BB5 - Technical Discussion - GSM-Forum

adihack · 06-27-2005, 22:58

! PLASE DON'T POST HERE ANY USELESS INFORMATION ABOU FAKE UNLOCK SOLUTIONS !

What is BB5 ? It new platform what Nokia Mobile Phones use in new products. After review it looks similar to WD2 platform(ex. 6600). It can't work without operation system. Heart of BB5 is main procssor "RAP3G". This name is codename used by Nokia to describe very good Texas Instrument integrtaed prcosseor developed for mobile solutions. It's new technolgy OMAP 1710(up to 220 MhZ). Here you can view infmation at Texas Instrument about this platform:

-> http://focus.ti.com/general/docs/wtb...data/omap_1710

Another link goes to documenation of "Innovator Development Kit" very similar to Nokia 6630

-> http://www-s.ti.com/sc/psheets/spru667/spru667.pdf

For this Kit is avaible good descripted JTAG(shuld work also with BB5) and Flasher via USB. Algoritms must be very similar !

Here you can download 60 days evaluation Code Composer v2:

-> https://focus.ti.com/general/docs/re...sp?regAppId=97

This is software what Nokia Mobile Phones used to develope software for Nokia BB5 Platform ! It's include Compiler, Linker, Debuger etc.

Fot today that's all. I hope that I'm not stay alone in this topic. We waiting for other useful information. Also I will post tomorrow next part of information

Good luck

MobileTech Team,
Poland

Mohanad · 06-28-2005, 11:48

I Think you have some wrong info,The RAP3G Processor is Very Similer To The Previous UPP2WD and its Handling The CMT Side Of The Phone and the Second Processor is OMAP 1710 Witch Handling The APE Side OF The Phone.
The Power MAnagment Ic's (UEM) Now Splited into Two Parts (Tahvo) and (Retu) its very Integrated Asic Devloped By Nokia.

Hope This info is good For All.

John_Doe · 06-28-2005, 14:09

and here some more infos...

experts · 07-01-2005, 09:17

...was impressed by the info. u posted regarding the RAP3G Processor. Was wondering if you have any other helpful info. on other Nk IC i.e. UPP, UEM, RAM, FLASH, HAGAR, MJOLNER, etc.
Anywhere could obtain photos from Mnf. ?
Regards,
Xprts

John_Doe · 07-01-2005, 12:11

Quote:

Originally Posted by experts

...was impressed by the info. u posted regarding the RAP3G Processor. Was wondering if you have any other helpful info. on other Nk IC i.e. UPP, UEM, RAM, FLASH, HAGAR, MJOLNER, etc.
Anywhere could obtain photos from Mnf. ?
Regards,
Xprts

here some info's about RETU...

sixkiller666 · 07-01-2005, 14:17

And few hints on BB5 Certificate structure

So. let's rock and roll

Regards

Commselect Inc.

MuXBoX · 07-01-2005, 15:36

This is a DUAL ENGINE PHONE with two processor one for EPOC and one for NOS. Both operating systems are physically seperated on different cores. NOS is now totally focused on the cellular modem activites and EPOC is totally focussed to user activities. The old series 60 was a single engine with the above points being shared.

BB5 security.

Most of the vital terminal/phone information such as locks, customisation etc have been encrypted/signed using a private key before downloading to the phone. This happens in the production phase.

If the information is is changed (ie lock status) the phone will recognise this and will not switch on.

The security system of the phone will apply a reset to the phone after 3 minutes if the security certificate is missing. If the certificate becomes corrupted the phone will reset every 30 seconds.

P.S. Anybody out there an ace repairer i wish to swap tricks and tips with them on things like fixing sysol samsung with key press faults and wd2/series 60 nokias that have signal failures

loneunlocker · 07-01-2005, 17:34

Quote:

Originally Posted by MuXBoX

This is a DUAL ENGINE PHONE with two processor one for EPOC and one for NOS. Both operating systems are physically seperated on different cores. NOS is now totally focused on the cellular modem activites and EPOC is totally focussed to user activities. The old series 60 was a single engine with the above points being shared.

BB5 security.

Most of the vital terminal/phone information such as locks, customisation etc have been encrypted/signed using a private key before downloading to the phone. This happens in the production phase.

If the information is is changed (ie lock status) the phone will recognise this and will not switch on.

The security system of the phone will apply a reset to the phone after 3 minutes if the security certificate is missing. If the certificate becomes corrupted the phone will reset every 30 seconds.

