Reversing the algo's used for encrypting the IMEI - GSM-Forum

papajoe · 01-14-2002, 16:38

Could anyone share some info on algorithms used in Siemens for encrypting the IMEI? Something about the memory architecture of C166 processor used inside the handies? What is the structure and differences between EELITE & EEFULL? Any help and info will be appreciated! ;-) I'm working on reverse engineering the software in Siemens S35 and if somebody wants to help, please contact me!?

TriMesh · 01-14-2002, 20:15

If you look at the thread called "Siemens map creator source" you will find a link to a file containing Pascal source for generating this data for various Siemens phones.

Although certain parts of the calculations are being carried out in the dongle, there is enough information in that file to create working maps for the C30 and C/M/S35. The program "ZeeSiemensG3" also contains a working map generator for the C/M/S35, although this is only available as object code (and it's not initially obvious that the program is a map generator, since it reads the IMEI from the phone, and always writes it back).

If you want real kudos, then reverse the x45 phones - there is currently no information available on the algorithims used in these.

If you're going to be reversing any sort of microcontroller code, then get a copy of the IDA dissassembler - I think the "pro" version supports the C166. If you can afford it, I strongly recommend buying the program, since their support is excellent (and, obviously, only available to people that have given them money <img src="smile.gif" border="0"> ).

I have no idea what the memory layout is, but would suspect that getting either the Egold or C166 manuals and looking at the reset routines would give you a reasonable idea (since normally one of the first things to do is to set up the memory/chip select control registers).

Regards,

Pete

**Victor** · 01-15-2002, 01:29

Hey Trimesh ...

:-) Do not forget A3x, A40, SL45 ...

C45 algorithm is lite version of a3x ...

Regards: Victor

papajoe · 01-15-2002, 10:16

Thanks for the information, TriMesh! In fact I was looking for EGold manual for a while but didn't find anything suitable - just the plain C166 guides. And I'm looking for it, because I use IDA to disassemble the microcontroller code and need some additional info regarding memory layout and structures used - for example EELITE and EEFULL blocks? I've already read the source published by Max and it is excellent source of information but as you mentioned some of the algo's are hidden in the dongle ;-) So I want to find out where in the microcontroller code these algo's are implemented (and not only for x35, but for x45 as well ;-))

TriMesh · 01-15-2002, 11:11

Hi, Victor

[quote]Originally posted by Victor: Hey Trimesh ...

:-) Do not forget A3x, A40, SL45 ...<hr></blockquote>

I was going to look at the A3x phones, but stopped for a couple of reasons.

1) I don't have a phone to test things on, and don't want to get a reputation as someone who releases phone killer sw <img src="smile.gif" border="0"> 2) You were already working on it, and clearly had a considerable head start. Since you are actually selling the softs, and I'm just doing this as a hobby I wouldn't want to step on your toes.

[quote]

C45 algorithm is lite version of a3x ...

Regards: Victor<hr></blockquote>

But the C45 seems to have some additional IMEI dependent blocks that the other phones don't (although the code to generate these seems to be entirely contained in Maxim's source).

Maybe I'll have to find one of the A3x phones <img src="smile.gif" border="0">

Regards, Pete

**Victor** · 01-15-2002, 14:47

c45 imei ...

only changed short and long keys ...

TriMesh · 01-15-2002, 16:54

I assume by "short and long keys" you mean the lookup tables used for transposing the nibbles in the data, and the tables of XOR values used for each round? I noticed that they were different, but the Pascal code also has an additional data structure (CodE2) that's filled with dongle supplied data, and quite a lot of extra mangling in CreateIMEISpecificBlocksC45() - which is only called for this phone type.

Of course, this could be obfuscation - although it would seem strange just doing it with one sort of phone - I can see I'm going to end up having to pull the phone firmware apart <img src="smile.gif" border="0">

Regards,

Pete

papajoe · 01-17-2002, 16:57

Do you know whether the C25/C28 handies are using the same algorithm as x35 ones or not? I have found inside the microcontroller code the same tables for performing so called tricky calculations (thanks to Max ;-). So I wander is there some map generator for these older models floating around?

