbmloader passes control to mbm after the signature embedded in mbm is verified.<br />
<br />
== How does mbmloader verify mbm? ==<br />
<br />
== Introduction ==<br />
<br />
yakk has contributed his effort to map many high-level function names in the mbmloader image. This allows easier inspection of how the verification of mbm is performed. He may already have reviewed the related portion of the code for potential vulnerabilities; documenting the findings so that others can continue from them could be one way to make progress.<br />
<br />
== Work flow ==<br />
<br />
mbm is read into address 0x8f310000.<br />
<br />
Search for the end-of-signature mark (the data length suggests a SHA-1 sum):<br />
<pre><br />
6B D3 98 E2 D6 F0 F8 CF FC D4 96 72 5E B3 A8 B3 6B F9 B1 16<br />
</pre><br />
<br />
<br />
=== Milestone mbmloader ===<br />
<br />
Currently only two versions of mbmloader are known for the Milestone:<br />
* one: {{:boot:mbmloader-1.raw.gz|mbmloader 5.a0 version}}<br />
* two: {{:boot:mbmloader-2.raw.gz|mbmloader }}<br />
<br />
===== Background =====<br />
<br />
Thanks to yakk, an IDA database (idb) of mbmloader with high-level function names is available. Further exploration is in progress to map more information from the kernel source and the technical reference manual.<br />
<br />
===== Kernel source =====<br />
<br />
drivers/misc/sec/sec_core.h:<br />
<pre><br />
#define REGISTER_ADDRESS_DIE_ID 0x4830A218<br />
#define REGISTER_ADDRESS_MSV 0x480023B4<br />
</pre><br />
<br />
Searching for b4 23 00 48 in mbmloader gives:<br />
<pre><br />
ROM:87004954 EF BE AD DE dword_87004954 DCD 0xDEADBEEF ; DATA XREF: get_fuse+4↑r<br />
ROM:87004954 ; sub_87004798+A↑r<br />
ROM:87004958 B4 23 00 48 MSV DCD 0x480023B4 ; DATA XREF: get_fuse:loc_87004786↑r<br />
ROM:8700495C 18 A2 30 48 DIE_ID DCD 0x4830A218 ; DATA XREF: sub_87004832+18↑r<br />
</pre><br />
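As an added example (not code from this wiki or its contributors), a small Python scanner that performs the two searches described in this section over a raw dump: it finds the 20-byte end-of-signature mark and the little-endian encodings of the known register addresses (the b4 23 00 48 search above) and prints them in the style of the IDA listing. The address table comes from this page; the sample image and the 0x87004000 load base are constructed for the demo.<br />

```python
"""Scan a raw mbmloader/mbm dump for the markers discussed on this page.

Two searches: the 20-byte end-of-signature mark, and little-endian 32-bit
constants (OMAP3430 register addresses, the SHA-1 round constant) that show
up in the image's literal pools.
"""
import struct
from typing import Dict, List, Tuple

# 20-byte mark that follows the signature in mbm (length of a SHA-1 digest).
SIG_END_MARK = bytes.fromhex("6BD398E2D6F0F8CFFCD496725EB3A8B36BF9B116")

# Constants taken from the kernel headers / spruf98 references on this page.
KNOWN_WORDS: Dict[int, str] = {
    0x480023B4: "MSV (CONTROL_MSV_0, Model Specific Value)",
    0x4830A218: "DIE_ID (16-byte die identifier)",
    0x480022F0: "CONTROL_STATUS (SYS_BOOT and DEVICETYPE)",
    0x48307250: "PRM_RSTCTRL (global software reset)",
    0x5A827999: "SHA-1 round constant K1",
}


def find_all(blob: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in blob (overlapping hits included)."""
    hits: List[int] = []
    start = 0
    while True:
        i = blob.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def find_sig_end(blob: bytes) -> List[int]:
    """Offsets of the end-of-signature mark; the signature data ends right before it."""
    return find_all(blob, SIG_END_MARK)


def find_known_words(blob: bytes, load_base: int = 0) -> List[Tuple[int, int, str]]:
    """Find KNOWN_WORDS stored little-endian at word-aligned offsets.

    ARM literal pools are word aligned, so unaligned matches are dropped as
    likely coincidences. Returns (file_offset, load_address, label).
    """
    hits: List[Tuple[int, int, str]] = []
    for value, label in KNOWN_WORDS.items():
        for off in find_all(blob, struct.pack("<I", value)):
            if off % 4 == 0:
                hits.append((off, load_base + off, label))
    return sorted(hits)


def report(blob: bytes, load_base: int) -> List[str]:
    """Human-readable lines in the style of the IDA listing above."""
    lines = [f"ROM:{load_base + off:08X}  signature end mark" for off in find_sig_end(blob)]
    for off, addr, label in find_known_words(blob, load_base):
        word = struct.unpack_from("<I", blob, off)[0]
        lines.append(f"ROM:{addr:08X}  DCD 0x{word:08X}  ; {label}")
    return lines


# Constructed sample, not a real dump: padding, a literal pool laid out like
# the IDA listing on this page (DEADBEEF, MSV, DIE_ID), more padding, the mark.
SAMPLE_LOAD_BASE = 0x87004000  # constructed so the pool lands at 0x87004954
SAMPLE_IMAGE = (
    b"\x00" * 0x954
    + struct.pack("<III", 0xDEADBEEF, 0x480023B4, 0x4830A218)
    + b"\x00" * 0x100
    + SIG_END_MARK
)

if __name__ == "__main__":
    for line in report(SAMPLE_IMAGE, SAMPLE_LOAD_BASE):
        print(line)
```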
<br />
arch/arm/plat-omap/include/mach/omap34xx.h:<br />
<pre><br />
#define L4_34XX_BASE 0x48000000<br />
#define L4_WK_34XX_BASE 0x48300000<br />
#define L4_PER_34XX_BASE 0x49000000<br />
#define L4_EMU_34XX_BASE 0x54000000<br />
#define L3_34XX_BASE 0x68000000<br />
#define OMAP3430_32KSYNCT_BASE 0x48320000<br />
#define OMAP3430_CM_BASE 0x48004800<br />
#define OMAP3430_PRM_BASE 0x48306800<br />
#define OMAP343X_SMS_BASE 0x6C000000<br />
#define OMAP343X_SDRC_BASE 0x6D000000<br />
#define OMAP34XX_GPMC_BASE 0x6E000000<br />
#define OMAP343X_SCM_BASE 0x48002000<br />
#define OMAP34XX_IC_BASE 0x48200000<br />
#define OMAP34XX_IVA_INTC_BASE 0x40000000<br />
#define OMAP34XX_SR1_BASE 0x480C9000<br />
#define OMAP34XX_SR2_BASE 0x480CB000<br />
#define OMAP34XX_DSP_BASE 0x58000000<br />
</pre><br />
===== Technical Reference Manual =====<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Abbreviation<br />
! Meaning<br />
! Reference<br />
|-<br />
| MSV <br />
| Model Specific Value <br />
| spruf98 p. 981, 6.6.4.47(System Control Module, Registers, GENERAL registers description), Table 6-496. CONTROL_MSV_0 <br />
|}<br />
<br />
4.14.1 CM Module Registers, Table 4-90. CM Instance Summary (spruf98 p.440)<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Module Name<br />
! Base Address (hex)<br />
! Size<br />
|-<br />
| IVA2_CM <br />
| 0x4800 4000 <br />
| 8192 bytes<br />
|-<br />
| OCP_System_Registers_CM <br />
| 0x4800 4800 <br />
| 8192 bytes<br />
|-<br />
| MPU_CM <br />
| 0x4800 4900 <br />
| 8192 bytes<br />
|-<br />
| CORE_CM <br />
| 0x4800 4A00 <br />
| 8192 bytes<br />
|-<br />
| SGX_CM <br />
| 0x4800 4B00 <br />
| 8192 bytes<br />
|-<br />
| WKUP_CM <br />
| 0x4800 4C00 <br />
| 8192 bytes<br />
|-<br />
| Clock_Control_Registers_CM <br />
| 0x4800 4D00 <br />
| 8192 bytes<br />
|-<br />
| DSS_CM <br />
| 0x4800 4E00 <br />
| 8192 bytes<br />
|-<br />
| CAM_CM <br />
| 0x4800 4F00 <br />
| 8192 bytes<br />
|-<br />
| PER_CM <br />
| 0x4800 5000 <br />
| 8192 bytes<br />
|-<br />
| EMU_CM <br />
| 0x4800 5100 <br />
| 8192 bytes<br />
|-<br />
| Global_Registers_CM <br />
| 0x4800 5200 <br />
| 8192 bytes<br />
|-<br />
| NEON_CM <br />
| 0x4800 5300 <br />
| 8192 bytes<br />
|-<br />
| USBHOST_CM <br />
| 0x4800 5400 <br />
| 8192 bytes<br />
|}<br />
<br />
6.6 System Control Module Registers Table 6-80. Instance Summary<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Name<br />
! Address<br />
! Instance length<br />
|-<br />
| INTERFACE<br />
| 0x4800 2000<br />
| 36 bytes<br />
|-<br />
| PADCONFS<br />
| 0x4800 2030<br />
| 564 bytes<br />
|-<br />
| GENERAL<br />
| 0x4800 2270<br />
| 767 bytes<br />
|-<br />
| MEM_WKUP<br />
| 0x4800 2600<br />
| 1K byte<br />
|-<br />
| PADCONFS_WKUP<br />
| 0x4800 2A00<br />
| 80 bytes<br />
|-<br />
| GENERAL_WKUP<br />
| 0x4800 2A60<br />
| 31 bytes<br />
|} <br />
<br />
<br />
18.8 McSPI Registers, Table 18-22. Instance Summary<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Module Name<br />
! Base Address<br />
! Size<br />
|-<br />
|MCSPI1<br />
|0x4809 8000<br />
|4Kbytes<br />
|-<br />
|MCSPI2<br />
|0x4809 A000<br />
|4Kbytes<br />
|-<br />
|MCSPI3<br />
|0x480B 8000<br />
|4Kbytes<br />
|-<br />
|MCSPI4<br />
|0x480B A000<br />
|4Kbytes<br />
|}<br />
<br />
===== Address extracted from mbmloader =====<br />
<br />
Prefixed by 0x4800:<br />
<pre><br />
0x48002000 Control Revision<br />
0x48002180 CONTROL_PADCONF_UART1_CTS - Configuration register for pads uart1_cts(clear to send), uart1_rx. ((spruf98 p. 870, 6.6.3.85 CONTROL_PADCONF_UART1_CTS))<br />
0x480021C8 CONTROL_PADCONF_MCSPI1_CLK - Configuration register for pads mcspi1_clk, mcspi1_simo<br />
0x480022F0 Control status - SYS_BOOT and DEVICETYPE<br />
0x480023B4 MSV - Model Specific Value, 4 bytes<br />
0x48004000 Clock manager, Module region A, 8KB ((spruf98 p.203, Table 2-3. L4-Core Memory Space Mapping))<br />
0x48004904 CM_CLKEN_PLL_MPU, This register allows controlling the DPLL1 modes. ((spruf98 p.454))<br />
0x48004A00 Table 4-143. CM_FCLKEN1_CORE, Controls the module functional clock activity.<br />
0x48004A10 Table 4-147. CM_ICLKEN1_CORE, Controls the modules interface clock activity.<br />
0x48004A20 Table 4-153. CM_IDLEST1_CORE, CORE modules access availability monitoring. This register is read only and automatically updated.<br />
0x48004B40 Table 4-177. CM_CLKSEL_SGX, SGX clock selection.<br />
0x48004C00 4.14.1.7.1 CM_FCLKEN_WKUP, Table 4-185. CM_FCLKEN_WKUP, Controls the modules functional clock activity.<br />
0x48004D00 Table 4-195. CM_CLKEN_PLL, This register allows controlling the DPLL3 and DPLL4 modes.<br />
0x48004E40 Table 4-227. CM_CLKSEL_DSS, Modules clock selection.<br />
0x48005000 Table 4-251. CM_FCLKEN_PER, Controls the modules functional clock activity. RW, WDTIMER can be enabled/disabled here.<br />
0x48005140 Table 4-267. CM_CLKSEL1_EMU, Modules clock selection.<br />
</pre><br />
<br />
Prefixed by 0x4830:<br />
<pre><br />
0x48306000 Table 4-297. PRM Instance Summary, IVA2_PRM<br />
0x48306D40 Table 4-387. PRM_CLKSEL, This register controls the selection of the system clock frequency. This register is reset on power-up only. RW<br />
0x48307000 Table 4-297. PRM Instance Summary, PER_PRM<br />
0x48307250 Table 4-456. PRM_RSTCTRL, Global software and DPLL3 reset control. This register is auto-cleared. Only write 1 is possible. A read returns 0 only. Perhaps it can be used to issue a software reset? ((4.5.9.2 Global Warm Reset Sequence))<br />
0x48307270 Table 4-466. PRM_CLKSRC_CTRL, This register provides control over the device source clock.<br />
0x4830A218 DIE ID, 16 bytes<br />
</pre><br />
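An added example (not from the wiki) of how a list like the ones in this section is produced: scan an image for aligned little-endian 32-bit words and label those that fall inside the register regions tabulated above, or that match well-known constants such as the SHA-1 round constants. The region table and the SDRAM CS0 range are taken from this page; the sample words are constructed, not an excerpt of mbmloader.<br />

```python
"""Label 32-bit words pulled out of an OMAP3 boot-loader image.

Added example, not from the wiki. The region table is built from the
instance-summary tables in this section plus the 512 MB SDRAM CS0 range;
the four SHA-1 round constants are the standard ones (FIPS 180-4), which is
why they show up in a loader that verifies certificate signatures.
"""
import struct

# (base, size in bytes, label), taken from the tables above.
REGIONS = [
    (0x48002000, 36,   "SCM INTERFACE"),
    (0x48002030, 564,  "SCM PADCONFS"),
    (0x48002270, 767,  "SCM GENERAL"),
    (0x48002600, 1024, "SCM MEM_WKUP"),
    (0x48002A00, 80,   "SCM PADCONFS_WKUP"),
    (0x48002A60, 31,   "SCM GENERAL_WKUP"),
    (0x48098000, 4096, "MCSPI1"),
    (0x4809A000, 4096, "MCSPI2"),
    (0x480B8000, 4096, "MCSPI3"),
    (0x480BA000, 4096, "MCSPI4"),
    (0x80000000, 512 * 1024 * 1024, "SDRAM CS0"),
]

# Well-known constants; matching these is how the "SHA1 c1..c4" notes arise.
KNOWN = {
    0x5A827999: "SHA1 K1",
    0x6ED9EBA1: "SHA1 K2",
    0x8F1BBCDC: "SHA1 K3",
    0xCA62C1D6: "SHA1 K4",
    0xDEADBEEF: "dummy marker",
}


def label_word(word):
    """Return a label for one 32-bit value, or None if nothing matches."""
    if word in KNOWN:
        return KNOWN[word]
    for base, size, name in REGIONS:
        if base <= word < base + size:
            return "%s +0x%x" % (name, word - base)
    return None


def scan_words(image, step=4):
    """Yield (offset, word) for every aligned little-endian dword in image."""
    for off in range(0, len(image) - 3, step):
        yield off, struct.unpack_from("<I", image, off)[0]


def classify_image(image):
    """Map each distinct labelled word to its label, sorted by value."""
    found = {}
    for _, word in scan_words(image):
        label = label_word(word)
        if label is not None:
            found[word] = label
    return dict(sorted(found.items()))


# Constructed sample: a few literal-pool words as a compiler would emit them.
SAMPLE = struct.pack("<6I", 0x480021C8, 0x5A827999, 0x8F310000,
                     0x480022F0, 0x12345678, 0x48098000)

if __name__ == "__main__":
    for word, label in classify_image(SAMPLE).items():
        print("0x%08X %s" % (word, label))
```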
<br />
Other 32-bit dword:<br />
<pre><br />
0x18000000<br />
0x1F000000<br />
0x20000000<br />
0x208D0024<br />
0x28000000<br />
0x3FCFF000<br />
0x40000000<br />
0x40208800 SRAM <br />
0x4020C800 SRAM<br />
0x43FFFE01<br />
0x4806A000 UART1 DLL_REG, 16.6 UART/IrDA/CIR Registers<br />
0x48098000 18.8 McSPI Registers, McSPI1(Multichannel Serial Port Interface)<br />
0x48314000 WDTIMER2, Table 15-66. WDT2 Register Summary<br />
0x48318000 GPTIMER1, 15.3 General-Purpose (GP) Timer Registers<br />
0x49020000 UART3 (infrared), 2.3.2.3 L4-Peripheral Memory Space Mapping, Table 2-5. L4-Peripheral Memory Space Mapping<br />
0x5004800C <br />
0x5005C008<br />
0x5A827999 SHA1 c1<br />
0x6E000000 Table 10-27. Instance Summary, GPMC.<br />
0x6E00007C 10.1.7.2.17 GPMC_NAND_COMMAND_i, This register is not a true register, just an address location.<br />
0x6E000084 10.1.7.2.19 GPMC_NAND_DATA_i, This register is not a true register, just an address location.<br />
0x6E0000A8 10.1.7.2.16 GPMC_CONFIG7_i, i = 1<br />
0x6E0001F4 10.1.7.2.24 GPMC_ECC_CONFIG, ECC configuration, RW, able to control hardware ECC.<br />
0x6E0001F8 10.1.7.2.25 GPMC_ECC_CONTROL, ECC control, RW, able to control hardware ECC.<br />
0x6ED9EBA1 SHA1 c2<br />
0x76543210<br />
0x78020000<br />
0x7FFFFED3<br />
0x80000000 <br />
0x80080000<br />
0x81000000<br />
0x81001000<br />
0x81001080<br />
0x81001484<br />
0x81001888<br />
0x81001908<br />
0x8100192C<br />
0x81001D2C<br />
0x8100212C<br />
0x810021AC<br />
0x8100222C<br />
0x8100322C<br />
0x8100422C<br />
0x8100522C<br />
0x8100562C<br />
0x8100762C<br />
0x81007A14<br />
0x81007A54<br />
0x81007C54<br />
0x81007C64<br />
0x81007CE4<br />
0x81007DE4<br />
0x81007DF4<br />
0x81007E04<br />
0x8100AE40<br />
0x85030004<br />
0x860527A0<br />
0x87000998<br />
0x87009792<br />
0x87009A08<br />
0x87009BDC<br />
0x87009E52<br />
0x87009E5C<br />
0x87009FA6<br />
0x8700AA96<br />
0x8700B614<br />
0x8700B634<br />
0x8700B664<br />
0x8700B684<br />
0x87014D4C<br />
0x89ABCDEF<br />
0x8F1BBCDC SHA1 c3<br />
0x8F310000 mbm load address<br />
0x8F311000 mbm offset 0x1000<br />
0x8FFFFFFF<br />
0x90000000<br />
0xB17219E9 special value in mbm<br />
0xCA62C1D6 SHA1 c4<br />
0xDEADBEEF dummy value mark dead beef<br />
0xF0E1D2C3<br />
0xFC000000<br />
0xFEDCBA98<br />
0xFF000000<br />
0xFFF800FF<br />
0xFFFDD000<br />
0xFFFFDFE1<br />
0xFFFFF7FF<br />
0xFFFFFC01<br />
0xFFFFFFFD<br />
0xFFFFFFFF<br />
</pre></div>Wikiadminhttp://www.droid-developers.org/wiki/ISWISW2010-08-09T10:04:46Z<p>Wikiadmin: </p>
<hr />
<div>==== Initial Software image ====<br />
<br />
Since the NAND flash cannot be used to XIP (eXecute In Place), and since there must be public-key certificates inside the ISW block, there's a header on the ISW (Initial SoftWare) block. This header is not publicly documented (i.e., not in the TRM) for HS devices like the Milestone and the Droid. User droid001 has compared the Droid dump, the Milestone dump and the example CSST HS image, proposing an ISW structure like this one:<br />
<br />
<pre><br />
ISW Block:<br />
<br />
+-----------------+ 0x0200+0x0000<br />
/------| X-LOADER header |<br />
| +-----------------+<br />
|<br />
| +-----------------+ 0x0200+0x0020<br />
| /--| KEYS header |<br />
| | +-----------------+<br />
| |<br />
| | +-----------------+ 0x0200+0x0040<br />
| /-|--| PRIMAPP header |<br />
| | | +-----------------+<br />
| | |<br />
| | | +----------+ 0x0200+0x0200<br />
| | \->| CertPK |<br />
| | +----------+ 0x0200+0x0200+(0x0960-0x0001)<br />
| |<br />
| |<br />
| | +----------+ 0x0200+0x0c00<br />
| \--->| CertPPA |<br />
| +----------+ 0x0200+0x0c00+(0x1650-0x0001)<br />
|<br />
|<br />
| +---------------------------------------------------------------+<br />
| | +----------+ 0x0200+0x2400 X-LOADER |<br />
| | /-->| CertISW | |<br />
| | | +----------+ 0x0200+0x2400+(0x0350-1) |<br />
\-|---* |<br />
| | +-----------------+ 0x0200+0x2400+0x0350 |<br />
| \-->| ISW Code & Data | |<br />
| +-----------------+ 0x0200+0x2400+(0xbe8c-0x0001) |<br />
+---------------------------------------------------------------+<br />
</pre><br />
<br />
<br />
'''ISW Block'''<br />
<br />
'''ISW Block Headers'''<br />
<br />
'''X-LOADER Header'''<br />
<pre><br />
0200: 00 24 00 00 8c be 00 00 00 00 00 00 00 00 00 00<br />
0210: 00 00 00 87 58 2d 4c 4f 41 44 45 52 00 00 00 00<br />
</pre><br />
{| border="1" cellpadding="0" cellspacing="0" <br />
! Offset (mbmloader img)<br />
! Value<br />
! Meaning<br />
! Comment<br />
|-<br />
|0x0200<br />
|0x00002400<br />
| ISW offset((ISW offsets are relative to the start of the ISW block (0x200).)) to X-LOADER <br />
| <br />
|-<br />
|0x0204<br />
|0x0000BE8C<br />
| X-LOADER block length <br />
| This is the number of bytes to load into RAM, since the whole X-LOADER block is copied.<br />
This value differs on the Droid (it's 0x0000862C).<br />
|-<br />
|0x0208<br />
|0x00000000 0x00000000<br />
| <br />
| <br />
|-<br />
|0x0210<br />
|0x87000000<br />
| RAM load address. This is the RAM location where the X-LOADER block is copied into RAM. <br />
|The RAM execution starts at (this value+ 0x350), which is the ISW Entry Point, because CertISW's length is fixed (0x350).<br />
|-<br />
|0x0214<br />
|'X-LOADER'<br />
| Id <br />
| <br />
|}<br />
<br />
'''KEYS header'''<br />
<pre><br />
0220: 00 02 00 00 60 09 00 00 00 00 00 00 00 00 00 00<br />
0230: 00 00 00 00 4b 45 59 53 00 00 00 00 00 00 00 00<br />
</pre><br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Offset (mbmloader img)<br />
! Value<br />
! Meaning<br />
! Comment<br />
|-<br />
|0x0220<br />
|0x00000200<br />
| ISW offset to CertPK <br />
| <br />
|-<br />
|0x0224<br />
|0x00000960<br />
| Length of CertPK<br />
| <br />
|-<br />
|0x0228<br />
|0x00000000 0x00000000<br />
| <br />
| <br />
|-<br />
|0x0230<br />
|0x00000000<br />
| <br />
| <br />
|-<br />
|0x0234<br />
|'KEYS'<br />
| Id <br />
|Public Keys (plural?)<br />
|}<br />
<br />
'''PRIMAPP header'''<br />
<pre><br />
0240: 00 0c 00 00 50 16 00 00 00 00 00 00 00 00 00 00<br />
0250: 00 00 00 00 50 52 49 4d 41 50 50 00 00 00 00 00<br />
</pre><br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Offset (mbmloader img)<br />
! Value<br />
! Meaning<br />
! Comment<br />
|-<br />
|0x0240<br />
|0x00000C00<br />
| ISW offset to CertPPA <br />
| <br />
|-<br />
|0x0244<br />
|0x00001650<br />
| Length of CertPPA<br />
| This value differs on the Droid (0x00001604).<br />
|-<br />
|0x0248<br />
|0x00000000 0x00000000<br />
| <br />
| <br />
|-<br />
|0x0250<br />
|0x00000000<br />
| <br />
| <br />
|-<br />
|0x0254<br />
|'PRIMAPP'<br />
| Id <br />
| Primary Application<br />
|}<br />
<br />
'''ISW Block Headers closing mark'''<br />
<pre><br />
0260: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff<br />
0270: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff<br />
</pre><br />
'''Empty space'''<br />
<pre><br />
0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
...<br />
03f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
</pre><br />
'''KEYS block'''<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Offset (mbmloader img)<br />
! Value<br />
! Meaning<br />
! Comment<br />
|-<br />
|0x0400<br />
| 'CertPK_' <br />
| Public Key Certificate((CSST_UserManual 2.5 p.77 4.2.5)) <br />
| Ends at 0x0200+0x0200+(0x0960-0x0001) = 0x0d5f<br />
|}<br />
<br />
'''Empty space'''<br />
<pre><br />
0d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
...<br />
0df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
</pre><br />
<br />
'''PRIMAPP block'''<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Offset (mbmloader img)<br />
! Value<br />
! Meaning<br />
! Comment<br />
|-<br />
|0x0e00<br />
| 'CertPPA' <br />
| Primary Protected Application Certificate((CSST_UserManual 2.5 p.4 0.3)) <br />
|Ends at 0x0200+0x0c00+(0x1650-0x0001) = 0x244f<br />
|}<br />
<br />
'''Empty space'''<br />
<pre><br />
2450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
...<br />
25f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
</pre><br />
'''X-LOADER block'''<br />
<br />
This '''storage area''' contains the signed ISW. We have named it "X-LOADER" for naming consistency, and to avoid having too many data blocks called "ISW". It is not to be confused with the [http://www.sakoman.net/cgi-bin/gitweb.cgi?p=x-load-omap3.git;a=summary X-Loader or X-Load program], which is a '''program''' used on TI OMAP development boards, not on the Motorola Milestone/Droid. In fact, Motorola itself (or a patch it picked up from TI) labeled the whole 0x00000-0x7ffff NAND area "X-Loader-NAND" in this [http://pastebin.com/f1f80e2d6 code added by Motorola to the Linux kernel]. And TI's eFuse patent mentions that the "X-LOADER" string is required for the system to boot in HS mode.<br />
<br />
'''CertISW'''<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Offset (mbmloader img)<br />
! Value<br />
! Meaning<br />
! Comment<br />
|-<br />
|0x2600<br />
| 'CertISW' <br />
| Initial Software Certificate((CSST_UserManual 2.5 p.77 4.2.5)) <br />
| Fixed length 0x350 Bytes<br />
|}<br />
<br />
'''ISW Code & Data'''<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Offset (mbmloader img)<br />
! Value<br />
! Meaning<br />
! Comment<br />
|-<br />
|0x2950<br />
| 0f 10 a0 e1 <br />
| See disassembly below. <br />
|ISW Entry point<br />
|-<br />
|0x2954<br />
| lots of code and data here <br />
| This contains the Motorola mbmloader code (anything else?).<br />
|Ends at 0x0200+0x2400+(0xbe8c-0x0001)<br />
|}<br />
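The header layout reconstructed in the tables above, as an added example that is not part of the wiki page: a parser that reads the 32-byte ISW headers from a hex dump, stops at the 0xff closing mark, computes the absolute image ranges of each block, derives the entry point from the load address plus the fixed CertISW length, and applies the sanity checks one would want before trusting a dump. The field layout (offset, length, 8 reserved bytes, load address, 12-byte id) is an assumption inferred from the dumps on this page; the input is the header dump shown above.<br />

```python
"""Parse the ISW block headers of a Motorola mbmloader image dump.

Added example, not code from the wiki. It assumes the 32-byte header layout
inferred above: u32 ISW offset, u32 length, 8 reserved bytes, u32 RAM load
address, 12-byte NUL-padded id; the header list ends at the 0xff closing mark.
"""
import struct

ISW_BASE = 0x200        # the ISW block starts at image offset 0x200
HEADER_SIZE = 0x20      # one header entry is 32 bytes
CERT_ISW_LEN = 0x350    # CertISW has a fixed length; the code follows it

# Constructed input: the three header dumps and the closing mark shown above
# (image offsets 0x200-0x27f), copied as hex dump text.
HEADER_DUMP = """
0200: 00 24 00 00 8c be 00 00 00 00 00 00 00 00 00 00
0210: 00 00 00 87 58 2d 4c 4f 41 44 45 52 00 00 00 00
0220: 00 02 00 00 60 09 00 00 00 00 00 00 00 00 00 00
0230: 00 00 00 00 4b 45 59 53 00 00 00 00 00 00 00 00
0240: 00 0c 00 00 50 16 00 00 00 00 00 00 00 00 00 00
0250: 00 00 00 00 50 52 49 4d 41 50 50 00 00 00 00 00
0260: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0270: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""


def parse_hexdump(text):
    """Turn 'OFFS: b0 b1 ...' lines into (start_offset, bytes)."""
    data = bytearray()
    start = None
    for line in text.strip().splitlines():
        offs, _, hexbytes = line.partition(":")
        offs = int(offs, 16)
        if start is None:
            start = offs
        # Refuse dumps with gaps: each line must continue the previous one.
        if offs != start + len(data):
            raise ValueError("non-contiguous dump at 0x%x" % offs)
        data += bytes.fromhex(hexbytes.replace(" ", ""))
    return start, bytes(data)


def parse_isw_headers(image, image_base=0):
    """Return the header entries found in image, whose first byte sits at
    image offset image_base (0 for a complete mbmloader dump)."""
    headers = []
    pos = ISW_BASE - image_base
    while pos + HEADER_SIZE <= len(image):
        raw = image[pos:pos + HEADER_SIZE]
        if raw == b"\xff" * HEADER_SIZE:   # closing mark ends the list
            break
        offset, length, reserved, load_addr, ident = struct.unpack("<II8sI12s", raw)
        if reserved != bytes(8):
            raise ValueError("reserved bytes not zero at 0x%x" % (pos + image_base))
        start = ISW_BASE + offset          # ISW offsets are relative to 0x200
        headers.append({
            "id": ident.rstrip(b"\0").decode("ascii"),
            "start": start,
            "end": start + length - 1,     # inclusive, as in the tables above
            "length": length,
            "load_addr": load_addr,
        })
        pos += HEADER_SIZE
    else:
        raise ValueError("no 0xff closing mark found")
    return headers


def headers_from_dump(text):
    """Convenience wrapper: hex dump text -> parsed header entries."""
    base, blob = parse_hexdump(text)
    return parse_isw_headers(blob, image_base=base)


def entry_point(headers):
    """(RAM entry point, image offset of the entry point) for X-LOADER."""
    xl = next(h for h in headers if h["id"] == "X-LOADER")
    return xl["load_addr"] + CERT_ISW_LEN, xl["start"] + CERT_ISW_LEN


def check_layout(headers):
    """Sanity checks for a dump: blocks must not overlap, and only the
    X-LOADER block is expected to carry a RAM load address."""
    problems = []
    ordered = sorted(headers, key=lambda h: h["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["end"] >= b["start"]:
            problems.append("%s overlaps %s" % (a["id"], b["id"]))
    for h in headers:
        if h["id"] != "X-LOADER" and h["load_addr"] != 0:
            problems.append("%s has an unexpected load address" % h["id"])
    return problems


if __name__ == "__main__":
    hdrs = headers_from_dump(HEADER_DUMP)
    for h in hdrs:
        print("%-8s image 0x%04x-0x%04x len 0x%x load 0x%08x"
              % (h["id"], h["start"], h["end"], h["length"], h["load_addr"]))
    ram, off = entry_point(hdrs)
    print("entry point 0x%08x at image offset 0x%04x" % (ram, off))
    print("layout problems:", check_layout(hdrs) or "none")
```

On the dump above this reproduces the end offsets 0x0d5f and 0x244f from the tables and the entry point 0x87000350 at image offset 0x2950.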
<br />
Here is a disassembly of the Entry Point:<br />
<br />
<pre><br />
/*<br />
Starting to disassemble from this point yields a meaningful control flow. This is the<br />
initial portion of the whole ca. 48 kB (34 kB for the Droid) image loaded into RAM<br />
(SDRAM Q2 ChipSelect-0, 512 MB, starts at 0x8000 0000 [see TRM]).<br />
<br />
It checks whether the PC is 0x87000350, which matches the<br />
"Load Address" + "Initial SW Entry Point" recorded in CSST: 0x87000000 + 0x0350.<br />
<br />
When the ISW entry point is changed in CSST, its value is added to a base<br />
value of 0x350 stored at 0x27B4 of the .img file.<br />
<br />
So in a nutshell, the first 0x0350 bytes in RAM are most likely a copy of the CertISW.<br />
*/<br />
<br />
ROM:00000000 0F 10 A0 E1 MOV R1, PC ; Subtract 8 for the address of THIS<br />
ROM:00000004 08 10 41 E2 SUB R1, R1, #8 ; due to pipelining.<br />
ROM:00000008 C0 20 9F E5 LDR R2, =0x87000350<br />
ROM:0000000C 02 00 51 E1 CMP R1, R2 ; Checks whether it is running at the correct RAM location.<br />
ROM:00000010 1B 00 00 1A BNE loc_84 ; If it's not, branches into a dead loop.<br />
:<br />
:<br />
ROM:00000084 loc_84 ; CODE XREF: ROM:00000010<br />
ROM:00000084 ; ROM:loc_84<br />
ROM:00000084 FE FF FF EA B loc_84 ; This is a Dead Loop.<br />
</pre><br />
<br />
A nice disassembly of mbmloader has been provided by Yakk {{:partitions:mtd_00_mbmloader.idb.zip|IDA DB of mbmloader}}. He used IDA version 5.5.<br />
<br />
[http://pastebin.com/f1a32bf1c Here] is an older, barely readable [[tools:disassembling|decompilation]] of mbmloader by maui.<br />
<br />
<br />
'''ISW Block End'''</div>Wikiadminhttp://www.droid-developers.org/wiki/USB_driversUSB drivers2010-08-09T09:40:12Z<p>Wikiadmin: </p>
<hr />
<div>== Motorola USB drivers ==<br />
<br />
Required for flashing the Milestone with [[RSD_Lite|RSD Lite]]: [http://direct.motorola.com/hellomoto/Common/Drivers%20and%20Plug%20ins/USB_Drivers_32_bit_4.2.0.zip 32-bit driver] and [http://direct.motorola.com/hellomoto/Common/Drivers%20and%20Plug%20ins/USB_Drivers_64_bit_4.2.0.zip 64-bit driver].<br />
<br />
Motorola's links to current driver versions are [http://www.motorola.com/consumers/v/index.jsp?vgnextoid=ceb1cc6e48970210VgnVCM1000008406b00aRCRD here].</div>Wikiadminhttp://www.droid-developers.org/wiki/CHCH2010-08-09T09:38:19Z<p>Wikiadmin: </p>
<hr />
<div>====== CH table ======<br />
<br />
===== What is it? =====<br />
Up to the first 512 bytes of the flash memory on OMAP34xx systems can be occupied by the Configuration Header, as described in section 26.4.8.2 in the OMAP34xx TRM. This table is loaded by the OMAP boot ROM in order to set various options before delivering control to the bootstrap code (X-Loader, included in the Initial Software image located at NAND position 0x00000208).<br />
<br />
===== Is it protected? =====<br />
<br />
* Cryptographic protections<br />
** The CH table can be included in the signed bootstrap image. Starting from version 2.4 (released on 21/Jul/2008)((csst_sdp3430_releasenotes_v2_4.pdf, p.10, 3.1.1 Diagnostics module (platform dependent fixes), Table 3, Defect ID: OMAPS00159940, Description: Support for the Configuration Header (CH) within this signed image)), TI's tool CSST can include the CH table inside the signed code. Whether the Milestone's and the Droid's signed images include their respective CH tables is unknown. Some have argued that it may not be signed, but the fact that the tools to do it were available to Motorola, and the fact that they would have had to explicitly exclude the CH table from the image when they signed each link in the [[boot_chain|boot chain]], are not encouraging.<br />
** However, the release note's statement, "Support for the Configuration Header (CH) within this signed image", admits another interpretation. Since it appears inside the "Diagnostics module" section, the word "support" can be read as the diagnostics being able to continue without being interrupted by a CH, which earlier versions did not expect. In fact, practical use of CSST 2.5 has shown no evidence that the CH is part of the ISW covered by CertISW: an experiment that signed an image with altered CH options produced a binary diff showing differences only in the CH.<br />
<br />
<br />
===== How does it differ between Droid and Milestone? =====<br />
Inspection of the Milestone's "mbmloader dump", which spans this flash area, shows that it does contain a CH table, and that it differs from the Droid's (thanks to droid001 for noticing and for proposing the packed-fields format)((we have compared European and Latin American Milestone mbmloader dumps, and they are identical.)). <br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Position<br />
! Droid CH<br />
! Milestone CH<br />
! Meaning<br />
|-<br />
|0x125<br />
|0xb9<br />
|0xae<br />
|This sets the refresh countdown timer in the memory controller to 0x04b9 (Droid) or 0x04ae (Milestone). Thus the Milestone's memory is refreshed about 0.9% more often than the Droid's, at least at boot time (this might be changed later by the kernel, according to [http://patchwork.kernel.org/patch/51927/ this patch]). Whether the Milestone's hardware supports running at the Droid's lower refresh rate is unknown.<br />
|-<br />
|0x1a3<br />
|0x02<br />
|0x00<br />
|This value lies outside any CH ITEM, in a padding area. Whether it has a purpose or not is unknown.<br />
|}<br />
<br />
In order to boot a Droid image on a Milestone (see [[custom_recovery:mbmloader_replacement_attack|mbmloader replacement attack]]) one might want to keep the Milestone CH. The cryptographic protection mentioned above may also prevent merging the Milestone CH with the Droid bootstrap code.<br />
<br />
===== The CH table parsed =====<br />
<br />
Parsing the CH table was not trivial. Reading the raw NAND as the usual fixed little-endian 32-bit words gave surprising results (a CH present but inactive, "must be 0" fields that weren't, etc.). Although it is not fully understood why it would be used, the following packed-fields mapping yields more plausible results:<br />
<br />
* 1-byte field: 0x12 as quoted in the TRM is stored as the byte 12 at the next storage position<br />
* 2-byte field: 0x1234 as quoted in the TRM is stored as the bytes 34 12 at the next two storage positions<br />
* 4-byte field: 0x12345678 as quoted in the TRM is stored as the bytes 78 56 34 12 at the next four storage positions<br />
<br />
The resulting CH looks like the following:<br />
<br />
'''CH TOC'''<br />
<br />
'''CH ITEM 1'''<br />
<pre><br />
0000: a0 00 00 00 50 00 00 00 00 00 00 00 00 00 00 00<br />
0010: 00 00 00 00 43 48 53 45 54 54 49 4e 47 53 00 00<br />
</pre><br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Field name<br />
! Value<br />
! Meaning<br />
|-<br />
|Start<br />
|0x000000a0<br />
|Points to start of Item 1<br />
|-<br />
|Size<br />
|0x00000050<br />
|Length of Item 1<br />
|-<br />
|Reserved<br />
|0x00000000 0x00000000 0x00000000<br />
| <br />
|-<br />
|Filename<br />
|"CHSETTINGS"<br />
|Type of Item 1<br />
|}<br />
<br />
'''CH ITEM 2'''<br />
<pre><br />
0020: f0 00 00 00 5c 00 00 00 00 00 00 00 00 00 00 00<br />
0030: 00 00 00 00 43 48 52 41 4d 00 00 00 00 00 00 00<br />
</pre><br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Field name<br />
! Value<br />
! Meaning<br />
|-<br />
|Start<br />
|0x000000f0<br />
|Points to start of Item 2<br />
|-<br />
|Size<br />
|0x0000005c<br />
|Length of Item 2<br />
|-<br />
|Reserved<br />
|0x00000000 0x00000000 0x00000000<br />
| <br />
|-<br />
|Filename<br />
|"CHRAM"<br />
|Type of Item 2<br />
|}<br />
<br />
'''CH TOC closing mark'''<br />
<pre><br />
0040: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff<br />
0050: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff<br />
</pre><br />
'''EMPTY DATA SPACE'''<br />
<pre><br />
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
</pre><br />
'''ITEM 1: CHSETTINGS BLOCK'''<br />
<pre><br />
00a0: c1 c0 c0 c0 00 01 00 00 01 00 00 02 00 00 00 00<br />
00b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
00c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
00d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
00e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
</pre><br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Field name<br />
! Value<br />
! Meaning<br />
|-<br />
|Section key<br />
|0xc0c0c0c1<br />
|this verifies that it's a CHSETTINGS block, ok<br />
|-<br />
|Valid<br />
|0x00<br />
|this block is DISABLED, so it's not used!!!<br />
|-<br />
|Version<br />
|0x01<br />
|correct<br />
|-<br />
|Reserved<br />
|0x0000<br />
| <br />
|-<br />
|Clock settings<br />
|0x02000001<br />
|Clock configuration applied = 1 [yes]<br />
* Reserved = 0<br />
* Perform clock configuration = 0 [no]<br />
* Set and lock DPLL4 PER = 0 [no]<br />
* Set and lock DPLL1 (MPU) = 0 [no]<br />
* Set and lock DPLL3 (CORE) = 0 [no]<br />
* Bypass DPLL4 before setting clocks = 0 [no]<br />
* Bypass DPLL1 before setting clocks = 0 [no]<br />
* Bypass DPLL3 before setting clocks = 0 [no]<br />
* System clock ID = 0x02 [13 MHz]<br />
|}<br />
<br />
'''ITEM 2: CHRAM BLOCK'''<br />
<pre><br />
00f0: c2 c0 c0 c0 01 00 00 00 00 00 04 00 00 01 00 00<br />
0100: 08 00 00 0f 00 00 00 00 00 00 00 00 03 00 00 00<br />
0110: 99 80 58 03 32 00 00 00 20 00 00 00 c6 b4 9d ba<br />
0120: 20 22 02 00 02 ae 04 00 03 00 00 00 00 00 00 00<br />
0130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
0140: 00 00 00 00 00 00 00 00 01 00 00 00<br />
</pre><br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Field name<br />
! Value<br />
! Meaning<br />
|-<br />
|Section key<br />
|0xc0c0c0c2<br />
|this verifies that it's a CHRAM block, ok<br />
|-<br />
|Valid<br />
|0x01<br />
|this block is enabled<br />
|-<br />
|Reserved<br />
|0x000000<br />
| <br />
|-<br />
|SDRC_SYSCONFIG (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_CS_CFG (LSB)<br />
|0x0004<br />
| <br />
|-<br />
|SDRC_SHARING (LSB)<br />
|0x0100<br />
| <br />
|-<br />
|SDRC_ERR_TYPE (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_DLLA_CTRL (LSB)<br />
|0x0008<br />
| <br />
|-<br />
|SDRC_DLLA_CTRL (MSB)<br />
|0x0f00<br />
| <br />
|-<br />
|Reserved<br />
|0x0000<br />
| <br />
|-<br />
|Reserved<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_POWER (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_POWER (MSB)<br />
|0x0000<br />
| <br />
|-<br />
|Memory type (LSB)<br />
|0x0003<br />
|Mobile DDR<br />
|-<br />
|"Must be 0"<br />
|0x0000<br />
|ok<br />
|-<br />
|SDRC_MCFG_0 (LSB)<br />
|0x0008<br />
| <br />
|-<br />
|SDRC_MCFG_0 (MSB)<br />
|0x0358<br />
| <br />
|-<br />
|SDRC_MR_0 (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_EMR1_0 (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_EMR2_0 (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_EMR3_0 (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_ACTIM_CTRLA_0 (LSB)<br />
|0x0003<br />
| <br />
|-<br />
|SDRC_ACTIM_CTRLA_0 (MSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_ACTIM_CTRLB_0 (LSB)<br />
|0x2220<br />
| <br />
|-<br />
|SDRC_ACTIM_CTRLB_0 (MSB)<br />
|0x0002<br />
| <br />
|-<br />
|SDRC_RFRCTRL_0 (LSB)<br />
|0xae02<br />
|this value differs between the Droid and the Milestone; the Droid uses the 0xb902 value here. See the next comment.<br />
|-<br />
|SDRC_RFRCTRL_0 (MSB)<br />
|0x0004<br />
|<br />
*SDRC_RFR_CTRL_0[23:8]: ARCV = 0x04ae for the Milestone or 0x04b9 for the Droid. This is the autorefresh counter value that sets the refresh period; the autorefresh counter is loaded with the result of (tREFI / tCK) - 50.<br />
*SDRC_RFR_CTRL_0[7:2]: Reserved = 0<br />
*SDRC_RFR_CTRL_0[1:0]: ARE = 0x2, meaning the refresh counter is loaded with 4×ARCV: a burst of 4 autorefresh commands is issued when the autorefresh counter reaches 0.<br />
|-<br />
|Memory type (LSB)<br />
|0x0003<br />
|Mobile DDR<br />
|-<br />
|"Must be 0"<br />
|0x0000<br />
|ok<br />
|-<br />
|SDRC_MCFG_1 (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_MCFG_1 (MSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_MR_1 (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_EMR1_1 (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_EMR2_1 (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_EMR3_1 (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_ACTIM_CTRLA_1 (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_ACTIM_CTRLA_1 (MSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_ACTIM_CTRLB_1 (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_ACTIM_CTRLB_1 (MSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_RFRCTRL_1 (LSB)<br />
|0x0000<br />
| <br />
|-<br />
|SDRC_RFRCTRL_1 (MSB)<br />
|0x0000<br />
| <br />
|-<br />
|Reserved<br />
|0x0000<br />
| <br />
|-<br />
|Reserved<br />
|0x0000<br />
| <br />
|-<br />
|Flags<br />
|0x0001<br />
|CS0 is configured<br />
|-<br />
|"Must be 0"<br />
|0x0000<br />
| <br />
|}<br />
<br />
'''MORE EMPTY DATA SPACE'''<br />
<pre><br />
0140: 00 00 00 00<br />
0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
0190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
01a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
01b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
01c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
01d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
01e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
01f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />
</pre><br />
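As an added example (not code from this wiki page), the parser below applies the packed-fields mapping described above to the Milestone listing: it walks the TOC up to the 0xff closing mark, checks the section keys and item bounds, rejects non-zero "must be 0" fields, merges the LSB/MSB halves into 32-bit SDRC registers and decodes ARCV/ARE from SDRC_RFRCTRL_0. The Droid image it compares against is constructed from the two bytes the differences table lists, since the page carries no Droid dump.

```python
"""Parse the OMAP34xx Configuration Header (CH) listed above using the page's
packed-fields mapping (1-, 2- and 4-byte little-endian fields at consecutive
storage positions). Added example; it is not code from the wiki page."""
import struct

# Milestone CH from the hex listing above; rows not given here are the page's
# "EMPTY DATA SPACE" and are zero-filled by build_image().
_MILESTONE_HEX = {
    0x000: "a0 00 00 00 50 00 00 00 00 00 00 00 00 00 00 00",
    0x010: "00 00 00 00 43 48 53 45 54 54 49 4e 47 53 00 00",
    0x020: "f0 00 00 00 5c 00 00 00 00 00 00 00 00 00 00 00",
    0x030: "00 00 00 00 43 48 52 41 4d 00 00 00 00 00 00 00",
    0x040: "ff " * 16, 0x050: "ff " * 16,            # TOC closing mark
    0x0a0: "c1 c0 c0 c0 00 01 00 00 01 00 00 02 00 00 00 00",
    0x0f0: "c2 c0 c0 c0 01 00 00 00 00 00 04 00 00 01 00 00",
    0x100: "08 00 00 0f 00 00 00 00 00 00 00 00 03 00 00 00",
    0x110: "99 80 58 03 32 00 00 00 20 00 00 00 c6 b4 9d ba",
    0x120: "20 22 02 00 02 ae 04 00 03 00 00 00 00 00 00 00",
    0x140: "00 00 00 00 00 00 00 00 01 00 00 00",
}
CH_KEY_SETTINGS, CH_KEY_RAM = 0xc0c0c0c1, 0xc0c0c0c2

def build_image(hex_rows, size=512):
    """Assemble a `size`-byte CH area from {offset: "hex bytes"} rows."""
    buf = bytearray(size)
    for off, row in hex_rows.items():
        data = bytes.fromhex(row.replace(" ", ""))
        buf[off:off + len(data)] = data
    return bytes(buf)

MILESTONE_CH = build_image(_MILESTONE_HEX)
# Constructed Droid CH: the page lists only the two bytes (0x125, 0x1a3) that
# differ from the Milestone, so the Droid image is derived from those.
DROID_CH = bytearray(MILESTONE_CH)
DROID_CH[0x125], DROID_CH[0x1a3] = 0xb9, 0x02
DROID_CH = bytes(DROID_CH)

def parse_toc(ch):
    """Return [(name, start, size)] for the 32-byte TOC entries before the 0xff mark."""
    items = []
    for off in range(0, len(ch), 32):
        start, size = struct.unpack_from("<II", ch, off)
        if start == 0xffffffff:                        # closing mark reached
            return items
        name = ch[off + 20:off + 32].split(b"\0", 1)[0].decode("ascii")
        if start + size > len(ch):                     # item would run past the CH area
            raise ValueError(f"TOC item {name!r} exceeds the CH area")
        items.append((name, start, size))
    raise ValueError("no TOC closing mark found")

def parse_chsettings(ch, start):
    key, valid, version = struct.unpack_from("<IBB", ch, start)
    if key != CH_KEY_SETTINGS:
        raise ValueError(f"bad CHSETTINGS key 0x{key:08x}")
    clock, = struct.unpack_from("<I", ch, start + 8)   # 0x02000001 on the page
    return {"valid": bool(valid), "version": version,
            "clock_config_applied": bool(clock & 1),
            "system_clock_id": clock >> 24}            # top byte; 0x02 is 13 MHz per the table

# 16-bit fields after key/valid/reserved, in the order of the CHRAM table above.
# "L"/"H" are the LSB/MSB halves of one 32-bit SDRC register; None is padding.
_CHRAM_FIELDS = [
    ("SDRC_SYSCONFIG", "L"), ("SDRC_CS_CFG", "L"), ("SDRC_SHARING", "L"),
    ("SDRC_ERR_TYPE", "L"), ("SDRC_DLLA_CTRL", "L"), ("SDRC_DLLA_CTRL", "H"),
    ("reserved", None), ("reserved", None), ("SDRC_POWER", "L"), ("SDRC_POWER", "H"),
] + [f for cs in "01" for f in [                       # one group per chip select
    (f"memory_type_{cs}", "L"), ("must_be_0", None),
    (f"SDRC_MCFG_{cs}", "L"), (f"SDRC_MCFG_{cs}", "H"), (f"SDRC_MR_{cs}", "L"),
    (f"SDRC_EMR1_{cs}", "L"), (f"SDRC_EMR2_{cs}", "L"), (f"SDRC_EMR3_{cs}", "L"),
    (f"SDRC_ACTIM_CTRLA_{cs}", "L"), (f"SDRC_ACTIM_CTRLA_{cs}", "H"),
    (f"SDRC_ACTIM_CTRLB_{cs}", "L"), (f"SDRC_ACTIM_CTRLB_{cs}", "H"),
    (f"SDRC_RFRCTRL_{cs}", "L"), (f"SDRC_RFRCTRL_{cs}", "H"),
]] + [("reserved", None), ("reserved", None), ("flags", "L"), ("must_be_0", None)]

def parse_chram(ch, start, size):
    key, valid = struct.unpack_from("<IB", ch, start)
    if key != CH_KEY_RAM:
        raise ValueError(f"bad CHRAM key 0x{key:08x}")
    if size != 8 + 2 * len(_CHRAM_FIELDS):             # 0x5c for this layout
        raise ValueError(f"unexpected CHRAM size 0x{size:x}")
    regs = {"valid": bool(valid)}
    for i, (name, half) in enumerate(_CHRAM_FIELDS):
        off = start + 8 + 2 * i
        val, = struct.unpack_from("<H", ch, off)
        if name == "must_be_0" and val:
            raise ValueError(f"'must be 0' field at 0x{off:x} is 0x{val:04x}")
        if half is not None:                           # merge LSB/MSB into one register
            regs[name] = regs.get(name, 0) | (val << (16 if half == "H" else 0))
    return regs

def refresh_params(rfrctrl):
    """Decode SDRC_RFRCTRL as the table above does: ARCV = bits [23:8], ARE = bits [1:0]."""
    return {"arcv": (rfrctrl >> 8) & 0xffff, "are": rfrctrl & 0x3}

def parse_ch(ch):
    """Parse the whole CH area into {"CHSETTINGS": {...}, "CHRAM": {...}}."""
    parsers = {"CHSETTINGS": lambda s, n: parse_chsettings(ch, s),
               "CHRAM": lambda s, n: parse_chram(ch, s, n)}
    return {name: parsers[name](start, size)
            for name, start, size in parse_toc(ch) if name in parsers}

def diff_ch(a, b):
    """Byte positions where two CH images differ, as in the Droid/Milestone table above."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
```

Run over the listing above, the parser reads SDRC_MCFG_0 = 0x03588099, SDRC_MR_0 = 0x0032 and SDRC_ACTIM_CTRLA_0 = 0xba9db4c6 straight from the dump, which is worth comparing field by field against the hand-filled CHRAM table.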
'''CH END'''</div>Wikiadminhttp://www.droid-developers.org/wiki/CDTCDT2010-08-09T09:09:17Z<p>Wikiadmin: </p>
<hr />
<div>===== Milestone partitions =====<br />
<br />
Just like a desktop computer's hard disk, the Milestone's flash memory is divided into partitions called CGs (Code or Content Groups). The list of CGs in a system is called the CDT (Code Description Table?), which is analogous to the partition table on a PC. The CDT itself is stored in a CG of its own.<br />
<br />
During the firmware flashing process, [[sbf|an SBF file]] that contains one or more CGs is used to update the flash contents accordingly. The CDT (which is located within [[http://www.megaupload.com/?d=CJ3ZYNUI|CG31]]) determines which NAND regions have to be checked for signatures. It is very different from the Droid's, of course((See [http://www.mediafire.com/?wnjwcofjqzn|here] for a copy of the Droid's CDT table)). The following tables show the CDT contents((compiled by [mbm] and vekexasia based on raw data and on [http://wiki.openezx.org/Z6_Security|OpenEZX Wiki]. Reformatted by karmapolis.)).<br />
<br />
===== CDT Table of Milestone / Titanium =====<br />
<br />
{| border="1" cellpadding="0" cellspacing="0"<br />
! Link((the links are for Milestone dumps))<br />
! Name<br />
! Signed?<br />
! CG_num<br />
! CG_name<br />
! signature_type<br />
! start_addr((comment by [mbm]: "subtract the base address from the signature start/end to get the offsets in the mtd files"))<br />
! end_addr<br />
! base_addr<br />
! sig_start_addr<br />
! sig_end_addr<br />
|-<br />
|[[http://www.megaupload.com/?d=4GH76X5U|mbmloader.img]]<br />
|Ramloader<br />
|Yes (OMAP security)<br />
|63<br />
|mbmloader<br />
|0<br />
|0x00000000<br />
|0x00020000<br />
|0x87000780<br />
|0x8701ff80<br />
|0x8702077f<br />
|-<br />
|[[http://www.megaupload.com/?d=R5HGK52U|mbm.img]]<br />
|Motorola Boot Manager<br />
|Yes (Motorola CSF/HAB)<br />
|30<br />
|mbm<br />
|0<br />
|0x00020000<br />
|0x000c0000<br />
|0x8f310000<br />
|0x8f34f800<br />
|0x8f34ffff<br />
|-<br />
|[[http://www.megaupload.com/?d=R5HGK52U|mbmbackup.img]]<br />
|MBM backup (identical to MBM)<br />
|no<br />
|55<br />
|mbmbackup<br />
|0<br />
|0x000c0000<br />
|0x00160000<br />
|0xffffffff<br />
|0xffffffff<br />
|0xffffffff<br />
|-<br />
|[[http://www.megaupload.com/?d=PPWAOJBE|bploader.img]]<br />
|Baseband software boot loader<br />
|No<br />
|56<br />
|bploader<br />
|0<br />
|0x00160000<br />
|0x001c0000<br />
|0xffffffff<br />
|0xffffffff<br />
|0xffffffff<br />
|-<br />
|[[http://www.megaupload.com/?d=CJ3ZYNUI|cdt.bin]]<br />
|MEM_MAP / CDT Table<br />
|Yes<br />
|31<br />
|cdt.bin<br />
|1<br />
|0x001c0000<br />
|0x00220000<br />
|0x8f070000<br />
|0x8f073800<br />
|0x8f073fff<br />
|-<br />
|[[http://www.megaupload.com/?d=T8VZAW90|pdsfs.img]]<br />
|Yaffs2 image mounted as /etc/pds<br />
|No<br />
|38<br />
|pds<br />
|0<br />
|0x00220000<br />
|0x003a0000<br />
|0xffffffff<br />
|0xffffffff<br />
|0xffffffff<br />
|-<br />
|[[http://www.megaupload.com/?d=QS0EGYH6|lbl]]<br />
|Linux Boot Loader<br />
|Yes<br />
|34<br />
|lbl<br />
|1<br />
|0x003a0000<br />
|0x00400000<br />
|0x80d00000<br />
|0x80d03800<br />
|0x80d03fff<br />
|-<br />
|lbl_backup.img<br />
|LBL Backup<br />
|Yes<br />
|57<br />
|lbl_backup<br />
|1<br />
|0x00400000<br />
|0x00460000<br />
|0x80d00000<br />
|0x80d03800<br />
|0x80d03fff<br />
|-<br />
|[[http://www.megaupload.com/?d=Y6R1N9I0|cid]]<br />
| <br />
|No<br />
|43<br />
|cid<br />
|0<br />
|0x00460000<br />
|0x004c0000<br />
|0xffffffff<br />
|0xffffffff<br />
|0xffffffff<br />
|-<br />
|[[http://www.megaupload.com/?d=9JYO5CIB|sp]]<br />
|See note (*)<br />
|No<br />
|41<br />
|sp<br />
|0<br />
|0x004c0000<br />
|0x00640000<br />
|0x8f0b0000<br />
|0x8f1af800<br />
|0x8f1affff<br />
|-<br />
|[[http://www.megaupload.com/?d=RT1KUV9W|devtree]]<br />
| <br />
|Yes<br />
|61<br />
|devtree<br />
|1<br />
|0x00640000<br />
|0x006a0000<br />
|0x8f090000<br />
|0x8f0af800<br />
|0x8f0affff<br />
|-<br />
|[[http://www.megaupload.com/?d=7MJQ6UFH|logo.bin]]<br />
|Boot Logo<br />
|Yes<br />
|42<br />
|logo.bin<br />
|0<br />
|0x006a0000<br />
|0x00740000<br />
|0x8ee70000<br />
|0x8eeaf800<br />
|0x8eeaffff<br />
|-<br />
|[[http://www.megaupload.com/?d=59NRBSIB|misc.img]]<br />
| <br />
|Yes<br />
|44<br />
|misc<br />
|0<br />
|0x00740000<br />
|0x007a0000<br />
|0xffffffff<br />
|0xffffffff<br />
|0xffffffff<br />
|-<br />
|boot.img<br />
|Android boot image<br />
|Yes<br />
|35<br />
|boot<br />
|1<br />
|0x007a0000<br />
|0x00b20000<br />
|0x81100000<br />
|0x813bf800<br />
|0x813bffff<br />
|-<br />
|bpsw<br />
| baseband/gps sw <br />
|Yes<br />
|45<br />
|bpsw<br />
|2<br />
|0x00b20000<br />
|0x00ee0000<br />
|0x64100000<br />
|0x643ff800<br />
|0x643fffff<br />
|-<br />
|recovery<br />
|Android Recovery<br />
|Yes<br />
|47<br />
|recovery<br />
|1<br />
|0x00ee0000<br />
|0x01360000<br />
|0x81100000<br />
|0x814bf800<br />
|0x814bffff<br />
|-<br />
|[[http://www.megaupload.com/?d=SUJ9AITU|cdrom]]<br />
| <br />
|No((checked once right after flashing image from SBF))<br />
|33<br />
|cdrom<br />
|5<br />
|0x01360000<br />
|0x01c80000<br />
|0x82000000<br />
|0x827df800<br />
|0x827dffff<br />
|-<br />
|system.img<br />
|Android /system<br />
|No((checked once right after flashing image from SBF))<br />
|39<br />
|system<br />
|5<br />
|0x01c80000<br />
|0x0cc80000<br />
|0x82000000<br />
|0x8ca1f800<br />
|0x8ca1ffff<br />
|-<br />
|cache<br />
|Android /cache<br />
|No<br />
|40<br />
|cache<br />
|0<br />
|0x0cc80000<br />
|0x13680000<br />
|0xffffffff<br />
|0xffffffff<br />
|0xffffffff<br />
|-<br />
|userdata<br />
|Android /data<br />
|No<br />
|37<br />
|userdata<br />
|0<br />
|0x13680000<br />
|0x1fba0000<br />
|0xffffffff<br />
|0xffffffff<br />
|0xffffffff<br />
|-<br />
|cust<br />
|Android /system/etc/motorola<br />
|No((checked once right after flashing image from SBF))<br />
|36<br />
|cust<br />
|5<br />
|0x1fba0000<br />
|0x1fd80000<br />
|0x82000000<br />
|0x8211f800<br />
|0x8211ffff<br />
|-<br />
|kpanic<br />
|kernel panic dump<br />
|No<br />
|53<br />
|kpanic<br />
|0<br />
|0x1fd80000<br />
|0x1ff80000<br />
|0xffffffff<br />
|0xffffffff<br />
|0xffffffff<br />
|-<br />
|rsv<br />
|Reserved block<br />
|No<br />
|54<br />
|rsv<br />
|0<br />
|0x1ff80000<br />
|0x20000000<br />
|0xffffffff<br />
|0x00000000<br />
|0x00000000<br />
|}<br />
<br />
===== CDT Table of Droid X =====<br />
<br />
^Link^Name^Signed?^CG_num^CG_name^signature_type^start_addr((comment by [mbm]: "subtract the base address from the signature start/end to get the offsets in the mtd files"))^end_addr^base_addr^sig_start_addr^sig_end_addr^<br />
|mbr| |Yes (OMAP security)|64|mbr|0|0x00000000|0x00020000||||<br />
|mbmloader.img|Ramloader|Yes (OMAP security)|63|mbmloader|0|0x00020000|0x00040000||||<br />
|mbm.img|Motorola Boot Manager|Yes (Motorola CSF/HAB)|30|mbm|0|0x00080000|0x00100000||||<br />
|mbmbackup.img|MBM backup (identical to MBM)|no|55|mbmbackup|0|0x00100000|0x00180000||||<br />
|ebr|ebr|No|65|ebr|0|0x00180000|0x00200000||||<br />
|bploader.img|Baseband software boot loader|No|56|bploader|0|0x00200000|0x00280000||||<br />
|cdt.bin|MEM_MAP / CDT Table|Yes|31|cdt.bin|1|0x00280000|0x00300000||||<br />
|pdsfs.img|Yaffs2 image mounted as /etc/pds|No|38|pds|0|0x00300000|0x00700000||||<br />
|lbl|Linux Boot Loader|Yes|34|lbl|1|0x00700000|0x00780000||||<br />
|lbl_backup.img|LBL Backup|Yes|57|lbl_backup|1|0x00800000|0x00900000||||<br />
|cid| |No|43|cid|0|0x02580000|0x02600000||||<br />
|sp| |No|41|sp|0|0x00900000|0x00b00000||||<br />
|devtree| |Yes|61|devtree|1|0x00b00000|0x00b80000||||<br />
|devtree_backup| |Yes|62|devtree_backup|1|0x00b80000|0x00c00000||||<br />
|logo.bin|Boot Logo|Yes|42|logo.bin|0|0x00800000|0x00900000||||<br />
|misc.img| |Yes|44|misc|0|0x02500000|0x02580000||||<br />
|boot.img|Android boot image|Yes|35|boot|1|0x01000000|0x01400000||||<br />
|bpsw| baseband/gps sw |Yes|45|bpsw|2|0x00b20000|0x00ee0000||||<br />
|recovery|Android Recovery|Yes|47|recovery|1|0x01400000|0x01900000||||<br />
|cdrom| |No((checked once right after flashing image from SBF))|33|cdrom|5|0x01900000|0x02500000||||<br />
|system.img|Android /system|No((checked once right after flashing image from SBF))|39|system|5|0x02a00000|0x01420000||||<br />
|cache|Android /cache|No|40|cache|0|0x0cc80000|0x13680000||||<br />
|userdata|Android /data|No|37|userdata|0|0x20000000|0x40000000||||<br />
|kpanic|kernel panic dump|No|53|kpanic|0|0x02600000|0x02a00000||||<br />
<br />
> **Note(*)**<br />
> cg41 (sp) isn't signed (as seen from the cdt), but it contains some interesting stuff:<br />
> 1) a copy of the cdt from offset 0x14.<br />
> 2) some records for every code group with the 5th signature type: cdrom (starting from offset 0x60000), system (0x80000), cust (0xa0000). These records contain the signature, the cg description from the cdt and some other unknown info. Every element of sp has a header that contains strings (or maybe values) like rrrA, ip*2, CDTV, OTVV, etc. These headers are built by mbm and the whole sp code group seems to be filled by mbm.<br />
> (according to the cdt, sp has a signature, but the signature_type is 0. We don't know if mbm will check it.) (signature_type 0 means that the code group isn't checked by mbm; btw logo.bin also has no signature. Every cdt description that contains a starting address also contains signature addresses. But you can check sp or logo.bin: these cgs don't contain any signature at the address from the cdt.)<br />
> 3) type 1 signatures on CGs are checked on each boot by mbm<br />
> 4) comment by yakk regarding the meaning of type 5 signature for CGs: "ramdld stores a special mark to the sp code group after flashing system, and mbm checks the signature during the first boot after flashing, resets that mark, and stores some info (the signature itself in moto format, and some other)".<br />
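<br />
The following is an added example (not code from the wiki or from Motorola) that works through [mbm]'s comment from the table header: subtracting base_addr from sig_start_addr/sig_end_addr gives the offset of the signature block inside a CG dumped from its mtd device. The rows are copied from the Milestone CDT table above; the helper names, the treatment of 0xffffffff as "no signature window", the bounds check against the CG size and the policy strings (taken from the note above; signature_type 2 is not described there) are this example's own assumptions.<br />

```python
"""Locate each CG's signature inside its mtd dump, per the Milestone CDT.

Added example, not code from the wiki or from Motorola. The rows below are
copied from the Milestone CDT table; the helper names, the treatment of
0xffffffff as "no signature window", and the check that the window lies
inside the CG are this example's own assumptions.
"""

NO_SIG = 0xFFFFFFFF

# (CG_num, CG_name, signature_type, start_addr, end_addr, base_addr, sig_start_addr, sig_end_addr)
MILESTONE_CDT = [
    (63, "mbmloader", 0, 0x00000000, 0x00020000, 0x87000780, 0x8701FF80, 0x8702077F),
    (30, "mbm",       0, 0x00020000, 0x000C0000, 0x8F310000, 0x8F34F800, 0x8F34FFFF),
    (55, "mbmbackup", 0, 0x000C0000, 0x00160000, NO_SIG,     NO_SIG,     NO_SIG),
    (31, "cdt.bin",   1, 0x001C0000, 0x00220000, 0x8F070000, 0x8F073800, 0x8F073FFF),
    (34, "lbl",       1, 0x003A0000, 0x00400000, 0x80D00000, 0x80D03800, 0x80D03FFF),
    (41, "sp",        0, 0x004C0000, 0x00640000, 0x8F0B0000, 0x8F1AF800, 0x8F1AFFFF),
    (35, "boot",      1, 0x007A0000, 0x00B20000, 0x81100000, 0x813BF800, 0x813BFFFF),
    (47, "recovery",  1, 0x00EE0000, 0x01360000, 0x81100000, 0x814BF800, 0x814BFFFF),
    (39, "system",    5, 0x01C80000, 0x0CC80000, 0x82000000, 0x8CA1F800, 0x8CA1FFFF),
]

# Verification policy as stated in the note above (type 2 is not described there).
SIG_POLICY = {
    0: "not checked by mbm",
    1: "checked by mbm on every boot",
    5: "checked once on the first boot after flashing",
}


def sig_window(entry):
    """Offset and length of the signature inside the CG's own dump, or None."""
    _cg, name, _type, start, end, base, sig_start, sig_end = entry
    if NO_SIG in (base, sig_start, sig_end):
        return None
    offset = sig_start - base           # [mbm]: subtract the base address
    length = sig_end - sig_start + 1    # sig_end_addr is inclusive
    if offset < 0 or offset + length > end - start:
        raise ValueError(f"{name}: signature window lies outside the CG")
    return offset, length


def extract_signature(dump, entry):
    """Slice the signature block out of a raw CG dump (e.g. from nanddump)."""
    window = sig_window(entry)
    if window is None:
        return None
    offset, length = window
    if len(dump) < offset + length:
        raise ValueError("dump is shorter than the CDT says the CG is")
    return dump[offset:offset + length]


def policy(entry):
    """When mbm checks this CG's signature, per the note above."""
    return SIG_POLICY.get(entry[2], "unknown signature_type")


def report(cdt=MILESTONE_CDT):
    """One line per CG: where mbm would look for the signature, and when."""
    rows = []
    for e in cdt:
        w = sig_window(e)
        where = "no signature window" if w is None else f"offset 0x{w[0]:x}, len 0x{w[1]:x}"
        rows.append(f"CG{e[0]:<3} {e[1]:<10} {where:<28} {policy(e)}")
    return rows


if __name__ == "__main__":
    print("\n".join(report()))
```

Running the report shows that every signed CG in the table keeps its signature in a 0x800-byte window, and that for boot and recovery that window sits well inside the partition (offset 0x2bf800 and 0x3bf800 respectively), which is what you would carve out of the corresponding mtd dump to inspect.<br />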
<br />
===== Extracting partitions =====<br />
<br />
==== Method with correct ECC handling ====<br />
<br />
You need a kernel module and mtd-utils. Precompiled mtd-utils and the kernel module, together with their sources, can be downloaded here: <br />
{{:partitions:mtd-utils.tar.bz2|mtd-utils.tar.bz2}}<br />
<pre><br />
insmod mtd_dumpall.ko<br />
echo "0 64" > /proc/mtd_dumpall<br />
cat /proc/mtd_dumpall > /tmp/mtd0.bin<br />
</pre><br />
<br />
The result is in ASCII format, where lines matching ^d[^:]+ are data lines and lines matching ^o[^:]+ are OOB data. Each data line holds 0x20 bytes as ASCII hex.<br />
<br />
To convert the data lines to binary (this discards the OOB lines):<br />
<pre><br />
grep ^d /tmp/mtd0.bin | xxd -r -c 0x20 > out.bin<br />
</pre><br />
<br />
Alternatively, try using nanddump from mtd-utils directly.<br />
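<br />
As an added example (not code from the wiki or from the mtd_dumpall module), here is a parser for the ASCII dump format described above that keeps the OOB bytes the grep pipeline throws away. The page only states that lines starting with d carry 0x20 bytes of hex and lines starting with o carry OOB data; the exact prefix layout (d<offset>: xx xx ...), the helper names and the 2048-byte page with a 64-byte spare area used for the constructed sample are this example's assumptions. The parser ignores whatever sits between the d/o and the colon, so it does not depend on the offset layout.<br />

```python
"""Split the ASCII output of mtd_dumpall into data and OOB byte streams.

Added example; not code from the wiki or from the mtd_dumpall module. The
page only says that lines matching ^d[^:]+ carry 0x20 bytes of hex data and
lines matching ^o[^:]+ carry OOB bytes. The prefix layout assumed here
('d<offset>: xx xx ...'), the helper names, and the 2048-byte page with a
64-byte spare area used for the constructed sample are assumptions.
"""
import re

DATA_LINE_BYTES = 0x20   # stated on the page: each data line holds 0x20 bytes
LINE_RE = re.compile(r"^([do])[^:]*:\s*([0-9a-fA-F ]+)$")


def parse_mtd_dumpall(text):
    """Return (data, oob) as bytes; reject lines that are malformed or short."""
    data, oob = bytearray(), bytearray()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a d/o dump line: {raw!r}")
        kind, chunk = m.group(1), bytes.fromhex(m.group(2))
        if kind == "d":
            if len(chunk) != DATA_LINE_BYTES:
                raise ValueError(
                    f"line {lineno}: {len(chunk)} data bytes, expected {DATA_LINE_BYTES}")
            data += chunk
        else:
            oob += chunk
    return bytes(data), bytes(oob)


def format_mtd_dumpall(data, oob, page_size=2048, oob_size=64):
    """Emit the assumed layout; used here only to build a constructed sample."""
    if len(data) % page_size or len(oob) != (len(data) // page_size) * oob_size:
        raise ValueError("data/oob sizes do not match the assumed page geometry")
    lines = []
    for page in range(len(data) // page_size):
        for off in range(0, page_size, DATA_LINE_BYTES):
            pos = page * page_size + off
            chunk = data[pos:pos + DATA_LINE_BYTES]
            lines.append(f"d{pos:08x}: " + " ".join(f"{b:02x}" for b in chunk))
        for off in range(0, oob_size, DATA_LINE_BYTES):
            pos = page * oob_size + off
            chunk = oob[pos:pos + DATA_LINE_BYTES]
            lines.append(f"o{pos:08x}: " + " ".join(f"{b:02x}" for b in chunk))
    return "\n".join(lines) + "\n"


def split_dump_file(path, data_out, oob_out):
    """Convert a saved /proc/mtd_dumpall capture into two binary files."""
    with open(path) as f:
        data, oob = parse_mtd_dumpall(f.read())
    with open(data_out, "wb") as f:
        f.write(data)
    with open(oob_out, "wb") as f:
        f.write(oob)
    return len(data), len(oob)


# Constructed sample: two NAND pages whose spare area is still erased (0xff).
SAMPLE_DATA = bytes(range(256)) * 16
SAMPLE_OOB = b"\xff" * 128
SAMPLE_TEXT = format_mtd_dumpall(SAMPLE_DATA, SAMPLE_OOB)

if __name__ == "__main__":
    d, o = parse_mtd_dumpall(SAMPLE_TEXT)
    print(f"{len(d)} data bytes, {len(o)} OOB bytes")
```

Keeping the OOB stream matters when you want to look at the ECC bytes or yaffs2 tags rather than only the page contents; a data line that is not exactly 0x20 bytes is rejected instead of silently shifting every later offset.<br />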
<br />
==== janneg_'s kernel module ====<br />
<br />
After booting into Linux, some of these partitions are available as MTD devices (/dev/mtd*). Others are not, because the Linux kernel provided by Motorola does not map them to MTD devices. janneg_ has created [http://www.megaupload.com/?d=4OVM12NP|a kernel module] that maps them all, which lets us extract anything from the Milestone's flash. A precompiled binary is available [http://share1t.com/3k0ket|here] if you don't want to compile it yourself.<br />
<br />
==== MOTOMAGX Backup ====<br />
<br />
There is a tool called MotoMagX Backup that is used on MotoMagX phones to retrieve the CGs from the phone via USB; even though the Milestone is NOT a MotoMagX phone, it has several similarities with that platform. The tool, [http://www.megaupload.com/?d=BN6ZSZQV|MotoMagxBackup v0.01], has been tested with the Milestone by MauiMauer. It recognizes the Milestone connected via USB and sends the ramloader program, which runs in the phone's RAM, but then the phone locks up and its battery has to be removed (the phone returns ERR: 0x85, which means unknown command).<br />
<br />
<br />
Milestone RAMDLDs do not have the READ command handler that MMBackup uses. The MBM itself has that handler, but it does not work: it hangs the phone even when called with correct parameters.</div>Wikiadminhttp://www.droid-developers.org/wiki/ModesModes2010-08-09T08:56:22Z<p>Wikiadmin: </p>
<hr />
<div>==== Recovery Mode on Motorola Milestone ====<br />
<br />
=== What is it for? ===<br />
<br />
A recovery method is required whenever we need to try new kernel versions on the Milestone. Without a recovery method, any unsuccessful test would be the last one (the phone would be "bricked"). The standard recovery method for Android is the '''recovery mode'''.<br />
<br />
<br />
=== How to access it ===<br />
<br />
You can access recovery mode on the Milestone by shutting down the device and starting it while holding Power+CameraButton simultaneously (on the 90.78 bootloader it is Power+X).<br />
<br />
After the warning image appears, you can open the menu by pressing CameraButton+VolumeUp simultaneously.<br />
<br />
=== How to run ADB in Recovery Mode: ADBrecovery ===<br />
<br />
The adbd daemon runs unprivileged on the Milestone because the property ro.secure is set to 1 in default.prop (you can use the getprop command to check this). But we can use the su command to run adbd as root anyway.<br />
<br />
[http://alldroid.org/viewtopic.php?f=259&t=1617|Poseidon's proof of concept] of this idea evolved into [http://www.megaupload.com/?d=Q31VFVHF|this first version of a recovery patch for the Milestone], which in turn evolved into [http://alldroid.org/viewtopic.php?f=259&t=1617|the current ADBrecovery version], which now incorporates a port of nandroid and is [http://alldroid.org/viewtopic.php?f=259&t=1808|able to back up and restore several key Milestone partitions].<br />
<br />
=== Open Recovery ===<br />
<br />
Developed by Skrilax_CZ.<br />
<br />
Credit to mankind (from alldroid) for the CustomUpdate on which this recovery is based,<br />
<br />
and to poseidon (also from alldroid) for ADBRecovery.<br />
<br />
Current version 1.14 [06/11/2010]<br />
<br />
Open Recovery is a fully customised recovery that uses the payload hack to restart the stock recovery into itself. It supports easy rooting and taking backups from the menu, and is easily extendable. The page is here: [[open_recovery|Open Recovery]]<br />
<br />
=== misc partition ===<br />
<br />
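The paragraph below refers to the commands the OS writes into the misc partition for the bootloader. As an added example (not Motorola's code and not shown on the page), here is a packer/unpacker for the AOSP recovery bootloader_message block of that era: command[32], status[32], recovery[1024], 1088 bytes in all, as declared in bootable/recovery/bootloader.h. Whether Motorola's mbm/lbl interpret every field exactly as AOSP does is an assumption, as are the helper names.<br />

```python
"""Pack and unpack the AOSP 'bootloader_message' block kept in misc.

Added example; not Motorola's code. The layout (command[32], status[32],
recovery[1024]) is AOSP's bootable/recovery/bootloader.h of the time; the
helper names and the assumption that mbm/lbl read it the same way are ours.
"""
import struct

BOOTLOADER_MESSAGE = struct.Struct("32s32s1024s")   # NUL-padded C char arrays
BLOCK_SIZE = BOOTLOADER_MESSAGE.size                # 1088 bytes
FIELD_LIMITS = (32, 32, 1024)


def _cstr(field):
    """Read a NUL-terminated C string out of a fixed-size field."""
    return field.split(b"\0", 1)[0].decode("ascii", "replace")


def pack_message(command="", status="", recovery_args=()):
    """Build the block the OS writes into misc to request a recovery boot.

    recovery_args become the lines after the leading 'recovery' line, e.g.
    '--update_package=/sdcard/update.zip'.
    """
    recovery = ""
    if recovery_args:
        recovery = "recovery\n" + "".join(arg + "\n" for arg in recovery_args)
    fields = (command, status, recovery)
    for value, limit in zip(fields, FIELD_LIMITS):
        if len(value.encode("ascii")) >= limit:      # keep room for the NUL
            raise ValueError(f"field too long for misc: {value[:20]!r}")
    return BOOTLOADER_MESSAGE.pack(*(f.encode("ascii") for f in fields))


def unpack_message(block):
    """Parse the first BLOCK_SIZE bytes of a misc dump."""
    if len(block) < BLOCK_SIZE:
        raise ValueError("misc block too short")
    command, status, recovery = BOOTLOADER_MESSAGE.unpack(block[:BLOCK_SIZE])
    lines = _cstr(recovery).split("\n")
    args = [l for l in lines[1:] if l] if lines[0] == "recovery" else []
    return {"command": _cstr(command), "status": _cstr(status),
            "recovery_args": args}


def recovery_requested(block):
    """True when the OS has asked the bootloader to boot into recovery."""
    return unpack_message(block)["command"] == "boot-recovery"


def cleared():
    """An all-zero block, which is what recovery writes back when done."""
    return bytes(BLOCK_SIZE)


if __name__ == "__main__":
    blk = pack_message("boot-recovery",
                       recovery_args=["--update_package=/sdcard/update.zip"])
    print(unpack_message(blk))
```

Because misc is listed as unsigned in the CDT above, anything that can write to it (root, or a raw NAND write) can steer the next boot into recovery with arguments of its choosing; the signature checks on the boot and recovery CGs are what limit the damage, not the misc contents themselves.<br />
<br />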
There is an interaction pathway between the OS and the recovery stage, using commands written into the misc partition. See the source code of Motorola's GPL'd motobox command, and see [http://android.git.kernel.org/?p=platform/bootable/recovery.git;a=blob;f=firmware.c#l47|here] how the bootloader (mbm or lbl) communicates with the OS in order to update the radio firmware and the boot image itself.</div>Wikiadminhttp://www.droid-developers.org/wiki/Wrigley_3GWrigley 3G2010-08-09T08:51:50Z<p>Wikiadmin: </p>
<hr />
<div>It is a custom digital baseband (DBB) architecture.<br />
It consists of:<br />
<br />
# a DSP processor, TMS320C55x+-based<br />
# an MCU (general-purpose processor), ARM9-based<br />
<br />
The two communicate with each other over shared memory.<br />
<br />
{{:hardware:wrigley3g-2.png|}}<br />
<br />
Source DIA file: [http://droid-developers.org/files/diagrams/Wrigley3G.dia|Wrigley3G]<br />
<br />
The Wrigley 3G uses the same memory chip as the AP (OMAP3430), but a different partition of it.</div>Wikiadminhttp://www.droid-developers.org/wiki/GSM/CDMA-chainGSM/CDMA-chain2010-08-09T08:51:19Z<p>Wikiadmin: </p>
<hr />
<div>This is a simple diagram of the data paths in the Milestone GSM/UMTS modem:<br />
<br />
{{:hardware:gsm-modem.png|}}<br />
<br />
Here is the diagram in DIA format: [http://droid-developers.org/files/diagrams/GSM-modem.dia|GSM/UMTS modem]</div>Wikiadminhttp://www.droid-developers.org/wiki/FM_radioFM radio2010-08-09T08:50:40Z<p>Wikiadmin: </p>
<hr />
<div>== It won't work ==<br />
<br />
Unfortunately dproldan has concluded, after [http://www.multiupload.com/0IRR37CI6K disassembling his phone], that the Milestone lacks critical traces and components to support the FM radio capabilities (both tx and rx). So FM radio tuning and/or transmission seems to be completely impossible on the Milestone.<br />
<br />
== Links ==<br />
http://alldroid.org/archived/threads/14549.html original thread about FM radio on the Milestone; as reported there, they were able to scan for radio stations but got no audio. They used libs and apps from the XT800<br />
<br />
http://www.multiupload.com/4BD1T5ZLM6 system dump from xt800<br />
<br />
== Approach Nr. 1 ==<br />
Use the libs and apps from a Motorola phone that has FM radio working (XT701, XT800)<br />
<br />
<br />
Status:<br />
can't scan for anything; reason unknown<br />
<br />
* [http://pastebin.com/search?cx=013305635491195529773:t-lahnuezfu&cof=FORID:10&ie=UTF-8&q=fmradioserver&sa.x=0&sa.y=0&sa=Search|strace] of fmradioserver on Milestone.<br />
<br />
== Approach Nr. 2 ==<br />
Use the app from http://git.omapzoom.org/?p=platform/hardware/ti/omap3.git;a=tree;f=fmradio;hb=HEAD<br />
<br />
Status:<br />
can't scan for any stations; reason unknown. Tested on the Droid and the Milestone; works OK on the XT701 (with its .bts files)<br />
<br />
Links:<br />
[http://x0.nu.mu/~omen/fmapp http://x0.nu.mu/~omen/fmapp]<br />
[http://x0.nu.mu/~omen/fm_rx_init_1273.2.bts http://x0.nu.mu/~omen/fm_rx_init_1273.2.bts] ( from droidx )<br />
[http://x0.nu.mu/~omen/fmc_init_1273.2.bts http://x0.nu.mu/~omen/fmc_init_1273.2.bts] ( from droidx )<br />
<br />
<br />
Steps to test it:<br />
<pre><br />
cp fmapp to, for example, /system/xbin/<br />
cp the *.bts files to /etc/<br />
cd to a directory where you have write permission; fmapp will create 2 log files in it<br />
turn BT off if it is on, then turn it on, run fmapp and press p; if you get any error, reset BT and quickly run fmapp again<br />
you also need to reset BT each time you run fmapp<br />
press h for the command list<br />
?0 lowers the RSSI threshold to 0; after that, > or < starts seeking for radio stations<br />
</pre></div>Wikiadminhttp://www.droid-developers.org/wiki/Root_attackRoot attack2010-08-09T08:48:52Z<p>Wikiadmin: </p>
<hr />
<div>=== The Root Hack ===<br />
<br />
This [http://translate.google.com/translate?hl=en&ie=UTF-8&sl=de&tl=en&u=http://www.android-hilfe.de/news-ankuendigungen/15014-android-hilfe-de-rootet-milestone.html&prev=_t&rurl=translate.google.com&twu=1|root hack for the Motorola Milestone] is exactly the same [http://forum.xda-developers.com/showthread.php?p=5110554#post5110554|hack originally found] [http://alldroid.org/viewtopic.php?f=210&t=567|on the Droid], but with a different update.zip file. It exploits a bug in the updater program on the phone, which takes a signed ZIP file and uses it to update the firmware: the updater does not properly verify the ZIP file's contents, so a ZIP whose contents have been altered is still accepted.<br />
<br />
See a tutorial for applying the root hack on Android version 2.1 [http://androidforums.com/motorola-milestone/75460-milestone-2-1-update-root-guide.html|here].<br />
<br />
[http://www.droid-life.com/2010/07/30/new-dmupdater-beta-easily-roots-android-2-1/|This] method works for rooting the Milestone too.</div>Wikiadminhttp://www.droid-developers.org/wiki/MBM_backup_attackMBM backup attack2010-08-09T08:38:32Z<p>Wikiadmin: </p>
<hr />
<div>====== Mbm backup Attack ======<br />
<br />
According to the [[CDT|cdt table]] and the [[boot:boot_chain|boot chain]], mbm_backup is not signed. <br />
<br />
===== Hypothesis =====<br />
If we could modify mbm_backup and get [[mbmloader|mbm_loader]] to boot it, we could rewrite our own mbm_backup so that it does not consult the cdt to check the signatures of the boot and recovery images.<br />
<br />
'''Edit:''' Static code analysis by yakk has found this hypothesis to be flawed. In his own words, "mbmloader loads both mbm and mbmbackup to check their security versions, in order to upgrade mbmbackup if its version is lower, or to restore mbm if its security version was lowered. This doesn't allow downgrading mbm, and mbmloader knows nothing about the cdt and always tries to load mbm or mbmbackup from fixed addresses and checks the signature." It seems Motorola trusted their ability to prevent users from gaining root, which prevents mbm and mbmbackup from being downgraded at the same time (which would succeed at downgrading mbm).<br />
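<br />
To make the Edit concrete, here is an added example (not mbmloader code, and not from the wiki) that models only the policy yakk describes: both images are loaded from fixed addresses, their signatures are checked, mbmbackup is upgraded when its security version is lower, and mbm is restored when its own version was lowered. The field names, the "halt" outcome when neither image verifies, and the repair of a corrupt backup from a valid mbm are this example's assumptions; the scenarios at the bottom are the attack ideas from this page run against that model.<br />

```python
"""Model of the mbmloader policy yakk describes (added example, not real code).

Only the behaviour quoted in the Edit is encoded: fixed load addresses,
signature checks on both images, upgrade of mbmbackup when its security
version is lower, restore of mbm when its version was lowered. The 'halt'
outcome and the repair of a corrupt backup are assumptions of this model.
"""
from dataclasses import dataclass


@dataclass
class Image:
    name: str
    sig_ok: bool      # would the Motorola CSF/HAB signature check pass?
    secver: int       # security (anti-rollback) version carried by the image
    blob: bytes = b""


def mbmloader_select(mbm, backup):
    """Return (image that gets booted or None, list of actions taken)."""
    actions = []
    if mbm.sig_ok and backup.sig_ok:
        if backup.secver < mbm.secver:
            actions.append("copy mbm -> mbmbackup")        # upgrade the backup
            backup = Image("mbmbackup", True, mbm.secver, mbm.blob)
        elif mbm.secver < backup.secver:
            actions.append("restore mbmbackup -> mbm")     # mbm was downgraded
            mbm = Image("mbm", True, backup.secver, backup.blob)
        return mbm, actions
    if backup.sig_ok:                                      # mbm corrupt/unsigned
        actions.append("restore mbmbackup -> mbm")
        return Image("mbm", True, backup.secver, backup.blob), actions
    if mbm.sig_ok:                                         # assumption: repair backup
        actions.append("repair mbmbackup from mbm")
        return mbm, actions
    actions.append("halt: no valid mbm")                   # assumption: brick
    return None, actions


def scenarios():
    """The attack ideas from this page, run against the model."""
    genuine5 = Image("mbm", True, 5, b"v5")
    backup5 = Image("mbmbackup", True, 5, b"v5")
    old4 = Image("mbm", True, 4, b"v4")
    return {
        # 'write trash on mbm' + patched (unsigned) backup: nothing boots
        "trash mbm, patched backup":
            mbmloader_select(Image("mbm", False, 0, b"trash"),
                             Image("mbmbackup", False, 5, b"patched")),
        # 'write trash on mbm' with a genuine backup: backup is restored, not our code
        "trash mbm, genuine backup":
            mbmloader_select(Image("mbm", False, 0, b"trash"), backup5),
        # downgrade mbm alone to a genuine older version: undone from the backup
        "downgrade mbm only": mbmloader_select(old4, backup5),
        # downgrade both at once: the only path that leaves the old mbm in place
        "downgrade both":
            mbmloader_select(old4, Image("mbmbackup", True, 4, b"v4")),
        # what [mbm] observed after an OTA: the backup is brought up to date
        "ota updated mbm only":
            mbmloader_select(genuine5, Image("mbmbackup", True, 4, b"v4")),
    }


if __name__ == "__main__":
    for name, (booted, actions) in scenarios().items():
        print(f"{name:<28} boots={booted.blob if booted else None} {actions}")
```

The model also reproduces the cloning observation in the Problems section below: after an OTA that only updated mbm, the loader copies mbm over the older backup, which is why [mbm] found the two partitions identical.<br />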
<br />
===== Problems =====<br />
=== Mbm_backup cloning issue ===<br />
<br />
According to [mbm] (the user on #milestone-modding, not the partition), he received an OTA update that updated his mbm. Afterwards he checked his mbm_backup and found it equal to the mbm partition, even though the OTA update didn't touch it.<br />
<br />
== Why did it happen ? ==<br />
We think (this has not been checked!) that the mbm_loader does something like the following:<br />
<br />
Something checks whether mbm is valid; if it is, it seems to copy mbm over to mbm_backup (only if they differ?).<br />
<br />
Questions: <br />
* Does the "something" copy the mbm to mbm_backup only if the mbm and mbm_backup are different?<br />
* Does the "something" copy the mbm to mbm_backup only if mbm isn't working?<br />
<br />
=== How to modify the mbm_backup ===<br />
We need to modify mbm_backup so that it loads our unsigned boot/recovery images. <br />
<br />
Ideas: <br />
# Find the mbm_backup routine that checks the signature based on the cdt and make it always return "true"<br />
# Find the boot.img and recovery.img checks and patch the code so that it no longer calls the routine above<br />
<br />
Problems: <br />
# If we modify mbm_backup to suit our needs and get it wrong, we will probably brick the phone.<br />
<br />
=== How to tell mbm_loader to boot mbm_backup ===<br />
We need to find a way to make mbm_loader run mbm_backup instead of mbm. <br />
<br />
Ideas:<br />
# Write some kind of garbage over mbm<br />
<br />
Problems:<br />
# Nobody knows how mbm_loader works, or whether it would really fall back to mbm_backup if mbm is not properly signed. (We need an ARM asm expert :P)</div>Wikiadminhttp://www.droid-developers.org/wiki/2ndboot2ndboot2010-08-09T08:33:09Z<p>Wikiadmin: </p>
<hr />
<div>=== 2ndboot ===<br />
<br />
This is a bootloader that can boot a custom boot image even though Droid-family phones have a locked bootloader. <br />
<br />
It consists of:<br />
* a small kernel module that creates a device for booting and controlling the boot<br />
* a small userspace program that hands the boot image and flags to the module<br />
* a universal bootloader that can boot from many places<br />
<br />
It is derived from the collaborative work of '''yakk''' and '''dimichxp''' on a bootloader for older Motorola phones,<br />
before their RSA was cracked.<br />
<br />
This project has now been ported to the Milestone hardware and can boot a custom kernel fully, except for the baseband part.<br />
<br />
Here you can find current development sources of 2ndboot: [http://bitbucket.org/droiddev/2ndboot/overview]<br />
<br />
See published binaries: [http://www.droid-developers.org/files/2ndboot.rar|here (build number 1.03)] and [http://www.droid-developers.org/files/uploads/kern0231.rar|here (build number 2.31)].<br />
<br />
Developing 2ndboot and a custom bootloader/kernel also requires debugging over the serial port: [[Tools:debugging|Debugging]]</div>Wikiadmin