About Checksums Ringtone changes.

[NokDoc]

About Checksums PPM changes.

In the Flashfile:
================
1.MCU Checksum (2)
Located at 0000.0022 and at end of PPM Section eg 00(13).FFFA
Calculated over 0000.0024 u/i end of MCU.

2.PPM Individual SubChunk Checksums (4)
Located at the begin of each individual PPM SubChunk.
Calculated over full PPM SubChunk length.
(The number of SubChunks may be different per phone type)

3.PPM Checksum (4)
Located at the end of PPM Section eg 00(13).FFFC
(calc?, maybe over full PPM length or individual SubChunks?)

4.MCU+PPM Checksum (4)
Located at 0000.0038
Calculated over almost full MCU&PPM length, Starting at 0000.0040 u/i 0000(13).FFE1 ($20 steps)


The Ringtone changing?
================
Have a good look at where changes have effect on what Checksums.
1. recalc Indiv. Tone PPM chunk Checksum.
2. recalc PPM Checksum.
3. recalc Faid, based upon the true PPM Checksum.
4. Faid is stored in MCU (=MCU+PPM Checksum!) so recalc MCU Checksum.
5. Luckily MCU Checksum itself isn't inside the MCU&PPM Checksum calc area so Faid is still the correct one.
6. flash & authorise by MBUS command with Faid nr.


The Faid?
================
For Faid calc MSID & PPM Checksum are required.
Most proggies do use bytes from flash for the PPM Checksum instead of calcing them based upon the PPM.
Here's the biggest problem, incorrect PPM Checksum = incorrect Faid = no connection.


The Lesson?
================
Changing data always has effects on a calculation somehow.
There's 2 ways to get bypassed that.
1.Change data in that way the certain Check(s) aren't changed.
2.Find other leaks or try to be bigger liar as me.

This all is based own own thinking and I'm not sure if it's some of correct.
So other ideas are very Welcome!

And now if U'll excuse me, I'm gonna watch the Muppet Show.

Happy Reversing

NokDoc

[Anonymous]

>4. Faid is stored in MCU (=MCU+PPM Checksum!) so recalc MCU Checksum.

FAID is stored in eeprom area. So MCU checksum does not need recalculation, unless you modify sg else than PPM!!!!!
FAID not equal to MCU+PPM checksum. (Flash Authority ID)


>5. Luckily MCU Checksum itself isn't inside the MCU&PPM Checksum calc >area so Faid is still the correct one.

?!?!
This is bullshit.

KAoS

[NokDoc]

Hi Mr. KAoS,

I did use verb 'Faid' where it should stand 'MCU+PPM Checksum'.
I do regret this mostfully and I'm very sorry for that.

It should say:
3. recalc MCU+PPM Checksum, based upon the new PPM Checksum.
4. MCU+PPM Checksum is stored in MCU so recalc MCU Checksum.
5. yep, as a very wise guy told me, real bullshit.

All comments are very welcome, for me there's always a time to learn!
At least I know someone has attention on these things.
Since I don't know very much about all of it I had to start somewhere, hoping guys like you can push me into correct directions.

My Lesson?
Not to yell that loud again.

So both sorry & thanks.

NokDoc

[phone-crash]

NokDoc would you be so kind to explain me the way you write the adresses.

What is> Located at the end of PPM Section eg 00(13).FFFC

How can I calculate the checksums which you mentioned in point 3 and 4. Nfree is not able to do it.

3.PPM Checksum (4)
Located at the end of PPM Section eg 00(13).FFFC
(calc?, maybe over full PPM length or individual SubChunks?)

4.MCU+PPM Checksum (4)
Located at 0000.0038
Calculated over almost full MCU&PPM length, Starting at 0000.0040 u/i 0000(13).FFE1 ($20 steps)

Can you explain me the algorhytm of calculating the checksum?

phone-crash