GSM Shop
GSM-Forum  

Welcome to the GSM-Forum forums.

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features.
Only registered members may post questions, contact other members or search our database of over 8 million posts.

Registration is fast, simple and absolutely free so please - Click to REGISTER!

If you have any problems with the registration process or your account login, please contact contact us .

Go Back   GSM-Forum > GSM & CDMA Phones / Tablets Software & Hardware Area > Nokia > Nokia Base Band 5 ( BB-5 )

Nokia Base Band 5 ( BB-5 ) Baseband-5 Phones: 2700 Classic , 2730 Classic , 3109c , 3110c , 3120c , 3250 , 3500c , 3600s , 3610 Fold , 3710 Fold , 3720 Classic , 5130 XpressM , 5200 / 5200b , 5220 XpressM , 5230 XpressM , 5300 / 5300b , 5310 / 5310b , 5320 , 5500 , 5530 XpressM , 5610 , 5630 XpressM , 5700 , 5730 XpressM , 5800 , 6085 / 6086 , 6110n , 6120c , 6121c , 6124c , 6125 , 6126 / 6133b , 6131 / 6133 , 6131 (NFC) , 6136 , 6151 , 6208 Classic , 6210n , 6212c , 6220c , 6233 , 6234 , 6260 Slide , 6263 , 6267 , 6270 , 6280 / 6288 , 6282 , 6290 , 6300 , 6300i , 6301 , 6303 Classic , 6500 Classic , 6500 Slide , 6555 , 6600 Fold , 6600 Slide , 6630 , 6650 Fold , 6680 , 6681 , 6682 , 6700 Classic , 6710 Navigator , 6720 Classic , 6730 Classic , 6760 Slide , 6790 Surge , 7210c , 7310c , 7370 , 7373 , 7390 , 7500 , 7510c , 7610c , 7900 , 8600 , 8800 arte , E50 , E51 , E52 , E55 , E60 , E61 , E61i , E62 , E63 , E65 , E66 , E70 , E71 , E72 , E75 , E90 , N70 , N71 , N72 , N73 , N75 , N76 , N77 , N78 , N79 , N80 , N81 , N82 , N85 , N86 , N90 , N91 , N92 , N93 , N93i , N95 , N95 8GB , N96 , N97 , N97 Mini , X3 , X6

Reply
 
LinkBack Thread Tools Display Modes
Old 09-16-2007, 04:50   #1 (permalink)
Freak Poster
 
Join Date: Feb 2001
Posts: 213
Member: 3354
Status: Offline
Thanks Meter: 3,948
BB5 SP unlocking, theory...


It seems that everybody know how it works, but not Nokia, since they didn't
change anything in they SW to prevent that.

Then again, maybe not!
Why they left BIG hole in SP security...?..

BB5 using RSA and AES algorithm that is running from secure ROM and RAM.
Main SP rutines are stored in FLASH in block "PA_SL" and those rutines are
loaded in secure RAM and if RSA signature correct, CPU will run it.

BUT "SP SERVER" are part of MCUSW that is running DIRECTLY from
FLASH is not protected?!!! Well it is tested only once when phone starts!
After that you can patch code from flash in fly.

ARM CPU reads data from flash in bursts, in this case it is burst of 32 bytes
and it start on 32 aligned address.

So, first step is to know where is code that have to be patched in FLASH.
You can find that by desoldering FLASH from phone and to read by some
programming device.
Or you can use my software to extract mcusw from Nokia update SW files.
Find bigest file in dir and rename to "infile". Run "fls2bin.exe" wait, and two
files will be created. One of them are "mcusw".

NOTE: fls2bin may not work with all cpu flash files!

End of Part 1

P.S.
Do not post stupid comments in this thread, or even better, do not post ANY comment!!!
Attached Files
File Type: rar Fls2bin.rar (2.1 KB, 5315 views)
  Reply With Quote
The Following 15 Users Say Thank You to Dejan Kaljevic For This Useful Post:
Show/Hide list of the thanked
Old 09-16-2007, 05:46   #2 (permalink)
Freak Poster
 
Join Date: Feb 2001
Posts: 213
Member: 3354
Status: Offline
Thanks Meter: 3,948
Part 2:

Once you have code, next step is to find what and where to patch code.
Well, that is very complicated procedure and requires knowelage,experiance,
lots of work,etc.
But again, Nokia made another big hole or maybe NOT?!
One of critical rutines can be EASELY find by looking for ASCII string!!!,
belived or not.
Magic string is "012345678901234" and it is default SP pass for test phones or
what. Probably they have problem to put string somethin like "FOR HACKERS HERE IS CRITICAL CODE!"
Anyway....

