
Disassembling flash file



rawsock
31-05-2006, 10:49 AM
Hi guys,
I have some experience in reverse engineering on x86, but I'm new to ARM. I'm using IDA Pro and 6630 flash files. Could you help me with the questions below?

- I have 2 files: *.v30 and *.c0r. What exactly do they contain? I mean, why are there two files instead of one with a full flash image?
- Are these files encrypted/compressed in some way, or are they just pure binary files? If not, is there any decrypter/decompressor for BB5 flash files?
- What is the entry point? Does it start in Thumb mode?
- What architecture should I select? ARM, ARMB or ARM7? AFAIK, BB5 chips are all ARM9. Are these architectures compatible in any way?

Thanks!
I'll share my work if I get any interesting results.
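Nobody in the thread answers the entry-point question directly, so here is an added example (not code from the thread or from any of the posters) of how to read the entry point off a raw ARM image: decode the reset vector at offset 0, which on a classic ARM exception vector table is either an unconditional `B` to the reset handler or a `LDR PC, [PC, #imm]` that pulls an absolute address from a literal pool. It assumes the image is a plain, unciphered ARM image mapped at address 0 with the vector table first; the thread does not confirm that layout for BB5 .c0r files (NokDoc says below that the MCU part is usually ciphered and may carry a flasher header), so treat it as a check to run once IDA can actually read the bytes. The sample bytes are constructed for the demo.

```python
import struct

# Constructed sample: a tiny little-endian ARM image whose first word is a
# reset vector "B 0x40" and whose second word is "LDR PC, [PC, #0x18]" with
# its literal-pool word at 0x24 holding 0x00001235 (bit 0 set -> Thumb).
# Made-up test data, not bytes from any Nokia flash file.
SAMPLE = bytearray(0x80)
struct.pack_into("<I", SAMPLE, 0x00, 0xEA00000E)  # B  +0x40  (PC+8 + 14*4)
struct.pack_into("<I", SAMPLE, 0x04, 0xE59FF018)  # LDR PC,[PC,#0x18] -> literal at 0x24
struct.pack_into("<I", SAMPLE, 0x24, 0x00001235)  # absolute target, Thumb bit set


def decode_vector(image, offset, base=0):
    """Decode one ARM-state exception vector word at `offset` of `image`.

    Returns (target_address, is_thumb), or None if the word is neither an
    unconditional B nor a PC-relative LDR into PC (add-offset form only).
    `base` is the address the image is mapped at (0 for a table at 0x0).
    """
    (insn,) = struct.unpack_from("<I", image, offset)
    pc = base + offset + 8            # in ARM state PC reads two words ahead
    if (insn >> 28) != 0xE:
        return None                   # vector entries are normally unconditional
    if ((insn >> 24) & 0xF) == 0xA:   # B imm24 -> 0xEAxxxxxx (0xEB would be BL)
        imm24 = insn & 0x00FFFFFF
        if imm24 & 0x00800000:        # sign-extend the 24-bit field
            imm24 -= 0x01000000
        return (pc + (imm24 << 2)) & 0xFFFFFFFF, False
    if (insn & 0x0FFFF000) == 0x059FF000:   # LDR PC, [PC, #imm12]
        imm12 = insn & 0xFFF
        literal = pc + imm12 - base          # literal pool offset in the image
        (target,) = struct.unpack_from("<I", image, literal)
        # On ARMv5T cores (the ARM9E family) loading PC with bit 0 set
        # switches to Thumb; the real entry address has that bit cleared.
        return target & ~1, bool(target & 1)
    return None


def reset_handler(image, base=0):
    """Entry point taken on reset: vector 0 of the exception table."""
    return decode_vector(image, 0, base)


if __name__ == "__main__":
    print("reset ->", reset_handler(SAMPLE))
    print("undef ->", decode_vector(SAMPLE, 4))
```

A `B` at the reset vector means the handler starts in ARM state (exceptions are always taken in ARM state on these cores), which also answers the Thumb question for the first instructions; Thumb code, if any, only shows up once the handler branches with interworking.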

magicmushrooms1
31-05-2006, 10:59 AM
http://nokiafree.org/forums/t80102/h/s.html

http://www.g3gg0.de/

rawsock
31-05-2006, 03:10 PM
http://nokiafree.org/forums/t80102/h/s.html

http://www.g3gg0.de/

Thanks, but those links talk about checksum algos only - that's one step further than I am now. Currently I just want to disassemble. I'll worry about flashing later.

BTW, the second link is about DCT4 only.

Thanks anyway.

NokDoc
31-05-2006, 04:08 PM
Hi,

DCT4, Tiku & BB5 files come in separate MCU and PPM packages.

Most times the MCU files are ciphered and therefore not usable in IDA.

Deciphering & re-ciphering after changes is at this moment only possible with DCT4 files.

In addition to this flash file ciphering, there are also some flash checksums to be recalculated (fsig, flash signature).

That is not possible for DCT4, BB5 & Tiku files yet.

More about reversing and its progress for the newer Nokia types can be found in the DCT4 developers areas.

NokDoc

rawsock
31-05-2006, 06:56 PM
Thanks for reply.
Could you write a bit more about those MCU and PPM files? Are they for two different ICs? Which one contains Symbian OS and the file system?
You wrote that MCU files are encrypted. Does it imply that PPM files are not?
Theoretically, if I manage to decipher it, would I get a pure binary flash file, or is there some additional header used by the flashing software?
And finally, I suppose that the whole flash file is affected by encryption, not only parts of it. If that is true, why do I see lots of plain text messages in it?
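The "it is ciphered, yet I see plain text" puzzle is easier to settle by measuring entropy block by block instead of for the whole file: ciphered or compressed regions are close to uniform (near 8 bits per byte), code and tables sit in the middle, erased flash is flat, and a plain-text string region next to a ciphered code region shows up as a sharp boundary in the scan. The script below is an added example, not code from the thread; the image it scans is a constructed three-region stand-in (text, a SHA-256 keystream standing in for cipher output, and 0xFF erased flash), not bytes from any Nokia file, and the thresholds are rules of thumb rather than anything specific to the BB5 format.

```python
import hashlib
import math
import re

BLOCK = 1024  # bytes per entropy sample; 256 is too few to read random data as ~8 bits


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(block, hi=7.5, lo=1.0):
    """Heuristic label for one block; the thresholds are rules of thumb, not a spec."""
    e = shannon_entropy(block)
    if e >= hi:
        return "high-entropy"   # ciphered or compressed: nothing for IDA to read yet
    if e <= lo:
        return "filler"         # erased flash (0xFF) or zero padding
    return "structured"         # code, tables, text: worth disassembling


def scan(image, block_size=BLOCK):
    """Return [(offset, entropy, label)] for every block of `image`."""
    out = []
    for off in range(0, len(image), block_size):
        blk = image[off:off + block_size]
        out.append((off, round(shannon_entropy(blk), 2), classify(blk)))
    return out


def find_strings(image, min_len=8):
    """(offset, text) for printable-ASCII runs, like `strings -t x`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(image)]


def build_sample():
    """Constructed stand-in image: text region, pseudo-ciphered region, erased region."""
    text = b"Insert SIM card\0SIM card rejected\0Enter PIN code\0"
    text_region = (text * (BLOCK // len(text) + 1))[:BLOCK]
    # Pseudo-ciphered region: a SHA-256 keystream gives uniform bytes; it is a
    # proxy for real cipher output and has nothing to do with the Nokia cipher.
    cipher_region = b"".join(
        hashlib.sha256(b"demo" + i.to_bytes(4, "little")).digest()
        for i in range(BLOCK // 32))
    erased_region = b"\xff" * BLOCK
    return text_region + cipher_region + erased_region


if __name__ == "__main__":
    img = build_sample()
    for off, ent, label in scan(img):
        print(f"{off:#08x}  {ent:5.2f}  {label}")
    for off, s in find_strings(img)[:3]:
        print(f"{off:#08x}  {s}")
```

To run it on a real dump, replace `build_sample()` with `open(path, "rb").read()` and look at where the label changes: the boundary separates the parts IDA can load as-is (headers, string tables, any unciphered code) from the parts that need deciphering first, which is a more useful answer than a single whole-file verdict.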

dendennis
28-06-2006, 08:06 PM
The *.vXX is the PPM file (language and customisation file); the numbers (XX) change depending on the language/phone area variation.
The *.c0r is the core file containing the main operating system.

I don't know anything about reverse engineering them though; good luck.

With BB5 I believe that even if you can hack the firmware to avoid things like network locks, the RAP3G ROM chip has another check on it, so a simple bypass looks like it will not work due to the very high security level; not 100% on that though.

As the locks are removed by an input code, we know that the lock areas must be re-writable with software; let's hope you can find the unlock algorithm.

But I suspect that reversing the flash files will not reveal much, as the security seems to be burnt onto the dreaded RAP3G chip.

(Also note most BB5s are now multi-processor phones; early BB5 are uni-processor, but now they are split into dual processors.)

It would be very interesting if someone figures out how to read/write the undocumented ROM chip though.
Again, this will probably be part firmware and part stored on a ROM chip; also note that sensitive info like the IMEI is burnt into a one-time programmable IC.

Hope some of this info is useful, but I think that to fully understand the firmware, if you can reverse engineer it, you also need a really in-depth knowledge of the hardware.

Good luck anyhow