Softbank 007SH Unlock FOUND!

**tokyo_dom** · 07-31-2012, 07:40 PM

I wonder if there is a way to set up a paypal account that is totally neutral, which we can all deposit into; and offer it as payment to some of the more knowledgeable hackers on the GSMHosting forum.

This is not just as simple as 'extracting the c functions' as those functions are long gone - compiled into ARM machine code, and quite possibly encrypted as well.

There are 2 possible ways to proceed from here:

1. Find the code that parses the unlock key and work out the algorithm used. Use that in combination with the showing of the Network Unlock panel to remove the SIM lock. This goes along the lines of what Cheeseus posted above - find out how the Docomo's are executing the unlock statement; it is likely Sharp wouldnt change it too much for Softbank

2. Find the code which queries the NV RAM for the network lock status, and modify it to ignore the result. This involves making a change to the radio byte code, which is checked by the ECC bytes that we strip off (10 bytes every 528 byte block, which sort of works like an MD5 checksum - if any bytes are changed, it will fail the checksum and phone will be bricked. UNLESS we can work out how to recalculate the ECC too).

Both of these rely on the fact that we can extract the AMSS, which should START with an .ELF file (.ELF is kind of like a windows .exe file - it is a linux executable format), but it seems the partition table doesnt match what we are seeing in the radio dump

**sweetcutebee** · 08-01-2012, 01:36 AM

Our progress has now back to : 2%

**SuperSZ** · 08-01-2012, 11:44 AM

Originally Posted by sweetcutebee

Our progress has now back to : 2%

if kokos doesn't unlock 007SH anymore, why doesn't he tell us how he did the unlock? (we suppose it's by JTAG but we don't know)

**Shu_Hayate09** · 08-03-2012, 07:03 PM

so how goes the unlocking?

any progress?

there doesnt seem to be anyone left who does unlocking...

**Kyoex** · 08-04-2012, 03:06 AM

hackers aren't offering unlocks anymore for $$$ ? What happened to kokos and a few of the people in China?

**Stereowind** · 08-04-2012, 03:11 AM

Originally Posted by SuperSZ

if kokos doesn't unlock 007SH anymore, why doesn't he tell us how he did the unlock? (we suppose it's by JTAG but we don't know)

I think he's just stopped his worldwide service, because unlock is still available for russians on the russian website.

**kokos** · 08-05-2012, 03:10 AM

Originally Posted by Stereowind

I think he's just stopped his worldwide service, because unlock is still available for russians on the russian website.

I stopped worldwide service, because i have agent in HK who can unlock 003,005,006,007 and all android sharp from Docomo. You can write me to pm and i give to you contacts.

**ubutun** · 08-05-2012, 08:51 AM

Have any one dump the radio image at different situation ?
I think image will be quite different, even after u restart the phone.
So the image could only serve as a referrence.
I don't think the guy, who unlock this phone, knew the radio image when he began his unlocking.

Think about he remote unlock some other docomo's not 007sh.
It is clear that the key would be some files in /system/lib or /system/bin or somewhere else.

In Docom's there is a simunlock.apk, so he can figure it out remotely.
But 007sh, he have to modified some file(s) to unlock it.
That's why he need ur phone.

And as that of docomo's, no file was modified after unlock, he can restore the original files without losing unlock.

**SuperSZ** · 08-05-2012, 02:49 PM

Originally Posted by ubutun

Have any one dump the radio image at different situation ?
I think image will be quite different, even after u restart the phone.
So the image could only serve as a referrence.
I don't think the guy, who unlock this phone, knew the radio image when he began his unlocking.

Think about he remote unlock some other docomo's not 007sh.
It is clear that the key would be some files in /system/lib or /system/bin or somewhere else.

In Docom's there is a simunlock.apk, so he can figure it out remotely.
But 007sh, he have to modified some file(s) to unlock it.
That's why he need ur phone.

And as that of docomo's, no file was modified after unlock, he can restore the original files without losing unlock.

People here managed to modify the phone.apk which will send you to a menu in which you can enter a unlock code. The thing is that nobody knows where to get that code; and supposing you magically manage to get the code, nobody knows if, once introduced, it will unlock the phone (like with no error or problems at all).

