XDA Developers Android and Mobile Development Forum

[DEV][SIMLOCK] Developing a free sim-unlock for the Galaxy Ace 2(X)

 
krazykipa
#1  
Member - OP
Thanks Meter 47
Posts: 72
Join Date: Jan 2011

Hello,

I am starting this thread in the hopes of spurring some investigation into how to unlock the Samsung Galaxy Ace 2(X) without paying for an unlock code or for a service box such as Octoplus etc. All other methods for unlocking Samsung devices (dialer code, nv_data etc) do not work on this device.

I have made a little bit of progress on my own device, the GT-S7560m or Galaxy Ace 2X, outlined here. Unfortunately, I cannot provide a method to unlock as of yet, as the method I currently have found will replace the target device IMEI with the IMEI of the 'donor' device. I have not found a way to change the IMEI back (yet).

First, what I did was simple: root the phone and back up all partitions other than /system, /data and /cache (/dev/block/mmcblk0pX). I did this a couple of times, in between reboots and factory resets, to have multiple backups as well as to see whether any partitions change after reboots or resets.

It turns out that there are five partitions which change (slightly or drastically) after reboots/resets. These are:

mmcblk0p9
mmcblk0p10
mmcblk0p11
mmcblk0p13
mmcblk0p19 (/efs, found via mount command)

Since the S7560M does not have a GPT partition table, I can't find the labels for what these partitions actually are. 11, 13 and 19 are mostly blank, while 9 and 10 are chock full.

Next, I bought an unlock service on eBay. Once unlocked, I took another image of all the partitions, and compared which ones were changed (locked vs unlocked). Unsurprisingly, the same five partitions were different.

To narrow it down, I then flashed back the locked versions of these partitions until my simlock returned.

mmcblk0p9 is the partition that holds the simlock data

I tested flashing only p9 and, indeed, simlock disappeared and reappeared according to the version being flashed. I have multiple devices to test with at the moment, so I took the unlocked p9 from Phone A and flashed it to Phone B, and sure enough, Phone B could then accept foreign SIM cards.

Unfortunately, this also changed Phone B's IMEI to that of Phone A.

I tried various tools to attempt to zero out the IMEI (so that the partition image can be shared between devices and the end-user can then restore their proper IMEI) to no avail. It seems the NV items on this device are locked or read-only for some reason.

CDMA Workshop, NV Items Reader-Writer, QPST, QXDM, all these tools are able to read NV items fine, but when trying to write back NV item 550 ue_imei it inevitably fails. In QPST an unknown error (0x80004005) is thrown when writing, whereas in QXDM the program states "No DIAG response received" when attempting to write the NV item. I tried multiple phones, PCs and versions of Windows with the same error.

You'll recall that on other devices such as the GS3, QPST/QXDM/etc. work perfectly fine to restore the IMEI through NV editing.

I believe mmcblk0p9 is the 'real' EFS partition, holding the NV items for the device. It also seems to be encrypted, since I cannot find the IMEI in either hex or decimal format inside it, yet the IMEI is changed when the partition is cross-flashed. Across phones, and even after simply rebooting, the partition almost completely changes, save for a header and a couple of other bytes.

In order to unlock the device freely, I believe the next step is to either decrypt mmcblk0p9, or find a way to get QPST/QXDM to write to the phone.

If you have any thoughts/experience, feel free to post below! I am sort of stuck here.
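The snapshot-and-compare step the OP describes (dump the raw partitions, reboot or reset, dump again, see which ones changed and by how much) is the same differential technique used in flash forensics. The Python helper below is an added example, not code from the OP or from any tool named in the thread: it hashes each partition image across snapshots, reports the partitions that differ, how many 512-byte sectors changed, whether the first sector (a header) survived, and how much of the image is blank filler (0x00/0xFF). The directory layout (`mmcblk0p9.img` dd dumps per snapshot), the partition names in the sample and the sample bytes themselves are constructed for the example. It only reads dump files; nothing is written to a device.

```python
"""Differential analysis of raw partition snapshots.

Given several dumps of the same partitions taken at different moments
(before/after a reboot, a factory reset, or some other state change), report
which partitions differ, how much of each differs at sector granularity,
whether the first sector survived, and how much of the image is blank filler.
Read-only: nothing here writes back to a device.
"""
import hashlib
import random
from pathlib import Path
from typing import Dict, Optional

SECTOR = 512  # compare at flash-sector granularity


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def blank_ratio(data: bytes) -> float:
    """Fraction of bytes that are 0x00 or 0xFF (erased flash reads back as 0xFF)."""
    if not data:
        return 1.0
    return (data.count(0x00) + data.count(0xFF)) / len(data)


def compare_images(a: bytes, b: bytes, sector: int = SECTOR) -> dict:
    """Sector-level comparison of two images of the same partition."""
    total = -(-max(len(a), len(b)) // sector)  # ceiling division
    changed = 0
    first_diff: Optional[int] = None
    for i in range(total):
        sa, sb = a[i * sector:(i + 1) * sector], b[i * sector:(i + 1) * sector]
        if sa == sb:
            continue
        changed += 1
        if first_diff is None:
            # first differing byte inside this sector (or its end if one image is shorter)
            off = next((j for j, (x, y) in enumerate(zip(sa, sb)) if x != y),
                       min(len(sa), len(sb)))
            first_diff = i * sector + off
    return {
        "changed_sectors": changed,
        "total_sectors": total,
        "changed_ratio": changed / total if total else 0.0,
        "first_diff_offset": first_diff,
        "header_intact": a[:sector] == b[:sector],
    }


def find_changing_partitions(snapshots: Dict[str, Dict[str, bytes]]) -> Dict[str, dict]:
    """Compare every later snapshot against the first; keep only partitions that differ.

    snapshots maps a label (e.g. "boot1", "after_reset") to {partition: image}.
    For each changed partition the most drastic difference seen is reported.
    """
    labels = list(snapshots)
    base = snapshots[labels[0]]
    report: Dict[str, dict] = {}
    for part, base_img in base.items():
        for label in labels[1:]:
            other = snapshots[label].get(part)
            if other is None or sha256(other) == sha256(base_img):
                continue  # missing from that snapshot, or byte-identical
            stats = compare_images(base_img, other)
            stats["versus"] = label
            stats["blank_ratio"] = blank_ratio(base_img)
            if part not in report or stats["changed_ratio"] > report[part]["changed_ratio"]:
                report[part] = stats
    return report


def load_snapshot_dir(directory: Path) -> Dict[str, bytes]:
    """Load one snapshot: a directory of dd dumps named like mmcblk0p9.img (assumed layout)."""
    return {p.stem: p.read_bytes() for p in sorted(directory.glob("*.img"))}


def constructed_snapshots() -> Dict[str, Dict[str, bytes]]:
    """Constructed in-memory stand-in for two dump directories; not data from any device."""
    rng = random.Random(1)

    def rand(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    header = bytes(range(256)) * 2                        # one fixed 512-byte header sector
    full_a = header + rand(7 * SECTOR)                    # "chock full", rewritten each boot
    full_b = header + rand(7 * SECTOR)
    blank_a = bytes(8 * SECTOR)                           # mostly blank, two bytes change
    blank_b = blank_a[:3 * SECTOR] + b"\x01\x02" + blank_a[3 * SECTOR + 2:]
    static = rand(4 * SECTOR)                             # never changes
    return {
        "boot1": {"p9": full_a, "p11": blank_a, "p7": static},
        "boot2": {"p9": full_b, "p11": blank_b, "p7": static},
    }


if __name__ == "__main__":
    for part, st in sorted(find_changing_partitions(constructed_snapshots()).items()):
        print(f"{part}: {st['changed_sectors']}/{st['total_sectors']} sectors changed vs "
              f"{st['versus']}, header intact={st['header_intact']}, "
              f"blank={st['blank_ratio']:.0%}, first diff @0x{st['first_diff_offset']:x}")
```

With real dumps, `load_snapshot_dir(Path("dump_boot1"))` and `load_snapshot_dir(Path("dump_boot2"))` would be passed in place of `constructed_snapshots()`. Comparing at sector granularity rather than byte by byte keeps the run fast on multi-megabyte images and matches how flash is written, and the `header_intact` flag is what separates "whole partition rewritten" from "rewritten except for a fixed header", the distinction the OP draws for mmcblk0p9.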
 
Codename13
#2  
Senior Member
Thanks Meter 878
Posts: 814
Join Date: Jun 2012
This is a REALLY interesting thread. We need more of these! I know that to unlock my good old Galaxy Gio, you had to pull the bml5 partition and look at it with a hex editor to find 8 digits surrounded by nonsense symbols. Unlocking this device is gonna be MUCH harder, but maybe we just need to look at one of the 5 partitions you mentioned with a hex editor? I have no need of unlocking my device, nor have I ever actually tried it, but I'd like to get involved in this. Tell me, what happens when you insert a foreign sim card into your Ace II X (then you power it on or reboot it)? Does a dialog pop up asking for a code?

Samsung Galaxy Ace II X
(GT-S7560M) - Android 4.3.1 JB - CM10.2 with some bugs

Released Works:Status: Add ".patch" to the end of the link to a Github commit, then download the commit as a patch using wget. *mindblown*


Press THANKS if I helped you in any way!
 
angrybb
#3  
Member
Thanks Meter 25
Posts: 51
Join Date: Apr 2012
Don't bother with tools from the market; they are made for units with Samsung and Qualcomm CPUs. Ace2/S3 mini/S Advance/Xperia Sola/Xperia U and a few others use the NovaThor CPU from ST-Ericsson. So you should look in that direction. I have posted partition info here http://forum.xda-developers.com/show...2&postcount=22

You should also look at those threads about partitions and some other info:
http://forum.xda-developers.com/show....php?t=2145464
http://forum.xda-developers.com/show....php?t=2352064
http://forum.xda-developers.com/show....php?t=2389395
http://forum.xda-developers.com/show....php?t=2132670

IIRC the IMEI is most likely in the cspsa partition, but encrypted. Search also for binaries in /system/lib/tee.
Some things I think may help further:
- gap between partitions
- serial number is not encrypted; you can find it by searching the dump

If you want, you can buy a development board for NovaThor pretty cheap at http://shop.strato.com/epages/614286...ObjectID=11538 as this platform seems dead since the ST-Ericsson split, and so is the price of the board.
 
Szaby59
#4  
Senior Member
Thanks Meter 285
Posts: 403
Join Date: Aug 2010
For i8160/p/l (and for all phones with the NovaThor SoC) the IMEI, serial and simlock data are on cspsa_fs, that's 100%, but it's encrypted and I think there is a hash check or something similar, because if you edit something (no matter what) in the cspsa partition dump, after reflashing the modem completely stops working - no signal, no IMEI.
 
Codename13
#5  
Senior Member
Thanks Meter 878
Posts: 814
Join Date: Jun 2012
Quote:
Originally Posted by Szaby59 View Post
Quote:
Originally Posted by angrybb View Post
You guys are mistaken. The device being discussed is not the Ace II but the Ace II X (same as the S7560 Galaxy Trend or S7562 S Duos, but with a single SIM). It does have a Snapdragon S1 clocked at 1 GHz (MSM7227A) with an Adreno 200 GPU. @op maybe you should modify the thread name to Ace II X instead of Ace 2 (X). It makes it less misleading.

 
teddytsen
#6  
Senior Member
Thanks Meter 1032
Posts: 3,276
Join Date: Mar 2013
Quote:
Originally Posted by angrybb View Post
Wrong thread, dude.

---------- Post added at 08:59 PM ---------- Previous post was at 08:59 PM ----------

Quote:
Originally Posted by Codename13 View Post
You guys are mistaken. The device being discussed is not the Ace II, but instead the Ace II X (same as S7560 Galaxy Trend or S7562 S Duos but with single sim). It does have a Snapdragon S1 clocked to 1 GHz (MSM7227A) with an Adreno 200 GPU. @op maybe you should modify the thread name to Ace II X instead of Ace 2 (X). It makes it less misleading.
They should read the entire thread first (first post), right? See how observant they are.
Galaxy Ace 2
Rom: Resurrection Remix
Kernel: Stock
Recovery: CWM
Theme

My works for Galaxy Ace 2
Android Open Kang Project 4.4
Ported Android Open Kang Project
Ported Carbon 4.4.2
MIUI v5
Resurrection Remix Kitkat
 
Codename13
#7  
Senior Member
Thanks Meter 878
Posts: 814
Join Date: Jun 2012
Is this thread dead?

 
Anas Karbila
#8  
Senior Member
Thanks Meter 131
Posts: 645
Join Date: Jan 2013
Location: Maassluis
Quote:
Originally Posted by Codename13 View Post
Is this thread dead?
I think so

---------- Post added at 09:21 PM ---------- Previous post was at 08:35 PM ----------

Quote:
Originally Posted by krazykipa View Post
Can you post a zip file of your efs folder?
Thanks in advance.
My Work:
Ace II X
>Deodexed stock rom
https://docs.google.com/file/d/0B0Cr...lzWXRidkE/edit
>PAC-Man rom
http://forum.xda-developers.com/gala...2x-gt-t2791080

Press THANKS if I helped you in any way!
 
krazykipa
#9  
Member - OP
Thanks Meter 47
Posts: 72
Join Date: Jan 2011
Hello all,

Unfortunately at this point I have sold all the Ace 2X units I had previously. I wasn't really getting anywhere anyway and ended up buying a Z3X box. Thread can be closed, or feel free to continue in my absence. Good luck!
 
Codename13
#10  
Senior Member
Thanks Meter 878
Posts: 814
Join Date: Jun 2012
I'd like if we, as developers working together, could get this done. Just a question: Is there an issue if we share the same IMEI? Why can't one of us pay to unlock our device, then share our mmcblk0p9 with others? Would it cause problems if others flashed our efs partition to their device?

