Valid HTML 4.01 Transitional
This page is under construction.

Motorola Droid 3
Installing CyanogenMod

Jim Carter, 2011-11-23

Table of Contents

R00t Your Phone

The first step for everything is to gain root access. There is a script (for Windows) to root this class of phones in one click. Link #1 for root exploit (by Dan Rosenberg, 2011-08-25) (this exploit is confirmed to also work on the Droid X, Droid X2, Droid Cliq, Droid Cliq 2, Droid 2, and Droid Bionic.) Link #2 for a howto and script (by Kellex, 2011-08-25). The latter runs on Windows and uses Visual Basic to send the commands making up the exploit.

I'm going to copy and paste the commands in the exploit. Preliminary: (Credit for this reminder to Kellex's howto.) Settings -> Applications -> Development -> USB Debugging, which enables you to use ADB, although you can also type the commands into the terminal emulator. Jimc thinks it will also be helpful to select Stay Awake, at least while doing the exploit. Stay with Charge Only when connecting USB; you want the SD cards to stay mounted.

Note: The root privilege only lasts a limited time, probably just through one reboot. Evidently /data/local.prop is rebuilt at boot time.

OK, my pocket computer is now rooted. Thanks to Dan Rosenberg. I actually modified the procedure slightly: brought /data/local.prop back to my laptop, modified it there, copied it back as /data/, and renamed it (after saving the original). The umask is 0, and the deposited file ends up owned by shell:shell mode 666. After the final reboot, though, the boot scripts apparently fix the owner and mode to system:system 644.

Installing the su Binary and Superuser App

To install the Superuser app you first need the Superuser app to be installed, or at least the su binary that comes with it. If you tried and failed to install Superuser already, first uninstall what you have.

Look on ChainsDD's site; he's the developer. Links and MD5 sums are on this page. Download (for Android-2.x) or whatever the current version is. This is a zip file which is to be installed by Recovery. However, it is not signed with Motorola keys (yeah, sure) and so the stock Recovery refuses to read it. We need to use the root exploit to do by hand what Recovery would have done.

Installation howto by xeronuro dated 2010-12-31. Unpack your zip file; you'll find system/app/Superuser.apk and system/bin/su inside. Jimc has modified the procedure somewhat below to work on the stock image of the Droid 3. I'm running Linux on my laptop; for Windows, the commands in the first section are similar. First do the root exploit from the previous section. After you reboot, connect the Droid to the laptop by the USB cable and make sure that ADB is executing as root. Then do the following:

--executing on your laptop--
mkdir subin
cd subin
unzip ../
adb shell # needs to run as root, needs root exploit.
--executing on Droid--
cat /proc/mounts # find out which device is mounted on /system
mount -o rw,remount -t ext3 /dev/block/system /system
--in another window on the laptop--
adb push ./system/bin/su /system/bin/su
adb push ./system/app/Superuser.apk /system/app/Superuser.apk
--back to command window executing on Droid--
chmod 6755 /system/bin/su
ls -l /system/bin/su # Verify -rwsr-sr-x root root
ln -s ../bin/su /system/xbin/su # Installer script wants this to be done

Your root exploit is now gone -- the prompt for adb shell says shell@cdma_solana. But you can do su root and you actually become root. You have now rooted your phone, permanently (until something gets messed up). In the step where you did adb push Superuser.apk you also installed the Superuser app.

If you start the Superuser app, hit menu -> preferences -> su version, and it says vnull, you don't have /system/bin/su installed, probably because you installed Superuser from the market without having it installed already. Uninstall it and follow the instructions in this section.

Installing Busybox

The stock image lacks most UNIX utilities, and the Safestrap installation procedure depends on them. The normal way to provide them is through Busybox. This forum post about a missing Busybox by crpeck on RootzWiki dated 2011-12-02 revealed what I had done wrong, namely assuming that I didn't really need Busybox.

According to xeronuro's howto (see above), there is an app, BusyBox by Stephen (Stericson), available in the Market. Assuming you have a working su, just execute the app and it will do all the work.

I tried BusyBox Installer by jrummy16 in the Market. This is v2.0 and has versions of BusyBox up to 1.19.3.

