Hello,
I was looking into CSC.apk today when this caught my eye
CscModemSettingService.java
Notice updateLockInfo and addLockInfo
It appears to read the lock codes from the /system/CSC and then update them in the modem through RIL function invokeOemRilRequestRaw (this is also the same api that samsung servicemode app uses). This is on an sgh m919.
Perhaps this could be copied, but we could instead send 00000000 as the new NetLock code?
Obviously this would require root and require the app to be running as a system app since we are calling a protected RIL function (unless we use the Samsung @multiclient api, that requires no privileges and is implemented in stock). But it would be simple to make such an app if this method works. I also discovered that unlockCnt is the number of tries you get for the network unlock code before it is locked out, not that it matters if we can just change the code to whatever we want.
Edit: looks like it is not setting the network lock key as I originally thought, but instead setting a list of allowed MCCMNC that are read from the CSC.
So if the phone was locked to MCCMNCs (making these up)
310020
48262
137373
Payload would be
31002048262#137373
I think these are being written to NVRAM through the raw ril requests
There might be another value that controls whether the region/network lock is on at all. Maybe if we just set it to an empty string, it will turn off?
I know that the app RegionLockAway works somewhat like this. It makes changes to the CSC file and then invokes CSC.apk to send the changes to the modem.
I was looking into CSC.apk today when this caught my eye
CscModemSettingService.java
Notice updateLockInfo and addLockInfo
Code:
/*
* Decompiled with CFR 0_110.
*
* Could not load the following classes:
* android.app.Service
* android.content.Context
* android.content.Intent
* android.content.SharedPreferences
* android.content.SharedPreferences$Editor
* android.os.Bundle
* android.os.Handler
* android.os.IBinder
* android.os.Message
* android.os.SystemProperties
* android.util.Log
* com.samsung.android.sec_platform_library.FactoryPhone
* com.samsung.android.sec_platform_library.PacketBuilder
* java.io.File
* java.lang.Byte
* java.lang.Integer
* java.lang.Object
* java.lang.Runnable
* java.lang.String
* java.lang.StringBuffer
* java.lang.Thread
* java.util.ArrayList
* org.w3c.dom.Node
* org.w3c.dom.NodeList
*/
package com.samsung.sec.android.application.csc;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.Bundle;
import android.os.Handler;
import android.os.IBinder;
import android.os.Message;
import android.os.SystemProperties;
import android.util.Log;
import com.samsung.android.sec_platform_library.FactoryPhone;
import com.samsung.android.sec_platform_library.PacketBuilder;
import com.samsung.sec.android.application.csc.CscParser;
import java.io.File;
import java.util.ArrayList;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
public class CscModemSettingService
extends Service {
private static final boolean isMarvell = "mrvl".equalsIgnoreCase(SystemProperties.get((String)"ro.board.platform", (String)"Unknown").trim());
private String CPLockCode = "";
private String DEFAULT_CSC_FILE = CscParser.getCustomerPath();
private String NSPLockCode = "";
private String NetLockCode = "";
private String OTHERS_CSC_FILE = CscParser.getOthersPath();
private String SPLockCode = "";
private int amrVoiceCodec = -1;
private int generalLockInfo = 0;
private int gprsAttachMode = 1;
ArrayList<Byte> mByteArray = new ArrayList();
private Handler mHandler;
private Intent mIntent = null;
private int mItemCount = 0;
private FactoryPhone mPhone = null;
private int networkMode = 0;
private int ssms = -1;
private String strNetworkMode = "auto";
private String strSalesCode = "";
private int unlockCnt = 3;
public CscModemSettingService() {
this.mHandler = new Handler(){
/*
* Enabled aggressive block sorting
* Lifted jumps to return sites
*/
public void handleMessage(Message message) {
int n = message.getData().getInt("error");
