GSM Tech

Dr. H. Nikolaus Schaller hns at
Sat Dec 15 18:50:48 CET 2007

On 15.12.2007 at 16:28, Joe Pfeiffer wrote:

> Steve writes:
>> I'd agree with the statement about the AT commands, but I do think it's
>> probably possible to get unintended functionality out of the GSM modem
>> without resorting to decapping the chip.  After all that is exactly what
>> the unlockers are doing.
>> The unlockers are probably a major reason why TI is so paranoid about
>> the workings of their chipset since that is where the SIM and provider
>> locks are usually implemented.  I wish I could give you more information
>> about the techniques they use, but I don't know what they are.  It would
>> be interesting to find out, but FIC may not appreciate the discussion on
>> their mailing list either.
> I hadn't thought of that -- now I do find myself wondering where and
> how the locks are really implemented....

If you look here (which is an official T-Mobile page in German):,11547,17655-_,00.html?WT.srch=1

it is described as follows:

1. you purchase an unlock code within 24 months or get it for free.

2. how the unlock code is operated depends on the device model, i.e.
they have a set of different PDF files describing it.

3. for example on a Siemens phone, you switch on the device without
the SIM card and type in the unlocking code. Then, you switch off
and can install an arbitrary SIM card since it is unlocked.

So, what can we deduce from it?

* There is no "timer" for the 24 months
* The code might be individual for each IMEI (Mobile Equipment Identifier), i.e. your specific device.
* It is NOT stored on the SIM. So, the phone is locked for a specific  
* It is NOT stored in the Network (Home Location Register)
* So, the only remaining location can be the EEPROM/Flash of the GSM  

Basically it is the same as a login on a computer. There is a user
name (IMEI) and a password (IMSI). Passwords are stored in encrypted
form somewhere in the internals of the operating system (/etc/passwd).
And there is a second password which can be used to enable "guest"
login, i.e. remove the standard password.

Unlocking a module could therefore be securely provided by an AT
command where the user must provide an unlocking code that the
network operator has issued.

Now, if it is stored in the module, the module's hard- and software
must make sure that it can be unlocked only by providing the correct
code through AT commands and that there is nothing like directly
writing to memory etc. Well, if the software of the module were open
source, they simply cannot assure this.
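
The check described in the message above, where the module compares an operator-issued code against a value held in its own EEPROM/flash, can be modelled as follows. This is an added sketch, not code from the post or from any modem firmware; the record layout, the PBKDF2 verifier, the retry limit, the sample IMEI and code, and all names are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_ATTEMPTS = 5         # assumed retry limit (not stated in the post)
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored verifier


def _derive(imei: str, code: str, salt: bytes) -> bytes:
    # Mix the IMEI into the salt so the verifier is bound to one device,
    # matching the post's guess that the code is individual per IMEI.
    return hashlib.pbkdf2_hmac("sha256", code.encode(),
                               salt + imei.encode(), PBKDF2_ROUNDS)


@dataclass
class LockRecord:
    """Hypothetical lock state as it would sit in the module's flash."""
    imei: str
    salt: bytes
    verifier: bytes  # derived value only; the code itself is never stored
    locked: bool = True
    attempts_left: int = MAX_ATTEMPTS


def provision(imei: str, unlock_code: str) -> LockRecord:
    """Operator side: create the record written to the device."""
    salt = os.urandom(16)
    return LockRecord(imei, salt, _derive(imei, unlock_code, salt))


def try_unlock(rec: LockRecord, code: str) -> str:
    """The single path allowed to clear the lock (the AT-command handler)."""
    if not rec.locked:
        return "already unlocked"
    if rec.attempts_left == 0:
        return "blocked"
    # Spend the attempt before comparing, so an interrupted check still counts.
    rec.attempts_left -= 1
    candidate = _derive(rec.imei, code, rec.salt)
    if hmac.compare_digest(candidate, rec.verifier):  # constant-time compare
        rec.locked = False
        return "unlocked"
    return "blocked" if rec.attempts_left == 0 else "wrong code"


if __name__ == "__main__":
    rec = provision("490154203237518", "12345678")  # constructed sample values
    print(try_unlock(rec, "00000000"), try_unlock(rec, "12345678"))
```

The scheme only holds if `try_unlock` is the sole way to change `locked`, which is the requirement the last paragraph of the message places on the module's hardware and software.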
