BootRecoverySignature

From MILEDROPEDIA
Jump to: navigation, search

Signatures on boot/recovery partitions

The following listing uses an Argentinan android 2.0 boot partition (File:2.0 boot argentina.raw) as example, but all the offsets should be the same for any boot or recovery partition, at least on the milestone, but i think on many other Motorola phones as well. AFAIK even mbm uses the same signature format, but i haven't checked that so far. The offsets given here are relative to the signature start, which can be read from CDT (sig_start_addr-base_addr)

If anyone can figure out what exactly the remaining "unknown" parts mean, you're welcome to contribute :)

          	00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0x00000000	B4 01 00 CA 02 14 DA 95 1B 6D DC 97 07 CE 40 EA		´..Ê..Ú•.mÜ—.Î@ê	# 0x00 to 0x3C: unknown
0x00000010	53 0F 90 20 91 B5 20 DD 2F F3 00 30 FF FF 00 00		S.. ‘µ Ý/ó.0ÿÿ..	#
0x00000020	02 4E B8 B9 73 15 B0 F4 4A 47 7A AC DF 7A E8 3D		.N¸¹s.°ôJGz¬ßzè=	#
0x00000030	D5 3E EF 8F AF 65 01 02 0C 30 00 11 01        		Õ>ï.¯e...0..... 	#

0x00000030	                                       81 10 00		               .	# 0x3D to 0x40: base_address (from cdt)
0x00000040	00                                             		..              	#

0x00000040	   00 2B F8 00                                 		  +ø.           	# 0x41 to 0x44: DataLength

0x00000040	               00 00 03 D3 02                  		     ...Ó.      	# 0x45 to 0x49: unknown

0x00000040	                              A2 61 B6 59 97 9C		          ¢a¶Y—œ	# 0x4A to 0xC9: ASN1 Sequence (encrypted with PrivateKey1)
0x00000050	AB 02 F0 60 90 45 F7 32 FE 00 5E E8 EB 46 BA 17		«.ð`.E÷2þ.^èëFº.	# bytes 0x00 to 0x49 of the Signature Block are hashed
0x00000060	BF BC 27 EB 34 AB 0C 91 53 9B F8 9C C2 2F 9C 22		¿¼'ë4«.‘S›øœÂ/œ"	# (everything in this document up to this point)
0x00000070	F7 65 1B C8 C7 7D 98 1F 24 47 A4 77 61 6C 80 46		÷e.ÈÇ}˜˜ .$G¤wal€F	# ASN1 parse (with openssl asn1parse)
0x00000080	1B E7 B6 75 5C 97 63 F5 01 C4 B3 C4 E9 B3 84 14		.ç¶u\—cõ.ijÄ鳄.	#     0:d=0  hl=2 l=  33 cons: SEQUENCE
0x00000090	63 1A CF 15 B0 7A FD C2 C9 72 18 75 3D 5A 59 F0		c.Ï.°zýÂÉr.u=ZYð	#     2:d=1  hl=2 l=   9 cons:  SEQUENCE
0x000000A0	47 49 99 74 ED 80 62 56 FF AA CC BA 43 D9 DF 6B		GI™tí€bVÿªÌºCÙßk	#     4:d=2  hl=2 l=   5 prim:   OBJECT            :sha1
0x000000B0	EA 1B 4D 08 38 19 05 9A 84 7F 21 94 A6 3C F6 58		ê.M.8..š„.!”¦<öX	#    11:d=2  hl=2 l=   0 prim:   NULL
0x000000C0	56 16 06 B2 65 5C 2A BE 69 9C                  		V..²e\*¾iœ      	#    13:d=1  hl=2 l=  20 prim:  OCTET STRING      [HEX DUMP]:9BAFCEE89FB01AADEAB5A15DF1FBE10A1C5E7D9E

