• Announcements

    • PaulOBrien

      Reminder - MoDaCo position on illegal content   07/30/15

      ILLEGAL CONTENT I'd like to just reaffirm MoDaCo's position regarding piracy and illegal content in the light of some recent questions / postings. Posts will be censored by myself or my moderation team if the contain or link to: Illegal / pirated / cracked software or sites that host such software Nintendo emulators / ROMs or sites hosting them (in light of Nintendo's legal stance) CUSTOM ROMS You may discuss and post links to custom device ROMs on MoDaCo, provided the following rules are adhered to: ROMs must not contain any illegal 3rd party software (this includes trial versions included without permission) ROMs must give full credit to the original author ISSUES If you have any issues with this policy, please contact PaulOBrien directly via PM.
    • PaulOBrien

      Reminder: Selling items on the forum directly is not allowed   07/30/15

      Please note that selling items on the forum directly is not allowed by the forum rules. There is a forum for eBay auctions whereby you can list the items on eBay and link to them there. This is the ONLY forum for this type of activity. You may also advertise links to the eBay forum in your signature. Please note that selling directly in contravention of these rules will result in a warning / suspension / ban.

QMAT - QC Mobile Analysis Tool

1 post in this topic

QMAT - QC Mobile Analysis Tool

What is it ?

It is a development and debugging tool for Qualcomm mobiles - the only tool you'll ever need for research and development.

Who may need it ?

Mobile engineers / reverse engineers and cryptoanalysts

Crypto Functions :

- Calculate CRC-30, CRC-32, SHA1, SHA2 (SHA224 + SHA256), MD4 and MD5 of any file

- Bruteforce bytes to fit CRC-30 needed when qcsblhd_cfgdata.mbn was edited

- Decrypt and Encrypt any RSA-Message, including ASN-1 / SHA Signatures. (you can add publickeys to publickeys.xml)

- Generate RSA Private Key and create .pvk files

- Check firmware signature given Modulus and Exponent (for HTC and BQS mobiles)

- Extract information from .pvk files

- Search for algorithms in binary files (find cryptomethods + signatures) CRC8, CRC16, CRC32, MD4, MD5, SHARK, HAVAL, GZIP, ZIP, SHA1, ... and much more (you can add cryptosignatures to crypto.xml)

JTAG Interface :

(soon via Segger J-Link)

Functions for QC mobiles :

1. Load binary files for :

Extraction of certificates

Extraction of BMPs,GIFs,PNGs, JPGs

2. Load Partition File to get overview about NAND/NOR structure

3. Send any String to a COM/USB Port and backup all your SMS !

4. Make usage of QCs Diag USB/COM Port Interface

(Useful for any QC mobile in the world)

Standard Features :

- Send standard diag commands or any hexadecimal command you want (database included)

- Read out all NVItems (range given)

(all that exist, more than QPST normally extracts)

- Backup and Restore all NVItems

- Read out and Dump Firmware in Memory (SRam)

- Read out complete EFS

- Switch to FTM Mode (or anything else you want)

- Get infos about phone ..... etc ..... a lot more functions

- Generate SimSecure Command to write to SimSecure using given file (may brick your phone when used without knowledge)

- Full Feature EFS Browser

Bootloader / DownloadMode Features :

- Load any file to mobile at any address and execute (bootloader f.e.)

- Read out complete NAND Memory using bootloader (range given) with included MSM6250/A bootloader or any given bootloader

Usage : Take out battery, put in battery, press ON # to enter emergency mode, Execute Loader

or (with SL91,SF71 f.e.) enable FTM mode, Execute Loader

- Use any Download Mode or Bootloader Command to experiment

- Read application memory of newer Diag Ver 6 in Download Mode

- Show complete infos about used NAND after loading of Bootloader

Flasher Features :

Flash any QC mobile (OBL Multiboot) with given bootloader

- Flash PBL (dangerous), QCSBL, QCSBL Header and Config Bits, Partition, OEMSBL, OEMSBL Header, AMSS, AMSS Header and EFS

Functions for BQS only :

1. Load AMSS to extract files or useful infos

(EF81, E81C, EF91, SXG75, EF82, SF71, SL91 or similiar ones)

Features :

Extract Infos from AMSS : USBID, Product.Nr., SVN, SwBuild, Mobiletype

Extract internal filesystem (mif,bar,sig etc. files)

Extract AMSS signature bytes (if production key)

Show all file references used by mobile

2. Check Firmware validity (signature)

3. Sim_Secure extraction/decryption (non-public)

4. Master-/Usercode/Unlock extraction and direct unlock (non-public)

Functions for HTC only :

1. Check validity of HTC firmware (signature check)

2. Cut out signatures from .nbh file

3. Split radio.nb into qualcomm files for analysis

4. Find HTC Public keys using Cryptosearch

5. Generate Security passwords (SPL + radio) for newer HTC

6. Generate NBH Files (you can add any device into devlist.xml)

7. Dump Files from NBH (you can add any type into nbhtype.xml)

8. Fix radio.nb checksum

9. Generic Bootloader / AT Command interface with logging functions

Functions for Network Engineers

Network Calculators :




GSM A5-1

GSM A5-2

GSM A5-3






GSM A3/A8 COMP128 V1

GSM A3/A8 COMP128 V2

GSM A3/A8 COMP128 V3

3G Milenage

3G Milenage Resync




CAVE Authentication




CAVE Wireless Residential Extension

CAVE Datakey / Look Up Table / Mask



CAVE Long Block

CAVE Short Block

CAVE Enhanced Message

CAVE Enhanced Voice Privacy

CAVE Enhanced Data Mask

Planned in future :

1. Bugfixes

2. EFS Backup / Restore to Zip File

3. QC Jtag interface using Segger J-Link ARM

4. LNB/LNBS HTC support to replace MTTY 5. Tooltips showing real addresses in graphical window

6. Simple NVItems Editor

7. Read out / Write back Addressbook

8. Restore backupped SMS to phone

9. much much more


What we need :

- Any contribution to the project is welcome.

- Donations for new hardware and software for further development of this tool.

Link to the project files :


Version 3.80 (Major Release) Stable

QMAT Homepage

Cya and keep on reversing,

Viper BJK

==> Donate via PayPal <==


Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

MoDaCo is part of the MoDaCo.network, © Paul O'Brien 2002-2016. MoDaCo uses IntelliTxt technology.