Phones
- Cho JooBong -
http://hacker.or.kr
Contents
Introduction
Protocol
Password Cracking
Data Recovery
Game Crack
Introduction
Phone Tools
QPST
BitPim
Easy CDMA
SIMCon
SIMIS
PhoneBase
MobileEdit
Protocol Analysis

Protocols covered
  BREW Protocol (BitPim / QPST)
  Modem Protocol (AT commands)

Modem Protocol (Request / Response)
  ATQ0V1E0      initializing query
  AT+GMM
  AT+FCLASS=?
  AT#CLS=?
  ATIn
  AT+GCI?
  AT+GCI=?
BREW Protocol
Root Directory Request/Response

Request (field layout as labelled on the slide; the byte columns were spilled in extraction)
  59        brew command prefix
  0A 02     directory listing
  01        directory path length
  00        directory pathname + null
  00 00     index
  dummy
  crc       check value
  7E        brew terminator

Response
  59        command prefix
  0A 00     directory listing ok
  index
  unknown
  05        length of the entry name
  4D 6F 76 69 65   directory entry name ("Movie")
  dummy
  crc
  7E        terminator
BREW Protocol
File List Request/Response

Request (field layout as labelled on the slide; the byte columns were spilled in extraction)
  59        command prefix
  0A 0B     file listing
  index
  14        path length (0x14 = 20 bytes, directory path plus null)
  directory path + null
  dummy
  crc
  7E        terminator

Response
  59        command prefix
  0A 00     listing ok
  02 00     index
  unknown
  file created date/time
  file size
  14        directory path length
  1F        full path length
  full path
  dummy
  crc
  7E        terminator
BREW Protocol
File Open/Read Request/Response

Request (field layout as labelled on the slide; the byte columns were spilled in extraction)
  59        command prefix
  0A 04     file open
  index
  11        file path length (0x11 = 17 bytes, path plus null)
  file path + null   (the path on the slide contains "sms_02": 73 6D 73 5F 30 32)
  crc
  7E        terminator
A second request on the slide, labelled file open with index 01, has the same layout.

Response
  59        command prefix
  04 00     file open ok
  index
  file size
  data size
  data stream
  01 FE     data / repeater
  B2 E5     crc
  7E        terminator
BREW Protocol
Error Response

Response
  59            command prefix
  0A [0B|04]    command type
  1C            error signal
  AC FE         crc
  7E            terminator

Error signals
0x1C : NoMoreEntriesException
0x08 : NoSuchDirectoryException
0x06 : NoSuchFileException
0x1A : BadPathnameException
0x1B : NameTooLongException
0x07 : DirectoryExistException
0x100: CommandException
0x101: MalformedBrewCommandException
0x04 : AccessDeniedException
0x16 : FileSystemFullException
EasyCDMA Protocol
Directory Request/Response

Request   [S] 4B 13 0B 00 2F 00 19 11 7E
  4B        command prefix
  13        file system
  0B 00     index
  2F 00     directory name ("/" plus null)
  19 11     CRC
  7E        terminator

Response  [R] 4B 13 0B 00 24 D8 40 02 00 00 00 00 43 B6 7E
  4B        command prefix
  13        file system
  0B 00     index
  24 D8 40 02   KEY (the same four bytes are sent back in the file list and END requests)
  00 00 00 00
  43 B6     CRC
  7E        terminator
EasyCDMA Protocol
File List Request/Response

Request   [S] 4B 13 0C 00 24 D8 40 02 01 00 00 00 0D 6E 7E
  4B 13 0C 00    command prefix, file system
  24 D8 40 02    KEY
  01 00 00 00    index
  0D 6E          CRC
  7E             terminator

Response  [R]
  4B 13 0C 00 24 D8 40 02 01 00 00 00 00 00 00 00 00 00 00 00 03 80 00
      DIR(0x01)/FILE(0x00)
  00 CE 00 00 00 00 00 00 00 00 00 00 00 80 3D D5 12
      file size, date
  24 53 59 53 2E 46 41 43 54 4F 52 59 00 00 7D 5E 6A 7E
      file name ("$SYS.FACTORY" plus null), CRC, terminator
EasyCDMA Protocol
END(?) Request/Response

Request   [S] 4B 13 0D 00 24 D8 40 02 90 B8 7E
Response  [R] 4B 13 0D 00 00 00 00 00 96 69 7E

EasyCDMA Protocol
END(?) Request/Response

Request   [S] 4B 13 0F 00 2F 00 F5 63 7E
Response  [R] 4B 13 0F 00 00 00 00 00 FF 41 00 00
              0F 00 00 00 0D 00 00 00 00 00 00 00 80
              3D D5 12 80 3D D5 12 EC 46 7E
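The framing shared by the BREW and EasyCDMA frames on the slides above (command bytes, two-byte check value, 7E terminator), as an added Python example that is not from the slides or from BitPim/EasyCDMA. It assumes the check value is CRC-16/X.25 sent low byte first, because that reproduces the check values shown (59 0A 1C gives AC FE, 4B 13 0B 00 2F 00 gives 19 11), and assumes HDLC-style 0x7D byte-stuffing, which the 7D 5E just before the CRC of the EasyCDMA file list response fits; the error-signal table is the one on the Error Response slide.

```python
# Added example (not from the original slides): the framing shared by the BREW
# (prefix 0x59) and EasyCDMA (prefix 0x4B) frames analysed above. Assumptions:
# the check value is CRC-16/X.25 (poly 0x1021 reflected = 0x8408, init 0xFFFF,
# final XOR 0xFFFF) sent low byte first, which reproduces the slides' CRCs
# (59 0A 1C -> AC FE, 4B 13 0B 00 2F 00 -> 19 11); 0x7E/0x7D inside a frame
# are stuffed as 0x7D followed by the byte XOR 0x20.
FLAG, ESC = 0x7E, 0x7D

BREW_ERRORS = {  # error signals from the "Error Response" slide
    0x1C: "NoMoreEntriesException", 0x08: "NoSuchDirectoryException",
    0x06: "NoSuchFileException", 0x1A: "BadPathnameException",
    0x1B: "NameTooLongException", 0x07: "DirectoryExistException",
    0x100: "CommandException", 0x101: "MalformedBrewCommandException",
    0x04: "AccessDeniedException", 0x16: "FileSystemFullException",
}

def crc16_x25(data: bytes) -> int:
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(payload: bytes) -> bytes:
    # payload + CRC (little-endian), byte-stuffed, then the 0x7E terminator
    crc = crc16_x25(payload)
    out = bytearray()
    for b in payload + bytes([crc & 0xFF, crc >> 8]):
        out += bytes([ESC, b ^ 0x20]) if b in (FLAG, ESC) else bytes([b])
    return bytes(out) + bytes([FLAG])

def parse_frame(frame: bytes) -> bytes:
    """Strip the terminator, undo stuffing, verify the CRC; return the payload."""
    if len(frame) < 4 or frame[-1] != FLAG:
        raise ValueError("missing 0x7E terminator or frame too short")
    body, it = bytearray(), iter(frame[:-1])
    for b in it:  # a 0x7D escape consumes the byte after it
        body.append(next(it, 0) ^ 0x20 if b == ESC else b)
    payload, got = bytes(body[:-2]), body[-2] | (body[-1] << 8)
    if crc16_x25(payload) != got:
        raise ValueError(f"CRC mismatch: CRC field is {got:04X}")
    return payload

def decode_brew_status(payload: bytes) -> str:
    """Slide layout: 59, command type, error signal (assumed 0x00 = ok)."""
    if len(payload) < 3 or payload[0] != 0x59:
        raise ValueError("not a BREW response")
    code = payload[2]  # 0x100/0x101 are listed but cannot occur in one byte
    return "ok" if code == 0 else BREW_ERRORS.get(code, f"unknown 0x{code:02X}")
```

A capture whose CRC does not verify should be treated as corrupted or differently framed rather than decoded, which is why parse_frame raises instead of returning the bytes.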
Phone Password

Password Authentication
  The password comparison occurs on the PC side.
  The password can therefore be acquired from the query response.
  (Diagram: Com -> User: password request; the user password is compared with the phone password.)
Phone Password

Response 1 (136 bytes)
00000000h: 26 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 26 00 00 00
00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00
00000040h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000080h: 00 00 00 00 00 64 B2 7E

Compare Password: Response 2 (136 bytes; bytes 3-6 are 35 31 30 31, ASCII "5101")
00000000h: 26 52 00 35 31 30 31 00 00 00 00 00 00 00 00 00
00000010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000020h: 00 00 00 00 00 00 00 00 00 00 00 00 26 00 00 00
00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00
00000040h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000060h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000070h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000080h: 00 00 00 00 00 34 F6 7E
Data Recovery

Storing SMS
  SMS messages are stored within one file
  One file for each SMS message

Deleting SMS
  Whether an SMS has been deleted can be determined by checking a flag
  The data still exists after deletion
  The deletion time cannot be recovered
Data Recovery
SMS Data

Total message size : 1377 bytes
Message end        : \x00\x00\x0a
First byte         : 7E (live), any other value (deleted)

Record shown below (first byte 7F, i.e. not 7E: a deleted message); columns 13-15 of each row and most of the last row were lost in extraction:
000060d2h: 7F A6 0D 00 00 07 00 09 29 11 13 31 00 .. .. .. ; ?.....)..1....
000060e2h: 00 F4 DC 00 00 00 00 00 00 00 00 0C 00 .. .. .. ; ..............
000060f2h: 00 01 08 3C 00 00 00 2A 00 01 00 01 F4 .. .. .. ; ...<...*......
00006102h: 00 00 C0 FC C8 AD BF AC B6 F4 BF E4 B8 .. .. .. ; ....
00006112h: 00 0B 30 31 30 33 31 37 37 39 39 31 38 29 .. .. ; ..01031779918..)
00006122h: 11 13 31 00 .. .. .. .. .. .. .. .. .. .. .. .. ; ..1..........
Game

Game Money / Play Time (save file hex dump; the slide's Money and Play Time labels point into this dump)
00000000h: 00 00 00 00 00 00 00 03 00 00 01 C9 00 00 00 96 ; ...........?..?
00000010h: 00 00 00 23 00 00 00 00 00 00 00 03 00 00 00 23 ; ...#...........#
00000020h: 00 00 00 33 00 00 03 C0 00 00 00 00 00 00 03 96 ; ...3...?......?
00000030h: 00 00 01 90 00 00 00 0E 00 00 00 03 00 00 00 10 ; ...?...........
00000040h: 00 00 04 47 00 00 02 EC 00 00 01 5B 00 00 00 C8 ; ...G...?..[...?
00000050h: 00 00 00 01 00 00 00 13 00 00 00 19 00 00 00 00 ; ................
00000060h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
Etc
http://hacker.or.kr