Welcome to Viper BJK's & Brobble's Nokia Experimental Page



Here you can find a tool that can analyse flashes of Nokia 6210 mobiles. It can also be used for many other types of Nokia mobiles (esp. 3310).

This tool can calculate all Eeprom/PMM/PPM checksums and one MCU checksum. There are no other checksums in Eeprom :0) It can also change, calculate and fix the Securitycode.

Current version is : 1.3 Alabaster

If you use my source code for your own work, all I want is that you also publish your source code. If you're kidding me, stealing my code or making fake progs out of it, there will be no fun for you anymore, believe me !

I decided not to publish my new sourcecode because some guys were really lame and thought they can use it for their own tools without referring to me.



Some infos about the Nokias :

CRC News *gg* by Viper BJK

--------------------------

What you can see on almost every Nokia Mobile :

The IMEI Number is saved as plain hex and as a "security" imei, which is the IMEI, xored with Hex 65

The scheme seems to be always the same. The old ones (51xx,61xx,31xx,32xx) have an eeprom and the new ones (62xx,82xx,33xx) have an emulated eeprom.

The first Checksum in Eeprom is calculated by adding all hex chars occurring in one field before the checksum value.

(at 51xx,61xx the first length of Checksumfield is Hex 3E)
There seems to be an overall checksum called Fhkchk, starting at 0x200020 virt., repeating 2 bytes chk, 0x1F bytes Data



For Nokia 6210 and, I suppose, many other new Nokia Mobiles :

Overall Sectors : Here PMM :
F0F0FFF80002504D4D000000000000060001

F0F0FFF8000 = Sector Mark

2504D4D = "PMM"

00000000000006 = Don't know yet

0001 = Deactivated, 0000 for Activated

EEPROM :

Addresses :

Sometimes the base changes from 3FC000 to 3FA000 ... could not find a reason why or where the base address is saved.

If the base is 3FC000 and the range is 200000-600000, version doesn't matter :

3FC000 : Base of EEPROM

3FC032 : Imei (Plain), 7 byte

3FC136 : Securitycode, 2 byte

3FC144 : CRC-Value, 2 byte (hexreversed, Field add, 8bit Checksum in fact)

Crc-length 3FC026-3FC143 Crc-sum at 3FC144-3FC145

3FC146 : ProductID (Hex, bitinversed), 4 byte

3FC14E : Productserialnumber (Text), 8 byte

3FC15E : HW-Version 3407 (2 byte, swapped : 70 43)

3FC162 : Imei (Security, XOR 0x65), 7 byte

3FC16A : Productiondate (Made), 2 byte m/y

3FC16C : Repaircounter, 2 byte

3FDB18 : Purchase Date, 2 byte

3FDB1A : Purchase Date available ? (80=yes, FF=no), 1 byte

3FC27A : CRC-Value, 2 byte (hexreversed, Field add, 8bit Checksum in fact, Bitmask subtraction of 0x1FE, which is 0xFF+0xFF in fact. Some other Phones are using 0x200.)

Crc-length 3FC0146-3FC279 Crc-Sum at 3FC27A-3FC27B

3FC382 - 6AD: Supposed Radio Settings. (Setting all bytes to FF is real fun *gg*)
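A read-only consistency check built on the offsets above, as an added example that is not part of the original tool: it tries both EEPROM bases the page mentions and accepts the one where the plain IMEI field and the "security" copy agree under XOR 0x65. Assumptions: the dump is a flat image whose first byte is address 0x200000, and the XOR is applied to each of the 7 bytes; the sample field is constructed.

```python
XOR_KEY = 0x65                           # "security" IMEI = plain IMEI XOR 0x65
PLAIN_OFF, SECURE_OFF, IMEI_LEN = 0x32, 0x162, 7
CANDIDATE_BASES = (0x3FC000, 0x3FA000)   # the two bases the page mentions


def find_eeprom_base(dump, image_start=0x200000):
    """Return (base, plain IMEI field as hex) for the first candidate base
    whose two IMEI copies agree under XOR 0x65, or None if neither does."""
    for base in CANDIDATE_BASES:
        off = base - image_start
        if off < 0 or off + SECURE_OFF + IMEI_LEN > len(dump):
            continue                     # base lies outside this image
        plain = dump[off + PLAIN_OFF:off + PLAIN_OFF + IMEI_LEN]
        secure = dump[off + SECURE_OFF:off + SECURE_OFF + IMEI_LEN]
        if bytes(b ^ XOR_KEY for b in plain) == secure:
            return base, plain.hex().upper()
    return None


def make_sample_dump(base, field, image_start=0x200000, size=0x200000):
    """Build a constructed, erased (0xFF) image with both IMEI copies at base."""
    dump = bytearray(b"\xff" * size)
    off = base - image_start
    dump[off + PLAIN_OFF:off + PLAIN_OFF + IMEI_LEN] = field
    dump[off + SECURE_OFF:off + SECURE_OFF + IMEI_LEN] = bytes(
        b ^ XOR_KEY for b in field)
    return dump


SAMPLE_FIELD = bytes.fromhex("01020304050607")   # constructed, not a real IMEI

if __name__ == "__main__":
    sample = make_sample_dump(0x3FA000, SAMPLE_FIELD)
    print(find_eeprom_base(bytes(sample)))
```

A result of None means the two copies disagree at both candidate bases, which points to a different layout or an edited dump.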

PPM :

Addresses :

200022 : First MCU Checksum, 2 byte (supposed to be 16 bit ???)

320000 : PPM Index

320004 : PPM Version, 7 byte (TEXT)

32000C : Date MCUSW, 8 byte (TEXT)

320015 : SW-Type, 4 byte (TEXT)

32001A : Productioncode, Copyright (TEXT)

320034 : Productiondate Soft (LPCSV180598) ?? (TEXT)

320048 : PPM Info, 5 byte

329F94 : Language, 3 byte

320268 : GSM-Info

39FFFA : Second MCU Checksum, 2 byte (same as first MCU Checksum)

MCU Checksum is 16 Bit from 0x200024 to 0x130101

MCU Checksum Field Start and End address is right after the Checksum (subtract base 0x200000)

Interesting : Changing the MCU does NOT lead to no network !!!!! This could be useful for our Updateresearches.

PPM Checksum is 32 Bit (multiple values). Structure is Checksum (4 bytes) + Length of Field. Starts at Pbase+0x25f

PMM :

3A0006 : Version 3.04 : PMM Index

3B0006 : Version 3.01 : PMM Index

Checksums : 00F44A000055FF00F00006D579303030303000 (Example is Securitycode)

00F4 Enabled or not ? F4=enabled, A4=disabled

4A0000 Type of Structure / Index (here for Securitycode)

55FF Begin of Structure

00F0 Checksum of Length 0006 , Checksum of 303030303000

0006 Length of Checksum

D579 Startaddress of Next Offset (relative to the beginning of PMM Sector)

Numbers and Names from the address book : Names are saved as Unicode, Numbers are hexed with lobyte/hibyte, 0xA for 0x0

For cheaters *bad bad boys, what ya gonna do .....* : Snake 1 Index is : 770000

Number/Name Index :

F4 = Ak
1A000F = Index
55FF = Start
06E7 = CHK
003D = CLEN
1D0E = Nxtb
03 = ID
0020 = Strlen
070100000000 = Index
004E006F0074007200750066002F0045006D0065007200670065006E00630079 = String
0003 = Bytes(len)
0B02000A00 = Init
0003 = Lennum(bit)
112000 = Number (F for +, 0 for nothing, A for 0)
011E030000000000 = Endstr
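A parser for the PMM record layout shown in the Securitycode sample and the Number/Name sample above, as an added example that is not code from the original tool: it splits each record around its 55FF marker, recomputes the checksum, and decodes the phonebook name and number. Assumptions: the checksum is the 16-bit sum of the data bytes (both samples on the page satisfy this), multi-byte fields are big-endian, and "Lennum" is the digit count.

```python
import struct

# Both sample records are copied from the page (security code, phonebook entry).
SECCODE_HEX = "00F44A000055FF00F00006D579303030303000"
PHONEBOOK_HEX = ("F41A000F55FF06E7003D1D0E030020070100000000"
                 "004E006F0074007200750066002F0045006D0065007200670065006E00630079"
                 "00030B02000A000003112000011E030000000000")


def parse_pmm_record(raw):
    """Split a PMM record around its 55FF marker and recompute its checksum."""
    m = raw.find(b"\x55\xff")
    if m < 4:
        raise ValueError("no 55FF marker after the flag and type bytes")
    if len(raw) < m + 8:
        raise ValueError("record truncated inside the header")
    chk, length, nxt = struct.unpack(">HHH", raw[m + 2:m + 8])
    data = raw[m + 8:m + 8 + length]
    if len(data) != length:
        raise ValueError("record truncated: data shorter than length field")
    return {
        "enabled": raw[m - 4] == 0xF4,        # F4 = enabled, A4 = disabled
        "type": raw[m - 3:m].hex().upper(),   # type of structure / index
        "stored_chk": chk,
        "computed_chk": sum(data) & 0xFFFF,   # assumption: 16-bit byte sum
        "next_offset": nxt,                   # relative to start of PMM sector
        "data": data,
    }


def decode_phonebook(data):
    """Decode (name, number) from the data field of a Number/Name record."""
    strlen = int.from_bytes(data[1:3], "big")            # follows the 1-byte ID
    name = data[9:9 + strlen].decode("utf-16-be")        # after the 6-byte index
    p = 9 + strlen
    nbytes = int.from_bytes(data[p:p + 2], "big")        # Bytes(len)
    ndigits = int.from_bytes(data[p + 7:p + 9], "big")   # Lennum, after 5-byte Init
    nibbles = data[p + 9:p + 9 + nbytes].hex().upper()[:ndigits]
    return name, nibbles.replace("A", "0").replace("F", "+")


if __name__ == "__main__":
    for sample in (SECCODE_HEX, PHONEBOOK_HEX):
        rec = parse_pmm_record(bytes.fromhex(sample))
        print(rec["type"], rec["stored_chk"] == rec["computed_chk"])
    print(decode_phonebook(rec["data"]))
```

A mismatch between stored_chk and computed_chk marks a record whose data was changed without the checksum being updated.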

For Nokia 3110 (thanks, koloksky) :

the eeprom base varies from version to version

block 1

1e0000: base of eeprom

1e0032: imei(plain), 7byte

1e0136: security code

1e0144: crc-value (2 byte)

1e0026 -> 1e0143: crc length

block 2

1e014e: prod. serial no. (8 byte)

1e015e: hw. ver. (byteswapped, 2byte)

1e0162: imei (xor 0x65), 7 byte

1e016c: repair counter (2 byte)

Koloksky :

I couldn't find block 2 crc length for 3310, for 5110 v5.29 (eeprom) it starts right after crc value (2byte: 003e-003f) & length (011d), block 2 checksum is at (0040-offset:0xde)



For Nokia 3310 (thanks to Executer, Schrifti and other Freaks giving me backups) :

Same as 6210, but MCU Checksum is at another place. Eeprom Base is usually 1E0000, MCU Base is 130000
Already fixed a lot for 3310, but second eeprom checksum hurts :0(



Experimenting could harm your mobile, never forget :0)

If you can make a backup of any Nokia, please mail me !

If you find other values, or have any errors or suggestions, mail me !

Cya, ViperBJK@gmx.net