Unlock any PM308 write protected SL2 using RPL: possible?

[moulnisky]

Spent last night doing experiments about RPL.
Reading the logs of Genie RPL generator to solve the SP corrupted data I saw the RPL generate by their server are in this structure..

CERT_PROG_DATA_OUT_CMT]
SIMLOCK_DATA_1=8D15652AF81FAD349B84440CEAAD97D8DD1 7601F0000000000000000244070000000000000180700
SIMLOCK_DATA_2=000000000050000005FFFFFF00B4000005F FFFFF0118000005FFFFFF017C000005FFFFFF01E00000
SIMLOCK_DATA_3=05FFFFFF0244000005FFFFFF02A8000005F FFFFF000000007FFF6F07FFFFFFFFF800030C03000503
SIMLOCK_DATA_4=000000007FFF6F3EFFFFFFFFC000030F020 00103000000007FFF6F3FFFFFFFFFC000031102000103
SIMLOCK_DATA_5=000000007FFF6F07FFFFFFFF07FE0313080 00503000000007FFF6F07FFFFFFFF07FE031B08000503
SIMLOCK_DATA_6=000000007FFF6F07FFFFFFFFF8000323030 00503000000007FFF6F3EFFFFFFFFC000032602000103
SIMLOCK_DATA_7=000000007FFF6F3FFFFFFFFFC0000328020 00103000000007FFF6F07FFFFFFFF07FE032A08000503
SIMLOCK_DATA_8=000000007FFF6F07FFFFFFFF07FE0332080 00503000000007FFF6F07FFFFFFFFF800033A03000503
SIMLOCK_DATA_9=000000007FFF6F3EFFFFFFFFC000033D020 00103000000007FFF6F3FFFFFFFFFC000033F02000103
SIMLOCK_DATA_10=000000007FFF6F07FFFFFFFF07FE034108 000503000000007FFF6F07FFFFFFFF07FE034908000503
SIMLOCK_DATA_11=000000007FFF6F07FFFFFFFFF800035103 000503000000007FFF6F3EFFFFFFFFC000035402000103
SIMLOCK_DATA_12=000000007FFF6F3FFFFFFFFFC000035602 000103000000007FFF6F07FFFFFFFF07FE035808000503
SIMLOCK_DATA_13=000000007FFF6F07FFFFFFFF07FE036008 000503000000003F007F206F07FFFFF800036803000503
SIMLOCK_DATA_14=000000003F007F206F3EFFFFC000036B02 000103000000003F007F206F3FFFFFC000036D02000103
SIMLOCK_DATA_15=000000003F007F206F07FFFF07FE036F08 000503000000003F007F206F07FFFF07FE037708000503
SIMLOCK_DATA_16=000000003F007F206F07FFFFF800037F03 000503000000003F007F206F3EFFFFC000038202000103
SIMLOCK_DATA_17=000000003F007F206F3FFFFFC000038402 000103000000003F007F206F07FFFF07FE038608000503
SIMLOCK_DATA_18=000000003F007F206F07FFFF07FE038E08 000503000000003F007F206F07FFFFF800039603000503
SIMLOCK_DATA_19=000000003F007F206F3EFFFFC000039902 000103000000003F007F206F3FFFFFC000039B02000103
SIMLOCK_DATA_20=000000003F007F206F07FFFF07FE039D08 000503000000003F007F206F07FFFF07FE03A508000503
SIMLOCK_DATA_21=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
SIMLOCK_DATA_22=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
SIMLOCK_DATA_23=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
SIMLOCK_DATA_24=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
SIMLOCK_DATA_25=FFFFFFFF
SIMLOCK_KEY_DATA_1=BFD40CB1E072BBF403BF77BB5BD50374461E725A0ACAB74315 ACB0EE116D7015883EF239C8C06DC4
SIMLOCK_KEY_DATA_2=0E4F95D145B267B3411D1C8DD154FDE7683328135F908012B3 4FD914ADC2986318F06A036CB21D03
SIMLOCK_KEY_DATA_3=B1AA4DA5023E3E2A8EE4F102467321416E8ED560