P.S. Anybody out there an ace repairer i wish to swap tricks and tips with them on things like fixing sysol samsung with key press faults and wd2/series 60 nokias that have signal failures

very interesting information thanks
regards loneunlocker

german gsm team · 07-02-2005, 16:29

Quote:

Originally Posted by sixkiller666

And few hints on BB5 Certificate structure

So. let's rock and roll

Regards

Commselect Inc.

Could you give some infos from which document the screenshots are? Is the document available somwhere?

german gsm team · 07-02-2005, 16:30

Since after presentation of correct unlock password the phone writes new simlock data the "Nokia Private Key" must be inside the phone. E.g. in RAP3G ?!?

Who can reverse engineer and read out RAP3G?

MuXBoX · 07-02-2005, 17:34

The 3g Radio Application Processor (RAP3G) replaced the TIKU. This chip looks like it has no memory at all. It is a processor so i dont think this would contain any data german gsm team.
I can tell you its also not the RETU, TAHVO.

I think what we are looking for is a security certificate that is encrypted using an external key at the nokia flash centres. I do not know how security certificates work but i can imagine they are not disimilar to the types of security used by microsoft when signing certificates for websites. So basically this will be a purely software unlock. Now if you manage to open sp lock etc ,the certificate will not match and hence wont work. If you change the certificate in any way without using the encoding hardware key found at nokia centres then the phone wont work due to corrupt certificate.

What you "could" do is re-write parts of the operating system to stop it ever looking for the security in the first place maybe. This would involve rewriting part of the series 60 OS. So getting past the lock is the easy bit , getting the phone to work afterwards will be what people like dejan are struggling to do.

The Repair Shop · 07-02-2005, 17:57

I'm learnig quit abit here guys please keep it uP :-)

**..::Neo::..** · 07-02-2005, 18:24

from my own exprince RPA3G got imei and unlock algo sotred inside

sixkiller666 · 07-02-2005, 19:24

Quote:

Originally Posted by ..::Neo::..

from my own exprince RPA3G got imei and unlock algo sotred inside

Actually better look on structure of BB5 architecure

Best regards

Commselect Inc.

JuniorJack · 07-02-2005, 20:00

Quote:

Originally Posted by MuXBoX

What you "could" do is re-write parts of the operating system to stop it ever looking for the security in the first place maybe. This would involve rewriting part of the series 60 OS. So getting past the lock is the easy bit

Not that fast...

PerformAuth ; CODE XREF: load_algo+D2p
BX PC ; Thumb to Arm switch
NOP
LDR R12, =0x3F6D ; boot addr
BX R12
; End of function PerformAuth

---

06-27-2005, 22:58	#1 (permalink)
adihack Freak Poster Join Date: May 2003 Location: Poland Age: 36 Posts: 233 Member: 29897 Status: Offline Thanks Meter: 3	BB5 - Technical Discussion ! PLASE DON'T POST HERE ANY USELESS INFORMATION ABOU FAKE UNLOCK SOLUTIONS ! What is BB5 ? It new platform what Nokia Mobile Phones use in new products. After review it looks similar to WD2 platform(ex. 6600). It can't work without operation system. Heart of BB5 is main procssor "RAP3G". This name is codename used by Nokia to describe very good Texas Instrument integrtaed prcosseor developed for mobile solutions. It's new technolgy OMAP 1710(up to 220 MhZ). Here you can view infmation at Texas Instrument about this platform: -> http://focus.ti.com/general/docs/wtb...data/omap_1710 Another link goes to documenation of "Innovator Development Kit" very similar to Nokia 6630 -> http://www-s.ti.com/sc/psheets/spru667/spru667.pdf For this Kit is avaible good descripted JTAG(shuld work also with BB5) and Flasher via USB. Algoritms must be very similar ! Here you can download 60 days evaluation Code Composer v2: -> https://focus.ti.com/general/docs/re...sp?regAppId=97 This is software what Nokia Mobile Phones used to develope software for Nokia BB5 Platform ! It's include Compiler, Linker, Debuger etc. Fot today that's all. I hope that I'm not stay alone in this topic. We waiting for other useful information. Also I will post tomorrow next part of information Good luck MobileTech Team, Poland

06-28-2005, 11:48	#2 (permalink)
Mohanad Freak Poster Join Date: Sep 2001 Location: Syria Posts: 107 Member: 6475 Status: Offline Thanks Meter: 1	Bb 5.0 I Think you have some wrong info,The RAP3G Processor is Very Similer To The Previous UPP2WD and its Handling The CMT Side Of The Phone and the Second Processor is OMAP 1710 Witch Handling The APE Side OF The Phone. The Power MAnagment Ic's (UEM) Now Splited into Two Parts (Tahvo) and (Retu) its very Integrated Asic Devloped By Nokia. Hope This info is good For All.

