View Full Version : Nokia Tool with DCT3/4 Support



Swifty
06-08-2003, 10:19 AM
A while ago I started to build my own Nokia Tool for DCT3 phones in VB. Since every man and his dog seems to be writing a front end for the DCT4 calc I thought I would implement this into my VB program.

What I need to know is the MBUS commands to retrieve the IMEI and MCC+MNC from a DCT4 phone.

MBUS commands for the DCT3 are pretty easy, but I'm having difficulty finding any information for the MBUS DCT4 commands.

I captured the data being sent to the phone via bWinLock v1.0 but this uses FBUS.

Attached is the current status of my program.

Any help is greatly appreciated..

pico
06-08-2003, 11:48 AM
there is no m bus in dct4, only f bus:)

MrWolfman
06-08-2003, 02:15 PM
cyberdog will be the man to contact about this
his calc has this feature built in so he should be able to help

POOLEY
06-08-2003, 02:21 PM
SWIFTY, well done it works quite well. any chance of you mailing me any commands you have cos i have a similar project and could do with a little help.....are you the man???

re:pico why not help the job and post any infos you have too????:cool: :cool:

[email protected]

pico
06-08-2003, 03:04 PM
sorry pooley, i never had dct4 for playing with...:(
i only remember reading, no m bus command set in dct4.

yesterday i did think to start this project myself, but couldnt be bothered to work on dct3 unlock algo (all version dct3). plus its very easy to press *#06# on your dct4 :)
i attached disassembly from dct3 clip (unlock+imei) incase you would like to find out that yourself.

Swifty
06-08-2003, 03:04 PM
attn: pico

I have attached the FBUS details of the comms between bWinlock and a DCT4 phone. Could you tell me which commands are for retrieving IMEI and MCC?

attn: MrWolfman

I'm using v1.4 of cyberdog calc and the button to read the IMEI does nothing

attn: POOLEY

Which commands would you like me to mail you, the commands for the DCT3 MBUS ?

pico
06-08-2003, 03:13 PM
sorry, i cant really say that..
you can try with nk_project (http://www.nokia-unlocping.pwp.blueyonder.co.uk/resource) to send the commands in your phone and see what gets returned in the box. or knock up your own app to test them..

pico
06-08-2003, 03:25 PM
btw, its either:
1E 00 10 1B 00 08 00 03 18 07 00 01 01 47 17 51

or
1E 00 10 1B 00 0A 00 03 06 00 41 00 00 00 01 40 48 52

or
1E 00 10 15 00 08 00 06 00 02 00 00 01 41 0F 58

or
1E 00 10 53 00 07 00 08 00 12 0D 01 42 00 41 4F

or
1E 00 10 53 00 06 00 08 1D 0C 01 43 12 12

please let me know any results:)

POOLEY
07-08-2003, 12:49 PM
any commands for dct3 or 4 and any other phones, this is a big project.
if you want to help mail me @ [email protected]

cheers lads:)

Swifty
07-08-2003, 12:56 PM
Does anyone know why you send "55 55 55 55 55" over the FBUS before sending the command to a DCT4 phone? Is it some sort of initialise or to put the phone into local mode?

Nokia FBUS by Maestro v0.25 sends "55 55 55 55 55" to the phone before every command.

BwinLock also sends "55 55 55 55 55" to the phone but only at the beginning, not before every command sent to the phone.

POOLEY
07-08-2003, 01:42 PM
COULD BE SOME SORT OF "HELLO" BEING SENT TO THE PHONE, if the software gets the same as an answer then communication starts i think, can anyone else comment on this?

pico
07-08-2003, 03:21 PM
well; the phone doesnt reply to that 5555555555 so its not a "hello"/init message :)

i reckon;
bWinlock send 5555555555h to the com port. phone doesnt recognise that, BUT it does get stored at the ports inbuffer (all output data is received in inbuffer also..)

now, when bWinlock sends the next command two things can happen:
first:- if phone is connected, it will reply the required string of data; and write this to com ports inbuffer.
second:- if no phone is connected, the second command is returned to the ports in buffer joined AT THE END of the first data (555...).

now bWinlock can check the inbuffer.
if it was "5"; phone was not connected. else, you got data :)

Swifty
07-08-2003, 04:25 PM
I've had a play with the commands and got some results with my 3510 over FBUS

IMEI
1E 00 10 1B 00 0A (00 03 06 00 41 00 00 00) 01 40 48 52

VERSION
1E 00 10 1B 00 08 (00 03 18 07 00 01) 01 47 17 51

The parts in brackets are the actual block data; the rest is just the usual FrameID, Length, Sequence Number and CheckSums.

Swifty
08-08-2003, 11:09 AM
More results with my 3510 over FBUS

Configuration Key
1E 00 10 53 00 06 (00 08 1D 0C) 01 43 12 12

The parts in brackets are the actual block data; the rest is just the usual FrameID, Length, Sequence Number and CheckSums.

The configuration key is 16 digits long; the first five digits are the MCC+MNC.

Now my program can read the IMEI & MCC+MNC and calculate the codes without any input from the user :D
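
The frame layout Swifty describes in the two posts above (FrameID, Length, block data, Sequence Number, CheckSums) can be checked against the frames quoted in this thread. The following is an added example, not code from any poster or tool mentioned here; the names `dest`, `source`, `msg_type` and `frames_to_go`, the padding rule and the even/odd XOR checksum rule follow the commonly documented F-Bus framing and are assumptions, not statements from the thread.

```python
from dataclasses import dataclass

FRAME_ID_CABLE = 0x1E  # first byte of every frame quoted in the thread

# Frames copied verbatim from the posts above (not constructed).
IMEI_FRAME = "1E 00 10 1B 00 0A 00 03 06 00 41 00 00 00 01 40 48 52"
CONFIG_KEY_FRAME = "1E 00 10 53 00 06 00 08 1D 0C 01 43 12 12"
ODD_LENGTH_FRAME = "1E 00 10 53 00 07 00 08 00 12 0D 01 42 00 41 4F"


@dataclass
class FbusFrame:
    dest: int          # byte 1 (assumed meaning: destination device)
    source: int        # byte 2 (assumed meaning: source device)
    msg_type: int      # byte 3
    block: bytes       # the part Swifty writes in brackets
    frames_to_go: int  # assumed meaning of the byte before the sequence number
    sequence: int


def xor_checksums(body: bytes) -> tuple:
    """Return (XOR of bytes at even offsets, XOR of bytes at odd offsets)."""
    even = odd = 0
    for offset, value in enumerate(body):
        if offset % 2 == 0:
            even ^= value
        else:
            odd ^= value
    return even, odd


def parse_frame(hex_text: str) -> FbusFrame:
    """Parse one frame and reject it if framing or checksums are wrong."""
    raw = bytes.fromhex(hex_text)
    if len(raw) < 10 or raw[0] != FRAME_ID_CABLE:
        raise ValueError("not an F-Bus cable frame")
    length = int.from_bytes(raw[4:6], "big")
    if length < 2:
        raise ValueError("length too short to hold the sequence bytes")
    padded = length + (length % 2)  # odd lengths carry one pad byte
    if len(raw) != 6 + padded + 2:
        raise ValueError("length field does not match frame size")
    if xor_checksums(raw[:-2]) != (raw[-2], raw[-1]):
        raise ValueError("checksum mismatch")
    data = raw[6:6 + length]
    return FbusFrame(raw[1], raw[2], raw[3], data[:-2], data[-2], data[-1])
```

The third sample has an odd length field (07), so it exercises the pad byte that sits between the sequence number and the two checksum bytes.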

Salami1_1
09-08-2003, 07:27 PM
here you are guys:

DCT4 Fbus commands

Fbus commands:

IMEI - 1E 00 0C 1B 00 07 00 01 00 00 41 01 42 00 11 1C

OP Name - 1E 00 0C 0A 00 07 00 01 00 00 00 01 45 00 57 0D

PPM/HW - 1E 00 10 1B 00 08 00 03 08 07 01 FF 01 47 06 AF

Prod.code - 1E 00 10 1B 00 08 00 03 07 0B 00 FF 01 46 08 A2

Prod.Serial - 1E 00 10 1B 00 08 00 03 07 0B 00 FF 01 46 08 A2

WBR

myke2002
09-08-2003, 08:27 PM
unlock counter:

1E 00 10 7F 00 02 15 02 1B 7F 1E 00 10 53 00 07 00 08 00 12 0D 01 44 00 47 4F

fgl30
08-09-2003, 05:01 AM
@Swifty

Great tool, but every time I try to read my 3310 I got MS ID invalid. It's a bug?

Thx

MobyProject
15-09-2003, 10:09 PM
A while ago I started to build my own Nokia Tool for DCT3 phones in VB. Since every man and his dog seems to be writing a front end for the DCT4 calc I thought I would implement this into my VB program.

Any help is greatly appreciated..

It's a great idea and program, but what about 8 digit MCC MNC Codes

i will follow this with great interest

Paul