GSM-Forum > Nokia Base Band 5 ( BB-5 )

Old 07-02-2005, 20:31   #16 (permalink)
@JuniorJack Where have you got the files that you have disassembled? Please share your sources!

So is the algo for checking the simlock and IMEI executed inside RAP3G or OMAP?
Old 07-02-2005, 21:55   #17 (permalink)
Hi,

Simple: C:\Program Files\Nokia\Phoenix\Flash\

Old 07-02-2005, 22:02   #18 (permalink)
..::Neo::..
Are you trying to disassemble flash files? I thought you were trying to unpack a flash chip dump. Anyway, in both cases there is no need for it; all the tricks are in the RAP3G.
Old 07-03-2005, 03:54   #19 (permalink)
Dejan Kaljevic
RAP3G

j3100 etm pipe b0
j3101 etm pipe b1
j3102 TDO
j3103 TMS
j3104 TRST
j3105 TDI
j3106 TCLK
j3107 etm pkt 3
j3108 etm pkt 2
j3109 etm pkt 1
j3110 EMU0
j3111 etm pkt 4
j3112 etm pkt 0
j3113 etm clk
j3114 GND

+XDS560 +.......

I'm tired of unlocking BB5 phones
Old 07-03-2005, 04:14   #20 (permalink)
Al@din
Good that you are present.
We really need more info about BB5.
What about the security certificate?
Ready for 6680?
If you are tired you can give the solution to us.
Old 07-03-2005, 09:30   #21 (permalink)
ppheonixx
So to summarize:
BaseBand5 is structured in 2 blocks:
-application engine (AE) and cellular phone engine (CE)
-both are operating independently from each other (different OSes)
-both are heavily secured against modifications with all kinds of checksums and public/private key encryption (certificates)
-there is no direct way to communicate with/interface the CE (unknown OS); only very indirectly through the AE
-AE (Symbian) does not allow loading device drivers which are not included in the ROM (Z:\)
-unlock keys are not based on algorithms but on randomly chosen keys stored in some Nokia database which we will probably never get access to
-Nokia's private keys are unknown and it's also very likely that we will never get access to them
-checksums of Nokia's public keys along with some loader code are probably stored on the processor (OMAP1710 has an internal ROM of 48kb, RAP3G could have something similar)
-RAP3G is not for sale, OMAP1710 is only for corporate customers with high quantity sales (so no way of getting virgin, non Nokia branded, processors to replace them)

These (probably wrong) facts result in some (probably even more wrong) conclusions:
-we can't load 'interesting' code on the phone, e.g. a device driver to examine the memory, the RAP3G interface, do in-memory patching to trick the phone into believing it's running in network A while running on network B, ...
neither the easy way (via file transfer and FExplorer execution, prevented by the Symbian kernel) nor the hard way (patched flash files are prevented from executing on the phone by checksums and certificates, patched certificates will be detected by the processor which will refuse to execute further code)
-even if we could control the application engine part of the phone, Nokia has probably implemented a way to share the SIM card interface between AE and CE; so the (real) locks are not only in the AE part but also in the CE part.
-even if we find some bug in one of the OSes of CE or AE which allows us to unlock it, Nokia will find out about it and close it in the next fw release. Remember bb5 can't be flashed with older fw.

So let's face it, there die your unlocking plans along with my attempt to run LINUX on it.. even though my project has a higher success possibility (I needn't take care of any certificates but the certificate checksums in the processor(s)) - but since it's only a private project, I'm not gonna buy any expensive equipment to accomplish it.
Feel free to correct my assumptions/conclusions - I'd be more than happy if I have misunderstood anything essential.

Last edited by ppheonixx; 07-03-2005 at 09:53.
Old 07-03-2005, 17:54   #22 (permalink)
german gsm team
Quote:
Originally Posted by ppheonixx
-unlock keys are not based on algorithms but on randomly chosen keys stored in some Nokia database where we probably never get access to
Since Winlock 5 allows unlock code calculation with an SX-5 smartcard but without a phone connected, this must be wrong.

Nokia doesn't use random codes; the codes are still based on an algorithm containing lock values, configuration key and IMEI. This algorithm is probably inside RAP3G.

Inside RAP3G there must be the algorithm for writing a new certificate, too, since after correct presentation of the unlock code the new lock values must be signed - so the Nokia private key must be inside RAP3G, too.

Dejan can unlock 6630 so he knows how to write a new certificate and knows the private key OR he knows how to disable the checksum check of the flash.

If downgrade is prevented by version information inside RAP3G it's very difficult to get around, but if it's in pm data we perhaps could make a backup by reading out pm data.
Old 07-03-2005, 17:58   #23 (permalink)
Zaihtam
Quote:
Originally Posted by Dejan Kaljevic
RAP3G

j3100 etm pipe b0
j3101 etm pipe b1
j3102 TDO
j3103 TMS
j3104 TRST
j3105 TDI
j3106 TCLK
j3107 etm pkt 3
j3108 etm pkt 2
j3109 etm pkt 1
j3110 EMU0
j3111 etm pkt 4
j3112 etm pkt 0
j3113 etm clk
j3114 GND

+XDS560 +.......

I'm tired of unlocking BB5 phones
You unlock using a JTAG debugger? That's why in the picture you posted before you have a ribbon data cable connected to your phone. No wonder now. But the JTAG interface cannot be attached via the Tommahawk interface, so you would have to disassemble the phone, and there is no connector inside. You soldered the wire to the JTAG test point pinout? OMG! Boundary Scan Level Hack. Phew..

No wonder you are the king! Keep working on it, dejan.
Old 07-03-2005, 18:06   #24 (permalink)
Zaihtam
http://focus.ti.com/docs/toolsw/fold...nt/xds560.html

@dejan
What price did you pay to play with this kind of hack? JTAG stuff never comes cheap.
Old 07-03-2005, 18:40   #25 (permalink)
ppheonixx
Quote:
Originally Posted by german gsm team
nokia don't use random codes [...]

dejan can unlock 6630 so he knows how to write new certificate and knows private key OR he knows how to disable checksum check of flash
I wasn't sure if dejan really could unlock phones or not (no offense dejan, but until I see something with my own eyes..). Of course the JTAG way could mean a lot of new possibilities.

It must have been quite hard to figure out the interface pins of an undocumented JTAG-aware processor (rap3g), write declarations for it and disassemble instructions.
Anyway thanks for correcting me!

Quote:
inside RAP3G there must be the algorithm for writing new certificate, too, since after correct presentation of unlock code the new lock values must be signed - so the Nokia private key must be inside RAP3G, too
According to my schematics, the CE (incl. rap3g) has its own 8mb rom and 8mb ram; of course if rap3g is similar to the omap processor and there is on-processor memory, I would use it to lock the firmware to the processor and vice versa too (as I described in my first post).
Old 07-03-2005, 19:06   #26 (permalink)
Zaihtam
Some info (copy and pasted):

RAP3G ASIC is a 3G Radio Application Processor. RAM memory is integrated into RAP3G.
In general RAP3G consists of three separate parts:
• Processor subsystem (PSS) that includes the main processor and related functions
• MCU peripherals that are mainly controlled by MCU
• DSP peripherals that are mainly controlled by DSP
RM-57/58
RAP3G memories NOR flash and SDRAM

Modem memory consists of 64 Mbit SDRAM and 64 Mbit NOR flash memories.
SDRAM is a dynamic memory for ISA SW.
NOR is used for ISA SW code and PMM data and CDSP SW code.
16-bit wide SDRAM interface consists of DDR SDRAM controller from ARM, DCDL/DLLs and wrapper logic. 32-bit wide flash interface is implemented by using EMC module.
SDRAM core voltage (1.8V) is generated from Retu VDRAM and I/O voltage (1.8V) is from VIO. NOR flash uses VIO for both core and I/O voltages.

See some interconnection between modules in this pic.
[Attached image: Intercon.bmp]
Old 07-03-2005, 19:50   #27 (permalink)
ppheonixx
Okay, new assumptions:
-dejan can unlock phones with the JTAG interface; it's a real unlocking solution without patching any firmware, removing checksum checks or certificates, but by finding out the correct key to enter into the phone
-SX-5 + winlock5 can calculate unlock codes

New conclusions:
-the algorithm exists, but is not extractable since the phone itself does not know about it
-the algorithm is unlikely to ever be cracked - smartcards are quite secure
-the private key (for the certificate) doesn't need to be the same for every phone; probably it's not a or the Nokia private key but a phone private key, unique for every phone

So the unlocking solution is quite simple:

1) attach phone's rap3g to jtag
2) enter a wrong code
3) analyse captured real-time processor instructions and retrieve code
4) enter correct code

Problem solved, ... next!

btw: sorry for not telling you anything new - I have the feeling bb5 is the last platform which is somewhat hackable... if they would play a little bit more with certificates and disable jtag for production systems we're truly ****ed

ps. If anyone knows/has an idea how I could run code in non-protected mode on a 6680 with the latest fw, please write me a short pm. I'm newly motivated to port linux to it because there is a slight chance the processor(s) is/are not locked to the firmware (yet). As a pointer, usually device drivers do this, but custom dds are disabled on Nokia series60 phones.
Old 07-03-2005, 20:08   #28 (permalink)
Zaihtam
Quote:
Originally Posted by ppheonixx
1) attach phone's rap3g to jtag
2) enter a wrong code
3) analyse captured real-time processor instructions and retrieve code
4) enter correct code

That will be cool!

No, I don't think they will disable JTAG in the future, since JTAG is important. Don't know if in the future JTAG will ask for a password also.
Old 07-03-2005, 21:17   #29 (permalink)
ppheonixx
Quote:
Originally Posted by Zaihtam
1) attach phone's rap3g to jtag
2) enter a wrong code
3) analyse captured real-time processor instructions and retrieve code
4) enter correct code

That will be cool!
Yeah - probably it's not that easy (they wouldn't use some humpdydumpty library function to compare the entered code with the real code), so you would need to single-step and/or modify fetched instructions to trick the system into comparing more of the unlock code (if that is even possible over JTAG; the only time I needed it was back in ipaq times when I flashed it back to life via JTAG).
Another way would be to download all the instructions from rom/ram, decode them and analyse them... anyway without really good and expensive equipment - it's impossible.

Quote:
No, I don't think they will disable JTAG in the future, since JTAG is important. Don't know if in the future JTAG will ask for a password also.
Ah, you mean for testing while in production..
But shhhhhhhhhhhhtttttt! ..passwords... if they read these forums, they get bad ideas.
Old 07-04-2005, 14:30   #30 (permalink)
Dejan Kaljevic
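The point ppheonixx makes above, that a "humpdydumpty library function" comparing the entered code with the stored one would give the game away to anyone single-stepping the CPU, is the classic early-exit comparison leak. The C below is an added illustration written for this thread, not code from any poster or from Nokia firmware: it contrasts an early-exit compare, whose loop count equals the length of the correct prefix plus one (exactly what an instruction trace or timing would reveal), with a constant-time compare that visits every digit regardless. The stored code and the guesses are constructed sample values; `iterations_early_exit` and `iterations_constant_time` are hypothetical helper names that expose only the observable loop count.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample value for illustration only; not a real unlock code. */
#define CODE_LEN 15
static const char STORED_CODE[CODE_LEN + 1] = "012345678901234";

/*
 * Early-exit comparison (the "library function" style warned about above).
 * It stops at the first mismatching digit, so the number of loop iterations,
 * visible to anyone single-stepping or tracing the CPU, equals the length of
 * the correct prefix plus one.
 */
static int compare_early_exit(const char *entered, const char *stored,
                              size_t len, size_t *iterations)
{
    for (size_t i = 0; i < len; i++) {
        if (entered[i] != stored[i]) {
            *iterations = i + 1;
            return 0;
        }
    }
    *iterations = len;
    return 1;
}

/*
 * Constant-time comparison: always visits every digit and folds every
 * difference into one accumulator, so control flow and iteration count are
 * identical for every guess; only the final result depends on the data.
 */
static int compare_constant_time(const char *entered, const char *stored,
                                 size_t len, size_t *iterations)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(entered[i] ^ stored[i]);
    *iterations = len;
    return diff == 0;
}

/* Hypothetical helpers: report only the observable iteration count for a guess. */
size_t iterations_early_exit(const char *guess)
{
    size_t n;
    compare_early_exit(guess, STORED_CODE, CODE_LEN, &n);
    return n;
}

size_t iterations_constant_time(const char *guess)
{
    size_t n;
    compare_constant_time(guess, STORED_CODE, CODE_LEN, &n);
    return n;
}

int main(void)
{
    /* Constructed guesses sharing 0, 3 and 15 leading digits with the stored code. */
    const char *guesses[] = { "999999999999999", "012999999999999", "012345678901234" };
    for (size_t g = 0; g < 3; g++) {
        printf("guess %s: early-exit iterations=%zu, constant-time iterations=%zu\n",
               guesses[g], iterations_early_exit(guesses[g]),
               iterations_constant_time(guesses[g]));
    }
    return 0;
}
```

With the early-exit version the observable count climbs from 1 to 4 to 15 as the guess shares more leading digits, which is what turns a single-step session into a digit-by-digit search; with the constant-time version it is 15 for every guess, so the trace alone says nothing about how close the guess was. The `volatile` accumulator is there to stop the compiler from reintroducing an early exit when it optimises the loop.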
For playing with BB5 6630 OMAP OS Symbian

j5100 TDO
j5101 TMS
j5102 nRST
j5103 TDI
j5104 etmp stat 3
j5105 TCK
j5106 etmp stat 4
j5107 etmp stat 5
j5108 rTCK
j5109 EMU0
...