|
Welcome to the GSM-Forum forums. You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. Only registered members may post questions, contact other members or search our database of over 8 million posts. Registration is fast, simple and absolutely free so please - Click to REGISTER! If you have any problems with the registration process or your account login, please contact contact us . |
|
Register | FAQ | Donate | Forum Rules | Root any Device | ★iPhone Unlock★ | ★ Direct Codes ★ | Direct Unlock Source |
Nokia Base Band 5 ( BB-5 ) Baseband-5 Phones: 2700 Classic , 2730 Classic , 3109c , 3110c , 3120c , 3250 , 3500c , 3600s , 3610 Fold , 3710 Fold , 3720 Classic , 5130 XpressM , 5200 / 5200b , 5220 XpressM , 5230 XpressM , 5300 / 5300b , 5310 / 5310b , 5320 , 5500 , 5530 XpressM , 5610 , 5630 XpressM , 5700 , 5730 XpressM , 5800 , 6085 / 6086 , 6110n , 6120c , 6121c , 6124c , 6125 , 6126 / 6133b , 6131 / 6133 , 6131 (NFC) , 6136 , 6151 , 6208 Classic , 6210n , 6212c , 6220c , 6233 , 6234 , 6260 Slide , 6263 , 6267 , 6270 , 6280 / 6288 , 6282 , 6290 , 6300 , 6300i , 6301 , 6303 Classic , 6500 Classic , 6500 Slide , 6555 , 6600 Fold , 6600 Slide , 6630 , 6650 Fold , 6680 , 6681 , 6682 , 6700 Classic , 6710 Navigator , 6720 Classic , 6730 Classic , 6760 Slide , 6790 Surge , 7210c , 7310c , 7370 , 7373 , 7390 , 7500 , 7510c , 7610c , 7900 , 8600 , 8800 arte , E50 , E51 , E52 , E55 , E60 , E61 , E61i , E62 , E63 , E65 , E66 , E70 , E71 , E72 , E75 , E90 , N70 , N71 , N72 , N73 , N75 , N76 , N77 , N78 , N79 , N80 , N81 , N82 , N85 , N86 , N90 , N91 , N92 , N93 , N93i , N95 , N95 8GB , N96 , N97 , N97 Mini , X3 , X6 |
| LinkBack | Thread Tools | Display Modes |
10-04-2007, 22:02 | #61 (permalink) |
Freak Poster Join Date: Dec 1999
Posts: 154
Member: 793 Status: Offline Thanks Meter: 1 | |
10-05-2007, 08:30 | #62 (permalink) |
No Life Poster Join Date: Jan 2000 Location: GSM Forum
Posts: 1,108
Member: 871 Status: Offline Thanks Meter: 602 | @Vadim Kova The instruction we want to patch always has a subroutine branch instruction before it in all know firmwares of No-Kia BB5. The most important thing to take note is how each firmware is divided in to 32-byte bursts and our triggers really depend on this. For example, the first instace on 5200 v5.0 only executes upto the first branch instruction which is before the instruction we want to patch. That instruction we want to patch does not get executed in the first instance at all. I just know in theory that after a subroutine is finished the 32-byte block part of the Function where the branching is called is read again into RAM before it continues to process the next instruction in that Function. Also, there should be some instaces where the next 32-byte block is read in advance before even finishing the previous block. In short, you must know in advance through some disassembly and analysis which instance of that 32-byte block should be patched. And yes, it does not change because it is just reloaded back into the RAM. |
10-05-2007, 09:40 | #63 (permalink) |
Freak Poster Join Date: Dec 1999
Posts: 154
Member: 793 Status: Offline Thanks Meter: 1 | Anyway, dissassemly of branches with unknown conditions and unknown prehistory will not guarantee correct result. It is just a matter of some experimenting to check by patching all instances. How many branches we have inside the burst before patched instruction? 2? 3? It looks better than subbr disassembly. |
10-05-2007, 11:15 | #64 (permalink) | |
No Life Poster Join Date: Jan 2000 Location: GSM Forum
Posts: 1,108
Member: 871 Status: Offline Thanks Meter: 602 | Quote:
What you say is 100% true, but keep in mind we deal with branching without conditions in that subbr before the instruction we want to patch. I see this is the same in all firmwares that I played with. It is always BL sub_xxxxx before that CMP R0, #1. Now you know BL is Branch with Link, which means the return address is stored in one of the Registers. So whatever that sub_xxxxxx do (and all subbr in that sub_xxxxx), it will always go back to that function where it was called and it would return the value for R0 which we want to compare with '#1'. So what we are looking for is the last burst before sub_xxxxxx goes back to the function. That "LAST BURST" is affected by how the firmware is divided into 32-byte bursts, but that is not the only condition that affects it. True enough, a certain amount of guessing is required... but it is far more guesses if you do not know the previous burst at all... ;-) Again, we are only speaking "Theoretically" right? Because topic of this thread is "BB5 Unlocking Theory"... LOL | |
10-11-2007, 05:34 | #66 (permalink) |
No Life Poster Join Date: Jan 2000 Location: GSM Forum
Posts: 1,108
