Archive for the 'recovery' Category


More dumping!

Since I got a brand new refurbished not-completely-working version of my very own phone, I started hacking it again.

And dumping it.

Just to remember how the partition table looks:

dev: size erasesize name
mtd0: 00700000 00020000 “boot”
mtd1: 0b400000 00020000 “system”
mtd2: 0dea0000 00020000 “userdata”
mtd3: 00a20000 00020000 “cdrom”
mtd4: 00060000 00020000 “misc”
mtd5: 00580000 00020000 “recovery”
mtd6: 02800000 00020000 “cache”
mtd7: 00060000 00020000 “fota_bbuf”
mtd8: 00060000 00020000 “fota_usd”
mtd9: 000a0000 00020000 “fota_bua”
mtd10: 000a0000 00020000 “fota_ua”
mtd11: 00600000 00020000 “fota_up”
mtd12: 00060000 00020000 “kpanic”

The cdrom partition contains a CD image, with the files:


and the config.ini content is:

version= 02.00.23


The contents of all the fota* partitions:

00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |…………….|

00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |…………….|

00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |…………….|

00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |…………….|

00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |…………….|

The misc partition:

00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |…………….|
00000800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…………….|
00000c40 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |…………….|
00001800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…………….|
00020000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |…………….|

kpanic partition content:

00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |…………….|

I dumped the system partition via cat but unyaffs complained it was not valid…

No idea why really… and the tar backup I created previously was good for shit… stuck in bootloop… perhaps this one does it… who knows..


My Phone Is Back From Repair!

As some might have noticed, I ended up bricking my phone after I tried to replace a lib with a similar one from a HTC phone, where the adreno renderer was enabled.

Why brick with something to simple? Perhaps I wouldn’t have if I knew somethings I know today, like the superoneclick tool which can give you adb root shell.

My problem was that without the graphical interface working(the new lib did not work at all), the superuser app could not grant super user for my su in adb shell.

I ended up trying to restore my system partition(tar to yaffs2) back to my device, but got stuck in bootloop. GREAT!

Frustrated, I erased everything on my phone(as in boot partition went bye bye). Thus I discovered that the bootloader resided in the boot partition. GREAT²!

Apparently it works similarly to the droids mbmloader scheme. In short, I had only the usb interface to the mbmloader(?) which said ‘MSM7225 Flash’ and I did not have/find any driver to. And so I took it to the technical assistance.

After 20 days I finally got a call that my phone was back, ready for retrieval. Managed to get there in the same day still, was promptly served at the store and got my phone back.

I turned it up, noted that it didn’t ask for my Google account. So I reset it and booted again. I turned up fine. So my problem had been fixed! Finally! The wait had not been in vain.

Upon arriving home, I started setting up my phone again to an usable state, like disabling the APN connectivity which my phone account is not activated for. To login to my Google account and configure the phone I would have to connect to my WiFi network. I configured it and… it did not connect! WHY?

I erased the connection and tried again. No success… I went to advanced settings, and noted the Mac Address: 11:22:33:44:55:66! That is NOT normal, for one, the first byte should be EVEN! 11 is not a valid first byte for a normal devices mac address. And 11:22:33 is not even Motorola’s mac address range. GREAT³!

I checked the /etc/wifi/nvram.txt file which configures the devices mac address, it looks fine…

And so it will come to pass… that I will have to go to the store againCRAP…

The XT300 came back updated to Baseband version: A306_U3_01.72.0
And version: SESLA_U3_01.72.0

AFAIK, the update is available in motorolas crappy website. Moto Helper/Motorola Software Update.

And z4root does not work anymore. Superoneclick does(tested).

I heard that the new version is faster. Would have to remove phone portal and flashback to confirm 😛


Motorola XT300/Spice – Recovering

There are six ways to recover your phone, from various stages of damage. Of course, for most of these processes, you still need to get your hands on a stock rom image, or have your own ready from a previous backup.( I explained earlier the recommended steps to begin using your phone)

The simpler once are the hard reset and data wipe, which just remove normal user info/modifications as the registered accounts, settings and user installed apps.