switch (message.what) {
default: {
return;
}
case 2000: {
Log.i((String)"CscModemSettingService", (String)"SEND_PRECONFIG_DONE response incoming!!");
if (n == 0) return;
Log.i((String)"CscModemSettingService", (String)"AsyncResult Exception Occur!!!");
return;
}
case 2001: {
Log.i((String)"CscModemSettingService", (String)"SEND_MODEM_DONE response incoming!!");
if (n == 0) return;
Log.i((String)"CscModemSettingService", (String)"AsyncResult Exception Occur!!!");
return;
}
case 2002:
}
Log.i((String)"CscModemSettingService", (String)"SEND_RESET_DONE response incoming!!");
if (n != 0 && !isMarvell) {
Log.i((String)"CscModemSettingService", (String)"AsyncResult Exception Occur!!!");
return;
}
SharedPreferences.Editor editor = CscModemSettingService.this.getSharedPreferences("csc.preferences_name", 0).edit();
editor.putBoolean("csc.key.csc_modem_setting_done", true);
editor.commit();
}
};
}
private void compareLockAndModemInfo() {
this.readModemInfo();
this.readLockInfo();
this.mItemCount = 0;
this.mByteArray = new ArrayList();
this.addModemInfoToBuffer();
this.addLockInfoToBuffer();
Log.i((String)"CscModemSettingService", (String)("compareLockAndModemInfo() : mByteArray = " + this.mByteArray.size()));
this.sendByteBuffer(7, 1);
}
/*
* Enabled aggressive block sorting
*/
private void readLockInfo() {
CscParser cscParser = new CscParser(this.DEFAULT_CSC_FILE);
int n = 5;
this.NetLockCode = "";
this.SPLockCode = "";
this.NSPLockCode = "";
this.CPLockCode = "";
String string = cscParser.get("Settings.Main.Security.UnlockCnt");
this.unlockCnt = string == null ? 3 : new Integer(string);
NodeList nodeList = cscParser.searchList(cscParser.search("Settings.Main.Security."), "NetworkLock");
if (nodeList != null && nodeList.getLength() > 0) {
this.generalLockInfo = 1 | this.generalLockInfo;
for (int i = 0; i < nodeList.getLength(); ++i) {
StringBuffer stringBuffer = new StringBuffer(cscParser.getValue(nodeList.item(i)));
if (stringBuffer.toString().length() == 5) {
n = 5;
stringBuffer.append("#");
} else {
n = 6;
}
Log.i((String)"CscModemSettingService", (String)("NetworkLock > code (" + i + ") : " + stringBuffer.toString()));
this.NetLockCode = this.NetLockCode + stringBuffer.toString();
}
}
Log.i((String)"CscModemSettingService", (String)("NetworkLock > all code : " + this.NetLockCode));
NodeList nodeList2 = cscParser.searchList(cscParser.search("Settings.Main.Security."), "SubsetLock");
if (nodeList2 != null && nodeList2.getLength() > 0) {
this.generalLockInfo = 2 | this.generalLockInfo;
for (int i = 0; i < nodeList2.getLength(); ++i) {
StringBuffer stringBuffer = new StringBuffer(cscParser.getValue(nodeList2.item(i)));
if (stringBuffer.toString().length() == 2) {
stringBuffer.append("#");
}
Log.i((String)"CscModemSettingService", (String)("SubsetLock > code (" + i + ") : " + stringBuffer.toString()));
this.NSPLockCode = this.NSPLockCode + Integer.toString((int)n) + stringBuffer.toString();
}
}
Log.i((String)"CscModemSettingService", (String)("SubsetLock > all code : " + this.NSPLockCode));
NodeList nodeList3 = cscParser.searchList(cscParser.search("Settings.Main.Security."), "SPLock");
if (nodeList3 != null && nodeList3.getLength() > 0) {
this.generalLockInfo = 8 | this.generalLockInfo;
for (int i = 0; i < nodeList3.getLength(); ++i) {
String string2 = cscParser.getValue(nodeList3.item(i));
Log.i((String)"CscModemSettingService", (String)("SPLock > code (" + i + ") : " + string2));
this.SPLockCode = this.SPLockCode + string2;
}
}
Log.i((String)"CscModemSettingService", (String)("SPLock > all code : " + this.SPLockCode));
NodeList nodeList4 = cscParser.searchList(cscParser.search("Settings.Main.Security."), "CPLock");
if (nodeList4 != null && nodeList4.getLength() > 0) {
this.generalLockInfo = 16 | this.generalLockInfo;
for (int i = 0; i < nodeList4.getLength(); ++i) {
String string3 = cscParser.getValue(nodeList4.item(i));
Log.i((String)"CscModemSettingService", (String)("CPLock > code (" + i + ") : " + string3));
this.CPLockCode = this.CPLockCode + string3;
