code reverse engineering nokia firmware



pseudonym
16-09-2003, 12:35 PM
Hey guys,

I've got quite some years of reverse engineering experience on x86 processors, but I know sh*t about mobile phone technology and ARM processors. Anyway, I had some nice ideas which I want to try to achieve at least (one of them would be learning ARM assembly) ;)
What do you think about the idea of implementing a little encryption (I'd say XOR at first, as it should be quite easy) into the phone, so your phone can not be scanned by usual frequency scanners?
If this is possible at all (I know even less about hardware than about software) we could even implement some algorithms to change (pitch etc.) your voice. The reason for saying "if this is possible at all" is that I don't know how the voice will internally be converted from an analogue signal to the digital equivalent. The phone might convert it using a separate chip, but the converted data might be processed by the firmware in some way, which would be good for us, since we want to modify it.
I'll mainly use IDA Pro (www.datarescue.com) to analyze the firmware.
I would really be looking forward to some people who could help me get started in Nokia reverse engineering, write technical documents and maybe build a little team (wumpus, I'm impressed by your findings).
Are you guys on IRC?

cheers

wumpus
16-09-2003, 02:50 PM
Voice distortion on a mobile :-) Hehe I like the idea.. I think it is possible, signal 'improvement' is done by the DSP firmware; you'd have to write DSP code though and alter some codeblock hooks..

Encryption is more difficult as it is not 'signal processing' per se, you'd have to mess with the encoded audio data, and I don't know whether the GSM network accepts 'invalid' voice comms..

g3gg0
16-09-2003, 03:37 PM
> Voice distortion on a mobile :-) Hehe I like the idea.. I think it is possible, signal 'improvement' is done by the DSP firmware; you'd have to write DSP code though and alter some codeblock hooks..
>
> Encryption is more difficult as it is not 'signal processing' per se, you'd have to mess with the encoded audio data, and I don't know whether the GSM network accepts 'invalid' voice comms..


Hmm, normally it should be possible to encrypt the GSM audio frames (?)
Siemens released a voice-encrypting phone about 1,5 yrs ago...

Hm, it might be a problem if the provider DEcodes the signal (maybe to PCM)
and then wants to encode it again in another network.
I don't know much about this....
but as a data service it should work (?)

pseudonym
16-09-2003, 06:23 PM
Let's see what I/we can do. The flasher cable I ordered will possibly arrive at my house tomorrow; then I'll start looking at this stuff.
I'd love to have a look at the firmware now, but unfortunately I'm lacking useful firmware info (tho' I've searched the web).
Can you guys provide me with some information please? One of the most important things is what the entry point to the code of the [Nokia 5210] firmware is. (yeah, I'm *really* new to this)
Thanks in advance.

Oh.. and one more question.. are you hanging around on the Internet Relay Chat network (IRC)?

cheers

wumpus
16-09-2003, 06:44 PM
The entry point is always 200040 :-)

pseudonym
16-09-2003, 09:08 PM
Thanks, wumpus.
I just ran into the next 'problem':

I can't seem to get IDA to disassemble the .fls file correctly.
At least compared to WinARM's output (n5110v524.zip - including the ifo, which I both got from the WinARM site).

I'm doing it using the following steps:
1. I'm loading the .fls file into IDA, then setting the processor type to: ARM
2. Then I'm creating a ROM section starting at 0x00200000, size = 0x00100000, loading address is also 0x00200000
3. I'm jumping to address 0x002000CE in IDA and press alt-g to switch between arm/thumb mode (0x002000CE is 'THUMB Entry point' according to WinARM).

WinARM disassembles the first four instructions like this:

bl ..
bl ..
ldr ..
ldr ..

IDA's output looks like this:

(ARM)
ROM:002000EC CODE32
ROM:002000EC F0 54 F9 6E MRCVS p4, 7, R5,c9,c0, 7
ROM:002000F0 F0 1B FB 63 MVNVSS R1, #0x3C000
ROM:002000F4 48 1F 49 20 SUBCS R1, R9, R8,ASR#30
ROM:002000F8 1A 09 22 00 EOREQ R0, R2, R10,LSL R9

(THUMB)
ROM:002000EC CODE16
ROM:002000EC F0 54 STRB R0, [R6,R3]
ROM:002000EE F9 6E LDR R1, [R7,#0x6C]
ROM:002000F0 F0 1B SUB R0, R6, R7
ROM:002000F2 FB 63 STR R3, [R7,#0x3C]

What am I doing wrong?
Thanks for your replies.

<M457>
16-09-2003, 09:51 PM
After you open the .fls file, select the ARMB processor and select "Binary file" in the listbox. Then click the OK buttons, go to address 0x200040 and press "c". Then go to 0x2000EC, switch from ARM to THUMB mode (by pressing alt-g and changing the T value from 0x0 to 0x1) and finally press "c" again.

I hope this "micro-tutorial" is useful and understandable :)
btw I'm very sorry for my poor English...

byE
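
As an added example (not code from the thread or from any of the posters): a small Python decoder for the eight bytes pseudonym pasted from ROM:002000EC, read as big-endian Thumb halfwords, which is what M457's "ARMB" advice implies (an assumption of this example, as is the instruction subset it handles). Read that way, the bytes give WinARM's bl, bl, ldr, ldr, whereas the little-endian ARM view IDA showed is garbage.

```python
# Minimal big-endian Thumb (ARMv4T) decoder for BL pairs and PC-relative LDR.
# Constructed sample: the 8 bytes at ROM:002000EC as listed in the thread.
import struct

SAMPLE = bytes.fromhex("F054F96E" "F01BFB63" "481F4920")
BASE = 0x2000EC


def sign_extend(value, bits):
    """Two's-complement sign extension of a `bits`-wide field."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode_thumb(blob, base):
    """Return [(address, text)] for BL pairs and LDR Rd,[PC,#imm]; else '???'."""
    out = []
    i = 0
    while i + 1 < len(blob):
        addr = base + i
        hw = struct.unpack_from(">H", blob, i)[0]         # big-endian halfword
        # BL is two halfwords: 11110 + offset_high, then 11111 + offset_low.
        if hw >> 11 == 0b11110 and i + 3 < len(blob):
            hw2 = struct.unpack_from(">H", blob, i + 2)[0]
            if hw2 >> 11 == 0b11111:
                high = sign_extend(hw & 0x7FF, 11) << 12
                # Thumb PC is the prefix address + 4.
                target = (addr + 4 + high + ((hw2 & 0x7FF) << 1)) & 0xFFFFFFFF
                out.append((addr, "BL 0x%06X" % target))
                i += 4
                continue
        if hw >> 11 == 0b01001:                            # LDR Rd, [PC, #imm8*4]
            rd = (hw >> 8) & 7
            imm = (hw & 0xFF) * 4
            literal = ((addr + 4) & ~3) + imm              # PC is word-aligned here
            out.append((addr, "LDR R%d, [PC, #0x%X]  ; =0x%06X" % (rd, imm, literal)))
            i += 2
            continue
        out.append((addr, "??? 0x%04X" % hw))              # not handled by this toy
        i += 2
    return out


if __name__ == "__main__":
    for addr, text in decode_thumb(SAMPLE, BASE):
        print("%08X  %s" % (addr, text))
```

Swapping ">H" for "<H" reproduces the garbage pseudonym saw, which is the whole point of choosing ARMB in the processor list.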

pseudonym
16-09-2003, 10:19 PM
Thanks a lot! It worked fine here.

pseudonym
17-09-2003, 09:10 PM
By the way... in case I fucked up flashing the firmware onto the phone or I patched the firmware with invalid code (i.e. the mobile won't "boot" anymore), under what conditions can I flash the firmware on the phone? Does it just have to have AC power, or do you need a "booted OS"?

Thanks.

<M457>
17-09-2003, 09:37 PM
> By the way... in case I fucked up flashing the firmware onto the phone or I patched the firmware with invalid code (i.e. the mobile won't "boot" anymore), under what conditions can I flash the firmware on the phone? Does it just have to have AC power, or do you need a "booted OS"?
>
> Thanks.

the 1st you said :)

pseudonym
18-09-2003, 02:29 PM
Does anyone have any IDA flirt libraries (for 5210) ?

wumpus
18-09-2003, 02:53 PM
You can *always* flash DCT3 as long as the MAD, flash and memory are working from a hardware viewpoint.

IDA FLIRT libraries? No, I think no one has those. Can they be made easily from a commented firmware disassembly?

pseudonym
18-09-2003, 03:35 PM
At first, thanks again to everyone providing useful information !

wumpus:

Regarding IDA FLIRT files: they can be created using the IDA FLIRT tool(s), which "convert" information from library files (.lib) to pattern files, then to FLIRT files, which can then be read by IDA (e.g. if a specific byte pattern of mnemonics/operands in the IDA database matches the pattern of, let's say, strcpy, IDA will rename the corresponding functions to (in this case) strcpy). This will make the database a lot more readable of course.
btw: You can also export type information to an .idc for redistribution (but this doesn't export too much information).
As far as I know there's also an IDA plugin which creates pattern files, which can then be used by the FLIRT tools.
Next question arises:
Which SDK do I have to get to develop stuff for the 5210?
(This SDK might have those .lib files btw).

Thanks

pseudonym
18-09-2003, 03:55 PM
http://www.datarescue.com/idabase/pix/ida_flirt_white.gif

g3gg0
19-09-2003, 10:29 AM
> Next question arises:
> Which SDK do I have to get to develop stuff for the 5210?
> (This SDK might have those .lib files btw).
>
> Thanks


Hmm, I don't know really, but I don't think there are lib files flying around..
at least none of the firmware, since the lib files would contain the whole firmware...
or am I misunderstanding something?

What would an SDK for the 5210 allow? Can you upload native programmes/apps
onto the phone?

pseudonym
19-09-2003, 10:59 AM
> Hmm, I don't know really, but I don't think there are lib files flying around..
> at least none of the firmware, since the lib files would contain the whole firmware...
> or am I misunderstanding something?
>
> What would an SDK for the 5210 allow? Can you upload native programmes/apps
> onto the phone?

No, the lib files don't contain the whole firmware. But let's say there is a library containing a lot of string manipulation functions which are being inlined into the firmware; IDA would recognize them (as long as there are matching byte patterns of course) using signatures made from the .lib files.

Regarding the SDK: I don't know if there is any *official* SDK, but where do the downloadable games come from? ;)

g3gg0
19-09-2003, 11:24 AM
> No, the lib files don't contain the whole firmware. But let's say there is a library containing a lot of string manipulation functions which are being inlined into the firmware; IDA would recognize them (as long as there are matching byte patterns of course) using signatures made from the .lib files.
>
> Regarding the SDK: I don't know if there is any *official* SDK, but where do the downloadable games come from? ;)

Thought they are in Java?!

pseudonym
19-09-2003, 02:55 PM
> Thought they are in Java?!

I seriously can't imagine that, not for the 5210.

g3gg0
19-09-2003, 04:10 PM
> I seriously can't imagine that, not for the 5210.

Correct, the 5210 has no Java :D