Jump to content

Unlock mechanism is in the OS


Guest tilal6991

Recommended Posts

Guest tilal6991

I can pretty much confirm that the unlock mechanism for the OMC is in the OS itself. This is because, On CM7, although it says that the phone is locked, it lets me put in unlimited number of unlock pins without validating any of them. This suggests that the code for verifying the unlock code is somewhere in the OS - if we find it we should be able to create an unlock code generator :)

Link to comment
Share on other sites

I can pretty much confirm that the unlock mechanism for the OMC is in the OS itself. This is because, On CM7, although it says that the phone is locked, it lets me put in unlimited number of unlock pins without validating any of them. This suggests that the code for verifying the unlock code is somewhere in the OS - if we find it we should be able to create an unlock code generator :)

I tried a couple of unlock codes given to me by an unlocker guy,And it now says i have 8 attemps left.

Link to comment
Share on other sites

Guest wardriver_

I can pretty much confirm that the unlock mechanism for the OMC is in the OS itself. This is because, On CM7, although it says that the phone is locked, it lets me put in unlimited number of unlock pins without validating any of them. This suggests that the code for verifying the unlock code is somewhere in the OS - if we find it we should be able to create an unlock code generator :)

Strace says something else...


[pid   130] 20:08:24.949471 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"UI --- RIL_REQUEST_OEM_HOOK_RAW (59) ---> RIL [token id 37, data len 28]\n\0", 74}], 3) = 81

[pid   130] 20:08:24.949956 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"zhaobin: qcril_request_oem_hook_raw: request: \0", 47}], 3) = 54

[pid   130] 20:08:24.950353 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[0]: 0x51 \0", 15}], 3) = 22

[pid   130] 20:08:24.950668 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[1]: 0x55 \0", 15}], 3) = 22

[pid   130] 20:08:24.950980 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[2]: 0x41 \0", 15}], 3) = 22

[pid   130] 20:08:24.951291 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[3]: 0x4c \0", 15}], 3) = 22

[pid   130] 20:08:24.951601 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[4]: 0x43 \0", 15}], 3) = 22

[pid   130] 20:08:24.951913 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[5]: 0x4f \0", 15}], 3) = 22

[pid   130] 20:08:24.957280 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[6]: 0x4d \0", 15}], 3) = 22

[pid   130] 20:08:24.957743 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[7]: 0x4d \0", 15}], 3) = 22

[pid   130] 20:08:24.958078 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[8]: 0x4 \0", 14}], 3) = 21

[pid   130] 20:08:24.958396 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[9]: 0x0 \0", 14}], 3) = 21

[pid   130] 20:08:24.958716 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[10]: 0x8 \0", 15}], 3) = 22

[pid   130] 20:08:24.959031 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[11]: 0x0 \0", 15}], 3) = 22

[pid   130] 20:08:24.959348 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[12]: 0xb \0", 15}], 3) = 22

[pid   130] 20:08:24.959668 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[13]: 0x0 \0", 15}], 3) = 22

[pid   130] 20:08:24.959981 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[14]: 0x0 \0", 15}], 3) = 22

[pid   130] 20:08:24.960295 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[15]: 0x0 \0", 15}], 3) = 22

[pid   130] 20:08:24.960610 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[16]: 0x1 \0", 15}], 3) = 22

[pid   130] 20:08:24.960921 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[17]: 0x0 \0", 15}], 3) = 22

[pid   130] 20:08:24.961233 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[18]: 0x0 \0", 15}], 3) = 22

[pid   130] 20:08:24.961546 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[19]: 0x0 \0", 15}], 3) = 22

[pid   130] 20:08:24.966611 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[20]: 0x20 \0", 16}], 3) = 23

[pid   130] 20:08:24.967085 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[21]: 0x20 \0", 16}], 3) = 23

[pid   130] 20:08:24.967503 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[22]: 0x20 \0", 16}], 3) = 23

[pid   130] 20:08:24.967835 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[23]: 0x20 \0", 16}], 3) = 23

[pid   130] 20:08:24.968153 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[24]: 0x20 \0", 16}], 3) = 23

[pid   130] 20:08:24.968470 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[25]: 0x20 \0", 16}], 3) = 23

