View Full Version : Assistance in unlocking


W4XY
06-12-2003, 10:30 AM
Hi,

As part of our research we need some assistance. We need some information from a few different XDAs, because currently we only have a limited supply of (unlocked) phones.

To get the info we need the following:

Put the XDA II in USB Wireless modem mode.
(see http://www.myxda.com/html/HowTo/XdaII/WirelessModemDocumentM_for_USB.htm and http://www.myxda.com/downloads/WirelessModem_USB_files.zip)

Now connect to the HTC USB Modem with a terminal program such as Hyperterminal. It might be a bit difficult to get connected, but with auto detect for speed and settings it should work.

On Linux you can connect with minicom to /dev/ttyUSB0 for instance.

When you confirm the AT commands work:
ATZ
OK

Please submit the following commands and mail the results back to me:

AT%V
AT%VER
AT%G23
AT%SECURITY?
AT%CID?
AT%SIMLOCK?
AT%GPIO?
AT%KEYPAD?
AT%OREG?0,0
AT%BAND?
AT%HTCBAND?
AT%LISTNETWORKCODE
AT%LISTNETSUBCODE
AT%LISTSPCODE
AT%LISTCORPORATECODE
AT%LISTSIMCODE
AT%IMEI?

If you don't want to send me your IMEI leave it out, although it might be a relevant parameter. Maybe later I'll need a few more.

UPDATE: Also please mention your ROM versions and if your device is locked.

e-mail to: W4XY@xda-developers.com

thanks,

JoseF
06-12-2003, 11:11 AM
I can try, but I don't have the USB files on the desktop. I'm running Windows XP Pro.
This link is unavailable.
(http://www.myxda.com/downloads/WirelessModem_USB_files.zip)
You can mail me the files at helio108@hotmail.com

JoseF

Sebi
06-12-2003, 11:18 AM
Hi !

I sent it to you, but at%security? gives back an error.
at%hctband? may be wrong. at%htcband? is better. :)

(My sim is not GPRS.)

Regards,
Sebi

W4XY
07-12-2003, 08:40 AM
Hi, the zip file is now there and contains the necessary file USBMDM.INF that you need on your PC.

Also I added some extra fields to the list of AT commands. Especially if you have a locked device I'm interested in your results (I have none yet).

Thanks,

[so]hai®
07-12-2003, 08:45 PM
Hi, I'm new here and I've got an XDA II which is locked by O2... I've tried the commands listed above but they all returned "ERROR"... :shock: The only one I got is AT%CID? which gives me back "3600" and "NO CARRIER"...

Am I doing something wrong anywhere?

Can anybody please guide me? Thanks!

p/s: XDA II is the best!!! :wink:

W4XY
07-12-2003, 09:12 PM
[so]hai® wrote: returned "ERROR"... :shock: the only one I got is AT%CID? which gives me back "3600" and "NO CARRIER"...

Hmm, anyone else with a locked device that can comment?

All I got so far were five responses from people with unlocked devices.

Thanks,

mrg2003
07-12-2003, 09:13 PM
You donkey!!!
YOU CAN'T UNLOCK WITH AT COMMANDS

W4XY
07-12-2003, 10:03 PM
You donkey!!!
YOU CAN'T UNLOCK WITH AT COMMANDS

Thanks for your wonderful informative comments. If you know that much about it why not share all your knowledge on how the device is locked and unlocked.

Actually both the official way and our previous unlock tool worked through AT commands. Furthermore, the above commands are not directly to unlock your device but to understand the GSM ROM that we are currently researching.

X-Ray
07-12-2003, 10:51 PM
Thanks for your wonderful informative comments. If you know that much about it why not share all your knowledge on how the device is locked and unlocked.

Actually both the official way and our previous unlock tool worked through AT commands. Furthermore, the above commands are not directly to unlock your device but to understand the GSM ROM that we are currently researching.
W4XY, please don't waste your time on someone who doesn't know....

I expect to get my t-Mobile MDA (=MDA 2) this week and it will be locked to t-Mobile, so I will come back with the information ASAP.

Keep up the good work!

mrg2003
07-12-2003, 10:57 PM
Actually both the official way as our previous unlock tool worked through AT commands.
I'm sorry, I apologize unreservedly,
oh great XDA gurus, I am not worthy to interpret even a semaphore.

I was working at O2 before Xmas, and their tech bods say that you can't unlock with AT on the XDA II. I should have their X2 (PPC, but no GSM {radio}) next week, will try and send a dump, along with my own (locked) version. Will probably get the sack :(

Mr.G

Puff The Magic Wagon!
07-12-2003, 11:25 PM
n00b here :roll:

I've followed the setup but damned if I can get HyperT to "auto negotiate" any type of connection :(

Anyone help me with manual settings or the like? I can use the XDA as a modem with the dialer prog supplied...

I've got an O2-locked one, the unlock for which I'd like to obtain.

Ta!

ßeta
07-12-2003, 11:55 PM
Start HyperTerminal. A new connection window will appear; in the box type XDAII (for example), then click OK.

On the next window, in the "Phone Number" field, type any numeric sequence.

In the "Connect Using" field, ensure the HTC USB Modem is selected. Click OK.

Hit the Modify button and select the Settings tab, then hit the ASCII button. Place a checkmark in the "Echo typed characters locally" option (this enables you to see what you're typing). Click OK, and OK again on the Settings tab applet.

You're now back at the connection window, ready to dial that number you put in. Hit the Cancel button.

Now you're ready to type those commands.

Puff The Magic Wagon!
08-12-2003, 12:47 AM
Beta

Sorted - thanks :D


All sent - any more, just ask...

W4XY
08-12-2003, 06:51 AM
I was working at O2 before Xmas, and their tech bods say that you can't unlock with AT on the XDA II. I should have their X2 (PPC, but no GSM {radio}) next week, will try and send a dump, along with my own (locked) version. Will probably get the sack :(

Well, it sounds like a pretty stupid reason to get sacked; enough people are sending the info already. Actually, if anything, O2 reads this site to know what the XDA is really doing. I wonder if they know that with the XDA II it is actually easier to read the GSM ROM image from the device than with the XDA I. And yes, it might be we can't unlock the XDA II with AT commands only this time. But we have their unlock tool, all we need is the code and we can read all of the GSM memory already...

More info about this at a later stage.

[so]hai®
08-12-2003, 01:48 PM
Hi all... I've sorted the "all errors" problem... it's 'cos of my PC firewall... stupid me... :oops:

@W4XY: I've sent you the results, and just to let you know that I really appreciate what you've done... :wink:

Thank you!

kalex
08-12-2003, 06:56 PM
W4XY,

just emailed my results.


alex

W4XY
08-12-2003, 07:14 PM
Hi all,

I've received enough input for the moment for GSM ROMs R1.05.12.

If you have locked ROMs for other versions I'm still interested.
Dates I've seen for the specific parts of the ROM are:

%VER: aci Dani non_clearcase 17:33:58 10/09/03
%VER: aci Clem non_clearcase 10:36:13 16/10/03
%VER: aci Dani non_clearcase 13:00:27 22/10/03

The latter two only unlocked so far.

Regards,

ashby
11-12-2003, 04:18 PM
any joy with this?

Puff The Magic Wagon!
12-12-2003, 11:44 AM
I should be getting my unlock code soon.

Are there any further commands that you'd like me to run before I unlock it?
And would you like the same list for the unlocked version?

(I have already sent a list for the locked one)

boyo69
15-12-2003, 07:35 PM
I have an unlocked O2 unit from Singapore - just upgraded to ROM 1.60 T-Mobile as posted on this site.

My info for you is as follows:


ERROR

OK
ATZ
OK
AT%v
R1.06.01

OK
at%VER
%VER: aci Dani non_clearcase 18:07:51 25/11/03
%VER: cc Dani non_clearcase 18:09:10 25/11/03
%VER: dl Dani non_clearcase 18:09:25 25/11/03
%VER: mm Dani non_clearcase 18:11:52 25/11/03
%VER: rr Dani non_clearcase 18:13:04 25/11/03
%VER: sim Dani non_clearcase 18:13:20 25/11/03
%VER: sms Dani non_clearcase 18:13:55 25/11/03
%VER: ss Dani non_clearcase 18:14:02 25/11/03
%VER: alr Dani non_clearcase 18:15:05 25/11/03
%VER: smi Dani non_clearcase 18:08:41 25/11/03
%VER: fad Dani non_clearcase 18:09:50 25/11/03
%VER: l2r Dani non_clearcase 18:10:18 25/11/03
%VER: ra Dani non_clearcase 18:10:27 25/11/03
%VER: rlp Dani non_clearcase 18:10:48 25/11/03
%VER: t30 Dani non_clearcase 18:11:16 25/11/03

OK
AT%G23
G:1337.16

OK
AT%SECURITY?
LOCKTIME: ff

OK
AT%CID?
4F320001

OK
AT%SIMLOCK?
%SIMLOCK= 00

OK
AT%GPIO?
%GPIO: 2060

OK
AT%KEYPAD?
%KEYPAD: FFFF

OK
AT%OREG?0,0

%EXT_OREG 001


OK
AT%BAND?
%BAND: 0

OK
AT%HTCBAND?
%BAND: FF

OK
AT%LISTNETWORKCODE
OK
AT%LISTNETSUBCODE
ERROR
AT%LISTSPCODE
OK
AT%LISTCORPORATECODE
OK
AT%LISTSIMCODE
OK
AT%IMEI?
HTC:35193800028048301

OK

Hope it helps all those poor old locked O2 users!!

boyo69
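As an added example (not from the thread), the following Python parser turns a terminal capture like the one above into one record per AT command, so captures from several devices and ROM versions can be compared by result code and %VER build stamp instead of by eye. The sample transcript is constructed in the format shown, with a placeholder IMEI.

```python
import re
from dataclasses import dataclass, field

FINAL_CODES = {"OK", "ERROR", "NO CARRIER"}
# "%VER: <module> <who> <tag> hh:mm:ss dd/mm/yy", as seen in the captures
VER_RE = re.compile(r"^%VER:\s+(\S+)\s+\S+\s+\S+\s+(\d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d)$")

@dataclass
class AtResult:
    command: str                                # echoed command, upper-cased
    lines: list = field(default_factory=list)   # payload lines before the result code
    status: str = "UNKNOWN"                     # final result code, if one was seen

def parse_transcript(text):
    """One record per AT command: a line starting with 'AT' opens it, following
    non-empty lines are payload, a final result code closes it. Noise before the
    first command (e.g. a stray ERROR from a garbled line) is dropped."""
    results, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("AT"):
            current = AtResult(line.upper())
            results.append(current)
        elif line in FINAL_CODES:
            if current is not None:
                current.status = line
        elif current is not None:
            current.lines.append(line)
    return results

def summarize(results):
    """command -> result code; ERROR usually means this ROM lacks the command."""
    return {r.command: r.status for r in results}

def ver_builds(results):
    """(module, 'dd/mm/yy hh:mm:ss') per %VER line, to compare ROM builds."""
    out = []
    for r in results:
        if r.command == "AT%VER":
            for m in filter(None, map(VER_RE.match, r.lines)):
                out.append((m.group(1), f"{m.group(3)} {m.group(2)}"))
    return out

# Constructed sample modelled on the capture format; the IMEI is a placeholder.
SAMPLE = """ERROR\n\nOK\nATZ\nOK\nAT%v\nR1.06.01\n\nOK\nat%VER
%VER: aci Dani non_clearcase 18:07:51 25/11/03
%VER: sim Dani non_clearcase 18:13:20 25/11/03
\nOK\nAT%SIMLOCK?\n%SIMLOCK= 00\n\nOK\nAT%LISTNETSUBCODE\nERROR
AT%IMEI?\nHTC:000000000000000\n\nOK\n"""
```

Paste a real capture into `SAMPLE` (or read it from a file) and call `summarize(parse_transcript(...))` to see at a glance which commands a given ROM answers.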

tscargo
21-12-2003, 08:31 PM
Info on locked ROM 1.03.00. USA just mailed ...

Some of the AT commands in this ROM seem not to exist.

JohnSmith
23-12-2003, 02:45 PM
Hi,

it seems that XDA II gets back closer to smartphone... (AT%SECURITY is used by the RIL from Windows CE to decide whether to display the SimUnlock dialog on Voyager (E200/QTEK8080) too). I've disassembled the whole of the GSM radio stack for Smartphone (it's simple ARM Thumb code and guess what.... Nucleus Realtime OS ;-) UNIX in there *lol*). There I've found the simlock check code (removable in ROM) ... and just noticed that HTC built strong encryption in this time.... So deciphering the 32kB Magic Block would be really hard. Patching some bytes in ROM is much easier... ;-)

John

W4XY
23-12-2003, 05:39 PM
Hi,

Hi,

it seems that XDA II gets back closer to smartphone... (AT%SECURITY is used by the RIL from Windows CE to decide whether to display the SimUnlock dialog on Voyager (E200/QTEK8080) too). I've disassembled the whole of the GSM radio stack for Smartphone (it's simple ARM Thumb code and guess what.... Nucleus Realtime OS ;-) UNIX in there *lol*). There I've found the simlock check code (removable in ROM) ... and just noticed that HTC built strong encryption in this time.... So deciphering the 32kB Magic Block would be really hard. Patching some bytes in ROM is much easier... ;-)

John

Sounds like you know quite a bit about it. Actually the AT%SECURITY command looks like some kind of master override for security, while the simlock security in the XDA2 is being done by a separate command called AT%HTCLOCK. No idea why all these complicated mechanisms are necessary, 'cause it was pretty trivial to break with some of the other features they added. Expect a working unlocking tool before Christmas!

JohnSmith
23-12-2003, 05:59 PM
All my research was done on smartphone (not PocketPC Phone Edition).

All I want to say is that HTC built a completely new SIMLOCK mechanism for the new smartphone device called E200/QTEK8080 which is not breakable easily. We already read the ROM content with the encrypted simlock and IMEI area, but without the encryption algorithm we can do nothing (in old devices the simlock code was plaintext with a fixed value added to make it "unreadable").

But now it is a 32k encrypted block.

So my suggestion to XDA-developers is to disassemble GSM-ROM (HTC left many of debug info in there - hehe) and patch validation of Simunlock code verification....


John

W4XY
23-12-2003, 06:34 PM
All my research was done on smartphone (not PocketPC Phone Edition).

All I want to say is that HTC built a completely new SIMLOCK mechanism for the new smartphone device called E200/QTEK8080 which is not breakable easily. We already read the ROM content with the encrypted simlock and IMEI area, but without the encryption algorithm we can do nothing (in old devices the simlock code was plaintext with a fixed value added to make it "unreadable").

But now it is a 32k encrypted block.

Hmm, that is strange. Because in the XDA2 they seem to have not done this. Actually we can now unlock devices by simply reading 16 bytes from the GSM ROM, doing a simple reverse calculation (obfuscation) and calculate a working unlock code.

The AT%SECURITY code does perform some encryption, but not of any block in the ROM (as far as we have seen). The argument to the AT%SECURITY command is a 96 byte string of which a selected number of bytes are actually used for an encryption with a fixed key in the ROM. There actually seem to be three keys for different purposes.

If you would have a GSM ROM image for me from a Smartphone I would really appreciate it.

Magic2ik
24-12-2003, 10:16 AM
Expect a working unlocking tool before christmas!

We still can expect it before x-mas ??????

lonegunman
19-01-2004, 11:15 PM
Any news on e200 unlocking? I have d/l'd the HT program and have followed what the guys say on how to type the commands in, but as soon as I do the atz one it starts to type double letters, so instead of at%v I get aatt%%vv. Any clues? (btw it's on an e200 I'm doing this)

SmokeMasta
20-01-2004, 06:55 AM
It's probably because you've got local echo on.

lonegunman
20-01-2004, 11:35 PM
Well, I get an error with all the commands I try on the e200, so I'm doing something wrong or this doesn't work on the e200 :oops: