Tutorial: How to FORCE Broadcom Phones into TEST MODE Procedure to FORCE Broadcom Phone into TEST MODE:


1. Load ANY Valid Broadcom BB5 Flash File to ATF Software
2. UNCHECK ALL the Flash Files you have Loaded (NOTHING will be FLASHED)
3. UNCHECK "Factory Reset"
4. UNCHECK "Backup Simlock"

5. Remove battery from phone but connect USB Cable

6. Click "FLASH" Button and put Battery to the Phone when the
Software Asks you to...

*** ATF Software will now BOOT your Phone into FLASH MODE then exit
directly into "TEST MODE"...

 *** You need to wait about 60 Seconds depending on how windows
handles your MTP Driver... Anyway, the ATF Software will wait until the
phone link has been properly established.


BUSCHECK USB


Code:
Number of Image Files: 3
Processing Image File :
rm618__08.25.mcusw
CMT Type : BB5
CMT Algorithm : XSR 1.6
Secondary Sending Speed : 650000Hz
Algorithm Sending Speed : 6500000Hz
Program Sending Speed : 6500000Hz
Message Reading Speed : 98000Hz
Number of Blocks : 511
Entry Point: 0x01E5
Page Format : -1
MAX PAGE : 0x0000E000
Processing Image File :
rm618__08.25.ppm_t
CMT Type : BB5
CMT Algorithm : XSR 1.6
Secondary Sending Speed : 650000Hz
Algorithm Sending Speed : 6500000Hz
Program Sending Speed : 6500000Hz
Message Reading Speed : 98000Hz
Number of Blocks : 129
Entry Point: 0x0100
Page Format : -1
MAX PAGE : 0x0000E000
Processing Image File :
rm618__08.25.image_t_0595287
CMT Type : BB5
CMT Algorithm : XSR 1.6
Secondary Sending Speed : 650000Hz
Algorithm Sending Speed : 6500000Hz
Program Sending Speed : 6500000Hz
Message Reading Speed : 98000Hz
Number of Blocks : 336
Entry Point: 0x0134
Page Format : -1
MAX PAGE : 0x0000E000
 
