FlashAuthorityID calculation Algorithm - Page 2 - GSM-Forum

Invisible · 12-11-2001, 17:08

hi,

I can´t confirm this since I haven´t take a look at new DCT4 phones but Dejan promissed us that in 6 months he will give it for free. I think that if faid will be so closer it won´t be for free.

best regards, Invisible

Invisible · 12-12-2001, 13:56

hi, -------------------------------------- 1000737D push 0 1000737F call FLS1GetAuthorityID <--* 10007384 and eax, 7FFFFFFFh 10007389 jnz short loc_10007399 1000738B lea edx, [esp+20h+faid] 1000738F push edx 10007390 push esi 10007391 call flashidsetdct4 --------------------------------------- just another dissambling of a dongle call, we can´t determine how closer are the algorithms if they are stored in the dongle. By the way, FLS-1 is clonable from DK dongle?, any info?,

best regards, Invisible

GsMen · 12-12-2001, 18:31

[quote]Originally posted by Bph&Co: 

 Strange on their pages there are no details about their Dongles. The same time everyone know that they don't have the manpower to develop such a soution - so obvious reason is they buy cracked PIC's for that. Just ask them <img src="smile.gif" border="0">

 Best Regards, Alex<hr></blockquote>

So If I buy a JIC box I can use DEJAN too cause it has a cracked pic in it (or visa versa??)

GsMen

Bph&co · 12-12-2001, 20:52

Hi,

Sorry but never seen it ! A lot of members sell this - probably will take them less than a minute to see what's inside and give you a clue <img src="smile.gif" border="0">

BR

maxxnskk · 12-13-2001, 03:54

Ok guyz what do you say about link <a href="http://www.net.yu/~dejan/download/src_104.zip" target="_blank">http://www.net.yu/~dejan/download/src_104.zip</a> on this page? <a href="http://users.net.yu/~dejan/flasher/flasher.html" target="_blank">http://users.net.yu/~dejan/flasher/flasher.html</a>

emix · 12-13-2001, 04:15

link does not work sori!!

maxxnskk · 12-13-2001, 04:28

But look on the flasher page. It modified. I already have sources, but I download it from polishgsm.com and thought that it is fake. Now I see that Dejan modifid his page. May be time is come

maxxnskk · 12-13-2001, 04:53

Maybe all Dejan's pic and hex is only as blind?

Invisible · 12-14-2001, 11:27

hi,

dk2sendandrecive is the important part, calculation of the faid is done inside dongle, wintesla only full buffer and seed dongle, so as you see is more that a simple xor encription. Also FLS dongle uses Des in comunication to avoid being simulate. Once calculation is done (dk2sendandrecive) the software updates it. I see three ways to attack it: 1.- Scratch list, slow since Des in involved 2.- Dongle reverse, unafortunaly I don´t have one 3.- Flash dissamble, no coments

please correct me if I am wrong,

best regards, Invisible

Bph&co · 12-14-2001, 14:43

Hi guys,

As I see you are reffering to the old FLS-2D device.

But inside you can find AVR and DK3 ASIC. The FAID calcultion performed by the AVR got nothing to do with calls to DES ASIC. They just use common interface - control port of the LPT.

DES ASIC is used for read and write eeprom calls -to encrypt the data in the eeprom and EncriptionThru calls.

AVR does the calculation of FAID. That's why for example if you don't have FLS device, but only PKD-1 you can't update eeprom.

Best Regards

dito · 12-14-2001, 15:12

Is the new PDK based on a DK3?

Best regards!

Bph&co · 12-14-2001, 15:42

Hi dito,

PKD1 uses DES2ACS for encryption, but FLS-2D use DES3ACS which is the ASIC from DK3 dongle.

Best Regards

dito · 12-14-2001, 15:46

But you don't need a PDK-1 when you got a FLS-2 right?

Best regards!

smoother · 12-14-2001, 16:31

Bph&Co, i think ist's more easy if u give ALL FAID recalculation alghoritm! <img src="wink.gif" border="0"> Don't u think so?

Keep your Good WorkZ, Mate!

