viperbjk
18-04-2008, 02:42 AM
Hi there boys and girls ... for those interested ....
QC BQS Analyzer 3.0
What is it ?
-----------
Let's call it the ultimate BQS / QC swiss knife and very special Crypto Tool (RSA Signature Calc can be used for any mobile):
BQS only :
----------
1. Load AMSS to extract files or useful infos
(EF81, E81C, EF91, SXG75, EF82, SF71, SL91, M7 or similar ones)
Features :
Extract Infos from AMSS : USBID, Product.Nr., SVN, SwBuild, Mobiletype
Extract internal filesystem (mif, bar, sig etc. files)
Extract certificates
Extract all BMPs, GIFs, PNGs, JPGs
Extract AMSS signature bytes (if production key)
Show all file references used by mobile
2. Sim_Secure extraction/decryption (non-public)
3. Master-/Usercode/Unlock extraction and direct unlock (non-public)
All QC :
--------
1. Load Partition File to get overview about NAND/NOR structure
2. Make use of QC's Diag Interface .... to do nice things
(Useful for any QC mobile in the world)
Standard Features :
-------------------
- Send standard diag commands or any hexadecimal command you want (database included)
- Read out all NVItems (range given)
(all that exist, more than QPST normally extracts)
- Backup and Restore all NVItems
- Read out and Dump Firmware in Memory (IRam)
- Read out complete EFS
- Switch to FTM Mode (or anything else you want)
- Get infos about phone ..... etc ..... a lot more functions
- Generate SimSecure Command to write to SimSecure using given file (may brick your phone when used without knowledge)
Bootloader / DownloadMode Features :
-------------------------------------
- Load any file to mobile at any address and execute (bootloader f.e.)
- Read out complete NAND Memory using bootloader (range given) with included MSM6250/A bootloader or any given bootloader
Usage : Take out battery, put in battery, press ON # to enter emergency mode, Execute Loader
or (with SL91, SF71 f.e.) enable FTM mode, Execute Loader
- Use any Download Mode or Bootloader Command to experiment
- Read application memory of newer Diag Ver 6 in Download Mode
- Show complete infos about used NAND after loading of Bootloader
Flasher Features :
-----------------
Flash any QC mobile (OBL Multiboot) with given bootloader
- Flash PBL (dangerous), QCSBL, QCSBL Header and Config Bits, Partition, OEMSBL, OEMSBL Header, AMSS, AMSS Header and EFS
3. Crypto Function :
-----------------
- Calculate CRC-30, SHA1 and MD4 of any file
- Bruteforce bytes to fit CRC-30 needed when qcsblhd_cfgdata.mbn was edited
- Decrypt any RSA-Message, including ASN-1 / SHA Signatures.
- Check firmware signature given Modulus and Exponent
4. Sim_Secure extraction/decryption (non-public)
5. Full Feature JTAG Interface (non-public)
Although it is still a bit buggy and things have to be sped up ...
it is the successor of AMSS Analyzer .... but more reliable and even much faster
Planned in future :
-----------------
1. Bugfixes
2. Tooltips showing real addresses in graphical window
3. EFS2 Directory Browsing
4. Elimination of extracted files in amss.mbn for better understanding
5. Simple NVItems Editor
6. Porting NVM hack already working with JTAG to COM/USB
7. AMSS signature hack, Exploit for Signature (this will be a tough task)
8. Read out SMS / Addressbook via Diag Interface
NO UNLOCKING ! PLEASE DO NOT REQUEST. THIS PROJECT IS FOR EDUCATIONAL PURPOSES ONLY, NOT TO HARM COMPANIES FOR THEIR EFFORTS.
What we need :
----------------
- Any contribution to the project is welcome.
- Donations for new hardware and software for further development of this tool.
- We need support in programming and documentation XD
Link to the project files :
------------------------
Version 3.00 Fruit Assassin (Major Release)
http://code.google.com/p/qcbqsanalyzer/downloads/list
Cya and keep on reversing,
Viper BJK
For full source, see project homepage.
If you think my tool is useful and you would like to donate some money for further development, feel free to do so :
http://viperbjk.beepworld.de/
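The "Check firmware signature given Modulus and Exponent" and "Decrypt any RSA-Message, including ASN-1 / SHA Signatures" items above are PKCS#1 v1.5 verification with a SHA-1 DigestInfo. Below is an added Python example of that check (not code from QC BQS Analyzer or its author); the key is a constructed throwaway built from Mersenne primes and the sample image bytes are constructed, not real firmware.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-1 (PKCS#1 v1.5, RFC 3447 sec. 9.2);
# the 20-byte SHA-1 digest follows it inside the padded block.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def pkcs1v15_sha1_block(data: bytes, k: int) -> bytes:
    """Rebuild EM = 00 01 FF..FF 00 || DigestInfo || SHA1(data) for a k-byte modulus."""
    pad_len = k - 3 - len(SHA1_DIGESTINFO) - hashlib.sha1().digest_size
    if pad_len < 8:
        raise ValueError("modulus too small for a SHA-1 PKCS#1 v1.5 signature")
    return (b"\x00\x01" + b"\xff" * pad_len + b"\x00"
            + SHA1_DIGESTINFO + hashlib.sha1(data).digest())

def rsa_public(sig: bytes, n: int, e: int) -> bytes:
    """Raw public operation s^e mod n: the 'decrypted' signature block, which
    should show the padding, the ASN.1 DigestInfo and the SHA-1 digest."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        raise ValueError("signature length or value does not fit the modulus")
    return pow(s, e, n).to_bytes(k, "big")

def verify_firmware_signature(data: bytes, sig: bytes, n: int, e: int) -> bool:
    """Check a PKCS#1 v1.5 SHA-1 signature using only the public (n, e). The whole
    block is recomputed and compared, so malformed padding is rejected, not skipped."""
    try:
        em = rsa_public(sig, n, e)
        return hmac.compare_digest(em, pkcs1v15_sha1_block(data, len(em)))
    except ValueError:
        return False

# Constructed demo key: Mersenne primes, trivially factorable, NOT a real vendor key.
DEMO_P, DEMO_Q, DEMO_E = 2**127 - 1, 2**521 - 1, 65537
DEMO_N = DEMO_P * DEMO_Q                                  # 648-bit modulus (81 bytes)
DEMO_D = pow(DEMO_E, -1, (DEMO_P - 1) * (DEMO_Q - 1))     # private exponent

def demo_sign(data: bytes, n: int = DEMO_N, d: int = DEMO_D) -> bytes:
    """Private operation, used here only to produce a sample signature to verify."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(pkcs1v15_sha1_block(data, k), "big")
    return pow(em, d, n).to_bytes(k, "big")

if __name__ == "__main__":
    image = b"constructed sample amss.mbn contents"  # constructed, not real firmware
    sig = demo_sign(image)
    print("genuine :", verify_firmware_signature(image, sig, DEMO_N, DEMO_E))
    print("tampered:", verify_firmware_signature(image + b"\x00", sig, DEMO_N, DEMO_E))
```

With a real image, `rsa_public` on the vendor signature bytes shows whether the recovered block has the expected padding and DigestInfo layout before the digest is even compared.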