[pid   130] 20:08:24.968785 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[26]: 0x20 \0", 16}], 3) = 23

[pid   130] 20:08:24.973730 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[27]: 0x0 \0", 15}], 3) = 22

[pid   130] 20:08:24.974711 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"qcril_process_async_request 0x80004\0", 36}], 3) = 43

[pid   130] 20:08:24.975128 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"qcril_mmgsdi_request_oem_hook_me_depersonalization \n\0", 53}], 3) = 60

[pid   130] 20:08:24.975566 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Not found ReqList entry : token id 37\n\0", 39}], 3) = 46

[pid   130] 20:08:24.975966 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Event RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292) pending receipt of <none>, token id 37 [0x2c6e8]\n\0", 112}], 3) = 119

[pid   130] 20:08:24.976510 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"ReqList entries : \n\0", 20}], 3) = 27

[pid   130] 20:08:24.976843 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"	RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292), token id 37\n\0", 74}], 3) = 81

[pid   130] 20:08:24.977295 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Perso category received is 1\n\0", 30}], 3) = 37

[pid   130] 20:08:24.977646 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"RIL=>AMSS [ label = \"gsdi_perso_deactivate_feature_indicator()\" ];\0", 67}], 3) = 74

[pid   130] 20:08:24.980086 write(22, "\0\0\0\237\0\0\0\0\0\0\0\0020\0\0\26\234\225\273M\0\0\0!\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\7\0\0\0\7   	\0\0\2\306\350\0\0\0\f", 76) = 76

[pid   130] 20:08:24.981300 futex(0x40118294, 0x80 /* FUTEX_??? */, -42 <unfinished ...>

[pid   146] 20:08:24.981673 <... select resumed> ) = 1 (in [22])

[pid   146] 20:08:24.981856 rt_sigprocmask(SIG_SETMASK, [HUP TRAP BUS KILL PIPE STKFLT TTIN SYS], NULL, 4) = -1 EINVAL (Invalid argument)

[pid   146] 20:08:24.982190 read(22, "\0\0\0\237\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 17408) = 28

[pid   146] 20:08:24.982558 futex(0x40118294, 0x81 /* FUTEX_??? */, 2147483647) = 1

[pid   146] 20:08:24.982753 rt_sigprocmask(SIG_SETMASK, [], 0x2b1b096c, 4) = -1 EINVAL (Invalid argument)

[pid   146] 20:08:24.982940 select(29, [18 22 23 24 25 26 27 28], NULL, NULL, NULL <unfinished ...>

[pid   130] 20:08:24.983115 <... futex resumed> ) = 0

[pid   130] 20:08:24.983301 read(39, 0x39d28, 8196) = -1 EAGAIN (Resource temporarily unavailable)

[pid   130] 20:08:24.983501 clock_gettime(CLOCK_MONOTONIC, {145, 939915003}) = 0

[pid   130] 20:08:24.984241 select(40, [3 9 12 39], NULL, NULL, {0, 175080} <unfinished ...>

[pid   146] 20:08:25.008496 <... select resumed> ) = 1 (in [22])

[pid   146] 20:08:25.008710 rt_sigprocmask(SIG_SETMASK, [HUP TRAP BUS KILL PIPE STKFLT TTIN SYS], NULL, 4) = -1 EINVAL (Invalid argument)

[pid   146] 20:08:25.008935 read(22, "\0\0\0\210\0\0\0\0\0\0\0\0021\0\0\26\361*\322q\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\f\0\0\0\1\0\0\0#\0\0\0\r\0\0\0\21\0\0\0008\0\0\0\0\1\362V\360\0\0\0%\0\2\306\350\0\0\0#\0\0\0\1\0\0\0\0\0\0\0\0", 17408) = 96

[pid   146] 20:08:25.009528 futex(0x4011824c, 0x81 /* FUTEX_??? */, 2147483647 <unfinished ...>

[pid   168] 20:08:25.009686 <... futex resumed> ) = 0

[pid   168] 20:08:25.009805 futex(0x40118250, 0x80 /* FUTEX_??? */, 2 <unfinished ...>

[pid   146] 20:08:25.009933 <... futex resumed> ) = 1

[pid   146] 20:08:25.010045 futex(0x40118250, 0x81 /* FUTEX_??? */, 1 <unfinished ...>

