The phone software consists of several parts:
* MCU (Mobile Control Unit?) - the program that runs on the phone
* PPM (Post-Programmable Memory, or in plain words the language pack) - determines what languages will be available in the phone
* CNT (content) - default pictures and sounds coming in your phone's Gallery
* PM (or EEPROM) - contains various settings specific to your phone, including calibration for various devices present in your phone, like the battery, camera, light sensor, RF part, etc.)
Flashing erases and writes MCU and PPM, and depending on the flashing method may or may not touch the CNT area. But PM is normally not updated.
It is the PM that contains your IMEI number and lock data (which are interconnected). Plus, the IMEI is also contained in OTP (one-time programmable) memory, where it is put at the factory and cannot be deleted or changed later, other than replacing the chip that contains it.
All Nokia phones used encryption to avoid unlocking. However, DCT3 and DCT4 encryption was easier. This time, it is much harder. Plus, some algorithms are placed in "execute-only" ROM (which cannot be read or written, only executed, thus nobody knows what's in there). Of course, there is the "easy" way of unlocking by entering a code which can be calculated knowing only IMEI of the phone and the network it is locked to. But the calculation algorithm is guarded heavily and if you want your operator to give you the unlock code, you have to meet the operator's requirements (like staying active for a certain time, etc.) This is done because operators subsidize SIM-locked phones and want their money back before you leave.
You can erase PM if you want, but then your phone will lose IMEI and will lock up (because as I already mentioned SIM-lock algorithms are tied to IMEI). This happened to DCT3, DCT4 and now in BB5. But for DCT3 and DCT4 easy unlock is available, while for BB5 the security measures are much heavier. The only way you can repair your phone after screwing PM is through Nokia (for some big bucks, I presume ).
For flashing, there are two ways: official and unofficial. Unofficially, you can buy special software and hardware (like UFS with HWK, JAF, Griffin, or MT-box). But your warranty will be gone. Officially, you can take it to a Nokia Authorized Service Center or recently, with BB5 phones, you can do it at home, with the standard USB cable, by downloading the Nokia Software Updater and firmware from Nokia Web site. The only restriction is that you cannot change languages officially.
The unlock code is different for each and every phone (I already mentioned that the locking algorithms are tied to IMEI and network code, didn't I?)
1) i know the older nokia models the algorithms have been leaked or cracked and you can just get an unlocking code through a calculator usually provided the IMEI and network provider etc...why can't all phones be unlocked like this...what's different?..for example why wud u need a flashing box or smart clip to unlock a phone instead of remote unlocking?
It differs from one manufacturer to another, but before you can make such a calculator, you have to get the encryption algo somehow (steal it from an operator, or read out and disassemble phone firmware). In some cases, this is not enough and you still cannot get the code without having some info from the specific handset. For example, there is a program around that calculates mastercode for Siemens phones, but you have to enter the IMEI and feed it the security-related EEPROM blocks from your mobile. Which makes the prog pretty much useless, since these blocks are normally hidden and you can get them only by cutting the testpoint, or entering Skey, which means you can just as well unlock the phone directly.
2) since some algorithms are placed in executable only ROM...im assuming this was not the case in DCT3 and DCT4. the reason that the algorithms would be in the phone would be to verify with the unlock code of the phone whether the user enters the correct code correct? basically what is the purpose that the algorithms would be present inside the phone, to decrypt the actual lock data?
You are right. The phone needs the security algo inside to verify the unlock code.
For DCT3, all security was ensured by FAID (Flash Authority ID) - a value, likely in EEPROM, that was tied to the phone's IMEI, firmware checksum and electronic serial numbers of the flash chip and some other chips. Without matching FAID, the phone would not see network, reboot every 30 seconds, and get all locks activated. Hence, if you swapped flash chips between two perfectly healthy 3310's, neither would work due to FAID mismatch. But since the phones had no other protection, as soon as someone very bright (Dejan Kalevich it was) made a device to read and write flash on these phones, it was easy to get all the algorithms.
2) if someone really wants to make a phone that one cannot unlock, why not put the lock data in OTP instead of putting it in a EEPROM?
You're right, but then what would you do about legitimate cases when you would need your phone unlocked? When you buy a locked phone from an operator, they can usually give you the unlock code after a certain time (say, three years), during which you have repaid to the operator the amount by which they subsidized this phone. Or they can do it earlier, if you have a good lawyer.
3) you said flashing the new nokia can be done with only a usb cable if using the nokia software at home?...so why do we need a flashing box and special cables and software to unlock it?
a) Of all Nokias, only BB5 can be flashed via USB. For DCT3/4 you need a box.
b) A box serves two purposes - it adapts signals from computer port to those used by the phone, and it works as a copy-protection measure for the software, which won't run without a box.
c) I'm not an expert in the architecture of Nokia phones, but to the best of my knowledge, the POP port is not identical to the service connector (the one under the battery). There are some lower-level things that can be done only through the service connector. Besides, some phones simply don't have the USB/POP port. For these, the only way to go is an adapter cable.
4) what does a flashing box, special cables, and software actually DO? i read it gets past the boot of the phone to send an unknown command (i'm assuming the command is sent to EEPROM?). so what does it do...does it modify any values in memory (Where), erase the SIM lock data from EEPROM, change the SIM lock data to replace it with an easy code,or...?
Usually, the third-party software is based on the manufacturer's SW. There is even a box (Griffin or JAF?) that emulates Nokia dongle and can be used with Phoenix application. If you want to unlock your phone, you'll need one of these boxes with the relevant software and adapter cables. Understandably, Nokia will not release a software to unlock its phones to general public and if you want to buy it officially, you have to open an Authorized Service Center and shell out some big bucks, while the boxes cost around $200.
You should understand that even though the unlock may be technically possible with a USB cable, you will have to do it through a box and adapter cable. Just because that's the way software is written.
5) what is the role of encryption in preventing number 4 above?
Suppose a phone won't let you read out the contents of its flash memory. You can always desolder the flash chip and read it using external flash programmer hardware. If you look at the resulting file and see something like "ENTER 12345678 TO UNLOCK THIS PHONE", this will be all too easy, won't it? That's what encryption is there for. Of course, you will have to use a disassembler program and technical specifications of the phone processor and flash chip to reverse-engineer the firmware and see how it works, but Nokia, for example, uses custom-made processors, for which precise datasheets are not available.
6) when do you NEED a flashing box to flash or to unlock? is to get access to EEPROM?
For flashing BB5 phones that don't have a POP port or USB connector; for flashing dead BB5 phones that cannot use "dead USB flashing" in Phoenix; and for flashing and unlocking earlier DCT4/DCT3 phones. You can also unlock but not flash DCT3 using FBUS cable (COM, or USB-to-COM).
7) would you need special cables to connect the phone to access the SIM lock data even if the phone came with a data cable?...does the data cable restrict access to EEPROM?....are the MCU, PPM and EEPROM and CNT on the same flash chip?
A cable is just a cable, it does not impose any restrictions by itself. Its functionality is limited by the functionality of interfaces it connects to, both on the phone and on the PC. I already mentioned in answer to Question 3 that POP port is different from the service connector, and the software has restrictions too. For example, NSU can only flash working phones, with a SIM card, with a charger connected and in Normal mode. Cracked Phoenix can flash some phones from dead state, but not all. Not sure about original Phoenix, but if you want to unlock phones with original Phoenix, I gather, you will need an additional smart-card, which will only give you a limited number of unlock attempts and is not available to anyone other than high-level service centers. And by the way, another advantage of adapter cables is that you don't need a battery with them - the required power signals are fed from the box.
Once upon a time, phone settings were stored in a different chip (physically, a different type of memory, since these data are modiified more often and in smaller chunks than the firmware). Hence they are still widely known as EEPROM (Electronically Eraseable Programmable Read-Only Memory). But since after Nokia 3210, they have become incorporated in the flash chip (I don't know if it's still different physical memory type, or the same; I know in many cases it uses smaller blocks for writing). The tendency is to have everything in one chip, to keep the phones cheap and easy to make. However, as phone memory grows bigger, these areas can be divided. For example, 6230 uses a different memory chip for the gallery (CNT), even of a different type (NOR for firmware and NAND for content, whatever those mean).
8) what if a phone does not have a place for a data cable or its connection ports for connecting a cable are physically protected or not available...then basically you cannot unlock or flash such a phone correct?
