My Rokr E2 Spek

Rokr E2


Linux version 2.4.20_mvlcee31-mainstone_pxa27x (BJDC@LINUX) (GCC 3.x for XSCALE) #1 Jan 1,2003


Processor       : Intel XScale-PXA27x rev 7 (v5l)||
BogoMIPS        : 103.76
Features        : swp half thumb fastmult edsp
CPU implementor : 0x69
CPU architecture: 5TE
CPU variant     : 0x0
CPU part        : 0x411
CPU revision    : 7
Cache type      : undefined 5
Cache clean     : undefined 5
Cache lockdown  : undefined 5
Cache unified   : harvard
I size          : 32768
I assoc         : 32
I line length   : 32
I sets          : 32
D size          : 32768
D assoc         : 32
D line length   : 32
D sets          : 32

Default power management clock settings appear to be 104Mhz, 208Mhz, and 312Mhz at 1.35v.


80MB Physical (/dev/mem)

0x3F000000-0x3FFFFFFF  (16MB)
0xA0000000-0xA3FFFFFF  (64MB)

This should be wrong!As the value read from MDCNFG is 0x0bae2bcd,it should have 2 SDRAM chips,1 in partition 0,size 32M,the other in partition 3,size 16M,both 16bits.

45MB in-system

       total:    used:    free:  shared: buffers:  cached:
Mem:  47509504 45441024  2068480        0   466944 19390464
Swap:        0        0        0
MemTotal:        46396 kB
MemFree:          2020 kB
MemShared:           0 kB
Buffers:           456 kB
Cached:          18936 kB
SwapCached:          0 kB
Active:          17284 kB
Inactive:        15592 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        46396 kB
LowFree:          2020 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Committed_AS:    57172 kB

But in linux-2.4.17\arch\arm\def-configs\ezx-sumatra CONFIG_EZXBASE_SDRAM_32_16 is set,I think it should be 48M,more close to 47509504

Flash Memory

Here is a map of the flash memory:

Filesystem           1k-blocks      Used Available Use% Mounted on
rootfs                   56752     56752         0 100% /
/dev/root                56752     56752         0 100% /
/dev/roflash1            10968     10968         0 100% /usr/language
/dev/roflash2            26308     26308         0 100% /usr/data_resource
/dev/roflash3              452       452         0 100% /usr/setup
/dev/roflash4              116       116         0 100% /usr/securesetup
/dev/mtdblock8            6144       884      5260  15% /ezx_user
/dev/mtdblock9           12160      1204     10956  10% /ezxlocal
/dev/mmca1              122912     10304    112608   9% /mmc/mmca1

Note: /dev/mmca1 is my SD card
MTD structure (/proc/mtd):

   dev : size     erasesize  name
  mtd0 : 00008000 00008000 "CADDO_SECOND"
  mtd1 : 00008000 00008000 "ITUNES"
  mtd2 : 00008000 00008000 "CADDO_PRIMARY"
  mtd3 : 00008000 00008000 "FOTA_REV"
  mtd4 : 00040000 00020000 "MBM"
  mtd5 : 00020000 00020000 "CONFIG"
  mtd6 : 00020000 00020000 "BLOB"
  mtd7 : 00100000 00020000 "KERNEL"
  mtd8 : 00600000 00020000 "USERFS_DB"
  mtd9 : 00be0000 00020000 "USERFS_GENERAL"
  mtd10: 00020000 00020000 "TEST_CMD"
  mtd11: 00020000 00020000 "LOGO"
  mtd12: 000c0000 00020000 "FOTA"
  mtd13: 00020000 00020000 "RESERVE"

Note that only mtd8 and mtd9 are mounted as block devices. For 33P, “ITUNES” is empty. “LOGO” contains a GIF89a image at offset 0x800, used as the operator logo on boot.

