XDA Developers Android and Mobile Development Forum

[HOWTO] GT-I9100 Free SIM Unlock via nv_data.bin by Odia

Odia (OP)
#1
(Last edited by Odia; 20th December 2011 at 02:30 PM.) Reason: added i9000 info

Free SIM Unlock for SGS2 by Odia. (ONLY for HW Version MP 1.200)

1. Root your phone.
2. Extract your nv_data.bin.
3. Look at the file with a hex editor and go to offset 0x181460 (UltraEdit, HxD, Hex Workshop etc.).
4. Take the hashes from 0x18146e (20 bytes), 0x18148e, 0x1814ae, 0x1814ce, 0x1814ee.
5. If the hash is 7D 3E 17 CF CD 81 6C AC D4 E0 25 FA A6 50 04 FD D1 7D 51 F8, ignore it, since that is 00000000.
6. Put the hash into the BF exe, for example:
ighashgpu.exe /h:EF63BF26E2382917D96850CCF9632458EE6E6C77 /t:sha1 /c:d /max:8 /min:8 /salt:0000000000000000
and wait for it to finish. Do that for each hash which is not zeros; the "Found password: [50681318]" is the code.
7. Put an unaccepted SIM card in the phone and, when it asks for the unlock code, enter them in order.
8. Job done, phone is now unlocked for free.

If you cannot find a block which looks like hashes @ 0x181460, then search for SSNV and add 5216, but from the files which I have seen the block appears to be fixed @ 0x181460.

If it will not accept the code which you believe to be correct, it means the attempts have been used up, so you need to use the MCK code to unfreeze your phone. Note it will not request the unfreeze code, it will just say network lock unsuccessful even if your code is valid. (MCK HASH is @ offset 0x180049)

Added an example for what you need to look for.


Mastercode

Dynamically located PERSO section, holds the mastercode (MCK / unfreeze). Search for PERSO and look for a hash; there can be multiple old sections. Added screendump with an example.
MCK HASH is also in the SSNV section @ offset 0x180049


Direct Offsets

GT-I9100
NET 0x18146e
SUB 0x18148e
SP  0x1814ae
CP  0x1814ce
MCK 0x180049

GT-I9000
NET 0x18154b
SUB 0x18155f
SP  0x181573
CP  0x181587
MCK 0x1815af


If this saved you a few quid, maybe you would like to buy me a beer

Attachment 602403

Attachment 602464

I could not have made this solution and proved my theory without the special help from pulser_g2 and Fall Guy.

I have been advised by pulser_g2 that Chainfire will make a software solution next week using this information.
(APK is here http://forum.xda-developers.com/show....php?t=1092451)
The Following 76 Users Say Thank You to Odia For This Useful Post.
 
nintendolinky
#2
I'm happy to test for you. Mine is locked, tried T-Mobile earlier today, and it required a code. I'm rooted so I can provide anything.
The Following 3 Users Say Thank You to nintendolinky For This Useful Post.
 
pulser_g2
#3
Quote:
Originally Posted by nintendolinky
I'm happy to test for you. Mine is locked, tried T-Mobile earlier today, and it required a code. I'm rooted so I can provide anything.
Grab that file from the device and pop me a PM. I presume you know how to get ADB up and running?


The Following 4 Users Say Thank You to pulser_g2 For This Useful Post.
 
pulser_g2
#4
OK. Sorta bad news. I can't see a way to retrieve the code itself from the file...

On another note, I DO notice that at address 0x181468, we see the semi-familiar pattern of FF 01 00 00 00 00 ...

On an unlocked phone, that was FF 00 00 00 00 00 (I checked earlier)

This fits in with the information at http://forum.xda-developers.com/showthread.php?t=761045, namely "Change any 0x01 to 0x00 (or 0x00 to 0x01 to lock for warranty)"

That suggests there is a possibility a free unlock could be gained by editing this file. But there would likely be consequences. As such I'm not going to recommend that, nor give instructions for it... If anyone chooses to, they do it 100% at their own risk, and should bear in mind that they NEED a backup of that and the corresponding md5sum first.

But I can't see an unlock code in plaintext

Anyway, that should be food for thought for someone who has a desire to mess about with their device. I won't be trying it for now, and I recommend you don't unless you know what to do to fix this, and are aware you are messing with stuff I don't know much about...

P


The Following User Says Thank You to pulser_g2 For This Useful Post.
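As an added example (not code from the thread or from any of its posters), the inspector below applies the OP's GT-I9100 offsets and the FF 01 / FF 00 flag byte pulser_g2 reports at 0x181468 to an nv_data.bin image, and lists which lock slots hold a digest other than the 00000000 sentinel. It assumes the SSNV marker sits at 0x180000 (which is what 0x181460 - 5216 implies), names the unnamed fifth slot SLOT5, and works on a constructed sample image rather than a real dump.

```python
"""Inventory the SIM-lock hash slots in a Samsung GT-I9100 nv_data.bin image.

Added example, not code from the thread. Offsets follow the OP's post; the FF 01 /
FF 00 flag byte is pulser_g2's unverified observation at 0x181468.
"""
SSNV_MAGIC = b"SSNV"
BLOCK_FROM_SSNV = 5216    # "search for SSNV and add 5216" (== 0x1460)
FIXED_BLOCK = 0x181460    # fallback: where the block sat in every file the OP examined
MCK_FROM_SSNV = 0x49      # MCK digest at 0x180049, i.e. 0x49 past a marker at 0x180000
FLAG_FROM_BLOCK = 0x09    # second byte of the FF 01 / FF 00 pattern (0x181469)
DIGEST_LEN = 20           # SHA-1 output
SLOTS = {"NET": 0x0E, "SUB": 0x2E, "SP": 0x4E, "CP": 0x6E, "SLOT5": 0x8E}  # SLOT5: unnamed
# Per the OP, this digest means the slot's lock is not set (code 00000000).
UNSET_DIGEST = bytes.fromhex("7D3E17CFCD816CACD4E025FAA65004FDD17D51F8")


def find_block(image: bytes) -> int:
    """Absolute offset of the hash block: via the SSNV marker, else the fixed offset."""
    pos = image.find(SSNV_MAGIC)
    return pos + BLOCK_FROM_SSNV if pos >= 0 else FIXED_BLOCK


def inspect_locks(image: bytes) -> dict:
    """Report the flag byte and which lock slots hold a real digest (None = not set)."""
    base = find_block(image)
    ssnv = base - BLOCK_FROM_SSNV

    def digest(at: int) -> bytes:
        return image[at:at + DIGEST_LEN]

    return {
        "block": base,
        "locked_flag": image[base + FLAG_FROM_BLOCK] == 0x01,
        "slots": {name: None if digest(base + off) == UNSET_DIGEST
                  else digest(base + off).hex().upper() for name, off in SLOTS.items()},
        "mck": digest(ssnv + MCK_FROM_SSNV).hex().upper(),
    }


def build_sample(locked: bool) -> bytes:
    """Constructed image (not a real dump): SSNV at 0x180000 puts the block at 0x181460."""
    img = bytearray(0x181500)
    ssnv = 0x180000
    img[ssnv:ssnv + 4] = SSNV_MAGIC
    base = ssnv + BLOCK_FROM_SSNV
    img[base + 8], img[base + 9] = 0xFF, (0x01 if locked else 0x00)
    for off in SLOTS.values():
        img[base + off:base + off + DIGEST_LEN] = UNSET_DIGEST   # every lock unset
    if locked:  # NET lock set; the digest is the one from the OP's ighashgpu example
        net = base + SLOTS["NET"]
        img[net:net + DIGEST_LEN] = bytes.fromhex("EF63BF26E2382917D96850CCF9632458EE6E6C77")
    return bytes(img)
```

On a real dump, `inspect_locks(open("nv_data.bin", "rb").read())` shows at a glance that the lock codes are stored only as SHA-1 digests of 8-digit numbers, which is why the thread's brute force finishes quickly.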
 
bigmo7
#5
Quote:
Originally Posted by pulser_g2 (post #4 above)
Scared are we?

Pretty understandable tbh, I was kinda hoping it was as easy to unlock as the SGS but maybe there is still a way...let's hope so.
 
dh2311
#6
Just want to say, hex editing doesn't work. Doesn't detect SIM and you get no signal; just put old file back and all works. Looks like we're gonna need another fix.

Quick question, can anyone who has an unlocked device please send me their nv_data.bin?

I want to see if there are any other differences that could be keeping it locked.
 
pulser_g2
#7
Quote:
Originally Posted by dh2311
Just want to say, hex editing doesn't work. Doesn't detect SIM and you get no signal; just put old file back and all works. Looks like we're gonna need another fix.

Quick question, can anyone who has an unlocked device please send me their nv_data.bin?

I want to see if there are any other differences that could be keeping it locked.
I diffed an unlocked and locked one, and there's a lot of differences at binary level

I would need to ask the guy whose unlocked nv_data I borrowed if he was OK with that, or see if someone else has one...

Also, I did think. Perhaps it "rejects" the file if the MD5 thing doesn't match. If it's a salted MD5, then it could check the md5 of the bin file salted against a "secret" string, and then compare to the contents of the md5sum file...


 
dh2311
#8
(Last edited by dh2311; 5th May 2011 at 08:54 PM.)
When I tried putting the old file back I used all the same commands, and it said there was no md5 sum. Which would be expected, to be honest. But maybe it requires one. I'll try again, this time leaving the md5. Doubt it'll work, but it's worth a go.

EDIT: Failure again!
 
dh2311
#9
Also as a note, cannot be anything to do with the md5 sum, just removed and it still works, so it cannot be checking values against it.
 
pulser_g2
#10
Quote:
Originally Posted by dh2311
Also as a note, cannot be anything to do with the md5 sum, just removed and it still works, so it cannot be checking values against it.
OK. So it seems to be checking this file is "valid" somehow then...



Tags
galaxy s2, rom