Official service centers also need access to the phone (for flashing or diagnostics), so there should be something, if not on the outside of the phone, then on the inside. No manufacturer can afford replacing every phone with a minor malfunction.
9) u mentioned MCU, PPM, PM etc...usually are all phone's memory divided like this for example motorolas?
Concept is the same, names may differ. In Motorola, when you flash a phone you will see there are different cogegroups (CG1, CG2, CG4, etc.) Nokia's MCU is Motorola's CG1, PPM (langpack) is CG2(?), PM is PDS, CNT is flex, etc. Siemens has FFS (flex filesystem), which is usually not updated while flashing.
10) where is the boot loader in memory? and why do we need testpoint for some motorolas with boot .52 etc?
There are, in most phones, two bootloaders. One is in a small ROM area within the CPU chip. This is the first to start. Some phones don't have it. The other is in the beginning of flash address space. If you kill the flash bootloader, the ROM bootloader can still connect to the PC and let you flash the phone. If there is no ROM bootloader and you kill flash bootcore, the only way is to remove flash chip and program it on an external programmer device. Phones without ROM bootloader usually have on-board contact points for JTAG interface, which allows direct access to flash and CPU busses. Don't ask me about it, I have no idea.
Now the testpoints. I will describe (in small detail) Siemens boot-up procedure and how you can penetrate the defences.
When you press the power button, ROM bootloader initialises. Its job is to check if flash bootloader (bootcore) is present. If it is, the ROM bootloader starts it. If not, it attempts to connect and load an external bootloader from the system interface (without any security checks).
When flash bootloader starts, it looks to system interface again, to check for any attempts to load an external program. But this time, you need to present a valid Bootkey to enter, unless the phone is in Factory mode.
[off: Siemens phones have several security levels, from Customer (lowest access) to Factory (highest access). More on this later].
If the external loader cannot be loaded (or cannot present a valid Bootkey), the phone software starts. Security-related data is in flash bootcore and in eeprom. None of these is accessible in Customer mode. Relevant EEPROM blocks will not be listed, read or written. Lock data is tied to IMEI (there are two IMEIs: one in OTP flash, the other in EEPROM - and the phone won't start if they don't match) and flash ESN (Electronic Serial Number), which is also not readable in Customer Mode.
To get full access to the phone, you will need to enter a valid Skey (8 decimal digits), which is selected randomly by Siemens at production and is encrypted in EEPROM security blocks. Or a Bootkey (32 hex digits) to bypass internal bootloader. Attempts to enter Skey are limited and there is an increasingly long waiting period after each incorrect attempt. Or you can trick the phone into thinking it has an empty flash bootloader (by cutting a track in older Siemenses, or shorting a point to the ground in newer Siemenses). This temporarily disrupts power to the flash chip, then the ROM bootloader allows an external bootloader to be run in the phone. With that, you can do anything - internal defences are no longer working. Then you just read out the ESN, IMEI and EEPROM security blocks to produce Bootkey and Skey. After this, you can restore the Testpoint - you have all you need. Now you can read and write entire phone memory, replace security blocks and do pretty much anything. One thing you can do with these data is calculate mastercodes - codes that are typed in on the phone keyboard to remove user code or service provider lock. They look like *#0003*xxxxxxxx# - where an 8-digit decimal number is substituted for xxxxxxxx. That is mastercode. There are several mastercodes (from 0 to 7) for different locks that can be enabled on a Siemens phone. Number 3 is for user code, number 0 is for SP-lock. If you enter phone code incorrectly three times, you will not be able to deactivate it, other than entering a mastercode (or doing direct unlock using testpoint).
Same goes with Motorola. When you do a testpoint, you short-circuit flash chip power to the ground, making the ROM bootloader think it's got empty flash. That is why your phone is detected as "Blank Neptune LTE" instead of "Secure Neptune LTE". After you remove the TP, you can read contents of the flash chip, see and reverse the encryption algo and unlock the phone using the information found in PDS. The reason you need the testpoint is that the bootloader (the one in flash) won't let you download and run anything without a proper digital signature (and this signing uses complex encryption which is not easy to crack). So, it's easier to disable the bootloader than to try and forge the signature for an external bootloader. On newer Motorolas (like L7) all bootcore versions have this protection. On V3, older versions don't have this protection, hence don't need the testpoint.
courtesy of KPbICMAH