
Thread: Looking for serious developers

  1. #1

    Looking for serious developers

    Hi.

    I'm looking for serious developers who do their homework and know more than just how to click buttons. It appears to me that this forum is a good place to find those.

    My experience is broad and covers almost all big brands. However I was away for about 2 years, and thus missed the most recent changes. Now I'm about to dig into all this again, and would love to communicate with others.

    In the past, my work was somewhat isolated. This was bad, because I had to do everything myself. On the other hand it was good, because I was able to do stuff that others couldn't do. I'm not exactly sure what is public knowledge right now and what isn't. But e.g. I am able to decrypt Nk Flash and FIA, and to boot UPP and cable-unlock 0120 without any Phoenix files, which isn't public knowledge IMHO.

    Are you my kind of dude?

    Marc

  2. #2
    (joined Sep 2002, Portugal, 1,295 posts)
    By your post, I see you are outdated.

    What kind of programmer do you really need?

    Attention Portuguese users:

    New forum for GSM and more, 100% in Portuguese:

    GsmIn.com

  3. #3
    Quote Originally Posted by Crux2002:
    > By your post, I see you are outdated.
    > What kind of programmer do you really need?

    Hi Crux..

    Please check your private messages, I sent you one a few days ago.

    Marc

  4. #4
    (joined Mar 2002, Portugal, 68 posts)
    > But e.g. I am able to decrypt Nk Flash and FIA

    I would looooove to know this!

  5. #5
    (joined Mar 2003, Dublin - www.GSMsolutions.ie, 219 posts)

    @jmarc

    What is your new mission... maybe we can help.

  6. #6
    Quote Originally Posted by gsmsolutionsltd:
    > @jmarc
    > What is your new mission... maybe we can help.

    At the moment I'm updating my knowledge to today's phones (which seems to be quite easy) and filling the gaps that remain from the past (which is more difficult).

    One example is what I call the UPP buskey. It's the value that's stored in flash and has to be copied to the IO space to enable the transparent bus decryption. Obviously it's stored in the UPP hardware for comparison, and the only way I found to get the value is to read it from the flash. That is, when the flash is totally erased, I'd better have a backup of it. I'd really prefer to read or re-generate this value from hardware, but found no way to do it (yet).

    Note that I conduct my experiments with a special piece of native software (not with Phoenix files). That is, I have complete control over the hardware and initialisation. The limiting factor is my knowledge of the hardware, not the software I use.

    Do you know what I'm talking about?

  7. #7
    (joined Sep 2002, Portugal, 1,295 posts)
    That's cool.

    Seems like you know more than me.

    BTW, what software are you talking about? What is that?

  8. #8
    So, if I understood you correctly, you found a way to run a custom-made boot loader on the phone? Is that it? All boot loaders are encrypted and decrypted at run-time; how do you do that? I think the phone will refuse to run any code in "plain text"...

  9. #9
    Yes, that's what I do. I boot my own native code to do my analysis. I disassembled the FIA files and regular firmware to find out how to control the hardware, e.g. how to configure the chip selects, how to allow flash write access, how to use the CBUS (thanks to the debug messages that NMP left in their firmware), etc.

    However, there remain a lot of things that I don't know: those that are not contained in any FIA or firmware file, and not obvious enough to just try them. The UPP buskey is an example. I think it's the encrypted version of another piece of data (like the UPP serial number), and either stored in some kind of OTP memory, or derived from the other data at runtime. That might be the case because there exists an ACK bit which has to be polled after loading the key (which indicates processing in hardware or by the DSP). Well, I think I have to do a measurement of the processing time to find out more about it.

    The DSP is another such thing. I have quite a lot of disassembled firmware code that communicates with the DSP, but it's far from being complete and reproducible. When I boot the phone and try to communicate with the DSP, it doesn't work (there's some initialisation missing, obviously). And also I still didn't manage to download the DSP code for disassembling.

    Did any of you? Or are there already DSP code patches in newer phones (like there were in DCT3)? I'd love to see them.

  10. #10
    Can you explain to me what the purpose of the UPP buskey is? Is that the "key" that decrypts the code? Where on the phone is the algorithm that decrypts the firmware located? Do you encrypt your boot loader before loading it onto the phone? How do you decrypt the firmware to disassemble it? I would love to put my hands on a decrypted DCT4 firmware. Have you tried to disassemble a Symbian firmware? Symbian firmwares have a file system; it would be very useful to understand that file system to be able to extract individual "programs", since the Symbian phones are divided into programs, so you can disassemble just what you need.

  11. #11
    > Can you explain to me what the purpose of the UPP buskey is? Is that the "key" that decrypts the code?

    Yes. I think it is an encrypted table. Each phone has a different key but they all result in the same table after decryption. The table, once initialised, is then used as key for the bus decryption. It also contains some kind of consistency check so that invalid (eg random) keys can be rejected.

    > Where on the phone is the algorithm that decrypts the firmware located?

    In the UPP bus interface hardware.

    > Do you encrypt your boot loader before loading it onto the phone?

    Sure, otherwise it wouldn't execute.

    > How do you decrypt the firmware to disassemble it?

    The easiest way is to download it from the phone as seen by UPP, so the phone itself does the decryption. Given a matching ciphertext / plaintext pair, I can also encrypt any plaintext under the same key. I didn't investigate that any further, but I might try tonight. I did this a long time ago and don't recall all the details.

    > I would love to put my hands on a decrypted DCT4 firmware. Have you tried to disassemble a Symbian firmware?

    No.

    > Symbian firmwares have a file system; it would be very useful to understand that file system to be able to extract individual "programs", since the Symbian phones are divided into programs, so you can disassemble just what you need.

    I don't know how Symbian stores the files. However, the normal DCT4 also has a file system and I know how it works (enough to read, write, modify and delete files). If Symbian works with files larger than 64k then it obviously has to use a different file system. The one I know can be recognized by lots of occurrences of "f4 xx xx xx 55 ff ff ff".


    Having answered your questions, is there anyone who can help me with mine?
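As an added illustration (my code, not from the thread or from any Nokia tool), here is a toy model of the two techniques jmarc describes above: the known-plaintext trick that lets him encrypt a new boot loader once he has one matching ciphertext/plaintext pair, and the scan for the "f4 xx xx xx 55 ff ff ff" record marker in a decrypted image. Everything about the cipher is an assumption: the real UPP bus cipher is not described on this page, so it is modelled here as a word-wise XOR with a 256-entry table indexed by bus address, with 16-bit words and a constructed 4 KiB sample image. What does carry over from the post is the property that for any cipher whose keystream depends only on position, one sufficiently long known pair yields the keystream, and with it arbitrary new plaintext can be encrypted for the same region.

```python
import random
import re

WORD = 2          # assumption: 16-bit bus words, little-endian
TABLE_LEN = 256   # assumption: keystream repeats every 256 words

def _w(buf, off):
    return int.from_bytes(buf[off:off + WORD], "little")

def toy_bus_crypt(data, table, base=0):
    """Toy 'transparent bus' cipher: the word at bus address A is XORed with
    table[(A // WORD) % TABLE_LEN]. XOR is its own inverse, so this both
    encrypts and decrypts. `base` is the bus address of data[0]."""
    assert len(data) % WORD == 0 and len(table) == TABLE_LEN
    out = bytearray()
    for i in range(0, len(data), WORD):
        k = table[((base + i) // WORD) % TABLE_LEN]
        out += (_w(data, i) ^ k).to_bytes(WORD, "little")
    return bytes(out)

def recover_table(plain, cipher, base=0):
    """Known-plaintext recovery: keystream word = P ^ C at each position.
    Needs at least TABLE_LEN words so every slot is observed, and rejects the
    pair if one slot would need two different values (then the model is wrong)."""
    assert len(plain) == len(cipher) and len(plain) >= TABLE_LEN * WORD
    table = [None] * TABLE_LEN
    for i in range(0, len(plain), WORD):
        idx = ((base + i) // WORD) % TABLE_LEN
        k = _w(plain, i) ^ _w(cipher, i)
        if table[idx] is None:
            table[idx] = k
        elif table[idx] != k:
            raise ValueError(f"keystream inconsistent at offset {i:#x}")
    return table

# Record marker jmarc gives for the DCT4 file system: f4 xx xx xx 55 ff ff ff
FS_MARKER = re.compile(rb"\xf4(...)\x55\xff\xff\xff", re.DOTALL)

def find_fs_records(image):
    """(offset, the three unknown bytes) for every marker in a decrypted image."""
    return [(m.start(), m.group(1)) for m in FS_MARKER.finditer(image)]

def build_sample(seed=4):
    """Constructed plaintext image and key table, deterministic for the demo."""
    rng = random.Random(seed)
    table = [rng.randrange(1 << 16) for _ in range(TABLE_LEN)]
    plain = bytearray(rng.randrange(256) for _ in range(4096))
    for off in (0x100, 0x7f8, 0xa00):             # plant three records
        plain[off:off + 8] = b"\xf4\x01\x02\x03\x55\xff\xff\xff"
    return bytes(plain), table

def demo():
    plain, table = build_sample()
    cipher = toy_bus_crypt(plain, table)             # what a raw flash read shows
    recovered = recover_table(plain, cipher)         # from the single known pair
    loader = bytes(range(256)) * 2                   # a new 'boot loader'
    loader_ct = toy_bus_crypt(loader, recovered)     # encrypted without seeing `table`
    tampered = bytearray(cipher)
    tampered[600] ^= 0xFF                            # corrupt one byte of the pair
    try:
        recover_table(plain, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "table_recovered": recovered == table,
        "loader_decrypts": toy_bus_crypt(loader_ct, table) == loader,
        "tamper_detected": tamper_detected,
        "records": find_fs_records(plain),
    }

if __name__ == "__main__":
    r = demo()
    print("table recovered:", r["table_recovered"], "loader ok:", r["loader_decrypts"],
          "tamper detected:", r["tamper_detected"])
    for off, unknown in r["records"]:
        print(f"fs record at {off:#06x}, unknown bytes {unknown.hex()}")
```

`demo()` builds the sample image, recovers the table from the pair, encrypts a fresh loader for the same region and verifies the hardware-side (table) view decrypts it, shows that an inconsistent pair is rejected rather than silently producing a bad table, and lists the record markers in the plaintext. The consistency check is the part worth keeping for a real target: if a recovered keystream disagrees with itself, the cipher is not position-only and the model has to change before any "encrypt my own loader" step is trusted.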

  12. #12
    (joined Sep 2002, Portugal, 1,295 posts)
    You should take a look at www.blacksphere.tk.
    Take a look here: http://zope.achterklap.nl:8080/nokia/sub_100hardware
    and here: http://zope.achterklap.nl:8080/nokia/sub_200nokiaos

    There's everything you talk about there, as far as I know.

    Even initialisation stuff.

    Send me a PM with your mail, ICQ or MSN please.

    You will be surprised by all the information on www.blacksphere.tk.

    All credits for that go to wumpus and g3gg0 (I hope I didn't forget anyone) :d

  13. #13
    Jmarc, please check your PM.

  14. #14
    Well, I can't help you with your questions; the only thing I know about the DSP is that you can't update the DSP firmware, but you can add something like a "plug-in" to the DSP via code blocks that hook into the DSP firmware.
    Can you send me some info about the DCT4 file system? Or explain what method you use to encrypt your boot loader? I really want to analyse/reverse-engineer a Symbian firmware.

    Send me a mail: [email protected]
    Last edited by Mulder3; 05-02-2004 at 02:29 PM.

  15. #15
    (joined Jul 2003, The Netherlands, 254 posts)
    Great, this sounds like some kind of blacksphere project for DCT4. Disassembling the DCT3 phones was really thrilling for me.

    DCT4 would be cool to port MADos to, as those phones have polyphonic sound and color screen. Woohoo..

    Too bad I don't have a DCT4 phone and don't have much time for this anymore either

    But I'm really interested in the progress of this.

    BTW: The DSP stuff sounds much like the DSP in DCT3. This one also has codeblocks as 'patches' and 'hooks' for the main DSP firmware.

    Does it use MDI as CPU<->DSP protocol?

    Well good luck.

  16. #16
    I don't know if it uses MDI or not, but something tells me that it does... Maybe jmarc can answer that question... I cannot decrypt the DCT4 files, so I really don't know... I think that DCT4s are like DCT3s in terms of programming; the only difference is the security on the phone... (I am only speculating...)

  17. #17
    Quote Originally Posted by Mulder3:
    > I don't know if it uses MDI or not, but something tells me that it does... Maybe jmarc can answer that question... I cannot decrypt the DCT4 files, so I really don't know... I think that DCT4s are like DCT3s in terms of programming; the only difference is the security on the phone... (I am only speculating...)

    Yes, there is an MDI, which is one of the bigger code modules (~1800 lines). I didn't analyse it fully, but when browsing through it I identified several functions. There are probably more..

    0xXXXXXXXX ; mcu2dsp, first function of hw_mdi.c
    0xXXXXXXXX ; uword = mcu2dsp_GetMboxFree(*apidef); less than max_m2d_mbx_size;
    0xXXXXXXXX ; mcu2dspAllocateMbox(*struct{*apidef,*msg}) msg[8]=type msg[9]=type msg[a]=size msg[c]=?
    0xXXXXXXXX ; mcu2dsp, again mbx alloc failed
    0xXXXXXXXX ; mcu2dsp alloc and int

    0xXXXXXXXX ; dsp2mcu_GetMbxFree
    0xXXXXXXXX ; dsp2mcuInc(*apidef, uword increment_count);
    0xXXXXXXXX ; dsp2mcu_Read(apidef, *dst, len); len in words

    0xXXXXXXXX ; mcu2dspInc0x0c(*apidef, uword increment_count);

    0xXXXXXXXX ; mcu2dsp_WriteMsg(apidef, *msg, len); len in words

    0xXXXXXXXX ; hw_arm_cpsr_get();
    0xXXXXXXXX ; hw_arm_cpsr_put(ulong);
    0xXXXXXXXX ; hw_arm_stack_set(ulong);
    0xXXXXXXXX ; ulong = hw_arm_stack_get();

    0xXXXXXXXX ; *msg GetMsg(); can return literals (as before)

    0xXXXXXXXX ; set ctrl_wd_index(apidef, ctrl_wd_index);
    0xXXXXXXXX ; set au_ctrl_index(apidef, ?, ?) mfams
    0xXXXXXXXX ; mcu2dsp copy r2 words from *r1++ to *r0++

    0xXXXXXXXX ; swr(apidef,enum); reads various fields from apidef->0x28

    0xXXXXXXXX ; hw_mdi_pdram_bank_switch(device 3-4, bank 2-;
    0xXXXXXXXX ; the only function with pdram_bank_switch(3,8 and then 4,;

  18. #18
    (joined Sep 2002, Portugal, 1,295 posts)
    What program did you use to get that info?

  19. #19
    That's what I call reverse engineering... How do you know that the file is named "hw_mdi.c"? Or do you have some leaked source from Nokia's R&D dept.? LOL

  20. #20
    Quote Originally Posted by Mulder3:
    > That's what I call reverse engineering... How do you know that the file is named "hw_mdi.c"? Or do you have some leaked source from Nokia's R&D dept.? LOL

    Nokia was kind enough to leave debug messages on, like

    Assertion failed, (mcu_in_offset < apidef->max_m2d_mbx_size), file hw_mdi.c, line 764

    But boys, this becomes pathetic. Please write something interesting.

    The software I use is ADW, Crisp, and a set of self-made tools. I often read that people use IDA but I personally hate it (although I have a legitimate license).
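An added example (mine, not from the thread or from Nokia) of how to make systematic use of the leftover debug strings jmarc is relying on: harvest every "Assertion failed, (cond), file X, line N" message from a firmware image, group them by source file so the original .c layout falls out, pull the identifiers from each condition (that is where names like `max_m2d_mbx_size` come from), and locate the word-aligned literal-pool entries that point at each string, which is how you walk back from the message to the asserting function in the disassembly. The sample image, its load base `0x01000000`, the literal-pool offsets and the second assertion string are all constructed for the demo; only the hw_mdi.c message is taken from the post. Treating the image as flat little-endian 32-bit words is an assumption that fits ARM literal pools but not every layout.

```python
import re

# Shape of the debug strings quoted in the post:
#   Assertion failed, (<condition>), file <name>, line <number>
ASSERT_RE = re.compile(
    rb"Assertion failed, \((?P<cond>.+?)\), file (?P<file>[\w.\-]+), line (?P<line>\d+)"
)
# C identifiers, keeping member chains such as apidef->max_m2d_mbx_size intact
IDENT_RE = re.compile(r"[A-Za-z_]\w*(?:(?:->|\.)\w+)*")

def find_assertions(image):
    """Locate every assertion string; returns dicts with offset, file, line, condition."""
    return [
        {
            "offset": m.start(),
            "file": m["file"].decode("ascii"),
            "line": int(m["line"]),
            "cond": m["cond"].decode("ascii", "replace"),
        }
        for m in ASSERT_RE.finditer(image)
    ]

def identifiers(cond):
    """Variable and field names used in a condition (numeric literals are skipped)."""
    return set(IDENT_RE.findall(cond))

def group_by_file(assertions):
    """Map source file -> assertions sorted by line: a rough map of each original .c file."""
    grouped = {}
    for a in assertions:
        grouped.setdefault(a["file"], []).append(a)
    for lst in grouped.values():
        lst.sort(key=lambda a: a["line"])
    return grouped

def find_refs(image, offset, base):
    """Offsets of word-aligned little-endian 32-bit words equal to base+offset,
    i.e. literal-pool entries pointing at the string; the assert call site is nearby."""
    needle = (base + offset).to_bytes(4, "little")
    return [off for off in range(0, len(image) - 3, 4) if image[off:off + 4] == needle]

# --- constructed sample image (not a real dump) ---
LOAD_BASE = 0x01000000   # hypothetical load address of the image
STRINGS = {
    # the message quoted in the post
    0x200: b"Assertion failed, (mcu_in_offset < apidef->max_m2d_mbx_size), file hw_mdi.c, line 764\0",
    # made-up second message so that grouping has something to do
    0x300: b"Assertion failed, (ptr != 0), file constructed_example.c, line 12\0",
}

def build_sample_image():
    img = bytearray(0x400)
    for off, s in STRINGS.items():
        img[off:off + len(s)] = s
    # literal-pool words referencing the strings, as the asserting code would hold them
    img[0x40:0x44] = (LOAD_BASE + 0x200).to_bytes(4, "little")
    img[0x44:0x48] = (LOAD_BASE + 0x300).to_bytes(4, "little")
    return bytes(img)

def demo():
    image = build_sample_image()
    found = find_assertions(image)
    return {
        "found": found,
        "by_file": group_by_file(found),
        "idents": {a["file"]: identifiers(a["cond"]) for a in found},
        "refs": {a["file"]: find_refs(image, a["offset"], LOAD_BASE) for a in found},
    }

if __name__ == "__main__":
    r = demo()
    for f, items in sorted(r["by_file"].items()):
        print(f"{f}:")
        for a in items:
            refs = [hex(x) for x in r["refs"][f]]
            print(f"  line {a['line']:>4} @ {a['offset']:#06x}: {a['cond']}  refs={refs}")
```

On a real decrypted image you would run `find_assertions` over the whole dump and `find_refs` with the actual load base; every hit in `refs` is a literal-pool word, and the function containing the load of that word is the one whose source line is named in the message. The identifiers recovered from the conditions are what let jmarc label fields like `apidef->max_m2d_mbx_size` in the listing above without any source.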

  21. #21
    I can't write anything to help you... sorry... Maybe you can explain to us how to encrypt/decrypt flashes, so we can analyse the firmware; it's a bit difficult to tell you something because I can't decrypt it, or at least maybe you can send us some decrypted firmware.

  22. #22
    Quote Originally Posted by jmarc:
    > Hi.
    >
    > I'm looking for serious developers who do their homework and know more than just how to click buttons. It appears to me that this forum is a good place to find those.
    >
    > My experience is broad and covers almost all big brands. However I was away for about 2 years, and thus missed the most recent changes. Now I'm about to dig into all this again, and would love to communicate with others.
    >
    > In the past, my work was somewhat isolated. This was bad, because I had to do everything myself. On the other hand it was good, because I was able to do stuff that others couldn't do. I'm not exactly sure what is public knowledge right now and what isn't. But e.g. I am able to decrypt Nk Flash and FIA, and to boot UPP and cable-unlock 0120 without any Phoenix files, which isn't public knowledge IMHO.
    >
    > Are you my kind of dude?
    >
    > Marc

    Marc, please check your PM...

    regards,

  23. #23
    (joined Mar 2002, Romania, 73 posts)
    From the info you have, it's not you that is outdated, it's us. Since we're not able to decrypt the flashes we can't study them. No study = no information.

    If you managed to find some people to help you, that's good. If not, then either you'll have to wait until we catch up with you or you have to "invest" in the future and give us some more details.

    BR,
    Mircea
