01-08-2007, 13:04 | #106 (permalink)
Freak Poster | Join Date: Oct 2003 | Age: 49 | Posts: 311 | Member: 41760 | Status: Offline | Thanks Meter: 16
01-24-2007, 21:57 | #108 (permalink)
Freak Poster | Join Date: Jan 2007 | Location: usa | Age: 39 | Posts: 106 | Member: 438379 | Status: Offline | Thanks Meter: 0

Hey guys... I read in this post and other posts that the Nokia BB5 models, such as the E70, cannot be unlocked?

1) Is this still true, and does anyone know the technical reasons why? I also had another quick question:

2) Somebody claimed that they were able to flash the BB5 models, but not unlock. I've always been a little confused about this. I thought there is only one memory (flash) chip inside the cell phone and flashing should erase ALL of the memory, or is this not the case and the SIM locks etc. are located in another part of memory? If so, where? Any schematics would help. Flashing will not unlock your phone, correct? Why is that? If you can flash the BB5 models, then why can't you unlock it? Because there is no algorithm for the code and it's random, so it's easier to flash than unlock for this reason?

I would really love to get some answers, as I've barely been getting any... most of the time people just use the equipment and don't know how it works. Thanks a lot!
01-25-2007, 07:02 | #109 (permalink)
Freak Poster | Join Date: Oct 2003 | Age: 49 | Posts: 311 | Member: 41760 | Status: Offline | Thanks Meter: 16

That's right, you can flash your BB5, but not unlock. And here is why. First of all, some general information: the phone software consists of several parts:

It is the PM that contains your IMEI number and lock data (which are interconnected). Plus, the IMEI is also contained in OTP (one-time programmable) memory, where it is put at the factory and cannot be deleted or changed later, other than by replacing the chip that contains it.

All Nokia phones used encryption to avoid unlocking. However, DCT3 and DCT4 encryption was easier. This time, it is much harder. Plus, some algorithms are placed in "execute-only" ROM (which cannot be read or written, only executed, thus nobody knows what's in there).

Of course, there is the "easy" way of unlocking by entering a code which can be calculated knowing only the IMEI of the phone and the network it is locked to. But the calculation algorithm is guarded heavily, and if you want your operator to give you the unlock code, you have to meet the operator's requirements (like staying active for a certain time, etc.). This is done because operators subsidize SIM-locked phones and want their money back before you leave.

You can erase PM if you want, but then your phone will lose its IMEI and will lock up (because, as I already mentioned, SIM-lock algorithms are tied to IMEI). This happened with DCT3, DCT4 and now with BB5. But for DCT3 and DCT4 an easy unlock is available, while for BB5 the security measures are much heavier. The only way you can repair your phone after screwing up PM is through Nokia (for some big bucks, I presume).

For flashing, there are two ways: official and unofficial. Unofficially, you can buy special software and hardware (like UFS with HWK, JAF, Griffin, or MT-box). But your warranty will be gone. Officially, you can take it to a Nokia Authorized Service Center or, recently, with BB5 phones, you can do it at home with the standard USB cable, by downloading the Nokia Software Updater and firmware from the Nokia web site. The only restriction is that you cannot change languages officially.

I hope this explains your questions.

P.S.: Oh yes, and the unlock code is different for each and every phone (I already mentioned that the locking algorithms are tied to IMEI and network code, didn't I?)

Last edited by KPbICMAH; 01-25-2007 at 07:05. Reason: Added P.S.
01-26-2007, 17:59 | #110 (permalink)
Freak Poster | Join Date: Jan 2007 | Location: usa | Age: 39 | Posts: 106 | Member: 438379 | Status: Offline | Thanks Meter: 0

Hey man, I just wanted to say thank you so much... your info helps explain a lot of stuff. I've been spending so much time trying to get answers like these and your answers are exactly what I've been searching for. If you don't mind... I just had a few questions regarding what you said, please. I know I'm asking for a lot, but I appreciate all of your help.

1) I know that on the older Nokia models the algorithms have been leaked or cracked and you can just get an unlocking code through a calculator, usually provided the IMEI and network provider etc. Why can't all phones be unlocked like this? What's different? For example, why would you need a flashing box or smart clip to unlock a phone instead of remote unlocking?

2) Since you said some algorithms are placed in executable-only ROM... I'm assuming this was not the case in DCT3 and DCT4. The reason that the algorithms would be in the phone would be to verify with the unlock code of the phone whether the user enters the correct code, correct? Basically, what is the purpose of the algorithms being present inside the phone, to decrypt the actual lock data?

2) If someone really wants to make a phone that one cannot unlock, why not put the lock data in OTP instead of putting it in an EEPROM?

3) You said flashing the new Nokia can be done with only a USB cable if using the Nokia software at home? So why do we need a flashing box and special cables and software to unlock it?

4) What do a flashing box, special cables, and software actually DO? I read it gets past the boot of the phone to send an unknown command (I'm assuming the command is sent to EEPROM?). So what does it do? Does it modify any values in memory (where), erase the SIM lock data from EEPROM, change the SIM lock data to replace it with an easy code, or...?

5) What is the role of encryption in preventing number 4 above?

6) When do you NEED a flashing box to flash or to unlock? Is it to get access to EEPROM?

7) Would you need special cables to connect the phone to access the SIM lock data even if the phone came with a data cable? Does the data cable restrict access to EEPROM? Are the MCU, PPM, EEPROM and CNT on the same flash chip?

8) What if a phone does not have a place for a data cable, or its connection ports for connecting a cable are physically protected or not available? Then basically you cannot unlock or flash such a phone, correct?

9) You mentioned MCU, PPM, PM etc. Is every phone's memory usually divided like this, for example Motorolas?

Lastly...

10) Where is the boot loader in memory? And why do we need a testpoint for some Motorolas with boot .52 etc.?

Please take your time... but if you could answer these for me... you don't know how much it would help. Again, THANKS
01-29-2007, 13:27 | #111 (permalink)
Freak Poster | Join Date: Oct 2003 | Age: 49 | Posts: 311 | Member: 41760 | Status: Offline | Thanks Meter: 16

For DCT3, all security was ensured by FAID (Flash Authority ID), a value, likely in EEPROM, that was tied to the phone's IMEI, firmware checksum and electronic serial numbers of the flash chip and some other chips. Without a matching FAID, the phone would not see the network, would reboot every 30 seconds, and would get all locks activated. Hence, if you swapped flash chips between two perfectly healthy 3310s, neither would work due to FAID mismatch. But since the phones had no other protection, as soon as someone very bright (Dejan Kalevich it was) made a device to read and write flash on these phones, it was easy to get all the algorithms.

b) A box serves two purposes: it adapts signals from the computer port to those used by the phone, and it works as a copy-protection measure for the software, which won't run without a box.

c) I'm not an expert in the architecture of Nokia phones, but to the best of my knowledge, the POP port is not identical to the service connector (the one under the battery). There are some lower-level things that can be done only through the service connector. Besides, some phones simply don't have the USB/POP port. For these, the only way to go is an adapter cable.

You should understand that even though the unlock may be technically possible with a USB cable, you will have to do it through a box and adapter cable. Just because that's the way the software is written.

Once upon a time, phone settings were stored in a different chip (physically, a different type of memory, since these data are modified more often and in smaller chunks than the firmware). Hence they are still widely known as EEPROM (Electronically Erasable Programmable Read-Only Memory). But since after the Nokia 3210, they have become incorporated in the flash chip (I don't know if it's still a different physical memory type, or the same; I know in many cases it uses smaller blocks for writing). The tendency is to have everything in one chip, to keep the phones cheap and easy to make. However, as phone memory grows bigger, these areas can be divided. For example, the 6230 uses a different memory chip for the gallery (CNT), even of a different type (NOR for firmware and NAND for content, whatever those mean).

Now the testpoints. I will describe (in small detail) the Siemens boot-up procedure and how you can penetrate the defences.

When you press the power button, the ROM bootloader initialises. Its job is to check if the flash bootloader (bootcore) is present. If it is, the ROM bootloader starts it. If not, it attempts to connect and load an external bootloader from the system interface (without any security checks). When the flash bootloader starts, it looks to the system interface again, to check for any attempts to load an external program. But this time, you need to present a valid Bootkey to enter, unless the phone is in Factory mode. [off: Siemens phones have several security levels, from Customer (lowest access) to Factory (highest access). More on this later.] If the external loader cannot be loaded (or cannot present a valid Bootkey), the phone software starts.

Security-related data is in the flash bootcore and in EEPROM. None of these is accessible in Customer mode. Relevant EEPROM blocks will not be listed, read or written. Lock data is tied to the IMEI (there are two IMEIs: one in OTP flash, the other in EEPROM, and the phone won't start if they don't match) and the flash ESN (Electronic Serial Number), which is also not readable in Customer mode. To get full access to the phone, you will need to enter a valid Skey (8 decimal digits), which is selected randomly by Siemens at production and is encrypted in the EEPROM security blocks. Or a Bootkey (32 hex digits) to bypass the internal bootloader. Attempts to enter the Skey are limited and there is an increasingly long waiting period after each incorrect attempt.

Or you can trick the phone into thinking it has an empty flash bootloader (by cutting a track in older Siemenses, or shorting a point to ground in newer Siemenses). This temporarily disrupts power to the flash chip, then the ROM bootloader allows an external bootloader to be run in the phone. With that, you can do anything; the internal defences are no longer working. Then you just read out the ESN, IMEI and EEPROM security blocks to produce the Bootkey and Skey. After this, you can restore the testpoint; you have all you need. Now you can read and write the entire phone memory, replace security blocks and do pretty much anything.

One thing you can do with these data is calculate mastercodes: codes that are typed in on the phone keyboard to remove the user code or service provider lock. They look like *#0003*xxxxxxxx#, where an 8-digit decimal number is substituted for xxxxxxxx. That is the mastercode. There are several mastercodes (from 0 to 7) for different locks that can be enabled on a Siemens phone. Number 3 is for the user code, number 0 is for the SP-lock. If you enter the phone code incorrectly three times, you will not be able to deactivate it, other than by entering a mastercode (or doing a direct unlock using the testpoint).

The same goes for Motorola. When you do a testpoint, you short-circuit the flash chip's power to ground, making the ROM bootloader think it's got empty flash. That is why your phone is detected as "Blank Neptune LTE" instead of "Secure Neptune LTE". After you remove the TP, you can read the contents of the flash chip, see and reverse the encryption algo and unlock the phone using the information found in PDS. The reason you need the testpoint is that the bootloader (the one in flash) won't let you download and run anything without a proper digital signature (and this signing uses complex encryption which is not easy to crack). So, it's easier to disable the bootloader than to try and forge the signature for an external bootloader. On newer Motorolas (like the L7) all bootcore versions have this protection. On the V3, older versions don't have this protection, hence don't need the testpoint.

Hopefully, I have shed some light on the issue, without muddling it up altogether. And sorry it took so long, as this is the third time I am typing this BIG article. Once I closed the browser accidentally, and once my computer died on me; apparently some forces wouldn't want this information to be released.
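The boot sequence the post walks through (ROM bootloader, then flash bootloader with its Bootkey or Factory-mode check, then the phone software) can be written down as a small decision model, which makes the design lesson easy to see: a recovery path that loads code without verification is part of the trust boundary, whatever the normal path checks. The Python below is an added example, not code from the post or from Siemens or Motorola. Everything in it is constructed: the phone states, the `BOOTKEY` value, the loader images and the signing key, and HMAC-SHA256 stands in for whatever signature scheme the real bootloaders use. It also models, as an assumption the post does not make for Siemens, a hardened variant in which the ROM bootloader verifies any external loader before running it, which is the property the post attributes to the Motorola flash bootloader.

```python
"""Model of the boot-time trust decision described in the post above.

Added example, not code from the post or from any phone vendor. Phone
states, Bootkey, loader images and the signing key are all constructed;
HMAC-SHA256 is a stand-in for the real signature scheme.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed signing key. A real ROM would hold a public key and verify an
# asymmetric signature; HMAC is used only so the example runs offline.
OEM_KEY = b"constructed-oem-signing-key"
# Constructed stand-in for the 32-hex-digit Bootkey the post mentions.
BOOTKEY = "0123456789ABCDEF0123456789ABCDEF"


@dataclass
class Phone:
    # False models the flash chip being unavailable at boot, so the ROM
    # bootloader finds no flash bootloader (bootcore).
    flash_bootloader_present: bool
    # Factory mode waives the Bootkey check in the flash bootloader.
    factory_mode: bool = False
    # Hardened variant (assumption, not from the post): the ROM bootloader
    # verifies external loaders too.
    verify_in_rom: bool = False


@dataclass
class ExternalLoader:
    image: bytes
    signature: bytes = b""
    bootkey: Optional[str] = None


def sign(image: bytes) -> bytes:
    """Constructed 'signature': HMAC over the loader image."""
    return hmac.new(OEM_KEY, image, hashlib.sha256).digest()


def signature_ok(loader: ExternalLoader) -> bool:
    return hmac.compare_digest(sign(loader.image), loader.signature)


def boot(phone: Phone, loader: Optional[ExternalLoader] = None) -> str:
    """Return which code ends up running, following the post's sequence:
    ROM bootloader -> flash bootloader -> phone software."""
    # Stage 1: ROM bootloader checks for a flash bootloader.
    if not phone.flash_bootloader_present:
        if loader is None:
            return "halt: no bootcore and no external loader offered"
        # As described in the post, the original ROM path does no checks.
        if phone.verify_in_rom and not signature_ok(loader):
            return "halt: external loader rejected by ROM signature check"
        return "external loader (via ROM path)"
    # Stage 2: flash bootloader accepts external code only with a valid
    # Bootkey, unless the phone is in Factory mode.
    if loader is not None and (phone.factory_mode or loader.bootkey == BOOTKEY):
        return "external loader (via flash bootloader)"
    # Stage 3: otherwise the normal phone software starts.
    return "phone software"


def trust_gap_closed(design: Phone) -> bool:
    """True if an unsigned, keyless loader cannot run on this design by
    either path (bootcore present or absent)."""
    unsigned = ExternalLoader(image=b"constructed unsigned loader")
    with_bootcore = Phone(True, design.factory_mode, design.verify_in_rom)
    without_bootcore = Phone(False, design.factory_mode, design.verify_in_rom)
    return (boot(with_bootcore, unsigned) == "phone software"
            and boot(without_bootcore, unsigned).startswith("halt"))


if __name__ == "__main__":
    unsigned = ExternalLoader(image=b"constructed unsigned loader")
    keyed = ExternalLoader(image=b"constructed loader", bootkey=BOOTKEY)
    print(boot(Phone(True), unsigned))
    print(boot(Phone(True), keyed))
    print(boot(Phone(False), unsigned))
    print(boot(Phone(False, verify_in_rom=True), unsigned))
    print(trust_gap_closed(Phone(True)), trust_gap_closed(Phone(True, verify_in_rom=True)))
```

Running it prints which stage ends up executing for each combination; `trust_gap_closed` answers the review question directly: can unsigned, keyless code run by any path? For the design as the post describes it the answer is yes (through the empty-flash path), and only the variant that verifies in ROM closes it.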
04-12-2007, 18:02 | #118 (permalink)
Junior Member | Join Date: Mar 2007 | Location: vicenza italy | Posts: 35 | Member: 473395 | Status: Offline | Thanks Meter: 2

-- UFSx Device: UFS3 SarasSoft, USB S/N: 112491
-- Target Id : 62 CF 1 7
-- UFSx Boot : UFxBoot V2.2 (c) SarasSoft 2003.
-- UFSx Firmw.: UFS_USB V2.6 (c) SarasSoft 2005.
-- UFSx S/N : 112491
-- Features : 00000001
-- Licence 5 : True
-- UFSx Vendor: POWER-FLASHER
-- HWK ERROR : 0002
04-16-2007, 05:00 | #120 (permalink)
Freak Poster | Join Date: Oct 2003 | Age: 49 | Posts: 311 | Member: 41760 | Status: Offline | Thanks Meter: 16

L: iamanidiot P: icannotread
L: iamanimbecile P: icannotthink
L: iambraindead P: icannotcontactmyreseller
L: iamatotaldummy P: ishouldnotpostmyserial
L: iamclueless P: idontknowsh!t
L: givemelogin P: iwillstartkillingphones
L: imustnotreproduce P: somebodykillme

WBR, KPbICMAH

P.S.: Alternatively, you can try accessing the support server 1073741824 times giving "maozedong" for login and "maorules" for password. After about 1041529569 attempts the server will surrender and let you in with this login and password.