Look, what have made our chineese brothers with a SL45i:
http://www.konca.com/opus/kvsim/index_en.html

Can we make it with Nokia?

grreetz

It is already here
Look throught the sim cloning section to find out about sim-emu

regards,
Danny

i only read this thread today and i would say:
what a fucking gr8 idea!

without the need of having a simcard, would it be possible to inject simemu code in nokia firmware?

this way we would not need to buy thos dam greencards for 20 eur each :p

possible, i would say yes. but could we do it?

WHAT IS IT POSSIBLE !!!!

Oh Boy !!

Do tell me also if any of u find a link becoz i m not able to find it in NFree.

Regards

im not saying it already exist

i just think that it may be possible just need to know a way to do it

better starting seriously on it ;)

here is the link for hex file of sime-emu 6.01 in all languages

http://simemu.gsmhosting.net/Sim_Emu_6.01.zip

Here is Sim-Emu Configurator v1.12c(Multy ICC-ID support)

http://borozda.com/pic-ador/

If you were to put Sim-Emu in a flash you would need a hard memory area and unfortunatly most DCT3 have very little spare eeprok space so I would think this near impossible.

regards,
Danny

it takes only 64kb of memory

i've seen mados in a 3310, remember?

the processor was more then enough to do it. and it was 128kb at beggining...

it takes only 64kb of memory

i've seen mados in a 3310, remember?

the processor was more then enough to do it. and it was 128kb at beggining...

The patch for siemens (binary) takes only 13k. So...
There's a thread on reversing that patch on http://forum.siemens-club.ru/viewtopic.php?TopicID=43063&page=0 but its in russian.

Credits for reversing go to Sinclair from that forum
(Siemens uses other processor than Nokia, but main thing should be clear)



$SEGMENTED
$MOD167

; макрос для создания db
%*DEFINE(STR2DB(nm,str))(%nm db 0%SET(x,1)%WHILE(%x LT %LEN(%str))(%SUBSTR(%str,%x,2)%SET(x,%x+2)%IF(%x LT %LEN(%str))THEN(h,0)ELSE(h)FI))

;---------------------------------------------------------------------------------------
SIM_number EQU 0000414h ;Variable with choosen SIM number
SIM_Access_Function EQU 090C66Ah ;Access physical SIM memcpy EQU 0DC3AD6h
SIM_RAM_var EQU 0159306h ;Variable used for crypting.

PATCH_PLACE EQU 0E1F000h ;Patch body
var_1010 EQU 0000400h ;Variables in free RAM place
var_1020 EQU 0000410h
var_1021 EQU 0000411h
var_1022 EQU 0000412h

call_sim_dpp EQU 056h ; DPP value, loaded on patched address

PATCH_ADDRESS1 EQU 0BE0958h ;Replacing calls
PATCH_ADDRESS2 EQU 0BE09E4h ;SIM_Access_Function
PATCH_ADDRESS3 EQU 0BDFAFCh ;Before MessageDispatch
;---------------------------------------------------------------------------------------
;---------------------------------------------------------------------------------------
;---------------------------------------------------------------------------------------

PATCH1 SECTION CODE WORD AT PATCH_ADDRESS1
patch1_proc proc far
calls seg(SimAccessReplace), sof(SimAccessReplace)
patch1_proc endp
PATCH1 ENDS

PATCH2 SECTION CODE WORD AT PATCH_ADDRESS2
patch2_proc proc far
calls seg(SimAccessReplace), sof(SimAccessReplace)
patch2_proc endp
PATCH2 ENDS

PATCH3 SECTION CODE WORD AT PATCH_ADDRESS3
patch3_proc proc far
calls seg(call_sim), sof(call_sim)
patch3_proc endp
PATCH3 ENDS
;---------------------------------------------------------------------------------------
;---------------------------------------------------------------------------------------
;---------------------------------------------------------------------------------------

PATCH SECTION CODE WORD AT PATCH_PLACE

%STR2DB(IMSI_SIM_1,00000000000000000000000000000000)
%STR2DB(KI___SIM_1,00000000000000000000000000000000)
%STR2DB(IMSI_SIM_2,00000000000000000000000000000000)
%STR2DB(KI___SIM_2,00000000000000000000000000000000)

%STR2DB(d512,66B1BAA2029C704B3719080CFBC1F6BC6DD597352A4FBF73E9F2A4DFD1946CA1FC25F42F40D306EDB9A08B714C8A3B46431A0D9D3FB3DD1ED624A645987CCF74)
%STR2DB( ,F7C229544701310E5F23A915604ED7E1B6F31C5CC976044AF880110B9284F530955A782757E66AE8AF137EBECA8D89B0FA1B6528DBE33A1433B262D88C162079)
%STR2DB( ,3D67CB481D6E55D4B4CC96B70F42ACC438C59E00642D990790DEA3A73C87D2E7AEA526F9E022DCE5D9D0F144CEBD7DFFEF36A8597B7A499175EA8F6381C8C052)
%STR2DB( ,68AA88EB5D51CDADEC5E69342EE4C60539FE619B8E85C7ABBB3241B57F6B93E2B8DA83214D561F2C583EEE12182B9A17509F866F0972035B1082530AC3F0FD77)
%STR2DB( ,B166A2BA9C024B7019370C08C1FBBCF6D56D35974F2A73BFF2E9DFA494D1A16C25FC2FF4D340ED06A0B9718B8A4C463B1A439D0DB33F1EDD24D645A67C9874CF)
%STR2DB( ,C2F7542901470E31235F15A94E60E1D7F3B65C1C76C94A0480F80B11849230F55A952778E657E86A13AFBE7E8DCAB0891BFA2865E3DB143AB233D862168C7920)
%STR2DB( ,673D48CB6E1DD455CCB4B796420FC4ACC538009E2D640799DE90A7A3873CE7D2A5AEF92622E0E5DCD0D944F1BDCEFF7D36EF59A87A7B9149EA75638FC88152C0)
%STR2DB( ,AA68EB88515DADCD5EEC3469E42E05C6FE399B61858EABC732BBB5416B7FE293DAB82183564D2C1F3E5812EE2B18179A9F506F8672095B0382100A53F0C377FD)

%STR2DB(d256,130B50722B01455E27127F756103552B1B7C46532F473F0A2F594F040E3B0B05236B67441556245B557E20326D5E7806354F1C2D635F292258445D376E7D6914)
%STR2DB( ,5A504C60173C594079380E4A6508134E4C42682E6F32200327003A195C16123339417774166D07563B5D3E6E4E634D430C71576266055821263817084B2D0D4B)
%STR2DB( ,5F3F1C317B7814702C1E0F626A02671D526B2A7C181E29106C64752849280772527324700C6664545C3048610936374A717B111A353A0409457A15762A3C1B49)
%STR2DB( ,767D220F417354403E514601186F79536851317F30691F0A065B57251036747E1F260D00486A4D3D1A432E1D60253D3465112C6C473442392133195A02777A23)