          	                                               		                	# 0xCA to 0x24D:
          	                                               		                	# Certificate 1 (with PublicKey1)
0x000000C0	                              01               		          .     	# 0xCA: unknown
0x000000C0	                                 02 01 00      		           ...  	# 0xCB to 0xCD: the number 0 (0x02=int, 0x01=length, 0x00=number)
0x000000C0	                                          04 2E		              ..	# 0xCE to 0xCF: 0x04=string, 0x2E=length of string
0x000000D0	4F 3D 4D 6F 74 6F 72 6F 6C 61 20 49 6E 63 2C 20		O=Motorola Inc, 	# 0xD0 to 0xFD: Issuer
0x000000E0	4F 55 3D 4D 6F 74 6F 72 6F 6C 61 20 50 4B 49 2C		OU=Motorola PKI,	# (0x2E bytes)
0x000000F0	20 43 4E 3D 48 41 42 20 43 41 20 34 30 31      		 CN=HAB CA 401  	#
0x000000F0	                                          48 F4		              Hô	# 0xFE to 0x102: valid from: 1223999895 (unix time)
0x00000100	C1 97                                          		Á—              	#
0x00000100	      65 2A BA 97                              		  e*º—          	# 0x103 to 0x106: valid to: 1697299095 (unix time)
0x00000100	                  01 00                        		      ..        	# 0x107 to 0x108: unknown, some kind of separator?
0x00000100	                        04 39                  		        .9      	# 0x04=string, 0x39=length of string
0x00000100	                              4F 3D 4D 6F 74 6F		          O=Moto	# 0x10A to 0x142: Subject
0x00000110	72 6F 6C 61 20 49 6E 63 2C 20 4F 55 3D 4D 6F 74		rola Inc, OU=Mot	#
0x00000120	6F 72 6F 6C 61 20 50 4B 49 2C 20 43 4E 3D 43 53		orola PKI, CN=CS	#
0x00000130	46 20 43 41 20 34 30 31 2D 31 3B 20 53 4E 3D 33		F CA 401-1; SN=3	#
0x00000140	38 33 32                                       		832             	#
0x00000140	         02 00                                 		   ..           	# 0x143 to 0x144: unknown, algorithm identifier?
0x00000140	               00 03                           		     ..         	# 0x145 to 0x146: length of  public exponent (PublicKey1)
0x00000140	                     01 00 01                  		       ...      	# 0x147 to 0x149: public exponent (PublicKey1)
0x00000140	                              00 80            		          .€    	# 0x14A to 0x14B: length of the modulus (PublicKey1)
0x00000140	                                    B3 F1 99 8E		            ³ñ™Ž	# 0x14C to 0x1CB: modulus (PublicKey1)
0x00000150	56 03 0B 85 7E EE D6 97 B3 4C 5C AD EB 2C 9A 8F		V..…~îÖ—³L\.ë,š.	#
0x00000160	FF 57 4B C3 0F 82 A4 D1 B2 E6 2D A9 BF 59 17 D1		ÿWKÃ.‚¤Ñ²æ-©¿Y.Ñ	#
0x00000170	D1 4C 3D 7D F2 F1 85 94 1B 4A DE A6 1B 03 12 42		ÑL=}òñ…”.JÞ¦...B	#
0x00000180	DA 56 AB F9 44 A1 91 DB 77 D3 79 CD FB 5B CE 59		ÚV«ùD¡‘ÛwÓyÍû[ÎY	#
0x00000190	38 CC 15 B4 79 97 E1 74 88 4B 3D F0 71 8A D0 94		8Ì.´y—átˆK=ðqŠÐ”	#
0x000001A0	AD 95 F5 A5 D9 B1 69 18 DE 78 2D FC C2 F0 77 15		.•õ¥Ù±i.Þx-üÂðw.	#
0x000001B0	20 9A 78 0A E4 D3 BE 30 EF 21 D3 78 AF 72 B6 BF		 šx.äÓ¾0ï!Óx¯r¶¿	#
0x000001C0	23 C4 50 67 4A 4B 74 9F E7 9B F0 0D            		#ÄPgJKtŸç›ð.    	#
0x000001C0	                                    00 80      		            .€  	# 0x1CC to 0x1CD: length of the Certificate Signature
0x000001C0	                                          A8 6E		              ¨n	# 0x1CE to 0x24D: Certificate 1 Signature
0x000001D0	83 73 CB B1 A3 81 88 29 0C 31 F8 7D D2 D6 B1 C6		ƒs˱£.ˆ).1ø}ÒÖ±Æ	# Obviously this is an ASN1 sequence with an SHA-1-hash of
0x000001E0	9D 83 7B CC 57 83 81 2A 47 04 1B 47 B8 A9 20 58		.ƒ{ÌWƒ.*G..G¸© X	# Certificate 1 (0xCA to 0x1CB), encrypted with the
0x000001F0	88 11 EC 86 A1 A6 C1 AD AA 1E EE A1 EB 33 DB C8		ˆ.송¦Á.ª.î¡ë3ÛÈ	# private key of a certificate with the following
0x00000200	58 30 65 ED 9D EE 5C E1 62 89 96 84 C7 9B 62 C1		X0eí.î\áb‰–„Ç›bÁ	# subject string:
0x00000210	83 58 B1 D7 C7 35 E2 E4 6A F9 50 EA 85 7D BB AE		ƒX±×Ç5âäjùPê…}»®	# "O=Motorola Inc, OU=Motorola PKI, CN=HAB CA 401".
0x00000230	AB 4E 21 87 D1 49 17 F2 F3 98 C1 AF 64 0C 82 5F		«N!‡ÑI.òó˜ Á¯d.‚_	# I haven't found that one so far, It's nowhere in
0x00000240	24 9B B5 A0 A7 AA 82 24 52 4A 8B 21 2F B0      		$›µ §ª‚$RJ‹!/°  	# mbm...
          	                                               		                	# Certificate 1 End