}
}
Log.i((String)"CscModemSettingService", (String)("CPLock > all code : " + this.CPLockCode));
}
/*
* Enabled aggressive block sorting
*/
private void readModemInfo() {
CscParser cscParser = new CscParser(this.DEFAULT_CSC_FILE);
this.strNetworkMode = new CscParser(this.OTHERS_CSC_FILE).get("Settings.Main.Network.NetworkMode");
if (this.strNetworkMode == null) {
String string = SystemProperties.get((String)"ro.csc.sales_code");
this.networkMode = "SKT".equals((Object)string) || "KTT".equals((Object)string) || "LGT".equals((Object)string) ? 0 : 1;
} else if (this.strNetworkMode.equalsIgnoreCase("auto")) {
this.networkMode = 1;
} else if (this.strNetworkMode.equalsIgnoreCase("UMTS")) {
this.networkMode = 2;
} else if (this.strNetworkMode.equalsIgnoreCase("GSM")) {
this.networkMode = 3;
} else if (this.strNetworkMode.equalsIgnoreCase("900")) {
this.networkMode = 4;
} else if (this.strNetworkMode.equalsIgnoreCase("1800")) {
this.networkMode = 5;
} else if (this.strNetworkMode.equalsIgnoreCase("1900")) {
this.networkMode = 6;
}
if (cscParser.get("Settings.Main.Network.AutoAttach") == null) {
this.gprsAttachMode = 1;
} else if (cscParser.get("Settings.Main.Network.AutoAttach").equalsIgnoreCase("on")) {
this.gprsAttachMode = 1;
} else if (cscParser.get("Settings.Main.Network.AutoAttach").equalsIgnoreCase("off")) {
this.gprsAttachMode = 0;
}
if (cscParser.get("Settings.Messages.SMS.SSMS") == null) {
this.ssms = 0;
} else if (cscParser.get("Settings.Messages.SMS.SSMS").equalsIgnoreCase("on")) {
this.ssms = 1;
} else if (cscParser.get("Settings.Messages.SMS.SSMS").equalsIgnoreCase("off")) {
this.ssms = 0;
}
if (cscParser.get("Settings.Main.Sound.AMRVoiceCodec") == null) {
this.amrVoiceCodec = -1;
return;
} else {
if (cscParser.get("Settings.Main.Sound.AMRVoiceCodec").equalsIgnoreCase("enable") || cscParser.get("Settings.Main.Sound.AMRVoiceCodec").equalsIgnoreCase("on")) {
this.amrVoiceCodec = 1;
return;
}
if (!cscParser.get("Settings.Main.Sound.AMRVoiceCodec").equalsIgnoreCase("disable") && !cscParser.get("Settings.Main.Sound.AMRVoiceCodec").equalsIgnoreCase("off")) return;
{
this.amrVoiceCodec = 0;
return;
}
}
}
private void readSalesCode() {
this.strSalesCode = new CscParser(this.DEFAULT_CSC_FILE).get("GeneralInfo.SalesCode");
Log.i((String)"CscModemSettingService", (String)("csc modem strSalesCode = " + this.strSalesCode));
}
private void updateLockInfo() {
String string;
String string2 = CscParser.getSalesCode();
if (!string2.equals((Object)"null") && new File(string = "/system/csc/" + string2 + this.DEFAULT_CSC_FILE).exists()) {
this.DEFAULT_CSC_FILE = string;
}
this.readLockInfo();
this.mItemCount = 0;
this.mByteArray = new ArrayList();
this.addLockInfoToBuffer();
Log.i((String)"CscModemSettingService", (String)("updateLockInfo() : mByteArray Size = " + this.mByteArray.size()));
this.sendByteBuffer(8, 0);
}
private void updateModemInfo() {
this.readSalesCode();
this.sendSalesCode();
this.readModemInfo();
this.mItemCount = 0;
this.mByteArray = new ArrayList();
this.addModemInfoToBuffer();
Log.i((String)"CscModemSettingService", (String)("updateModemInfo() : mByteArray Size = " + this.mByteArray.size()));
this.sendByteBuffer(7, 0);
this.sendResetMsg();
}
public void addLockInfoToBuffer() {
Log.i((String)"CscModemSettingService", (String)"add Lock Info");
this.mByteArray.add((Object)new Byte(-127));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(6));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(255 & this.generalLockInfo)));
this.mItemCount = 1 + this.mItemCount;
if ((1 & this.generalLockInfo) > 0) {
int n = this.NetLockCode.length();
int n2 = n + 15;
this.mByteArray.add((Object)new Byte(-126));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(n2 & 255)));
this.mByteArray.add((Object)new Byte((byte)(n2 << 8)));
this.mByteArray.add((Object)new Byte(3));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(2));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(255 & this.unlockCnt)));
