So, I've picked up my replacement Xoom after bricking my first. I decided to rip my system and recovery partitions again for completeness, after discovering BeagleBoy's system.img was different from mine. I've posted my Xoom WiFi (MZ604) recovery.img in another thread. Anyway, I can confirm the WiFi recovery partition on both my old Xoom and new Xoom have an MD5 of 1f853c8636ab22b5d651a5512f0865c0. Great success! I hope others with a virgin Xoom Wi-Fi can confirm with me.
And here's something interesting... After ripping a new system.img (MD5 4b7b974a0cc8cdc00521de970b7fc611) from my new Xoom, I did a compare against my first system.img from my bricked Xoom. And also against BeagleBoy's. ALL 3 ARE DIFFERENT. I think I may have compromised my first system.img from my bricked Xoom by doing an "adb remount" before ripping the partition.
Now to confirm... With system.img having been extracted (and backed up) from my new Xoom. I performed an "adb remount" and immediately ripped the system partition again. Did a new MD5 check and... It changed... It's looking like a RW remount does compromise the "virginity" of the system.img file.
One more thing... I'm hoping someone with a factory locked WiFi Xoom can replicate BeagleBoy's boot.img file (MD5 051d1f7e150d4077adb388b5f8e53462). He flashed the Tiamat kernel onto the recovery partition instead of the boot partition (to maintain its integrity) and booted into recovery (Beagle, if you can elaborate on how to do this, please do).
I asked for expert help so I will not be doing step-by-step instructions.
Testing method 1 (retrieving system.img and recovery.img):
1. Put virgin Xoom in fastboot mode (if you can't do this, you shouldn't be helping)
2. Do a "fastboot oem unlock" and "fastboot flash boot.img" where boot.img is the Tiamat boot image to give you basic root. Reboot into normal mode.
3. With USB debugging on, do an "adb shell". Do not do a remount during test!
4. At the root (#) prompt, extract your system and recovery using the following commands (do recovery first, much faster):
dd if=/dev/block/platform/sdhci-tegra.3/by-name/recovery of=/mnt/sdcard/recovery_wifi_virgin.img
dd if=/dev/block/platform/sdhci-tegra.3/by-name/system of=/mnt/sdcard/system_wifi_virgin.img
Click to expand...
Click to collapse
5. Do an "adb pull" of the two .img files you created in /mnt/sdcard/.
6. Run a MD5 on the two files and report here.
7. ???
8. Profit
Test method 2 (install Tiamat into recovery partition and extract boot.img and system.img)
1. I will edit this section as needed. But the gist of it is to install Tiamat into recovery partition and then extract boot.img and system.img using a similar method to above...
...
8. In fastboot, reflash the recovery partition I saved on
References:
BeagleBoy's thread for his boot.img and system.img (http://forum.xda-developers.com/showthread.php?t=1017398)
My thread for the recovery.img file I first extracted (and hoping is consistant between all Xoom WiFi's of varying regions) at http://forum.xda-developers.com/showthread.php?t=1036574
Placeholder for an external link to my system.img file (when I have time to upload it somewhere for hosting)
Scourge1024's MD5 test results on old Xoom (fail?):
boot.img - (not tested)
system.img - 203465c9fb9d6bc926dd0dea9b85ebc4 (not valid as a clean image after remount)
recovery.img - 1f853c8636ab22b5d651a5512f0865c0 (matches my new Xoom; may not)
Scourge1024 new Xoom (Win?):
boot.img - (not tested)
system.img - 4b7b974a0cc8cdc00521de970b7fc611 (never RW mounted, hoping this is consistant)
recovery.img - 1f853c8636ab22b5d651a5512f0865c0 (matches my new Xoom; may not)
BeagleBoy:
boot.img - 051d1f7e150d4077adb388b5f8e53462 (trying to find out if this is consistent)
system.img - fd78a2297290c3fdc7377ded6090e2ae (does not match either of mine)
recovery.img - (not tested; overwritten)
Now to see if people can get a consistant MD5 for boot.img...
My expectation is that the kernel images (not the entire boot images) should be identical across devices and between boot and recovery.
The system image differences you're experiencing are probably expected -- remember *access* times are logged within the file system, it is ext4 after all -- and because you're pulling a system image, rather than the files themselves, you see a difference. Things like that are going to be difficult to eliminate.
ydaraishy said:
My expectation is that the kernel images (not the entire boot images) should be identical across devices and between boot and recovery.
The system image differences you're experiencing are probably expected -- remember *access* times are logged within the file system, it is ext4 after all -- and because you're pulling a system image, rather than the files themselves, you see a difference. Things like that are going to be difficult to eliminate.
Click to expand...
Click to collapse
If system is left in read-only access, would the access times be affected? I'm thinking this is possibly the reason why my "fastboot oem lock" failed. I had been able to relock my device before touching the boot, system and recovery partitions. Userdata was obviously changed the moment I booted up normally so I think that can be taken out of the equation. Plus, it gets wiped each lock/unlock anyway.
Anyway, I'm NOT going to try relocking my new Xoom... One heart attack was enough. And Best Buy might catch on I'm doing something I shouldn't be.
