--------------- Created by sc0ty - sc0typl[at]gmail.com - http://sc0ty.pl ---------------

BlackBerry VSM branding file structure description
	first relased:	08/30/2010
	last updated:	09/13/2010

Structures description:
	In structures below - first	column is offset, second - size and third - description. 
	Offset and size are given in bytes. Values in every structure are in little endian 
	byte order.

File format description:
	The file consist of three sections:
	- header - first 28 bytes
	- resources
	- footer with sign (optional)
	
Header structure:
	00	4	signature (hex: 01 00 00 BC)
	04	4	resources size (must be even)
	08	4	checksum (negated CRC-32 of resources)
	0c	2	vendor id (0x01 for RIM - see below for id list)
	0e	2	always zero (0x00)
	10	4	version number in format a.b.c.d (first byte is d, last - a)
	14	8	reserved (always 0x00)

Resources description:
	There could be 0 to 65535 resources in single file. Every resource consist of 4-bytes
	header followed by data. Resources are lined up in a row - one after another. Headers
	are located only at even offsets - if it fall to an odd offset, there is an extra 
	insignificent byte added before it (normally 0x00).
	
Resource header structure:
	00	2	resource id (see below for id list)
	02	2	resource data size

Footer description:
	Footer is optional - could be or could not be included. Footer contain digital sign of
	the VSM file. Footer is always located in offset divided by four. If resources are 
	ended with offset which is not divided by four - extra bytes are added after resources
	section. These extra bytes are not included to resources size field of header nor 
	checksum. Value of this bytes are insignificent.
	At this moment I don't have any information about sign data format nor signing 
	algorithm. I've only figured out the 0x33 sign public key (1024 bit) which is:
	8F A7 61 CA 6E B6 94 5E 28 86 C5 8F 07 DF C1 63 3D E8 5C EF 3C AE B2 B5 4F 07 E6 67 
	10 C4 B2 7A 46 26 EE E0 CC 02 E2 99 A7 0E 97 55 E6 F7 78 05 86 80 69 80 FE A1 19 61 
	E5 57 79 5F A1 D8 8C 64 37 B7 E0 AB C0 83 52 9A 62 24 CB 20 9C 3D D7 A0 09 28 8A DF 
	28 AD 11 BF 5B 1A 4A 0C D2 C2 15 E2 F9 14 A2 A1 4D 67 A3 63 66 9E BC 1E 88 AB 05 2F 
	22 6E 74 92 98 7C 5E 82 AA 58 1B 60 23 BB FF A3
	If you have any information about how this sign work - please contact me.
	UPDATE: It seems the RSA-SHA1 algorithm is used to sign file.
 	
Footer structure:
	00	 4	footer signature (hex: 1F 2D C8 D7)
	04	 4	signer id (always 0x33) 
	08	 4	sign size (always 0x80)
	0c	80	sign data

