[REF] How to unlock/unfreeze all SGS Models [NOW WORKS ON Vibrant 4G][Updated 4-9-11]

What model did this work on?

  • GT-I9000

    Votes: 2,074 49.3%
  • USA Vibrant

    Votes: 977 23.2%
  • USA Captivate

    Votes: 573 13.6%
  • Bell I9000

    Votes: 275 6.5%
  • Other

    Votes: 304 7.2%

  • Total voters
    4,203
Search This thread

dagentooboy

Senior Member
Feb 16, 2008
544
156
Kansas
Vibrant 4G/SGS 4G manual method here

PRO App also works on Vibrant 4G/SGS 4G for anyone who doesn't feel comfortable with a hex editor

Do NOT try this or any other unlock method on the SC-02B Docomo phone. Please see thread here for progress on the SC-02B

Please note the same information used to develop the app is in the guide for free... the app just makes it easier

ALL METHODS FOR NEWER PHONES REQUIRE ROOT... PLEASE GO GET ROOT ON YOUR PHONE AND THEN COME BACK.

Oh and BTW... I cannot be held responsible for anything that happens to your phone.... EVER!


Before you start... if you don't have root you WILL need it unless you are on a really old version of android 2.1 (look in Appendix A for depreciated methods)

Step 1. - Retrieve nv_data.bin file
use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands
Code:
su
cat /efs/nv_data.bin >> /sdcard/nv_data.bin

Step 2. - Edit nv_data.bin file
mount the internal SD Card on your computer
make a backup copy of the nv_data.bin file on your computer
using your favorite HEX editor open the nv_data.bin on the sdcard
jump to address 0x181468

you should see a string like this
ff 01 00 00 00 00 46 46
there are 5 different types of locks in 5 different bytes
the FF byte should be left alone
the first byte after the FF is the network lock
the next byte is the network subset lock
the next byte is the sp lock
the next byte is the cp lock
the last byte appears to be a data lock.
the 46 46 should be left alone
Change any 0x01 to 0x00 (or 0x00 to 0x01 to lock for warranty)
It should read ff 00 00 00 00 00 46 46 for unlocked
save and close file
unmount SD Card

Step 3. - Replace nv_data.bin file
I want to say it again so no one misses it MAKE SURE YOU HAVE A BACKUP OF YOUR NV_DATA.BIN FILE BEFORE YOU CONTINUE!!!!!

use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands
Code:
su
rm /efs/nv_data.bin
rm /efs/nv_data.bin.md5
cat /sdcard/nv_data.bin >> /efs/nv_data.bin
chmod 755 /efs/nv_data.bin
chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
reboot
your phone is now unlocked... enjoy :D

[OPTIONAL] Use the PRO app [OPTIONAL]
Please note that this step is ONLY here for people that are not comfortable using a Hex editor.
Search "Vibrant unlock" in the market or scan the QR code:
img.php


Install and run app
press menu
press Unlock Phone
Select phone
allow root
at this point if you get an error code make SURE you mount your internal SD card on your computer and backup the nv_data.bin.orig file that is there.
press unlock
restart and your phone is now unlocked

to lock your phone for warranty
press lock instead of unlock
restart your phone, remove root, and take your phone in for warranty


APPENDIX A (DEPRECIATED)

DOES NOT WORK ON 90% PHONES PLEASE USE THE APP

Using ADB
Make sure that Network Lock is the only thing on... go to phone and enter *#7465625#
Make sure USB debugging is enabled (Settings->Applications->Development->USB Debugging)
Using APP (Thanks ClarkeHackworth and DaGentooBoy)
ClarkHackworth's page about the app
Same thing as before if this bricks your phone sorry but we aren't responsible.

Step A.1. – Get your code
Search Samsung Galaxy S Unlock Tool in the market or scan the QR code.
img.php

Install SGS_Unlock.apk
Applications->SGS Unlock
Menu->Root Gen Codes (Root method is the most reliable method at this point)

Jump to Step A.2.

Step A.1.alternate – Get your code

For Mac Updated!!! New Script

1. Download the Samsung Galaxy S Unlocker for Mac from this here:
http://www.multiupload.com/9NEBR6FAKD

2. Mount the DMG and drag the folder onto the hard drive. DO NOT DRAG THE ICON WITH THE LOCK (the app). Once the file is finished copying continue.