The first part (SIMLOCK_DATA_1 to 25) is always the same.. (is just a PM120 field 0 unlocked with provvider key 24407)
The second part (SIMLOCK_KEY_DATA_1 to 3) is just the fields 1 and 2 of the mobile field 120

[120]
0=800000000000000000101000000000000018010000000000 0020000001FFFFFF000000007FFF6F07FFFFFFFFF800003403 00050300101FFF
1=BFD40CB1E072BBF403BF77BB5BD50374461E725A0ACAB74315 ACB0EE116D7015883EF239C8C06DC40E4F95D145B267B3411D1C8DD154FDE7683328135F908012B3 4FD914ADC2986318F06A036CB21D03
2=B1AA4DA5023E3E2A8EE4F102467321416E8ED560

Considering today all the boxes can read a PM120 and can write an RPL using this 2 informations create an RPL like this is an easy job.
We can write an RPL in all the rapido SL2 phone without problem included in those which have the PM308 write protected.
The rpl in this structure, generate by the Genie universal server, once written in the mobile give the mobile unlocked!
So, if we create, as sample, for a nokia 5800, reading the PM120 in it, an RPL like this and we write it in the mobile will be it unlocked?

Tests and logs will follow shortly..

BR

Alex

[RedBlackPT]

Is possible................but at the moment i dont have any phone to try..

[JAVA Good]

hello mister moulnisky

because I'am verry bad in english, I need some reply from you and help you.

this RPL file is generated by Genie clip for unlock phone, can you tell me for wich phone pls ?

if I good understand, all the box, for unlock a BB5 SL2, read the field 120 and 308, generate a RPL and write it ?, I tell this because on some phone the 308 is protected, I think N96, 5800.

I have an experience on a RM-320 N95 8GB :
some one of my friend unlock this phone, and put it in Contact Reteiler, I find the original full pm and compair,
after read the PM of phone, I see this :
1) on PM 120 they have only first line changed : 0 = xxxxxxx101
2) but about field 308 it's all changed

I just change the first line of PM120 and all field 308, and phone is ok, SO after this I can understand the phone change 120 and 308 for unlocking.

but I have a small question if you know, what is the best RPL backup, because on some RPL backup files the name is for exemple :

356XXXXXXXXXXX_CRT_backup_718286, and inside this file I have this line :
[CERT_PROG_DATA_OUT_CMT]

and some time I have too this :
[CERT_PROG_DATA_OUT_APE]

but I am some confused, with a same phone I don't have all the time the same size of RPL backup, so I 'am not sure if I have a good backup.

Best Regards,
JAVA Good.

[CooLer55555]

but how to create this 3 lines?

[JAVA Good]

if you speack about 3 line of field 120, it's specific for the phone, you can't create it and if you write a field 120 of other phone you lose this 3 line and sure need an RPL files for repair this,

but about the first line in field 120 like 0 = 8xxxxxxxxxxxxxx101 or 0= 00000000000028001 this line can be maded with JAU software.

and about field 308, this is an other world, I just know on SL2 phone the line 0 of field 120 and all field 308 is changed.

Best Regards,
JAVA Good.

[free1600]

some one tested ?

br,
free1600

[toutou_gsm]

i think its a good idea may be a good solution for sl2 phones


b.r toutou_gsm

[CooLer55555]

Quote:

Originally Posted by free1600

some one tested ?

br,
free1600

no. but i will test it today on a n96

[JAVA Good]

after unlocking :

- the first line of field 120 changed,

- and all line of 308 is changed, just some line in the end of this fiel it's only 0000000000, and this don't change, but for exemple with my exemple I find 2 big 0000000 line.

