Unlock mechanism is in the OS
Started by tilal6991, Sep 04 2011 08:17 AM
#1
Posted 04 September 2011 - 08:17 AM
I can pretty much confirm that the unlock mechanism for the OMC is in the OS itself. This is because, on CM7, although it says that the phone is locked, it lets me put in an unlimited number of unlock pins without validating any of them. This suggests that the code for verifying the unlock code is somewhere in the OS - if we find it we should be able to create an unlock code generator.
If you like my work or if I helped, click the Plus button.
#2
Posted 04 September 2011 - 11:05 AM
tilal6991, on 04 September 2011 - 08:17 AM, said:
I can pretty much confirm that the unlock mechanism for the OMC is in the OS itself. This is because, on CM7, although it says that the phone is locked, it lets me put in an unlimited number of unlock pins without validating any of them. This suggests that the code for verifying the unlock code is somewhere in the OS - if we find it we should be able to create an unlock code generator.
#3
Posted 04 September 2011 - 11:10 AM
#4
Posted 04 September 2011 - 11:22 AM
tilal6991, on 04 September 2011 - 08:17 AM, said:
I can pretty much confirm that the unlock mechanism for the OMC is in the OS itself. This is because, on CM7, although it says that the phone is locked, it lets me put in an unlimited number of unlock pins without validating any of them. This suggests that the code for verifying the unlock code is somewhere in the OS - if we find it we should be able to create an unlock code generator.
Strace says something else...
[pid 130] 20:08:24.949471 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"UI --- RIL_REQUEST_OEM_HOOK_RAW (59) ---> RIL [token id 37, data len 28]\n\0", 74}], 3) = 81
[pid 130] 20:08:24.949956 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"zhaobin: qcril_request_oem_hook_raw: request: \0", 47}], 3) = 54
[pid 130] 20:08:24.950353 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[0]: 0x51 \0", 15}], 3) = 22
[pid 130] 20:08:24.950668 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[1]: 0x55 \0", 15}], 3) = 22
[pid 130] 20:08:24.950980 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[2]: 0x41 \0", 15}], 3) = 22
[pid 130] 20:08:24.951291 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[3]: 0x4c \0", 15}], 3) = 22
[pid 130] 20:08:24.951601 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[4]: 0x43 \0", 15}], 3) = 22
[pid 130] 20:08:24.951913 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[5]: 0x4f \0", 15}], 3) = 22
[pid 130] 20:08:24.957280 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[6]: 0x4d \0", 15}], 3) = 22
[pid 130] 20:08:24.957743 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[7]: 0x4d \0", 15}], 3) = 22
[pid 130] 20:08:24.958078 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[8]: 0x4 \0", 14}], 3) = 21
[pid 130] 20:08:24.958396 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[9]: 0x0 \0", 14}], 3) = 21
[pid 130] 20:08:24.958716 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[10]: 0x8 \0", 15}], 3) = 22
[pid 130] 20:08:24.959031 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[11]: 0x0 \0", 15}], 3) = 22
[pid 130] 20:08:24.959348 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[12]: 0xb \0", 15}], 3) = 22
[pid 130] 20:08:24.959668 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[13]: 0x0 \0", 15}], 3) = 22
[pid 130] 20:08:24.959981 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[14]: 0x0 \0", 15}], 3) = 22
[pid 130] 20:08:24.960295 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[15]: 0x0 \0", 15}], 3) = 22
[pid 130] 20:08:24.960610 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[16]: 0x1 \0", 15}], 3) = 22
[pid 130] 20:08:24.960921 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[17]: 0x0 \0", 15}], 3) = 22
[pid 130] 20:08:24.961233 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[18]: 0x0 \0", 15}], 3) = 22
[pid 130] 20:08:24.961546 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[19]: 0x0 \0", 15}], 3) = 22
[pid 130] 20:08:24.966611 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[20]: 0x20 \0", 16}], 3) = 23
[pid 130] 20:08:24.967085 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[21]: 0x20 \0", 16}], 3) = 23
[pid 130] 20:08:24.967503 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[22]: 0x20 \0", 16}], 3) = 23
[pid 130] 20:08:24.967835 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[23]: 0x20 \0", 16}], 3) = 23
[pid 130] 20:08:24.968153 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[24]: 0x20 \0", 16}], 3) = 23
[pid 130] 20:08:24.968470 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[25]: 0x20 \0", 16}], 3) = 23
[pid 130] 20:08:24.968785 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[26]: 0x20 \0", 16}], 3) = 23
[pid 130] 20:08:24.973730 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Byte[27]: 0x0 \0", 15}], 3) = 22
[pid 130] 20:08:24.974711 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"qcril_process_async_request 0x80004\0", 36}], 3) = 43
[pid 130] 20:08:24.975128 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"qcril_mmgsdi_request_oem_hook_me_depersonalization \n\0", 53}], 3) = 60
[pid 130] 20:08:24.975566 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Not found ReqList entry : token id 37\n\0", 39}], 3) = 46
[pid 130] 20:08:24.975966 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Event RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292) pending receipt of <none>, token id 37 [0x2c6e8]\n\0", 112}], 3) = 119
[pid 130] 20:08:24.976510 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"ReqList entries : \n\0", 20}], 3) = 27
[pid 130] 20:08:24.976843 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {" RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292), token id 37\n\0", 74}], 3) = 81
[pid 130] 20:08:24.977295 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"Perso category received is 1\n\0", 30}], 3) = 37
[pid 130] 20:08:24.977646 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"RIL=>AMSS [ label = \"gsdi_perso_deactivate_feature_indicator()\" ];\0", 67}], 3) = 74
[pid 130] 20:08:24.980086 write(22, "\0\0\0\237\0\0\0\0\0\0\0\0020\0\0\26\234\225\273M\0\0\0!\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\1\0\0\0\7\0\0\0\7 \0\0\2\306\350\0\0\0\f", 76) = 76
[pid 130] 20:08:24.981300 futex(0x40118294, 0x80 /* FUTEX_??? */, -42 <unfinished ...>
[pid 146] 20:08:24.981673 <... select resumed> ) = 1 (in [22])
[pid 146] 20:08:24.981856 rt_sigprocmask(SIG_SETMASK, [HUP TRAP BUS KILL PIPE STKFLT TTIN SYS], NULL, 4) = -1 EINVAL (Invalid argument)
[pid 146] 20:08:24.982190 read(22, "\0\0\0\237\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 17408) = 28
[pid 146] 20:08:24.982558 futex(0x40118294, 0x81 /* FUTEX_??? */, 2147483647) = 1
[pid 146] 20:08:24.982753 rt_sigprocmask(SIG_SETMASK, [], 0x2b1b096c, 4) = -1 EINVAL (Invalid argument)
[pid 146] 20:08:24.982940 select(29, [18 22 23 24 25 26 27 28], NULL, NULL, NULL <unfinished ...>
[pid 130] 20:08:24.983115 <... futex resumed> ) = 0
[pid 130] 20:08:24.983301 read(39, 0x39d28, 8196) = -1 EAGAIN (Resource temporarily unavailable)
[pid 130] 20:08:24.983501 clock_gettime(CLOCK_MONOTONIC, {145, 939915003}) = 0
[pid 130] 20:08:24.984241 select(40, [3 9 12 39], NULL, NULL, {0, 175080} <unfinished ...>
[pid 146] 20:08:25.008496 <... select resumed> ) = 1 (in [22])
[pid 146] 20:08:25.008710 rt_sigprocmask(SIG_SETMASK, [HUP TRAP BUS KILL PIPE STKFLT TTIN SYS], NULL, 4) = -1 EINVAL (Invalid argument)
[pid 146] 20:08:25.008935 read(22, "\0\0\0\210\0\0\0\0\0\0\0\0021\0\0\26\361*\322q\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\f\0\0\0\1\0\0\0#\0\0\0\r\0\0\0\21\0\0\0008\0\0\0\0\1\362V\360\0\0\0%\0\2\306\350\0\0\0#\0\0\0\1\0\0\0\0\0\0\0\0", 17408) = 96
[pid 146] 20:08:25.009528 futex(0x4011824c, 0x81 /* FUTEX_??? */, 2147483647 <unfinished ...>
[pid 168] 20:08:25.009686 <... futex resumed> ) = 0
[pid 168] 20:08:25.009805 futex(0x40118250, 0x80 /* FUTEX_??? */, 2 <unfinished ...>
[pid 146] 20:08:25.009933 <... futex resumed> ) = 1
[pid 146] 20:08:25.010045 futex(0x40118250, 0x81 /* FUTEX_??? */, 1 <unfinished ...>
