1st in the world solution to repair unrepairable BB5 phones (SX4 failed)

[karwos]

Hello
After release SX4 auth in my software, many persons contacted me and reported that simply SX4 auth not work.
What is SX4 auth, read more please here:
http:///vbb/showthread.php?t=481581
This solution was tested and prooved to work in E50, 6300, N80, etc, and phone s was 100% repairable...
But theres avaiable on market some amount of BB5 phones which simply CANT BE AUTHORIZED even using ORIGNAL Phoenix SW and PK-1 dongle and SX-4 card!!! Auhtorization simply "fails", same with other SW (jaf: error receiving data from server step2, UB: Step1 error, My sw: Card failure) - i just received in my hands this way fuked 3250 (more: http:///vbb/showpo...4&postcount=29).

But, as always, Nokia leaved big security hole...
You can repair all this phones even WITHOUT using SX-4 authorization PROCESS!
How?
Simply.

Get UFS+HWK.
Use RdCert option, and in example of RM-38 this fille will be readen from phone:
Rm-38_357934000834936_2007-12-22185230_NPCCmt.bin
Make copy of this file.
Open file and fill it with same FFFFFFFFFFFFFFFFF.... (0x184 bytes of 0xFF) write it back to phone. It will boot up BUT IMEI will be damaged. Dont worry.

NOW you can write FULL pm including RF and Energy Calibration settings! Phone will not even check the SX-4 auth status!!!

Same way you can repair downgraded phones, without even re-flashing it! Just erase NPC cert, patch the certificate using any SW, reboot phone, and that's it!

After writing PM just write back original NPC.
Tested with "unrepairable" even with Original NMP software 3250 - now phone works ok, no resets.

PS. as long as FlashBus is not yet implemented in my SW, all this steps you need do it yourself. In other way it would be just "one click" and your RF+EMC+DOWNGRADE could be repaired in 5 seconds

PS2. You can also downgrade this way new security phones. Just flash phone (without even checking "downgrade") and then do above steps.

BR,
karwos

[moldovan]

Karwos
What new here ?
In this situation , from long time ago we use BB5 Erase files , like BB5eeprom erase e.t.c.
Same result.
WBR !

P.S. Be more better , if You find solution rewrite RF and Energy Calibration settings in USA phones for 900Mhz.

[ribbentrop]

I think it's working with not-damaged certificate only . But if u have corrupted cert - u cant write PM by this way .

[karwos]

Quote:

Originally Posted by moldovan

Karwos
What new here ?
In this situation , from long time ago we use BB5 Erase files , like BB5eeprom erase e.t.c.
Same result.
WBR !

P.S. Be more better , if You find solution rewrite RF and Energy Calibration settings in USA phones for 900Mhz.

Erase is a diffrent
try yourself anyway...

[karwos]

Quote:

Originally Posted by moldovan

Karwos
What new here ?
In this situation , from long time ago we use BB5 Erase files , like BB5eeprom erase e.t.c.
Same result.
WBR !

P.S. Be more better , if You find solution rewrite RF and Energy Calibration settings in USA phones for 900Mhz.

Which phone exactly ?
HW must also support 900mhz band, and not only filters but RF ic also (helgo i.e.), not all is just software case.

[moldovan]

Quote:

Originally Posted by karwos

Which phone exactly ?
HW must also support 900mhz band, and not only filters but RF ic also (helgo i.e.), not all is just software case.

About erase : I try and did Erase apox. hm... 300 times , and all was OK.
About USA BB5
For example Nokia 6300b_RM-222 , HW is ABSOLUTLY same with 6300_RM-217 ( Quad band's 850 , 900 , 1800 , 1900 Mhz ).
But in 6300b_RM-222 is blocked 900Mhz Band in SW or PM or RAP3g RAM.
Look here : http://forum.gsmhosting.com/vbb/show...2&postcount=19
Many people wait for SW solution for conversion.
We trust in You !
WBR !

[karwos]

Quote:

Originally Posted by moldovan

About erase : I try and did Erase apox. hm... 300 times , and all was OK.
About USA BB5
For example Nokia 6300b_RM-222 , HW is ABSOLUTLY same with 6300_RM-217 ( Quad band's 850 , 900 , 1800 , 1900 Mhz ).
But in 6300b_RM-222 is blocked 900Mhz Band in SW or PM or RAP3g RAM.
Look here : http://forum.gsmhosting.com/vbb/show...2&postcount=19
Many people wait for SW solution for conversion.
We trust in You !
WBR !

