Dumping flash from HTC Desire 510


    #81
    Re: Dumping flash from HTC Desire 510

    simlock code generator is common.



      #82
      Re: Dumping flash from HTC Desire 510

      Originally posted by stj:
      simlock code generator is common.
      Someone gave me a Sprint HTC Evo 4G, which is a CDMA phone I believe. There's no SIM Slot. Carrier unlocking that thing doesn't seem to be simple. I've unlocked the bootloader and turned the security bit off so it shows S-Off. There's a SIMLOCK function under HBOOT and I've generated the Config.dat file, but it always hangs at the Wait for AMSS Ready. If I hit the power button, then it complains about something not being a key-card.

      I'm doing some research on it, but I'd love to unlock it so I could put that on the Straight Talk network. I think it might involve putting a different firmware on it, like one that was made for a Straight Talk HTC Evo 4G.
      -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



        #83
        Re: Dumping flash from HTC Desire 510

        have you opened it?
        we have not used that technology in Europe for 20 years.
        i would be curious if it has a sim hidden deep inside.
        on the older phones the IMSI/IMEI had to be changed with custom software to one supplied by the carrier.



          #84
          Re: Dumping flash from HTC Desire 510

          ^ Haven't seen integrated SIMs in the Western US for about 5 years now. My old Huawei Ascend M865 had an integrated SIM. Wish it had the option for a SIM card, but that's the European version that has one... Man did that thing fly with a 2x overclock! Android 2.3.3 running on a 600 MHz CPU clocked at 1.2 GHz! Most extreme OC I ever did.... I miss that thing...
          Last edited by goontron; 07-06-2017, 08:36 PM.
          Things I've fixed: anything from semis to crappy Chinese $2 radios, and now an IoT Dildo....

          "Dude, this is Wyoming, i hopped on and sent 'er. No fucking around." -- Me

          Excuse me while i do something dangerous


          You must have a sad, sad boring life if you hate on people harmlessly enjoying life with an animal costume.

          Sometimes you need to break shit to fix it.... Thats why my lawnmower doesn't have a deadman switch or engine brake anymore

          Follow the white rabbit.



            #85
            Re: Dumping flash from HTC Desire 510

            only thing i miss about the analog phones was the motorola trick where you short 2 of the pins on the battery connector with a thin wire and long-hold "*" to activate a hidden mode that turned it into an open radio where you could step through the channels and listen to everyone!!!



              #86
              Re: Dumping flash from HTC Desire 510

              Originally posted by stj:
              have you opened it?
              we have not used that technology in Europe for 20 years.
              i would be curious if it has a sim hidden deep inside.
              on the older phones the IMSI/IMEI had to be changed with custom software to one supplied by the carrier.
              We replaced a cracked screen on it. It was his first smart phone and paid us to repair the broken LCD screen / glass. Afterwards, he tried putting it on the Straight Talk network and couldn't, so he just gave it to us. For fun, I was going to see if I could put it on the Straight Talk network. I believe it's a 4G phone. There is no SIM. I think I can just take it to StraightTalkBYOP.com and enter the info and they can put it on their network, because they use Sprint Towers, among other towers (AT&T and even Verizon I think).

              I don't think changing the IMEI would be hard. I think maybe something called the MEID might need to be changed though, I dunno. I think it involves getting a CDMA donor phone that goes on Straight Talk and copying the MEID over. Essentially, you clone the phone.

              It's been a great learning experience though and I've had fun playing with it, despite it being an older phone.


                #87
                Re: Dumping flash from HTC Desire 510

                My friend had this cheap TracFone (I think) that broke. He could add minutes, but couldn't make any phone calls and couldn't receive them, but what was cool, he could send an unlimited number of text messages and the minutes would never go down.

                I wanted to buy it off of him to have almost free texts for life. You'd still have to put minutes on it every once in a while to keep it active, but they had this card that cost like $20 and it'd keep the phone active for a year, without needing to put minutes on it. He ended up calling TracFone (or whoever) and they sent him a free mailing label, he sent it in, they sent him a replacement.


                  #88
                  Re: Dumping flash from HTC Desire 510

                  there was a GSM phone you could do that with by putting a PIC chip in it to constantly re-write the remaining credit into the phone's EEPROM.

                  they didn't make that mistake again!!



                    #89
                    Re: Dumping flash from HTC Desire 510

                    So a little update with the hacking of the HTC Desire 510. We bought a MicroUSB to USB OTG cable from BestBuy. I wanted to reprogram one of these Teensy boards I had and make it into a pin generator for cells, even though I wasn't expecting it to work with the Desire 510.

                    I plug the cable into the 510 and then I plug a USB keyboard into it, just for shits and giggles, and I can type the PIN with the USB keyboard. So I'm pretty certain I can program one of these Teensy boards. When I was looking for an adapter in the basement, I found two other ones. A Teensy 2.0 and a Teensy 3.6. I think I'll try with the Teensy 2.0.

                    I'm pretty sure it won't be hard to write the program to send the 4 digit pins and then pause 30 seconds after 5 attempts....but I'm not sure how the Teensy board could tell if a valid PIN was entered. Any thoughts on that? The Teensy 3.6 has a MicroSD slot, so I could use that to write down the valid PIN, if I can somehow detect when that happened.

                    Thanks!


                      #90
                      Re: Dumping flash from HTC Desire 510

                      The Teensy doesn't need to know if the pin was entered correctly. Once it unlocks the phone, it's done its job.
                      Code that can be used was in the link goontron posted.
                      Last edited by diif; 07-07-2017, 07:25 PM.



                        #91
                        Re: Dumping flash from HTC Desire 510

                        That code that Goontron sent I don't think is for the Teensy. I was looking at it, and I think it's more of a script for a configurable key. Kinda like what I'm using, but I think you can configure it for various things. For example, the only code in that link was to generate a text file with 9,999 numbers from 0000 to 9999 or something like that, at least from what I've seen.

                        You put it on the MicroSD card and the Ducky Key will load it or something.

                        Anyway, I wrote a simple program for the Teensy 3.6 that I have. It enters the pins, then waits 35 seconds or so. I still need to fine tune it a bit (like to hit enter after 5 failed attempts to do away with the message that displays). And to hit a button every few seconds when the 30 second countdown begins so it doesn't lock the screen.

                        The problem is the phone knows I'm trying to hack into it and it starts a shutdown timer (you can see the little icon pop up in the top bar there). After it's been turned on for x amount of seconds, if a proper pin isn't entered, the phone restarts.

                        I can modify my program to stop counting when the phone restarts, but I don't know if the USB port resets during this process. It might restart my program, and if so, I need to take advantage of the MicroSD slot to keep some sort of lock file on there.

                        So, the program will wait until the phone turns on and gets to the lock screen. Then it'll act as a mouse and swipe the screen up to get to the enter pin screen. It'll enter 5 sets of pins and then wait 30 seconds or so. Every time it tries a pin, it'll write it to a file on the MicroSD card. It'll create a lock file. The first time the program runs, it'll look for the lock file. If the lock file is there, it'll always wait the amount of time that it starts for the phone to start up, and then do the finger swipe. Then, it'll read the MicroSD card to see where we left off counting and start from there.


                          #92
                          Re: Dumping flash from HTC Desire 510

                          ^Huh? Oh. Yeah, no. That's Ducky Script. https://github.com/hak5darren/USB-Ru...ki/Duckyscript

                          Wouldn't be hard to port the firmware/compiler, but yeah, no.


                            #93
                            Re: Dumping flash from HTC Desire 510

                            Originally posted by goontron:
                            ^Huh? Oh. Yeah, no. That's Ducky Script. https://github.com/hak5darren/USB-Ru...ki/Duckyscript

                            Wouldn't be hard to port the firmware/compiler, but yeah, no.
                            Yeah. I think, for the most part, it'd probably be easier and less work to just continue the program I've written. Unfortunately, I couldn't figure out how to just use my favourite text editor and make to compile the hex. I can with the Teensy 2.0 dev board, but for the Teensy 3.6, I have to use the TeensyDuino thing, which I don't like at all, but I guess it makes it a bit easier to do the things I want to do.

                            For example, I just had to call a delay(<ms>); function in the startup code, and then in the loop code, I just call Keyboard.print(number); to print whatever I want to the screen.

                            I believe these functions might be libraries that come with the TeensyDuino. It kinda hides all the real code. I don't really like programming that way. I like having a Makefile and if I'm using a library, link it statically to my object files, etc. But I was in a bit of a rush and didn't have a lot of time to try and figure out how to compile code for the Teensy 3.6 the way I wanted to.

                            There's a sample Makefile and they tell you how inside what you need to do, but it wasn't the clearest. The chip on the 3.6 is an mk66fx1m0.

                            The avr cross-compiler doesn't support this chip. The chip is made by NXP. I think it's the Kinetis K-Series architecture. Supposedly there's some optimized C compiler by Green Hills, but I think this mk66fx1m0 is based on ARM Cortex-M4 Core, so maybe I can just download the compiler from ARM?


                              #94
                              Re: Dumping flash from HTC Desire 510

                              yes, use Linux and download "gcc-arm-none-eabi"
                              you also need std-c and various tools, but the package-manager will handle that.


                              or use windows, and install the arduino package.
                              then select the duo board and it will download the arm compiler.
                              Last edited by stj; 07-08-2017, 10:53 AM.



                                #95
                                Re: Dumping flash from HTC Desire 510

                                Originally posted by stj:
                                yes, use Linux and download "gcc-arm-none-eabi"
                                you also need std-c and various tools, but the package-manager will handle that.


                                or use windows, and install the arduino package.
                                then select the duo board and it will download the arm compiler.
                                That's it? Just download gcc-arm-none-eabi? What's the eabi stuff about? I believe it stands for Embedded Application Binary Interface. I don't really understand it though. Wikipedia says:
                                Code:
                                In computer software, an application binary interface (ABI) is the interface
                                between two program modules, one of which is often a library and/or operating
                                system and the other one is usually an application created by a regular
                                programmer.
                                So does it have something to do with libraries? I don't get it.


                                **EDIT: It might be called cross-arm-gcc7 and cross-arm-binutils on my OpenSuSE Tumbleweed distro. But what do I pick for the processor type? I had these installed last night and -mmcu=mk66fx1m0 doesn't work.

                                These are the available packages that are compiler related:
                                Code:
                                eugene:/home/spork/src/pin_cracker # zypper search arm
                                ...
                                 | cross-arm-binutils         | GNU Binutils                           | package  
                                 | cross-arm-gcc6           | The GNU C Compiler and Support Files               | package  
                                 | cross-arm-gcc7           | The GNU C Compiler and Support Files               | package  
                                 | cross-armv6hl-gcc6         | The GNU C Compiler and Support Files               | package  
                                 | cross-armv6hl-gcc6-icecream-backend | Icecream backend for the GNU C Compiler              | package  
                                 | cross-armv7hl-gcc6         | The GNU C Compiler and Support Files               | package  
                                 | cross-armv7hl-gcc6-icecream-backend | Icecream backend for the GNU C Compiler              | package  
                                ...
                                I installed cross-arm-gcc7, but that installs the gnueabi gcc, not the none-eabi one. I can't figure out how to use zypper to tell me what files each package provides yet, I'm searching Google.
                                Last edited by Spork Schivago; 07-08-2017, 12:56 PM. Reason: added stuff about arm cross compiler


                                  #96
                                  Re: Dumping flash from HTC Desire 510

                                  I think I can figure this out. I can download the source and compile myself or find a precompiled binary for OpenSuSE, or I can just use the one that comes with Arduino and just manually copy it (which might be a bad idea).

                                  I noticed, after looking through the Makefile for the TeensyDuino stuff that got installed for the Arduino stuff, I see:
                                  Code:
                                  -mcpu=cortex-m4
                                  So that answers one question. Just a matter of finding a repository with a compiler version that would work. I almost want to use some of the libraries, at least for now, that come with the TeensyDuino / Arduino stuff. Makes it a lot easier. Wonder if I can just link to them using the gcc-arm-none-eabi compiler....


                                    #97
                                    Re: Dumping flash from HTC Desire 510

                                    source
                                    https://launchpad.net/gcc-arm-embedded/

                                    arduino stuff uses Arduino libraries
                                    so maybe read here:
                                    http://www.stm32duino.com/



                                      #98
                                      Re: Dumping flash from HTC Desire 510

                                      Originally posted by stj:
                                      source
                                      https://launchpad.net/gcc-arm-embedded/

                                      arduino stuff uses Arduino libraries
                                      so maybe read here:
                                      http://www.stm32duino.com/
                                      I found an OpenSuSE Tumbleweed repository that just includes the gcc-arm-none-eabi compiler, the bintools, and GDB. I downloaded and installed it. I still need to play with it.

                                      What's kind of nice is I can look at the TeensyDuino Makefile and see how they set certain things up. For example, they're using the nano.specs file that they point the compiler to. This is nice, because then I don't have to define stuff like _SBRK or whatever it is.

                                      The libraries, even though they're Arduino libraries, I don't see why I couldn't just link to the ones I needed with the compiler. I was looking at the TeensyDuino / Arduino stuff a bit more closely and noticed they use the gcc-arm-none-eabi compiler, just a bit of an older version. I think they're using version 5.x and I've downloaded and installed 6.x through the repository.

                                      I'm having some issues with the phone and program though. There's a few bugs I need to work out. For example, when the, You've entered 5 invalid attempts, you need to wait 30 seconds message appears, I program the Teensy to hit enter to do away with the message, but if I don't touch the screen every 5 seconds or so, it'll turn the screen off and needs to be unlocked again (with the finger swipe).

                                      So I programmed the Teensy to work as a keyboard, mouse, and touch sensor or whatever it is. The touch stuff looks a bit hard, but I've programmed it so the mouse pointer moves up every 5 seconds or so. This prevents it from locking. What I do is configure the screen size (854 x 480) in my code, then I position the mouse pointer to 427, 20 (x, y). I'll move the mouse up 100 pixels or so, then click, then release. Then reposition the pointer to 427, 20. But the repositioning isn't working. I think I just need a delay after moving it up. I can see the mouse move every 5 seconds or so, and that prevents the screen from locking, but once the mouse pointer gets to the very top of the screen, it locks. Worst case, I can move the mouse up 100 pixels, then after the next 5 seconds, move it down.

                                      One problem though, after 10 attempts, the program always starts back at 0000, like the USB port resets or something. I gotta find a way to tell when the phone is at the login screen. I heard the JTAG VCC drops after a bit. Maybe I can use that? I still need to implement the MicroSD card stuff. When the phone restarts, the Teensy gets reset, every time.

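The triplet in the package stj suggested answers the ABI question in the earlier post: arm-none-eabi is arm (target architecture), none (no vendor and no operating system, i.e. bare metal) and eabi (the ARM Embedded ABI, which fixes calling conventions, stack alignment and object layout so that compiled code links against a library such as newlib), whereas the gnueabi toolchain that cross-arm-gcc7 installs targets Linux userspace. Below is an added minimal Makefile for a bare-metal Cortex-M4 build with gcc-arm-none-eabi, written for this thread and not the TeensyDuino project's own Makefile; the source names main.c and startup.c, the output name firmware and the linker script path mk66fx1m0.ld are assumptions.

```makefile
# Added example: minimal bare-metal build for the MK66FX1M0 (Cortex-M4 with
# single-precision FPU) using gcc-arm-none-eabi. Assumed: main.c and startup.c
# in this directory, and a linker script mk66fx1m0.ld for the chip (the Teensy
# core ships one; adjust LDSCRIPT to wherever it lives on your system).

# Toolchain prefix: arm (arch) - none (no OS) - eabi (ARM Embedded ABI).
CROSS    = arm-none-eabi-
CC       = $(CROSS)gcc
OBJCOPY  = $(CROSS)objcopy
SIZE     = $(CROSS)size

TARGET   = firmware
SRCS     = main.c startup.c
OBJS     = $(SRCS:.c=.o)
LDSCRIPT = mk66fx1m0.ld

# CPU options: -mthumb is mandatory (Cortex-M only runs Thumb-2 code);
# the FPU flags must match the library build or the link is rejected.
CPUFLAGS = -mcpu=cortex-m4 -mthumb -mfloat-abi=hard -mfpu=fpv4-sp-d16

CFLAGS   = $(CPUFLAGS) -Os -Wall -Wextra -ffunction-sections -fdata-sections

# nano.specs selects the size-reduced newlib-nano; nosys.specs supplies stub
# syscalls (_sbrk, _write, ...) so they need not be written by hand.
# --gc-sections drops code and data nothing references.
LDFLAGS  = $(CPUFLAGS) --specs=nano.specs --specs=nosys.specs \
           -Wl,--gc-sections -T$(LDSCRIPT)

all: $(TARGET).hex

$(TARGET).elf: $(OBJS) $(LDSCRIPT)
	$(CC) $(LDFLAGS) -o $@ $(OBJS)
	$(SIZE) $@

# Intel HEX is the format the Teensy loader consumes.
$(TARGET).hex: $(TARGET).elf
	$(OBJCOPY) -O ihex $< $@

%.o: %.c
	$(CC) $(CFLAGS) -c -o $@ $<

clean:
	rm -f $(OBJS) $(TARGET).elf $(TARGET).hex

.PHONY: all clean
```

Running `arm-none-eabi-gcc -print-multi-lib` shows which CPUFLAGS combinations the installed toolchain has libraries for; if the hard-float variant is missing, the link fails at the newlib step rather than at compile time.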


                                        #99
                                        Re: Dumping flash from HTC Desire 510

                                        tbh the only stuff i did with arm yet is customise other people's work.
                                        and those people dealt with all the separation of the shit from useful stuff first.

                                        the only library they used was LibOpenCM3
                                        which btw, looks really nice.
                                        http://libopencm3.org/



                                          Re: Dumping flash from HTC Desire 510

                                          Okay, I've fixed almost all the bugs now. The only thing I'm having trouble with is during the 30 second countdown (after 5 failed attempts), after 10 seconds or so, the screen goes dark and then locks. Gotta figure out how to keep that active still so it doesn't go dark.

                                          Finally, I need to write code to store the pin on a MicroSD card, so when the phone reboots, it'll start off where it left off at, not start over at 0000.

                                          Then I can just let this run and away we go. I think I'm going to need to use my programmable power supply and take the battery out of the phone and use that to power it, so the phone battery doesn't go dead.