[R&D] Unlocking the Galaxy Nexus SIM Lock

By shenye, Inactive Recognized Developer on 18th November 2011, 08:43 PM
I'm starting off trying to use Odia's method on nv_data.bin. Haven't been able to find the 5 sets of hashes I need to brute force. Also, the file is not in /efs on the Galaxy Nexus, it's in /factory.

If you would like to help, I've attached the file I'm working on. To be honest, the salt has probably been changed to prevent this method from working.
Attached Files: nv_data.rar (10.3 KB, 602 views)
8th December 2011, 07:46 PM |#2  
trojjanhorse, Senior Member (Toronto)
I've been tinkering with the .bin file myself and no luck... I think I may have to buy the code after all. I would much rather pledge my support to a dev who finds a way around this.
8th January 2012, 06:13 AM |#3  
bluejet07, Junior Member
Hi all,

I have a Galaxy Nexus which is locked to a specific carrier. I managed to get it rooted and backed up with ClockworkMod. I also was able to obtain the unlock code from the carrier after much difficulty. Vodafone are just really painful.

Anyway, enough of the backstory. The process I carried out turned up something that might help you guys find the 8-digit PIN; it lives in the /data/radio/nv_data.bin file.
After restoring the ROM to the state before unlocking, I had to see what the state of the files was before and after the unlock. I did this many times, until I found that this file was changed (after grepping for timestamp differences etc.). As well, I've noticed that when I restored to a backup that had the network unlocked, it would just work when the SIM of the other carrier was used. So I assume that there were some files that ClockworkMod was restoring which made it unlocked. Who knew that.

When comparing this file before and after the network unlock (I hexdumped both files and did a text diff), I noticed that the unlock nv_data.bin had addresses 0180060 to 0180080
0180060 ffff ffff ffff ffff 35ff 3530 3330 3523
0180070 3530 3630 ff23 ffff ffff ffff ffff ffff
0180080 ffff ffff ffff ffff ffff ffff ffff ffff
removed from the unlocked nv_data.bin file as well as
0181460 ffff ffff ffff ffff 01ff 0000 0000 0442 changed to zero, i.e.
0181460 ffff ffff ffff ffff 00ff 0000 0000 0442


So maybe these are the addresses you can use to unlock your phone or use Odia's method to find the 8-digit code. Or you could just remove these bytes and set that flag to 0, and I assume that will unlock the phone as well.

I was planning to look at Odia's work and see what he used for obtaining the code, so I'll see if I have time to look into this. But feel free to let me know if you guys get ahead of me.
8th January 2012, 07:11 AM |#4  
wilsonlam97, Senior Member (Toronto)
Quote:
Originally Posted by bluejet07

Hi all,

I have a galaxy nexus which is locked to a specific carrier. I managed to have it rooted and backed up with clockworkmod. [...]

Would it work if you just reflash the radio when you unlock the bootloader?
8th January 2012, 07:31 AM |#5  
Junior Member
I've flashed different radios before, but I haven't checked flashing the radio and then checking this file. However, I think that is unrelated, since the radio firmware remains the same when I restore different versions of my ClockworkMod backup, and since I can relock the network PIN by restoring an early image of the ROM. It is probably unrelated.

Anyway, this method will assume you have root privileges. I was more concerned with finding out how to obtain the PIN based on these hashes.
9th January 2012, 10:17 AM |#6  
Guest
Method is the same, even the HASHes are in the same location, the nv_data from the OP has the new CRYPTED HASHes like the later SGS2 models, but simply flipping the FLAG @ 0x181469 will work for making unlock without knowing the code.

You could also make it the same as a factory unlocked nv_data, but I'll let you compare those and work out the method if it's something you really want to do; if it's just to unlock, I have given all the info you need.
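The two posts above disagree by one byte on where the flag sits: bluejet07's dump shows the change in the word printed at 0181468, while Odia names 0x181469. Both are right, because plain `hexdump` (without `-C`) prints 16-bit words in host byte order, so the low byte of "01ff" is at the even offset and the 0x01 is one byte further on. The script below is an added example, not code from either poster: it parses the exact hexdump lines quoted in post #3, converts the words back into byte offsets, and reports each contiguous run of differing bytes with its ASCII decoding. The "unlocked" listing is constructed on the assumption that the bytes the post calls "removed" were overwritten with 0xff (nv_data.bin is a fixed-size image); that assumption and the analysis are mine, not the thread's.

```python
"""Locate byte-level differences between two plain `hexdump` listings.

Plain `hexdump` (no -C) prints 16-bit words in host order on a
little-endian host, so the word "01ff" shown at offset 0x181468 means
byte 0x181468 == 0xff and byte 0x181469 == 0x01.  This is why a flag
that "looks like" it is at 0x181468 in the dump is really at 0x181469.
"""

# Constructed sample: the three hexdump lines quoted in post #3 for the
# locked file.  The unlocked file is ASSUMED to carry 0xff where the post
# says the bytes were "removed" (nv_data.bin is a fixed-size image).
LOCKED_DUMP = """\
0180060 ffff ffff ffff ffff 35ff 3530 3330 3523
0180070 3530 3630 ff23 ffff ffff ffff ffff ffff
0181460 ffff ffff ffff ffff 01ff 0000 0000 0442
"""

UNLOCKED_DUMP = """\
0180060 ffff ffff ffff ffff ffff ffff ffff ffff
0180070 ffff ffff ffff ffff ffff ffff ffff ffff
0181460 ffff ffff ffff ffff 00ff 0000 0000 0442
"""


def parse_hexdump(text):
    """Map byte offset -> byte value from plain hexdump word output.

    Each line is a hex offset followed by up to eight 16-bit words in
    little-endian order: the word "35ff" at offset 0x180068 is byte
    0xff at 0x180068 followed by byte 0x35 at 0x180069.
    """
    image = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        base = int(fields[0], 16)
        for i, word in enumerate(fields[1:]):
            value = int(word, 16)
            image[base + 2 * i] = value & 0xFF      # low byte first
            image[base + 2 * i + 1] = value >> 8    # high byte second
    return image


def diff_bytes(before, after):
    """Sorted (offset, old, new) triples for bytes that differ in both images."""
    common = before.keys() & after.keys()
    return sorted((off, before[off], after[off])
                  for off in common if before[off] != after[off])


def printable_run(image, offsets):
    """Decode the bytes at `offsets` as ASCII, using '.' for non-printables."""
    return "".join(chr(image[o]) if 0x20 <= image[o] < 0x7F else "."
                   for o in offsets)


def summarize(before_text, after_text):
    """Group differing bytes into contiguous runs and describe each run."""
    before, after = parse_hexdump(before_text), parse_hexdump(after_text)
    runs, current = [], []
    for off, _old, _new in diff_bytes(before, after):
        if current and off != current[-1] + 1:
            runs.append(current)
            current = []
        current.append(off)
    if current:
        runs.append(current)
    return [{"start": r[0], "end": r[-1], "length": len(r),
             "before": printable_run(before, r),
             "after_bytes": [after[o] for o in r]} for r in runs]


if __name__ == "__main__":
    for run in summarize(LOCKED_DUMP, UNLOCKED_DUMP):
        print(f"0x{run['start']:06x}-0x{run['end']:06x} "
              f"({run['length']} bytes) before={run['before']!r} "
              f"after={bytes(run['after_bytes']).hex()}")
```

Run against the quoted dumps it reports two runs: twelve bytes at 0x180069 to 0x180074 whose locked-state content decodes to the printable string "50503#50506#", and the single byte at 0x181469 going from 0x01 to 0x00. The twelve-byte run is plain ASCII rather than a hash, and its shape (two five-digit groups, each terminated with "#") is what one would expect of an MCC/MNC allow-list, with 505 being the Australian MCC; that reading is my inference from the bytes, not something the thread states.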
10th January 2012, 12:19 PM |#7  
Junior Member
Yeah, so my diff confirms that. Cool, as we already established that.

But finding the code was really my goal. You know, for people who like to revert back to stock but want to know the code.
So it is using some new encrypted hash like the later posts in the SGS2 thread. So we have no idea how to brute force it? Yeah, I had a look at all your posts and came to the conclusion it looks encrypted differently.
Oh well, maybe in time we can find a way to decrypt it.

Thanks for the reply!
10th January 2012, 05:16 PM |#8  
shenye, OP, Inactive Recognized Developer (London)
Odia, any chance of a request into a bit of research into this? I can provide you with my locked nv_data and my unlock codes. I don't think my nv_data has been updated though, as I need to re-unlock every time I wipe...

I assume they're using a salt that's no longer 0000000000000000, so this might be able to brute force the salt string they're using?
13th January 2012, 08:30 AM |#9  
Senior Member
Would be very interested in knowing how to sim unlock the SGN!
13th January 2012, 10:05 AM |#10  
Member
Quote:
Originally Posted by jacobtc

Would be very interested in knowing how to sim unlock the SGN!

Add me to the list. Thanks to shenye, bluejet07 & Odia for working on this.
13th January 2012, 11:40 AM |#11  
Junior Member
Quote:
Originally Posted by bluejet07

Hi all,

I have a galaxy nexus which is locked to a specific carrier. I managed to have it rooted and backed up with clockworkmod. [...]

Which program can edit a .bin file?
Where is this file located?
Tags
galaxy, nexus, samsung, unlocking