Can someone grab their MZ604 recovery partition? I'd like to see if they get the same MD5 I do. I doubt anyone has a modified recovery partition besides BeagleBoy. I'm trying to isolate if there's any difference between Canadian Wi-Fi Xooms (like my own) and the US ones. I already know my recovery partition is different than the MZ600 Verizon Xoom.
Think about this people... If Moto isn't going to give us Wi-Fi guys official img files, we'll have to get them ourselves.
Scourge1024 said:
If system is left in read-only access, would the access times be affected? I'm thinking this is possibly the reason why my "fastboot oem lock" failed. I had been able to relock my device before touching the boot, system and recovery partitions. Userdata was obviously changed the moment I booted up normally so I think that can be taken out of the equation. Plus, it gets wiped each lock/unlock anyway.
Anyway, I'm NOT going to try relocking my new Xoom... One heart attack was enough. And Best Buy might catch on I'm doing something I shouldn't be.
Can someone grab their MZ604 recovery partition? I'd like to see if they get the same MD5 I do. I doubt anyone has a modified recovery partition besides BeagleBoy. I'm trying to isolate if there's any difference between Canadian Wi-Fi Xooms (like my own) and the US ones. I already know my recovery partition is different than the MZ600 Verizon Xoom.
Think about this people... If Moto isn't going to give us Wi-Fi guys official img files, we'll have to get them ourselves.
Click to expand...
Click to collapse
I'd say mounting ro might help, but I'm not sure. It's possible filesystem metadata might change even if mounted read-only. I'd need to know more about ext4 to make a firm call.
One really needs to know what the "fastboot oem lock" procedure is using to validate the currently written images -- I have a feeling a signature check is being made, but I can't be sure of that. It might be fruitful to diff the Moto-provided images with ones dd'd off a running MZ600, perhaps. All just guesses though.
(let alone how cruddily designed it is to be only transitioned between lock and unlock states with correct firmware and no validation being made -- ie., it's very nicely easy to brick)
I bought my first smart phone Samsung Gio S5660M and tried to unlock it. I tried different ways but weird things happened and I don’t know what causes the problem. I was wondering whether the unlock code would change if I did something to the phone. Now the phone is still locked and I really need and appreciate your help.
First I used the method in the link: http://forum.xda-developers.com/showthread.php?t=1204705 to root and unlock the phone but was not able to finish it. The steps that I have completed are as follows:
To root the phone:
1. Download this file http://www.mediafire.com/download.php?jzvnlbhidsd5f6l
2. Copy root_gb_gio.zip to the root of the SD card and put the card in the phone
3. Shutdown the phone.
4. Put the phone in recovery Mode (press: Home button + Power button toghether)
5. In recovery mode, choose Install Update from SD-card using Vol. up / down key and press Home key to confirm
6. Search for the root_gb_gio.zip file on the SD-card and Press home key again to run the update
7. Reboot
8. Verify in the app folder if SuperUser app is installed properly
9. Reboot
Network Unlock (using ADB Shell from PC).
1. Download and install Samsung Kies to the PC from here: http://www.samsungapps.com/about/onPc.as, also install Samsung USB Driver
2. Download and install ADB which comes with Android SDK from: http://developer.android.com/sdk/index.html
-Go to the "Available Packages" Option on the left Menu
-Click on the "Refresh" Button on the bottom Right and wait until it finish
-From Items select the "Andoid SDK platform-tools, revision 6" Item
-Click the "Install Selected" button on the botton right and wait until it finish then close the Android SDK
3. Add the correct path
-Right-click on Computer Icon (on your Desktop) and select "Properties" from the menu,
-On My PC Properties select the "Advanced Options" Tab
-Click "Advanced System Settings"
-Click "Environment Variables"
-Highlight the "Path" Variable and click the "Edit"
-At the end of the line (and path) add the path: ;C:\Program Files\Android\android-sdk\platform-tools
4. Connect the phone to the computer via the USB cable
-Click on the start button and open the "Run" option, on Run type cmd.exe and press enter. A command prompt window popped out.
-Type the next text to access the ADB Shell: cd C:\Program Files\Android\android-sdk\platform-tools
-Type: adb shell
-Now in adb shell (and executing commands on the phone itself)
-Type the next command: su
-The superuser application popped up on the PHONE SCREEN (yes take a look at the phone screen) asking to allow root privileges to the adb shell. Choose Allow root access for the ADB shell on the phone.
-Type: cd /
-Type : mount -o remount rw /
-Type: mkdir /efs
-Type: mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs
-Type: cat /efs/mits/perso.txt
got a bunch of characters on the screen and a 8 digit number, the unlock code, which is 28572603
-Type: unmount /efs (It should umount /efs, but I typed it wrong)
5. Disconnect the USB cable from the phone
6.Turn the phone off and insert the SIM card
7. Turn on the phone
In the last step it should ask for the unlock code to unlock the phone, however, it didn’t ask for the unlock code. Instead there was a message: “Phone is SIM Corporate Locked” and there is nowhere to input any code.