[pid 168] 20:08:25.010175 <... futex resumed> ) = 0
[pid 168] 20:08:25.010286 futex(0x40118250, 0x81 /* FUTEX_??? */, 1) = 0
[pid 168] 20:08:25.010526 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"qcril_mmgsdi_gsdi_command_callback, cmd:17\n\0", 44}], 3) = 51
[pid 168] 20:08:25.010946 write(16, " ", 1) = 1
[pid 168] 20:08:25.011180 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Queued event MMGSDI_GSDI_COMMAND_CALLBACK (336 bytes)\n\0", 55}], 3) = 62
[pid 168] 20:08:25.011613 write(22, "\0\0\0\210\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 24) = 24
[pid 168] 20:08:25.011921 futex(0x4011824c, 0x80 /* FUTEX_??? */, -28 <unfinished ...>
[pid 146] 20:08:25.012093 <... futex resumed> ) = 1
[pid 146] 20:08:25.012226 rt_sigprocmask(SIG_SETMASK, [], 0x2b1b096c, 4) = -1 EINVAL (Invalid argument)
[pid 146] 20:08:25.012415 select(29, [18 22 23 24 25 26 27 28], NULL, NULL, NULL <unfinished ...>
[pid 142] 20:08:25.012586 <... select resumed> ) = 1 (in [14])
[pid 142] 20:08:25.012738 read(14, " ", 16) = 1
[pid 142] 20:08:25.012946 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"qcril_event_main(): 1 items on queue\n\0", 38}], 3) = 45
[pid 142] 20:08:25.013320 read(14, 0x2adb4ecc, 16) = -1 EAGAIN (Resource temporarily unavailable)
[pid 142] 20:08:25.013533 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"De-queued event MMGSDI_GSDI_COMMAND_CALLBACK (196613)\n\0", 55}], 3) = 62
[pid 142] 20:08:25.014291 write(35, "qcril", 5) = 5
[pid 142] 20:08:25.014966 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"RIL <--- MMGSDI_GSDI_COMMAND_CALLBACK (196613) --- AMSS\n\0", 57}], 3) = 64
[pid 142] 20:08:25.015535 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"qcril_mmgsdi_process_gsdi_command_callback: QCRIL_EVT_MMGSDI_GSDI_COMMAND_CALLBACK\n\0", 84}], 3) = 91
[pid 142] 20:08:25.016020 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"GSDI_PERSO_DEACT_IND_RSP\n\0", 26}], 3) = 33
[pid 142] 20:08:25.016371 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"qcril_mmgsdi_sec_process_perso_deact_cnf: status = 0x25, perso_feature = 0x0 \n\0", 79}], 3) = 86
[pid 142] 20:08:25.016841 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"GSDI_CODE_BLOCKED/PERSO_CK_BLOCKED 0x25 -> MMGSDI_CODE_BLOCKED\n\0", 64}], 3) = 71
[pid 142] 20:08:25.017290 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Found ReqList entry : RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292), token id 37\n\0", 92}], 3) = 99
[pid 142] 20:08:25.017801 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Found ReqList entry : RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292), token id 37\n\0", 92}], 3) = 99
[pid 142] 20:08:25.018303 writev(6, [{"\4", 1}, {"QCRIL\0", 6}, {"Deleted ReqList entry : token id 37 [0x2c6e8]\n\0", 47}], 3) = 54
[pid 142] 20:08:25.018691 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"ReqList entries : Empty\n\0", 25}], 3) = 32
[pid 142] 20:08:25.019051 writev(6, [{"\6", 1}, {"QCRIL\0", 6}, {"UI <--- RIL_REQUEST_OEM_HOOK_RAW(ME_DEPERSONALIZATION) (524292) Complete --- RIL [Token 37, Password Incorrect]\n\0", 113}], 3) = 120
[pid 142] 20:08:25.019601 writev(6, [{"\3", 1}, {"RILSWITCH\0", 10}, {"RILD <-- RIL (token 0x2c6e8)\0", 29}], 3) = 40
[pid 142] 20:08:25.019958 writev(6, [{"\3", 1}, {"RILSWITCH\0", 10}, {"atdToken : 0x2c6e8, bEMCRedirected 0 \0", 38}], 3) = 49
[pid 142] 20:08:25.020348 write(39, "\0\0\0\24", 4) = 4
Bytes 0 to 19 always seem static.
Bytes 20 to 26 are the unlock code (in this case imaginary).
The byte range is dynamic, because you can type in a password longer than 7 digits.
The last byte is always a zero byte.
So far ...
#5
Posted 04 September 2011 - 11:22 AM
#6
Posted 04 September 2011 - 01:20 PM
As I understand
146] 20:08:24.982190 read(22, "\0\0\0\237\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 17408) = 28
http://fuse4bsd.creo...-cgi.cgi?read 2
Reading the code introduced by keyboard (28 bytes if the read is correct)... it seems that it applies a mask (237 = 11101101) to the 4th byte and 00000001 to the 8th byte. It read 28 bytes.
