[DOWNGRADE INFO] CDT Parser - Secure Versions Checker

24th May 2012, 09:26 AM |#1
Skrilax_CZ (OP, Recognized Developer)
On request, I've made a small application that lets you inspect the secure versions checked by the bootloader, from which you can determine whether you can downgrade or not.

What a secure version is: when the bootloader checks the signature (on the signed partitions), it also verifies that their secure version is greater than or equal to the stored requirement. The storage works as follows:

The CDT secure version is written to an eFuse as SEC_AP_OS. It is not possible to reflash a CDT with a lower secure version; you will get stuck in fastboot.

The other partitions' secure versions are stored in the CDT. Therefore it is potentially possible to have multiple CDTs with the same secure version but different secure version requirements on the partitions.

The secure version is checked right when the signature is checked. This depends on the Signature Type:
00 - unsigned
01 - checked at each boot
02 - checked at each boot by BP
05 - checked once, and right after flashing with fastboot

How to check whether you can downgrade? It's quite simple.

1) Find the last cdt.bin (cdt.bin_signed) in the OTA or FXZ you flashed. Open it in the tool.
2) Open the FXZ or OTA you are about to flash. Compare the secure versions for all partitions, including the CDT. If the new flash file has lower secure versions, you cannot downgrade.

Lastly, note that when flashing through fastboot, filesystem partitions with signature type 05 are checked for signature / secure version, but you cannot find these in an OTA.

Download the tool from here: http://skrilax.droid-developers.org/...arser_1.00.zip
24th May 2012, 10:31 AM |#2
whirleyes (Retired Recognized Developer)
Thanks, I'm just about to release mine.
But yours is perfect!

For those who prefer to get their hands dirty:

Open the cdt.bin with a binary editor.
Main secure version ID is at 0x37FC (value = 04 since ICS)
Certificate is 2048bit, starting at address 0x3800 ~ 0x3FFF
Customer ID (CID) is at 0x3FFE
- 7 : EU XT910
- 5 : SKT XT910S
- 4 : CN XT910/KDDI IS12M (XT909)
- 3 : LATAM XT910
- 2 : VZW XT912
- DEAD : Phone with a wiped CID.

Extra:
Remember the method to install Chinese ICS?
By wiping the CID partition, the bootloader ignores the CID number, and
that enables you to flash a different region's ROM.
The side effect is that it's only bootable via bp-tools.
Update: Myth confirmed!! The CID is erasable by "allow-mbmloader-flashing-mbm.bin". But make sure to have a backup of it first.

I'm a Motorola noobie & my information could possibly be wrong.
Proceed at your own risk.

Attached is a simple Java command line tool (useful for batch jobs).
Usage: java -jar cdt_reader.jar input.bin > output.txt
Attached file: cdt_reader.zip (7.3 KB)
Last edited by whirleyes; 1st June 2012 at 04:51 PM. Reason: Add attachment;Update CID LATAM
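The procedure in post #1 (compare the secure versions of the CDT you last flashed with those in the package you want to flash) and the raw offsets in post #2 can be combined into a small checker. The following is an added example written for this page; it is neither Skrilax_CZ's CDT Parser nor whirleyes's cdt_reader.jar. Beyond what the posts state, it assumes that the secure version field at 0x37FC is a single byte, that the CID at 0x3FFE is a 16-bit big-endian value (so a wiped CID reads as 0xDEAD), and that the image is at least 0x4000 bytes long. The per-partition secure versions are passed in as a dict, because the thread does not document how they are laid out inside the CDT. The sample images are constructed, not dumps from a phone.

```python
"""Minimal cdt.bin inspector and downgrade check (added example, not the thread's tools).

Offsets follow post #2: main secure version at 0x37FC, certificate at
0x3800..0x3FFF, Customer ID (CID) at 0x3FFE.  Field widths and byte order
are assumptions, not stated on the page.
"""
import struct
from typing import Dict, List, Tuple

CDT_MIN_LEN = 0x4000          # certificate runs to 0x3FFF, so the image must reach here
OFF_SECURE_VERSION = 0x37FC   # "Main secure version ID" (assumed: one byte)
OFF_CERT = 0x3800             # 2048-bit certificate, 0x3800..0x3FFF
OFF_CID = 0x3FFE              # Customer ID (assumed: 16-bit big-endian)

CID_NAMES = {                 # table from post #2
    7: "EU XT910",
    5: "SKT XT910S",
    4: "CN XT910 / KDDI IS12M (XT909)",
    3: "LATAM XT910",
    2: "VZW XT912",
    0xDEAD: "wiped CID",
}


def parse_cdt(image: bytes) -> Dict[str, object]:
    """Extract the fields the thread names from a raw cdt.bin image."""
    if len(image) < CDT_MIN_LEN:
        raise ValueError(f"cdt image too short: {len(image):#x} < {CDT_MIN_LEN:#x}")
    cid = struct.unpack_from(">H", image, OFF_CID)[0]
    return {
        "secure_version": image[OFF_SECURE_VERSION],
        "cid": cid,
        "cid_name": CID_NAMES.get(cid, "unknown"),
        # the CID bytes sit at the tail of the certificate area, so stop there
        "certificate": image[OFF_CERT:OFF_CID],
    }


def downgrade_allowed(current_cdt: bytes, new_cdt: bytes) -> Tuple[bool, str]:
    """Apply the rule from post #1 to the CDT itself.

    The secure version of the last flashed CDT is burned into the SEC_AP_OS
    eFuse; the bootloader accepts a new CDT only if its secure version is
    greater than or equal to that value.  A lower value means fastboot rejects
    it and the phone is stuck in fastboot.
    """
    cur = parse_cdt(current_cdt)["secure_version"]
    new = parse_cdt(new_cdt)["secure_version"]
    if new < cur:
        return False, (f"new CDT secure version {new:#04x} is below the fused "
                       f"{cur:#04x}; fastboot would reject it")
    return True, f"new CDT secure version {new:#04x} >= fused {cur:#04x}"


def check_partitions(required: Dict[str, int], candidate: Dict[str, int]) -> List[str]:
    """Compare per-partition secure versions (as read by a CDT parser).

    `required` holds the requirements recorded in the currently flashed CDT,
    `candidate` the versions carried by the package about to be flashed.
    Returns the partitions whose candidate version is below the requirement.
    """
    return sorted(p for p, req in required.items()
                  if p in candidate and candidate[p] < req)


def make_cdt(secure_version: int, cid: int) -> bytes:
    """Build a constructed CDT image for testing (not a real dump)."""
    buf = bytearray(CDT_MIN_LEN)
    buf[OFF_SECURE_VERSION] = secure_version
    struct.pack_into(">H", buf, OFF_CID, cid)
    return bytes(buf)


if __name__ == "__main__":
    ics = make_cdt(4, 7)   # constructed: ICS EU XT910, secure version 04
    gb = make_cdt(3, 7)    # constructed: older GB image, secure version 03
    print(parse_cdt(ics))
    print(downgrade_allowed(ics, gb))       # flashing GB over ICS: rejected
    print(check_partitions({"system": 2, "boot": 1}, {"system": 1, "boot": 1}))
```

To run it on a real dump, replace the constructed images with the contents of the cdt.bin files taken from the two packages. A False from downgrade_allowed corresponds to the "stuck in fastboot" case in post #1; an empty list from check_partitions means the per-partition requirements are also met, which is the second half of the check.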
24th May 2012, 12:23 PM |#3
Pzyduck (Senior Member, La Rioja)
As always the best, my brother.
24th May 2012, 12:34 PM |#4
Recognized Contributor, Frankfurt
Quote:
Originally Posted by whirleyes

Thanks, I'm just about to release mine.
But yours is perfect!

For those who prefer to get their hands dirty:

Open the cdt.bin with a binary editor.
Main secure version ID is at 0x37FC (value = 04 since ICS)
Certificate is 2048bit, starting at address 0x3800 ~ 0x3FFF
Customer ID is at 0x3FFE
-CID 7 : EU XT910
-CID 2 : VZW XT912
-CID 4 : CN XT910/JP XT909

Extra:
Remember the method to install Chinese ICS?
By wiping the CID partition, the bootloader ignores this end bit, and
that enables you to flash a different region's ROM.
The side effect is that it's only bootable via bp-tools.

Correct me if I'm wrong

Java command line tool

But without root, aren't we able to wipe the CID partition?
24th May 2012, 01:04 PM |#5
whirleyes (Retired Recognized Developer)
No idea. I think fastboot doesn't implement that function.
24th May 2012, 06:09 PM |#6
Member, Putignano (BA)
Quote:
Originally Posted by dtrail1

But without root, aren't we able to wipe the CID partition?

I have erased the cdt partition and afterwards flashed via fastboot. To do it, it is important to flash the mbmloader rewrite module first, reboot, then do not flash mbmloader but erase the cdt partition, and after that write mbmloader.

If you look at the sbf steps in the T-Mobile package... execute only the first flash and reboot, stop the procedure, erase the cdt partition and then execute the next two steps in the sbf.

In this way you can erase the cdt partition. I have done it... but afterwards I reflashed the signed cdt of the 4.0.4 OTA because the system does not accept any other cdt. You find the cdt partition in the zip of the OTA 4.0.4 T-MO.

Bye
24th May 2012, 06:20 PM |#7
Account currently disabled
Thanks for the files!
25th May 2012, 12:54 AM |#8
pedrotorresfilho (Senior Member)
Quote:
Originally Posted by Skrilax_CZ

Secure version is checked right when signature is checked. This is for Signature Type:
00 - unsigned
01 - checked at each boot
02 - checked at each boot by BP
05 - checked once, and right after flashing with fastboot

How to check whether you can downgrade? It's quite simple.

1) Find the last cdt.bin (cdt.bin_signed) in OTA or FXZ you flashed. Open it in the tool.
2) Open the FXZ or OTA, you are about to flash. Compare secure versions for all partitions, including CDT. If the new flash file has lower secure versions, you cannot downgrade.

Hi Skrilax

This is the cdt_bin from two versions of GB, 2.3.5 and 2.3.6 respectively:

[screenshot: cdt.bin from 2.3.5]

[screenshot: cdt.bin from 2.3.6]

My question is about the security version. It's a 03 CDT secure version, which isn't described by you, and I want to move back.

Is it possible, somehow, to find a workaround to flash this?

May I just delete the CDT bin?

system also has a different secure version; is this a problem for flashing system too?

And thanks a lot for the tool!
25th May 2012, 08:15 AM |#9
Member
Is it possible to downgrade with this method?

I'm on the latest China leak and am unable to root or downgrade...

Someone help, please...
25th May 2012, 12:30 PM |#10
Member, Putignano (BA)
Quote:
Originally Posted by pedrotorresfilho

Hi Skrilax

My question is about the security version. It's a 03 CDT secure version, which isn't described by you, and I want to move back.

Is it possible, somehow, to find a workaround to flash this?

May I just delete the CDT bin?

system also has a different secure version; is this a problem for flashing system too?

And thanks a lot for the tool!

I have erased the cdt partition via RSD Lite, but I can reflash only with the same secure cdt extracted from the OTA. I tried to flash a lower secure cdt but it is NOT possible.

Where is the check?