XDA Manipulator

The XDA Manipulator was developed by the XDA Developers and can be found at this location. The tool offers the possibility to change the IMEI, clear the call logs and remove the network lock from an XDA device. By connecting the XDA with a serial cable to a PC and running the above tool, these modifications can be achieved.

The reason these modifications can be made lies in the architecture of the device itself. The Pocket PC Phone Edition consists basically of two separate CPUs and operating systems. One is the StrongARM running Windows CE; the other is a combination of an ARM core and a DSP that runs a dedicated OS with the GSM stack. The two CPUs communicate through a serial port. When Windows CE is running, this port is claimed by a driver, but in bootloader mode the port is directly accessible. By booting into the bootloader (pressing the power button while resetting with the stylus) and then giving the command dualser, the external serial port is connected straight through to the GSM serial port. From a PC it is now possible to issue AT commands.

Research of the GSM ROM image showed that several commands are available, which are not part of the normal GSM command set. To name a few: AT%UREG, AT%SIDLCK, AT%SIDCNT etc. Further research showed that the information on IMEI, network provider lock and call logs is readily available in the flash ROM of the device. With a command like AT%UREG it is possible to directly read these memory locations. For example a simple command like AT%UREG?3FE00C,4 will show the code that is needed to unlock the device. Entering this code directly when the device asks for it will clear the lock.

The examples above show that the security of a device is severely compromised when device manufacturers leave debug information or commands in a production device. They also show that simply putting a check on an input field, without additional effort such as encryption of the stored secret, results in a protection that can be circumvented trivially.
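The design flaw the last paragraph describes, an unlock code stored as-is in flash and compared directly against user input, is illustrated below with a constructed model. This is an added example, not code from the XDA Developers tool or from the device firmware: `PlaintextLockedDevice` models the design the page criticises, `HashedLockedDevice` the hardened alternative in which flash holds only a salted, iterated hash, and `leaks_code` models what a raw memory read (the AT%UREG-style dump) reveals. The code value and the class, function and parameter names are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample value; not a real unlock code from any device.
SAMPLE_CODE = "12345678"


class PlaintextLockedDevice:
    """Design the page describes: the unlock code sits in flash verbatim.
    Whoever can read that memory region learns the code directly."""

    def __init__(self, code: str) -> None:
        self.flash = code.encode()  # what a memory read returns

    def unlock(self, attempt: str) -> bool:
        # A bare equality check against the stored plaintext.
        return attempt.encode() == self.flash


class HashedLockedDevice:
    """Hardened variant (assumed design): flash holds a random salt and a
    PBKDF2-SHA256 digest of the code, never the code itself."""

    def __init__(self, code: str, iterations: int = 100_000) -> None:
        self.salt = os.urandom(16)
        self.iterations = iterations
        digest = hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, iterations)
        self.flash = self.salt + digest  # what a memory read returns

    def unlock(self, attempt: str) -> bool:
        digest = hashlib.pbkdf2_hmac(
            "sha256", attempt.encode(), self.salt, self.iterations
        )
        # Constant-time comparison so the check itself leaks nothing via timing.
        return hmac.compare_digest(digest, self.flash[len(self.salt):])


def dump_flash(device) -> bytes:
    """Models a raw read of the region holding the lock data."""
    return device.flash


def leaks_code(device, code: str) -> bool:
    """True if the code can be lifted straight out of a memory dump."""
    return code.encode() in dump_flash(device)


if __name__ == "__main__":
    plain = PlaintextLockedDevice(SAMPLE_CODE)
    hashed = HashedLockedDevice(SAMPLE_CODE)
    print("plaintext design leaks code:", leaks_code(plain, SAMPLE_CODE))   # True
    print("hashed design leaks code:   ", leaks_code(hashed, SAMPLE_CODE))  # False
    print("hashed design still unlocks:", hashed.unlock(SAMPLE_CODE))      # True
```

Two caveats belong with this. A hash only removes the direct read-out; a short numeric code is still exposed to an offline guessing attack once the salt and digest are dumped, so a stronger design keeps the secret out of readable flash altogether or puts the check behind a rate-limited, protected component. And none of this matters while a debug command that reads arbitrary flash is left in the production ROM, which is the root problem the page identifies.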