Motorola Flash Memory Regions, label, and filename (from /etc/

Physical address 0 to 32M is occupied by flash chip 0 of AP,and 32M-64M by flash 1,they are both “Intel StrataFlash® Wireless Memory System (LV18/LV30 SCSP) 1024-Mbit LV family”,Manufacturer Code:0x89,Device Identifier Code of chip 0:0x881c,and chip 1:8819,the datasheet can be downloaded from

 0x00000000 - 0x0001FFFF   caddo               (caddo_data.bin)
 0x00020000 - 0x0005FFFF   mbm                 (mbm.bin)
 0x00060000 - 0x000607FF   cdtcsf              (cdtcsf)
 0x00060800 - 0x00066FFF   cdt                 (cdt.bin)
 0x00067000 - 0x0007FFFF   kct                 (kct.bin)
 0x00080000 - 0x000807FF   blobcsf             (blobcsf)
 0x00080800 - 0x0009FFFF   blob                (blob)
 0x000A0000 - 0x000A07FF   kernelcsf           (kernelcsf)
 0x000A0800 - 0x0019FFFF   kernel              (zImage)
 0x001A0000 - 0x00A9FFFF   resource            (resource.img)
 0x00AA0000 - 0x0109FFFF   userdb              (userfs_db.img)
 0x010A0000 - 0x01C9FFFF   usergeneral         (userfs_general.img)
 0x01CA0000 - 0x01CA0FFF   securesetupcsf      (securesetupcsf)
 0x01CA1000 - 0x01CBFFFF   securesetup         (secure_setup.img)
 0x01CC0000 - 0x01CDFFFF   tcmd                (tcmd)
 0x01CE0000 - 0x01CE07FF   logocsf             (logocsf)
 0x01CE0800 - 0x01CFFFFF   logo                (logo.img)
 0x01D00000 - 0x01DBFFFF   fota                (fota.img)
 0x01DC0000 - 0x01DDFFFF   paniclog            (N/A)
 0x01DE0000 - 0x025DFFFF   language            (language.img)
 0x025E0000 - 0x025FFFFF   setup               (setup.img)
 0x02600000 - 0x02600FFF   rootcsf             (rootcsf)
 0x02601000 - 0x03FFFFFF   root                (rootfs_cramfs.img)
 0xA0200000 - 0xA024FFFF   rdl                 (rdl)

Flashing the E2

The ROKR E2 can be flashed from linux using the moto4lin ezxflash tools. The E2 AP (linux) flash data is held in a .sbf file. Use moto4lin’s parseheader then unsbf to extract the code groups (memory regions). Some of the regions are cramfs images and can be mounted as a loopback file:

  mount -t cramfs {file.bin} -o loop,offset={n} /mountpoint/path

Cramfs Code Groups:

  Address file  Offset  Mountpoint          Notes
  ------------  ------  ----------          -----
  001a0000.bin      0   /usr/data_resource  /dev/roflash2
  01ca0000.bin   4096   /usr/securesetup    /dev/roflash4
  01de0000.bin      0   /usr/language       /dev/roflash1
  025e0000.bin      0   /usr/setup          /dev/roflash3
  02600000.bin   4096   /                   /dev/root

JFFS2 Code Groups

  00aa0000.bin      0   /ezx_user           /dev/mtd8, /dev/mtdblock8, "USERFS_DB"
  010a0000.bin      0   /ezxlocal           /dev/mtd9, /dev/mtdblock9, "USERFS_GENERAL"

Partial Cramfs Code Groups:

  a0de0000.bin 0x220000    / (?)    (??) (Extended root fs? Debugging root?)

Other Code Groups:

  00060000.bin  -  Maps to mtd5 CONFIG - (Has kernel boot args?)
  00080000.bin  -  Bootloader - Maps to mtd6 "BLOB"
  000a0000.bin  -  Maps to mtd7 "KERNEL"
  01ce0000.bin  -  Operator logo at offset 0x800.  Maps to mtd11 "LOGO"
  03fc8000.bin  -  ?? (AP->BP comms?  BIOS?) no mtd mapping
  10040000.bin  -  ??
  10080000.bin  -  ?? (200 bytes long)
  100800c8.bin  -  ?? Has references to "sim", IMEI Lock, SEEM, call meters, IMELODY ringtone, SMS, an GEM
                      Contains 16-bit text:
                          "Motorola Phone ED3F9710: Motorola Communications Class B"
                          "Motorola Communication Interface0"
                          "Audio Control Interface"
                          "Linear Streaming Audio MiCrophone Interface"
                          "Logarithm Streaming Aucio Microphone interface"
                          "Linear Streaming Audio Speaker Interface"
                          "Logarithmic Streaming Audio Speaker Interface"
                          "Accessory2Motorola MCU Data Logger"
                          "Motorola Test Command"
                          "Motorola DSP Logger"
                          "Motorola DSP Debugger"
                          "Motorola Data Interface"
  10330000.bin  -  ?? (2048 bytes long)
  10350000.bin  -  ?? Contains 16-bit text "Motorola's Flash Neptune LTE2"
  10390000.bin  -  ?? Byte patterns looks like image assets


Debug Port

There appears to be two Debug Ports on the Rokr E2. The one on the front provides JTag access to the Applications Processor and access to the the ST_UART for a serial console. The other is assumed for the base-band.

