  1.    #1  
    OK, so far it seems we're all going around in circles here trying to unlock the Treo 600.

    What do we know so far:
    - IMEI based unlock providers have failed to unlock AT&T phones
    - Other carriers have provided unlock codes based on the IMEI
    - one site is claiming it's done via a 'data' cable (assumed to be a serial cable)
    - AT&T use a carrier code of 310380, and possibly HsNC

    From my point of view it appears the unlocking crowd have been unable to break the IMEI -> Unlock Code encryption for the Treo 600. In fact I even wonder if the software received from the likes of gsmunlocker.com will in fact be a serial-port-based brute-force unlocker (i.e. it tries every combination).

    It seems to me that somewhere in the Treo the code for AT&T must be stored (i.e. 310380). Where is that? Is there a special register within the phone side? Or is there merely a file we rip out, update with our local carrier's code using a hex editor, and rewrite to flash?

    My first question is how do I get the flash files out of the Treo 600? BackupBuddy says it cannot access OS5 flash, and JackSprat says it can't see my Treo 600's flash?
  2. #2  
    You can use Filez to copy the flash content to your SD card.

    I used palmdeMON and disassembled phone.prc and I think I saw a SIM unlock function. Interesting. Good luck!

    PRCExplorer is another useful tool
  3. #3  
    OK
    Please excuse my ignorance.
    Can someone point me toward a primer explaining why I may want to unlock my Treo 600 GSM?
  4. #4  
    Didn't see the other post about the company that will charge you a fee for the unlock code.

    But as that company exists I think it rules out the idea that it's in the ROM somewhere.

    I suspect an algorithm is used to derive the unlock code from the IMEI number.

    The carriers should do it for you, but they take their time about it.

    Last year I unlocked a tMobile Treo 180.

    Process was simple, but time consuming. Because it takes so long to unlock a phone you must have an account with the carrier doing the unlocking.

    Call your carrier's CSR, tell them you need to remove the subscriber lock from your phone.

    They will ask for several items of information including the IMEI number.

    Next you wait. tMobile claimed they had to send the info back to HandSpring who would then send them the unlock codes. Each code is unique to each phone. tMobile contacted me by SMS when they received the code from HandSpring. tMobile said it would take 10 days and it did.

    I called tMobile CSR, they walked me through the unlock process.

    While inconvenient, it was painless. Also it was kinda cool going into an AT&T store and popping the salesclerk's SIM into my phone and having everything work.

    My unlocked GSM Treo worked on tMobile, Cingular, and AT&T with no issues.
    Last edited by dgoodisi; 01/04/2004 at 12:07 AM.
  5. #5  
    Originally posted by dgoodisi
    Last year I unlocked a tMobile Treo 180.

    .....
    I forgot to make it clear, you must have an active account with the carrier that has the subscriber lock. If it's a tMobile phone, call tMobile, Cingular phone call Cingular, etc.

    You can't buy a Cingular phone and expect tMobile to unlock it. Cingular must do it, and of course they have to be willing.
  6. #6  
    Originally posted by lvidx
    OK
    Please excuse my ignorance.
    Can someone point me toward a primer explaining why I may want to unlock my Treo 600 GSM?
    So you can take your $500 phone with you when you change carriers.
  7.    #7  
    Well, I'm getting in way over my head now. I did some mucking around and found what appeared to be the CDMA code embedded in the phone.prc file and the GSM code in GSMLibrary.prc.

    Among the stuff was this gem. Now, it's a long time since I've done assembler; does this look close to what we're after?
    ; ---------- FUNCTION IsAWSSim(struct, struct, struct, byte)
    ;
    ; local struct sVar_07 = -$7(a6)
    ; local byte bVar_08 = -$8(a6)
    ; local word wVar_0A = -$A(a6)

    IsAWSSim:
    00010816 4E56 FFF4 link.l a6, #-$C
    0001081A 3D7C 0007 FFF6 move.w #$0007, wVar_0A
    00010820 6100 D472 bsr.w GsmGlobalsGet
    00010824 42A7 clr.l -(a7)
    00010826 42A7 clr.l -(a7)
    00010828 486E FFF6 pea.l wVar_0A
    0001082C 486E FFF8 pea.l bVar_08
    00010830 2068 05B2 move.l $5B2(a0), a0
    00010834 4E90 jsr.l (a0)
    00010836 4A40 tst.w d0
    00010838 6652 bne.s loc_1088C
    0001083A 122E FFF8 move.b bVar_08, d1
    0001083E 0C01 cmp.b #$1, d1
    00010840 0033 6648 or.b #$33, $48(a3, d6.w)
    00010844 102E FFF9 move.b sVar_07, d0
    00010848 0C00 cmp.b #$0, d0
    0001084A 0031 6610 or.b #$31, $10(a1, d6.w)
    0001084E 0C2E 0030 cmp.b #$2E, $30(a6)
    00010852 FFFA DC.W #FFFA
    00010854 6608 bne.s loc_1085E
    00010856 0C2E 0033 cmp.b #$2E, $33(a6)
    0001085A FFFB DC.W #FFFB
    0001085C 671C beq.s loc_1087A
    loc_1085E:
    0001085E 0C01 cmp.b #$1, d1
    00010860 0033 6628 or.b #$33, $28(a3, d6.w)
    00010864 0C00 cmp.b #$0, d0
    00010866 0031 6622 or.b #$31, $22(a1, d6.w)
    0001086A 0C2E 0030 cmp.b #$2E, $30(a6)
    0001086E FFFA DC.W #FFFA
    00010870 661A bne.s loc_1088C
    00010872 0C2E 0039 cmp.b #$2E, $39(a6)
    00010876 FFFB DC.W #FFFB
    00010878 6612 bne.s loc_1088C
    loc_1087A:
    0001087A 0C2E 0038 cmp.b #$2E, $38(a6)
    0001087E FFFC DC.W #FFFC
    00010880 660A bne.s loc_1088C
    00010882 7001 move.l #$1, d0
    00010884 0C2E 0030 cmp.b #$2E, $30(a6)
    00010888 FFFD DC.W #FFFD
    0001088A 6702 beq.s loc_1088E
    loc_1088C:
    0001088C 4240 clr.w d0
    loc_1088E:
    0001088E 4E5E unlk.l a6
    00010890 4E75 rts
    00010892 8849 or.w a1, d4
    00010894 7341 DC.W #7341
    00010896 5753 sub.w #$3, (a3)
    00010898 5369 6D00 sub.w #$1, $6D00(a1)
    0001089C 0000 or.b #$0, d0
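    The listing can be re-decoded from its raw words to check what the routine actually compares. The following is an added example, not code from the original post: it handles only the 68000 opcode forms that occur between 0001083A and 00010890, with the addresses and hex words copied from the listing above.

```python
# Added example, not from the original post. The poster's disassembler fell out of
# sync after each CMPI (it prints 0C01 as "cmp.b #$1,d1" and the immediate word
# that follows as an "or.b"), so this re-decodes the raw words of the listing.

# Instruction words copied from the IsAWSSim listing above, starting at 0001083A.
LISTING = """
122E FFF8 0C01 0033 6648 102E FFF9 0C00 0031 6610 0C2E 0030 FFFA 6608
0C2E 0033 FFFB 671C 0C01 0033 6628 0C00 0031 6622 0C2E 0030 FFFA 661A
0C2E 0039 FFFB 6612 0C2E 0038 FFFC 660A 7001 0C2E 0030 FFFD 6702 4240 4E5E 4E75
"""
WORDS = [int(h, 16) for h in LISTING.split()]
BASE = 0x1083A
FIXED = {0x4240: "clr.w d0", 0x4E5E: "unlk a6", 0x4E75: "rts"}   # one-word opcodes in the tail

def s16(w): return w - 0x10000 if w & 0x8000 else w   # sign-extend a 16-bit displacement
def s8(b): return b - 0x100 if b & 0x80 else b         # sign-extend an 8-bit branch offset

def decode(words=WORDS, base=BASE):
    """Return [(address, mnemonic)] for the opcode subset used in the listing."""
    out, pc, i = [], base, 0
    while i < len(words):
        w, at = words[i], pc
        if w >> 8 == 0x0C:                          # CMPI.B #imm,<ea>: 0000 1100 00 mmm rrr
            imm, mode, reg = words[i + 1] & 0xFF, (w >> 3) & 7, w & 7
            ea, n = (f"d{reg}", 2) if mode == 0 else (f"{s16(words[i + 2])}(a{reg})", 3)
            out.append((at, f"cmpi.b #${imm:02X},{ea}"))
        elif w & 0xF1FF == 0x102E:                  # MOVE.B d16(a6),Dn
            out.append((at, f"move.b {s16(words[i + 1])}(a6),d{(w >> 9) & 7}")); n = 2
        elif w >> 8 in (0x66, 0x67):                # BNE.S / BEQ.S, target = PC + 2 + disp8
            cc = "bne" if w >> 8 == 0x66 else "beq"
            out.append((at, f"{cc}.s ${at + 2 + s8(w & 0xFF):X}")); n = 1
        elif w & 0xF100 == 0x7000:                  # MOVEQ #imm,Dn
            out.append((at, f"moveq #{s8(w & 0xFF)},d{(w >> 9) & 7}")); n = 1
        else:
            out.append((at, FIXED.get(w, f"dc.w ${w:04X}"))); n = 1
        pc, i = pc + 2 * n, i + n
    return out

def compared_chars(decoded=None):
    """Map each local byte slot (offset from a6) to the ASCII characters it is compared with."""
    regs, slots = {}, {}
    for _, text in decoded or decode():
        if text.startswith("move.b"):               # note which a6 slot a data register now holds
            src, dst = text[7:].split(",")
            regs[dst] = int(src.split("(")[0])
        elif text.startswith("cmpi.b"):
            imm, ea = text[7:].split(",")
            slot = regs[ea] if ea.startswith("d") else int(ea.split("(")[0])
            slots.setdefault(slot, set()).add(chr(int(imm[2:], 16)))
    return dict(sorted(slots.items()))
```

    decode() prints the corrected listing; compared_chars() shows the six bytes at -8(a6) through -3(a6) are matched against the digit strings 310380 or 310980, the first of which is the AT&T carrier code cited in the opening post.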
  8.    #8  
    Forgot to say, it looks to me like the AT&T Treos are hardwired in the ROM to look for AT&T SIMs?

    So the question is can we get an unlocked Treo's gsmlibrary.prc file?
  9. #9  
    The most wanted topic, let's keep it up!!!
  10. #10  
    So the question is can we get an unlocked Treo's gsmlibrary.prc file?
    I have GSMLibrary.prc from an unlocked Cingular T600 (upgraded to 2.08 fw and 1.09-INT sw) but cannot post it because it is too big (215 KB). I also have 5 small files named GSMLibrary_enUS.prc and similar. PM me if you want it.
  11. #11  
    Please keep me updated if this experiment works. Can you send the unlocked GsmLibrary.prc file across?

    Cheers,
    Vishal
    vishal@talrejas.com
  12. #12  
    Originally posted by vulcan
    Well, I'm getting in way over my head now. I did some mucking around and found what appeared to be the CDMA code embedded in the phone.prc file and the GSM code in GSMLibrary.prc.

    Among the stuff was this gem. Now, it's a long time since I've done assembler; does this look close to what we're after?
    I have a second-hand Sprint Treo 600 these days. I am in China, trying to use the T600 on the China Unicom CDMA network (the only CDMA network in China). Unicom's CDMA phones are unique: the phone is separate from a SIM-like card, like a GSM phone. It seems I need to "unlock" the Sprint T600. Please tell me whether the above messages are useful for "unlocking" the Sprint 600 in China?

    When I power on the T600, it displays "roaming" at my home, and I can get phone info through the option menus. It looks like this:

    PHONE NUMBER:91xxxxxxxx(ten digit number)
    pcs vision:dmw3
    Username (blank)
    ESN: G600B4D5A
    Software:Treo600-1.0-SPR
    Hardware:B
    HS SN:HBSAD3411A00F
    PRL REV:10020
    PRI CHECKSUM:0X8d39

    When I power off the T600, it shows only:
    Software:Treo600-1.0-SPR
    Hardware:B
    HS SN:HBSAD3411A00F

    Other lines are blank.

    ----
    I noticed that gsmlocker.com can now "unlock" the Sprint T600, but I am not sure whether the "unlocked" Sprint T600 can be used on a GSM network, or whether it can be used only on China Unicom CDMA. But gsmlocker.com doesn't provide an option like the China Unicom CDMA network. It confused me so much. Please tell me how I can do this with the Sprint 600 in China. Thanks.
  13. #13  
    Hi,

    Thanks for sending the unlocked GSMLibrary.prc file. How does one write this back into the ROM? Would a normal HotSync do the trick or would that go only to the RAM?

    Please post your experience and I shall follow by example...let's hope this unlocks the Treo from AT&T's slavery.

    Cheers,
    Vishal
    vishal@talrejas.com
  14. #14  
    A normal HotSync will not do it. Sorry, but you have reached the limit of my technical ability. It goes without saying, but you run the risk of seriously messing up your Treo if you start playing around with settings files without knowing what you are doing.
  15. #15  
    For everyone not following the unlocking thread, please read before posting.


    http://discussion.treocentral.com/tc...-t43864/s.html

    Every normal attempt has been made to unlock the Treo 600, without success.
    Last edited by tinomen; 01/05/2004 at 02:43 PM.
  16.    #16  
    Bad news. The gsmlibrary.prc is exactly the same on both the unlocked and locked Treo 600 (I did a file compare). So the unlocking data is somewhere else.
  17. #17  
    I think the idea is to re-do the unlocking code itself.

    Similar to breaking the old copy-protection schemes used in game software - simply "patch" the software so it THINKS it has been correctly run.
  18. #18  
    Hi guys,

    Very interesting stuff, probably all together we will sort things out.

    To be honest: I think we have to focus on all files starting with "Phone". In my locked Orange UK Treo 600 I see several resource DBs starting with "Phone_ORNG". I guess all of you have similar ones.

    Maybe it's the case that those files contain unlock info, referred to by the "Phone" application?
  19. #19  
    Similar to breaking the old copy-protection schemes used in game software - simply "patch" the software so it THINKS it has been correctly run.
    I agree with you: the part which gets modified when you enter the unlocking code is probably in FlashROM so that it survives a hard reset (I've performed a few hard resets on my device already, and it's still unlocked).

    So I see two possibilities:

    1) The unlocking utility in ROM just checks that the unlocking code matches the IMEI number, and if this is the case, the sim-locking status is changed in FlashROM. In this case, it's "only" a matter of locating the FlashROM area involved, and finding the "unlocked" status correct value to modify similarly another Treo 600.

    2) The sim-locking status in FlashROM is not in a "simple" format, i.e. there is a value in there which is the result of the IMEI number and unlocking code with some maths involved, and as such even if we could somehow locate and grab the appropriate part of the FlashROM, it wouldn't be usable on another Treo 600.

    I do hope that we are in case #1, but I won't hold my breath...

    Does anyone know where in the address space the phone firmware is located?
  20. #20  
    To access the info you are looking for, you have to get your hands on the SIAM firmware upgrade and extract the file named DeviceCustomizer.prc (or something like that ... don't have my Treo here ...). You can do that by performing the SIAM upgrade procedure from an SD card and cancelling it before running the flash operation: before saying yes when asked if you want to apply the HS_Engineering script (scenario file).

    This prc contains code that reads and restores a series of parameters before and after the flash is overwritten. A part of the information is referred to as SimLockDB ... I think the DeviceCustomizer.prc is using the scenario file (which you can extract as well). A quick look at the assembly tells me that this scenario file contains a flag telling it whether or not to perform a restore of the SimLockDB after the flash operation...

    In the PRC you have two calls: SimLockSaveDBToSD and SimLockRestoreDBFromSD, without parameters. They perform a save of the SIMLockDB to a file on the SD card before the flash operation and restore it from this file after the flash operation (look at the disassembly of the code).

    The next step is to make a small prog that will embed SimLockSaveDBfromSD-like code, ask people to send the resulting file, and try to understand the SimLock database format.

    The question is: what happens if this info is not restored / badly restored? Does this leave the phone in an unstable state? Is this info encrypted with the IMEI, etc.? Sadly I have no time to dig into that and make the prog from the two calls ...

    Once that has been done it would be a matter of writing back unlocked data using a prog embedding SimLockSaveDBfromSD. Or maybe only changing a flag in the scenario file ...

    FrenchFries