Regards to all reversers out there ;-)

papajoe · 01-18-2002, 10:50

Does anybody know what is the memory layout in Siemens x35? It has 16MB address space and I've found that the core code is mapped to the last 4 Megs (0xC00000-0xFFFFFF). But there are references inside the code to lower segments. Some of them apparently are data segments but there are also calls to some code residing outside the last 4 Megs, especially from segment 0xf0 (for example calls 1,0x0208). I need some little help about the memory mappings if somebody can and want to share this info?

**Victor** · 01-18-2002, 13:55

Processor contains ROM ... with primitive routines inside ...

u need also dissasemble RAM

papajoe · 01-18-2002, 14:13

Thanks, Victor! I suppose that ROM area is mapped to 0x010000-0x017FFF, right? Will you tell me how I can get this ROM area to disassemble it? And also what do you mean to disassemble RAM - is some part of the code copied there and then run from RAM?

**Victor** · 01-18-2002, 15:04

:-) ... from 000000 to 1f0000 ...

must make big file RAM + ZEROES + BINFILE OF FLASH ... and then start dissasemble

papajoe · 01-18-2002, 15:33

Thanks again :-) Do you have some useful tool for dumping the RAM area you are talking about (000000-1f0000)? May I use the Andromeda flash reader 3.0a to download this RAM area? And one more time I want to ask about Siemens C25/C28 - is it using the same algo's for encoding the blocks 76,5008,5009,5077 with IMEI and phone id? I have one dead C28 v61 and want to make some investigation and reversing to bring it to live eventually ;-)

**Victor** · 01-19-2002, 12:58

Yes i have but is builded by me for internal my use .. Sorry i canot give to you but is easy to build this toool.

Andromeda will not help to you.

regards: Victor

thewizard · 01-19-2002, 16:23

About read ROM C45 You cant read TRUE RAM/ROM in boot mode all this datas is fake.

You need read RAM in normal or test Mode.

Regards The Wizard

01-14-2002, 16:38	#1 (permalink)
papajoe Junior Member Join Date: Jan 2002 Location: n/a Posts: 23 Member: 8446 Status: Offline Thanks Meter: 0	Reversing the algo's used for encrypting the IMEI Could anyone share some info on algorithms used in Siemens for encrypting the IMEI?<br />Something about the memory architecture of C166 processor used inside the handies?<br />What is the structure and differences between EELITE & EEFULL?<br />Any help and info will be appreciated! ;-)<br />I'm working on reverse engineering the software in Siemens S35 and if somebody wants to help, please contact me!?

01-15-2002, 01:29	#3 (permalink)
Victor Moderator Join Date: May 1999 Location: Blagoevgrad, Bulgaria Age: 51 Posts: 1,056 Member: 73 Status: Offline Sonork: 100.86913 Thanks Meter: 537	Hey Trimesh ... :-) Do not forget A3x, A40, SL45 ... C45 algorithm is lite version of a3x ... Regards: Victor __________________ You'll die as you lived in a flash of the blade, in a corner forgotten by no one You lived for the touch for the feel of the steel One man, and his honor.

01-15-2002, 10:16	#4 (permalink)
papajoe Junior Member Join Date: Jan 2002 Location: n/a Posts: 23 Member: 8446 Status: Offline Thanks Meter: 0	Thanks for the information, TriMesh! <br />In fact I was looking for EGold manual for a while but didn't find anything suitable - just the plain C166 guides. And I'm looking for it, because I use IDA to disassemble the microcontroller code and need some additional info regarding memory layout and structures used - for example EELITE and EEFULL blocks?<br />I've already read the source published by Max and it is excellent source of information but as you mentioned some of the algo's are hidden in the dongle ;-) <br />So I want to find out where in the microcontroller code these algo's are implemented (and not only for x35, but for x45 as well ;-))

