SIMLOCK_S1

By munjeni, Senior Member on 2nd September 2019, 05:05 PM
Hi! Searching my old hard disk I found something interesting. I have no idea where I got it, but it seems to be something related to SIM (un)locking on Xperia. I hope somebody finds it interesting.

Looking further, after some work on some trim area units trying to identify new units, I found something interesting.

abyte0 array:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  00 00 08 B3 00 00 00 04 A0 00 00 00 00 00 08 FD  ...³....*......ý
00000010  00 00 00 10 00 00 08 00 05 00 00 00 0E 00 00 00  ................
00000020  08 00 00 00 00 00 09 61 00 00 00 04 FE FF FF FF  .......a....þÿÿÿ
00000030  00 00 08 B3 00 00 00 04 AA 00 00 00              ...³....ª...
The array contains 4 trim area units, which are written using the function tawrite:
Code:
--unit------size-------data------
000008B3    0004    A0 00 00 00
000008FD    0010    00 00 08 00 05 00 00 00 0E 00 00 00 08 00 00 00
00000961    0004    FE FF FF FF
000008B3    0004    AA 00 00 00
Looking at my Z1C trim area dump and searching for those 3 units, I found only one unit with exactly the same size of 4 bytes:
000008B3 0004 50 00 00 00

I really have no idea how it works and what the consequence of writing that to the trim area is, but you must agree those 3 units are definitely related to SIM (un)locking? Unit 0x8b3 is probably a start-stop-idle sequence? Since my Z1C was not SIM locked, probably 2 units are missing because of that. Or vice versa: if all 3 units exist, the device is SIM locked? Somebody with a SIM lock please look and tell me here! I really have no idea where I found tawrite.zip; I tried a Google search with no results.

The two files simlock.ta-1.6 and simlock.ta-2.1 are probably generated by the readReply function?
Attached Files
File Type: zip tawrite.zip (1.1 KB)
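As an added example (not from the post and not code from tawrite.zip): a small Python decoder for the record layout visible in the abyte0 dump above, where each record is a big-endian u32 unit number, a big-endian u32 length, and that many data bytes. The layout is inferred from the dump; the Z1C value used for comparison is the one quoted in the post, and the function names are my own.

```python
import struct
from typing import Dict, List, Optional, Tuple

# The abyte0 array exactly as shown in the hex dump above (60 bytes):
# four records of [unit: u32 BE][size: u32 BE][data: size bytes].
ABYTE0 = bytes.fromhex(
    "000008B3 00000004 A0000000"
    "000008FD 00000010 00000800 05000000 0E000000 08000000"
    "00000961 00000004 FEFFFFFF"
    "000008B3 00000004 AA000000"
)

# The single matching unit the poster found in his (unlocked) Z1C TA dump.
Z1C_DUMP: Dict[int, bytes] = {0x8B3: bytes.fromhex("50000000")}


def parse_ta_units(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a tawrite-style byte stream into ordered (unit, data) records.

    Order and duplicates are preserved on purpose: unit 0x8B3 is written
    twice with different values, which a dict keyed by unit would hide.
    A truncated record raises instead of being silently mis-read.
    """
    units: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 8:
            raise ValueError(f"truncated record header at offset {pos:#x}")
        unit, size = struct.unpack_from(">II", blob, pos)
        pos += 8
        if len(blob) - pos < size:
            raise ValueError(f"unit {unit:#06x} needs {size} bytes, only {len(blob) - pos} left")
        units.append((unit, blob[pos:pos + size]))
        pos += size
    return units


def format_units(units: List[Tuple[int, bytes]]) -> str:
    """Render the records in the --unit--size--data-- table style used in the post."""
    lines = ["--unit------size-------data------"]
    for unit, data in units:
        lines.append(f"{unit:08X}    {len(data):04X}    {data.hex(' ').upper()}")
    return "\n".join(lines)


def compare_with_dump(units: List[Tuple[int, bytes]],
                      dump: Dict[int, bytes]) -> List[Tuple[int, bytes, Optional[bytes]]]:
    """Pair each tawrite record with the value (or None) found in a device TA dump."""
    return [(unit, data, dump.get(unit)) for unit, data in units]
```

Running `compare_with_dump(parse_ta_units(ABYTE0), Z1C_DUMP)` reproduces the post's observation: 0x8FD and 0x961 are absent from the unlocked Z1C dump and 0x8B3 holds a different value.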
 
 
#2 by pbarrette, Senior Member, on 10th September 2019, 03:58 AM
@munjeni
Going through the ABL on the XZ1c, I've found that 0x7DA is, in fact, the simlock unit.
Unfortunately, it looks like 0x851 is a simlock signature.

It appears that the simlock unit gets an SHA256 digest computed which is compared against the signature in 0x851.
You'll see the beginnings of it in j4nn's ABL PE file at loc_331CC.

It also looks like, immediately after reading 0x851, the code path grabs the IMEI.
Then it gets what it calls the "asahi signature", then starts calculating and validating digests up the certificate chain.