This is a compilation of NOKIA secrets!
-= http://netsplit.home.icq.com =-
-------------------------------------------------
Here is a little tutorial on how to put the sec.code on your outbox menu.
In this case the file is 3310 5.79 with ppm A.

First of all open your CLEAN file in g3n0lite and look at the outbox line and the phone security line. You will find this:

[0x0031824B] [0x0000001D] (0x0179) (0x05E0) (0x0000) (0x0052) (0x0000) (0x0024) Outbox
[0x00318107] [0x0000004C] (0x0179) (0x05E0) (0x0000) (0x0052) (0x0C00) (0x0024) Phone\x0Asecurity

The second address is some kind of function id or something: if it is 0000001D the phone jumps to the outbox, and if it is 0000004C it jumps to the phone security menu and usually asks for the sec.code before you can change phone security.

Now you have to change the outbox function id 0000001D to 0000004C, but you can't change it in g3n0lite; you have to change it in hexworkshop. The outbox line which you see in g3n0lite looks like this in hexworkshop:

0031824B0000001D017905E00000005200000024

Find this and change 0000001D to 0000004C. If you now open your file in g3n0lite you can see that the outbox's function id has changed.

Now you have to make another outbox menu in the free space of the MCU; the free space starts around the address 12ed30. REMEMBER that in the phone the start address is 00200000, but in hexworkshop it is 00000000, so if there is an address like 00317B13 in the flash and you want to go to that address in hexworkshop, you have to change the number 3 to 1.

When you make a new outbox menu you need the message menu header, the message menu first line (null line or something) and the original outbox line.

The lines in g3n0lite:

Header: [0x0030CDD0] (0x0B) (0x80) (0x0101) [0x00111442]
Null line: [0x0031809B] [0x00000000] (0x0179) (0x00DC) (0x0000) (0x000D) (0x0100) (0x0024) Messages
Outbox line: [0x0031824B] [0x0000001D] (0x0179) (0x05E0) (0x0000) (0x0052) (0x0000) (0x0024) Outbox

Lines in hexworkshop:

0030CDD00B80010100111442
0031809B00000000017900DC0000000D01000024
0031822A00000021017905E00000005204000024

You have to change the header's first address so that it is the address where the real menu starts (in front of the null line), and you have to correct the hex value in the menu header which tells the number of menus; it's now 0B, correct it to 01. If you insert the new menu so that it starts at the address 0012ED50, it should look like this:

0032ED5C01800101001114420031809B00000000017900DC0000000D010000240031822A00000021017905E00000005204000024

Now you have to find the hex value which tells the phone where it jumps to after you have entered the sec.code. Now it's the address of the sec.code on/off menu, but you have to change it so that it jumps to your new outbox menu (to address 0012ED50). It's quite hard to find this hex value; in this case the value is 00328D60, and you can find it and replace it with 0032ED50 (notice that it has to be 0032ED50, NOT 0012ED50).

But the real way to find this value is very hard. I used a method like this: first export the text chunk with PPM Manager, open the exported txt file and find some text which is in the phone security menu, e.g. None or Phone, then take the number in front of the word and change it to hex with hexworkshop's base converter, then insert the value 04 in front of it and find it in the flash file. You will maybe find it in many places, but the right one is the place where there are other values which also start with 04. Now look at the address of that value and find it (it is something like this 00XXXXXX).
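The record layouts and the phone/file address rule from this tutorial, as an added Python example that is not part of the original text. The field and function names are assumptions (the page only identifies the header's first address, the menu count and the function id), and the count is taken to exclude the null line, as in the page's own 01 example.

```python
import struct

FLASH_BASE = 0x00200000  # phone-side start address of the flash, per the tutorial

# Big-endian layouts inferred from the g3n0lite / hexworkshop views on the page.
HEADER = struct.Struct(">IBBHI")  # first-entry addr, menu count, 0x80, 0x0101, trailing addr
ENTRY = struct.Struct(">II6H")    # first addr, function id, six 16-bit fields


def to_file_offset(phone_addr):
    """Phone address -> offset in the dump as opened in a hex editor."""
    if phone_addr < FLASH_BASE:
        raise ValueError("not a phone-side flash address: %#010x" % phone_addr)
    return phone_addr - FLASH_BASE


def to_phone_addr(file_offset):
    """Hex-editor offset -> address as the phone (and the menu tables) see it."""
    return file_offset + FLASH_BASE


def parse_entry(hex_record):
    """Split one 20-byte menu line into its address, function id and fields."""
    addr, func_id, *fields = ENTRY.unpack(bytes.fromhex(hex_record))
    return {"addr": addr, "func_id": func_id, "fields": fields}


def build_menu(file_offset, header_hex, null_hex, entry_hexes):
    """Build header + null line + entries for a menu placed at file_offset.

    The header's first address is rewritten to point just past the header
    (phone-side), and the count byte is set to the number of real entries.
    """
    _, _, flag, word, trailing = HEADER.unpack(bytes.fromhex(header_hex))
    lines = [bytes.fromhex(h) for h in [null_hex] + list(entry_hexes)]
    if any(len(line) != ENTRY.size for line in lines):
        raise ValueError("every menu line must be %d bytes" % ENTRY.size)
    if not 0 < len(entry_hexes) <= 0xFF:
        raise ValueError("menu count must fit in one byte")
    first_entry = to_phone_addr(file_offset) + HEADER.size
    header = HEADER.pack(first_entry, len(entry_hexes), flag, word, trailing)
    return (header + b"".join(lines)).hex().upper()
```

Called with offset 0x12ED50 and the three hexworkshop lines quoted above, build_menu reproduces the tutorial's relocated block, which shows where the 0032ED5C in its header comes from: 0012ED50 plus the 00200000 base plus the 12-byte header.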
What you have now found is the phone security menu. You have to find the header of this menu; the header's address is in this case 00328D60. Find this and replace it with 0032ED50.

Remember to update or kill mcu checksums!
-------------------------------------------------
Adding the slideshow menu

Add these 2 lines of text using g3n0lite 1.6 below the Netmonitor and increase the menu count.

+ADD_TEXT SlideSh0w
[0xDEADBEEF] [0x00000000] [0x00000000] (0x0175) (0x0B64) (0x0000) (0x0000) (0x0000) (0x0000) SlideSh0w

Slideshow offset
logo 84x48 size / 26a length
12b92c - 12bb96
12bb24 - 12bdbe
12bd1c - 12bf86
12bf14 - 12c17e
-------------------------------------------------
How to Invert LCD

1. First make a backup of your phone 200000 - 400000
2. Make a copy of the backup
3. Open the backup copy in Hex Workshop.
4. Search for the following Hex String (without the spaces): 7809 4388 0600
5. Change the Hex String '88' to 'C0' (0 = zero, not the letter O) so it looks like this: 7809 43C0 0600
6. Save the file.
7. Open the file in NFree and calculate PPM & MCU Checksums
8. Flash the file back to the phone
9. Calculate the FAID with logger software
-------------------------------------------------
3310 5.57 offsets

Antenna : FC144 - FC148
Battery : FC15c - FC15f
Bar1    : FC1a0 - FC1a4
        : FC1b0 - FC1b2
        : FC1CC - FC1CD
        : FC1DC - FC1DD
Envelope: ee781 - ee78c
Padlock : ee814 - ee822
Cowboy  : 113f04 - 11416E
line2   : ee854 - ee85c
Silent  : 33860 - ee869

NetMonitor menulogo (use HexGraph by Mr. Max3232): location 12B960h, size 94h, screen 74x16
---
animated boot logo offsets 3310v5.57 (use HexGraph)
logo 84x48 size / 26a length / 1F8 offset difference
1st F5494 - F56FE
2nd F568C - F58F6
3rd F5884 - F5AEE
4th F5A7C - F5CE6
5th F5C74 - F5EDE
6th f5e6c - f60d6
7th f6064 - f62ce
----
[3310 offsets]

Antenna: Start: FC17C End: FC180
Battery: Start: FC194 End: FC197
Signal/Battery Bars:
4th: Start: FC1D8 End: FC1DB
3rd: Start: FC1e8 End: FC1ea
2nd: Start: FC204 End: FC205
1st: Start: FC214 End: FC215
-------------------------------------------------
Changing Menu Icons

1. First make a backup of your phone 200000 - 400000
2. Make a copy of the backup
3. Open the backup copy in NokHex 1.00
4. Select the menu graphic item that you want to change in the combo box at 4
5. As most of the menu graphics are animated (have more than one frame/picture in them) you must select the frame you want to edit in the combo box at 5.
6. After selecting the frame number at 5, you will notice that the empty text box (2) is now filled with characters (0-9 & A-F). This is the HEX code for the picture you are about to edit.
7. Click 'HEX to Pic' (7).
8. The frame you selected will now be showing in the 'LogoManager' style box (1).
9. Once the picture is showing, you can edit it with the mouse. LEFT CLICK = boxes fill with black, RIGHT CLICK = filled boxes are cleared.
10. After editing the frame and you are happy with it, click 'Pic to HEX' (5).
11. Click 'Save To File' (8)
12. Repeat steps 4 to 11 for every picture that you want to edit. It's best to only do one menu icon at a time - this way if you get contact service or kill your phone, you will know what is wrong.
13. After editing all the frames you want to, press 'Correct MCU Checksum' (9).
14. Flash the file back to your phone using rolis 4.7* and calculate the FAiD using b-phreaks logger & tek or FAiD monster & koci.
15. Your phone should have some new menu icons and all should be working if everything went well.

Some features of NokHex that might aid you in your editing:

Press Ctrl+E for 'AutoPic' - This feature displays the picture as soon as the HEX code is shown - saves you having to press 'Hex to Pic' all the time.
Press Ctrl+R for 'AutoHex' - This feature automatically changes the HEX code as you are editing the picture - saves you having to press 'Pic to HEX' all the time.
------------------------------------------------------
Flashing SMS for 33xx

1. Open PPM Manager
2. Click File, Open Flash, unmodified 3310.fls
3. Click Tools, TEXT Chunk, Export as two text files...
4. Enter Filename and click Save
5. At line:
   29 COMM .,?!:;-+#*()'"_@&$\xA3%/<>\xBF\xA1\xA7=\xA4\xB0\xA5
   delete the 2 characters \xB0\xA5
   add \x01 for BLINKING Character
   add \x0A for LineFeed Character
   so it looks like:
   29 COMM .,?!:;-+#*()'"_@&$\xA3%/<>\xBF\xA1\xA7=\xA4\x01\x0A
6. Save and Exit
7. Open PPM Manager and open the unmodified 3310.fls file again
8. Click Tools, TEXT Chunk, Import from text files
9. Browse to the modified TEXT file and click Open
10. Click Tools, Update All PPM CRCs
11. Save and Exit... Connect fone using Flasher
12. Using Rollis4.77 flash the modified 3310.fls on my phone
13. Using MBUS run/open Knok22
14. Click Phone settings, Quick set FAID
15. Click Modify locks, Reset SP lock
16. Click Phone settings, Reset phone
-------------------------------------------------------------------------------------
Changing Menu on 3310

1. First make a backup of your phone - Only PPM & MCU - NO EEPROM
2. Make a copy of the backup
3. Open the backup copy in PPM Manager
4. Select 'Tools' > 'TEXT Chunk' > 'Export as two text files...'
5. Save the text files to the desktop (somewhere where you won't forget where they are)
6. Open the *.txt file in Windows WordPad
7. Click the find button
8. Search then for 'Menu' or any word that you want to change - you can select match case if you want
9. You can now change 'Menu' (or your chosen word) to any word, any length BUT it must be able to fit on the screen - use the message editor to see if it fits, or to get a rough idea. If you notice, on your phone, 'Keypad Locked' is split into 2 lines - in the text file however, 'Keypad Locked' is separated by '\x0A'. This special character is the line feed character; it's like the 'Enter/Return' button on your keyboard.
10. After editing the *.txt file - save the changes
11. Open PPM Manager back up and select 'Tools' > 'TEXT Chunk' > 'Import from text files...'
12. Select the *.txt file that you just edited.
13. After completion of the text file import, you will notice that there is an exclamation mark (!) on the PPM line (shown in the picture above). This shows that there are errors in the PPM part of the flash.
14. Select 'Tools' > 'Update All PPM CRCs' - you will notice that the exclamation mark goes.
15. Click on 'Save' then 'Exit'
16. Flash the file back to your phone
17. If all went well, your phone should now display your desired word instead of 'Menu'

Menu is not the only thing that is changeable. I have also changed 'Unlock', 'Switch Off!', 'Phone book', 'Messages', 'Games', 'Tones' and a few more. Just look around in your backup.
------------------------------------------------------------------
* 3310 -> 3315

1. Open Rolis 4.77
2. Flash a 3310 5.47 PPM/MCU file
3. Open Knok (phoenix build 1)
4. Go to 'Phone Settings' and select 'Quick Set FAiD'
5. Go to 'Phone Settings' and select 'Convert 3310 into 3315'
6. Go to 'Phone Settings' and select 'Quick Set FAiD'
7. Go to 'Modify Locks'
8. Click on 'Reset SP Locks'
9. Go to 'Phone Settings' and select 'Reset User Interface Settings'
10. Go to 'Phone Settings' and select 'Quick Set FAiD'
11. Your Phone should now be a 3315.
--------------------------------------------------------------------------------
NFREE Troubleshooting guide

From the last quarter of year 2000 Nokia changed the protection scheme for how the sp lock is removed on nokia phones; that's why it was necessary to use different methods to unlock nokia phones, and Dejan invented a cheap way to flash Nokia phones without an expensive security box. Here we show a guide to fix common problems with flashing.

Possible problems after Flashing:

1. Symptoms: In the screen always appears CONTACT SERVICE
   Description: Indication that the data of the MCU or PPM or mostly EEPROM is corrupted.
   Solution: Apply Method A and Method E

2. Symptoms: In the screen INSERT SIM and then resets and then CONTACT SERVICE
   Description: Indication that the data of the MCU or PPM is corrupted
   Solution: Apply Method A

3. Symptoms: Phone with no network
   Description: Indication that the Faid still needs to be updated.
   Solution: Apply Method B. If the Faid was successfully updated and the error still remains, some checksums have incorrect values -> Apply Method C, Method A and Method B

4. Symptoms: Phone does not power on
   Description: Indication that the MCU data might be corrupted.
   Solution: Apply Method A

5. Symptoms: Strange pictures and ringtones after authorising faid
   Description: Indication that some eeprom registers need to be updated by the reset eeprom command.
   Solution: Apply Method D

6. Symptoms: Bad but still working network connection
   Description: Indication that some eeprom registers need to be updated by the reset eeprom command or a Factory Reset Command.
   Solution: Apply Method D

7. Symptoms: MSID is 000000000001000100000 after flashing
   Description: Indication that your phone either was unlocked partially or the MCU or PPM is corrupted
   Solution: Apply Method E or Method F

8. Symptoms: When getting into wap settings the phone hangs (6210, 3330)
   Description: Indication that it must be reset to factory settings after flashing
   Solution: Type *#7370# with the simcard in it; if that doesn't work then apply Method E

9. Symptoms: Blank screen after flashing and after entering the menu
   Description: Sometimes it is caused by a corrupted EEPROM, sometimes it's a DISPLAY problem
   Solution: First apply Method E; if that doesn't work then try to DELETE STARTUP LOGO (2 hands); if that also doesn't work, change the DISPLAY

Solution Methods:

Method A: Try to reflash the phone with the original or corrected backup by using a flasher cable and proggies for flashing, like kNok, flash tool or Dejan flasher.

Method B: Try to update the Faid with a comport cable and proggies such as Nokia tool 1.7b by Rolis, bPreaks Eeprom tool V3 or nk_calc from dejan.

Method C: Try to trace and recalculate the incorrect checksums in the flashfile with programs such as nFree1.2, flash analyser, ppm manager091 and many others (note: mostly a full flash file with only MCU & PPM data is required for these proggies).

Method D: Try to do a full phone reset by using a com port cable and proggies such as NokiaTool

Method E: Try to upload a virgin eeprom or an eeprom from a working phone, then change IMEI with eeprom tools 3.1, or Rolis 1.7b, or nk_calc, power off the phone and then back on; now all 4 locks are OPEN and the IMEI is changed. Now you UPDATE FAID using one of these 3 tools, and your phone works now. If your phone still doesn't get into the network use the log calculator by TEK.

Method F: Try to close all 4 locks with Nokiatool or similar (if it gets an error like CANNOT CLOSE LOCK don't worry, the locks are closed even if it says error; read the phone again and you will see), then flash your phone again with the MCU+PPM file; now read your phone's MSID. If it is ok, first unlock all 4 locks with the 3 tools mentioned above and then UPDATE FAID.

Comments are very welcome, it should be a thing we all agree with.

Glossary:

Flash: Flash is a type of memory. Its name comes from how the memory is designed: a section of memory cells can be erased in a single action or in a "flash". At NFREE, flash files are the files used to change programs or firmware inside the phones.
PPM: Post Programmable Memory, special package developed by Nokia for flexible upgrading.
MCU: Micro Controller Unit, the program part which contains instructions.
MSID: Mobile Subscriber Identifier.
FAID: Flash Authority IDentifier Number, 12 bytes, consisting of 4 bytes from fchk.c and 8 bytes from MSID calc.

netsplit.home.icq.com
haroldan 01/07/03
thanks to: nFree