
View Full Version : dct4 imei and uem info if anyone have use of it



Forhike
09-01-2005, 10:45 AM
Hint:
010000000 Plain FLASH base
090000000 Cipher FLASH base


###########################################
; Get_IMEI
###########################################
; Thumb routine. Reads the 16-byte IMEI record from the secure FLASH block
; and cross-checks its first 8 bytes against the copy held in the UEM.
;r0 = dest (16-byte buffer)
;RET r0 = status; 1=OK
;   NOTE: every path ends at 002B2E8A, which loads r0 with 1, so the returned
;   status is always 1; a rejected IMEI is signalled only by the FF fill of dest.
;If IMEI is BAD dest will be filled with FF,FF,FF,.... ("?????....")
; Regs: r4 = dest, r5 = status of the last check (1=OK); both callee-saved.
; Stack: 8-byte local buffer at SP for the UEM IMEI (4 regs x 2 bytes).

002B2E2C: B5 30 PUSH (R4,R5,LR)
002B2E2E: B0 82 SUB SP,#0008 ;SP_LOC[8] = UEM IMEI buffer

;==========================================
; get IMEI from flash

002B2E30: 1C 04 ADD R4,R0,#0 ;r4 = dest
002B2E32: 21 0D MOV R1,#0D ;offset of the IMEI inside the decrypted secure block
002B2E34: 22 10 MOV R2,#10 ;size = 16 bytes
002B2E36: F0 00 F9 AD CALL 002B3194 ;Get_secure_data_from_FLASH (GET IMEI)

002B2E3A: 1C 05 ADD R5,R0,#0 ;r5 = status
002B2E3C: 2D 01 CMP R5,#01
002B2E3E: D1 1A BNE 002B2E76 ;jmp if IMEI FLASH is NOT VALID! (status != 1 -> FF fill)

;==========================================
; get IMEI from UEM

002B2E40: 46 68 MOV R0,SP ;r0 = dest (SP_LOC[8])
002B2E42: F0 00 F9 DF CALL 002B3204 ;READ_UEM_IMEI r0 = dest; writes 8 bytes
002B2E46: 1C 05 ADD R5,R0,#0 ;r5 = status (1 = some UEM register non-zero)
002B2E48: 2D 01 CMP R5,#01
002B2E4A: D1 0B BNE 002B2E64 ;jmp if UEM IMEI is zero (00,00,00,...) -> sys flag decides

;==========================================
; compare UEM & FLASH IMEI
; Only the first 8 bytes are compared: the UEM copy is 8 bytes, the FLASH
; record is 16. The loop index is kept as a 16-bit value (LSL/LSR 16).

002B2E4C: 46 69 MOV R1,SP ;r1=UEM IMEI, r4=FLASH IMEI
002B2E4E: 20 00 MOV R0,#00 ;r0 = byte index i
002B2E50: 5D 03 LDRB R3,[R0+R4] ;r3 = flash[i]
002B2E52: 78 0A LDRB R2,[R1+#00] ;r2 = uem[i]
002B2E54: 42 93 CMP R3,R2
002B2E56: D1 08 BNE 002B2E6A ;jmp if there is difference!
002B2E58: 31 01 ADD R1,#01
002B2E5A: 1C 40 ADD R0,R0,#1
002B2E5C: 04 00 LSL R0,R0,16 ;truncate index to 16 bits
002B2E5E: 0C 00 LSR R0,R0,16
002B2E60: 28 08 CMP R0,#08
002B2E62: DB F5 BLT 002B2E50 ;loop while i < 8; falls through on a full match (r5 still 1)

;==========================================
; reached with r5=1 (8-byte match) or r5=0 (UEM IMEI all-zero)
002B2E64: 2D 00 CMP R5,#00
002B2E66: D0 01 BEQ 002B2E6C ;UEM empty -> consult sys flag
002B2E68: E0 05 JMP 002B2E76 ;match -> accept the FLASH IMEI

002B2E6A: 25 00 MOV R5,#00 ;mismatch: status = BAD
002B2E6C: 20 03 MOV R0,#03
002B2E6E: F0 00 F8 67 CALL 002B2F40 ;Get_sys_flag(3)
002B2E72: 28 02 CMP R0,#02
002B2E74: D0 09 BEQ 002B2E8A ;flag 3 == 2: keep the FLASH IMEI without a UEM match (flag meaning not visible here)

