View Full Version : FLS protection by IMEI?



ShadoW2004
23-09-2005, 05:28 AM
Is it possible to protect an FLS file by making it depend on the IMEI?

icecoldbaby.
23-09-2005, 08:40 AM
> Is it possible to protect an FLS file by making it depend on the IMEI?

It is possible on DCT-3.

ShadoW2004
23-09-2005, 12:57 PM
@icecoldbaby

How can I do it?

icecoldbaby.
23-09-2005, 03:17 PM
> @icecoldbaby
>
> How can I do it?

I don't personally know, but I know a man who does, and I've also tried it and it works.

I will speak to him and see if he is willing to post it.

ShadoW2004
23-09-2005, 03:39 PM
> I don't personally know, but I know a man who does, and I've also tried it and it works.
>
> I will speak to him and see if he is willing to post it.

OK, thank you in advance!

mestrini
24-09-2005, 02:54 AM
> Is it possible to protect an FLS file by making it depend on the IMEI?

Can you explain what "making it depend on the IMEI" means?

I'm interested in this FLS protection as well, thanks.

ShadoW2004
24-09-2005, 05:54 AM
@mestrini

It means that if somebody downloads the FLS from my phone, he can't flash it into his phone... understand?

Sorry for my bad English...

icecoldbaby.
24-09-2005, 03:26 PM
The original flash has the original phone's IMEI written in the FLS file. When someone copies the FLS and tries to flash it to another phone, the original IMEI does not match the new one, so the flash locks and you need a ten-digit PIN to unlock it.

ShadoW2004
25-09-2005, 08:47 AM
@icecoldbaby

But what if you change the IMEI with an M-BUS cable and a program like DCT3 Repair Partner?
What ten-digit PIN do you mean?

icecoldbaby.
25-09-2005, 10:45 AM
> @icecoldbaby
>
> But what if you change the IMEI with an M-BUS cable and a program like DCT3 Repair Partner?
> What ten-digit PIN do you mean?

I don't know the full ins and outs; I didn't write it. I've just seen it work, but...
If you use M-BUS and change the IMEI, you change it in the phone, not in the flash. Once the flash IMEI does not match the phone IMEI, the flash locks and you need a ten-digit PIN to unlock it.

compuboy
25-09-2005, 05:20 PM
What if the user makes a FullBackup...

mestrini
25-09-2005, 08:04 PM
> What if the user makes a FullBackup...

Then you get the risk of having more than one phone with the same IMEI, and unless the country is different there can be a problem :-P

icecoldbaby.
25-09-2005, 09:21 PM
> Then you get the risk of having more than one phone with the same IMEI, and unless the country is different there can be a problem :-P

Don't know the full ins and outs, but I believe once locked the only way to unlock it is with the ten-digit PIN.

No two phones with the same IMEI can be used at once; one will have no signal.

squidgy45
25-09-2005, 09:27 PM
Just a note on the last post: a few years ago on a different forum we conducted an experiment. The result was that 30 phones were connected to the Orange network all using the same IMEI number, just to see what happened. Not only did they all get a signal, we even called each other on them!! They were left connected for a few days and they all remained active, so you can connect more than one phone to a UK network with the same IMEI number, in the UK at least!!

Steve

mestrini
25-09-2005, 10:34 PM
> Don't know the full ins and outs, but I believe once locked the only way to unlock it is with the ten-digit PIN.
>
> No two phones with the same IMEI can be used at once; one will have no signal.

Well, Steve got here first, as I was going to tell you about this test some users made :lol:

But what I think you meant was two SIM cards with the same number running at the same time; then only one will get a signal ;)

icecoldbaby.
26-09-2005, 09:17 AM
> Well, Steve got here first, as I was going to tell you about this test some users made :lol:
>
> But what I think you meant was two SIM cards with the same number running at the same time; then only one will get a signal ;)

I have tried it myself, and two phones with the same IMEI do not work. Try it yourself.

ShadoW2004
26-09-2005, 05:34 PM
I think it depends on the provider... some check IMEI and Ki + IMSI, others only Ki + IMSI...

@icecoldbaby

Can you ask that man who knows how to do it? (I mean the subject of this topic.) It is very important for me...

yak
26-09-2005, 09:03 PM
I think the best protection should be based on the Cobba ID. This cannot be changed.

NokDoc
27-09-2005, 04:47 PM
Hi,

Nokia expected protection too once...

I think the best protection is the fact that everyone uses tools.

E.g., changing your version string already makes a lot of tools go weird.

Then imagine when you get one bit changed in the fchk calc function.

No tool would ever be able to set the FAID then, unless you have the corresponding 'key' tool custom made for that file.

NokDoc

jigger
28-09-2005, 12:49 AM
Here's an old tool that "messes up the CRC table".
This may be of help.

ShadoW2004
28-09-2005, 07:44 AM
Is it possible to get the IMEI by software (script) and do some mathematical functions with it?

squidgy45
28-09-2005, 03:24 PM
Just to confirm mine and Mr. mestrini's earlier comments: I now have a D500 and a 3310 running on the same IMEI number, have connected to O2 and Orange, and both work fine simultaneously! Maybe we could retry the experiment on this forum on other networks to see if the networks have changed? If anyone is interested, send me a PM and I'll start a thread to arrange a time!

BR, Steve

icecoldbaby.
28-09-2005, 05:00 PM
> Just to confirm mine and Mr. mestrini's earlier comments: I now have a D500 and a 3310 running on the same IMEI number, have connected to O2 and Orange, and both work fine simultaneously! Maybe we could retry the experiment on this forum on other networks to see if the networks have changed? If anyone is interested, send me a PM and I'll start a thread to arrange a time!
>
> BR, Steve

I have two 3310s running on the same IMEI on O2, and only one has a signal.

mestrini
29-09-2005, 12:04 AM
> Is it possible to get the IMEI by software (script) and do some mathematical functions with it?

It's possible, but it requires a FUBU (MCU+PPM+EEP), so I think you should consider yak's proposal (maybe he's working on it by now ;) ), since you can read a phone's COBBA ID via an M-BUS cable and then create your own own_FAID_calc() that would prevent the flash from running on any other phone :-D

I would write the script myself, but I don't know the functions that read the COBBA ID :(

mestrini
29-09-2005, 12:08 AM
> Here's an old tool that "messes up the CRC table".
> This may be of help.

Thanks for the tool, m8 :) but this only prevents others from editing the flash, not from using it on any other phone, which I think is the motivation here.

dvirus666
29-09-2005, 12:54 AM
I may be a bit DUMB, but may I ask why.

If you are going to the level of protecting the flash so no one else can copy it, would it not be easier to not let any other people use your phone if you know they could make a backup, or in some cases not make your flash public?

But then you must remember that once it's in the flash, it would not be long before someone else could find a way to bypass the protection.

If you look back to when we all first started to try and crack the original firmware from the DCT3 phones... Now we can create almost anything we want, with some help from some great people. ;-)

ShadoW2004
29-09-2005, 06:08 AM
If we can get the IMEI and do some mathematical functions on it, we can generate an unlock code for using the FLS (it is like the trial protection in Symbian phones). For example, we can place a bit in EEPROM; it can be 0 or 1... if 0, then when the phone starts it shows a form for entering the unlock code and does nothing else (the phone gives no access to its functions); if we enter the right code, the 0 changes to 1 and all is good, we can work with the phone!!!! What do you say about my idea?
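An added example, not from this thread and not anyone's posted script: a C sketch of the scheme ShadoW2004 describes above, a 10-digit unlock code derived from the 14-digit IMEI body plus a lock flag that is cleared once the right code has been entered. The secret string, the FNV-1a mixing function, the EEPROM record layout and every function name are assumptions chosen for illustration; real DCT3 firmware exposes none of this in this form.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed: a secret baked into the patched firmware. Anyone who can read the
 * FLS can read this too, which is the weakness the thread keeps coming back to. */
static const char FW_SECRET[] = "example-secret-not-from-the-thread";

/* FNV-1a (64-bit) used as a cheap keyed mixing function. It is not a MAC; it
 * only illustrates "do some mathematical functions on the IMEI". */
static uint64_t fnv1a64(uint64_t h, const void *data, size_t len) {
    const uint8_t *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* 10-digit unlock code for a phone, computed from its 14-digit IMEI body
 * (the 15th IMEI digit is a check digit and adds nothing). */
uint64_t unlock_code_for(const char *imei14) {
    uint64_t h = 0xcbf29ce484222325ULL;            /* FNV offset basis */
    h = fnv1a64(h, FW_SECRET, strlen(FW_SECRET));
    h = fnv1a64(h, imei14, 14);
    return h % 10000000000ULL;                     /* keep 10 decimal digits */
}

/* Assumed EEPROM record: the phone's IMEI body plus the flag ShadoW2004
 * proposes (0 = locked, ask for the code; 1 = unlocked). */
typedef struct {
    char    imei14[15];   /* 14 digits + NUL */
    uint8_t unlocked;
} eeprom_t;

/* Boot-time gate. Returns 1 if the phone may continue booting, 0 if it must
 * stay on the code-entry screen. On the first correct code the flag is set
 * so the code is not asked for again. */
int boot_check(eeprom_t *ee, uint64_t entered_code) {
    if (ee->unlocked == 1)
        return 1;
    if (entered_code != unlock_code_for(ee->imei14))
        return 0;
    ee->unlocked = 1;   /* would be written back to EEPROM on real hardware */
    return 1;
}

/* Walk the flow once on a constructed IMEI body: a wrong code keeps the phone
 * locked, the right code unlocks it and sets the flag, after which no code is
 * needed. Returns 1 if every step behaved as intended. */
int lock_flow_ok(void) {
    eeprom_t ee = { "35123456789012", 0 };         /* constructed, not a real phone */
    uint64_t code  = unlock_code_for(ee.imei14);
    uint64_t wrong = (code + 1) % 10000000000ULL;
    if (boot_check(&ee, wrong) != 0 || ee.unlocked != 0) return 0;
    if (boot_check(&ee, code)  != 1 || ee.unlocked != 1) return 0;
    return boot_check(&ee, 0) == 1;                /* flag set: no code asked */
}

int main(void) {
    printf("unlock code for 35123456789012: %010llu\n",
           (unsigned long long)unlock_code_for("35123456789012"));
    printf("lock flow ok: %d\n", lock_flow_ok());
    return 0;
}
```

Two caveats the thread itself raises apply to this sketch: the derivation and FW_SECRET sit in the flash, so anyone with the FLS can compute the code for any IMEI, and a full backup taken after unlocking carries unlocked = 1 over to the next phone. Storing the IMEI that was unlocked instead of a bare bit would at least force the code prompt again after the IMEI changes.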

dvirus666
29-09-2005, 11:32 AM
I have already created a script that does something similar to this.

You enter your own 10-DIGIT SPECIAL UNLOCKING CODE via the NokiX parameters field. Then, when flashed to your phone, it will compare TWO memory blocks to see if the IMEI is the one stored in the EEPROM. If the BLOCKS are the same, then no SPECIAL CODE will be required and the phone will boot as normal, but if there is any difference between these blocks it will ask for the SPECIAL CODE.

But I stored the config in RAM. This way it will ask every time you boot the phone up.

I will post some screenshots later and hope to post the script for you to test out. But you must remember it is not 100% secure. There is a way round it if you know what to look for.

ShadoW2004
29-09-2005, 03:17 PM
@dvirus666

Good!!! Waiting for your screenshots and scripts!

dvirus666
29-09-2005, 04:47 PM
Here are the screenshots, I will try to post the script when I get back to my PC.

This is not my IMEI. It is just some number I changed to test the script.

yak
29-09-2005, 06:11 PM
@ dvirus666

If you have any problems storing config in EEPROM, please explain what kind of problems.

I have to say I'm impressed :D.

compuboy
29-09-2005, 07:14 PM
@dvirus666

First of all congratulations..


What if one creates a FullBackup of the phone and then flashes it on another...

I have seen that two phones with the same IMEI number are working very fine here.

Regards....

mestrini
30-09-2005, 12:23 AM
> I may be a bit DUMB, but may I ask why.
>
> If you are going to the level of protecting the flash so no one else can copy it, would it not be easier to not let any other people use your phone if you know they could make a backup, or in some cases not make your flash public?
>
> But then you must remember that once it's in the flash, it would not be long before someone else could find a way to bypass the protection.
>
> If you look back to when we all first started to try and crack the original firmware from the DCT3 phones... Now we can create almost anything we want, with some help from some great people. ;-)

Please remember that some may have commercial motivations (not that I agree with it, though :-P ), and not everyone has the knowledge to reverse it.

> What if one creates a FullBackup of the phone and then flashes it on another...
>
> I have seen that two phones with the same IMEI number are working very fine here.

Yep, that's why I said that yak's suggestion of using the COBBA ID is the safest.

compuboy
30-09-2005, 10:38 AM
@mestrini

Yeah, me too; I think the COBBA ID would be the ideal way to work.

Mr. yak, please throw some light on this topic.

regards

dvirus666
30-09-2005, 03:27 PM
@ yak:
I don't have any problems with storing it in the EEPROM; I just thought it would be better if stored in RAM so it checks on every boot-up.

@ compuboy:
As I don't post a FULL BACKUP, only the MCU & PPM for my mods, this would not affect me. But this is one of the problems when using the IMEI to protect the flash: too many duplicate IMEI numbers around the world.

@ mestrini:
The "commercial motivations" :x are the only reason I could see why this would be useful.

But anyway, here is the first script I wrote. This version does not contain a dialog for entering a CODE to unlock the flash.

Simply, if your IMEI does not match the IMEI found in the EEPROM, the phone will show

FIRMWARE
PROTECTION

and then switches off after 15 seconds.

Usage:
In the NokiX parameters field simply enter your IMEI number (only the first 14 digits are needed) and patch.
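An added example, not dvirus666's script and not from the original thread: the same IMEI check written in C the way it would sit in firmware. It validates the IMEI read from EEPROM with the Luhn check digit (which is why only the first 14 digits carry information), compares the 14-digit body against the value baked in at patch time, and also shows the gap compuboy and dvirus666 raise: a second phone carrying the same IMEI passes the check. The EEPROM record layout, the sample IMEIs and the function names are assumptions.

```c
#include <string.h>

enum { IMEI_LEN = 15, IMEI_BODY = 14 };

/* Luhn check digit over the 14-digit IMEI body: every second digit from the
 * left (positions 2, 4, ..., 14) is doubled, products of 10 or more are
 * reduced by 9, and the check digit makes the total a multiple of 10. */
int imei_check_digit(const char *body14) {
    int sum = 0;
    for (int i = 0; i < IMEI_BODY; i++) {
        int d = body14[i] - '0';
        if (i % 2 == 1) {
            d *= 2;
            if (d > 9) d -= 9;
        }
        sum += d;
    }
    return (10 - sum % 10) % 10;
}

/* 1 if imei is 15 ASCII digits whose last digit is the correct check digit. */
int imei_valid(const char *imei) {
    if (strlen(imei) != IMEI_LEN) return 0;
    for (int i = 0; i < IMEI_LEN; i++)
        if (imei[i] < '0' || imei[i] > '9') return 0;
    return imei[IMEI_BODY] - '0' == imei_check_digit(imei);
}

/* Assumed EEPROM record holding the phone's own IMEI (the real DCT3 EEPROM
 * layout is not reproduced here). */
typedef struct {
    char imei[IMEI_LEN + 1];
} eeprom_rec_t;

/* The boot-time gate. baked_imei14 is the value entered in the patcher's
 * parameter field when the FLS was built. Returns 1 = boot normally,
 * 0 = show FIRMWARE PROTECTION and power off. */
int firmware_allowed(const eeprom_rec_t *ee, const char *baked_imei14) {
    if (!imei_valid(ee->imei))
        return 0;                       /* unreadable or corrupt IMEI: refuse */
    return memcmp(ee->imei, baked_imei14, IMEI_BODY) == 0;
}

/* The weakness the thread points out: the check binds to the IMEI, not to the
 * hardware, so a second phone whose IMEI was rewritten (or a full backup
 * restored onto it) passes exactly like the original. Returns 1 when the
 * original and the clone are accepted and an unrelated phone is refused. */
int clone_passes_check(void) {
    const char *baked = "49015420323751";               /* constructed body */
    eeprom_rec_t original = { "490154203237518" };      /* constructed */
    eeprom_rec_t clone    = { "490154203237518" };      /* same IMEI, other phone */
    eeprom_rec_t other    = { "353456789012348" };      /* constructed, different IMEI */
    return firmware_allowed(&original, baked)
        && firmware_allowed(&clone, baked)
        && !firmware_allowed(&other, baked);
}
```

A byte-for-byte compare is fine here because nothing secret is involved; the IMEI is printed under the battery. What the check cannot do is tell two phones with the same IMEI apart, which is exactly why the thread turns to hardware identifiers next.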

compuboy
01-10-2005, 05:38 AM
@dvirus666

The script is asking for that 14-digit code every time the phone boots. It's difficult for a user to remember that 14-digit code every time.

According to me, it would be better if the check is done only the first time the phone boots, and if the check is successful then the code is not asked for next time.

The rest is up to you.

regards

dvirus666
01-10-2005, 11:40 AM
@ compuboy:
Are you sure? (I might have posted the wrong script :P ) This script should not ask for any code. It was just a TEST.
All that will be displayed is some text with YOUR IMEI number, then it switches off after some seconds.

Unless your IMEI is the same as the one you entered in the script while patching, it will show this text on screen.


Anyway, as I said before, it should only be used for testing, nothing else.

ShadoW2004
04-10-2005, 02:31 PM
What's new? ;-)

Kontact
05-10-2005, 05:14 AM
> Is it possible to protect an FLS file by making it depend on the IMEI?

What do you mean by this? So that no one can copy your flash?

Or that the flash will run on a specific IMEI only?

@yak

I did check those Cobba IDs a long time ago, and here is what I can recall.

E.g., for the 8210 all of them will have a Cobba ID of 0x33 (not so sure if this is the right value).
All 3310s will have Cobba ID 0x22.

That means the Cobba does not have a unique ID on each unit.

@nokdoc

Yes, that is one way of protecting your flash file from being copied to another unit. But fchk can be killed, though.

regards

yak
05-10-2005, 10:36 AM
@Kontact

Oh, that's odd. I was sure it is unique, but I haven't tried to calculate it myself yet. I'm just wondering why programs like NokTool by Rolis or DCT3RepairPartner by neb are showing me a 32-bit (or 24-bit?) Cobba ID.

Can someone compare this with a different 3310? I have only one.
Mine gives the following results (fchk killed):

PPM check: 00 00 00 00
Cobba ID: 00 61 A0 CD
Signature: AC AD AB 87

NokDoc
05-10-2005, 06:24 PM
Hi,

Albert, I think you confuse it with the phone ID byte.

Which value is needed to read the MSID via M-BUS.

Which again contained that Cobba ID and its check byte.

Which then was used along with fchk in the FAID calc.

Which then led to real, proper 'flash authorisation', the aim of the flash protection itself as Nokia imagined it.

Though fchk might look disabled, it's still an essential value in the FAID calc.

This, and the fact that besides the maker not many guys actually know how the FAID calc works, looks like quite a good protection to me.

Like Nokia added variations in its lock code calcs.

And without comparing material it was almost impossible to see what changed, just the fact that it was changed...

NokDoc

ShadoW2004
09-10-2005, 10:25 AM
@dvirus666

What's new?

Kontact
18-10-2005, 01:31 AM
> @Kontact
>
> Oh, that's odd. I was sure it is unique, but I haven't tried to calculate it myself yet. I'm just wondering why programs like NokTool by Rolis or DCT3RepairPartner by neb are showing me a 32-bit (or 24-bit?) Cobba ID.
>
> Can someone compare this with a different 3310? I have only one.
> Mine gives the following results (fchk killed):
>
> PPM check: 00 00 00 00
> Cobba ID: 00 61 A0 CD
> Signature: AC AD AB 87

Yes, you are right. But what I was trying to say is that if you use WinTesla and read the phone info, you will see what I mean.

I have no DCT3 to test on now to show you. But maybe some guys can try.

I think NokDoc is right. My memory is starting to fail now. ;-(

Anyway, I hope I did not confuse anyone.

regards

Kontact
18-10-2005, 01:44 AM
> Hi,
>
> Albert, I think you confuse it with the phone ID byte.
>
> Which value is needed to read the MSID via M-BUS.
>
> Which again contained that Cobba ID and its check byte.
>
> Which then was used along with fchk in the FAID calc.
>
> NokDoc

Hmm... I might be confused, since it was a long time ago. But to make the confusion short ;-) I was saying you can't use the Cobba ID to protect the flash.

Yes, you said it right about the FAID, which Nokia made as protection. But with the kill-FAID patch it totally wipes out the flash protection Nokia made.

And now some guys want to do better flash protection ;-) as dvirus666 said.

> But then you must remember that once it's in the flash, it would not be long before someone else could find a way to bypass the protection.


regards

reyer
03-12-2005, 10:48 PM
dvirus666, can you give me the source code of your script in C language?