How to write software for unlocking phones


Liu CAs
06-01-2002, 07:16
Hi!

I'm a programmer and I'm trying to understand how software for unlocking phones works, because I'm going to write one. Unfortunately I can't find any documentation about the communication protocol between phone and PC, what kind of processors are used in phones, or how to disassemble a phone's firmware. If anyone could help me I'd be glad.
Sorry for my grammatical errors.

Lead
06-02-2002, 05:28
It is not as easy as you might think. There is no communication protocol documentation released by the mobile phone manufacturers. Everything you can find is based on reverse engineering. When writing new unlocking software, one is interested mainly in the bootstrap protocol rather than in the high-level AT commands, although there may be some exceptions.

To find out the bootstrap protocol for a totally new phone, you may visit a service center and ask them to allow you to sniff the serial (in the better case) communication and hope it will not be encrypted. For an older phone you may do it at home, by sniffing the communication between your phone and some free or dongled unlocking program. In most cases you will find out that after you press the power button on the phone, the computer sends some kind of code into the phone. This is a program that runs inside the mobile phone, takes control over it and handles the whole communication with the PC that follows. You may then analyze the code and modify it to be able to read the whole phone flash.

This is the point when the hardest work takes place. You will spend many weeks analysing the phone firmware and if you are a lucky person, you will find a way to unlock the phone. However, the new phones, like Nokia 8310, 6310, 6510 and Ericsson R520m, T39m, T65s, T68m, T68i, are well protected. Nokia now uses encrypted boot code and Ericsson requires you to pass through some flash authorization procedure to be able to send boot code to the phone.

Anyway, I did not want to discourage you. The processors used in current phones are:

ARM (Nokia, Motorola, Sagem, Trium,...)
Z80 (Ericsson,...)
AVR (Ericsson)
80C166 (Siemens, Sagem,...)
Motorola, e.g. 68332 (Motorola)

This is the list of processors used in mobile phones that I could remember. To disassemble code, I recommend you buy the Interactive Disassembler Pro Advanced from the DataRescue company. It is a really good reverse-engineering tool and is worth buying.

May the force be with you

Best regards,
Lead.

[MoOkIe]
06-02-2002, 11:30
Very nice info! :)

Thanks a lot Lead.
Bye.

mujie
06-07-2002, 17:12
LEAD is the MASTER

OrbiTel
01-07-2003, 20:12
Yes LEad is good )

kulibin
01-08-2003, 01:17
Where can I find manuals for ARM (Nokia, Motorola, Sagem, Trium,...)?

Lead
01-08-2003, 01:23
Maybe this could help you:
http://www.arm.com/arm/documentation?OpenDocument

Wings
01-08-2003, 09:13
Thank you lead for the info .

regards

sago
01-08-2003, 11:04
lead is lead

junk
01-08-2003, 14:41
One question to Lead:
Are the firmwares for Nokia DCT4 phones also encrypted?

Lead
01-08-2003, 14:49
Yes, mostly.

junk
01-08-2003, 14:52
Well, where can I get unencrypted firmware or maybe a full dump of a new Nokia phone?

Lead
01-08-2003, 14:57
The easiest way is to desolder the flash chip and read its contents using some chip programmer.

junk
01-08-2003, 14:59
Does someone have this dump?? I don't have enough hardware to desolder the chip...

Lead
01-08-2003, 15:09
I doubt anyone will give you the flash dump for free.

Dave.W
01-08-2003, 17:49
If you read a DCT4 full flash straight from the IC, is it still encrypted?
What is the encryption actually doing; just protecting the file from view or compressing the file?
Am I correct in thinking DCTx is the type of algo used to encrypt/decrypt? There is a DCT (diverse cosine tangent) algo used in compression but all I find on that is image compression.
TIA

Lead
01-08-2003, 18:52
If you read the firmware directly from the IC, it should not be encrypted, I think. The CPU has to process decrypted code, so if it were encrypted physically in the flash, there would have to be some circuit that decrypts the code on the fly without the need for CPU intervention. There is a possibility that the flash data bus is permuted somehow or XORed by some value - remember the DCT3 NSM-5 (5210) with inverted address line 21 (address XORed by 0x200000). But this is too academic, I am not into DCT4, so you should rather ask someone else...
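
The inverted-address-line case Lead mentions is easy to undo on a dump once you know which line is wired wrong, and easy to brute-force when you do not. The following is an added example written for this thread, not code posted by Lead or anyone else here. It assumes a byte-wide flash, a pure address-bit inversion or permutation (no data-bus scrambling), and a known byte pattern at a known logical offset that can serve as a search marker; the 64 KiB image it tests on is constructed, not a real Nokia dump.

```python
"""Undo an inverted/permuted address line on a raw flash dump.

Added example for this thread; it is not code posted by Lead or anyone else
here. It models the case Lead mentions for the DCT3 NSM-5 (5210): address line
21 is inverted, so a dump read straight off the desoldered chip has its two
halves swapped relative to the image the CPU executes. Assumptions of mine, not
from the thread: a byte-wide flash, a pure address-bit permutation/inversion
(no data-bus scrambling), and a known byte pattern at a known logical offset
to use as a search marker.
"""
from __future__ import annotations


def physical_address(logical: int, addr_xor: int = 0,
                     addr_perm: dict[int, int] | None = None) -> int:
    """Map a logical (CPU-side) address to the physical (chip-side) one.

    addr_perm maps logical address bit -> physical address bit for swapped
    lines; bits not listed stay in place. addr_xor has one bit set per
    inverted line (0x200000 == A21, the 5210 case Lead describes).
    """
    phys = logical
    if addr_perm:
        phys = 0
        for bit in range(logical.bit_length()):
            if logical >> bit & 1:
                phys |= 1 << addr_perm.get(bit, bit)
    return phys ^ addr_xor


def unscramble_dump(dump: bytes, addr_xor: int = 0,
                    addr_perm: dict[int, int] | None = None) -> bytes:
    """Return the logical image: logical byte a is dump[physical_address(a)].

    Because XOR is an involution, the same call also *scrambles* a clean
    image, which is how self_test() builds its input.
    """
    size = len(dump)
    if size == 0 or size & (size - 1):
        raise ValueError("dump size must be a power of two")
    if addr_xor >= size:
        raise ValueError("inverted line lies outside the dump")
    out = bytearray(size)
    if not addr_perm:
        # Pure inversion: the map is an involution on aligned blocks whose
        # size is the lowest inverted line, so move whole blocks, not bytes.
        block = addr_xor & -addr_xor if addr_xor else size
        for i in range(size // block):
            src = (i ^ (addr_xor // block)) * block
            out[i * block:(i + 1) * block] = dump[src:src + block]
        return bytes(out)
    for a in range(size):
        out[a] = dump[physical_address(a, addr_xor, addr_perm)]
    return bytes(out)


def find_inverted_line(dump: bytes, marker: bytes, marker_offset: int = 0) -> int | None:
    """Brute-force which single address line, if any, is inverted.

    Returns the XOR mask that places `marker` at `marker_offset` in the
    recovered image (0 if the raw dump already matches), or None if no single
    inversion explains the dump. Assumption: you know some bytes that must sit
    at a fixed logical offset, e.g. a header string or a reset vector.
    """
    for bit in range(-1, len(dump).bit_length() - 1):
        mask = 0 if bit < 0 else 1 << bit
        candidate = bytes(dump[physical_address(marker_offset + k, mask)]
                          for k in range(len(marker)))
        if candidate == marker:
            return mask
    return None


def self_test() -> dict[str, bool]:
    """Constructed 64 KiB image (not a real dump) scrambled with A15 inverted."""
    image = bytearray(((i * 7 + 3) & 0xFF) for i in range(1 << 16))
    image[:8] = b"FLASHHDR"          # constructed marker at logical offset 0
    image = bytes(image)
    swapped = unscramble_dump(image, addr_xor=0x8000)      # simulate A15 inverted
    a0a1 = unscramble_dump(image, addr_perm={0: 1, 1: 0})  # simulate A0/A1 swapped
    return {
        "halves_swapped": swapped[:8] != b"FLASHHDR" and swapped[0x8000:0x8008] == b"FLASHHDR",
        "xor_recovers": unscramble_dump(swapped, addr_xor=0x8000) == image,
        "found_a15": find_inverted_line(swapped, b"FLASHHDR") == 0x8000,
        "clean_is_zero": find_inverted_line(image, b"FLASHHDR") == 0,
        "perm_recovers": unscramble_dump(a0a1, addr_perm={0: 1, 1: 0}) == image,
    }


if __name__ == "__main__":
    print(self_test())
```

For the 5210 case the call is simply `unscramble_dump(open("dump.bin", "rb").read(), addr_xor=0x200000)`; the block-swap path makes that two 2 MB copies rather than four million byte lookups.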

Dave.W
01-08-2003, 19:05
thanks for the reply, hope to see you on here more often!
best regards

Lead
01-08-2003, 19:08
I forgot to answer your remaining questions.

Why do they encrypt the firmware when sending it to the phone? Simply to complicate our work when analysing the firmware, creating partials, reverse-engineering algorithms, etc.

DCT - yes, it is a discrete cosine transform, but I doubt it has anything in common with Nokia DCT, except the acronym. The transform (in its 2D version) is commonly used for lossy image compression, not for lossless data encoding. A slightly better idea would be to use Fourier transforms or arithmetic transforms, but there are much better alternatives from cryptography, such as RSA or ElGamal...

Zanzamar
01-10-2003, 11:57
Don't waste your time desoldering the flash IC - the content is encrypted (decryption is done by some MCU peripheral on the memory bus).

junk
01-10-2003, 12:30
Oops.... very interesting... what peripheral can do this??? And what algo can be used? It seems to me that it's not difficult...

Dave.W
01-12-2003, 18:56
@lead: thanks, I think the type of algo is not so important but I would like to see it in flow chart form to help "see" how it works :)
@all: I have a feeling that the decryption is taking place in the COBBA IC...
This is a little off the main topic by now though :)

Zanzamar
01-13-2003, 00:19
@Dave.W: you are funny, man - "in COBBA IC" :) Did you ever open a DCT4 phone or read the service manual for it? There is no COBBA in DCT4 :) Maybe I was not very clear last time - decryption is done INSIDE the MCU (UPP).

@junk: if you can't imagine the implementation of a complex algo in hardware and think that any pure hardware encryption must be simple, you are wrong. Believe me - some algos like DES and RC4 implement much more naturally in HDL than in C++ and run much faster.

Rheda31
01-13-2003, 09:00
@All
I have a dream.
I'm thinking of new unlocking ways!!
Java could be an answer. I think it's possible to make an application in Java that you load onto your handset without any hardware.
Let me explain more... Imagine that you go to an unlocking website with your GSM phone and download a Java application which can directly unlock, or unlock by log (the application reads info, you make a connection to the server and afterwards send the code...).
What do you think about this?

rizapn
01-13-2003, 10:07
I don't think so.
(The current implementation of mobile) Java is very, very limited. *) It has no function to read/write the mobile phone's memory/flash area. Read (and especially write) access is very, very limited.
*) If the phone is locked, how can it connect to the server?

RizaPN

Dave.W
01-13-2003, 10:39
@Zanzamar
I am still talking about DCT3, friend :) I can only just about afford a DCT4 flasher and it doesn't even work on my computer, so I don't care for those phones to be honest (plus there is MUCH more I can still learn in DCT3...) :)
@Rheda31
I did read somewhere about the Java unlock "theory" but, as above, I think it was disproved due to the limitations of where the Java application can access inside the phone :( but you never know...

Zanzamar
01-13-2003, 11:44
There is nothing to decrypt in DCT3 - the flash is stored plain - no problem to desolder and read, but there are very good DCT3 flash readers around now - no problem at all :)

Dave.W
01-13-2003, 12:31
now you are the funny man :)
br

Dave.W
01-13-2003, 12:40
If the firmware in DCT3 is not encrypted, what is the DCT3 algo for?? I asked this above and got told it is to make the flash unreadable, now I'm told there is no such thing in DCT3??? Please..

Dave.W
01-13-2003, 17:27
Hi Nutzo, thanks for that. It was made out that "DCTx" was the type of encryption used...
This may seem like simple theory stuff to you guys but 99% of the rest of us don't even know what DCT stands for or is...
br

Salami1_1
01-13-2003, 19:25
Hehe
Well, I did not know what it exactly stands for but I knew what it meant :) so make it 90% :)
But Zanzamar is right, the flash in DCT-3 is stored in plain. If you are interested in cracking the DCT4 algo I do have some encrypted bootloaders for DCT-4 somewhere ;)
WBR
Salami1_1

Dave.W
01-14-2003, 12:19
Hi, thanks, I think I see it now. I also have some DCT4 loaders (from the griffen package I think..).
So DCTx is just the GENERATION (but I still don't see why Lead is telling me it is a "discrete cosine transform" which is a type of algo...)
Algos included within a generation are IMEI/SP/flash/FAID, all different things. I think when people on this board talk about the DCTx algo, they are talking about the flash algo, right? The sequence of reading/writing flash? IMEI/FAID/SP data algos would be called just that.
BTW nobody was really talking about DCT4, this topic title is just about UNLOCKING (not even NMP specific.)
Thanks for the replies anyway, I'm learning but still need more knowledge! :)

Dave.W
01-14-2003, 12:44
Originally posted by junk
One question to Lead:
Is firmwares for Nokia DCT4 phones are also crypted?
That was a new "topic" in this thread (read the first page, it is not the 3rd or 4th post..), then the talk moved to reading flash directly from the IC. I then asked about DCT3, but that's pretty unimportant.
I read Lead's comment again and now I see, he is saying that YES DCT does stand for that but NO it is not the same as used in Nokia phones. You are correct, he should have just said no :)

Dave.W
01-14-2003, 12:47
Please see this from my view, there are little/no documents or help on this subject. I have to look myself for what DCT stands for, I find on the net it is "discrete..." and ask Lead to confirm. His answer basically says yes.
I do appreciate you trying to explain this to me though.

Lead
01-14-2003, 12:47
@Dave: Discrete cosine transform is an algorithm that is used for example in JPG image compression. Specifically, in the JPG compression application it takes 8x8 matrices of numbers representing color components of image pixels and converts them into 8x8 matrices of other numbers, which are then further processed (stripped of the less important components and then compressed by another algorithm).

http://www.cs.ualberta.ca/~jag/courses/ImProc/lectures2001/lec26/Lec26jpegCompr.PDF

@Nutzo: True. :)

Dave.W
01-14-2003, 12:51
@lead, I know that! I have downloaded and read MANY docs on discrete cosine transform thinking it would be of some help in NMP..

Lead
01-14-2003, 13:06
@Dave: Rather study cryptography and reverse engineering than computer graphics. :D

Dave.W
01-15-2003, 10:27
Yeah, thanks for the information, hopefully that will make more sense! :)
Do you please have any links/files to start on this?

hope
01-26-2004, 21:49
Thank you Lead. You are a GURU.

I think your advice will help me. But how can I get info on cryptography and reverse engineering?

HONGXING
06-28-2004, 14:07
DCT = Digital Core Technology

CyberKareca
06-29-2004, 16:14
DCT = Digital Core Technology

Really?!?!? :p

BR

Descore
06-29-2004, 20:32
There is a possibility to read the contents of the flash chip without desoldering the chip. Most phones have JTAG test points where you can attach an ICE box and then use it to read out the flash chip (and even better, you can use it to break the phone while its firmware is running and dump the memory so you can figure out where the important things are stored).

For ARM chips you can use TI Code Composer with a JTAG box for debugging and single stepping, and for other chips you can use Lauterbach. Both are pretty expensive if you can't borrow one from work ;)

But it's the only solution if you are very serious about firmware hacking.

Finding the JTAG test points can be tricky, but a datasheet of the CPU will tell you which pins, so with some luck you can get an idea of the general area.

Descore

deepakrathore
09-17-2004, 08:25
Thanks Lead, you are a great master. Please give me a link related to how the program works and how to design flashing SW. Thanks..................................

tonerio
09-22-2004, 22:45
Lead, you are the man, yes......

tonerio
09-22-2004, 23:07
I need a job, somebody help me. TONERIO ekeneson2002@yahoo.com 2348023152640 08023152640 Thanks greatly.

Painted
10-01-2004, 14:37
Hello friends... this is my first time at gsm-forum. I hope to get help from here and I'm so glad to be a member of it.
I just want your help with unlocking my Vodafone 801SA. I can't use it here in the Philippines. It's from Japan. Would anyone want to help me with this problem? There are few people here who are using the same GSM phone. It's very hard to find a technician here for this kind of phone. I knew one person but unluckily he's gone to the U.S. Please help me, please..

Medusa Lancer
10-07-2004, 17:35
Painted: Wrong section

Lead: Can you give us a link to a doc to begin with, and all the hardware needed to begin?

Regards
Medusa.L

Tr0nAd0r
10-21-2004, 20:57
Can anyone give me info about the AVR processors and how to disassemble a SonyEricsson AVR file? (IDA doesn't support this processor.)

jide
10-24-2004, 18:30
Try to learn how to be a programmer first, then you will be able to program software.

trix99
11-02-2004, 21:17
lead is lead

lead is the leadER

good info bro :)

trinchera
11-25-2004, 23:35
How to send data to unlock, read, write the phone?
I am a programmer, how do I do that??....

trinchera
11-25-2004, 23:55
What do I send to the port???????????? What information???

chisti_2k
11-26-2004, 19:40
What language is used for writing mobile phone software?

Tr0nAd0r
11-27-2004, 17:41
@Lead what can I use to disassemble an AVR file??

trinchera
11-27-2004, 19:27
I use Delphi. I need code or instructions ,,,,,, for constructing the software.

gsmVolume
11-29-2004, 10:11
@trinchera

Programming is the easy part of making unlock software, BUT getting the know-how of how to unlock a given phone is 99% more important than knowing programming.

trinchera
12-02-2004, 23:49
@gsmVolume......... Do you know???????????????????????????????????????
how to make software to unlock, read or write??

HUIER
12-10-2004, 06:45
I have some source and I'm very interested in programming software,
especially for mobiles. You can contact me, MSN: lovegsm@hotmail.com

saeed-gsm
12-11-2004, 04:40
Can I write a Samsung unlock program with you?

yckd
12-12-2004, 11:31
I am a phone repairer. I think the phone program is made of three parts in the Samsung phone. The SIM lock is in the EEPROM. The unlock system is in some section of the address space. So if we want to unlock the phone, we must reset these data in this section. In other words, we should overwrite the lock data with the unlock data.
I now have a Samsung E100 that is locked, but I can't unlock it because I don't have a tool to operate on it. I'm expecting you could have great success.

lmt
01-22-2005, 17:01
Thank you lead for the info .

heheh..

as11
01-30-2005, 19:57
Give us a sign when you obtain this knowledge. ;-)

.:Morpheus:.
10-02-2005, 23:40
respect lead ;)


BestRegards,
Morfeus

watusi2
10-28-2005, 07:54
Maybe you can get info here.....

.::Unlocker.::
10-28-2005, 08:59
I got that CrossWorks AVR 1.2 compiler (C compiler).
Now what is my next step? I have IDA too. And a cable.

.::Unlocker.::
10-28-2005, 10:06
Anybody going to help me?

rash.m2k
11-05-2005, 15:52
Hi,

I AM VERY VERY interested in this stuff. I have access to a 100MHz DSO oscilloscope - which is mine!!!! And also an ARM emulator - I think a Windows one is available on the ARM website

Maybe you can get info here.....

SO difficult to understand.

Anyway good luck you guys. And find a way to unlock the 6680!

vicbush02
11-29-2005, 14:34
This guy called Lead is indeed a genius in the GSM field. I would like to be his apprentice if he doesn't mind. Please Lead, could you mail me your email, as mine is vicbush02@yahoo.com. I will be grateful if you did, as I want to learn more from you. Thanks. Regards from Victor Bush

ssa
11-29-2005, 20:09
If you want to unlock Samsung you need to know the language of the phone, the test mode commands etc.

Take the Samsung Trident..
The phone communicates at 38400 baud.

The command to put the phone into test mode is: .TestModeOn.
hex string = 00 54 65 73 74 4D 6F 64 65 4F 6E 16

the phone responds with: ..TestModeOn: DONE.

Then you set the personalisation: .SetMspersonal,2,0.
hex string = 00 53 65 74 4D 73 70 65 72 73 6F 6E 61 6C 2C 32 2C 30 16

Phone respond = ..SetMspersonal: DONE.

Now you have to set the lock levels of the phone.
What you do is send:
.SetMmiNVMContents,LOCKPWD,48,48,48,48,48,48,48,48,0.

hex string = 00 53 65 74 4D 6D 69 4E 56 4D 43 6F 6E 74 65 6E 74 73 2C 4C 4F

The response is: SetMniNVMContens: DONE

Et voilà, your Trident phone is unlocked..

this is working on
D100, D410, D418
E105, E400, E600, E710, E715
P100, P108, P400, P408
Q10x, Q200, Q300, Q400, Q605
S10x, S200, S300, S300M, S308
V100, V200, V205, V208
X400, X430, X450

If you want to unlock a Trident C200 Samsung you need to change something.. but I'm not giving everything away ;) If you're a good programmer and know things about serial communication you'll find it out :rolleyes:
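
The framing in ssa's hex strings is simple enough to build and check mechanically: a 0x00 lead byte, the ASCII command, a 0x16 end byte. The following is an added example written for this thread, not code from ssa's post or from any Samsung tool. It assumes the phone's reply uses the same 0x00 ... 0x16 framing (ssa shows replies only as dotted text), that the port object behaves like pyserial's Serial (write()/read()), and it uses a FakePhone class, constructed for the example, in place of a real handset so the exchange runs offline. The command strings themselves are the three ssa gives.

```python
"""Frame and drive Samsung 'Trident' test-mode commands as ssa lays them out.

Added example; this is not code from ssa's post or from any Samsung tool. The
framing is read off the hex strings ssa gives: a 0x00 lead byte, the ASCII
command, a 0x16 end byte, on a serial link at 38400 baud. Assumptions of mine,
not stated in the post: the phone's reply uses the same 0x00 ... 0x16 framing,
the port behaves like pyserial's Serial (write()/read()), and FakePhone only
stands in for a real handset so the code runs offline.
"""
from __future__ import annotations

FRAME_START = 0x00
FRAME_END = 0x16
BAUD = 38400  # from ssa's post; a real port is serial.Serial(dev, BAUD, timeout=1)

# The three-step sequence ssa describes. In the LOCKPWD command the 48s are
# decimal ASCII codes: 48 == ord("0"), so the lock password becomes "00000000".
UNLOCK_SEQUENCE = (
    "TestModeOn",
    "SetMspersonal,2,0",
    "SetMmiNVMContents,LOCKPWD,48,48,48,48,48,48,48,48,0",
)


def frame_command(cmd: str) -> bytes:
    """0x00 + ASCII command + 0x16, exactly as the posted hex strings show."""
    body = cmd.encode("ascii")
    if FRAME_START in body or FRAME_END in body:
        raise ValueError("command text would break framing")
    return bytes([FRAME_START]) + body + bytes([FRAME_END])


def decode_reply(raw: bytes) -> str:
    """Strip framing from one reply. Leading non-printables (the '..' in ssa's
    transcript) are dropped whatever the phone actually puts there."""
    if not raw or raw[-1] != FRAME_END:
        raise ValueError("reply is not a complete frame")
    return raw[:-1].lstrip(bytes(range(0x20))).decode("ascii", errors="replace")


def verb(cmd: str) -> str:
    """Command name without its comma-separated arguments."""
    return cmd.split(",", 1)[0]


def expect_done(cmd: str, reply: str) -> bool:
    """The phone acknowledges each command as '<Verb>: DONE' per ssa's post."""
    return reply == f"{verb(cmd)}: DONE"


def send_command(port, cmd: str) -> str:
    """Write one frame, then read byte by byte until the 0x16 end byte arrives."""
    port.write(frame_command(cmd))
    buf = bytearray()
    while True:
        chunk = port.read(1)
        if not chunk:
            raise TimeoutError(f"no reply to {cmd!r}")
        buf += chunk
        if chunk[0] == FRAME_END:
            return decode_reply(bytes(buf))


def run_sequence(port, commands=UNLOCK_SEQUENCE) -> list[tuple[str, str, bool]]:
    """Send the commands in order, stopping at the first one not acknowledged."""
    log = []
    for cmd in commands:
        reply = send_command(port, cmd)
        ok = expect_done(cmd, reply)
        log.append((cmd, reply, ok))
        if not ok:
            break
    return log


class FakePhone:
    """Offline stand-in for the serial port: acknowledges well-formed frames
    with '<Verb>: DONE' and answers 'ERROR' to anything else. Constructed for
    this example; a real handset may differ in detail."""

    def __init__(self) -> None:
        self._inbox = bytearray()
        self._outbox = bytearray()

    def write(self, data: bytes) -> int:
        self._inbox += data
        while FRAME_END in self._inbox:
            end = self._inbox.index(FRAME_END)
            frame, self._inbox = bytes(self._inbox[:end + 1]), self._inbox[end + 1:]
            if len(frame) > 2 and frame[0] == FRAME_START:
                reply = verb(frame[1:-1].decode("ascii", errors="replace")) + ": DONE"
            else:
                reply = "ERROR"
            self._outbox += bytes([FRAME_START]) + reply.encode("ascii") + bytes([FRAME_END])
        return len(data)

    def read(self, size: int = 1) -> bytes:
        out, self._outbox = bytes(self._outbox[:size]), self._outbox[size:]
        return out


if __name__ == "__main__":
    for cmd, reply, ok in run_sequence(FakePhone()):
        print(f"{frame_command(cmd).hex(' ')}  ->  {reply}  {'ok' if ok else 'FAILED'}")
```

Against a real phone you would pass a pyserial port instead of FakePhone(); everything else stays the same, and the first reply that is not "<Verb>: DONE" stops the sequence before a half-applied personalisation is left behind.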

Tr0nAd0r
06-11-2006, 09:53
A question, in Motorola P2K phones where is the IMEI located??

I'm working with some V600 flashes and I haven't found it in the Code Groups:


RAM Downloader
Flash Code
Flex
DSP
LP
RSA


Any help??

dest
06-14-2006, 21:57
Motorola are very hard to disassemble!

How did you know that these are the CGs of the phone? You are missing PDS!

Tr0nAd0r
06-15-2006, 23:31
Motorola are very hard to disassemble!

How did you know that these are the CGs of the phone? You are missing PDS!

Yes I know, I need to disassemble the binary firmware,,

Does anyone know which processor I must choose in IDA to disassemble it??


WBR

Dead Soul
06-28-2006, 18:44
You guys are just geniuses!!!!

I'm so into digital electronics and programming..... I'm just waiting for my time to come to go and study this stuff.... I just wanted to know HOW DO YOU PEOPLE KNOW OR UNDERSTAND THESE THEORIES and the logic behind processors, ICs... ??!!!

Did you people study electronics??? Or??? Have a degree??? Like for example how Pentium makes its processors!!! ??? They say you can have over 2 million transistors in a chip (microscopic)... does anyone have a link which can show me the microscopic TRANSISTOR in real time??? in magnified view?? wowww

HPDebug
06-28-2006, 20:00
It's been a while..
Please continue this thread..
Anyone have libraries+docs on defeating these algos?

gsmxpert
07-05-2006, 13:04
Can somebody help me with these:-

Example----- PM---- permanent memory

MCU---?
PPM---?
CNT---?
PMM--?


All these abbreviated terms.

HAITEKGSM
07-05-2006, 15:38
Can somebody help me with these:-

Example----- PM---- permanent memory

MCU---?
PPM---?
CNT---?
PMM--?


All these abbreviated terms.


Hi
I think
MCU > main central unit
CNT > content
PMM > permanently mass memory

:) :confused:

piotrek11
07-20-2006, 04:02
hi,

MCU (Master Control Unit, main flash) - contains the main operating software

PPM (Post Programmable Memory) - contains languages, dictionaries, menus,
ringtones, etc.

CNT (standard multimedia files in phone)

PMM (permanent memory file) - EEPROM (contains memory that does not always change when flashing and contains strings for LCD, network, battery etc.)

look into some box manuals for more;

--
best regards,
piotrek11

ekapwt
07-21-2006, 04:01
Why does a flasher box need a microprocessor like an ATmega, PIC etc.....? Is it just for box protection or is it needed for doing something??? ... Sorry for my bad English.

Zaihtam
07-21-2006, 19:02
If a microcontroller is used, then you have more control with it, such as the protection scheme you mentioned. Mostly they use it as the interface to the phone device. It depends on the creator's creativity how they use a microcontroller in their flasher box.

mBoxRU
07-22-2006, 05:00
Free sample for unlocking D820: if you need more - welcome, ICQ 328-035-551 (exchange)


unsigned char code D820[17]={0xAA,0x83, 0x0C, 0x00, 0x0C, 0x00, 0x13, 0x00,
0x26, 0x00, 0xA8, 0x26, 0x02, 0x00, 0x00, 0x00,
0x5C};


D800: array[1..12] of byte = (
$AA, $83, $10, $00, $10, $00, $14, $00, $25, $00, $A0, $25);
D500_unl : array[1..17] of byte =(
$AA, $83, $0C, $00, $0C, $00, $14, $00, $25, $00, $A8, $25, $04, $00, $00, $00, $5C);
:-)

NoName®
08-10-2006, 00:02
Free sample for unlocking D820: if you need more - welcome, ICQ 328-035-551 (exchange)


unsigned char code D820[17]={0xAA,0x83, 0x0C, 0x00, 0x0C, 0x00, 0x13, 0x00,
0x26, 0x00, 0xA8, 0x26, 0x02, 0x00, 0x00, 0x00,
0x5C};


D800: array[1..12] of byte = (
$AA, $83, $10, $00, $10, $00, $14, $00, $25, $00, $A0, $25);
D500_unl : array[1..17] of byte =(
$AA, $83, $0C, $00, $0C, $00, $14, $00, $25, $00, $A8, $25, $04, $00, $00, $00, $5C);
:-)



As I understood it - these sh... commands are sent to the terminal by an unlock clip? In TAT mode? I'm not a guru in Sams phones...

Jocke
09-04-2006, 09:59
Well, writing a program to read out all the codes from the Samsung Z series was easy.. took me about 6 hours to complete all models. Now I can read out all the codes, unlock by hand, change the start-up text, make full resets and so on.
But I have a few problems...

1. What is the command for reading the IMEI through USB?
2. When I want to write back the unlock code, the last bytes (except the end byte) are some kind of checksum, how do I calculate it?

// Jocke

Tr0nAd0r
09-07-2006, 02:33
Well, writing a program to read out all the codes from the Samsung Z series was easy.. took me about 6 hours to complete all models. Now I can read out all the codes, unlock by hand, change the start-up text, make full resets and so on.
But I have a few problems...

1. What is the command for reading the IMEI through USB?
2. When I want to write back the unlock code, the last bytes (except the end byte) are some kind of checksum, how do I calculate it?

// Jocke

You will post sources :) :) :)

Jocke
09-07-2006, 12:22
You will post sources :) :) :)

So I can find my application recompiled in 100 different versions where people take all the credit as their own work and then sell it to others... I don't think so... But I can give you a small sample....

Procedure ResetUserCode();
Var
iCnt1, iCnt2 : Integer;
sResetCmd : String;
begin
COM := 115200;
COM.Port := ...;
and so on.....
end;

.:hack3r2k:.
09-07-2006, 18:28
Well, writing a program to read out all the codes from the Samsung Z series was easy.. took me about 6 hours to complete all models. Now I can read out all the codes, unlock by hand, change the start-up text, make full resets and so on.
But I have a few problems...

1. What is the command for reading the IMEI through USB?
2. When I want to write back the unlock code, the last bytes (except the end byte) are some kind of checksum, how do I calculate it?

// Jocke


Get IDA and find out how they are made... also this is stupid work. I would like to see how you found all those commands without sniffing factory softs. :D

Br;)

Jocke
09-07-2006, 19:44
Well. As Motorola also uses Qualcomm... and I have lots of documentation on that.. all commands... so it's not so hard with 3G.....

ssa
12-07-2006, 12:30
The last 3 bytes in hex are the CRC + end string code.

The CRC is calculated with the FCS16 CRC algo, with a custom hex table ;)
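
FCS16 is the CRC-16 that PPP uses as its frame check sequence (RFC 1662): reflected polynomial 0x8408 (0x1021 bit-reversed), initial value 0xFFFF, final complement, check value 0x906E for "123456789". The following is an added example written for this thread, not code posted by ssa, Jocke or anyone else. It generates the table from the polynomial, so that ssa's "custom table" is just make_table() with another polynomial (or a hand-edited table that no polynomial reproduces), and it verifies Jocke's "last bytes are a checksum" layout. The byte order of the FCS (little-endian as in PPP), which bytes it covers, the end byte and the sample payload are all my assumptions, not facts from the thread; recover_poly() shows how to pin the polynomial down from frames sniffed off a working tool.

```python
"""FCS16 (the CRC-16 PPP calls FCS, RFC 1662) with a generated table, plus the
'custom table' variant ssa hints at and a check of Jocke's 'last bytes are a
checksum' observation.

Added example for this thread, not code posted by ssa, Jocke or anyone else.
Known facts: FCS16 is CRC-16 with reflected polynomial 0x8408 (0x1021 bit-
reversed), init 0xFFFF, final complement, check value 0x906E for b"123456789".
Assumptions of mine, not from the thread: which bytes of a Samsung frame the
CRC covers, its byte order (little-endian as in PPP), the end byte, and the
sample payload, which is constructed, not sniffed.
"""
from __future__ import annotations
from typing import Iterable, Sequence

FCS16_POLY = 0x8408  # x^16 + x^12 + x^5 + 1 in LSB-first (reflected) form


def make_table(poly: int = FCS16_POLY) -> tuple[int, ...]:
    """Build the 256-entry table for a reflected CRC-16 polynomial.
    A 'custom table' in ssa's sense is this with another poly, or a table
    that was hand-edited, which no polynomial reproduces."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return tuple(table)


FCS16_TABLE = make_table()


def crc16_reflected(data: bytes, table: Sequence[int] = FCS16_TABLE,
                    init: int = 0xFFFF, xorout: int = 0xFFFF) -> int:
    """Table-driven reflected CRC-16. Defaults give FCS16; e.g.
    make_table(0xA001) with init=xorout=0 gives CRC-16/ARC instead."""
    crc = init
    for b in data:
        crc = (crc >> 8) ^ table[(crc ^ b) & 0xFF]
    return crc ^ xorout


def fcs16(data: bytes) -> int:
    return crc16_reflected(data)


def fcs16_bitwise(data: bytes, poly: int = FCS16_POLY) -> int:
    """Bit-at-a-time reference: proves the table and brute-forces polys."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def append_fcs(payload: bytes, end_byte: int, table=FCS16_TABLE) -> bytes:
    """payload + 2-byte FCS + end byte: the layout Jocke and ssa describe.
    Little-endian FCS is the PPP convention and an assumption here."""
    return payload + crc16_reflected(payload, table).to_bytes(2, "little") + bytes([end_byte])


def check_fcs(frame: bytes, table=FCS16_TABLE) -> bool:
    """Verify a frame whose last three bytes are FCS (LE) + end byte."""
    if len(frame) < 3:
        return False
    payload, fcs_bytes = frame[:-3], frame[-3:-1]
    return crc16_reflected(payload, table) == int.from_bytes(fcs_bytes, "little")


def recover_poly(samples: Iterable[tuple[bytes, int]],
                 candidates: Iterable[int] = range(0x8000, 0x10000)) -> list[int]:
    """Given (payload, observed FCS) pairs sniffed from a working tool, return
    every reflected polynomial (standard init/xorout) that reproduces all of
    them. Two or three frames usually leave exactly one; an empty result means
    the table is not polynomial-generated, or init/xorout differ as well."""
    samples = list(samples)
    return [p for p in candidates
            if all(fcs16_bitwise(payload, p) == fcs for payload, fcs in samples)]


if __name__ == "__main__":
    print(hex(fcs16(b"123456789")))  # 0x906e, the published check value
    frame = append_fcs(b"TestFrame\x01\x02", 0x16)  # constructed sample
    print(frame.hex(" "), check_fcs(frame))
    print([hex(p) for p in recover_poly([(frame[:-3], fcs16(frame[:-3]))],
                                        candidates=[0xA001, 0x8408, 0xC002])])
```

With real frames, feed recover_poly() two or three (payload, FCS) pairs and the default candidate range; if nothing matches under the standard 0xFFFF init and final complement, the "custom table" is not a polynomial variant and you are back to dumping it out of the tool with IDA, as hack3r2k suggests.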

NoName®
02-11-2007, 17:48
with custom hex table ;)

Hmm... Do you think so ?

.:hack3r2k:.
02-12-2007, 02:08
Hmm... Do you think so ?


He is right in what he tells :)

Br;)

Dave.W
02-12-2007, 09:40
Maybe you need a custom table?

Maybe he doesn't want his source compiled with your name on it

:D:D:D:D:D

ralowiczlive
02-13-2007, 11:51
Hi
This is my first post. I have been looking for someone who is interested in writing a program to unlock SonyEricsson GC83 PCMCIA cards. What is the chance that it will be your next project?