Original poster | Posted on 2007-5-23 11:38:12
Instruction of Joker For SX1 (a beginner-to-intermediate tutorial on using Joker)
Instruction of Joker For SX1
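Joker is a powerful E-gold modification tool for the SX1, functionally similar to PapuaUtils for the 65 and 75 series.
(The difference is that Joker is for E-gold, while PapuaUtils is for S-gold.)
I. "Flash" tab (for the SX1 after TP)
1. Can read and write the 8 MB E-Gold part; functionally it is roughly the same as V_Klay and Freia. We can use it to back up and restore the E-Gold and its important parts.
2. Backing up the Fullflash, BCORE (Bootcore) and EEPROM is recommended. LangPack is the language pack file (i.e. lg44); it serves no special purpose and need not be backed up separately.
3. Manual: manually choose the backup address and size.
4. T9, EE_FS and FFS (A, B, C) are all irrelevant to the SX1.
Notes:
a. Press "Read"; when the "Start" prompt appears, short-press the power key to connect
b. Do not use V_Klay to restore files backed up in Bin format
Option descriptions
Protect Bcore - protects the Bcore, i.e. no data is written to the Bootcore
ReCalc Key - resets the system passwords while writing the backup (for an explanation of the system passwords, see the description of the Skey tab)
Backup F.S.EEP - saves the FactoryEEP and SecureEEP before writing the backup (for the EEP block categories, see the description of the Service tab)
Protect Fac.EEP - protects the FactoryEEP, i.e. the FactoryEEP blocks in the EEPROM are not changed
Prepared Bcore - allows data to be written to the Bootcore
Notes:
1. After pressing "Write", locate the Bin file you backed up; when the "Start" prompt appears, short-press the power key to connect and the restore begins!
2. Generally, for an SX1 after TP, leave the option checkboxes unticked if you want to restore the backup completely.
II. "Skey" tab (for the SX1 after TP)
1. Calculate Skey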
Start...
(short-press the power key to connect)
Loading BootsModel(SX1)...
Sending StartBoot Ok.
Sending MainBoot Ok.
SIEMENS SX1 lg44 Sw15
Soft FlashID: 0089/8854 (0090/0090)
FlashID: 0089/8854
Flash Size: 8Mb
Region(1): Blocks 127, Size 64Kb
Region(2): Blocks 8, Size 8Kb
Start EEPROM segments at addres 0xFE0000
FSN: F8426FB2 -> PhoneID: B26F42F8
OTP IMEI: 352079003022116
HASH: 86C2E90922AB8E748AF7FD1AD594C987
Boot terminated.
Test and Calc Skey...
BOOTKEY: 765088C420F244534F197DF298554872
SKEY: 21330240
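The BootKey and Skey are calculated from the PhoneID and IMEI.
2. Write Skey (the Skey of an SX1 without TP is hard to obtain, and even once you have it, writing it still requires TP, so this function seems self-contradictory)
First define a custom Skey, then write it; this is supported in older versions of Joker!
3. Reset all keys
Two functions
a) Unlock after TP (for unlocking, see "SX1 after TP: a brief tutorial on using the unlock software")
(If you do not want to change the IMEI, Bootkey or Skey, do not tick "USE Imei"; select " ")
In the settings you can customize the keys, including the SX1's Master Code.
Note: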
*#0000*12345678# - Network Lock
*#0001*12345678# - Service Provider Lock
*#0002*12345678# - Corporate Code
*#0003*12345678# - Phone Code (the MasterCode, i.e. the "unlock code")
*#0004*12345678# - Network Subset Lock
*#0005*12345678# - Only Sim
Status messages:
Start... (short-press the power key to connect)
Loading BootsModel(SX1)...
Sending StartBoot Ok.
Sending MainBoot Ok.
SIEMENS SX1 lg44 Sw15
Soft FlashID: 0089/8854 (0090/0090)
FlashID: 0089/8854
Flash Size: 8Mb
Region(1): Blocks 127, Size 64Kb
Region(2): Blocks 8, Size 8Kb
Start EEPROM segments at addres 0xFE0000
FSN: F8426FB2 -> PhoneID: B26F42F8
OTP IMEI: 352079003022116
HASH: 86C2E90922AB8E748AF7FD1AD594C987
Use OTP IMEI: 352079003022116
USE SKEY: 21330240
*#0000*12345678# - Network Lock
*#0001*12345678# - Service Provider Lock
*#0002*12345678# - Corporate Code
*#0003*12345678# - Phone Code
*#0004*12345678# - Network Subset Lock
*#0005*12345678# - Only Sim
(You can see that the keys have been changed)
BCORE HASH is equivalent - not change.
Read EEPROM addr: 0xFE0000 size: 0x020000...
EEPROM backup in ".\Backup\SX1lg44Sw15_EEPROM_070515203327.bin" file.
Write EEPROM addr: 0xFE0000 size: 0x020000...
Change BOOTKEY - Ok.
Change EEP0076 - Ok.
Change EEP5009 - Ok.
Change EEP5077 - Ok.
Change EEP5121 - Ok.
Change EEP5122 - Ok.
Change EEP5123 - Ok.
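(The blocks above are where the corresponding passwords are stored)
After the keys in the EEPROM have been reset, if the phone locks up again you only need to enter your custom MasterCode (in this example *#0003*12345678#).
After the unlock code is entered, the phone displays: "SIM restriction off" - "The phone will restart" - "Confirm"; after the restart the phone's security code has become the default "12345".
The SX1's upgrade screen also changes, because resetting the passwords also enables Factory Mode.
2) Change IMEI (requires a patch that disables the OTP IMEI check): here only the IMEI information in the EEPROM is changed, and the patch lets the phone boot normally
Tick "USE Imei", enter the IMEI you want to change to, then press "ReCalc All Keys"
Start...
(short-press the power key to connect)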
Loading BootsModel(SX1)...
Sending StartBoot Ok.
Sending MainBoot Ok.
SIEMENS SX1 lg44 Sw15
Soft FlashID: 0089/8854 (0090/0090)
FlashID: 0089/8854
Flash Size: 8Mb
Region(1): Blocks 127, Size 64Kb
Region(2): Blocks 8, Size 8Kb
Start EEPROM segments at addres 0xFE0000
FSN: F8426FB2 -> PhoneID: B26F42F8
OTP IMEI: 352079003022116
HASH: 86C2E90922AB8E748AF7FD1AD594C987
Use EXT IMEI: 352079002982989
USE SKEY: 12345678 (can be customized in Cfg)
*#0000*12345678# - Network Lock
*#0001*12345678# - Service Provider Lock
*#0002*12345678# - Corporate Code
*#0003*12345678# - Phone Code
*#0004*12345678# - Network Subset Lock
*#0005*12345678# - Only Sim
Read BCORE addr: 0x800000 size: 0x020000...
BCORE backup in ".\Backup\SX1lg44Sw15_BCORE_070515234003.bin" file.
Write BCORE at addr: 0x800000...
Change BCORE HASH - Ok.
Read EEPROM addr: 0xFE0000 size: 0x020000...
EEPROM backup in ".\Backup\SX1lg44Sw15_EEPROM_070515234038.bin" file.
Write EEPROM addr: 0xFE0000 size: 0x020000...
Change BOOTKEY - Ok.
Change EEP0076 - Ok.
Change EEP5009 - Ok.
Change EEP5077 - Ok.
Change EEP5121 - Ok.
Change EEP5122 - Ok.
Change EEP5123 - Ok.
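After the Bootcore changes, the bootkey changes with it.
Now calculate the Skey once more (click ); you can see that both the Bootkey and the Hash have changed.
Start...
(short-press the power key to connect)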
Loading BootsModel(SX1)...
Sending StartBoot Ok.
Sending MainBoot Ok.
SIEMENS SX1 lg44 Sw15
Soft FlashID: 0089/8854 (0090/0090)
FlashID: 0089/8854
Flash Size: 8Mb
Region(1): Blocks 127, Size 64Kb
Region(2): Blocks 8, Size 8Kb
Start EEPROM segments at addres 0xFE0000
FSN: F8426FB2 -> PhoneID: B26F42F8
OTP IMEI: 352079003022116
HASH: 0945B410FD83F32A5AB46C4127A93FB3
Read EEP5009 block (ver00), size 10 bytes - Ok.
EEP IMEI: 352079003022116
Boot terminated.
Test and Calc Skey...
BOOTKEY: 010D033CEB47051C2505E08D1FADD2B6
SKEY: 12345678
Use Master keys in New Security blocks:
*#0000*12345678# - Network Lock
*#0001*12345678# - Service Provider Lock
*#0002*12345678# - Corporate Code
*#0003*12345678# - Phone Code
*#0004*12345678# - Network Subset Lock
*#0005*12345678# - Only Sim
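4. Read the EEP blocks related to factory mode
("F" here should be understood as "Factory")
Besides the six blocks customized in the previous step (0076 5009 5077 5121 5122 5123), the Factory EEP also includes 0067 5005 5007 5008 5012 5093
Start...
(short-press the power key to connect)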
Loading BootsModel(SX1)...
Sending StartBoot Ok.
Sending MainBoot Ok.
SIEMENS SX2 lg44 Sw15
Soft FlashID: 0089/8854 (0090/0090)
FlashID: 0089/8854
Flash Size: 8Mb
Region(1): Blocks 127, Size 64Kb
Region(2): Blocks 8, Size 8Kb
Start EEPROM segments at addres 0xFE0000
FSN: F8426FB2 -> PhoneID: B26F42F8
OTP IMEI: 352079003022116
HASH: 86C2E90922AB8E748AF7FD1AD594C987
Read EEP0067 block (ver00), size 20 bytes - Ok.
Read EEP0076 block (ver00), size 10 bytes - Ok.
Read EEP5005 block (ver00), size 64 bytes - Ok.
Read EEP5007 block (ver00), size 10 bytes - Ok.
Read EEP5008 block (ver00), size 224 bytes - Ok.
Read EEP5009 block (ver00), size 10 bytes - Ok.
Read EEP5012 block (ver00), size 12 bytes - Ok.
Read EEP5077 block (ver00), size 232 bytes - Ok.
Read EEP5093 block (ver00), size 76 bytes - Ok.
Read EEP5121 block (ver00), size 56 bytes - Ok.
Read EEP5122 block (ver00), size 6 bytes - Ok.
Read EEP5123 block (ver00), size 12 bytes - Ok.
EEPROM blocks is written in ".\Backup\SX1lg44Sw15_Backup070515224612.eep" file.
12 factory EEP blocks are read out and are saved.
5. Change the phone's name
Press "Name change"; a dialog box pops up
In this example SX1 is changed to SX2; then click "OK"
Start...
Loading BootsModel(SX1)...
Sending StartBoot Ok.
Sending MainBoot Ok.
SIEMENS SX1 lg44 Sw15
Soft FlashID: 0089/8854 (0090/0090)
FlashID: 0089/8854
Flash Size: 8Mb
Region(1): Blocks 127, Size 64Kb
Region(2): Blocks 8, Size 8Kb
Start EEPROM segments at addres 0xFE0000
FSN: F8426FB2 -> PhoneID: B26F42F8
OTP IMEI: 352079003022116
HASH: 0945B410FD83F32A5AB46C4127A93FB3
Read Flash seg: 0x870000 size: 0x010000...
Segment backup in ".\Backup\SX1lg44Sw15_87-01_070516174151.bin" file.
Write Flash seg: 0x870000 size: 0x010000...
Write New Name "SX2" - Ok.
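III. Service tab
An SX1 without TP can use the following functions on this tab
Choose to enter ServiceMode (short-press the power key to connect) or NormalMode
(Do not use NormalMode for EEP-related functions; defragmenting and reading/writing the EEP in particular must be done in Service Mode)
1. 5005 MAP Info
Can be used to modify the MAP information, as shown in the figure below
Example
"Changing the manufacturing date"
Changed from the original 7 July 2005 to 2010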
Start...
Loading ServiceBoot...
Sending ServiceBoot Ok.IMEI:
Error Get Battery Voltage!
SecurityMode: Error!
Read and edit block 5005...
HWID: 194 (SX1)
Date: 07/07/05
Variant: Q 800
Std-Map/SW: 1/7
D-Map/Prov.: 2/37
EEP5005 block is written in ".\Backup\SX1lg44Sw15_5005_070516181242.eep" file.
Write block 5005 - Ok.
New data block:
P.-Date: 07/05/10
Variant: Q 800
Std-Map/SW: 1/7
D-Map/Prov.: 2/37
For exact map of data on menu *#06# -
ReStart Phone!
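2. Read and write part of the EEPROM (a Service Mode limitation, because an SX1 without TP cannot read the EEPROM in full)
Equivalent to the Siemens EEPROM Tool, except that, unlike the former, it cannot operate on an individual block.
a. Back up EEP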
IMEI:
Error Get Battery Voltage!
SecurityMode: Error!
Backup EEPROM blocks...
HWID: 194 (SX1)
EELITE Info: free buffer 55460 bytes, free at all 55622 bytes, free for deleted 55622 bytes.
EEFULL Info: free buffer 5446 bytes, free at all 35424 bytes, free for deleted 27376 bytes.
Read All EELITE blocks from 1 to 280 ...
Read All EEFULL blocks from 5000 to 5416 ...
Считано всего EEP блоков: 354 шт.
EEPROM is written in "C:\Documents and Settings\geliner\桌面\SX1lg44Sw15_All_070515214226.eep" file.
b. Write EEP
IMEI:
Error Get Battery Voltage!
SecurityMode: Error!
Open "C:\Documents and Settings\geliner\桌面\SX1lg44Sw15_All_070515214226.eep" file...
File used HWID: 194 (SX1)
The file contains 354 EEP of blocks.
EELITE Info: free buffer 55590 bytes, free at all 55622 bytes, free for deleted 55622 bytes.
EEFULL Info: free buffer 18034 bytes, free at all 35424 bytes, free for deleted 27376 bytes.
Phone HWID: 194 (SX1)
Write 180 EELITE blocks...
Write 174 EEFULL blocks...
EELITE Info: free buffer 45820 bytes, free at all 55622 bytes, free for deleted 55622 bytes.
EEFULL Info: free buffer 20524 bytes, free at all 35424 bytes, free for deleted 27376 bytes.
Write 354 EEPROM blocks - Ok.
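354 blocks; the function is similar to the Siemens EEPROM Tool
c. Defragment EEP (like defragmenting a hard-disk partition on a computer, i.e. back up first, then format, then restore)
The Siemens EEPROM Tool has a similar function, called "Formate"; it does not mean formatting and deleting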
HWID: 194 (SX1)
EELITE Info: free buffer 55460 bytes, free at all 55622 bytes, free for deleted 55622 bytes.
EEFULL Info: free buffer 5446 bytes, free at all 35424 bytes, free for deleted 27376 bytes.
Read All EELITE blocks from 1 to 280 ...
Read All EEFULL blocks from 5000 to 5416 ...
Считано всего EEP блоков: 354 шт.
Backup Blocks saved in ".\Backup\SX1lg44Sw15_Backup070515214416.eep" file.
Format EELITE...
EELITE Info: free buffer 65360 bytes, free at all 65392 bytes, free for deleted 65392 bytes.
Write 180 EELITE blocks...
Format EEFULL...
EEFULL Info: free buffer 12128 bytes, free at all 35424 bytes, free for deleted 27376 bytes.
Write 174 EEFULL blocks...
EELITE Info: free buffer 55590 bytes, free at all 55622 bytes, free for deleted 55622 bytes.
EEFULL Info: free buffer 18562 bytes, free at all 35424 bytes, free for deleted 27376 bytes.
Defrag EEPROM blocks - Ok.
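(You can see that it automatically backs up first and then writes the blocks back; the original EEPROM is not deleted)
FactoryEEP and SecureEEP
The former must be obtained through TP and is directly related to the unlock code!
The latter can be obtained without TP; it is probably the so-called Map!~~~
Expressed as an equation:
EEPROM (the complete EEPROM backup obtained from a TP'd phone) = FactoryEEP (requires TP to obtain) + SecureEEP (obtained in service mode)
Summary: on a phone without TP, the unlock code cannot be calculated because the FactoryEEP cannot be obtained!
d. Delete the Instance files in the EEPROM
The SX1 EEP itself has no Instances, so this function does not apply to the SX1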
Instance Format...
Delete Instance "Voice Memo" - None.
Delete Instance "Voice Dialing" - None.
Delete Instance "Browser Cache" - None.
Delete Instance "File System" - None.
Delete Instance "Tegic" - None.
Delete Instance "Address Book" - None.
ReStart Phone!
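Early E-Gold phones probably had this function, for things such as profile settings (e.g. the MC60), but the SX1 has a Nokia Symbian shell, so these things were presumably removed~~~
d. Simulate SIM
Simulated SIM mode; not very useful.
e. Besides the functions above, a TP'd SX1 can, with Factory Mode enabled, also use
the Read and Calc Keys, 5008 Phone Code and Master Keys functions, but by then they no longer have any point, because enabling Factory Mode means the PhoneCode and MasterKeys have already been reset. In other words, we would be calculating a result we already have.
So this function is clearly intended mainly for the SX1 without TP.
IV. Contrast adjustment (Contrast)
For SX1 phones whose contrast is abnormal. The adjustment is simple and is not described in detail here.
Notes:
1. Enter Service Mode to adjust the contrast
2. Do not adjust it arbitrarily unless your phone's contrast is abnormal, and remember to back up EEPROM block 5007
V. Other (?) For details, see this discussion thread: "Discussion on modifying the OTP IMEI on the SX1!"
Freeze function
Can rewrite the IMEI in the OTP (requires a hardware modification: replacing the OTP chip). A brand-new OTP chip is open; once it has been programmed it locks automatically and can no longer be changed. So to truly change a phone's IMEI, you must both replace the OTP chip with a new one and change the EEPROM.
The change of the IMEI in the EEPROM was covered above; now for updating the OTP
Steps:
1. Fit a new OTP chip
2. Use "Freeze", which then generates an IMEI and ESN, produces a new bootcore, makes the same IMEI change in the EEPROM, and then locks the OTP area.
This is theory only; I don't know whether it is feasible on the SX1. I hope friends who are skilled with hardware will test it.
Currently, on the 65 and 75 S-gold platforms, the Freeze option of PapuaUtils can change the IMEI in the OTP and the corresponding EEPROM, achieving a true IMEI change.
Some points are still not described in enough detail, for example the difference between FactoryEEP and ServiceEEP (the difference between the EEPROM obtained with and without TP);
I hope everyone's continued corrections, additions, testing and exploration will enrich it!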
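When examining a handset of unknown history, session logs in the format quoted in this post can be checked mechanically for identity-related changes. The script below is an added example, not part of the original post or of Joker; the sample log is constructed in the post's log format, and the function names `luhn_ok` and `audit` are hypothetical.

```python
import re

# Constructed sample: two sessions using line formats shown in the post.
SAMPLE_LOG = """\
Start...
OTP IMEI: 352079003022116
HASH: 86C2E90922AB8E748AF7FD1AD594C987
Use EXT IMEI: 352079002982989
Change BCORE HASH - Ok.
Change BOOTKEY - Ok.
Change EEP5009 - Ok.
Start...
OTP IMEI: 352079003022116
HASH: 0945B410FD83F32A5AB46C4127A93FB3
Read EEP5009 block (ver00), size 10 bytes - Ok.
EEP IMEI: 352079003022116
"""

def luhn_ok(imei):
    """True if a 15-digit IMEI passes the Luhn check-digit test."""
    if not re.fullmatch(r"\d{15}", imei):
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def audit(log):
    """Return (session_no, finding) tuples for identity-related changes."""
    findings, prev_hash = [], None
    # Each session in the log starts with a "Start..." line.
    sessions = [s for s in re.split(r"(?m)^Start\.\.\..*$", log) if s.strip()]
    for n, text in enumerate(sessions, 1):
        f = dict(re.findall(
            r"(?m)^(OTP IMEI|EEP IMEI|Use EXT IMEI|HASH): (\S+)", text))
        otp = f.get("OTP IMEI")
        for key in ("Use EXT IMEI", "EEP IMEI"):
            val = f.get(key)
            if val and not luhn_ok(val):
                findings.append((n, f"{key} fails Luhn check"))
            if val and otp and val != otp:
                findings.append((n, f"{key} differs from OTP IMEI"))
        if prev_hash and f.get("HASH") and f["HASH"] != prev_hash:
            findings.append((n, "BCORE hash changed since previous session"))
        prev_hash = f.get("HASH", prev_hash)
        changed = re.findall(r"(?m)^Change (\S+(?: HASH)?) - Ok\.", text)
        if changed:
            findings.append((n, "rewritten: " + ", ".join(changed)))
    return findings
```

`audit(SAMPLE_LOG)` returns one finding per anomaly, tagged with the session in which it appeared.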