Resource id list:
	 id		 description
	------	--------------
	0x0000	FIELD_BITMAP_1_DATA
	0x0001	FIELD_BITMAP_1_TIMEOUT
	0x0002	FIELD_BITMAP_2_DATA
	0x0010	FIELD_ENGINEERING_UNIT
	0x0011	FIELD_SUPPRESS_SOS
	0x0013	FIELD_BETA_TEST
	0x0014	FIELD_EVALUATION_UNIT
	0x0015	FIELD_SUPPORT_DIRECT_DIAL_SEND
	0x0016	FIELD_ONS_RENDER_MODE
	0x0017	FIELD_DISABLE_VOLUME_BOOST
	0x0018	FIELD_DISABLE_BLACKBERRY_PROTECTION_MODE
	0x1000	FIELD_WELCOME_MESSAGE_SUBJECT_ISO8859
	0x1001	FIELD_WELCOME_MESSAGE_BODY_ISO8859
	0x1002	FIELD_WELCOME_MESSAGE_FROM_ISO8859
	0x1003	FIELD_WELCOME_MESSAGE_SUBJECT
	0x1004	FIELD_WELCOME_MESSAGE_BODY
	0x1005	FIELD_WELCOME_MESSAGE_FROM
	0x1100	FIELD_DEVICE_MESSAGE_SUBJECT
	0x1101	FIELD_DEVICE_MESSAGE_BODY
	0x1102	FIELD_DEVICE_MESSAGE_FROM
	0x1200	FIELD_TOP_TIPS_MESSAGE_SUBJECT
	0x1201	FIELD_TOP_TIPS_MESSAGE_BODY
	0x1202	FIELD_TOP_TIPS_MESSAGE_FROM
	0x2000	FIELD_ESCREEN_HELP_MSG
	0x3000	FIELD_PROVISIONING_IP
	0x3001	FIELD_PROVISIONING_DEST_PORT
	0x3002	FIELD_PROVISIONING_SRC_PORT
	0x3003	FIELD_PROVISIONING_APN
	0x3004	FIELD_PROVISIONING_DEVICE_CLASS
	0x3005	FIELD_PROVISIONING_APN_USERNAME
	0x3006	FIELD_PROVISIONING_APN_PASSWORD
	0x3007	FIELD_PROVISIONING_FLAGS
	- 0x1	FLAG_PROVISIONING_DONT_SEND_MSISDN
	- 0x2	FLAG_PROVISIONING_DONT_SEND_ICCID
	- 0x4	FLAG_PROVISIONING_SEND_SPN
	- 0x8	FLAG_PROVISIONING_RIM
	- 0x10	FLAG_PROVISIONING_SEND_EMPLOYEE_ROLE_FEATURE_INFO
	- 0x20	FLAG_PROVISIONING_DONT_SEND_AIRTIME_USAGE_STATS
	- 0x40	FLAG_PROVISIONING_INFO_LEVEL_1
	- 0x80	FLAG_PROVISIONING_INFO_LEVEL_2
	0x3100	FIELD_2ND_PROVISIONING_IP
	0x3101	FIELD_2ND_PROVISIONING_DEST_PORT
	0x3102	FIELD_2ND_PROVISIONING_SRC_PORT
	0x3103	FIELD_2ND_PROVISIONING_APN
	0x3104	FIELD_2ND_PROVISIONING_DEVICE_CLASS
	0x3105	FIELD_2ND_PROVISIONING_APN_USERNAME
	0x3106	FIELD_2ND_PROVISIONING_APN_PASSWORD
	0x3107	FIELD_2ND_PROVISIONING_FLAGS
	- see 0x3007 flags description
	0x3500	TCP_APN_DEFAULT_APNNAME
	0x3501	TCP_APN_DEFAULT_USERNAME
	0x3502	TCP_APN_DEFAULT_PASSWORD
	0x3600	FIELD_CDMA_IIF_APN
	0x3601	FIELD_CDMA_IIF_APN_USERNAME
	0x3602	FIELD_CDMA_IIF_APN_PASSWORD
	0x3800	FIELD_PRIMARY_WIRELESS_ACCESS_FAMILY
	- 0x1	WAF_3GPP
	- 0x2	WAF_CDMA
	- 0x3	WAF_WLAN
	- 0x4	WAF_IDEN
	0x4000	FIELD_BRANDING_WAP_ICON
	0x4001	FIELD_BRANDING_TUNE
