Is it possible to break through the DIAG port on a BREW device ?

[Moon164]

A while ago I posted that I was trying to figure out a more efficient way to unlock/jailbreak the Zeebo console by trying to figure out how the 61u.key is generated:

https://gbatemp.net/threads/im-tryi...ay-to-unlock-jailbreak-zeebo-consoles.653809/

But I haven't had much success with it.



So now I'm trying to figure out other alternatives.

The Zeebo has the BREW 4.0.2 operating system (many old cell phones use BREW 3 but I don't know of any that use BREW 4 itself) and there is a DIAG Port behind the console.

It is generally possible to access the console's DIAG Port by placing its 61u.key on an SD Card, many people use JTAG to be able to extract the console's 61u.key (or delete it from the console's memory, so the console cannot you will need it more) and in 1.1 models just place an empty usb.key on the SD Card at boot time and access to the diagnostic port will be active.

I obviously don't have the 61u.key for my console and its version is 1.2 which doesn't work with the usb.key method (I tried) but I still wanted to try to see the result:



RevSkills

After installing the drivers related to Zeebo (the driver that the Zeebo Club community gave me worked without problems, but I noticed that some old Qualcomm drivers also work, the only thing that changes from one to the other is the name "YUGA" or " Qualcomm", both drivers work exactly the same for me with Zeebo)

Well, then I tried to proceed the way you usually do when you have a Zeebo with 61u.key/USB.key on the SD Card at boot time.

As expected, RevSkills crashes. (this happens because the console is not allowing access to the diagnostic port)

DFS Port Manager

With DFS Port Manager the results were more interesting.



At first the app was just in an infinite loop "Request to Open Port / Waiting for Port..."

But then I tried a few more times removing and put tue USB cable to the console at boot time and in one of them the app actually managed to enter the Zeebo.

So I tried again a few more times, 99% of the time I was in an infinite loop with the app trying to enter the Zeebo port, but in a few rare moments I managed to enter:

But unfortunately for me, the app didn't provide me with any information, it didn't let me access the console's internal files or anything, so I think that even though I managed to log in, it didn't give me full access.



So I came to ask for help here, considering that BREW was an old Qualcomm operating system that was used on older cell phones, there probably must be some cell phone method that works with Zeebo, right?

Something that allows me to access the diagnostic port even without the 61u.key, or some way for the console to think that I have access.



It is possible ?

 

[Quincy]

the hell is a zeebo? Never heard of this console (or BREW, fwiw)

If all you are trying to do is access the internal filesystem, assuming it is contained in a single IC/EEPROM, couldn't you just physically dump out the chip with a programmer like CH341A or similar programmers?

 

[The Real Jdbye]

the hell is a zeebo? Never heard of this console (or BREW, fwiw)

If all you are trying to do is access the internal filesystem, assuming it is contained in a single IC/EEPROM, couldn't you just physically dump out the chip with a programmer like CH341A or similar programmers?

Apparently some educational game console.

 

[Quincy]

Apparently some educational game console.

Is that something like those 50-in-one "Zii" thingies you saw back in the Wii-era?

Edit: I just checked out the topic OP reffers to, and over there OP posted a whole bunch of related technical information regarding the console, this issue and 63key-files, someone with a bit more mathmatical/en-decryptical/cypheral knowledge mifght just be able to reverse-engineer the formula needed from the complete console datasets (console IMEI, serial no, generated key) (also, why do these consoles have an IMEI? Do they contain a celular modem of sorts? IMEIs are pretty much only used on phones and mobile data-modems afaik, for normal systems we usually have the adapter MAC to fulfil the role IMEI has on phones.)

edit 2: I did notice something regarding the s/ns though, which I posted to the topic OP mentions. I'll quote what I said over there here as well just in case

I do not know if you spotted this already regarding the longer serial no, but the longer ones all start with the same string BQAAF01. The s/n will be the same length as the older s/ns once you omit this part from the s/n (namely, 16 characters) so it is safe to assume that during generation either that part is omited from the new s/ns or added to the old s/ns (added to old is unlikely though, if they were going to do that the s/ns would have had that part in front of them from day 1)

 

[Moon164]

the hell is a zeebo? Never heard of this console (or BREW, fwiw)

If all you are trying to do is access the internal filesystem, assuming it is contained in a single IC/EEPROM, couldn't you just physically dump out the chip with a programmer like CH341A or similar programmers?

As I said in my other post:

https://gbatemp.net/threads/im-tryi...ailbreak-zeebo-consoles.653809/#post-10406085

Zeebo was a Brazilian console launched by TecToy, it was not a success and was only released in Brazil, China, India and Mexico which makes it quite rare.

Here you can check out all the games the console had:


And there are some very interesting videos about the console that I recommend watching if you're interested: