Inside the Motorola VIP1920-9DCB Zaptor box from Stofa

This page documents the findings made by taking the Zaptor box apart. It covers the hardware, the software in the flash and the software that is downloaded at runtime.


Let us start out with a list of the interesting hardware components of the box:

Boot process

The CPU boots from the M28W320, which contains a 1st stage bootloader in the lower 64 KB. This bootloader is able to decrypt the 2nd stage bootloader starting at offset 0x10000, which turns out to be a Linux kernel with a small ramdisk attached. The ramdisk contains the following:


init has a size of 492488 and handles almost all tasks of the 2nd stage bootloader. It can download new software to the NAND, which is handy if you are unlucky enough to have corrupted the NAND contents. The NAND contains an encrypted image which can be downloaded OTA. It is around 18 MB in size and contains a Linux kernel and a ramdisk.

Decrypting the firmware

The firmware is encrypted using AES-256 in ECB mode. The same key is used for decrypting the 2nd stage bootloader and the software in the NAND, and it is stored in encrypted form in the M28W320. To spare you the trouble of pulling the key out, here is a small program that demonstrates how to decrypt both encrypted images.

Why Motorola chose to encrypt the 2nd stage bootloader is beyond me, when the key for decryption is a piece of cake to extract. Perhaps the smart lawyers at Motorola decided that they were best off trying to hide the fact that the box runs Linux. In that way nobody would figure out that they are having severe issues with being in compliance with the GPL. However, that is a story better saved for some other time.
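
The use of ECB described above can be confirmed on a flash dump without any key, because ECB turns equal plaintext blocks into equal ciphertext blocks. The following is an added example (not the author's decryption program) that counts repeated 16-byte blocks from offset 0x10000; `toy_ecb` and `toy_positional` are constructed HMAC-based stand-ins rather than AES, and the sample image is synthetic.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16               # AES block size in bytes
STAGE2_OFFSET = 0x10000  # per the page: encrypted 2nd stage follows the 64 KB 1st stage


def ecb_stats(image: bytes, offset: int = STAGE2_OFFSET) -> dict:
    """Count repeated 16-byte aligned ciphertext blocks from `offset` onward."""
    region = image[offset:]
    usable = len(region) - len(region) % BLOCK  # ignore a trailing partial block
    counts = Counter(region[i:i + BLOCK] for i in range(0, usable, BLOCK))
    total = usable // BLOCK
    repeated = sum(n for n in counts.values() if n > 1)
    return {
        "blocks": total,
        "distinct": len(counts),
        "repeated_fraction": repeated / total if total else 0.0,
        "top_count": max(counts.values(), default=0),
    }


def looks_like_ecb(image: bytes, offset: int = STAGE2_OFFSET, threshold: float = 0.01) -> bool:
    # With a chained or counter mode, identical 16-byte blocks are not expected
    # at firmware sizes, so any noticeable repeat rate points to ECB.
    return ecb_stats(image, offset)["repeated_fraction"] > threshold


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]


def toy_ecb(key: bytes, plain: bytes) -> bytes:
    """Stand-in for ECB (not AES, not invertible): output depends only on the block."""
    return b"".join(_prf(key, plain[i:i + BLOCK]) for i in range(0, len(plain), BLOCK))


def toy_positional(key: bytes, plain: bytes) -> bytes:
    """Stand-in for a mode that mixes the block position into every output block."""
    return b"".join(_prf(key, i.to_bytes(8, "big") + plain[i:i + BLOCK])
                    for i in range(0, len(plain), BLOCK))


def build_sample(encrypt) -> bytes:
    """Constructed image: 64 KB filler, then 'firmware' with zero and 0xFF padding runs."""
    stage1 = hashlib.shake_256(b"stage1").digest(STAGE2_OFFSET)
    plain = hashlib.shake_256(b"kernel").digest(4096) + bytes(2048) + b"\xff" * 2048
    return stage1 + encrypt(b"constructed-key", plain)


if __name__ == "__main__":
    for name, mode in (("ecb-like", toy_ecb), ("positional", toy_positional)):
        print(name, ecb_stats(build_sample(mode)))
```

For a firmware design, the takeaway is that padding and erased-flash runs survive ECB as visible repeats, so an authenticated mode with a per-image nonce is the safer choice.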