It took a small group effort, but we cracked it.
Problem 1: Bug in limitation to %UREG command
First of all, on 4.20 they check to see whether the %UREG request lies within certain bounds as follows:
AT%UREG?addr,len:
if (addr < 0x3ef000 || addr > 0x3ef007) return(0);
if ((addr+len) < 0x3ef000 || (addr+len) > 0x3ef007) return(0);
Now because addr and len are both 32 bits, we can make use of the wrap (negative in effect). After the test above the maximum length will be limited to 100 (0x64).
So for instance:
AT%UREG?3FE004,FFFFFFFF
will read 100 bytes from 0x3FE004, clearly outside the range UREG was meant to be restricted to.
Problem 2: Obfuscation too easy
When executing the command above: after 74 bytes of FF, the obfuscated result code is displayed. The information needed to get the unlock code is contained twice, in the format ABCDABCDEFGHEFGH if a different letter is assigned to each unique nibble. Nibbles are first swapped to make EHAFGBCD. Then bit 3 of nibbles H, F and B is rotated left, so that nibble H gets bit 3 from F and so forth. After this, the whole 4 byte value is rotated into the lower bit. The result is the 8 digit unlock code in BCD, which can be supplied to the unlock command:
Code:
AT%SIDLCK=0,<8-digit unlock code>
Commentary:
Nice try: took us 2 person-days, probably still less than it took to think up, define, approve and program. :twisted:
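The wrap described in Problem 1, as an added example (not code from the post or from the phone firmware): the vulnerable check transcribed from above next to a hardened form, with the post's window of 0x3ef000..0x3ef007 and its post-check clamp of 100 bytes. The request address 0x3ef004 is constructed to sit inside that window (the post's own 3FE004 lies outside the bounds as quoted), and the length FFFFFFFF is the one the post uses.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Window the post says %UREG was meant to be restricted to. */
#define UREG_LO 0x3ef000u
#define UREG_HI 0x3ef007u
/* Cap applied only after the bounds test, as the post describes. */
#define UREG_MAX_LEN 100u

/* Vulnerable check, transcribed from the post: both tests compute addr+len
 * in 32-bit arithmetic, so a huge len wraps addr+len back inside the window. */
static bool ureg_check_vuln(uint32_t addr, uint32_t len)
{
    if (addr < UREG_LO || addr > UREG_HI) return false;
    if ((addr + len) < UREG_LO || (addr + len) > UREG_HI) return false;
    return true;
}

/* Bytes the firmware would actually read once the test is passed. */
static uint32_t ureg_effective_len(uint32_t len)
{
    return len > UREG_MAX_LEN ? UREG_MAX_LEN : len;
}

/* Hardened check: never form addr+len. Compare len against the room left in
 * the window, which cannot overflow because addr is already known to be inside. */
static bool ureg_check_fixed(uint32_t addr, uint32_t len)
{
    if (addr < UREG_LO || addr > UREG_HI) return false;
    uint32_t room = UREG_HI - addr + 1u;   /* at most 8 */
    if (len == 0 || len > room) return false;
    return true;
}

/* True when a request passes the given check yet touches bytes past UREG_HI.
 * The last address is computed in 64 bits so this helper itself cannot wrap. */
static bool reads_outside_window(bool (*check)(uint32_t, uint32_t),
                                 uint32_t addr, uint32_t len)
{
    if (!check(addr, len)) return false;
    uint64_t last = (uint64_t)addr + ureg_effective_len(len) - 1u;
    return last > UREG_HI;
}

int main(void)
{
    /* Constructed request: addr inside the window, len = 0xFFFFFFFF so that
       addr+len wraps to addr-1 and both range tests pass. */
    uint32_t addr = 0x3ef004u, len = 0xFFFFFFFFu;
    printf("vulnerable check accepts: %d, reads past window: %d\n",
           ureg_check_vuln(addr, len),
           reads_outside_window(ureg_check_vuln, addr, len));
    printf("fixed check accepts:      %d\n", ureg_check_fixed(addr, len));
    return 0;
}
```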
The new version of The Manipulator, online now, supports unlocking of Radio Stack 4.20.
Yippee... the manipulator works for 4.20 !!!!!
Hi,
I must be a very lucky guy.
Just received my xda today (64mb ram, 4.20.00 radio version, 3.16.32 ENG rom, dated 2/13/03) and was fiddling with it about half an hour ago with the former xda manipulator program (ver 1.02) which recorded error messages and couldn't work. Then I looked into the net and found this posting just made (at 10.30 pm) and was the number 6 person to view the posting; downloaded the new manipulator and hey presto - the xda is unlocked !!!!
Only one thing though - don't see the gid lock, the imei number and the call timer entries in this new program (ver 1.1) which were present in the ver 1.02 program. Not a problem for me though as long as I could use the phone on my Vodafone sim.
Anyway, thank you so much for the hard work in cracking the 4.20; really appreciate it. Well done and keep up the magnificent work.
Cheers
Yup - it works a treat - unlocked in 10 seconds.
WELL DONE guys - thanks so much for all your input here. I now have an XDA that is truly useful and versatile.
BRILLIANT!!
Rog
Just tried 1.1 on 6 phones, all with 4.20. Five of them unlocked no problem, but one of them, for some strange reason, didn't work, it read the sid code, but the one that it came back with was only 6 digits long, and when pressing "UNLOCK" nothing more happened. All the other codes were about 8 digits long. I tried entering the code manually, but it just came back saying it was incorrect!!!
Anyone come across this??
Many thanks in advance
Hmmm. It could be that the code (or the second half of it) starts with two zeroes, and now that you mention it: the manipulator doesn't display (or unlock with) leading zeroes.
Could you try that six digit code with two leading zeroes, and (if that doesn't work) insert the zeroes in the six digit number as follows XXXX00XX or as follows 0XXX0XXX. Tell me if that's it, please...
(Expect 1.11 of The Manipulator in the next day or two...)
IMEI Change
Great work guys, I'll be unlocking my xda as soon as I get the serial cable. It is a combined serial and USB cable (ordered from Expansys), so if anyone has experience with this not working then let me know, otherwise I'll post here to let you know if it worked or not.
I would like to know if there are any plans to make a version of the communicator that will change the imei.
If not will commands from hyperterminal work? (Sorry if this is not currently possible, I haven't been motivated to look it all up but will be if it is possible to change the IMEI through this.)
I know that the version of Hyperterminal that comes with 2k and XP is more limited than the one in 95 and 98, so would another terminal emulation program do the job better (Reflections 420 for example)?
Thanks again for the great work.
How do you find all this stuff out?? How do I learn?
Minesh
@Peter Poelman ur a blinking genius mate, it was the last method (0XXX0XXX)
So now I've done 11 phones (R4.20), and all 11 unlocked, pretty good success rate I reckon
Keep up the great work guys
Re: IMEI Change
MineshT said:
I would like to know if there are any plans to make a version of the communicator that ill change the imei.
Manipulator (I assume that's what you mean) does change the IMEI, but not on 4.20 phones, because we can't easily reach the memory range. In fact we have ways to do it, but we didn't yet feel like doing the necessary programming work before they lock us out completely.
If not will commands from hyperterminal work?
There's no easy (or medium-hard) way to change the IMEI on 4.20 phones.
How do you find all this stuff out?? How do I learn?
In this specific case, we looked at the ARM machine-code in the 4.20 binary contained in S-record form in the RSU upgrade package, using IDA (a disassembler program). We then figured out the %UREG restriction was lacking. Looking at the obfuscated code we figured we could break it without looking at further code (and the phone binary code guru was unavailable for the day), so we cracked it by just staring at enough possibilities. (We could set and reset the lock using different codes with AT%SIDLCK).
Not sure hacking phones is a specific skill one can learn. Even though we're mostly still pretty young, most of us are very experienced software developers, senior security experts. Electronics, programming and reverse-engineering experience of 20-25 years in some cases. But there are pretty good texts out there that describe disassembling other people's code, understanding embedded hardware and other areas of expertise you'd need.
Reverse-engineering needs a lot of the same skills that 'forward-engineering' does. If you have the skills needed to build something, you can begin to take it apart.
Current issues with The Manipulator
The Manipulator currently does not unlock phones which were locked and then user-upgraded to 4.20. So unlock first and then upgrade. Also, please read hotentot's post and my reply above for a problem that appears when the code has zeroes in certain positions.
Both issues will be addressed in the next version, due in a few days, when I know there's no other things that need fixin'.
Related
Hi All
Sitting here with my 64MB XDA trying to unlock it.
Manipulator seems not to work. If I use it I get error in all fields.
Going into bootloader and using Hyperterminal I can get communication OK .... see the following...
******************************************************
InitDebugSerial using SERIAL PORT 2
******************************************************
HTC Bootloader for [Wallaby] Version:5.15
Copyright (c) 1998-2001 High Tech Computer Corporation
Built at: Jun 6 2002 20:29:17
CPU speed = 206 MHz
DRAM speed = 103 MHz
Hardware platform = 2; (0:VT, 1:Pre-PV, 2:V, 3:Panasonic LCD, 4:Reserved)
Get resp timeout err, status is 42
Receive Response error, cmd = 41, arg = FFC000
comd1 No Response
Block size = 512 BYTES
Total blocks in Card: 488320 = 244160k bytes
No legal identify flag in SD Card
Wait for turn on GSM...
GSM Turn on time = 1868 ms
FW 0:12:19>dualser
Wait for turn on GSM...
GSM already on -> RESET !!
GSM turn on successed!!
GSM RESET...
AT-Command Interpreter ready
Screen on XDA is sitting there with GSM turn ON success.
So dualser is sending the XDA into AT mode OK. However if I type in the AT%UREG?3FE00C,4 command the XDA simply returns ERROR.
What am I doing wrong???
HELP!!!
Not sure what the problem is. Try running The Manipulator and see if it unlocks it.
Hi
I have tried the Manipulator several times.
The phone goes from Wallaby to GSM success OK.
The phone 'clicks' a couple of times.
The Manipulator screen shows:
Status : Reading data from phone
SID ERROR
GID ERROR
No IMEI
timer <non-zero>
and that's it - nothing more can be done.
I have tried the software on three different computers and the same result.
Running ROM 3.14.13 ENG
Radio 4.20
Protocol version 32S54
Phone is only a few weeks old and is 64MB version.
Everything else works fine on it. IMEI number shows on device information. Radio turns on and asks for SIM unlock code OK.
Running Tom Tom Nav2, Fonix etc on it and all 100%.
If I use Hyperterminal then you get the results as above. If you type ? rather than dualser then the list of commands comes back as it should do.
Really Weird.
Any thoughts as to what I can try next???
Rog
Just an afterthought...
Could it be to do with Radio 4.20???
Has anyone unlocked an XDA yet with this version of Radio??? Could they have altered the access to the SID in some way with this release??
Rog
Sorry to be a pain here but has anyone ANY ideas as to what to do from here???
(If I use an O2 card then the phone is fine so it's not a hardware fault).
Have none of you XDA-Developer guys a clue or advice on this??
Rog
4.20
http://xda-developers.com/phpBB/viewtopic.php?t=896
Re: 4.20
apart from the machine are there any programs specific to the xda?
dagaul, your advertising links are not welcome as far as I am concerned. The admins of this board keep it ad free and you come along with a whole bunch of them in your signature. It doesn't affect me directly but this board isn't here to carry your money making advertisements, why don't you set up a website yourself for that purpose?
Rant over. :evil: :evil: :evil: :shock: :shock: :roll: :roll:
Does every XDA II have a unique ID ?
If yes, is there a way to change that via software ?
Every XDA II has a unique IMEI number. You can find this underneath the battery in the back.
You *may* be able to query it in software by using a TAPI call:
lineGetGeneralInfo
http://msdn.microsoft.com/library/d...s/guide_ppc/htm/extapi_linegetgeneralinfo.asp
I haven't looked into it much, but I very much doubt you can change it.
there is also a unique id in the Disk-On-Chip chip.
Finding IMEI
Dialing *#06# will give you the same IMEI result as looking under the battery.
Sounds worse than I expected. Can anyone think of a way that both, the disk-on-chip ID and the IMEI number could be masked, changed, or hidden ?
PARANOIA.... but as always with these things, better be prepared.....
I don't know how yet, but the imei is derived from data in a flashable rom area, so in theory it should be possible to modify it.
the disk-on-chip id is in true read-only memory.
though you may be able to trick applications into thinking it has changed by modifying the trueffs.dll driver.
afaik imei is not changeable. every phone has a separate imei and it will be sent, also with cardnumber, at every call to your provider .
for paranoia buy a phone and card on a flea market.
changing the imei is a matter of finding the place in the gsm rom where it is decoded from the data in rom.
you can either modify that code, or figure out the encoding, and change the encoded imei in rom.
not that it is easy, it involves some serious reverse engineering, but possible. we did it for the xda-1 too.
I understand that there is also some kind of checksum applied to the imei so putting any old numbers won't work on some phones, in fact it renders the phone useless, I don't know if this applies to the XDA2 although the XDA1 was very casual about the imei number, no checks whatsoever were carried out, even had my birthday as an imei in my old xda.
Any one interested in writing a utility to mask those numbers or even to change them at leisure ?
itsme said:
changing the imei is a matter of finding the place in the gsm rom where it is decoded from the data in rom.
you can either modify that code, or figure out the encoding, and change the encoded imei in rom.
not that it is easy, it involves some serious reverse engineering, but possible. we did it for the xda-1 too.
Itsme, as it has been done for the XDA 1, is there any chance it will be done for the XDA 2 ?
Laws differ from country to country, and I don't even want to go THERE...
But it would be remiss of me, not to point out that SIM unlocking is perfectly legal in the UK.
BUT, in the UK, to change an IMEI on a handset is illegal, and carries a 5 year prison sentence.
Other countries can be quite different I'm led to believe though.
a while back ( 5 years or so ) I read a story about how they were identifying phones by fingerprinting the analog signal from the transmitter. apparently small differences in the analog parts make each phone uniquely identifiable.
hey itsme
do you still have this article... I would be very interested to read it...
I can not believe this... Honestly... this is impossible (and I do believe in aliens)
Neither the PA nor the RF of a mobile phone has any kind of serial register or an area where you could influence the signal to finger print it,
next thing that the signal gets heavily disturbed while transmitted, they are happy enough if they find the normal payload ;-)
or was it 4 year and 50 weeks ago ;-)
Alex
it was not explicitly made different, just that analog parts are never exactly the same.
found it:
http://iwce-mrt.com/ar/radio_fight_cellular_cloning/
not sure if it would still work, in 7 years, cellphone technology has changed quite a bit.
if you search for 'radio frequency fingerprinting' on google you will find more on it.
chuck said:
as it has been done for the XDA 1, is there any chance it will be done for the XDA 2 ?
I'd say chance of 90%, where the 10% is for taking into account I didn't actually do it. The new method of unlocking the XDA 2 pretty much allows you to change all values in the phone.
hi itsme
I called our rf-radio specialists... they never heard about it and do not think it is possible.
Seven years ago the radio of a mobile did indeed consist of many (hundreds of) discretes which all of course have a tolerance, nowadays the whole radio fits into a single chip with some discretes around.
The quality of the radio also has greatly improved so the difference between manufacturers has become so small that it is not possible to judge different radios by their signals.
Another thing just came to my mind... this article is from America, here they use and used analog cell-phones... I am pretty sure this technology refers to the analog cellphone standard and not to a GSM one...
hey the more I think about it the more I like this explanation...
Now I can sleep better...
Alex
W4XY, do you know from experience if any checksum is used with the imei in the XDA2 or is it the same as the xda1 where just about any number could be used?
I have no true idea if the algorithm is different for the IMEI in the XDA 2 as I have not looked at that in particular, but I suspect it will be the same as a lot of other stuff is still the same too.
An IMEI is supposed to satisfy a Luhn check - which is the same checksum algorithm as used for Credit Cards.
Useless fact: the number printed on a SIM card also satisfies the same check.
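W4XY's Luhn statement checked in code, as an added example (not from the thread): a Luhn validator for a 15-digit IMEI (14 digits of TAC+SNR plus one check digit) and a helper that derives the check digit for a 14-digit body. The sample number 350314010000009 is the generic IMEI David quotes later in this thread; the transposed variant is constructed to show a single swap failing the check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Luhn check over a digit string: walking from the right, double every second
 * digit, subtract 9 from any result above 9, and require sum % 10 == 0. */
static bool luhn_valid(const char *digits)
{
    size_t n = strlen(digits);
    int sum = 0;
    bool dbl = false;                  /* rightmost digit is not doubled */
    for (size_t i = n; i-- > 0; ) {
        char c = digits[i];
        if (c < '0' || c > '9') return false;
        int d = c - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return n > 0 && sum % 10 == 0;
}

/* A 15-digit IMEI is TAC+SNR (14 digits) followed by one Luhn check digit. */
static bool imei_valid(const char *imei)
{
    return strlen(imei) == 15 && luhn_valid(imei);
}

/* Derive the check digit for a 14-digit TAC+SNR body; -1 on malformed input. */
static int imei_check_digit(const char *body14)
{
    if (strlen(body14) != 14) return -1;
    char buf[16];
    memcpy(buf, body14, 14);
    buf[15] = '\0';
    for (int cd = 0; cd <= 9; cd++) {
        buf[14] = (char)('0' + cd);
        if (luhn_valid(buf)) return cd;
    }
    return -1;
}

int main(void)
{
    /* Generic IMEI quoted later in the thread, and a constructed transposition. */
    const char *generic = "350314010000009";
    const char *swapped = "350314100000009";
    return (imei_valid(generic) && !imei_valid(swapped)
            && imei_check_digit("35031401000000") == 9) ? 0 : 1;
}
```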
to all XDA developers (is there a change IMEI software USB) if yes where can i find it & if no is it going to be developed any soon? when?
I doubt the developers will be writing software for that particular use on the xda1, if you have a serial cable it will work on the xda as long as the radio stack is the early versions, it won't work on radio stack 4.21 for instance.
so where can I get the early (<4.20) Radio version coz I wanna use the
manipulator programme with my XDA2 device ?
????????????????
Changing IMEI is a way to get RID of those SPIES who pry into our personal info. Violations of our right to privacy....
Emil, can you expand on that statement please, the imei is the phones identity tag, if you have a prepay sim card your identity is unknown, if you have a post pay contract sim then your details are known and your phone is trackable by the sim details regardless of the imei/phone used.
I want to reset the timer to know how much I talked, so where can I find that radio version
As far as I know, xda manipulator is for xda1 only.
IMEI-change and call-timer reset
No software exists to change IMEI or reset timers on Himalaya/XDA-II. Also no software does it to the Wallaby/XDA over USB, and The Manipulator, the program that does it to the Wallaby via the serial port only works with certain Radio Stack versions.
We have no legal or moral problems with IMEI-changing or timer reset, but it's a lot of hard work to write something which overwrites parts of people's radio software reliably. The last thing we want is 300 people wrecking their phones and blaming us. This issue has sort of scared us away from this type of modification.
(Unlocking is different since it only reads the ROM and then uses the 'official' mechanism of AT-commands in the phone for unlocking.)
No idea whether this topic will be revisited at some point, but don't hold your breath...
I can help you to change IMEI for XDA I or XDA II
cgigate
tell me how ....pls
cgigate said:
I can help you to change IMEI for XDA I or XDA II
Will you tell how it all works, and maybe even create a wiki page on it? We have itsme's and W4XY's works, but we need many more people to publish the results of their trips into the phone ROM and bootloader...
Peter,
Can you tell me how to read or find my IMEI number. I have a phone that was a display model and the label on the back was removed so I can't get it there and the system identity shows a generic IMEI number (as I've found with all the updated 2003 ones).
Thanks,
David
moto1 said:
Can you tell me how to read or find my IMEI number. I have a phone that was a display model and the label on the back was removed so I can't get it there and the system identity shows a generic IMEI number (as I've found with all the updated 2003 ones).
Try dialing *#06# on the phone. This works on all GSM phones (since it is in the GSM specification to be approved as one).
That still gives the generic IMEI number with an extra "01" at the end. It seems to be a glitch in the 2003 software because the IMEI numbers are available before you upgrade but not after. I thought I was missing something but the other units with the upgrade are giving the same generic number (350314010000009). Does anyone else come up with that IMEI #? (May be T-Mobile only!)
David
nope
I upgraded my rom lots of time and never lost my original IMEI number (which is written inside the case, under the battery)
It must be in the "T-Mobile" upgrade that changes the number in the system settings.
no solution till now????!!!!!
I'd like to try out a sim unlock code I generated for my 8525. However, I only have the one sim. How can I get to the unlock process without having to insert another sim? Really I just need to test it.
-fluxist
I'm not really sure what you're asking.
Huh?
Doom Tints said:
I'm not really sure what you're asking. Why not ask the person whose sim card it is for the unlock code? If you are just "testing" the phone at this point, I'm assuming it's not even your phone.
If you want to see a Hermes in action, go ahead and return it to the rightful owner and I'm sure they will give you a friendly walkthrough.
Doom Tints' Score: ZERO for reading comprehension.
I have an 8525 that belongs to me. Shall I forward you a receipt? Very helpful. Anyways, to clarify for anyone else who gets confused easily, I was curious how I can test my sim unlock code on my own locked Hermes. Obviously I could remove the sim lock with the stickied utility in the forums, but that is not my purpose. I simply need to verify that my unlock code generating algorithm is working. I don't believe that I've seen anyone discussing the ability to generate unlock codes for any arbitrary IMEI before. Although I could be mistaken.
The wiki states that I can use:
AT@SIMLOCK=0,<facility>,<code>
Facility is a number between 0 and 32, code is a 8 digit code.
What shall I use for the facility? "SC"? "PS"? Those are the only relevant facility codes I know of. Should then I convert SC to 0x5343? Maybe I just answered my own question...
Thanks Doom Tint!
-f
I'm not sure there's a way. I just ended up borrowing a friend's T-Mobile sim when I was unlocking my 3125 - it takes about 2 minutes so it's no big deal to do quickly then hand back the sim chip to the friend.
Thanks for the clarification instead of the tiny 1-sentence question without explaining what you were doing.
BTW, I had already edited my message before you posted your response.
woohoo!
yay! it works.
AT@SIMLOCK=0,1,<code>
did the trick.
@SIMLOCK=00
anyone know if there are any HTC models which cannot be sim unlocked through published means? this unlock code generator should be universal,
-f
fluxist said:
anyone know if there are any HTC models which cannot be sim unlocked through published means? this unlock code generator should be universal
This only works on devices with qualcomm msm6250 (universal) / msm6275 (hermes, trinity...). It needs a bootloader with 'rtask' command but you can also do it in a simple CE program with RilDevSpecific() functions, communicating with the radio through RIL dll if you don't have an 'rtask' enabled bootloader.
Hi, I own a Samsung S7, International version ( SM-G930F ). Wanted to unlock it to use it with other companies, and did some research in order to be able to unlock it manually (I used to unlock all phones by my own, this one is harder than usual).
Well, this might be a new phone and a solution may not be present here yet, but I know that some programs allow you to read the SIM unlock codes from the phone; z3x allows you to do that, Octopus and ChimeraTool too, among others.
So... it really may be possible to do this manually.. rooting the phone, of course..
I know that the S4 allows you to do this quite simply:
just opening a terminal and typing:
su [enter]
strings -n 8 /dev/block/mmcblk0p6 [enter]
to get the UN_Lock_code, and then performing some calculation using the IMEI number and the UN_Lock_code, followed by some further really simple ordering algorithm, you can find the full algorithm here.
That being said, if we could get the UN_Lock_code from the S7, the algorithm may even be the same.
The bad news is that /dev/block/mmcblk0p6 doesn't even exist on the S7 file system, so obviously they somehow improved the security on this phone, but the tools mentioned above are able to get these unlock codes anyway, so there surely exists a way to read them from the phone in some other way.
If you are a developer working on any of these tools, or have the knowledge to investigate this on your own, please give me your feedback ! People here on xda and all over the world will appreciate a solution:
Doing this manually obviously requires some skills to root the phone in the first place, maybe install the terminal or use ADB, so the unlocking business won't be affected at all.. and it avoids trouble with unlocking companies that give wrong codes and don't refund.
So I only see advantages in this. Thanks a lot to the developers that give this issue a try, I made my own little research and I think that getting the UN_Lock_code or SIM unlock codes is really possible in the S7 Exynos.
Good luck, and any feedback will be greatly appreciated !
In the UK once you've had your phone for 6 months the carrier has to give you the unlock code IIRC
I'm with o2 and the o2 app has a setting to unlock the phone with a warning that you must still honour the remainder of your contract
*Detection* said:
In the UK once you've had your phone for 6 months the carrier has to give you the unlock code IIRC
I'm with o2 and the o2 app has a setting to unlock the phone with a warning that you must still honour the remainder of your contract
Yep I know that some carriers are able to get the codes from the manufacturer, samsung in this case, and even have their own DB of unlock codes for each of their IMEI numbers. These codes are then compared to the ones in the phone: if the code matches any of the codes in the phone, then it unlocks, else the counter is incremented.
This thread is about getting the unlock codes from the phone, as some applications do, such as z3x, Octopus, ChimeraTool.
The question is: If these tools are able to get the codes immediately from the phone, which file are they accessing inside the phone, and which further steps are they performing?
The reasoning behind all this is that if all of these tools can do it in some seconds, then we can do it.
I'm actually looking for some explanation, similar to the S4 thread linked above. Or failing that, where can we investigate further to finally get this information.
Thanks a lot !
EDIT: Maybe this is not the best section, but this discussion is related to Samsung S7 EEPROM and filesystem layout, reverse-engineering and investigation.
*Mod edit*
Posting warez is not allowed. This includes cracks that avoid paying for software.
It doesn't work canolucas, I keep having fails. Tried to reinstall, restart pc and no change