Thread: Debranding - Hacking VSM files
View Single Post
Old 01-30-2009, 17:47   #7 (permalink)
elseWestcott
Freak Poster
 
Join Date: Jan 2009
Posts: 170
Member: 956117
Status: Offline
Thanks Meter: 66
Thumbs down
VSM files start with the bytes 01 00 00 bc which appear to be nothing more than a magic number. Changing any of these first four bytes causes the file to not be recognized as a VSM file.

Next are four bytes that give the length of the resource section in little-endian order so 46 0b 00 00 signifies that the length is 0x00000b46 or 2886 bytes long.

The next four bytes are calculated by taking 0xffffffff - (the CRC-32 of the resource section). If the CRC-32 of the resource section is 0x5480b153 then take 0xffffffff - 0x5480b153 = 0xab7f4eac so the four bytes are ac 4e 7f ab.

The Vendor ID takes the next two bytes. Remember that little-endian order is used, so 36 01 is used to represent the vendor id 310 for Wind Italy. The Vendor ID MAY be changed without affecting the file signature or the checksum.

The next two bytes are always zero.

There is a single byte value of unknown purpose followed by two bytes of zero followed by a byte that is zero when the unknown value is zero, and one when the unknown value is non-zero.

There are eight bytes of zero before the resource section begins. This may be reserved for future use.

The resource section may be empty, but most often it contains resources. Each resource starts with two bytes that specify the resource type, followed by a two byte resource length value, followed by the resource data. If the last byte of the resource falls on an even-numbered address offset (assuming the first byte in the file is considered offset zero) then there is a pad null byte between the two resources. The pad byte is not figured into the length of either resource, but is included in the value for the total resource section length found in the file header.

The resouces may be listed in any order, however changing any byte in the resource section including resource order will cause the file signature to be invalid.

Following the resource section there may or may not be a footer and signature. The footer is the byte sequence: 1F 2D C8 D7 33 00 00 00 80 00 00 00. I am not sure of the function of the first eight bytes, but I believe the 80 00 specifies that the signature is of length 0x0080 or 128 bytes. There are two null bytes followed by a 128 byte (1024 bit) signature.

The following table lists the values to use to define a field type followed by a name for each. There are also some values for flags listed after the field for which they are used.
Code:
0x0    FIELD_BITMAP_1_DATA
0x1    FIELD_BITMAP_1_TIMEOUT
0x2    FIELD_BITMAP_2_DATA
0x10    FIELD_ENGINEERING_UNIT
0x11    FIELD_SUPPRESS_SOS
0x13    FIELD_BETA_TEST
0x14    FIELD_EVALUATION_UNIT
0x15    FIELD_SUPPORT_DIRECT_DIAL_SEND
0x16    FIELD_ONS_RENDER_MODE
0x17    FIELD_DISABLE_VOLUME_BOOST
0x18    FIELD_DISABLE_BLACKBERRY_PROTECTION_MODE
0x1000    FIELD_WELCOME_MESSAGE_SUBJECT_ISO8859
0x1001    FIELD_WELCOME_MESSAGE_BODY_ISO8859
0x1002    FIELD_WELCOME_MESSAGE_FROM_ISO8859
0x1003    FIELD_WELCOME_MESSAGE_SUBJECT
0x1004    FIELD_WELCOME_MESSAGE_BODY
0x1005    FIELD_WELCOME_MESSAGE_FROM
0x1100    FIELD_DEVICE_MESSAGE_SUBJECT
0x1101    FIELD_DEVICE_MESSAGE_BODY
0x1102    FIELD_DEVICE_MESSAGE_FROM
0x1200    FIELD_TOP_TIPS_MESSAGE_SUBJECT
0x1201    FIELD_TOP_TIPS_MESSAGE_BODY
0x1202    FIELD_TOP_TIPS_MESSAGE_FROM
0x2000    FIELD_ESCREEN_HELP_MSG
0x3000    FIELD_PROVISIONING_IP
0x3001    FIELD_PROVISIONING_DEST_PORT
0x3002    FIELD_PROVISIONING_SRC_PORT
0x3003    FIELD_PROVISIONING_APN
0x3004    FIELD_PROVISIONING_DEVICE_CLASS
0x3005    FIELD_PROVISIONING_APN_USERNAME
0x3006    FIELD_PROVISIONING_APN_PASSWORD
0x3007    FIELD_PROVISIONING_FLAGS
0x1    FLAG_PROVISIONING_DONT_SEND_MSISDN
0x2    FLAG_PROVISIONING_DONT_SEND_ICCID
0x4    FLAG_PROVISIONING_SEND_SPN
0x8    FLAG_PROVISIONING_RIM
0x10    FLAG_PROVISIONING_SEND_EMPLOYEE_ROLE_FEATURE_INFO
0x20    FLAG_PROVISIONING_DONT_SEND_AIRTIME_USAGE_STATS
0x40    FLAG_PROVISIONING_INFO_LEVEL_1
0x80    FLAG_PROVISIONING_INFO_LEVEL_2
0x3100    FIELD_2ND_PROVISIONING_IP
0x3101    FIELD_2ND_PROVISIONING_DEST_PORT
0x3102    FIELD_2ND_PROVISIONING_SRC_PORT
0x3103    FIELD_2ND_PROVISIONING_APN
0x3104    FIELD_2ND_PROVISIONING_DEVICE_CLASS
0x3105    FIELD_2ND_PROVISIONING_APN_USERNAME
0x3106    FIELD_2ND_PROVISIONING_APN_PASSWORD
0x3107    FIELD_2ND_PROVISIONING_FLAGS
0x3500    TCP_APN_DEFAULT_APNNAME
0x3501    TCP_APN_DEFAULT_USERNAME
0x3502    TCP_APN_DEFAULT_PASSWORD
0x3600    FIELD_CDMA_IIF_APN
0x3601    FIELD_CDMA_IIF_APN_USERNAME
0x3602    FIELD_CDMA_IIF_APN_PASSWORD
0x3800    FIELD_PRIMARY_WIRELESS_ACCESS_FAMILY
0x1    WAF_3GPP
0x2    WAF_CDMA
0x3    WAF_WLAN
0x4    WAF_IDEN
0x4000    FIELD_BRANDING_WAP_ICON
0x4001    FIELD_BRANDING_TUNE
0x4002    FIELD_BRANDING_TUNE_NAME
0x4003    FIELD_BRANDING_KEY
0x4004    FIELD_BRANDING_TUNE_MIDI
0x4005    FIELD_BRANDING_WAP_SPLASH
0x4006    FIELD_BRANDING_TUNE_CONTENT_DATA
0x4007    FIELD_BRANDING_TUNE_CONTENT_TYPE
0x4100    FIELD_BRANDING_BROWSER_ICON_0
0x4101    FIELD_BRANDING_BROWSER_ICON_1
0x4102    FIELD_BRANDING_BROWSER_ICON_2
0x4103    FIELD_BRANDING_BROWSER_ICON_3
0x4104    FIELD_BRANDING_BROWSER_ICON_4
0x4105    FIELD_BRANDING_BROWSER_ICON_5
0x4106    FIELD_BRANDING_BROWSER_ICON_6
0x4107    FIELD_BRANDING_BROWSER_ICON_7
0x4108    FIELD_BRANDING_BROWSER_ICON_8
0x4109    FIELD_BRANDING_BROWSER_ICON_9
0x4200    FIELD_IDLESCREEN_CONTENT_TYPE
0x4201    FIELD_IDLESCREEN_CONTENT_DATA
0x4202    FIELD_BRANDING_IGNORE_INTEL_SPLASH
0x4300    FIELD_BROWSER_UAPROF_URI
0x5000    FIELD_HELP_WMLC
0x5100    FIELD_PREFERRED_PLMN_FEATURE
0x0    VALUE_PREFERRED_PLMN_DISABLED
0x1    VALUE_PREFERRED_PLMN_ENABLED
0x5200    PHONE_BOOT_URL
0x5201    PHONE_BOOT_NAIURL
0x5202    BROWSER_DOMAIN_TRUSTED
0x5203    BROWSER_PROXY_WDP
0x5300    FIELD_CELL_BROADCAST
0x5301    FIELD_CELL_BROADCAST_ALWAYS_POPUP
0x6000    FIELD_MESSAGE_LIST_OPTIONS_AUTO_ATTACHMENT_DOWNLOAD_ENABLED
0x6001    FIELD_MESSAGE_LIST_OPTIONS_AUTO_ATTACHMENT_DOWNLOAD
0x6002    FIELD_MESSAGE_LIST_OPTIONS_AUTO_ATTACHMENT_DOWNLOAD_HIGH_SPEED_NETWORK
0x7000    FIELD_OMA_CLIENT_PROVISIONING_DOCUMENT
0x7010    FIELD_GAN_SECURE_GATEWAY
0x7011    FIELD_GAN_CONTROLLER
0x7020    FIELD_GAN_ROOT_CERT_1
0x7021    FIELD_GAN_ROOT_CERT_2
0x7022    FIELD_GAN_ROOT_CERT_3
0x7023    FIELD_GAN_ROOT_CERT_4
0x7026    FIELD_GAN_WLAN_THRESHOLD
0x0    VALUE_GAN_ROVE_THRESHOLD_LOW
0x1    VALUE_GAN_ROVE_THRESHOLD_MEDIUM
0x2    VALUE_GAN_ROVE_THRESHOLD_HIGH
0x7027    FIELD_GAN_SIGNAL_STRENGTH_THRESHOLD
0x7028    FIELD_GAN_SIGNAL_QUALITY_THRESHOLD
0x7029    FIELD_GAN_PROTOCOL_VERSION
0x0    VALUE_GAN_PROTOCOL_VERSION_UMA_1_0_0
0x1    VALUE_GAN_PROTOCOL_VERSION_UMA_1_0_1
0x2    VALUE_GAN_PROTOCOL_VERSION_UMA_1_0_2
0x3    VALUE_GAN_PROTOCOL_VERSION_UMA_1_0_3
0x4    VALUE_GAN_PROTOCOL_VERSION_UMA_1_0_4
0x5    VALUE_GAN_PROTOCOL_VERSION_3GPP_rev6
0x7030    FIELD_WLAN_DISABLED
0x7031    FIELD_WLAN_ENTERPRISE_DATA_DISABLED
0x7032    FIELD_WLAN_ENTERPRISE_DATA_FLAG_OVERRIDES_IT_POLICY
0x7033    FIELD_WLAN_LAYER3_AUTH_KEY
Below is a list of Vendor ID values in both hex and decimal.
Code:
0x01    1    RIM
0x64    100    T_MOBILE_US
0x65    101    CINGULAR_WIRELESS
0x66    102    AT_T_WIRELESS
0x67    103    NEXTEL
0x68    104    SPRINT_PCS
0x69    105    VERIZON_WIRELESS
0x6a    106    ALLTEL
0x6b    107    ROGERS_AT_T
0x6c    108    MICROCELL
0x6d    109    BELL_MOBILITY
0x6e    110    BT_CELLNET
0x6f    111    O2_GERMANY
0x70    112    DIGIFONE
0x71    113    TELFORT
0x72    114    T_MOBILE_GERMANY_AUSTRIA
0x73    115    TIM_ITALY
0x74    116    HUTCHISON
0x75    117    BOUYGUES_TELECOM
0x76    118    VODAFONE_SFR_FRANCE
0x77    119    ORANGE_FRANCE
0x78    120    VODAFONE_UK_NETHERLANDS
0x79    121    TELCEL_MEXICO
0x7a    122    TELSTRA
0x7b    123    T_MOBILE_UK
0x7c    124    VODAFONE_GERMANY
0x7d    125    O2_UK_IRELAND_ISLE_OF_MAN_NETHERLANDS
0x7e    126    TELUS
0x7f    127    SMART
0x80    128    STARHUB
0x81    129    TELEFONICA_SPAIN
0x82    130    VODAFONE_SWITZERLAND_SWISSCOM
0x83    131    CABLE_WIRELESS_WEST_INDIES
0x84    132    VODAFONE_ITALY
0x85    133    VODAFONE_SPAIN
0x86    134    T_MOBILE_NETHERLANDS
0x87    135    CINCINNATI_BELL
0x88    136    TELEFONICA_MEXICO
0x89    137    VODAFONE_AUSTRIA
0x8a    138    VODAFONE_AUSTRALIA_FIJI
0x8b    139    VODAFONE_IRELAND
0x8c    140    TELENOR_SWEDEN
0x8d    141    CSL
0x8e    142    ORANGE_UK
0x8f    143    VODAFONE_NEW_ZEALAND
0x90    144    SINGTEL
0x91    145    GLOBE
0x92    146    OPTUS
0x93    147    ORANGE_BE_MOBISTAR
0x94    148    VODAFONE_HUNGARY
0x95    149    BHARTI
0x96    150    KPN_NL
0x97    151    WIND_HELLAS_TIM_GREECE
0x98    152    VODAFONE_BELGIUM
0x99    153    VODAFONE_PORTUGAL
0x9a    154    TIM_BRAZIL
0x9b    155    BT_MOBILE
0x9c    156    EARTHLINK
0x9d    157    AETHER
0x9e    158    E_PLUS
0x9f    159    BASE
0xa0    160    DOBSON_COMMUNICATIONS
