ROM 1.06 - broke that code???
it is: 5E 4D 31 30 41
just had an idea how to get that xor-passkey...
every *.nbf files begins (when decrypted) with the string 'PM10A' which is, converted into hexadecimal '50 4D 31 30 41' (you can verify that with an hex editor examining an decrypted file (*.nba) . As i read in some article from the internet, an xor-key is symmetrical (ok, not such a big deal ;) ). That means that you can xor-compare the encrypted part with the decrypted one and get the passkey!
how to do:
(i'll take the imate.zip after executing the change.bat for that since it contains both encrypted and decryted files when you delete the "del *.nba" line at the end of the batch file)
write down the first 8 bytes of the encrpyted file
=> 71 48 35 10 (from nk.nbf)
write down the first 8 bytes of the decrypted file
=> 50 4D 31 30 (from nk.nba)
now take the windows calculator, activate scientific mode and switch to hex, also choose 'word' on the right side
a) enter 7148, press XOR, now enter 504D
b) the result should be 2105
remember, we're looking for an 8 digits key! the result shows the last 4 digits in *inverse* order. so we have (after changing) XX XX 05 21
(XX XX stands for the missing first 4 digits)
c) do steps a) and b) again with the comparison of 3510 with 3130
you'll get 420 as result which is (after adding a leading '0') 04 20
change the digits and get: 20 04 05 21 which is, when you look into the change.bat, exactly the given key for decrypting!!!
======== NOW FOR THE WANTED QTEK/DANGAARD-ROM ========
in the dangaard-contribution the nk-nbf begins with:
"4B 37 43 6E" which you must compare again with
"50 4D 31 30"
do the steps mentioned above and get: 5E 72 7A 1B
xda3nbftool -x ms_.nbf ms_.nba 0x5e727a1b
xda3nbftool -x nk.nbf nk.nba 0x5e727a1b
xda3nbftool -x radio_.nbf radio_.nba 0x5e727a1b
xda3nbftool -so T-MOB101 -sl WWE ms_.nba
xda3nbftool -so T-MOB101 -sl WWE nk.nba
xda3nbftool -so T-MOB101 -sl WWE radio_.nba
xda3nbftool -c -u NK.nba
xda3nbftool -c -u ms_.nba
xda3nbftool -c -u Radio_.nba
xda3nbftool -x ms_.nba ms_.nbf 0x5e727a1b
xda3nbftool -x nk.nba nk.nbf 0x5e727a1b
xda3nbftool -x radio_.nba radio_.nbf 0x5e727a1b
unfortunately the calculation/correction of the checksum in the xda3nbftool doesn't work correctly. We'll need to calculate the new checksum by hand. As it is much too late for me now, i'd like to invite some other folks to support me! Refer to wiki to get the offsets for the checksum.