[HOWTO] GT-I9100 Free SIM Unlock via nv_data.bin by Odia

---

Free SIM Unlock for SGS2 by Odia. (ONLY for HW Version MP 1.200)

1. Root your phone.
2. Extract your nv_data.bin
3. Look at the file with an hex-editor and goto offset 0x181460 (Ultra Edit, HxD, Hex-Workshop etc)
4. Take the hashes from 0x18146e (20 bytes), 0x18148e, 0x1814ae, 0x1814ce, 0x1814ee
5. If the hash is 7D 3E 17 CF CD 81 6C AC D4 E0 25 FA A6 50 04 FD D1 7D 51 F8 ignore it since that is 00000000
6. Put the hash into the BF exe for example:-
ighashgpu.exe /h:EF63BF26E2382917D96850CCF9632458EE6E6C77 /t:sha1 /c:d /max:8 /min:8 /salt:0000000000000000
and wait for it to finish, do that for each hash which is not zeros, the Found password: [50681318] is the code.
7. Put unaccepted simcard in the phone and when it asks for the unlock code enter them in order
8. Job done, phone is now unlocked for free.

If you cannot find a block which looks like hashes @ 0x181460, then search for SSNV and add 5216, but from the files which I have seen the block appears to be fixed @ 0x181460.

If it will not accept the code which you believe to be correct, it means the attempts have been used up, so you need to use the MCK code to unfreeze your phone, note it will not request unfreeze code, just say network lock unsucessful even your code is valid. (MCK HASH is @ offset 0x180049)

Added an example for what you need to look for.


Mastercode

Dynamic located PERSO section, holds the mastercode (MCK / unfreeze), search for PERSO and look for a hash, can be multiple old sections, added screendump with an example.
MCK HASH is also in the SSNV section @ offset 0x180049


Direct Offsets

GT-I9100
NET 0x18146e -
SUB 0x18148e -
SP 0x1814ae -
CP 0x1814ce -
MCK 0x180049 -

GT-I9000
NET 0x18154b -
SUB 0x18155f -
SP 0x181573 -
CP 0x181587 -
MCK 0x1815af -


If this saved you a few quid, maybe you would like to buy me a beer

Attachment 602403

Attachment 602464

I could not have made this solution and proved my theory without the special help from pulser_g2 and Fall Guy.

I have been advised by pulser_g2 that Chainfire will make a software solution next week using this information.
(APK is here http://forum.xda-developers.com/show....php?t=1092451)

Im happy to test for you. Mine is locked, tried tmobile earlier today, and it required a code, im rooted so i can provide anything.

Quote:

Originally Posted by nintendolinky

Im happy to test for you. Mine is locked, tried tmobile earlier today, and it required a code, im rooted so i can provide anything.

Grab that file from the device and pop me a PM. I presume you know how to get ADB up and running?

OK. Sorta bad news. I can't see a way to retrieve the code itself from the file...

On another note, I DO notice that at address 0x181468, we see the semi-familiar pattern of FF 01 00 00 00 00 ...

On an unlocked phone, that was FF 00 00 00 00 00 (I checked earlier)

This fits in with the information at http://forum.xda-developers.com/showthread.php?t=761045, namely "Change any 0x01 to 0x00 (or 0x00 to 0x01 to lock for warranty)"

That suggests there is a possibility a free unlock could be gained by editing this file. But there would likely be consequences. As such I'm not going to recommend that, nor give instructions for it... If anyone chooses to, they do it 100% at their own risk, and should bear in mind that they NEED a backup of that and the corresponding md5sum first.

But I can't see an unlock code in plaintext

Anyway, that should be food for thought for someone who has a desire to mess about with their device. I won't be trying it for now, and I recommend you don't unless you know what to do to fix this, and are aware you are messing with stuff I don't know much about...

P

Quote:

Originally Posted by pulser_g2

OK. Sorta bad news. I can't see a way to retrieve the code itself from the file...

On another note, I DO notice that at address 0x181468, we see the semi-familiar pattern of FF 01 00 00 00 00 ...

On an unlocked phone, that was FF 00 00 00 00 00 (I checked earlier)

This fits in with the information at http://forum.xda-developers.com/showthread.php?t=761045, namely "Change any 0x01 to 0x00 (or 0x00 to 0x01 to lock for warranty)"

That suggests there is a possibility a free unlock could be gained by editing this file. But there would likely be consequences. As such I'm not going to recommend that, nor give instructions for it... If anyone chooses to, they do it 100% at their own risk, and should bear in mind that they NEED a backup of that and the corresponding md5sum first.

But I can't see an unlock code in plaintext

Anyway, that should be food for thought for someone who has a desire to mess about with their device. I won't be trying it for now, and I recommend you don't unless you know what to do to fix this, and are aware you are messing with stuff I don't know much about...

P

Scared are we?

Pretty understandable tbh, I was kinda hoping it was as easy to unlock as the SGS but maybe there is still a way...let's hope so.

Just want to say, hex editing doesnt work. Doesn't detect sim and you get no signal, just put old file back and all works. Looks like we're gonna need another fix.

Quick question, can anyone who has an unlocked device please send me there nv_data.bin.

I want to see if there are any other differences that could be keeping it locked.

Quote:

Originally Posted by dh2311

Just want to say, hex editing doesnt work. Doesn't detect sim and you get no signal, just put old file back and all works. Looks like we're gonna need another fix.

Quick question, can anyone who has an unlocked device please send me there nv_data.bin.

I want to see if there are any other differences that could be keeping it locked.

I diffed an unlocked and locked one, and there's a lot of differences at binary level

I would need to ask the guy whose unlocked nv_data I borrowed if he was OK with that, or see if someone else has one...

Also, I did think. Perhaps it "rejects" the file if the MD5 thing doesn't match. If it's a salted MD5, then it could check the md5 of the bin file salted against a "secret" string, and then compare to the contents of the md5sum file...

When I tried putting the old file back i used all the same commands, and it said there was no md5 sum. Which would be expected to be honest. But maybe it requires one. Ill try again this time leave the md5. Doubt it'll work, but its worth ago

EDIT: Faliure again!

Also as a note, cannot be anything to do with the md5 sum, just removed and it still works, so it cannot be checking values against it.

Quote:

Originally Posted by dh2311

Also as a note, cannot be anything to do with the md5 sum, just removed and it still works, so it cannot be checking values against it.

OK. So it seems to be checking this file is "valid" somehow then...