
[DEVS] Droid X2 CDT Table

By mostKnownUnknown, Member on 6th August 2011, 02:01 PM
Hello,

Here is something potentially useful for the devs.

I took some time the past few days to experiment a bit with my phone and work on my hexdump skills. After a few days, I came up with some interesting results which I think are worth posting.

CDT Table for Droid X2

After unpacking and experimenting a bit with the two SBF files for the DX2, I noticed an interesting pattern develop in CG3 (Code Group?). CG3 describes the CDT (Code Description Table?) which defines the contents of the SBF file by each CG and where in flash memory space the CG is installed (I'd publish that too but I'm not trusting what Depacker 1.3 is telling me). I used the DX1 CDT file (found in CG31) as a reference, but it was hard since the format changed between the DX1 and the DX2. There is a pattern, and here is what I currently have.

HTML Code:
CDT Entry #	CDT Start Byte	CDT Name	CG#	Signed	Partition	Location within Partition	Signature Location	Exists in SBF
1               0x0010          rdl.bin         ?	?	?               ?                               ?                       ?
2               0x0058          ptable          2	N	?               0x00000000 - 0x000057FF         -                       Y
3               0x00A0          cdt.bin         3	Y	mmcblk0p2       0x00000000 - 0x0007FFFF         0x0007F7FC - 0x0007FC52	Y
4               0x00E8          configtable     39	Y	?               0x00000000 - 0x002FFFFF         0x002FF7FC - 0x002FFC50	Y
5               0x0130          partitiontable  40	?	?               ?                               ?                       N
6               0x0178          bootloader      42	Y	mmcblk0p1       0x00000000 - 0x002FFFFF         0x002FF7FC - 0x002FFC50	Y
7               0x01c0          mbr             45	?	?               ?                               ?                       N
8               0x0208          ebb             46	?	?               ?                               ?                       N
9               0x0250          microboot       47	Y	mmcblk0p1       0x00300000 - 0x0037FFFF 	0x0037F7FC - 0x0037FC52	Y
10              0x0298          pds             51	N	mmcblk0p3       0x00000000 - 0x001FFFFF         -                       N
11              0x02E0          ebr             52	?	?               ?                               ?                       N
12              0x0328          sp              53	?	?               ?                               ?                       N
13              0x0370          cid             54	?	?               ?                               ?                       N
14              0x03B8          misc            55	?	?               ?                               ?                       N
15              0x0400          logo.bin        56	N	?               0x00000000 - 0x00031FFF         -                       Y
16              0x0448          kpanic          57	?	?               ?                               ?                       N
17              0x0490          recovery        58	Y	mmcblk0p10      0x00000000 - 0x007FFFFF         0x007FF7FC - 0x007FFC52	Y
18              0x04D8          boot            59	Y	mmcblk0p11      0x00000000 - 0x007FFFFF         0x007FF7FC - 0x007FFC52	Y
19              0x0520          system          60	N	mmcblk0p12      0x00000000 - 0x1C1FFFFF         -                       Y
20              0x0568          webtop          61	?	?               ?                               ?                       N
21              0x05B0          cdrom           62	N	mmcblk0p14      0x00000000 - 0x013FFFFF         -                       Y
22              0x05F8          cache           63	N	mmcblk0p15      0x00000000 - 0x133FFFFF         -                       N
23              0x0640          userdata        64	N	mmcblk0p16      0x00000000 - 0x7FFFFFFF         -                       N
24              0x0688          preinstall      65	N	mmcblk0p17      0x00000000 - 0x12BFFFFF         -                       Y
25              0x06D0          sdcard          66	N	mmcblk1         -                               -                       N
I also tried to map the CGs to partitions in /dev/block. In some cases it was really simple, especially since most of the bottom of the table is already mounted (adb shell cat /proc/partitions). For the others I had to pull a data copy (e.g. adb shell su -c "dd if=/dev/block/mmcblk0p1 of=/mnt/sdcard-ext/Dev/Partitions/mmcblk0p1.img"), copy the blocks to the computer and do hex compares for the first 0x300 or so bytes. In some cases (particularly mmcblk0p1, where the bootloader and the microboot are made one block together), two CG files are flashed onto one partition back-to-back. In that case I got a bit lucky with hex searching.

Things got more interesting when comparing SBFs of the DX2's sister phones (Atrix 4G and Photon 4G). It turns out not only the table is located in the same CG (CG3) but it also follows the same byte order. Either the names and CG numbers are slightly different (Atrix) or the table is identical to the DX2 with a few extra entries (Photon). Here is what I have.

HTML Code:
CDT Entry #	CDT Start Byte	DX2 CDT Name	DX2 CG#	Atrix CDT Name	Atrix CG#	Photon CDT Name	Photon CG#
1		0x0010		rdl.bin		?	rdl.bin		?		rdl.bin		?
2		0x0058		ptable		2	ptable		2		ptable		2
3		0x00A0		cdt.bin		3	CDT.bin		3		cdt.bin		3
4		0x00E8		configtable	39	BCT.bin		42		configtable	39
5		0x0130		partitiontable	40	PT.bin		43		partitiontable	40
6		0x0178		bootloader	42	EBT.bin		44		bootloader	42
7		0x01c0		mbr		45	MBR.bin		45		mbr		45
8		0x0208		ebb		46	EBB.bin		46		ebb		46
9		0x0250		microboot	47	NVC.bin		47		microboot	47
10		0x0298		pds		51	PDS.bin		48		pds		51
11		0x02E0		ebr		52	EBR.bin		49		ebr		52
12		0x0328		sp		53	SP.bin		50		sp		53
13		0x0370		cid		54	CID.bin		51		cid		54
14		0x03B8		misc		55	MSC.bin		52		misc		55
15		0x0400		logo.bin	56	LOG.bin		53		logo.bin	56
16		0x0448		kpanic		57	KPA.bin		54		kpanic		57
17		0x0490		recovery	58	SOS.bin		55		recovery	58
18		0x04D8		boot		59	LND.bin		56		boot		59
19		0x0520		system		60	APP.bin		57		system		60
20		0x0568		webtop		61	OSH.bin		58		webtop		61
21		0x05B0		cdrom		62	CDR.bin		59		cdrom		62
22		0x05F8		cache		63	CAC.bin		60		cache		63
23		0x0640		userdata	64	UDA.bin		61		userdata	64
24		0x0688		preinstall	65	PIA.bin		62		preinstall	65
25		0x06D0		sdcard		66	SDC.bin		63		sdcard		66
26		0x0718					EBF.bin		64		gpt		67
27		0x0760					NVF.bin		65	
Verification

One thought that must be going through your head is "how is this single digit poster coming up with this stuff?" First, despite not being a true dev, I like looking at low level code and have some experience with it. Second, I encourage someone to take the time to verify my findings by replicating the methods I used, as well as to provide any thoughts on making low level hex analysis useful.

SBFs Used:
Droid X2: VRZ_MB870_DTN-14.8_1FF_01.sbf
Atrix 4G: OLYFR_U4_1.5.2_SIGNED.sbf
Photon 4G: 1FF-sunfire-user-2.3.4-4.5.1A-1_SUN-154_MR-3-CM-release-keys-signed-Sprint-US.sbf

Procedure
- Take a SBF file
- Unpack using Moto Android Depacker 1.3
- Open CG3 in a hex editor (Hex Fiend is free for MacOSX)
- Find the location where an ASCII name starts (e.g. 0x0178 = bootloader, see tables above)
- Exactly 0x21 bytes from the start of the name is the CG value in hex

Thoughts

This analysis brings two things to mind:
1. A "Full" SBF does not mean it has all the partitions. - There is a possibility of bricking your phone beyond belief and even an SBF may not save you.
2. The DX2 seems to be really close to its siblings (Atrix 4G and especially Photon 4G). - I hate that the idea of "Don't use Atrix mods unless you like bricks" gets thrown around without any real technical explanation as to why not. I'm not saying that people tomorrow should flash Atrix SBFs onto DX2 phones. I am saying that we (the DX2 community) should be aware and work closely with the other sister communities to know EXACTLY where the differences between the two phones lie. And hopefully the communities can contribute something that everyone can benefit from (i.e. DX2 and Photon 4G ports of the Atrix bootloader unlock).

I'll experiment with a few other ideas I have in mind and I'll post them as I find something. Thanks for reading.

- mostKnownUnknown
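The procedure in the first post, written out as a parser (an added example, not code from the thread or from SBF Depacker). It assumes a 0x48-byte entry stride (the spacing of the tabulated start bytes), a NUL-terminated ASCII name and a one-byte CG value; `parse_cdt`, `build_sample` and `SAMPLE` are hypothetical names, and the sample blob is constructed.

```python
ENTRY_BASE = 0x10    # first name offset in the thread's tables
ENTRY_STRIDE = 0x48  # spacing of the tabulated start bytes (0x58 - 0x10)
CG_OFFSET = 0x21     # CG value sits 0x21 bytes after the start of the name


def parse_cdt(blob):
    """Return (entry #, start byte, name, CG#) for each CDT entry in a CG3 blob."""
    entries = []
    off = ENTRY_BASE
    while off + CG_OFFSET < len(blob):
        # Assumption: the name is NUL-terminated ASCII inside the first 0x21 bytes.
        name = blob[off:off + CG_OFFSET].split(b"\x00", 1)[0]
        if not name or not all(0x20 <= c < 0x7F for c in name):
            break  # first slot without a printable name ends the table
        # Assumption: the CG value is a single byte (every CG# in the thread fits).
        entries.append((len(entries) + 1, off, name.decode("ascii"),
                        blob[off + CG_OFFSET]))
        off += ENTRY_STRIDE
    return entries


def build_sample(rows):
    """Lay out constructed entries the way the thread's tables describe CG3."""
    blob = bytearray(ENTRY_BASE)  # constructed 0x10-byte header, contents unknown
    for name, cg in rows:
        rec = bytearray(ENTRY_STRIDE)
        rec[:len(name)] = name.encode("ascii")
        rec[CG_OFFSET] = cg
        blob += rec
    return bytes(blob)


# Constructed sample: names and CG numbers of DX2 entries 1-6 from the first table.
# rdl.bin's CG# is unknown in the thread, so 0 stands in as a placeholder.
SAMPLE = build_sample([("rdl.bin", 0), ("ptable", 2), ("cdt.bin", 3),
                       ("configtable", 39), ("partitiontable", 40),
                       ("bootloader", 42)])

if __name__ == "__main__":
    for num, off, name, cg in parse_cdt(SAMPLE):
        print(f"{num:2d}  0x{off:04X}  {name:<16} CG{cg}")
```

To check a real unpacked CG3 against the tables, pass its bytes to `parse_cdt` in place of `SAMPLE`.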
6th August 2011, 08:35 PM |#2  
Member
As this makes no sense to me as a whole, I definitely agree with the similarity of Atrix and DX2.

I am guessing we could [somewhat] easily port the IHOP sbf unlock straight to our phone, and give us an unlocked bootloader.
6th August 2011, 11:42 PM |#3  
0vermind's Avatar
Senior Member
Salt Lake City, Utah
Very thorough research! Well done!
7th August 2011, 01:38 AM |#4  
Junior Member
Quote:
Originally Posted by religi0n

As this makes no sense to me as a whole, I definitely agree with the similarity of Atrix and DX2.

I am guessing we could [somewhat] easily port the IHOP sbf unlock straight to our phone, and give us an unlocked bootloader.

I doubt this quite a bit, as even the international version of the Atrix required a different SBF for IHOP, and with the X2, we're talking about a different amount of RAM (which, coincidentally, was actually an issue with the international Atrix), and a different radio/chipset. However, it isn't a stretch to imagine that a couple of devoted devs could figure out a way to port the unlocked bootloader, especially since the Tenfar System Recovery worked with minimal modifications. So, hopefully.
7th August 2011, 05:20 AM |#5  
juhde's Avatar
Senior Member
Carlsbad, NM
Quote:
Originally Posted by jeffster888

I doubt this quite a bit, as even the international version of the Atrix required a different SBF for IHOP, and with the X2, we're talking about a different amount of RAM (which, coincidentally, was actually an issue with the international Atrix), and a different radio/chipset. However, it isn't a stretch to imagine that a couple of devoted devs could figure out a way to port the unlocked bootloader, especially since the Tenfar System Recovery worked with minimal modifications. So, hopefully.

I agree with you. Could we get an unlocked boot loader ported? Possibly, but leaning into the "won't work area".

The real problem is right now, the people with the know-how either don't have a device to experiment with or they don't care/are too frustrated with (motorola, the og x never being cracked), or they're just too interested in another device. For whatever reason, it seems like the heavy hitters are mostly just ignoring the X2, for now (hopefully).
Sent from my DROID X2 using XDA Premium App
7th August 2011, 06:09 AM |#6  
OP Member
New Jersey
Quote:
Originally Posted by religi0n

As this makes no sense to me as a whole, I definitely agree with the similarity of Atrix and DX2.

I am guessing we could [somewhat] easily port the IHOP sbf unlock straight to our phone, and give us an unlocked bootloader.

Yeah. Sorry if this seems a bit overwhelming. I figured I'd get the data out there first and generate some thoughts. Here's a little bit of background.

So memory in your phone is broken up into a number of partitions. This is much like how you would break up your hard drive into a number of partitions if you plan to install multiple OSes on to your computer. Instead, partitions on your phone are there to organize the data into groups for certain functionality.

If you have adb running, you can verify what partitions you have by running "adb shell cat /proc/partitions":

HTML Code:
./adb shell cat /proc/partitions
major minor  #blocks  name

 179        0    7804416 mmcblk0
 179        1       3584 mmcblk0p1
 179        2        512 mmcblk0p2
 179        3       2048 mmcblk0p3
 179        4          1 mmcblk0p4
 179        5       1024 mmcblk0p5
 179        6        512 mmcblk0p6
 179        7        512 mmcblk0p7
 179        8       1024 mmcblk0p8
 179        9       2048 mmcblk0p9
 179       10       8192 mmcblk0p10
 179       11       8192 mmcblk0p11
 179       12     460800 mmcblk0p12
 179       13        512 mmcblk0p13
 179       14      20480 mmcblk0p14
 179       15     315392 mmcblk0p15
 179       16    2097152 mmcblk0p16
 179       17     307200 mmcblk0p17
 179       18    4574208 mmcblk0p18
 179       32    7774208 mmcblk1
 179       33    7773184 mmcblk1p1
Some partitions (particularly the bottom of the table) are easy to figure out since they are mounted when the operating system is run and you can open its file structure (usually with root).

HTML Code:
./adb shell mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p12 /system ext3 rw,relatime,data=ordered 0 0
/dev/block/mmcblk0p16 /data ext3 rw,nosuid,nodev,noatime,nodiratime,data=ordered 0 0
/dev/block/mmcblk0p15 /cache ext3 rw,nosuid,nodev,noatime,nodiratime,data=ordered 0 0
/dev/block/mmcblk0p3 /pds ext3 rw,nosuid,noexec,relatime,data=ordered 0 0
/dev/block/mmcblk0p17 /preinstall ext3 ro,noatime,nodiratime,data=ordered 0 0
However, most of the partitions are not in a file format that you can mount. And it's hard to figure out what the partition is used for. Since access to the partitions is located in "/dev/block/", I've begun pulling partition images from the phone and trying some low level hex/byte analysis with our SBF's CG data.

For example, in the table from my first post, CG42 (bootloader) and CG47 (microboot) get flashed onto the same memory partition (mmcblk0p1). This has some weird complications which we need to be aware of. Both CG42 and CG47 are already signed. So when I analyzed mmcblk0p1, there are actually two sets of signature data in that partition. I'm not sure what the consequences are for messing with a double-signed partition but at least it's information that we can be aware of now.

As for the bootloader, I actually doubt we can do a direct port of the Atrix unlocker. I don't think it's a memory addressing issue (since most of the partitions have a fixed size and are filled with 0xFF blank data at the end if necessary). I think I'll be getting around the signature checking. If you open any of the bootloader unlock SBFs from Atrix's Project Pudding, all of them are signed and the signatures are not the same between the unlockers for Atrix ATT vs. Atrix Bell. Weren't the unlock SBFs a leak from Moto's development servers? If so, since it came from Moto, I severely doubt that Moto would use the same private key between carriers, let alone between phones.

As a whole, I plan to learn as much about my phone as possible even if I need to delve down into byte data and assembly code. If we want an unlocked bootloader, I'm going to at least try to do something about it rather than sit on my butt and pray to the phone gods. If anything, we'll learn something new about this phone which is at least something since there is so little DX2 data out there.
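The hex-compare step described in the first post and again in the post above, as an added example that is not code from the thread: search a partition dump for the leading bytes of each CG file to see where each one lands. `locate_cgs`, `unexplained_bytes` and `make_cg` are hypothetical names and the image contents are constructed; only the sizes (CG42 and CG47 ranges on mmcblk0p1, 3584 blocks) come from the thread.

```python
PREFIX_LEN = 0x300  # the thread compares "the first 0x300 or so bytes"
BLOCK_SIZE = 1024   # /proc/partitions counts 1 KiB blocks


def locate_cgs(partition, cgs, prefix_len=PREFIX_LEN):
    """Map each CG name to every offset where its leading bytes occur in the dump."""
    hits = {}
    for name, data in cgs.items():
        needle = data[:prefix_len]
        hits[name] = []
        if needle.count(0xFF) == len(needle):
            continue  # an all-0xFF prefix would match the blank padding everywhere
        pos = partition.find(needle)
        while pos != -1:
            hits[name].append(pos)
            pos = partition.find(needle, pos + 1)
    return hits


def unexplained_bytes(blocks, cgs, hits):
    """Partition bytes left over after the last located CG ends."""
    end = max((off + len(cgs[n]) for n, offs in hits.items() for off in offs),
              default=0)
    return blocks * BLOCK_SIZE - end


def make_cg(seed, size):
    """Constructed stand-in for a CG file: 0x300 patterned bytes, then 0xFF fill."""
    head = bytes((i * seed + seed) % 251 for i in range(PREFIX_LEN))
    return head + b"\xff" * (size - len(head))


# Constructed images; only the sizes come from the thread (mmcblk0p1 rows).
CGS = {"CG42": make_cg(42, 0x300000), "CG47": make_cg(47, 0x080000)}
MMCBLK0P1 = CGS["CG42"] + CGS["CG47"]  # stands in for the dd image of mmcblk0p1

if __name__ == "__main__":
    hits = locate_cgs(MMCBLK0P1, CGS)
    for name, offs in hits.items():
        print(name, [hex(o) for o in offs])
    print("unexplained bytes:", unexplained_bytes(3584, CGS, hits))
```

With the table's sizes, the two CGs account for all 3584 blocks that /proc/partitions reports for mmcblk0p1, which matches the back-to-back layout described in the thread.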
9th August 2011, 12:50 PM |#7  
Senior Member
Chicago
I am in love with you bro.
If you get us an unlocked bootloader, I will give you $500 cash in person.

Sent from my ADR6350
9th August 2011, 01:48 PM |#8  
Senior Member
Tampa Bay
Quote:
Originally Posted by Avelnan

$500 cash in person.

And you will have the love and admiration of hundreds of people.


Is there anything I can do to help in this process? I sort of followed what you're saying...
Sent from my DROID X2 using XDA Premium App
10th August 2011, 03:29 AM |#9  
0vermind's Avatar
Senior Member
Salt Lake City, Utah
Quote:
Originally Posted by Ihatepullups

Is there anything I can do to help in this process? I sort of followed what you're saying...

Let's hack moto's servers and download all the development crap we can for the DX2! ;D

Kidding aside, I too also am wondering if there is anything I can do to help.

Edit: @Mostknownunknown How did you unpack the .sbf file? I can't figure it out..
10th August 2011, 01:57 PM |#10  
MikeJ92YJ's Avatar
Senior Member
Quote:
Originally Posted by 0vermind

Let's hack moto's servers and download all the development crap we can for the DX2! ;D

Kidding aside, I too also am wondering if there is anything I can do to help.

Edit: @Mostknownunknown How did you unpack the .sbf file? I can't figure it out..

He Mentioned Something About Depacker 1.3.
10th August 2011, 05:31 PM |#11  
OP Member
New Jersey
Quote:
Originally Posted by 0vermind

Edit: @Mostknownunknown How did you unpack the .sbf file? I can't figure it out..

Yeah. Sorry. It would be good if people knew how to get the tools.

After doing plenty of Google searching, Skrilax_CZ's SBF Depacker 1.3 works in unpacking SBFs from Tegra-based moto phones. Apparently, SBFs have been in use since the Moto RAZR days, but the format keeps changing. Skrilax_CZ's 1.3 version is the only one I know that works.

Since I can't post links yet:
modmymobile.com/forums/402-general-motorola-android/530781-sbf-depacker-1-3-03-22-2011-a.html

Any good hex editor is useful. I'm a Macbook Pro user so I've found Hexfiend. Google it.

Quote:
Originally Posted by 0vermind

Kidding aside, I too also am wondering if there is anything I can do to help.

I have some ideas. But the more I'm researching Pudding, the more it seems impossible for a port. But I'll share my thoughts once I get out of work.