[DOWNGRADE INFO] CDT Parser - Secure Versions Checker

OP Skrilax_CZ

24th May 2012, 10:26 AM   |  #1  
On request, I've made a small application that allows you to check secure version checks by the bootloader, by which you can determine whether you can downgrade or not.

What is a secure version: when the bootloader checks a signature (on the signed partitions), it will also verify that the partition's secure version is greater than or equal to the stored requirement. The storage works as follows:

The CDT secure version is written to an eFuse as SEC_AP_OS. It is not possible to reflash a cdt with a lower secure version; you will get stuck in fastboot.

Other partitions' secure versions are stored in the CDT. Therefore it's potentially possible to have multiple CDTs with the same secure version, but different secure version requirements on the partitions.

The secure version is checked right when the signature is checked. This depends on the Signature Type:
00 - unsigned
01 - checked at each boot
02 - checked at each boot by BP
05 - checked once, and right after flashing with fastboot

How to check whether you can downgrade? It's quite simple.

1) Find the last cdt.bin (cdt.bin_signed) in the OTA or FXZ you flashed. Open it in the tool.
2) Open the FXZ or OTA you are about to flash. Compare the secure versions for all partitions, including CDT. If the new flash file has lower secure versions, you cannot downgrade.

Lastly, note that when flashing through fastboot, filesystem partitions with signature type 05 are checked for signature / secure version, but you cannot find these in an OTA.

Download the tool from here: http://skrilax.droid-developers.org/...arser_1.00.zip
24th May 2012, 11:31 AM   |  #2  
whirleyes
Thanks, I'm just about to release mine.
But yours is perfect!

For someone who prefers to get their hands dirty:

Open the cdt.bin with a binary editor.
Main secure version ID is at 0x37FC (value = 04 since ICS)
Certificate is 2048bit, starting at address 0x3800 ~ 0x3FFF
Customer ID (CID) is at 0x3FFE
- 7 : EU XT910
- 5 : SKT XT910S
- 4 : CN XT910/KDDI IS12M (XT909)
- 3 : LATAM XT910
- 2 : VZW XT912
- DEAD : Phone with a wiped CID.

Extra:
Remember the method to install Chinese ICS??
By wiping the CID partition, the bootloader ignores the CID number &
that enables you to flash a different region rom.
The side effect is, it's only bootable via bp-tools.
Update : Myth is confirmed!! CID is erasable by "allow-mbmloader-flashing-mbm.bin". But make sure to have a backup of it first.

I'm a Motorola noobie & my information could possibly be wrong.
Proceed at your own risk.

Attached is a simple Java command line tool (useful for batch jobs)
usage : java -jar cdt_reader.jar input.bin > output.txt
Attached file: cdt_reader.zip (7.3 KB)
Last edited by whirleyes; 1st June 2012 at 05:51 PM. Reason: Add attachment;Update CID LATAM
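The downgrade check from the first post and the raw offsets from whirleyes's post, as an added Python example (not the OP's tool and not cdt_reader.jar): it reads the main secure version byte at 0x37FC and the CID at 0x3FFE from two cdt.bin images and reports whether the new one would be refused under the secure-version rule. It assumes a one-byte secure version, a 0x4000-byte minimum image, that a wiped CID shows as the bytes DE AD at 0x3FFE, and the hypothetical script name cdt_check.py; it compares only the CDT's own secure version, since the thread gives no layout for the per-partition entries.

```python
import sys

# Offsets from whirleyes's post; taken here as assumptions about the CDT layout.
SECURE_VERSION_OFFSET = 0x37FC   # main secure version byte ("04 since ICS")
CID_OFFSET = 0x3FFE              # Customer ID byte
CDT_MIN_SIZE = 0x4000            # both fields sit below 0x4000
WIPED_CID_MARKER = b"\xDE\xAD"   # "DEAD" = wiped CID (assumed to span 0x3FFE-0x3FFF)

# CID values listed in the thread; anything else is reported as unknown.
CID_REGIONS = {
    7: "EU XT910",
    5: "SKT XT910S",
    4: "CN XT910/KDDI IS12M (XT909)",
    3: "LATAM XT910",
    2: "VZW XT912",
}


def parse_cdt(data: bytes) -> dict:
    """Extract the fields the thread describes from a raw cdt.bin image."""
    if len(data) < CDT_MIN_SIZE:
        raise ValueError(f"image too small: {len(data):#x} bytes, need {CDT_MIN_SIZE:#x}")
    if data[CID_OFFSET:CID_OFFSET + 2] == WIPED_CID_MARKER:
        cid, region = None, "wiped CID"
    else:
        cid = data[CID_OFFSET]
        region = CID_REGIONS.get(cid, "unknown")
    return {"secure_version": data[SECURE_VERSION_OFFSET], "cid": cid, "region": region}


def downgrade_blocked(current_cdt: bytes, new_cdt: bytes) -> bool:
    """True when the new CDT carries a lower secure version than the one already
    flashed, i.e. the SEC_AP_OS eFuse rule would leave the phone stuck in fastboot."""
    return parse_cdt(new_cdt)["secure_version"] < parse_cdt(current_cdt)["secure_version"]


def make_sample_cdt(secure_version: int, cid_word: bytes) -> bytes:
    """Constructed test image (not a real cdt.bin): only the two fields above are set."""
    assert len(cid_word) == 2
    buf = bytearray(CDT_MIN_SIZE)
    buf[SECURE_VERSION_OFFSET] = secure_version
    buf[CID_OFFSET:CID_OFFSET + 2] = cid_word
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: python cdt_check.py <flashed cdt.bin> <cdt.bin about to be flashed>")
    current, new = (open(p, "rb").read() for p in sys.argv[1:3])
    for label, img in (("current", current), ("new", new)):
        print(label, parse_cdt(img))
    print("downgrade blocked" if downgrade_blocked(current, new) else "secure version ok")
```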
24th May 2012, 01:23 PM   |  #3  
Pzyduck
As always the best my brother.
24th May 2012, 01:34 PM   |  #4  
dtrail1
Quote:
Originally Posted by whirleyes

Thanks, I'm just about to release mine.
But yours is perfect!

For someone who prefers to get their hands dirty:

Open the cdt.bin with a binary editor.
Main secure version ID is at 0x37FC (value = 04 since ICS)
Certificate is 2048bit, starting at address 0x3800 ~ 0x3FFF
Customer ID is at 0x3FFE
-CID 7 : EU XT910
-CID 2 : VZW XT912
-CID 4 : CN XT910/JP XT909

Extra:
Remember the method to install Chinese ICS??
By wiping the CID partition, the bootloader ignores this end bit &
that enables you to flash a different region rom.
The side effect is, it's only bootable via bp-tools.

Correct me if I'm wrong

Java command line tool

But without root we aren't able to wipe the CID partition?
24th May 2012, 02:04 PM   |  #5  
whirleyes
No idea. I think fastboot doesn't implement that function.
24th May 2012, 07:09 PM   |  #6  
Member
Flag Putignano (BA)
Quote:
Originally Posted by dtrail1

But without root we aren't able to wipe the CID partition?

I have erased the cdt partition and after that I flashed via fastboot. To do it, it is important to first flash the mbloader rewrite module, reboot, then not flash the mbloader but erase the cdt partition, and after that write the mbloader.

If you look at the sbf steps in the T-Mobile package: execute only the first flash and reboot, stop the procedure, erase the cdt partition, and then execute the next two steps in the sbf.

In this way you can erase the cdt partition. I have done it, but afterwards I reflashed the signed cdt of the 4.0.4 OTA because the system did not accept any other cdt. You can find the cdt partition in the zip of the OTA 4.0.4 T-MO.


Bye
24th May 2012, 07:20 PM   |  #7  
Account currently disabled
Thanks for the files!
25th May 2012, 01:54 AM   |  #8  
pedrotorresfilho
Quote:
Originally Posted by Skrilax_CZ

Secure version is checked right when signature is checked. This is for Signature Type:
00 - unsigned
01 - checked at each boot
02 - checked at each boot by BP
05 - checked once, and right after flashing with fastboot

How to check whether you can downgrade? It's quite simple.

1) Find the last cdt.bin (cdt.bin_signed) in OTA or FXZ you flashed. Open it in the tool.
2) Open the FXZ or OTA, you are about to flash. Compare secure versions for all partitions, including CDT. If the new flash file has lower secure versions, you cannot downgrade.

Hi Skrilax

This is the cdt_bin from two versions of GB, 2.3.5 and 2.3.6 respectively:

[image: 2.3.5]

[image: 2.3.6]

My question is about the security version. It's a 03 cdt secure version that's not described by you, and I want to move back.

Is it possible, somehow, to have a workaround to flash this?

May I just delete the CDT bin?

system also has a different secure version; is this a problem to flash system too?

And, Thanks a lot for the tool!
25th May 2012, 09:15 AM   |  #9  
Is it possible to downgrade with this method?

I'm on the latest China leak and am unable to root or downgrade...

Someone help pls...
25th May 2012, 01:30 PM   |  #10  
Member
Flag Putignano (BA)
Quote:
Originally Posted by pedrotorresfilho

Hi Skrilax

My question is about the security version. It's a 03 cdt secure version that's not described by you, and I want to move back.

Is it possible, somehow, to have a workaround to flash this?

May I just delete the CDT bin?

system also has a different secure version; is this a problem to flash system too?

And, Thanks a lot for the tool!

I have erased the cdt partition via RDS Lite, but I can reflash only with a cdt of the same secure version extracted from the OTA. I tried to flash a cdt with a lower secure version, but it is NOT possible.

Where is the control?
