It's finally happened: SIM-Unlock for the Sprint Moto X (XT1056)
First, a little background:
Since its debut in August, 2013 many people have been trying to crack the SIM-LOCK on the XT1056. Many have tried and long since given up. I officially became involved in the project in May, 2014, and since then, had taken over the project. After much research, I determined that a Chinese hacker had found the solution and was offering a SIM-Unlock service on Taobao.com. This individual was extremely secretive about his methods - and told no one the solution. In order to use the service, you had to SEND your XT1056 to China to be unlocked (for fear of someone discovering his method). Then, a short time afterwards, the listing completely disappeared from Taobao, never to be seen again. Afterwards, sellers only offered PRE-SIM-CRACKED XT1056's on Taobao. Fortunately, I had already discovered (by reading his prior listing), that the SIM-Unlock required that you NEVER erase the modemst1 and/or modemst2 partitions (the equivalent of EFS/baseband cache on the Moto X).
At this point, I knew without a doubt that the key was in the modemst partitions. The breakthrough, however, didn't come until Mid-July, when another XDA Member: @yefonme posted to the thread that they had obtained a China-SIM-Cracked XT1056. This user confirmed the information I already knew by telling me that the seller advised that they must never erase the modemst partitions or the SIM-Unlock would be lost. This user generously offered to assist in helping find the solution, just for sheer curiosity - they wanted to know HOW the SIM-Unlock was achieved.
At this point, I thought we had everything we needed. Knowing that the key lies in the baseband cache, I requested various users to use a tool to backup their modemst1/modemst2 partitions, and send them to me for comparison with a HEX-Editor. Several users obliged, but unfortunately, we hit another roadblock -- the EFS partitions turned out to be ENCRYPTED TO HELL! That method was going nowhere. Then I realized that upon erasing the baseband cache (modemst1/modemst2 partitions), that all NV-ITEMS were reset to their factory defaults. BINGO! This means that the baseband cache partitions MUST store the encrypted contents of NVRAM!
This meant we had another option! Using standard CDMA tools, we could do a "DUMP" of the values stored in NVRAM. Another user, @ezeuba, suggested a simple tool, and provided instructions for the other's involved to DUMP the contents of their NVRAM, for comparison. Another big issue: Since many NVITEMS are inactive / restricted, even between 2 Sprint SIM-Locked devices, it made it completely impossible to use a utility to run a differential comparison between these NV-DUMPS. This meant that the NV-ITEMS had to be compared manually, by-hand.
I spent countless hours scouring through the data, comparing the THOUSANDS of NV-ITEMS from the China-Cracked XT1056 with the dumps provided by the Sprint SIM-Locked users. It was taking forever! I knew that the key to comparing the NVITEMS was finding values that were the SAME on all the Locked XT1056s, but DIFFERENT, only on the SIM-CRACKED XT1056. If a particular NVITEM differs between 2 or more LOCKED XT1056s, it is likely not the value we are looking for.
Then, finally, I came across an NVITEM that struck me as unique. It was the SAME on all the LOCKED XT1056's I analyzed, but different ONLY on the CRACKED XT1056. I was hesitantly optimistic, and posted about it here: http://forum.xda-developers.com/show...&postcount=250
Well, my intuition was Spot-On, and this DID turn out to be the proverbial "smoking gun". Another user (ignoring my suggestions to WAIT and let another user who had offered to donate an XT1056 mainboard try it first) went ahead and wrote the new value as I had suggested. BAM!!! And the rest is HISTORY.
OK, so enough about the history, and on to the solution!!!!!
So the key lies in NVITEM # 8378
On the China-Cracked XT1056, the value was "01"
On all the SIM-LOCKED XT1056's, the value was "00"
That's all there is to it. You can use the CDMA Tool of your choice to write "01" to NVITEM 8378 to achieve SIM-Unlock!
