
View Full Version : Nok BB-5 Unlock idea !


dorian2004
01-30-2007, 00:03
Hi to all users of this forum.


This method is not original and I think this method can possibly be used as a template unlock solution.

When you ask me why I say this - I repeat that I am not the first to have this idea. This idea was realized by a software engineer from our country. In fact I will not publish his name, and I know this way from the BB5 unlock solution he opened.


**********************************************************

How to make the unlock? - I write it in the next 4 threads.

This unlock will work fine via flash patch and nothing more.

I need 20 locked phones and 20 unlock codes.
I need a UP 1024 device and 2-4 months of work.


How it works:

First I want to desolder the flash and put it in the UP 1024 programmer.
Now I have extracted the flash file from the chip.

Next we solder the flash chip back to the phone and unlock via code.


After that we again extract the flash chip and disassemble the source code.


When we see the algo - we make a patch addon.

**********************************************************

What do you think about this idea?

my ICQ 333-414-824

Sonork 100.69222

dr_mobile2004@hotmail.com


BR. Dr.Mobile

SicilianBoy
01-30-2007, 01:23
Man, learn how to write in English before making a plan.

PhonePlus
01-30-2007, 02:08
It can be done, try!

mobileland
01-30-2007, 02:37
It is already done.
Nokia 6280 from 3 UK with version 3.36 appeared here in my country. And guess what?
Those phones are not unlocked by Dejan Team, but by someone else.
And of course, after you flash such a phone (each phone has software faults) you get a total 100% working BUT LOCKED phone.

Best Regards!

Gsm-W
01-30-2007, 04:44
> It is already done.
> Nokia 6280 from 3 UK with version 3.36 appeared here in my country. And guess what?
> Those phones are not unlocked by Dejan Team, but by someone else.
> And of course, after you flash such a phone (each phone has software faults) you get a total 100% working BUT LOCKED phone.
>
> Best Regards!

But the weird part is the phone can be downgraded after upgrade!! :eek: :eek: 5.92 --> 3.36
Some phones can still be used even with a corrupted IMEI, without the 2 minute restart!!
:eek: :eek:


Does that mean this version has very weak security measures compared to other versions??


BR

DOCTOR8
01-30-2007, 07:18
Hi friend
Your idea is not bad, but
it can be done if you make the same operation in RAP3G r/w,
this CPU. Good luck.

GFI
01-30-2007, 17:15
Hopefully we can see the solution being done and released :)

Regards
GFI-Team

Zaihtam
01-30-2007, 17:54
The unlocked phone doesn't change the firmware, I think; it just has the right key at the right place. As far as I know it is stored in the PM area, if I'm not wrong.


Good Luck...

OCTOPUS d.o.o.
01-30-2007, 18:09
Give me your address, I'll send you 20 phones for test. But afterwards you give me the source code for free,....

adihack
01-30-2007, 19:01
@mobileland: do you have HW to read out the flash from one of these phones?

Yes, I think that BB5 phone flash can be easily patched to unlock the phone. But you must know that this patched flash can't be written via cable! Flash files are signed by certificates. The only way to write a patched flash is to use an external programmer. This is the easiest way to unlock BB5 - but it's difficult in use and risky (desoldering BGA chips) and can't be protected.

shaaker
01-30-2007, 19:06
This solution maybe works with the GA628 and lower Ericsson :D

adihack
01-30-2007, 19:12
@shaaker: Before you comment on something, better think twice whether you are right. I know what I am writing; I have seen a lot of disassembled Nokia BB5 firmware, I know how this Symbian platform is working. So if you don't have any ideas to post, please don't post useless posts..

crusher
01-30-2007, 20:08
Please always remember that our friend sent him some hundred bucks once and did not receive anything valuable :)

So please send your stuff to him and wait, and leave honest people like shaaker alone...

dorian2004
01-30-2007, 20:45
> @mobileland: do you have HW to read out the flash from one of these phones?
>
> Yes, I think that BB5 phone flash can be easily patched to unlock the phone. But you must know that this patched flash can't be written via cable! Flash files are signed by certificates. The only way to write a patched flash is to use an external programmer. This is the easiest way to unlock BB5 - but it's difficult in use and risky (desoldering BGA chips) and can't be protected.



Of course the easy method is patching to unlock; I told you this method is not original and this method can possibly be used as a template unlock in some time.

So about flash files being signed by certificates - I know that some certificates have a bug, for example the mathematical function * to 0; if you have DCT4/BB5 flash source - maybe you know better.


This method is cheap with a bought external programmer from Dejan or a bought RAP 3G MCU.


*OCTOPUS d.o.o.
In fact if some people send me Nokias and hardware - I give them all results for free, as a partner.


BR.

Zaihtam
01-30-2007, 21:30
@adihack
Are you sure that writing patched code right into the flash IC is applicable? (using a hardware flash programmer). I haven't tried it, but the UP1024 can do it, I think.

Do you think the unlock can be done in the NAND flash IC? How about the RAP 3G NOR flash where the certificate stuff is?

Good Luck...

adihack
01-31-2007, 00:08
@Zaihtam: Everything in this world can be explained. As I remember, the NAND flash in the 6630 has 256 Mbit capacity. Do you think it is possible to checksum it on every phone turn-on?? Writing flash takes a few minutes, so it's completely impossible to calculate a checksum in milliseconds during phone start. There are no phones which can verify their software during every boot.. it's just technically impossible.

dorian2004
01-31-2007, 00:09
Zaihtam

The method of patching flash exists. I am not the first who opened this technology; I want to try to replicate it and nothing more.

If you have an internal flash programmer - then extract the flash dump and send it to my mail.

Ramiz
01-31-2007, 02:48
> Zaihtam
>
> The method of patching flash exists. I am not the first who opened this technology; I want to try to replicate it and nothing more.
>
> If you have an internal flash programmer - then extract the flash dump and send it to my mail.

Look friend, if you want to do that you can do it by:
1- get a locked phone
2- take the flash from it by 1024 ;)
3- send it to Dejan the king cuz Dejan makes patched flash ;)
4- he will unlock it for you
5- take the flash again by 1024, but the unlocked and patched one ;)
6- get another locked phone
7- write on it the flash you took from the unlocked phone by 1024
8- put the flash on the phone again
9- test the phone; I think the phone will work very very nice but I do not know if "the imei will be 1234567 or not and turn off after 2 min or not", but the phone will be unlocked.
10- if it is working fine and does not turn off after 2 min and the imei is good, then that's very nice, we have an unlocked flash, but the format for it is by 1024, so then we need to pack it and make it in the format like any flash, to flash it by MT or UFS.

dorian2004
01-31-2007, 03:36
> Look friend, if you want to do that you can do it by:
> 1- get a locked phone
> 2- take the flash from it by 1024 ;)
> 3- send it to Dejan the king cuz Dejan makes patched flash ;)
> 4- he will unlock it for you
> 5- take the flash again by 1024, but the unlocked and patched one ;)
> 6- get another locked phone
> 7- write on it the flash you took from the unlocked phone by 1024
> 8- put the flash on the phone again
> 9- test the phone; I think the phone will work very very nice but I do not know if "the imei will be 1234567 or not and turn off after 2 min or not", but the phone will be unlocked.
> 10- if it is working fine and does not turn off after 2 min and the imei is good, then that's very nice, we have an unlocked flash, but the format for it is by 1024, so then we need to pack it and make it in the format like any flash, to flash it by MT or UFS.



Dear, look at this.

1. Locked phones I get from a partner.
2. Extract the dump with UP1024.
3. I do not send the dump to another programmer. All data will be confidential.
4. The first unlock I get via unlock code.
5. Next make a new extract of the flash dump and analyze it.
6. When the dump analysis is done, we make a patch.
7. This patch we put into the flash and program the flash dump back to the phone.
8. Next we will debug and test the result.



I repeat, this method exists!!!

I want to try to replicate it and nothing more..

Ramiz
01-31-2007, 21:52
Man, it is very easy cuz Dejan makes patched flash.
We want the flash Dejan flashes by.
That will be finished by the method I said.

Dave.W
02-01-2007, 13:26
It seems a long way round, and I see a few problems with your ideas.

1: MCU SW will not change when the unlock code is entered. It is part of PM that will be written to. For read/write PM, no need to desolder any IC; it can be made with UFS3...
So reading locked and unlocked MCU will not help you. Must get locked/unlocked PM..

2: If you want to "analyze algo" at the point of unlock code, then you must use JTAG, not read flash.
MCU code is not changing when the code is entered. It is ROM! The best you can do is to step through the code line by line and trace the codes to make a calculator...

3: If you want disassembled BB5 firmware then I don't think the best way is to read and dump. Better to search some old posts on DCT4 by Dejan, who showed how to find encrypt/decrypt keys in DCT4. DCT4 - BB5 cannot be so very different.

See, there are two ways. JTAG to find the code authenticate algo, or disassemble flash to make a patch.

adihack
02-01-2007, 18:17
@Dave.W:

1) When a good code is entered the MCU is left unchanged, but the security certificate is changed. Even if someone has thousands of these certificates it's almost impossible to find this algo via comparing.

2) JTAG is disabled in Nokia phones since DCT4 was released. So the only way is to desolder the flash to make a read out, or find another way to enable JTAG.

3) Flash from a Nokia 6630 read by UP1024 was already posted some time ago by Zaitham. It isn't encrypted, so you can just put it into IDA as ARM code.

I suppose that some time ago Dejan may have patched some parts of the firmware. Probably he makes an additional call to recalculate the certificate for unlock (same as when a good code is entered). But for sure after unlock he reflashes all phones. Why do I think that he is doing it by this method? He wants phones with the described phone SW version. So he probably patches only one part of the firmware to save his time..

Dave.W
02-01-2007, 18:53
1. Aren't security certificates stored in OMAP or RAP3G on board? I am sure that's what I read in the service manual (although it is almost 2 years since I read that).

2. Read some posts in the past. It is possible to debug BB5 with JTAG; you just must rebuild the JTAG chain. If you know something about uP systems then it should not be so hard. With the knowledge, it is just as hard as desoldering/reballing any IC. Dejan himself posted that info.

3. Well, I think the best solution for anyone wanting to make this is to look in that file then.
Take notes from g3gg0 and his crew. They can do 99% of things with a flash file and a hex editor only. No need to even have the phone in front of them.

Ramiz
02-01-2007, 20:10
Man, I want to read the flash file Dejan makes, not unlock the phone by codes, cuz I know Dejan patches something in the MCU, and I can take the flash file from the phone without UP1024; it is very easy for me to take the flash. Anyone can help us by unlocking the phone by Dejan and sending us the board of the unlocked phone, and then we can do that patch ;) Anyone who can help by sending that board unlocked by Dejan, contact me.

jorus
02-01-2007, 20:17
> Please always remember that our friend sent him some hundred bucks once and did not receive anything valuable :)
>
> So please send your stuff to him and wait, and leave honest people like shaaker alone...

And he is not the only one :D, with his great tested stuff..........

adihack
02-01-2007, 21:16
@Ramiz: You CAN'T read anything useful from a phone unlocked by Dejan. Don't think that Dejan is so stupid that he returns phones with patched flashes to customers.. If anyone thinks that he unlocks phones only via flashing, please read carefully all his posts (especially about fields to backup).

IF YOU REFLASH A PHONE UNLOCKED BY DEJAN IT WILL STILL BE UNLOCKED

ARC
02-01-2007, 22:43
> @Ramiz: You CAN'T read anything useful from a phone unlocked by Dejan. Don't think that Dejan is so stupid that he returns phones with patched flashes to customers.. If anyone thinks that he unlocks phones only via flashing, please read carefully all his posts (especially about fields to backup).
>
> IF YOU REFLASH A PHONE UNLOCKED BY DEJAN IT WILL STILL BE UNLOCKED

hehe, thanks man :D
So that's the end of the story of this topic.

helper_ufs
02-02-2007, 09:38
I think this Ukrainian bullshitter, as always, is smoking too much cannabis :)

Zaihtam
02-02-2007, 21:48
I know it's logical to unlock the phones via patching, but what I mean is, how are you going to manage to unlock every phone by desoldering the NAND flash?

Btw, I have uploaded the RAP3G NOR flash content somewhere in this forum.

The NAND flash I don't have the equipment to read.



GOod Luck...

unreal002
02-02-2007, 22:24
Can someone be nice enough to post some of Dejan's old posts relating to this topic when working with DCT4 etc? Thanks.

debeliamark
02-03-2007, 07:53
...

> IF YOU REFLASH A PHONE UNLOCKED BY DEJAN IT WILL STILL BE UNLOCKED

100% true ... I have tested a few times, and have also collected the 308 field of phones "before" and "after" Dejan's unlock; if you are interested - I can show you the effect...

adihack
02-03-2007, 10:23
@unreal002: Are you OK? Why don't you find Dejan's posts yourself? You can just use the forum search.

@Zaitham: I agree with you. I think it's quite an easy way to find out how to patch flash, but the main problem is desoldering the flash in every phone. It's the main reason why nobody has done it before. If someone provides you a patched beta flash, can you test whether it will work?

bilal shah
02-03-2007, 10:48
Can anybody give me a step by step method for temporary unlocking of BB5? I want to try this method.

thanx

Dave.W
02-03-2007, 17:56
> Can someone be nice enough to post some of Dejan's old posts relating to this topic when working with DCT4 etc? Thanks.

You are truly "unreal" :p

You see at the top of the page? Search?

Better you start there.

:)

medgsm1
02-03-2007, 20:51
Now we can downgrade BB5 phones with JAF :p

loneunlocker
02-03-2007, 22:56
> Can anybody give me a step by step method for temporary unlocking of BB5? I want to try this method.
>
> thanx

There is no temporary unlock method. The only unlock method is to call your service provider and pay them :D

dorian2004
02-04-2007, 05:13
> And he is not the only one :D, with his great tested stuff..........

So what do you want to say? That I sent crusher scdr2.hex v10a and he could not make the PCB :)))) or that the sag_dd hex does not work?

Should I put an archive link there, or what, as proof?

You and your crusher have been big LAMERS - forever!!!

dorian2004
02-04-2007, 06:00
@bilal shah

You are asking how to make the unlocking step by step :)

Np, I'll write it for you.


Get 20 locked phones and unlocking codes.

Desolder the flash and put it in a programmer for reading the unencrypted dump, and after that solder the flash back to the phone and unlock via code.

Then desolder the flash and read the unlocked flash dump.

Open the IDA disassembler and compare both flash files.

That's all the procedure and nothing more.

When you have done this procedure with twenty telephones you receive statistics and can make an unlock_patch for the telephone.

This technique is an innovation, it is a very old technique and the most accessible of all, as the flash inside Nokia is unencrypted :)

BR. Dr.Mobile

Zaihtam
02-04-2007, 10:50
As far as I know, there is no one who has unlocked BB5 using this method, so how are you going to get a patched unlocked phone?


Good Luck...

dorian2004
02-04-2007, 16:30
Zaihtam

So far you did not know: some guys keep using this technology in my country, in Nikolaev city.

[c]Cinek
02-04-2007, 16:52
@dorian2004

Read some about RSA, CRC, certificate signing and flash checksum protection... or buy a Motorola C261/V177 and try the flash patching method; it's the answer to you why it does not work ;)

Why is DB2020 so hard to unlock? Because we can't flash any of our own trash to DB2020; only signed flash is accepted.
BB5 is the same story.

dorian2004
02-04-2007, 17:19
[c]Cinek wrote:
> @dorian2004
>
> Read some about RSA, CRC, certificate signing and flash checksum protection... or buy a Motorola C261/V177 and try the flash patching method; it's the answer to you why it does not work ;)
>
> Why is DB2020 so hard to unlock? Because we can't flash any of our own trash to DB2020; only signed flash is accepted.
> BB5 is the same story.

Dear friend, when I cracked JAF and extracted the hex from the protected MCU - nobody trusted me; Raskal likewise did not trust me.

All of them shouted that it is impossible to break open RSA 512!!!

And I shall say this to you. I also did not break open RSA, I simply bypassed it.

And when I have shared some latest hex - many people will be in horror.

Because only after it is done do people begin to understand the complete picture of what is occurring.

Such people as you - are complete. You never believe in anything. And you begin to laugh before the certain time. And then bite your own hand. As all facts are against you.
In history there is a set of examples. Let's recollect Nicolaus Copernicus, who asserted that the planets go round the sun.
And such people as you accused him of being a traitor to religion and burned him at the stake.

BR. Dr.Mobile

gsm-decode
02-04-2007, 17:50
This is interesting :)

Invisible
02-04-2007, 18:09
[c]Cinek wrote:
> Why is DB2020 so hard to unlock? Because we can't flash any of our own trash to DB2020; only signed flash is accepted.
> BB5 is the same story.

Hello,

you are wrong about DB2020 unlock,


you can flash any trash you want to the phone,
you can even finish the phone and upload customization without the EMMA card..

The only problem on DB2020 unlock is the extra EROM lock which can't be (apparently) bypassed; the EROM is locked down at startup so it can't be written.

best regards
Invisible

adihack
02-04-2007, 22:33
@[c]Cinek: You are right, but not 100%. I wrote here that it's impossible to flash a BB5 phone with patched flash. But if you flash any phone with software with changed code in the MCU by external programmer (for example UP1024 or a JTAG device) it must work. The other point is whether this method is useful enough to start unlocking using it. Finally, if someone has phones unlocked by a 3rd party which are going to be relocked after flashing, we have the target. Then this person must read all flash with an external programmer, then send the phone to unlock. Now read out the flash again and compare.

@[c]Cinek: I'm not sure I'm placing you right, because the login is a bit different. Are you from Mielec?

Zaihtam
02-04-2007, 23:18
Wow, it's good news; did he use this method on a BB5 phone? If so then Dejan is not the only one who can unlock BB5 phones.

Really, it should be good news to all ppl who wait for a BB5 to be unlocked.

Then your work should not be that hard, since you just need to get the unlocked phones and make some compares. Then bingo... so why should you get about 20 phones to do so? :(


:D

Good Luck...

[c]Cinek
02-05-2007, 00:23
> @[c]Cinek: You are right, but not 100%. I wrote here that it's impossible to flash a BB5 phone with patched flash. But if you flash any phone with software with changed code in the MCU by external programmer (for example UP1024 or a JTAG device) it must work. The other point is whether this method is useful enough to start unlocking using it. Finally, if someone has phones unlocked by a 3rd party which are going to be relocked after flashing, we have the target. Then this person must read all flash with an external programmer, then send the phone to unlock. Now read out the flash again and compare.
>
> @[c]Cinek: I'm not sure I'm placing you right, because the login is a bit different. Are you from Mielec?

If you change something in flash, the phone detects the difference with the stored checksum.

I only spent some time on researching V177/C261 Calypso+; if TI created RAP3G like Calypso+ (built-in crypto processor with [64b, 128b] keys to check flash integrity and checksum before starting anything from flash) I only want to wish good luck to the person who thinks flash patching is so easy to do :)

@Invisible
Thanks for correcting my words.

@adihack
I'm not from Mielec; I'm often on Elektroda.

adihack
02-05-2007, 17:48
@[c]Cinek: I'm still almost sure that MCU integrity in BB5 is not checked during every boot. Security certificates, some PM fields for sure. But not MCU code.. And I have to say again that it's impossible to write modified flash to the phone by cable because the flash is encrypted and signed. But the only way to get the truth is to check it out on a phone.

@Zaihtam: I hope that you will find some time and can check whether modified flash written by an external programmer will work ok. It seems that only you have the required devices to check it out..

karwos
02-05-2007, 19:51
> @[c]Cinek: I'm still almost sure that MCU integrity in BB5 is not checked during every boot. Security certificates, some PM fields for sure. But not MCU code.. And I have to say again that it's impossible to write modified flash to the phone by cable because the flash is encrypted and signed. But the only way to get the truth is to check it out on a phone.
>
> @Zaihtam: I hope that you will find some time and can check whether modified flash written by an external programmer will work ok. It seems that only you have the required devices to check it out..

Why not, then?
Why are BB5 phones booting not in 3 seconds like old DCT4
but in about 20 seconds or more (I did not count)?
Why is the ST_Security test failing sometimes :D?

It's not a big problem to make an mcusw hash during bootup (of course not full, only critical areas of flash); BB5 has a fast enough CPU.
Even if not - the phone can do it "on the fly" - same as when the certificate is broken (and ST_Security fails). The phone switches off at random moments (after 30 secs, 3 minutes, 10 minutes, etc).

This is my opinion ;)

BR

unreal002
02-05-2007, 21:18
> @[c]Cinek: And I have to say again that it's impossible to write modified flash to the phone by cable because the flash is encrypted and signed. ..

Can you explain this a little more please? And is the whole flash encrypted, or only the EEPROM?

thanks.

KOBOL
02-05-2007, 21:40
SETool unlocks all DB2020 via flash patching. Bypassing DB2020 security is possible.

Spoochy
02-05-2007, 22:37
@KOBOL

When was this discussion about DB2020? Read the topic and the posts before you answer. BB5 is not DB2020.

BB5=Nokia
DB2020=Sony Ericsson

[c]Cinek
02-05-2007, 22:57
http://focus.ti.com/pdfs/vf/wireless/securitywhitepaper.pdf - for understanding OMAP security :) Crypto library + crypto SW + crypto HW ;)

dileepbp
02-06-2007, 08:57
Hello sir please.......................


I think you are mad, or try to confuse others.

Stop it please.................

:mad: :mad: :mad:

KOBOL
02-06-2007, 17:30
No need for 10 or 20 phones, only 2-3 phones:
1. unlock code from operator
2. RPL file for restoring certificates and lock status
3. TI JTAG
4. MT-Box
5. assembler and disassembler

Connect the phone to JTAG and insert the code on the fly, dump all info, check the unlock command and changes.

Zaihtam
02-06-2007, 19:04
JTAG is disabled by default; somehow BPH knows how to activate it. He has a snippet of the code, and I don't know where it was extracted from; maybe BPH can give us some story.

Dejan seems to know how to enable it. Or he has developer certificates.


Good Luck...

Bph&co
02-06-2007, 20:02
Hi,

JTAG is enabled after a successful flash/RAM test (based on where you boot from).
Also you need to have a valid developer's certificate in the phone (the R&D entry in
the TOC points to it).
If somebody managed to connect via JTAG on a phone without a Dev Cert please
let me know, maybe I am wrong.

Somebody said that it is not possible to make a full integrity check on the flash,
because it will take too much time. Unfortunately this is not the case - the chip
is fast enough to do a full flash check every few hundred ms. And don't mistake
the RAP3 chip for some generic baseband MCUs used in other phones, where
all the security is in the SW. Since DCT4, Nokias implement most of the
security stuff as logic, and if a 'bad guy' is detected, TX hardware is not
initialized, WDs are not reset, etc - all this by logic inside the chips, not
instructions executed by the CPU.

Regards
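The boot-time checks that [c]Cinek (a stored checksum compared against the flash) and Bph&co (a full flash integrity check, fast enough to run every few hundred ms) describe can be modelled to show why a dump that was edited and written back with an external programmer would not pass. The following Go program is an added example, not code from any poster or from Nokia: the image layout, the 1024-bit demo key and the 4 KiB sample code region are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"hash/crc32"
)

// FirmwareImage is a constructed, simplified model of a signed flash image:
// a code region, a CRC32 over that region, and an RSA signature over the
// SHA-256 digest of the region. It is not the real BB5 image layout.
type FirmwareImage struct {
	Code      []byte
	CRC       uint32
	Signature []byte
}

// VerifyResult reports which of the two boot-time checks passed.
type VerifyResult struct {
	CRCOK bool
	SigOK bool
}

// SignImage builds an image and signs it with the vendor's private key.
// Only the holder of this key can produce a signature that verifies.
func SignImage(code []byte, key *rsa.PrivateKey) (*FirmwareImage, error) {
	digest := sha256.Sum256(code)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &FirmwareImage{
		Code:      append([]byte(nil), code...),
		CRC:       crc32.ChecksumIEEE(code),
		Signature: sig,
	}, nil
}

// VerifyImage runs the checks a boot ROM would run before executing flash:
// the CRC catches accidental corruption, the signature catches any change
// made without the private key.
func VerifyImage(img *FirmwareImage, pub *rsa.PublicKey) VerifyResult {
	digest := sha256.Sum256(img.Code)
	err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], img.Signature)
	return VerifyResult{
		CRCOK: crc32.ChecksumIEEE(img.Code) == img.CRC,
		SigOK: err == nil,
	}
}

// PatchByte returns a copy of img with one code byte changed, modelling a
// dump that was edited and written back with an external programmer.
// With fixCRC set the CRC field is recomputed over the edited code.
func PatchByte(img *FirmwareImage, offset int, value byte, fixCRC bool) *FirmwareImage {
	out := &FirmwareImage{
		Code:      append([]byte(nil), img.Code...),
		CRC:       img.CRC,
		Signature: img.Signature,
	}
	out.Code[offset] = value
	if fixCRC {
		out.CRC = crc32.ChecksumIEEE(out.Code)
	}
	return out
}

// Demo signs a constructed 4 KiB code region and verifies three variants:
// untouched, one byte patched, one byte patched with the CRC recomputed.
func Demo() ([3]VerifyResult, error) {
	var res [3]VerifyResult
	key, err := rsa.GenerateKey(rand.Reader, 1024) // 1024-bit, the size the thread discusses
	if err != nil {
		return res, err
	}
	code := make([]byte, 4096) // constructed stand-in for MCU code
	for i := range code {
		code[i] = byte(i * 7)
	}
	img, err := SignImage(code, key)
	if err != nil {
		return res, err
	}
	res[0] = VerifyImage(img, &key.PublicKey)
	res[1] = VerifyImage(PatchByte(img, 0x100, 0xFF, false), &key.PublicKey)
	res[2] = VerifyImage(PatchByte(img, 0x100, 0xFF, true), &key.PublicKey)
	return res, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	names := []string{"untouched", "patched", "patched + CRC recomputed"}
	for i, r := range res {
		fmt.Printf("%-25s crc_ok=%v sig_ok=%v\n", names[i], r.CRCOK, r.SigOK)
	}
}
```

The third case is the point of the thread's argument: a checksum can be brought back into agreement with edited code, a signature over the same code cannot without the signing key, so only a check that ends in signature verification (and that actually runs at boot) stops a patched dump.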

Dave.W
02-06-2007, 21:37
Hey B-Phreaks&co, just one question.

Do you have a solution to unlock BB5? Just out of interest, I don't care for buying.

I am just wondering why you never released it. I know you are smart guys and I'm sure you could have done it a long time ago.

I am just curious whether you made it?

For me, you have nothing to prove. You had a good name even before "eeprom tools" :)

gsmstroong
02-06-2007, 23:15
Hi Brother.


It may be possible, but with a minimum chance of 26%.

Best Regards


GSM STROONG

usernome
02-07-2007, 00:14
Hello to all, here you try to think. Let's see if I'm good at that.

1. Dejan unlocks BB5 very fast, with a very simple program, one button on a window.
I'm sure he has the signing key, or certificate or whatever you want to call it.
(The story about him accepting only boards: I think he doesn't want a sniffer for the key.)
(The story about a wire connected to the board is just dust in the eyes;
Zulea had the same story at the first Ericsson unlock, bla bla bla.)

2. It is not flashing, just change 1 bit and sign. 99% sure.

3. You won't find anything in flash about crypting or signing field PM 308.
It is done by RAP3G.

I think the protection is like this: you say to RAP3G "sign that .... I have the key".
RAP3G signs the field. 1024 bytes data, 1024 byte RSA, field 308.

You can't crack RSA 1024; if you can crack it then go to the RSA challenge and take the money, you don't need the BB5 business....


regard's to all...
iulik

Jhay-r
02-07-2007, 07:01
> Hello to all, here you try to think. Let's see if I'm good at that.
>
> 1. Dejan unlocks BB5 very fast, with a very simple program, one button on a window.
> I'm sure he has the signing key, or certificate or whatever you want to call it.
> (The story about him accepting only boards: I think he doesn't want a sniffer for the key.)
> (The story about a wire connected to the board is just dust in the eyes;
> Zulea had the same story at the first Ericsson unlock, bla bla bla.)
>
> 2. It is not flashing, just change 1 bit and sign. 99% sure.
>
> 3. You won't find anything in flash about crypting or signing field PM 308.
> It is done by RAP3G.
>
> I think the protection is like this: you say to RAP3G "sign that .... I have the key".
> RAP3G signs the field. 1024 bytes data, 1024 byte RSA, field 308.
>
> You can't crack RSA 1024; if you can crack it then go to the RSA challenge and take the money, you don't need the BB5 business....
>
>
> regard's to all...
> iulik


1 is correct...

as well as 2 and 3...

but the flash IC where CMT is stored is the place where the lock area is stored...

forget area 308 coz it's as well as you can find something in flash... certificates and CRCs

RAP3G verifies area 308 and corrects it "on the fly" if something is "wrong"

partial flashing is possible....

but it must be done by bypassing both the flash and the crocodile proc called RAP3G

coz RAP3G verifies like a monster.....

BB5 has algos monstrously hard to find

a needle in a haystack

Bph&co
02-07-2007, 11:42
> Hey B-Phreaks&co, just one question.
>
> Do you have a solution to unlock BB5? Just out of interest, I don't care for buying.
>
> I am just wondering why you never released it. I know you are smart guys and I'm sure you could have done it a long time ago.
>
> I am just curious whether you made it?
>
> For me, you have nothing to prove. You had a good name even before "eeprom tools" :)

I posted a long time ago that we are not interested in this because Dejan claimed
the solution, and second there is no way on earth you can make a protected
unlock solution for this platform.

Just watch his box - for how long is it going to last (if he releases it at all).

Regards

Invisible
02-07-2007, 11:50
hi

he didn't release anything so I don't think he will now,

just a thought,

best regards
Invisible

Spoochy
02-07-2007, 19:33
Maybe Dejan just needed to keep his name UP? :p

Dave.W
02-07-2007, 22:13
Dejan is Dejan. That's it. He can make the solutions every time, but face it, he has no idea of "business".

His big break, Dejan flasher: he gave away the scheme and software for free, as a taster to buy his product Dejan 1.04. Well, many people made a lot lot lot of money on his "free trial", and in the end Dejan made very small money on the 1.04 box.

Instead, he got beaten in the market by other third parties (Neelix box and B-Phreaks/Koci logs). Eventually all was free..

His show on DCT4 was the same. A free DCT4 unlocker as a taste, but by the standard we know, it was not a nice tool. The "cheap China flasher" for DCT4, I hear, was also Dejan's work, but with some input from another source. Well, see how that fails also in the market.

So it's safe to say Dejan is a good mind, but every time he tries to sell something, it makes a big flop.

I think he made a mistake of threatening the JAF team into not releasing a BB5 unlock though.

Instead of making angry noises at them, he should have asked to come in on the project.

Then everyone is a winner, including the unlocking public!

But enough of Dejan hehe

Spoochy
02-08-2007, 09:03
Well spoken, Dave. ;)

Jhay-r
02-08-2007, 13:31
like a dejan fanatic huh...

:D

zakovb
02-08-2007, 18:04
DAVE........ I 10000000000000000000000000000000000000000000%%%%%%% 
Agree!!!!!!

Dejan should apologise and join the JAF partnership..... they will take care of business... he will win...

sid_vicious
02-08-2007, 23:20
Everything has its time.......
Every move to make will have its own explanation.

We can't guess what is in Dejan's..... so does the Odeon team...

Let's be a good public :D

waleed2
02-14-2007, 10:48
I think it's a possible idea if we can read the PM from the flash chip before unlock and after.

gsmserveur
02-26-2007, 18:38
no solution yet
only with logs

bojs
02-27-2007, 09:56
I have one noob question: what makes the RAP3G work so fast? I am thinking that maybe here lies the solution of BB5 unlocking. Just a thought.

br,
bojs

spider-man
03-02-2007, 19:27
If we can read the chip by JTAG, we must find the JTAG points.
After reading the same version as an unlocked phone, we program the other locked phone??????
The second must be unlocked?
What do you think?

francis1986
03-14-2007, 11:50
Hey guys,

Wanna know where the lock data is stored in PM 308? Then check this out: http://forum.gsmhosting.com/vbb/showthread.php?t=285892&page=22

B.R.
Francis Rodrigues
The Mobile King Team

surajhegde
03-17-2007, 16:16
Don't say again this is a bluff.

sokettro
03-18-2007, 01:00
All of you are waiting for free things from Dejan team, solutions that may cost a fortune for a programmer from Romania; why don't you try to do that with your phones? I want to see a guy like SicilianBoy kissing the a$$ of someone like Dejan for a BB5 unlocking solution. Most of us are not learning English at school; I'm one who learned English from the TV and internet, because I wanted it. Don't be a jerk, any one of you; all of us here are trying to make some money clean and fair, and because we try to add some help here. Thank you for reading this she...

dorian2004
04-15-2007, 19:56
Unlock BB5 will be done, coming soon!!!

When we make it - all the world will know that they have chosen not the easy contenders.

eivoig
04-15-2007, 20:17
BB5 unlocking is through read codes, no other, and no direct unlock like DCT4; if there is a very good programmer except Dejan, now BB5 can easily be unlocked.
By the way, there is no money in BB5 unlocking!

Medusa Lancer
04-17-2007, 21:33
..............................................

power1977
04-17-2007, 21:39
> Unlock BB5 will be done, coming soon!!!
>
> When we make it - all the world will know that they have chosen not the easy contenders.


Enough bullshitting people....

Stop cheating people --- all Russian forums know who Dr.Mobile is....

Albelektronik
04-21-2007, 15:02
At the end they go into the castle and live forever very very happily...

This is the end of this story.


WBR; Albelektronik TEAM

dorian2004
04-30-2007, 23:02
I know two ways in theory to unlock BB-5, with two different methods.

In fact, both methods are trustworthy; they need only time and brains..

As I told later, BB5 is a very safe platform, and so extracting the flash dump from the flash chip is the easy part :)

infogsm
05-01-2007, 03:01
As eivoig said, for sure Dejan unlocks BB5 through code reading, as he needs phones to have at least one try left to enter the unlocking code via cable, else they can't be unlocked (maybe he uses TP too), and for sure that's the best and fastest method to use to avoid RAP3G verifications!!

br

X-Shadow
05-01-2007, 12:11
You don't need a UP-1024 to read the flash.
You can make a PIC18 project and build a customized NAND programmer
like this:
http://i161.photobucket.com/albums/t231/Makanaki_photos/18LF2550D1.jpg


It has been discussed before that nothing much is important in the flash
except for the PM area, which you can already dump using UFS devices.

The question is, do you think people will actually pay $$$$ for a stand-alone
BB5 unlocker at this time? Everyone here has been waiting for over 2 years
for such software, and I think they are still willing to wait just a few more
weeks for a cracked version of that stand-alone unlocker once it is
released. It's a dark future for BB5... no money here, moving along...

Just my 2cents.

B.R.,

Ashwani Gaur
05-01-2007, 13:13
Can I get more details about this PIC project, like the hex file and pin connections?

thanks

wbr
AshwaniGaur

infogsm
05-01-2007, 15:47
Yes, give us more info please.
br

dorian2004
05-02-2007, 02:45
You don't need a UP-1024 to read the flash.
You can make a PIC18 project and build a customized NAND programmer
like this:
http://i161.photobucket.com/albums/t231/Makanaki_photos/18LF2550D1.jpg


It has been discussed before that nothing much is important in the flash
except for the PM area, which you can already dump using UFS devices.

The question is, do you think people will actually pay $$$$ for a stand-alone
BB5 unlocker at this time? Everyone here has been waiting for over 2 years
for such software, and I think they are still willing to wait just a few more
weeks for a cracked version of that stand-alone unlocker once it is
released. It's a dark future for BB5... no money here, moving along...

Just my 2cents.

B.R.,


I see you made a very strange board. What is it? A flash programmer, or what?

Maybe you can put the software for this device there, or more info..

.:SUBRATA:.
05-06-2007, 14:11
man learn how to write in english before making a plan

Don't be rude...... let them speak.

spider-man
05-15-2007, 14:56
Finally BB5 unlocked by cable KDU :)

dorian2004
05-19-2007, 22:42
Look at the picture:

http://www.access2ftp.nm.ru/calc.gif

We can see that the Dejan calc uses only 48 bytes to make the unlock string (all the rest is dust).

The first 32 bytes we get from the extracted PM file.

Next, the missing 16 bytes??



B.R. Dr.Mobile

spider-man
05-20-2007, 15:59
@Dorian2004

Is this the full log that was read?
Are there only 48 bytes?

Are these 16 bytes the magic bytes?

But, once these are obtained, how can we calculate them?


Have you an idea?
Add me on MSN please, we can talk more:
blacksnak_@hotmail.com

[c]Cinek
05-20-2007, 19:51
We can see that the Dejan calc uses only 48 bytes to make the unlock string (all the rest is dust).

The first 32 bytes we get from the extracted PM file.

Next, the missing 16 bytes??



B.R. Dr.Mobile

Request: 12.05.2007 22:24:29.96064 (+0.0156 seconds)

1E 00 10 7F 00 02 D2 02 DC 7F 1E 00 10 53 00 08
0D 00 01 47 02 0D

Answer: 12.05.2007 22:24:29.08564 (+0.0625 seconds)

1E 10 00 7F 00 02 53 07 4D 6A 1E 10 00 53 00 5E
12 55 FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF 00 44 00 00 00 00 [22 AA 12 23
2D DE F9 68 1A 43 C5 9C 09 E1 A0 3B] 23 6D B3 36
EB 43 D0 2B 64 63 54 51 68 BD 79 B5 01 FF FF FF
00 00 00 00 3F 00 7F 20 6F 07 FF FF F8 00 00 50
03 00 05 02 00 00 00 00 7F FF 6F 07 01 43 D6 2C

"22 AA 12 23 2D DE F9 68 1A 43 C5 9C 09 E1 A0 3B" = the last 16 magic bytes ;)
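An added example, my own code and not from [c]Cinek's post: the log above is framed as Nokia FBUS (start byte 0x1E, destination, source, message type, 16-bit big-endian length, payload, a 0x00 pad when the length is odd, then two XOR checksum bytes over the even and odd offsets). That reading is confirmed by the log itself: both short type-0x7F acknowledgement frames verify under that checksum rule, and rebuilding them from their fields reproduces the logged bytes exactly. The two long type-0x53 frames, as pasted, are cut off: the request declares 8 payload bytes but only 6 follow, and the answer declares 0x5E = 94 but only 92 are present with no checksum, so anyone trying to replay or calculate from this log needs the complete capture. What the 0x53 message carries is not stated in the thread; the parser only decodes the framing and locates the bracketed 16 bytes, which sit at payload offset 24 of the answer frame. The frame layout and the checksum rule are my assumptions about the log, not something the post states.

```python
"""Decode the FBUS frames from the hex log above (added example, not thread code).

Assumed framing, confirmed against the two 0x7F acks in the log:
  1E | dest | src | type | len_hi len_lo | payload[len] | (00 pad if len odd) | chk_even chk_odd
chk_even XORs every byte at an even offset from the 0x1E, chk_odd every byte at an odd offset.
"""
from dataclasses import dataclass
from typing import List, Optional

FBUS_START = 0x1E

# Bytes copied from [c]Cinek's log; the square brackets are his "16 magic bytes" marker.
REQUEST_LOG = """
1E 00 10 7F 00 02 D2 02 DC 7F 1E 00 10 53 00 08
0D 00 01 47 02 0D
"""
ANSWER_LOG = """
1E 10 00 7F 00 02 53 07 4D 6A 1E 10 00 53 00 5E
12 55 FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF 00 44 00 00 00 00 [22 AA 12 23
2D DE F9 68 1A 43 C5 9C 09 E1 A0 3B] 23 6D B3 36
EB 43 D0 2B 64 63 54 51 68 BD 79 B5 01 FF FF FF
00 00 00 00 3F 00 7F 20 6F 07 FF FF F8 00 00 50
03 00 05 02 00 00 00 00 7F FF 6F 07 01 43 D6 2C
"""


@dataclass
class Frame:
    dest: int
    src: int
    msg_type: int
    declared_len: int
    payload: bytes
    checksum_ok: Optional[bool]   # None when the frame is cut off in the log
    truncated: bool


def hex_to_bytes(log: str) -> bytes:
    """Drop the bracket markers and parse the hex dump (fromhex skips whitespace)."""
    return bytes.fromhex(log.replace("[", "").replace("]", ""))


def fbus_checksum(frame_without_checksum: bytes) -> bytes:
    even = odd = 0
    for offset, value in enumerate(frame_without_checksum):
        if offset % 2 == 0:
            even ^= value
        else:
            odd ^= value
    return bytes([even, odd])


def build_frame(dest: int, src: int, msg_type: int, payload: bytes) -> bytes:
    """Frame a payload under the assumed rule; used to cross-check the log's acks."""
    header = bytes([FBUS_START, dest, src, msg_type, len(payload) >> 8, len(payload) & 0xFF])
    body = header + payload + (b"\x00" if len(payload) % 2 else b"")
    return body + fbus_checksum(body)


def parse_frames(data: bytes) -> List[Frame]:
    """Split a byte string into frames, verifying checksums and flagging cut-off frames."""
    frames: List[Frame] = []
    pos = 0
    while pos < len(data):
        if data[pos] != FBUS_START:
            raise ValueError(f"expected 0x1E at offset {pos}, got 0x{data[pos]:02X}")
        if pos + 6 > len(data):                      # not even a full header left
            frames.append(Frame(0, 0, 0, 0, data[pos + 1:], None, True))
            break
        dest, src, msg_type = data[pos + 1], data[pos + 2], data[pos + 3]
        length = (data[pos + 4] << 8) | data[pos + 5]
        end = pos + 6 + length + (length % 2) + 2    # header + payload + pad + checksum
        if end > len(data):                          # log ends before payload + checksum
            frames.append(Frame(dest, src, msg_type, length, data[pos + 6:], None, True))
            break
        payload = data[pos + 6: pos + 6 + length]
        ok = fbus_checksum(data[pos:end - 2]) == data[end - 2:end]
        frames.append(Frame(dest, src, msg_type, length, payload, ok, False))
        pos = end
    return frames


def marked_bytes(log: str) -> bytes:
    """The span bracketed in the log, as bytes."""
    return bytes.fromhex(log[log.index("[") + 1: log.index("]")])


if __name__ == "__main__":
    for name, log in (("request", REQUEST_LOG), ("answer", ANSWER_LOG)):
        for f in parse_frames(hex_to_bytes(log)):
            state = "truncated" if f.truncated else ("checksum ok" if f.checksum_ok else "BAD checksum")
            print(f"{name}: {f.src:02X}->{f.dest:02X} type 0x{f.msg_type:02X} "
                  f"len {f.declared_len} ({len(f.payload)} bytes present) {state}")
```

Run as-is, it reports the 0x7F ack in each direction as checksum ok and both 0x53 frames as truncated. The device addresses are consistent across the exchange: the PC side is 0x10 and the phone side 0x00, so the request frames are 10->00 and the answer frames 00->10.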

spider-man
05-20-2007, 21:27
And the IMEI?

We don't need it?

hackerbd
05-20-2007, 22:19
It's already done by Dejan. Why do you waste your time? Better you make other software which is different. Thanks bro!!!!!!!

expertgsm68
05-20-2007, 22:31
What's this line: 1E 00 10 7F 00 02 D2 02 DC 7F 1E 00 10 53 00 08
0D 00 01 47 02 0D ?