002B2E76: 2D 01 CMP R5,#01
002B2E78: D0 07 BEQ 002B2E8A ;status OK -> dest already holds the FLASH IMEI

;==========================================
; fill dest with "FF" if IMEI is BAD!  (16 bytes, 16-bit loop index as above)

002B2E7A: 21 FF MOV R1,#FF ;r1 = fill value
002B2E7C: 20 00 MOV R0,#00 ;r0 = byte index i
002B2E7E: 55 01 STRB R1,[R0+R4] ;dest[i] = FF
002B2E80: 1C 40 ADD R0,R0,#1
002B2E82: 04 00 LSL R0,R0,16
002B2E84: 0C 00 LSR R0,R0,16
002B2E86: 28 10 CMP R0,#10
002B2E88: DB F9 BLT 002B2E7E ;loop while i < 16

002B2E8A: 20 01 MOV R0,#01 ;r0 = 1 on every path (see NOTE in header)
002B2E8C: B0 02 ADD SP,#0008
002B2E8E: BD 30 RET (R4,R5)


########################################
Get_secure_data_from_FLASH
########################################
; Copies the 28h-byte cipher block at 0900003A to the temp buffer 00043D14,
; decrypts it in place, checks the 16-bit checksum stored in its last two
; bytes (offsets 26h/27h, high byte first), then copies r2 bytes from
; plaintext offset r1 to dest. The temp buffer is overwritten with FF on
; every exit path.
;r0 = dest
;r1 = offset in FLASH secure data block
;r2 = size in bytes
;RET r0 = status ;1=OK (in dest is valid data), else ERROR (dest is filed by FF...)
;   NOTE: the value returned is r7, the DECRYPT_DATA status. It is not
;   cleared on the checksum-failure path, and the decrypt-failure path skips
;   the copy without filling dest. The caller Get_IMEI treats any status
;   other than 1 as bad and fills dest itself.
; Regs: r4 = size, r5 = temp buffer, r6 = dest, r7 = decrypt status.
; Stack: [SP+0] = offset.
;=======================================

002B3194: B5 F0 PUSH (R4,R5,R6,R7,LR)
002B3196: B0 81 SUB SP,#0004
002B3198: 1C 14 ADD R4,R2,#0 ;r4 = PARAM R2 (size)
002B319A: 91 00 STR R1,[SP+#0000] ;save PARAM R1 (offset)
002B319C: 1C 06 ADD R6,R0,#0 ;r6 = PARAM R0 (dest)


;=======================================
;copy SECURE FLASH cipher block of 28h bytes from FLASH 900003ah to temp RAM 43d14h
; The copy goes through a function pointer held at 00043FD0 (value 840001;
; bit 0 set, so BX stays in Thumb state).

002B319E: 4D 5B LDR R5,[PC+#016C] ;[002B330C]=00043D14 ;r5 = temp baf
002B31A0: 49 5E LDR R1,[PC+#0178] ;[002B331C]=0900003A ;r1 = src (cipher FLASH)
002B31A2: 1C 28 ADD R0,R5,#0 ;r0 = dest (temp baf)
002B31A4: 22 28 MOV R2,#28 ;r2 = size (28h)
002B31A6: 4B 5C LDR R3,[PC+#0170] ;[002B3318]=00043FD0
002B31A8: 68 1B LDR R3,[R3+#00] ;=840001
002B31AA: 46 FE MOV LR,PC ;LR = address of the insn after BX (return address)
002B31AC: 47 18 BX R3 ;call 840001 (ROM_SEC__COPY_MEM r0=dest r1=src r2=size)

;=======================================
;decode SECURE FLASH cipher block (in place)

002B31AE: 1C 28 ADD R0,R5,#0 ;r0,r1 = src,dst (both temp baf)
002B31B0: 1C 29 ADD R1,R5,#0
002B31B2: 22 28 MOV R2,#28 ;size
002B31B4: 23 20 MOV R3,#20 ;decryption mode (meaning of the value not visible here)
002B31B6: F7 FF FF 64 CALL 002B3082 ;DECRYPT_DATA
002B31BA: 1C 07 ADD R7,R0,#0 ;r7 = decrypt status (becomes the return value)

;=======================================
; calc checksum of decrypted SECURE FLASH block and test if it is correct
; CALC_SUM covers the first 26h bytes; the expected value is the big-endian
; halfword at offsets 26h (high) and 27h (low).

