Saturday, July 11, 2009

Unlocking LG Phones with the EGold chipset

Recently I bought a dirt-cheap LG phone which had a netlock. After some poking around, I've stumbled across its firmware which I was able to disassemble, so I've written a small script that reads out the netlock code required for unlocking the phone. The phone is interfaced via RS232 which operates at TTL levels: a max232, pl2303 or an equivalent chip should do the job. There are usually soldering points for RXD, TXD and GND on the logic board. Most phones also have pins with these signals at their connector.

The script can save the contents of the flashrom and the so-called "eeprom" (which is just a section of the flashrom containing all the juicy bits) to a file. I've tested it on an LG GB102 and a LG KP100 - it should also work for most other Egold Lite based phones, possibly even from other vendors.
The script has been released under GPL - I wonder how many idiots will ignore this. Anyway, here it is: 
As always, it's a python script that operates on the command line interface. For unlocking your phone, do the following things:
  1. Connect TxD, RxD and GND from your serial port interface to the serial port of your cell phone. Keep in mind that you need TTL levels, so you must not use the regular RS232 port of your PC! On your cell phone, there are usually test points where the cable can be directly soldered onto. The battery still has to fit onto the device once your cable has been soldered on. Also, the total length of the cables between the convert chip and the cell phone has to be as short as possible! Alternatively, you can just use a flasher cable (KE500 type for the GB102, KG800 for the KP100).
  2. Install Python 2.6.x, then pywin32, and then pyserial.
  3. Copy the script to a folder on your hard drive.  
  4. Two additional files are required: boot-1st-stage.bin and boot-2nd-stage.bin. I can't distribute them for obvious legal reasons, so you have to find them elsewhere. The sha1 sum of both files is checked during the initialization of the script.
  5. Open a command shell and navigate to that folder.
  6. Start the script with the parameter specifying the port of your serial interface, e.g. --port COM4 -e
  7. Press the 'ON' button of your cell phone. You'll receive the unlock code and instructions how to use it from the script.