FAQ about Nokia BB5 and detailed procedures manuals

[moulnisky]

From the original PM

Quote:

pls corect me if im wrong
1. sl corupted- create rpl from pm
2. security failed- write pm 1 n 309 with sx4 authorize ,making sure sx4 bypass NOT thick
3.restoring imei- write cmt crt back
4 flashing- i try to flash just one version higher just in case it dont work i could go one more version higher. cuz i have experience that some phone dont work latest version. i go one version at a time so prevent me from downgrading. yes i create back rpl certificate n full pm.

which part of pm get modified when unlock?
is it pm 120 in bb5 pm208 in dct4

surdongle? what is it?i is that pm308

downgrade second to last resort
if u downgrade after making all backup upcorse, if phone dies,
do i just flash back to original or higher than original version?
would that revive it?

erase bb5 last resort(scared) lol
1.make back up rpl pm certificates
2. dont erase bb5 phone with protected 120 n 308
3. how do i know which erase file to use?
4. is it different for each phones?
i got these folowing bb5 erase file
bb5erase_8mbrap
bb5erase_16mbrap
bbb5erase_32mbrap
bb5erase_ee_8mbrap
bb5erase_ee_16mbrap
bb5erase_ee_32mbrap
bb5erase_ee_UNI_rapido

lol which do i use?
i know i just flash it like a mcu
after erase, flash it it with same or higher version, then write rpl, then write all certificates then full pm. do i write back the 120 n 308 from back since i erase it?
or never write 120 n 308 back?
do i still have to sx4 authorize after full erase?
Some software have a safe erase where i guese it doesnt erase field 308

sorry for all the question. i just wanna get educated

Too many questions to give an answer in a PM.. 6000 caracters won't be enaugh so here a Thread as answer and which, I hope, can be usefull for other people as well.
I start telling you the answer are based only on my experience and for what I learned here on the forum and in some points I could be wrong.
let's start

1) SL Corrupted : This happens when the simlock data inside the PM308 are tempered. In the mobiles SL1 and SL2 can be solved easily doing the unlock using the RPL method ; In the mobiles SL3, if you have a good copy of the PM120 complete is enaugh make RPL from PM and write the RPL back.. the problem is solved. without back-ups or if the fields 1 and 2 of the PM120 are tempered the only solution is a full nokia RPL

2) Security test Failed: Normally means some checksum are out of sync: essential is to obtain the SX4 authorize; once you got it write the PM 1 and 309. If the security continues after getting the sx4 and writing the PM check the CCC, the HWC and Variant certificates or Write back the back-up RPL and retry.

3) Imei 1234560: This happens when or the NPC cert, or the PM308 or both are not sync with the CMT_PUBLIC_ID present in the OTP. If you have a back-up od the NPC certificates or an rpl back-up write them back. If still you get the imei 1234560.. write back the back-up of the PM 308 too on the SL1 mobiles..

4) Flashing: Normally I try to flash with the same version of firmware is already in the mobile. depending the history of the phone may be usefull flash the phone with an higher version. Be always carefull with the rapido SL2 and SL3 to don't flash a mobile with firmware up to V21 with a firmware V30 or newer as the layout of the PM308 is different and the superdongle get corrupted in the process. About the downgrade carefull to the mobiles with the PM308 write protected (Cyclone suite warns you about the error in apply the downgrade patch and is better you stop if you don't know how to recover).

Which part of pm get modified when unlock? In the SL1 mobiles is the PM308, In the SL2 mobiles using the patch unlock the PM120 and the PM308, using the NCK codes the PM120 field 3 (Unlocking code) and the field 0 (Flag 502 moved to 503).

Superdongle? what is it? It is a part of the PM308 normally located (if you see the PM with wordpad without the automatic lf) after the 4 row of the PM308 field 1 up to line 9. If this area is corrupted the mobiles goes in watch dog and restarts randomly or after about 2 minutes of call or listening music.

Watch dog Is a state which happens when the security is violated: It normally happens when the mobiles is in imei 1234560 (NPC erased or corrupted or PM308 tempered ) or Superdongle missing or corrupted.

downgrade second to last resort
if u downgrade after making all backup upcorse, if phone dies,
do i just flash back to original or higher than original version?
would that revive it?

