--------------------------------
a K-rad Nokia Flasher (aka kNok)
--------------------------------

****************************************************************************

                           D I S C L A I M E R 


THIS SOFTWARE AND ALL THE ACCOMPANYING FILES ARE PROVIDED "AS IS" AND 
WITHOUT ANY WARRANTIES EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED TO 
IMPLIED WARRANTIES OF MERCHANT ABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE. 

IN NO EVENT SHALL I BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING WITHOUT 
LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, 
LOSS OF BUSINESS INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF 
THE USE OR INABILITY TO USE THIS PRODUCT. 

****************************************************************************

---------------------
1. What is it anyway?
---------------------

It's a command line program, so to be able to use the built-in features,
you must "command" knok. 
Let's sum-up the features it supports:

- reading flashes on any kind of PC system (let it be AMD/Intel based one)
  and store them as "binary" or "knok" flash files

- writing flashes on any kind of PC system (let it be AMD/Intel based one)
  from "binary" or "knok" flash files

- collecting phone information and dumping it into a log file 
  (information such as start/end address of MCU/PPM/PMM/EEPROM blocks,
  software version, checksums, language pack)

- communicating through the user-given LPT and COM port

- beeing able to set the level of information it displays ("debug level")

- beeing able to redirect information to "log.txt"

- beeing able to update or downgrade the software of your phone

- highly configurable

--------------------------------------------
2. If you're still interested - Installation
--------------------------------------------

The package consists of the following files:

CONFIG.CFG     *   
MODELS.CFG     *   Configuration files
DEV_LIST.FPS   *   
FLASHID.CFG    *

KNOK.EXE       *   
KNOK95.EXE     *   Executables
KNOKLIB.DLL    *

PRINTIO.SYS    *   Port access drivers

file_id.diz    *
readme.txt     *   Documentation
whatsnew.txt   *

-----------------------
2.1 Configuration files
-----------------------

----------------
2.1.1 CONFIG.CFG
----------------

This files sets the basic parameters for kNok. It has 7 lines in it:

loaders       -> directory where the bootstraps and the algocodes are
config        -> directory where the configuration files are
models.cfg    -> name of the NMP config file
dev_list.fps  -> name of the flash chips config file
flashid.cfg   -> name of the file to store the list of detected flashes
algocode.cfg  -> name of the manual algocode mapping file
tia           -> what is the extension for the bootstrap and the algo code files
100           -> delay value for serial (COMx) communication

The directory is used as follows; If you ran kNok from "f:\knok" it will
search the boot and flash loaders under "f:\knok\loaders"

----------------
2.1.2 MODELS.CFG
----------------

Note that the name of this file can be changed via the 'config.cfg' file.
Check 2.1.1.

This file has the information about the certain NMPs kNok knows about.
The format is the following:

NSE-1 5110 DCT3BT2.TIA 61 06 0
 1.    2.     3.       4. 5. 6.


1. The name of the NMP (it must be in the same format it is in the phone's
memory (i.e. there is no use to change that to '3310' or something like that)

2. The wide-spread name of the mobile

3. The name of the bootloader the NMP uses to communicate (must be in the
directory set by 'config.cfg')

4.-5. The delay values the bootloader uses to communicate with the NMP

6. The overruled size of the flash of the NMP. I.e. it is mostly for 7110.
   Since 7110 has two flash chips on board, but only one of them is detected,
   the size of the flash has to be "increased".

------------------
2.1.3 DEV_LIST.FPS
------------------

Note that the name of this file can be changed via the 'config.cfg' file.
Check 2.1.1.

This file has the information about the certain flash types kNok knows about.
The format is the following:

000089A6: Intel 28F008SC-L, ALIAS_ID=89A2
  1.          2.               3.

or

000122DA: AMD 29LV800T, size 8Mb
  1.          2.          3.


