calc4.2.2 - i need using tips, PLEASE! - GSM-Forum

bRk@ · 04-08-2003, 19:34

anyone who used calc 4.2.x or older,
and succesfully found ID,
please let me give
some using tips

what to use as crypted/uncrypted fields,
what is 41 or 01 lo9ck level
etc.

thanx.

b.r.
ALex.

04-08-2003, 23:17

How to use this calc:

It 'calculates' (brute force) the phoneID for Sagem Phones
To check, weather a ID is correct or not, it needs some input data:
Field 0: This is the phone IMEI in a twisted form
A pair of fields: a uncrypted and a crypted field
The uncrypted field can be a field that is protected by checksum and the crypted field is the checksum for it.
Or, if you know the locklevel, you can use field 251 as crypted field and as uncrypted field, you enter the locklevel (usually 41 or 01).

The modes:

Mode 0:
This is for old Phones, where you know the beginning of the PhoneID. Usually this is 033170 or 033171. You have to enter the beginning of the ID.

Mode 1:
This i sthe same like mode 1, but the program automatically chooses the first 3 bytes. At first 033170, then 033171, then many other values between 033160 and 033179.

Mode 2:
This lets you determine the real phoneID out of the crypted phoneID, many well known sagem-loggers produce.

Mode 3:
This is phoneID determination for MX3XXX DX 3,5 X Phones. This is the most powerfull Option to find the ID in this Phone. But it takes a long time (up to 80h with 1Ghz processor)

Mode 4:
The same as mode 4, but faster. It tests not the compleate ID-range, but its faster

Mode 5:
This is also ID determination for MX3XXX DX 3,5 X Phones. It is based on a list of known 3-byte ID-suffixes. It cannot find IDs with unknown suffix, but its very fast (20 sec). So, i suggest, to use this mode first.
It works finest for Firmwares DJ 3,5Cand quite well for DJ3,5D but bad for DJ3,5E

Mode 6:
The same like mode 5, but only with 2 byte suffixes. This way, you have a better chance, to get your ID, but it takes longer...

Mode 7:
Another suffix-based Method for MX3XXX DX 3,5 X Phones
It tries out and recombines the most common bytes of the known suffixes. If this works well or not, i do not know. You may try it out. It needs ~ 4,5 h on a 1Ghz PC

So what mode to choose for MX3XXX DX 3,5 X Phones?
At first try option 5. The chance is good for DJ3,5C or D(but not for DJ3,5E). This are only 30 seconds
Then try out Option 6. There you have a real chance to get your ID and its only some hours
After that you may test the new Option 7, if you like...
If this fails too, you have the coice :-) Either a try with the 'fast' Option 4 or the best detection mode, mode 3. But this can take very long (80h)
Well.. Nobody is perfect, this program is based on statistic... It may be, that even this most powerfull mode fails... Thats life.

Now good luck brute forcing your phoneID out...

Heres a list of field pairs from some firmwares...In othe Phones, the combinations can be other way
Perhapes it helps you :-)

MW3026 DJ3,5 C/D/E
Lock level 41
16128 <-> 5251
16129 <-> 5252
16140 <-> 5253
16141 <-> 5254
16177 <-> 5255
16178 <-> 5256
185 <-> 5257
227 <-> 5258
268 <-> 5259
5120 <-> 5260
5374 <-> 5261
5375 <-> 5262
5376 <-> 5263
5798 <-> 5264
5908 <-> 5265
995 <-> 5266

DH4,6J: 051201 1740
Lock level 42
5259 <-> 268
5251 <-> 16128
5252 <-> 16129

DI4.6G
Lock level 00
16128 <-> 5251
16129 <-> 5252
16140 <-> 5253
16141 <-> 5254
16177 <-> 5255
16178 <-> 5256
185 <-> 5257
227 <-> 5258
268 <-> 5259
5120 <-> 5260
995 <-> 5266

mr_x4you · 04-09-2003, 06:57

Or better, reah help ! Sometimes "helps" !!!!!!!!

