About XBI file format of X65!

[BennieZ]

Hello, somebody
I am attempt to modify XBI file of X65. I'd like change Version to V51 from Winswup V25. try to cheat bootcore to downgrade. I has modified Version and HashTable. but BootCore check HashTable by the first SIGNATURE. and winswup display message: Software signature was rejected. I am using WSFFXBI.exe, and has modified HASHTable . but compile signature is invalid.

please give me some help.

First and Second SIGNATURE

Code:

00000000h: 53 69 65 6D 65 6E 73 20 4D 6F 62 69 6C 65 20 50 ; Siemens Mobile P
00000010h: 68 6F 6E 65 73 3A 53 49 47 4E 41 54 55 52 45 3A ; hones:SIGNATURE:
00000020h: 30 31 2E 30 30 1A 01 00 00 01 80 00 CC 9F 51 98 ; 01.00.....€.虩Q?
00000030h: EA 1A 52 77 A4 AE CB ED F0 79 81 4B 0C 48 F8 FD ; ?Rwぎ隧饄並.H
00000040h: DC 2A 42 29 A5 94 28 18 D6 3E 9B BC A7 03 9F C9 ; ?B)(.?浖?熒
00000050h: 29 62 14 98 4D 0C 70 5D 1C E2 CF 35 7C 2F 28 96 ; )b.楳.p].庀5|/(?
00000060h: 60 53 CB AB 34 54 37 DE 68 67 0F 58 5C CA 1F C6 ; `S双4T7辢g.X\??
00000070h: 48 98 CB 20 10 C0 7D 10 FD 6F 0A 64 84 D2 07 44 ; H標 .纝.齩.d勔.D
00000080h: 31 32 06 49 56 E3 14 17 AF 2C D4 92 36 BE 2B 42 ; 12.IV?.?話6?B
00000090h: 25 CE 77 DE 5F 7E 49 11 55 65 E4 FD 45 F4 94 B9 ; %蝫轤~I.Ue潺E魯?
000000a0h: A9 63 DC 5A 32 8D 35 FE DD 7A D2 61 01 FF FF FE ; ヽ躗2?z襛.?
000000b0h: 80 00 A4 3A 81 44 E5 3C 77 66 28 9F 37 94 4D 2A ; €.?丏?wf(?擬*
000000c0h: D6 2D C5 06 C6 FE 37 E1 2A C1 2A 88 35 8C A4 63 ; ??掐7???尋c
000000d0h: 84 A3 9E AD CA FC 74 E6 E4 7C 8D 42 5E 86 9D BD ; 劊灜庶t驿|岯^啙?
000000e0h: 55 F9 04 A9 F5 E3 F8 EE 9C 10 36 5E 7F D8 57 11 ; U?泺顪.6^豔.
000000f0h: E7 54 73 36 DB CF E0 25 FA D9 9A 04 0A 62 02 00 ; 鏣s6巯??.b..
00000100h: 7C 1B 41 09 F2 9A 79 6D D1 EB 27 4C B5 6D 2C B9 ; |.A.驓ym央'L祄,?
00000110h: 17 AB 3E 05 D7 DE 00 9D 52 C4 8E 8F 33 1E AD 88 ; .?.邹.漅膸?.瓐
00000120h: BE 5B C7 0E 27 CB D9 13 D3 14 2C 64 2B 9C 49 BE ; 綶?'速.?,d+淚?
00000130h: EC 30                                           ; ?

HashTable

Code:

00000370h: 00 46 FF FF FF FE 00 01 04 04 45 58 54 5F 53 49 ; .F?...EXT_SI
00000380h: 47 4E 41 54 55 52 45 5F 48 41 53 48 5F 41 52 45 ; GNATURE_HASH_ARE
00000390h: 41 00 01 14 40 00 B3 00 9E 03 00 00 F8 8E 11 E6 ; A...@.??..鴰.?
000003a0h: B0 85 18 A8 A4 10 03 84 B3 EF 87 96 39 07 00 00 ; 皡.à..劤飮?...

[bluegatar]

There are some
Siemens boot-core expert in the Siemens (read some
deep discussion about boot-core in the "GSM
Programming" section) ...

[Papuas]

Quote:

Originally Posted by BennieZ

Hello, somebody
I am using WSFFXBI.exe, and has modified HASHTable .

10/2004

[BennieZ]

Quote:

Originally Posted by Papuas

10/2004

@Papuas
Very thanks for your source. I has read it. but found nothing about Rebuild the first SIGNATURE. Signatur1Click is a null function. only output info.

