need help to unlock P6200 to use other sim cards - Samsung Galaxy Tab Plus

after doing a little research on the web why it's asking for sim network unlock pin, found out it's because my device is locked with a certain carrier/provider. i made sure it was already unlocked when i got it, i was even able to use it for about a week. however, for some reason it got locked again and got that message. i'm sure i didn't make any changes because this is my first time to have a samsung tab, that's when i tried to do more research about it and i know there's a way to do it but i guess i need a more detailed guide, please help... thanks!

This program finds the SIM unlock code for your Samsung Galaxy p6200 device. It requires root / superuser.
Simply install the application, hit the "SIM unlock code" button, wait a few minutes, and it should come up with the code. It can indeed take a while, so plug your phone in the charger before running, and go make yourself a cup of coffee.
Write down the code, turn off your device, insert a SIM that doesn't match your SIM lock, turn the device on again, and enter the code when the device asks for it.
If the code does not work, do NOT try it again. You might end up with a freeze. The app can also find the unfreeze code, but if the SIM unlock code was wrong in the first place, maybe so is the unfreeze code.
Download free sim unlock for galaxy p6200 here: http://www.mobyware.net/get-software-65666.html
Another method:
Step 1. - Retrieve nv_data.bin file
use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands
Code:
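su
# use > (not >>) so a re-run overwrites the copy instead of appending to it
cat /efs/nv_data.bin > /sdcard/nv_data.bin
cat /efs/.nv_state > /sdcard/.nv_state
# full copy of the /efs folder as a backup
busybox cp -r /efs /sdcard/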
Step 2. - Edit nv_data.bin file
mount the internal SD Card on your computer
make a backup copy of the nv_data.bin file on your computer
using your favorite HEX editor open the nv_data.bin on the sdcard
jump to address 0x181468
you should see a string like this
ff 01 00 00 00 00
there are 5 different types of locks in 5 different bytes
the FF byte should be left alone
the first byte after the FF is the network lock
the next byte is the network subset lock
the next byte is the sp lock
the next byte is the cp lock
the last byte appears to be a data lock.
the 46 46 should be left alone
Change any 0x01 to 0x00 (or 0x00 to 0x01 to lock for warranty)
It should read ff 00 00 00 00 00 46 46 for unlocked
save and close file
unmount SD Card
Step 3. - Replace nv_data.bin file
I want to say it again so no one misses it MAKE SURE YOU HAVE A BACKUP OF YOUR /efs/ FOLDER BEFORE YOU CONTINUE!!!!!
use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands
Code:
su
rm /efs/nv_*
rm /efs/.nv_*
cat /sdcard/nv_data.bin >> /efs/nv_data.bin
cat /sdcard/.nv_state >> /efs/.nv_state
chmod 755 /efs/nv_data.bin
chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
chmod 755 /efs/.nv_state
chown radio.radio /efs/.nv_state || chown 1001.1001 /efs/.nv_state
reboot
your tab is now unlocked... enjoy
Just make sure you back up your entire /efs folder (save it on your computer and your tablet) before making any change.
I believe you can refer to this one on the 10.1 tab forum: http://forum.xda-developers.com/showthread.php?t=1336659&highlight=t-mobile+unlock

Can anyone confirm that this solution works? I'm reluctant to try without a guarantee
Sent from my HTC Desire S using xda app-developers app

@devid801
Ok, so I've opened the nv_data.bin file in hex editor and found the following at address 00181468: ff 01 00 00 00 00 44 4b. As you can see, the 46 46 is not there, instead there is 44 4b. Is this significant? Do I have to replace with 46 46 or should I leave it alone? Could this mean that this solution does not apply in my case and I risk breaking my device if I use it? Please advise.
Edit: I ignored the 44 4b bytes there and just changed the 01 to 00 and it worked, I am now network unlocked. Thanks for posting the solution

Changing to a non-english keyboard layout [cupcake support]

I WILL NOT TAKE ANY RESPONSIBILITY FOR WHAT HAPPENS TO YOUR PHONE. THIS IS AT YOUR OWN RISK. THIS IS ONLY TRIED ON VERSION 1.1, 1.5 AND 1.6 ON THE DEVELOPER PHONE.
I was fed up with having to hold a and o for my swedish chars, so couple of hours ago I decided to create a swedish layout, and here's how you can do it too. You need an unlocked android phone, such as the Dev1. I will also assume that you have and know how to use the SDK. Connect your phone to your computer and run:
Code:
adb shell
In the shell run getprop and find hw.keyboards.0.devname. This for me is trout-keypad-v3. If it's the same for you, do the following, otherwise change accordingly.
Code:
adb pull /system/usr/keychars/trout-keypad-v3.kcm.bin Desktop/
You now have a copy of the keychar-binary on your desktop, make sure to back it up. Open it in a binary editor, and you will find a file coded with an intro followed by lots of data coded as below (not documented, therefore not guaranteed, but I feel pretty certain it's right, dots are 0x00):
..char.numberchar.smallchar.bigchar.smallspecial.bigspecial.(keycode+1).
For example, my A looked like:
..A.2.a.A.a.A.?.
What I want it to look like is:
..A.2.a.A.å.Å.?.
If your hex-editor allows that then congrats to you, mine didn't. What I had to do was to use an ascii-table (http://www.ascii-code.com/) and use the hex code.
00 00 41 00 32 00 61 00 41 00 61 00 41 00 1E 00
...should therefore be...
00 00 41 00 32 00 61 00 41 00 E5 00 C5 00 1E 00
I now have å and Å on my a-button. The next button for me, Z, could be done using the exact same tactic. The fun part came with X. Notice the coding:
00 00 58 00 39 00 78 00 58 00 78 00 00 EF 35 00
The problem here is EF, which is there to make sure that there is not a ... in the middle of the char-code. What we do here is therefore to change the EF to 00 when we change the 00 before it. The result would therefore be:
00 00 58 00 39 00 78 00 58 00 F6 00 D6 00 35 00
Now let's save the file. We can send it to the device with the following code. THIS WILL REPLACE YOUR CURRENT LAYOUT.
Code:
adb root
adb remount
adb push trout-keypad-v3.kcm.bin /system/usr/keychars/
For security reasons I would recommend you to always reboot your phone after running adb remount, since this will leave your /system more vulnerable than usual.
Now we can restart the phone, and hopefully it will have a new working layout. If the layout is totally different from yours (for example alt+a is #) that means the encoding of the new file is wrong, and another layout is used. If this happens I recommend you start from the beginning, it doesn't take much time, and small errors can be avoided. You can do as above to reset your old layout:
Code:
adb root
adb remount
adb push trout-keypad-v3.kcm.bin.backup /system/usr/keychars/trout-keypad-v3.kcm.bin
My working swedish layout is attached. alt+a => å, alt+z => ä, alt+x => ö.
Hope you will appreciate this as much as I do.
Thanks to Joushou for all the help in #android.
Thank you! this is fantastic. I just have to figure out how this would work with asian fonts
Thanks maybe everybody can put the different layout in this thread.
In France we have azerty layout.
Great thanks!
Would be interesting to be able to SWITCH layouts.
I salute you sir for this easy guide!! Though using notepad ++ i didn't even use hex view! but just chose to see through the null null crap on the screen!! Total matrix experience! But i definitely vote to get this a sticky for easy goofing with keyboard layouts!
Works great on Haykuro 1.5, changed a to ä and z to ö. Writing finnish on a mobile phone has never been so easy
Thank you very much!
Now that would be fun to do the same but by modifying the on-screen keyboard
Just modified the keypad for qwertz to work with haykuro 6hr1.
Download is in the attachment!
Text version of QWERTZ kcm
Hello-
Does any one have the text version of qwertz.kcm.bin?
Thanks.
Hey,
If I've changed that layout will that effect the virtual keyboard layout in 1.5.
If it's not, how can I change the layout for the virtual keyboard.
regards
Nice to see that this is appreciated.
Hamdan919 said:
Hey,
If I've changed that layout will that effect the virtual keyboard layout in 1.5.
If it's not, how can I change the layout for the virtual keyboard.
regards
No, it will not. To change the virtual layout you have to program a new layout, or wait for someone else to do it. There are alternative virtual keyboards to download from the market. Make sure that the virtual keyboard does not have internet privileges though, since the virtual keyboard can listen to every single key you push, even on the hardware keyboard. This means that the virtual keyboard can modify the hardware keyboard though, but I haven't seen that except for a bug in a layout.
I don't mind programming the french layout, can you tell me where to find the default qwerty keyboard to alter for the VK?
Right now I have the french layout for the physical keyboard and just miss the VK on my jf1.51 build.
Regards
DJ_Spray said:
I don't mind programming the french layout, can you tell me where to find the default qwerty keyboard to alter for the VK?
Right now I have the french layout for the physical keyboard and just miss the VK on my jf1.51 build.
Regards
http://android.git.kernel.org/?p=platform/packages/inputmethods/LatinIME.git;a=summary
Sry for refreshing such an old Thread but i want to ask something.
Is there any way to do this, without adb?
Rey-619 said:
Sry for refreshing such an old Thread but i want to ask something.
Is there any way to do this, without adb?
As long as you have root. Get into your phone, write:
Code:
dd if=/system/usr/keychars/trout-keypad-v3.kcm.bin of=/sdcard/keypad
Now you can get the file off your sdcard, and do back it up. When you are ready just put it back. Before you can put it back you will have to remount your /system mount with write access. Run mount and look what is before /system. In my case the line looks like:
/dev/block/mtdblock3 /system yaffs2 ro 0 0
In my case I would therefore write:
Code:
su
mount -o rw,remount /dev/block/mtdblock3 /system
dd if=/sdcard/keypad of=/system/usr/keychars/trout-keypad-v3.kcm.bin
This should work as well as the adb method described in original post.
dd if=/system/usr/keychars/trout-keypad-v3.kcm.bin of=/sdcard/keypad
-> /keypad: canot open for write: Read-only file system
I have root.
Have i type this in terminal commander? right? or in Bootloader?
Rey-619 said:
dd if=/system/usr/keychars/trout-keypad-v3.kcm.bin of=/sdcard/keypad
-> /keypad: canot open for write: Read-only file system
I have root.
Have i type this in terminal commander? right? ore in Bootloader?
You are supposed to put it into a terminal. You do have a sdcard, right? Is it mounted to the computer when you try to run the command? If it is, then unmount it and try again.
i tried both ^^
damn i need the german keyboard layout xD
Rey-619 said:
i tryed both ^^
damn i need the german keyboard layout xD
Could you give me the output of mount that includes /sdcard as second argument?
mhm.... xD
Code:
$ mount
rootfs /dev tmpfs rw,mode=755 0 0
devpts /dev/pts devpts rw,mode=600 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
tmpfs /sqlite_smt_journals tmpfs rw=,size=4096k 0 0
/dev/block/mtdblock3 /system yaffs2 ro 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosiud,nodev 0 0
/dev/block/mtdblock4 /cache yaffs2 rw,nosuid,nodev 0 0
/dev/block/mmcblk0p2 /system/sd ext3 rw,noatime,nodiratime,errors=continue,data=ordered 0 0
/dev/block//vold/179:1 /sdcard vflat rw,dirsync,nosuid,nodev noexec,uid=100,gid=1000,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8 0 0
#

unlock vibrant, stuck :S

ok so i followed ALL the steps in this
-thread http://forum.cyanogenmod.com/topic/4999-howto-sim-unlock-your-vibrant-galaxy-s/
I created a bml3.bak, and copied it into my c:/, downloaded sgux.exe also put it in my c:/. however when i open cmd and type, "c:\sgux.exe bml3.bak" It says
Searching code block...
found...
searching codes..
then it returns to normal state, where the code?!
i even tried it with a backup of my nv_data.bin, but i get the same results
no help on this one? , I could pm you a link to my nv_data.bin, and bml3.bak and would also donate if you help me find the code.! =(
I have the same issue!
HEX editing of nv_data.bin helped!! No sim lock anymore
mount the internal SD Card on your computer
make a backup copy of the nv_data.bin file on your computer
using your favorite HEX editor open the nv_data.bin on the sdcard
jump to address 0x181468
you should see a string like this
ff 01 00 00 00 00 46 46
there are 5 different types of locks in 5 different bytes
the FF byte should be left alone
the first byte after the FF is the network lock
the next byte is the network subset lock
the next byte is the sp lock
the next byte is the cp lock
the last byte appears to be a data lock.
the 46 46 should be left alone
Change any 0x01 to 0x00 (or 0x00 to 0x01 to lock for warranty)
save and close file
unmount SD Card

[Hack] Root Phones ("exploit needless" method)

How I root any ROM on (almost?) any Android Phone
My Phone simply needs to fulfill one requirement:
I MUST be able to flash the recovery.img standalone!
Chapter One: unpack, edit and repack recovery.img
I will use these Linux programs:
split bootimg (Thanks to William Enck)
mkbootimg (compiled from AOSP source)
...the former splits the recovery.img into kernel and ramdisk...
...the latter repack all together...
...For example I'll try these commands on a clockworkmod recovery from an HTC desire (I download 5.0.2.0-bravo from ClockWorkMod)...
Linux Side:
Code:
[email protected] $ split_bootimg.pl recovery-clockwork-5.0.2.0-bravo.img
Page size: 2048 (0x00000800)
Kernel size: 1831224 (0x001bf138)
Ramdisk size: 1291948 (0x0013b6ac)
Second size: 0 (0x00000000)
Board name:
Command line: no_console_suspend=1 msmsdcc_sdioirq=1 wire.search_count=5
Writing recovery-clockwork-5.0.2.0-bravo.img-kernel ... complete.
Writing recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz ... complete.
[email protected] $
I write down parameters needed later on:
Page Size = 2048
Command line = 'no_console_suspend=1 msmsdcc_sdioirq=1 wire.search_count=5'
HexEditing Lookout of recovery.img header:
Code:
[email protected] $ hexedit recovery-clockwork-5.0.2.0-bravo.img
00000000 41 4E 44 52 4F 49 44 21 38 F1 1B 00 00 80 00 20 ANDROID!8......
00000010 AC B6 13 00 00 00 00 21 00 00 00 00 00 00 F0 20 .......!.......
00000020 00 01 00 20 00 08 00 00 00 00 00 00 00 00 00 00 ... ............
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 6E 6F 5F 63 6F 6E 73 6F 6C 65 5F 73 75 73 70 65 no_console_suspe
00000050 6E 64 3D 31 20 6D 73 6D 73 64 63 63 5F 73 64 69 nd=1 msmsdcc_sdi
00000060 6F 69 72 71 3D 31 20 77 69 72 65 2E 73 65 61 72 oirq=1 wire.sear
00000070 63 68 5F 63 6F 75 6E 74 3D 35 00 00 00 00 00 00 ch_count=5......
I use the highlighted address (the bytes 00 20 at offset 0x22, highlighted in the original post) ordered as follows:
base = 0x20000000
Now I simply repack all together.. just to check new file vs old one:
Code:
[email protected] $ mkbootimg --kernel recovery-clockwork-5.0.2.0-bravo.img-kernel --ramdisk recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz --base 0x20000000 --pagesize 2048 --cmdline 'no_console_suspend=1 msmsdcc_sdioirq=1 wire.search_count=5' -o recovery_new.img
[email protected] $
[email protected] $ diff recovery-clockwork-5.0.2.0-bravo.img recovery_new.img
[email protected] $
No warnings, binary files don't differ...
Editing ramdisk:
Code:
[email protected] $ mkdir ramdisk
[email protected]ndalf $ cd ramdisk/
[email protected] $ gunzip -c ../recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz | cpio -i
4294 blocks
[email protected] $ ls -l
totale 144
drwxrwx--x 2 doc doc 4096 23 nov 23.56 data
-rw-r--r-- 1 doc doc 2615 23 nov 23.56 default.prop
drwxr-xr-x 2 doc doc 4096 23 nov 23.56 dev
drwxr-xr-x 2 doc doc 4096 23 nov 23.56 etc
-rwxr-x--- 1 doc doc 94372 23 nov 23.56 init
-rwxr-x--- 1 doc doc 691 23 nov 23.56 init.rc
drwxr-xr-x 2 doc doc 4096 23 nov 23.56 proc
drwxr-xr-x 3 doc doc 4096 23 nov 23.56 res
drwxr-x--- 2 doc doc 4096 23 nov 23.56 sbin
drwxr-xr-x 2 doc doc 4096 23 nov 23.56 sys
drwxr-xr-x 3 doc doc 4096 23 nov 23.56 system
drwxr-xr-x 2 doc doc 4096 23 nov 23.56 tmp
-rw-r--r-- 1 doc doc 0 23 nov 23.56 ueventd.goldfish.rc
-rw-r--r-- 1 doc doc 4027 23 nov 23.56 ueventd.rc
[email protected] $
I'm going to modify one line of default.prop from
Code:
...
ro.secure=1
...
to
Code:
...
ro.secure=0
...
WARNING: clockworkmod recoveries could already have ro.secure set to 0
Repack ramdisk:
Code:
[email protected] $ find . | cpio -o -H newc | gzip > ../recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz
4295 blocks
[email protected] $ cd ..
[email protected] $
Repack recovery.img (as shown before):
Code:
[email protected] $ mkbootimg --kernel recovery-clockwork-5.0.2.0-bravo.img-kernel --ramdisk recovery-clockwork-5.0.2.0-bravo.img-ramdisk.gz --base 0x20000000 --pagesize 2048 --cmdline 'no_console_suspend=1 msmsdcc_sdioirq=1 wire.search_count=5' -o recovery_new.img
[email protected] $
Chapter Two: flash recovery.img to phone
I own a Samsung Galaxy Next, so I need to create an Odin Ready Archive and so on...
Different phone brands need different flash methods, I bet...
Chapter Three: Rooting
I need android sdk and I try android debug bridge...
...on a not rooted phone:
Code:
(i686) [email protected] $ adb shell
$ su
Permission denied
$
...and on a rooted one:
Code:
(i686) [email protected] $ adb shell
$ su
#
Now, starting the phone in recovery mode with ro.secure=0, connecting with "adb shell" I find:
Code:
[email protected] $ adb shell
#
Already a root shell! No exploit needed!
Take a look to /system:
Code:
# mount
...
/dev/block/mmcblk0p3 /system ext4 rw,relatime,barrier=1,data=ordered 0 0
...
WOW! already "read-write" mounted... (if not mounted I can easily remount it "rw"... I'm root!)
Now, having su binary, Superuser.apk and busybox in the linux working directory:
Linux side:
Code:
[email protected] $ adb push su /system/xbin
417 KB/s (22228 bytes in 0.051s)
[email protected] $ adb push su /system/bin
529 KB/s (22228 bytes in 0.041s)
[email protected] $ adb push busybox /system/xbin
5061 KB/s (1674712 bytes in 0.323s)
[email protected] $
Anyway it should be better to make a backup of old su binary before overwriting it (adb pull /system/bin/su su-old)
"adb shell":
Code:
# chown root.shell /system/bin/su
# chmod 06755 /system/bin/su
# chown root.shell /system/xbin/su
# chmod 06755 /system/xbin/su
# chmod 04755 /system/xbin/busybox
#
WARNING: ordered commands
Linux:
Code:
[email protected] $ adb push com.noshufou.android.su-1.apk /system/app/Superuser.apk
5198 KB/s (843503 bytes in 0.158s)
[email protected] $
"adb shell":
Code:
# chmod 644 /system/app/Superuser.apk
#
THAT'S ALL FOLKS!
reboot system now!
...
Code:
[email protected] $ adb shell
$ su
#
Enjoy!
...no exploit needed...
...
...Simply Linux Way of Hacking!...
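The header fields read off the hexedit dump above, plus a check for the ro.secure=0 setting in a recovery or boot image, as an added example that is not the poster's code: it parses the image header, derives the base address, and reads default.prop out of the gzip/cpio ramdisk. Assumptions: base is taken as kernel_addr minus mkbootimg's default 0x8000 kernel offset, the function names are hypothetical, and build_sample() produces a constructed image.

```python
import gzip
import struct

FIELDS = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr", "second_size",
          "second_addr", "tags_addr", "page_size", "unused0", "unused1")

# The 0x80 header bytes shown in the post's hexedit dump.
PAGE_HEADER = bytes.fromhex(
    "41 4E 44 52 4F 49 44 21 38 F1 1B 00 00 80 00 20 "
    "AC B6 13 00 00 00 00 21 00 00 00 00 00 00 F0 20 "
    "00 01 00 20 00 08 00 00 00 00 00 00 00 00 00 00"
) + bytes(16) + b"no_console_suspend=1 msmsdcc_sdioirq=1 wire.search_count=5" + bytes(6)


def parse_header(img):
    """Decode the fixed part of an Android boot/recovery image header."""
    if len(img) < 0x30 or img[:8] != b"ANDROID!":
        raise ValueError("not an Android boot image")
    hdr = dict(zip(FIELDS, struct.unpack_from("<10I", img, 8)))
    if hdr["page_size"] == 0:
        raise ValueError("page size of 0 in header")
    hdr["cmdline"] = img[0x40:0x240].split(b"\0", 1)[0].decode("ascii", "replace")
    hdr["base"] = hdr["kernel_addr"] - 0x8000  # assumption: mkbootimg default kernel offset
    return hdr


def cpio_files(archive):
    """Yield (name, data) for each entry of a 'newc' cpio archive."""
    pos = 0
    while pos + 110 <= len(archive):
        if archive[pos:pos + 6] != b"070701":
            raise ValueError("bad cpio magic at offset %d" % pos)
        filesize = int(archive[pos + 54:pos + 62], 16)
        namesize = int(archive[pos + 94:pos + 102], 16)
        name = archive[pos + 110:pos + 110 + namesize - 1].decode("utf-8", "replace")
        data_at = (pos + 110 + namesize + 3) & ~3   # header + name padded to 4 bytes
        if name == "TRAILER!!!":
            return
        yield name, archive[data_at:data_at + filesize]
        pos = (data_at + filesize + 3) & ~3          # file data padded to 4 bytes


def audit_image(img):
    """Report the base address and ro.secure value of an image's ramdisk."""
    hdr = parse_header(img)
    page = hdr["page_size"]
    ramdisk_at = page * (1 + -(-hdr["kernel_size"] // page))  # header page + kernel pages
    ramdisk = gzip.decompress(img[ramdisk_at:ramdisk_at + hdr["ramdisk_size"]])
    props = {}
    for name, data in cpio_files(ramdisk):
        if name in ("default.prop", "./default.prop"):
            for line in data.decode("utf-8", "replace").splitlines():
                if "=" in line and not line.lstrip().startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
    secure = props.get("ro.secure")
    return {"base": hdr["base"], "ro.secure": secure, "adb_root_shell": secure == "0"}


def build_sample(ro_secure):
    """Constructed image for the demo: dummy kernel and a one-file ramdisk."""
    def entry(name, data):
        n = name.encode() + b"\0"
        fields = (0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0)
        head = b"070701" + b"".join(b"%08X" % v for v in fields) + n
        head += b"\0" * (-len(head) % 4)
        return head + data + b"\0" * (-len(data) % 4)

    page = 2048
    prop = b"# constructed sample\nro.secure=%d\n" % ro_secure
    ramdisk = gzip.compress(entry("default.prop", prop) + entry("TRAILER!!!", b""))
    kernel = b"\0" * 3000
    header = struct.pack("<8s10I", b"ANDROID!", len(kernel), 0x20008000, len(ramdisk),
                         0x21000000, 0, 0x20F00000, 0x20000100, page, 0, 0)
    pad = lambda blob: blob + b"\0" * (-len(blob) % page)
    return pad(header) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    print(hex(parse_header(PAGE_HEADER)["base"]))
    print(audit_image(build_sample(0)))
    print(audit_image(build_sample(1)))
```

As the replies further down show, some builds still give a normal user shell with ro.secure=0, so the flag is an indicator to review rather than proof of a root shell.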
Doc,
I dont get any command line: ...
in stock recovery/boot image.
can i just edit the default.prop of stock recovery img and flash it as PDA? or one package?
also does this not work when done to the boot.img?
roofrider said:
...I dont get any command line: ...
in stock recovery/boot image.
Command Line is optional, and usually - for example - you don't get anyone on Samsung Galaxy Phone... for the HTC used in the example, instead, there was one, needed to tune the boot parameters on runtime...
can i just edit the default.prop of stock recovery img and flash it as PDA? or one package?
Surely you can! This Thread is exactly what you said: "change one file in stock recovery image"... all the rest is explanation on how I did it...
also does this not work when done to the boot.img?
Loud and Clear! Boot works in the same way but I prefer not to unsecure the system too much... cause any app could gain root privileges without asking for whenever she wants...
...whilst I'm the only one who decide to enter Recovery Mode...
Hi.
Even I can read on /tmp/recovery.log:
Code:
[property list]
ro.secure=0
ro.allow.mock.location=0
I get a normal user prompt on adb shell when phone is recovery boot.
So I guess I need some more tuning for make this work on a Samsung Galaxy Mini.
Thanks anyway. I've learnt how to build images with this post :good:
Galaxi Mini too!
XiR_ said:
Hi.
Even I can read on /tmp/recovery.log:
Code:
[property list]
ro.secure=0
ro.allow.mock.location=0
I get a normal user prompt on adb shell when phone is recovery boot.
So I guess I need some more tunning for make this work on a Samsung Galaxy Mini.
Thanks anyway. I've learnt how to build images with this post :good:
I own a Galaxy Mini too and I just get the same issue while testing Gingerbread 2.3.6 S5570XWKTN; my previous release was S5570XIKQC (2.3.4) where I got easy superuser rights on connection...
Maybe there is something more to check for...
Actually I have two simple workarounds to root, anyway, the working system as explained above:
I flash an old Recovery (2.3.4)! no real need to bump to 2.3.6 other than "on working system" (here there is my one: CODE_S5570XIKQC_recovery.tar.md5)
I flash (my current option) a CWM based recovery (here there is my one, freshly compiled from Mebitek Cyanogen 7.2 Unofficial Source: CODE_S5570CYANO_recovery.tar.md5 - CWM 5.0.2.8)
2.3.6 XWKTN
Testing Gb 2.3.6 XWKTN I got another unusual issue (unconfirmed on the network...):
After root, when I power on the phone I get the binaries
/system/xbin/su
/system/xbin/busybox
always deleted...
I workarounded it modifying the boot image:
I changed permissions of
/sbin
folder
Code:
# ls -l /
...
drwxr-xr-x 2 root root 0 Jan 1 1970 sbin
...
to give every user "exec rights" on it, then I put there both binaries!
Eh eh... I know that the system PATH first look there for commands:
Code:
# set | grep ^PATH
PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
#
Last:
I also put in 2.3.6 recovery /sbin folder the last "su" binary (source from GitHub)...
On execution I get "SegFault", but Root privileges Anyway:
Code:
$ su
Segmentation Fault
#
...amazing...

[Resolved] Amendments to Samsung Galaxy S SIM Unlocking Procedures

Folks,
I was trying to SIM unlock my Galaxy S I9000 using this thread: http://forum.xda-developers.com/showthread.php?t=761045 and noticed the following:
Filesystems Mounted Read only: / and /system are mounted ro
Patching nv_data.bin doesn't work: the result once that's done is the phone still being SIM locked
So here's my amended procedure, that worked on my Galaxy S I9000, locked to T-mobile UK:
If your phone is not rooted, then follow any of the methods listed in this link to root your phone first, before going any further. I will post a full rooting procedure and integrate it with this post shortly, for convenience and completeness.
Once rooted, enable USB debugging on your phone from the settings menu. Various releases of Brokendroid will have subtle differences on how this is done, but I'm sure you'll find your way. Again, I intend to update this procedure once I finish the rooting article, so the instructions are more complete. Also enable SD Card USB access.
Connect your phone to a USB port on a computer
Assuming you have downloaded, extracted and installed Brokendroid SDK from Google, then there will be a directory under where you extracted the tools that looks something like: sdk/platform-tools. Change to that directory, and issue the following commands:
Code:
$ ./adb shell
[email protected]$ su -
[email protected]# cat /efs/nv_data.bin > /sdcard/nv_data.bin
Once done, copy the nv_data.bin file from your SD card to your machine and make a working copy (e.g. nv_data-working.bin)
Using your favourite hex editor, go to address 0x00180066 and look for the following sequence of bytes:
Code:
00 [HL] [HL] [HL] [HL] [HL] 23
Where the [HL] sequence represents your present network's PLMN code.
Replace all the sequence above with 00; In my case, the PLMN for T-mobile is 23410, so the byte sequence was changed as follows:
Code:
From
00 32 33 34 31 30 23
To
00 00 00 00 00 00 00
Go to address 0x181468
This is a sequence of 8 bytes that starts with FF and ends with 46 46. In my case, this was:
Code:
FF 01 00 00 00 00 46 46
The significance of these bytes is as follows:
FF Start of string - LEAVE ALONE
Network Lock
Network Subset Lock
SP Lock
CP Lock
Data Lock.
46 46 End of string - LEAVE ALONE
You need to change this sequence so that all bytes between the FF and 46 46 are set to 00. I.e.;
Code:
FF 00 00 00 00 00 46 46
Save the resulting file.
Transfer the resulting file to your SD card - I am assuming your new file name is nv_data-working.bin
Issue the following commands, with your phone connected to the computer:
Code:
[email protected]# mount -o rw,remount /
[email protected]# mount -o rw,remount /sys
[email protected]# mount -o rw,remount /system
[email protected]# rm /efs/nv_data.bin
[email protected]# rm /efs/nv_data.bin.md5
[email protected]# cat /sdcard/nv_data-working.bin > /efs/nv_data.bin
[email protected]# chmod 755 /efs/nv_data.bin
[email protected]# chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
reboot
And you are done .. your phone is SIM unlocked :)
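A read-only pre-flight check for the hex-edit procedure in this thread and in the P6200 thread above, added here as an example and not code from either poster: it decodes the lock field at 0x181468 and confirms that an edited copy differs from the backup only inside the fields the posts change. The function names, the sample image and the assumption that the PLMN run starts exactly at 0x00180066 are constructed for illustration.

```python
# Offsets come from the posts; everything else here is constructed for the example.
LOCK_OFFSET = 0x181468   # FF marker, five lock flags, two trailing bytes
PLMN_OFFSET = 0x180066   # assumed start of the 00 <PLMN digits> 23 run (I9000 post)
LOCK_NAMES = ("network", "network subset", "SP", "CP", "data")

# Offsets the two procedures change: the five flags, and the PLMN digits plus the 23.
EXPECTED = set(range(LOCK_OFFSET + 1, LOCK_OFFSET + 6)) | \
           set(range(PLMN_OFFSET + 1, PLMN_OFFSET + 7))


def read_locks(image):
    """Decode the lock field; refuse files that do not match the described layout."""
    field = image[LOCK_OFFSET:LOCK_OFFSET + 8]
    if len(field) < 8:
        raise ValueError("file too short to contain the lock field")
    if field[0] != 0xFF:
        raise ValueError("no FF marker at 0x%X, layout differs" % LOCK_OFFSET)
    flags = {}
    for name, value in zip(LOCK_NAMES, field[1:6]):
        if value not in (0, 1):
            raise ValueError("%s flag is 0x%02X, expected 00 or 01" % (name, value))
        flags[name] = bool(value)
    # The trailer is reported, not validated: one reply found 44 4b instead of 46 46.
    trailer = " ".join("%02x" % b for b in field[6:8])
    return flags, trailer


def unexpected_changes(backup, edited):
    """Offsets that differ between backup and edited copy outside the expected fields."""
    if len(backup) != len(edited):
        raise ValueError("file size changed: the editor inserted or deleted bytes")
    return [i for i in range(len(backup))
            if backup[i] != edited[i] and i not in EXPECTED]


def make_sample(trailer=b"\x46\x46"):
    """Constructed stand-in for nv_data.bin (zero-filled apart from the two fields)."""
    image = bytearray(0x200000)
    image[PLMN_OFFSET:PLMN_OFFSET + 7] = b"\x00" + b"23410" + b"\x23"
    image[LOCK_OFFSET:LOCK_OFFSET + 8] = b"\xff\x01\x00\x00\x00\x00" + trailer
    return bytes(image)


if __name__ == "__main__":
    backup = make_sample()
    edited = bytearray(backup)
    edited[LOCK_OFFSET + 1] = 0            # the single-byte change from the posts
    print(read_locks(backup))
    print(read_locks(bytes(edited)))
    print(unexpected_changes(backup, bytes(edited)))
```

Run it against the backup and the working copy before anything is written back to /efs; a non-empty list or a ValueError means the edited file should not be used.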

[REQUEST]: dump of /persist folder

Hi,
Would someone with a carrier/SIM-unlocked Moto G be able to provide me with a dump of their /persist folder?
I think you'll probably need to be rooted also.
After starting an adb shell, I did this:
cp -r /persist /storage/emulated/legacy/download
and then was able to copy the persist folder from the Download folder onto my PC
What I'm hoping is that the SIM unlock status is stored in a file in the persist folder...
My attempts to unlock via code have been unsuccessful -- I've tried 3 different unlock services but they've all come back unable to find a code for my IMEI.
My phone is a XT1032 that's locked to Telus/Koodo in Canada.
cheers
albert.
Bump. I'm sitting in the same boat as are many other Canadian moto g owners.
Sent from my XT1032 using XDA Premium 4 mobile app
AlbertDude said:
Hi,
Would someone with a carrier/SIM-unlocked Moto G be able to provide me with a dump of their /persist folder?
I think you'll probably need to be rooted also.
After starting an adb shell, I did this:
cp -r /persist /storage/emulated/legacy/download
and then was able to copy the persist folder from the Download folder onto my PC
What I'm hoping is that the SIM unlock status is stored in a file in the persist folder...
My attempts to unlock via code have been unsuccessful -- I've tried 3 different unlock services but they've all come back unable to find a code for my IMEI.
My phone is a XT1032 that's locked to Telus/Koodo in Canada.
cheers
albert.
I have rooted and SIM unlocked Moto G.
I checked /persist and its folders and sub-folders..........
I can find no file or data with date newer than Nov 7, 2013 which are original files as I only SIM Unlocked Dec 5th. and I only acquired phone just days before that!!
So, where in /persist do you think this data resides???
I was hoping that it would be a flag in one of those *nv.bin files. But from their names (".bt_nv.bin" and "WCNSS_qcom_wlan_factory_nv.bin"), it looks like they might be config files for bluetooth and wlan.
If you don't mind doing some digging, I would be interested in knowing if there were any files modified when you SIM unlocked (Dec. 5).
I think these series of steps would work to do so:
adb shell
su
cd /
ls -lR | grep 2013-12-05
Hopefully, you didn't do much else with the phone on Dec. 5...
irishpancake said:
I have rooted and SIM unlocked Moto G.
I checked /persist and it's folders and sub-folders..........
I can find no file or data with date newer than Nov 7, 2013 which are original files as I only SIM Unlocked Dec 5th. and I only acquired phone just days before that!!
So, where in /persist do you think this data resides???
AlbertDude said:
I was hoping that it would be a flag in one of those *nv.bin files. But from their names (".bt_nv.bin" and "WCNSS_qcom_wlan_factory_nv.bin"), it looks like they might be config files for bluetooth and wlan.
If you don't mind doing some digging, I would be interested in knowing if there were any files modified when you SIM unlocked (Dec. 5).
I think these series of steps would work to do so:
adb shell
su
cd /
ls -lR | grep 2013-12-05
Hopefully, you didn't do much else with the phone on Dec. 5...
Hi...sorry, just seen this...
can i get back to you, i don't have the phone here, but as soon as i get home, I'll do that for you, OK??
AlbertDude said:
I was hoping that it would be a flag in one of those *nv.bin files. But from their names (".bt_nv.bin" and "WCNSS_qcom_wlan_factory_nv.bin"), it looks like they might be config files for bluetooth and wlan.
If you don't mind doing some digging, I would be interested in knowing if there were any files modified when you SIM unlocked (Dec. 5).
I think these series of steps would work to do so:
adb shell
su
cd /
ls -lR | grep 2013-12-05
Hopefully, you didn't do much else with the phone on Dec. 5...
see attached file....
but grep o/p shown below???
[email protected]_umts:/ # ls -lR | grep 2013-12-05
drwxr-xr-x mot_pwric mot_pwric 2013-12-05 21:43 batt_health
-rw-r----- mot_pwric mot_pwric 32 2013-12-05 21:43 batt-0123456789abcdef_0
drwxrwx--- system mot_tcmd 2013-12-05 18:35 svcs
-rw-rw---- u0_a0 mot_tcmd 8 2013-12-05 18:35 activation_date
Interesting!
I assume that the "activation_date" file is in the "svcs" folder?
Could you do some more digging to find the full path to this file?
I think you can do a search for that file from adb shell with these commands:
cd /
find -name activation_date
I won't be able to check my phone for this file till late tonight.
cheers.
irishpancake said:
see attached file....
but grep o/p shown below???
AlbertDude said:
Interesting!
I assume that the "activation_date" file is in the "svcs" folder?
Could you do some more digging to find the full path to this file?
I think you can do a search for that file from adb shell with these commands:
cd /
find -name activation_date
I won't be able to check my phone for this file till late tonight.
cheers.
Hi, find is busybox command, so I installed it!!! [using terminal emul]
OK, here is the output: [just bolded and colored the path to activation_date for clarity]
[email protected]_umts:/ $ su
[email protected]_umts:/ # cd /
[email protected]_umts:/ # pwd
/
[email protected]_umts:/ # find -name activation_date
./pds/public/svcs/activation_date
find: ./proc/21679/task/21679/ns/net: No such file or directory
find: ./proc/21679/ns/net: No such file or directory
find: ./proc/22243: No such file or directory
find: ./proc/22421/task/22421/ns/net: No such file or directory
find: ./proc/22421/ns/net: No such file or directory
1|[email protected]_umts:/ #
1|[email protected]_umts:/ #
I have the "activation_date" file also. Mine has a modification date of Dec 06 -- which is when I unlocked the bootloader and rooted the phone.
Its contents (via a hex editor) are:
0000000: 0000 0142 c73e 7789 ...B.>w...
irishpancake: would you be able to share the contents of your version of the file?
thanks!
irishpancake said:
Hi, find is busybox command, so I installed it!!! [using terminal emul]
OK, here is the output: [just bolded and colored the path to activation_date for clarity]
AlbertDude said:
I have the "activation_date" file also. Mine has a modification date of Dec 06 -- which is when I unlocked the bootloader and rooted the phone.
Its contents (via a hex editor) are:
0000000: 0000 0142 c73e 7789 ...B.>w...
irishpancake: would you be able to share the contents of your version of the file?
thanks!
OK, using HxD
Code:
Offset (h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 00 00 01 42 C4 0B 1B 5B ...BÄ..[
Original file Permissions: rw-rw-rw- [0666]
Path: /pds/public/svcs/activation_date
Size: 8.008B
Last modified: Dec 05, 2013 08:35:00 pm
Owner: u0_a0
Group: mot_tcmd
Well,
that was disappointing -- the data is actually a timestamp (which makes sense for a file called "activation_date").
It's the number of milliseconds since the Unix epoch (1970-01-01).
Back to the drawing board...
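The decoding described in the post above, as an added example that is not part of the original thread: it parses the two hex-dump lines posted for `activation_date` and reads the 8 bytes as milliseconds since the Unix epoch. The function names are hypothetical, and the big-endian byte order is an assumption taken from the leading zero bytes in both dumps.

```python
import re
from datetime import datetime, timedelta, timezone

HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]+$")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# The two dump lines posted in the thread (xxd-style and HxD-style).
XXD_LINE = "0000000: 0000 0142 c73e 7789 ...B.>w..."
HXD_LINE = "00000000 00 00 01 42 C4 0B 1B 5B ...BÄ..["


def bytes_from_dump_line(line, want=8):
    """Return the first `want` data bytes of one hex-dump line."""
    data = bytearray()
    for tok in line.split()[1:]:  # first token is the offset column
        if len(data) >= want or len(tok) % 2 or not HEX_TOKEN.match(tok):
            break  # reached the ASCII column or already have enough bytes
        data += bytes.fromhex(tok)
    if len(data) != want:
        raise ValueError(f"expected {want} data bytes, got {len(data)}")
    return bytes(data)


def decode_activation_date(raw):
    """Decode 8 bytes as big-endian milliseconds since the Unix epoch."""
    if len(raw) != 8:
        raise ValueError("activation_date is expected to be 8 bytes")
    ms = int.from_bytes(raw, "big")  # byte order is an assumption (see lead-in)
    return ms, EPOCH + timedelta(milliseconds=ms)


def plausible_epoch_ms(ms, lo_year=2000, hi_year=2100):
    """Triage check: does the value land in a sane date range?"""
    try:
        year = (EPOCH + timedelta(milliseconds=ms)).year
    except OverflowError:
        return False
    return lo_year <= year < hi_year


if __name__ == "__main__":
    for line in (XXD_LINE, HXD_LINE):
        ms, when = decode_activation_date(bytes_from_dump_line(line))
        print(ms, when.isoformat(), plausible_epoch_ms(ms))
```

Both values decode to UTC timestamps on the dates reported for the files (Dec 06 and Dec 05, 2013), while the same bytes read little-endian fail the range check.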
irishpancake said:
OK, using HxD
Code:
Offset (h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 00 00 01 42 C4 0B 1B 5B ...BÄ..[
Original file Permissions: rw-rw-rw- [0666]
Path: /pds/public/svcs/activation_date
Size: 8.008B
Last modified: Dec 05, 2013 08:35:00 pm
Owner: u0_a0
Group: mot_tcmd
AlbertDude said:
Well,
that was disappointing -- the data is actually a timestamp (which makes sense for a file called "activation_date").
It's the number of milliseconds since the Unix epoch (1970-01-01).
Back to the drawing board...
OK, sorry, thanks for the info anyway!!!
It was an interesting exercise for me :good:
If I can do anything else, within my not inconsiderable limits, let me know.....cheers
Thanks for trying. So I'm guessing it's a no-go.
Sent from my XT1032 using XDA Premium 4 mobile app
Koodo is offering the code for $50. What a rip!
Sent from my XT1032 using XDA Premium 4 mobile app
So I SIM-unlocked my Moto G with an unlock code (after trying 4 unlock services) but prior to unlocking, I dumped a bunch of files onto my PC.
I grabbed these same files after unlocking and took a look to see which of these files were changed.
The only thing that I noted that changed after unlocking was in
./proc/config/time.offset
I wasn't actually able to copy the files from ./proc since they were all 0 bytes (see http://www.tldp.org/LDP/Linux-Filesystem-Hierarchy/html/proc.html)
However, I was able to view their contents using 'cat'
The time.offset data changed from:
Tag: Name [time.offset:llong] Size: [8]
Data:
[0x42] [0x71] [0x29] [0xED] [0xFF] [0xFF] [0xFF] [0xFF]
to:
Tag: Name [time.offset:llong] Size: [8]
Data:
[0x41] [0x71] [0x29] [0xED] [0xFF] [0xFF] [0xFF] [0xFF]
So the first byte of the "time.offset" data might be a SIM-lock indication.
Would be interesting to see what other people's phones show for this data.
How exactly do I read /proc/config/time.offset?
"cat /proc/config/time.offset" gives the error that it's a directory.
It's easier to check the values in the folder: /proc/config/all
where you can do a 'cat < new'
However, checking my phone's value today shows:
Tag: Name [time.offset:llong] Size: [8]
Data:
[0x3F] [0x71] [0x29] [0xED] [0xFF] [0xFF] [0xFF] [0xFF]
So it looks like that first byte isn't related to the sim-lock status as its value has changed again.
Also if you go into the /proc/config/time.offset folder you'll see 3 files: ascii, raw, type
'cat < raw' shows:
3F7129EDFFFFFFFF
So back to square one with no clue as to where the SIM-lock status is stored.
lost101 said:
How exactly do I read /proc/config/time.offset?
"cat /proc/config/time.offset" gives the error that it's a directory.
Should I just throw in the towel and sell this phone?
Sent from my XT1032 using XDA Premium 4 mobile app
I bought two Moto Gs and neither can be unlocked. So what can I do?
Buy a retail, unlocked Moto G (or any phone) next time. Or port your number to the provider they are locked to.
