
[GUIDE] SUCCESS!!! SIM-Unlock Sprint XT1056 (SIM-CRACK) Moto X GSM **NOW U.S. TOO!**

OP samwathegreat

23rd July 2014, 06:04 AM   |  #1  
Greetings fellow XDAers,

It's finally happened: SIM-Unlock for the Sprint Moto X (XT1056)


(International-use Only. Anyone in the U.S. - Don't bother at the moment. Myself and some others are looking into the possibility of extending the SIM-CRACK to U.S. users, but RIGHT NOW, not possible. Sorry.) NOW EXTENDED TO DOMESTIC U.S. USERS AS WELL! - I have discovered the domestic-unlock solution!!!!

First, a little background:

Since its debut in August, 2013 many people have been trying to crack the SIM-LOCK on the XT1056. Many have tried and long since given up. I officially became involved in the project in May, 2014, and since then, had taken over the project. After much research, I determined that a Chinese hacker had found the solution and was offering a SIM-Unlock service on Taobao.com. This individual was extremely secretive about his methods - and told no one the solution. In order to use the service, you had to SEND your XT1056 to China to be unlocked (for fear of someone discovering his method). Then, a short time afterwards, the listing completely disappeared from Taobao, never to be seen again. Afterwards, sellers only offered PRE-SIM-CRACKED XT1056's on Taobao. Fortunately, I had already discovered (by reading his prior listing), that the SIM-Unlock required that you NEVER erase the modemst1 and/or modemst2 partitions (the equivalent of EFS/baseband cache on the Moto X).

At this point, I knew without a doubt that the key was in the modemst partitions. The breakthrough, however, didn't come until Mid-July, when another XDA Member: @yefonme posted to the thread that they had obtained a China-SIM-Cracked XT1056. This user confirmed the information I already knew by telling me that the seller advised that they must never erase the modemst partitions or the SIM-Unlock would be lost. This user generously offered to assist in helping find the solution, just for sheer curiosity - they wanted to know HOW the SIM-Unlock was achieved.

At this point, I thought we had everything we needed. Knowing that the key lies in the baseband cache, I requested various users to use a tool to backup their modemst1/modemst2 partitions, and send them to me for comparison with a HEX-Editor. Several users obliged, but unfortunately, we hit another roadblock -- the EFS partitions turned out to be ENCRYPTED TO HELL! That method was going nowhere. Then I realized that upon erasing the baseband cache (modemst1/modemst2 partitions), that all NV-ITEMS were reset to their factory defaults. BINGO! This means that the baseband cache partitions MUST store the encrypted contents of NVRAM!

This meant we had another option! Using standard CDMA tools, we could do a "DUMP" of the values stored in NVRAM. Another user, @ezeuba, suggested a simple tool, and provided instructions for the others involved to DUMP the contents of their NVRAM, for comparison. Another big issue: Since many NVITEMS are inactive / restricted, even between 2 Sprint SIM-Locked devices, it made it completely impossible to use a utility to run a differential comparison between these NV-DUMPS. This meant that the NV-ITEMS had to be compared manually, by-hand.

I spent countless hours scouring through the data, comparing the THOUSANDS of NV-ITEMS from the China-Cracked XT1056 with the dumps provided by the Sprint SIM-Locked users. It was taking forever! I knew that the key to comparing the NVITEMS was finding values that were the SAME on all the Locked XT1056s, but DIFFERENT, only on the SIM-CRACKED XT1056. If a particular NVITEM differs between 2 or more LOCKED XT1056s, it is likely not the value we are looking for.

Then, finally, I came across an NVITEM that struck me as unique. It was the SAME on all the LOCKED XT1056's I analyzed, but different ONLY on the CRACKED XT1056. I was hesitantly optimistic, and posted about it here: http://forum.xda-developers.com/show...&postcount=250

Well, my intuition was Spot-On, and this DID turn out to be the proverbial "smoking gun". Another user (ignoring my suggestions to WAIT and let another user who had offered to donate an XT1056 mainboard try it first) went ahead and wrote the new value as I had suggested. BAM!!! And the rest is HISTORY.

OK, so enough about the history, and on to the solution!!!!!


So the key lies in NVITEM # 8378

On the China-Cracked XT1056, the value was "01"
On all the SIM-LOCKED XT1056's, the value was "00"


That's all there is to it. You can use the CDMA Tool of your choice to write "01" to NVITEM 8378 to achieve SIM-Unlock!

You will also need to change the RUIM config to "RUIM-Only" in order to prevent the phone from reverting to CDMA-mode upon reboot. This is controlled by NVITEM 855 (see instructions in post # 2)

This method is KNOWN to unlock for all international GSM carriers, but DOES NOT unlock for Domestic U.S. carriers. Something else is in place, it appears, that BLOCKS the United States MCCs. NOW EXTENDED TO U.S. USERS AS WELL!!!

POST # 2 in this thread will be reserved for complete instructions for those of you who aren't familiar with how to write NV-ITEMS. These instructions are courtesy of @ezeuba.

POST # 3 will be reserved for detailed instructions on how to install the necessary DIAG Drivers, and how to manually FORCE driver installation, if necessary.

I believe in giving credit where it is due, so I want to personally thank:

* @hsngt and @jaaa1976 - who provided me with the NVDUMPS I used to find the SIM-Unlock method. @jaaa1976 was the FIRST person to be unlocked by my method

* @ezeuba for providing these users with step-by-step instructions on how to READ and SAVE said NVITEM dumps.

* @Vivjen for support and generous offer to donate a XT1056 mainboard (which turned out to be unnecessary)

* @crabbyone for encouraging me to take a 2nd look at NVITEM # 8322 (which turned out to be the Domestic Unlock solution)

* @Arnold Snarb for originally discovering the property of NVITEM # 8322 (which unlocked the Razr M for domestic use)

* All the others who submitted EFS and/or NVDUMPS (even though I didn't use them to find the solution)

* Everyone who believed in me and provided encouragement and moral support ( that includes YOU, @KJ )

* Everyone who makes good on their bounty pledges and everyone who DONATES (paypal: samwathegreat@gmail.com )

* Everyone who is appreciative and gracious for the ENORMOUS amount of time I've spent making this SIM-Unlock possible for everyone

* The China-man who found the solution FIRST, even though he didn't share it with anyone and intended to only use it for Profit (I bet he is PISSED at me -- he was charging $80 U.S. for EACH unlock )

*** and ESPECIALLY @yefonme --- without YOU, NONE of this would be possible.




[Q]: How much should I donate to you for all the time (weeks) you spent working on this?

[A]: Please donate what you feel it is worth to you. The XT1056 can be found far cheaper than any other Moto X Variant, and now that we can SIM-UNLOCK it, it will become much more popular. If I have saved you money, or added value to the phone you already own, I would appreciate being compensated accordingly. I realize that some are not able to donate, and I understand. Do what you can / what you feel is fair. I spent countless hours on this, and would appreciate being somewhat-compensated for my efforts. This, of course, is not a requirement, since I have posted the solution and made it freely available to everyone. Keep in mind that the China Taobao-seller was charging $80 for EACH unlock...and HIS sim-crack didn't even unlock for Domestic U.S users!!!

PayPal Donation address: samwathegreat@gmail.com

DO NOT email me asking for help with this. I won't answer you. *Post in the Thread* - this is the only way you will get support. I'm sure that you understand...

Additional info:
This works for all Republic Wireless XT1049's also, but ONLY if you can unlock the bootloader (only possible through the "China Middleman" - use search). You MUST flash the Sprint XT1056 ROM to your RW XT1049 device for this to work for you.

DISCLAIMER:

If you use my SIM-CRACK, I'm not responsible for ANYTHING that goes wrong. USE CAUTION! If you hit the wrong button, or write the wrong NVITEM, you could end up in BIG TROUBLE (possible BRICK). You have been warned.


And lastly, YOU MAY ---NOT--- COPY ANY PART OF MY SIM-UNLOCK METHODS. YOU MAY NOT SHARE/RE-DISTRIBUTE MY FILES, OR POST THEM TO OTHER SITES. THE ONLY ACCEPTABLE THING IS TO ---LINK--- THIS THREAD TO OTHER SITES. IT IS UNACCEPTABLE TO STEAL MY (OR ANYONE ELSE'S) WORK!!!!! I will be extremely offended if I find that someone stole my work and posted it elsewhere. ONLY Link this thread. Don't copy any or all of its contents elsewhere. PERIOD.

^This is NOT an unreasonable request....
Attached image: moto_x_unlocked.jpg
Last edited by samwathegreat; 21st August 2014 at 05:02 PM.
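The comparison rule described in post #1 (keep only NV items that are identical on every locked phone and different on the unlocked one), written out as an added example that is not part of the original thread or its tools. The in-memory dump layout, the names `candidate_items` and `min_locked`, and every item number and value other than 8378 with "00"/"01" are assumptions made for illustration; a missing key models an inactive/restricted item that could not be read.

```python
"""Differential comparison of NV-item dumps (added example, constructed data)."""

# Constructed sample dumps: NV item number -> hex string value.
# Only item 8378 and its "00"/"01" values come from the thread; all other
# items and values are made up. A key missing from a dict stands for an
# inactive/restricted item that the dump tool could not read on that phone.
LOCKED_DUMPS = {
    "locked_a": {10: "04", 441: "0A1B", 8378: "00", 9001: "FF"},
    "locked_b": {10: "04", 441: "33C2", 8378: "00"},
    "locked_c": {10: "04", 441: "7F00", 8378: "00", 9001: "ff", 9002: "01"},
}
CRACKED_DUMP = {10: "04", 441: "90DE", 8378: "01", 9001: "FE"}


def normalize(value):
    """Make hex strings comparable regardless of spacing or letter case."""
    return value.replace(" ", "").upper()


def candidate_items(locked_dumps, reference_dump, min_locked=None):
    """Apply the rule from post #1.

    An item is a candidate when it is readable on the reference phone and on
    at least `min_locked` locked phones (default: all of them), has one single
    value across those locked phones, and a different value on the reference.
    Returns (candidates, skipped) so that excluded items stay visible.
    """
    dumps = list(locked_dumps.values())
    if min_locked is None:
        min_locked = len(dumps)
    min_locked = max(1, min_locked)

    candidates = {}
    skipped = {"unreadable": [], "varies_between_locked": []}

    all_items = set(reference_dump).union(*dumps)
    for item in sorted(all_items):
        locked_values = [normalize(d[item]) for d in dumps if item in d]

        # Inactive/restricted items cannot be compared fairly: set them aside
        # instead of reporting "missing vs present" as a difference.
        if item not in reference_dump or len(locked_values) < min_locked:
            skipped["unreadable"].append(item)
            continue

        # A value that differs between two locked phones is per-device data
        # (calibration, identifiers), not the setting being searched for.
        if len(set(locked_values)) > 1:
            skipped["varies_between_locked"].append(item)
            continue

        ref_value = normalize(reference_dump[item])
        if ref_value != locked_values[0]:
            candidates[item] = (locked_values[0], ref_value)

    return candidates, skipped


if __name__ == "__main__":
    found, skipped = candidate_items(LOCKED_DUMPS, CRACKED_DUMP)
    for item, (locked, ref) in found.items():
        print(f"NV item {item}: locked={locked} reference={ref}")
    print("set aside:", skipped)
```

Lowering `min_locked` admits items that were unreadable on some locked phones; those are weaker candidates because fewer dumps agree on them.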
23rd July 2014, 06:05 AM   |  #2  
OP samwathegreat

FULL INSTRUCTIONS

!!!!! A WORD OF WARNING:
Once you complete this method, it is possible that you will NEVER be able to use your phone on Sprint / CDMA again! I -stupidly- flashed my Republic Wireless XT1049 (I should have known better -- I am using their service, and had no intentions of switching to GSM) in attempt to get better results / instructions for you guys. Now my phone is STUCK in GSM mode, the roaming indicator will not go away, I can't make calls on CELL, and no matter what I've tried, I cannot revert back. Not flashing my EFS backup, nor flashing back to stock, nor erasing the modemst partitions has been able to get me back on CDMA. PRL is STUCK on "1", and no matter how many times I write a new PRL, it won't stick. I'll be lucky if I can get my phone back in working order.....

^EDIT to above: This turned out to be EASILY fixed by flashing the entire SPRINT SBF to my Republic Wireless device, then, subsequently flashing back the Republic Wireless ROM (I WANT to STAY on Republic Wireless). DO NOT ATTEMPT THIS SIM-Unlock on the Republic Wireless ROM. Something about the RW ROM prevents you from going back to CDMA once on GSM. Flash the SPRINT ROM, FIRST, if you want to GSM-Unlock your Republic Wireless XT1049. The SPRINT ROM does not seem to have this issue, so you are probably OK, but take caution, nonetheless. I'm finally back on Republic Wireless (CDMA) after hours of frustration and fear that I was permanently stuck on GSM.

I don't recommend this if you plan to ever go back to CDMA / Sprint Probably fine - But once again, use caution.

Still want to continue? ------> Don't blame me if you end up STUCK on GSM


If you want my support, you must be on the Stock XT1056 Sprint ROM. I will not support any other ROMS from any other variants, or any custom roms. If you change roms, good luck, but no support will be provided. Additionally, support will ONLY be provided by posting to this thread. Do not email me or PM me with questions. I'm sure you understand...

AND Don't forget: This DOES NOT unlock for Domestic use, in the United States. Blame Motorola/Sprint. Something else is in place, it seems, that BLOCKS the U.S. MCCs. If you live in the U.S., DON'T BOTHER, unless you plan to sell your device to someone overseas. Myself and others are looking into the possibility of extending the SIM-Unlock to those in the U.S., but hasn't happened YET. I've also discovered the DOMESTIC UNLOCK solution now, as well!!!

FIRST, you must be in DIAGNOSTIC MODE:

You MUST have "USB Debugging" DISABLED, or the DIAG Port will NOT activate!!!

Quote:
Originally Posted by ezeuba

There are 2 ways to get to DIAG mode on this device. If ##3424# doesn't work, you can try the default for most Motorola devices: Power off phone. Hold down BOTH Volume Buttons and press the Power Button (It's called the 3-finger salute). When the phone boots, it will display a diagnostic screen called Fastboot Mode with options to scroll to and select. Use the Volume Down Button to scroll and the Volume Up Button to select. Scroll to the bottom of that list and when BP TOOLS is highlighted, press the Volume Up Button. The phone will restart and if you have Motorola device drivers on your computer, it will install the correct port (something like BP DIAG port Motorola QC Diag Port - look for it in your computer's Device Manager to get the port number).


****If you are having driver issues, and you have an entry for "Motorola QC Diag Interface" (not "Port") under "Other Devices" (and not "Ports (COM & LPT)"), SEE POST # 3 for detailed instructions (WITH PICTURES) on how to FORCE the driver installation.

Next, download and install the attached "SPCUtility.apk" app on your phone. Run it -- it will give you YOUR SPC Code. Write it down / take note of it.

IF ANYONE CAN TELL ME WHO DEVELOPED THIS APP, I WILL GIVE THEM THE APPROPRIATE CREDIT. I have tried (without success) to find out who the author is.

unlock1

Then, flash the attached nv-unlock.txt, nv-unlock2.txt, unlock-domestic.txt AND nv-ruim-only.txt files as per these instructions:
1. Open the attached "NV-Items Reader-Writer"
2. Enter YOUR COM PORT # as shown in DEVICE Manager
3. Enter YOUR SPC Code into the box, as shown.
4. Check the box immediately next to where you entered the SPC Code.
5. Click "Connect"!

unlock2

Now, follow these instructions:
1. Click "READ" --AT THE TOP--
2. Make sure it says: "SPC is Correct. Phone Unlocked."
3. Click the "Write" button, and find the "nv-unlock.txt" file - make sure it confirms success
4. Click the "Write" button, and find the "nv-unlock2.txt" file - make sure this confirms success
5. Click the "Write" button, and find the "unlock-domestic.txt" file - make sure this also confirms success
6. Click the "Write" button, and find the "nv-ruim-only.txt" file - and make sure it confirms success as well
7. Last, click MODE, then RESET

unlock3


And lastly, once the phone reboots, go to Settings, More, Mobile Networks and select GSM/UMTS.

DONE! You are SIM-Unlocked!

KNOWN ISSUES: On domestic carriers, users are reporting that although it DOES work, the signal bars may show no service. (I am looking into this.) Additionally, if data isn't working, YOU NEED TO INPUT THE PROPER APN FOR YOUR CARRIER (as with all GSM phones).

^^^***THIS MAY BE SOLVED*** Apparently, it involves simply using fastboot to set your carrier! (THANKS, @ejlmd , and @leonardoafa !!!) You can see this post for more details: http://forum.xda-developers.com/show...&postcount=126 (And hit the "THANKS" to @ejlmd, and @leonardoafa in the linked post). This **should** fix your signal bar issues, AND roaming indicator, and allow SMS without issue.

ALSO, you will NOT get LTE data...on any carrier except Sprint because the radio inside doesn't support any LTE bands except 25 (used by Sprint). You also won't get HSPA/HSPA+ (3G/4G) data for any carrier using frequencies not supported by the Sprint Moto X. For instance: If you are using T-Mobile, unless you are in an area that has been re-farmed to 1900mhz HSPA/HSPA+, you will only get EDGE data. This is because T-Mobile extensively uses HSPA/HSPA+ on the 1700mhz AWS band which is not supported by the Sprint Moto X. See the link below for a complete list of frequencies supported by the XT1056.


http://en.wikipedia.org/wiki/Moto_X

Keep in mind that once you write the "nv-ruim-only.txt" file, you will no longer be able to use CDMA without flashing the "revert" file listed below (puts you back on the default RUIM-CONFIG). The "revert" file is ONLY to be used if you want (for some reason) to switch back to CDMA. You do not need it if you intend to only use GSM. Also, the purpose of "nv-unlock2" is to unlock the MIP settings, and prevent the phone from reverting BACK to NV-Only upon reboot.


Additionally, keep in mind that if you ever "SBF" back to stock, using RSD Lite (or fastboot method), it will un-do the SIM-CRACK, and you will need to repeat these steps.

You ***SHOULD*** be able to accept Updates (OTAs) without losing the SIM-CRACK.

*****If you click any of the attached TXT files, and it OPENS in your browser, instead of downloading, RIGHT-CLICK on it, and click "Save Link As" -- it should download without issue.

Attached images: unlock1.png, unlock2.png, unlock3.png

Attached Files
* nv-unlock.txt (639 Bytes)
* NV-items_reader_writer.rar (2.43 MB)
* nv-ruim-only.txt (639 Bytes)
* revert-ruim-default.txt (639 Bytes)
* SPCUtility.apk (24.9 KB)
* nv-unlock2.txt (479 Bytes)
* unlock-domestic.txt (639 Bytes)

Last edited by samwathegreat; 14th August 2014 at 05:01 AM.
23rd July 2014, 06:05 AM   |  #3  
OP samwathegreat

Driver Issues?

This post is for you.

In order to use the DIAG interface, you must first install the Motorola Drivers from here: https://motorola-global-portal.custh...ail/a_id/88481

REMEMBER: As stated in POST # 2, you MUST have "USB Debugging" DISABLED, or the DIAG port will NOT activate.

If you installed these drivers, and you still can't get it to work, and you have an entry under "Other Devices" (In Device Manager) called "Motorola QC Diag Interface" (SEE PIC1, attached below) follow the instructions in the attached pictures STEP-BY-STEP, IN ORDER, to FORCE driver installation.

We are ONLY concerned with the QC Diag Interface - don't worry about the rest of the entries under "Unknown Devices" -- these are not important.

Once you have successfully FORCED the driver installation, you should have an entry under Ports (COM & LPT), called "Motorola QC Diag Port (COMX)" (SEE PIC8, attached below). NOTE the value of "X" - this is the COM port you will use for our purposes. When you successfully have this entry, you can continue with the "FULL INSTRUCTIONS" in POST # 2.


Attached images: PIC1.png, PIC2.png, PIC3.png, PIC4.png, PIC5.png, PIC6.png, PIC7.png, PIC8.png
Last edited by samwathegreat; 30th July 2014 at 10:26 AM.
23rd July 2014, 06:08 AM   |  #4  
ezeuba

You're the man!!! I doff my hat for you, sir. I think the best option will be to create an nv-item txt file for that particular nv-item (8378). I will get to it now and see what gives. Cheers man...
23rd July 2014, 06:10 AM   |  #5  
OP samwathegreat

Quote:
Originally Posted by ezeuba

You're the man!!! I doff my hat for you, sir. I think the best option will be to create an nv-item txt file for that particular nv-item (8378). I will get to it now and see what gives. Cheers man...

Excellent! Please get me the instructions & necessary tools to use ASAP so I can post it in Post # 2 for the users who need step-by-step instructions. Thanks for all your help as well - I have given you credit accordingly.
23rd July 2014, 06:17 AM   |  #6  
yefonme

Excellent work, buddy!!!
Thanks to your efforts, I can imagine how difficult it is.
And I was very pleased to be able to help.
23rd July 2014, 06:44 AM   |  #7  
ezeuba

Done!!!
Just flash this attached file. Connect as usual to the NV-ITEMS Reader/Writer. Click Write and select the attached file which you must have downloaded. After writing, go to Mode and click reset. Phone will restart. Go to Settings, More, Mobile Networks and select GSM/UMTS. Phone unlocked. Special thanks again to @samwathegreat without whom this will not be possible.

I'm on GSM right now...

NB If you've been using this phone on CDMA, you need to change RUIM Config to RUIM Only, else whenever you restart it will revert back to CDMA mode.
Attached Files
* nv-unlock.txt (639 Bytes)

Last edited by ezeuba; 23rd July 2014 at 07:15 AM. Reason: Additional findings
23rd July 2014, 07:00 AM   |  #8  
OP samwathegreat

Quote:
Originally Posted by ezeuba

Just flash this attached file. Connect as usual to the NV-ITEMS Reader/Writer. Click Write and select the attached file which you must have downloaded. After writing, go to Mode and click reset. Phone will restart. Go to Settings, More, Mobile Networks and select GSM/UMTS. Phone unlocked. Special thanks again to @samwathegreat without whom this will not be possible.

I'm on GSM right now...

POST # 2 Updated. Thanks!!!!!
23rd July 2014, 07:07 AM   |  #9  
Kittiesoncrack

hey man, amazing job on this! so many people will be happy to see this!
23rd July 2014, 07:12 AM   |  #10  
You're the man!!!
