BB5 S40 MCU modyfing?

[maciekbronkz]

Hi all.
I tried to modify mcusw in nokia (*#0000# - change name of mcu etc). Flashing process ok but effect? Phone doesn't boot up. Some controllers? I think any byte in mcu is not codded by any security (faid, fsig and fsig_ext probably are not used, only rsa/aes but where?). Some areas in mcu should can be modded without any problems. Next attempt - I modify any byte in mcu. when i flashing:

Code:

Asic CMT: Start programming 49221 KB...
Asic CMT: Programming data sent: 0%
Asic CMT: Programming data sent: 10%
Asic CMT: Programming data sent: 20%
Asic CMT: Programming data sent: 30%
Asic CMT: Programming data sent: 40%
FUR: ALGO reported error in Control Frame. Unable to continue.
ERROR: Programming error reported for asic CMT
-- Error Type        0x05
-- Error Specifier   0x08
-- Of*****ng Addr    0x01A8C400
-- Expected content  0x00008683
-- Detected content  0x0000868D
Error sending programming command 0x8400A814
ERROR Sending status request to Algo! 0x8400A814
Error while programming CMT!
Error when flashing Algo (0x84012283)
Unable to flash phone 0x84012283

Mcusw is file with some sectors:



Every sector as you seen on screen has a hash - it is rap hash, but 11 sector - papubkeys has one more hash - I don't know what hash it's. Sector 11 is not mapped in memory. Sectors which haven't hashes are I think block headers.
Generally: I think papubkeys is "controller" for the mcu, which not allow to boot phone.


Any ideas? Tips? Corrects for me? Thanks a lot and sorry for my language.

[kevin168]

did u used trix for that?

br,

[g-gabber]

The firmware is signed by rsa, there is no way to patch bb5 firmware at this moment.

[meiky]

u can't only a modified mcu to patcher BB5,coz must read hardware too.

[kevin168]

Quote:

Originally Posted by g-gabber

The firmware is signed by rsa, there is no way to patch bb5 firmware at this moment.

How about the Nokia Editor spread on the net?
it can edit some firmware part and repack it.

br,
kevin168

[Dzirt]

PPM and CNT are not signed.

[kevin168]

Quote:

Originally Posted by Dzirt

PPM and CNT are not signed.

So not all part in mcu are signed?
as the tool can repack ROFS from Core fspx.

CMIIW

Br,
kevin168

[Dzirt]

ROFS repack done funny
If we made TOC change - phone will no longer check it in new FW versions.
I already check some parts - as usual nokia not cover full certs with it, just ROFS1, ROFS2 and ROFS3 part can be changed. If we make other change - phone dead.
And most important - rofs is just a fs image, not a FW part, so, it not secured as weel.