When I typed “*#7465625#, the result is as follows: Network Lock [OFF], Network Subset Lock [OFF], SP Lock [OFF], CP Lock [ON]. Note that the corporate lock is on. But I could access menu with the foreign SIM card in the phone. When I tried to dial “*#7465625*638*28572603” or “#0111*28572603” with or without foreign SIM card, the message is always something like network not available (cannot recall the exact words). When I went to a FIDO kiosk for help (SIM card is from FIDO), they told me to unroot the phone so that the phone could ask for the unlock code.
I googled corporate lock/SPCK code on the Internet and there is such message: “In 1% of cases to unlock samsung SPCK code is need”, I called Samsung for help with SPCK code. The technical support in Samsung asked me to factory reset the phone by typing “*2767*3855#”. After the reset, the status of the locks were still the same as before, so is the message “Phone is SIM Corporate Locked”. Then Samsung told me that they don’t have SPCK code. I noticed that SuperUser icon was still on the menu after the factory reset.
A further search showed the unlock method of mapping image partition from: http://forum.xda-developers.com/showthread.php?t=1244695 and http://forum.xda-developers.com/showpost.php?p=17148825&postcount=334 (same method). When I went to Shell and typed “su”, not sure whether because of the factory reset or not, superuser or admin denied, so I redid the rooting by following the previous steps, but it only took a few seconds to finish it. Then the steps I followed were:
1, first, go to the command line of pc.(win xp "start->run->cmd" )
and type "cd\", now in the root of the hard drive (also tried cd \Program Files\Android\android-sdk\platform-tools)
2, second, type "adb shell".
3, after that, type "su".
4, then, type "cat /dev/bml5>/sdcard/bml5.img"
5, type twice "exit" to disconnect with gio.
6, type "adb pull /sdcard/bml5.img"
But there is an error message “remote object /sdcar/bml5.img does not exist". I just repeated the steps a few minutes ago to get a few screenshots:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
(using cd \Program Files\Android\android-sdk\platform-tools)
(using cd \)
(a different error: so I used mount command)
I think at this point (cannot recall after the following tries or at this time) that I inserted a foreign SIM card, the phone began to show message “Network Locked”, took out the foreign SIM card, typed “*#7465625#", weird enough, the result changed to: Network Lock [ON], Network Subset Lock [OFF], SP Lock [OFF], CP Lock [OFF]. Corporate lock is gone but the network lock came back. I don’t know the reason – is that because I did factory reset?
I put the foreign SIM card back to the phone, input the unlock code generated earlier “28572603”, but it was not successful. I decided to go back to the first method (ADB shell from PC) to generate the unlock code again to see whether the result code is the same. However, weird gain, this time no code at all. I reproduced the screenshot a moment ago for the result (I had to cut the screen into two half):
The third method I tried is to unlock the phone by using Android Terminal Emulator, the steps were:
- In Android Market, download and install Android Terminal Emulator
- Boot up the Android Terminal Emulator application
-Using the on-screen keyboard, type su, allowed the permission from the prompt
-Type: cd /
-Type : mount -o remount rw /
-Type: mkdir /efs
-Type: mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs
-Type: cat /efs/mits/perso.txt
The desire result should be a bunch of characters on the screen and a 8 digit number. However, I didn’t get the desire result – it seems that the result is the same as using the first method after factory reset, here is the screenshot (it seems that the shot is incomplete, but I had a hard time to get even such an incomplete shot – the shell would exit when I tried to screenshot):
My questions are: why the same method cannot generate the same code? Is it because I did something to the phone, like factory reset? The unlock code will change because of the situation or it will always keep the same? Why I cannot see the bml5.img? Is it possible I damaged it by chance? I am also worried that now even if I buy uncode code from GSMLiberty, it would not work any more because of what I did to the phone. Is it possible so? What is my option now? (I tried the code once, so I still have another two chances to input unlock code). Is what has happened weird or there is a reason for that?
Thank you very much.
I also pulled the perso.txt file onto my PC and reviewed it in XVI32. It does not look like any of the files others mentioned (a lot of 00 or FF followed by a number). Attached here is perso.txt. Is my perso.txt corrupted? If yes, how can I recover it? Thanks.
As far as I know, you're the first person that's reported seeing a CP lock on this phone... One possibility is that this happened instead of plain old bricking when you mistyped the umount command the first time around.
Is your IMEI still intact?
Did you reboot the phone since your third attempt?
Did you by any chance keep the first perso.txt you cat'ed on your first attempt?
The suggestion below is at best a shot in the dark and could very well worsen the situation. With that out of the way...
If your IMEI is still intact, you could try booting in CWM, mounting /efs as rewritable, and upload the attached perso.txt, unmount efs and reboot. The file is simply my own perso.txt, from an unlocked 5660M, with your unlock code put in place of mine in a Unix line-ending aware editor. (Another, albeit riskier possibility would be to mount rewritable in the main OS and cat the file into place, then unmount and reboot.)
Good luck,
Darkshado
Thank you, Darkshado, for answering my questions.
Yes the IMEI is still intact. What is weird is that now CP is off and network lock is on after I don't know which operation - I thought it should be due to the factory reset, but after factory reset, the status was still CP [ON] and network lock [OFF]. The I did reroot. The phone was rebooted many times after each attempt, and I only input unlock code once so I still have another two chances.
