; Advanced Security SMS Patch
; S55 FW 20
; (c) 2004 by ACiD[mrp]
; GSM Development Crew
; www.gsm-dev.com
; !!! BE CAREFUL USING THIS !!!
; !!! READ INSTRUCTIONS !!!
; this will send an SMS on SIM change after network connection
; this will send a new SMS after EVERY reboot with the new SIM card
; you can stop this by changing EEPROM block 5003 again to FFFF
; then it will start again on next SIM change.
; you need to have an EEPROM Block 5003 on your phone. Create this
; with the Siemens Debugger. Its size is 2 bytes and it should contain the
; data FFFF
; data AAAA means send Security SMS on next network connect
; data 1111 means send Security SMS on next network connect after
; next reboot.
; after send SMS data is changed from AAAA into 1111
; after reboot data is changed from 1111 into AAAA
; with this patch the "allow connection" warning no longer appears for any
; MIDlet (it is disabled globally, not only for the SecureSMS MIDlet).
; use this MIDlet:
; ftp://ronees.unets.ru/siemens/SecureSMS.rar
; a:\Java\jam\SecureSMS\GSM.jar
; change this to run another MIDlet
21A8D0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 613A5C4A6176615C6A616D5C53656375
21A8E0: FFFFFFFFFFFFFFFFFFFFFFFFFFFF 7265534D535C47534D2E6A617200
;---- New block. Segment address: CB0000 --------
8B2B9E: 26F01804E00DC4D02C00C4C02A00E02E 884088C088D088E088F0E6FC1000DA73
8B2BAE: 88E0E6FC6E24E6FD520100E066FEFF3F 870EE6FCAAAADA6130A898F098E098D0
8B2BBE: F2FF02FEDACE 98C09840DB00
;---- New block. Segment address: 610000 --------
21A800: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E00C88C0E00DE00E88E088D0E02F88F0
21A810: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FC8B13E6FDF000E03EE00FDAA212CD
21A820: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 06F00800E004D7400300F2F4F000DB00
21A830: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF D7400300F6FCF000E00C88C0E00DE00E
21A840: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 88E088D0E02F88F0E6FC8B13E6FDF000
21A850: FFFFFFFFFFFFFFFFFFFFFFFFFFFF E03EE00FDAA266CD06F00800DB00
21A85E: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DA6100A846F4FFFF2D04E6FCAAAADA61
21A86E: FFFFFFFFFFFFFFFF 30A8DA927264DB00
21A876: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 8840886088C088D088E088F0DA6100A8
21A886: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 46F4FFFF2D0846F411112D05BB0DE6FC
21A896: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 1111DA6130A898F098E098D098C09860
21A8A6: FFFFFFFFFFFFFFFF 984088908880DB00
21A8AE: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E006D7400D00F7FCD815E6FCD028E6FD
21A8BE: FFFFFFFFFFFFFFFFFFFF 8601E00EDA97ACAFCB00
;---- New block. Segment address: 990000 --------
59D2FC: 2D04 CC00
;---- New block. Segment address: 710000 --------
31A9CC: 88908880 DA6176A8
;---- New block. Segment address: CB0000 --------
8B2B06: DA927264 DA615EA8
Source code (use this to port the patch to other phones):
; .----------------------------------------.
; | SIEMENS S55 v20 |
; | Advanced Java Security Patch |
; | 2004 by ACiD [mrp] |
; | |
; | GSM Development Crew |
; | www.gsm-dev.com |
; | please sign guestbook|
; '----------------------------------------'
; --- Assembler controls (Keil A166) ---
; segmented memory model: the far calls (calls/rets) and seg()/sof() operators below need it
$Segmented
; C167 instruction set (needed for extp)
$Mod167
; you need to have EEBlock 5003 in Phone
; create this with Siemens Debugger (2 Byte = 0xFFFF)
; --- Firmware entry points and scratch locations ---
; All absolute addresses here are specific to the S55 firmware v20 and must be
; relocated when porting the patch to another phone/firmware.