%STR2DB(d128,34322C061531293B27331920332F342B250428223D0C1C043A17080F0C160912370A212332012B03390D3E0E072A2C3B3E391B06081F1A3629162D1427031038)
%STR2DB( ,3002151C242A3C212212000B180A113D1D0E2D1A372E0B11362E09181E3C20001426021E3A230110382817300D13131B1F352F263F0F3105253519243F1D0507)

%STR2DB(d64 ,01051D0619011217111300091819061F1C14181E041B030D0F100E120403080914000C1A15081C021D020F070B160E0A11150C1E1A1B101F0B070D170A051613)

%STR2DB(d32 ,0F0C0A04010E0B0705000E0701020D080A03040906000302050608090B0D0F0C)

enc_tbl dw pof(d512), pag(d512)
dw pof(d256), pag(d256)
dw pof(d128), pag(d128)
dw pof(d64), pag(d64)
dw pof(d32), pag(d32)

SimAccessReplace proc far
mov [-r0], r9
mov [-r0], r8
mov r9, [r0+#0Ch]
mov r8, [r0+#0Ah]
mov r1, #pof(var_1022)
mov r2, #pag(var_1022)
extp r2, #1
mov r3, [r1]
jb r3.1, SIM_selected
mov r1, #pof(var_1022)
mov r2, #pag(var_1022)
extp r2, #1
mov r3, [r1]
bfldl r3, #2, #2
extp r2, #1
mov [r1], r3
extp #pag(SIM_number), #1
movb rl1, SIM_number
cmpb rl1, #1
jmpr cc_C, set_D8D94_to_default
cmpb rl1, #3
jmpr cc_ULE, loc_BFA1C6

set_D8D94_to_default:
movb rl1, #1
extp #pag(SIM_number), #1
movb SIM_number, rl1

loc_BFA1C6:
extp #pag(SIM_number), #1
movb rl1, SIM_number
cmpb rl1, #2
jmpr cc_Z, SIM1
cmpb rl1, #3
jmpr cc_Z, SIM2
jmpr cc_UC, PhysicalSIM
; ---------------------------------------------------------------------------

SIM1:
extp #pag(IMSI_SIM_1), #1
movb rl1, IMSI_SIM_1
jmpr cc_NZ, SIM_selected
jmpr cc_UC, PhysicalSIM
; ---------------------------------------------------------------------------

SIM2:
extp #pag(IMSI_SIM_2), #1
movb rl1, IMSI_SIM_2

jmpr cc_NZ, SIM_selected

PhysicalSIM:
movb rl1, #1
extp #pag(SIM_number), #1
movb SIM_number, rl1

SIM_selected:
extp #pag(SIM_number), #1
movb rl1, SIM_number
cmpb rl1, #1
jmpa cc_Z, loc_BFA2E2
cmp r14, #88h
jmpa cc_Z, loc_BFA2A2
cmp r14, #0A4h
jmpr cc_Z, loc_BFA238
cmp r14, #0C0h
jmpr cc_Z, loc_BFA26C
cmp r14, #0B0h
jmpr cc_Z, loc_BFA27E
jmpa cc_UC, loc_BFA2E2
; ---------------------------------------------------------------------------

loc_BFA238:
extp r9, #1
movb rl1, [r8]
cmpb rl1, #6Fh
jmpa cc_NZ, loc_BFA2E2
mov r1, r8
mov r2, r9
add r1, #1
extp r2, #1
movb rl3, [r1]
cmpb rl3, #7
jmpr cc_Z, loc_BFA25A
cmpb rl3, #7Eh
jmpa cc_NZ, loc_BFA2E2

loc_BFA25A:
extp r2, #1
movb rl1, [r1]
mov r2, #pof(var_1021)
mov r3, #pag(var_1021)
extp r3, #1
movb [r2], rl1
jmpa cc_UC, loc_BFA2E2
; ---------------------------------------------------------------------------

loc_BFA26C:
mov r1, #pof(var_1021)
mov r2, #pag(var_1021)
extp r2, #1
movb rl1, [r1]
cmpb rl1, #88h
jmpr cc_Z, loc_BFA292
jmpr cc_UC, loc_BFA2E2
; ---------------------------------------------------------------------------

loc_BFA27E:
mov r1, #pof(var_1021)
mov r2, #pag(var_1021)
extp r2, #1
movb rl1, [r1]
cmpb rl1, #7
jmpr cc_Z, loc_BFA292
cmpb rl1, #7Eh
jmpr cc_NZ, loc_BFA2E2

loc_BFA292:
movb rl1, #92h
mov r2, #pof(var_1020)
mov r3, #pag(var_1020)
extp r3, #1
movb [r2], rl1
jmpr cc_UC, loc_BFA2E2
; ---------------------------------------------------------------------------

loc_BFA2A2:
movb rl1, #88h
mov r2, #pof(var_1021)
mov r3, #pag(var_1021)
extp r3, #1
movb [r2], rl1
mov [-r0], r12
mov [-r0], r13
mov [-r0], r15
mov [-r0], r14
mov r2, #10h
mov [-r0], r2
mov r12, #pof(var_1010)
mov r13, #pag(var_1010)
mov r14, r8
mov r15, r9
calls seg(memcpy), sof(memcpy)
add r0, #2
mov r14, [r0+]
mov r15, [r0+]
mov r13, [r0+]
mov r12, [r0+]

loc_BFA2E2:
mov r1, [r0+#10h]
mov r2, [r0+#12h]
mov [-r0], r2
mov [-r0], r1
mov r3, [r0+#12h]
mov [-r0], r3
mov [-r0], r9
mov [-r0], r8
mov r4, [r0+#12h]
mov [-r0], r4
mov r5, [r0+#12h]
mov [-r0], r5
mov r10, [r0+#12h]
mov [-r0], r10
calls seg(SIM_Access_Function), sof(SIM_Access_Function)
add r0, #10h
mov r8, [r0+]
mov r9, [r0+]
rets
SimAccessReplace endp

; ---------------------------------------------------------------------------
; ---------------------------------------------------------------------------
; ---------------------------------------------------------------------------

call_sim proc far
mov [-r0], r1
mov [-r0], r2
mov [-r0], r3
mov [-r0], r4
mov [-r0], r5
mov [-r0], r6
mov [-r0], r7
mov [-r0], r8
mov [-r0], r9
mov [-r0], r10
mov [-r0], r11
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
calls seg(sim), sof(sim)
mov r15, [r0+]
mov r14, [r0+]
mov r13, [r0+]
mov r12, [r0+]
mov r11, [r0+]
mov r10, [r0+]
mov r9, [r0+]
mov r8, [r0+]
mov r7, [r0+]
mov r6, [r0+]
mov r5, [r0+]
mov r4, [r0+]
mov r3, [r0+]
mov r2, [r0+]
mov r1, [r0+]
mov DPP0, #call_sim_dpp
rets
call_sim endp
; ---------------------------------------------------------------------------
; ---------------------------------------------------------------------------
; ---------------------------------------------------------------------------

sim proc far

extp #pag(SIM_number), #1
movb rl1, SIM_number
cmpb rl1, #1
jmpa cc_ULE, exit
cmpb rl1, #3
jmpa cc_UGT, exit
mov r12, #pof(var_1020)
mov r13, #pag(var_1020)
extp r13, #1
movb rl1, [r12]
cmpb rl1, #92h ; 'Т'
jmpa cc_NZ, exit
mov r12, #pof(var_1021)
mov r13, #pag(var_1021)
extp r13, #1
movb rl1, [r12]
jmpa cc_Z, exit
extp #pag(SIM_number), #1
movb rl1, SIM_number
cmpb rl1, #2
jmpr cc_Z, SIM_card1_selected
cmpb rl1, #3
jmpa cc_NZ, exit

mov r12, #pof(KI___SIM_2)
mov r13, #pag(KI___SIM_2)
jmpr cc_UC, loc_BFA390
; ---------------------------------------------------------------------------

