BB5 downgrade - GSM-Forum

Dejan Kaljevic · 01-31-2007, 19:28

Best method is FULL FLASH erase and restoring with original Nokia rpl file!

Otherwise....

I didn't play much with that problem but you can try...
All test are made with 6630, probably it works with other BB5

MCU & DSP signatures are stored in 308,1 field on subblock
"ab0fbd96af2ac271d26264af dead 06 00"

That subblock is crypted by AES algorithm, and you have to know 16bytes key
or to use attack to make change on that subblock.
But...

To make simple SW update Nokia made some backdors.
Rap is testing that subblock and if new SW is newer than SW signature in
that subbblock RAP will update subblock with newer SW signature.
Otherwise, if new SW is older, RAP will STOP.
BUT if that subblock is corupted RAP will write default current SW signature!!!

So, procedure is next:

Power your BB5 phone.
After few sec. read field 308,1
Find in readed field 308,1 bytes "ab0fbd96af2ac271d26264afdead0600"
and after that header fill next 16 bytes with zeros.
Write back that new field 308,1 to phone.
Well why Nokia made that after writing new fild 308,1 it is not tested...
Anyway new field is stored in FLASH and it will be tested on NEXT phone reset!!!
Here is more critical part.
You have to flash phone with older SW before phone SW reset!!!
You have to find flasher that allows very fast entering phone in FLASH mode!!!
(if flasher after powering phone gives to much time to RAP start SW testing,
SW downgrade will faill!)
If every thing goes ok after flashing ,RAP will find corrupted subblock
and will authorise previous wrote downgraded SW!

That's it.

B.R.
Dejan

icon · 01-31-2007, 19:46

do i need to read the area for each phone every time or one time i read then use the same file for other phone

DeDaMrAz · 01-31-2007, 19:47

@Dejan

Could you address that problem on gsm-serbia??? (So we can talk normaly

)

moldovan · 01-31-2007, 20:18

Quote:

Originally Posted by Dejan Kaljevic

...
You have to find flasher that allows very fast entering phone in FLASH mode!!!
...

Fine , theory is clear.
What flasher You can recommend ?
WBR !

..::ArchitRaj::.. · 01-31-2007, 20:23

Quote:

Originally Posted by moldovan

Fine , theory is clear.
What flasher You can recommend ?
WBR !

Hi

I think MT is good

BR

Archit Raj

eivoig · 01-31-2007, 20:32

Dejans theory is true but the question is can we use the the back up RPL to rewrite after downgrade or we need to buy RPL from nokia server and write it to the downgraded phone.

F1 is not too fast flasher must better mt-box flasher. If dejan bb5 unlocker is available much better but until now there is no picture of that amazing box.

vodafone_banha · 01-31-2007, 20:40

i hope it is work

good luck

Marinsabac · 01-31-2007, 21:46

why you need a picture.. you can put it in anybox.. and paint it and write anything that you like on it.. it's not important how it looks like so you can see it....

Dejan Kaljevic · 01-31-2007, 21:47

Using this method to downgrade SW, you do NOT need rpl file, but phone
must be 100% working.

About flasher. Well after this post in day or two all flasher will support
SW downgrade using this method

B.R.
Dejan

Quote:

Originally Posted by eivoig

Dejans theory is true but the question is can we use the the back up RPL to rewrite after downgrade or we need to buy RPL from nokia server and write it to the downgraded phone.

F1 is not too fast flasher must better mt-box flasher. If dejan bb5 unlocker is available much better but until now there is no picture of that amazing box.

bojsa_84 · 01-31-2007, 21:50

dejan I need your help, look your mail please
tanks

Marinsabac · 01-31-2007, 21:51

why you need a picture?.. you can put it in any box.. and paint it and write anything that you like on it.. it's not important how it looks like but it's important what it does...

Senior · 01-31-2007, 22:04

Hi Dejan,

nice to see You here, how are You doing?

OvidelGSM · 01-31-2007, 22:06

Quote:

Originally Posted by Dejan Kaljevic

Using this method to downgrade SW, you do NOT need rpl file, but phone
must be 100% working.

About flasher. Well after this post in day or two all flasher will support
SW downgrade using this method

B.R.
Dejan

sorry for off-topic ... what about that promissed boxes from you?

dervish · 01-31-2007, 22:12

Quote:

Originally Posted by Dejan Kaljevic

You have to find flasher that allows very fast entering phone in FLASH mode!!!