If you put back PM 308, 120 and certs or RPL apart the same version of the firmware the mobile will be OK 100%

The erase files are depending the model.. you can find them in the rapido sl2 firmware in some packages.. I use the files suggested by Kashi4gul in this thread BB5 Full Erase Rap and Rapido (5310, 5610, 5700, 6110n, 6120c. . . etc) and never had problems (Thanks always Kashi4gul) anyway the FUll erase function on Cyclone works perfect
If you have a nokia RPL you must follow these steps
a) Erase the phone
b) Flash the phone with the higher version related to the product code is on the lable under the battery
c) Write RPL
d) SX4 authorize
e) Full PM without 308 and 120 (Check always the files before you write them)

Safe erase: Is an erase made with skip APE thicked after the erase you are still able to read the infos of the mobile and to get the local mode.

Hope you will find usefull these info

BR

Alex

[moulnisky]

Ok.. The sample here is about a contact service which has as cause the simlock error.
This sample is valid for any contact service as well
When asking for help in the forum, is always better post infos and security analyse logs as shown
Lets see the case
a) read the infos of the mobile (Tab common/info click on "read info")


Here we can see immediately the mobile has the SP data corrupted but the imei is fine: the mobile must have his imei or any job on it will be only a wasting of time!

b) See the security analyze logs (Just go in the tab bb5/security and click on "Security analyze")



We can see well now the problem is only about the simlock in this mobile: to solve it the best way is always the unlock via the RPL method
So we thick "RPL Calculation" and click on direct unlock



Simlock now is OK and the mobile should be already out of the CS but to prevent any more problem we go on with the sx4 authorization and writing a good PM 1 and 309: Don't write the full PM of another mobile as you can corrupt the camera configuration and we could have other problems afterward; the best way is to write back again the PM 1 and 309 of our mobile but if you have not experience in doing this you can use a PM 1 and 309 available on the forum or download this PM Collection and use the one related to your mobile model

Lets go on doing click on SX4 authorize (Tab BB5/security)



Now we got the SX4 authorization to write the PM; Is important to know the Cyclone software, if the superdongle is corrupted, doing click on the SX4 authorize rebuild the superdongle as well and fix the issue, all in one click.
Lets move immediately in the tab Common/info and with "SX4 bypass" NOT THICKED we click on "write PM"



We wrote successfully our good PM: is important to know if you still get error 19 after the successfully SX4 authorization and the software stay a quite long in starting the PM writing, the problem is related to a wrong BSI value used; If you are using an UFC try with a lower BSI value this job or if it is a standard cable and you are using the TMA adapter, reduce a bit the BSI correction (or increase it) until you can write successfully the PM. Obviously you must repeat again the sx4 authorize before any try.
To verify everything is OK we now check the mobile selftest doing click on the proper button in the same common/info tab



Yes! job is done

If the mobile still have security error problems try doing an RPL from phone now and writing it back (Thick plain RPL): it should solve.. if not, look for a good RPL with inside the CCC and HWC certificates same model (and if possible product code) of your mobile.

BR

Alex

[moulnisky]

As I said the mobile was erased so no local mode and no chances to get infos: the only mode to see the mobile is via flash mode so we start doing check flashing bus to see if the mobile is connected properly and working

step a - Check flashing bus

Code:

Booting CMT...
CMT_SYSTEM_ASIC_ID: 000000010000022600010006030C192101033000
CMT_EM_ASIC_ID:  00000296
CMT_EM_ASIC_ID:  00000B22
CMT_PUBLIC_ID:  0BC001087F4F0256E6A3FD83F8F1F77504022228
CMT_ASIC_MODE_ID: 00
CMT_ROOT_KEY_HASH: 9DDBFCFE6E73CED7D8C6268C8EB85723
CMT_BOOT_ROM_CRC: 273F6D55
CMT_SECURE_ROM_CRC: DFAAF68F
CMT Ready!
Searching for BootCode: DualLine 32Bit
RAP3Gv3_2nd.fg, Type: 2nd Boot Loader, Rev: 0.10.42.0, Algo: BB5
Flashbus Write baud set to 1.0Mbits
Flashbus Read baud set to 98Kbits
Using OLD BB5 FLASHING PROTOCOL
If software STUCK HERE with box TX LED lit, that means:
1. You have not attached yellow TX2 Adapter (IT IS REQUIRED FOR BB5 PHONES WHEN USING JAF/UFS CABLES!)
2. Your cable is not TX2 Enabled!
3. Transmission error occured, try again
In either cases, you need to reconnect your box from USB.
FlashChip[0,CMT]: 0x00EC240000008A31, Samsung, NOR
FlashContent[0,CMT]: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, NOR
FlashChip[0,CMT]: 0xFFFF000000000000, Unknown, MMC
Transmission Mode Requested: Single Line, 8 bit, Accepted: Single Line, 8 bit
Searching for BootCode: DualLine 32Bit
FlashChip 0x00EC2400 (Samsung), Size: 64MBytes, VPP: 9V
RAP3Gv3_algo.fg, Type: Algorithm, Rev: 0.10.40.0, Algo: BB5 ALGORITHM
Flashbus Write baud set to 2.0Mbits
Transmission Mode Requested: Dual Line, 32 bit, Accepted: Dual Line, 32 bit
Box TX2 Data Pin set to: Service Pin 3
Box VPP disabled
Internal CMT Phone VPP Enabled
Warning: PAPUBKEYS Hash Missing!
APE Boot skipped on user request
Flashbus Write baud set to 5.0Mbits
Restarting MCU...

