Motorola Droid X2 (motorola-daytona)

Information
This device has a locked bootloader, installing custom roms requires an exploit. Unknown if this device will ever be booting. This phone is a really old former daily driver, so I thought about pulling it out and messing around to see if there's anything I can do, collect any information about the device, and see if it's possible to get it booting. There's some interesting stuff related to the bootloader that you can access by holding down +, you can cycle through them with  and select with , including console=ttyS0,115200n8, which I assume is for serial, interesting that they left that in the production units considering the bootloader is locked down, and NvFlash which may or may not be exploitable.

When this device is plugged into a computer, the internal storage partition behaves like a mass storage device, such as a flash drive. Disk /dev/sdc: 4.36 GiB, 4683988992 bytes, 9148416 sectors Disk model: MB870 Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0x00000000

Rooting and booting custom kernels
There's userland and kernel exploits for rooting Android, kexec may be possible! Investigating kexec here. My idea is to kexec into a mainline kernel, and from there launch postmarketOS. This idea is also talked about here.
 * Pete's Motorola Root Tools (Android 2.2-2.3.4)

Booting into Clock Work Mod Recovery
Back in the day there was a method of installing custom roms by rooting the phone from userspace and bootstrapping a custom recovery. This seems to hijack the "Charge Only" mode which it enters when you plug in a charging cable without pressing any buttons (it shows an animation of a battery filling up). It's a ramdisk hijack so it's not booting into a custom kernel, however we might be able to use this method to kexec. This method is also used for installing custom roms, fun stuff we can do there.

Research into booting custom kernels
I'm researching into the possibility of using kexec as an option for loading custom kernels. Tegra also has exploits, so unlocking the bootloader doesn't seem impossible, however entering APX mode might require a special cable, and using APX mode to unlock the bootloader may or may not be quite difficult. We might be able to load a patched bootloader.

Kernel version
Linux version 2.6.32.9-00005-g2440aba (hudsoncm@il93lnxdroid52) (gcc version 4.4.0 (GCC) ) #2 SMP PREEMPT Tue Aug 23 22:13:22 CDT 2011

Partition layout (Android 2.3.4)
Partitions don't seem to be named, so I don't know what any of them are for.
 * 1) fdisk -l /dev/block/mmcblk0

Disk /dev/block/mmcblk0: 7991 MB, 7991721984 bytes 1 heads, 16 sectors/track, 975552 cylinders Units = cylinders of 16 * 512 = 8192 bytes Disk identifier: 0x00000000

Device Boot     Start         End      Blocks   Id  System /dev/block/mmcblk0p1             65         512        3584   83  Linux Partition 1 does not end on cylinder boundary. /dev/block/mmcblk0p2            513         576         512   83  Linux Partition 2 does not end on cylinder boundary. /dev/block/mmcblk0p3            577         832        2048   83  Linux Partition 3 does not end on cylinder boundary. /dev/block/mmcblk0p4            833     1046848     8368128    5  Extended Partition 4 does not end on cylinder boundary. /dev/block/mmcblk0p5            897        1024        1024   83  Linux /dev/block/mmcblk0p6           1025        1088         512   83  Linux /dev/block/mmcblk0p7           1089        1152         512   83  Linux /dev/block/mmcblk0p8           1153        1280        1024   83  Linux /dev/block/mmcblk0p9           1281        1536        2048   83  Linux /dev/block/mmcblk0p10          1537        2560        8192   83  Linux /dev/block/mmcblk0p11          2561        3584        8192   83  Linux /dev/block/mmcblk0p12          3585       61184      460800   83  Linux /dev/block/mmcblk0p13         61185       61248         512   83  Linux /dev/block/mmcblk0p14         61249       63808       20480   83  Linux /dev/block/mmcblk0p15         63809      103232      315392   83  Linux /dev/block/mmcblk0p16        103233      365376     2097152   83  Linux /dev/block/mmcblk0p17        365377      403776      307200   83  Linux /dev/block/mmcblk0p18        403777     1046848     5144576   83  Linux

Mount Output (Android 2.3.4)
rootfs / rootfs ro,relatime 0 0 tmpfs /dev tmpfs rw,relatime,mode=755 0 0 devpts /dev/pts devpts rw,relatime,mode=600 0 0 proc /proc proc rw,relatime 0 0 sysfs /sys sysfs rw,relatime 0 0 tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0 tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0 /dev/block/mmcblk0p12 /system ext3 ro,noatime,nodiratime,barrier=1,data=ordered 0 0 /dev/block/mmcblk0p16 /data ext3 rw,nosuid,nodev,noatime,nodiratime,errors=continue,barrier=1,data=ordered 0 0 /dev/block/mmcblk0p15 /cache ext3 rw,nosuid,nodev,noatime,nodiratime,errors=continue,barrier=1,data=ordered 0 0 /dev/block/mmcblk0p17 /preinstall ext3 ro,nosuid,nodev,noatime,nodiratime,data=ordered 0 0 /dev/block/vold/179:18 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0 /dev/block/vold/179:18 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0 tmpfs /mnt/sdcard/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0

Contributors

 * NoriTech