Sim Unlock. Free!! - CONFIRMED WORKING

Did this work?

  • Yes :) (please post details below)

    Votes: 97 85.8%
  • No :( (please post details below)

    Votes: 16 14.2%

  • Total voters
    113

stifilz

CONFIRMED WORKING :)
No CDMA like Sprint or Verizon. Feel free to test though :)
EDIT: Sprint: see http://forum.xda-developers.com/sprint-one-m9/general/nv-unlocksim-t3314755

Hey guys.

I recently purchased an HTC M9 Sprint with the hopes that I could unlock it. Unfortunately I was not able to :(

Anyway, I bought an AT&T version (it arrived yesterday) and started to have a play with it.

First things first:
HTC DEV bootloader unlock
TWRP install
SU
S-Off via Sunshine (optional)

Now for the fun :)
I dumped all the partitions (except userdata as it was 28GB lol). Then I started to work on the SIM unlock. My attempt via the method that I posted here did not work for me. I then decided to try my luck with a code from eBay. I got one for US $4 which was pretty good. It took a few hours, but sure enough I received an email with a code. I started a logcat and then entered the SIM unlock code and to my surprise it WORKED :). Nothing interesting in the logcat though :(

I then dumped all the partitions again (except userdata)
Here is the list BTW:
Code:
dev:        size     erasesize name
mmcblk0p1: 00004000  00000200  "board_info"
mmcblk0p2: 00400000  00000200  "pg1fs"
mmcblk0p3: 00100000  00000200  "sbl1"
mmcblk0p4: 00100000  00000200  "pmic"
mmcblk0p5: 02800000  00000200  "dummy"
mmcblk0p6: 001f7c00  00000200  "reserve_1"
mmcblk0p7: 00040000  00000200  "mfg"
mmcblk0p8: 017afc00  00000200  "pg2fs"
mmcblk0p9: 00080000  00000200  "rpm"
mmcblk0p10: 00200000  00000200  "tz"
mmcblk0p11: 00018000  00000200  "sdi"
mmcblk0p12: 00200000  00000200  "hyp"
mmcblk0p13: 00100000  00000200  "aboot"
mmcblk0p14: 00a00000  00000200  "tool_diag"
mmcblk0p15: 00a00000  00000200  "sp1"
mmcblk0p16: 00100000  00000200  "ddr"
mmcblk0p17: 00100000  00000200  "rfg_0"
mmcblk0p18: 00100000  00000200  "rfg_1"
mmcblk0p19: 00100000  00000200  "rfg_2"
mmcblk0p20: 00100000  00000200  "rfg_3"
mmcblk0p21: 00100000  00000200  "rfg_4"
mmcblk0p22: 00100000  00000200  "rfg_5"
mmcblk0p23: 00100000  00000200  "rfg_6"
mmcblk0p24: 00100000  00000200  "rfg_7"
mmcblk0p25: 00180000  00000200  "fsg"
mmcblk0p26: 03b00400  00000200  "radio"
mmcblk0p27: 01400000  00000200  "adsp"
mmcblk0p28: 00000400  00000200  "limits"
mmcblk0p29: 004f7c00  00000200  "reserve_2"
mmcblk0p30: 01600000  00000200  "persist"
mmcblk0p31: 00a00000  00000200  "ramdump"
mmcblk0p32: 00100000  00000200  "misc"
mmcblk0p33: 00180000  00000200  "modem_st1"
mmcblk0p34: 00180000  00000200  "modem_st2"
mmcblk0p35: 01400000  00000200  "fataldevlog"
mmcblk0p36: 01e00000  00000200  "devlog"
mmcblk0p37: 00040000  00000200  "pdata"
mmcblk0p38: 00004000  00000200  "control"
mmcblk0p39: 00010000  00000200  "extra"
mmcblk0p40: 00100000  00000200  "cdma_record"
mmcblk0p41: 00000400  00000200  "fsc"
mmcblk0p42: 00002000  00000200  "ssd"
mmcblk0p43: 00080000  00000200  "sensor_hub"
mmcblk0p44: 00020000  00000200  "sec"
mmcblk0p45: 00100000  00000200  "abootbak"
mmcblk0p46: 00002800  00000200  "cir_img"
mmcblk0p47: 00140400  00000200  "local"
mmcblk0p48: 00080000  00000200  "frp"
mmcblk0p49: 00200000  00000200  "cpe"
mmcblk0p50: 01400000  00000200  "carrier"
mmcblk0p51: 00040000  00000200  "skylink"
mmcblk0p52: 00020000  00000200  "rfg_8"
mmcblk0p53: 00020000  00000200  "rfg_9"
mmcblk0p54: 00020000  00000200  "rfg_10"
mmcblk0p55: 00020000  00000200  "rfg_11"
mmcblk0p56: 00020000  00000200  "rfg_12"
mmcblk0p57: 00020000  00000200  "rfg_13"
mmcblk0p58: 00020000  00000200  "rfg_14"
mmcblk0p59: 00020000  00000200  "rfg_15"
mmcblk0p60: 01000000  00000200  "absolute"
mmcblk0p61: 00e07000  00000200  "reserve"
mmcblk0p62: 04000000  00000200  "hosd"
mmcblk0p63: 04000000  00000200  "boot"
mmcblk0p64: 04000000  00000200  "recovery"
mmcblk0p65: 14000000  00000200  "cache"
mmcblk0p66: 18000000  00000200  "system"
mmcblk0p67: e0000000  00000200  "userdata"
mmcblk0p68: 12200000  00000200  "apppreload"
mmcblk0p69: 03c00000  00000200  "cota"
mmcblk0p70: 00a00000  00000200  "battery"


Now for the actual fun. I compared every single partition before and after the SIM Lock trying to find a difference. There were many differences between files as they are not 'static' and used by the system. (This was done from recovery BTW).

I was looking for a small difference such as that of the bootloader lock / unlock, where you only have to change a small amount of data.
Something that stood out was mmcblk0p52 which is "rfg_8", and I only noticed this because I had made two dumps before SIM unlocking and it was THE ONLY PAIR OF DUMPS THAT MATCHED.

The files themselves aren't that big so I thought what the hell.
I flashed (dd) the 'before sim unlock' mmcblk0p52 and it was SIM LOCKED again :)
I then flashed (dd) the 'after sim unlock' mmcblk0p52 and it was SIM UNLOCKED again :)

If you could help by getting your mmcblk0p52 to me I can then compare and see if this will equal a free SIM UNLOCK for you.

AT&T: No longer needed :) Files are the same
T-Mobile: No longer needed :) Files are the same
Sprint: Partition is empty, all 0's - will need to find another way
Verizon: I assume it is the same as Sprint.
Others??

Please use the following code:
Code:
adb shell
su
dd if=/dev/block/bootdevice/by-name/rfg_8 of=/sdcard/rfg_8old
exit
exit
adb pull /sdcard/rfg_8old
Then upload the rfg_8old and link to me.

To Sim unlock your device

Do the above and save it to your computer. Download my rfg_8-Locked.txt and compare the two files.
You can do this using HxD from here http://mh-nexus.de/en/hxd/
Drag both files (locked partitions) into HxD and press Ctrl + K or go to File > Analysis > File-Compare > Compare....
It will pop up 'both files are identical'
If there is a file difference then STOP

If the file is the same then you can do the following:
Please copy and paste one line at a time
rfg_8-UnLocked.txt must be in your ADB directory OR manually placed on the root of the internal SD card and renamed to rfg_8
Code:
adb push rfg_8-UnLocked.txt /sdcard/rfg_8new
adb shell
su
dd if=/sdcard/rfg_8new of=/dev/block/bootdevice/by-name/rfg_8
exit
exit
Please use the Poll above and leave a comment :)

Please don't forget to click the thanks button or donate to me http://forum.xda-developers.com/donatetome.php?u=4428363
This took a lot of time and effort. The (at least) $5 it would have cost you for the unlock code, could be put to better use :D


Thanks for the support guys

Stifilz

THANKS TO:
@grim489 for dumping the mmcblk0p52 from T-Mobile (which I found was an exact match) :)
@bigp951 for dumping the mmcblk0p52 from AT&T locked sim (which I found was an exact match) :)
@bigp951 for dumping the mmcblk0p52 from DEV Edition factory unlocked sim (which I found was empty 0's, probably due to never being locked) :)
@bigp951 for testing the Unlocked partition on AT&T and confirming it worked :D
@WildsideUK for confirming that this works while S-On :)
 

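The before/after partition comparison described in the post, as an added Python example (not the thread's own code or files): it parses the dev/size/erasesize/name listing from the post, does the byte-for-byte check that HxD's File-Compare does, and applies the triage the post relied on (a partition that is identical across two dumps taken in the same state but changes across the state change). The sample dumps are constructed stand-ins for real mmcblk0pNN images.

```python
from typing import Dict, List, Optional, Tuple

# Excerpt of the partition listing posted above (size and erasesize are hex byte counts).
PARTITION_TABLE = """\
dev:        size     erasesize name
mmcblk0p48: 00080000  00000200  "frp"
mmcblk0p52: 00020000  00000200  "rfg_8"
mmcblk0p66: 18000000  00000200  "system"
"""


def parse_partition_table(text: str) -> Dict[str, Tuple[str, int]]:
    """Map partition name -> (block device, size in bytes); the header line is skipped."""
    table: Dict[str, Tuple[str, int]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "dev:":
            continue
        table[parts[3].strip('"')] = (parts[0].rstrip(":"), int(parts[1], 16))
    return table


def file_compare(a: bytes, b: bytes) -> dict:
    """Byte-for-byte check like HxD's File-Compare: identical?, first differing offset, all-zero?"""
    first: Optional[int] = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), None)
    if first is None and len(a) != len(b):
        first = min(len(a), len(b))  # one dump is a prefix of the other
    return {"identical": first is None, "first_diff": first, "all_zero": not any(b)}


def find_stable_changed(pre1: Dict[str, bytes], pre2: Dict[str, bytes],
                        post: Dict[str, bytes]) -> List[str]:
    """Partitions identical across two same-state dumps but different after the state change.
    Dynamic partitions (cache, logs) fail the first test; untouched ones fail the second."""
    return sorted(name for name in pre1
                  if name in pre2 and name in post
                  and pre1[name] == pre2[name] and pre1[name] != post[name])


# Constructed sample dumps: two taken before the change, one after.
PRE1 = {"rfg_8": b"\x01LOCK", "cache": b"log-1", "system": b"sys", "rfg_9": b"\x00" * 8}
PRE2 = {"rfg_8": b"\x01LOCK", "cache": b"log-2", "system": b"sys", "rfg_9": b"\x00" * 8}
POST = {"rfg_8": b"\x00OPEN", "cache": b"log-3", "system": b"sys", "rfg_9": b"\x00" * 8}

if __name__ == "__main__":
    dev, size = parse_partition_table(PARTITION_TABLE)["rfg_8"]
    print(f"rfg_8 is {dev}, {size} bytes")                        # mmcblk0p52, 131072 bytes
    print("candidates:", find_stable_changed(PRE1, PRE2, POST))   # ['rfg_8']
    print(file_compare(PRE1["rfg_8"], POST["rfg_8"]))             # first_diff 0
```

Run on real dumps, read each mmcblk0pNN file into the dicts with `open(path, "rb").read()`; the all_zero flag picks out the never-written case the post reports for the Sprint and Dev Edition units.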

grim489

Here is my mmcblk0p52, I am sim locked to T-Mobile. Haven't got around to trying the international software/firmware with your other unlock thread but managed to get this. :good:
 


stifilz

grim489 said:
Here is my mmcblk0p52, I am sim locked to T-Mobile. Haven't got around to trying the international software/firmware with your other unlock thread but managed to get this. :good:

OMFG. THE FILE IS IDENTICAL TO MY SIM LOCKED PARTITION. FEEL FREE TO USE HxD TO 'FILE COMPARE' THE HEX VALUES YOURSELF. IF YOU ARE KEEN THEN PLEASE FLASH MY UNLOCKED PARTITION. BE VERY CAREFUL WITH THE DD COMMAND! :D


Obviously reverse the DD command :)
Do it in recovery or normal and then reboot.
Can you please dump the partition after too. Here is HxD (I love this software)
Drag both files (locked partitions) into HxD and press Ctrl + K or go to File > Analysis > File-Compare > Compare....
It will pop up 'both files are identical' :D

Thank you @grim489, credits to you

grim489

Gotta find somebody's sim to steal and test but it's no problem I'm just doing the simple stuff haha. Let me get back to you in a little bit stifilz, gonna try it out.

Sent from my HTC One M9 using Tapatalk

bigp951

I hope this works because I bought an AT&T m9 today for my wife but we are on T-mobile. Only thing is I know nothing about dd commands so would need instructions like in the OP.
 

stifilz

bigp951 said:
I hope this works because I bought an AT&T m9 today for my wife but we are on T-mobile. Only thing is I know nothing about dd commands so would need instructions like in the OP.
Ok, first thing you will need to do is dump the current mmcblk0p52 (same as in the first OP). Pull this file to your computer. Download my mmcblk0p52-rfg_8-Locked.txt (LOCKED VERSION) and compare the two files using HxD or similar.

IF they are the same then you can proceed to flash my mmcblk0p52-rfg_8-UnLocked.txt (UNLOCKED) file.
Code:
adb push mmcblk0p52-rfg_8-UnLocked /sdcard/mmcblk0p52
adb shell
su
dd if=/sdcard/mmcblk0p52 of=/dev/block/mmcblk0p52
exit
exit
Please proceed at your own risk :)

Thanks
 

bigp951

stifilz said:
Ok, first thing you will need to do is dump the current mmcblk0p52 (same as in the first OP). Pull this file to your computer. Download my mmcblk0p52-rfg_8-Locked.txt (LOCKED VERSION) and compare the two files using HxD or similar.

IF they are the same then you can proceed to flash my mmcblk0p52-rfg_8-UnLocked.txt (UNLOCKED) file.
Code:
adb push mmcblk0p52-rfg_8-UnLocked /sdcard/mmcblk0p52
adb shell
su
dd if=/sdcard/mmcblk0p52 of=/dev/block/mmcblk0p52
exit
exit
Please proceed at your own risk :)

Thanks
I am ready to attempt this but am curious to what my chances are for a hard brick? I will copy and paste your commands
I have a nandroid on my sd card so I should be able to recover from anything minor.

EDIT--strangely enough when I attempted to push the file to the sd card this came back...

failed to copy 'mmcblk0p52-rfg_8-UnLocked' to '/sdcard/mmcblk0p52': Permission denied

I will put the file in the sd card manually and proceed from there

stifilz

bigp951 said:
I am ready to attempt this but am curious to what my chances are for a hard brick? I will copy and paste your commands
I have a nandroid on my sd card so I should be able to recover from anything minor.
I am fairly certain that it will be the correct file. I don't have another partition of someone that has Sim Unlocked before (I only have my one). I assume that it is not Unlock Code specific. I have flashed to my Sprint M9 to no avail (this had 0's before like your dev edition). Also no damage to the phone :)

Hard brick would be HIGHLY UNLIKELY. I have put my HTCs through the wars and they have always come back to me. As long as you are S-OFF you can recover from almost anything. Copy and paste and double check everything :D.

Best of luck :good:

stifilz

bigp951 said:
EDIT--strangely enough when I attempted to push the file to the sd card this came back...

failed to copy 'mmcblk0p52-rfg_8-UnLocked' to '/sdcard/mmcblk0p52': Permission denied

I will put the file in the sd card manually and proceed from there
mmcblk0p52-rfg_8-UnLocked (note .txt has been removed) will need to be in the folder where your ADB is :)