Use "LISTER" from windows to view "mcusw" file.
In options, select "HEX"
Press key "F7"
Enter 012345678901234 and hit enter to start looking for that string.
All other data have to look like some garbage with only that ASCII string!

Note: If you do not find that string in "mcusw" try in second file that is
created by "fls2bin.exe"

Once you find string, look in lister HEX address of that string.
Substract that address by 1000h (200h to 2000h).
This is address from which tou will start to dissasemble code!!!

So....


Load file in some ARM dissasembler use LITLE ENDIAN and THUMB mode
Set dissasembling address previos defined, and start to dissasemble code.

In that proces you have to look for instruction that points to string
"012345678901234"

Something like this:

00A0C9BC: FE A4 LEA R4,[PC+#03F8] ;[00A0CDB8]=33323130 '012345678901234'

And you have found ONE of many SP rutines that can be patched.

In this example full rutines looks like this:
(From: V 05.00 27-04-07 RM-174)


00A0C9B6: F0 B5 PUSH (R4,R5,R6,R7,LR)
00A0C9B8: 06 1C ADD R6,R0,#0
00A0C9BA: 0F 1C ADD R7,R1,#0
00A0C9BC: FE A4 LEA R4,[PC+#03F8] ;[00A0CDB8]=33323130 '012345678901234'
00A0C9BE: 85 B0 SUB SP,#0014
00A0C9C0: 2E CC LDM [R4],(R1,R2,R3,R5)
00A0C9C2: 01 A8 LEA R0,[SP+#0004]
00A0C9C4: 2E C0 STM [R0],(R1,R2,R3,R5)
00A0C9C6: 02 25 MOV R5,#02
00A0C9C8: 00 24 MOV R4,#00
00A0C9CA: FF F7 07 F9 CALL 00A0BBDC
00A0C9CE: 00 28 CMP R0,#00
00A0C9D0: 02 D0 BEQ 00A0C9D8
00A0C9D2: 02 28 CMP R0,#02
00A0C9D4: 2D D0 BEQ 00A0CA32
00A0C9D6: 0A E0 JMP 00A0C9EE
00A0C9D8: 0F 22 MOV R2,#0F
00A0C9DA: 31 1C ADD R1,R6,#0
00A0C9DC: 01 A8 LEA R0,[SP+#0004]
00A0C9DE: 50 F6 6C E8 CALLX 0085CABA
00A0C9E2: 00 28 CMP R0,#00
00A0C9E4: 01 D1 BNE 00A0C9EA
00A0C9E6: 00 25 MOV R5,#00
00A0C9E8: 23 E0 JMP 00A0CA32
00A0C9EA: 08 25 MOV R5,#08
00A0C9EC: 21 E0 JMP 00A0CA32
00A0C9EE: 30 5D LDRB R0,[R6+R4]
00A0C9F0: 30 38 SUB R0,#30
00A0C9F2: 0A 28 CMP R0,#0A
00A0C9F4: 02 D3 BCC 00A0C9FC
00A0C9F6: 08 20 MOV R0,#08
00A0C9F8: 05 B0 ADD SP,#0014
00A0C9FA: F0 BD RET (R4,R5,R6,R7)
00A0C9FC: 01 34 ADD R4,#01
00A0C9FE: 24 06 LSL R4,R4,24
00A0CA00: 24 0E LSR R4,R4,24
00A0CA02: 0E 2C CMP R4,#0E
00A0CA04: F3 D9 BLS 00A0C9EE
00A0CA06: 08 20 MOV R0,#08
00A0CA08: 40 F6 3C E9 CALLX 0084CC84
00A0CA0C: 04 1C ADD R4,R0,#0
00A0CA0E: 02 1C ADD R2,R0,#0
00A0CA10: 39 1C ADD R1,R7,#0
00A0CA12: 30 1C ADD R0,R6,#0
00A0CA14: 43 F7 9E F9 CALL 0094FD54
00A0CA18: 01 28 CMP R0,#01
00A0CA1A: 01 D1 BNE 00A0CA20
00A0CA1C: 00 25 MOV R5,#00
00A0CA1E: 05 E0 JMP 00A0CA2C
00A0CA20: 60 68 LDR R0,[R4+#04]
00A0CA22: 23 28 CMP R0,#23
00A0CA24: 01 D1 BNE 00A0CA2A
00A0CA26: 08 25 MOV R5,#08
00A0CA28: 00 E0 JMP 00A0CA2C
00A0CA2A: 02 25 MOV R5,#02
00A0CA2C: 20 1C ADD R0,R4,#0
00A0CA2E: 50 F6 34 E8 CALLX 0085CA9A
00A0CA32: 28 1C ADD R0,R5,#0
00A0CA34: E0 E7 JMP 00A0C9F8


