Aerix V0.99 - Unlocking Sony Ericsson 2

We discovered that SEMC’s loader (version 3.2.4.5) has a during GDFS write operations. By sending a malformed WRITE_GDFS command with a specific nonce (derived from the phone’s internal RSA modulus), the loader jumps to an insecure RAM routine instead of aborting.

We release this not for profit, but for preservation. Thousands of these phones still exist in drawers around the world. Give them a second life.

We reverse-engineered the remaining Sony Ericsson security protocols by analyzing original SEMC service firmwares and brute-forcing the last obfuscated SIM-lock routines. "Phase 2" in our roadmap refers to full factory SIM unlock + bootloader patch without testpoint damage.