07-02-2005, 20:31 | #16 | Freak Poster (joined May 2003, Poland)
So is the algorithm that checks the simlock and IMEI executed inside the RAP3G or the OMAP?
07-02-2005, 22:02 | #18 | Administrator (joined Jul 2002, E G Y P T)
Are you trying to disassemble flash files? I thought you were trying to unpack a flash chip dump. Anyway, in both cases there is no need for it; all the tricks are in the RAP3G.
07-03-2005, 03:54 | #19 | Freak Poster (joined Feb 2001)
RAP3G
j3100 etm pipe b0
j3101 etm pipe b1
j3102 TDO
j3103 TMS
j3104 TRST
j3105 TDI
j3106 TCLK
j3107 etm pkt 3
j3108 etm pkt 2
j3109 etm pkt 1
j3110 EMU0
j3111 etm pkt 4
j3112 etm pkt 0
j3113 etm clk
j3114 GND
+ XDS560 + .......
I'm tired of unlocking BB5 phones.
07-03-2005, 04:14 | #20 | Freak Poster (joined Nov 2004, everywhere)
Good that you are present; we really need more info about BB5. What about the security certificate, ready for 6680? If you are tired you can give the solution to us.
07-03-2005, 09:30 | #21 | Junior Member (joined May 2005)
So to summarize: BaseBand5 is structured in 2 blocks:
- application engine (AE) and cellular phone engine (CE)
- both are operating independently from each other (different OSes)
- both are heavily secured against modifications with all kinds of checksums and public/private key encryption (certificates)
- there is no direct way to communicate with/interface the CE (unknown OS); only very indirectly through the AE
- the AE (Symbian) does not allow loading device drivers which are not included in the ROM (Z:\)
- unlock keys are not based on algorithms but on randomly chosen keys stored in some Nokia database, to which we will probably never get access
- Nokia's private keys are unknown and it's also very likely that we never get access to them
- checksums of Nokia's public keys along with some loader code are probably stored on the processor (the OMAP1710 has an internal ROM of 48kb, the RAP3G could have something similar)
- RAP3G is not for sale, OMAP1710 is only for corporate customers with high quantity sales (so no way of getting virgin, non-Nokia-branded processors to replace them)
These (probably wrong) facts result in some (probably even more wrong) conclusions:
- we can't load 'interesting' code on the phone, e.g. a device driver to examine the memory, the RAP3G interface, do in-memory patching to trick the phone into believing it's running in network A while running on network B, ... neither the easy way (via file transfer and FExplorer execution, prevented by the Symbian kernel) nor the hard way (patched flash files are prevented from executing on the phone by checksums and certificates; patched certificates will be detected by the processor, which will refuse to execute further code)
- even if we could control the application engine part of the phone, Nokia has probably implemented a way to share the SIM card interface between AE and CE; so the (real) locks are not only in the AE part but also in the CE part.
- even if we find some bug in one of the OSes of CE or AE which allows us to unlock it, Nokia will find out about it and close it in the next fw release. Remember BB5 can't be flashed with older fw.
So let's face it, there die your unlocking plans along with my trying to run LINUX on it... even though my project has a higher success possibility (I needn't take care of any certificates except the certificate checksums in the processor(s)) - but since it's only a private project, I'm not gonna buy any expensive equipment to accomplish it.
Feel free to correct my assumptions/conclusions - I'd be more than happy if I have misunderstood anything essential.
Last edited by ppheonixx; 07-03-2005 at 09:53.
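Post #21 sketches a chain of trust: a hash of the vendor public key in processor ROM, a certificate plus signed code in flash, and a loader that refuses to run anything that fails either check. The Go program below is an added example written for this page, not code from the thread, from Nokia or from any BB5 tool. It models that chain with Ed25519 and SHA-256 (the thread does not state which algorithms BB5 actually uses) and shows which check catches a patched image and which catches a swapped certificate. Key material and the firmware bytes are constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RomRoot models what an immutable boot ROM holds in the layout described
// above: only a hash of the vendor's public key, never the key itself.
type RomRoot struct {
	PubKeyHash [32]byte
}

// FirmwareImage is the signed package that lives in rewritable flash.
type FirmwareImage struct {
	Code      []byte
	PubKey    ed25519.PublicKey // the "certificate" shipped with the code
	Signature []byte            // vendor signature over Code
}

var (
	ErrBadCert = errors.New("public key does not match ROM root hash")
	ErrBadSig  = errors.New("firmware signature does not verify")
)

// NewVendorAndRom creates a vendor key pair (kept off the device) and the
// ROM root that would be burned into the processor at manufacture.
// Ed25519 stands in for whatever scheme the real chip uses (assumption).
func NewVendorAndRom() (ed25519.PrivateKey, RomRoot, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, RomRoot{}, err
	}
	return priv, RomRoot{PubKeyHash: sha256.Sum256(pub)}, nil
}

// SignFirmware is the vendor-side step: sign the code and bundle the public key.
func SignFirmware(priv ed25519.PrivateKey, code []byte) FirmwareImage {
	return FirmwareImage{
		Code:      code,
		PubKey:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, code),
	}
}

// VerifyBoot is the loader-side check. A swapped certificate fails the
// first test; patched code (or code re-signed under another key) fails the second.
func VerifyBoot(rom RomRoot, img FirmwareImage) error {
	if sha256.Sum256(img.PubKey) != rom.PubKeyHash {
		return ErrBadCert
	}
	if !ed25519.Verify(img.PubKey, img.Code, img.Signature) {
		return ErrBadSig
	}
	return nil
}

// Tamper returns a copy of img with one bit of code flipped, the
// patched-flash case the post above expects the checks to reject.
func Tamper(img FirmwareImage) FirmwareImage {
	patched := img
	patched.Code = append([]byte(nil), img.Code...)
	patched.Code[0] ^= 0x01
	return patched
}

func main() {
	priv, rom, err := NewVendorAndRom()
	if err != nil {
		panic(err)
	}
	img := SignFirmware(priv, []byte("constructed firmware image")) // constructed sample

	fmt.Println("genuine image:", VerifyBoot(rom, img))
	fmt.Println("patched code: ", VerifyBoot(rom, Tamper(img)))

	// Re-signing the patched code under a different key and shipping that
	// key as the certificate is caught by the ROM hash, not the signature.
	otherPriv, _, err := NewVendorAndRom()
	if err != nil {
		panic(err)
	}
	fmt.Println("foreign key:  ", VerifyBoot(rom, SignFirmware(otherPriv, Tamper(img).Code)))
}
```

The order of the two checks matters: the ROM hash is what anchors everything, so a loader must validate the certificate before it trusts that certificate to validate the code.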
07-03-2005, 17:54 | #22 | No Life Poster (joined Mar 2002, Somewhere in the World)
Nokia doesn't use random codes; the codes are still based on an algorithm containing lock values, configuration key and IMEI. This algorithm is probably inside RAP3G.
Inside RAP3G there must be the algorithm for writing a new certificate, too, since after correct presentation of the unlock code the new lock values must be signed - so the Nokia private key must be inside RAP3G, too.
dejan can unlock 6630, so he knows how to write a new certificate and knows the private key, OR he knows how to disable the checksum check of the flash.
If downgrade is prevented by version information inside RAP3G it's very difficult to get around, but if it's in PM data we perhaps could make a backup by reading out the PM data.
07-03-2005, 17:58 | #23 | No Life Poster (joined Dec 2004, 0x001FD00)
No wonder you are the king! Keep working on, dejan.
07-03-2005, 18:06 | #24 | No Life Poster (joined Dec 2004, 0x001FD00)
http://focus.ti.com/docs/toolsw/fold...nt/xds560.html
@dejan What price did you pay to play with this kind of hack? JTAG stuff never comes cheap.
07-03-2005, 18:40 | #25 | Junior Member (joined May 2005)
It must have been quite hard to figure out the interface pins of an undocumented JTAG-aware processor (RAP3G), write declarations for it and disassemble instructions. Anyway, thanks for correcting me!
07-03-2005, 19:06 | #26 | No Life Poster (joined Dec 2004, 0x001FD00)
Some info (copy and pasted):
RAP3G ASIC is a 3G Radio Application Processor. RAM memory is integrated into RAP3G. In general RAP3G consists of three separate parts:
• Processor subsystem (PSS) that includes the main processor and related functions
• MCU peripherals that are mainly controlled by the MCU
• DSP peripherals that are mainly controlled by the DSP
RM-57/58 RAP3G memories: NOR flash and SDRAM
Modem memory consists of 64 Mbit SDRAM and 64 Mbit NOR flash memories. SDRAM is a dynamic memory for ISA SW. NOR is used for ISA SW code, PMM data and CDSP SW code. The 16-bit wide SDRAM interface consists of a DDR SDRAM controller from ARM, DCDL/DLLs and wrapper logic. The 32-bit wide flash interface is implemented by using the EMC module. SDRAM core voltage (1.8V) is generated from Retu VDRAM and I/O voltage (1.8V) is from VIO. NOR flash uses VIO for both core and I/O voltages.
See some interconnection between modules in this pic.
07-03-2005, 19:50 | #27 | Junior Member (joined May 2005)
Okay, new assumptions:
- dejan can unlock phones with the JTAG interface; it's a real unlocking solution without patching any firmware, removing checksum checks or certifications, but by finding out the correct key to enter into the phone
- SX-5 + winlock5 can calculate unlock codes
New conclusions:
- the algorithm exists, but is not extractable since the phone itself does not know about it
- the algorithm is unlikely to ever be cracked - smartcards are quite secure
- the private key (for the certificate) doesn't need to be the same for every phone; probably it's not a (or the) Nokia private key but a phone private key, unique for every phone
So the unlocking solution is quite simple:
1) attach the phone's RAP3G to JTAG
2) enter a wrong code
3) analyse the captured real-time processor instructions and retrieve the code
4) enter the correct code
Problem solved, ... next!
btw: sorry for not telling you anything new - I have the feeling BB5 is the last platform which is somewhat hackable... if they would play a little bit more with certificates and disable JTAG for production systems we're truly ****ed.
ps. if anyone knows/has an idea how I could run code in non-protected mode on a 6680 with the latest fw, please write me a short PM. I'm newly motivated to port Linux to it because there is a slight chance the processor(s) is/are not locked to the firmware (yet). As a pointer, usually device drivers do this, but custom DDs are disabled on Nokia Series 60 phones.
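Post #27 assumes the phone can check a code that it does not itself know how to generate. The Go program below is an added example, not code from the thread or from Nokia, of the usual way to build such a verifier: the device stores only a per-device salt and a hash of the correct code, compares in constant time so timing reveals nothing about partial matches, and freezes the lock after a fixed number of wrong tries so guessing is bounded. The code string, the 16-byte salt and the attempt limit are constructed values, not BB5 parameters.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	ErrWrongCode = errors.New("wrong unlock code")
	ErrLockedOut = errors.New("attempt limit reached; lock is frozen")
)

// LockRecord is what the phone side holds. It contains neither the code
// nor the generator that produced it, only a salted hash and a counter.
type LockRecord struct {
	Salt        []byte
	CodeHash    [32]byte
	Attempts    int
	MaxAttempts int
}

// hashCode binds the code to a per-device salt so identical codes on two
// devices do not produce identical records.
func hashCode(salt []byte, code string) [32]byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(code))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Provision runs where the code is generated (off the device) and returns
// the record to write into the phone. The 16-byte salt and maxAttempts
// are constructed choices for this example, not BB5 parameters.
func Provision(code string, maxAttempts int) (*LockRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &LockRecord{Salt: salt, CodeHash: hashCode(salt, code), MaxAttempts: maxAttempts}, nil
}

// TryUnlock is the device-side check. The comparison is constant time so
// timing does not reveal how many bytes matched, and every failure counts
// toward the limit; once it is reached, even the correct code is refused.
func (r *LockRecord) TryUnlock(code string) error {
	if r.Attempts >= r.MaxAttempts {
		return ErrLockedOut
	}
	got := hashCode(r.Salt, code)
	if subtle.ConstantTimeCompare(got[:], r.CodeHash[:]) == 1 {
		r.Attempts = 0
		return nil
	}
	r.Attempts++
	return ErrWrongCode
}

func main() {
	const realCode = "constructed-code-4711" // constructed sample, generated off-device
	rec, err := Provision(realCode, 3)
	if err != nil {
		panic(err)
	}
	// Three wrong guesses exhaust the limit; the fourth try is refused even
	// though it is the correct code.
	for _, guess := range []string{"00000000", "12345678", "87654321", realCode} {
		res := rec.TryUnlock(guess)
		fmt.Printf("try %q: %v (attempts=%d)\n", guess, res, rec.Attempts)
	}
	// A fresh record with the same code accepts it on the first try.
	fresh, _ := Provision(realCode, 3)
	fmt.Println("fresh record, correct code:", fresh.TryUnlock(realCode))
}
```

Nothing in the record lets the device (or anyone reading its memory) reconstruct the code or the algorithm behind it; what the device can still leak is the outcome of each comparison, which is why the attempt counter is part of the design rather than an afterthought.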
07-03-2005, 20:08 | #28 | No Life Poster (joined Dec 2004, 0x001FD00)
Quote:
1) attach the phone's RAP3G to JTAG
2) enter a wrong code
3) analyse the captured real-time processor instructions and retrieve the code
4) enter the correct code
That will be cool! No, I don't think they will disable JTAG in the future, since JTAG is important. Don't know if in the future JTAG will ask for a password also.
07-03-2005, 21:17 | #29 | Junior Member (joined May 2005)
Another way would be to download all the instructions from ROM/RAM, decode them and analyse them... anyway, without really good and expensive equipment it's impossible.
But shhhhhhhhhhhhtttttt! ..passwords... if they read these forums, they get bad ideas.