---------------------------------------------------------------------------
                     a K-rad Nokia Flasher (aka kNok)
---------------------------------------------------------------------------

***************************************************************************

                           D I S C L A I M E R

THIS SOFTWARE  AND ALL   THE ACCOMPANYING  FILES ARE   PROVIDED "AS IS" AND
WITHOUT  ANY   WARRANTIES   EXPRESSED   OR   IMPLIED  INCLUDING   BUT   NOT
LIMITED   TO  IMPLIED WARRANTIES  OF  MERCHANT ABILITY  AND  FITNESS FOR  A
PARTICULAR PURPOSE.

IN NO  EVENT  SHALL  I BE   LIABLE FOR  ANY  DAMAGES  WHATSOEVER (INCLUDING
WITHOUT  LIMITATION,  DAMAGES  FOR  LOSS  OF  BUSINESS  PROFITS,   BUSINESS
INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR  ANY OTHER PECUNIARY   LOSS)
ARISING OUT  OF THE USE  OR
INABILITY TO USE THIS PRODUCT.

***************************************************************************

---------------------
1. What is it anyway?
---------------------

It's a command line program, so to be able to use the built-in features,
you must "command" knok.
Let's sum-up the features it supports:

- reading flashes on any kind of PC system (let it be AMD/Intel based one)
  and store them as "raw" or "knok" flash files

- writing flashes on any kind of PC system (let it be AMD/Intel based one)
  from "raw" or "knok" flash files

- collecting phone information and dumping it into a log file
  (information such as start/end address of MCU/PPM/PMM/EEPROM blocks,
  software version, checksums, language pack)

- communicating through the user-given LPT and COM port

- beeing able to set the level of information it displays ("debug level")

- beeing able to redirect information to "log.txt"

- beeing able to update or downgrade the software of your phone

- highly configurable

---------------
2. Installation
---------------

The package consists of the following files:

CONFIG.CFG     *
MODELS.CFG     *   Configuration files
DEV_LIST.FPS   *
FLASHID.CFG    *

KNOK.EXE       *
KNOK95.EXE     *   Executables
KNOKLIB.DLL    *

PRINTIO.SYS    *   Port access drivers

file_id.diz    *
readme.txt     *   Documentation
whatsnew.txt   *

-----------------------
2.1 Configuration files
-----------------------

----------------
2.1.1 CONFIG.CFG
----------------

This files sets the basic parameters for kNok. It has 7 lines in it:

loaders       -> directory where the bootstraps and the algocodes are
config        -> directory where the configuration files are
models.cfg    -> name of the NMP config file
dev_list.fps  -> name of the flash chips config file
flashid.cfg   -> name of the file to store the list of detected flashes
algocode.cfg  -> name of the manual algocode mapping file
tia           -> what is the extension for the bootstrap and the algo 
                 code files
100           -> delay value for serial (COMx) communication

The directory is used as follows; If you ran kNok from "f:\knok" it will
search the boot and flash loaders under "f:\knok\loaders"

----------------
2.1.2 MODELS.CFG
----------------

Note that the name of this file can be changed via the 'config.cfg' file.
Check 2.1.1.

This file has the information about the certain NMPs kNok knows about.
The format is the following:

NSE-1 5110 DCT3BT2.TIA 61 06 0
 1.    2.     3.       4. 5. 6.

1. The name of the NMP (it must be in the same format it is in the phone's 
memory (i.e. there is no use to change that to '3310' or something like 
that)

2. The wide-spread name of the mobile

3. The name of the bootloader the NMP uses to communicate (must be in the
directory set by 'config.cfg')

4.-5. The delay values the bootloader uses to communicate with the NMP

6. The overruled size of the flash of the NMP. I.e. it is mostly for 7110. 
Since 7110 has two flash chips on board, but only one of them is detected,
the size of the flash has to be "increased".

------------------
2.1.3 DEV_LIST.FPS
------------------

Note that the name of this file can be changed via the 'config.cfg' file.
Check 2.1.1.

This file has the information about the certain flash types kNok knows about.
The format is the following:

000089A6: Intel 28F008SC-L, ALIAS_ID=89A2
  1.          2.               3.

or

000122DA: AMD 29LV800T, size 8Mb
  1.          2.          3.


1. The 32bit ID of the FLASH

2. The name of the flash IC

3. The size of the flash in megabits or the the "alias" (substitue) ID
   (ALIAS_ID= must be in front of the ID)

-----------------
2.1.4 FLASHID.CFG
-----------------

Note that the name of this file can be changed via the 'config.cfg' file.
Check 2.1.1.

