Finding SIMLock algorithm from IMEIs and valid unlock codes - GSM-Forum

iVMX · 02-02-2012, 13:57

Hi there.

I have a series of Huawei USB dongles (new models, NOT unlockable for free), and a set of unlock codes which are all valid (I already unlocked many of them).

I was wondering... considering that I have a decent amount of IMEI/LockCode pairs (20+), would it be possible to somehow find out the underlying algorithm that generates the unlock codes from the IMEIs?

How would I go about doing that? Is there any particular software that could "compare" the list of IMEIs with the list of unlock codes and look for patterns or something?

Just a thought of course. I might as well be completely wrong.

Thanks.

fr3nsis · 02-02-2012, 14:31

Quote:

Originally Posted by iVMX

Hi there.

I have a series of Huawei USB dongles (new models, NOT unlockable for free), and a set of unlock codes which are all valid (I already unlocked many of them).

I was wondering... considering that I have a decent amount of IMEI/LockCode pairs (20+), would it be possible to somehow find out the underlying algorithm that generates the unlock codes from the IMEIs?

How would I go about doing that? Is there any particular software that could "compare" the list of IMEIs with the list of unlock codes and look for patterns or something?

Just a thought of course. I might as well be completely wrong.

Thanks.

start to post them here

which modems are? firmwares customized or new models like e367,e353...?

iVMX · 02-02-2012, 15:17

I'd love to, but unfortunately there are important security reasons that prevent me from posting the IMEIs here.

Of course I wouldn't mind sharing the algorithm if I found it, but I just can't share the specific IMEIs.

Oh, btw, they are a bunch of super sweet Vodafone K4605 Dual Carrier devices (Huawei E372).

If any of you can point me in the right direction to try and crack the codes myself I'll be glad to try. Otherwise... I think we'll have to wait :/

latigido922 · 02-02-2012, 18:15

Quote:

Originally Posted by iVMX

I'd love to, but unfortunately there are important security reasons that prevent me from posting the IMEIs here.

Of course I wouldn't mind sharing the algorithm if I found it, but I just can't share the specific IMEIs.

Oh, btw, they are a bunch of super sweet Vodafone K4605 Dual Carrier devices (Huawei E372).

If any of you can point me in the right direction to try and crack the codes myself I'll be glad to try. Otherwise... I think we'll have to wait :/

All you need is: "hwideadatacard"

Erdman · 02-02-2012, 19:13

"hwideadatacard" its new constant value for new model ? Any other change for algo ?

fr3nsis · 02-02-2012, 19:46

Quote:

Originally Posted by latigido922

All you need is: "hwideadatacard"

you are wrong my friend

imei 356793040863318 , *** code sniffed from dc-unlocker 16507861
hwidea... code 58058755

iVMX · 02-03-2012, 09:01

I'm gonna need a little bit more help... I'm a noob when it comes to this stuff. Where should I be looking? Some software that reads stuff from the device... hex editor...?

Oh... did I mention the K4605 is dual carrier? 42mbps anyone?

Spoochy · 02-07-2012, 04:33

Quote:

Originally Posted by boucettay

U like try, research, maths, and perhaps No result

take this

---- nck ----------- imei ------------- nck --------- imei --------
688950000000 000000000000000 668950000010 000000000000010
488950000001 000000000000001 686950000100 000000000000100
288950000004 000000000000002 688750001000 000000000001000
088950000009 000000000000003 688930010000 000000000010000
888950000006 000000000000004 688958100000 000000000100000
688950000005 000000000000005 688951800000 000000001000000
488950000006 000000000000006 688960080000 000000010000000
288950000009 000000000000007 688050008000 000000100000000
088950000004 000000000000008 689950000800 000001000000000
888950000001 000000000000009 698950000080 000010000000000
688950000000 111111111111111 788950000008 000100000000000
022394444444 222222222222222 688950000000 001000000000000
800172222222 333333333333333 688950000000 010000000000000
022394444444 444444444444444 688950000000 100000000000000
688950000000 555555555555555 446536868686 101010101010101
688950000000 666666666666666 264718686868 010101010101010
022394444444 777777777777777 622954400440 110011001100110
800172222222 888888888888888 088390044004 001100110011001
022394444444 999999999999999 022350008888 111111100000000

WBR

Many more examples if you crawle this category..

**.:hack3r2k:.** · 02-09-2012, 08:48

Quote:

Originally Posted by fr3nsis

you are wrong my friend

imei 356793040863318 , *** code sniffed from dc-unlocker 16507861
hwidea... code 58058755

Why you dont dump the bloody nand by jtag, extract elf, load in ida and start digging. Much faster and usefull then loosing time arround

Br

fr3nsis · 02-09-2012, 08:58

Quote:

Originally Posted by .:hack3r2k:.

Why you dont dump the bloody nand by jtag, extract elf, load in ida and start digging. Much faster and usefull then loosing time arround

Br

modem wasn't mine and customer won't lost warranty
anyway i have extracted elf from firmware update , i'm reading it

Erdman · 03-06-2012, 16:59

Flash code algo for new modem its the same ! Ani news for unlock code ?

DarkManDZ · 03-21-2012, 04:42

Quote:

Originally Posted by .:hack3r2k:.

Why you dont dump the bloody nand by jtag, extract elf, load in ida and start digging. Much faster and usefull then loosing time arround

Br

how to extract elf and with which tool???