this.mByteArray.add((Object)new Byte(3));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(n & 255)));
this.mByteArray.add((Object)new Byte((byte)(n << 8)));
new byte[this.NetLockCode.length()];
byte[] arrby = this.NetLockCode.getBytes();
for (int i = 0; i < arrby.length; ++i) {
this.mByteArray.add((Object)new Byte(arrby[i]));
}
this.mItemCount = 1 + this.mItemCount;
}
if ((2 & this.generalLockInfo) > 0) {
int n = this.NSPLockCode.length();
int n3 = n + 15;
this.mByteArray.add((Object)new Byte(-125));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(n3 & 255)));
this.mByteArray.add((Object)new Byte((byte)(n3 << 8)));
this.mByteArray.add((Object)new Byte(3));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(2));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(255 & this.unlockCnt)));
this.mByteArray.add((Object)new Byte(3));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(n & 255)));
this.mByteArray.add((Object)new Byte((byte)(n << 8)));
new byte[this.NSPLockCode.length()];
byte[] arrby = this.NSPLockCode.getBytes();
for (int i = 0; i < arrby.length; ++i) {
this.mByteArray.add((Object)new Byte(arrby[i]));
}
this.mItemCount = 1 + this.mItemCount;
}
if ((8 & this.generalLockInfo) > 0) {
int n = this.SPLockCode.length();
int n4 = n + 15;
this.mByteArray.add((Object)new Byte(-124));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(n4 & 255)));
this.mByteArray.add((Object)new Byte((byte)(n4 << 8)));
this.mByteArray.add((Object)new Byte(3));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(2));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(255 & this.unlockCnt)));
this.mByteArray.add((Object)new Byte(3));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(n & 255)));
this.mByteArray.add((Object)new Byte((byte)(n << 8)));
new byte[this.SPLockCode.length()];
byte[] arrby = this.SPLockCode.getBytes();
for (int i = 0; i < arrby.length; ++i) {
this.mByteArray.add((Object)new Byte(arrby[i]));
}
this.mItemCount = 1 + this.mItemCount;
}
if ((16 & this.generalLockInfo) > 0) {
int n = this.CPLockCode.length();
int n5 = n + 15;
this.mByteArray.add((Object)new Byte(-123));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(n5 & 255)));
this.mByteArray.add((Object)new Byte((byte)(n5 << 8)));
this.mByteArray.add((Object)new Byte(3));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(2));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(255 & this.unlockCnt)));
this.mByteArray.add((Object)new Byte(3));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(n & 255)));
this.mByteArray.add((Object)new Byte((byte)(n << 8)));
new byte[this.CPLockCode.length()];
byte[] arrby = this.CPLockCode.getBytes();
for (int i = 0; i < arrby.length; ++i) {
this.mByteArray.add((Object)new Byte(arrby[i]));
}
this.mItemCount = 1 + this.mItemCount;
}
}
public void addModemInfoToBuffer() {
Log.i((String)"CscModemSettingService", (String)"add Modem Info");
if (this.networkMode > 0) {
this.mByteArray.add((Object)new Byte(-121));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(255 & this.networkMode)));
this.mItemCount = 1 + this.mItemCount;
}
this.mByteArray.add((Object)new Byte(-119));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(255 & this.gprsAttachMode)));
this.mItemCount = 1 + this.mItemCount;
if (this.amrVoiceCodec >= 0) {
this.mByteArray.add((Object)new Byte(-117));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(255 & this.amrVoiceCodec)));
this.mItemCount = 1 + this.mItemCount;
}
this.mByteArray.add((Object)new Byte(-115));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(11));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(2));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte((byte)(255 & this.ssms)));
this.mByteArray.add((Object)new Byte(2));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(1));
this.mByteArray.add((Object)new Byte(0));
this.mByteArray.add((Object)new Byte(0));
this.mItemCount = 1 + this.mItemCount;
}
public IBinder onBind(Intent intent) {
return null;
}
public void onCreate() {
