Archive for March, 2011


Motorola XT300/Spice – Recovering

There are six ways to recover your phone, from various stages of damage. Of course, for most of these processes, you still need to get your hands on a stock rom image, or have your own ready from a previous backup.( I explained earlier the recommended steps to begin using your phone)

The simpler once are the hard reset and data wipe, which just remove normal user info/modifications as the registered accounts, settings and user installed apps.

Both can be accessed through the recovery boot, powering up the device with POWER+X and the pressing ALT+L on the exclamation mark screen. Then select the desired option with the volume keys and press enter when satisfied(or not) with your choice.

This is the most recommended recovery for simple problems that were probably not caused by inadvertent hacking.

Through the recovery boot it is also possible to flash a from the root of your sdcard. This package can do a multitude of things, basically change every aspect of the phone. BUT, and thats a BIG but, the apparently needs to be signed to be used with the stock recovery boot and thus, cannot be used to recover your phone(unless someone hacks on up or leaks an original one).

The most recommended and probably useful to recovery your phone from problems/hacks/whatsoever is the flashboot process. This allows direct flashing of the images at the bootloader stage, which AFAIK is not easily broken. To enter the fastboot mode, power your device pressing POWER+VOLUME KEYS. This will present a blue image. Connect your usb cable and get a copy of the fastboot binary for your computer(google it).

(Yeah.. I erased it… no fastboot anymore.. erase recovery too, don’t know if recovery would be booted. Wouldn’t help probably.)

With fastboot you can flash the partitions back to the stock ones(boot, system, recovery). Have tested to recovery my recovery in this mode. Will not boot modded partitions because of the certificate verification mentioned in an earlier post.

Note: I haven’t been able to recovery from a corrupted system partition. When repacking the extracted system.tar.gz(acquired via romdump) the phone apparently installs the data partition but enters bootloop afterwards…

Fastboot flashing update.zips, although these appear to be different from the ones used by the recovery mode.
They must have one of the following files:


android-product seems to be older, and is transformed to

board=$(cat android-product.txt)

which should be similar to the content of android-info.txt…
This must also contain at least boot.img and system.img.
Can have recovery.img.
Can use boot.sig, system.sig, recovery.sig(whatever those really are)

Note: using android-product.txt does not seem to work, apparently because of the fact that by default the requirement for baseband is ‘’, whereas the device has an empty baseband(?)

My android-product.txt ended up being just:


It appears that this does not need to be signed, ignores any other files(? at least system/ and META-INF) present in the zip.

You can also recover your phone with the flash_image binary for android. The problem is that to use it, your system must be running and you must have rooted it. So you can in theory only restore the recovery partition this way.

RSD mode… Apparently motorola has developed a proprietary protocol similar to fastboot to flash stuff onto your phone. This would require sbf images or signed update.zips(AFAIK) to be used with RSD-Lite. The problem is, AFAIK, the rsd mode in xt300/spice’s boot has not been discovered yet. Sorry.(UPDATED! boot pressing space to enter the RSD mode!)

So, the SBF images can be gotten when updating the phone using the Software Updater available from motorola. It will download the SBF files when you update, just make sure you save them. They are downloaded to the softwares program files.
Apparently it IS possible to flash an SBF image onto the XT300, but it hasn’t really a RSD mode. When rebooting into bootloader, the RSD mode can be accessed for a time, then the bootloader passes on. Using rsd-lite to reboot the phone into rsd-mode/bootloader should work.

I will make an sbf image available here in the future, when I have time again.

Sorry, I’ve been busy with my new Nexus One I bought in eBay for $260 and is having that weird touchscreen problem where touches register in the wrong height…

Apparently the RSD/BOOTLOADER mode has been found for the XT300. YAY!
Just power on the phone while space is pressed! Should be usable with RSD Lite to flash an SBF image. Have not tested the flashing.
(via Mariano, mipcomp[AT gmail])

As always, when installing another/new/whatever Android OS, clear cache and userdata(factory reset)… this normally prevents bootloops and other bugs… the downside is that you have to configure everything again and download the apps once more.


Motorola XT300/Spice – More about bootable images

As described in the android source, the format of the boot images (boot.img and recovery.img) is simple.

The first 2048 bytes are the header, which contains information about the image.

Then comes the kernel, then the ramdisk, then optionally the second stage.

Since the image is divided into pages, between each of those code segments is a padding(of 0x00).

OF COURSE the images by motorola in the XT300 do NOT follow this standard.

The *_size and *_addr are different. did not manage to understand those. The kernel is compressed in gzip apparently(search for the gzip magic 1f 8b 08 00) with a a binary that handles the decompressing as prefix for the code block.

The binary header code is probably the bootloader. As explained in another post, when erasing the boot partition, fastboot disappears and the device ends unrecoverable from our point of view. Seems to be the same method used in the droid with the mbmloader, etc.

The biggest problem is that at the end of the image is the CERTIFICATE. YAY! The certificate is a encrypted section which stores a kind of checksum of the image. The bootloader decrypts this checksum and then verifies it against the present image.