1. The 32bit ID of the FLASH

2. The name of the flash IC

3. The size of the flash in megabits or the the "alias" (substitue) ID 
   (ALIAS_ID= must be in front of the ID)

-----------------
2.1.4 FLASHID.CFG
-----------------

Note that the name of this file can be changed via the 'config.cfg' file.
Check 2.1.1.

This file has the information about the algocodes and the supported flash
IDs the specific algo code supports. Note that this file is created runtime,
so no need to update it manually.

00898892 I28F160.TIA
   1.         2.

1. The flash ID

2. The name of algocode file that supports the flash id

------------------
2.1.5 ALGOCODE.CFG
------------------

Note that the name of this file can be changed via the 'config.cfg' file.
Check 2.1.1.

This file has the very same layout and holds the very same information
as the one found in FLASHID.CFG. Its purpose is when algocode cannot
be detected automatically, you might "force" a specific flashid to
be used by a specific flashloader. Note that this ONLY happens if the
specific flashid is not found aoutmatically.


--------------
2.2 Executable
--------------

These are the kNok executable. Nothing more nothing less

-----------------
2.3 Documentation
-----------------

-----------------
2.3.2 file_id.diz
-----------------

The short description what is kNok about.

----------------
2.3.3 readme.txt
----------------

The very file you're reading just now.

------------------
2.3.4 whatsnew.txt
------------------

The list of changes.


------------------
3 List of commands
------------------


Generally each and every command has a short and a long
version. The subsections will contain both.
The usage of knok is as follows:

kNok NMP cmd1 arg1a arg1b cmd2 arg2

Which means that you have to specify the NMP (i.e. NSE-1 (or
5110), NPE-3(or 6210), etc.) and after the commands you wish 
to run and right after the commands each and every argument 
the command has. For each and evry command there is the type
of the argument that must be specified. There are two kinds 
of supported arugments:

- numerical (N)
- string (S)

Note that the string arguments (because of the long filenames)
must be given between ". (i.e. "nse-1 v05.05.fls")

**************************************************************
Note: to start a command you must start it with a '-' or a '/'
or a '\'
**************************************************************

For example to read a binary flash (size of 65536) from a 5110
starting from 0x200000 you should:

kNok NSE-1 -rb 0x200000 65536

The headers of the subsections will have the name of the commands
and the arguments it needs. The arguments starting with 'N' will
mean a number, starting with an 'S' will mean a string.

*********************************************************************
Note: 'a' number can practically mean more than one number. You can
specify 'a' number in the following way:

1..4,7,9,11..15

Which will be used as if you specified 1,2,3,4,7,9,11,12,13,14,15

To specify a hexadecimal number you must prefix it with '0x' or '0X'.
*********************************************************************

Let's see the commands.

-------------------------
3.1 setdebuglevel (sd) N1
-------------------------

Only one argument which can start from 0 to 3.

0 : no debug info to be displayed
1 : low debug infos (mostly errors)
2 : medium debug infos (low infos + some useful information)
3 : high debug infos (all kind of information, can be used to
    trace the commnucation

-------------------------
3.2 setredirection(sr) N1
-------------------------

The commands sets the type of redirection. If N1 is 0 no 
redirection is done, if N1 is 1 no logs will be displayed,
instead of that logs will be copied to 'log.txt'. If N1 is
2 both 'log.txt' will be created and displaying will be done.

---------------
3.3 noerase(ne)
---------------

No arguements are used. It switches off erasing before write to
flash.

-----------------
3.4 read(r) N1 N2
-----------------

This command reads from the phone starting from N1 size of N2.
The command stores the flash in a form like this:

NSE-1 (5110) v05.07.KNK

So the first 4 part is the identification of the NMP, the rest is
the version of the phone (it's possible that the language pack gets
inserted as well in the name).

Note that this is stored as a 'knk' file which means that the
stored flash begins with a header:

'K' 'N' 'O' 'K' 00 00 20 00 CS

So it will start with the string 'KNOK' then the 32bit address
where it starts and then a checksum on the header.