3. Open the application with the lock. It should open a terminal window. Let it run for a few seconds and then it should show a screen like this:

9039xs.png


4. Write down your unlock code

For Windows UPDATED!!! With Un-Freeze Codes
Video Guide
Download and extract the attached Generate Unlock Windows.zip.
Run Generate_Code.bat
Look for the line Network Control Key:YourCode
Save the code

Step A.2. – Enter the code

Power down your phone
Put in a SIM card from another carrier
Power up your phone
When it boots up it will ask for the unlock code that you found above

OR

NO SIM Method (Thanks RazvanG)
(Apparently this just adds another SIM to the accepted SIM list... can someone confirm?)
remove sim card
power on phone without sim
enter *7465625*638*# and relock the phone to another network other than the one u have u'r sim card (eg 22610)
power off phone
insert sim card back
power on and enter nck code extracted from .bak file
phone unlocked

Step A.3. – Flash back (IF THE CODE DIDN'T WORK)

Flash back to an older firmware (I9000XXJF7 with 513.pit worked for me on an I9000)
Now enter the unlock code you generated in Step 2.


HOW TO LOCK SAMSUNG GALAXY S - FOR WARRANTY PURPOSES ONLY (TESTED)

After you get the NCK code using the method above, enter: *7465625*638*#
There will be a pop-up box.
Complete the first field (MCC/MNC) with the network you want your phone locked to (eg. 226 10 where 226 = romania; 10 = orange etc.) and the second field (Control Key) with the NCK extracted from the .bak file.
Press OK and your phone should relock.
RazvanG

Guide in Spanish here
Guide in Italian here
Guide in Chinese here

LEGAL NOTES (because information should be free for all):
YOU MAY NOT, BY ANY MEANS, USE THIS SOLUTION/CODE OR PART OF IT FOR COMMERCIAL PURPOSES.
DO NOT USE THIS EXTRACTION METHOD COMMERCIALLY



PLEASE give credit (and donations if you can) to
For those of you that have donated THANKS! (You know who you are... you paid for my developer account so I could post the app)

DaGentooBoy For this AWESOME guide, the free and PRO apps, finding the other unlock bits, the original mac and windows scripts, the no root cat nv_data method, the unfreeze code portion of the mac script, and a lot of troubleshooting :D (Paypal)

dawen, Helroz, and NWolf for discovering the hex location of the lock bit in the nv_data.bin file (donate to NWolf here)

RazvanG for pointing galaxysguy in the right direction, finding the Freeze Code location in the .bak file, the code for re-locking the phone to any network, and the solution to unlock with only one sim card (Paypal)

rbnet.it and marcopon for the cool SGUX utility for windows to extract both the Unlock and Unfreeze codes (donate to marcopon and rbnet.it Here)

nbs11 for the new mac script that makes it REALLY easy (donate here)

Bowsa2511 for the command to extract the unlock code on a Mac (Paypal here)

rhcp0112345 for finding the file and giving me (and others) a place to start (Donate here)

galaxysguy for confirming that I was looking at the right code (Paypal here)

AllGamer for starting the Bounty thread and giving the XDA devs the motivation to get started.

If you want me to extract the code for you just PM me with a link to your zipped bml3.bak or nv_data.bin file and I will send you back the code. If it works please feel free to donate via Paypal
 

Attachments

  • SGS_Unlock.apk
    64.1 KB · Views: 82,978
Last edited:

Jreddekopp

Member
Jul 7, 2010
19
0
Edmonton
This is just the thing I've been looking for. Thanks a lot. Just out of curiosity, why do you have to flash back to older firmware after entering the unlock code?
 

marcopon

Member
Apr 3, 2010
17
0
Yes, I usually go by the Mark0 nick but it was already used in the forum (IIRC).
I want also to thanks andars05 for a post he made that provided some inspiration.

Nice to see that the tool is proving to be useful! :cool:

Feel free to donate to the PayPal link rbnet.it provided! :D
 
Last edited:

TheNaturat

Member
Aug 6, 2010
36
2
Got "Permission denied" after su in step 1 - I've got rooted Captivate with stock firmware - I know that is probably problem with access to root account, but all apps are working properly with it. Any idea for solution?

I've Windows 7, tried running command line with administrator privileges, but it didn't helped.
 

rbnet.it

Member
Aug 2, 2010
27
1
www.rbnet.it
Got "Permission denied" after su in step 1 - I've got rooted Captivate with stock firmware - I know that is probably problem with access to root account, but all apps are working properly with it. Any idea for solution?

I've Windows 7, tried running command line with administrator privileges, but it didn't helped.