No I didn't make a copy of the original perso.txt as I almost knew nothing when I first tried.
About unmount mistake, is it so severe if there is a typo? My thought was that mounting and unmounting just control access to the file. When we mount a file, we get access to the file. If we forget to unmount it, it leave a hole for others to access. Is my understanding right? If yes, the typo in unmount command for the first method should not be a big deal as I rebooted the phone after an probably unsuccessful unmount.
As to the perso.txt, what I guess is that the file perso.txt contains all the unlock codes and when we input unlock code from the screen, the system will compare the input code with the code in perso.txt. If they are the same, unlock succeeds, which is similar to using password when we login anywhere. Am I right?
I actually think that uploading your perso.txt mught be a solution. But before doing that, I think it is better to compare your perso.txt with another perso.txt from another phone to see whether the difference is only the unlock code. If yes, the solution will succeed. However, if the perso.txt files from different phones are quite different -like the location of the unlock code and other data that is not 00 or FF, there is a good chance that it's very risky. Do you have another perso.txt available? Or anybody in the forum has a perso.txt available to compare?
My other question is how useful is this perso.txt. If I delete it totally by chance and ask people to unlock the phone from hardware, will the system still operate normally?
I'm going to try to factory reset the phone and reroot again - My PC is in repair and I'll try after I get my PC back - to see whether perso.txt could be restored. Do you have bml5.img in your phone? I don't know why I don't have it on my phone. But from the forum, it looks like that the bml5.img is very similar to perso.txt, only 00 becomes FF or vice verse.
Thanks again for your help.
SPnewb said:
Thank you, Darkshado, for answering my questions.
Yes the IMEI is still intact. What is weird is that now CP is off and network lock is on after I don't know which operation - I thought it should be due to the factory reset, but after factory reset, the status was still CP [ON] and network lock [OFF]. The I did reroot. The phone was rebooted many times after each attempt, and I only input unlock code once so I still have another two chances.
Click to expand...
Click to collapse
That is very strange. What, if any, SIMs did you have in the phone when attempting the unlock at the different stages? Was the Fido SIM in at any time before trying to get an unlock code prompt?
As far as I know, the factory reset operation, at least when triggered from recovery, only wipes the /data and /cache partitions. Is anything done to NV items? I don't have any data to tell.
About unmount mistake, is it so severe if there is a typo? My thought was that mounting and unmounting just control access to the file. When we mount a file, we get access to the file. If we forget to unmount it, it leave a hole for others to access. Is my understanding right? If yes, the typo in unmount command for the first method should not be a big deal as I rebooted the phone after an probably unsuccessful unmount.
As to the perso.txt, what I guess is that the file perso.txt contains all the unlock codes and when we input unlock code from the screen, the system will compare the input code with the code in perso.txt. If they are the same, unlock succeeds, which is similar to using password when we login anywhere. Am I right?
Click to expand...
Click to collapse
Your understanding about mounting and unmounting is correct, but I am not certain that perso.txt is actually used by the phone to check the unlock code. It may also be written there for some other reasons...
The problem with our phones is that corruption has occurred by merely reading the stl5 partition the wrong way.
I actually think that uploading your perso.txt mught be a solution. But before doing that, I think it is better to compare your perso.txt with another perso.txt from another phone to see whether the difference is only the unlock code. If yes, the solution will succeed. However, if the perso.txt files from different phones are quite different -like the location of the unlock code and other data that is not 00 or FF, there is a good chance that it's very risky. Do you have another perso.txt available? Or anybody in the forum has a perso.txt available to compare?
My other question is how useful is this perso.txt. If I delete it totally by chance and ask people to unlock the phone from hardware, will the system still operate normally?
Click to expand...
Click to collapse
The idea of comparing some perso.txt files is good, but so far all the perso.txt files I've seen uploaded came from the Euro/Asia 5660 Gio, so we'd need files from a 5660M. They did look almost identical to mine though, with essentially a Bell network identifier at the beginning that wasn't present at all in theirs. One person with a 5660 also posted a before/after set, and the file does change a little after the unlock.
I've been reluctant to try too many things on my EFS partition, like deleting perso.txt to see how the phone reacts, for fear of bricking it.
I'm going to try to factory reset the phone and reroot again - My PC is in repair and I'll try after I get my PC back - to see whether perso.txt could be restored. Do you have bml5.img in your phone? I don't know why I don't have it on my phone. But from the forum, it looks like that the bml5.img is very similar to perso.txt, only 00 becomes FF or vice verse.
Thanks again for your help.
Click to expand...
Click to collapse
There are two "levels" you can access the partitions on the phone. stl is a higher level access, with which you can get correct RFS partitions for instance, while bml is a lower, block-level access. perso.txt is simply a file contained in stl5, also known as the /efs partition. You can read its contents in a round-about way via bml, but you wouldn't want to flash an /efs, /system/ or /data partition through bml.
Unlike reading stl5, reading bml5 has not caused anyone bricking so far. bml5 is sufficient to get the unlock code as well.
Good luck,
Darkshado
Hi Darkshado,
Thank you very much for your help.
Darkshado said:
That is very strange. What, if any, SIMs did you have in the phone when attempting the unlock at the different stages? Was the Fido SIM in at any time before trying to get an unlock code prompt?
