My quest to sim unlock my SGS2

By ldiamond2, Member on 13th May 2015, 03:03 PM
Hi fellow devs,

I have a Samsung Galaxy S2 GT-I9100M (shows up as GT-I9100 in About phone; I think they are exactly the same), currently running CM 11 Android 4.4.4 with baseband i9100MUGLD3. Long story short, I paid for this phone upfront, not subsidised, yet it remains locked to Bell's network (even though I've never been their client directly, my provider uses their network so it works). Bell won't unlock the phone for me unless I become their client and then give them $50 extra for the unlock code. I find this practice completely abusive (the fact that SIM locking is even legal is beyond me).

I'm a software engineer and I'm pretty tech savvy, however, I've never done low level android development. The current status is the following:
  • I've extracted nv_data.bin and located the salted unlock codes hashes
  • I've found out that those hashes are encrypted
  • I'm fully set up and able to brute-force the unencrypted hashes, I just need to obtain them!

What I need now is some pointers on where to look for the decryption key and how to find out the encryption algorithm. Am I looking for the baseband binary? Is it where the magic happens (i.e. the decryption)?
I looked at Odia's work in http://forum.xda-developers.com/show...&postcount=518 but unfortunately, decrypting the ciphertext with the given key using AES (first 16 bytes as key, second 16 as IV) did not yield the correct plaintext. So I'm assuming it's not AES, or the key/IV is wrong.

This is the relevant part of my nv_data.bin file. We clearly see a pattern, which leads me to believe those are the 00000000 hashes encrypted individually.
Code:
00181460: ffff ffff ffff ffff ff01 0000 0000 2aa0  ..............*.
00181470: 7526 3a3c 70da 9930 3bb6 1899 4328 2801  u&:<p..0;...C((.
00181480: 1f38 559c cfa7 c1a9 b78b fced bea3 71df  .8U...........q.
00181490: 3d9d e993 50b7 a777 1127 e717 c9de 94bb  =...P..w.'......
001814a0: 305b 1825 cce2 5dce a0de 2fbc ad48 71df  0[.%..].../..Hq.
001814b0: 3d9d e993 50b7 a777 1127 e717 c9de 94bb  =...P..w.'......
001814c0: 305b 1825 cce2 5dce a0de 2fbc ad48 71df  0[.%..].../..Hq.
001814d0: 3d9d e993 50b7 a777 1127 e717 c9de 94bb  =...P..w.'......
001814e0: 305b 1825 cce2 5dce a0de 2fbc ad48 71df  0[.%..].../..Hq.
001814f0: 3d9d e993 50b7 a777 1127 e717 c9de 94bb  =...P..w.'......
00181500: 305b 1825 cce2 5dce a0de 2fbc ad48 0600  0[.%..].../..H..
00181510: 0000 0003 0505 0505 00ff ffff ffff ffff  ................
Any help would be greatly appreciated.
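The "pattern" in that dump can be measured rather than eyeballed. The Python below is an added example (editor's code, not the OP's tooling or anything from Odia's post): it parses the xxd-style dump quoted above and, for every candidate block size and alignment, finds the longest run of identical consecutive blocks. On this dump it reports four identical 32-byte blocks starting at 0x18148e, preceded by one 32-byte block that differs. That is the concrete form of the OP's observation: whatever the cipher is, it is applied deterministically per entry (equal plaintexts give equal ciphertexts, no chaining carried across entries), which is also why a single recovered key/IV pair would work against every entry. The script says nothing about which cipher or key is in use; that question stays open.

```python
import re

# Hex dump copied from the post above (xxd layout: offset, then 16 bytes per
# line as 2-byte groups). The ASCII column has been dropped here; the parser
# tolerates it if present.
NV_DUMP = """\
00181460: ffff ffff ffff ffff ff01 0000 0000 2aa0
00181470: 7526 3a3c 70da 9930 3bb6 1899 4328 2801
00181480: 1f38 559c cfa7 c1a9 b78b fced bea3 71df
00181490: 3d9d e993 50b7 a777 1127 e717 c9de 94bb
001814a0: 305b 1825 cce2 5dce a0de 2fbc ad48 71df
001814b0: 3d9d e993 50b7 a777 1127 e717 c9de 94bb
001814c0: 305b 1825 cce2 5dce a0de 2fbc ad48 71df
001814d0: 3d9d e993 50b7 a777 1127 e717 c9de 94bb
001814e0: 305b 1825 cce2 5dce a0de 2fbc ad48 71df
001814f0: 3d9d e993 50b7 a777 1127 e717 c9de 94bb
00181500: 305b 1825 cce2 5dce a0de 2fbc ad48 0600
00181510: 0000 0003 0505 0505 00ff ffff ffff ffff
"""

# offset ':' then hex groups; stops at the double space before any ASCII column
_LINE = re.compile(r"^\s*([0-9a-fA-F]+):\s*((?:[0-9a-fA-F]{4}\s)*[0-9a-fA-F]{2,4})")


def parse_xxd(dump):
    """Return (base_offset, data) from an xxd-style dump.

    Only the hex column is used. Lines must be contiguous so that data[i]
    corresponds to absolute file offset base_offset + i.
    """
    base, buf = None, bytearray()
    for line in dump.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        off = int(m.group(1), 16)
        if base is None:
            base = off
        if off != base + len(buf):
            raise ValueError("non-contiguous dump at offset %#x" % off)
        buf += bytes.fromhex(m.group(2).replace(" ", ""))
    return base, bytes(buf)


def identical_runs(data, block_size, align):
    """Runs (start, count) of >= 2 identical consecutive blocks, tiling from `align`."""
    blocks = [data[i:i + block_size]
              for i in range(align, len(data) - block_size + 1, block_size)]
    runs, i = [], 0
    while i < len(blocks):
        j = i
        while j + 1 < len(blocks) and blocks[j + 1] == blocks[i]:
            j += 1
        if j > i:
            runs.append((align + i * block_size, j - i + 1))
        i = j + 1
    return runs


def longest_repeat(data, block_sizes=(8, 16, 32, 64)):
    """Over every block size and alignment, the longest run of identical blocks.

    Returns (block_size, start_offset_in_data, count) or None. Identical
    consecutive ciphertext blocks are the signature of a deterministic scheme
    (ECB, or one fixed key/IV reused per record): equal plaintexts in, equal
    ciphertexts out.
    """
    best = None
    for bs in block_sizes:
        for align in range(bs):
            for start, n in identical_runs(data, bs, align):
                if best is None or n > best[2]:
                    best = (bs, start, n)
    return best


def analyze(dump):
    """Summarise the repeat structure of a dump with absolute offsets."""
    base, data = parse_xxd(dump)
    bs, start, n = longest_repeat(data)
    return {
        "base": base,
        "block_size": bs,
        "first_repeat_offset": base + start,
        "repeat_count": n,
        "repeated_block": data[start:start + bs].hex(),
        # the entry immediately before the run, if a full block is available
        "preceding_block": data[start - bs:start].hex() if start >= bs else None,
    }


if __name__ == "__main__":
    r = analyze(NV_DUMP)
    print("%d identical %d-byte blocks starting at %#x"
          % (r["repeat_count"], r["block_size"], r["first_repeat_offset"]))
    print("repeated block :", r["repeated_block"])
    print("block before it:", r["preceding_block"])
```

To use it on a real file, replace NV_DUMP with the output of `xxd -s 0x181460 -l 192 nv_data.bin` (or feed `parse_xxd` any contiguous xxd slice); the alignment search means you do not need to guess where a record starts.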
 
 
19th May 2015, 08:12 AM |#2
By marouane80, Senior Member
Hi,

Try to use this zip and read the procedure inside first!

- Install GScript.apk and put "unlock.sh" on your phone (internal or external storage)
- Run GScript: click "add script" and enter the text line as in the description. Run the script now!

That's all.

Good luck
Attached Files
File Type: zip Samsung SIM Unlocking.zip (31.5 KB, 30 views)
19th May 2015, 03:42 PM |#3
By ldiamond2 (OP), Member
Quote:
Originally Posted by marouane80

Hi,

Try to use this zip and read the procedure inside first!

- Install GScript.apk and put "unlock.sh" on your phone (internal or external storage)
- Run GScript: click "add script" and enter the text line as in the description. Run the script now!

That's all.

Good luck


Hi,
I just read the script, and it basically just zeroes out the lock bytes in the nv_data.bin file. I may try this route, but ideally I'd want to find the 8-digit unlock code to properly and reliably unlock the phone. I know Odia managed to decrypt the hashes, but I just don't know where he managed to find the key. He obviously has more low-level dev experience with ARM than I do.