Code:

void __fastcall TFormMain::Signatur1Click(TObject *Sender)
{
  ShowLog("В даровом варианте ныне такое не пишится... не настало время...");
  ShowLog("Путь идет в обход...");
  ShowVersion();
}

It is 1024bit . I has searched some Hash arithmetic from internet, and cann't find out which make a 1024bit SIGNATURE. MD5 is only 128bit. the item of HASH table is HASH from pre item start to this block of FF.
example to S6CV50:

Code:

H00: po bloku    0x0000039E	=A8CFA1F04D7ED0A71771B9D8D23EA5CB

I has modified this FF Block.

Code:

FFCmd:5D,Size:36,Data: 53 36 43 00 FF FF FF FF FF FF FF FF FF FF FF FF FF 53 49 45 4D 45 4E 53 00 FF FF FF FF 3B 06 B8 FF FF 50
Mobile Name: S6C SIEMENS Ver:50

and recalculate the first HASH which from this block to Block 39E. but bootcore reject the first signature.

best regards!

[avkiev]

Quote:

Originally Posted by BennieZ

It is 1024bit . I has searched some Hash arithmetic from internet, and cann't find out which make a 1024bit SIGNATURE.

RSA-1024
........................

[Papuas]

Quote:

Originally Posted by avkiev

RSA-1024

RSA-1024 )) !!!

Modulus(N) (Public Key):
D9D9F3BB3F7085838691D8A0DAC395A5A34DD04FCFE3504A54 A634526034D2FB76695DEF3696560FC06DEF3812B7C72FBFD6 A0D515E7132414454040F9694908B13BED979AEF9F2063DA07 F8403CEB303268084986A23B3E6121FE7BCED2AD3B02005C41 30A38D5279F097284EFC186AE95E0AB2BE4BA7A858442891F4 BEECEF

S65_110300.XBI.EXE:
1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFF003020300
C06082A864886F70D020505000410
CAE9874D70960658123621E9AA10F5E0

C55_249111.XBI.EXE
1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFF003020300
C06082A864886F70D020505000410
82F1367FCA280C92C2E4CC6412AB1519
....

[BennieZ]

Quote:

Originally Posted by Papuas

RSA-1024 )) !!!

Modulus(N) (Public Key):

S65_110300.XBI.EXE:
CAE9874D70960658123621E9AA10F5E0

C55_249111.XBI.EXE
....

@Papuas
Does you mean E is 0x1000001,and the last line is MD5 of HashTable?
and this part is same to every phone.

Code:

1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFF003020300
C06082A864886F70D020505000410

then add MD5 to this part and make cryptograph by E and N.
the cryptograph is first SIGNATURE.

sorry for my poorl english and knowledge about RSA.

[avkiev]

Quote:

Originally Posted by BennieZ

Does you mean E is 0x1000001

AFAIK, E = 0x10001
..........................

[BennieZ]

Quote:

Originally Posted by avkiev

AFAIK, E = 0x10001
..........................

Yes, It is 0x10001. 1000001 is only a ID.
I has tried to modify BLOCK 0052, and want to use a new D and N, but It is invalid.

[Papuas]

Quote:

Originally Posted by BennieZ

Yes, It is 0x10001. 1000001 is only a ID.
I has tried to modify BLOCK 0052, and want to use a new D and N, but It is invalid.

Update "Public Key" in the BLOCK 0052, and utillize "Clear Bcore", further "Freeze" function for carry of the new code in BCORE …

[BennieZ]

Quote:

Originally Posted by Papuas

Update "Public Key" in the BLOCK 0052, and utillize "Clear Bcore", further "Freeze" function for carry of the new code in BCORE …

Can this function be done at server mode? or must do at factory mode?
My original intention is downgrade from v50 to v25. which minimal version of BCore is V50. So I want to get ESN and HASH from v25.

[Papuas]

Quote:

Originally Posted by BennieZ

Can this function be done at server mode? or must do at factory mode?
My original intention is downgrade from v50 to v25. which minimal version of BCore is V50. So I want to get ESN and HASH from v25.

Methods unbounded set !!!
Not of sense for this purpose to downgrade from v50 to v25 or to utilize TP...
There are simple paths through SWUOTA and deceit Swup of the answering device in the telephone etc.

[xuantrinhkhanh]

Quote:

Originally Posted by BennieZ

Can this function be done at server mode? or must do at factory mode?
My original intention is downgrade from v50 to v25. which minimal version of BCore is V50. So I want to get ESN and HASH from v25.

H!!
you use program freia crack , add me yahoo messeager [email protected]

[bluegatar]

Can freia cracked get the ESN and HASH from v50???????