FAID and Checksum Calculation

phonedudes
10-08-2002, 12:20 AM
For the Euro phones there are many progz to do such things.

Mainly need to know what's used to calculate Faid and how to calculate the MCU checksums.

Who can explain EXACTLY what these progz do? When the programs calculate faid can someone tell us how it comes to its solution? Also the progz that set the checksum.. What array of bytes does it calculate and how?

We're trying to apply these theories to U.S/Canada models as well as NON GSM phones.

If someone could give ANY generic flash file with offset examples that are used to calculate it would be greatly appreciated. :)

Cannot seem to find docs on the theory, just to use these certain progz which DONT work for these flash files.


:-D

phonedudes
11-08-2002, 03:52 AM
It looks like we figured out the PPM sections..

Still need algo used for MCU and what things make up the FAID calculation..

Gone through tons of old posts w/some things contradicting each other.. but since there are programs written now I would think all the Theories are concrete now..

So any input would be appreciated...

NokDoc
11-08-2002, 11:17 PM
Hi Mr. PhoneDudes,

The structure looks common to me so programs could possibly handle flash modifications.
The calcs inside the flash files are also the same as normal types.

Ur only true concern is the Faid command based on Esn instead of Imei.
That calc is based on the Flash Checksum and Imei nr.
All Faid calcs in different tools are all based on one source, by Mr. Tek.
That source again was based on emulating the calc that was originally done inside some programmed chip.
The calc itself is still mysterious to almost anyone.
There should be one guy on this planet maybe capable of doing the same with Esn instead of Imei.
But I can't, sorry.

NokDoc

phonedudes
12-08-2002, 04:28 AM
NokDoc,

I think we missed something... When you say
The calcs inside the flash files are also the same as normal types.

What 'normal types' are we talking about? You also say that the faid is based on the flash checksum and imei number. So what is the 'flash checksum' and how is that derived? Is it another checksum of the entire mcu+ppm??

The way we understand it so far is if you take a flash file you have a mcu chunk and ppm chunks. Each ppm has its own checksum. And the Mcu has a checksum. (Which is our other question: how is the Mcu checksum calculated? Since it's only a 2-byte checksum it's a 16-bit sum, but is there a specific point it usually starts?)

If all programs are based off Mr. Tek's algo does anyone have source code for one of the programs that uses it or how could we contact Mr. Tek?

Thanks again for your input...

NokDoc
12-08-2002, 06:19 PM
Hi Mr. Phonedudes,

1, the mcu check.
Just sum of all 16 bits, starting from 24h to end of mcu.
Written twice in file, 1 at 22h and 1 at (end of ppm - 6)
(tip: nFree1.2)

2, the 7-9 ppm checks.
Just sum of all 32 bits, starting from ppm chunk start +4 to end of ppm chunk.
Written in start of each ppm chunk.
(tip: ppm manager)

3, the flash check.
Calcs bitswapping on every 2 bytes per 20h, starting from mcu 40h to end of ppm.
(Fchk.c by Mr. Tek, DL area)
Written at end of ppm - 4
(tip: ppm manager, knok on emulation mode)

4, the Faid number calc, this is not written to file, it is input for mbus Faid command.
Calc is done by Tek's manual logger method.
I have seen sources going around some months ago.
(tip: knok QSetFaid, bPreaks eeprom tools)

Our imei can be obtained by mbus command.
For testing various mbus commands on Ur types U can maybe read the 6110.txt file from the gNokii project from Mr. Martin Wiacek.

Btw, I never saw a good Us/Canada type flash I think.
Can U maybe send one please?
Thanks.

NokDoc

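An added example (not from this thread or from any of the tools NokDoc names) that turns items 1 and 2 of the list above into a checker: a 16-bit sum of 16-bit words from 24h to the end of the MCU, stored at 22h and again at end of ppm - 6, and a 32-bit sum of 32-bit words from chunk start + 4 to the end of each ppm chunk, stored in the chunk's first 4 bytes. Assumptions the thread does not state: big-endian word order, sums that wrap silently, zero-padding of a trailing partial word, and the constructed sample image layout; the flash check (item 3) is not reproduced, its 4-byte slot is left zero.

```python
# Constructed checker for the MCU and PPM sums described in the thread.
# Byte order, wrap behaviour and the sample image below are assumptions.

MCU_SUM_OFFSET = 0x22   # MCU sum stored here ("1 at 22h")
MCU_SUM_START = 0x24    # MCU sum covers 24h .. end of MCU
PPM_SUM_SKIP = 4        # PPM sum covers chunk start + 4 .. chunk end
TAIL_MCU2 = 6           # second MCU copy sits at end of ppm - 6

def _word_sum(data: bytes, width: int) -> int:
    """Wrapped sum of fixed-width big-endian words (assumed byte order)."""
    data += b"\x00" * ((-len(data)) % width)          # zero-pad a partial word
    total = sum(int.from_bytes(data[i:i + width], "big")
                for i in range(0, len(data), width))
    return total & ((1 << (8 * width)) - 1)

def mcu_checksum(image: bytes, mcu_end: int) -> int:
    """16-bit sum of 16-bit words from 0x24 up to (not including) mcu_end."""
    return _word_sum(image[MCU_SUM_START:mcu_end], 2)

def ppm_checksum(chunk: bytes) -> int:
    """32-bit sum of 32-bit words over the chunk, skipping its own sum field."""
    return _word_sum(chunk[PPM_SUM_SKIP:], 4)

def build_image(mcu_body: bytes, ppm_data: bytes) -> bytes:
    """Assemble MCU + one PPM chunk with both sums filled in. The MCU copy at
    end-6 lies inside the PPM chunk, so it is written before the PPM sum is
    taken; the 4-byte flash-check slot at end-4 is left zero (not modelled)."""
    mcu = bytearray(b"\xFF" * MCU_SUM_OFFSET + b"\x00\x00" + mcu_body)
    mcu_sum = _word_sum(mcu_body, 2)
    mcu[MCU_SUM_OFFSET:MCU_SUM_OFFSET + 2] = mcu_sum.to_bytes(2, "big")
    ppm = bytearray(b"\x00" * PPM_SUM_SKIP + ppm_data
                    + mcu_sum.to_bytes(2, "big") + b"\x00\x00\x00\x00")
    ppm[0:PPM_SUM_SKIP] = ppm_checksum(bytes(ppm)).to_bytes(4, "big")
    return bytes(mcu + ppm)

def verify(image: bytes, mcu_end: int) -> dict:
    """Recompute both sums and compare them with the three stored copies."""
    mcu_sum = mcu_checksum(image, mcu_end)
    ppm = image[mcu_end:]
    return {
        "mcu1": int.from_bytes(image[MCU_SUM_OFFSET:MCU_SUM_OFFSET + 2], "big") == mcu_sum,
        "mcu2": int.from_bytes(image[-TAIL_MCU2:-TAIL_MCU2 + 2], "big") == mcu_sum,
        "ppm": int.from_bytes(ppm[:PPM_SUM_SKIP], "big") == ppm_checksum(ppm),
    }

# Constructed sample: 14 MCU words of 0x2000 (sum wraps to 0xC000), 14 PPM bytes.
SAMPLE_MCU_BODY = b"\x20\x00" * 14
SAMPLE_PPM_DATA = b"\x80\x00\x00\x00" * 2 + b"\x00\x00\x00\x10" + b"\x00\x00"
SAMPLE_MCU_END = MCU_SUM_OFFSET + 2 + len(SAMPLE_MCU_BODY)      # 0x40
```

On a real dump you would pass the MCU end address read from the file's pointers in place of SAMPLE_MCU_END and feed each ppm chunk to ppm_checksum separately.
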
phonedudes
13-08-2002, 02:28 AM
@NokDoc :
Thank you again for the info. After a few quick checks on a few newer gsm files they appear 100% to match the info.
The TDMA files however as you will see do not match completely (mcu/flash checksums) so those are the ones we included..

1. 6160 (old ver software) tri-band Tdma/amps 800-1900 similar in style, platform of 6110, 6190. (No Frills phone, no downloadable ringtones, 1-way SMS send not functional)

2. 5165 tri-band Tdma/amps 800-1900 similar in style, platform of 5110, 5190. (Not newest but does have 2-way sms, downloadable ringtones)

Two things we noticed :

1. Hex offset $22 does contain what could be a MCU checksum but you will see that checksum is NOT at the end of the flash nor calculates correctly.
2. Flash checksum does not calculate based on current methods.

We have changed ppm data and re-calc ppm checksum(s), reflashed and all seems well. When we change ANYTHING in Mcu and reflash of course it can't find network.

Look forward to you possibly finding what we're missing :confused: ...

Thanks again .. PHONEDUDES :) :grin: :)

phonedudes
13-08-2002, 02:40 AM
A few things about the programs (tips) you mentioned...

1) 'nfree1.2', which I believe there were 2 versions of, plus a v1.3. Any particular reason you mention 1.2 and not 1.3?
2) ppm manager v.091 is the most recent, correct?
3) fchk.c in dl area does not have a download option next to it.
4) knok, any particular version?? We cannot get knok to read flash files. Never tried emulation mode for flashes. Other than wintesla we use Rolis 4.78 mainly and Dejan 1.00b to read and write.
5) Qsetfaid -- will not calculate since the flash/mcu checksums don't calculate correctly.
Phonedudes :) :grin: :)

:grin:

NokDoc
13-08-2002, 03:52 PM
Hi,

Thanks for the flash, finally I have one myself.
By far more interesting than the tone stuff.

Some quick replies:
1. nFree 1.2, from our mainpage, no other, and only for MCU
2. yep, 091
3. weird, I'll check.
4. kNok not required, as I said knok is the same calc as in ppm manager, they are all based on the same fchk.c flash check calc.
5. Cannot say yet, depends on Ur info about bad calcs.

NokDoc

phonedudes
14-08-2002, 03:35 AM
A little bit more info on those flash files that I'm sure you could figure out, but to verify:

6160 v105 phone uses 00898892: Intel 28F800B3-T flash
5165 v606 phone uses 002000D7: ST M29W800AT flash

The newer type like the 5165 was read w/Rolis. The 6160 took a lot of experimenting to get to read w/Dejan; it will not read w/anything else except of course Wintesla.

Like we said the Mcu checksum area $22 does differ from phone to phone; will verify if it is the same on phones w/the same flash version for sure.

Checked the download section again file still does NOT have a download prompt by it.

Also tried 'emulator mode' w/Knok and had same results w/every flash file we had... Errors out w/ cannot determine MCU version.

Let us know what you figure out and if you need anything else, we have PLENTY of phones.

PHONEDUDES :) :grin: :)

sonicdeejay
14-08-2002, 03:53 AM
:)

NokDoc
15-08-2002, 08:16 PM
Hi,

I had a look at those two files and they certainly differ.

Mcu2 and flash check locations are a problem in both files.
Both have address location pointers for them but the data there is definitely not reliable. FF's :)

If not knowing what to look for it is hard to test flash check calc.
Mcu calc is ok.

Most tools cannot handle the file because there is an 8 byte difference in the VNext method for addressing the depending data.

More after the weekend.

NokDoc

phonedudes
16-08-2002, 06:21 AM
@NokDoc

You said MCU check is ok -- Do you mean you were able to confirm and calculate the Mcu checksum and found 1 location where it was stored but unable to locate the second location for the mcu checksum?

And what do you mean by 'VNext method for addressing'?

Thanks again for taking the time !! look forward to hearing what you find after the weekend.

Phonedudes :) :grin: :)

NokDoc
16-08-2002, 04:01 PM
Hi,

Yes, the mcu is calced ok
mcu1 location is ok
mcu2 location is ?

ppm chunk locations are ok
ppm chunk calcs are ok

FLash Check ?
FLash Check location not reliable

Finding 'VNext' is a method (trick) to me to find where to find useable data pointers in file, like ppm, checksums or version string addresses.
They are mostly written in that area.

Ps, the tool U see does not exist.

NokDoc

Kontact
19-08-2002, 02:05 AM
One thing I notice on tdma 5165: I can't find the start address and end address of the mcu1. On GSM 5110 it is in loc 0x24 to 0x29, but on 5165 I can't see it yet... maybe I need more time to check the flash... and it seems it has no mcu2? :confused: :confused: :confused:

phonedudes
27-08-2002, 11:13 PM
TDMA does NOT seem to have an ending address.

Assume when 'you guys' use the term 'mcu2' we are referring to another location the checksum for the mcu is stored, correct? Which like stated is another thing NOT seeming to appear on any TDMA flashes.

Still a little confused on the 'flash check' whole thing, since that seems to be a guessing game so far as to where it is stored at if they use the same range of memory all the time.

@NokDoc
Your 'vnext' method, do you find that for the most part there is only one area of the flash that has such a thing? And if you found that in the files we sent can you tell us the area it's at so we know we are on the correct track... I think it's remembering the +$20xxxx thing that makes it confusing.
Should just have the hex editor always start at $200000 instead of 0.

The quest continues...

Phonedudes :) :grin: :)