XDA Developers Android and Mobile Development Forum
Peter Poelman
#1
Retired Administrator - OP
4.20 cracked

It took a small group effort, but we cracked it.

Problem 1: Bug in the limitation on the %UREG command

First of all, on 4.20 they check to see whether the %UREG request lies within certain bounds as follows:

AT%UREG?addr,len:

Code:
if (addr < 0x3ef000 || addr > 0x3ef007) return(0);
if ((addr+len) < 0x3ef000 || (addr+len) > 0x3ef007) return(0);

Now because addr and len are both 32 bits, we can make use of the wrap (negative in effect). After the test above the maximum length is limited to 100 (0x64).

So for instance:

AT%UREG?3FE004,FFFFFFFF

will read 100 bytes from 0x3FE004, clearly outside the range UREG was meant to be restricted to.

Problem 2: Obfuscation too easy

When executing the command above: after 74 bytes of FF, the obfuscated result code is displayed. The information needed to get the unlock code is contained twice, in the format ABCDABCDEFGHEFGH if a different letter is assigned to each unique nibble. Nibbles are first swapped to make EHAFGBCD. Then bit 3 of nibbles H, F and B is rotated left, so that nibble H gets bit 3 from F and so forth. After this, the whole 4-byte value is rotated into the lower bit. The result is the 8-digit unlock code in BCD, which can be supplied to the unlock command:

Code:
AT%SIDLCK=0,<8-digit unlock code>

Commentary:

Nice try: took us 2 person-days, probably still less than it took to think up, define, approve and program.


The new version of The Manipulator, online now, supports unlocking of Radio Stack 4.20.
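As an added illustration of Problem 1 (this is not code from the post or from The Manipulator), the C below reconstructs the quoted check with unsigned 32-bit arithmetic, shows the wrap letting an enormous length through, and puts a wrap-safe version of the same check beside it. The post's literal example address 0x3FE004 lies outside the 0x3EF000..0x3EF007 window and would be rejected by the first test as quoted, so the example uses 0x3EF004, assumed to be the in-window address meant; the 0x64 clamp is taken from the post.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Window the 4.20 firmware meant to expose through AT%UREG (from the post). */
#define UREG_LO      0x3ef000u
#define UREG_HI      0x3ef007u
/* The post says the length is clamped to 100 (0x64) after the range test. */
#define UREG_MAX_LEN 0x64u

/* The check as the post reconstructs it. addr and len are 32-bit, so
 * addr + len wraps modulo 2^32 and a huge len (0xFFFFFFFF, i.e. -1)
 * brings the "end" back inside the window. Returns true if the read is allowed. */
bool ureg_check_as_shipped(uint32_t addr, uint32_t len)
{
    if (addr < UREG_LO || addr > UREG_HI) return false;
    if ((addr + len) < UREG_LO || (addr + len) > UREG_HI) return false;
    return true;
}

/* Number of bytes the firmware actually returns once the clamp applies. */
uint32_t ureg_effective_len(uint32_t len)
{
    return len > UREG_MAX_LEN ? UREG_MAX_LEN : len;
}

/* Highest address the read touches; anything above UREG_HI is the leak. */
uint32_t ureg_last_addr(uint32_t addr, uint32_t len)
{
    return addr + ureg_effective_len(len) - 1u;
}

/* Hardened variant (added here, not from the firmware): compare len against
 * the room left in the window instead of forming addr + len, so no sum can
 * wrap. Zero-length reads are rejected as well. */
bool ureg_check_fixed(uint32_t addr, uint32_t len)
{
    if (addr < UREG_LO || addr > UREG_HI) return false;
    if (len == 0) return false;
    uint32_t room = UREG_HI - addr + 1u;   /* bytes from addr through UREG_HI */
    return len <= room;
}

int main(void)
{
    /* The post's request with an in-window address (assumed, see lead-in). */
    uint32_t addr = 0x3EF004u, len = 0xFFFFFFFFu;
    printf("AT%%UREG?%06X,%08X\n", (unsigned)addr, (unsigned)len);
    printf("shipped check: %s, returns %u bytes, last address 0x%06X (window ends 0x%06X)\n",
           ureg_check_as_shipped(addr, len) ? "allowed" : "rejected",
           (unsigned)ureg_effective_len(len), (unsigned)ureg_last_addr(addr, len),
           (unsigned)UREG_HI);
    printf("fixed check:   %s\n", ureg_check_fixed(addr, len) ? "allowed" : "rejected");
    return 0;
}
```

The lesson generalises beyond this radio: any range check of the form `base + length <= limit` on fixed-width integers needs either a width wider than the operands or, as above, a subtraction against the limit so the attacker-controlled value is never an addend.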
 
vljw
#2
Junior Member
Yippee... the Manipulator works for 4.20!!!!!

Hi,

I must be a very lucky guy.

Just received my XDA today (64 MB RAM, 4.20.00 radio version, 3.16.32 ENG ROM, dated 2/13/03) and was fiddling with it about half an hour ago with the former XDA Manipulator program (ver 1.02), which reported error messages and couldn't work. Then I looked on the net and found this posting, just made (at 10.30 pm), and was the sixth person to view the posting; downloaded the new Manipulator and hey presto, the XDA is unlocked!!!!

Only one thing though: I don't see the GID lock, the IMEI number and the call timer entries in this new program (ver 1.1), which were present in the ver 1.02 program. Not a problem for me though, as long as I can use the phone on my Vodafone SIM.

Anyway, thank you so much for the hard work in cracking the 4.20; really appreciate it. Well done and keep up the magnificent work.

Cheers
 
RogerB
#3
Junior Member
Yup - it works a treat - unlocked in 10 seconds.

WELL DONE guys - thanks so much for all your input here. I now have an XDA that is truly useful and versatile.

BRILLIANT!!

Rog
hotentot
#4
Guest
Just tried 1.1 on 6 phones, all with 4.20. Five of them unlocked no problem, but one of them, for some strange reason, didn't work: it read the SID code, but the one that it came back with was only 6 digits long, and when pressing "UNLOCK" nothing more happened. All the other codes were about 8 digits long. I tried entering the code manually, but it just came back saying it was incorrect!!!

Anyone come across this??

Many thanks in advance
 
Peter Poelman
#5
Retired Administrator - OP
Hmmm. It could be that the code (or the second half of it) starts with two zeroes, and now that you mention it: the Manipulator doesn't display (or unlock with) leading zeroes.

Could you try that six-digit code with two leading zeroes, and (if that doesn't work) insert the zeroes in the six-digit number as follows: XXXX00XX, or as follows: 0XXX0XXX. Tell me if that's it, please...


(Expect 1.11 of The Manipulator in the next day or two...)
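As an added example covering both the decoding steps described in post #1 and the six-digit code that hotentot hit (this is not Peter's code and not The Manipulator's), the C below takes the 16 hex digits of the register contents as nibbles ABCDABCDEFGHEFGH, checks that the two copies agree, swaps to EHAFGBCD, rotates bit 3 through H, F and B, rotates the 32-bit result by one bit and checks that what comes out is valid BCD. "Rotated into the lower bit" can be read two ways; the code assumes a 32-bit rotate left by one and labels that assumption. The register contents are constructed for the example, not captured from a phone. The formatting step keeps leading zeroes, which is the detail the 1.1 Manipulator dropped.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse one hex digit; returns -1 on a non-hex character. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

static uint32_t rotl32(uint32_t v, unsigned n) { return (v << n) | (v >> (32 - n)); }

/* Undo the 4.20 obfuscation as the post describes it. hex16 holds the 16 hex
 * digits shown after the run of FF bytes, i.e. nibbles ABCDABCDEFGHEFGH.
 * Returns 0 and stores the 8-digit BCD unlock code in *code, or -1 if the
 * input is malformed, the two copies disagree, or the result is not BCD. */
int unlock_code_from_ureg(const char *hex16, uint32_t *code)
{
    int n[16];
    if (strlen(hex16) != 16) return -1;
    for (int i = 0; i < 16; i++) {
        n[i] = hexval(hex16[i]);
        if (n[i] < 0) return -1;
    }
    /* Redundancy check: each 4-nibble group appears twice in the register. */
    for (int i = 0; i < 4; i++)
        if (n[i] != n[i + 4] || n[8 + i] != n[12 + i]) return -1;

    int A = n[0], B = n[1], C = n[2], D = n[3];
    int E = n[8], F = n[9], G = n[10], H = n[11];

    /* Step 1: nibble swap to EHAFGBCD. */
    int p[8] = { E, H, A, F, G, B, C, D };

    /* Step 2: bit 3 of H, F and B rotated left: H takes F's, F takes B's, B takes H's. */
    p[1] = (H & 7) | (F & 8);
    p[3] = (F & 7) | (B & 8);
    p[5] = (B & 7) | (H & 8);

    uint32_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 4) | (uint32_t)p[i];

    /* Step 3: "the whole 4 byte value is rotated into the lower bit".
     * ASSUMPTION: read as a 32-bit rotate left by one (the MSB lands in bit 0). */
    v = rotl32(v, 1);

    /* The post says the result is BCD: every nibble must be 0..9. */
    for (int i = 0; i < 8; i++)
        if (((v >> (4 * i)) & 0xFu) > 9) return -1;

    *code = v;
    return 0;
}

/* Format the code for AT%SIDLCK=0,<code>. Zero padding is the point: a code
 * such as 0x09180427 has to be sent as "09180427"; printing it as a number
 * gives the 7-digit "9180427", which is the dropped-zero failure in the thread. */
void format_unlock_code(uint32_t code, char out[9])
{
    snprintf(out, 9, "%08X", (unsigned)code);
}

/* The same code without padding, to show what goes wrong. */
void format_unlock_code_unpadded(uint32_t code, char out[9])
{
    snprintf(out, 9, "%X", (unsigned)code);
}

int main(void)
{
    /* Constructed sample register contents (not captured from a real phone). */
    const char *sample = "8A138A1384048404";
    uint32_t code;
    char good[9], bad[9];
    if (unlock_code_from_ureg(sample, &code) != 0) { puts("decode failed"); return 1; }
    format_unlock_code(code, good);
    format_unlock_code_unpadded(code, bad);
    printf("AT%%SIDLCK=0,%s   (unpadded it would come out as %s)\n", good, bad);
    return 0;
}
```

The constructed sample decodes to a code with zeroes in the first and fifth positions, the 0XXX0XXX pattern from the reply above, so the two formatters show exactly how an 8-digit code turns into a shorter one when leading zeroes are not preserved.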
 
MineshT
#6
Junior Member
IMEI Change

Great work guys, I'll be unlocking my XDA as soon as I get the serial cable. It is a combined serial and USB cable (ordered from Expansys), so if anyone has experience with this not working then let me know; otherwise I'll post here to let you know if it worked or not.

I would like to know if there are any plans to make a version of the communicator that will change the IMEI.

If not, will commands from HyperTerminal work? (Sorry if this is not currently possible; I haven't been motivated to look it all up, but will be if it is possible to change the IMEI through this.)

I know that the version of HyperTerminal that comes with Win2k and XP is more limited than the one in 95 and 98, so would another terminal emulation program do the job better (Reflections 420 for example)?

Thanks again for the great work.

How do you find all this stuff out? How do I learn?

Minesh
hotentot
#7
Guest
@Peter Poelman you're a blinking genius mate, it was the last method (0XXX0XXX).

So now I've done 11 phones (R4.20), and all 11 unlocked; pretty good success rate I reckon.

Keep up the great work guys
 
Peter Poelman
#8
Retired Administrator - OP
Re: IMEI Change

Quote:
Originally Posted by MineshT
I would like to know if there are any plans to make a version of the communicator that ill change the imei.
Manipulator (I assume that's what you mean) does change the IMEI, but not on 4.20 phones, because we can't easily reach the memory range. In fact we have ways to do it, but we didn't yet feel like doing the necessary programming work before they lock us out completely.

Quote:
If not will commands from hyperterminal work?
There's no easy (or medium-hard) way to change the IMEI on 4.20 phones.

Quote:
How do you find all this stuff out?? How do I learn.?
In this specific case, we looked at the ARM machine-code in the 4.20 binary contained in S-record form in the RSU upgrade package, using IDA (a disassembler program). We then figured out the %UREG restriction was lacking. Looking at the obfuscated code we figured we could break it without looking at further code (and the phone binary code guru was unavailable for the day), so we cracked it by just staring at enough possibilities. (We could set and reset the lock using different codes with AT%SIDLCK).

Not sure hacking phones is a specific skill one can learn. Even though we're mostly still pretty young, most of us are very experienced software developers and senior security experts, with electronics, programming and reverse-engineering experience of 20-25 years in some cases. But there are pretty good texts out there that describe disassembling other people's code, understanding embedded hardware and other areas of expertise you'd need.

Reverse-engineering needs a lot of the same skills that 'forward-engineering' does. If you have the skills needed to build something, you can begin to take it apart.
 
Peter Poelman
#9
Retired Administrator - OP
Current issues with The Manipulator

The Manipulator currently does not unlock phones which were locked and then user-upgraded to 4.20. So unlock first and then upgrade. Also, please read hotentot's post and my reply above for a problem that appears when the code has zeroes in certain positions.

Both issues will be addressed in the next version, due in a few days, when I know there's no other things that need fixin'.

 