GSM-Forum  
GSM Programming & Reverse Engineering: here you can post all kinds of GSM programming and reverse-engineering tools and secrets.

#1 | 05-29-2011, 19:35 | MOURAD™ (No Life Poster, Guangzhou-China)
SL3 patch unlock (Flash patching) possible or not?

Until now nobody has said whether SL3 patch unlock (flash patching) is possible or not.

Let's share your opinions and answers about this here.

Best Regards.
#2 | 05-29-2011, 19:47 | Medusa Lancer (Freak Poster)
It's not possible for now!!!
#3 | 05-29-2011, 19:49 | angel25dz (No Life Poster)
Not possible, and even if possible it is useless.
#4 | 05-29-2011, 19:58 | g-gabber (No Life Poster)
Originally posted by angel25dz:
> Not possible, and even if possible it is useless.

If it were possible to patch the firmware, it would be enough to change one byte to unlock the phone.

br g
#5 | 05-29-2011, 20:34 | angel25dz (No Life Poster)
Originally posted by g-gabber:
> If it were possible to patch the firmware, it would be enough to change one byte to unlock the phone.
>
> br g

Maybe... but I don't think changing 1 byte will be enough to unlock SL3 phones.

Correct me if I'm wrong: in SL1 and SL2, when the code is valid the phone changes the lock flag, and with a PATCH you need to change just 1 byte (0 or 1) and the phone does the rest: it changes the flag and the phone is unlocked forever.

But in SL3 the phone doesn't make any change, because each new SL data needs an RSA1024 signature, so it needs the RSA private key!!! The phone has only the public key to check the signature...

./br
#6 | 05-29-2011, 20:49 | g-gabber (No Life Poster)
Originally posted by angel25dz:
> Maybe... but I don't think changing 1 byte will be enough to unlock SL3 phones.
>
> Correct me if I'm wrong: in SL1 and SL2, when the code is valid the phone changes the lock flag, and with a PATCH you need to change just 1 byte (0 or 1) and the phone does the rest: it changes the flag and the phone is unlocked forever.
>
> But in SL3 the phone doesn't make any change, because each new SL data needs an RSA1024 signature, so it needs the RSA private key!!! The phone has only the public key to check the signature...
>
> ./br

In the case of SL3 you don't need to manipulate the signature. There is a function called "is_simlock_open"; all you need to do is change a conditional jump in the right place. Consider that there is hybrid firmware like E71 v300 which supports SL2 and SL3.

br g

Last edited by g-gabber; 05-29-2011 at 20:59.
#7 | 05-29-2011, 21:20 | angel25dz (No Life Poster)
Originally posted by g-gabber:
> In the case of SL3 you don't need to manipulate the signature. There is a function called "is_simlock_open"; all you need to do is change a conditional jump in the right place. Consider that there is hybrid firmware like E71 v300 which supports SL2 and SL3.
>
> br g

"IS_SIMLOCK_OPEN" in the case of SL3, what does it do exactly??

I see it like this:

1st it checks the lock flag,
1- if the phone is unlocked (factory unlocked with provider 244), exit the function and the phone starts unlocked....

2- if the phone is not factory unlocked it checks PM120,03
a- if empty: the phone starts locked
b- if there is data in PM120,3, it generates SP and brute-forces RND to compare SHA1 hashes
b-1 if the SHA1 is the same as the one stored in PM120,1: the phone starts unlocked
b-2 if the SHA1 is not found, the phone starts with: Contact service

The only known way to check the validity of the NCK is to compare SHA1(SP+RND+IMEI); that is the reason why the phone needs to brute-force the salt. If there were another (permanent) way to check whether the phone is unlocked or not, why would the phone need to do the brute force at every start???

./br
#8 | 05-30-2011, 01:20 | oOXTCOo (Product Manager, J.A.U - Just Another Unlocker)
If you can exploit the phone to accept patched firmware, then you can do whatever you want.

You can completely disable the simlock check, or you can write another RSA key for simlock and write the correct SP code into PM, or unlock with a code calculated for the RSA signature which you have written...

The problem is more how to exploit the phone to accept patched firmware, not how it is protected... It doesn't matter how it's protected: with patching you can change everything...

Correct me if I am wrong.

Better to discuss how to make the phone accept patched firmware.
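The check angel25dz lays out in posts #5 and #7 (SL data the phone can only verify, never re-sign, and a stored SHA1 that the phone matches by brute-forcing RND at every start) and the two firmware-patch routes g-gabber (#6) and oOXTCOo (#8) describe can be put side by side in one small model. This is an added example, not Nokia firmware or any unlock tool's code: the PM field layout, the 2-byte salt width, the sample IMEI and SP, and the tiny textbook-RSA moduli (the thread says the real check is RSA-1024) are all assumptions chosen so it runs in well under a second.

```python
import hashlib

# Toy RSA key pairs. ~60-bit moduli are hopelessly small (the thread says the
# real check is RSA-1024); they are used only so the example runs instantly.
FACTORY_P, FACTORY_Q = 1_000_000_007, 1_000_000_009
ATTACKER_P, ATTACKER_Q = 2_147_483_647, 998_244_353
E = 65537


def keypair(p, q):
    """Return ((e, n), (d, n)) for textbook RSA on two known primes."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)


FACTORY_PUB, FACTORY_PRIV = keypair(FACTORY_P, FACTORY_Q)      # factory holds d
ATTACKER_PUB, ATTACKER_PRIV = keypair(ATTACKER_P, ATTACKER_Q)  # attacker's own pair


def _digest_int(data, n):
    """SHA-1 of data as an integer below n (no padding: toy only)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n


def rsa_sign(data, priv):
    d, n = priv
    return pow(_digest_int(data, n), d, n)


def rsa_verify(data, sig, pub):
    e, n = pub
    return pow(sig, e, n) == _digest_int(data, n)


RND_BYTES = 2   # assumed salt width: 65536 candidates, enough to show the search


def nck_hash(sp, rnd, imei):
    """SHA1(SP + RND + IMEI), the comparison described in post #7."""
    return hashlib.sha1(sp + rnd.to_bytes(RND_BYTES, "big") + imei.encode()).digest()


def factory_record(lock_flag, sp, rnd, imei, priv=FACTORY_PRIV):
    """Signed SL data as the thread models it: one lock-flag byte plus the
    SHA1 kept in 'PM120,1'. RND is not stored, so the phone cannot recompute
    the hash directly. The byte layout is this example's assumption."""
    body = bytes([lock_flag]) + nck_hash(sp, rnd, imei)
    return body, rsa_sign(body, priv)


def is_simlock_open(body, sig, sp_in_pm, imei, pub=FACTORY_PUB):
    """Phone-side check modelled on post #7. `pub` stands for the public-key
    constant compiled into the firmware; `sp_in_pm` for 'PM120,3'."""
    if not rsa_verify(body, sig, pub):      # edited SL data: stay locked
        return False
    lock_flag, stored_hash = body[0], body[1:]
    if lock_flag == 0:                      # factory unlocked
        return True
    if not sp_in_pm:                        # no code ever entered
        return False
    # RND is unknown, so the salt is brute-forced on every start.
    return any(nck_hash(sp_in_pm, r, imei) == stored_hash
               for r in range(256 ** RND_BYTES))


def demo():
    imei = "490154203237518"            # made-up sample IMEI, not a real device
    sp = bytes.fromhex("0badc0ffee")    # made-up SP (the NCK-derived secret)
    body, sig = factory_record(1, sp, 0xBEEF, imei)
    out = {
        "locked_without_code": is_simlock_open(body, sig, b"", imei),
        "wrong_code": is_simlock_open(body, sig, b"\x00" * 5, imei),
        "correct_code": is_simlock_open(body, sig, sp, imei),
    }
    # Post #5's objection to a one-byte data patch: clearing the flag inside
    # the signed record breaks the signature, so the phone stays locked.
    flipped = bytes([0]) + body[1:]
    out["flag_flipped_in_data"] = is_simlock_open(flipped, sig, b"", imei)
    # Post #8's route: unlocked SL data signed with the attacker's key is
    # rejected by stock firmware but accepted once the firmware's key constant
    # has been patched to the attacker's public key.
    free_body, free_sig = factory_record(0, sp, 0, imei, priv=ATTACKER_PRIV)
    out["attacker_sig_stock_key"] = is_simlock_open(free_body, free_sig, b"", imei)
    out["attacker_sig_patched_key"] = is_simlock_open(
        free_body, free_sig, b"", imei, pub=ATTACKER_PUB)
    return out


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:26s} unlocked={state}")
```

Run it and the data-only flip of the lock flag fails at the signature check, which is angel25dz's objection to a one-byte data patch; the same record signed with the attacker's key passes only after the verifier's key constant has been swapped, which is oOXTCOo's point that the real obstacle is getting the phone to run patched firmware at all, not the strength of the lock itself. g-gabber's route is the degenerate case of the same thing: a patched is_simlock_open whose conditional jump is inverted returns open before any of these checks run.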
#9 | 05-30-2011, 01:30 | lam_spiderman (Freak Poster, Nghệ An, Vietnam)
Originally posted by Mrd07:
> Until now nobody has said whether SL3 patch unlock (flash patching) is possible or not.
>
> Let's share your opinions and answers about this here.
>
> Best Regards.

Not now; wait, it will come.
#10 | 05-30-2011, 23:53 | kamiran (No Life Poster)
Originally posted by oOXTCOo:
> If you can exploit the phone to accept patched firmware, then you can do whatever you want.
>
> You can completely disable the simlock check, or you can write another RSA key for simlock and write the correct SP code into PM, or unlock with a code calculated for the RSA signature which you have written...
>
> The problem is more how to exploit the phone to accept patched firmware, not how it is protected... It doesn't matter how it's protected: with patching you can change everything...
>
> Correct me if I am wrong.
>
> Better to discuss how to make the phone accept patched firmware.

I like the idea of finding an exploit... like devs do on iOS- or Android-based phones to install custom (patched) firmware.

Br

K@mi
#11 | 05-31-2011, 06:08 | .:SUBRATA:. (No Life Poster, Bangladesh)
Originally posted by kamiran:
> I like the idea of finding an exploit... like devs do on iOS- or Android-based phones to install custom (patched) firmware.
>
> Br
>
> K@mi

Android has a different firmware structure: an open-source kernel. Nokia is really different.

B/R
Sub4t4
#12 | 05-31-2011, 08:54 | orbita (Product Supporter)
Originally posted by angel25dz:
> "IS_SIMLOCK_OPEN" in the case of SL3, what does it do exactly??
> The only known way to check the validity of the NCK is to compare SHA1(SP+RND+IMEI); that is the reason why the phone needs to brute-force the salt. If there were another (permanent) way to check whether the phone is unlocked or not, why would the phone need to do the brute force at every start???
>
> ./br

I'm really a beginner in Nokia, so correct me if I'm wrong.
1. This value, in fact, is not a random value; it's stored in some space in the phone (encrypted, hashed by some algorithm, no matter).

2. To access the secure storage area you need a modified loader, but..... what if you use Nokia C++ and make a small application to collect some data from the phone? Upload this to the phone, execute it and save this data to the memory card? It is the same as accessing the private filesystem from outside and from inside.

The idea is to access some phone security function from inside, not from outside, and execute this function.
Is there a possibility to catch this value used in the code verification algorithm?
#13 | 05-31-2011, 09:42 | datalife2000 (No Life Poster, Africa)
"...CORRECT ME IF I AM WRONG..." I like the idea...
#14 | 05-31-2011, 09:54 | orbita (Product Supporter)
Originally posted by datalife2000:
> "...CORRECT ME IF I AM WRONG..." I like the idea...

Did you post this only to post something? If you have something useful to write, write it. If not, there's no need to post nonsense.

Is it so "hot" in Africa now?
#15 | 05-31-2011, 10:28 | angel25dz (No Life Poster)
Originally posted by orbita:
> I'm really a beginner in Nokia, so correct me if I'm wrong.

I'm a beginner too.

> 1. This value, in fact, is not a random value; it's stored in some space in the phone (encrypted, hashed by some algorithm, no matter).

?
The salt is totally random; this is why the phone must brute-force it to check NCK validity....

> what if you use Nokia C++ and make a small application to collect some data from the phone?

Why?? All the needed data you can get using a custom loader.... Even if you make this kind of app, I don't think it would be able to access the secure storage... it would need to find and exploit a system hole like a buffer overflow or some other kind of hole....

> Is it so "hot" in Africa now?

Yes......

./br