unlock vibrant, stuck :S - Android Software/Hacking General [Developers Only]

OK, so I followed ALL the steps in this thread: http://forum.cyanogenmod.com/topic/4999-howto-sim-unlock-your-vibrant-galaxy-s/
I created a bml3.bak and copied it into my c:/, downloaded sgux.exe and also put it in my c:/. However, when I open cmd and type "c:\sgux.exe bml3.bak" it says
Searching code block...
found...
searching codes..
then it returns to the normal state. Where's the code?!
I even tried it with a backup of my nv_data.bin, but I get the same results

No help on this one? I could PM you a link to my nv_data.bin and bml3.bak, and would also donate if you help me find the code! =(

I have the same issue!
HEX editing of nv_data.bin helped!! No SIM lock anymore
mount the internal SD card on your computer
make a backup copy of the nv_data.bin file on your computer
using your favorite HEX editor, open the nv_data.bin on the sdcard
jump to address 0x181468
you should see a string like this
ff 01 00 00 00 00 46 46
there are 5 different types of locks in 5 different bytes
the FF byte should be left alone
the first byte after the FF is the network lock
the next byte is the network subset lock
the next byte is the sp lock
the next byte is the cp lock
the last byte appears to be a data lock.
the 46 46 should be left alone
Change any 0x01 to 0x00 (or 0x00 to 0x01 to lock for warranty)
save and close file
unmount SD Card

Boot from SD Card

On page 67 of the Service Manual, it mentions "Turn the device power off and insert Diagnostic SD card. Press and hold Capture button, then press Power button to enter Diagnostic mode."
I'm thinking that the camera + power button will make the G1 boot off the SD Card.. this may be a way to run a hacked rev 30 on a locked rev 30 phone...
I will try some stuff tonight...
-Nikropht
that does seem interesting... I'm going to try to flash JF's img after it finishes downloading... I'll post results... along with my attempt to flash a signed rc29 update... cross your fingers I don't brick the damned phone
The Artemis device had this so-called "Diagnostic SD" mentioned. I'm assuming therefore we could possibly create one and flash our device with whatever firmware, akin to the "Pandora Battery" for PSP.
Worth exploring, but difficult to pull off without bricking... If it is possible to flash a signed RC30 at any point using the current SD method, then at least we know we cannot brick the phone
the SPL bootloader (engineering and original) look for NBH files on the SD card.
DREADIAG.nbh
and
DREAIMG.nbh
As you can see, their purpose is clear. One is for booting diagnostics and the other is for flashing the firmware.
^^^so are you saying flashing DREAIMG.nbh is possible with this method?
damien667 said:
the SPL bootloader (engineering and original) look for NBH files on the SD card.
DREADIAG.nbh
and
DREAIMG.nbh
As you can see, their purpose is clear. One is for booting diagnostics and the other is for flashing the firmware.
So could we create a dreadiag.nbh from RC29?
Yes indeedy. However, we don't know the format of said nbh files. We're working on it still.
richbayliss said:
The Artemis device had this so-called "Diagnostic SD" mentioned. I'm assuming therefore we could possibly create one and flash our device with whatever firmware, akin to the "Pandora Battery" for PSP.
Worth exploring, but difficult to pull off without bricking... If it is possible to flash a signed RC30 at any point using the current SD method, then at least we know we cannot brick the phone
it's possible to flash update.zip so we won't brick the phone... the issue is that each update checks for something on the one previously installed... like mentioned in one of my other posts it's an endless loop... we can change what it looks for but then lose the signature...
Can we not use the info here
http://wiki.xda-developers.com/index.php?pagename=Hermes_NBH
To go the other way!?
richbayliss said:
Can we not use the info here
http://wiki.xda-developers.com/index.php?pagename=Hermes_NBH
To go the other way!?
OK... Has anyone tried to extract DREAIMG.NBH just to see how it's formatted or structured??? If so we could compare it to the data listed for the Hermes NBH format just to compare differences (if any) to see how closely they match... just a thought
If I could get a copy of the file I would give it a whirl... but cannot find it anywhere.
Guys,
NBH files are a proprietary format. They are like the update.zip, but different. We don't know how, as this is embedded into the SPL code that is all in binary format at the time (it's not been disassembled). No one except HTC and/or T-Mo will have these original files anyway. This means we're going to have to build one from scratch with reverse engineering of the spl (at least that's what it looks like as of now). That being said, there is no NBH file that is "found" on any file system of the G1. The NBH file contains files within itself that are flashed onto the NAND flash of the phone, like update.zip. The difference is that NBH files are not signed (that we know of yet), and the format in which they have to be assembled.
richbayliss said:
If I could get a copy of the file I would give it a whirl... but cannot find it anywhere.
I can't find it either... it's out there though... too many people have posted their experiments with it... if anyone has it or knows where it is located please post... thanks...
DREAIMG.nbh is nowhere. People are just creating empty files with that filename to see what the bootloader will do.
damien667 said:
DREAIMG.nbh is nowhere. People are just creating empty files with that filename to see what the bootloader will do.
Yup. Well, to be correct there are probably true DREAIMG.NBH files somewhere out there (at an HTC repair center most likely), but they have not yet made their way into the hands of the hacking community.
True.
I would risk messing if there was an update.zip of the OTA RC30 as is now. So I could rescue myself.
Looking at the WinMo phones, they have NBH for a few devices, and it is common for all of them to put the OS partition at header 0x0400, even on the latest Diamond device. So I would risk trying a file with this IF I knew I wouldn't be bricking for life.
richbayliss said:
True.
I would risk messing if there was an update.zip of the OTA RC30 as is now. So I could rescue myself.
Looking at the WinMo phones, they have NBH for a few devices, and it is common for all of them to put the OS partition at header 0x0400, even on the latest Diamond device. So I would risk trying a file with this IF I knew I wouldn't be bricking for life.
there is an official rc30 update.zip out... however it does not seem to alter the OS... I re-flashed my rc30 with it and I didn't have to re-log into Google and nothing was missing... all of my text messages were even intact
When you flash with update.zip, it does not affect the data partition (where all your settings and installed apps are located). It only changes radio, system, and boot partitions.
format of DREAIMG.nbh:
0x200 bytes header,
then N images one by one(radio, hboot, recovery, boot, splash, sysfs, userfs)
header:
000: 48 00 00 00 54 00 00 00 43 00 00 00 49 00 00 00 │H...T...C...I...
010: 4D 00 00 00 41 00 00 00 47 00 00 00 45 00 00 00 │M...A...G...E...
020: 44 52 45 41 31 30 30 30 30 00 00 00 00 00 00 00 │DREA10000.......
030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 │................
seems like simple "magic"
+0x40: 32 DDs - IMHO type descriptors (type of each image, 00 if not used)
+0xC0: 32 DD's - offset of images
+0x140: 32 DD's - size of each image
+0x1C0: version?
1C0: 31 31 31 31 31 31 31 31 00 00 00 00 00 00 00 00 │11111111........
1D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 │................
1E0: 30 2E 30 35 2E 30 2E 30 00 00 00 00 00 00 00 00 │0.05.0.0........
1F0: 47 65 6E 65 72 69 63 00 00 00 00 00 00 00 00 00 │Generic.........
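As an added example (not code from this thread, and not anything HTC published), here is a Python parser for the header layout the post above proposes: the "HTCIMAGE" magic stored one ASCII character per DWORD at 0x00, the device string at 0x20, the three 32-entry DWORD tables (types at 0x40, offsets at 0xC0, sizes at 0x140) and the version strings at 0x1C0, 0x1E0 and 0x1F0. That layout is the poster's reading of a dump and is treated here as an assumption; the meaning of the three string fields is assumed too. build_nbh only produces a constructed test container so the parser can be run offline. The practical point is the bounds check: every offset/size pair from the table is checked against the file length before any image is sliced out, which is what you want from any tool that reads a firmware container it did not produce.

```python
import struct

HEADER_SIZE = 0x200          # header size stated in the post
MAGIC = "HTCIMAGE"           # one ASCII char per little-endian DWORD at 0x00 (per the dump)
MAX_IMAGES = 32              # each table has 32 DWORD slots (per the post)
OFF_DEVICE, OFF_TYPES, OFF_OFFSETS, OFF_SIZES = 0x20, 0x40, 0xC0, 0x140
OFF_VERSION, OFF_FW_VERSION, OFF_OEM = 0x1C0, 0x1E0, 0x1F0   # string fields; meaning assumed


def _cstr(buf: bytes, start: int, length: int) -> str:
    """Read a NUL-padded ASCII field."""
    return buf[start:start + length].split(b"\0", 1)[0].decode("ascii", "replace")


def build_nbh(device: str, images, version="11111111", fw="0.05.0.0", oem="Generic") -> bytes:
    """Build a constructed NBH-style container for testing (not a real HTC image).

    images: list of (type_id, payload) with type_id != 0; payloads are laid out
    back to back right after the 0x200-byte header.
    """
    if len(images) > MAX_IMAGES:
        raise ValueError("too many images")
    hdr = bytearray(HEADER_SIZE)
    for i, ch in enumerate(MAGIC):
        struct.pack_into("<I", hdr, 4 * i, ord(ch))
    hdr[OFF_DEVICE:OFF_DEVICE + len(device)] = device.encode("ascii")
    offset = HEADER_SIZE
    for i, (type_id, payload) in enumerate(images):
        struct.pack_into("<I", hdr, OFF_TYPES + 4 * i, type_id)
        struct.pack_into("<I", hdr, OFF_OFFSETS + 4 * i, offset)
        struct.pack_into("<I", hdr, OFF_SIZES + 4 * i, len(payload))
        offset += len(payload)
    for off, text in ((OFF_VERSION, version), (OFF_FW_VERSION, fw), (OFF_OEM, oem)):
        hdr[off:off + len(text)] = text.encode("ascii")
    return bytes(hdr) + b"".join(p for _, p in images)


def parse_nbh(blob: bytes) -> dict:
    """Parse the header and return device/version strings plus the image table.

    Raises ValueError on a short file, bad magic, or any image whose
    offset/size pair does not fit inside the file.
    """
    if len(blob) < HEADER_SIZE:
        raise ValueError("file shorter than the 0x200-byte header")
    magic_words = struct.unpack_from(f"<{len(MAGIC)}I", blob, 0)
    if any(w > 0x7F for w in magic_words) or "".join(map(chr, magic_words)) != MAGIC:
        raise ValueError("bad magic")
    types = struct.unpack_from(f"<{MAX_IMAGES}I", blob, OFF_TYPES)
    offsets = struct.unpack_from(f"<{MAX_IMAGES}I", blob, OFF_OFFSETS)
    sizes = struct.unpack_from(f"<{MAX_IMAGES}I", blob, OFF_SIZES)
    images = []
    for slot, (t, off, size) in enumerate(zip(types, offsets, sizes)):
        if t == 0:                      # unused slot, per the post
            continue
        end = off + size                # Python ints: no 32-bit wraparound to exploit here
        if off < HEADER_SIZE or end > len(blob):
            raise ValueError(f"slot {slot}: image [{off:#x},{end:#x}) lies outside a {len(blob):#x}-byte file")
        images.append({"slot": slot, "type": t, "offset": off, "size": size, "data": blob[off:end]})
    return {
        "device": _cstr(blob, OFF_DEVICE, 0x20),
        "version": _cstr(blob, OFF_VERSION, 0x20),
        "fw_version": _cstr(blob, OFF_FW_VERSION, 0x10),
        "oem": _cstr(blob, OFF_OEM, 0x10),
        "images": images,
    }


if __name__ == "__main__":
    # Constructed sample: two fake images with made-up type ids 1 and 3.
    sample = build_nbh("DREA10000", [(1, b"radio-bytes"), (3, b"recovery-bytes")])
    info = parse_nbh(sample)
    print(info["device"], info["fw_version"], [(i["type"], i["size"]) for i in info["images"]])
```

Run it against a real dump by replacing the constructed sample with the file's bytes; a truncated or tampered file is rejected before any image data is used.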
Booting from the SD card is probably how you enter the manufacturer's test mode. RE: FACTORY_TEST: "Run as a manufacturer test application, running as the root user." "android.permission.FACTORY_TEST"
http://code.google.com/android/reference/android/Manifest.permission.html

need help to unlock P6200 to use other sim cards

After doing a little research on the web about why it's asking for a SIM network unlock PIN, I found out it's because my device is locked to a certain carrier/provider. I made sure it was already unlocked when I got it; I was even able to use it for about a week. However, for some reason it got locked again and I got that message. I'm sure I didn't make any changes because this is my first time having a Samsung tab. That's when I tried to do more research about it, and I know there's a way to do it, but I guess I need a more detailed guide. Please help... thanks!
This program finds the SIM unlock code for your Samsung Galaxy p6200 device. It requires root / superuser.
Simply install the application, hit the "SIM unlock code" button, wait a few minutes, and it should come up with the code. It can indeed take a while, so plug your phone in the charger before running, and go make yourself a cup of coffee.
Write down the code, turn off your device, insert a SIM that doesn't match your SIM lock, turn the device on again, and enter the code when the device asks for it.
If the code does not work, do NOT try it again. You might end up with a freeze. The app can also find the unfreeze code, but if the SIM unlock code was wrong in the first place, maybe so is the unfreeze code. Download free SIM unlock for Galaxy P6200 here: http://www.mobyware.net/get-software-65666.html
Another method: Step 1. - Retrieve nv_data.bin file
use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands
Code:
su
# use '>' rather than '>>': appending to a copy that already exists on the sdcard would corrupt it
cat /efs/nv_data.bin > /sdcard/nv_data.bin
cat /efs/.nv_state > /sdcard/.nv_state
# full copy of /efs as the backup to restore from if anything goes wrong
busybox cp -r /efs /sdcard/
Step 2. - Edit nv_data.bin file
mount the internal SD Card on your computer
make a backup copy of the nv_data.bin file on your computer
using your favorite HEX editor open the nv_data.bin on the sdcard
jump to address 0x181468
you should see a string like this
ff 01 00 00 00 00
there are 5 different types of locks in 5 different bytes
the FF byte should be left alone
the first byte after the FF is the network lock
the next byte is the network subset lock
the next byte is the sp lock
the next byte is the cp lock
the last byte appears to be a data lock.
the 46 46 should be left alone
Change any 0x01 to 0x00 (or 0x00 to 0x01 to lock for warranty)
It should read ff 00 00 00 00 00 46 46 for unlocked
save and close file
unmount SD Card
Step 3. - Replace nv_data.bin file
I want to say it again so no one misses it MAKE SURE YOU HAVE A BACKUP OF YOUR /efs/ FOLDER BEFORE YOU CONTINUE!!!!!
use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands
Code:
su
rm /efs/nv_*
rm /efs/.nv_*
# the targets were just removed, so '>' writes exactly one copy of each file
cat /sdcard/nv_data.bin > /efs/nv_data.bin
cat /sdcard/.nv_state > /efs/.nv_state
chmod 755 /efs/nv_data.bin
# the radio user owns /efs; fall back to uid/gid 1001 if the name is not resolvable
chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
chmod 755 /efs/.nv_state
chown radio.radio /efs/.nv_state || chown 1001.1001 /efs/.nv_state
reboot
your tab is now unlocked... enjoy
Just make sure you back up your entire /efs folder (save it on your computer and your tablet) before making any change. I believe you can refer to this one on the 10.1 tab forum: http://forum.xda-developers.com/showthread.php?t=1336659&highlight=t-mobile+unlock....
Can anyone confirm that this solution works? I'm reluctant to try without a guarantee
Sent from my HTC Desire S using xda app-developers app
@devid801
OK, so I've opened the nv_data.bin file in a hex editor and found the following at address 00181468: ff 01 00 00 00 00 44 4b. As you can see, the 46 46 is not there; instead there is 44 4b. Is this significant? Do I have to replace it with 46 46 or should I leave it alone? Could this mean that this solution does not apply in my case and I risk breaking my device if I use it? Please advise.
Edit: I ignored the 44 4b bytes there and just changed the 01 to 00 and it worked, I am now network unlocked. Thanks for posting the solution

[Resolved] Amendments to Samsung Galaxy S SIM Unlocking Procedures

Folks,
I was trying to SIM unlock my Galaxy S I9000 using this thread: http://forum.xda-developers.com/showthread.php?t=761045 and noticed the following:
Filesystems Mounted Read only: / and /system are mounted ro
Patching nv_data.bin doesn't work: the result once that's done is the phone still being SIM locked
So here's my amended procedure, that worked on my Galaxy S I9000, locked to T-mobile UK:
If your phone is not rooted, then follow any of the methods listed in this link to root your phone first, before going any further. I will post a full rooting procedure and integrate it with this post shortly, for convenience and completeness.
Once rooted, enable USB debugging on your phone from the settings menu. Various releases of Brokendroid will have subtle differences on how this is done, but I'm sure you'll find your way. Again, I intend to update this procedure once I finish the rooting article, so the instructions are more complete. Also enable SD Card USB access.
Connect your phone to a USB port on a computer
Assuming you have downloaded, extracted and installed the Brokendroid SDK from Google, there will be a directory under where you extracted the tools that looks something like sdk/platform-tools. Change to that directory and issue the following commands:
Code:
$ ./adb shell
$ su -
# cat /efs/nv_data.bin > /sdcard/nv_data.bin
Once done, copy the nv_data.bin file from your SD card to your machine and make a working copy (e.g. nv_data-working.bin)
Using your favourite hex editor, go to address 0x00180066 and look for the following sequence of bytes:
Code:
00 [HL] [HL] [HL] [HL] [HL] 23
Where the [HL] sequence represents your present network's PLMN code.
Replace all of the sequence above with 00. In my case, the PLMN for T-Mobile is 23410, so the byte sequence was changed as follows:
Code:
From
00 32 33 34 31 30 23
To
00 00 00 00 00 00 00
Go to address 0x181468
This is a sequence of 8 bytes that starts with FF and ends with 46 46. In my case, this was:
Code:
FF 01 00 00 00 00 46 46
The significance of these bytes are as follows:
FF Start of string - LEAVE ALONE
Network Lock
Network Subset Lock
SP Lock
CP Lock
Data Lock.
46 46 End of string - LEAVE ALONE
You need to change this sequence so that all bytes between the FF and 46 46 are set to 00. I.e.;
Code:
FF 00 00 00 00 00 46 46
Save the resulting file.
Transfer the resulting file to your SD card - I am assuming your new file name is nv_data-working.bin
Issue the following commands, with your phone connected to the computer:
Code:
# mount -o rw,remount /
# mount -o rw,remount /sys
# mount -o rw,remount /system
# rm /efs/nv_data.bin
# rm /efs/nv_data.bin.md5
# cat /sdcard/nv_data-working.bin > /efs/nv_data.bin
# chmod 755 /efs/nv_data.bin
# chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
reboot
And you are done .. your phone is SIM unlocked :)
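The three posts above (the Vibrant, the P6200 and this Galaxy S procedure) all describe the same 8-byte block at 0x181468: an FF marker, five lock bytes (network, network subset, SP, CP, data) and a two-byte trailer, normally 46 46, though one reply reported 44 4b. As an added example, not code from any of the posters, here is a small Python inspector that decodes that block from a copy of nv_data.bin without writing anything, flags an unexpected trailer or a lock byte that is neither 00 nor 01 (both hints that the layout is not what you assume), and then compares the backup with the edited copy to confirm that the hex editor changed nothing outside the five lock bytes before the file is written back to /efs. make_sample builds a constructed zero-filled stand-in for the real file so the example runs offline; the offset and byte meanings are taken from the posts and are not independently verified here.

```python
LOCK_BLOCK_OFFSET = 0x181468                 # address quoted in the posts above
LOCK_NAMES = ("network", "network_subset", "sp", "cp", "data")
LOCK_BLOCK_LEN = 1 + len(LOCK_NAMES) + 2     # FF marker, five lock bytes, two trailer bytes
EXPECTED_TRAILER = b"\x46\x46"               # the "46 46" the posts describe; one user saw 44 4b


def make_sample(lock_bytes: bytes, trailer: bytes = EXPECTED_TRAILER) -> bytes:
    """Constructed stand-in for nv_data.bin: zero-filled except for the lock block."""
    assert len(lock_bytes) == len(LOCK_NAMES)
    buf = bytearray(LOCK_BLOCK_OFFSET + LOCK_BLOCK_LEN + 64)
    buf[LOCK_BLOCK_OFFSET:LOCK_BLOCK_OFFSET + LOCK_BLOCK_LEN] = b"\xff" + lock_bytes + trailer
    return bytes(buf)


def decode_lock_block(data: bytes) -> dict:
    """Read the lock block without modifying anything and report each lock's state."""
    if len(data) < LOCK_BLOCK_OFFSET + LOCK_BLOCK_LEN:
        raise ValueError("buffer too small to contain the lock block; wrong file?")
    block = data[LOCK_BLOCK_OFFSET:LOCK_BLOCK_OFFSET + LOCK_BLOCK_LEN]
    if block[0] != 0xFF:
        raise ValueError(f"expected FF marker at {LOCK_BLOCK_OFFSET:#x}, found {block[0]:02x}")
    locks = {}
    for name, value in zip(LOCK_NAMES, block[1:1 + len(LOCK_NAMES)]):
        if value not in (0, 1):
            raise ValueError(f"{name} lock byte is {value:02x}, neither 00 nor 01; layout may differ")
        locks[name] = bool(value)
    trailer = block[-2:]
    return {
        "locks": locks,
        "any_locked": any(locks.values()),
        "trailer": trailer.hex(" "),
        "trailer_as_expected": trailer == EXPECTED_TRAILER,
    }


def verify_edit(original: bytes, edited: bytes) -> dict:
    """Compare the backup with the edited copy before it is written back.

    Passes only if both have the same length and every differing byte lies inside
    the five lock bytes; anything else means the editor touched more than intended.
    """
    if len(original) != len(edited):
        return {"ok": False, "changed_locks": [], "reason": "file length differs"}
    allowed = range(LOCK_BLOCK_OFFSET + 1, LOCK_BLOCK_OFFSET + 1 + len(LOCK_NAMES))
    outside_untouched = (original[:allowed.start] == edited[:allowed.start]
                         and original[allowed.stop:] == edited[allowed.stop:])
    changed = [LOCK_NAMES[i - allowed.start] for i in allowed if original[i] != edited[i]]
    return {
        "ok": outside_untouched,
        "changed_locks": changed,
        "reason": None if outside_untouched else "bytes outside the lock block differ",
    }


if __name__ == "__main__":
    # Constructed backup with the network lock set, and an edited copy with it cleared.
    backup = make_sample(b"\x01\x00\x00\x00\x00")
    edited = make_sample(b"\x00\x00\x00\x00\x00")
    print(decode_lock_block(backup))
    print(verify_edit(backup, edited))
```

To use it on real files, read the backup and the edited copy with open(path, "rb").read() and pass them in; refuse to copy anything to /efs unless verify_edit reports ok and decode_lock_block on the backup showed the expected marker and trailer.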

[Q] Confusing FAT bootsector information....

Hi everyone!
Currently I'm writing a driver for my STM Cortex-M4 demo board which acts as a USB host. When connecting my Android phone to the demo board, it cannot get the right bootsector content; when I issue a Read10 command to the phone with LBA=0, what I get is like this:
eb 58 90 61 6e 64 72 6f .X.andro
69 64 20 00 02 40 16 11 id ..@..
According to the FAT32 definitions, it means the OEM ID is "android", sector size is 512 bytes, cluster size is 32768 bytes, which is not real.
However, when I connect the phone to a PC and capture the mount process, I found that Windows got the same result as me before it
issued another Read10 command with LBA=0x00008000; then it got the correct info, like this:
eb 58 90 4d 53 44 4f 53 .X.MSDOS
35 2e 30 00 02 08 e6 08 5.0.....
Does anyone know why?
You should remember that Android uses the YAFFS file system, not FAT, so unless you took that into consideration that could be what is throwing you off.
Problem Solved!
As I mentioned on top, my Android phone has two storage parts, a 2GB eMMC and an 8GB Kingston microSD card. Both of them use the FAT32 filesystem and can be recognized as USB Mass Storage devices when connecting the phone to a PC.
The Linux USB gadget driver is the key object to achieve this goal. However, there is a little trick.
1. The internal eMMC is mounted without an MBR in sector 0, which means issuing a SCSI Read10 command with LBA=0 will get a valid FAT32 partition bootsector.
2. When it comes to the microSD card, it's a little different. The Android phone returns an MBR at LBA=0; this MBR does not exist on the microSD card itself. Mainly the MBR describes OEM ID = android, and at position 446 there is a valid partition table entry #0 which indicates
the FAT32 bootsector of this partition is located at LBA=0x0800. Besides, the MBR is not valid in some way: it has a "FAT32" string at location 0x52 which indicates it's a FAT32 partition bootsector, which it's not.
To solve this problem, I modified my FAT32 filesystem code to avoid this issue. However, why my phone creates this MBR still remains to be learned.
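The two cases in the answer above (eMMC: a bare FAT32 volume boot record at LBA 0; microSD: an MBR at LBA 0 that also carries a misleading BPB and "FAT32" string, with entry #0 of its partition table pointing at the real VBR at LBA 0x800) are exactly what a host-side mass-storage driver has to disambiguate. As an added example, not the poster's driver code, here is the detection logic in Python against a read10(lba) callback. It trusts the partition table first and validates the sector it points at with BPB sanity checks before accepting it, and only falls back to treating sector 0 as the VBR when no table entry leads to a plausible volume. Both sample "disks" are constructed in the block from the byte values the thread quotes (OEM "android", 64 sectors per cluster at LBA 0; OEM "MSDOS5.0", 8 sectors per cluster at 0x800); the reserved-sector and FAT counts in the constructed sectors are assumed values.

```python
import struct

SECTOR = 512
FAT_PART_TYPES = {0x01, 0x04, 0x06, 0x0B, 0x0C, 0x0E}   # common FAT12/16/32 MBR type codes


def u16(b: bytes, off: int) -> int:
    return struct.unpack_from("<H", b, off)[0]


def u32(b: bytes, off: int) -> int:
    return struct.unpack_from("<I", b, off)[0]


def looks_like_fat_vbr(sec: bytes) -> bool:
    """BPB sanity checks; a 'FAT32' string at 0x52 on its own is deliberately not trusted."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xaa":
        return False
    if sec[0] not in (0xEB, 0xE9):                      # jump instruction
        return False
    bps, spc = u16(sec, 0x0B), sec[0x0D]
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        return False
    if u16(sec, 0x0E) == 0 or sec[0x10] == 0:           # reserved sectors, number of FATs
        return False
    return True


def partition_entries(sec: bytes):
    """Yield (type, start_lba, sector_count) for the non-empty entries of an MBR table."""
    for i in range(4):
        e = sec[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype, start, count = e[4], u32(e, 8), u32(e, 12)
        if ptype and start and count:
            yield ptype, start, count


def describe_vbr(sec: bytes) -> dict:
    bps, spc = u16(sec, 0x0B), sec[0x0D]
    return {"oem": sec[3:11].decode("ascii", "replace").rstrip(),
            "bytes_per_sector": bps, "sectors_per_cluster": spc, "cluster_bytes": bps * spc}


def locate_fat_volume(read10):
    """read10(lba) -> 512 bytes. Return (lba, vbr) of the FAT volume the device exposes."""
    sec0 = read10(0)
    if sec0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no boot signature")
    # Partition table first: sector 0 may carry a plausible BPB and still be an MBR.
    for ptype, start, _count in partition_entries(sec0):
        if ptype in FAT_PART_TYPES:
            vbr = read10(start)
            if looks_like_fat_vbr(vbr):
                return start, vbr
    # No usable entry: partition-less volume, sector 0 is the VBR itself.
    if looks_like_fat_vbr(sec0):
        return 0, sec0
    raise ValueError("no FAT volume found")


def _fat_bpb(oem: bytes, spc: int, total_sectors: int) -> bytearray:
    """Constructed boot sector with just enough BPB fields for the checks above."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x58\x90"
    sec[3:11] = oem.ljust(8)
    struct.pack_into("<H", sec, 0x0B, 512)
    sec[0x0D] = spc
    struct.pack_into("<H", sec, 0x0E, 32)       # reserved sectors (assumed value)
    sec[0x10] = 2                                # number of FATs (assumed value)
    struct.pack_into("<I", sec, 0x20, total_sectors)
    sec[0x52:0x5A] = b"FAT32   "
    sec[510:512] = b"\x55\xaa"
    return sec


def make_phone_microsd():
    """Constructed microSD case: MBR at 0 dressed up as a BPB, real VBR at 0x800."""
    mbr = _fat_bpb(b"android", 64, 0)            # 64 sectors/cluster => bogus 32768-byte cluster
    mbr[446 + 4] = 0x0C                          # entry #0: FAT32 (LBA)
    struct.pack_into("<I", mbr, 446 + 8, 0x800)  # start LBA, as in the thread
    struct.pack_into("<I", mbr, 446 + 12, 16_000_000)
    sectors = {0: bytes(mbr), 0x800: bytes(_fat_bpb(b"MSDOS5.0", 8, 16_000_000))}
    return lambda lba: sectors.get(lba, bytes(SECTOR))


def make_phone_emmc():
    """Constructed eMMC case: no MBR, the VBR sits at LBA 0."""
    sectors = {0: bytes(_fat_bpb(b"MSDOS5.0", 8, 4_000_000))}
    return lambda lba: sectors.get(lba, bytes(SECTOR))
```

On a real device the read10 callback wraps your SCSI transport; because the partition entry is validated by reading and checking the sector it points at, a garbage entry falls through to the sector-0 fallback instead of being followed blindly.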

[NB1-Collision] [Alternate method] How to unlock the bootloader of Nokia 5 and 6

Like the alternate Nokia 8.1 Bootloader Unlock method before, here's what you need:
- TWRP accessibility with proper bootloader downgrading. You must use the Chinese 7to TWRP I posted last year (in the Nokia 6 Root Guide) to achieve this (either 3.1.1 or 3.2.1 is OK), so downgrading the bootloader back to Nougat is necessary.
If your phone still stays on Android 7 or 8, great, you're welcome to the NB1-Collision method.
As I've introduced in Nokia 8.1 forum:
Since it uses the unlock key from Nokia 8 and I tricked the phone as Nokia 8, I called the unlock method "NB1-Collision".
The identification used to verify whether the unlock key is valid is located in the deviceinfo partition, and here are the offsets:
SN: 0x00000010
IMEI1: 0x00002010
Still, editing the IMEI1 here will not change the actual IMEI stored at NVRAM, so you can't use this to do anything illegal.
If you know the point, you can unlock your phone without reading this guide. In case you don't, let me tell you how.
Part 0: Obtain an official unlock key for Nokia 8, and you must know its IMEI1 and SN
Same as before, I will not provide mine, please do it yourself.
Part 1: Boot to TWRP
Skip this part if you can boot to TWRP already. Just boot to TWRP and do Part 2.
To make sure the phone will definitely boot to TWRP with proper signature, you can flash TWRP to boot partition directly:
Code:
fastboot oem dm-verity (md5)
fastboot flash aboot /path/to/D1C-0-331A-emmc_appsboot_service.mbn
fastboot reboot-bootloader
fastboot oem dm-verity (md5)
fastboot flash boot /path/to/7to-twrp.img
The extraction password of the service bootloader zip is "WLBGFIH123", in case you want to know.
Then reboot to the TWRP:
Code:
fastboot reboot
OK, now you've entered the TWRP.
Part 2: Dump the deviceinfo partition and hack it
If you're familiar with adb commands, here's how:
Code:
adb shell dd if=/dev/block/bootdevice/by-name/deviceinfo of=/tmp/deviceinfo.img
adb pull /tmp/deviceinfo.img
The rest of the procedure is straightforward. Use a hex editor to edit the deviceinfo partition:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 46 49 48 45 32 50 5F 42 00 00 00 00 01 00 00 00 FIHE2P_B........
00000010 4E 42 31 47 41 44 32 37 38 30 30 31 32 33 34 35 NB1GAD2780012345
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00002000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002010 31 32 33 34 35 36 37 38 39 30 31 32 33 34 37 00 123456789012347.
00002020 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 00 xxxxxxxxxxxxxxx.
And save it as deviceinfo_mod.img.
Push it back to your phone, along with new version of emmc_appsboot, either service or retail are OK - you can extract it from recent OTA packages.
Code:
adb push /path/to/deviceinfo_mod.img /tmp/d1
adb push /path/to/D1C-0-562H-emmc_appsboot.mbn /tmp/d2
adb shell dd if=/tmp/d1 of=/dev/block/bootdevice/by-name/deviceinfo
adb shell dd if=/tmp/d2 of=/dev/block/bootdevice/by-name/aboot
adb reboot bootloader
Part 3: Unlock the bootloader
Code:
fastboot flash unlock /path/to/unlock.key
fastboot flashing unlock_critical
Your phone will reboot immediately. Don't stop right here; execute the following command straight away:
Code:
fastboot oem alive
When fastboot responds OKAY, please proceed:
Code:
fastboot flash unlock /path/to/unlock.key
fastboot oem unlock-go
All done. Your phone now has an unlocked bootloader.
Part 4: Restore original deviceinfo and reinstall stock firmware with OST LA
Code:
fastboot flash deviceinfo /path/to/deviceinfo.img
I needn't mention how to flash stock firmware with OST LA or NOST.
FYC, firmware can be downloaded from https://fih-firmware.hikaricalyx.com/hmd_en.html#d1c .
Good luck then!
Special thanks to HMD Global for releasing the official Nokia 8 bootloader unlock, otherwise it would be impossible.
I was thinking about this method before you released it. But no one provided me the unlock.key, so I cancelled researching this method. But thanks for your effort
Elvaa said:
I was thinking about this method before you released it. But no one provided me the unlock.key, so I cancelled researching this method. But thanks for your effort
You can ask for an existing unlock key that was requested before the_laser got banned here, as an alternate method.
But you also need to know its IMEI1 and SN.
So, you can't flash new emmc_appsboot after you hacked deviceinfo partition.
You can upload the file: deviceinfo.img edited to NB1 and we just need to save the stock deviceinfo.img of the device. And flash directly your deviceinfo.img.
That would be faster
App Unlockbootloader.apk :
Messages Error: Device not support.
???
taicracker said:
You can upload the file: deviceinfo.img edited to NB1 and we just need to save the stock deviceinfo.img of the device. And flash directly your deviceinfo.img.
That would be faster
You can't simply do this. As I mentioned before, deviceinfo partition contains unique and critical credentials for your phone, and it will not accept the credentials from other devices.
Also, the deviceinfo partition contains your IMEI, and disclosing an IMEI here is strictly forbidden.
The Unlock.key
Can you Explain me Little About The Unlock Key Please
Việt nam
Until now, it is possible to root nokia 6 ta 1021 android 8.1.0
hikari_calyx said:
You can't simply do this. As I mentioned before, deviceinfo partition contains unique and critical credentials for your phone, and it will not accept the credentials from other devices.
Also, deviceinfo partition contains your IMEI, and disclose IMEI here is strictly forbidden.