002B31BC: 1C 28 ADD R0,R5,#0 ;r0 = src
002B31BE: 21 26 MOV R1,#26 ;size
002B31C0: F7 FF FF 84 CALL 002B30CC ;CALC_SUM (ret r0=chk)
002B31C4: 21 26 MOV R1,#26
002B31C6: 5D 49 LDRB R1,[R1+R5] ;r1 = block[26h]
002B31C8: 02 0A LSL R2,R1,8 ;r2 = block[26h] << 8
002B31CA: 21 27 MOV R1,#27
002B31CC: 5D 49 LDRB R1,[R1+R5] ;r1 = block[27h]
002B31CE: 43 11 ORR R1,R2 ;r1 = chk from SECURE FLASH block
002B31D0: 42 88 CMP R0,R1
002B31D2: D1 0A BNE 002B31EA ;jmp if checksum is BAD! (dest filled with FF, r7 unchanged)

002B31D4: 2F 01 CMP R7,#01
002B31D6: D1 0D BNE 002B31F4 ;jmp if decrypt status is BAD! (no copy; dest left untouched)

;=======================================
; copy size bytes from decrypted block + offset to dest (for IMEI offset=dh,size=10h)

002B31D8: 4B 4F LDR R3,[PC+#013C] ;[002B3318]=00043FD0
002B31DA: 98 00 LDR R0,[SP+#0000] ;PARAM R1 (offset)
002B31DC: 19 41 ADD R1,R0,R5 ;r1 = temp_baf+offset (src)
002B31DE: 1C 30 ADD R0,R6,#0 ;r0 = PARAM R0 (dest)
002B31E0: 1C 22 ADD R2,R4,#0 ;r2 = PARAM R2 (size)
002B31E2: 68 1B LDR R3,[R3+#00] ;=840001
002B31E4: 46 FE MOV LR,PC ;LR = address of the insn after BX (return address)
002B31E6: 47 18 BX R3 ;call 840001 (ROM_SEC__COPY_MEM r0=dest r1=src r2=size)
002B31E8: E0 04 JMP 002B31F4 ;skip the error fill, go to the temp wipe

;=======================================
; If FLASH IMEI have any error dest will be filled with "FF".....
; (reached only on a checksum mismatch; falls through into the temp wipe)

002B31EA: 1C 22 ADD R2,R4,#0 ;r2 = PARAM R2 (size)
002B31EC: 1C 30 ADD R0,R6,#0 ;r0 = PARAM R0 (dest)
002B31EE: 21 FF MOV R1,#FF ;r1 = fill value
002B31F0: F1 86 FE 0C CALL 00439E0C ;FILL_MEM

;=======================================
; fill temp_baf to make HACKING harder :)
; i.e. scrub the plaintext copy of the secure block from RAM; every exit
; path (OK, bad checksum, bad decrypt) passes through here.

002B31F4: 1C 28 ADD R0,R5,#0 ;r0 = temp_baf
002B31F6: 21 FF MOV R1,#FF ;r1 = fill value
002B31F8: 22 28 MOV R2,#28 ;size
002B31FA: F1 86 FE 07 CALL 00439E0C ;FILL_MEM

002B31FE: 1C 38 ADD R0,R7,#0 ;r0 = decrypt status (see NOTE in header)
002B3200: B0 01 ADD SP,#0004
002B3202: BD F0 RET (R4,R5,R6,R7)
;************************************************

;################################################
READ_UEM_IMEI
;################################################
; Reads four 16-bit UEM registers named by the reg:mask table at [002B332C]
; and stores each value at dest high byte first (8 bytes in total).
;r0 = dest (8-byte buffer)
;RET r0 = status; 1=IMEI is not zero (00,00,00,....) i.e. at least one of the
;   four register values read as non-zero; 0 if all four were 0000.
; Regs: r4 = dest write pointer, r5 = table pointer, r6 = registers left, r7 = status.

002B3204: B5 F0 PUSH (R4,R5,R6,R7,LR)
002B3206: 1C 04 ADD R4,R0,#0 ;r4 = dest
002B3208: 26 04 MOV R6,#04 ;read 4 registers
002B320A: 4D 48 LDR R5,[PC+#0120] ;[002B332C]=014AE414 ;IMEI reg:mask table (1b,1c,1d,1e, mask=ffff)
; NOTE(review): the table dump further down is labelled 004AE414, not 014AE414 — presumably the same table at an aliased address; verify
002B320C: 27 00 MOV R7,#00 ;r7 = 0 (no non-zero value seen yet)

002B320E: 68 28 LDR R0,[R5+#00] ;r0 = reg:mask
002B3210: F0 01 FD 99 CALL 002B4D46 ;READ_UEM_REG
002B3214: 04 00 LSL R0,R0,16 ;r0 = reg value (truncated to 16 bits)
002B3216: 0C 00 LSR R0,R0,16
002B3218: 2F 00 CMP R7,#00
002B321A: D1 02 BNE 002B3222 ;status already 1 -> skip the zero test
002B321C: 28 00 CMP R0,#00
002B321E: D0 00 BEQ 002B3222 ;value 0000 -> status unchanged
002B3220: 27 01 MOV R7,#01 ;first non-zero register value -> status = 1
002B3222: 0A 01 LSR R1,R0,8
002B3224: 70 21 STRB R1,[R4+#00] ;wr reg value H to dest
002B3226: 34 01 ADD R4,#01
002B3228: 70 20 STRB R0,[R4+#00] ;wr reg value L to dest
002B322A: 34 01 ADD R4,#01
002B322C: 35 04 ADD R5,#04 ;next table entry (4 bytes each)
002B322E: 3E 01 SUB R6,#01
002B3230: D1 ED BNE 002B320E ;loop until all 4 registers are read

002B3232: 1C 38 ADD R0,R7,#0 ;r0 = status
002B3234: BD F0 RET (R4,R5,R6,R7)
;************************************************

; Four 4-byte reg:mask entries consumed by READ_UEM_IMEI (registers 1Bh..1Eh,
; mask FFFF), shown as halfwords in dump order; the in-memory byte order of
; each word is not certain from this listing.
004AE414: 00 1B ;IMEI UEM TABLE (entry 0: reg 1Bh)
004AE416: FF FF ;mask
004AE418: 00 1C ;entry 1: reg 1Ch
004AE41A: FF FF ;mask
004AE41C: 00 1D ;entry 2: reg 1Dh
004AE41E: FF FF ;mask
004AE420: 00 1E ;entry 3: reg 1Eh
004AE422: FF FF ;mask
;************************************************

JanXster
18-01-2005, 01:01 PM
Everyone please notice that thanks for this goes to Dejan. Check out GSM-Forum for more.

Forhike
18-01-2005, 02:12 PM
Of course, it's all Dejan's work =)

but it seems like no one here is interested in the information =p

Shef
18-01-2005, 04:18 PM
Don't think that I'm totally lame,
but I'm not sure what this is good for;
can someone tell me?
Thanx
Shef

Forhike
18-01-2005, 04:22 PM
I can tell you that I'm useless regarding programming...
but if you have the knowledge it seems like you can make partial flash files with this, changing IMEI and so on, without changing the UEM

but i think you need more algos for that

[ExiTuS]
25-01-2005, 04:11 AM
also you can read encrypted flash files from Nokia DCT-4 phones. The first step into DCT4 modding...

more on GSM-Forum... there's a wide range of discussion about that!

I also think that nobody is interested in it... what a pity, *****s :)

greetings from germany
[ExiTuS], NokiaPort.de

Forhike
25-01-2005, 09:13 AM
we are going to give it a try today and see what we can read out from some phones and if it's of any use

Forhike
15-02-2005, 11:39 AM
I know that some people here are working on this; could someone just come out from the shadows?

Can someone give me some info about ARM programming?
I'm not asking for much; you could keep all info about your projects secret.