SIM_card1_selected:
mov r12, #pof(KI___SIM_1)
mov r13, #pag(KI___SIM_1)

loc_BFA390:
mov r14, #pof(var_1021)
mov r15, #pag(var_1021)
extp r15, #1
movb rl1, [r14]
cmpb rl1, #88h ; 'И'
jmpr cc_Z, loc_BFA406
cmpb rl1, #7
jmpr cc_Z, loc_BFA3AE
cmpb rl1, #7Eh ; '~'
jmpr cc_Z, loc_BFA3F2
jmpa cc_UC, loc_BFA428
; ---------------------------------------------------------------------------

loc_BFA3AE:
mov r14, #pof(var_1022)
mov r15, #pag(var_1022)
extp r15, #1
mov r1, [r14]
bfldl r1, #4, #4
extp r15, #1
mov [r14], r1
mov r14, #9
mov [-r0], r14
mov r15, #pof(SIM_RAM_var)
mov r1, #pag(SIM_RAM_var)
mov r2, r12
mov r3, r13
extp r1, #2
mov r12, [r15+]
mov r13, [r15]
mov r15, r3
mov r14, r2
add r14, #10h
calls seg(memcpy), sof(memcpy)
add r0, #2
jmpr cc_UC, loc_BFA428
; ---------------------------------------------------------------------------

loc_BFA3F2:
mov r12, #pof(var_1022)
mov r13, #pag(var_1022)
extp r13, #1
mov r14, [r12]
bfldl r14, #8, #8
extp r13, #1
mov [r12], r14
jmpr cc_UC, loc_BFA428
; ---------------------------------------------------------------------------

loc_BFA406:
mov r14, #pof(SIM_RAM_var)
mov r15, #pag(SIM_RAM_var)
extp r15, #2
mov r1, [r14+]
mov r2, [r14]
mov [-r0], r2
mov [-r0], r1
mov r14, r12
mov r15, r13
mov r12, #pof(var_1010)
mov r13, #pag(var_1010)
calls seg(Encode), sof(Encode)
add r0, #4

loc_BFA428:
movb rl1, #0
mov r12, #pof(var_1020)
mov r13, #pag(var_1020)
extp r13, #1
movb [r12], rl1
mov r12, #pof(var_1021)
mov r13, #pag(var_1021)
extp r13, #1
movb [r12], rl1

exit:
rets
sim endp

; ---------------------------------------------------------------------------
; ---------------------------------------------------------------------------
; ---------------------------------------------------------------------------

Encode proc far
assume DPP3:SYSTEM
mov [-r0], r9
mov [-r0], r8
mov [-r0], r7
mov [-r0], r6
mov [-r0], r15
mov [-r0], r14
sub r0, #0A2h ; 'в'
mov r10, [r0+#0B0h]
mov r3, [r0+#0AEh]
mov r14, #10h

loc_BFA850:
mov r15, r12
mov r8, r13
sub r15, #10h
add r15, r14
extp r8, #1
movb rl6, [r15]
mov r15, r14
add r15, r0
movb [r15], rl6
cmpi1 r14, #1Fh
jmpr cc_SLT, loc_BFA850
mov r14, #1

loc_BFA86C:
mov r12, #0

loc_BFA86E:
mov r13, [r0+#0A2h]
mov r15, [r0+#0A4h]
add r13, r12
extp r15, #1
movb rl6, [r13]
mov r13, r12
add r13, r0
movb [r13], rl6
cmpi1 r12, #0Fh
jmpr cc_SLT, loc_BFA86E
mov r12, #0

loc_BFA888:
mov r13, #0
jmpa cc_UC, loc_BFA952
; ---------------------------------------------------------------------------

loc_BFA88E:
mov r15, #0
jmpa cc_UC, loc_BFA944
; ---------------------------------------------------------------------------

loc_BFA894:
mov r8, #5
sub r8, r12
mov r9, #1
shl r9, r8
mul r9, r13
mov r8, MDL
mov r11, r15
add r11, r8
mov r9, #4
sub r9, r12
mov r7, #1
shl r7, r9
mov r6, r11
add r6, r7
mov r1, r0
and r1, #3FFFh
mov r2, DPP1
add r1, r11
extp r2, #1
movb rl7, [r1]
movbz r7, rl7
mov r8, r0
and r8, #3FFFh
mov r9, DPP1
add r8, r6
extp r9, #1
movb rl4, [r8]
movbz r4, rl4
shl r4, #1
add r7, r4
mov r4, #9
sub r4, r12
mov r6, #1
shl r6, r4
mov MDL, r7
div r6
mov r7, MDH
mov [r0+#0A0h], r7
extp r9, #1
movb rl4, [r8]
movbz r4, rl4
extp r2, #1
movb rl5, [r1]
movbz r11, rl5
shl r11, #1
add r11, r4
mov MDL, r11
div r6
mov r11, MDH
mov r6, #pof(enc_tbl)
mov r7, #pag(enc_tbl)
mov r4, r12
shl r4, #2
add r6, r4
extp r7, #2
mov r5, [r6+#2]
mov r4, [r6]
mov [-r0], r3
mov r3, [r0+#0A2h]
add r4, r3
extp r5, #1
movb rl4, [r4]
extp r2, #1
movb [r1], rl4
mov r3, [r0+]
extp r7, #2
mov r1, [r6+]
mov r2, [r6]
add r1, r11
extp r2, #1
movb rl6, [r1]
extp r9, #1
movb [r8], rl6
add r15, #1

loc_BFA944:
mov r8, #4
sub r8, r12
mov r9, #1
shl r9, r8
cmp r9, r15
jmpr cc_SGT, loc_BFA894
add r13, #1

loc_BFA952:
mov r15, #1
shl r15, r12
cmp r15, r13
jmpr cc_SGT, loc_BFA88E
cmpi1 r12, #4
jmpr cc_SLT, loc_BFA888
mov r12, #0

