Hi,
I am currently residing on the One S forums (don't have a One V), and have found (in conjunction with jh787) a working method of SIM unlocking the One S for free.
The method may also be applicable to the One V.
Part of the trick is obtaining an UN_Lock-code stored on the phone. On the One S this is found as follows:
1) You need root
2) You need Terminal Emulator (free from the market)
Open the Terminal Emulator app and type:
su [enter]
strings -n 8 /dev/block/mmcblk0p6 [enter] (or maybe mmcblk0p7 on the One V)
It will output several lines of data.
On the One S, towards the bottom are 2 lines. One contains your IMEI number, the other reads UN_Lock_code=063312345 (for example)
This is NOT the SIM unlock code - don't use it!
I believe that the One V uses a different partition structure, so the correct data may not be in the mmcblk0p6 block.
If anyone can tell me the correct block for the One V, I will test the hack on your device and, if possible, provide a free sim unlock hack for the One V.
For One S, what is this mmcblk0p6 referring to ?
Below is One V partition structure:
mmcblk0p17: misc
mmcblk0p21: recovery
mmcblk0p22: boot
mmcblk0p25: system
mmcblk0p28: cache
mmcblk0p26: userdata
mmcblk0p29: devlog
mmcblk0p31: pdata
mmcblk0p30: extra
mmcblk0p32: fat
mmcblk0p27: swap
ckpv5 said:
For One S, what is this mmcblk0p6 referring to ?
Good question - I have absolutely no idea!!
I found the IMEI number in block mmcblk0p7 but I didn't find the UN_Lock_code string. Maybe that's because mine is not SIM locked.
hlavicka82 said:
I found the IMEI number in block mmcblk0p7 but I didn't find the UN_Lock_code string. Maybe that's because mine is not SIM locked.
That may well be the case. Have added a note in the OP. Can other users try mmcblk0p7 and report..
Here is my TE output from that block which shows what you are looking for.
From other reports, I believe that the code may not exist in a factory-unlocked phone (only a carrier-locked one).
This method may help to search for the right string.
If the code is not under or above the IMEI code, it's supposed to have a date instead; that means that the unlock code is not in the device.
Any news? I really need it!
This is a good idea of a thread! I was about to pay for this; if someone can crack it I will donate him the payment I meant to pay for it.
I have a partially locked one v (it is locked on Orange carrier - but it is confirmed as working with a Cosmote AND Vodafone carrier). Is this method working? I want to know because I want to root the thing and if I don't find a good method to unlock it I may as well go with it to service center. It's only 1 day old. Cheers
Tested, it doesn't work. Here's why:
"sh: strings: not found".
Cheers!
This is on stock version. So I guess I need to push the 'strings' in /system/bin
1ceb0x said:
I have a partially locked one v (it is locked on Orange carrier - but it is confirmed as working with a Cosmote AND Vodafone carrier). Is this method working? I want to know because I want to root the thing and if I don't find a good method to unlock it I may as well go with it to service center. It's only 1 day old. Cheers
This method is not yet working on the One V. We still do not know where the UN_Lock_code resides (If it is there at all - it is not on the mmcblk0p6 block). If your phone works with 3 different sim cards, however, it is not SIM-locked!
1ceb0x said:
Tested, it doesn't work. Here's why:
"sh: strings: not found".
Cheers!
This is on stock version. So I guess I need to push the 'strings' in /system/bin
The strings command seems to work only if you have busybox installed. It will work on most custom ROMs but not on stock unless you have installed busybox manually.
I have busybox installed. I've pushed strings to /system/bin and now I'll run the command. I don't know if this works or not because no one with an unlocked sim has tried it and said it was good or not.
i found this
mmcblk0p7
ORANGB10
00000168
3518160590368500
QCT_UMTS_RADIO_VER=1
HSDPACat=10
HSUPACat=6
QCT_UMTS_RADIO_END=1
&<2jz12F
wi5zz/z 0^
09/46i_6
574908040
00000006
574908040
&<2jz12F
wi5zz/z 0^
09/46i_6
""##$%&(*+-0368;
!"#$%&(*,/26:>CG
&!&2&D&U&g&x&
7$H$Z$k$}$
&0&H&S&d&v&
!"#$%&(*,/26:>CG
,.037;AGNV`lz
[email protected]:/ #
Did anyone make some progress or find any other way for software-based unlocking?
I was wondering how these unlocking sites get their codes anyway. I am sure they don't have a deal with carriers or HTC of any sort, so there must be a way to find out the codes by ourselves... adb, or some tool perhaps, idk.
The reason I am posting this question is that I have no means to pay anything through the internet, due to not having a PayPal system where I live, and I don't have a credit card either.
Also I would like to bring some DEVELOPERS' attention to this.
If I find a way I am going to post it here for sure; if someone can help, please do PM me or answer in this thread.
Thanks.
Here is my output:
I've located the IMEI, but nothing seems like the "unlock".
[email protected]:/ # strings -n 8 /dev/block/mmcblk0p7
strings -n 8 /dev/block/mmcblk0p7
HTC__032
00000168
(IMEI removed)
QCT_UMTS_RADIO_VER=1
HSDPACat=10
HSUPACat=6
QCT_UMTS_RADIO_END=1
fnq!` Z!
[email protected]
[email protected]|]ze
574908040
00000001
574908040
fnq!` Z!
[email protected]
[email protected]|]ze
""##$%&(*+-0368;
!"#$%&(*,/26:>CG
&!&2&D&U&g&x&
7$H$Z$k$}$
&0&H&S&d&v&
!"#$%&(*,/26:>CG
,.037;AGNV`lz
found this on mmcblk0p18, but I don't know if it belongs to bootloader or simlock. (my phone has no simlock)
Code:
strings -n 8 /dev/block/mmcblk0p18 | grep -i unlock
unlocktoken
INFOunlock token check successfully
FAILunlock token check failed
*** UNLOCKED ***
[SIMLOCK_ERR] Unlock SIM card by smart card fail!!!
Unlock SIM card by smart card fail!!!
UnlockCode=[%s]
unlock memory
clearsimlocktype: UnlockSimLockbySmartCard failed
clearsimlocktype: UnlockSimLockbySmartCard success!!!
Device was already unlocked!
[RADIO_ERR] UnLockcode length %d error!
[RADIO_ERR] Unlock SimLock by SmartCard NG
setunlock_status
setunlock_unlock
setunlock_lock
setunlock_relock
TechnoLover said:
found this on mmcblk0p18, but I don't know if it belongs to bootloader or simlock. (my phone has no simlock)
I guess this should be useful. Can anyone with a sim locked try this in block 18 and see if it gives you different output?
my mouse won't let me select stuff so here's a screenie of my output simlocked
Lloir said:
my mouse won't let me select stuff so here's a screenie of my output simlocked
same here (output)
From the string syntax, I think that adr.18 is a string container for the bootloader.
Have tried the tool from here but nothing looks like the unlock code from the partitions of the script.
Seems like from the One series only the S can be unlocked this way as of now. Nor do the X, XL threads say anything new.
Ken-Shi_Kun said:
same here
oh no mine's broken broken left click is damaged
Related
Hello,
I made a new free app to unlock the Galaxy S and its variants.
Galaxy S Unlock
This app needs:
Root + Busybox + Active internet connection.
Does not work on Docomo: Docomo has nv_data rev 0.400, International Galaxy S has rev 0.800 and rev 1.500
Tested and working for Galaxy S sold with Android 2.1 (for Vibrant and Captivate this method is the same as this: http://forum.xda-developers.com/showpost.php?p=8983897&postcount=103 compiled into an apk)
Tested and working on Galaxy S sold with Android 2.2 in France; all new GS sold with Android 2.2 must use step 2 for 2.2.
Link to first test:
http://forum.frandroid.com/topic/38909-apk-pour-desimlockage-cherche-testeur/
Link to download:
http://perso.numericable.fr/helroz/Perso/Galaxy_S_Unlock.zip
For security, save your /efs folder
Step 1 save your /efs folder
Step 2 Unlock your phone in 60 seconds, black screen is normal (get the good step 2 for phones sold on 2.1 or 2.2)
Step 3 Build .nv_data.bak (after restart)
And last choice: restore the /efs folder saved in step 1 if you have any problem.
This is not a final version, test at your own risk
Edit 07/02/20011:
Unlock method is changed to only "change lock-bytes" because a minority of phones have a random signal problem and several users deleted the backup of the efs folder and sent me a message for help afterwards
Please send a message to inform me if this method works well for phones sold on 2.2
why the active internet connection ?
just write an apk that will change the lockbit in nv_data.bin and rebuild
it should only need root access
anyway .. a good start
If the phone was sold with Android 2.1 and upgraded to 2.2 with Kies, which step 2 should I choose? Thx.
Lockbit is a good idea, but with a normal unlock nv_data has more changes.
With an internet connection, I download my generic unlocked nv_data and I build a real unlocked nv_data.
I have feedback from SGS unlock pro and the new nv_data on phones sold with Froyo: just changing the lockbit causes problems with 3G and calls.
And my unlocked nv_data are in a zip, just 15 KB...
ZiDanRO said:
If the phone was sold with Android 2.1 and upgraded to 2.2 with Kies, which step 2 should I choose? Thx.
Choose for 2.1
nice idea, I'm glad somebody develops an app for this issue!
I am currently running 2.2.1, any experience with this FW?
helroz said:
Lockbit is a good idea, but with a normal unlock nv_data has more changes.
With an internet connection, I download my generic unlocked nv_data and I build a real unlocked nv_data.
I have feedback from SGS unlock pro and the new nv_data on phones sold with Froyo: just changing the lockbit causes problems with 3G and calls.
And my unlocked nv_data are in a zip, just 15 KB...
I can send you the proper nv_data.bin template file File attached .. now you can include it in your apk and like this, your program will have to extract the imei from original nv_data.bin and after, insert it into the template and then replace it in efs (also deleting the md5 in the process).
One click job and still no internet connection
FULLY Tested on 2.2 and 2.2.1 (stock/factory 2.2 / 2.2.1 and also 2.2 / 2.2.1 upgraded from 2.1)
PS: Add an input box so one can choose a new NCK and Freeze code for later re-locking by code for warranty *7465625*638*# and like this, they won't need any app to re-lock it since they have the code the phone accepts
It works on 2.2.1, I have good returns.
But the most important thing is the original version of Android, 2.1 or 2.2, for step 2.
Good job , it worked perfectly on my SFR locked SGS. Thanks a lot.
I don't need you to have a good nv_data for unlock.
I have been unlocking the I9000 since September and my method is a reference for all the others.
My choice for download is just a choice.
And my 2 unlocked nv_data were made with a normal unlock method. Afterwards I changed just the IMEI and product code.
And to relock for warranty, just reinsert the efs save from step 1 and it's good.
helroz said:
I don't need you to have a good nv_data for unlock.
I have been unlocking the I9000 since September and my method is a reference for all the others.
My choice for download is just a choice.
And my 2 unlocked nv_data were made with a normal unlock method. Afterwards I changed just the IMEI and product code.
as you wish .. but I was ready to help
and please, next time don't start the whole "I unlock since september" .. you should know better who unlocked the SGS first
Helroz, your technique that you proposed was a hell of an idea, think this is just a program that compiles everything ! Anyway, big thumbs for your good job, ur method was the only one that helped me unlock my SFR Galaxy S !
Again, Thx
Not better, but my method works and is invisible if the phone goes in for repair.
I make the same files as if it was unlocked with the code.
Man you saved my life , was trying to unlock with everything and nothing
I'm on Froyo 2.2 on a Bell Galaxy S Vibrant, did it twice and the second time it worked like a charm.
Thank you very much, my friend!
RazvanG, your proper nv_data unlock ref, is this not mine???
I see my mods in it (IMEI, unfreeze, simunlock, productcode...). These mods were made by me; I have this file on my computer, because I made this file.
Does not work on Docomo SC-02b .... Big suprize... stupid special docomo version ...
Stupid question...but how can you tell if its worked without putting another sim card in...
Sent from my GT-I9000 using XDA App
Excellent, I was struggling with the SIM unlock; I launched your app without really believing in it and poof, no more need to threaten Orange for the SIM unlock code.
A big thank you.
helroz said:
RazvanG, your proper nv_data unlock ref, is this not mine???
I see my mods in it (IMEI, unfreeze, simunlock, productcode...). These mods were made by me; I have this file on my computer, because I made this file.
The attached file is HEXed and extracted from a proper-unlocked 2.1 to 2.2 using codes provided, based on IMEI.
If your solution uses the same file structure, then it is good to go.
Just add it to your apk (yes, it will be 2 MB bigger) but it won't need an internet connection at all; also, add an input box for the user so one can choose one's own NCK and/or Unfreeze (and like this, will be able to re-lock it without a backup of the original /efs)
^^
No need for 2 MB; if I zip the files, I just need 30 KB (I use 2 different unlocked nv_data files).
I am working on automatic selection of the good nv_data version for unlock (the new nv_data is not compatible with the old one); this is the reason for "sold on 2.1 or 2.2", but now I have lots of problems reading a version extracted into a .txt file and making a comparator (this is my future update).
For simlock and unfreeze keys, this is a bad idea; I made this in a .jar file on Windows and I caused confusion. I had messages from users: why is the code?
Efs save is simple and has the original files.
For download or making the files in the apk, I like download; I have AdMob, and AdMob doesn't work offline. One day... perhaps
I'm not very good at making apks but it works.
Hi,
I am currently residing on the One S forums (don't have a One X), and have found (in conjunction with jh787) a working method of SIM unlocking the One S for free.
The method may also be applicable to the One X.
Part of the trick is obtaining an UN_Lock-code stored on the phone. On the One S this is found as follows:
1) You need root
2) You need Terminal Emulator (free from the market)
Open the Terminal Emulator app and type:
su [enter]
strings -n 8 /dev/block/mmcblk0p6 [enter]
It will output several lines of data.
On the One S, towards the bottom are 2 lines. One contains your IMEI number, the other reads UN_Lock_code=063312345 (for example)
This is NOT the SIM unlock code - don't use it!
I believe that the One X uses a different partition structure, so the correct data may not be in the mmcblk0p6 block.
If anyone can tell me the correct block for the One X, I will test the hack on your device and, if possible, provide a free sim unlock hack for the One X.
Isn't it simlock free if the device is rooted?
Sent from my HTC One X using xda premium
tested on
strings -n 8 /dev/block/mmcblk0p1
strings -n 8 /dev/block/mmcblk0p2
strings -n 8 /dev/block/mmcblk0p3
etc etc etc etc etc etc etc etc etc
strings -n 8 /dev/block/mmcblk0p18
strings -n 8 /dev/block/mmcblk0p19
strings -n 8 /dev/block/mmcblk0p20
NOTE: skipped system data and cache blocks reason is obvious i think
but none of the blocks had that output
but maybe that output doesn't exist on a sim lock free phone
sorry can't help you out bro wait for someone to test on a sim locked HOX
owain94 said:
tested on
strings -n 8 /dev/block/mmcblk0p1
strings -n 8 /dev/block/mmcblk0p2
strings -n 8 /dev/block/mmcblk0p3
etc etc etc etc etc etc etc etc etc
strings -n 8 /dev/block/mmcblk0p18
strings -n 8 /dev/block/mmcblk0p19
strings -n 8 /dev/block/mmcblk0p20
NOTE: skipped system data and cache blocks reason is obvious i think
but none of the blocks had that output
but maybe that output doesn't exist on a sim lock free phone
sorry can't help you out bro wait for someone to test on a sim locked HOX
Interesting theory!
The method is now confirmed working on the One S. Now all we need is the right block for the One X!
stiffmast3r said:
Isn't it simlock free if the device is rooted?
Sent from my HTC One X using xda premium
No - rooting does not remove a carrier simlock
Could any One XL users please try this as well?
I believe that the XL block structure may be similar to the One S...
One XL users are HERE
ckpv5 said:
One XL users are HERE
Ah! I hadn't noticed the subtle distinction of the Rogers/AT&T tag..!
I always thought this is included in warez; if a hack for getting Dropbox space is considered warez, then isn't this bigger warez than that? Using this, people can get fully unlocked phones at low cost; isn't that harming HTC, and should this be promoted on xda? I may be wrong but don't shoot me if you disagree...
Sent from my HTC One X
This wouldn't harm HTC in any way, shape or form; it's the carriers that lose out on a bit of money to unlock the phone, and who actually asks carriers to unlock their phone anyway?
Sent from my HTC One X using XDA
owain94 said:
tested on
strings -n 8 /dev/block/mmcblk0p1
strings -n 8 /dev/block/mmcblk0p2
strings -n 8 /dev/block/mmcblk0p3
etc etc etc etc etc etc etc etc etc
strings -n 8 /dev/block/mmcblk0p18
strings -n 8 /dev/block/mmcblk0p19
strings -n 8 /dev/block/mmcblk0p20
NOTE: skipped system data and cache blocks reason is obvious i think
but none of the blocks had that output
but maybe that output doesn't exist on a sim lock free phone
sorry can't help you out bro wait for someone to test on a sim locked HOX
Same here. Except my handset is locked.
Sent from my HTC One X using Tapatalk 2
same here, my handset is locked. (H3G)
fetto666 said:
same here, my handset is locked. (H3G)
Here is my TE output from that block which shows what you are looking for.
From other reports, I believe that the code may not exist in a factory-unlocked phone (only a carrier-locked one).
~ # strings -n 8 /dev/block/mmcblk0p6
[email protected]+\CtMf
our ONE X is totally different
vladnosferatu said:
our ONE X is totally different
OK. This method may help to search for the right string.
A Backlink By Me To Thank You
http://www.freshnewsarea.com/tricks/unlock-htc-one-s-free-root-needed/
ascot17 said:
OK. This method may help to search for the right string.
on the ONE X Nvidia Tegra 3, the blocks with that information are hidden.
we can not access them, we need to make an exploit to access them
vladnosferatu said:
on the ONE X Nvidia Tegra 3, the blocks with that information are hidden.
we can not access them, we need to make an exploit to access them
OK thanks for the update. A dead end then I guess!
Trip is working on a 3.0 kernel. He says that with his kernel we can access all the partitions. I believe all partitions = all blocks. Correct me if i'm wrong.
Check his twitter
neodox said:
Trip is working on a 3.0 kernel. He says that with his kernel we can access all the partitions. I believe all partitions = all blocks. Correct me if i'm wrong.
Check his twitter
I doubt, we need to exploit
I removed download link due to this method not working on lollipop.
This guide is deprecated, please use TWRP Recovery from this thread to install root
DISCLAIMER and WARNING: I'm not responsible for bricked devices, dead SD cards, thermonuclear war, or the current economic crisis. Please do some research if you have any concerns about this app.
You have been warned!
Links:
Sony PC Companion
Download link removed while I test for compatibility with 5.x, md5 sum: e2c34b07faa415a6cbb95943649c7eba
Step 1:
Code:
Unlocked bootloader (source.android.com/source/building-devices.html#unlocking-the-bootloader)
1. Enable adb debug
2. adb reboot bootloader
3. fastboot oem unlock (twice if requested)
4. fastboot format cache
5. fastboot format userdata
6. fastboot getvar all (and verify that it is)
7. fastboot reboot
Step 2:
Code:
Updated to the latest KNX01V
Install Sony PC Companion (http://www.sonymobile.com/us/tools/pc-companion/) and use Supports Zone -> Accessories software update -> Smartwatch 3
Step 3:
Code:
Have Flashboot (Sony s1 flash) drivers installed just in case (Install Sony PC Companion and do update as indicated in previous step)
Step 4:
Code:
BOOT (DO NOT EVER FLASH IT!!!) rooting boot.img
1. Download rooting kernel image (SWR50-rootboot.img)
2. Reboot into bootloader (adb reboot bootloader)
3. fastboot boot SWR50-rootboot.img
4. Wait till device reboots or sits in black screen for a while (1 min+ then reboot it by holding power 10+sec)
Step 5:
Code:
Verify by:
1. adb shell
2. su
3. you should see [email protected]:/ #
Step 6:
Code:
1. Let me know!
2. Use it, dive into GPS investigation or customizations, etc.....
Special thanks:
1. Justin Case for LG G Watch rooting method using LGGW-rootboot.img
2. osm0sis for Android Image Kitchen
reserved
How it works:
1. Each boot.img packs zImage (real kernel) and ramdisk (special files for kernel use)
2. This one has all modifications from LGGW rootboot by Justin Case:
a. Adds su binary, superuser.sh install script, modified install-recovery.sh and additional step into init.rc file to invoke superuser.sh install script. Also modifications to mount system as rw and some disabled security.
3. So basically it mounts system as rw and does the following (cut from superuser.sh install script):
Code:
#!/system/bin/sh
/system/bin/mount -o remount,rw /system
/system/bin/sleep 2
/system/bin/cat /sbin/su > /system/xbin/su
/system/bin/cat /sbin/su > /system/xbin/daemonsu
/system/bin/cat /sbin/install-recovery.sh > /system/etc/install-recovery.sh
/system/bin/chown 0.0 /system/xbin/su
/system/bin/chown 0.0 /system/xbin/daemonsu
/system/bin/chown 0.0 /system/etc/install-recovery.sh
/system/bin/chmod 06755 /system/xbin/su
/system/bin/chmod 06755 /system/xbin/daemonsu
/system/bin/chmod 755 /system/etc/install-recovery.sh
/system/bin/sync
/system/bin/sleep 3
/system/bin/reboot
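Added example, not part of the original post or of the rootboot image: a shell audit that checks an unpacked or mounted system tree for the files the install script above writes (setuid `su` and `daemonsu` in `xbin`, both copied from the same source, and an overwritten `install-recovery.sh`). The function names, the directory arguments and the sample trees are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit an unpacked /system tree for the files written by the
# superuser.sh script quoted above. All names here are illustrative.

# audit_root_artifacts SYSTEM_DIR [STOCK_DIR]
# Prints one finding per line; prints nothing for a clean tree.
audit_root_artifacts() {
    sys=$1
    stock=${2:-}

    # The script copies /sbin/su to xbin/su and xbin/daemonsu, then chmod 06755.
    for name in su daemonsu; do
        f="$sys/xbin/$name"
        [ -f "$f" ] || continue
        if [ -u "$f" ]; then
            echo "SETUID $f"
        else
            echo "PRESENT $f"
        fi
    done

    # Both copies come from the same source file, so byte-identical contents
    # are a signature of this particular install script.
    if [ -f "$sys/xbin/su" ] && [ -f "$sys/xbin/daemonsu" ] &&
       cmp -s "$sys/xbin/su" "$sys/xbin/daemonsu"; then
        echo "IDENTICAL $sys/xbin/su $sys/xbin/daemonsu"
    fi

    # install-recovery.sh is overwritten; compare with a stock copy if given.
    ir="$sys/etc/install-recovery.sh"
    ref="$stock/etc/install-recovery.sh"
    if [ -f "$ir" ] && [ -n "$stock" ]; then
        if [ ! -f "$ref" ]; then
            echo "ADDED $ir"
        elif ! cmp -s "$ir" "$ref"; then
            echo "MODIFIED $ir"
        fi
    fi
    return 0
}

# Build constructed sample trees under DIR: a "stock" tree and a "rooted" one.
# The file contents are placeholders, not real binaries.
build_sample_trees() {
    dir=$1
    mkdir -p "$dir/stock/xbin" "$dir/stock/etc" \
             "$dir/rooted/xbin" "$dir/rooted/etc"
    printf '#!/system/bin/sh\n# stock copy\n' \
        > "$dir/stock/etc/install-recovery.sh"
    printf 'constructed su placeholder\n' > "$dir/rooted/xbin/su"
    cp "$dir/rooted/xbin/su" "$dir/rooted/xbin/daemonsu"
    chmod 6755 "$dir/rooted/xbin/su" "$dir/rooted/xbin/daemonsu"
    printf '#!/system/bin/sh\n# constructed modified copy\n' \
        > "$dir/rooted/etc/install-recovery.sh"
}

sample=$(mktemp -d)
build_sample_trees "$sample"
audit_root_artifacts "$sample/rooted" "$sample/stock"
rm -rf "$sample"
```

Run against the constructed sample, the audit reports two SETUID lines, one IDENTICAL line and one MODIFIED line; pointing it at the stock tree reports nothing.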
I have dumped the rom from my debug/test version and was wondering if you were able to give me a guide on how i could try and flash it with a retail version? I presume this root guide probably won't work for me
Well, if hardware and partitions are the same - I do not see why it will not work. However, it will not help to flash.
I might try to compile twrp, but will have to carefully read its docs first.
thanks @XorZone confirmed as working and a nice easy process too (I was already unlocked).
Out of curiosity, modded LGGW rootboot or just renamed?
iBuzman said:
thanks @XorZone confirmed as working and a nice easy process too (I was already unlocked).
Out of curiosity, modded LGGW rootboot or just renamed?
Thanks for letting me know!
I reverse engineered changes in LGGW by unpacking and comparing ramdisks from both rootboot and original lg kernel and then applied the same changes to our kernel extracted from PC Companion files.
great thinking and good job ?
btw, that pic confirmed su access to watch over bluetooth debug connection ?
really great tutorial. I am planning to buy this watch, but I think currently there is NO app that requires Root. so I wonder how can we get benefit of this ?
Kurotsuchi said:
really great tutorial. I am planning to buy this watch, but I think currently there is NO app that requires Root. so I wonder how can we get benefit of this ?
There is at least Wear Control app: https://play.google.com/store/apps/details?id=octathorp.wearcontrol
I plan to code density changer that will require access to adb, so either from rooted phone or rooted wear.
Kurotsuchi said:
really great tutorial. I am planning to buy this watch, but I think currently there is NO app that requires Root. so I wonder how can we get benefit of this ?
how to benefit?
root apps of course!!
(sry for bad pic, unlocked bootloader z3 in low light)
XorZone said:
There is at least Wear Control app: https://play.google.com/store/apps/details?id=octathorp.wearcontrol
I plan to code density changer that will require access to adb, so either from rooted phone or rooted wear.
that's awesome man! will purchase mine next week, can't wait to root it. thanks for the answer.
Thanks for the root, XorZone. For anyone wondering, here's the dmesg of the watch
A few small observations from digging:
The main chipset seems to be the BCM23550
The CPU has 4 cores, 2 are disabled in software. Should be easy enough to reenable if you please
It definitely has WiFi hardware, but the firmware is currently missing from the image. If you manage to get a hold of compatible firmware and nvram, it should be simple enough to get WiFi up and running
The WiFi firmware message mentions a "43341". Which is odd because apparently the main chipset does have WiFi support built in. Searching for a Broadcom 43341 gives you this, but this might just be a red herring.
cb22 said:
Thanks for the root, XorZone. For anyone wondering, here's the dmesg of the watch
A few small observations from digging:
The main chipset seems to be the BCM23550
The CPU has 4 cores, 2 are disabled in software. Should be easy enough to reenable if you please
It definitely has WiFi hardware, but the firmware is currently missing from the image. If you manage to get a hold of compatible firmware and nvram, it should be simple enough to get WiFi up and running
The WiFi firmware message mentions a "43341". Which is odd because apparently the main chipset does have WiFi support built in. Searching for a Broadcom 43341 gives you this, but this might just be a red herring.
Yeah, I noticed the same about WiFi chip, it might be that they packed bcm43341 as part of the BCM23550 soc, like Invensense MPU9250 chip packs mpu6500 inside.
For the 43341 I'm finding it in the configs here: https://android.googlesource.com/kernel/tegra/+/bdde9f16131a5ac2039062d5ce22e3e153acbe68^!/
Looks like BCM43341 is BCM4334 + NFC chip, so we could try S3 I9300 files as per http://redmine.replicant.us/projects/replicant/wiki/GalaxyS3I9300Firmwares
How can I grant superuser permission to an app? I installed ES File Explorer with sideload but I can't get superuser permission. The procedure is OK.
Sorry admins for not putting in correct location....
Moved to Correct Area!
cdrshm said:
Sorry admins for not putting in correct location....
I can not get my device to show up in adb devices and its driving me crazy. Tried windows 7/8/server 2012R2 ..lol
Now I have done my fair share of custom roms and bootloaders.
OG Droid
Nexus
Nexus 10
Asus Memo Pad (came from alarm company, and could only load one app...now its a full running tablet)
I am sure its a silly thing I have done or am missing...
Thoughts....ideas?..need more info?
As usual, check if adb enabled in settings-about-developer options, if there are no developer options - it is as usual 7 times click on build number in about screen.
And please use Q&A thread for such questions
I've confirmed root survives the Lollipop update
Wow, I was out whole weekend, will have to catch up with the update
No way to put the NCK, no information on the internet, PuTTY error, DC unlocker does not support it. If I found the NCK, how do I use it? Firmware update?? But where? This is really challenging for me.
tks
ATI
Manufacturer: Huawei Technologies Co., Ltd.
Model: HWD14
Revision: 11.232.03.10.824
IMEI: 3528980453****
+GCAP: +CGSM
OK
AT^NVRDEX=50503,0,128
ERROR
Anandasri2 said:
No way to put the NCK, no information on the internet, PuTTY error, DC unlocker does not support it. If I found the NCK, how do I use it? Firmware update?? But where? This is really challenging for me.
tks
ATI
Manufacturer: Huawei Technologies Co., Ltd.
Model: HWD14
Revision: 11.232.03.10.824
IMEI: 3528980453****
+GCAP: +CGSM
OK
AT^NVRDEX=50503,0,128
ERROR
Found modem : M9625E-1
Model : Huawei HWD15
IMEI : 352898045xxxxxx
Serial NR. : N7SDW1431700xxxx
Firmware : 11.232.03.10.824
Dashboard version : 22.001.26.06.824
SIM Lock status : Locked (Card lock)
Wrong codes entered : 0 (unlock attempts left : 10)
sorry, this modem not supported !
Anandasri2 said:
Found modem : M9625E-1
DC unlocker
Model : Huawei HWD15
IMEI : 352898045xxxxxx
Serial NR. : N7SDW1431700xxxx
Firmware : 11.232.03.10.824
Dashboard version : 22.001.26.06.824
SIM Lock status : Locked (Card lock)
Wrong codes entered : 0 (unlock attempts left : 10)
sorry, this modem not supported !
CardLock_UnLock-e58xx/HUAWEI MODEM Code Writer is not working either for entering the NCK; may be a firmware block..!
Anandasri2 said:
CardLock_UnLock-e58xx/HUAWEI MODEM Code Writer is not working either for entering the NCK; may be a firmware block..!
The only firmware online is "easy-firmware"; it looks like a scam to me 'cause it's paid and suspicious.
HWD14_11.232.03.30.824_22.001.26.06.824
HWD14TCPU-V100R001B232D03SP30C824_Firmware_05012FPY.zip
Date: 26-09-2018 | Size: 270.65 MB
Found something working but got an error.
The "CardLock_UnLock-e58xx" code writer detects this device, but when I enter the NCK it gives an error, maybe due to a firmware block.
For the NCK I used the old V1 algo 'cause the IMEI starts with 35XXXXXXXXXXX,
but none of the attempts count: according to DC unlocker there still remain 10 chances.
If I don't find any solution soon I will try to update it through the built-in Web UI using auto update, but I still hesitate to do so 'cause it may be more difficult to unlock.
*I tried using PuTTY telnet/serial commands but no success
++++++++++++++++++++++++++++++++++++++++
1.at^sfm=1
2.at^reset
3.AT^NVWREX=8268,0,12,1,0,0,0,2,0,0,0,A,0,0,0
4.at^sfm=0
5.at^reset
+++++++++++++++++++++++++++++++++++
atc ati
atc at^nvwrex=8268,0,12,1,0,0,0,2,0,0,0,a,0,0,0
+++++++++++++++++++++++++++++++++++=
ATI
ATI
AT^NVRDEX=50503,0,128
++++++++++++++++++++++++++++++++++++
If I find any progress I will update; also, if someone can help, much appreciated...! :angel:
tks,
This command is working,
but
ATI
> AT^CARDLOCK?
^CARDLOCK: 1,10,0
When I enter
AT^CARDLOCK="Xx NCK CodeXXX" nothing happens, so I realize this is a firmware block...
So I have to find modified firmware to do this. If anyone has access to the easy-firmware.com resource and can get "HWD14_11.232.03.30.824_22.001.26.06.824 HWD14TCPU-V100R001B232D03SP30C824_Firmware_05012FPY.zip", please share it with me, so I can at least give it a try..
+++++++++++++++++++++ DAY 5 ++++++++++++++++++++++++++++
Finally found a way to download the original firmware, with all revisions:
HWD14_UPDATE_11.232.03.10.824_22.001.26.06.824.ZIP English/Japanese
HWD14_UPDATE_11.232.03.30.824_22.001.26.06.824.ZIP English/Japanese
After a bit of research I realize the ZIP is a compressed bin file, not a compressed package.. Also, I know nothing about these files, so I have to dig more to learn how to handle them. Maybe it's impossible, but I still don't know :laugh:
now i have
*firmware file
*Hi links drivers to enable COM port
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Working with some tools in Linux (binwalk... etc.) but still no luck. If someone can mod this firmware, please let me know and I will send the link... because it's a long way to go to learn reverse engineering :silly:
FM file links
http://update.hicloud.com:8180/TDS/..._UPDATE_11.232.03.10.824_22.001.26.06.824.ZIP
http://update.hicloud.com:8180/TDS/..._UPDATE_11.232.03.30.824_22.001.26.06.824.ZIP
Doesn't work because the file is corrupted. Looks like it's faking about being corrupt, because it looks suspicious to me. I think the archive is good but they don't need open it easily :laugh: Still looking forward.
Here is my latest version of My Oneplus Tool. This tool can do almost everything for you. I have added a method to switch the Oem_Unlock switch on SIM-locked devices. It will ungray the switch so you can flip it and bootloader unlock. It still has all the other tools, like the engineer mode decrypt, to enable the app. Also lots of hidden SECRETS, like every OnePlus device has a hidden copy of busybox already installed, and this will access it. Plus this has a long list of dialer codes. There are lots of tools like scrcpy and a Windows file explorer for your device. I have also added lots of fastboot adb commands. Please feel free to let me know if anything can be added. I've been notified this has been reported as a virus; it is only a .bat file converted to exe. Please scan for yourself.
One+_TooL.7z | by Ju5t3nc4s3 for /e/OS supported models
www.androidfilehost.com
Please donate for the cause.
Donate to Ju5t3nc4s3
Help support Ju5t3nc4s3 by donating or sharing with your friends.
www.paypal.com
I have now made this ungray method useless LoL. I have a working method that lets u flash msm and boot direct to bootloader and unlock without the need for an oem unlock token from OnePlus; it even works if ur still sim locked.
any guidance?
better with an instruction.
thx for sharing.
Thank you very much. This is awesome !
But like werichard559 said, better with instructions. Otherwise you will get Many Many Many questions....
It's self-explained in the tool. It's just written in bash and packed with everything, like adb tools, into an exe.
It has a menu with items.
Interesting, MS Windows and Linux?
galaxys said:
Interesting, MS Windows and Linux?
exe on linux? Nah, you could decompile and pull the scripts
The only reason for the exe is to have all the files together. Nice and neat. And unlike all the others that want you to post your IMEI to the NET to do the engineer mode decrypt, I wrote this so the decryption is done in shell on the phone.
Engineer mode from dialer? Did you just script to edit the config file in mnt/vendor/persist/engineermode/engineermode_config ? We appreciate your work. Work smarter not harder
Zeus0fyork said:
Engineer mode from dialer? Did you just script to edit the config file in mnt/vendor/persist/engineermode/engineermode_config ? We appreciate your work. Work smarter not harder
To disable the encryption and enable engineer mode? Yes, the config is edited; it can only be done with root, or a very long process. I released a shell command to do this a few months back. It just uses a sed cmd. Now, to generate the code on the device in shell to enter: that wasn't easy, had a heck of a time finding a cmd that would get the correct hash I needed for a crc32b. And to have it enter that code for u on the screen, it just had to be done. Lol. I have loads of dialer codes still that I haven't added to the tool. A lot I'm not sure what they even do yet, like *#632#, no clue. There is a completely extra app that is also decrypted with the engineer mode: OpEngMode, or TmoEngMode for T-Mobile.
This has all come together just from the data mining and the need for the tools for the reversing of the simlock. I've been working on it now for some time and have discovered many other vulnerabilities. I have unlocked some devices, but never 1 the same. Before I released this I discovered how to flip the oem_unlock switch under the greyed out area, and was able to unpack a msm download and mod to repack it. So after flash the switch is on. By 1 bit I found in one of the partitions. Recently I have located some code just like the engineer mode qr for the sim unlock. And there is a couple RSA private keys with it. I also located a dialer code to skip setupwizard. And another code that gives u all USB access like adb, diag, all without verification.
What do u mean by 'some code just like the engineer mode qr for the sim unlock'?
Now I am having trouble SIM unlocking my TMO OP9, could u pls help me out?
There is no method to sim_unlock other than the official service.
oh,really sad to hear that.
still merry christmas.
thx for ur shares.
I have been working on reversing the OnePlus sim_lock now for over a year. On every device after the Op6 they made a change that if you erase the efs to reset it, you will lose total access to the sim card. It looks to be a key needed by the sim in the SFS path, same location as the simlock fuse.
What problem can be? androidfilehost said no mirrors found/ ((((
I'll upload to Gdrive in a bit also. Android file host does this. Lots of times u just need to wait a bit to get it to work.
I will be glad to Gdrive link. I waited all day, got to the computer. And hosting broke me off. lol
P
020982 said:
I will be glad to Gdrive link. I waited all day, got to the computer. And hosting broke me off. lol
One+_TooL.exe
drive.google.com
Still sim locked and no unlock.bin, thank you good sir
? What are u trying to show? U can check the sim lock in *#808#.