Possible in detail?
If possible, what flasher from known

Kashif Khan · 01-31-2007, 22:22

Welcome back sir Dejan,
I read your solution i know it will work 100% but i have another question for you ,According to people's and my thinking herez only one person in this world who can provide us BB5 unlocking solution and thats you.
Why you leaved the forum?
why you don't make the box?
And when you are giving us the solution?
And who deleted your posts?
BR
Kashif Khan

01-31-2007, 19:28	#1 (permalink)
Dejan Kaljevic Freak Poster Join Date: Feb 2001 Posts: 213 Member: 3354 Status: Offline Thanks Meter: 3,948	BB5 downgrade Best method is FULL FLASH erase and restoring with original Nokia rpl file! Otherwise.... I didn't play much with that problem but you can try... All test are made with 6630, probably it works with other BB5 MCU & DSP signatures are stored in 308,1 field on subblock "ab0fbd96af2ac271d26264af dead 06 00" That subblock is crypted by AES algorithm, and you have to know 16bytes key or to use attack to make change on that subblock. But... To make simple SW update Nokia made some backdors. Rap is testing that subblock and if new SW is newer than SW signature in that subbblock RAP will update subblock with newer SW signature. Otherwise, if new SW is older, RAP will STOP. BUT if that subblock is corupted RAP will write default current SW signature!!! So, procedure is next: Power your BB5 phone. After few sec. read field 308,1 Find in readed field 308,1 bytes "ab0fbd96af2ac271d26264afdead0600" and after that header fill next 16 bytes with zeros. Write back that new field 308,1 to phone. Well why Nokia made that after writing new fild 308,1 it is not tested... Anyway new field is stored in FLASH and it will be tested on NEXT phone reset!!! Here is more critical part. You have to flash phone with older SW before phone SW reset!!! You have to find flasher that allows very fast entering phone in FLASH mode!!! (if flasher after powering phone gives to much time to RAP start SW testing, SW downgrade will faill!) If every thing goes ok after flashing ,RAP will find corrupted subblock and will authorise previous wrote downgraded SW! That's it. B.R. Dejan

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
--- BB5 Downgrade Problem - Finally Solved! ---	Bph&co	Nokia Base Band 5 ( BB-5 )	76	11-18-2007 10:15
BB5 downgrade without any box!!!	heydi	Nokia Base Band 5 ( BB-5 )	4	01-12-2007 03:53
-- BB5 Downgrade Procedure --	Bph&co	Federal One	0	01-09-2007 22:31
bb5 downgrade	samanthe	Nokia Base Band 5 ( BB-5 )	3	05-19-2006 20:24

01-31-2007, 19:46	#2 (permalink)
icon Freak Poster Join Date: Oct 2005 Location: China Posts: 118 Member: 191046 Status: Offline Sonork: 100.84351 Thanks Meter: 7	do i need to read the area for each phone every time or one time i read then use the same file for other phone

01-31-2007, 19:47	#3 (permalink)
DeDaMrAz Freak Poster Join Date: May 2002 Location: Serbia Age: 42 Posts: 257 Member: 11604 Status: Offline Thanks Meter: 7	@Dejan Could you address that problem on gsm-serbia??? (So we can talk normaly )

01-31-2007, 20:32	#6 (permalink)
eivoig No Life Poster Join Date: Jul 2001 Location: Spinning on my OWN Orbit Posts: 968 Member: 5358 Status: Offline Thanks Meter: 211	Dejans theory is true but the question is can we use the the back up RPL to rewrite after downgrade or we need to buy RPL from nokia server and write it to the downgraded phone. F1 is not too fast flasher must better mt-box flasher. If dejan bb5 unlocker is available much better but until now there is no picture of that amazing box.

01-31-2007, 20:40	#7 (permalink)
vodafone_banha Temporary banned !! Join Date: May 2005 Age: 39 Posts: 257 Member: 148045 Status: Offline Thanks Meter: 17	i hope it is work good luck

01-31-2007, 21:46	#8 (permalink)
Marinsabac Freak Poster Join Date: May 2005 Location: Serbia Age: 45 Posts: 269 Member: 146744 Status: Offline Thanks Meter: 25	why you need a picture.. you can put it in anybox.. and paint it and write anything that you like on it.. it's not important how it looks like so you can see it....

01-31-2007, 21:50	#10 (permalink)
bojsa_84 Junior Member Join Date: Jan 2007 Posts: 1 Member: 443261 Status: Offline Thanks Meter: 0	dejan I need your help, look your mail please tanks

01-31-2007, 21:51	#11 (permalink)
Marinsabac Freak Poster Join Date: May 2005 Location: Serbia Age: 45 Posts: 269 Member: 146744 Status: Offline Thanks Meter: 25	why you need a picture?.. you can put it in any box.. and paint it and write anything that you like on it.. it's not important how it looks like but it's important what it does...

01-31-2007, 22:04	#12 (permalink)
Senior Freak Poster Join Date: May 1999 Posts: 123 Member: 8 Status: Offline Thanks Meter: 21	Hi Dejan, nice to see You here, how are You doing?

01-31-2007, 22:22	#15 (permalink)
Kashif Khan No Life Poster Join Date: Oct 2004 Location: Holland China Brazil Age: 43 Posts: 3,815 Member: 88016 Status: Offline Thanks Meter: 320	Welcome back sir Dejan, I read your solution i know it will work 100% but i have another question for you ,According to people's and my thinking herez only one person in this world who can provide us BB5 unlocking solution and thats you. Why you leaved the forum? why you don't make the box? And when you are giving us the solution? And who deleted your posts? BR Kashif Khan