[HOWTO] GT-I9100 Free SIM Unlock via nv_data.bin by Odia

crusher1908

Senior Member
Aug 23, 2011
93
0
Toluca
Hi crusher1908, here is your unlocked NV_DATA.BIN. Extract it, put it in the /efs directory, set permission rwx---, restart the phone and ENJOY!! Before this, make the /efs backup.. :p

Hi crusher1908. Maybe in the area where you live the 3G signal is so weak. You need to try to configure your Access Point Names ("APN") properly!!! Or change your Network Mode to Auto Mode in the "Settings" menu. ... "If you use GSM Mode you never connect to HSUPA or HSDPA..."

Man, I don't know how to say thanks to you, my phone is working perfectly. After a couple of digital reprogrammings (by the company) and a few reboots my network is going really well, man! Really, thank you very much! :D
 

solarj

Member
Nov 5, 2008
18
4
Just did an efs backup before unlocking a phone using a purchased unlock code, and immediately after unlocking did another efs backup.

Comparing these two backups, the only difference is nv_data.bin, and there are 2 differences in nv_data.bin:

1. In locked nv_data.bin, at offset 00180069-0018006e, there is a 5-byte string and a "#" sign, representing the original locked operator name. Unlocking the phone will replace all these bytes with FF.

2. In locked nv_data.bin, at offset 00181469, that byte is 01. As we all know, Helroz's app will change this byte to 00, thus unlocking the phone.

So, the bit-flipping method will work, and if you want a clean unlock, remove the original locked operator name at offset 00180069.

I bought the unlock code because my phone refuses to work any more. Last month one of the operators became disabled (emergency call only), and after I changed to another operator, this operator became disabled again recently. I thought it may be because I unlocked the phone using the bit-flipping method and I should try unlocking it using a real unlock code. Unfortunately my phone is still disabled for those 2 operators after using the real unlock code, so I have to send it to Samsung service (I guess something in the Intel XMM6260 platform is broken).

(ok, typo fixed)
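The before/after comparison described in the post above, as an added example that is not part of the original post or thread: a byte-level diff of two same-size backup images that groups differing bytes into runs, which is how you audit exactly what changed in a file such as nv_data.bin between two EFS backups. The 64-byte sample images, their offsets and the `00101#` entry are constructed for illustration and are not real nv_data.bin content.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Change:
    start: int      # offset of the first differing byte
    before: bytes   # bytes in the earlier backup
    after: bytes    # bytes in the later backup

    @property
    def end(self) -> int:
        return self.start + len(self.before) - 1

    def kind(self) -> str:
        if set(self.after) == {0xFF}:
            return "blanked to FF"
        if len(self.before) == 1:
            return "single-byte change"
        return "rewritten"

def diff_backups(old: bytes, new: bytes) -> list[Change]:
    """Return runs of consecutive differing bytes between two same-size images."""
    if len(old) != len(new):
        raise ValueError(f"size mismatch: {len(old)} vs {len(new)} bytes")
    changes, i, n = [], 0, len(old)
    while i < n:
        if old[i] == new[i]:
            i += 1
            continue
        j = i
        while j < n and old[j] != new[j]:
            j += 1
        changes.append(Change(i, old[i:j], new[i:j]))
        i = j
    return changes

def sample_images() -> tuple[bytes, bytes]:
    # Constructed 64-byte stand-ins, NOT real nv_data.bin content or offsets.
    before = bytearray(b"\x00" * 64)
    before[0x10:0x16] = b"00101#"   # constructed operator entry (test network code)
    before[0x30] = 0x01             # constructed flag byte
    after = bytearray(before)
    after[0x10:0x16] = b"\xff" * 6  # entry overwritten with FF
    after[0x30] = 0x00              # flag cleared
    return bytes(before), bytes(after)

if __name__ == "__main__":
    for c in diff_backups(*sample_images()):
        print(f"{c.start:08x}-{c.end:08x}  {c.before.hex(' ')} -> {c.after.hex(' ')}  [{c.kind()}]")
```

For real backups, read both files in binary mode and pass their contents to `diff_backups`; a size mismatch raises instead of producing a misleading diff.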

dertys_

Member
Sep 30, 2008
19
7
Just did an efs backup before unlocking a phone using a purchased unlock code, and immediately after unlocking did another efs backup.

Comparing these two backups, the only difference is nv_data.bin, and there are 2 differences in nv_data.bin:

1. In unlocked nv_data.bin, at offset 00180069-0018006e, there is a 5-byte string and a "#" sign, representing the original locked operator name. Unlocking the phone will replace all these bytes with FF.

2. In unlocked nv_data.bin, at offset 00181469, that byte is 01. As we all know, Helroz's app will change this byte to 00, thus unlocking the phone.

So, the bit-flipping method will work, and if you want a clean unlock, remove the original locked operator name at offset 00180069.

I bought the unlock code because my phone refuses to work any more. Last month one of the operators became disabled (emergency call only), and after I changed to another operator, this operator became disabled again recently. I thought it may be because I unlocked the phone using the bit-flipping method and I should try unlocking it using a real unlock code. Unfortunately my phone is still disabled for those 2 operators after using the real unlock code, so I have to send it to Samsung service (I guess something in the Intel XMM6260 platform is broken).

Hi, yesterday I read this post and tried this method; the phone is still in working order for all cell operators. These two methods give a really working and clean unlock!!! Thank you for the GOOD IDEA!!!
 

cowbutt

Senior Member
Feb 11, 2010
199
54
Lenovo Thinkpad Tablet
Moto G
Just did an efs backup before unlocking a phone using a purchased unlock code, and immediately after unlocking did another efs backup.

Comparing these two backups, the only difference is nv_data.bin, and there are 2 differences in nv_data.bin:

1. In unlocked nv_data.bin, at offset 00180069-0018006e, there is a 5-byte string and a "#" sign, representing the original locked operator name. Unlocking the phone will replace all these bytes with FF.

2. In unlocked nv_data.bin, at offset 00181469, that byte is 01. As we all know, Helroz's app will change this byte to 00, thus unlocking the phone.

Presumably you mean 'In LOCKED' in both of those descriptions.

I can confirm those observations with my backup of efs with a rev 1.5 i9100 locked to T-Mobile UK (TMUK). A slight difference is that the MCC+MNC at 00180069 is actually two MCC+MNCs: 23430#23431# (i.e. 12 bytes instead of 6). 23430 is TMUK's MCC+MNC. 23431 might be Virgin (who are a TMUK MVNO).

So, the bit-flipping method will work, and if you want a clean unlock, remove the original locked operator name at offset 00180069.

trucker11

Senior Member
Jun 3, 2010
85
7
Melton Mowbray
NEW to all this

Hi guys. Just got the Galaxy S2 rooted. I think it's a great phone, even better than my Desire, but I've tried to unlock it with no success. Can anyone help me pls?
Here's my file.
The guys who do all this stuff are saving us money, time and a lot of headaches. Keep the good work up.
 

Attachments

  • efsbackup.tar.gz
    28.9 KB · Views: 81

dertys_

Member
Sep 30, 2008
19
7
Hi guys. Just got the Galaxy S2 rooted. I think it's a great phone, even better than my Desire, but I've tried to unlock it with no success. Can anyone help me pls?
Here's my file.
The guys who do all this stuff are saving us money, time and a lot of headaches. Keep the good work up.

Hi trucker11. It's your unlocked nv_data.bin. Extract it, put it on the phone's SD card, copy it to the /efs directory (use RootExplorer) from the card, set file permission to rwx---, delete nv_data.bin.md5 from the phone and reboot!!! Enjoy!!

gomson

Member
Oct 13, 2007
7
0
Need help

Hiya guys...
Been trying to SIM-unlock my phone but no luck.
I've rooted it and tried several of the tools available and still can't unlock it.
It's a Samsung Galaxy S2 and attached is the extracted nv_data.bin file..
Please any help would be greatly appreciated..

Thanks in advance..
:D
 

Attachments

  • nv_data.zip
    11.8 KB · Views: 69

dertys_

Member
Sep 30, 2008
19
7
Hiya guys...
Been trying to SIM-unlock my phone but no luck.
I've rooted it and tried several of the tools available and still can't unlock it.
It's a Samsung Galaxy S2 and attached is the extracted nv_data.bin file..
Please any help would be greatly appreciated..

Thanks in advance..
:D
Hi gomson. It's the unlocked nv_data.bin from your phone. Extract and Enjoy!!!

kevkamikaze

Member
Feb 24, 2010
16
0
dertys_ or anyone else who can help me with this, I'd be very grateful. I've spent some time trying to figure this out but can't :(
 

Attachments

  • nv_data.7z
    8.2 KB · Views: 212

dertys_

Member
Sep 30, 2008
19
7
dertys_ or anyone else who can help me with this, I'd be very grateful. I've spent some time trying to figure this out but can't :(

Hi kevkamikaze! It is the unlocked nv_data.bin. Extract, copy to the /efs folder, set permission rwx---, delete nv_data.bin.md5, reboot the phone and Enjoy!!!

Some terminal commands:
Code:
su
stop
rm /efs/nv_data.bin
rm /efs/nv_data.bin.md5
cat /sdcard/nv_data.bin >> /efs/nv_data.bin
chmod 755 /efs/nv_data.bin
chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
reboot

kevkamikaze

Member
Feb 24, 2010
16
0
Hi kevkamikaze! It is the unlocked nv_data.bin. Extract, copy to the /efs folder, set permission rwx---, delete nv_data.bin.md5, reboot the phone and Enjoy!!!

Some terminal commands:
Code:
su
stop
rm /efs/nv_data.bin
rm /efs/nv_data.bin.md5
cat /sdcard/nv_data.bin >> /efs/nv_data.bin
chmod 755 /efs/nv_data.bin
chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
reboot

Thanks for taking the time to do this! Very kind of you :)

Edit. Tested and works perfect..thanks again dertys_ !

Sent from my GT-I9100 using xda premium

radkor

Senior Member
May 9, 2006
475
298
Warsaw
So, is there a working method yet to obtain the unlock code and unfreeze code from nv_data.bin with the new hashes?
I can unlock the phone but I want these codes...
 

trickius

Member
May 25, 2007
27
4
www.tatagka.com
hello, nice work guys!

I bought a Samsung off eBay as an unlocked one but it turned out locked! :mad:
Chainfire's app doesn't seem to find the unlock code. Also I tried with Odia's instructions and no luck.
Can you please help me with this one?


Thanks a lot, I would be much obliged
 

Attachments

  • nv_data.7z
    8.7 KB · Views: 92

cavaliere06

Member
Jun 19, 2011
44
8
Kudos

Yes, there is a working method, but it's not released. They are not hashes in the new nv_data format; well, they are not hashes as they are stored, but once manipulated they become hashes :p

I hope it gets released soon since I already tried the old method and Chainfire's app, and even bought an unlock from gsmliberty.net and mobilefreedom.net; fortunately they gave me a refund. So I'm getting out of options :(

:p :)
And well, since I'm desperate I want to try the method of Mr. dertys_ since it seems to work for my fellow crusher1908 from the same country and carrier.

I leave my nv_data.bin here.
 

Attachments

  • nv_data.rar
    14.5 KB · Views: 95

Top Liked Posts

  • 81
    Free SIM Unlock for SGS2 by Odia. (ONLY for HW Version MP 1.200)

    1. Root your phone.
    2. Extract your nv_data.bin
    3. Look at the file with a hex editor and go to offset 0x181460 (Ultra Edit, HxD, Hex-Workshop etc.)
    4. Take the hashes from 0x18146e (20 bytes), 0x18148e, 0x1814ae, 0x1814ce, 0x1814ee
    5. If the hash is 7D 3E 17 CF CD 81 6C AC D4 E0 25 FA A6 50 04 FD D1 7D 51 F8, ignore it since that is 00000000
    6. Put the hash into the BF exe, for example:
    ighashgpu.exe /h:EF63BF26E2382917D96850CCF9632458EE6E6C77 /t:sha1 /c:d /max:8 /min:8 /salt:0000000000000000
    and wait for it to finish. Do that for each hash which is not zeros; the Found password: [50681318] is the code.
    7. Put an unaccepted SIM card in the phone and when it asks for the unlock code enter them in order
    8. Job done, phone is now unlocked for free.

    If you cannot find a block which looks like hashes @ 0x181460, then search for SSNV and add 5216, but from the files which I have seen the block appears to be fixed @ 0x181460.

    If it will not accept the code which you believe to be correct, it means the attempts have been used up, so you need to use the MCK code to unfreeze your phone. Note it will not request the unfreeze code, just say network lock unsuccessful even if your code is valid. (MCK HASH is @ offset 0x180049)

    Added an example for what you need to look for.


    Mastercode

    Dynamically located PERSO section, holds the mastercode (MCK / unfreeze). Search for PERSO and look for a hash; there can be multiple old sections. Added screendump with an example.
    MCK HASH is also in the SSNV section @ offset 0x180049


    Direct Offsets

    GT-I9100
    NET 0x18146e -
    SUB 0x18148e -
    SP 0x1814ae -
    CP 0x1814ce -
    MCK 0x180049 -

    GT-I9000
    NET 0x18154b -
    SUB 0x18155f -
    SP 0x181573 -
    CP 0x181587 -
    MCK 0x1815af -


    If this saved you a few quid, maybe you would like to buy me a beer ;)

    View attachment 602403

    View attachment 602464

    I could not have made this solution and proved my theory without the special help from pulser_g2 and Fall Guy.

    I have been advised by pulser_g2 that Chainfire will make a software solution next week using this information.
    (APK is here http://xdaforums.com/showthread.php?t=1092451)
    13
    Might try that, but can the phone boot without the nv_data? I thought it would fail


    On the subject of resetting the counter, I found out how!!!!

    It also tells you your kernel is original when it is supercurio's or Chainfire's :D:D

    My phone claims to be unhacked but it's rooted n everything.

    I'm uploading video proof now!



    How did I do it?

    Well, you know the download mode jig you can make to put the SGS into download mode? I make them and sell them on eBay to make a few quid. (Not too great, too many others doing it.)

    I thought "it worked on my SGS, will it work on this?"

    Powered off the SGS II, plugged the jig in and encountered a screen saying "erasing download information succeeded", and now it says I have no custom binaries and my current binary is "samsung official", when it's Chainfire's.

    It also removes the triangle warning on first boot because it thinks it's genuine. But I still have my root privileges.

    I call this a warranty solution. All thanks to a resistor and a micro USB plug. :D
    http://www.youtube.com/watch?v=poH6TMbuj3E
    7
    So without asking me or pulser_g2, who can work it out from this?

    Found 1 CUDA device(s)
    Starting brute-force attack, Charset Len = 10, Min passlen = 8, Max passlen = 8
    Charset (unicode -> 0) [0123456789]
    Charset in HEX: 30 31 32 33 34 35 36 37 38 39
    Starting from [00000000]
    Hash type: SHA1, Hash: ef63bf26e2382917d96850ccf9632458ee6e6c77
    Salt: 00 00 00 00 00 00 00 00
    Device #0: [GeForce 8800 GT] 1625.00 Mhz 112 SP
    Hardware monitoring disabled.
    CURPWD: 46886710 DONE: 75.50% ETA: 0s CURSPD: 134.8M
    Found password: [50681318], HEX: 35 30 36 38 31 33 31 38
    Processed 75 497 472 passwords in 1s.
    Thus, 130 844 838 password(s) per second in average.

    and to the person who approached me and said lets do this and make lots of money FCUK YOU!!!

    Took me less than 1 hour's working time to find the solution, big thanks to pulser_g2 for supplying the needed files to speed up my work.

    PS: How do I get a donate button ;)
    5
    I'm happy to test for you. Mine is locked, tried T-Mobile earlier today, and it required a code. I'm rooted so I can provide anything.

    Grab that file from the device and pop me a PM. I presume you know how to get ADB up and running?