[pid   168] 20:08:25.010175 <... futex resumed> ) = 0

[pid   168] 20:08:25.010286 futex(0x40118250, 0x81 /* FUTEX_??? */, 1) = 0

[pid   168] 20:08:25.010526 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"qcril_mmgsdi_gsdi_command_callback, cmd:17\n\0", 44}], 3) = 51

[pid   168] 20:08:25.010946 write(16, " ", 1) = 1

[pid   168] 20:08:25.011180 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Queued event MMGSDI_GSDI_COMMAND_CALLBACK (336 bytes)\n\0", 55}], 3) = 62

[pid   168] 20:08:25.011613 write(22, "\0\0\0\210\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 24) = 24

[pid   168] 20:08:25.011921 futex(0x4011824c, 0x80 /* FUTEX_??? */, -28 <unfinished ...>

[pid   146] 20:08:25.012093 <... futex resumed> ) = 1

[pid   146] 20:08:25.012226 rt_sigprocmask(SIG_SETMASK, [], 0x2b1b096c, 4) = -1 EINVAL (Invalid argument)

[pid   146] 20:08:25.012415 select(29, [18 22 23 24 25 26 27 28], NULL, NULL, NULL <unfinished ...>

[pid   142] 20:08:25.012586 <... select resumed> ) = 1 (in [14])

[pid   142] 20:08:25.012738 read(14, " ", 16) = 1

[pid   142] 20:08:25.012946 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"qcril_event_main(): 1 items on queue\n\0", 38}], 3) = 45

[pid   142] 20:08:25.013320 read(14, 0x2adb4ecc, 16) = -1 EAGAIN (Resource temporarily unavailable)

[pid   142] 20:08:25.013533 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"De-queued event MMGSDI_GSDI_COMMAND_CALLBACK (196613)\n\0", 55}], 3) = 62

[pid   142] 20:08:25.014291 write(35, "qcril", 5) = 5

[pid   142] 20:08:25.014966 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"RIL <--- MMGSDI_GSDI_COMMAND_CALLBACK (196613) --- AMSS\n\0", 57}], 3) = 64

[pid   142] 20:08:25.015535 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"qcril_mmgsdi_process_gsdi_command_callback: QCRIL_EVT_MMGSDI_GSDI_COMMAND_CALLBACK\n\0", 84}], 3) = 91

[pid   142] 20:08:25.016020 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"GSDI_PERSO_DEACT_IND_RSP\n\0", 26}], 3) = 33

[pid   142] 20:08:25.016371 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"qcril_mmgsdi_sec_process_perso_deact_cnf: status = 0x25, perso_feature = 0x0 \n\0", 79}], 3) = 86

[pid   142] 20:08:25.016841 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"GSDI_CODE_BLOCKED/PERSO_CK_BLOCKED 0x25 -> MMGSDI_CODE_BLOCKED\n\0", 64}], 3) = 71

[pid   142] 20:08:25.017290 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Found ReqList entry : RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292), token id 37\n\0", 92}], 3) = 99

[pid   142] 20:08:25.017801 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Found ReqList entry : RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292), token id 37\n\0", 92}], 3) = 99

[pid   142] 20:08:25.018303 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Deleted ReqList entry : token id 37 [0x2c6e8]\n\0", 47}], 3) = 54

[pid   142] 20:08:25.018691 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"ReqList entries : Empty\n\0", 25}], 3) = 32

[pid   142] 20:08:25.019051 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"UI <--- RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292) Complete --- RIL [Token 37, Password Incorrect]\n\0", 113}], 3) = 120

[pid   142] 20:08:25.019601 writev(6, [{"\3", 1}, {"RILSWITCH\0", 10}, {"RILD <-- RIL (token 0x2c6e8)\0", 29}], 3) = 40

[pid   142] 20:08:25.019958 writev(6, [{"\3", 1}, {"RILSWITCH\0", 10}, {"atdToken : 0x2c6e8, bEMCRedirected 0 \0", 38}], 3) = 49

[pid   142] 20:08:25.020348 write(39, "\0\0\0\24", 4) = 4

Byte 0 to 19 always seems static.

Byte 20 to 26 is the unlock code (in this case imaginary).