Both can be accessed through the recovery boot, powering up the device with POWER+X and the pressing ALT+L on the exclamation mark screen. Then select the desired option with the volume keys and press enter when satisfied(or not) with your choice.

This is the most recommended recovery for simple problems that were probably not caused by inadvertent hacking.

Through the recovery boot it is also possible to flash a from the root of your sdcard. This package can do a multitude of things, basically change every aspect of the phone. BUT, and thats a BIG but, the apparently needs to be signed to be used with the stock recovery boot and thus, cannot be used to recover your phone(unless someone hacks on up or leaks an original one).

The most recommended and probably useful to recovery your phone from problems/hacks/whatsoever is the flashboot process. This allows direct flashing of the images at the bootloader stage, which AFAIK is not easily broken. To enter the fastboot mode, power your device pressing POWER+VOLUME KEYS. This will present a blue image. Connect your usb cable and get a copy of the fastboot binary for your computer(google it).

(Yeah.. I erased it… no fastboot anymore.. erase recovery too, don’t know if recovery would be booted. Wouldn’t help probably.)

With fastboot you can flash the partitions back to the stock ones(boot, system, recovery). Have tested to recovery my recovery in this mode. Will not boot modded partitions because of the certificate verification mentioned in an earlier post.

Note: I haven’t been able to recovery from a corrupted system partition. When repacking the extracted system.tar.gz(acquired via romdump) the phone apparently installs the data partition but enters bootloop afterwards…

Fastboot flashing update.zips, although these appear to be different from the ones used by the recovery mode.
They must have one of the following files:


android-product seems to be older, and is transformed to

board=$(cat android-product.txt)

which should be similar to the content of android-info.txt…
This must also contain at least boot.img and system.img.
Can have recovery.img.
Can use boot.sig, system.sig, recovery.sig(whatever those really are)

Note: using android-product.txt does not seem to work, apparently because of the fact that by default the requirement for baseband is ‘’, whereas the device has an empty baseband(?)

My android-product.txt ended up being just:


It appears that this does not need to be signed, ignores any other files(? at least system/ and META-INF) present in the zip.

You can also recover your phone with the flash_image binary for android. The problem is that to use it, your system must be running and you must have rooted it. So you can in theory only restore the recovery partition this way.

RSD mode… Apparently motorola has developed a proprietary protocol similar to fastboot to flash stuff onto your phone. This would require sbf images or signed update.zips(AFAIK) to be used with RSD-Lite. The problem is, AFAIK, the rsd mode in xt300/spice’s boot has not been discovered yet. Sorry.(UPDATED! boot pressing space to enter the RSD mode!)

So, the SBF images can be gotten when updating the phone using the Software Updater available from motorola. It will download the SBF files when you update, just make sure you save them. They are downloaded to the softwares program files.
Apparently it IS possible to flash an SBF image onto the XT300, but it hasn’t really a RSD mode. When rebooting into bootloader, the RSD mode can be accessed for a time, then the bootloader passes on. Using rsd-lite to reboot the phone into rsd-mode/bootloader should work.

I will make an sbf image available here in the future, when I have time again.

Sorry, I’ve been busy with my new Nexus One I bought in eBay for $260 and is having that weird touchscreen problem where touches register in the wrong height…

Apparently the RSD/BOOTLOADER mode has been found for the XT300. YAY!
Just power on the phone while space is pressed! Should be usable with RSD Lite to flash an SBF image. Have not tested the flashing.
(via Mariano, mipcomp[AT gmail])

As always, when installing another/new/whatever Android OS, clear cache and userdata(factory reset)… this normally prevents bootloops and other bugs… the downside is that you have to configure everything again and download the apps once more.

The Author

Older Ramblings


Linux User Sig