XDA Developers Android and Mobile Development Forum

[HOW-TO] Bit-flip (nv_data.bin) unlock for the SGH-I927(R), keeps the IMEI valid!

Darkshado (OP), post #1 (Last edited by Darkshado; 21st August 2013 at 07:42 AM.)

Update: To work with the AT&T ICS ROM, this method requires installing a modified libsec-ril file. You do not need to bother with the MD5 checksums since they aren't output by this ROM and are bypassed altogether thanks to Phoenix84188's work.

Update 2: I made an update zip to easily apply Phoenix84188's modified libsec-ril file. It may also be worth mentioning that spocky12's GalaxSim Unlock works on this phone too.

Hello,

I was trying to figure out a way to unlock the phone while keeping my IMEI.

I tried tinkering with the CSC files and factory resets on stock recovery to reapply same. No luck, although I might have been able to relock it to another network, didn't bother testing. (Fixing these files also eliminates any re-locking possibilities on factory reset.)

After some research on other methods and programs for the SGS I, II and III, I managed to pull it off. There are some slight variations across models, but I got the right mix for this one. I've since called, texted and used cellular data with my Virgin Mobile Canada SIM, and it also took my T-Mobile USA SIM without complaint and roamed on Rogers. My ex-girlfriend's now using it on Telus. Multiple confirmed unlocks from various parts of the world in this thread as well.

Requirements
  • Working ADB installation
  • Hex editor
  • Root (could also be done with CWM on an unrooted ROM.)

Instructions
  1. Backup the /efs partition (ideally with a tar archive as it preserves ownership and permissions information)
  2. Open nv_data.bin in a hex editor. (Frhed is one open-source option.)
  3. In the hex editor, go to offset 0x181469. An offset is a byte's position in a file; it can be given in either decimal or hexadecimal format. (The 0x notation is for hexadecimal values.)
  4. On the hex side, change that value from 01 to 00 (To be technical I could have written 0x01 to 0x00)
  5. Using the hex editor's search capabilities, look for the string "302720" (Rogers) or an appropriate AT&T MNC/MCC combination (try "310410" or "310380") as applicable.
  6. This should bring you to a series of MNC/MCC pairs. (Which should match those found in your original CSC customer.xml file.) For information, the strings in my file started from offset 0x180069 and read: 30272030237030272#30237#00101#99999#99999000101000 1012
  7. Overwrite the strings by changing them to xFF (ASCII non-breaking space.)
  8. From the command prompt, push the modified nv_data.bin into place. On the stock, secure kernel:

    Code:
    C:\(Whatever your path is)>adb push nv_data.bin /sdcard/
    C:\(...)>adb shell
    $ su (check for a possible superuser prompt on the phone itself)
    # cp /sdcard/nv_data.bin /efs/nv_data.bin
    # chown radio.radio /efs/nv_data.bin
    # reboot
  9. Once the phone has finished rebooting, from the command prompt:
    Code:
    C:\>adb shell
    $ su
    # cat /efs/nv.log
  10. The log should spit out a pair of error messages like this:
    Code:
    Wed Aug 29 10:45:04 2012: MD5 fail. orignal md5 '9e1e52346ec8bc3ea07988c967dab04c' computed md5 'd931816e4be7d60a3e41f6fddc27e2e4' (rild)
    Wed Aug 29 10:45:05 2012: backup NV restored.
  11. Copy the freshly computed, lightly salted (i.e. not reproducible otherwise), md5 hash from the command prompt window. (Remember that you can use the mouse to select and copy)
  12. Open nv_data.bin.md5 in a hex (or text) editor and paste it over the old one.
  13. ADB push both the previously modified nv_data.bin and nv_data.bin.md5 back to /efs/ and don't forget to chown them both again.

    Code:
    C:\(...)>adb push nv_data.bin /sdcard/
    C:\(...)>adb push nv_data.bin.md5 /sdcard/
    C:\(...)>adb shell
    $ su
    # cp /sdcard/nv_data.bin /efs/nv_data.bin
    # cp /sdcard/nv_data.bin.md5 /efs/nv_data.bin.md5
    # chown radio.radio /efs/nv_data.bin
    # chown radio.radio /efs/nv_data.bin.md5
  14. Reboot (although on second thought, shutting down, inserting a foreign SIM and turning the phone back on should work)
  15. Done! Confirm the unlock works with a "foreign" SIM, and for bonus points edit the CSC customer.xml file, setting the <NbNetworkLock> property to 0 and deleting the networks listed immediately below. You could also remove the leftover modified files on the SD card, from ADB shell:
    Code:
    $ rm /sdcard/nv_data.bin
    $ rm /sdcard/nv_data.bin.md5

If you're having a hard time with this guide, please stick to public threads where more people can help you instead of PM-ing me. Thanks.

Goodbye,

Darkshado
Attached Files: libsec-ril_mod_UCLJ3.zip (668.3 KB)
My phones: Galaxy Note II SGH-T889V (with LTE enabled / ext4 SD card support on TouchWiz ROMs), Motorola XT-1045 Moto G LTE (TWRP)
Previous phones: Nexus S GT-I9020A, Galaxy Gio GT-S5660M (Arpeggiomod ROM / Discussion, stock rooted ROM), Motorola XT-1032 Moto G.
Phones for which I play "tech support" for family and friends: Galaxy Nexus GT-I9250, Galaxy Q SGH-T589R, Galaxy 551 GT-I5510M, LG C-800G Eclypse, Motorola XT-1032 Moto G
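Before pushing the edited file (step 8), it is worth confirming that the hex edit changed nothing except the two regions the guide names: the lock byte at 0x181469 and the MNC/MCC strings starting at 0x180069. Any other changed byte means the edit went astray and the file should not be pushed, since a corrupted nv_data.bin is how the IMEI and other EFS data get damaged. The script below is an added example, not part of the original post or of any Samsung tool; the 2 MiB image size, the 64-byte window for the string block and the sample contents are constructed assumptions.

```python
# Added check (not from the original post): compare the original and edited
# nv_data.bin images and confirm only the guide's two regions differ.
LOCK_FLAG_OFFSET = 0x181469   # lock byte named in step 3
PLMN_LIST_OFFSET = 0x180069   # start of the MNC/MCC strings named in step 6
PLMN_LIST_WINDOW = 64         # assumption: upper bound on that string block's length


def diff_ranges(orig: bytes, mod: bytes):
    """Return half-open (start, end) ranges where the two images differ."""
    if len(orig) != len(mod):
        raise ValueError("edited file changed size; nv_data.bin must keep its length")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(orig, mod)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(orig)))
    return ranges


def check_unlock_edit(orig: bytes, mod: bytes):
    """Classify every changed range; returns (all_expected, report_lines)."""
    ok, report = True, []
    for s, e in diff_ranges(orig, mod):
        if (s, e) == (LOCK_FLAG_OFFSET, LOCK_FLAG_OFFSET + 1) and (orig[s], mod[s]) == (0x01, 0x00):
            report.append(f"0x{s:06x}: lock flag 01 -> 00 (expected)")
        elif (PLMN_LIST_OFFSET <= s and e <= PLMN_LIST_OFFSET + PLMN_LIST_WINDOW
              and set(mod[s:e]) == {0xFF}):
            old = orig[s:e].decode("ascii", "replace")
            report.append(f"0x{s:06x}-0x{e:06x}: PLMN list {old!r} -> FF (expected)")
        else:
            ok = False
            report.append(f"0x{s:06x}-0x{e:06x}: UNEXPECTED change, do not push this file")
    return ok, report


def make_sample(stray_byte: bool = False):
    """Constructed 2 MiB stand-in image (size is an assumption), before and after the edit."""
    plmn = b"30272030237030272#30237#00101#99999#99999000101000"   # strings quoted in step 6
    buf = bytearray(0x200000)
    buf[PLMN_LIST_OFFSET:PLMN_LIST_OFFSET + len(plmn)] = plmn
    buf[LOCK_FLAG_OFFSET] = 0x01
    orig = bytes(buf)
    buf[LOCK_FLAG_OFFSET] = 0x00                                                # step 4
    buf[PLMN_LIST_OFFSET:PLMN_LIST_OFFSET + len(plmn)] = b"\xff" * len(plmn)  # step 7
    if stray_byte:
        buf[0x1000] ^= 0x01   # simulate an accidental keystroke elsewhere in the file
    return orig, bytes(buf)


if __name__ == "__main__":
    for line in check_unlock_edit(*make_sample())[1]:
        print(line)
```

On a real phone, pass the bytes of the /efs backup and of the edited copy in place of make_sample(); a report containing an UNEXPECTED line means restore from the tar backup and redo the edit.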
santimaster2000, post #2
Will try!!!

If this works, I can finally get rid of that piece of paper on my wallet with the Unlock Code for my phone XD
 
rovar
Old
#3  
rovar's Avatar
Senior Member
Thanks Meter 90
Posts: 394
Join Date: Apr 2012
Location: Cancun
I purchased an "unlocked" Glide from Amazon and have been using it with no problem here in Mexico. Do I have to worry about it locking at some point?

I flashed ICS / CWM and the backlight fix on it and so far so good
Darkshado (OP), post #4
Quote (Originally Posted by rovar):
I purchased an "unlocked" Glide from Amazon and have been using it with no problem here in Mexico. Do I have to worry about it locking at some point?

I flashed ICS / CWM and the backlight fix on it and so far so good
Going by my Ace and Gio experience, the following conditions have to be met for the phone to relock itself:
  • Native or no SIM card
  • Stock ROM with CSC files that contains network lock settings.
  • Stock Samsung recovery
  • Factory reset triggered, which makes the stock recovery reapply the CSC parameters.
rovar, post #5
Alright, thanks! Guess I'll stick to reflashing the ROM instead of doing a factory reset whenever there's a problem.
 
taiber2000
Old
#6  
Senior Member
Thanks Meter 31
Posts: 393
Join Date: Feb 2012
Is this method good for GB as well as ICS/JB?
 
Darkshado
Old
#7  
Darkshado's Avatar
Senior Member - OP
Thanks Meter 430
Posts: 958
Join Date: Apr 2011
Location: Montréal

 
DONATE TO ME
I've done it with the stock Rogers GB ROM.

With that said, if it doesn't work with the ICS leak, or with a custom ROM of some sort, you can always restore your original nv_data.bin and nv_data.bin.md5 files. You'll be back with a locked phone but no harm should be done.

IIRC, the RIL files are part of the proprietaries when used with a custom ROM anyway, so you should be good.
taiber2000, post #8
Thanks for the reply. It seems a bit tricky for me, but I will try to get it working when I get my phone (in about a week or so). By the way, is backing up the /efs partition done with CWMR?
 
Darkshado
Old
#9  
Darkshado's Avatar
Senior Member - OP
Thanks Meter 430
Posts: 958
Join Date: Apr 2011
Location: Montréal

 
DONATE TO ME
Either that or with a rooted phone. I suggest you make the backup as a tar archive, it'll keep the permissions.
clefru, post #10
Works like a charm. Running it unlocked since 24h on a foreign SIM without issues. Thank you so much!
(Running OsiMood 2.06.07 + Rogers kernel as posted on the rooting thread + SwissCom SIM card).