 
AUTO SELECTED DEAD USB FLASHING...
If Flashing DOES NOT Start in 5 Seconds,
Then Perform Steps 1, 2, 3 and 4...
1. Remove USB and Battery...
2. Insert USB.
3. Insert Battery. (Some phones boot automatically)
4. Please Power on phone shortly...
AdvanceFBox SendBootCodeEx
InitialiseBootstrap_DCT5 DIR
BootFlashMode_DCT5
BootRom Verified!
BootFlashModeDCT5Ex Succeeded First Time
SYSTEM_ID_RESPONSE_BB5 (0xC0) - 0 (0x00) bytes returned
Number of Sub Blocks 6 (0x06)
1 SYSTEM_ASIC_ID 01
Block Length : 17 (11)
BB ASIC Index : 0 (00) CMT
ID DWORD 0 : 00000000
ID DWORD 1 : 00000000
ID DWORD 2 : 22000509
ID DWORD 3 : 200C0000
2 ROM_ID 15
Block Length : 5 (05)
BB ASIC Index : 0 (00) CMT
ID DWORD 0 : 00005361
3 PUBLIC_ID 12
Block Length : 21 (15)
BB ASIC Index : 0 (00) CMT
ID DWORD 0 : B1096A83
ID DWORD 1 : 135F4216
ID DWORD 2 : 1575A668
ID DWORD 3 : 5044D453
ID DWORD 4 : E87FCD90
4 ASIC_MODE_ID 13
Block Length : 2 (02)
BB ASIC Index : 0 (00) CMT
Mode Id : 00
5 ROOT_KEY_HASH 14
Block Length : 17 (11)
BB ASIC Index : 0 (00) CMT
Hash : 1B 0D 74 C5 32 CA 1C 61 33 94 0C 74 0E 8C 78 6E
6 ROM_ID 15
Block Length : 9 (09)
BB ASIC Index : 0 (00) CMT
CRC 0 : DE56D582
CRC 1 : BDDE7A3A
START FLASHING
RawLoaderExtract: rm618__08.25.mcusw
CMT Secondary Loader: C:\AdvanceBox Turbo Flasher\Nokia\BB5_Loader\BB5_USBLoaders\BCM21351_usb2nd.fg
Secondary Loader Sent....
MCU_CONFIGURATION_RESPONSE_BB5:
MessageID : C1
SubBlocks : 06
1 Sub Block ID : 10 STORAGE_DEVICE_ID_BB5
Block Length : 0B
BB ASIC Index : CMT 00
Device Type : RAM 05
Device Index : 00
Manufacturer Code : 0000 -> Flash
Device ID : 0000 -> not detected
Extended/Fixed ID : 0000
Revision ID : 0000
2 Sub Block ID : 10 STORAGE_DEVICE_ID_BB5
Block Length : 0B
BB ASIC Index : CMT 00
Device Type : MMC 04
Device Index : 00
Manufacturer Code : FFFF -> Flash
Device ID : 0000 -> BAD FLASH TYPE
Extended/Fixed ID : 0000
Revision ID : 0000
3 Sub Block ID : 10 STORAGE_DEVICE_ID_BB5
Block Length : 0B
BB ASIC Index : CMT 00
Device Type : NOR 00
Device Index : 00
Manufacturer Code : 0020 ->
Device ID : 0030 -> Type not in database
Extended/Fixed ID : 0000
Revision ID : 0131
4 Sub Block ID : 10 STORAGE_DEVICE_ID_BB5
Block Length : 0B
BB ASIC Index : CMT 00
Device Type : NOR 00
Device Index : 01
Manufacturer Code : 0000 -> SPANSION
Device ID : 0001 -> not used
Extended/Fixed ID : 0000
Revision ID : 0000
5 Sub Block ID : 10 STORAGE_DEVICE_ID_BB5
Block Length : 0B
BB ASIC Index : CMT 00
Device Type : MuxOneNAND 03
Device Index : 00
Manufacturer Code : 0020 ->
Device ID : 0030 -> Type not in database
Extended/Fixed ID : 0000
Revision ID : 0131
6 Sub Block ID : 35 NAND_DRIVER_VERSION_BB5
Block Length : 09
BB ASIC Index : CMT 00
Data :
SearchForBootstrap_DCT5 : No Error - 0 (0x00)
Flash De******or
Manufacturer Code : 0020
Device ID : 0030
Extended/Fixed ID : 0000
Revision ID : 0000
Size : 08000000 (128 MB)
VPP Info : 0000
Erase10s : 1E
Block1s : 32
BErase1s : 02
Reserved0 : 00
Reserved1 : 00
Reserved2 : 00
CMT Algorithm Loader: C:\AdvanceBox Turbo Flasher\Nokia\BB5_Loader\BB5_USBLoaders\BCM21351_XSR16_usbalg.fg
Algorithm Loader Sent...
FUR_Control_AddClient_BB5() ASIC_INDEX_CMT (Ready)
FUR control Ok
START READING RPL DATA
IMEI: 353423040652148
Reading : NPC... OK!
Reading : CCC... OK!
Reading : HWC... OK!
Reading : R&D... OK!
RPL Backup was Successful...
Plain RPL saved to:
C:\AdvanceBox Turbo Flasher\Nokia\Backup\353423040652148\353423040652148_102114.rpl
Pabub KEY Request
PhoneInfoRequest_BB5 (Asic Index 00 )
PHONE_INFO_RESPONSE_BB5
PAPUB_KEYS_HASH_RESP_BB5 2A
BB Asic Index : 00
CMT PAPUBKEYS HASH:
E9700989029D9E899915F781B1582048E042A738
ContinueFlash_DCT5 Complete
Continue Flash Complete : : No Error - 0 (0x00)
Status_BB5 STATUS_REQUEST_BB5..
1 Sub Block ID : 15 STATUS_NAND_OK_BB5
Block Length : 0F
BB ASIC Index : 00
Device Type : 03
Device Type : 00
Num Bad Blocks : 00000001
Additional Bad : 00000001
Correctable ECC : 00000000
FlashInfo.RestartMode : 2
Flashing Done...
Total Flashing Time (Erase + Flashing) : 00:00:01
(Booting time is NOT Included)
Waiting for Phone to Start-Up..(Max 150 seconds)
Elapsed Time: 5 Seconds...
Elapsed Time: 10 Seconds...
Elapsed Time: 15 Seconds...
Elapsed Time: 20 Seconds...
Elapsed Time: 25 Seconds...
Elapsed Time: 30 Seconds...
Elapsed Time: 35 Seconds...
Elapsed Time: 40 Seconds...
Elapsed Time: 45 Seconds...
Elapsed Time: 50 Seconds...
Elapsed Time: 55 Seconds...
Elapsed Time: 60 Seconds...
SW: V 08.25 19-05-11 RM-618 (c) Nokia
IMEI: 353423040652148
CONFIG KEY : 0000000000000000
PROVIDER KEY : 2440700000000000
NETWORK NAME : Nokia Default;Finland
LOCK COUNTERS : KEYPRESS 0/3, FBUS 0/10
SIMLOCK TABLE :
Block [1] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [2] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [3] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [4] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [5] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [6] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [7] 1:Open 2:Open 3:Open 4:Open 5:Open
SIMLOCK STATE : Not Locked
SIMLOCK_TEST : PASSED
SECURITY_TEST : PASSED
SUPER_DONGLE_TEST : PASSED
SECURITY_CODE : 12345
================================================
SL3 Phone detected
================================================
* Firmware Version Downgrade will KILL PHONE !!!
* Manual Full Erase WILL KILL PHONE!!!
* Simlocks are in PM 120 Only...
* PM 308 is Write Protected...
 