01-15-2002, 11:11	#5 (permalink)
TriMesh Freak Poster Join Date: Dec 2001 Location: Shenzhen, China Posts: 327 Member: 7911 Status: Offline Thanks Meter: 7	Hi, Victor [quote]Originally posted by Victor:<br /><strong>Hey Trimesh ... :-) Do not forget A3x, A40, SL45 ...</strong><hr></blockquote> I was going to look at the A3x phones, but stopped for a couple of reasons. 1) I don't have a phone to test things on, and don't want to get a reputation as someone who releases phone killer sw <img src="smile.gif" border="0"> <br />2) You were already working on it, and clearly had a considerable head start. Since you are actually selling the softs, and I'm just doing this as a hobby I wouldn't want to step on your toes. [quote]<strong> C45 algorithm is lite version of a3x ... Regards: Victor</strong><hr></blockquote> But the C45 seems to have some additional IMEI dependent blocks that the other phones don't (although the code to generate these seems to be entirely contained in Maxim's source). Maybe I'll have to find one of the A3x phones <img src="smile.gif" border="0"> Regards, Pete

01-15-2002, 14:47	#6 (permalink)
Victor Moderator Join Date: May 1999 Location: Blagoevgrad, Bulgaria Age: 51 Posts: 1,056 Member: 73 Status: Offline Sonork: 100.86913 Thanks Meter: 537	c45 imei ... only changed short and long keys ... __________________ You'll die as you lived in a flash of the blade, in a corner forgotten by no one You lived for the touch for the feel of the steel One man, and his honor.

01-14-2002, 20:15	#2 (permalink)
TriMesh Freak Poster Join Date: Dec 2001 Location: Shenzhen, China Posts: 327 Member: 7911 Status: Offline Thanks Meter: 7	If you look at the thread called "Siemens map creator source" you will find a link to a file containing Pascal source for generating this data for various Siemens phones. Although certain parts of the calculations are being carried out in the dongle, there is enough information in that file to create working maps for the C30 and C/M/S35. The program "ZeeSiemensG3" also contains a working map generator for the C/M/S35, although this is only available as object code (and it's not initially obvious that the program is a map generator, since it reads the IMEI from the phone, and always writes it back). If you want real kudos, then reverse the x45 phones - there is currently no information available on the algorithims used in these. If you're going to be reversing any sort of microcontroller code, then get a copy of the IDA dissassembler - I think the "pro" version supports the C166. If you can afford it, I strongly recommend buying the program, since their support is excellent (and, obviously, only available to people that have given them money <img src="smile.gif" border="0"> ). I have no idea what the memory layout is, but would suspect that getting either the Egold or C166 manuals and looking at the reset routines would give you a reasonable idea (since normally one of the first things to do is to set up the memory/chip select control registers). Regards, Pete

01-15-2002, 16:54	#7 (permalink)
TriMesh Freak Poster Join Date: Dec 2001 Location: Shenzhen, China Posts: 327 Member: 7911 Status: Offline Thanks Meter: 7	I assume by "short and long keys" you mean the lookup tables used for transposing the nibbles in the data, and the tables of XOR values used for each round? I noticed that they were different, but the Pascal code also has an additional data structure (CodE2) that's filled with dongle supplied data, and quite a lot of extra mangling in CreateIMEISpecificBlocksC45() - which is only called for this phone type. Of course, this could be obfuscation - although it would seem strange just doing it with one sort of phone - I can see I'm going to end up having to pull the phone firmware apart <img src="smile.gif" border="0"> Regards, Pete

01-17-2002, 16:57	#8 (permalink)
papajoe Junior Member Join Date: Jan 2002 Location: n/a Posts: 23 Member: 8446 Status: Offline Thanks Meter: 0	Do you know whether the C25/C28 handies are using the same algorithm as x35 ones or not?<br />I have found inside the microcontroller code the same tables for performing so called tricky calculations (thanks to Max ;-). So I wander is there some map generator for these older models floating around? Regards to all reversers out there ;-)

01-18-2002, 10:50	#9 (permalink)
papajoe Junior Member Join Date: Jan 2002 Location: n/a Posts: 23 Member: 8446 Status: Offline Thanks Meter: 0	Does anybody know what is the memory layout in Siemens x35?<br />It has 16MB address space and I've found that the core code is mapped to the last 4 Megs (0xC00000-0xFFFFFF). But there are references inside the code to lower segments. Some of them apparently are data segments but there are also calls to some code residing outside the last 4 Megs, especially from segment 0xf0 (for example calls 1,0x0208).<br />I need some little help about the memory mappings if somebody can and want to share this info?

