Nokia 105 RM908 ext...
 
Notifications
Clear all

Nokia 105 RM908 extract data from HEX

9 Posts
2 Users
0 Likes
1,414 Views
(@aikon)
Posts: 8
Active Member
Topic starter
 

Dear all,

Would like to ask for help, info or guidelines in trying to extract SMSs and contacts from a whole dump file of a Nokia 105 RM-908 (8MB in total). Had to do a chip off since the device was heavily damaged beyond repair and this was the only way. Did manage to read a couple of the messages and contacts using a HEX editor however I need also the exact dates and recipients to where the messages were sent. I know it is not an easy task but willing to go for it.

In particular I can view a message of relative importance and apparently even the recipient. Regards the date, (having no particular schema to follow as in later devices) assumed it must be somewhere near the message start zone. Further searching yielded a possible date however unsure if I did the right steps….. converted 4 particular HEX bytes to decimal and then this epoch value to a human date. Yet here am unsure if this is correct or not as have no idea if this can be applied to such a Nokia model.

Also noticed that this particular message text is different from the others found. For instance if the text should be HELLO it is H.E.L.L.O for some reason. The dots have left me questioning why…Could it have been deleted and this is the reason?

One other possibility in solving this but unsure if it might give any solution is to build up a flash file using the PMM of this file and use it in another similar one with the same version and view the info from it.

Thanks for any help and your time.

 
Posted : 27/01/2020 8:45 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Also noticed that this particular message text is different from the others found. For instance if the text should be HELLO it is H.E.L.L.O for some reason. The dots have left me questioning why…

That often is an artifact of the hex viewer, most by default render hex values corresponding to non-printable chaacters as dots, but they aren't dots, likely they may be 00's and the text might be saved in Unicode.

Try the following
1) open worpad
2) type in it HELLO
3) save the file as myhello.txt (unicode text)
4) open the myhello.txt with your hex editor/viewer

What happens?

Could it have been deleted and this is the reason?

Hmmm, it would be an interesting approach to deletion, particularly when free space is limited …

jaclaz

 
Posted : 27/01/2020 11:49 am
(@aikon)
Posts: 8
Active Member
Topic starter
 

Thanks for the reply Jaclaz.

Indeed, tried that and there is no dot (.) in between the letters once opened up in a HEX editor. This COULD mean that the message might have been deleted.

 
Posted : 27/01/2020 3:34 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

This COULD mean that the message might have been deleted.

No, it would make no sense whatever.

Commonly "deleting" means "delisting" or "de-addressing" a file object in the filesystem structure (leaving the actual object where it is, as opposed to wiping where the object is overwritten with 00's or with a given or random hex pattern).

This approach is historically taken because de-listing involves writing one or at the most a bunch of bytes to the mass storage device.

If you wipe you need to write at least the same amount of bytes as the size of the object and this is
1) slower
2) stupidly wearing the device for no advantage

IF the deleting involved taking the original content and interspersing it with hex values it would mean that for each byte you read the byte, shift it one postion, insert the hex value and write back the result, it is at the very least one read and two writes for each byte, hence it is at byte level at the very least twice as slow as wiping, and even using cache it will be at the most as fast as (please read as "as slow as") wiping and procure at least double the wear on the underlying device (as the obhect would result twice its previous size).

I doubt that in a hex editor your "HELLO" looks like

48 2E 45 2E 4C 2E 4C 2E 4F 2E

(2E is the hex value corresponding to the ASCII "dot"), as it is very common that it will look like

48 00 45 00 4C 00 4C 00 4F 00

(which is a "normal" Unicode string)

but of course everything is possible.

jaclaz

 
Posted : 27/01/2020 4:05 pm
(@aikon)
Posts: 8
Active Member
Topic starter
 

seems it will remain a mystery why the (.) is there. For sure the user did not press a (.) after each letter. Weirdly enough, I could only find 2 messages in the whole dump and the other one has 2 versions…. one with a (.) and one without.

 
Posted : 27/01/2020 5:34 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

seems it will remain a mystery why the (.) is there. For sure the user did not press a (.) after each letter. Weirdly enough, I could only find 2 messages in the whole dump and the other one has 2 versions…. one with a (.) and one without.

Which hex code corresponds in the hex editor to the dot?

00?

2E?

Something else?

jaclaz

 
Posted : 27/01/2020 6:13 pm
(@aikon)
Posts: 8
Active Member
Topic starter
 

00 mate

 
Posted : 27/01/2020 6:31 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

00 mate

And then - for *some* reasons - and as expected the message (or a copy of it) was saved as Unicode or however in a two byte per character encoding.

And it also means - as expected - that your hex editor does actually render 00's as dots.

We are now cruising at an improbability level of two to the power of twenty-five thousand to one against and falling, and we will be restoring normality as soon as we are sure what is normal anyway.

jaclaz

 
Posted : 27/01/2020 6:44 pm
(@aikon)
Posts: 8
Active Member
Topic starter
 

Using Hexinator V1.11. Personally I find it really good.

 
Posted : 27/01/2020 7:21 pm
Share: