
Serial Cable Arrived


Guest PaulOBrien


Guest plink212

Err... no..

The bit I was on about is on the XDA Manipulator page: it mentions the AT%UREG?3FE00C,4 command, and Ages said that he and Firass were looking at the logs of the phone using ATCMD in the bootloader. I was wondering how, as I cannot for the life of me find an AT command reference that even mentions AT&UREG, let alone anything else.

Tim


That we don't know, but I was hoping that you could tell us... ? :wink:

I still think it's a good idea that some of us look at the dumps and others at the logging.

Step 1 could be a program that sets the right flag with an AT command. I don't know if this is possible, and we need a programmer who could look into this. Neither Firaas nor I am a programmer...

Step 2 could be if we could figure out where the SID lock is stored. This would be the best solution as we then just could unlock the phones with the correct code.

We need help on this one and everybody should feel free to give this some thought.


Guest plink212

ATCMD W>::ATWHAT IS THE QUICKEST WAY TO GET DIVORCED

ATCMD R>::ATSTARING AT THE LOGS ALL AFTERNOON

arrgghhh this is driving me insane.

The only thing that I have gleaned all afternoon is that the unlock code in an XDA is 8180 bytes from the end of the radio ROM, assuming the radio ROM is exactly 4 MB :[


Well, what we seem to have found out is the function of these two important ATs:

AT+CPIN sets the SIM PIN

AT+CFUN sets the operator lock

i.e. AT+CFUN=1 means that the phone thinks that the operator lock is OK and that it shouldn't ask for the SID lock key.

This also means that AT+CFUN=0 means that the phone switches on the SID lock.

If it was possible to make a program that sets AT+CFUN=1 after the AT+CPIN is OK, then the phone (in theory) should work as unlocked.

Note: None of this has been tested and has just been deduced from the logs.


Guest pete1312

Does this site need another "Index" (or whatever it may be called in technospeak), as this whole thread is totally beyond me!

By all means carry on guys & gals, but I'm personally looking for everyday type of info when I search the Main Forum!


I notice +CREG coming up after every +CFUN, don't know if that's relevant.

Also, AT+CIMI seems to respond with a 15-digit number which is dependent on the SIM used.

Any idea what this could be?


i.e. AT+CFUN=1 means that the phone thinks that the operator lock is OK and that it shouldn't ask for the SID lock key.

Hm, this doesn't seem to be the case.

If you flick through my logs, with the Orange SIM, CFUN:1 is received, followed by CFUN:0 a short while later.

In the O2 log, CFUN:1 is received followed by CFUN:1 a short while later.

However, in the T-Mobile log, CFUN:1 is received followed by CFUN:1, but on the second boot, CFUN:0 follows CFUN:1.

There doesn't seem to be any link in writing to CFUN either.

Below is the section of the log that is written when SIMLock.exe loads:

#383  02/01 20:00:55  ATCMD W>::AT^SATC=1,0901FF7F00000010;+CFUN=1

#384  02/01 20:00:55  ICR::=1087,0,1158,0,1158,0,1087,0

#385  02/01 20:00:59  ICR::=1122,0,1160,0,1160,0,1122,0

#386  02/01 20:00:59  ATCMD R>::0

#387  02/01 20:00:59  ICR::=1122,0,1160,0,1160,0,1122,0

#388  02/01 20:00:59  ATCMD W>::ATE0

#389  02/01 20:00:59  ICR::=1122,0,1160,0,1160,0,1122,0

#390  02/01 20:00:59  ICR::=1127,0,1162,0,1162,0,1127,0

#391  02/01 20:00:59  ATCMD R>::0

#392  02/01 20:00:59  ICR::=1127,0,1162,0,1162,0,1127,0

#393  02/01 20:00:59  ATCMD W>::AT+CPIN?

#394  02/01 20:00:59  ICR::=1127,0,1162,0,1162,0,1127,0

#395  02/01 20:00:59  ICR::=1136,0,1176,0,1176,0,1136,0

#396  02/01 20:00:59  ATCMD R>::+CPIN: READY

0

#397  02/01 20:00:59  ICR::=1136,0,1178,0,1178,0,1136,0

#398  02/01 20:01:00  ICR::=1136,0,1178,0,1178,0,1136,0

#399  02/01 20:01:00  ATCMD W>::AT+COPS=0

#400  02/01 20:01:00  ICR::=1136,0,1178,0,1178,0,1136,0

#401  02/01 20:01:14  ICR::=1146,0,1180,0,1180,0,1146,0

#402  02/01 20:01:14  ATCMD R>::0

+CREG: 2

+CREG: 1

#403  02/01 20:01:14  ICR::=1146,0,1200,0,1200,0,1146,0

#404  02/01 20:01:14  ICR::=1146,0,1200,0,1200,0,1146,0

#405  02/01 20:01:14  ATCMD W>::AT+CPIN?

#406  02/01 20:01:14  ICR::=1146,0,1200,0,1200,0,1146,0

#407  02/01 20:01:14  ICR::=1155,0,1214,0,1214,0,1155,0

#408  02/01 20:01:14  ATCMD R>::+CPIN: READY

0

#409  02/01 20:01:14  ICR::=1155,0,1216,0,1216,0,1155,0

#410  02/01 20:01:14  ICR::=1155,0,1216,0,1216,0,1155,0

#411  02/01 20:01:14  ATCMD W>::AT+CSQ

#412  02/01 20:01:14  ICR::=1155,0,1216,0,1216,0,1155,0

#413  02/01 20:01:15  ICR::=1162,0,1229,0,1229,0,1162,0

#414  02/01 20:01:15  ATCMD R>::+CSQ: 14,99

0

#415  02/01 20:01:15  ICR::=1162,0,1231,0,1231,0,1162,0

#416  02/01 20:01:15  ICR::=1162,0,1231,0,1231,0,1162,0

#417  02/01 20:01:15  ATCMD W>::AT+COPS=3,2;+COPS?

#418  02/01 20:01:15  ICR::=1162,0,1231,0,1231,0,1162,0

#419  02/01 20:01:15  ICR::=1181,0,1251,0,1251,0,1181,0

#420  02/01 20:01:15  ATCMD R>::+COPS: 0,2,"23430"

0

#421  02/01 20:01:15  ICR::=1181,0,1253,0,1253,0,1181,0

#422  02/01 20:01:15  ICR::=1181,0,1253,0,1253,0,1181,0

#423  02/01 20:01:15  ATCMD W>::AT+CIMI

#424  02/01 20:01:15  ICR::=1181,0,1253,0,1253,0,1181,0

#425  02/01 20:01:15  ICR::=1189,0,1270,0,1270,0,1189,0

#426  02/01 20:01:15  ATCMD R>::234306340077357

0

#427  02/01 20:01:15  ICR::=1189,0,1272,0,1272,0,1189,0

#428  02/01 20:01:15  ICR::=1189,0,1272,0,1272,0,1189,0

#429  02/01 20:01:15  ATCMD W>::AT$AD=102

#430  02/01 20:01:15  ICR::=1189,0,1272,0,1272,0,1189,0

#431  02/01 20:01:15  ICR::=1199,0,1274,0,1274,0,1199,0

#432  02/01 20:01:15  ATCMD R>::0

#433  02/01 20:01:15  ICR::=1199,0,1274,0,1274,0,1199,0

#434  02/01 20:01:15  ATCMD W>::AT+CRSM=192,28440,0,0,15

#435  02/01 20:01:15  ICR::=1199,0,1274,0,1274,0,1199,0

#436  02/01 20:01:17  ICR::=1224,0,1319,0,1319,0,1224,0

#437  02/01 20:01:17  ATCMD R>::+CRSM: 144,0,0000000A6F18040011FFFF01020000

0

#438  02/01 20:01:17  ICR::=1224,0,1321,0,1321,0,1224,0

#439  02/01 20:01:17  ICR::=1224,0,1321,0,1321,0,1224,0

#440  02/01 20:01:17  ATCMD W>::AT+CIMI

#441  02/01 20:01:17  ICR::=1224,0,1321,0,1321,0,1224,0

#442  02/01 20:01:17  ICR::=1232,0,1338,0,1338,0,1232,0

#443  02/01 20:01:17  ATCMD R>::234306340077357

0

#444  02/01 20:01:17  ICR::=1232,0,1340,0,1340,0,1232,0

#445  02/01 20:01:17  ICR::=1232,0,1340,0,1340,0,1232,0

#446  02/01 20:01:17  ATCMD W>::AT+CRSM=192,28433,0,0,15

#447  02/01 20:01:17  ICR::=1232,0,1340,0,1340,0,1232,0

#448  02/01 20:01:18  ICR::=1257,0,1385,0,1385,0,1257,0

#449  02/01 20:01:18  ATCMD R>::+CRSM: 144,0,000000016F11040011FFFF01020000

0

#450  02/01 20:01:18  ICR::=1257,0,1387,0,1387,0,1257,0

#451  02/01 20:01:18  ICR::=1257,0,1387,0,1387,0,1257,0

#452  02/01 20:01:18  ATCMD W>::AT+CRSM=176,28440,0,0,10

#453  02/01 20:01:18  ICR::=1257,0,1387,0,1387,0,1257,0

#454  02/01 20:01:19  ICR::=1282,0,1422,0,1422,0,1282,0

#455  02/01 20:01:19  ATCMD R>::+CRSM: 144,0,6F6E65326F6E65202020

0

#456  02/01 20:01:19  ICR::=1282,0,1424,0,1424,0,1282,0

#457  02/01 20:01:19  ICR::=1282,0,1424,0,1424,0,1282,0

#458  02/01 20:01:19  ATCMD W>::AT+CFUN=0

#459  02/01 20:01:19  ICR::=1282,0,1424,0,1424,0,1282,0

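As an added example (not code from the thread, and not SIMLock.exe's own logic), here is a small decoder for this kind of ATCMD trace. It covers the +CPIN/+CFUN sequence discussed a few posts up, the +CREG and +CIMI lines asked about above, and the +CRSM SIM reads at the end of the log. It assumes that the bare "0" lines are ATV0 numeric result codes (0 = OK, 4 = ERROR), a two-digit MNC when splitting the IMSI, and the GSM 11.11 layout for the +CRSM SELECT response; the vendor commands AT^SATC and AT$AD are left undecoded. The sample trace embedded in it is a subset of the lines quoted above.

```python
"""Decoder for the ATCMD trace in the post above (added example; not code from the
thread or from SIMLock.exe). Assumed, not stated in the thread: the bare '0' after a
response is the ATV0 numeric result code (0 = OK, 4 = ERROR); a two-digit MNC when
splitting the IMSI; +CRSM replies follow GSM 11.11. AT^SATC/AT$AD stay undecoded."""
import re

# Subset of the trace lines quoted in the post; the ICR sample line is skipped by the parser.
SAMPLE_TRACE = """\
#383  02/01 20:00:55  ATCMD W>::AT^SATC=1,0901FF7F00000010;+CFUN=1
#384  02/01 20:00:55  ICR::=1087,0,1158,0,1158,0,1087,0
#386  02/01 20:00:59  ATCMD R>::0
#393  02/01 20:00:59  ATCMD W>::AT+CPIN?
#396  02/01 20:00:59  ATCMD R>::+CPIN: READY
0
#399  02/01 20:01:00  ATCMD W>::AT+COPS=0
#402  02/01 20:01:14  ATCMD R>::0
+CREG: 2
+CREG: 1
#417  02/01 20:01:15  ATCMD W>::AT+COPS=3,2;+COPS?
#420  02/01 20:01:15  ATCMD R>::+COPS: 0,2,"23430"
0
#423  02/01 20:01:15  ATCMD W>::AT+CIMI
#426  02/01 20:01:15  ATCMD R>::234306340077357
0
#434  02/01 20:01:15  ATCMD W>::AT+CRSM=192,28440,0,0,15
#437  02/01 20:01:17  ATCMD R>::+CRSM: 144,0,0000000A6F18040011FFFF01020000
0
#452  02/01 20:01:18  ATCMD W>::AT+CRSM=176,28440,0,0,10
#455  02/01 20:01:19  ATCMD R>::+CRSM: 144,0,6F6E65326F6E65202020
0
#458  02/01 20:01:19  ATCMD W>::AT+CFUN=0
"""

ENTRY_RE = re.compile(r"^#\d+\s+\S+\s+\S+\s+(ATCMD [WR]>|ICR)::(.*)$")
CREG_STAT = {0: "not registered, not searching", 1: "registered, home network",
             2: "not registered, searching", 3: "registration denied", 5: "roaming"}
CRSM_CMD = {176: "READ BINARY", 178: "READ RECORD", 192: "SELECT", 242: "STATUS"}  # TS 27.007
ACCESS = {0: "ALW", 1: "CHV1", 2: "CHV2", 15: "NEV"}  # GSM 11.11 9.3; 4..14 are ADM levels

def parse_trace(text):
    """Group W>/R> lines into exchanges; unmarked lines continue the last response."""
    exchanges, current = [], None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        m = ENTRY_RE.match(line)
        if m is None:                      # result code or unsolicited +CREG
            if current is not None:
                current["resp"].append(line)
        elif m.group(1) == "ATCMD W>":
            current = {"cmd": m.group(2), "resp": []}
            exchanges.append(current)
        elif m.group(1) == "ATCMD R>" and current is not None:
            current["resp"].append(m.group(2))
    return exchanges

def decode_select(hexdata):
    """GSM 11.11 9.2.1: response to SELECT of an EF (size, id, type, access, structure)."""
    b = bytes.fromhex(hexdata)
    return {"file_size": int.from_bytes(b[2:4], "big"), "file_id": b[4:6].hex().upper(),
            "file_type": {1: "MF", 2: "DF", 4: "EF"}.get(b[6], "RFU"),
            "read_access": ACCESS.get(b[8] >> 4, "ADM"), "update_access": ACCESS.get(b[8] & 0xF, "ADM"),
            "structure": {0: "transparent", 1: "linear fixed", 3: "cyclic"}.get(b[13], "RFU")}

def decode_crsm(cmd, line):
    """Pair the +CRSM request on the W> line with its '+CRSM: sw1,sw2[,data]' reply."""
    args = [int(x) for x in cmd.split("=", 1)[1].split(",")]
    fields = line.split(":", 1)[1].strip().split(",")
    sw1, sw2 = int(fields[0]), int(fields[1])
    out = {"command": CRSM_CMD.get(args[0], str(args[0])), "file_id": f"{args[1]:04X}",
           "sw": f"{sw1:02X}{sw2:02X}", "ok": (sw1, sw2) == (0x90, 0)}
    if out["ok"] and args[0] == 192:
        out["select"] = decode_select(fields[2])
    elif out["ok"] and args[0] == 176:
        raw = bytes.fromhex(fields[2])
        out["data"], out["text"] = raw, (raw.decode("ascii") if all(0x20 <= c < 0x7F for c in raw) else None)
    return out

def decode_exchange(ex):
    cmd, out = ex["cmd"], {"cmd": ex["cmd"], "result": None, "info": {}, "unsolicited": []}
    for line in ex["resp"]:
        if line in ("0", "4"):
            out["result"] = "OK" if line == "0" else "ERROR"
        elif line.startswith("+CREG:"):
            out["unsolicited"].append(CREG_STAT.get(int(line.split(":")[1].split(",")[0]), line))
        elif line.startswith("+CPIN:"):
            out["info"]["pin"] = line.split(":", 1)[1].strip()
        elif line.startswith("+COPS:"):
            parts = [p.strip().strip('"') for p in line.split(":", 1)[1].split(",")]
            if len(parts) >= 3 and parts[1] == "2":          # <format>=2: numeric MCC+MNC
                out["info"]["mcc"], out["info"]["mnc"] = parts[2][:3], parts[2][3:]
        elif line.startswith("+CRSM:"):
            out["info"]["crsm"] = decode_crsm(cmd, line)
        elif cmd == "AT+CIMI" and line.isdigit() and len(line) == 15:
            out["info"]["imsi"] = {"mcc": line[:3], "mnc": line[3:5], "msin": line[5:]}
    return out

def decode_trace(text):
    return [decode_exchange(ex) for ex in parse_trace(text)]
```

Run against the quoted lines, `decode_trace(SAMPLE_TRACE)` shows: AT+CIMI returns the IMSI (3GPP TS 27.007), here MCC 234 / MNC 30, the same PLMN that +COPS reports in numeric form; the +CREG: 2 then +CREG: 1 that follow AT+COPS=0 are the registration status going from "searching" to "registered, home network"; the +CRSM pair selects file 6F18 (a 10-byte transparent EF readable under CHV1) and reads back the ASCII string "one2one   ". Note that TS 27.007 defines +CFUN as "set phone functionality" (0 = minimum, 1 = full); whether this firmware attaches any SIM-lock meaning to it is not something the trace by itself shows.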

My serial cable arrived this morning. For anyone looking at buying one, I'd definitely recommend Moonlight-Tech.

I ordered last Monday via airmail, cost hardly £10.

Will play tonight...


Guest plink212

If the code is in the GSM ROM, is there any chance that anyone who has their unlock code (Paul, hint hint) could dump their GSM ROM to the SD card and search it for the decimal unlock code and/or its hex equivalent using WinHex or equivalent? We could then use the offset and, with luck...............

Tim


Guest Paul [MVP]

The GSM dump doesn't seem to contain the lock code, as dumping it from an unlocked SPV to a locked one doesn't change the unlock code.

I suspect it's in an area that can't be dumped this way!

P


Guest plink212

Bugger,

WinHex has quite a cool search-for-text function which lets you search for a string of 8 numbers. I am working through my 17 MB terminal dump (using rbmc and capture text in HyperTerminal); this is a rather ugly method, hopefully it will be in there.

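As an added example of the search described in this post (not the thread's code, and not WinHex), the script below searches a raw dump for an 8-digit code not only as ASCII text, which is what a WinHex text search finds, but also as packed BCD, nibble-swapped BCD, UTF-16 and a 32-bit integer, and reports each hit both as an offset from the start and as a distance from the end of an assumed 4 MB radio ROM, to match the "8180 bytes from the end" observation earlier in the thread. The dump it runs on is constructed inline (an 0xFF fill with the code planted twice); the 4 MB size, the set of encodings tried and the planted offsets are assumptions of the example, not facts from the thread.

```python
"""Search a raw ROM dump for an 8-digit unlock code in several encodings (added
example; not code from the thread). Assumes the dump is a raw binary file and the
code is decimal digits; the thread's 'radio ROM is exactly 4 MB' is a parameter so
hits can be reported as a distance from the end as well as an offset from the start."""
import struct


def bcd(digits, swap=False):
    """Pack decimal digits two per byte; odd length is padded with an F nibble (GSM style)."""
    d = [int(c) for c in digits] + ([0xF] if len(digits) % 2 else [])
    pairs = zip(d[0::2], d[1::2])
    return bytes(((lo << 4) | hi) if swap else ((hi << 4) | lo) for hi, lo in pairs)


def encodings(code):
    """Candidate byte patterns a firmware might store a numeric code as."""
    enc = {
        "ascii": code.encode("ascii"),
        "utf16le": code.encode("utf-16-le"),     # Windows CE string tables
        "bcd": bcd(code),
        "bcd_swapped": bcd(code, swap=True),     # nibble-swapped, as in SIM EFs
    }
    n = int(code)
    if n < 1 << 32:                              # packed integer forms only fit below 2**32
        enc["u32le"] = struct.pack("<I", n)      # little endian (ARM default)
        enc["u32be"] = struct.pack(">I", n)
    return enc


def find_all(data, pattern):
    pos = data.find(pattern)
    while pos != -1:
        yield pos
        pos = data.find(pattern, pos + 1)


def search_dump(data, code, rom_size=4 * 1024 * 1024):
    """Return every hit with its encoding, offset from start, distance from rom_size and context."""
    hits = []
    for name, pat in encodings(code).items():
        for off in find_all(data, pat):
            hits.append({"encoding": name, "offset": off, "from_end": rom_size - off,
                         "context": data[max(0, off - 4): off + len(pat) + 4].hex()})
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_dump(size=64 * 1024, code="12345678"):
    """Constructed sample: erased-flash fill (0xFF) with the code planted twice."""
    buf = bytearray(b"\xff" * size)
    buf[0x100:0x100 + len(code)] = code.encode("ascii")       # plain text copy
    packed = bcd(code)
    buf[size - 8180:size - 8180 + len(packed)] = packed        # 8180 bytes from the end
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_dump()
    for h in search_dump(dump, "12345678", rom_size=len(dump)):
        print(f"{h['encoding']:12} @0x{h['offset']:06X}  {h['from_end']:>6} bytes from end  {h['context']}")
```

Against a real image use `search_dump(open(path, "rb").read(), code)`. If the dump is a HyperTerminal text capture rather than a raw file it must be converted to binary first; the rbmc output format is not shown in the thread, so no converter is included. A 4-byte integer pattern can also match by chance in a multi-megabyte image, so a single hit in one encoding is only a candidate until the same offset holds the right value in a second phone's dump.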

Guest plink212

Yeah, rbmc, you input

rbmc [filename startaddress length]

and it just dumps the ROM contents to the terminal.

This would all be really easy if I just knew what offset to dump :[

On that note, does anyone know how to reset the unlock code counter? As I am having to wait 960 seconds to try the next code :[


Oh, and for those without serial cables, I've posted a little something on Smartphony to access the bootloader with the USB cradle - see http://9eek.org/forum/viewtopic.php?t=2035, translated here:

1) Check that your wceusbsh.inf file (in windows\inf) has the lines

MSFT = "Microsoft"

USB\Vid_045E&Pid_00CE.DeviceDesc = "Microsoft USB Sync"

or add them.

2) Kill ActiveSync (the process name is wcescomm.exe).

3) Put the SPV in 3-colour Canary mode and put it on the cradle - it should be recognised.

4) Download http://arisme.free.fr/SPV/USBTerm.zip and run USBTerm - type "quit" to quit.

(Or find a terminal that can attach to the device driver called WCEUSBSH001.)


Bugger,

WinHex has quite a cool search-for-text function which lets you search for a string of 8 numbers. I am working through my 17 MB terminal dump (using rbmc and capture text in HyperTerminal); this is a rather ugly method, hopefully it will be in there.

Do we even know if the "raw" unlock code is stored in the ROM? Surely it's just used as part of an algorithm, in conjunction with another area of the ROM?

Just a thought,

Adam

