Unlock your Samsung i5500 (Where is my /efs?) [UPDATE]

By tweakradje, Senior Member on 4th November 2010, 12:06 PM
31st August 2011, 03:00 PM |#331  
Member
Gonna pick up my phone from the shop today, they added the simlock again (e.g. they flashed the original efs back).

I have a quick question though; when doing the mounting in recovery mode, does the phone still need to be rooted? I would say so, which means you'd have to su via the shell at least once to permanently accept su operations?

That said, I think a safer method, whilst in recovery mode, would be to execute the commands in succession, e.g. mount && cat /efs/persona.txt > sdcard/persona.txt && umount /efs, in 'dirty pseudo language'.

This is all so that the partition access is reduced to a minimum. This should finish in microseconds.

I'd love to make a backup of the efs partition, in recovery mode, but I'm very hesitant as I don't feel happy going back to the repair shop and telling them 'it broke again'.
 
 
31st August 2011, 03:03 PM |#332  
OP Senior Member
Perhaps this will bring IMEI back

- Download QPST from link below and install
- Switch on Diag mode on USB (dial *#7284#, select [1]USB[*] )
- Reboot phone (now you need adb drivers from post 6)
- Start "QPST Configuration" as administrator
- "Add New Port..." that shows phone "SURF....." USB
- Then select from menu "Start Clients" the "RF NV Item Manager"
- Then menu File -> Read from Phone
- Item 550 (click hex checkbox) should be your IMEI
- 9 bytes with the digits swapped: 58 in the IMEI shows as 85
- you can write your proper imei back

Qpst: http://www.multiupload.com/FPKEE5XTJK

Cheers

EDIT: good read about NV backup/restore - http://android-dls.com/wiki/index.ph...up_and_Restore
31st August 2011, 03:36 PM |#333  
Senior Member
Quote:
Originally Posted by ol1ver

Gonna pick up my phone from the shop today, they added the simlock again (e.g. they flashed the original efs back).

I have a quick question though; when doing the mounting in recovery mode, does the phone still need to be rooted? I would say so, which means you'd have to su via the shell at least once to permanently accept su operations?

That said, I think a safer method, whilst in recovery mode, would be to execute the commands in succession, e.g. mount && cat /efs/persona.txt > sdcard/persona.txt && umount /efs, in 'dirty pseudo language'.

This is all so that the partition access is reduced to a minimum. This should finish in microseconds.

I'd love to make a backup of the efs partition, in recovery mode, but I'm very hesitant as I don't feel happy going back to the repair shop and telling them 'it broke again'.

If you got access to the unlock code and the imei is the same as before, the code will be the same. When I bricked my phone I made a note of the code then when I got the phone back from service with a new board, entered the code in with a locked sim and now I'm unlocked. Took a week without my phone but at least it was free lol.


Sent from my GT-S5830 using XDA App
31st August 2011, 03:59 PM |#334  
OP Senior Member
New method with /dev/bml5
EDIT: first goto OP of this thread for latest news: http://forum.xda-developers.com/showthread.php?t=828534

Note: first check if your phone is locked at all. Obvious, but some forget it.
Goto dialer and type: *#7465625#


Note: if you cannot write to sdcard: stop Kies or make sure your card is not in Mass Storage Mode

Just found another way of doing it. Someone needs to do it. Thanks.

In a DOS box (the phone does need to be rooted!)

See for temporary rooting EDIT2 below!

- adb shell
- su
- cat /dev/bml5>/sdcard/bml5.img (BE-EM-EL-FIVE is about 25 Mb)
- exit (2x)
- adb pull /sdcard/bml5.img
- now open in hex editor on PC (like xvi32)
- find the proper block with hex search:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF (2 times)
Scroll a few pages of FF's down until you see the first number (unlock code)
- my unlock code is at #1282C0A
- put locked sim in phone, boot and enter code from above

I did reboot twice without any problems. Also checked other bml5 images found on xda.
All have the unlock code in them!!! If your phone is not SP locked you will have 000000
instead of the provider code in the same block.

That is perso.txt, but the 00 bytes are FF.
In perso.txt from stl5:
Code:
00 00 00 00 00 00 00 00 00 00 36 31 34 39 33 36  = 61493638 (my unlock code)
33 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 39 32 34 32 37 33
35 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 03
05 03 05 05
In bml5.img
Code:
FF FF FF FF FF FF FF FF FF FF 36 31 34 39 33 36  = 61493638 (my unlock code)
33 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 39 32 34 32 37 33
35 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 03
05 03 05 05
Don't know what to hex search for in bml5. Perhaps FF FF FF FF FF FF FF FF 30 30 30 30 30 30 30 30?

EDIT: find the proper block with hex search:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF (2 times)
Scroll a few pages of FF's down until you see the first number (unlock code)

Let me know.

Cheers

EDIT:
The img file starts with FSR_STL. The STL5 VFAT block is in here but not accessible as
VFAT, only through the stl5 device. But that is dangerous, as we have seen before.
You can find the start of the VFAT table (MSWIN4.1) in the FSR_STL (offset #153000).
Also, the size of the FSR_STL is 25 Mb, while the STL/VFAT image is only 7.4 Mb.
So for now you have to make do with the FSR_STL file and search in it for your unlock code.
More on Samsung's FLASH system: http://forum.xda-developers.com/showthread.php?t=801223

EDIT2:
To get the BML5 container you must root your phone. But you can easily do a temporary root with these instructions. You do need adb.exe
- download RageAndAdb.zip from the attachment and unpack
- put the rageagainstthecage ELF executable in a user-writeable part of your phone:
1) adb push rageagainstthecage /data/local/tmp
2) adb shell
3) cd /data/local/tmp
4) chmod 777 rageagainstthecage
5) ./rageagainstthecage
- back at your PC, open Windows Task Manager (Ctrl+Shift+Esc) and kill the adb process
- start adb shell again
- now you are superuser on your phone
- continue with the bml5 dump as written above
Samsung USB drivers can be found here: http://forum.xda-developers.com/show...86&postcount=6
Attached file: RageAndAdb.zip (294.4 KB)
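An added example, not from this thread or its author, that turns the layout shown in the dumps above into a parser: it scans a bml5-style image for the perso record (10 header bytes, four 8-digit ASCII fields each followed by 24 bytes of FF padding, then the 00 00 00 00 00 03 05 03 05 05 trailer) and also decodes the swapped digit bytes described for NV item 550 in post #332. The record layout and the meaning of the first field are assumptions read off the hex dumps, and the sample image is constructed; the point for anyone keeping such a dump as a backup is that the codes sit in it as plain ASCII, so the file needs the same protection as the codes themselves.

```python
import re

# Record layout assumed from the hex dumps in this thread (perso.txt / bml5):
# 10 header bytes (0x00 in perso.txt, 0xFF in the raw bml5 image), then four
# 8-digit ASCII fields each followed by 24 bytes of 0xFF padding, then the
# trailer 00 00 00 00 00 03 05 03 05 05. The thread says the first field is
# the unlock code and reads 00000000 on a phone that is not SP-locked.
PERSO_RE = re.compile(
    rb"[\x00\xff]{10}" + rb"(\d{8})\xff{24}" * 4 + rb"\x00{5}\x03\x05\x03\x05\x05"
)
TRAILER = b"\x00" * 5 + b"\x03\x05\x03\x05\x05"


def find_perso_records(image: bytes):
    """Return (offset, [code1, code2, code3, code4]) for every record found."""
    return [(m.start(), [g.decode("ascii") for g in m.groups()])
            for m in PERSO_RE.finditer(image)]


def is_sp_locked(codes):
    """Per the thread: an all-zero first field means no provider lock."""
    return codes[0] != "00000000"


def swap_nibbles(raw: bytes) -> str:
    """Decode digit bytes stored low-nibble first, as post #332 describes
    for NV item 550 (a stored byte 0x85 reads back as the digits 58)."""
    return "".join(f"{b & 0x0F}{b >> 4}" for b in raw)


def build_sample_image() -> bytes:
    """Constructed stand-in for a bml5 dump: FSR_STL magic, FF filler, one
    record with made-up codes, more filler. Not a real phone image."""
    codes = ("12345678", "00000000", "87654321", "00000000")
    record = (b"\xff" * 10
              + b"".join(c.encode("ascii") + b"\xff" * 24 for c in codes)
              + TRAILER)
    return b"FSR_STL" + b"\xff" * 0x200 + record + b"\xff" * 0x100


if __name__ == "__main__":
    for offset, codes in find_perso_records(build_sample_image()):
        print(f"record at 0x{offset:X}: {codes}, SP-locked: {is_sp_locked(codes)}")
```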
1st September 2011, 01:22 PM |#335  
Member
Quote:
Originally Posted by russ18uk

If you got access to the unlock code and the imei is the same as before, the code will be the same. When I bricked my phone I made a note of the code then when I got the phone back from service with a new board, entered the code in with a locked sim and now I'm unlocked. Took a week without my phone but at least it was free lol.


Sent from my GT-S5830 using XDA App

I was stupid enough to not write it down :S or rather, I wrote it down, but didn't save the file. After I thought it worked, I trashed it.
1st September 2011, 01:28 PM |#336  
Member
Quote:
Originally Posted by tweakradje

Just found another way of doing it. Someone needs to do it. Thanks.

In a DOS box (the phone does need to be rooted!)

- adb shell
- su
- cat /dev/bml5>/sdcard/bml5.img (25 Mb)
- exit (2x)
- adb pull /sdcard/bml5.img
- now open in hex editor on PC (like xvi32)
- find the proper block with hex search:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF (2 times)
Scroll a few pages of FF's down until you see the first number (unlock code)
- my unlock code is at #1282C0A
- put locked sim in phone, boot and enter code from above

I did reboot twice without any problems. Also checked other bml5 images found on xda.
All have the unlock code in them!!! If your phone is not SP locked you will have 000000
instead of the provider code in the same block.

That is perso.txt, but the 00 bytes are FF.
In perso.txt from stl5:

Code:
00 00 00 00 00 00 00 00 00 00 36 31 34 39 33 36  = 61493638 (my unlock code)
33 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 39 32 34 32 37 33
35 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 03
05 03 05 05
In bml5.img
Code:
FF FF FF FF FF FF FF FF FF FF 36 31 34 39 33 36  = 61493638 (my unlock code)
33 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 39 32 34 32 37 33
35 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 03
05 03 05 05
Don't know what to hex search for in bml5. Perhaps FF FF FF FF FF FF FF FF 30 30 30 30 30 30 30 30?

EDIT: find the proper block with hex search:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF (2 times)
Scroll a few pages of FF's down until you see the first number (unlock code)

Let me know.

Cheers

EDIT:
The img file starts with FSR_STL. The STL5 VFAT block is in here but not accessible as
VFAT, only through the stl5 device. But that is dangerous, as we have seen before.
You can find the start of the VFAT table (MSWIN4.1) in the FSR_STL (offset #153000).
Also, the size of the FSR_STL is 25 Mb, while the STL/VFAT image is only 7.4 Mb.
So for now you have to make do with the FSR_STL file and search in it for your unlock code.
More on Samsung's FLASH system: http://forum.xda-developers.com/showthread.php?t=801223

Extremely interesting, you reckon 'catting' bml5 is safer than mounting stl5 to copy persona.txt? I suppose getting bml5 to extract the efs from that might be safer (for backup purposes).

I'd also think this is still best done in recovery mode/flight mode?
1st September 2011, 01:30 PM |#337  
Member
Whilst still searching, does anybody know if you can get root in recovery mode? I keep getting permission denied on su. But the phone is rooted in normal mode, su works (I told it to permanently allow su).
1st September 2011, 02:43 PM |#338  
OP Senior Member
Quote:
Originally Posted by ol1ver

Extremely interesting, you reckon 'catting' bml5 is safer than mounting stl5 to copy persona.txt? I suppose getting bml5 to extract the efs from that might be safer (for backup purposes).

I'd also think this is still best done in recovery mode/flight mode?

catting bml5 is all over this board. No problems found. Try searching /dev/bml5 here.

Cheers
1st September 2011, 03:20 PM |#339  
Member
Quote:

WARNING!!! DO NOT dd /dev/block/stl5 as there have been multiple reports of bricking following reading it. We already know that this block contains the EFS partition, including SIM-lock code and IMEI information. For the same reason I haven't tried dd'ing bml5 as a precaution.


from http://forum.xda-developers.com/show....php?t=1233719

so not that convinced yet

Being the stupid experimenting fool I am, I did it, in airplane mode obviously just in case.

I catted the file, removed busybox, su, Superuser.apk etc (e.g. unrooted it just in case) and rebooted.

Everything seems perfectly normal, got bluetooth, wifi MACs, IMEI ... and the file on my SD card. So far, it works better than before BUT it has been done in flight mode.

On the S5660 (Gio) the file is only 9MB (9437184 to be exact).

So I went browsing through the dump. Since I also have Vodafone and, as in the first post, I know my network ID is 20404, I went searching for that sequence.
Code:
0286bf0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0286c00: 0100 0100 0001 3230 3430 3423 ffff ffff  ......20404#....
0286c10: ffff ffff ffff ffff ffff ffff ffff ffff  ................
Looks pretty exciting, scrolling up a few blocks gives:
Code:
0286430: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0286440: 5045 5253 4f20 2020 2020 2030 1800 0e00 PERSO 0....
0286450: 2136 2136 0000 0e00 2136 0c03 0000 0000 !6!6....!6......
0286460: 0000 0000 0000 0000 0000 0000 0000 0000 ................

sounds like perso.txt ... (there are quite a few mentions of perso.txt actually)

so let's go back to 20404 and go down some ...

I do find the mentioned 05 FF FF bit:
Code:

0287ff0: ffff ffff ffff ffff ffff ffff ffff ffff ................
0288000: f16a fcff e564 fcff 8960 fcff 315d fcff .j...d...`..1]..
0288010: 3c5b fcff 995a fcff cc5a fcff 555b fcff <[...Z...Z..U[..
0288020: ca5b fcff 115c fcff 305c fcff 2e5c fcff .[...\..0\...\..
0288030: 145c fcff e75b fcff ac5b fcff 685b fcff .\...[...[..h[..
0288040: 1b5b fcff c55a fcff 685a fcff 035a fcff .[...Z..hZ...Z..
0288050: 9659 fcff 2459 fcff ab58 fcff 2d58 fcff .Y..$Y...X..-X..
0288060: aa57 fcff 2357 fcff 9856 fcff 0a56 fcff .W..#W...V...V..
0288070: 7955 fcff e654 fcff 5254 fcff bd53 fcff yU...T..RT...S..
0288080: ffff ffff ffff ffff ffff ffff ffff ffff ................

But no unlock code, not even further. I will search more :S
1st September 2011, 05:20 PM |#340  
OP Senior Member
Are you browsing the stl5 file? You can easily view that with winimage.

Or the bml5 file (which should be much bigger than 9 Mb)

The hex sequence I gave is for BML5 only!!

Search 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF twice!!!!

PS: if your provider code is 20404 we might as well speak Dutch
1st September 2011, 08:45 PM |#341  
Member
Quote:
Originally Posted by tweakradje

Are you browsing the stl5 file? You can easily view that with winimage.

Or the bml5 file (which should be much bigger than 9 Mb)

The hex sequence I gave is for BML5 only!!

Search 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF twice!!!!

PS: if your provider code is 20404 we might as well speak Dutch

Then the others won't understand it

I don't have WinImage, nor Windows

Got the code, at a completely different location than the 20404 id though. Not even nearby. What I did was open the bml5 image in vim and turn it to hex mode view. (Though I'm sure there are many better ways, such as hexdump -C | grep.) Anyhow, I knew 2 of my codes were 00000000. So I searched for ...0000 (or FFFFFF303030 in hex I suppose) and I found the codes surrounded by lots of ffffff's. Thus ... bingo. There it was. I searched for the unlock code and there were many, many references to this code.

Short story long, the bml5 image on the Gio (S5660) seems to be the safest way so far. I know dd'ing the stl5 bricks it (first-hand experience) so didn't have that image.

Btw, you can somewhat mount the vfat container that's hidden within the bml5 image. Find the MSWIN tag in the file with a hex editor and use that as an offset for mount -o loop,offset=0xsomenumber. It'll mount but only 4 files seem to be visible and it seems heavily corrupted. Which sorta explains what the difference between rfs and bml is.
Tags
efs, i5500, nv_data.bin, unlock