This file has the information about the algocodes and the supported flash 
IDs the specific algo code supports. Note that this file is created 
runtime, so no need to update it manually.

00898892 I28F160.TIA
   1.         2.

1. The flash ID

2. The name of algocode file that supports the flash id

------------------
2.1.5 ALGOCODE.CFG
------------------

Note that the name of this file can be changed via the 'config.cfg' file.
Check 2.1.1.

This file has the very same layout and holds the very same information as 
the one found in FLASHID.CFG. Its purpose is when algocode cannot be 
detected automatically, you might "force" a specific flashid to be used by 
a specific flashloader. Note that this ONLY happens if the specific flashid 
is not found aoutmatically.


--------------
2.2 Executable
--------------

These are the kNok executable. Nothing more nothing less

-----------------
2.3 Documentation
-----------------

-----------------
2.3.2 file_id.diz
-----------------

The short description what is kNok about.

----------------
2.3.3 readme.txt
----------------

The very file you're reading just now.

------------------
2.3.4 whatsnew.txt
------------------

The list of changes.


------------------
3 List of commands
------------------

Generally each and every command has a short and a long version. The 
subsections will contain both.
The usage of knok is as follows:

kNok NMP cmd1 arg1a arg1b cmd2 arg2

Which means that you have to specify the NMP (i.e. NSE-1 (or 5110), NPE-
3(or 6210), etc.) and after the commands you wish to run and right after 
the commands each and every argument the command has. For each and evry 
command there is the type of the argument that must be specified. There are 
two kinds of supported arugments:

- numerical (N)
- string (S)

Note that the string arguments (because of the long filenames) must be 
given between ". (i.e. "nse-1 v05.05.fls")

**************************************************************************
Note: to start a command you must start it with a '-' or a '/' or a '\'
**************************************************************************

For example to read a raw flash (size of 65536) from a 5110 starting from 
0x200000 you should:

kNok NSE-1 -rr 0x200000 65536

The headers of the subsections will have the name of the commands and the 
arguments it needs. The arguments starting with 'N' will mean a number, 
starting with an 'S' will mean a string.

**************************************************************************
Note: 'a' number can practically mean more than one number. You can specify 
'a' number in the following way:

1..4,7,9,11..15

Which will be used as if you specified 1,2,3,4,7,9,11,12,13,14,15

To specify a hexadecimal number you must prefix it with '0x' or '0X'.
**************************************************************************

Let's see the commands.

-------------------------
3.1 setdebuglevel (sd) N1
-------------------------

Only one argument which can start from 0 to 3.

0 : no debug info to be displayed
1 : low debug infos (mostly errors)
2 : medium debug infos (low infos + some useful information)
3 : high debug infos (all kind of information, can be used to
    trace the commnucation

-------------------------
3.2 setredirection(sr) N1
-------------------------

The commands sets the type of redirection. If N1 is 0 no redirection is 
done, if N1 is 1 no logs will be displayed, instead of that logs will be 
copied to 'log.txt'. If N1 is 2 both 'log.txt' will be created and 
displaying will be done.

---------------
3.3 noerase(ne)
---------------

No arguements are used. It switches off erasing before write to flash.

-----------------
3.4 read(r) N1 N2
-----------------

This command reads from the phone starting from N1 size of N2. The command 
stores the flash in a form like this:

NSE-1 (5110) v05.07.KNK

So the first 4 part is the identification of the NMP, the rest is the 
version of the phone (it's possible that the language pack gets inserted as 
well in the name).

Note that this is stored as a 'knk' file which means that the stored flash 
begins with a header:

'K' 'N' 'O' 'K' 00 00 20 00 TT TT TT TT CS CS CS CS

So it will start with the string 'KNOK' then the 32bit address where it 
starts, then a type setting (whether it's a full or partial flash) and 
finally the checksum on the header.

This was implemented to avoid 'miswritten' partial flashes.

---------------------
3.5 rawread(rr) N1 N2
---------------------

To support the 'old', 'raw' flash format (that's why it's called raw format 
- since it only has the bytes from the flash one by one) another command is 
implemented which behaves the same way the previous one. The only 
difference is the lack of the header and the extension which is 'fls'.

---------------
3.6 readall(ra)
---------------

The command analysis the layout of the phone then it dumps all MCU blocks, 
all PPM blocks, all PMM and EEPROM blocks (if available) to disk. The 
format is FLS only. No arguments this time. Note that the name of the files 
saved with this option and the next one is the same, although content 
differs (format of saved files).

-------------------
3.7 rawreadall(rra)
-------------------

The command analysis the layout of the phone then it dumps all MCU blocks, 
all PPM blocks, all PMM and EEPROM blocks (if available) to disk. The 
format is FLS. No arguments this time. Note that the name of the files 
saved with this option and the next one is the same, although content 
differs (format of saved files).

--------------------
3.8 readmcu(rm) [N1]
--------------------

The command dumps the MCU blocks to disk. If the argument is NOT specified 
it will dump all blocks. Otherwise it will dump only the ones specified 
(note that you can specify more then one block like specifying N1 as 
0,2..3,5). The format is KNK.

------------------------
3.9 rawreadmcu(rrm) [N1]
------------------------

The command dumps the MCU blocks to disk. If the argument is NOT specified 
it will dump all blocks. Otherwise it will dump only the ones specified 
(note that you can specify more then one block like specifying N1 as 
0,2..3,5). The format is FLS.

------------------------
3.10 readppm(rppm) [N1]
------------------------

The command dumps the PPM blocks to disk. If the argument is NOT specified 
it will dump all blocks. Otherwise it will dump only the ones specified 
(note that you can specify more then one block like specifying N1 as 
0,2..3,5). The format is KNK.

---------------------------
3.11 rawreadppm(rrppm) [N1]
---------------------------

The command dumps the PPM blocks to disk. If the argument is NOT specified 
it will dump all blocks. Otherwise it will dump only the ones specified 
(note that you can specify more then one block like specifying N1 as 
0,2..3,5). The format is FLS.

-----------------------
3.12 readpmm(rpmm) [N1]
-----------------------

The command dumps the PMM blocks to disk. If the argument is NOT specified 
it will dump all blocks. Otherwise it will dump only the ones specified 
(note that you can specify more then one block like specifying N1 as 
0,2..3,5). The format is KNK.

---------------------------
3.13 rawreadpmm(rrpmm) [N1]
---------------------------

The command dumps the PMM blocks to disk. If the argument is NOT specified 
it will dump all blocks. Otherwise it will dump only the ones specified 
(note that you can specify more then one block like specifying N1 as 
0,2..3,5). The format is FLS.

------------------------
3.14 readeeprom(re) [N1]
------------------------

The command dumps the EEPROM block(s) to disk (mostly only one). If the 
argument is NOT specified it will dump all blocks. Otherwise it will dump 
only the ones specified (note that you can specify more then one block like 
specifying N1 as 0,2..3,5). The format is KNK.

----------------------------
3.15 rawreadeeprom(rre) [N1]
----------------------------

The command dumps the EEPROM block(s) to disk (mostly only one). If the 
argument is NOT specified it will dump all blocks. Otherwise it will dump 
only the ones specified (note that you can specify more then one block like 
specifying N1 as 0,2..3,5). The format is FLS.

----------------------
3.16 write(w) S1 N1 N2
----------------------

The commands writes the KNK file set by S1 to the phone. Note that you can 
not specify the starting address since it's in the flash file. If you wish 
to write only fraction of the input file, you can set N1 to the offset you 
wish to start write from (0 is the very first of the file) and N2 to the 
length (in bytes) you wish to write (note that you must set N1 and N2 both 
to zero to achieve "normal" behaviour, i.e. write the whole file).

-----------------------------
3.17 rawwrite(rw) S1 N1 N2 N3
-----------------------------

To write a plain 'FLS' file to the phone you must specify the name of the 
flash file and the starting address as well. Note that NO checking is done 
regarding the starting address, so you can easily fuck up your phone. If 
you wish to write only fraction of the input file, you can set N2 to the 
offset you wish to start write from (0 is the very first of the file) and 
N3 to the length (in bytes) you wish to write (note that you must set N2 
and N3 both to zero to achieve "normal" behaviour, i.e. write the whole 
file).

-----------------------------------
3.18 writephoneinfoandchecksum(wpc)
-----------------------------------

The commands collects some information about the phone (software version, 
language pack, phone model, start/end addresses of MCU, PPM, PMM, EEPROM 
blocks, checksum (MCU/PPM) and stores it in a log file. It also 
recalculates the flash checksum. Please note that this is quite a time 
consuming task (since it reads the full flash), so it's highly suggested to 
run it with emulation mode turned on.

-----------------------
3.19 writephoneinfo(wp)
-----------------------

The commands collects some information about the phone (software version, 
language pack, phone model, start/end addresses of MCU, PPM, PMM, EEPROM 
blocks, checksum (MCU/PPM) and stores it in a log file.

--------------------------------
3.20 writesecurityphoneinfo(wsp)
--------------------------------

The commands collects some information about the phone (software version, 
language pack, MSID, DSP software versions, etc.) and stores it in a log 
file. Note that to be able to run this command the phone must be switched 
on (since it uses MBUS communication) and the DAU9 cable must be connected 
to it (instead of the flasher cable).

--------------
3.21 lpt(l) N1
--------------

The command specifies which LPTx base address to use. Note that currently 
only the followin base addresses are accepted: 0x378, 0x278, 0x3bc. The 
default is 0x378.

--------------
3.22 com(c) N1
--------------

The command specifies which COMx (1..4) serial port to use for MBUS 
communication. The default is COM1.

-------------------
3.23 erase(e) N1 N2
-------------------

The command erases the flash starting from N1 with N2 bytes.

-----------------
3.24 eraseall(ea)
-----------------

The command erases the whole flash of the phone.

------------
3.25 confirm
------------

The command confirms any (it means before write as well) erase operations. 
So without -confirm no erase is done (this implicitly means that no -w or 
-rw as well, since that requires erase also).

-----------------------
3.26 readfullflash(rff)
-----------------------

The command saves the full flash of the phone (MCU, PPM, PMM, EEPROM) and 
saves it in KNK format. No arguments this time.

---------------------------
3.27 rawreadfullflash(rrff)
---------------------------

The command saves the full flash of the phone (MCU, PPM, PMM, EEPROM) and 
saves it in FLS format. No arguments this time.

-----------------------
3.28 emulateread(er) S1
-----------------------

The command selects emulation mode with the full flash file specified by 
S1. Selecting this option means that all operations (read, write and erase) 
will be performed on the file and not the phone itself.

---------------------------
3.29 rawemulateread(rer) S1
---------------------------

The command selects emulation mode with the full flash file specified by 
S1. Selecting this option means that all operations (read, write and erase) 
will be performed on the file and not the phone itself.

-----------------------
3.30 checkchecksums(cc)
-----------------------

The command performs checksum checking on the phone. Note that it's HIGHLY 
SUGGESTED TO RUN IT WITH EMULATION MODE TURNED ON. The following checksums 
are checked: MCU, PPM, PMM, EEPROM and PPM 32bit (this is needed for 
calculating the flash checksum when updating software of the phone). No 
arguments this time.

---------------------
3.31 fixchecksums(fc)
---------------------

The command performs checksum checking on the phone. If any of the 
checksums are incorrect, the command recalculates the correct value. Note 
that it's HIGHLY SUGGESTED TO RUN IT WITH EMULATION MODE TURNED ON. The 
following checksums are checked (and corrected if needed): MCU, PPM, PMM, 
EEPROM. No arguments this time.

------------------
3.32 checkimei(ci)
------------------

The command checks whether the security IMEI and the "normal" IMEI in the 
EEPROM is the same. Note that it's HIGHLY SUGGESTED TO RUN IT WITH 
EMULATION MODE TURNED ON. No arguments this time.

----------------
3.33 fiximei(fi)
----------------

The command checks whether the security IMEI and the "normal" IMEI in the 
EEPROM is the same. If it's not it fixes. Note that it's HIGHLY SUGGESTED 
TO RUN IT WITH EMULATION MODE TURNED ON. No arguments this time.

---------------------
3.34 checkseccode(cs)
---------------------

The command checks whether the security code in the PMM block and the one 
in the EEPROM is the same. Note that it's HIGHLY SUGGESTED TO RUN IT WITH 
EMULATION MODE TURNED ON. No arguments this time.

-------------------
3.35 fixseccode(fs)
-------------------

The command checks whether the security code in the PMM block and the one 
in the EEPROM is the same. If it's not it fixes. Note that it's HIGHLY 
SUGGESTED TO RUN IT WITH EMULATION MODE TURNED ON. No arguments this time.

-----------------------------
3.36 clearseccodecounter(csc)
-----------------------------

The command clears the security code counter. Note that it's HIGHLY 
SUGGESTED TO RUN IT WITH EMULATION MODE TURNED ON. No arguments this time.

---------------------
3.37 safeflashing(safe)
---------------------

The command switches on safe flashing. It means that whenever it is 
switched on, the program cannot modify the user data (PMM and EEPROM) in 
the flash. No arguments this time.

