I was looking through some old files and came up with an old tutorial on nokia DCT3 phones. New people might learn some history on old nokias, old people might get nostalgic like me.
I am not entirely sure that this tutorial belongs here, since it is network security first and foremost (even though I've seen some GSM tutorials here). If it doesn't, please let me know and I will remove it.
Tutorial written 2003-09-01
DCT3: Altering Nokia menu structure (using Griffin)
By: Niklas Bivald, The_deViL
First of all I would like to make clear that I am no expert of any kind. I am new to the Griffin Box; I received mine two weeks ago. Knowledge wants to be free, right? And since I couldn't find good texts for beginners I've decided to write them on my own...
Note: This text explains the basics of the menu structure, what I've learned so far. I'm planning to write a tutorial on how to add security code protection to the inbox or something similar as soon as I learn it. But I thought I might as well give them out as separate tutorials, or due to my lack of time the texts would never come out.
The software I've used; I will assume you have it.
- Griffin (2.02)
If you need a description of this please read the Installation PDF.
- Nokia DCT3 Flash Converter (0.0.1)
Converts MCU+PPM to flash, and vice versa. This is needed because NokHex and similar tools work on *.fls files.
- Hex Workshop (v4.00) (I am using the demo version)
Any hex editor will probably do. I switch between Hex Workshop and Hiew.
- Nokia PPM Manager (Beta 0.91)
This is used for studying Nokia PPM files, for mapping the menu structure (text IDs and such).
- G3n0lite (v1.7)
This is the main software used for reading and altering the menu structure. It takes a while to get used to.
- Working MCU+PPM
Make sure, 110%, and then check it again, that the MCU+PPM is working. Then duplicate the file in case you screw up.
- PPMEdit10g demo
Unfortunately I haven't gotten hold of the maker to get a license; has anyone got contact with him?
- Odia, MicrostarGSM, Raskal, hurricane and the rest of you guys @ forum.griffinbox.com
- Creator of DCT3 Flash Converter, Hex Workshop, Hiew, PPM Manager and G3n0lite.
- Azywerks (He wrote the first and only text I used to get started with g3n0lite. URL: http://www.voy.com/119749/3.html)
Quote: "It is quite impossible to kill a DCT3 phone, except you will unlock it with hammer or you will switch it on or take a bath with it" (Not sure if Raskal or microstargsm said that one first, anyway you get the picture?)
However, I've taken it one step further: I am using an old 5110. I think you actually can hit it with a hammer or even take a bath with it and it will still work. If something really screws up, you can just flash it again.
Using g3n0lite and hex editing can be rather difficult, and annoying sometimes. But it is a fun challenge.
Converting MCU+PPM to .fls
1. Open Nokia DCT3 Flash Converter (nasNFConverter DCT3.exe)
2. Make sure the two checkboxes marked "auto" are checked, and also "check MCU matches PPM".
3. Press [...] to choose the MCU file, then do the same for the PPM file. Click "Convert to FLS/Dejan". Everything should go as planned and you will now have a .fls file to play with.
4. Make a copy of that .fls file. Actually, make two. In case
G3n0lite, let's start altering
1. Open g3n0lite, press open and choose your flash file.
2. Click the Menu Structure radio button.
3. Press "Read Menustructure". You should get a long list below; if the list is rather short and contains "INVALID ADRESS", click "Menu description" and then click "Read Menustructure" again.
4. You will probably notice that everything is Greek to you, and so far it is. In the Language box write "ENGL" (or whatever your language is).
5. Press "Read Menustructure". Now at least you have the names to the right, making it somewhat less Greek.
Now we can get to work on the basics...
[0x002A4BF4] [0x00000000] [0x0029FC44] (0x0034) (0x0387) (0x0000) (0x0032) (0x0000) (0x0000) Messages
The first block (0x002A4BF4) is the text-ID. You can see it as a hyperlink to the right text message, independent of language. That is also where g3n0lite gets the menu names from. Note: The text-ID is not the text message. It is just the ID number of the message.
However, 002A4BF4 is not the ID itself, but the ID can easily be fetched from it.
There are two ways of doing this: the easy way, or the way where you actually learn and understand what you are doing. I will explain them both; I recommend you do it the hard way. That way you gain more knowledge and it will probably help you in the long run...
The hard way, step by step:
1. Open HEX Workshop
2. Open your .fls file (File -> Open). As you can see there are three "parts" of the code. Right now we will be concentrating on the middle one.
3. 002A4BF4 is an address in the flash file, but since our flash files start at 200000 we have to subtract 200000 from 002A4BF4. The real address is 000A4BF4.
4. Press Ctrl+G. In the offset box write your real address (in my case 000A4BF4). Make sure "Hex" is selected and then press Go.
5. The blinking marker shows you exactly where your address is. Copy the 6 hex digits (3 bytes) from it. Mine are: 04 02 44. However, that is not exactly the value we are looking for. We ignore the first byte (04) and are left with (in my case) 0244. That is the number we are looking for.
6. Open the Base Converter (Tools -> Base Converter). Choose "Raw Hex" as Byte Order and "short" as Data Type.
7. Write your hex number in the first box. Note the answer in decimal (mine was 580). That is the exact text ID we are looking for. That ID number is a shortcut into the PPM file: in every language there will be an instance where the ID is (in my case) 580 and holds the correct name in the chosen language.
The easy way, step by step:
1. Remove ENGL as language in g3n0lite. Press "Read Menustructure". Take the ID (to the right of every line) for "Messages". That is (for me) id: 0x0244. Copy everything after the x. For me that is: 0244
2. Open HEX Workshop (or any other HEX converter)
3. Open the Base Converter (Tools -> Base Converter). Choose "Raw Hex" as Byte Order and "short" as Data Type.
4. Write your hex number in the first box. Note the answer in decimal (mine was 580). That is the exact text ID we are looking for. That ID number is a shortcut into the PPM file: in every language there will be an instance where the ID is (in my case) 580 and holds the correct name in the chosen language.
Whether you did it the hard way or the easy way doesn't really matter. Either way you should have an ID number now. Now it is time to export the languages from the PPM part of the flash.
1. Open PPM Manager
2. Open your fls file (File -> Open Flash)
3. Tools -> TEXT Chunk -> Export as two text files. Write a file name and hit Save.
4. Open that text file in Notepad or similar. You'll notice that there are a lot of numbers to the left, then the language, then the text after the number. Example:
578 ENGL Settings
579 ENGL Message\x0Asent
580 ENGL Messages
581 ENGL Invalid\x0Ashortcut
582 ENGL Silent
See the connection?
This works both ways: if you want to edit the language you can just edit the text file and then import it into the flash using PPM Manager (Tools -> TEXT Chunk -> Import from text files).
The second block [0x00000000] is actually the shortcut to the function itself (when the link does not lead to a submenu or a yes/no question).
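To tie the hard way and the PPM export together, here is an added example (not code from the tutorial or from any of the tools named above) that walks a g3n0lite menu line through the same steps in Python: subtract the 0x200000 flash base, read the 3 bytes at that offset, drop the first byte and take the remaining two as a big-endian short, then look the decimal ID up in the "ID LANG Text" export. The flash image and export text are constructed from the values shown in the tutorial; the byte layout (04 followed by the ID) and the export line format are assumed from this page only.

```python
import re

# Flash files in this tutorial are loaded at 0x200000, so file offset = address - base.
FLASH_BASE = 0x200000

def parse_menu_line(line):
    """Split a g3n0lite menu line into its [addr] blocks, (value) blocks and trailing name."""
    addrs = [int(v, 16) for v in re.findall(r'\[0x([0-9A-Fa-f]{8})\]', line)]
    vals = [int(v, 16) for v in re.findall(r'\(0x([0-9A-Fa-f]{4})\)', line)]
    name = line.rsplit(')', 1)[-1].strip()
    return addrs, vals, name

def text_id_at(flash, addr):
    """The 'hard way': skip the first byte at the real address, read a big-endian short."""
    off = addr - FLASH_BASE
    if off < 0 or off + 3 > len(flash):
        raise ValueError("address 0x%08X is outside the flash image" % addr)
    return int.from_bytes(flash[off + 1:off + 3], 'big')   # 02 44 -> 0x0244 -> 580

def load_ppm_export(text):
    """Parse 'ID LANG Text' lines from the PPM Manager text export into a lookup table."""
    table = {}
    for raw in text.splitlines():
        parts = raw.split(' ', 2)
        if len(parts) == 3 and parts[0].isdigit():
            # the export writes line breaks as the literal sequence \x0A
            table[(int(parts[0]), parts[1])] = parts[2].replace('\\x0A', '\n')
    return table

def resolve_name(flash, line, ppm, lang='ENGL'):
    """Return (text_id, menu name) for one g3n0lite line in the requested language."""
    addrs, _, _ = parse_menu_line(line)
    tid = text_id_at(flash, addrs[0])
    return tid, ppm.get((tid, lang))

# Constructed flash image: zeros everywhere except the bytes "04 02 44" at offset 0xA4BF4.
FLASH = bytes(0xA4BF4) + b'\x04\x02\x44'
# Constructed export, copied from the five example lines shown above.
PPM_EXPORT = ("578 ENGL Settings\n579 ENGL Message\\x0Asent\n580 ENGL Messages\n"
              "581 ENGL Invalid\\x0Ashortcut\n582 ENGL Silent\n")
MENU_LINE = ("[0x002A4BF4] [0x00000000] [0x0029FC44] (0x0034) (0x0387) "
             "(0x0000) (0x0032) (0x0000) (0x0000) Messages")

if __name__ == "__main__":
    tid, name = resolve_name(FLASH, MENU_LINE, load_ppm_export(PPM_EXPORT))
    print(tid, name)
```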
Take these for instance:
[0x002A495D] [0x00000000] [0x002ACA10] (0x0043) (0x0387) (0x0000) (0x0045) (0x2000) (0x0000) Erase recent call lists
[0x002ACA1C] (0x04) (0xC0) (0x0101) [0x00000000]
[0x00000000] [0x00000000] [0x00000000] (0x0043) (0x00DC) (0x0000) (0x0036) (0x0000) (0x0000)
[0x002A482E] [0x00000000] [0x00000010] (0x0043) (0x05E0) (0x0000) (0x0036) (0x3000) (0x0000) All
[0x002A4837] [0x00000000] [0x00000005] (0x0043) (0x02B2) (0x0000) (0x0036) (0x1000) (0x0000) Missed
[0x002A4834] [0x00000000] [0x00000003] (0x0043) (0x02B2) (0x0000) (0x0036) (0x1000) (0x0000) Dialled
[0x002A483D] [0x00000000] [0x00000004] (0x0043) (0x02B2) (0x0000) (0x0036) (0x1000) (0x0000) Received
The structure above is for the "Erase recent call lists" function.
If you changed the third block on "Missed" (remove the missed calls list) to [0x00000003] (instead of [0x00000005]) it would actually delete the dialled numbers instead of the missed ones. However, I wouldn't TRUNK it (set it to 0x00000000) if it wasn't that before, since doing so makes your phone hang when you open the menu.
If you are planning to add your own menu, set the second and third block to [0x00000000].
The fourth block ((0x0034) for Messages) is our bitmap-ID (I think). Sometimes there is a one-bit difference, e.g. 0034 instead of 0033. You'll get the picture. If you are making root menus I suggest you use an already existing bitmap, or it will look rather weird.
The fifth block (0x0387) I am not sure of.
Before a submenu header (example: [0x002ABCC0] (0x04) (0xC0) (0x0101) [0x00000000]) it is (always?) the value (0x0387).
The rest of the values are unclear. My suggestion is to use the most common one.
The sixth block is just NULL. For the seventh block (0x0032), just use the most common one. The eighth is NULL as far as I know, and that goes for the ninth too.
I am sorry that I haven't got much information on the fifth to ninth blocks; I haven't really found out anything about them.
That's all the basics I've learned so far. As soon as I learn more I will write together a new tutorial with more concrete tips and guides.
Well, convert back to MCU+PPM (see below) and then flash it...
Converting back to MCU+PPM
1. Open Nokia DCT3 Flash Converter (nasNFConverter DCT3.exe) and click the tab marked "Analyse FLS/Dejan INFO"
2. Open your .fls file there (use the [...] button)
3. Click Analyze
4. Click "Fix all Checksums"
5. Click the FLS/Dejan tab
6. Open your .fls file by pressing on the first [...] button.
7. Click Convert to WinTesla
8. Close Nokia DCT3 Flash Converter
Note: I am terribly tired right now, that's why my grammar probably stinks. But if I don't get this text out tonight I won't get to it for maybe two weeks.