Reply
Thread Tools
Posts: 1,225 | Thanked: 1,905 times | Joined on Feb 2011 @ Quezon City, Philippines
#31
Originally Posted by pali View Post
Did you already tried to erase CAL in N900?? Or why are you sure, that N900 CAL can rebuilt it itself?
Heard it on #maemo. Someone apparently erased MTD1, but on reboot it restored IMEI data, as read from BB5.

Won't try wiping mtd1 myself, but ask DocScrutinizer or vi, they idle on IRC long enough to bookmark that part of the IRC log.
__________________
N9 PR 1.3 Open Mode + kernel-plus for Harmattan
@kenweknot, working on Glacier for Nemo.
 
Posts: 2,154 | Thanked: 8,464 times | Joined on May 2010
#32
Can you point me irc logs?

I already tried freemangordon RE libcal on computer with nandsim and libcal created empty CAL structure in nandsim. So it can be true that NOLO will recreate cal if it is damaged and push new data from BB5...
 

The Following 2 Users Say Thank You to pali For This Useful Post:
Posts: 10 | Thanked: 62 times | Joined on Jan 2016
#33
Hi there everyone, long time user, first time writing (used maemo since N900 but never felt the need to write before) but maybe I may be of help now.
I've got my Jolla stolen and feels they are out of stock here in Russia so I went for used N9. Somehow it was stuck with Vietnamese FW and I was unable to downgrade to the European version, so I found this thread with instructions in it, I tried to slap some stuff up to be able to write older certificates to be able to downgrade.

The CAL structure itself contains the older certificates but uses only the latest version. You can dump your own certificates yourself, they're located on /dev/mtd1. CAL structure itself starts with ConF signature. I basically watched the code at https://github.com/community-ssu/lib...b/master/cal.c and explored the hexdump. I didn't want just to zero out cert-sw because of mentioned lock code problems.

The cert-sw section starts as follows and cert itself starts as a3959780.
Code:
436f 6e46 0200 0000 6365 7274 2d73 7700  ConF....cert-sw.
0000 0000 0000 0000 1c05 0000 3a08 d376  ............:..v
c2d5 0f00 a395 9780 0200 0000 2623 0298  ............&#..
b2e4 5d4e bdc3 3d00 d089 9d00 6401 0000  ..]N..=.....d...
d003 0000 1b05 0000 022e 4fb0 aa27 b5e4  ..........O..'..
The length of cert field is 1308 bytes (0x51c, the 1c05000 sequence due to endianness). I extracted mine from mtd dump first seeking the offset with hex viewer and then with dd if=calinfo of=cert-early.bin bs=1 offset=$((0x16b24)) count=1308.

Then I wrote simple libcal program, compiled it with Qt SDK. Never managed to get around aegis without putting it in deb first, however. The code itself is selfdescriptive and the sources are there if you have your own Qt SDK and want to compile yourself. I've also attached my compiled deb and some of the certificates I've dumped from my N9's CAL area. It reads cert file from /root/cert.bin and then writes it to CAL to the newest slot.

Please be careful and only use it if you're absolutely absolutely sure what are you doing. I've managed to downgrade my N9 that way. Please don't shoot yourself in the feet. It's more of an informational post to the question discussed than everyday easy solution.
Attached Files
File Type: gz cal-writer_0.1.tar.gz (15.6 KB, 185 views)
File Type: deb cal-writer_0.1_armel.deb (4.7 KB, 192 views)
File Type: gz certs.tar.gz (1.3 KB, 191 views)
 

The Following 25 Users Say Thank You to feuerplatz For This Useful Post:
Posts: 1,293 | Thanked: 4,319 times | Joined on Oct 2014
#34
Originally Posted by feuerplatz View Post
Hi there everyone, long time user, first time writing (used maemo since N900 but never felt the need to write before) but maybe I may be of help now.
I've got my Jolla stolen and feels they are out of stock here in Russia so I went for used N9. Somehow it was stuck with Vietnamese FW and I was unable to downgrade to the European version, so I found this thread with instructions in it, I tried to slap some stuff up to be able to write older certificates to be able to downgrade.

The CAL structure itself contains the older certificates but uses only the latest version. You can dump your own certificates yourself, they're located on /dev/mtd1. CAL structure itself starts with ConF signature. I basically watched the code at https://github.com/community-ssu/lib...b/master/cal.c and explored the hexdump. I didn't want just to zero out cert-sw because of mentioned lock code problems.

The cert-sw section starts as follows and cert itself starts as a3959780.
Code:
436f 6e46 0200 0000 6365 7274 2d73 7700  ConF....cert-sw.
0000 0000 0000 0000 1c05 0000 3a08 d376  ............:..v
c2d5 0f00 a395 9780 0200 0000 2623 0298  ............&#..
b2e4 5d4e bdc3 3d00 d089 9d00 6401 0000  ..]N..=.....d...
d003 0000 1b05 0000 022e 4fb0 aa27 b5e4  ..........O..'..
The length of cert field is 1308 bytes (0x51c, the 1c05000 sequence due to endianness). I extracted mine from mtd dump first seeking the offset with hex viewer and then with dd if=calinfo of=cert-early.bin bs=1 offset=$((0x16b24)) count=1308.

Then I wrote simple libcal program, compiled it with Qt SDK. Never managed to get around aegis without putting it in deb first, however. The code itself is selfdescriptive and the sources are there if you have your own Qt SDK and want to compile yourself. I've also attached my compiled deb and some of the certificates I've dumped from my N9's CAL area. It reads cert file from /root/cert.bin and then writes it to CAL to the newest slot.

