GSM-Forum

GSM-Forum (https://forum.gsmhosting.com/vbb/)
-   Nokia Digital Core Technology 4 ( DCT-4 ) (https://forum.gsmhosting.com/vbb/f139/)
-   -   Flash & Uem Imei (https://forum.gsmhosting.com/vbb/f139/flash-uem-imei-181358/)

Dejan Kaljevic 01-08-2005 23:08

Flash & Uem Imei
 
1 Attachment(s)
Hello,
For those who want to play and patch DCT4 phones...

There is a listing of more than 100Mb of the 8310 DCT4 phone
that I disassembled a long time ago (2001-2002).
Since I'm not interested anymore...

Hints:
01000000 plain FLASH base addr
09000000 cipher FLASH base addr
There are at least 3 ways to decrypt<->encrypt DCT4 FLASH images.

And there it is...

###########################################
; Get_IMEI
###########################################
;r0 = dest
;RET r0 = status; 1=OK
;If IMEI is BAD dest will be filled with FF,FF,FF,.... ("?????....")

002B2E2C: B5 30 PUSH (R4,R5,LR)
002B2E2E: B0 82 SUB SP,#0008

;==========================================
; get IMEI from flash

002B2E30: 1C 04 ADD R4,R0,#0 ;r0 = dest
002B2E32: 21 0D MOV R1,#0D ;offset
002B2E34: 22 10 MOV R2,#10 ;size
002B2E36: F0 00 F9 AD CALL 002B3194 ;Get_secure_data_from_FLASH (GET IMEI)

002B2E3A: 1C 05 ADD R5,R0,#0
002B2E3C: 2D 01 CMP R5,#01
002B2E3E: D1 1A BNE 002B2E76 ;jmp if IMEI FLASH is NOT VALID!

;==========================================
; get IMEI from UEM

002B2E40: 46 68 MOV R0,SP ;r0 = dest (SP_LOC[8])
002B2E42: F0 00 F9 DF CALL 002B3204 ;READ_UEM_IMEI r0 = dest
002B2E46: 1C 05 ADD R5,R0,#0 ;r5 = status
002B2E48: 2D 01 CMP R5,#01
002B2E4A: D1 0B BNE 002B2E64 ;jmp if UEM IMEI is zero (00,00,00,...)

;==========================================
; compare UEM & FLASH IMEI

002B2E4C: 46 69 MOV R1,SP ;r1=UEM IMEI, r4=FLASH IMEI
002B2E4E: 20 00 MOV R0,#00
002B2E50: 5D 03 LDRB R3,[R0+R4]
002B2E52: 78 0A LDRB R2,[R1+#00]
002B2E54: 42 93 CMP R3,R2
002B2E56: D1 08 BNE 002B2E6A ;jmp if there is difference!
002B2E58: 31 01 ADD R1,#01
002B2E5A: 1C 40 ADD R0,R0,#1
002B2E5C: 04 00 LSL R0,R0,16
002B2E5E: 0C 00 LSR R0,R0,16
002B2E60: 28 08 CMP R0,#08
002B2E62: DB F5 BLT 002B2E50

;==========================================
002B2E64: 2D 00 CMP R5,#00
002B2E66: D0 01 BEQ 002B2E6C
002B2E68: E0 05 JMP 002B2E76

002B2E6A: 25 00 MOV R5,#00
002B2E6C: 20 03 MOV R0,#03
002B2E6E: F0 00 F8 67 CALL 002B2F40 ;Get_sys_flag
002B2E72: 28 02 CMP R0,#02
002B2E74: D0 09 BEQ 002B2E8A

002B2E76: 2D 01 CMP R5,#01
002B2E78: D0 07 BEQ 002B2E8A

;==========================================
; fill dest with "FF" if IMEI is BAD!

002B2E7A: 21 FF MOV R1,#FF
002B2E7C: 20 00 MOV R0,#00
002B2E7E: 55 01 STRB R1,[R0+R4]
002B2E80: 1C 40 ADD R0,R0,#1
002B2E82: 04 00 LSL R0,R0,16
002B2E84: 0C 00 LSR R0,R0,16
002B2E86: 28 10 CMP R0,#10
002B2E88: DB F9 BLT 002B2E7E

002B2E8A: 20 01 MOV R0,#01
002B2E8C: B0 02 ADD SP,#0008
002B2E8E: BD 30 RET (R4,R5)


########################################
Get_secure_data_from_FLASH
########################################
;r0 = dest
;r1 = offset in FLASH secure data block
;r2 = size in bytes
;RET r0 = status ;1=OK (in dest is valid data), else ERROR (dest is filled with FF...)
;=======================================

002B3194: B5 F0 PUSH (R4,R5,R6,R7,LR)
002B3196: B0 81 SUB SP,#0004
002B3198: 1C 14 ADD R4,R2,#0
002B319A: 91 00 STR R1,[SP+#0000] ;save PARAM R1 (offset)
002B319C: 1C 06 ADD R6,R0,#0


;=======================================
;copy SECURE FLASH cipher block of 28h bytes from FLASH 900003ah to temp RAM 43d14h

002B319E: 4D 5B LDR R5,[PC+#016C] ;[002B330C]=00043D14 ;r5 = temp buf
002B31A0: 49 5E LDR R1,[PC+#0178] ;[002B331C]=0900003A
002B31A2: 1C 28 ADD R0,R5,#0
002B31A4: 22 28 MOV R2,#28
002B31A6: 4B 5C LDR R3,[PC+#0170] ;[002B3318]=00043FD0
002B31A8: 68 1B LDR R3,[R3+#00] ;=840001
002B31AA: 46 FE MOV LR,PC
002B31AC: 47 18 BX R3 ;call 840001 (ROM_SEC__COPY_MEM r0=dest r1=src r2=size)

;=======================================
;decode SECURE FLASH cipher block

002B31AE: 1C 28 ADD R0,R5,#0 ;r0,r1 = src,dst
002B31B0: 1C 29 ADD R1,R5,#0
002B31B2: 22 28 MOV R2,#28 ;size
002B31B4: 23 20 MOV R3,#20 ;decryption mode
002B31B6: F7 FF FF 64 CALL 002B3082 ;DECRYPT_DATA
002B31BA: 1C 07 ADD R7,R0,#0 ;r7 = decrypt status

;=======================================
; calc checksum of decrypted SECURE FLASH block and test if it is correct

002B31BC: 1C 28 ADD R0,R5,#0 ;r0 = src
002B31BE: 21 26 MOV R1,#26 ;size
002B31C0: F7 FF FF 84 CALL 002B30CC ;CALC_SUM (ret r0=chk)
002B31C4: 21 26 MOV R1,#26
002B31C6: 5D 49 LDRB R1,[R1+R5]
002B31C8: 02 0A LSL R2,R1,8
002B31CA: 21 27 MOV R1,#27
002B31CC: 5D 49 LDRB R1,[R1+R5]
002B31CE: 43 11 ORR R1,R2 ;r1 = chk from SECURE FLASH block
002B31D0: 42 88 CMP R0,R1
002B31D2: D1 0A BNE 002B31EA ;jmp if checksum is BAD!

002B31D4: 2F 01 CMP R7,#01
002B31D6: D1 0D BNE 002B31F4 ;jmp if decrypt status is BAD!

;=======================================
; copy from SECURE FLASH decrypted block offset*size to dest (for IMEI offset=dh,size=10h)

002B31D8: 4B 4F LDR R3,[PC+#013C] ;[002B3318]=00043FD0
002B31DA: 98 00 LDR R0,[SP+#0000] ;PARAM R1 (offset)
002B31DC: 19 41 ADD R1,R0,R5 ;r1 = temp_buf+offset
002B31DE: 1C 30 ADD R0,R6,#0 ;r0 = PARAM R0 (dest)
002B31E0: 1C 22 ADD R2,R4,#0 ;r2 = PARAM R2 (size)
002B31E2: 68 1B LDR R3,[R3+#00] ;=840001
002B31E4: 46 FE MOV LR,PC
002B31E6: 47 18 BX R3 ;call 840001 (ROM_SEC__COPY_MEM r0=dest r1=src r2=size)
002B31E8: E0 04 JMP 002B31F4

;=======================================
; If the FLASH IMEI has any error dest will be filled with "FF".....

002B31EA: 1C 22 ADD R2,R4,#0 ;r2 = PARAM R2 (size)
002B31EC: 1C 30 ADD R0,R6,#0 ;r0 = PARAM R0 (dest)
002B31EE: 21 FF MOV R1,#FF ;r1 = fill value
002B31F0: F1 86 FE 0C CALL 00439E0C ;FILL_MEM

;=======================================
; fill temp_buf to make HACKING harder :)

002B31F4: 1C 28 ADD R0,R5,#0 ;r0 = temp_buf
002B31F6: 21 FF MOV R1,#FF ;r1 = fill value
002B31F8: 22 28 MOV R2,#28 ;size
002B31FA: F1 86 FE 07 CALL 00439E0C ;FILL_MEM

002B31FE: 1C 38 ADD R0,R7,#0
002B3200: B0 01 ADD SP,#0004
002B3202: BD F0 RET (R4,R5,R6,R7)
;************************************************

;################################################
READ_UEM_IMEI
;################################################
;r0 = dest
;RET r0 = status; 1=IMEI is not zero (00,00,00,....)

002B3204: B5 F0 PUSH (R4,R5,R6,R7,LR)
002B3206: 1C 04 ADD R4,R0,#0
002B3208: 26 04 MOV R6,#04 ;read 4 registers
002B320A: 4D 48 LDR R5,[PC+#0120] ;[002B332C]=014AE414 ;IMEI reg:mask table (1b,1c,1d,1e, mask=ffff)
002B320C: 27 00 MOV R7,#00

002B320E: 68 28 LDR R0,[R5+#00] ;r0 = reg:mask
002B3210: F0 01 FD 99 CALL 002B4D46 ;READ_UEM_REG
002B3214: 04 00 LSL R0,R0,16 ;r0 = reg value
002B3216: 0C 00 LSR R0,R0,16
002B3218: 2F 00 CMP R7,#00
002B321A: D1 02 BNE 002B3222
002B321C: 28 00 CMP R0,#00
002B321E: D0 00 BEQ 002B3222
002B3220: 27 01 MOV R7,#01
002B3222: 0A 01 LSR R1,R0,8
002B3224: 70 21 STRB R1,[R4+#00] ;wr reg value H to dest
002B3226: 34 01 ADD R4,#01
002B3228: 70 20 STRB R0,[R4+#00] ;wr reg value L to dest
002B322A: 34 01 ADD R4,#01
002B322C: 35 04 ADD R5,#04
002B322E: 3E 01 SUB R6,#01
002B3230: D1 ED BNE 002B320E

002B3232: 1C 38 ADD R0,R7,#0
002B3234: BD F0 RET (R4,R5,R6,R7)
;************************************************

004AE414: 00 1B ;IMEI UEM TABLE
004AE416: FF FF
004AE418: 00 1C
004AE41A: FF FF
004AE41C: 00 1D
004AE41E: FF FF
004AE420: 00 1E
004AE422: FF FF
;************************************************


B.R.
Dejan Kaljevic
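A Python model of the decision logic in the three routines above (Get_IMEI, Get_secure_data_from_FLASH, READ_UEM_IMEI), added here as an illustration; it is not code from the listing or from the phone firmware. The cipher behind DECRYPT_DATA and the CALC_SUM algorithm are not in the thread, so the secure block is taken as already decrypted, CALC_SUM is assumed to be a 16-bit byte sum, and make_block plus the sample IMEI are constructed test data.

```python
# Model of the DCT4 IMEI consistency check from the listing above (added illustration,
# not firmware code). DECRYPT_DATA and CALC_SUM are not given in the thread: the block
# is passed in already decrypted and CALC_SUM is ASSUMED to be a plain 16-bit byte sum.
SEC_BLOCK_SIZE = 0x28              # bytes copied from cipher FLASH 0900003Ah
SUM_LEN = 0x26                     # bytes covered by CALC_SUM; sum stored at 26h/27h
IMEI_OFF, IMEI_LEN = 0x0D, 0x10    # offset/size Get_IMEI passes in r1/r2
CMP_LEN = 8                        # bytes compared against the UEM copy

def calc_sum(data: bytes) -> int:
    """ASSUMED CALC_SUM: 16-bit sum of the bytes (the thread does not give it)."""
    return sum(data) & 0xFFFF

def get_secure_data(dest: bytearray, block: bytes, decrypt_ok: bool, offset: int, size: int) -> int:
    """Get_secure_data_from_FLASH after the decrypt step; returns the status left in r0."""
    assert len(block) == SEC_BLOCK_SIZE
    stored = (block[0x26] << 8) | block[0x27]        # big-endian checksum at 26h/27h
    if calc_sum(block[:SUM_LEN]) != stored:
        dest[:size] = b"\xFF" * size                 # 002B31EA: FILL_MEM(dest, FF, size)
    elif decrypt_ok:
        dest[:size] = block[offset:offset + size]    # 002B31D8: COPY_MEM(dest, temp_buf+offset)
    return 1 if decrypt_ok else 0                    # r7 (decrypt status) is returned on every path

def read_uem_imei(regs):
    """READ_UEM_IMEI: UEM registers 1Bh..1Eh, masked to 16 bits, stored high byte then low."""
    assert len(regs) == 4
    words = [r & 0xFFFF for r in regs]
    return (1 if any(words) else 0), b"".join(w.to_bytes(2, "big") for w in words)

def get_imei(block: bytes, decrypt_ok: bool, uem_regs, sys_flag3: int) -> bytes:
    """Get_IMEI: returns the 16-byte dest; all FF ("?????...") means the IMEI was rejected.
    Both exits in the listing reach MOV R0,#01, so the FF fill is the only failure signal."""
    dest = bytearray(IMEI_LEN)
    status = get_secure_data(dest, block, decrypt_ok, IMEI_OFF, IMEI_LEN)
    if status == 1:
        status, uem = read_uem_imei(uem_regs)
        if status == 1 and bytes(dest[:CMP_LEN]) != uem:   # compare loop 002B2E50..002B2E62
            status = 0                                      # 002B2E6A
        if status == 0 and sys_flag3 == 2:                  # Get_sys_flag(3) == 2: FLASH copy is
            return bytes(dest)                              # accepted without the UEM cross-check
    if status != 1:
        dest[:] = b"\xFF" * IMEI_LEN                        # 002B2E7A: fill dest with FF
    return bytes(dest)

def make_block(imei16: bytes) -> bytes:
    """Constructed, already decrypted secure block with a valid (assumed) checksum."""
    body = bytearray(SUM_LEN)
    body[IMEI_OFF:IMEI_OFF + IMEI_LEN] = imei16
    return bytes(body) + calc_sum(body).to_bytes(2, "big")
```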

ada0611 01-08-2005 23:24

Hi!

I am very happy to see you again in the forum! :)

Have you made a patched flash?

Bohosh 01-08-2005 23:31

@Dejan Kaljevic
We all will be happy if you share some patched flashes !!!!

sam unlocker 01-08-2005 23:43

Happy to see the great Dejan back in the cellular world,
and I'd like to ask him one question:
why can IMEI repairing in DCT4 be resolved only by the Griffin server?

Dejan Kaljevic 01-09-2005 00:26

Quote:

Originally Posted by sam unlocker
Happy to see the great Dejan back in the cellular world,
and I'd like to ask him one question:
why can IMEI repairing in DCT4 be resolved only by the Griffin server?

No, I have not been in the GSM world for more than 2.5 years, and I don't know what
happens in GSM.
About the Griffin server, I don't know; maybe the others are stupid?
A long time ago I offered the DCT4 UEM & FLASH IMEI algorithm, but nobody was interested.

Anyway... don't ask for patched flashes, etc. I've posted enough hints, so
OPEN YOUR EYES, OPEN YOUR MIND!
(Maybe you can check the bin file from ZULEA?
http://forum.gsmhosting.com/vbb/showthread.php?t=178158 )

BTW: Where in the World are GSM providers using the A5/2 algorithm?

B.R.
Dejan

Irinel 01-09-2005 01:10

Quote:

Originally Posted by Dejan Kaljevic
No, I have not been in the GSM world for more than 2.5 years, and I don't know what
happens in GSM.
About the Griffin server, I don't know; maybe the others are stupid?
A long time ago I offered the DCT4 UEM & FLASH IMEI algorithm, but nobody was interested.

Anyway... don't ask for patched flashes, etc. I've posted enough hints, so
OPEN YOUR EYES, OPEN YOUR MIND!
(Maybe you can check the bin file from ZULEA?
http://forum.gsmhosting.com/vbb/showthread.php?t=178158 )

BTW: Where in the World are GSM providers using the A5/2 algorithm?

B.R.
Dejan


@Dejan welcome back to the GSM world ;)

vrba 01-09-2005 02:51

Hmmm, . . . . . everybody knows who Dejan is !!! :-)
P.S. Well done, I take my hat off to you!!!! ( sorry for non-English )
P.S. Anyhow, any info about compV2 !?

yaren 01-09-2005 13:04

@ Dejan Kaljevic,
Welcome here! I hope you are fine!
Best Regards
yaren

Crumarix1 01-09-2005 13:50

The KING is Back !

God save the KING !

parot 01-09-2005 14:03

Long live the GSM king.........

mtmc 01-09-2005 14:14

hi
welcome back dejan
You are the best in Nokia IMEI change, DCT3, DCT4....

bye

zulea 01-09-2005 14:19

Hi,

@ "king"
Sorry, but there is nothing useful in your posted info.
No info about encrypting/decrypting flash files, no info about the RPL algorithm, the IMEI decrypt routine is missing, ....
As always you just make noise ;) But surely you have a plan to do something in this field in the near future. I suppose one of these two options: to make your own money or to destroy the ask/rpl andro's server business. The next weeks will show which one you chose.
Or you can also leave it as it is today, and in a few days all the people who 'licked' you here will forget your name and keep doing their usual things day by day.
No offence please.

Best regards,
Zulea

g3gg0 01-09-2005 14:53

Hmh, 3 ways?
Oh, I just know one :D

Are you willing to explain one of the other ways to me?
Because I'm trying to decrypt TIKU flashes... :-/


BTW: were you able to dump the ROM region around 800000 or 800300?
I didn't have any success yet; it seems it's mapped out (data fetch error).

Do you know a little about the memory map registers around 0x06010000 or 0x06100000?

OMBOSSMAN 01-09-2005 15:49

Nice to meet you ..............

d_bug 01-09-2005 15:55

I have nothing to add here since I'm not as talented as these 3 gods here, but I hope this thread is going somewhere.