loc_BFA960:
mov r13, #0

loc_BFA962:
mov r15, r12
add r15, r0
movb rl6, [r15]
movbz r6, rl6
mov r15, #3
sub r15, r13
shr r6, r15
andb rl6, #1
mov r15, r12
shl r15, #2
add r15, r13
add r15, r0
movb [r15+#20h], rl6
cmpi1 r13, #3
jmpr cc_SLT, loc_BFA962
cmpi1 r12, #1Fh
jmpr cc_SLT, loc_BFA960
cmp r14, #8
jmpr cc_SGE, loc_BFA9E4
mov r12, #0

loc_BFA990:
movb rl6, #0
mov r1, #10h
add r1, r0
and r1, #3FFFh
mov r2, DPP1
add r1, r12
extp r2, #1
movb [r1], rl6
mov r13, #0

loc_BFA9A8:
mov r8, r12
shl r8, #3
add r8, r13
mov r15, r8
shl r15, #4
add r15, r8
mov r8, r15
ashr r15, #6
shr r15, #9
add r15, r8
and r15, #0FF80h
neg r15
add r15, r8
extp r2, #1
movb rl6, [r1]
add r15, r0
movb rl7, [r15+#20h]
movbz r7, rl7
mov r15, #7
sub r15, r13
shl r7, r15
orb rl6, rl7
extp r2, #1
movb [r1], rl6
cmpi1 r13, #7
jmpr cc_SLT, loc_BFA9A8
cmpi1 r12, #0Fh
jmpr cc_SLT, loc_BFA990

loc_BFA9E4:
cmpi1 r14, #8
jmpa cc_SLT, loc_BFA86C
mov r14, #0

loc_BFA9EC:
mov r12, r14
shl r12, #1
mov r13, r12
add r13, r0
movb rl6, [r13+#1]
add r12, r0
movb rl7, [r12]
movbz r7, rl7
shl r7, #4
orb rl7, rl6
mov r12, r3
mov r13, r10
add r12, r14
extp r13, #1
movb [r12], rl7
cmpi1 r14, #3
jmpr cc_SLT, loc_BFA9EC
mov r14, #0

loc_BFAA12:
mov r12, r14
shl r12, #1
mov r13, r12
add r13, r0
movb rl6, [r13+#12h]
movbz r6, rl6
shl r6, #6
mov r13, r12
add r13, r0
movb rl7, [r13+#13h]
movbz r7, rl7
shl r7, #2
orb rl6, rl7
add r12, r0
movb rl7, [r12+#14h]
movbz r7, rl7
shr r7, #2
orb rl6, rl7
mov r12, r3
mov r13, r10
add r12, #4
add r12, r14
extp r13, #1
movb [r12], rl6
cmpi1 r14, #5
jmpr cc_SLT, loc_BFAA12
movb rl6, [r0+#1Eh]
movbz r6, rl6
shl r6, #6
movb rl7, [r0+#1Fh]
movbz r7, rl7
shl r7, #2
orb rl6, rl7
extp r10, #1
movb [r3+#0Ah], rl6
movb rl6, #0
extp r10, #1
movb [r3+#0Bh], rl6
add r0, #0A6h
mov r6, [r0+]
mov r7, [r0+]
mov r8, [r0+]
mov r9, [r0+]
rets
Encode endp

PATCH ENDS
end


Its not complete, after there are corrections...

Crux what I was on about is storing the sim data
You need to have memory space you can read to and from like the eeprom

Unfortunatly for example the 3310 there is very little free space
Although there may be enough space to add the code in your flash what happens to phonebook and messages???

regards,
Danny

but is this done already on a siemens?

i didnt understand it fully yet

if was done on a siemens, then i am sure it can be done on a nokia

in my 3310 i have fee 484 kb of memory, removing languages, etc

ok ok.

links related to this:

http://forum.gsmhosting.com/vbb/showthread.php?t=168487

http://www.konca.com/opus/kvsim/index_en.html

Crux, there is enough space for code in 3310's FLASH. But there is NOT enough free space in EEPROM for storing sim data. FLASH is a READ-ONLY memory (you can write to it using flasher, but the firmware code CAN'T), EEPROM is a read-write memory that remembers its contents when you turn phone off (as opposite to RAM). We would need this EEPROM space but unfortunately currently we can get about 200 bytes in 3310 (and in other models even less, only about 10 bytes in 5110). This may change (some people are working on it) but till now it's impossible to get more.

Oh !! No.

BTW, how much eeprom is needed

regards

i already made such a patch loooong ago...
i tried it but it seems my imsi and ki were wrong
hmmh not sure for which software version it was...
but i think its a 3310. if someone is skilled, he could look in the different
flashes if there are the sim functions

it was completely written by hand, no c compiler or similar was used.
but in the emulator it worked 100%




//
.sub func_mul
.des own_mul
// R0 = R0 * R1
// R1 must me the lower one!
//
/////////////////////////////////////////

push r2, lr

mov r2, 0
@loop:
cmp r1, 0
beq @end
add r2, r2, r0
sub r1, 1
b @loop

@end:
mov r0, r2
pop r2, lr

.endsub
/////////////////////////////


//
//
.sub func_a3a8_hack
.des own_a3a8_hack
// replaces the A3A8 calculation
//
//
//
/////////////////////////////////////////
.inj f2cc
.org f2cc
.imp own_run_comp128 0x12D15C

mov r0, r4
bl @own_run_comp128
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
/////////////////////////////////////////

//
//
.sub func_get_imsi
.des own_get_imsi
// places current IMSI in buffer R0 points to
//
//
//
/////////////////////////////////////////

push r0, r1, r2, r3, lr

mov r1, @imsi
mov r2, 0x0c
bl @n_memcpy

pop r0, r1, r2, r3, lr

@imsi:
dd 08deadbe
dd efdeadbe
dd efffffff
/////////////////////////////////////////



//
//
.sub func_run_comp128
.des own_run_comp128
// own_run_comp128
//
// calculates the COMP128 response
// par: R0 = RAND
// ret: R0 = ptr to 0066[Sres][Kc]
// (RAM to free)
/////////////////////////////////////////
push r1, r2, r3, r4, r5, lr

mov r4, r0

mov r0, 0x12
bl @n_malloc
mov r5, r0
mov r2, 0x00
strb r2, r0, 0
mov r2, 0x66
strb r2, r0, 1
add r2, r0, 2

//mov r0, 6
//bl @own_get_config_nibble
mov r3, 0
lsl r3, r0, 4

mov r0, r4
mov r1, @key
add r1, r1, r3

bl @own_a3a8
mov r0, r5

pop r1, r2, r3, r4, r5, lr

nop
@key:
dd 11111111
dd 11111111
dd 11111111
dd 11111111
//
dd 22222222
dd 22222222
dd 22222222
dd 22222222
//
dd 33333333
dd 33333333
dd 33333333
dd 33333333
//
dd 44444444
dd 44444444
dd 44444444
dd 44444444
//
/////////////////////////////////////////