	0x4002	FIELD_BRANDING_TUNE_NAME
	0x4003	FIELD_BRANDING_KEY
	0x4004	FIELD_BRANDING_TUNE_MIDI
	0x4005	FIELD_BRANDING_WAP_SPLASH
	0x4006	FIELD_BRANDING_TUNE_CONTENT_DATA
	0x4007	FIELD_BRANDING_TUNE_CONTENT_TYPE
	0x4100	FIELD_BRANDING_BROWSER_ICON_0
	0x4101	FIELD_BRANDING_BROWSER_ICON_1
	0x4102	FIELD_BRANDING_BROWSER_ICON_2
	0x4103	FIELD_BRANDING_BROWSER_ICON_3
	0x4104	FIELD_BRANDING_BROWSER_ICON_4
	0x4105	FIELD_BRANDING_BROWSER_ICON_5
	0x4106	FIELD_BRANDING_BROWSER_ICON_6
	0x4107	FIELD_BRANDING_BROWSER_ICON_7
	0x4108	FIELD_BRANDING_BROWSER_ICON_8
	0x4109	FIELD_BRANDING_BROWSER_ICON_9
	0x4200	FIELD_IDLESCREEN_CONTENT_TYPE	(depreciated)
	0x4201	FIELD_IDLESCREEN_CONTENT_DATA	(depreciated)
	0x4202	FIELD_BRANDING_IGNORE_INTEL_SPLASH
	0x4300	FIELD_BROWSER_UAPROF_URI
	0x5000	FIELD_HELP_WMLC
	0x5100	FIELD_PREFERRED_PLMN_FEATURE
	- 0x0	VALUE_PREFERRED_PLMN_DISABLED
	- 0x1	VALUE_PREFERRED_PLMN_ENABLED
	0x5200	PHONE_BOOT_URL
	0x5201	PHONE_BOOT_NAIURL
	0x5202	BROWSER_DOMAIN_TRUSTED
	0x5203	BROWSER_PROXY_WDP
	0x5300	FIELD_CELL_BROADCAST
	0x5301	FIELD_CELL_BROADCAST_ALWAYS_POPUP
	0x6000	FIELD_MESSAGE_LIST_OPTIONS_AUTO_ATTACHMENT_DOWNLOAD_ENABLED
	0x6001	FIELD_MESSAGE_LIST_OPTIONS_AUTO_ATTACHMENT_DOWNLOAD
	0x6002	FIELD_MESSAGE_LIST_OPTIONS_AUTO_ATTACHMENT_DOWNLOAD_HIGH_SPEED_NETWORK
	0x7000	FIELD_OMA_CLIENT_PROVISIONING_DOCUMENT
	0x7010	FIELD_GAN_SECURE_GATEWAY
	0x7011	FIELD_GAN_CONTROLLER
	0x7020	FIELD_GAN_ROOT_CERT_1
	0x7021	FIELD_GAN_ROOT_CERT_2
	0x7022	FIELD_GAN_ROOT_CERT_3
	0x7023	FIELD_GAN_ROOT_CERT_4
	0x7026	FIELD_GAN_WLAN_THRESHOLD
	- 0x0	VALUE_GAN_ROVE_THRESHOLD_LOW
	- 0x1	VALUE_GAN_ROVE_THRESHOLD_MEDIUM
	- 0x2	VALUE_GAN_ROVE_THRESHOLD_HIGH
	0x7027	FIELD_GAN_SIGNAL_STRENGTH_THRESHOLD
	0x7028	FIELD_GAN_SIGNAL_QUALITY_THRESHOLD
	0x7029	FIELD_GAN_PROTOCOL_VERSION
	- 0x0	VALUE_GAN_PROTOCOL_VERSION_UMA_1_0_0
	- 0x1	VALUE_GAN_PROTOCOL_VERSION_UMA_1_0_1
	- 0x2	VALUE_GAN_PROTOCOL_VERSION_UMA_1_0_2
	- 0x3	VALUE_GAN_PROTOCOL_VERSION_UMA_1_0_3
	- 0x4	VALUE_GAN_PROTOCOL_VERSION_UMA_1_0_4
	- 0x5	VALUE_GAN_PROTOCOL_VERSION_3GPP_rev6
	0x7030	FIELD_WLAN_DISABLED
	0x7031	FIELD_WLAN_ENTERPRISE_DATA_DISABLED
	0x7032	FIELD_WLAN_ENTERPRISE_DATA_FLAG_OVERRIDES_IT_POLICY
	0x7033	FIELD_WLAN_LAYER3_AUTH_KEY 

