I feel like I should have been able to find the answer to this, maybe I'm distracted or something, but does anyone know how carrier/network/SIM lock actually works and if there are any workarounds? Say I wanted to make one of those unlocking services. What is the process?
I saw a couple of answers from some years ago; they all seem fairly vague and as if it's actually an unknown, so I'm not sure if that's current information. It seems inevitable that someone would have leaked or reverse engineered that information by now, right?
Answer
Carrier locks work at the SoC/bootloader level. In simple terms, the modem - which has its own Baseband Processor (BP) - is tuned to certain frequencies/bands or programmed to register only with one MCC/MNC, which identifies a universally unique carrier. The MCC/MNC is part of the IMSI, which is stored on the SIM card and used in the initial authentication process when the device goes online.
Both the modem (which is integrated into the SoC) and the SIM (which is a Java Card secure element) are completely isolated from the Application Processor (the one on which the Android OS runs); they have their own processors, OS and possibly storage. The modem's communication protocol (through the RIL) is usually vendor-specific and closed source (it used to be simply AT commands (ATC) in the good old days). Communication with the SIM (APDU commands) is also routed through the BP. So the unlocking workarounds aren't very straightforward, but hacks do exist and they work, usually through special hardware/software.
Most modems accept some kind of dial code for SIM unlock, which is calculated by passing the phone's IMEI through some mathematical functions, which are sometimes cracked by hackers. Another approach is to communicate with the modem through some service mode, e.g. Diagnostic Mode (DM) on Qualcomm SoCs (see this recent example), or possibly go even below that and directly use UART/JTAG, entirely bypassing the Android OS. So there is no standardization, and official/unofficial unlocking methods vary widely from vendor to vendor and device to device.
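The following is an added example and not part of the answer above or of any vendor's firmware. It shows, in Python, the piece of the answer that is standardised and therefore checkable: the baseband reads the IMSI from the SIM file EF_IMSI (3GPP TS 31.102, file 6F07) via APDUs, decodes it, splits off the MCC/MNC, and compares that PLMN against a network-personalisation allow-list (the "network lock" category of 3GPP TS 22.022) before it proceeds to network authentication. The EF_IMSI records, the allow-list and the partial MNC-length table are constructed for the example; a real baseband keeps its lock policy in its own NV/secure storage and carries a full PLMN table. The IMEI Luhn check is included because it is the only public part of the "IMEI maths" the answer mentions; no vendor unlock-code function is reproduced or guessed at.

```python
"""Added example (not from the original answer): decode EF_IMSI as read from a
SIM, split it into MCC / MNC / MSIN, and apply a network-personalisation
("carrier lock") policy of the kind the baseband evaluates before registering.
All sample records, the lock table and the MNC-length table are constructed."""

from dataclasses import dataclass

# Constructed, partial table: MCCs whose networks use three-digit MNCs. A real
# baseband carries the full list (or reads the MNC length from EF_AD on the SIM).
THREE_DIGIT_MNC_MCCS = frozenset({"302", "310", "311", "312", "313", "314", "315", "316"})


def decode_ef_imsi(raw: bytes) -> str:
    """Decode an EF_IMSI record: a length byte, then the IMSI in TS 24.008
    mobile-identity coding (byte 1: low nibble = identity type b1-b3 (001 = IMSI)
    plus odd/even parity in b4, high nibble = first digit; remaining bytes are
    nibble-swapped BCD digit pairs, padded with 0xF for even-length IMSIs)."""
    if not raw or raw[0] < 1 or len(raw) < 1 + raw[0]:
        raise ValueError("EF_IMSI length byte disagrees with record size")
    body = raw[1:1 + raw[0]]
    if body[0] & 0x07 != 0x01:
        raise ValueError("identity type is not IMSI")
    odd = bool(body[0] & 0x08)
    digits = [body[0] >> 4]
    for b in body[1:]:
        digits.append(b & 0x0F)  # the lower nibble holds the earlier digit
        digits.append(b >> 4)
    while digits and digits[-1] == 0xF:  # strip 0xF padding
        digits.pop()
    if any(d > 9 for d in digits):
        raise ValueError("non-BCD nibble inside IMSI")
    if (len(digits) % 2 == 1) != odd:
        raise ValueError("parity bit disagrees with digit count")
    if not 6 <= len(digits) <= 15:
        raise ValueError("IMSI length out of range")
    return "".join(str(d) for d in digits)


def split_plmn(imsi: str) -> tuple[str, str, str]:
    """Return (MCC, MNC, MSIN); the MNC is 2 or 3 digits depending on the MCC."""
    mcc = imsi[:3]
    n = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return mcc, imsi[3:3 + n], imsi[3 + n:]


@dataclass(frozen=True)
class NetworkLock:
    """Network-personalisation policy: while active, the ME only registers
    with a SIM whose (MCC, MNC) is on the allow-list."""
    allowed_plmns: frozenset
    active: bool = True

    def permits(self, imsi: str) -> bool:
        if not self.active:
            return True
        mcc, mnc, _ = split_plmn(imsi)
        return (mcc, mnc) in self.allowed_plmns


def attach_decision(ef_imsi: bytes, lock: NetworkLock) -> str:
    """What the baseband does with this SIM: continue to the network
    authentication the answer mentions, or stop in a SIM-locked state."""
    try:
        imsi = decode_ef_imsi(ef_imsi)
    except ValueError as exc:
        return f"REJECT: invalid EF_IMSI ({exc})"
    mcc, mnc, _ = split_plmn(imsi)
    if lock.permits(imsi):
        return f"PROCEED: PLMN {mcc}-{mnc}, continue with authentication"
    return f"SIM LOCKED: PLMN {mcc}-{mnc} not in personalisation list"


def imei_luhn_ok(imei: str) -> bool:
    """Validate the 15th IMEI digit (Luhn check digit). Only this checksum is
    public; the vendor unlock-code functions are deliberately not modelled."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(imei):
        d = int(ch)
        if i % 2 == 1:  # every second digit, counted from the check digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Constructed EF_IMSI records for the test PLMNs 001-01 and 001-02.
EF_IMSI_TEST_PLMN = bytes.fromhex("08 09 10 10 10 32 54 76 98")   # IMSI 001010123456789
EF_IMSI_OTHER_PLMN = bytes.fromhex("08 09 10 20 10 32 54 76 98")  # IMSI 001020123456789

if __name__ == "__main__":
    lock = NetworkLock(allowed_plmns=frozenset({("001", "01")}))
    print(attach_decision(EF_IMSI_TEST_PLMN, lock))
    print(attach_decision(EF_IMSI_OTHER_PLMN, lock))
    print(attach_decision(EF_IMSI_OTHER_PLMN, NetworkLock(lock.allowed_plmns, active=False)))
    print("IMEI check digit ok:", imei_luhn_ok("490154203237518"))
```

The `active` flag is the whole difference between a locked and an unlocked phone from the modem's point of view: the unlock methods the answer lists (a vendor dial code, a DM/service-mode command, or a direct UART/JTAG edit) all end up clearing that state or its stored allow-list in baseband storage, which is why the procedure differs per vendor even though the IMSI/PLMN check itself is standard.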