The byte range is dynamic, because you can type in a password longer than 7 digits.

The last byte is always a zero byte.

So far ...

Link to comment
Share on other sites

As I understand

146] 20:08:24.982190 read(22, "\0\0\0\237\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 17408) = 28

http://fuse4bsd.creo.hu/localcgi/man-cgi.cgi?read+2

Reading the code intrudiced by keyboard (28 bytes if the read it's correct)... it seems that aply a mask (237 = 11101101) to the 4th byte) and 00000001 to the 8th byte. It read 28 bytes.

[pid 146] 20:08:24.981856 rt_sigprocmask(SIG_SETMASK, [HUP TRAP BUS KILL PIPE STKFLT TTIN SYS], NULL, 4) = -1 EINVAL (Invalid argument)

SIG_SETMASK it seems to be a mask (Constant or a function) to aply to the code to obtain if it's correct or not. I don't understand very well the documentation

rt_sigprocmask changes the list of currently blocked signals. The set value stores the signal mask of the pending signals. The previous ac- tion on the signal is saved in oact. The value of how indicates how the call should behave; its values are as follows: SIG_BLOCK The set of blocked signals is the union of the current set and the set argument. SIG_UNBLOCK The signals in set are removed from the current set of blocked signals. It is okay to unblock a signal that is not blocked. SIG_SETMASK The set of blocked signals is set to the set argument. sigset- size should indicate the size of a sigset_t type.

http://openalfa.com/cgi-bin/man.cgi?section=2&topic=rt_sigprocmask

[pid 146] 20:08:25.009528 futex(0x4011824c, 0x81 /* FUTEX_??? */, 2147483647 <unfinished ...>

[pid 168] 20:08:25.009686 <... futex resumed> ) = 0

[pid 168] 20:08:25.009805 futex(0x40118250, 0x80 /* FUTEX_??? */, 2 <unfinished ...>

[pid 146] 20:08:25.009933 <... futex resumed> ) = 1

[pid 146] 20:08:25.010045 futex(0x40118250, 0x81 /* FUTEX_??? */, 1 <unfinished ...>

[pid 168] 20:08:25.010175 <... futex resumed> ) = 0

[pid 168] 20:08:25.010286 futex(0x40118250, 0x81 /* FUTEX_??? */, 1) = 0

Trying three time to proove the unlock code?

Sorry if I'm saying stupid things, I only want to help

Link to comment
Share on other sites

Guest tilal6991

As I understand

146] 20:08:24.982190 read(22, "\0\0\0\237\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 17408) = 28

http://fuse4bsd.creo...-cgi.cgi?read+2

Reading the code intrudiced by keyboard (28 bytes if the read it's correct)... it seems that aply a mask (237 = 11101101) to the 4th byte) and 00000001 to the 8th byte. It read 28 bytes.

[pid 146] 20:08:24.981856 rt_sigprocmask(SIG_SETMASK, [HUP TRAP BUS KILL PIPE STKFLT TTIN SYS], NULL, 4) = -1 EINVAL (Invalid argument)

SIG_SETMASK it seems to be a mask (Constant or a function) to aply to the code to obtain if it's correct or not. I don't understand very well the documentation

rt_sigprocmask changes the list of currently blocked signals. The set value stores the signal mask of the pending signals. The previous ac- tion on the signal is saved in oact. The value of how indicates how the call should behave; its values are as follows: SIG_BLOCK The set of blocked signals is the union of the current set and the set argument. SIG_UNBLOCK The signals in set are removed from the current set of blocked signals. It is okay to unblock a signal that is not blocked. SIG_SETMASK The set of blocked signals is set to the set argument. sigset- size should indicate the size of a sigset_t type.

http://openalfa.com/...=rt_sigprocmask

[pid 146] 20:08:25.009528 futex(0x4011824c, 0x81 /* FUTEX_??? */, 2147483647 <unfinished ...>

[pid 168] 20:08:25.009686 <... futex resumed> ) = 0 [pid 168] 20:08:25.009805 futex(0x40118250, 0x80 /* FUTEX_??? */, 2 <unfinished ...> [pid 146] 20:08:25.009933 <... futex resumed> ) = 1 [pid 146] 20:08:25.010045 futex(0x40118250, 0x81 /* FUTEX_??? */, 1 <unfinished ...> [pid 168] 20:08:25.010175 <... futex resumed> ) = 0 [pid 168] 20:08:25.010286 futex(0x40118250, 0x81 /* FUTEX_??? */, 1) = 0

Trying three time to proove the unlock code?

