GSM-Forum, Nokia Base Band 5 (BB-5) board. Thread: BB5 SP unlocking, theory...
09-16-2007, 03:50 | #1 | Dejan Kaljevic (Freak Poster; Join Date: Feb 2001; Posts: 213)

BB5 SP unlocking, theory...

change anything in their SW to prevent that. Then again, maybe not! Why did they leave a BIG hole in SP security...?

BB5 uses the RSA and AES algorithms, running from secure ROM and RAM. The main SP routines are stored in FLASH in the block "PA_SL"; those routines are loaded into secure RAM and, if the RSA signature is correct, the CPU will run them. BUT the "SP SERVER" is part of MCUSW, which runs DIRECTLY from FLASH and is not protected?!!! Well, it is tested only once, when the phone starts! After that you can patch code from flash on the fly.

The ARM CPU reads data from flash in bursts; in this case it is a burst of 32 bytes, and it starts on a 32-aligned address.

So, the first step is to know where in FLASH the code that has to be patched is. You can find that by desoldering the FLASH from the phone and reading it with some programming device. Or you can use my software to extract mcusw from Nokia update SW files: find the biggest file in the dir and rename it to "infile". Run "fls2bin.exe", wait, and two files will be created. One of them is "mcusw".

NOTE: fls2bin may not work with all CPU flash files!

End of Part 1

P.S. Do not post stupid comments in this thread, or even better, do not post ANY comment!!!

The Following 15 Users Say Thank You to Dejan Kaljevic For This Useful Post:
09-16-2007, 04:46 | #2 | Dejan Kaljevic (Freak Poster; Join Date: Feb 2001; Posts: 213)

Part 2:

Once you have the code, the next step is to find what and where to patch. Well, that is a very complicated procedure and requires knowledge, experience, lots of work, etc. But again, Nokia made another big hole, or maybe NOT?! One of the critical routines can be EASILY found by looking for an ASCII string!!!, believe it or not. The magic string is "012345678901234" and it is the default SP pass for test phones or whatever. Probably they had a problem putting in a string like "FOR HACKERS HERE IS CRITICAL CODE!" Anyway....

Use "LISTER" from Windows to view the "mcusw" file. In options, select "HEX". Press key "F7", enter 012345678901234 and hit enter to start looking for that string. All other data has to look like garbage, with only that ASCII string!

Note: If you do not find that string in "mcusw", try the second file that is created by "fls2bin.exe".

Once you find the string, look at the HEX address of that string in Lister. Subtract 1000h from that address (200h to 2000h). This is the address from which you will start to disassemble code!!!

So.... Load the file in some ARM disassembler, use LITTLE ENDIAN and THUMB mode, set the disassembly address defined above, and start to disassemble code. In that process you have to look for the instruction that points to the string "012345678901234". Something like this:

00A0C9BC: FE A4        LEA R4,[PC+#03F8]   ;[00A0CDB8]=33323130 '012345678901234'

And you have found ONE of many SP routines that can be patched.

In this example the full routine looks like this (From: V 05.00 27-04-07 RM-174):

00A0C9B6: F0 B5        PUSH (R4,R5,R6,R7,LR)
00A0C9B8: 06 1C        ADD R6,R0,#0
00A0C9BA: 0F 1C        ADD R7,R1,#0
00A0C9BC: FE A4        LEA R4,[PC+#03F8]   ;[00A0CDB8]=33323130 '012345678901234'
00A0C9BE: 85 B0        SUB SP,#0014
00A0C9C0: 2E CC        LDM [R4],(R1,R2,R3,R5)
00A0C9C2: 01 A8        LEA R0,[SP+#0004]
00A0C9C4: 2E C0        STM [R0],(R1,R2,R3,R5)
00A0C9C6: 02 25        MOV R5,#02
00A0C9C8: 00 24        MOV R4,#00
00A0C9CA: FF F7 07 F9  CALL 00A0BBDC
00A0C9CE: 00 28        CMP R0,#00
00A0C9D0: 02 D0        BEQ 00A0C9D8
00A0C9D2: 02 28        CMP R0,#02
00A0C9D4: 2D D0        BEQ 00A0CA32
00A0C9D6: 0A E0        JMP 00A0C9EE
00A0C9D8: 0F 22        MOV R2,#0F
00A0C9DA: 31 1C        ADD R1,R6,#0
00A0C9DC: 01 A8        LEA R0,[SP+#0004]
00A0C9DE: 50 F6 6C E8  CALLX 0085CABA
00A0C9E2: 00 28        CMP R0,#00
00A0C9E4: 01 D1        BNE 00A0C9EA
00A0C9E6: 00 25        MOV R5,#00
00A0C9E8: 23 E0        JMP 00A0CA32
00A0C9EA: 08 25        MOV R5,#08
00A0C9EC: 21 E0        JMP 00A0CA32
00A0C9EE: 30 5D        LDRB R0,[R6+R4]
00A0C9F0: 30 38        SUB R0,#30
00A0C9F2: 0A 28        CMP R0,#0A
00A0C9F4: 02 D3        BCC 00A0C9FC
00A0C9F6: 08 20        MOV R0,#08
00A0C9F8: 05 B0        ADD SP,#0014
00A0C9FA: F0 BD        RET (R4,R5,R6,R7)
00A0C9FC: 01 34        ADD R4,#01
00A0C9FE: 24 06        LSL R4,R4,24
00A0CA00: 24 0E        LSR R4,R4,24
00A0CA02: 0E 2C        CMP R4,#0E
00A0CA04: F3 D9        BLS 00A0C9EE
00A0CA06: 08 20        MOV R0,#08
00A0CA08: 40 F6 3C E9  CALLX 0084CC84
00A0CA0C: 04 1C        ADD R4,R0,#0
00A0CA0E: 02 1C        ADD R2,R0,#0
00A0CA10: 39 1C        ADD R1,R7,#0
00A0CA12: 30 1C        ADD R0,R6,#0
00A0CA14: 43 F7 9E F9  CALL 0094FD54
00A0CA18: 01 28        CMP R0,#01
00A0CA1A: 01 D1        BNE 00A0CA20
00A0CA1C: 00 25        MOV R5,#00
00A0CA1E: 05 E0        JMP 00A0CA2C
00A0CA20: 60 68        LDR R0,[R4+#04]
00A0CA22: 23 28        CMP R0,#23
00A0CA24: 01 D1        BNE 00A0CA2A
00A0CA26: 08 25        MOV R5,#08
00A0CA28: 00 E0        JMP 00A0CA2C
00A0CA2A: 02 25        MOV R5,#02
00A0CA2C: 20 1C        ADD R0,R4,#0
00A0CA2E: 50 F6 34 E8  CALLX 0085CA9A
00A0CA32: 28 1C        ADD R0,R5,#0
00A0CA34: E0 E7        JMP 00A0C9F8

At address 00A0CA14 is the most important call, the function that tests the PSW!!!

On return from that function, if R0=1 the pass is correct and the phone will be unlocked! So we can patch data at addr:

00A0CA18: 01 28        CMP R0,#01

to 00 28, that is CMP R0,#00, or at addr:

00A0CA1A: 01 D1        BNE 00A0CA20

to 01 D0, that is BNE 00A0CA20. And the phone will be unlocked!!!

As you can see, in the first case we toggle bit 0 (ad0) and in the second we toggle bit 8 (ad8). This method is used for N73. Anyway, there are lots of ways to patch code on the fly, toggling only ONE bit!!!, since Nokia left such a BIG security hole in their design!

End of Part 2

P.S. Do not post stupid comments in this thread, or even better, do not post ANY comment!!!

The Following 4 Users Say Thank You to Dejan Kaljevic For This Useful Post:
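The string-to-patch chain from Parts 1 and 2, as an added worked example. This is my code, not Dejan's software and not anything attached to the thread: it scans an image for "012345678901234", finds the Thumb ADR (what the listing prints as LEA Rd,[PC+#imm]) that resolves to that string, finds the CMP R0,#1 / BNE pair after it, and reports the two one-bit flips together with the 32-byte burst that carries each halfword. Assumptions the post does not state: the image is a flat load at a base address you supply (here 0x00A0C000, chosen so the listing's addresses line up), code is Thumb little-endian, the flash data bus is 16 bits wide so "ad0"/"ad8" are bit positions inside the little-endian halfword, and flipping bit 8 of 0xD101 (BNE) yields 0xD001, which is BEQ. The sample image is constructed from the RM-174 listing in the post, dropped into an otherwise erased (0xFF) block.

```python
"""Added example (not Dejan's software, not from the post): follow the Part 1/2
chain on a firmware image and derive the single-bit patches.
Assumptions the post does not state: the image is a flat load at `base`
(file offset 0 == address `base`), code is Thumb little-endian, and the flash
data bus is 16 bits wide, so the "adN" bit is the bit index inside the
little-endian halfword."""
import struct

DEFAULT_CODE = b"012345678901234"   # default SP password string named in Part 2
BURST = 32                          # 32-byte, 32-aligned fetch bursts (Part 1)


def find_string(image: bytes) -> list:
    """File offsets of every occurrence of the magic string."""
    hits, i = [], image.find(DEFAULT_CODE)
    while i != -1:
        hits.append(i)
        i = image.find(DEFAULT_CODE, i + 1)
    return hits


def find_adr_refs(image: bytes, base: int, target: int, window: int = 0x2000) -> list:
    """Thumb ADR (printed as LEA Rd,[PC+#imm] in the listing): encoding
    0xA000 | Rd<<8 | imm8, target = Align(PC,4) + imm8*4 with PC = address+4.
    Scan up to `window` bytes before the string (the post says 200h..2000h)
    and keep only ADRs that resolve exactly to `target`: (address, Rd)."""
    hits, tgt_off = [], target - base
    for off in range(max(0, tgt_off - window) & ~1, tgt_off, 2):
        hw = struct.unpack_from("<H", image, off)[0]
        if hw & 0xF800 != 0xA000:
            continue
        addr = base + off
        if ((addr + 4) & ~3) + (hw & 0xFF) * 4 == target:
            hits.append((addr, (hw >> 8) & 7))
    return hits


def find_result_check(image: bytes, base: int, start: int, limit: int = 0x200):
    """First `CMP R0,#1` (0x2801) immediately followed by `BNE` (0xD1xx) after
    `start`: the test of the password-check return value. None if absent."""
    off = start - base
    for o in range(off, min(len(image) - 4, off + limit), 2):
        cmp_hw, b_hw = struct.unpack_from("<HH", image, o)
        if cmp_hw == 0x2801 and b_hw & 0xFF00 == 0xD100:
            return base + o
    return None


def one_bit_patches(image: bytes, base: int, cmp_addr: int) -> list:
    """The two one-bit flips from Part 2: bit 0 of CMP R0,#1 (-> CMP R0,#0),
    or bit 8 of the following BNE (-> BEQ), each with the burst that carries it."""
    out = []
    for addr, bit, what in ((cmp_addr, 0, "CMP R0,#1 -> CMP R0,#0"),
                            (cmp_addr + 2, 8, "BNE -> BEQ")):
        old = struct.unpack_from("<H", image, addr - base)[0]
        out.append({"addr": addr, "old": old, "new": old ^ (1 << bit),
                    "bus_bit": bit, "what": what,
                    "burst_base": addr & ~(BURST - 1),
                    "burst_halfword": (addr & (BURST - 1)) // 2})
    return out


def analyze(image: bytes, base: int) -> list:
    """Whole chain: string -> ADR that references it -> CMP/BNE -> patches."""
    found = []
    for s_off in find_string(image):
        for adr, _rd in find_adr_refs(image, base, base + s_off):
            cmp_addr = find_result_check(image, base, adr)
            if cmp_addr is not None:
                found.append((adr, cmp_addr, one_bit_patches(image, base, cmp_addr)))
    return found


# Constructed sample image (not a real dump): the RM-174 v05.00 routine from the
# listing placed at 0x00A0C9B6 and the string at 0x00A0CDB8 inside an otherwise
# erased (0xFF) block, with base chosen so the listing's addresses line up.
SAMPLE_BASE = 0x00A0C000
_ROUTINE = bytes.fromhex(
    "F0B5061C0F1CFEA485B02ECC01A82EC002250024FFF707F9002802D002282DD0"
    "0AE00F22311C01A850F66CE8002801D1002523E0082521E0305D30380A2802D3"
    "082005B0F0BD01342406240E0E2CF3D9082040F63CE9041C021C391C301C43F7"
    "9EF9012801D1002505E06068232801D1082500E00225201C50F634E8281CE0E7")
_img = bytearray(b"\xff" * 0xE00)
_img[0x9B6:0x9B6 + len(_ROUTINE)] = _ROUTINE
_img[0xDB8:0xDB8 + 16] = DEFAULT_CODE + b"\x00"
SAMPLE_IMAGE = bytes(_img)

if __name__ == "__main__":
    for adr, cmp_addr, patches in analyze(SAMPLE_IMAGE, SAMPLE_BASE):
        print(f"ADR at {adr:08X}, CMP R0,#1 at {cmp_addr:08X}")
        for p in patches:
            print(f"  {p['addr']:08X}: {p['old']:04X} -> {p['new']:04X}  toggle ad{p['bus_bit']}"
                  f"  burst {p['burst_base']:08X} halfword #{p['burst_halfword']}  ({p['what']})")
```

On the sample image this reports the ADR at 00A0C9BC, the check at 00A0CA18, and the two candidates: 2801 -> 2800 (toggle ad0, halfword 12 of the burst starting at 00A0CA00) and D101 -> D001 (toggle ad8, halfword 13 of the same burst). The burst base and halfword index are what a bus-watching circuit needs: it has to recognise the 32-aligned burst address on the address bus and disturb one data line during the right halfword of that burst. The CMP/BNE shape is only a heuristic; on a real mcusw confirm by disassembling around the hit that the preceding CALL is really the password test, because other "CMP R0,#1; BNE" pairs exist in any firmware, and the addresses move between firmware versions.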
09-16-2007, 08:36 | #3 | AboAli (Freak Poster; Join Date: Apr 2005; Posts: 374)

"On-the-fly programming (or live coding) is a style of programming in which the programmer/performer/composer augments and modifies the program while it is running, without stopping or restarting, in order to assert expressive, programmable control for performance, composition, and experimentation at run-time. Because of the fundamental powers of programming languages, we believe the technical and aesthetic aspects of on-the-fly programming are worth exploring."

So the mcu must be uploaded whilst the phone is running..... Nothing here mentioned about using test points; as Dejan explained in his first post, this is an alternative to using test points... Now just to figure out how to edit the mcu file, and then rewrite it back to the phone.... Anyone had any luck yet?

Last edited by AboAli; 09-16-2007 at 10:58.
09-16-2007, 09:03 | #4 | Syed (No Life Poster; Join Date: Jan 2004; Location: Unknown; Posts: 9,227)

@Dejan Kaljevic, one most important thing, if you know, you can let us know... Your bb5 calculation algo is perfect. Why is it not possible on the new RAP to extract the lock area, to calc the bb5 original SP unlock code? Has Nokia totally removed or moved or crypted the lock area with 1024 RSA? Is there any way to extract or find the lock area which you found before in 6630 and all old RAP, and make a calculation solution without TP, which software you put free.. Thanks for the good part 1 and part 2 for bb5. Now I can see why bb5box stands, hehe..

Last edited by Syed; 09-16-2007 at 13:05.
09-16-2007, 10:36 | #5 | Bph&co (No Life Poster; Join Date: Feb 2000; Location: UK; Posts: 3,186)

Quote:

It's just a different way of allocating memory. Instead of declaring:

char default_code[15];

they use:

char default_code[] = "012345678901234";

This is the way you use to find the simlock handler? And what is this post about? You mean people with IQ < 50 that call you 'G_o_d' will use the info, code the CPLD in VHDL and make a free unlocker? I posted all this info a long time ago, just use the search button. Whoever has the brain and equipment to do it based on that info has already done it. Funny guy.
09-16-2007, 11:12 | #6 | Freak Poster (Join Date: Jan 2005; Location: Around the world; Posts: 191)

Quote:

Then, now, you have much more info to make your own box, or to add BB5 unlocking to the F1 box.
09-16-2007, 11:17 | #7 | No Life Poster (Join Date: Dec 2000; Location: gsmdoctor.pl; Posts: 1,317)

Quote:

Bph, as he said, posted this method a long time ago, but without good (fast) equipment (e.g. a logic analyzer) the chances of implementing it are near 0. So a long time ago it was clear that the method is to trace the address bus fast enough to handle burst mode; when the right address is encountered, count the bits and change the correct one by grounding the data bus. The trick is to find the address and the procedure entry point. This is major work: disassembling megabytes of FW to find the right call and cmp. Dejan for sure is not G*O*D, but he always has good ideas and the time to check them. The tricky method with old RAPs is for sure more "tricky" than the one with TPs, and this method showed his real potential.
09-16-2007, 11:21 | #8 | NoName® (Product Supporter; Join Date: Mar 2005; Location: China; Posts: 3,338)

Heh, so in the third part we must get some very fast FPGA device (XILINX/CYCLONE) and write simple code to count the address and patch one bit :-) Then post it here for smart copy-pasters like Chinese boys / raskal / uid / etc.

b.r. NoName®
09-16-2007, 11:45 | #9 | Junior Member (Join Date: Jun 2005; Posts: 6)

I'm missing the "permanent" part of the solution. From what I understand, patching is done during the instruction fetch, toggling one bit on the data bus. This allows the ARM to follow our desired code path and have the phone unlocked. But, in order to make this permanent, patching should be done in flash-resident code. And in that case, how to bypass the flash check at the next boot then? Thx
09-16-2007, 12:15 | #10 | Bph&co (No Life Poster; Join Date: Feb 2000; Location: UK; Posts: 3,186)

Quote:

cache. From a technical point of view all the code is executed in RAM (because of the cache) and you modify the RAM, not the flash. The method is to send a wrong unlock code via FBUS command and modify the result; then the last step before cleanup in the code handler is to recalculate the splocks with the phone's unique key (accessible only from secure RAM, where the sl_pa block is executed). So if you modify the result of the test_code() func, you make the phone recalculate its own lock, without violating the protection. The funny part is that TI warns all customers about this flaw, because the Flash is not on the same die, but rather external, and the bus is exposed.

Oh Boban, what do you mean by 'now'? Check my attachment.

BR
09-16-2007, 14:40 | #12 | Insane Poster (Join Date: Apr 2005; Posts: 67)

@Dejan
A better way, as always, is to make "fly" changes between return(false); and return(true); directly in the sub.
WBR

@NoName®
Yes, the MCP works at 66 MHz. And for protection you can use the "gluid" solution: generate RND codes online, and create from them a configuration file for the FPGA to catch the "right" sequence of 0's and 1's == func(this code).
09-16-2007, 14:45 | #13 | Junior Member (Join Date: Jan 2006; Posts: 14)

empty phones

Hi. It is very nice of you, Dejan, to share this with us. I would like to know one more thing. In theory, is it possible to load empty Nokia phones? If it is possible, when can we expect it? Are you working on such a project? Thanks in advance.
09-16-2007, 15:43 | #14 | No Life Poster (Join Date: Apr 2006; Location: APPLE i Center; Posts: 1,751)

Quote:

Did you check what Bph&co said.... If it was so easy, then why does the F1 team have no bb5 solution..??
09-16-2007, 16:23 | #15 | No Life Poster (Join Date: Nov 2004; Location: Capetown; Posts: 6,709)

Fact is, patching can only be done when the phone is ON...... That will take a while...

@bph@co What you posted is different from this, because this is self-explaining...!!! Here we are talking about patching working code while the whole system is running, not an easy job, especially for the people (including me) reading it all again and again..... thinking they might get their hands on making a free bb5 solution...

@dejan Sir, toggling only 1 bit, why is it not possible on all flash types (meaning the version matters?)

@Stanner Yet Nokia has not totally removed or moved or crypted the lock area with 1024 RSA.... I think that's why this can only be done on previous versions of SW packages.... On the other hand, working on empty phones on the fly would be much easier.