Click to expand...
Click to collapse
The phone was locked to Bell, and my SIM card is from FIDO. I also got a Rogers SIM card for testing. When I rooted and generated teh code, I didn't have any SIM card in the phone. When I inserted Fido card after teh first attempt, I got the message " Phone is SIM Coperated locked" [i.e. when CP lock is On and other locks OFF], but I could still use the other functions of the phone. When the CP lock is OFF and Network lock is ON, I could not use the phoen at all because teh screen asked to input unlock code. If no input orcode is wrong, I cannot use the phone at all. Without SIM card, I could still use other functions of the phone.
As far as I know, the factory reset operation, at least when triggered from recovery, only wipes the /data and /cache partitions. Is anything done to NV items? I don't have any data to tell.
Click to expand...
Click to collapse
What is NV items? Can you tell me how I can tell where to see NV items?
Your understanding about mounting and unmounting is correct, but I am not certain that perso.txt is actually used by the phone to check the unlock code. It may also be written there for some other reasons...
Click to expand...
Click to collapse
I was wondering whether the perso.txt is like config file?
The problem with our phones is that corruption has occurred by merely reading the stl5 partition the wrong way.
Click to expand...
Click to collapse
perso.txt is simply a file contained in stl5, also known as the /efs partition. You can read its contents in a round-about way via bml, but you wouldn't want to flash an /efs, /system/ or /data partition through bml.
Click to expand...
Click to collapse
I cannot think of where I read the partition wriong other than I might hav etyped the wrong unmount for the first time followed by a reboot. I actually thinking of falshing the phone, but for the moment I have not read anything about flash yet and have no idea where to find the proper version of files to falsh.
When I pull the perso.txt to PC, I seemed to use the following method (my PC is still in repair so I cannot verify ):
-Type: adb shell
-Now in adb shell
-Type: su
- allow root privileges to the adb shell.
-Type : mount -o remount rw /
-Type: mkdir /efs
-Type: mount -o nosuid,ro,nodev -t vfat /dev/block/stl5 /efs
-Type: exit twice to exit shell
-Type: adb pull /efs/mits/perso.txt
-Type: adb shell (to go back to shell)
-Type: umount
Is there any risk with this method?
About perso.txt,
One person with a 5660 also posted a before/after set, and the file does change a little after the unlock.
Click to expand...
Click to collapse
I will try to see whether I could get some perso.txt files from anotehr forum (redflagdeals). Can you tell me where I can find the before/after set?
Thank you again very much.
Cathy
Hello Cathy,
One big piece of advice I can give you is to try and have a basic understanding of whatever command it is you're typing in an ADB shell.
The "cat" command can take one or many standard inputs (we'll stick to files for now) and output them to a standard output; in our case, the screen or another file.
Its one way of copying a file, or simply seeing its contents depending on where you send it.
With multiple files in the input, you're concatenating them before they get output.
I would not try the method in your last post AT ALL. You already have your code, and I see no reason why your current perso.txt would be of any use. It is a configuration file, it has to do with the various locks, but I wouldn't be able to tell you more. The way yours has been "corrupted" (I'm employing the term loosely here) may be the reason you've seen that CP lock appear. It may also have altered your Network unlock code in unforeseen ways.
I don't remember anyone trying to directly adb pull perso.txt from the /efs partition off a live phone. Do this at your own risk.
The problems we've seen occur are in all likelyhood due to interference between the modem firmware and the higher-level Android OS. That's why even normally "harmless" read commands have caused problems.
The dd command, as well as leaving /efs mounted on normal mode phone shutdown are constants in multiple bricking cases on the Gio and other similar Samsung phones like the Galaxy Ace and Mini.
The lower-level bml5 partition has been deemed safe to read with the dd command so far, even from a live phone.
Completely disable the modem firmware, like in recovery mode, and you can access, and even edit, the /efs partition in a relatively safe manner.
Something interesting happened as I began writing this: I don't know how or when this happened, but I somehow had relocked my phone to Bell!
I decided to try the lock status code you posted above and saw "Network Lock: ON" Slipping another SIM (an unactivated Koodo one) in my Gio prompted for the unlock code, which I typed and got a network unlocked message.
I took another look at the perso.txt file I had modified for you and recognized a number near the beginning: 302610 that's the Bell MNC! I rebooted in recovery, mounted /efs and adb pulled perso.txt again (safe because I was in recovery mode). The file has the exact same length, and a few differences visible in Winmerge or a hex editor of your choosing.
I turns out I can relock and unlock my phone as I see fit! I haven't tried, but I wouldn't be surprised if I could even lock my phone to a network other than Bell.
You also asked about NV items: they're phone settings common to all Qualcomm cellular modem based cellphones. GSM and WCDMA antenna power and gain settings, factory test mode, IMEI, there are thousands.
In the case of the Gio, some are accessible off the EFS (stl5) partition in the /nvm/num/ directory. Others, like the IMEI unfortunately, are stored elsewhere in the phone, I don't know where. We can read all the settings by using two leaked Samsung programs, named QPST and QXDM respectively. We can edit some of them, but unless you know exactly what you're doing, this is an easy way to completely mess up a phone.
