Friday 20 March 2009

Phone Lock Picking Continued

I have spent some more time on retrieving the phone lock code from Nokia E-series models. It appears that on E-series phones the security code is not stored in the persistent memory (PM). However, I did manage to find a flag value in the PM which is used to enable or disable the phone lock. On the E65, this is the value in field 308, sector 8. Setting this value to 0x00 disables the phone lock. On the E70, this value is stored in field 95, sector 0. Unfortunately the E71 appears to store neither this flag value nor the phone lock code in the PM.

In short, it is difficult to predict where a given E-series model stores its security code data. The best way to find it (at least, that is how I did it) is to compare memory dumps of a test model taken before and after changing the security code and enabling/disabling the lock. I used the tool vbindiff to compare the dumps and find the differences. The differences may indicate where the security code data is stored.

Wednesday 11 March 2009

How to pick a Nokia phone lock

Today I have been working on security code retrieval from various Nokia smartphones. Nokia phones can be configured to lock the device with a password (note the difference with the SIM PIN code) after a certain idle period and at boot time. A locked phone does not respond to USB, Bluetooth or keyboard input. You can see how this may pose a problem for a forensic investigation of such a device...

For Nokia phones there are ways to retrieve or reset this security code without changing relevant user data on the phone.
1. For DCT3 and DCT4 Nokia models it is possible to calculate a master code from the phone's IMEI number. This 10-digit master code overrides the security code. Unfortunately the newer phones are not DCT3 or DCT4 but BB5 phones.

2. THC posted a method that uses a flaw in the Nokia software to auto-execute software from the MMC card even though the phone is locked. I haven't tried this method (yet), but I am curious to see on which Nokia models it works and whether it depends on the OS version.

3. This is my favourite, since it only involves a read from memory, so I can guarantee not to alter any user data. All that is needed is a flasher tool like JAF or NSS and the proper cables.
Nokia phones store the security code in a part of the memory called the persistent memory, or PM. The PM is not touched by the ROM flash file when the phone is flashed. The PM may store information like the security code, the Bluetooth address and service provider info. The JAF tool can extract this PM and store it in a file. A quick peek into these PM files shows the security code in clear text! I have tried it on the following models: Nokia 6600, N72, N78 and N95. Here is an example of a PM value containing the security code:
[35]
0=35 34 33 32 31 00 00 00

The first 5 bytes contain the 5 digits of the security code: just subtract 0x30 from each byte (the digits are stored as ASCII characters). This gives 54321 as the security code. Easy huh! Now, I have tried this method on an E70 and an E71, but it appears these models store the security code in some encoded form.
This method might just work for all newer Nokia models that do not have a QWERTY keyboard.
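As an added illustration (example code written for this page, not the author's tooling and not part of JAF or NSS), the Python script below parses two PM dumps in the text layout of the sample above, reports every record that decodes as a clear-text digit string (the candidate security code), and diffs a before/after pair to locate the records that changed, which is the dump comparison approach described in the 20 March post above. It assumes that a `[n]` header names field n and that the number before `=` is the record (sector) index within that field; both dumps are constructed for the example, and apart from field 35 the field numbers are placeholders rather than known storage locations. The accepted code length (5 to 10 digits) is also an assumption.

```python
"""Locate and decode Nokia security-code data in JAF-style PM text dumps.

Added example for this page, not the author's tool and not JAF/NSS code.
Assumptions: "[n]" opens field n; "i=hex bytes" inside it is record
(sector) i of that field; a security code is stored as ASCII digits
(0x30..0x39) terminated by 0x00 or by the end of the record. Both dumps
below are constructed; except for field 35, their field numbers are
placeholders and not known storage locations.
"""
import re
from typing import Dict, List, Optional, Tuple

PmKey = Tuple[int, int]        # (field number, record index)
PmDump = Dict[PmKey, bytes]

# Constructed "before" dump: security code 54321, lock flag set to 1.
PM_BEFORE = """\
[1]
0=00 11 22 33 44 55
[35]
0=35 34 33 32 31 00 00 00
[308]
8=01
"""

# Constructed "after" dump: code changed to 12345, lock flag cleared.
PM_AFTER = """\
[1]
0=00 11 22 33 44 55
[35]
0=31 32 33 34 35 00 00 00
[308]
8=00
"""

_SECTION = re.compile(r"\[(\d+)\]")


def parse_pm(text: str) -> PmDump:
    """Parse the INI-like dump text into {(field, record): raw bytes}."""
    records: PmDump = {}
    field: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.fullmatch(line)
        if m:
            field = int(m.group(1))
            continue
        if field is None or "=" not in line:
            raise ValueError(f"record outside a [field] section: {line!r}")
        index, hexdata = line.split("=", 1)
        records[(field, int(index))] = bytes.fromhex(hexdata.replace(" ", ""))
    return records


def decode_digits(data: bytes, min_len: int = 5, max_len: int = 10) -> Optional[str]:
    """Return the leading ASCII-digit run of a record as a string, or None
    when it does not look like a code (wrong length or not NUL/end terminated).
    Subtracting 0x30 from each byte turns 0x35 into the digit 5."""
    digits = []
    for byte in data:
        if 0x30 <= byte <= 0x39:
            digits.append(str(byte - 0x30))
        else:
            break
    n = len(digits)
    terminated = n == len(data) or data[n] == 0x00
    if min_len <= n <= max_len and terminated:
        return "".join(digits)
    return None


def find_codes(dump: PmDump) -> Dict[PmKey, str]:
    """Every record that decodes as a digit string: candidate security codes."""
    found = {}
    for key, data in dump.items():
        code = decode_digits(data)
        if code is not None:
            found[key] = code
    return found


def diff_pm(before: PmDump, after: PmDump) -> List[Tuple[PmKey, Optional[bytes], Optional[bytes]]]:
    """Records whose bytes differ between two dumps (None = absent in one)."""
    keys = sorted(set(before) | set(after))
    return [(k, before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)]


def classify(changes) -> Dict[PmKey, str]:
    """Label each changed record by what the change looks like."""
    labels = {}
    for key, old, new in changes:
        if old is None or new is None:
            labels[key] = "present in only one dump"
        elif decode_digits(old) and decode_digits(new):
            labels[key] = "digit string changed (candidate security code)"
        elif {old, new} <= {b"\x00", b"\x01"}:
            labels[key] = "0x00/0x01 byte flipped (candidate lock enable flag)"
        else:
            labels[key] = "changed (unclassified)"
    return labels


if __name__ == "__main__":
    before, after = parse_pm(PM_BEFORE), parse_pm(PM_AFTER)
    for key, code in find_codes(before).items():
        print(f"field {key[0]} record {key[1]}: clear-text code {code}")
    for key, label in classify(diff_pm(before, after)).items():
        print(f"field {key[0]} record {key[1]}: {label}")
```

Running it on a real pair of dumps taken before and after a code change on a test phone gives the same two kinds of hits the posts describe: a record holding the digits in clear text, and a single byte that flips when the lock is enabled or disabled. Records that change but fit neither pattern (counters, the encoded form seen on the E70/E71) are listed as unclassified so they can be examined by hand.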

I am curious to see how security codes can be retrieved, reset or circumvented on other phones.

Tuesday 3 March 2009

Hello World

Welcome to my fresh blog on small-scale digital device forensics!
Let me give you a short introduction of myself. My name is Ivo Pooters and I am currently (hopefully not for long) a student of Information Security at the Technical University of Eindhoven. Just recently I discovered the wonderful world of digital forensics and decided to do my thesis research in this area. Besides doing my thesis I am working at the Forensics department of Fox-IT, a company specialized in Information Security.
To give you a small insight into my thesis project: I am looking into new methods to acquire a forensic image from Symbian smartphones. Of course, in time the results will be posted here.


My plan with this blog is to share my thoughts, information and experiences with anyone who is interested. Even more, I am looking forward to useful comments from you, the readers.