QMAT - QC Mobile Analysis Tool
What is it?
It is a development and debugging tool for Qualcomm mobiles - the only tool you'll ever need for research and development.
Who may need it?
Mobile engineers / reverse engineers and cryptanalysts
Crypto Functions :
- Calculate CRC-30, CRC-32, SHA1, SHA2 (SHA224 + SHA256), MD4 and MD5 of any file
- Brute-force bytes to fit the CRC-30 needed after qcsblhd_cfgdata.mbn was edited
- Decrypt and encrypt any RSA message, including ASN.1 / SHA signatures (you can add public keys to publickeys.xml)
- Generate RSA private key and create .pvk files
- Check firmware signature given modulus and exponent (for HTC and BQS mobiles)
- Extract information from .pvk files
- Search for algorithms in binary files (find crypto methods + signatures): CRC8, CRC16, CRC32, MD4, MD5, SHARK, HAVAL, GZIP, ZIP, SHA1, ... and much more (you can add crypto signatures to crypto.xml)
JTAG Interface :
(soon via Segger J-Link)
Functions for QC mobiles :
1. Load binary files for:
Extraction of certificates
Extraction of BMPs, GIFs, PNGs, JPGs
2. Load partition file to get an overview of the NAND/NOR structure
3. Send any string to a COM/USB port and back up all your SMS!
4. Make use of QC's Diag USB/COM port interface
(Useful for any QC mobile in the world)
Standard Features :
- Send standard diag commands or any hexadecimal command you want (database included)
- Read out all NVItems (range given)
(all that exist; more than QPST normally extracts)
- Back up and restore all NVItems
- Read out and dump firmware in memory (SRAM)
- Read out complete EFS
- Switch to FTM mode (or anything else you want)
- Get info about phone, codes, etc. ... and a lot more functions
- Generate SimSecure command to write to SimSecure using a given file (may brick your phone when used without knowledge)
- Full-featured EFS browser
Bootloader / DownloadMode Features :
- Load any file to the mobile at any address and execute it (a bootloader, e.g.)
- Read out complete NAND memory using a bootloader (range given) with the included MSM6250/A bootloader or any given bootloader
Usage: take out battery, put in battery, press ON # to enter emergency mode, execute loader
or (with SL91, SF71 e.g.) enable FTM mode, execute loader
- Use any download mode or bootloader command to experiment
- Read application memory of newer Diag Ver 6 in download mode
- Show complete info about the used NAND after loading of the bootloader
Flasher Features :
Flash any QC mobile (OBL Multiboot) with given bootloader
- Flash PBL (dangerous), QCSBL, QCSBL Header and Config Bits, Partition, OEMSBL, OEMSBL Header, AMSS, AMSS Header and EFS
Functions for BQS only :
1. Load AMSS to extract files or useful info
(EF81, E81C, EF91, SXG75, EF82, SF71, SL91 or similar ones)
Features :
Extract info from AMSS : USBID, Product.Nr., SVN, SwBuild, Mobiletype
Extract internal filesystem (mif,bar,sig etc. files)
Extract AMSS signature bytes (if production key)
Show all file references used by mobile
2. Check Firmware validity (signature)
3. Sim_Secure extraction/decryption (non-public)
4. Master-/Usercode/Unlock extraction and direct unlock (non-public)
Functions for HTC only :
1. Check validity of HTC firmware (signature check)
2. Cut out signatures from .nbh file
3. Split radio.nb into qualcomm files for analysis
4. Find HTC Public keys using Cryptosearch
5. Generate Security passwords (SPL + radio) for newer HTC
6. Generate NBH Files (you can add any device into devlist.xml)
7. Dump Files from NBH (you can add any type into nbhtype.xml)
8. Fix radio.nb checksum
9. Generic Bootloader / AT Command interface with logging functions
Functions for Network Engineers
Network Calculators :
TDMA (GSM/UMTS) :
--------------------
IMEI
GSM A5-1
GSM A5-2
GSM A5-3
3G ECSD
GEA3 - GPRS
3G SNOW
3G UEA2
3G UIA2
GSM A3/A8 COMP128 V1
GSM A3/A8 COMP128 V2
GSM A3/A8 COMP128 V3
3G Milenage
3G Milenage Resync
CDMA :
-------
CAVE
CAVE Authentication
CAVE CMEA
CAVE EMEA
CAVE EMEA_NF
CAVE Wireless Residential Extension
CAVE Datakey / Look Up Table / Mask
CAVE DTC / DCCH
CAVE KSG
CAVE Long Block
CAVE Short Block
CAVE Enhanced Message
CAVE Enhanced Voice Privacy
CAVE Enhanced Data Mask
and much more ....
Planned in future :
1. Bugfixes
2. EFS restore to zip file
3. QC JTAG interface using Segger J-Link ARM
4. LNBS HTC support to replace MTTY
5. Tooltips showing real addresses in graphical window
6. CDMA write functions
7. Read out / write back address book
8. Restore backed-up SMS to phone
9. much much more
NO UNLOCKING ! PLEASE DO NOT REQUEST. THIS PROJECT IS FOR EDUCATIONAL PURPOSES ONLY, NOT TO HARM COMPANIES FOR THEIR EFFORTS.
What we need :
- Any contribution to the project is welcome.
- Donations for new hardware and software for further development of this tool.
Link to the project files :
------------------------
Version 4.21 (Major Release) Stable
QMAT Homepage
Cya and keep on reversing,
Viper BJK
==> Donate via PayPal <==
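Added worked example for the "brute-force bytes to fit CRC-30" item in the feature list above. This is my own code, not QMAT's: the CRC parameters are the CRC-30/CDMA set (polynomial 0x2030B9C7, init and final XOR 0x3FFFFFFF, MSB-first), and whether the Qualcomm header uses exactly that variant is an assumption; the 64-byte "header" blob is constructed. Instead of searching 2^30 candidates it uses the fact that a CRC is affine over GF(2), so four free bytes can be solved for directly.

```python
# CRC-30 forcing: after editing an image, choose 4 "free" bytes so the CRC-30 lands on a
# chosen value. CRC-30/CDMA parameters are assumed; swap the constants if the header differs.
CRC30_POLY = 0x2030B9C7
CRC30_MASK = (1 << 30) - 1


def crc30(data: bytes, init: int = CRC30_MASK, xorout: int = CRC30_MASK) -> int:
    """Bitwise, non-reflected CRC-30 over `data`."""
    crc = init
    for byte in data:
        crc ^= byte << 22                      # align the byte with the top 8 of 30 bits
        for _ in range(8):
            crc = ((crc << 1) ^ CRC30_POLY) if crc & (1 << 29) else (crc << 1)
            crc &= CRC30_MASK
    return crc ^ xorout


def force_crc30(data: bytes, offset: int, target: int) -> bytes:
    """Return a copy of `data` whose 4 bytes at `offset` are set so crc30() == target.

    Flipping input bit i XORs a fixed value into the CRC, so 32 probe CRCs (one per patch
    bit) give a 30x32 linear system over GF(2). Gaussian elimination solves it directly.
    """
    if not 0 <= offset <= len(data) - 4:
        raise ValueError("patch window outside data")
    buf = bytearray(data)
    buf[offset:offset + 4] = b"\x00" * 4
    base = crc30(buf)

    # pivots[p] = (row whose highest set bit is p, mask of patch bits producing that row)
    pivots: dict[int, tuple[int, int]] = {}
    for bit in range(32):
        probe = bytearray(buf)
        probe[offset + bit // 8] ^= 1 << (bit % 8)
        val, tag = crc30(probe) ^ base, 1 << bit
        for p in sorted(pivots, reverse=True):   # reduce against existing pivots
            if (val >> p) & 1:
                val ^= pivots[p][0]
                tag ^= pivots[p][1]
        if val:
            pivots[val.bit_length() - 1] = (val, tag)

    rhs, sel = (target ^ base) & CRC30_MASK, 0
    for p in sorted(pivots, reverse=True):
        if (rhs >> p) & 1:
            rhs ^= pivots[p][0]
            sel ^= pivots[p][1]
    if rhs:
        raise ValueError("target CRC not reachable from this patch window")

    for bit in range(32):                        # apply the selected patch bits
        if (sel >> bit) & 1:
            buf[offset + bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed stand-in for an edited header: 8-byte prefix, 16 config bytes, 40 pad bytes.
    blob = bytearray(b"\x00" * 8 + b"QCSBL-HDR-CONFIG" + b"\xff" * 40)
    stored_crc = crc30(blob)
    blob[8] ^= 0x01                              # simulate the edit
    fixed = force_crc30(bytes(blob), 56, stored_crc)   # solve inside the pad area
    print(f"stored {stored_crc:08x}, edited {crc30(blob):08x}, fixed {crc30(fixed):08x}")
```

The patch window must be somewhere the firmware ignores (padding or a reserved field); four bytes always suffice because the polynomial has a constant term, so the window's contribution is full rank.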
Thanks, that's very useful. Keep up the good work!
Update : Version 3.51
---------------------
- Crypto bug fixes
- COM port bug fixes
Added QMAT 3.51 manual to download page
Cya,
Viper BJK
Update : 3.52
-------------
What's new ?
1. Added SHA2 crypto search algos (SHA224 and SHA256)
2. Added SHA2 (SHA224 and SHA256) and MD5 hash generation
3. Some Bugfixes
4. HTC Security Generator for all newer HTC models (reverse-engineered):
SPL and radio (works with Diamond!!)
Note: for copy'n'paste, do not use MTTY, but PuTTY!!!
See new manual for further details ....
Enjoy !
Cya,
Viper BJK
nice one..!
Thanks
New version : 3.54
------------------
Updates :
- Added SHA-256 from HTC
- Improved RSA decryption ... now more readable
- Added function to reverse byte strings for RSA decryption
- Bugfixes
Cya,
Viper BJK
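Added worked example (my own code, not QMAT's) for the RSA items in the feature list ("decrypt any RSA message, including ASN.1 / SHA signatures", "check firmware signature given modulus and exponent") and for the byte-string reversal added in this release. It generates a test-sized key with stdlib only, builds and checks a PKCS#1 v1.5 / SHA-256 signature, and shows what the raw s^e mod n "decrypt" view contains. The message and the idea that some images store the signature little-endian are assumptions for illustration; for real work use a maintained RSA library.

```python
import hashlib
import hmac
import secrets

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def gen_keypair(bits: int = 1024, e: int = 65537):
    """Return (n, e, d). Test-sized key generation only, not a substitute for a real library."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e != 0:
            return n, e, pow(e, -1, phi)


def pkcs1v15_encode(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo(SHA-256) || H(msg), k bytes in total."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for PKCS#1 v1.5 with SHA-256")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def rsa_raw(block: bytes, exp: int, n: int) -> bytes:
    """The 'decrypt/encrypt any RSA message' primitive: block^exp mod n, no padding checks."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(block, "big")
    if len(block) != k or m >= n:
        raise ValueError("block is not a k-byte integer below n")
    return pow(m, exp, n).to_bytes(k, "big")


def sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return rsa_raw(pkcs1v15_encode(msg, k), d, n)


def verify(sig: bytes, msg: bytes, n: int, e: int) -> bool:
    """Compare the whole recovered block against the expected encoding; no lenient parsing."""
    k = (n.bit_length() + 7) // 8
    try:
        recovered = rsa_raw(sig, e, n)
    except ValueError:
        return False
    return hmac.compare_digest(recovered, pkcs1v15_encode(msg, k))


def detect_signature_byte_order(sig: bytes, msg: bytes, n: int, e: int):
    """Mirror of the 'reverse byte string' helper: a signature stored little-endian
    (an assumption about some image formats) only verifies after reversing it."""
    if verify(sig, msg, n, e):
        return "big"
    if verify(sig[::-1], msg, n, e):
        return "little"
    return None


if __name__ == "__main__":
    n, e, d = gen_keypair()
    image = b"AMSS image bytes (constructed)"
    sig = sign(image, n, d)
    print("raw decrypt:", rsa_raw(sig, e, n).hex())
    print("stored as-is:", detect_signature_byte_order(sig, image, n, e))
    print("stored reversed:", detect_signature_byte_order(sig[::-1], image, n, e))
```

The raw decrypt output is what a "decrypt RSA message" view shows: the 00 01 FF.. padding, the DigestInfo, then the hash. Verifying by comparing the full block, rather than scanning for the hash somewhere inside it, is what keeps lax-padding forgeries out.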
Update:
Small SHA2 bugfix
Good information. thanks
New version : 3.6
------------------
Updates :
- Added NBH Generator Tool
=> you can add any device to devlist.xml
=> you can sign rom files either using pvk file or using dummy signature
- Added NBH Dump Tool
=> Remove Signatures function or
=> Extract any part you wish or
=> Extract all files from nbh
=> Show infos about nbh file
=> Add new deviceparts (typeinfo) to nbhtype.xml
- Added publickeys as XML
=> add any public key to publickeys.xml
- Added tool to fix radio.nb checksum
Bugfixes :
- Fixed NBH Signature extraction
- Fixed RSA Function
For the design of the NBH tools I was strongly influenced by Olipro's work
Cya,
Viper BJK
This is a real work....!!!!
thx for this great program
Update : 3.61
-------------
What is new ?
-------------
After being fed up with buggy PuTTY + MTTY, I implemented an
HTC bootloader AT command interface (see picture below).
Also I was missing a good copy/paste function for my hex editor.
Why wasn't it working before?
=> The HTC bootloader isn't able to take more than one byte sent.
So :
- Implemented HTC Bootloader AT Command Tool (works also for other ones)
- Several severe bugfixes (like Display fixes)
- Fixed RSA Decryption bug (Pubkeys loaded incorrectly from xml)
What will be next ?
------------------
As I'm a Vista user (sic!) I also use the really old ActiveSync driver.
But this one lacks high-speed transfer, so I'm going to implement a solution
for newer HTC phones and newer OS, as Micros*** changed to the WinUSB interface (which is better imho than a virtual COM port).
So :
- Will implement REAL Usb interface, no virtual serial port use
Cya,
Viper BJK
Small update :
--------------
WinUSB is now fully implemented!
It really works like a charm, much faster than PuTTY or MTTY, and really stable.
mb command runs like hell
Even better, you can break off the USB connection and continue seconds after reading out bytes .... this is big news
So ... Vista users, use the new WMDC drivers, forget about the old ActiveSync one.
And as for the XP users, download the WinUSB runtimes now
Bad to say, but of course WinUSB won't work with old ActiveSync.
I'm going to implement now a log function for binary data, so it can be used with pdump. Once I understand how "autodownload" works, I will implement it also so that my tool can replace MTTY.
If there are any wishes what should be implemented, say so
Of course I will open-source the WinUSB connection for those who want to port their tools.
Cya,
Viper BJK
Update 3.70
------------
What is new ?
--------------
- Big bugfixes
- Added new WinUSB and Serial Interface for HTC Bootloader (with binary log AND pdump support)
- Added partition tool to show MORE info
- Complete new Serial interface
- Added feature to use different bootloader commands for nand reading
- Added feature to read different sizes for nand reading
- Fixed radio.nb extraction
- Fixed radio.nb checksum calculation
- etc. ..... see Manual 3.7 for complete introduction
Cya,
Viper BJK
Update 3.71
------------
Sorry for that one ... WinUSB didn't work due to a memory leak.
Fixed ....
Cya,
Viper BJK
Update 3.72
------------
What's new ?
-------------
- Included HTC Security Decoder in AT Command Interface
(easier to use)
- Fixed USB / SER Problems
- HTCE/HTCS were not displayed correctly
- Fixed Display Scroll Problems in AT Command Interface
Enjoy !
Cya,
Viper BJK
Update 3.73 *Speed release !*
------------
As someone really needed this func, the following was added :
- HTC AT command interface byte log can now be any filename (select log file)
- You can send any data to encapsulate; for example, if you want to send bytes 0x00 0x01 0x02 and 0x03, enter "00010203", press the encap button and
the bytes will be sent using the correct HTC "HTCS....HTCE" encapsulation
Cya,
Viper BJK
Update 3.74 *Special Edition for CMonex*
------------------------------------------
News :
- Added function to upload files in encapsulated header
- Bugfixes
Cya,
Viper BJK
News :
-------
3.74 has a lot of bugs in it, so sorry for that.
Download of my tool is at the moment not possible; I'm looking for another hoster.
New version 3.75 will be out soon, adding several bug fixes and NVItem support for HTC. Also, beginning with 3.75, my software will be shareware.
People that already donated 15 EUR will of course get the source and a registration key as usual for free.
Expect news soon.
Cya,
Viper BJK
ThanX Alot for this GREAT Tool !
Keep up your Good Work !
Is it possible to upload this tool on the board? I have forbidden access to the Google Code page ... :'(
Wizard Service Tool v4.2.2
03/05/06 15:12:58
CPU Manuf. FAILED
IMEI: 355046015665718
=> Bootloaders:
IPL: 3.15.0001 (G4 device)
SPL: 3.15 (G3 device)
SPL date unknown
Registry AKU: .0.4.2
Radio values FAILED
=>Extended_ROM:
Version: Unknown
Name: Extended_ROM
Status: hidden
=> Drives and partitions:
|--Handle--|---Size---|
8e9e5e4a - 3.00M (0x2ff400)
eea932ca - 48.23M (0x303c000)
4eae72b6 - 52.82M (0x34d2000)
2eae7002 - 3.06M (0x310000)
afb24fa2 - 3.06M (0x30fc00)
=> DOC chip unique ID:
00000000e3270205060b04e80b0b0677
Key Index: 60
All Done.
PLEASE I NEED HELP TO UNLOCK MY ARTE 110 MDA .SIMLOCK
i have an unlock program for u, it is very simple, give your e-mail and I send it
Regards cash-net
thanks in advance dis is my email.address.
[email protected]
cash-net said:
i have an unlock program for u, it is very simple, give your e-mail and I send it
Regards cash-net
please send me sw for unlock thanks
[email protected]
i need to hard reset any one can help pls
Hello all,
I am halfway through cooking a new ROM for the Asus P835 but now I don't know what to do. I hope someone could point me in a direction, please.
I have been able to take out xip.bin and imgfs.bin from the ROM without error (ROM with WM6.5 21812). With these 2 files in hand, I've done 2 things.
For xip.bin, I used xipport. Pressed [dump xip] and got a directory without error. Then pressed [make pkgs], also without error; I've got the xip structured up according to other tutorials online. So far I haven't figured out what to do with these files yet.
For imgfs.bin, I used the imgtodump tool to extract the files within. After that I used buildos+packagetool to open the "dump" folder and pressed [build packages]. Also without error I've got imgfs structured. Until now I haven't figured out what to do next.
I wanted to upgrade the OS to a newer build, let's say 23037; can anyone tell me what I should do next?
BTW, I'm looking at the guide here to use xipkitchen to combine the 2 xip.bin from the original ROM and the new ROM release? I'm not sure why this is required. Can anyone explain?
Thanks in advance.
So, now I've completed the xip modulation and removed some conflicting addresses. But in the end, I found out that there are things missing compared to the original address map. Can someone tell me if they are important?
original map.txt
Code:
8026db8c - 802b07f6 L00042c6a filedata wince.nls
802b07f8 - 802bb7f8 L0000b000 filedata boot.hv
802bb7f8 - 802c3226 L00007a2e filedata boot.rgu
802c3228 - 802ca228 L00007000 filedata mxip_lang.vol
802ca228 - 802cdbcd L000039a5 filedata sysroots.p7b
802cdbd0 - 802cef72 L000013a2 filedata b00d0fcf-0459-5ea5-d217-f50a2e1ce607.dsm
802cef74 - 802cff52 L00000fde filedata 723fb954-d931-4348-b672-82a188e587b5.dsm
802cff52 - 802ddf44 L0000dff2 NUL
802ddf44 - 802ddf44 L00000000 End: highest physical address
802ddf44 - 802de000 L000000bc NUL
802de000 - 802de000 L00000000 Start: start of RAM
802de000 - 802df000 L00001000 initialized data of region_4 nk.exe
802df000 - 802e0000 L00001000 initialized data of region_5 nk.exe
802e0000 - 802e6000 L00006000 uninitialized data of region_1 nk.exe
802e6000 - 8030f000 L00029000 initialized data of region_2 nk.exe
8030f000 - 80314000 L00005000 NUL
80314000 - 80314000 L00000000 ------ start of RAM free space
80314000 - 873fffff L070ebfff NUL
873fffff - 873fffff L00000000 End: end of RAM
modified map.txt
Code:
8027db5c - 802c07c6 L00042c6a filedata wince.nls
802c07c8 - 802cb7c8 L0000b000 filedata boot.hv
802cb7c8 - 802d31f6 L00007a2e filedata boot.rgu
802d31f8 - 802da1f8 L00007000 filedata mxip_lang.vol
802da1f8 - 802e067e L00006486 filedata sysroots.p7b
802e0680 - 802e1a22 L000013a2 filedata b00d0fcf-0459-5ea5-d217-f50a2e1ce607.dsm
802e1a24 - 802e2a02 L00000fde filedata 723fb954-d931-4348-b672-82a188e587b5.dsm
802e2a02 - 803ddf44 L000fb542 NUL
803ddf44 - 803ddf44 L00000000 End: highest physical address
803ddf44 - 803de000 L000000bc NUL
803de000 - 803de000 L00000000 Start: start of RAM
803de000 - 80414000 L00036000 NUL
80414000 - 80414000 L00000000 ------ start of RAM free space
80414000 - 873fffff L06febfff NUL
873fffff - 873fffff L00000000 End: end of RAM
At the end of the map, the initialisation of regions is missing and the RAM size has increased. Can I just ignore it?
Can anyone help?
thanks.
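Added worked example (my own code, not from the poster or any kitchen tool) that parses the two map.txt excerpts above and reports, per region, how far it moved, which regions changed size, and which are present in only one map, so the "missing initialisation of regions" becomes an explicit list instead of something to spot by eye. It also checks that each line's length matches end minus start and that regions do not overlap, which is the first thing to verify after hand-editing addresses. Both maps are copied from the post; nothing else is assumed.

```python
import re

MAP_LINE = re.compile(r"^([0-9a-fA-F]{8}) - ([0-9a-fA-F]{8}) L([0-9a-fA-F]{8}) (.+?)\s*$")

# The two map.txt excerpts from the post above, as posted.
ORIGINAL_MAP = """\
8026db8c - 802b07f6 L00042c6a filedata wince.nls
802b07f8 - 802bb7f8 L0000b000 filedata boot.hv
802bb7f8 - 802c3226 L00007a2e filedata boot.rgu
802c3228 - 802ca228 L00007000 filedata mxip_lang.vol
802ca228 - 802cdbcd L000039a5 filedata sysroots.p7b
802cdbd0 - 802cef72 L000013a2 filedata b00d0fcf-0459-5ea5-d217-f50a2e1ce607.dsm
802cef74 - 802cff52 L00000fde filedata 723fb954-d931-4348-b672-82a188e587b5.dsm
802cff52 - 802ddf44 L0000dff2 NUL
802ddf44 - 802ddf44 L00000000 End: highest physical address
802ddf44 - 802de000 L000000bc NUL
802de000 - 802de000 L00000000 Start: start of RAM
802de000 - 802df000 L00001000 initialized data of region_4 nk.exe
802df000 - 802e0000 L00001000 initialized data of region_5 nk.exe
802e0000 - 802e6000 L00006000 uninitialized data of region_1 nk.exe
802e6000 - 8030f000 L00029000 initialized data of region_2 nk.exe
8030f000 - 80314000 L00005000 NUL
80314000 - 80314000 L00000000 ------ start of RAM free space
80314000 - 873fffff L070ebfff NUL
873fffff - 873fffff L00000000 End: end of RAM
"""

MODIFIED_MAP = """\
8027db5c - 802c07c6 L00042c6a filedata wince.nls
802c07c8 - 802cb7c8 L0000b000 filedata boot.hv
802cb7c8 - 802d31f6 L00007a2e filedata boot.rgu
802d31f8 - 802da1f8 L00007000 filedata mxip_lang.vol
802da1f8 - 802e067e L00006486 filedata sysroots.p7b
802e0680 - 802e1a22 L000013a2 filedata b00d0fcf-0459-5ea5-d217-f50a2e1ce607.dsm
802e1a24 - 802e2a02 L00000fde filedata 723fb954-d931-4348-b672-82a188e587b5.dsm
802e2a02 - 803ddf44 L000fb542 NUL
803ddf44 - 803ddf44 L00000000 End: highest physical address
803ddf44 - 803de000 L000000bc NUL
803de000 - 803de000 L00000000 Start: start of RAM
803de000 - 80414000 L00036000 NUL
80414000 - 80414000 L00000000 ------ start of RAM free space
80414000 - 873fffff L06febfff NUL
873fffff - 873fffff L00000000 End: end of RAM
"""


def parse_map(text: str):
    """One dict per 'start - end Llength description' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            start, end, length, desc = m.groups()
            entries.append({"start": int(start, 16), "end": int(end, 16),
                            "len": int(length, 16), "desc": desc})
    return entries


def check_map(entries):
    """Sanity checks: each length equals end - start, and regions never overlap."""
    problems = []
    for i, e in enumerate(entries):
        if e["end"] - e["start"] != e["len"]:
            problems.append(f"length mismatch at {e['start']:08x}: {e['desc']}")
        if i and e["start"] < entries[i - 1]["end"]:
            problems.append(f"overlap at {e['start']:08x}: {e['desc']}")
    return problems


def compare_maps(orig_text: str, mod_text: str):
    """Per-region shift, resized regions, and regions found in only one map (NUL filler ignored)."""
    orig = {e["desc"]: e for e in parse_map(orig_text) if e["desc"] != "NUL"}
    mod = {e["desc"]: e for e in parse_map(mod_text) if e["desc"] != "NUL"}
    shared = orig.keys() & mod.keys()
    return {
        "shift": {d: mod[d]["start"] - orig[d]["start"] for d in shared},
        "resized": {d: (orig[d]["len"], mod[d]["len"]) for d in shared
                    if orig[d]["len"] != mod[d]["len"]},
        "missing": sorted(set(orig) - set(mod)),
        "added": sorted(set(mod) - set(orig)),
    }


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_MAP), ("modified", MODIFIED_MAP)):
        print(name, "problems:", check_map(parse_map(text)) or "none")
    report = compare_maps(ORIGINAL_MAP, MODIFIED_MAP)
    for desc, delta in sorted(report["shift"].items(), key=lambda kv: kv[1]):
        print(f"{delta:+#x}  {desc}")
    print("resized:", report["resized"])
    print("missing from modified:", report["missing"])
```

On the posted maps the file entries moved by 0xffd0, sysroots.p7b grew by 0x2ae1 bytes, everything from "End: highest physical address" on moved by 0x100000, and the four nk.exe data regions are the only descriptions absent from the modified map.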
Files in the ImgUtils.rar package:
-> cecompr_nt.dll
-> cereg400.dll
-> compress.dll
-> exfat_nt.dll
-> fatutil_nt.dll
-> fsdmgr_nt.dll + fsdmgr_nt.ini
-> imgfs_nt.dll
-> mspart_nt.dll
-> ramblk_nt.dll
-> rawfs_nt.dll
cecompr_nt.dll - this module is an interface to the WinCE ROM compression library.
Product Name: Platform Builder
Product Version: 7.00.2324
Compression: LZX/XPR
cereg400.dll - ...
Description of the product: Platform Builder Hive-Registry Build DLL for CE 4.0
Product Name: Platform Builder
Product Version: 7.00.2324
compress.dll - ...
Description of the product: Platform Builder LZX Compression Library
Product Name: Platform Builder
Product Version: 7.00.2313
exfat_nt.dll - ...
Description of the product: Platform Builder Windows CE TexFAT filesystem for Deskop
Product Name: Platform Builder
Product Version: 7.00.2324
fatutil_nt.dll - ...
Description of the product: Platform Builder Windows CE FAT Utility Library for Deskop
Product Name: Platform Builder
Product Version: 7.00.2324
fsdmgr_nt.dll - ...
Description of the product: Platform Builder Windows CE Storage Manager for Deskop
Product Name: Platform Builder
Product Version: 7.00.3536
fsdmgr_nt.ini - in file:
Code:
;
; Copyright (c) Microsoft Corporation. All rights reserved.
;
; Use of this source code is subject to the terms of the Microsoft end-user
; license agreement (EULA) under which you licensed this SOFTWARE PRODUCT.
; If you did not accept the terms of the EULA, you are not authorized to use
; this source code. For a copy of the EULA, please see the LICENSE.RTF on your
; install media.
;
; partition table for the NT storage manager
[System\StorageManager\PartitionTable]
01=FATFS
04=FATFS
06=FATFS
07=NTFS
0B=FATFS
0C=FATFS
0E=FATFS
0F=FATFS
20=BOOT
21=BINFS
22=ROMIMAGE
23=RAMIMAGE
25=IMGFS
26=BINARY
; Block driver info
[Drivers\BlockDevice\RAMBlk]
Dll=ramblk_nt.dll
Prefix=DSK
; Boot/Update loader file system, uses the raw file system driver
; BOOT partitions are not cylinder aligned by MSPART because they
; are assumed to be write-once and never updated
[System\StorageManager\BOOT]
FriendlyName=XIP Boot/Update Loader
Dll=rawfs_nt.dll
Paging=dword:0
; XIP Image file system, uses the raw file system driver
[System\StorageManager\ROMIMAGE]
FriendlyName=ROM XIP Image
Dll=rawfs_nt.dll
Paging=dword:0
; RAM Image file system, uses the raw file system driver
[System\StorageManager\RAMIMAGE]
FriendlyName=RAM XIP Image
Dll=rawfs_nt.dll
Paging=dword:0
; Raw binary data file system, uses the raw file system driver
[System\StorageManager\BINARY]
FriendlyName=Raw Binary Data Partition
Dll=rawfs_nt.dll
Paging=dword:0
; Image-update file system
[System\StorageManager\IMGFS]
FriendlyName=Image-Update Filesystem
Dll=imgfs_nt.dll
ReservedBufferSize=dword:20000
Paging=dword:1
XIP=dword:0
CompressionDll=cecompr_nt.dll
; @CESYSGEN IF CECOMPR_LZXDECOMP
; Use the LZX compression engine
CompressionType=LZX
; @CESYSGEN ELSE
; @CESYSGEN IF CECOMPR_XPRDECOMP
; use the Xpress compression engine
CompressionType=XPR
; @CESYSGEN ENDIF
; @CESYSGEN ENDIF
; exFAT file system
[System\StorageManager\FATFS]
FriendlyName=FAT Filesystem
Dll=exfat_nt.dll
Util=fatutil_nt.dll
FriendlyName=FAT FileSystem
DisableAutoFormat=dword:0
DisableAutoScan=dword:1
FormatTfat=dword:1
Paging=dword:0
EnableCache=dword:0
; partition driver key
[System\StorageManager\MSPART]
Dll=mspart_nt.dll
; default storage profile
[System\StorageManager\Profiles]
AutoMount=dword:0
AutoPart=dword:0
AutoFormat=dword:0
MountFlags=dword:0
DefaultFileSystem=
PartitionDriverName=MSPART
; NOR flash storage profile
[System\StorageManager\Profiles\NOR\IMGFS]
XIP=dword:1
[System\StorageManager\Profiles\NOR]
Name=NOR Flash
EnableXIP=dword:1
PhysicalFlashLayout=dword:1
[System\StorageManager\Profiles\NOR\MSPART]
PrimaryPart=dword:1
AlignCylinder=dword:1
SkipSector1=dword:1
; NAND flash storage profile
[System\StorageManager\Profiles\NAND]
Name=NAND Flash
LogicalFlashLayout=dword:1
[System\StorageManager\Profiles\NAND\MSPART]
PrimaryPart=dword:1
AlignCylinder=dword:1
SkipSector1=dword:1
; Hard Disk storage profile
; will not define flash layout sector
[System\StorageManager\Profiles\HD]
Name=Hard Disk
[System\StorageManager\Profiles\HD\MSPART]
PrimaryPart=dword:1
AlignCylinder=dword:1
imgfs_nt.dll - ...
Description of the product: Platform Builder Windows CE IMGFS filesystem for Deskop
Product Name: Platform Builder
Product Version: 7.00.2324
mspart_nt.dll - ...
Description of the product: Platform Builder Windows CE Deskop Partition Manager
Product Name: Platform Builder
Product Version: 7.00.2324
ramblk_nt.dll - ...
Description of the product: Platform Builder Windows CE Deskop Block Driver
Product Name: Platform Builder
Product Version: 7.00.2324
rawfs_nt.dll - ...
Description of the product: Platform Builder Windows CE RAW Filesystem for Deskop
Product Name: Platform Builder
Product Version: 7.00.2324
Search more info and loop links file....
[Microsoft Platform Builder 7.00] More files from PB 7.00
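Added worked example (my own code, not part of the ImgUtils package or of Platform Builder) showing how to read the fsdmgr_nt.ini printed above the way the desktop storage manager does: partition-type byte -> filesystem name via [System\StorageManager\PartitionTable], then that name's driver section for the DLL. It uses a trimmed copy of the ini from the post and a constructed list of partition types; two things worth seeing are that the @CESYSGEN markers are plain comments to an INI reader, so the second CompressionType= line wins, and that a type can be listed in the table (0x21 BINFS) without any driver section to back it.

```python
import configparser

# Trimmed copy of the fsdmgr_nt.ini shown above: the PartitionTable plus the driver sections
# the constructed partition list below needs.
FSDMGR_INI = r"""
[System\StorageManager\PartitionTable]
01=FATFS
04=FATFS
06=FATFS
07=NTFS
0B=FATFS
0C=FATFS
0E=FATFS
0F=FATFS
20=BOOT
21=BINFS
22=ROMIMAGE
23=RAMIMAGE
25=IMGFS
26=BINARY

[System\StorageManager\BOOT]
FriendlyName=XIP Boot/Update Loader
Dll=rawfs_nt.dll
Paging=dword:0

[System\StorageManager\IMGFS]
FriendlyName=Image-Update Filesystem
Dll=imgfs_nt.dll
ReservedBufferSize=dword:20000
Paging=dword:1
XIP=dword:0
CompressionDll=cecompr_nt.dll
; @CESYSGEN IF CECOMPR_LZXDECOMP
CompressionType=LZX
; @CESYSGEN ELSE
; @CESYSGEN IF CECOMPR_XPRDECOMP
CompressionType=XPR
; @CESYSGEN ENDIF
; @CESYSGEN ENDIF

[System\StorageManager\FATFS]
FriendlyName=FAT Filesystem
Dll=exfat_nt.dll
Util=fatutil_nt.dll
FriendlyName=FAT FileSystem
DisableAutoFormat=dword:0
"""

# Constructed partition-type bytes (not from a real device): boot loader, BINFS, IMGFS,
# a FAT store, and a Linux type (0x83) the table does not list.
SAMPLE_PARTITION_TYPES = [0x20, 0x21, 0x25, 0x0B, 0x83]


def load_fsdmgr(ini_text: str) -> configparser.ConfigParser:
    # strict=False: the file repeats FriendlyName in [FATFS] and CompressionType in [IMGFS];
    # like a registry import, the last value wins. interpolation=None keeps '%' literal.
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(ini_text)
    return cfg


def dword(value: str) -> int:
    """Parse the registry-style 'dword:HEX' values used throughout the file."""
    if not value.startswith("dword:"):
        raise ValueError(f"not a dword value: {value!r}")
    return int(value[len("dword:"):], 16)


def resolve_partition_type(cfg: configparser.ConfigParser, ptype: int):
    """Partition-type byte -> (filesystem, driver dll, compression dll), or None if unlisted."""
    fs = cfg[r"System\StorageManager\PartitionTable"].get(f"{ptype:02X}")  # keys are case-folded
    if fs is None:
        return None
    section = f"System\\StorageManager\\{fs}"
    if not cfg.has_section(section):
        return fs, None, None      # listed in the table but no driver section in this file
    sec = cfg[section]
    return fs, sec.get("Dll"), sec.get("CompressionDll")


def describe_layout(cfg: configparser.ConfigParser, partition_types):
    return {pt: resolve_partition_type(cfg, pt) for pt in partition_types}


if __name__ == "__main__":
    cfg = load_fsdmgr(FSDMGR_INI)
    for pt, resolved in describe_layout(cfg, SAMPLE_PARTITION_TYPES).items():
        print(f"type 0x{pt:02X}: {resolved}")
    imgfs = cfg[r"System\StorageManager\IMGFS"]
    print("IMGFS compression:", imgfs["CompressionType"],
          "buffer:", hex(dword(imgfs["ReservedBufferSize"])))
```

A parser that honoured the @CESYSGEN conditionals would pick LZX or XPR from the build configuration; a plain INI reader silently takes the last line, which is the value any tool built on this file will see.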
Reserved.....
let me bump this post