[Shadab_M] · 03-21-2012, 11:51

Quote:

Originally Posted by DarkManDZ

how to extract elf and with which tool???

You can use RIFF.

Read DUMP and Load in Qualcomm Dump Analysis Tool (Addon in RIFF).

Br,
Shadab Ahmad

**TestBox2** · 03-23-2012, 04:40

Quote:

Originally Posted by fr3nsis

you are wrong my friend

imei 356793040863318 , *** code sniffed from dc-unlocker 16507861
hwidea... code 58058755

All simple :-)

// old-modems calc nck algo
Function h_nck(imei: string; password: string='hwe620datacard'):string;
var
digest : TMD5DigestX;
nck: dword;
_hash:string;
Revers:LongWord;
begin

TMD5Digest(digest):=md5stringa(password);
For Revers:=4 To 11 Do imei:=imei + LowerCase(IntToHex(Digest.v[Revers],2));
TMD5Digest(digest):=md5stringa(imei);

SetLength(_hash,32); BinToHex(@Digest,@_hash[1],16);
form1.memo1.Lines.add('Hash code: '+LowerCase(_hash));

For Revers:=0 To 3 Do Nck:=(Nck SHL 8) OR (Digest.v[Revers] XOR
Digest.v[Revers+4] XOR Digest.v[Revers+12] XOR Digest.v[Revers+8]);
Nck:=(Nck AND $1FFFFFF) OR $2000000; result:=(inttostr(Nck));

end;

dzunlocker · 03-23-2012, 10:55

Quote:

Originally Posted by DarkManDZ

how to extract elf and with which tool???

Hi
For playing with J-tag dump you can use "revskills", other softwares...Ort dump analyser etc ... you can also extract it manually.

hints : Hex editor + the Partition Table + '.ELF' magic
...

Regards

02-02-2012, 13:57	#1 (permalink)
iVMX Junior Member Join Date: Feb 2012 Posts: 3 Member: 1717812 Status: Offline Thanks: 0 Thanked 0 Times in 0 Posts	Finding SIMLock algorithm from IMEIs and valid unlock codes Hi there. I have a series of Huawei USB dongles (new models, NOT unlockable for free), and a set of unlock codes which are all valid (I already unlocked many of them). I was wondering... considering that I have a decent amount of IMEI/LockCode pairs (20+), would it be possible to somehow find out the underlying algorithm that generates the unlock codes from the IMEIs? How would I go about doing that? Is there any particular software that could "compare" the list of IMEIs with the list of unlock codes and look for patterns or something? Just a thought of course. I might as well be completely wrong. Thanks.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
thread	Thread Starter	Forum	Replies	Last Post
Unlocking 5190	Ryu	Nokia Legacy Phones ( DCT-1 , DCT-2 , DCT-3 , DCT-L )	23	09-16-2012 23:57
Help: Forgot my 6110 user lock code!!	GByte9	Nokia Legacy Phones ( DCT-1 , DCT-2 , DCT-3 , DCT-L )	5	05-10-2012 14:14
IR between 6150 and IBM TP 600	favdijck	Nokia Legacy Phones ( DCT-1 , DCT-2 , DCT-3 , DCT-L )	3	11-15-2011 12:08
wt603 and .pkd	ARt	Nokia Legacy Phones ( DCT-1 , DCT-2 , DCT-3 , DCT-L )	0	06-13-1999 19:18
Copy from one 6110 to another	Leif Nielsen	Nokia Legacy Phones ( DCT-1 , DCT-2 , DCT-3 , DCT-L )	1	06-10-1999 22:36

02-02-2012, 15:17	#3 (permalink)
iVMX Junior Member Join Date: Feb 2012 Posts: 3 Member: 1717812 Status: Offline Thanks: 0 Thanked 0 Times in 0 Posts	I'd love to, but unfortunately there are important security reasons that prevent me from posting the IMEIs here. Of course I wouldn't mind sharing the algorithm if I found it, but I just can't share the specific IMEIs. Oh, btw, they are a bunch of super sweet Vodafone K4605 Dual Carrier devices (Huawei E372). If any of you can point me in the right direction to try and crack the codes myself I'll be glad to try. Otherwise... I think we'll have to wait :/

02-02-2012, 19:13	#5 (permalink)
Erdman Insane Poster Join Date: Jan 2003 Location: Romania Age: 36 Posts: 61 Member: 20066 Status: Online Thanks: 3 Thanked 21 Times in 16 Posts	"hwideadatacard" its new constant value for new model ? Any other change for algo ?

02-03-2012, 09:01	#7 (permalink)
iVMX Junior Member Join Date: Feb 2012 Posts: 3 Member: 1717812 Status: Offline Thanks: 0 Thanked 0 Times in 0 Posts	I'm gonna need a little bit more help... I'm a noob when it comes to this stuff. Where should I be looking? Some software that reads stuff from the device... hex editor...? Oh... did I mention the K4605 is dual carrier? 42mbps anyone?

03-06-2012, 16:59	#11 (permalink)
Erdman Insane Poster Join Date: Jan 2003 Location: Romania Age: 36 Posts: 61 Member: 20066 Status: Online Thanks: 3 Thanked 21 Times in 16 Posts	Flash code algo for new modem its the same ! Ani news for unlock code ?