[pid 146] 20:08:24.981856 rt_sigprocmask(SIG_SETMASK, [HUP TRAP BUS KILL PIPE STKFLT TTIN SYS], NULL, 4) = -1 EINVAL (Invalid argument)
SIG_SETMASK seems to be a mask (a constant or a function) to apply to the code to determine whether it's correct or not. I don't understand the documentation very well:
rt_sigprocmask changes the list of currently blocked signals. The set value stores the signal mask of the pending signals. The previous action on the signal is saved in oact. The value of how indicates how the call should behave; its values are as follows:
SIG_BLOCK: The set of blocked signals is the union of the current set and the set argument.
SIG_UNBLOCK: The signals in set are removed from the current set of blocked signals. It is okay to unblock a signal that is not blocked.
SIG_SETMASK: The set of blocked signals is set to the set argument.
sigsetsize should indicate the size of a sigset_t type.
http://openalfa.com/...=rt_sigprocmask
[pid 146] 20:08:25.009528 futex(0x4011824c, 0x81 /* FUTEX_??? */, 2147483647 <unfinished ...>
[pid 168] 20:08:25.009686 <... futex resumed> ) = 0
[pid 168] 20:08:25.009805 futex(0x40118250, 0x80 /* FUTEX_??? */, 2 <unfinished ...>
[pid 146] 20:08:25.009933 <... futex resumed> ) = 1
[pid 146] 20:08:25.010045 futex(0x40118250, 0x81 /* FUTEX_??? */, 1 <unfinished ...>
[pid 168] 20:08:25.010175 <... futex resumed> ) = 0
[pid 168] 20:08:25.010286 futex(0x40118250, 0x81 /* FUTEX_??? */, 1) = 0
Trying three times to prove the unlock code?
Sorry if I'm saying stupid things, I only want to help.
#7
Posted 04 September 2011 - 01:50 PM
apmel, on 04 September 2011 - 01:20 PM, said:
As I understand
146] 20:08:24.982190 read(22, "\0\0\0\237\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 17408) = 28
http://fuse4bsd.creo...-cgi.cgi?read+2
Reading the code introduced by keyboard (28 bytes if the read is correct)... it seems that it applies a mask (237 = 11101101) to the 4th byte and 00000001 to the 8th byte. It read 28 bytes.
[pid 146] 20:08:24.981856 rt_sigprocmask(SIG_SETMASK, [HUP TRAP BUS KILL PIPE STKFLT TTIN SYS], NULL, 4) = -1 EINVAL (Invalid argument)
SIG_SETMASK seems to be a mask (a constant or a function) to apply to the code to determine whether it's correct or not. I don't understand the documentation very well:
rt_sigprocmask changes the list of currently blocked signals. The set value stores the signal mask of the pending signals. The previous action on the signal is saved in oact. The value of how indicates how the call should behave; its values are as follows:
SIG_BLOCK: The set of blocked signals is the union of the current set and the set argument.
SIG_UNBLOCK: The signals in set are removed from the current set of blocked signals. It is okay to unblock a signal that is not blocked.
SIG_SETMASK: The set of blocked signals is set to the set argument.
sigsetsize should indicate the size of a sigset_t type.
http://openalfa.com/...=rt_sigprocmask
[pid 146] 20:08:25.009528 futex(0x4011824c, 0x81 /* FUTEX_??? */, 2147483647 <unfinished ...>
[pid 168] 20:08:25.009686 <... futex resumed> ) = 0
[pid 168] 20:08:25.009805 futex(0x40118250, 0x80 /* FUTEX_??? */, 2 <unfinished ...>
[pid 146] 20:08:25.009933 <... futex resumed> ) = 1
[pid 146] 20:08:25.010045 futex(0x40118250, 0x81 /* FUTEX_??? */, 1 <unfinished ...>
[pid 168] 20:08:25.010175 <... futex resumed> ) = 0
[pid 168] 20:08:25.010286 futex(0x40118250, 0x81 /* FUTEX_??? */, 1) = 0
Trying three times to prove the unlock code?
Sorry if I'm saying stupid things, I only want to help.
Keep researching - we seem to be going in the right direction.
If you like my work or if I helped, click the Plus button.
#8
Posted 04 September 2011 - 01:58 PM
I am no pro, but I think you are wrong.
After entering the "unlock code" the function RIL_REQUEST_OEM_HOOK_RAW is invoked.