Ok.. as we cann see the mobile is there connected properly and working so we can procede now with the flashing
Important thing I checked the back-ups before going on and the rpl back-up is fully valid with inside simlock and npc back-up!!

step b - Flashing

Code:

Scanning avaiable products...
Processing C:\Program Files (x86)\Cyclone Box\StoredFiles\...
Found 4 products, Filtering BB5 Products - wait...
4 Products left after filtering. Ready.
Retrieving Variants for Product 2700C - wait...
1 Variants Retrieved
Processing pre flash tasks...
Pre flash tasks finished, continuing...
Processing rm561__09.97.mcusw (CMT)...
Booting CMT...
CMT_SYSTEM_ASIC_ID: 000000010000022600010006030C192101033000
CMT_EM_ASIC_ID:  00000296
CMT_EM_ASIC_ID:  00000B22
CMT_PUBLIC_ID:  0BC001087F4F0256E6A3FD83F8F1F77504022228
CMT_ASIC_MODE_ID: 00
CMT_ROOT_KEY_HASH: 9DDBFCFE6E73CED7D8C6268C8EB85723
CMT_BOOT_ROM_CRC: 273F6D55
CMT_SECURE_ROM_CRC: DFAAF68F
CMT Ready!
rm561__09.97.mcusw, Type: Flash Image, Algo: BB5, BB5 ALGORITHM
Searching for BootCode: DualLine 32Bit (Forcing OLD Protocol)
RAP3Gv3_2nd.fg, Type: 2nd Boot Loader, Rev: 0.10.42.0, Algo: BB5
Flashbus Write baud set to 1.0Mbits
Flashbus Read baud set to 98Kbits
Using OLD BB5 FLASHING PROTOCOL
If software STUCK HERE with box TX LED lit, that means:
1. You have not attached yellow TX2 Adapter (IT IS REQUIRED FOR BB5 PHONES WHEN USING JAF/UFS CABLES!)
2. Your cable is not TX2 Enabled!
3. Transmission error occured, try again
In either cases, you need to reconnect your box from USB.
FlashChip[0,CMT]: 0x00EC240000008A31, Samsung, NOR
FlashContent[0,CMT]: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, NOR
FlashChip[0,CMT]: 0xFFFF000000000000, Unknown, MMC
Transmission Mode Requested: Single Line, 8 bit, Accepted: Single Line, 8 bit
Searching for BootCode: DualLine 32Bit (Forcing OLD Protocol)
FlashChip 0x00EC2400 (Samsung), Size: 64MBytes, VPP: 9V
RAP3Gv3_algo.fg, Type: Algorithm, Rev: 0.10.40.0, Algo: BB5 ALGORITHM
Flashbus Write baud set to 2.0Mbits
Transmission Mode Requested: Dual Line, 32 bit, Accepted: Dual Line, 32 bit
Box TX2 Data Pin set to: Service Pin 3
Box VPP disabled
Internal CMT Phone VPP Enabled
Warning: PAPUBKEYS Hash Missing!
Flashbus Write baud set to 5.0Mbits
Sending Certificates...
Certificates OK
Started group flash erase
EraseArea[0,CMT]: 0x00000000-0x000006BF, NOR
EraseArea[0,CMT]: 0x000006C0-0x0001FFFF, NOR
EraseArea[0,CMT]: 0x00040000-0x000BFFFF, NOR
EraseArea[0,CMT]: 0x000C0000-0x0013FFFF, NOR
EraseArea[0,CMT]: 0x00140000-0x0137FFFF, NOR
EraseArea[0,CMT]: 0x01380000-0x0151FFFF, NOR
Waiting 320s for erasure finish...
Erase taken 4.914s
Writing all blocks...
Initializing TurboCache...
