Procedure to FORCE Broadcom Phone into TEST MODE:
1. Load ANY Valid Broadcom BB5 Flash File to ATF Software
2. UNCHECK ALL the Flash Files you have Loaded (NOTHING will be FLASHED)
3. UNCHECK "Factory Reset"
4. UNCHECK "Backup Simlock"
5. Remove battery from phone but connect USB Cable
6. Click "FLASH" Button and put Battery to the Phone when the
Software Asks you to...
*** ATF Software will now BOOT your Phone into FLASH MODE then exit
directly into "TEST MODE"...
*** You need to wait about 60 Seconds depending on how windows
handles your MTP Driver... Anyway, the ATF Software will wait until the
phone link has been properly established.
Code:Number of Image Files: 3 Processing Image File : rm618__08.25.mcusw CMT Type : BB5 CMT Algorithm : XSR 1.6 Secondary Sending Speed : 650000Hz Algorithm Sending Speed : 6500000Hz Program Sending Speed : 6500000Hz Message Reading Speed : 98000Hz Number of Blocks : 511 Entry Point: 0x01E5 Page Format : -1 MAX PAGE : 0x0000E000 Processing Image File : rm618__08.25.ppm_t CMT Type : BB5 CMT Algorithm : XSR 1.6 Secondary Sending Speed : 650000Hz Algorithm Sending Speed : 6500000Hz Program Sending Speed : 6500000Hz Message Reading Speed : 98000Hz Number of Blocks : 129 Entry Point: 0x0100 Page Format : -1 MAX PAGE : 0x0000E000 Processing Image File : rm618__08.25.image_t_0595287 CMT Type : BB5 CMT Algorithm : XSR 1.6 Secondary Sending Speed : 650000Hz Algorithm Sending Speed : 6500000Hz Program Sending Speed : 6500000Hz Message Reading Speed : 98000Hz Number of Blocks : 336 Entry Point: 0x0134 Page Format : -1 MAX PAGE : 0x0000E000 AUTO SELECTED DEAD USB FLASHING... If Flashing DOES NOT Start in 5 Seconds, Then Perform Steps 1, 2, 3 and 4... 1. Remove USB and Battery... 2. Insert USB. 3. Insert Battery. (Some phones boot automatically) 4. Please Power on phone shortly... AdvanceFBox SendBootCodeEx InitialiseBootstrap_DCT5 DIR BootFlashMode_DCT5 BootRom Verified! BootFlashModeDCT5Ex Succeeded First Time SYSTEM_ID_RESPONSE_BB5 (0xC0) - 0 (0x00) bytes returned Number of Sub Blocks 6 (0x06) 1 SYSTEM_ASIC_ID 01 Block Length : 17 (11) BB ASIC Index : 0 (00) CMT ID DWORD 0 : 00000000 ID DWORD 1 : 00000000 ID DWORD 2 : 22000509 ID DWORD 3 : 200C0000 2 ROM_ID 15 Block Length : 5 (05) BB ASIC Index : 0 (00) CMT ID DWORD 0 : 00005361 3 PUBLIC_ID 12 Block Length : 21 (15) BB ASIC Index : 0 (00) CMT ID DWORD 0 : B1096A83 ID DWORD 1 : 135F4216 ID DWORD 2 : 1575A668 ID DWORD 3 : 5044D453 ID DWORD 4 : E87FCD90 4 ASIC_MODE_ID 13 Block Length : 2 (02) BB ASIC Index : 0 (00) CMT Mode Id : 00 5 ROOT_KEY_HASH 14 Block Length : 17 (11) BB ASIC Index : 0 (00) CMT Hash : 1B 0D 74 C5 32 CA 1C 61 33 94 0C 74 0E 8C 78 6E 6 ROM_ID 15 Block Length : 9 (09) BB ASIC Index : 0 (00) CMT CRC 0 : DE56D582 CRC 1 : BDDE7A3A START FLASHING RawLoaderExtract: rm618__08.25.mcusw CMT Secondary Loader: C:\AdvanceBox Turbo Flasher\Nokia\BB5_Loader\BB5_USBLoaders\BCM21351_usb2nd.fg Secondary Loader Sent.... MCU_CONFIGURATION_RESPONSE_BB5: MessageID : C1 SubBlocks : 06 1 Sub Block ID : 10 STORAGE_DEVICE_ID_BB5 Block Length : 0B BB ASIC Index : CMT 00 Device Type : RAM 05 Device Index : 00 Manufacturer Code : 0000 -> Flash Device ID : 0000 -> not detected Extended/Fixed ID : 0000 Revision ID : 0000 2 Sub Block ID : 10 STORAGE_DEVICE_ID_BB5 Block Length : 0B BB ASIC Index : CMT 00 Device Type : MMC 04 Device Index : 00 Manufacturer Code : FFFF -> Flash Device ID : 0000 -> BAD FLASH TYPE Extended/Fixed ID : 0000 Revision ID : 0000 3 Sub Block ID : 10 STORAGE_DEVICE_ID_BB5 Block Length : 0B BB ASIC Index : CMT 00 Device Type : NOR 00 Device Index : 00 Manufacturer Code : 0020 -> Device ID : 0030 -> Type not in database Extended/Fixed ID : 0000 Revision ID : 0131 4 Sub Block ID : 10 STORAGE_DEVICE_ID_BB5 Block Length : 0B BB ASIC Index : CMT 00 Device Type : NOR 00 Device Index : 01 Manufacturer Code : 0000 -> SPANSION Device ID : 0001 -> not used Extended/Fixed ID : 0000 Revision ID : 0000 5 Sub Block ID : 10 STORAGE_DEVICE_ID_BB5 Block Length : 0B BB ASIC Index : CMT 00 Device Type : MuxOneNAND 03 Device Index : 00 Manufacturer Code : 0020 -> Device ID : 0030 -> Type not in database Extended/Fixed ID : 0000 Revision ID : 0131 6 Sub Block ID : 35 NAND_DRIVER_VERSION_BB5 Block Length : 09 BB ASIC Index : CMT 00 Data : SearchForBootstrap_DCT5 : No Error - 0 (0x00) Flash Descriptor Manufacturer Code : 0020 Device ID : 0030 Extended/Fixed ID : 0000 Revision ID : 0000 Size : 08000000 (128 MB) VPP Info : 0000 Erase10s : 1E Block1s : 32 BErase1s : 02 Reserved0 : 00 Reserved1 : 00 Reserved2 : 00 CMT Algorithm Loader: C:\AdvanceBox Turbo Flasher\Nokia\BB5_Loader\BB5_USBLoaders\BCM21351_XSR16_usbalg.fg Algorithm Loader Sent... FUR_Control_AddClient_BB5() ASIC_INDEX_CMT (Ready) FUR control Ok START READING RPL DATA IMEI: 353423040652148 Reading : NPC... OK! Reading : CCC... OK! Reading : HWC... OK! Reading : R&D... OK! RPL Backup was Successful... Plain RPL saved to: C:\AdvanceBox Turbo Flasher\Nokia\Backup\353423040652148\353423040652148_102114.rpl Pabub KEY Request PhoneInfoRequest_BB5 (Asic Index 00 ) PHONE_INFO_RESPONSE_BB5 PAPUB_KEYS_HASH_RESP_BB5 2A BB Asic Index : 00 CMT PAPUBKEYS HASH: E9700989029D9E899915F781B1582048E042A738 ContinueFlash_DCT5 Complete Continue Flash Complete : : No Error - 0 (0x00) Status_BB5 STATUS_REQUEST_BB5.. 1 Sub Block ID : 15 STATUS_NAND_OK_BB5 Block Length : 0F BB ASIC Index : 00 Device Type : 03 Device Type : 00 Num Bad Blocks : 00000001 Additional Bad : 00000001 Correctable ECC : 00000000 FlashInfo.RestartMode : 2 Flashing Done... Total Flashing Time (Erase + Flashing) : 00:00:01 (Booting time is NOT Included) Waiting for Phone to Start-Up..(Max 150 seconds) Elapsed Time: 5 Seconds... Elapsed Time: 10 Seconds... Elapsed Time: 15 Seconds... Elapsed Time: 20 Seconds... Elapsed Time: 25 Seconds... Elapsed Time: 30 Seconds... Elapsed Time: 35 Seconds... Elapsed Time: 40 Seconds... Elapsed Time: 45 Seconds... Elapsed Time: 50 Seconds... Elapsed Time: 55 Seconds... Elapsed Time: 60 Seconds... SW: V 08.25 19-05-11 RM-618 (c) Nokia IMEI: 353423040652148 CONFIG KEY : 0000000000000000 PROVIDER KEY : 2440700000000000 NETWORK NAME : Nokia Default;Finland LOCK COUNTERS : KEYPRESS 0/3, FBUS 0/10 SIMLOCK TABLE : Block [1] 1:Open 2:Open 3:Open 4:Open 5:Open Block [2] 1:Open 2:Open 3:Open 4:Open 5:Open Block [3] 1:Open 2:Open 3:Open 4:Open 5:Open Block [4] 1:Open 2:Open 3:Open 4:Open 5:Open Block [5] 1:Open 2:Open 3:Open 4:Open 5:Open Block [6] 1:Open 2:Open 3:Open 4:Open 5:Open Block [7] 1:Open 2:Open 3:Open 4:Open 5:Open SIMLOCK STATE : Not Locked SIMLOCK_TEST : PASSED SECURITY_TEST : PASSED SUPER_DONGLE_TEST : PASSED SECURITY_CODE : 12345 ================================================ SL3 Phone detected ================================================ * Firmware Version Downgrade will KILL PHONE !!! * Manual Full Erase WILL KILL PHONE!!! * Simlocks are in PM 120 Only... * PM 308 is Write Protected...
