Nokia Flash Reverse Electronic Engineering


Welcome to NFREE, your Nokia information source, where you can find the latest info about Reverse Electronic Engineering, especially the study of flash files of Nokia phones.

We are under construction, but a forum is available where our team discusses this new project. Nokiaguru presents a new page about how to modify and upgrade/downgrade phone software and how to change ringtones on your Nokia phone by modifying the flash file; you can find it at the new webpage http://gsmsearch.com/nokiaguru. Send us flashes that we can study. You can upload your flashes at the NFree Board.


If you are a webmaster you can help us promote our page so that we can find more collaborators who can supply important info or the full flashes needed for study. Please put this banner on your web page:


Nokia Flash Reverse Electronic Engineering
http://nfree.gsmsearch.com

Here you can check all the info that we have discovered. We will try to update this page often. Anyway, I recommend that you use our discussion forum to post a new comment or question.

Our analysis of Nokia 6210 mobiles, which can also be used for many other types of Nokia mobiles (esp. 3310)

This tool can calculate all EEPROM/PMM/PPM checksums and one MCU checksum. There are no other checksums in the EEPROM :0) It can also change, calculate and fix the security code.

We have developed a piece of software: the NFREE 1.2 prototype

If you use my source code for your own work, all I want is that you also publish your source code. If you’re kidding on me, stealing my code or making fake progs out of it, there will be no fun for you anymore, believe me !

I decided not to publish my new sourcecode because some guys were really lame and thought they can use it for their own tools without referring to me.


Some infos about the Nokias :

CRC News *gg* by Viper BJK

What you can see on almost every Nokia Mobile :

The IMEI Number is saved as plain hex and as a "security" imei, which is the IMEI, xored with Hex 65

The scheme seems to be always the same. The old ones (51xx,61xx,31xx,32xx) have an EEPROM and the new ones (62xx,82xx,33xx) have an emulated EEPROM.

The first checksum in the EEPROM is calculated by adding all hex chars occurring in one field before the checksum value. (On 51xx,61xx the length of the first checksum field is Hex 3E)

For Nokia 6210 and i suppose many other new Nokia Mobiles :

Overall Sectors : Here PMM :
F0F0FFF80002504D4D000000000000060001

F0F0FFF8000 = Sector Mark

2504D4D = "PMM"

00000000000006 = Don't know yet

0001 = Deactivated, 0000 for Activated

EEPROM :

Addresses :

Sometimes the base changes from 3FC000 to 3FA000 ... could not find a reason why or where the base address is saved.

If the base is 3FC000 and the range is 200000-600000, version doesn't matter :

  • 3FC000 : Base of EEPROM
  • 3FC032 : Imei (Plain), 7 byte
  • 3FC136 : Securitycode, 2 byte
  • 3FC144 : CRC-Value, 2 byte (hexreversed, Field add, 8bit Checksum in fact)

  • Crc-length 3FC026-3FC143 Crc-sum at 3FC144-3FC145

  • 3FC146 : ProductID (Hex, bitinversed), 4 byte

  • 3FC14E : Productserialnumber (Text), 8 byte

  • 3FC15E : HW-Version 3407 (2 byte, swapped : 70 43)

  • 3FC162 : Imei (Security, XOR 0x65), 7 byte

  • 3FC16A : Productiondate (Made), 2 byte m/y

  • 3FC16C : Repaircounter, 2 byte

  • 3FDB18 : Purchase Date, 2 byte

  • 3FDB1A : Purchase Date available ? (80=yes, FF=no), 1 byte

  • 3FC27A : CRC-Value, 2 byte (hexreversed, Field add, 8bit Checksum in fact, Bitmask subtraction of 0x1FE, which is 0xFF+0xFF in fact. Some other Phones are using 0x200.)

Crc-length 3FC0146-3FC279 Crc-Sum at 3FC27A-3FC27B

  • 3FC382 - 6AD: Supposed Radio Settings. (Setting all bytes to FF is real fun *gg*)
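The offsets above are enough for a read-only consistency check of a dump: decode the security IMEI with XOR 0x65, compare it with the plain IMEI, and recompute the first additive checksum. This is an added example, not NFREE's source code; it assumes that "hexreversed" means the 2-byte sum is stored low byte first and compared modulo 2**16, and the sample dump is constructed, not taken from a phone.

```python
# Offsets relative to the EEPROM base (3FC000 in the 6210 list above).
IMEI_PLAIN = 0x032                    # IMEI (plain), 7 bytes
IMEI_SECURITY = 0x162                 # IMEI XOR 0x65, 7 bytes
SUM_FIRST, SUM_LAST = 0x026, 0x143    # first checksum field, inclusive
SUM_STORED = 0x144                    # stored checksum, 2 bytes
XOR_KEY = 0x65


def check_eeprom(eeprom: bytes) -> dict:
    """Read-only consistency report for an EEPROM region starting at its base."""
    if len(eeprom) < IMEI_SECURITY + 7:
        raise ValueError("dump too short for the fields listed on the page")
    plain = eeprom[IMEI_PLAIN:IMEI_PLAIN + 7]
    security = eeprom[IMEI_SECURITY:IMEI_SECURITY + 7]
    decoded = bytes(b ^ XOR_KEY for b in security)
    # Additive checksum: the sum of every byte in the field.
    # ASSUMPTION: stored low byte first ("hexreversed"), compared modulo 2**16.
    computed = sum(eeprom[SUM_FIRST:SUM_LAST + 1]) & 0xFFFF
    stored = int.from_bytes(eeprom[SUM_STORED:SUM_STORED + 2], "little")
    return {
        "imei_plain": plain.hex(),
        "imei_from_security": decoded.hex(),
        "imei_consistent": plain == decoded,
        "checksum_computed": computed,
        "checksum_stored": stored,
        "checksum_ok": computed == stored,
    }


def make_sample() -> bytearray:
    """Constructed dump (not from a real phone) in which both checks pass."""
    dump = bytearray(0x200)
    dump[IMEI_PLAIN:IMEI_PLAIN + 7] = bytes.fromhex("35012345678901")
    dump[IMEI_SECURITY:IMEI_SECURITY + 7] = bytes.fromhex("5064462002EC64")
    dump[SUM_STORED:SUM_STORED + 2] = bytes.fromhex("8F01")
    return dump


if __name__ == "__main__":
    good = make_sample()
    edited = bytearray(good)
    edited[IMEI_PLAIN + 6] ^= 0x01    # one plain-IMEI byte differs from the original
    for name, dump in (("original", good), ("edited", edited)):
        print(name, check_eeprom(bytes(dump)))
```

A dump in which only one of the two IMEI copies was changed fails both checks, because the plain IMEI lies inside the first checksum field.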

PPM :

Addresses :

  • 200022 : First MCU Checksum, 2 byte (supposed to be 16 bit ???)
  • 320000 : PPM Index
  • 320004 : PPM Version, 7 byte (TEXT)
  • 32000C : Date MCUSW, 8 byte (TEXT)
  • 320015 : SW-Type, 4 byte (TEXT)
  • 32001A : Productioncode, Copyright (TEXT)
  • 320034 : Productiondate Soft (LPCSV180598) ?? (TEXT)
  • 320048 : PPM Info, 5 byte
  • 329F94 : Language, 3 byte
  • 320268 : GSM-Info
  • 39FFFA : Second MCU Checksum, 2 byte (same as first MCU Checksum)

MCU Checksum is 16 Bit from 0x200024 to 0x130101

MCU Checksum Field Start and End address is right after the Checksum (subtract base 0x200000)

Interesting : Changing the MCU does NOT lead to no network !!!!! This could be useful for our update research.

PPM Checksum is 32 Bit (multiple values). Structure is Checksum (4 bytes) + Length of Field. Starts at Pbase+0x25f

PMM :

  • 3A0006 : Version 3.04 : PMM Index
  • 3B0006 : Version 3.01 : PMM Index

Checksums : 00F44A000055FF00F00006D579303030303000 (Example is Securitycode)

  • 00F4 Enabled or not ? F4=enabled, A4=disabled
  • 4A0000 Type of Structure / Index (here for Securitycode)
  • 55FF Begin of Structure
  • 00F0 Checksum of Length 0006 , Checksum of 303030303000
  • 0006 Length of Checksum
  • D579 Startaddress of Next Offset (relative to the beginning of PMM Sector)

Numbers and Names from the address book are saved as Unicode (Names) and Numbers are hexed with lobyte/hibyte 0xA for 0x0

For cheaters *bad bad boys, what ya gonna do .....* : Snake 1 Index is : 770000

Number/Name Index :

  • F4 = Ak
  • 1A000F = Index
  • 55FF = Start
  • 06E7 = CHK
  • 003D = CLEN
  • 1D0E = Nxtb
  • 03 = ID
  • 0020 = Strlen
  • 070100000000 = Index
  • 004E006F0074007200750066002F0045006D0065007200670065006E00630079 = String
  • 0003 = Bytes(len)
  • 0B02000A00 = Init
  • 0003 = Lennum(bit)
  • 112000 = Number (F for +, 0 for nothing, A for 0)
  • 011E030000000000 = Endstr
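Both PMM records shown above (the security code record and the Number/Name record) share one header layout, and in both the CHK field equals the 16-bit sum of the data bytes that follow the header. The parser below is an added example, not NFREE's code; it takes a record starting at the F4/A4 flag byte (the leading 00 of the security code example is dropped) and leaves the next-offset field as raw hex because its byte order is not stated on the page.

```python
import struct

MARKER = b"\x55\xff"   # "Begin of Structure"

# The two records shown on this page, starting at the F4/A4 flag byte.
SECURITY_REC = bytes.fromhex("F44A000055FF00F00006D579303030303000")
ADDRESSBOOK_REC = bytes.fromhex(
    "F41A000F55FF06E7003D1D0E" "030020070100000000"
    "004E006F0074007200750066002F0045006D0065007200670065006E00630079"
    "00030B02000A000003112000011E030000000000"
)


def parse_pmm_record(rec: bytes) -> dict:
    """Split one PMM record into its header fields and verify its checksum."""
    if len(rec) < 12:
        raise ValueError("record shorter than the 12-byte header")
    flag, index, marker = rec[0], rec[1:4], rec[4:6]
    if marker != MARKER:
        raise ValueError("55FF structure marker not found at offset 4")
    # Checksum and length are read big-endian: in both page records
    # 00F0/0006 and 06E7/003D then match the data that follows.
    checksum, length = struct.unpack(">HH", rec[6:10])
    data = rec[12:12 + length]
    if len(data) != length:
        raise ValueError("record truncated: length field exceeds data present")
    return {
        "enabled": {0xF4: True, 0xA4: False}.get(flag),  # None = unknown flag
        "index": index.hex().upper(),
        "next_offset_raw": rec[10:12].hex().upper(),     # byte order not stated
        "length": length,
        "checksum_ok": (sum(data) & 0xFFFF) == checksum,
        "data": data,
    }


if __name__ == "__main__":
    for name, rec in (("security", SECURITY_REC), ("addressbook", ADDRESSBOOK_REC)):
        info = parse_pmm_record(rec)
        print(name, info["index"], info["length"], info["checksum_ok"])
    # The name inside the address book record is UTF-16 (big-endian) text.
    print(parse_pmm_record(ADDRESSBOOK_REC)["data"][9:41].decode("utf-16-be"))
```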

For Nokia 3110 (thanks, koloksky) :

the EEPROM base varies by version

block 1

  • 1e0000: base of eeprom
  • 1e0032: imei(plain), 7byte
  • 1e0136: security code
  • 1e0144: crc-value (2 byte)
  • 1e0026 -> 1e0143: crc length

block 2

  • 1e014e: prod. serial no. (8 byte)
  • 1e015e: hw. ver. (byteswapped, 2byte)
  • 1e0162: imei (xor 0x65), 7 byte
  • 1e016c: repair counter (2 byte)

Koloksky :

I couldn't find block 2 crc length for 3310, for 5110 v5.29 (eeprom) it starts right after crc value (2byte: 003e-003f) & length (011d), block 2 checksum is at (0040-offset:0xde)

For Nokia 3310 (thanks to Executer, Schrifti and other Freaks giving me backups) :

Same as 6210, but MCU Checksum is at another place. Eeprom Base is usually 1E0000, MCU Base is 130000
Already fixed a lot for 3310, but second eeprom checksum hurts :0(

Experimenting could harm your mobile, never forget :0)

If you can make a backup of any Nokia, please mail me !

If you find other values, or have any question, comments or suggestions, use our new forum NFREE Board !

By Viper BJKs & Brobbles

ViperBJK@gsmsearch.com