TurboCache Loaded!
Writing CMT NOLO Certificate...
Writing CMT KEYS Certificate...
Writing CMT PRIMAPP Certificate...
Writing CMT PASUBTOC Certificate...
WARNING: CMT PAPUBKEYS Hash is Empty, writing first found PAPUBKEYS
Writing CMT PAPUBKEYS Certificate...
Writing CMT UPDAPP Certificate...
Writing CMT DSP0 Certificate...
Writing CMT MCUSW Certificate...
Programming Status OK!
All blocks written OK! Time taken 68.749s
Flashing Speed: 2368,07 kBit/S
Restarting MCU...
Processing rm561__09.97.mcusw (APE)...
Processing rm561__09.97.ppm_ae (CMT)...
Booting CMT...
CMT_SYSTEM_ASIC_ID: 000000010000022600010006030C192101033000
CMT_EM_ASIC_ID:  00000296
CMT_EM_ASIC_ID:  00000B22
CMT_PUBLIC_ID:  0BC001087F4F0256E6A3FD83F8F1F77504022228
CMT_ASIC_MODE_ID: 00
CMT_ROOT_KEY_HASH: 9DDBFCFE6E73CED7D8C6268C8EB85723
CMT_BOOT_ROM_CRC: 273F6D55
CMT_SECURE_ROM_CRC: DFAAF68F
CMT Ready!
rm561__09.97.ppm_ae, Type: Flash Image, Algo: BB5, BB5 ALGORITHM
Searching for BootCode: DualLine 32Bit (Forcing OLD Protocol)
RAP3Gv3_2nd.fg, Type: 2nd Boot Loader, Rev: 0.10.42.0, Algo: BB5
Flashbus Write baud set to 1.0Mbits
Flashbus Read baud set to 98Kbits
Using OLD BB5 FLASHING PROTOCOL
If software STUCK HERE with box TX LED lit, that means:
1. You have not attached yellow TX2 Adapter (IT IS REQUIRED FOR BB5 PHONES WHEN USING JAF/UFS CABLES!)
2. Your cable is not TX2 Enabled!
3. Transmission error occured, try again
In either cases, you need to reconnect your box from USB.
FlashChip[0,CMT]: 0x00EC240000008A31, Samsung, NOR
FlashContent[0,CMT]: 00000000000000000000000000000000, NOR
FlashChip[0,CMT]: 0xFFFF000000000000, Unknown, MMC
Transmission Mode Requested: Single Line, 8 bit, Accepted: Single Line, 8 bit
Searching for BootCode: DualLine 32Bit (Forcing OLD Protocol)
FlashChip 0x00EC2400 (Samsung), Size: 64MBytes, VPP: 9V
RAP3Gv3_algo.fg, Type: Algorithm, Rev: 0.10.40.0, Algo: BB5 ALGORITHM
Flashbus Write baud set to 2.0Mbits
Transmission Mode Requested: Dual Line, 32 bit, Accepted: Dual Line, 32 bit
Box TX2 Data Pin set to: Service Pin 3
Box VPP disabled
Internal CMT Phone VPP Enabled
PAPUBKEYS Hash for CMT: 3EA22A1DDA660002E56108DB5072A10F8709443F
Flashbus Write baud set to 5.0Mbits
Started group flash erase
EraseArea[0,CMT]: 0x01520000-0x01DBFFFF, NOR
Waiting 320s for erasure finish...
Erase taken 1.997s
Writing all blocks...
Initializing TurboCache...
TurboCache Loaded!
Programming Status OK!
All blocks written OK! Time taken 19.469s
Flashing Speed: 2337,36 kBit/S
Restarting MCU...
Processing rm561__09.97.ppm_ae (APE)...
Processing rm561__09.97.image_ae_fr_blac (CMT)...
Booting CMT...
CMT_SYSTEM_ASIC_ID: 000000010000022600010006030C192101033000
