04-27-2005, 16:13 | #1 (permalink) |
No Life Poster Join Date: Nov 2004 Location: USA
Posts: 1,207
Member: 92260 Status: Offline Thanks Meter: 843

Kyocera KX1-2/Energi/Aktiv SPC unlock!

So, here are some experiments I've done:

1. Tried reading the memory from 1010000hex using UniCDMA but it's protected and gives a read error. See screenshot http://forum.gsmhosting.com/vbb/atta...id=19858&stc=1

2. Tried the obvious BitPim reading but it too gives a read error. See screenshot http://forum.gsmhosting.com/vbb/atta...id=19859&stc=1 On the other hand it lets you read and write the \brew folder. So if somebody can write a small brew app which could hex dump the \nvm\nvm\nvm_security file on the phone's screen, then that might be a solution.

3. Tried using QXDM to enter random passwords and interestingly it says "phone unlocked", but when you try to read or write the sec_code it fails. Does Kyocera use passwords at all? Does anyone have the REAL working password? See screenshot http://forum.gsmhosting.com/vbb/atta...id=19860&stc=1

Update #1

Here's a trick to get into programming on SPC locked Kyocera KX1-2 series phones. I found that NV item otksl_flag is not protected, so writing a maximum value of 255 lets you enter service programming 255 times, which I think should be more than enough for the lifetime of the phone.

In QXDM enter these command lines:

mode offline-d
nv_write otksl_flag 255
mode reset

Then on the phone enter ##000000 and press the upper left SERVICE key. And you're in!

The catch is that you still won't be able to load the PRL in QXDM or update it over the air since the SPC is still locked. I've got in halfway, now it's your turn to come up with a working PRL update, or better yet reading out the real level3 SPC.

If anyone has any working and tested solutions or ideas please post it here. Failure is not an option, so let's get this baby unlocked!

BillA
04-29-2005, 22:48 | #5 (permalink) | |
No Life Poster Join Date: Nov 2004 Location: USA
Posts: 1,207
Member: 92260 Status: Offline Thanks Meter: 843 | Quote:
I believe that the solution is a flash reader which would read out the raw memory without having to enter the SPC for the ARM programmer. Does anyone know how to put a Kyocera KX series in emergency download mode, like on a Samsung phone pressing 9 while powering on?

Thanks!

BillA
05-01-2005, 03:46 | #6 (permalink) |
Freak Poster Join Date: Nov 2002 Location: Kyocera NV
Posts: 191
Member: 17428 Status: Offline Thanks Meter: 4

Bill, a couple of things to try.

Try accessing the EFS files inside the phone. If it does not support EFS then you will need to do a complete NVM erasure and restore from an unlocked phone. It's important to erase the NVM prior, because if the existing lock data is present in the phone and you simply try to overwrite, it will not work. I say an erasure is needed for each phone because it appears the security state is locked, from the errors posted on the other phones.

If you only have one phone to do, PM the ESN and I will try and generate the code remotely.

Good luck
05-02-2005, 15:26 | #7 (permalink) |
No Life Poster Join Date: Nov 2004 Location: USA
Posts: 1,207
Member: 92260 Status: Offline Thanks Meter: 843

Well lookie lookie who turned out to be a nice guy... Number3

Actually I'm glad to see you share ideas. After all, this is what forums are all about.

Your idea sounds good about erasing the NVM, and the Kyocera KX1-2 series does have an EFS, but using BitPim or any other EFS tool only lets you read and write the /brew and the /user/contacts dirs. When you try to read and write any of the rest of the files it just gives a truncation error, including the \nvm\nvm\nvm_security file which contains the SPC. Evidently they are all read and write protected from external retrieval.

This is why I have suggested for someone to write a Brew application which CAN be uploaded into the /brew folder, run internally on the phone and dump the contents of the \nvm\nvm\nvm_security file on the phone's screen.

Again, no tools can access any memory on these phones without the correct SPC unless we come up with a special solution. Does anyone have a flash reader for MSM chipsets without having to enter the correct SPC?

Keep the ideas coming,

BillA
05-02-2005, 18:56 | #8 (permalink) |
Freak Poster Join Date: Nov 2002 Location: Kyocera NV
Posts: 191
Member: 17428 Status: Offline Thanks Meter: 4

Who said I wasn't a nice guy. You just assumed I was an *** because I don't give everything away for free. As you will notice here on the boards there are many people who make a living writing software for mobile phones. Although some solutions come free, others cost money because we have to eat. I suspect that megabyte for megabyte I am one of the top freebie contacts for files. Today alone I have uploaded more than 150 megs for special requests at no charge to people who need them.