This was implemented to avoid 'miswritten' partial flashes.

---------------------
3.5 rawread(rr) N1 N2
---------------------

To support the 'old', 'raw' flash format (that's why it's called
raw format - since it only has the bytes from the flash one
by one) another command is implemented which behaves the same way
the previous one. The only difference is the lack of the header
and the extension which is 'fls'.

---------------
3.6 readall(ra)
---------------

The command analysis the layout of the phone then it dumps all
MCU blocks, all PPM blocks, all PMM and EEPROM blocks (if available)
to disk. The format is FLS only. No arguments this time. 
Note that the name of the files saved with this option and the next 
one is the same, although content differs (format of saved files).

-------------------
3.7 rawreadall(rra)
-------------------

The command analysis the layout of the phone then it dumps all
MCU blocks, all PPM blocks, all PMM and EEPROM blocks (if available)
to disk. The format is FLS. No arguments this time.
Note that the name of the files saved with this option and the next 
one is the same, although content differs (format of saved files).

--------------------
3.8 readmcu(rm) [N1]
--------------------

The command dumps the MCU blocks to disk. If the argument is NOT
specified it will dump all blocks. Otherwise it will dump only
the ones specified (note that you can specify more then one
block like specifying N1 as 0,2..3,5). The format is KNK.
The name of the stored file will be the same as with 3.4 
just the extension will be 'XXm', where XX is the index of 
the MCU block (i.e. if you dump the 0th block it will 00, if 
you dump the 2nd it will be 02).

------------------------
3.9 rawreadmcu(rrm) [N1]
------------------------

The command dumps the MCU blocks to disk. If the argument is NOT
specified it will dump all blocks. Otherwise it will dump only
the ones specified (note that you can specify more then one
block like specifying N1 as 0,2..3,5). The format is FLS.
The name of the stored file will be the same as with 3.4 
just the extension will be 'XXm', where XX is the index of 
the MCU block (i.e. if you dump the 0th block it will 00, if 
you dump the 2nd it will be 02).

------------------------
3.10 readppm(rppm) [N1]
------------------------

The command dumps the PPM blocks to disk. If the argument is NOT
specified it will dump all blocks. Otherwise it will dump only
the ones specified (note that you can specify more then one
block like specifying N1 as 0,2..3,5). The format is KNK.
The name of the stored file will be the same as with 3.4
just the extension will be 'CXX', where C is the language pack,
XX is the index of the PPM block (i.e. if you dump the 0th block
it will 00, if you dump the 2nd it will be 02).

---------------------------
3.11 rawreadppm(rrppm) [N1]
---------------------------

The command dumps the PPM blocks to disk. If the argument is NOT
specified it will dump all blocks. Otherwise it will dump only
the ones specified (note that you can specify more then one
block like specifying N1 as 0,2..3,5). The format is FLS.
The name of the stored file will be the same as with 3.4
just the extension will be 'CXX', where C is the language pack,
XX is the index of the PPM block (i.e. if you dump the 0th block
it will 00, if you dump the 2nd it will be 02).

-----------------------
3.12 readpmm(rpmm) [N1]
-----------------------

The command dumps the PMM blocks to disk. If the argument is NOT
specified it will dump all blocks. Otherwise it will dump only
the ones specified (note that you can specify more then one
block like specifying N1 as 0,2..3,5). The format is FLS.
The name of the stored file will be the same as with 3.4 
just the extension will be 'XXp', where XX is the index of 
the PMM block (i.e. if you dump the 0th block it will 00, if 
you dump the 2nd it will be 02).

---------------------------
3.13 rawreadpmm(rrpmm) [N1]
---------------------------

The command dumps the PMM blocks to disk. If the argument is NOT
specified it will dump all blocks. Otherwise it will dump only
the ones specified (note that you can specify more then one
block like specifying N1 as 0,2..3,5). The format is KNK. 
The name of the stored file will be the same as with 3.4 
just the extension will be 'XXp', where XX is the index of 
the PMM block (i.e. if you dump the 0th block it will 00, if 
you dump the 2nd it will be 02).