WriteEEPROM EQU 0A2CD66h ; firmware routine, called by MyWriteEEPROM
ReadEEPROM EQU 0A2CD12h ; firmware routine, called by MyReadEEPROM
FreeSpace EQU 061A800h ; free flash where the MainRoutine section (helpers, hooks, MIDlet path) is placed
RunMIDlet EQU 097AFACh ; firmware routine, called by SendNow with the MIDlet path in r12/r13
HideSelectDefaultBook EQU 0730E87h ; firmware routine, called by main with r12 = 10h
ProviderName EQU 071A9CCh ; hook point for TestSend; NOTE: the EntryProviderName section below repeats this address as a literal instead of using the symbol
Patch_Address EQU 0CB2B9Eh ;Free Space in Flash (CHANGE THIS) - location of the Patch section (main)
TempSpaceInRAM EQU 0C0F0h ; 2 Bytes free space in RAM - transfer buffer used by MyReadEEPROM/MyWriteEEPROM
ByteBeforRunMIDlet EQU 0355D8h ; SendNow writes a zero byte here right before calling RunMIDlet (meaning of the byte is not documented here)
; Status of EEPROM Block 5003:
; FF - no need to send security SMS
; AA - send security SMS now
; 11 - send security SMS after reboot.
; Transitions: main (the hook at Patch_Address) sets AA; TestSend sends and then
; sets 11; TestSendAgain (boot hook) rewrites any value other than FF as AA.
; Note: TestSend sends for ANY value other than FF and 11, not only for AA.
Patch Section Code Word At Patch_address ; Start Patch at Patch_Address
main proc far ; start main of patch
; Original comment (German): the patch goes where the prompt
; "copy all entries into the address book?" used to be - presumably the point
; the firmware reaches after a SIM change.
; Effect: hides the default-book selection and marks EEPROM block 5003 = AAAA,
; so that the next TestSend (network hook) sends the security SMS.
; r0 is used as the software stack pointer here: [-r0] pushes, [r0+] pops.
; Saves/restores r4 and r12-r15 around the two far calls; what the firmware
; routine itself clobbers is not visible here.
mov [-r0], r4
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
mov r12, #10h ; argument for HideSelectDefaultBook (meaning of 10h not documented)
calls seg(HideSelectDefaultBook), sof(HideSelectDefaultBook)
mov r12, #0AAAAh ; new value for block 5003: "send security SMS now"
calls seg(MyWriteEEPROM), sof(MyWriteEEPROM)
mov r15, [r0+]
mov r14, [r0+]
mov r13, [r0+]
mov r12, [r0+]
mov r4, [r0+]
rets
main endp
Patch EndS
MainRoutine Section Code Word At FreeSpace ; Start Patch at Patch_Address
MyReadEEPROM proc far ; read EEPROM block 5003 (2 bytes) into r4
; Reads block 5003 into TempSpaceInRAM via the firmware ReadEEPROM routine
; and returns the 16-bit value in r4 (expected: 0FFFFh / 0AAAAh / 01111h,
; see the status table above).
; Out:   r4 = block contents
; Clobb: r4, r12-r15; four words are pushed on the r0 stack and released again
; Calling convention of ReadEEPROM (r12-r15 plus four stack words) is taken
; from the original author's comments; only r15 (byte count) is explained.
mov r12, #0
mov [-r0], r12 ; stack word 1 = 0 (purpose not documented)
mov r13, #0
mov r14, #0
mov [-r0], r14 ; stack word 2 = 0
mov [-r0], r13 ; stack word 3 = 0
mov r15, #2 ; DataToRead BYTES
mov [-r0], r15 ; stack word 4 = byte count
mov r12, #5003 ; EEBLOCK: 5003
mov r13, #POF(TempSpaceInRAM) ; DataToRead OFFSET
mov r14, #PAG(TempSpaceInRAM) ; DataToRead SEGMENT
mov r15, #0 ; Start at Byte (Offset)
calls seg(ReadEEPROM),sof(ReadEEPROM)
add r0, #8 ; drop the four stack words (4 x 2 bytes)
; NOTE(review): the result of ReadEEPROM is not checked - if the read fails,
; r4 receives whatever TempSpaceInRAM happened to contain before the call.
