Thread: QMAT - QC Mobile Analysis Tool

  1. #1
    Join Date
    Jan 2007
    Posts
    3
    Feedback Score
    0

    QMAT - QC Mobile Analysis Tool

    What is it?

    It is a development and debugging tool for Qualcomm mobiles - the only tool you'll ever need for research and development.


    Who may need it?

    Mobile engineers / reverse engineers and cryptanalysts


    Crypto Functions:

    - Calculate CRC-30, CRC-32, SHA1, SHA2 (SHA224 + SHA256), MD4 and MD5 of any file

    - Brute-force bytes to fit the CRC-30 needed when qcsblhd_cfgdata.mbn has been edited

    - Decrypt and encrypt any RSA message, including ASN.1 / SHA signatures (you can add public keys to publickeys.xml)

    - Generate RSA Private Key and create .pvk files

    - Check firmware signature given Modulus and Exponent (for HTC and BQS mobiles)

    - Extract information from .pvk files

    - Search for algorithms in binary files (find crypto methods + signatures): CRC8, CRC16, CRC32, MD4, MD5, SHARK, HAVAL, GZIP, ZIP, SHA1, ... and much more (you can add crypto signatures to crypto.xml)


    JTAG Interface:

    (soon via Segger J-Link)


    Functions for QC mobiles:

    1. Load binary files for:

    Extraction of certificates
    Extraction of BMPs, GIFs, PNGs, JPGs

    2. Load Partition File to get an overview of the NAND/NOR structure

    3. Send any string to a COM/USB port and back up all your SMS!

    4. Make use of QC's Diag USB/COM Port Interface
    (Useful for any QC mobile in the world)


    Standard Features:

    - Send standard diag commands or any hexadecimal command you want (database included)

    - Read out all NVItems (range given)
    (all that exist, more than QPST normally extracts)

    - Backup and Restore all NVItems

    - Read out and Dump Firmware in Memory (SRAM)

    - Read out complete EFS

    - Switch to FTM Mode (or anything else you want)

    - Get info about the phone, etc. ... a lot more functions

    - Generate SimSecure Command to write to SimSecure using given file (may brick your phone when used without knowledge)

    - Full Feature EFS Browser


    Bootloader / Download Mode Features:

    - Load any file to the mobile at any address and execute it (e.g. a bootloader)

    - Read out complete NAND memory using a bootloader (range given) with the included MSM6250/A bootloader or any given bootloader
    Usage: Take out battery, put in battery, press ON # to enter emergency mode, Execute Loader
    or (e.g. with SL91, SF71) enable FTM mode, Execute Loader

    - Use any Download Mode or Bootloader Command to experiment

    - Read application memory of newer Diag Ver 6 in Download Mode

    - Show complete info about the NAND in use after loading the bootloader


    Flasher Features:

    Flash any QC mobile (OBL Multiboot) with given bootloader

    - Flash PBL (dangerous), QCSBL, QCSBL Header and Config Bits, Partition, OEMSBL, OEMSBL Header, AMSS, AMSS Header and EFS


    Functions for BQS only:

    1. Load AMSS to extract files or useful infos
    (EF81, E81C, EF91, SXG75, EF82, SF71, SL91 or similar ones)

    Features:
    Extract info from AMSS: USBID, Product Nr., SVN, SwBuild, Mobiletype
    Extract internal filesystem (mif, bar, sig, etc. files)
    Extract AMSS signature bytes (if production key)
    Show all file references used by mobile

    2. Check Firmware validity (signature)

    3. Sim_Secure extraction/decryption (non-public)

    4. Master-/Usercode/Unlock extraction and direct unlock (non-public)


    Functions for HTC only:

    1. Check validity of HTC firmware (signature check)

    2. Cut out signatures from .nbh file

    3. Split radio.nb into Qualcomm files for analysis

    4. Find HTC Public keys using Cryptosearch

    5. Generate Security passwords (SPL + radio) for newer HTC

    6. Generate NBH Files (you can add any device into devlist.xml)

    7. Dump Files from NBH (you can add any type into nbhtype.xml)

    8. Fix radio.nb checksum

    9. Generic Bootloader / AT Command interface with logging functions



    Functions for Network Engineers

    Network Calculators:

    TDMA (GSM/UMTS):
    --------------------
    IMEI
    GSM A5-1
    GSM A5-2
    GSM A5-3
    3G ECSD
    GEA3 - GPRS
    3G SNOW
    3G UEA2
    3G UIA2
    GSM A3/A8 COMP128 V1
    GSM A3/A8 COMP128 V2
    GSM A3/A8 COMP128 V3
    3G Milenage
    3G Milenage Resync

    CDMA:
    -------
    CAVE
    CAVE Authentication
    CAVE CMEA
    CAVE EMEA
    CAVE EMEA_NF
    CAVE Wireless Residential Extension
    CAVE Datakey / Look Up Table / Mask
    CAVE DTC / DCCH
    CAVE KSG
    CAVE Long Block
    CAVE Short Block
    CAVE Enhanced Message
    CAVE Enhanced Voice Privacy
    CAVE Enhanced Data Mask


    Planned in future:

    1. Bugfixes
    2. EFS Backup / Restore to Zip File
    3. QC Jtag interface using Segger J-Link ARM
    4. LNB/LNBS HTC support to replace MTTY
    5. Tooltips showing real addresses in graphical window
    6. Simple NVItems Editor
    7. Read out / Write back Addressbook
    8. Restore backed-up SMS to phone
    9. much much more

    NO UNLOCKING ! PLEASE DO NOT REQUEST. THIS PROJECT IS FOR EDUCATIONAL PURPOSES ONLY, NOT TO HARM COMPANIES FOR THEIR EFFORTS.


    What we need:

    - Any contribution to the project is welcome.
    - Donations for new hardware and software for further development of this tool.


    Download at: http://revskills.de

    Cya,

    Viper BJK
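Checking a firmware signature from nothing but a raw modulus and exponent, as the crypto functions listed above describe, is shown here in an added Python example that is not part of the original post or of QMAT: it implements RSASSA-PKCS1-v1_5 with SHA-256 and compares the entire recovered encoded message, not only the hash, so a signature with malformed padding is rejected too. The key pair is generated on the spot and is a constructed demo key, not a vendor key; `generate_demo_key`, `sign_pkcs1_v15_sha256` and the other names are this example's own.

```python
import hashlib, hmac, random

# DigestInfo prefix for SHA-256 (RFC 8017, 9.2 note 1): the ASN.1 AlgorithmIdentifier
# plus the OCTET STRING header that precedes the 32-byte hash.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def encode_em(message: bytes, k: int) -> bytes:
    """EM = 00 01 FF..FF 00 || DigestInfo || SHA-256(message), exactly k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_pkcs1_v15_sha256(message: bytes, signature: bytes, n: int, e: int) -> bool:
    """Verify an RSASSA-PKCS1-v1_5 / SHA-256 signature given only raw n and e."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    # Compare the whole EM, not just the trailing hash: padding must be exact.
    return hmac.compare_digest(em, encode_em(message, k))

def _probable_prime(bits: int, rounds: int = 24) -> int:
    """Random odd prime of `bits` bits via Miller-Rabin (demo key generation only)."""
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(rounds):
            x = pow(random.randrange(2, n - 1), d, n)
            if x in (1, n - 1):
                continue
            if not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
                break          # composite witness found: try the next candidate
        else:
            return n           # survived every round

def generate_demo_key(bits: int = 1024, e: int = 65537):
    """Constructed toy key (n, e, d) for the demo; NOT any vendor's production key."""
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e and (p * q).bit_length() == bits:
            return p * q, e, pow(e, -1, phi)

def sign_pkcs1_v15_sha256(message: bytes, n: int, d: int) -> bytes:
    """Signing side, used here only to produce a valid test vector for the verifier."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(encode_em(message, k), "big"), d, n).to_bytes(k, "big")
```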

  2. #2
    Join Date
    Dec 2006
    Location
    Thompsons Station
    Posts
    176
    Device(s)
    Moto Droid X
    Carrier(s)
    -- Cricket --
    Feedback Score
    0
    Only works for 10 minutes unless you PAY for it. Just stick with RSD!

  3. #3
    Join Date
    Jan 2007
    Posts
    3
    Feedback Score
    0

    That's right. But payment is only used to obtain new hardware and licenses needed for the further development of the tool.

    And I guess 15 Euro for a one-time registration should not be much at all.

    For that value, QMAT offers more than any tool. It is able to read the complete NVItems and also hidden EFS files that BitPim can't read, for example.

    Cya,

    Viper BJK

  4. #4
    Join Date
    Jan 2007
    Posts
    3
    Feedback Score
    0

    As we wish to make a well-working and much better QMAT,
    we are starting a Beta Tester Program.

    What advantages do you get:
    - Be the first to get unofficial versions, containing new features
    - Be productive and make QMAT more user-friendly
    - Get a discount on special modules
    - Get your phone working with QMAT
    - Increase your knowledge regarding QC technology

    Why it is important for us:
    - Make more phones work with QMAT
    - Fix any existing bug and make QMAT more stable

    If you're interested, please send me a PM with the subject "QMAT Beta Tester" and a short introduction of yourself
    (where you are from, if you are a user / programmer / reverse engineer, why you want to be a beta tester, what phones with qc chipsets you have to test)

    Thanks,

    Viper BJK

  5. #5
    Join Date
    Jun 2013
    Posts
    1
    Feedback Score
    0
    Hi, I understand that you have started a Beta Tester Program.
    Allow me to join your efforts.
    I wonder where I can find the producer and ask for permission to advertise QMAT on the CHIP
    DOWNLOAD EU International site. Sorry, I am not allowed to post any kind of links here, but I can say that I am the person responsible for presenting new software on the mentioned site.
    As you probably already know, Chip is available in Europe and Asia with more than 2229421 members who receive a newsletter with the latest new software releases.
    I think it's a good idea to let more enthusiasts learn about this amazing tool, and it's also a good chance to advertise the software.
    Many thanks for your help and understanding.