Great But even if, erase and double flashing takes 100x times longer and you need to backup PM cause it will be simply erased, here is 2 min of work with absolutly no risk, thatshy I posted this information, also just repaired 2pcs 3250 unrepairable even with original pk-1 + fps-8 + sx4 Also all user data is saved, so _nothing_ will be erased

ADd me to my sonork i think will have solution for you

[karwos]

You can test if phone have band lock in MCUSW or PM writing this PM correct for "european" 6300. Dont forget to backup pm "1" before writing this, also phone needs be SX4 authorized in order to do this.

Test and post results, PLEASE

[moldovan]

Quote:

Originally Posted by karwos

You can test if phone have band lock in MCUSW or PM writing this PM correct for "european" 6300. Dont forget to backup pm "1" before writing this, also phone needs be SX4 authorized in order to do this.

Test and post results, PLEASE

Sorry I havn't sonork , just ICQ.
Yes , it is natural to erase all RAP - longer , and it is not absolutely correct. Your method of 100 % is faster.

Thanks for PM to 900Mhz! I shall try Yours 6300_900_1800_band.rar on Monday on work.
But I would think that to force to work on 900Mhz Nokia 6300b - it is necessary to rewrite RAM or some others place's of RAP3g.
On Monday we shall see.
Still time of THANKS !
WBR !

P.S. Conversion Band in BB5 platform is Good Comersial solution.
If it will work , I recommended for You : cripted this PM and make as payd addon for Your dongle.
WBR !

[karwos]

Quote:

Originally Posted by moldovan

Sorry I havn't sonork , just ICQ.
Yes , it is natural to erase all RAP - longer , and it is not absolutely correct. Your method of 100 % is faster.

Thanks for PM to 900Mhz! I shall try Yours 6300_900_1800_band.rar on Monday on work.
But I would think that to force to work on 900Mhz Nokia 6300b - it is necessary to rewrite RAM or some others place's of RAP3g.
On Monday we shall see.
Still time of THANKS !
WBR !

Yeah, you catched my point. All box maker could do just one button "RpSEC" and in 1 mins all like RF+EMC calibration + downgrade could be repaired

Try it on monday please. It could be MCUSW also blocking the band, or as you said - RAP itself, but tests is needed anyway

[karwos]

Bad news, but looks like BAND informations is stored in certificate... thats why even original Phoenix cant rewrite band.

Quote:

MISSING WCDMA (3G) AND GSM850 BAND
It has been observed that in some cases it is not possible to activate 3G via phone’s menu as the icon is not visible. This could be the case in following product codes:
0548277 RM-230 5700 EURO1 CTV UK BLACK
0548706 RM-230 5700 SCAND ELISA FINLAND BLACK
0548707 RM-230 5700 SCAND ELISA FINLAND RED
0550159 RM-230 5700 EURO3 VODAFONE HU BLACK
0550826 RM-230 5700 EURO2 CTV GERMANY BLACK
0550828 RM-230 5700 EURO2 CTV GERMANY RED
If the customer complaint concerns 3G network availability for above mentioned product codes, please check from Phoenix ‘Product Info’ window the shown CS type. If the shown type is ‘GSM900/GSM1800/GSM1900’, the certificate restore must be done.
Note: Certificate restore can be done only in level 3 & 4 service points.

[moldovan]

Quote:

Originally Posted by karwos

Yeah, you catched my point. All box maker could do just one button "RpSEC" and in 1 mins all like RF+EMC calibration + downgrade could be repaired

Try it on monday please. It could be MCUSW also blocking the band, or as you said - RAP itself, but tests is needed anyway

SW in these phones corresponds with RM-222 on RM-217 and on the contrary without problem's , as HW absolutely identical.
I certainly rewrite SW RM-222 on RM-217 first , and then shall write down Your PM.
Though earlier I wrote down Full PM 0-512 without field 308 with SX4 , but unsuccessfully.
We shall hope , that will carry Monday.
WBR !

[karwos]

The problem could be NPC mismatch between RM-217 and RM-227, because in NPC is stored KSIG0 which for each RM-xxx type is other... but i can be in mistake, this needs be checked

[harim_1981]

sir,

i read the first post....but cant understand fully....

but i will say my phone condition first and please guide me to recover my phone...

first the N95 came with blinking condition.. and i using the MT flashed it with 20...version and phone Ok,..but not formatting...(but phone working fully)

but the Formatting not successfull....so that i took backup and erased with Uni_rapido file and than flashed it 20.. version

i and restored the IMEI file...but i am not able to get Sx4 authirization...

now the set condition is Sim not valid.

i have the backup of the phone ...

can i recover it using our Multi.......please help me sir...

[harim_1981]

where is Karwos sir.....


please help us...this is the time to help us ..coz RPL service not working...