DCT4Crypter by nok5rev & g3gg0

[watusi2]

----------------------------------
DCT4Crypter
----------------------------------
by nok5rev & g3gg0
__________________________________________________ _____
Yes, this package contains the necessary routines and
even some apps to decrypt DCT4 FlashFiles and also to
encrypt again after you applied some changes. We must
admit, this stuff is not "hot" anymore - it was coded
in about 2 months between 01/2004 and 03/2004. That's
now nearly 2 years. But it still should be a somewhat
interesting X-Mas present for all the GSM-Modders out
there...
__________________________________________________ _____

Why this was done?
-----------------------
Why? I think it was just fun
But i dont remember anymore who of us had the idea
to start analyzing the encryption algorithm.
I just remember, we both suddenly sat in front of
many bits (really MANY!) and stared at them to
find out how the data was encrypted.

How this was done?
-----------------------
Heh, just open your notepad.exe, paste some 100
lines of 11001001 10101010 11100100 11100001...
and you know what we've done in these 2 months
We didnt have any access to neither the flash device,
MCU or RAM, nor we used any (Java-)Exploit floating
around. We didnt even have any of these DCT4-devices
at this point. This was simply done with looking at
about 20 different flash files.

Who did this?
-----------------------
This was all done by nok5rev and g3gg0. We both spent
about the same amount of time for this stuff and
both helped each other in finding out the neccessary
bits for decoding. But we also got little help from
kodo (thanks for the auto basevalue finder)

What can i do with it?
------------------------
Generally you should now be able to en/decrypt the DCT4
FlashFiles used in "standard" dct4 devices. Standard
DCT4 devices means any 6310, 8310, ...., 6610, 7250
and so on. TIKU-devices like the 6230, 6230i or even
symbian devices are _NOT_ supported.
The first DCT4 devices still had enrcypted PPM's, but
nokia switched to non-encrypted ones for obvious
security reasons.
So don't wonder, when some people already have modded
3510i handsets which just have some graphics changed.
It's the standard PPM structure that was also used in
DCT3 phones. Unfortunately theres a little difference
that causes the most tools to crash or do mistakes.
However, the MCU files still are crypted
The FlashFiles all have the same encryption method,
it just differs in a (we call it) basevalue, which is
just a simple XOR parameter. When decrypting, the
programs spit out the basevalue which you normally don't
need. The tools remember the value and ask you for the file
that should be encrypted again (or they use a predefined
filename).

Will modding work?
-----------------------
After you re-encrypted a modified FlashFile you can
flash it, but your phone won't power-on. why?
We didn't track that down very deep, but when removing
the "Claudia" sequence in the flash header it will work
at least with the wrong "FAID" - that means it resets
after some time
But please make sure, you have a working, original file
flashed before you write a modded file with disabled Claudia.
Claudia is the tag in flash header starting with
D3 40 and the 0x40 bytes coming after that. Just FF the
0x40 bytes behind the tag.
-> D3 40 [0x40 bytes Claudia]
replace with
-> D3 40 [0x40 times FF]

Okay that's it
We've flashed our phones (we got after reversing the encryption)
several times - even with faulty Claudia and FAID - without any
bigger problem.
So, if you turn your phone into a brick, dont blame us...
... it's your fault!


Thanks to:
------------------------
Kodo
B.
U.

Oh, and if you plan to integrate this code into your commercial
products... ...unfortunately we can't do anything against it
But if you do so, _please_ be so kind and reward our work with
sending an license/sample of your program/device to either
nok5rev or g3gg0 - thanks!

enjoy this stuff as much as we enjoyed coding it

Best Regards,
g3gg0/nok5rev


http://www.gsmfreeboard.com/forum/sh...d.php?t=119075
http://rapidshare.de/files/9991118/Merry_Xmas.zip.html

[strangerboy]

Nice work friend.... i´m glad to see some ppl realy know how to have fun

Don´t have time now for playing around with that... but for sure some ppl will find it interesting...

Keep on rocking .... happy new year to you all....

[alro]

I appreciate your work!

[golumbu]

Thanks for your hard work ,I really appreciate it !

WBR
golumbu

[Zaihtam]

Niceeee................... this is cool. Happy new year.....!

[GSM Solutions Ireland]

Thanx for sharing!

Regards
Gsm solutions Ltd

[rooty]

Very nice work, thanx for sharing!
Wish you more fun in New Year!!!

[Dave.W]

without faid it is useless...

[g3gg0]

DCT3 also once was without any FAID solution, wasnt it?
why did people then analyze the firmware?

[Dave.W]

it was only one man, your friend TEK who had brains to crack dct3 FAId from others work, if you guys have not done that by now why you think anyone unknown to you will do that?

i think it easiest to reverse twister/griffin/jaf sw to find out dct4 faid calculation but who will step up?

[Zaihtam]

They all are well protected.
ask papa dejan, maybe he will give it for free.

[Dave.W]

i am sorry, but i have saw on here free schemes./hex for prodigy and also twister. even b-phreaks said that there is enough information in twister freeeeeeeeeee!!!!! thread to creat your own flasher box..

i cannot be bothered to look at this myself. i think Dejan is in same mood these days

[Zaihtam]

Anybody compiled it? i got VC++ 6 only here. it use the VC++ 7.

[ben_whiteus]

should not be any issues with either compiler. I compiled it with lcc.

[g3gg0]

CrypterX had a little bug that prevented correct encryption:

http://nokiafree.org/forums/showthre...d=1#post379481
http://www.gsmfreeboard.com/forum/sh...d.php?p=756994