------------------------
3.14 readeeprom(re) [N1]
------------------------

The command dumps the EEPROM block(s) to disk (mostly only one).
If the argument is NOT specified it will dump all blocks. 
Otherwise it will dump only the ones specified (note that you 
can specify more then one block like specifying N1 as 0,2..3,5).
The format is KNK. The name of the stored file will be the
same as with 3.4 just the extension will be 'XXe', where XX is 
the index of the EEPROM block (i.e. if you dump the 0th block it
will 00, if you dump the 2nd it will be 02).

----------------------------
3.15 rawreadeeprom(rre) [N1]
----------------------------

The command dumps the EEPROM block(s) to disk (mostly only one).
If the argument is NOT specified it will dump all blocks. 
Otherwise it will dump only the ones specified (note that you 
can specify more then one block like specifying N1 as 0,2..3,5).
The format is FLS. The name of the stored file will be the
same as with 3.4 just the extension will be 'XXe', where XX is 
the index of the EEPROM block (i.e. if you dump the 0th block it
will 00, if you dump the 2nd it will be 02).

----------------------
3.16 write(w) S1 N1 N2
----------------------

The commands writes the KNK file set by S1 to the phone. Note
that you can not specify the starting address since it's in the
flash file. If you wish to write only fraction of the input file,
you can set N1 to the offset you wish to start write from (0 is
the very first of the file) and N2 to the length (in bytes) you
wish to write (note that you must set N1 and N2 both to zero to
achieve "normal" behaviour, i.e. write the whole file).

-----------------------------
3.17 rawwrite(rw) S1 N1 N2 N3
-----------------------------

To write a plain 'FLS' file to the phone you must specify the name
of the flash file and the starting address as well. 
Note that NO checking is done regarding the starting address, 
so you can easily fuck up your phone. If you wish to write only 
fraction of the input file, you can set N2 to the offset you 
wish to start write from (0 is the very first of the file) and 
N3 to the length (in bytes) you wish to write (note that you 
must set N2 and N3 both to zero to achieve "normal" behaviour, 
i.e. write the whole file).

-----------------------------------
3.18 writephoneinfoandchecksum(wpc)
-----------------------------------

The commands collects some information about the phone (software
version, language pack, phone model, start/end addresses of MCU, PPM,
PMM, EEPROM blocks, checksum (MCU/PPM) and stores it in a log file.
It also recalculates the flash checksum. Please note that this
is quite a time consuming task (since it reads the full flash),
so it's highly suggested to run it with emulation mode turned on.

-----------------------
3.19 writephoneinfo(wp)
-----------------------

The commands collects some information about the phone (software
version, language pack, phone model, start/end addresses of MCU, PPM,
PMM, EEPROM blocks, checksum (MCU/PPM) and stores it in a log file.

--------------------------------
3.20 writesecurityphoneinfo(wsp)
--------------------------------

The commands collects some information about the phone (software
version, language pack, MSID, DSP software versions, etc.) and 
stores it in a log file. Note that to be able to run this command
the phone must be switched on (since it uses MBUS communication)
and the DAU9 cable must be connected to it (instead of the
flasher cable).

--------------
3.21 lpt(l) N1
--------------

The command specifies which LPTx base address to use. Note that 
currently only the followin base addresses are accepted: 0x378, 0x278,
0x3bc. The default is 0x378.

--------------
3.22 com(c) N1
--------------

The command specifies which COMx (1..4) serial port to use for MBUS 
communication.  The default is COM1.

-------------------
3.23 erase(e) N1 N2
-------------------

The command erases the flash starting from N1 with N2 bytes.

-----------------
3.24 eraseall(ea)
-----------------

The command erases the whole flash of the phone.