Invisible · 12-14-2001, 18:55

hi,

Bph&Co is right, comunication is done with DES as far as I get it from Deskey manuals. Calculation is done by mcu inside. About PKD-1, Bph&Co, could you tell me if it´s based on a DK2 or a DK12?, I have one DK2 and would like to have PKD-1 updating x25020 eeprom. Also if I updated eeprom successfull how does I know dongle password (I have package from Saras but not complete). I don´t have FLS-1 so I can´t give more info,

best regards, Invisible

[ 14 December 2001 18:57: Message edited by: Invisible ]

12-11-2001, 17:08	#16 (permalink)
Invisible No Life Poster Join Date: Apr 2001 Location: รำมว&# Posts: 2,461 Member: 3956 Status: Offline Sonork: galletto3 rules :D Thanks Meter: 55	hi, I can´t confirm this since I haven´t take a look at new DCT4 phones but Dejan promissed us that in 6 months he will give it for free.<br />I think that if faid will be so closer it won´t be for free. best regards,<br />Invisible

12-12-2001, 13:56	#17 (permalink)
Invisible No Life Poster Join Date: Apr 2001 Location: รำมว&# Posts: 2,461 Member: 3956 Status: Offline Sonork: galletto3 rules :D Thanks Meter: 55	hi,<br />--------------------------------------<br />1000737D push 0<br />1000737F call FLS1GetAuthorityID <--*<br />10007384 and eax, 7FFFFFFFh<br />10007389 jnz short loc_10007399<br />1000738B lea edx, [esp+20h+faid]<br />1000738F push edx<br />10007390 push esi<br />10007391 call flashidsetdct4<br />---------------------------------------<br />just another dissambling of a dongle call,<br />we can´t determine how closer are the algorithms<br />if they are stored in the dongle.<br />By the way, FLS-1 is clonable from DK dongle?, any info?, best regards,<br />Invisible

12-12-2001, 18:31	#18 (permalink)
GsMen No Life Poster Join Date: Sep 2000 Location: Netherlands Posts: 857 Member: 2100 Status: Offline Thanks Meter: 40	[quote]Originally posted by Bph&Co:<br /><strong> <br />Strange on their pages there are no details about their Dongles. The same time everyone know that they don't have the manpower to develop such a soution - so obvious reason is they buy cracked PIC's for that. Just ask them <img src="smile.gif" border="0"> <br />Best Regards, Alex</strong><hr></blockquote> So If I buy a JIC box I can use DEJAN too cause it has a cracked pic in it (or visa versa??) GsMen

12-13-2001, 03:54	#20 (permalink)
maxxnskk Freak Poster Join Date: Oct 2001 Location: Novosibirsk Posts: 277 Member: 6791 Status: Offline Thanks Meter: 0	Ok guyz what do you say about link <br /><a href="http://www.net.yu/~dejan/download/src_104.zip" target="_blank">http://www.net.yu/~dejan/download/src_104.zip</a><br />on this page?<br /><a href="http://users.net.yu/~dejan/flasher/flasher.html" target="_blank">http://users.net.yu/~dejan/flasher/flasher.html</a>

12-13-2001, 04:28	#22 (permalink)
maxxnskk Freak Poster Join Date: Oct 2001 Location: Novosibirsk Posts: 277 Member: 6791 Status: Offline Thanks Meter: 0	But look on the flasher page.<br />It modified.<br />I already have sources, but I download it from polishgsm.com and thought that it is fake.<br />Now I see that Dejan modifid his page.<br />May be time is come

12-12-2001, 20:52	#19 (permalink)
Bph&co No Life Poster Join Date: Feb 2000 Location: UK Posts: 3,186 Member: 1024 Status: Offline Thanks Meter: 5,510	Hi, Sorry but never seen it ! A lot of members sell this - probably will take them less than a minute to see what's inside and give you a clue <img src="smile.gif" border="0"> BR

12-13-2001, 04:15	#21 (permalink)
emix Freak Poster Join Date: May 2001 Location: o(''.'')o Posts: 259 Member: 4647 Status: Offline Thanks Meter: 3	link does not work sori!!

12-13-2001, 04:53	#23 (permalink)
maxxnskk Freak Poster Join Date: Oct 2001 Location: Novosibirsk Posts: 277 Member: 6791 Status: Offline Thanks Meter: 0	Maybe all Dejan's pic and hex is only as blind?

