------------2005.10.31
A little theory of the Siemens keys (or "what has not yet been fully understood, and what paid writers have stolen"):

In the "real" Siemens phones, built on an ARM-type processor, all keys are encrypted using the base values of only two keys, ESN and IMEI, which are recorded in OTP (the one-time-programmable region of the Flash chip). The remaining keys are in no way tied to the hardware and can be "recalculated" and rewritten.

ESN (Electronic Serial Number) - usually a 32-bit number, made up from the serial number of the Flash chip. The serial number of the Flash chip is written by the manufacturer. It is located in the OTP region of the chip and consists of eight bytes. Each Flash chip has a unique serial number. Changing (rewriting) it is impossible. ESN is often confused with the FlashID of old Siemens phones and represented as a sequence of four bytes, as it was stored in the old phones and was called, in Siemens terminology up to 2002, the FSN (Flash Serial Number). PhoneID is the ESN inverted byte by byte.

IMEI (International Mobile Equipment Identifier) - is written into the OTP region of the Flash at the Siemens factory. After the IMEI is recorded, the OTP block is "closed from writing" by setting a special bit in the Flash chip. After this, writing and changing data in the OTP region is impossible. When the Flash is replaced by a new (clean) one, the IMEI number is absent from the OTP region of the Flash chip, but the region is open for writing. To write the IMEI number correctly into the OTP region of a new Flash, the Freeze function is used, having first prepared all the "secret" EEPROM blocks and written a special "clean" or "new" BCORE with the remaining firmware data.

Attention: after Freeze, access to OTP will be closed and replacing the IMEI in OTP will be impossible! Check very carefully the IMEI you entered into the new Flash! There will be no second chance for the new Flash chip!

The phone has additional functions (over the BFC protocol) for step-by-step writing of the OTP region. For them to work, the Skey key must be entered into the phone. But there is no particular sense in using them, since the OTP region on a user's phone is already closed from writing. When replacing with a new Flash, doing this without additional checks is risky; it is better to use the "Freeze" function, which performs additional tests before writing the IMEI into the OTP zone. IMEI takes part in the encryption and is present in EEPROM blocks 52, 76, 5008, 5009, 5077, 5121, 5123, and is also written into the BCORE region.

SKEY (service key) - a key of eight decimal digits for repair and adjustment work with the phone. It opens different levels of access to the phone's data over the different protocols for working with the phone. To date there have been three or four versions of modifiers of this key, depending on the phone type. The modifiers were introduced to limit access to certain "secret" data in the phone. The basic access modifiers, by priority: "D" - for third-party developers (partial access), "S" - for service centers (partial access), "X" - for the factory (full access). In old phones, entering the key without a modifier is taken by the phone as a service-center key with partial access. The x65PapuaUtils program uses only the maximum modifier with full access. To raise the access level to the maximum, for ASTS level 2.5e, there is a little button "read EEP Skey", which at access level "S" reads SKEY and, on confirmation, enters it with the "X" modifier. The value for checking this key is encrypted and stored in EEPROM block 5121. After correct entry, the key is stored in EEPROM block 5122.

BKEY (Boot Key) - this is the key for loading an arbitrary bootloader into the phone. This key consists of a 16-byte hash obtained by the MD5 algorithm from a string, padded to 16 bytes, into which ESN and SKEY enter. When this key is passed to the bootloader, the phone computes the MD5 hash over it and then compares this hash with the HASH recorded in the BCORE region. For the SGOLD series, when the correct SKEY is entered in "Service mode", the BKEY key is written into EEPROM block 52 and the phone no longer compares keys when loading an arbitrary bootloader. For EGOLD this key is stored in the EELITE region... In a "clean" or "new" BCORE the HASH record is empty, and so BKEY is not checked.

HASH (MD5 hash of BKEY) - control signature for checking the keys BKEY, ESN+SKEY, and the other blocks and keys that depend on ESN and SKEY. This key consists of a 16-byte hash obtained by the MD5 algorithm from the BKEY string and is written into the BCORE region at address 0xA0000238 in phones on the SGOLD platform (on NewSGOLD at another address) and usually at 0x800330 in phones on the EGOLD platform. In a "clean" or "new" BCORE this record is empty. It is calculated from the EEPROM data and written by the phone by the "Freeze" function.

MKEY (Master keys) - several different keys of eight decimal digits for switching off different locks:
*#0000*xxxxxxxx# - network lock
*#0001*xxxxxxxx# - service provider lock
*#0002*xxxxxxxx# - service provider personalization
*#0003*xxxxxxxx# - phone code
*#0004*xxxxxxxx# - network subset lock
*#0005*xxxxxxxx# - only this SIM
where "xxxxxxxx" is the corresponding master key. They are encrypted and stored in EEPROM block 5121.

HWID (HardWare IDentification number) - the decimal number of the phone model. It does not take part in the cryptography. ...
Freeze - this is the fixing of all keys in the phone's BCORE and OTP from the prepared EEPROM blocks, with other additional marks. If BCORE is clean, the phone needs no passwords, but the standard service functions do not work, though the phone itself works 100%. For the Freeze function to work, correct calculation and writing of blocks 52, 76, 5008, 5009, 5077, 5121, 5122, 5123 and a "clean BCORE" are needed. The data for calculating the blocks are taken from the "Codes" page, and the number from the "Flash" page. This is the factory method, not a patch. After entering the IMEI in this function, the phone does everything itself and writes all codes and marks into BCORE, and, if the Flash is new and clean, the IMEI into the OTP region as well. This method works from the A50 models onward, but on models below the S'shch the interface is a little different, since the processor there is different; but that has been studied more by everyone, and I do not see any sense in doing it in my test program.
- by papuas

------------2005.4.3
PhoneId - it is the Id of your phone, 4 bytes, for example 0xF748E421. You can see it in V_Klay. PhoneCode - it is the security code for some functions of the phone, 4-8 digits, for example 1234. But *#0003* needs the MASTER-code, not PhoneId, not PhoneCode. Smelter doesn't calculate the master-code, only PhoneCode and PhoneId.
- by avkiev

------------2005.3.28
;Meaning of several marks in a patch
;Legend
;(c) - Copyright
;(p) - Ported
;(i) - Improved
;(r) - Respect
;(m) - Moved
;(t) - Textured

------------2005.3.28
What sorts of locks are there?

1. Lock phone to SIM card. If your phone is locked to the SIM you cannot use any SIM other than the one you have: a broken SIM makes the phone useless. A SIM Card Lock is a lock programmed into a mobile phone which only allows one company's SIM to be used in the phone. The reasoning behind this is to keep your custom with that network. Simlocks are also referred to as SP Locks or Network locks.
Once your simlock is removed you can place any (depending on phone model) SIM card into it, including foreign networks if you take the phone abroad.

2. Lock phone to Operator (Network or Service Provider). If your phone is locked to an operator, you can use any SIM from this operator in your phone. You can switch between contract and prepaid as you wish, but not to a different operator.

3. Lock phone to CODE (Product Lock or Offer Lock). If your phone is locked to a code, the phone checks a special "password" (GID) on the SIM that must match your phone. Providers often use different passwords for contract and prepaid.

So unlocking is: removing the locks on the phone so you can use the phone with any compatible SIM Card. Unlocking will allow you to use other service providers' SIM cards. For example, if you have an ABC GSM phone you can only put in an ABC SIM card, but if you unlock it you can put in DEF, XYZ, etc.

How can I verify whether my phone is SIM Card Locked? If you place any card other than the one that the phone accepts, then you will get a message such as 'Incorrect Card', 'SIM Card not accepted', 'Enter Special Code', 'Enter NCK' or similar.

So unlocking is tampering with the software? - It can be; most unlocking programs on the internet change some data in the phone software, others just make a log and calculate an unlock code. You will then have to type the unlock code, together with a special code, into your phone to unlock it.

Why should I unlock/upgrade my cellphone? First of all we will give the reasons to unlock your cellphone: There are several providers in every country. A provider is a company whose network you are using to communicate. Of course these providers are not all the same; one is better than the other. And ALSO one is more expensive than the other. So if you buy a cheap phone (which mostly comes with a cheap provider, because providers give money to make phones cheaper for us; and if the provider isn't that good, think about no network in distant places or in buildings, the provider has to find another way to get customers, so they do it by making their mobiles cheaper) and then buy a loose SIM card from a better provider and put that SIM in, the phone says: 'SIM Card not accepted'.... (we are talking about prepaid phones here!!) Now there is the unlocking part :) When it is unlocked (or not locked; if you have a contract your phone will likely not be locked) you can put ANY SIM Card in it that you want.

------------2005.3.28
Production date, variant and mapping info. Example based on a C6V:
P.-Date: 2004-10-11, Variant: B102, Std-Map/SW: 1/15, D-Map/Prov.: 4/143

The x55 to x62 series is to be read analogously. For this, block 5005 must be read out with the EEPROM Tool and saved as a txt file. If you open the resulting text file you will find something similar to this (only for your own device):

00 FF FF 37 00 FF FF FF FF FF FF 0B A4 FF 0F 01 8F 04 02 10 2F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 47 FF 00 59 76 90 06 00 00 00 00 00 00 12 E6 01 02 E8 18 02 FF

Production date: 0B A4 > 0B (hex) = 11 = day; A (hex) = 10 = month; 4 (hex, and the last digit of this byte) = 4 for 2004 = year
P.-Date = 2004-10-11

Std-Map/SW: 0F 01 > 0F (hex) = 15 = SW; 01 (hex) = 1 = Std-Map
Std-Map/SW: 1/15

D-Map/Prov: 8F 04 > 8F (hex) = 143 = Prov; 04 (hex) = 4 = D-Map
D-Map/Prov.: 4/143

Variant: 02 10 2 > 02 = letter of the alphabet 2 > B (A would accordingly be 01); 10 2 = variant in digits
Variant: B102

Have fun with the solution, by brandiber 2005

-------
Now the info you find in a mapping that you want to flash. The example is a v43 standard mapping as well as a provider (delta) mapping for the CX70.

Standard Map:
[MapFileInfo]
Product = 322
Hardware version, as the EEPROM Tool also shows it.
It is compared by the mapper with that of the delta mapping and with the actual hardware version of the device.
Provider = 0x00
MapVer = 0x01
Std-Map
SWVersion = 43
This is of course the software version (SW) and should match the one in the delta mapping. The mapper converts it to hex and then stores it in the device (see block 5005).
Time = 170441
Date = 050125

Delta or Provider Map:
[MapFileInfo]
Product = 322
Provider = 0x90
Can be taken over as it is... so 90 (hex) = 144 = Prov. (in the device status)
MapVer = 0x16B
Of this the mapper takes only the last two digits and inserts them into block 5005... so 6B (hex) = 107 = D-Map (see the info on block 5005)
SWVersion = 43
Time = 145524
Date = 050128

Whoever would like to write a mapping tool from this info: you are welcome. The info also applies to x45 devices. I have not tested older ones.

Furthermore, the following could be built in: every device with a hardware version below 300 is, I think, an EGold device and needs the corresponding boot. Everything from 300 up is SGold (at least that is what I think; it has been confirmed so far and could be adopted in a mapper, i.e. automatic detection of the boot method from the Product info in the mapping).
Solution by brandiber 2005
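Worked example for the two brandiber posts above (block 5005 decoding and the [MapFileInfo] values). This is an added illustration, not brandiber's tool and not code from the page. The block 5005 dump is the one printed in the post; the two [MapFileInfo] texts are constructed from the values quoted there. The byte offsets are read off the post's own dump, the single year digit is taken as a year in the 2000s, and the "below 300 = EGold" rule is the post's heuristic; all three are assumptions carried over from the text, not documented facts about the firmware.

```python
import configparser

# Block 5005 hex dump exactly as printed in the post (C6V example).
SAMPLE_BLOCK_5005 = (
    "00 FF FF 37 00 FF FF FF FF FF FF 0B A4 FF 0F 01 8F 04 02 10 2F "
    "FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF "
    "47 FF 00 59 76 90 06 00 00 00 00 00 00 12 E6 01 02 E8 18 02 FF"
)

# Constructed [MapFileInfo] sections using the values quoted in the post (CX70, v43).
STD_MAP_INI = """[MapFileInfo]
Product = 322
Provider = 0x00
MapVer = 0x01
SWVersion = 43
Time = 170441
Date = 050125
"""

DELTA_MAP_INI = """[MapFileInfo]
Product = 322
Provider = 0x90
MapVer = 0x16B
SWVersion = 43
Time = 145524
Date = 050128
"""


def parse_hex_dump(text):
    """Turn a space-separated hex dump (as saved from the EEPROM Tool) into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def decode_block_5005(blk):
    """Decode the fields the post locates in block 5005; offsets follow the post's dump."""
    if len(blk) < 21:
        raise ValueError("block 5005 dump too short")
    day = blk[11]                           # 0B -> 11
    month = blk[12] >> 4                    # A  -> 10
    year = 2000 + (blk[12] & 0x0F)          # 4  -> 2004 (assumption: one digit, 2000s)
    sw = blk[14]                            # 0F -> 15
    std_map = blk[15]                       # 01 -> 1
    prov = blk[16]                          # 8F -> 143
    d_map = blk[17]                         # 04 -> 4
    letter = chr(ord("A") + blk[18] - 1)    # 02 -> B (01 would be A)
    digits = f"{blk[19]:02X}{blk[20] >> 4:X}"  # 10, 2 -> "102"
    return {
        "p_date": f"{year:04d}-{month:02d}-{day:02d}",
        "sw": sw, "std_map": std_map, "prov": prov, "d_map": d_map,
        "variant": f"{letter}{digits}",
    }


def parse_map_file_info(ini_text):
    """Read the [MapFileInfo] section; Provider/MapVer are hex, Product/SWVersion decimal."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["MapFileInfo"]
    return {
        "product": int(sec["Product"], 0),
        "provider": int(sec["Provider"], 0),
        "mapver": int(sec["MapVer"], 0),
        "swversion": int(sec["SWVersion"], 0),
    }


def boot_method(product):
    """Post's heuristic: hardware version below 300 is EGold, 300 and up is SGold."""
    return "EGold" if product < 300 else "SGold"


def predict_block_5005_fields(std_info, delta_info):
    """What the mapper will put into block 5005, as the post describes it."""
    return {
        "sw": std_info["swversion"],             # stored in hex: 43 -> 0x2B
        "std_map": std_info["mapver"] & 0xFF,    # 0x01 -> 1
        "prov": delta_info["provider"],          # 0x90 -> 144
        "d_map": delta_info["mapver"] & 0xFF,    # 0x16B -> last two digits 6B -> 107
        "boot": boot_method(std_info["product"]),
    }


def check_mapping_pair(std_info, delta_info, device_hw_version):
    """The comparisons the post says a mapper makes; returns a list of problems (empty = ok)."""
    problems = []
    if std_info["product"] != device_hw_version:
        problems.append(f"standard map Product {std_info['product']} != device {device_hw_version}")
    if delta_info["product"] != device_hw_version:
        problems.append(f"delta map Product {delta_info['product']} != device {device_hw_version}")
    if std_info["swversion"] != delta_info["swversion"]:
        problems.append(f"SWVersion differs: std {std_info['swversion']}, delta {delta_info['swversion']}")
    return problems


if __name__ == "__main__":
    print(decode_block_5005(parse_hex_dump(SAMPLE_BLOCK_5005)))
    std, delta = parse_map_file_info(STD_MAP_INI), parse_map_file_info(DELTA_MAP_INI)
    print(predict_block_5005_fields(std, delta), check_mapping_pair(std, delta, 322))
```

Run against the post's dump this yields P.-Date 2004-10-11, Std-Map/SW 1/15, D-Map/Prov 4/143 and Variant B102; the two mapping files predict Prov 144 and D-Map 107 for block 5005, and the Product/SWVersion cross-checks are the ones the post says the mapper performs before flashing.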
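Worked example for the BKEY/HASH chain in the 2005.10.31 post by papuas (BKEY = MD5 over a 16-byte string holding ESN and SKEY; HASH = MD5 over BKEY, written to BCORE by Freeze; the bootloader hashes the presented BKEY and compares, and skips the check when the HASH record in a clean BCORE is empty). This is an added illustration, not papuas's code and not the phone's firmware. The post does not give the layout of the 16-byte string, so the layout used here (ESN big-endian, then the ASCII SKEY, zero padding), the reading of "ESN inverted byte by byte" as reversed byte order, the representation of an "empty" HASH record as erased 0xFF bytes, and the sample ESN/SKEY values are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not from any real phone).
SAMPLE_ESN = 0x21E448F7   # 32-bit ESN; reversed byte-wise it gives the PhoneId avkiev quotes
SAMPLE_SKEY = "12345678"  # eight decimal digits, as the post describes SKEY
ERASED_HASH = b"\xff" * 16  # assumption: an "empty" HASH record in a clean BCORE reads as erased flash


def phone_id(esn):
    """PhoneID as the ESN 'inverted byte by byte', read here as reversed byte order (assumption)."""
    return int.from_bytes(esn.to_bytes(4, "big")[::-1], "big")


def bkey_material(esn, skey):
    """The 16-byte string into which ESN and SKEY enter.
    Layout (ESN big-endian, ASCII SKEY, zero padding to 16) is an assumption."""
    if len(skey) != 8 or not skey.isdigit():
        raise ValueError("SKEY must be eight decimal digits")
    material = esn.to_bytes(4, "big") + skey.encode("ascii")
    return material.ljust(16, b"\x00")


def derive_bkey(esn, skey):
    """BKEY = MD5 over the 16-byte material (16-byte digest)."""
    return hashlib.md5(bkey_material(esn, skey)).digest()


def derive_hash(bkey):
    """HASH = MD5 over BKEY; this is the control signature Freeze writes into BCORE."""
    return hashlib.md5(bkey).digest()


def freeze_bcore_hash(esn, skey):
    """What Freeze stores at the HASH record, computed from the EEPROM-side ESN and SKEY."""
    return derive_hash(derive_bkey(esn, skey))


def hash_record_is_empty(stored_hash):
    """A 'clean' or 'new' BCORE has an empty HASH record (no bytes, or erased flash)."""
    return stored_hash is None or len(stored_hash) == 0 or stored_hash == ERASED_HASH


def bootloader_accepts(presented_bkey, stored_hash):
    """Bootloader-side check: hash the presented BKEY and compare with BCORE's HASH.
    With an empty HASH record no comparison is made and any bootloader is accepted."""
    if hash_record_is_empty(stored_hash):
        return True
    return hmac.compare_digest(derive_hash(presented_bkey), stored_hash)


if __name__ == "__main__":
    stored = freeze_bcore_hash(SAMPLE_ESN, SAMPLE_SKEY)
    print("PhoneId", hex(phone_id(SAMPLE_ESN)))
    print("BKEY   ", derive_bkey(SAMPLE_ESN, SAMPLE_SKEY).hex())
    print("HASH   ", stored.hex())
    print("accept with right SKEY:", bootloader_accepts(derive_bkey(SAMPLE_ESN, SAMPLE_SKEY), stored))
    print("accept with wrong SKEY:", bootloader_accepts(derive_bkey(SAMPLE_ESN, "87654321"), stored))
    print("accept on clean BCORE: ", bootloader_accepts(b"\x00" * 16, ERASED_HASH))
```

The practical point the post makes falls out directly: a wrong SKEY or a different ESN changes BKEY and therefore the HASH comparison fails, while a clean BCORE with an empty HASH record accepts anything, which is why the phone is usable without passwords before Freeze has written the keys.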