          	                                               		                	# 0x24E to 0x3D2
          	                                               		                	# Certificate 2 (with PublicKey2)
0x00000240	                                          01   		              . 	# 0x24E: unknown
0x00000240	                                             02		               .	# 0x24F to 0x251: the number 0 (0x02=int, 0x01=length, 0x00=number)
0x00000250	01 00                                          		..              	#
0x00000250	      04 30                                    		  .0            	# 0x251 to 0x252: 0x04=string, 0x30=length of string
0x00000250	            4F 3D 4D 6F 74 6F 72 6F 6C 61 20 49		    O=Motorola I	#
0x00000260	6E 63 2C 20 4F 55 3D 4D 6F 74 6F 72 6F 6C 61 20		nc, OU=Motorola 	# 0x254 to 0x283: Issuer
0x00000270	50 4B 49 2C 20 43 4E 3D 43 53 46 20 43 41 20 34		PKI, CN=CSF CA 4	# = Subject of Certificate1
0x00000280	30 31 2D 31                                    		01-1            	#
0x00000280	            48 F4 C2 32                        		    HôÂ2        	# 0x284 to 0x287: valid from: 1224000050 (unix time)
0x00000280	                        65 2A BB 32            		        e*»2    	# 0x288 to 0x28B: valid to: 1697299250 (unix time)
0x00000280	                                    01 00      		            ..  	# 0x28C to 0x28D: unknown, some kind of separator?
0x00000280	                                          04 38		              .8	# 0x28E to 0x28F: 0x04=string, 0x38=length of string
0x00000290	4F 3D 4D 6F 74 6F 72 6F 6C 61 20 49 6E 63 2C 20		O=Motorola Inc, 	# 0x290 to 0x2C7: Subject
0x000002A0	4F 55 3D 4D 6F 74 6F 72 6F 6C 61 20 50 4B 49 2C		OU=Motorola PKI,	#
0x000002B0	20 43 4E 3D 41 50 50 20 34 30 31 2D 31 2D 32 3B		 CN=APP 401-1-2;	#
0x000002C0	20 53 4E 3D 33 38 33 34                        		 SN=3834        	#
0x000002C0	                        02 00                  		        ..      	# 0x2C8 to 0x2C9: unknown, algorithm identifier?
0x000002C0	                              00 03            		          ..    	# 0x2CA to 0x2CB: length of public exponent (PublicKey2)
0x000002C0	                                    01 00 01   		            ... 	# 0x2CC to 0x2CE: public exponent (PublicKey2)
0x000002C0	                                             00		               .	# 0x2CF to 0x2D0: length of the modulus (PublicKey2)
0x000002D0	80                                             		€               	#
0x000002D0	   B9 8E 7F 4E E7 C2 FA 97 1E 48 07 B6 19 13 3C		 ¹Ž.NçÂú—.H.¶..<	# 0x2D1 to 0x350: modulus (PublicKey2)
0x000002E0	28 59 EC D2 4F ED E6 9C C6 C0 96 E7 70 1C 77 F0		(YìÒOíæœÆÀ–çp.wð	#
0x000002F0	7C 24 FA C4 C3 9B 40 C1 59 CF 8C 8F 99 81 C2 FF		|$úÄÛ@ÁYÏŒ.™.Âÿ	#
0x00000300	D0 0C 86 23 59 BC 43 59 2F A9 B8 59 19 67 EE 0E		Ð.†#Y¼CY/©¸Y.gî.	#
0x00000310	C5 C9 EE 40 1F 69 24 96 10 EE B7 DC A9 66 44 AB		ÅÉî@.i$–.î·Ü©fD«	#
0x00000320	B8 E1 6A AB EA C6 4F CF 0A 51 40 52 9F 0B 22 0E		¸áj«êÆOÏ.Q@RŸ.".	#
0x00000330	3C 68 09 7E 28 B6 BC C9 6C 3F 77 8A 8D A5 58 2C		<h.~(¶¼Él?wŠ.¥X,	#
0x00000340	F6 AE 7C FE C6 26 12 E1 AF CE 46 2C F0 A1 39 6A		ö®|þÆ&.á¯ÎF,ð¡9j	#
0x00000350	7F                                             		.               	#
0x00000350	   00 80                                       		 .€             	# 0x351 to 0x352: length of Certificate Signature
0x00000350	         4E 8C 40 1F FA B8 88 86 0B 1D F2 A9 5E		   NŒ@.ú¸ˆ†..ò©^	# 0x353 to 0x3D2: Certificate 2 Signature
0x00000360	93 F8 D4 74 EE 7A 08 3C 72 35 A6 63 38 C6 85 8B		“øÔtîz.<r5¦c8Æ…‹	# Certificate 1 is the issuer of Certificate 2
0x00000370	AF 03 CF 6F 19 DD 1A A1 E8 C9 A9 57 01 C2 22 51		¯.Ïo.Ý.¡èÉ©W.Â"Q	# Certificate 2 is hashed (0x24E to 0x350)
0x00000380	B0 6C 6C EE 67 3F 4A B7 5E BD 6A 45 59 62 86 52		°llîg?J·^½jEYb†R	# ASN1 sequence (encrypted with PrivateKey1)
0x00000390	B3 DF 65 65 2A 3A 05 B7 BF 82 EB 83 2A 37 27 F1		³ßee*:.·¿‚ëƒ*7'ñ	#     0:d=0  hl=2 l=  33 cons: SEQUENCE
0x000003A0	76 2C 05 B8 6D 91 CC 2F C7 7E FD 56 E2 0F 9B DB		v,.¸m‘Ì/Ç~ýVâ.›Û	#     2:d=1  hl=2 l=   9 cons:  SEQUENCE
0x000003B0	2A 1E 9F CE 96 8C F9 8B E7 97 B0 D9 68 BC C4 3E		*.ŸÎ–Œù‹ç—°Ùh¼Ä>	#     4:d=2  hl=2 l=   5 prim:   OBJECT            :sha1
0x000003C0	A7 BD 2F 72 76 9E B1 48 6A 4F 0B A4 3F C0 7A 78		§½/rvž±HjO.¤?Àzx	#    11:d=2  hl=2 l=   0 prim:   NULL
0x000003D0	C6 68 4D                                       		ÆhM             	#    13:d=1  hl=2 l=  20 prim:  OCTET STRING      [HEX DUMP]:E7F2FA871AC6692DF4AB8494E4D797EB1899D262
          	                                               		                	# Certificate 2 End

