Cannot Connect to network after unlock (clean up) FIXED - G2 and Desire Z General

Hurrah! this has been fixed WOO!.
see here.
well done guys, you have made me a happy g2 owner again!!
Hi Everyone,
i figured we might need to clean up the
http://forum.xda-developers.com/showthread.php?t=805024
conversation.
as i see it, there are 2 issues
1. people receive an unlock code, the phone accepts it but then it cannot find any network
2. people receive an unlock code, have troubles entering the code but eventually get it in ok.
please do not post anything "setting" related - apn's, bands etc as this has been tried and shown not to work (yet)
it might be helpful if people who have issue number 1 could post some answers to some questions.
as i am not at all smart enough to work out what we need to know from these people, id appreciate it if those in the know could pm me what they think could be useful, and ill make a template for people to follow
troubleshooting template
----
----
----
----
Current Theories: (please PM me if i have anything wrong here or if i need to add details.)
-------------
Theory #1
Ghul99: the code is accepted, but the phone is still locked?
http://forum.xda-developers.com/show...&postcount=121
------------
interesting information
this seems to support theory #1
1. i unlocked phone - code entered successfully, and i was no longer prompted to enter an unlock code
2. i perm-rooted my phone - all went to plan
3. i put the vision rom on my phone (http://forum.xda-developers.com/showthread.php?t=834450) loaded ok
4. i put a sim in my phone and now i am prompted for an unlock code.
5. i tried to re-enter my code but it would not accept it (it is the same code from step 1)

Nice idea for taking the initiative to clean up the thread which was getting excessively long!
I'm hoping we can see some progress in a few days as I'm really missing being able to get any cell reception on a MOBILE PHONE!?
Regards.

I will summarize my knowledge later but one thing upfront.
IntuativNipple posted today in IRC that he found the way to get real S-OFF which would also allow SIM-unlock without code.
So there is hope for a solution, but keep your patience.
Sent from my T-Mobile G2 using XDA App

guhl99 said:
I will summarize my knowledge later but one thing upfront.
IntuativNipple posted today in IRC that he found the way to get real S-OFF which would also allow SIM-unlock without code.
So there is hope for a solution, but keep your patience.
Sent from my T-Mobile G2 using XDA App
That's really exciting.
Thanks for bringing up the good news!
Sent from my T-Mobile G2 using XDA App

guhl99 said:
I will summarize my knowledge later but one thing upfront.
IntuativNipple posted today in IRC that he found the way to get real S-OFF which would also allow SIM-unlock without code.
So there is hope for a solution, but keep your patience.
Sent from my T-Mobile G2 using XDA App
Just to help guhl and catch up with some unnecessary posts.
Common solutions like Reboot, different sims to try, Hard reset, flash stock ROM or trigger the unlock window to reenter the code don't work.

Summary of my knowledge so far
For case 1 which was the original problem my theory is the following.
Cause:
Because of problems with the write procedure to the emmc memory the MCCMCN to which the phone is locked did not get cleared but set to an arbitrary value in my case "C3AB".
The CID value is still the same as it used to be (and also in case of a successful unlock would stay the same) which is "T-MOB010". The CID is a 8 character string and the case where all characters are the same (i.e. "11111111") is called Super-CID.
It is of no relevance if you use or used the hardware or software keys, T-Mobile or third party sources. The only reason where it would be your fault is if you pulled the battery!
The unlock-code that we possess (regardless if official or from a different source) is not valid to unlock the phone from this value "C3AB". If one tries again (directly with the modem, using my modified libril.so or a different ROM) the lock counter will increase.
Potential ways to repair this state:
1. Give it back to T-Mobile if you can. In my opinion this is a clear warranty case.
2. Find someone who has the MegaSIM and the HTC-diag software.
This will definitely work but it is going to be hard to find someone because the SIM is rare and very new.
3. Wait until (or help achieving) the so called "real S-OFF" state of the phone (when also the radio has security disabled) is reached.
When this is achieved one can disable the SIM-lock without any code.
There are still some very good developers after this goal even if for different reasons.
Which information could help us:
1. The output of the following AT-Command sequence from successful and unsuccessful unlocks
Code:
ATE1
ATV1
[email protected]?
[email protected]?AA
[email protected]?40
[email protected]?80
I will try to write a HowTo later for Windows.
For linux see the following posting from the old thread (http://forum.xda-developers.com/showpost.php?p=8750299&postcount=121)
2. The next thing that would help is a logcat from the first unlock process itself.
Howto:
Start the first logcat using the USB-cable and adb before you boot the phone with the foreign SIM.
Code:
adb logcat -b radio > lc_unlock.txt
leave the logcat running and complete the unlock procedure till the phone reboots (the logcat will end automatically)
As soon as the first logcat exits start a new one using:
Code:
adb logcat -b radio > lc_after_unlock.txt
leave it running for 1 minute and then stop it using <Ctrl>-C
3. The next thing that really would help is that you do not post anything in this thread (use the old one instead) that has to do with:
- the APN
- trying another SIM (you would be very lucky if you had one that fits the arbitrary SIMlock)
- reboot, factory reset, use a stock or non stock firmware
- use the hw/sw-keyboard, wait for the right outside temperature or other esoteric procedures
Finally I would like to ask moodecow to edit his original posting and incorporate or link everything that he finds important or helpful in his posting so that it will stay on top.

That is some very exciting news, thank you for the update!
One quick question, when we achieve radio-s off it essentially would mean everyone could unlock their phones for free?
Thanks.
Sent from my T-Mobile G2 using XDA App

I have 2 ideas, which can help:
1. For people before unlock - maybe performing S-off before unlock will help.
2. For people after unlock: in bootloader there is "SIMLOCK" option. When you open it, it shows file not found etc. As I think, it can be used to simlock phone for operator, whose numbers are in some file. There is my solution - find what that files are in phone's source code or by any other method, then put them in right place, enter numbers of operator you want to use, open that "SIMLOCK" and lock phone to your network. I don't know if it will work, but it makes some sense.

ms93 said:
I have 2 ideas, which can help:
1. For people before unlock - maybe performing S-off before unlock will help.
2. For people after unlock: in bootloader there is "SIMLOCK" option. When you open it, it shows file not found etc. As I think, it can be used to simlock phone for operator, whose numbers are in some file. There is my solution - find what that files are in phone's source code or by any other method, then put them in right place, enter numbers of operator you want to use, open that "SIMLOCK" and lock phone to your network. I don't know if it will work, but it makes some sense.
Your first idea sounds reasonable and I would support it.
Your second idea is something that is worked on, but you do not only need the correct file (which is actually called DMCID.dat) but there also has to be some "magic number" (like on a gold card) on the micro-sd card.

an important piece of info to carryover from other thread:
1- No APNs are listed
2- if you try to define one, it doesnt save

No APNs being listed is related to the rom more or less, not the issue we're having.
APN is software issue, correct me if I'm wrong so either way it shouldn't pose as an issue to us.

im saying its a symptom that seems to go along with the problem in the title of this thread, so, worth noting.
ie: i think everyone who has the post-unlock no-connection problem, cannot save APNs. all others can.
if you are a counterexample please say so. that would help.

guhl99 said:
For case 1 which was the original problem my theory is the following.
Cause:
Because of problems with the write procedure to the emmc memory the MCCMCN to which the phone is locked did not get cleared but set to an arbitrary value in my case "C3AB".
The CID value is still the same as it used to be (and also in case of a successful unlock would stay the same) which is "T-MOB010". The CID is a 8 character string and the case where all characters are the same (i.e. "11111111") is called Super-CID.
It is of no relevance if you use or used the hardware or software keys, T-Mobile or third party sources. The only reason where it would be your fault is if you pulled the battery!
The unlock-code that we possess (regardless if official or from a different source) is not valid to unlock the phone from this value "C3AB". If one tries again (directly with the modem, using my modified libril.so or a different ROM) the lock counter will increase.
Potential ways to repair this state:
1. Give it back to T-Mobile if you can. In my opinion this is a clear warranty case.
2. Find someone who has the MegaSIM and the HTC-diag software.
This will definitely work but it is going to be hard to find someone because the SIM is rare and very new.
3. Wait until (or help achieving) the so called "real S-OFF" state of the phone (when also the radio has security disabled) is reached.
When this is achieved one can disable the SIM-lock without any code.
There are still some very good developers after this goal even if for different reasons.
.
i have got HTC MEGA SIM and Almost all DIAG files but
T-mobile G2 case =After putting unlock code NO NETWORK cant be solved because when we give s58 clear command it shows SIMLOCK CORRUPTED
i can post the detailed info and pictures if you want it would be a pleasure if could help in any kind of DEVELOPMENT
BTW
if we don t put code in the same version,same country,purchased in the same lot of handsets and use MEGASIM directly without touching anything than it works perfect

kabir_del said:
i have got HTC MEGA SIM and Almost all DIAG files but
T-mobile G2 case =After putting unlock code NO NETWORK cant be solved because when we give s58 clear command it shows SIMLOCK CORRUPTED
i can post the detailed info and pictures if you want it would be a pleasure if could help in any kind of DEVELOPMENT
BTW
if we don t put code in the same version,same country,purchased in the same lot of handsets and use MEGASIM directly without touching anything than it works perfect
Posting any further details and/or pictures would be much appreciated!

So if megasim has failed due to corruption I think that the only way to solve our issue is to write directly to emmc partition holding locking information. And I don't know how easy and plausible this is...

I think if we get S-Off for Radio, we'll be able to write to that partition. I hope

andrewklau said:
I think if we get S-Off for Radio, we'll be able to write to that partition. I hope
I am a little bit worried about writing this information directly because the partition will be encrypted.
And also copying the complete partition from a working phone or one that is still unlocked will not be an option because the IMEI will also be there and we would not want to overwrite that.
So my hopes are more that there is some kind of a restore procedure from a secure area (I know that Nokia phones can do this, but HTC ?) or that we can lock the phone again with the SIMLOCK option in hboot.
Sent from my T-Mobile G2 using XDA App

well I guess time will tell, does tmobile or htc do replacements (or has anyone tried) for phones no longer on a contract or that are now unlocked?
Sent from my T-Mobile G2 using XDA App

andrewklau said:
Posting any further details and/or pictures would be much appreciated!
here we go Pictures first Video coming soon
First Red colour is the error we get on when we try the command
1=clear s58 data
2ND IMAGE is the one when we press the DEVICE INFO
today is sunday not much time will upload the full clear video tomorrow and still i have not tried to the all options of the diag maybe it can repair it but sure i will do some more things tomm.
88

I have tried to use my HTC vision G2 as I unlocked it but after that I am unable use as I am unable to find anything which would be helpful for me as I have the first case problem. I just want to know that would it help me that if someone would flash my HTC Vision G2. I just want to know about that as now I am in Pakistan
Sent from my T-Mobile G2 using XDA App

Related

Reversing IMEI-CHECK's Wizard Unlocker :)

Hey Folks,
After a long weekend of reversing I am about 95% done in reversing IMEI-CHECK's unlocker for the Wizard.
The application is protected by Themida which is in my view the leading protector on the market currently (yes better than execryptor).
The unlocker has Ring0 protection, Emulated API's, Resource Encryption + Lots more fun and games.
Now onto what I have found so far.
The GUI stuff:
Code:
set 1 0
set 5 ffffffff
set 2 0
set 6 000000
set 4 000000
progressbar 0 239 0 255 ffffff 100 0
shmsg 0 0 " . : | Wizard Unlock | : ."
info 1
shmsg 3 0 " ..detecting device.."
set 32 2
info 0
shmsg 4 0 " >>> Wizard found"
Is plain to see, but the evil work is well tucked away in a procedure which is pushed onto the VirtualMachine.
So I still need to fish that out (loooonnnng task)...
However the very most interesting part (I find) is the existence of a ROM inside the unlocker.
Now I am not sure if this is the bootloader/gsm rom however it certainly seems VERY interesting that it is included.
Download:
http://rapidshare.com/files/12763879/_00CC0000.mem
For those who wish to analyse it and let me know which it is and if anything has been altered.
It might well just be standard, who knows :S
The following tools are also 'picked up':
Filenames:
Code:
PORTMON.exe
SnoopyPro.exe
Device Monitor.exe
Window Titles:
Code:
Portmon Class
SnoopyPro
USB Monitor
Device Monitor
Serious Serious Kudos to the developer, Very impressive work indeed!
By making this, he has almost made himself a license to print cash.
Since he has NO terms about his programs what so ever then there is no legal problems with what I am doing to his application.
He is probably too scared of HTC anyway, since he is decompiling their firmwares in order to make the product. (Which is outlawed in HTC's terms)
Anyway....
Watch this space
Very interesting, would information gathered from the Wizard unlocker lead to cracking the Treo 750 unlocker? Or any other phone that imei-check supports for that matter?
Whiterat said:
After a long weekend of reversing I am about 95% done in reversing IMEI-CHECK's unlocker for the Wizard.
Great, will you disclose your findings? there was an earlier post about the unlocker for G4 wizards, here (see comment #36):
http://forum.xda-developers.com/showthread.php?t=284312
Whiterat said:
However the very most interesting part (I find) is the existence of a ROM inside the unlocker.
Now I am not sure if this is the bootloader/gsm rom however it certainly seems VERY interesting that it is included.
It seems that this is the patched SPL that is flashed on the first unlocking step, it is modified so that when it is told to flash an splash screen, it flashes the security area, overwriting the CID.
Whiterat said:
For those who wish to analyse it and let me know which it is and if anything has been altered.
It might well just be standard, who knows :S
I will load it at IDA and compare with a normal wizard SPL...
Whiterat said:
Serious Serious Kudos to the developer, Very impressive work indeed!
By making this, he has almost made himself a license to print cash.
Yes, the imei-check guys are doing great job with their unlockers... similar method is used in artemis unlocker too. They load a modified SPL in RAM and jump to its physical address from WinCE, this modified SPL shows the DOC ID in help of "set" command and allows flashing unsigned code, then they use obtained DOC ID info to patch the security area by sending a "fake" splash screen, same as in wizard unlocker.
Whiterat said:
Watch this space
I will
phoa not much point in me continuing!
You've got the whole lot there!
I'm a lover not a coder, I simply reverse in order to help others succeed.
Since you have all important info anyway, Not really going to be of much help here
P.S do you have any sigs for IDA or any scripts?
I dont like having to sift through manually as binary file......
Whiterat said:
phoa not much point in me continuing!
You've got the whole lot there!
Well I didn't want to discourage you on continuing the reversing process, I just pointed you to the thread where we discussed about the unlocking method a while ago...
I admire the fact that you reached that far only disassembling / debugging the binary, what we actually did to have the full process was capturing it with USB monitor; the unlocker can be tricked if you run the usb monitor process as one user, and the unlocker as a different user, but imei-check seem to have corrected this 'bug' in newer unlockers.
Whiterat said:
Since you have all important info anyway, Not really going to be of much help here
We don't have _all_ the important info, we have the commands that the unlocker sends to the bootloader, but the data sent to flash the security area is actually different in every phone, so flashing what is sent in one phone to another phone will actually brick it.
I think it can be helpful if you manage to reverse the algorithm that the unlocker uses to generate the code which is flashed on the security area, this can't be done capturing usb traffic, this has to be reversed from the binary, and Themida is not easy to break as you sure have noticed
Whiterat said:
P.S do you have any sigs for IDA or any scripts?
I dont like having to sift through manually as binary file......
No sorry, i don't have any... I am not very used to IDA, started using it few months ago and still learning new things about it everytime I start it
Ah cool I will look into it a bit further
(Need to get a friend to code a tool to remove the junk code)
e.g
PUSH EAX
PUSH EDX
MOV EAX,2282
INC EAX
DEC EDX
POP EDX
POP EAX
Since it is popping those registers off the stack, its actually altered nothing
Themida is a cow, Because my friend didnt manage to make a start on the junk code remover (and I didnt realise there was a virtualised function) I just did each Import by hand (approx 4 hours lol)
Also rebuilt the OEP by hand too, not too hard since it was VC++6.
I have a G4 which I have unlocked with Imei-Calc (thus I have the key file, which I *think* might decrypt parts of the program, or possibly is part of an encrypted rom.)
3 Last things:
1. Can the G3/G4 chip be worked out by IMEI, i.e IMEI represents a date and the chips were only used after a certain date? or is this tool generic for G3/G4 ?
2. Do you have an SPL for 2.08.10
3. How can I dump my SPL (bearing in mind my only minisd has a full backup of my rom, Just in case crossbow gets a little ugly for my liking)
Ohh one last thing, kbdus.dll on Crossbow.....Is there a kbduk.dll as far as you know?
My Wizard has british keyboard and all the chars are shifted +1.....
Thats my next major task I think before continuing on this thing
Btw, To use the usb logger on newer versions of IMEI-CALC, just rename the exe and change the class name
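As an added illustration (not code from the thread or from any tool mentioned in it), the sketch below checks mechanically whether a straight-line window such as the PUSH/MOV/INC/DEC/POP sequence quoted above leaves every general-purpose register and the stack as it found them, and reports separately whether the window writes EFLAGS. Assumptions: immediates are hexadecimal, as debuggers usually print them; the function names and the `MOV ECX`/`ADD ECX` lines around the sample are constructed.

```python
import re

REGS = ("EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP")
MASK = 0xFFFFFFFF
FLAG_WRITERS = {"INC", "DEC", "ADD", "SUB"}  # these update EFLAGS; MOV/PUSH/POP do not

# The seven instructions from the post, unchanged.
POST_SNIPPET = ["PUSH EAX", "PUSH EDX", "MOV EAX,2282", "INC EAX",
                "DEC EDX", "POP EDX", "POP EAX"]
# Constructed listing: the post's window between two hypothetical real instructions.
SAMPLE_LISTING = ["MOV ECX,10"] + POST_SNIPPET + ["ADD ECX,4"]


def parse(line):
    """Split 'MOV EAX,2282' into ('MOV', ['EAX', '2282'])."""
    parts = [p for p in re.split(r"[\s,]+", line.strip().upper()) if p]
    return (parts[0], parts[1:]) if parts else ("", [])


def analyze(lines):
    """Abstractly execute a straight-line window.

    Every value is (base, offset): base names the register whose original
    value it derives from, or is None for a constant. Anything outside the
    small supported subset raises ValueError so callers stay conservative.
    """
    regs = {r: (r, 0) for r in REGS}
    stack, flags_written = [], False
    for line in lines:
        op, args = parse(line)
        if not args or args[0] not in REGS:
            raise ValueError(f"unsupported instruction: {line!r}")
        dst = args[0]
        if op == "PUSH" and len(args) == 1:
            stack.append(regs[dst])
        elif op == "POP" and len(args) == 1:
            if not stack:
                raise ValueError("POP reads a slot the window did not push")
            regs[dst] = stack.pop()
        elif op == "MOV" and len(args) == 2:
            src = args[1]
            regs[dst] = regs[src] if src in REGS else (None, int(src, 16) & MASK)
        elif op in ("INC", "DEC") and len(args) == 1:
            base, off = regs[dst]
            regs[dst] = (base, (off + (1 if op == "INC" else -1)) & MASK)
        elif op in ("ADD", "SUB") and len(args) == 2 and args[1] not in REGS:
            base, off = regs[dst]
            imm = int(args[1], 16)
            regs[dst] = (base, (off + (imm if op == "ADD" else -imm)) & MASK)
        else:
            raise ValueError(f"unsupported instruction: {line!r}")
        flags_written = flags_written or op in FLAG_WRITERS
    return {
        "registers_preserved": all(regs[r] == (r, 0) for r in REGS),
        "stack_balanced": not stack,
        "flags_written": flags_written,
    }


def strip_junk(listing):
    """Return (kept, removed); removed holds (start, end, flags_written)."""
    kept, removed, i = [], [], 0
    while i < len(listing):
        end = None
        if parse(listing[i])[0] == "PUSH":
            for j in range(len(listing), i + 1, -1):  # try the longest window first
                try:
                    result = analyze(listing[i:j])
                except ValueError:
                    continue  # unknown instruction inside: do not touch it
                if result["registers_preserved"] and result["stack_balanced"]:
                    end = j
                    removed.append((i, j, result["flags_written"]))
                    break
        if end is None:
            kept.append(listing[i])
            i += 1
        else:
            i = end
    return kept, removed


if __name__ == "__main__":
    print(analyze(POST_SNIPPET))
    print(strip_junk(SAMPLE_LISTING))
```

A window flagged `flags_written` can only be dropped when the code after it rewrites the flags before reading them, as the constructed `ADD ECX,4` does here; the values left in the freed stack slots are ignored by this model.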
Hi..Answer on the "Last Three Things"
1.) No, one cannot identify G3/G4 with imei. If u look carefully the place below yr battery u will find a "G4" written besides yr imei no. In G3, nothing is written. The most common way is to check IPL/SPL .001 in the end is G4.
2) Take a ROM which has 2.08 SPL. and use typho5.exe to dismantle the ROM parts. If ROM is released recently then you will find IPL/SPL for G3/G4 both. Check the threads here..
3) As such crossbow ROM has no IPL/SPL..if u know what ROM u were using prior to that, u can apply above to dump yr ipl SPL..secondly you can do this with awizard1.3 beta.
I hope this helps

Unlocking sim on ht-03a?

Been trying to unlock this phone for days now, bought in japan(ntt docomo)
Have the unlock code and all, but unable to get to the point where i enter the code. Also read that I had to flash the sd card or something, but just keep getting the message "not allow" at some point. If anyone have some tips it would be highly appreciated.
edit; and ive tried rebooting it with new sim
Any help for a guy who has basically no clue of programming?
Yours,
Stefan!
oh, and its one of those 0006 models ^_^
1.5 or 1.6?
Are you running 1.5 or 1.6? If you are running 1.6, you are in for a bit of fun.
Some Japanese guys have used this site to unlock BEFORE the 1.6 OTA because the generated code only works on Docomo's 1.5 firmware.
NOTE: Remote unlock by IMEI is not supported on the newest DoCoMo firmware update. User must downgrade the ROM to the old version or flash a custom ROM without DoCoMo branding on the device prior to unlock it. We do not provide instructions on how to flash a different ROM.
The OTA to 1.6 hit me on 10/27/2009 and rolled out over the course of a week. If your phone was in use in Japan after this time, then it's probably running 1.6.
Apparently can unlock ht-03a v 1.6... for about $100US
Just ran into a site that seems quite shady but nonetheless claims to be able to unlock 1.6 in 3 days for 10,000 yen eek. Their regular price is 8,000 yen (which is still too expensive) if you are still running 1.5. This could just be classic bad web design still common in Japan that makes the site look shady.
Basically, they are saying no functions will change by unlocking and not to upgrade beyond 1.6 after unlocking (assuming 2.x ever is pushed by docomo). And that if your phone is version 1.5, they will return it to you unlocked and running version 1.6.
Purely for my amusement, I paste the machine translation of their site (provided by them "hear")
Release charge;VERSION 1.6 of \8,000 and HT-03A is \2,000UP.
- Details of release
There is no change in a portable function etc. after it releases it.
Release days
- HT-03A is SOFTWEAR [bajon] 1.5 is the first.
It takes VERSION 1.6 about three days. (\2,000UP)
- It takes HT1100 about three days.
Request trivia; After it releases it when VERSION of HT-03A is 1.5, VERSION UP is done to 1.6.
I will pass it. (When networking if you do not do The demand of VERSION UP is usual [deru]. )
The problem is not in VERSION UP after it releases it.
Without doing VERSION UP when VERSION of VERSION 1.6 or more (1.6 is OK) goes out
Please give to me.
PS - "release" = unlock
its 1.6 yes, and thats just too expensive
thx though!
Agreed - stupidly expensive, so your only other option is to root and flash a ROM other than Docomo's 1.6
Mind telling me how to do that? been trying for ages. Does it mean doing something to an sd card? is there a guide i should follow? tried yesterday, but just got the "not allow" message
Haha, sorry but I can't because I don't know how - which is why I originally said something about you're going to be in for some fun if you have 1.6. The information is here. There are wikis, but I haven't had a need to do it, so I am not up on what needs to be done. I know that it was much easier with 1.5 (one click) but not impossible with 1.6. Dig around this board and hopefully you'll get tossed in the correct direction.
If you are using this phone in Japan on docomo's network and you do succeed in flashing a new ROM, be careful with the APN setting for data transmissions because you can end up with a very high data bill if you connect to the wrong one.
Good luck and hopefully someone might chime in with links appropriate to the ht-03a.
if u trying to unlock the phone to use any sim card in it and u already have the code, u need to put the sim card of the new network u r trying to use, when the magic boots up, it will ask for the code, u enter it and thats it, u r unlocked
Doesnt work, already tried that :F
achillies400 said:
if u trying to unlock the phone to use any sim card in it and u already have the code, u need to put the sim card of the new network u r trying to use, when the magic boots up, it will ask for the code, u enter it and thats it, u r unlocked
That does not work with the firmware provided by Docomo.
stefan2612 said:
Mind telling me how to do that? been trying for ages. Does it mean doing something to an sd card? is there a guide i should follow? tried yesterday, but just got the "not allow" message
Did you see this?
http://wiki.xda-developers.com/index.php?pagename=HTC_Sapphire_Hacking
Also, here seems to be full instructions on how to move down to 1.5. I have no idea how, if at all, these instructions would be different for Docomo's ROM on the HT-03a.
http://theunlockr.com/2009/10/15/how-to-root-a-donut-phone-android-1-6/
Good luck. If you learn anything, let me know
Thanks, ill see if i can get this to work! If not i guess ill be forced to check out some cable guy, or someone with a clue
Didnt work, thought id try the htc sync one aswell, but it never recognized my phone, even if i installed drivers, reinstalled them, updated, everything. And yes, i did fix the debug settings etc on phone.
I guess you are using windows, not something unix-like (linux or mac), right?
Towards the end of this thread, the discussion moves towards getting Win 7 to recognize phones for using ADB. Maybe something here could help.
http://forum.xda-developers.com/showthread.php?t=502010
have mac and windows, but htc sync wasnt for mac so ^^
Wait a minute... Like I said, I've never tried this, but I don't believe you need to use HTC sync. I could be wrong. I think you need to use ADB, which is part of the SDK. ADB allows you push files to handset, as well as get an interactive shell. Basically, it gives you command line access to your phone from your computer.
If you have ever used the terminal app on a mac, that is where you would use ADB.
Once you have ADB up and working, you can type stuff like ADB devices to get a list of connected phones or ADB shell to get an interactive shell.
yeah ive tried that too, only got msgs saying not allow
stefan2612 said:
yeah ive tried that too, only got msgs saying not allow
If you give me more information, then I may (or may not) be able to help.
What exactly was not allowed? Does ADB work at all?
What step in what howto did you make it to?
Are you able to get ADB to detect your device?
Are you using ADB on win or mac? win 7? mac os 10.6?
Did you get a permission denied (or something that) error when you tried to push a file with ADB?
For the docomo HT-03A sim unlock, you need to have a rooted phone first...No way around it that i have found... hell its a twofer... basic rom isn't any fun anyway...
I have gotten 7 Sim unlock codes from swiftunlocks at gmail.com, email him and ask...
I first found him on ebay... so he is probly still there...
My bigger question is how to get around the IMEI filtering done by Docomo's bizhodai APN... I WANT A NEXUS, but if I can't have unlimited Data it could be the death of my bank account...
thisoneguy said:
For the docomo HT-03A sim unlock, you need to have a rooted phone first...No way around it that i have found... hell its a twofer... basic rom isn't any fun anyway...
I have gotten 7 Sim unlock codes from swiftunlocks at gmail.com, email him and ask...
I first found him on ebay... so he is probly still there...
My bigger question is how to get around the IMEI filtering done by Docomo's bizhodai APN... I WANT A NEXUS, but if I can't have unlimited Data it could be the death of my bank account...
Only if you are running Docomo's 1.6 ROM, which he is (which is why his unlock code doesn't work). The 1.5 ROM would accept IMEI-generated unlock codes and was rootable in one click.
But I can't really help this guy as I have not tried to root my HT-03a, which is also on 1.6.
Quick question: So it is NOT rumor that docomo is filtering the biz-hodai APN by IMEI number? People commenting on my blog say that docomo refuses to register the IMEI of a phone if it is not from docomo.
Sucks.
Can you point this guy in the right direction for rooting specific to the HT-03a?
Also, check the link to a Japanese site I posted at the beginning of this thread. If it is worth 10,000 yen, sounds like they can do it. 10,000 yen is too much, though.

[GUIDE] Galaxy Tab Network Unlock

**UPDATE**
This method causes your serial number to change to 00000000 (which isn't a problem as such as this isn't currently used for anything) but there is a new method which involves directly hex editing the nv_data.bin file, which may be faster and does not change your serial number. You can find the details here: http://forum.xda-developers.com/showthread.php?t=843323.
**UPDATE**
First up I'll say that I'm not incredibly familiar with Galaxy S firmware changes/modding, and this mostly builds on work done in these areas, so not all these steps may be necessary but they worked for me. If someone can suggest a faster way to do this/unnecessary steps then please go ahead and reply with them!
This unlocked my Network Locked Australian Galaxy Tab and so I assume should work for others.
You should back up your /efs/ folder before you proceed as you may need this to undo if something goes wrong.
*I take no responsibility if something goes wrong!*
Requirements:
Root access
repair_nv_data.zip (from http://forum.xda-developers.com/showpost.php?p=8942669&postcount=94)
Java
Busybox
The Android SDK for ADB, Root Explorer or some similar file system explorer/editor
(If you have US firmware with no Phone software, you may need to flash European firmware as described here: http://forum.xda-developers.com/showthread.php?t=838250 ).
Firstly, on your phone dial *#7465625# and check if the Network Lock is set to [ON], if so then your phone is locked (duh), so continue.
1. Use Superoneclick (http://forum.xda-developers.com/showthread.php?t=812367) to root your phone (the other z4root method may work as well, but this isn't what I used).
2. Either use ADB or some other method to rename or delete (backup first):
/efs/nv_data.bin.md5
/efs/.nv_data.bak
/efs/.nv_data.bak.md5
(I just used Root Explorer to rename them to something else).
3. Restart your phone and then go into the /efs/ directory and see if the 'nv_data.bin.md5' file has been re-created by your phone, as long as it has been created then you can proceed.
4. Go to http://forum.xda-developers.com/showpost.php?p=8942669&postcount=94 and download the repair_nv_data.zip file (the credit for all of this mostly goes to that thread and helroz).
5. Install 'busybox' from the Market. Once you install it, you actually have to run it and properly install it (the Market app is basically an installer) - the files in the above zip have a dependency on this.
6. Extract the above zip to your PC, plug in your Tab in USB debugging mode. Run the Step 2.bat from the extracted file. You may need to allow the script super user access several times. This should copy the /efs/ and a bunch of files into a directory with a french name.
7. Run the Reparation_nv_data.jar file. (You will need Java for this step.) It will prompt you to enter two numbers, which are your pseudo-unlock codes. I entered '11111111' and '11111111' (eight 1's) both times. This rewrites the nv_data.bin file to be simunlocked with these details.
8. Run the Step 4.bat. Your superuser app (the one installed when you rooted using SuperOneClick) will need you to allow each command to have root access so keep an eye on your Tab. You may need to press y/n a few times if you encounter errors. This is uploading the edited nv_data.bin onto your Tab.
This batch file will stop several times and need you to hit a key when it pauses. My Tab rebooted halfway through this batch file - when it did this I waited for it to fully reboot back to the lock screen before pressing a key, so that the script continued while the Tab was actually able to respond to its commands.
9. Towards the end of its execution it rebooted a second time. It paused during loading up and had some yellow writing on the screen saying it was updating media (I assume it was rebuilding the nv_data.bin). Leave it for a minute and it will prompt you to reboot/some other options. Just press whatever it wants (home I think) to reboot the phone - you don't want any of the other recovery options.
10. Go into your dialer and put in *#7465625# again and (hopefully) voila! Your phone should no longer be network locked. Try a SIM from a different provider to make sure.
Enjoy!
Edit: I had to go out and actually buy a prepaid SIM to confirm that all was working with a different provider. Attached are screen caps of my Tab on two different networks, as well as the network status screen, making/receiving calls etc. all works on both.
Awesome man, thanks.
This is much better than the 2 month wait we had for Galaxy S unlocking.
Hello, I'm French and I used your post to unlock my Galaxy TAB SFR ''réunion island'' and it is unlocked. Thanks for your AMAZING post for unlocking the TAB.
PS: To unlock my TAB, SFR REUNION quoted me 150 Euros.... Vive smithdc & helroz
Works well! I had little trouble running java on windows7. But changing compatibility mode to windowsxp sp3 and check run this program as an administrator solved the problem.
Thanks for easy guide!
tacoda, you mean for running the .jar file? or for installing Java itself? (I assume the former).
Sweeet thx , curious if unlocking the AT&T version has hardware only set to AT&Ts 3G frequencies, so 3g wont work on tmobile or is it capable of running 3g on tmobile with a unlocked AT&T tab?
smithdc said:
tacoda, you mean for running the .jar file? or for installing Java itself? (I assume the former).
Running the jar file. I didnt know how to run it.
Does the sim card and/or sd card should or should not be plugged in during the unlocking progress?
It shouldn't make a difference Zeron.Wong.
jay_jay_n said:
Sweeet thx , curious if unlocking the AT&T version has hardware only set to AT&Ts 3G frequencies, so 3g wont work on tmobile or is it capable of running 3g on tmobile with a unlocked AT&T tab?
Traditionally, AT&T and T-Mobile hardware used different radios, it was more than just firmware. That's also true on the little brother Galaxy S series, the Vibrant has a different radio than the Captivate (though the Vibrant radio DOES have 1900 band in the hardware, for some reason).
Kudos to smithdc for this awesome guide! I saved a lot of money thanks to him. Congrats again.
Bump, is there any way to sticky/pin this for people?
So you're saying if I use this method and install my tmous unlimited sim I can get calls and 3g, or do I need a prepaid sim?
I'm not sure on how T-Mobile are blocking, but if it IS my IMEI then you would have to use a SIM from a different network.
If they are blocking your IMEI on their network, then you would have to use a SIM from a different network (as a different network, wouldn't be blocking this IMEI number). Changing it to a different SIM on the same network won't help as your IMEI is for the device itself.
I just want to clarify something..
I have a T Mobile Tab and want to use a SIM I have for ATT.
Will I have to flash my device with the EU firmware first in order to get the phone software on it..then do the rest of the unlocking steps?
Assuming thats correct..after unlocking it I then can put my ATT sim card in and it should work for calls and data (Edge only) with not having to tweak any setting at all? Or do I have to set up my wap.cingular connections for the data like on a WM phone on ATT?
And if I want to get back to original out-of-the-box firmware from T Mobile (like if I had to send it in for repair) I just have to flash stock T Mobile firmware and its back completely to original?
Thanks..and wow am I loving this TAB !!!
You'll need to set up your APN data for AT&T, yes.
Thanks for the fast reply. As for the flashing of the EU rom..is that the only/best way so far in order for my T Mobile Tab to get the radio software on it? I was thinking I saw an APK for the radio software someplace but did not know what way was better.
I just want to be 100% sure bfr I take the jump to unlocking and playing with the phone part
thanks
I got a quick couple of questions:
1. If I restore original firmware (Canadian), does it relock my phone?
2. Where can I get the Canadian firmware release? I see EURO and US, but no Canadian.
I read on one of the other threads that the sim unlock method also changes your imei number. Is this really the case?
clubtech said:
I read on one of the other threads that the sim unlock method also changes your imei number. Is this really the case?
Yes, it will set your IMEI to a bogus one that will get your T-Mobile internet access disabled after 1/2 hour.

[Q] Possible Hboot Hack ????

Whilst spending more endless hours attempting to root my wildfire, I have noticed that if I push mtd0 to sdcard as mtd0.img, and then use HxD to edit it as though to use flash_version ( I was thinking I wonder if it's possible to spoof supercid 111111) so after backing up the original I filled the entire file full of 1's (I tried 0's first, the error message tells me if i could force 0's this may be a good thing???) and flashed misc.
On entering hboot when it checks sdcard a load of 1's came up before anything else, so I repeated the experiment with stars *, and *'s is what hboot saw.
I'm thinking possibility of some kind of alternate boot or maybe a command (fastboot oem unlock, or fastboot erase hboot) or something along those lines. Tried modifying the first line, but still came up *'s so somewhere else in the file possibly where version goes, but version doesn't usually show up on sdcheck does it.
Experiments continue
Keep up the experiments!
Thanks!
keep up doing it, you are great
thousands of people hope this work in the future...
i think unrevoked is not doing anything now
we r 4 months from 2.2....
Any more luck? How is this getting on?
dannyjmcguinness said:
Whilst spending more endless hours attempting to root my wildfire, I have noticed that if I push mtd0 to sdcard as mtd0.img, and then use HxD to edit it as though to use flash_version ( I was thinking I wonder if it's possible to spoof supercid 111111) so after backing up the original I filled the entire file full of 1's (I tried 0's first, the error message tells me if i could force 0's this may be a good thing???) and flashed misc.
On entering hboot when it checks sdcard a load of 1's came up before anything else, so I repeated the experiment with stars *, and *'s is what hboot saw.
I'm thinking possibility of some kind of alternate boot or maybe a command (fastboot oem unlock, or fastboot erase hboot) or something along those lines. Tried modifying the first line, but still came up *'s so somewhere else in the file possibly where version goes, but version doesn't usually show up on sdcheck does it.
Experiments continue
I tried this a week ago and it does not seem to work :S
cid version is on "ro.cid" prop. Change cid on mtd0, flash it and then try a "getprop ro.cid"
Of course, you'll get the original CID, not the supercid. You cannot change these properties (ro.secure is another one. The ONE that prevent us from writing on system, etc)
I think these properties are Read-Only and are loaded into the system from the hboot at boot time.
I managed to change the default.prop on "/" from ro.secure=1 to ro.secure=0 but every time you reboot your phone this file goes back to ro.secure=1, so I think hboot re-load every file and prop needed for their security lock at boot.
I repeat, even with root access you won't change a single property with "ro." before.
Not a single one.
Sorry guys, we'll have to wait more...
For more information about the process read my post: http://forum.xda-developers.com/showthread.php?t=1042077
As you can see, no one has answered yet so I think this is useless...
Looks promising!
Think I've discovered a bit more, I'm absolutely positive that this is the way forward. Problem is not enough people seem interested in this post.
It would appear that this can be used to issue a boot message, so please share your knowledge on what you know of boot messages, coz I'm pretty sure a boot message could be used to override certain parameters.
Please people, if you read this, HELP ME OUT
I know what are you talking about,and I think that might help you
http://runtimeworld.com/2011/04/a-complete-list-of-hboot-commands/
I could work with you on this, PM me if you are interested
edit: this command has 8 letters (like cidnum):
writemid // write model ID
The best thing you've found.. I'm feeling like we'll only root wildfire before unrevoked.,
It'll be good if we do it ourselves as unrevoked has tried hard but not succeeded due to heavy lock of hboot.. If there is luck and ability to do it, we can do it..
I don't have much knowledge in linux and android, or else I would have joined to root wildfire with you all..
Best of luck for rooting and make sure not to brick the phone..
God, I must follow this post.
Thanks for your hard work.
Maybe you'll find something interesting there
tjworld.net/wiki/Android/HTC/Vision/HbootAnalysis
sry, can't add urls i'm new
ejnreon said:
Maybe you'll find something interesting there
tjworld.net/wiki/Android/HTC/Vision/HbootAnalysis
sry, can't add urls i'm new
cant be THAT new if you joined in 2009 :L

[GUIDE] SUCCESS!!! SIM-Unlock Sprint XT1056 (SIM-CRACK) Moto X GSM **NOW U.S. TOO!**

Greetings fellow XDAers,
It's finally happened: SIM-Unlock for the Sprint Moto X (XT1056)
(International-use Only. Anyone in the U.S. - Don't bother at the moment. Myself and some others are looking into the possibility of extending the SIM-CRACK to U.S. users, but RIGHT NOW, not possible. Sorry.) NOW EXTENDED TO DOMESTIC U.S. USERS AS WELL! - I have discovered the domestic-unlock solution!!!!
First, a little background:
Since its debut in August, 2013 many people have been trying to crack the SIM-LOCK on the XT1056. Many have tried and long since given up. I officially became involved in the project in May, 2014, and since then, had taken over the project. After much research, I determined that a Chinese hacker had found the solution and was offering a SIM-Unlock service on Taobao.com. This individual was extremely secretive about his methods - and told no one the solution. In order to use the service, you had to SEND your XT1056 to China to be unlocked (for fear of someone discovering his method). Then, a short time afterwards, the listing completely disappeared from Taobao, never to be seen again. Afterwards, sellers only offered PRE-SIM-CRACKED XT1056's on Taobao. Fortunately, I had already discovered (by reading his prior listing), that the SIM-Unlock required that you NEVER erase the modemst1 and/or modemst2 partitions (the equivalent of EFS/baseband cache on the Moto X).
At this point, I knew without a doubt that the key was in the modemst partitions. The breakthrough, however, didn't come until Mid-July, when another XDA Member: @yefonme posted to the thread that they had obtained a China-SIM-Cracked XT1056. This user confirmed the information I already knew by telling me that the seller advised that they must never erase the modemst partitions or the SIM-Unlock would be lost. This user generously offered to assist in helping find the solution, just for sheer curiosity - they wanted to know HOW the SIM-Unlock was achieved.
At this point, I thought we had everything we needed. Knowing that the key lies in the baseband cache, I requested various users to use a tool to backup their modemst1/modemst2 partitions, and send them to me for comparison with a HEX-Editor. Several users obliged, but unfortunately, we hit another roadblock -- the EFS partitions turned out to be ENCRYPTED TO HELL! That method was going nowhere. Then I realized that upon erasing the baseband cache (modemst1/modemst2 partitions), that all NV-ITEMS were reset to their factory defaults. BINGO! This means that the baseband cache partitions MUST store the encrypted contents of NVRAM!
This meant we had another option! Using standard CDMA tools, we could do a "DUMP" of the values stored in NVRAM. Another user, @ezeuba, suggested a simple tool, and provided instructions for the other's involved to DUMP the contents of their NVRAM, for comparison. Another big issue: Since many NVITEMS are inactive / restricted, even between 2 Sprint SIM-Locked devices, it made it completely impossible to use a utility to run a differential comparison between these NV-DUMPS. This meant that the NV-ITEMS had to be compared manually, by-hand.
I spent countless hours scouring through the data, comparing the THOUSANDS of NV-ITEMS from the China-Cracked XT1056 with the dumps provided by the Sprint SIM-Locked users. It was taking forever! I knew that the key to comparing the NVITEMS was finding values that were the SAME on all the Locked XT1056s, but DIFFERENT, only on the SIM-CRACKED XT1056. If a particular NVITEM differs between 2 or more LOCKED XT1056s, it is likely not the value we are looking for.
Then, finally, I came across an NVITEM that struck me as unique. It was the SAME on all the LOCKED XT1056's I analyzed, but different ONLY on the CRACKED XT1056. I was hesitantly optimistic, and posted about it here: http://forum.xda-developers.com/showpost.php?p=54334931&postcount=250
Well, my intuition was Spot-On, and this DID turn out to be the proverbial "smoking gun". Another user (ignoring my suggestions to WAIT and let another user who had offered to donate an XT1056 mainboard try it first) went ahead and wrote the new value as I had suggested. BAM!!! And the rest is HISTORY.
OK, so enough about the history, and on to the solution!!!!!
So the key lies in NVITEM # 8378
On the China-Cracked XT1056, the value was "01"
On all the SIM-LOCKED XT1056's, the value was "00"
That's all there is to it. You can use the CDMA Tool of your choice to write "01" to NVITEM 8378 to achieve SIM-Unlock!
You will also need to change the RUIM config to "RUIM-Only" in order to prevent the phone from reverting to CDMA-mode upon reboot. This is controlled by NVITEM 855 (see instructions in post # 2)
This method is KNOWN to unlock for all international GSM carriers, but DOES NOT unlock for Domestic U.S. carriers. Something else is in place, it appears, that BLOCKS the United States MCCs. NOW EXTENDED TO U.S. USERS AS WELL!!!
POST # 2 in this thread will be reserved for complete instructions for those of you who aren't familiar with how to write NV-ITEMS. These instructions are courtesy of @ezeuba.
POST # 3 will be reserved for detailed instructions on how to install the necessary DIAG Drivers, and how to manually FORCE driver installation, if necessary.
I believe in giving credit where it is due, so I want to personally thank:
* @hsngt and @jaaa1976 - who provided me with the NVDUMPS I used to find the SIM-Unlock method. @jaaa1976 was the FIRST person to be unlocked by my method
* @ezeuba for providing these users with step-by-step instructions on how to READ and SAVE said NVITEM dumps.
* @Vivjen for support and generous offer to donate a XT1056 mainboard (which turned out to be unnecessary)
* @crabbyone for encouraging me to take a 2nd look at NVITEM # 8322 (which turned out to be the Domestic Unlock solution)
* @Arnold Snarb for originally discovering the property of NVITEM # 8322 (which unlocked the Razr M for domestic use)
* All the others who submitted EFS and/or NVDUMPS (even though I didn't use them to find the solution)
* Everyone who believed in me and provided encouragement and moral support ( that includes YOU, @KJ )
* Everyone who makes good on their bounty pledges and everyone who DONATES (paypal: [email protected] )
* Everyone who is appreciative and gracious for the ENORMOUS amount of time I've spent making this SIM-Unlock possible for everyone
* The China-man who found the solution FIRST, even though he didn't share it with anyone and intended to only use it for Profit (I bet he is PISSED at me -- he was charging $80 U.S. for EACH unlock )
*** and ESPECIALLY @yefonme --- without YOU, NONE of this would be possible.
[Q]: How much should I donate to you for all the time (weeks) you spent working on this?
[A]: Please donate what you feel it is worth to you. The XT1056 can be found far cheaper than any other Moto X Variant, and now that we can SIM-UNLOCK it, it will become much more popular. If I have saved you money, or added value to the phone you already own, I would appreciate being compensated accordingly. I realize that some are not able to donate, and I understand. Do what you can / what you feel is fair. I spent countless hours on this, and would appreciate being somewhat-compensated for my efforts. This, of course, is not a requirement, since I have posted the solution and made it freely available to everyone. Keep in mind that the China Taobao-seller was charging $80 for EACH unlock...and HIS sim-crack didn't even unlock for Domestic U.S users!!!
PayPal Donation address: [email protected]
DO NOT email me asking for help with this. I won't answer you. *Post in the Thread* - this is the only way you will get support. I'm sure that you understand...
Additional info:
This works for all Republic Wireless XT1049's also, but ONLY if you can unlock the bootloader (only possible through the "China Middleman" - use search). You MUST flash the Sprint XT1056 ROM to your RW XT1049 device for this to work for you.
DISCLAIMER:
If you use my SIM-CRACK, I'm not responsible for ANYTHING that goes wrong. USE CAUTION! If you hit the wrong button, or write the wrong NVITEM, you could end up in BIG TROUBLE (possible BRICK). You have been warned.
And lastly, YOU MAY ---NOT--- COPY ANY PART OF MY SIM-UNLOCK METHODS. YOU MAY NOT SHARE/RE-DISTRIBUTE MY FILES, OR POST THEM TO OTHER SITES. THE ONLY ACCEPTABLE THING IS TO ---LINK--- THIS THREAD TO OTHER SITES. IT IS UNACCEPTABLE TO STEAL MY (OR ANYONE ELSE'S) WORK!!!!! I will be extremely offended if I find that someone stole my work and posted it elsewhere. ONLY Link this thread. Don't copy any or all of its contents elsewhere. PERIOD.
^This is NOT an unreasonable request....
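The manual comparison described in the post above (keep an NV item only if it is readable and identical on every locked unit, yet different on the one unit being examined) can be scripted even when some items are inactive or restricted on some devices. This is an added example, not part of the original post or of any tool named in the thread; the text dump format (`<item id>: <hex bytes>` or `INACTIVE`), the function names and every sample value other than item 8378 are constructed assumptions.

```python
"""Baseline comparison of NV-item dumps (added example; dump format is assumed)."""
import re

# Assumed line format: "<item id>: <hex bytes>" or "<item id>: INACTIVE".
LINE_RE = re.compile(r"^\s*(\d+)\s*:\s*(.+?)\s*$")
UNREADABLE = ("INACTIVE", "RESTRICTED")


def parse_dump(text):
    """Return {item_id: normalized hex string, or None if the item is unreadable}."""
    items = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # blank lines, comments, headers
        item_id, raw = int(match.group(1)), match.group(2)
        if raw.upper() in UNREADABLE:
            items[item_id] = None
        else:
            # Normalize spacing and case so "00 1f" and "001F" compare equal.
            items[item_id] = "".join(raw.split()).upper()
    return items


def distinguishing_items(baseline_dumps, subject_dump):
    """Items identical on every baseline device but different on the subject.

    An item is skipped when it is missing or unreadable on any device, or when
    the baselines disagree with each other (a per-device value such as a
    serial number cannot be the setting that distinguishes the subject).
    Returns {item_id: (baseline_value, subject_value)}.
    """
    result = {}
    for item_id, subject_value in subject_dump.items():
        if subject_value is None:
            continue
        values = [dump.get(item_id) for dump in baseline_dumps]
        if any(value is None for value in values):
            continue  # not comparable on at least one baseline
        if len(set(values)) != 1:
            continue  # baselines differ among themselves
        if values[0] != subject_value:
            result[item_id] = (values[0], subject_value)
    return result


# Constructed sample dumps. Only item 8378 and its 00/01 values come from the
# post; every other item id and value is made up for illustration.
LOCKED_A = """
# device A (constructed)
10: 04
441: 00 1F
550: 35 91 22 AA
8378: 00
9000: INACTIVE
"""

LOCKED_B = """
# device B (constructed)
10: 04
441: 00 1F
550: 35 91 77 0C
8378: 00
9000: 01
"""

SUBJECT = """
# device under examination (constructed)
10: 04
441: 00 1f
550: 35 91 40 E2
8378: 01
9000: 02
9100: INACTIVE
"""

if __name__ == "__main__":
    baselines = [parse_dump(LOCKED_A), parse_dump(LOCKED_B)]
    for item, (base, seen) in distinguishing_items(baselines, parse_dump(SUBJECT)).items():
        print(f"NV item {item}: baseline {base}, subject {seen}")
```

Item 550 is dropped because the two baselines disagree with each other, and item 9000 because it is inactive on device A, which are the two cases the post says defeated a plain file diff.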
FULL INSTRUCTIONS
!!!!! A WORD OF WARNING:
Once you complete this method, it is possible that you will NEVER be able to use your phone on Sprint / CDMA again! I -stupidly- flashed my Republic Wireless XT1049 (I should have known better -- I am using their service, and had no intentions of switching to GSM) in attempt to get better results / instructions for you guys. Now my phone is STUCK in GSM mode, the roaming indicator will not go away, I can't make calls on CELL, and no matter what I've tried, I cannot revert back. Not flashing my EFS backup, nor flashing back to stock, nor erasing the modemst partitions has been able to get me back on CDMA. PRL is STUCK on "1", and no matter how many times I write a new PRL, it won't stick. I'll be lucky if I can get my phone back in working order.....
^EDIT to above: This turned out to be EASILY fixed by flashing the entire SPRINT SBF to my Republic Wireless device, then, subsequently flashing back the Republic Wireless ROM (I WANT to STAY on Republic Wireless). DO NOT ATTEMPT THIS SIM-Unlock on the Republic Wireless ROM. Something about the RW ROM prevents you from going back to CDMA once on GSM. Flash the SPRINT ROM, FIRST, if you want to GSM-Unlock your Republic Wireless XT1049. The SPRINT ROM does not seem to have this issue, so you are probably OK, but take caution, nonetheless. I'm finally back on Republic Wireless (CDMA) after hours of frustration and fear that I was permanently stuck on GSM.
I don't recommend this if you plan to ever go back to CDMA / Sprint Probably fine - But once again, use caution.
Still want to continue? ------> Don't blame me if you end up STUCK on GSM
If you want my support, you must be on the Stock XT1056 Sprint ROM. I will not support any other ROMS from any other variants, or any custom roms. If you change roms, good luck, but no support will be provided. Additionally, support will ONLY be provided by posting to this thread. Do not email me or PM me with questions. I'm sure you understand...
AND Don't forget: This DOES NOT unlock for Domestic use, in the United States. Blame Motorola/Sprint. Something else is in place, it seems, that BLOCKS the U.S. MCCs. If you live in the U.S., DON'T BOTHER, unless you plan to sell your device to someone overseas. Myself and others are looking into the possibility of extending the SIM-Unlock to those in the U.S., but hasn't happened YET. I've also discovered the DOMESTIC UNLOCK solution now, as well!!!
FIRST, you must be in DIAGNOSTIC MODE:
You MUST have "USB Debugging" DISABLED, or the DIAG Port will NOT activate!!!
ezeuba said:
There are 2 ways to get to DIAG mode on this device. If ##3424# doesn't work, you can try the default for most Motorola devices: Power off phone. Hold down BOTH Volume Buttons and press the Power Button (It's called the 3-finger salute). When the phone boots, it will display a diagnostic screen called Fastboot Mode with options to scroll to and select. Use the Volume Down Button to scroll and the Volume Up Button to select. Scroll to the bottom of that list and when BP TOOLS is highlighted, press the Volume Up Button. The phone will restart and if you have Motorola device drivers on your computer, it will install the correct port (something like BP DIAG port Motorola QC Diag Port - look for it in your computer's Device Manager to get the port number).
****If you are having driver issues, and you have an entry for "Motorola QC Diag Interface" (not "Port") under "Other Devices" (and not "Ports (COM & LPT)"), SEE POST # 3 for detailed instructions (WITH PICTURES) on how to FORCE the driver installation.
Next, download and install the attached "SPCUtility.apk" app on your phone. Run it -- it will give you YOUR SPC Code. Write it down / take note of it.
IF ANYONE CAN TELL ME WHO DEVELOPED THIS APP, I WILL GIVE THEM THE APPROPRIATE CREDIT. I have tried (without success) to find out who the author is.
Then, flash the attached nv-unlock.txt, nv-unlock2.txt, unlock-domestic.txt AND nv-ruim-only.txt files as per these instructions:
1. Open the attached "NV-Items Reader-Writer"
2. Enter YOUR COM PORT # as shown in DEVICE Manager
3. Enter YOUR SPC Code into the box, as shown.
4. Check the box immediately next to where you entered the SPC Code.
5. Click "Connect"!
Now, follow these instructions:
1. Click "READ" --AT THE TOP--
2. Make sure it says: "SPC is Correct. Phone Unlocked."
3. Click the "Write" button, and find the "nv-unlock.txt" file - make sure it confirms success
4. Click the "Write" button, and find the "nv-unlock2.txt" file - make sure this confirms success
5. Click the "Write" button, and find the "unlock-domestic.txt" file - make sure this also confirms success
6. Click the "Write" button, and find the "nv-ruim-only.txt" file - and make sure it confirms success as well
7. Last, click MODE, then RESET
And lastly, once the phone reboots, go to Settings, More, Mobile Networks and select GSM/UMTS.
DONE! You are SIM-Unlocked!
KNOWN ISSUES: On domestic carriers, users are reporting that although it DOES work, the signal bars may show no service. (I am looking into this.) Additionally, if data isn't working, YOU NEED TO INPUT THE PROPER APN FOR YOUR CARRIER (as with all GSM phones).
^^^***THIS MAY BE SOLVED*** Apparently, it involves simply using fastboot to set your carrier! (THANKS, @ejlmd , and @leonardoafa !!!) You can see this post for more details: http://forum.xda-developers.com/showpost.php?p=54468353&postcount=126 (And hit the "THANKS" to @ejlmd, and @leonardoafa in the linked post). This **should** fix your signal bar issues, AND roaming indicator, and allow SMS without issue.
ALSO, you will NOT get LTE data...on any carrier except Sprint because the radio inside doesn't support any LTE bands except 25 (used by Sprint). You also won't get HSPA/HSPA+ (3G/4G) data for any carrier using frequencies not supported by the Sprint Moto X. For instance: If you are using T-Mobile, unless you are in an area that has been re-farmed to 1900mhz HSPA/HSPA+, you will only get EDGE data. This is because T-Mobile extensively uses HSPA/HSPA+ on the 1700mhz AWS band which is not supported by the Sprint Moto X. See the link below for a complete list of frequencies supported by the XT1056.
http://en.wikipedia.org/wiki/Moto_X
Keep in mind that once you write the "nv-ruim-only.txt" file, you will no longer be able to use CDMA without flashing the "revert" file listed below (puts you back on the default RUIM-CONFIG). The "revert" file is ONLY to be used if you want (for some reason) to switch back to CDMA. You do not need it if you intend to only use GSM. Also, the purpose of "nv-unlock2" is to unlock the MIP settings, and prevent the phone from reverting BACK to NV-Only upon reboot.
Additionally, keep in mind that if you ever "SBF" back to stock, using RSD Lite (or fastboot method), it will un-do the SIM-CRACK, and you will need to repeat these steps.
You ***SHOULD*** be able to accept Updates (OTAs) without losing the SIM-CRACK.
*****If you click any of the attached TXT files, and it OPENS in your browser, instead of downloading, RIGHT-CLICK on it, and click "Save Link As" -- it should download without issue.
Driver Issues?
This post is for you.
In order to use the DIAG interface, you must first install the Motorola Drivers from here: https://motorola-global-portal.custhelp.com/app/answers/detail/a_id/88481
REMEMBER: As stated in POST # 2, you MUST have "USB Debugging" DISABLED, or the DIAG port will NOT activate.
If you installed these drivers, and you still can't get it to work, and you have an entry under "Other Devices" (In Device Manager) called "Motorola QC Diag Interface" (SEE PIC1, attached below) follow the instructions in the attached pictures STEP-BY-STEP, IN ORDER, to FORCE driver installation.
We are ONLY concerned with the QC Diag Interface - don't worry about the rest of the entries under "Unknown Devices" -- these are not important.
Once you have successfully FORCED the driver installation, you should have an entry under Ports (COM & LPT), called "Motorola QC Diag Port (COMX)" (SEE PIC8, attached below). NOTE the value of "X" - this is the COM port you will use for our purposes. When you successfully have this entry, you can continue with the "FULL INSTRUCTIONS" in POST # 2.
You're the man!!! I doff my hat for you, sir. I think the best option will be to create an nv-item txt file for that particular nv-item (8378). I will get to it now and see what gives. Cheers man...
ezeuba said:
You're the man!!! I doff my hat for you, sir. I think the best option will be to create an nv-item txt file for that particular nv-item (8378). I will get to it now and see what gives. Cheers man...
Excellent! Please get me the instructions & necessary tools to use ASAP so I can post it in Post # 2 for the users who need step-by-step instructions. Thanks for all your help as well - I have given you credit accordingly.
Excellent work,buddy!!!
Thanks to your efforts, I can imagine how difficult it is.
And I was very pleased to be able to help.:victory:
Done!!!
Just flash this attached file. Connect as usual to the NV-ITEMS Reader/Writer. Click Write and select the attached file which you must have downloaded. After writing, go to Mode and click reset. Phone will restart. Go to Settings, More, Mobile Networks and select GSM/UMTS. Phone unlocked. Special thanks again to @samwathegreat without whom this will not be possible.
I'm on GSM right now...
NB If you've been using this phone on CDMA, you need to change RUIM Config to RUIM Only, else whenever you restart it will revert back to CDMA mode.
ezeuba said:
Just flash this attached file. Connect as usual to the NV-ITEMS Reader/Writer. Click Write and select the attached file which you must have downloaded. After writing, go to Mode and click reset. Phone will restart. Go to Settings, More, Mobile Networks and select GSM/UMTS. Phone unlocked. Special thanks again to @samwathegreat without whom this will not be possible.
I'm on GSM right now...
POST # 2 Updated. Thanks!!!!!
hey man, amazing job on this! so many people will happy to see this!
You're the man!!!
Thanks again everyone.
I REALLY need someone in the United States to test this and advise whether or not it unlocks for Domestic (U.S.) GSM Carriers.
We know that the "official" Sprint OTA-Sim-Unlock (only offered if you are a current sprint customer, have had an account for a specified amount of time, and meet other criteria) does NOT unlock for domestic use (international only).
I'm anxious to find out if my SIM-CRACK unlocks for those of us in the U.S. -- I need to know ASAP so I can update my OP accordingly.
@samwathegreat
If it is possible that you could make a video or how to flash this to your phone I think it would be beneficial to some. Even if your phone is already unlocked if you can flash this way then I feel that it's going to stop the millions of questions that are going to come from the thread. Just my two cents, thanks again :good: :victory: :highfive:
Vekhez said:
@samwathegreat
If it is possible that you could make a video of how to flash this to your phone I think it would be beneficial to some. Even if your phone is already unlocked if you can flash this way then I feel that it's going to stop the millions of questions that are going to come from the thread. Just my two cents, thanks again :good: :victory: :highfive:
Good suggestion. Full, detailed, instructions are listed in POST # 2 already, but this could help some, and I could put it in POST # 3. I'll see if I can get another user to make a video.
Remember: I don't own an XT1056: I did all of this for YOU GUYS, and all without even owning a Sprint XT1056
You are welcome to create a video yourself! I think the instructions are concise enough that you should be able to manage making a video. If you do, I'll post it in #3 and give you appropriate credit for it.
samwathegreat said:
Good suggestion. Full, detailed, instructions are listed in POST # 2 already, but this could help some, and I could put it in POST # 3. I'll see if I can get another user to make a video.
Remember: I don't own an XT1056: I did all of this for YOU GUYS, and all without even owning a Sprint XT1056
You are welcome to create a video yourself! I think the instructions are concise enough that you should be able to manage making a video. If you do, I'll post it in #3 and give you appropriate credit for it.
I don't have the appropriate equipment or environment (living in a 'college dorm' (kinda like that) with 24 people, it's never quiet) otherwise I would make one ASAP.
You don't even have one?! OH MY GOD. You're amazing doing all of this without the device...
Also a few things, I can't download the .txt file... I can only view what it says... So how do I download that, and then from that where do I put it to flash, just in the text box?
Vekhez said:
I don't have the appropriate equipment or environment (living in a 'college dorm' (kinda like that) with 24 people, it's never quiet) otherwise I would make one ASAP.
You don't even have one?! OH MY GOD. You're amazing doing all of this without the device...
Also a few things, I can't download the .txt file... I can only view what it says... So how do I download that, and then from that where do I put it to flash, just in the text box?
Right-click the txt file. Then click "save link as". It will download perfectly. I will add this info to Post#2
XT1052
Nice job! I followed the old thread.. I know how much work it was.
Just a question. Will this method work on the Moto XT1052 version?
Green78 said:
Nice job! I followed the old thread.. I know how much work it was.
Just a question. Will this method work on the Moto XT1052 version?
No idea? Use the NV-ITEM reader/writer attached in POST # 2 to read NVITEM 8378
Under Range (Dec), type 8378 into both fields (type nothing into the HEX boxes) and click READ. If NV8378 is "00", there is a good chance it will. Try and let me know!!!! If it already reads "01", it won't work.
...can't you get a SIM-Unlock code from a regular GSM Sim-Unlock-Code seller for the XT1052?
Actually I don't need a SIM unlock....but some French Moto X owners bought their phones in the US (XT1053 sorry, not XT1052).
But my question is the same: does it work on other Moto X models?
I'm gonna try your method to see what happens.
Green78 said:
Actually I don't need a SIM unlock....but some French Moto X owners bought their phones in the US (XT1053 sorry, not XT1052).
But my question is the same: does it work on other Moto X models?
I'm gonna try your method to see what happens.
ALL XT1053s should already be sim-unlocked. In fact, all variants except the XT1056 and XT1049 (that aren't -already- unlocked) can be SIM-Unlocked using the normal methods...(online code-sellers, etc.)
My method definitely works on all XT1056s.
It *SHOULD* work on all XT1049s (Republic Wireless), but ONLY if you unlock the BL and flash the XT1056 ROM to it.
ezeuba said:
Just flash this attached file. Connect as usual to the NV-ITEMS Reader/Writer. Click Write and select the attached file which you must have downloaded. After writing, go to Mode and click reset. Phone will restart. Go to Settings, More, Mobile Networks and select GSM/UMTS. Phone unlocked. Special thanks again to @samwathegreat without whom this will not be possible.
I'm on GSM right now...
NB If you've been using this phone on CDMA, you need to change RUIM Config to RUIM Only, else whenever you restart it will revert back to CDMA mode.
Thanks for the update. Can you provide more detailed instructions on how to change to RUIM only? I know how to do this....with DFS anyways....but many won't. Which tool do you suggest?
Actually, I believe that RUIM config is also stored in a NV item!
I *believe* that it is NVITEM 855 --- can you check for me? If I'm right, "00" = RUIM only, and "01" = default setting. Can you confirm?!?!
We could just update the txt file with this one additional NV-Value, and the users would only have to flash the ONE file, and it will crack AND set the RUIM config to RUIM only.
What do you think?