07-01-2005, 09:17	#4 (permalink)
experts Junior Member Join Date: Jun 2005 Location: Canada Posts: 12 Member: 157119 Status: Offline Thanks Meter: 0	Thnx Doe ... & adihack... ...was impressed by the info. u posted regarding the RAP3G Processor. Was wondering if you have any other helpful info. on other Nk IC i.e. UPP, UEM, RAM, FLASH, HAGAR, MJOLNER, etc. Anywhere could obtain photos from Mnf. ? Regards, Xprts

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
x65 patching technical discussion	Acidmrp	x6x and x7x Flashpatching	42	10-10-2009 07:06
Iphone 3G Technical Discussion and SP Unlocking theory	GraveSlayer	iPhone 2 / iPhone 3G / iPhone 3GS	8	11-15-2008 06:04
Technical discussion sharp705sh	celluniversal	Sharp	0	05-17-2007 17:26
Technical discussion BB5 unlocking	twisterfan	Nokia Base Band 5 ( BB-5 )	0	05-16-2007 19:36
Patching: Technical Discussion ...	rizapn	x4x, x5x Flashpatching	282	10-03-2006 19:23

07-01-2005, 15:36	#7 (permalink)
MuXBoX Junior Member Join Date: Jun 2003 Age: 48 Posts: 30 Member: 30719 Status: Offline Thanks Meter: 0	This is a DUAL ENGINE PHONE with two processor one for EPOC and one for NOS. Both operating systems are physically seperated on different cores. NOS is now totally focused on the cellular modem activites and EPOC is totally focussed to user activities. The old series 60 was a single engine with the above points being shared. BB5 security. Most of the vital terminal/phone information such as locks, customisation etc have been encrypted/signed using a private key before downloading to the phone. This happens in the production phase. If the information is is changed (ie lock status) the phone will recognise this and will not switch on. The security system of the phone will apply a reset to the phone after 3 minutes if the security certificate is missing. If the certificate becomes corrupted the phone will reset every 30 seconds. P.S. Anybody out there an ace repairer i wish to swap tricks and tips with them on things like fixing sysol samsung with key press faults and wd2/series 60 nokias that have signal failures

07-02-2005, 16:30	#10 (permalink)
german gsm team No Life Poster Join Date: Mar 2002 Location: Somewhere in the World Age: 54 Posts: 1,425 Member: 9848 Status: Offline Thanks Meter: 144	Since after presentation of correct unlock password the phone writes new simlock data the "Nokia Private Key" must be inside the phone. E.g. in RAP3G ?!? Who can reverse engineer and read out RAP3G?

07-02-2005, 17:34	#11 (permalink)
MuXBoX Junior Member Join Date: Jun 2003 Age: 48 Posts: 30 Member: 30719 Status: Offline Thanks Meter: 0	The 3g Radio Application Processor (RAP3G) replaced the TIKU. This chip looks like it has no memory at all. It is a processor so i dont think this would contain any data german gsm team. I can tell you its also not the RETU, TAHVO. I think what we are looking for is a security certificate that is encrypted using an external key at the nokia flash centres. I do not know how security certificates work but i can imagine they are not disimilar to the types of security used by microsoft when signing certificates for websites. So basically this will be a purely software unlock. Now if you manage to open sp lock etc ,the certificate will not match and hence wont work. If you change the certificate in any way without using the encoding hardware key found at nokia centres then the phone wont work due to corrupt certificate. What you "could" do is re-write parts of the operating system to stop it ever looking for the security in the first place maybe. This would involve rewriting part of the series 60 OS. So getting past the lock is the easy bit , getting the phone to work afterwards will be what people like dejan are struggling to do.

07-02-2005, 17:57	#12 (permalink)
The Repair Shop No Life Poster Join Date: Feb 2003 Location: In My Pub Posts: 5,828 Member: 307549 Status: Offline Thanks Meter: 188	I'm learnig quit abit here guys please keep it uP :-)

07-02-2005, 18:24	#13 (permalink)
..::Neo::.. Administrator Join Date: Jul 2002 Location: E G Y P T Age: 38 Posts: 3,213 Member: 14178 Status: Offline Thanks Meter: 8,862	from my own exprince RPA3G got imei and unlock algo sotred inside