Imei-check trinity unlock
decebal
22-01-2007, 10:22 PM
here you go ... one paid solution available
http://www.imei-check.co.uk/m700unlock.php
Matterhorn
22-01-2007, 10:51 PM
here you go ... one paid solution available
http://www.imei-check.co.uk/m700unlock.php
But does that do a CID unlock?
mmone3
22-01-2007, 10:54 PM
That's what I'm wondering too...
decebal
22-01-2007, 11:03 PM
That's what I'm wondering too...
yes. it will supercid your device
Matterhorn
22-01-2007, 11:19 PM
yes. it will supercid your device
So then I guess it is settled (if the unlock works). We pay 28 euros, unlock our phone and load the new Dopod WWE ROM with gps enabled...I think I'll wait on reports of how this ROM performs.
volume
22-01-2007, 11:53 PM
I bought the unlock but am too scared to try it yet.
wishmaster82
23-01-2007, 08:33 AM
I've unlocked my Italian P3600. Now I have HTCSSuperCIDHTCE
^__^
Remember to activate USB Advanced Function in START--MENU--SETTINGS--CONNECTION - USB to PC
kitcar
23-01-2007, 09:46 AM
I've unlocked my Italian P3600. Now I have HTCSSuperCIDHTCE
^__^
Remember to activate USB Advanced Function in START--MENU--SETTINGS--CONNECTION - USB to PC
You already paid for the unlock?
wishmaster82
23-01-2007, 09:48 AM
You already paid for the unlock?
yes... 38 eur
Guybrush
23-01-2007, 10:06 AM
thanks i wish for a free solution soon :P
YESSSSSSSSSSSSSSSSSS~!
Working!!!!!!!!!!!!!!!!!!!!
CID Unlocked!
adewidt
23-01-2007, 03:18 PM
thanks i wish for a free solution soon :P
Maybe it is possible to take the same approach as with the Hermes and reverse engineer the Imei-check program. I already took a look at the program with a hex editor, but the program is encrypted as far as I saw.
I don't know what the best approach is to start creating my own unlock utility.
My programming skills are limited to PHP and C# etc.
Hopefully Pof can give us some hints on where to start.
I am willing to pay for the unlock service if it helps to create a CID unlock solution.
Imei-check unlockers are packed with Themida; they put very good protections in place to make it very hard to disassemble them and run them in debuggers. USB sniffing is possible, but they also try to prevent this.
There are basically two things that you need before you can make a free unlocker:
1) radio patch: The Trinity radio has the same structure as the Hermes radio, and the patch is almost the same. There are several parts patched; all have a fixed offset except the last one:
Decoded radio, patched bits (first column is the offset)
+0000c810 d4 c8 b1 00 d4 c8 b1 00 d4 c8 b1 00 00 00 00 00
^^ ^^ ^^ ^^ ^^ ^^
+0000c820 d4 c8 b1 00 00 00 00 00 00 00 00 00 00 00 00 00
^^ ^^
+00010810 d4 c8 b1 00 d4 c8 b1 00 d4 c8 b1 00 00 00 00 00
^^ ^^ ^^ ^^ ^^ ^^
+00010820 d4 c8 b1 00 00 00 00 00 00 00 00 00 00 00 00 00
^^ ^^
+00102ef0 04 00 00 1a 06 10 a0 e1 04 00 a0 e1 ef fb ff eb
^^ ^^
The last part is at a variable offset between 0x00159600 and 0x00159900, and not always the same bits are patched.
You can extract the patch by sniffing what the unlocker does over USB.
Be warned that there are some Trinity radios with HTC radio bootloader V1.0108, and this process is probably not valid for these radios; you had better capture the unlocker process while unlocking a device with a V1.0107 radio bootloader.
2) flashing unsigned code: You need a way to flash unsigned code to the radio to be able to make a free unlocker. On Hermes this is possible with the 1.04 bootloader using the 'rtask' command to access the radio bootloader; that's why my unlocker only works with this bootloader version, but on Trinity you don't have a bootloader that allows this AFAIK.
In short, what imei-check does to be able to flash unsigned code is to put a modified SPL in RAM, disable the MMU and jump from WinCE to the address where this SPL is stored. Reimplementing this is hard work; I tried by modifying haret but still haven't been able to successfully start a working bootloader from it.
If you are not able to do this with your programming skillz, you'll have to extract the files from the imei-check unlocker. This can also be done by sniffing the ActiveSync connection that the unlocker makes prior to jumping to the modified SPL, but you will not be able to provide a free solution with these files, because imei-check will claim intellectual property rights on them, so you had better not publish this even if you are able to extract it from the unlocker.
Hope this makes more or less clear what you have to do, as always feel free to ask if you are interested in learning more and something is unclear, but please review the hermes thread (http://forum.xda-developers.com/showthread.php?t=280819) first, where this is explained in more detail.
Good luck!
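As an added example (not code from this thread, from pof's tools, or from the imei-check unlocker), a Python check that a ROM cook or a defender can run on a decoded Trinity radio image to tell whether it differs from a reference only where the patch layout above writes; the row bytes and offsets come from pof's post, while the image size and the two sample images are constructed.

```python
from typing import Dict, List, Tuple

# 16-byte rows pof lists as the patched state at fixed offsets of a decoded
# Trinity radio image (values copied from the post above).
PATCHED_ROWS: Dict[int, bytes] = {
    0x0000C810: bytes.fromhex("d4c8b100d4c8b100d4c8b10000000000"),
    0x0000C820: bytes.fromhex("d4c8b100000000000000000000000000"),
    0x00010810: bytes.fromhex("d4c8b100d4c8b100d4c8b10000000000"),
    0x00010820: bytes.fromhex("d4c8b100000000000000000000000000"),
    0x00102EF0: bytes.fromhex("0400001a0610a0e10400a0e1effbffeb"),
}
# The last patched part sits somewhere in this window, per the post.
VARIABLE_REGION: Tuple[int, int] = (0x00159600, 0x00159900)


def rows_present(image: bytes) -> List[int]:
    """Offsets whose 16-byte row equals the documented post-patch bytes.

    Matching every row is a strong sign the image went through the unlock
    patch; matching none proves nothing on its own, because an unpatched row
    may share most of these bytes (the post marks the changed bytes with ^^,
    and those marks are not reproduced here).
    """
    return [off for off, row in PATCHED_ROWS.items() if image[off:off + 16] == row]


def classify_diffs(reference: bytes, candidate: bytes) -> Dict[str, List[int]]:
    """Bucket every byte offset where candidate differs from reference."""
    if len(reference) != len(candidate):
        raise ValueError("images differ in size; compare decoded images of one radio version")
    buckets: Dict[str, List[int]] = {"fixed": [], "variable": [], "unexpected": []}
    lo, hi = VARIABLE_REGION
    for off, (a, b) in enumerate(zip(reference, candidate)):
        if a == b:
            continue
        if any(base <= off < base + 16 for base in PATCHED_ROWS):
            buckets["fixed"].append(off)
        elif lo <= off < hi:
            buckets["variable"].append(off)
        else:
            buckets["unexpected"].append(off)
    return buckets


def verdict(reference: bytes, candidate: bytes) -> str:
    """One-line integrity verdict for a radio image dumped from a device."""
    d = classify_diffs(reference, candidate)
    if d["unexpected"]:
        return "modified outside the documented patch layout"
    if d["fixed"] or d["variable"]:
        return "differs only where the documented unlock patch writes"
    return "identical to reference"


def build_samples() -> Tuple[bytes, bytes]:
    """Constructed stand-ins: a zero-filled 'reference' and a copy carrying the rows."""
    size = 0x00160000  # assumed: just large enough to cover the variable window
    reference = bytes(size)
    patched = bytearray(reference)
    for off, row in PATCHED_ROWS.items():
        patched[off:off + 16] = row
    patched[0x00159700] ^= 0x01  # one byte flipped inside the variable window
    return reference, bytes(patched)


if __name__ == "__main__":
    ref, cand = build_samples()
    print([hex(o) for o in rows_present(cand)])
    print(verdict(ref, cand))
```

A real reference image must be the decoded radio of the same version as the dump, otherwise every version difference lands in the "unexpected" bucket.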
Matterhorn
25-01-2007, 10:24 AM
Pof, anyone,
I tried the Imei-check unlock. Unfortunately it wouldn't work on my HTC P3600. The guys that run the service were great and gave me a refund. Apparently there is something strange about my phone/ROM. I decided to reload the "shipped" HTC Trinity ROM from the XDA FTP site. When the bootloader screen came up it said MFG SPL 1.01...??? What is that? I thought it should be SPL 1.06, 7 or 8??? In the end the ROM loaded normally, so I suppose that I can wait for the official ROM update like the others. I'm just wondering why my SPL is different.
Because imei-check unlocker puts this bootloader version on your device.
Matterhorn
25-01-2007, 02:59 PM
Because imei-check unlocker puts this bootloader version on your device.
Is this a bad thing? Could it cause problems later? I guess it can be changed back again by another ROM update?
Thanks
ItalianTytan
25-01-2007, 03:23 PM
SPL-1.01 ??
If that bootloader could be extracted, I think a free unlocker for Trinity could be a reality very very soon!
I have patched the 1.22.01.01 radio with HTC_BOOT 0107. When flashed on a Trinity device it should give security Level=0 (SuperCID) and allow you to SIM unlock it using any MSL code.
Download: GSM122patched_unsigned.zip (ftp://xda:xda@ftp.xda-developers.com/Trinity/Unlocker/GSM122patched_unsigned.zip)
The only problem is that you can't flash it, because it is not signed and the bootloader won't allow it, so you need to start researching how to flash unsigned code on Trinity. I don't have a Trinity and can't help you much on this.
dersvenni
27-01-2007, 05:29 PM
hi :) I am a noob. What do I have to do with the *.nb file?!
Matterhorn
27-01-2007, 05:37 PM
I have patched the 1.22.01.01 radio with HTC_BOOT 0107. When flashed on a Trinity device it should give security Level=0 (SuperCID) and allow you to SIM unlock it using any MSL code.
Download: GSM122patched_unsigned.zip (ftp://xda:xda@ftp.xda-developers.com/Trinity/Unlocker/GSM122patched_unsigned.zip)
The only problem is that you can't flash it, because it is not signed and the bootloader won't allow it, so you need to start researching how to flash unsigned code on Trinity. I don't have a Trinity and can't help you much on this.
Since I have bootloader MFG 1.01 on my Trinity do you think this bootloader would allow me to run the file?
When does the bootloader check the image signature: only during flashing, or on every system boot too? If the first, why does patching the ROM without bootloader assistance seem to be considered not such a good idea? Having the device application unlocked (trustlevel=2) we can do any low-level stuff from WinCE, and the SC32442's NAND flash controller is pretty well documented. So why not?
Since I have bootloader MFG 1.01 on my Trinity do you think this bootloader would allow me to run the file?
If you have this bootloader, it means you've already paid to unlock... so this won't offer you anything new. And I don't know the features of this bootloader on Trinity... you should test which commands it has.
When does the bootloader check the image signature: only during flashing or on every system boot too?
Before flashing the file.
Having the device application unlocked (trustlevel=2) we can do any low-level stuff from WinCE, and the SC32442's NAND flash controller is pretty well documented. So why not?
If the radio code is flashed on the NAND (?) this should be a possible solution, but we have yet to find where exactly... and you'll possibly brick several devices before being able to do it right. I don't have that low-level WinCE programming experience.
What the imei-check unlocker does to flash unsigned code is easier: they just put a modified bootloader in RAM and jump into it from WinCE (the same way haret does with the Linux kernel). I think modifying haret to do this should be easier. I have been trying to do that on Hermes, and I have some code if you want to have a look... probably you can adapt it to Trinity.
On Hermes I can jump successfully to IPL (0x00000000) and also modify it, see a "proof of concept" photo below, but I have problems after I copy a "custom" SPL (0x30000000) into memory: the device hangs when I jump into it (after disabling the MMU, etc...).
http://pof.eslack.org/hermes-unlocker/haret/spl.jpg
Antinazi
28-01-2007, 03:47 PM
So how can i unlock Trinity for free with a file you provided?
Matterhorn
29-01-2007, 08:03 AM
If you have this bootloader, it means you've already paid to unlock... so this won't offer you anything new. And I don't know the features of this bootloader on Trinity... you should test which commands it has.
Before flashing the file.
Yeah, I paid for the unlock, but it didn't work. I now have bootloader MFG 1.01 on my Trinity and it is still locked. Apparently there was some problem with my device and the unlock. I reflashed my P3600 WWE with the standard HTC ship ROM from the ftp successfully, and it still wouldn't run the unlocker...so I guess I will have to wait for an "official" ROM release.
If the radio code is flashed on the NAND (?)
Good question indeed. The radio unit is a somewhat independent subsystem, so it may or may not be, depending on the specific design. I can't tell you anything about Trinity now, but there is a simple way to find it out. However, patching the radio ROM is not the only way to victory: wouldn't it be enough to flash a patched bootloader with no signature checking? But there is another vital question: does the BL contain a self integrity check? A very brief examination of the Trinity SPL makes me think that this is rather unlikely, but who knows. Is there any experimental proof of the presence or absence of it?
and you'll possibly brick several devices before being able to do it right.
What makes you think so? Correct me if I am wrong, but while we keep the BL & radio virginal we have no chance of bricking the device in any case. And the flasher could be debugged on less critical parts of the ROM. Certainly if we flash wrong code or the device power unexpectedly goes down during the flashing process we'll get a brick. But flashing with the bootloader has the same vulnerability.
I don't have that low level wince programming experience.
I do. I can't say the same thing about free time unfortunately, but sometimes I have it too.
What imei-check unlocker does to flash unsigned code is easier
I doubt it.
but I have problems after I copy a "custom" SPL (0x30000000) into mem and device hangs when I jump into it (after disabling MMU, etc...)
How deep were the customisations? Just patching a couple of conditional branches with NOPs, or patching the init code too? The SPL at least contains tons of hardcoded absolute addresses, and does the MMU setup. It is necessary either to patch them, or maybe do the initial setup yourself and after that jump to the SPL code that does the actual job. Quite doubtful that this is easier than writing a simple standalone flasher.
wouldn't it be enough to flash a patched bootloader with no signature checking?
That would be enough to flash any ROM (bypass CID checking), but not to have security level=0 or remove the SimLock.
does bl contain self integrity check ?
No, it does not.
Is there any experimental proof of presence or absence of it?
what makes you think so?
For IPL you can see the photo I attached in my previous comment. For SPL there's no proof of concept on Trinity, but I can show you for Artemis... will explain later ;)
correct me if I am wrong, but while we keep the BL & radio virginal we have no chance of bricking the device in any case. And the flasher could be debugged on less critical parts of the ROM. Certainly if we flash wrong code or the device power unexpectedly goes down during the flashing process we'll get a brick. But flashing with the bootloader has the same vulnerability.
That's right, I have no idea on how to do low-level access to physical NAND from CE. I said you can brick it while programming the flasher because I guess if you do something wrong in your code you can produce permanent failures on NAND (ie:a write operation which is not performed block-wise would certainly damage the NAND flash, isn't it?).
I doubt it.
How deep were the customisations? Just patching a couple of conditional branches with NOPs, or patching the init code too? The SPL at least contains tons of hardcoded absolute addresses, and does the MMU setup. It is necessary either to patch them, or maybe do the initial setup yourself and after that jump to the SPL code that does the actual job. Quite doubtful that this is easier than writing a simple standalone flasher.
Well, for me writing a standalone flasher seems more risky than doing all the stuff in RAM :)
I started this project with a couple of people; we have Hermes, Trinity, Artemis and Herald devices. We have successfully started an Artemis & Herald SPL using a modified version of psetmem (from itsutils) which places the split spl.nb file at memory address 0x10000000, then we use a modified gnuharet to disable DMA and jump to this address, and the code is executed successfully: we can start for example bootloader version 1.11 while having 1.25 on the device. We have not yet modified the SPL to accept custom certificates or unsigned dbh files, but one of us is working on this right now.
On Hermes & Trinity it is a bit more difficult; we are not 100% sure yet what the problem is: We can jump successfully to the IPL address, but then IPL reads the SPL from NAND and executes it, so even if we previously place an SPL in memory it is overwritten by IPL. If we jump to the SPL address the device just hangs and we have no way of debugging it (having the JTAG points for these devices would be amazing, but no one knows them as far as I'm concerned). We know it is copying the SPL correctly because we print a red line in video RAM after copying it, but it just hangs after this. Our strongest bet at the moment is that the SPL is not able to run standalone on Hermes & Trinity; it has some interaction with IPL, and the IPL code needs to be run first to set up the proper environment for it.
Anyway, if you want more details or want join us in this project you are more than welcome to participate, or if you want to take the other approach and start developing a custom flasher it would be good too, we'll certainly learn something and have some fun with it! PM me and I will send you my IM contact details :)
rdkay
30-01-2007, 09:38 PM
Yeah, I paid for the unlock, but it didn't work. I now have bootloader MFG 1.01 on my Trinity and it is still locked. Apparently there was some problem with my device and the unlock. I reflashed my P3600 WWE with the standard HTC ship ROM from the ftp successfully, and it still wouldn't run the unlocker...so I guess I will have to wait for an "official" ROM release.
I too have paid for the unlock; I have just bought the P3600 to flash the GPS firmware, but the unlocker never succeeds. I have not yet tried to get in touch with imei unlock support... @MATTERHORN: Can you give me a hint at whom you directed the complaint at IMEI UNLOCK?
Cheers
That would be enough to flash any ROM (bypass CID checking), but not to have security level=0 or remove the SimLock.
which would be enough to do everything you want :)
That's right, I have no idea on how to do low-level access to physical NAND from CE.
Start from CE, pre-setup the environment (memory mappings, load data from files, etc), disable interrupts and say bye-bye to CE.
On Hermes & Trinity it is a bit more difficult, we are not 100% sure yet of what the problem is: We can jump successfully to IPL address, but then IPL reads SPL from NAND and executes it, so even if we previously place a SPL on memory it is overwritten by IPL.
A good question contains at least half of the answer: patch the IPL and you'll get the result.
I've tried to jump to the IPL, but the machine hangs on its execution (debugging screen-drawing code placed at 0x00000000 works just fine). Surely I need to shut down the hardware more accurately, but no time for it :( So if you do have working code, then look at this (Trinity 0.50 IPL):
ROM:00000380 STMIA R0!, {R1-R8} ; here RAM at 0x3000000-0x30080000 gets zeroed
ROM:00000384 SUBS R9, R9, #0x20
ROM:00000388 BNE loc_380
ROM:00000904 LDRB R1, [R6,#0x10] ; here we read a byte from NAND
ROM:00000908 ADD R0, R0, #1
ROM:0000090C CMP R0, #0x800
ROM:00000910 STRB R1, [R4],#1 ; and here we store it to RAM
ROM:00000914 BLT loc_904
I'm sure that you know how to replace a couple of STRs with mov r0, r0 :)
Matterhorn
31-01-2007, 09:45 AM
I too have paid for the unlock; I have just bought the P3600 to flash the GPS firmware, but the unlocker never succeeds. I have not yet tried to get in touch with imei unlock support... @MATTERHORN: Can you give me a hint at whom you directed the complaint at IMEI UNLOCK?
Cheers
Look for a private message. I sent them a screenshot of the DOS window of the unlock process. Then they had me run a trace file. I sent it to them, and they said that there is a problem with some ROMs... what luck. Anyway, they sent me a refund.
The good news is that I just read in another thread that the official HTC ROM could be coming as early as the 4th of February!
Good news - with a patched IPL I was able to run the SPL from RAM.
http://img209.imageshack.us/img209/9651/trinitygk3.th.jpg (http://img209.imageshack.us/my.php?image=trinitygk3.jpg)
and yes, with a patched SPL I've got SuperCID and security level=0
http://img216.imageshack.us/img216/4294/untitled1qt6.th.png (http://img216.imageshack.us/my.php?image=untitled1qt6.png)
Now my loader code is one big quick'n'dirty hack baked in half an hour, so it is quite unstable (I mean it does not start the IPL every time it runs) and I have no time to debug it now. But all principal problems are solved, and if I have a bit of free time on the weekend you'll get the "softspl" for flashing your Trinity with everything you want.
dersvenni
31-01-2007, 03:43 PM
Great News mate
mdacfan
31-01-2007, 03:48 PM
@Des
Sounds great !! Hope you will have some free time for development before the weekend ;-)
Good news - with a patched IPL I was able to run the SPL from RAM.
and yes, with a patched SPL I've got SuperCID and security level=0
damn! :eek: :D
I've been fighting to get that done on hermes for ages! You're the best!
@Des: Again I am so impressed by how you managed to do this in such little time; you must be very well versed in these matters... I'm just a newbie :)
We have modified the IPL and substituted the part where the RAM is zeroed with a nop (MOV R0, R0) and the "STRB R1, [R4],#1" with "ADD R4, R4, #1", and it does not boot on Hermes. But if we leave the STRB in place, it boots with our "modified" IPL (but getting the SPL from NAND :().
Attached is the original Hermes IPL-1.01 and two different unsuccessful attempts to make it not read the SPL from flash.
Any clues on what is wrong here?
machinagod
01-02-2007, 04:01 PM
Amazing work Des.
Been working on the same thing, but still not at the point where you are.
Keep up with it!
Any clues on what is wrong here?
Put some debug code in memory instead of the SPL (like this one - it paints the screen white. It's in M$ armasm, may not be directly compatible with gnu, but the idea is simple):
psphys
MOV R0, #0x10800000 ; framebuffer physical address
MOV R1, #0xFFFFFFFF ; two white pixels
MOV R2, #0x12C00 ; 320*240
psloop
STR R1, [R0], #4
SUBS R2, R2, #2
BNE psloop
B psphys ; prevent further code execution
Does it get there? If not, things got much easier - the IPL is less than 4k in size, so it is pretty possible to reverse it instruction by instruction. If yes, then we must find out where the SPL halts, not too simple but still possible. But before debugging the SPL may I ask you what steps you perform before saying "mov pc, #0"?
I'm rather far away from HTC ROM formats and not very keen on looking into them, so if you want to be able to flash unsigned code - please cook me a ROM with an invalid signature but correct in all other aspects (format, CRCs, etc).
sasta
02-02-2007, 02:14 PM
Great solution and very fast
I hoped there would be a free one, but as someone else said, I paid 600E for the Trinity, so I might as well pay 28 for having the GPS on board.
Now I am a very happy trinity gps owner
tower5
02-02-2007, 06:25 PM
my HTC p3600 , TIM branded , shows these values in bootloader:
TRIN 100
IPL-0.50
TRIN100
SPL-1.07.000
Does it mean anything special? Can I proceed with the CID unlock procedure using the link in the first post, or is it better to wait?
Do these values indicate any "special risk" in doing this unlocking procedure?
Please let me understand what could happen... using a simple explanation
Thanks for any help !!
put some debug code in memory instead of the SPL (like this one - it paints the screen white.
[...]
does it get there ?
No :(
The IPL is hanging when I patch it to not copy the SPL contents from NAND.
If not, things got much easier - the IPL is less than 4k in size, so it is pretty possible to reverse it instruction by instruction. If yes, then we must find out where the SPL halts, not too simple but still possible.
Yes, I can make the IPL paint the screen right before it starts reading the SPL from NAND, but not after that, so I think it's halting right after it, at offset 0x934.
But before debugging the SPL may I ask you what steps you perform before saying "mov pc, #0"?
First I use machinagod's modified psetmem.exe to place the files in memory:
psetmem.exe -f -p 0x00000000 IPL.nb
psetmem.exe -f -p 0x30000000 SPL.nb
Then I use a modified haret version to jump to physical address 0, which I know is working because I can place a modified IPL (for example with only the version number hex edited) and jump into it. I can provide the source if you are interested.
I'm rather far away from HTC ROM formats and not very keen on looking into them, so if you want to be able to flash unsigned code - please cook me a ROM with an invalid signature but correct in all other aspects (format, CRCs, etc).
Take any NBH file (http://wiki.xda-developers.com/index.php?pagename=Hermes_NBH) and modify the header (for example the CID); this will make the signature invalid. You can also remove the signatures with nbh2dbh.pl (http://nah6.com/~itsme/cvs-xdadevtools/xda2nbftool/nbh2dbh.pl) and sign the file again with your custom certificate using ImageHash.exe (from .NET Compact Framework).
No :(
As I've said before, this is more likely good than bad: the IPL is really small. I'll surely take a look at this as soon as I have time for it.
The IPL is hanging when I patch it to not copy the SPL contents from NAND.
One possible reason may be that the NAND contains some configuration data (for example KernelIoControl() used to jump to service mode just sets some flags in NAND and makes a reset after that), but however I haven't noticed any usage of this data by the Trinity IPL.
First I use machinagod's modified psetmem.exe to place the files in memory... Then I use a modified haret version to jump to physical address 0
Quite a dirty way indeed. You have the OS running (and possibly accessing memory) when you are writing to memory and before you jump to it. I'm not sure if the memory occupied by the IPL and SPL is used by the OS (and for the IPL I'm almost sure that it isn't), but disabling interrupts (=> stopping the OS task scheduler) before placing the IPL and SPL in their places is a good idea: maybe this is unnecessary, but it costs nothing, does no harm and eliminates any possible problems from that side.
Take any NBH file (http://wiki.xda-developers.com/index.php?pagename=Hermes_NBH) and modify the Header (for example the CID) this will make the signature invalid.
Doesn't this ruin the CRC/checksum too, or is data integrity in signed ROMs protected only by signatures (which of course is more than enough, but for compatibility reasons a conventional (non-cryptographic) checksum may still be in use, as I guess)?
You can also remove the signatures with nbh2dbh.pl (http://nah6.com/~itsme/cvs-xdadevtools/xda2nbftool/nbh2dbh.pl) and sign the file again with your custom certificate using ImageHash.exe (from .NET Compact Framework).
Thanks, I'll try this.
Please can someone answer to this question:
- unlocking CID (superCID), after installing the TEST ROM, will I be able to upgrade to the official HTC ROM, whatever bootloader it has?
copycat
10-02-2007, 02:43 PM
I have this HTC P3600 with a Portuguese ROM on it.
If I do this unlock, will I be able to replace it with an English ROM...? Or will I still be obliged to put a Portuguese ROM on as the original one...?
Can anybody help me...?
Thanks in advance!
btprice2001
10-02-2007, 02:47 PM
Please can someone answer to this question:
- unlocking CID (superCID), after installing the TEST ROM, will I be able to upgrade to the official HTC ROM, whatever bootloader it has?
I asked that same question here:
http://forum.xda-developers.com/showthread.php?t=293182&page=6
I was told that you can only install a ROM with the same or a higher version bootloader, so if the test ROM has the 1.07 boot and you install it, and the official HTC ROM has the 1.06 boot, you would not be able to install the official HTC ROM. That's why I'm still waiting.
Wire64
10-02-2007, 02:47 PM
If I do this unlock, will I be able to replace it with an English ROM...?
yes you can.
anonimo
10-02-2007, 02:48 PM
I have this HTC P3600 with a Portuguese ROM on it.
If I do this unlock, will I be able to replace it with an English ROM...? Or will I still be obliged to put a Portuguese ROM on as the original one...?
Can anybody help me...?
Thanks in advance!
Third time the same message. All your questions are already answered if you can read. Be warned the HTC P3600 will be very hard to use whatever language you install IF YOU DON'T READ.
Matterhorn
10-02-2007, 09:52 PM
I asked that same question here:
http://forum.xda-developers.com/showthread.php?t=293182&page=6
I was told that you can only install a ROM with the same or a higher version bootloader, so if the test ROM has the 1.07 boot and you install it, and the official HTC ROM has the 1.06 boot, you would not be able to install the official HTC ROM. That's why I'm still waiting.
I wonder, if you run the imei-check unlocker on the device again, whether it changes the bootloader back to 1.01. Imei-check didn't work on my Trinity, but it now has a 1.01 MFG bootloader. I'll have to wait for an official HTC WWE ROM to get my GPS activated :mad: .
Last weekend I was too busy with skiing and too far away from a PC to keep my promise and code a bit. Hope that this (http://forum.xda-developers.com/showthread.php?t=293632) would be more than enough compensation for that :)
Wire64
11-02-2007, 02:00 AM
Hope that this would be more than enough compensation
I think everyone will be grateful