How to find ASK -> RPL algorithm (part 1)
Hi,
Just download HEX dump from TDS-6 and start disassembling.
The algorithm for calculating RPL data from ASK files is there.
The HEX file of TDS-6 box can be downloaded for free here:
http://www.zulea.ro/TDS6.BIN
Just use IDA and select processor "Hitachi H8/300H".
Good luck :rolleyes:
If I have enough free time, more interesting info soon in "part 2".
Best regards,
Zulea
:eek: :D
Santa Zulea coming earlier this year ???
BR
Vule
mobileland
12-23-2004, 01:22
hehehehehe!!!
As Vule said, Zulea is going to give us the best gift from all!
Best Regards!
hope that will not make a new santa war ;)
regards
dixie
*merry xmas to everyone, especially to manole and zulea :D *
@Zulea.
About yes I have a lot of time but I badly went to school. Do not postpone pleasure make. ( don't mess with our heads, write this calculator yourself )
That's a cool gift...
WBR
Surej
this is long term move with lots of effects :)
zulea's playing chess with lots of ppl now
Hi,
Just download HEX dump from TDS-6 and start disassembling.
The algorithm for calculating RPL data from ASK files is there.
The HEX file of TDS-6 box can be downloaded for free here:
http://www.zulea.ro/TDS6.BIN
Just use IDA and select processor "Hitachi H8/300H".
Good luck :rolleyes:
If I have enough free time, more interesting info soon in "part 2".
Best regards,
Zulea
how on earth did this happen? :D :D :D :p
@Zulea
Thanks For the best gift.............
waiting for the part (2)
he he
Invisible
12-23-2004, 12:06
hi
thanks a lot, btw, could you upload sch too? It would be interesting to take a look deep inside TDS6
best regards
Invisible
how on earth did this happen? :D :D :D :p
You mean the accidental change of 'D' to 'S' at 0x11A33 ?
Hehe :)
gsnbhagawan
12-23-2004, 12:55
it's an end for dct4
new algos
new technology come soon
thanks zulea for sharing.......
Hehehehe -;)
This is part 2 of "Just for the record" lol. I'm just wondering where Zuki got this free "bin" (it's free for almost two years) :D :D :D
As I Know Mr Zulea Always Gives Us A Good Free Solution
One Time From Him Directly & The Other By The Laser (crack His Soft)
So In The 2 Ways Thanks A Lot Mr Zulea
Waiting Part2
Br
alnasser
12-24-2004, 02:28
hehe
finally since two years..........will be back to see part 2
..::Neo::..
12-24-2004, 05:12
how is everyone waiting for part 2 and we didn't see any useful post or information till now :D:D:D:D
Hi,
Just download HEX dump from TDS-6 and start disassembling.
The algorithm for calculating RPL data from ASK files is there.
The HEX file of TDS-6 box can be downloaded for free here:
http://www.zulea.ro/TDS6.BIN
Just use IDA and select processor "Hitachi H8/300H".
Good luck :rolleyes:
If I have enough free time, more interesting info soon in "part 2".
Best regards,
Zulea
it is such a great thing at last to repair to ask files but
COULD U EXPLAIN CLEARER PLEASE
thanx ZULEA
Hello,
Who has disassembled this file?
Where is reset vector for this CPU?
MiKa
Any chance of giving us the EEPROM binary file to go along with the processor binary file?
Todd
TO Zulea:
Please send more info about disassembling this file...
I have a problem with IDA... (need special settings??? )
B.R:
MiKa
@MiKa
Just choose H8300A as the processor type and then the defaults for memory size. After that, you will have to examine the vector area to figure out where the code starts. Vectors start at address 0x00000000 and are 4 bytes (long type).
Todd
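The vector-area check described in the post above, as an added example that is not part of the original thread: it reads the 4-byte big-endian vectors at offset 0, masks them to a 24-bit address, and groups the plausible code entry points. The function names, the 64-entry default table length, the assumption that the dump is mapped at address 0, and the sample bytes are all constructed for illustration.

```python
import struct
from collections import defaultdict

VECTOR_SIZE = 4          # from the post: each vector is a 4-byte long
ADDR_MASK = 0x00FFFFFF   # 24-bit address space; top byte of a vector is ignored


def parse_vectors(image: bytes, count: int = 64):
    """Return [(vector_number, target, plausible)] for the table at offset 0.

    count=64 is an assumed table length; adjust it for the exact MCU.
    """
    count = min(count, len(image) // VECTOR_SIZE)
    table_end = count * VECTOR_SIZE
    result = []
    for n in range(count):
        (raw,) = struct.unpack_from(">I", image, n * VECTOR_SIZE)
        target = raw & ADDR_MASK
        # Code must be word-aligned, lie past the table and inside the dump
        # (assumes the dump is mapped at address 0).
        plausible = target % 2 == 0 and table_end <= target < len(image)
        result.append((n, target, plausible))
    return result


def entry_points(vectors):
    """Group vector numbers by target; a target shared by many vectors is
    usually a default/unused-interrupt handler, not interesting code."""
    groups = defaultdict(list)
    for n, target, plausible in vectors:
        if plausible:
            groups[target].append(n)
    return dict(groups)


def build_sample() -> bytes:
    """Constructed 1 KiB image: reset vector, five shared vectors,
    one erased entry (0xFFFFFFFF) and one odd (invalid) target."""
    targets = [0x100] + [0x200] * 5 + [0xFFFFFFFF, 0x301]
    table = b"".join(struct.pack(">I", t) for t in targets)
    return table.ljust(0x400, b"\xff")


if __name__ == "__main__":
    vectors = parse_vectors(build_sample(), count=8)
    for target, numbers in sorted(entry_points(vectors).items()):
        label = "reset" if 0 in numbers else "handler"
        print(f"{target:#08x}  {label:7s} vectors {numbers}")
```
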
Zanzamar
12-29-2004, 10:46
Hehe, if you have problems finding vector table, definitely you'll have much bigger problems finding algo itself, coz i don't see any strings like "ASK/RPL algo entry point here" inside that dump :D:D:D
John_Doe
12-29-2004, 13:44
Hehe, if you have problems finding vector table, definitely you'll have much bigger problems finding algo itself, coz i don't see any strings like "ASK/RPL algo entry point here" inside that dump :D:D:D
hehehe, good one :D
however, as bph&co already told here, no algo for calculation DATA1/DATA2 inside that dump...
But Zuki is smart, he will "find" something for sure, lol :D
TechPhone
12-29-2004, 14:24
waiting.......................
But Zuki is smart, he will "find" something for sure, lol :D
would be better not to force him to prove how smart he is and what he really can find by himself. this wouldn't affect only the griffin-boyz ;)
john doe, bph&co,
Can either of you please verify that this binary file is actually TDB-6 instead of TDS-6? The code looks good at first glance, but it could have been changed slightly.
Todd
John_Doe
12-30-2004, 04:56
john doe, bph&co,
Can either of you please verify that this binary file is actually TDB-6 instead of TDS-6? The code looks good at first glance, but it could have been changed slightly.
Todd
verified. zulea was probably "bull****ed" by somebody...
So could this file be used to make a TDB-6 box from a TDF-4 box, they seem to be exactly the same box just with different code? Of course I assume that the TDB-6 box would need to be activated, and programmed to support the configuration keys for a specific provider. Also the closing lock password and the security box password would have to be known. Finally you would also have to have a PKD-1SA+.
Todd
John_Doe
12-31-2004, 21:43
So could this file be used to make a TDB-6 box from a TDF-4 box, they seem to be exactly the same box just with different code? Of course I assume that the TDB-6 box would need to be activated, and programmed to support the configuration keys for a specific provider. Also the closing lock password and the security box password would have to be known. Finally you would also have to have a PKD-1SA+.
Todd
tdb-6 hardware is a little bit different than the tdf-4, so it's not possible just to put tdb-6 mcu inside tdf-4. maybe possible if you make some changes to tdf-4 box hardware and dump, but i'm not sure.
as for the activation and config keys, this dump is working and activated(need external eeprom dump too) and in order to get it working for all providers just need to change 6 bytes inside the dump.
moreover it's also possible to find out the sec. password and the correct PKD-1 serial number(must also match the box) in order to get it working. if you have this then you can write it to any other pkd-1 and make a 1SA+ out of it.
but the main question is why the heck you want to do this? wouldn't it be easier to extract the tables or use any other 200usd box/software in order to unlock/lock nokia phones?? :)
regards,
It was mainly out of curiosity and the fact that I have a couple TDC-4 boxes (same as TDF-4 but with flash based mcu) which can be easily reprogrammed through the serial port. I thought maybe I could convert them but I guess it just isn't that easy. I have some 3rd party unlocker/flasher boxes already but this just sounded like a cool item.
Thanks for the information :)
Todd
John_Doe
01-02-2005, 15:46
It was mainly out of curiosity and the fact that I have a couple TDC-4 boxes (same as TDF-4 but with flash based mcu) which can be easily reprogrammed through the serial port. I thought maybe I could convert them but I guess it just isn't that easy. I have some 3rd party unlocker/flasher boxes already but this just sounded like a cool item.
Thanks for the information :)
Todd
wow, nice stuff, i didn't even know that something like this(TDC) exists :)
could you PM me your email address? would like to exchange some info with you...
regards,
or todd are talking about for "TDD4" !
regards
@willy,
The TDC-4 is actually different than the TDD-4. The TDC-4 has a flash memory mcu and is labeled 'COMBOX'. The TDD-4 has an OTP memory mcu and is labeled 'DEFAULT SECURITY BOX'. Other than those and a few other features, they are very similar.
Todd
senkron24
01-08-2005, 19:31
super
what is with part 2 when coming ??
super
what is with part 2 when coming ??
PART 2 ALREADY OUT
http://forum.gsmhosting.com/vbb/showthread.php?t=181358
..::Neo::..
01-09-2005, 15:31
oh really when is part 3 , still no useful information
oh really when is part 3 , still no useful information
Part 3 is here:
http://forum.gsmhosting.com/vbb/showthread.php?p=989752#post989752
Best regards,
Zulea
woodschang
01-15-2005, 10:26
Good, learn a lot.
Thanks to all masters
BR
Woods
vladutstoian
03-11-2005, 06:28
where is part2 I'm waiting:)))
What about TDS-4 dump, anyone has it?
turkgsmteam
10-05-2005, 00:11
part2 I'm waiting :D :D :D :D :D :D :D
danilo_nop
10-14-2005, 21:29
where can I get free disassembler or crack for trace32(t32mh83,www.lauterbach.com) for h8/3002
Good job, please upload link, can download.
babaunlocker
11-30-2005, 20:11
Hi,
Just download HEX dump from TDS-6 and start disassembling.
The algorithm for calculating RPL data from ASK files is there.
The HEX file of TDS-6 box can be downloaded for free here:
http://www.zulea.ro/TDS6.BIN
Just use IDA and select processor "Hitachi H8/300H".
Good luck :rolleyes:
If I have enough free time, more interesting info soon in "part 2".
Best regards,
Zulea
Plz give me access to this BIN file for downloading
With Best Regards
linwspps
12-03-2005, 07:14
Who can help I chase the ASK- RPL!Very grateful you!
link is broken friends share the bin chirag7_9@hotmail.com
link is broken friends share the bin chirag7_9@hotmail.com
t00 dikey@tut.by or worked link!
.::Gsmdenis::.
12-18-2005, 16:41
zulea will fix this problem soon, and i think just have more news from him!
BR.,
denis
how to contact zulea.
email not working.
does anybody have that bin file? please, contact me... ( pltemp@inbox.ru )
here is ur file bin lets hear a good news ;) :D
workaround
12-11-2006, 00:11
Any news about reversing TDS6??