0x000003D0	         A5 11 57 3D DB 69 67 42 53 9F AF 40 0E		   ¥.W=ÛigBSŸ¯@.	# 0x3D3 to 0x452: File Signature (signed by Certificate 2)
0x000003E0	8D A6 E3 3A 7C C8 8A BF A2 21 1C EF 7E 55 5A 93		.¦ã:|ÈŠ¿¢!.ï~UZ“	# ASN1 sequence (encrypted with PrivateKey2):
0x000003F0	83 7F 8D C0 92 B2 2C A7 D9 E4 46 BC 23 62 B0 B6		ƒ..À’²,§ÙäF¼#b°¶	# DataLength bytes, starting from 0x00 (in the mtd file) are hashed.
0x00000400	E9 3C 91 66 3D 90 02 44 BC 31 C9 24 30 B3 B6 DA		é<‘f=..D¼1É$0³¶Ú	# ASN1 parse (with openssl asn1parse)
0x00000410	24 00 49 9D 43 1D 73 10 D6 4D 7E EA B1 9C 94 05		$.I.C.s.ÖM~걜”.	#     0:d=0  hl=2 l=  33 cons: SEQUENCE
0x00000420	74 55 7E 25 84 05 58 8C 77 43 32 90 A7 E6 F4 F5		tU~%„.XŒwC2.§æôõ	#     2:d=1  hl=2 l=   9 cons:  SEQUENCE
0x00000430	E5 CF A2 35 0A D0 6C 13 B4 E7 A1 AE DE 53 CB 5F		åÏ¢5.Ðl.´ç¡®ÞSË_	#     4:d=2  hl=2 l=   5 prim:   OBJECT            :sha1
0x00000440	10 3E 07 F6 D4 59 23 83 2B 01 53 44 77 87 D5 8A		.>.öÔY#ƒ+.SDw‡ÕŠ	#    11:d=2  hl=2 l=   0 prim:   NULL
0x00000450	5F DF DC                                       		_ᚠ            	#    13:d=1  hl=2 l=  20 prim:  OCTET STRING      [HEX DUMP]:FB4752AD0CA0EB242E6BAE96A3794520732B2EEA

