Debranding - Hacking VSM files

First, big hat tip to user sdtv13, for posting this collection of oodles of VSM files: http://rapidshare.com/files/175815498/all_vsm_pack.zip

I've been looking at a few, here's what I've seen, maybe someone can add to this knowledge until we have the scheme for the VSM file format, then we can make our own?!?!

- A VSM is a resource file of sorts and contains 1 OR MORE files inside. These resources seem to be uncompressed and may be text, PNG files or even MP3 files.

The first 20 bytes of a VSM file are a biggie header and largely unknown in purpose:
- byte offset 0xC seems to be the Vendor ID
- the last 2 bytes of these 20 (in high-low order) indicate the size of the first resource

... then we have the first resource

If there's only one resource in the VSM then we have some unknown and irregularly-counted trailing bytes (say 6 or 7?).

If we have another resource in the VSM file then after the first resource_data ends we then have 8 unknown bytes, then two bytes (again in high-low format) indicating the size of the second resource, followed by the second resource.

That's all I have time for, maybe someone can leapfrog on this? Thx to all for the info on this site - i just un-network-locked my 8700r successfully (or so it seems : )

=-=-=-=-
The most important part to consider here, is that VSM files ARE NOT merely 20 static bytes prepended to a PNG splash-screen file.
=-=-=-=-

Personally, if I wanted to adjust my splash screen I'd go about it this way:
- locate the relevant VSM file from my provider for my model of device
- remove the PNG part of it which is my splash screen
- and insert into the same location in the VSM file my new PNG splash screen
- then adjust the last 2 bytes of the 20-byte header to be the size of my inserted PNG file since it's unlikely that my PNG will be the same filesize as the original
- have $100 in hand to replace my BB if I brick it when I load this new VSM file

Good luck! |
I did all this 1/2 month ago, but the splash screen is still blank and the vendor still showed me -1. I haven't had enough time to continue investigating. My question is: which CRC algorithm is used for the check in the VSM file? |
BTW, may I ask: are you sure a checksum is used, how do you know this, etc? I do have a link to a code segment from someone who years ago hacked the serial communications protocol (i.e. RS-232 data for the RIM 957). The reason I post this is that 1) it's probably easy for someone to implement this algorithm and see if resource sections (or the whole VSM file) are being checksummed with this algorithm and 2) RIM seems to be rather lazy - by that I mean that in OS 4.1 (IIRC) the little icons on the device (when it was connected to the PC) looked just like the cheesy, pixelated ones on my olde, olde RIM 957 when it was connected to the PC ... which suggests to me that RIM likes to re-use their intellectual property for years and years. Anyway, here's the link: http://www.off.net/cassis/protocol-d...ion.html#h-5.0 Maybe someone can do a quick & dirty to see if this is the checksum used by RIM in the VSM files? |
Quote:
;) |
Branding (VSM) API Info Let me also add this link since it looks informative for anyone wanting to hack the VSM file format... http://www.blackberry.com/developers.../Branding.html It explains the various resource_types which may (presumably) appear in the VSM file. My guess is that the resource_type identifiers will appear in part of the header/unknown bytes in the VSM file. (Thanks to user hhardheart for posting this link previously). |
Hacking VSM Files - More CheckSum API from RIM, "Resource Bundles" Looks like the RIM API has some checksum calculators built within it - perhaps one of these is doing the dirty work; from: http://www.blackberry.com/DevMediaLi...w.do?name=java we have: Quote:
http://www.blackberry.com/developers...rceBundle.html Quote:
http://www.blackberry.com/developers...index-all.html speaks a little of "resource bundle" and the like. |
VSM files start with the bytes 01 00 00 bc which appear to be nothing more than a magic number. Changing any of these first four bytes causes the file to not be recognized as a VSM file.

Next are four bytes that give the length of the resource section in little-endian order so 46 0b 00 00 signifies that the length is 0x00000b46 or 2886 bytes long.

The next four bytes are calculated by taking 0xffffffff - (the CRC-32 of the resource section). If the CRC-32 of the resource section is 0x5480b153 then take 0xffffffff - 0x5480b153 = 0xab7f4eac so the four bytes are ac 4e 7f ab.

The Vendor ID takes the next two bytes. Remember that little-endian order is used, so 36 01 is used to represent the vendor id 310 for Wind Italy. The Vendor ID MAY be changed without affecting the file signature or the checksum.

The next two bytes are always zero. There is a single byte value of unknown purpose followed by two bytes of zero followed by a byte that is zero when the unknown value is zero, and one when the unknown value is non-zero. There are eight bytes of zero before the resource section begins. This may be reserved for future use.

The resource section may be empty, but most often it contains resources. Each resource starts with two bytes that specify the resource type, followed by a two byte resource length value, followed by the resource data. If the last byte of the resource falls on an even-numbered address offset (assuming the first byte in the file is considered offset zero) then there is a pad null byte between the two resources. The pad byte is not figured into the length of either resource, but is included in the value for the total resource section length found in the file header. The resources may be listed in any order, however changing any byte in the resource section including resource order will cause the file signature to be invalid.

Following the resource section there may or may not be a footer and signature. The footer is the byte sequence: 1F 2D C8 D7 33 00 00 00 80 00 00 00. I am not sure of the function of the first eight bytes, but I believe the 80 00 specifies that the signature is of length 0x0080 or 128 bytes. There are two null bytes followed by a 128 byte (1024 bit) signature.

The following table lists the values to use to define a field type followed by a name for each. There are also some values for flags listed after the field for which they are used.

Code: 0x0 FIELD_BITMAP_1_DATA
Code: 0x01 1 RIM |
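The layout described in the post above can be checked mechanically. The following parser is an added example, not the poster's tool or any RIM code: it validates the magic, recomputes the checksum field and walks the resources with the pad rule. It assumes the standard zlib CRC-32 polynomial and little-endian resource type/length fields (the post states neither); `parse_vsm` and `sample_vsm` are hypothetical names and the sample bytes are constructed.

```python
import struct
import zlib

MAGIC = bytes.fromhex("010000bc")
# magic, section length, checksum, vendor id, zero, unknown, zero, flag, 8 reserved
HEADER = struct.Struct("<4sIIHHBHB8s")  # 28 bytes, little-endian, no padding

def parse_vsm(blob):
    """Return (vendor_id, checksum_ok, resources, trailer) for a VSM blob."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    magic, sec_len, stored, vendor, *_ = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("bad magic")
    start, end = HEADER.size, HEADER.size + sec_len
    if end > len(blob):
        raise ValueError("section length exceeds file size")
    # Stored value is 0xffffffff minus the CRC-32 of the resource section.
    # Assumption: the standard zlib/IEEE polynomial.
    checksum_ok = stored == 0xFFFFFFFF - zlib.crc32(blob[start:end])
    resources, pos = [], start
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated resource header")
        # Assumption: type and length are little-endian like the header fields.
        rtype, rlen = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if pos + rlen > end:
            raise ValueError("resource overruns section")
        resources.append((rtype, bytes(blob[pos:pos + rlen])))
        pos += rlen
        # A pad byte follows when the last data byte sat on an even offset.
        if pos < end and pos % 2 == 1:
            pos += 1
    return vendor, checksum_ok, resources, bytes(blob[end:])

def sample_vsm():
    """Constructed two-resource sample (not a real carrier file)."""
    section = (struct.pack("<HH", 0, 3) + b"abc" + b"\x00"
               + struct.pack("<HH", 1, 2) + b"hi")
    crc_field = 0xFFFFFFFF - zlib.crc32(section)
    return HEADER.pack(MAGIC, len(section), crc_field, 310, 0, 0, 0, 0, bytes(8)) + section

if __name__ == "__main__":
    print(parse_vsm(sample_vsm()))
```

A true `checksum_ok` only shows the resource section is internally consistent, since anyone can recompute a CRC; the footer and signature come back unverified in `trailer`.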
Nice work. Do you have an updated version of your parsing tool? - I'm having trouble parsing the PNGs from some of the VSMs with your 2/3/2009 release. Also, your online VSM design tool is fantastic. Thanks again. Do you know under what circumstances it is necessary to have a signed VSM file? mobytes |
I have made some changes, but only to cause some of the files that contain only text to be named .txt instead of .bin. Which VSM files are you having trouble with? I'll bet they are the ones that don't have any PNG files in them. Some of the VSM files have images in them others don't and some don't even have ANY resource section at all, just the header. You can look at the VSM files in question and search for the text "PNG" Here is the latest code: Code: #include <stdio.h> |
I'm not sure when it is required to use a signed VSM file. I suspect that RIM will start requiring signed VSM files in newer versions of the OS now that we know how to create our own with valid checksums. I will leave it up to someone else to figure out and document the process of verifying the VSM signature. Of course I know that one can write a BlackBerry app that calls Branding.isDataSigned(), but I'm talking about figuring out what part of the VSM file is hashed to get the signature and what public key is used to verify it.

I've been working the last few days on adding all the remaining fields to the online VSM creator. In the process I made lots of errors and had to go back and find and fix them all. And then someone decided that it was inappropriate and my entire hosting account was deleted without any notification. That's OK though, because I have another place to host it. There are still a couple things I want to test out before I put it back online. One of those is the conversion of a midi ringtone to RIM tone/duration values. I'll post when it is ready to go.

I've also completed (with some help) a BlackBerry application that retrieves all the branding information and saves it to the BlackBerry filesystem as separate files for each field. It was useful in verifying the branding info was actually written exactly as sent...even if what was sent did not make sense. i.e. loading a text file as the browser background. Of course the text file would not be displayed when running the browser, and would probably crash or at least give an error. I know that loading a text file instead of a PNG for the splash screen causes a failure to boot giving an "app error 523 reset".

The BrandingInfo application is also nice to run if you would like to see what branding is currently applied to your device before messing with it. You could even back up your branding info to restore it later, although I haven't found a way to retrieve the signature for the branding data short of comparing your branding data with the 1000+ VSM files and hoping there is one that matches and getting the signature from that. |
Thanks for sharing your info! Quote:
|
Hello BellVictim. How can I change the PNG file in your VSM file patch? I have a PNG file and I want to replace the PNG file in the VSM file with my PNG file. Thank you! |
Wescott, do you by chance know or have the VSM file to debrand a Blackberry 8900 - T-Mobile USA...? I'm new to this whole thing and although I am very familiar with MFI, I'm not familiar with debranding and the VSM files nor have been able to locate anything. Any help is appreciated. Thank You! |
wow, this is excellent news! Good work! I can't wait for the release of the website and bb-brand-reading-app! I'm new to the scene but am reading like crazy to catch up. I have already traced your C code and have made some of my own custom VSMs. Thanks elseWestcott! ps) need any testers? |