//
//
.sub func_a3a8
.des own_a3a8
// own_a3a8 ( byte rand[16], byte key[16], byte simoutput[12] )
// calculates the COMP128 response
//
//
/////////////////////////////////////////
//
// R0 = i
// R1 = j
// R2 = k
// R3 = l
// R4 = m
// R5 = n
// r6 = y
// R7 = z
// h0 = RAND[16]
// h1 = Key[16]
// h2 = out[12]
// h3 = x[32]
//
push r0, r1, r2, r3, r4, r5, r6, r7, lr

mov r3, h0
mov r4, h1
mov r5, h2
mov r6, h3
push r3, r4, r5, r6

mov h0, r0
mov h1, r1
mov h2, r2

bl @disable_irq

// allocate 32 bytes for x[32]
mov r0, 20
bl @n_malloc
mov h3, r0


// load RAND into last 16 bytes of x
mov r3, h0
mov r4, h3
mov r0, 0x10
@next_rand:
cmp r0, 0x20
beq @skip_rand
mov r1, 0x10
sub r2, r0, r1
ldrb r1, r3, r2
strb r1, r4, r0
add r0, 1
b @next_rand
@skip_rand:

// loop 8 times
// R0 = i

mov r0, 1

@next_loop:
cmp r0, 9
bne @do_loop
b @skip_loop

@do_loop:
// load key into first 16 bytes of x
mov r2, h1
mov r3, h3
mov r1, 0
@next_keyload:
cmp r1, 0x10
beq @skip_keyload
ldrb r4, r2, r1
strb r4, r3, r1
add r1, 1
b @next_keyload
@skip_keyload:

// perform substitutions
// R1 = j
// R2 = k
// R3 = l

mov r1, 0
@next_subst:
cmp r1, 5
beq @skip_subst
mov r2, 0
@next_substk:
mov r4, 1
lsl r4, r1
cmp r2, r4
beq @skip_substk
mov r3, 0
@next_substl:
mov r4, 4
sub r4, r4, r1
mov r5, 1
lsl r5, r4
cmp r3, r5
beq @skip_substl

// do l+k*(1<<(5-j))
mov r4, 5
sub r4, r4, r1
mov r5, 1
lsl r5, r4
push r0, r1, r2
mov r0, r2
mov r1, r5
bl @own_mul
mov r4, r0
pop r0, r1, r2
add r4, r4, r3
// now have m in r4

// do m+(1<<(4-j))
mov r5, 4
sub r5, r5, r1
mov r6, 1
lsl r6, r5
add r5, r6, r4
// now have n in R5
// push k and l.. dont need them here
// and r0, r1.. need space

push r2, r3
push r0, r1

// now do (x[m]+2*x[n]) % (1<<(9-j))
// first calc (1<<(9-j))
mov r2, 9
sub r2, r2, r1
mov r3, 1
lsl r3, r2
push r3
// pushed r3 (1<<(9-j)) for next operation

// then do (x[m]+2*x[n])
mov r2, h3
ldrb r1, r2, r5
lsl r1, r1, 1
ldrb r3, r2, r4
add r0, r1, r3
pop r1
push r1
// save the (1<<(9-j)) again
// now we have (x[m]+2*x[n]) in r0 and (1<<(9-j)) in R1
// divide them
push r0, r1, r2, r3, r4, r5, r7
bl @n_divide
mov r6, r0
pop r0, r1, r2, r3, r4, r5, r7
// done
// now we have y in r6

// now do (x[m]+2*x[n]) % (1<<(9-j))
// do (2*x[m]+x[n])
ldrb r1, r2, r4
lsl r1, r1, 1
ldrb r3, r2, r5
add r0, r1, r3
pop r1
// and get the saved (1<<(9-j))
// now we have (2*x[m]+x[n]) in r0 and (1<<(9-j)) in R1
// divide them
push r0, r1, r2, r3, r4, r5, r6
bl @n_divide
mov r7, r0
pop r0, r1, r2, r3, r4, r5, r6
// now we have z in r7
// get our 2 saved registers because we need them

pop r0, r1

// here we will set x[m] to the values in the tables j,y
push r0, r1, r2, r3, r4, r5, r6, r7
mov r0, r1
mov r1, r6
bl @own_a3a8_get_table
mov r1, h3
strb r0, r1, r4
pop r0, r1, r2, r3, r4, r5, r6, r7
// done

// here we will set x[n] to the values in the tables j,z
push r0, r1, r2, r3, r4, r5, r6, r7
mov r0, r1
mov r1, r7
bl @own_a3a8_get_table
mov r1, h3
strb r0, r1, r5
pop r0, r1, r2, r3, r4, r5, r6, r7
// done

pop r2, r3
// substitution done
add r3, 1
b @next_substl
@skip_substl:

add r2, 1
b @next_substk
@skip_substk:

add r1, 1
b @next_subst
@skip_subst:

push r0
cmp r0, 8
bge @no_permut

// alloc 32 bytes for x_bak
mov r0, 0x20
bl @n_malloc

// copy 32 bytes from x to x_bak
push r0, r1
mov r1, h3
mov r2, 0x20
bl @n_memcpy
pop r0, r1
mov r1, r0
// now x_bak is in r1

mov r2, 0
@next_permut:
cmp r2, 0x10
beq @skip_permut

// x[j+16] = 0
mov r7, h3
mov r4, 0
mov r6, 0x10
add r5, r2, r6
strb r4, r7, r5
// done

mov r4, 0
@next_nibbling:
cmp r4, 8
beq @skip_nibbling
// nibble bytes
// calc nextbit = ((8*j+k)*17) % 128
push r0, r1, r2, r3, r4, r5, r6
lsl r6, r2, 3
add r0, r6, r4
mov r1, 0x11
bl @own_mul
mov r1, 0x7f
and r0, r1
mov r7, r0
pop r0, r1, r2, r3, r4, r5, r6
// nextbit is in r7
// perform get bit[nextbit]
push r0, r1, r2, r3, r4, r5, r6

push r1
mov r0, r7
mov r1, 4
bl @n_divide
mov r3, r1
pop r1

ldrb r7, r1, r3
mov r2, 3
sub r2, r2, r0
lsr r7, r2
mov r0, 1
and r7, r0
pop r0, r1, r2, r3, r4, r5, r6
// the bit[nextbit] is in R7
// do bit[nextbit] << (7-k)
mov r5, 7
sub r5, r5, r4
lsl r7, r5
// result is in R7
// now OR it with x[j+16]
mov r3, h3
mov r5, 0x10
add r5, r5, r2
ldrb r6, r3, r5
orr r6, r7
strb r6, r3, r5
// jippieeee...
add r4, 1
b @next_nibbling
@skip_nibbling:
add r2, 1
b @next_permut
@skip_permut:
push r0, r1, r2, r3, r4, r5, r6, r7
mov r0, r1
bl @n_free
pop r0, r1, r2, r3, r4, r5, r6, r7
@no_permut:
pop r0

add r0, 1
b @next_loop
@skip_loop:



