
nokia 6280 unlocking project -- help welcome



naigh
17-12-2007, 01:25 PM
hi, I'm trying to unlock a Nokia 6280 by the Dejan BB5 unlocking theory but I need help with this.... if this theory works we can unlock all BB5.

this is the theory
It seems that everybody knows how it works, but not Nokia, since they didn't
change anything in their SW to prevent that.

Then again, maybe not!
Why did they leave a BIG hole in SP security...?

BB5 uses RSA and AES algorithms that run from secure ROM and RAM.
The main SP routines are stored in FLASH in the block "PA_SL"; those routines are
loaded into secure RAM and, if the RSA signature is correct, the CPU will run them.

BUT the "SP SERVER" is part of MCUSW, which runs DIRECTLY from
FLASH and is not protected?!!! Well, it is tested only once when the phone starts!
After that you can patch code from flash on the fly.

The ARM CPU reads data from flash in bursts; in this case it is a burst of 32 bytes
and it starts on a 32-byte aligned address.

So, the first step is to know where the code that has to be patched is in FLASH.
You can find that by desoldering the FLASH from the phone and reading it with some
programming device.
Or you can use my software to extract mcusw from Nokia update SW files.
Find the biggest file in the dir and rename it to "infile". Run "fls2bin.exe", wait, and two
files will be created. One of them is "mcusw".

NOTE: fls2bin may not work with all cpu flash files!

End of Part 1
http://rapidshare.com/files/56060733/Fls2bin.rar.html

Part 2:

Once you have the code, the next step is to find what and where to patch.
Well, that is a very complicated procedure and requires knowledge, experience,
lots of work, etc.
But again, Nokia made another big hole, or maybe NOT?!
One of the critical routines can be EASILY found by looking for an ASCII string!!!,
believe it or not.
The magic string is "012345678901234" and it is the default SP pass for test phones or
whatever. Probably they had a problem putting a string like "FOR HACKERS HERE IS CRITICAL CODE!"
Anyway....

Use "LISTER" from Windows to view the "mcusw" file.
In options, select "HEX".
Press key "F7".
Enter 012345678901234 and hit enter to start looking for that string.
All other data has to look like some garbage, with only that ASCII string!

Note: If you do not find that string in "mcusw", try in the second file that is
created by "fls2bin.exe".

Once you find the string, look in Lister for the HEX address of that string.
Subtract 1000h from that address (200h to 2000h).
This is the address from which you will start to disassemble the code!!!

So....


Load the file in some ARM disassembler, use LITTLE ENDIAN and THUMB mode.
Set the disassembly address defined previously, and start to disassemble the code.

In that process you have to look for the instruction that points to the string
"012345678901234"

Something like this:

00A0C9BC: FE A4 LEA R4,[PC+#03F8] ;[00A0CDB8]=33323130 '012345678901234'

And you have found ONE of many SP routines that can be patched.

In this example the full routine looks like this:
(From: V 05.00 27-04-07 RM-174)


00A0C9B6: F0 B5 PUSH (R4,R5,R6,R7,LR)
00A0C9B8: 06 1C ADD R6,R0,#0
00A0C9BA: 0F 1C ADD R7,R1,#0
00A0C9BC: FE A4 LEA R4,[PC+#03F8] ;[00A0CDB8]=33323130 '012345678901234'
00A0C9BE: 85 B0 SUB SP,#0014
00A0C9C0: 2E CC LDM [R4],(R1,R2,R3,R5)
00A0C9C2: 01 A8 LEA R0,[SP+#0004]
00A0C9C4: 2E C0 STM [R0],(R1,R2,R3,R5)
00A0C9C6: 02 25 MOV R5,#02
00A0C9C8: 00 24 MOV R4,#00
00A0C9CA: FF F7 07 F9 CALL 00A0BBDC
00A0C9CE: 00 28 CMP R0,#00
00A0C9D0: 02 D0 BEQ 00A0C9D8
00A0C9D2: 02 28 CMP R0,#02
00A0C9D4: 2D D0 BEQ 00A0CA32
00A0C9D6: 0A E0 JMP 00A0C9EE
00A0C9D8: 0F 22 MOV R2,#0F
00A0C9DA: 31 1C ADD R1,R6,#0
00A0C9DC: 01 A8 LEA R0,[SP+#0004]
00A0C9DE: 50 F6 6C E8 CALLX 0085CABA
00A0C9E2: 00 28 CMP R0,#00
00A0C9E4: 01 D1 BNE 00A0C9EA
00A0C9E6: 00 25 MOV R5,#00
00A0C9E8: 23 E0 JMP 00A0CA32
00A0C9EA: 08 25 MOV R5,#08
00A0C9EC: 21 E0 JMP 00A0CA32
00A0C9EE: 30 5D LDRB R0,[R6+R4]
00A0C9F0: 30 38 SUB R0,#30
00A0C9F2: 0A 28 CMP R0,#0A
00A0C9F4: 02 D3 BCC 00A0C9FC
00A0C9F6: 08 20 MOV R0,#08
00A0C9F8: 05 B0 ADD SP,#0014
00A0C9FA: F0 BD RET (R4,R5,R6,R7)
00A0C9FC: 01 34 ADD R4,#01
00A0C9FE: 24 06 LSL R4,R4,24
00A0CA00: 24 0E LSR R4,R4,24
00A0CA02: 0E 2C CMP R4,#0E
00A0CA04: F3 D9 BLS 00A0C9EE
00A0CA06: 08 20 MOV R0,#08
00A0CA08: 40 F6 3C E9 CALLX 0084CC84
00A0CA0C: 04 1C ADD R4,R0,#0
00A0CA0E: 02 1C ADD R2,R0,#0
00A0CA10: 39 1C ADD R1,R7,#0
00A0CA12: 30 1C ADD R0,R6,#0
00A0CA14: 43 F7 9E F9 CALL 0094FD54
00A0CA18: 01 28 CMP R0,#01
00A0CA1A: 01 D1 BNE 00A0CA20
00A0CA1C: 00 25 MOV R5,#00
00A0CA1E: 05 E0 JMP 00A0CA2C
00A0CA20: 60 68 LDR R0,[R4+#04]
00A0CA22: 23 28 CMP R0,#23
00A0CA24: 01 D1 BNE 00A0CA2A
00A0CA26: 08 25 MOV R5,#08
00A0CA28: 00 E0 JMP 00A0CA2C
00A0CA2A: 02 25 MOV R5,#02
00A0CA2C: 20 1C ADD R0,R4,#0
00A0CA2E: 50 F6 34 E8 CALLX 0085CA9A
00A0CA32: 28 1C ADD R0,R5,#0
00A0CA34: E0 E7 JMP 00A0C9F8


At address 00A0CA14: is the most important call, the function that tests the PSW!!!
On return from that function, if R0=1 the pass is correct and the phone will be unlocked!

So we can patch data at addr:

00A0CA18: 01 28 CMP R0,#01 to
00 28 that is CMP R0,#00

or on addr:

00A0CA1A: 01 D1 BNE 00A0CA20 to
01 D0 that is BNE 00A0CA20

And phone will be unlocked!!!

As you can see, in the first case we toggle bit 0 (ad0) and in the second
we toggle bit 8 (ad8). This method is used for N73.

Anyway there are lots of ways to patch code on the fly, toggling only ONE bit!!!,
since Nokia left such a BIG security hole in their design!


End of Part 2

Part 3:

Code patching on the fly.

Because of low power, modern FLASH drives its data lines with low current (1-5mA),
so using any CPLD or FPGA with port current drive of 20mA or more will
force the FLASH to toggle data on its pin(s).

The method is simple. Find the appropriate pad on the flash to toggle its data (ad0, ad1, ad8, etc.), and the FLASH clk that is used for CPU synchronisation with the FLASH.

The CPLD has to read the burst data on the appropriate FLASH pin and compare it
with the appropriate value. Once that occurs, the CPLD will toggle the value on the FLASH
pin, and that's it!

Building such a device is simple (look for the post on the N95 smallest unlock device
with xc2c32a), but finding the triggering value is a little complicated.

The ARM reads data from FLASH in 32-byte long bursts, and the space between
bursts is defined by the FLASH speed, which is set by the firmware.
To make it easiest, you can use RDY and OE to determine when burst data is
valid. The burst is valid when OE=0 and RDY=1! But you have to find those
TP on the phone board (6630 has them!)

EXAMPLE:

We will use AD0 and CLK on the 5200 (with SW = V 05.00 27-04-07 RM-174)
because those TPs exist on the board.
Use the procedure from PART 1 and 2.

We have to patch data at addr:

00A0CA18: 01 28 CMP R0,#01 with
00 28 that is CMP R0,#00

Since bursts start on a 32-byte aligned address, we have to look at data from
00A0CA00: to 00A0CA1F:

Also, we have to toggle the AD0 pin, and we have to look at the first bit of odd bytes
(because of the LITTLE ENDIAN format)

So looking at bit0 from 00A0CA18: to 00A0CA1F: we will get:
0010000010101101

and 001000001010->1<-101 has to be toggled to 0.

As you can see, the 12 bits from the left can be used as triggering bits, but
there will be many togglings if we use only 12 bits and the phone will crash!
For success, we have to use 24 or more triggering bits.
To obtain more bits we can use:

If we are using RDY and OE and there is no CALL function between two bursts,
just read the next 16 bits from address - 32.

If we are using RDY and OE and there is a CALL function like in this example,
we have to find by disassembling where the LAST burst is read before the CALL
ends. That is more complicated and it is easiest to guess the values!

If we are NOT using RDY and OE we also have to guess the values.
Here are some observations.

The pause between bursts can be from 6 to 9 bits.
If the first bit of a new burst is 0 then all bits will be 0 (in most cases).
If the first bit of a new burst is 1 then the bits will start with 0 and will finish with 1
(00000111).

How to guess bits.
The easiest way is using the CPLD and the previously found 16 bits (0010000010101101).
In this example the first bit is 0 so we will add a 0 from the left
(00010000010101101).
Run SP unlocking with the CPLD connected and look if the CPLD found a match!
If it is found, just add a 0 to the left again. If not, replace the 0 with 1 and try again.
Also you can start with 1 and replace it with 0.

In the end, with luck, you will find only one long string of 24 bits or more in size.
If you find more than one string YOU have to test all of them until you
find the right one!

In this example it looks like: 111111000000000010000010101101

Since the toggling bit is the 4th from the right, we simply have to remove those 4 bits.
11111100000000001000001010 and THAT IS IT!!!

Note: depending on the CPLD design some delay (pipeline) can exist.
In my design for xc2c32a a delay of 2 clocks (bits) is used, so the trigger string will
be: 111111000000000010000010 and if you know how to insert that string
in the jedec file, you will be able to unlock 5200 V 05.00 27-04-07 RM-174

End of part 3.

By DEJAN KALJEVIC





I have the 6280 firmware and the mcusw, and in the hex editor I found the string 012345678901234 but I can do the next step - "Subtract 1000h from that address (200h to 2000h).
This is the address from which you will start to disassemble the code!!!"

If anyone knows how to do this step please help.
Thanks
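Editor's added example (not part of naigh's post, of Dejan's text, or of any of his tools): the quoted Part 2 says the whole pass/fail decision of the SP routine sits in one compare and one conditional branch, each a single bit away from its inverse, and Part 1 says that code is checked once at boot and then executed straight from flash. The Python below makes that concrete without any hardware: it decodes the 16-bit Thumb-1 instruction forms that occur in the burst 00A0CA00..00A0CA1F of the listing (bytes copied from the listing above and embedded as the sample input), shows the decoded burst, and shows what flipping bit 0 of the halfword at 00A0CA18 and bit 8 of the halfword at 00A0CA1A does to the decoded instruction. The decoder covers only the encodings present in that listing; the "bit n of the halfword = ADn" naming assumes a 16-bit data bus, as the post's AD0/AD8 wording implies. The lesson for a firmware designer is the time-of-check/time-of-use gap: a one-time signature check protects nothing that is later fetched from an externally driven bus, so security decisions belong in the internally held, verified code and should not hinge on a single bit.

```python
# Added example: minimal Thumb-1 decoder for the instruction forms in the quoted
# listing, used to show the effect of the post's one-bit toggles. Not from the post.

BURST_BASE = 0x00A0CA00
# Constructed sample: the 32-byte burst 00A0CA00..00A0CA1F, bytes copied from the
# listing above, stored little-endian exactly as they sit in flash.
BURST = bytes.fromhex(
    "240E" "0E2C" "F3D9" "0820" "40F63CE9" "041C" "021C" "391C"
    "301C" "43F79EF9" "0128" "01D1" "0025" "05E0"
)

COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE"]


def halfword_at(code: bytes, base: int, addr: int) -> int:
    """Little-endian 16-bit fetch: bits 0-7 come from the byte at addr (AD0..AD7 on a
    16-bit bus), bits 8-15 from the byte at addr + 1 (AD8..AD15)."""
    i = addr - base
    return code[i] | (code[i + 1] << 8)


def decode(hw: int, addr: int) -> str:
    """Decode one Thumb-1 halfword located at addr (only the forms used in the listing)."""
    top5 = hw >> 11
    rd, imm8 = (hw >> 8) & 7, hw & 0xFF
    if top5 == 0b00100:
        return f"MOV R{rd},#{imm8:02X}"
    if top5 == 0b00101:
        return f"CMP R{rd},#{imm8:02X}"
    if top5 == 0b00110:
        return f"ADD R{rd},#{imm8:02X}"
    if top5 == 0b00111:
        return f"SUB R{rd},#{imm8:02X}"
    if top5 == 0b00011:                      # ADD/SUB Rd,Rs,Rn  or  Rd,Rs,#imm3
        op = "SUB" if hw & 0x200 else "ADD"
        rd, rs, n = hw & 7, (hw >> 3) & 7, (hw >> 6) & 7
        return f"{op} R{rd},R{rs},{'#' if hw & 0x400 else 'R'}{n}"
    if (hw >> 13) == 0:                      # LSL/LSR/ASR Rd,Rs,#imm5
        shift = ["LSL", "LSR", "ASR"][(hw >> 11) & 3]
        return f"{shift} R{hw & 7},R{(hw >> 3) & 7},#{(hw >> 6) & 0x1F}"
    if (hw >> 12) == 0b1101 and ((hw >> 8) & 0xF) < 14:   # conditional branch
        off = imm8 - 256 if imm8 & 0x80 else imm8        # signed 8-bit, in halfwords
        return f"B{COND[(hw >> 8) & 0xF]} {addr + 4 + off * 2:08X}"
    if top5 == 0b11100:                      # unconditional branch, signed 11-bit
        off = hw & 0x7FF
        off = off - 2048 if off & 0x400 else off
        return f"B {addr + 4 + off * 2:08X}"
    return f"<not decoded: {hw:04X}>"


def decode_bl(hw1: int, hw2: int, addr: int) -> str:
    """BL/BLX pair: 11110 hi11 followed by 11111 lo11 (BL) or 11101 lo11 (BLX)."""
    hi = hw1 & 0x7FF
    hi = hi - 2048 if hi & 0x400 else hi
    target = addr + 4 + (hi << 12) + ((hw2 & 0x7FF) << 1)
    if (hw2 >> 11) == 0b11101:
        return f"BLX {target & ~3:08X}"       # BLX target is word aligned
    return f"BL {target:08X}"


def listing(code: bytes, base: int) -> list[tuple[int, str]]:
    """Walk the burst halfword by halfword, merging BL/BLX prefix+suffix pairs."""
    out, i = [], 0
    while i + 1 < len(code):
        addr = base + i
        hw = code[i] | (code[i + 1] << 8)
        if (hw >> 11) == 0b11110 and i + 3 < len(code):
            hw2 = code[i + 2] | (code[i + 3] << 8)
            out.append((addr, decode_bl(hw, hw2, addr)))
            i += 4
        else:
            out.append((addr, decode(hw, addr)))
            i += 2
    return out


def toggle_bit(code: bytes, base: int, addr: int, bit: int) -> bytes:
    """Return a copy of code with one bit of the little-endian halfword at addr flipped.
    bit 0..7 lands in the byte at addr, bit 8..15 in the byte at addr + 1."""
    buf = bytearray(code)
    buf[addr - base + (bit >> 3)] ^= 1 << (bit & 7)
    return bytes(buf)


if __name__ == "__main__":
    for addr, text in listing(BURST, BURST_BASE):
        print(f"{addr:08X}: {text}")
    # The two single-bit patches named in Part 2 of the quoted text.
    for addr, bit in ((0x00A0CA18, 0), (0x00A0CA1A, 8)):
        before = decode(halfword_at(BURST, BURST_BASE, addr), addr)
        patched = toggle_bit(BURST, BURST_BASE, addr, bit)
        after = decode(halfword_at(patched, BURST_BASE, addr), addr)
        print(f"{addr:08X} AD{bit}: {before} -> {after}")
```

Running it reproduces the listing's branch and call targets from the raw bytes (for example the BL at 00A0CA14 resolves to 0094FD54 and the BLS at 00A0CA04 to 00A0C9EE), which is a quick way to confirm that a disassembly was taken at the right base address before trusting it. The second loop shows that 0x2801 with bit 0 cleared decodes as CMP R0,#00 and that 0xD101 with bit 8 cleared decodes as BEQ 00A0CA20: the condition field and the immediate are each one bit, so any check written this way and fetched from an unverified bus is a single-fault decision.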