this.mPhone = new FactoryPhone((Context)this);
}
public void onDestroy() {
super.onDestroy();
this.mPhone.disconnectFromRilService();
}
public void onStart(Intent intent, int n) {
Log.i((String)"CscModemSettingService", (String)"onStart");
this.mIntent = intent;
Thread thread = new Thread(new Runnable(){
public void run() {
if (CscModemSettingService.this.mIntent != null && CscModemSettingService.this.mIntent.hasExtra("MODE")) {
String string = CscModemSettingService.this.mIntent.getStringExtra("MODE");
if ("SET_LOCK_INFO".equals((Object)string)) {
Log.i((String)"CscModemSettingService", (String)"SET_LOCK_INFO for modem values. (PHASE 1 writing)");
CscModemSettingService.this.updateLockInfo();
}
if ("SET_MODEM_INFO".equals((Object)string)) {
Log.i((String)"CscModemSettingService", (String)"SET_MODEM_INFO for modem values. (PHASE 2 writing)");
CscModemSettingService.this.updateModemInfo();
}
if ("COMPARE_VERIFY_MODEM".equals((Object)string)) {
Log.i((String)"CscModemSettingService", (String)"COMPARE_VERIFY for modem values. ");
CscModemSettingService.this.compareLockAndModemInfo();
}
return;
}
Log.i((String)"CscModemSettingService", (String)"NO EXTRA");
}
});
thread.setPriority(10);
thread.start();
}
public void sendByteBuffer(int n, int n2) {
int n3 = this.mByteArray.size();
byte[] arrby = new byte[n3];
for (int i = 0; i < n3; ++i) {
arrby[i] = ((Byte)this.mByteArray.get(i)).byteValue();
}
Log.i((String)"CscModemSettingService", (String)"sendByteBuffer");
PacketBuilder packetBuilder = new PacketBuilder(6, (byte)n);
if (n == 7) {
packetBuilder.addData((byte)n2);
}
packetBuilder.addData((byte)this.mItemCount);
packetBuilder.addData(arrby, 0, n3);
this.mPhone.invokeOemRilRequestRaw(packetBuilder.getPacket(), this.mHandler.obtainMessage(2001));
}
public void sendResetMsg() {
Log.i((String)"CscModemSettingService", (String)"sendResetMsg");
PacketBuilder packetBuilder = new PacketBuilder(6, 5);
packetBuilder.addData(1);
if (this.mPhone != null) {
this.mPhone.invokeOemRilRequestRaw(packetBuilder.getPacket(), this.mHandler.obtainMessage(2002));
return;
}
Log.e((String)"CscModemSettingService", (String)"sendResetMsg fail");
}
public void sendSalesCode() {
Log.i((String)"CscModemSettingService", (String)"sendSalesCode");
if (this.strSalesCode == null) {
return;
}
PacketBuilder packetBuilder = new PacketBuilder(6, 1);
packetBuilder.addData(0);
packetBuilder.addData(0);
packetBuilder.addData(this.strSalesCode.getBytes(), 0, this.strSalesCode.getBytes().length);
this.mPhone.invokeOemRilRequestRaw(packetBuilder.getPacket(), this.mHandler.obtainMessage(2000));
}
}It appears to read the lock codes from the /system/CSC and then update them in the modem through RIL function invokeOemRilRequestRaw (this is also the same api that samsung servicemode app uses). This is on an sgh m919.
Perhaps this could be copied, but we could instead send 00000000 as the new NetLock code?
Obviously this would require root and require the app to be running as a system app since we are calling a protected RIL function (unless we use the Samsung @multiclient api, that requires no privileges and is implemented in stock). But it would be simple to make such an app if this method works. I also discovered that unlockCnt is the number of tries you get for the network unlock code before it is locked out, not that it matters if we can just change the code to whatever we want.
Edit: looks like it is not setting the network lock key as I originally thought, but instead setting a list of allowed MCCMNC that are read from the CSC.
So if the phone was locked to MCCMNCs (making these up)
310020
48262
137373
Payload would be
31002048262#137373
I think these are being written to NVRAM through the raw ril requests
There might be another value that controls whether the region/network lock is on at all. Maybe if we just set it to an empty string, it will turn off?
I know that the app RegionLockAway works somewhat like this. It makes changes to the CSC file and then invokes CSC.apk to send the changes to the modem.