After "su", have you allowed the root access on the phone?
 
Last edited:

antz88c

Senior Member
Mar 9, 2010
435
46
Thanks so much, it worked on my Globe locked SGS (Philippines).

MAC users use 0xED Hex Editor and just search SSNV and you'll get your 8 digits unlock code.
 
Last edited:

dagentooboy

Senior Member
Feb 16, 2008
544
156
Kansas
Got "Permission denied" after su in step 1 - I've got rooted Captivate with stock firmware - I know that is probably problem with access to root account, but all apps are working properly with it. Any idea for solution?

I've Windows 7, tried running command line with administrator privileges, but it didn't helped.

I found the same code in the nv_data.bin file... if you can't get the dd thing to work try

Code:
cat /efs/nv_data.bin >> /sdcard/nv_data.bin
 

nickbarbs

Senior Member
Jul 20, 2010
352
46
London
having problems pulling the file but I have SU permissions.


$ su
su
dd if=/dev/block/bml3 of=/sdcard/bml3.bak
dd if=/dev/block/bml3 of=/sdcard/bml3.bak
Permission denied
$ dd: can't open '/dev/block/bml3': Permission denied
$
 

nickbarbs

Senior Member
Jul 20, 2010
352
46
London
WOWOOWOWOWOOWWWW

NETWORK UNLOCK SUCCESSFULL

as soon as i get my 25$ refund from this guy and 6£ from someone else you'll get it

EDIT: I'm Samsung Captivate Sgh-i897
 
Last edited:

Top Liked Posts

  • There are no posts matching your filters.
  • 53
    Vibrant 4G/SGS 4G manual method here

    PRO App also works on Vibrant 4G/SGS 4G for anyone who doesn't feel comfortable with a hex editor

    Do NOT try this or any other unlock method on the SC-02B Docomo phone. Please see thread here for progress on the SC-02B

    Please note the same information used to develop the app is in the guide for free... the app just makes it easier

    ALL METHODS FOR NEWER PHONES REQUIRE ROOT... PLEASE GO GET ROOT ON YOUR PHONE AND THEN COME BACK.

    Oh and BTW... I cannot be held responsible for anything that happens to your phone.... EVER!


    Before you start... if you don't have root you WILL need it unless you are on a really old version of android 2.1 (look in Appendix A for depreciated methods)

    Step 1. - Retrieve nv_data.bin file
    use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands
    Code:
    su
    cat /efs/nv_data.bin >> /sdcard/nv_data.bin

    Step 2. - Edit nv_data.bin file
    mount the internal SD Card on your computer
    make a backup copy of the nv_data.bin file on your computer
    using your favorite HEX editor open the nv_data.bin on the sdcard
    jump to address 0x181468

    you should see a string like this
    ff 01 00 00 00 00 46 46
    there are 5 different types of locks in 5 different bytes
    the FF byte should be left alone
    the first byte after the FF is the network lock
    the next byte is the network subset lock
    the next byte is the sp lock
    the next byte is the cp lock
    the last byte appears to be a data lock.
    the 46 46 should be left alone
    Change any 0x01 to 0x00 (or 0x00 to 0x01 to lock for warranty)
    It should read ff 00 00 00 00 00 46 46 for unlocked
    save and close file
    unmount SD Card

    Step 3. - Replace nv_data.bin file
    I want to say it again so no one misses it MAKE SURE YOU HAVE A BACKUP OF YOUR NV_DATA.BIN FILE BEFORE YOU CONTINUE!!!!!

    use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands
    Code:
    su
    rm /efs/nv_data.bin
    rm /efs/nv_data.bin.md5
    cat /sdcard/nv_data.bin >> /efs/nv_data.bin
    chmod 755 /efs/nv_data.bin
    chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
    reboot
    your phone is now unlocked... enjoy :D

    [OPTIONAL] Use the PRO app [OPTIONAL]
    Please note that this step is ONLY here for people that are not comfortable using a Hex editor.
    Search "Vibrant unlock" in the market or scan the QR code:
    img.php


    Install and run app
    press menu
    press Unlock Phone
    Select phone
    allow root
    at this point if you get an error code make SURE you mount your internal SD card on your computer and backup the nv_data.bin.orig file that is there.
    press unlock
    restart and your phone is now unlocked

    to lock your phone for warranty
    press lock instead of unlock
    restart your phone, remove root, and take your phone in for warranty


    APPENDIX A (DEPRECIATED)

    DOES NOT WORK ON 90% PHONES PLEASE USE THE APP

    Using ADB
    Make sure that Network Lock is the only thing on... go to phone and enter *#7465625#
    Make sure USB debugging is enabled (Settings->Applications->Development->USB Debugging)
    Using APP (Thanks ClarkeHackworth and DaGentooBoy)
    ClarkHackworth's page about the app
    Same thing as before if this bricks your phone sorry but we aren't responsible.

