Need help removing sim lock from Qualcomm radio NAND dump (Sharp 005SH) - General Questions and Answers

Hi all, I am hoping for some assistance in decoding/working out where the SIM lock is held in the radio of my Japanese Sharp 005SH (Android 2.3.4, Snapdragon processor). Putting in another carrier's SIM just shows a USIM-MEP screen, with no possibility of entering an unlock code like on many other Android phones.
The Japanese hacking community have managed to get full root, unlock the NAND and also a secondary Miyabi LSM lock, but they are unwilling to discuss removing the SIM lock (somewhat taboo here, or something).
However, on repeated requests, they have written a kernel which allows me to get a dump of the raw data in the radio NAND chip, and given me the hint that using QualcommDumpAnalyser it should be possible to find it: "Qualcomm NAND programming isn't particularly unique or difficult, so if you know how that works, you should be able to work it out."
Unfortunately I don't.
I have the dump of the radio (a 100 MB img file) and QualcommDumpAnalyser, but I'm not sure where to go from there. Opening the dump file in a hex editor doesn't give any obvious clues - no mention of LOCK, USIM, MCC/MNC, or even my IMEI.
Is there someone who can give me some clues on how to proceed from here? I can supply the radio dump if required.
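An added example (not from the original thread, and not QualcommDumpAnalyser's code) of why a hex-editor search for the IMEI or MCC/MNC comes up empty: modem NV storage keeps these as packed BCD, not ASCII. The script encodes a known IMEI the way Qualcomm's NV_UE_IMEI_I item and the 3GPP TS 24.008 Mobile Identity IE do (length byte 0x08, first digit over a type nibble 0xA, then nibble-swapped digits), encodes an MCC/MNC pair in the 3GPP PLMN layout, and searches a dump for each form; it also scans for any NV-style IMEI and filters hits with the Luhn check digit. SAMPLE_DUMP is constructed here and is not a real 005SH image; the IMEI and the MCC 440 / MNC 20 values are illustrative only.

```python
"""Locate an IMEI and an MCC/MNC pair in a raw modem (NV/NAND) dump.

Added example, not code from the original thread or from QualcommDumpAnalyser.
Searching a radio dump for ASCII strings like the IMEI usually finds nothing
because the modem stores identifiers as packed BCD.  The encodings below are
the 3GPP ones (TS 24.008 Mobile Identity / PLMN) that Qualcomm NV items use.
Assumptions: the dump is a flat byte image; SAMPLE_DUMP is constructed here
and is not a real 005SH image; the IMEI and PLMN values are illustrative.
"""
import re

# Two-byte prefix of an NV-style IMEI: length 0x08, then the first digit (0-9)
# in the high nibble over the type nibble 0xA.
_NV_IMEI_PREFIX = re.compile(rb"\x08[\x0a\x1a\x2a\x3a\x4a\x5a\x6a\x7a\x8a\x9a]")


def imei_luhn_ok(imei: str) -> bool:
    """The 15th IMEI digit is a Luhn check digit over the first 14 (3GPP TS 23.003)."""
    if not re.fullmatch(r"\d{15}", imei):
        return False
    total = 0
    for i, ch in enumerate(imei[:14]):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the left is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10 == int(imei[14])


def encode_nv_imei(imei: str) -> bytes:
    """Qualcomm NV_UE_IMEI_I (NV item 550) layout: 0x08 length byte, digit 1 in the
    high nibble over 0xA, then the remaining digits two per byte, low nibble first.
    Same layout as the 3GPP TS 24.008 Mobile Identity IE for an IMEI."""
    d = [int(c) for c in imei]
    out = [0x08, (d[0] << 4) | 0x0A]
    for lo, hi in zip(d[1::2], d[2::2]):
        out.append((hi << 4) | lo)
    return bytes(out)


def decode_nv_imei(blob: bytes):
    """Inverse of encode_nv_imei; returns None if the bytes are not in that layout."""
    if len(blob) != 9 or blob[0] != 0x08 or blob[1] & 0x0F != 0x0A:
        return None
    digits = [blob[1] >> 4]
    for b in blob[2:]:
        digits += [b & 0x0F, b >> 4]
    if any(x > 9 for x in digits):
        return None
    return "".join(map(str, digits))


def encode_plmn(mcc: str, mnc: str) -> bytes:
    """3-byte PLMN code (3GPP TS 24.008 10.5.1.3): MCC2 MCC1 | MNC3 MCC3 | MNC2 MNC1,
    with MNC3 = 0xF for a two-digit MNC.  A network personalisation (SIM lock)
    entry or a PLMN list records the operator this way."""
    m1, m2, m3 = (int(c) for c in mcc)
    n1, n2 = int(mnc[0]), int(mnc[1])
    n3 = int(mnc[2]) if len(mnc) == 3 else 0xF
    return bytes([(m2 << 4) | m1, (n3 << 4) | m3, (n2 << 4) | n1])


def plain_bcd(digits: str) -> bytes:
    """Unswapped packed BCD, high nibble first, padded with 0xF."""
    if len(digits) % 2:
        digits += "F"
    return bytes.fromhex(digits)


def find_all(hay: bytes, needle: bytes) -> list:
    """Every offset of needle in hay (overlaps included)."""
    hits, pos = [], hay.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = hay.find(needle, pos + 1)
    return hits


def locate(dump: bytes, imei: str, mcc: str, mnc: str) -> dict:
    """Offsets of a known IMEI and PLMN in each encoding worth checking."""
    nv = encode_nv_imei(imei)
    return {
        "ascii": find_all(dump, imei.encode()),
        "nv550": find_all(dump, nv),
        "bcd_swapped": find_all(dump, nv[1:]),   # same nibbles, no length byte
        "bcd_plain": find_all(dump, plain_bcd(imei)),
        "plmn": find_all(dump, encode_plmn(mcc, mnc)),
    }


def find_imei_candidates(dump: bytes) -> list:
    """Unknown-IMEI scan: every NV-style IMEI whose Luhn digit checks out."""
    found = []
    for m in _NV_IMEI_PREFIX.finditer(dump):
        imei = decode_nv_imei(dump[m.start():m.start() + 9])
        if imei and imei_luhn_ok(imei):
            found.append((m.start(), imei))
    return found


# Constructed stand-in for a radio dump: filler, the IMEI as NV item 550 data,
# a PLMN entry for MCC 440 / MNC 20, then the IMEI as ASCII for comparison.
SAMPLE_IMEI = "490154203237518"
SAMPLE_DUMP = (b"\x00" * 32 + b"\xff" * 32 + encode_nv_imei(SAMPLE_IMEI)
               + b"\x00" * 16 + encode_plmn("440", "20") + b"\xff" * 32
               + b"IMEI=" + SAMPLE_IMEI.encode() + b"\x00" * 16)

if __name__ == "__main__":
    for enc, offs in locate(SAMPLE_DUMP, SAMPLE_IMEI, "440", "20").items():
        print(f"{enc:12s} {[hex(o) for o in offs]}")
    print("candidates:", find_imei_candidates(SAMPLE_DUMP))
```

Run it against the real dump with `locate(open("radio.img", "rb").read(), "<your IMEI>", "<MCC>", "<MNC>")`: a hit under "nv550" or "bcd_swapped" tells you which region holds the NV items, and PLMN hits near it are where a personalisation list would sit. Keep in mind that some modem builds store NV data behind a filesystem layer (EFS2) with its own page and block headers, so a value can also be split across a page boundary and missed by a flat search.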

Hi! I am the same guy from the Howard Forums. I think you should upload it anyway. Maybe some expert sees this, decides to download it just to check it out, and it ends up being a piece of cake for him/her to modify.

Is there any progress on this? I have a 003SH and am tired of CPR constantly.


data crashes

Hey all. I have a problem with my HTC Tornado. I tried to update the ROM, and I get "data crashes" when a SIM card is inserted. So what must I do with my phone? I tried to use various unlockers for that and various ROMs, but it still says "data crashes".
So what should I do with that?
Here is your answer
As gutek85 already pointed to my post, let me add that your problem has nothing to do with ROM upgrades. ROM upgrades (aka "flashing") have different parts you usually do not touch (Splash-Screen, Radio + Low-Level-loaders: IPL and SPL) and those that you want to change (OS - aka "Windows Version").
None of those are touching the "encrypted block".
When getting a device from anyone, always check if the device can work with your SIM Card. If you get the "data crashes" message - see the post referenced. If you get a message about entering an unlock code then your device is SIM locked.
The Lokiwiz tooling can remedy this problem and (if applied correctly and with care) supply you a SIM unlocked and CID unlocked device.
I bought this phone and unlocked it with a code one year ago.
I think it needs some software operation.
The diagnosis is 100% sure. If you have the message "data crashes..." when inserting your SIM and trying to get Radio contact, then your encrypted block IS corrupted. If everything was ok after you unlocked the device, why did you bother to do something more to that? What went wrong? I never had problems with lokiwiz - enough written about it in my kitchen post.
Please mind that to my knowledge all tools dealing with unlocking (lokiwiz or wizardunlock, which does not work on my Tornados) are reading the whole encrypted block (just 64k), modifying something inside (either removing the CID lock or removing the SIM lock - some even claim to change the IMEI) and then writing back the whole block. So if anything goes wrong with the things these tools are writing in the encrypted block, your only way to get back is to restore the original block. If you do not have it any longer - you are lost if on your own. You can play around for hours or days (and fail) or pay 10 GBP to the imei-check.uk guys and you are done - your choice.
Luckily you can still use the device as a WinMo music player or alike - just GSM Radio will not work as long as your encrypted block is broken.
I can pay 10 GBP... do they send me the block, or do they send me a code only?
look it up here: http://imei-check.co.uk/c600_unlock.php
C600 is one of the many Tornado variants - it will work for you as well.
Is it possible to write a backed-up encrypted block from another Tornado phone?
It could be a solution for people like kviaff...
No it does not work - you can try (if you backup the original to restore later). It seems that the IMEI (read with *#06#) is taken from another (hidden?) place and it must match the one stored in the encrypted block.
This is why the "data crashes..." message appears! The IMEIs do not match. I had received such a wrongly written Tornado board (from AlainL - we had a thread about this here in the forum, in my kitchen thread I believe) and it could successfully be recovered with the imei-check.uk method (paying them, of course).
Mind that the lokiwiz will not take care of existing lock-backup.bin files in its directory. The next call to any option will overwrite the previous. It could be safeguarded in the batchfile (for those who are batch wizards), but you can rename this yourself before calling the next option.
What if I change my IMEI (with Wizard Service Tool) to the IMEI of the phone with the corrupted encrypted block and then create a backup? Maybe it can help fix the problem...
Well you are the only one that has reported that the Wizard Service Tool works on the Tornado - and only with the 6.5 ROM from SGregory.
I don't know what actually these tools are doing in detail to the devices - and time as well as effort to investigate on this is not worth it if you just shell out 10 GBP to have it working again.
You would also first need to find out which kind of corruption the encrypted block actually has. It could well be that a non-matching IMEI is just one of many reasons to issue this "data crashes..." message (it was for me - as reported).
You should know (you do, I think) that changing the IMEI is illegal and you must obviously obey the rules how an IMEI is constructed. So why bother with all this?
kviaff must discuss what he did to the device with the guys at imei-check.uk and ask them if their procedure will recover it. We can only guess here as he did not tell how that happened to his device yet.
I know that IMEI changing is illegal, but in service situations it's legal. Similar to Windows Mobile modifications (you know it, I think). But back to the cost of reconstructing: 10 GBP is enough money to fix it myself. In Poland I can buy an SPV C600 for the equivalent of 15-20 GBP (in good condition), so it's uneconomic.
I have one reserve C600 so I'll experiment with it (I'll make a backup copy, of course). So wish me luck, and of course I will inform you of the results.
While searching for something else I found this blog and finally also this XDA thread. I have not checked the tool yet (maybe I never will) - but in case anyone dares?!
Possibly the "data crashes" goes away if everything is reconstructed in the encrypted block for a new IMEI (or the original one)? I should have found it in January this year when I paid IMEI-CHECK.UK the bucks to recover a Tornado board.
I'll try it and write if it works with the "data crashes..." problem.
tobbbie said:
Well you are the only one that has reported that the Wizard Service Tool works on the Tornado - and only with the 6.5 ROM from SGregory.
I can vouch for the fact that Wizard Service Tool works on the Tornado. I had Super-CID unlocked my phone using some other method and then, while doing some random stuff, had changed the IMEI to something like 000..123..90 or so just for fun's sake. Then a few months later, India passed a law which made phones with invalid IMEIs useless. So I had to use some software to recover my IMEI from a memory block; I forgot which one I used (I had erased the IMEI printed on the surface below the battery due to another freakish accident). Then I used WST to restore my earlier IMEI.
Most probably you have loaded the WM65 ROM from Gregory - there it works and the "data crashes" message is suppressed (by the ROM). The corrupted block would not work with any other ROM and the WST would not work with any other as well.
At least these are the conclusions from gutek85 so far.
Mind that the WST is not the IMEI changer for the wizard!
It's possible to read the original IMEI from the (original) CID block with WST:
CID Action => Read CID block
OK, finally I tried the IMEI Change Wizard on one of my spare Tornados. The result is:
It works in changing the IMEI; if the device was OK before the change then there is still no "data crashes" after the change.
It should NOT work in getting rid of the "data crashes" message, because obviously the encrypted block is not linked to the IMEI of the device but to a HW characteristic of the device itself.
If I remember right (when searching for a solution for my old "data crashes" PBA) the encrypted block is linked to the Disc-On-Chip-ID which is HW unique per DOC in each device. It cannot be linked to the IMEI because otherwise a change of the IMEI would have created the data-crashes message. I have checked if the encrypted block is changed by the IMEI Update Wizard - and it is not. It is still possible that the "encrypted block" is extending beyond the 64k that lokiwiz is backing up.
So it is a nice tool to play with but has no real purpose for those who are legal owners of their devices. There is plenty of information regarding the consequences of changing the IMEI (legal and technical), so let me pick the simplest: If you change your device type (the first 6 digits) then the network may treat your device in a wrong way and you could experience strange behavior of e.g. MMS or configuration messages.
If you pick the IMEI of an existing (and connected) device you may bring the legal owner in problems - not only yourself.
For the curious:
In the scope of changing the IMEI the tool reads (and decrypts?) a block of 16k. It saves it temporarily in its program directory under "pdocread.dat".
After the change (before write back) it holds the changed data there as well. For the Tornado you see that the IMEI is stored at offset x'300C, safeguarded by some checksum at x'3008.
Mind: "IMEI Change Wizard" is NOT the "Wizard Service Tool (WST)"
I also finally succeeded to make the WST run with a stock WM5 Tornado. You have to manually add one policy setting:
HKEY_LOCAL_MACHINE\Security\Policies\Policies
add there a DWORD "0000101a" and set it to the value "1". This is what the "Cert_SPCS.cab" does but this will run only on PPC devices and not on a smartphone. Not sure though which of the operations from the WST will actually work on the Tornado and which will kill the device in one or the other way.
Good job
So there is still no way to fix the encrypted block for free... Maybe someone could crack the IMEICheck tool to avoid the keyfile, or make a keyfile generator. I tried, but I don't have enough knowledge...

HTC Boot loader unlocking process (how it's probably done programatically)

I posted this on my website, and thought people here might also appreciate it:
So to start this off, this is not about how to unlock your HTC phone's boot loader; it is about what we can infer about the process from the way it works (for more information on the process, see this). From what it would appear, this is some sort of hashing algorithm; on first look it would most likely be a one-way hash of the token passed to them at step 2. However, there is also the possibility that this is RSA in reverse.
If it is a hashing algorithm, this seems to be a best-case scenario. If it is a hashing algorithm, then each ID will obviously have a different unlock code sent to it. But the real question is how the phone will validate this. Does the phone have the unlock code programmed into the NAND, which would be a very nice solution if it just checks to see whether the two codes match? Or does it just have the algorithm to hash the ID built in and do that before checking it, which is another decent proposition, as if a hacker could get their hands on that and reverse engineer it they could set up a third-party boot loader unlocker.
If it is RSA in reverse it would actually be much simpler to break the code. We know that the phone's processor can only do so much computation, which would limit the possibilities for the key used to decrypt what is sent back from the HTC server. We also know that the key would have to be stored on the phone, even if just temporarily, in order for the phone to be able to unlock the boot loader if that was the case, so it would lend the possibility that the user could dump the information in the NAND and get the decryption key. However, unfortunately, as we know, that won't help much with RSA as it uses two different keys to encrypt and decrypt, but it is an intriguing thought.
In conclusion, there aren't too many possibilities for how the boot loader is being unlocked by HTC; those are the only ones I could think of that would fit (however there are likely many more). Thus, because of the limited possibilities, it is only a matter of time until the process is reverse engineered, allowing users to unlock their boot loader through non-official means, and if it is not able to be reverse engineered, I'd be willing to make a gentleman's bet that at some point it will get leaked. If anyone would like to rebut and tell me why I'm dead wrong I would love to hear it. What are your thoughts on this?
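An added example, not code from the original post and not HTC's implementation, that puts the two guesses above side by side. Scheme A is the "one-way hash" model: the server derives the unlock code with a keyed hash of the device identifier and the phone recomputes it, so the phone must carry the issuing secret. Scheme B is the "RSA in reverse" model, which is simply a digital signature: the server signs the identifier with a private key and the bootloader verifies with a public key, so a NAND dump yields only the verifying half. The RSA here is textbook and unpadded, with randomly generated keys, for illustration of the trust model only; identifiers and the issuing secret are constructed values.

```python
"""Two ways a bootloader could check an unlock token, side by side.

Added example, not the HTC implementation and not code from the original post.
Scheme A: server derives the unlock code as HMAC(secret, identifier); the phone
recomputes it, so the phone holds the issuing secret.
Scheme B: server signs the identifier; the phone verifies with a public key.
Dumping the phone breaks A (verification secret == issuing secret) but not B.
Assumptions: identifiers are opaque byte strings; the RSA is textbook, unpadded
and randomly generated, for illustration only.
"""
import hashlib
import hmac
import random

# ---- toy RSA (Miller-Rabin primes, no padding) -------------------------------

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Returns (private, public) as ((n, d), (n, e)); n is 'bits' long, so a
    SHA-256 digest always fits as an integer below n."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, pow(e, -1, phi)), (p * q, e)


def _digest_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def rsa_sign(private, msg: bytes) -> int:
    n, d = private
    return pow(_digest_int(msg), d, n)


def rsa_verify(public, msg: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest_int(msg)


# ---- Scheme A: keyed hash, phone recomputes ---------------------------------

def hash_scheme_issue(secret: bytes, identifier: bytes) -> bytes:
    """Server side: unlock code = HMAC(secret, identifier)."""
    return hmac.new(secret, identifier, hashlib.sha256).digest()


def hash_scheme_device_accepts(device_secret: bytes, identifier: bytes, code: bytes) -> bool:
    """Phone side: it must hold the same secret to recompute the code."""
    return hmac.compare_digest(hash_scheme_issue(device_secret, identifier), code)


# ---- Scheme B: signature, phone only verifies --------------------------------

def sig_scheme_issue(private, identifier: bytes) -> int:
    return rsa_sign(private, identifier)


def sig_scheme_device_accepts(public, identifier: bytes, token: int) -> bool:
    return rsa_verify(public, identifier, token)


def forgery_after_dump() -> dict:
    """Attacker has dumped everything the phone stores under each scheme and
    tries to mint a token for a device the server never issued one for."""
    secret = hashlib.sha256(b"constructed issuing secret").digest()
    private, public = rsa_keygen()
    target = b"constructed-device-identifier-0002"

    # Scheme A: the dump contains 'secret', so the attacker just runs the issuer.
    forged_code = hash_scheme_issue(secret, target)
    a_forged = hash_scheme_device_accepts(secret, target, forged_code)

    # Scheme B: the dump contains only (n, e); the best the attacker can do is
    # use the public exponent as if it were the signing exponent.
    n, e = public
    forged_token = pow(_digest_int(target), e, n)
    b_forged = sig_scheme_device_accepts(public, target, forged_token)

    # A genuine token for one identifier does not transfer to another device.
    real_token = sig_scheme_issue(private, b"constructed-device-identifier-0001")
    transferable = sig_scheme_device_accepts(public, target, real_token)

    return {"hash_scheme_forged": a_forged,
            "sig_scheme_forged": b_forged,
            "sig_token_transferable": transferable}


if __name__ == "__main__":
    print(forgery_after_dump())
```

Under scheme B the key that "would have to be stored on the phone" is the public one, which is why reading it out of NAND does not help a forger; what matters for an attacker is a leak of the server's private key or a bug in the bootloader's verification, not the phone's processing power.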
Just a pointer: even with the phone's limited processing power, as long as it's not trying to crack, generate keys, or encrypt stuff, it would be very easy to use a very long key.
Edit: there could also be a chip on the board that checks a hash of the bootloader; if the hash is different (think MD5) the bootloader is not the same. However, it would not prevent you from doing it; rather it would prevent your phone from booting.
Lol, just shot my own idea out of the sky.

verizon galaxy siii programming mdn required on non-stock roms?

Relocated from email discussion:
Hey, great tool [editorial: I think in reference to: http://code.google.com/p/cdmaworkshoptool/ ]. Would it be possible for me to get a copy of the most recent build? I'm looking into some things on the Galaxy S3 because we lose the MIN and phone number on non-stock ROMs. -C
to C:
The most recent build is .2, which is public. What exactly do you mean by lose? As in they must be reprogrammed after a ROM is flashed? Does the normal version of DevTerm you have downloaded fail to write the number back?
to me
It's a temporary problem with CM10. Development has been slow. It's lost on the first reboot and then MMS doesn't work. In Android, under Status/About, it lists "My Phone Number" as unknown and MIN as unknown. Just trying to see if I can write them while the OS is booted.
to C:
To write an MDN and MIN, typically you would connect to the phone in diagnostic mode: send mode offline, send the SPC, then simply write the MDN and MIN from the NAM part of the interface. There are typically three NV items which DevTerm writes for the MDN and MIN. Then mode reset will reset the phone and you can confirm whether this wrote the NV items.
Did that answer any questions?
to C:
Having never tested a Galaxy S III I'm not sure if DevTerm should work... There is a lot of chatter online about a program called ETS; you might look for that if DevTerm doesn't work. Please let me know if you are able to successfully write on the Galaxy S III.
to me
We are able to write to it with QPST. I actually got the numbers back, but I'm not sure how. Now I'm in the process of seeing if I can figure out how to replicate it. What is supposed to happen when you put it into reset mode? It doesn't work for me after that.
to C:
After mode reset the radio of the phone will literally reset. On some phones this will actually turn the whole phone off and on; some will just show no service temporarily. After mode reset, cdmaDevTerm will disconnect from the phone. There are a lot of variables, but typically if QPST could write the phone, DevTerm should also be able to. The MDN and MIN are really quite simply three NV items; I suspect the subsystem that normally stores this information is being overwritten or formatted by CyanogenMod.
If you have ever used CDMA Workshop or QXDM, the mode offline and mode reset are functionally the same.
to me
Thank you so much for going back and forth with me on this. I really appreciate it. The only major difference I noticed between an NV dump on stock and CM is that CM has a lock code for some reason. What is this ETS software you're referring to? CDMA Workshop is a bit too expensive, unfortunately.
Although I am not totally familiar with the tool, it is linked on XDA in another section:
http://forum.xda-developers.com/showthread.php?t=1696621
I wonder if this might have something to do with the chipset not being Qualcomm? On the other hand, if you said it worked with QPST maybe they are somehow compatible?
The VIA tool probably won't work since we do have a Qualcomm chipset. I still have not figured out how I managed to get it to work once, but it came up with the unlock SIM message. I put in the code for my phone that I found in NVRAM, then I tried the SPC and a few other things and eventually hit dismiss. It said that it could not connect, or something to that effect. Then I checked and it had my phone number as 000-000-xxxx, where xxxx was that unlock code. Then I restarted and I had the number again. I'm wondering if I somehow got the phone to let go of how it's storing the phone number.
Hm. If it is Qualcomm I would think that cdmaDevTerm should work... this is how one would normally write the MDN and MIN with DevTerm:
http://www.chromableedstudios.com/techninjutsu/howtowritemdnminwithcdmadevterm
Perhaps if this doesn't work you could include the response to the NV write from the LogQ tab to help understand the behavior? Maybe the ROM is activating a different NAM profile or something? (I'm not sure if I even have a spot on the UI for that in DevTerm, but a log might help understand.)
(For logging purposes you may want to try writing a fake phone number for privacy.)
I guess my question also is: are you trying to figure out why the ROM does this, or just a good way to fix it when it does?
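An added example (not part of the exchange above and not cdmaDevTerm's, QPST's or CDMA Workshop's code) of what the "mode offline, send SPC, write NV items, mode reset" sequence looks like on the wire. Every one of those tools speaks Qualcomm's DIAG protocol over the diagnostic serial port: each request is a command byte plus payload, with a CRC-16/X-25 appended little-endian, HDLC-style byte stuffing of 0x7E/0x7D, and a 0x7E terminator. The script builds and parses those frames so a LogQ or serial capture can be compared byte for byte; nothing here talks to a phone. The thread says "three NV items" without naming them, so the NV item numbers and payload layouts in ITEMS_TO_WRITE are placeholders and constructed data, and the SPC "000000" is constructed too.

```python
"""Qualcomm DIAG request frames for the MDN/MIN write sequence above
(mode offline, send SPC, NV write, mode reset).

Added example; not part of the original thread and not cdmaDevTerm's code.
It builds and parses the byte frames a DIAG client sends over the phone's
diagnostic serial port.  Nothing here talks to a phone.
Assumptions: NV item numbers and payload layouts are the caller's; the ones in
ITEMS_TO_WRITE are placeholders with constructed data; the SPC is constructed.
"""
import struct

DIAG_NV_READ_F = 0x26
DIAG_NV_WRITE_F = 0x27
DIAG_CONTROL_F = 0x29      # mode change request
DIAG_SPC_F = 0x41          # service programming code
MODE_OFFLINE_D_F = 1
MODE_RESET_F = 2
NV_ITEM_SIZE = 128         # fixed data field in NV read/write requests
HDLC_FLAG, HDLC_ESC = 0x7E, 0x7D


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25 (reflected 0x1021, init 0xFFFF, final XOR 0xFFFF) used by DIAG."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def hdlc_frame(payload: bytes) -> bytes:
    """Append little-endian CRC, byte-stuff 0x7E/0x7D, terminate with 0x7E."""
    out = bytearray()
    for b in payload + struct.pack("<H", crc16_x25(payload)):
        if b in (HDLC_FLAG, HDLC_ESC):
            out += bytes((HDLC_ESC, b ^ 0x20))
        else:
            out.append(b)
    out.append(HDLC_FLAG)
    return bytes(out)


def hdlc_unframe(frame: bytes) -> bytes:
    """Reverse of hdlc_frame; raises ValueError on a bad terminator or CRC."""
    if not frame.endswith(bytes([HDLC_FLAG])):
        raise ValueError("missing 0x7E terminator")
    raw, esc = bytearray(), False
    for b in frame[:-1]:
        if esc:
            raw.append(b ^ 0x20)
            esc = False
        elif b == HDLC_ESC:
            esc = True
        else:
            raw.append(b)
    if len(raw) < 2:
        raise ValueError("frame too short")
    payload, crc = bytes(raw[:-2]), struct.unpack("<H", raw[-2:])[0]
    if crc16_x25(payload) != crc:
        raise ValueError("bad CRC")
    return payload


def mode_change(mode: int) -> bytes:
    return hdlc_frame(struct.pack("<BH", DIAG_CONTROL_F, mode))


def send_spc(spc: str) -> bytes:
    if len(spc) != 6 or not spc.isdigit():
        raise ValueError("SPC is six ASCII digits")
    return hdlc_frame(bytes([DIAG_SPC_F]) + spc.encode("ascii"))


def nv_write(item: int, data: bytes) -> bytes:
    if len(data) > NV_ITEM_SIZE:
        raise ValueError("NV item data is at most 128 bytes")
    body = struct.pack("<BH", DIAG_NV_WRITE_F, item) + data.ljust(NV_ITEM_SIZE, b"\0")
    return hdlc_frame(body + struct.pack("<H", 0))      # trailing nv_stat field


def nv_read(item: int) -> bytes:
    body = struct.pack("<BH", DIAG_NV_READ_F, item) + bytes(NV_ITEM_SIZE)
    return hdlc_frame(body + struct.pack("<H", 0))


def parse_nv_response(payload: bytes) -> dict:
    """Decode an NV read/write response (same layout as the request); nv_stat 0 is success."""
    cmd, item = struct.unpack_from("<BH", payload, 0)
    data = payload[3:3 + NV_ITEM_SIZE]
    (status,) = struct.unpack_from("<H", payload, 3 + NV_ITEM_SIZE)
    return {"cmd": cmd, "item": item, "data": data, "status": status}


def mdn_min_sequence(spc: str, items: dict) -> list:
    """The frames, in order, for the procedure described in the thread."""
    frames = [mode_change(MODE_OFFLINE_D_F), send_spc(spc)]
    frames += [nv_write(item, data) for item, data in items.items()]
    frames.append(mode_change(MODE_RESET_F))
    return frames


# Placeholder NV numbers and constructed data: the real MDN/MIN items and their
# encodings must come from the device's NV item definitions.
ITEMS_TO_WRITE = {
    0x1001: b"\x00" + b"5551234567",   # assumed: NAM index + MDN digits
    0x1002: b"\x00\x00\x00\x00",       # assumed: MIN part 1
    0x1003: b"\x00\x00\x00\x00",       # assumed: MIN part 2
}

if __name__ == "__main__":
    for f in mdn_min_sequence("000000", ITEMS_TO_WRITE):
        print(f.hex())
```

The nv_stat field in the phone's reply to each NV write is the thing to look at in a capture: a non-zero status on the write (for example because the SPC was wrong or the item is inaccessible in the current mode) explains a number that "comes back" only after a reset, and a parse that fails the CRC check points at a framing problem in the tool rather than at the ROM.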

Taking Security To The Next Level...

I'm new here but seeking advice from whoever can help.
I'm very interested in setting up the most secure Nexus 5 possible,
since CopperheadOS stopped supporting the Nexus 5.
I've done most of the instructions found here: torproject website blog mission-impossible-hardening-android-security-and-privacy
It comes to a point where you dd your modem img to blank, but I see it's still repairable, or the chip still has access to all components for radio transmission.
I've been searching everywhere but can't find anything about this. I wanted to remove the Qualcomm WTR1605L chip and the boot process pointing to it,
so there is physically only a Wi-Fi connection.
Is this possible?
Will removing the chip cause errors or brick the phone?
Any professional help would be great!
Okay, still couldn't find info on this phone-to-tablet setup, so I will attempt the removal and see if any errors are fixable.
Will update this post with images and issues.

Lost/stolen phone suggestion

I've been wondering lately: is there any solution to make a lost/stolen phone really unusable, even after flashing etc.?
Yes, I know a couple of methods involving the Google dashboard or Google email verification, but as a flashing junkie, I look at those methods as easily crackable.
I've been wondering too: is there any tech to make the phone unusable via IMEI blocking (user requested)? Unusable means the phone will no longer get SIM services even after switching to any SIM card - or better, if it still locks the phone and shows user-editable lockscreen info - both even after flashing/changing email (since the IMEI will still be intact even after flashing, unless you format the EFS, which will result in a blank IMEI = no SIM services).
Then the phone manufacturer supports it by making IMEI changes impossible (or hardly possible); it can do so via software or a dedicated IMEI chip in hardware.
The point I'm trying to make is that if there is tech like that, it will surely make a higher chance of someone returning an accidentally found phone and wishing for a reward afterward, rather than having the thought of flashing it and then re-using/selling it. The cost of making a locked lost/stolen phone usable again should be high enough that people won't bother to do it.
Well, I believe I'm not searching enough to find the answer, but I guess there isn't yet any technology to make a lost/stolen phone barely/fully unusable even after changes via software/hardware. It's been almost 10 years since Android came out.
I think we should push this to Google/phone manufacturers.
It's just my opinion; let me hear what your thoughts are.
And I'm wishing too that somebody gets inspired and takes action (since I'm just a lazy guy).
PS: sorry if there is a grammar mistake.
You can do nothing with the IMEI; there are many easy ways to change the IMEI number of an Android device ???
