GSM-Forum > GSM Programming & Reverse Engineering
Thread: Reversing the algos used for encrypting the IMEI
https://forum.gsmhosting.com/vbb/f83/reversing-algos-used-encrypting-imei-10329/

papajoe 01-14-2002 16:38

Reversing the algos used for encrypting the IMEI
 
Could anyone share some info on the algorithms used in Siemens phones for encrypting the IMEI?
Something about the memory architecture of the C166 processor used inside the handsets?
What is the structure of, and the difference between, EELITE and EEFULL?
Any help and info will be appreciated! ;-)
I'm working on reverse engineering the software in the Siemens S35 and if somebody wants to help, please contact me!

TriMesh 01-14-2002 20:15

If you look at the thread called "Siemens map creator source" you will find a link to a file containing Pascal source for generating this data for various Siemens phones.

Although certain parts of the calculations are being carried out in the dongle, there is enough information in that file to create working maps for the C30 and C/M/S35. The program "ZeeSiemensG3" also contains a working map generator for the C/M/S35, although this is only available as object code (and it's not initially obvious that the program is a map generator, since it reads the IMEI from the phone, and always writes it back).

If you want real kudos, then reverse the x45 phones - there is currently no information available on the algorithms used in these.

If you're going to be reversing any sort of microcontroller code, then get a copy of the IDA disassembler - I think the "pro" version supports the C166. If you can afford it, I strongly recommend buying the program, since their support is excellent (and, obviously, only available to people that have given them money :-) ).

I have no idea what the memory layout is, but would suspect that getting either the Egold or C166 manuals and looking at the reset routines would give you a reasonable idea (since normally one of the first things to do is to set up the memory/chip select control registers).

Regards,

Pete

Victor 01-15-2002 01:29

Hey Trimesh ...

:-) Do not forget A3x, A40, SL45 ...

C45 algorithm is lite version of a3x ...

Regards: Victor

papajoe 01-15-2002 10:16

Thanks for the information, TriMesh!
In fact I was looking for the EGold manual for a while but didn't find anything suitable - just the plain C166 guides. And I'm looking for it because I use IDA to disassemble the microcontroller code and need some additional info regarding the memory layout and the structures used - for example the EELITE and EEFULL blocks?
I've already read the source published by Max and it is an excellent source of information, but as you mentioned some of the algos are hidden in the dongle ;-)
So I want to find out where in the microcontroller code these algos are implemented (and not only for the x35, but for the x45 as well ;-))

TriMesh 01-15-2002 11:11

Hi, Victor

> Originally posted by Victor:
> Hey Trimesh ...
>
> :-) Do not forget A3x, A40, SL45 ...

I was going to look at the A3x phones, but stopped for a couple of reasons.

1) I don't have a phone to test things on, and don't want to get a reputation as someone who releases phone-killer software :-)
2) You were already working on it, and clearly had a considerable head start. Since you are actually selling the software, and I'm just doing this as a hobby, I wouldn't want to step on your toes.

> C45 algorithm is lite version of a3x ...
>
> Regards: Victor

But the C45 seems to have some additional IMEI dependent blocks that the other phones don't (although the code to generate these seems to be entirely contained in Maxim's source).

Maybe I'll have to find one of the A3x phones :-)

Regards, Pete

Victor 01-15-2002 14:47

c45 imei ...

only changed short and long keys ...

TriMesh 01-15-2002 16:54

I assume by "short and long keys" you mean the lookup tables used for transposing the nibbles in the data, and the tables of XOR values used for each round? I noticed that they were different, but the Pascal code also has an additional data structure (CodE2) that's filled with dongle supplied data, and quite a lot of extra mangling in CreateIMEISpecificBlocksC45() - which is only called for this phone type.

Of course, this could be obfuscation - although it would seem strange just doing it with one sort of phone - I can see I'm going to end up having to pull the phone firmware apart :-)

Regards,

Pete

papajoe 01-17-2002 16:57

Do you know whether the C25/C28 handsets use the same algorithm as the x35 ones or not?
I have found inside the microcontroller code the same tables for performing the so-called tricky calculations (thanks to Max ;-). So I wonder, is there some map generator for these older models floating around?

Regards to all reversers out there ;-)

papajoe 01-18-2002 10:50

Does anybody know what the memory layout in the Siemens x35 is?
It has a 16 MB address space and I've found that the core code is mapped to the last 4 megs (0xC00000-0xFFFFFF). But there are references inside the code to lower segments. Some of them apparently are data segments, but there are also calls to some code residing outside the last 4 megs, especially from segment 0xF0 (for example calls 1,0x0208).
I need a little help with the memory mappings, if somebody can and wants to share this info?

Victor 01-18-2002 13:55

The processor contains ROM ... with primitive routines inside ...

You also need to disassemble the RAM

papajoe 01-18-2002 14:13

Thanks, Victor!
I suppose that the ROM area is mapped to 0x010000-0x017FFF, right? Will you tell me how I can get this ROM area to disassemble it?
And also, what do you mean by disassembling RAM: is some part of the code copied there and then run from RAM?

Victor 01-18-2002 15:04

:-) ... from 000000 to 1f0000 ...

You must make a big file: RAM + ZEROES + BIN FILE OF FLASH ... and then start disassembling
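
An added worked example (not code from any poster in this thread) of the flat image Victor describes: the RAM dump placed at 0x000000-0x1EFFFF, zero padding, and the flash binary at 0xC00000-0xFFFFFF where papajoe found the core code, so a disassembler loading it at address 0 sees every far call at the offset the code expects. It also resolves a C166 far-call operand such as "calls 1,0x0208" to the linear address it lands on (the C166 forms 24-bit addresses as segment<<16 | offset, and encodes CALLS as opcode 0xDA, segment byte, little-endian offset). The region boundaries are the ones quoted in the thread; the RAM and flash bytes below are constructed placeholders, not real phone data, and the raw opcode scan is a first pass that will also match 0xDA bytes inside data.

```python
"""Assemble a flat 16 MB C166 image (RAM dump + zeroes + flash) for a
disassembler and resolve far-call targets. Example added to the thread;
all sample bytes are constructed, not dumped from a phone."""

ADDR_SPACE = 0x1000000                       # 24-bit C166 address space, 16 MB
RAM_BASE, RAM_END = 0x000000, 0x1F0000       # Victor: dump 000000..1f0000
FLASH_BASE, FLASH_END = 0xC00000, 0x1000000  # papajoe: core code in the last 4 MB
ROM_BASE, ROM_END = 0x010000, 0x018000       # papajoe's guess for the on-chip ROM
CALLS_OPCODE = 0xDA                          # C166 'CALLS seg, caddr' = DA SS MM MM

# Constructed sample input: 16 bytes standing in for the start of the RAM
# dump, and a code snippet 'nop; calls 1,0x0208' (CC 00 DA 01 08 02) that we
# place at 0xF00100, i.e. in segment 0xF0 as in papajoe's question.
SAMPLE_RAM = bytes(range(16))
SNIPPET = bytes.fromhex("cc00da01080200")
SNIPPET_ADDR = 0xF00100


def calls_target(seg: int, off: int) -> int:
    """Linear address of 'CALLS seg, off': segment<<16 | offset."""
    if not 0 <= seg <= 0xFF or not 0 <= off <= 0xFFFF:
        raise ValueError("seg must be 8-bit, off 16-bit")
    return (seg << 16) | off


def region_of(addr: int) -> str:
    """Name the region an address falls in, using the thread's layout."""
    if ROM_BASE <= addr < ROM_END:
        return "rom"
    if RAM_BASE <= addr < RAM_END:
        return "ram"
    if FLASH_BASE <= addr < FLASH_END:
        return "flash"
    return "unmapped"


def build_image(ram_dump: bytes, flash: bytes) -> bytes:
    """Place RAM dump and flash at their real addresses, zero elsewhere."""
    if len(ram_dump) > RAM_END - RAM_BASE:
        raise ValueError("RAM dump larger than the 000000..1f0000 window")
    if len(flash) > FLASH_END - FLASH_BASE:
        raise ValueError("flash image larger than the 4 MB window")
    img = bytearray(ADDR_SPACE)              # zero-filled 16 MB
    img[RAM_BASE:RAM_BASE + len(ram_dump)] = ram_dump
    img[FLASH_BASE:FLASH_BASE + len(flash)] = flash
    return bytes(img)


def far_call_targets(code: bytes, base: int) -> list:
    """Scan raw bytes for CALLS encodings and return
    (call_site, target, region) triples. Matches inside data are false
    positives; treat this as a hint list, not a decoder."""
    hits = []
    i = code.find(bytes([CALLS_OPCODE]))
    while 0 <= i <= len(code) - 4:
        seg = code[i + 1]
        off = code[i + 2] | (code[i + 3] << 8)
        tgt = calls_target(seg, off)
        hits.append((base + i, tgt, region_of(tgt)))
        i = code.find(bytes([CALLS_OPCODE]), i + 1)
    return hits


def sample_flash() -> bytes:
    """Constructed 4 MB flash stand-in: zeroes with SNIPPET at 0xF00100."""
    flash = bytearray(FLASH_END - FLASH_BASE)
    at = SNIPPET_ADDR - FLASH_BASE
    flash[at:at + len(SNIPPET)] = SNIPPET
    return bytes(flash)


def main() -> None:
    img = build_image(SAMPLE_RAM, sample_flash())
    for site, tgt, reg in far_call_targets(img[FLASH_BASE:], FLASH_BASE):
        print(f"calls at {site:06X} -> {tgt:06X} ({reg})")
    # Load flat_image.bin in the disassembler as a binary at 0x000000 with
    # the C166 processor module; far calls then resolve without rebasing.
    with open("flat_image.bin", "wb") as f:
        f.write(img)


if __name__ == "__main__":
    main()
```

Running it reports the one constructed call site, `calls at F00102 -> 010208 (rom)`, which is exactly the case papajoe raised: a call from segment 0xF0 into the 0x010000-0x017FFF window, which is why the RAM/ROM dump has to be part of the image or the disassembler has nothing to follow.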

papajoe 01-18-2002 15:33

Thanks again :-)
Do you have some useful tool for dumping the RAM area you are talking about (000000-1f0000)?
May I use the Andromeda flash reader 3.0a to download this RAM area?
And one more time I want to ask about the Siemens C25/C28: does it use the same algos for encoding the blocks 76, 5008, 5009, 5077 with the IMEI and phone ID? I have one dead C28 v61 and want to do some investigation and reversing to bring it back to life eventually ;-)

Victor 01-19-2002 12:58

Yes, I have, but it is built by me for my internal use... Sorry, I cannot give it to you, but it is easy to build this tool.

Andromeda will not help to you.

regards: Victor

thewizard 01-19-2002 16:23

About reading the ROM on the C45:
You can't read the TRUE RAM/ROM in boot mode;
all this data is fake.

You need read RAM in normal or test Mode.

Regards
The Wizard