DomnulV · 04-09-2003, 07:04

OK...
I undestand when CREW say HeHE.....
Your response (legija) is like HeHe...... or ask at www.sagem.com
The good response and easy for you is.....READ OLD TOPIC.....
It is right response.....

cotton · 04-09-2003, 11:34

Is there no way to unlock sagems just by a cable?

csr1200 · 04-09-2003, 12:10

I see in the programs help
DI4,6G
..so this means it can find the phone ID for DI4,6J

What about DI4,6J ?

What option to use ?

Thank you.

chris922 · 04-09-2003, 21:05

>..so this means it can find the phone ID for DI4,6J

No :-)

Trier · 04-10-2003, 10:13

Quote:

Originally posted by chris922
>..so this means it can find the phone ID for DI4,6J

No :-)

Heheheheheh this is not 100% exact answer.

Yes, it can find phone ID for ALL phones regardless of the version, but you should run the program many times, and when i say many i mean MANY MANY times untill a maximum of 256*256*256 times and you will find for sure your phone ID.

So 16777216 times max at aprox 20 seconds/run...

This yelds 335544320 seconds maximum time (in worst case) to find 100% your phone ID with chris calc.

That's only 5592405.33 Minutes, or 93206.75 Hours, or 3883.61 days. But remember this is max wait time under worst conditions

Am i wrong or not?

chris922 · 04-11-2003, 18:26

@Trier
You forgot to give a important advice:

If field 251 and Locklevel is used in your method, you will find a Phone ID much earlier...
Theres only one problem: This ID will not be correct.
You check 256^6 times if the selected ID is valid.

Field 191 is 4 byte long... So, the probabillity that this field matches by accident to your other data is 1:256^4

You see, you will find ~ 65536 IDs
But you have ~10.5 years to check them all :-)

:-)

Trier · 04-11-2003, 21:21

I normally suggest to use 5251 and 16128

But the false IDs' advice is good to be known too

04-08-2003, 19:34	#1 (permalink)
bRk@ Junior Member Join Date: Feb 2003 Location: Serbia Age: 48 Posts: 22 Member: 21723 Status: Offline Thanks Meter: 0	calc4.2.2 - i need using tips, PLEASE! anyone who used calc 4.2.x or older, and succesfully found ID, please let me give some using tips what to use as crypted/uncrypted fields, what is 41 or 01 lo9ck level etc. thanx. b.r. ALex.

04-08-2003, 23:17	#2 (permalink)
legija Guest Posts: n/a Member:	How to use this calc: It 'calculates' (brute force) the phoneID for Sagem Phones To check, weather a ID is correct or not, it needs some input data: Field 0: This is the phone IMEI in a twisted form A pair of fields: a uncrypted and a crypted field The uncrypted field can be a field that is protected by checksum and the crypted field is the checksum for it. Or, if you know the locklevel, you can use field 251 as crypted field and as uncrypted field, you enter the locklevel (usually 41 or 01). The modes: Mode 0: This is for old Phones, where you know the beginning of the PhoneID. Usually this is 033170 or 033171. You have to enter the beginning of the ID. Mode 1: This i sthe same like mode 1, but the program automatically chooses the first 3 bytes. At first 033170, then 033171, then many other values between 033160 and 033179. Mode 2: This lets you determine the real phoneID out of the crypted phoneID, many well known sagem-loggers produce. Mode 3: This is phoneID determination for MX3XXX DX 3,5 X Phones. This is the most powerfull Option to find the ID in this Phone. But it takes a long time (up to 80h with 1Ghz processor) Mode 4: The same as mode 4, but faster. It tests not the compleate ID-range, but its faster Mode 5: This is also ID determination for MX3XXX DX 3,5 X Phones. It is based on a list of known 3-byte ID-suffixes. It cannot find IDs with unknown suffix, but its very fast (20 sec). So, i suggest, to use this mode first. It works finest for Firmwares DJ 3,5Cand quite well for DJ3,5D but bad for DJ3,5E Mode 6: The same like mode 5, but only with 2 byte suffixes. This way, you have a better chance, to get your ID, but it takes longer... Mode 7: Another suffix-based Method for MX3XXX DX 3,5 X Phones It tries out and recombines the most common bytes of the known suffixes. If this works well or not, i do not know. You may try it out. It needs ~ 4,5 h on a 1Ghz PC So what mode to choose for MX3XXX DX 3,5 X Phones? At first try option 5. The chance is good for DJ3,5C or D(but not for DJ3,5E). This are only 30 seconds Then try out Option 6. There you have a real chance to get your ID and its only some hours After that you may test the new Option 7, if you like... If this fails too, you have the coice :-) Either a try with the 'fast' Option 4 or the best detection mode, mode 3. But this can take very long (80h) Well.. Nobody is perfect, this program is based on statistic... It may be, that even this most powerfull mode fails... Thats life. Now good luck brute forcing your phoneID out... Heres a list of field pairs from some firmwares...In othe Phones, the combinations can be other way Perhapes it helps you :-) MW3026 DJ3,5 C/D/E Lock level 41 16128 <-> 5251 16129 <-> 5252 16140 <-> 5253 16141 <-> 5254 16177 <-> 5255 16178 <-> 5256 185 <-> 5257 227 <-> 5258 268 <-> 5259 5120 <-> 5260 5374 <-> 5261 5375 <-> 5262 5376 <-> 5263 5798 <-> 5264 5908 <-> 5265 995 <-> 5266 DH4,6J: 051201 1740 Lock level 42 5259 <-> 268 5251 <-> 16128 5252 <-> 16129 DI4.6G Lock level 00 16128 <-> 5251 16129 <-> 5252 16140 <-> 5253 16141 <-> 5254 16177 <-> 5255 16178 <-> 5256 185 <-> 5257 227 <-> 5258 268 <-> 5259 5120 <-> 5260 995 <-> 5266

04-09-2003, 06:57	#3 (permalink)
mr_x4you Registered User Join Date: Jun 2001 Location: x Posts: 3,295 Member: 4989 Status: Offline Thanks Meter: 13	Or better, reah help ! Sometimes "helps" !!!!!!!!

04-09-2003, 07:04	#4 (permalink)
DomnulV No Life Poster Join Date: May 2000 Location: Bacau, Romania Age: 50 Posts: 914 Member: 1447 Status: Offline Thanks Meter: 97	OK... I undestand when CREW say HeHE..... Your response (legija) is like HeHe...... or ask at www.sagem.com The good response and easy for you is.....READ OLD TOPIC..... It is right response.....

04-09-2003, 11:34	#5 (permalink)
cotton Junior Member Join Date: Feb 2003 Location: Bolton - UK Age: 40 Posts: 28 Member: 22078 Status: Offline Thanks Meter: 0	Is there no way to unlock sagems just by a cable?

04-09-2003, 12:10	#6 (permalink)
csr1200 Insane Poster Join Date: Feb 2003 Location: UK Age: 43 Posts: 73 Member: 20844 Status: Offline Thanks Meter: 0	I see in the programs help DI4,6G ..so this means it can find the phone ID for DI4,6J What about DI4,6J ? What option to use ? Thank you.

04-09-2003, 21:05	#7 (permalink)
chris922 No Life Poster Join Date: Mar 2002 Posts: 774 Member: 10175 Status: Offline Thanks Meter: 0	>..so this means it can find the phone ID for DI4,6J No :-)

04-11-2003, 18:26	#9 (permalink)
chris922 No Life Poster Join Date: Mar 2002 Posts: 774 Member: 10175 Status: Offline Thanks Meter: 0	@Trier You forgot to give a important advice: If field 251 and Locklevel is used in your method, you will find a Phone ID much earlier... Theres only one problem: This ID will not be correct. You check 256^6 times if the selected ID is valid. Field 191 is 4 byte long... So, the probabillity that this field matches by accident to your other data is 1:256^4 You see, you will find ~ 65536 IDs But you have ~10.5 years to check them all :-) :-)

04-11-2003, 21:21	#10 (permalink)
Trier No Life Poster Join Date: Jan 2001 Location: La Coruña-Spain Posts: 1,146 Member: 3035 Status: Offline Thanks Meter: 2	I normally suggest to use 5251 and 16128 But the false IDs' advice is good to be known too