April 17, 2006
well, if you say Nokia's programmers are not funny, you're wrong ;)
just have a look at:
g3gg0.de/~geggo/dct4/deadbeef.html
hehe, quite amusing :)
March 31, 2006
just some notes about the GENIO pins used in the 6610.
0x00 - VEN of LP3985 Voltage Regulator
0x03 - FM Radio Clock
0x04 - LCD Reset
0x05 - RF TXPower
0x06 - RF Reset
0x07 - RF TXA
0x08 - RF TXL 1 & FM Radio Enable
0x09 - RF Mode
0x0A - RF EXTANT & IR Module SD Pin
0x0B - RF BANDSEL & FM Radio SClk
0x0C - RF AData & FM Radio SData
0x0D - RF RXGain
0x0E - Audio Router Enable
0x0F - Audio Router Clock
0x10 - Audio Router Data
0x17 - WP of flash
0x1D - SIMCLKI
0x1E - SIMIOCTRL
0x1F - SIMDATA
March 27, 2006
fiq 0x00 - MDI (DSP)
fiq 0x06 - FBUS
fiq 0x07 - FBUS
fiq 0x08 - FBUS
fiq 0x09 - DMA1
int 0x00 - MDI (DSP)
int 0x01 - MDI (DSP)
int 0x02 - DMA0
int 0x04 - UEM
int 0x09 - STI (Serial Terminal Interface) ?
int 0x0A - UPP (?)
int 0x0C - UPP (delayed func queue?)
int 0x0D - UPP (delayed OS message?)
int 0x10 - Keypad?
int 0x19 - UPP (timer?)
int 0x0E - UEM
int 0x13 - UEM
...
int 0x18 - UEM
int 0x1E - DELAYED ABORT
March 20, 2006
yes, I know... the third message today ;)
okay, just some thoughts about the FlashSignature...
if the routine at 0x0084015 really does the calculation
(this routine calls one at 0x00800XXX which is read-protected)
then it either:
- saves data on the stack (very low security)
- saves the data in some internal RAM (higher security)
- keeps the data in registers while calculating (also high security)
in my opinion it doesn't keep data in registers.
I also don't think it saves data on the stack, that would be too "insecure".
don't ask me why, but I think during the calculation the data is kept
in the on-die RAM at 0x0200 and gets overwritten
after the calculation is done.
so we have to:
- use the original flash file
- modify the timer interrupt to break every few CPU clocks (possible?)
- inject code into the timer interrupt to check registers/PC and the RAM area and save data about the calculated stuff
- if the correct FlashSignature was found in registers/RAM, save that address and capture
that data for a modded flash with a pointer to FF bytes
ouch... much work ^^
March 20, 2006
well, now everyone wants to modify flash files.
but be warned, you can only modify the area above 1M (starting from 0x01100000),
else your phone will end up with no network and a power-off after 1 min :)
the only chance for now is to bypass the FlashSignature, but first I have to know what algorithm is used :(
if we knew the algorithm, or if someone would tell me the checksum of 16 0xFF bytes,
then I could fool the algorithm ;)
or let's say we brute-force that FSIG...
we give each participant 256 checksums to test...
good idea... can anyone bring up 72057594037927935 guys to help? :)
March 20, 2006
hi again :)
okay, today I'll tell you a little about the flash header at around 0x01000000.
at least I will tell you what I know about the data there hehe :)
no guarantee that this data is correct... some things are wildly guessed.
/* unk - used by malloc/free routines */
0x01000020 4 bytes unk
/* defines flash mode (dejan) */
0x01000024 1 byte
/* MCU checksum - will NOT cause CS in most phones ;) */
0x01000026 2 bytes MCUCHK, same algorithm as DCT3
/* PeaK - netmon displays this in a special page .. why? */
0x01000028 2 bytes "PeaK"
/* FAID */
0x0100002C 12 bytes FAID (but dejan calls this the flash crypt key)
/* flash permanent data - used by PMM routines */
0x0100003A 40 bytes - flash permanent data (IMEI at offset 0x0D, UEM WD reset pass, tuning params, etc., encrypted)
/*
FSIG is checked (or at least prepared) by ROMCALL 0x840015.
no simple way to bypass this, except finding the correct
calculation algorithm. I guess it's done by the SPLock algo
that is in ROM. I don't really know what this one does if the
calculation fails. maybe it overwrites some memory in the DSP
memory space.
interesting is that the init routines first set a special
routine as ABORT(?) handler that enters system mode and
calls ROMCALL 0x8001E7 before 0x840015 is called.
*/
0x0100006C I think there are 8 bytes FSIG (FlashChecksum)
0x01000074 block count of FSIG (8-byte block size), min size 2
0x01000078 start address of FSIG and MCUCHK
/* no idea ;) */
0x0100007C empty
0x01000080 empty
/* not sure what this ROMCALL is for */
0x01000084 if set between 0x01000000 and 0x03FFFFFF, given as R0 to ROMCALL 0x840013
0x01000088 given as R1 to ROMCALL 0x00840013
/*
for setting up the memory map via ROMCALL 0x840017.
addresses in these ranges are mapped out for the hardware
decryptor and directly accessible.
*/
0x0100008C if set, start address of uncrypted area 1
0x01000090 end address of uncrypted area 1
0x01000094 start address of uncrypted area 2
0x01000098 end address of uncrypted area 2
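A header reader built from the offsets listed in this post, as an added example (Python; not the author's code): it decodes the fields at 0x01000020..0x01000098 from a constructed sample and flags the two conditions the post spells out (an FSIG block count below 2, and a 0x01000084 value that is set but outside 0x01000000..0x03FFFFFF). Big-endian byte order and reading "PeaK" as 4 bytes are assumptions.

```python
import struct

HEADER_LEN = 0x9C   # header sits at flash address 0x01000000 (post); offsets below are relative to it
MIN_FSIG_BLOCKS = 2                            # post: FSIG block count "min size 2"
ROMCALL_ARG_RANGE = (0x01000000, 0x03FFFFFF)   # post: 0x84 is only handed to ROMCALL 0x840013 if inside this

def parse_dct4_header(blob: bytes, order: str = ">") -> dict:
    # `order` is the struct byte order for multi-byte fields; big-endian is an assumption, the post does not say.
    if len(blob) < HEADER_LEN:
        raise ValueError("header blob too short: need 0x%X bytes" % HEADER_LEN)
    u32 = lambda off: struct.unpack_from(order + "I", blob, off)[0]
    u16 = lambda off: struct.unpack_from(order + "H", blob, off)[0]
    return {
        "malloc_unk": u32(0x20),            # used by malloc/free routines
        "flash_mode": blob[0x24],           # 1 byte, flash mode
        "mcuchk": u16(0x26),                # MCU checksum, DCT3 algorithm
        "peak": bytes(blob[0x28:0x2C]),     # "PeaK" marker; read as 4 bytes (post says 2, next field is 4 bytes on)
        "faid": blob[0x2C:0x38].hex(),      # 12 bytes FAID ("flash crypt key")
        "pmm_data": blob[0x3A:0x62].hex(),  # 40 bytes permanent data, IMEI at +0x0D, encrypted
        "fsig": blob[0x6C:0x74].hex(),      # 8 bytes FlashSignature
        "fsig_blocks": u32(0x74),           # number of 8-byte blocks covered
        "fsig_start": u32(0x78),            # start address covered by FSIG and MCUCHK
        "romcall_840013_r0": u32(0x84),
        "romcall_840013_r1": u32(0x88),
        "uncrypted_areas": [(u32(0x8C), u32(0x90)), (u32(0x94), u32(0x98))],
    }

def check_header(hdr: dict) -> list:
    # Sanity checks derived from the post's notes; returns human-readable findings.
    issues = []
    if hdr["peak"] != b"PeaK":
        issues.append("PeaK marker missing at 0x01000028")
    if hdr["fsig_blocks"] < MIN_FSIG_BLOCKS:
        issues.append("FSIG block count %d is below the minimum of %d" % (hdr["fsig_blocks"], MIN_FSIG_BLOCKS))
    lo, hi = ROMCALL_ARG_RANGE
    r0 = hdr["romcall_840013_r0"]
    if r0 and not lo <= r0 <= hi:
        issues.append("0x01000084 = 0x%08X is set but outside 0x%08X..0x%08X" % (r0, lo, hi))
    return issues

def build_sample(order: str = ">") -> bytes:
    # Constructed header for demonstration; every value here is made up.
    b = bytearray(HEADER_LEN)
    b[0x28:0x2C] = b"PeaK"
    struct.pack_into(order + "H", b, 0x26, 0xBEEF)
    struct.pack_into(order + "II", b, 0x74, 1, 0x01000000)  # block count 1: below the minimum
    struct.pack_into(order + "I", b, 0x84, 0x04000000)      # one past the allowed range
    struct.pack_into(order + "II", b, 0x8C, 0x01100000, 0x017FFFFF)
    return bytes(b)
```

Running `check_header(parse_dct4_header(build_sample()))` yields two findings; fixing the block count and the 0x84 value in the sample yields none.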
February 13, 2006
oh, I think I never made them public....
here are the flash header tags I know.
C2 secondary_id
C3 algorithm_id
C8 erase_area
C9 vpp
CA vcc
CB hw_config_byte
CC hw_config_offset
CD secondary_speed
CE algorithm_speed
CF program_speed
D0 secret_info
D1 msg_read_speed
D3 claudia_info
D4 mcu_id_info
D5 vcc_off_time
D9 programming_options
DA fps8_options
DE fps8_timeouts
DF mm_bus_config
E0 mm_open_config
E1 mm_part_config
E3 mm_prog_config
but don't ask me what all the options mean or
how you can tell what all the bits are for ;)
January 26, 2006
hiho...
I updated CEntrilo again.
now it supports setting the PushToTalk key
in the settings dialog.
just click on the empty(!!) PTT textbox and
press the key you want to be assigned..
enjoy ;)
December 31, 2005
heyho...
I updated CEntrilo to support connecting to a specific
port. just enter the port with a : behind the hostname.
for example: ventrilo.server.com:3784
enjoy :)
October 17, 2005
I uploaded a modified version of the CEntrilo tool
that should work with MDAs :)
if you set the trigger level to 0, the note recorder
button on the side of the phone works as push-to-talk
key - at least it should ^^
May 23, 2005
I fixed minor issues:
- added window caption (title) so it shows up in the task list
- if you set the trigger level to 0, it's like PTT.
- any other value stands for the percentage of the VU meter at which to trigger
- some fixes/cleanups in the connect code
- added mfcce400.dll (and mfcce400d.dll to make it complete)
get it on the projects page
May 9, 2005
Hi there :)
after some break I developed a new app..
it's a client for the well-known internet voice system 'Ventrilo'.
But I just made it for Pocket PCs (WinCE, Mobile 2002...)
Maybe I'll code a Linux version too when I feel like it ;)
For now there's no Linux client, no Mac OS client etc. by the original creator...
Nothing but a WIN32 version. Very odd for those using alternative OSes.
If someone needs CEntrilo, just download it from the projects section ;)
November 26, 2004
I coded a small routine for MADos which is able to parse a function
like 2x²+16x-9a and calculate the result.
it's 100% C, so it's also possible to port it to Yak's project which
allows n*kia-compliant code to be generated.
as if n*kia compiled it themselves :)
maybe we'll see a nice function plotter in the phone sometime :)
October 6, 2004
the last days I'm struggling with school...
after some years of a normal job I intend to
attend a high school to get a computer scientist's degree
these days u must have that stupid kind of paper ;)
else u're worth nothing - even if u know computers better than many others do ;)
so most of the time I try to learn some stupid things and
the rest I use for recovering... school makes u tired and lazy :(
hope in the next 1-2 months I get used to that lazy way of living and can
continue my hobbies..
who knows... maybe we have a DCT-4 mod very soon (<4 months)
at least we (= a good friend and me) already know how to do that hehe
September 18, 2004
ha!
now I'm 24 years old... what a baad feeling :)
once u're 18, you get older faster than u realize...
yeah...
hm.
nevermind, life still goes on ;)
July 31, 2004
I didn't tell you that some very smart guy sponsored me with a Twister box :D
hey, I love that thing.... but I already failed at flashing Bluetooth on my 6600 haha
the flash attempt aborted when starting to flash the BT chip and I couldn't
enable it again until my Nokia service partner repaired it....
reflashing the chip was also not possible for me..
so I left it out after the Nokia guy reflashed it

anyway, it's a cool thing :)
thanks to the sponsor!!
one thing....
if someone has a 6610/7210/7250/any DCT4 to spare and wants to sponsor the work I do
or just wants to say "Thank You" for the tools and patches I did for DCT-3,
then just mail me at geggo@g3gg0.de
I'll thank you for any gift I get and give you credit on the "Thanks to:" page :)
July 26, 2004
as u can see here, I have now uploaded the source of my MP3 player :)
it includes all the source u need to make your player Bluetooth capable
and controllable via "Bemused"
I love it :D
May 28, 2004
after I tried my luck with an 8310 board, someone gave me a tip and said that Nokia disabled JTAG support in the processors :-/

too bad.. so no chance of getting into it with a normal DCT-4 phone..
maybe some old internal beta phones have JTAG enabled?
maybe u can help me if you have a beta-test phone :)
April 26, 2004
thanks to kraze1984 we now have Arkanoid in MADos :D
woooooh! I love that game :)
thank u very much kraze!