How to write a soft for unlocking phone - GSM-Forum

Liu CAs · 06-01-2002, 07:16

Hi!

I'm a programmer and i'm trying to understand how a software for unlocking phones works, because i'm going to write a one. Unfortunately i can't find any documentation about communication protocol between phone and pc, what kind of processors are used in phone, how to disassemble phone's firmware. If anyone could help me i'd be glad.
Sorry for my bad grammatical errors.

**Lead** · 06-02-2002, 05:28

It is not as easy as you might think. There is no communication protocol documentation released by the mobile phone manufacturing companies. Everything you can find is based on reverse-engineering. When writing new unlocking software, one is interested mainly in the bootstrap protocol, rather that in the high level AT-commands, although there may be some exceptions. To find out the bootstrap protocol for a totally new phone, you may visit service center and ask them to allow you to sniff serial (in the better case) communication and hope it will not be crypted. For an older phone you may do it at home, by sniffing communication between your phone and some free or dongled unlocking program. In most cases you will find out that after you press the power button on the phone, the computer sends some kind of code into the phone. This is a program that runs inside the mobile phone, takes control over it and handles the whole communication with PC that follows. You may then analyze the code, modify it to be able to read the whole phone flash. This is the point when the hardest work takes place. You will spend many weeks analysing the phone firmware and if you are a lucky person, you will find a way to unlock the phone. However, the new phones, like Nokia 8310, 6310, 6510 and Ericsson R520m, T39m, T65s, T68m, T68i are well protected. Nokia now uses crypted boot code and Ericsson requires to pass through some flash authorization procedure to be able to send boot code to the phone.

Anyway, I did not want to discourage you. The processors used in the actual phones are:

ARM (Nokia, Motorola, Sagem, Trium,...)
Z80 (Ericsson,...)
AVR (Ericsson)
80C166 (Siemens, Sagem,...)
Motorola, e.g. 68332 (Motorola)

This is a list of processors used in mobile phones I could remember of. To disassemble code, I recommend you to buy the Interactive Disassembler Pro Advanced from DataRescue company. It is really a good reverse-engineering tool and is worth buying it.

May the force be with you

Best regards,
Lead.

***[MoOkIe]*** · 06-02-2002, 11:30

Very nice info.!

Thanks a lot Lead.
Bye.

mujie · 06-07-2002, 17:12

LEAD is the MASTER

OrbiTel · 01-07-2003, 20:12

Yes LEad is good )

kulibin · 01-08-2003, 01:17

Where find manuals for ARM (Nokia, Motorola, Sagem, Trium,...)

**Lead** · 01-08-2003, 01:23

Maybe this could help you:
http://www.arm.com/arm/documentation?OpenDocument

Wings · 01-08-2003, 09:13

Thank you lead for the info .

regards

sago · 01-08-2003, 11:04

lead is lead

junk · 01-08-2003, 14:41

One question to Lead:
Is firmwares for Nokia DCT4 phones are also crypted?

**Lead** · 01-08-2003, 14:49

Yes, mostly.

junk · 01-08-2003, 14:52

Well, where can I take not crypted firmware or maybe fulldump of new nokia phone?

**Lead** · 01-08-2003, 14:57

The easiest way is to desolder the flash chip and read its content using some chip programmer.

junk · 01-08-2003, 14:59

do someone have this dump?? I don't have enough hardware to desolder the chip...

**Lead** · 01-08-2003, 15:09

I doubt anyone will give you the flash dump for free.

06-01-2002, 07:16	#1 (permalink)
Liu CAs Junior Member Join Date: Jun 2002 Age: 28 Posts: 1 Member: 12494 Status: Offline Thanks: 0 Thanked 0 Times in 0 Posts	How to write a soft for unlocking phone Hi! I'm a programmer and i'm trying to understand how a software for unlocking phones works, because i'm going to write a one. Unfortunately i can't find any documentation about communication protocol between phone and pc, what kind of processors are used in phone, how to disassemble phone's firmware. If anyone could help me i'd be glad. Sorry for my bad grammatical errors.

