[UTIL] QC Mobile Analysis Tool - Universal tool for QC mobile analysis (and HTC too)
viperbjk
13th August 2008, 02:35 PM
QMAT - QC Mobile Analysis Tool
What is it ?
It is a development and debugging tool for Qualcomm mobiles - the only tool you'll ever need for research and development.
Who may need it ?
Mobile engineers / reverse engineers and cryptanalysts
Crypto Functions :
- Calculate CRC-30, CRC-32, SHA1, SHA2 (SHA224 + SHA256), MD4 and MD5 of any file
- Bruteforce bytes to fit CRC-30 needed when qcsblhd_cfgdata.mbn was edited
- Decrypt and Encrypt any RSA-Message, including ASN-1 / SHA Signatures. (you can add publickeys to publickeys.xml)
- Generate RSA Private Key and create .pvk files
- Check firmware signature given Modulus and Exponent (for HTC and BQS mobiles)
- Extract information from .pvk files
- Search for algorithms in binary files (find cryptomethods + signatures) CRC8, CRC16, CRC32, MD4, MD5, SHARK, HAVAL, GZIP, ZIP, SHA1, ... and much more (you can add cryptosignatures to crypto.xml)
JTAG Interface :
(soon via Segger J-Link)
Functions for QC mobiles :
1. Load binary files for :
Extraction of certificates
Extraction of BMPs,GIFs,PNGs, JPGs
2. Load Partition File to get overview about NAND/NOR structure
3. Send any String to a COM/USB Port and backup all your SMS !
4. Make usage of QCs Diag USB/COM Port Interface
(Useful for any QC mobile in the world)
Standard Features :
- Send standard diag commands or any hexadecimal command you want (database included)
- Read out all NVItems (range given)
(all that exist, more than QPST normally extracts)
- Backup and Restore all NVItems
- Read out and Dump Firmware in Memory (SRam)
- Read out complete EFS
- Switch to FTM Mode (or anything else you want)
- Get infos about phone, codes ..... etc ..... a lot more functions
- Generate SimSecure Command to write to SimSecure using given file (may brick your phone when used without knowledge)
- Full Feature EFS Browser
Bootloader / DownloadMode Features :
- Load any file to mobile at any address and execute (e.g. a bootloader)
- Read out complete NAND Memory using bootloader (range given) with included MSM6250/A bootloader or any given bootloader
Usage : Take out battery, put in battery, press ON # to enter emergency mode, Execute Loader
or (e.g. with SL91, SF71) enable FTM mode, Execute Loader
- Use any Download Mode or Bootloader Command to experiment
- Read application memory of newer Diag Ver 6 in Download Mode
- Show complete infos about used NAND after loading of Bootloader
Flasher Features :
Flash any QC mobile (OBL Multiboot) with given bootloader
- Flash PBL (dangerous), QCSBL, QCSBL Header and Config Bits, Partition, OEMSBL, OEMSBL Header, AMSS, AMSS Header and EFS
Functions for BQS only :
1. Load AMSS to extract files or useful infos
(EF81, E81C, EF91, SXG75, EF82, SF71, SL91 or similar ones)
Features :
Extract Infos from AMSS : USBID, Product.Nr., SVN, SwBuild, Mobiletype
Extract internal filesystem (mif,bar,sig etc. files)
Extract AMSS signature bytes (if production key)
Show all file references used by mobile
2. Check Firmware validity (signature)
3. Sim_Secure extraction/decryption (non-public)
4. Master-/Usercode/Unlock extraction and direct unlock (non-public)
Functions for HTC only :
1. Check validity of HTC firmware (signature check)
2. Cut out signatures from .nbh file
3. Split radio.nb into qualcomm files for analysis
4. Find HTC Public keys using Cryptosearch
5. Generate Security passwords (SPL + radio) for newer HTC
6. Generate NBH Files (you can add any device into devlist.xml)
7. Dump Files from NBH (you can add any type into nbhtype.xml)
8. Fix radio.nb checksum
9. Generic Bootloader / AT Command interface with logging functions
Functions for Network Engineers
Network Calculators :
TDMA (GSM/UMTS) :
--------------------
IMEI
GSM A5-1
GSM A5-2
GSM A5-3
3G ECSD
GEA3 - GPRS
3G SNOW
3G UEA2
3G UIA2
GSM A3/A8 COMP128 V1
GSM A3/A8 COMP128 V2
GSM A3/A8 COMP128 V3
3G Milenage
3G Milenage Resync
CDMA :
-------
CAVE
CAVE Authentication
CAVE CMEA
CAVE EMEA
CAVE EMEA_NF
CAVE Wireless Residential Extension
CAVE Datakey / Look Up Table / Mask
CAVE DTC / DCCH
CAVE KSG
CAVE Long Block
CAVE Short Block
CAVE Enhanced Message
CAVE Enhanced Voice Privacy
CAVE Enhanced Data Mask
and much more ....
Planned in future :
1. Bugfixes
2. EFS Restore to Zip File
3. QC Jtag interface using Segger J-Link ARM
4. LNBS HTC support to replace MTTY
5. Tooltips showing real addresses in graphical window
6. CDMA Write functions
7. Read out / Write back Addressbook
8. Restore backed-up SMS to phone
9. much much more
NO UNLOCKING ! PLEASE DO NOT REQUEST. THIS PROJECT IS FOR EDUCATIONAL PURPOSES ONLY, NOT TO HARM COMPANIES FOR THEIR EFFORTS.
What we need :
- Any contribution to the project is welcome.
- Donations for new hardware and software for further development of this tool.
Link to the project files :
------------------------
Version 4.21 (Major Release) Stable
QMAT Homepage (http://revskills.de)
Cya and keep on reversing,
Viper BJK
==> Donate via PayPal <== (https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=info%40revskills%2ede&item_name=Donations%20for%20QMAT&no_shipping=1&tax=0&currency_code=EUR&lc=US&bn=PP%2dDonationsBF&charset=UTF%2d8)
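As an added example (not QMAT's code, and not a description of how QMAT does it), here is what the "bruteforce bytes to fit CRC-30" step from the feature list above amounts to once written down. It assumes the CRC-30/CDMA parameters (poly 0x2030B9C7, init and xorout 0x3FFFFFFF, no bit reflection) and a 4-byte field in the blob that the loader does not interpret; whether qcsblhd_cfgdata.mbn uses exactly that CRC variant, and where such a field sits, is not verified here, and the sample blob is constructed. It goes beyond a blind search: for messages of one fixed length a CRC is affine over GF(2), so the 32 field bits are solved for directly with a small XOR basis instead of trying up to 2^30 candidates.

```python
# Added example, not QMAT's code: make an edited blob keep a target CRC-30 by
# solving for the 4 bytes of a "free" field instead of brute-forcing them.
# ASSUMED parameters: CRC-30/CDMA (poly 0x2030B9C7, init 0x3FFFFFFF,
# xorout 0x3FFFFFFF, no bit reflection).  Whether qcsblhd_cfgdata.mbn uses
# exactly this variant, and where an uninterpreted 4-byte field sits in it,
# is not verified here; the sample blob below is constructed.
from typing import Optional

POLY = 0x2030B9C7
INIT = 0x3FFFFFFF
XOROUT = 0x3FFFFFFF
MASK30 = (1 << 30) - 1


def crc30(data: bytes) -> int:
    """Bitwise CRC-30, MSB first, no reflection."""
    crc = INIT
    for b in data:
        crc ^= b << 22  # line the byte up with the top 8 bits of the 30-bit register
        for _ in range(8):
            if crc & (1 << 29):
                crc = ((crc << 1) ^ POLY) & MASK30
            else:
                crc = (crc << 1) & MASK30
    return crc ^ XOROUT


def with_field(blob: bytes, off: int, value: int) -> bytes:
    """Copy of blob with the 4-byte field at off set to value (big-endian)."""
    return blob[:off] + value.to_bytes(4, "big") + blob[off + 4:]


def forge_field(blob: bytes, off: int, target: int) -> Optional[bytes]:
    """Pick the 4 bytes at off so that crc30(result) == target.

    For messages of one fixed length crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0),
    so the CRC is affine in the field bits: column i is the CRC change caused
    by field bit i alone, and we need the subset of columns XORing to
    target ^ base.  That is a 30x32 system over GF(2); a Gaussian XOR basis
    that remembers which field bits built each pivot solves it directly.
    """
    base = crc30(with_field(blob, off, 0))
    cols = [crc30(with_field(blob, off, 1 << i)) ^ base for i in range(32)]

    basis = {}  # pivot bit -> (reduced vector, field bits that produce it)
    for i, v in enumerate(cols):
        combo = 1 << i
        while v:
            pivot = v.bit_length() - 1
            if pivot not in basis:
                basis[pivot] = (v, combo)
                break
            bv, bc = basis[pivot]
            v ^= bv
            combo ^= bc

    v, combo = target ^ base, 0
    while v:
        pivot = v.bit_length() - 1
        if pivot not in basis:
            return None  # this field cannot reach the target (rank < 30)
        bv, bc = basis[pivot]
        v ^= bv
        combo ^= bc
    return with_field(blob, off, combo)


# Constructed sample: a 64-byte pseudo config header whose last 4 bytes are
# treated as the free field and whose "signed" CRC is the original one.
FREE_FIELD = 60
ORIGINAL = bytes(range(60)) + b"\x00" * 4
EXPECTED_CRC = crc30(ORIGINAL)

# Edit a config word at offset 8, then repair the CRC through the free field.
EDITED = with_field(ORIGINAL, 8, 0xDEADBEEF)
FIXED = forge_field(EDITED, FREE_FIELD, EXPECTED_CRC)

if __name__ == "__main__":
    print(f"original crc30 = {EXPECTED_CRC:08x}, edited = {crc30(EDITED):08x}, "
          f"fixed = {crc30(FIXED):08x}, field = {FIXED[FREE_FIELD:].hex()}")
```

The same solve works for a field anywhere in the blob, not only at the end, because the trailing bytes only multiply the field polynomial by an invertible power of x modulo the generator. The one check worth keeping in a real tool is that the chosen field really is ignored by the loader; a CRC fix-up in a field that is parsed just moves the breakage elsewhere.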
pof
13th August 2008, 03:22 PM
Thanks, that's very useful. Keep up the good work! :)
viperbjk
13th August 2008, 07:17 PM
Update : Version 3.51
---------------------
- Crypto Bugfixes solved
- Com Port Bugfixes solved
Added QMAT 3.51 manual to download page :)
Cya,
Viper BJK
viperbjk
15th August 2008, 05:46 PM
Update : 3.52
-------------
What's new ?
1. Added SHA2 crypto search algos (SHA224 and SHA256)
2. Added SHA2 (SHA224 and SHA256) and MD5 hash generation
3. Some Bugfixes
4. HTC Security Generator for all newer HTC models (reverse genned) :
SPL and radio (works with Diamond !!)
Note : For Copy'n'Paste .. do not use MTTY, but Putty !!!
See new manual for further details ....
Enjoy !
Cya,
Viper BJK
tom_codon
15th August 2008, 05:51 PM
nice one..!
Thanks
viperbjk
18th August 2008, 07:52 PM
New version : 3.54
------------------
Updates :
- Added SHA-256 from HTC
- Improved RSA Decryption ... now better readable
- Added function to reverse byte strings for RSA Decryption
- Bugfixes
Cya,
Viper BJK
Update:
Small SHA2 bugfix
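As an added example (not QMAT's code and not HTC's or BQS's verifier), here is the kind of check behind "check firmware signature given modulus and exponent" from the feature list and the "reverse byte strings for RSA decryption" item above: a PKCS#1 v1.5 signature verified from (n, e) alone, with an option for signatures stored little-endian in an image. No vendor key is on the page, so a toy 1024-bit key pair is generated in the block itself, the "firmware" is a constructed byte string, and the DigestInfo prefixes are the RFC 3447 ones. The caveat it demonstrates is that the whole encoded block must be compared, not just searched for the digest.

```python
# Added example, not QMAT's code: check an RSA / PKCS#1 v1.5 signature given
# only (modulus, exponent) and the signed data, the way a firmware signature
# check works.  No vendor key is on the page, so a toy 1024-bit key pair is
# generated here; DigestInfo prefixes are the RFC 3447 ones.
import hashlib
import random
from typing import Tuple

DIGEST_INFO = {  # DER DigestInfo prefixes, RFC 3447 section 9.2 note 1
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; enough for a demo key, not a production key generator."""
    if n in SMALL_PRIMES:
        return True
    if n < 2 or any(n % p == 0 for p in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_key(bits: int = 1024, e: int = 65537) -> Tuple[int, int, int]:
    """Return (n, e, d).  Uses random, not secrets: demo only."""
    def prime(b: int) -> int:
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n = p * q
        if p != q and n.bit_length() == bits and (p - 1) % e and (q - 1) % e:
            return n, e, pow(e, -1, (p - 1) * (q - 1))


def emsa_pkcs1_v15(data: bytes, k: int, hash_name: str) -> bytes:
    """00 01 FF..FF 00 DigestInfo||H(data), padded to the modulus length k."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(data: bytes, n: int, d: int, hash_name: str = "sha256") -> bytes:
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(data, k, hash_name), "big")
    return pow(em, d, n).to_bytes(k, "big")


def verify(data: bytes, sig: bytes, n: int, e: int, hash_name: str = "sha256",
           byteorder: str = "big") -> bool:
    """byteorder="little" handles a signature stored reversed in a firmware image."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, byteorder)
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    # Compare the entire encoded block.  A verifier that only looks for the
    # digest somewhere after 00 01 FF.. 00 accepts forged blocks under e=3.
    return em == emsa_pkcs1_v15(data, k, hash_name)


# Constructed sample "firmware" and key.  LAX_SIG decrypts to a block a sloppy
# verifier would accept (digest present, padding too short); it is produced
# with d only to show that the strict comparison rejects it.
N, E, D = generate_key()
FW = b"constructed firmware image " * 64
SIG = sign(FW, N, D)
_k = (N.bit_length() + 7) // 8
_t = DIGEST_INFO["sha256"] + hashlib.sha256(FW).digest()
LAX_EM = b"\x00\x01\xff\x00" + _t + b"\x00" * (_k - len(_t) - 4)
LAX_SIG = pow(int.from_bytes(LAX_EM, "big"), D, N).to_bytes(_k, "big")
```

When the modulus itself comes out of a dump (as the cryptosearch feature above finds it), apply the same byte-order question to it before use; a modulus read in the wrong endianness will simply make every signature fail, which is the safe failure mode but a confusing one.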
asksaravana
18th August 2008, 08:11 PM
Good information. thanks
viperbjk
21st August 2008, 02:52 PM
New version : 3.6
------------------
Updates :
- Added NBH Generator Tool
=> you can add any device to devlist.xml
=> you can sign rom files either using pvk file or using dummy signature
- Added NBH Dump Tool
=> Remove Signatures function or
=> Extract any part you wish or
=> Extract all files from nbh
=> Show infos about nbh file
=> Add new deviceparts (typeinfo) to nbhtype.xml
- Added publickeys as XML
=> add any public key to publickeys.xml
- Added tool to fix radio.nb checksum :)
Bugfixes :
- Fixed NBH Signature extraction
- Fixed RSA Function
For the design of NBH Tools, I was strictly influenced by Olipro's work :)
Cya,
Viper BJK
qtek_metanol
21st August 2008, 03:01 PM
This is a real work....!!!!
thx for this great program
viperbjk
24th August 2008, 03:36 PM
Update : 3.61
-------------
What is new ?
-------------
After being fed up with buggy Putty + Mtty, I implemented
HTC Bootloader AT Command Interface. (see picture below)
Also I was missing a good copy paste function for my hex editor.
Why wasn't it working before ?
=> HTC Bootloader isn't able to take more than one byte sent.
So :
- Implemented HTC Bootloader AT Command Tool (works also for other ones)
- Several severe bugfixes (like Display fixes)
- Fixed RSA Decryption bug (Pubkeys loaded incorrectly from xml)
What will be next ?
------------------
As I'm a Vista user (sic!) I also use the really old Activesync driver.
But this one lacks high-speed transfer, so I'm going to implement a solution
for newer HTC phones and newer OS, as Micros*** changed to WinUSB Interface (which is better imho than virtual com port).
So :
- Will implement REAL Usb interface, no virtual serial port use
Cya,
Viper BJK
viperbjk
25th August 2008, 08:11 PM
Small update :
--------------
WinUSB is now fully implemented !
It really works like a charm, much faster than putty or mtty, and really stable.
mb command runs like hell :)
Even better, you can break off USB connection and continue seconds after reading out bytes .... this is big news :)
So ... Vista Users, use new WMDC drivers, forget about old activesync one.
And as for the XP users, download WinUSB runtimes now :)
Bad to say, but of course WinUSB won't work with old activesync.
I'm going to implement now a logfunction for binary data, so it can be used with pdump. Once I understand how "autodownload" works, I will implement it also so that my tool can replace mtty.
If there are any wishes what should be implemented, say so :)
Of course I will open source for WinUSB connection for those who want to port their tools.
Cya,
Viper BJK
viperbjk
30th August 2008, 02:38 AM
Update 3.70
------------
What is new ?
--------------
- Big bugfixes
- Added new WinUSB and Serial Interface for HTC Bootloader (with binary log AND pdump support)
- Added partition tool to show MORE info
- Complete new Serial interface
- Added feature to use different bootloader commands for nand reading
- Added feature to read different sizes for nand reading
- Fixed radio.nb extraction
- Fixed radio.nb checksum calculation
- etc. ..... see Manual 3.7 for complete introduction
Cya,
Viper BJK
viperbjk
30th August 2008, 03:27 AM
Update 3.71
------------
Sorry for that one ... WinUSB didn't work due to a memory leak.
Fixed ....
Cya,
Viper BJK
viperbjk
1st September 2008, 08:52 PM
Update 3.72
------------
What's new ?
-------------
- Included HTC Security Decoder in AT Command Interface
(easier to use)
- Fixed USB / SER Problems
- HTCE/HTCS were not displayed correctly
- Fixed Display Scroll Problems in AT Command Interface
Enjoy !
Cya,
Viper BJK
viperbjk
1st September 2008, 10:15 PM
Update 3.73 *Speed release !*
------------
As someone really needed this func, the following was added :
- htc at command interface bytelog can now be any filename (select log file)
- You can send any data to encapsulate, for example you want to send bytes 0x00 0x01 0x02 and 0x03 .... enter "00010203", press encap button and
bytes will be sent using the correct HTC "HTCS....HTCE" encap
Cya,
Viper BJK
viperbjk
2nd September 2008, 02:19 AM
Update 3.74 *Special Edition for CMonex* :)
------------------------------------------
News :
- Added function to upload files in encapsulated header :)
- Bugfixes
Cya,
Viper BJK
viperbjk
11th September 2008, 06:07 PM
News :
-------
3.74 has a lot of bugs in it, so sorry for that.
Download of my tool is atm not possible, I'm looking for another hoster.
New version 3.75 will be soon out, adding several bugfixes and nvitems support for HTC. Also, beginning with 3.75, my software will be shareware.
People that already donated 15 EUR will of course get source and registration key as usual for free.
Expect news soon.
Cya,
Viper BJK
swtos
11th September 2008, 08:21 PM
ThanX Alot for this GREAT Tool !
Keep up your Good Work !
alncool
11th September 2008, 08:44 PM
Is it possible to upload this tool on the board ? I have forbidden access to the google code page ... :'(
viperbjk
11th September 2008, 10:52 PM
Is it possible to upload this tool on the board ? I have forbidden access to the google code page ... :'(
Sorry, I will upload the new version of the tool as soon as my new domain is up and running. Of course I can also upload it to the board.
As I changed my software to shareware license I am no longer allowed to host it on google.
Cya,
Viper BJK
viperbjk
12th September 2008, 10:34 PM
Small update :
--------------
New version will take some time, sorry for that.
I'm going to host my software now on my own, as google's policy does not allow hosting shareware.
Stay tuned :)
What will be included in new version :
--------------------------------------
- Cryptosearch uses now xml database
- Cryptosearch is also able to find algos in big endian
- Added several new algos
- For registered people, GSM/ECSD/GEA3 A3/A8/A5.1/A5.2/A5.3 keygen will be included
Unregistered version will still be free to use, but may only be run 10 minutes each session.
Cya,
Viper BJK
P.S.: If there is a need for A-Key (CDMA) calculation, I will add that too.
viperbjk
15th September 2008, 01:32 AM
Another update :
----------------
New website is almost done. I hope I can release the next version this week.
The Network Calculator has been expanded and will include :
-------------------------------------
TDMA :
GSM A5-1
GSM A5-2
GSM A5-3
3G ECSD
GEA3 - GPRS
3G SNOW
3G UEA2
3G UIA2
GSM A3/A8 COMP128 V1
GSM A3/A8 COMP128 V2
GSM A3/A8 COMP128 V3
3G Milenage
3G Milenage Resync
CDMA :
CAVE (all specs)
-------------------------------------
Update :
I've reversed complete Comp128 V2 and Comp128 V3 algorithms.
Out of respect for global gsm providers and knowing that
almost all gsm providers use comp128V2, I will only
release the sources of my tool including these algorithms to
proven gsm providers and members of gsm/3gpp group.
Cya,
Viper BJK
viperbjk
17th September 2008, 07:36 PM
Small update :
--------------
Last few steps are going to be done for the next release.
I only need to implement a few missing cave functions, then the new software
release will hit the public.
A lot of sleepless nights have gone into implementing missing algorithms like comp128 v2 and v3 and cave, and cryptosearch features like big endian search (this one really rules !), but also a lot of unusual cryptoalgos.
The network calculators will be available to registered users and are a real gem for network engineers, as more than just the standard things can be calculated.
Stay tuned for the next release, hopefully available at the end of this week.
Cya,
Viper BJK
viperbjk
18th September 2008, 12:27 PM
Update :
---------
Tool is now being beta tested by some reversers. As soon as all bad bugs are fixed *hopefully none*, tool will be released.
Cya,
Viper BJK
viperbjk
22nd September 2008, 04:09 PM
Update :
--------
Some betatester bugs were found and are now fixed. Also I implemented the essential network calculations also for CAVE, so that the network calculator features the following functions :
TDMA (GSM/UMTS) :
--------------------
GSM A5-1
GSM A5-2
GSM A5-3
3G ECSD
GEA3 - GPRS
3G SNOW
3G UEA2
3G UIA2
GSM A3/A8 COMP128 V1
GSM A3/A8 COMP128 V2
GSM A3/A8 COMP128 V3
3G Milenage
3G Milenage Resync
CDMA :
-------
CAVE
CAVE Authentication
CAVE CMEA
CAVE EMEA
CAVE EMEA_NF
CAVE Wireless Residential Extension
CAVE Datakey / Look Up Table / Mask
CAVE DTC / DCCH
CAVE KSG
CAVE Long Block
CAVE Short Block
CAVE Enhanced Message
CAVE Enhanced Voice Privacy
CAVE Enhanced Data Mask
Also I did heavily update the cryptosearch and algorithms.
As these features are implemented now, I'm now waiting for the comments of the betatesters and their bugs to be fixed. Once they're done (this week for sure), I will release the new version of my tool you've all been waiting for such a long time.
Cya,
Viper BJK
yjlee168
22nd September 2008, 06:44 PM
me too. from taiwan to log in. help needed... thx.
Is it possible to upload this tool on the board ? I have forbidden access to the google code page ... :'(
viperbjk
22nd September 2008, 10:34 PM
me too. from taiwan to log in. help needed... thx.
yjlee .... solution for downloading will be available soon :)
http://www.revskills.de/downloads/QMATManual.pdf
This is the manual for the new upcoming version :)
Stay tuned ... beta testing is almost done :)
Cya,
Viper BJK
viperbjk
23rd September 2008, 04:59 PM
New version 3.75 out !
----------------------
After quite a lot of sleepless nights, I proudly present the new version 3.75.
What's new ?
-------------
- Tool is now shareware. Without registration, it will only run 10 minutes each session, new network calculator and flashing is only available to registered users. Registration costs 15 EUR and will be used for further development of the software.
- Network calculator (TDMA and CDMA) for encryption/decryption and authentication calculations (registered users only)
- NV Items Dumper for HTC Dumps
- Crypto Search supports also big endian search and new algos can be added to crypto.xml
- Extraction now also works for globe phones
- Several bugfixes and much much more to mention ... see manual :)
Cya and enjoy,
Viper BJK
P.S.: For downloading of the software, see my signature
viperbjk
24th September 2008, 01:55 AM
New version 3.76 out
---------------------
News :
- Com port bugfixes
- Bootloader bugfixes, Special Bootloader now supports lengths
- Added Imei calculation to Network Calculator
- Added Get SimSecure Button for Benq Mobile Repair Support
Cya,
Viper BJK
viperbjk
25th September 2008, 02:38 AM
New version 3.77 out
--------------------
News :
-------
- Internal fileextraction is now universal. Just add the right
memory offset and device to filesys.xml.
- Implemented rudimentary EFS
(Directory browsing) ..... backup and restore tool will soon be added :)
- Added support of Globe WTPH 1090
- Bugfixes
Cya,
Viper BJK
viperbjk
26th September 2008, 01:19 AM
News :
-------
After implementing VERY rudimentary EFS support, I did now implement full EFS Reading support ...... and .... it is even faster than BitPim and will offer more info :)
Next steps will be to include "Read File", "Write File", "Create Directory", "Remove Directory" and of course very fast Backup / Restore Functions.
So stay tuned ... as my tool will become a real professional Software for any QC work :)
I'm also thinking about adding reverser tools like automatic memory search. If there is any need for any feature, please go to http://forum.revskills.de.
Good ideas will be rewarded with a free registration :)
Cya,
Viper BJK
viperbjk
26th September 2008, 11:36 AM
New features that might be added :
- EFS Browser (being implemented right now)
- BRT and QC NVItems Dumper
- NVItems Editor
- CDMA NAM Updater
- HTC mtty download feature (lnb/lnbs)
- Add support for Huawei E220 (unlock / read EFS etc.)
- Add support for Globe Phones
- JTAG interface
What do you think should be added or would be useful ?
viperbjk
26th September 2008, 11:25 PM
It seems I've got to do a large step forward with my tool.
I never really thought about fixing memory leaks ... but now, developing the
EFS Tool, I really had to.
189 MB memory allocation in under 5 sec ... that was way too much.
36 MB wasn't even better ... now it's 0 bytes memory leak :)
See image how EFS Tool already looks like in actual development version.
Cya,
Viper BJK
Update :
It's very fast, and it seems regarding download of files, it is even much faster than BitPim.
Also it is able to read files that BitPim can't :)
viperbjk
28th September 2008, 02:22 AM
Some of you always said parts of QMAT are unstable.
Yes, you were right. Tonight I found a solution to an issue I always wanted to have fixed. Normally I had to call the ComPort Interface Class by searching it via FindWindow. Of course that one didn't always succeed.
Now, thanks to C. Petzold (that Microsoft Guy) I realized there is a better way to do so : GetParent().
Also I improved a lot in new version.
EFS Browser is almost done, only few functions are missing.
Cya,
Viper BJK
viperbjk
29th September 2008, 02:42 AM
New version 3.80 out
--------------------
What's new :
- Fixed Com Port memory leaks (much more stable now, and faster)
- FULL EFS2 (Embedded Filesystem) Support for all QC mobiles > Brew 3.x
(offers more standard features than BitPim like set attributes and remote
links and can even read damaged files)
- Updated Manual , now with Example usage
- Fixed a lot of bugs and memory leaks
What will be next :
------------------
- HTC LNB/s support
- Backup / Restore whole directories to EFS as ZIP
- QC Jtag interface
Cya,
Viper BJK
P.S.:
Thanks to all that registered and donated so far, making this tool possible
viperbjk
29th September 2008, 10:24 AM
Update : Version 3.81
---------------------
Some people could not start the program. Issue fixed.
Sorry for that.
Cya,
Viper BJK
viperbjk
29th September 2008, 03:19 PM
Update 3.82 *HotFix*
---------------------
EFS Changes :
--------------
- Some strange behaviour occured when removing files.
Fixed that to work now.
- When a Directory is empty, File Menu cannot be reached.
Now you can select a Directory and upload a file via the Directory Menu.
Cya,
Viper BJK
P.S.:
Thanks for the error reports ! :) And sorry for so many updates lately.
But I try to release bugfixes as soon as possible :)
viperbjk
2nd October 2008, 08:53 PM
Sometimes com port handling really is no fun at all :)
For the implementation of HTC lnb command, I had to rewrite the complete serial thread handling.
So stay tuned for more news soon :)
Cya,
Viper BJK
cr2
7th October 2008, 01:16 AM
Also, beginning with 3.75, my software will be shareware.
Can somebody post the 3.74 source here ?
viperbjk
7th October 2008, 01:37 AM
For Source please request at http://revskills.de.
Cya,
Viper BJK
viperbjk
7th October 2008, 05:41 PM
Small update :
--------------
Currently I'm heavily implementing severe changes in my software.
Some features that will be added in next version released soon :
- Complete redesign of menu GUI for better understanding
- Function search (search for typical QC functions with wildcards in binary files) with
editable database
- lnb support for HTC (currently, serial port supported only)
- Complete rewrite of HTC AT command (now better handling of USB and serial)
- Cut Tool (cut x bytes every x bytes starting from offset x)
- EFS Browsing fixes
I'm also thinking about a IDA plugin to implement my tool to IDA for debugging and function retrieval.
Cya,
Viper BJK
P.S.:
Reversing my software and/or republishing it without permission (also buggy versions) is no good behaviour.
Using code segments of my tool for pure unlocking purposes without ever having registered my software at all and making money out of my hard work ... well .... think about it if it really helps in further development of this tool.
I won't support any unlocking at all, and my software was never intended to do so.
viperbjk
8th October 2008, 01:49 PM
New version 3.90 out
--------------------
What's new :
-------------
- Complete redesign of menu GUI for better understanding
- Function search (search for typical QC functions with wildcards in binary files)
with editable database and wildcard support
- lnb support for HTC (currently, serial port supported only)
- Complete rewrite of AT command interface (now better handling of USB and
serial)
- Cut Tool (cut x bytes every x bytes starting from offset x)
- EFS Browsing fixes
- etc ...
Cya,
Viper BJK
viperbjk
9th October 2008, 01:11 AM
New version 3.91 out
---------------------
Added important com port hotfix (increased timeouts)
Cya,
Viper BJK
cr2
9th October 2008, 02:42 PM
P.S.:
Reversing my software and/or republishing it without permission (also buggy versions) is no good behaviour.
Can you tell exactly how the pre-3.75 code was licensed ?
Since it was already hosted at google, i doubt that republishing these specific versions "is no good behaviour".
I'm not interested myself in any unlocking, windows software, shareware et al.
All CPU technical data gathered by me is full-disclosure, as you can see from wiki.
And the source code is all GPL (mostly linux kernel and haret)
viperbjk
9th October 2008, 03:27 PM
Pre-3.74 code is still out in public. It is no longer hosted at google due to license reasons. It was hosted under the license of GPLv3.
No good behaviour means :
Spreading a version that is known to be buggy which even bricks phones just to avoid registration, although the only limitation to the old version is the usage of 10 minutes per session, the old functions are still for free.
Or :
Reversing the software, using code parts without naming the author and using it against the author's will for unlocking purposes.
Asking for implementations, for example in order to port it to linux is just fine, and I am always happy in helping other people as long as the knowledge is in fair usage and respects the work of mobile companies and engineering divisions.
Due to the fact that security heavily increases and even small exploits vanish to make modding possible, I cannot release everything to the public .... otherwise there would be no more modding anymore in the future.
Just to get it straight why my software is now shareware and no open source anymore :
I hoped that donations would help me in further development of my tool, as I had to buy (and still have) a lot of hardware, software and licenses.
In fact, donations never exceeded 30 Euros in 2 years.
But a lot of people used my open source for their unlocking tools and made a lot of money.
Comparing the functions of my tool to competitors (that want more than 100 bucks for fewer features), I think the price of 15 Euro is fair.
If it isn't, please let me know.
I'm still a man of the community and will help in every aspect except unlocking, and will of course help other reversers as much as I can.
Cya,
Viper BJK
viperbjk
11th October 2008, 03:32 AM
New version 3.92 out
--------------------
What's new ?
-------------
1. Com port fixes :
- Changing tab will allow to change com port
- Stable write (no more crashes)
2. GUI improvements
Cya,
Viper BJK
viperbjk
11th October 2008, 09:52 PM
New version 3.93 out
--------------------
What's new ?
-------------
- Added several com port fixes
- Added better recognition of NVItems
- Added display one single NVItem
- Added easy NVItem Write Interface
Cya,
Viper BJK
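As an added example (not QMAT's code), here is what sits under "send any hexadecimal command", "read out one single NVItem" and the NVItem write interface mentioned in the posts above: the frame that goes down the diag port, and the parsing of what comes back. The framing (payload, CRC-16/X-25 appended low byte first, 0x7E and 0x7D escaped as 0x7D followed by the byte XOR 0x20, 0x7E terminator) and the NV_READ packet layout (command 0x26, u16 little-endian item, 128 data bytes, u16 status) are as used by open-source DM clients and are assumed here rather than taken from this page; the reply is constructed and deliberately contains the two reserved bytes so the escaping is exercised.

```python
# Added example, not QMAT's code: frame a Qualcomm DIAG/DM request and parse
# the reply.  Framing (payload, CRC-16/X-25 appended low byte first, 0x7E and
# 0x7D escaped as 0x7D then byte^0x20, 0x7E terminator) and the NV_READ
# packet layout (cmd 0x26, u16 LE item, 128 data bytes, u16 LE status) are as
# used by open-source DM clients and are ASSUMED here; the reply is constructed.
import struct

FLAG, ESC, ESC_XOR = 0x7E, 0x7D, 0x20
DIAG_NV_READ_F = 0x26
DIAG_NV_WRITE_F = 0x27
DIAG_BAD_CMD_F = 0x13   # phone's "unknown command" reply code (assumed)
DIAG_BAD_PARM_F = 0x14  # phone's "bad parameter" reply code (assumed)
NV_PACKET = "<BH128sH"  # cmd, item, data, status


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25 (the PPP FCS): reflected 0x1021, init and xorout 0xFFFF."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def hdlc_encode(payload: bytes) -> bytes:
    """payload || FCS, byte-stuffed, terminated by 0x7E."""
    out = bytearray()
    for b in payload + struct.pack("<H", crc16_x25(payload)):
        if b in (FLAG, ESC):
            out += bytes((ESC, b ^ ESC_XOR))
        else:
            out.append(b)
    out.append(FLAG)
    return bytes(out)


def hdlc_decode(frame: bytes) -> bytes:
    """Unescape one frame (including its trailing 0x7E), check the FCS, return the payload."""
    if not frame or frame[-1] != FLAG:
        raise ValueError("frame not terminated by 0x7E")
    raw = bytearray()
    it = iter(frame[:-1])
    for b in it:
        if b == ESC:
            nxt = next(it, None)
            if nxt is None:
                raise ValueError("dangling escape byte")
            b = nxt ^ ESC_XOR
        raw.append(b)
    if len(raw) < 3:
        raise ValueError("frame too short for a command byte and FCS")
    payload, fcs = bytes(raw[:-2]), struct.unpack("<H", raw[-2:])[0]
    if crc16_x25(payload) != fcs:
        raise ValueError("bad FCS: line noise, wrong baud rate or a partial frame")
    return payload


def nv_read_request(item: int) -> bytes:
    """NV_READ request: the data field is sent zeroed and filled in by the phone."""
    return hdlc_encode(struct.pack(NV_PACKET, DIAG_NV_READ_F, item, b"\x00" * 128, 0))


def parse_nv_read_reply(frame: bytes):
    """Return (item, status, data) or raise ValueError if the phone refused."""
    p = hdlc_decode(frame)
    if p[0] in (DIAG_BAD_CMD_F, DIAG_BAD_PARM_F):
        raise ValueError(f"phone rejected the request with 0x{p[0]:02x}")
    if p[0] != DIAG_NV_READ_F or len(p) != struct.calcsize(NV_PACKET):
        raise ValueError(f"unexpected reply: cmd 0x{p[0]:02x}, {len(p)} bytes")
    _, item, data, status = struct.unpack(NV_PACKET, p)
    return item, status, data


# Constructed sample reply for a made-up item number; the value deliberately
# starts with 0x7E 0x7D so the escaping path is exercised.
SAMPLE_ITEM = 0x1234
SAMPLE_DATA = (b"\x7e\x7dconstructed NV value").ljust(128, b"\x00")
SAMPLE_REPLY = hdlc_encode(struct.pack(NV_PACKET, DIAG_NV_READ_F, SAMPLE_ITEM, SAMPLE_DATA, 0))

if __name__ == "__main__":
    print("request:", nv_read_request(SAMPLE_ITEM).hex())
    print("parsed :", parse_nv_read_reply(SAMPLE_REPLY))
```

Two things a practitioner wants from a diag front end follow from this: a bad FCS must drop the frame rather than feed a half-received reply into the NV parser, and a write (0x27) should be built with the same packer and only sent after a read of the same item has parsed cleanly, since a mis-framed write is exactly how a phone ends up with a corrupted NV store.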
viperbjk
12th October 2008, 01:48 AM
New version 3.94
----------------
Speed update
- Improved byte cutter also to cut first signatures
- Byte Cutter fixes
Cya,
Viper BJK
P.S.: If there is a need for CDMA functions like min/nam/esn/prl etc ... please let me know.
viperbjk
12th October 2008, 04:42 AM
New version 3.95 - STABLE :)
----------------------------
- Added several new crypto algorithms
- Fixed EFS Browser Write
Cya,
Viper BJK
crusher
12th October 2008, 05:04 PM
lol mister BJK..
any chance to get the old buggy source code?
that was gpled.
or if anyone downloaded it in time, I would be thankful for that.
viperbjk
12th October 2008, 05:37 PM
Just tell me what you want to do :) Maybe I can help.
It was hosted under the license of GPLv3, but never was published as such.
That's why I've taken off the source and the tool from Google.
For a better understanding of what GPL really is, go to http://www.gnu.org/licenses/gpl-3.0.html.
Just as it is published under the license of GPL doesn't mean that the source code is for free
or that you may just use parts of the source code for your own work without permission or
copyright tags.
Sorry that this "GPL" is making so much trouble ... :D
But releasing it under GPLv3 only makes sense if there are people who
contribute to the code. I might release it again for public if I get the feeling that this really happens. But as long as the code is just copy'n'pasted into other tools ... sorry ... that doesn't help this community at all.
Cya,
Viper BJK
viperbjk
13th October 2008, 01:55 AM
New version 3.96 out
--------------------
What's new ?
-------------
- Bugfixes
- Improved Function scan
- Improved algorithm scan
- Add baudrate selection for CDMA phones
- Added new Code Tab in Com Tool :
- Send SPC and SP,
- Read several codes and passwords, like SPC, SP, fieldtest codes, PPP
passwords, etc.
- Get IMEI+IMSI from WCDMA and GSM + LAI/LAC/PLMN info
- Added general way to find SP in firmware for MSM6250/6280
etc.
Cya,
Viper BJK
viperbjk
14th October 2008, 03:38 AM
New version 3.97 out
--------------------
News :
-------
- Added Diag Mode enabler for some mobiles
- Added Bootloader enabler for ZTE
- Added several functions to function.xml
Cya,
Viper BJK
viperbjk
16th October 2008, 03:26 PM
Small update :
--------------
Got a new diamond today ... and oh ... QMAT seems to be still unstable.
Current version of the AT Command Interpreter Tool doesn't show anything when in USB Mode and both modes crash sometimes.
But relax :)
Fixes are already in the work ... so that we can replace mtty with a much more stable and improved QMAT very soon, I promise :D
Also due to the help of Jockyw2001 (giving me a CDMA phone for tests), I'll be able to add a whole bunch of CDMA features. So thx to him for his great support :)
If there are any future wishes for addons or features, please let me know, as other users may profit from your ideas.
Small update on Diamond reversing :
-----------------------------------
I was now able to identify the diag mode functions.
Good news : All functions in the GSM one seem to be intact and may need only little patching to enable diag mode.
So to say : We're on the track to enable this feature.
As for USA 3G Bands .... I'll have to wait for the firmwares, so I can compare if there is another CPU revision used in FUZE.
Then I can say if we're lucky and may be able to enable these bands.
As for Jtag - I'm currently programming a jtag interface for msm7x00x and others. Once I'm done,
we can begin JTAG testing. We need bricked phones from bad flashing that are no option for RMA/warranty.
Hopefully we will then be able to jtag diamond and that means we might be able to add more features, like the sd extension slot a lot of you are waiting for :D
Cya,
Viper BJK
sequan
16th October 2008, 11:55 PM
I think that this is a great and powerfull tool.
I also like where you are going with your open source approach....
I would like to offer anything that you may need from a Sprint Diamond.
I could send you any information and help test and diagnose.
Please keep the good work coming...
adfree
17th October 2008, 07:19 AM
Anybody is Welcome to Help each other.
Lets work together.
Best Regards
cmonex
19th October 2008, 11:16 AM
Small update :
--------------
all great stuff :D
if you need Fuze firmware, see wiki for roms. but it seems the radio doesn't matter, as 1.02.25.31 worked on the Fuze fine
great on the CDMA phone :)
viperbjk
19th October 2008, 02:43 PM
New version 3.98 out
--------------------
What is new ?
- Com and USB HTC AT Tool is now stable
- Both Com and USB support LNB command
What will be done for next version(s) :
- support of LNBS command in order to replace mtty completely
- CDMA support such as MIN/NAM writing etc.
Cya,
Viper BJK
viperbjk
21st October 2008, 03:09 AM
New version 3.99 out
----------------------------
News :
- Bootloader bugfixes
- Add read nand support for MSM6280 (Beta) via Bootloader
- Fixed some EFS issues
- Several gui fixes
In the works :
- support of LNBS command in order to replace mtty completely
- CDMA support such as MIN/NAM writing etc.
- upload files via activesync
- Jtag interface for most MSM
Cya,
Viper BJK
viperbjk
28th October 2008, 01:14 AM
New version 4.00 out
--------------------
What's new ?
-------------
- Several severe com port / usb / bugfixes
- Improved HTC AT interface to work with problematic laptops
- Fixed Read Memory in DWN Mode (length)
- Added Full EFS to ZIP feature in EFS browser
- Added Backup Directory to ZIP feature in EFS browser
In the works :
- support of LNBS command in order to replace mtty completely
- CDMA support such as MIN/NAM writing etc.
- upload files via activesync / easy diamond OS flash
- Jtag interface for most MSM
- Full Huawei E220 support
- Full Globe Quad Lite PCMCIA support
Cya,
Viper BJK
viperbjk
29th October 2008, 11:26 PM
Thanks to Jockyw2001, I'm now holding a cdma phone in my hands.
Next version will be much more stable, support ZTE phones and MSM6000 platform and will offer some more features.
So stay tuned !
Cya,
Viper BJK
viperbjk
31st October 2008, 01:04 AM
New version 4.01 out - STABLE
------------------------------
What's new ?
-------------
- Support of ZTE CDMA phones
- Support of unstable Phones using serial port
- General CDMA support
- Read out CDMA info
- Added MIN1/MIN2 algo to network calculator
- Fixed a lot of bugs in EFS/COM/USB and memory
- Added Option to use Index for NVItem Display
- and much more ...
In short : Best and most stable version ever !
In the works :
- support of LNBS command in order to replace mtty completely
- CDMA writing for registered users only
- upload files via activesync / easy diamond OS flash
- Jtag interface for most MSM
- Full Huawei E220 support
- Full Globe Quad Lite PCMCIA support
Cya n enjoy,
Viper BJK
viperbjk
3rd November 2008, 09:19 PM
New version 4.02 out
--------------------
What's new ?
-------------
- Bootloader and Flasher improvements
- Small bugfixes
Cya,
Viper BJK
viperbjk
4th November 2008, 08:05 PM
Small update on progress :
--------------------------
Next version 4.03 will add official support for Huawei E220.
Also the CDMA Interface will be reconstructed in the next version
and will offer options to write imsi and imsi_t fields like min, dir number, etc.
I will also add a feature to read out all contacts / phone numbers using diag port.
Not sure as for version 4.03 or 4.04, but I will also add an activesync file uploader,
making rom os update using diamond or htc phones in general very easy and secure.
I'm also thinking about adding some general seeking stuff like SPC search tools and adding an AT command browser *thanks for the idea, adfree*.
What would be nice to be added to make mobile life easier *except unlocking stuff* ?
Cya,
Viper BJK
viperbjk
9th November 2008, 07:52 PM
Small update :
--------------
New version 4.03 will have several improvements and a lot of new features.
Most people were waiting long for it, but now, I also included an EFS Search for SPC for both new and old MSM working, even if the device is security locked :D
Also using standard qc loader, you will now be able to dump the firmware easily. Thx to Xiao Jian, I will also add support for LG firmware dump.
I've added a lot of GUI improvements, bugfixes, additions and also Beta CDMA Write support.
I guess new version will be out this week :)
Cya and thx for all persons that have donated and support me in the progress of this tool,
Viper BJK
P.S.: sashomarten, please contact me via info@revskills.de, as your email is no longer existing
viperbjk
10th November 2008, 11:07 PM
Version 4.03 out
----------------
- Write CDMA beta
- Find SPC in EFS (new and old MSM)
- Find SP in Memory
- Bugfixes
- New commands (Frequency bands / IMSI, etc...)
- Gui improvements (heavily updated for easier use)
- New bootloader interface + commands
- Option Globetrotter 3G Quad support
- Huawei E220 support
- much more ....
Cya,
Viper BJK
stepw
11th November 2008, 04:54 AM
Hi viperbjk,
All of a sudden QMAT version 4.03 stopped working for me, while previous versions were... It seems to be failing while running protector stub, but I don't have any debuggers or monitors running, so it's not clear what's the cause.
I'm attaching a profiling log generated by depends.exe in XP SP3 and Vista.
Apparently if I'm the only one with this issue, then forget it, it's probably something on my PCs. If not, please fix :)
thanks!
viperbjk
11th November 2008, 08:21 AM
Yep, the protection stub has changed. Thanks for your reply.
Will release 4.04 with fixes today :)
Cya,
Viper BJK
viperbjk
11th November 2008, 11:20 AM
New version 4.04 out
--------------------
Changes :
- Now ALL EFS will be dumped (Big Bugfix)
- Protection stub corrected as some people could not run version 4.03
- We do also offer network licenses on special request, so license is personalized and not bound to one PC.
Cya,
Viper BJK
viperbjk
11th November 2008, 01:01 PM
New version 4.05 out - Hotfix
----------------------------
Sorry, but this fast hotfix was needed. Sometimes bad things you only get to know about occasionally, although I'm doing a lot of testing before release :(
- Com port bugfixes (heap errors)
- Signature bugfixes (algorithms, functions, spc search)
Cya,
Viper BJK
P.S.: We are currently talking with QC about official licenses to give you better support for QC mobiles.
viperbjk
18th November 2008, 01:58 PM
Small update on progress :
I'm currently changing the radio dump function.
The new implementation will be a universal split tool, with a database in xml.
Easy to use, and of course, splitting radio into the right files will be just fine.
Cya,
Viper BJK
viperbjk
20th November 2008, 12:51 AM
New version 4.06 out
--------------------
What's new :
- EFS Write bugfix (did only write 100 bytes)
- Improved HTC Radio Dumper a lot (may split any file according to config in radiosplit.xml)
Cya,
Viper BJK
viperbjk
25th November 2008, 02:15 AM
New version 4.07 out
--------------------
What's new :
-------------
- Read out ALL sms and contacts (also missed calls etc.) via AT
- Added several stability bugfixes (Com-Port)
- GUI changes
- Added several AT commands like reading from sim (imsi / kc)
- Added function to display and write memory easily
- etc.
Cya,
Viper BJK
viperbjk
26th November 2008, 07:08 PM
Exciting news for upcoming QMAT version 4.08 :
----------------------------------------------
Registered owners of QMAT will soon be able to
Send APDU directly to the Sim card according to TS 51.011
Thus, you will be able to read deleted sms, contacts, last dialed numbers, kc,
imsi, ck, etc.. while sim card is still in the mobile, you do not even need to buy
hardware for using it, you just need your data cable !
This feature will work for most 3G / UMTS mobiles and data modems,
also for a lot of non-Qualcomm ones.
Cya,
Viper BJK
viperbjk
27th November 2008, 02:42 PM
New version 4.08 out
--------------------
News :
-------
- Sim APDU Command Tool added
- Gui Bugfixes
- AT Command Bugfixes
Cya,
Viper BJK
borce_razor
27th November 2008, 06:18 PM
One small question only - licence is same type like for kaspersky or something else ?
viperbjk
27th November 2008, 06:53 PM
Well I've got no idea what your question means :)
Kaspersky imho is an Antivirus-Tool and has nothing to do with QMAT.
But I guess what you wanted to ask is, what licenses are available.
License is either limited to one person (meaning : hardware key), but you may request keys for max. 2 other PCs (or due to special reasons, for example you lost the key or you reinstalled your PC).
(Price is 15 EUR)
or
License is a name license (bound to real name, no hardware key).
(Special requests only and you must sign a NDA)
Hope this answers your question.
Cya,
Viper BJK
borce_razor
27th November 2008, 07:28 PM
No, you don't understand me :D. Is the licence like regkey.dat, licence.key or something else like a dongle etc etc.. And I've got no idea what this means: Special requests only and you must sign a NDA. What's an NDA ?
viperbjk
27th November 2008, 07:48 PM
Yes, it's a reg file, no dongle.
NDA is a Non Disclosure Agreement you have to sign, saying that none of the information or software will be released to public.
Cya,
Viper BJK
viperbjk
6th December 2008, 09:44 PM
Small update :
We are currently working on gold card solution for newer HTC devices :D
So stay tuned :)
Cya,
Viper BJK
viperbjk
18th December 2008, 02:38 PM
New version 4.09 out
--------------------
News :
-------
- Added SPC Change Function
- Added Gold Card generation for older HTC devices
- HTC Encap Bugfixes for NAND writing of large files
- EFS Bugfixes
- Several other bugfixes
Cya,
Viper BJK
viperbjk
18th December 2008, 10:08 PM
New version 4.10 out
--------------------
News :
-------
- Long filename support
- Several NBH Dump bugfixes (files are no longer locked)
- Added possibility to choose Output Directory for NBH extraction
Cya,
Viper BJK
viperbjk
21st December 2008, 08:07 PM
Small update on progress :
--------------------------
Next version 4.11 will feature :
- HTC Gold Card generation for newer devices (non-public, only for contributors)
- Read SD Serial Number from WM Device, Read and Write complete SD Card
- 3DES and DES Toolkit
- Updated Cryptolibrary
- Some RSA / AES / Blowfish hacks
Cya n happy X-mas,
Viper BJK
viperbjk
28th December 2008, 05:13 PM
New version 4.20 out
--------------------
What's new :
-------------
- WIN CE SD Card Utils for reading / writing raw images to SD Card
- Improved HTC Gold Card generation a lot, also added several keys
- New Crypto Tools interface featuring AES, DSA, RSA, TEA/XTEA and CRC30
(in several modes like ECB, CBC, OFB, etc..)
- New registration model for registered QMAT users and board contributors
- A lot bugfixes
Cya,
Viper BJK
borce_razor
28th December 2008, 08:58 PM
Why this error ?
" The procedure entry point _except_handler4_common could not be located in the dynamic link library msvcrt.dll "
Whats this ?
viperbjk
28th December 2008, 10:57 PM
Small update :
--------------
Released version 4.20b - due to users with problems.
Hopefully the msvcrt.dll error is fixed.
Cya,
Viper BJK
DaveShaw
28th December 2008, 10:59 PM
Why this error ?
" The procedure entry point _except_handler4_common could not be located in the dynamic link library msvcrt.dll "
Whats this ?
I'm getting the same issue, I've reported it in the QMAT forum.
See what happens.
Ta
Dave
viperbjk
28th December 2008, 11:00 PM
Why this error ?
" The procedure entry point _except_handler4_common could not be located in the dynamic link library msvcrt.dll "
Whats this ?
Yeah, some users reported that error occurring with version 4.20a.
We changed some includes and our homebrew protector seemed not to like it.
Version 4.20b will hopefully fix this error.
Cya,
Viper BJK
borce_razor
28th December 2008, 11:01 PM
Solution found - delete file rapi.dll :D and it works. I'm confused, why is this file needed ?
edit: Same problem with V4.20b !!!
viperbjk
28th December 2008, 11:09 PM
Thanks for the info. Some users had problems that rapi.dll wasn't found.
We will delete the rapi.dlls from the zip till a solution is found.
Cya n thx,
Viper BJK
DaveShaw
28th December 2008, 11:17 PM
Thanks for the info. Some users had problems that rapi.dll wasn't found.
We will delete the rapi.dlls from the zip till a solution is found.
Cya n thx,
Viper BJK
Might depend on the version of ActiveSync installed. I have 4.5 on XP.
Ta
Dave
borce_razor
28th December 2008, 11:23 PM
I know that the Latest version of ActiveSync is 4.5
DaveShaw
28th December 2008, 11:29 PM
I know that the Latest version of ActiveSync is 4.5
You missed my point. :)
What version did the users that had the problem with "4.20a" have ... ??
Dave
viperbjk
28th December 2008, 11:34 PM
They hadn't installed any activesync nor wmdc, that's the problem.
So I included rapi.dll in the zip directory, but each version is different and depends on the current installation of activesync or wmdc.
This is really messy, but as I read on other forums, a lot of people have this crazy problem.
I've been writing to microsoft, hopefully they have a compiling hint.
For now, only solution is to delete the rapi.dll if it resides in qmat's directory,
and to install activesync on xp or wmdc on vista if it is missing.
Cya,
Viper BJK
viperbjk
29th December 2008, 12:06 AM
The answer was fast ... wow ....
the hint was : "Use delay loaded dlls.". So far it seems to work.
So go and get 4.20c.
Still : If you want to use the wince tools, you need either activesync (xp) or wmdc (vista) installed.
Cya,
Viper BJK
viperbjk
30th December 2008, 07:46 PM
New version 4.21 out
---------------------
What's new ?
-------------
- Improved SD Card Utils + Gold Card Generation to :
=> Give details about size of SD Card
=> Select SD Card if several cards exist in one device
- GUI Bugfixes
- Added Key for Quartz
Cya,
Viper BJK
viperbjk
30th December 2008, 09:18 PM
Moved thread to :
http://forum.xda-developers.com/showthread.php?t=465572
Cya,
Viper BJK