CMT_EM_ASIC_ID:  00000296
CMT_EM_ASIC_ID:  00000B22
CMT_PUBLIC_ID:  0BC001087F4F0256E6A3FD83F8F1F77504022228
CMT_ASIC_MODE_ID: 00
CMT_ROOT_KEY_HASH: 9DDBFCFE6E73CED7D8C6268C8EB85723
CMT_BOOT_ROM_CRC: 273F6D55
CMT_SECURE_ROM_CRC: DFAAF68F
CMT Ready!
rm561__09.97.image_ae_fr_blac, Type: Flash Image, Algo: BB5, BB5 ALGORITHM
Searching for BootCode: DualLine 32Bit (Forcing OLD Protocol)
RAP3Gv3_2nd.fg, Type: 2nd Boot Loader, Rev: 0.10.42.0, Algo: BB5
Flashbus Write baud set to 1.0Mbits
Flashbus Read baud set to 98Kbits
Using OLD BB5 FLASHING PROTOCOL
If software STUCK HERE with box TX LED lit, that means:
1. You have not attached yellow TX2 Adapter (IT IS REQUIRED FOR BB5 PHONES WHEN USING JAF/UFS CABLES!)
2. Your cable is not TX2 Enabled!
3. Transmission error occured, try again
In either cases, you need to reconnect your box from USB.
FlashChip[0,CMT]: 0x00EC240000008A31, Samsung, NOR
FlashContent[0,CMT]: 00000000000000000000000000000000, NOR
FlashChip[0,CMT]: 0xFFFF000000000000, Unknown, MMC
Transmission Mode Requested: Single Line, 8 bit, Accepted: Single Line, 8 bit
Searching for BootCode: DualLine 32Bit (Forcing OLD Protocol)
FlashChip 0x00EC2400 (Samsung), Size: 64MBytes, VPP: 9V
RAP3Gv3_algo.fg, Type: Algorithm, Rev: 0.10.40.0, Algo: BB5 ALGORITHM
Flashbus Write baud set to 2.0Mbits
Transmission Mode Requested: Dual Line, 32 bit, Accepted: Dual Line, 32 bit
Box TX2 Data Pin set to: Service Pin 3
Box VPP disabled
Internal CMT Phone VPP Enabled
PAPUBKEYS Hash for CMT: 3EA22A1DDA660002E56108DB5072A10F8709443F
Flashbus Write baud set to 5.0Mbits
Started group flash erase
EraseArea[0,CMT]: 0x01DC0000-0x0215FFFF, NOR
EraseArea[0,CMT]: 0x02160000-0x03FBFFFF, NOR
Waiting 320s for erasure finish...
Erase taken 7.831s
Writing all blocks...
Initializing TurboCache...
TurboCache Loaded!
Programming Status OK!
All blocks written OK! Time taken 27.425s
Flashing Speed: 2488,17 kBit/S
Restarting MCU...
Processing rm561__09.97.image_ae_fr_blac (APE)...
All images processed OK! Processing post flash tasks...
Setting Factory Defaults...
Factory defaults OK
Reading info...
MCU Version V 09.97
MCU Date 18-06-10
Product  RM-561 (Nokia 2700 classic)
Manufacturer (c) Nokia            
IMEI  12345610654321?
IMEI Spare 1A32541660452301
IMEI SV  1332541660452351F4000000
PPM  V 09.97, 18-06-10, RM-561, (c) Nokia            , AE
CNT  Content: ae_fr_black, V 09.97, 18-06-10, RM-561, (c) Nokia            , 
PSN  0
PSD  0000000000000000
LPSN  0
RETU  16
TAHVO  22
AHNE  30
RFIC  06540601
DSP  ICPR72_09w26
LCD  SEIKO
BT  2222-302
Failed to read info -> Failed to read SP info
Read info thread finished, continuing...
Post flash tasks finished!
Flashing successfully finished!

