01-08-2005, 23:08 | #1 (permalink) |
Freak Poster Join Date: Feb 2001
Posts: 213
Member: 3354 Status: Offline Thanks Meter: 3,948 |

Flash & Uem Imei

For those who want to play and patch DCT4 phones...

There is a piece of a more than 100 MB listing of the 8310 DCT4 phone that I disassembled a long time ago (2001-2002). Since I'm not interested anymore...

Hints:
01000000 plain FLASH base addr
09000000 cipher FLASH base addr

There are at least 3 ways to decrypt<->encrypt DCT4 FLASH images.

And there it is...

###########################################
; Get_IMEI
###########################################
;r0 = dest
;RET r0 = status; 1=OK
;If IMEI is BAD dest will be filled with FF,FF,FF,.... ("?????....")
002B2E2C: B5 30        PUSH (R4,R5,LR)
002B2E2E: B0 82        SUB SP,#0008
;==========================================
; get IMEI from flash
002B2E30: 1C 04        ADD R4,R0,#0          ;r0 = dest
002B2E32: 21 0D        MOV R1,#0D            ;offset
002B2E34: 22 10        MOV R2,#10            ;size
002B2E36: F0 00 F9 AD  CALL 002B3194         ;Get_secure_data_from_FLASH (GET IMEI)
002B2E3A: 1C 05        ADD R5,R0,#0
002B2E3C: 2D 01        CMP R5,#01
002B2E3E: D1 1A        BNE 002B2E76          ;jmp if IMEI FLASH is NOT VALID!
;==========================================
; get IMEI from UEM
002B2E40: 46 68        MOV R0,SP             ;r0 = dest (SP_LOC[8])
002B2E42: F0 00 F9 DF  CALL 002B3204         ;READ_UEM_IMEI r0 = dest
002B2E46: 1C 05        ADD R5,R0,#0          ;r5 = status
002B2E48: 2D 01        CMP R5,#01
002B2E4A: D1 0B        BNE 002B2E64          ;jmp if UEM IMEI is zero (00,00,00,...)
;==========================================
; compare UEM & FLASH IMEI
002B2E4C: 46 69        MOV R1,SP             ;r1=UEM IMEI, r4=FLASH IMEI
002B2E4E: 20 00        MOV R0,#00
002B2E50: 5D 03        LDRB R3,[R0+R4]
002B2E52: 78 0A        LDRB R2,[R1+#00]
002B2E54: 42 93        CMP R3,R2
002B2E56: D1 08        BNE 002B2E6A          ;jmp if there is difference!
002B2E58: 31 01        ADD R1,#01
002B2E5A: 1C 40        ADD R0,R0,#1
002B2E5C: 04 00        LSL R0,R0,16
002B2E5E: 0C 00        LSR R0,R0,16
002B2E60: 28 08        CMP R0,#08
002B2E62: DB F5        BLT 002B2E50
;==========================================
002B2E64: 2D 00        CMP R5,#00
002B2E66: D0 01        BEQ 002B2E6C
002B2E68: E0 05        JMP 002B2E76
002B2E6A: 25 00        MOV R5,#00
002B2E6C: 20 03        MOV R0,#03
002B2E6E: F0 00 F8 67  CALL 002B2F40         ;Get_sys_flag
002B2E72: 28 02        CMP R0,#02
002B2E74: D0 09        BEQ 002B2E8A
002B2E76: 2D 01        CMP R5,#01
002B2E78: D0 07        BEQ 002B2E8A
;==========================================
; fill dest with "FF" if IMEI is BAD!
002B2E7A: 21 FF        MOV R1,#FF
002B2E7C: 20 00        MOV R0,#00
002B2E7E: 55 01        STRB R1,[R0+R4]
002B2E80: 1C 40        ADD R0,R0,#1
002B2E82: 04 00        LSL R0,R0,16
002B2E84: 0C 00        LSR R0,R0,16
002B2E86: 28 10        CMP R0,#10
002B2E88: DB F9        BLT 002B2E7E
002B2E8A: 20 01        MOV R0,#01
002B2E8C: B0 02        ADD SP,#0008
002B2E8E: BD 30        RET (R4,R5)

########################################
Get_secure_data_from_FLASH
########################################
;r0 = dest
;r1 = offset in FLASH secure data block
;r2 = size in bytes
;RET r0 = status ;1=OK (in dest is valid data), else ERROR (dest is filled by FF...)
;=======================================
002B3194: B5 F0        PUSH (R4,R5,R6,R7,LR)
002B3196: B0 81        SUB SP,#0004
002B3198: 1C 14        ADD R4,R2,#0
002B319A: 91 00        STR R1,[SP+#0000]     ;save PARAM R1 (offset)
002B319C: 1C 06        ADD R6,R0,#0
;=======================================
;copy SECURE FLASH cipher block of 28h bytes from FLASH 900003ah to temp RAM 43d14h
002B319E: 4D 5B        LDR R5,[PC+#016C]     ;[002B330C]=00043D14 ;r5 = temp buf
002B31A0: 49 5E        LDR R1,[PC+#0178]     ;[002B331C]=0900003A
002B31A2: 1C 28        ADD R0,R5,#0
002B31A4: 22 28        MOV R2,#28
002B31A6: 4B 5C        LDR R3,[PC+#0170]     ;[002B3318]=00043FD0
002B31A8: 68 1B        LDR R3,[R3+#00]       ;=840001
002B31AA: 46 FE        MOV LR,PC
002B31AC: 47 18        BX R3                 ;call 840001 (ROM_SEC__COPY_MEM r0=dest r1=src r2=size)
;=======================================
;decode SECURE FLASH cipher block
002B31AE: 1C 28        ADD R0,R5,#0          ;r0,r1 = src,dst
002B31B0: 1C 29        ADD R1,R5,#0
002B31B2: 22 28        MOV R2,#28            ;size
002B31B4: 23 20        MOV R3,#20            ;decryption mode
002B31B6: F7 FF FF 64  CALL 002B3082         ;DECRYPT_DATA
002B31BA: 1C 07        ADD R7,R0,#0          ;r7 = decrypt status
;=======================================
; calc checksum of decrypted SECURE FLASH block and test if it is correct
002B31BC: 1C 28        ADD R0,R5,#0          ;r0 = src
002B31BE: 21 26        MOV R1,#26            ;size
002B31C0: F7 FF FF 84  CALL 002B30CC         ;CALC_SUM (ret r0=chk)
002B31C4: 21 26        MOV R1,#26
002B31C6: 5D 49        LDRB R1,[R1+R5]
002B31C8: 02 0A        LSL R2,R1,8
002B31CA: 21 27        MOV R1,#27
002B31CC: 5D 49        LDRB R1,[R1+R5]
002B31CE: 43 11        ORR R1,R2             ;r1 = chk from SECURE FLASH block
002B31D0: 42 88        CMP R0,R1
002B31D2: D1 0A        BNE 002B31EA          ;jmp if checksum is BAD!
002B31D4: 2F 01        CMP R7,#01
002B31D6: D1 0D        BNE 002B31F4          ;jmp if decrypt status is BAD!
;=======================================
; copy from SECURE FLASH decrypted block offset*size to dest (for IMEI offset=dh,size=10h)
002B31D8: 4B 4F        LDR R3,[PC+#013C]     ;[002B3318]=00043FD0
002B31DA: 98 00        LDR R0,[SP+#0000]     ;PARAM R1 (offset)
002B31DC: 19 41        ADD R1,R0,R5          ;r1 = temp_buf+offset
002B31DE: 1C 30        ADD R0,R6,#0          ;r0 = PARAM R0 (dest)
002B31E0: 1C 22        ADD R2,R4,#0          ;r2 = PARAM R2 (size)
002B31E2: 68 1B        LDR R3,[R3+#00]       ;=840001
002B31E4: 46 FE        MOV LR,PC
002B31E6: 47 18        BX R3                 ;call 840001 (ROM_SEC__COPY_MEM r0=dest r1=src r2=size)
002B31E8: E0 04        JMP 002B31F4
;=======================================
; If FLASH IMEI has any error dest will be filled with "FF".....
002B31EA: 1C 22        ADD R2,R4,#0          ;r2 = PARAM R2 (size)
002B31EC: 1C 30        ADD R0,R6,#0          ;r0 = PARAM R0 (dest)
002B31EE: 21 FF        MOV R1,#FF            ;r1 = fill value
002B31F0: F1 86 FE 0C  CALL 00439E0C         ;FILL_MEM
;=======================================
; fill temp_buf to make HACKING harder
002B31F4: 1C 28        ADD R0,R5,#0          ;r0 = temp_buf
002B31F6: 21 FF        MOV R1,#FF            ;r1 = fill value
002B31F8: 22 28        MOV R2,#28            ;size
002B31FA: F1 86 FE 07  CALL 00439E0C         ;FILL_MEM
002B31FE: 1C 38        ADD R0,R7,#0
002B3200: B0 01        ADD SP,#0004
002B3202: BD F0        RET (R4,R5,R6,R7)

;************************************************
;################################################
; READ_UEM_IMEI
;################################################
;r0 = dest
;RET r0 = status; 1=IMEI is not zero (00,00,00,....)
002B3204: B5 F0        PUSH (R4,R5,R6,R7,LR)
002B3206: 1C 04        ADD R4,R0,#0
002B3208: 26 04        MOV R6,#04            ;read 4 registers
002B320A: 4D 48        LDR R5,[PC+#0120]     ;[002B332C]=014AE414 ;IMEI reg:mask table (1b,1c,1d,1e, mask=ffff)
002B320C: 27 00        MOV R7,#00
002B320E: 68 28        LDR R0,[R5+#00]       ;r0 = reg:mask
002B3210: F0 01 FD 99  CALL 002B4D46         ;READ_UEM_REG
002B3214: 04 00        LSL R0,R0,16          ;r0 = reg value
002B3216: 0C 00        LSR R0,R0,16
002B3218: 2F 00        CMP R7,#00
002B321A: D1 02        BNE 002B3222
002B321C: 28 00        CMP R0,#00
002B321E: D0 00        BEQ 002B3222
002B3220: 27 01        MOV R7,#01
002B3222: 0A 01        LSR R1,R0,8
002B3224: 70 21        STRB R1,[R4+#00]      ;wr reg value H to dest
002B3226: 34 01        ADD R4,#01
002B3228: 70 20        STRB R0,[R4+#00]      ;wr reg value L to dest
002B322A: 34 01        ADD R4,#01
002B322C: 35 04        ADD R5,#04
002B322E: 3E 01        SUB R6,#01
002B3230: D1 ED        BNE 002B320E
002B3232: 1C 38        ADD R0,R7,#0
002B3234: BD F0        RET (R4,R5,R6,R7)
;************************************************
004AE414: 00 1B        ;IMEI UEM TABLE
004AE416: FF FF
004AE418: 00 1C
004AE41A: FF FF
004AE41C: 00 1D
004AE41E: FF FF
004AE420: 00 1E
004AE422: FF FF
;************************************************

B.R. Dejan Kaljevic

Last edited by Dejan Kaljevic; 01-08-2005 at 23:19. |
The Following 6 Users Say Thank You to Dejan Kaljevic For This Useful Post: |
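The three routines in the listing above, re-expressed as a C model so the decision logic can be read and exercised in one place. This is an added example, not Dejan's code and not Nokia firmware; it follows the control flow of Get_IMEI, Get_secure_data_from_FLASH and READ_UEM_IMEI as the listing shows it and nothing more. Assumptions: DECRYPT_DATA (002B3082) and CALC_SUM (002B30CC) are not in the listing, so the secure block is taken as already decrypted with its status passed in, and a plain 16-bit byte sum stands in for the checksum; the listing does not say what system flag 3 is, so Get_sys_flag(3) is a parameter; the secure block contents, the IMEI field bytes and the UEM register values are constructed for the demo. The names `run_case` and `self_test` are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEC_BLOCK_LEN 0x28   /* cipher block copied from FLASH 0900003A */
#define SUM_LEN       0x26   /* bytes covered by the checksum stored at 26h,27h */
#define IMEI_OFFSET   0x0D   /* Get_IMEI passes offset 0Dh, size 10h */
#define IMEI_LEN      0x10
#define UEM_REGS      4      /* UEM registers 1Bh..1Eh, 16 bits each */
/* ASSUMPTION: CALC_SUM (002B30CC) is not in the listing; a 16-bit byte sum stands in. */
static uint16_t calc_sum(const uint8_t *p, size_t n)
{
    uint16_t s = 0;
    for (size_t i = 0; i < n; i++) s = (uint16_t)(s + p[i]);
    return s;
}

/* Model of Get_secure_data_from_FLASH (002B3194). DECRYPT_DATA is not in the listing, so
 * `block` is taken as already decrypted and `decrypt_ok` is its status (R7), which is returned. */
static int get_secure_data(uint8_t *dest, const uint8_t *block, int decrypt_ok,
                           size_t offset, size_t size)
{
    uint8_t tmp[SEC_BLOCK_LEN];
    memcpy(tmp, block, SEC_BLOCK_LEN);                    /* ROM_SEC__COPY_MEM to temp buffer */
    uint16_t stored = (uint16_t)((tmp[0x26] << 8) | tmp[0x27]);
    if (calc_sum(tmp, SUM_LEN) != stored)
        memset(dest, 0xFF, size);                         /* checksum BAD: FILL_MEM dest with FF */
    else if (decrypt_ok == 1)
        memcpy(dest, tmp + offset, size);                 /* both checks OK: copy the field */
    /* checksum OK but decrypt status BAD: dest is left untouched (jump to 002B31F4) */
    memset(tmp, 0xFF, SEC_BLOCK_LEN);                     /* wipe temp buffer */
    return decrypt_ok;
}

/* Model of READ_UEM_IMEI (002B3204): registers written big-endian, status 1 if any is non-zero. */
static int read_uem_imei(uint8_t dest[2 * UEM_REGS], const uint16_t regs[UEM_REGS])
{
    int nonzero = 0;
    for (int i = 0; i < UEM_REGS; i++) {
        if (regs[i] != 0) nonzero = 1;
        dest[2 * i]     = (uint8_t)(regs[i] >> 8);        /* reg value H */
        dest[2 * i + 1] = (uint8_t)(regs[i] & 0xFF);      /* reg value L */
    }
    return nonzero;
}
/* Model of Get_IMEI (002B2E2C). Returns 1 when dest holds an accepted IMEI and 0 when
 * it was filled with FF; the firmware routine itself returns R0=1 on every path. */
static int get_imei(uint8_t dest[IMEI_LEN], const uint8_t *block, int decrypt_ok,
                    const uint16_t uem_regs[UEM_REGS], int sys_flag3)
{
    uint8_t uem[2 * UEM_REGS];
    int status = get_secure_data(dest, block, decrypt_ok, IMEI_OFFSET, IMEI_LEN);
    if (status == 1) {                                    /* flash copy reported valid */
        status = read_uem_imei(uem, uem_regs);            /* 0 when the UEM IMEI is all zero */
        if (status == 1) {
            for (int i = 0; i < 2 * UEM_REGS; i++)        /* only the first 8 bytes are compared */
                if (dest[i] != uem[i]) { status = 0; break; }
        }
        if (status == 0 && sys_flag3 == 2) return 1;      /* Get_sys_flag(3)==2: keep dest as is */
    }
    if (status != 1) memset(dest, 0xFF, IMEI_LEN);        /* IMEI is BAD: dest := FF,FF,FF,... */
    return status == 1;
}

/* Constructed scenario (demo data, not phone data). uem_mode: 0 = UEM matches flash,
 * 1 = last UEM register differs, 2 = all UEM registers zero. Returns get_imei's result. */
static int run_case(int corrupt_checksum, int uem_mode, int sys_flag3, uint8_t out[IMEI_LEN])
{
    static const uint8_t field[IMEI_LEN] = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
                                             0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0x0F };
    uint8_t block[SEC_BLOCK_LEN] = {0}, dest[IMEI_LEN];
    uint16_t regs[UEM_REGS] = { 0x0011, 0x2233, 0x4455, 0x6677 };
    memcpy(block + IMEI_OFFSET, field, IMEI_LEN);
    uint16_t sum = calc_sum(block, SUM_LEN);
    block[0x26] = (uint8_t)(sum >> 8);
    block[0x27] = (uint8_t)(sum & 0xFF);
    if (corrupt_checksum) block[0x27] ^= 0x01;
    if (uem_mode == 1) regs[3] = 0x6678;
    if (uem_mode == 2) memset(regs, 0, sizeof regs);
    int accepted = get_imei(dest, block, 1, regs, sys_flag3);
    if (out) memcpy(out, dest, IMEI_LEN);
    return accepted;
}
/* Checks every scenario against the behaviour the listing's comments describe. */
static int self_test(void)
{
    uint8_t out[IMEI_LEN], ff[IMEI_LEN];
    memset(ff, 0xFF, IMEI_LEN);
    if (run_case(0, 0, 0, out) != 1 || out[0] != 0x00 || out[15] != 0x0F) return 0;
    if (run_case(1, 0, 0, out) != 0 || memcmp(out, ff, IMEI_LEN) != 0) return 0; /* bad checksum */
    if (run_case(0, 1, 0, out) != 0 || memcmp(out, ff, IMEI_LEN) != 0) return 0; /* UEM differs */
    if (run_case(0, 2, 0, out) != 0 || memcmp(out, ff, IMEI_LEN) != 0) return 0; /* UEM all zero */
    if (run_case(0, 1, 2, out) != 1 || out[7] != 0x77) return 0;                  /* flag 3 == 2 */
    return 1;
}
int main(void)
{
    printf("IMEI check model: %s\n", self_test() ? "OK" : "MISMATCH");
    return 0;
}
```

Two details the C form makes visible that the listing's comments do not state outright: Get_secure_data_from_FLASH returns the decrypt status (R7) whatever the checksum result, so a block with a bad checksum reaches the UEM comparison with dest already FF-filled and is rejected there rather than at the call site; and the UEM comparison loop covers only the first 8 of the 16 bytes copied from flash, because READ_UEM_IMEI produces 4 registers of 2 bytes each.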
01-09-2005, 00:26 | #5 (permalink) | |
Freak Poster Join Date: Feb 2001
Posts: 213
Member: 3354 Status: Offline Thanks Meter: 3,948 | Quote:
happens in GSM. About the Griffin server, I don't know, maybe others are stupid? A long time ago I offered the DCT4 UEM & FLASH IMEI algorithm, but nobody was interested. Anyway... don't ask for patched flash, etc. I've posted enough hints, so OPEN YOUR EYES, OPEN YOUR MIND! (Maybe you can check the bin file from ZULEA? http://forum.gsmhosting.com/vbb/showthread.php?t=178158 )

BTW: Where in the world are GSM providers using the A5/2 algorithm?

B.R. Dejan |
01-09-2005, 01:10 | #6 (permalink) | |
No Life Poster Join Date: Oct 1999 Age: 48
Posts: 1,867
Member: 4201 Status: Offline Thanks Meter: 6 | Quote:
@Dejan, welcome back to the GSM world. |
01-09-2005, 14:19 | #12 (permalink) |
No Life Poster Join Date: Jul 2001 Location: Inside Raskal pocket Age: 54
Posts: 3,316
Member: 5325 Status: Offline Thanks Meter: 8,448 |

Hi, @"king"

Sorry, but nothing useful in your posted info. No info about encrypt/decrypt flash files, no info about the RPL algorithm, the IMEI decrypt routine is missing, .... As always you just make noise. But sure, you have a plan to do something in this field in the near future. I suppose one of these two options: to make your own money, or to destroy ask/rpl andro's server business. The next weeks will see which one you choose. Or you can also leave it as it is today, and in a few days all the people who 'licked' you here will forget your name and keep doing their usual things day by day.

No offence please.

Best regards,
Zulea |
01-09-2005, 14:53 | #13 (permalink) |
Insane Poster Join Date: Apr 2004 Location: no
Posts: 73
Member: 61288 Status: Offline Thanks Meter: 45 |

Hmh, 3 ways? Oh, I just know one. Are you willing to explain one of the other ways to me? Because I'm trying to decrypt TIKU flashes... :-/

BTW: were you able to dump the ROM region around 800000 or 800300? I didn't have any success yet; it seems it's mapped out (data fetch error). Do you know a little about the memory map registers around 0x06010000 or 0x06100000? |
01-09-2005, 15:55 | #15 (permalink) |
Freak Poster Join Date: Jan 2001 Location: 13 00 N, 122 00 E (PH)
Posts: 364
Member: 3156 Status: Offline Thanks Meter: 63 | I have nothing to add here since I'm not as talented as these 3 gods here, but I hope this thread is going somewhere. |
The Following User Says Thank You to d_bug For This Useful Post: |