
Unlock the new Kyocera KX1/2/404/494/Energi/Aktiv phones!



Posted by: BillA

Finally unlocked the SPC on KX1/2/404/440/494/Activ/Energi !!!


That's right, started this project on April 20th and now a month later it's finally done! So here we go:

As a refresher, the flash memory and EFS are protected on these phones so you can't use any memory reader or BitPim to read nvm/nvm/nvm_security.
See screenshot http://forum.gsmhosting.com/vbb/att...achmentid=23612
So what can you do?! Spend a month, smoking cartons of cigarettes while peeking and poking the phone's memory until you realize that there's a better way.

First, the magic is using a JTAG interface to change the phone into low-level Test Mode. In this mode the ESN shows up as FFFFFFFF and the memory can be dumped by UniCDMA. See screenshot http://forum.gsmhosting.com/vbb/att...achmentid=23613

Next, using a hex viewer you can search for the following hex string
"00 01 FF FF 01 FF FF 01 FF FF 01" followed by the SPC 514117, FSC 999999, and OTC 111111.
See screenshot http://forum.gsmhosting.com/vbb/att...achmentid=23614

Finally, you can reset the SPC to 000000 and write the PRL of your choice.
In QXDM enter the following commands:
mode offline-d
spc "xxxxxx" (from the memory dump)
nv_write sec_code 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
pr_list_wr 0 "C:\your.prl"
mode reset

As a bonus, once you enter the correct SPC in QXDM and without rebooting the phone you can use BitPim to read and write the EFS.
See screenshot http://forum.gsmhosting.com/vbb/att...achmentid=23615

By the way this method has been tested on all the new Kyocera KX1/2/404/440/494/Activ/Energi phones. This is just one solution, so if anyone has any other methods with screenshot proof then step right up and post it here!

In closing, please do not ask or beg me for the JTAG solution because I don't want to spoil the challenge of hacking for everyone. If you can't figure it out and need your phone unlocked, contact me in private.

Good luck,
Bill A.

p.s. Greetings to Number3, Piloncillo, SVC, and MegaSlava!
p.s. Sorry, the screenshot attachments are big so I had to post them on GSM-Forum.



Posted by: masteruy

The spoken thing.



Posted by: Tsuriro

BillA: Do you think you could help me revive a dead kyo Se47 with JTAG? You seem to know a little more about JTAG than I. Please PM me. Thanks.



Posted by: kyocera

How to change the phone into low-level Test Mode?



Posted by: Tsuriro

BillA, what JTAG software are you using to access the phones and where can I get it? Please respond! Thanks



Posted by: jtc982

Can't see any pics. Says you have to be a member.



Posted by: som1dies2nite

I notice the KX5 wasn't listed, but will it still work?



Posted by: DocsPlace

Can you post your info so that we do not have to sign up on another GSM Mobile Site on Howard Forums?

Thanks
Tom
Docsplace




