Guest tilal6991 Posted September 4, 2011
I can pretty much confirm that the unlock mechanism for the OMC is in the OS itself. This is because, on CM7, although it says that the phone is locked, it lets me put in an unlimited number of unlock pins without validating any of them. This suggests that the code for verifying the unlock code is somewhere in the OS - if we find it we should be able to create an unlock code generator :)
Guest den169 Posted September 4, 2011
Quote (tilal6991): I can pretty much confirm that the unlock mechanism for the OMC is in the OS itself. This is because, on CM7, although it says that the phone is locked, it lets me put in an unlimited number of unlock pins without validating any of them. This suggests that the code for verifying the unlock code is somewhere in the OS - if we find it we should be able to create an unlock code generator :)
I tried a couple of unlock codes given to me by an unlocker guy, and it now says I have 8 attempts left.
Guest philmein Posted September 4, 2011
Quote (den169): I tried a couple of unlock codes given to me by an unlocker guy, and it now says I have 8 attempts left.
Did you try them with CM7 or another ROM?
Guest wardriver_ Posted September 4, 2011
Quote (tilal6991): I can pretty much confirm that the unlock mechanism for the OMC is in the OS itself. This is because, on CM7, although it says that the phone is locked, it lets me put in an unlimited number of unlock pins without validating any of them. This suggests that the code for verifying the unlock code is somewhere in the OS - if we find it we should be able to create an unlock code generator :)
Strace says something else...
[pid 130] 20:08:24.949471 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"UI --- RIL_REQUEST_OEM_HOOK_RAW (59) ---> RIL [token id 37, data len 28]\n\0", 74}], 3) = 81 [pid 130] 20:08:24.949956 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"zhaobin: qcril_request_oem_hook_raw: request: \0", 47}], 3) = 54 [pid 130] 20:08:24.950353 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[0]: 0x51 \0", 15}], 3) = 22 [pid 130] 20:08:24.950668 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[1]: 0x55 \0", 15}], 3) = 22 [pid 130] 20:08:24.950980 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[2]: 0x41 \0", 15}], 3) = 22 [pid 130] 20:08:24.951291 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[3]: 0x4c \0", 15}], 3) = 22 [pid 130] 20:08:24.951601 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[4]: 0x43 \0", 15}], 3) = 22 [pid 130] 20:08:24.951913 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[5]: 0x4f \0", 15}], 3) = 22 [pid 130] 20:08:24.957280 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[6]: 0x4d \0", 15}], 3) = 22 [pid 130] 20:08:24.957743 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[7]: 0x4d \0", 15}], 3) = 22 [pid 130] 20:08:24.958078 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[8]: 0x4 \0", 14}], 3) = 21 [pid 130] 20:08:24.958396 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[9]: 0x0 \0", 14}], 3) = 21 [pid 130] 20:08:24.958716 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[10]: 0x8 \0", 15}], 3) = 22 [pid 130] 20:08:24.959031 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[11]: 0x0 \0", 15}], 3) = 22 [pid 130] 20:08:24.959348 
writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[12]: 0xb \0", 15}], 3) = 22 [pid 130] 20:08:24.959668 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[13]: 0x0 \0", 15}], 3) = 22 [pid 130] 20:08:24.959981 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[14]: 0x0 \0", 15}], 3) = 22 [pid 130] 20:08:24.960295 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[15]: 0x0 \0", 15}], 3) = 22 [pid 130] 20:08:24.960610 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[16]: 0x1 \0", 15}], 3) = 22 [pid 130] 20:08:24.960921 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[17]: 0x0 \0", 15}], 3) = 22 [pid 130] 20:08:24.961233 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[18]: 0x0 \0", 15}], 3) = 22 [pid 130] 20:08:24.961546 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[19]: 0x0 \0", 15}], 3) = 22 [pid 130] 20:08:24.966611 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[20]: 0x20 \0", 16}], 3) = 23 [pid 130] 20:08:24.967085 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[21]: 0x20 \0", 16}], 3) = 23 [pid 130] 20:08:24.967503 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[22]: 0x20 \0", 16}], 3) = 23 [pid 130] 20:08:24.967835 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[23]: 0x20 \0", 16}], 3) = 23 [pid 130] 20:08:24.968153 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[24]: 0x20 \0", 16}], 3) = 23 [pid 130] 20:08:24.968470 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[25]: 0x20 \0", 16}], 3) = 23 [pid 130] 20:08:24.968785 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[26]: 0x20 \0", 16}], 3) = 23 [pid 130] 20:08:24.973730 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[27]: 0x0 \0", 15}], 3) = 22 [pid 130] 20:08:24.974711 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"qcril_process_async_request 0x80004\0", 36}], 3) = 43 [pid 130] 20:08:24.975128 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"qcril_mmgsdi_request_oem_hook_me_depersonalization \n\0", 53}], 3) = 60 [pid 130] 20:08:24.975566 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Not found ReqList entry : token id 37\n\0", 39}], 3) = 46 [pid 130] 20:08:24.975966 writev(6, [{"\4", 1}, 
{"QCRIL\0", 6}, {"Event RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292) pending receipt of <none>, token id 37 [0x2c6e8]\n\0", 112}], 3) = 119 [pid 130] 20:08:24.976510 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"ReqList entries : \n\0", 20}], 3) = 27 [pid 130] 20:08:24.976843 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {" RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292), token id 37\n\0", 74}], 3) = 81 [pid 130] 20:08:24.977295 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Perso category received is 1\n\0", 30}], 3) = 37 [pid 130] 20:08:24.977646 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"RIL=>AMSS [ label = \"gsdi_perso_deactivate_feature_indicator()\" ];\0", 67}], 3) = 74 [pid 130] 20:08:24.980086 write(22, "\0\0\0\237\0\0\0\0\0\0\0\0020\0\0\26\234\225\273M\0\0\0!\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\7\0\0\0\7 \0\0\2\306\350\0\0\0\f", 76) = 76 [pid 130] 20:08:24.981300 futex(0x40118294, 0x80 /* FUTEX_??? */, -42 <unfinished ...> [pid 146] 20:08:24.981673 <... select resumed> ) = 1 (in [22]) [pid 146] 20:08:24.981856 rt_sigprocmask(SIG_SETMASK, [HUP TRAP BUS KILL PIPE STKFLT TTIN SYS], NULL, 4) = -1 EINVAL (Invalid argument) [pid 146] 20:08:24.982190 read(22, "\0\0\0\237\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 17408) = 28 [pid 146] 20:08:24.982558 futex(0x40118294, 0x81 /* FUTEX_??? */, 2147483647) = 1 [pid 146] 20:08:24.982753 rt_sigprocmask(SIG_SETMASK, [], 0x2b1b096c, 4) = -1 EINVAL (Invalid argument) [pid 146] 20:08:24.982940 select(29, [18 22 23 24 25 26 27 28], NULL, NULL, NULL <unfinished ...> [pid 130] 20:08:24.983115 <... futex resumed> ) = 0 [pid 130] 20:08:24.983301 read(39, 0x39d28, 8196) = -1 EAGAIN (Resource temporarily unavailable) [pid 130] 20:08:24.983501 clock_gettime(CLOCK_MONOTONIC, {145, 939915003}) = 0 [pid 130] 20:08:24.984241 select(40, [3 9 12 39], NULL, NULL, {0, 175080} <unfinished ...> [pid 146] 20:08:25.008496 <... 