On address 00A0CA14: is most important call function that test PSW!!!
On return from that function if R0=1 pass is corect and phone will be unlocked!

So we can to patch data on addr:

00A0CA18: 01 28 CMP R0,#01 to
00 28 that is CMP R0,#00

or on addr:

00A0CA1A: 01 D1 BNE 00A0CA20 to
01 D0 that is BNE 00A0CA20

And phone will be unlocked!!!

As you can see in first case we togle bit 0 (ad0) and in second
we togle bit 8 (ad8). This method is used for N73.

Anyway there is a lots of ways to patch code by fly, togling only ONE bit!!!,
since Nokia left so BIG security hole in their design!


End of Part 2

P.S.
Do not post stupid comments in this thread, or even better, do not post ANY comment!!!
Attached Files
File Type: txt Sp.txt (2.5 KB, 3434 views)
  Reply With Quote
The Following 4 Users Say Thank You to Dejan Kaljevic For This Useful Post:
Show/Hide list of the thanked
Old 09-16-2007, 09:36   #3 (permalink)
Freak Poster
 
Join Date: Apr 2005
Age: 32
Posts: 374
Member: 138877
Status: Offline
Thanks Meter: 0
"On-the-fly programming (or live coding) is a style of programming in which the programmer/performer/composer augments and modifies the program while it is running, without stopping or restarting, in order to assert expressive, programmable control for performance, composition, and experimentation at run-time. Because of the fun*****tal powers of programming languages, we believe the technical and aesthetic aspects of on-the-fly programming are worth exploring. "

So mcu must be uploaded whilst phone is running..... nothing here mentioned about using test points, as Dejan explained in his first post this is alternative to using test points...
Now just to figure out how to edit mcu file, and then rewrite back to phone....
anyone had any luck yet.

Last edited by AboAli; 09-16-2007 at 11:58.
  Reply With Quote
Old 09-16-2007, 10:03   #4 (permalink)
Product Manager
 
Join Date: Jan 2004
Location: Unknown
Age: 34
Posts: 8,786
Member: 49752
Status: Offline
Sonork: QQ:1474246528
Thanks Meter: 5,815
@Dejan Kaljevic
one most important thing if u know u can let us know...

ur bb5 calculation algo is perfect why new rap don't possible extract lock area?

to calc bb5 original sp unlock code ..

Nokia totally removed or moved or crypted with 1024 rsa lock area?

is there any way to extract or find lock area which u found before in 6630 and all old rap and make calculation solution without tp.which software u put free..


thanks for good part1 and part2 for bb5 now i can see why bb5box stand hehe..

Last edited by Syed; 09-16-2007 at 14:05.
  Reply With Quote
Old 09-16-2007, 11:36   #5 (permalink)
No Life Poster
 
Bph&co's Avatar
 
Join Date: Feb 2000
Location: UK
Posts: 3,185
Member: 1024
Status: Offline
Thanks Meter: 5,505
Quote:
Originally Posted by Dejan Kaljevic View Post
But again, Nokia made another big hole or maybe NOT?!
One of critical rutines can be EASELY find by looking for ASCII string!!!,
belived or not.
Magic string is "012345678901234" and it is default SP pass for test phones or
what. Probably they have problem to put string somethin like "FOR HACKERS HERE IS CRITICAL CODE!"
Well,

Its just different way of allocation of memory, instead of declaring:

char default_code[15]; they use:
char default_code[] = "012345678901234";

This is the way you use to find the simlock handler ?
And what is this post about ? You mean people with iq < 50 that call you
'G_o_d' will use the info, code the CPLD in VHDL and make free unlocker ?

I posted all this info long time ago, just use the search button. Whoever
have brain and equipment to do it based on that info, has already done it.

