QC BQS Firmware Analyzer

[viperbjk]

Hi there boys and girls ...

it is done now .... although it is really nothing more or less pure homebrew,
not very good documented, lightweight progged program,

QC BQS Firmware Analyzer Open Source Project C plusplus is alive !

Needed for compiling :
Visual Studio 2008 Beta 2, or Release (Standard, Professional, Team Suite ... No Express)
Any MFC C plusplus Compiler (soon)

Binary is Win32, included in Rar under Directory "Debug" for testing purposes.


What is it ?
-----------
Let's call it the ultimate BQS / QC swiss knife and very special Crypto Tool (RSA Signature Calc can be used for any mobile):

BQS only :
----------

1. Load AMSS to extract files or useful infos
(EF81, E81C, EF91, SXG75, EF82, SF71, SL91 or similiar ones)

Features :
Extract Infos from AMSS : USBID, Product.Nr., SVN, SwBuild, Mobiletype
Extract internal filesystem (mif,bar,sig etc. files)
Extract certificates
Extract all BMPs,GIFs,PNGs, JPGs
Extract AMSS signature bytes (if production key)
Show all file references used by mobile

2. Sim_Secure extraction/decryption (non-public)

3. Master-/Usercode/Unlock extraction and direct unlock (non-public)

All QC :
--------
1. Load Partition File to get overview about NAND/NOR structure

2. Make usage of QCs Diag Interface .... to do nice things
(Useful for any QC mobile in the world)

Standard Features :
-------------------
- Send standard diag commands or any hexadecimal command you want (database included)

- Read out all NVItems (range given)
(all that exist, more than QPST normally extracts)

- Backup and Restore all NVItems

- Read out and Dump Firmware in Memory (IRam)

- Read out complete EFS

- Switch to FTM Mode (or anything else you want)

- Get infos about phone ..... etc ..... a lot more functions

- Generate SimSecure Command to write to SimSecure using given file (may brick your phone when used without knowledge)


Bootloader / DownloadMode Features :
-------------------------------------
- Load any file to mobile at any address and execute (bootloader f.e.)

- Read out complete NAND Memory using bootloader (range given) with included MSM6250/A bootloader or any given bootloader
Usage : Take out battery, put in battery, press ON # to enter emergency mode, Execute Loader
or (with SL91,SF71 f.e.) enable FTM mode, Execute Loader

- Use any Download Mode or Bootloader Command to experiment

- Read application memory of newer Diag Ver 6 in Download Mode

- Show complete infos about used NAND after loading of Bootloader


Flasher Features :
-----------------
Flash any QC mobile (OBL Multiboot) with given bootloader

- Flash PBL (dangerous), QCSBL, QCSBL Header and Config Bits, Partition, OEMSBL, OEMSBL Header, AMSS, AMSS Header and EFS


3. Crypto Function :
-----------------
- Calculate CRC-30, SHA1 and MD4 of any file
- Bruteforce bytes to fit CRC-30 needed when qcsblhd_cfgdata.mbn was edited
- Decrypt any RSA-Message, including ASN-1 / SHA Signatures.
- Check firmware signature given Modulus and Exponent


4. Sim_Secure extraction/decryption (non-public)

5. Full Feature JTAG Interface (non-public)

Although it is still a bit buggy and things have to be speeded up ...
it is the successor of AMSS Analyzer .... but more reliable and even much faster

Planned in future :
-----------------
1. Bugfixes
2. Tooltips showing real addresses in graphical window
3. EFS2 Directory Browsing
4. Elimination of extracted files in amss.mbn for better understanding
5. Simple NVItems Editor
6. Porting NVM hack already working with JTAG to COM/USB
7. AMSS signature hack, Exploit for Signature (this will be a tough task)
8. Read out SMS / Addressbook via Diag Interface

NO UNLOCKING ! PLEASE DO NOT REQUEST. THIS PROJECT IS FOR EDUCATIONAL PURPOSES ONLY, NOT TO HARM COMPANIES FOR THEIR EFFORTS.

What we need :
----------------
- Any contribution to the project is welcome.
- Donations for new hardware and software for further development of this tool.
- We need support in programming and documentation XD


Link to the project files :
------------------------
Version 3.03 Fruit Assassin (Major Release) Stable
http://code.google.com/p/qcbqsanalyzer/downloads/list


Cya and keep on reversing,

Viper BJK

If you think my tool is useful and you would like to donate some money for further development, feel free to do so :

Full source will be granted to those how donate more than 5 Euros, because program is now "Donationware".

http://viperbjk.beepworld.de/

[adfree]

1 wish for future feature.

Please with sugar on the top.

All files which are found and extracted by your Tool. To eliminate from AMSS.mbn.

I mean to overwrite in an Copy of AMSS.MBN at the right position.

Example.

Code:

AMSS123456789abcdefghPICTUREXXXXXXXXxxxxxxxxZZZZZZZZ

So after find 7 Byte Picture, to fill the 7 Byte with other Chars. Maybe FFFF or 0000.

Code:

AMSS123456789abcdefghFFFFFFFXXXXXXXXxxxxxxxxZZZZZZZZ

So that structure of AMSS.mbn is not destroyed. And noobs like me can concentrate their eys on other Code.

Thanx.

[viperbjk]

No prob. I will add it

[vorkachev]

Can't uderstand how to get it work (... Debug executable always fals on opening file with reference dlgfile.cpp line 978 (Debug Assertion fault). Visual Express 2008 is not suitable cause it doesn't include mfc library. So if you want to compile it manualy at least Visual Studio Standart is needed

[ziofrank83]

It runs also with ef81 not unfrozen ???

[viperbjk]

Of course it does. Works with any BQS mobile Based on QC chipset.
Com part works with any QC chipset Based mobile, f.e. Samsung, LG.

Cya,

Viper BJK

[vorkachev]

May you at leas share afx.h? MFC from Platform SDK is too old to support append function.. 'Append' : is not a member of 'CString'

[viperbjk]

Zitat:

Zitat von vorkachev May you at leas share afx.h? MFC from Platform SDK is too old to support append function.. 'Append' : is not a member of 'CString'

Not needed.
Either you use Visual Studio 2008 as recommended.
Or you simply replace .Append Function with +=
=> new source has fixed that.

Cya,

Viper BJK

[viperbjk]

Zitat:

Zitat von vorkachev Can't uderstand how to get it work (... Debug executable always fals on opening file with reference dlgfile.cpp line 978 (Debug Assertion fault). Visual Express 2008 is not suitable cause it doesn't include mfc library. So if you want to compile it manualy at least Visual Studio Standart is needed

I think this is due to the fact that you try to use my prog under Vista.
Start program with admin rights ..... UAC does not allow to write without user rights.

Another option is not to have opened the amss file with another program such as hexeditor or disasm.

Last hint is to replace the OpenFileDialog ..... I'll have a look into it.
# Update : Fixed OpenFileDialog -> Replaced Vista one with Standard-Functions #

Cya,
Viper BJK

[adfree]

I used
XP
AMSS.MBN from EF81 SVN 58

Basicfunctions works.

Code:

File->Select MBN/QAPP

Then u can choose Extraction:
Internal Filesystem
Certificates
BMPs
GIFs
PNGs
End-Signature / Checksum

Information
FS Reference Strings

Some other functions need to be fixed. Bugs allready reported to viperbjk.

Best Regards