Mobile now is fully flashed with factory default; it shown no imei and no valid simlock: this is normal on an erased mobile
we can go on now to write back the RPL back-up we have in the stored files folder

Step c - write back RPL back-up

Code:

Skipping RPL decryption...
Parsing decrypted RPL...
Processing FBUS Part...
Writing Product Code... 
Writing PSN... 
Writing HWID... 
Writing Simlock...
Handling as SL3 Simlock Data
Handling as SIMLOCK1 Format
Reading Security Block...
Security block OK and saved to "RM-561_12345610654321_28052012_184308.SecurityBlock.PM"
15 Digits NCK Found
Simlock ACCEPTED OK !
Writing Superdongle key...
Superdongle Key ACCEPTED OK !
Writing CMLA key...
CMLA Key ACCEPTED OK !
Writing WMDRM PD Data...
WMDRM PD Data ACCEPTED OK !
Processing FLASHBUS Part...
Booting CMT...
CMT_SYSTEM_ASIC_ID: 000000010000022600010006030C192101033000
CMT_EM_ASIC_ID:  00000296
CMT_EM_ASIC_ID:  00000B22
CMT_PUBLIC_ID:  0BC001087F4F0256E6A3FD83F8F1F77504022228
CMT_ASIC_MODE_ID: 00
CMT_ROOT_KEY_HASH: 9DDBFCFE6E73CED7D8C6268C8EB85723
CMT_BOOT_ROM_CRC: 273F6D55
CMT_SECURE_ROM_CRC: DFAAF68F
CMT Ready!
Searching for BootCode: DualLine 32Bit (Forcing OLD Protocol)
RAP3Gv3_2nd.fg, Type: 2nd Boot Loader, Rev: 0.10.42.0, Algo: BB5
Flashbus Write baud set to 1.0Mbits
Flashbus Read baud set to 98Kbits
Using OLD BB5 FLASHING PROTOCOL
If software STUCK HERE with box TX LED lit, that means:
1. You have not attached yellow TX2 Adapter (IT IS REQUIRED FOR BB5 PHONES WHEN USING JAF/UFS CABLES!)
2. Your cable is not TX2 Enabled!
3. Transmission error occured, try again
In either cases, you need to reconnect your box from USB.
FlashChip[0,CMT]: 0x00EC240000008A31, Samsung, NOR
FlashContent[0,CMT]: 00000000000000000000000000000000, NOR
FlashChip[0,CMT]: 0xFFFF000000000000, Unknown, MMC
Transmission Mode Requested: Single Line, 8 bit, Accepted: Single Line, 8 bit
Searching for BootCode: DualLine 32Bit (Forcing OLD Protocol)
FlashChip 0x00EC2400 (Samsung), Size: 64MBytes, VPP: 9V
RAP3Gv3_algo.fg, Type: Algorithm, Rev: 0.10.40.0, Algo: BB5 ALGORITHM
Flashbus Write baud set to 2.0Mbits
Transmission Mode Requested: Dual Line, 32 bit, Accepted: Dual Line, 32 bit
Box TX2 Data Pin set to: Service Pin 3
Box VPP disabled
Internal CMT Phone VPP Enabled
PAPUBKEYS Hash for CMT: 3EA22A1DDA660002E56108DB5072A10F8709443F
APE Subsystem Not Found
Flashbus Write baud set to 5.0Mbits
CMT NPC Erased
CMT NPC Written
CMT HWC Erased
CMT HWC Written
CMT CCC Erased
CMT CCC Written
Restarting MCU...
Write RPL Finished!
MCU Version V 09.97
MCU Date 18-06-10
Product  RM-561 (Nokia 2700 classic)
Manufacturer (c) Nokia            
IMEI  354350044492685
Mastercode 5424247426
IMEI Spare 3A45530044946208
IMEI SV  3345530044946258F4000000
PPM  V 09.97, 18-06-10, RM-561, (c) Nokia            , AE
CNT  Content: ae_fr_black, V 09.97, 18-06-10, RM-561, (c) Nokia            , 
PSN  DJW512338
Product Code 0589277
PSD  0000000000000000
LPSN  0
RETU  16
TAHVO  22
AHNE  30
HW  1001
RFIC  06540601
DSP  ICPR72_09w26
LCD  SEIKO
BT  2222-302
Simlock Server SIMLOCK SERVER
Simlock Key 2440700000000000
Simlock Profile 0000000000000000
Simlock Key Cnt 0
Simlock FBUS Cnt 0
Simlock [1,1] State: OPENED Type: MCC-MNC Data: FFFFFF
Simlock [1,2] State: OPENED Type: GID Data: FFFF
Simlock [1,3] State: OPENED Type: GID Data: FFFF
Simlock [1,4] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [1,5] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [2,1] State: OPENED Type: MCC-MNC Data: FFFFFF
Simlock [2,2] State: OPENED Type: GID Data: FFFF
Simlock [2,3] State: OPENED Type: GID Data: FFFF
Simlock [2,4] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [2,5] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [3,1] State: OPENED Type: MCC-MNC Data: FFFFFF
Simlock [3,2] State: OPENED Type: GID Data: FFFF
Simlock [3,3] State: OPENED Type: GID Data: FFFF
Simlock [3,4] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [3,5] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [4,1] State: OPENED Type: MCC-MNC Data: FFFFFF
Simlock [4,2] State: OPENED Type: GID Data: FFFF
Simlock [4,3] State: OPENED Type: GID Data: FFFF
Simlock [4,4] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [4,5] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [5,1] State: OPENED Type: MCC-MNC Data: FFFFFF
Simlock [5,2] State: OPENED Type: GID Data: FFFF
Simlock [5,3] State: OPENED Type: GID Data: FFFF
Simlock [5,4] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [5,5] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [6,1] State: OPENED Type: MCC-MNC Data: FFFFFF
Simlock [6,2] State: OPENED Type: GID Data: FFFF
Simlock [6,3] State: OPENED Type: GID Data: FFFF
Simlock [6,4] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [6,5] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [7,1] State: OPENED Type: MCC-MNC Data: FFFFFF
Simlock [7,2] State: OPENED Type: GID Data: FFFF
Simlock [7,3] State: OPENED Type: GID Data: FFFF
Simlock [7,4] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [7,5] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF

Bingo.. our mobile has back simlock and imei so we can finish our job doing the sx4 auth and writing the suggested PM to get the mobile out of contact service

step d - sx4 auth and suggested PM

Code:

 SX4 Authorization / SD Repair Procedure Started....
"0BC001087F4F0256E6A3FD83F8F1F77504022228.B0000A7E" Exists, That is good...
MCU Version V 09.97
MCU Date 18-06-10
Product  RM-561 (Nokia 2700 classic)
Manufacturer (c) Nokia            
IMEI  354350044492685
Mastercode 5424247426
Reading Security Block...
Security block OK and saved to "RM-561_354350044492685_28052012_184340.SecurityBlock.PM"
SX4 Status: Not authorized (74)
Started mutual authenthication with card...
Receiving Phone Seed 1...
Phone Seed 1 Received
Sending calculated Data 1, and expecting Seed 2...
Calculated Data 1 accepted, Phone Seed 2 Received
Sending calculated Data 2
Calculated Data 2 sent, Checking Authorization Status again
Authorization successfully finished!
Looking for Virgin PM In Database...
Found, writing...
[1,0] Written, Length: 12 bytes, Status: OK
[1,1] Written, Length: 70 bytes, Status: OK
[1,2] Written, Length: 70 bytes, Status: OK
[1,3] Written, Length: 70 bytes, Status: OK
[1,4] Written, Length: 70 bytes, Status: OK
[1,5] Written, Length: 276 bytes, Status: OK
[1,6] Written, Length: 276 bytes, Status: OK
[1,7] Written, Length: 276 bytes, Status: OK
[1,8] Written, Length: 276 bytes, Status: OK
[1,9] Written, Length: 384 bytes, Status: OK
[1,10] Written, Length: 384 bytes, Status: OK
[1,11] Written, Length: 384 bytes, Status: OK
[1,12] Written, Length: 384 bytes, Status: OK
[1,13] Written, Length: 384 bytes, Status: OK
[1,14] Written, Length: 384 bytes, Status: OK
[1,15] Written, Length: 384 bytes, Status: OK
[1,16] Written, Length: 384 bytes, Status: OK
[1,17] Written, Length: 32 bytes, Status: OK
[1,19] Written, Length: 16 bytes, Status: OK
[1,20] Written, Length: 32 bytes, Status: OK
[309,0] Written, Length: 4 bytes, Status: OK
[309,1] Written, Length: 2 bytes, Status: OK
[309,2] Written, Length: 12 bytes, Status: OK
[309,4] Written, Length: 12 bytes, Status: OK
[309,5] Written, Length: 12 bytes, Status: OK
[309,7] Written, Length: 12 bytes, Status: OK
[309,8] Written, Length: 12 bytes, Status: OK
[309,17] Written, Length: 12 bytes, Status: OK
[309,22] Written, Length: 12 bytes, Status: OK
Write PM Finished, Record written OK: 29, Record written NOT OK: 0

Mobile almost ready.. just a little thing: this mobile is erased so the camera configuratin is gone... we just go in the tab common/info and click on analyze repair dcc

step e- analyze repair dcc

Code:

Analyzing Dynamic Camera Configuration...
--> Primary Camera Not Exists
Secondary Camera: NIMMIIIIRRFF0A021001XXXXXX
Secondary Camera Configuration is destroyed, writing factory one...
Writing Configuration...
Configuration Accepted!
Dynamic Camera Configuration Analyze/Repair Finished!

