It seems that everybody knows how it works, but not Nokia, since they didn't
change anything in their SW to prevent it.
Then again, maybe not!
Why did they leave a BIG hole in SP security...?
BB5 uses RSA and AES algorithms that run from secure ROM and RAM.
The main SP routines are stored in FLASH in the block "PA_SL"; those routines are
loaded into secure RAM and, if the RSA signature is correct, the CPU runs them.
BUT the "SP SERVER" is part of the MCUSW, which runs DIRECTLY from
FLASH and is not protected?!!! Well, it is checked only once, when the phone starts!
After that you can patch the code in flash on the fly.
The ARM CPU reads data from flash in bursts; in this case it is a burst of 32 bytes
starting at a 32-byte aligned address.
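The weakness above is that the MCUSW image is checked once at boot and then executed from flash without any further check. As an added illustration (not code from the original post, and not anything Nokia ships), here is the defensive counterpart in C: seal a per-burst digest at boot and re-verify it at runtime, so a post-boot patch is reported as the 32-byte burst it landed in. The flash image, burst count and FNV-1a digest are constructed stand-ins.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BURST_BYTES 32u   /* the CPU fetches flash in 32-byte aligned bursts */
#define NUM_BURSTS  4u    /* constructed: tiny stand-in for the MCUSW region */

/* Constructed stand-in for code that runs directly from FLASH (no real image). */
static uint8_t flash_image[NUM_BURSTS * BURST_BYTES];

typedef struct { uint64_t burst_digest[NUM_BURSTS]; } image_ref_t;

/* FNV-1a 64-bit; a placeholder for the strong digest a real check would use. */
static uint64_t digest(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Boot time: after the one-off signature check passes, record one digest per burst. */
void image_seal(image_ref_t *ref, const uint8_t *img) {
    for (unsigned b = 0; b < NUM_BURSTS; b++)
        ref->burst_digest[b] = digest(img + b * BURST_BYTES, BURST_BYTES);
}

/* Runtime: re-verify the region. Returns -1 if intact, else the first modified burst. */
int image_check(const image_ref_t *ref, const uint8_t *img) {
    for (unsigned b = 0; b < NUM_BURSTS; b++)
        if (digest(img + b * BURST_BYTES, BURST_BYTES) != ref->burst_digest[b])
            return (int)b;
    return -1;
}

/* Demo: seal a clean image, then simulate a post-boot patch inside burst `burst`.
 * Returns what the runtime re-check reports; -2 if the boot-time check itself
 * failed, -3 if `burst` is out of range. */
int demo_detect_patch(unsigned burst) {
    image_ref_t ref;
    if (burst >= NUM_BURSTS) return -3;
    memset(flash_image, 0xA5, sizeof flash_image);          /* constructed "code" */
    image_seal(&ref, flash_image);
    if (image_check(&ref, flash_image) != -1) return -2;    /* clean image passes */
    flash_image[burst * BURST_BYTES + 5] ^= 0x01;            /* one patched byte */
    return image_check(&ref, flash_image);
}

int main(void) {
    printf("patch in burst 2 detected at burst %d\n", demo_detect_patch(2));
    return 0;
}
```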
So, the first step is to find where the code that has to be patched sits in FLASH.
You can find that by desoldering the FLASH from the phone and reading it with some
programming device.
Or you can use my software to extract the mcusw from Nokia update SW files.
Find the biggest file in the dir and rename it to "infile". Run "fls2bin.exe", wait, and two
files will be created. One of them is "mcusw".
NOTE: fls2bin may not work with all CPU flash files!
End of Part 1