12-14-2001, 11:27	#24 (permalink)
Invisible No Life Poster Join Date: Apr 2001 Location: รำมว&# Posts: 2,461 Member: 3956 Status: Offline Sonork: galletto3 rules :D Thanks Meter: 55	hi, dk2sendandrecive is the important part, calculation of the faid is done inside dongle, wintesla only full buffer and seed dongle, so as you see is more that a simple xor encription.<br />Also FLS dongle uses Des in comunication to avoid being simulate. Once calculation is done (dk2sendandrecive) the software updates it.<br />I see three ways to attack it:<br />1.- Scratch list, slow since Des in involved<br />2.- Dongle reverse, unafortunaly I don´t have one<br />3.- Flash dissamble, no coments please correct me if I am wrong, best regards,<br />Invisible

12-14-2001, 14:43	#25 (permalink)
Bph&co No Life Poster Join Date: Feb 2000 Location: UK Posts: 3,186 Member: 1024 Status: Offline Thanks Meter: 5,510	Hi guys, As I see you are reffering to the old FLS-2D device. But inside you can find AVR and DK3 ASIC. The<br />FAID calcultion performed by the AVR got nothing<br />to do with calls to DES ASIC. They just use common interface - control port of the LPT. DES ASIC is used for read and write eeprom calls -to encrypt the data in the eeprom and EncriptionThru calls. AVR does the calculation of FAID. That's why for <br />example if you don't have FLS device, but only PKD-1 you can't update eeprom. Best Regards

12-14-2001, 15:12	#26 (permalink)
dito No Life Poster Join Date: Jan 2000 Posts: 501 Member: 860 Status: Offline Thanks Meter: 1	Is the new PDK based on a DK3? Best regards!

12-14-2001, 15:42	#27 (permalink)
Bph&co No Life Poster Join Date: Feb 2000 Location: UK Posts: 3,186 Member: 1024 Status: Offline Thanks Meter: 5,510	Hi dito, PKD1 uses DES2ACS for encryption, but FLS-2D use<br />DES3ACS which is the ASIC from DK3 dongle. Best Regards

12-14-2001, 15:46	#28 (permalink)
dito No Life Poster Join Date: Jan 2000 Posts: 501 Member: 860 Status: Offline Thanks Meter: 1	But you don't need a PDK-1 when you got a FLS-2 right? Best regards!

12-14-2001, 16:31	#29 (permalink)
smoother Freak Poster Join Date: May 2001 Location: Portugal Posts: 132 Member: 4812 Status: Offline Thanks Meter: 0	Bph&Co, i think ist's more easy if u give ALL<br />FAID recalculation alghoritm! <img src="wink.gif" border="0"> <br />Don't u think so? Keep your Good WorkZ, Mate!

12-14-2001, 18:55	#30 (permalink)
Invisible No Life Poster Join Date: Apr 2001 Location: รำมว&# Posts: 2,461 Member: 3956 Status: Offline Sonork: galletto3 rules :D Thanks Meter: 55	hi, Bph&Co is right, comunication is done with DES as far as I get it from Deskey manuals.<br />Calculation is done by mcu inside.<br />About PKD-1, Bph&Co, could you tell me if it´s based on a DK2 or a DK12?, I have one DK2 and would like to have PKD-1 updating x25020 eeprom. <br />Also if I updated eeprom successfull how does I know dongle password (I have package from Saras but not complete).<br />I don´t have FLS-1 so I can´t give more info, best regards,<br />Invisible <FONT COLOR="#ffff00" SIZE="1">[ 14 December 2001 18:57: Message edited by: Invisible ]</font>

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
IMEI checkdigit calculation algorithm needed	crusher	Sony Ericsson	5	10-31-2006 09:16
where I can find JAVA algorithme for calculator ?	JAVA Good	GSM Programming & Reverse Engineering	0	10-22-2004 09:46
Maxon calculator algorithm need	Batgoy	GSM Programming & Reverse Engineering	1	05-07-2003 15:09
Need any info. about sagem unlock code calculation algorithms...	majid	Infineon C16X M51 & ARM7 M52 BASED	1	05-14-2002 06:52
NCK calculation algorithm	kynky	Infineon C16X M51 & ARM7 M52 BASED	0	09-14-2000 22:25