
Unlock your Samsung i5500 (Where is my /efs?) [UPDATE]

Darkshado

New member
Apr 16, 2011
1,028
500
0
Montréal
Looks like I'll be wiping the block section and sending it to Samsung...
If it's not too late: would you look at this, flash the CWM-based recovery, and dd your EFS partition back on the phone while in recovery mode?

It could give us a clue as to the exact moment the corruption occurs.

It might solve the problem, or tell us that the solution lies elsewhere...

FWIW, I've managed to dd my stl5 partition on a Gio 5660M to the SD card without wiping my IMEI by doing it while in recovery mode. Problem is that I haven't found my IMEI in the extracted image yet...

Goodbye,

Darkshado
 

tiddydiddler

New member
Jun 22, 2011
28
6
0
Since I can't give up on this one I dug a little further into my i5500 memory.


EDIT: SAFE METHOD Did it again on April 8, 2011, it works! Stick to the commands.


Guess what? I f.ckin did it. Big hooray. I'm good, I know ;) Thank you!

Code:
- root your phone
- adb shell
- su
- cd /
- mount -o remount,rw / (or do it before adb with root explorer)
This works on other systems: mount -o remount,rw -t rootfs rootfs /
- mkdir /efs
- mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs
- cat /efs/mits/perso.txt
- umount /efs
- reboot
EDIT: stl5 is es-tee-el-five (like STL5)

EDIT: /efs on the Galaxy the /etc/fstab says: mount rfs /dev/block/stl5 /efs nosuid nodev check=no

You will see some numbers: In my case 20404 for Vodafone NL.
Then you will see your SP unlock code followed by some 000000000 codes and another
code. Write the first one (and second just in case) down.

Shut down the phone and put in a "locked" SIM. Start your phone, input the PIN, and when asked for an unlock code give it the first code. Your phone is now unlocked.

Cheers

EDIT:
Rooting: http://blog.23corner.com/2010/08/30/universal-androot-1-6-2-beta-5/
Rooting newer roms: http://forum.xda-developers.com/showthread.php?t=803682. Need reboot after.
Adb and USB drivers: see attachment

EDIT: possible fix for bad imei after doing above procedure:
http://forum.xda-developers.com/showpost.php?p=15408191&postcount=4

EDIT: nice tutorial for my method - http://forum.xda-developers.com/showthread.php?p=16597429
I, too, tried the "safe" method on a standard i5500. I'm somewhat familiar with Linux (everyday user for over a decade now), so figured no harm could come from just mounting and reading stl5.

How wrong I was. Lost the IMEI, no phone connection, refused to shut down (would restart after a few seconds with corrupt date and time).

This was a standard, unmolested phone, aside from the suggested method of root. No badly typed commands, just everything in the guide. I tried the backup/restore stl5 "fix", but this had no effect.

I strongly feel the first post in this thread, as well as the one linked to from it, should be updated to reflect the fact that "safe" means more bricked phones than successes.

Don't do it. Codes are available for £9 on eBay. It's cheaper and safer to go down that route.
 

tweakradje

New member
Mar 18, 2005
1,044
530
0
Android
sites.google.com
Sorry to hear a few had trouble with the method. Don't forget the amount that did succeed.
You cannot say that more phones are bricked than cured. Not everyone logs it here ;)

I will change the text from "Safe" to "Safest method that we know of today".
If you find a better one I will put that into the opening post.

Strange that I have done the routine many times without any problems.

I must say I use Root Explorer to mount root r/w. How did you do it?
Perhaps it is also better to do it in flight mode or even in "adb reboot recovery" mode.

Perhaps you can tell me exactly what commands you gave and what tools you used.

Cheers
 

tiddydiddler

New member
Jun 22, 2011
28
6
0
Hello,

I didn't read the thread through its entirety until after I lost my IMEI. The commands were followed to the letter, but the handset was not in flight mode or recovery mode. Had I read the thread all the way through, I'd have placed the handset in recovery mode using "adb reboot recovery".

I didn't use root explorer, I mounted stl5 via the command line. It was correctly unmounted before restarting the handset.

Please don't take my response as a criticism of you or your efforts - it's very good that people are trying to offer help to the community and risking their own devices in the process! :)

I don't understand why mounting and reading the block device should cause these problems, as nothing should(!) be changed in the process. Possibly there is something we don't yet understand about RFS?

Software used: Windows 7 x64, Kies was installed, and I used ADB from the attachment in this post...
http://forum.xda-developers.com/showthread.php?t=828534

stl5 was correctly unmounted, and /efs removed prior to the reboot. After that, no network or IMEI.

I had the handset replaced by the shop the next day, and purchased a working unlock code from eBay for £9 rather than risk another handset. I'm in the UK, the handset(s) are running 2.2 and originate from 3UK(Hutchison 3G).
 

Darkshado

New member
Apr 16, 2011
1,028
500
0
Montréal
Custom recovery based method:

Flash CWM or a CWM-based recovery with Odin, then from a command line window:

C:\>adb reboot recovery

C:\>adb shell

mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs

cat /efs/mits/perso.txt

reboot

Proceed with the actual unlock.


On closer examination of the contents of my stl5 partition (safely dd'ed to the sdcard in recovery mode) there's a txt file named imeitool.txt in the same directory as perso.txt. Open that file in notepad and it looks empty, but it isn't really, you'll need a hex editor: there are 14 null values. Which conveniently matches the 14 digits found in an IMEI code, minus the Luhn check digit or SV code.

The question now: is this file of any use to us?

I tried changing the value in it to 35782304123456 instead (the first eight being common to the 5660M at least), but got no reaction from the phone. The change persists across reboots as well.
 

tweakradje

New member
Mar 18, 2005
1,044
530
0
Android
sites.google.com
imeitool.txt is also 00's on working phone with good imei. imei is stored in one of the 761 files in /nvm/num

I can give you that section in zip and my imei. But I don't have the time to search for it.
If you found it you can replace it with your imei and get my stl5.rfs to change it for
dd-ing it back to your stl5 in recovery mode.

If your phone is still booting you can enter service menu by dialing: *#197328640#
Then select [6] COMMON and again [6] NV REBUILD.

I have not done that (not necessary) but perhaps that brings back the IMEI?

Cheers
 

Darkshado

New member
Apr 16, 2011
1,028
500
0
Montréal
imeitool.txt is also 00's on working phone with good imei. imei is stored in one of the 761 files in /nvm/num

I can give you that section in zip and my imei. But I don't have the time to search for it.
If you found it you can replace it with your imei and get my stl5.rfs to change it for
dd-ing it back to your stl5 in recovery mode.

If your phone is still booting you can enter service menu by dialing: *#197328640#
Then select [6] COMMON and again [6] NV REBUILD.

I have not done that (not necessary) but perhaps that brings back the IMEI?

Cheers
About imeitool.txt containing 00's, I know, my 5660M Gio's IMEI is still fine.

My NV files have 728 entries instead of your 761, but that's to be expected.

I just searched for 6 digit serial number part in my NV files and did not find any matches.

I haven't dared try the NV REBUILD option in the menu, since I'd like to compare a working and a corrupt partition with Winmerge beforehand.
 

xdamaroc

New member
Aug 31, 2011
7
1
0
for people with the imei problem try this solution (it works for me):
-downgrade from android 2.2 to 2.1 using odin
-root your device using universal androot
-with adb shell :
su
dd if=/dev/block/stl5 of=/sdcard/stl5.rfs
dd if=/sdcard/stl5.rfs of=/dev/block/stl5
reboot
-upgrade to froyo

good luck
 

ol1ver

New member
Jun 25, 2011
45
14
0
gitlab.com
Gonna pick up my phone from the shop today, they added the simlock again (e.g. they flashed the original efs back).

I have a quick question though; when doing the mounting in recovery mode, does the phone still need to be rooted? I would say so, which means you'd have to su via the shell at least once to permanently accept su operations?

That said, I think a safer method, whilst in recovery mode, would be to execute the commands in succession, e.g. mount && cat /ets/persona.txt > sdcard/persona.txt && umount /efs. in 'dirty pseudo language'.

This all so that the partition access is reduced to a minimum. This should finish in microseconds.

I'd love to make a backup of the efs partition, in recovery mode, but very hesitant as I don't feel happy going back to the repair shop and telling them 'it broke again'.
 

tweakradje

New member
Mar 18, 2005
1,044
530
0
Android
sites.google.com
Perhaps this will bring IMEI back

- Download QPST from link below and install
- Switch on Diag mode on USB (dial *#7284#, select [1]USB[*] )
- Reboot phone (now you need adb drivers from post 6)
- Start "QPST Configuration" as administrator
- "Add New Port..." that shows phone "SURF....." USB
- Then select from menu "Start Clients" the "RF NV Item Manager"
- Then menu File -> Read from Phone
- Item 550 (click hex checkbox) should be your IMEI
- 9 bytes that are swapped: 58 in imei shows as 85
- you can write your proper imei back

Qpst: http://www.multiupload.com/FPKEE5XTJK

Cheers

EDIT: good read about NV backup/restore - http://android-dls.com/wiki/index.php?title=NV_Items_backup_and_Restore
 

russ18uk

New member
Aug 1, 2011
472
80
0
Gonna pick up my phone from the shop today, they added the simlock again (e.g. they flashed the original efs back).

I have a quick question though; when doing the mounting in recovery mode, does the phone still need to be rooted? I would say so, which means you'd have to su via the shell at least once to permanently accept su operations?

That said, I think a safer method, whilst in recovery mode, would be to execute the commands in succession, e.g. mount && cat /ets/persona.txt > sdcard/persona.txt && umount /efs. in 'dirty pseudo language'.

This all so that the partition access is reduced to a minimum. This should finish in microseconds.

I'd love to make a backup of the efs partition, in recovery mode, but very hesitant as I don't feel happy going back to the repair shop and telling them 'it broke again'.
If you got access to the unlock code and the imei is the same as before, the code will be the same. When I bricked my phone I made a note of the code then when I got the phone back from service with a new board, entered the code in with a locked sim and now I'm unlocked. Took a week without my phone but at least it was free lol.


Sent from my GT-S5830 using XDA App
 

tweakradje

New member
Mar 18, 2005
1,044
530
0
Android
sites.google.com
New method with /dev/bml5

EDIT: first goto OP of this thread for latest news: http://forum.xda-developers.com/showthread.php?t=828534

Note: first check if your phone is locked at all. Obvious, but some forget it.
Goto dialer and type: *#7465625#


Note: if you cannot write to sdcard: stop Kies or make sure your card is not in Mass Storage Mode

Just found another way of doing it ;) Someone needs to do it. Thanks.

In a DOS box (phone does! need to be rooted)

See for temporary rooting EDIT2 below!

- adb shell
- su
- cat /dev/bml5>/sdcard/bml5.img (BE-EM-EL-FIVE is about 25 Mb)
- exit (2x)
- adb pull /sdcard/bml5.img
- now open in hex editor on PC (like xvi32)
- find the proper block with hex search:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF (2 times)
Scroll a few pages of FF's down until you see the first number (unlock code)
- my unlock code is at #1282C0A
- put locked sim in phone, boot and enter code from above :)

I did reboot twice without any problems. Also checked other bml5 images found on xda.
All have the unlock code in it !!! If your phone is not SP locked you will have 000000
instead of provider code in the same block.

That is perso.txt but 00 are FF.
In perso.txt from stl5:
Code:
00 00 00 00 00 00 00 00 00 00 36 31 34 39 33 36  = 61493638 (my unlock code)
33 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 39 32 34 32 37 33
35 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 03
05 03 05 05
In bml5.img
Code:
FF FF FF FF FF FF FF FF FF FF 36 31 34 39 33 36  = 61493638 (my unlock code)
33 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 39 32 34 32 37 33
35 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 03
05 03 05 05
Dunno where to hex search for in bml5. Perhaps FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 ?

EDIT: find the proper block with hex search:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF (2 times)
Scroll a few pages of FF's down until you see the first number (unlock code)

Let me know.

Cheers

EDIT:
The img file starts with FSR_STL. The STL5 VFAT BLOCK is in here but not accessible as
VFAT. Only by stl5 device. But that is dangerous as we have seen before.
You can find the start of the VFAT table (MSWIN4.1) in the FSR_STL (offset #153000)
Also, the size of the FSR_STL is 25 Mb, the STL/VFAT image is only 7.4 Mb.
So for now you have to make do with the FSR_STL file and search in it for your unlock code.
More on Samsungs FLASH system: http://forum.xda-developers.com/showthread.php?t=801223

EDIT2:
For getting the BML5 container you must root your phone. But you can easily do a temporary root with these instructions. You do need adb.exe
- download RageAndAdb.zip from attachment and unpack
- put rageagainstthecage ELF executable in user writeable part of your phone:
1) adb push rageagainstthecage /data/local/tmp
2) adb shell
3) cd /data/local/tmp
4) chmod 777 rageagainstthecage
5) ./rageagainstthecage
- back at your pc open windows task manager (Ctrl+Shift+Esc) and kill adb process
- start adb shell again
- now you are superuser on your phone ;)
- continue with bml5 dump as written above
Samsung USB drivers can be found here: http://forum.xda-developers.com/showpost.php?p=12099386&postcount=6
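Added example in Python, not code from this thread or any poster: it parses the 32-byte perso records shown in the stl5 and bml5 hex dumps above, checks the 14-digit-plus-Luhn IMEI structure Darkshado mentions for imeitool.txt, and decodes (read-only) the 9-byte swapped-nibble NV IMEI item from the QPST post. The record size and field offsets are inferred from the posted hex rows, and the NV item layout (length byte, 0xA type nibble) is assumed from the 3GPP mobile-identity encoding; neither is stated by the thread.

```python
# Added example, not code from the thread: parse the 32-byte perso records
# tweakradje dumped above, check an IMEI's Luhn digit (see Darkshado's note on
# imeitool.txt), and decode a swapped-nibble NV IMEI item read-only.
# Record size/offsets are inferred from the posted hex rows (an assumption).

# perso.txt from stl5, exactly as posted: 10 rows of 16 bytes plus 4 trailing bytes.
PERSO_STL5 = bytes.fromhex(
    "00000000000000000000363134393336"
    "3338FFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    "FFFFFFFFFFFFFFFFFFFF303030303030"
    "3030FFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    "FFFFFFFFFFFFFFFFFFFF393234323733"
    "3538FFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    "FFFFFFFFFFFFFFFFFFFF303030303030"
    "3030FFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    "FFFFFFFFFFFFFFFFFFFF000000000003"
    "05030505"
)
# The same block inside bml5.img: the leading 00 pad shows up as FF there.
PERSO_BML5 = b"\xff" * 10 + PERSO_STL5[10:]

RECORD_LEN = 32          # pad(10) + 8 ASCII digits + FF pad(14), per the dump
CODE_OFF, CODE_LEN = 10, 8

def parse_perso(blob):
    """Return the 8-character ASCII code fields found in a perso block.
    Pad bytes may be 00 (stl5 view) or FF (bml5 view). Parsing stops at the
    first record whose code field is not all digits, i.e. the trailer."""
    codes = []
    for off in range(0, len(blob) - RECORD_LEN + 1, RECORD_LEN):
        rec = blob[off:off + RECORD_LEN]
        if any(b not in (0x00, 0xFF) for b in rec[:CODE_OFF]):
            break
        field = rec[CODE_OFF:CODE_OFF + CODE_LEN]
        if not all(0x30 <= b <= 0x39 for b in field):
            break
        codes.append(field.decode("ascii"))
    return codes

def imei_check_digit(body14):
    """Luhn check digit for the 14-digit TAC+serial (the 15th IMEI digit)."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:               # rightmost body digit is the first doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10

def imei_is_valid(imei15):
    return (len(imei15) == 15 and imei15.isdigit()
            and imei_check_digit(imei15[:14]) == int(imei15[14]))

def decode_nv_imei(item):
    """Decode a 9-byte NV IMEI item: byte 0 is a length byte, bytes 1..8 hold
    digit pairs with the low nibble first (so '58' is stored as 0x85), and
    the very first low nibble is a type marker (assumed 0xA), not a digit.
    Layout assumed from 3GPP mobile-identity encoding, not from the thread."""
    digits = []
    for i, b in enumerate(item[1:9]):
        lo, hi = b & 0x0F, b >> 4
        if i > 0:
            digits.append(str(lo))
        digits.append(str(hi))
    return "".join(digits)
```

Running parse_perso on either constant yields the four code fields from the dump (61493638, 00000000, 92427358, 00000000), which is a quick way to confirm a backup image is intact before relying on it.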
 


ol1ver

New member
Jun 25, 2011
45
14
0
gitlab.com
If you got access to the unlock code and the imei is the same as before, the code will be the same. When I bricked my phone I made a note of the code then when I got the phone back from service with a new board, entered the code in with a locked sim and now I'm unlocked. Took a week without my phone but at least it was free lol.


Sent from my GT-S5830 using XDA App
I was stupid enough to not write it down :S or rather, I wrote it down, but didn't save the file. After I thought it worked, i trashed it.
 

ol1ver

New member
Jun 25, 2011
45
14
0
gitlab.com
Just found another way of doing it ;) Someone needs to do it. Thanks.

In a DOS box (phone does! need to be rooted)

- adb shell
- adb su
- cat /dev/bml5>/sdcard/bml5.img (25 Mb)
- exit (2x)
- adb pull /sdcard/bml5.img
- now open in hex editor on PC (like xvi32)
- find the proper block with hex search:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF (2 times)
Scroll a few pages of FF's down until you see the first number (unlock code)
- my unlock code is at #1282C0A
- put locked sim in phone, boot and enter code from above :)

I did reboot twice without any problems. Also checked other bml5 images found on xda.
All have the unlock code in it !!! If your phone is not SP locked you will have 000000
instead of provider code in the same block.

That is perso.txt but 00 are FF.
In perso.txt from stl5:
Code:
00 00 00 00 00 00 00 00 00 00 36 31 34 39 33 36  = 61493638 (my unlock code)
33 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 39 32 34 32 37 33
35 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 03
05 03 05 05
In bml5.img
Code:
FF FF FF FF FF FF FF FF FF FF 36 31 34 39 33 36  = 61493638 (my unlock code)
33 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 39 32 34 32 37 33
35 38 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 03
05 03 05 05
Dunno where to hex search for in bml5. Perhaps FF FF FF FF FF FF FF FF 30 30 30 30 30 30
30 30 ?

EDIT: find the proper block with hex search:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF (2 times)
Scroll a few pages of FF's down until you see the first number (unlock code)

Let me know.

Cheers

EDIT:
The img file starts with FSR_STL. The STL5 VFAT BLOCK is in here but not accessible as
VFAT. Only by stl5 device. But that is dangerous as we have seen before.
You can find the start of the VFAT table (MSWIN4.1) in the FSR_STL (offset #153000)
Also, the size of the FSR_STL is 25 Mb, the STL/VFAT image is only 7.4 Mb.
So for now you have to make do with the FSR_STL file and search in it for your unlock code.
More on Samsungs FLASH system: http://forum.xda-developers.com/showthread.php?t=801223
Extremely interesting, you reckon 'catting' bml5 is safer than mounting stl5 to copy persona.txt? I suppose getting bml5 to extract the efs from that might be safer (for backing-up purposes)

I'd also think this still best be done in recovery mode/flight mode?
 

ol1ver

New member
Jun 25, 2011
45
14
0
gitlab.com
Whilst still searching, does anybody know if you can get root in recovery mode? I keep getting permission denied on su. But the phone is rooted in normal mode, su works (I told it to permanently allow su).
 

tweakradje

New member
Mar 18, 2005
1,044
530
0
Android
sites.google.com
Extremely interesting, you reckon 'catting' bml5 is safer than mounting stl5 to copy persona.txt? I suppose getting bml5 to extract the efs from that might be safer (for backing-up purposes)

I'd also think this still best be done in recovery mode/flight mode?
catting bml5 is all over this board. No problems found. Try searching /dev/bml5 here.

Cheers
 

ol1ver

New member
Jun 25, 2011
45
14
0
gitlab.com
WARNING!!! DO NOT dd /dev/block/stl5 as there have been multiple reports of bricking following reading it. We already know that this block contains the EFS partition, including SIM-lock code and IMEI information. For the same reason I haven't tried dd'ing bml5 as a precaution.

from http://forum.xda-developers.com/showthread.php?t=1233719

so not that convinced yet :)

Being the stupid experimenting fool I am, I did it, in airplane mode obviously just in case.

I catted the file, removed busybox, su, Superuser.apk etc (e.g. unrooted it just in case) and rebooted.

Everything seems perfectly normal, got bluetooth, wifi MACs, IMEI ... and the file on my SDcard. So far, it works better than before :) BUT it has been done in flight mode.

On the S5660 (Gio) the file is only 9MB (9437184 to be exact).

So I went browsing through the dump. Since I also have Vodafone and, as in the first post, I know my network ID is 20404, I went searching for that sequence.
Code:
0286bf0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0286c00: 0100 0100 0001 3230 3430 3423 ffff ffff  ......20404#....
0286c10: ffff ffff ffff ffff ffff ffff ffff ffff  ................
Looks pretty exciting, scrolling up a few blocks gives:
0286430: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0286440: 5045 5253 4f20 2020 2020 2030 1800 0e00 PERSO 0....
0286450: 2136 2136 0000 0e00 2136 0c03 0000 0000 !6!6....!6......
0286460: 0000 0000 0000 0000 0000 0000 0000 0000 ................
sounds like perso.txt ... (there's quite some mentions of perso txt actually)

so let's go back to 20404 and go down some ...

I do find the mentioned 05 FF FF bit;
0287ff0: ffff ffff ffff ffff ffff ffff ffff ffff ................
0288000: f16a fcff e564 fcff 8960 fcff 315d fcff .j...d...`..1]..
0288010: 3c5b fcff 995a fcff cc5a fcff 555b fcff <[...Z...Z..U[..
0288020: ca5b fcff 115c fcff 305c fcff 2e5c fcff .[...\..0\...\..
0288030: 145c fcff e75b fcff ac5b fcff 685b fcff .\...[...[..h[..
0288040: 1b5b fcff c55a fcff 685a fcff 035a fcff .[...Z..hZ...Z..
0288050: 9659 fcff 2459 fcff ab58 fcff 2d58 fcff .Y..$Y...X..-X..
0288060: aa57 fcff 2357 fcff 9856 fcff 0a56 fcff .W..#W...V...V..
0288070: 7955 fcff e654 fcff 5254 fcff bd53 fcff yU...T..RT...S..
0288080: ffff ffff ffff ffff ffff ffff ffff ffff ................
But no unlock code, not even further. I will search more :S
 

tweakradje

New member
Mar 18, 2005
1,044
530
0
Android
sites.google.com
Are you browsing the stl5 file? You can easily view that with winimage.

Or the bml5 file (which should be much bigger than 9 Mb)

The hex sequence I gave is for BML5 only!!

Search 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 FF FF FF FF FF FF FF FF FF FF FF FF FF FF twice!!!!

PS: if your provider code is 20404 we might as well speak Dutch ;)
 