Once phone is in TEST MODE, Scan phone should give you a lot
of Phone Info like this:
Code:Scanning USB Ports... ================================================ Basic Phone Information ================================================ MCU Version: V 08.25 19-05-11 RM-618 (c) Nokia IMEI Plain : 353423040652148 IMEI Spare : A353423040652140 IMEI SV : 33534230406521439F Phone Model: Nokia X2-00 Category : Entry Phone Type : RM-618 ================================================ Extended Phone Information ================================================ Product Serial Number: DNO299898 Product Code : 0595285 Module Code : 0204491 Basic Production Code: 0591973 Long Production SN : 0 PPM SW Version : V 08.25 19-05-11 RM-618 (c) Nokia T BT MCM Version : 2.31-SP2.31 MCU SW Version : V 08.25 19-05-11 RM-618 (c) Nokia HW Version : 1000 RFIC Version : 9 LCD Version : SEIKO BOM ID : 00 Content Pack Version : Content: t_0595287 V 08.25 19-05-11 RM-618 (c) Nokia Bluetooth ID : 6C:9B:02:24:FB:27 CS Type : GSM850, GSM900, GSM1800, GSM1900 ================================================ Simlock Information ================================================ CONFIG KEY : 0000000000000000 PROVIDER KEY : 2440700000000000 NETWORK NAME : Nokia Default;Finland LOCK COUNTERS : KEYPRESS 0/3, FBUS 0/10 SIMLOCK TABLE : Block [1] 1:Open 2:Open 3:Open 4:Open 5:Open Block [2] 1:Open 2:Open 3:Open 4:Open 5:Open Block [3] 1:Open 2:Open 3:Open 4:Open 5:Open Block [4] 1:Open 2:Open 3:Open 4:Open 5:Open Block [5] 1:Open 2:Open 3:Open 4:Open 5:Open Block [6] 1:Open 2:Open 3:Open 4:Open 5:Open Block [7] 1:Open 2:Open 3:Open 4:Open 5:Open SIMLOCK STATE : Not Locked SIMLOCK_TYPE : PA_SL3 (15-digit NCK) SIMLOCK_TEST : PASSED SECURITY_TEST : PASSED SECURITY_CODE : 12345 PHONE_MODE : TEST ================================================ Dynamic Camera Configuration ================================================ DCC ID : NI00BC0000040A4E2000 DCC Ver: 003005 Status : OK
Now you can DECRYPT PM 120 HASHES AGAIN and it will GENERATE
the JOB FILE for ATF Server Now!!!
