I have developed a method to *SIM* unlock the StarTrek. It works fine, see here.
I will not develop a program to find the codes. There are a couple of reasons: there are people who will use my sw to rip off users on e.g. eBay; I have too little time to do the development; HTC wouldn't like the idea of me publishing a program using their intellectual property.
To find unlock codes, I'm running firmware code in an ARM simulator. It takes about an hour to find the code and it's quite a laborious and delicate task to set it all up.
So I'm currently unlocking startrek, excalibur, vox and oxygen phones on a case-by-case basis. Contact me by PM and I will make you a reasonable offer.
You will have to send me 2 files which allow me to find your unique unlock code. See description below.
Make sure your phone is application unlocked before carrying out these steps. In this post you find a simple description and program to do that.
1. run:
Code:
pmemdump -a 0xB002709C 16 docid.bin
This creates a binary file docid.bin. The tool pmemdump is part of the itsutil toolset by itsme, download here
2. run:
Code:
pdocread -n 1 0x000000 0x20000 -b 0x4000 simlock.bin
This creates a binary file simlock.bin. The tool pdocread is also part of the itsutil toolset by itsme.
Zip both files (docid.bin and simlock.bin) and email them to me. Contact me by PM first to get my email address.
EDIT
To easily produce the files unzip the attached Simlock kit on your PC and run simlock.bat (you should have an Activesync connection via USB cable). Two files are produced in the subfolder "1": docid.bin and simlock.bin.
unlock strtrk
sent u a PM
ericharlz said:
sent u a PM
guys is it possible to unlock this phone? (free)
kayawu said:
guys is it possible to unlock this phone? (free)
don't think so.. no one published a free unlocker for this product yet..
Can a free tutorial be given? Is that possible?
Just got my startrek sim unlocked, thanks JockyW!
i pm'ed you
unlock possible?
Hi folks,
here are my files, is the unlock possible?
unlock my startrek
Hi Folks,
is there really nobody who can help to unlock my startrek??
Just got my unlock code. Worth the $25. Other places want $40-50 and take 24-72 hours, possibly telling you "Not Found" as was my reply from 2 vendors. JockeyW not only verified he could get the code before taking my money, I got the code very quickly. Thanks!
In case anyone is interested, I used this eBay vendor's service to unlock my HTC 3125. It cost $10, I got my code in an email the same day, and worked fine.
http://myworld.ebay.com/thecellshop
hello my simlock data
my simlock data please help me
If you just call ATT and ask, they will give you the unlock codes for free. I've done this twice with absolutely no problem, even told them I was a tmo user.
Hi!
Is it possible somehow to check the simlock operator?
I need it, thanks
thompsd said:
If you just call ATT and ask, they will give you the unlock codes for free. I've done this twice with absolutely no problem, even told them I was a tmo user.
Confirmed that this works. As long as the device has not been reported stolen they will give you the unlock codes. If they don't, call again, sometimes you need to get the right person.
ahmedao1 said:
my simlock data please help me
IMEI: 35816700297588
NCK CODE: 25108057
Br
Thanks, JockyW. The unlock code was just what I needed.
jockyw2001 said:
I have developed a method to *SIM* unlock the StarTrek. It works fine, see here.
[...]
hi, can I have your email
hey my friend.
here's my "simlock.bin", thank you very much. View attachment 1.rar
my e-mail address:[email protected]
please help my 3100
hi
hi to all! can somebody help me to unlock my cingular htc 3125 because I haven't been able to use it for almost a year.. here is my imei: 358167002419914
thank you guys!
Related
OK IMEI-CHECK charge £20 to unlock the phone, and I say fair enough. Why am I posting this? Did you know that their method is probably writing a NEW locking code using some other algorithm? If you run their software, it will inflate and write (about 4K of data if I remember correctly) in the part of the Radio ROM where you only get access from the bootloader (memory address h'0' to h'10000'). Now here's the thing: I bet if I call T-Mobile and ask for the unlocking code, it won't work in my phone, as these guys are actually modifying the Radio ROM without even telling you. Have you guys thought about insurance? For those who don't pay £9.99 or whatever extra cover, what if your pricey and precious PDA goes bonkers? I think they should tell you *before* doing anything about any possible problems.
Come on you guys, someone said he has compiled a few logs/imei numbers. Let's crack this thing, it has been done before for xda I and II, why can't we do it for IIs/IIi?
If that's the case, then I wonder what's in those .uif files they ask you to send back to them? Could it be a backup of the sections of the radio ROM that they're replacing?
Also, if they're writing a fixed set of data to the radio ROM, how come everyone seems to have different unlock codes? Could they be replacing the actual algorithm that calculates the unlock code so that it only accepts certain combinations of codes from them?
-no1
Just had another thought - what if they're replacing code in the radio ROM with code from the Himalaya so that the unlock process then works in the same way as the Himalaya?
Has anyone tried using the xda2unlock tool after running the program from IMEI-Check??? I can't test this just now, so it's just a guess.
-no1
Could they be replacing the actual algorithm that calculates the unlock code so that it only accepts certain combinations of codes from them?
Yes I believe that's what they actually do. I tried to run their utility with a debugger but it does not allow execution as long as a debugger is running, nice one IMEI-CHECK. However, I have done a full USB port logging when the utility runs and I found out that they write a new image between addresses 0 and 10000 of the radio rom, and that they also read from 3FC000 the first 4000 bytes, and from FFFEF000 the first 20 bytes.
Yesterday I discovered something odd...after running their application, and inserting a different SIM card, the attempts counter for the unlocking code had a negative value of several millions. Now I suspect that by writing in addresses 0-10000 they replace the default unlocking utility which allows you to enter the code.
Another idea I will try will be to run a debugger in the PDA (if I can find one) and see if I can capture the memory address with which it compares the input code.
Come on guys, especially you who did the unlocking utility for XDA II!! Give us some help here!!!!
Zouganelis,
That's excellent that you've been able to sniff the USB traffic. Keep up the investigations!
I wonder why they'd need to read sections of the ROM? If they're replacing the calculation algorithm section of the ROM with their own code, then they should already know how to calculate the unlock code - i.e. they shouldn't need the user to send them back the .uif file.
This makes me wonder if the code they are replacing is just a copy of the code from another device e.g. the Himalaya.
If they are replacing with code from the Himalaya then the unlock process may revert back to how it works on the Himalaya.
Has anyone been able to test this by running the xda2unlock tool for the Himalaya *after* running the IMEI-Check program?
Does anyone have the source code for xda2unlock by the way? I tried searching for it, but it doesn't seem to be available.
-no1
Another thing, does anyone know if it's possible to back up and restore this secret area of the radio ROM using the backup to SD method? I assume that when you dump your radio ROM to SD card it's not including this part of the ROM???
I want to be able to fully restore any bits that the IMEI-Check tool is changing, just in case.
-no1
Come on guys, anyone else trying to crack this thing? We need someone who knows how to disassemble/reverse engineer this log file. It can't be that hard! Also, I think the key to understanding what their little proggy does is to manage to run a debugger when the unlock program runs. It has some mechanism of detecting a running debugger and it quits if you have a debugger running at the same time. I bet my MDA III that some experienced programmer can overcome this and fool their application? I am running out of ideas guys and I am really against paying these thieves 20 quid for nothing. They MUST have done this using the previous unlocking methods for XDA I and II. Does anyone know who did those unlocking utilities? These guys must help us!!!
Have you tried to run OllyDbg as a debugger tool to see what is happening? Your earlier findings were very interesting...let me study this and get back to you all...
One remark upfront though: I do not think they are modifying your Radio ROM....this would mean that if you upgrade/replace your current Radio ROM, you would be SIM-lock free...and I do not think that is the case...
OK, some initial observations:
1. Lousy software...hard to use for novices...why have the phone enter BL mode automatically (using enterBL.exe)...I think we can do better!
2. Since the phone must be in BL mode, I do think it extracts some info from the radio ROM, but the SIM-Lock could also reside in the Extended ROM, since this is usually customized by the provider?
3. Interesting to see that the same proggie and procedure is used for all XDA-X models
4. Can anyone post a file (output of the proggie) of what they have mailed these folks, as an example?
5. I was always under the impression that the SIM-Lock resides in the SIM itself, so this is a software workaround? What happens if you upgrade your ROMs...you need to go through this process again? Does anyone have experience with this?
Thanks, and let's get this thing cracked!
HappyGoat,
My understanding is that SIM lock is implemented by the phone itself rather than the SIM card.
In the case of our HTC devices, there seems to be a small area of the radio ROM that does not get written to (even when you upgrade your ROM). This area is where the SIM lock is located, and probably other information such as your IMEI number.
This is probably why your IMEI and SIM lock information never get replaced when you upgrade your ROMs. I seem to remember that an older version of the xda2unlock tool was able to change your IMEI number but it got pulled for legal reasons.
When I unlocked my Himalaya, it stayed unlocked even after later upgrading the ROMs, so the state of the SIM lock is being stored somewhere. It can't be on the SIM because what if you change your SIM after you unlock it? The phone would need to be able to read your old SIM to check if the phone is locked!
Zouganelis,
Have you got any idea if it's possible to back up the areas of the radio ROM you mentioned to SD card? Like the current SD card backup method, but getting ALL of it?
-no1
Happygoat and no1,
I am pretty sure they write to the radio ROM some data they inflate from their "unlocking" executable file. How do I know this? Well, when I put a different SIM into my XDA IIs, after I enter the PIN code, the simlock application comes up (simlock.exe under \windows\) which checks for the correct unlocking code. Now usually you have 3 attempts available to do this, before the phone locks and says "contact customer services" or whatever. After I ran their application, the counter had a value of -2 billion or something, making it impossible to lock it. Interestingly enough, the memory addresses to which they WRITE are between 0 and 10000. Is it a coincidence the simlock.exe application is 10.5kB? I don't think so!! I think they write their own simlock application to reset the counter, and then they read from 3FC000 the first 4000 bytes, and from FFFEF000 the first 20 bytes. The simlock code MUST be here!! I will post the log from the USB port sniffing tomorrow, as I don't have these files right now. It's pretty obvious to see how the bootloader works. Anyone with past experience especially with CE based devices will be able to figure out how to read these last two chunks of the radio ROM.
Here's a link with some interesting files, RED has posted in the past:
http://www.pgwest.com/phone-files/
Username: xda
Password: blueangel
I do agree with no1 regarding the simlock, I think this is exactly the way it works.
no1, I don't know how to do any backup to the SD card, but if you really know what you are doing in the bootloader, try reading from the memory addresses I mentioned earlier.
Keep it up guys, i think we know what their software does, we now need to find out how to read properly the output log.
Regards,
Zouga
Hi zouganelis and no1,
Thanks for the explanations and comments...all makes sense to me now, excellent.
Zouganelis, thanks for the website...that is the stuff I was looking for, cheers!
I do indeed think we are close...will report back later.
So... if they need the .uif file AND the IMEI number, could it just be a case of using the IMEI code to decrypt the contents of the .uif file? In other words the IMEI code is the decryption key??? But what kind of encryption are they using?
I think they used simple XORing in the past for encrypting the radio, OS, and extended ROMs, but this changed slightly for the Blueangel. I wonder if they used a similar method?
-no1
Interesting thought...and a simple one...which explains they can turn around a request so quickly...
You might be correct...the IMEI could bear the encrypted code for simlock or not. Nowadays, encryption standards are:
DES
MD5
SHA
DES is relatively easy to "crack", SHA being the hardest...they are one-way encryptions, which means they cannot be reversed. The only way to get a match is to try...I have numerous proggies for this and will explore this option...
OK, did some more googling, found the following. There appear to be only 3 companies or people who can do this, which makes it even more interesting...
1. www.imei-check.com (UK)
- Download proggie
- Send them back the output and IMEI number
- Receive unlock code
2. Ebay guy (Canada): http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&category=43312&item=5763970199&rd=1&ssPageName=WDVW
- Sends you software
- You will run this software and it will generate a log file (data cable required).
- You'll need to email us this log file and we will send you the unlock code with instructions as soon as possible
Looks like the same procedure as IMEI-CHECK
3. www.UnLockItNow.com (Company in Malta): http://www.unlockitnow.com/remote/unlock/by_cable/Pocket_PC/unlock/XDA_IIs_unlock.php
Not sure what process they use, but looks the same.
-----------------------------------------
Then I also came across this interesting story: http://www.modaco.com/index.php?showtopic=200968
This guy writes (edited):
I happend across an official O2 email address that I sent an (abbreviated) SIM unlock request, briefly stating why I needed my XDA IIs to be SIM unlocked, and providing my O2 account number and the handset IMEI number. 30 minutes later and I was emailed back an unlock code.
No ifs, no buts, no questions asked and no payment required.
I placed my Orange SIM card in the IIs, waited for it to boot, entered the code and was greeted with "Unlock Code Accepted." Both dialling out and receiving calls on my Orange account no problemo.
...
Bearing the above in mind, I'm not going to directly post the email address, but will gladly pass it on via PM.
The interesting part here is that he only had to give his IMEI number, nothing else...and received an unlock code.
If you take the official route of unlocking your phone through your network provider, all they need is your IMEI number because they can calculate your unlock code from that.
I'm not 100% certain how the process works, but I'm fairly sure the algorithm they use to generate the unlock code is different for each handset manufacturer. I think the network provider either has to send your IMEI to the handset manufacturer for them to calculate the unlock code, or possibly the provider is given a database of unlock codes for all the handsets they purchase. This might explain why it sometimes takes them a few days or weeks to get back to you with the unlock code.
So figuring out how they convert the IMEI number to the unlock code would be another way to attack the problem. Although, I think it would probably be very difficult to figure out what hashing algorithm they're using to generate the code. But if it can be done, then it would certainly make things a hell of a lot easier!
-no1
SH*TE I have been writing a post for about half an hour now explaining the files and as soon as I logged in it was lost. :evil: :evil: :evil: :evil: :evil:
Anyways, here we go again. I am posting the files I promised yesterday. There are three JPEGs which are handwritten notes from the first time I ran their application, and a log file from the second time I ran the application. Here's the thing: the first time, the software sent a read command for the addresses 0-10000 of the radio ROM (rrbmc x 0 10000) and stored the result in the x variable. Then it probably compared the checksum with their data, and it didn't match, so they deleted this part of the ROM (rerase 0 10000) and wrote their own version of it stored in a vector called data (rw data 0 10000). So far so good.
The second time I ran the software, it sent the rrbmc command again but this time it didn't erase or write anything, so I guess it does actually what I said before with the checksum.
Another important remark:
The first time I ran the software, it requested some information from the device (rinfo) and the XDA replied:
BlueAngel B120 C6B23C704A59520150993080051FF87B
After it finished writing, it sent the same command once more and this time the xda replied:
BlueAngel B120 C6 BE3A709999541E509810802FD775B0
Now the second time I run the application, the rinfo command returned:
BlueAngel B120 C6BC3C70B329B2B1509980809FE49B11
Can these be some form of HEX encryption keys or something?
Happygoat maybe you could use them in your nice proggies?
Anyhow, I think this is all for now. The commands in the logs should be straight forward to understand, it's just the data part which needs real decoding of some sort.
Hope it helps, regards Zouga
Zouga,
Thanks alot for the info...and your patience!
I downloaded a program called USB Monitor, which supposedly logs all data transferred via the USB port...is that the proggie you used as well?
What I want to do is run the IMEI-CHECK program on my device a few times in a row..since it was never SIMLOCKED, I wonder what the output will be...and if they will be different.
I suggest other people run this software as well with a USB port logger, so we can compare logs, and perhaps figure out precisely what we need to do.
Regarding the encryption, I will have a look. I do not think that the data you gave me (C6BC3C70B329B2B1509980809FE49B11) is encrypted...looks like plain ol' HEX to me...will do some more research.
What I think would be the ultimate solution, is to develop an app that calculates the unlock code based upon IMEI number...easy to use, no workarounds, and something I understand: Encryption...
Yes, I am biased...but I am reading up on assembly code right now to get my arms around this thing...so bear with me...
Hi HappyGoat,
It's good that finally you guys got interested in this! Yes it is the same piece of software I used to sniff the port, it would be interesting to see the output of your unlocked device. Could you please post it as soon as you have it? I hope we can crack this!!
Come on guys, don't just complain for the £20 charge, give us some help here!! We should all run the software and log the data to compare them, as HappyGoat suggested. Then we should all be HappyXdaUsers
Looking forward to some news,
Zouga
Zouga,
Can't download the zip file (bottom one) for some reason...reports that file can not be found...can you try again please?
Cheers,
HG
I am trying to capture the unlock of my M3100 to help the forum.
I followed the directions below...
fun_key said:
What you need before you start:
USBMON (I used the trial): http://www.hhdsoftware.com/usbmon.html
A win 2k/XP computer with admin rights
How to fool the IMEI-CRACK tool:
-Login with the administrator and setup USBMON
-Create with the administrator a user (named whatever you like) with only "user" or "power user" rights
-Log in with the user you just created (you may have to re-set up ActiveSync with this user; I don't know why but it seems that ActiveSync doesn't set up for all users)
-Right click on the USBMON icon and select "run as"; input the administrator credential and configure the software ready for the capture
-Launch the crack and follow the instruction
And voila ! The dump should be achieved by now
I had to create another admin account as the unlock UTIL requires that you use the Admin account. I have been able to RUN USBMON while starting the unlock and it put the M3100 in the white unlock screen, but then I got an error and the util shut down.
Any ideas? I don't mind waiting to unlock so I can help the community out...
OK...I think I captured it....The unlocker changes to a different driver type in the middle of the unlock. So I started a new session with the "NEW" device. I think I captured it all, but what do I do with this file now?
slimsaturn said:
OK...I think I captured it....The unlocker changes to a different driver type in the middle of the unlock. So I started a new session with the "NEW" device. I think I captured it all, but what do I do with this file now?
attach it here
Alright... POF, they are too big to attach.... Anywhere else I can throw them? If someone tells me how to upload them to the FTP I will do so ASAP... Hopefully this is able to help someone. If I did miss the crucial info I am sorry for failing
no problem, i'm sure it will be juicy
Put them here:
ftp://xdaupload:[email protected]/Hermes/
USERNAME: xdaupload
PASSWORD: xda
let me know when the files are uploaded.
OK so I am getting a 530 Permission Denied error. Can i just email them or someone let me know what I am doing wrong
Email them to me.
sexy [email protected] vijay555.com
V
Finally the files are here:
ftp://xda:[email protected]/Hermes/Technical/unlocker-capture.zip
Going to have a look at them right now! will post something later
pof said:
Finally the files are here:
ftp://xda:[email protected]/Hermes/Technical/unlocker-capture.zip
Going to have a look at them right now! will post something later
Good Deal...hopefully this helps us
Slimsaturn!! You got it right
This is more or less what the unlocker does, will explain it in another post:
Code:
retuoR
USB> shmsg 8 2 "unlocking..."
USB> rtask a
Enter Radio Bootloader
USB> rpass
HTCS-(dynamic password, see http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoaderPassword)-HTCE
...
USB> rversion
0106
rrbmc x 6D0000 8000
rwdata 4D0000 800
[HTCS]- code, too big to paste here -[HTCE]
retuoR
USB> rtask b
Enter radio Image
AT-Command interpreter ready
[email protected]=0,1,22051978
[email protected]=0,2,22051978
[email protected]=0,4,22051978
[email protected]=0,8,22051978
[email protected]=0,16,22051978
[email protected]=0,32,22051978
AT
retuoR
USB> shmsg 8 2 " done"
USB> task 8
Is that from what I sent you
slimsaturn, yes this has been taken from the files you posted (Thanks!).
Here is the process explained, if you don't understand anything check the wiki bootloader page for a better explanation.
Code:
retuoR
Returns from radio bootloader to normal bootloader, probably here because the capture was not started at the very beginning of the unlocker process
Code:
USB> shmsg 8 2 "unlocking..."
USB> rtask a
Enter Radio Bootloader
Shows "unlocking..." on hermes screen, enters radio bootloader
Code:
USB> rpass
HTCS-(dynamic password, see http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoaderPassword)-HTCE
Sends "rpass \r" (mind the space between rpass and \r), then sends "HTCS" + the password + the CRC of the password as bytes + "HTCE".
This authenticates to the radio bootloader (to be able to use the rrbmc command later); the password is dynamic (but the method to generate it is known) and is sent encapsulated in an HTCS+password+CRC+HTCE block.
It should return either "T " for success or "F " for failure (encapsulated in the HTCS/HTCE block); in the capture it returns "T".
Code:
USB> rversion
0106
returns radio version encapsulated in HTCS HTCE block.
Code:
rrbmc x 6D0000 8000
Read back 32768 bytes (0x8000) of memory content from address 6D0000 and save the data to a file named "x".
@slimsaturn: do you have a file named "x" on your computer? can you send it too? if not, can you try to "undelete" it with some tool...?
Code:
rwdata 4D0000 800
[HTCS]+(2048 bytes of code, too big to paste here)+(4 bytes crc)+[HTCE]
This writes 2048 bytes (0x800) of data to address 4D0000; the data is sent encapsulated in an HTCS/HTCE block as well. I guess this does the CID unlocking.
These 2048 bytes are on the attachment, if anyone wants to look at (hint: compare it with extracted radios using an hex editor).
Code:
retuoR
USB> rtask b
Enter radio Image
AT-Command interpreter ready
Returns from radio bootloader to normal bootloader, then enters the AT command interpreter to talk to GSM AT cmd interface.
Code:
[email protected]=0,1,22051978
[email protected]=0,2,22051978
[email protected]=0,4,22051978
[email protected]=0,8,22051978
[email protected]=0,16,22051978
[email protected]=0,32,22051978
This enters the same sim unlock code to all locking facilities (2,4,8,16,32). The code here is 22051978, I guess this code is calculated from what has been previously read by rrbmc command. Will be a different code on every device. Weird that it doesn't get the locked facility first, it just tries all them.
Code:
retuoR
USB> shmsg 8 2 " done"
USB> task 8
This exits from the AT command interpreter, shows "done" on the Hermes screen and reboots the device.
Now I'm going to try the 'rrbmc' command on my hermes and see what is read from there... I've also found that the content written to device by rwdata has some strings in common on GSM.nb (radio) extracted from NBH update, so it's part of the radio.
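The HTCS/HTCE encapsulation pof describes above (the rpass step, the rwdata payload and the framed "T "/"F " reply) as an added worked example in Python. This is not pof's code or anything posted in the thread; it assumes the 4-byte CRC is a little-endian CRC-32, which the capture does not establish, and the password used in the demo is made up.

```python
import struct
import zlib

HTCS = b"HTCS"  # start marker seen in the capture
HTCE = b"HTCE"  # end marker seen in the capture


def crc_bytes(payload: bytes) -> bytes:
    """4-byte checksum appended to every framed payload.

    ASSUMPTION: the thread only says "4 bytes crc"; CRC-32 (zlib) in
    little-endian byte order is a guess, not something the capture shows.
    """
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def frame(payload: bytes) -> bytes:
    """Encapsulate payload as HTCS + payload + crc + HTCE."""
    return HTCS + payload + crc_bytes(payload) + HTCE


def unframe(block: bytes) -> bytes:
    """Check markers and CRC of a received block and return its payload.

    Raises ValueError on a malformed block or CRC mismatch, so a truncated
    or corrupted reply is never mistaken for a 'T' (success) answer.
    """
    if not (block.startswith(HTCS) and block.endswith(HTCE)):
        raise ValueError("missing HTCS/HTCE markers")
    body = block[len(HTCS):len(block) - len(HTCE)]
    if len(body) < 4:
        raise ValueError("block too short to carry a CRC")
    payload, crc = body[:-4], body[-4:]
    if crc != crc_bytes(payload):
        raise ValueError("CRC mismatch")
    return payload


def rpass_exchange(password: bytes) -> list:
    """Bytes sent for the rpass step: the command (note the space before
    the carriage return, as in the capture), then the framed password."""
    return [b"rpass \r", frame(password)]


def rwdata_exchange(addr: int, data: bytes) -> list:
    """Bytes sent for rwdata: 'rwdata <addr> <len>' in hex, then the framed data."""
    return [f"rwdata {addr:X} {len(data):X}\r".encode("ascii"), frame(data)]


def reply_ok(block: bytes) -> bool:
    """Interpret a framed 'T ' / 'F ' reply; anything else (or a bad CRC) is an error."""
    payload = unframe(block)
    if payload.startswith(b"T"):
        return True
    if payload.startswith(b"F"):
        return False
    raise ValueError(f"unexpected reply payload {payload!r}")


if __name__ == "__main__":
    # Constructed demo: a made-up 16-byte password and a zero-filled 0x800-byte
    # rwdata payload of the size seen in the capture.
    pw = b"0123456789ABCDEF"
    for chunk in rpass_exchange(pw):
        print(chunk)
    cmd, framed = rwdata_exchange(0x4D0000, bytes(0x800))
    print(cmd, len(framed), "bytes on the wire")
    print("device said:", reply_ok(frame(b"T ")))
```

If the real checksum turns out to be something other than CRC-32, only crc_bytes needs to change; the framing, the reply check and the command strings are what the capture shows.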
pof said:
@slimsaturn: do you have a file named "x" on your computer? can you send it too? if not, can you try to "undelete" it with some tool...?
Sure...I will check my recycling BIN tonight. If I can't find it there do you have utility that I can use to search my PC to try to locate it?
It will not be in the recycle bin, it will be either on the folder you run the unlocker from, or on the c:\temp c:\windows\temp
The exact size of the file is 32768 bytes, it is named "x" (without extension).
If the unlocker has removed the file (most probably) then it will be removed (but not in the recycle bin!) so you will need to use some software to undelete removed files, I don't know any but google may help.
Pof, I just tried running the unlocker with file i/o monitoring, and didn't see it produce a file called X (or anything else that looked like a likely candidate)
Maybe we can do a before and after dump of the radio patch - it'll probably be using a similar idea to the Universal unlocker if it's overwriting the radio.
V
pof said:
It will not be in the recycle bin, it will be either on the folder you run the unlocker from, or on the c:\temp c:\windows\temp
The exact size of the file is 32768 bytes, it is named "x" (without extension).
If the unlocker has removed the file (most probably) then it will be removed (but not in the recycle bin!) so you will need to use some software to undelete removed files, I don't know any but google may help.
Alright I will check tonight. I am guessing this is the missing link to fully understand what happens.
help needed
I need the help from someone who hasn't unlocked their phone yet and is willing to pay imei-check the 20GBP: I need to compare two regions of the radio before and after running the unlocker.
These are the steps to follow:
1) Disable ActiveSync on your computer by right-clicking on the ActiveSync icon -> connection settings -> uncheck "allow USB connections".
2) Put your device in BootLoader mode
3) Connect device to computer using USB cable.
4) Download TryBootloader.exe and run it.
5) TryBootloader fails most times you run it with one of these errors:
"Could not enter bootloader mode" or "SetCommState failed Could not open device ", in which case you need to reset your device and put it in bootloader mode again, and keep trying until you get this (usually no more than 5 or 6 tries):
Code:
USB>info 3
password ~:0T4~~000~X~000
Entered advanced bootloader
rtask a
rtask a
Enter Radio Bootloader
rinfo
rpass
Retval:
T
Entered radio bootloader
6) Once TryBootloader successfully authenticates you, open mtty.exe and select "USB" port and click "OK", this time you will not get the usual "USB>" prompt because you will already be in radio bootloader, but this should give you an authenticated command line in radio bootloader where you have all commands enabled.
7) Start HHD USBMonitor.
8) File -> New session -> USB Monitor -> Select USB device where your phone is connected -> Check "request view" -> Finish
9) In the upper part there are two tabs: basic and complete. Click on "Complete".
10) Type these commands in mtty window (do not copy paste, type them!) please note that you will not get any output (echo) on the screen when typing because you are on radio bootloader:
Code:
rrbmc a 6D0000 8000
You will see a lot of garbage in the mtty screen, don't worry... when it finishes, type the next command:
rrbmc b 4D0000 800
You will see a lot of garbage in the mtty screen again, don't worry... when it finishes, close mtty.
11) you should see all the USB traffic output on USB monitor window.
12) click on Edit -> Export and Save as type "ANSI Text files".
13) Save the file and zip it. Name it "dump-before-unlock.zip"
14) Enable USB connections on ActiveSync again, softreset your Hermes and make sure activesync icon is "green" again.
15) Run the imei check unlocker as normal, following their instructions.
16) Once your phone is unlocked, repeat steps 1 to 13 but this time name the file "dump-after-unlock.zip"
17) Post a comment here and attach the two files, if they are too big upload them to xda-developers ftp.
After that we'll have everything to start working on a free unlocker
PS: I am traveling from Spain to Germany tomorrow and will be 1 week "away" without internet connection, I hope someone will have uploaded the files when I come back!!!
Awesome on the Stick
slimsaturn said:
I am trying to capture the unlock of my M3100 to help the forum.
I followed the directions below...
I had to create another admin account as the unlock UTIL requires that you use the Admin account. I have been able to RUN USBMON while starting the unlock and it put the M3100 in the white unlock screen but then get an error and the util has shut down.
Any Ideas? I don't mind waiting to unlock so I help th community out...
Humm, interesting, when I tried it didn't require the admin rights so far. I tried this quite a long time ago, I may have forgotten something or they may have updated their util.
@pof: You were talking about CID unlocking. I don't think that the IMEI tool is still able to make the tytn Super CID. I have used it about 2 months ago and my device is far from being super CID. Slimsaturn, could you please give us the CID of your device in order to check what really happens down there?
EDIT: I found the exe program when I tested the dump. There is now an updated version of the .exe on their website. I guess that it could be interesting to test different versions of the tool, in order to better understand what it really does and how it does it.
I upload here the older version, it can maybe interest someone. I'll give more tries with the newest version, if it is able to handle my radio version.
nice work
my £20 donation is sitting here waiting for you guys!!!!!!!!!!
anything i can do to help?
Been trying everything on the Internet and managed to make some headway with Monet (Virgin Lobster 700tv) unlock (this might work for Meteor/C700 as well).
1. Firstly you need to get rid of the 'registry security policy' lock.
Download cert install sp.zip:
[see attachment]
a. copy "SP_AllowCertificateInstall.cab" to the root of Monet memory or card
b. Use file explorer on monet to navigate to file. Click to run. Should run ok.
c. Unzip "SDA_ApplicationUnlock.zip" on PC and run "SDA_ApplicationUnlock.exe" whilst Monet is connected via activesync
2. Copy registry editor onto Monet. I used PHM, but others should work. Note install PHM loader on PC whilst monet is connected via activesync. It might install correctly on Monet, it might not. This does not matter. Just navigate on your PC to Program Files\phm and find the .exe file and copy to root of Monet memory or card.
Also nice free remote registry editor here (works from PC whilst phone is connected via activesync):
http://www.breaksoft.com/Blog/Utilities/2005/1/Mobile_Registry_Editor.aspx
Excellent 'free' combined file explorer and registry editor (perhaps for later - after app. unlock) SGS:
http://www.handango.com/PlatformPro...925777&Ntt=registry&productId=195244&R=195244
3. Using phm (or the registry app you like) change the four keys specified in this guide (you might find the above process has already reset 1001 and 101b):
http://wiki.spv-developers.com/HTC_Application_Unlock_Guide
They are:
Under HKEY_LOCAL_MACHINE\Security\Policies\Policies:
a. Change the DWORD named "1001" to 1 (could originally be 2)
b. Change the DWORD named "1005" to 40 (could originally be 16)
c. HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1017 = 128 or 16 (before) 144 (after)
d. HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 101b = 1 (this key might not exist, if so, create it).
4. Restart
5. HOORAY. Now your phone is fully application unlocked.
-----the following procedure is to SIM Unlock, this currently does not work. Possibly spv-services will be updated at some time to work with the Monet---->
6. Now download spv_services:
http://www.spv-developers.com/forum/showthread.php?t=236
a. copy the cert.cab file to your Monet. Select and run using File explorer. It should run fine.
b. Next step. Run SPV_services from PC whilst phone still connected via Activesync. Should unlock ..... however I get checksum error....
Will investigate. Anyone have any luck please say. At least we can now get the phone app.unlocked.
------------------------->
Note: I have read that the phone might again become app.locked if you do a hard reset. If this is the case, just follow the above again.
rgds
colonel said:
(...)
b. Next step. Run SPV_services from PC whilst phone still connected via Activesync. Should unlock ..... however I get checksum error....
(...)
So this thread should not be named Full unlock for HTC Monet :>
apparently when i tell spv services to use simlock tool, it freezes at a blue screen trying to load a php.. this is after i input AGREE into the box..
it opens fine before that.. am i doing anything wrong?
bongmaster said:
apparently when i tell spv services to use simlock tool, it freezes at a blue screen trying to load a php.. this is after i input AGREE into the box..
it opens fine before that.. am i doing anything wrong?
SPV-Services needs to access the internet.
A php is an active type of web page.
It would appear that there is something blocking it from accessing the internet. Most probably a firewall on your PC, either the internal windows one, or a 3rd party package you have installed. You need to check this.
If its for the Monet I wouldn't bother anyhow as SPV-Services can not currently SIMunlock this phone.
rgds
colonel said:
SPV-Services needs to access the internet.
A php is an active type of web page.
It would appear that there is something blocking it from accessing the internet. Most probably a firewall on your PC, either the internal windows one, or a 3rd party package you have installed. You need to check this.
If its for the Monet I wouldn't bother anyhow as SPV-Services can not currently SIMunlock this phone.
rgds
1st thing i checked was the firewall..
i know what a php is, i run a phpbb forum, and yes it is a Monet (lobster 700)..
shame ( i really need to unlock the networks on it ) i have an O2 sim and when i put it in it asks for a network unlock code.. if only i had that code.. any idea how to obtain it?
the only way currently is to use virgin or a commercial service
If you put at least £30 of talk time on your virgin account, they will send you the unlock code for free.
Otherwise search google or this forum for a commercial unlocking service.
rgds
colonel said:
1. Firstly you need to get rid of the 'registry security policy' lock.
Download cert install sp.zip:
http://www.spv-developers.com/forum/showthread.php?t=425
Hi, I have a question. I would like to try it but the link above shows: Invalid Thread specified. If you followed a valid link, please notify the administrator :-(
burticek said:
Hi, I have a question. I would like to try it but the link above shows: Invalid Thread specified. If you followed a valid link, please notify the administrator :-(
Edit: Never mind. I have found it ;-)
Virgin Lobster
I have followed all the instructions
I get an error when running the sim lock tool as follows:
Encrypted checksum not found
I then use a vodafone SIM and get "Network is locked. Please input unlock code."
Any ideas?
SteveW
classicxda said:
I have followed all the instructions
I get an error when running the sim lock tool as follows:
Encrypted checksum not found
I then use a vodafone SIM and get "Network is locked. Please input unlock code."
Any ideas?
SteveW
simunlock is not working yet on the monet.
this procedure only app. unlocks
rgds
c.
Lobster unlock
What would it cost to do this?
Cheers
SteveW
just phone virgin if you have a lobster. they require £30 of airtime to be purchased before they give you the code
Application Unlock for HTC Monet
Hi colonel
I have been trying in vain to do an application unlock on my Lobster 700tv. I have managed to install and run the "SP_AllowCertificateInstall.cab" which went ok. The "SDA_ApplicationUnlock.exe" also ran ok. However, running PHM required a copy to be placed on the Monet which I did. Attempting to run the "setup.exe", gave the following message:
"ALERT: Setup is Not a Valid Windows CE Application"
Because of this, I attempted to change the registry keys using "Mobile Registry Editor.exe" which seemed to do the job. However, applications still won't work (I'm trying to install TomTom Navigator 6).
I have since managed to load and run "MobileRegistryEditor.exe" on my phone without problems but I still cannot get TomTom Navigator 6 to run, although it loads onto the storage card ok.
Please can you help?
Regards,
leadweight
leadweight said:
Hi colonel
I have been trying in vain to do an application unlock on my Lobster 700tv. I have managed to install and run the "SP_AllowCertificateInstall.cab" which went ok. The "SDA_ApplicationUnlock.exe" also ran ok. However, running PHM required a copy to be placed on the Monet which I did. Attempting to run the "setup.exe", gave the following message:
"ALERT: Setup is Not a Valid Windows CE Application"
Because of this, I attempted to change the registry keys using "Mobile Registry Editor.exe" which seemed to do the job. However, applications still won't work (I'm trying to install TomTom Navigator 6).
I have since managed to load and run "MobileRegistryEditor.exe" on my phone without problems but I still cannot get TomTom Navigator 6 to run, although it loads onto the storage card ok.
Please can you help?
Regards,
leadweight
I also have been trying to unlock my Lobster to no avail.
Used a couple of reg editors but when you change the values the phone comes back "Unable to perform this operation".
I also used the HTC unlocker which came back with the same message.
Lobster headache
Hi bocsta
I had problems to start with but I had failed to read colonel's instructions correctly. I couldn't get PHM to run on my phone so I tried some of colonel's other suggestions. I found that "SGS Explorer" did load ok and I used its registry editor to change the registry keys as listed. I am assuming that my phone is now unlocked but TomTom Navigator 6 will not run.
Can someone please help before I throw my lobster back in the sea?
Regards .....
leadweight said:
Hi bocsta
I had problems to start with but I had failed to read colonel's instructions correctly. I couldn't get PHM to run on my phone so I tried some of colonel's other suggestions. I found that "SGS Explorer" did load ok and I used its registry editor to change the registry keys as listed. I am assuming that my phone is now unlocked but TomTom Navigator 6 will not run.
Can someone please help before I throw my lobster back in the sea?
Regards .....
Colonel's zip file comes back as not a valid archive?
Where can I find the first file in his list being : SP_AllowCertificateInstall.cab ???
Find File
bocsta said:
Colonel's zip file comes back as not a valid archive?
Where can I find the first file in his list being : SP_AllowCertificateInstall.cab ???
The file you require is "cert install sp.zip"
You can get it by clicking on colonel's attached files link on the bottom left of his post.
Regards
leadweight said:
The file you require is "cert install sp.zip"
You can get it by clicking on colonel's attached files link on the bottom left of his post.
Regards
Have you tried downloading it recently? The zip file says it is not a valid archive or is damaged.
bocsta said:
Have you tried downloading it recently? The zip file says it is not a valid archive or is damaged.
I have just tried it again and it downloaded ok. I'm not sure why you have had problems - keep trying as it could be just a glitch.
Regards ...
leadweight said:
I have just tried it again and it downloaded ok. I'm not sure why you have had problems - keep trying as it could be just a glitch.
Regards ...
Yes it downloads OK. I just can't unzip it. Can you try to unzip it please?
If it fails and you still have the Zip file that you unzipped originally, can you please PM it to me?
Thanks
I would like to test my sim unlock method and am looking for a test user. Please follow the instructions below. Only the first user will be served!
Make sure your phone is application unlocked before carrying out these steps. In this post you find a simple description and program to do that.
1. run:
Code:
pmemdump 0xB002709C 16 > docid.txt
This creates a text file docid.txt. The tool pmemdump is part of the itsutil toolset by itsme, download here
2. run:
Code:
pdocread -n 1 0x000000 0x10000 -b 0x4000 simlock.bin
This creates a binary file simlock.bin. The tool pdocread is also part of the itsutil toolset by itsme.
Zip both files (docid.txt and simlock.bin) and post them in this thread
Ok. I'm ready to test for you. Thanks
Ok,
Let's do it.
Thank's
EmmanuelMauricio said:
Ok,
Let's do it.
Thank's
OK, post the files in this thread (zipped)
Anyone?
/JockyW
Sorry - my phone is already sim unlocked or I'd happily help.
I have the files
Hello I have a cingular 3125
I can not unlock and have no possibility of paying for a sim unlock because I do not have a credit card
Good:
Here are these two filesView attachment docid.txt
here is the other one
here is simlock.bin -->View attachment simlock.zip
Here are the two into one
here 2View attachment simlock_y_docid.zip
You will be my idol if you unlock the sim
sorry
My English is bad, I am Latino
Thx for your files diego. I will give it a try.
Please do one more thing:
Run pdocread.exe with no arguments and write down the "uniqueid" value.
Thank you,
JockyW
here is!
here is uniqueid--->>>
diego1x0 said:
here is uniqueid--->>>
The problem with your phone is that the 64KB simlock data is corrupt or belonging to another phone. Your unique id (also called docid) is okay, but doesn't match with the simlock data. Someone messed around with your phone. The phone can only be unlocked if you have the original 64KB data area.
WHY?
Did I do that?
This new phone was bought with cash, it's a Cingular 3125
Could updating to the latest Cingular version be the problem?
lost
If I could, I would pay at WWW.IMEI-CKECK ......
but so far their page has given me nothing ..
I paid 2 weeks ago, but so far nothing has reached me
help me ..
diego1x0 said:
Did I do that?
This new phone was bought with cash, it's a Cingular 3125
Could updating to the latest Cingular version be the problem?
Sorry Diego, I don't understand you.
If you mean to say that you bought it new and you didn't modify it in whatever way, then I don't understand and can't help you.
I noticed another thread of yours where you mentioned it shows "corrupted data". This is typically the error message which appears if the simlock data is modified.
Maybe?
The simlock dump was made on Windows Vista Ultimate, could that have something to do with it?
That file was made on Windows Vista to send to you.
Here is the same dump made on Windows XP.
I SimUnlocked my phone using the way maxrfon found around SE security. I went to x10unlocked.com and downloaded the program there and unlocked the phone. As far as I could tell the only time the software ever accessed the internet was to check if my login information was accurate. So in the program there must be a way to see how it unlocked the sim going through the security of SE, which is also applicable to bootloader unlock.
As a side note...there is a folder in the software folder that is titled loader...and in there, there are a few .sin files that the program supports...and one of them is x10.sin, it is very small, about 86kb. I don't know about programming or anything close to it. I thought someone/a developer might look into this and figure out how the program does this and then it could be used to bootloader unlock our phones.
Any thoughts/ideas.
how did you get the username & password? cause it won't let you go through without username & password ?
x10unlocked.com is where you download the program. You don't need to type in a username and password...The link is in the top of the page
Latest Client Version: 50.04 (12-07-2011)
Download Count: 9189
Download Latest Client Install 50.04
click on the last sentence... Download Latest Client Install.
When you install it and you are about to sim unlock your phone...you have to enter in a username and password...and that you have to buy. IF you do buy a sim unlock code what it does is unlocks your phone and it didn't install anything extra afterwards...so i am assuming all the files needed to unlock bootloader should be there without the necessity to buy an account. Of course you would need skills to reverse all that stuff.
i tried but it says 'check login'. where do i buy it from? it doesn't say on the website?
Oh wow that is weird...it lets me download no problem... and i have no idea where to buy it...i got my account for free. maxrfon posted a few free ones a little while back but that post got deleted. It should download. Why do you want to buy it...
Download Latest Client Install 50.04
direct link to download, works for me no problems
I deleted the post cause it had exactly nothing to do with gingerbread and was in the wrong place
so posting it in another wrong place isn't helping
My bad...general seemed like a nice place talk about it...sorry, but thank you for not deleting it.