You will also need to change the RUIM config to "RUIM-Only" in order to prevent the phone from reverting to CDMA-mode upon reboot. This is controlled by NVITEM 855 (see instructions in post # 2)
This method is KNOWN to unlock for all international GSM carriers,
POST # 2 in this thread will be reserved for complete instructions for those of you who aren't familiar with how to write NV-ITEMS. These instructions are courtesy of @ezeuba.
POST # 3 will be reserved for detailed instructions on how to install the necessary DIAG Drivers, and how to manually FORCE driver installation, if necessary.
I believe in giving credit where it is due, so I want to personally thank:
* @hsngt and @jaaa1976 - who provided me with the NVDUMPS I used to find the SIM-Unlock method. @jaaa1976 was the FIRST person to be unlocked by my method
* @ezeuba for providing these users with step-by-step instructions on how to READ and SAVE said NVITEM dumps.
* @Vivjen for support and generous offer to donate a XT1056 mainboard (which turned out to be unnecessary)
* @crabbyone for encouraging me to take a 2nd look at NVITEM # 8322 (which turned out to be the Domestic Unlock solution)
* @Arnold Snarb for originally discovering the property of NVITEM # 8322 (which unlocked the Razr M for domestic use)
* All the others who submitted EFS and/or NVDUMPS (even though I didn't use them to find the solution)
* Everyone who believed in me and provided encouragement and moral support ( that includes YOU, @KJ )
* Everyone who makes good on their bounty pledges and everyone who DONATES (paypal: email@example.com )
* Everyone who is appreciative and gracious for the ENORMOUS amount of time I've spent making this SIM-Unlock possible for everyone
* The China-man who found the solution FIRST, even though he didn't share it with anyone and intended to only use it for Profit (I bet he is PISSED at me -- he was charging $80 U.S. for EACH unlock )
*** and ESPECIALLY @yefonme --- without YOU, NONE of this would be possible.
[Q]: How much should I donate to you for all the time (weeks) you spent working on this?
[A]: Please donate what you feel it is worth to you. The XT1056 can be found far cheaper than any other Moto X Variant, and now that we can SIM-UNLOCK it, it will become much more popular. If I have saved you money, or added value to the phone you already own, I would appreciate being compensated accordingly. I realize that some are not able to donate, and I understand. Do what you can / what you feel is fair. I spent countless hours on this, and would appreciate being somewhat-compensated for my efforts. This, of course, is not a requirement, since I have posted the solution and made it freely available to everyone. Keep in mind that the China Taobao-seller was charging $80 for EACH unlock...and HIS sim-crack didn't even unlock for Domestic U.S users!!!
PayPal Donation address: firstname.lastname@example.org
DO NOT email me asking for help with this. I won't answer you. *Post in the Thread* - this is the only way you will get support. I'm sure that you understand...
This works for all Republic Wireless XT1049's also, but ONLY if you can unlock the bootloader (only possible through the "China Middleman" - use search). You MUST flash the Sprint XT1056 ROM to your RW XT1049 device for this to work for you.
If you use my SIM-CRACK, I'm not responsible for ANYTHING that goes wrong. USE CAUTION! If you hit the wrong button, or write the wrong NVITEM, you could end up in BIG TROUBLE (possible BRICK). You have been warned.
And lastly, YOU MAY ---NOT--- COPY ANY PART OF MY SIM-UNLOCK METHODS. YOU MAY NOT SHARE/RE-DISTRIBUTE MY FILES, OR POST THEM TO OTHER SITES. THE ONLY ACCEPTABLE THING IS TO ---LINK--- THIS THREAD TO OTHER SITES. IT IS UNACCEPTABLE TO STEAL MY (OR ANYONE ELSE'S) WORK!!!!! I will be extremely offended if I find that someone stole my work and posted it elsewhere. ONLY Link this thread. Don't copy any or all of its contents elsewhere. PERIOD.
^This is NOT an unreasonable request....