0x00000450	         FF FF FF FF FF FF FF FF FF FF FF FF FF		   ÿÿÿÿÿÿÿÿÿÿÿÿÿ	# 0x453 to 0x7FF
0x00000460	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	# The rest of the partition is filled with 0xFFs
0x00000470	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000480	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000490	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000004A0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000004B0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000004C0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000004D0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000004E0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000004F0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000500	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000510	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000520	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000530	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000540	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000550	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000560	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000570	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000580	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000590	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000005A0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000005B0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000005C0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000005D0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000005E0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000005F0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000600	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000610	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000620	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000630	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000640	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000650	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000660	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000670	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000680	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000690	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000006A0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000006B0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000006C0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000006D0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000006E0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000006F0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000700	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000710	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000720	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000730	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000740	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000750	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000760	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000770	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000780	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x00000790	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000007A0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000007B0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000007C0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000007D0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000007E0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#
0x000007F0	FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF		ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ	#

We have two Certificates here, identified by their CommonName (CN):

  • "APP 401-1-2" is used to sign the boot and recovery partitions (DataLength bytes, starting from offset 0x00 (in the mtd file))
  • "CSF CA 401-1" is used to sign two things:
    • the "APP 401-1-2" Certificate
    • the header of the signature block, where, amongst a few other, yet unknown things, the base_address and DataLength are stored.

Furthermore we know about a third Certificate "HAB CA 401" which is used to sign "CSF CA 401-1", so our chain of trust looks like that:

"HAB CA 401" -> "CSF CA 401-1" -> "APP 401-1-2" -> boot/recovery partition

mbm is signed by a certificate "APP 401-1-1", here the chain of trust is:

"HAB CA 401" -> "CSF CA 401-1" -> "APP 401-1-1" -> mbm