Reversing the algo's used for encrypting the IMEI

[papajoe]

To Victor:

Are you using the BFB protocol for reading the memory from the mobile? And if yes, where can I find some more information about this protocol? I've already some knowledge about it by reversing some of the tools out there, but their authors must have some more info on that indeed ;-))<br />I don't want to mess with your business and am curious just for myself about the internals of the protection scheme used by Siemens :-)

Thanks and regards!

[thewizard]

This commands for read RAM in normal mode is forbidden in C45. You need patch flash ...

regards

[Victor]

wizard is verry verry right... <img src="smile.gif" border="0">

[papajoe]

Ok, but for the time being I don't need to read RAM from C45, only from x35 (or x25).<br />Is it possible to be done in normal mode via BFB protocol?<br />And should I read the whole 16M addressable space?

[Victor]

yes! read without problems ...

[papajoe]

Ok, thanks again, Victor!<br />May I ask you just one more question - where in the addressable memory space the EEPROM area is mapped to? <br />And also could you help me with the syntax of one particular BFB command - for reading EEfull blocks (14 08 1c 14 xx xx yy yy zz zz chksum)? <br />I'm interested particulary what is the meaning of yy yy ;-))

[OrbiTel]

[quote]Originally posted by The_Wizard:<br /><strong>About read ROM C45<br />You cant read TRUE RAM/ROM in boot mode<br />all this datas is fake.

You need read RAM in normal or test Mode.

Regards<br />The Wizard</strong><hr></blockquote>

This is not true, you can read good data from Bootmode process, but you mus hav goo boot loader. I have not ! I find !

OrbiTel

[papajoe]

To Victor:<br />I am almost ready with my memory dumper ;-)<br />But I'm still waiting for a little more help regarding the memory layout, e.g. where EEPROM area is mapped inside the addressable memory space (000000-FFFFFF)?<br />Would you be so kind to give me a clue? :-)<br />And also about the syntax of ReadEefull command (the problem is how to read blocks that are longer than the maximum of 31 bytes per request?) I suppose that yy yy is the offset from the beginning of the block but if you could confirm that it would be great ;-))<br />Thanks!

[gin1978]

Quote:

Originally posted by papajoe
To Victor:<br />I am almost ready with my memory dumper ;-)<br />But I'm still waiting for a little more help regarding the memory layout, e.g. where EEPROM area is mapped inside the addressable memory space (000000-FFFFFF)?<br />Would you be so kind to give me a clue? :-)<br />And also about the syntax of ReadEefull command (the problem is how to read blocks that are longer than the maximum of 31 bytes per request?) I suppose that yy yy is the offset from the beginning of the block but if you could confirm that it would be great ;-))<br />Thanks!

x35_Flasher

+could you/someone send me newer bfb95eg.dll or equiv?

cheerz,
Anton

[jrok]

if anyone want it just email me [email protected]

[TheSig]

Quote:

Originally posted by TriMesh
If you look at the thread called "Siemens map creator source" you will find a link to a file containing Pascal source for generating this data for various Siemens phones.

-- some text skipped ---

Please give a link to pascal soures.
Thanks

[comunicatel]

and what about S40.
It uses this subroutine

Procedure TIForm.CreateIMEISpecificBlocksS40(IMEI: String; ID: String);
Begin
Idx := 0;
ConvertToPhoneID(ID);
ConvertToC30BCD(IMEI);
EncriptC30HiddenBlocks($08, $000A, Def00, 00);
EncriptC30HiddenBlocks($08, $06E6, Def0C, 18);
EncriptC30HiddenBlocks($1C, $0CFE, Def22, 02);
EncriptC30HiddenBlocks($3C, $0D20, Def40, 00);
EncriptC30HiddenBlocks($0C, $0D60, Def10, 00);
EncriptC30HiddenBlocks($28, $0D70, Def2E, 02);
EncriptC30HiddenBlocks($40, $0D9E, Def44, 00);
EncriptC30HiddenBlocks($FC, $07FE, DefFF, 00);
EncriptC30HiddenBlocks($FC, $08FE, DefFF, 00);
EncriptC30HiddenBlocks($FC, $09FE, DefFF, 00);
EncriptC30HiddenBlocks($FC, $0AFE, DefFF, 00);
EncriptC30HiddenBlocks($FC, $0BFE, DefFF, 00);
End;
AS U can see Its simillar to C30 calculation of specific blocks

[Henrich SGU]

U have tested this subroutine on S40 ?

[Saulyss]

So coding algo is similar ....

[Sergey[Power User]]

Quote:

Originally posted by Nutzo
Hi,

since nobody wanted to help, I did it myself.
So to jump to conlusion:

to unlock "new" C/M/S35s you need to XOR the
phoneid (Cod18) with 0xCA, 0xFE, 0xAF.
All the other things are totally the SAME.

Cheers,

Thanx...

P.S.which addresses of this code in firmware?

Quote:

p.s. Could anybody help me to create dumper for
lower memory addresses? Is that a "simple" Egold
flasher which simply reads the lower "flash" memory map?
(of course only on C35). Another thing. Could anyone point
me to an address where I could find the infamous sub
which handles reading request on C45 (i.e. what must
be patched so that to be able to read the lower addresses)?
Pretty please. If someone helps me I can send him the
sources of my program called kSie (after kNok) which
has several unlocking method in it (C35, C45, "new" C35).

What do you mean saying "lower addresses"?Internal ChipSet ROM?External RAM? (they're really at lowest addresses).Anyway,I think it is a good idea to unassemble Max-RFon boots from his flashing SW.They're SMALL and using them it is possible to grab int.ROM/RAM/FLASH/... etc
Hint: one boot seq used for C\M\S35,S40,etc... only 45 series different.
(I think it will be not so hard to modify this boots to make your custom tasks you need... they're quite small and easy to uderstand)