to all prof in mobile
Hi all,
I want to know, in the flash file for Nokia, where I can get the address for erasing the flash.
I know that in the flash there is an address for erase and write; where is it?
Like in a patched flash for the 6610i it is erase from address xxxxxxx to address xxxxxx,
and write; where is that address put in the flash??????
And I want to know how I can debug, analyse and disassemble the flash file for Nokia with IDA?? What processor must I choose????
I have a flash from a 3510i mobile and I want to disassemble it with IDA. I took that flash from the phone by reading the flash in Tornado. Thanks to Dejan.
And sorry for my bad English.
Thanks to all of you ;)
ben_whiteus
03-09-2006, 18:26
After the first 9 bytes, the header of the flash file is organised as a series of TLVs (Type, Length, and Value). The type and length fields are one byte each. The erase address belongs to type 0xc8, and this field is organised as
0xc8 <len> <start addr of region 1><end addr of region 1> <start addr of region 2><end addr of region 2> ... <start addr of region n><end addr of region n>
Each of the specified regions will be erased (unless you choose not to) if you use a flasher like JAF prior to flashing the phone. Read g3gg0's webpage for more details.
As for IDA Pro, it can't be used to debug Nokia firmware. You can only disassemble and analyse it. Typically, you can choose ARMB as the architecture. But for Symbian phones, you should choose ARM.
Thanks man for your very nice reply, but I cannot find it. Can you help me with that?
Where are the len and the start address and end address here???
Thanks for your help ;)
A20000010000000011
here it starts.
Read the instructions carefully.
Good luck...
Taken from http://www.g3gg0.de
=====================================
[DCT4] Flash Header Tag ID's
February 13, 2006
Oh, I think I never made them public....
Here are the flash header tags I know.
C2 secondary_id
C3 algorithm_id
C8 erase_area
C9 vpp
CA vcc
CB hw_config_byte
CC hw_config_offset
CD secondary_speed
CE algorithm_speed
CF program_speed
D0 secret_info
D1 msg_read_speed
D3 claudia_info
D4 mcu_id_info
D5 vcc_off_time
D9 programming_options
DA fps8_options
DE fps8_timeouts
DF mm_bus_config
E0 mm_open_config
E1 mm_part_config
E3 mm_prog_config
But don't ask me what all the options mean or
how you can tell what all the bits are for ;)
==================================================
ben_whiteus
03-15-2006, 16:27
A20000010000000011
here it starts.
C8 10 013200000132FFFF015200000152FFFFD
<snip>
.
In case it is still not clear: for this case, you have two ranges
01320000 - 0132FFFF, 01520000 - 0152FFFFD
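The header walk from ben_whiteus' two replies, as an added Python example that is not from the thread or from g3gg0's page: it skips the 9-byte prefix, steps through type/length/value, and pulls the start/end pairs out of the 0xC8 erase_area tag, rejecting a tag whose length runs past the buffer instead of silently truncating it. The sample bytes are constructed from the hex posted above; the trailing 0xC3 tag, and the assumption that the TLV series ends when the bytes run out, are mine.

```python
import struct

# Tag IDs as listed on g3gg0's page (quoted above in the thread); names are his.
DCT4_TAGS = {
    0xC2: "secondary_id", 0xC3: "algorithm_id", 0xC8: "erase_area", 0xC9: "vpp", 0xCA: "vcc",
    0xCB: "hw_config_byte", 0xCC: "hw_config_offset", 0xCD: "secondary_speed", 0xCE: "algorithm_speed",
    0xCF: "program_speed", 0xD0: "secret_info", 0xD1: "msg_read_speed", 0xD3: "claudia_info",
    0xD4: "mcu_id_info", 0xD5: "vcc_off_time", 0xD9: "programming_options", 0xDA: "fps8_options",
    0xDE: "fps8_timeouts", 0xDF: "mm_bus_config", 0xE0: "mm_open_config", 0xE1: "mm_part_config",
    0xE3: "mm_prog_config",
}
PREFIX_LEN = 9  # bytes before the TLV series starts, per ben_whiteus


def parse_header_tlvs(header: bytes):
    """Walk the TLVs after the prefix: 1-byte type, 1-byte length, then value."""
    if len(header) < PREFIX_LEN:
        raise ValueError("header shorter than the 9-byte prefix")
    tags, pos = [], PREFIX_LEN
    while pos < len(header):
        if pos + 2 > len(header):
            raise ValueError(f"dangling type byte at offset {pos}")
        tag, length = header[pos], header[pos + 1]
        value = header[pos + 2:pos + 2 + length]
        # A length running past the buffer is corruption, not a short last tag.
        if len(value) != length:
            raise ValueError(f"tag 0x{tag:02X} at offset {pos} truncated: "
                             f"wants {length} bytes, {len(value)} remain")
        tags.append((tag, value))
        pos += 2 + length
    return tags


def erase_ranges(header: bytes):
    """(start, end) pairs from every 0xC8 erase_area tag, big-endian 32-bit each."""
    ranges = []
    for tag, value in parse_header_tlvs(header):
        if tag != 0xC8:
            continue
        if len(value) % 8:
            raise ValueError("erase_area value is not whole start/end address pairs")
        ranges.extend(struct.iter_unpack(">II", value))
    return ranges


# Constructed sample: prefix and erase_area as posted above, plus an invented 0xC3 tag.
SAMPLE_HEADER = bytes.fromhex(
    "A20000010000000011"                         # 9-byte prefix
    "C8 10 01320000 0132FFFF 01520000 0152FFFF"  # erase_area: two regions
    "C3 01 02"                                   # constructed; meaning not known
)
```

Running `erase_ranges(SAMPLE_HEADER)` on the posted bytes yields the two regions ben_whiteus spells out; feeding it a file cut off mid-tag raises instead of returning a partial address.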
Very nice, thanks to all who helped me ;)