// now combine the nibbles to the simoutput string

mov r0, h2
mov r1, h3

mov r2, 0
@next_sres:
cmp r2, 4
beq @skip_sres
lsl r3, r2, 1
ldrb r4, r1, r3
add r3, 1
ldrb r5, r1, r3
lsl r4, r4, 4
orr r4, r5
strb r4, r0, r2
add r2, 1
b @next_sres
@skip_sres:

mov r2, 0
@next_kc:
cmp r2, 6
beq @skip_kc
lsl r3, r2, 1
add r3, 0x12
ldrb r4, r1, r3
add r3, 1
ldrb r5, r1, r3
add r3, 1
ldrb r6, r1, r3
lsl r4, r4, 6
lsl r5, r5, 2
lsr r6, r6, 2
orr r4, r5
orr r4, r6
mov r3, r2
add r3, 4
strb r4, r0, r3
add r2, 1
b @next_kc
@skip_kc:

mov r2, 0x1e
ldrb r4, r1, r2
add r2, 1
ldrb r5, r1, r2
lsl r4, r4, 6
lsl r5, r5, 2
orr r4, r5
mov r2, 0x0a
strb r4, r0, r2

mov r2, 0x0b
mov r4, 0x00
strb r4, r0, r2

mov r0, h3
bl @n_free
bl @enable_irq

pop r3, r4, r5, r6
mov h0, r3
mov h1, r4
mov h2, r5
mov h3, r6

pop r0, r1, r2, r3, r4, r5, r6, r7, lr
.endsub

///////////////////////////////////////////

cool. here is the boss speaking :o

@g3gg0

@imsi:
dd 08deadbe
dd efdeadbe
dd efffffff



i assume this values should be used to replace imsi, for example

if imsi is 0812 3456 7890 1234 56

we should use

@imsi:
dd 08123456
dd 78901234
dd 56FFFFFF


right?

how about ki?



and why in armada code is stopped when applying the patch?




i only see



// Armada v2.0
// Development release compiled:
// 23:26:53, Jun 28 2003


function func_mul =
{
"own_mul",
.....
.....
18,
0
};


function func_a3a8_hack =
{
"own_a3a8_hack",
....
....
32,
0

Code was patched successfully

};






ps. i am using a 3310 v5.79 flash becouse as u told it was old, so i assume should be this one


PS: NOKDOC RULEZ :D

if we have no free space in eeprom, maybe we could hardcode the data that we input at patching stage (using some encryption algo :) or without that). Of course a little unsecure, but its still an issue.

BTW, i have a SIM reader and cards that give their KI and IMSI. (in fact i have already that stuff scanned). If there's any flash i could test it.

grreeetz

just arrived.

i have reader too.

how can we make this patch by g3gg0 work?

i dont understand it very well

see u

Mr. G3gg0,

It injects a hook at 0000.F2CC, and it points to new added data at 0012.D15C, supposed to be freemcu.

Those addresses not look logical for the 3310 to me.

So, please help me help Mr. Crux. :)

NokDoc

Hmmm, you say it's so simple? Maybe I could write a script for NokiX. But I need explanations what we are talking here about. We speak of a virtual SIM card inside phone's memory, yes? And what is this IMSI and KI numbers anyway? And what will happen if we try to add a contact to virtual sim placed in flash memory?

imsi and ki are 2 unique values needed to identify the simcard.

u can read those values with a card reader. if u search in sim clone area u will get more info

i have a lot of valid imsi and ki here

i can give u one. catch ya on icq ;)

hmh i think i did it for some 3310, but which version... i really dont know anymore

the routines to hook are:

- "get IMSI from SIM"
- "get A3A8 ciphered response"

im not sure about the TMSI but i think if the phone couldnt identify using TMSI and Ki repsonse,
it will try again with IMSI and Ki resp...
so imho its enough to patch these 2 routines :)


this code is in g3n0lite source (as the above code is too but nobody realized):



if ( do_comp128 )
{

own_mul = asm_create_function ( base, func_mul );
own_comp128_table_0 = asm_create_function ( base, func_comp_t0 );
own_comp128_table_1 = asm_create_function ( base, func_comp_t1 );
own_comp128_table_2 = asm_create_function ( base, func_comp_t2 );
own_comp128_table_3 = asm_create_function ( base, func_comp_t3 );
own_comp128_table_4 = asm_create_function ( base, func_comp_t4 );
own_comp128_tables = asm_create_function ( base, func_comp_t );
own_a3a8_get_table = asm_create_function ( base, func_comp_get_tbl );
own_a3a8 = asm_create_function ( base, func_a3a8 );
own_run_comp128 = asm_create_function ( base, func_run_comp128 );
own_get_imsi = asm_create_function ( base, func_get_imsi );
if ( !asm_inject_bl ( base, (void*)((unsigned long)0x8b01a), own_get_imsi ) )
fatal ( "could not inject BL to own_get_imsi at get_imsi\n", 0 ); //3310
/* if ( !asm_inject_bl ( base, (void*)((unsigned long)0x66a2c), own_get_imsi ) )
fatal ( "could not inject BL to own_get_imsi at get_imsi\n", 0 ); //5110*/
}




and:


