[DOWNGRADE INFO] CDT Parser - Secure Versions Checker

---

On request, I've made a small application that allows you to check secure version checks by the bootloader, by which you can determine whether you can downgrade or not.

What is secure version: when bootloader checks signature (on the signed partitions), it will also verify that their secure version is greater or equal than the requirement stored. The storage works as follows:

CDT Secure Version is written to eFuse as SEC_AP_OS. It is not possible to reflash a cdt with lower secure version, you will get stuck in fastboot.

Other partitions' secure versions are stored in CDT. Therefore it's potentially possible to have multiple CDTs with same secure version, but different secure version requirements on the partitions.

Secure version is checked right when signature is checked. This is for Signature Type:
00 - unsigned
01 - checked at each boot
02 - checked at each boot by BP
05 - checked once, and right after flashing with fastboot

How to check whether you can downgrade? It's quite simple.

1) Find the last cdt.bin (cdt.bin_signed) in OTA or FXZ you flashed. Open it in the tool.
2) Open the FXZ or OTA, you are about to flash. Compare secure versions for all partitions, including CDT. If the new flash file has lower secure versions, you cannot downgrade.

Lastly, note that to flash through fastboot, filesystem partitions with 05 signature type are checked for signature / sec. version, but you cannot find these in OTA.

Download the tool from here: http://skrilax.droid-developers.org/...arser_1.00.zip

Thanks, I'm just about to release mine.
But yours if perfect!

To someone who prefer to get their hand dirty,

Open the cdt.bin with a binary editor.
Main secure version ID is at 0x37FC (value = 04 since ICS)
Certificate is 2048bit, starting at address 0x3800 ~ 0x3FFF
Customer ID (CID) is at 0x3FFE
- 7 : EU XT910
- 5 : SKT XT910S
- 4 : CN XT910/KDDI IS12M (XT909)
- 3 : LATAM XT910
- 2 : VZW XT912
- DEAD : Phone with a wiped CID.

Extra:
Remember the method to install chinese ICS??
by wiping the CID partition, the bootloader ignores CID number &
that enable you to flash different region rom.
The side effect is, it's only bootable via bp-tools.
Update : Myth is confirmed!! CID is erasable by "allow-mbmloader-flashing-mbm.bin". But make sure to have a backup of it first.

I'm a motorola noobies & my information could possibly wrong.
Proceed at your own risk.

Attached is a simple Java command line tool (usefull for batch job)
usage : java -jar cdt_reader.jar input.bin > output.txt

As always the best my brother.

Quote:

Originally Posted by whirleyes

Thanks, I'm just about to release mine.
But yours if perfect!

To someone who prefer to get their hand dirty,

Open the cdt.bin with a binary editor.
Main secure version ID is at 0x37FC (value = 04 since ICS)
Certificate is 2048bit, starting at address 0x3800 ~ 0x3FFF
Customer ID is at 0x3FFE
-CID 7 : EU XT910
-CID 2 : VZW XT912
-CID 4 : CN XT910/JP XT909

Extra:
Remember the method to install chinese ICS??
by wiping the CID partition, the bootloader ignores this end bit &
that enable you to flash different region rom.
The side effect is, it's only bootable via bp-tools.

Correct me if I'm wrong

Java command line tool

But without root we aren't able to wipe the CID partition?

No idea. I think, fastboot doesn't implement function.

Quote:

Originally Posted by dtrail1

But without root we aren't able to wipe the CID partition?

I have erased cdt partition and after i have flash via fastboot. For do it is important flash first the mbloader rewrite module, reboot, after not flash mbloader but erase cdt partition and after write mbloader.

If you look the sbf step in t-mobile package ...execute only first flash and reboot, stop procedure, erase cdt partion and after execute the next two step in sbf.

In this mode you can erase cdt partition. i have do it ...but after i have reflashed the cdt of 4.0.4 ota signed because the system not accept any cdt. You find cdt partition in zip of the OTA 4.0.4 T-MO ..


Bye

Thanks for the files!

Quote:

Originally Posted by Skrilax_CZ

Secure version is checked right when signature is checked. This is for Signature Type:
00 - unsigned
01 - checked at each boot
02 - checked at each boot by BP
05 - checked once, and right after flashing with fastboot

How to check whether you can downgrade? It's quite simple.

1) Find the last cdt.bin (cdt.bin_signed) in OTA or FXZ you flashed. Open it in the tool.
2) Open the FXZ or OTA, you are about to flash. Compare secure versions for all partitions, including CDT. If the new flash file has lower secure versions, you cannot downgrade.

Hi Skrilax

This is cdt_bin from two versions of GB, first 2.3.5 and 2.3.6 respectively:


2.3.5


2.3.6

My question is about the secutiry version. It's a 03 cdt secure that's not described by you and I want move back.

It's possible, somehow a workaround to flash this?

May I just delete the CDT bin?

system also have diferent secure version, this is a problem to flash system too?

And, Thanks a lot for the tool!

is it possible to downgrade with this method?

im on the latest china leak and am unable to root or downgrade...

someone help pls...

Quote:

Originally Posted by pedrotorresfilho

Hi Skrilax

My question is about the secutiry version. It's a 03 cdt secure that's not described by you and I want move back.

It's possible, somehow a workaround to flash this?

May I just delete the CDT bin?

system also have diferent secure version, this is a problem to flash system too?

And, Thanks a lot for the tool!

I have erased cdt partition via RDS Lite but i can reflash only with same secure cdt extracted from the OTA. I try to flash minor secure cdt but it is NO possible.

Where is the control ?