[HOWTO] GT-I9100 Free SIM Unlock via nv_data.bin by Odia


f1ux

Senior Member
Jan 2, 2011
615
103
My SGS2 is locked, but it's also on an O2 contract, so they should unlock it for free?

I'll find out how and get back to you!

Sent from my GT-I9100 using XDA Premium App
 

f1ux

Senior Member
Jan 2, 2011
615
103
I've sent a request online. It says it can take up to 28 days though :(

Sent from my GT-I9100 using XDA Premium App
 

Odia

Guest
Jan 4, 2009
668
785
Can someone PM me a locked and an unlocked nv_data.bin? I'm still waiting for my SGSII from O2, so I cannot look at anything until the phone comes, unless someone sends me the files. Thanks in advance.
 

f1ux

Senior Member
Jan 2, 2011
615
103
I've just received my unlock code, so before I use it, what would you guys like me to do?
 

dh2311

Senior Member
Oct 5, 2010
602
280
Madegascar
OnePlus 8
Right. Can you back up your nv_data.bin before and after unlock? Then send them to me and pulser, and make sure it's clear which one's which. We'll try and find a pattern.

Sent from my GT-I9100 using XDA Premium App
 

pulser_g2

Admin Emeritus / Senior Recognized Developer
Nov 27, 2009
19,544
11,630
Right. Can you back up your nv_data.bin before and after unlock? Then send them to me and pulser, and make sure it's clear which one's which. We'll try and find a pattern.

Sent from my GT-I9100 using XDA Premium App

Go ahead and get the before/after, but I looked at a before/after and found it unintelligible :( Far too much changed.
 

f1ux

Senior Member
Jan 2, 2011
615
103
Bloody typical! O2 have only gone and sent me the code for a different IMEI!

The last 3 digits are different... I can see what I submitted was correct, but their reply has the wrong IMEI, so the code doesn't work!

EDIT!
Just rang them... turns out the guy I spoke to says they probably sent me the wrong code on purpose, as they believed I would be going to flog it on eBay as an unlocked phone LOL!
He's made me put the O2 SIM back in it to show I am going to use it. What's it to them anyway!?
 

Odia

Guest
Jan 4, 2009
668
785
Codes are @ 0xE03C and are SHA-1 crypted. I need a locked nv_data.bin and a known code to work out the padding and salt.
 

pulser_g2

Admin Emeritus / Senior Recognized Developer
Nov 27, 2009
19,544
11,630
Codes are @ 0xE03C and are SHA-1 crypted. I need a locked nv_data.bin and a known code to work out the padding and salt.

I've not got any known unlock codes unfortunately, else I'd give you them.

Anyone got their locked bin, and the code they received?
 

gladiac

Senior Member
Nov 13, 2006
333
481
Vienna
Codes are @ 0xE03C and are SHA-1 crypted. I need a locked nv_data.bin and a known code to work out the padding and salt.

If the unlock code is hashed with SHA-1, I don't see a way to reverse that. AFAIK it's not a matter of decrypting here, since SHA-1 is a hashing algo. If Samsung did their work right, there's only brute-forcing left. One could create a rainbow table that holds the hashes of all known-length (16 digits) unlock codes, but that would take like forever - and result in a ridiculously big file. I would be happy to hear what you guys are gonna try...
 

pulser_g2

Admin Emeritus / Senior Recognized Developer
Nov 27, 2009
19,544
11,630
If the unlock code is hashed with SHA-1, I don't see a way to reverse that. AFAIK it's not a matter of decrypting here, since SHA-1 is a hashing algo. If Samsung did their work right, there's only brute-forcing left. One could create a rainbow table that holds the hashes of all known-length (16 digits) unlock codes, but that would take like forever - and result in a ridiculously big file. I would be happy to hear what you guys are gonna try...

Currently Odia is brute forcing it ;)

I don't fully understand how it works, but here's what I do understand...

When you know the unlock code, you enter it into Android, which sends it to the radio, and something "happens". It then finds out if it worked or not...

What I will say is that Odia knows this stuff very well, so I'm just going to stop talking now :p I think it is gonna be possible, given that video showing it being done. I can sorta imagine what it's doing, but I can't think how to explain it.
 

aliander

Senior Member
Jan 31, 2008
167
46
Ehm... Unlocking through radio <-> network provider??

My GSM knowledge is kinda rusty, but I don't think so...

But hey, we could put a sniffer in and, after analysing, simulate a "Hooray! Free your Android" response we didn't even receive...? ;)

But probably that would be encrypted as well and has to match the IMEI or ****...
 

Top Liked Posts

  • 81
    Free SIM Unlock for SGS2 by Odia. (ONLY for HW Version MP 1.200)

    1. Root your phone.
    2. Extract your nv_data.bin.
    3. Look at the file with a hex editor and go to offset 0x181460 (UltraEdit, HxD, Hex Workshop etc.).
    4. Take the hashes from 0x18146e (20 bytes), 0x18148e, 0x1814ae, 0x1814ce, 0x1814ee.
    5. If the hash is 7D 3E 17 CF CD 81 6C AC D4 E0 25 FA A6 50 04 FD D1 7D 51 F8, ignore it, since that is 00000000.
    6. Put the hash into the BF exe, for example:
    ighashgpu.exe /h:EF63BF26E2382917D96850CCF9632458EE6E6C77 /t:sha1 /c:d /max:8 /min:8 /salt:0000000000000000
    and wait for it to finish. Do that for each hash which is not zeros; the Found password: [50681318] is the code.
    7. Put an unaccepted SIM card in the phone and, when it asks for the unlock code, enter them in order.
    8. Job done, phone is now unlocked for free.

    If you cannot find a block which looks like hashes @ 0x181460, then search for SSNV and add 5216, but from the files which I have seen the block appears to be fixed @ 0x181460.

    If it will not accept the code which you believe to be correct, it means the attempts have been used up, so you need to use the MCK code to unfreeze your phone. Note it will not request the unfreeze code, it will just say network lock unsuccessful even if your code is valid. (MCK HASH is @ offset 0x180049)

    Added an example for what you need to look for.


    Mastercode

    Dynamically located PERSO section, holds the mastercode (MCK / unfreeze); search for PERSO and look for a hash. There can be multiple old sections; added screendump with an example.
    MCK HASH is also in the SSNV section @ offset 0x180049.


    Direct Offsets

    GT-I9100
    NET 0x18146e -
    SUB 0x18148e -
    SP 0x1814ae -
    CP 0x1814ce -
    MCK 0x180049 -

    GT-I9000
    NET 0x18154b -
    SUB 0x18155f -
    SP 0x181573 -
    CP 0x181587 -
    MCK 0x1815af -


    If this saved you a few quid, maybe you would like to buy me a beer ;)

    View attachment 602403

    View attachment 602464

    I could not have made this solution and proved my theory without the special help from pulser_g2 and Fall Guy.

    I have been advised by pulser_g2 that Chainfire will make a software solution next week using this information.
    (APK is here http://xdaforums.com/showthread.php?t=1092451)
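As an added example (not code from the thread, from Odia, or from Chainfire's app): a small Python script that walks an nv_data.bin image the way the post above describes. It locates the "SSNV" marker, takes the hash block at SSNV + 5216, reads the five 20-byte SHA-1 slots at +0x0e, +0x2e, +0x4e, +0x6e and +0x8e, reads the MCK hash at SSNV + 0x49, and flags any slot holding the value the post says stands for the code 00000000. The slot names NET/SUB/SP/CP follow the post's offset table; the fifth slot is not named in the post, so it is labelled SLOT5 here. The image it runs on is constructed (erased flash filled with 0xFF plus the markers placed where the post puts them), so it runs offline; on a real backup you would pass the file's bytes instead.

```python
# Inventory the SIM-lock hash slots of an nv_data.bin image.
# Layout taken from the forum post: "SSNV" marker, hash block at SSNV + 5216,
# 20-byte hashes at block + 0x0e/0x2e/0x4e/0x6e/0x8e, MCK hash at SSNV + 0x49.
# Everything else here (slot name SLOT5, the sample image) is constructed.

SSNV_MAGIC = b"SSNV"
HASH_BLOCK_REL = 5216          # "search for SSNV and add 5216" -> 0x181460 when SSNV is at 0x180000
MCK_REL = 0x49                 # MCK hash lives inside the SSNV section (0x180049 in the post)
HASH_LEN = 20                  # SHA-1 digest length
SLOT_REL = {                   # offsets within the hash block; SLOT5 is my label, not the post's
    "NET": 0x0E, "SUB": 0x2E, "SP": 0x4E, "CP": 0x6E, "SLOT5": 0x8E,
}
# Value the post says to ignore because it stands for the code 00000000
DEFAULT_HASH = bytes.fromhex("7d3e17cfcd816cacd4e025faa65004fdd17d51f8")


def find_ssnv(image: bytes) -> int:
    """Return the absolute offset of the first SSNV marker, or raise if absent."""
    idx = image.find(SSNV_MAGIC)
    if idx < 0:
        raise ValueError("no SSNV marker in image")
    return idx


def _read_hash(image: bytes, off: int) -> bytes:
    """Read one 20-byte digest, refusing to read past the end of the image."""
    if off < 0 or off + HASH_LEN > len(image):
        raise ValueError(f"hash slot at 0x{off:x} runs past end of image")
    return image[off:off + HASH_LEN]


def extract_lock_hashes(image: bytes) -> dict:
    """Map slot name -> {offset, hash (hex), is_default} for the lock slots and MCK."""
    base = find_ssnv(image)
    block = base + HASH_BLOCK_REL
    result = {}
    for name, rel in SLOT_REL.items():
        off = block + rel
        digest = _read_hash(image, off)
        result[name] = {"offset": off, "hash": digest.hex(),
                        "is_default": digest == DEFAULT_HASH}
    mck_off = base + MCK_REL
    digest = _read_hash(image, mck_off)
    result["MCK"] = {"offset": mck_off, "hash": digest.hex(),
                     "is_default": digest == DEFAULT_HASH}
    return result


def build_sample_image(ssnv_at: int = 0x180000) -> bytes:
    """Constructed image: erased flash (0xFF) with the markers where the post puts them."""
    img = bytearray(b"\xff" * (ssnv_at + 0x2000))
    img[ssnv_at:ssnv_at + len(SSNV_MAGIC)] = SSNV_MAGIC
    block = ssnv_at + HASH_BLOCK_REL
    # NET slot carries the example hash quoted in the post; other slots hold the default value
    net = block + SLOT_REL["NET"]
    img[net:net + HASH_LEN] = bytes.fromhex("ef63bf26e2382917d96850ccf9632458ee6e6c77")
    for name in ("SUB", "SP", "CP", "SLOT5"):
        off = block + SLOT_REL[name]
        img[off:off + HASH_LEN] = DEFAULT_HASH
    # constructed, meaningless MCK digest (just 20 increasing bytes)
    mck = ssnv_at + MCK_REL
    img[mck:mck + HASH_LEN] = bytes(range(0x20, 0x34))
    return bytes(img)


if __name__ == "__main__":
    for name, info in extract_lock_hashes(build_sample_image()).items():
        tag = "default (code 00000000)" if info["is_default"] else "set"
        print(f"{name:5s} @ 0x{info['offset']:06x}  {info['hash']}  {tag}")
```

Because the script keys everything off the SSNV marker rather than the fixed 0x181460, it still finds the block on an image where the section sits elsewhere, which is the fallback the post gives for files that do not match its direct offsets.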
    13
    Might try that, but can the phone boot without the nv_data? I thought it would fail.


    On the subject of resetting the counter, I found out how!!!!

    It also tells you your kernel is original when it is SuperCurio's or Chainfire's :D:D

    My phone claims to be unhacked, but it's rooted and everything.

    I'm uploading video proof now!



    How did I do it?

    Well, you know the download mode jig you can make to put the SGS into download mode. I make them and sell them on eBay to make a few quid. (Not too great, too many others doing it.)

    I thought "it worked on my SGS, will it work on this?"

    Powered off the SGS II, plugged the jig in and encountered a screen saying "erasing download information succeeded", and now it says I have no custom binaries and my current binary is "samsung official", when it's Chainfire's.

    It also removes the triangle warning on first boot because it thinks it's genuine. But I still have my root privileges.

    I call this a warranty solution. All thanks to a resistor and a micro USB plug. :D
    http://www.youtube.com/watch?v=poH6TMbuj3E
    7
    So without asking me or pulser_g2, who can work it out from this?

    Found 1 CUDA device(s)
    Starting brute-force attack, Charset Len = 10, Min passlen = 8, Max passlen = 8
    Charset (unicode -> 0) [0123456789]
    Charset in HEX: 30 31 32 33 34 35 36 37 38 39
    Starting from [00000000]
    Hash type: SHA1, Hash: ef63bf26e2382917d96850ccf9632458ee6e6c77
    Salt: 00 00 00 00 00 00 00 00
    Device #0: [GeForce 8800 GT] 1625.00 Mhz 112 SP
    Hardware monitoring disabled.
    CURPWD: 46886710 DONE: 75.50% ETA: 0s CURSPD: 134.8M
    Found password: [50681318], HEX: 35 30 36 38 31 33 31 38
    Processed 75 497 472 passwords in 1s.
    Thus, 130 844 838 password(s) per second in average.

    and to the person who approached me and said lets do this and make lots of money FCUK YOU!!!

    Took me less than 1 hour's working time to find the solution; big thanks to pulser_g2 for supplying the needed files to speed up my work.

    PS: How do I get a donate button ;)
    5
    I'm happy to test for you. Mine is locked, tried T-Mobile earlier today and it required a code. I'm rooted, so I can provide anything.

    Grab that file from the device and pop me a PM. I presume you know how to get ADB up and running?
    4
    Just did an EFS backup before unlocking a phone using a purchased unlock code, and immediately after unlocking did another EFS backup.

    Comparing these two backups, the only difference is nv_data.bin, and there are 2 differences in nv_data.bin:

    1. In the locked nv_data.bin, at offset 00180069-0018006e, there is a 5-byte string and a "#" sign, representing the original locked operator name. Unlocking the phone replaces all these bytes with FF.

    2. In the locked nv_data.bin, at offset 00181469, that byte is 01; as we all know, Helroz's app changes this byte to 00, thus unlocking the phone.

    So, the bit-flipping method will work, and if you want a clean unlock, remove that original locked operator name at offset 00180069.

    I bought the unlock code because my phone refused to work any more: last month one of the operators became disabled (emergency calls only), and after I changed to another operator, this operator became disabled again recently. I thought it maybe because I unlocked the phone using the bit-flipping method and I should try unlocking it using a real unlock code. Unfortunately my phone is still disabled for those 2 operators using the real unlock code, so I have to send it to Samsung service (I guess something in the Intel XMM6260 platform is broken).

    (ok, typo fixed)
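An added example, not the poster's own tooling: a byte-range differ for the kind of before/after EFS backup comparison described in the post above. It reports each contiguous run of bytes that changed, with the old and new values, so a reviewer can see exactly which fields a code-based unlock touched. The two sample images are constructed to reproduce the two differences the post reports (a 5-character operator tag plus "#" at 0x180069-0x18006e overwritten with FF, and the byte at 0x181469 going from 01 to 00); the operator tag text itself is made up.

```python
# Report changed byte runs between two same-size binary images.
# The sample pair below is constructed to mirror the two differences the post
# found between a locked and a code-unlocked nv_data.bin; "OPER1" is a made-up tag.
from typing import List, Tuple

OPERATOR_TAG_OFF = 0x180069   # post: 5-byte operator name + '#' (6 bytes), FF'd after unlock
LOCK_FLAG_OFF = 0x181469      # post: 01 when locked, 00 when unlocked

Run = Tuple[int, int, bytes, bytes]   # (start, end_inclusive, old_bytes, new_bytes)


def diff_ranges(before: bytes, after: bytes) -> List[Run]:
    """Return every maximal run of differing bytes between two equal-length images."""
    if len(before) != len(after):
        raise ValueError(f"size mismatch: {len(before)} vs {len(after)} bytes")
    runs: List[Run] = []
    start = None
    for i, (x, y) in enumerate(zip(before, after)):
        if x != y:
            if start is None:
                start = i                       # open a new run
        elif start is not None:
            runs.append((start, i - 1, before[start:i], after[start:i]))
            start = None                        # close the run at the first equal byte
    if start is not None:                       # run extends to the end of the image
        runs.append((start, len(before) - 1, before[start:], after[start:]))
    return runs


def describe(runs: List[Run]) -> List[str]:
    """Human-readable one-liners, hex offsets like a hex editor shows them."""
    lines = []
    for start, end, old, new in runs:
        n = end - start + 1
        lines.append(f"0x{start:06x}-0x{end:06x}: {old.hex()} -> {new.hex()} "
                     f"({n} byte{'s' if n != 1 else ''})")
    return lines


def build_sample_pair() -> Tuple[bytes, bytes]:
    """Constructed locked/unlocked images: erased flash plus the two fields the post names."""
    size = 0x182000
    locked = bytearray(b"\xff" * size)
    locked[OPERATOR_TAG_OFF:OPERATOR_TAG_OFF + 6] = b"OPER1#"   # made-up 5-char tag + '#'
    locked[LOCK_FLAG_OFF] = 0x01
    unlocked = bytearray(locked)
    unlocked[OPERATOR_TAG_OFF:OPERATOR_TAG_OFF + 6] = b"\xff" * 6
    unlocked[LOCK_FLAG_OFF] = 0x00
    return bytes(locked), bytes(unlocked)


if __name__ == "__main__":
    locked, unlocked = build_sample_pair()
    for line in describe(diff_ranges(locked, unlocked)):
        print(line)
```

On real backups, pull both nv_data.bin files and pass their contents to diff_ranges; a clean code-based unlock should show only a handful of runs like the two above, so anything else changing is worth a closer look before trusting the backup.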