
reverse-engineering nv_data.bin

By slingamn, Junior Member on 24th August 2012, 12:07 PM
I have a rooted Galaxy Nexus GSM (Maguro) running ClockworkMod and the stable version of CM9. I've been trying to find out how exactly the IMEI is stored --- whether it's baked into the radio component or whether it's controllable from firmware --- and how /factory/nv_data.bin relates to it.

I was able to "break" my IMEI, i.e., set it to the infamous 004999010640000, via the following procedure (derived from http://forum.xda-developers.com/show....php?t=1264021 ):

0. Get an adb root shell
1. Back up the contents of `/factory`, e.g., with `adb pull`
2. Remount the `/factory` filesystem read-only with `mount -oremount,rw /dev/block/mtdblock0 /factory`
3. Delete `/factory/nv_data.bin` and `/factory/nv_data.bin.md5`
4. Delete `/data/radio/nv_data.bin` and `/data/radio/nv_data.bin.md5`
5. Reboot

After this, the IMEI was reported as 004999010640000. Then I was able to restore my IMEI to its original value as follows:

0. Restore `/factory/nv_data.bin` (owned by root)
1. Restore `/data/radio/nv_data.bin` (owned by radio)

So it seems clear that the IMEI reported by the device depends on the contents of the firmware. But it's possible that the radio unit is hard-wired to only be in two possible states, 004999 and the true IMEI.

`/data/radio/nv.log` has log lines from code attempting to read `nv_data.bin`, in particular:

Fri Aug 24 01:10:53 2012: MD5 is turned on.

I searched all the repositories in the Google Android codebase for the string "MD5 is turned on" and couldn't find the code that generates this log line. Is it possible that it's generated by a proprietary binary blob?

So, the open questions:

1. Where is the code that knows how to interpret nv_data.bin?
2. Does nv_data.bin actually contain the IMEI?

Thanks for your time!
 
 
24th August 2012, 01:38 PM |#2 by efrant, Developers Relations / Senior Moderator, Montreal
Have a look at this thread.
24th August 2012, 11:00 PM |#3 by slingamn (OP), Junior Member
Quote:
Originally Posted by efrant

Have a look at this thread.

That's more or less what I did; I was able to break and unbreak my IMEI using the procedures outlined there. What I'm trying to find out is whether the IMEI is actually stored in that file (the first "theorem" in that post, although it is not proven), what code is able to read the IMEI, and whether the IMEI can be modified.

There's some more information here: http://forum.xda-developers.com/show...1626593&page=2

which points to the Samsung rild as the code which knows how to interpret nv_data.bin, and suggests that the md5 verification is performed with a secret seed. But I can't find the source code for the Samsung-specific rild to confirm this. Perhaps it is a binary blob somewhere on my phone's filesystem?

The two strings I have to recognize the code are the log message `MD5 is turned on.` and the function `__refresh_md5_file`.
24th August 2012, 11:10 PM |#4 by slingamn (OP), Junior Member
Update: running `pmap` on `/system/bin/rild` showed that it links against `/system/vendor/lib/libsec-ril.so`. I think this is the relevant blob --- it looks like both of those strings are in there.
24th August 2012, 11:49 PM |#5 by efrant, Developers Relations / Senior Moderator, Montreal
Quote:
Originally Posted by slingamn

Update: running `pmap` on `/system/bin/rild` showed that it links against `/system/vendor/lib/libsec-ril.so`. I think this is the relevant blob --- it looks like both of those strings are in there.

/system/vendor/lib/libsec-ril.so is just the "radio interface layer". It has nothing to do with the IMEI.
26th August 2012, 10:44 AM |#6 by slingamn (OP), Junior Member
Quote:
Originally Posted by efrant

/system/vendor/lib/libsec-ril.so is just the "radio interface layer". It has nothing to do with the IMEI.

I think it does have to do with the IMEI, based on the strings that are in it. Here's the output of `nm -D` on it: gist.github.com/70f5222ce6d578a9655e

In particular, here are some suggestive strings: requestGetIMEI, requesetOemImei, requestOemEventStartIMEI, TxIMEI_EventStartImei, RxIMEI_UpdateItem.

I think it's likely that some of the functions here can be used to push a new IMEI value into the radio unit. But given that it also contains the log messages found in `nv_data.log`, it seems like it definitely has the role of reading and verifying `nv_data.bin`.

Does anyone have any guesses about the naming scheme of these functions, in particular the "Tx" and "Rx" strings?
16th November 2013, 02:56 PM |#7 by blasael, Junior Member
Quote:
Originally Posted by slingamn

I think it does have to do with the IMEI, based on the strings that are in it. Here's the output of `nm -D` on it: gist.github.com/70f5222ce6d578a9655e

In particular, here are some suggestive strings: requestGetIMEI, requesetOemImei, requestOemEventStartIMEI, TxIMEI_EventStartImei, RxIMEI_UpdateItem.

I think it's likely that some of the functions here can be used to push a new IMEI value into the radio unit. But given that it also contains the log messages found in `nv_data.log`, it seems like it definitely has the role of reading and verifying `nv_data.bin`.

Does anyone have any guesses about the naming scheme of these functions, in particular the "Tx" and "Rx" strings?

So? No updates on this?
I'm stuck with the 0000049xxxxx generic IMEI and no backup... I'm trying everything I found on the internet with my poor knowledge and I'm stuck... no idea what to do.
17th November 2013, 02:30 AM |#8 by slingamn (OP), Junior Member
Quote:
Originally Posted by blasael

So? No updates on this?
I'm stuck with the 0000049xxxxx generic IMEI and no backup... I'm trying everything I found on the internet with my poor knowledge and I'm stuck... no idea what to do.

I gave up on this project. If you're interested in working on it further, I would suggest contacting the Replicant developers (#replicant on freenode) for advice --- they're the people I would expect to know the most about hardware issues of this stripe.
14th January 2014, 04:07 AM |#9, Junior Member
Quote:
Originally Posted by slingamn

I gave up on this project. If you're interested in working on it further, I would suggest contacting the Replicant developers (#replicant on freenode) for advice --- they're the people I would expect to know the most about hardware issues of this stripe.

I am also having the same problem. I installed the 4.3 factory image, build JWR66Y, on my Galaxy Nexus. But after flashing, my IMEI became generic (004999010640000), so I can't register on the network. Can you give some suggestions to restore my genuine IMEI...