
Successful IMEI repair on i9300 without backup.

By SlashV, Junior Member on 26th November 2013, 04:38 PM
Just to share a successful restoration of a damaged /efs partition on a i9300 without any backup. Maybe this will help someone save their phone or avoid having to send it in for repair. This appears to be the usual advice when the efs partition is damaged and you don't have a backup. You're fsck'ed. However, you might get lucky, like I did. Read on.

The story: I was running the phone with a custom built cm-10.1 and playing Candy Crush when the battery died. After that the phone wouldn't boot. After booting into recovery it appeared /efs wouldn't mount. That puts the phone in a boot loop. Desperation...

The key to the provided solution is that even though your partition is damaged, the relevant data (nv_data.bin) may still exist.

Here's what I did. Not all steps may be necessary, but this is what happened to work for me. The steps I think are crucial are highlighted.

!!!AS USUAL, TRY ANY OF THIS AT YOUR OWN RISK!!! In any case, only do this when your efs partition is damaged and won't mount, not when only files in it are missing or something else.

1. Create an image of /dev/block/mmcblk0p3. mmcblk0p3 is the device file for the partition that is mounted as /efs
I did this by logging into the phone while it is in recovery with adb:
Code:
   linux# adb root
   linux# adb shell
   phone# dd if=/dev/block/mmcblk0p3 of=/data/efs.img
   phone# exit
   linux# adb pull /data/efs.img .
You now have an image of the efs partition. To verify that it is indeed broken, I did a filecheck on the image:
Code:
   linux# losetup /dev/loop0 efs.img
   linux# fsck /dev/loop0
That gave an "Invalid Superblock" message. The partition is indeed b0rked. No (obvious) way to rescue the filesystem.

2. I still didn't know what to do so I flashed a stock ROM (G4) using Odin. Still boot looping. Since I wasn't sure the partition table wasn't damaged and the efs partition was lost anyway, I decided to check "Repartition", which is generally discouraged, using a pit file downloaded from the forum.

3. I re-rooted using CF-Root, this time using Heimdall from linux. Stock didn't fix things and you need root to access the partitions.

4. Format the efs! It's unusable and I made a backup, so in recovery:
Code:
   linux# adb root
   linux# adb shell
   phone# mke2fs /dev/block/mmcblk0p3
Reboot the phone and voila! A booting phone, but obviously without serial number and a default IMEI. And some screen came up which I think means I was in factory mode. The data in the /efs partition has been rebuilt with a set of default files.

5. I edited some files in /efs/FactoryApp
Code:
   linux# adb root
   linux# adb shell
   phone# cd /efs/FactoryApp
   phone# echo -n ON > factorymode
   phone# echo -n ON > keystr
   phone# echo -n <xxxxxxx> > serial_no
Where <xxxxxxx> is your serial number, found under the battery. Not sure if this did anything useful, but the serial number no longer indicated 0000000 after that.

6. I flashed cm-10.1 again from recovery, because I was experimenting with EFSPro, which requires busybox on the phone. EFSPro doesn't do much for you in this case. So I don't think this is important.

7. Try to recreate an nv_data.bin from the damaged partition! In order to do this I pulled the rebuilt default nv_data.bin from the phone and compared it to efs.img created in step 1.
Code:
   linux# adb root
   linux# adb pull /efs/nv_data.bin .
   linux# xxd nv_data.bin > nv_data.hex
   linux# xxd efs.img > efs.hex
Now inspecting the nv_data.hex, it started out like:

Code:
0000000: cccc cccc cccc cccc cccc cccc cccc cccc  ................
0000010: cccc cccc cccc cccc cccc cccc cccc cccc  ................
0000020: 4d21 5317 00a0 a2f7 1435 5799 529d 129b  M!S......5W.R...
0000030: 48bd ca0e 6249 1367 37a5 96c3 39da 19ea  H...bI.g7...9...
0000040: 0000 0000 e000 0000 0200 7400 6c00 0000  ..........t.l...
0000050: 0000 0000 0000 8130 0100 0000 0000 0000  .......0........
0000060: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000070: ffff ffff 0200 0000 333a 3476 2020 2020  ........3:4v    
0000080: 5350 3632 3630 5f4d 305f 4d4f 4445 4d5f  SP6260_M0_MODEM_
0000090: 3033 2e31 3332 375f 4442 3133 3037 3032  03.1327_DB130702
00000a0: 2032 3031 332d 4a75 6c2d 3136 2032 303a   2013-Jul-16 20:
00000b0: 3035 3a33 3020 0a20 2020 2050 4442 5f4e  05:30 .    PDB_N
00000c0: 4f54 5f41 5641 494c 4142 4c45 200a 0000  OT_AVAILABLE ...
I then searched for "MODEM" in efs.hex and found several similar entries. So for the next step, you might have to try a few times. I found one at address 0600000:

Code:
0600080: 5350 3632 3630 5f4d 305f 4d4f 4445 4d5f  SP6260_M0_MODEM_
0600090: 3033 2e31 3234 315f 4442 3132 3130 3038  03.1241_DB121008
06000a0: 2032 3031 322d 4e6f 762d 3136 2031 343a   2012-Nov-16 14:
06000b0: 3030 3a34 3920 0a20 2020 2050 4442 5f4e  00:49 .    PDB_N
06000c0: 4f54 5f41 5641 494c 4142 4c45 200a 0000  OT_AVAILABLE ...
I then extracted a block of data with the size of nv_data.bin from efs.img starting at this address:
Code:
   linux# dd if=efs.img of=new_nv_data.bin skip=12288 count=4096
"skip" indicates the offset (0x0600000) and "count" the filesize (0x0200000). I now had a recreated old nv_data.bin.

8. Put the recreated nv_data.bin on the phone and delete backups.
Code:
   linux# adb root
   linux# adb shell
   phone# cd /efs
   phone# rm nv_data.bin
   phone# rm .nv_data.bak
   phone# rm .nv_core.bak
   phone# exit
   linux# adb push new_nv_data.bin /efs/nv_data.bin
I rebooted the phone and miracle oh miracle. I had my original IMEI back! Not sure if the phone is in optimal condition, but I can make calls and I have mobile data.

Hope any of this may be of help to anyone. It took me quite a while to figure things out!!
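Step 7 above is the part most people will have to repeat a few times, since "MODEM" appears more than once in a damaged image. The script below is an added example, not code from the original post: it scans a raw efs image for the modem-version banner, which the post's hex dump shows at offset 0x80 inside nv_data.bin, and reports every candidate start offset together with its banner so you can pick the right one and then carve the 2 MiB block. It assumes the 0x80 banner offset and the 0x200000 nv_data.bin size measured in the post, and that the banner always has the form `<model>_M0_MODEM_...`; the dd units in the post (skip=12288, count=4096) are 512-byte blocks, which is why 12288*512 = 0x600000.

```python
"""Carve nv_data.bin candidates out of a raw /efs partition image.

Added example (not from the original post). Automates step 7 of the
thread: find the "..._M0_MODEM_..." banner that nv_data.bin carries at
offset 0x80 and cut out a 2 MiB block starting 0x80 bytes before it.
"""
import re
import sys

NV_SIZE = 0x200000            # nv_data.bin size on the i9300 (0x0200000 in the post)
BANNER_OFFSET = 0x80          # "SP6260_M0_MODEM_..." sits at 0x80 inside nv_data.bin
HEADER_FILL = b"\xcc" * 0x20  # first 32 bytes of the default nv_data.bin were 0xcc
# Assumption: banner always looks like <MODEL>_M0_MODEM_<version ...> up to a newline.
BANNER_RE = re.compile(rb"[A-Z0-9]+_M0_MODEM_[^\n]*")


def find_nv_candidates(image: bytes, nv_size: int = NV_SIZE):
    """Return (start_offset, banner, header_ok) for every plausible
    nv_data.bin in the image, in ascending offset order.
    Candidates that would run past the end of the image are skipped,
    since dd would produce a short (unusable) file for them."""
    found = []
    for match in BANNER_RE.finditer(image):
        start = match.start() - BANNER_OFFSET
        if start < 0 or start + nv_size > len(image):
            continue
        banner = match.group(0).rstrip().decode("ascii", "replace")
        # header_ok is advisory: an old nv_data.bin need not start with 0xcc
        header_ok = image[start:start + 0x20] == HEADER_FILL
        found.append((start, banner, header_ok))
    return found


def carve(image: bytes, start: int, nv_size: int = NV_SIZE) -> bytes:
    """Same bytes as: dd if=efs.img skip=<start/512> count=<nv_size/512>."""
    return image[start:start + nv_size]


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        data = fh.read()
    for start, banner, ok in find_nv_candidates(data):
        print(f"0x{start:07x}  header_ok={ok}  {banner}")
```

Run it as `python carve_nv.py efs.img`; the offset column is what you would feed to dd (divided by 512) once you have chosen the candidate whose banner date matches your phone's old modem.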
28th November 2013, 10:57 PM |#2  
Senior Member
If this works, you have done excellent work and I think this has to be stickied :sly:

Sent from my GT-I9300 using Tapatalk
29th November 2013, 06:41 AM |#3  
Senior Member
Well done fella, good work!

Sent from my GT-I9300 using xda premium
29th November 2013, 08:41 AM |#4  
Senior Member
Hi SlashV,
Very interesting approach to one of the most frequent issues for the I9300!
My case is as follows: I have recovered IMEI with more common methods: kTool, and...
- in 4.3 ROM's my IMEI and serial are ok ... and I have network ,but
- in CM11 or OMNI 4.4 my IMEI is correct but the serial number is wrong !
(and therefore I have no network)

Could you suggest, please, a way to read and/or repair the Serial number in CM11 ?!
( using Terminal Emulator would be also possible?)

Thanks in advance!
29th November 2013, 01:35 PM |#5  
OP Junior Member
serial number in cm
Quote:
Originally Posted by stefan.slavici

Hi SlashV,
Very interesting approach to one of the most frequent issues for the I9300!

Thanks.

Quote:
Originally Posted by stefan.slavici

My case is as follows: I have recovered IMEI with more common methods: kTool, and...
- in 4.3 ROM's my IMEI and serial are ok ... and I have network ,but
- in CM11 or OMNI 4.4 my IMEI is correct but the serial number is wrong !
(and therefore I have no network)

Could you suggest, please, a way to read and/or repair the Serial number in CM11 ?!
( using Terminal Emulator would be also possible?)

Thanks in advance!

I think my serial number got restored by step 5 of what I did even before I restored my original nv_data.bin, so you might try that. It's easy from the terminal and I'm fairly sure it won't hurt. Make a backup of your efs first!
However, I am somewhat surprised by your issue. How can the serial number change? I did notice CM shows a different serial for me than is on the sticker, so maybe I have the same issue, or CM just shows a different representation of the same number. Anyway, I have no network issues because of it. Maybe your network issues have to do with something else than the serial no?
29th November 2013, 03:21 PM |#6  
Senior Member
Quote:
Originally Posted by SlashV

Thanks.

I think my serial number got restored by step 5 of what I did even before I restored my original nv_data.bin, so you might try that. It's easy from the terminal and I'm fairly sure it won't hurt. Make a backup of your efs first!
However, I am somewhat surprised by your issue. How can the serial number change? I did notice CM shows a different serial for me than is on the sticker, so maybe I have the same issue, or CM just shows a different representation of the same number. Anyway, I have no network issues because of it. Maybe your network issues have to do with something else than the serial no?

No! The serial number changed when I flashed CM11, but no network problem. And then it went back to the previous serial number when I flashed the S4 Evolution ROM!
29th November 2013, 06:22 PM |#7  
Senior Member
OMG
You are a genius
This Thread should be moved to General
29th November 2013, 07:11 PM |#8  
Senior Member
Glad that the OP got his IMEI & serial back, also that he's posted such detailed instructions (although I think a couple of them won't be necessary for most). For the majority of those who arrive at xda after breaking their phone by flashing random things they didn't understand, it will read like DIY brain surgery.

Best option, as always, is to back up the efs; unfortunately it's usually far too late by the time they get to xda.

Sent from my GT-I9300 using Tapatalk
30th November 2013, 09:53 AM |#9  
Member
I also had a similar problem. I had IMEI but not a valid serial (000000). I solved it temporarily using Ariza Patch. But if I can restore the serial using your method.... then I MUST BUY YOU A BEER MY FRIEND!
30th November 2013, 05:45 PM |#10  
Member
Some news. In my case I have a correct IMEI but a wrong serial (000000), resulting in no network connectivity.

I've tried modifying the efs.img directly by hand and adding the serial to the serial_no file (it's in plain text). Then I restored using kTool. And nothing. It still says 0000000.

So. Then I tried over adb as you did: echo -n <serial> > serial_no. The operation went successfully, but when I rebooted my phone it still shows 000000.

So I'm guessing (as expected) these things have protection against tampered serials/IMEI. Maybe a hash somewhere... But I'm not willing to reverse engineer that (I don't even have the knowledge!).

So....I don't know how you did it. But that step alone doesn't restore the serial number.

---------- Post added at 02:45 PM ---------- Previous post was at 01:56 PM ----------

So I decided to take my investigation a little further.

I had an efs back up so I reproduced all your steps but only on linux.

The offsets of my nv_data.bin are the same as yours. I extracted my new_nv_data.bin from my efs.img (using dd). Then I compared it with the nv_data.bin extracted by mounting the efs.img. They are the same. Not a single bit of difference.

I guess it was expected. I just wanted to make sure there wasn't anything wrong with my efs backup.

So. This method really works if you lost your efs partition (corrupted). But in my case (efs not corrupted, IMEI ok, serial 0000), it didn't help.

I bet there's a solution floating around. But there's also a business behind this (all those boxes). So, I don't know if I will ever be able to fix this by myself.
1st December 2013, 03:54 PM |#11  
Member
I'm starting to think that maybe the trick is to format efs (having a backup of course). But I don't know. I'm not that brave haha.

Changing the serial_no file does nothing. That doesn't work for sure. I've tried one more time using root browser and it didn't change from 00000.

Everything is inside nv_data.bin I think. Even the serial. But I guess nobody will tell me here how to correct that so I have network connectivity again without patching.

Anyway, I don't know why everyone is so secretive about all this info. I mean, all the boxes out there let you change your IMEI. I bet all the burglars out there already know how to do it. The only ones that still don't know how to do it are the honest people haha. Kind of ironic.