function func_comp_t0 = {
"own_comp128_table_0",
"\x66\xB1\xBA\xA2\x02\x9C\x70\x4B\x37\x19\x08\x0C\xFB\xC1\xF6\xBC"
"\x6D\xD5\x97\x35\x2A\x4F\xBF\x73\xE9\xF2\xA4\xDF\xD1\x94\x6C\xA1"
"\xFC\x25\xF4\x2F\x40\xD3\x06\xED\xB9\xA0\x8B\x71\x4C\x8A\x3B\x46"
"\x43\x1A\x0D\x9D\x3F\xB3\xDD\x1E\xD6\x24\xA6\x45\x98\x7C\xCF\x74"
"\xF7\xC2\x29\x54\x47\x01\x31\x0E\x5F\x23\xA9\x15\x60\x4E\xD7\xE1"
"\xB6\xF3\x1C\x5C\xC9\x76\x04\x4A\xF8\x80\x11\x0B\x92\x84\xF5\x30"
"\x95\x5A\x78\x27\x57\xE6\x6A\xE8\xAF\x13\x7E\xBE\xCA\x8D\x89\xB0"
"\xFA\x1B\x65\x28\xDB\xE3\x3A\x14\x33\xB2\x62\xD8\x8C\x16\x20\x79"
"\x3D\x67\xCB\x48\x1D\x6E\x55\xD4\xB4\xCC\x96\xB7\x0F\x42\xAC\xC4"
"\x38\xC5\x9E\x00\x64\x2D\x99\x07\x90\xDE\xA3\xA7\x3C\x87\xD2\xE7"
"\xAE\xA5\x26\xF9\xE0\x22\xDC\xE5\xD9\xD0\xF1\x44\xCE\xBD\x7D\xFF"
"\xEF\x36\xA8\x59\x7B\x7A\x49\x91\x75\xEA\x8F\x63\x81\xC8\xC0\x52"
"\x68\xAA\x88\xEB\x5D\x51\xCD\xAD\xEC\x5E\x69\x34\x2E\xE4\xC6\x05"
"\x39\xFE\x61\x9B\x8E\x85\xC7\xAB\xBB\x32\x41\xB5\x7F\x6B\x93\xE2"
"\xB8\xDA\x83\x21\x4D\x56\x1F\x2C\x58\x3E\xEE\x12\x18\x2B\x9A\x17"
"\x50\x9F\x86\x6F\x09\x72\x03\x5B\x10\x82\x53\x0A\xC3\xF0\xFD\x77"
"\xB1\x66\xA2\xBA\x9C\x02\x4B\x70\x19\x37\x0C\x08\xC1\xFB\xBC\xF6"
"\xD5\x6D\x35\x97\x4F\x2A\x73\xBF\xF2\xE9\xDF\xA4\x94\xD1\xA1\x6C"
"\x25\xFC\x2F\xF4\xD3\x40\xED\x06\xA0\xB9\x71\x8B\x8A\x4C\x46\x3B"
"\x1A\x43\x9D\x0D\xB3\x3F\x1E\xDD\x24\xD6\x45\xA6\x7C\x98\x74\xCF"
"\xC2\xF7\x54\x29\x01\x47\x0E\x31\x23\x5F\x15\xA9\x4E\x60\xE1\xD7"
"\xF3\xB6\x5C\x1C\x76\xC9\x4A\x04\x80\xF8\x0B\x11\x84\x92\x30\xF5"
"\x5A\x95\x27\x78\xE6\x57\xE8\x6A\x13\xAF\xBE\x7E\x8D\xCA\xB0\x89"
"\x1B\xFA\x28\x65\xE3\xDB\x14\x3A\xB2\x33\xD8\x62\x16\x8C\x79\x20"
"\x67\x3D\x48\xCB\x6E\x1D\xD4\x55\xCC\xB4\xB7\x96\x42\x0F\xC4\xAC"
"\xC5\x38\x00\x9E\x2D\x64\x07\x99\xDE\x90\xA7\xA3\x87\x3C\xE7\xD2"
"\xA5\xAE\xF9\x26\x22\xE0\xE5\xDC\xD0\xD9\x44\xF1\xBD\xCE\xFF\x7D"
"\x36\xEF\x59\xA8\x7A\x7B\x91\x49\xEA\x75\x63\x8F\xC8\x81\x52\xC0"
"\xAA\x68\xEB\x88\x51\x5D\xAD\xCD\x5E\xEC\x34\x69\xE4\x2E\x05\xC6"
"\xFE\x39\x9B\x61\x85\x8E\xAB\xC7\x32\xBB\xB5\x41\x6B\x7F\xE2\x93"
"\xDA\xB8\x21\x83\x56\x4D\x2C\x1F\x3E\x58\x12\xEE\x2B\x18\x17\x9A"
"\x9F\x50\x6F\x86\x72\x09\x5B\x03\x82\x10\x0A\x53\xF0\xC3\x77\xFD",
512
};

function func_comp_t1 = {
"own_comp128_table_1",
"\x13\x0B\x50\x72\x2B\x01\x45\x5E\x27\x12\x7F\x75\x61\x03\x55\x2B"
"\x1B\x7C\x46\x53\x2F\x47\x3F\x0A\x2F\x59\x4F\x04\x0E\x3B\x0B\x05"
"\x23\x6B\x67\x44\x15\x56\x24\x5B\x55\x7E\x20\x32\x6D\x5E\x78\x06"
"\x35\x4F\x1C\x2D\x63\x5F\x29\x22\x58\x44\x5D\x37\x6E\x7D\x69\x14"
"\x5A\x50\x4C\x60\x17\x3C\x59\x40\x79\x38\x0E\x4A\x65\x08\x13\x4E"
"\x4C\x42\x68\x2E\x6F\x32\x20\x03\x27\x00\x3A\x19\x5C\x16\x12\x33"
"\x39\x41\x77\x74\x16\x6D\x07\x56\x3B\x5D\x3E\x6E\x4E\x63\x4D\x43"
"\x0C\x71\x57\x62\x66\x05\x58\x21\x26\x38\x17\x08\x4B\x2D\x0D\x4B"
"\x5F\x3F\x1C\x31\x7B\x78\x14\x70\x2C\x1E\x0F\x62\x6A\x02\x67\x1D"
"\x52\x6B\x2A\x7C\x18\x1E\x29\x10\x6C\x64\x75\x28\x49\x28\x07\x72"
"\x52\x73\x24\x70\x0C\x66\x64\x54\x5C\x30\x48\x61\x09\x36\x37\x4A"
"\x71\x7B\x11\x1A\x35\x3A\x04\x09\x45\x7A\x15\x76\x2A\x3C\x1B\x49"
"\x76\x7D\x22\x0F\x41\x73\x54\x40\x3E\x51\x46\x01\x18\x6F\x79\x53"
"\x68\x51\x31\x7F\x30\x69\x1F\x0A\x06\x5B\x57\x25\x10\x36\x74\x7E"
"\x1F\x26\x0D\x00\x48\x6A\x4D\x3D\x1A\x43\x2E\x1D\x60\x25\x3D\x34"
"\x65\x11\x2C\x6C\x47\x34\x42\x39\x21\x33\x19\x5A\x02\x77\x7A\x23",
256
};

function func_comp_t2 = {
"own_comp128_table_2",
"\x34\x32\x2C\x06\x15\x31\x29\x3B\x27\x33\x19\x20\x33\x2F\x34\x2B"
"\x25\x04\x28\x22\x3D\x0C\x1C\x04\x3A\x17\x08\x0F\x0C\x16\x09\x12"
"\x37\x0A\x21\x23\x32\x01\x2B\x03\x39\x0D\x3E\x0E\x07\x2A\x2C\x3B"
"\x3E\x39\x1B\x06\x08\x1F\x1A\x36\x29\x16\x2D\x14\x27\x03\x10\x38"
"\x30\x02\x15\x1C\x24\x2A\x3C\x21\x22\x12\x00\x0B\x18\x0A\x11\x3D"
"\x1D\x0E\x2D\x1A\x37\x2E\x0B\x11\x36\x2E\x09\x18\x1E\x3C\x20\x00"
"\x14\x26\x02\x1E\x3A\x23\x01\x10\x38\x28\x17\x30\x0D\x13\x13\x1B"
"\x1F\x35\x2F\x26\x3F\x0F\x31\x05\x25\x35\x19\x24\x3F\x1D\x05\x07",
128
};

function func_comp_t3 = {
"own_comp128_table_3",
"\x01\x05\x1D\x06\x19\x01\x12\x17\x11\x13\x00\x09\x18\x19\x06\x1F"
"\x1C\x14\x18\x1E\x04\x1B\x03\x0D\x0F\x10\x0E\x12\x04\x03\x08\x09"
"\x14\x00\x0C\x1A\x15\x08\x1C\x02\x1D\x02\x0F\x07\x0B\x16\x0E\x0A"
"\x11\x15\x0C\x1E\x1A\x1B\x10\x1F\x0B\x07\x0D\x17\x0A\x05\x16\x13",
64
};

function func_comp_t4 = {
"own_comp128_table_4",
"\x0F\x0C\x0A\x04\x01\x0E\x0B\x07\x05\x00\x0E\x07\x01\x02\x0D\x08"
"\x0A\x03\x04\x09\x06\x00\x03\x02\x05\x06\x08\x09\x0B\x0D\x0F\x0C",
32
};

function func_comp_t = {
"own_comp128_tables",
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x00\x00\x00\x00",
20,
0,
{ 0 },
{ NULL },
5,
{ 0, 4, 8, 0x0c, 0x10 },
{ &own_comp128_table_0, &own_comp128_table_1, &own_comp128_table_2, &own_comp128_table_3, &own_comp128_table_4 },
{ 0, 0, 0, 0, 0 }
};




function func_comp_get_tbl =
{
"own_a3a8_get_table",
"\xB5\x06\x00\x80"
"\x4A\x01\x58\x12"
"\x5C\x50\xBD\x06"
"\x00\x00\x00\x00",
16,
0,
{ 0 },
{ NULL },
1,
{ 0x0C },
{ &own_comp128_tables },
{ 0 }
};