Sorry if I'm saying stupid things, I only want to help

Keep reseasrching - we seem to be going in the right direction :). I'm sorry I can't be of further use but my device is in no state to try this out.

Link to comment
Share on other sites

Guest wardriver_

I am no pro, but I think you are wrong.

After entering the "unlock code" the function RIL_REQUEST_OEM_HOOK_RAW is invoked.

It calls "qcril_request_oem_hook_raw" from libril-qc-1.so.

If you read the following article, my conclusion is that the unlock code is verified in the gsm (mobile) part of the phone.

If ZTE has done all right (blown qfuses, etc.), then it will be very difficult to debug the mobile part.

I've tried to read the nvram (debug mode), but it seems there are some areas which aren't readable and writeable.

Edit: This one is a good paper about the boot process and the security aspects on the qualcomm chipset.

Edited by wardriver_
Link to comment
Share on other sites

Why the program read 22 bytes after then?

I am no pro, but I think you are wrong.

After entering the "unlock code" the function RIL_REQUEST_OEM_HOOK_RAW is invoked.

It calls "qcril_request_oem_hook_raw" from libril-qc-1.so.

If you read the following article, my conclusion is that the unlock code is verified in the gsm (mobile) part of the phone.

If ZTE has done all right (blown qfuses, etc.), then it will be very difficult to debug the mobile part.

I've tried to read the nvram (debug mode), but it seems there are some areas which aren't readable and writeable.

Edit: This one is a good paper about the boot process and the security aspects on the qualcomm chipset.

Link to comment
Share on other sites

But we can modify the code that we're seeing?

The question should be, what does it read?

I have no idea.

Ok other idea, maybe is the phone which get the correct code but maybe the code (the correct) is saved in buffer and

rt_sigprocmask(SIG_SETMASK, [], 0x2b1b096c, 4) = -1 EINVAL (Invalid argument)

this instruction check if is the correct code ?

Then we only have to see this position of memory (0x...) or the buffer?

I mean the phone get the correct code and the OS check if the introduced code it's the same

Edited by apmel
Link to comment
Share on other sites

Guest wardriver_

Can you say to me how to obtain this trace with the mobile?

Sorry for the delay, but I am sick since sunday evening (fever).

1. Download strace

2. Upload strace to a writable mountpoint (e.g. /dev) --> adb push strace /dev

3. Log into shell --> adb shell

4. Change permission of strace --> chmod +x /dev/strace

5. Get the pid rild --> ps | busybox grep rild

6. Start strace --> /dev/strace -ff -F -tt -s 200 -p PIDofRILD

Link to comment
Share on other sites

Guest wardriver_

But we can modify the code that we're seeing?

Ok other idea, maybe is the phone which get the correct code but maybe the code (the correct) is saved in buffer and

rt_sigprocmask(SIG_SETMASK, [], 0x2b1b096c, 4) = -1 EINVAL (Invalid argument)

this instruction check if is the correct code ?

Then we only have to see this position of memory (0x...) or the buffer?

I mean the phone get the correct code and the OS check if the introduced code it's the same

What you see are system calls.

It is no disassembling, it is a trace of a running program "through the operating system".

The function sigprocmask is refering to signals in the linux world (some kind of inter-process communication).

Link to comment
Share on other sites

Guest wardriver_

Made a rom off the Taiwan T3, but the lock remains.... see link below

http://android.modac...ost__p__1797106

It would be nice to have some more information on this device.

For example one can gathering some info from a nb0 file for the device.

I think the unlock procedure is in the amss and the coresponding unlock code is somwehre in the nvram.

But that is just a guess of mine...

Link to comment
Share on other sites

Guest Chris_67
I can pretty much confirm that the unlock mechanism for the OMC is in the OS itself. This is because, On CM7, although it says that the phone is locked, it lets me put in unlimited number of unlock pins without validating any of them.

If this is true, a simple script that brute-forces the unlock should do the trick?!?

Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.