maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   Nokia N9 / N950 (https://talk.maemo.org/forumdisplay.php?f=51)
-   -   Firmware downgrade from 1.3 to 1.2 possible (https://talk.maemo.org/showthread.php?t=88091)

marcaurell 2012-12-02 07:00

Firmware downgrade from 1.3 to 1.2 possible
 
I will change back from 1.3 to 1.2, but with the Nokia Flash tool it is not possible. Does someone have a solution for a firmware downgrade?

thedead1440 2012-12-02 07:29

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Not possible; search before creating new duplicate threads...

rainisto 2012-12-02 08:25

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Not possible is the default answer for marcaurell.

However it is possible if:
a) you have R&D certificate in your device (which only Nokia employees have)
b) you use software downgrade exploit (which is not publicly available)

Hurrian 2012-12-02 09:18

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Another option would be to deploy a 1.2 rootfs backup, and flash the kernel using a dd-made backup.

Not the brightest of ideas, as I still don't know why people would want to downgrade, but hey, at least it's an idea.

Zas 2012-12-02 10:32

Re: Firmware downgrade from 1.3 to 1.2 possible
 
I think someone did it by using hexedit to change the version number in the older image.

rainisto 2012-12-02 16:38

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by Zas (Post 1300573)
I think someone did it by using hexedit to change the version number in the older image.

that will never work, since if you edit any bit in the image, then the signature checksums will fail.

But anyway, there really are no valid reasons to downgrade, other than that sometimes you might want to go to PR1.1 if your Ovi Store application entry happens to fail QA (and even then you can use RDA), but if you're not an Ovi Store app developer then there really is no reason.

www.rzr.online.fr 2012-12-02 16:43

Re: Firmware downgrade from 1.3 to 1.2 possible
 
IIRC nemomobile requires PR1.2 to be flashed

but i am curious about those downgrade hacks ...

regards

marcaurell 2012-12-02 16:53

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Thanks to all for the answers and suggestions.

rainisto 2012-12-02 16:55

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Well, I have run nemomobile on PR1.3, so I don't think there are any limitations; all the instructions are just for PR1.2.

vitaminj 2012-12-02 17:40

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by rainisto (Post 1300675)
But anyways there really is not valid reasons to downgrade

Perhaps people might want an email client which shows unread counts reliably or a web browser which doesn't aggravatingly blank the address bar when it fails to load a page, two major regressions in what was supposed to be a bugfix release.

rainisto 2012-12-02 18:05

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by vitaminj (Post 1300698)
Perhaps people might want an email client which shows unread counts reliably or a web browser which doesn't aggravatingly blank the address bar when it fails to load a page, two major regressions in what was supposed to be a bugfix release.

but that doesn't require you to downgrade; if you want to run some older versions of applications, you can just extract the binaries from older firmwares and use inception or other exploits to install them over the new binaries in PR1.3.

Jordi 2012-12-02 18:26

Re: Firmware downgrade from 1.3 to 1.2 possible
 
A reason to downgrade in Pr 1.2: to have a usable autocorrection for French :(
Fortunately, we have the Swype keyboard but it's a sad situation.

pali 2012-12-02 22:26

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by rainisto (Post 1300551)
b) you use software downgrade exploit (which is not publicly available)

exploit for usb flasher?
bug in x-loader?
bug in nolo?
or somehow on device via inception?

Makeclick 2012-12-03 03:58

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by rainisto (Post 1300551)
Not possible is the default answer for marcaurell.

However it is possible if:
a) you have R&D certificate in your device (which only Nokia employees have)
b) you use software downgrade exploit (which is not publicly available)

It's not even possible in the Nokia factory :D, so I don't think it will ever happen. Been there, done that... I think there could be some software to do so, but it's only available to the Maemo/MeeGo team.

rlinfati 2012-12-03 05:08

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by pali (Post 1300781)
exploit for usb flasher?
bug in x-loader?
bug in nolo?
or somehow on device via inception?

design problem :)

you need to be in normal mode (not open mode) and clean/erase the cert-sw..., and you can downgrade the APE side (not the CMT side)

http://mg.pov.lt/harmattan-irclog/%2...03-23T22:15:27

:)

pali 2012-12-03 08:07

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Ok, so what is stored in CAL key "cert-sw"?

eljonker 2012-12-03 17:08

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

you need to be in normal mode (not open mode) and clean/erase the cert-sw..., and you can downgrade the APE side (not the CMT side)
Can you share the guide to do that?

pali 2012-12-03 17:21

Re: Firmware downgrade from 1.3 to 1.2 possible
 
In normal mode you have read&write access to CAL. So I think downgrade can be done with writing some old cert to CAL, then rebooting & flashing old version of fiasco.

rlinfati 2012-12-04 03:42

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by pali (Post 1301046)
In normal mode you have read&write access to CAL. So I think downgrade can be done with writing some old cert to CAL, then rebooting & flashing old version of fiasco.

or write NULL using cal_write_block(...)

eljonker 2012-12-04 17:05

Re: Firmware downgrade from 1.3 to 1.2 possible
 
I have the dev environment, but I don't have libcal-dev and I am not so experienced with C. Do you have a binary of cal_write_block?

marcaurell 2012-12-06 16:58

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by eljonker (Post 1301040)
Can you share the guide to do that?

PLEASE PLEASE post a Guide for downgrade

rainisto 2012-12-06 18:48

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by marcaurell (Post 1301941)
PLEASE PLEASE post a Guide for downgrade

hopefully nobody will ever release a guide for that, since if you mess with CAL too much, you can end up with a permanent brick of your device (even Nokia Care is not able to reflash perm-bricked devices). (And if there is ever a PR upgrade it would force Nokia to lock CAL even in normal mode)...

juiceme 2012-12-06 22:31

Re: Firmware downgrade from 1.3 to 1.2 possible
 
That's actually the reason inception is more dangerous than open mode.

I was thinking about this one day; what led me to this was that some time back somebody had a weird problem: the IMEI of the device was corrupted.

The fact that CAL is locked when running in open mode helps to protect from random faults that could wreak havoc by writing something to a critical area by mistake. In normal mode, under inception/opensh, there is no such protection.

pali 2012-12-06 22:36

Re: Firmware downgrade from 1.3 to 1.2 possible
 
@rainisto: is there any way to repair perm-bricked devices? And who can do that if Nokia Care can't?

rainisto 2012-12-06 22:46

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by pali (Post 1302042)
@rainisto: is there any way to repair perm-bricked devices? And who can do that if Nokia Care can't?

Well in short there is no way.

However, if you have made a backup of your CAL then you could in theory restore CAL from your backup. BUT before you get your hopes up, only Nokia employees with an R&D certificate can backup & restore CAL areas, and all the people who could generate R&D certificates for the N9 have already left the company.

And the factory line JTAG flasher, but it's quite unlikely that you get access inside the production factory (and those factory lines are already ramped down anyway).

So in short, if you happen to mess up your CAL, you can throw the device in the garbage for spare parts and buy a new phone.

juiceme 2012-12-07 08:55

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by rainisto (Post 1302048)
And the factory line JTAG flasher, but it's quite unlikely that you get access inside the production factory (and those factory lines are already ramped down anyway)

This is probably the only viable way of doing it. BTW, I thought Nokia service shops would be able to flash the device via the JTAG interface...? I mean, if there are some repairs done to the RFU the phone needs to be recalibrated, right?

For JTAG flashing you actually do not need fancy equipment; just a cheap ~200 EUR USB/JTAG adapter and some soldering skills are required :D

pali 2012-12-07 10:58

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Ok, so I must be very, very careful not to damage CAL...

Hurrian 2012-12-07 11:03

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by rainisto (Post 1301978)
(And if there is ever PR upgrade it would force Nokia to lock CAL even in normal mode)...

This would break lock code functionality. Or they could store the lock code in a file, which is arguably a lot more insecure than storing it in an obscure database no one has bothered to write a library to interface with.

Quote:

Originally Posted by juiceme (Post 1302038)
I was thinking about this one day; what led me to this was that some time back somebody had a weird problem: the IMEI of the device was corrupted.

IIRC the IMEI is stored on the BB5 chip, which runs completely separate from the SoC. All the SoC side of the system does is talk to the BB5 over the OMAP's SSI interface.

Something else may have been broken, but it sure isn't corruption of the IMEI.

And if the N9 is just like the N900, you could probably flash_erase /dev/mtd1 and CAL would be able to partially rebuild itself (kids, don't try this at home!)

juiceme 2012-12-07 11:14

Re: Firmware downgrade from 1.3 to 1.2 possible
 
OK, if that is so, then where is the MFG calibration data for the RFU stored?
I kind of thought it would be in CAL (that it is an abbreviation for CALibration, but maybe I was mistaken...)

pali 2012-12-07 11:33

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by Hurrian (Post 1302186)
And if the N9 is just like the N900, you could probably flash_erase /dev/mtd1 and CAL would be able to partially rebuild itself (kids, don't try this at home!)

Did you already try to erase CAL on the N900?? Or why are you sure that the N900 CAL can rebuild itself?

Hurrian 2012-12-07 12:26

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by pali (Post 1302203)
Did you already try to erase CAL on the N900?? Or why are you sure that the N900 CAL can rebuild itself?

Heard it on #maemo. Someone apparently erased MTD1, but on reboot it restored the IMEI data, as read from BB5.

Won't try wiping mtd1 myself, but ask DocScrutinizer or vi, they idle on IRC long enough to bookmark that part of the IRC log.

pali 2012-12-07 12:36

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Can you point me to the IRC logs?

I already tried freemangordon's RE'd libcal on a computer with nandsim, and libcal created an empty CAL structure in nandsim. So it can be true that NOLO will recreate CAL if it is damaged and push new data from BB5...

feuerplatz 2016-01-23 10:44

Re: Firmware downgrade from 1.3 to 1.2 possible
 
3 Attachment(s)
Hi there everyone, long time user, first time writing (I have used Maemo since the N900 but never felt the need to write before), but maybe I may be of help now.
I've had my Jolla stolen and it feels like they are out of stock here in Russia, so I went for a used N9. Somehow it was stuck with Vietnamese FW and I was unable to downgrade to the European version, so I found this thread with instructions in it, and I tried to slap some stuff together to be able to write older certificates and so be able to downgrade.

The CAL structure itself contains the older certificates but uses only the latest version. You can dump your own certificates yourself; they're located on /dev/mtd1. The CAL structure itself starts with the ConF signature. I basically looked at the code at https://github.com/community-ssu/lib...b/master/cal.c and explored the hexdump. I didn't want to just zero out cert-sw because of the mentioned lock code problems.

The cert-sw section starts as follows and the cert itself starts at a3959780.
Code:

436f 6e46 0200 0000 6365 7274 2d73 7700  ConF....cert-sw.
0000 0000 0000 0000 1c05 0000 3a08 d376  ............:..v
c2d5 0f00 a395 9780 0200 0000 2623 0298  ............&#..
b2e4 5d4e bdc3 3d00 d089 9d00 6401 0000  ..]N..=.....d...
d003 0000 1b05 0000 022e 4fb0 aa27 b5e4  ..........O..'..

The length of the cert field is 1308 bytes (0x51c, the 1c05 0000 sequence, due to endianness). I extracted mine from the mtd dump, first seeking the offset with a hex viewer and then with dd if=calinfo of=cert-early.bin bs=1 skip=$((0x16b24)) count=1308.

Then I wrote a simple libcal program and compiled it with the Qt SDK. I never managed to get around aegis without putting it in a deb first, however. The code itself is self-descriptive and the sources are there if you have your own Qt SDK and want to compile it yourself. I've also attached my compiled deb and some of the certificates I've dumped from my N9's CAL area. It reads the cert file from /root/cert.bin and then writes it to CAL, to the newest slot.

Please be careful and only use it if you're absolutely, absolutely sure what you are doing. I've managed to downgrade my N9 that way. Please don't shoot yourself in the foot. It's more of an informational post on the question discussed than an everyday easy solution.
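To make the layout described above concrete, here is an added example (not feuerplatz's attached program and not libcal code): a Python walker over a raw dump of /dev/mtd1 that finds each ConF header, reads its name and declared length, and returns the payload, so a cert-sw entry can be located, measured and backed up without touching the flash. The 36-byte header layout is read off the hexdump in the post; the field names (hdr_version, block_version, flags, data_hash, hdr_hash) are assumptions, the stored hashes are not recomputed, and treating the last matching block in flash order as the newest is also an assumption. The sample dump is constructed: it reuses the header and first 44 payload bytes from the post, pads the rest of the 1308-byte certificate with zeros, and adds an older dummy block plus a deliberately truncated copy at the end.

```python
"""Walk a raw dump of the N9 CAL partition (/dev/mtd1) and list its
"ConF" blocks, so cert-sw entries can be located and backed up before
anyone considers writing to CAL.

Header layout (36 bytes, little-endian) is read off the hexdump in the
post; the field names are assumptions, not taken from libcal:
    4s  magic          "ConF"
    B   hdr_version    0x02 in the post
    B   block_version
    H   flags
    16s name           NUL-padded, e.g. "cert-sw"
    I   length         payload length (0x51c = 1308 for the cert)
    I   data_hash      stored hash of the payload (not recomputed here)
    I   hdr_hash       stored hash of the header (not recomputed here)
"""
import struct
from typing import List, NamedTuple, Optional

MAGIC = b"ConF"
HDR_FMT = "<4sBBH16sIII"
HDR_LEN = struct.calcsize(HDR_FMT)  # 36


class CalBlock(NamedTuple):
    offset: int          # position of the "ConF" magic in the dump
    name: str
    hdr_version: int
    block_version: int
    flags: int
    length: int          # declared payload length
    data_hash: int
    hdr_hash: int
    data: bytes          # actual payload; shorter than `length` if the dump is cut off

    @property
    def complete(self) -> bool:
        return len(self.data) == self.length


def parse_blocks(dump: bytes) -> List[CalBlock]:
    """Find every ConF header in `dump` and return the blocks in flash order.

    A truncated block (declared length runs past the end of the dump) is
    still returned, with `complete` False, so a bad dump is visible rather
    than silently dropped."""
    blocks: List[CalBlock] = []
    pos = dump.find(MAGIC)
    while pos != -1 and pos + HDR_LEN <= len(dump):
        (_, hdr_ver, blk_ver, flags,
         raw_name, length, dhash, hhash) = struct.unpack_from(HDR_FMT, dump, pos)
        name = raw_name.split(b"\0", 1)[0].decode("ascii", "replace")
        start = pos + HDR_LEN
        data = dump[start:start + length]
        blocks.append(CalBlock(pos, name, hdr_ver, blk_ver, flags,
                               length, dhash, hhash, data))
        # Skip the whole payload when it is intact, so a "ConF" string inside
        # certificate data is not mistaken for a header.
        pos = dump.find(MAGIC, start + len(data))
    return blocks


def latest_block(dump: bytes, name: str) -> Optional[CalBlock]:
    """Newest complete block with this name.  CAL keeps older versions of a
    block around; treating the last one in flash order as the newest is an
    assumption of this example."""
    matches = [b for b in parse_blocks(dump) if b.name == name and b.complete]
    return matches[-1] if matches else None


# --- constructed sample dump -------------------------------------------
# Header and first 44 payload bytes exactly as in the post's hexdump; the
# rest of the 1308-byte certificate is zero filler, so hashes will not verify.
CERT_SW_HDR = bytes.fromhex(
    "436f6e46" "02000000" "636572742d737700" "0000000000000000"
    "1c050000" "3a08d376" "c2d50f00")
CERT_SW_PREFIX = bytes.fromhex(
    "a3959780" "02000000" "26230298"
    "b2e45d4e" "bdc33d00" "d0899d00" "64010000"
    "d0030000" "1b050000" "022e4fb0" "aa27b5e4")
CERT_SW_PAYLOAD = CERT_SW_PREFIX + b"\x00" * (0x51c - len(CERT_SW_PREFIX))

# An older, constructed cert-sw block (block_version 1, tiny dummy payload,
# hashes left at zero), then erased flash (0xff), then the real header; a
# second copy at the very end is cut off after 10 payload bytes.
OLD_BLOCK = struct.pack(HDR_FMT, MAGIC, 2, 1, 0, b"cert-sw".ljust(16, b"\0"),
                        8, 0, 0) + b"OLDCERT!"
SAMPLE_DUMP = (OLD_BLOCK + b"\xff" * 24 + CERT_SW_HDR + CERT_SW_PAYLOAD
               + b"\xff" * 16 + CERT_SW_HDR + CERT_SW_PAYLOAD[:10])


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE_DUMP):
        status = "ok" if b.complete else "TRUNCATED"
        print(f"0x{b.offset:05x} {b.name:<8} v{b.block_version} "
              f"len={b.length} ({status})")
    newest = latest_block(SAMPLE_DUMP, "cert-sw")
    print("newest cert-sw starts with", newest.data[:4].hex())
```

Run against a real dump, `parse_blocks(open("calinfo", "rb").read())` gives the offset of every block, which replaces the manual hex-viewer search for the dd offset; the `complete` flag catches a dump that was cut short before the certificate ended, which is the case where a blind byte-count extraction would hand you a damaged cert.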

nieldk 2016-01-23 11:22

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by feuerplatz (Post 1496020)
Hi there everyone, long time user, first time writing (I have used Maemo since the N900 but never felt the need to write before), but maybe I may be of help now.
I've had my Jolla stolen and it feels like they are out of stock here in Russia, so I went for a used N9. Somehow it was stuck with Vietnamese FW and I was unable to downgrade to the European version, so I found this thread with instructions in it, and I tried to slap some stuff together to be able to write older certificates and so be able to downgrade.

The CAL structure itself contains the older certificates but uses only the latest version. You can dump your own certificates yourself; they're located on /dev/mtd1. The CAL structure itself starts with the ConF signature. I basically looked at the code at https://github.com/community-ssu/lib...b/master/cal.c and explored the hexdump. I didn't want to just zero out cert-sw because of the mentioned lock code problems.

The cert-sw section starts as follows and the cert itself starts at a3959780.
Code:

436f 6e46 0200 0000 6365 7274 2d73 7700  ConF....cert-sw.
0000 0000 0000 0000 1c05 0000 3a08 d376  ............:..v
c2d5 0f00 a395 9780 0200 0000 2623 0298  ............&#..
b2e4 5d4e bdc3 3d00 d089 9d00 6401 0000  ..]N..=.....d...
d003 0000 1b05 0000 022e 4fb0 aa27 b5e4  ..........O..'..

The length of the cert field is 1308 bytes (0x51c, the 1c05 0000 sequence, due to endianness). I extracted mine from the mtd dump, first seeking the offset with a hex viewer and then with dd if=calinfo of=cert-early.bin bs=1 skip=$((0x16b24)) count=1308.

Then I wrote a simple libcal program and compiled it with the Qt SDK. I never managed to get around aegis without putting it in a deb first, however. The code itself is self-descriptive and the sources are there if you have your own Qt SDK and want to compile it yourself. I've also attached my compiled deb and some of the certificates I've dumped from my N9's CAL area. It reads the cert file from /root/cert.bin and then writes it to CAL, to the newest slot.

Please be careful and only use it if you're absolutely, absolutely sure what you are doing. I've managed to downgrade my N9 that way. Please don't shoot yourself in the foot. It's more of an informational post on the question discussed than an everyday easy solution.

Marvelous! Thanks for this great information.

As a note. This should be added to WIKI pages I believe ...

ViBE 2016-01-23 14:30

Re: Firmware downgrade from 1.3 to 1.2 possible
 
does this mean that we can "downgrade" from for example region version 005 to 001 with this method?

feuerplatz 2016-01-23 17:15

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by ViBE (Post 1496052)
does this mean that we can "downgrade" from for example region version 005 to 001 with this method?

In my case I downgraded DFL61_HARMATTAN_40.2012.21-3.454.6_PR_454 to DFL61_HARMATTAN_40.2012.21-3_PR_001, so yes, it should be quite possible.

sunrianto 2016-01-24 04:26

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by feuerplatz (Post 1496072)
In my case I downgraded DFL61_HARMATTAN_40.2012.21-3.454.6_PR_454 to DFL61_HARMATTAN_40.2012.21-3_PR_001, so yes, it should be quite possible.

Please post a tutorial or maybe a YouTube link for downgrading the N9. Thank you!

nieldk 2016-01-24 07:14

Re: Firmware downgrade from 1.3 to 1.2 possible
 
1 Attachment(s)
Quote:

Originally Posted by feuerplatz (Post 1496020)
Hi there everyone, long time user, first time writing (I have used Maemo since the N900 but never felt the need to write before), but maybe I may be of help now.
I've had my Jolla stolen and it feels like they are out of stock here in Russia, so I went for a used N9. Somehow it was stuck with Vietnamese FW and I was unable to downgrade to the European version, so I found this thread with instructions in it, and I tried to slap some stuff together to be able to write older certificates and so be able to downgrade.

The CAL structure itself contains the older certificates but uses only the latest version. You can dump your own certificates yourself; they're located on /dev/mtd1. The CAL structure itself starts with the ConF signature. I basically looked at the code at https://github.com/community-ssu/lib...b/master/cal.c and explored the hexdump. I didn't want to just zero out cert-sw because of the mentioned lock code problems.

The cert-sw section starts as follows and the cert itself starts at a3959780.
Code:

436f 6e46 0200 0000 6365 7274 2d73 7700  ConF....cert-sw.
0000 0000 0000 0000 1c05 0000 3a08 d376  ............:..v
c2d5 0f00 a395 9780 0200 0000 2623 0298  ............&#..
b2e4 5d4e bdc3 3d00 d089 9d00 6401 0000  ..]N..=.....d...
d003 0000 1b05 0000 022e 4fb0 aa27 b5e4  ..........O..'..

The length of the cert field is 1308 bytes (0x51c, the 1c05 0000 sequence, due to endianness). I extracted mine from the mtd dump, first seeking the offset with a hex viewer and then with dd if=calinfo of=cert-early.bin bs=1 skip=$((0x16b24)) count=1308.

Then I wrote a simple libcal program and compiled it with the Qt SDK. I never managed to get around aegis without putting it in a deb first, however. The code itself is self-descriptive and the sources are there if you have your own Qt SDK and want to compile it yourself. I've also attached my compiled deb and some of the certificates I've dumped from my N9's CAL area. It reads the cert file from /root/cert.bin and then writes it to CAL, to the newest slot.

Please be careful and only use it if you're absolutely, absolutely sure what you are doing. I've managed to downgrade my N9 that way. Please don't shoot yourself in the foot. It's more of an informational post on the question discussed than an everyday easy solution.

Hmm, I was trying with the certificate "cert-DFL61_HARMATTAN_10.2011.34-1_PR_001"

placed in /root/ and named cert.bin.

Executed cal-writer with devel-su and develsh to obtain highest permissions, using open-mode kernel.

However, cal-writer fails at the end and reverts..

Attached is log from cal-writer failing to write the cert.

Might be because of certs not from my device (would be cool with instructions on how to extract those)

Added this to an idea for coding competition, and will personally spit in an extra award if a complete app can be created
http://talk.maemo.org/showpost.php?p...7&postcount=23

pali 2016-01-24 12:27

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by nieldk (Post 1496105)
using open-mode kernel.

In an open-mode booted kernel, the NAND partition for CAL is locked to read-only mode.

If you want write access to CAL, you must boot in normal production kernel, not open-mode. There is no other way.

feuerplatz 2016-01-24 17:09

Re: Firmware downgrade from 1.3 to 1.2 possible
 
Quote:

Originally Posted by nieldk (Post 1496105)
Might be because of certs not from my device (would be cool with instructions on how to extract those)

As has been pointed out, CAL is locked in open mode. The certs seem to be firmware version specific, as I understand it. Actually, the quick guide is given in my original post, near those hex lines. However, I think a program to read certificates from the user's device would benefit N950 users.

As for the simple application: I'd rather wait for some hardcore experts to say whether that is a good idea; maybe there are some unexpected consequences and whatnot. I will think about it, but I don't want to release some software for people to easily and irreversibly brick their device. Perhaps I'll start with a cert-sw extractor for the N950 guys.