0xa1    161    VODAFONE_EGYPT
0xa2    162    ORANGE_SWITZERLAND
0xa3    163    RIM_WLAN
0xa4    164    T_MOBILE_SUNCOM
0xa5    165    MAXIS
0xa6    166    VODAFONE_DENMARK_TDC
0xa7    167    VODAFONE_SINGAPORE_M1
0xa8    168    VODACOM_SOUTH_AFRICA
0xa9    169    T_MOBILE_POLAND
0xaa    170    T_MOBILE_CZECH
0xab    171    T_MOBILE_HUNGARY
0xac    172    AT_T_SPRINT
0xad    173    MTN_SOUTH AFRICA
0xae    174    TIM_CHILE_ENTEL_PCS
0xaf    175    ORANGE_SPAIN
0xb0    176    VODAFONE_SMARTONE_HONG_KONG
0xb1    177    TCS_TELECOMMUNICATION_SYSTEMS
0xb2    178    AVEA
0xb3    179    FAST_100
0xb4    180    TURKCELL
0xb5    181    PARTNER_COMMUNICATIONS
0xb7    183    ORANGE_ROMANIA
0xba    186    TELKOMSEL
0xbc    188    VODAFONE_GREECE
0xbd    189    UNITED_STATES_CELLULAR_CORP
0xbe    190    MOBILINK
0xbf    191    VELOCITA_WIRELESS
0xc0    192    VODAFONE_CROATIA
0xc1    193    VODAFONE_SLOVENIA
0xc2    194    VODAFONE_LUXEMBOURG
0xc3    195    VODAFONE_ICELAND
0xc4    196    VODAFONE_FIJI
0xc5    197    VODAFONE_ROMANIA
0xc6    198    VODAFONE_CZECH
0xc7    199    VODAFONE_BAHRAIN
0xc8    200    VODAFONE_KUWAIT
0xc9    201    T_MOBILE_CROATIA
0xca    202    T_MOBILE_SLOVAKIA
0xcb    203    NORTEL
0xcc    204    CHINA_MOBILE
0xcd    205    MOVILNET
0xd1    209    SYMPAC
0xd2    210    PERSONAL_ARGENTINA
0xd4    212    ETISALAT_UAE
0xd5    213    CBEYOND
0xd6    214    AMX
0xd7    215    TELEFONICA_VENEZUELA
0xd8    216    TELEFONICA_BRAZIL
0xd9    217    ORANGE_ROMANIA
0xda    218    KTPOWERTEL_KOREA
0xdb    219    ROLLING_STONES
0xdc    220    DOCOMO
0xde    222    VODAFONE_BULGARIA
0xdf    223    NEXTEL_INTERNATIONAL
0xe0    224    PCCW_SUNDAY
0xe1    225    HAWAIIAN_TELCOM_CREDO_MOBILE
0xe2    226    VERIZON_MVNO
0xe3    227    MOBILY
0xe4    228    BWA
0xe5    229    O2_CZECH_REPUBLIC
0xe6    230    HUTCHISON_INDIA
0xe7    231    CELCOM
0xea    234    DIALOG
0xeb    235    XL
0xec    236    RELIANCE
0xed    237    VERIZON_WIRELESS_WHOLESALE
0xee    238    VODAFONE_TURKEY
0xef    239    TELEFONICA_MOROCCO_MEDITEL
0xf0    240    INDOSAT
0xf1    241    ALCATEL_SHANGHAI_BELL
0xf5    245    3_UK_ITALY_SWEDEN_DENMARK_AUSTRIA_IRELAND
0xf7    247    VODAFONE_ESSAR
0xf8    248    CENTENNIAL_WIRELESS
0xfa    250    T_MOBILE_AUSTRIA
0xfe    254    OI_BRAZIL
0xff    255    TELECOM_NEW_ZEALAND
0x102    258    HUTCHINSON_3G_AUSTRALIA
0x103    259    CABLE_&_WIRELESS_TRINIDAD_TOBAGO
0x10c    268    BMOBILE
0x10d    269    TATA_TELESERVICES_INDIA
0x10f    271    T_MOBILE_CROATIA
0x111    273    BT_ITALY
0x112    274    1&1
0x115    277    MTS_MOBILITY
0x116    278    VIRGIN_MOBILE
0x118    280    ORANGE_SLOVAKIA
0x11a    282    TAIWAN_MOBILE
0x11d    285    ORANGE_AUSTRIA
0x11e    286    VODAFONE_MALTA
0x120    288    BASE_JIM_MOBILE
0x127    295    CMCC_PEOPLES
0x12a    298    DIGITEL_WIRELESS
0x12b    299    SK_TELECOM
0x12c    300    SOLO_MOBILE
0x12d    301    CARPHONE_WAREHOUSE
0x12e    302    20:20_MOBILE_GROUP
0x134    308    XL_INDONESIA
0x135    309    FIDO_SOLUTIONS
0x136    310    WIND_ITALY
Last edited by elseWestcott; 01-30-2009 at 17:55. Reason: reformat
  Reply With Quote
The Following 13 Users Say Thank You to elseWestcott For This Useful Post:
Show/Hide list of the thanked
 
Page generated in 0.74894 seconds with 7 queries