Please be careful and only use it if you're absolutely absolutely sure what are you doing. I've managed to downgrade my N9 that way. Please don't shoot yourself in the feet. It's more of an informational post to the question discussed than everyday easy solution.
Marvelous! Thanks for this great information.

As a note. This should be added to WIKI pages I believe ...
 

The Following 7 Users Say Thank You to nieldk For This Useful Post:
Posts: 128 | Thanked: 105 times | Joined on Dec 2014 @ Hungary
#35
does this mean that we can "downgrade" from for example region version 005 to 001 with this method?
 

The Following User Says Thank You to ViBE For This Useful Post:
Posts: 10 | Thanked: 62 times | Joined on Jan 2016
#36
Originally Posted by ViBE View Post
does this mean that we can "downgrade" from for example region version 005 to 001 with this method?
In my case I downgraded DFL61_HARMATTAN_40.2012.21-3.454.6_PR_454 to DFL61_HARMATTAN_40.2012.21-3_PR_001, so yes, it should be quite possible.
 

The Following 6 Users Say Thank You to feuerplatz For This Useful Post:
Posts: 17 | Thanked: 13 times | Joined on Jan 2016
#37
Originally Posted by feuerplatz View Post
In my case I downgraded DFL61_HARMATTAN_40.2012.21-3.454.6_PR_454 to DFL61_HARMATTAN_40.2012.21-3_PR_001, so yes, it should be quite possible.
Please post a tutorial or maybe youtube link for downgrade N9.Thank you!
 
Posts: 1,293 | Thanked: 4,319 times | Joined on Oct 2014
#38
Originally Posted by feuerplatz View Post
Hi there everyone, long time user, first time writing (used maemo since N900 but never felt the need to write before) but maybe I may be of help now.
I've got my Jolla stolen and feels they are out of stock here in Russia so I went for used N9. Somehow it was stuck with Vietnamese FW and I was unable to downgrade to the European version, so I found this thread with instructions in it, I tried to slap some stuff up to be able to write older certificates to be able to downgrade.

The CAL structure itself contains the older certificates but uses only the latest version. You can dump your own certificates yourself, they're located on /dev/mtd1. CAL structure itself starts with ConF signature. I basically watched the code at https://github.com/community-ssu/lib...b/master/cal.c and explored the hexdump. I didn't want just to zero out cert-sw because of mentioned lock code problems.

The cert-sw section starts as follows and cert itself starts as a3959780.
Code:
436f 6e46 0200 0000 6365 7274 2d73 7700  ConF....cert-sw.
0000 0000 0000 0000 1c05 0000 3a08 d376  ............:..v
c2d5 0f00 a395 9780 0200 0000 2623 0298  ............&#..
b2e4 5d4e bdc3 3d00 d089 9d00 6401 0000  ..]N..=.....d...
d003 0000 1b05 0000 022e 4fb0 aa27 b5e4  ..........O..'..
The length of cert field is 1308 bytes (0x51c, the 1c05000 sequence due to endianness). I extracted mine from mtd dump first seeking the offset with hex viewer and then with dd if=calinfo of=cert-early.bin bs=1 offset=$((0x16b24)) count=1308.

Then I wrote simple libcal program, compiled it with Qt SDK. Never managed to get around aegis without putting it in deb first, however. The code itself is selfdescriptive and the sources are there if you have your own Qt SDK and want to compile yourself. I've also attached my compiled deb and some of the certificates I've dumped from my N9's CAL area. It reads cert file from /root/cert.bin and then writes it to CAL to the newest slot.

Please be careful and only use it if you're absolutely absolutely sure what are you doing. I've managed to downgrade my N9 that way. Please don't shoot yourself in the feet. It's more of an informational post to the question discussed than everyday easy solution.
Hmm was trying with the certificate "cert-DFL61_HARMATTAN_10.2011.34-1_PR_001"

placed in /root/ and named cert.bin.

Executed cal-writer with devel-su and develsh to obtain highest permissions, using open-mode kernel.

However, cal-write fails at the end and reverts..

Attached is log from cal-writer failing to write the cert.

Might be because of certs not from my device (would be cool with instructions on how to extract those)

Added this to an idea for coding competition, and will personally spit in an extra award if a complete app can be created
http://talk.maemo.org/showpost.php?p...7&postcount=23
Attached Files
File Type: zip log.zip (4.7 KB, 100 views)

Last edited by nieldk; 2016-01-24 at 07:34. Reason: this is cool for a coding competion entry
 

The Following 7 Users Say Thank You to nieldk For This Useful Post:
Posts: 2,154 | Thanked: 8,464 times | Joined on May 2010
#39
Originally Posted by nieldk View Post
using open-mode kernel.
In open-mode booted kernel is nand partition for CAL locked to read-only mode.

If you want write access to CAL, you must boot in normal production kernel, not open-mode. There is no other way.
 

The Following 6 Users Say Thank You to pali For This Useful Post:
Posts: 10 | Thanked: 62 times | Joined on Jan 2016
#40
Originally Posted by nieldk View Post
Might be because of certs not from my device (would be cool with instructions on how to extract those)
As it has been pointed out, CAL is locked in openmode. The certs seem to be firmware version specific, as I understand. Actually, the quick guide is given is my original post, near those hex lines. However I think the program to read certificates from user device would benefit N950 users.

As for the simple application: I'd rather wait for some hardcore experts say is that a good idea, maybe there's some unexpected consequences and whatnot. I will think about it but I don't want to release some software to easily and irreversibly brick their device. Perhaps I'll start with cert-sw extractor for the N950 guys.
 

The Following 7 Users Say Thank You to feuerplatz For This Useful Post:
Reply


 
Forum Jump


All times are GMT. The time now is 20:17.