Once phone is in TEST MODE, Scan phone should give you a lot
of Phone Info like this:
Code:
 
Scanning USB Ports...
================================================
Basic Phone Information
================================================
MCU Version: V 08.25 19-05-11 RM-618 (c) Nokia
IMEI Plain : 353423040652148
IMEI Spare : A353423040652140
IMEI SV : 33534230406521439F
Phone Model: Nokia X2-00
Category : Entry
Phone Type : RM-618
================================================
Extended Phone Information
================================================
Product Serial Number: DNO299898
Product Code : 0595285
Module Code : 0204491
Basic Production Code: 0591973
Long Production SN : 0
PPM SW Version : V 08.25 19-05-11 RM-618 (c) Nokia T
BT MCM Version : 2.31-SP2.31
MCU SW Version : V 08.25 19-05-11 RM-618 (c) Nokia
HW Version : 1000
RFIC Version : 9
LCD Version : SEIKO
BOM ID : 00
Content Pack Version : Content: t_0595287 V 08.25 19-05-11 RM-618 (c) Nokia
Bluetooth ID : 6C:9B:02:24:FB:27
CS Type : GSM850, GSM900, GSM1800, GSM1900
================================================
Simlock Information
================================================
CONFIG KEY : 0000000000000000
PROVIDER KEY : 2440700000000000
NETWORK NAME : Nokia Default;Finland
LOCK COUNTERS : KEYPRESS 0/3, FBUS 0/10
SIMLOCK TABLE :
Block [1] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [2] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [3] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [4] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [5] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [6] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [7] 1:Open 2:Open 3:Open 4:Open 5:Open
SIMLOCK STATE : Not Locked
SIMLOCK_TYPE : PA_SL3 (15-digit NCK)
SIMLOCK_TEST : PASSED
SECURITY_TEST : PASSED
SECURITY_CODE : 12345
PHONE_MODE : TEST

================================================
Dynamic Camera Configuration
================================================
DCC ID : NI00BC0000040A4E2000
DCC Ver: 003005
Status : OK
 





Now you can DECRYPT PM 120 HASHES AGAIN and it will GENERATE
the JOB FILE for ATF Server Now!!!


