Motorola Admiral XT603 SPC \ MSL unlocking

joemoreno

New member
Jan 27, 2012
like this: ??

element id: 0055
record #:0001
offset: 0000
Length: 000E

Because it doesn't work! This appears in hex only: 0000202020200000002905000000

no SPC HERE, HELP please.
 
Nov 19, 2012
like this: ??

element id: 0055
record #:0001
offset: 0000
Length: 000E

Because it doesn't work! This appears in hex only: 0000202020200000002905000000

no SPC HERE, HELP please.

I have not noticed ... access to NV 0055 requires the SPC code :( But now the address where the SPC is placed is accurately known
[NV items]
[Complete items - 0, Items size - 128]

00085 (0x0055) - SPC (6 digits) is required
 

hetaldp

New member
Mar 5, 2010
00085 is the common location for the NV item sec_code across 100% of all Qualcomm chipsets, and to read it you are required to send the SPC code on all Qualcomm chipsets; nothing new.

We need another storage location in NV which is unprotected for read operations.
 

garbb

Well-known member
Nov 26, 2011
Out of frustration I hacked together my own (terrible) method for finding the MSL on this phone. It's a shell script that just brute force guesses the MSL by entering ##<6 digit number from 000000-999999># into the dialer and checks until the service programming menu shows up... This does not require rooting your phone and should theoretically work on any Android phone, it just needs busybox which I have included. (But it is really slow.)
And yes, it did actually work for me and found the MSL of my Admiral in a few hours.
Here's the link: http://d-h.st/LMA

how to use:
put your phone into airplane mode so that the script cannot be interrupted by a call or text, etc...
go to settings, display, animations, and set it to 'no animations' to make the script run a bit faster
go to settings, sounds and turn off audible touch tones to make the script run a bit faster
open the phone dialer
unzip the file and copy the msl.bf.sh and busybox files to /data/local/tmp/ on your phone with adb
get to a shell with adb and type the following commands and hit enter:
"cd /data/local/tmp/"
"chmod 777 msl.bf.sh"
"chmod 777 busybox"
now make sure that the screen is on and unlocked and the phone dialer app is on the screen
run the command "./msl.bf.sh"

It will now try every combination of numbers from 000000 to 999999 to guess the MSL. Yes, this will take a while. I recommend letting it run overnight. If it successfully finds the MSL you will see the service programming menu on the screen and your MSL should be the last number that you see in the console window on your computer. If you want to stop the script before it finishes then press any letter key (on your computer in the console window) and hit enter. (PLEASE NOTE: if you do not stop the script this way it will continue to run on your phone even if you unplug it from your computer, which will be annoying and probably require you to reboot your phone to stop it...) If you stop the script and then later want to resume from where you left off then you can edit the msl.bf.sh script with a text editor and change the "000000" in the 4th line to whatever number you want the script to start from and then copy it to your phone again and run it again.

Here's the script in case the download link dies:
Code:
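if ./busybox [ -t 0 ]; then ./busybox stty -echo -icanon time 0 min 0; fi  # on a terminal: make "read" non-blocking

keypress=''
for i in $(./busybox seq -w 000000 999999)
do
	echo "##$i#"
	# clear the log, type the guess into the dialer, then dump the hidden menu app's log lines
	logcat -c
	input text "##$i#"
	d="$(logcat -d -s HiddenMenuApp:D)"
	e="$(echo "$d" | ./busybox grep CDMA_SUCCESS)"
	# stop if a key was typed in the console
	read keypress
	if ./busybox [ "x$keypress" != "x" ]; then exit 1; fi
	# CDMA_SUCCESS in the log means the guess was accepted: record it and stop
	if ./busybox [ "$e" != "" ] ; then
		echo "$d"
		echo "success?"
		echo "$i" > done.txt
		echo "$d" >> done.txt
		exit 0
	fi
done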
 

alienmau

New member
Feb 8, 2011
Hi, I just did the SH script, but when I run the script, it sends:
Code:
stty: not found
seq: not found

I think that maybe these commands are not in ADB, but how do I fix it? I did everything under Windows XP, downloaded the SDK and used the platform-tools for ADB and added them to the PATH variable, copied the 2 files with adb push, and gave them 777 permission, I think all exactly how you describe, but when I run the script it gives me that and does nothing, so can you help me?? Or maybe the script is incorrect, or can you change the syntax??
 

3a4yI7aTiY

Member
Jan 29, 2011
this is good??

[: not found
[: not found
##001502#
[: not found
[: not found
##001503#
[: not found
[: not found
##001504#
[: not found
[: not found
##001505#
[: not found
[: not found
##001506#
[: not found
[: not found
##001507#
[: not found
[: not found
##001508#
[: not found
[: not found
##001509#
[: not found
[: not found
##001510#
[: not found
[: not found
##001511#

I need to hit Enter every time.. what did I do wrong?

PS: sorry for my English
 

3a4yI7aTiY

Member
Jan 29, 2011
yes and chmod do


D:\Android\adt-bundle-windows-x86_64-20131030\adt-bundle-windows-x86_64-20131030
\sdk\platform-tools>adb devices
List of devices attached
TBEN1228101898 device


D:\Android\adt-bundle-windows-x86_64-20131030\adt-bundle-windows-x86_64-20131030
\sdk\platform-tools>adb push busybox /data/local/tmp/
4192 KB/s (1867568 bytes in 0.435s)

D:\Android\adt-bundle-windows-x86_64-20131030\adt-bundle-windows-x86_64-20131030
\sdk\platform-tools>adb push msl.bf.sh /data/local/tmp/
10 KB/s (535 bytes in 0.051s)

D:\Android\adt-bundle-windows-x86_64-20131030\adt-bundle-windows-x86_64-20131030
\sdk\platform-tools>adb shell
$ su
su
# cd /data/local/tmp/
cd /data/local/tmp/
# ls
ls
msl.bf.sh
busybox
# chmod 777 msl.bf.sh
chmod 777 msl.bf.sh
# chmod 777 busybox
chmod 777 busybox
# ./msl.bf.sh
./msl.bf.sh
[: not found

##007925#
[: not found
[: not found
##007926#
[: not found
[: not found
##007927#
 

chxnugs

New member
Dec 18, 2013
I'm actually running this script as I type this. I have the Straight Talk Galaxy S3 (s960l) and I have tried absolutely everything. This is my last chance and it's working awesome so far. I'm sure this will work, ty sir for the script! I've been on getting my MSL for a week.

EDIT: I meant to get back sooner, but after a day of running the script I FINALLY got it! But I did notice, since I ran the script on a Galaxy S3, the script did not stop for the service menu. I just kept close eyes on it when I saw the menu on the phone for the first time. I edited the script to start on the last numbers I saw before the service menu was up. My number started with a 1 so I got lucky. Thank you, and for anyone that can't find the MSL on the "S960L", this may be your only way.
 

Rich Carter

New member
Mar 11, 2015
Realize this is an old thread, but I have a question about the speed. I'm trying to brute force my Moto Admiral's MSL now. The script has been running for about 27 hours and I'm only around 153000. Does the CPU speed of the computer you're using impact the cracking speed, or is it limited by the speed of the phone? It seems impossibly fast that the OP was able to crack it within a few hours.

I don't need the phone for anything else, so I'm happy to have it run all week if it needs that long. I was just curious how others were able to get it in such record speed.
 

garbb

Well-known member
Nov 26, 2011
The reason I got my MSL in a few hours is that I was very lucky and my MSL began with the digits 10XXXX. It's been a while since I used this but unfortunately I don't think there is really anything you can do to make it faster other than turning off animations, touch tones, and putting the phone into airplane mode like I mentioned in my post. Maybe you can go into the settings menu and apps menu and try to shut down everything that is running?
As far as I understand it, the script is running on the phone and so the speed of your computer should have no impact on the speed. I know this because if you disconnect the phone from your computer then it will continue to run on the phone. (don't do this BTW..)

If I were you I would just let it run for as long as possible and then if you want to use the phone just make a note of what number it tried last and put it into the script in place of the "000000" to resume later.

Also, if this is a phone that you have working on a current, valid Sprint account and you are the account holder then you can simply call customer service and ask for the MSL and they will tell you. I have done this with other phones before and it wasn't a problem at all.
 

ezeuba

New member
Apr 22, 2013
First things first. Thanks a million for this. Is there any way to really make the script stop when it finds the MSL? The first time I tried it it didn't stop and I woke in the middle of the night to see the service menu but the script was still running on the computer. I'm doing it all over again and it's keeping me at the computer all day. Any way to modify the script to make sure it does stop when it finds the MSL?
 

garbb

Well-known member
Nov 26, 2011
What the script is trying to do is input a guess for the MSL and then look at the logcat log from the phone for "CDMA_SUCCESS" which would indicate that the correct MSL has been input and then it will stop.
The problem is that what will appear in the log for a correct MSL is different for every phone...

So try this:
Before you install the script, get to a shell with adb and run "logcat -c" to clear the log. Then go to the dialer on your phone and type in a random 6 digit MSL (##xxxxxx#). Then run "logcat -d" to dump everything in the log since you cleared it.
Hopefully you will see something in the log that indicates that the MSL was not correct, for example for my current phone I see "I/MSL_Service( 1567): not msl and otksl : 963250" where 963250 was the MSL I input that was incorrect.

Now use the following script instead, which is the same as the original one I posted except that instead of checking for something in the log to know that the correct MSL was entered, it will check that something is NOT in the log (the message that you get when inputting an incorrect MSL).

Code:
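if ./busybox [ -t 0 ]; then ./busybox stty -echo -icanon time 0 min 0; fi  # on a terminal: make "read" non-blocking
keypress=''
for i in $(./busybox seq -w 360114 999999)
do
	echo "##$i#"
	logcat -c
	input text "##$i#"
	# give the log a moment to catch up before dumping it
	sleep 0.1
	d="$(logcat -d)"
	# e stays empty when the "incorrect MSL" message is absent from the log
	e="$(echo "$d" | ./busybox grep 'not msl')"
	# stop if a key was typed in the console
	read keypress
	if ./busybox [ "x$keypress" != "x" ]; then exit 1; fi
	# no rejection message found: treat the guess as accepted, record it and stop
	if ./busybox [ "$e" = "" ] ; then
		echo "$d"
		echo "success?"
		echo "$i" > done.txt
		echo "$d" >> done.txt
		exit 0
	fi
done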

This is for my phone. Since I see the text "not msl" in my logcat when I input an incorrect MSL, I put 'not msl' into the line starting with e=
You will need to see what you get in your logcat upon entering an incorrect MSL and put that into the script before you run it.
For me this will occasionally generate a false-positive (I think because it can't get the log fast enough after inputting a number), so I put the "sleep 0.1" in there to give it a bit more time and reduce the chances of this happening. You may need to adjust this delay if you are getting false-positives, but of course the greater the delay, the longer it will take to find the MSL.
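
Seen from the monitoring side, the rejected-code log line quoted in the post above is enough to tell a guessing run apart from a couple of mistyped codes. The following is an added example, not code from the thread: it assumes the log was captured with `logcat -v time`, and the function names, the 60-second window and the threshold of 5 are illustrative choices.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample in `logcat -v time` layout. The message text follows the
# rejected-code line quoted in the thread; timestamps and codes are made up.
SAMPLE_LOG = """\
03-11 01:58:02.100 I/MSL_Service( 1567): not msl and otksl : 963250
03-11 02:03:40.512 I/MSL_Service( 1567): not msl and otksl : 963520
03-11 02:10:00.120 I/MSL_Service( 1567): not msl and otksl : 153000
03-11 02:10:00.790 I/MSL_Service( 1567): not msl and otksl : 153001
03-11 02:10:01.455 D/dalvikvm( 1567): GC_CONCURRENT freed 412K
03-11 02:10:01.480 I/MSL_Service( 1567): not msl and otksl : 153002
03-11 02:10:02.130 I/MSL_Service( 1567): not msl and otksl : 153003
03-11 02:10:02.801 I/MSL_Service( 1567): not msl and otksl : 153004
03-11 02:10:03.470 I/MSL_Service( 1567): not msl and otksl : 153005
"""

REJECTED = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) \w/MSL_Service\(\s*\d+\): "
                      r"not msl and otksl : (\d{6})\s*$")

def rejected_codes(log_text):
    """Yield (timestamp, code) for every rejected service-code entry."""
    for line in log_text.splitlines():
        m = REJECTED.match(line)
        if m:
            # logcat prints no year; 2000 is assumed so that 02-29 still parses.
            ts = datetime.strptime("2000-" + m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group(2)

def detect_guessing(log_text, window=timedelta(seconds=60), threshold=5):
    """Return bursts in which >= threshold distinct codes were rejected within window."""
    recent, bursts, current = deque(), [], None
    for ts, code in rejected_codes(log_text):
        recent.append((ts, code))
        while ts - recent[0][0] > window:      # drop attempts older than the window
            recent.popleft()
        distinct = {c for _, c in recent}
        if len(distinct) < threshold:
            current = None                     # occasional mistypes never open a burst
        elif current is None:
            current = {"start": recent[0][0], "end": ts, "codes": set(distinct)}
            bursts.append(current)
        else:
            current["end"] = ts
            current["codes"].add(code)
    return bursts

if __name__ == "__main__":
    for b in detect_guessing(SAMPLE_LOG):
        print(b["start"].time(), b["end"].time(), len(b["codes"]), "distinct codes rejected")
```

On the constructed sample, the two isolated wrong entries are ignored and the run of sequential codes is reported as a single burst.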