
QMAT V5.00 Manual

(c) 2009 by B. Kerler
How to register

- Go to http://www.revskills.de/ and choose „Buy QMAT“.
- In QMAT, go to „Main“ and select „About“.
- Press the button „Copy Software ID to Clipboard“.
- Paste your Software ID into the registration form using Ctrl-V or right mouse click, „Paste“.
- Select a payment method.

After payment we will send you a registration key via email. Select / highlight the key and copy it
to the clipboard using Ctrl-C or right mouse click, „Copy“.

- Press the button „Paste Regkey from Clipboard“. You will then need to restart QMAT.

Once the software is registered, the Network Calculator becomes available and the Software ID is
no longer displayed.

For current prices, see the Registration page at http://revskills.de

Why register:

- Support further development and more phones being added
- Unlimited usage (no time limit)
- Network Calculator
- Personal support and feature requests
- Flash any firmware using the diag port
- and a lot more...

1. Main Menu

1.1. Select Output Directory

Choosing this menu item lets you select the directory in which extracted files are saved.

1.2. Quit

Quit the program.


2. Firmware Forensics

This menu item lets you perform several tasks on your mobile firmware or any other binary.
2.1. General Forensics
2.1.1. Search for Algorithms

This function extracts useful information about algorithms and public keys found in binaries, so
you can easily locate the corresponding functions with a disassembler :)

More than 90 signatures are already included, and new signatures can be added to the file
crypto.xml. The hex value 0xFF is treated as a wildcard, so a signature cannot pin a literal 0xFF
byte; pick signature windows that do not depend on one.

Example output of HTC Firmware :

Crypto: CRC-16 norm 0014FC40h
Crypto: CRC-16 norm 0020760Ch
Crypto: CRC-16 norm 002FAE2Ch
Crypto: CRC-16 inv 0014FE40h
Crypto: CRC-16 inv 0020780Ch
Crypto: CRC-16 inv 002FB02Ch
Crypto: CRC-30 0014F840h
Crypto: CRC-30 0020720Ch

Crypto: SEAL+MD4 key 00BF2144h
Crypto: SEAL+MD4 key 00C0E600h
Crypto: SEAL+MD4 key 00C0EA14h
Crypto: AES sbox1 00ACCBC4h
Crypto: AES sbox2 00ACCCC4h
Crypto: HTC Radio Security Table 001C341Ch
...
Possible algos: 59

2.1.2. Search for Functions

This function finds common library functions in any binary, so you can easily locate them at the
reported addresses with a disassembler :)

New function signatures can be added to the file function.xml. The hex value 0xFF is treated as a
wildcard, which lets one prologue signature cover different register lists or immediates.

Example output of HTC Firmware :

0x00076bd3 Memcpy Generic
0x00247c7f Memcpy Generic
0x00076bc8 Memcpy4
0x00247c74 Memcpy4
0x00076dcc strlen
0x00076cdc strcmp
0x00077f68 __rt_div0
0x00aac510 __rt_div0
0x000770f4 __32__rt_raise
0x0097bd40 __32__rt_raise
0x0001633c rex_int_free_32
0x00016328 rex_int_lock_32
0x00e2f98c atoi
0x00ba752e GetSwapBytes
0x00ba74b0 SwapBits
0x00076a78 MemClr
.....
0x01092228 sprintf
0x00ca0dd8 randinit
0x00ca0e06 rand

Possible functions little endian: 28
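Both search functions above are wildcard byte-pattern scans. The following Python script is an
added example, not QMAT code, showing the idea on a constructed firmware image: signatures are
hex strings in which FF is a wildcard, as in crypto.xml / function.xml (the manual does not show the
XML layout of those files, so the table here is a plain dict). The AES S-box, CRC-32 table and TEA
delta constants are genuine; the ARM prologue pattern and the sample image are constructed for the
example.

```python
import re

# Signatures follow the QMAT convention: a hex string where every FF byte is a
# wildcard. Because FF is reserved, none of these patterns can require a
# literal 0xFF byte.
SIGNATURES = {
    "AES sbox1":    "637C777BF26B6FC53001672BFED7AB76",  # first 16 bytes of the AES S-box
    "CRC-32 table": "00000000963007772C610EEEBA510999",  # first 4 table entries, little-endian
    "TEA delta":    "B979379E",                          # 0x9E3779B9 little-endian
    "ARM push":     "FFFF2DE9",                          # stmfd sp!, {...} with any register list
}


def compile_signature(hexsig: str) -> re.Pattern:
    """Turn a wildcard hex signature into a bytes regex (FF -> any byte)."""
    raw = bytes.fromhex(hexsig)
    body = b"".join(b"." if b == 0xFF else re.escape(bytes([b])) for b in raw)
    # Lookahead so overlapping hits are still reported; DOTALL makes '.' match 0x0A too.
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def scan(data: bytes, signatures: dict = SIGNATURES) -> list:
    """Return sorted (offset, name) pairs for every signature hit in data."""
    hits = []
    for name, hexsig in signatures.items():
        pat = compile_signature(hexsig)
        hits += [(m.start(), name) for m in pat.finditer(data)]
    return sorted(hits)


def format_hits(hits: list) -> list:
    """Render hits the way the tool prints them, e.g. 'AES sbox1 00000100h'."""
    return [f"{name} {off:08X}h" for off, name in hits]


def build_sample_image() -> bytes:
    """Constructed 1 KiB image with three planted artefacts (not a real firmware)."""
    img = bytearray(0x400)
    img[0x100:0x110] = bytes.fromhex(SIGNATURES["AES sbox1"])
    img[0x200:0x208] = bytes.fromhex("10402DE9" "0040A0E1")  # push {r4, lr}; mov r4, r0
    img[0x300:0x304] = bytes.fromhex("B979379E")             # TEA/XTEA delta literal
    return bytes(img)


if __name__ == "__main__":
    for line in format_hits(scan(build_sample_image())):
        print("Crypto:", line)
```

The ARM prologue pattern shows why wildcards are needed and why short signatures are noisy: a
4-byte pattern with two wildcards will hit every stmfd sp!, so function signatures in practice cover a
longer prologue than this.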

2.1.3. Show Partition Info

In this menu item you can select any QC partition file to be analysed.
This function is really helpful for understanding which data sections can be found where in NAND
or NOR flash.

You can either enter any page count and page size you wish to interpret the data with, or add
existing layouts to "partition.xml".

2.1.4. Find Security Password

This function searches for the SP (Security Password) in firmware binaries.

2.1.5. Byte Cutter

This tool helps you cut junk data out of files.

After selecting the file you enter the offset (hex) at which cutting should start, how many bytes
shall be deleted and the distance between the chunks to be cut.

For example: in a file the first 0x100 bytes contain no junk data at all, so enter start offset „100“.
Then 0x10 bytes of junk follow, so enter number of bytes „10“. This junk data recurs every 0x200
bytes, so enter repeat of bytes „200“.

2.1.6. HTC

2.1.6.1. Dump HTC radio.nb

This function dumps all known radio parts such as amss, qcsbl and oemsbl from .nb files or any
other firmware. The layout is described in the customizable radiosplit.xml, so new devices can be
added there.

2.1.6.2. Fix radio.nb checksum

This function removes the signature from an nbh so it can be further split into firmware files, for
example.

2.1.6.3. NBH Dump Tool

This function dumps any file you want from an nbh, or just rips the signatures. "Open NBH" shows
information about the NBH file and also lists which files you can dump.

You can add any new nbh file type by adding it to "nbhtype.xml".

2.1.6.4. NBH Generate Tool

This function can generate a valid NBH file, either using dummy signatures or real ones. You can
add any new device to "devlist.xml". If you wish to sign with a private key, select "Use .pvk File"
before generating the NBH. New Android NBHs are also supported by selecting „Generate Android
Image“.

Chunk size is the size of each block to be signed; the real byte size is calculated by multiplying it
by 1024.

Signature size is given in bytes. If you wish to use longer RSA keys, calculate bit length / 8 (for
example 1024 bit / 8 = 128 bytes, that is 0x80 in hex).

2.1.6.5. Dump Nvitems from file

Using this function you can load any HTC NAND dump of area 0:HTC as a file; it will interpret the
data and show all nvitems found. This only works for some GSM devices right now.

2.1.6.6. Dump ECC cutter

This function lets you cut the ECC data from HTC firmware that was read directly from NAND.
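The Byte Cutter (2.1.5) and the ECC cutter above do the same job: drop a fixed-size chunk at a
fixed period. This added Python example (not QMAT code) implements that cut generically and
then uses it to strip the 0x10-byte spare area that follows every 0x200-byte page in a raw NAND
read. It assumes the repeat distance is measured from the start of one junk chunk to the start of the
next, which is how the manual's example (100 / 10 / 200) reads; page and spare sizes are
parameters because they differ between NAND parts. The sample dump is constructed.

```python
def cut_bytes(data: bytes, start: int, count: int, repeat: int) -> bytes:
    """Remove `count` bytes at offset `start` and again every `repeat` bytes.

    Assumption: `repeat` is the distance from the start of one junk chunk to the
    start of the next, so `repeat - count` payload bytes are kept in between.
    """
    if start < 0 or count <= 0 or repeat <= count:
        raise ValueError("need start >= 0, count > 0 and repeat > count")
    keep = repeat - count
    out = bytearray(data[:start])
    pos = start
    while pos < len(data):
        pos += count                    # skip the junk chunk
        out += data[pos:pos + keep]     # keep the payload up to the next chunk
        pos += keep
    return bytes(out)


def strip_nand_spare(dump: bytes, page_size: int = 0x200, spare_size: int = 0x10) -> bytes:
    """Raw NAND reads return page + spare (OOB/ECC) bytes per page; drop the spare."""
    unit = page_size + spare_size
    if len(dump) % unit:
        raise ValueError(f"dump length {len(dump):#x} is not a multiple of {unit:#x}")
    return cut_bytes(dump, page_size, spare_size, unit)


def build_sample_dump(pages: int = 4, page_size: int = 0x200, spare_size: int = 0x10) -> tuple:
    """Constructed raw dump: page i is filled with byte i, every spare area with 0xEE.
    Returns (dump, expected_payload)."""
    payload = b"".join(bytes([i]) * page_size for i in range(pages))
    dump = b"".join(bytes([i]) * page_size + b"\xEE" * spare_size for i in range(pages))
    return dump, payload


if __name__ == "__main__":
    dump, payload = build_sample_dump()
    print(len(dump), "->", len(strip_nand_spare(dump)), "bytes, intact:",
          strip_nand_spare(dump) == payload)
```

Before cutting a real dump, confirm the period: the spare area usually has a recognisable pattern
(0xFF fill or ECC bytes that change per page), so check that it appears at exactly the same offset
in every unit before trusting the result.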
2.1.7. BenQ

Sim Secure :
These functions let you load OTP data for decryption / encryption of SimSecure, direct-unlock the
phone or even calculate master codes, netlock codes and other codes.

These functions are non-public at the moment and will be made available to registered users as
soon as the phones are no longer supported by the vendor.
2.2. Extraction

2.2.1. Open Binary for Extraction


In this menu item you can select any QC AMSS file or any other file (like a NAND full-flash) that
you want to be analysed and extracted. Once selected, it shows information about the AMSS or
firmware versions.

Example :

BQS :

File-Info :
-----------

USBID = O'zapft is!000
Product Nr. = EF81
SVN = 58
SW build = KE_1433_17.0.16
Type = P

HTC :
File-Info :
-----------

OEMSBL = HTC_BOOT V1.00.25
QCSBL = QCT_BOOT V522511

JNAND Identification Block


Compiled Jun 20 2008 19:28:45
Version == JNAND 08.00.03
JNAND.ELF for MSM7500 SURF and FFA
Multi-Image Boot Support only
Copyright (c) 2004-2005 by QUALCOMM, Incorporated. All Rights Reserved.
End of ID Block
2.2.2. Extraction Submenu

Open any binary file using the „Open Binary for Extraction“ menu.
After that you can extract any certificate, bmp, gif, png and jpg found in the file.

2.2.2.1 Internal Filesystem Menu

This menu lets you extract internal files if the amss has an internal filesystem.
Example: the strings „fs:/“ can be found with a hex editor.

If the memory offset differs, you can enter the offset difference as +value or -value.
For example, search for the string „fs:/“ with a hex editor. The DWORD before „fs“ should be the
file offset. BAR files always start with the hex bytes 0x11 0x01, so the right offset can be found
quickly.

You can add any device to filesys.xml.


2.2.2.2 FS Reference Strings

This function will search for any internal QC Embedded File System references.

2.2.2.3 BQS End Signature

Extraction :
After loading a binary file via the file menu, this function lets you extract the end signature
(the last 0x256 bytes of the file).

2.3. Extract GZIP from file

Using this function you can extract any GZIP compressed data from any binary. Just enter the
offset where the gzipped data starts and its length. You can extract binaries up to 100 MB.
Attention: even for extracting small files you need at least 100 MB of free disk space.
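The tool needs the offset and the length typed in by hand. The following Python is an added
example, not QMAT code, that shows how to carve every gzip member from a binary without
knowing the length: it scans for the gzip magic, feeds each candidate to a zlib decompressor and
takes the end offset from what the decompressor leaves unconsumed. False positives (magic bytes
in random data) and truncated streams are rejected instead of producing garbage, and the same
100 MB ceiling the manual documents is enforced. The blob it runs on is constructed inline.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"        # ID1 ID2 CM=deflate
MAX_OUTPUT = 100 * 1024 * 1024      # same 100 MB ceiling the tool documents


def find_gzip_members(blob: bytes, limit: int = MAX_OUTPUT) -> list:
    """Return (offset, end, data) for every complete gzip stream found in blob.

    The end offset comes from the decompressor (total length minus the bytes it
    did not consume), so no length has to be entered by hand.
    """
    found, pos = [], 0
    while True:
        idx = blob.find(GZIP_MAGIC, pos)
        if idx < 0:
            return found
        pos = idx + 1
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)     # 16: expect a gzip header
        try:
            data = d.decompress(blob[idx:], limit + 1)  # cap output at limit + 1
        except zlib.error:                              # bad header or corrupt data
            continue
        if not d.eof or len(data) > limit:              # truncated, or over the ceiling
            continue
        end = len(blob) - len(d.unused_data)
        found.append((idx, end, data))
        pos = end                                       # do not rescan inside this member


# Constructed payloads for the sample blob (not real firmware content).
PAYLOADS = [b"first embedded file: " + b"A" * 3000, b"second, tiny"]


def build_sample_blob() -> tuple:
    """Constructed blob: padding, member 1, junk, member 2, then a fake magic.
    Returns (blob, [(offset, end), ...]) for the two real members."""
    m1 = gzip.compress(PAYLOADS[0], mtime=0)
    m2 = gzip.compress(PAYLOADS[1], mtime=0)
    off1, off2 = 0x40, 0x40 + len(m1) + 7
    blob = b"\x00" * off1 + m1 + b"\xab" * 7 + m2 + GZIP_MAGIC + b"\xff" * 5
    return blob, [(off1, off1 + len(m1)), (off2, off2 + len(m2))]


if __name__ == "__main__":
    blob, _ = build_sample_blob()
    for off, end, data in find_gzip_members(blob):
        print(f"gzip member at {off:#x}..{end:#x}, {len(data)} bytes: {data[:24]!r}")
```

The trailing fake magic in the sample has reserved header flag bits set, which is the usual way a
random hit fails: zlib rejects the header and the scan moves on.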
2.4. Extract FAT from file

Using this function you can extract any FAT12/FAT16 filesystem from any binary. Just open the
binary and it will show information about all files that can be extracted and the volume label. You
can also extract the files by selecting „Extract“ and opening a FAT file.
3. Cryptoanalysis Tools

3.1. Crypto Toolbox

3.1.1. RSA-Decryption/Encryption Tool

This tool provides powerful RSA functions. You can encrypt / decrypt any message using the RSA
algorithm. Note that what the tool calls encryption is the private-key operation (signing, m^d mod n)
and what it calls decryption is the public-key operation (s^e mod n), which is the one you need to
check firmware signatures.

For encryption you need :

- Private Exponent (Private Key)
- Modulus
- Signature to encrypt (plaintext message as hex string)

For decryption you need :

- Public Exponent (Public Key) - 3 and 10001 are common ones
- Modulus
- Signature to decrypt (encrypted message as hex string)

Simply press "Decrypt using Values" to either en- or decrypt. Decrypting a valid signature yields
the padded hash the vendor signed, which you can compare against the hash of the signed data.

The function Reverse String can strip the separators from hex messages (like 00:FA:BC:EB) or just
reverse the byte order of a hex string.
You can also enter any modulus and exponent and check BQS and HTC firmwares for validity.
Examples of public keys are already included for HTC phones, BQS phones and the old iPhone.

Public keys can be added to the "publickeys.xml" file.
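The following Python is an added example, not QMAT code, covering this section and the RSA key
generator described next: it generates a key (with the CRT values Prime1/Prime2/Exp1/Exp2/Coeff
that the .pvk viewer in 3.3 prints), performs the tool's "encrypt with private exponent" (a PKCS#1
v1.5 signature over SHA-256) and "decrypt with public exponent" (recovering the padded hash), and
implements the "Reverse String" helper. PKCS#1 v1.5 with SHA-256 is an assumption for the
example; which padding and hash a given firmware uses has to be read off the recovered block.

```python
import hashlib
import math
import random

# DigestInfo prefix for SHA-256 from PKCS#1 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
_rng = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_probable_prime(cand):
            return cand


def generate_rsa_key(bits: int = 1024, e: int = 0x10001) -> dict:
    """Generate an RSA key; the CRT fields match the Prime1/Prime2/Exp1/Exp2/Coeff
    entries QMAT prints for a .pvk file."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits - bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "exp1": d % (p - 1), "exp2": d % (q - 1), "coeff": pow(q, -1, p)}


def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """EM = 00 01 FF..FF 00 DigestInfo || SHA-256(msg), exactly k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(msg: bytes, key: dict) -> str:
    """The tool's "encrypt with private exponent": EM^d mod n as upper-case hex."""
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(msg, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big").hex().upper()


def rsa_recover(sig_hex: str, e: int, n: int) -> str:
    """The tool's "decrypt with public exponent": s^e mod n, i.e. the padded digest."""
    k = (n.bit_length() + 7) // 8
    s = int(sig_hex, 16)
    if not 0 < s < n:
        raise ValueError("signature out of range for this modulus")
    return pow(s, e, n).to_bytes(k, "big").hex().upper()


def rsa_verify(msg: bytes, sig_hex: str, e: int, n: int) -> bool:
    """True when the recovered block equals the expected padded SHA-256 of msg."""
    k = (n.bit_length() + 7) // 8
    try:
        return rsa_recover(sig_hex, e, n) == emsa_pkcs1_v15(msg, k).hex().upper()
    except ValueError:
        return False


def normalize_hex(s: str, reverse: bool = False) -> str:
    """QMAT's "Reverse String": strip separators such as ':' and optionally
    reverse the byte order of the hex string (little-endian <-> big-endian)."""
    h = "".join(c for c in s if c in "0123456789abcdefABCDEF").upper()
    if len(h) % 2:
        raise ValueError("odd number of hex digits")
    if reverse:
        h = "".join(h[i:i + 2] for i in range(len(h) - 2, -1, -2))
    return h


if __name__ == "__main__":
    key = generate_rsa_key(1024)
    sig = rsa_sign(b"firmware image bytes", key)
    print("Recovered:", rsa_recover(sig, key["e"], key["n"]))
    print("Valid:", rsa_verify(b"firmware image bytes", sig, key["e"], key["n"]))
    print(normalize_hex("00:FA:BC:EB", reverse=True))
```

When a vendor stores the modulus little-endian in the firmware, run it through normalize_hex with
reverse=True before using it; the recovered block for a valid signature starts with 00 01 FF, so that
prefix is the quick sanity check that modulus, exponent and byte order are right.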


3.1.2. RSA-Keygenerator

This function lets you generate an RSA private key, for example in order to sign your own
firmwares. Just enter any bit length you wish (decimal) and the required public exponent (hex) and
press "Generate RSA Keys". After generation you may save the calculated key in a .pvk container
file by pressing "Create .pvk Files using Results", or just copy'n'paste the values.
3.1.3. DES-Calculator

This function lets you calculate DES (64-bit key), 2DES (128-bit key) and 3DES (aka Triple DES,
192-bit key) in the modes ECB, CBC, CFB and OFB.

You can also enter how many times the calculation is iterated.
3.1.4. AES-Calculator

This function lets you calculate AES with key sizes of 128, 192 and 256 bit in the modes ECB,
CBC and CFB.
3.1.5. TEA-Calculator

This function lets you calculate TEA and improved TEA (XTEA) in the modes ECB and CBC.
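The following Python is an added example, not QMAT code, implementing what the TEA
calculator computes: TEA and XTEA block encryption/decryption with the standard 32 rounds,
wrapped in ECB and CBC. The byte order of the 32-bit words and the lack of padding are
assumptions (the manual does not state them); the big-endian choice is a constant at the top so it
can be flipped when a firmware's implementation turns out to be little-endian. The TEA/XTEA delta
is the same 0x9E3779B9 that the algorithm scanner in 2.1.1 looks for.

```python
import struct

DELTA = 0x9E3779B9     # the constant the algorithm scanner looks for in firmware
M32 = 0xFFFFFFFF
# TEA/XTEA work on two 32-bit words and four 32-bit key words; the byte order
# is the caller's convention. Big-endian is assumed here; use "<" for little.
WORDS, KEYW = ">2I", ">4I"


def tea_encrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    v0, v1 = struct.unpack(WORDS, block)
    k0, k1, k2, k3 = struct.unpack(KEYW, key)
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & M32
        v0 = (v0 + ((((v1 << 4) + k0) ^ (v1 + s)) ^ ((v1 >> 5) + k1))) & M32
        v1 = (v1 + ((((v0 << 4) + k2) ^ (v0 + s)) ^ ((v0 >> 5) + k3))) & M32
    return struct.pack(WORDS, v0, v1)


def tea_decrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    v0, v1 = struct.unpack(WORDS, block)
    k0, k1, k2, k3 = struct.unpack(KEYW, key)
    s = (DELTA * rounds) & M32
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) + k2) ^ (v0 + s)) ^ ((v0 >> 5) + k3))) & M32
        v0 = (v0 - ((((v1 << 4) + k0) ^ (v1 + s)) ^ ((v1 >> 5) + k1))) & M32
        s = (s - DELTA) & M32
    return struct.pack(WORDS, v0, v1)


def xtea_encrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    v0, v1 = struct.unpack(WORDS, block)
    k = struct.unpack(KEYW, key)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & M32
        s = (s + DELTA) & M32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & M32
    return struct.pack(WORDS, v0, v1)


def xtea_decrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    v0, v1 = struct.unpack(WORDS, block)
    k = struct.unpack(KEYW, key)
    s = (DELTA * rounds) & M32
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & M32
        s = (s - DELTA) & M32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & M32
    return struct.pack(WORDS, v0, v1)


def _blocks(data: bytes) -> list:
    if len(data) % 8:
        raise ValueError("input must be a multiple of 8 bytes; no padding is applied")
    return [data[i:i + 8] for i in range(0, len(data), 8)]


def ecb(data: bytes, key: bytes, block_fn) -> bytes:
    """ECB: each block on its own, so equal plaintext blocks give equal ciphertext."""
    return b"".join(block_fn(b, key) for b in _blocks(data))


def cbc_encrypt(data: bytes, key: bytes, iv: bytes, encrypt_fn) -> bytes:
    prev, out = iv, bytearray()
    for b in _blocks(data):
        prev = encrypt_fn(bytes(x ^ y for x, y in zip(b, prev)), key)
        out += prev
    return bytes(out)


def cbc_decrypt(data: bytes, key: bytes, iv: bytes, decrypt_fn) -> bytes:
    prev, out = iv, bytearray()
    for b in _blocks(data):
        out += bytes(x ^ y for x, y in zip(decrypt_fn(b, key), prev))
        prev = b
    return bytes(out)


if __name__ == "__main__":
    key, iv = bytes(range(16)), b"\x11" * 8
    pt = b"ABCDEFGH" * 2 + b"12345678"
    print("XTEA ECB:", ecb(pt, key, xtea_encrypt_block).hex())
    print("XTEA CBC:", cbc_encrypt(pt, key, iv, xtea_encrypt_block).hex())
```

The sample plaintext repeats its first block on purpose: in ECB the two ciphertext blocks come out
identical, in CBC they do not, which is the quickest way to tell the two modes apart in an unknown
firmware blob.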
3.1.6. CRC-30 Calculator

This tool can calculate a CRC30 value for any file with a given page size and step size, and can
also patch a file to match a required QC CRC30 value by brute-forcing its last 4 bytes (for example
the qcsblhdconf file).
3.2. Generate Hashes

This function calculates MD4, MD5, SHA1, SHA2 (SHA-224 and SHA-256), CRC16, CRC32 and
several ECC values of any selected file.

Example :

SHA1 : DF870F3A4C306A4AD19232D47FAAA4F315079ECB
SHA224 :
46A09505ADBD225572BFE53C03B83D1798CED6E2FD30B88B190F853DCCCCCCCC
SHA256 :
8646D2F73CBBB227E93011C30B40CBF526E830A49EF55FE7E25777BF6674EBEC
SHA256-HTC :
4FBAC64CA15493CFB81B9823CFE31E1497E4BDF1FE9758F20FA7AE877ED765D2
MD4 : 91523B28F7F2B0565CDEAA4E3A165EEB
MD5 : 88BA062A43782CEBB8CDC722F305C31A
CRC16 (0x1189) : EBCE
CRC30 (Block: 0x1000, Page: 0x200) : 2F34652C
CRC30 (Block: 0x2000, Page: 0x400) : 1068B9C4
CRC32 (0xEDB88320) : 199ECB76
CRC32 (0x04C11DB7) : 3EB38D82
CRC32 HTC (0xEDB88320) : C95C445B
ECC Reed Solomon (parity10) : A3820A8D639278A67BCC
ECC BCH Micron 3 byte : 222222
ECC Hamming Toshiba (8 bit - 0x200 bytes) : CFCFCF
ECC Hamming (8 bit - 0x200 bytes) : CFCFCF
ECC Hamming (16 bit - 0x200 bytes) : F3F3F3

3.3. Show .pvk File

This function lets you extract useful information from a private key container file (.pvk).
Currently only private keys are supported.

Example output :

RSA2
Modulus :
B332AF4B62B3AA901EE3FFD6591CA569ECA90F27FBBF46AB27EAA01F57D819A7776971832D0979BF6E15D9732DEFA21DCDA5252C64
222288E8CC1DBE4C8BE9F19C66B6E7C6C6C75D3F7E1A9A96C0391C2E54F0C97D387734AE54831476EC9918FC22809A4822D4D721F57B
1337A17ACA47F94DD61AD91EB975F7457B6E1B589D
Prime1 :
DC7772B50267A474437577F9CE4766098F83EE9AD2950698CC26D5E09D670BA3CABEA0C4BD08FD41A83B49AE5D8DC16EDB6E6CF32E
A93B6FB9BEB2A579F5DDCF
Prime2 :
D01479A5ED587AD7369DA5E4A5F0F2FAB1EBFB35EAC0A04CE76E1EE06E3FE651031846850F0C33A4BA6D1212F4D25DF87DE6798B985
88B739B21EDAB5F52C9D3
Exp1 :
D99B70F6272483975A4A651C85B5C58A644495CBED54B909326096B4B8C8501DE06D5E24326DE003E1787B9686B2F79D632B50908B9AF
096ABA10595FD9667D3
Exp2 :
33AC52055DAAB25ECDA65AB32C6E68B8CF046E4F166C1DA2DB7A225AD3A634B8FB8EC4BC785F2C58051FDEF42C2E2DBDEEEE1453
115333D652B91B3F8A9D9197
Coeff :
7D092E64E28C85E8C3535776E5C86E09EB0DAE2201013EE20BBA4C738DB0D5F3618DD3A1242F783C6BF0CD5D7976E7F02BCED4560BF
20B84073BAC90298DF793
PrivExp :
0EE1FFC3101081F2F44DD55AB50DF703041FCA5D74C01F1B69F6479432D484D4EECAF81D7FE9108E809319FB41EE6C157395EAAF74258
D9EB74EF48D70881246D631E2AEADD124B64D2224996F78BF78DD38EC4A4E8D84E57A57DC773B2A8EC6277E29DE905F05A5A20DC2B
3278A350FD3681E1917A283EE09D37AA63DB3FDF5
4. Hardware Forensics

This menu offers „online“ functions: accessing any features QC phones expose over USB or a serial
interface, Windows CE devices (WM 5.x - 6.1), and also JTAG.
4.1. Use Mobile Ports

This function lets you experiment with many standard QC and AT command functions.

4.1.1. Diag Port (QC) :

This tool can be used with all QC phones that have the diag port enabled. It lets you send any
command as a hex string via the diag port to a phone connected via USB or COM port.

At the top you select which interface to use. The port is opened automatically when needed and is
closed once you close the window, change the COM port or select another baud rate. Below you can
select the diag mode functions for phones in AT mode in order to switch them to QC diag mode.

With „Select Log-File“ you tell the program where to save the data displayed in the Com Result
window (the big white window with hex values). If no file name is entered, the default file name
„comlog“ in the application directory is used.
Select any standard QC command you wish to send under „Diag commands“ or enter any hex value
to be sent (without CRC), for example „0001020304“, and click „Send Cmd“ to send it to the phone
via the USB diag interface. Selecting „No CRC+7E“ sends the raw hex bytes without CRC
generation and without the 0x7E trailer.

You can also run XML scripts with the auto-log function. See scripts/script.xml for an example of
how to use it. „Delay“ is the number of ms to wait before sending the next command. The option
plain=“1“ sends raw data without CRC and 0x7E trailer.

Under „Diag functions“ you can use special functions like :

- Save Memory to file
- Display Memory
- Write Memory (DANGEROUS)
- Save NVItems to file
- Display NVItem
- Write NVItem (DANGEROUS)
- Read EFS
- Backup NVItems (Binary)
- Restore NVItems (Binary)
- Enable FTM Mode
- Disable FTM Mode
- Generate SimSecure Command (DANGEROUS)
- Switch to Offline Analog Mode
- Switch to Offline Digital Mode
- Switch to Reset
- Switch to Offline Factory Test Mode
- Switch to Online mode
- Switch to Low power mode
- Find SPC in EFS (Older MSM)
- Find SPC in EFS (Newer MSM)
- Read SPC from EFS file
- Find SP in Memory
- Get Call Stack
- Read Sim Contacts (Huawei)
- Read SMS
- Read PRL
- Write PRL
- Enable Toshiba FTM Mode

The functions „Enter FTM“ and „Leave FTM“ write the FTM mode into an NVItem and
automatically reboot the phone.

The command „Generate SimSecure Command DANGEROUS“ produces a command string from a
given SimSecure file which the user wants to write to SimSecure. Be careful, incorrect use of this
tool will leave your phone useless.

On phones where only a modem port exists, you might need to send a command to enable the diag
port. Use the buttons under "Enable Diag Mode functions for phones in AT mode" to enable the
diag port easily. Remember to set the right baud rate for your phone.

The option „Vendor“ lets you select the generic pre-headers used by some vendors that do not use
the standard QC protocol.

Functions that won't work on all MSM phones :

- The function "Read SMS" reads all SMS from phone memory.
- The function "Get Call Stack" shows, for example, all received / missed calls.
- The function "Read Sim Contacts" reads all SIM contacts from Huawei phones.

These are some of the supported diag commands (examples of how to use them):

Get version info :

Select „Vernum“ in the command list and press the „Sendcmd“ button or just press Enter.

Get mobile build ID :

Select „BUILDID“ in the command list and press the „Sendcmd“ button or just press Enter.

Send SPC example :

Select „SPCSEND“ in the command list.
Append the SPC you want to send to the command byte „41“.

For example, if your SPC is 000000, convert the digits to ASCII (0=30, 1=31, etc... 9=39); you
would have to send „41303030303030“.

Send Security Password (SP) :

Select „PASSWD“ in the command list.
Append the SP you want to send to the command byte „46“.

For example, if your SP is 12345678, convert the digits to ASCII (0=30, 1=31, etc... 9=39); you
would have to send „463132333435363738“.

Get NAND flash info :

Select „GET_DEV_INFO“ in the command list and press the „Sendcmd“ button or just press Enter.

Change mobile operation mode :

Select „MODECHANGE“ in the command list.
Append the mode you want to switch to to the command byte „29“ (hex).

For example, to set the phone into FTM mode:
Send „290300“ to switch to FTM and press „Sendcmd“.
After that you need to reboot the phone by sending „290200“.

Read NVItems
To read specific NVItems, select „Read NVItems“ in the Standard Mode tab.
Enter the range to read out and press „Lets go“ to start. It will ask for a filename to save the data.
You can also backup / restore all NVItems using those commands in the Standard Mode tab.

Write NVItems
For writing NVItems, select „NVWRITE“ in the command list and append the item number
(little-endian) plus the data.
Example : write item 01C5, data 01 (enable FTM mode permanently)

27C5010100000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000
The data field must always be 0x80 (128) bytes, just like in the example.

Read EFS
To read out the EFS, select „Read EFS“ in the Diag Port tab.
Enter the maximum range to read out and press „Lets go“ to start. For newer QC devices you may
also select an alternate way to read out the EFS. It will ask for a filename to save the data.

There are a lot more functions you can use; the limits are only what your phone is capable of:
write and read config data and contacts, read and write SMS ..... and much more.
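All of the hex examples above go through the same framing, which is what „No CRC+7E“ switches
off: the tool appends a CRC-16 and a 0x7E trailer to the bytes you type. The following Python is an
added example, not QMAT code, that implements that framing (HDLC-style byte stuffing with the
CRC-16/X-25 polynomial used by the QC diag protocol) and builders for the manual's SPC, SP,
mode-change and NV-write commands. The command bytes and mode numbers are the ones the
manual's own hex examples use; the 0x13/0x14/0x15 error replies are the generic QC diag error
codes, which the manual does not list. No phone is needed: the functions only build and parse
bytes, and the sample frames are constructed.

```python
import struct

# Diag command codes behind the manual's hex examples (41 = SPC, 46 = password,
# 29 = mode change, 27 = NV write) plus the generic error replies.
DIAG_VERNO_F = 0x00
DIAG_BAD_CMD_F, DIAG_BAD_PARM_F, DIAG_BAD_LEN_F = 0x13, 0x14, 0x15
DIAG_NV_WRITE_F, DIAG_CONTROL_F, DIAG_SPC_F, DIAG_PASSWORD_F = 0x27, 0x29, 0x41, 0x46
# Mode numbers in the order the manual lists the "Switch to ..." functions.
MODE_OFFLINE_A, MODE_OFFLINE_D, MODE_RESET, MODE_FTM, MODE_ONLINE, MODE_LPM = range(6)
NV_ITEM_SIZE = 0x80                  # the manual's "80 bytes" is hex: 128 bytes
HDLC_FLAG, HDLC_ESC = 0x7E, 0x7D


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25: reflected poly 0x1021 (0x8408), init 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def hdlc_encode(payload: bytes) -> bytes:
    """Append the CRC little-endian, escape 0x7D/0x7E, terminate with 0x7E."""
    body = payload + struct.pack("<H", crc16_x25(payload))
    out = bytearray()
    for b in body:
        if b in (HDLC_ESC, HDLC_FLAG):
            out += bytes((HDLC_ESC, b ^ 0x20))
        else:
            out.append(b)
    out.append(HDLC_FLAG)
    return bytes(out)


def hdlc_decode(frame: bytes) -> bytes:
    """Reverse of hdlc_encode; raises ValueError on a bad trailer, escape or CRC."""
    if not frame or frame[-1] != HDLC_FLAG:
        raise ValueError("missing 0x7E trailer")
    raw, esc = bytearray(), False
    for b in frame[:-1]:
        if esc:
            raw.append(b ^ 0x20)
            esc = False
        elif b == HDLC_ESC:
            esc = True
        else:
            raw.append(b)
    if esc or len(raw) < 3:
        raise ValueError("truncated frame")
    payload, crc = bytes(raw[:-2]), struct.unpack("<H", raw[-2:])[0]
    if crc != crc16_x25(payload):
        raise ValueError(f"CRC mismatch: got {crc:04X}, want {crc16_x25(payload):04X}")
    return payload


def spc_cmd(spc: str) -> bytes:
    """41 + SPC as ASCII digits, e.g. 000000 -> 41303030303030."""
    if len(spc) != 6 or not spc.isdigit():
        raise ValueError("SPC is six decimal digits")
    return bytes([DIAG_SPC_F]) + spc.encode("ascii")


def password_cmd(sp: str) -> bytes:
    """46 + security password as ASCII, e.g. 12345678 -> 463132333435363738."""
    return bytes([DIAG_PASSWORD_F]) + sp.encode("ascii")


def mode_change_cmd(mode: int) -> bytes:
    """29 + 16-bit little-endian mode, e.g. FTM -> 290300, reset -> 290200."""
    return struct.pack("<BH", DIAG_CONTROL_F, mode)


def nv_write_cmd(item: int, data: bytes) -> bytes:
    """27 + item (little-endian) + data padded to 0x80 bytes, as in the manual."""
    if len(data) > NV_ITEM_SIZE:
        raise ValueError("NV item data is at most 0x80 bytes")
    return struct.pack("<BH", DIAG_NV_WRITE_F, item) + data.ljust(NV_ITEM_SIZE, b"\x00")


def classify_reply(sent: bytes, reply: bytes) -> str:
    """The phone echoes the command code on success; 0x13/0x14/0x15 are errors."""
    if not reply:
        return "no reply"
    code = reply[0]
    if code == DIAG_BAD_CMD_F:
        return "bad command (unsupported, or refused in the current security state)"
    if code == DIAG_BAD_PARM_F:
        return "bad parameters"
    if code == DIAG_BAD_LEN_F:
        return "bad length"
    return "ok" if code == sent[0] else f"unexpected code {code:02X}"


if __name__ == "__main__":
    for name, cmd in (("Vernum", bytes([DIAG_VERNO_F])), ("SPC", spc_cmd("000000")),
                      ("FTM", mode_change_cmd(MODE_FTM)), ("NV 01C5", nv_write_cmd(0x01C5, b"\x01"))):
        print(f"{name:8} {cmd.hex()} -> on the wire {hdlc_encode(cmd).hex()}")
```

The Vernum command is the usual first probe: its frame is 00 78 F0 7E, and a phone that answers
with 0x13 to an SPC-protected command is telling you the unlock has not happened, not that the
command does not exist.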
4.1.2. Modem Port (Sync)

This tool may be used with any modem port.

Left of the button "Send ASCII" you can enter any AT command you wish and send it by pressing
Enter or the button "Send ASCII".

You may also choose AT functions under "Select Action" and press "Go" to execute them.

AT functions available :
- Read all SMS
- Read all contacts
- Read IMSI
- Read IMEI
- Read manufacturer identification
- Read model identification
- Read revision identification
- Read operator names
- Read battery charge
- Read signal quality
- SIM : Read IMSI
- SIM : Read Kc - GSM
- SIM : Read ICC Identification
- SIM : Get Location Info (TMSI+LAI+RFU)
- SIM : Get Ciphering Keys (KSI+CK+IK) - UMTS
- SIM : Get Ciphering Packet Keys (KSIPS+CKPS+IKPS) - UMTS

Registered users of QMAT can also use the APDU interface, which lets you send any APDU
command you wish to the SIM card in the phone.

This is especially useful for forensics, like reading the current cipher keys and restoring deleted
SMS or contacts.
4.1.3. Modem Port (Async)

This interface lets you talk to any AT interpreter in asynchronous mode, like the HTC Tricolor
bootloader.

The binary log file is saved to the application directory as "bytelog", or under the file name given
in the lower edit box.
Binary logging starts with the „Start serial“ or „Start USB“ button and ends with the „Stop serial“
or „Stop USB“ button. Do not try to read the log file while the connection is still running, otherwise
the program will crash.

You have two options to use it :

1. Using a serial port, you can use it with any serial port, like the ActiveSync one under XP.
Just select the right COM port, press "Start Serial" and you can enter any command you like.
Either press Enter afterwards or press "Send Ascii via Serial" to send instructions.
After you are finished or want to use your binary log, press "Stop Serial".

2. Using a USB port (via a WinUSB compatible driver, like WMDC under Vista), you can enter the
driver GUID into the USB Guid edit box, press "Start USB" and then enter any command you like.
If you want to send your instructions with the Enter key, just select "Switch default send button".
Or you can just press "Send Ascii via USB".
After you are finished or want to use your binary log, press "Stop USB".
Remember, when using WMDC, to disable „Connect to USB“ under Preferences, Connection
Preferences, otherwise you are not able to connect.

HTC lnb command for uploading firmware :

Example :
„lnb splash 50140000“ uploads any file to NAND address 0x50140000
„lnb os 50420000“ uploads any OS file to NAND address 0x50420000

Once the lnb command is executed, it asks for the file to be uploaded.

Security Unlock Features :

Radio Bootloader :
1. Enter „rseed“ as a command, press Enter
2. Copy'n'paste the result into the edit box left of the „Calc Password“ button
3. Press the „Calc Password“ button
4. Enter „rpass“ as a command, press Enter
5. Press the „Send result“ button

SPL :
1. Start USB HHD Monitor (trial or full version)
2. Enter "info 3"
3. Copy the bytes at position 0x2B0 (a 0x20 byte string) into the edit box left of "Calc Password"
4. Press "Calc Password"
5. Enter "password" + result in the result box left of „Send Result“, press Enter
(Example : password ~d~~~~~~~~~r~000)

Encapsulate Features :
You can either send bytes encapsulated in the HTCS-HTCE header that were entered as a hex
string into the edit box left of the „Calc Password“ button (Example : AB34123456), or even upload
complete files encapsulated using the „Encapsulate binary file and send“ button.

This feature is very useful with commands like rpass or rwfactory.


4.1.4. Codes

This tab offers tools to read out codes and passwords via the diag port, but also lets you send the
SP and SPC for authentication and change the SPC. Several SPs are already included; you can
easily extend them by writing new SPs into the file config/sp.xml. Selecting the vendor switches
protocols if non-QC standard protocols are used.

Also some useful information like IMSI and LAC/LAI can be read out.
4.1.5. CDMA

This tab offers you functions to read and write infos and settings for CDMA phones using Diag
Port.
4.1.6. BOOTLOADER / DOWNLOAD MODE:

This menu offers bootloader and download mode functions. Take care with any action labelled
„DANGEROUS“ as it may leave your phone unusable.

Download Mode :
While in download mode, which can be enabled in standard mode by just selecting „Enable
Download Mode“ and pressing „Run Bootloaderfunctions“, you can send any command in the
command list, marked in the picture as „Read Rootkey“, with the prefix „DWNMODE“.

Using the button „Read Mem in DwnMode“ you can read out application memory in the given
range if your phone supports QC diag version greater than 6, but also use other typical QC diag
page read functions by changing the command byte and the page size to read.

Bootloader :
You may load and execute any bootloader you wish. In order to enable NAND read functions, you
have to select „Use 6250A hotfix“ or "Use 7200A hotfix", depending on your QC model. The window
below the check buttons holds the address to which the bootloader is sent and at which it is
executed. The page size can be reduced for bootloaders smaller than 0x3F9 (hex).
Once the bootloader is loaded, it is announced in the result window as you can see in the picture.
Then you can read any range of NAND with the given range using the „Read NAND with Loader"
function.

For reading out NAND two procedures exist :

1.
Remove and reinsert battery
Remove data cable
Set mobile in emergency mode (hold Power On + #, release after Benq Logo appears)
Insert data cable
Press "Run Bootloaderfunctions"
Now you can select loader cmd like "Read Rootkey" or "Read SimSecure" and press "Send cmd".
Result will appear in window below.
Or you can press "Read NAND" to read out a specific NAND range (FullBackup)
After working, select "Reset phone" and press "Send cmd" for normal phone operation.
If that doesn't work, remove and reinsert battery for normal phone operation.

2.
Insert data cable
Press "Enter FTM Mode" in normal phone operation.
Press "Send special loader"
Now you can select loader cmd like "Read Rootkey" or "Read SimSecure" and press "Send cmd".
Result will appear in window below.
Or you can press "Read NAND" to read out a specific NAND range (FullBackup)
After working, select "Reset phone" and press "Send cmd".
If that doesn't work, remove and reinsert battery.
Press "Leave FTM Mode" for normal phone operation.

Bootloader commands :
These commands can be used to test patched or standard qc uploaded bootloaders or to unlock non-standard
bootloaders.

Read Rootkey Special Bootloader
Read Sim_Secure Special Bootloader
Read Sim_Secure2 Special Bootloader
Unlock Bootloader ZTE
Hello
Read Mem
Write Mem
Write NAND DANGEROUS
Sync
Reboot Phone
Poweroff Phone
Open Connection
Close Connection
Security Mode
Write Partition Table DANGEROUS
Set Multimode DANGEROUS
CRC30 Enable

Download-Mode commands :
These commands can be used when the phone is in Download-Mode (initiated normally via 0x3A command)

DWNMODE: Write16BitBlock DANGEROUS
DWNMODE: EraseMemBlock DANGEROUS
DWNMODE: Execute
DWNMODE: No Operation
DWNMODE: RequestParam
DWNMODE: DumpMemBlock
DWNMODE: Reset Phone
DWNMODE: UnlockSecureOps
DWNMODE: RequestSoftVer
DWNMODE: Poweroff Phone
DWNMODE: Write32BitBlock DANGEROUS
DWNMODE: MemoryDebugQuery
DWNMODE: MemoryReadReq
DWNMODE: SwitchDwnMode

Download-Mode functions :
These functions add dumping via standard or patched bootloaders or via download mode.

Read full NAND using patched Loader = dump NAND via patched QC bootloader
Read NAND using standard Loader = dump NAND via standard QC bootloader (normally starts at amss)
Read NAND using LG Loader = dump NAND via LG bootloader
Read NAND using ZTE Loader = dump NAND via ZTE bootloader
Read NAND using Samsung Loader (<= MSM6250) = dump NAND in Samsung download mode
Show MEM Partitions in DWNMODE = show memory partitions to dump (MSM6260 or newer)
Read MEM in DWNMODE = dump memory partitions (MSM6260 or newer)
Read SimSecure Data using patched Loader = dump SimSecure data from Benq/Siemens phones

Flasher Interface (MSM6250 only) :

Before using this function, you must load and execute a flashing bootloader, either the included one
for MSM6250/A or any other. Select the part you wish to upload to the phone. This function is
dangerous, so you should know what you are doing. The flashing function should only be used with
a fully charged battery. Pressing „Flash AMSS - DANGEROUS“ starts the flashing procedure.
This function is only available to registered users.

WARNING : A dumped EFS cannot be written back !!!


4.1.7. EFS Browser Mode :

Using this tool you have full access to the embedded file system of every device with BREW 3.x or
newer.

Just press „Read Directory“, wait a few seconds and you are able to browse the file tree.
After that you will be able to back up the whole fs using the "Backup FS to ZIP" button.
In order to use subsystem commands instead of standard QC commands, select „Use SubSys“ before
reading directories.

Directories :
If you click on any directory with the right mouse button, a menu appears that lets you create or
remove directories and also back up the directory to a ZIP file. Remember, only empty directories
can be removed :)

Files :
If you click on any file with the right mouse button, a menu appears that lets you read, write and
remove files, set file attributes and even set remote file links.
Selecting any file with the left mouse button shows its attributes in the small window on the right
side.
On selecting Read File, it first reads out the file and then asks where to save it on your hard disk.
You can see the progress on the progress bar.

On selecting Write File, it asks for the file to upload to the phone and then starts uploading. You
can also see the progress on the progress bar.

On selecting Remove File, the file is removed from the directory.

On selecting Set File Attributes, you can modify the file attributes. Not all phones support this
feature.

On selecting Create File Link, you can set a virtual file link pointing into the memory of the device.
A dialog appears in which you enter the file name, the base address (where to start in RAM) and
the length that should be linked. Reading such a link then returns the linked memory range. Not all
phones support this feature.

If there are any errors, they are shown as text just below the „Read Directories“ button.

„Backup FS to ZIP“ lets you zip the complete file system.



4.2. Generate HTC Gold Card

This tool lets you create a goldcard for HTC devices. The goldcard is a special SD card that unlocks
diagnostic features on HTC devices.

Once your device is connected via ActiveSync / WMDC, you can press "Get SD Card Serial from
WINCE Device" to obtain the serial number of the SD card inserted in your PDA/Smartphone.

Alternatively you can enter the 16-byte serial number manually.

To make it work, please check the following :

- On the device, allow itsutils.dll to start
- On some devices you must set the right security permissions via Registry Editor :
HKLM\Security\Policies\Policies\"00001001" set to integer 1
(policy 0x1001 is the unsigned-applications policy; a value of 1 lets unsigned code run on the
device, so restore the original value when you are done)

After that, select the device under "device key" to generate a goldcard image.

Then you can choose either "Save Goldcard Image to File" to generate an SD card image, or write
the goldcard directly to the SD card inserted in your PDA/Smartphone via "Save Goldcard Image
to WINCE SD".

4.3. WINCE SD Card Utils

Once your device (PDA or Smartphone) is connected via ActiveSync / WMDC, you can raw read or
write SD images of any size below 4 GB to the SD card in your device.

To make it work, please check the following :

- On the device, allow itsutils.dll to start
- On some devices you must set the right security permissions via Registry Editor :
HKLM\Security\Policies\Policies\"00001001" set to integer 1 (see the note under 4.2)

4.4. Use JTAG (using Segger J-Link ARM or any GDB device)

This function lets you repair / write / read out any NAND via JTAG. It is only available to
registered customers who bought this plugin. Currently we only support NAND devices. OneNAND
and NOR flash will be added soon.

Steps in order to JTAG MSM chipsets :

Using Segger J-Link ARM (recommended) :

1. Press „Connect Jtag“. If the device is supported, the correct MSM chipset and NAND flash are
selected automatically. You can easily add new MSM chipsets by editing jtagdevices.xml and also
add new init strings. In order to add new MSM chipsets or init strings, please ask for assistance at
our forum. The same applies to adding new NAND devices.

2. Select the needed speed and press „Set speed“. Choose low speeds if the data written or read is
corrupted.

3. For some NANDs you will need to init the NAND before usage. Select the correct NAND and
press „Init Nand“ then. You can add new NAND init scripts by editing jtagdevices.xml.

4. Select any function you wish to use. In order to read NAND, select „Read“ after entering a valid
range in the selection below. You can add custom ranges to the list by editing jtagdevices.xml. The
function „Disable MMU“ disables any memory mapping done by the MSM chipset, if needed. Stop
action will stop any running function. Before writing, you may select „erase before writing“ and
„verify when writing“ if you want to. Show registers shows all current registers of the ARM CPU.
The functions „Read memory“ and „Write memory“ won't flash any NAND but let you dump any
memory range. Using these functions you can, for example, upload your own loaders and execute
them. For writing into memory, set the first range item to the start address and the second range
item to the end address. For execution, enter the PC address into the first range item and press the
button „execute“.

Using GDB devices (for example OpenOCD) :

1. Select „Use GDB for NAND“.
2. Enter GDB host and port.
3. You may now enter and send any GDB command via the command line.
4. Select the MSM chipset (not autodetected) and press „Connect Jtag“.
5. You can use all functions except „Show registers“, „Execute“, „Reboot“, „Halt“, „Reset“. See the
function description under „Using Segger J-Link ARM“, point 4.

5. Network Calculations

This function lets you calculate typical network algorithms needed for authentication or to
encrypt/decrypt network data.
See the picture above for the supported algorithms (TDMA : GSM / UMTS, CDMA : Cave).
This function is only available to registered users.

SO ENJOY THIS TOOL :)