select resumed> ) = 1 (in [22]) [pid 146] 20:08:25.008710 rt_sigprocmask(SIG_SETMASK, [HUP TRAP BUS KILL PIPE STKFLT TTIN SYS], NULL, 4) = -1 EINVAL (Invalid argument) [pid 146] 20:08:25.008935 read(22, "\0\0\0\210\0\0\0\0\0\0\0\0021\0\0\26\361*\322q\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\f\0\0\0\1\0\0\0#\0\0\0\r\0\0\0\21\0\0\0008\0\0\0\0\1\362V\360\0\0\0%\0\2\306\350\0\0\0#\0\0\0\1\0\0\0\0\0\0\0\0", 17408) = 96 [pid 146] 20:08:25.009528 futex(0x4011824c, 0x81 /* FUTEX_??? */, 2147483647 <unfinished ...> [pid 168] 20:08:25.009686 <... futex resumed> ) = 0 [pid 168] 20:08:25.009805 futex(0x40118250, 0x80 /* FUTEX_??? */, 2 <unfinished ...> [pid 146] 20:08:25.009933 <... futex resumed> ) = 1 [pid 146] 20:08:25.010045 futex(0x40118250, 0x81 /* FUTEX_??? */, 1 <unfinished ...> [pid 168] 20:08:25.010175 <... futex resumed> ) = 0 [pid 168] 20:08:25.010286 futex(0x40118250, 0x81 /* FUTEX_??? */, 1) = 0 [pid 168] 20:08:25.010526 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"qcril_mmgsdi_gsdi_command_callback, cmd:17\n\0", 44}], 3) = 51 [pid 168] 20:08:25.010946 write(16, " ", 1) = 1 [pid 168] 20:08:25.011180 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Queued event MMGSDI_GSDI_COMMAND_CALLBACK (336 bytes)\n\0", 55}], 3) = 62 [pid 168] 20:08:25.011613 write(22, "\0\0\0\210\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 24) = 24 [pid 168] 20:08:25.011921 futex(0x4011824c, 0x80 /* FUTEX_??? */, -28 <unfinished ...> [pid 146] 20:08:25.012093 <... futex resumed> ) = 1 [pid 146] 20:08:25.012226 rt_sigprocmask(SIG_SETMASK, [], 0x2b1b096c, 4) = -1 EINVAL (Invalid argument) [pid 146] 20:08:25.012415 select(29, [18 22 23 24 25 26 27 28], NULL, NULL, NULL <unfinished ...> [pid 142] 20:08:25.012586 <... 
select resumed> ) = 1 (in [14]) [pid 142] 20:08:25.012738 read(14, " ", 16) = 1 [pid 142] 20:08:25.012946 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"qcril_event_main(): 1 items on queue\n\0", 38}], 3) = 45 [pid 142] 20:08:25.013320 read(14, 0x2adb4ecc, 16) = -1 EAGAIN (Resource temporarily unavailable) [pid 142] 20:08:25.013533 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"De-queued event MMGSDI_GSDI_COMMAND_CALLBACK (196613)\n\0", 55}], 3) = 62 [pid 142] 20:08:25.014291 write(35, "qcril", 5) = 5 [pid 142] 20:08:25.014966 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"RIL <--- MMGSDI_GSDI_COMMAND_CALLBACK (196613) --- AMSS\n\0", 57}], 3) = 64 [pid 142] 20:08:25.015535 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"qcril_mmgsdi_process_gsdi_command_callback: QCRIL_EVT_MMGSDI_GSDI_COMMAND_CALLBACK\n\0", 84}], 3) = 91 [pid 142] 20:08:25.016020 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"GSDI_PERSO_DEACT_IND_RSP\n\0", 26}], 3) = 33 [pid 142] 20:08:25.016371 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"qcril_mmgsdi_sec_process_perso_deact_cnf: status = 0x25, perso_feature = 0x0 \n\0", 79}], 3) = 86 [pid 142] 20:08:25.016841 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"GSDI_CODE_BLOCKED/PERSO_CK_BLOCKED 0x25 -> MMGSDI_CODE_BLOCKED\n\0", 64}], 3) = 71 [pid 142] 20:08:25.017290 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Found ReqList entry : RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292), token id 37\n\0", 92}], 3) = 99 [pid 142] 20:08:25.017801 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Found ReqList entry : RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292), token id 37\n\0", 92}], 3) = 99 [pid 142] 20:08:25.018303 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Deleted ReqList entry : token id 37 [0x2c6e8]\n\0", 47}], 3) = 54 [pid 142] 20:08:25.018691 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"ReqList entries : Empty\n\0", 25}], 3) = 32 [pid 142] 20:08:25.019051 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"UI <--- RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292) Complete --- RIL [Token 37, Password 
Incorrect]\n\0", 113}], 3) = 120 [pid 142] 20:08:25.019601 writev(6, [{"\3", 1}, {"RILSWITCH\0", 10}, {"RILD <-- RIL (token 0x2c6e8)\0", 29}], 3) = 40 [pid 142] 20:08:25.019958 writev(6, [{"\3", 1}, {"RILSWITCH\0", 10}, {"atdToken : 0x2c6e8, bEMCRedirected 0 \0", 38}], 3) = 49 [pid 142] 20:08:25.020348 write(39, "\0\0\0\24", 4) = 4
Bytes 0 to 19 always seem static. Bytes 20 to 26 are the unlock code (in this case imaginary). The byte range is dynamic, because you can type in a password longer than 7 digits. The last byte is always a zero byte. So far ...