Vendor id list:
	hexdec	dec	vendor name
	------	---	-----------
	0x01	1	RIM
	0x64	100	T_MOBILE_US
	0x65	101	CINGULAR_WIRELESS
	0x66	102	AT_T_WIRELESS
	0x67	103	NEXTEL
	0x68	104	SPRINT_PCS
	0x69	105	VERIZON_WIRELESS
	0x6a	106	ALLTEL
	0x6b	107	ROGERS_AT_T
	0x6c	108	MICROCELL
	0x6d	109	BELL_MOBILITY
	0x6e	110	BT_CELLNET
	0x6f	111	O2_GERMANY
	0x70	112	DIGIFONE
	0x71	113	TELFORT
	0x72	114	T_MOBILE_GERMANY_AUSTRIA
	0x73	115	TIM_ITALY
	0x74	116	HUTCHISON
	0x75	117	BOUYGUES_TELECOM
	0x76	118	VODAFONE_SFR_FRANCE
	0x77	119	ORANGE_FRANCE
	0x78	120	VODAFONE_UK_NETHERLANDS
	0x79	121	TELCEL_MEXICO
	0x7a	122	TELSTRA
	0x7b	123	T_MOBILE_UK
	0x7c	124	VODAFONE_GERMANY
	0x7d	125	O2_UK_IRELAND_ISLE_OF_MAN_NETHERLANDS
	0x7e	126	TELUS
	0x7f	127	SMART
	0x80	128	STARHUB
	0x81	129	TELEFONICA_SPAIN
	0x82	130	VODAFONE_SWITZERLAND_SWISSCOM
	0x83	131	CABLE_WIRELESS_WEST_INDIES
	0x84	132	VODAFONE_ITALY
	0x85	133	VODAFONE_SPAIN
	0x86	134	T_MOBILE_NETHERLANDS
	0x87	135	CINCINNATI_BELL
	0x88	136	TELEFONICA_MEXICO
	0x89	137	VODAFONE_AUSTRIA
	0x8a	138	VODAFONE_AUSTRALIA_FIJI
	0x8b	139	VODAFONE_IRELAND
	0x8c	140	TELENOR_SWEDEN
	0x8d	141	CSL
	0x8e	142	ORANGE_UK
	0x8f	143	VODAFONE_NEW_ZEALAND
	0x90	144	SINGTEL
	0x91	145	GLOBE
	0x92	146	OPTUS
	0x93	147	ORANGE_BE_MOBISTAR
	0x94	148	VODAFONE_HUNGARY
	0x95	149	BHARTI
	0x96	150	KPN_NL
	0x97	151	WIND_HELLAS_TIM_GREECE
	0x98	152	VODAFONE_BELGIUM
	0x99	153	VODAFONE_PORTUGAL
	0x9a	154	TIM_BRAZIL
	0x9b	155	BT_MOBILE
	0x9c	156	EARTHLINK
	0x9d	157	AETHER
	0x9e	158	E_PLUS
	0x9f	159	BASE
	0xa0	160	DOBSON_COMMUNICATIONS
	0xa1	161	VODAFONE_EGYPT
	0xa2	162	ORANGE_SWITZERLAND
	0xa3	163	RIM_WLAN
	0xa4	164	T_MOBILE_SUNCOM
	0xa5	165	MAXIS
	0xa6	166	VODAFONE_DENMARK_TDC
	0xa7	167	VODAFONE_SINGAPORE_M1
	0xa8	168	VODACOM_SOUTH_AFRICA
	0xa9	169	T_MOBILE_POLAND
	0xaa	170	T_MOBILE_CZECH
	0xab	171	T_MOBILE_HUNGARY
	0xac	172	AT_T_SPRINT
	0xad	173	MTN_SOUTH AFRICA
	0xae	174	TIM_CHILE_ENTEL_PCS
	0xaf	175	ORANGE_SPAIN
	0xb0	176	VODAFONE_SMARTONE_HONG_KONG
	0xb1	177	TCS_TELECOMMUNICATION_SYSTEMS
	0xb2	178	AVEA
	0xb3	179	FAST_100
	0xb4	180	TURKCELL
	0xb5	181	PARTNER_COMMUNICATIONS
	0xb7	183	ORANGE_ROMANIA
	0xba	186	TELKOMSEL
	0xbc	188	VODAFONE_GREECE
	0xbd	189	UNITED_STATES_CELLULAR_CORP
	0xbe	190	MOBILINK
	0xbf	191	VELOCITA_WIRELESS
	0xc0	192	VODAFONE_CROATIA
	0xc1	193	VODAFONE_SLOVENIA
	0xc2	194	VODAFONE_LUXEMBOURG
