Archive for the 'xt300/spice' Category


A Message From The Author


This blog was initially created to enable me to write my experiences and other information I wanted to pass on to others and myself, if I ever need something again.
This has not changed.

The problem is, since I started writing about Android and, more specifically, the XT300, the number of visits to the blog has risen somewhat (in comparison to what they were before; the most visited post was about vBox and Vmware migration).

This is a problem since it tends to increase my guilt of not keeping the blog updated.

And it’s not that I don’t have some things to write about:
-The SESGC rom (SESGC_U3_10.10.0), which was in the Motorola open-source projects on Sourceforge, apparently has the GPU activated, though it is mostly in Chinese and does not have Google integration.
-Back to hacking the XT300, since it now is recoverable with RSD (should test this first)
-My experiences with the Nexus One (vs the XT300) and details about the buggy touchscreen

If anyone has any other idea or suggestion, please tell me in the comments. Note that this blog is focused on specific knowledge, I try to consider all related info and warnings, but I’m not inclined to make very specific and n00b-proof guides.

Well, I feel a little better now, and you know now what’s to come.
This post is like TODO’s in src… not really useful but relieves the guilt 😀


More dumping!

Since I got a brand new refurbished not-completely-working version of my very own phone, I started hacking it again.

And dumping it.

Just to remember how the partition table looks:

dev: size erasesize name
mtd0: 00700000 00020000 "boot"
mtd1: 0b400000 00020000 "system"
mtd2: 0dea0000 00020000 "userdata"
mtd3: 00a20000 00020000 "cdrom"
mtd4: 00060000 00020000 "misc"
mtd5: 00580000 00020000 "recovery"
mtd6: 02800000 00020000 "cache"
mtd7: 00060000 00020000 "fota_bbuf"
mtd8: 00060000 00020000 "fota_usd"
mtd9: 000a0000 00020000 "fota_bua"
mtd10: 000a0000 00020000 "fota_ua"
mtd11: 00600000 00020000 "fota_up"
mtd12: 00060000 00020000 "kpanic"

The cdrom partition contains a CD image, with the files:


and the config.ini content is:

version= 02.00.23


The contents of all the fota* partitions:

00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|

00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|

00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|

00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|

00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|

The misc partition:

00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
00000800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000c40 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
00001800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00020000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|

kpanic partition content:

00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|

I dumped the system partition via cat but unyaffs complained it was not valid…

No idea why really… and the tar backup I created previously was good for shit… stuck in bootloop… perhaps this one does it… who knows..


My Phone Is Back From Repair!

As some might have noticed, I ended up bricking my phone after I tried to replace a lib with a similar one from an HTC phone, where the Adreno renderer was enabled.

Why brick with something so simple? Perhaps I wouldn’t have if I knew some things I know today, like the superoneclick tool which can give you an adb root shell.

My problem was that without the graphical interface working(the new lib did not work at all), the superuser app could not grant super user for my su in adb shell.

I ended up trying to restore my system partition(tar to yaffs2) back to my device, but got stuck in bootloop. GREAT!

Frustrated, I erased everything on my phone(as in boot partition went bye bye). Thus I discovered that the bootloader resided in the boot partition. GREAT²!

Apparently it works similarly to the Droid’s mbmloader scheme. In short, I had only the USB interface to the mbmloader(?), which said ‘MSM7225 Flash’ and which I did not have/find any driver for. And so I took it to the technical assistance.

After 20 days I finally got a call that my phone was back, ready for retrieval. Managed to get there in the same day still, was promptly served at the store and got my phone back.

I turned it on, noted that it didn’t ask for my Google account. So I reset it and booted again. It turned up fine. So my problem had been fixed! Finally! The wait had not been in vain.

Upon arriving home, I started setting up my phone again to a usable state, like disabling the APN connectivity which my phone account is not activated for. To login to my Google account and configure the phone I would have to connect to my WiFi network. I configured it and… it did not connect! WHY?

I erased the connection and tried again. No success… I went to advanced settings, and noted the MAC address: 11:22:33:44:55:66! That is NOT normal; for one, the first byte should be EVEN! 11 is not a valid first byte for a normal device’s MAC address. And 11:22:33 is not even in Motorola’s MAC address range. GREAT³!

I checked the /etc/wifi/nvram.txt file which configures the device’s MAC address; it looks fine…

And so it will come to pass… that I will have to go to the store again. CRAP…

The XT300 came back updated to Baseband version: A306_U3_01.72.0
And version: SESLA_U3_01.72.0

AFAIK, the update is available on Motorola’s crappy website: Moto Helper/Motorola Software Update.

And z4root does not work anymore. Superoneclick does(tested).

I heard that the new version is faster. Would have to remove phone portal and flashback to confirm 😛


Motorola XT300/Spice – Recovering

There are six ways to recover your phone, from various stages of damage. Of course, for most of these processes, you still need to get your hands on a stock rom image, or have your own ready from a previous backup. (I explained earlier the recommended steps to begin using your phone.)

The simpler ones are the hard reset and data wipe, which just remove normal user info/modifications such as the registered accounts, settings and user-installed apps.

Both can be accessed through the recovery boot, powering up the device with POWER+X and then pressing ALT+L on the exclamation mark screen. Then select the desired option with the volume keys and press enter when satisfied (or not) with your choice.

This is the most recommended recovery for simple problems that were probably not caused by inadvertent hacking.

Through the recovery boot it is also possible to flash an update package from the root of your sdcard. This package can do a multitude of things, basically change every aspect of the phone. BUT, and that’s a BIG but, the package apparently needs to be signed to be used with the stock recovery boot and thus cannot be used to recover your phone (unless someone hacks one up or leaks an original one).

The most recommended and probably most useful way to recover your phone from problems/hacks/whatsoever is the fastboot process. This allows direct flashing of the images at the bootloader stage, which AFAIK is not easily broken. To enter the fastboot mode, power up your device pressing POWER+VOLUME KEYS. This will present a blue image. Connect your USB cable and get a copy of the fastboot binary for your computer (google it).

(Yeah.. I erased it… no fastboot anymore.. erase recovery too, don’t know if recovery would be booted. Wouldn’t help probably.)

With fastboot you can flash the partitions back to the stock ones (boot, system, recovery). I have tested recovering my recovery in this mode. It will not boot modded partitions because of the certificate verification mentioned in an earlier post.

Note: I haven’t been able to recover from a corrupted system partition. When repacking the extracted system.tar.gz (acquired via romdump), the phone apparently installs the data partition but enters a bootloop afterwards…

Fastboot can also flash update.zips, although these appear to be different from the ones used by the recovery mode.
They must have one of the following files:


android-product seems to be older, and is transformed to

board=$(cat android-product.txt)

which should be similar to the content of android-info.txt…
This must also contain at least boot.img and system.img.
Can have recovery.img.
Can use boot.sig, system.sig, recovery.sig(whatever those really are)

Note: using android-product.txt does not seem to work, apparently because of the fact that by default the requirement for baseband is ‘’, whereas the device has an empty baseband(?)

My android-product.txt ended up being just:


It appears that this does not need to be signed, ignores any other files(? at least system/ and META-INF) present in the zip.
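A pre-flight check for the package layout described above, as an added example (not the author's code and not fastboot's own). The function names, the key=value parsing of the info file and the comparison of `board` with the `product` getvar are assumptions; both sample archives are constructed in memory.

```python
import io
import zipfile

INFO_FILES = ("android-info.txt", "android-product.txt")
REQUIRED = ("boot.img", "system.img")
OPTIONAL = ("recovery.img", "boot.sig", "system.sig", "recovery.sig")
# getvar answers the post reports for this device
XT300_VARS = {"version": "0.5", "product": "XT300"}


def check_update_zip(fileobj, device_vars=XT300_VARS):
    """Return (requirements, problems, ignored_entries) for an update.zip."""
    problems, reqs = [], {}
    with zipfile.ZipFile(fileobj) as z:
        names = set(z.namelist())
        info = next((n for n in INFO_FILES if n in names), None)
        if info is None:
            problems.append("no android-info.txt or android-product.txt")
        else:
            text = z.read(info).decode("ascii", "replace")
            if info == "android-product.txt":
                text = "board=" + text      # older form holds only the board name
            for line in text.splitlines():
                key, sep, value = line.partition("=")
                if sep:
                    reqs[key.strip()] = value.strip()
        for img in REQUIRED:
            if img not in names:
                problems.append("missing " + img)
            elif z.getinfo(img).file_size == 0:
                problems.append(img + " is empty")
        for key, want in reqs.items():
            # Assumption: "board" is compared with the "product" getvar
            have = device_vars.get("product" if key == "board" else key, "")
            if have != want:
                problems.append("%s: package wants %r, device reports %r"
                                % (key, want, have))
        known = set(INFO_FILES + REQUIRED + OPTIONAL)
        ignored = sorted(n for n in names if n not in known)
    return reqs, problems, ignored


def make_zip(files):
    """Build a constructed update.zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf


GOOD = {"android-product.txt": b"XT300\n", "boot.img": b"B" * 64,
        "system.img": b"S" * 64, "META-INF/MANIFEST.MF": b"x",
        "system/app/Demo.apk": b"x"}
BAD = {"android-info.txt": b"board=OTHER\n", "boot.img": b""}

if __name__ == "__main__":
    for label, files in (("good", GOOD), ("bad", BAD)):
        print(label, check_update_zip(make_zip(files)))
```

The third return value lists the entries the post says are ignored (system/ and META-INF), which makes it easy to spot a recovery-style package handed to fastboot by mistake.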

You can also recover your phone with the flash_image binary for android. The problem is that to use it, your system must be running and you must have rooted it. So you can in theory only restore the recovery partition this way.

RSD mode… Apparently Motorola has developed a proprietary protocol similar to fastboot to flash stuff onto your phone. This would require sbf images or signed update.zips (AFAIK) to be used with RSD-Lite. The problem is, AFAIK, the RSD mode in the xt300/spice’s boot has not been discovered yet. Sorry. (UPDATED! Boot pressing space to enter the RSD mode!)

So, the SBF images can be gotten when updating the phone using the Software Updater available from Motorola. It will download the SBF files when you update; just make sure you save them. They are downloaded to the software’s program files.
Apparently it IS possible to flash an SBF image onto the XT300, but it doesn’t really have an RSD mode. When rebooting into the bootloader, the RSD mode can be accessed for a time, then the bootloader passes on. Using rsd-lite to reboot the phone into rsd-mode/bootloader should work.

I will make an sbf image available here in the future, when I have time again.

Sorry, I’ve been busy with my new Nexus One, which I bought on eBay for $260 and which is having that weird touchscreen problem where touches register at the wrong height…

Apparently the RSD/BOOTLOADER mode has been found for the XT300. YAY!
Just power on the phone while space is pressed! Should be usable with RSD Lite to flash an SBF image. Have not tested the flashing.
(via Mariano, mipcomp[AT gmail])

As always, when installing another/new/whatever Android OS, clear cache and userdata(factory reset)… this normally prevents bootloops and other bugs… the downside is that you have to configure everything again and download the apps once more.


Motorola XT300/Spice – More about bootable images

As described in the android source, the format of the boot images (boot.img and recovery.img) is simple.

The first 2048 bytes are the header, which contains information about the image.

Then comes the kernel, then the ramdisk, then optionally the second stage.

Since the image is divided into pages, there is padding (of 0x00) between each of those code segments.

OF COURSE the images by Motorola in the XT300 do NOT follow this standard.

The *_size and *_addr fields are different; I did not manage to understand those. The kernel is apparently compressed with gzip (search for the gzip magic 1f 8b 08 00), with a binary that handles the decompression as a prefix to the code block.

The binary header code is probably the bootloader. As explained in another post, when erasing the boot partition, fastboot disappears and the device ends up unrecoverable from our point of view. Seems to be the same method used in the Droid with the mbmloader, etc.

The biggest problem is that at the end of the image is the CERTIFICATE. YAY! The certificate is an encrypted section which stores a kind of checksum of the image. The bootloader decrypts this checksum and then verifies it against the present image.

So, without being able to modify this checksum since it is encrypted by motorola, a custom boot image can’t be run. This sucks. Thanks Motorola…

I made my certs available:

Sorry, I do not know which format they are in and hence how to show them as text with openssl. If someone finds out, please leave a comment.
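To make the layout described in this post concrete, here is an added example (not the author's code) that parses the standard header from the Android source's bootimg.h, computes where each page-padded segment should sit, lists every gzip magic, and measures whatever is left after the declared end of the image, which is where the post says the certificate is. The sample image, its addresses and its 256-byte trailer are constructed; the dictionary keys are hypothetical names.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
GZIP_MAGIC = bytes.fromhex("1f8b0800")   # the gzip magic quoted in the post
# AOSP bootimg.h header: magic, kernel size/addr, ramdisk size/addr,
# second size/addr, tags addr, page size, 2 unused words, name, cmdline, id[8]
HEADER = struct.Struct("<8s10I16s512s8I")


def round_up(size, page):
    """Round a segment size up to a whole number of pages."""
    return (size + page - 1) // page * page


def analyze(img):
    """Lay out a boot image and report what falls outside the standard layout."""
    if len(img) < HEADER.size or img[:8] != BOOT_MAGIC:
        raise ValueError("no ANDROID! header at offset 0")
    f = HEADER.unpack_from(img)
    ksz, rsz, ssz, page = f[1], f[3], f[5], f[8]
    if page == 0 or page & (page - 1):
        raise ValueError("page size %d is not a power of two" % page)
    k_off = page                               # the header fills one page
    r_off = k_off + round_up(ksz, page)
    s_off = r_off + round_up(rsz, page)
    end = s_off + round_up(ssz, page)
    gz, pos = [], img.find(GZIP_MAGIC)
    while pos != -1:                           # every gzip stream start
        gz.append(pos)
        pos = img.find(GZIP_MAGIC, pos + 1)
    in_kernel = [o for o in gz if k_off <= o < k_off + ksz]
    trailer = img[end:]
    return {
        "kernel": (k_off, ksz), "ramdisk": (r_off, rsz), "second": (s_off, ssz),
        "declared_end": end,
        "truncated": end > len(img),           # sizes claim more than we have
        "gzip_offsets": gz,
        # bytes of loader stub in front of the compressed kernel, if any
        "kernel_stub_len": in_kernel[0] - k_off if in_kernel else None,
        # data past the declared end that is neither erased flash nor padding
        "trailer_len": len(trailer.strip(b"\x00\xff")),
    }


def build_sample():
    """Constructed image: 24-byte stub + gzip kernel, gzip ramdisk, 256-byte trailer."""
    page = 2048
    kernel = b"\xea" * 24 + GZIP_MAGIC + b"K" * 3000
    ramdisk = GZIP_MAGIC + b"R" * 500
    hdr = HEADER.pack(BOOT_MAGIC, len(kernel), 0x10008000, len(ramdisk),
                      0x11000000, 0, 0x10F00000, 0x10000100, page, 0, 0,
                      b"sample", b"", *([0] * 8))
    pad = lambda b: b.ljust(round_up(len(b), page), b"\x00")
    return pad(hdr) + pad(kernel) + pad(ramdisk) + b"\xc3" * 256


if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(key, value)
```

On a raw partition dump, a `truncated` result or gzip offsets that fall outside the computed segments are the signs that the size fields do not follow the standard, as the post reports for the XT300 images.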


Motorola XT300/Spice – First Things First

First thing you’ll want to do is to have a backup! I recommend using romdump or nandroid to do this. I think it is better to do this before doing any customization to your phone, including setting up your Google account, so that nothing can change your backup. (Even though only the userdata partition should be editable in the phone and hold your information effectively.)

Both of these tools extract all the content from the important partitions on your device(boot, recovery and system), which make up the ‘rom’ of the device.

You’ll probably need to root your phone (AFAIK) and install a terminal emulator. I think ADB(toolset available in the android sdk which can operate directly to the phone, including a shell, when the device is in debug mode) is not enough. I installed ConnectBot. The pity is that this program is best used with the physical keyboard since the virtual one overlaps your active prompt. But the orientation of the app is landscape mode and the physical keyboard is not. Kind of a pain.

I did my rooting with z4root, temporarily. z4root, in root mode, can also reroot or unroot your phone(just for the record).

The system partition is tarred normally, and so it’s easy to extract. Boot and recovery images are a data file composed of the kernel, ramdisk and some additional information. It can be split with certain linux tools.

I then set up my Google account, installed Titanium Backup (which needs root to work) and backed up again. It’s nice that it updates your busybox version to a stable one. I find this program overrated. It only backs up userspace apps, not system-installed ones. But it’s great for removing unwanted system apps, which I’ll describe next.

The phone comes with Flashback, SHOP4APPS and Phone Portal (or similar), all of them Motorola CPU-hogging applications.

Flashback records and shows your and your contacts’ activities, including calls, messages, Facebook updates, etc. SHOP4APPS is a market replacement(?) which is totally useless, and Phone Portal provides interactivity with the Motorola PC Tools.. I think.

I, of course, removed those apps.

The only customization I really recommend doing, just for the sake of usability, is installing Launcher Pro, which is free and allows great improvement and customization of your launch screen.


Motorola XT300/Spice – Juicy Details

Note: This post will be updated on the go as I find new and juicier details about the spice.

Now, the juicier details about this phone and a small description of how Android works.

Canadian build is SESLA_U3_01.53.1_R01 101112. (Moto_Version.01.53.101.XT300.Mobilicity.en.NA)

Brazilian build is SESLA_U3_01.44.4 101026.


(diff tells me a lot of the files in the two rom dumps differ, including system binaries)

Also the APN files (which specify network operator connectivity) are different, so using a phone/rom in the wrong country will have drawbacks (like connecting EDGE/GPRS/UMTS/etc).

Recovery Mode:

Power up pressing POWER+X until exclamation mark appears. Then Alt+L to go to the recovery menu.

Here you can wipe your phone, cache, flash an update package, run a command or just reboot to normal mode.

Since it’s a MOTOROLA(meh) stock recovery partition, it does not accept unofficial signed update.zips(AFAIK).

USB Fastboot:

Power up holding both volume buttons.

Now, these steps are based on a clean phone, just hard reset(or bought).

Fastboot is a protocol that enables direct maintenance actions from the pc through a PC cable. The greatness of this is that you can flash files directly from your computer.

When booting in fastboot mode, the following will appear:

USB FastBoot: V0.5
Machine ID: 1007002 v0
Build Date: Oct 26 2010, 17:31:11

MSM Id: 21
MSM Version: 2.0
Modem Build Id:76XXM-22220MSNCJOLYM
Serial Number: UNKNOWN

ptn 0 name='boot' start=297 len=56
ptn 1 name='system' start=353 len=1440
ptn 2 name='userdata' start=1793 len=1781
ptn 3 name='cdrom' start=3574 len=81
ptn 4 name='misc' start=3655 len=3
ptn 5 name='recovery' start=3658 len=44
ptn 6 name='cache' start=3702 len=320
ptn 7 name='fota_bbuf' start=4402 len=3
ptn 8 name='fota_usd' start=4025 len=3
ptn 9 name='fota_bua' start=4028 len=5
ptn 10 name='fota_ua' start=4033 len=5
ptn 11 name='fota_up' start=4038 len=48
ptn 12 name='kpanic' start=4086 len=3

Fastboot responds to the following getvar keys:

version: 0.5

product: XT300

I tried to boot several kernels/kernel+ramdisks/boot.img/recovery.img and all of them threw the error FAILED (remote: invalid boot image)

This appears to be a symptom of having a locked bootloader… thanks Motorola!


It appears that this device does NOT have a locked bootloader (apparently Qualcomm chips do not have this problem). I was told this by #milestone-modding @


I can’t confirm whether the bootloader is really locked or not BUT I know that the recovery and boot partitions are signed, which means that they can’t be tampered with. No yummy custom image loading. It’s weird actually, I tried removing the certificate from the end of the image. Thus, the error ‘CANNOT READ BOOT IMAGE HEADER’ appears in the fastboot screen. But when I flash custom recovery images built with cyanogen, it gets stuck at the Motorola static logo (probably before the fastboot verification).

For the record, the partition list for the device is (/proc/mtd):

dev: size erasesize name
mtd0: 00700000 00020000 "boot"
mtd1: 0b400000 00020000 "system"
mtd2: 0dea0000 00020000 "userdata"
mtd3: 00a20000 00020000 "cdrom"
mtd4: 00060000 00020000 "misc"
mtd5: 00580000 00020000 "recovery"
mtd6: 02800000 00020000 "cache"
mtd7: 00060000 00020000 "fota_bbuf"
mtd8: 00060000 00020000 "fota_usd"
mtd9: 000a0000 00020000 "fota_bua"
mtd10: 000a0000 00020000 "fota_ua"
mtd11: 00600000 00020000 "fota_up"
mtd12: 00060000 00020000 "kpanic"
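The fastboot partition table and /proc/mtd describe the same flash, so one can be checked against the other before trusting either when dumping. The following is an added example, not the author's code: it embeds both tables from this post (with plain ASCII quotes), checks that each fastboot len times the erase size equals the /proc/mtd size, and checks that every partition starts where the previous one ends. The function and constant names are hypothetical.

```python
import re

# Both tables are copied from the post.
PROC_MTD = """\
mtd0: 00700000 00020000 "boot"
mtd1: 0b400000 00020000 "system"
mtd2: 0dea0000 00020000 "userdata"
mtd3: 00a20000 00020000 "cdrom"
mtd4: 00060000 00020000 "misc"
mtd5: 00580000 00020000 "recovery"
mtd6: 02800000 00020000 "cache"
mtd7: 00060000 00020000 "fota_bbuf"
mtd8: 00060000 00020000 "fota_usd"
mtd9: 000a0000 00020000 "fota_bua"
mtd10: 000a0000 00020000 "fota_ua"
mtd11: 00600000 00020000 "fota_up"
mtd12: 00060000 00020000 "kpanic"
"""
FASTBOOT_PTN = """\
ptn 0 name='boot' start=297 len=56
ptn 1 name='system' start=353 len=1440
ptn 2 name='userdata' start=1793 len=1781
ptn 3 name='cdrom' start=3574 len=81
ptn 4 name='misc' start=3655 len=3
ptn 5 name='recovery' start=3658 len=44
ptn 6 name='cache' start=3702 len=320
ptn 7 name='fota_bbuf' start=4402 len=3
ptn 8 name='fota_usd' start=4025 len=3
ptn 9 name='fota_bua' start=4028 len=5
ptn 10 name='fota_ua' start=4033 len=5
ptn 11 name='fota_up' start=4038 len=48
ptn 12 name='kpanic' start=4086 len=3
"""

MTD_RE = re.compile(r'^mtd\d+: ([0-9a-f]+) ([0-9a-f]+) "(\w+)"', re.M)
PTN_RE = re.compile(r"name='(\w+)' start=(\d+) len=(\d+)")


def cross_check(mtd_text, ptn_text):
    """Return (name, issue) pairs where the two tables disagree."""
    mtd = {m[3]: (int(m[1], 16), int(m[2], 16)) for m in MTD_RE.finditer(mtd_text)}
    findings, expected = [], None
    for m in PTN_RE.finditer(ptn_text):
        name, start, length = m[1], int(m[2]), int(m[3])
        size, erase = mtd[name]
        if size != length * erase:          # len is counted in erase blocks
            findings.append((name, "size differs from /proc/mtd"))
        if expected is not None and start != expected:
            findings.append((name, "start %d, expected %d" % (start, expected)))
        expected = start + length
    return findings


if __name__ == "__main__":
    print(cross_check(PROC_MTD, FASTBOOT_PTN))
```

On the tables above every size matches, so len is counted in 0x20000-byte erase blocks; the only discontinuity is around fota_bbuf, whose printed start=4402 does not follow cache (3702 + 320 = 4022).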

The /system/build.prop :

# begin build properties
# autogenerated by Oct 26 17:59:42 BRST 2010
# is obsolete; use ro.product.device
# Do not try to parse or .fingerprint 2.1-update1 SESLA_U3_01.44.4 101026 release-keys
# end build properties
# system.prop for surf
# Set appropriate display density
rild.libargs=-d /dev/smd0
android.keylayout.surf_keypad = /system/usr/keylayout/surf_keypad.kl
android.keychar.surf_keypad = /system/usr/keychars/surf_keypad.kcm
# Define the presence of minipad device
# IKSESAME-73 – Feature 33905 – Enabling software Opengl
# IKSESAME-73 – Feature 33905 – GridView in landscape mode
# IKSESAME-73 – Feature 33905 – flag for enabling VOD for VZW
# IKSESAME-497 – Advanced Photo Editor
# IKSESAME-73 – Feature 33905 – Multimedia permanent de blur for Camera, Media Gallery
# IKSESAME-497 – Advanced Video Editor
# IKSESAME-1689 – PT-CAN: Browser header is incomplete. X_WAP_PROFILE unavailable
# IKSESAME-2650 – Proximity sensor doesn’t work during a call sometime

The /system/default.prop : Nov 18 09:46:28 -0200 2010

Due to a request, here are some details from the About phone screen:

Revision number:0
Model number: XT300
Firmware version: 2.1-update1
Baseband version: A309_U3_01.44.4
Kernel version: 2.6.29 wmm125@zbr05lnxdroid #2
Build number: SESLA_U3_01.44.4

Here is the file list of /system/lib –

And the following is reported by Quadrant:

Vendor: Android
Renderer: Android
PixelFlinger 1.2
Version: OpenGL ES-CM 1.0

Where ‘renderer’ probably indicates that it is done by software, not by the Adreno 200, which should be integrated in the MSM7225.

When something goes wrong with the boot, the device goes into mode 22b8:9002 Motorola PCS, which apparently is an MSM7225 flash interface. I could not find a driver for this in Windows, using Motorola’s drivers and RSDlite…
Here is a link to the lsusb info:

Apparently the bootloader resides in the boot partition. Possibly similar to the milestone mbm/mbmloader.
Will check on this after my phone comes back from repair =/

Trying to restore a yaffed system image set me to bootloop. Will try to dump the partition manually, when I get my phone back.