Guest apmel Posted September 4, 2011
Quote (philmein): Did you try them with CM7 or another ROM?
I have an OMC. How can I help to find the way to unlock it?
Guest apmel Posted September 4, 2011
As I understand:
Quote (strace above): [pid 146] 20:08:24.982190 read(22, "\0\0\0\237\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 17408) = 28
http://fuse4bsd.creo.hu/localcgi/man-cgi.cgi?read+2
Reading the code introduced by keyboard (28 bytes, if the read is correct)... it seems that it applies a mask (237 = 11101101) to the 4th byte and 00000001 to the 8th byte. It read 28 bytes.
Quote (strace above): [pid 146] 20:08:24.981856 rt_sigprocmask(SIG_SETMASK, [HUP TRAP BUS KILL PIPE STKFLT TTIN SYS], NULL, 4) = -1 EINVAL (Invalid argument)
SIG_SETMASK seems to be a mask (constant or a function) to apply to the code to find out if it's correct or not. I don't understand the documentation very well:
Quote (man page): rt_sigprocmask changes the list of currently blocked signals. The set value stores the signal mask of the pending signals. The previous action on the signal is saved in oact. The value of how indicates how the call should behave; its values are as follows:
SIG_BLOCK The set of blocked signals is the union of the current set and the set argument.
SIG_UNBLOCK The signals in set are removed from the current set of blocked signals. It is okay to unblock a signal that is not blocked.
SIG_SETMASK The set of blocked signals is set to the set argument.
sigsetsize should indicate the size of a sigset_t type.
http://openalfa.com/cgi-bin/man.cgi?section=2&topic=rt_sigprocmask
Quote (strace above): [pid 146] 20:08:25.009528 futex(0x4011824c, 0x81 /* FUTEX_??? */, 2147483647 <unfinished ...> [pid 168] 20:08:25.009686 <... futex resumed> ) = 0 [pid 168] 20:08:25.009805 futex(0x40118250, 0x80 /* FUTEX_??? */, 2 <unfinished ...> [pid 146] 20:08:25.009933 <... futex resumed> ) = 1 [pid 146] 20:08:25.010045 futex(0x40118250, 0x81 /* FUTEX_??? */, 1 <unfinished ...> [pid 168] 20:08:25.010175 <... futex resumed> ) = 0 [pid 168] 20:08:25.010286 futex(0x40118250, 0x81 /* FUTEX_??? */, 1) = 0
Trying three times to prove the unlock code?
Sorry if I'm saying stupid things, I only want to help.
Guest tilal6991 Posted September 4, 2011
Quote (apmel, above): As I understand: [...] Trying three times to prove the unlock code? Sorry if I'm saying stupid things, I only want to help.
Keep researching - we seem to be going in the right direction :). I'm sorry I can't be of further use, but my device is in no state to try this out.
