Manual
(c) 2009
by B. Kerler
How to register
After payment we will send you a registration key via email. Select / highlight the key and copy
it into the clipboard using the Ctrl-C keyboard combination or via right mouse click „Copy“.
- Press the button „Paste Regkey from Clipboard“. You will then need to restart QMAT.
Once the software is registered, you can use the Network Calculator and the Software ID will no
longer be displayed.
Why register :
Choosing this menu item lets you select where extracted files are saved.
1.2. Quit
This menu lets you perform several tasks on your mobile firmware or any other binary.
2.1. General Forensics
2.1.1. Search for Algorithms
This function extracts useful information about algorithms and public keys found in binaries,
so you can easily locate the corresponding functions with a disassembler :)
More than 90 signatures are already included, and new signatures can be added to the file
crypto.xml. The hex value 0xFF is treated as a wildcard (a single byte that matches anything), so
a literal 0xFF byte cannot be matched exactly in a signature.
This function finds common library functions in any binary, so you can easily locate them at the
reported addresses with a disassembler :)
New function signatures can be added to the file function.xml. The hex value 0xFF is treated as a
wildcard here as well.
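The wildcard matching described for crypto.xml and function.xml, as an added example (not QMAT's own code): a scanner that compiles hex signatures with 0xFF as a one-byte wildcard and runs them over a constructed sample image. The inline signature-list format is an assumption, since the XML layout is not shown here; the constants themselves (AES S-box row 0, the TEA/XTEA delta, the SHA-1/MD5 initial words, the ARM "push {..., lr}" encoding) are real and are written in the little-endian byte order an ARM firmware stores them in.

```python
"""Wildcard signature scan over a firmware image, in the spirit of QMAT's
"Search for Algorithms" / "Search for Functions" (added example, not QMAT code).
Assumption: signatures are given inline as hex strings, because the real
crypto.xml / function.xml layout is not shown; 0xFF is the wildcard byte,
exactly as the page states."""
import re
from typing import NamedTuple

WILDCARD = 0xFF   # one-byte wildcard, per the page


class Hit(NamedTuple):
    name: str
    offset: int


def compile_signature(hex_sig: str) -> re.Pattern:
    """Hex string -> bytes regex; 0xFF becomes '.', every other byte is literal."""
    parts = []
    for b in bytes.fromhex(hex_sig):
        parts.append(b"." if b == WILDCARD else re.escape(bytes([b])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(blob: bytes, signatures: dict) -> list:
    """All (name, offset) matches, overlapping ones included, sorted by offset."""
    hits = []
    for name, sig in signatures.items():
        rx = compile_signature(sig)
        pos = 0
        while (m := rx.search(blob, pos)) is not None:
            hits.append(Hit(name, m.start()))
            pos = m.start() + 1
    return sorted(hits, key=lambda h: (h.offset, h.name))


# Well-known constants as they appear in little-endian ARM code/data.
SIGNATURES = {
    "AES S-box (row 0)": "63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76",
    "TEA/XTEA delta 0x9E3779B9": "B9 79 37 9E",
    "SHA-1/MD5 IV words": "01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10",
    # STMFD SP!, {..., LR} = 0xE92D40xx; the register-mask byte is wildcarded
    "ARM push {..., lr}": "FF 40 2D E9",
}

# Constructed sample "firmware": padding, AES row, filler, push {r4, lr}, delta, IV, 0xFF run.
SAMPLE = (
    bytes(16)
    + bytes.fromhex("637C777BF26B6FC53001672BFED7AB76")   # offset 16
    + b"\x11" * 5                                        # offsets 32..36
    + bytes.fromhex("10402DE9")                          # offset 37: push {r4, lr}
    + bytes.fromhex("B979379E")                          # offset 41: delta
    + bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")  # offset 45: SHA-1/MD5 IV
    + b"\xFF" * 4                                        # offset 61: literal 0xFF bytes
)


def demo() -> list:
    return scan(SAMPLE, SIGNATURES)


if __name__ == "__main__":
    for h in demo():
        print(f"0x{h.offset:08X}  {h.name}")
```

The trailing 0xFF bytes in the sample illustrate the limitation noted above: a signature byte of 0xFF matches them, but it equally matches any other byte, so a literal 0xFF can only be pinned down by the bytes around it.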
In this menu item you can select any QC partition file to be analysed.
This function is really helpful for understanding which data sections are found where in NAND or
NOR flash.
Either enter the page count and page size with which the data should be interpreted,
or add known layouts to "partition.xml".
2.1.4. Find Security Password
This tool helps you cut junk data out of files.
After selecting the file, enter the offset at which cutting should start, how many bytes shall be
deleted, and the distance between the junk runs. All three values are entered in hex.
For example, take a file whose first 0x100 bytes contain no junk at all: enter start offset
„100“. Then 0x10 bytes of junk follow: enter number of bytes „10“. This junk recurs every
0x200 bytes: enter repeat of bytes „200“.
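The junk-cutting dialog, as an added example (not QMAT's own code), generalised to the common case of stripping spare/OOB bytes from a raw NAND dump. It assumes that „repeat“ is the number of good bytes kept between two junk runs; confirm that reading against the tool before trusting the result on a real dump.

```python
"""Cut periodically recurring junk out of a file, as QMAT's "cut junk data"
dialog does (added example, not QMAT code). Assumption: `distance` is the
number of wanted bytes kept between two junk runs, i.e. the layout
"data, junk, data, junk, ..." that a raw NAND dump with spare/OOB bytes has;
check this against the tool's own reading of "repeat" before relying on it."""


def cut_junk(data: bytes, start: int, junk_len: int, distance: int) -> bytes:
    """Keep data[:start]; from there on drop junk_len bytes, keep distance
    bytes, and repeat until the input is exhausted (a short tail is kept)."""
    if start < 0 or junk_len <= 0 or distance <= 0:
        raise ValueError("start must be >= 0, junk_len and distance must be > 0")
    out = bytearray(data[:start])
    pos = start
    while pos < len(data):
        pos += junk_len                    # skip one junk run
        out += data[pos:pos + distance]    # keep the next data run
        pos += distance
    return bytes(out)


def strip_nand_spare(raw: bytes, page_size: int, spare_size: int) -> bytes:
    """Generalisation: a raw NAND dump is page, spare, page, spare, ...;
    the first junk run starts right after the first page."""
    if len(raw) % (page_size + spare_size):
        raise ValueError("dump length is not a whole number of page+spare units")
    return cut_junk(raw, page_size, spare_size, page_size)


def build_image(clean: bytes, chunks: list, junk: bytes) -> bytes:
    """Constructed test input: clean prefix, then (junk + chunk) repeated."""
    return clean + b"".join(junk + c for c in chunks)


if __name__ == "__main__":
    # The page's example: 0x100 clean bytes, then 0x10 junk bytes every 0x200 bytes.
    clean = bytes(range(0x100))
    chunks = [bytes([i]) * 0x200 for i in (1, 2, 3)]
    img = build_image(clean, chunks, b"\xEE" * 0x10)
    stripped = cut_junk(img, 0x100, 0x10, 0x200)
    print(f"{len(img)} -> {len(stripped)} bytes, intact: {stripped == clean + b''.join(chunks)}")
```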
2.1.6. HTC
This function dumps all known radio parts such as amss, qcsbl and oemsbl from .nb files or any
other firmware. The split layout comes from radiosplit.xml, which you can edit to add new devices.
This function removes the signature from an NBH so that it can be further split into firmware files,
for example.
This function dumps any file you want from an NBH, or just rips the signatures. "Open NBH" shows
information about the NBH file and which files you can dump.
This function generates a valid NBH file, either with dummy signatures or real ones. You can
add any new device to "devlist.xml". If you wish to sign with a private key, select "Use .pvk
File" before generating the NBH. New Android NBHs are also supported by selecting „Generate
Android Image“.
Chunk size is the size of each block to be signed, in units of 1024 bytes; the real byte size is
the chunk size multiplied by 1024.
Signature size is given in bytes. For a longer RSA key, use the key bit length divided by 8
(for example: 1024 bit / 8 = 128 bytes, that is 0x80 in hex).
2.1.6.5. Dump Nvitems from file
Using this function you can load any HTC NAND dump from Area 0:HTC as a file; it will
interpret the data and show all nvitems found. This currently works only for some GSM devices.
This function lets you cut ECC data from HTC firmware read directly from NAND.
2.1.7. BenQ
Sim Secure :
These functions let you load OTP data for decrypting and encrypting SimSecure, directly unlock the
mobile, or even calculate master codes, netlock codes and other codes.
These functions are non-public at the moment and will be made available to registered users as
soon as the mobiles are no longer supported by the vendor.
2.2. Extraction
Example : File-Info output for a BQS firmware and for an HTC firmware (screenshots not reproduced here).
Open any binary file using the „Open Binary for Extraction“ menu.
After that you can extract any certificates and BMP, GIF, PNG and JPG images found in the file.
This menu lets you extract internal files if the amss has an internal filesystem.
Example: the strings „fs:/“ can be found with a hex editor.
If the memory offset differs from the file offset, enter the difference as +value or -value.
For example, search for the string „fs:/“ with a hex editor. The DWORD before „fs:/“ should be the
file offset. BAR files always start with the bytes 0x11 0x01, so the right offset can be found quickly.
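The hex-editor recipe above, automated, as an added example (not QMAT's own code): find every „fs:/“ string, read the DWORD in front of it as a little-endian address (assumed, as in ARM firmware), apply the +/- offset correction, and use the 0x11 0x01 BAR header to confirm the correction. The sample image and its base address 0x100000 are constructed; guess_delta() goes one step beyond the page by deriving the correction automatically from the BAR headers.

```python
"""Find embedded-file entries by the "fs:/" path strings and the DWORD that
precedes each of them, the hex-editor recipe from the page (added example, not
QMAT code). Assumptions: the DWORD is little-endian (ARM firmware), the path is
NUL-terminated, and `delta` is the +value / -value correction between the
memory offset stored in the image and the file offset."""
import struct
from typing import NamedTuple

BAR_MAGIC = b"\x11\x01"    # the page: BAR files always start with 0x11 0x01


class FsEntry(NamedTuple):
    path: str
    stored_offset: int      # DWORD found in front of "fs:/"
    file_offset: int        # stored_offset + delta
    looks_like_bar: bool    # file_offset points at 0x11 0x01


def find_fs_entries(blob: bytes, delta: int = 0) -> list:
    entries = []
    pos = 0
    while (idx := blob.find(b"fs:/", pos)) != -1:
        pos = idx + 4
        if idx < 4:                      # no room for a DWORD in front
            continue
        stored = struct.unpack_from("<I", blob, idx - 4)[0]
        end = blob.find(b"\x00", idx)
        path = blob[idx:end if end != -1 else len(blob)].decode("ascii", "replace")
        off = stored + delta
        is_bar = 0 <= off < len(blob) - 1 and blob[off:off + 2] == BAR_MAGIC
        entries.append(FsEntry(path, stored, off, is_bar))
    return entries


def guess_delta(blob: bytes):
    """Try every (entry, BAR-magic position) pairing as a candidate delta and
    return the one that makes the most entries point at a BAR header."""
    entries = find_fs_entries(blob)
    magic_at = [i for i in range(len(blob) - 1) if blob[i:i + 2] == BAR_MAGIC]
    best, best_count = None, 0
    for e in entries:
        for m in magic_at:
            d = m - e.stored_offset
            count = sum(x.looks_like_bar for x in find_fs_entries(blob, d))
            if count > best_count:
                best, best_count = d, count
    return best


# Constructed sample image: a table of (DWORD, "fs:/..." NUL) entries whose
# DWORDs are memory addresses (file offset + BASE), followed by two BAR blobs.
BASE = 0x00100000
_table = (struct.pack("<I", BASE + 0x40) + b"fs:/pic/logo.bar\x00"
          + struct.pack("<I", BASE + 0x60) + b"fs:/snd/ring.bar\x00")
SAMPLE = (_table.ljust(0x40, b"\x00")
          + BAR_MAGIC + b"A" * 30      # file offset 0x40
          + BAR_MAGIC + b"B" * 30)     # file offset 0x60


if __name__ == "__main__":
    d = guess_delta(SAMPLE)
    print(f"offset correction: {d:+#x}")
    for e in find_fs_entries(SAMPLE, d):
        print(f"{e.path:<20} stored=0x{e.stored_offset:08X} file=0x{e.file_offset:06X} bar={e.looks_like_bar}")
```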
This function searches for any internal QC Embedded File System references.
Extraction :
After loading a binary file in the file menu, these functions let you extract the end signature
(the last 0x256 bytes of the file).
Using this function you can extract GZIP-compressed data from any binary. Just enter the
offset where the gzipped data starts and its length. You may extract binaries up to 100 MB.
Attention : even for extracting small files you need a minimum of 100 MB of free disk space.
2.4. Extract FAT from file
Using this function you can extract any FAT12/FAT16 filesystem from any binary. Just open the
binary and it will list all files contained in it and the volume label information. You can then
extract the files by selecting „Extract“ and opening a FAT file.
3. Cryptanalysis Tools
This tool provides RSA functions. You can encrypt / decrypt any message using the RSA
algorithm.
The function Reverse String can strip the separators out of hex messages (like 00:FA:BC:EB) or
just reverse the byte order of a hex string (two hex digits per byte).
You can also enter any modulus and exponent and check BQS and HTC firmwares for validity.
Example public keys are already provided for HTC mobiles, BQS mobiles and the old iPhone.
This function generates an RSA private key, for example in order to sign your own firmware. Just
enter the bit length you wish (decimal) and the public exponent (hex) and press "Generate
RSA Keys". After generation you may save the calculated key in a .pvk container file by pressing
"Create .pvk Files using Results", or just copy and paste the values.
3.1.3. DES-Calculator
This function computes DES (64-bit key, of which 56 bits are effective), 2DES (128-bit key) and
3DES (Triple DES, 192-bit key) in the modes ECB, CBC, CFB and OFB.
You can also enter how many times the calculation is iterated.
3.1.4. AES-Calculator
This function computes AES with key sizes of 128, 192 and 256 bit in the modes
ECB, CBC and CFB.
3.1.5. TEA-Calculator
This function computes TEA and the improved TEA (XTEA) in the modes ECB and CBC.
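TEA and XTEA with ECB and CBC as an added example (not QMAT's own code), written so that the block functions can be checked against the published all-zero test vectors. The big-endian word order is an assumption about how the calculator splits its 8-byte blocks and 16-byte keys; if QMAT uses little-endian words the output bytes differ while the algorithm is the same.

```python
"""TEA and XTEA (64-bit block, 128-bit key, 32 rounds by default) with ECB and
CBC, in pure Python (added example, not QMAT code). Assumption: blocks and keys
are split into big-endian 32-bit words; a tool using little-endian words gives
different bytes for the same inputs."""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
BLOCK = 8


def _w(b: bytes, n: int) -> list:
    return list(struct.unpack(">%dI" % n, b))


def tea_encrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    v0, v1 = _w(block, 2)
    k0, k1, k2, k3 = _w(key, 4)
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return struct.pack(">2I", v0, v1)


def tea_decrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    v0, v1 = _w(block, 2)
    k0, k1, k2, k3 = _w(key, 4)
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return struct.pack(">2I", v0, v1)


def xtea_encrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    v0, v1 = _w(block, 2)
    k = _w(key, 4)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2I", v0, v1)


def xtea_decrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    v0, v1 = _w(block, 2)
    k = _w(key, 4)
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack(">2I", v0, v1)


CIPHERS = {"tea": (tea_encrypt_block, tea_decrypt_block),
           "xtea": (xtea_encrypt_block, xtea_decrypt_block)}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _check(data: bytes, key: bytes, iv: bytes) -> None:
    if len(data) % BLOCK or len(key) != 16 or len(iv) != BLOCK:
        raise ValueError("data must be a multiple of 8 bytes, key 16 bytes, iv 8 bytes")


def encrypt(data: bytes, key: bytes, cipher: str = "xtea", mode: str = "ecb",
            iv: bytes = bytes(BLOCK)) -> bytes:
    """ECB or CBC over whole blocks; the caller pads to a multiple of 8 bytes."""
    _check(data, key, iv)
    enc = CIPHERS[cipher][0]
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if mode == "cbc":
            blk = _xor(blk, prev)
        prev = enc(blk, key)
        out += prev
    return bytes(out)


def decrypt(data: bytes, key: bytes, cipher: str = "xtea", mode: str = "ecb",
            iv: bytes = bytes(BLOCK)) -> bytes:
    _check(data, key, iv)
    dec = CIPHERS[cipher][1]
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        p = dec(blk, key)
        if mode == "cbc":
            p, prev = _xor(p, prev), blk
        out += p
    return bytes(out)
```

With the all-zero key and block, TEA gives 41EA3A0A94BAA940 and XTEA gives DEE9D4D8F7131ED9; if the calculator shows different bytes for those inputs, it is splitting words in the other byte order.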
3.1.6. CRC-30 Calculator
This tool calculates a CRC30 value for any file with a given page size and step size, and can also
patch a file to match a required QC CRC30 value by brute-forcing its last 4 bytes (for example the
qcsblhdconf file).
3.2. Generate Hashes
This function calculates MD4, MD5, SHA1, SHA2 (SHA-224 and SHA-256), CRC16, CRC32 and
several ECC codes of any selected file.
Example :
SHA1 : DF870F3A4C306A4AD19232D47FAAA4F315079ECB
SHA224 : 46A09505ADBD225572BFE53C03B83D1798CED6E2FD30B88B190F853DCCCCCCCC
SHA256 : 8646D2F73CBBB227E93011C30B40CBF526E830A49EF55FE7E25777BF6674EBEC
SHA256-HTC : 4FBAC64CA15493CFB81B9823CFE31E1497E4BDF1FE9758F20FA7AE877ED765D2
MD4 : 91523B28F7F2B0565CDEAA4E3A165EEB
MD5 : 88BA062A43782CEBB8CDC722F305C31A
CRC16 (0x1189) : EBCE
CRC30 (Block: 0x1000, Page: 0x200) : 2F34652C
CRC30 (Block: 0x2000, Page: 0x400) : 1068B9C4
CRC32 (0xEDB88320) : 199ECB76
CRC32 (0x04C11DB7) : 3EB38D82
CRC32 HTC (0xEDB88320) : C95C445B
ECC Reed Solomon (parity10) : A3820A8D639278A67BCC
ECC BCH Micron 3 byte : 222222
ECC Hamming Toshiba (8 bit - 0x200 bytes) : CFCFCF
ECC Hamming (8 bit - 0x200 bytes) : CFCFCF
ECC Hamming (16 bit - 0x200 bytes) : F3F3F3
Note that a SHA-224 digest is 28 bytes (56 hex digits); the SHA224 line above shows 64 digits, so
its trailing digits are not part of the digest. The two CRC32 lines are the reflected (0xEDB88320)
and the normal (0x04C11DB7) representation of the same generator polynomial; the different results
come from the bit ordering (and the init / final-XOR values) used by each variant.
This function extracts useful information from a private key container file (.pvk).
Currently only private keys are supported.
Example output (a 1024-bit key: 256 hex digits of modulus, 128 hex digits per prime) :
RSA2
Modulus :
B332AF4B62B3AA901EE3FFD6591CA569ECA90F27FBBF46AB27EAA01F57D819A7776971832D0979BF6E15D9732DEFA21DCDA5252C64222288E8CC1DBE4C8BE9F19C66B6E7C6C6C75D3F7E1A9A96C0391C2E54F0C97D387734AE54831476EC9918FC22809A4822D4D721F57B1337A17ACA47F94DD61AD91EB975F7457B6E1B589D
Prime1 :
DC7772B50267A474437577F9CE4766098F83EE9AD2950698CC26D5E09D670BA3CABEA0C4BD08FD41A83B49AE5D8DC16EDB6E6CF32EA93B6FB9BEB2A579F5DDCF
Prime2 :
D01479A5ED587AD7369DA5E4A5F0F2FAB1EBFB35EAC0A04CE76E1EE06E3FE651031846850F0C33A4BA6D1212F4D25DF87DE6798B98588B739B21EDAB5F52C9D3
Exp1 :
D99B70F6272483975A4A651C85B5C58A644495CBED54B909326096B4B8C8501DE06D5E24326DE003E1787B9686B2F79D632B50908B9AF096ABA10595FD9667D3
Exp2 :
33AC52055DAAB25ECDA65AB32C6E68B8CF046E4F166C1DA2DB7A225AD3A634B8FB8EC4BC785F2C58051FDEF42C2E2DBDEEEE1453115333D652B91B3F8A9D9197
Coeff :
7D092E64E28C85E8C3535776E5C86E09EB0DAE2201013EE20BBA4C738DB0D5F3618DD3A1242F783C6BF0CD5D7976E7F02BCED4560BF20B84073BAC90298DF793
PrivExp :
0EE1FFC3101081F2F44DD55AB50DF703041FCA5D74C01F1B69F6479432D484D4EECAF81D7FE9108E809319FB41EE6C157395EAAF74258D9EB74EF48D70881246D631E2AEADD124B64D2224996F78BF78DD38EC4A4E8D84E57A57DC773B2A8EC6277E29DE905F05A5A20DC2B3278A350FD3681E1917A283EE09D37AA63DB3FDF5
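The RSA calculator, the key generator and the .pvk dump above, as one added example (not QMAT's own code): key generation with a chosen bit length and public exponent, the CRT components a .pvk file stores (Prime1, Prime2, Exp1, Exp2, Coeff, PrivExp), a consistency check for a dumped key, and raw signing and verification with a given modulus and exponent. The firmware signature padding is not described on the page, so verify_raw() only returns the recovered value for the caller to compare; the 512-bit size and the `seed` parameter exist for reproducible examples and must not be used for real keys.

```python
"""RSA key generation with the CRT components a .pvk / RSA2 blob carries
(Prime1, Prime2, Exp1, Exp2, Coeff, PrivExp), a consistency check for a dumped
private key, and raw textbook signing / verification (added example, not QMAT
code). Assumption: the firmware signature encoding (hash, padding) is not on
the page, so verify_raw() only recovers the signed integer for comparison."""
import random
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rng=random.SystemRandom(), rounds: int = 40) -> bool:
    """Miller-Rabin after trial division."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, e: int, rng) -> int:
    """Random prime of exactly `bits` bits with gcd(p - 1, e) == 1."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if gcd(p - 1, e) == 1 and is_probable_prime(p, rng):
            return p


def generate_rsa(bits: int, e: int = 0x10001, seed=None) -> dict:
    """Key as a dict with the same fields a .pvk dump shows. `seed` is only
    for reproducible examples; a real key must use the OS RNG (seed=None)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    while True:
        p = random_prime(bits // 2, e, rng)
        q = random_prime(bits - bits // 2, e, rng)
        if p != q and (p * q).bit_length() == bits:
            break
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "exp1": d % (p - 1), "exp2": d % (q - 1), "coeff": pow(q, -1, p)}


def check_private_key(k: dict) -> list:
    """Problems found in a dumped key (empty list = consistent)."""
    n, e, d, p, q = k["n"], k["e"], k["d"], k["p"], k["q"]
    problems = []
    if p * q != n:
        problems.append("Prime1 * Prime2 != Modulus")
    if not (is_probable_prime(p) and is_probable_prime(q)):
        problems.append("Prime1 or Prime2 is not prime")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # accepts phi- or lambda-based d
    if (e * d) % lam != 1:
        problems.append("PrivExp is not the inverse of the public exponent")
    if k["exp1"] != d % (p - 1) or k["exp2"] != d % (q - 1):
        problems.append("Exp1/Exp2 do not match PrivExp mod (Prime - 1)")
    if (k["coeff"] * q) % p != 1:
        problems.append("Coeff is not Prime2^-1 mod Prime1 (PKCS#1 / PVK convention)")
    return problems


def sign_crt(m: int, k: dict) -> int:
    """m^d mod n via the Chinese remainder theorem, as signers using a .pvk do."""
    m1 = pow(m, k["exp1"], k["p"])
    m2 = pow(m, k["exp2"], k["q"])
    h = (k["coeff"] * (m1 - m2)) % k["p"]
    return m2 + h * k["q"]


def verify_raw(sig: int, n: int, e: int) -> int:
    """sig^e mod n: the value the signer actually signed; compare it yourself."""
    return pow(sig, e, n)
```

check_private_key() is the test to run on a .pvk dump before signing anything with it: a single flipped digit in Coeff or Exp1 still produces a signature of the right size, but one that no longer verifies against the modulus.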
4. Hardware Forensics
This menu offers „online“ support, that is, access to the features QC mobiles offer over USB or
serial interface, to Windows CE devices (WM 5.x - 6.1), and also to devices via JTAG.
4.1. Use Mobile Ports
This function lets you experiment with a lot of standard QC and AT command functions.
This tool can be used with all QC mobiles that have the Diag port enabled. It allows you to send any
command as a hex string over the Diag port to a mobile connected via USB or COM port.
At the top you select which interface to use. The port is opened automatically when
needed and closed once you close the window, change the COM port or select another
baud rate. Below that you can select the diag-mode functions for phones in AT mode in order to
switch them to QC diag mode.
With „Select Log-File“ you tell the program where to save the data displayed in the Com Result
window (the big white window with hex values). If no file name is entered, the default file name
„comlog“ in the application directory is used.
Select any standard QC command you wish to send under „Diag commands“, or enter any hex value
to be sent (without CRC), for example „0001020304“, and click „Send Cmd“ to send it to the mobile via
the USB Diag interface. Selecting „No CRC+7E“ sends the raw hex bytes without CRC generation and
without the 0x7E postfix.
You can also run XML scripts with an auto-log function. See scripts/script.xml for an example of
how to use them. „Delay“ is the number of ms to wait before sending the next command. The option
plain="1" sends the raw data without CRC and without the 0x7E postfix.
The functions „Enter FTM“ and „Leave FTM“ write the FTM mode into an NVItem and
automatically reboot the phone.
The command „Generate SimSecure Command DANGEROUS“ produces a command string
from a given SimSecure file which the user wants to write to SimSecure. Be careful: incorrect use of
this tool will leave your phone useless.
On phones where only a modem port exists, you may need to send a command to enable the diag
port. Use the buttons under "Enable Diag Mode functions for phones in AT mode" to enable the diag
port easily. Remember to set the right baud rate for your phone.
The option „Vendor“ lets you select the generic pre-headers used by some vendors that do not use
the standard QC protocol.
These are some of the Diag commands supported (examples of how to use them):
Send SPC (command byte 0x41 followed by the 6 SPC digits as ASCII): for example, if your SPC is
000000, convert the digits to ASCII (0=30, 1=31, etc... 9=39); you would send „41303030303030“.
Send security password (command byte 0x46 followed by the 8 digits as ASCII): for example, if your
password is 12345678, convert the digits to ASCII the same way; you would send „463132333435363738“.
For example :
Set the phone into FTM mode
Send „290300“ (0x29 = mode control, mode 3 = FTM) to switch to FTM, then press „Sendcmd“.
After that, reboot the phone by sending „290200“ (mode 2 = reset).
Read NVItems
To read specific NVItems, select „Read NVItems“ in the Standard Mode tab.
Enter the range to read and press „Lets go“ to start. It will ask for a file name to save the data.
You can also back up / restore all NVItems using those commands in the Standard Mode tab.
Write NVItems
For writing NVItems, select „NVWRITE“ in the command list and add the item number plus the data.
Example: write item 01C5, data 01 (enable FTM mode permanently); the item number follows the
command byte 0x27 as a little-endian word (C5 01):
27C501010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
The data must always be 0x80 (128) bytes, just as in the example.
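The Diag port framing the page describes (a hex command entered without CRC, the CRC and 0x7E added by the tool, „No CRC+7E“ to send raw bytes) as an added example (not QMAT's own code), with builders for the SPC, security password, mode-control and NV-write commands shown above. The byte-stuffing and CRC rules are the standard Qualcomm diag HDLC framing; the command codes are the standard diag opcodes that the page's own hex strings use.

```python
"""Qualcomm DIAG command framing as QMAT's Diag port window does it (added
example, not QMAT code): HDLC-style byte stuffing, CRC-16 (X.25: reflected
polynomial 0x8408, init 0xFFFF, final XOR 0xFFFF, appended little-endian) and
the 0x7E terminator, plus builders for the commands shown on this page.
The opcode values are the standard Qualcomm diag command codes."""

DIAG_NV_WRITE_F = 0x27     # "27 C5 01 ..." in the page's example
DIAG_CONTROL_F = 0x29      # "29 03 00" = FTM, "29 02 00" = reset
DIAG_SPC_F = 0x41          # "41" + 6 ASCII digits
DIAG_PASSWORD_F = 0x46     # "46" + 8 ASCII digits
NV_ITEM_SIZE = 128         # the page: data must always be 0x80 bytes
FRAME_END, ESCAPE, ESC_XOR = 0x7E, 0x7D, 0x20


def crc16(data: bytes) -> int:
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(payload: bytes, raw: bool = False) -> bytes:
    """raw=True is the window's "No CRC+7E" option: bytes go out unchanged."""
    if raw:
        return payload
    body = payload + crc16(payload).to_bytes(2, "little")
    out = bytearray()
    for b in body:
        if b in (FRAME_END, ESCAPE):          # stuff 0x7E / 0x7D, CRC bytes included
            out += bytes([ESCAPE, b ^ ESC_XOR])
        else:
            out.append(b)
    out.append(FRAME_END)
    return bytes(out)


def parse_frame(frame: bytes) -> bytes:
    """Unstuff one received frame, check its CRC and return the payload."""
    if not frame or frame[-1] != FRAME_END:
        raise ValueError("frame does not end with 0x7E")
    body, i = bytearray(), 0
    while i < len(frame) - 1:
        b = frame[i]
        if b == ESCAPE:
            i += 1
            if i >= len(frame) - 1:
                raise ValueError("truncated escape sequence")
            b = frame[i] ^ ESC_XOR
        body.append(b)
        i += 1
    if len(body) < 2 or crc16(bytes(body[:-2])) != int.from_bytes(body[-2:], "little"):
        raise ValueError("bad CRC")
    return bytes(body[:-2])


def spc_cmd(spc: str) -> bytes:
    if len(spc) != 6 or not spc.isdigit():
        raise ValueError("SPC is 6 decimal digits")
    return bytes([DIAG_SPC_F]) + spc.encode("ascii")


def password_cmd(password: str) -> bytes:
    if len(password) != 8 or not password.isdigit():
        raise ValueError("security password is 8 decimal digits")
    return bytes([DIAG_PASSWORD_F]) + password.encode("ascii")


def control_cmd(mode: int) -> bytes:
    """Mode as a little-endian word: 2 = reset, 3 = FTM (as used on the page)."""
    return bytes([DIAG_CONTROL_F]) + mode.to_bytes(2, "little")


def nv_write_cmd(item: int, data: bytes) -> bytes:
    """Item number little-endian, data zero-padded to the fixed 128-byte size."""
    if len(data) > NV_ITEM_SIZE:
        raise ValueError("NV item data is at most 128 bytes")
    return bytes([DIAG_NV_WRITE_F]) + item.to_bytes(2, "little") + data.ljust(NV_ITEM_SIZE, b"\x00")


if __name__ == "__main__":
    for name, cmd in (("SPC", spc_cmd("000000")), ("FTM", control_cmd(3)),
                      ("NV write 0x01C5", nv_write_cmd(0x01C5, b"\x01"))):
        print(f"{name:<16} payload={cmd.hex()[:24]}.. frame={build_frame(cmd).hex()[:32]}..")
```

parse_frame() is what a log reader needs for the „comlog“ data: responses come back in the same framing, and a CRC failure on a response usually means a baud-rate or vendor pre-header mismatch rather than a corrupt phone.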
Read EFS
To read out the EFS, select „Read EFS“ in the Diag Port tab.
Enter the maximum range to read and press „Lets go“ to start. For newer QC devices you may also
select an alternative way of reading the EFS. It will ask for a file name to save the data.
There are many more functions you can use. The limits are only what your mobile is capable
of: write and read config data, contacts, read and write SMS, and much more.
4.1.2. Modem Port (Sync)
Left of the button "Send ASCII" you can enter any AT command and send it by pressing
Enter or the button "Send ASCII".
You may also choose AT functions under "Select Action" and press "Go" to execute them.
AT functions available :
- Read all SMS
- Read all contacts
- Read IMSI
- Read IMEI
- Read manufacturer identification
- Read model identification
- Read revision identification
- Read operator names
- Read battery charge
- Read signal quality
- SIM : Read IMSI
- SIM : Read Kc - GSM
- SIM : Read ICC Identification
- SIM : Get Location Info (TMSI+LAI+RFU)
- SIM : Get Ciphering Keys (KSI+CK+IK) - UMTS
- SIM : Get Ciphering Packet Keys (KSIPS+CKPS+IKPS) - UMTS
Registered users of QMAT can also use the APDU interface, which lets you send any
APDU command you wish to the SIM card in the mobile.
This is especially useful for forensics, such as reading the current cipher keys and restoring deleted
SMS or contacts.
4.1.3. Modem Port (Async)
This interface lets you talk to any AT interpreter in asynchronous mode, such as the HTC tricolor
bootloader.
The binary log file is saved in the application directory as "bytelog", or under the file name given in
the lower edit box.
Binary logging starts with the „Start serial“ or „Start USB“ button and ends with the „Stop serial“
or „Stop USB“ button. Do not try to read the log file while the connection is still running, otherwise
the program will crash.
1. Using the serial port, you can use any serial port, such as the ActiveSync one under XP.
Just select the right COM port, press "Start Serial" and you can enter any command you like.
Either press Enter afterwards or press "Send Ascii via Serial" to send the instructions.
After you are finished, or when you want to use your binary log, press "Stop Serial".
2. Using the USB port (via a WinUSB-compatible driver, like WMDC under Vista), you can enter the
driver GUID into the USB Guid edit box, press "Start USB" and then enter any command
you like. If you want to send your instructions with the Enter key, select "Switch default send
button". Or you can just press "Send Ascii via USB".
After you are finished, or when you want to use your binary log, press "Stop USB".
Remember, when using WMDC, to disable „Connect to USB“ under Preferences, Connection
Preferences, otherwise you will not be able to connect.
Example :
„lnb splash 50140000“ uploads a file to NAND address 0x50140000
„lnb os 50420000“ uploads an OS file to NAND address 0x50420000
Once the lnb command is executed, it asks for the file to be uploaded.
Radio Bootloader :
1. Enter „rseed“ as a command, press Enter
2. Copy and paste the result into the edit box left of the „Calc Password“ button
3. Press the „Calc Password“ button
4. Enter „rpass“ as a command, press Enter
5. Press the „Send result“ button
SPL :
1. Start USB HHD Monitor (trial or full version)
2. Enter "info 3"
3. Copy the bytes at position 0x2B0 (a 0x20-byte string) into the edit box left of "Calc Password"
4. Press "Calc Password"
5. Enter "password" + the result from the result box left of „Send Result“, then press Enter
(Example : password ~d~~~~~~~~~r~000)
Encapsulate Features :
You can either send bytes encapsulated in the HTCS-HTCE header, entered as a hex
string in the edit box left of the „Calc Password“ button (example : AB34123456), or even upload
complete files encapsulated, using the „Encapsulate binary file and send“ button.
This tab offers tools to read out codes and passwords via the Diag port, but also lets you send SP
and SPC for authentication and change the SPC. Several SPs are already included; you can
easily extend them by writing new SPs into the file config/sp.xml. Selecting the vendor switches
protocols where non-QC-standard protocols are used.
Also some useful information such as IMSI and LAC/LAI can be read out.
4.1.5. CDMA
This tab offers functions to read and write information and settings of CDMA phones via the Diag
port.
4.1.6. BOOTLOADER / DOWNLOAD MODE:
This menu offers bootloader and download mode functions. Take care with any action labeled
„DANGEROUS“, as it may leave your phone unusable.
Download Mode :
In Download Mode, which is enabled in standard mode simply by selecting „Enable
Download Mode“ and pressing „Run Bootloaderfunctions“, you can send any command from the
command list, marked in the picture as „Read Rootkey“, with the prefix „DWNMODE“.
With the button „Read Mem in DwnMode“ you can read out application memory in the given range
if your phone supports a QC Diag version greater than 6, but you can also use other typical QC Diag
page read functions by changing the command byte and the page size to read.
Bootloader :
You may load and execute any bootloader you wish. In order to enable NAND read
functions, select „Use 6250A hotfix“ or "Use 7200A hotfix", depending on your
QC model. The field below the check buttons is the address to which the bootloader is sent and at
which it is executed. The page size can be reduced for bootloaders smaller than 0x3F9 (hex) bytes.
Once the bootloader is loaded, this is announced in the result window as shown in the picture.
Then you can read any range of NAND, with the given range, using the „Read NAND with Loader"
function.
1.
Remove and reinsert the battery
Remove the data cable
Set the mobile to emergency mode (hold Power On + #, release after the BenQ logo appears)
Insert the data cable
Press "Run Bootloaderfunctions"
Now you can select a loader command such as "Read Rootkey" or "Read SimSecure" and press "Send cmd".
The result will appear in the window below.
Or you can press "Read NAND" to read out a specific NAND range (full backup).
When done, select "Reset phone" and press "Send cmd" to return to normal phone operation.
If that doesn't work, remove and reinsert the battery for normal phone operation.
2.
Insert the data cable
Press "Enter FTM Mode" in normal phone operation.
Press "Send special loader"
Now you can select a loader command such as "Read Rootkey" or "Read SimSecure" and press "Send cmd".
The result will appear in the window below.
Or you can press "Read NAND" to read out a specific NAND range (full backup).
When done, select "Reset phone" and press "Send cmd".
If that doesn't work, remove and reinsert the battery.
Press "Leave FTM Mode" for normal phone operation.
Bootloader commands :
These commands can be used to test patched or standard QC uploaded bootloaders, or to unlock non-standard
bootloaders.
Download-Mode commands :
These commands can be used when the phone is in Download Mode (normally initiated via the 0x3A command).
Download-Mode functions :
These functions dump data via standard or patched bootloaders or via download mode.
Read full NAND using patched Loader = dump NAND via a patched QC bootloader
Read NAND using standard Loader = dump NAND via the standard QC bootloader (normally starts at amss)
Read NAND using LG Loader = dump NAND via the LG bootloader
Read NAND using ZTE Loader = dump NAND via the ZTE bootloader
Read NAND using Samsung Loader (<= MSM6250) = dump NAND in Samsung download mode
Show MEM Partitions in DWNMODE = show the memory partitions to dump (MSM6260 or newer)
Read MEM in DWNMODE = dump memory partitions (MSM6260 or newer)
Read SimSecure Data using patched Loader = dump SimSecure data from BenQ/Siemens phones
Flasher Interface (MSM6250 only) :
Before using this function, you must load and execute a flashing bootloader, either the included one
for MSM6250/A or any other. Select the part you wish to upload to the phone. This function is
dangerous, so you should know what you are doing. The flashing function should only be used with a
fully charged battery. Pressing „Flash AMSS - DANGEROUS“ starts the flashing procedure.
This function is only available to registered users.
Using this tool you have full access to the embedded file system of every device with Brew 3.x or newer.
Just press „Read Directory“, wait a few seconds and you can browse the file tree.
After that you can back up the whole file system using the "Backup FS to ZIP" button.
In order to use subsystem commands instead of standard QC commands, select „Use SubSys“ before
reading directories.
Directories :
If you right-click any directory, a menu appears that lets you create or
remove directories and also back up the directory to a ZIP file. Remember, only empty directories
can be removed :)
Files :
If you right-click any file, a menu appears that lets you read, write and
remove files, set file attributes and even set remote file links.
Selecting a file with the left mouse button shows its attributes in the small window on the
right side.
On selecting Read File, it first reads the file and then asks where to save it on your
hard disk. You can follow the progress on the progress bar.
On selecting Write File, it asks for the file to upload to the phone and then starts uploading.
You can also follow the progress on the progress bar.
On selecting Set File Attributes, you can modify the file attributes. Not all phones support this
feature.
On selecting Create File Link, you can set a virtual file link pointing into the memory of the device. A
dialog appears in which you enter the file name, the base address (where to start in RAM)
and the length to be linked. Not all phones support this feature.
Any errors are shown as text just below the „Read Directories“ button.
This tool lets you create a goldcard for HTC devices. The goldcard is a special SD card that unlocks
diagnostic features on HTC devices.
Once your device is connected via ActiveSync / WMDC, press "Get SD Card Serial from
WINCE Device" to obtain the serial number of the SD card inserted in your PDA/smartphone.
After that, select the device under "device key" to generate a goldcard image.
Then you can either choose "Save Goldcard Image to File" to generate an SD card image,
or write the goldcard directly to the SD card inserted in your PDA/smartphone via "Save Goldcard
Image to WINCE SD".
4.3. WINCE SD Card Utils
Once your device (PDA or smartphone) is connected via ActiveSync / WMDC, you can raw-read or
write SD images of any size below 4 GB from/to the SD card in your device.
This function lets you repair / write / read out any NAND via JTAG. It is only available to registered
customers who bought this plugin. Currently we only support NAND devices; OneNAND and NOR
flash will be added soon.
1. Press „Connect Jtag“. If the device is supported, the correct MSM chipset and NAND flash are selected automatically.
You can easily add new MSM chipsets by editing jtagdevices.xml, and also add new init strings. For help with adding new
MSM chipsets or init strings, please ask for assistance in our forum. The same applies to adding new NAND
devices.
2. Select the needed speed and press „Set speed“. Choose a lower speed if the data written or read is corrupted.
3. For some NANDs you need to initialise the NAND before use. Select the correct NAND and press „Init Nand“.
You can add new NAND init scripts by editing jtagdevices.xml.
4. Select the function you wish to use. To read NAND, select „Read“ after entering a valid range in the
selection below. You can add custom ranges to the list by editing jtagdevices.xml. The function „Disable MMU“
disables any memory mapping done by the MSM chipset, if needed. Stop action stops any running function.
Before writing, you may select „erase before writing“ and „verify when writing“. Show registers
shows all current registers of the ARM CPU. The functions „Read memory“ and „Write memory“ do not flash any NAND but
let you dump any memory range. Using these functions you can, for example, upload your own loaders and
execute them. For writing into memory, set the first range item to the start address and the second range item to the end address.
For execution, enter the PC address into the first range item and press the „execute“ button.
This function lets you calculate typical network algorithms needed for authentication or to
encrypt/decrypt network data.
See the picture above for the supported algorithms (TDMA : GSM / UMTS, CDMA : CAVE).
This function is only available to registered users.