mimisiwewe
Leecher
ZLT X17U — Full Technical Summary
Hardware
| Component | Detail |
|---|---|
| ODU SoC | Unisoc UIS8520 (yocto_v620) |
| Architecture | ARM64 |
| Modem | Integrated Unisoc, 5G NSA capable |
| Flash | NAND, single UBI partition (ubipac, ~500MB) |
| RAM | 512MB DDR |
Firmware & Boot Chain
Bootloader: unisoc-tiny-distro-uboot22
Kernel: Linux (ARM64), cmdline-configured
Rootfs: squashfs, mounted read-only via dm-verity (/dev/dm-0)
Verity mode: restart_on_corruption — hash mismatch triggers immediate reboot
FEC: enabled (fec_roots 2) — additional corruption detection layer
Root hash: 7127d7387c1ddd3b402b16a80a0ae6f38b37d493855000965ee9eb9bab73c642 (hardcoded in bootloader cmdline, immutable without signing key)
UBI Volume Map
Filesystem Layout
| Mount point | Filesystem and options | Notes |
|---|---|---|
| / | squashfs, ro, verity-enforced | |
| /var | overlayfs → backed by /mnt/userdata/var | persistent |
| /home | overlayfs → backed by /mnt/userdata/home | persistent |
| /mnt/data | overlayfs → backed by /mnt/userdata/data | persistent |
| /lcm | ubifs, rw, noexec | persistent, tool anchor |
| /mnt/user_config | ubifs, rw, noexec | persistent, script anchor |
| /log_data | ubifs, rw, noexec | persistent, exfil path |
| /productinfo | ubifs, rw, noexec | persistent |
PLMN Lock — Root Cause & Bypass
What the lock is
Not a modem NCK/SIM lock. A userspace dial-guard in /usr/bin/dialer (Unisoc yocto_v620 connection manager). The modem itself is fully unlocked — dialer is the gatekeeper.
Architecture
dialer runs under inittab with respawn — init auto-restarts on exit
SYS_LOCK_OPERATOR_SW="0" in main_config — software flag already disabled, or not, depending on the operator lock implementation; anyway, whether "0" or "1", it does nothing
Root cause: hardcoded IMSI prefix allowlist at binary offset 332848, evaluated by a separate code path that ignores the SW flag entirely
Mismatch → "Enter Operator Lock State" → connection shutdown
Bypass method
Binary patch at offset 332848 — expand allowlist to include target MNCs. Zeroing the list blocks all operators including allowlisted ones.
Key rule
Never manually start dialer — always let inittab own respawn. Manual start causes double-instance. shell.sh only manages the bind mount and issues one killall to trigger a clean respawn onto the patched binary.
NV Write Primitive
ubiupdatevol works on all non-verity UBI volumes
Verity only covers ubi0_system. All NV volumes (nr_downloadnv, nr_deltanv, etc.) are unprotected and writable. Useful for modem-level band config, APN defaults, and PHY calibration — not for PLMN lock (which is userspace).
What Doesn't Work
unisoc-tiny-distro-uboot22 uis8520-1h31-nand+unisoc-tiny-2.0+W26.05.2-18.03.17+user+native uis8520-1h31-nand
```
~ # cat /proc/mtd
dev: size erasesize name
mtd0: 00080000 00020000 "splloader"
mtd1: 00140000 00020000 "gm_firmware"
mtd2: 00300000 00020000 "uboot"
mtd3: 000c0000 00020000 "sml"
mtd4: 00200000 00020000 "trustos"
mtd5: 000c0000 00020000 "teecfg"
mtd6: 00300000 00020000 "ubootbak"
mtd7: 000c0000 00020000 "smlbak"
mtd8: 00200000 00020000 "trustosbak"
mtd9: 000c0000 00020000 "teecfgbak"
mtd10: 000c0000 00020000 "sysdump"
mtd11: 00040000 00020000 "dumpstatus"
mtd12: 1f040000 00020000 "ubipac"
~ #
~ # cat /sys/class/ubi/ubi0/*/name
userconfig
userconfig_bak
misc
misc_bak
uboot_log
calinv
nr_factorynv
nr_runtimenv1
nr_runtimenv2
nr_downloadnv
nr_modem
nr_deltanv
productinfo
nr_phy
l_agdsp
pm_sys
boot
system
sysdumpdb
userdata
log_data
lcm_data
productinfo_bak
wificalibration
wificalibration_bak
prodnv
miscdata
miscdata_bak
recovery
~ #
~ #
```
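A defender-side check for the gap the post relies on: dm-verity protects the blocks of the system volume, but a mount placed over a path such as /usr/bin/dialer changes what actually executes without touching the verified image. This is an added example, not part of the original post; the protected directory list, the sample mountinfo lines and the volume name `example_vol` are constructed assumptions.

```shell
#!/bin/sh
# Added example: list mounts that shadow paths which should only be served
# by the dm-verity-backed root filesystem.

# Directories expected to come only from the verified squashfs root (assumption).
PROTECTED_DIRS="/usr /bin /sbin /lib /etc"

# Reads mountinfo-format text on stdin and prints
# "<mountpoint> <fstype> <source> <root-within-fs>" for every mount that sits
# on or below a protected directory.
find_shadow_mounts() {
    awk -v dirs="$PROTECTED_DIRS" '
    BEGIN { n = split(dirs, d, " ") }
    {
        mp = $5; root = $4
        # Optional fields end at the "-" separator; fstype and source follow it.
        for (i = 7; i <= NF; i++) if ($i == "-") break
        fstype = $(i + 1); src = $(i + 2)
        for (k = 1; k <= n; k++) {
            if (mp == d[k] || index(mp, d[k] "/") == 1) {
                print mp, fstype, src, root
                break
            }
        }
    }'
}

# Constructed sample in /proc/self/mountinfo format: a verity root, two
# ordinary persistent mounts, and one file mounted over a system binary.
sample_mountinfo() {
    cat <<'EOF'
20 1 253:0 / / ro,relatime - squashfs /dev/dm-0 ro
21 20 0:18 / /var rw,relatime - overlay overlay rw,upperdir=/mnt/userdata/var
22 20 0:25 / /mnt/user_config rw,noexec,relatime - ubifs ubi0:userconfig rw
23 20 0:26 /dialer /usr/bin/dialer rw,relatime - ubifs ubi0:example_vol rw
EOF
}

# With --live, inspect the running system; otherwise show the sample result.
if [ "${1:-}" = "--live" ]; then
    find_shadow_mounts < /proc/self/mountinfo
else
    sample_mountinfo | find_shadow_mounts
fi
```

On the layout listed in the post, no mount is expected under these directories, so any output line is worth investigating.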