Hi there boys and girls ... for those interested ....
QC BQS Analyzer 3.0
What is it ?
-----------
Let's call it the ultimate BQS / QC Swiss army knife and a very special crypto tool (the RSA Signature Calc can be used for any mobile):
BQS only :
----------
1. Load AMSS to extract files or useful infos
(EF81, E81C, EF91, SXG75, EF82, SF71, SL91, M7 or similar ones)
Features :
Extract Infos from AMSS : USBID, Product.Nr., SVN, SwBuild, Mobiletype
Extract internal filesystem (mif,bar,sig etc. files)
Extract certificates
Extract all BMPs,GIFs,PNGs, JPGs
Extract AMSS signature bytes (if production key)
Show all file references used by mobile
2. Sim_Secure extraction/decryption (non-public)
3. Master-/Usercode/Unlock extraction and direct unlock (non-public)
All QC :
--------
1. Load Partition File to get overview about NAND/NOR structure
2. Make use of QC's Diag Interface .... to do nice things
(Useful for any QC mobile in the world)
Standard Features :
-------------------
- Send standard diag commands or any hexadecimal command you want (database included)
- Read out all NVItems (range given)
(all that exist, more than QPST normally extracts)
- Backup and Restore all NVItems
- Read out and Dump Firmware in Memory (IRam)
- Read out complete EFS
- Switch to FTM Mode (or anything else you want)
- Get infos about phone ..... etc ..... a lot more functions
- Generate SimSecure Command to write to SimSecure using given file (may brick your phone when used without knowledge)
Bootloader / DownloadMode Features :
-------------------------------------
- Load any file to the mobile at any address and execute it (e.g. a bootloader)
- Read out complete NAND memory using a bootloader (range given) with the included MSM6250/A bootloader or any given bootloader
Usage : take out the battery, put in the battery, press ON # to enter emergency mode, execute the loader
or (with SL91, SF71 e.g.) enable FTM mode, execute the loader
- Use any Download Mode or Bootloader Command to experiment
- Read application memory of newer Diag Ver 6 in Download Mode
- Show complete infos about used NAND after loading of Bootloader
Flasher Features :
-----------------
Flash any QC mobile (OBL Multiboot) with given bootloader
- Flash PBL (dangerous), QCSBL, QCSBL Header and Config Bits, Partition, OEMSBL, OEMSBL Header, AMSS, AMSS Header and EFS
3. Crypto Function :
-----------------
- Calculate CRC-30, SHA1 and MD4 of any file
- Bruteforce bytes to fit CRC-30 needed when qcsblhd_cfgdata.mbn was edited
- Decrypt any RSA message, including ASN.1 / SHA signatures.
- Check firmware signature given Modulus and Exponent
4. Sim_Secure extraction/decryption (non-public)
5. Full Feature JTAG Interface (non-public)
Although it is still a bit buggy and things have to be sped up ...
it is the successor of AMSS Analyzer .... but more reliable and even much faster
Planned in future :
-----------------
1. Bugfixes
2. Tooltips showing real addresses in graphical window
3. EFS2 Directory Browsing
4. Elimination of extracted files in amss.mbn for better understanding
5. Simple NVItems Editor
6. Porting NVM hack already working with JTAG to COM/USB
7. AMSS signature hack, Exploit for Signature (this will be a tough task)
8. Read out SMS / Addressbook via Diag Interface
NO UNLOCKING ! PLEASE DO NOT REQUEST. THIS PROJECT IS FOR EDUCATIONAL PURPOSES ONLY, NOT TO HARM COMPANIES FOR THEIR EFFORTS.
What we need :
----------------
- Any contribution to the project is welcome.
- Donations for new hardware and software for further development of this tool.
- We need support in programming and documentation XD
Link to the project files :
------------------------
Version 3.00 Fruit Assassin (Major Release)
http://code.google.com/p/qcbqsanalyzer/downloads/list
Cya and keep on reversing,
Viper BJK
For full source, see project homepage.
If you think my tool is useful and you would like to donate some money for further development, feel free to do so :
http://viperbjk.beepworld.de/
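Added example (mine, not part of the post above or of the analyzer's source): the framing that every "hexadecimal command you want" on the Diag port goes through, as documented for the public Qualcomm DIAG protocol: payload, CRC-16/X.25 appended little-endian, 0x7E/0x7D byte-stuffed, 0x7E terminator; plus a DIAG_NV_READ_F (0x26) request builder and response parser. The NV item number 0x0226 and the reply bytes in the demo are constructed, not taken from a phone.

```python
import struct

# Constructed example of Qualcomm DIAG serial framing (HDLC-style).
# Not code from QC BQS Analyzer; item numbers and reply bytes below are made up.

FLAG, ESC, ESC_XOR = 0x7E, 0x7D, 0x20
DIAG_NV_READ_F = 0x26      # NV item read
DIAG_BAD_CMD_F = 0x13      # phone's "unknown command" reply
NV_ITEM_DATA_LEN = 128     # fixed data area in NV read/write packets


def crc16_x25(data: bytes) -> int:
    """CRC-16/X.25: reflected poly 0x8408, init 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def encode_frame(payload: bytes) -> bytes:
    """Append CRC (little-endian), escape 0x7E/0x7D, terminate with 0x7E."""
    out = bytearray()
    for byte in payload + struct.pack("<H", crc16_x25(payload)):
        if byte in (FLAG, ESC):
            out += bytes([ESC, byte ^ ESC_XOR])
        else:
            out.append(byte)
    out.append(FLAG)
    return bytes(out)


def decode_frames(stream: bytes) -> list:
    """Split a raw byte stream into (payload, crc_ok) tuples.

    Frames with a bad CRC are returned with crc_ok=False rather than dropped,
    so the caller sees line noise or a truncated read instead of silently
    losing a response.
    """
    frames, buf, escaped = [], bytearray(), False
    for byte in stream:
        if escaped:
            buf.append(byte ^ ESC_XOR)
            escaped = False
        elif byte == ESC:
            escaped = True
        elif byte == FLAG:
            if len(buf) >= 3:                      # >= 1 payload byte + 2 CRC bytes
                payload = bytes(buf[:-2])
                crc_lo, crc_hi = buf[-2], buf[-1]
                frames.append((payload, crc16_x25(payload) == (crc_lo | crc_hi << 8)))
            buf = bytearray()
        else:
            buf.append(byte)
    return frames


def nv_read_request(item: int) -> bytes:
    """Wire-ready DIAG_NV_READ_F frame: cmd, item (u16 LE), 128 data bytes, status (u16)."""
    payload = struct.pack("<BH", DIAG_NV_READ_F, item) + bytes(NV_ITEM_DATA_LEN) + b"\x00\x00"
    return encode_frame(payload)


def parse_nv_read_response(payload: bytes) -> dict:
    """Decode an NV read reply; status 0 is NV_DONE_S, anything else is an error."""
    if payload and payload[0] == DIAG_BAD_CMD_F:
        return {"error": "DIAG_BAD_CMD_F: command not supported on this build"}
    if len(payload) != 1 + 2 + NV_ITEM_DATA_LEN + 2 or payload[0] != DIAG_NV_READ_F:
        return {"error": "unexpected reply layout"}
    _cmd, item = struct.unpack_from("<BH", payload)
    (status,) = struct.unpack_from("<H", payload, 3 + NV_ITEM_DATA_LEN)
    return {"item": item, "status": status, "data": payload[3:3 + NV_ITEM_DATA_LEN]}


if __name__ == "__main__":
    # Constructed reply for item 0x0226 whose data happens to start with 0x7E 0x7D,
    # which exercises the byte-stuffing on the way back.
    reply = struct.pack("<BH", DIAG_NV_READ_F, 0x0226) + b"\x7e\x7d" + bytes(126) + b"\x00\x00"
    print("request :", nv_read_request(0x0226).hex())
    for payload, ok in decode_frames(encode_frame(reply)):
        print("crc ok  :", ok, parse_nv_read_response(payload))
```

Send the request bytes as-is over the phone's diag serial port and feed whatever comes back through decode_frames; a crc_ok of False on a reply usually means a short read, and a leading 0x13 means the build does not accept that command.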
Great stuff, I admire your work. This has been used to partially unbrick an HTC Titan (work in progress still, as it crashes on some bit of code in init, God knows why).
Hi.
The new version supports MSM7200.
Maybe take a look.
New version 3.42 out
--------------------
What's new ?
-------------
- Find public keys in HTC SPL.nb via Cryptosearch
- Added Public Keys for HTC Firmware (Diamond, Kaiser, Raphael)
- Exponent bugfixes
- New RSA Decryption interface
Feedback is welcome.
Thanx.
Best Regards
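Added example (mine, not the analyzer's code): what "decrypt any RSA message" and "check firmware signature given modulus and exponent" amount to for a PKCS#1 v1.5 / SHA-1 signature. The keypair is generated locally for the demo; against a real image, (n, e) would be the production key pulled from the firmware and the signature the AMSS signature bytes. Function names and the sample image bytes are my own.

```python
import hashlib
import math
import random

# Constructed example, not code from QC BQS Analyzer.
# Recover s^e mod n, then check the block is 00 01 FF..FF 00 || DigestInfo(SHA-1(image)).

SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")   # DER prefix for SHA-1


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; fine for demo keys, not a vetted key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top and bottom bits
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024, e: int = 65537, seed=None):
    """Return (n, e, d). Demo only: seeded PRNG, so never use for real keys."""
    rng = random.Random(seed)
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)


def pkcs1_v15_sha1_em(image: bytes, k: int) -> bytes:
    """EM = 00 01 || PS (>= 8 bytes of FF) || 00 || DigestInfo, exactly k bytes."""
    t = SHA1_DIGESTINFO + hashlib.sha1(image).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for PKCS#1 v1.5 with SHA-1")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_sha1(image: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_v15_sha1_em(image, k), "big"), d, n).to_bytes(k, "big")


def rsa_decrypt_block(signature: bytes, e: int, n: int) -> bytes:
    """The tool's 'RSA decrypt': s^e mod n as a k-byte block, nothing parsed yet."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if not 0 < s < n:
        raise ValueError("signature out of range for this modulus")
    return pow(s, e, n).to_bytes(k, "big")


def extract_sha1_digest(em: bytes):
    """Strict PKCS#1 v1.5 parse: the 20-byte hash, or None if anything is off.

    Strictness matters: a lenient check that merely looks for the hash somewhere in
    the block is what allowed the 2006 Bleichenbacher forgeries against e=3 keys.
    """
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return None
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return None
    t = em[i + 1:]
    if len(t) != len(SHA1_DIGESTINFO) + 20 or not t.startswith(SHA1_DIGESTINFO):
        return None
    return t[len(SHA1_DIGESTINFO):]


def verify_firmware_signature(image: bytes, signature: bytes, e: int, n: int) -> bool:
    try:
        digest = extract_sha1_digest(rsa_decrypt_block(signature, e, n))
    except ValueError:
        return False
    return digest is not None and digest == hashlib.sha1(image).digest()


if __name__ == "__main__":
    n, e, d = generate_keypair(1024, seed=1)
    amss = b"constructed stand-in for amss.mbn contents"      # not a real image
    sig = sign_sha1(amss, n, d)
    print("recovered block:", rsa_decrypt_block(sig, e, n).hex())
    print("genuine image  :", verify_firmware_signature(amss, sig, e, n))
    print("patched image  :", verify_firmware_signature(amss + b"\x00", sig, e, n))
```

The recovered block is what you eyeball in a hex view to recognise the 30 21 30 09 06 05 2b 0e 03 02 1a DigestInfo; verify_firmware_signature is the same check done by code, and a one-byte patch to the image flips it to False.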
Forbidden
Your client does not have permission to get URL /p/qcbqsanalyzer/downloads/list from this server.
bad link
Does this software work on new phones, or is there any similar software?
Could somebody please help modify the firmware to enable international GPRS connections?
What we currently have:
1. The Mi Bunny Watch Q runs on an MT6261 SoC
2. The operating system is a modified 2011 Nucleus RTOS, which was widely used in older feature phones
3. The firmware is not available for separate download. Watch updating is over the air (via a Bluetooth connection from your smartphone with the original app, and PROBABLY via a GPRS connection); the firmware files are called
SH08_PCB01_gprs_MT6260_S00.MAUI_11B_W13_08_MP_V15.bin
My current firmware version is MAUI.11B.W13.08.MP.V15
updates are downloaded from http://upgrade.imibaby.net/upgradeWatch
also you can find http://sw105-online.imibaby.net/ link in firmware - probably for watch activation
All we have now is a full ROM dump of my watch, divided into parts with the MTK Readback Extractor.
Also we can get access to the NVRAM and FAT partitions with the MauiMETA_v9.1635.23 tool (you need the NVRAM database file for the MT6261 chip; I've got one from the Keneksi X8 firmware kit, or from the official site). I also used the scatter file from Keneksi to download a RAM dump with SP Flash Tool.
There is also the good tool Binwalk, which I don't know how to use well.
4. Watch activation procedure looks like: ( english user manual for similar product )
-turn on the watch (lights on and sound prompt)
-insert SIMcard (sound prompt)
-----------we are currently here------------------
-GPRS connection is automatically established
-the watch should set its time (you get a sound prompt) /which notifies the server of pairing-ready status/ - this should be a sign and confirmation of a successful internet connection
-you scan QR code in your user-manual (smartphone receives pairing settings from server) and establish connection between smartphone and WATCH
...
5. The watch officially supports only Chinese SIM cards. Confirmed by the manufacturer. Chinese cellular operator settings are preinstalled. MNC, MCC and APN can be found in the firmware, like 460 46000 46002 46007 etc.
I have tried to change the MCC and MNC to my operator's (25501) (my operator supports any APN, so I got lucky here)
and got a breakthrough here: the watch began to establish GPRS connections via the "internet" APN,
but no luck: the time is not set, I got no "successful connection" sound prompt, and it is still impossible to activate it.
I have contacted the manufacturer via Weibo and WeChat.
Everywhere I was refused for corporate security reasons, BUT at the very beginning I think some very helpful manager answered and tried to help (later he disappeared).
He asked me to fill in an XML form with my cellular operator's settings and sent an image as explanation:
Hello,Mr Pumpkin
Here are some instructions you can follow.
First,please make sure the sim card support calling in or calling out.
Secondly,be sure the sim card supports 2G GPRS connection.
You can consult the local operators about specific parameters.
The "code" parameter and "apn" parameter in the following table must be filled in correctly.
The other parameters are alternative.
Code:
<?xml version="1.0" encoding="UTF-8" ?>
<Account>
  <AcntHdr>
    <AcntVer>1.0</AcntVer>
  </AcntHdr>
  <AcntBody>
    <SIM Operator="BEELINE" Code="25502">
      <Item Bearer="GPRS">
        <AppType>WAP</AppType>
        <Title>Beeline WAP GPRS</Title>
        <APN>wap.beeline.ua</APN>
        <Authentication>NONE</Authentication>
        <Homepage>http://wap.beeline.ua</Homepage>
        <Proxy Enable="Yes" ProxyAddress="172.29.18.192" ProxyPort="8080" />
        <PrimaryDNS>null</PrimaryDNS>
        <SecondDNS>null</SecondDNS>
        <IPAddress>null</IPAddress>
        <Subnet>null</Subnet>
        <ConnectionType>HTTP</ConnectionType>
      </Item>
    </SIM>
  </AcntBody>
</Account>
There is an excellent site with lots of information
https://www.dr-lex.be/hardware/china_phone_flashing.html
Also some discussion is going on MIUI forum and russian 4pda forum
International APN settings
The answer from the Chinese manufacturer is an XML file that we should add to the device ROM. It is not so different from the following thread
https://forum.xda-developers.com/showthread.php?t=2387346
I have my Bunny Watch 2, which I paired during a visit to SZ, and will try to add the XML file today. Hopefully we can get a connection.
EASolana said:
The answer from the Chinese manufacturer is an XML file that we should add to the device ROM. It is not so different from the following thread
https://forum.xda-developers.com/showthread.php?t=2387346
I have my Bunny Watch 2, which I paired during a visit to SZ, and will try to add the XML file today. Hopefully we can get a connection.
Excellent decision! I will try to do it.
I can assume that the developer didn't offer me this because we actually don't have access to the ROM. We can get there only with the MAUI META tool. Also, the watch is not based on Android, so we will have to find the correct folder to place the file in and guess the correct name for it.
Also the XML should be specifically formatted, and we have this format from the developer.
Easier said than done, but still I got some progress today.
After reviewing the ROM I was able to find several AT commands to control the device.
I'm missing the syntax on many of them, but I was able to directly perform and receive a call from HyperTerminal.
I named the XML file default.xml and placed it in the root directory and several others, but no luck achieving an APN configuration.
I also browsed the FAT and NVRAM looking for hints on how the device was configured while using the Chinese card, but no luck there.
If I'm able to find the device configuration AT command it should be pretty straightforward.
Just as a note, the app is fully Chinese; no options in the menu are translated.
EASolana said:
Easier said than done, but still I got some progress today.
Some of the terminal AT+ commands work excellently (like ATD). The most interesting ones are AT+DEBUG_ON and AT+DEBUG_OFF: they change the USB connection type (with debug on you get 2 USB devices: USB COM and modem).
About the app: I have translated it to Russian, if that helps.
Connecting outside of China
Well, today I got a connection from outside of China.
I played with several of the AT commands that were supposed to actually configure the settings, and all seemed to make the terminal hang.
But after rebooting the phone it got a connection. Now it's fully working.
I used the AT+CGDCONT command.
Then I reviewed the FAT again to look for changes, and the only file that was modified is the store_info.dat file.
That file was loaded in the same backup you made, with China Mobile settings, and now mine has got the Unicom settings.
For the information it contains it looks fairly similar to the format the engineer gave you a solution for.
EASolana said:
Well, today I got a connection from outside of China
Excellent news. Now I just would like to have some more details on how I could repeat your success.
AT+CGDCONT is not working for me: no answer from the watch to this command.
Can you provide some more info? What MCC and MNC does your cellular operator have? What version of firmware do you use?
Did you actually implement any changes to your firmware?
Which terminal software do you use? Which COM device did you select? Was DEBUG mode active?
Or what should I do to get my watch connected?
Thank you.
Hello,
EASolana said:
I have my Bunny Watch 2, which I paired during a visit to SZ, and will try to add the XML file today. Hopefully we can get a connection.
Did you connect with a Chinese SIM card and then change it to a foreign one?
So I first activated my device in China with a Xiaomi SIM card.
Then I traveled back to HK, and tried with HK local China Unicom, China Mobile and Three SIM cards. None worked.
Then I tried the AT command for setting up the APN settings on the device. The commands would not give an OK response, so I do not know exactly which one worked.
Then I rebooted the device, and it can connect with Three and China Mobile cards. Unicom still not working.
I saw the change in the file mentioned above. It changed from one operator to the other.
HK is not so far from China, so I think there could be native support for your operators.
Anyway, could you please provide a store_info.dat file other than China Mobile from your FAT partition, and a ROM dump to compare? I think you have a fresher watch firmware. Thank you
Today I'm in China so I will not be able to upload the files to a G Drive location; tomorrow I should be able to upload them.
I bought a new device today (this time the mini GPS, 6261 based) and did a backup before the network registration and after.
I can confirm that all changes are happening to the file named "store_info.dat", and all the new data matches the XML format you were given, but written in a low-level way inside the .dat file.
The GPRS/APN settings are independent of the GSM settings. So you will need 2G settings for your local operator; be sure you are registered in the network by performing a call to your SIM card number, then modify the store_info file with your specific operator parameters. Be sure to do this in a hex editor so the file length is constant after you perform the modification.
EASolana said:
So you will need 2G settings for your local operator; be sure you are registered in the network by performing a call to your SIM card number, then modify the store_info file with your specific operator parameters. Be sure to do this in a hex editor so the file length is constant after you perform the modification.
I am bothered with the MCC and MNC settings. All I can see in the DAT file is the APN for internet, WAP and MTP, but no readable data about the cellular operator.
Update: I have sniffed through the firmware again, and I got that China, Hong Kong and Taiwan are natively supported by the watch... Probably you will get some problems with different cellular operators, but all 3 MCC codes 460 466 and 454 are in the firmware
If you keep looking in the firmware, just below the MCC codes you will actually find the APN settings. Keep searching to the bottom of the file and you will find the W. A. P... U. N.I.C.O.M... C.H.I.N.A...M.O.B.I.L.E part of the string. That means that besides replacing your MCC at the top of the file by replacing the 460, 466, 454 codes, you also have to look toward the end of the file and replace the 460000, 454000, 46600 codes with your combination of MCC and MNC settings.
Since you cannot add length to the file, remember to find an operator WAP setting that will fit within the current length.
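Added example, not from either poster: a length-preserving patcher for the MCC/MNC codes and APN strings the two posts above say must be swapped "in a hex editor so file length is constant". The real layout of store_info.dat is not documented in this thread; the code assumes NUL-terminated strings sitting in NUL-padded slots, stored as ASCII or as UTF-16LE (the dotted "W.A.P." look of a hex dump), and the sample blob is constructed.

```python
# Constructed example: fixed-layout binary patching that never changes the file length.
# Layout assumption (not confirmed by the thread): NUL-terminated strings in NUL-padded slots.
from typing import List, Tuple


def _encode(text: str, wide: bool) -> bytes:
    return text.encode("utf-16-le" if wide else "ascii")


def _slot_end(blob: bytes, start: int, wide: bool) -> int:
    """Offset just past the run of NUL code units that begins at `start`.
    Steps one code unit (1 or 2 bytes) at a time so UTF-16LE slots are measured right."""
    unit = 2 if wide else 1
    i = start
    while i + unit <= len(blob) and blob[i:i + unit] == bytes(unit):
        i += unit
    return i


def find_slots(blob: bytes, old: str, wide: bool = False) -> List[Tuple[int, int]]:
    """(offset, slot_length) for every place `old` sits as a whole NUL-terminated string.
    A match that is only the prefix of a longer token ("460" inside "460000") is skipped
    because the byte after it is not a NUL."""
    needle, unit = _encode(old, wide), 2 if wide else 1
    slots, pos = [], blob.find(needle)
    while pos >= 0:
        term = pos + len(needle)
        if blob[term:term + unit] == bytes(unit):
            slots.append((pos, _slot_end(blob, term, wide) - pos))
        pos = blob.find(needle, pos + 1)
    return slots


def patch_string(blob: bytes, old: str, new: str, wide: bool = False) -> Tuple[bytes, List[int]]:
    """Replace every whole-string occurrence of `old` with `new`, keeping the file length.

    Refuses when `new` plus its terminator does not fit the existing slot: a longer
    write would shift every field behind it and corrupt the rest of the file, and
    refuses when nothing matched, so a typo cannot silently produce a no-op patch.
    """
    unit = 2 if wide else 1
    new_bytes = _encode(new, wide) + bytes(unit)
    slots = find_slots(blob, old, wide)
    if not slots:
        raise ValueError(f"'{old}' not found as a whole string")
    out, offsets = bytearray(blob), []
    for off, slot_len in slots:
        if len(new_bytes) > slot_len:
            raise ValueError(f"'{new}' needs {len(new_bytes)} bytes but slot at 0x{off:x} holds {slot_len}")
        out[off:off + slot_len] = new_bytes + bytes(slot_len - len(new_bytes))
        offsets.append(off)
    assert len(out) == len(blob)
    return bytes(out), offsets


# Constructed stand-in for store_info.dat; nothing here is real file content.
SAMPLE = (
    b"\x01\x00"                                        # made-up header bytes
    + b"460\x00"                                       # MCC slot, no spare room
    + b"46000\x00\x00\x00"                             # MCC+MNC slot, two bytes spare
    + b"cmnet\x00" + bytes(7)                          # ASCII APN slot, 13 bytes total
    + "WAP UNICOM".encode("utf-16-le") + bytes(6)      # UTF-16LE name slot
    + b"\xff\xff"
)

if __name__ == "__main__":
    blob = SAMPLE
    for old, new, wide in (("460", "255", False), ("46000", "25501", False),
                           ("cmnet", "internet", False), ("WAP UNICOM", "WAP UA", True)):
        blob, where = patch_string(blob, old, new, wide)
        print(f"{old!r} -> {new!r} at offsets {[hex(o) for o in where]}")
    print("length unchanged:", len(blob) == len(SAMPLE))
    try:
        patch_string(SAMPLE, "460", "2550")
    except ValueError as err:
        print("refused:", err)
```

Run it against a backup copy of the .dat, diff the output against the original in a hex viewer before writing it back, and keep the original so the watch can be restored if the string is not where this layout guess puts it.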
EASolana said:
460000, 454000, 46600 .
All of them? I was trying all of this, except editing the DAT file.
Please share your DAT file.
Also please tell me the MCC and MNC of your HK cellular network on which you have managed to make everything work (preferably for the first time with your watch).
By the way, sniffing around the MTK6261 source code led me to interesting things:
settings are really preinstalled.
The custom_config_account.c file from "Source_code_of_6261\code_6261A_L1\custom\common" gives a clue.
I think for now I have to choose one cellular operator and fix all its settings to fit my needs.
Yes! I did it!!!!!! Woohoo!!!!
FlamingPumpkin said:
All of them? I was trying all of this, except editing the DAT file.
Please share your DAT file.
Also please tell me the MCC and MNC of your HK cellular network on which you have managed to make everything work (preferably for the first time with your watch).
These are the operators that I have tried in HK.
China Mobile
Name: CMHK
APN: cmhk
MCC = 454
MNC = 12
MMSC = http://mms.hk.chinamobile.com/mms
454 07 Unicom
454 11 Hongkong Telecom
454 00 CSL
454 16 PCCW
454 06 Smartone-Vodafone
Attached is the DAT file.
Where did you get the source code from?
Source_code_of_6261\code_6261A_L1\custom\common
EASolana said:
Where did you get the source code from?
Source_code_of_6261\code_6261A_L1\custom\common
https://mega.nz/#F!JMsgDCYR!qn39qDJ5LzOz1TkUbdqvtQ
Time to sum up progress.
Activation option #1
Have your Chinese seller activate the device using a Chinese SIM card before shipping; this should ensure full communication in China, Hong Kong, Taiwan (460, 466, 454) and possibly in the following places:
208 - France, 404 - India, 405 - India, 454 - Hong Kong, 455 - Macao, 466 - Taiwan, 502 - Malaysia, 505 - Australia, 510 - Indonesia, 515 - Philippines, 520 - Thailand, 525 - Singapore.
Given that MCC codes for several operators in those countries are included in the list inside the FW.
If you are choosing this way, you need to remember the device is only 2G (GSM 900/1800) compatible, so before you waste time, ensure your carrier is compatible. Australia has just dumped 2G support so don't even try.
You can execute the following AT command before purchasing the SIM card, and it will tell you the carriers that the device could possibly connect to: AT+COPS=?
It will reply with the MCC codes and operator names; with that information you can look for a valid unlocked and activated SIM card.
Since the device was activated in China it will easily go through the regular process of scanning the QR code and adding the device to your app.
Activation option #2.
Modify the MCC parameters inside the FW and include your specific operator details.
FlamingPumpkin, you can help us comment on how you succeeded with activation.
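Added example, not from the post above: decoding the AT+COPS=? scan it recommends into MCC/MNC per operator, with the status codes from 3GPP TS 27.007, and building the AT+CGDCONT line that defines the PDP context for the chosen APN. The scan response is constructed; the serial I/O to the watch's COM port is left out.

```python
import re

# Constructed example: parse a modem's answer to AT+COPS=? and build AT+CGDCONT.
# The sample response below is made up; status codes follow 3GPP TS 27.007 section 7.3.

COPS_STATUS = {0: "unknown", 1: "available", 2: "current", 3: "forbidden"}
_ENTRY = re.compile(r'\((\d),"([^"]*)","([^"]*)","(\d{5,6})"\)')


def parse_cops_scan(response: str) -> list:
    """Turn '+COPS: (2,"CMHK","CMHK","45412"),(...)' into dicts with MCC and MNC split.
    The numeric field is MCC (3 digits) followed by MNC (2 or 3 digits)."""
    networks = []
    for line in response.splitlines():
        line = line.strip()
        if not line.startswith("+COPS:"):
            continue                               # skip echo, OK, ERROR
        for status, long_name, short_name, numeric in _ENTRY.findall(line):
            networks.append({
                "status": COPS_STATUS.get(int(status), f"status {status}"),
                "name": long_name or short_name,
                "mcc": numeric[:3],
                "mnc": numeric[3:],
            })
    return networks


def usable_networks(response: str) -> list:
    """Only entries a SIM could register on; 'forbidden' means the network was seen
    but refused this SIM, which is what a non-roaming card looks like abroad."""
    return [n for n in parse_cops_scan(response) if n["status"] in ("current", "available")]


def cgdcont_command(apn: str, cid: int = 1, pdp_type: str = "IP") -> str:
    """AT+CGDCONT=<cid>,"<PDP_type>","<APN>" with a sanity check on the APN label,
    so a stray quote or space cannot break the command the modem sees."""
    if not re.fullmatch(r"[A-Za-z0-9.-]{1,100}", apn):
        raise ValueError("APN must be a plain DNS-style label")
    if pdp_type not in ("IP", "IPV6", "IPV4V6"):
        raise ValueError("unknown PDP type")
    return f'AT+CGDCONT={cid},"{pdp_type}","{apn}"'


# Constructed scan, modelled on the HK operator list in the thread (CMHK is 454 12).
SAMPLE_SCAN = (
    '+COPS: (2,"CMHK","CMHK","45412"),(1,"3 HK","3","45403"),'
    '(3,"CSL","CSL","45400"),,(0,1,2,3,4),(0,1,2)\r\n'
    "OK\r\n"
)

if __name__ == "__main__":
    for net in parse_cops_scan(SAMPLE_SCAN):
        print(f'{net["mcc"]} {net["mnc"]:>3}  {net["name"]:<8} {net["status"]}')
    chosen = usable_networks(SAMPLE_SCAN)[0]
    print(cgdcont_command("cmhk"), "# for", chosen["name"])
```

The scan can take tens of seconds on a 2G-only device, so give the terminal a long timeout before deciding the watch is not answering.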