NokDoc
19-03-2002, 05:03 PM
About Checksums PPM changes.
In the Flashfile:
================
1. MCU Checksum (2)
Located at 0000.0022 and at end of PPM Section eg 00(13).FFFA
Calculated over 0000.0024 u/i end of MCU.
2. PPM Individual SubChunk Checksums (4)
Located at the beginning of each individual PPM SubChunk.
Calculated over full PPM SubChunk length.
(The number of SubChunks may be different per phone type)
3. PPM Checksum (4)
Located at the end of PPM Section eg 00(13).FFFC
(calc?, maybe over full PPM length or individual SubChunks?)
4. MCU+PPM Checksum (4)
Located at 0000.0038
Calculated over almost full MCU&PPM length, starting at 0000.0040 u/i 0000(13).FFE1 ($20 steps)
The Ringtone changing?
================
Have a good look at which Checksums are affected by which changes.
1. recalc Indiv. Tone PPM chunk Checksum.
2. recalc PPM Checksum.
3. recalc Faid, based upon the true PPM Checksum.
4. Faid is stored in MCU (=MCU+PPM Checksum!) so recalc MCU Checksum.
5. Luckily MCU Checksum itself isn't inside the MCU&PPM Checksum calc area so Faid is still the correct one.
6. flash & authorise by MBUS command with Faid nr.
The Faid?
================
For Faid calc MSID & PPM Checksum are required.
Most proggies use bytes from flash for the PPM Checksum instead of calcing them based upon the PPM.
Here's the biggest problem: incorrect PPM Checksum = incorrect Faid = no connection.
The Lesson?
================
Changing data always has effects on a calculation somehow.
There are 2 ways to bypass that.
1. Change data in such a way that the certain Check(s) aren't changed.
2. Find other leaks or try to be a bigger liar than me.
This is all based on my own thinking and I'm not sure if it's at all correct.
So other ideas are very Welcome!
And now if U'll excuse me, I'm gonna watch the Muppet Show.
Happy Reversing
NokDoc
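The "which change affects which checksum" question from the post, worked through on a toy model. This is an added example, not code from the post or from any Nokia flashing tool: the post gives bank.offset addresses but not the checksum algorithm, so the image size, every offset, the chunk count and the algorithm (a plain additive byte sum truncated to the field width) are assumptions. What it keeps from the post is the nesting: sub-chunk checksums sit inside the PPM and MCU+PPM ranges, the MCU+PPM checksum field sits inside the MCU checksum range, and the MCU checksum field is outside everything else, which is why the order of recomputation matters.

```python
"""Toy model of nested flash-image checksums (added example, not the post's code).

ASSUMPTIONS (none of this is the real phone layout or algorithm):
  * 256-byte image, MCU section 0x00..0x40, PPM section 0x40..0x100
  * five 0x20-byte PPM sub-chunks, each starting with its own 4-byte checksum
  * checksum = little-endian additive byte sum, truncated to the field width
"""
from __future__ import annotations

IMAGE_SIZE = 0x100
MCU_START, MCU_END = 0x00, 0x40
PPM_START, PPM_END = 0x40, 0x100
CHUNK_SIZE = 0x20
CHUNK_COUNT = 5                      # sub-chunks occupy 0x40..0xE0 (constructed)

# name -> (offset of stored checksum, width in bytes, covered half-open range)
CHECKS: dict[str, tuple[int, int, tuple[int, int]]] = {
    "mcu":      (0x02, 2, (0x04, MCU_END)),    # MCU checksum in the MCU header
    "combined": (0x08, 4, (0x10, 0xF0)),       # MCU+PPM checksum, starts past header
    "ppm":      (0xFC, 4, (PPM_START, 0xFA)),  # PPM checksum at end of PPM section
    "mcu_copy": (0xFA, 2, (0x04, MCU_END)),    # second copy of the MCU checksum
}
for _i in range(CHUNK_COUNT):
    _base = PPM_START + _i * CHUNK_SIZE
    CHECKS[f"chunk{_i}"] = (_base, 4, (_base + 4, _base + CHUNK_SIZE))


def checksum(data: bytes, width: int) -> int:
    """Additive byte sum truncated to `width` bytes (ASSUMED algorithm)."""
    return sum(data) & ((1 << (8 * width)) - 1)


def stored(img: bytes, name: str) -> int:
    off, width, _ = CHECKS[name]
    return int.from_bytes(img[off:off + width], "little")


def expected(img: bytes, name: str) -> int:
    _, width, (start, end) = CHECKS[name]
    return checksum(img[start:end], width)


def verify(img: bytes) -> list[str]:
    """Names of checks whose stored value no longer matches the covered bytes."""
    return sorted(n for n in CHECKS if stored(img, n) != expected(img, n))


def affected_by(offset: int) -> list[str]:
    """Every check a change to byte `offset` invalidates, including checks reached
    transitively because a rewritten checksum field is itself covered by an outer one."""
    pending = {n for n, (_, _, (s, e)) in CHECKS.items() if s <= offset < e}
    result: set[str] = set()
    while pending:
        n = pending.pop()
        result.add(n)
        field = CHECKS[n][0]
        pending |= {m for m, (_, _, (s, e)) in CHECKS.items()
                    if s <= field < e and m not in result}
    return sorted(result)


def dependency_order() -> list[str]:
    """Topological order: a check that covers another check's stored field is
    recomputed after it (innermost chunks first, MCU checksum last)."""
    covers = {n: {m for m in CHECKS if m != n
                  and CHECKS[n][2][0] <= CHECKS[m][0] < CHECKS[n][2][1]}
              for n in CHECKS}
    order: list[str] = []
    done: set[str] = set()
    while len(order) < len(CHECKS):
        ready = sorted(n for n in CHECKS if n not in done and covers[n] <= done)
        if not ready:
            raise ValueError("cyclic checksum layout")
        order.extend(ready)
        done.update(ready)
    return order


def recompute_all(img: bytes) -> bytes:
    """Rewrite every stored checksum in dependency order so the image verifies."""
    buf = bytearray(img)
    for name in dependency_order():
        off, width, _ = CHECKS[name]
        buf[off:off + width] = expected(bytes(buf), name).to_bytes(width, "little")
    return bytes(buf)


def patch_byte(img: bytes, offset: int, value: int) -> bytes:
    buf = bytearray(img)
    buf[offset] = value
    return bytes(buf)


# Constructed sample image: a byte pattern with all checksum fields filled in.
BASE_IMAGE = recompute_all(bytes((i * 7 + 3) & 0xFF for i in range(IMAGE_SIZE)))

if __name__ == "__main__":
    patched = patch_byte(BASE_IMAGE, 0x65, 0xAA)   # one byte inside chunk1's payload
    print("directly broken :", verify(patched))
    print("needs recompute :", affected_by(0x65))
    print("recompute order :", dependency_order())
    print("after recompute :", verify(recompute_all(patched)))
```

Note the gap between the two lists the script prints: `verify` only reports the three checks whose covered bytes changed directly, while `affected_by` also pulls in the MCU checksum (and its copy) because rewriting the MCU+PPM field at 0x08 changes bytes that the MCU checksum covers. That is exactly the post's step 4, and a tool that patches a chunk and fixes only the checks that currently fail will ship an image with a stale outer checksum.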