reverse-engineering checksum nokia firmware

How to modify checksum after making changes in Nokia 215 4G firmware?


If I change any character in the firmware file and try to flash it, it will fail. But it will flash successfully if I change a string to one with the same number of characters, if it's not a function.

After further searching, I found out about the checksum and that in order to flash the custom firmware, you need to calculate it and modify it in the firmware.

This is the firmware:

https://www.mediafire.com/file/ok2c0qodao5fld1/Nokia_215_4G_readed_test.pac/file

I use HxD to read the file.

If I search for checksum, I got some results ->


Also, I searched for sha ->


So here, I tried to change `==` to `!=`, and I also changed it to `1 == 1`, but it always failed to flash.

I am lost. I don't know what to search for or from where to start.

I hope that someone could help me out!

Note: I can provide access to my PC to try the flash tool (nokia tool v0.060 using easybox) and maybe debugging in the phone.


Solution

  • Spreadtrum .pac file uses "CRC16 modbus" for its checksum.

    There are two checksums in the firmware file, at the end of the .pac header.

    One is the checksum up to that CRC16 offset, and the other one is the checksum from the end of the second CRC16 offset to the end of the file.

    You can see the structure of .pac file at https://github.com/HemanthJabalpuri/pacextractor/blob/9d7690187006e029867016af9c6620c565c3428f/c/pacextractor.h
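The two-checksum layout described in the answer, as an added example that is not part of the original answer or of pacextractor. It assumes the two CRC fields are adjacent 16-bit little-endian values; `crc1_off` is a hypothetical parameter whose value must be read from the header structure linked above, and the sample image is constructed.

```python
import struct

def crc16_modbus(data):
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def expected_crcs(image, crc1_off):
    """CRC1 covers everything before the CRC1 field; CRC2 covers everything
    after the CRC2 field (assumed to sit directly behind CRC1)."""
    if crc1_off < 0 or crc1_off + 4 > len(image):
        raise ValueError("CRC fields fall outside the image")
    return crc16_modbus(image[:crc1_off]), crc16_modbus(image[crc1_off + 4:])

def stored_crcs(image, crc1_off):
    """Read both stored values (little-endian is an assumption)."""
    return struct.unpack_from("<HH", image, crc1_off)

def verify(image, crc1_off):
    """True when both stored checksums match the image contents."""
    return stored_crcs(image, crc1_off) == expected_crcs(image, crc1_off)

def refresh(image, crc1_off):
    """Return a copy of the image with both checksum fields recomputed."""
    out = bytearray(image)
    struct.pack_into("<HH", out, crc1_off, *expected_crcs(image, crc1_off))
    return bytes(out)

def constructed_sample():
    """Toy image: 16-byte stand-in header, two CRC fields, then a body."""
    header = b"HDR-" * 4
    body = b"constructed partition data"
    return refresh(header + b"\x00" * 4 + body, len(header)), len(header)

if __name__ == "__main__":
    image, off = constructed_sample()
    print("intact image verifies:", verify(image, off))
    edited = bytearray(image)
    edited[-1] ^= 0xFF  # change one body byte, as in the question
    print("edited image verifies:", verify(bytes(edited), off))
    print("after refresh:", verify(refresh(bytes(edited), off), off))
```

A byte change in the body invalidates only the second checksum, while a change inside the header invalidates the first, which is why both fields have to be recomputed after an edit.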