Is it posible to create sim-scaner in 3310 for search Ki of SIM?

Is it posible to create sim-scaner in 3310 for search Ki of SIM?

Theorically, using MADos - yes. we have routine to work with SIM card. we can find algo for calculating KI (there's a good thread for learning that on one good forum).

But first of all we need, that MADos don't turn off after 4063 seconds! Otherwise, everything we had calculated will disappear and as most of the cards have a limit of running A38 algorythm from 10000 till 65000 and as the processor of Nokia is not very fast, we will loose those steps everytime as MADos is rebooted!!!


grrreetz

Any new ideas?

Any new ideas?

flash file map is initialized somewhere in MCU just like what is being done when we are relocating PPM to the end of the file.

Could it be that we can increase eeprom size by moving PPM a little farther upwards, by changing MCU initialization tables for "PPM end"(including the last 6 bytes) and "eeprom start addresses". Then we'd be able to read and write like we do in normal eeprom from lets say 0x001C0000 to 0x001D0000, that would be 64kb and is enough to accommodate our much needed eeprom space. (of course its just a thought, i just hope i'd share my idea...)

@Set
That is some good thinking, that way we would heave heaps of free eeprom space (not only for this idea, but other patches too) :-D

@g3gg0
I noticed hehe :P
(The whole algo in C code is also in a link on ur site) ;)

It is true
In theory we could just move the Eeprom
All the eeprom addresses are relative as the eeprom table is just like an addition table (although a little more complex)

I think the best person to ask is the doctor of nokia (NokDoc)
He has dealt a lot with eeprom stuff and taught me quite a bit ;)

regards,
Danny

about eeprom space. a 3410 has pmm which has a lot of free space. 180 k of java (but you can put more using pmm edit- i put about 320k of java). so maybe someone can make sim emulation for 3410??

It does work.. Its really very similar to what the project Z team did to 8210 firmware. the only difference is its done in eeprom. I'll try to post flash tommorow. Got 1 problem though... When I press *#0000# or *#06#, I get an SMS ascending tone even when there's no message... Gez I screwed it up when I replaced all references of 003D0000 with the new eeprom start address.

Lets hope yak can write a script in increasing eeprom space
We'll also need those config id's to work with virtual sims' settings

And maybe sir nokdoc has those hidden magic up his sleeve about eeprom reversing (never seen his magic fail) (his solution for 7 bars nimh batt works great on my 3310 too-respect goes to you doc)

Sir g3gg0 has the code...

We do have great nfree support team and beta testers

I can cheer.. :D

group hug!!!

Any news? Anybody tryed to do Sim-Emu in Nokia software?

I don't get the idea of increasing eeprom space. I know we can have one 64k block for our selfes in 3310. The problem is: when we get it filled with our stuff we will have to erase it to write something new and this way we will loose everything already stored. Nokia uses TWO 64k blocks to emulate eeprom. When one get filled the other is erased and the values are flashed there. When the other gets filled the first one is erased. This way all previously written values are safe. Both blocks are scanned during power up and latest values are transfered to special RAM buffer from where they are then read by many routines. This buffer is only 0x4800 long in 3310 and this is our limitation. We also cannot have two 64k blocks free I think. So, I still don't know where can we get free eeprom-alike space to save second sim.

Hi,

>> The problem is: when we get it filled with our stuff...

I suggest U all think too complex.

According to Mr. G3's demo it would be sufficient to have just a tiny of info to be able to run the phone without sim.

Therefore epr size is not the limit.

In my experiment I took my imei/ sec imei data and put it into mcu somewhere.

We supposed to do the same with these values Mr. G3 mentioned.

NokDoc

@ NokDoc

maybe you're right but this way we will "waste" the rest of 64k space. but it's not bad, after all we can't have everything :)

on the other hand i've looked at PMM sections lately. in 3310 they are used to keep voice tags, each has 8kb, together take one flash block (64k). i wonder how they are flashed so the other 7 are not destroyed...

Hey..

First to say, thanks for the idea\suggestion.
I would like to help when there is enough information, or if someone can fill me in because i never really worked with nokia's flash files. I have experience with C++, but rather use Delphi (Pascal), and as i know Nokix was written with the use of this IDE too, so i'd rather use that (for Windows programs ofcourse).. I also know the basics of asm (the basic operators), but i've only used it to make Windows programs.. Anyway, i don't know much more about flash files than that they are devided into MCU, PPM and EEPROM, the latter being the read-write memory.

Ok anyway what i wanted to say was, i think it would be best to do things in the following order (as far as i can understand, ki is calculated from some data read from the card. is the length of the data required long? if yes then 2.\3. wouldn't work very well)
1. debug and modify g33g0's code so it'd work on a hard-coded imsi\ki
2. make a program for the PC (like for Windows), to calculate ki from given data (not read using a sim card reader)
3. modify mados (i guess that'd be the easiest option) to read imsi and data needed to calculate ki, and display that data. The user could then copy (by retyping) this data to the program made in 2. This would avoid having to buy a SIM card reader, since it can be costly.
4. modify mados to be able to calculate ki too, especially if the data needed for ki is very long.
5. make g33g0's code read\write the imsi and ki somewhere to use it (this isn't needed that much, since people could always modify the script and insert the proper imsi\ki before flashing to phone.. you probably don't change numbers every day)

This is only my view on it, and since i don't fully understand certain things (especially how ki is calculated), it may appear totally wrong.

I am very intrigued by the idea anyway, so i'd be glad to help if possible.

Just a thought there: the IMSI and KI are there for a reason, that means they probably are used at some time (like sent to the network or something). I mean, i don't get it if it takes so much processing power for calculating KI, then how is it used anyway? What i'm thinking is, that since these values are there to be used, they have to be used somehow.. And if they are, you could probably just add a call to a function that would save it to eepromright after the call that does whatever the phone is meant to do with these values. Then you'd just add a menu or something, that would display it, just like some modded flashes do it for IMEI.
It's very much possible i didn't get this right, but i hope i did though.