
Vulnerable recovery for Motorola Milestone - root any known firmware version

An SBF file that contains only the vulnerable recovery (CG47) from SHOLS_U2_01.14.0.
It allows rooting any known Milestone firmware version. It will not change anything in the phone's system etc.; only the recovery partition will be reflashed.
Flash the SBF using RSD Lite 4.6 (Windows) or sbf_flash (Linux).
After you flash this SBF, you will be able to use the conventional update.zip method to install su and Superuser.apk (aka root).

Made with SBF Recalc and hexedit.

Possible issues you may encounter:
1. If RSD Lite does not activate the Start button after you open the SBF file, rename the SBF file to a short, simple name, e.g. recovery.sbf, and put it in a short, simple path, e.g. C:\recovery.sbf (known Windows Vista / 7 issue).
2. An "E:EOCD marker occurs after start of EOCD E:signature verification failed" error after you apply the update.zip in recovery means that you do not have the vulnerable recovery on your phone.
If you applied an OTA update before, a script runs at every system boot that checks the recovery and re-flashes it when its checksum doesn't match. In that case, you have to avoid booting into Android after flashing the vulnerable recovery. Boot directly to recovery when RSD Lite restarts the phone (hold the camera button) and from there remove the /system/etc/install-recovery.sh file.
rm -f /system/etc/install-recovery.sh
A script for OpenRecovery is attached (install OpenRecovery and put the script in /sdcard/OpenRecovery/scripts before you flash the vulnerable recovery). Later, in OpenRecovery, the first thing you should do is run this script from the Run Script menu.
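The EOCD error in item 2 is raised by a structural check on the ZIP footer that runs before the package signature is trusted. As an added example (not code from this page or from the recovery itself), the sketch below models such a check on constructed in-memory archives; the 6-byte footer layout, the helper names and every message except the one quoted in item 2 are assumptions.

```python
import io
import struct
import zipfile

EOCD_MAGIC = b"PK\x05\x06"   # ZIP end-of-central-directory signature
EOCD_HEADER_SIZE = 22        # fixed EOCD length, before the archive comment
FOOTER_SIZE = 6              # assumed: signature_start(2) | 0xFFFF | comment_size(2)


def check_footer(data: bytes) -> str:
    """Return "ok" or the reason the package framing is rejected."""
    if len(data) < EOCD_HEADER_SIZE + FOOTER_SIZE:
        return "file too short"
    sig_start, marker, comment_size = struct.unpack("<HHH", data[-FOOTER_SIZE:])
    if marker != 0xFFFF:
        return "no signature footer"
    if not FOOTER_SIZE < sig_start <= comment_size:
        return "signature offset outside comment"
    eocd_size = comment_size + EOCD_HEADER_SIZE
    if eocd_size > len(data):
        return "comment size larger than file"
    eocd = data[-eocd_size:]
    if not eocd.startswith(EOCD_MAGIC):
        return "comment size does not lead to an EOCD record"
    # Reject a second marker: a ZIP reader that scans for the marker could
    # otherwise disagree with the verifier about where the record starts.
    if eocd.find(EOCD_MAGIC, len(EOCD_MAGIC)) != -1:
        return "EOCD marker occurs after start of EOCD"
    return "ok"


def make_package(signature_blob: bytes, signed: bool = True) -> bytes:
    """Build a constructed in-memory ZIP whose comment is blob + footer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("placeholder.txt", "constructed sample, not a real update")
        if signed:
            size = len(signature_blob) + FOOTER_SIZE
            z.comment = signature_blob + struct.pack("<HHH", size, 0xFFFF, size)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "clean": make_package(b"\x00" * 32),
        "stray marker": make_package(b"\x00" * 12 + EOCD_MAGIC + b"\x00" * 16),
        "unsigned": make_package(b"", signed=False),
    }
    for name, blob in samples.items():
        print(f"{name:13} -> {check_footer(blob)}")
```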

The latest version (w. RAMDLD 90.78): http://www.mediafire.com/?jzzjmmrvwkz
works on any phone with 90.72, 90.73, 90.74 and 90.78 bootloader

For reference only - older version (w. RAMDLD 90.74): http://www.mediafire.com/?0mlannzemzz
works only on phones with 90.72, 90.73 and 90.74 bootloader

Attachment: Disable_recovery_check_by_OTA.zip (212 bytes)

Comments

Hello, I Googled ramdld but couldn't find more detailed info about it yet. Could you shed some light?

On the other hand, I'm trying to just hexedit 90 74 to 90 78 from the 2.0.1 SBF, though the sbf-recalc tool terminated abnormally... Do you think it is a feasible workaround for downgrading?

Nothize

If I understand correctly, you want to create a full 2.0.1 SBF, but with the included RAMDLD replaced with 90.78 version so it can be flashed also on the phones with 90.78 bootloader, right?
I've extracted the hmg file and the smg CG and RAMDLD images from 2.01 and 2.1 SBF files using SBF Recalc, copied the hmg, the smg with CG47 and the smg with RAMDLD to a new directory, used SBF Recalc to build a new SBF file from it, let it recalculate the checksums and then corrected them in the resulting SBF file with hexedit (the correct checksum values reported from the phone can be found in the RSD Lite log after you try to flash the new SBF file).
So you can use this way or you can try the new tool that should be able to calculate the correct checksums immediately, but I haven't tried it yet so I'm not sure how finished it is.
Look here: SBF / MBN depacker ALPHA 3

Hi nadlabak,

You get my meaning exactly and with a very detailed description of the process. Thank you.
I thought you manipulated RAMDLD manually but I understand the whole process now, wow!

It seems that my machine does not have enough memory for SBF Recalc (tried 1.2.8 and 1.2.9), so it crashed when the free memory seemed to be used up.

While creating a trimmed sbf it works just fine. Thanks for your link to the new tool by Skyrilax_CZ, he is so cool too!

Nothize

Succeeded. Thanks nadlabak. :)

Nothize

I'm glad that I could help.

Hi,
I cannot root my phone as I am getting cannot find update_binary. Please help!

Hi nadlabak
I am running the MIUI ROM on my Milestone. But the ROM does not have an option to boot to recovery, like CyanogenMod. Also, my volume buttons don't work anymore and I cannot enter recovery anymore.
Is there another way to enter recovery?


Hi, after installing the newest OTA update for the Milestone (yes, I know, dam ass thing to do) I get the error you talk about in number 2. But after RSD Lite restarts my phone and I force it to boot into recovery, I can't seem to access adb to remove the file. How do I do this? Or is there any other way to do it?

Hi,
I have not been able to remove the script that reinstalls stock recovery. I tried both running the script supplied above and typing in "rm -f /system/etc/install-recovery.sh" in console in GOT-OR. Neither works. There's no error message, just no result, and the next time I boot into recovery, the stock recovery comes up. Any suggestions? Thank you. ~~~~Xenobio

Hey! Nadlabak/Kabaldan!

Thank you so much for your great work. I have been dying to install CM6 and I read all the forums and everything but I am stuck with being unable to install vulnerable recovery. I have a stock 2.1 Milestone with one OTA update that was also Android 2.1. My phone came Eclair and stayed eclair, and this would be my first custom ROM. I did the OTA update while rooted using Universal Single Root. After getting the famous EOCD error, I tried flashing V.Recovery but it gives me a flashing error 0x0700F and FAIL. Any hints? PLEASE help :)

So I shut down the phone, I press up and power and get to the place where I select the SBF file and click Start.
I see the phone gets restarted and the RSD Lite tool shows "please manualy power up the phone", but it's already on.
I don't know what to do now.

Hello, I have a Motorola Milestone and I have a problem: I can't install any of the custom ROMs for this phone. When I try to restore I get the message "Boot: md5 checksum file missing".
OpenRecovery 1.46, Milestone 2.1.
Thanks

Hi, I followed all the instructions that exist but I cannot open OpenRecovery. I entered recovery mode (the triangle with the exclamation mark) but when I press volume up + power nothing happens... Could you help me? It has been 3 days with a headache due to this... :(

Try pressing the volume up key first then the camera button, not the power button.

I tried all methods but can't enter recovery mode. I tried vol up + cam, but no success yet. Any idea what the problem is, and any solution for this? Please explain step by step as I'm a n00b.

Hold The Home Button And Hold The Power Button Until The Motorola Logo Pops Up Then When A Triangle Pops Up With ! Inside It Press Both Vol+ And Vol- Buttons At The Same Time. Use The Volume Up/Down To Scroll Menu And Power Button To Enter The Selected Mode.. Hope This Helps If You Have Not Fixed This Problem Yet..

Hi Guys

I have a problem with OpenRecovery (3.3 based on 1.46 for the Milestone). I installed the vulnerable Bootloader, then installed OpenRecovery (using update.zip) and then I could use OpenRecovery. Then I placed the "remove OTA Recovery recreation" script onto my sdcard and ran it in OpenRecovery. When I reboot my phone I can get into OpenRecovery, but when I boot into Android (2.1-update1 for a Vodafone/German Milestone) the original RecoveryManager is reinstalled and I have to start all over. What I found out is that the install-recovery-sh is deleted, however something else restores the original Recovery menu.

Any ideas?

Greets Thomas

I had problems installing a vulnerable recovery due to an OTA update, then I found this page and succeeded in less than 5 minutes, thanks a lot! Now I can start enjoying your ROM!

Just to give an update, the process I did:
1. Copy update.zip and the OpenRecovery directory to the SD card
2. Boot MMSTNE into Debug mode (up+PWR)
3. Open RSD Lite and load the SBF (90.78)
4. Start the update process and while you see on the MMSTNE screen "Updating......" hold x+CAMBTN to boot into recovery
5. The phone then gets rebooted and voila :)

I'm having the "E:EOCD marker occurs after start of EOCD E:signature verification failed" error in the rooting procedure... What do I do?

E: cant open cache/recovery/command
-- Install from SDcard...
Finding update package
Opening update package
Verifying update package
E:signature verification failed
Installation aborted.

Why is this happening and can you help me fix it please?
I have used rsdlite to flash the file.
I have a Milestone (telus) with 90.78 bootloader
When I flash it says PASS

Probably not directly related to this, but I'll ask anyway. Maybe I'm not alone:

I have a Milestone A835 with bootloader 90.73. It's running CM7 RC4.1 and Androidiani OR.

What I'm doing is:
1.- Flash vulnerable_recovery_only_RAMDLD90_78.sbf with RSD Lite.
2.- While it is updating, hold camera button until phone reboots into recovery mode.
3.- Apply update.zip to start Androidiani OR.
4.- Open console and do rm -f /system/etc/install-recovery.sh (also tried the attached script)
5.- Reboot phone.

Up to here everything goes according to plan. To verify that it worked, I tried downloading ROM Manager and flashing Clockwork Recovery. So I formatted the SD card to remove any trace of Androidiani OR and flashed CR. Everything goes OK apparently, so I tell ROM Manager to boot into recovery mode. The phone restarts, the recovery logo comes up installing something and then the phone reboots again into CM7.

Manually rebooted into recovery and applied update.zip (CR one) and I'm getting:
E: failed to verify whole-file signature
E: signature verification failed
Installation aborted.

So, I don't know if it is that I'm not getting a vulnerable recovery or that CR is not working. If I go into ROM Manager, it says that I have CR installed, even if I format the SD card again. At least, I can still use Androidiani OR normally.

Any ideas?

Hi. I just reset my Milestone to stock Telus 2.1 so that I could apply the official 2.2 update. When reverting back to 2.1 RSD Lite worked just fine. I then planned to install CM7 over 2.2 and hoped to use this vulnerable recovery to do so.

So I started my phone in the bootloader and started RSD Lite and selected the file. However, when I try to start RSD Lite gives me an error: "Failed flashing process. Failed flashing process. Error processing flash file (0X700F); phone connected"

When I check the error log, I see the following:

"17:25:52, May 15, 2011
Line: 565
ERROR: Error processing flash file.
File: D:\GitProjectsReleases\hdt_windows_flash\flash\code\flashdll\FlashHdlr.cpp
Device ID: 0"

Any suggestions would be most appreciated.

Thanks!

Hi,
I have a Milestone 2.1. After downloading the upgrade for Android 2.1 from the Motorola web site, my phone does not start and I only get the Motorola sign on the screen (nothing more) and the operating system doesn't start.
Also, when I connect the USB cable the indication light does not turn on, and when I connect to the PC, the PC DOES NOT SEE MY PHONE. Finally, the phone is getting warm.

Can you help me get the mobile to start again?

Thanks

Hello, I have an issue... every time I try to reboot in recovery mode the phone reboots as soon as the triangle screen appears. Please help... it reboots and the phone works and all, but I can't enter recovery mode to apply the last nightly update.

Info: I have the first nightly version of CM7 installed... maybe it's a common issue that I don't know about.

Thanks !

How do I get to the bootloader without the power and volume rocker buttons?
My phone is rooted. I used quickboot and adb but I can't get to the bootloader.

Hello sir, I am installing CyanogenMod 7 on my Milestone 2.1 and already rebooted my phone. When I install a terminal emulator and type su, the $ sign changes to #. But when I am applying the sdcard update.zip after rebooting my phone, this message appears....

E: Can’t open/cache/recovery/command
Finding update package…
Opening update package…
Verifying update package…
Installing update package…
Can’t find update_binary
Rebooting your phone

I have tried many times.

Sir, what is the problem? Please guide me, I am getting mad by this problem. Thank you....

HELP! I have Bootloader 2C.7C on my Droid 1 Milestone.
Using this SBF file just gets a "Critical Error"
I realize I can use "sbf recalc" to edit your sbf if I had the correct Hmd and RAMDLD.SMG files for 2C.7C I'm not sure how to do it. Can anybody help?

Hello,

I was guided to this page on the process to root my Milestone A853. However the instructions on this page are not very clear. Can you please provide a step by step instruction on how this is done.

Thanks in advance,
Joel
