howto calc 3310 ppm checksum?



StiNKy
02-08-2003, 01:52 AM
Can anyone tell me the maths behind calculating a Nokia 3310's PPM checksums? Pseudo code would be nice :P

Thanks in advance.

NokDoc
02-08-2003, 06:36 AM
Hi,

Here's nice info for the mcu & ppm checks.

http://nokiafree.org

(browse down)

NokDoc

StiNKy
02-08-2003, 07:11 AM
I read that, and it seemed rather nonsensical.

NokDoc
02-08-2003, 07:42 AM
Hi,

I can remember, I had that too long ago.

But he, it only encouraged me to study harder.

NokDoc

StiNKy
02-08-2003, 07:45 AM
it doesn't actually explain how the checksum is calculated.... just the location of it...

NokDoc
02-08-2003, 07:48 AM
Hmm...

Well, shall we start by telling me actually which one?

There is a mcu, some ppm's, a flash chk, and 2 eeprom checks.

In my opinion, only flash check ain't explained there.

NokDoc

StiNKy
02-08-2003, 07:49 AM
what the topic says, ppm checks... ie the checksum at the start of every chunk. a chunk being lpcs, font, text, etc.

NokDoc
02-08-2003, 08:03 AM
Hi,

>> PPM Checksum is 32 Bit (multiple values).
>> Structure is Checksum (4 bytes) + Length of Field.
>> Starts at Pbase+0x25f

Ok, it is not quite clear. ;)

That's a sum (a+b+c+..)

The sum of all 32 bit values, over every full ppm subchunk ranges.

Same way as was done as 16 bit in Mcu ChkSum.

Not calc the value at the checksum location itself.

NokDoc

StiNKy
02-08-2003, 08:05 AM
Thank you. Before I came to this site I tried a sum, but using chars (8-bit) and not ints (32-bit)... so close yet so far. Gonna try it now, thanks :)

by the way, most of that info seems to be quite old, and some of it (probably due to its age) is incorrect.

NokDoc
02-08-2003, 08:22 AM
Hi,

I hope it works out for U, in 32 bit mode.

U're right, very old info.

But it is nostalgic to many guys around here.

I could never dare to correct the guy who wrote it.

Maybe with the knowledge I gathered by now, I make an up-to-date FAQ about checks one day.

But since DeadMcu & DeadFaid are quite a better solution, I rather would focus on a DeadPpm. ;)

Good Luck...

NokDoc

StiNKy
02-08-2003, 08:55 AM
it worked! thanks for your help.
took me a while to remember that I was dealing with big-endian. someone should print that in big red letters.... would've saved me a lot of time :P

StiNKy
02-08-2003, 09:35 PM
and now another checksum problem.
I can calculate the ppm chunk checksums no problem.
but the final ppm checksum, found at the last 4 bytes of the .fls file, how do I calculate that?...

Ice Draagon
04-08-2003, 01:52 AM
This was posted a long time ago, so here it is again:

Note:The last 4-bytes (flash checksum) is quite complicated, and it's not included here.

PPM Checksums Algorithm
by Ice Draagon <[email protected]>
July 2001


Conventions used in this document:

Strings are enclosed in {} or " "

Hex values begin with "x" like in x02E5

Null-terminated strings are indicated by StrZ at
end of identifier.

base32(PPM1) returns a 32bit value like x00320000

offset(MCUChecksum) returns a 32bit value like x00000022

word(MCUChecksum) returns a 16bit value like x02E5

dword(FlashChecksum) returns a 32bit value like x35A003CC

24bit(StartMCU) returns a 24bit value like x200024

Underscore between hex means "to" like in x002C_x002F,
it means values from x002C to x002F.

2-digit numbers found at end of identifiers (like the 16 in Chksum16)
denotes value type (Chksum16 is a 16bit value like x02E5)

Chksum16 is a 16bit checksum obtained by adding 16bit values.
Example:
Offset Word
x320034 x1234
x320036 x1122
Chksum16 x2356

Chksum32 is a 32bit checksum obtained by adding 32bit values.
Example:
Offset DWord
x320034 x12345678
x320038 x11223344
Chksum32 x234589BC

Searching for PPM Block checksums:

PPM1:
Set base32=x00320000

or use search string {xFFFF,"PPM",x00}.
base32=offset({xFFFF,"PPM",x00})+2

BOPPM1...........base32
Chksum32.........base32+x002C
ddChkSum32.......dword(Chksum32) ; base32+x002C_x002F
PPMLength32......base32+x0030
ddPPMLen32.......dword(PPMLength32) ; base32+x0030_x0033
BChkSum32........PPMLength32
EChkSum32........BChkSum32+ddPPMLen32-4 ; less 4 bytes (length of ddChkSum32)
EOPPM1...........EChkSum32

Set PPMx.........PPM1
Set EOPPMx.......EOPPM1

PPMx:

Set PPMBlockEndString={x0000,x0000,x0000,x0010,x0000,x0000,x0000,x0000}

base32=EOPPMx+1

or use PPMBlockEndString after base32(PPMx)
base32=offset(PPMBlockEndString)+16

If dword(base32)=x00000000 then
    end PPM block search
Else
    BOPPMx........base32
    Chksum32......base32
    ddChksum32....dword(Chksum32)
    PPMLength32...base32+4
    ddPPMLen32....dword(PPMLength32)
    BChkSum32.....PPMLength32
    EChkSum32.....BChkSum32+ddPPMLen32-4 ; less 4 bytes (length of ddChkSum32)
    EOPPMx........EChkSum32
EndIf

Loop to PPMx until PPM block search ends

PPM Blocks:
PPM1.............PPM Version
PPM2.............GSM Code Version
PPM3.............Fonts
PPM4.............Language Text Version
PPM5.............Language Array Order/Index
PPM6.............Tone Pack Version
PPM7.............Mobile Network Codes
PPM8.............Language Packs


PPM1 Block contents: *PPM Version
(Note, null-terminated strings are indicated by StrZ at
end of identifier)
base32..............offset(PPM1)
PPMHeaderStrZ.......(base32)_(base32+3)
PPMVerStrZ..........(base32+4)_(base32+35)
Reserve1............(base32+36)_(base32+39) {xFFFF,xFF00}
PPMPackStrZ.........(base32+40)_(base32+41)
Reserve2............(base32+42)_(base32+43) {xFFFF}
Chksum32............(base32+44)_(base32+47)
PPMLength32.........(base32+48)_(base32+51) *Starting from offset(Chksum32)
LangPackVerStrZ.....(base32+52)_(base32+63)
BOSectUnk1..........(base32+64)_(base32+67) {x0000,x0001}
SectionLength32.....(base32+68)_(base32+71) *Starting from offset(BOSectUnk1)
Unk2Str.............(base32+72)_(base32+75) *In 6210v301C "A13C"
SectionContents.....(base32+76)_(offset(BOSectUnk1)+SectionLength32)
EOSection...........offset(BOSectUnk1)+SectionLength32
PPMBlockEndString...(offset(EOSection)+1)_((offset(EOSection)+1)+16)


PPM2 Block contents: *GSM Code version
base32..............offset(PPM2)
Chksum32............(base32)_(base32+3)
PPMLength32.........(base32+4)_(base32+7) *Starting from offset(Chksum32)
GSMCodeVerStrZ......(base32+8)_(base32+19)
BOSectUnk1..........(base32+20)_(base32+23) {x0000,x0001}
SectionLength32.....(base32+24)_(base32+27) *Starting from offset(BOSectUnk1)
Unk2Str.............(base32+28)_(base32+31) *In 6210v301C "A13C"
SectionContents.....(base32+32)_(offset(BOSectUnk1)+SectionLength32)
EOSection...........offset(BOSectUnk1)+SectionLength32
PPMBlockEndString...(offset(EOSection)+1)_((offset(EOSection)+1)+16)


PPM3 Block contents: *Fonts
base32..............offset(PPM3)
Chksum32............(base32)_(base32+3)
PPMLength32.........(base32+4)_(base32+7) *Starting from offset(Chksum32)
FontStrZ............(base32+8)_(base32+19)
BOSectUnk1..........(base32+20)_(base32+23) {x0000,x0001}
SectionLength32.....(base32+24)_(base32+27) *Starting from offset(BOSectUnk1)
Unk2Str.............(base32+28)_(base32+31) {x0000,x0000}
SectionContents.....(base32+32)_(offset(BOSectUnk1)+SectionLength32)
EOSection...........offset(BOSectUnk1)+SectionLength32
PPMBlockEndString...(offset(EOSection)+1)_((offset(EOSection)+1)+16)


PPM4 Block contents: *Language Text Version
base32..............offset(PPM4)
Chksum32............(base32)_(base32+3)
PPMLength32.........(base32+4)_(base32+7) *Starting from offset(Chksum32)
TextVerStrZ.........(base32+8)_(base32+19)

Set EOSectx.........(base32+20)

PPM4Sections:
BOSectx.............(EOSectx)
If word(BOSectx)=(x0000) then
    *Check for PPMBlockEndString
    If found(PPMBlockEndString) then PPM4 Block ends
Else
    If word(BOSectx)=(xFFFF) then
        EOSectx=EOSectx+2
        Loop to PPM4Sections
    EndIf
EndIf
LangIndex...........(BOSectx)_(BOSectx+3) *See notes after this block
SectxLen32..........(BOSectx+4)_(BOSectx+7) *Starting from BOSectx
LangCode............(BOSectx+8)_(BOSectx+11) *See notes after this block
SectxContents.......(BOSectx+12)_(BOSectx+SectxLen32)
EOSectx.............(BOSectx+SectxLen32)

SectxContents (COMM lang code not included):
base32..............offset(SectxContents)
BOTypex.............(base32)_(base32+3) Coding type (0800 0000 - ansi, 8800 0000 - unicode)
BOLangx.............(base32+4)
Repeat
Get byte from offset
Check if byte=xFF, if TRUE then break
byte..............length of string (1-based)
End
BOStringsx..........right after the xFF marker
BOEOStringsx........xFF filler, since length must be divisible by 4.


Loop to PPM4Sections until PPMBlockEndString is encountered

Notes:
LangIndex........LangCode
x0000,x0033......COMM - common to all (don't modify)
x0000,x0002......GERM
x0000,x0001......ENGL
x0000,x000D......TURK
x0000,x0005......SPAN
x0000,x0003......FREN
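
The block walk and checksum described above, as an added example that is not code from Ice Draagon's document or from NokDoc: it combines NokDoc's description of the PPM checksum (a plain 32-bit sum over the chunk, skipping the checksum dword itself), StiNKy's note that the words are big-endian, and the block layout in the document just posted. Everything about the layout beyond what the thread states is an assumption and is marked as such in the code: the length field is taken to count from the checksum offset and to include both the checksum and length fields, the summed range is taken to be the `ddPPMLen32` bytes from the checksum offset minus the 4 checksum bytes, and because the document reaches the next block either via `EOPPMx+1` or via the 16-byte end marker plus 16, the walker accepts the marker either inside or immediately after the summed range. The sample image is constructed for the example and is not a phone dump. The final 4-byte FCHK of the .fls is a different algorithm and is not handled here.

```python
"""Walk the PPM block chain of a Nokia DCT3 .fls image and check each block's
32-bit checksum (added example with constructed sample data, not a phone dump).

Layout assumed from the thread:
  * PPM1 is found via the signature FF FF "PPM" 00; base = signature + 2, with
    the checksum at base+0x2C and the length right after it at base+0x30.
  * every later block starts with its checksum (4 bytes) then its length.
  * the length counts from the checksum offset and includes both fields.
  * checksum = sum of all big-endian 32-bit words from the length field to the
    end of the block, modulo 2**32; the 4 checksum bytes are not summed.
  * blocks are separated by the 16-byte end marker
    00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00; a zero dword where the
    next checksum would sit ends the chain.
"""
import struct

PPM_SIGNATURE = b"\xff\xff" + b"PPM\x00"
BLOCK_END = bytes.fromhex("00000000000000100000000000000000")
PPM1_CHK_OFFSET = 0x2C          # Chksum32 = base32 + x002C for PPM1 only


def chksum32(data, start, end):
    """Sum of the big-endian 32-bit words in data[start:end], modulo 2**32."""
    if start < 0 or end > len(data) or (end - start) % 4:
        raise ValueError("checksum range %#x..%#x is not whole dwords" % (start, end))
    total = 0
    for off in range(start, end, 4):
        total = (total + struct.unpack_from(">I", data, off)[0]) & 0xFFFFFFFF
    return total


def walk_ppm_blocks(img, ppm_base=None):
    """Yield (checksum_offset, stored, computed) for each block in the chain."""
    if ppm_base is None:
        sig = img.find(PPM_SIGNATURE)
        if sig < 0:
            raise ValueError("PPM signature not found")
        ppm_base = sig + 2                        # base32 = offset(sig) + 2
    chk = ppm_base + PPM1_CHK_OFFSET              # PPM1 keeps its checksum at +0x2C
    while True:
        stored, length = struct.unpack_from(">II", img, chk)
        if length < 8 or length % 4 or chk + length > len(img):
            raise ValueError("bad block length %#x at %#x" % (length, chk))
        computed = chksum32(img, chk + 4, chk + length)   # skip the checksum dword
        yield chk, stored, computed
        # Assumption: the document reaches the next block via EOPPMx+1 or via the
        # end marker + 16, so accept the marker inside or right after the block.
        marker = img.find(BLOCK_END, max(chk + 4, chk + length - len(BLOCK_END)))
        if marker < 0:
            return
        nxt = marker + len(BLOCK_END)
        if nxt + 8 > len(img) or struct.unpack_from(">I", img, nxt)[0] == 0:
            return
        chk = nxt                                 # later blocks: checksum at +0


def verify_ppm(img):
    """Return [(checksum_offset, ok)] for every block in img."""
    return [(chk, stored == computed) for chk, stored, computed in walk_ppm_blocks(img)]


def fix_ppm_checksums(img):
    """Return a copy of img with every block checksum recomputed and written back."""
    out = bytearray(img)
    for chk, _stored, computed in walk_ppm_blocks(img):
        struct.pack_into(">I", out, chk, computed)
    return bytes(out)


def build_sample_image():
    """Constructed test image (not a real dump): PPM1 with a correct checksum,
    then a block whose stored checksum was deliberately zapped to 0xDEADBEEF."""
    ppm1_header = (b"PPM\x00"
                   + b"V 05.13 (constructed)".ljust(32, b"\x00")   # PPMVerStrZ
                   + b"\xff\xff\xff\x00"                          # Reserve1
                   + b"A\x00"                                     # PPMPackStrZ
                   + b"\xff\xff")                                 # Reserve2
    assert len(ppm1_header) == PPM1_CHK_OFFSET
    ppm1_payload = b"V 05.13\x00".ljust(12, b"\x00")
    # words summed: 0x00000014 + 0x56203035 + 0x2E313300 + 0 = 0x84516349
    ppm1 = struct.pack(">II", 0x84516349, 8 + len(ppm1_payload)) + ppm1_payload
    ppm2_payload = b"A13C" + b"\x00\x00\x00\x01"
    # the correct value would be 0x10 + 0x41313343 + 1 = 0x41313354
    ppm2 = struct.pack(">II", 0xDEADBEEF, 8 + len(ppm2_payload)) + ppm2_payload
    return (b"\x00" * 0x10 + b"\xff\xff" + ppm1_header + ppm1
            + BLOCK_END + ppm2 + BLOCK_END + b"\x00" * 8)


if __name__ == "__main__":
    image = build_sample_image()
    for chk, stored, computed in walk_ppm_blocks(image):
        print("block @%#06x stored=%08X computed=%08X %s"
              % (chk, stored, computed, "ok" if stored == computed else "BAD"))
    assert verify_ppm(fix_ppm_checksums(image)) == [(0x3E, True), (0x62, True)]
```

To check a real .fls, read the file as bytes and pass it to `verify_ppm`; if the known PPM base (0x130000 in StiNKy's file) is preferred over the signature search, pass it as `ppm_base`. A mismatch on every block usually means the byte order or the summed range is off; a mismatch on one block means that block was edited without recomputing.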

NokDoc
04-08-2003, 11:24 AM
Hi,

A sum is a sum, no mathematical tricks, simply a+b+c...

Flash check (fchk) is no sum.

It takes 2 bytes per 32, almost over the whole mcu & ppm range.

It does some XOR with the bits of the 2 bytes each time.

Back in time, I remember a guy called Mr. Tek made a C source, called fchk.c (Tek's manual logger).

It will be floating around on forum, check around feb/ march 2002.

Good Luck

NokDoc

StiNKy
04-08-2003, 01:41 PM
*sigh* the last 4 bytes which icedragon called the 'flash checksum', that's what I'm after... usually checksums can be a mathematical equation... which is what I'm after.
anyone?

StiNKy
10-08-2003, 09:38 AM
So no-one can explain to me exactly how this flash checksum is calculated?... I find that hard to believe...

Ice Draagon
12-08-2003, 07:23 AM
It's a more complicated routine. I have it in Delphi 6. I used it as a routine in my FBOX unit which I compiled in my GeoFlasher.

As soon as I "revive" my harddisk at home (within this week), I'll send you the routine (or attach it here). It's in Delphi 6, as mentioned, but you might get an idea of how it works when translated to other programming languages.


Originally posted by StiNKy
*sigh* the last 4 bytes which icedragon called the 'flash checksum' that's what i'm after... usually checksums can be a mathetmatical equation... which is what i'm after.
anyone?

NokDoc
13-08-2003, 07:56 PM
Hi,

Sorry, maybe this helps.

NokDoc

wumpus
13-08-2003, 08:48 PM
The flash (FAID) checksum is calculated by the DSP, maybe that's why it did cost people quite some time to figure out how it works

NokDoc
13-08-2003, 10:33 PM
Hi,

Faid is not the flash checksum fchk???

Tools use it from the last 4 bytes in flash.

For calcing the faid, Flash Authorisation ID, to use in mbus command.

Or they calc it with the dongle emulation code by Mr. Tek.

But I doubt if people actually figured out the emulation itself?

NokDoc

wumpus
13-08-2003, 11:15 PM
It takes 2 bytes per 32, almost over the whole mcu & ppm range.

It does some XOR with the bits of the 2 bytes each time.

I just recognized that algorithm from my "journeys" into the firmware code. The two bytes are fed block-by-block into DSP shared RAM, the DSP does some number munching and returns the 32 bit checksum.

I didn't know the four fchk bytes and the last bytes of the FAID were that same result, but yeah that seems to be the case.

Ice Draagon
14-08-2003, 01:14 AM
My best guess is that people who know WinARM studied/debugged/disassembled/traced the flash routine, mainly the MCU part of the flash, and figured out how the Flash Authorization works, just like what Wumpus stated, by "journeying into the firmware code".

This (flash routine can be traced) is one of the main reasons why Nokia secured the flash content by using RSA BSAFE Crypto MicroEdition software in their DCT4 phones. So that the routines can be protected from prying eyes. The routines are decrypted as needed when used by the phone.


Originally posted by NokDoc
Hi,

But I doubt if people actually figured out the emulation itself?

NokDoc

StiNKy
14-08-2003, 08:23 AM
ok now i'm quite lost. fsck? faid? dsp?

Ice Draagon
14-08-2003, 09:44 AM
FCHK is the flash check, which we sometimes called Flash Checksum, which is not really a checksum per se but a calculated value obtained from 2 bytes at every 32nd offset of the MCU/PPM.

That FCHK is also equivalent to the last 4 bytes of the full flash of the phone (PMM/EEPROM not included).

FAID is the Flash Authority ID which is obtained from the computation from FCHK, COBBAID, IMEI, some tables, etc. and then XORd before writing to the phone via MBUS in order for the phone to gain network signal.

Meanwhile the DSP is a part of the phone (processor/MCU/RAM/whatever, you get the idea).



Originally posted by StiNKy
ok now i'm quite lost. fsck? faid? dsp?

StiNKy
14-08-2003, 11:37 AM
ah I see. and I take it the .c file in that .zip NokDoc posted is supposed to calculate the fsck of the given file?... I tried it out and the result it gave differed from the last 4 bytes of my flash file... my flash file contains MCU and PPM. and it's a total of 1,900,544 bytes.
now in my flash file I know the ppm starts at an offset 0x130000... is the mcu supposed to start anywhere specific or just at the start of the file? the reason I ask this is because the .c file starts at an offset of 0x40... just wondering why?

wumpus
14-08-2003, 12:05 PM
The algorithm starts at offset 0x40, that's normal

StiNKy
14-08-2003, 02:05 PM
then why is this .c file still calculating a wrong fsck?...

NokDoc
14-08-2003, 05:28 PM
Hi,

>> calculating a wrong fsck?..

It is the correct one...

The value U calc still needs to be XORed with a 32 bit constant value.

U can re-calc that const by XORing the calced value with a known value from a flash.

If U do it on 2 or more files U will recognise the const.

Beware that Nokia sometimes uses other, double, calc method for fchk.

E.g. a 3330-430/450 and the 3310-503/513.

Bout the Functions:

We know where they are, and how they work basically.

Like Mr. Wumpus said, it is impossible to look in areas outside the mcu itself to see the actual calc.

Though lately it is possible to look into ram, which could possibly lead to new info.

E.g., I found some essential storage locations of the used values from mcu/ dsp.

But he....

DeadFaid is here. :)

Unless there is a serious attempt to bypass that mbus command and put the values directly to eeprom area?

Ps, the fchk calc ranges are defined, not static.

But U still can use the start +40h & EndOfPpm-4, like in the demo.
(That is also why most tools have the bug when using eeprom area too! :) )

NokDoc