Post #1, 11-12-2010, 07:40, by Al
ASK->RPL DCT4 Algorithm


A lot of time has gone by and it seems it's time to make it public....

If anyone remembers, there was a thread a looong time ago about it: http://forum.gsmhosting.com/vbb/f139...58/#post960572

There were many doubts, BUT Zulea was right that time.

Here is a working link to that file.

First you should know how to decrypt/encrypt RPL data, which can also be found in that file. The SAFER-K64 algo is at 000031A2 (Decode), 00002FC2 (Encode).

To build up an RPL file, you only need to know the IMEI to calculate the correct data and the ASIC to encode that data.

In calculating the RPL the main thing is the UEM data, since the WDPass for the Flash data is only 4 bytes, which are calculated from the UEM data and 2 other bytes.

If you have ever seen decoded RPL data in RAW, you should have found out that in the UEM data only the first 16 bytes are different, the rest is constant. That constant data isn't just constant, it's also calculated, and its algo can be found at 00002D74. The 2nd 8 bytes in the UEM data is just the IMEI, so nothing interesting here. The first 8 bytes of the UEM are done at 00002A38 and 00002B48. 4 different algorithms are used to get these bytes; Nokia are paranoid.

After you've got the UEM data, proceeding with the WDPass is very easy to calc now, proceed at 00002C50.

After creating the UEM & Flash data, don't forget to encode it with the correct ASIC.

With that info you can build up an ASK->RPL calculator for ASICs 2,5,6,7. ASIC11 uses another key and a slightly different algo, which can't be found there.

Enjoy!

PS For the provided TDS6.BIN thanks go to Zulea, without it ASK->RPL for DCT4 wouldn't be possible for free for many users.
PPS There are also some interesting things in that file....
Post #2, 11-12-2010, 09:56, by Dave.W
Nice

I have attached the file TDS6 to this topic. Maybe in 1, 5, 10 years your server will be offline.

Br
Attached Files
File Type: zip TDS6.zip (37.5 KB, 508 views)
Post #3, 11-12-2010, 10:06, by Al
Quote:
Originally Posted by Dave.W
Nice

I have attached the file TDS6 to this topic. Maybe in 1, 5, 10 years your server will be offline.

Br
Thanks. But anyway, I just checked, it was already uploaded here 4 years ago.
Post #4, 11-12-2010, 14:20, by Dave.W
Yes, with a simple search this file can be turned up in a few minutes. Unfortunately not many users seem to use the forum search.

Also I think with a harder search you can find the file from more than 4 years ago. I think the file has been on the forum for more than a decade.
Post #5, 11-13-2010, 09:06, by Al
More hints

Example of RPL DATA2 (ASIC2).

Encrypted:
Code:
DF1C7A4823CB7F47
9316CF0449719C45
1C1C214BB916754A
1C2CB65159DF6CAB
20DC8F54157C3424
3C7C9F59431DCD97
1016F7AE296A1D4E
67AF93179F495915
6F699A1A060B8872
1A074F96739DD9BB
AA537538E7DC140A
Decrypted:
Code:
33556302100444F2
B8A50C62A780FC79
BB31043905291B31
08E916810E890349
007917E910690D99
0781043905291B31
D8C10D211C991861
1429096114A10BB9
016909D91F691EF1
03C10D211C991861
214800008F3419C7
33556302100444F2 - UEM IMEI in BCD, in this example it's: 35536200140442;

B8 - BCD UEM IMEI even parity, i.e. every bit in that byte is a parity bit for the corresponding byte in the BCD IMEI (bit 0 is the even parity of byte 0 (33) of the BCD IMEI, bit 1 is the even parity of byte 1 (55) of the BCD IMEI, and so on);

A5 - BCD UEM IMEI byte XOR checksum;

0C62 - MUL/MOD checksum (Algorithm at 00002B48);

A780FC79 - CRC32 like BCD UEM IMEI checksum (Algorithm at 00002DFE);

BB31043905291B31
08E916810E890349
007917E910690D99
0781043905291B31
D8C10D211C991861
1429096114A10BB9
016909D91F691EF1
03C10D211C991861
2148 - data used in the MUL/MOD checksum algo; actually only 3 words are used, at offsets 0x00 (0xBB31), 0x20 (0xD8C1), 0x40 (0x2148), the others are calculated from these 3 with the MUL/MOD algorithm (at 00002D74); this data is always constant on every mobile;

00008F34 - Box ID (just for information);

19C7 - checksum, just the sum of all previous bytes;
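The field layout Al spells out above can be turned into a small parser that checks the three integrity fields whose computation the post gives in full (the per-byte even-parity byte, the XOR byte and the trailing byte sum) and recovers the IMEI from its BCD encoding. This is an added example, not code from the thread or from TDS6.BIN: the field offsets and the `Data2Record` names are my reading of the layout above, the sum is assumed to be a 16-bit big-endian value, and the MUL/MOD and CRC32-like fields are only located, never recomputed, because their algorithms are not on this page. The sample record is the decrypted block from the post, embedded as constructed input.

```python
"""Parse and integrity-check a decoded DCT4 RPL DATA2 record (ASIC2 layout).

Added example, not from the forum thread or from TDS6.BIN. Field offsets follow
the layout described in post #5; the MUL/MOD and CRC32-like checksums are only
located, not recomputed, because their algorithms are not given on the page.
"""
from dataclasses import dataclass

# Constructed input: the decrypted sample from the post, 11 rows of 8 bytes.
SAMPLE_DECRYPTED = bytes.fromhex(
    "33556302100444F2"
    "B8A50C62A780FC79"
    "BB31043905291B31"
    "08E916810E890349"
    "007917E910690D99"
    "0781043905291B31"
    "D8C10D211C991861"
    "1429096114A10BB9"
    "016909D91F691EF1"
    "03C10D211C991861"
    "214800008F3419C7"
)


@dataclass
class Data2Record:
    imei_bcd: bytes        # 8 bytes: type nibble, 14 IMEI digits, 0xF filler (low nibble first)
    parity: int            # one even-parity bit per BCD byte (bit i <-> byte i)
    xor: int               # XOR of the 8 BCD bytes
    mulmod: bytes          # 2 bytes, MUL/MOD checksum (algorithm not on the page)
    crc: bytes             # 4 bytes, CRC32-like checksum (algorithm not on the page)
    constant_block: bytes  # 66 bytes that are the same on every phone
    box_id: bytes          # 4 bytes, informational
    byte_sum: int          # sum of all preceding bytes (assumed 16-bit big-endian)


def decode_bcd_imei(bcd: bytes) -> str:
    """Read nibbles low-first, skip the leading type nibble, drop 0xF filler."""
    nibbles = []
    for b in bcd:
        nibbles.append(b & 0x0F)
        nibbles.append(b >> 4)
    return "".join(str(n) for n in nibbles[1:] if n != 0xF)


def parity_byte(bcd: bytes) -> int:
    """Bit i is set when BCD byte i has an odd number of set bits (even parity)."""
    result = 0
    for i, b in enumerate(bcd):
        result |= (bin(b).count("1") & 1) << i
    return result


def xor_byte(bcd: bytes) -> int:
    result = 0
    for b in bcd:
        result ^= b
    return result


def parse_data2(data: bytes) -> Data2Record:
    if len(data) != 88:
        raise ValueError(f"expected an 88-byte DATA2 record, got {len(data)} bytes")
    return Data2Record(
        imei_bcd=data[0:8],
        parity=data[8],
        xor=data[9],
        mulmod=data[10:12],
        crc=data[12:16],
        constant_block=data[16:82],
        box_id=data[82:86],
        byte_sum=int.from_bytes(data[86:88], "big"),
    )


def seed_words(data: bytes) -> tuple:
    """The three 16-bit words at offsets 0x00, 0x20, 0x40 of the constant block,
    which the post names as the only inputs of the MUL/MOD expansion."""
    block = parse_data2(data).constant_block
    return tuple(int.from_bytes(block[o:o + 2], "big") for o in (0x00, 0x20, 0x40))


def check_record(data: bytes) -> dict:
    """Recover the IMEI and report which of the documented integrity fields agree with it."""
    rec = parse_data2(data)
    return {
        "imei": decode_bcd_imei(rec.imei_bcd),
        "parity_ok": parity_byte(rec.imei_bcd) == rec.parity,
        "xor_ok": xor_byte(rec.imei_bcd) == rec.xor,
        "sum_ok": (sum(data[:86]) & 0xFFFF) == rec.byte_sum,
        "box_id": rec.box_id.hex(),
    }


if __name__ == "__main__":
    print(check_record(SAMPLE_DECRYPTED))
    print([hex(w) for w in seed_words(SAMPLE_DECRYPTED)])
```

On the sample record all three checks agree with the IMEI field; flipping a single bit in the IMEI bytes makes all three disagree, which is why these cheap fields are the first thing to look at when a decoded record appears corrupted.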
Post #6, 11-13-2010, 10:35, by [Shadab_M]
Hi Al!

Thanks for the information you provided here and also in PM.

But as far as I am concerned, I am unable to disassemble it in IDA Pro. It shows me the same data as I told you in PM.

Can you provide me steps to disassemble it correctly in IDA Pro? I mean, where do I put the vector address and the code start address?

I did it in the following way:
> Started IDA Pro.
> New > Various > Binary/Raw file
> Selected TDS6.BIN
> In the wizard pressed Next
> Selected HITACHI H8:h3800 processor > Next > Finish
> Now in the Disassembly memory organization window, which addresses should I use?

I know, you may call me a baby, but I know, if I don't know something, I must ask.

Br,
Shadab Ahmad
Post #7, 11-13-2010, 11:08, by shimul_777
How to do BB5 RPL calculation, any idea?



WBR
shimul.
Post #8, 11-13-2010, 11:20, by angel25dz
Quote:
Originally Posted by shadab_a4u
Hi Al!

Thanks for the information you provided here and also in PM.

But as far as I am concerned, I am unable to disassemble it in IDA Pro. It shows me the same data as I told you in PM.

Can you provide me steps to disassemble it correctly in IDA Pro? I mean, where do I put the vector address and the code start address?

I did it in the following way:
> Started IDA Pro.
> New > Various > Binary/Raw file
> Selected TDS6.BIN
> In the wizard pressed Next
> Selected HITACHI H8:h3800 processor > Next > Finish
> Now in the Disassembly memory organization window, which addresses should I use?

I know, you may call me a baby, but I know, if I don't know something, I must ask.

Br,
Shadab Ahmad
It's simple.

Load it with H8/300a selected.

Your code will be like this:


Just type "C" on the keyboard and your code will be clear:



This is the decode routine.
Post #9, 11-13-2010, 12:41, by [Shadab_M]
@angel!
Oops, I really missed it.

Thanks Bro.

Br,
Shadab Ahmad
Post #10, 11-15-2010, 00:18, by zulea
Hehe, nice to remember ...

@Al, maybe you can allow your partner (dct4master) to give me the ASIC11 key too. I am really busy with other new things, and it is easier to calculate DCT4 RPL using a phone and a custom small simple loader which just calls secure ROM functions (like my servers still do today) ...
And just for info, the old Dejan trick to bypass SAFER and load an unencrypted loader to the phone works on ASIC 11 too, with just small changes.

Best regards,
Zulea

PPS: Any "light" on how SP codes are calculated for ASIC 11? As I see, all people now use my idea for RSA forge, even if that was in front of everyone's eyes for ages, and all spent a lot of time and troubles with flash patches ... what a stupid world/people.
Post #11, 11-15-2010, 03:24, by hassanjinja
JUNIOR

NOW, IT SEEMS JUNIOR DEJAN IS ON TRACK. LET US HOPE THE PROJECT YOU ARE DOING NOW MAY BE VALUABLE, NOT BASED ON CRACKING, FINISHED AND WORKING SOFTWARE.

Are you working on INFINEON CPU, e.g. 1280, 1800, 1616? SP. This one seems not tough for you.

I know you are working on SL3. I guess this is the only thing which can make you busy.

Br
HASSAN



Quote:
Originally Posted by zulea
Hehe, nice to remember ...

@Al, maybe you can allow your partner (dct4master) to give me the ASIC11 key too. I am really busy with other new things, and it is easier to calculate DCT4 RPL using a phone and a custom small simple loader which just calls secure ROM functions (like my servers still do today) ...
And just for info, the old Dejan trick to bypass SAFER and load an unencrypted loader to the phone works on ASIC 11 too, with just small changes.

Best regards,
Zulea

PPS: Any "light" on how SP codes are calculated for ASIC 11? As I see, all people now use my idea for RSA forge, even if that was in front of everyone's eyes for ages, and all spent a lot of time and troubles with flash patches ... what a stupid world/people.
Post #12, 11-15-2010, 05:16, by Al
Quote:
Originally Posted by zulea
Hehe, nice to remember ...

@Al, maybe you can allow your partner (dct4master) to give me the ASIC11 key too. I am really busy with other new things, and it is easier to calculate DCT4 RPL using a phone and a custom small simple loader which just calls secure ROM functions (like my servers still do today) ...
And just for info, the old Dejan trick to bypass SAFER and load an unencrypted loader to the phone works on ASIC 11 too, with just small changes.

Best regards,
Zulea

PPS: Any "light" on how SP codes are calculated for ASIC 11? As I see, all people now use my idea for RSA forge, even if that was in front of everyone's eyes for ages, and all spent a lot of time and troubles with flash patches ... what a stupid world/people.
Why ask anyone to provide ASIC11 keys? I can also provide them. Here you go (in the same format as in TDS6): { 0x1C, 0x5F, 0xB1, 0x10, 0xD0, 0xCF, 0xCF, 0xE7, 0xFA, 0x7E, 0xE5, 0xB0, 0x09, 0x35, 0xF5, 0x74, 0xFA, 0x5F, 0x4B, 0x48, 0x77, 0x8B, 0x39, 0x56, 0xE9 };
BUT that information won't help fully, since Nokia changed not only the keys...
About bypassing SAFER - of course it will work, but I don't need it since I can encrypt a custom loader correctly.
Btw, who is dct4masters?

About SP unlock codes for ASIC11 - it's similar to SL3, so who needs them if we can do fake RSA?

Best regards,
Al
Post #13, 11-15-2010, 10:13, by zulea
Quote:
Originally Posted by Al
About bypassing SAFER - of course it will work, but I don't need it since I can encrypt custom loader correctly
I use a simple loader which runs in "bypassed" mode to encrypt/decrypt my real custom loaders. Then I run my custom made loaders encrypted.

Quote:
Originally Posted by Al
Btw, who is dct4masters?
A man from the Philippines, I don't know his real name for sure. I had some talks with him starting from 1 year ago (when I started studying DCT4). First I planned to bruteforce SP codes for ASIC11, and for that I needed the decoded SHA1 values, which use SAFER to store/read from the protected PM field. For that I needed ASIC11 decode. Also, reading the protected PM I had already done with my custom loader which reads directly from the flash PM area. But as you know these SHA1 values are SAFER encrypted, so I asked for the keys and algo (I didn't have enough time to play with JTAG and/or with CP14, CP15 debug to extract data and code from the DCT4 SECROM). This guy said he cannot give it because he promised you not to give it to anyone else.
Anyway, it was an old story, and finally I solved it with an RSA forged signature ... it was so simple and in front of our eyes for years ...
And now I asked just out of curiosity, because as I said I use the phone to make encryption and decryption. And this phone can be the "target" phone for which the RPL calculation is made ...

Quote:
Originally Posted by Al
About SP unlock codes for ASIC11 - it's similair to sl3, so who needs them if we can do fake RSA?
I don't think it is similar to SL3. Only the RSA signature check is similar, but the CODE GENERATOR is surely not the same. And YES, all Nokia SP codes can be CALCULATED. That is what I asked about.
And this maybe will be needed; here you say:

http://forum.gsmhosting.com/vbb/f83/...ml#post5703829

http://forum.gsmhosting.com/vbb/f83/...9/#post6130239

... BUT Nokia has not moved a finger after more than half a year has passed (you did not give a "time estimation" but Alex said 1-2 months). Newly released models have the same hole. But maybe in some future they will change something (even if I am sure another year will pass and nothing will change), so it is better to be prepared.

Best regards,
Zulea

PS Maybe many people don't understand well all that we talk about here, so you can contact me privately by email at [email protected] if you want to continue this kind of "private talk" (because it seems I'm going off topic with my personal stories).

Last edited by zulea; 11-15-2010 at 10:19.
Post #14, 11-15-2010, 10:27, by VIJAY2U2
@zulea

Some off topic:

What about SL3 simlock repair?
Did you find some bug, or do you have a ready solution?

& I can say you got SL3 unlocking...
Post #15, 11-19-2010, 21:53
Quote:
Originally Posted by zulea
CP14, CP15 debug to extract data and code from DCT4 SECROM).
What's CP 14 / CP 15 ?