The twilight zone of firmware hacking · Feb 22, 01:12 PM
Say you bought a phone and it’s only supposed to do certain things, but you suspect with a bit of tweaking it could do more. That’s where I’m at with my Motorola Razr2 V8. But help might be available if I’m willing to enter the shadowy world of firmware hacking…
The Razr2 V8 and V9 seem very similar: although they support different phone networks, they have the same look and feel. The V9 also supports better Java JSRs (including the one I’m after, JSR-82 for Bluetooth). The Razr2 phones are built with Linux as the OS, and some hacking has been done to make it possible to modify the firmware they run.
It’s not without complications though. It’s mostly unofficial and borderline legal. For a start, official firmware images are not available, although there are archives to be found on the web, linked from phone modding forums. If you have a firmware image to put onto a phone, you need unreleased software called RSD Lite to do the job. This is available as ‘warez’. To change the firmware, a Windows program called SBF Recalc is needed – this is available from modding forums.
The firmware files are ‘sbf’ files; this is a container format that wraps up content to be stored in the flash of the phone. Flashing programs like RSD Lite will read ‘sbf’ files as well as SHX files (another container format). The contents of the sbf files are a number of ‘CG’ files, or code groups. For the Razr2 at least, this is where it starts to get interesting. Although they are given a ‘.smg’ extension, they are in squashfs (v2) format. This means they can be edited with open source tools.
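Before hunting for the right generation of squashfs tools, it helps to read the version straight out of the CG file. The script below is an added example, not code from the post or from any of the modding tools it mentions. It assumes a ‘.smg’ file is a raw squashfs image, possibly with a short vendor header in front of it, so it scans for the squashfs magic rather than trusting offset 0; the sample image it builds when run without arguments is constructed for illustration and is not real Razr2 data. The one thing it relies on is that every squashfs generation keeps the 16-bit major and minor version numbers at byte offset 28 of the superblock, with the magic bytes (‘hsqs’ or ‘sqsh’) telling you the byte order of every other field.

```python
"""Report the squashfs version and endianness of a Razr2 CG (.smg) file.

Added example (not from the original post). Assumptions: the .smg is a raw
squashfs image, or one preceded by a short vendor header, so the magic is
searched for rather than assumed at offset 0.
"""
import struct
import sys
from typing import NamedTuple, Optional

# On-disk magic: "hsqs" for little-endian images, "sqsh" for big-endian ones.
MAGIC_LE = b"hsqs"
MAGIC_BE = b"sqsh"

# In every squashfs generation (1.x through 4.x) the 16-bit major and minor
# version numbers sit at byte offset 28 of the superblock.
VERSION_OFFSET = 28
MIN_SUPERBLOCK = VERSION_OFFSET + 4   # bytes we need to read version fields


class SquashInfo(NamedTuple):
    offset: int      # where the superblock starts in the file
    endian: str      # "little" or "big"
    major: int
    minor: int
    inodes: int

    @property
    def version(self) -> str:
        return f"{self.major}.{self.minor}"


def find_superblock(data: bytes) -> Optional[int]:
    """Return the offset of the first squashfs magic in data, or None."""
    hits = [data.find(m) for m in (MAGIC_LE, MAGIC_BE)]
    hits = [h for h in hits if h != -1]
    return min(hits) if hits else None


def parse_superblock(data: bytes) -> SquashInfo:
    """Decode version, byte order and inode count from a squashfs superblock."""
    off = find_superblock(data)
    if off is None:
        raise ValueError("no squashfs magic found; not a squashfs image")
    if len(data) < off + MIN_SUPERBLOCK:
        raise ValueError("truncated superblock")
    fmt = "<" if data[off:off + 4] == MAGIC_LE else ">"
    (inodes,) = struct.unpack_from(fmt + "I", data, off + 4)
    major, minor = struct.unpack_from(fmt + "HH", data, off + VERSION_OFFSET)
    return SquashInfo(off, "little" if fmt == "<" else "big", major, minor, inodes)


def tooling_hint(info: SquashInfo) -> str:
    """Which generation of squashfs-tools can be expected to open the image."""
    if info.major >= 4:
        return "squashfs 4.x image: current squashfs-tools (unsquashfs 4.x) reads it"
    return (f"squashfs {info.version} image: squashfs-tools 4.x refuses pre-4.0 "
            f"images, so look for a squashfs-tools release that matches major {info.major}")


def make_superblock(major: int, minor: int, inodes: int,
                    little: bool = True, header: bytes = b"") -> bytes:
    """Build a constructed superblock (not real Razr2 data) for demonstration."""
    fmt = "<" if little else ">"
    sb = bytearray(96)
    sb[0:4] = MAGIC_LE if little else MAGIC_BE
    struct.pack_into(fmt + "I", sb, 4, inodes)
    struct.pack_into(fmt + "HH", sb, VERSION_OFFSET, major, minor)
    return header + bytes(sb)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = make_superblock(2, 1, 1234)   # constructed sample image
    info = parse_superblock(data)
    print(f"squashfs {info.version} ({info.endian}-endian) at offset "
          f"{info.offset}, {info.inodes} inodes")
    print(tooling_hint(info))
```

Run it as `python smgver.py CG39.smg` (any CG name; the file name here is illustrative) on each code group pulled out of an sbf. A major of 2 confirms the post’s observation and tells you which generation of squashfs-tools to go looking for before spending time on a Wine setup that will only get you as far as the ‘.smg’ files.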
Still, it’s not easy, because the really important CGs that control phone operation are signed to prevent tampering – which would presumably invalidate the phone’s certification. There has been some skillful hacking resulting in a method for bypassing these signatures. But the open source world has moved on from squashfs v2 and is now on v3. Although it’s possible to run SBF Recalc in Wine under Linux, it’s harder to get the tools to unsquash a v2 firmware file.
So that’s where I’m stuck: I can find V8 and V9 firmwares and can unpack them to ‘smg’ files, but can’t open these easily. If I could, I might be able to find the JSR-82 parts of the V9 firmware and try to transplant them into the V8 firmware. My best bet is to find an older version of Linux that has the v2 squashfs tools and use that…