Funny guy.
  Reply With Quote
Old 09-16-2007, 12:12   #6 (permalink)
Freak Poster
 
Boban's Avatar
 
Join Date: Jan 2005
Location: Around the world
Age: 50
Posts: 191
Member: 106484
Status: Offline
Thanks Meter: 400
Quote:
Originally Posted by Bph&co View Post
Well,

Its just different way of allocation of memory, instead of declaring:

char default_code[15]; they use:
char default_code[] = "012345678901234";

This is the way you use to find the simlock handler ?
And what is this post about ? You mean people with iq < 50 that call you
'G_o_d' will use the info, code the CPLD in VHDL and make free unlocker ?

I posted all this info long time ago, just use the search button. Whoever
have brain and equipment to do it based on that info, has already done it.

Funny guy.
Great
Then , now , you have much more info to make your own box , or to add BB5 unlocking in F1 box
  Reply With Quote
Old 09-16-2007, 12:17   #7 (permalink)
No Life Poster
 
*MaTeOoSh*'s Avatar
 
Join Date: Dec 2000
Location: gsmdoctor.pl
Age: 42
Posts: 1,317
Member: 2755
Status: Offline
Thanks Meter: 42
Quote:
Originally Posted by louischara View Post
So mcu must be uploaded whilst phone is running..... nothing here mentioned about using test points, as Dejan explained in his first post this is alternative to using test points...
Now just to figure out how to edit mcu file, and then rewrite back to phone....
anyone had any luck yet.
routines will not start, if they're not signed properly. This is a protection against code patching done by internally by CPU.

Bph as he said posted this method long time ago, but w/o good (fast) equipment (eg. logic analyzer) the implementation chances are near 0.

So long time ago was clear, that the method is to trace the address bus enough fast to handle burst mode, when right address is encountered then count the bits and change a correct one grounding the databus.

The trick is to find an address and procedure entry-point. This is major work to disassemble megabytes of FW to find right call and cmp.

Dejan for sure is not G*O*D, but he always has good ideas and time to check them. The tricky method with old raps is for sure more "tricky" than the one with TPs, and this method showed a real potential of himself.
  Reply With Quote
Old 09-16-2007, 12:21   #8 (permalink)
Product Supporter
 
NoName®'s Avatar
 
Join Date: Mar 2005
Location: China
Posts: 3,251
Member: 129885
Status: Offline
Sonork: 100:1603514
Thanks Meter: 5,816
Heh so in third part we must get any very fast FPGA device (XILINX/CYCLONE) and wrote simple code to count adress of and patch one bit :-)
Than post it here for smart copypasters like chinesian boys / raskal / uid / etc.


b.r NoName®
  Reply With Quote
Old 09-16-2007, 12:45   #9 (permalink)
Junior Member
 
Join Date: Jun 2005
Posts: 6
Member: 152506
Status: Offline
Thanks Meter: 0
I'm missing the "permanent" part of the solution.
From what I understand patching is made during the instruction fetch, toggling one bit on the data bus.
This allows ARM to follow our desired code path and have the phone unlocked.

But,.. in order to have this permanent, patching should be made in flash resident code.
And in that case how to bypass the flash check at next boot then?

Thx
  Reply With Quote
Old 09-16-2007, 13:15   #10 (permalink)
No Life Poster
 
Bph&co's Avatar
 
Join Date: Feb 2000
Location: UK
Posts: 3,185
Member: 1024
Status: Offline
Thanks Meter: 5,505
Quote:
Originally Posted by dopper View Post
I'm missing the "permanent" part of the solution.
From what I understand patching is made during the instruction fetch, toggling one bit on the data bus.
This allows ARM to follow our desired code path and have the phone unlocked.

But,.. in order to have this permanent, patching should be made in flash resident code.
And in that case how to bypass the flash check at next boot then?

Thx
Yeah, its done while the branch prediction unit dumps block to the processor
cache. From a technical point of view all the code is executed in RAM (because
of the cache) and you modify the RAM not the flash.

The method is to send wrong unlock code via FBUS command and modify
the result, then last step before cleanup in the code handler is to recalculate
the splocks with the phone unique key ( accessible only from secure ram,
where the sl_pa block is executed).

So if you modify the result of test_code() func, you make the phone to
recalculate its own lock, without violating the protection.

The funny part is that TI warns all customers about this flaw, because the
Flash is not on the same die, but rather external and the bus is exposed.