    Step A.1. – Get your code
    Search Samsung Galaxy S Unlock Tool in the market or scan the QR code.
    img.php

    Install SGS_Unlock.apk
    Applications->SGS Unlock
    Menu->Root Gen Codes (Root method is the most reliable method at this point)

    Jump to Step A.2.

    Step A.1.alternate – Get your code

    For Mac Updated!!! New Script

    1. Download the Samsung Galaxy S Unlocker for Mac from this here:
    http://www.multiupload.com/9NEBR6FAKD

    2. Mount the DMG and drag the folder onto the hard drive. DO NOT DRAG THE ICON WITH THE LOCK (the app). Once the file is finished copying continue.

    3. Open the application with the lock. It should open a terminal window. Let it run for a few seconds and then it should show a screen like this:

    9039xs.png


    4. Write down your unlock code

    For Windows UPDATED!!! With Un-Freeze Codes
    Video Guide
    Download and extract the attached Generate Unlock Windows.zip.
    Run Generate_Code.bat
    Look for the line Network Control Key:YourCode
    Save the code

    Step A.2. – Enter the code

    Power down your phone
    Put in a SIM card from another carrier
    Power up your phone
    When it boots up it will ask for the unlock code that you found above

    OR

    NO SIM Method (Thanks RazvanG)
    (Apparently this just adds another SIM to the accepted SIM list... can someone confirm?)
    remove sim card
    power on phone without sim
    enter *7465625*638*# and relock the phone to another network other than the one u have u'r sim card (eg 22610)
    power off phone
    insert sim card back
    power on and enter nck code extracted from .bak file
    phone unlocked

    Step A.3. – Flash back (IF THE CODE DIDN'T WORK)

    Flash back to an older firmware (I9000XXJF7 with 513.pit worked for me on an I9000)
    Now enter the unlock code you generated in Step 2.


    HOW TO LOCK SAMSUNG GALAXY S - FOR WARRANTY PURPOSES ONLY (TESTED)

    After you get the NCK code using the method above, enter: *7465625*638*#
    There will be a pop-up box.
    Complete the first field (MCC/MNC) with the network you want your phone locked to (eg. 226 10 where 226 = romania; 10 = orange etc.) and the second field (Control Key) with the NCK extracted from the .bak file.
    Press OK and your phone should relock.
    RazvanG

    Guide in Spanish here
    Guide in Italian here
    Guide in Chinese here

    LEGAL NOTES (because information should be free for all):
    YOU MAY NOT, BY ANY MEANS, USE THIS SOLUTION/CODE OR PART OF IT FOR COMMERCIAL PURPOSES.
    DO NOT USE THIS EXTRACTION METHOD COMMERCIALLY



    PLEASE give credit (and donations if you can) to
    For those of you that have donated THANKS! (You know who you are... you paid for my developer account so I could post the app)

    DaGentooBoy For this AWESOME guide, the free and PRO apps, finding the other unlock bits, the original mac and windows scripts, the no root cat nv_data method, the unfreeze code portion of the mac script, and a lot of troubleshooting :D (Paypal)

    dawen, Helroz, and NWolf for discovering the hex location of the lock bit in the nv_data.bin file (donate to NWolf here)

    RazvanG for pointing galaxysguy in the right direction, finding the Freeze Code location in the .bak file, the code for re-locking the phone to any network, and the solution to unlock with only one sim card (Paypal)

    rbnet.it and marcopon for the cool SGUX utility for windows to extract both the Unlock and Unfreeze codes (donate to marcopon and rbnet.it Here)

    nbs11 for the new mac script that makes it REALLY easy (donate here)

    Bowsa2511 for the command to extract the unlock code on a Mac (Paypal here)

    rhcp0112345 for finding the file and giving me (and others) a place to start (Donate here)

    galaxysguy for confirming that I was looking at the right code (Paypal here)

    AllGamer for starting the Bounty thread and giving the XDA devs the motivation to get started.