------------
3.25 confirm
------------

The command confirms any (it means before write as well)
erase operations. So without -confirm no erase is done (this
implicitly means that no -w or -wb as well, since that requires
erase also).

-----------------------
3.26 readfullflash(rff)
-----------------------

The command saves the full flash of the phone (MCU, PPM, PMM, 
EEPROM) and saves it in KNK format. No arguments this time.

---------------------------
3.27 rawreadfullflash(rrff)
---------------------------

The command saves the full flash of the phone (MCU, PPM, PMM, 
EEPROM) and saves it in FLS format. No arguments this time.

-----------------------
3.28 emulateread(er) S1
-----------------------

The command selects emulation mode with the full flash file
specified by S1. Selecting this option means that all
operations (read, write and erase) will be performed on the file
and not the phone itself.

---------------------------
3.29 rawemulateread(rer) S1
---------------------------

The command selects emulation mode with the full flash file
specified by S1. Selecting this option means that all
operations (read, write and erase) will be performed on the file
and not the phone itself.

-----------------------
3.30 checkchecksums(cc)
-----------------------

The command performs checksum checking on the phone. 
Note that it's HIGHLY SUGGESTED TO RUN IT WITH EMULATION MODE
TURNED ON. The following checksums are checked: MCU, PPM, PMM,
EEPROM and PPM 32bit (this is needed for calculating the 
flash checksum when updating software of the phone).
No arguments this time.

---------------------
3.31 fixchecksums(fc)
---------------------

The command performs checksum checking on the phone. If any of the
checksums are incorrect, the command recalculates the correct value.
Note that it's HIGHLY SUGGESTED TO RUN IT WITH EMULATION MODE 
TURNED ON. The following checksums are checked (and corrected if 
needed): MCU, PPM, PMM, EEPROM.
No arguments this time.

------------------
3.32 checkimei(ci)
------------------

The command checks whether the security IMEI and the "normal" IMEI
in the EEPROM is the same. Note that it's HIGHLY SUGGESTED TO RUN 
IT WITH EMULATION MODE  TURNED ON. 
No arguments this time.

----------------
3.33 fiximei(fi)
----------------

The command checks whether the security IMEI and the "normal" IMEI
in the EEPROM is the same. If it's not it fixes. 
Note that it's HIGHLY SUGGESTED TO RUN IT WITH EMULATION MODE
TURNED ON. 
No arguments this time.

---------------------
3.34 checkseccode(cs)
---------------------

The command checks whether the security code in the PMM block and
the one in the EEPROM is the same. 
Note that it's HIGHLY SUGGESTED TO RUN IT WITH EMULATION MODE
TURNED ON. 
No arguments this time.

-------------------
3.35 fixseccode(fs)
-------------------

The command checks whether the security code in the PMM block and
the one in the EEPROM is the same. If it's not it fixes. 
Note that it's HIGHLY SUGGESTED TO RUN IT WITH EMULATION MODE
TURNED ON. 
No arguments this time.

-----------------------------
3.36 clearseccodecounter(csc)
-----------------------------

The command clears the security code counter.
Note that it's HIGHLY SUGGESTED TO RUN IT WITH EMULATION MODE
TURNED ON. 
No arguments this time.
                   
---------------------
3.37 safeflashing(safe)
---------------------

The command switches on safe flashing. It means that whenever
it is switched on, the program cannot modify the user data 
(PMM and EEPROM) in the flash.
No arguments this time.

-------------------------
3.38 resetsettings(rs) N1
-------------------------

The command resets either the user interface (when N1 = 2),
or applies phone settings (when N1 = 1), resets all (UIF, SCM
and call counters) (when N1 = 3), reset DEV settings 
(when N1 = 4), resets full factory settings (when N1 = 5) or 
does all (when N1 = 6).
Note that to be able to run this command
the phone must be switched on (since it uses MBUS communication)
and the DAU9 cable must be connected to it (instead of the
flasher cable).

