sgmdoc.txt

                    -=================================-
                     Sagem Doctor Version 1.4c Read-me
                    -=================================-

Contents
--------

 - Introduction
 - What's new
 - Finding out phone id on MW93x phones
 - Repairing checksums
 - Repairing phones with "PB3 EEPROM"
 - Command line parameters
 - The different backup areas
 - (not!) Restoring with a backup from a different phone
 - Common problems


Introduction
------------
This program lets you read and write memory fields in the eeprom of a
Sagem 900 series phone. As several important settings are stored in
the eeprom, changes to the wrong fields can damage the phone in several
ways. Please do not change fields without a reason just to see what
happens.

A backup and restore function is included, but this might not help with
all problems because some errors will make data communication with the
phone impossible.

Anyway, YOU HAVE BEEN WARNED and please don't blame me if your phone
won't work after treating it with this program.

If you have a problem with Sagem Doctor, please read through this
text completely; many questions are answered here.

For comments or questions not answered in this text, contact me
by e-mail at <SagemDoctor@web.de>

The latest version of Sagem Doctor and other Sagem-related material
from me is available at my website:

   http://SagemDoctor.de.vu/


What's new?
-----------

SagemDoctor can now work on MW93x phones: See 'finding out phone id
on MW93x phones' for details. Thanx to ReMiX for the information!

Also, I worked on the interface (see the fancy colors?) and I have now
finished the functions to work on a prom_img file instead of a real
phone...

Backup files now also include the output of command 78 for finding
phone id / hash tables.


Repairing Checksums
-------------------

Sagem phones contain a number of checksum fields which protect
other fields in the eeprom. If these fields are changed without
also changing the checksum accordingly, the phone will display
"SIMLOCKED" even without a SIM card and will not work.

SagemDoctor contains a function to repair checksums after modifying
the protected fields, so you can change the data without the phone
becoming locked.

I wanted to include this function for a long time, and it became possible
with the help of 'ThS9' who provided me with everything I needed
to know about the algorithm.

You can also restore broken simlock data (which uses the same encryption)
in several ways:

 - you can use the data of a working phone,
 - you can use some standard values (note that this will
   enable a simlock on the phone),
 - you can manually enter lock data

  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  ! Before changing any field values or checksums, you should !
  ! create a backup of the eeprom to be able to restore your  !
  ! phone if something goes wrong.                            !
  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

When verifying checksums, you can choose between different actions
for repair:

- if you think the data in the prom- / flash-field is correct and the
  checksum is wrong, choose '1' to correct the checksum with the data
  from the field.

- if you think the data is wrong and the checksum is correct, choose
  '2' to rebuild the field data from the checksum.

In newer phones, Sagem uses different encryption keys for the checksums,
so you must check if your phone's encryption is supported by SagemDoctor.

Also, in newer phones SagemDoctor must read the phone id by brute force
because it can not be read normally anymore. However, this has some
problems:

  - it takes a few minutes (depends on how fast your pc is)
  - it only works if some of the checksum fields are still correct

However, you can write down the phone-id and enter it manually
so you don't have to do the brute-force method again.


Finding out phone id on MW93x phones
------------------------------------
If you want to repair the checksums on a MW93x phone, you
can't use the brute force algorithm to read the phone id,
because the phone id in these phones has a wider number range
than in older phones:

- old phones had phone ids between 033170000000 and 033170FFFFFF,
  so sagemdoctor had to check 16.7 million different numbers.

- the MW93x phones have ids between 000000000000 and FFFFFFFFFFFF,
  so there are 281474976 million different numbers - too many to check!
 
However, you can use the SagemT logger program (you can find it on
the internet with google) to read a log of the phone and then use this
log to calculate the phone id in sagemdoctor:

When sagemdoctor says it can not read the phone id, select the option
"3 - Read ID from SagemT log". You can then write down the calculated
id and enter it manually when you need it later.


Repairing phones with "PB3 EEPROM"
----------------------------------
There are many broken phones with this error message.

You can repair this problem, but it's not easy: If the phone has
this error, you sometimes can't work with the datacable anymore.

In this case, you must read and write the eeprom with an eeprom
programmer ("PonyProgrammer" is good for doing this). Contact
me for details about how to do this.

Step-by-Step Repair:

 o Try to find a working phone of the same model and with the same
   firmware version and create a backup of this phone.

 o Create a backup file of the broken phone.

 o Write the content of field 0 of the broken phone on a piece of paper.

 o If the phone has firmware version FT4.1M, you need the phone ID
   of the broken phone, so I hope you also have this :-) 

 o Write the backup of the working phone to the broken phone.

 o Set field 0 back to the original value from the piece of paper

 o Use SagemDoctor function '9' to repair the simlock and checksum
   fields

 o If everything worked as expected, you now have repaired your
   broken Sagem!

[This should work, at least in theory. I currently have no broken
 phone to try this, so there might be some other problems]


Command line parameters:
------------------------
Sagem Doctor can be called with the following command line parameters:

   -p [num]   : Use comport com[num] to communicate with the phone.

   -b [speed] : Use communication speed of [speed] bps.
                Allowed values are 2400/4800/9600/19200/38400/57600/115200

   -e         : The "etna" flag: suppress output of transferred data
                in the phone I/O-window. This can help on some
                computers where the text output is very slow.

   -?         : display help screen for the command line parameters.


The different backup areas:
---------------------------
The software in the phone stores information in "fields", numbered from
0 to 16383. However, most of the fields are not used in current phones.
When creating backups, you can select the field areas you want to backup.
If you select "all other fields", Sagem Doctor will try to read all
possible field numbers, even if they are empty. Because creating a full
backup takes a very long time, a quick backup will only read the fields
which are known to contain data.

This is the preferred choice for older firmware revisions, but new firmware
revisions can introduce new data in fields which were empty before. These
fields will not be read with quick backup, so choose "full backup" if
you think this is the case.

Hint: You can create a full and a quick backup and compare the size of
the backup files. If the size is the same, you can use quick backup.
  
Note that using the restore function will not delete fields that were empty
at the time of the backup and have been added to the memory since then. As
far as I know, this concerns game highscores, SMS and phonebook entries
stored in the phone and WAP-related fields on phones that support this.
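
The quick/full difference and the restore behaviour described above, shown
as an added example (not part of Sagem Doctor). It assumes a backup can be
modelled as a mapping of field number to bytes; the real backup file format
is not described in this text, and all field numbers and contents below are
constructed sample data.

```python
# Added illustration. Phone memory and backups are modelled as
# {field_number: bytes}; this is an assumption, not the real file format.
MAX_FIELD = 16383  # fields are numbered 0..16383 (from the text)

def full_backup(phone):
    """Try every possible field number and keep the ones that hold data."""
    return {n: phone[n] for n in range(MAX_FIELD + 1) if n in phone}

def quick_backup(phone, known_fields):
    """Read only the fields already known to contain data."""
    return {n: phone[n] for n in sorted(known_fields) if n in phone}

def backup_size(backup):
    """Stand-in for the file size comparison suggested in the hint."""
    return sum(len(data) for data in backup.values())

def missed_by_quick(full, quick):
    """Fields a quick backup skips, e.g. ones added by newer firmware."""
    return sorted(set(full) - set(quick))

def restore(phone, backup):
    """Write the backed-up fields back. Fields that are not in the backup
    are left untouched, so a restore is an overwrite and not a wipe."""
    after = dict(phone)
    after.update(backup)
    return after

def leftover_after_restore(phone_after, backup):
    """Fields still on the phone that the backup never contained."""
    return sorted(set(phone_after) - set(backup))

# Constructed sample: field 900 stands for data added by a newer firmware
# that is not in the hypothetical "known fields" list.
KNOWN_FIELDS = {0, 1, 2, 40}
PHONE = {0: b"\x11" * 8, 1: b"\x22" * 4, 2: b"\x33" * 4,
         40: b"\x44" * 2, 900: b"\x55" * 6}

if __name__ == "__main__":
    full = full_backup(PHONE)
    quick = quick_backup(PHONE, KNOWN_FIELDS)
    print("sizes:", backup_size(full), backup_size(quick))
    print("missed by quick backup:", missed_by_quick(full, quick))
    # After the backup, field 1 is changed and field 1200 is newly created.
    later = dict(PHONE, **{})
    later[1], later[1200] = b"\xff" * 4, b"entry"
    restored = restore(later, full)
    print("survives restore:", leftover_after_restore(restored, full))
```

Comparing the field numbers directly says more than comparing file sizes,
because it names the fields that a quick backup would miss.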


(Not!) Restoring with a backup from a different phone:
------------------------------------------------------
In general, it's not a good idea to write the memory content of
one phone into the memory of another phone. This will not solve
any problems but will instead give you a bunch of new problems
you do _not_ want to face.

 o You can NOT update/downdate your firmware by using a backup
   from a different phone! The phone firmware is stored in a
   different memory area which can not be written to with Sagem Doctor!

 o You can NOT remove the simlock by using a backup from
   a different (unlocked) phone!

If you still want to write a different backup to a phone (for example
because your phone is broken beyond repair), please follow the description
in the section "Repairing phones with PB3 EEPROM".


Common problems:
----------------

- Many "timeout" error messages when commands are sent
+ The Sagem phones have a built-in power saving function which will
  disable the data communication when not used for a certain period of time.
  Pressing 'C' on the phone will wake the phone up, so try this if
  you are having timeout problems.

- You have written a backup of a phone to a different phone, and now
  the phone does not work.
+ Please read the section about the backup function. If field 0 is changed,
  the phone displays an error message (usually "SIM missing"), because
  there is another (encrypted) copy of field 0 in an area that can not
  be read or written to by Sagem Doctor. The two copies must match, so
  write back the old value of field 0.
  If you don't remember the old field 0, you can use the IMEI from the
  label under the battery, and calculate field 0 from it. Look for a
  program called 'sagfield0rep...