06-02-2002, 05:28	#2 (permalink)
Lead Product Manager Join Date: Aug 2008 Age: 38 Posts: 3,306 Member: 1841 Status: Offline Thanks: 2 Thanked 451 Times in 131 Posts	Re: How to write a soft for unlocking phone It is not as easy as you might think. There is no communication protocol documentation released by the mobile phone manufacturing companies. Everything you can find is based on reverse-engineering. When writing new unlocking software, one is interested mainly in the bootstrap protocol, rather that in the high level AT-commands, although there may be some exceptions. To find out the bootstrap protocol for a totally new phone, you may visit service center and ask them to allow you to sniff serial (in the better case) communication and hope it will not be crypted. For an older phone you may do it at home, by sniffing communication between your phone and some free or dongled unlocking program. In most cases you will find out that after you press the power button on the phone, the computer sends some kind of code into the phone. This is a program that runs inside the mobile phone, takes control over it and handles the whole communication with PC that follows. You may then analyze the code, modify it to be able to read the whole phone flash. This is the point when the hardest work takes place. You will spend many weeks analysing the phone firmware and if you are a lucky person, you will find a way to unlock the phone. However, the new phones, like Nokia 8310, 6310, 6510 and Ericsson R520m, T39m, T65s, T68m, T68i are well protected. Nokia now uses crypted boot code and Ericsson requires to pass through some flash authorization procedure to be able to send boot code to the phone. Anyway, I did not want to discourage you. The processors used in the actual phones are: ARM (Nokia, Motorola, Sagem, Trium,...) Z80 (Ericsson,...) AVR (Ericsson) 80C166 (Siemens, Sagem,...) Motorola, e.g. 68332 (Motorola) This is a list of processors used in mobile phones I could remember of. To disassemble code, I recommend you to buy the Interactive Disassembler Pro Advanced from DataRescue company. It is really a good reverse-engineering tool and is worth buying it. May the force be with you Best regards, Lead. Last edited by Lead; 06-02-2002 at 05:30.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

06-02-2002, 11:30	#3 (permalink)
*[MoOkIe]* Super Moderator Join Date: Mar 2001 Location: Leiria, PT & Macao, CN Posts: 2,525 Member: 3756 Status: Offline Thanks: 0 Thanked 3 Times in 3 Posts	Very nice info.! Thanks a lot Lead. Bye.

06-07-2002, 17:12	#4 (permalink)
mujie No Life Poster Join Date: Jan 2002 Location: MARS Posts: 1,491 Member: 8304 Status: Offline Thanks: 3 Thanked 98 Times in 31 Posts	LEAD is the MASTER

01-07-2003, 20:12	#5 (permalink)
OrbiTel No Life Poster Join Date: Jan 2001 Location: CZ Age: 30 Posts: 981 Member: 3041 Status: Offline Thanks: 0 Thanked 0 Times in 0 Posts	Yes LEad is good )

01-08-2003, 01:17	#6 (permalink)
kulibin Freak Poster Join Date: Oct 2002 Age: 26 Posts: 427 Member: 16452 Status: Offline Thanks: 2 Thanked 4 Times in 3 Posts	Where find manuals for ARM (Nokia, Motorola, Sagem, Trium,...)

01-08-2003, 01:23	#7 (permalink)
Lead Product Manager Join Date: Aug 2008 Age: 38 Posts: 3,306 Member: 1841 Status: Offline Thanks: 2 Thanked 451 Times in 131 Posts	Maybe this could help you: http://www.arm.com/arm/documentation?OpenDocument

01-08-2003, 09:13	#8 (permalink)
Wings Freak Poster Join Date: Jun 1999 Location: California Age: 36 Posts: 396 Member: 255 Status: Offline Thanks: 0 Thanked 1 Time in 1 Post	Thank you lead for the info . regards

01-08-2003, 11:04	#9 (permalink)
sago Junior Member Join Date: Dec 2002 Location: heart Age: 47 Posts: 35 Member: 18477 Status: Offline Thanks: 0 Thanked 0 Times in 0 Posts	lead is lead

01-08-2003, 14:41	#10 (permalink)
junk Insane Poster Join Date: May 2002 Location: Russia Age: 27 Posts: 62 Member: 12371 Status: Offline Thanks: 0 Thanked 0 Times in 0 Posts	One question to Lead: Is firmwares for Nokia DCT4 phones are also crypted?

01-08-2003, 14:49	#11 (permalink)
Lead Product Manager Join Date: Aug 2008 Age: 38 Posts: 3,306 Member: 1841 Status: Offline Thanks: 2 Thanked 451 Times in 131 Posts	Yes, mostly.

01-08-2003, 14:52	#12 (permalink)
junk Insane Poster Join Date: May 2002 Location: Russia Age: 27 Posts: 62 Member: 12371 Status: Offline Thanks: 0 Thanked 0 Times in 0 Posts	Well, where can I take not crypted firmware or maybe fulldump of new nokia phone?

01-08-2003, 14:57	#13 (permalink)
Lead Product Manager Join Date: Aug 2008 Age: 38 Posts: 3,306 Member: 1841 Status: Offline Thanks: 2 Thanked 451 Times in 131 Posts	The easiest way is to desolder the flash chip and read its content using some chip programmer.

01-08-2003, 14:59	#14 (permalink)
junk Insane Poster Join Date: May 2002 Location: Russia Age: 27 Posts: 62 Member: 12371 Status: Offline Thanks: 0 Thanked 0 Times in 0 Posts	do someone have this dump?? I don't have enough hardware to desolder the chip...

01-08-2003, 15:09	#15 (permalink)
Lead Product Manager Join Date: Aug 2008 Age: 38 Posts: 3,306 Member: 1841 Status: Offline Thanks: 2 Thanked 451 Times in 131 Posts	I doubt anyone will give you the flash dump for free.