Code:Scanning USB Ports... ================================================ Basic Phone Information ================================================ MCU Version: V 08.25 19-05-11 RM-618 (c) Nokia IMEI Plain : 353423040652148 IMEI Spare : A353423040652140 IMEI SV : 33534230406521439F Phone Model: Nokia X2-00 Category : Entry Phone Type : RM-618 ================================================ Extended Phone Information ================================================ Product Serial Number: DNO299898 Product Code : 0595285 Module Code : 0204491 Basic Production Code: 0591973 Long Production SN : 0 PPM SW Version : V 08.25 19-05-11 RM-618 (c) Nokia T BT MCM Version : 2.31-SP2.31 MCU SW Version : V 08.25 19-05-11 RM-618 (c) Nokia HW Version : 1000 RFIC Version : 9 LCD Version : SEIKO BOM ID : 00 Content Pack Version : Content: t_0595287 V 08.25 19-05-11 RM-618 (c) Nokia Bluetooth ID : 6C:9B:02:24:FB:27 CS Type : GSM850, GSM900, GSM1800, GSM1900 ================================================ Simlock Information ================================================ CONFIG KEY : 0000000000000000 PROVIDER KEY : 2440700000000000 NETWORK NAME : Nokia Default;Finland LOCK COUNTERS : KEYPRESS 0/3, FBUS 0/10 SIMLOCK TABLE : Block [1] 1:Open 2:Open 3:Open 4:Open 5:Open Block [2] 1:Open 2:Open 3:Open 4:Open 5:Open Block [3] 1:Open 2:Open 3:Open 4:Open 5:Open Block [4] 1:Open 2:Open 3:Open 4:Open 5:Open Block [5] 1:Open 2:Open 3:Open 4:Open 5:Open Block [6] 1:Open 2:Open 3:Open 4:Open 5:Open Block [7] 1:Open 2:Open 3:Open 4:Open 5:Open SIMLOCK STATE : Not Locked SIMLOCK_TYPE : PA_SL3 (15-digit NCK) SIMLOCK_TEST : PASSED SECURITY_TEST : PASSED SECURITY_CODE : 12345 PHONE_MODE : TEST ================================================ Decrypt SL3 PM 120 HASHES for Brute Force Unlock ================================================ Decrypting PM 120... PM 120 HASHES Extracted Successfully 7443282D273800D1D1EDA1A4EAE6C1D390404AAE 9456247C972B2B1937DD11C66F2DF58906D7F549 A999A480B33464A6DFE7C221EF6D2A3780984C6D C6B6FD6D7B201B559CD44F60E2A76DCC2155C1EE 2A5B4411BA9CD3824337ABEBEBCA2BD224D2BA51 E97CFBED287814DB0C25007CFA92A87F32CA38CA 1B894741A59C8DE9D69B59A1413BFDB5B4C50FF0 8A0A014F56D1F8EEE0B1F5E78E6B96A10AEC59C8 Log Files for Local Brute Force Saved to: C:\AdvanceBox Turbo Flasher\Nokia\Bruteforce\353423040652148\353423040652148.job C:\AdvanceBox Turbo Flasher\Nokia\Bruteforce\353423040652148\353423040652148.log C:\AdvanceBox Turbo Flasher\Nokia\Bruteforce\353423040652148\353423040652148.bcl C:\AdvanceBox Turbo Flasher\Nokia\Bruteforce\353423040652148\353423040652148.sha Command Line for ighashgpu: Saved as MS Batch File: 353423040652148_ighashgpu.bat Command Line for oclHashcat-lite64 (AMD Cards 64-Bit OS): Saved as MS Batch File: 353423040652148_AMD_oclHashcat_64-bit.bat Command Line for oclHashcat-lite32 (AMD Cards 32-Bit OS): Saved as MS Batch File: 353423040652148_AMD_oclHashcat_32-bit.bat Command Line for cudaHashcat-lite64 (NVIDIA Cards 64-Bit OS): Saved as MS Batch File: 353423040652148_NVIDIA_cudaHashcat_64-bit.bat Command Line for cudaHashcat-lite32 (NVIDIA Cards 32-Bit OS): Saved as MS Batch File: 353423040652148_NVIDIA_cudaHashcat_32-bit.bat Process Done!
Br,
Gsm-Rocky
Results 1 to 2 of 2
-
11-05-2011, 12:22 PM #1Banned
- Join Date
- Nov 2011
- Location
- P A K I S T A N
- Posts
- 420
- Thanks
- 0
- Thanked 83 Times in 47 Posts
Tutorial: How to FORCE Broadcom Phones into TEST MODE
-
The Following 4 Users Say Thank You to Gsm-Rocky For This Useful Post:
fian_phonsel (10-03-2012),lehan_90 (04-23-2012),mohammed (01-01-2012),SRIRAM (12-02-2011)
-
02-10-2015, 08:25 PM #2Banned
- Join Date
- Apr 2012
- Location
- Usa
- Posts
- 4
- Thanks
- 0
- Thanked 0 Times in 0 Posts
Tutorial How to FORCE Broadcom Phones into TEST MODE
STEP 4 : How to find Vcc > > >
Reply With Quote