I have a Samsung Galaxy S2 GT-I9100M (shows up as GT-I9100 in About phone, I think they are exactly the same), currently running CM 11 Android 4.4.4 with baseband i9100MUGLD3. Long story short, I paid for this phone upfront, not subsidised, yet it remains locked to Bell's network (even if I've never been their client directly, my provider uses their network so it works). Bell won't unlock the phone for me unless I become their client and then give them $50 extra for the unlock code. I find this practice completely abusive (the fact that SIM locking is even legal is beyond me).
I'm a software engineer and I'm pretty tech savvy; however, I've never done low-level Android development. The current status is the following:
- I've extracted nv_data.bin and located the salted unlock codes hashes
- I've found out that those hashes are encrypted
- I'm fully set up and able to brute-force unencrypted hashes; I just need to obtain them!
What I need now is some pointers on where to look for the decryption key and how to find out the encryption algorithm. Am I looking for the baseband binary? Is it where the magic happens (i.e. the decryption)?
I looked at Odia's work in http://forum.xda-developers.com/show...&postcount=518 but unfortunately, decrypting the ciphertext with the given key using AES (first 16 bytes as key, the second as IV) did not yield the correct plaintext. So I'm assuming it's not AES, or the key/IV is wrong.
This is the relevant part of my nv_data.bin file. We clearly see a pattern which leads me to believe those are the 00000000 hashes encrypted individually.
00181460: ffff ffff ffff ffff ff01 0000 0000 2aa0 ..............*.
00181470: 7526 3a3c 70da 9930 3bb6 1899 4328 2801 u&:<p..0;...C((.
00181480: 1f38 559c cfa7 c1a9 b78b fced bea3 71df .8U...........q.
00181490: 3d9d e993 50b7 a777 1127 e717 c9de 94bb =...P..w.'......
001814a0: 305b 1825 cce2 5dce a0de 2fbc ad48 71df 0[.%..].../..Hq.
001814b0: 3d9d e993 50b7 a777 1127 e717 c9de 94bb =...P..w.'......
001814c0: 305b 1825 cce2 5dce a0de 2fbc ad48 71df 0[.%..].../..Hq.
001814d0: 3d9d e993 50b7 a777 1127 e717 c9de 94bb =...P..w.'......
001814e0: 305b 1825 cce2 5dce a0de 2fbc ad48 71df 0[.%..].../..Hq.
001814f0: 3d9d e993 50b7 a777 1127 e717 c9de 94bb =...P..w.'......
00181500: 305b 1825 cce2 5dce a0de 2fbc ad48 0600 0[.%..].../..H..
00181510: 0000 0003 0505 0505 00ff ffff ffff ffff ................
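As an added example (not the poster's code, and not anything from the XDA thread), the following Python script parses the dump above, searches for the block size at which the bytes repeat back to back, and cuts that region into records. On this dump it reports four identical 32-byte records starting at 0x18148e, preceded by one 32-byte record (starting at 0x18146e) that differs. That is the pattern the post is describing, and it is the same leak that makes ECB mode recognisable: when each entry is encrypted on its own with no per-entry IV, nonce or salt, equal plaintexts produce equal ciphertexts, so an observer can tell which entries hold the same value without decrypting anything. The script assumes only that the dump is in xxd format; the record size is derived from the data rather than assumed.

```python
import re

# Hex dump copied from the post above (xxd-style: offset, eight 16-bit groups, ASCII column).
NV_DATA_DUMP = """
00181460: ffff ffff ffff ffff ff01 0000 0000 2aa0 ..............*.
00181470: 7526 3a3c 70da 9930 3bb6 1899 4328 2801 u&:<p..0;...C((.
00181480: 1f38 559c cfa7 c1a9 b78b fced bea3 71df .8U...........q.
00181490: 3d9d e993 50b7 a777 1127 e717 c9de 94bb =...P..w.'......
001814a0: 305b 1825 cce2 5dce a0de 2fbc ad48 71df 0[.%..].../..Hq.
001814b0: 3d9d e993 50b7 a777 1127 e717 c9de 94bb =...P..w.'......
001814c0: 305b 1825 cce2 5dce a0de 2fbc ad48 71df 0[.%..].../..Hq.
001814d0: 3d9d e993 50b7 a777 1127 e717 c9de 94bb =...P..w.'......
001814e0: 305b 1825 cce2 5dce a0de 2fbc ad48 71df 0[.%..].../..Hq.
001814f0: 3d9d e993 50b7 a777 1127 e717 c9de 94bb =...P..w.'......
00181500: 305b 1825 cce2 5dce a0de 2fbc ad48 0600 0[.%..].../..H..
00181510: 0000 0003 0505 0505 00ff ffff ffff ffff ................
"""


def parse_xxd(dump: str):
    """Parse an xxd-style dump into (base_offset, bytes); only the hex groups are used."""
    base = None
    buf = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split()
        offset = int(fields[0].rstrip(":"), 16)
        if base is None:
            base = offset
        elif offset != base + len(buf):
            raise ValueError(f"non-contiguous dump at {offset:#x}")
        for tok in fields[1:9]:  # at most eight groups; stop at the ASCII column
            if not re.fullmatch(r"[0-9a-fA-F]{4}", tok):
                break
            buf += bytes.fromhex(tok)
    return base, bytes(buf)


def find_repeating_records(data: bytes, base: int, max_size: int = 64):
    """Find the block size that best explains a run of identical, back-to-back blocks.

    Returns (size, absolute_offset_of_first_copy, copy_count) for the run that covers the
    most bytes; ties go to the smaller size so the fundamental period is reported rather
    than a multiple of it. Returns None when nothing repeats back to back.
    """
    best = None  # (covered_bytes, -size, size, start, count)
    for size in range(1, max_size + 1):
        for i in range(len(data) - 2 * size + 1):
            block = data[i:i + size]
            count = 1
            while (i + (count + 1) * size <= len(data)
                   and data[i + count * size:i + (count + 1) * size] == block):
                count += 1
            if count < 2:
                continue
            cand = (size * count, -size, size, base + i, count)
            if best is None or cand[:2] > best[:2]:
                best = cand
    return None if best is None else best[2:]


def split_records(data: bytes, base: int, size: int, first: int, count: int):
    """Return [(offset, record_bytes)] for the repeated run plus the record just before it."""
    start = first - base
    lo = start - size if start >= size else start
    return [(base + o, data[o:o + size]) for o in range(lo, start + count * size, size)]


if __name__ == "__main__":
    base, data = parse_xxd(NV_DATA_DUMP)
    size, first, count = find_repeating_records(data, base)
    print(f"{count} identical {size}-byte records starting at {first:#x}")
    for offset, rec in split_records(data, base, size, first, count):
        print(f"record at {offset:#x}: {rec.hex()}")
```

Running it prints five 32-byte records: the one at 0x18146e is unique and the four from 0x18148e onward are byte-for-byte identical. The defensive takeaway is the mirror image of the observation: storage that encrypts fixed-size records individually needs a per-record salt or nonce, otherwise equality of the underlying values is visible in the ciphertext even when the cipher itself is sound.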