Kernel NFS Support

The ROKR E2’s kernel has static NFS support. After starting a telnet session, an exported NSF volume can be mounted with:

 mkdir /tmp/mnt
 mount -t nfs{export} /tmp/mnt -o nolock

Note that ‘nolock’ must be used, as no port mapper exists on the phone.

Media Player

Seems to use Helix 10.0 mediaplayer for tunes. However it is missing the plugin so Ogg/Vorbis files do not play on this device (yet!)

These are the included plugins:



Official ROM version 33P uses Opera 8.5.2023.

  CLIENT: MOT-E2/R564_G_12.02.32P Mozilla/4.0 (compatible; MSIE 6.0; Motorola ROKR E2)

Interesting Files

  • This is a link to a dump of the directory structure and files found with firmware 43P: E2_FindDump
  • /usr/SYSqtapp/phone/alertprocess -playvol {n} -playfile foo.wav will play the foo.wav audio file at volume {n} (0-10).
  • /usr/SYSqtapp/phone/vibrateprocess -playperiod {n} will cause the phone to vibrate for {n} seconds (default=1)
  • (C, no mangeled names) communicates with the BP through a pair of PF_LOCAL UDP sockets to place calls, record audio, get BP version information, possibly check subsidy lock status, etc.
  • /lib/modules/logger.o logs events to a pair of files on ezxlocal. Usage:
 insmod /lib/modules/logger.o
 /usr/SYStapi/ 1

This will start logging, as per the writeable policy in /ezxlocal/ezx_aplog.cfg. The default is to log MUX and output files to /ezxlocal/downloads/mystuff/ as and

  • /etc/init.d/ sets up all session variables necessary for executing apps.
  • start-stop-daemon can be used like a “sudo -u root” by scripts run as user ezx:
  start-stop-daemon --start --chuid root --exec {command} (command's arguments...)

Note that +s executables will fail unless user ezx makes a copy:

  cp /bin/mknod /tmp/mknod; start-stop-daemon --start --chuid root --exec /tmp/mknod /tmp/device c 1 2
  • The contains a number of WiFi-related routines.

The motoac kernel modifications

The Rokr E2 (and presumably the A1200) can restrict access to certain areas of the filesystem and tasks through a Motorola modified version of SELinux and policy called motoac. Motorola released the source for this under the GPL as part of their kernel source code release.

This is a link to a dump of the strings found in the acpolicy.cfg file distributed with firmware 33P: E2_acpolicy.cfg_strings

Motorola SElinux Policy

The ROKR 33P build’s security policy can be found in the binary file /etc/acpolicy.cfg. Here is a summary for user ‘root’:

  /usr/*      protected resource (r-x)
  /bin/*      protected resource (r-x)
  /sbin/*     protected resource (r-x)
  /etc/*      protected resource (r-x)
  /.backup/*  protected resource (r-x)
  Defined Domains:
     1: moto_domain
     2: carrier
     3: trusted
     4: Untrusted

Note that a more restrictive policy is defined for user “ezx”.

Interesting Info

You can boot into flash mode by holding the “Voice Key” on the right side of the phone while powering up the phone. If you push the voice key again, you will go into the BP flash mode. Remove battery to reboot.

The PCM sound device driver only supports 16-bit LE audio.

ROM Version Discrepancies (from 33P)


  • No MPKG installer/MPKG installer disabled (handset from China Mobile)


  • Phone was purchased in China 2007/07, phone and firmware branded with China Mobile (中国移动)
  • No mpkg installer.
  • No USBNET connection option but IP access could be enabled with AT commands from modem mode. Handset would respond to ping (
  • However, all ports were closed; no telnet or smb access.


  1. aku pengen N95 itu lho. keren, kayaknya internet tablet nya Nokia cuma pake linux kan

  2. […] Mandriva Spring with Motorola Rokr E2 Ditulis dalam Linux, Mandriva, Tips by bayuart di/pada Juni 27th, 2008 Spek Motorola Rokr E2 […]

  3. motomodder jg nih 🙂

  4. seep INFO nya……
    q aja dah py ni E2 2th-an tp baru skarang tau info detilnya :p .
    btw YM_nya mas apa?? (buat ty2 sputar E2)


  5. I should notify u about it.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: