/* MCU checksum - will NOT cause CS in most phones ;) */
0x01000026 2 bytes MCUCHK, same algorithm as DCT3
/* PeaK - netmon displays this in a special page .. why? */
0x01000028 2 bytes "PeaK"
/* FAID */
0x0100002C 12 bytes FAID
/* flash permanent data - used by PMM routines */
0x0100003A 28 bytes - flash permanent data (IMEI, UEM WD reset pass, tuning params, etc, encr)
FCHK is checked (or at least prepared) by ROMCALL 0x840015
no simple way to bypass this, except finding the correct
calculation algorithm. i guess it's done by the SPLock algo
that is in ROM. don't really know what this one does if the
calculation fails. maybe it overwrites some memory in DSP
interesting is, that the init routines first set a special
routine as ABORT(?) handler that enters system mode and
calls ROMCALL 0x8001E7 before the 0x840015 is called.
0x0100006C i think there are 8 bytes FCHK (FlashChecksum)
0x01000074 block count of FCHK (8 byte blocksize) min size 2
0x01000078 start address of FCHK and MCUCHK
/* no idea ;) */
/* not sure what this ROMCALL is for */
0x01000084 if set between 0x01000000 and 0x03FFFFFF, given as R0 to ROMCALL 0x840013
0x01000088 given as R1 to ROMCALL 0x00840013
for setting up memory map via ROMCALL 0x840017
addresses in these ranges are mapped out for the hardware
decryptor and directly accessible.
0x0100008C if set start address of uncrypted area 1
0x01000090 end address of uncrypted area 1
0x01000094 start address of uncrypted area 2
0x01000098 end address of uncrypted area 2
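An added example, not from the post or any Nokia tool: a Python parser for the header layout listed above, with the checks the post states (block count at least 2, the 0x01000084 value within 0x01000000-0x03FFFFFF when set). It assumes the flash image starts at 0x01000000, that the count/address fields are 4-byte big-endian words, and that zero means "not set".

```python
import struct
FLASH_BASE = 0x01000000  # assumed: file offset 0 of the image is mapped at this address
# (address, size, name) as listed in the post; count/address fields have no stated size, so 4-byte words are assumed
FIELDS = [
    (0x01000026, 2, "MCUCHK"), (0x01000028, 2, "PeaK"), (0x0100002C, 12, "FAID"),
    (0x0100003A, 28, "PMM_DATA"),  # encrypted permanent data, kept as raw bytes
    (0x0100006C, 8, "FCHK"), (0x01000074, 4, "FCHK_BLOCKS"), (0x01000078, 4, "CHK_START"),
    (0x01000084, 4, "ROMCALL_R0"), (0x01000088, 4, "ROMCALL_R1"),
    (0x0100008C, 4, "PLAIN1_START"), (0x01000090, 4, "PLAIN1_END"),
    (0x01000094, 4, "PLAIN2_START"), (0x01000098, 4, "PLAIN2_END"),
]
WORDS = {name for _, size, name in FIELDS if size == 4}  # decoded as integers

def parse_header(image, big_endian=True):
    """Extract the fields above from a raw flash image; byte order is an assumption."""
    fmt, out = (">I" if big_endian else "<I"), {}
    for addr, size, name in FIELDS:
        off = addr - FLASH_BASE
        if off + size > len(image):
            raise ValueError(f"image too short for {name} at 0x{addr:08X}")
        raw = image[off:off + size]
        out[name] = struct.unpack(fmt, raw)[0] if name in WORDS else raw
    return out

def sanity_check(h):
    """Flag the constraints the post states; a zero address is treated as 'not set'."""
    problems = []
    if h["FCHK_BLOCKS"] < 2:
        problems.append("FCHK block count below the minimum of 2")
    r0 = h["ROMCALL_R0"]
    if r0 and not 0x01000000 <= r0 <= 0x03FFFFFF:
        problems.append("ROMCALL 0x840013 R0 outside 0x01000000-0x03FFFFFF")
    for area in ("PLAIN1", "PLAIN2"):
        start, end = h[area + "_START"], h[area + "_END"]
        if start and end < start:
            problems.append(f"{area}: end 0x{end:08X} lies before start 0x{start:08X}")
    return problems

def build_sample():
    """Constructed 256-byte image (not from a real phone); unset fields stay zero."""
    img = bytearray(0x100)
    for addr, data in {0x01000026: b"\x12\x34", 0x0100002C: b"FAID-SAMPLE!",
                       0x01000074: struct.pack(">I", 1),           # below the minimum of 2
                       0x01000078: struct.pack(">I", 0x01000000),
                       0x01000084: struct.pack(">I", 0x04000000),  # outside the allowed range
                       0x0100008C: struct.pack(">I", 0x01100000),
                       0x01000090: struct.pack(">I", 0x01200000)}.items():
        img[addr - FLASH_BASE:addr - FLASH_BASE + len(data)] = data
    return bytes(img)
```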
[DCT4] FCK bypass?
well, now everyone wants to modify flashfiles.
but be warned, you can only modify the area above 1M (starting from 0x01100000)
else your phone will end up with no network and a poweroff after 1 min :)
the only chance for now is to bypass the FCHK, but first i have to know what algo is used :(
if we knew the algo, or if someone would tell me the checksum of 16 0xFF bytes,
then i could fool the algorithm ;)
or let's say we brute force that checksum...
we give each participant 256 checksums to test...
good idea... anyone can bring up 72057594037927935 guys who help? :)
[DCT4] FCHK bypass brainstorming
yes, i know... the 3rd message today ;)
okay just some thoughts about the FCHK...
if the routine 0x0084015 really does the calc
(this routine calls one at 0x00800XXX which is read protected)
then it either:
- saves data on the stack (very low security)
- saves the data at some internal RAM (higher security)
- keeps the data while calculation in registers (also high security)
in my opinion it doesn't keep data in registers.
i also don't think it saves data on stack, that would be too "insecure".
don't ask me why, but i think during calculation the data is kept
in the on-die RAM at 0x0200 and gets overwritten
after the calculation is done.
so we have to:
- use original flashfile
- modify the timer interrupt to break every some cpu clocks (possible?)
- inject code into the timer interrupt to check registers/PC and the RAM area and save data about the calced stuff
- if the correct checksum was found in registers/ram, save that address and capture
that data for a modded flash with pointer to FF bytes
int 0x00 - MDI (DSP)
int 0x01 - MDI (DSP)
int 0x02 - DMA
int 0x03 - UEM
int 0x09 - STI (Serial Terminal Interface) ?
int 0x0A - UPP (?)
int 0x0B - UPP (FIQ?)
int 0x0C - UPP (FIQ?)
int 0x19 - UPP (timer?)
int 0x0E - UEM
int 0x13 - UEM
int 0x18 - UEM
int 0x1E - ABORT
[DCT4] some GENIO's of 6610
0x00 - VEN of LP3985 Voltage Regulator
0x03 - FM Radio Clock
0x04 - LCD Reset
0x05 - RF TXPower
0x06 - RF Reset
0x07 - RF TXA
0x08 - RF TXL 1 & FM Radio Enable
0x09 - RF Mode
0x0A - RF EXTANT & IR Module SD Pin
0x0B - RF BANDSEL & FM Radio SClk
0x0C - RF AData & FM Radio SData
0x0D - RF RXGain
0x0E - Audio Router Enable
0x0F - Audio Router Clock
0x10 - Audio Router Data
0x17 - WP of flash
0x1D - SIMCLKI
0x1E - SIMIOCTRL
0x1F - SIMDATA