Guest plink212 Posted February 2, 2003
Err... no. The bit I was on about is on the XDA manipulator page: it mentions the AT%UREG?3FE00C,4 command, and Ages said that he and Firass were looking at the logs of the phone using ATCMD in the bootloader. I was wondering how, as I cannot for the life of me find an AT command reference that even mentions AT&UREG, let alone anything else. Tim
Guest Firaas Posted February 2, 2003
You can access AT command logs by activating the Log flag in Bootloader > Global Flags. Access "DebugLog0.txt" in the root directory using ActiveSync.
Guest plink212 Posted February 2, 2003
Okay, I am assuming that ATCMD W> means write and ATCMD R> is read (i.e. the result of the command)? But what on earth is ICR? Tim
Guest aGeS Posted February 2, 2003
That we don't know, but we were hoping that you could tell us... ? :wink: I still think it's a good idea that some of us look at the dumps and others at the logging. Step 1 could be a program that sets the right flag with an AT cmd. I don't know if this is possible, and we need a programmer who could look into this. Neither Firaas nor I am a programmer... Step 2 could be figuring out where the SID lock is stored. This would be the best solution, as we then could just unlock the phones with the correct code. We need help on this one, and everybody should feel free to give this some thought.
Guest plink212 Posted February 2, 2003
ATCMD W>::ATWHAT IS THE QUICKEST WAY TO GET DIVORCED
ATCMD R>::ATSTARING AT THE LOGS ALL AFTERNOON
Arrgghhh, this is driving me insane. The only thing that I have gleaned all afternoon is that the unlock code in an XDA is 8180 bytes from the end of the radio ROM, assuming the radio ROM is exactly 4 MB :[
Guest aGeS Posted February 2, 2003
Well, what we seem to have found out is the function of these two important ATs:
AT+CPIN sets the SIM PIN
AT+CFUN sets the operator lock, i.e. AT+CFUN=1 means that the phone thinks that the operator lock is OK and that it shouldn't ask for the SID lock key. This also means that AT+CFUN=0 means that the phone switches on the SID lock.
If it was possible to make a program that sets AT+CFUN=1 after the AT+CPIN is OK, then the phone (in theory) should work as unlocked.
Note: None of this has been tested; it has just been deduced from the logs.
Guest pete1312 Posted February 2, 2003
Does this site need another "Index" (or whatever it may be called in technospeak), as all this thread is totally beyond me! By all means carry on guys & gals, but I'm personally looking for everyday type of info when I search the Main Forum!
Guest Firaas Posted February 2, 2003
Ah. The code should therefore be in the GSM bit, right? That can be backed up to SD...
Guest Firaas Posted February 2, 2003
I notice +CREG coming up after every +CFUN, don't know if that's relevant. Also, AT+CIMI seems to respond with a 15-digit number which is dependent on the SIM used. Any idea what this could be?
Guest Firaas Posted February 2, 2003
> i.e. AT+CFUN=1 means that the phone thinks that the operator lock is OK and that it shouldn't ask for the SID lock key.
Hm, this doesn't seem to be the case. If you flick through my logs, with the Orange SIM, CFUN:1 is received, followed by CFUN:0 a short while later. In the O2 log, CFUN:1 is received followed by CFUN:1 a short while later. However, in the T-Mobile log, CFUN:1 is received followed by CFUN:1, but on the second boot, CFUN:0 follows CFUN:1. There doesn't seem to be any link in writing to CFUN either. The below is the section of the log that is written when SIMLock.exe loads:
#383  02/01 20:00:55  ATCMD W>::AT^SATC=1,0901FF7F00000010;+CFUN=1
#384  02/01 20:00:55  ICR::=1087,0,1158,0,1158,0,1087,0
#385  02/01 20:00:59  ICR::=1122,0,1160,0,1160,0,1122,0
#386  02/01 20:00:59  ATCMD R>::0
#387  02/01 20:00:59  ICR::=1122,0,1160,0,1160,0,1122,0
#388  02/01 20:00:59  ATCMD W>::ATE0
#389  02/01 20:00:59  ICR::=1122,0,1160,0,1160,0,1122,0
#390  02/01 20:00:59  ICR::=1127,0,1162,0,1162,0,1127,0
#391  02/01 20:00:59  ATCMD R>::0
#392  02/01 20:00:59  ICR::=1127,0,1162,0,1162,0,1127,0
#393  02/01 20:00:59  ATCMD W>::AT+CPIN?
#394  02/01 20:00:59  ICR::=1127,0,1162,0,1162,0,1127,0
#395  02/01 20:00:59  ICR::=1136,0,1176,0,1176,0,1136,0
#396  02/01 20:00:59  ATCMD R>::+CPIN: READY 0
#397  02/01 20:00:59  ICR::=1136,0,1178,0,1178,0,1136,0
#398  02/01 20:01:00  ICR::=1136,0,1178,0,1178,0,1136,0
#399  02/01 20:01:00  ATCMD W>::AT+COPS=0
#400  02/01 20:01:00  ICR::=1136,0,1178,0,1178,0,1136,0
#401  02/01 20:01:14  ICR::=1146,0,1180,0,1180,0,1146,0
#402  02/01 20:01:14  ATCMD R>::0 +CREG: 2 +CREG: 1
#403  02/01 20:01:14  ICR::=1146,0,1200,0,1200,0,1146,0
#404  02/01 20:01:14  ICR::=1146,0,1200,0,1200,0,1146,0
#405  02/01 20:01:14  ATCMD W>::AT+CPIN?
#406  02/01 20:01:14  ICR::=1146,0,1200,0,1200,0,1146,0
#407  02/01 20:01:14  ICR::=1155,0,1214,0,1214,0,1155,0
#408  02/01 20:01:14  ATCMD R>::+CPIN: READY 0
#409  02/01 20:01:14  ICR::=1155,0,1216,0,1216,0,1155,0
#410  02/01 20:01:14  ICR::=1155,0,1216,0,1216,0,1155,0
#411  02/01 20:01:14  ATCMD W>::AT+CSQ
#412  02/01 20:01:14  ICR::=1155,0,1216,0,1216,0,1155,0
#413  02/01 20:01:15  ICR::=1162,0,1229,0,1229,0,1162,0
#414  02/01 20:01:15  ATCMD R>::+CSQ: 14,99 0
#415  02/01 20:01:15  ICR::=1162,0,1231,0,1231,0,1162,0
#416  02/01 20:01:15  ICR::=1162,0,1231,0,1231,0,1162,0
#417  02/01 20:01:15  ATCMD W>::AT+COPS=3,2;+COPS?
#418  02/01 20:01:15  ICR::=1162,0,1231,0,1231,0,1162,0
#419  02/01 20:01:15  ICR::=1181,0,1251,0,1251,0,1181,0
#420  02/01 20:01:15  ATCMD R>::+COPS: 0,2,"23430" 0
#421  02/01 20:01:15  ICR::=1181,0,1253,0,1253,0,1181,0
#422  02/01 20:01:15  ICR::=1181,0,1253,0,1253,0,1181,0
#423  02/01 20:01:15  ATCMD W>::AT+CIMI
#424  02/01 20:01:15  ICR::=1181,0,1253,0,1253,0,1181,0
#425  02/01 20:01:15  ICR::=1189,0,1270,0,1270,0,1189,0
#426  02/01 20:01:15  ATCMD R>::234306340077357 0
#427  02/01 20:01:15  ICR::=1189,0,1272,0,1272,0,1189,0
#428  02/01 20:01:15  ICR::=1189,0,1272,0,1272,0,1189,0
#429  02/01 20:01:15  ATCMD W>::AT$AD=102
#430  02/01 20:01:15  ICR::=1189,0,1272,0,1272,0,1189,0
#431  02/01 20:01:15  ICR::=1199,0,1274,0,1274,0,1199,0
#432  02/01 20:01:15  ATCMD R>::0
#433  02/01 20:01:15  ICR::=1199,0,1274,0,1274,0,1199,0
#434  02/01 20:01:15  ATCMD W>::AT+CRSM=192,28440,0,0,15
#435  02/01 20:01:15  ICR::=1199,0,1274,0,1274,0,1199,0
#436  02/01 20:01:17  ICR::=1224,0,1319,0,1319,0,1224,0
#437  02/01 20:01:17  ATCMD R>::+CRSM: 144,0,0000000A6F18040011FFFF01020000 0
#438  02/01 20:01:17  ICR::=1224,0,1321,0,1321,0,1224,0
#439  02/01 20:01:17  ICR::=1224,0,1321,0,1321,0,1224,0
#440  02/01 20:01:17  ATCMD W>::AT+CIMI
#441  02/01 20:01:17  ICR::=1224,0,1321,0,1321,0,1224,0
#442  02/01 20:01:17  ICR::=1232,0,1338,0,1338,0,1232,0
#443  02/01 20:01:17  ATCMD R>::234306340077357 0
#444  02/01 20:01:17  ICR::=1232,0,1340,0,1340,0,1232,0
#445  02/01 20:01:17  ICR::=1232,0,1340,0,1340,0,1232,0
#446  02/01 20:01:17  ATCMD W>::AT+CRSM=192,28433,0,0,15
#447  02/01 20:01:17  ICR::=1232,0,1340,0,1340,0,1232,0
#448  02/01 20:01:18  ICR::=1257,0,1385,0,1385,0,1257,0
#449  02/01 20:01:18  ATCMD R>::+CRSM: 144,0,000000016F11040011FFFF01020000 0
#450  02/01 20:01:18  ICR::=1257,0,1387,0,1387,0,1257,0
#451  02/01 20:01:18  ICR::=1257,0,1387,0,1387,0,1257,0
#452  02/01 20:01:18  ATCMD W>::AT+CRSM=176,28440,0,0,10
#453  02/01 20:01:18  ICR::=1257,0,1387,0,1387,0,1257,0
#454  02/01 20:01:19  ICR::=1282,0,1422,0,1422,0,1282,0
#455  02/01 20:01:19  ATCMD R>::+CRSM: 144,0,6F6E65326F6E65202020 0
#456  02/01 20:01:19  ICR::=1282,0,1424,0,1424,0,1282,0
#457  02/01 20:01:19  ICR::=1282,0,1424,0,1424,0,1282,0
#458  02/01 20:01:19  ATCMD W>::AT+CFUN=0
#459  02/01 20:01:19  ICR::=1282,0,1424,0,1424,0,1282,0
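The log above is easier to reason about once the ATCMD W>/R> lines are paired up and the replies decoded, so here is an added Python example. It is my own code, not something from this thread, from SIMLock.exe or from the phone's software. It parses the DebugLog0.txt line format, pairs each command with the reply that follows it, strips the numeric result code ("0" = OK) the modem appends, and decodes three replies: AT+CIMI (the 15-digit number is the IMSI, whose first three digits are the mobile country code), AT+COPS? (numeric PLMN of the registered network) and AT+CRSM (SIM file access). The assumptions are that a +CRSM GET RESPONSE (command 192) carries the GSM 11.11 EF header (bytes 3-4 file size, 5-6 file ID, 7 file type, 14 structure) and that READ BINARY (176) returns the raw file bytes; ICR lines are parsed but deliberately left undecoded, since nobody in the thread knows what they are. The sample lines are copied from the T-Mobile log posted above.

```python
import re

# Constructed sample: lines copied from the DebugLog0.txt excerpt posted above
# (the mis-encoded separators replaced by plain spaces).
SAMPLE_LOG = """\
#393  02/01 20:00:59  ATCMD W>::AT+CPIN?
#394  02/01 20:00:59  ICR::=1127,0,1162,0,1162,0,1127,0
#396  02/01 20:00:59  ATCMD R>::+CPIN: READY 0
#417  02/01 20:01:15  ATCMD W>::AT+COPS=3,2;+COPS?
#420  02/01 20:01:15  ATCMD R>::+COPS: 0,2,"23430" 0
#423  02/01 20:01:15  ATCMD W>::AT+CIMI
#426  02/01 20:01:15  ATCMD R>::234306340077357 0
#434  02/01 20:01:15  ATCMD W>::AT+CRSM=192,28440,0,0,15
#437  02/01 20:01:17  ATCMD R>::+CRSM: 144,0,0000000A6F18040011FFFF01020000 0
#446  02/01 20:01:17  ATCMD W>::AT+CRSM=192,28433,0,0,15
#449  02/01 20:01:18  ATCMD R>::+CRSM: 144,0,000000016F11040011FFFF01020000 0
#452  02/01 20:01:18  ATCMD W>::AT+CRSM=176,28440,0,0,10
#455  02/01 20:01:19  ATCMD R>::+CRSM: 144,0,6F6E65326F6E65202020 0
"""

# One log line: "#seq  MM/DD HH:MM:SS  KIND::payload"; ICR lines use "ICR::=".
LINE_RE = re.compile(r"^#(\d+)\s+(\S+ \S+)\s+(ATCMD W>|ATCMD R>|ICR)::=?(.*)$")


def parse_log(text):
    """Split log text into (seq, timestamp, kind, payload) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seq, stamp, kind, payload = m.groups()
            entries.append((int(seq), stamp, kind, payload.strip()))
    return entries


def pair_commands(entries):
    """Pair each 'ATCMD W>' (command sent) with the next 'ATCMD R>' (reply).
    ICR lines are skipped: their meaning is unknown, so nothing is assumed."""
    pairs, pending = [], None
    for _seq, _stamp, kind, payload in entries:
        if kind == "ATCMD W>":
            pending = payload
        elif kind == "ATCMD R>" and pending is not None:
            pairs.append((pending, payload))
            pending = None
    return pairs


def strip_result_code(reply):
    """Split off the trailing numeric result code (0 = OK) the modem appends.
    Returns (body, code); code is None when the reply has none."""
    parts = reply.rsplit(" ", 1)
    if parts[-1].isdigit():
        return (parts[0] if len(parts) == 2 else ""), int(parts[-1])
    return reply, None


def decode_crsm(command, body):
    """Decode a +CRSM reply given the 'AT+CRSM=...' command that produced it.
    Assumption: 192 (GET RESPONSE) returns the GSM 11.11 EF header and
    176 (READ BINARY) returns the raw file bytes."""
    cmd, file_id = [int(x) for x in command.split("=", 1)[1].split(",")[:2]]
    m = re.match(r"\+CRSM: (\d+),(\d+)(?:,([0-9A-Fa-f]*))?", body)
    if not m:
        return None
    sw1, sw2, data = int(m.group(1)), int(m.group(2)), (m.group(3) or "")
    # SW1/SW2 144,0 is 0x90 0x00: the SIM reports success.
    info = {"cmd": cmd, "file_id": f"{file_id:04X}", "ok": (sw1, sw2) == (0x90, 0x00)}
    if cmd == 192 and len(data) >= 28:
        info.update(size=int(data[4:8], 16), type=int(data[12:14], 16),
                    structure=int(data[26:28], 16))  # type 4 = EF, structure 0 = transparent
    elif cmd == 176:
        raw = bytes.fromhex(data)
        printable = all(32 <= b < 127 for b in raw)
        info["data"] = raw.decode("ascii") if printable else raw.hex()
    return info


def analyse(text):
    """Walk the command/reply pairs and collect what the phone learned from the SIM."""
    result = {"files": {}}
    for cmd, reply in pair_commands(parse_log(text)):
        body, _code = strip_result_code(reply)
        if cmd == "AT+CIMI" and body.isdigit():
            result["imsi"], result["mcc"] = body, body[:3]  # IMSI; MCC is the first 3 digits
        elif "+COPS?" in cmd:
            m = re.search(r'\+COPS: \d+,2,"(\d+)"', body)  # format 2 = numeric PLMN
            if m:
                result["plmn"] = m.group(1)
        elif cmd == "AT+CPIN?":
            result["cpin"] = body.replace("+CPIN: ", "")
        elif cmd.startswith("AT+CRSM="):
            info = decode_crsm(cmd, body)
            if info:
                result["files"][(info["cmd"], info["file_id"])] = info
    if "imsi" in result and "plmn" in result:
        # An IMSI that starts with the registered PLMN means the SIM is on its home network.
        result["home_network"] = result["imsi"].startswith(result["plmn"])
    return result


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

Run against the sample, the ten bytes read from file 6F18 decode to the text "one2one   " and the IMSI prefix matches the +COPS PLMN 23430, so what SIMLock.exe is doing in that stretch of the log is reading the operator's name off the SIM and checking which network the card belongs to; the 6F11 header read reports a one-byte transparent file.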
Guest Firaas Posted February 3, 2003
My serial cable arrived this morning. For anyone looking at buying one, I'd definitely recommend Moonlight-Tech. I ordered last Monday via airmail, cost hardly £10. Will play tonight...
Guest plink212 Posted February 3, 2003
If the code is in the GSM ROM, is there any chance that anyone who has their unlock code (Paul, hint hint) could dump their GSM ROM to the SD card and search it for the decimal unlock code and/or its hex equivalent using WinHex or equivalent? We could then use the offset and with luck............... Tim
Guest plink212 Posted February 4, 2003
Has anyone made any progress? Tim
Guest Paul [MVP] Posted February 4, 2003
The GSM dump doesn't seem to contain the lock code, as dumping it from an unlocked SPV to a locked one doesn't change the unlock code. I suspect it's in an area that can't be dumped this way! P
Guest plink212 Posted February 4, 2003
Bugger. WinHex has quite a cool search-for-text function which lets you search for a string of 8 numbers. I am working through my 17 MB terminal dump (using rbmc and capture text in HyperTerm). This is a rather ugly method; hopefully it will be in there.
Guest plink212 Posted February 4, 2003
Yeh, rbmc: you input rbmc [filename startaddress length] and it just dumps the ROM contents to the terminal. This would all be really easy if I just knew what offset to dump :[ On that note, does anyone know how to reset the unlock code counter? As I am having to wait 960 seconds to try the next code :[
Guest plink212 Posted February 4, 2003
Is it possible to lift simlock.exe off the smartphone or to debug it in situ?
Guest Arisme Posted February 4, 2003
Oh, and for those without serial cables, I've posted a little something on Smartphony to access the bootloader with the USB cradle - see http://9eek.org/forum/viewtopic.php?t=2035, translated here:
1) Check that your wceusbsh.inf file (in windows\inf) has the lines
MSFT = "Microsoft"
USB\Vid_045E&Pid_00CE.DeviceDesc = "Microsoft USB Sync"
or add them
2) Kill ActiveSync (process name is wcescomm.exe)
3) Put the SPV in 3-colors Canary mode, and put it on the cradle - it should be recognized
4) Download http://arisme.free.fr/SPV/USBTerm.zip and run USBTerm - type "quit" to quit (or find a terminal that could attach to the device driver called WCEUSBSH001)
Guest DJHope Posted February 5, 2003
Quality, ill try that when i get my cradle back ;) DJ Hope
Guest Paul [MVP] Posted February 5, 2003
Think there's something wrong with your shift key dude ;) P
Guest Hax Posted February 5, 2003
> Bugger. WinHex has quite a cool search-for-text function which lets you search for a string of 8 numbers. I am working through my 17 MB terminal dump (using rbmc and capture text in HyperTerm). This is a rather ugly method; hopefully it will be in there.
Do we even know if the "raw" unlock code is stored in the ROM? Surely it's just used as part of an algorithm in conjunction with another area of the ROM? Just a thought, Adam
Guest DJHope Posted February 5, 2003
From experience with the XDA, you can fish it out of the great ROM void somehow!