Old 04-27-2005, 16:13   #1 (permalink)
No Life Poster
 
Join Date: Nov 2004
Location: USA
Posts: 1,207
Member: 92260
Status: Offline
Thanks Meter: 843
Kyocera KX1-2/Energi/Aktiv SPC unlock!


As you may know the new Kyocera KX1-2/Energi/Aktiv phones are unlockable at the moment, unless you have the correct SPC.

So, here are some experiments I've done:

1. Tried reading the memory from 1010000hex using UniCDMA but it's protected and gives a read error. See screenshot http://forum.gsmhosting.com/vbb/atta...id=19858&stc=1

2. Tried the obvious BitPim reading but it too gives a read error. See screenshot http://forum.gsmhosting.com/vbb/atta...id=19859&stc=1
On the other hand it lets you read and write the \brew folder. So if somebody can write a small brew app which could hex dump the \nvm\nvm\nvm_security file on the phone's screen, then that might be a solution.

3. Tried using QXDM to enter random passwords and interestingly it says "phone unlocked", but when you try to read or write the sec_code it fails. Does Kyocera use passwords at all? Anyone has the REAL working password? See screenshot http://forum.gsmhosting.com/vbb/atta...id=19860&stc=1

Update #1
Here's a trick to get into programming on SPC locked Kyocera KX1-2 series phones. I found that NV item otksl_flag is not protected, so writing a maximum value of 255 lets you enter service programming 255 times, which I think should be more than enough for the lifetime of the phone.

In QXDM enter these command lines:

mode offline-d
nv_write otksl_flag 255
mode reset

Then on the phone enter ##000000 and press the upper left SERVICE key.
And you're in!

The catch is that you still won't be able to load the PRL in QXDM or update it over the air since the SPC is still locked.
I've got in half way, now it's your turn to come up with a working PRL update, or better yet reading out the real level3 SPC.

If anyone has any working and tested solutions or ideas please post it here.
Failure is not an option, so let's get this baby unlocked!

BillA
Attached Images
File Type: jpg MemoryReadError.jpg (41.8 KB, 559 views)
File Type: jpg BitPimError.jpg (71.3 KB, 413 views)
File Type: jpg QXDMError.jpg (82.1 KB, 412 views)
  Reply With Quote
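Added example, not part of the original thread and not Kyocera or Qualcomm code: a small C model of the weakness reported in post #1, where a write gate protects sec_code but not otksl_flag, next to a gate that protects both. The struct, function names and the counter's decrement-on-use behaviour are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the handset's NV write path (names are assumptions). */
enum nv_item { NV_OTKSL_FLAG, NV_SEC_CODE };

struct phone {
    bool    spc_ok;        /* true only after the correct SPC was presented */
    uint8_t otksl_flag;    /* assumed: remaining service-programming entries */
    uint8_t sec_code[6];   /* the SPC, six ASCII digits */
};

typedef bool (*policy_fn)(enum nv_item);

/* Weak policy, matching what the post reports: only sec_code is gated. */
static bool weak_policy(enum nv_item id) { return id == NV_SEC_CODE; }
/* Hardened policy: every item that can grant service access is gated. */
static bool hardened_policy(enum nv_item id) { return id == NV_SEC_CODE || id == NV_OTKSL_FLAG; }

static bool nv_write(struct phone *p, policy_fn needs_spc, enum nv_item id,
                     const uint8_t *data, size_t len) {
    if (needs_spc(id) && !p->spc_ok)
        return false;                       /* rejected: item is protected */
    if (id == NV_OTKSL_FLAG && len == 1) { p->otksl_flag = data[0]; return true; }
    if (id == NV_SEC_CODE && len == 6) { memcpy(p->sec_code, data, 6); return true; }
    return false;                           /* wrong length for the item */
}

/* Keypad path: entry allowed with the SPC, or by spending one counted entry. */
static bool enter_service_programming(struct phone *p) {
    if (p->spc_ok) return true;
    if (p->otksl_flag == 0) return false;
    p->otksl_flag--;
    return true;
}

/* Replays the post's sequence on an SPC-locked phone under a given policy. */
static bool locked_phone_reaches_service_menu(policy_fn policy) {
    struct phone p = { .spc_ok = false, .otksl_flag = 0 };
    const uint8_t max = 255;
    nv_write(&p, policy, NV_OTKSL_FLAG, &max, 1);   /* result ignored on purpose */
    return enter_service_programming(&p);
}

int main(void) {
    bool ok = locked_phone_reaches_service_menu(weak_policy) &&
              !locked_phone_reaches_service_menu(hardened_policy);
    return ok ? 0 : 1;
}
```

The point for a firmware reviewer is that the protected set has to cover every item that feeds an access decision, not only the item holding the secret.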
Old 04-28-2005, 06:47   #2 (permalink)
Freak Poster
 
Number 3's Avatar
 
Join Date: Nov 2002
Location: Kyocera NV
Posts: 191
Member: 17428
Status: Offline
Thanks Meter: 4
[email protected]

  Reply With Quote
Old 04-28-2005, 19:23   #3 (permalink)
No Life Poster
 
Join Date: Nov 2004
Location: USA
Posts: 1,207
Member: 92260
Status: Offline
Thanks Meter: 843
Quote:
Originally Posted by Number 3
I wish you would share ideas rather than sell it.

BillA
  Reply With Quote
Old 04-29-2005, 08:30   #4 (permalink)
No Life Poster
 
inder's Avatar
 
Join Date: Mar 2005
Location: indiamobilesolution
Age: 72
Posts: 971
Member: 121938
Status: Offline
Sonork: 1001590655
Thanks Meter: 1,028
billa where you go you can find either number-3, or some one anandcdma(kamaal) everywhere.
  Reply With Quote
Old 04-29-2005, 22:48   #5 (permalink)
No Life Poster
 
Join Date: Nov 2004
Location: USA
Posts: 1,207
Member: 92260
Status: Offline
Thanks Meter: 843
Quote:
Originally Posted by inder
billa where you go you can find either number-3, or some one anandcdma(kamaal) everywhere.
Yeah looks like they follow the leader hahaha

I believe that the solution is a flash reader which would read out the raw memory without having to enter the SPC for the ARM programmer. Anyone knows how to put a Kyocera KX series in emergency download mode like on a Samsung phone pressing 9 while powering on?

Thanks!

BillA
  Reply With Quote
Old 05-01-2005, 03:46   #6 (permalink)
Freak Poster
 
Number 3's Avatar
 
Join Date: Nov 2002
Location: Kyocera NV
Posts: 191
Member: 17428
Status: Offline
Thanks Meter: 4
Bill, a couple things to try. Try accessing the EFS files inside the phone. If it does not support EFS then you will need to do a complete NVM erasure and restore from an unlocked phone. It's important to erase the NVM prior because if the existing lock data is present in the phone and you simply try to overwrite it will not work. I say an erasure is needed for each phone because it appears the security state is locked from the errors posted on the other phones.

If you only have one phone to do, PM the ESN and I will try and generate the code remotely

good luck
  Reply With Quote
Old 05-02-2005, 15:26   #7 (permalink)
No Life Poster
 
Join Date: Nov 2004
Location: USA
Posts: 1,207
Member: 92260
Status: Offline
Thanks Meter: 843
Well lookie lookie who turned out to be a nice guy... Number3
Actually I'm glad to see you share ideas. After all this is what forums are all about.

Your idea sounds good about erasing the NVM and the Kyocera KX1-2 series does have an EFS but using BitPim or any other EFS tool only lets you read and write the /brew and the /user/contacts dirs. When you try to read and write any of the rest of the files it just gives a truncation error including the \nvm\nvm\nvm_security file which contains the SPC. Evidently they are all read and write protected from external retrieval. This is why I have suggested for someone to write a Brew application which CAN be uploaded into the /brew folder, run internally on the phone and dump the contents of the \nvm\nvm\nvm_security file on the phone's screen.

Again, no tools can access any memory on these phones without the correct SPC unless we come up with a special solution. Does anyone have a flash reader for MSM chipsets without having to enter the correct SPC?

Keep the ideas coming,

BillA
  Reply With Quote
Old 05-02-2005, 18:56   #8 (permalink)
Freak Poster
 
Number 3's Avatar
 
Join Date: Nov 2002
Location: Kyocera NV
Posts: 191
Member: 17428
Status: Offline
Thanks Meter: 4
Who said I wasn't a nice guy. You just assumed I was an *** because I don't give everything away for free. As you will notice here on the boards there are many people who make a living writing software for mobile phones. Although some solutions come free, others cost money because we have to eat. I suspect that megabyte for megabyte I am one of the top freebie contacts for files. Today alone I have uploaded more than 150 megs for special requests at no charge to people who need them.


In reply to the above

Bill, It sounds like you are using inadequate tools when trying to access the EFS directories. They are protected when using programs like QXDM. Other programs will bypass all security of the EFS and read the entire contents. There are many programs that should do this including the attached screenshot.

The attached is of a protected K112 directory but as you can see in the background all the contents were extracted. This program was made to bypass all security of all Qualcomm chipsets for EFS directory but it should not be needed here. Keep looking for other programs besides bitpim and QXDM, you will see more EFS files.

Bottom line, if you only see one directory in the EFS you need to try another program. Maybe even QPST should show more than one.

Yes the memory can be accessed without the SPC, security state lock and SPC are 2 different locks. The SPC is only used to reprogram the phone and requested by a program's protection, not the phone's. Example KWPST. If you beat the program's request for the SPC you will see that the phone spills information.

Yes there are also flash readers for Qualcomm however this is not the solution needed. Keep looking for the EFS programs and it will show the code. I have unlocked more than 25 thousand Kyoceras in the past 2 years and have developed more than 100 Kyocera programs. Trust me when I say keep looking at the EFS

good luck.
Attached Images
File Type: jpg efs.jpg (29.5 KB, 334 views)
  Reply With Quote
Old 05-02-2005, 20:10   #9 (permalink)
No Life Poster
 
Join Date: Nov 2004
Location: USA
Posts: 1,207
Member: 92260
Status: Offline
Thanks Meter: 843
Quote:
Originally Posted by Number 3
Bottom line, if you only see one directory in the EFS you need to try another program. Maybe even QPST should show more than one.
Thanks for the good ideas!

By the way BitPim does show the full directory of the EFS including the files but unable to read it (errors out). So yes another tool is needed here.

And what's up with that Texas Instruments logo in the EFS reader?

Ok will keep on searching and experimenting...

BillA
  Reply With Quote
Old 05-24-2005, 01:49   #10 (permalink)
No Life Poster
 
Join Date: Nov 2004
Location: USA
Posts: 1,207
Member: 92260
Status: Offline
Thanks Meter: 843
Finally unlocked the SPC on KX1/2/404/440/494/Activ/Energi !!!


That's right, started this project on April 20th and now a month later it's finally done! So here we go:

As a refresher, the flash memory and EFS is protected on these phones so you can't use any memory reader or BitPim to read nvm/nvm/nvm_security.
See screenshot http://forum.gsmhosting.com/vbb/atta...chmentid=23612
So what can you do?! Spend a month, smoking cartons of cigarettes while peeking and poking the phone's memory until you realize that there's a better way.

First, the magic is using a JTAG interface to change the phone into low-level Test Mode. In this mode the ESN shows up as FFFFFFFF and the memory can be dumped by UniCDMA. See screenshot http://forum.gsmhosting.com/vbb/atta...chmentid=23613

Next, using a hex viewer you can search for the following hex string
"00 01 FF FF 01 FF FF 01 FF FF 01" followed by the SPC 514117, FSC 999999, and OTC 111111.
See screenshot http://forum.gsmhosting.com/vbb/atta...chmentid=23614

Finally, you can reset the SPC to 000000 and write the PRL of your choice.
In QXDM enter the following commands:
mode offline-d
spc "xxxxxx" (from the memory dump)
nv_write sec_code 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
pr_list_wr 0 "C:\your.prl"
mode reset

As a bonus, once you enter the correct SPC in QXDM and without rebooting the phone you can use BitPim to read and write the EFS.
See screenshot http://forum.gsmhosting.com/vbb/atta...chmentid=23615

By the way this method has been tested on all the new Kyocera KX1/2/404/440/494/Activ/Energi phones. This is just one solution, so if anyone has any other methods with screenshot proof then step right up and post it here!

In closing, please do not ask or beg me for the JTAG solution because I don't want to spoil the challenge of hacking for everyone. If you can't figure it out and need your phone unlocked, contact me in private.

Good luck,
BillA

p.s. Greetings to Number3, Piloncillo, SVC, and MegaSlava!
Attached Images
File Type: jpg KX1-MemoryError.JPG (41.8 KB, 625 views)
File Type: jpg KX1-MemoryRead.JPG (43.7 KB, 657 views)
File Type: jpg KX1-SPC.JPG (84.1 KB, 514 views)
File Type: jpg KX1-BitPim.JPG (86.6 KB, 487 views)

Last edited by BillA; 05-24-2005 at 20:04.
  Reply With Quote
Old 05-27-2005, 02:03   #11 (permalink)
Junior Member
 
Join Date: Feb 2004
Age: 57
Posts: 23
Member: 55653
Status: Offline
Thanks Meter: 1
need interface JTAG to Kx1 kyocera SOHO,
schematic or use... need very information.

information ..need writer spc... need see esn FFFFFFFF
JTAG interface info need and all in forum.

THX(THANKS)

Class_CELL
  Reply With Quote
Old 06-12-2005, 01:40   #12 (permalink)
Junior Member
 
Join Date: May 2005
Age: 53
Posts: 6
Member: 148158
Status: Offline
Thanks Meter: 0
I tried the method you described, but not so much luck.
It doesn't work with KX2 (KOI). The memory cannot be read with UniCDMA. there is always a read error in every range from 0x00000000 to 0xFFFFFFFF.
The spc default code is 000000, and the memory has unknown size.
I also tried QPST, but I couldn't find the ESN number anywhere.
Ztree is not a very good program to support hex editing.
The best hex edit program is WINHEX for Windows. Edits everything.
Instead of the JTAG I have a USB-to-Kyocera cable which is made by Kyocera txdta10075, and it works as COM4.

Any more ideas are welcomed.
  Reply With Quote
Old 06-12-2005, 17:58   #13 (permalink)
No Life Poster
 
luzer's Avatar
 
Join Date: Nov 2003
Location: GT
Posts: 2,802
Member: 44659
Status: Offline
Thanks Meter: 363
BillA method needs jtag ...
  Reply With Quote
Old 06-16-2005, 08:20   #14 (permalink)
Freak Poster
 
celucables's Avatar
 
Join Date: May 2004
Location: CeluCables
Age: 47
Posts: 259
Member: 65115
Status: Offline
Sonork: 100.71218
Thanks Meter: 72
and what's up with minlock, can somebody find any direct way to take out minlock using similar steps?

good lucky

CC
  Reply With Quote
Old 06-16-2005, 08:23   #15 (permalink)
Freak Poster
 
celucables's Avatar
 
Join Date: May 2004
Location: CeluCables
Age: 47
Posts: 259
Member: 65115
Status: Offline
Sonork: 100.71218
Thanks Meter: 72
and what's up with minlock, can somebody find any direct way to take out minlock using similar steps?

good lucky

CC
  Reply With Quote