Installing Safestrap

Safestrap by Hashcode includes a Recovery image which will read and install zip files signed with hackers' keys, like CyanogenMod, or other hacked images. This is based on Koush's Clockwork Recovery but with a very cool twist: it installs the hacked system image in the /preinstall partition, not overwriting your main system image, and it can interchange the main and preinstall partitions (i.e. exchange which one is mounted where). The containing package is an app to install this Recovery image. The benefit is, if you mess up your CyanogenMod installation you can revert to stock, and clean up the mess at your leisure. Here's how to install Safestrap:

SBF Debrick Procedure

To investigate: SBF debrick ; backup strategies.

Follow this link for the not exactly original copy of the SBF Debrick Procedure, originally by ikithme. According to the post, this is what people at a Verizon store use to debrick phones; they don't have JTAG, and so if you mess it up, nobody knows any recourse short of soldering a JTAG connector onto your phone (assuming the connections are even known for Droid 3, which I doubt).

This will put a pristine Motorola image onto the phone, replacing all user hacks, packages and data. The user area of the SD card(s) is not wiped. You will need to reactivate the phone afterward. How to reactivate on Verizon (other mobile operators have their own procedure): dial *228 and select option 1. They mention while the phone is booting, hold up on the DPAD. Subsequent comments suggest that this is for a Droid model with a physical directional pad with 4 arrow keys and possibly a central OK button. It is possible (I hope never to have to test this) that up-arrow on the physical keyboard of the Droid 3 is equivalent.

User Level Backups

Make any user-level backups that you're going to. I'm going to make a separate copy of all the Verizon apps because I may want to reinstall one or two and try them out, like the office app or the games. I very carefully avoided investing any time in customizing the Verizon image, importing contacts and bookmarks, etc. because I knew I would be wiping user data. Actually I'm going to pack up the entire /data even though Safestrap will also make a backup of it. Backup procedure (requires Busybox):

adb shell #Executing on Droid3
su root #Shell account lacks permission to read /data
cd /data
tar cf /sdcard-ext/data-20111210-jimc.tar . #Took 100 secs
--In separate window on laptop--
adb pull /sdcard-ext/data-20111210-jimc.tar ./data-20111210-jimc.tar #Took 85 secs
--Back to command window--
rm /sdcard-ext/data-20111210-jimc.tar
exit #Backup is finished

A problem with backups is, in a major upgrade like CM7 to CM9, apps tend to change the database table schemas. Some can recognize an old-style database and convert it, but not all. It's best to go through all apps where you have significant content, specifically contacts, calendar, bookmarks, and X.509 certificates, and either sync them into the cloud (if your security rules allow) or induce the app to write a semantic backup, e.g. vCard (RFC 2425/2445) format for contacts.

Then-current version numbers, from Settings -> About Phone:

I'm pretty sure that the PRL (Preferred Roaming List) is what locks the phone to Verizon; this is going to have to be replaced.

Update to 5.6.890

In reality I attempted to install CyanogenMod over the phone as described in the previous section, and got a bootloop. In response to my query, both eww245 and Hashcode recommend updating to system version 5.6.890.XT862.Verizon.en.US, since CyanogenMod and (most) other hacked system images include kernel modules compiled with and for its kernel. Android turns on module version magic (vermagic) including the eentsy version, so an exactly exact match between modules and the kernel is required.

I obtained the 5.6.890 update from a posting by sic4672 dated 3 months ago which would be 2011-09-xx, when this update was newly coming out OTA. I usually don't install software, particularly exceedingly critical software, from sources I'm not familiar with, but this was the only one that my search terms turned up, and I'll be using the locked Motorola Recovery to install it, so any damage will be detected and the image will be rejected if so. The sha1sum of my instance of the file is e5681532bcd74d70d507f3463d6dcecb7f0a49b5; with Busybox you can run the command on the phone.

All relevant data and backups have been copied off the phone, so I have maximum flexibility for screwup recovery.

A vital first step is to de-install Safestrap.


Version numbers after updating, from Settings -> About Phone:

Now you have to go back to the beginning and re-do all the steps to root your phone, install Busybox, etc.

Installing CyanogenMod

Continuing in Hashcode's instructions for installing Safestrap and CM7 dated 2011-10-04; it's the last post on this page: (


The first time around I was using system 5.5.959, and the installed CyanogenMod image had kernel modules (and likely other important stuff) for 5.6.890, so when I rebooted it bootlooped, i.e. got to where it should have shown the boot animation, but rebooted, again and again. Cure: update to 5.6.890, using the instructions given previously. For historical interest, here is documentation of the struggle.