This project aims to reverse engineer the firmware present on the Motorola Sensorhub - a STM32 MCU inside most Motorola smartphones.

This MCU handles non-stop polling and processing of sensor data with the ability to send an interrupt to the smartphones CPU under specific conditions (also known as Moto Actions or Moto Gestures).

• STM32 Cortex-M0 programming manual: pdf
• STM32L0x1 family reference manual: pdf
• BMI160 datasheet: pdf
• AK09912C datasheet: pdf
• Wiki pages

The sensorhub communicates with the kernel via SPI - the driver can be found here.
The Android HAL and accompanying motosh binary (used for flashing firmware) are released by Motorola here under the respective motosh_bin and motosh_hal directories.

You can grab your own sensorhubfw.bin by copying it from /etc/firmware/sensorhubfw.bin.

Warning: do note your firmware may differ from the one included in this repository, as it has not yet been confirmed whether the firmware differs across devices. A couple leaked schematics have shown drastic changes of the pinouts which means different functionality.

• Very basic reverse engineering done (to be documented)
• Ability to boot the stock firmware in Renode (see simulating)
  • Can be debugged with gdb (no symbols though)
  • Appears to boot and attempt to access sensors
  • Model incomplete
    • Some internal functionality missing or partial (RCC etc)
    • No sensors modeled yet
• Ability to boot custom firmware in Renode
  • Can be used to test if the sensorhub model is correct
  • Basic STM32L0 examples work
  • NVIC/SysTick/GPIO and timers functional
  • Weird bug where calling __aeabi_uidiv calls __exidx_end which then executes code out of bounds
    • This makes setting up UART (and probably a lot more stuff) impossible

# clone main repo
git clone https://github.com/Ristovski/motosh-fw
# clone `libopencm3` under the `thirdparty/libopencm3` subdirectory
cd motosh-fw/thirdparty
git clone https://github.com/libopencm3/libopencm3 --depth=1
# build `libopencm3` for the `stm32/L0` target (make sure you have an arm cross-compiler working (`export PATH=$PATH:/path/to/cross/gcc/bin/`))
cd libopencm3
make TARGETS=stm32/l0
cd ../../

Optionally, if you would like to emulate firmware, install Renode. Linux users can use the portable releases - just make sure to set your PATH accordingly.

Copy cross_file.txt.example to cross_file.txt and edit the prefix variable to point to your cross-compiler.

meson --cross-file cross_file.txt build && cd build
ninja

This will produce the following two files:
motosh - ELF file containing symbols - useful for debugging under gdb
motosh.bin - pure binary version generated with objcopy -O binary motosh motosh.bin

With Renode it is possible to simulate the official Moto sensorhub firmware (included at fw/sensorhubfw.bin) to the point where it boots and attempts to communicate with the (non-existent) sensors.

There are two models included in the sim directory, motosh.{repl,resc} - which is meant to be as close to the official MCU as possible and customfw.{repl,resc} - meant to be used as a "playground" for testing the custom firmware and general accuracy of the Renode simulator.

TODO: More Renode documentation.

To run the official firmware in the simulator, cd into the sim directory and run FW=fw/sensorhubfw.bin renode motosh.resc.

To run the custom firmware in the simulator, run ninja install && ninja sim inside the build directory to first copy the binary firmware into the right place and then launch Renode.