One last silly question: did you have a MicroSD memory card in the phone when you tried cat'ing bml5 to /sdcard on your second attempt?
Okay. I think there is a way to solve your unusual lock problems, try the following steps:
Get Odin here
Get the latest Odin-flashable Gio ClockworkMod-based recovery available on XDA.
Download the perso_Cathy.txt attached below.
Flash the CWM-based recovery to your phone.
Reboot in recovery mode and connect the phone to your computer.
In Windows Explorer, go to the directory you've saved perso_Cathy.txt, and shift+right-click on the directory. Open command line from here. (Otherwise, open a command line window and cd to that directory.)
adb shell (notice your shell is already # aka root)
mount -o nosuid,rw,nodev -t vfat /dev/block/stl5 /efs (notice we're mounting rewritable this time)
exit (this will take you back to the regular command line)
adb push perso_Cathy.txt /efs/mits/perso.txt (so we're pushing and renaming at the same time)
adb shell umount /efs (I doubt this is *really* necessary, but better safe than sorry. You can send single commands to the shell this way)
adb reboot
The phone should already be unlocked on reboot.
Good luck,
Darkshado
Hi Darkshado,
Thank you for your quick response.
Darkshado said:
One big piece of advice I can give you is to try and have a basic understanding of whatever command it is you're typing in an ADB shell.
Click to expand...
Click to collapse
That's good advice If I read the whole thread of unlocking first before I began unlocking, there might not have been problems. I began to unlock after reading a few postings. I used Linux long time ago, but obviously I could not recall anything now.
I would not try the method in your last post AT ALL. You already have your code, and I see no reason why your current perso.txt would be of any use. It is a configuration file, it has to do with the various locks, but I wouldn't be able to tell you more. The way yours has been "corrupted" (I'm employing the term loosely here) may be the reason you've seen that CP lock appear. It may also have altered your Network unlock code in unforeseen ways.
Click to expand...
Click to collapse
The code I had was got before the corrupted perso.txt. I had a strong feeling that the input unlock code will be compared with the code in perso.txt for unlocking, Otherwise if perso.txt is not useful any more, why when I input the initially generated unlock code, the unlocking is not successful. The CP lock is now OFF after the perso.txt is corrupted, though it is hard to judge whether CP is ON or not before perso.txt is corrupted because I got the unlock first then I saw CP was ON.
I don't remember anyone trying to directly adb pull perso.txt from the /efs partition off a live phone. Do this at your own risk.
Click to expand...
Click to collapse
Can you tell me what command you use to get perso.txt? From the info below it seems that you use the same or similar commands, but in the recovery mode instead of the normal mode, is it right?
I turns out I can relock and unlock my phone as I see fit! I haven't tried, but I wouldn't be surprised if I could even lock my phone to a network other than Bell.
Click to expand...
Click to collapse
By editing perso.txt only?
One last silly question: did you have a MicroSD memory card in the phone when you tried cat'ing bml5 to /sdcard on your second attempt?
Click to expand...
Click to collapse
Yes, since I inserted the MicroSD card into the phone for rooting, I never took it out. But I can hardly imagine this will cause any problem.
I think there is a way to solve your unusual lock problems, try the following steps:
Get Odin here
Get Ingmar Steen's latest Gio ClockworkMod-based recovery here
Download the perso_Cathy.txt attached below.
Flash the CWM-based recovery to your phone.
Reboot in recovery mode and connect the phone to your computer.
In Windows Explorer, go to the directory you've saved perso_Cathy.txt, and shift+right-click on the directory. Open command line from here. (Otherwise, open a command line window and cd to that directory.)
adb shell (notice your shell is already # aka root)
mount -o nosuid,rw,nodev -t vfat /dev/block/stl5 /efs (notice we're mounting rewritable this time)
exit (this will take you back to the regular command line)
adb push perso_Cathy.txt /efs/mits/perso.txt (so we're pushing and renaming at the same time)
adb shell umount /efs (I doubt this is *really* necessary, but better safe than sorry. You can send single commands to the shell this way)
adb reboot
Click to expand...
Click to collapse
After a second thought, I decided not to flash the memory since I have little knowledge about it and the tools you mentioned here. As you suggest, I should know enough before doing it. So now, I was wondering whether it will solve the problem by just push the file perso_Cathy.txt in your above message to /efs/mits/perso.txt in recovery mode. What do you think? Another quesion is that I wish to back up all the files in the operating system before any more action. Can you tell me how to back up?
My PC is back but now I cannot even install androit SDK on the computer, so I have to bring it back for repair. So the next few days I probably would not be able to try anything, but once I try, I'll let you know the rsult.
Thank you very much.
Cathy
SPnewb said:
I had a strong feeling that the input unlock code will be compared with the code in perso.txt for unlocking
Click to expand...
Click to collapse
It most definitely is compared. From what I can tell, perso.txt contains all the SIM-lock information, status and codes.
Can you tell me what command you use to get perso.txt? From the info below it seems that you use the same or similar commands, but in the recovery mode instead of the normal mode, is it right?
Click to expand...
Click to collapse
Exactly. Recovery mode is what makes the whole thing safe. You need a rooted recovery to do it though.