Member: 871 Status: Offline Thanks Meter: 602 | @Vadim Kova There should be a way... but it's easier to learn verilog and make one yourself than spend time trying to reverse that jed. I had mine working on the xilinx simulator, but still need to put tweaks like a UART so that I can get those wait states without guessing a single bit ;-) Check attachment... Trigger was found on 420ns... (I used 5200 v5.0 trigger). That 'led' and 'b' are the pins used to show that trigger is found. adx and clk are self-explanatory ;-) The trigger bits are set on reg [23:0] bb;... but only for simulation purposes... just for fun ;-) |
10-11-2007, 09:01 | #67 (permalink) | |
No Life Poster Join Date: Feb 2000 Location: UK
Posts: 3,186
Member: 1024 Status: Offline Thanks Meter: 5,510 | Quote:
Here some interesting reading about cpu cache and branch prediction. BR | |
10-12-2007, 14:20 | #68 (permalink) |
No Life Poster Join Date: Jan 2000 Location: GSM Forum
Posts: 1,108
Member: 871 Status: Offline Thanks Meter: 602 | Some info on cpld jed files... Ok, so dk said it is possible to inject that 5200 v5.0 trigger into n95unlock.jed ... I can tell you where to look and how to correct checksum... First open n95unlock.jed... at the bottom you will see checksum of 'B6E2'... take note of that. Now look at: L004720 01101010011010100110111111101111101111111110111111 111111111111111111111111111111* which is located at 'Note Block 0 PLA AND array *'... this is where dk put the 13 bits of hi n95 trigger... In CPLD, "01" = 1, "10" = 0 and "11" is not used (nu)... so put a space after each bit and you will see something like this: 01 10 10 10 01 10 10 10 01 10 11 11 11 10 11 11 10 11 11 11 11 10 111111111111111111111111111111111111* and then convert to: 1-0-0-0-1-0-0-0-1-0-nu-nu-nu-0-nu-nu-0-nu-nu-nu-nu-0-nu-nu-nu.... so we get 13 bits from it which is '1000100010000' Now we move on to find the next 11 bits which is found here: L009648 01010111110110101101011111111011111110111101111111 111111111111111111111111111111* which is found in 'Note Block 1 PLA AND array *'... From that, convert it so that you will get the bits... You should get: '11110011001' ... Now you have the 24 bits he used for trigger which is '1000100010000' - '11110011001' Easy enough??? Well, we know these are the bits, but because the CPLD fitter is the one that decides where and how to store these bits, you still need to guess the proper arrangement of this bits! In short, for now we only know that the trigger uses 10 bits that are '1' and 14 bits that are '0'... we don't know the proper arrangement ;-( So we get '1111111111-00000000000000' and we want to put 5200 v5.0 bits in there... First you will have to change the checksum because the 5200 v5.0 have different number of '0' and '1'. For 5200 v5.0 111111000000000010000010, we have 8 bits that are '1' and 16 bits that are '0'. We need to change 3 '0' from n95.jed into '1' and so we just simply add 3 to the checksum to make our changes valid. So B6E2 + 3 = B6E5. Now all you have to do is guess where to put those bits in the proper location and you will be able to use it for any bb5... Via bruteforce,,, it should take you 1,000.000 attempts! If you have the time,,, go ahead ;-) Or wait for further developements on this topic! |
11-20-2007, 20:50 | #69 (permalink) |
Junior Member Join Date: Nov 2007
Posts: 8
Member: 626178 Status: Offline Thanks Meter: 0 | Hello, I see this is a thread where BB5 guru are discussing possibilities of unlocking BB5 phones... Well, I'm not a guru but could anybody provide any info about frames which Dejan's program sends over FBus? First of all, I would like to see a description of frames starting with "1e 00 10 53" bytes. As I understand, this is to read the phone memory, right? The reason why I'm asking this is simple. I have Nokia E65 phone which does not communicate with Dejan's program over DKU-5 cable with ark3116 USB-UART converter inside. Perhaps, E65 does not support FBus on PopPort. Though I'm not sure of this... At the same time another program, NSS (Nemesis Service Suite) can read the phone data over CA-53 USB cable, including famous 308.1 section. USB analyzer shows that NSS mimics FBus communication over USB bulk transfer with some modifications: byte 0x1b is used as frame header instead of 0x1e, no ACK frames are sent, no SeqNum, no FramesToGo, and no checksum, since USB bulk transfer is considered as absolutely reliable. After writing some program to translate between serial FBus and USB frames, I could make Dejan's bb5_unlocker to communicate with the phone connected over plain CA-53 cable. I got the phone version, IMEI and SP Ver lines. But then nothing... It seems that the phone does not understand "1e 00 10 53", err... sorry "1b 00 10 53" frames, or sends wrong data. I think that "1e 00 10 53" frames can be translated into "1b 00 10 23" frames used by NSS. However, these frames have quite different format. So, I would appreciate if someone could provide any valuable information about FBus frames used to read BB5 phones memory. Thank you. |
11-21-2007, 00:01 | #70 (permalink) |
No Life Poster Join Date: Feb 2006 Location: The pub
Posts: 526
