E680 Firmware hacking

Updates

The new firmware for e680/i and 1200 is being uploaded,
the links will appear here when they're up.
Have fun!
- RSD Lite v2.7
- Rohs-modded AEP e680i firmware full + e680 hack
- A1200 v48 firmware
- A1200 v40 firmware

OLD STUFF

Check out the new utilities !
Bash and slocate and Less and Iproute2 and Nmap are here too !
The best way to run:
create dirs:
/diska/bin
/diska/lib
put the libraries in the lib
put the binaries in the bin
create a file /diska/profile
put this inside:
---
 . /home/native/.profile
 export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/helix:/diska/lib
 export PATH=$PATH:/diska/bin
---
then, when logged in, do this:
. /diska/profile
(space between the dot and slash is IMPORTANT)
ash

old UPDATE !!!
There wa a typo in the /proc/ name.
It's /proc/motusbd, not usbmotd !
----

Screenshots of OPIE running on e680i here:Opie


As you all know, modification to existing firmware is possible, using the MultiFlexTool by motorola (part of the PST package). So, using a modified firmware (being uploaded) that starts scripts:
/mmc/mmca1/acmattach.txt when modem usb attached
/mmc/mmca1/acmdetach.txt when modem usb detached
/mmc/mmca1/storattach.txt when storage usb attached
/mmc/mmca1/stordetach.txt when storage usb detached
/mmc/mmca1/startup.txt when starting up.
So, by adding a line
echo MotNet > /proc/motusbd
to acmattach.txt you get USB to put itself into USBLAN mode (the mode=99 one).
That's basicaly it ;)
read on on the forum how to flash modified firmware.
p.s. please click on banners at least sometimes ^_^;

Downloads

Example of encoded video clip : Ding-Ding!

Sorry, the binaries had to be pulled, too much traffic. Please use the torrent to download what you need. (you can select only the needed files from the torrent)
Update: the upload is on an adsl line, so it'll take at least until tomorrow for all the files to be up. So, either leave the torrent open in hopes for it to download fast, or just try again tomorrow. Btw, if you already have the files, put them in the downloading directory and start the torrent again. Hopefully, it'll recognize them and help seed !!! thanks
Torrent for all the files (r51 and e680i firmware, utils and usblan hack)
Lots of utils (nano,top,nc etc +libs)
  binaries: stun-client, dmesg, free, killall, ldd, nano, nattest, nc, pstree, renice, snarf, snice, strace, top, uptime, vmstat, w, watch.
  libs: bluetooth, form, menu, ncurses, panel, proc
NEW!!! slocate (+updatedb) !!!
NEW!!! bash !!!
NEW!!! less !!!
NEW!!! iproute2 (connect to internet from phone)
NEW!!! nmap

WARNING

Procedure to backup your firmware is yet unknown.
By flashing your phone you are losing your current firmware and everything stored in flash.

Flashing procedure

First, to flash your e680, install PST 7.11, and plug the phone in using modem USB mode.
After that, either use PST directly (not recommended), or run the MultiFlashFlex.exe program located in your PST dir (C:\Program Files\Motorola\PST by default).

The phone should connect and be recognized. After clicking "Start", do not touch anything and do not remove cable from phone.
There's a stage where the phone erases its flash. The program will look dead.
It is NOT. Wait until it finishes and do NOT disconnect the phone.
After the flash is finished, you can reboot your phone and enjoy the new firmware.

In case you still managed to break the flashing process, and got something corrupted, all is not lost yet. If you didn't corrupt the bootloader (most probably), you can do the following to start the phone in flashing mode:
Hold the top-right and bottom-left SIDE buttons while switching the phone ON.
It should show a blue screen and load the bootloader.
If everything went fine, start the flashing program and try to reflash again.
If you still get problems, try flashing with another firmware file.

Firmware contents

The firmware files (*.shx) contain header with some identifiers (if someone decodes them, please leave a message), and then binary files in Motorola's S-format.

S-format is an ascii-only format for binary files representation for firmware storage. It differs from intel hex, uu and base64.

Since the firmware file is solid, before decoding you should split it up. The boundaries for splits are S0 identifiers. Each S0 string identifies a unique binary file.

The R51_a1p version contains, f.e.:

 code_map
 code_group0
 HDR (split into 4 files)
 /vobs/platform2000/code/R51_G_0F.51.A1P_0F.40.B1P/apimage/GAS_ASIA_T672LE_P004.img
    mount -t vfat /dev/tffsb1 /diska -o uid=2000 -o gid=233 -o iocharset=utf8 -o noatime
 /vobs/platform2000/code/R51_G_0F.51.A1P_0F.40.B1P/apimage/R51_G_0F.51.A1P_zImage
    compressed kernel
 /vobs/platform2000/code/R51_G_0F.51.A1P_0F.40.B1P/apimage/R51_G_0F.51.A1P_rootfs_cramfs.img
    mounted as /dev/root on / type cramfs
 /vobs/platform2000/code/R51_G_0F.51.A1P_0F.40.B1P/apimage/R51_G_0F.51.A1P_userfs_hat.img
    mount -t vfm /dev/mtdblock2 /ezxlocal
 /vobs/platform2000/code/R51_G_0F.51.A1P_0F.40.B1P/apimage/GAS_ASIA_T672LE_R51_G_0F.51.A1P_L001.img
    mounted as /dev/tffsa on /usr/language type cramfs
 /vobs/platform2000/code/R51_G_0F.51.A1P_0F.40.B1P/apimage/GAC_GENERIC_CORE_G003.img
    compressed bitmap logo
 /vobs/platform2000/code/R51_G_0F.51.A1P_0F.40.B1P/apimage/GAS_ASIA_T672LE_S005.img
    mounted as /dev/roflash2 on /usr/setup type cramfs

p.s. The S7.. strings can be deleted as they point to the execution address, which is worthless for us.

After splitting the shx file, you will get multiple s-format-encoded binary files. Use a conversion utility to decode them, and to encode back later on.
One such utility is binex.
After conversion with binex of each file (binex /b file.s19), binex will create an WWXXYYZZ.BIN file, where WWXXYYZZ stand for the address that binary should've been written onto when flashing.

From in-system information, addresses/sizes are:

 Bootloader: 128KBytes at 0x01FC0000 (unknown. CORE is a logo, not bootloader)
 Kernel: 896KBytes at 0x00020000 (zImage)
 VFM Filesystem: 5632KBytes at 0x01A00000 (userfs)
 Root Filesystem: ????KBytes at 0x00120000 (rootfs) -- may be 20MBytes ?

Execution address seems to be 0x11000000 (from S70511000000FA in shx file) for what its worth.
After unpacking, you can mount each image and tinker with its contents.

Future tasks

It probably is possible to change the images and put them back into firmware (after encoding back to s19).
It may even be risk-free, if the bootloader section is not touched. Apparently, the "/vobs/" is the cvs-like repository at Moto, they're creating images directly from the stable repository. Platform2000 is a generic GSM platform for Moto phones running linux. The bootloader is product-dependent and sits in gsm_bootloader.S and gsm_raflash.S and provides display support for flash mode.

Author

silvio

Counter :