There are two ways to get the actual perso.txt file off the phone: adb pull (directly or by cat'ing the file to the sd card beforehand) or dd'ing the stl5 partition and extracting perso.txt from it.
By editing perso.txt only?
Click to expand...
Click to collapse
Yes.
After a second thought, I decided not to flash the memory since I have little knowledge about it and the tools you mentioned here. As you suggest, I should know enough before doing it. So now, I was wondering whether it will solve the problem by just push the file perso_Cathy.txt in your above message to /efs/mits/perso.txt in recovery mode. What do you think?
Click to expand...
Click to collapse
I'm pretty confident it will solve the problem, otherwise I would not have gone to the trouble of writing these instructions and uploading the file for you.
Another quesion is that I wish to back up all the files in the operating system before any more action. Can you tell me how to back up?
Click to expand...
Click to collapse
Look here.
My PC is back but now I cannot even install androit SDK on the computer, so I have to bring it back for repair. So the next few days I probably would not be able to try anything, but once I try, I'll let you know the rsult.
Click to expand...
Click to collapse
What does the ADK installer say? If its complaining about not finding the JDK when you've already installed it, just it Back, and then Next. It will detect at that time and proceed with the installation. It's a known bug. Also, stick to JDK version 6 for the time being. Version 7 is so recent there might be some incompatibilities...
Thank you very much.
Click to expand...
Click to collapse
You're welcome.
Goodbye,
Darkshado
The phone is bricked now. What I did is: hole the HOme key while pressing the power key, the phone asked me whether to "reboot the system now" or "update from /sdcard" or "wipe /data XXX factory reset" (sth like factory reset) or "wipe /cach", I chose "reboot the system now". after that , connect the phone to the system. What I did in PC is catured in teh following image:
After that, when rebooting the phone, the phone began to falsh "samsung" and it cannot be shut down any more.
It seems that using other people's perso.txt does not work. One reason may be that, as you said, "perso.txt contains all the SIM-lock information, status and codes", other than unlock code, it might also read each individual phone's information, since that hte perso.txt is not mine, the phone cannot find the proper information, which causes phone to do indefinite loop. If that is the case, instead of uploading a new perso.txt, editing my own (even the corrupted) perso.txt and changing the corresponding location into the unlock code might work, as the phoen could start up before. Another reason may be that by editing the perso.txt, the system might detect the action for example like using CRC, and if only perso.txt is edited, system detected inconsistency and will go into indefinite loop. If I were the developer and I am aware that perople crack the phone, I might using another file or check code to protect. In this case, "I turns out I can relock and unlock my phone as I see fit! I haven't tried, but I wouldn't be surprised if I could even lock my phone to a network other than Bell." might not work.
I guess that now even hardware unlock will not work, becaue when the phone start, it will read "perso.txt" and cannot find the right information. The only solution is push my original corrupted perso.txt back to the phone, but the question is how? Can you advise me what I should do now? SInce the phone does not start up at all, can I still flash the memory using Odin?
Thank you very much.
Cathy
Crap. I'm afraid that if your phone is now bootlooping with no access to recovery mode there is little to be done but to get it serviced or replaced.
No one has been able to flash EFS with Odin yet on our phones.
Also, your image attachment explaining what you attempted exactly is missing...
Look at the perso.txt files in a hex editor, there's no CRC or MD5 like thing anywhere in there. Of course it could be placed elsewhere, but it would be a first to have a booby-trapped phone OS...
I'll try locking my phone to another network within the next week for the heck of it.
Goodbye,
Darkshado
It's the format of the image. I changed to a different image format. You should be able to view the image in the first page now. Anyway, I posted it here again:
I'll try locking my phone to another network within the next week for the heck of it.
Click to expand...
Click to collapse
Let me know the result.
Thanks.
Cathy
SPnewb said:
Anyway, I posted it here again:
Click to expand...
Click to collapse
Please tell me: in what mode were you booted when you did the above?
Recovery?
Was the text blue or orange?
It's not normal that you had to use su. Otherwise your commands were correct starting with mount -o remount rw /
Darkshado said:
Please tell me: in what mode were you booted when you did the above?
Recovery?
Was the text blue or orange?
It's not normal that you had to use su. Otherwise your commands were correct starting with mount -o remount rw /
Click to expand...
Click to collapse
I thought that I booted in recovery mode since when I turned on the phone, I held Home key then press the power key, but when the phone start up there were only 4 or 5 choices in the recovery menu and except the one "reboot the system now", there were no other choices about reboot. I suspected that to choose "reboot the system now" will cause startup in normal mode. How do you start up the phone in recover mode?
I cannot recall teh color of the text, but I never see any orange text since I had the phone.
Thank you very much for your help. I'm going to get another Gio to unlock.
This works fine on my phone. If it doesn't work on yours, standard disclaimer applies about bricking, phone exploding, etc... that's all on you.
The problem has been that regardless of patches and regardless of methods to make the stock 8.1 data partition readable from TWRP, my phone won't do it. So as follows is how I've backup up and restored as an alternative. I don't know if this works well on Windows (Probably not) or MacOS (More likely it will), so its only tested on Linux.
