Problem by Getting CellID with xdaI using RILClass - Windows Mobile Development and Hacking General

Hello,
I am writing a program which is used to get the Cell ID from xdaI, but now I have a problem.
My code runs correctly with xdaIII, but not with xdaI.
I have read lots of articles online about getting the Cell ID, with no result.
I think the problem is the function RIL_DevSpecific() from RIL.
http://www.xs4all.nl/~itsme/projects/xda/ril.html
On xdaIII the parameter req = 26, but if I use that value for xdaI, then I get an error:
UNKNOWNERROR:0x80004001
So I tried the parameter's value from 0 to 40; I could get a response for the values
1 10 11 13 15 19 32 34 35 36
but none of them returns the Cell ID from xdaI.
So I ask for help:
Is it possible to get the Cell ID from xdaI by using RIL.lib?
Thanks

CellID on XDAI
Hi,
For previous XDAI-focused Cell ID discussions, try searching for "CREG".
In particular
(http://forum.xda-developers.com/viewtopic.php?t=11701)
Bryn

Thanks, Brynl.
I understood later that I should use an AT command to get the Cell ID on XDA I. And now my program works.

Related

Unlock HELP please!!!

Hi All
Sitting here with my 64MB XDA trying to unlock it.
Manipulator seems not to work. If I use it I get an error in all fields.
Going into bootloader and using Hyperterminal I can get communication OK .... see the following...
******************************************************
InitDebugSerial using SERIAL PORT 2
******************************************************
HTC Bootloader for [Wallaby] Version:5.15
Copyright (c) 1998-2001 High Tech Computer Corporation
Built at: Jun 6 2002 20:29:17
CPU speed = 206 MHz
DRAM speed = 103 MHz
Hardware platform = 2; (0VT, 1re-PV, 2V, 3anasonic LCD, 4:Reserved)
Get resp timeout err, status is 42
Receive Response error, cmd = 41, arg = FFC000
comd1 No Response
Block size = 512 BYTES
Total blocks in Card: 488320 = 244160k bytes
No legal identify flag in SD Card
Wait for turn on GSM...
GSM Turn on time = 1868 ms
FW 0:12:19>dualser
Wait for turn on GSM...
GSM already on -> RESET !!
GSM turn on successed!!
GSM RESET...
AT-Command Interpreter ready
Screen on XDA is sitting there with GSM turn ON success.
So dualser is sending the XDA into AT mode OK. However, if I type in the AT%UREG?3FE00C,4 command the XDA simply returns ERROR.
What am I doing wrong???
HELP!!!
Not sure what the problem is. Try running The Manipulator and see if it unlocks it.
Hi
I have tried the Manipulator several times.
The phone goes from Wallaby to GSM success OK.
The phone 'clicks' a couple of times.
The Manipulator screen shows:
Status : Reading data from phone
SID ERROR
GID ERROR
No IMEI
timer <non-zero>
and that's it - nothing more can be done.
I have tried the software on three different computers and the same result.
Running ROM 3.14.13 ENG
Radio 4.20
Protocol version 32S54
Phone is only a few weeks old and is the 64MB version.
Everything else works fine on it. IMEI number shows on device information. Radio turns on and asks for SIM unlock code OK.
Running Tom Tom Nav2, Fonix etc on it and all 100%.
If I use Hyperterminal then you get the results as above. If you type ? rather than dualser then the list of commands comes back as it should do.
Really weird.
Any thoughts as to what I can try next???
Rog
Just an afterthought...
Could it be to do with Radio 4.20???
Has anyone unlocked an XDA yet with this version of Radio??? Could they have altered the access to the SID in some way with this release??
Rog
Sorry to be a pain here but has anyone ANY ideas as to what to do from here???
(If I use an O2 card then the phone is fine so it's not a hardware fault).
Have none of you XDA-Developer guys a clue or advice on this??
Rog
4.20
http://xda-developers.com/phpBB/viewtopic.php?t=896
Re: 4.20
apart from the machine are there any programs specific to the xda?
_____________________________________________________________
Unlock your phone
Entertainers
watch footie for free
Cheap mp3s
Get back on ebay
Money reading emails
Male entertainers
Improve your golf score in 2 weeks
dagaul, your advertising links are not welcome as far as I am concerned. The admins of this board keep it ad free and you come along with a whole bunch of them in your signature. It doesn't affect me directly, but this board isn't here to carry your money-making advertisements; why don't you set up a website yourself for that purpose?
Rant over. :evil: :evil: :evil: :shock: :shock: :roll: :roll:

4.20 cracked

It took a small group effort, but we cracked it.
Problem 1: Bug in limitation to %UREG command
First of all, on 4.20 they check to see whether the %UREG request lies within certain bounds as follows:
AT%UREG?addr,len:
if (addr < 0x3ef000 || addr > 0x3ef007) return(0);
if ((addr+len) < 0x3ef000 || (addr+len) > 0x3ef007) return(0);
Now because addr and len are both 32 bits, we can make use of the wrap (negative in effect). After the test above the maximum length will be limited to 100 (0x64).
So for instance:
AT%UREG?3FE004,FFFFFFFF
will read 100 bytes from 0x3FE004, clearly outside the range UREG was meant to be restricted to.
Problem 2: Obfuscation too easy
When executing the command above: after 74 bytes of FF, the obfuscated result code is displayed. The information needed to get the unlock code is contained twice, in the format ABCDABCDEFGHEFGH if a different letter is assigned to each unique nibble. Nibbles are first swapped to make EHAFGBCD. Then bits 3 of nibbles H, F and B are rotated left, so that nibble H gets bit 3 from F and so forth. After this, the whole 4 byte value is rotated into the lower bit. The result is the 8 digit unlock code in BCD, which can be supplied to the unlock command:
Code:
AT%SIDLCK=0,<8-digit unlock code>
Commentary:
Nice try: took us 2 person-days, probably still less than it took to think up, define, approve and program. :twisted:
The new version of The Manipulator, online now, supports unlocking of Radio Stack 4.20.
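The bounds-check bug described above, modelled in C as an added example (not code from the post or from the radio firmware): the flawed check tests a 32-bit sum that can wrap, while the fixed version bounds the length against the space left in the window. The window constants are an assumption, taken as 0x3FE000..0x3FE007 so that the post's example address 0x3FE004 falls inside it (the post itself quotes the bounds as 0x3ef000..0x3ef007).

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed read window and post-check length clamp (0x64). */
#define UREG_LO     0x3FE000u
#define UREG_HI     0x3FE007u
#define UREG_MAXLEN 100u

/* Reconstruction of the flawed check: the end address is computed in
 * 32-bit arithmetic, so a huge len wraps back inside the window. */
bool ureg_check_flawed(uint32_t addr, uint32_t len)
{
    if (addr < UREG_LO || addr > UREG_HI)
        return false;
    uint32_t end = addr + len;          /* wraps modulo 2^32 */
    if (end < UREG_LO || end > UREG_HI)
        return false;
    return true;
}

/* Bytes the flawed path hands back: accepted requests are clamped to 100. */
uint32_t ureg_bytes_read_flawed(uint32_t addr, uint32_t len)
{
    if (!ureg_check_flawed(addr, len))
        return 0;
    return len > UREG_MAXLEN ? UREG_MAXLEN : len;
}

/* Overflow-safe version: compare len against the remaining window size
 * instead of testing a sum that can wrap. */
bool ureg_check_fixed(uint32_t addr, uint32_t len)
{
    if (addr < UREG_LO || addr > UREG_HI)
        return false;
    if (len == 0)
        return false;
    /* UREG_HI - addr + 1 cannot overflow because addr <= UREG_HI here */
    return len <= UREG_HI - addr + 1u;
}
```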
Yippee... the manipulator works for 4.20 !!!!!
Hi,
I must be a very lucky guy.
Just received my xda today (64mb ram, 4.20.00 radio version, 3.16.32 ENG rom, dated 2/13/03) and was fiddling with it about half an hour ago with the former xda manipulator program (ver 1.02), which recorded error messages and couldn't work. Then I looked on the net and found this posting just made (at 10.30 pm) and was the number 6 person to view the posting; downloaded the new manipulator and hey presto - the xda is unlocked !!!!
Only one thing though: I don't see the gid lock, the imei number and the call timer entries in this new program (ver 1.1) which were present in the ver 1.02 program. Not a problem for me though as long as I can use the phone on my Vodafone sim.
Anyway, thank you so much for the hard work in cracking the 4.20; really appreciate it. Well done and keep up the magnificent work.
Cheers
Yup - it works a treat - unlocked in 10 seconds.
WELL DONE guys - thanks so much for all your input here. I now have an XDA that is truly useful and versatile.
BRILLIANT!!
Rog
Just tried 1.1 on 6 phones, all with 4.20. Five of them unlocked no problem, but one of them, for some strange reason, didn't work: it read the sid code, but the one that it came back with was only 6 digits long, and when pressing "UNLOCK" nothing more happened. All the other codes were about 8 digits long. I tried entering the code manually, but it just came back saying it was incorrect!!!
Anyone come across this??
Many thanks in advance
Hmmm. It could be that the code (or the second half of it) starts with two zeroes, and now that you mention it: the manipulator doesn't display (or unlock with) leading zeroes.
Could you try that six digit code with two leading zeroes, and (if that doesn't work) insert the zeroes in the six digit number as follows XXXX00XX or as follows 0XXX0XXX. Tell me if that's it, please...
(Expect 1.11 of The Manipulator in the next day or two...)
IMEI Change
Great work guys, I'll be unlocking my xda as soon as I get the serial cable. It is a combined serial and USB cable, so if anyone has experience with this not working (ordered from Expansys) then let me know; otherwise I'll post here to let you know if it worked or not.
I would like to know if there are any plans to make a version of the communicator that will change the imei.
If not, will commands from hyperterminal work? (Sorry if this is not currently possible; I haven't been motivated to look it all up but will be if it is possible to change the IMEI through this.)
I know that the version of Hyperterminal that comes with 2k and XP is more limited than the one in 95 and 98, so would another terminal emulation program do the job better (Reflections 420 for example)?
Thanks again for the great work.
How do you find all this stuff out?? How do I learn?
Minesh
@Peter Poelman you're a blinking genius mate, it was the last method (0XXX0XXX)
So now I've done 11 phones (R4.20), and all 11 unlocked, pretty good success rate I reckon
Keep up the great work guys
Re: IMEI Change
MineshT said:
I would like to know if there are any plans to make a version of the communicator that ill change the imei.
Manipulator (I assume that's what you mean) does change the IMEI, but not on 4.20 phones, because we can't easily reach the memory range. In fact we have ways to do it, but we didn't yet feel like doing the necessary programming work before they lock us out completely.
If not will commands from hyperterminal work?
There's no easy (or medium-hard) way to change the IMEI on 4.20 phones.
How do you find all this stuff out?? How do I learn.?
In this specific case, we looked at the ARM machine-code in the 4.20 binary contained in S-record form in the RSU upgrade package, using IDA (a disassembler program). We then figured out the %UREG restriction was lacking. Looking at the obfuscated code we figured we could break it without looking at further code (and the phone binary code guru was unavailable for the day), so we cracked it by just staring at enough possibilities. (We could set and reset the lock using different codes with AT%SIDLCK).
Not sure hacking phones is a specific skill one can learn. Even though we're mostly still pretty young, most of us are very experienced software developers, senior security experts. Electronics, programming and reverse-engineering experience of 20-25 years in some cases. But there's pretty good texts out there that describe disassembling other people's code, understanding embedded hardware and other areas of expertise you'd need.
Reverse-engineering needs a lot of the same skills that 'forward-engineering' does. If you have the skills needed to build something, you can begin to take it apart.
Current issues with The Manipulator
The Manipulator currently does not unlock phones which were locked and then user-upgraded to 4.20. So unlock first and then upgrade. Also, please read hotentot's post and my reply above for a problem that appears when the code has zeroes in certain positions.
Both issues will be addressed in the next version, due in a few days, when I know there's no other things that need fixin'.

ACT! Link for Pocket PC international phone + problem

Hi,
I run the ACT! v.6 CRM database on my PC and the Link for Pocket PC on my XDAII and it runs great. Only problem is that on my XDA it inserts my country code (+61 for Australia) which makes all my contact phone numbers invalid.
+61 3396 9000 is invalid
+61 07 3396 9000 is invalid - have to drop the 0 from 07
+61 7 3396 9000 is valid.
Does anyone know how to disable the +61 / international prefix? Or even drop the 0 from the area code?
Much appreciated, I have spent hours searching and trying to resolve this frustrating issue!!
When you add a phone number to ACT! you have to select the style that you want the numbers displayed in.
Select the freestyle and you should be ok. You should only have to select the freestyle once and then you are ok from then on.
Did you solve your issue?
I am having the same issue with Act and the XDA II. Did you resolve yours and if so how?
TIA
Anthony

IMEI# for registering device

:? I tried to register my JAM on clubimate but the placeholder is for 15 digits (valid) but the IMEI I have on my device is 17 digits! Can anyone guide me what to do, as imate support :evil:
Use the first 15 digits. Don't worry about the last two.

IMEI sent incorrectly to network

The IMEI number shown on device does not match the IMEI sent to the GSM network?!
I have to register my HD2 with the local authorities in order to be able to use it in Turkey.
While in the process of doing so, I came across something peculiar:
The IMEI number I get with *#06# (which, also is the number written on the unit's box) differs from the IMEI sent to the GSM network by one digit.
IMEI on device and box: 35XX XXXX XXXX 051
IMEI as seen by the gsm operator: 35XX XXXX XXXX 050
Apart from being unable to decide which IMEI to register (I think I'll go with the one "visible" to GSM operators), this could be a serious bug.
Has anyone else experienced similar behaviour?
Regards,
Gwelwhir
Edit: ROM: 1.48.405.2 (71294) WWE -- I'll revert to the original NLD ROM and see if the issue is the same.
To try a different approach, I set up a Bluetooth partnership, and connected with PuTTY / Serial over BT to that port.
AT commands all returned "OK", but no information, including AT+CGSN. The IMEI was not displayed.
gwelwhir said:
To try a different approach, I set up a Bluetooth partnership, and connected with PuTTY / Serial over BT to that port.
AT commands all returned "OK", but no information, including AT+CGSN. The IMEI was not displayed.
try:
[email protected]?
(with the question mark)
But I think this isn't very interesting. You probably meant the IMEI on the box is 2 chars shorter than the one displayed by software (usually "01" is the extra 2 digits). That's perfectly normal.
cmonex said:
try:
[email protected]?
(with the question mark)
But I think this isn't very interesting. You probably meant the IMEI on the box is 2 chars shorter than the one displayed by software (usually "01" is the extra 2 digits). That's perfectly normal.
Thanks Cmonex, I will try "[email protected]?" as soon as I can.
Other than that, I did not mean the IMEI on the box is 2 chars shorter, I am already aware of that. To clarify:
IMEI @ box: 35XX XXXX XXXX 051
IMEI @ dev: 35XX XXXX XXXX 05101 (+2 digits np here)
IMEI @ gsm: 35XX XXXX XXXX 050
I'll post as soon as I test the "[email protected]?".
The situation is resolved:
As far as the GSM CDR is concerned, even if they receive the IMEI "wrong", they process only the first 14 digits of the IMEI; the 15th digit (and the 2 more after that where applicable) being inconsequential.
(So, I was able to register my device.)
As for the "[email protected]?" query, it does display the IMEI, thanks.
Gwelwhir
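Why the 15th digit is "inconsequential", and why a handset may show 17 digits while a registration form wants 15, as an added example (not code from any post): the 15th IMEI digit is a Luhn check digit computed from the first 14, so anything that keeps those 14 can regenerate it and drop whatever software-version digits the handset appends. The sample IMEI is a public example value, not a real device, and the 17-digit input is constructed.

```c
#include <string.h>

/* Luhn check digit over the first 14 IMEI digits (TAC + serial).
 * Returns 0..9, or -1 if the input does not start with 14 decimal digits. */
int imei_check_digit(const char *digits14)
{
    if (strlen(digits14) < 14)
        return -1;
    int sum = 0;
    for (int i = 0; i < 14; i++) {
        int d = digits14[i] - '0';
        if (d < 0 || d > 9)
            return -1;
        if (i % 2 == 1) {          /* every second digit, counting from the right */
            d *= 2;
            if (d > 9)
                d -= 9;            /* equivalent to summing the two digits of d */
        }
        sum += d;
    }
    return (10 - sum % 10) % 10;
}

/* 1 if a 15-digit IMEI carries the correct check digit, 0 otherwise. */
int imei_is_valid(const char *imei15)
{
    if (strlen(imei15) != 15)
        return 0;
    int cd = imei_check_digit(imei15);
    return cd >= 0 && imei15[14] - '0' == cd;
}

/* Normalise whatever a handset displays (15 digits, or 16/17 with software
 * version digits appended) to the canonical 15-digit IMEI: keep the first 14
 * digits and recompute the check digit. out must hold 16 bytes. */
int imei_canonical(const char *shown, char out[16])
{
    int cd = imei_check_digit(shown);
    if (cd < 0)
        return 0;
    memcpy(out, shown, 14);
    out[14] = (char)('0' + cd);
    out[15] = '\0';
    return 1;
}
```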