Oh Boban, what do you mean by 'now' ? Check my attachment

BR
Attached Images
File Type: gif Untitled-1.gif (78.0 KB, 4789 views)
  Reply With Quote
Old 09-16-2007, 15:32   #11 (permalink)
Freak Poster
 
Join Date: Apr 2005
Age: 32
Posts: 374
Member: 138877
Status: Offline
Thanks Meter: 0
anyone been succesful trying this, i have been totally unsuccesful trying to open file using ARM Disassembler. Keep getting header error.
Anyone know what this mean?
  Reply With Quote
Old 09-16-2007, 15:40   #12 (permalink)
Insane Poster
 
Join Date: Apr 2005
Age: 44
Posts: 67
Member: 140289
Status: Offline
Thanks Meter: 11
@Dejan Better way, as allways, make "fly" changes between return(false); and return(true); directly in sub. WBR
@NoName® Yes MCP work at 66 MHz. And for protected You can use "gluid" solution. Online generate RND codes, and create from them configuration file for FPGA for catch "right" sequence 0's and 1's ==func(this code).
  Reply With Quote
Old 09-16-2007, 15:45   #13 (permalink)
Junior Member
 
Join Date: Jan 2006
Posts: 14
Member: 222181
Status: Offline
Thanks Meter: 0
empty phones

Hi

It is very nice from you Dejan to share this with us.
I like to know one more thing. In theory is it possible to load empty nokia phones?
If it is possible, when can we except for it? Are you working on such a project?

hvala u napred
  Reply With Quote
Old 09-16-2007, 16:43   #14 (permalink)
No Life Poster
 
Join Date: Apr 2006
Location: APPLE i Center
Age: 33
Posts: 1,723
Member: 264667
Status: Offline
Sonork: 100.105892
Thanks Meter: 462
Quote:
Originally Posted by NOKIA127 View Post
Mr Dejan, with all the respect to you.

1. of its post previous. Do you believe that nokia put that error so that its telephones are unlocked to future for all boxes?

2. why the other boxes do not look errors in nokia sw, the other boxes are copy and copy your work?

3. Do you think that the other boxes should change their way to work?

i think so it is very difficult that you this responds, you are very busy but I believe important you know their opinion.

Nokia127
It is Not 2 Easy to Break the Nokia BB5 security as Dejan Describe In His Own words....
Did U Check waht Bph&co said....
Quote:
Originally Posted by Bph&co View Post
I posted all this info long time ago, just use the search button. Whoever have brain and equipment to do it based on that info, has already done it.
If It was 2 Easy Then why F1 Team have No bb5 solotion..??
  Reply With Quote
Old 09-16-2007, 17:23   #15 (permalink)
No Life Poster
 
Amir-SkillZ's Avatar
 
Join Date: Nov 2004
Location: Capetown
Posts: 6,703
Member: 91045
Status: Offline
Thanks Meter: 8,691
Fact is Patching can only be done When phone is ON......That will take a While...
@[email protected]
WHat u posted Is different then this becoz this is self explaning...!!!
Here Talking about Patching a Working Code while all system is running not an easy job
specially for the people (inlcuding me) reading all again and again.....thinking might get their hand on making free bb5 solution...
@dejan
Sir toggling only 1 bit why not possible on all flash types (mean version matters ?)
@Stanner
Yet Nokia not totally removed or moved or crypted with 1024 rsa locked area....i think thats why this can only be done on previous versions of SW packages....
Other Hand Working On Empty Phones fly would be much easier
  Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
thread Thread Starter Forum Replies Last Post
Iphone 3G Technical Discussion and SP Unlocking theory GraveSlayer iPhone 2 / iPhone 3G / iPhone 3GS 8 11-15-2008 06:04
Build by your self BB5 SP unlock Box Dejan Kaljevic Nokia Base Band 5 ( BB-5 ) 613 05-14-2008 11:13
Cabel needed to unlock 5300 with BB5 SP UNLOCKER??? crashing Nokia Base Band 5 ( BB-5 ) 5 09-11-2007 10:05

 



All times are GMT +1. The time now is 14:05.



Powered by Searchlight © 2018 Axivo Inc.
vBulletin Optimisation provided by vB Optimise (Pro) - vBulletin Mods & Addons Copyright © 2018 DragonByte Technologies Ltd.
- GSM Hosting Ltd. - 1999-2017 -
Page generated in 0.49952 seconds with 9 queries

SEO by vBSEO