
[HOWTO] GT-I9100 Free SIM Unlock via nv_data.bin by Odia

Odia

Guest
Jan 4, 2009
668
785
Free SIM Unlock for SGS2 by Odia. (ONLY for HW Version MP 1.200)

1. Root your phone.
2. Extract your nv_data.bin
3. Look at the file with a hex editor (UltraEdit, HxD, Hex Workshop etc.) and go to offset 0x181460
4. Take the hashes from 0x18146e (20 bytes), 0x18148e, 0x1814ae, 0x1814ce, 0x1814ee
5. If the hash is 7D 3E 17 CF CD 81 6C AC D4 E0 25 FA A6 50 04 FD D1 7D 51 F8 ignore it since that is 00000000
6. Put the hash into the BF exe for example:-
ighashgpu.exe /h:EF63BF26E2382917D96850CCF9632458EE6E6C77 /t:sha1 /c:d /max:8 /min:8 /salt:0000000000000000
and wait for it to finish, do that for each hash which is not zeros, the Found password: [50681318] is the code.
7. Put unaccepted simcard in the phone and when it asks for the unlock code enter them in order
8. Job done, phone is now unlocked for free.

If you cannot find a block which looks like hashes @ 0x181460, then search for SSNV and add 5216, but from the files which I have seen the block appears to be fixed @ 0x181460.

If it will not accept the code which you believe to be correct, it means the attempts have been used up, so you need to use the MCK code to unfreeze your phone. Note it will not request an unfreeze code, it will just say network lock unsuccessful even if your code is valid. (MCK HASH is @ offset 0x180049)

Added an example for what you need to look for.


Mastercode

Dynamically located PERSO section, holds the mastercode (MCK / unfreeze). Search for PERSO and look for a hash; there can be multiple old sections. Added a screendump with an example.
MCK HASH is also in the SSNV section @ offset 0x180049


Direct Offsets

GT-I9100
NET 0x18146e -
SUB 0x18148e -
SP 0x1814ae -
CP 0x1814ce -
MCK 0x180049 -

GT-I9000
NET 0x18154b -
SUB 0x18155f -
SP 0x181573 -
CP 0x181587 -
MCK 0x1815af -


If this saved you a few quid, maybe you would like to buy me a beer ;)

View attachment 602403

View attachment 602464

I could not have made this solution and proved my theory without the special help from pulser_g2 and Fall Guy.

I have been advised by pulser_g2 that Chainfire will make a software solution next week using this information.
(APK is here http://forum.xda-developers.com/showthread.php?t=1092451)
 
Last edited:

pulser_g2

Admin Emeritus / Senior Recognized Developer
Nov 27, 2009
19,537
11,594
OK. Sorta bad news. I can't see a way to retrieve the code itself from the file...

On another note, I DO notice that at address 0x181468, we see the semi-familiar pattern of FF 01 00 00 00 00 ...

On an unlocked phone, that was FF 00 00 00 00 00 (I checked earlier)

This fits in with the information at http://forum.xda-developers.com/showthread.php?t=761045, namely "Change any 0x01 to 0x00 (or 0x00 to 0x01 to lock for warranty)"

That suggests there is a possibility a free unlock could be gained by editing this file. But there would likely be consequences. As such I'm not going to recommend that, nor give instructions for it... If anyone chooses to, they do it 100% at their own risk, and should bear in mind that they NEED a backup of that and the corresponding md5sum first.

But I can't see an unlock code in plaintext :(

Anyway, that should be food for thought for someone who has a desire to mess about with their device. I won't be trying it for now, and I recommend you don't unless you know what to do to fix this, and are aware you are messing with stuff I don't know much about...

P
 

bigmo7

Senior Member
Nov 3, 2010
943
216
London
OK. Sorta bad news. I can't see a way to retrieve the code itself from the file...

On another note, I DO notice that at address 0x181468, we see the semi-familiar pattern of FF 01 00 00 00 00 ...

On an unlocked phone, that was FF 00 00 00 00 00 (I checked earlier)

This fits in with the information at http://forum.xda-developers.com/showthread.php?t=761045, namely "Change any 0x01 to 0x00 (or 0x00 to 0x01 to lock for warranty)"

That suggests there is a possibility a free unlock could be gained by editing this file. But there would likely be consequences. As such I'm not going to recommend that, nor give instructions for it... If anyone chooses to, they do it 100% at their own risk, and should bear in mind that they NEED a backup of that and the corresponding md5sum first.

But I can't see an unlock code in plaintext :(

Anyway, that should be food for thought for someone who has a desire to mess about with their device. I won't be trying it for now, and I recommend you don't unless you know what to do to fix this, and are aware you are messing with stuff I don't know much about...

P

Scared are we? :p

Pretty understandable tbh, I was kinda hoping it was as easy to unlock as the SGS but maybe there is still a way...let's hope so. ;)
 

dh2311

Senior Member
Oct 5, 2010
598
279
Madegascar
Just want to say, hex editing doesn't work. Doesn't detect the SIM and you get no signal; just put the old file back and all works. Looks like we're gonna need another fix.

Quick question, can anyone who has an unlocked device please send me their nv_data.bin.

I want to see if there are any other differences that could be keeping it locked.
 

pulser_g2

Admin Emeritus / Senior Recognized Developer
Nov 27, 2009
19,537
11,594
Just want to say, hex editing doesn't work. Doesn't detect the SIM and you get no signal; just put the old file back and all works. Looks like we're gonna need another fix.

Quick question, can anyone who has an unlocked device please send me their nv_data.bin.

I want to see if there are any other differences that could be keeping it locked.

I diffed an unlocked and locked one, and there's a lot of differences at binary level :(

I would need to ask the guy whose unlocked nv_data I borrowed if he was OK with that, or see if someone else has one...

Also, I did think. Perhaps it "rejects" the file if the MD5 thing doesn't match. If it's a salted MD5, then it could check the md5 of the bin file salted against a "secret" string, and then compare to the contents of the md5sum file...
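pulser_g2's guess above is that the handset may verify nv_data.bin against its .md5 sidecar, possibly with a secret salt. The following Python example is added for this page (it is not code from the thread, from Chainfire's app, or from Samsung) to show why that distinction matters for integrity protection: with a plain MD5 sidecar, anyone who edits the file can regenerate a matching checksum, whereas a keyed digest (HMAC with a device-held secret, assumed here purely for illustration) cannot be regenerated without the key. The blob, the flag offset and the secret are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for an nv_data.bin dump (NOT a real dump): 64 bytes.
SAMPLE_BLOB = bytes(range(64))
# Constructed position of a "lock flag" byte; flipping it simulates the 0x01 -> 0x00 edit.
FLAG_OFFSET = 9
# Hypothetical per-device secret; a real handset would keep such a key in a protected store.
DEVICE_SECRET = b"constructed-device-secret"


def plain_md5_sidecar(blob: bytes) -> str:
    """Unkeyed scheme: the sidecar file holds MD5(file). Nothing secret is involved."""
    return hashlib.md5(blob).hexdigest()


def keyed_sidecar(blob: bytes, secret: bytes) -> str:
    """Keyed scheme (assumed for illustration): sidecar holds HMAC-SHA256(secret, file)."""
    return hmac.new(secret, blob, hashlib.sha256).hexdigest()


def device_accepts(blob: bytes, sidecar: str, secret: Optional[bytes] = None) -> bool:
    """Model of a boot-time check: recompute the sidecar and compare in constant time."""
    expected = plain_md5_sidecar(blob) if secret is None else keyed_sidecar(blob, secret)
    return hmac.compare_digest(expected, sidecar)


def flip_flag(blob: bytes, offset: int) -> bytes:
    """Return a copy of the blob with bit 0 of one byte toggled (the 'hex edit')."""
    edited = bytearray(blob)
    edited[offset] ^= 0x01
    return bytes(edited)


def edit_survives_check(blob: bytes, secret: Optional[bytes]) -> bool:
    """Does an editor who lacks the device secret get a tampered file accepted?

    Unkeyed scheme: they simply recompute MD5 over the edited file and it passes.
    Keyed scheme: without the key the best they can do is guess one, so it fails.
    """
    tampered = flip_flag(blob, FLAG_OFFSET)
    if secret is None:
        return device_accepts(tampered, plain_md5_sidecar(tampered))
    guessed_key = b"not-the-real-secret"  # the editor does not know DEVICE_SECRET
    return device_accepts(tampered, keyed_sidecar(tampered, guessed_key), secret)


if __name__ == "__main__":
    print("plain MD5 sidecar, edited file accepted:", edit_survives_check(SAMPLE_BLOB, None))
    print("keyed sidecar,     edited file accepted:", edit_survives_check(SAMPLE_BLOB, DEVICE_SECRET))
```

The example only shows the design difference between the two schemes; it does not establish which one the handset actually uses. dh2311's report that the edited file left the phone without signal is consistent with a keyed check, but equally with the edit simply breaking how the modem reads that region.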
 

dh2311

Senior Member
Oct 5, 2010
598
279
Madegascar
When I tried putting the old file back I used all the same commands, and it said there was no md5 sum. Which would be expected to be honest. But maybe it requires one. I'll try again, this time leaving the md5. Doubt it'll work, but it's worth a go.

EDIT: Failure again!
 
Last edited:

stuclark

Senior Member
May 15, 2006
540
138
London, UK
You can have my nv_data.bin if you want... my handset used to be locked to O2 but has been unlocked.
(and I've manually changed the ProductCode by editing nv_data.bin as well, not that that should make a difference)

Let me know, and I'll PM it to you
 

pulser_g2

Admin Emeritus / Senior Recognized Developer
Nov 27, 2009
19,537
11,594
You can have my nv_data.bin if you want... my handset used to be locked to O2 but has been unlocked.
(and I've manually changed the ProductCode by editing nv_data.bin as well, not that that should make a difference)

Let me know, and I'll PM it to you

Yeah it's worth a shot. Do you have your original file as well? This suggests you managed to edit it fine, and it still worked...

We have tried switching the flag for locked to 0x00, from 0x01, but it didn't work. Would be interesting to see the file though after using a code, to see if the flag is now at 0x00

Really what we might need is a BEFORE and AFTER from an unlock.

ie. anyone getting a code, could you get a dump of this file BEFORE the unlock, then enter the code, and then RE-dump to another file. Call them before and after perhaps? Then we can see what actually happened after the unlock - perhaps a checksum gets re-calculated, or a second "backup" bit was flipped that we missed?

My email, for anyone wanting to send their file (it's only 2 MB so goes fine as an attachment) is (the lines stop OCR gathering it for spam =D)

email.png
 

Top Liked Posts

    81
    (Odia's opening post, already shown in full at the top of the thread)
    13
    Might try that, but can the phone boot without the nv_data? I thought it would fail


    On the subject of resetting the counter I found out how!!!!

    It also tells you your kernel is original when it is Supercurio's or Chainfire's :D:D

    my phone claims to be unhacked but it's rooted and everything.

    I'm uploading video proof now!



    How did I do it?

    Well, you know the download mode jig you can make to put the sgs into download mode. I make them and sell them on ebay to make a few quid. (not too great, too many others doing it)

    I thought "it worked on my sgs, will it work on this?"

    powered off the SGS II, plugged the jig in and encountered a screen saying "erasing download information succeeded" and now it says I have no custom binaries and my current binary is "samsung official", when it's Chainfire's.

    It also removes the triangle warning on first boot because it thinks it's genuine. But I still have my root privileges.

    I call this a warranty solution. All thanks to a resistor and a micro USB plug. :D
    http://www.youtube.com/watch?v=poH6TMbuj3E
    7
    So without asking me or pulser_g2, who can work it out from this?

    Found 1 CUDA device(s)
    Starting brute-force attack, Charset Len = 10, Min passlen = 8, Max passlen = 8
    Charset (unicode -> 0) [0123456789]
    Charset in HEX: 30 31 32 33 34 35 36 37 38 39
    Starting from [00000000]
    Hash type: SHA1, Hash: ef63bf26e2382917d96850ccf9632458ee6e6c77
    Salt: 00 00 00 00 00 00 00 00
    Device #0: [GeForce 8800 GT] 1625.00 Mhz 112 SP
    Hardware monitoring disabled.
    CURPWD: 46886710 DONE: 75.50% ETA: 0s CURSPD: 134.8M
    Found password: [50681318], HEX: 35 30 36 38 31 33 31 38
    Processed 75 497 472 passwords in 1s.
    Thus, 130 844 838 password(s) per second in average.

    and to the person who approached me and said lets do this and make lots of money FCUK YOU!!!

    Took me less than 1 hour's working time to find the solution, big thanks to pulser_g2 for supplying the needed files to speed up my work.

    PS: How do I get a donate button ;)
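The ighashgpu output above (and step 6 of Odia's opening post) shows why this unlock is feasible at all: the code is eight decimal digits, so there are only 10^8 candidates, and each is checked with a single SHA-1 over a fixed salt, which the GPU in that run did at about 130 million guesses per second. The Python example below is added for this page (it is not code from the thread or from ighashgpu) to turn those figures into a cost model and to contrast the fast stored-hash design with a deliberately slow one. The salt placement, the sample code value and the PBKDF2 parameters are assumptions for illustration, not the handset's actual scheme, and the example does not reproduce the thread's hash value.

```python
import hashlib
import hmac
import time

DIGITS_8 = 10 ** 8                  # size of an 8-digit numeric code space
GPU_RATE_FROM_THREAD = 130_844_838  # SHA-1 guesses/second reported in the ighashgpu run above
FIXED_SALT = bytes(8)               # the all-zero 8-byte salt given on the command line


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate offline at the given rate."""
    return keyspace / guesses_per_second


def weak_store(code: str) -> bytes:
    """Fast, fixed-salt SHA-1 of the code (the design the thread is cracking).
    ASSUMPTION: salt appended; the page does not say how the modem or ighashgpu
    combine salt and code, so this models only the cost, not the exact digest."""
    return hashlib.sha1(code.encode("ascii") + FIXED_SALT).digest()


def weak_check(code: str, stored: bytes) -> bool:
    return hmac.compare_digest(weak_store(code), stored)


def slow_store(code: str, salt: bytes, iterations: int) -> bytes:
    """Deliberately expensive alternative: PBKDF2-HMAC-SHA256 with a per-record salt."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, iterations)


def slow_check(code: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    return hmac.compare_digest(slow_store(code, salt, iterations), stored)


def measured_per_guess_seconds(check, samples: int = 200) -> float:
    """Average cost of one candidate check on this machine, over a few guesses."""
    start = time.perf_counter()
    for i in range(samples):
        check(f"{i:08d}")
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    print(f"8-digit space, SHA-1 at {GPU_RATE_FROM_THREAD:,}/s: "
          f"{seconds_to_exhaust(DIGITS_8, GPU_RATE_FROM_THREAD):.2f} s to exhaust")

    sample_code = "50681318"          # the code value quoted in the thread, used as sample input
    stored_fast = weak_store(sample_code)
    fast_t = measured_per_guess_seconds(lambda c: weak_check(c, stored_fast))

    salt = b"\x01" * 16                # constructed per-record salt
    iterations = 100_000
    stored_slow = slow_store(sample_code, salt, iterations)
    slow_t = measured_per_guess_seconds(
        lambda c: slow_check(c, salt, iterations, stored_slow), samples=5)

    print(f"this CPU: one SHA-1 check {fast_t * 1e6:.1f} us, "
          f"one PBKDF2({iterations}) check {slow_t * 1e3:.1f} ms")
    print(f"8-digit space at the PBKDF2 rate on one core: "
          f"{seconds_to_exhaust(DIGITS_8, 1 / slow_t) / 86400:.1f} days")
```

The point for a defender is that the verifier for a low-entropy secret is stored on hardware the user fully controls, so the attempt counter the thread mentions (the "attempts used up" / MCK case) never applies to an offline search. A slow hash only buys a constant factor, days on a single core rather than a second on a GPU, and an 8-digit space stays searchable; the design fix is to not keep a crackable verifier in readable storage at all, for example by holding it inside a tamper-resistant element that enforces the attempt limit itself.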
    5
    I'm happy to test for you. Mine is locked, tried T-Mobile earlier today, and it required a code. I'm rooted so I can provide anything.

    Grab that file from the device and pop me a PM. I presume you know how to get ADB up and running?
    4
    Just did an efs backup before unlocking a phone using a purchased unlock code, and immediately after unlocking did another efs backup

    comparing these two backups, the only difference is nv_data.bin, and there are 2 differences in nv_data.bin:

    1. In the locked nv_data.bin, at offset 00180069-0018006e, there is a 5-byte string and a "#" sign, representing the original locked operator name. Unlocking the phone will replace all these bytes with FF

    2. In the locked nv_data.bin, at offset 00181469, that byte is 01; as we all know, Helroz's app will change this byte to 00, thus unlocking the phone

    So, the bit-flipping method will work, and if you want a clean unlock, remove the original locked operator name at offset 00180069

    I bought the unlock code because my phone refused to work any more: last month one of the operators became disabled (emergency calls only), and after I changed to another operator, this operator became disabled again recently. I thought it might be because I unlocked the phone using the bit-flipping method and I should try unlocking it using a real unlock code. Unfortunately my phone is still disabled for those 2 operators even using the real unlock code, so I have to send it to Samsung service (I guess something in the Intel XMM6260 platform is broken)

    (ok, typo fixed)