This page documents the hardware that Firefox OS runs on from a security perspective. Here you'll find information regarding SoC, bootloader access, and other security-relevant bits as they are discovered.

Sony Xperia Z3C

Service Menu

A service menu can be accessed through the stock Android firmware by dialing *#*#7378423#*#* (*#*#SERVICE#*#*). Service Info / Configuration will tell you if unlocking the bootloader is allowed.

Bootloader Access

Fastboot is locked when it comes from the factory, but elegible devices can be unlocked on Sony's Bootloader Unlock Page. The website requires a valid e-mail address and the device's IMEI (accessible on the box or by dialing *#06#). Once unlocked, fastboot has full write access.

Flashing

The device can be flashed with Flashtool through flash mode or (fastboot when unlocked). Stock images are available through xda developers.

Orange Klif

Bootloader

Right after SoC power-up, there is a serial boot ROM listening on the USB port, repeatedly sending the string READY until it timeouts. If you want to interact with the boot ROM, you need to complete a handshake, else it will continue with the regular boot sequence. It communicates through a variant of the MTK Romloader Potocol.

There is a software called SP Flash Tool that can interact with MediaTek boot ROMs to dump, flash and test compatible devices given that you provide it a valid "scatter" config file. Please note that there are dozens of versions of SP Flash Tool around which may or may not be compatible.

Fastboot

Fastboot is available and active, but doesn't allow flash writing. However, flash partitions and other device info can be listed. We have access to a developer device on which fastboot mode can be entered by the following tricky sequence:

1. Disconnect USB
2. Remove battery
3. Insert battery
4. Attach back cover for button operation
5. Hold PWR+DOWN
6. Keep holding while the boot logo shows
7. Wait until the screen goes black again (reboot cycle)
8. Keep holding PWR+DOWN for two or three more seconds
9. Release buttons
10. Press UP
11. If screen not showing FASTBOOT mode..., goto 5

After step 9, the device is sitting in its boot menu on a random entry, waiting for button input. Unfortunately, the screen is turned off, so you can't see what's going on.

The boot menu contains three entries:

1. Recovery
2. Fastboot
3. Normal

Contrary to what the boot menu says, DOWN cycles through the menu, and UP boots the selected mode.

Recovery mode

Our developer device has a recovery mode that can be activated by the following steps:

1. Disconnect USB cable
2. Remove battery
3. Insert battery
4. Attach back cover for button operation
5. Hold PWR + UP until boot logo shows
6. Release buttons

Factory mode

Our developer device has a factory mode that can be activated by the following steps:

1. Disconnect USB cable
2. Remove battery
3. Insert battery
4. Attach back cover for button operation
5. Hold PWR + DOWN until boot logo shows
6. Release buttons

Documentation

• MT6253 Baseband Processor Datasheet (predecessor)

Flame

Fastboot

Fastboot access is unusually complete on the Flame. It even allows setting the amount of available memory for emulating memory restrictions.

Flash Mode

The Flame has a special emergency download mode that allows flashing even when its flash content has been corrupted. It requires the special USB recovery cable that is unfortunately packaged only with some Flames, and a proprietary Emergency Download Tool. The tool uploads and executes an in-memory stub that implements the fastboot protocol.

Recovery Cable

The recovery cable physically resembles a regular Type A to Micro-B USB cable, but with two modifications to the Micro-B connector:

• Pin 4 (ID) is grounded to pin 5, turning it electrically into a Micro-A connector.
• Pin 3 (D+) is pulled low to pin 5 by a 30 MΩ resistor.

Documentation

• Flame Guide on MDN.
• Firefox OS developer phone guide on MDN