-------------------
3.39 resetphone(rp)
-------------------

The command resets the phone.
Note that to be able to run this command
the phone must be switched on (since it uses MBUS communication)
and the DAU9 cable must be connected to it (instead of the
flasher cable).

--------------------------------
3.40 setsimlock(ssl) N1 S2 N3 N4
--------------------------------

The command sets the simlockinfo. N1 is the index of the simlock
(1..4), S1 is the new value, N3 is either 1 or 0 (set 1 to open,
0 to close the lock). To NOT change the value set S2 to '.'
(of course without the ''s). To NOT change the setup (i.e. the
status of the lock), set N3 to other than 1 or 0. To change
the type of simlock (i.e. user or factory) set N4 to 1(user)
or to 2(factory). To NOT change the type set N4 to 0.
Note that to be able to run this command
the phone must be switched on (since it uses MBUS communication)
and the DAU9 cable must be connected to it (instead of the
flasher cable).

----------------------------
3.41 converttoknk(ctk) S1 N2
----------------------------

The command converts the given file (in S1) with the starting
address N2 to a KNK file.

-----------------------
3.42 setcontrast(sc) N1
-----------------------

The command sets the contrast of the phone display to N1
(between 0 and 31; 31 is the darkest, 0 is the lightest).
Note that to be able to run this command
the phone must be switched on (since it uses MBUS communication)
and the DAU9 cable must be connected to it (instead of the
flasher cable).

-------------------
3.43 setfaid(sf) N1
-------------------

The command sets the FAID based upon the new flash checksum
given by N1. This number is retrieved when executing 
phoneinfo with ppm checksum (not simple phoneinfo!).
If N1 is zero, the program will try to detect the checksum
based upon the one found in the decoded MSID.
Note that to be able to run this command the phone must 
be switched on (since it uses MBUS communication)
and the DAU9 cable must be connected to it (instead of the
flasher cable).

----------------------------------
3.44 convertwttofls(cwttf) S1 [S2]
----------------------------------

The command converts one (or optionally two) Wintesla 
flash file (DCT3 only) to FLS format. If two files 
are given they're joined (i.e. give an MCU and a PPM
pack as the argument when using two parameters)

----------------------------------
3.45 convertwttoknk(cwttk) S1 [S2]
----------------------------------

The command converts one (or optionally two) Wintesla 
flash file (DCT3 only) to KNK format. If two files 
are given they're joined (i.e. give an MCU and a PPM
pack as the argument when using two parameters)

----------------------
3.46 resetsplock(rspl)
----------------------

The command resets the SP lock information of the
phone. 
Note that to be able to run this command the phone must 
be switched on (since it uses MBUS communication)
and the DAU9 cable must be connected to it (instead of the
flasher cable).

-------------------
3.47 setimei(si) S1
-------------------

The command changes the IMEI of the phone to S1.
The S1 must include the last checkdigit as well
(i.e. its length must be 15). If shorter IMEI is
supplied, the program will try to use the phone's
original IMEI.
Note that to be able to run this command the phone must 
be switched on (since it uses MBUS communication)
and the DAU9 cable must be connected to it (instead of the
flasher cable).

--------------------------
3.48 setproductcode(sp) S1
--------------------------

The command changes the productcode of the phone 
to S1. The S1 must be 7 digit long.
Note that to be able to run this command the phone must 
be switched on (since it uses MBUS communication)
and the DAU9 cable must be connected to it (instead of the
flasher cable).


-------------
4 Limitations
-------------

There are limitations regarding the number of entries in the config files
(especially in the bootloader, flashloader and alias files).

---------------------
4.1 Phone information
---------------------

It handles maximum of 16 blocks (let it be PPM, PMM or 
any other), and maximum of 512 entries in any PMM block.

---------
5 Contact
---------

If you have bright ideas, can program or simply have useful
information about the Nokia phones, join us at:

for developers strictly:
http://groups.yahoo.com/group/knok

for users:
http://groups.yahoo.com/group/knokusers
