Old 03-08-2010, 16:57   #1 (permalink)
Huawei algo for all


1st: thanks to sergeymkl for his post

unlock code (imei 123456789012347):

MD5 ("1234567890123475e8dd316726b0335") = 8f 43 ae 1a 33 19 c6 49 cc 57 40 8b 6a 39 2d 6b

8f xor 33 xor cc xor 6a =1a
43 xor 19 xor 57 xor 39 =34
ae xor c6 xor 40 xor 2d =05
1a xor 49 xor 8b xor 6b =b3

1a3405b3 and 1ffffff or 2000000 = 23405B3

hex2dec (23405B3) = 36963763 -> unlock code


same steps for flash code, only one difference

MD5 ("12345678901234797B7BC6BE525AB44")= ..............


br from italy
The Following 43 Users Say Thank You to fr3nsis For This Useful Post:
Old 03-08-2010, 17:02   #2 (permalink)
so nice sharing

BR!
Old 03-08-2010, 17:04   #3 (permalink)
Xexe, good job.


Here is my description I planned to post tomorrow:
Quote:
Originally Posted by СРПСКИ
Here is how HUAWEI codes are calculated:

First, the IMEI number is concatenated with the constants that I wrote in the previous posts, where I also explained that the first MD5 operation is unnecessary.

That concatenated string of ASCII characters is now passed to the "MD5" function.

The result of the MD5 function is now regarded not as a string of ASCII characters but as a string of 8-bit binary numbers (= bytes) written as hexadecimal numbers, so two ASCII characters make up one 8-bit binary number.

The following logical operations are now carried out on that string of binary numbers:

We define 4 digits/bytes of the code K0 - K4
We define the digits/bytes of the MD5 result as M0-M15
We define XOR as the sign for exclusive disjunction (excl. "or")
We define OR as the sign for inclusive disjunction (incl. "or")
We define AND as the sign for conjunction (and)

K3 = M0 XOR M4 XOR M12 XOR M8
K2 = M1 XOR M5 XOR M13 XOR M9
K1 = M2 XOR M6 XOR M14 XOR M10
K0 = M3 XOR M7 XOR M15 XOR M11

After that we perform two more operations:
K3 AND 01
K3 OR 02

Finally we convert the 4 resulting digits into a decimal number
and obtain the 8-digit code for decoding.

Here is screenshot of Olly:
The Following User Says Thank You to sergeymkl For This Useful Post:
Old 03-08-2010, 17:12   #4 (permalink)
Here is a rather unusual Huawei calculator

Old 03-08-2010, 17:48   #5 (permalink)
can you explain more here

Quote:
8f xor 33 xor cc xor 6a =1a
43 xor 19 xor 57 xor 39 =34
ae xor c6 xor 40 xor 2d =05
1a xor 49 xor 8b xor 6b =b3
thanks
Old 03-08-2010, 18:01   #6 (permalink)
See here:
Exclusive or - Wikipedia, the free encyclopedia

XOR sets bits in the resulting byte that are set in ONE of the input bytes, but not both.

For example:
Code:
XOR(8F h, 33 h)

8F h = 10001111 b
33 h = 00110011 b
=[XOR]===========
BC h = 10111100 b
The XOR operation has the nice property that it can be used for encryption,
because the operation can be reversed by XOR'ing with the key.

See here:
Code:
8F h = 10001111 b
33 h = 00110011 b
=[XOR]===========
BC h = 10111100 b <- Result of XOR(8F h, 33 h)

BC h = 10111100 b
33 h = 00110011 b
=[XOR]===========
8F h = 10001111 b <- Original value
But only if the key length is same as the message length it's secure.

If two values XOR'ed result in zero, they are the same.

Also on some CPUs XOR R, R (R = same register) is used to clear
a register, since it's faster than loading a zero into it.
The Following 3 Users Say Thank You to sergeymkl For This Useful Post:
Old 03-08-2010, 18:01   #7 (permalink)
bro xor is an operation of boolean algebra ...

byte 0 xor byte 4 xor byte 8 xor byte 12 = 1A
byte 1 xor byte 5 xor byte 9 xor byte 13 = 34
byte 2 xor byte 6 xor byte 10 xor byte 14 = 05
byte 3 xor byte 7 xor byte 11 xor byte 15 = b3

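if this is our array() as byte = 8f 43 ae 1a 33 19 c6 49 cc 57 40 8b 6a 39 2d 6b

' array() holds the 16 MD5 bytes; code is built up as a hex string
Dim code As String = ""
For n = 0 To 3
    code = code & (array(0 + n) Xor array(4 + n) Xor array(8 + n) Xor array(12 + n)).ToString("X2")
Next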
The Following 2 Users Say Thank You to fr3nsis For This Useful Post:
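
The fold described in posts #1, #3 and #7, traced step by step on the digest bytes quoted in post #1. This is an added example, not code from any poster in this thread; the names `fold_digest`, `code_range` and `POST1_DIGEST` are made up here. It also computes the range every result falls in, which shows that the AND/OR step leaves only 25 variable bits.

```python
def fold_digest(digest_hex):
    """Trace the XOR fold and masking on a 16-byte MD5 digest given as hex."""
    m = bytes.fromhex(digest_hex)  # spaces between byte pairs are ignored
    if len(m) != 16:
        raise ValueError("an MD5 digest is exactly 16 bytes")
    # Column-wise fold: result byte n is M[n] ^ M[4+n] ^ M[8+n] ^ M[12+n]
    folded = bytes(m[n] ^ m[4 + n] ^ m[8 + n] ^ m[12 + n] for n in range(4))
    raw = int.from_bytes(folded, "big")      # first folded byte is most significant
    masked = (raw & 0x1FFFFFF) | 0x2000000   # keep low 25 bits, then set bit 25
    return {"folded": folded.hex(), "raw": raw, "masked": masked, "code": str(masked)}


def code_range():
    """Smallest code, largest code and number of distinct codes after masking."""
    lo = 0x2000000
    hi = 0x2000000 | 0x1FFFFFF
    return lo, hi, hi - lo + 1


# Digest bytes exactly as quoted in post #1 (IMEI 123456789012347)
POST1_DIGEST = "8f 43 ae 1a 33 19 c6 49 cc 57 40 8b 6a 39 2d 6b"

if __name__ == "__main__":
    step = fold_digest(POST1_DIGEST)
    print("folded bytes :", step["folded"])
    print("after mask   : %x" % step["masked"])
    print("decimal code :", step["code"])
    lo, hi, count = code_range()
    print("all codes lie in %d..%d (%d values)" % (lo, hi, count))
```

Because bit 25 is always set and the bits above it are cleared, every result is an 8-digit decimal number, and the top 7 bits of the folded value never influence the code.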
Old 03-08-2010, 18:47   #8 (permalink)
done
Old 03-08-2010, 18:51   #9 (permalink)
Can you post Source Code here?

Br,
Shadab Ahmad
Old 03-08-2010, 18:57   #10 (permalink)
Why need source code and for what language?

Everything is now explained, even no more reversing needed.
Old 03-08-2010, 18:59   #11 (permalink)
Quote:
Originally Posted by shadab_a4u View Post
Can you post Source Code here?

Br,
Shadab Ahmad
just convert imei : 111111111111111" + e8dd316726b0335" to md5
read fr3nsis post and you know how to do the rest
Old 03-08-2010, 21:26   #12 (permalink)
Code:
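import hashlib

def getCode(imei, salt):
    # MD5 over the lower-cased ASCII string IMEI + salt
    digest = hashlib.md5((imei + salt).lower().encode("ascii")).digest()
    code = 0
    for i in range(4):
        # fold the 16 digest bytes column-wise into 4 bytes, most significant first
        code += (digest[i] ^ digest[4 + i] ^ digest[8 + i] ^ digest[12 + i]) << (3 - i) * 8
    code &= 0x1ffffff  # keep the low 25 bits
    code |= 0x2000000  # set bit 25, so the result always has 8 decimal digits
    return code

imei = "123456789012347"

print(getCode(imei, "5e8dd316726b0335"))  # unlock code
print(getCode(imei, "97B7BC6BE525AB44"))  # flash code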
python
The Following 5 Users Say Thank You to s400py For This Useful Post:
Old 03-08-2010, 21:35   #13 (permalink)
Does this work on phones, or only the modems?
Old 03-08-2010, 22:32   #14 (permalink)
@TMODEALER:
only modem / datacard

@s400py:
Bug inside code... Note that "97b7bc6be525ab44" must be lower case if you
store it as string, otherwise result is different MD5.

Code:
 
MD5 ("12345678901234797b7bc6be525ab44") = dc437087aa353b82fe6b063ba52acc5f
MD5 ("12345678901234797B7BC6BE525AB44") = 2252a9c151cca5d1749350dd01e30726
The Following User Says Thank You to sergeymkl For This Useful Post:
Old 03-08-2010, 22:47   #15 (permalink)
sergey,

Code:
(imei+salt).lower()
The Following User Says Thank You to s400py For This Useful Post: