[R&D] Unlocking the Galaxy Nexus SIM Lock


shenye

Inactive Recognized Developer
Oct 29, 2009
506
1,289
London
I'm starting off trying to use Odia's method on nv_data.bin. Haven't been able to find the 5 sets of hashes I need to brute force. Also, the file is not in /efs on the Galaxy Nexus, it's in /factory.

If you would like to help, I've attached the file I'm working on. To be honest, the salt has probably been changed to prevent this method from working :(
 

Attachments

  • nv_data.rar
    10.3 KB · Views: 609

trojjanhorse

Senior Member
Dec 23, 2009
162
11
Toronto
I've been tinkering with the .bin file myself and no luck... I think I may have to buy the code after all. I would much rather pledge my support to a dev who finds a way around this.
 

bluejet07

New member
Dec 29, 2011
3
0
Hi all,

I have a Galaxy Nexus which is locked to a specific carrier. I managed to have it rooted and backed up with ClockworkMod. I also was able to obtain the unlock code from the carrier after much difficulty. Vodafone are just really painful.

Anyway, enough of the backstory. What I discovered in the process, which might help you guys find the 8-digit PIN, lives in the /data/radio/nv_data.bin file.
After restoring the ROM to its pre-unlock state, I had to see what the state of the files was before and after the unlock. I did this many times, until I found that the file
was changed (after grepping for timestamp differences etc.). As well, I've noticed that when I restored to a backup that had the network unlocked, it would just work when the SIM of the other carrier was used. So I assume that there were some files that ClockworkMod was restoring which made it unlocked. Who knew that.

When comparing this file before and after the network unlock
(hexdump both files and did a text diff),
I've noticed that the pre-unlock nv_data.bin had, at addresses 0180060 to 0180080,
0180060 ffff ffff ffff ffff 35ff 3530 3330 3523
0180070 3530 3630 ff23 ffff ffff ffff ffff ffff
0180080 ffff ffff ffff ffff ffff ffff ffff ffff
which were removed from the unlocked nv_data.bin file, as well as
0181460 ffff ffff ffff ffff 01ff 0000 0000 0442 changed to zero, i.e.
0181460 ffff ffff ffff ffff 00ff 0000 0000 0442


So maybe these are the addresses you can use to unlock your phone, or use Odia's method to find the 8-digit code. Or you could just remove these bytes and set that flag to 0, and I assume that will unlock the phone as well.

I was planning to look at Odia's work and see what he used for obtaining the code.
So I'll see if I have time to look into this. But feel free to let me know if you guys get ahead of me.
 
Last edited:

wilsonlam97

Senior Member
Jul 11, 2010
688
123
Toronto
[quoting bluejet07's post above]

Would it work if you just reflash the radio when you unlock the bootloader?
 

bluejet07

New member
Dec 29, 2011
3
0
I've flashed different radios before, but I haven't tried flashing the radio and then checking this file. However, I think that is unrelated, since the radio firmware remains the same when I restore different versions of my ClockworkMod backup, and since I can re-lock the network PIN by restoring an early image of the ROM. It is probably unrelated.

Anyway, this method assumes you have root privileges. I was more concerned with finding out how to obtain the PIN based on these hashes.
 
Last edited:

Odia

Guest
Jan 4, 2009
668
785
The method is the same, and even the hashes are in the same location. The nv_data from the OP has the new encrypted hashes like the later SGS2 models, but simply flipping the flag @ 0x181469 will work for unlocking without knowing the code.

You could also make it the same as a factory-unlocked nv_data, but I'll let you compare those and work out the method if it's something you really want to do. If it's just to unlock, I have given all the info you need.
 

bluejet07

New member
Dec 29, 2011
3
0
Yeah, so my diff confirms that. Cool, as we already established that.

But finding the code was really my goal. You know, for people who'd like to revert back to stock but still know the code.
So it is using some new encrypted hash, like in the later SGS2 posts. So we have no idea how to brute force it? Yeah, I had a look at all your posts and came to the conclusion it looks encrypted differently.
Oh well, maybe in time we can find a way to decrypt it.

Thanks for the reply!
 

shenye

Inactive Recognized Developer
Oct 29, 2009
506
1,289
London
Odia, any chance of a request for a bit of research into this? I can provide you with my locked nv_data and my unlock codes. I don't think my nv_data has been updated though, as I need to re-unlock every time I wipe...

I assume they're using a salt that's no longer 0000000000000000, so this might be able to brute force the salt string they're using?
 

Mutantz

Member
Nov 30, 2010
22
0
[quoting bluejet07's post above]
Which program can edit a .bin file?
Where is this file located?
 

sitajony

Senior Member
Unlock your Galaxy Nexus whenever you want :)

Hello, I bought my Galaxy Nexus in December, and 2 weeks later I finally found out how to unlock my phone :) I live in France and here we have to buy the code, and it's very expensive...
"I've made" a batch script that runs only on Windows, but you can see that it is shell code... (In fact it comes from a Japanese website; with no help and no choice, I created this batch script.)
After downloading, edit it and press CTRL+H, then type this in the first field:
"C:\Program Files (x86)\Android\android-sdk\platform-tools\adb.exe" and type the ADB path on your PC in the second field. (Keep this if it's the same path.)
Press CTRL+S and run it...
The first question is:
Restore? (Answers: oui=yes, non=no)
Type "yes" only if you've already tried to unlock and it didn't work...
Finally, wait a few minutes, and at the last question you can reboot your phone directly without touching it :D

Please tell me if there are problems or if you want to ask me some questions...
Good luck!
 

Roman2K

Member
Jan 10, 2012
43
14
@sitajony
Thanks a lot for contributing this Windows batch script!

However, I think it's a bit of a mess in there (repetitions, some useless RW remounts, world-writable permission settings, deletions of files in / that weren't created in the first place). Anyone willing to run it ought to double check every single line beforehand.

From what I understand, the core of it boils down to something like this:
Code:
$ echo -en \\x00 > tmp00                                              # one zero byte, later written over the flag
$ dd if=/factory/nv_data.bin of=tmpff bs=1 count=30 skip=16           # 30 filler bytes taken from offset 16 (expected to be 0xff)
$ dd if=/factory/nv_data.bin of=data1 bs=1 count=1572969              # bytes 0x000000..0x180068: everything before the lock data
$ dd if=/factory/nv_data.bin of=data2 bs=1 skip=1572999 count=5090    # bytes 0x180087..0x181468: between the lock data and the flag
$ dd if=/factory/nv_data.bin of=data3 bs=1 skip=1578090               # bytes 0x18146a..end: everything after the flag
$ cat data1 tmpff data2 tmp00 data3 > nv_data.bin                     # lock data (0x180069..0x180086) -> filler, flag @ 0x181469 -> 0x00
$ md5sum nv_data.bin | tr '\n' 'X' | sed 's/ .*//' > nv_data.bin.md5  # sidecar holds the bare digest, no filename, no newline
# cp nv_data.bin{,.md5} /data/radio/

So this /factory/nv_data.bin is being split and the pieces re-arranged. Do you have details as to what is being done exactly? And / or the link to the original script on the Japanese site?
 

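bluejet07's hexdump diff, Odia's flag address and the dd reassembly above all describe one byte-level edit to nv_data.bin. The following Python is an added example, not code from the thread or from any of its posters: it builds a constructed stand-in for a locked nv_data.bin that reproduces the posted hexdump lines, reports the differing byte ranges the way a hexdump-and-diff would, applies the patch at the documented offsets, checks the result against a literal transcription of the dd/cat lines, and produces the string the .md5 sidecar must hold. The sample file size, the ASCII decoding of the lock region ("50503#50506#", whose meaning the thread does not state), and the assumption that bytes 16..45 of a real file are 0xff are mine, not the page's. Back up /factory and /data/radio before pointing it at a real file.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): byte-level view of the Galaxy Nexus
nv_data.bin unlock patch discussed above.

Offsets come from bluejet07's hexdump diff, Odia's flag address (0x181469)
and the dd script Roman2K extracted from sitajony's batch file.  The sample
nv_data.bin built below is CONSTRUCTED for the demo; a real file may differ
in size and content, so only the documented offsets are touched."""
import hashlib
import sys

LOCK_OFF = 0x180069      # first byte the unlock blanks (dd: count=1572969)
LOCK_LEN = 30            # dd: tmpff is 30 bytes
FLAG_OFF = 0x181469      # Odia: "flipping the FLAG @ 0x181469"
SAMPLE_SIZE = 0x190000   # constructed; the real file size is not given on the page

# ASCII content of the locked region, decoded from the posted hexdump words
# (bytes 0x180069..0x180074).  Its meaning is not stated in the thread.
LOCK_STR = b"50503#50506#"


def build_sample_nv_data() -> bytes:
    """Constructed stand-in for a locked nv_data.bin matching the posted hexdump."""
    buf = bytearray(b"\xff" * SAMPLE_SIZE)
    buf[LOCK_OFF:LOCK_OFF + len(LOCK_STR)] = LOCK_STR
    buf[FLAG_OFF] = 0x01                            # lock flag set
    buf[FLAG_OFF + 1:FLAG_OFF + 5] = b"\x00" * 4
    buf[FLAG_OFF + 5:FLAG_OFF + 7] = b"\x42\x04"    # the "0442" word in the dump
    return bytes(buf)


def hexdump_line(data: bytes, off: int) -> str:
    """One line in default `hexdump` format (16-bit little-endian words), as posted."""
    chunk = data[off:off + 16]
    words = [f"{(chunk[i + 1] << 8) | chunk[i]:04x}" for i in range(0, len(chunk) - 1, 2)]
    return f"{off:07x} " + " ".join(words)


def diff_ranges(a: bytes, b: bytes):
    """Byte ranges [start, end) where two equally sized files differ
    (the programmatic version of "hexdump both files and do a text diff")."""
    if len(a) != len(b):
        raise ValueError("files differ in size; not a plain in-place edit")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def apply_unlock_patch(data: bytes) -> bytes:
    """Blank the 30-byte lock region with 0xff and clear the flag byte."""
    if len(data) <= FLAG_OFF:
        raise ValueError("file too small to contain the documented offsets")
    out = bytearray(data)
    out[LOCK_OFF:LOCK_OFF + LOCK_LEN] = b"\xff" * LOCK_LEN
    out[FLAG_OFF] = 0x00
    return bytes(out)


def dd_script_equivalent(data: bytes) -> bytes:
    """Literal re-assembly from the posted dd/cat lines, for comparison.
    The 30 filler bytes come from offset 16 of the original, as the script
    does; they equal 0xff only if that region is 0xff (assumed here)."""
    return (data[:1572969]                  # data1
            + data[16:16 + 30]              # tmpff
            + data[1572999:1572999 + 5090]  # data2
            + b"\x00"                       # tmp00
            + data[1578090:])               # data3


def md5_sidecar(data: bytes) -> str:
    """Contents of nv_data.bin.md5: bare hex digest, no filename, no newline
    (what the posted `md5sum | tr | sed` pipeline produces)."""
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    locked = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_nv_data()
    patched = apply_unlock_patch(locked)
    for start, end in diff_ranges(locked, patched):
        print(f"changed 0x{start:06x}..0x{end - 1:06x}")
    for off in (0x180060, 0x180070, 0x181460):
        print(hexdump_line(locked, off), "->", hexdump_line(patched, off))
    print("nv_data.bin.md5:", md5_sidecar(patched))
```

Run without arguments it works on the constructed sample; with a path it reads that file and prints the before/after dump lines without writing anything, so the differing ranges can be compared against the posted diff before any copy to /data/radio/.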
cristian1975

Member
Sep 5, 2008
17
0
Don't know what it is doing, but it works. But back up the EFS folder, factory, ... first.
@sitajony - I didn't have the cp command in my "nexus" shell, but I managed with RootExplorer and the rest of the code, thanks.
 

gaglax

Member
Jan 22, 2011
45
4
[quoting Roman2K's post above]

I am planning to switch from stock to CyanogenMod 9.
So is it safe to use the script and then flash CM9?

Thx
 

sitajony

Senior Member
Sorry, I can't answer immediately; I don't remember the website address, sorry...
@gaglax Don't run this code, run the batch script, or else you'll get errors; there are some other lines needed...
You have to run it after any ROM flash if you've deleted the "/data" folder in the ClockworkMod menu...

@Roman2K
Yes, it's split: we take the bytes we need, without the information about the unlock state, and then write it all into the "nv_data.bin" file in the unlock folder...

I've also noticed that I have some problems with my network; sometimes I'm in offline mode. Does someone else have this problem too?
 

gaglax

Member
Jan 22, 2011
45
4
OK, so I flashed CyanogenMod 9 kang.
Then replaced the path... but it always says permission denied.

So I went to settings/debugging and enabled root, ADB over network.
Now I cannot get into the phone via adb:
Code:
C:\>"c:\android-sdk\platform-tools\adb.exe" devices
List of devices attached
000000000000        device

C:\>"c:\android-sdk\platform-tools\adb.exe" shell

It just stays there...

OK, I think that ADB over network is somehow broken in the latest kang from here: http://xdaforums.com/showthread.php?t=1398495
 
Last edited:

Roman2K

Member
Jan 10, 2012
43
14
@gaglax
"su" asks for a password before executing a command (or shell) as another user. If "root" doesn't have a password, I believe it prints the "Permissions denied" error you're getting.

To run commands as root with "adb", you should rather start with running:
Code:
$ adb root

This will restart the ADB client process in the background (sort of bridge between the "adb" command and the phone) with root privileges. For that, your phone must be running a build with root access, like a development build (build type full_maguro-userdebug).

Then, to run commands more conveniently than invoking "adb" every time:
Code:
$ adb shell

@sitajony
OK, thanks for the clarifications.

I haven't tried the chopped up + reassembled nv_data.bin yet. I'm all new to Android and even newer to the SDK. Really good stuff, high quality documentation, but I'm going step by step before attempting anything I don't understand fully.

I've tried loading a factory image, thinking that since it replaces the radio flash partition, it would load a clean version of whatever it is the carrier tampered with. Didn't work, still asks for a network unlock code after entering the PIN code.

Next, I'll try your nv_data.bin manipulation, but first I'm building a -userdebug to gain root access.
 
Last edited:

gaglax

Member
Jan 22, 2011
45
4
[quoting Roman2K's post above]

Cool, that was it..!! :D
I restarted with:
Code:
adb root
then used the script.
Somehow there were some error messages, but the Galaxy Nexus is now SIM unlocked.

Thx for your help ;-)
 

Top Liked Posts

    1
    I reflashed my GNex with an AOSP rooted ROM and I unlocked it again, but the phone still enters airplane mode for 1 or 2 minutes randomly.
    Please help with this; I reverted to my old Nokia :confused:

    Did you execute a full wipe, factory reset, Dalvik cache, ...?
    Attached you will find my original files.
    1
    Help!!

    Why does it not work?!?
    Please help me!!
    1
    Since there hasn't been much more discussion going on and I've recently gotten a SIM-locked Nexus myself, I decided to try out this "hack" and I got the same issue as most, with network calls dropping and data dropping and swapping over to roaming and just going nuts.

    I decided to try out another modem, so I flashed XXKL1 from http://xdaforums.com/showthread.php?t=1444288 and it has just been working flawlessly for two days now. I also pushed it a lot with web radio streaming nonstop, surfing the web, making calls etc., and it didn't drop once, and the following day when I was out working, passing by different cell stations etc., I had the same experience as at home: NO DROPS. So this modem will also help users running old vanilla firmware etc. I think the kernel can screw it up a bit as well, since I saw some posts about people still having issues (with XXKL1), but that was with custom kernels instead of the one supplied with each ROM.

    I haven't tried many ROMs, as I went through quite some posts before I decided on one, and I chose Paul's 4.04 (from MoDaCo http://android.modaco.com/topic/351...a-gsm-modaco-custom-rom-for-the-galaxy-nexus/) since it didn't have too much overclock and modified-kernel bull**** which otherwise makes your phone unstable and messy and just creates other problems that take time to track down.


    So for me, I used the Galaxy Nexus toolkit to unlock and root the phone, then I used the patch from this thread, and after that I flashed Paul's Ir11 Beta 2 4.04 ROM + XXKL1 baseband modem, which has been working flawlessly. Always remember to clear data/system/cache and Dalvik cache if you are coming from another ROM/kernel to avoid strange issues, and stay away from weird kernels unless you want to risk it; of course, then go ahead and have a messy phone :)
    1
    I purchased an unlocked GSM phone and used WugFresh's toolkit to unlock it and reflash with yakju. Before doing this the phone worked fine with my SIM card. After the process I got "SIM network unlock PIN".

    I am seeing a lot of stuff in this thread, and after this failure I don't want to do more to my phone than is needed to get it to work.

    What do I need to do at this point to get my phone to use the SIM and have a stock Google image?

    Your help is appreciated.

    Just type your purchased unlock code that you already bought.