Member: 236929 Status: Offline Thanks Meter: 12 | man u seem like u know your onions, historys/research is always good tho http:///vbb/showthread.php?t=215949 http:///vbb/showth...ight=technical Aswell as the unlock theory thread,every thing u want to know is here on gsm jus search a little more |
11-21-2007, 19:47 | #72 (permalink) |
Junior Member Join Date: Nov 2007
Posts: 8
Member: 626178 Status: Offline Thanks Meter: 0 | dandylion, thank you... Unfortunately, I could not find any documentation regarding FBus frames format used in Dejan's program but I could find in this forum a log from serial port sniffer when bb5_unlocker communicated with a phone supporting FBus over serial port. I could compare this dump with mine and found that my USB-Serial translator program was not completely correct. It calculated SeqNo bytes for all frames instead of using one sequence counter for ACK frames and another for data frames. I fixed that and now I could get complete info after hitting "Read Phone" button!!! However, after hitting "Make Log" the program said "Error read pm data"... Well, it seems that now the problem is with large data frames with contents of 308.1 memory area. With USB transport one frame is 1Kbytes long and it seems Dejan's program does not expect that. I need to cut every frame for smaller fragments and send them to bb5_unlocker in separate frames. So, still there is a hope that it will work. Is there any chance of Dejan replying to this? I think he could make his program to communicate over plain CA-53 cable over USB. This is really simple. I do that as follows: My translator program is running in Linux using open source libusb to communicate with USB. This program is also connected to a socket/pipe created by VMware Player. The socket is a virtual COM1 port for Windows XP running inside VMware. So, when bb5_unlocker runs inside VMware, it communicates with this socket instead of real COM port, and therefore with that translator program. If Dejan is so kind to rewrite his program to communicate directly over USB than things might be much easier. |
12-06-2007, 23:22 | #73 (permalink) |
Junior Member Join Date: Dec 2003
Posts: 1
Member: 45356 Status: Offline Thanks Meter: 0 | Hi, I guess you've studied serial spy from this thread. It all seems conforming to FBUS protocol that is also described in: http://wiki.gnokii.org/index.php/Protocol_description just like this, only ID is different: Code: buf[at++]=0x1e; // id comunication 0x1e cable=0x1e infred=0x1c buf[at++]=0x00; // dest 0x00=mobil buf[at++]=0x0c; // source 0x0c=pc buf[at++]=type; // comand type see below buf[at++]=0; // multiple sms buf[at++]=size; // size of data for(n=0;n<size;n++) buf[at++]=data[n]; ... I've recently browsed through various forums (Hasnain et al.) and tried to understand how the log file is constructed: bytes from 0x00 to 0x6F are really taken from famous [308] block, right after dead0400 sequenceSo it would be nice to understand which command is used to get these 10 (or maybe 16) bytes using FBUS and from where? Unfortunately the serial spy does not include the final log. So if someone could possibly make the similar spy and attach the LOG file, it would be great. Then also the same command could be possibly sent over USB to newer BB5 versions? Pavel |
12-19-2007, 18:31 | #74 (permalink) | |
Junior Member Join Date: Dec 2007
Posts: 1
Member: 657274 Status: Offline Thanks Meter: 0 | Maybe who knows how 2 decode strings in DK box cfg file? For example all the same 5200 5.00: Quote:
$ - marker end of version of phone 30 - not used in last version 2 - not used in last version(in previous version it may be value 4) 9F7000928508C5D744262D - sequence which sending 2 box in native form What does it sequence mean? It is not like a triggering string because so big.How 2 allocate trigerring pads? Maybe can someone explain this format? | |
01-20-2008, 05:45 | #75 (permalink) |
No Life Poster Join Date: Feb 2002 Location: Scotland, UK
Posts: 1,480
Member: 9719 Status: Offline Thanks Meter: 4 | i really like your first post it made me laugh. glad to see you have joined the main forum for anything to do with mobile phone unlocking and repairs....be sure to use the search feature at will as its useful. p.s can i guess the answer to be something like the sequence translates to another language that some nice other gsm forum member will have to explain. p.p.s. pls slap me silly if the answer is easy p.p.p.a. ok my sarcism is lost in space a.t.m. i really don't know how else to welcome a new member that got stuck right into all this programming and an-alysis stuff so quick/deep quickly....thats enthusiam for you i guess.... Hello & welcome to gsmforum |
Bookmarks |
| |
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Iphone 3G Technical Discussion and SP Unlocking theory | GraveSlayer | iPhone 2 / iPhone 3G / iPhone 3GS | 8 | 11-15-2008 06:04 |
Build by your self BB5 SP unlock Box | Dejan Kaljevic | Nokia Base Band 5 ( BB-5 ) | 612 | 05-14-2008 10:13 |
Cabel needed to unlock 5300 with BB5 SP UNLOCKER??? | crashing | Nokia Base Band 5 ( BB-5 ) | 5 | 09-11-2007 09:05 |
|