01-18-2002, 13:55	#10 (permalink)
Victor Moderator Join Date: May 1999 Location: Blagoevgrad, Bulgaria Age: 51 Posts: 1,056 Member: 73 Status: Offline Sonork: 100.86913 Thanks Meter: 537	Processor contains ROM ... with primitive routines inside ... u need also dissasemble RAM __________________ You'll die as you lived in a flash of the blade, in a corner forgotten by no one You lived for the touch for the feel of the steel One man, and his honor.

01-18-2002, 14:13	#11 (permalink)
papajoe Junior Member Join Date: Jan 2002 Location: n/a Posts: 23 Member: 8446 Status: Offline Thanks Meter: 0	Thanks, Victor!<br />I suppose that ROM area is mapped to 0x010000-0x017FFF, right? Will you tell me how I can get this ROM area to disassemble it?<br />And also what do you mean to disassemble RAM - is some part of the code copied there and then run from RAM?

01-18-2002, 15:04	#12 (permalink)
Victor Moderator Join Date: May 1999 Location: Blagoevgrad, Bulgaria Age: 51 Posts: 1,056 Member: 73 Status: Offline Sonork: 100.86913 Thanks Meter: 537	:-) ... from 000000 to 1f0000 ... must make big file RAM + ZEROES + BINFILE OF FLASH ... and then start dissasemble __________________ You'll die as you lived in a flash of the blade, in a corner forgotten by no one You lived for the touch for the feel of the steel One man, and his honor.

01-18-2002, 15:33	#13 (permalink)
papajoe Junior Member Join Date: Jan 2002 Location: n/a Posts: 23 Member: 8446 Status: Offline Thanks Meter: 0	Thanks again :-)<br />Do you have some useful tool for dumping the RAM area you are talking about (000000-1f0000)? <br />May I use the Andromeda flash reader 3.0a to download this RAM area?<br />And one more time I want to ask about Siemens C25/C28 - is it using the same algo's for encoding the blocks 76,5008,5009,5077 with IMEI and phone id? I have one dead C28 v61 and want to make some investigation and reversing to bring it to live eventually ;-)

01-19-2002, 12:58	#14 (permalink)
Victor Moderator Join Date: May 1999 Location: Blagoevgrad, Bulgaria Age: 51 Posts: 1,056 Member: 73 Status: Offline Sonork: 100.86913 Thanks Meter: 537	Yes i have but is builded by me for internal my use .. Sorry i canot give to you but is easy to build this toool. Andromeda will not help to you. regards: Victor __________________ You'll die as you lived in a flash of the blade, in a corner forgotten by no one You lived for the touch for the feel of the steel One man, and his honor.

01-19-2002, 16:23	#15 (permalink)
thewizard Junior Member Join Date: Jul 2001 Location: --------- Posts: 20 Member: 5414 Status: Offline Thanks Meter: 0	About read ROM C45<br />You cant read TRUE RAM/ROM in boot mode<br />all this datas is fake. You need read RAM in normal or test Mode. Regards<br />The Wizard

Similar Threads
thread	Thread Starter	Forum	Replies	Last Post
What is the cable used for sumsung F400	foufou34	HWK	2	02-16-2009 15:05
can explain how to setup/change the FTP client for exploring the phone ?	preshaust	Cruiser Suite	2	12-12-2008 14:43
i need the unlock code for nokia 3510i imei 351462805793806	tiygyliar	Phone Unlocking Codes & Maps	2	01-12-2005 16:03
can anyone tell me what the smartcard use for???	flin898	Sony Ericsson	0	09-06-2003 15:31
What is the DSP test for on the B-phreaks stuff?	Lonegunman	Nokia Legacy Phones ( DCT-1 ,2 ,3 ,L )	4	03-11-2002 00:41

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode