On request, I've made a small application that lets you check the secure version checks done by the bootloader, so you can determine whether you can downgrade or not.
What is secure version: when the bootloader checks the signature (on the signed partitions), it also verifies that their secure version is greater than or equal to the stored requirement. The storage works as follows:
The CDT secure version is written to eFuse as SEC_AP_OS. It is not possible to reflash a CDT with a lower secure version; you will get stuck in fastboot.
Other partitions' secure versions are stored in the CDT. Therefore it's potentially possible to have multiple CDTs with the same secure version, but different secure version requirements on the partitions.
Secure version is checked right when signature is checked. This is for Signature Type:
00 - unsigned
01 - checked at each boot
02 - checked at each boot by BP
05 - checked once, and right after flashing with fastboot
How to check whether you can downgrade? It's quite simple.
1) Find the last cdt.bin (cdt.bin_signed) in the OTA or FXZ you flashed. Open it in the tool.
2) Open the FXZ or OTA you are about to flash. Compare the secure versions for all partitions, including the CDT. If the new flash file has lower secure versions, you cannot downgrade.
Lastly, note that to flash through fastboot, filesystem partitions with the 05 signature type are checked for signature / sec. version, but you cannot find these in an OTA.
Download the tool from here: http://skrilax.droid-developers.org/moto/tools/CDTParser_1.00.zip
Thanks, I'm just about to release mine.
But yours is perfect!
For those who prefer to get their hands dirty,
Open the cdt.bin with a binary editor.
Main secure version ID is at 0x37FC (value = 04 since ICS)
Certificate is 2048-bit, at address 0x3800 ~ 0x3FFF
Customer ID (CID) is at 0x3FFE
- 7 : EU XT910
- 5 : SKT XT910S
- 4 : CN XT910/KDDI IS12M (XT909)
- 3 : LATAM XT910
- 2 : VZW XT912
- DEAD : Phone with a wiped CID.
Extra:
Remember the method to install Chinese ICS?
By wiping the CID partition, the bootloader ignores the CID number &
that enables you to flash a different region ROM.
The side effect is, it's only bootable via bp-tools.
Update: Myth is confirmed!! CID is erasable by "allow-mbmloader-flashing-mbm.bin". But make sure to have a backup of it first.
I'm a Motorola noob & my information could possibly be wrong.
Proceed at your own risk.
Attached is a simple Java command line tool (useful for batch jobs)
usage : java -jar cdt_reader.jar input.bin > output.txt
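To make the two checks above concrete (the offsets whirleyes gives and Skrilax_CZ's compare-the-secure-versions rule), here is an added Python example; it is not the CDTParser or cdt_reader tool from this thread. It assumes the image is at least 0x4000 bytes, reads the secure version as the single byte at 0x37FC and the CID as a big-endian 16-bit word at 0x3FFE (so a wiped CID reads DE AD), and takes the per-partition signature types and secure versions as plain dictionaries, since the thread does not document how those entries are laid out inside the CDT. The partition names and values in demo() are constructed.

```python
"""Added example: parse the cdt.bin fields quoted in this thread and apply the
bootloader's secure-version rule to decide whether a package can be flashed.
Constructed stand-in images only; this is not the thread's CDTParser/cdt_reader."""
from typing import Dict, List, NamedTuple

# Offsets quoted by whirleyes for the RAZR (XT910/XT912) cdt.bin. Only these two
# fields are modelled; the per-partition entries and the certificate body are not.
SECURE_VERSION_OFFSET = 0x37FC   # one byte, "04 since ICS" per the thread
CID_OFFSET = 0x3FFE              # two bytes; 0xDEAD reported for a wiped CID
CERT_REGION = (0x3800, 0x3FFF)   # 2048-bit certificate region, not parsed here
CDT_IMAGE_SIZE = 0x4000          # ASSUMPTION: image is at least 16 KiB so the offsets exist
WIPED_CID = 0xDEAD

# Signature types from the OP. Secure version is only enforced for signed entries.
SIGNATURE_TYPES = {
    0x00: "unsigned",
    0x01: "checked at each boot",
    0x02: "checked at each boot by BP",
    0x05: "checked once, right after flashing with fastboot",
}

# Customer IDs listed in the thread.
CID_NAMES = {
    0x0007: "EU XT910",
    0x0005: "SKT XT910S",
    0x0004: "CN XT910 / KDDI IS12M (XT909)",
    0x0003: "LATAM XT910",
    0x0002: "VZW XT912",
    WIPED_CID: "wiped CID",
}


class CdtHeader(NamedTuple):
    secure_version: int
    cid: int
    cid_name: str


class PartitionPolicy(NamedTuple):
    signature_type: int   # key of SIGNATURE_TYPES
    secure_version: int


def parse_cdt_header(cdt: bytes) -> CdtHeader:
    """Read the secure-version byte and the CID word at the offsets the thread gives.
    ASSUMPTION: the CID is stored big-endian, so a wiped CID shows as DE AD in a hex editor."""
    if len(cdt) < CDT_IMAGE_SIZE:
        raise ValueError(f"cdt image too short: {len(cdt):#x} bytes, need {CDT_IMAGE_SIZE:#x}")
    secure_version = cdt[SECURE_VERSION_OFFSET]
    cid = int.from_bytes(cdt[CID_OFFSET:CID_OFFSET + 2], "big")
    return CdtHeader(secure_version, cid, CID_NAMES.get(cid, f"unknown ({cid:#06x})"))


def check_downgrade(installed_cdt: CdtHeader, installed_policy: Dict[str, PartitionPolicy],
                    candidate_cdt: CdtHeader, candidate_policy: Dict[str, PartitionPolicy]) -> List[str]:
    """Return the reasons the bootloader would refuse the candidate package (empty = allowed).

    Rules as the OP describes them: the CDT secure version is burned to eFuse (SEC_AP_OS), so a
    lower one is refused; every signed partition in the candidate must meet the secure version
    the installed CDT demands; unsigned (type 00) entries are not checked. The CID rule follows
    whirleyes' description: a mismatch blocks the flash unless the device CID has been wiped."""
    problems: List[str] = []
    if candidate_cdt.secure_version < installed_cdt.secure_version:
        problems.append(f"cdt: secure version {candidate_cdt.secure_version} "
                        f"< eFuse SEC_AP_OS {installed_cdt.secure_version}")
    if installed_cdt.cid != WIPED_CID and candidate_cdt.cid != installed_cdt.cid:
        problems.append(f"cdt: CID {candidate_cdt.cid:#06x} ({candidate_cdt.cid_name}) "
                        f"!= device CID {installed_cdt.cid:#06x} ({installed_cdt.cid_name})")
    for name, required in installed_policy.items():
        if required.signature_type == 0x00 or name not in candidate_policy:
            continue
        offered = candidate_policy[name]
        if offered.secure_version < required.secure_version:
            problems.append(f"{name}: secure version {offered.secure_version} < required "
                            f"{required.secure_version} (type {required.signature_type:02x}: "
                            f"{SIGNATURE_TYPES.get(required.signature_type, 'unknown')})")
    return problems


def make_cdt_image(secure_version: int, cid: int) -> bytes:
    """Constructed 16 KiB stand-in for cdt.bin with only the two parsed fields populated.
    The certificate region is zero-filled, so this is not a signed or flashable image."""
    img = bytearray(CDT_IMAGE_SIZE)
    img[SECURE_VERSION_OFFSET] = secure_version
    img[CID_OFFSET:CID_OFFSET + 2] = cid.to_bytes(2, "big")
    return bytes(img)


def demo() -> List[str]:
    """Installed ICS CDT (secure version 4, EU XT910) versus an older package (secure version 3).
    Partition names and values are constructed for the example."""
    installed = parse_cdt_header(make_cdt_image(4, 0x0007))
    candidate = parse_cdt_header(make_cdt_image(3, 0x0007))
    installed_policy = {"boot": PartitionPolicy(0x01, 4), "system": PartitionPolicy(0x05, 4),
                        "cache": PartitionPolicy(0x00, 0)}
    candidate_policy = {"boot": PartitionPolicy(0x01, 3), "system": PartitionPolicy(0x05, 3),
                        "cache": PartitionPolicy(0x00, 0)}
    return check_downgrade(installed, installed_policy, candidate, candidate_policy)


if __name__ == "__main__":
    for line in demo() or ["no secure-version objections"]:
        print(line)
```

On a real device you would feed parse_cdt_header() the cdt.bin from the last package you flashed and the one you intend to flash, and fill the two policy dictionaries from what the tool prints for each partition; the demo run reports the CDT, boot and system entries as blocked and says nothing about the unsigned cache entry.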
As always the best my brother.
whirleyes said:
Thanks, I'm just about to release mine.
But yours is perfect!
For those who prefer to get their hands dirty,
Open the cdt.bin with a binary editor.
Main secure version ID is at 0x37FC (value = 04 since ICS)
Certificate is 2048-bit, at address 0x3800 ~ 0x3FFF
Customer ID is at 0x3FFE
-CID 7 : EU XT910
-CID 2 : VZW XT912
-CID 4 : CN XT910/JP XT909
Extra:
Remember the method to install Chinese ICS?
By wiping the CID partition, the bootloader ignores this end bit &
that enables you to flash a different region ROM.
The side effect is, it's only bootable via bp-tools.
Correct me if I'm wrong
Java command line tool
But without root we aren't able to wipe the CID partition?
No idea. I think fastboot doesn't implement that function.
dtrail1 said:
But without root we aren't able to wipe the CID partition?
I have erased the cdt partition and afterwards flashed via fastboot. To do it, it is important to flash the mbmloader rewrite module first, reboot, then do not flash mbmloader but erase the cdt partition, and then write mbmloader.
If you look at the sbf steps in the T-Mobile package: execute only the first flash and reboot, stop the procedure, erase the cdt partition and then execute the next two steps in the sbf.
In this way you can erase the cdt partition. I have done it... but afterwards I reflashed the signed cdt of the 4.0.4 OTA because the system does not accept any cdt. You find the cdt partition in the zip of the 4.0.4 T-MO OTA.
Bye
Thanks for the files!
Skrilax_CZ said:
Secure version is checked right when signature is checked. This is for Signature Type:
00 - unsigned
01 - checked at each boot
02 - checked at each boot by BP
05 - checked once, and right after flashing with fastboot
How to check whether you can downgrade? It's quite simple.
1) Find the last cdt.bin (cdt.bin_signed) in OTA or FXZ you flashed. Open it in the tool.
2) Open the FXZ or OTA, you are about to flash. Compare secure versions for all partitions, including CDT. If the new flash file has lower secure versions, you cannot downgrade.
Hi Skrilax
These are the cdt_bin from two versions of GB, 2.3.5 and 2.3.6 respectively:
2.3.5
2.3.6
My question is about the security version. It's a 03 cdt secure version that's not described by you, and I want to move back.
Is it possible, somehow, with a workaround to flash this?
May I just delete the CDT bin?
system also has a different secure version; is this a problem to flash system too?
And, Thanks a lot for the tool!
Is it possible to downgrade with this method?
I'm on the latest China leak and am unable to root or downgrade...
Someone help pls...
pedrotorresfilho said:
Hi Skrilax
My question is about the security version. It's a 03 cdt secure version that's not described by you, and I want to move back.
Is it possible, somehow, with a workaround to flash this?
May I just delete the CDT bin?
system also has a different secure version; is this a problem to flash system too?
And, thanks a lot for the tool!
I have erased the cdt partition via RSD Lite but I can reflash only with the same-secure-version cdt extracted from the OTA. I tried to flash a lower-secure-version cdt but it is NOT possible.
Where is the control?
linusmax said:
I have erased the cdt partition via RSD Lite but I can reflash only with the same-secure-version cdt extracted from the OTA. I tried to flash a lower-secure-version cdt but it is NOT possible.
Where is the control?
Hi, thanks for the reply.
Had you flashed the lower-secure-version mbmloader before?
Status code (Locked 0) :/
Sent from my XT910 using Tapatalk 2
@pedrotorresfilho: Secure version is a plain number. What I was describing is the signature type (a different column).
And no, once you have cdt.bin with sec. ver 03, you can only flash another one with sec. ver 03.
Skrilax_CZ said:
@pedrotorresfilho: Secure version is a plain number. What I was describing is the signature type (a different column).
And no, once you have cdt.bin with sec. ver 03, you can only flash another one with sec. ver 03.
Oh, Man!
The actual official OTA for Vivo is GB 2.3.5, but the update to 2.3.6 before the ICS rollout is about to happen. The next one will probably be the good one. (All the OTA updates to LatAm RAZRs came from service providers/carriers: Rogers, Fido, Telcel, Vivo...)
I saw a Vivo update news item on the Motorola website and I'm guessing ICS will come first to Vivo phones.
Thanks a lot!
Bump!
whirleyes said:
Thanks, I'm just about to release mine.
But yours is perfect!
For those who prefer to get their hands dirty,
Open the cdt.bin with a binary editor.
Main secure version ID is at 0x37FC (value = 04 since ICS)
Certificate is 2048-bit, at address 0x3800 ~ 0x3FFF
Customer ID is at 0x3FFE
-CID 7 : EU XT910
-CID 5 : SKT XT910S
-CID 4 : CN XT910/KDDI IS12M (XT909)
-CID 2 : VZW XT912
#CID for LATAM? (I haven't checked)
Extra:
Remember the method to install Chinese ICS?
By wiping the CID partition, the bootloader ignores this end bit &
that enables you to flash a different region ROM.
The side effect is, it's only bootable via bp-tools.
I'm a Motorola noob & my information could possibly be wrong.
Proceed at your own risk.
Attached is a simple Java command line tool (useful for batch jobs)
usage : java -jar cdt_reader.jar input.bin > output.txt
Thanks for sharing!
I have a bricked XT910S which has no SBF files to flash...
My question is: if I change the CID in another RAZR version's fastboot files' cdt (to match my XT910S), would I be able to flash it to my damn SKT RAZR?
Would it be possible to edit that cdt file?
I greatly appreciate your suggestions!
Thanks.
Sent from my HTC Wildfire
reachking said:
Would it be possible to edit that cdt file?
The cdt file is signed by a Motorola security certificate. If you edit it, it will fail the verification test. It won't be flashable.
whirleyes said:
The cdt file is signed by a Motorola security certificate. If you edit it, it will fail the verification test. It won't be flashable.
I am stuck on the ICS 4.0.4 leak (non-rooted). I plan to flash 2.3.6 on this and give Motorola my non-booting phone to get a motherboard or some sort of replacement phone to get back to 2.3.6.
nischalnischal said:
I am stuck on the ICS 4.0.4 leak (non-rooted). I plan to flash 2.3.6 on this and give Motorola my non-booting phone to get a motherboard or some sort of replacement phone to get back to 2.3.6.
No need to change hardware parts. They are able to flash specially signed fastboot files to rewrite partitions.
Sent from my XT910 using Tapatalk 2
dtrail1 said:
No need to change hardware parts. They are able to flash specially signed fastboot files to rewrite partitions.
Sent from my XT910 using Tapatalk 2
Wow, that's good news, let me try that.
nischalnischal said:
Wow, that's good news, let me try that.
Of course it's possible they'll check the partition signature to find out you voided the warranty.
Just wanted to say I had been running my Verizon Note 3 (non-dev edition) like everyone else here,
with the BL unlocked to dev edition and rooted, most likely with either Kingo or SuperSU through teamyemin or proyemin, and I think there is another one too.
Basically, if you want to go back 100% original (including your original CID), it's not as easy as you might think.
First thing I did was wipe everything that was possible to wipe from within TWRP recovery.
Next I booted to Odin download mode.
From there I flashed the OB6 official firmware.
Then I rooted using the Kingo method, as this seemed the most likely not to infect my computer and possibly only stole info from my phone. (This used the 2 files 1.tar and 2.tar flashed with Odin for PC.)
I then verified my root and installed Terminal Emulator and ES File Explorer root.
I copied samsung_cid to the phone's SD card and used ES File Explorer root to move it to /data/local/tmp.
Changed my CID back to original and rebooted the phone.
Booted to stock recovery and wiped everything I could and booted into Odin download mode.
Flashed OF1 official.
There is a very important part that could get a lot of people's phones into brick mode.
When you go to change the CID back to original, you had better already have the stock BL on and running and >>>NOT<<< the DEV BL.
That is why I chose to flash an official OB6 ROM first.
If you try to change the CID to original non-dev edition and reboot your phone, this could have problems since you would have the dev BL flashed with a non-dev BL CID.
When the CID for the dev edition became available, you could change the CID first and boot into the BL and it would say something like "developer mode enabled" or something like that, even if you had the stock BL flashed (not the dev BL).
This is fine.
The only problem is if you change that CID back to stock/original non-dev while you are running the dev BL.
I don't know what would happen, but I bet it wouldn't be good.
OK, the next part I think is important is getting rid of Kingo root as much as possible, and that is why I flashed the OB6 firmware first and then OF1 as my very last step.
OK, thanks.
I know a lot of people are probably gonna say why would you want to go back to the stock original CID, and my answer is this:
the phone is really stable, and also I may want to sell it, which I'm thinking about.
Hope it helped some people.
Where do we get our original CID?
The method used to do the unlocking runs the tool in two passes, like this:
pass1: change the CID.
pass2: (create debrick image &) alter the aboot partition sig to the DevEd sig.
There is no reason this can not be reversed (assuming you have root on ANY ROM) e.g. :
pass_negative_2: flash stock aboot to aboot partition.**
pass_negative_1: revert the CID by altering the original code to write your CID (minor code change and recompile).
** must be from the exact same version of boot firmware you have on the phone; you could use "dd" for this.
There are no reports of people trying this explicitly, but OTOH note this: there were owners of DevEd devices that accidentally flashed stock bootloaders. They didn't change their CID, and they didn't brick. They just couldn't go back to an unlocked bootloader any longer, or boot custom kernels: they converted their phones to retail without ever changing their CID.
Anyhow, it appears that you went through a ton of effort, when all you needed to do was flash the stock "aboot" back into place.
It probably isn't even necessary to revert the CID back.
ExpialZLD said:
Where do we get our original CID?
You recorded it - as a precaution - when you went through the unlocking process. Didn't you?
As I mentioned above, it probably doesn't matter anyway.
@OP: did your "Custom" boot logo disappear eventually?
PS even after doing this the phone will still have a blown knox warranty flag and certain TZ/qseecom functionality will no longer work, even with 100% pure stock on the phone.
bftb0 said:
The method used to do the unlocking runs the tool in two passes, like this:
pass1: change the CID.
pass2: (create debrick image &) alter the aboot partition sig to the DevEd sig.
There is no reason this can not be reversed (assuming you have root on ANY ROM) e.g. :
pass_negative_2: flash stock aboot to aboot partition.**
pass_negative_1: revert the CID by altering the original code to write your CID (minor code change and recompile).
** must be from the exact same version of boot firmware you have on the phone; you could use "dd" for this.
There are no reports of people trying this explicitly, but OTOH note this: there were owners of DevEd devices that accidentally flashed stock bootloaders. They didn't change their CID, and they didn't brick. They just couldn't go back to an unlocked bootloader any longer, or boot custom kernels: they converted their phones to retail without ever changing their CID.
Anyhow, it appears that you went through a ton of effort, when all you needed to do was flash the stock "aboot" back into place.
It probably isn't even necessary to revert the CID back.
You recorded it - as a precaution - when you went through the unlocking process. Didn't you?
As I mentioned above, it probably doesn't matter anyway.
@OP: did your "Custom" boot logo disappear eventually?
PS even after doing this the phone will still have a blown knox warranty flag and certain TZ/qseecom functionality will no longer work, even with 100% pure stock on the phone.
By "record", do you mean using a tool, or taking a picture of the CID?
ExpialZLD said:
By "record", do you mean using a tool, or taking a picture of the CID?
Cut-n-paste to a text file.
The tool spews out onto the screen the device's CID before it goes about changing it.
That assumes you followed the directions in the OP and used ADB. Or, didn't follow those instructions and used a terminal emulator. (I don't know whether or not the app shows you the output from the binary).
As I mentioned, folks that had DevEd devices (that is, "factory unlocked" bootloaders) that made the mistake of flashing stock firmware turned their DevEd phones into retail phones - without ever changing the CID to some other value. So it may not even matter - you end up with a "retail" phone with the same CID that you currently have.
In any event, if you didn't record the previous CID, there's nothing to do about it.
The OP mentions something called "samsung_cid". I presume he is talking about a mod of the original code that allows you to re-write the CID to an arbitrary value.
Hello guys,
My goal is to successfully unlock the bootloader with the safest possible method. I'm not completely inexperienced with unlocking, rooting etc., but every phone is different, and to avoid some mistakes I want to make sure whether it's possible with the procedure that I think could work.
Actual phone status:
Build number: ALP-L29 8.0.0.141(c636patch01) - I think this is xloader 01 / Security patch is 1 August 2018
Bootloader: locked
FRP: locked
SIM/Net: unlocked
I tried HCU Client 1.0.0.0290, the phone gets recognized, but the bootloader can't be read, I get:
Read bootloader code fail!
Not supported/unknown chipset!
I think it's because of the too-high build number and security patch.
So now, my main idea is to downgrade with the dload method.
I downloaded this service firmware from androidhost.ru:
ALP-L29 8.0.0.135(C185) Firmware Android 8.0.0 EMUI 8.0.0 05014TBQ androidhost.ru / Not sure what xloader is in it, but it should be 01. Maybe someone knows.
C636 I couldn't find.
My 1st question: Can I flash this firmware without bricking my phone?
If not, what other possibilities do I have?
My 2nd: Does the SIM card have to be installed for unlocking?
I appreciate all your help, greetings from Germany
lilck said:
Hello guys,
My goal is to successfully unlock the bootloader with the safest possible method. I'm not completely inexperienced with unlocking, rooting etc., but every phone is different, and to avoid some mistakes I want to make sure whether it's possible with the procedure that I think could work.
Actual phone status:
Build number: ALP-L29 8.0.0.141(c636patch01) - I think this is xloader 01 / Security patch is 1 August 2018
Bootloader: locked
FRP: locked
SIM/Net: unlocked
I tried HCU Client 1.0.0.0290, the phone gets recognized, but the bootloader can't be read, I get:
Read bootloader code fail!
Not supported/unknown chipset!
I think it's because of the too-high build number and security patch.
So now, my main idea is to downgrade with the dload method.
I downloaded this service firmware from androidhost.ru:
ALP-L29 8.0.0.135(C185) Firmware Android 8.0.0 EMUI 8.0.0 05014TBQ androidhost.ru / Not sure what xloader is in it, but it should be 01. Maybe someone knows.
C636 I couldn't find.
My 1st question: Can I flash this firmware without bricking my phone?
If not, what other possibilities do I have?
My 2nd: Does the SIM card have to be installed for unlocking?
I appreciate all your help, greetings from Germany
141 is xloader 02 if I remember correctly. Firmware Finder is down so I can't check. And as such you won't be able to downgrade to a build where DC works.
Flashing C185 on C636 is not recommended. It could work, but you would have to use the DC Unlocker temp unlock afterwards to flash the C185 oeminfo, then flash dload again. I have not tried this.
But still, if B141 is xloader 02 it will not work anyway.
Wait for FF to come back online to check what xloader ALP-L29C432B142 is.
Can anybody help me?
I have a rooted and unlocked Mate 10 Pro.
But with the new update, I can't downgrade Play Services.... I need this for a game.
Now I need to downgrade to a lower version.
Thanks for the help.
P.S.: I searched the forum, but most of it is about downgrading from EMUI 8 to 7 or 9 to 8.
The lowest version you can downgrade to is B146 (Assuming you are on BLA-L29C432B156), using firmware from androidhost.ru.
OR flash images manually through TWRP, this way you could downgrade to first build if you wanted to xD
Just don't flash XLOADER.img as you are on new xloader. Flashing one from B145 or earlier will brick your phone.
ante0 said:
The lowest version you can downgrade to is B146 (Assuming you are on BLA-L29C432B156), using firmware from androidhost.ru.
OR flash images manually through TWRP, this way you could downgrade to first build if you wanted to xD
Just don't flash XLOADER.img as you are on new xloader. Flashing one from B145 or earlier will brick your phone.
To flash with TWRP you need the bootloader unlocked, and you know very well that service has been down for some time.
So your guide doesn't help at all.
vanito said:
To flash with TWRP you need the bootloader unlocked, and you know very well that service has been down for some time.
So your guide doesn't help at all.
Did I state otherwise? OP has an unlocked bootloader.
ante0 said:
Did I state otherwise? OP has an unlocked bootloader.
Ok sorry, I hadn't seen that the OP has an unlocked bootloader.
Now I want to ask you a question.
Since I have all the professional tools to extract and flash each single partition in upgrade mode without an unlocked bootloader, and have one BLA-L09 C432 on B158:
If I flash B143 C432 without the xloader partition, will the phone not boot, or boot with the same B156 version?
My customer damaged this device by flashing Ram Disk (Loader) + OEMINFO via TESTPOINT and lost the IMEI. So I was searching for a way to downgrade and do IMEI repair, but it is written everywhere that it's impossible to downgrade from B156 or earlier... do you have a solution?
vanito said:
Ok sorry, I hadn't seen that the OP has an unlocked bootloader.
Now I want to ask you a question.
Since I have all the professional tools to extract and flash each single partition in upgrade mode without an unlocked bootloader, and have one BLA-L09 C432 on B158:
If I flash B143 C432 without the xloader partition, will the phone not boot, or boot with the same B156 version?
My customer damaged this device by flashing Ram Disk (Loader) + OEMINFO via TESTPOINT and lost the IMEI. So I was searching for a way to downgrade and do IMEI repair, but it is written everywhere that it's impossible to downgrade from B156 or earlier... do you have a solution?
Easiest way, in my opinion, would be to just flash board firmware, since he already has testpoint available.
Then you can repair the IMEIs and all that while on board firmware using HCU. You can not get back the original oeminfo though, unless he has a backup of it.
But the IMEIs the phone uses will be repaired, and you can still unlock using HCU's "get unlock code" button. The original code, if he got it through Huawei, will not be usable though.
Here's a guide for using HCU and the steps to take; any deviation from these steps will result in no IMEI or no network.
1) Flash oeminfo (own backup) from fastboot
2) Backup modemnvm_system, modemnvm_factory and modemnvm_backup using adb pull from a command prompt (/dev/block/bootdevice/by-name/modemnvm_system and so on)
3) Flash the backed-up modemnvm_system, modemnvm_factory and modemnvm_backup from fastboot
4) Modify and brand with HCU (check everything but those that erase/flash empty board) (remember to fill vendor and cust)
5) Unlock SIM with HCU
6) Read bootloader code if you ever used HCU to get the code before
7) Download and flash service firmware from androidhost.ru using an OTG cable and a memory stick
For step 1 you should be able to just back up and flash the existing oeminfo in the phone, as it's already using someone else's (DC's oeminfo flash will just download an oeminfo from their server and flash it, so you get someone else's oeminfo).
I have a Pixel 6 Verizon and need to downgrade the firmware to Android 13 October 2022. The only way to do that is via OTA image flash, but whenever I try it does not flash since it cannot downgrade the bootloader. The phone cannot be OEM unlocked. My only chance is to edit/remove boot.img and/or modify the script to prevent the bootloader flash. I've found payload file dumpers, but only to extract the images within. Is there any way to do this? I know it can be done for the full system images rather easily.
ronclone said:
I have a Pixel 6 Verizon and need to downgrade the firmware to Android 13 October 2022. The only way to do that is via OTA image flash, but whenever I try it does not flash since it cannot downgrade the bootloader. The phone cannot be OEM unlocked. My only chance is to edit/remove boot.img and/or modify the script to prevent the bootloader flash. I've found payload file dumpers, but only to extract the images within. Is there any way to do this? I know it can be done for the full system images rather easily.
Are you looking for a way to edit the extracted images?
If so, I think you might be able to edit the extracted boot images with a text editor, although I'm not sure how reliable my information is for that.
catcatjpg said:
Are you looking for a way to edit the extracted images?
If so, I think you might be able to edit the extracted boot images with a text editor, although I'm not sure how reliable my information is for that.
Yes, I would like to edit the image to skip flashing the bootloader. However, OTA images are different from full factory images. They do not have an easy way to modify a "flash-all.bat" file or equivalent. Therefore my question: I would like to know if something like this is possible at all.
ronclone said:
I have a Pixel 6 Verizon and need to downgrade the firmware to Android 13 October 2022. The only way to do that is via OTA image flash, but whenever I try it does not flash since it cannot downgrade the bootloader. The phone cannot be OEM unlocked. My only chance is to edit/remove boot.img and/or modify the script to prevent the bootloader flash. I've found payload file dumpers, but only to extract the images within. Is there any way to do this? I know it can be done for the full system images rather easily.
The bootloader has to be unlocked to manually flash a factory image or OTA. Since you have a Verizon device you cannot unlock your bootloader, so attempting to flash any image of any kind will fail. Worse, even if you did have an unlocked device, without a custom recovery you won't be able to flash modified factory images. The stock recovery checks for the presence of Google's signature in the factory image and, if it doesn't find it, will refuse to flash the package.
Modifying flash-all.bat to not flash the bootloader by commenting out the proper line in the batch file will work since you're not modifying the images themselves, but the point is moot anyway since you cannot manually flash factory images due to that pesky bootloader.
That's the issue. However, just to clarify, I absolutely can flash OTA images via fastboot even with a locked bootloader; I've done it multiple times. What I can't do is flash full factory images, the ones that need an unlocked bootloader.
I stand corrected regarding the flashing of OTA update files. Flashing full OTA images is conceivably possible, considering that I forgot Google gave device owners that capability. However, this doesn't change the fact that you cannot alter Google-supplied ROM images without losing Google's signature on those files. So you won't be able to flash an OTA without also flashing the bootloader.
So is there a specific reason you have to have that particular bootloader?
It's not a bootloader problem per se. It's an Android version problem for me. I wouldn't mind downgrading the bootloader; it's just that Pixel devices apparently cannot downgrade the bootloader, so it must be done with some kind of trickery.
You're on a device with an unlockable bootloader.
You can only flash official OTA zips in recovery, provided you are not downgrading.
Any attempt to manipulate the OTA zip will break the Google signature, and therefore any attempt to flash it on a locked bootloader will fail.
Tldr: forget about it
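The point made in the replies above (that any change to the OTA package breaks Google's signature, so you cannot drop the bootloader from an OTA and still sideload it on a locked device) is easy to see in the layout of an A/B payload.bin. The following is an added Python example, not code from this thread or from Google's update_engine: it parses only the fixed payload header, the manifest and signature bytes it builds are constructed placeholders rather than a real DeltaArchiveManifest protobuf or a real RSA signature, and the partition list inside the constructed manifest is made up.

```python
"""Added example: read the header of an Android A/B OTA payload.bin and show which bytes the
metadata signature covers. Constructed bytes only; not from any tool mentioned in the thread."""
import hashlib
import struct
from typing import NamedTuple

PAYLOAD_MAGIC = b"CrAU"
HEADER_V2_SIZE = 4 + 8 + 8 + 4   # magic, u64 version, u64 manifest size, u32 metadata sig size


class PayloadHeader(NamedTuple):
    version: int
    manifest_size: int
    metadata_signature_size: int
    manifest_offset: int
    metadata_size: int             # header + manifest: the bytes the metadata signature covers
    metadata_signature_offset: int
    data_offset: int               # first byte of the partition blobs


def parse_payload_header(blob: bytes) -> PayloadHeader:
    """Decode the big-endian payload.bin header (format version 2, as used by A/B OTAs)."""
    if blob[:4] != PAYLOAD_MAGIC:
        raise ValueError("not a payload.bin: bad magic")
    version, manifest_size = struct.unpack(">QQ", blob[4:20])
    if version != 2:
        raise ValueError(f"unsupported payload format version {version}")
    (sig_size,) = struct.unpack(">I", blob[20:24])
    manifest_offset = HEADER_V2_SIZE
    metadata_size = manifest_offset + manifest_size
    if len(blob) < metadata_size + sig_size:
        raise ValueError("payload truncated before the metadata signature")
    return PayloadHeader(version, manifest_size, sig_size, manifest_offset, metadata_size,
                         metadata_size, metadata_size + sig_size)


def metadata_digest(blob: bytes) -> str:
    """SHA-256 over header + manifest. The device verifies the RSA metadata signature against
    this digest with its built-in OTA key, so any edit to the manifest changes what is checked."""
    hdr = parse_payload_header(blob)
    return hashlib.sha256(blob[:hdr.metadata_size]).hexdigest()


def build_constructed_payload(manifest: bytes, metadata_signature: bytes, data: bytes) -> bytes:
    """Assemble a payload with the real header layout around CONSTRUCTED bodies.
    The manifest here is opaque bytes, not a DeltaArchiveManifest protobuf, and the
    signature is a placeholder, not an RSA signature from Google's OTA key."""
    header = PAYLOAD_MAGIC + struct.pack(">QQI", 2, len(manifest), len(metadata_signature))
    return header + manifest + metadata_signature + data


def demo() -> bool:
    """Show that editing the manifest (here: renaming the constructed 'bootloader' entry so
    it would be skipped) changes the digest the signature was made over, so verification fails."""
    manifest = b"partitions: bootloader, boot, system, vendor"   # constructed stand-in
    original = build_constructed_payload(manifest, b"\x00" * 16, b"blob data")
    tampered = original.replace(b"bootloader", b"xxxxxxxxxx", 1)
    return metadata_digest(original) != metadata_digest(tampered)


if __name__ == "__main__":
    print("tampered manifest changes the signed digest:", demo())
```

On a real OTA you would extract payload.bin from the zip and pass its bytes to parse_payload_header() and metadata_digest(); the partition operations, including the one that writes the bootloader, live inside the manifest, which is exactly the region the metadata signature covers, and the outer zip carries its own signature on top of that.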
shoey63 said:
You're on a device with an unlockable bootloader.
You can only flash official OTA zips in recovery, provided you are not downgrading.
Any attempt to manipulate the OTA zip will break the Google signature, and therefore any attempt to flash it on a locked bootloader will fail.
Tldr: forget about it
Yeah, I think you're right. Unfortunately.