
[DOWNGRADE INFO] CDT Parser - Secure Versions Checker

 
Skrilax_CZ
#1  

On request, I've made a small application that allows you to check secure version checks by the bootloader, by which you can determine whether you can downgrade or not.

What is a secure version: when the bootloader checks the signature (on the signed partitions), it will also verify that their secure version is greater than or equal to the requirement stored. The storage works as follows:

CDT Secure Version is written to eFuse as SEC_AP_OS. It is not possible to reflash a cdt with a lower secure version; you will get stuck in fastboot.

Other partitions' secure versions are stored in CDT. Therefore it's potentially possible to have multiple CDTs with the same secure version, but different secure version requirements on the partitions.

Secure version is checked right when signature is checked. This is for Signature Type:
00 - unsigned
01 - checked at each boot
02 - checked at each boot by BP
05 - checked once, and right after flashing with fastboot

How to check whether you can downgrade? It's quite simple.

1) Find the last cdt.bin (cdt.bin_signed) in OTA or FXZ you flashed. Open it in the tool.
2) Open the FXZ or OTA you are about to flash. Compare secure versions for all partitions, including CDT. If the new flash file has lower secure versions, you cannot downgrade.

Lastly, note that to flash through fastboot, filesystem partitions with 05 signature type are checked for signature / sec. version, but you cannot find these in OTA.

Download the tool from here: http://skrilax.droid-developers.org/...arser_1.00.zip
 
whirleyes
(Last edited by whirleyes; 1st June 2012 at 04:51 PM.) Reason: Add attachment;Update CID LATAM
#2  
Thanks, I'm just about to release mine.
But yours is perfect!

To someone who prefers to get their hands dirty,

Open the cdt.bin with a binary editor.
Main secure version ID is at 0x37FC (value = 04 since ICS)
Certificate is 2048bit, starting at address 0x3800 ~ 0x3FFF
Customer ID (CID) is at 0x3FFE
- 7 : EU XT910
- 5 : SKT XT910S
- 4 : CN XT910/KDDI IS12M (XT909)
- 3 : LATAM XT910
- 2 : VZW XT912
- DEAD : Phone with a wiped CID.

Extra:
Remember the method to install Chinese ICS??
By wiping the CID partition, the bootloader ignores the CID number &
that enables you to flash a different region ROM.
The side effect is, it's only bootable via bp-tools.
Update : Myth is confirmed!! CID is erasable by "allow-mbmloader-flashing-mbm.bin". But make sure to have a backup of it first.

I'm a Motorola noob & my information could possibly be wrong.
Proceed at your own risk.

Attached is a simple Java command line tool (useful for batch jobs)
usage : java -jar cdt_reader.jar input.bin > output.txt
Attached Files
File Type: zip cdt_reader.zip (7.3 KB, 615 views)
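The comparison from post #1, using the offsets from post #2, as an added example that is not part of the thread and is not the code of either attached tool. It reads the main secure version at 0x37FC and the CID at 0x3FFE from two cdt.bin images and lists every secure version that is lower in the image about to be flashed. The 16-bit big-endian CID width, the hand-entered per-partition dictionaries and all function names are assumptions; the sample images are constructed.

```python
import struct

SEC_VERSION_OFFSET = 0x37FC  # main secure version byte (offset from post #2)
CID_OFFSET = 0x3FFE          # customer ID (offset from post #2)
MIN_IMAGE_SIZE = 0x4000      # image must cover the CID at 0x3FFE..0x3FFF
WIPED_CID = 0xDEAD           # assumption: "DEAD" is a 16-bit big-endian value


def read_cdt_fields(image: bytes) -> dict:
    """Extract the main secure version and CID from a raw cdt.bin image."""
    if len(image) < MIN_IMAGE_SIZE:
        raise ValueError(f"image too short: {len(image)} bytes")
    (cid,) = struct.unpack_from(">H", image, CID_OFFSET)
    return {"secure_version": image[SEC_VERSION_OFFSET],
            "cid": cid, "cid_wiped": cid == WIPED_CID}


def downgrade_blockers(installed, target, installed_parts=None, target_parts=None):
    """List every secure version that is lower in the target than installed.

    installed/target are raw cdt.bin bytes. The *_parts arguments are optional
    {partition: secure_version} dicts copied by hand from a CDT viewer, because
    the on-disk layout of the per-partition entries is not given in the thread.
    """
    cur, new = read_cdt_fields(installed), read_cdt_fields(target)
    reasons = []
    if new["secure_version"] < cur["secure_version"]:
        reasons.append(f"cdt: {new['secure_version']:#04x} < {cur['secure_version']:#04x}")
    for name, required in sorted((installed_parts or {}).items()):
        offered = (target_parts or {}).get(name)
        if offered is not None and offered < required:
            reasons.append(f"{name}: {offered:#04x} < {required:#04x}")
    return reasons


def sample_image(secure_version: int, cid: int) -> bytes:
    """Constructed image: zero-filled, with only the two fields populated."""
    buf = bytearray(MIN_IMAGE_SIZE)
    buf[SEC_VERSION_OFFSET] = secure_version
    struct.pack_into(">H", buf, CID_OFFSET, cid)
    return bytes(buf)


if __name__ == "__main__":
    installed = sample_image(0x04, 0x0007)  # constructed: value 04, CID 7
    target = sample_image(0x03, 0x0007)     # constructed: lower secure version
    for reason in downgrade_blockers(installed, target, {"system": 4}, {"system": 3}):
        print("blocked by", reason)
```

An empty list only means no lower value was found among the fields supplied; partitions left out of the dictionaries are not checked.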
 
Pzyduck
#3  
As always the best my brother.
 
dtrail1
#4  
Quote:
Originally Posted by whirleyes
Thanks, I'm just about to release mine.
But yours is perfect!

To someone who prefers to get their hands dirty,

Open the cdt.bin with a binary editor.
Main secure version ID is at 0x37FC (value = 04 since ICS)
Certificate is 2048bit, starting at address 0x3800 ~ 0x3FFF
Customer ID is at 0x3FFE
-CID 7 : EU XT910
-CID 2 : VZW XT912
-CID 4 : CN XT910/JP XT909

Extra:
Remember the method to install Chinese ICS??
By wiping the CID partition, the bootloader ignores this end bit &
that enables you to flash a different region ROM.
The side effect is, it's only bootable via bp-tools.

Correct me if I'm wrong

Java command line tool
But without root we aren't able to wipe the CID partition?

 
whirleyes
#5  
No idea. I think fastboot doesn't implement the function.
 
linusmax
#6  
Quote:
Originally Posted by dtrail1
But without root we aren't able to wipe the CID partition?
I have erased the cdt partition and afterwards flashed via fastboot. To do it, it is important to first flash the mbloader rewrite module and reboot; after that, do not flash mbloader, but erase the cdt partition and then write mbloader.

If you look at the sbf steps in the T-Mobile package ... execute only the first flash and reboot, stop the procedure, erase the cdt partition and then execute the next two steps in the sbf.

In this mode you can erase the cdt partition. I have done it ... but afterwards I reflashed the signed cdt of the 4.0.4 OTA because the system does not accept any cdt. You find the cdt partition in the zip of the OTA 4.0.4 T-MO ..


Bye
 
john9
#7  
Thanks for the files!
 
pedrotorresfilho
#8  
Quote:
Originally Posted by Skrilax_CZ
Secure version is checked right when signature is checked. This is for Signature Type:
00 - unsigned
01 - checked at each boot
02 - checked at each boot by BP
05 - checked once, and right after flashing with fastboot

How to check whether you can downgrade? It's quite simple.

1) Find the last cdt.bin (cdt.bin_signed) in OTA or FXZ you flashed. Open it in the tool.
2) Open the FXZ or OTA you are about to flash. Compare secure versions for all partitions, including CDT. If the new flash file has lower secure versions, you cannot downgrade.
Hi Skrilax

This is cdt_bin from two versions of GB, first 2.3.5 and 2.3.6 respectively:


2.3.5


2.3.6

My question is about the security version. It's a 03 cdt secure that's not described by you and I want to move back.

Is there possibly, somehow, a workaround to flash this?

May I just delete the CDT bin?

System also has a different secure version; is this a problem to flash system too?

And, Thanks a lot for the tool!
 
raghav.glass
#9  
Is it possible to downgrade with this method?

I'm on the latest China leak and am unable to root or downgrade...

Someone help pls...
 
linusmax
#10  
Quote:
Originally Posted by pedrotorresfilho
Hi Skrilax

My question is about the security version. It's a 03 cdt secure that's not described by you and I want to move back.

Is there possibly, somehow, a workaround to flash this?

May I just delete the CDT bin?

System also has a different secure version; is this a problem to flash system too?

And, Thanks a lot for the tool!
I have erased the cdt partition via RSD Lite but I can reflash only with the same secure cdt extracted from the OTA. I tried to flash a lower secure cdt but it is NOT possible.

Where is the control?
