5,368,880 Members 37,569 Now Online Twitter Facebook Google plus Youtube
 NEWS Forum Wiki XDA TV

# ROM 1.06 - broke that code???

Tip us?
 15th February 2005, 12:52 AM Guest Thanks Meter Posts: n/a ROM 1.06 - broke that code??? hey, it is: 5E 4D 31 30 41 just had an idea how to get that xor-passkey... every *.nbf files begins (when decrypted) with the string 'PM10A' which is, converted into hexadecimal '50 4D 31 30 41' (you can verify that with an hex editor examining an decrypted file (*.nba) . As i read in some article from the internet, an xor-key is symmetrical (ok, not such a big deal ;) ). That means that you can xor-compare the encrypted part with the decrypted one and get the passkey! how to do: (i'll take the imate.zip after executing the change.bat for that since it contains both encrypted and decryted files when you delete the "del *.nba" line at the end of the batch file) write down the first 8 bytes of the encrpyted file => 71 48 35 10 (from nk.nbf) write down the first 8 bytes of the decrypted file => 50 4D 31 30 (from nk.nba) now take the windows calculator, activate scientific mode and switch to hex, also choose 'word' on the right side a) enter 7148, press XOR, now enter 504D b) the result should be 2105 remember, we're looking for an 8 digits key! the result shows the last 4 digits in *inverse* order. so we have (after changing) XX XX 05 21 (XX XX stands for the missing first 4 digits) c) do steps a) and b) again with the comparison of 3510 with 3130 you'll get 420 as result which is (after adding a leading '0') 04 20 change the digits and get: 20 04 05 21 which is, when you look into the change.bat, exactly the given key for decrypting!!! ======== NOW FOR THE WANTED QTEK/DANGAARD-ROM ======== in the dangaard-contribution the nk-nbf begins with: "4B 37 43 6E" which you must compare again with "50 4D 31 30" do the steps mentioned above and get: 5E 72 7A 1B =========NEW CHANGE.BAT=================== xda3nbftool -x ms_.nbf ms_.nba 0x5e727a1b xda3nbftool -x nk.nbf nk.nba 0x5e727a1b xda3nbftool -x radio_.nbf radio_.nba 0x5e727a1b xda3nbftool -so T-MOB101 -sl WWE ms_.nba xda3nbftool -so T-MOB101 -sl WWE nk.nba xda3nbftool -so T-MOB101 -sl WWE radio_.nba xda3nbftool -c -u NK.nba xda3nbftool -c -u ms_.nba xda3nbftool -c -u Radio_.nba xda3nbftool -x ms_.nba ms_.nbf 0x5e727a1b xda3nbftool -x nk.nba nk.nbf 0x5e727a1b xda3nbftool -x radio_.nba radio_.nbf 0x5e727a1b ============================================ unfortunately the calculation/correction of the checksum in the xda3nbftool doesn't work correctly. We'll need to calculate the new checksum by hand. As it is much too late for me now, i'd like to invite some other folks to support me! Refer to wiki to get the offsets for the checksum. regards, André REPLY
 dkot 15th February 2005, 11:47 AM Member Thanks Meter 0 Posts: 84 Join Date: Dec 2004 Location: Poland,Katowice Good job Andre!!! Are you sure, that it is simple XOR coded ? Did you check how it works with previous rom (any other)? I can write small prog for checksum calculating but I have to know how this checksum is calculated. Regards, Darek REPLY
 popsi 15th February 2005, 12:02 PM Senior Member Thanks Meter 3 Posts: 124 Join Date: Jan 2004 More Info > I do believe they changed the algorithem. Since in the old ROM (IMATE) you could read the password using a hex editor at offset 50. This is the result using xdatool with -t switch on the qtek ROM. xda3nbftool -x NK.nbf NK.nba 0x4156cc35 xda3nbftool -x ms_.nbf ms_.nba 0x8e86c6cc I believe we're not too far away from a solution. REPLY

NightmarE
Senior Member
Thanks Meter 0
Posts: 150
Join Date: Dec 2003
Quote:
 Originally Posted by dkot Good job Andre!!! Are you sure, that it is simple XOR coded ? Did you check how it works with previous rom (any other)? I can write small prog for checksum calculating but I have to know how this checksum is calculated. Regards, Darek
yes, it is true
 kha 15th February 2005, 02:22 PM Junior Member Thanks Meter 0 Posts: 26 Join Date: Jan 2005 More Info > It seems that header is not excatly in same format as it was previous nbf so PM10 might not give accurate key for extracting, nor you can't get any other hint for decoding, like Magician or WWE... Or the file is encrypted twice.... REPLY
 15th February 2005, 02:44 PM Guest Thanks Meter Posts: n/a the thing that astonishes me is the fact that after xor-comparison the provider string of the "decrypted" dangaard-rom is "t-mob101"??? REPLY
Guest
Thanks Meter
Posts: n/a
Quote:
 Originally Posted by kha It seems that header is not excatly in same format as it was previous nbf so PM10 might not give accurate key for extracting, nor you can't get any other hint for decoding, like Magician or WWE... Or the file is encrypted twice....
where do you see that the header is different? and why wouldnt you take the matching strings like pm10 to get an xor-key?
 taron 15th February 2005, 03:56 PM Senior Member Thanks Meter 0 Posts: 128 Join Date: Feb 2005 Location: Paris More Info > Hey, good work guys ! Go on :) Val. REPLY
 mamaich 16th February 2005, 12:54 AM Recognized Developer Thanks Meter 190 Posts: 1,144 Join Date: Apr 2004  DONATE TO ME It is impossible to use old xda3nbftool to decrypt the ROM. Header and encryption methods have changed a bit. Long time ago I've explained new algos in this post: http://forum.xda-developers.com/viewtopic.php?t=14877 using this code you can easily decrypt ROM, change operator settings and reflash to a different device. P.S. you don't need to "get a xor-passkey". It is contained in header in plaintext. REPLY

kha
Junior Member
Thanks Meter 0
Posts: 26
Join Date: Jan 2005
Quote:
 Originally Posted by mamaich It is impossible to use old xda3nbftool to decrypt the ROM. Header and encryption methods have changed a bit. Long time ago I've explained new algos in this post: http://forum.xda-developers.com/viewtopic.php?t=14877 using this code you can easily decrypt ROM, change operator settings and reflash to a different device. P.S. you don't need to "get a xor-passkey". It is contained in header in plaintext.
Yep, thats true, with your code it shows correct:

PM10A DANGA001 WWE 1.05.00 Magician 0 0 0 e896d943

Hope we got someday updated xda3nbftool...

 Thread Tools Search this Thread Search this Thread: Advanced Search Display Modes Linear Mode