Code:
Scanning USB Ports...
================================================
Basic Phone Information
================================================
MCU Version: V 08.25 19-05-11 RM-618 (c) Nokia
IMEI Plain : 353423040652148
IMEI Spare : A353423040652140
IMEI SV : 33534230406521439F
Phone Model: Nokia X2-00
Category : Entry
Phone Type : RM-618
================================================
Extended Phone Information
================================================
Product Serial Number: DNO299898
Product Code : 0595285
Module Code : 0204491
Basic Production Code: 0591973
Long Production SN : 0
PPM SW Version : V 08.25 19-05-11 RM-618 (c) Nokia T
BT MCM Version : 2.31-SP2.31
MCU SW Version : V 08.25 19-05-11 RM-618 (c) Nokia
HW Version : 1000
RFIC Version : 9
LCD Version : SEIKO
BOM ID : 00
Content Pack Version : Content: t_0595287 V 08.25 19-05-11 RM-618 (c) Nokia
Bluetooth ID : 6C:9B:02:24:FB:27
CS Type : GSM850, GSM900, GSM1800, GSM1900
================================================
Simlock Information
================================================
CONFIG KEY : 0000000000000000
PROVIDER KEY : 2440700000000000
NETWORK NAME : Nokia Default;Finland
LOCK COUNTERS : KEYPRESS 0/3, FBUS 0/10
SIMLOCK TABLE :
Block [1] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [2] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [3] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [4] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [5] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [6] 1:Open 2:Open 3:Open 4:Open 5:Open
Block [7] 1:Open 2:Open 3:Open 4:Open 5:Open
SIMLOCK STATE : Not Locked
SIMLOCK_TYPE : PA_SL3 (15-digit NCK)
SIMLOCK_TEST : PASSED
SECURITY_TEST : PASSED
SECURITY_CODE : 12345
PHONE_MODE : TEST
 
================================================
Decrypt SL3 PM 120 HASHES for Brute Force Unlock
================================================
Decrypting PM 120...
PM 120 HASHES Extracted Successfully
7443282D273800D1D1EDA1A4EAE6C1D390404AAE
9456247C972B2B1937DD11C66F2DF58906D7F549
A999A480B33464A6DFE7C221EF6D2A3780984C6D
C6B6FD6D7B201B559CD44F60E2A76DCC2155C1EE
2A5B4411BA9CD3824337ABEBEBCA2BD224D2BA51
E97CFBED287814DB0C25007CFA92A87F32CA38CA
1B894741A59C8DE9D69B59A1413BFDB5B4C50FF0
8A0A014F56D1F8EEE0B1F5E78E6B96A10AEC59C8
 
 
Log Files for Local Brute Force Saved to:
C:\AdvanceBox Turbo Flasher\Nokia\Bruteforce\353423040652148\353423040652148.job
C:\AdvanceBox Turbo Flasher\Nokia\Bruteforce\353423040652148\353423040652148.log
C:\AdvanceBox Turbo Flasher\Nokia\Bruteforce\353423040652148\353423040652148.bcl
C:\AdvanceBox Turbo Flasher\Nokia\Bruteforce\353423040652148\353423040652148.sha
Command Line for ighashgpu:
Saved as MS Batch File: 353423040652148_ighashgpu.bat
Command Line for oclHashcat-lite64 (AMD Cards 64-Bit OS):
Saved as MS Batch File: 353423040652148_AMD_oclHashcat_64-bit.bat
Command Line for oclHashcat-lite32 (AMD Cards 32-Bit OS):
Saved as MS Batch File: 353423040652148_AMD_oclHashcat_32-bit.bat
Command Line for cudaHashcat-lite64 (NVIDIA Cards 64-Bit OS):
Saved as MS Batch File: 353423040652148_NVIDIA_cudaHashcat_64-bit.bat
Command Line for cudaHashcat-lite32 (NVIDIA Cards 32-Bit OS):
Saved as MS Batch File: 353423040652148_NVIDIA_cudaHashcat_32-bit.bat
Process Done!