DCT4Crypter & 7250i



indear
06-01-2006, 03:49 AM
Hi :-)

I'm trying some small changes in a 7250i firmware but the phone doesn't start..
(Claudia info set to 0xFF)

test1:
> full flash MCU+PPM (phone ok)
> flash patched MCU
> don't start

test2:
> flash MCU (phone ok)
> flash patched MCU
> don't start

test3:
> flash MCU (phone ok)
> flash patched MCU+PPM
> don't start

Has somebody been able to make a 7250i work with a patched MCU?

BR
indear

NOKMASTERgsm
10-01-2006, 05:17 AM
@indear

what did u do with the 7250i mcu? me i tried to create partial files and it works

br,
:)

g3gg0
11-01-2006, 12:41 AM
is the CLEAN MCU the SAME version as the one of the patched file?
and you are sure you replaced all 0x40 bytes after D340 with FFs?

i tested it just with 6610, nok5rev with 7250 afaik

im not absolutely sure, the 7250i will work but i think it will :)

indear
11-01-2006, 02:57 AM
@NOKMASTERgsm
expand radio frequency
(http://forum.gsmhosting.com/vbb/showthread.php?t=259671)

I need to change (in the decrypted flash):
offset      original       new
0x3865C8 00 01 A5 E0 => 00 01 D4 C0
0x3865CC 00 01 55 CC => 00 01 11 70
0x386760 00 01 A5 E0 => 00 01 D4 C0
0x386764 00 01 55 CC => 00 01 11 70

@g3gg0
yes, clean and patched MCU is the same version 5.41 and claudia info is set to 0xFF
original flash
0x95: D3 40 5B FB 27 ..... 0D 3A 77
patched flash
0x95: D3 40 FF FF FF ..... FF FF FF

:???:
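The four 32-bit replacements listed above are small, but g3gg0's first question ("are you sure the file size didn't change?") is the right one: a hex editor in insert mode, or a patch applied to the wrong image version, silently produces a file the phone will never accept. The following Python is an added example (not indear's tool or the project's code) of the safe way to apply such a list: every patch carries the bytes expected at the offset, the patcher refuses to write if they do not match, and the output is guaranteed to have the same length as the input. The image is constructed here with the expected bytes planted at the posted offsets; the mapping of those offsets to a real 7250i v5.41 image is not part of this example.

```python
"""Verify-before-write patcher for a decrypted firmware image.

Added example: applies a list of (offset, expected, replacement) patches and
refuses to touch the image if the expected bytes are not there or the sizes
differ. The patch list is the one posted above; the image is constructed.
"""

# (file offset, bytes expected at that offset, replacement bytes) as posted.
RADIO_PATCHES = [
    (0x3865C8, bytes.fromhex("0001A5E0"), bytes.fromhex("0001D4C0")),
    (0x3865CC, bytes.fromhex("000155CC"), bytes.fromhex("00011170")),
    (0x386760, bytes.fromhex("0001A5E0"), bytes.fromhex("0001D4C0")),
    (0x386764, bytes.fromhex("000155CC"), bytes.fromhex("00011170")),
]


class PatchError(Exception):
    """Raised when a patch does not fit the image it is applied to."""


def apply_patches(image: bytes, patches) -> bytes:
    """Return a patched copy of `image`; never changes its length."""
    buf = bytearray(image)
    for offset, expected, new in patches:
        if len(expected) != len(new):
            raise PatchError(f"offset 0x{offset:X}: replacement length differs, "
                             "this would change the file size")
        if offset + len(expected) > len(buf):
            raise PatchError(f"offset 0x{offset:X}: beyond end of image "
                             f"({len(buf)} bytes)")
        actual = bytes(buf[offset:offset + len(expected)])
        if actual != expected:
            # Wrong firmware version, already patched, or wrong offset.
            raise PatchError(f"offset 0x{offset:X}: found {actual.hex()}, "
                             f"expected {expected.hex()}")
        buf[offset:offset + len(new)] = new
    assert len(buf) == len(image)        # size must never change
    return bytes(buf)


def diff_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length images differ (empty if lengths differ)."""
    if len(a) != len(b):
        return []
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def make_sample_image(size: int = 0x390000) -> bytes:
    """Constructed stand-in for a decrypted MCU file: zero-filled with the
    expected original bytes planted at the posted offsets."""
    buf = bytearray(size)
    for offset, expected, _ in RADIO_PATCHES:
        buf[offset:offset + len(expected)] = expected
    return bytes(buf)


if __name__ == "__main__":
    original = make_sample_image()
    patched = apply_patches(original, RADIO_PATCHES)
    print("size unchanged:", len(patched) == len(original))
    print("bytes changed at:", [hex(o) for o in diff_offsets(original, patched)])
    try:
        apply_patches(patched, RADIO_PATCHES)   # second run must refuse
    except PatchError as e:
        print("refused:", e)
```

Running the script once reports exactly eight changed bytes (only A5 E0 / 55 CC differ from D4 C0 / 11 70); running the patcher a second time on the already patched image is refused, which is the behaviour you want when you are not sure which file you are holding.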

g3gg0
12-01-2006, 02:40 AM
hmh sounds strange...

are you sure, the file size didnt change after editing?

try to dump the flash and reencrypt it.
then compare the newly created one with the original file
is there any difference?

indear
12-01-2006, 12:53 PM
yes, it is really strange..

the file has the same size


> try to dump the flash and reencrypt it.
> then compare the newly created one with the original file
read the patched flash from the phone and encrypt it? is that correct?

and one question, claudia info is only the flash checksum or contain more info?

:)

update:
added an image with a comparison of the patched MCU (decrypted) and the flash read from the phone (decrypted) :confused:

g3gg0
13-01-2006, 02:06 AM
please send the ORIGINAL flash file to: [email protected]
i will have a look at it....


oh by the way..
you have to decrypt the original file and reencrypt the modded one
in the same program instance.....


this means:

- start CrypterX

=> serialize
#open ORIGINAL
#save SERIALIZED

=> decrypt
#open SERIALIZED
#save to DECRYPTED

[EDIT THIS DECRYPTED FILE]

=> encrypt
#open MODIFIED
#save ENCRYPTED

=> blockify
#open ENCRYPTED
#save FINAL_FLASH
#open ORIGINAL

- close CrypterX

indear
13-01-2006, 02:32 AM
file sent :)

edit:
ok I going to test ;)

g3gg0
13-01-2006, 02:38 AM
yup, just DL it

indear
13-01-2006, 03:12 AM
I flashed the result file and it doesn't work :(
(with claudia info set to FF)

I see a strange thing..
CryptDCT4 and decr generate the same files, and compared with the original files only
the patched bytes and the block check change

but CrypterX generates a very different file (using the same instance)

ex:
final file, offset 0x386f40
original = > 42 7C EB 8F AA CB 8F 47 - 64 F5 F0 F0 B7 6F DC 88
decr => 42 7C EB 8F AA CB 8F 3D - 6D F5 F0 BF B8 6F DC 88
cryptdct4 => 42 7C EB 8F AA CB 8F 3D - 6D F5 F0 BF B8 6F DC 88
crypterx => 4C 42 E5 B1 A4 F5 81 03 - 63 CB FE 81 B6 51 D2 B6

:o

g3gg0
13-01-2006, 01:59 PM
i wonder, if you really selected the files as i wrote in the last message,
especially in the blockify stage

but i expect a bug :-/
ill check that!

g3gg0
13-01-2006, 02:35 PM
CrypterX had a little bug that prevented correct encryption:

http://nokiafree.org/forums/showthread.php?p=379481&posted=1#post379481
http://www.gsmfreeboard.com/forum/showthread.php?p=756994


thanks indear, for finding out that :)
as u all know, i rarely use graphic tools, so i didnt realize that bug
after an API change ;)

deadspot
14-01-2006, 04:36 AM
check this link.....


http://www.tapgsm.com.ph/showthread.php?t=21802&page=3

Kontact
15-01-2006, 11:11 AM
> please send the ORIGINAL flash file to: [email protected]
> i will have a look at it....
>
> oh by the way..
> you have to decrypt the original file and reencrypt the modded one
> in the same program instance.....
>
> - close CrypterX

Hi, g3gg0

Yes, u r right.

as far as i can recall, your algo works great.

whether full mcu patched or partial patched files. both works great.

re: claudia. no need to 0xFF. and patching will work. but on 1100 and other newer model it will have network problem.

oh killing mcu chksum might help also.

regards

Kontact
15-01-2006, 11:27 AM
> file sent :)
>
> edit:
> ok I going to test ;)

if you still have problem. send me the decrypted file. and will chk.

[email protected]

regards

mestrini
15-01-2006, 12:32 PM
> oh killing mcu chksum might help also.


Can you hint how? :roll:

Kontact
15-01-2006, 12:57 PM
hi,

first of all thanks to nok5rev , g3gg0, nokdoc and friends. ;-)

8310v620 MCU
-----------------------------------------v Routine (2 calls)
2d1884 :b5f0 ╡≡ : PUSH { R4,R5,R6,R7, LR }
2d1886 :1c0c .. : MOV R4, R1
2d1888 :1c07 .. : MOV R7, R0
2d188a :49d4 I╘ : LDR R1, #01000100
2d188c :2500 %. : MOV R5, #0
2d188e :48d4 H╘ : LDR R0, #0150fa0c
2d1890 :4281 Bü : CMP R1, R0
2d1892 :d206 ╥. : BCS 2d18a2
2d1894 :1a40 .@ : SUB R0, R0, R1
2d1896 :1040 .@ : ASR R0, R0, #.1
2d1898 :880a ê. : LDRH R2, [R1, #0]
2d189a :1955 .U : ADD R5, R2, R5
2d189c :3102 1. : ADD R1, #2
2d189e :3801 8. : SUB R0, #1
2d18a0 :d1fa ╤· : BNE 2d1898
2d18a2 :4ed0 N╨ : LDR R6, #01000000 ('(╤H│ê')
2d18a4 :3626 6& : ADD R6, #26
2d18a6 :2001 . : MOV R0, #1
2d18a8 :06c0 .└ : LSL R0, R0, #.27
2d18aa :4306 C. : ORR R6, R0
2d18ac :f008fbd9: BL 2da062 (Routine (5 calls))
2d18b0 :2800 (. : CMP R0, #0
2d18b2 :d102 ╤. : BNE 2d18ba
2d18b4 :8830 ê0 : LDRH R0, [R6, #0]
2d18b6 :8020 Ç : STRH R0, [R4, #0]
2d18b8 :e009 α. : B 2d18ce
2d18ba :f001ff59: BL 2d3770 (Routine (163 calls))
2d18be :f008fba2: BL 2da006 (Routine (5 calls))
2d18c2 :8830 ê0 : LDRH R0, [R6, #0]
2d18c4 :8020 Ç : STRH R0, [R4, #0]
2d18c6 :f008fba9: BL 2da01c (Routine (6 calls))
2d18ca :f001ff5b: BL 2d3784 (Routine (145 calls))
2d18ce :803d Ç= : STRH R5, [R7, #0]
2d18d0 :2000 . : MOV R0, #0
2d18d2 :8821 ê! : LDRH R1, [R4, #0]
2d18d4 :042a0c12: AND R2, R5, #0000ffff
2d18d8 :428a Bè : CMP R2, R1
2d18da :d000 ╨. : BEQ 2d18de
2d18dc :2001 . : MOV R0, #1 Change 01 -> 00 and MCU Checksum DEAD!
2d18de :bdf0 ╜≡ : POP { R4,R5,R6,R7, PC }
-----------------------------------------^ end routine

it's the same with all asic2. soon the next problem will be, how come on some new asic 2. gets no networks after modz. ;-(

regards

deadspot
17-01-2006, 09:33 AM
6630 modified....


http://rapidshare.de/files/11063796/MODZ6630.zip.html

krisha
17-01-2006, 02:01 PM
3100/3120 5.91 modded ... not a really great thing, but a simple start :-)

http://www.gsmfreeboard.com/forum/showthread.php?t=120482

maybe other models will follow :)

Kontact
17-01-2006, 03:11 PM
> 3100/3120 5.91 modded ... not a really great thing, but a simple start :-)
>
> http://www.gsmfreeboard.com/forum/showthread.php?t=120482
>
> maybe other models will follow :)

Hi Krisha

first dct4 moddling sw i see ;-) congratz! hope i have 3100/3120 on my hand.

definitely all possible dct4 asic 2 will follow... ;-)

regards

lempacks
17-01-2006, 03:43 PM
> 3100/3120 5.91 modded ... not a really great thing, but a simple start :-)
>
> http://www.gsmfreeboard.com/forum/showthread.php?t=120482
>
> maybe other models will follow :)

Nice! This could be a big start. Hope to see some modded asic5 nokias (e.g. 6600). :-D :-D :-D

NokDoc
17-01-2006, 07:19 PM
Hi,

CONGRATZ!!!

New milestone, dct4 modding is a public fact now.

(demn, I gotto start saving for a box now...)

NokDoc

g3gg0
18-01-2006, 02:06 AM
@kontact:

thanks ;)
nice to see, you also start modding dct-4's :D

but thats not all for now...
nok5rev and i will soon release a nice tool, that will help
reverse engineers a little bit ;)
but more about that soon

Kontact
18-01-2006, 04:07 AM
> @kontact:
>
> thanks ;)
> nice to see, you also start modding dct-4's :D
>
> but thats not all for now...
> nok5rev and i will soon release a nice tool, that will help
> reverse engineers a little bit ;)
> but more about that soon

@g3gg0

likewise...

yeah a little push will go a long way. hope to see the tool soon.

regards

indear
19-01-2006, 09:24 PM
@g3gg0
thx now CrypterX works fine :)

@Kontact
thanks for offer your help! :)
I finally found mcu_checksum in 7250i



ROM:01434110 chk_flash_cheksum ; CODE XREF: sub_138007E+10p
ROM:01434110
ROM:01434110 var_1C = -0x1C
ROM:01434110
ROM:01434110 PUSH {R0,R1,R4-R7,LR}
ROM:01434112 LDR R0, =unk_1000000
ROM:01434114 ADD R6, R1, #0
ROM:01434116 ADD R4, R0, #0
ROM:01434118 ADD R7, R0, #0
ROM:0143411A ADD R7, #0xC0
ROM:0143411C LDR R0, [R7,#0x3C]
ROM:0143411E ADD R4, #0xFF
ROM:01434120 ADD R4, #1
ROM:01434122 MOV R5, #0
ROM:01434124 CMP R0, #0
ROM:01434126 SUB SP, SP, #4
ROM:01434128 BNE loc_1434136
ROM:0143412A LDR R0, =aHw_st_c
ROM:0143412C LDR R2, =0x823
ROM:0143412E LDR R1, =aHw_st_c
ROM:01434130 ADD R0, #0x40
ROM:01434132 BL assert
ROM:01434136
ROM:01434136 loc_1434136 ; CODE XREF: chk_flash_cheksum+18j
ROM:01434136 LDR R0, =unk_1000000
ROM:01434138 LDR R2, [R7,#0x3C]
ROM:0143413A B loc_1434142
ROM:0143413C ; ---------------------------------------------------------------------------
ROM:0143413C
ROM:0143413C loc_143413C ; CODE XREF: chk_flash_cheksum+34j
ROM:0143413C LDRH R1, [R4]
ROM:0143413E ADD R5, R1, R5
ROM:01434140 ADD R4, #2
ROM:01434142
ROM:01434142 loc_1434142 ; CODE XREF: chk_flash_cheksum+2Aj
ROM:01434142 CMP R2, R4
ROM:01434144 BCS loc_143413C
ROM:01434146 MOVL R1, 0x8000000
ROM:0143414A ADD R0, #0x26
ROM:0143414C ORR R0, R1
ROM:0143414E ADD R4, R0, #0
ROM:01434150 BL sub_1432C20
ROM:01434154 CMP R0, #0
ROM:01434156 BEQ loc_143416E
ROM:01434158 BL sub_134C728
ROM:0143415C BL sub_1432B98
ROM:01434160 LDRH R0, [R4]
ROM:01434162 STRH R0, [R6]
ROM:01434164 BL sub_1432BC4
ROM:01434168 BL sub_134C736
ROM:0143416C B loc_1434172
ROM:0143416E ; ---------------------------------------------------------------------------
ROM:0143416E
ROM:0143416E loc_143416E ; CODE XREF: chk_flash_cheksum+46j
ROM:0143416E LDRH R0, [R4]
ROM:01434170 STRH R0, [R6]
ROM:01434172
ROM:01434172 loc_1434172 ; CODE XREF: chk_flash_cheksum+5Cj
ROM:01434172 LSL R0, R5, #0x10
ROM:01434174 LDR R1, [SP,#0x20+var_1C]
ROM:01434176 LSR R0, R0, #0x10
ROM:01434178 STRH R0, [R1]
ROM:0143417A LDRH R1, [R6]
ROM:0143417C CMP R0, R1
ROM:0143417E BNE loc_1434184
ROM:01434180 MOV R0, #0
ROM:01434182
ROM:01434182 loc_1434182 ; CODE XREF: chk_flash_cheksum+76j
ROM:01434182 POP {R1-R7,PC}
ROM:01434184 ; ---------------------------------------------------------------------------
ROM:01434184
ROM:01434184 loc_1434184 ; CODE XREF: chk_flash_cheksum+6Ej
ROM:01434184 MOV R0, #1 Change 01 -> 00 and MCU chk dead
ROM:01434186 B loc_1434182
ROM:01434186 ; End of function chk_flash_cheksum


and..



ROM:015DD88C off_15DD88C DCD sub_1380108+1 ; DATA XREF: ROM:off_137F6E4o
ROM:015DD890 DCD aSt_uem_cbus_if_test ; "ST_UEM_CBUS_IF_TEST"
ROM:015DD894 DCD unk_1512E01
ROM:015DD898 DCD 0xC000000
ROM:015DD89C DCD sub_137FF70+1
ROM:015DD8A0 DCD aSt_sleep_x_loop_test ; "ST_SLEEP_X_LOOP_TEST"
ROM:015DD8A4 DCD unk_1000F01
ROM:015DD8A8 DCD 0xC000000
ROM:015DD8AC DCD sub_137FDB0+1
ROM:015DD8B0 DCD aSt_aux_da_loop_test ; "ST_AUX_DA_LOOP_TEST"
ROM:015DD8B4 DCD 0xFD0101
ROM:015DD8B8 DCD 0xC000000
ROM:015DD8BC DCD sub_137FDD8+1
ROM:015DD8C0 DCD aSt_ear_data_loop_test ; "ST_EAR_DATA_LOOP_TEST"
ROM:015DD8C4 DCD 0xFE0301
ROM:015DD8C8 DCD 0xC000000
ROM:015DD8CC DCD sub_137FFEA+1
ROM:015DD8D0 DCD aSt_tx_idp_loop_test ; "ST_TX_IDP_LOOP_TEST"
ROM:015DD8D4 DCD unk_1021101
ROM:015DD8D8 DCD 0xC000000
ROM:015DD8DC DCD loc_1380012+1
ROM:015DD8E0 DCD aSt_tx_iq_dp_loop_test ; "ST_TX_IQ_DP_LOOP_TEST"
ROM:015DD8E4 DCD unk_1031201
ROM:015DD8E8 DCD 0xC000000
ROM:015DD8EC DCD sub_137FF20+1
ROM:015DD8F0 DCD aSt_sim_clk_loop_test ; "ST_SIM_CLK_LOOP_TEST"
ROM:015DD8F4 DCD unk_1010C01
ROM:015DD8F8 DCD 0xC000000
ROM:015DD8FC DCD sub_137FF48+1
ROM:015DD900 DCD aSt_sim_io_ctrl_loop_tes ; "ST_SIM_IO_CTRL_LOOP_TEST"
ROM:015DD904 DCD loc_1370D00+1
ROM:015DD908 DCD 0xC000000
ROM:015DD90C DCD sub_137FEAE+1
ROM:015DD910 DCD aSt_mbus_rx_tx_loop_test ; "ST_MBUS_RX_TX_LOOP_TEST"
ROM:015DD914 DCD sub_1330800+1
ROM:015DD918 DCD 0xA000000
ROM:015DD91C DCD sub_138003A+1
ROM:015DD920 DCD aSt_backup_batt_test ; "ST_BACKUP_BATT_TEST"
ROM:015DD924 DCD loc_1391400+1
ROM:015DD928 DCD 0xA000000
ROM:015DD92C DCD sub_13800DC+1
ROM:015DD930 DCD aSt_radio_test ; "ST_RADIO_TEST"
ROM:015DD934 DCD 0x2A02
ROM:015DD938 DCD 0xA000000
ROM:015DD93C DCD sub_1380068+1
ROM:015DD940 DCD aSt_warranty_test ; "ST_WARRANTY_TEST"
ROM:015DD944 DCD 0x2702
ROM:015DD948 DCD 0xC000000
ROM:015DD94C DCD sub_137FEEC+1
ROM:015DD950 DCD aSt_pa_temp_test ; "ST_PA_TEMP_TEST"
ROM:015DD954 DCD 0x2473301
ROM:015DD958 DCD 0xC000000
ROM:015DD95C DCD sub_1380050+1
ROM:015DD960 DCD aSt_sim_lock_test ; "ST_SIM_LOCK_TEST"
ROM:015DD964 DCD 0x2101
ROM:015DD968 DCD 0xC000000
ROM:015DD96C DCD sub_137FED6+1
ROM:015DD970 DCD aSt_ppm_validity_test ; "ST_PPM_VALIDITY_TEST"
ROM:015DD974 DCD 0xA04
ROM:015DD978 DCD 0xC000000
ROM:015DD97C DCD sub_137FE90+1
ROM:015DD980 DCD aSt_keyboard_stuck_test ; "ST_KEYBOARD_STUCK_TEST"
ROM:015DD984 DCD loc_1320702
ROM:015DD988 DCD 0xA000000
ROM:015DD98C DCD sub_138007E+1
ROM:015DD990 DCD aSt_flash_checksum_test ; "ST_FLASH_CHECKSUM_TEST"
ROM:015DD994 DCD 0x2904
ROM:015DD998 DCD 0xC000000
ROM:015DD99C DCD sub_137FE00+1
ROM:015DD9A0 DCD aSt_camera_if_test ; "ST_CAMERA_IF_TEST"
ROM:015DD9A4 DCD loc_1481600
ROM:015DD9A8 DCD 0xA000000
ROM:015DD9AC DCD st_conf_sw_type+1
ROM:015DD9B0 DCD aSt_sw_type_validity_tes ; "ST_SW_TYPE_VALIDITY_TEST"
ROM:015DD9B4 DCD 0x4401
ROM:015DD9B8 DCD 0xC000000
ROM:015DD9BC DCD sub_112CCF0+1
ROM:015DD9C0 DCD aSt_rf_chip_id_test ; "ST_RF_CHIP_ID_TEST"
ROM:015DD9C4 DCD 0x1E00
ROM:015DD9C8 DCD 0xA000000
ROM:015DD9CC DCD sub_112CD7A+1
ROM:015DD9D0 DCD aSt_ir_if_test ; "ST_IR_IF_TEST"
ROM:015DD9D4 DCD 0x2D02
ROM:015DD9D8 DCD 0xA000000


the pattern is

DWORD test_function
DWORD test_name
DWORD ¿?
DWORD ¿?

many thanks to nok5rev & g3gg0 for dct4decrypter :wink:
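Both listings in this thread (Kontact's 8310 routine and indear's 7250i chk_flash_cheksum above) compute the same kind of integrity check, which is why a patched MCU that leaves the stored checksum alone will not boot: the sum over the code region no longer matches. The Python below is an added example, not code from the page or from any DCT4 tool, that reimplements the check as I read it from the 7250i listing: sum the little-endian 16-bit halfwords from flash address 0x01000100 up to and including the end address stored at 0x010000FC ([R7+#0x3C] with R7 = 0x01000000 + 0xC0), keep the low 16 bits (LSL/LSR by 0x10), and compare with the halfword stored at 0x01000026. The 0x8000000 that the routine ORs into the stored-checksum address is treated here as an address-space alias bit and dropped; the mapping of file offset 0 to flash address 0x01000000, and the inclusive loop bound, are assumptions from the listing, and the image is constructed. The 8310 variant differs only in how it finds the end of the region (a constant, with an exclusive halfword count).

```python
"""Flash checksum as read from the chk_flash_cheksum disassembly (added example).

Sum of 16-bit little-endian halfwords over the code region, truncated to 16
bits and compared with a stored halfword in the flash header.
"""
import struct

FLASH_BASE = 0x01000000        # assumption: file offset 0 == flash address 0x01000000
SUM_START = 0x01000100         # LDR R0,=unk_1000000 ; ADD R4,#0xFF ; ADD R4,#1
END_PTR_ADDR = 0x010000FC      # LDR R2,[R7,#0x3C] with R7 = 0x01000000 + 0xC0
STORED_SUM_ADDR = 0x01000026   # ADD R0,#0x26 (ORR 0x8000000 alias bit dropped here)


def halfword_sum(image: bytes, start_off: int, end_off: int) -> int:
    """Sum of LE halfwords at start_off..end_off inclusive (CMP R2,R4 / BCS),
    truncated to 16 bits (LSL #0x10 / LSR #0x10)."""
    total = 0
    for off in range(start_off, end_off + 1, 2):
        total += struct.unpack_from("<H", image, off)[0]
    return total & 0xFFFF


def chk_flash_checksum(image: bytes) -> int:
    """Returns 0 when the stored checksum matches the computed one, else 1,
    mirroring the MOV R0,#0 / MOV R0,#1 return values in the listing."""
    end_addr = struct.unpack_from("<I", image, END_PTR_ADDR - FLASH_BASE)[0]
    computed = halfword_sum(image, SUM_START - FLASH_BASE, end_addr - FLASH_BASE)
    stored = struct.unpack_from("<H", image, STORED_SUM_ADDR - FLASH_BASE)[0]
    return 0 if computed == stored else 1


def write_checksum(image: bytearray) -> int:
    """What a firmware build step does: recompute the sum and store it in the
    header. Returns the value written."""
    end_addr = struct.unpack_from("<I", image, END_PTR_ADDR - FLASH_BASE)[0]
    value = halfword_sum(image, SUM_START - FLASH_BASE, end_addr - FLASH_BASE)
    struct.pack_into("<H", image, STORED_SUM_ADDR - FLASH_BASE, value)
    return value


def make_sample_image() -> bytearray:
    """Constructed 512-byte image: 0x100-byte header, then a code region whose
    byte at offset i is i & 0xFF, with the end pointer set to the last halfword."""
    img = bytearray(0x200)
    for i in range(0x100, 0x200):
        img[i] = i & 0xFF
    struct.pack_into("<I", img, END_PTR_ADDR - FLASH_BASE, FLASH_BASE + 0x1FE)
    return img


def build_signed_sample() -> bytearray:
    img = make_sample_image()
    write_checksum(img)
    return img


if __name__ == "__main__":
    good = build_signed_sample()
    print("stored sum: 0x%04X" % struct.unpack_from("<H", good, 0x26)[0])
    print("clean image check:", chk_flash_checksum(good))      # 0 = pass
    patched = bytearray(good)
    patched[0x150] ^= 0x01          # one-byte change inside the summed region
    print("patched image check:", chk_flash_checksum(patched))  # 1 = mismatch
```

For the constructed image the sum comes out to 0x3F80; flipping a single bit inside the summed region makes the check return 1, exactly the failure mode indear hit with a patched MCU whose header still carried the old value. Note that this is an additive checksum, not a signature: it detects accidental corruption and stray edits, but offers no protection against anyone who can rewrite the header.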

indear
19-01-2006, 09:45 PM
for 3100



ROM:013540B4 chk_flash_cheksum ; CODE XREF: sub_12CA256+10p
.....
ROM:01354128 MOV R0, #1 Change 01 -> 00 and MCU chk dead
.....


test list at ROM:0152B604
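The self-test table that indear reads out above (7250i at ROM:015DD88C, 3100 at ROM:0152B604) is a flat array of 16-byte records: a Thumb function pointer (low bit set, hence the "+1"), a pointer to the test name string, and two words of unknown meaning. The Python below is an added example, not code from the page, of walking such a table so that the whole list of self-tests and their handlers can be inventoried instead of read entry by entry in the disassembler. It builds a constructed little-endian blob using three entries and values taken from the listing (the ROM base 0x01000000 and the zero-record terminator are assumptions; the real table's end is not shown on the page), decodes the Thumb bit and resolves the name pointers.

```python
"""Walk a DCT4-style self-test table: {func, name, ?, ?} x N (added example)."""
import struct

ROM_BASE = 0x01000000     # assumption: blob offset 0 corresponds to ROM address 0x01000000
ENTRY_FMT = "<IIII"       # four little-endian DWORDs, as in the pattern posted above
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)


def read_cstring(image: bytes, off: int) -> str:
    """NUL-terminated ASCII string at `off`."""
    end = image.index(b"\0", off)
    return image[off:end].decode("ascii")


def parse_test_table(image: bytes, table_off: int, base: int = ROM_BASE) -> list:
    """Decode entries until a zero function pointer (constructed terminator)."""
    entries = []
    off = table_off
    while off + ENTRY_SIZE <= len(image):
        func, name_ptr, unk1, unk2 = struct.unpack_from(ENTRY_FMT, image, off)
        if func == 0:
            break
        entries.append({
            "function": func & ~1,            # strip the Thumb bit to get the address
            "thumb": bool(func & 1),          # DCD sub_xxx+1 => Thumb code
            "name": read_cstring(image, name_ptr - base),
            "unk1": unk1,                     # meaning not known (DWORD ¿? in the post)
            "unk2": unk2,
        })
        off += ENTRY_SIZE
    return entries


def find_test(entries: list, name: str):
    """Handler address for a test name, or None."""
    for e in entries:
        if e["name"] == name:
            return e["function"]
    return None


def build_sample():
    """Constructed blob: name strings first, the table at offset 0x100.
    Entry values are taken from the 7250i listing above."""
    names = ["ST_FLASH_CHECKSUM_TEST", "ST_RADIO_TEST", "ST_RF_CHIP_ID_TEST"]
    funcs = [0x0138007E, 0x013800DC, 0x0112CCF0]
    unknowns = [(0x2904, 0xC000000), (0x2A02, 0xA000000), (0x1E00, 0xA000000)]
    blob = bytearray()
    name_ptrs = []
    for n in names:
        name_ptrs.append(ROM_BASE + len(blob))
        blob += n.encode("ascii") + b"\0"
    blob += b"\0" * (0x100 - len(blob))
    table_off = len(blob)
    for func, ptr, (u1, u2) in zip(funcs, name_ptrs, unknowns):
        blob += struct.pack(ENTRY_FMT, func | 1, ptr, u1, u2)   # +1: Thumb bit
    blob += b"\0" * ENTRY_SIZE                                  # terminator
    return bytes(blob), table_off


if __name__ == "__main__":
    image, table_off = build_sample()
    for e in parse_test_table(image, table_off):
        print("%08X %-26s thumb=%s unk=%#x,%#x" % (
            e["function"], e["name"], e["thumb"], e["unk1"], e["unk2"]))
```

On a real dump the same loop is run from the table address with the ROM base of that model; the two unknown words are carried through unchanged so that whatever they turn out to mean can be correlated across models later.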

Kontact
20-01-2006, 02:19 AM
menu structure 8310

ROM:0148AF48 Message_Main DCD SubMenu ; DATA XREF: ROM:MENU_Entryo
ROM:0148AF4C DCD unk_4FFD0
ROM:0148AF50 DCD PTR2Messge_sub_Struc
ROM:0148AF54 DCD 0x7330001
ROM:0148AF58 DCD Message_table_sub_struc
ROM:0148AF5C DCD 0xC000000
ROM:0148AF60 Write_MenuItem DCD MenuItem ; DATA XREF: ROM:Message_table_sub_struco
ROM:0148AF64 DCD unk_4FFE0
ROM:0148AF68 DCD mWrite_Message_select
ROM:0148AF6C DCD 0x1A0087
ROM:0148AF70 Inbox_MenuItem DCD MenuItem ; DATA XREF: ROM:0148E098o
ROM:0148AF74 DCD unk_4FFE8
ROM:0148AF78 DCD mInbox_select
ROM:0148AF7C DCD 0x1B0088

now every moddler can treat dct4 just like dct3. ;-)

regards

krisha
20-01-2006, 03:19 AM
fbus debugger ? hmm why not... since jtag sucks (at least for me). here is the fbus sync (8x 'U') prepare function on 3100. It's possible to include own bytes in that routine. Knock out the check whether the sync was already sent, call an own routine that mallocs mem (8 bytes) and returns the address before the last BL :)



012A8150 prepare_fbus_send_UUUUUUUU ; CODE XREF: sub_12A7C9A+16p
012A8150 PUSH {R4,R5,R7,LR}
012A8152 LDR R4, =0x31638
012A8154 SUB R4, #0x18 ; 31620
012A8156 LDR R0, [R4] ; int alreadySentSyncBytes
012A8158 CMP R0, #0
012A815A BNE loc_12A819E
012A815C MOV R5, #1
012A815E STR R5, [R4] ; alreadySentSyncBytes = 1
012A8160 BL sub_130FC5C
012A8164 MOV R0, #0x14 ; 20 bytes
012A8166 BL maybe_malloc
012A816A MOV R1, #4
012A816C STR R0, [R4,#0x14] ; store allocated memory
012A816E STMIA R0!, {R1,R5} ; store 0000000400000001 at allocated mem
012A8170 SUB R0, #8 ; reset to allocated mem
012A8172 STR R1, [R0,#8] ; 000000040000000100000004
012A8174 LDR R1, =unk_1522DAC
012A8176 ADD R1, #2
012A8178 STR R1, [R0,#0xC] ; 00000004000000010000000401522DAE
012A817A STR R0, [R4,#0x10] ; save allocated mem
012A817C MOV R1, #4
012A817E MOV R0, #6
012A8180 BL sub_136C4C8
012A8184 MOV R1, #0
012A8186 MOV R0, #1
012A8188 BL sub_12A76DC
012A818C MOV R1, #2
012A818E MOV R0, #1
012A8190 BL sub_130FC7C
012A8194 LDR R0, [R4,#0x10] ; get allocated mem
012A8196 MOV R1, #2
012A8198 LDR R0, [R0,#0xC] ; get UUUUUUUU adress
012A819A BL sub_130FC8C
012A819E
012A819E loc_12A819E ; CODE XREF: prepare_fbus_send_UUUUUUUU+Aj
012A819E POP {R4,R5,R7,PC}
012A819E ; End of function prepare_fbus_send_UUUUUUUU


indear already knows it, we have a little public DB that is very hungry ;-)
http://krisha.dyndns.org/dct4infobase

pico
20-01-2006, 01:16 PM
you guys are crazy. good work!

g3gg0
22-01-2006, 03:28 AM
hi, also some stuff... (for 6610 v6.32)

i used dump_flash_over_AT.txt to dump (as the name says) the flash/ram
contents over AT commands (via infrared also)

it was fired with some AT command, i think "AT+CRLP"

didnt analyse the AT functions, so its just made up to FIRE the injected code...
no parameters etc...

nearly the same for set_radio_freq.txt to experiment with radio
not sure if that worked

mod-the-pc
06-02-2006, 10:45 AM
Will it be possible to change the menu icons in 3100. Where are the icons? in the MCU? Has this been done on a DCT4 before?

The icons in 3100 look really cheap and would like to replace them with 6610/7250 or my custom ones

mestrini
06-02-2006, 11:58 PM
Not 100% sure if happens in all DCT4 but looks like in 8310 the bitmaps are in PPM; in fact there's a chunk called ANIM ;)

cheers