- and I haven't a good software and easy to use for compaire PM, but I see a small modification on all field, but I think this is not importante, because all peopel tell you can write a good PM on phone, so this other field is universal for the same phone model.

I share the Full locked PM and Full unlocked PM of a RM-320 if some one need compaire.

Best Regards,
JAVA Good.

[gr8ice]

Quote:

Originally Posted by moulnisky

Spent last night doing experiments about RPL.
Reading the logs of Genie RPL generator to solve the SP corrupted data I saw the RPL generate by their server are in this structure..

CERT_PROG_DATA_OUT_CMT]
SIMLOCK_DATA_1=8D15652AF81FAD349B84440CEAAD97D8DD1 7601F0000000000000000244070000000000000180700
SIMLOCK_DATA_2=000000000050000005FFFFFF00B4000005F FFFFF0118000005FFFFFF017C000005FFFFFF01E00000
SIMLOCK_DATA_3=05FFFFFF0244000005FFFFFF02A8000005F FFFFF000000007FFF6F07FFFFFFFFF800030C03000503
SIMLOCK_DATA_4=000000007FFF6F3EFFFFFFFFC000030F020 00103000000007FFF6F3FFFFFFFFFC000031102000103
SIMLOCK_DATA_5=000000007FFF6F07FFFFFFFF07FE0313080 00503000000007FFF6F07FFFFFFFF07FE031B08000503
SIMLOCK_DATA_6=000000007FFF6F07FFFFFFFFF8000323030 00503000000007FFF6F3EFFFFFFFFC000032602000103
SIMLOCK_DATA_7=000000007FFF6F3FFFFFFFFFC0000328020 00103000000007FFF6F07FFFFFFFF07FE032A08000503
SIMLOCK_DATA_8=000000007FFF6F07FFFFFFFF07FE0332080 00503000000007FFF6F07FFFFFFFFF800033A03000503
SIMLOCK_DATA_9=000000007FFF6F3EFFFFFFFFC000033D020 00103000000007FFF6F3FFFFFFFFFC000033F02000103
SIMLOCK_DATA_10=000000007FFF6F07FFFFFFFF07FE034108 000503000000007FFF6F07FFFFFFFF07FE034908000503
SIMLOCK_DATA_11=000000007FFF6F07FFFFFFFFF800035103 000503000000007FFF6F3EFFFFFFFFC000035402000103
SIMLOCK_DATA_12=000000007FFF6F3FFFFFFFFFC000035602 000103000000007FFF6F07FFFFFFFF07FE035808000503
SIMLOCK_DATA_13=000000007FFF6F07FFFFFFFF07FE036008 000503000000003F007F206F07FFFFF800036803000503
SIMLOCK_DATA_14=000000003F007F206F3EFFFFC000036B02 000103000000003F007F206F3FFFFFC000036D02000103
SIMLOCK_DATA_15=000000003F007F206F07FFFF07FE036F08 000503000000003F007F206F07FFFF07FE037708000503
SIMLOCK_DATA_16=000000003F007F206F07FFFFF800037F03 000503000000003F007F206F3EFFFFC000038202000103
SIMLOCK_DATA_17=000000003F007F206F3FFFFFC000038402 000103000000003F007F206F07FFFF07FE038608000503
SIMLOCK_DATA_18=000000003F007F206F07FFFF07FE038E08 000503000000003F007F206F07FFFFF800039603000503
SIMLOCK_DATA_19=000000003F007F206F3EFFFFC000039902 000103000000003F007F206F3FFFFFC000039B02000103
SIMLOCK_DATA_20=000000003F007F206F07FFFF07FE039D08 000503000000003F007F206F07FFFF07FE03A508000503
SIMLOCK_DATA_21=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
SIMLOCK_DATA_22=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
SIMLOCK_DATA_23=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
SIMLOCK_DATA_24=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
SIMLOCK_DATA_25=FFFFFFFF
SIMLOCK_KEY_DATA_1=BFD40CB1E072BBF403BF77BB5BD50374461E725A0ACAB74315 ACB0EE116D7015883EF239C8C06DC4
SIMLOCK_KEY_DATA_2=0E4F95D145B267B3411D1C8DD154FDE7683328135F908012B3 4FD914ADC2986318F06A036CB21D03
SIMLOCK_KEY_DATA_3=B1AA4DA5023E3E2A8EE4F102467321416E8ED560


