Originally Posted by pali

Did you already tried to erase CAL in N900?? Or why are you sure, that N900 CAL can rebuilt it itself?

Originally Posted by feuerplatz

Hi there everyone, long time user, first time writing (used maemo since N900 but never felt the need to write before) but maybe I may be of help now.
I've got my Jolla stolen and feels they are out of stock here in Russia so I went for used N9. Somehow it was stuck with Vietnamese FW and I was unable to downgrade to the European version, so I found this thread with instructions in it, I tried to slap some stuff up to be able to write older certificates to be able to downgrade.

The CAL structure itself contains the older certificates but uses only the latest version. You can dump your own certificates yourself, they're located on /dev/mtd1. CAL structure itself starts with ConF signature. I basically watched the code at https://github.com/community-ssu/lib...b/master/cal.c and explored the hexdump. I didn't want just to zero out cert-sw because of mentioned lock code problems.

The cert-sw section starts as follows and cert itself starts as a3959780.

Code:

436f 6e46 0200 0000 6365 7274 2d73 7700  ConF....cert-sw.
0000 0000 0000 0000 1c05 0000 3a08 d376  ............:..v
c2d5 0f00 a395 9780 0200 0000 2623 0298  ............&#..
b2e4 5d4e bdc3 3d00 d089 9d00 6401 0000  ..]N..=.....d...
d003 0000 1b05 0000 022e 4fb0 aa27 b5e4  ..........O..'..

The length of cert field is 1308 bytes (0x51c, the 1c05000 sequence due to endianness). I extracted mine from mtd dump first seeking the offset with hex viewer and then with dd if=calinfo of=cert-early.bin bs=1 offset=$((0x16b24)) count=1308.

Then I wrote simple libcal program, compiled it with Qt SDK. Never managed to get around aegis without putting it in deb first, however. The code itself is selfdescriptive and the sources are there if you have your own Qt SDK and want to compile yourself. I've also attached my compiled deb and some of the certificates I've dumped from my N9's CAL area. It reads cert file from /root/cert.bin and then writes it to CAL to the newest slot.

Please be careful and only use it if you're absolutely absolutely sure what are you doing. I've managed to downgrade my N9 that way. Please don't shoot yourself in the feet. It's more of an informational post to the question discussed than everyday easy solution.

Originally Posted by ViBE

does this mean that we can "downgrade" from for example region version 005 to 001 with this method?

Originally Posted by feuerplatz

In my case I downgraded DFL61_HARMATTAN_40.2012.21-3.454.6_PR_454 to DFL61_HARMATTAN_40.2012.21-3_PR_001, so yes, it should be quite possible.

Originally Posted by feuerplatz

Hi there everyone, long time user, first time writing (used maemo since N900 but never felt the need to write before) but maybe I may be of help now.
I've got my Jolla stolen and feels they are out of stock here in Russia so I went for used N9. Somehow it was stuck with Vietnamese FW and I was unable to downgrade to the European version, so I found this thread with instructions in it, I tried to slap some stuff up to be able to write older certificates to be able to downgrade.

The CAL structure itself contains the older certificates but uses only the latest version. You can dump your own certificates yourself, they're located on /dev/mtd1. CAL structure itself starts with ConF signature. I basically watched the code at https://github.com/community-ssu/lib...b/master/cal.c and explored the hexdump. I didn't want just to zero out cert-sw because of mentioned lock code problems.

The cert-sw section starts as follows and cert itself starts as a3959780.

Code:

436f 6e46 0200 0000 6365 7274 2d73 7700  ConF....cert-sw.
0000 0000 0000 0000 1c05 0000 3a08 d376  ............:..v
c2d5 0f00 a395 9780 0200 0000 2623 0298  ............&#..
b2e4 5d4e bdc3 3d00 d089 9d00 6401 0000  ..]N..=.....d...
d003 0000 1b05 0000 022e 4fb0 aa27 b5e4  ..........O..'..

The length of cert field is 1308 bytes (0x51c, the 1c05000 sequence due to endianness). I extracted mine from mtd dump first seeking the offset with hex viewer and then with dd if=calinfo of=cert-early.bin bs=1 offset=$((0x16b24)) count=1308.

Then I wrote simple libcal program, compiled it with Qt SDK. Never managed to get around aegis without putting it in deb first, however. The code itself is selfdescriptive and the sources are there if you have your own Qt SDK and want to compile yourself. I've also attached my compiled deb and some of the certificates I've dumped from my N9's CAL area. It reads cert file from /root/cert.bin and then writes it to CAL to the newest slot.

Please be careful and only use it if you're absolutely absolutely sure what are you doing. I've managed to downgrade my N9 that way. Please don't shoot yourself in the feet. It's more of an informational post to the question discussed than everyday easy solution.

Originally Posted by nieldk

using open-mode kernel.

Originally Posted by nieldk

Might be because of certs not from my device (would be cool with instructions on how to extract those)