nok5rev
25-12-2005, 10:18 AM
----------------------------------
DCT4Crypter
----------------------------------
by nok5rev & g3gg0
_______________________________________________________
Yes, this package contains the necessary routines and
even some apps to decrypt DCT4 FlashFiles and also to
encrypt again after you applied some changes. We must
admit, this stuff is not "hot" anymore - it was coded
in about 2 months between 01/2004 and 03/2004. That's
now nearly 2 years. But it still should be a somewhat
interesting X-Mas present for all the GSM-Modders out
there...
_______________________________________________________
Why this was done?
-----------------------
Why? I think it was just fun :)
But I don't remember anymore which of us had the idea
to start analyzing the encryption algorithm.
I just remember that we both suddenly sat in front of
many bits (really MANY!) and stared at them to
find out how the data was encrypted.
How this was done?
-----------------------
Heh, just open your notepad.exe, paste some 100
lines of 11001001 10101010 11100100 11100001...
and you know what we've done in these 2 months ;)
We didn't have any access to the flash device,
MCU or RAM, nor did we use any (Java-)Exploit floating
around. We didn't even have any of these DCT4 devices
at this point. This was simply done by looking at
about 20 different flash files.
Who did this?
-----------------------
This was all done by nok5rev and g3gg0. We both spent
about the same amount of time on this stuff and
both helped each other in finding out the necessary
bits for decoding. But we also got a little help from
kodo (thanks for the auto basevalue finder).
What can I do with it?
------------------------
Generally you should now be able to en/decrypt the DCT4
FlashFiles used in "standard" DCT4 devices. Standard
DCT4 devices means any 6310, 8310, ...., 6610, 7250
and so on. TIKU devices like the 6230, 6230i or even
Symbian devices are _NOT_ supported.
The first DCT4 devices still had encrypted PPMs, but
Nokia switched to non-encrypted ones for obvious
security reasons.
So don't wonder when some people already have modded
3510i handsets which just have some graphics changed.
It's the standard PPM structure that was also used in
DCT3 phones. Unfortunately there's a little difference
that causes most tools to crash or make mistakes.
However, the MCU files are still encrypted ;)
The FlashFiles all have the same encryption method;
they just differ in a (we call it) basevalue, which is
just a simple XOR parameter. When decrypting, the
programs spit out the basevalue, which you normally don't
need. The tools remember the value and ask you for the file
that should be encrypted again (or they use a predefined
filename).
Will modding work?
-----------------------
After you re-encrypted a modified FlashFile you can
flash it, but your phone won't power on. Why?
We didn't track that down very deep, but when removing
the "Claudia" sequence in the flash header it will work
at least with the wrong "FAID" - that means it resets
after some time :)
But please make sure you have a working, original file
flashed before you write a modded file with disabled Claudia.
Claudia is the tag in the flash header starting with
D3 40 and the 0x40 bytes coming after that. Just FF the
0x40 bytes behind the tag.
-> D3 40 [0x40 bytes Claudia]
replace with
-> D3 40 [0x40 times FF]
Okay that's it :)
We've flashed our phones (which we got after reversing the encryption)
several times - even with faulty Claudia and FAID - without any
bigger problem.
So, if you turn your phone into a brick, don't blame us...
... it's your fault! ;)
Thanks to:
------------------------
Kodo
B.
U.
Oh, and if you plan to integrate this code into your commercial
products... ...unfortunately we can't do anything against it :(
But if you do so, _please_ be so kind and reward our work with
sending a license/sample of your program/device to either
nok5rev or g3gg0 - thanks!
Enjoy this stuff as much as we enjoyed coding it :)
Best Regards,
nok5rev/g3gg0
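The post describes the "Claudia" header block as the bytes following a D3 40 tag, 0x40 bytes long, and notes that modded images only boot when that block has been overwritten with FF (after which the FAID check still makes the phone reset). The check below is an added example, not part of the DCT4Crypter package or the authors' tools: it locates the tag in a flash image and classifies the block as present, blanked or missing, which is the first thing you would want when deciding whether a dumped or downloaded image is an untouched original or one patched this way. The search region (first 4 KiB), the rule of taking the first D3 40 occurrence, and the sample image bytes are assumptions made for this example; the post only states the tag bytes and the block length.

```python
# Added example: Claudia-block tamper check for a DCT4-style flash image.
# Not code from DCT4Crypter. Facts taken from the post: tag bytes D3 40,
# followed by a 0x40-byte block that modders blank to FF.
# Assumptions (not in the post): the tag is the first D3 40 inside the
# header, and the header lies within the first 4 KiB of the file.
import sys
from typing import Optional

CLAUDIA_TAG = b"\xd3\x40"
CLAUDIA_LEN = 0x40           # block length after the tag, per the post
HEADER_SCAN_LIMIT = 0x1000   # assumption: the tag sits in the leading header region


def find_claudia_tag(image: bytes) -> Optional[int]:
    """Offset of the first D3 40 tag within the header region, or None."""
    pos = image.find(CLAUDIA_TAG, 0, HEADER_SCAN_LIMIT)
    return pos if pos >= 0 else None


def find_claudia(image: bytes) -> Optional[int]:
    """Offset of the first byte of the 0x40-byte Claudia block, or None when
    the tag is absent or the file ends before the block is complete."""
    pos = find_claudia_tag(image)
    if pos is None:
        return None
    start = pos + len(CLAUDIA_TAG)
    if start + CLAUDIA_LEN > len(image):
        return None
    return start


def claudia_state(image: bytes) -> str:
    """Classify the block: 'missing' (no tag), 'truncated' (tag but short file),
    'blanked' (all 0xFF, the modders' patch) or 'present' (any other content)."""
    if find_claudia_tag(image) is None:
        return "missing"
    start = find_claudia(image)
    if start is None:
        return "truncated"
    block = image[start:start + CLAUDIA_LEN]
    return "blanked" if block == b"\xff" * CLAUDIA_LEN else "present"


def make_sample(blanked: bool) -> bytes:
    """Constructed sample header for this example: 0x20 bytes of filler,
    the D3 40 tag, a 0x40-byte block, then more filler. The block content is
    made up; a real image carries whatever Nokia placed there."""
    block = b"\xff" * CLAUDIA_LEN if blanked else bytes(range(0x10, 0x10 + CLAUDIA_LEN))
    return b"\x00" * 0x20 + CLAUDIA_TAG + block + b"\xa5" * 0x100


if __name__ == "__main__":
    # Usage: python claudia_check.py <flashfile>; without an argument the
    # constructed samples are checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        print(f"{sys.argv[1]}: Claudia block {claudia_state(data)}")
    else:
        for flag in (False, True):
            print(f"sample(blanked={flag}): Claudia block {claudia_state(make_sample(flag))}")
```

Taking the first D3 40 in the header is the weak point of this check: the post does not say the tag is unique, so on a real image confirm the offset against a known-good file from the same model before trusting a "present"/"blanked" verdict.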