In reply to the above, Bill:

It sounds like you are using inadequate tools when trying to access the EFS directories. They are protected when using programs like QXDM. Other programs will bypass all security of the EFS and read the entire contents. There are many programs that should do this, including the attached screenshot. The attached is of a protected K112 directory but as you can see in the background all the contents were extracted. This program was made to bypass all security of all Qualcomm chipsets for EFS directory but it should not be needed here.

Keep looking for other programs besides BitPim and QXDM, you will see more EFS files. Bottom line, if you only see one directory in the EFS you need to try another program. Maybe even QPST should show more than one.

Yes, the memory can be accessed without the SPC; security state lock and SPC are 2 different locks. The SPC is only used to reprogram the phone and is requested by a program's protection, not the phone's. Example: KWPST. If you beat the program's request for the SPC you will see that the phone spills information.

Yes, there are also flash readers for Qualcomm, however this is not the solution needed. Keep looking for the EFS programs and it will show the code.

I have unlocked more than 25 thousand Kyoceras in the past 2 years and have developed more than 100 Kyocera programs. Trust me when I say keep looking at the EFS.

Good luck.
05-02-2005, 20:10 | #9 (permalink) | |
No Life Poster Join Date: Nov 2004 Location: USA
Posts: 1,207
Member: 92260 Status: Offline Thanks Meter: 843 | Quote:
By the way, BitPim does show the full directory of the EFS including the files but is unable to read it (errors out). So yes, another tool is needed here. And what's up with that Texas Instruments logo in the EFS reader?

OK, will keep on searching and experimenting...

BillA
05-24-2005, 01:49 | #10 (permalink) |
No Life Poster Join Date: Nov 2004 Location: USA
Posts: 1,207
Member: 92260 Status: Offline Thanks Meter: 843

Finally unlocked the SPC on KX1/2/404/440/494/Activ/Energi !!!

That's right, started this project on April 20th and now a month later it's finally done! So here we go:

As a refresher, the flash memory and EFS are protected on these phones so you can't use any memory reader or BitPim to read nvm/nvm/nvm_security. See screenshot http://forum.gsmhosting.com/vbb/atta...chmentid=23612

So what can you do?! Spend a month, smoking cartons of cigarettes while peeking and poking the phone's memory until you realize that there's a better way.

First, the magic is using a JTAG interface to change the phone into low-level Test Mode. In this mode the ESN shows up as FFFFFFFF and the memory can be dumped by UniCDMA. See screenshot http://forum.gsmhosting.com/vbb/atta...chmentid=23613

Next, using a hex viewer you can search for the following hex string "00 01 FF FF 01 FF FF 01 FF FF 01" followed by the SPC 514117, FSC 999999, and OTC 111111. See screenshot http://forum.gsmhosting.com/vbb/atta...chmentid=23614

Finally, you can reset the SPC to 000000 and write the PRL of your choice. In QXDM enter the following commands:

mode offline-d
spc "xxxxxx" (from the memory dump)
nv_write sec_code 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
pr_list_wr 0 "C:\your.prl"
mode reset

As a bonus, once you enter the correct SPC in QXDM and without rebooting the phone you can use BitPim to read and write the EFS. See screenshot http://forum.gsmhosting.com/vbb/atta...chmentid=23615

By the way, this method has been tested on all the new Kyocera KX1/2/404/440/494/Activ/Energi phones. This is just one solution, so if anyone has any other methods with screenshot proof then step right up and post it here!

In closing, please do not ask or beg me for the JTAG solution because I don't want to spoil the challenge of hacking for everyone. If you can't figure it out and need your phone unlocked, contact me in private.

Good luck,

BillA

p.s. Greetings to Number3, Piloncillo, SVC, and MegaSlava!

Last edited by BillA; 05-24-2005 at 20:04.
05-27-2005, 02:03 | #11 (permalink) |
Junior Member Join Date: Feb 2004 Age: 57
Posts: 23
Member: 55653 Status: Offline Thanks Meter: 1

Need interface JTAG to KX1 Kyocera SOHO, schematic or use... need very information. Information... need writer SPC... need see ESN FFFFFFFF. JTAG interface info need and all in forum.

Thanks

Class_CELL
06-12-2005, 01:40 | #12 (permalink) |
Junior Member Join Date: May 2005 Age: 53
Posts: 6
Member: 148158 Status: Offline Thanks Meter: 0

I tried the method you described, but not so much luck. It doesn't work with KX2 (KOI). The memory cannot be read with UniCDMA. There is always a read error in every range from 0x00000000 to 0xFFFFFFFF. The SPC default code is 000000, and the memory has unknown size. I also tried QPST, but I couldn't find the ESN number anywhere.

Ztree is not a very good program to support hex editing. The best hex edit program is WINHEX for Windows. Edits everything.

Instead of the JTAG I have a USB-to-Kyocera cable which is made by Kyocera, txdta10075, and it works as COM4. Any more ideas are welcomed.