If by "the guy who unlock this phone" you mean kokos, indeed, we don't think he knew about the radio thing either. We think he unlocks by JTAG, but we don't know which box he uses (so far, we only know about boxes which support these phones chipsets, but no official compatibility with the phones themselves yet). Either he unlocks by JTAG, or he uses something completly unknown and different (which doesn't involve root)

All I know is that a friend is gonna travel to the US in September. If by then there's no sim-unlock yet, I'm gonna ask him to buy a galaxy s3 for me (because all technology is incredibly overpriced in my country) and I'll see how the f*ck I manage to sell a rare phone which ""doesn't work"" (it does, but must CPR every 20 minutes, so it would be like it doesn't work) at a fair price :/

**ubutun** · 08-05-2012, 06:14 PM

Originally Posted by SuperSZ

People here managed to modify the phone.apk which will send you to a menu in which you can enter a unlock code. The thing is that nobody knows where to get that code; and supposing you magically manage to get the code, nobody knows if, once introduced, it will unlock the phone (like with no error or problems at all).

If by "the guy who unlock this phone" you mean kokos, indeed, we don't think he knew about the radio thing either. We think he unlocks by JTAG, but we don't know which box he uses (so far, we only know about boxes which support these phones chipsets, but no official compatibility with the phones themselves yet). Either he unlocks by JTAG, or he uses something completly unknown and different (which doesn't involve root)

All I know is that a friend is gonna travel to the US in September. If by then there's no sim-unlock yet, I'm gonna ask him to buy a galaxy s3 for me (because all technology is incredibly overpriced in my country) and I'll see how the f*ck I manage to sell a rare phone which ""doesn't work"" (it does, but must CPR every 20 minutes, so it would be like it doesn't work) at a fair price :/

I don't think phone.apk is the key file, the core file might be something like ??ril.??
Whether he unlocks by JTAG, i don't know, but if he does, japanes guys should have unlock it already!
And as we know, he unlock it after a way to full root had been post, made things clear.
He cannot unlock 104sh from softbank, yet.
Why ?
Cos japanese Guys don't want to share the way to root softbank's any more.
Why they share ways to root the newest sharp phone of docomo, but not 104sh ?
It is quit intresting. But it can be understood. Did'nt it ?

Just a little my opnion.

**sweetcutebee** · 08-05-2012, 08:35 PM

I am going to give up.
What we can do is to pray the guy(who did know to unlock) can share or telling us some tips.
Thank you tokyo_dom , napans . You two did a lot on this. I just pm you two for my personal e-mail.

At last, thank you all and howardfourms.
I *might* be somewhere on others forum.

**Shu_Hayate09** · 08-06-2012, 03:16 AM

oh no, you guys are giving up? lol oh well, i know u guys gave it a great try

i was waiting to see how everything went with you guys.

but now that you guys give up, im sending my phone to get unlocked today !

thx guys!

**m1lk** · 08-06-2012, 04:04 AM

dont know why u guys complain about cpr.

i got a 2010 bbsim, and if i dont get signal back at a deadzone i just goto the secret menu, turn the radio off, then turn it on. done. i also have it set to GSM auto prn.

if you have to carry two phones with you, a japanese phone, and a cpr phone, then its not worth it.

function > form. and this phone is both, especially with the simunlock. i will have this sent out,

**cheeseus** · 08-06-2012, 04:24 AM

On Docomo phones, the "secret" code you dial to call the Network Depersonalization Panel calls SHSimControlApp.apk, which in turn calls different files on the different Docomo models. For example, on the SH-01D, it calls the CB400SF file, on the SH-12C, it calls libJniSHSimControlApp.so and libshsimcontrol.so.

LGTool are improving their direct unlock services for supported phones (Docomo). Hopefully, soon they will turn to SoftBank as well.

I tried the LGTool a couple of days ago at my friend's office (with my SH-01D) - it is SO QUICK a procedure, takes less than 30 seconds to read the unlock code.

**Disastorm** · 08-06-2012, 05:27 AM

Originally Posted by m1lk

dont know why u guys complain about cpr.

i got a 2010 bbsim, and if i dont get signal back at a deadzone i just goto the secret menu, turn the radio off, then turn it on. done. i also have it set to GSM auto prn.

if you have to carry two phones with you, a japanese phone, and a cpr phone, then its not worth it.

function > form. and this phone is both, especially with the simunlock. i will have this sent out,

What is the secret menu? Does it work on 003/005/007SH?