Guest wardriver_ Posted September 4, 2011 (edited)
I am no pro, but I think you are wrong. After entering the "unlock code" the function RIL_REQUEST_OEM_HOOK_RAW is invoked. It calls "qcril_request_oem_hook_raw" from libril-qc-1.so. If you read the following article, my conclusion is that the unlock code is verified in the GSM (mobile) part of the phone. If ZTE has done all right (blown qfuses, etc.), then it will be very difficult to debug the mobile part. I've tried to read the nvram (debug mode), but it seems there are some areas which aren't readable and writeable.
Edit: This one is a good paper about the boot process and the security aspects on the Qualcomm chipset.
Edited September 4, 2011 by wardriver_
Guest apmel Posted September 4, 2011
Quote (wardriver_, above): I am no pro, but I think you are wrong. After entering the "unlock code" the function RIL_REQUEST_OEM_HOOK_RAW is invoked. It calls "qcril_request_oem_hook_raw" from libril-qc-1.so. [...] This one is a good paper about the boot process and the security aspects on the Qualcomm chipset.
Why does the program read 22 bytes after that, then?
Guest wardriver_ Posted September 4, 2011
Quote (apmel): Why does the program read 22 bytes after that, then?
The question should be, what does it read? I have no idea.
Guest apmel Posted September 4, 2011 (edited)
But can we modify the code that we're seeing?
Quote (wardriver_): The question should be, what does it read? I have no idea.
OK, another idea: maybe it is the phone which gets the correct code, but maybe the code (the correct one) is saved in a buffer and rt_sigprocmask(SIG_SETMASK, [], 0x2b1b096c, 4) = -1 EINVAL (Invalid argument) is the instruction that checks if it is the correct code? Then we only have to see this position of memory (0x...) or the buffer? I mean the phone gets the correct code and the OS checks if the introduced code is the same.
Edited September 5, 2011 by apmel
Guest apmel Posted September 5, 2011
Can you tell me how to obtain this trace with the mobile?
Guest wardriver_ Posted September 6, 2011
Quote (apmel): Can you tell me how to obtain this trace with the mobile?
Sorry for the delay, but I have been sick since Sunday evening (fever).
1. Download strace
2. Upload strace to a writable mountpoint (e.g. /dev) --> adb push strace /dev
3. Log into shell --> adb shell
4. Change permission of strace --> chmod +x /dev/strace
5. Get the pid of rild --> ps | busybox grep rild
6. Start strace --> /dev/strace -ff -F -tt -s 200 -p PIDofRILD
Guest wardriver_ Posted September 6, 2011
Quote (apmel, above): But can we modify the code that we're seeing? OK, another idea: maybe it is the phone which gets the correct code, but maybe the code (the correct one) is saved in a buffer and rt_sigprocmask(SIG_SETMASK, [], 0x2b1b096c, 4) = -1 EINVAL (Invalid argument) is the instruction that checks if it is the correct code? Then we only have to see this position of memory (0x...) or the buffer? I mean the phone gets the correct code and the OS checks if the introduced code is the same.
What you see are system calls. It is no disassembling, it is a trace of a running program "through the operating system". The function sigprocmask is referring to signals in the Linux world (some kind of inter-process communication).
Guest whatcolour Posted September 7, 2011
Made a ROM off the Taiwan T3, but the lock remains.... see link below
Guest wardriver_ Posted September 8, 2011
Quote (whatcolour): Made a ROM off the Taiwan T3, but the lock remains.... see link below http://android.modac...ost__p__1797106
It would be nice to have some more information on this device. For example, one can gather some info from an nb0 file for the device. I think the unlock procedure is in the AMSS and the corresponding unlock code is somewhere in the nvram. But that is just a guess of mine...
Guest Chris_67 Posted September 16, 2011
Quote (tilal6991): I can pretty much confirm that the unlock mechanism for the OMC is in the OS itself. This is because, on CM7, although it says that the phone is locked, it lets me put in an unlimited number of unlock pins without validating any of them.
If this is true, a simple script that brute-forces the unlock should do the trick?!?