Main Page


About this site

This wiki documents our research into the internals of the Motorola Droid-family phones (including the Milestone). These phones are:

  1. Motorola Milestone (our primary target)
  2. Motorola Milestone 2
  3. Motorola Defy (MB525)
  4. Motorola Defy+ (MB526)


Join our community! Discuss with us.
Our team | Our IRC channel | IRC log #1 | IRC log #2 | IRC log #3 | Our projects on Gitorious | Our projects on Bitbucket


All about the devices' internals: PCB, chips
Overview | Milestone | Droid | Droid X | Droid 2 | Milestone 2 | Droid 4 | Sholes Tablet XT701 | Milestone XT720 | Titanium XT800 | Ruth ME511 | Charm | Atrix | DEXT | Defy


For developers
Useful information for experts and beginners
Toolchain | CyanogenMod | Compiling | Debugging | QEMU

Information for volunteers

If you are a developer and have a code project for the Droid family of smartphones (e.g. the Milestone), join us on Gitorious.

Even if you're not the technical type, you too can help us mod the Milestone by participating in the PR campaign to force Motorola to unlock it.

If you are the technical type, see our Roadmap and the progress in our Projects.

See the content index here.


Bootloader Unlock
Research into unlocking the boot process of the Application Processor
Booting chain | Security | Cryptography | IDA databases of bootloaders | Disassembling

The recovery image has not been modified yet because we cannot yet control the boot process: each component of the chain appears to carry a digital signature. The bootloader (mbm in particular; neither lbl nor mbmloader accesses the CDT, see here and here) appears to use the cdt partition table to check whether the recovery image is correctly signed. If it is not, the recovery does not start at all and the phone shows bootloader mode instead.
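To make the mechanism described above concrete, here is a toy model of a signature-checked boot stage. It is an added illustration, not code from this wiki or from Motorola's mbm: the CDT layout (offset, length and a `signed` flag per partition), the signature-as-trailer format and the choice of a Lamport one-time hash-based signature are all assumptions made so that the whole thing runs with only the Python standard library. The behaviour it shows is the one the paragraph describes: a correctly signed recovery boots, while an unsigned custom recovery, or a stock one with a single byte patched, leaves the phone in bootloader mode.

```python
"""Toy model of a signature-checked boot stage (illustration only; the CDT
format, the trailer layout and the Lamport scheme are assumptions, not
Motorola's real mbm/CDT implementation)."""
import hashlib
import os
from dataclasses import dataclass

SIG_LEN = 256 * 32  # size of the Lamport signature trailer appended to each image


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bit(digest: bytes, i: int) -> int:
    """Bit i (MSB first) of a 32-byte digest."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_keygen(seed=None):
    """One-time hash-based signature key: sk holds 256 pairs of 32-byte
    secrets, pk their hashes. `seed` is only for a reproducible demo; a real
    signer would use os.urandom."""
    if seed is None:
        seed = os.urandom(32)
    sk = [[H(seed + bytes([i, b])) for b in (0, 1)] for i in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk


def lamport_sign(sk, image: bytes) -> bytes:
    """Reveal, for every bit of H(image), the secret matching that bit."""
    d = H(image)
    return b"".join(sk[i][_bit(d, i)] for i in range(256))


def lamport_verify(pk, image: bytes, sig: bytes) -> bool:
    """Hash every revealed secret and compare with the public half for that bit."""
    if len(sig) != SIG_LEN:
        return False
    d = H(image)
    return all(H(sig[32 * i:32 * i + 32]) == pk[i][_bit(d, i)] for i in range(256))


@dataclass
class CdtEntry:
    offset: int
    length: int
    signed: bool = True  # assumption: the CDT marks which partitions mbm must verify


def make_flash(images):
    """Lay the images out back to back and build the CDT describing them."""
    flash, cdt = bytearray(), {}
    for name, blob in images.items():
        cdt[name] = CdtEntry(offset=len(flash), length=len(blob))
        flash += blob
    return bytes(flash), cdt


def mbm_start(target, flash, cdt, mbm_pks):
    """What mbm does when asked to start `target`: jump to it if its trailer
    verifies against the public key baked into mbm, else stay in bootloader mode."""
    entry, pk = cdt.get(target), mbm_pks.get(target)
    if entry is None or pk is None:
        return "bootloader_mode"
    blob = flash[entry.offset:entry.offset + entry.length]
    if entry.signed:
        if len(blob) < SIG_LEN:
            return "bootloader_mode"
        image, sig = blob[:-SIG_LEN], blob[-SIG_LEN:]
        if not lamport_verify(pk, image, sig):
            return "bootloader_mode"
    return "boot:" + target


def demo():
    """Constructed sample images, not real firmware. One key per slot because
    Lamport keys are one-time."""
    keys = {n: lamport_keygen(seed=H(n.encode())) for n in ("boot", "recovery")}
    mbm_pks = {n: pk for n, (_, pk) in keys.items()}  # public halves embedded in mbm

    def oem_sign(name, payload):
        return payload + lamport_sign(keys[name][0], payload)

    stock = {"boot": oem_sign("boot", b"stock kernel"),
             "recovery": oem_sign("recovery", b"stock recovery")}
    results = {"stock": mbm_start("recovery", *make_flash(stock), mbm_pks)}

    # 1. Unsigned custom recovery: the trailer is garbage, so mbm refuses it.
    custom = dict(stock, recovery=b"custom recovery" + bytes(SIG_LEN))
    results["custom"] = mbm_start("recovery", *make_flash(custom), mbm_pks)

    # 2. One byte patched inside the stock image: the signature no longer
    #    matches the hash, so even a tiny edit drops into bootloader mode.
    patched = bytearray(stock["recovery"])
    patched[0] ^= 0x01
    flash, cdt = make_flash(dict(stock, recovery=bytes(patched)))
    results["patched"] = mbm_start("recovery", flash, cdt, mbm_pks)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>8}: {outcome}")
```

The point of the model is where the trust sits: mbm never consults the image for a key, it only uses the public halves compiled into itself, so re-signing a modified recovery is impossible without the OEM private key, and the only ways around the check are a flaw in the verifier itself or in the stage that verified mbm (which is what the Vulnerability hunting section below is about).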


Baseband Research
All our research on the baseband and RF part of these phones
GSM/UMTS & CDMA Milestone/Droid structure

The Wrigley 3G modem runs the RTXC OS and consists of an ARM core and a TMS320C55x+ DSP core. Our main problem is that Motorola uses a non-standard RIL, part of which is implemented on the AP side. Our second problem is that the TMS320C55x+ is a closed platform with no public datasheets. It differs considerably from the original TMS320C55x architecture and has different opcodes, but radare2 supports this platform and can disassemble it and do simple analysis (you must use the version from git). We also have the asm55p utility from TI, which assembles TMS320 assembler source into a binary.


A miniature bootloader that is called from the original kernel and boots a custom one. As of 11/10/2012, czechop has created a patch that keeps the Wrigley 3G modem working under the child kernel (when called at "sh hijack" time). There are no known issues with the child kernel on the Motorola Milestone.

Vulnerability hunting

As far as we know now, this approach is, if not a waste of time, at least a very long shot. The idea is that reverse engineering the boot ROM, mbmloader and/or mbm might turn up an exploitable vulnerability that lets us gain control of the boot process. Since we already have the source code for lbl, it might be useful too. Mike Baker ([mbm]) has written a memory dumper and dumped the Droid public ROM. We found that all ROMs for the omap3430 are identical, and the same holds for the omap3630. See: Boot chain

Open Recovery

It uses the payload exploit to start the custom recovery application. It supports rooting the phone from a menu, as well as taking backups and flashing unsigned update *.zip files. It also runs ADB.


This tool basically injects code into /init to make it "restart itself", allowing you to use a custom init binary and init.rc scripts without side effects.