Discuss [Baseband][3G] 1.45.00 bootloader 5.8 full dumped ! at the Hardware Unlock - Hackint0sh.org; Hi all !
I've dumped full bb of the white 16G 3G, hoping it will ...

Originally Posted by
XianLi
Hey Ta, it's been a long time !
Very nice job and help for the community !

I'm still around here bro, haha, just hoping something simple like this will be found out

Originally Posted by
Dev Team Wiki Simple Unlock
From the S-Gold's perspective, here are the fundamentals of unlocking basebands. A simple byte sequence search combined with a neutered baseband are all you need. (The s5l8900 CPU imposes other restrictions beyond this discussion.)
The secpack is at ICE*.fls offset 0x1a4 (0x800 bytes long)
The baseband is at ICE*.fls offset 0x209a4
The baseband length is at ICE*.fls offset 0x20 (subtract 0x20000)
Due to gray's initial RCE of the baseband, and combined with a neutered bootloader, unlocking recent and future basebands has been reduced to a simple byte search.
Search for the byte sequence “ff 90 a0 e3 ff 00 00 e2 02 00 50 e3” in the baseband. You should find just one such sequence, and the next four bytes will be “02 00 00 1a”. Change these four bytes to all zeros to unlock your baseband.
Firmware     Baseband  fls offset
1.1.3        4.03.13   0x9a4+0x238150 = 0x238af4 (2329332)
1.1.4        4.04.05   0x9a4+0x2395cc = 0x239f70 (2334576)
2.0 beta1    4.05.00   0x9a4+0x239884 = 0x23a228 (2335272)
2.0 beta2    4.05.01   0x9a4+0x238f38 = 0x2398dc (2332892)
2.0 beta3    4.05.01   0x9a4+0x238f38 = 0x2398dc (2332892)
2.0 beta4    4.05.02   0x9a4+0x239194 = 0x239b38 (2333496)
2.0 beta5    4.05.03   0x9a4+0x23925c = 0x239c00 (2333696)
2.0 beta6    4.05.04   0x9a4+0x23925c = 0x239c00 (2333696)
2.0 beta7    4.05.04   0x9a4+0x23925c = 0x239c00 (2333696)
2.0 beta8    4.05.04   0x9a4+0x23925c = 0x239c00 (2333696)
2.0 release  4.05.04   0x9a4+0x23925c = 0x239c00 (2333696)
If you have a neutered bootloader, the following patches achieve the anySIM unlock. Just patch the .fls and feed both the .fls and .eep to the bbupdater that gets installed in /Applications/BootNeuter.app/bin by the Dev Team IPSW Builder.
dd if=/dev/zero of=ICE04.03.13_G.fls bs=1 seek=2329332 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.04.05_G.fls bs=1 seek=2334576 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.00_G.fls bs=1 seek=2335272 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.01_G.fls bs=1 seek=2332892 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.02_G.fls bs=1 seek=2333496 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.03_G.fls bs=1 seek=2333696 count=4 conv=notrunc
dd if=/dev/zero of=ICE04.05.04_G.fls bs=1 seek=2333696 count=4 conv=notrunc
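
An integrity check for the layout in the quoted wiki text above, as an added example that is not part of the original post or any Dev Team code: it reports whether the four bytes after the marker in an image are stock or zeroed, and whether they sit at the offset the table lists. The marker, branch bytes and offsets come from the post; the function names and the constructed sample image are assumptions.

```python
"""Classify the four bytes after the marker in an ICE*.fls image (added example)."""
# Marker and original branch bytes, both quoted from the post above.
MARKER = bytes.fromhex("ff90a0e3ff0000e2020050e3")
STOCK = bytes.fromhex("0200001a")
ZEROED = bytes(4)
# Baseband version -> .fls offset of the four bytes, from the post's table.
KNOWN_OFFSETS = {
    "4.03.13": 2329332, "4.04.05": 2334576, "4.05.00": 2335272, "4.05.01": 2332892,
    "4.05.02": 2333496, "4.05.03": 2333696, "4.05.04": 2333696,
}

def find_all(data, needle):
    """Return every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

def classify(image, version=None):
    """Return (state, offset); offset is None when the marker is not unique."""
    hits = find_all(image, MARKER)
    if len(hits) != 1:                      # the post expects exactly one match
        return ("ambiguous", None)
    off = hits[0] + len(MARKER)
    word = image[off:off + 4]
    if len(word) < 4:                       # image ends inside the branch word
        return ("truncated", off)
    if version in KNOWN_OFFSETS and KNOWN_OFFSETS[version] != off:
        return ("offset-mismatch", off)     # marker is not where the table says
    if word == STOCK:
        return ("stock", off)
    if word == ZEROED:
        return ("patched", off)
    return ("unknown", off)

def make_sample(offset, word):
    """Constructed test image: zero fill, the marker, then the given four bytes."""
    img = bytearray(offset + 8)
    img[offset - len(MARKER):offset] = MARKER
    img[offset:offset + 4] = word
    return bytes(img)

if __name__ == "__main__":
    off = KNOWN_OFFSETS["4.03.13"]
    for word in (STOCK, ZEROED):
        print(classify(make_sample(off, word), "4.03.13"))
```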
-
Thanks, great job. You have perfect hardware skills.
-
Hey bro
Nice work done, respectable hardware skills.
-
Hi,
Great job! Can you please post a hi-res picture of the cleaned PCB? Is any of the flash bus exposed, or is it all routed in the internal layer?
BR
-
What I was waiting for.
As always, job well done
Cheers, GSMVN