-------------------------
3.38 resetsettings(rs) N1
-------------------------

The command resets either the user interface (when N1 = 2), or applies 
phone settings (when N1 = 1), resets all (UIF, SCM and call counters) (when 
N1 = 3), reset DEV settings (when N1 = 4), resets full factory settings 
(when N1 = 5) or does all (when N1 = 6). Note that to be able to run this 
command the phone must be switched on (since it uses MBUS communication) 
and the DAU9 cable must be connected to it (instead of the flasher cable).

-------------------
3.39 resetphone(rp)
-------------------

The command resets the phone. Note that to be able to run this command the 
phone must be switched on (since it uses MBUS communication) and the DAU9 
cable must be connected to it (instead of the flasher cable).

-----------------------------
3.40 setsimlock(ssl) N1 S2 N3
-----------------------------

The command sets the simlockinfo. N1 is the index of the simlock (1..4), S1 
is the new value, N3 is either 1 or 0 (set 1 to open, 0 to close the lock). 
To NOT change the value set S2 to '.' (of course without the ''s). To NOT 
change the setup (i.e. the status of the lock), set N3 to other than 1 or 
0. Note that to be able to run this command the phone must be switched on 
(since it uses MBUS communication) and the DAU9 cable must be connected to 
it (instead of the flasher cable).

----------------------------
3.41 converttoknk(ctk) S1 N2
----------------------------

The command converts the given file (in S1) with the starting address N2 to 
a KNK file.

-----------------------
3.42 setcontrast(sc) N1
-----------------------

The command sets the contrast of the phone display to N1 (between 0 and 31; 
31 is the darkest, 0 is the lightest). Note that to be able to run this 
command the phone must be switched on (since it uses MBUS communication) 
and the DAU9 cable must be connected to it (instead of the flasher cable).

-------------------
3.43 setfaid(sf) N1
-------------------

The command sets the FAID based upon the new flash checksum given by N1. 
This number is retrieved when executing phoneinfo with ppm checksum (not 
simple phoneinfo!). If N1 is zero, the program will try to detect the 
checksum based upon the one found in the decoded MSID. Note that to be able 
to run this command the phone must be switched on (since it uses MBUS 
communication) and the DAU9 cable must be connected to it (instead of the 
flasher cable).

----------------------------------
3.44 convertwttofls(cwttf) S1 [S2]
----------------------------------

The command converts one (or optionally two) Wintesla flash file (DCT3 
only) to FLS format. If two files are given they're joined (i.e. give an 
MCU and a PPM pack as the argument when using two parameters)

----------------------------------
3.45 convertwttoknk(cwttk) S1 [S2]
----------------------------------

The command converts one (or optionally two) Wintesla flash file (DCT3 
only) to KNK format. If two files are given they're joined (i.e. give an 
MCU and a PPM pack as the argument when using two parameters)

----------------------
3.46 resetsplock(rspl)
----------------------

The command resets the SP lock information of the phone. Note that to be 
able to run this command the phone must be switched on (since it uses MBUS 
communication) and the DAU9 cable must be connected to it (instead of the 
flasher cable).

-------------------
3.47 setimei(si) S1
-------------------

The command changes the IMEI of the phone to S1. The S1 must include the 
last checkdigit as well (i.e. its length must be 15). If shorter IMEI is 
supplied, the program will try to use the phone's original IMEI. Note that 
to be able to run this command the phone must be switched on (since it uses 
MBUS communication) and the DAU9 cable must be connected to it (instead of 
the flasher cable).

-----------------------------
3.48 setproductcode(sp) S1 N1
-----------------------------

The command changes the productcode or the basic productcode of the phone 
to S1. The S1 must be 7 digit long. if N1 is 1 it changes the basic 
productcode, if N1 is 0 it changes the normal productcode. Note that to be 
able to run this command the phone must be switched on (since it uses MBUS 
communication) and the DAU9 cable must be connected to it (instead of the 
flasher cable).

-----------------------------
3.49 setproductsernum(sps) S1
-----------------------------

The command changes the serial number of the phone to S1. Note that to be 
able to run this command the phone must be switched on (since it uses MBUS 
communication) and the DAU9 cable must be 
connected to it (instead of the flasher cable).


-------------
4 Limitations
-------------

The phone information can only handle maximum of 16 blocks (let it be PPM, 
PMM or any other), and maximum of 512 entries in any PMM block.

---------
5 Contact
---------

If you have bright ideas, can program or simply have useful information 
about the Nokia phones, join us at:

for developers strictly:
http://groups.yahoo.com/group/knok

for users:
http://groups.yahoo.com/group/knokusers
