Closed erik-smit closed 6 years ago
I needed this to parse the bootimg of my LG Flex2 (H955). I found the format on https://github.com/tegrak/Fricando/tree/master/bootimg-parser
Merging this patch would make the regular AVB signature no longer work. I will have a closer look and try to add it as an option instead.
How does it make regular AVB signatures not work? The QCDT header entries are all zeroes on regular AVBs or not?
+ param.os_version = fields[11]
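Review bot: `fields[11]` only holds once the unpack format string has been changed as well; in the upstream bootimg.h layout `os_version` is the eleventh field (`fields[10]`), directly after the single 4-byte unused slot, so on a stock image index 11 is already the start of the name field. Keeping the stock layout and gating the QCDT-specific fields behind an option, as suggested above, would let both kinds of image parse with one structure.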
That field is fields[10] normally, as the patch obviously requires 8 bytes instead of 4 bytes. QCDT is custom QC and not a regular Android structure.
I've split the single 8-byte unused field into 2 4-byte fields. Should have the same layout.
No, because you just shortened the name field from 16s to 8s and added two additional integers, but the space for unused is only a 4-byte integer. I've tested it and both layouts aren't compatible in one structure. That's not how it should be.
In the Python code you copied from and you referred to, it says
10) unused #1 (4B) (zero in standard Android)
11) unused #2 (4B) (zero in standard Android)
but according to official android boot_img_hdr.h, it's uint32_t (4 bytes) not uint64_t (8 bytes).
Please see https://android.googlesource.com/platform/system/core/+/master/mkbootimg/bootimg.h for correct structure :)
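To make the layout question concrete, here is an added example (not code from this PR, nor from verify_signature.py or the Fricando parser) that unpacks the stock bootimg.h header with a single format string, reads os_version from fields[10], and derives the page-aligned part offsets the tool prints. It assumes, as the "unused #1" note above implies, that Qualcomm images carry dt_size in the 4-byte unused slot at offset 40; the sizes fed into the constructed sample header mirror the recovery dump in this thread.

```python
import struct

# Standard Android boot_img_hdr (bootimg.h, the layout predating header_version),
# little-endian. Index in the unpacked tuple is given in brackets.
#   [0]  magic[8]            [1] kernel_size   [2] kernel_addr
#   [3]  ramdisk_size        [4] ramdisk_addr
#   [5]  second_size         [6] second_addr   [7] tags_addr   [8] page_size
#   [9]  unused (uint32)  -- assumed to carry dt_size on Qualcomm "QCDT" images
#   [10] os_version (uint32) [11] name[16]     [12] cmdline[512]
#   [13] id[32]              [14] extra_cmdline[1024]
HDR_FMT = "<8s8I2I16s512s32s1024s"
HDR_SIZE = struct.calcsize(HDR_FMT)  # 1632 bytes; fits inside the first page
BOOT_MAGIC = b"ANDROID!"


def page_align(n, page_size):
    """Round n up to the next multiple of page_size."""
    return (n + page_size - 1) // page_size * page_size


def encode_os_version(a, b, c, year, month):
    """Pack 'A.B.C' and patch level 'YYYY-MM' as documented in bootimg.h."""
    ver = (a << 14) | (b << 7) | c
    lvl = (((year - 2000) & 127) << 4) | month
    return (ver << 11) | lvl


def decode_os_version(v):
    """Inverse of encode_os_version: returns (A, B, C, year, month)."""
    ver, lvl = v >> 11, v & 0x7FF
    return ((ver >> 14) & 127, (ver >> 7) & 127, ver & 127,
            2000 + (lvl >> 4), lvl & 15)


def parse_boot_header(data):
    """Unpack the header and compute where each page-aligned part starts."""
    f = struct.unpack_from(HDR_FMT, data, 0)
    if f[0] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    hdr = {
        "kernel_size": f[1], "kernel_addr": f[2],
        "ramdisk_size": f[3], "ramdisk_addr": f[4],
        "second_size": f[5], "second_addr": f[6],
        "tags_addr": f[7], "page_size": f[8],
        "dt_size": f[9],        # zero on stock images, where the slot is 'unused'
        "os_version": f[10],    # fields[10] in the stock layout
        "name": f[11].rstrip(b"\0"),
        "cmdline": f[12].rstrip(b"\0"),
        "id": f[13],
    }
    ps = hdr["page_size"]
    if ps == 0 or ps & (ps - 1):
        raise ValueError("page_size must be a power of two")
    # The header occupies one page; each part is padded out to a page boundary.
    layout, off = {}, page_align(HDR_SIZE, ps)
    for part in ("kernel", "ramdisk", "second", "dt"):
        layout[part] = off
        off += page_align(hdr[part + "_size"], ps)
    layout["signature"] = off   # the AVB signature blob follows the last part
    return hdr, layout


def build_sample_header(kernel_size, ramdisk_size, second_size, dt_size,
                        page_size, os_version, name=b"", cmdline=b""):
    """Construct a header in the stock layout (sample data, not a real image)."""
    return struct.pack(HDR_FMT, BOOT_MAGIC,
                       kernel_size, 0x80008000, ramdisk_size, 0x81000000,
                       second_size, 0x80F00000, 0x80000100, page_size,
                       dt_size, os_version, name, cmdline, b"", b"")


# Constructed sample: sizes mirror the recovery dump in this thread, the
# version/patch level is made up.
SAMPLE = build_sample_header(0x012C1000, 0x005E1000, 0, 0x0008E000, 0x1000,
                             encode_os_version(6, 0, 1, 2016, 9), b"sample")

if __name__ == "__main__":
    hdr, layout = parse_boot_header(SAMPLE)
    for part in ("kernel", "ramdisk", "second", "dt"):
        print("%-8s=0x%08X, length=0x%08X" % (part, layout[part], hdr[part + "_size"]))
    print("Signature start=0x%08X" % layout["signature"])
    print("OS version / patch level: %d.%d.%d %d-%02d" % decode_os_version(hdr["os_version"]))
```

Because the stock format string is left untouched, a regular AVB image and a QCDT image unpack into the same tuple: the only difference is whether fields[9] is zero, so the dt part can be skipped when its size is zero instead of needing a second structure.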
Hm, ok, so... What the document I referred to calls "unused #2" is osversion in the Android sources?
Yes. Never mind, I will have a look at it shortly.
Can you please provide your boot.img? I'd like to test my code to confirm it works correctly now before committing.
This is the result of the latest commit:

```
Dump Android Verified Boot Signature (c) B.Kerler 2017
------------------------------------------------------
Kernel=0x00001000, length=0x012C1000
Ramdisk=0x012C2000, length=0x005E1000
Second=0x018A3000, length=0x00000000
QCDT=0x018A3000, length=0x0008E000
Signature start=0x01931000
Image-Target: b'/recovery'
Image-Length: 0x1931000
Image-Hash: b'ba348fa505e67f34da778e5ee9577f245dc704047bd2ef260aba17461b0584e6'
Signature-Hash: b'ba348fa505e67f34da778e5ee9577f245dc704047bd2ef260aba17461b0584e6'
Signature-RSA-Modulus (n): b'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'
Signature-RSA-Exponent (e): b'010001'
TZ Root of trust (locked): b'dd77957b0e16dcc5f88f2fbb2c1890da664d241ab42cbd4e28afe2aed2dc32dc'
TZ Root of trust (unlocked): b'b9abcedb380dd6991882ce511299419c1e5c0a32d766232b7a0b78cd6550c9c8'
```
I'll need to re-get the files, but I'm getting errors downloading them.
To get the boot.img, download a KDZ extractor from https://forum.xda-developers.com/showthread.php?t=2600575 and then the KDZ from http://pkg02.xcdn.gdms.lge.com/dn/downloader.dev?fileKey=FWE4UDR752RJADJ71AC7NTO/H95520c_00_0921.kdz
If my download succeeds, I'll check back in a few hours to let you know if your change worked.
Looks fine!
```
$ python3 verify_signature.py ../boot_458752.bin
Dump Android Verified Boot Signature (c) B.Kerler 2017
------------------------------------------------------
Kernel=0x00001000, length=0x012C1000
Ramdisk=0x012C2000, length=0x004DD000
Second=0x0179F000, length=0x00000000
QCDT=0x0179F000, length=0x0008E000
Signature start=0x0182D000
Image-Target: b'/boot'
Image-Length: 0x182d000
Image-Hash: b'00810604dac25e8fbbf23eb0e446fbaf485f6b89cf09eef95f85cdc0a3e60312'
Signature-Hash: b'1d39e66a1152bb0b82ce01a8b61179b894615700fd867f57583eb322fb07af14'
Signature-RSA-Modulus (n): b'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'
Signature-RSA-Exponent (e): b'010001'
TZ Root of trust (locked): b'dd77957b0e16dcc5f88f2fbb2c1890da664d241ab42cbd4e28afe2aed2dc32dc'
TZ Root of trust (unlocked): b'b9abcedb380dd6991882ce511299419c1e5c0a32d766232b7a0b78cd6550c9c8'
```