The first part (SIMLOCK_DATA_1 to 25) is always the same.. (is just a PM120 field 0 unlocked with provvider key 24407)
The second part (SIMLOCK_KEY_DATA_1 to 3) is just the fields 1 and 2 of the mobile field 120

[120]
0=800000000000000000101000000000000018010000000000 0020000001FFFFFF000000007FFF6F07FFFFFFFFF800003403 00050300101FFF
1=BFD40CB1E072BBF403BF77BB5BD50374461E725A0ACAB74315 ACB0EE116D7015883EF239C8C06DC40E4F95D145B267B3411D1C8DD154FDE7683328135F908012B3 4FD914ADC2986318F06A036CB21D03
2=B1AA4DA5023E3E2A8EE4F102467321416E8ED560

Considering today all the boxes can read a PM120 and can write an RPL using this 2 informations create an RPL like this is an easy job.
We can write an RPL in all the rapido SL2 phone without problem included in those which have the PM308 write protected.
The rpl in this structure, generate by the Genie universal server, once written in the mobile give the mobile unlocked!
So, if we create, as sample, for a nokia 5800, reading the PM120 in it, an RPL like this and we write it in the mobile will be it unlocked?

Tests and logs will follow shortly..

BR

Alex

You mean if we write like above lines in a manner in Notepad (Simlosk data 1..2....3...........4.....5 etc.)
and SIMLOCK_KEY_DATA_1 edit with field 120
AND SAVE IN NOTEPAD.........................THEN it is a your phones RPL ...
Are you sure that this way we calculate RPL.............

[moulnisky]

Is an old Idea I had 3 months ago which i gave to the software developers (I'm not one of them).
The idea been used in different ways by some Coders (SP area rebuild or 9dd unlock).
I just used the idea to make my own "sp_area rebuild system" which i use in my workshop.
Obviously what you can read in my original post (early june) was really an early stage.. lot of studies and work been done afterward.

BR

Alex

[JAVA Good]

hello all,

@gr8ice

use search button man, and don't put a same message in like this thread pls.

Best Regards,
JAVA Good.

[CooLer55555]

so, i taked my unlocked n96 and writed only the simlock key data from the locked phone to the phone and now it is locked and have no problems. so i think it is also possible to unlock a phone.

[moulnisky]

I think too.. we made some tests abut with oOXTCOo in that period but been stopped has he was busy with the JAU project (A really great tool) and I got busy with family situations so the idea been used only in part.
If I rebrush up it again I will post here the updates

BR

Alex

[oOXTCOo]

Quote:

Originally Posted by moulnisky

I think too.. we made some tests abut with oOXTCOo in that period but been stopped has he was busy with the JAU project (A really great tool) and I got busy with family situations so the idea been used only in part.
If I rebrush up it again I will post here the updates

BR

Alex

yes i researched it!

if simlockkeys okay, you can write your own rpl per hand and write this simlock rpl, this repairs pm308 also.

but this is mostly useless cause pm308 is mostly not demaged, mostly user overwrite the simlockkeys, and if user not overwrite the simlockeys it can repaired just by J.A.U with rebuild pm120 subblock 0.

you can only write another simlock table (locked or unlocked, number of blocks, provider... all can be changed) but this need recalculated simlockkeys for the new simlocktable.

thats the problem and thats the reason way i have stopped researching this... i have a idea how to calculate this simlockkeys, but for this i need someone with very good asm skills...