motosh-fw
motosh-fw copied to clipboard
Reverse engineering the Motorola sensorhub firmware
motosh-fw
This project aims to reverse engineer the firmware present on the Motorola Sensorhub - a STM32 MCU inside most Motorola smartphones.
This MCU handles non-stop polling and processing of sensor data with the ability to send an interrupt to the smartphones CPU under
specific conditions (also known as Moto Actions
or Moto Gestures
).
Documentation and resources
- STM32 Cortex-M0 programming manual: pdf
- STM32L0x1 family reference manual: pdf
- BMI160 datasheet: pdf
- AK09912C datasheet: pdf
- Wiki pages
The sensorhub communicates with the kernel via SPI - the driver can be found here.
The Android HAL and accompanying motosh
binary (used for flashing firmware) are released by Motorola
here under the respective motosh_bin
and motosh_hal
directories.
You can grab your own sensorhubfw.bin
by copying it from /etc/firmware/sensorhubfw.bin
.
Warning: do note your firmware may differ from the one included in this repository, as it has not yet been confirmed whether the firmware differs across devices. A couple leaked schematics have shown drastic changes of the pinouts which means different functionality.
Current progress
- Very basic reverse engineering done (to be documented)
- Ability to boot the stock firmware in Renode (see simulating)
-
Can be debugged with
gdb
(no symbols though) - Appears to boot and attempt to access sensors
- Model incomplete
- Some internal functionality missing or partial (RCC etc)
- No sensors modeled yet
-
Can be debugged with
- Ability to boot custom firmware in Renode
- Can be used to test if the sensorhub model is correct
- Basic STM32L0 examples work
- NVIC/SysTick/GPIO and timers functional
- Weird bug where calling
__aeabi_uidiv
calls__exidx_end
which then executes code out of bounds- This makes setting up UART (and probably a lot more stuff) impossible
Installation
# clone main repo
git clone https://github.com/Ristovski/motosh-fw
# clone `libopencm3` under the `thirdparty/libopencm3` subdirectory
cd motosh-fw/thirdparty
git clone https://github.com/libopencm3/libopencm3 --depth=1
# build `libopencm3` for the `stm32/L0` target (make sure you have an arm cross-compiler working (`export PATH=$PATH:/path/to/cross/gcc/bin/`))
cd libopencm3
make TARGETS=stm32/l0
cd ../../
Optionally, if you would like to emulate firmware, install Renode. Linux users can use the
portable
releases - just make sure to set yourPATH
accordingly.
Building
Copy cross_file.txt.example
to cross_file.txt
and edit the prefix
variable to point to your cross-compiler.
meson --cross-file cross_file.txt build && cd build
ninja
This will produce the following two files:
motosh
- ELF file containing symbols - useful for debugging under gdb
motosh.bin
- pure binary version generated with objcopy -O binary motosh motosh.bin
Tools
Simulating
With Renode it is possible to simulate the official Moto sensorhub firmware (included at fw/sensorhubfw.bin
)
to the point where it boots and attempts to communicate with the (non-existent) sensors.
There are two models included in the sim
directory, motosh.{repl,resc}
- which is meant to be as close to the official MCU as possible
and customfw.{repl,resc}
- meant to be used as a "playground" for testing the custom firmware and general accuracy of the Renode simulator.
TODO: More Renode documentation.
To run the official firmware in the simulator, cd
into the sim
directory and run FW=fw/sensorhubfw.bin renode motosh.resc
.
To run the custom firmware in the simulator, run ninja install && ninja sim
inside the build
directory to first copy the binary firmware into
the right place and then launch Renode.