So, without being able to modify this checksum since it is encrypted by motorola, a custom boot image can’t be run. This sucks. Thanks Motorola…

I made my certs available:

Sorry, I do not know which format they are in and hence how to show them as text with openssl. If someone finds out, please leave a comment.


Motorola XT300/Spice – First Things First

First thing you’ll want to do is to have a backup! I recommend using romdump or nandroid to do this. I think it is better to do this before doing any customization to your phone, including setting up your google account, so that nothing can change your backup.(Even though only the userdata partition should be editable in the phone and hold your information effectively.)

Both of these tools extract all the content from the important partitions on your device(boot, recovery and system), which make up the ‘rom’ of the device.

You’ll probably need to root your phone (AFAIK) and install a terminal emulator. I think ADB(toolset available in the android sdk which can operate directly to the phone, including a shell, when the device is in debug mode) is not enough. I installed ConnectBot. The pity is that this program is best used with the physical keyboard since the virtual one overlaps your active prompt. But the orientation of the app is landscape mode and the physical keyboard is not. Kind of a pain.

I did my rooting with z4root, temporarily. z4root, in root mode, can also reroot or unroot your phone(just for the record).

The system partition is tarred normally, and so it’s ease to extract. Boot and recovery images are a datafile compose of the kernel, ramdisk and some additional information. It can be split with certain linux tools.

I then setup my google account, installed Titanium Backup(which needs root to work) and backed up again. It’s nice it updates your busybox version to a stable one. I find this program overrated. It does only backup userspace apps, not system installed ones. But it’s great to remove unwanted system apps, which I’ll describe next.

The phone comes with FlashbackSHOP4APPS and Phone Portal(or similar), all of them motorola cpu hogging applications.

Flashback records and shows your and your contacts activities, including calls, messages, faceboot updates, etc. Shopp4apps is a market replacement(?) which is totally useless and Phone Portal provides interactivity to the Motorola PC Tools.. I think.

I, of course,  removed those apps.

The only customization I really recommend doing, just for the sake of usability, is installing Launcher Pro, which is free and allows great improvement and customization of your launch screen.


Motorola XT300/Spice – Juicy Details

Note: This post will be updated on the go as I find new and juicier details about the spice.

Now, the more juicier details about this phone and a small description on how android works.

Canadian build is SESLA_U3_01.53.1_R01 101112. (Moto_Version.01.53.101.XT300.Mobilicity.en.NA)

Brazillian build is SESLA_U3_01.44.4 101026.


(diff tells me a lot of the files in the two rom dumps differ, including system binaries)

Also the APN files(which specify network operator connectivity) are diferent, so using a phone/rom in the wrong country will have drawbacks.(like connecting EDGE/GPRS/UMTS/etc)

Recovery Mode:

Power up pressing POWER+X until exclamation mark appears. Then Alt+L to go to the recovery menu.

Here you can wipe your phone, cache, flash an, run a command or just reboot to normal mode.

Since it’s a MOTOROLA(meh) stock recovery partition, it does not accept unofficial signed update.zips(AFAIK).

USB Flashboot:

Power up holding both volume buttons.

Now, these steps are based on a clean phone, just hard reset(or bought).

Fastboot is a protocol that enables direct maintenance actions from the pc through a PC cable. The greatness of this is that you can flash files directly from your computer.

When booting in fastboot mode, the following will appear:

USB FastBoot: V0.5
Machine ID: 1007002 v0
Build Date: Oct 26 2010, 17:31:11

MSM Id: 21
MSM Version: 2.0
Modem Build Id:76XXM-22220MSNCJOLYM
Serial Number: UNKNOWN

ptn 0 name=’boot’ start=297 len=56
ptn 1 name=’system’ start=353 len=1440
ptn 2 name=’userdata’ start=1793 len=1781
ptn 3 name=’cdrom’ start=3574 len=81
ptn 4 name=’misc’ start=3655 len=3
ptn 5 name=’recovery’ start=3658 len=44
ptn 6 name=’cache’ start=3702 len=320
ptn 7 name=’fota_bbuf’ start=4402 len=3
ptn 8 name=’fota_usd’ start=4025 len=3
ptn 9 name=’fota_bua’ start=4028 len=5
ptn 10 name=’fota_ua’ start=4033 len=5
ptn 11 name=’fota_up’ start=4038 len=48
ptn 12 name=’kpanic’ start=4086 len=3

Flashboot responds to the following getvar keys:

version: 0.5

product: XT300

I tried to boot several kernels/kernel+ramdisks/boot.img/recovery.img and all of the threw the error FAILED (remote: invalid boot image)

This appears to be a sympton of having a locked bootloader… thanks motorola!