Install adb on the computer
On the running phone, enable usb debugging.
Connect to the phone, allow the computer to access it.
Get a shell
Code:
adb shell
Enter as follows to find the block device where data is mounted
Code:
mount | grep /data | grep block
My output was this
Code:
/dev/block/mmcblk0p24 on /data type ext4 (rw,seclabel,nosuid,nodev,noatime,discard,journal_checksum,journal_async_commit,noauto_da_alloc,errors=panic,data=ordered
The first part, "/dev/block/mmcblk0p24" is what I was interested in. You can see it's mounted at /data
You're in fact looking for this specifically at the beginning "/dev/block/mmcblk0p24 on /data"
If you're confused or you have multiple mount-points or what not, or you don't understand, Stop Now, you're about to screw things up.
Copy the first part of what you have here, in my case "/dev/block/mmcblk0p24" (don't use quotes though)
Reboot into TWRP.
Make sure /data is not mounted in the TWRP menu. If it is, then no need to do this as you can back it up directly from TWRP anyway, and you don't nee this.
Backup will make an image of the entire partition, so it will be big. As follows to backup, change the /dev/block/xxxxxxx to what yours is, if it is differant. Replace xxxxxxx with what your output was, mine was mmcblk0p24 (this needs to be input correctly for backup and restore, this here is where you can screw your phone up)
Code:
adb shell 'dd if=/dev/block/xxxxxxx' > DataBackupName.img
(Above, you DO use the single quotes)
DataBackupName.img can be named whatever you want to call it.
This takes a long time, my phone writes 12 gigs or so.
The above command should exit telling you how much data was written. You don't want to have an incomplete backup because the usb cable wasn't great or the process spit the dummy for some reason.
To restore, cross your fingers (works fine on my PC)
Also from TWRP and also making sure data is not mounted:
Code:
adb push DataBackupName.img /dev/block/xxxxxxx
You need to have the correct text to replace the xxxxxx. Screwing this up is very high risk of bricking your phone.
Okay all that said, my assumption is that the initial dump won't work on Windows as it needs to direct the output to a file and I have a hunch that the syntax above for directing the output might be done differently. If someone knows how to do the backup on Windows, or can clarify if it works or not as is (after testing) I imagine that would be helpful for Windows users. Feedback in general is good for others, solutions to problems are great.
Additionally, when I was looking for this solution, the answers were a bit old and had to be mildly adapted, but there was a complaint back then that adb couldn't handle the restore. That hasn't been the case for me. A more recent adb binary might fix this if you happen to have this sort of problem.
A benefit of this method, is that if your system can mount an ext4 volume, you can also mount the image, so if you only want one file from a previous backup, or you want to remove a file from the image, or add one, that's all possible... with Linux (Linux geeks know who they are). Note that the image also contains the contents of what gets mounted at /storage/emulated/0
You can compress the image file when its done to reduce the size.
Hi guys!!!
I have a rooted first generation Pixel running stock Android 10. I would like to take a physical image of the device using ADB.
If I command "mount" in ADB shell, I get for example the following line:
/dev/block/sda35 on /data type ext4
If I image /dev/block/sda35 with dd and netcat, I get an image but the file based encryption comes in the way and the files are useless.
So if I would like to take a clear text (physical) image of this device, what should I image? Or maybe the other way of asking this is, what is the best image I can expect through ADB with root privileges?
Thanks!!!
Any particular reason you don't want to backup through TWRP?
The main reason is that I am interested to know how this is done manually through ADB.
I am also interested how the file based encryption works and what kind of information I can get out from the device with a best possible image.
So for me this is only an experiment, I dont have any valuable data on the device
dd allows you to get a bit-perfect copy of the partition. You are seeing the contents exactly as they are. For Android to view the actual files (well, those that are encrypted, not necessarily everything is encrypted with FBE) it has to decrypt them, which requires the key. Additionally, as you can have multiple users on a device, each of the user's files have a separate key.
In the old days of encrypted partitions, there was a metadata partition or similar that you could get the key from. Under FBE, I'm not sure how to do it, but the principle would be similar. So the only way to get a clear text copy of the files using dd is to decrypt.
Do have any knowledge how Android does this decryption in practise?
When I imaged /dev/block/sda, which should be the ”raw” memory device, my phone was open (passcode was entered to gain access to the phone) and the device remained in this state through the imaging.
Still this raw device is FBE, as I would expect actually. So Android does the decryption somehow to the mounted partition, but I dont know how.
Actually I can see that my root directory / comes from a device /dev/root, but in ADB shell I cannot find this device.
Maybe the next thing I will try is to use ADB when my phone is booted to TWRP and TWRP does the decryption...
In any case, Thanks for your answer!
I don't know the details, but one key point about decrypting is that it does not change the actual content on disk. Think of decrypting as a translation service. There is something on disk you want to read, so the translator turns it into the plain text view. Similarly if you want to store some data, the translation service converts it into the encrypted view to be stored on disk. This is all done as the files are requested, and is transparent to any app. (Otherwise if you decrypted the disk and 'pulled the plug', you could go in and get the plain text content, which would defeat the purpose of encryption).
So doing this in TWRP won't make any difference.