mov r4, #0h ; overwritten two instructions later (dead store)
extp #PAG(TempSpaceInRAM), #1 ; next instruction addresses page PAG(TempSpaceInRAM)
mov r4, POF(TempSpaceInRAM) ; r4 = value read from block 5003
rets
MyReadEEPROM endp
MyWriteEEPROM proc far ; write r12 into EEPROM block 5003 (2 bytes)
; Stores r12 in TempSpaceInRAM and hands that buffer to the firmware
; WriteEEPROM routine, writing 2 bytes to block 5003 at offset 0.
; In:    r12 = 16-bit value to store (0AAAAh or 01111h in this patch)
; Clobb: r12-r15; four words are pushed on the r0 stack and released again
; NOTE(review): the result of WriteEEPROM is not checked.
extp #PAG(TempSpaceInRAM), #1 ; next instruction addresses page PAG(TempSpaceInRAM)
mov POF(TempSpaceInRAM), r12 ; buffer = value to write
mov r12, #0
mov [-r0], r12 ; stack word 1 = 0 (purpose not documented)
mov r13, #0
mov r14, #0
mov [-r0], r14 ; stack word 2 = 0
mov [-r0], r13 ; stack word 3 = 0
mov r15, #2 ; DataToWrite BYTES
mov [-r0], r15 ; stack word 4 = byte count
mov r12, #5003 ; EEBLOCK: 5003
mov r13, #POF(TempSpaceInRAM) ; DataToWrite OFFSET
mov r14, #PAG(TempSpaceInRAM) ; DataToWrite SEGMENT
mov r15, #0 ; Start at Byte (Offset)
calls seg(WriteEEPROM),sof(WriteEEPROM)
add r0, #8 ; drop the four stack words (4 x 2 bytes)
rets
MyWriteEEPROM endp
TestSendAgain proc far ; this routine has to be called on every boot
; Boot hook (reached via CallPatch2 in the EntryBoot section).
; Block 5003 != FFFF -> rewrite it as AAAA, so the 1111 state left by TestSend
;                       becomes "send now" again after a reboot.
; Block 5003 == FFFF -> leave it alone (patch disarmed).
; Afterwards performs the original far call that the hook overwrote.
; NOTE(review): unlike TestSend, r4 and r12-r15 are not saved here; whether the
; firmware around the hook still needs them is not visible - confirm when porting.
calls seg(MyReadEEPROM), sof(MyReadEEPROM) ; r4 = block 5003
cmp r4, #0FFFFh
jmp cc_Z, no_SendAgain ; FFFF: nothing to do
SendAgain:
mov r12, #0AAAAh ; re-arm: 1111 (or any other non-FFFF value) becomes AAAA
calls seg(MyWriteEEPROM), sof(MyWriteEEPROM)
no_SendAgain:
calls seg(0926472h), sof(0926472h) ;overwritten command: the original call at 0CB2B06h that CallPatch2 replaced
rets
TestSendAgain endp
TestSend proc far
; Network hook (reached via CallPatch in the EntryProviderName section at
; ProviderName); the header describes this point as "after network connection".
; If block 5003 is neither FFFF nor 1111 (documented case: AAAA) the MIDlet is
; started via SendNow and the block is set to 1111, so nothing is sent again
; until the next reboot (TestSendAgain turns 1111 back into AAAA).
; NOTE(review): the check is "not FFFF and not 1111" rather than "== AAAA", so
; any other value (e.g. a stale or uninitialised block) also triggers a send.