It appears that this device does NOT have a locked bootloader(apparently Qualcomm chips do not have this problem). Was told me by #milestone-modding @


I can’t confirm wether the bootloader is really locked or not BUT I know that the recovery and boot partitions are signed, which means that they can’t be tampered with. No yummy custom image loading. It’s weird actually, I tried removing the certificate from the end of the image. Thus, the error ‘CANNOT READ BOOT IMAGE HEADER’ appears in the flashboot screen. But when I flash custom recovery images build with cyanogen it gets stuck at the motorola static logo(probably before the fastboot verification).

For the record, the partition list for the device is(/proc/mtd):

dev: size erasesize name
mtd0: 00700000 00020000 “boot”
mtd1: 0b400000 00020000 “system”
mtd2: 0dea0000 00020000 “userdata”
mtd3: 00a20000 00020000 “cdrom”
mtd4: 00060000 00020000 “misc”
mtd5: 00580000 00020000 “recovery”
mtd6: 02800000 00020000 “cache”
mtd7: 00060000 00020000 “fota_bbuf”
mtd8: 00060000 00020000 “fota_usd”
mtd9: 000a0000 00020000 “fota_bua”
mtd10: 000a0000 00020000 “fota_ua”
mtd11: 00600000 00020000 “fota_up”
mtd12: 00060000 00020000 “kpanic”

The /system/build.prop :

# begin build properties
# autogenerated by Oct 26 17:59:42 BRST 2010
# is obsolete; use ro.product.device
# Do not try to parse or .fingerprint 2.1-update1 SESLA_U3_01.44.4 101026 release-keys
# end build properties
# system.prop for surf
# Set appropriate display density
rild.libargs=-d /dev/smd0
android.keylayout.surf_keypad = /system/usr/keylayout/surf_keypad.kl
android.keychar.surf_keypad = /system/usr/keychars/surf_keypad.kcm
# Define the presence of minipad device
# IKSESAME-73 – Feature 33905 – Enabling software Opengl
# IKSESAME-73 – Feature 33905 – GridView in landscape mode
# IKSESAME-73 – Feature 33905 – flag for enabling VOD for VZW
# IKSESAME-497 – Advanced Photo Editor
# IKSESAME-73 – Feature 33905 – Multimedia permanent de blur for Camera, Media Gallery
# IKSESAME-497 – Advanced Video Editor
# IKSESAME-1689 – PT-CAN: Browser header is incomplete. X_WAP_PROFILE unavailable
# IKSESAME-2650 – Proximity sensor doesn’t work during a call sometime

The /system/default.prop : Nov 18 09:46:28 -0200 2010

Due to a request, here are some details from the About phone screen:

Revision number:0
Model number: XT300
Firmware version: 2.1-update1
Baseband version: A309_U3_01.44.4
Kernel version: 2.6.29 wmm125@zbr05lnxdroid #2
Build number: SESLA_U3_01.44.4

Here is the file list of /system/lib –

And the following is reported by Quadrant:

Vendor: Android
Renderer: Android
PixelFlinger 1.2
Version: OpenGL ES-CM 1.0

Where ‘renderer’ probably indicates that it is down by software, not by the adreno 200, which should be integrated in the MSM7225

When sth goes wrong with the boot, the devices goes into mode 22b8:9002 Motorola PCS, which apparently is a MSM7225 flash interface. Could not find a driver for this in windows, using Motorola’s drivers and RSDlite…
Here is a link to the lsusb info:

Apparently the bootloader resides in the boot partition. Possibly similar to the milestone mbm/mbmloader.
Will check on this after my phone comes back from repair =/

Trying to restore a yaffed system image set me to bootloop. Will try to dump the partition manually, when I get my phone back.


Motorola XT300/Spice – INTRO

I bought myself a Moto XT300/Spice. Since I live in Brazil, I got the Brazilian version of the phone.

I will, in the next days(if I’m not to lazy) write posts about the phone and my experiences with it, and trying to hack it.

Processor: Qualcomm msm7225 @ 528MHz
RAM: 512MB
Screen: Multitouch 3″ TFT QVGA 240×320
Camera: 3.2MP Static Focus
Battery: Motorola BT60
OS: Android Eclair 2.1-update1

Has physical qwerty slide keyboard, compass, accelerometer, backtrack and supports 3G.

Came with a 2GB microSD.

I find the Backtrack useless, camera could be better(as always in smartphones) and I miss flash leds.

While testing my phone I also discovered that rebooting consumes more battery than I thought… Each boot consumes about 10% of your total charge!

The phone comes with FlashbackSHOP4APPS and Phone Portal(or similar), flashback being a motorola cpu hogging application, shop4apps a useless market replacement and phone portal providing some interface with flashback and perhaps the Motorola PC tools.

Flashback records and shows your and your contacts activities, including calls, messages, faceboot updates, etc.

I think that for the price the phone is worthwhile.

Note: My posts about this phone will not be idiot proof. It is always good to google first, since I don’t guarantee that what I’m saying is correct. Feel free to ask how to do something or if I can make a file available for you.

The Author

Older Ramblings


Error: Twitter did not respond. Please wait a few minutes and refresh this page.

Linux User Sig