
QMAT V5.00 Manual
(c) 2009 by B. Kerler
How to register
- Please go to http://www.revskills.de/, choose "Buy QMAT".
- Go to "Main", select "About".
- Press button "Copy Software ID to Clipboard".
- Paste your Software ID into the registration form using the Ctrl-V keyboard combination or right mouse click, "Paste".
- Select payment method.
After payment we will send you a registration key via email. Select / highlight the key and copy it into the clipboard using the Ctrl-C keyboard combination or via right mouse click, "Copy".
- Press button "Paste Regkey from Clipboard". You will then need to restart QMAT.
Once the software is registered, you can use the Network Calculator and the Software ID will no longer be displayed.
For current prices, see the Registration page at http://revskills.de
Why register:
- Support further development and more phones to be added
- Unlimited usage (no time limit)
- Network Calculator
- Personal support and requests for features
- Flash any firmware using diag port
- and a lot more...
1. Main Menu
1.1. Select Output Directory
Choosing this menu item allows you to select where extracted files should be saved.
1.2. Quit
Quit the program.
2. Firmware Forensics
This menu item lets you do several tasks using your mobile firmware or any other binary.
2.1. General Forensics
2.1.1. Search for Algorithms
This function lets you extract useful information about algorithms and public keys found in binaries, so you can easily find the corresponding functions using a disassembler :)
More than 90 signatures are already included, and new signatures can be added to the file crypto.xml. The hex value 0xFF is treated as a wild card.
Example output of HTC Firmware :
Crypto: CRC-16 norm 0014FC40h
Crypto: CRC-16 norm 0020760Ch
Crypto: CRC-16 norm 0027AE2Ch
Crypto: CRC-16 inv 0014FE40h
Crypto: CRC-16 inv 0020780Ch
Crypto: CRC-16 inv 0027B02Ch
Crypto: CRC-30 0014F840h
Crypto: CRC-30 0020720Ch
...
Crypto: SEAL+MD4 key 00BF2144h
Crypto: SEAL+MD4 key 00C0E600h
Crypto: SEAL+MD4 key 00C0EA14h
Crypto: AES sbox1 00ACCBC4h
Crypto: AES sbox2 00ACCCC4h
Crypto: HTC Radio Security Table 001CA41Ch
...
Possible algos: 59
2.1.2. Search for Functions
This function lets you find common functions in any binary, so you can easily find functions at the given addresses using a disassembler :)
Any new function signature can be added to the file function.xml. The hex value 0xFF is treated as a wild card.
Example output of HTC Firmware :
0x00076bd3 Memcpy Generic
0x00247c7f Memcpy Generic
0x00076bc8 Memcpy4
0x00247c74 Memcpy4
0x00076dcc strlen
0x00076cdc strcmp
0x00077f68 __rt_div0
0x00aac510 __rt_div0
0x000770f4 __32__rt_raise
0x0097bd40 __32__rt_raise
0x0001633c rex_int_free_32
0x00016328 rex_int_lock_32
0x00e2f98c atoi
0x00ba752e GetSwapBytes
0x00ba74b0 SwapBits
0x00076a78 MemClr
.....
0x01092228 sprintf
0x00ca0dd8 randinit
0x00ca0e06 rand
Possible functions little endian: 28
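The wildcard signature search described in 2.1.1 and 2.1.2, as an added Python example (not QMAT's code and not part of the original manual). Only the rule that 0xFF acts as a wildcard comes from the manual; the signature set, the name demo_func and the sample image are constructed for illustration.

```python
import re

WILDCARD = 0xFF  # per the manual: this byte in a signature matches any byte

# Constructed signatures for this example; they are not QMAT's crypto.xml or
# function.xml entries, and "demo_func" is a hypothetical code pattern.
SIGNATURES = {
    "AES sbox": "637c777bf26b6fc53001672bfed7ab76",
    "CRC-32 table (0xEDB88320)": "00000000963007772c610eeeba510999",
    "demo_func": "f0b5ffff0020",  # bytes 2-3 are wildcards
}


def compile_signature(hex_pattern):
    """Translate a hex signature into a bytes regex, 0xFF becoming 'any byte'.

    Side effect of the wildcard rule: a signature cannot demand a literal
    0xFF byte, so such positions match more loosely than intended.
    """
    raw = bytes.fromhex(hex_pattern)
    body = b"".join(
        b"." if b == WILDCARD else re.escape(bytes([b])) for b in raw
    )
    # Zero-width lookahead so that overlapping hits are reported too.
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def scan(blob, signatures=SIGNATURES):
    """Return sorted (offset, name) pairs for every signature hit in blob."""
    hits = []
    for name, hex_pattern in signatures.items():
        pattern = compile_signature(hex_pattern)
        hits.extend((m.start(), name) for m in pattern.finditer(blob))
    return sorted(hits)


def crc32_table_head(entries=4):
    """First entries of the reflected CRC-32 table, stored little endian."""
    out = bytearray()
    for n in range(entries):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        out += c.to_bytes(4, "little")
    return bytes(out)


def build_sample_image():
    """Constructed stand-in for a firmware dump, patterns at known offsets."""
    img = bytearray(b"\xAA" * 0x400)
    img[0x040:0x050] = bytes.fromhex(SIGNATURES["AES sbox"])
    img[0x100:0x106] = bytes.fromhex("f0b512340020")  # matches demo_func
    img[0x200:0x210] = crc32_table_head()             # generated, not pasted
    img[0x300:0x306] = bytes.fromhex("f0b5abcd0020")  # matches demo_func
    img[0x380:0x386] = bytes.fromhex("f0b512340021")  # near miss, last byte
    return bytes(img)


if __name__ == "__main__":
    for offset, name in scan(build_sample_image()):
        print(f"{name:28s} {offset:08X}h")
```

Each hit is only a candidate location; the bytes still have to be confirmed in a disassembler, as the manual suggests.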
2.1.3. Show Partition Info
In this menu item you can select any QC partition file that should be analysed.
This function is really helpful in understanding what data sections can be found where in NAND or NOR flash.
You can either enter any page sum and page size with which you wish to interpret the data, or add existing ones to "partition.xml".
2.1.4. Find Security Password
This function searches for the SP in firmware binaries.
2.1.5. Byte Cutter
This tool will help you cut junk data from files.
After selecting the file you can enter at which offset the cutting of data should start, how many bytes shall be deleted and how large the distance between the data to be cut is.
For example, you've got a file. In the first 0x100 bytes, there is no junk data at all. Enter start offset "100". Then 0x10 bytes are junk data. Enter number of bytes "10". This junk data occurs every 0x200 bytes. Enter repeat of bytes "200".
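The Byte Cutter procedure above as added example code (not QMAT's own, and not part of the original manual). It assumes the repeat value is measured from the start of one junk run to the start of the next; the sample file is constructed, and the removed bytes are returned as well so they can be kept for later analysis.

```python
def parse_hex_field(text):
    """The manual's dialog takes bare hex strings such as "100", "10", "200"."""
    return int(text, 16)


def cut_bytes(data, start, count, repeat):
    """Remove `count` junk bytes at `start` and then every `repeat` bytes.

    Returns (kept, removed). Assumption: `repeat` is the distance in the
    input from the start of one junk run to the start of the next one.
    """
    if start < 0 or count <= 0:
        raise ValueError("start must be >= 0 and count must be > 0")
    if repeat < count:
        raise ValueError("repeat must be at least as large as count")
    kept = bytearray(data[:start])      # everything before the first junk run
    removed = bytearray()
    pos = start
    while pos < len(data):
        removed += data[pos:pos + count]         # junk run, may be cut short at EOF
        kept += data[pos + count:pos + repeat]   # payload up to the next junk run
        pos += repeat
    return bytes(kept), bytes(removed)


def build_sample():
    """Constructed file: 0x100 clean bytes, then 0x10 junk every 0x200 bytes."""
    body = b"".join(
        b"J" * 0x10 + bytes([0x30 + i]) * 0x1F0 for i in range(3)
    )
    return b"H" * 0x100 + body + b"J" * 8   # final junk run truncated at EOF


if __name__ == "__main__":
    sample = build_sample()
    kept, removed = cut_bytes(
        sample,
        parse_hex_field("100"),   # start offset
        parse_hex_field("10"),    # number of bytes
        parse_hex_field("200"),   # repeat of bytes
    )
    print(f"input {len(sample):#x}, kept {len(kept):#x}, removed {len(removed):#x}")
    # A wrong period leaves junk behind, which is easy to check for afterwards.
    wrong, _ = cut_bytes(sample, 0x100, 0x10, 0x210)
    print("junk left with repeat=0x210:", b"J" in wrong)
```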
2.1.6. HTC
2.1.6.1. Dump HTC radio.nb
This function lets you dump all known radio parts like amss, qcsbl and oemsbl from .nb files or any other firmware, using the customizable radiosplit.xml in order to add new devices.
2.1.6.2. Fix radio.nb checksum
This function removes the signature from nbh so it can be further split into firmware files, for example.
2.1.6.3. NBH Dump Tool
This function dumps any file you want from nbh or just rips the signatures. "Open NBH" will show information about the NBH file and will also show you what files you can dump.
You can add any new nbh-filetype by adding it to "nbhtype.xml".
2.1.6.4. NBH Generate Tool
This function can generate a valid NBH file, either using dummy signatures or real ones. You can add any new device to "devlist.xml". If you wish to use a private key to sign, just select "Use .pvk File" before generating the NBH. New android NBHs are also supported by selecting "Generate Android Image".
Chunk size is the size of each block to be signed. The real byte size is calculated by multiplying it with 1024.
Signature Size is the size in bytes. If you wish to use signatures with higher bit encryption, just calculate Bitlength / 8. (For example : 1024 Bit / 8 = 128, that is 0x80 in hex)
2.1.6.5. Dump NVitems from file
Using this function, you can load any HTC Nand dump from Area 0:HTC as a file and it will interpret the data and show all found nvitems. This will only work for some GSM devices right now.
2.1.6.6. Dump ECC cutter
This function lets you cut ECC data from HTC firmware read directly from NAND.
2.1.7. BenQ
Sim Secure :
These functions let you load otp data for decryption, encryption of simsecure, direct unlock the mobile or even calculate mastercodes, netlockcodes or other codes.
These functions are non-public at the moment and will be made public for registered users as soon as the mobiles are no longer supported by the vendor.
2.2. Extraction
2.2.1. Open Binary for Extraction
In this menu item you can select any QC AMSS file or any other file (like NAND full-flash) you want to be analysed and extracted. Once selected, it shows information about the AMSS or firmware versions.
Example :
BQS :
File-Info :
-----------
USBID : 123apf is4000
Product Nr. : EF81
SVN : 58
SW build : 96!#433!#7)0)#6
Type : P
HTC :
File-Info :
-----------
OEMSBL : HTC_BOOT V1.00.25
QCSBL : QCT_BOOT V522511
JNAND Identification Block
Compiled Jun 20 2008 19:28:45
Version 00 JNAND 08.00.03
JNAND.ELF for MSM7500 SURF and FFA
Multi-Image Boot Support only
Copyright (c) 2004-2005 by QUALCOMM, Incorporated. All Rights Reserved.
End of ID Block
2.2.2. Extraction Submenu
Open any binary file using the "Open Binary for Extraction" menu.
After that you can extract any certificate, bmp, gif, png and jpg that can be found in the file.
2.2.2.1 Internal Filesystem Menu
This menu lets you extract internal files, if the amss has an internal filesystem.
Example : strings "fs:/" can be found by hexeditor.
If the memory offset differs, you can enter the offset difference by either entering +value or -value.
For example, using a hexeditor, search for the string "fs:/". The DWORD before fs should be the file offset. Bar files always start with hex 0x11 0x01, so the right offset can be found fast.
You can add any device into the filesys.xml.
2.2.2.2 FS Reference Strings
This function will search for any internal QC Embedded File System references.
2.2.2.3 BQS End Signature Extraction :
After loading a binary file in the file menu, these functions let you extract the end signature.
(The last 0x256 bytes of a file)
2.3. Extract GZIP from file
Using this function you may extract any GZIP compressed data from any binary. Just enter the offset where the gzipped data starts and its length. You may extract binaries up to 100 MB.
Attention : For extracting even small files, you will also need a minimum of 100 MB free space.
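An added Python example of the GZIP extraction described above (not QMAT's code and not part of the original manual). It goes one step beyond the manual by locating candidate offsets itself from the gzip header magic, reports the member length that the dialog asks for, and enforces the 100 MB limit; the sample image and its contents are constructed.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"    # ID1, ID2, CM=8 (deflate) per RFC 1952
MAX_OUT = 100 * 1024 * 1024     # the manual's 100 MB extraction limit


def find_gzip_offsets(blob):
    """Offsets of plausible gzip headers: magic plus reserved FLG bits clear."""
    offsets = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        if pos + 3 < len(blob) and (blob[pos + 3] & 0xE0) == 0:
            offsets.append(pos)
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return offsets


def extract_gzip(blob, offset, max_out=MAX_OUT):
    """Decompress one gzip member at offset; return (data, member_length)."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+: gzip header, CRC trailer
    data = d.decompress(memoryview(blob)[offset:], max_out)
    if not d.eof:
        if len(data) >= max_out:
            reason = "output limit reached"
        else:
            reason = "stream truncated"
        raise ValueError(f"gzip member at {offset:#x}: {reason}")
    # unused_data is whatever follows the member in the image.
    return data, len(blob) - offset - len(d.unused_data)


def carve_all(blob, max_out=MAX_OUT):
    """Return (offset, length, data) for every member that decompresses cleanly."""
    results, next_free = [], 0
    for off in find_gzip_offsets(blob):
        if off < next_free:
            continue                  # magic bytes inside an already carved member
        try:
            data, length = extract_gzip(blob, off, max_out)
        except (zlib.error, ValueError):
            continue                  # false positive, corrupt or oversized stream
        results.append((off, length, data))
        next_free = off + length
    return results


def build_sample_image():
    """Constructed image: two gzip members and one decoy header in 0xFF padding."""
    first = b"boot.cfg: console=ttyS0\n" * 40
    second = bytes(range(256)) * 8
    m1, m2 = gzip.compress(first), gzip.compress(second)
    img = bytearray(b"\xff" * 0x80) + m1
    img += b"\xff" * 0x20 + GZIP_MAGIC + b"\x00" * 17 + b"\xff" * 0x20  # decoy
    off2 = len(img)
    img += m2 + b"\xff" * 0x40
    return bytes(img), [(0x80, len(m1), first), (off2, len(m2), second)]


if __name__ == "__main__":
    image, _ = build_sample_image()
    print("candidate headers:", [hex(o) for o in find_gzip_offsets(image)])
    for off, length, data in carve_all(image):
        print(f"offset {off:#x}, length {length:#x}, {len(data)} bytes unpacked")
```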
2.4. Extract FAT from file
Using this function you may extract any FAT12/FAT16 filesystem from any binary. Just open the binary and it will show info about all files that can be extracted and all label info. You may also extract the files by selecting "Extract" and opening a fat file.
3. Cryptoanalysis Tools
3.1. Crypto Toolbox
3.1.1. RSA-Decryption/Encryption Tool
This tool provides powerful RSA functions. You can encrypt / decrypt any message using the RSA algorithm.
For encryption you need :
- Private Exponent (Private Key)
- Modulus
- Signature to encrypt (Plaintext Message as Hex String)
For decryption you need :
- Public Exponent (Public Key) - 3 and 10001 are common ones
- Modulus
- Signature to decrypt (Encrypted Message as Hex String)
Simply press "Decrypt using Values" to either en- or decrypt.
The function Reverse String can cut out hex messages (like 00:FA:BC:EB) or can just reverse doublebyte hexstrings.
You can also enter any modulus and exponent and check BQS and HTC firmwares for validity.
Examples of Public Keys are already given for HTC mobiles, BQS mobiles and old iPhone.
Public Keys can be added into the "publickeys.xml" file.
3.1.2. RSA-Keygenerator
This function lets you generate an RSA Private Key, for example in order to sign your own firmwares. Just enter any bitlength you wish (decimal) and the needed public exponent (hex) and press "Generate RSA Keys". After generation, you may save the calculated key in a .pvk container file by pressing "Create .pvk Files using Results", or just copy'n'paste the values.
3.1.3. DES-Calculator
This function lets you calculate DES (64 Bit), 2DES (128 Bit) and 3DES (aka. Triple DES - 192 Bit) in the modes ECB, CBC, CFB and OFB.
You can also enter how many times the calculation is iterated.
3.1.4. AES-Calculator
This function lets you calculate AES with key sizes 128 Bit, 192 Bit and 256 Bit in the modes ECB, CBC and CFB.
3.1.5. TEA-Calculator
This function lets you calculate TEA and improved TEA (XTEA) in the modes ECB and CBC.
3.1.6. CRC-30 Calculator
This tool can calculate a CRC30 value for any file with given pagesize and stepsize, but can also fix a file to fit a needed QC CRC30 value by bruteforcing the last 4 bytes (for example qcsblhdconf file).
3.2. Generate Hashes
This function will calculate MD4, MD5, SHA1, SHA2 (SHA-224 and SHA-256), CRC16 and CRC32 and several ECC of any selected file.
Example :
SHA1 : DF870F3A4C306A4AD19232D47FAAA4F315079ECB
SHA224 :
46A09505ADBD225572BFE53C03B83D1798CED6E2FD30B88B190F853DCCCCCCCC
SHA256 :
8646D2F73CBBB227E93011C30B40CBF526E830A49EF55FE7E25777BF6674EBEC
SHA256-HTC :
4FBAC64CA15493CFB81B9823CFE31E1497E4BDF1FE9758F20FA7AE877ED765D2
MD4 : 91523B28F7F2B0565CDEAA4E3A165EEB
MD5 : 88BA062A43782CEBB8CDC722F305C31A
CRC16 (0x1189) : EBCE
CRC30 (Block: 0x1000 Page: 0x200) : 2F34652C
CRC30 (Block: 0x2000 Page: 0x400) : 1068B9C4
CRC32 (0xEDB88320) : 199ECB76
CRC32 (0x04C11DB7) : 3EB38D82
CRC32 HTC (0xEDB88320) : C95C445B
ECC Reed Solomon (parity10) : A3820A8D639278A67BCC
ECC BCH Micron 3 byte : 222222
ECC Hamming Toshiba (8 bit - 0x200 bytes) : CFCFCF
ECC Hamming (8 bit - 0x200 bytes) : CFCFCF
ECC Hamming (16 bit - 0x200 bytes) : F3F3F3
3.3. Show .pvk File
This function lets you extract useful information from a private key container file (.pvk).
Currently, only private keys are supported.
The example output is an RSA2 key blob listing the fields Modulus, Prime1, Prime2, Exp1, Exp2, Coeff and PrivExp, each as a hex string.
4. Hardware Forensics
This menu offers "online" support, like accessing any features QC mobiles offer using USB or Serial Interface, WIN CE devices (WM 5.x - 6.1) but also using JTAG.
4.1. Use Mobile Ports
This function lets you experiment with a lot of standard QC and AT Command functions.
4.1.1. Diag Port (QC) :
This tool can be used with all QC mobiles with Diag Port enabled. It allows you to send any command as a hex string via Diag Port to any mobile connected via USB or COM port.
On top you can select what interface you wish to use. The port will be opened automatically when needed. The port will be closed once you close the window, change the com port or select any other baud rate. Below you can select diag mode functions for phones in AT mode in order to switch to qc diag mode.
With "Select Log-File" you can tell the program where to save the data displayed in the Com Result Window (big white window with hex values). If no filename is entered, the standard filename "comlog" in the application directory is used.
Select any standard qc command you wish to send under "Diag commands" or enter any hex value to be sent (without crc), for example "0001020304", and click on "Send Cmd" to send it to the mobile via the USB Diag Interface. Selecting "No CRC+7E" will send raw hex bytes without crc generation and postfix 0x7E.
You can also run xml scripts with auto-log function. See scripts/script.xml for an example on how to use them. "Delay" means how many ms to wait before sending the next command. Option plain="1" means to send raw data without crc and postfix 0x7E.
Under "Diag functions" you can use special functions like :
- Save Memory to file
- Display Memory
- Write Memory (DANGEROUS)
- Save NVItems to file
- Display NVItem
- Write NVItem (DANGEROUS)
- Read EFS
- Backup NVItems (Binary)
- Restore NVItems (Binary)
- Enable FTM Mode
- Disable FTM Mode
- Generate SimSecure Command (DANGEROUS)
- Switch to Offline Analog Mode
- Switch to Offline Digital Mode
- Switch to Reset
- Switch to Offline Factory Test Mode
- Switch to Online mode
- Switch to Low power mode
- Find SPC in EFS (Older MSM)
- Find SPC in EFS (Newer MSM)
- Read SPC from EFS file
- Find SP in Memory
- Get Call Stack
- Read Sim Contacts (Huawei)
- Read SMS
- Read PRL
- Write PRL
- Enable Toshiba FTM Mode
The functions "Enter FTM" and "Leave FTM" will write the FTM Mode into NVItem and automatically reboot the phone.
The command "Generate SimSecure Command DANGEROUS" can produce a command string from a given simsecure file which the user wants to write to SimSecure. Be careful, incorrect use of this tool will leave your phone useless.
On phones where only a modem port exists, you might need to send a command to enable the diag port. Use the buttons under "Enable Diag Mode functions for phones in AT mode" to enable the diag port easily. Remember to set the right baudrate needed for your phone.
The option "Vendor" lets you select generic preheaders used by some vendors if they don't use the standard qc protocol.
Functions that won't work for all MSM phones :
- The function "Read SMS" will read all SMS from phone memory.
- The function "Get Call Stack" will show, for example, all received / missed calls.
- The function "Read Sim Contacts" will read all sim contacts from huawei phones
These are some of the Diag Commands supported (Examples how to use):
Get Version info :
Select "Vernum" in the command list and press the "Sendcmd" button or just press Enter
Get Mobile Build ID :
Select "BUILDID" in the command list and press the "Sendcmd" button or just press Enter
Send SPC example :
Select "SPCSEND" in the command list.
Add to the command "41" the SPC you want to send.
For example, if your SPC would be 000000, convert decimals to ascii (0=30, 1=31, etc... 9=39), you would have to send "41303030303030".
Send Security Password (SP) :
Select "PASSWD" in the command list.
Add to the command "46" the SPC you want to send.
For example, if your SPC would be 12345678, convert decimals to ascii (0=30, 1=31, etc... 9=39), you would have to send "463132333435363738".
Get Nand Flash info :
Select "GET_DEV_INFO" in the command list and press the "Sendcmd" button or just press Enter
Change Mobile operation mode :
Select "MODECHANGE" in the command list.
Add to the command "49" the Mode you want to change.
For example :
Set Phone into FTM mode
Send "290300" to switch to FTM, press "Sendcmd"
After that, you need to reboot the phone by sending "290200".
Read NVItems
To read specific NVItems, select "Read NVItems" in Standard Mode Tab.
Enter the range to read out and press "Lets go" to start. It will ask for a filename to save the data.
You can also restore / backup all NVItems using those commands in Standard Mode Tab.
Write NVItems
For writing NVItems, select "NVWRITE" in the command list and add the number plus the data.
Example : Write Item 01C5, Data 01 (enable FTM mode permanently)
27C5010100000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000
Data must always be 80 bytes just like in the example.
Read EFS
To read out EFS, select "Read EFS" in Diag Port Tab.
Enter the max range to read out and press "Lets go" to start. For newer QC devices you may also select an alternate way to read out EFS. It will ask for a filename to save the data.
There are a lot more functions you can do with it. Limits are only what your mobile is capable of. Write, read config data, contacts, read and write SMS ..... and much more.
4.1.2. Modem Port (Sync)
This tool may be used with any Modem port.
Left of the button "Send ASCII" you can enter any AT Command you wish and send it by pressing Enter or pressing the button "Send ASCII".
You may also choose AT functions under "Select Action" and press "Go" to execute.
AT functions available :
- Read all SMS
- Read all contacts
- Read IMSI
- Read IMEI
- Read manufacturer identification
- Read model identification
- Read revision identification
- Read operator names
- Read battery charge
- Read signal quality
- SIM : Read IMSI
- SIM : Read Kc - GSM
- SIM : Read ICC Identification
- SIM : Get Location Info (TMSI+LAI+RFU)
- SIM : Get Ciphering Keys (KSI+CK+IK) - UMTS
- SIM : Get Ciphering Packet Keys (KSIPS+CKPS+IKPS) - UMTS
Registered Users of QMAT will also be able to use the APDU interface that lets you send any APDU command you wish to access the SIM card in the mobile.
This is especially useful for forensics, like reading current cipher keys and restoring deleted sms or contacts.
4.1.3. Modem Port (Async)
This interface lets you talk with any AT interpreter in asynchronous mode, like the HTC Tricolor Bootloader.
The binary log file will be saved to the application directory as "bytelog" or any given filename in the lower edit box.
The binary log will start using the "Start serial" or "Start USB" button and will end using the "Stop serial" or "Stop USB" button. Do not try to read the log file while the connection is still running, otherwise the program will crash.
You have two options to use it :
1. Using the Serial port, you can just use it with any serial port like the ActiveSync one under XP.
Just select the right com port, press "Start Serial" and you can enter any command you like.
Either press Enter afterwards or press "Send Ascii via Serial" to send instructions.
After you are finished or want to use your binary log, press "Stop Serial".
2. Using the USB port (via WinUSB compatible driver, like WMDC under Vista), you can enter any driver guid into the USB Guid Edit Box, press "Start USB" and then you can enter any command you like. If you want to send your instructions via Enter-Key, just select "Switch default send button". Or you can just press "Send Ascii via USB".
After you are finished or want to use your binary log, press "Stop USB".
Remember when using WMDC to disable "Connect to USB" under Preferences, Connection Preferences, otherwise you are not able to connect.
HTC lnb command for uploading firmware :
Example :
"lnb splash 50140000" will upload any file at NAND address 0x50140000
"lnb os 50420000" will upload any OS file at NAND address 0x50420000
Once the lnb command is executed, it will ask for the file to be uploaded.
Security Unlock Features :
Radio Bootloader :
1. Enter "rseed" as a command, press Enter
2. Copy'n'Paste the result into the editbox left of the "Calc Password" button
3. Press the "Calc Password" button
4. Enter "rpass" as a command, press Enter
5. Press the "Send result" button
SPL :
1. Start USB HHD Monitor (get trial or full)
2. Enter "info 3"
3. Copy the bytes at position 0x2B0 (0x20 bytes string) into the editor box left of "Calc Password"
4. Press "Calc Password"
5. Enter "password" + result in the result box left of "Send Result", press Enter
(Example : password O'OOOOOOOOOrO000)
Encapsulate Features :
You can either send bytes encapsulated into the HTCS-HTCE header that were entered as a hex string into the editbox left of the "Calc Password" button (Example : ABA4123456), or even upload complete files encapsulated using the "Encapsulate binary file and send" button.
This feature is very useful with commands like rpass or rwfactory.
4.1.4. Codes
This tab offers you tools to read out codes and passwords using Diag Port, but also lets you send SP and SPC for authentication and change the SPC. There are already several SPs included; you can easily expand them by writing new SPs into the file config/sp.xml. Selecting the vendor will switch protocols if non-qc standard protocols are used.
Some useful information like IMSI and LAC/LAI can also be read out.
4.1.5. CDMA
This tab offers you functions to read and write information and settings for CDMA phones using Diag Port.
4.1.6. BOOTLOADER / DOWNLOAD MODE:
This menu offers Bootloader and Download Mode functions. Take care with any action labeled "DANGEROUS" as it may leave your phone unusable.
Download Mode :
While in Download Mode, which can be enabled in standard mode by only selecting "Enable Download Mode" and pressing "Run Bootloaderfunctions", you can send any command in the command list, marked in the picture as "Read Rootkey" with prefix "DWNMODE".
Using the button "Read Mem in DwnMode" you can read out Application Memory with the range given if your phone supports QC Diag Version greater than 6, but also use other typical QC Diag page read functions by changing command byte and page size to read.
Bootloader :
You may load and execute any bootloader you wish to. In order to enable NAND read functions, you have to select "Use 6250A hotfix" or "Use 7200A hotfix", depending on your current QC model. The window below the check buttons is the address where to send the bootloader and at which address to execute. Pagesize can be resized for bootloaders smaller than 0x3F9 (Hex).
Once the bootloader is loaded, it is announced in the result window as you can see in the picture.
Then you can read any range of NAND with the range given using the "Read NAND with Loader" function.
For reading out NAND two procedures exist :
1.
Remove and reinsert battery
Remove data cable
Set mobile in emergency mode (hold Power On + P, release after BenQ Logo appears)
Insert data cable
Press "Run Bootloaderfunctions"
Now you can select a loader cmd like "Read Rootkey" or "Read SimSecure" and press "Send cmd".
Result will appear in window below.
Or you can press "Read NAND" to read out a specific NAND range (FullBackup)
After working, select "Reset phone" and press "Send cmd" for normal phone operation.
If that doesn't work, remove and reinsert battery for normal phone operation.
2.
Insert data cable
Press "Enter FTM Mode" in normal phone operation.
Press "Send special loader"
Now you can select a loader cmd like "Read Rootkey" or "Read SimSecure" and press "Send cmd".
Result will appear in window below.
Or you can press "Read NAND" to read out a specific NAND range (FullBackup)
After working, select "Reset phone" and press "Send cmd".
If that doesn't work, remove and reinsert battery.
Press "Leave FTM Mode" for normal phone operation.
Bootloader commands :
These commands can be used to test patched or standard qc uploaded bootloaders or to unlock non-standard bootloaders.
Read Rootkey Special Bootloader
Read Sim_Secure Special Bootloader
Read Sim_Secure2 Special Bootloader
Unlock Bootloader ZTE
Hello
Read Mem
Write Mem
Write NAND DANGEROUS
Sync
Reboot Phone
Poweroff Phone
Open Connection
Close Connection
Security Mode
Write Partition Table DANGEROUS
Set Multimode DANGEROUS
CRC30 Enable
Download-Mode commands :
These commands can be used when the phone is in Download-Mode (initiated normally via 0x3A command)
DWNMODE: Write16BitBlock DANGEROUS
DWNMODE: EraseMemBlock DANGEROUS
DWNMODE: Execute
DWNMODE: No Operation
DWNMODE: RequestParam
DWNMODE: DumpMemBlock
DWNMODE: Reset Phone
DWNMODE: UnlockSecureOps
DWNMODE: RequestSoftVer
DWNMODE: Poweroff Phone
DWNMODE: Write32BitBlock DANGEROUS
DWNMODE: MemoryDebugQuery
DWNMODE: MemoryReadReq
DWNMODE: SwitchDwnMode
Download-Mode functions :
These functions add dumping by using standard or patched bootloaders or via download mode.
Read full NAND using patched Loader = dump nand via patched qc bootloader
Read NAND using standard Loader = dump nand via standard qc bootloader (starts at amss normally)
Read NAND using LG Loader = dump nand via LG bootloader
Read NAND using ZTE Loader = dump nand via ZTE bootloader
Read NAND using Samsung Loader (QI MSM6250) = dump nand in Samsung download mode
Show MEM Partitions in DWNMODE = show memory partitions to dump (msm6260 or newer)
Read MEM in DWNMODE = dump memory partitions (msm6260 or newer)
Read SimSecure Data using patched Loader = dump SimSecure Data from BenQ/Siemens phones

Flasher Interface (MSM6250 only) :
Before using this function, you must load and execute a flashing bootloader, either the included one for MSM6250/A or any given one. Select any part you wish to upload to the phone. This function is dangerous, so you should know what you are doing. The flashing function should only be used with a fully charged battery. Pressing "Flash AMSS - DANGEROUS" will start the flashing procedure.
This function is only available to registered users.
WARNING : Dumped EFS cannot be written !!!
4.1.7. EFS Browser Mode :
Using this tool, you have full access to the embedded file system of every device R Brew 3.x.
Just press "Read Directory", wait a few seconds and you are able to browse the file tree.
After that you will be able to backup the whole fs using the "Backup FS to ZIP" button.
In order to use subsystem commands instead of standard qc commands, select "Use SubSys" before reading directories.
Directories :
If you click on any directory with the right mouse button, a menu will appear that lets you create or remove directories and also backup the directory to a ZIP file. Remember, only empty directories can be removed :)
Files :
If you click on any file with the right mouse button, a menu will appear that lets you read, write, remove files, set file attributes and even set remote file links.
Selecting any file with the left mouse button will show its attributes in the small window at the right side.
On selecting Read File, it will first read out the file and will then ask where to save it on your harddisk. You can see the progress at the progress bar.
On selecting Write File, it will ask for the file to upload to the phone and will then start uploading. You can also see the progress at the progress bar.
On selecting Remove File, a file will be removed from the directory.
On selecting Set File Attributes, you can modify the file attributes. Not all phones support this feature.
On selecting Create File Link, you can set a virtual file link pointing to the memory of the device. A menu will show in which you need to enter the filename, the baseaddress (where to start in ram) and the length that should be linked to. Not all phones support this feature.
If there are any errors, they will be shown as text just below the "Read Directories" button.
"Backup FS to ZIP" lets you zip the complete filesystem.
4.2. Generate HTC Gold Card
This tool lets you create a goldcard for HTC devices. The goldcard is a special SD card that unlocks Diagnostic Features for HTC devices.
Once your device is connected via Activesync / WMDC, you can press "Get SD Card Serial from WINCE Device" to obtain the serial number of the SD card inserted in your PDA/Smartphone.
Alternatively you can enter the 16-byte serial number manually.
To make it work, please check the following :
- On the device, allow start of itsutils.dll
- On some devices you must set the right security permissions via Registry Editor :
HKLM\Security\Policies\Policies\"00001001" set to integer 1
After that, select the device under "device key" to generate a goldcard image.
Then you can choose either "Save Goldcard Image to File" to generate an SD card image, or write the Goldcard directly to the SD card inserted in your PDA/Smartphone via "Save Goldcard Image to WINCE SD".
4.3. WINCE SD Card Utils
Once your device (PDA or Smartphone) is connected via Activesync / WMDC, you can raw read or write SD images of any size below 4 GB to the SD card in your device.
To make it work, please check the following :
- On the device, allow start of itsutils.dll
- On some devices you must set the right security permissions via Registry Editor :
HKLM\Security\Policies\Policies\"00001001" set to integer 1
4.4. Use JTAG (using Segger J-Link ARM or any GDB devices)
This function lets you repair / write / read out any NAND via Jtag. It is only available to registered customers who bought this plugin. Currently we only support NAND devices. OneNAND and NOR flash will be added soon.
Steps in order to jtag MSM chipsets :
Using Segger J-Link ARM (recommended) :
1. Press "Connect Jtag". If the device is supported, the correct MSM chipset and Nand flash will be automatically selected. You can easily add new MSM chipsets by editing jtagdevices.xml and also add new init strings. In order to add new MSM chipsets or init strings, please ask for assistance at our forum. The same applies in order to add new NAND devices.
2. Select the needed speed and press "Set speed". Choose low speeds if the data written or read is corrupted.
3. For some NANDs you will need to init the nand before usage. Select the correct NAND and then press "Init Nand". You can add new NAND init scripts by editing jtagdevices.xml.
3. Select any function you wish to use. In order to read nand, you may select "Read" after entering a valid range in the selection below. You can add any custom ranges to the list by editing jtagdevices.xml. The function "Disable MMU" will disable any memory mapping that is done by the MSM chipset if needed. Stop action will stop any running function. Before writing, you may select "erase before writing" and "verify when writing" if you want to. Show registers will show all current registers the arm cpu has. The functions "Read memory" and "Write memory" won't flash any nand but will enable you to dump any memory range. Using these functions you can for example upload your own loaders and execute them. For writing into memory, set the first range item to the starting address and the second range item to the end address. For execution, enter the PC address into the first range item and press the button "execute".
Using GDB devices (for example OpenOCD) :
1. Select "Use GDB for NAND".
2. Enter GDB Host and Port.
3. You may now enter and send any GDB Cmd via the cmdline.
4. Select MSM chipset (not autodetected) and press "Connect Jtag".
5. You can use all functions except "Show registers", "Execute", "Reboot", "Halt", "Reset". See function description at "Using segger J-Link ARM" Point 3.
5. Network Calculations
This function lets you calculate typical Network algorithms, needed for authentication or to encrypt/decrypt network data.
See picture above for supported algorithms (TDMA : GSM / UMTS, CDMA : Cave).
This function is only available for registered users.
SO ENJOY THIS TOOL :)