; Saves r4, r6, r12-r15 (r6 is clobbered by SendNow, r4/r12-r15 by the EEPROM
; helpers), then re-executes the two pushes the hook overwrote and returns.
mov [-r0], r4
mov [-r0], r6
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
calls seg(MyReadEEPROM), sof(MyReadEEPROM) ; r4 = block 5003
cmp r4, #0FFFFh
jmp cc_Z, no_Send ; FFFF: disarmed
cmp r4, #01111h
jmp cc_Z, no_Send ; 1111: already sent since the last reboot
call SendNow ; near call, same segment (MainRoutine)
mov r12, #1111h
calls seg(MyWriteEEPROM), sof(MyWriteEEPROM) ; block 5003 = 1111
no_Send:
mov r15, [r0+]
mov r14, [r0+]
mov r13, [r0+]
mov r12, [r0+]
mov r6, [r0+]
mov r4, [r0+]
mov [-r0], r9 ; replaced code: first of the two pushes at ProviderName that CallPatch overwrote
mov [-r0], r8 ; replaced code: second push (the two 2-byte movs equal the 4-byte calls)
rets
TestSend endp
SendNow proc near
; Starts the SecureSMS MIDlet (path in the String section) through the firmware
; RunMIDlet routine. Near proc: called from TestSend within the same segment,
; so its `ret` is a near return.
; Clobb: r6, r12-r14
mov r6, #0
extp #PAG(ByteBeforRunMIDlet), #1 ; next instruction addresses page PAG(ByteBeforRunMIDlet)
movb POF(ByteBeforRunMIDlet), rl6 ; store byte 0 there before RunMIDlet (meaning of this byte is not documented here)
mov r12, #POF(String) ; r12/r13 = offset/page of the zero-terminated MIDlet path
mov r13, #PAG(String)
mov r14, #0 ; third RunMIDlet argument (meaning not documented)
calls seg(RunMIDlet), sof(RunMIDlet)
ret
EndPoint: ; end of the code; the String data section is placed here
SendNow endp
MainRoutine EndS
String Section Data Byte At (EndPoint)
; Zero-terminated path of the MIDlet that SendNow passes to RunMIDlet.
; Placed directly after the MainRoutine code (EndPoint); it is the string
; visible in the hex dump at 21A8D0 above. Change the path to run another MIDlet.
db "a:\Java\jam\SecureSMS\GSM.jar", 0
String EndS
DisableJavaQestion Section Code Word At 099D2FCh
DisableJavaQestion_main proc far ; replace the conditional jump at 099D2FCh with a nop
; Overwrites the 2-byte conditional jump at this address (2D04, a `jmpr cc_Z`,
; in the hex dump above) with a nop, so the firmware falls through instead of
; branching. This is presumably the part of the patch that removes the
; "allow connection" question; per the header it does so for every MIDlet on
; the phone, not only for the SecureSMS one, i.e. any Java application then
; gets network access without the user being asked.
nop
DisableJavaQestion_main endp
DisableJavaQestion EndS
EntryProviderName Section Code Word At 071A9CCh
; Hook: this address equals the ProviderName symbol defined above.
CallPatch proc far
; Replaces the two pushes (`mov [-r0], r9` / `mov [-r0], r8`, 4 bytes) at
; 071A9CCh with a 4-byte far call to TestSend; TestSend re-executes those two
; pushes before returning so the original code path is preserved.
calls seg(TestSend), sof(TestSend)
CallPatch endp
EntryProviderName EndS
EntryBoot Section Code Word At 0CB2B06h
CallPatch2 proc far
; Replaces the original far call at 0CB2B06h (to 0926472h) with a far call to
; TestSendAgain; TestSendAgain performs the original call itself before
; returning, so the boot sequence is preserved.
calls seg(TestSendAgain), sof(TestSendAgain)
CallPatch2 endp
EntryBoot EndS