now all should be ok.. lets check the mobile for any security or simlock errors, this just as double check

step f - security analyze

Code:

Started Phone Security Analysis...
MCU Version V 09.97
MCU Date 18-06-10
Product  RM-561 (Nokia 2700 classic)
Manufacturer (c) Nokia            
IMEI  354350044492685
Mastercode 5424247426
Reading Security Block...
Security block OK and saved to "RM-561_354350044492685_28052012_184410.SecurityBlock.PM"
Step 1 : Testing SIMLOCK
SIMLOCK SEFLTEST PASSED OK!
Step 2 : Testing SECURITY
SECURITY SEFLTEST PASSED OK!
Step 3 : Analyzing Security Block
"0BC001087F4F0256E6A3FD83F8F1F77504022228.B0000A7E" Exists, That is good...
Checking SUPERDONGLE...
SUPERDONGLE FOUND AND CHECKSUM OK! PASSED!
Checking SIMLOCK...
Failed to decode Security Section, Box Reported: Security Section Not Found (SL3 phone?)
Checking MCU&DSP TIMESTAMPS...
MCU&DSP TIMESTAMPS FOUND AND CHECKSUM OK! PASSED!
Checking CMLA KEYS...
Failed to decode Security Section, Box Reported: Security Section Not Found (SL3 phone?)
Checking ECC KEYS...
Failed to decode Security Section, Box Reported: Security Section Not Found (SL3 phone?)
Checking DIV KEYS...
DIV KEYS FOUND AND CHECKSUM OK! PASSED!
Analyze finished!
Normal mode set
MCU Version V 09.97
MCU Date 18-06-10
Product  RM-561 (Nokia 2700 classic)
Manufacturer (c) Nokia            
IMEI  354350044492685
Mastercode 5424247426
IMEI Spare 3A45530044946208
IMEI SV  3345530044946258F4000000
PPM  V 09.97, 18-06-10, RM-561, (c) Nokia            , AE
CNT  Content: ae_fr_black, V 09.97, 18-06-10, RM-561, (c) Nokia            , 
PSN  DJW512338
Product Code 0589277
PSD  0000000000000000
LPSN  0
RETU  16
TAHVO  22
AHNE  30
HW  1001
RFIC  06540601
DSP  ICPR72_09w26
LCD  SEIKO
Simlock Server SIMLOCK SERVER
Simlock Key 2440700000000000
Simlock Profile 0000000000000000
Simlock Key Cnt 0
Simlock FBUS Cnt 0
Simlock [1,1] State: OPENED Type: MCC-MNC Data: FFFFFF
Simlock [1,2] State: OPENED Type: GID Data: FFFF
Simlock [1,3] State: OPENED Type: GID Data: FFFF
Simlock [1,4] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [1,5] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [2,1] State: OPENED Type: MCC-MNC Data: FFFFFF
Simlock [2,2] State: OPENED Type: GID Data: FFFF
Simlock [2,3] State: OPENED Type: GID Data: FFFF
Simlock [2,4] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [2,5] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [3,1] State: OPENED Type: MCC-MNC Data: FFFFFF
Simlock [3,2] State: OPENED Type: GID Data: FFFF
Simlock [3,3] State: OPENED Type: GID Data: FFFF
Simlock [3,4] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [3,5] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [4,1] State: OPENED Type: MCC-MNC Data: FFFFFF
Simlock [4,2] State: OPENED Type: GID Data: FFFF
Simlock [4,3] State: OPENED Type: GID Data: FFFF
Simlock [4,4] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [4,5] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [5,1] State: OPENED Type: MCC-MNC Data: FFFFFF
Simlock [5,2] State: OPENED Type: GID Data: FFFF
Simlock [5,3] State: OPENED Type: GID Data: FFFF
Simlock [5,4] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [5,5] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [6,1] State: OPENED Type: MCC-MNC Data: FFFFFF
Simlock [6,2] State: OPENED Type: GID Data: FFFF
Simlock [6,3] State: OPENED Type: GID Data: FFFF
Simlock [6,4] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [6,5] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF
Simlock [7,1] State: OPENED Type: MCC-MNC Data: FFFFFF
Simlock [7,2] State: OPENED Type: GID Data: FFFF
Simlock [7,3] State: OPENED Type: GID Data: FFFF
Simlock [7,4] State: OPENED Type: IMSI Data: FFFFFFFFFFFFFFFF

All fine
mobile ready to go back to the customer

BR

Alex