Page 10 of 19, results 181 to 200 of 363
  1. #181  
    Mol,

    I think that without parameters the program will always return True ('Locked', like you programmed in that case) if there is a (!!! the one of the SIM ???) network AVAILABLE. It's probably the case that you can identify the network (for example OUK???) with one of the parameters and then it will only look if that particular network is available. It isn't, so: False!!!!
  2. #182  
    Hi,

    I tried both versions of the prc program from Mol, but both versions make my Treo restart (in wireless-on mode). My Treo is fw 2.09, locked by AT&T U.S.

    Thanks

  3. #183  
    fcmt, are you using an AT&T SIM card when running these tests?
  4. #184  
    Yes, I'm using the AT & T sim card to test.
    If I use my local SIM card to test, it won't restart, but no information is displayed.

    Thanks
  5. #185  
    I've just registered to post my phoneinfo results.
    I am on Orange UK. My Treo is, alas, still locked:

    Number: <my number>
    Operator: Orange
    Signal Strength: 13
    Roam Status: Not Roaming
    Software: Treo600-1.0-OUK
    Hardware: A
    Serial: <my serial i guess>
    IMEI: <my IMEI>
    ESN:
    Lock Status: Locked

    I was wondering if there is any significance to the serial number. Can i do anything with it?
    Also, i've noticed that Orange UK users have Hardware revision A. Anyone know what is the difference between A and B?
  6. cvt #186
    I presume the colour of the casing. Orange is the black casing.
  7. #187  
    Hi Mol,

    Ran again the Phone Info application tonight, I'm back in France and here's what I get:

    Operator: F SFR
    Roam Status: Not Roaming
    Lock Status: Locked
    (rest of info unchanged)

    So I think your program probably doesn't (yet) display the lock status accurately.

    I'm pretty busy for the next four days, but I'll have a look as soon as possible and get back to you!
  8. #188  
    I think the API is returning whether you're allowed to register the SIM with other networks that it has found. So in your case it's returning that you can't use it with Orange and Bouygues.

    However I've found an undocumented API that is returning WrongSIM for my SFR card. I'll post a version later today.
  9. ewm #189
    I have a Cingular phone running on the Cingular network. I did the 2.09 update to it.

    Here's my information:

    Number: <my number>
    Operator: Cingular
    Signal Strength: 8
    Roam Status: Roaming
    Software: Treo600-1.09-INT
    Hardware: b
    Serial: <my serial i guess>
    IMEI: <my IMEI>
    ESN:
    Lock Status: Not Locked

    Hope this helps...
  10. #190  
    Cingular Treo - Updated to 2.09

    Number: Number not on SIM
    Operator: AT&T Wireless
    Signal Strength: 19
    Roam Status: Not Roaming
    Software: Treo600-1.09.INT
    Hardware: B
    Serial: HAAADXXXXXXXX
    IMEI: XXXXXXXXXXXXXXX
    ESN: <BLANK>
    Lock Status: Not Locked

    I doubt that this will get us any closer to unlocking the suckers - I'm trying to find a locked AT&T one on the cheap (so to speak) to use as a test platform.

    DemonJ
  11. #191  
    demonj & ewm, thx for posting the cingular results. Of course now I'm really confused about what this API is returning. Could you please let me know if you can use another network with your SIM card, i.e. when you go to Select Network and choose another one, does the phone register to that network?
  12. #192  
    Ok - I go into the phone application, select Options -> Select Network

    Searching for available networks

    I get a list of networks (we have 2 here in Bermuda) and I have a choice to select which network I use. If I select the "other" network I get an "unable to register" error - which is correct. If I can't get a signal from AT&T I get a SOS only on my handset from the other network.

    Whilst I was in Canada and the US, the phone would automatically register on AT&T but I could select another "Roaming" network if I so chose to. (A bit of background - prior to AT&T Bermuda being part of AT&T it was another company altogether "Telecom Bermuda" - so they still technically have roaming agreements with other cellular carriers).

    Hope this adds to the confusion ;-)

    DemonJ


    Originally posted by Mol
    demonj & ewm, thx for posting the cingular results. Of course now I'm really confused about what this API is returning. Could you please let me know if you can use another network with your SIM card, i.e. when you go to Select Network and choose another one, does the phone register to that network?
  13. #193  
    I guess I need more results from people that have unlocked their phone, i.e. the phone came locked and they used a code to unlock it.

    Any volunteers?
  14. ewm #194
    Cingular does some tricks with their network naming here in NJ - the two available networks are named "Cingular" and "Cingular Extend". The phone will not usually register on "Cingular Extend" when a "Cingular" network is available.

    What makes this interesting is that if I put an AT&T SIM card in, the available networks become "AT&T Wireless" and "T-Mobile". There appears to be a remapping of the names based on the contents of the SIM.

    For what it's worth, my old T180 showed the same behavior.
  15. #195  
    Mol, and others,

    I don't suppose you guys could start a new thread to test your app? I mean, it's cool and all that, don't get me wrong. But I keep checking this thread hoping someone has discovered something that may help the unlock hackers, and I keep reading debugging reports for Mol's app.

    Jeff
  16. #196  
    Originally posted by sysvr4
    Mol, and others,

    I don't suppose you guys could start a new thread to test your app? I mean, it's cool and all that, don't get me wrong. But I keep checking this thread hoping someone has discovered something that may help the unlock hackers, and I keep reading debugging reports for Mol's app.

    Jeff
    Well, the only reason I posted the app is because I'm trying to find an easy way to detect whether a phone is locked or unlocked. It would help me in understanding how the HS APIs around security are working.
  17. #197  
    Guys and Gals,

    You've got to keep this thread going! I have no idea what you're talking about most of the time, but I'm still riveted to any new development. I wish I was a hacker so I could join in!

    I am curious, though, about what will happen if this rumoured merger between Cingular and AT&T takes place (actually, it's more of a buyout by Cingular of AT&T from what I've read). I mean, let's say I "break" my AT&T sim card. There must be a way for a Cingular card to work in there! Otherwise we're all getting new Treos! Woohoo!

    And finally, just to egg you on a bit, when I had my Nokia 3600, I was amazed that people found a way to hack Apple's iSync to make it work with the 3600. I mean, if OSX can be hacked, surely you guys can handle a little old os like Palm...

    Great job everyone!
  18. #198  
    Last edited by frenchfries; 01/19/2004 at 11:15 PM.
  19. #199  
    Here is an example of my take on understanding one of the funcs in the firmware (SIMLockCheckNetworkLock).
    Hope this will help others to go on ...

    Basically what it does is get a 6-byte string as input and check it against an encrypted string that is decrypted on the fly using the decrypt function.
    It also uses a func called BATTMgrResumeCharging ... probably something wrong here with the addressing ...

    Well, not that much here .. except that I'm wondering if simply modifying the code so that SIMLockCheckNetworkLock always returns 1 would not do the trick ;-)

    Before doing so, I'll dig a bit more into other funcs ... but oh god I don't have time !


    3a1078 :b5b0 : PUSH { R4,R5,R7, LR } // Save R4,R5,R7 on stack - save LR as well for function call return
    3a107a :45d5 E : CMP SP, H2 // Check on all funcs ... probably some heap overflow check
    3a107c :da01 . : BGE 3a1082 //
    3a107e :f00af863: BL 3ab148 (Routine (11 calls)) //
    3a1082 :1c07 .. : MOV R7, R0 // R7 = R0 (1st parameter, let's call it Parm1), so R7 = Parm1
    3a1084 :b083 : ADD SP, #-000c // Reserve 12 bytes on the stack for function usage
    3a1086 :482c H, : LDR R0, #003f8060 // Load a structure pointer into R0, let's call it Ptr1
    3a1088 :7cc0 | : LDRB R0, [R0, #13] // R0 = *((char *)Ptr1 + 13) , let's call it Ptr1->Byte1
    3a108a :ab02 . : ADD R3, SP, #0008 // R3 points on the 9th char of the 12 we reserved on stack (let's call this LocByte1), so R3 = &LocByte1
    3a108c :7018 p. : STRB R0, [R3, #0] // LocByte1 = R0 = Ptr1->Byte1
    3a108e :207f  : MOV R0, #7f // R0 = #7f
    3a1090 :03c0 . : LSL R0, R0, #.15 // R0 = R0<<15 = #3f8000, let's call it PtrByte2 (a special reserved part of the memory ? Why is it computed like this ?)
    3a1092 :7800 x. : LDRB R0, [R0, #0] // R0 = PtrByte2[0]
    3a1094 :2501 %. : MOV R5, #1 // R5 = 1
    3a1096 :2800 (. : CMP R0, #0 // if (R0 == 0)
    3a1098 :d004 . : BEQ 3a10a4 // Goto Branch1
    3a109a :1c38 .8 : MOV R0, R7 // R0 = Parm1 (R0 is used as 1st parm for function calls)
    3a109c :f6b7fba4: BL 2587e8 (Routine (4 calls)) // R0 = Routine1(Parm1)
    3a10a0 :2800 (. : CMP R0, #0 // if (R0 == 0)
    3a10a2 :d001 . : BEQ 3a10a8 // Goto Branch2

    Branch1

    3a10a4 :1c28 .( : MOV R0, R5 // R0 = R5 = 1
    3a10a6 :e044 D : B 3a1132 // goto Branch8 (return (1))

    Branch2

    3a10a8 :2101 !. : MOV R1, #1 // R1 = 1
    3a10aa :a802 . : ADD R0, SP, #0008 // R0 = &LocByte1, LocByte1 = Ptr1->Byte1
    3a10ac :f000fc37: BL 3a191e (Routine (11 calls)) // DecryptData(&LocByte1, 1) (call using a reference, not a direct value)
    3a10b0 :2400 $. : MOV R4, #0 // R4 = 0
    3a10b2 :a802 . : ADD R0, SP, #0008 // R0 = &LocByte1 (modified)
    3a10b4 :7800 x. : LDRB R0, [R0, #0] // R0 = LocByte1
    3a10b6 :2800 (. : CMP R0, #0 // if (LocByte1 <= 0)
    3a10b8 :dd3a : : BLE 3a1130 // goto Branch7 (return(0))

    Branch6

    3a10ba :0060 .` : LSL R0, R4, #.1 // R0 = R4 << 1 = 0 ??? I don't understand ...
    3a10bc :1900 .. : ADD R0, R0, R4 // R0 += R4
    3a10be :0040 .@ : LSL R0, R0, #.1 // R0 = R0 << 1 = 0 ???
    3a10c0 :4b1e K. : LDR R3, #003f8074 // R3 = Ptr2
    3a10c2 :18c1 . : ADD R1, R0, R3 // R1 = &Ptr2->Data1
    3a10c4 :4668 Fh : MOV R0, SP // R0 = stack pointer = LocString2 (points on the 1st char of the 12 we reserved on stack)
    3a10c6 :2206 ". : MOV R2, #6 // R2 = 6
    3a10c8 :f005fa2c: BL 3a6524 (Routine (13 calls)) // BATTMgrResumeCharging(LocString2 , &Ptr2->Data1, 6)
    3a10cc :4668 Fh : MOV R0, SP // R0 = stack pointer = LocString2
    3a10ce :2106 !. : MOV R1, #6 // R1 = 6
    3a10d0 :f000fc25: BL 3a191e (Routine (11 calls)) // DecryptData(LocString2 , 6)
    3a10d4 :a800 . : ADD R0, SP, #0000 // R0 = LocString2
    3a10d6 :7800 x. : LDRB R0, [R0, #0] // R0 = LocString2[0] (modified by DecryptData)
    3a10d8 :7839 x9 : LDRB R1, [R7, #0] // R1 = Parm1[0]
    3a10da :4288 B : CMP R0, R1 // if (LocString2[0] != Parm1[0])
    3a10dc :d121 ! : BNE 3a1122 // goto Branch3
    3a10de :a800 . : ADD R0, SP, #0000 // R0 = LocString2
    3a10e0 :7840 x@ : LDRB R0, [R0, #1] // R0 = LocString2[1]
    3a10e2 :7879 xy : LDRB R1, [R7, #1] // R1 = Parm1[1]
    3a10e4 :4288 B : CMP R0, R1 // if (LocString2[1] != Parm1[1])
    3a10e6 :d11c . : BNE 3a1122 // goto Branch3
    3a10e8 :a800 . : ADD R0, SP, #0000 // R0 = LocString2
    3a10ea :7880 x : LDRB R0, [R0, #2] // R0 = LocString2[2]
    3a10ec :78b9 x : LDRB R1, [R7, #2] // R1 = Parm1[2]
    3a10ee :4288 B : CMP R0, R1 // if (LocString2[2] != Parm1[2])
    3a10f0 :d117 . : BNE 3a1122 // goto Branch3
    3a10f2 :a800 . : ADD R0, SP, #0000 //
    3a10f4 :78c0 x : LDRB R0, [R0, #3] //
    3a10f6 :78f9 x : LDRB R1, [R7, #3] //
    3a10f8 :4288 B : CMP R0, R1 // if (LocString2[3] != Parm1[3])
    3a10fa :d112 . : BNE 3a1122 // goto Branch3
    3a10fc :a801 . : ADD R0, SP, #0004 //
    3a10fe :7800 x. : LDRB R0, [R0, #0] //
    3a1100 :7939 y9 : LDRB R1, [R7, #4] //
    3a1102 :4288 B : CMP R0, R1 // if (LocString2[4] != Parm1[4])
    3a1104 :d10d . : BNE 3a1122 // goto Branch3
    3a1106 :a801 . : ADD R0, SP, #0004
    3a1108 :78402800: : x@(. // ????? - probably a problem with the disassembler ...
    3a110c :d0ca : BEQ 3a10a4
    3a110e :a801 . : ADD R0, SP, #0004
    3a1110 :7840 x@ : LDRB R0, [R0, #1]
    3a1112 :7979 yy : LDRB R1, [R7, #5]
    3a1114 :4288 B : CMP R0, R1 // if (LocString2[5] != Parm1[5])
    3a1116 :d101 . : BNE 3a111c // goto Branch4
    3a1118 :2001 . : MOV R0, #1 // R0 = 1
    3a111a :e000 . : B 3a111e // goto Branch5

    Branch4

    3a111c :2000 . : MOV R0, #0 // R0 = 0

    Branch5

    3a111e :2800 (. : CMP R0, #0 // if (R0 != 0)
    3a1120 :d1c0 : BNE 3a10a4 // goto Branch1 (return(1))

    Branch3

    3a1122 :1c60 .` : ADD R0, R4, #1 // R0 = R4 + 1
    3a1124 :06040e24: AND R4, R0, #000000ff // R4 = R0 & #ff
    3a1128 :a802 . : ADD R0, SP, #0008 // R0 = &LocByte1
    3a112a :7800 x. : LDRB R0, [R0, #0] // R0 = LocByte1
    3a112c :4284 B : CMP R4, R0 // if(R4 == R0)
    3a112e :dbc4 : BLT 3a10ba // goto Branch6

    Branch7

    3a1130 :2000 . : MOV R0, #0 // return(0)

    Branch8

    3a1132 :b003 . : ADD SP, #000c // Liberate the 12 bytes on the stack
    3a1134 :bdb0 : POP { R4,R5,R7, PC } // Restore registers and return
    -----------------------------------------^ end routine
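    The control flow that the listing above reads as, reconstructed in C as an added illustration; this is neither the Treo firmware nor the poster's code, the decrypt routine and the table contents are constructed stand-ins, and the flag byte and the result of the call at 2587e8 are passed in as parameters since the page does not say what they hold. The shift-and-add sequence at the top of Branch6 is written out as the 6-byte table stride it computes.

```c
#include <stdint.h>
#include <string.h>
#define CODE_LEN 6  /* the listing copies, decrypts and compares 6-byte strings */

/* Constructed stand-in for the routine at 3a191e: the real transform is not on the
 * page, so a fixed XOR is used here only so the example runs. */
static void decrypt_data(uint8_t *buf, unsigned len)
{
    for (unsigned i = 0; i < len; i++)
        buf[i] ^= 0x5a;
}

/* Control flow of the listing. flag: the byte read at 7f<<15 (return 1 when zero).
 * routine1_result: what the call at 2587e8 returned (return 1 when nonzero).
 * enc_count: Ptr1->Byte1, the entry count, stored encrypted. table: the 6-byte entries at Ptr2. */
int sim_lock_check_network_lock(const uint8_t *parm1, uint8_t flag, int routine1_result,
                                uint8_t enc_count, const uint8_t *table)
{
    uint8_t loc_byte1 = enc_count;      /* the byte copied to SP+8 */
    uint8_t loc_string2[CODE_LEN];      /* the 6 bytes at SP+0 */
    if (flag == 0 || routine1_result != 0)
        return 1;                       /* Branch1 reached without any comparison */
    decrypt_data(&loc_byte1, 1);        /* DecryptData(&LocByte1, 1) */
    if (loc_byte1 == 0)
        return 0;                       /* Branch7 */
    for (uint8_t r4 = 0; ; ) {
        /* LSL #1, ADD R4, LSL #1 computes r4*6, the offset of entry r4. The three-argument
         * call at 3a6524 (dest, src, 6) is treated as a byte copy. */
        memcpy(loc_string2, table + r4 * CODE_LEN, CODE_LEN);
        decrypt_data(loc_string2, CODE_LEN);
        unsigned i = 0;
        while (i < CODE_LEN && loc_string2[i] == parm1[i])
            i++;                        /* the LDRB/CMP/BNE chain, leaving on first mismatch */
        if (i == CODE_LEN)
            return 1;                   /* all six bytes matched: Branch1 */
        r4 = (uint8_t)(r4 + 1);         /* ADD #1 then AND #ff (Branch3) */
        if (r4 >= loc_byte1)
            return 0;                   /* BLT not taken: Branch7 */
    }
}

/* Constructed sample data: entries "123456" and "ABCDEF" XORed with 0x5a, and a count
 * of 2 stored the same way (0x02 ^ 0x5a = 0x58). */
static const uint8_t g_table[] = { 0x6b, 0x68, 0x69, 0x6e, 0x6f, 0x6c,
                                   0x1b, 0x18, 0x19, 0x1e, 0x1f, 0x1c };
int example_check(const char *code)
{
    return sim_lock_check_network_lock((const uint8_t *)code, 1, 0, 0x58, g_table);
}
```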
  20. #200
    You guys are well beyond me. However, I would just like to remind you if you do manage to get the unlocking happening I will happily PAY!