11-12-2010, 07:40 | #1 (permalink) |
Freak Poster Join Date: Nov 2002 Location: Russia Age: 43
Posts: 278
Member: 18270 Status: Offline Sonork: 100.109968 Thanks Meter: 106

ASK->RPL DCT4 Algorithm

If anyone remembers, there was a thread a looong time ago about it: http://forum.gsmhosting.com/vbb/f139...58/#post960572 There were many doubts, BUT Zulea was right that time. Here is a working link to that file.

First you should know how to decrypt/encrypt RPL data; that can also be found in that file. The SAFER-K64 algo is at 000031A2 (Decode), 00002FC2 (Encode).

To build up an RPL file, you should know only the IMEI to calculate the correct data and the ASIC to encode that data. In calculating the RPL the main thing is the UEM data, since WDPass for Flash data is only 4 bytes which are calculated from the UEM data and 2 other bytes.

If you have ever seen decoded RPL data in RAW, you will have found that in the UEM data only the first 16 bytes are different, the rest is constant. That constant data isn't just constant, it's also calculated, and its algo can be found at 00002D74.

The 2nd 8 bytes in the UEM data is just the IMEI, so nothing interesting here. The first 8 bytes of the UEM are done at 00002A38 and 00002B48. 4 different algorithms are used to get these bytes, Nokia are paranoid.

After you have the UEM data, proceed with WDPass; it's very easy to calc it now, proceed at 00002C50.

After creating the UEM & Flash data don't forget to encode it with the correct ASIC. With that info you can build up an ASK->RPL calculator for ASICs 2,5,6,7. ASIC11 uses another key and a slightly different algo, which can't be found there.

Enjoy!

PS For the provided TDS6.BIN thanks go to Zulea, without it ASK->RPL for DCT4 wouldn't be possible for free for many users.

PPS There are also some interesting things in that file....
The Following 19 Users Say Thank You to Al For This Useful Post: |
11-12-2010, 09:56 | #2 (permalink) |
No Life Poster Join Date: Nov 2001 Location: England Age: 41
Posts: 2,821
Member: 7653 Status: Offline Thanks Meter: 823

Nice. I have attached the file TDS6 to this topic. Maybe in 1, 5, 10 years your server will be offline. Br
The Following User Says Thank You to Dave.W For This Useful Post: |
11-12-2010, 10:06 | #3 (permalink) | |
Freak Poster Join Date: Nov 2002 Location: Russia Age: 43
Posts: 278
Member: 18270 Status: Offline Sonork: 100.109968 Thanks Meter: 106 | Quote:
The Following User Says Thank You to Al For This Useful Post: |
11-12-2010, 14:20 | #4 (permalink) |
No Life Poster Join Date: Nov 2001 Location: England Age: 41
Posts: 2,821
Member: 7653 Status: Offline Thanks Meter: 823

Yes, with a simple search this file can be turned up in a few minutes. Unfortunately not many users seem to use forum search. Also I think with a harder search you can find the file from more than 4 years ago. I think the file has been on the forum for more than a decade.
The Following 3 Users Say Thank You to Dave.W For This Useful Post: |
11-13-2010, 09:06 | #5 (permalink) |
Freak Poster Join Date: Nov 2002 Location: Russia Age: 43
Posts: 278
Member: 18270 Status: Offline Sonork: 100.109968 Thanks Meter: 106

More hints. Example of RPL DATA2 (ASIC2).

Encrypted:
Code:
DF1C7A4823CB7F47
9316CF0449719C45
1C1C214BB916754A
1C2CB65159DF6CAB
20DC8F54157C3424
3C7C9F59431DCD97
1016F7AE296A1D4E
67AF93179F495915
6F699A1A060B8872
1A074F96739DD9BB
AA537538E7DC140A

Code:
33556302100444F2
B8A50C62A780FC79
BB31043905291B31
08E916810E890349
007917E910690D99
0781043905291B31
D8C10D211C991861
1429096114A10BB9
016909D91F691EF1
03C10D211C991861
214800008F3419C7

B8 - BCD UEM IMEI even parity, i.e. every bit in that byte is a parity bit for the corresponding byte in the BCD IMEI (bit 0 is even parity for byte 0 (33) of the BCD IMEI, bit 1 is even parity for byte 1 (55) of the BCD IMEI and so on);
A5 - BCD UEM IMEI byte XOR checksum;
0C62 - MUL/MOD checksum (Algorithm at 00002B48);
A780FC79 - CRC32-like BCD UEM IMEI checksum (Algorithm at 00002DFE);
BB31043905291B31 08E916810E890349 007917E910690D99 0781043905291B31 D8C10D211C991861 1429096114A10BB9 016909D91F691EF1 03C10D211C991861 2148 - data used in the MUL/MOD checksum algo; actually only 3 words are used, at offsets 0x00 (0xBB31), 0x20 (0xD8C1), 0x40 (0x2148), the others are calculated from these 3 with the MUL/MOD algorithm (at 00002D74); that data is always constant on every mobile;
00008F34 - Box ID (just for information);
19C7 - checksum, just the sum of all previous bytes;
The Following 15 Users Say Thank You to Al For This Useful Post: |
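The field layout Al gives for the decrypted DATA2 block can be checked mechanically. The following Python is an added example written for this page, not code from the thread or from TDS6.BIN: it parses the 88-byte block quoted in post #5, recomputes the three fields whose rules the post states outright (the per-byte even-parity byte, the XOR byte and the trailing 16-bit sum), and confirms that the three seed words sit at offsets 0x00, 0x20 and 0x40 of the constant area. The MUL/MOD and CRC32-like checksums are only identified by disassembly address in the post, so they are extracted but not recomputed. The field offsets are assumptions derived from the order and widths Al lists, the nibble order of the BCD IMEI is not stated so it is kept as raw bytes, and the sample block is the one quoted in the post.

```python
from __future__ import annotations

from dataclasses import dataclass

# Decrypted DATA2 block for an ASIC2 phone, exactly as quoted in post #5 (88 bytes).
SAMPLE_DATA2_HEX = (
    "33556302100444F2" "B8A50C62A780FC79"
    "BB31043905291B31" "08E916810E890349"
    "007917E910690D99" "0781043905291B31"
    "D8C10D211C991861" "1429096114A10BB9"
    "016909D91F691EF1" "03C10D211C991861"
    "214800008F3419C7"
)

# Field offsets. The post lists the fields in this order but gives no offsets,
# so these are assumptions derived from the field widths it shows.
OFF_IMEI = 0     # 8 bytes: BCD UEM IMEI (nibble order not stated, kept as raw bytes)
OFF_PARITY = 8   # 1 byte: bit i = even parity of IMEI byte i
OFF_XOR = 9      # 1 byte: XOR of the 8 IMEI bytes
OFF_MULMOD = 10  # 2 bytes: MUL/MOD checksum (algorithm not on the page)
OFF_CRC = 12     # 4 bytes: CRC32-like checksum (algorithm not on the page)
OFF_CONST = 16   # 66 bytes: "constant" area derived from three seed words
OFF_BOXID = 82   # 4 bytes: Box ID
OFF_SUM = 86     # 2 bytes: 16-bit sum of all preceding bytes
DATA2_LEN = 88

# Seed words of the constant area, at the offsets the post gives (relative to OFF_CONST).
CONST_SEED_WORDS = {0x00: 0xBB31, 0x20: 0xD8C1, 0x40: 0x2148}


def parity_byte(imei: bytes) -> int:
    """Bit i is set when IMEI byte i has an odd number of 1 bits (even parity)."""
    if len(imei) != 8:
        raise ValueError("expected 8 BCD IMEI bytes")
    value = 0
    for i, b in enumerate(imei):
        value |= (bin(b).count("1") & 1) << i
    return value


def xor_byte(imei: bytes) -> int:
    """XOR of all IMEI bytes."""
    value = 0
    for b in imei:
        value ^= b
    return value


def sum16(data: bytes) -> int:
    """Plain byte sum truncated to 16 bits, as the post describes the trailing checksum."""
    return sum(data) & 0xFFFF


@dataclass
class Data2Fields:
    imei: bytes
    parity: int
    xor: int
    mulmod: int
    crc: int
    const: bytes
    box_id: int
    checksum: int


def parse_data2(hexstr: str) -> Data2Fields:
    """Split a decrypted DATA2 hex string into its fields (multi-byte fields read as displayed)."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != DATA2_LEN:
        raise ValueError(f"DATA2 must be {DATA2_LEN} bytes, got {len(raw)}")
    return Data2Fields(
        imei=raw[OFF_IMEI:OFF_PARITY],
        parity=raw[OFF_PARITY],
        xor=raw[OFF_XOR],
        mulmod=int.from_bytes(raw[OFF_MULMOD:OFF_CRC], "big"),
        crc=int.from_bytes(raw[OFF_CRC:OFF_CONST], "big"),
        const=raw[OFF_CONST:OFF_BOXID],
        box_id=int.from_bytes(raw[OFF_BOXID:OFF_SUM], "big"),
        checksum=int.from_bytes(raw[OFF_SUM:DATA2_LEN], "big"),
    )


def validate_data2(hexstr: str) -> list[str]:
    """Return every mismatch against the rules the post states; an empty list means consistent."""
    raw = bytes.fromhex(hexstr)
    f = parse_data2(hexstr)
    problems: list[str] = []

    want = parity_byte(f.imei)
    if f.parity != want:
        problems.append(f"parity byte {f.parity:02X}, computed {want:02X}")

    want = xor_byte(f.imei)
    if f.xor != want:
        problems.append(f"XOR byte {f.xor:02X}, computed {want:02X}")

    for off, word in CONST_SEED_WORDS.items():
        found = int.from_bytes(f.const[off:off + 2], "big")
        if found != word:
            problems.append(f"seed word at const+{off:#04x} is {found:04X}, expected {word:04X}")

    want = sum16(raw[:OFF_SUM])
    if f.checksum != want:
        problems.append(f"trailing checksum {f.checksum:04X}, computed {want:04X}")
    return problems


if __name__ == "__main__":
    fields = parse_data2(SAMPLE_DATA2_HEX)
    print(f"IMEI bytes {fields.imei.hex().upper()}  Box ID {fields.box_id:08X}")
    print("problems:", validate_data2(SAMPLE_DATA2_HEX) or "none")
```

On the quoted block the validator reports no problems, which confirms the three stated rules against the real sample; flipping any IMEI byte trips the parity, XOR and sum checks at once, so a block that decrypts under the wrong SAFER key or ASIC is caught before the fields are trusted.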
11-13-2010, 10:35 | #6 (permalink) |
No Life Poster Join Date: Mar 2006 Location: .: India :. Heaven on Earth
Posts: 2,496
Member: 238812 Status: Offline Sonork: 100.1602669 Thanks Meter: 1,443

Hi Al! Thanks for the information you provided here and also in PM. But as far as I am concerned, I am unable to disassemble it in IDAPro. It shows me the same data as I told you in PM. Can you provide me steps to disassemble it correctly in IDAPro? Meaning where to put the Vector address and code start address? I did it in the following way:
> Started IDAPro.
> New
> Various
> Binary/Raw file
> Selected TDS6.BIN
> In wizard pressed Next
> Selected HITACHI H8:h3800 processor
> Next
> Finish
> Now in the Disassembly memory organization window, which addresses should I use?
I know, you may call me a baby, but I know, if I don't know something, I must ask. Br, Shadab Ahmad
The Following 4 Users Say Thank You to [Shadab_M] For This Useful Post: |
11-13-2010, 11:08 | #7 (permalink) |
No Life Poster Join Date: Aug 2007 Location: bangladesh, dhaka, munshiganj. Age: 37
Posts: 717
Member: 570626 Status: Offline Sonork: 100.1579059 Thanks Meter: 129

How to do BB5 RPL calculation, any idea? WBR shimul.
The Following User Says Thank You to shimul_777 For This Useful Post: |
11-13-2010, 11:20 | #8 (permalink) | |
No Life Poster Join Date: Jul 2006 Location: ..::DZ-25::..
Posts: 529
Member: 315181 Status: Offline Sonork: 100.1593455 Thanks Meter: 301 | Quote:
Load it with H8/300a selected; your code will be like this: Just type "C" on the keyboard and your code will be clear: This is the decode routine.
The Following 11 Users Say Thank You to angel25dz For This Useful Post: |
11-13-2010, 12:41 | #9 (permalink) |
No Life Poster Join Date: Mar 2006 Location: .: India :. Heaven on Earth
Posts: 2,496
Member: 238812 Status: Offline Sonork: 100.1602669 Thanks Meter: 1,443 | @angel! Oops, I really missed it. Thanks Bro. Br, Shadab Ahmad |
The Following User Says Thank You to [Shadab_M] For This Useful Post: |
11-15-2010, 00:18 | #10 (permalink) |
No Life Poster Join Date: Jul 2001 Location: Inside Raskal pocket Age: 54
Posts: 3,316
Member: 5325 Status: Offline Thanks Meter: 8,448

Hehe, nice to remember... @Al, maybe you can allow your partner (dct4master) to give me the ASIC11 key too. I am really busy with other new things, and it is easier to calculate DCT4 RPL using a phone and a custom small simple loader which just calls secure ROM functions (like my servers still do today)... And just for info, the old Dejan trick to bypass SAFER and load an unencrypted loader to the phone works on ASIC 11 too, with just small changes. Best regards, Zulea PPS: Any "light" on how SP codes are calculated for ASIC 11? As I see, all people now use my idea for RSA forge, even if that was in front of everyone's eyes for ages, and all spent a lot of time and trouble with flash patches... what a stupid world/people.
The Following 2 Users Say Thank You to zulea For This Useful Post: |
11-15-2010, 03:24 | #11 (permalink) | |
No Life Poster Join Date: Mar 2005 Location: UGANDA Age: 50
Posts: 1,417
Member: 126167 Status: Offline Sonork: 100.1591387 Thanks Meter: 5,128

JUNIOUR NOW, IT SEEMS JUNIOUR DEJAN IS ON TRACK. LET US HOPE THE PROJECT UR DOING NOW MAY BE VALUABLE, NOT BASED ON CRACKING, FINISHED AND WORKING SOFTWARE. are u working on INFINEON cpu eg: 1280,1800,1616? sp. this one seems not tough for you. I know ur working on sl3. I guess this is the only thing which can make u busy. Br HASSAN Quote:
The Following User Says Thank You to hassanjinja For This Useful Post: |
11-15-2010, 05:16 | #12 (permalink) | |
Freak Poster Join Date: Nov 2002 Location: Russia Age: 43
Posts: 278
Member: 18270 Status: Offline Sonork: 100.109968 Thanks Meter: 106 | Quote:
BUT that information won't help fully, since Nokia changed not only the keys... About bypassing SAFER - of course it will work, but I don't need it since I can encrypt a custom loader correctly. Btw, who is dct4masters? About SP unlock codes for ASIC11 - it's similar to sl3, so who needs them if we can do fake RSA? Best regards, Al
The Following 5 Users Say Thank You to Al For This Useful Post: |
11-15-2010, 10:13 | #13 (permalink) | ||
No Life Poster Join Date: Jul 2001 Location: Inside Raskal pocket Age: 54
Posts: 3,316
Member: 5325 Status: Offline Thanks Meter: 8,448 | Quote:
Man from the Philippines, I don't know his real name for sure. I had some talks with him starting from 1 year ago (when I started to study DCT4). First I planned to bruteforce SP codes for ASIC11, and for that I needed decoded SHA1 values, which use SAFER to store/read from the protected PM field. For that I needed ASIC11 decode. Also, reading protected PM I had already done with my custom loader which reads directly from the flash PM area. But as you know these SHA1 values are SAFER encrypted, so I asked for the keys and algo (I didn't have enough time to play with JTAG and/or with CP14, CP15 debug to extract data and code from the DCT4 SECROM). This guy said he cannot give them because he promised you not to give them to anyone else. Anyway, it was an old story, and finally I solved it with an RSA forged signature... it was so simple and in front of our eyes for years... And now I asked just out of curiosity, because as I said I use a phone to do the encryption and decryption. And this phone can be the "target" phone for which the RPL calculation is made... Quote:
And this maybe will be needed, here you say: http://forum.gsmhosting.com/vbb/f83/...ml#post5703829 http://forum.gsmhosting.com/vbb/f83/...9/#post6130239 ... BUT Nokia hasn't moved a finger after more than half a year has passed (you didn't give a "time estimation" but Alex said 1-2 months). Newly released models have the same hole. But maybe in some future they will change something (even if I am sure another year will pass and nothing will change), so it is better to be prepared. Best regards, Zulea PS Maybe many people don't understand well all that we talk about here, so you can contact me privately by email at [email protected] if you want to continue this kind of "private talk" (because it seems I go off topic with my personal stories). Last edited by zulea; 11-15-2010 at 10:19.
The Following 10 Users Say Thank You to zulea For This Useful Post: |