It calls "qcril_request_oem_hook_raw" from libril-qc-1.so.
If you read the following article, my conclusion is that the unlock code is verified in the gsm (mobile) part of the phone.
If ZTE has done all right (blown qfuses, etc.), then it will be very difficult to debug the mobile part.
I've tried to read the nvram (debug mode), but it seems there are some areas which aren't readable and writeable.
Edit: This one is a good paper about the boot process and the security aspects on the qualcomm chipset.
Edited by wardriver_, 04 September 2011 - 02:03 PM.
#9
Posted 04 September 2011 - 02:17 PM
Why does the program read 22 bytes after that, then?
wardriver_, on 04 September 2011 - 01:58 PM, said:
I am no pro, but I think you are wrong.
After entering the "unlock code" the function RIL_REQUEST_OEM_HOOK_RAW is invoked.
It calls "qcril_request_oem_hook_raw" from libril-qc-1.so.
If you read the following article, my conclusion is that the unlock code is verified in the gsm (mobile) part of the phone.
If ZTE has done all right (blown qfuses, etc.), then it will be very difficult to debug the mobile part.
I've tried to read the nvram (debug mode), but it seems there are some areas which aren't readable and writeable.
Edit: This one is a good paper about the boot process and the security aspects on the qualcomm chipset.
#10
Posted 04 September 2011 - 02:56 PM
#11
Posted 04 September 2011 - 03:36 PM
But can we modify the code that we're seeing?
OK, another idea: maybe it is the phone which gets the correct code, but maybe the code (the correct one) is saved in a buffer and
rt_sigprocmask(SIG_SETMASK, [], 0x2b1b096c, 4) = -1 EINVAL (Invalid argument)
this instruction checks if it is the correct code?
Then we only have to look at this position in memory (0x...) or the buffer?
I mean the phone gets the correct code and the OS checks if the entered code is the same.
wardriver_, on 04 September 2011 - 02:56 PM, said:
The question should be, what does it read?
I have no idea.
Edited by apmel, 05 September 2011 - 10:20 AM.
#12
Posted 05 September 2011 - 03:40 PM
Can you tell me how to obtain this trace on the mobile?
#13
Posted 06 September 2011 - 12:47 PM
apmel, on 05 September 2011 - 03:40 PM, said:
Can you say to me how to obtain this trace with the mobile?
Sorry for the delay, but I have been sick since Sunday evening (fever).
1. Download strace
2. Upload strace to a writable mountpoint (e.g. /dev) --> adb push strace /dev
3. Log into shell --> adb shell
4. Change permission of strace --> chmod +x /dev/strace
5. Get the pid of rild --> ps | busybox grep rild
6. Start strace --> /dev/strace -ff -F -tt -s 200 -p PIDofRILD
#14
Posted 06 September 2011 - 01:03 PM
apmel, on 04 September 2011 - 03:36 PM, said:
But can we modify the code that we're seeing?
OK, another idea: maybe it is the phone which gets the correct code, but maybe the code (the correct one) is saved in a buffer and
rt_sigprocmask(SIG_SETMASK, [], 0x2b1b096c, 4) = -1 EINVAL (Invalid argument)
this instruction checks if it is the correct code?
Then we only have to look at this position in memory (0x...) or the buffer?
I mean the phone gets the correct code and the OS checks if the entered code is the same.
What you see are system calls.
It is not a disassembly; it is a trace of a running program "through the operating system".
The function sigprocmask refers to signals in the Linux world (a kind of inter-process communication).
#15
Posted 07 September 2011 - 02:40 PM
Made a ROM off the Taiwan T3, but the lock remains... see link below.
http://android.modac...ost__p__1797106
#16
Posted 08 September 2011 - 02:22 PM
whatcolour, on 07 September 2011 - 02:40 PM, said:
Made a rom off the Taiwan T3, but the lock remains.... see link below
http://android.modac...ost__p__1797106
It would be nice to have some more information on this device.
For example, one can gather some info from an nb0 file for the device.
I think the unlock procedure is in the AMSS and the corresponding unlock code is somewhere in the NVRAM.
But that is just a guess of mine...
#17
Posted 16 September 2011 - 11:00 AM
tilal6991, on 04 September 2011 - 08:17 AM, said:
I can pretty much confirm that the unlock mechanism for the OMC is in the OS itself. This is because, on CM7, although it says that the phone is locked, it lets me put in an unlimited number of unlock pins without validating any of them.
If this is true, a simple script that brute-forces the unlock should do the trick?!?