    If you want me to extract the code for you just PM me with a link to your zipped bml3.bak or nv_data.bin file and I will send you back the code. If it works please feel free to donate via Paypal
    5
    Unlock Froyo 2.2 I9000M phone running I9000UGJK4

    Just updated post with more details, I hope someone will find it more useful. As always make sure you have a backup, make a backup of your nv_data.bin BEFORE editing.

    I was not able to unlock my phone Froyo 2.2 I9000M phone running I9000UGJK4 firmware by using this official thread http://xdaforums.com/showthread.php?t=761045
    and after few hours of searching I found this method which worked for me from first attempt.

    I give all the credits for this idea to cursor2010 from http://xdaforums.com/showpost.php?p=8656481&postcount=156

    Here are the detailed steps

    * Your phone must be rooted (I used SuperOneClick http://xdaforums.com/showthread.php?t=803682) to do this unlocking and busybox from market is installed
    * Get the archive file from first post of this topic. The archive contains ADB software which we will use to connect to the phone.
    * Turn On USB debugging Application->Settings->Application->Development
    * Follow the instructions of STEP 4 from http://www.communityhosting.net/sgsunlock/i9000.html to get your nv_data.bin to your PC

    Get your current nv_data.bin file from the /efs directory on your phone. This can be done with ADB. Most often, the nv_data.bin file is not readable and you will get a permission denied message. You'll need to enter the commands manually.
    To do this with ADB, from the DOS command prompt you can type:

    adb pull /efs/nv_data.bin

    If you receive a permission denied error, you can fix it by typing the following commands from an ADB shell (type "adb shell" at the DOS command prompt) or from within a terminal on the phone:

    adb shell
    su
    chmod 777 /efs/nv_data.bin
    exit
    exit


    Then from the DOS command prompt:

    adb pull /efs/nv_data.bin

    Using Hex editor edit the file ( you can use any hex editor, http://www.logitheque.com/logiciels/windows/utilitaires/editeur_hexadecimal/telecharger/edithexa_9903.htm for example). I personally use UltraEdit.

    UEdit.jpg

    At the offset of 180069H you will see your provider MCC and MNC codes see http://en.wikipedia.org/wiki/Mobile_Network_Code

    In my case the code was 30261020404... which is Bell Canada, so I changed 610 to 720 Rogers Canada now the code is 30272020404...

    Again the offset in the file is 180069H.

    Save the file on the pc.

    * Follow the instructions from http://xdaforums.com/showpost.php?p=8182729&postcount=107

    Copy your nv_data.bin to temporary folder on your phone:

    adb shell "mkdir /sdcard/efs"
    adb push nv_data.bin /sdcard/efs
    adb shell
    su
    ls -l -a /efs


    If there is an nv_data.bin.md5 file in the directory, all is well. You should continue with these commands:

    mv /efs/.nv_data.bak /efs/.nv_data.bakk
    mv /efs/.nv_data.bak.md5 /efs/.nv_data.bakk.md5
    rm /efs/nv_data.bin
    rm /efs/nv_data.bin.md5
    rm /efs/.nv2.bak
    rm /efs/.nv2.bak.md5
    busybox cp /sdcard/efs/nv_data.bin /efs/nv_data.bin
    chmod 755 /efs/nv_data.bin
    chown radio.radio /efs/nv_data.bin
    exit
    exit

    if you have errors on the chown command, use
    chown 1001.1001 /efs/nv_data.bin


    If there was no nv_data.bin.md5 file, then something is wrong and you'll need to see other options or reflash again with a known working ROM that generates a new MD5 file when it's missing.

    * Reboot the phone, it should not ask any unlock codes or anything, in my case it simply just registered on Rogers network

    * Obviously you also need to program your APN settings for Rogers from http://xdaforums.com/showthread.php?t=809003 to make your 3G working. For your own provider please search forum.

    I wish it would be much simpler or automated or tested on bigger variety of phones.If somebody could gather the statistics and check if this method is applicable throughout all the versions of I9000, that would be very nice.

    Feel free to comment my post.
    2
    can you tell me which method you used ??

    The HEX hack is the one that works on most devices. Unfortunately the unlcok code was removed from the bin file a long time ago.
    2
    Hey, I know this thread is old but I just wanted to say Thanks man. This worked perfectly to unlock an AT&T Captivate SGH-i897.

    can you tell me which method you used ??
    1
    re: credits
    apparently marcopon helped rbnet.it to write that sgux utility.

    thanks... I saw the bounty thread is updated. Feel free to link to the instructions on this thread so that they all go to one place.