  1. #121  
    Originally posted by Mol
    Could one of the Cingular unlocked Treo users try to run this program?
    sure:

    hser - as expected
    gmfl - GM
    hwvr - B
    prnm - Treo 600
    crnm - INT
    revn - 1.09
    GoUc - <undefined>
    GpUc - <undefined>

    Bill S
  2.    #122  
    Originally posted by Mol


    Did you try an unlock code after applying the upgrade? If so, does it happen to be 11111111?
    I believe so.

    I tried it again, first putting 22222222 as the unlock code, this generated ???????? (square) in the GoUc area.

    Then I tried putting 11111111 and that generated >>>>>>>>(square) in the GoUc area.

    Then I tried 33333333 and that generated @@@@@@@@(square) in the GoUc area.

    So now we know GoUc is the unlock code storage space, correct?
  3. #123  
    with all this effort into hacking the ROM, how about a simple brute force app that runs on the treo. My AT&T treo doesn't say anything except "the SIMLock on this device has NOT been removed" even after many many many repeated attempts with codes have been put in.

    If someone could code a prc that simply starts with the unlock sequence *#*#xxxxxxxx* and counts up from 0 all the way up - it could be a brute force attack and get the code. Once we have a few codes - maybe an algorithm could be made to get better on this prc.
  4. #124  
    Originally posted by nodeel
    with all this effort into hacking the ROM, how about a simple brute force app that runs on the treo. My AT&T treo doesn't say anything except "the SIMLock on this device has NOT been removed" even after many many many repeated attempts with codes have been put in.

    If someone could code a prc that simply starts with the unlock sequence *#*#xxxxxxxx* and counts up from 0 all the way up - it could be a brute force attack and get the code. Once we have a few codes - maybe an algorithm could be made to get better on this prc.
    Some phones will permanently lock after a certain number of unlock attempts have been made, to dissuade brute force attempts. I'd be very surprised if Handspring didn't anticipate such a simplistic hack attempt. They aren't stupid.

    This phone will be hacked because there are just too many backdoors to prevent it from happening. Using Handspring's own software updater will probably be the easiest method to use.
  5. #125  
    Originally posted by The Chupacabra


    Some phones will permanently lock after a certain number of unlock attempts have been made, to dissuade brute force attempts. I'd be very surprised if Handspring didn't anticipate such a simplistic hack attempt. They aren't stupid.

    This phone will be hacked because there are just too many backdoors to prevent it from happening. Using Handspring's own software updater will probably be the easiest method to use.
    I know I've read some threads where people have mentioned that Handspring did not build that capability into the Treo. Also, remember the threads where AT&T locked phones would return a false "the simlock was removed from this device" when actually they were still locked - a "fake" unlock. All I know is that I've tried about 30 codes in a row - not after resets...and my device is not rejecting further attempts. This leads me to believe that Handspring did NOT build in a brute force thwarting mechanism
  6. #126  
    Originally posted in the other unlock thread for AT&T phones...


    Some Now I am really hopeless! No working solution to unlock!

    So here is an idea ( to the programmers among us )

    All we need is a simple prc that would start automatically after every soft reset and then


    1) Turn on the wireless mode of the TREO 600
    2) Check the appearing dialog box's title bar ( SIM CARD NOT ALLOWED if phone is locked)
    3) if 2 is the case send the key sequence *#*#00000000# and then DIAL
    4) wait 5 sec and reset the phone
    5) restart from 1 ( step 3 will be then the next integer ) and so on

    It is the brute force method but it might work since I guess that there is no limit of unsuccessful attempts.

    It might sound pathetic but if someone can really program a little prc like that it is worth the try.

    Drmed
  7. #127  
    Originally posted by nodeel
    A sad tale of begging and desperation.

    And someone would spend hours trying to code this for you because...?
  8. #128  
    Originally posted by The Ugly Truth



    And someone would spend hours trying to code this for you because...?
    I'm not asking anyone to code it for me...it was a suggestion to the community. I however, can code this if someone can clue me on useful sites and API's for the Treo 600.
  9. #129  
    Originally posted by nodeel


    I'm not asking anyone to code it for me...it was a suggestion to the community. I however, can code this if someone can clue me on useful sites and API's for the Treo 600.
    So you wanna write an app, do you?

    Developers' area

    Handspring's developers' forum

    I'll expect you to have a polished app (Bruticus™ by nodeel) by Wednesday.




  10. #130  
    Originally posted by The Ugly Truth


    So you wanna write an app, do you?

    Developers' area

    Handspring's developers' forum

    I'll expect you to have a polished app (Bruticus™ by nodeel) by Wednesday.





    And I want it for free and with technical support 24/7/365.
  11. #131  
    Originally posted by vulcan
    So now we know GoUc is the unlock code storage space, correct?
    Yes, this seems correct. Mol and I exchanged a few emails yesterday evening, to experiment with one interesting finding I had done, but no luck so far...

    Anyway here's what I have found: the GoUc field is 9 bytes long, and the last character seems to always be a little square (0x0D in hexa).

    My GoUc starts with EEFE and my unlock code by 8898, so I decided to study this in depth.

    In fact the GoUc is exactly the same string as my unlock code, except that every byte has been added the 0x0D (14 in decimal) value.

    So, assuming that everyone has the same square character (0x0D in hex) as the last (ninth) character in his/her GoUc field, we have the following table:

    unlock code.......GoUc
    0........................=
    1........................>
    2........................?
    3........................@
    4........................A
    5........................B
    6........................C
    7........................D
    8........................E
    9........................F


    If you have an unlocked Treo 600, didn't play with the GoUc or the unlock code, and have forgotten the unlock code, maybe this can provide a way to get it back.

    The problem is that unless you have entered the right code, this value will certainly be useless...<sigh>

    Mol confirmed that reflashing the Treo using the updater will indeed erase this GoUc field, so if we start with an empty field it isn't helping much to unlock the phone!
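
Added example, not part of any post in this thread: a Python sketch of the GoUc storage scheme that posts #122 and #131 describe, deriving the per-byte offset from the code/field pairs reported there and decoding a 9-byte field. Treating the trailing 0x0D as a shifted NUL terminator is an assumption, and the function names are hypothetical. It shows why a constant byte offset is obfuscation rather than protection for a stored secret: one known pair reveals the whole transform.

```python
# Added example: models the GoUc encoding described in the thread.
# OBSERVED is constructed from the entered-code / displayed-field pairs
# reported in post #122 (the trailing "square" byte is left out here).
OBSERVED = {
    "11111111": ">>>>>>>>",
    "22222222": "????????",
    "33333333": "@@@@@@@@",
}


def derive_offset(pairs):
    """Return the one byte offset that explains every pair, or raise."""
    offsets = set()
    for plain, stored in pairs.items():
        if len(plain) != len(stored):
            raise ValueError("pair lengths differ")
        offsets.update((ord(s) - ord(p)) % 256 for p, s in zip(plain, stored))
    if len(offsets) != 1:
        raise ValueError(f"not a constant offset: {sorted(offsets)}")
    return offsets.pop()


def encode_gouc(code, offset):
    """Shift 8 ASCII digits plus an assumed NUL terminator by offset."""
    if len(code) != 8 or not (code.isascii() and code.isdigit()):
        raise ValueError("unlock code must be 8 ASCII digits")
    return bytes((b + offset) % 256 for b in code.encode("ascii") + b"\x00")


def decode_gouc(field, offset):
    """Recover the digits from a 9-byte field; reject anything else."""
    if len(field) != 9:
        raise ValueError("GoUc field must be 9 bytes")
    raw = bytes((b - offset) % 256 for b in field)
    if raw[-1] != 0 or not raw[:8].isdigit():
        raise ValueError("field does not hold an encoded 8-digit code")
    return raw[:8].decode("ascii")


if __name__ == "__main__":
    off = derive_offset(OBSERVED)            # 0x0D, i.e. 13 decimal
    sample = encode_gouc("88980000", off)    # constructed code; prefix from #131
    print(hex(off), sample, decode_gouc(sample, off))
```
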
  12.    #132  
    Hmm, just had another thought, wonder where the routine is stored to check the unlock code?

    I remember on Windows XP there was a program that uses Windows own codecheck to brute force for valid serials. IE, you find the routine, extract it to your own software, run it on a palm emulator and let it brute force every combination through.

    Oh, and motivation for capable programmers... if gsmlocker.com can get US$100 imagine how much you could get? Wouldn't take much more than a paypal account and you'd earn a good amount of $$$.
  13. #133  
    >>The problem is that unless you have entered the right code,
    >>this value will certainly be useless...<sigh>

    This is like p2k motorola(330,350,450....), you can see code with service program only if phone is already unlocked....

    >>I know I've read some threads where people have mentioned
    >>that Handspring did not build that capability into the Treo. Also,
    >>remember the threads where AT&T locked phones would
    >>return a false "the simlock was removed from this device"
    >>when actually they were still locked - a "fake" unlock. All I
    >>know is that I've tried about 30 codes in a row - not after
    >>resets...and my device is not rejecting further attempts. This
    >>leads me to believe that Handspring did NOT build in a brute
    >>force thwarting mechanism

    maybe, maybe not, some phones, after entering bad codes, won't
    accept right code...(for motorola after entering bad codes you must wait 45 min. to try again, nokia after trying 5 codes (bad), it can't be unlocked via keyboard, only cables...)
    Last edited by atari; 01/11/2004 at 04:34 AM.
  14. #134  
    This thread gets more interesting by the minute....
    Thanks for all the combined efforts to find a solution to this.

    In the meantime, as everyone else on this forum (or owner of a locked Treo) probably, I have done tons of other searches. In one of the zillion threads, I found a link to a Canadian company that does unlocking. I called them up and they said they were very close to have the unlocking solution for the Treo 600. They currently do not offer it (as other scammers do out there) so let's see how serious they are. They had the unlocking done for the Palm Tungsten W and said they were hours away from having it for the Treo 600.

    So... let's see if the results of the combined brain power here and other companies out there trying to get it done.

    Thanks guys!!!

    -MrByte

    -----
    A happy Treo 600 user (but stuck with AT&T....)
  15. #135  
    Originally posted by euroclie


    Yes, this seems correct. Mol and I exchanged a few emails yesterday evening, to experiment with one interesting finding I had done, but no luck so far...

    Anyway here's what I have found: the GoUc field is 9 bytes long, and the last character seems to always be a little square (0x0D in hexa).

    My GoUc starts with EEFE and my unlock code by 8898, so I decided to study this in depth.

    In fact the GoUc is exactly the same string as my unlock code, except that every byte has been added the 0x0D (14 in decimal) value.

    So, assuming that everyone has the same square character (0x0D in hex) as the last (ninth) character in his/her GoUc field, we have the following table:

    unlock code.......GoUc
    0........................=
    1........................>
    2........................?
    3........................@
    4........................A
    5........................B
    6........................C
    7........................D
    8........................E
    9........................F


    If you have an unlocked Treo 600, didn't play with the GoUc or the unlock code, and have forgotten the unlock code, maybe this can provide a way to get it back.

    The problem is that unless you have entered the right code, this value will certainly be useless...<sigh>

    Mol confirmed that reflashing the Treo using the updater will indeed erase this GoUc field, so if we start with an empty field it isn't helping much to unlock the phone!
    Looks like the firmware procedure is basically this:

    * using the Tokenwriter, read and write tokens. You can see the TokenWriter at work at some point during the process - I need to record it with a video because it's only visible for a split second.
    * savesimlock and save the Mini param db. This doesn't seem to work correctly in the current firmware upgrades: it doesn't save the GoUc parameter, i.e. the unlock code.
    * install firmware and ROM
    * restoresimlock, but since nothing appears to be saved this doesn't do anything.

    The only "easy" option I see is to find the flag or value that is used on the Cingular version for the unlock status. From the list of tokens posted by tvBilly (thx for that) we can see that they don't have any unlock code and so there must be some flag somewhere else that is defining the unlocked-by-default status.
  16. #136  
    I thought I'd post the list of commands that I've found in the DeviceCustomizer.prc in Advanced Mode.

    savesimlock Always results in "Saving SIM Lock Database...Success!" but no file

    restoresimlock Always results in "Restoring SIM Lock Database...Success!".

    creatert Creates a ROM Token database on the Palm Card. The created ROM Tokens.pdb contains the prnm, crnm and revn (see the token list of the TokenWriter.prc)

    savetrace Creates a HSTraceDatabase.pdb on the Palm Card. The database contains everything you've entered, plus more information about the actual functions that are being called. This looks like something that might be interesting for the real Palm developers (not me)

    restoretrace Causes a reset on my Treo

    savestate Always results in "Saving DC State...Error 0x102D016A"

    checkstate Always results in "Saved State Status: Not Saved"

    restorestate Causes a reset on my Treo

    download Says something about downloading an XMODEM file.

    createcp Creates a CDMA Params.pdb on the Palm Card. On my GSM Treo the generated file contains the crnm INT and something like DATA CDPW.

    That's all for now.
  17.    #137  
    I'm really curious as to why they store the unlock code. One would normally assume the unlock code is used to unset a simlocked flag somewhere.

    Unless the unlock code stored in GoUc is used to regularly check the simlock status. ie, every time the radio is turned on GoUc is checked against a ROM algorithm vs the IMEI. Perhaps the sim locking on AT&T phones is even hardwired into the phone ROM?

    OK how about this:
    - we can write to the GoUc token
    - there is an AT Command that returns (AT+CLCK iirc)

    Write a routine that tries every combination to the GoUc token and use the AT+CLCK command to check the simlock status?
  18. #138  
    Originally posted by vulcan
    I'm really curious as to why they store the unlock code. One would normally assume the unlock code is used to unset a simlocked flag somewhere.

    Unless the unlock code stored in GoUc is used to regularly check the simlock status. ie, every time the radio is turned on GoUc is checked against a ROM algorithm vs the IMEI. Perhaps the sim locking on AT&T phones is even hardwired into the phone ROM?

    OK how about this:
    - we can write to the GoUc token
    - there is an AT Command that returns (AT+CLCK iirc)

    Write a routine that tries every combination to the GoUc token and use the AT+CLCK command to check the simlock status?
    Not sure what you mean by the AT command and what it should return. Could you please give a bit more details? TIA.
  19.    #139  
    Turn on the wireless mode of your treo, plug it into a serial data cable, start up a terminal program on your pc (like Hyperterminal), use 115kbps for the speed.

    On your treo dial #*TETHERED# (#*8384373#). This puts your treo into a 'modem' like state. From the terminal program type AT+CLCK.

    This document has info on most of the AT commands : http://ftp.k2.net/misc/gsm-at.pdf
  20. #140  
    I am actually surprised by the progress made!

    I believe we are very close to the solution. It might be either
    a) write a short Window program to send brute force code to Treo and read back the locking status (using AT command)
    b) write a short prc program to do the same (using AT command)

    Just want to keep this thread at the top so we don't lose attention.