
Reverse engineering the HERMES imei-check unlocker

By slimsaturn, Senior Member on 24th October 2006, 09:16 PM
3rd November 2006, 07:35 PM |#51  
Hey pof,
great work so far. Everyone can program things, but reverse engineering software and remaking the algorithm is just for real masters
So would it help if I also buy a license on the imei site and do some dumps so u have more to compare? (haven't done a dump until now, but it won't be so hard.)

Another question is, what happens when u flash to another rom while u are in this faked boot loader? Do u still have simlock in the other flashed roms?

thnx for your work man! Just go on!!
cu
 
 
3rd November 2006, 09:05 PM |#52  
pof, Retired Moderator
Quote:
Originally Posted by da4walker

So would it help if I also buy a license on the imei site and do some dumps so u have more to compare? (haven't done a dump until now, but it won't be so hard.)

If you want to do it, go on. I have captured almost the full process, but there are still some things I don't understand; I will post here all I get when I have finished, so everyone can look at it and we can understand more things together. Most of the process can be captured even without buying it: all the ActiveSync part and the SuperCID bootloader are done before it asks you for the file; what comes after is what slimsaturn already captured. I would suggest not buying unless you really need to unlock your unit fast or want to get more involved in the reversing process.


Quote:
Originally Posted by da4walker

Another question is, what happens when u flash to another rom while u are in this faked boot loader?

I think you can't flash another rom (still haven't tried it though) because the cert on the fake bootloader belongs to imei-check and the NBH from shipped roms have signature wrappers from HTC, so you'll get an invalid cert error from the bootloader.

Quote:
Originally Posted by da4walker

Do u still have simlock in the other flashed roms?

Yes, the sim unlocking part is done at the very last part of the whole process (the [email protected]? commands I posted before). Still have to figure out how it is calculated, haven't reached that yet.
4th November 2006, 03:34 PM |#53  
pof, Retired Moderator
When you launch M3100v3cUnlock.exe with green ActiveSync icon in system tray, it sends some files to the device using activesync. I captured the process over USB and extracted the files (see attachment).

This is what is done over ActiveSync:

Code:
1) Transfer: \Windows\8a227ad5-481f-42a3-9e80-a76dad03e0c2.cab

2) Transfer: \Windows\CM_Entries.XML

3)      run: wceload.exe ? /nouninstall /noui /delete \windows\8a227ad5-481f-42a3-9e80-a76dad03e0c2.cab

4) Transfer: \Windows\8a227ad5-481f-42a3-9e80-a76dad03e0c2.rgu

5) Transfer: \Windows\8a227ad5-481f-42a3-9e80-a76dad03e0c1.cab

6)      run: wceload.exe ? /nouninstall /noui /delete \windows\8a227ad5-481f-42a3-9e80-a76dad03e0c1.cab

7)      run: 8a227ad5-481f-42a3-9e80-a76dad03e0c2.rgu /register
There is probably something else after this, I still have to investigate.

Then the "fake" 1.04 bootloader with SuperCID starts. I guess they jump from WinCE to the memory address of this fake bootloader, similar to what gnuharet does when booting a linux kernel from WinCE.

BTW, I used the "fake" bootloader from imei-check to upgrade a preproduction hermes with IPL-0.16 SPL-0.94 to bootloader 1.04 and it worked flawlessly

Is someone willing to investigate these files? I will continue with the process and let you know if I find anything else interesting.


EDIT: "imei-check-activesync-files.zip" file removed as IMEI-check claimed it is IMEI-check copyrights stuff. Sorry.
5th November 2006, 12:48 AM |#54  
pof, Retired Moderator
Full unlocking process revealed (PART I)
Finally I managed to capture everything the unlocker does, this should be enough for an experienced programmer to write a free unlocker, so anyone interested please read this comment (two parts) and download this file:

unlocker-reversed.zip (EDIT: file removed as IMEI-check claimed it is IMEI-check copyrights stuff. Sorry.)

The file contains this information:
Code:
activesync-files
        files transferred to the unlocker via activesync to prepare the fake
        bootloader environment. This is sent before the unlocker requests the
        key (unl) file.

imeicheck-unlocker
        Version 3c of the imei-check unlocker, used to capture the process and
        extract the files found here

migsoft-signed-bootloader
        NBH file signed by MIGsoft, sent to the fake bootloader to flash
        IPL-1.01 and SPL-1.04.
        The .dbh file contains the same NBH without the signature wrapping.
        *.nb files are the extracted contents of the NBH file.

process-captured
        Two different unlocking process captured, see included readme for
        details.

rversion-0106/00-rrbmc-6D0000-8000.bin
        content read from device
rversion-0106/00-rwdata-4D0000-800.bin
        content written to the device by the unlocker

rversion-0107/rdparam-files
        content read from device

rversion-0107/rwdata-files
        content written to the device by the unlocker
Basically what they do is patch some parts of the radio to make sure the unlocking code will always be the same; at the end of the process the same [email protected] commands are used to really unlock the phone after the radio is patched.

Now the process explained:
  1. turn phone on and connect to pc (green ActiveSync icon in system tray)
    When you see the green icon in system tray then ActiveSync is connected properly to your phone

    Click on M3100v3cUnlock.exe, this message appears on screen:

    Code:
    HTC Hermes v3c unlock
    
    Starting communication.................
    While this happens your device is in ActiveSync mode, and the unlocker transfers 2 CAB files, one XML file and one RGU file to the Hermes, installs the first signed cab file (deleting it after) and installs a certificate to your phone so it doesn't complain about running unsigned code when the other files are executed:
    1. Transfer: \Windows\8a227ad5-481f-42a3-9e80-a76dad03e0c2.cab
    2. Transfer: \Windows\CM_Entries.XML
    3. run: wceload.exe ? /nouninstall /noui /delete \windows\8a227ad5-481f-42a3-9e80-a76dad03e0c2.cab
    4. Transfer: \Windows\8a227ad5-481f-42a3-9e80-a76dad03e0c2.rgu
    5. Transfer: \Windows\8a227ad5-481f-42a3-9e80-a76dad03e0c1.cab
    6. run: wceload.exe ? /nouninstall /noui /delete \windows\8a227ad5-481f-42a3-9e80-a76dad03e0c1.cab
    7. run: 8a227ad5-481f-42a3-9e80-a76dad03e0c2.rgu /register
  2. After the rgu file is executed, the phone jumps to a "fake" 1.04 bootloader which is somewhat different from the "real" 1.04 bootloader:
    • It allows flashing code signed using MIGsoft certificates instead of HTC certificates.
    • It shows as if your device was SuperCID (info 2) and security level=0 (task 32).
    • It shows your IMEI inside the 'info 3' command output.
    • It doesn't show IPL and SPL versions on the top left side of the tri-color screen.
  3. The unlocker shows this:

    Code:
    Checking device...
    
    Your IMEI: 3577XXXXXXXXXXX
    While this happens, the unlocker issues the command 'info 3' to the fake bootloader, so it sees what your IMEI is to compare it with the key file you get from imei-check when you pay for the unlocker, and shows your IMEI on screen.
  4. The unlocker asks you to provide the valid key file (your-IMEI.unl), shows this on screen:
    Code:
    This program will work ONLY with the key generated for your phone (IMEI).
    If you try to unlock with a key for a different IMEI or a bad key,
    the UNLOCK WILL NOT WORK.
    
    Please select a key file...
    If you don't have a key file for your IMEI just visit your supplier site.
    When you provide the valid key file, the unlocker follows.
  5. The unlocker shows this:

    Code:
    Checking device.....................................
    While this happens, the unlocker sends these commands:

    info 3
    This returns an HTCS/HTCE encapsulated data block of 2140 bytes, which contains the information used to calculate the password to authenticate to the bootloader.
    password xxxxxxxxxxxxxxxxx
    The unlocker calculates the password and sends it to the bootloader. As authentication is successful "Pass1" is returned.
    NOTE: For instructions on how to calculate the dynamic password read the wiki.
    set 1e 1
    This sets the RUU command read/write flag to 1 (unlock).
    wdatah 6065f 535cd095
    This flashes the file HERMIMG_IPL1.01_SPL1.04_ONLY.nbh signed by MIGsoft, which overwrites your current bootloader with one containing IPL-1.01 and SPL-1.04.
    set 1e 1
    This sets the RUU command read/write flag to 1 (unlock) again.
    set 14 1
    This changes the action after reset to 1 which tells the device to start in bootloader mode after reset instead of starting the OS.
    task 8
    Resets the device
  6. The device resets and goes into real 1.04 bootloader just flashed, the unlocker shows this:

    Code:
    Unlocking..._........._..... .............................

THE REST OF THE PROCESS FOLLOWS IN THE NEXT COMMENT, IT WAS TOO BIG TO FIT IN 1 COMMENT
5th November 2006, 12:48 AM |#55  
pof, Retired Moderator
Full unlocking process revealed (PART II)
THE PREVIOUS PART IS IN THE COMMENT BEFORE THIS ONE

6. The device resets and goes into real 1.04 bootloader just flashed, the unlocker shows this:

Code:
Unlocking..._........._..... .............................
While this happens, the unlocker does the following:

set 6 ffff
Turns device screen white.
info 3
Get password crypt information.
info 3
Get password crypt information (again).
password xxxxxxxxxxxxxxxx
Authenticates to the bootloader
set 1e 1
This sets the RUU command read/write flag to 1 (unlock).
wdatah 6065f 535cd095
This tries to flash the same HERMIMG_IPL1.01_SPL1.04_ONLY.nbh file signed by MIGsoft which has been flashed before. As this time the device is running on the real 1.04 bootloader and the signature is not from HTC, the bootloader returns "Image Cert is error..." and nothing gets flashed.
set 1e 1
This sets the RUU command read/write flag to 1 (unlock) again.
set 1 0
This sets the operation mode to user
set 5 ffff
This sets the background color white
set 2 1
Sets the back color flag on
shmsg 2 2 "SIM-UNLOCK"
Shows the string "SIM-UNLOCK" on row 2, column 2 of the device screen.
shmsg 8 2 "initializing..."
Shows the string "initializing..." on row 8, column 2 of the device screen.
rtask b
This enters the Radio Image AT Command interpreter
AT+CGSN
This AT command returns the IMEI of your device. A "0" is returned after which indicates that the command has been executed successfully.
AT
Returns "0" (ok).
retuoR
Exits the AT command interpreter and goes back to normal bootloader.
shmsg 8 2 "unlocking..."
Shows the string "unlocking..." on row 8, column 2 of the device screen.
rtask a
This enters the radio bootloader.
rinfo
Get password crypt information to authenticate to radio bootloader.
rpass \r HTCSxxxxxxxxxxxxxxxx(4byte-crc)HTCE
This authenticates to the radio bootloader. The device returns "T" meaning success.
rversion
This returns radio bootloader version. The rest of the process can vary depending on what the device returns here:
  • For radio bootloader version <= 0106 the command 'rrbmc' will be used to read the device's memory content
  • For radio bootloader version >= 0107 the command 'rdpram' will be used to read the device's memory content
  • If rversion is <= 0106

    rrbmc x 6D0000 8000
    This reads back 32768 bytes (0x8000) of memory content from address 0x6D0000. I put the read contents on 00-rrbmc-6D0000-8000.bin, the 4-byte checksum for this file is "3D 2E 51 98" (hexa).
    rwdata 4D0000 800
    This sends the contents of the file 00-rwdata-4D0000-800.bin to the device encapsulated in HTCS+contents+4byteCRC+HTCE. The CRC for the file is "F4 3E 36 04" (hexa).
    retuoR
    Exits the radio bootloader and goes back to normal bootloader.
  • If rversion is >= 0107

    rwdata 0 10000
    This sends the contents of the file 01-rwdata-0-10000.bin to the device encapsulated in HTCS+contents+4byteCRC+HTCE. The CRC for the file is "6F 17 EF 2C" (hexa).
    rwdata 10000 10000
    This sends the contents of the file 02-rwdata-10000-10000.bin to the device encapsulated in HTCS+contents+4byteCRC+HTCE. The CRC for the file is "B0 8D 60 65" (hexa).
    rwdata 20000 10000
    This sends the contents of the file 03-rwdata-20000-10000.bin to the device encapsulated in HTCS+contents+4byteCRC+HTCE. The CRC for the file is "A5 F0 3C 09" (hexa).
    rwdata 30000 10000
    This sends the contents of the file 04-rwdata-30000-10000.bin to the device encapsulated in HTCS+contents+4byteCRC+HTCE. The CRC for the file is "A5 F0 3C 09" (hexa). (note: this is not an error, the data sent is the same)
    rwdata 40000 10000
    This sends the contents of the file 05-rwdata-40000-10000.bin to the device encapsulated in HTCS+contents+4byteCRC+HTCE. The CRC for the file is "AC 02 5A EB" (hexa).
    rwdata 100000 10000
    This sends the contents of the file 06-rwdata-100000-10000.bin to the device encapsulated in HTCS+contents+4byteCRC+HTCE. The CRC for the file is "CD 8C 22 4D" (hexa).
    rwdata 110000 10000
    This sends the contents of the file 07-rwdata-110000-10000.bin to the device encapsulated in HTCS+contents+4byteCRC+HTCE. The CRC for the file is "93 10 BD 5E" (hexa).
    rwdata 120000 10000
    This sends the contents of the file 08-rwdata-120000-10000.bin to the device encapsulated in HTCS+contents+4byteCRC+HTCE. The CRC for the file is "A5 F0 3C 09" (hexa).
    rwdata 130000 10000
    This sends the contents of the file 09-rwdata-130000-10000.bin to the device encapsulated in HTCS+contents+4byteCRC+HTCE. The CRC for the file is "A5 F0 3C 09" (hexa).
    retuoR
    Exits the radio bootloader and goes back to normal bootloader. (they have some problems with CR+LF here, so the unlocker has to issue the command 3 times :P)
    rtask a
    This enters the radio bootloader again.
    rinfo
    Get password crypt information to authenticate to radio bootloader.
    rpass \r HTCSxxxxxxxxxxxxxxxx(4byte-crc)HTCE
    This authenticates to the radio bootloader. The device returns "T" meaning success.
    rdpram x 340000 8000
    This reads back 32768 bytes (0x8000) of memory content from address 0x340000. I put the read contents on 01-rdparam-340000-8000.bin, the 4-byte checksum for this file is "A1 6A 6A F0".
    rdpram x 348000 8000
    This reads back 32768 bytes (0x8000) of memory content from address 0x348000. I put the read contents on 02-rdparam-348000-8000.bin, the 4-byte checksum for this file is "BC 26 7D 78".
    rdpram x 350000 8000
    This reads back 32768 bytes (0x8000) of memory content from address 0x350000. I put the read contents on 03-rdparam-350000-8000.bin, the 4-byte checksum for this file is "B0 4F DF AF".
    rdpram x 358000
    This reads back 32768 bytes (0x8000) of memory content from address 0x358000. I put the read contents on 04-rdparam-358000-8000.bin, the 4-byte checksum for this file is "7C FA 81 6A".
    rwdata 158000 8000
    This writes 32768 bytes (0x8000) of data to address 0x158000, the data is sent encapsulated on HTCS+data+(4byteCRC)+HTCE block. I put the contents on 10-rwdata-158000-8000.bin, the 4-byte checksum for this data is "7D E0 E2 B2".
    retuoR
    Exits the radio bootloader and goes back to normal bootloader.

- This is the rest of the unlocking process, the same in all rversion:
rtask b
This enters the radio Image AT-Command interpreter; the unlocking will follow:
[email protected]=0,1,22051978
Device returns "0"
[email protected]=0,2,22051978
Device returns "0"
[email protected]=0,4,22051978
Device returns "0"
[email protected]=0,8,22051978
Device returns "4"
[email protected]=0,16,22051978
Device returns "4"
[email protected]=0,32,22051978
Device returns "0"
AT
retuoR
retuoR
Exits the radio bootloader and goes back to normal bootloader.
7. The unlocker shows this:

Code:
Unlocking done.

Device is rebooting
This is what happens: the unlocker sends these commands:

shmsg 8 2 " done"
Shows the string " done" on row 2, column 2 of the device screen.
task 8
Resets the device
8. That's all

Now, who is willing to write a free unlocker?
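The HTCS+contents+4byteCRC+HTCE encapsulation that part II describes for `rwdata`, `rpass` and the `info 3` reply, as an added example that is not part of pof's post or the unlocker: it builds a frame, verifies one strictly, and recovers only the valid frames from a captured byte stream. The post says only "4-byte CRC", so CRC-32 (zlib) in big-endian order is an assumption here, and the capture below is constructed, not a device trace.

```python
"""HTCS ... HTCE framing as described in the post: HTCS + payload + 4-byte CRC + HTCE.
Added example, not the unlocker's code.  Assumption: the CRC is CRC-32 (zlib),
stored big-endian; the post only says "4-byte CRC"."""
import struct
import zlib

START, END = b"HTCS", b"HTCE"
CRC_LEN = 4
MIN_FRAME = len(START) + CRC_LEN + len(END)
INFO3_PAYLOAD = 2140 - MIN_FRAME   # the 2140-byte 'info 3' reply leaves 2128 payload bytes


def frame(payload: bytes) -> bytes:
    """Encapsulate a payload the way rwdata/rpass send data to the radio bootloader."""
    return START + payload + struct.pack(">I", zlib.crc32(payload)) + END


def unframe(blob: bytes) -> bytes:
    """Strict inverse of frame(): markers, minimum length and CRC must all check out."""
    if len(blob) < MIN_FRAME:
        raise ValueError("frame too short")
    if not (blob.startswith(START) and blob.endswith(END)):
        raise ValueError("missing HTCS/HTCE markers")
    body = blob[len(START):-len(END)]
    payload, stored = body[:-CRC_LEN], struct.unpack(">I", body[-CRC_LEN:])[0]
    actual = zlib.crc32(payload)
    if actual != stored:
        raise ValueError(f"CRC mismatch: computed {actual:#010x}, stored {stored:#010x}")
    return payload


def extract_frames(stream: bytes) -> list:
    """Return the payloads of every valid frame in a captured byte stream.

    Commands ("rwdata 4D0000 800") and bare replies ("T", "0") sit between the
    frames, and because payloads are binary the HTCE marker can occur inside one,
    so each HTCS is paired with successive HTCE candidates until the CRC verifies."""
    frames, pos = [], 0
    while (s := stream.find(START, pos)) != -1:
        e, payload = stream.find(END, s + len(START)), None
        while e != -1:
            try:
                payload = unframe(stream[s:e + len(END)])
                break
            except ValueError:
                e = stream.find(END, e + 1)
        if payload is None:          # no HTCE completes this HTCS: skip the marker
            pos = s + 1
        else:
            frames.append(payload)
            pos = e + len(END)
    return frames


# ---- constructed capture (not a real device trace) -------------------------
PAYLOAD_A = bytes(range(16))
PAYLOAD_B = b"abcHTCEdef"                       # contains the end marker itself
CORRUPT = bytearray(frame(PAYLOAD_A))
CORRUPT[6] ^= 0x01                              # one flipped bit in the payload
CAPTURE = (b"rwdata 4D0000 800\r\n" + bytes(CORRUPT) + b"\r\n"
           + b"rwdata 4D0000 800\r\n" + frame(PAYLOAD_B) + b"\r\nT\r\n"
           + frame(PAYLOAD_A) + b"\r\nT\r\n")


def demo() -> list:
    """Payloads recovered from CAPTURE; the corrupted frame is dropped."""
    return extract_frames(CAPTURE)


if __name__ == "__main__":
    for p in demo():
        print(len(p), "byte payload:", p)
```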
5th November 2006, 02:27 AM |#56  
Superb..Unbelievable stuff..
5th November 2006, 05:05 AM |#57  
pof, Retired Moderator
How to make the unlocker using a patched radio
OK, I know how to make the unlocker... it is almost ready... but as I like to share the knowledge here it is the process to patch the radio:

I took 1.13 radio from cingular's 1.31 rom, the same I used to unlock my device.

1) Extract radio 1.13 from the shipped rom:
Code:
nbh2dbh.pl HERMIMG_Cingular_1.31.502.1_SHIP.nbh HERMIMG_Cingular_1.31.502.1_SHIP.dbh

dbhdecode.pl HERMIMG_Cingular_1.31.502.1_SHIP.dbh
This generates GSM.nb which contains the shipped original 1.13 radio.

2) Join all the files I extracted from the imei-check unlocker:
Code:
cat 01-rwdata-0-10000.bin 02-rwdata-10000-10000.bin \
03-rwdata-20000-10000.bin 04-rwdata-30000-10000.bin \
05-rwdata-40000-10000.bin > imeicheck-0-50000.bin

cat 06-rwdata-100000-10000.bin \
07-rwdata-110000-10000.bin 08-rwdata-120000-10000.bin \
09-rwdata-130000-10000.bin > imeicheck-100000-140000.bin

cp 10-rwdata-158000-8000.bin imeicheck-158000-160000.bin
3) Extract the same parts from the original radio to compare them:
Code:
dd if=GSM.nb of=pof-0-50000.bin bs=1 count=327680
dd if=GSM.nb of=pof-100000-140000.bin bs=1 count=262144 skip=1048576
dd if=GSM.nb of=pof-158000-160000.bin bs=1 count=32768 skip=1409024
4) compare the parts overwritten by imei-check unlocker with the same parts on original radio:
Code:
hexdump -C -v imeicheck-0-50000.bin > imeicheck-0-50000.txt
hexdump -C -v pof-0-50000.bin > pof-0-50000.txt
hexdump -C -v imeicheck-100000-140000.bin > imeicheck-100000-140000.txt
hexdump -C -v pof-100000-140000.bin > pof-100000-140000.txt
hexdump -C -v imeicheck-158000-160000.bin > imeicheck-158000-160000.txt
hexdump -C -v pof-158000-160000.bin > pof-158000-160000.txt

diff -u pof-0-50000.txt imeicheck-0-50000.txt
--- pof-0-50000.txt     2006-11-05 04:19:31.000000000 +0100
+++ imeicheck-0-50000.txt       2006-11-05 04:19:18.000000000 +0100
@@ -3199,8 +3199,8 @@
 0000c7e0  5c f3 7c d8 f7 57 7c d8  13 13 7c d8 0c 6b ab d1  |\.|..W|...|..k..|
 0000c7f0  0c 16 ab d1 13 24 bf d1  c2 13 13 de a1 60 9f d1  |.....$.......`..|
 0000c800  8d 13 13 13 5c 13 13 13  2f 13 13 13 13 13 13 13  |....\.../.......|
-0000c810  ce b2 ae 13 ce b2 ae 13  ce b2 ae 13 13 13 13 13  |................|
-0000c820  ce b2 ae 13 13 13 13 13  13 13 13 13 13 13 13 13  |................|
+0000c810  42 6e ae 13 42 6e ae 13  42 6e ae 13 13 13 13 13  |Bn..Bn..Bn......|
+0000c820  42 6e ae 13 13 13 13 13  13 13 13 13 13 13 13 13  |Bn..............|
 0000c830  13 13 13 13 13 13 13 13  13 13 13 13 13 13 13 13  |................|
 0000c840  13 13 13 13 13 13 13 13  13 13 13 13 13 13 13 13  |................|
 0000c850  13 13 13 13 13 13 13 13  13 13 13 13 13 13 13 13  |................|
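Review bot: the `@@ -3199,8 +3199,8 @@` header counts hexdump text lines, so the byte offset has to be read from the first column; four 32-bit words at 0x0000c810, 0x0000c814, 0x0000c818 and 0x0000c820 each change from `ce b2 ae 13` to `42 6e ae 13`, with only the low two bytes of each word differing. Running `cmp -l` on the two .bin files would list those eight byte offsets directly and skip the hexdump/diff round trip.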
@@ -4223,8 +4223,8 @@
 000107e0  5c f3 7c d8 f7 57 7c d8  13 13 7c d8 0c 6b ab d1  |\.|..W|...|..k..|
 000107f0  0c 16 ab d1 13 24 bf d1  c2 13 13 de a1 60 9f d1  |.....$.......`..|
 00010800  8d 13 13 13 5c 13 13 13  2f 13 13 13 13 13 13 13  |....\.../.......|
-00010810  ce b2 ae 13 ce b2 ae 13  ce b2 ae 13 13 13 13 13  |................|
-00010820  ce b2 ae 13 13 13 13 13  13 13 13 13 13 13 13 13  |................|
+00010810  42 6e ae 13 42 6e ae 13  42 6e ae 13 13 13 13 13  |Bn..Bn..Bn......|
+00010820  42 6e ae 13 13 13 13 13  13 13 13 13 13 13 13 13  |Bn..............|
 00010830  13 13 13 13 13 13 13 13  13 13 13 13 13 13 13 13  |................|
 00010840  13 13 13 13 13 13 13 13  13 13 13 13 13 13 13 13  |................|
 00010850  13 13 13 13 13 13 13 13  13 13 13 13 13 13 13 13  |................|
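Review bot: this is the same four-word edit as at 0x0000c810, repeated exactly 0x10000 bytes later at 0x00010810, i.e. at in-block offset 0x810 of both `01-rwdata-0-10000.bin` and `02-rwdata-10000-10000.bin`; the post should say so explicitly, since a reader testing the patches one at a time needs to know the two 64 KiB blocks carry one repeated change rather than two independent ones.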
@@ -6142,7 +6142,7 @@
 00017fd0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
 00017fe0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
 00017ff0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
-00018000  d4 50 c0 e0 01 01 17 33  6c 22 52 16 16 96 63 ff  |.P.....3l"R...c.|
+00018000  d4 50 c0 e0 01 01 17 33  6c 22 52 16 63 63 63 ff  |.P.....3l"R.ccc.|
 00018010  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
 00018020  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
 00018030  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
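Review bot: two bytes change here, 0x0001800c (`16` to `63`) and 0x0001800d (`96` to `63`), inside a 16-byte record padded with `ff` on both sides; the prefix `50 c0 e0 01 01 17 33 6c 22 52 16` of that record recurs at the start of the 0x100000 region in the next diff, so the two edits look like the same structure stored twice and are best documented together.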

diff -u pof-100000-140000.txt imeicheck-100000-140000.txt
--- pof-100000-140000.txt       2006-11-05 04:23:06.000000000 +0100
+++ imeicheck-100000-140000.txt 2006-11-05 04:22:54.000000000 +0100
@@ -1,5 +1,5 @@
 00000000  a8 4f 70 b5 fd 38 6a 49  b9 17 50 c0 e0 01 01 17  |.Op..8jI..P.....|
-00000010  33 6c 22 52 16 22 16 f6  13 13 13 13 13 13 13 13  |3l"R."..........|
+00000010  33 6c 22 52 22 22 16 f6  13 13 13 13 13 13 13 13  |3l"R""..........|
 00000020  13 13 13 13 13 13 13 13  13 13 13 13 13 13 13 13  |................|
 00000030  13 13 13 13 13 13 13 13  13 13 13 13 13 13 13 13  |................|
 00000040  13 13 13 13 13 13 13 13  13 13 13 13 13 13 13 13  |................|
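Review bot: a single byte changes, 0x00100014 from `16` to `22`, so the hunk's line counts (`-1,5 +1,5`) overstate the edit; the post would be clearer listing the exact offset and old/new byte for each hunk, the way part II lists a CRC per block.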
@@ -749,7 +749,7 @@
 00002ec0  1a 10 13 b5 13 13 a3 d8  c2 13 13 8e ca 24 7c 84  |.............$|.|
 00002ed0  54 13 7c 84 25 ce ff dd  e6 13 13 de ca 33 7c d8  |T.|.%........3|.|
 00002ee0  a6 24 6a 8f 13 13 a0 d1  5a 10 13 b5 13 13 a3 d8  |.$j.....Z.......|
-00002ef0  54 13 13 8e ca 24 7c 84  54 13 7c 84 52 ff ff dd  |T....$|.T.|.R...|
+00002ef0  54 13 13 8e ca 24 7c 84  54 13 7c 84 fc cf ff dd  |T....$|.T.|.....|
 00002f00  13 a3 7c 84 c2 13 13 de  24 24 7c d8 a4 13 6a 8f  |..|.....$$|...j.|
 00002f10  92 e5 ff dd c1 e5 ff dd  1b 13 7c 84 ce 90 1c fb  |..........|.....|
 00002f20  67 4d 21 2e 94 13 13 13  67 47 cb cb 39 13 13 13  |gM!.....gG..9...|
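Review bot: two bytes change at 0x00102efc-0x00102efd (`52 ff` to `fc cf`); this is a separate edit from the one at 0x00100014 even though both land in `imeicheck-100000-140000.bin`, and it sits in a region that reads like code rather than a table (`7c 84` and `ff dd` recur every few words), so it deserves its own entry when the patches are split up for testing.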

diff -u pof-158000-160000.txt imeicheck-158000-160000.txt
--- pof-158000-160000.txt       2006-11-05 04:26:55.000000000 +0100
+++ imeicheck-158000-160000.txt 2006-11-05 04:26:39.000000000 +0100
@@ -374,7 +374,7 @@
 00001750  5c c9 fc 8f 14 51 c3 fc  68 8e 6d ff 8f 8e 8f a6  |\....Q..h.m.....|
 00001760  8a c9 a3 90 68 bc e6 e6  8f ec 2c 2c 81 14 0b 0b  |....h.....,,....|
 00001770  96 4f b0 af 96 4f bf 5c  54 96 79 c9 4f 1e 5c 51  |.O...O.\T.y.O.\Q|
-00001780  8e 8e ff a9 5c 26 68 fc  5a da 79 ff bc 5c 1b 5c  |....\&h.Z.y..\.\|
+00001780  8e 8e ff a9 5c 26 68 fc  5a da 14 ff bc 5c 1b 5c  |....\&h.Z....\.\|
 00001790  d7 34 4a 0e 0e c9 14 0e  4a 51 1b 4f fc 0e 05 be  |.4J.....JQ.O....|
 000017a0  96 32 8f bf 0b 51 16 8f  79 50 96 ee a9 8e 68 68  |.2...Q..yP....hh|
 000017b0  c2 26 79 8f 68 0d 5c a8  e5 55 c9 4f 6d 96 5c ec  |.&y.h.\..U.Om.\.|
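Review bot: one byte changes, file offset 0x0000178a (absolute 0x0015978a) from `79` to `14`; a full 32 KiB `rwdata 158000 8000` block is rewritten for this single byte, which the post could state outright so readers do not go looking for a larger change in that block.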
5) Generate a patched radio with imei-check's modifications:

I will take some parts from the original 1.13 radio (GSM.nb) and some other parts from the imei-check patches, the layout should be like this:

Code:
RADIO FROM - TO (hexa)  |     FROM - TO(bytes)| Where to take
------------------------+---------------------+----------------------------
0x00000000 - 0x00050000 | 00000000 - 00327680 | imeicheck-0-50000.bin (327680 bytes)
0x00050000 - 0x00100000 | 00327680 - 01048576 | GSM.nb (720896 bytes)
0x00100000 - 0x00140000 | 01048576 - 01310720 | imeicheck-100000-140000.bin (262144 bytes)
0x00140000 - 0x00158000 | 01310720 - 01409024 | GSM.nb (98304 bytes)
0x00158000 - 0x00160000 | 01409024 - 01441792 | imeicheck-158000-160000.bin (32768 bytes)
0x00160000 - 0x00D80000 | 01441792 - 14155776 | GSM.nb (12713984 bytes)
The commands used to generate the patched radio:

Code:
dd if=GSM.nb of=patched-50000-100000.bin bs=1 count=720896 skip=327680
dd if=GSM.nb of=patched-140000-158000.bin bs=1 count=98304 skip=1310720
dd if=GSM.nb of=patched-160000-D80000.bin bs=1 count=12713984 skip=1441792

cat imeicheck-0-50000.bin \
patched-50000-100000.bin imeicheck-100000-140000.bin \
patched-140000-158000.bin imeicheck-158000-160000.bin \
patched-160000-D80000.bin > gsm113-patched.nb
6) Now I compare the patched radio with the original one, to make sure all the process was correct:

Code:
hexdump -C -v gsm113-patched.nb > gsm113-patched.txt
hexdump -C -v GSM.nb > GSM.txt
diff -u gsm113-patched.txt GSM.txt
7) Done, what does this mean?

If you flash this patched radio then your device will be SuperCID and Security Level=0 and can be unlocked using this unlocking code: 22051978

After flashing another radio ROM (or shipped ROM) your device will be CID-locked again and Security Level=FF (unprivileged) but it will remain sim-unlocked forever.

So there's really no need to program an unlocker... I will make the nbf and provide the radio upgrade, so anyone can unlock their hermes for free

Expect the free unlocker in another thread in a while....
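Steps 2 to 6 above as one added example, not pof's own script: it splices the three imei-check regions into the original image at the offsets from the layout table, rejects a patch file of the wrong size (which `dd`/`cat` would silently accept and shift every later region), and then reports the exact byte ranges that differ, which is what the hexdump/diff step does by hand. The offsets are the post's; the image contents are constructed stand-ins, and the edit positions used for the demo are the ones the hexdump diffs show.

```python
"""Assemble a radio image from the layout table in the post and verify, byte
by byte, that the result differs from the original only inside the regions the
table says are replaced.  Added example: the offsets are the post's, but the
image contents are constructed stand-ins, not radio data."""

RADIO_SIZE = 0xD80000  # 14155776 bytes, the last row of the layout table

# Regions taken from the imei-check files; everything else comes from GSM.nb.
PATCHED_REGIONS = [
    (0x000000, 0x050000),  # imeicheck-0-50000.bin
    (0x100000, 0x140000),  # imeicheck-100000-140000.bin
    (0x158000, 0x160000),  # imeicheck-158000-160000.bin
]


def splice(original: bytes, patches: dict) -> bytes:
    """Replace each (start, end) region of `original` with the supplied bytes.
    Unlike dd/cat, a short or oversized patch file is rejected instead of
    silently shifting every later region."""
    if len(original) != RADIO_SIZE:
        raise ValueError(f"original is {len(original)} bytes, expected {RADIO_SIZE}")
    out = bytearray(original)
    for (start, end), data in patches.items():
        if len(data) != end - start:
            raise ValueError(f"patch {start:#x}-{end:#x}: got {len(data)} bytes, "
                             f"expected {end - start}")
        out[start:end] = data
    return bytes(out)


def changed_ranges(a: bytes, b: bytes, chunk: int = 4096) -> list:
    """Return [(start, end), ...] byte ranges (end exclusive) where a and b differ.
    Whole chunks are compared first so identical regions cost no per-byte work."""
    if len(a) != len(b):
        raise ValueError("images differ in size")
    ranges = []
    for base in range(0, len(a), chunk):
        ca, cb = a[base:base + chunk], b[base:base + chunk]
        if ca == cb:
            continue
        start = None
        for i, (x, y) in enumerate(zip(ca, cb)):
            if x != y:
                if start is None:
                    start = base + i
            elif start is not None:
                ranges.append((start, base + i))
                start = None
        if start is not None:
            ranges.append((start, base + len(ca)))
    merged = []  # join runs that straddle a chunk boundary
    for s, e in ranges:
        if merged and merged[-1][1] == s:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return merged


def confined_to_patches(ranges) -> bool:
    """True if every changed range lies inside one of PATCHED_REGIONS."""
    return all(any(r0 <= s and e <= r1 for r0, r1 in PATCHED_REGIONS)
               for s, e in ranges)


# ---- constructed demo data (not real radio contents) ----------------------

def make_original() -> bytes:
    """Stand-in for GSM.nb: a repeating 0..255 byte pattern of the right size."""
    return bytes(range(256)) * (RADIO_SIZE // 256)


# (offset, length) of the edits visible in the hexdump diffs above; the bytes
# written here are just the originals inverted, so only the ranges matter.
DEMO_EDITS = [(0xC810, 2), (0x1800C, 2), (0x100014, 1), (0x102EFC, 2), (0x15978A, 1)]


def make_patches(original: bytes) -> dict:
    """Build the three patch blobs: a copy of each region with DEMO_EDITS applied."""
    patches = {}
    for start, end in PATCHED_REGIONS:
        region = bytearray(original[start:end])
        for off, n in DEMO_EDITS:
            if start <= off < end:
                for k in range(n):
                    region[off - start + k] ^= 0xFF
        patches[(start, end)] = bytes(region)
    return patches


def demo():
    """Splice the demo patches in and return (changed ranges, all-inside-regions?)."""
    original = make_original()
    patched = splice(original, make_patches(original))
    ranges = changed_ranges(original, patched)
    return ranges, confined_to_patches(ranges)


if __name__ == "__main__":
    ranges, ok = demo()
    for s, e in ranges:
        print(f"changed {s:#08x}-{e:#08x} ({e - s} bytes)")
    print("all changes inside patched regions:", ok)
```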
5th November 2006, 07:38 AM |#58  
pof, Retired Moderator
Unlocker ready
This thread is no more sticky, I have published the patched radio and instructions to unlock the phone for free on another thread which is now sticky.

Please only comment on this thread if you have questions related to the unlocking process I explained or the method used to develop the free unlocker.

For downloading the free unlocker go here: Free HTC Hermes SIM Unlocker Available, and post the free unlocker related questions there.
5th November 2006, 03:39 PM |#59  
Very interesting!
So there look to be 3 different areas which are patched; one might presume them to be (in no particular order): SuperCID, Security Level, and Unlock code.

I'm still waiting on a Cingular 8525, so I have no Hermes to play with.

It would be interesting to make each of these patches in turn and see which one does what. I'd take a SWAG and say the larger patch does the unlock code itself, but that's a total guess of course. Knowing what each patched area does will help us to develop a more pure unlocker and maybe sticky SuperCID and sticky Security level....

Great work pof!!!!

Richard
5th November 2006, 09:45 PM |#60  
Wow someone had a busy night

The first part looks pretty useful in a completely unrelated way

Code:
1) Transfer: \Windows\8a227ad5-481f-42a3-9e80-a76dad03e0c2.cab

2) Transfer: \Windows\CM_Entries.XML

3)      run: wceload.exe ? /nouninstall /noui /delete \windows\8a227ad5-481f-42a3-9e80-a76dad03e0c2.cab
with this signed program we'll probably be able to application unlock any locked device, which is a problem with newer AKUs today.

The bootloader booting trick from CE seems very interesting as well to develop and test custom bootloaders with minimal risks.

Hopefully this information will now be used to design custom tools and a nicer unlocker that does not patch the radio ROM
5th November 2006, 10:32 PM |#61  
pof, Retired Moderator
Quote:
Originally Posted by rsolomon

So there look to be 3 different areas which are patched; one might presume them to be (in no particular order): SuperCID, Security Level, and Unlock code.

If I'm not wrong, SuperCID and Seclevel=0 should be the same part in the patch.

Quote:
Originally Posted by rsolomon

It would be interesting to make each of these patches in turn and see which one does what. I'd take a SWAG and say the larger patch does the unlock code itself, but that's a total guess of course. Knowing what each patched area does will help us to develop a more pure unlocker and maybe sticky SuperCID and stick Security level....

I will make the 3 patched roms with a separate patch on each one in order to understand what each part does. I have started to play a bit with IDA pro, but seems quite difficult now, and I have not so much time next week: university + work :(


Quote:
Originally Posted by Arisme

Wow someone had a busy night

For sure

Quote:
Originally Posted by Arisme

The first part looks pretty useful in a completely unrelated way
[...]
with this signed program we'll probably be able to application unlock any locked device, which is a problem with newer AKUs today.

Yes, they seem very interesting because the first cab is signed and then it transfers a XML file containing a custom certificate which is installed, and the second cab is signed with this certificate so it does not ask the user to accept the certificate when it is run. This can also be useful for application-unlock in the ExtROM to make cooked ExtROM as in WM2003

Quote:
Originally Posted by Arisme

The bootloader booting trick from CE seems very interesting as well to develop and test custom bootloaders with minimal risks.

I think it is similar to what gnuharet does with the linux kernel, they have the fake bootloader in memory and jump to that address. This is done by the rgu file which seems to be a PE executable and does something with the registry also... very weird...


Quote:
Originally Posted by Arisme

Hopefully these informations will now be used to design custom tools and a nicer unlocker that does not patch the radio ROM

Yes, this has been a good starting point, but there's still a mountain to climb!