| GSM Programming & Reverse Engineering Here you can post all Kind of GSM Programming and Reverse Engineering tools and Secrets. |
| | #1 (permalink) |
| No Life Poster Join Date: Mar 2002 Location: Somewhere in the World
Posts: 1,224
Member: 9848 Status: Offline Thanks: 48
Thanked 119 Times in 83 Posts
Some thoughts about ICERA based modems e.g. Nokia CS1x series.

Until now there is only 1 non-released solution for ICERA-based modems like Nokia CS-1x series / Option AT&T 322 Orange 515m / Vodafone K-3806-Z.

During analysis of the firmware updater for Nokia CS-15 I found some files in the firmware directory. One of these files is asn1_tool.exe. When you start this app in a DOS-Box you get:

```
c:\>asn1_tool
AUDIO_CFG asn1 encoder/decoder version 1.3
CUST_CFG asn1 encoder/decoder version 7.9_04_1.2
Default usage: asn1 -s <SPEC_TYPE> [-q] [-u] (-e|-d|-g) <file.bin> <file.xml>
-to generate default: asn1 -s <SPEC_TYPE> -g -x <file.xml> -b <file.bin>
-to encode from XML: asn1 -s <SPEC_TYPE> -e -x <file.xml> -b <file.bin>
-to decode from binary: asn1 -s <SPEC_TYPE> -d -b <file.bin>
SPEC_TYPE values:
- PLAT_CFG
- EXTHDR
- CUST_CFG
- AUDIO_CFG
- AUDIO_ECAL
- AUDIO_TCAL
Optional flags:
-q (quiet mode)
-u (values equal to default not encoded)
```

And

```
c:\>asn1_tool -s CUST_CFG -d -b nocd.iso.wrapped
<CustomerConfig>
  <crossBootCheck>
    <secondaryBootUpda****able><false/></secondaryBootUpda****able>
    <loaderUpda****able><false/></loaderUpda****able>
    <factoryTestsUpda****able><false/></factoryTestsUpda****able>
    <appliUpda****able><false/></appliUpda****able>
    <crossBootCheckEnable><true/></crossBootCheckEnable>
    <massUpda****able><false/></massUpda****able>
  </crossBootCheck>
  <preferredSystem><wcdmaPref/></preferredSystem>
  <serviceDomain><csPs/></serviceDomain>
  <bandConfiguration>
    <bandGroupScan><emeaFirst/></bandGroupScan>
    <w1900BeforeW850><false/></w1900BeforeW850>
    <preferredBand>
      <Band><none/></Band>
    </preferredBand>
    <bandCapabilities>
      <Band><none/></Band>
    </bandCapabilities>
    <diversityOnBand>
      <Band><fddBandI/></Band>
      <Band><fddBandII/></Band>
      <Band><fddBandV/></Band>
    </diversityOnBand>
  </bandConfiguration>
  <customMepData>
    <personalisationsActivated>2</personalisationsActivated>
    <personalisationsEnabled>31</personalisationsEnabled>
    <personalisationKeyPS>
      <Uint16>0</Uint16>
    </personalisationKeyPS>
    <personalisationKeyPN>
      <Uint16>0</Uint16>
    </personalisationKeyPN>
    <personalisationKeyPU>
      <Uint16>0</Uint16>
    </personalisationKeyPU>
    <personalisationKeyPC>
      <Uint16>0</Uint16>
    </personalisationKeyPC>
    <personalisationKeyPP>
      <Uint16>0</Uint16>
    </personalisationKeyPP>
    <keyRetryPS>10</keyRetryPS>
    <keyRetryPN>10</keyRetryPN>
    <keyRetryPU>10</keyRetryPU>
    <keyRetryPC>10</keyRetryPC>
    <keyRetryPP>10</keyRetryPP>
    <networkIds>
      <SimPlmnAsn>
      </SimPlmnAsn>
    </networkIds>
    <networkSubsetId>
      <Uint16>0</Uint16>
    </networkSubsetId>
    <serviceProviderId>
      <Uint16>0</Uint16>
    </serviceProviderId>
    <corporateId>
      <Uint16>0</Uint16>
    </corporateId>
  </customMepData>
  <copsInitPlmn>
    <mcc>4095</mcc>
    <mnc>4095</mnc>
    <mncThreeDigitsDecoding>0</mncThreeDigitsDecoding>
  </copsInitPlmn>
  <copsInitNwSelMode>0</copsInitNwSelMode>
  <cgdcont>
    <cid>0</cid>
    <pdpType>IP</pdpType>
    <apnName></apnName>
    <pdpAddr></pdpAddr>
    <dComp>0</dComp>
    <hComp>0</hComp>
  </cgdcont>
  <cgeqreq>
    <cid>0</cid>
    <trafficClass>0</trafficClass>
    <maxBitRateUplink>0</maxBitRateUplink>
    <maxBitRateDownlink>0</maxBitRateDownlink>
    <guaranteedBitRateUplink>0</guaranteedBitRateUplink>
    <guaranteedBitRateDownlink>0</guaranteedBitRateDownlink>
    <deliveryOrder>0</deliveryOrder>
    <maxSduSize>0</maxSduSize>
    <sduErrorRatio>0E0</sduErrorRatio>
    <residualBER>0E0</residualBER>
    <deliveryOfErrSdu>0</deliveryOfErrSdu>
    <transferDelay>0</transferDelay>
    <trafficPriority>0</trafficPriority>
  </cgeqreq>
  <cimiDisabled><false/></cimiDisabled>
  <ati1String>Icera, Inc.</ati1String>
  <ati2String></ati2String>
  <ati3String></ati3String>
  <ati4String></ati4String>
  <ati5String></ati5String>
  <ati6String></ati6String>
  <ati7String></ati7String>
  <cfunModeAtStart>1</cfunModeAtStart>
  <operator1Enhancements><false/></operator1Enhancements>
  <usb>
    <idVendor>6531</idVendor>
    <idProduct>769</idProduct>
    <bcdDevice>1</bcdDevice>
    <manufacturer>Icera Inc.</manufacturer>
    <product>Datacard</product>
    <serialNumber>0.0.1</serialNumber>
    <idProductMassStorage>773</idProductMassStorage>
  </usb>
  <softwareVersionNumber>99</softwareVersionNumber>
  <customerLabel></customerLabel>
  <specificationVersion>7</specificationVersion>
  <specificationRevision>9</specificationRevision>
  <ignoreWwanDisableFunct><true/></ignoreWwanDisableFunct>
  <extension>
    <versioning>
      <swVersion></swVersion>
      <date></date>
      <time></time>
      <model></model>
      <drvVersion></drvVersion>
      <control></control>
    </versioning>
    <customerIdVersion>04_1.2</customerIdVersion>
  </extension>
  <engineeringMode>
    <access><disabled/></access>
    <engineeringKey>
      01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10 A1 B2 C3 D4
    </engineeringKey>
    <factoryAccess><passwordEnabled/></factoryAccess>
    <factoryEngineeringKey>
      78 5E DE 9F E2 D1 EE 62 5F 43 E6 D1 69 B6 AE 46 C4 7F 14 8E
    </factoryEngineeringKey>
  </engineeringMode>
  <csVoiceDisabled><false/></csVoiceDisabled>
  <operatorEnhancements>
    <operator1Enhancements><false/></operator1Enhancements>
    <operator2Enhancements><false/></operator2Enhancements>
  </operatorEnhancements>
  <hspaCategories>
    <hsdpaCategory><cat8/></hsdpaCategory>
    <hsupaCategory><cat5/></hsupaCategory>
  </hspaCategories>
  <modelIdString></modelIdString>
  <manufacturerIdString></manufacturerIdString>
  <temperatureSafety>
    <temperatureThr0>400</temperatureThr0>
    <temperatureThr1>400</temperatureThr1>
    <temperatureThr2>400</temperatureThr2>
  </temperatureSafety>
  <cipheringA53Enabled><false/></cipheringA53Enabled>
  <batteryMonitoring>
    <vbatCriticalThr>0</vbatCriticalThr>
    <pwrRedLBGmskVoltage>0</pwrRedLBGmskVoltage>
    <pwrRedLBGmskPowerVal>0</pwrRedLBGmskPowerVal>
    <pwrRedLB8pskVoltage>0</pwrRedLB8pskVoltage>
    <pwrRedLB8pskPowerVal>0</pwrRedLB8pskPowerVal>
    <pwrRedHBGmskVoltage>0</pwrRedHBGmskVoltage>
    <pwrRedHBGmskPowerVal>0</pwrRedHBGmskPowerVal>
    <pwrRedHB8pskVoltage>0</pwrRedHB8pskVoltage>
    <pwrRedHB8pskPowerVal>0</pwrRedHB8pskPowerVal>
    <rfPaOnThrUmts>10000</rfPaOnThrUmts>
    <rfPaOnThrGsm>10000</rfPaOnThrGsm>
  </batteryMonitoring>
  <gprsAttachAtPowerOn><true/></gprsAttachAtPowerOn>
</CustomerConfig>
```

Anybody know how to read out this information from a live modem? Anybody know how to enter the factory mode?

From another source I got the following:

```
<customMepData>
  <personalisationsActivated>2</personalisationsActivated>
  <personalisationPSEnabled><true/></personalisationPSEnabled>
  <personalisationKeyPN>
    XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
  </personalisationKeyPN>
  <personalisationKeyPU>
    XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
  </personalisationKeyPU>
  <personalisationKeyPC>
    XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
  </personalisationKeyPC>
  <personalisationKeyPP>
    XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
  </personalisationKeyPP>
  <keyRetryPS>10</keyRetryPS>
  <keyRetryPN>10</keyRetryPN>
  <keyRetryPU>10</keyRetryPU>
  <keyRetryPC>10</keyRetryPC>
  <keyRetryPP>10</keyRetryPP>
  <networkIdsList>
    <SimPlmnAsn>
      <mcc>4095</mcc>
      <mnc>4095</mnc>
      <mncThreeDigitsDecoding>0</mncThreeDigitsDecoding>
    </SimPlmnAsn>
  </networkIdsList>
  <networkSubsetIdsList>
    <Uint16>255</Uint16>
  </networkSubsetIdsList>
  <serviceProviderIdsList>
    <Uint16>255</Uint16>
  </serviceProviderIdsList>
  <corporateIdsList>
    <Uint16>255</Uint16>
  </corporateIdsList>
  <personalisationKeyLockErase>
    XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
  </personalisationKeyLockErase>
</customMepData>
```

All keys are the same (XXed by me).

Anybody know how to send personalisation commands to the modem? Some commands are in the config directory when you install Nokia_Internet_Modem.exe. The files are readable SQLite 3 databases.
|
| | #3 (permalink) |
| No Life Poster Join Date: Mar 2002 Location: Somewhere in the World
Posts: 1,224
Member: 9848 Status: Offline Thanks: 48
Thanked 119 Times in 83 Posts
| C:\program files\nokia internet modem\firmwares |
|
| The Following User Says Thank You to german gsm team For This Useful Post: |
| | #6 (permalink) |
| No Life Poster Join Date: Mar 2002 Location: Somewhere in the World
Posts: 1,224
Member: 9848 Status: Offline Thanks: 48
Thanked 119 Times in 83 Posts
| The Icera updater writes files to the filesystem. Perhaps someone can patch it to read it. Here is a standalone updater from Finnish operator Elisa for Nokia CS-17: http://www.elisa.fi/elisa/docimages/...er-0.1.0.5.exe |
|
| | #7 (permalink) |
| Junior Member Join Date: Feb 2012
Posts: 37
Member: 1723215 Status: Offline Thanks: 6
Thanked 12 Times in 8 Posts
| Never mind how and who stores files. Isn't the modem connected to a COM port, virtual or physical? Hang up a tracer and log the traffic. All we need is that the program sends the right sequence to the modem. |
|
| | #8 (permalink) |
| No Life Poster Join Date: Mar 2002 Location: Somewhere in the World
Posts: 1,224
Member: 9848 Status: Offline Thanks: 48
Thanked 119 Times in 83 Posts
| There is a file Nokia_Internet_Stick_CS-10_RD_flashing_instructions.doc on the net. But unfortunately the Python script is missing. Screenshot from the Word file: |
|
| | #9 (permalink) |
| Product Manager Join Date: Feb 2005 Location: Poland Age: 23
Posts: 4,836
Member: 117496 Status: Offline Sonork: 100.83919 Thanks: 84
Thanked 21,562 Times in 675 Posts
| Nice R&D, I will buy a few sticks and check what's going on |
|
| The Following 2 Users Say Thank You to karwos For This Useful Post: |
| | #11 (permalink) |
| No Life Poster Join Date: Mar 2002 Location: Somewhere in the World
Posts: 1,224
Member: 9848 Status: Offline Thanks: 48
Thanked 119 Times in 83 Posts
| I doubt that Icera ported Linux to a completely new CPU architecture. If someone finds a way to unpack the modem.wrapped file we will see. It's zlib with an Icera header. Until now I didn't find the zlib header. |
|
| | #12 (permalink) | |
| Moderator Join Date: May 1999 Location: Blagoevgrad, Bulgaria Age: 41
Posts: 739
Member: 73 Status: Online Sonork: 100.86913 Thanks: 5
Thanked 317 Times in 97 Posts
| Quote:
2. modem.wrapped ?!?!?!

Code:
```
0A04E81C40000000D3A43E0000000088
0000000101000000DD730BA400000000
81004040000298DB58DCCB98DCCC4C8
A80C182B8C0000000000000000000000
00001E71C0C000000
C3A23E00
78DAC4BD0B585357BA30BCF7CECE9500
9B9B606B3409A060B5265CBCB4C506D08A1DAD58
```

- IN YELLOW -> Compressed data
0x78, 0xDA -> ZLIB extra compression (level 9)
CUT TO HERE!!!

3. Use attached exe to decompress.

Code:
```
D:\test>zlibc.exe -d modem.wrapped mdm
Irgendeine Taste zum Abbrechen druecken!
Dekomprimiere modem.wrapped nach mdm.
Prozent fertig: 99%
Status: Erfolg

D:\test>
```

Regards: Victor
|
| The Following 2 Users Say Thank You to Victor For This Useful Post: |
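The unpacking step from post #12, as an added example that is not part of the original thread and not the attached zlibc.exe: it scans a file for the zlib header bytes 0x78 0xDA and inflates from the first offset that yields a complete stream. The sample container is constructed, and its 16-byte filler header is an assumption, not the real Icera header layout.

```python
import zlib

ZLIB_MAGIC = b"\x78\xda"  # zlib header: deflate, 32 KiB window, best compression


def candidate_offsets(blob, magic=ZLIB_MAGIC):
    """Yield every offset at which the two header bytes occur."""
    pos = blob.find(magic)
    while pos != -1:
        yield pos
        pos = blob.find(magic, pos + 1)


def unwrap(blob, max_out=64 * 1024 * 1024):
    """Return (offset, payload, trailing) for the first stream that inflates fully.

    The two magic bytes can also occur by chance inside a vendor header, so
    every candidate is verified by decompressing it; zlib checks the Adler-32
    trailer before reporting end of stream. max_out caps the output size so an
    untrusted file cannot exhaust memory.
    """
    for offset in candidate_offsets(blob):
        d = zlib.decompressobj()
        try:
            payload = d.decompress(blob[offset:], max_out)
        except zlib.error:
            continue  # false positive: bytes matched but no valid stream
        if d.eof:
            return offset, payload, d.unused_data
        if d.unconsumed_tail:
            raise ValueError(f"stream at {offset:#x} exceeds {max_out} bytes")
    raise ValueError("no complete zlib stream found")


def make_sample():
    """Constructed container: 16 filler bytes (with a decoy magic), stream, trailer."""
    original = b"constructed firmware image " * 64
    header = b"HDR0" + ZLIB_MAGIC + b"\xff\xff" + b"\x00" * 8  # not the Icera layout
    return header + zlib.compress(original, 9) + b"TRAILER", original


if __name__ == "__main__":
    blob, original = make_sample()
    offset, payload, trailing = unwrap(blob)
    print(f"zlib stream at {offset:#x}, {len(payload)} bytes out, "
          f"{len(trailing)} trailing bytes")
```

Bytes left in `trailing` after the stream ends are worth inspecting separately, since a container may append a checksum, signature or further sections there.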
| | #13 (permalink) | |
| Freak Poster Join Date: Apr 2003
Posts: 221
Member: 26596 Status: Offline Thanks: 9
Thanked 12 Times in 8 Posts
| Quote:
...and what is the next step after unzlib? Maybe a DXP disassembler )))) Regards, Latigido922 | |
|
| | #14 (permalink) |
| Moderator Join Date: May 1999 Location: Blagoevgrad, Bulgaria Age: 41
Posts: 739
Member: 73 Status: Online Sonork: 100.86913 Thanks: 5
Thanked 317 Times in 97 Posts
| No idea ... I just help with unpacking. Whoever wants to reverse, let's reverse. I do all Huawei modems by IMEI. |
|