	0xc3	195	VODAFONE_ICELAND
	0xc4	196	VODAFONE_FIJI
	0xc5	197	VODAFONE_ROMANIA
	0xc6	198	VODAFONE_CZECH
	0xc7	199	VODAFONE_BAHRAIN
	0xc8	200	VODAFONE_KUWAIT
	0xc9	201	T_MOBILE_CROATIA
	0xca	202	T_MOBILE_SLOVAKIA
	0xcb	203	NORTEL
	0xcc	204	CHINA_MOBILE
	0xcd	205	MOVILNET
	0xd1	209	SYMPAC
	0xd2	210	PERSONAL_ARGENTINA
	0xd4	212	ETISALAT_UAE
	0xd5	213	CBEYOND
	0xd6	214	AMX
	0xd7	215	TELEFONICA_VENEZUELA
	0xd8	216	TELEFONICA_BRAZIL
	0xd9	217	ORANGE_ROMANIA
	0xda	218	KTPOWERTEL_KOREA
	0xdb	219	ROLLING_STONES
	0xdc	220	DOCOMO
	0xde	222	VODAFONE_BULGARIA
	0xdf	223	NEXTEL_INTERNATIONAL
	0xe0	224	PCCW_SUNDAY
	0xe1	225	HAWAIIAN_TELCOM_CREDO_MOBILE
	0xe2	226	VERIZON_MVNO
	0xe3	227	MOBILY
	0xe4	228	BWA
	0xe5	229	O2_CZECH_REPUBLIC
	0xe6	230	HUTCHISON_INDIA
	0xe7	231	CELCOM
	0xea	234	DIALOG
	0xeb	235	XL
	0xec	236	RELIANCE
	0xed	237	VERIZON_WIRELESS_WHOLESALE
	0xee	238	VODAFONE_TURKEY
	0xef	239	TELEFONICA_MOROCCO_MEDITEL
	0xf0	240	INDOSAT
	0xf1	241	ALCATEL_SHANGHAI_BELL
	0xf5	245	3_UK_ITALY_SWEDEN_DENMARK_AUSTRIA_IRELAND
	0xf7	247	VODAFONE_ESSAR
	0xf8	248	CENTENNIAL_WIRELESS
	0xfa	250	T_MOBILE_AUSTRIA
	0xfe	254	OI_BRAZIL
	0xff	255	TELECOM_NEW_ZEALAND
	0x102	258	HUTCHINSON_3G_AUSTRALIA
	0x103	259	CABLE_&_WIRELESS_TRINIDAD_TOBAGO
	0x10c	268	BMOBILE
	0x10d	269	TATA_TELESERVICES_INDIA
	0x10f	271	T_MOBILE_CROATIA
	0x111	273	BT_ITALY
	0x112	274	1&1
	0x115	277	MTS_MOBILITY
	0x116	278	VIRGIN_MOBILE
	0x118	280	ORANGE_SLOVAKIA
	0x11a	282	TAIWAN_MOBILE
	0x11d	285	ORANGE_AUSTRIA
	0x11e	286	VODAFONE_MALTA
	0x120	288	BASE_JIM_MOBILE
	0x127	295	CMCC_PEOPLES
	0x12a	298	DIGITEL_WIRELESS
	0x12b	299	SK_TELECOM
	0x12c	300	SOLO_MOBILE
	0x12d	301	CARPHONE_WAREHOUSE
	0x12e	302	20:20_MOBILE_GROUP
	0x134	308	XL_INDONESIA
	0x135	309	FIDO_SOLUTIONS
	0x136	310	WIND_ITALY
	
Links:
	- vsm resources description:
	http://www.blackberry.com/developers/docs/4.5.0api/net/rim/device/api/system/Branding.html
	- topic about hacking vsm files (gsmhosting forum):
	http://forum.gsmhosting.com/vbb/f83/debranding-hacking-vsm-files-659457/
	- blog about hacking blackberry devices:
	http://drbolsen.wordpress.com/

Thanks to elseWestcott, BellVictim and Dr. {B0lsen} for their reverse engineering vsm files
	and blackberry security & cryptographic issues.
	
--------------- Created by sc0ty - sc0typl[at]gmail.com - http://sc0ty.pl ---------------