Unlock Telstra’s Huawei Y5 (Y560)

Published on May 29th, 2017
by Dylanger Daly

Hey Guys,

I recently picked up a locked Huawei Y5 from K-Mart for about $80 AUD.

This device runs a Qualcomm Snapdragon 210 and is locked to Telstra by default; it shows the following screen when a non-accepted SIM is inserted:


Unlock me maybe?

First download TWRP here.
In order to unlock this device you'll need to unlock the bootloader. To do so, go into Settings, enable Development Settings, allow 'OEM Unlocking' and also enable ADB; your settings should look like the following:

Once that is done, run the command adb reboot bootloader.

That will boot the device into fastboot mode. From there, unlock the bootloader and boot TWRP:

[user@sys-usb ~]$ fastboot oem unlock
[user@sys-usb ~]$ fastboot oem device-info
...
(bootloader) Device tampered: false
(bootloader) Device unlocked: true
(bootloader) Charger screen enabled: true
(bootloader) Display panel:
OKAY [ 0.009s]
finished. total time: 0.009s
[user@sys-usb ~]$ fastboot boot recovery-twrp3021-y560.img
downloading 'boot.img'...
OKAY [ 0.383s]
booting...
OKAY [ 0.085s]
finished. total time: 0.468s
[user@sys-usb ~]$

Once we're in TWRP, we'll need to mount the persist partition at /persist:


[user@sys-usb ~]$ adb shell
~ # mkdir persist
~ # mount /dev/block/bootdevice/by-name/persist /persist
~ # cd /persist/
/persist # ls -la
__bionic_open_tzdata: couldn't find any tzdata when looking for localtime!
__bionic_open_tzdata: couldn't find any tzdata when looking for GMT!
__bionic_open_tzdata: couldn't find any tzdata when looking for posixrules!
drwxrwx--x 9 system system 4096 May 29 07:48 .
drwxr-xr-x 22 root root 0 May 29 07:59 ..
-rw-rw-r-- 1 system system 12234 Jan 1 1970 .auto_test_log.bin
-rw------- 1 bluetoot bluetoot 9 Jan 1 1970 .bt_nv.bin
-rwxrwxrwx 1 system system 18 May 29 07:48 .simlock-retry.bin
-rw-rw-r-- 1 system system 128 Jan 1 1970 .sn.bin
-rw------- 1 root root 0 Jan 1 1970 .test_gps_flag.bin
-rw-rw-r-- 1 root root 1 Jan 1 1970 AUDIO.FLG
-rw------- 1 root root 0 Jan 1 1970 PCBA.FLG
-rw------- 1 system system 0 Jan 1 1970 PHONE.FLG
-rw------- 1 system system 0 Jan 1 1970 PHONEMMI1.FLG
-rw------- 1 system system 3 Jan 1 1970 RUNIN.FLG
-rw-r--r-- 1 root root 10419 Sep 6 2015 WCNSS_wlan_dictionary.dat
-rw------- 1 system system 14 Jan 1 1970 acc_avg
drwx------ 4 system system 4096 Jan 1 1970 data
drwxrwx--- 2 system graphics 4096 Jan 1 1970 display
drwxrwx--- 2 system system 4096 Jan 1 1970 drm
drwxrwx--- 3 3012 3013 4096 Jan 1 1970 hlos_rfs
-rwx------ 1 root root 1 Jan 1 1970 log_flag
drwx------ 2 root root 4096 Jan 1 1970 lost+found
-rw------- 1 system system 3 Jan 1 1970 prox_avg
drwx------ 6 3012 3012 4096 Jan 1 1970 rfs
drwxrwx--- 2 system system 4096 Jan 1 1970 sensors
-rw-rw---- 1 system system 1 Jan 1 1970 serialno
-rw-rw---- 1 root sdcard_r 218 May 29 07:48 simlock-conf.xml
-rw-r--r-- 1 root root 24 Jan 1 1970 wlan_mac.bin

The main file to note here is simlock-conf.xml.

Catting it shows the following:

Looking at the ns tag, we can see 50501 followed by two other digits. This is the MCC and MNC for Telstra, Australia: 505 is Australia's MCC and 01 is Telstra's MNC.

In order to unlock this device, all that's required is setting ns to 505; this will allow ANY Australian SIM. The resulting change should look like the following:

You can also download the unlocked simlock-conf.xml here.
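To make the prefix semantics concrete, here is an added Python model (my own illustration, not the author's code and not hwdiag's actual logic) of how a stored MCC/MNC value such as 50501 or 505 gates a SIM's IMSI. The XML layout around the ns tag and the sample IMSIs are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the persist file. Only the <ns> tag name comes from
# the post; the surrounding layout is an assumption, not the real file format.
LOCKED_XML = "<simlock><ns>50501</ns></simlock>"
UNLOCKED_AU_XML = "<simlock><ns>505</ns></simlock>"

# Constructed sample IMSIs (MCC + MNC + subscriber digits). 505 is Australia's
# MCC and 01 is Telstra's MNC; the other MNC and the 310 (USA) IMSI are purely
# illustrative values.
IMSI_TELSTRA = "505012345678901"
IMSI_OTHER_AU = "505029876543210"
IMSI_NON_AU = "310150123456789"


def read_network_prefix(xml_text: str) -> str:
    """Return the value of the <ns> tag, requiring at least a 3-digit MCC."""
    ns = ET.fromstring(xml_text).findtext("ns")
    if ns is None or not re.fullmatch(r"\d{3,15}", ns):
        raise ValueError(f"malformed network prefix: {ns!r}")
    return ns


def sim_accepted(imsi: str, prefix: str) -> bool:
    """A SIM is accepted when its IMSI starts with the stored prefix.

    A 5-digit prefix (MCC+MNC) pins one carrier; a 3-digit prefix (MCC only)
    admits every carrier in that country, which is why 505 admits all of AU.
    """
    if not re.fullmatch(r"\d{15}", imsi):
        raise ValueError(f"malformed IMSI: {imsi!r}")
    return imsi.startswith(prefix)


def lock_report(xml_text: str) -> dict:
    """Evaluate the three sample SIMs against one config for comparison."""
    prefix = read_network_prefix(xml_text)
    return {
        "prefix": prefix,
        "telstra": sim_accepted(IMSI_TELSTRA, prefix),
        "other_au": sim_accepted(IMSI_OTHER_AU, prefix),
        "non_au": sim_accepted(IMSI_NON_AU, prefix),
    }


if __name__ == "__main__":
    print("locked:  ", lock_report(LOCKED_XML))
    print("unlocked:", lock_report(UNLOCKED_AU_XML))
```

The point for anyone designing such a lock: the decision hinges on a plaintext value in a partition that becomes writable as soon as the bootloader is unlocked, so the check is only ever as strong as the bootloader lock in front of it.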

Next, upload the new xml file to /sdcard, remove the old xml, then move the new one from /sdcard to /persist.

Once the device has been rebooted:

Enjoy any provider you want!

Nitty-Gritty

The process that parses this xml is called hwdiag; it lives at /system/bin/hwdiag and is launched by init on boot:

There are some really odd paths that it checks, like /persist/.unlocked.bin and /data/Yepflag:

You can see it writes 80 bytes into the buffer passed into this function; /data/Yepflag is then simply checked to see whether it exists:

In the next few posts we’ll be diving into hwdiag to see what else it does!

Cheers Guys!

Dylanger Daly

If it's Security, I'm there. I mainly work in the Security Research Field, most of my focus is Mobile Security, anything from the hardware to TrustZone to the Modem. Bypassing checks one NOP at a time.
