[REF] How to unlock/unfreeze all SGS Models [NOW WORKS ON Vibrant 4G][Updated 4-9-11] - Galaxy S I9000 Android Development

Vibrant 4G/SGS 4G manual method here
PRO App also works on Vibrant 4G/SGS 4G for anyone who doesn't feel comfortable with a hex editor
Do NOT try this or any other unlock method on the SC-02B Docomo phone. Please see thread here for progress on the SC-02B
Please note the same information used to develop the app is in the guide for free... the app just makes it easier
ALL METHODS FOR NEWER PHONES REQUIRE ROOT... PLEASE GO GET ROOT ON YOUR PHONE AND THEN COME BACK.
Oh and BTW... I cannot be held responsible for anything that happens to your phone.... EVER!
Before you start... if you don't have root you WILL need it unless you are on a really old version of Android 2.1 (look in Appendix A for deprecated methods)
Step 1. - Retrieve nv_data.bin file
use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands
Code:
su
cat /efs/nv_data.bin > /sdcard/nv_data.bin
Step 2. - Edit nv_data.bin file
mount the internal SD Card on your computer
make a backup copy of the nv_data.bin file on your computer
using your favorite HEX editor open the nv_data.bin on the sdcard
jump to address 0x181468
you should see a string like this
ff 01 00 00 00 00 46 46
there are 5 different types of locks in 5 different bytes
the FF byte should be left alone
the first byte after the FF is the network lock
the next byte is the network subset lock
the next byte is the sp lock
the next byte is the cp lock
the last byte appears to be a data lock.
the 46 46 should be left alone
Change any 0x01 to 0x00 (or 0x00 to 0x01 to lock for warranty)
It should read ff 00 00 00 00 00 46 46 for unlocked
save and close file
unmount SD Card
Step 3. - Replace nv_data.bin file
I want to say it again so no one misses it MAKE SURE YOU HAVE A BACKUP OF YOUR NV_DATA.BIN FILE BEFORE YOU CONTINUE!!!!!
use "adb shell" or a terminal emulator to get a terminal prompt and run the following commands
Code:
su
rm /efs/nv_data.bin
rm /efs/nv_data.bin.md5
cat /sdcard/nv_data.bin >> /efs/nv_data.bin
chmod 755 /efs/nv_data.bin
chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
reboot
your phone is now unlocked... enjoy
[OPTIONAL] Use the PRO app [OPTIONAL]
Please note that this step is ONLY here for people that are not comfortable using a Hex editor.
Search "Vibrant unlock" in the market or scan the QR code:
Install and run app
press menu
press Unlock Phone
Select phone
allow root
at this point if you get an error code make SURE you mount your internal SD card on your computer and backup the nv_data.bin.orig file that is there.
press unlock
restart and your phone is now unlocked
to lock your phone for warranty
press lock instead of unlock
restart your phone, remove root, and take your phone in for warranty
APPENDIX A (DEPRECATED)
DOES NOT WORK ON 90% PHONES PLEASE USE THE APP
Using ADB
Make sure that Network Lock is the only thing on... go to phone and enter *#7465625#
Make sure USB debugging is enabled (Settings->Applications->Development->USB Debugging)
Using APP (Thanks ClarkeHackworth and DaGentooBoy)
ClarkHackworth's page about the app
Same thing as before if this bricks your phone sorry but we aren't responsible.
Step A.1. – Get your code
Search Samsung Galaxy S Unlock Tool in the market or scan the QR code.
Install SGS_Unlock.apk
Applications->SGS Unlock
Menu->Root Gen Codes (Root method is the most reliable method at this point)
Jump to Step A.2.
Step A.1.alternate – Get your code
For Mac Updated!!! New Script
nbs11 said:
1. Download the Samsung Galaxy S Unlocker for Mac from this here:
http://www.multiupload.com/9NEBR6FAKD
2. Mount the DMG and drag the folder onto the hard drive. DO NOT DRAG THE ICON WITH THE LOCK (the app). Once the file is finished copying continue.
3. Open the application with the lock. It should open a terminal window. Let it run for a few seconds and then it should show a screen like this:
4. Write down your unlock code
For Windows UPDATED!!! With Un-Freeze Codes
Video Guide
Download and extract the attached Generate Unlock Windows.zip.
Run Generate_Code.bat
Look for the line Network Control Key:YourCode
Save the code
Step A.2. – Enter the code
Power down your phone
Put in a SIM card from another carrier
Power up your phone
When it boots up it will ask for the unlock code that you found above
OR
NO SIM Method (Thanks RazvanG)
(Apparently this just adds another SIM to the accepted SIM list... can someone confirm?)
remove sim card
power on phone without sim
enter *7465625*638*# and relock the phone to a network other than the one your SIM card is from (e.g. 22610)
power off phone
insert sim card back
power on and enter nck code extracted from .bak file
phone unlocked
Step A.3. – Flash back (IF THE CODE DIDN'T WORK)
Flash back to an older firmware (I9000XXJF7 with 513.pit worked for me on an I9000)
Now enter the unlock code you generated in Step 2.
RazvanG said:
HOW TO LOCK SAMSUNG GALAXY S - FOR WARRANTY PURPOSES ONLY (TESTED)
After you get the NCK code using the method above, enter: *7465625*638*#
There will be a pop-up box.
Complete the first field (MCC/MNC) with the network you want your phone locked to (eg. 226 10 where 226 = romania; 10 = orange etc.) and the second field (Control Key) with the NCK extracted from the .bak file.
Press OK and your phone should relock.
RazvanG
Guide in Spanish here
Guide in Italian here
Guide in Chinese here
LEGAL NOTES (because information should be free for all):
YOU MAY NOT, BY ANY MEANS, USE THIS SOLUTION/CODE OR PART OF IT FOR COMMERCIAL PURPOSES.
DO NOT USE THIS EXTRACTION METHOD COMMERCIALLY
PLEASE give credit (and donations if you can) to
For those of you that have donated THANKS! (You know who you are... you paid for my developer account so I could post the app)
DaGentooBoy For this AWESOME guide, the free and PRO apps, finding the other unlock bits, the original mac and windows scripts, the no root cat nv_data method, the unfreeze code portion of the mac script, and a lot of troubleshooting (Paypal)
dawen, Helroz, and NWolf for discovering the hex location of the lock bit in the nv_data.bin file (donate to NWolf here)
RazvanG for pointing galaxysguy in the right direction, finding the Freeze Code location in the .bak file, the code for re-locking the phone to any network, and the solution to unlock with only one sim card (Paypal)
rbnet.it and marcopon for the cool SGUX utility for windows to extract both the Unlock and Unfreeze codes (donate to marcopon and rbnet.it Here)
nbs11 for the new mac script that makes it REALLY easy (donate here)
Bowsa2511 for the command to extract the unlock code on a Mac (Paypal here)
rhcp0112345 for finding the file and giving me (and others) a place to start (Donate here)
galaxysguy for confirming that I was looking at the right code (Paypal here)
AllGamer for starting the Bounty thread and giving the XDA devs the motivation to get started.
If you want me to extract the code for you just PM me with a link to your zipped bml3.bak or nv_data.bin file and I will send you back the code. If it works please feel free to donate via Paypal
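A read-only check of the Step 2 layout, added here as an example and not part of the original post or the PRO app: it reads the five lock bytes at 0x181468 from a copy of nv_data.bin and confirms that an edited copy differs from the backup only in those bytes. The function names and the constructed sample image are assumptions; the offset, byte order and the ff / 46 46 markers are the ones given in the guide above.

```python
"""Read-only checks for a copy of nv_data.bin, using the layout from Step 2."""
import hashlib

LOCK_OFFSET = 0x181468      # address given in Step 2 of the guide
LOCK_NAMES = ("network", "network_subset", "sp", "cp", "data")  # order from the guide
HEAD = b"\xff"              # leading byte the guide says to leave alone
TAIL = b"\x46\x46"          # trailing bytes the guide says to leave alone
FIELD_LEN = len(HEAD) + len(LOCK_NAMES) + len(TAIL)   # 8 bytes in total


def read_lock_flags(image: bytes, offset: int = LOCK_OFFSET) -> dict:
    """Return {lock name: True/False}; raise if the layout is not the expected one."""
    field = image[offset:offset + FIELD_LEN]
    if len(field) != FIELD_LEN:
        raise ValueError("file is too short to contain the lock field")
    if not field.startswith(HEAD) or not field.endswith(TAIL):
        # Different firmware or a damaged copy: do not edit by offset.
        raise ValueError("ff ... 46 46 markers not found at 0x%X" % offset)
    flags = field[len(HEAD):len(HEAD) + len(LOCK_NAMES)]
    if any(b not in (0x00, 0x01) for b in flags):
        raise ValueError("lock bytes hold values other than 0x00/0x01")
    return {name: bool(b) for name, b in zip(LOCK_NAMES, flags)}


def changed_offsets(original: bytes, edited: bytes) -> list:
    """List every offset where the edited copy differs from the backup."""
    if len(original) != len(edited):
        # A length change means the copy was truncated or appended to.
        raise ValueError("size differs: %d vs %d" % (len(original), len(edited)))
    return [i for i, (a, b) in enumerate(zip(original, edited)) if a != b]


def edit_is_confined(original: bytes, edited: bytes,
                     offset: int = LOCK_OFFSET) -> bool:
    """True only if the edit touched nothing but the five lock bytes."""
    read_lock_flags(edited, offset)   # markers and flag values must still be sane
    allowed = range(offset + len(HEAD), offset + len(HEAD) + len(LOCK_NAMES))
    return all(i in allowed for i in changed_offsets(original, edited))


def backup_digest(image: bytes) -> str:
    """SHA-256 of the backup, to confirm later that the backup itself is intact."""
    return hashlib.sha256(image).hexdigest()


def make_sample(flags=(1, 0, 0, 0, 0)) -> bytes:
    """Constructed stand-in for nv_data.bin: zero-filled except the lock field."""
    buf = bytearray(LOCK_OFFSET + FIELD_LEN + 16)
    buf[LOCK_OFFSET:LOCK_OFFSET + FIELD_LEN] = HEAD + bytes(flags) + TAIL
    return bytes(buf)


if __name__ == "__main__":
    backup = make_sample((1, 0, 0, 0, 0))   # constructed: network lock set
    edited = make_sample((0, 0, 0, 0, 0))   # constructed: all locks cleared
    print("backup sha256:", backup_digest(backup))
    print("backup flags :", read_lock_flags(backup))
    print("edited flags :", read_lock_flags(edited))
    print("changed at   :", [hex(i) for i in changed_offsets(backup, edited)])
    print("edit confined:", edit_is_confined(backup, edited))
```

Run it against the backup and the edited file on the computer before Step 3; a ValueError or a False result means the edited copy should not be written back to /efs.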

Great work dagentooboy. I was working on a free unlock myself but approaching it from a slightly different angle. Unfortunately bricking my phone held me up a lot but I'm glad to see someone has done it now.

re: credits
apparently marcopon helped rbnet.it to write that sgux utility.

AllGamer said:
re: credits
apparently marcopon helped rbnet.it to write that sgux utility.
thanks... I saw the bounty thread is updated. Feel free to link to the instructions on this thread so that they all go to one place.

AllGamer said:
re: credits
apparently marcopon helped rbnet.it to write that sgux utility.
Yes! It's shown in the credits:

This is just the thing I've been looking for. Thanks a lot. Just out of curiosity, why do you have to flash back to older firmware after entering the unlock code?

Yes, I usually go by the Mark0 nick but it was already used in the forum (IIRC).
I also want to thank andars05 for a post he made that provided some inspiration.
Nice to see that the tool is proving to be useful!
Feel free to donate to the PayPal link rbnet.it provided!

Got "Permission denied" after su in step 1 - I've got a rooted Captivate with stock firmware - I know that is probably a problem with access to the root account, but all apps are working properly with it. Any idea for a solution?
I've Windows 7, tried running command line with administrator privileges, but it didn't help.

TheNaturat said:
Got "Permission denied" after su in step 1 - I've got a rooted Captivate with stock firmware - I know that is probably a problem with access to the root account, but all apps are working properly with it. Any idea for a solution?
I've Windows 7, tried running command line with administrator privileges, but it didn't help.
After "su", have you allowed the root access on the phone?

Jreddekopp said:
This is just the thing I've been looking for. Thanks a lot. Just out of curiosity, why do you have to flash back to older firmware after entering the unlock code?
Sorry That is what it took to unlock mine. I updated the first post... you don't have to do that if the code works.

Thanks so much, it worked on my Globe locked SGS (Philippines).
MAC users use 0xED Hex Editor and just search SSNV and you'll get your 8 digits unlock code.

TheNaturat said:
Got "Permission denied" after su in step 1 - I've got a rooted Captivate with stock firmware - I know that is probably a problem with access to the root account, but all apps are working properly with it. Any idea for a solution?
I've Windows 7, tried running command line with administrator privileges, but it didn't help.
I found the same code in the nv_data.bin file... if you can't get the dd thing to work try
Code:
cat /efs/nv_data.bin > /sdcard/nv_data.bin

having problems pulling the file but I have SU permissions.
$ su
su
dd if=/dev/block/bml3 of=/sdcard/bml3.bak
dd if=/dev/block/bml3 of=/sdcard/bml3.bak
Permission denied
$ dd: can't open '/dev/block/bml3': Permission denied
$

antz88c said:
Thanks so much, it worked on my Globe unlocked SGS (Philippines).
MAC users use 0xED Hex Editor and just search SSNV and you'll get your 8 digits unlock code.
I used HexEdit
http://sourceforge.net/projects/hexedit/
You can try both but the important thing is finding the code. Searching for SSNV should get you right there.

nickbarbs said:
having problems pulling the file but I have SU permissions.
$ su
su
dd if=/dev/block/bml3 of=/sdcard/bml3.bak
dd if=/dev/block/bml3 of=/sdcard/bml3.bak
Permission denied
$ dd: can't open '/dev/block/bml3': Permission denied
$
Try this and let me know if it works.

samsung galaxy s sgh-i897
has anyone unlocked the samsung galaxy s sgh-i897 using this method?

Network unlock successful
Thank you guys!

WOWOOWOWOWOOWWWW
NETWORK UNLOCK SUCCESSFUL
as soon as i get my 25$ refund from this guy and 6£ from someone else you'll get it
EDIT: I'm Samsung Captivate Sgh-i897

turilo said:
has anyone unlocked the samsung galaxy s sgh-i897 using this method?
I haven't heard of anyone but you are welcome to give it a try. Please let me know if it works.

ok i will try so first i download the file? then follow the directions? if this works I'm definitely donating

Related

[GUIDE] Unlock Froyo 2.2 I9000 Galaxy S manually

Just updated post with more details, I hope someone will find it more useful. As always make sure you have a backup, make a backup of your nv_data.bin BEFORE editing.
I was not able to unlock my phone Froyo 2.2 I9000M phone running I9000UGJK4 firmware by using this official thread http://forum.xda-developers.com/showthread.php?t=761045
and after few hours of searching I found this method which worked for me from first attempt.
I give all the credits for this idea to cursor2010 from http://forum.xda-developers.com/showpost.php?p=8656481&postcount=156
Here are the detailed steps
* Your phone must be rooted (I used SuperOneClick http://forum.xda-developers.com/showthread.php?t=803682) to do this unlocking and busybox from market is installed
* Get the archive file from first post of this topic. The archive contains ADB software which we will use to connect to the phone.
* Turn On USB debugging Application->Settings->Application->Development
* Follow the instructions of STEP 4 from http://www.communityhosting.net/sgsunlock/i9000.html to get your nv_data.bin to your PC
Get your current nv_data.bin file from the /efs directory on your phone. This can be done with ADB. Most often, the nv_data.bin file is not readable and you will get a permission denied message. You'll need to enter the commands manually.
To do this with ADB, from the DOS command prompt you can type:
adb pull /efs/nv_data.bin
If you receive a permission denied error, you can fix it by typing the following commands from an ADB shell (type "adb shell" at the DOS command prompt) or from within a terminal on the phone:
adb shell
su
chmod 777 /efs/nv_data.bin
exit
exit
Then from the DOS command prompt:
adb pull /efs/nv_data.bin
Using Hex editor edit the file ( you can use any hex editor, http://www.logitheque.com/logiciels/windows/utilitaires/editeur_hexadecimal/telecharger/edithexa_9903.htm for example). I personally use UltraEdit.
At the offset of 180069H you will see your provider MCC and MNC codes see http://en.wikipedia.org/wiki/Mobile_Network_Code
In my case the code was 30261020404... which is Bell Canada, so I changed 610 to 720 Rogers Canada now the code is 30272020404...
Again the offset in the file is 180069H.
Save the file on the pc.
* Follow the instructions from http://forum.xda-developers.com/showpost.php?p=8182729&postcount=107
Copy your nv_data.bin to temporary folder on your phone:
adb shell "mkdir /sdcard/efs"
adb push nv_data.bin /sdcard/efs
adb shell
su
ls -l -a /efs
If there is an nv_data.bin.md5 file in the directory, all is well. You should continue with these commands:
mv /efs/.nv_data.bak /efs/.nv_data.bakk
mv /efs/.nv_data.bak.md5 /efs/.nv_data.bakk.md5
rm /efs/nv_data.bin
rm /efs/nv_data.bin.md5
rm /efs/.nv2.bak
rm /efs/.nv2.bak.md5
busybox cp /sdcard/efs/nv_data.bin /efs/nv_data.bin
chmod 755 /efs/nv_data.bin
chown radio.radio /efs/nv_data.bin
exit
exit
if you have errors on the chown command, use
chown 1001.1001 /efs/nv_data.bin
If there was no nv_data.bin.md5 file, then something is wrong and you'll need to see other options or reflash again with a known working ROM that generates a new MD5 file when it's missing.
* Reboot the phone, it should not ask any unlock codes or anything, in my case it simply just registered on Rogers network
* Obviously you also need to program your APN settings for Rogers from http://forum.xda-developers.com/showthread.php?t=809003 to make your 3G working. For your own provider please search forum.
I wish it would be much simpler or automated or tested on bigger variety of phones. If somebody could gather the statistics and check if this method is applicable throughout all the versions of I9000, that would be very nice.
Feel free to comment my post.
Phams0 said:
I had problems unlocking too. But the little trick that Happy Hunter posted worked. The phone is now locked to fido instead of bell.
I guess my phone is one of the newer builds. That's why the original unlocking method doesn't work.
I bought it a few days ago from Bell.
Model number: GT-I9000M
Firmware Version: 2.2
Baseband Version: I9000UGJK4
Kernel Version: 2.6.32.9 [email protected] #1
Build number: Froyo.UGJK4
in hex editor on phone jump to address look for 00181460 looked in the columns on the right of 00181460 and saw
ff ff ff ff ff ff ff ff 01 00 00 00 so i changed 01 to 00
that will make your phone sim free, u dont have to edit to lock just one network, i already try this tricked while leaving 610 as bell in the nv_data file, after i changed to 00 my rogers sim now work, so i assume it will work with other sims also
in my case this method did not work,
I try something different:
I changed too nv_data.bak and delete nv_data.bin.md5 and nv_data.bak.md5 and now my phone is unlocked
This is such a great written guide, i'd have been a shame to have it get lost inside that unlock topic
so I made it a topic of its own for all the new people trying to unlock Froyo
NOTE: in some HEX editor the offset reads as 181460
bizkopt said:
in my case this method did not work,
I try something different:
I changed too nv_data.bak and delete nv_data.bin.md5 and nv_data.bak.md5 and now my phone is unlocked
LOL !!!!
i can't believe it, this is the most ridiculous "lock" ever
i tried it and it truly works
just delete the files and it automatically becomes SIM free, it wont even ask you for the PIN
tried with 3 different SIM cards, all of them can call out and access to 3G
bizkopt said:
in my case this method did not work,
I try something different:
I changed too nv_data.bak and delete nv_data.bin.md5 and nv_data.bak.md5 and now my phone is unlocked
there is no friggin way it is that simple...isnt ur imei or some other pertinent info store in the files?
I can confirm this works, been using it for a month to switch vibrants over to Fido and Rogers.
dawen said:
in hex editor on phone jump to address look for 00181460 looked in the columns on the right of 00181460 and saw
ff ff ff ff ff ff ff ff 01 00 00 00 so i changed 01 to 00
that will make your phone sim free, u dont have to edit to lock just one network, i already try this tricked while leaving 610 as bell in the nv_data file, after i changed to 00 my rogers sim now work, so i assume it will work with other sims also
This worked great for me. Thanks!
sjavvaji said:
there is no friggin way it is that simple...isnt ur imei or some other pertinent info store in the files?
it is really that easy
i couldn't believe it myself either
so does that mean hex editing is unnecessary.. since that would seem to indicate that it would then be locked to whatever provider you change the code to.. So don't bother editing the file... just delete the files, as a side does still know when you are roaming or not when you do it with this method.. i kinda doubt it?
Sorry for the newbie question. This is the first time I root android phones.
1. My phone was originally 2.1 and I upgraded it to 2.2
2. I ran superoneclick and I can see "superuser" on my app list (I assume it is rooted)
3. unable to get nv_data.bin so I ran "ADB shell" at the dos prompt
4. when I hit "chmod 777 /efs/nv_data.bin" I got "unable to chmod...operation not permitted".
Please let me know what I can do to unlock. Thanks.
try using root explorer in the market.
I managed to use andexplorer to look at the efs directory but it was empty??
Awesome, just tried this on my 3rd Galaxy S Vibrant which came with JL2. Works brilliantly. Nothing else worked.
Does anyone know if this will survive a flash with a custom ROM?
Thanks
mklo said:
I managed to use andexplorer to look at the efs directory but it was empty??
If you've installed Darky's Rom 8.1 you've most likely lost Root as I had. So do the following:
boot into recovery, go to Advanced Speedmod ULK features > Root/Install Superuser, and select the first option i.e 'Simple: install busybox+su'. If this doesn't work, turn on the phone, open Superuser, forget all the apps, then again boot into recovery and follow the above steps.
old post (not relevant anymore):
Same here. Root explorer only shows this:
/efs
5.01MB used, 935K free, r/w
..
Parent Folder.
Any ideas?
make sure you are able to see hidden files
I don't want to pollute this thread but can someone be a bit more specific on what to do on the "simple" unlock shown below
bizkopt said:
in my case this method did not work,
I try something different:
I changed too nv_data.bak and delete nv_data.bin.md5 and nv_data.bak.md5 and now my phone is unlocked
I.e. "changed too nv_data.bak" means he renamed nv_data.bin to nv_data.bak
OR did he delete nv_data.bin and rename .nv_data.bak to nv_data.bin?
I don't have nv_data.bak.md5 but I do have .nv_data.bak.md5 should I delete this other file?
(I don't mind the hex editing way but if there is a simpler way I'll try it first)
hey guys i am just wondering would this instruction help getting verizon samsung fascinate to be on sprint network and data working?
i have my fascinate on sprint already but i just never can get the 3G icon to come up
hello, excuse me I am completly new with SGS
where can I find these 2 files ? (internal card ??)
thanks for your reply
I used root explorer to get nv_data.bin on PC. Then got eXchange.rar, put nv_data.bin from the phone in the same folder with Reparation_nv_data.jar nv_data.binvierge from eXchange.rar, ran Reparation_nv_data.jar, put some 8 digit random numbers in field one and two (different ones), copied nv_data.binvierge back to phone, renamed it to nv_data.bin, deleted EVERYTHING from /efs folder BESIDE nv_data.bin and .imei. Then got the battery off from the phone (not turning it off from power button), left like that for 5 seconds, back in, power on...TADA! Phone unlocked
It has to be rooted.
This is a method from razvang in romanian.

[provider unlock] samsung galaxy 551 GT-i5510

Hi,
I have purchased a 5510 for one of my parents, without Contract, but blocked by a French provider: "Bouygues Telecom".
I think that's going to be easy to unlock, but I have not yet found how.
The phone has been flashed on the latest stock rom samsung (samfirmware) and it is not rooted.
if the root is necessary, what app or software is needed? and how to unlock?
ps: as a purchase without Contract, I can not ask my provider to unlock it.
[solved]
this solution works for me with the last rom samsung and rooted by "SuperOneClickv2.3.3-ShortFuse".
it's in french, so good luck with google translate!
phonandroid.com/forum/desimlocker-samsung-ace-s5830-en-invite-de-commande-t4206.html
alucka said:
this solution works for me with the last rom samsung and rooted by "SuperOneClickv2.3.3-ShortFuse".
it's in french, so good luck with google translate!
phonandroid.com/forum/desimlocker-samsung-ace-s5830-en-invite-de-commande-t4206.html
I can confirm this works on my I5510M from Bell Mobility. I just tried it using a TELUS sim card.
Here are the steps I took:
0. Type in dial pad *#7465625#, make sure network lock is [ON]... if not you're not simlocked
1. If phone is not rooted, download SuperOneClickv2.2-ShortFuse.zip from this thread: http://forum.xda-developers.com/showthread.php?t=803682
2. Connect the phone to your computer using, windows 7 installed the correct drivers for me
3. Once the drivers are installed, disconnect your phone
4. Open SuperOneClick
5. Reconnect your phone to the computer
6. Press Root in SuperOneClick... wait for it to finish (may take ~2-5 min)
7. Your phone is now rooted, hooray
8. Make sure your phone is in debug mode. Settings > Applications > Developer > Debug Mode
9. Copy ADB folder from SuperOneClick folder to C:\
10. Open command prompt (start > run > cmd)
11. Type in the following commands:
Code:
cd C:/adb (navigate to the adb folder you just placed)
adb devices (to verify device is connected)
adb shell
su
cat /dev/bml5>/sdcard/bml5.img (thats an "L" not a "one")
exit
You just copied bml5 binary to the root of your sdcard. If you get access denied, your phone was not properly rooted, try again.
12. Mount your SDCard and copy bml5.img to your desktop
13. Download HexEdit here: http://www.physics.ohio-state.edu/~prewett/hexedit/
14. Open bml5.img in HexEdit
15. Press FIND, select HEX, and paste in "FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30 30 30" (without quotes), then press OK
16. It should find the hex sequence, look to the right pane of HexEdit and you'll see an 8-digit numeric code (mine was split over two lines). This is your sim unlock code. Write down this code.
17. Turn off your phone
18. Place another networks simcard in your phone, and turn your phone back on
19. After it boots, it'll say this phone is network locked, and prompt for an unlock code... type the code found in step 16
20. If it doesn't prompt type in the dialer: #7465625*638*# then type in your code
21. It should unlock no problem
22. Double check by typing *#7465625# in the dialer and making sure Network Lock is [OFF]
Let me know if you have any questions. Cheers.
stuasmo City
JT-on said:
I can confirm this works on my I5510M from Bell Mobility. I just tried it using a TELUS sim card.
Here are the steps I took:
0. Type in dial pad *#7465625#, make sure network lock is [ON]... if not you're not simlocked
1. If phone is not rooted, download SuperOneClickv2.2-ShortFuse.zip from this thread: http://forum.xda-developers.com/showthread.php?t=803682
2. Connect the phone to your computer using, windows 7 installed the correct drivers for me
3. Once the drivers are installed, disconnect your phone
4. Open SuperOneClick
5. Reconnect your phone to the computer
6. Press Root in SuperOneClick... wait for it to finish (may take ~2-5 min)
7. Your phone is now rooted, hooray
8. Make sure your phone is in debug mode. Settings > Applications > Developer > Debug Mode
9. Copy ADB folder from SuperOneClick folder to C:\
10. Open command prompt (start > run > cmd)
11. Type in the following commands:
Code:
cd C:/adb (navigate to the adb folder you just placed)
adb devices (to verify device is connected)
adb shell
su
cat /dev/bml5>/sdcard/bml5.img (thats an "L" not a "one")
exit
You just copied bml5 binary to the root of your sdcard. If you get access denied, your phone was not properly rooted, try again.
12. Mount your SDCard and copy bml5.img to your desktop
13. Download HexEdit here: http://www.physics.ohio-state.edu/~prewett/hexedit/
14. Open bml5.img in HexEdit
15. Press FIND, select HEX, and paste in "FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30 30 30" (without quotes), then press OK
16. It should find the hex sequence, look to the right pane of HexEdit and you'll see an 8-digit numeric code (mine was split over two lines). This is your sim unlock code. Write down this code.
17. Turn off your phone
18. Place another networks simcard in your phone, and turn your phone back on
19. After it boots, it'll say this phone is network locked, and prompt for an unlock code... type the code found in step 16
20. If it doesn't prompt type in the dialer: #7465625*638*# then type in your code
21. It should unlock no problem
22. Double check by typing *#7465625# in the dialer and making sure Network Lock is [OFF]
Let me know if you have any questions. Cheers.
Thanks, I can find the hexstrings 24 times in the image file but none of them has a 8 digit numeric string close by.
For unlocking purpose I need to copy /dev/bml15, I was able to access it but after flashing I can't access it any more,any ideas?
/dev/bml15: No such device or address
thanks.
# id
id
uid=0(root) gid=0(root)
# ls -l /dev/bml15
ls -l /dev/bml15
brwxrwx--- root root 137, 15 2013-01-06 14:54 bml15
# ls -l /dev/block/bml15
ls -l /dev/block/bml15
/dev/block/bml15: No such file or directory
# cat /dev/bml15 > /sdcard/bml15.img
cat /dev/bml15 > /sdcard/bml15.img
/dev/bml15: No such device or address
# dd if=/dev/bml15 of=/sdcard/bml15.img
dd if=/dev/bml15 of=/sdcard/bml15.img
/dev/bml15: cannot open for read: No such device or address
# ls -l /dev/bml15
ls -l /dev/bml15
brwxrwx--- root root 137, 15 2013-01-06 14:54 bml15
# which cat
which cat
/system/bin/cat
# id
id
uid=0(root) gid=0(root)
# uname -a
uname -a
Linux localhost 2.6.32.9-perf #21 PREEMPT Fri Jun 10 11:53:15 IST 2011 armv6l GNU/Linux
#
Worked for me - also a GT-i5510 from Bell
falcon09 said:
Thanks, I can find the hexstrings 24 times in the image file but none of them has a 8 digit numeric string close by.
I found it a few lines up from where the first occurrence of the string was. In the Hex editor, try scrolling up a few lines and see if there's an 8 digit code that isn't 00000000 - mine stuck out like a sore thumb once I went back a few lines.
falcon09 said:
For unlocking purpose I need to copy /dev/bml15, I was able to access it but after flashing I can't access it any more,any ideas?
/dev/bml15: No such device or address
Are you trying to copy /dev/bml15 or /dev/bml5? The instructions I followed were for /dev/bml5 and that worked for my phone.
Colin
Why i can't find the 8 digit numbers ?
that's awesome !!! was able to do mine.. I'm too happy to search for this thing as i was going to pay for the unlock... Thanks for sharing this buddy !!
thanks for the guide
Another Bell success story
My wife is on Bell and I'm on Telus. The only reason she hasn't switched is that Telus doesn't have a QWERTY phone she likes. These instructions worked flawlessly on her 551. XP found and installed the drivers with no problems. I used ES File Manager to copy bml5.img from the SD card to a shared folder on the XP machine via WiFi. When I ran the hex editor there was only one match for the hex search string and I scrolled up 2 lines and saw the code. I popped my Telus SIM in her phone and when it powered up it prompted me for an unlock code. I entered the code and made a couple of test calls.
I have attached a prtscr of the hex editor with the search string highlighted. Note that it's repeated 3 times and the scroll bar shows it's near the end of the file.
greetings and thanks...
Excellent contribution, I have a GT-I5510L and follow his footsteps, at first the computer gave me two errors but it was nothing serious, and then did the miracle, but the hex editor to use was the XVI32, I saw a little more faster and easier to use.
I can vouch that this method works great. Purchased a Bell branded phone for my wife (she broke her S3), followed the steps and voila!
Kudos.
I get in hexeditor this message
search string not found
what can i do please !?
Read Only?
when I do the command "cat /dev/bml5>/sdcard/bml5.img" I get an error saying "cannot create /sdcard/bml5.img: read-only file system"
Help anyone?! xD
sahacing said:
thanks for the guide
thanks works well on mine bell now it's on Rogers
works well lol just tried it
THANKS JT-ON!
Grandpa needed simple phone for just making phone call, I had 551 collecting dust but those online unlocking sites were asking $25~$30 for unlock code, which is probably more than what phone is worth...
unlocked mine following your instruction!
just want to let everyone know this works but you have to use HexEdit, nothing else.
URL on JT's guide is not working, i downloaded some other random Hex reader and it did not find the FF FF 30 30....
I found HexEdit from some other site and it found FF FF 30 30 sequence no problem.
JT-on said:
I can confirm this works on my I5510M from Bell Mobility. I just tried it using a TELUS sim card.
Here are the steps I took:
0. Type in dial pad *#7465625#, make sure network lock is [ON]... if not you're not simlocked
1. If phone is not rooted, download SuperOneClickv2.2-ShortFuse.zip from this thread: http://forum.xda-developers.com/showthread.php?t=803682
2. Connect the phone to your computer using, windows 7 installed the correct drivers for me
3. Once the drivers are installed, disconnect your phone
4. Open SuperOneClick
5. Reconnect your phone to the computer
6. Press Root in SuperOneClick... wait for it to finish (may take ~2-5 min)
7. Your phone is now rooted, hooray
8. Make sure your phone is in debug mode. Settings > Applications > Developer > Debug Mode
9. Copy ADB folder from SuperOneClick folder to C:\
10. Open command prompt (start > run > cmd)
11. Type in the following commands:
Code:
cd C:/adb (navigate to the adb folder you just placed)
adb devices (to verify device is connected)
adb shell
su
cat /dev/bml5>/sdcard/bml5.img (thats an "L" not a "one")
exit
You just copied bml5 binary to the root of your sdcard. If you get access denied, your phone was not properly rooted, try again.
12. Mount your SDCard and copy bml5.img to your desktop
13. Download HexEdit here: http://www.physics.ohio-state.edu/~prewett/hexedit/
14. Open bml5.img in HexEdit
15. Press FIND, select HEX, and paste in "FF FF FF FF FF FF FF FF FF FF 30 30 30 30 30 30 30 30" (without quotes), then press OK
16. It should find the hex sequence, look to the right pane of HexEdit and you'll see an 8-digit numeric code (mine was split over two lines). This is your sim unlock code. Write down this code.
17. Turn off your phone
18. Place another network's SIM card in your phone, and turn your phone back on
19. After it boots, it'll say this phone is network locked, and prompt for an unlock code... type the code found in step 16
20. If it doesn't prompt, type in the dialer: #7465625*638*# then type in your code
21. It should unlock no problem
22. Double check by typing *#7465625# in the dialer and making sure Network Lock is [OFF]
Let me know if you have any questions. Cheers.
work ok thank you

[TUTORIAL] Unlocking(relocking) Samsung Galaxy Ace GT-S5830i

At the beginning, I gave my girlfriend a Galaxy Ace GT-S5830i.
My network is Telenor, hers is T-Mobile.
So I wanted to unlock it..
None of the methods for the GT-S5830 worked.
After a few long days, I've found a relock method (Network Provider Change (not unlock))
Programs you need:
- Android SDK (or simply an ADB environment, below uploaded)
- KIES (only for the drivers)
- Root file(below uploaded)
- Hex editor(Below uploaded)
First you have to root your phone.
- Copy the update.zip to SD card
- Turn off phone
- Press and hold the Home button, and the volume up button.
- Press and hold the power button, until the Galaxy Ace text appears and disappears.
- When disappears, release only the power button...
- Wait until the Galaxy Ace text appears and turns into bright yellow.
- Release all the buttons, and the recovery comes up.
-Choose the apply update from SD card, then choose the zip, you copied.
reboot your phone...
Alright, Here comes the relock procedure
- First make sure, the usb debug is turned on...
[Settings>applications>Development>USB Debugging]
and the drivers are installed correctly (if it isn't, then install KIES)
- extract the ADB.zip from below to C:\
- Open Start Menu, then open Run command, and write here :
cmd
Then a command prompt comes up..
The commands:
Code:
c:
cd adb
adb shell
su !! A SU windows pops up in your phone.. Allow it !!
cat dev/block/bml15 > /data/local/bml15.bin
exit
exit
adb pull data/local/
Open this link:
http://en.wikipedia.org/wiki/Mobile_Network_Code
Search for your current MCC and MNC,
and those of the provider you want to change to.
Write them down: first the MCC and then the MNC.
For example, I'd like to change from Hungarian Telenor to Hungarian T-Mobile.
So the Hungarian Telenor's MCC is 216 and MNC is 01 => 21601
and the Hungarian T-Mobile's MCC is 216 and MNC is 30 => 21630
Extract the XVI32, you downloaded.
open it, and open the bml15.bin in your C:\ADB
Press ctrl+F
At the Text String line enter your code (my example code is: 21601)
press ok
Change it to your next code (My example next code is: 21630)
Save it as bml15_unlocked.bin
Then open your command prompt again.
Code:
c:
cd adb
adb push bml15_unlocked.bin /data/local/bml15_unlocked
adb shell
su
dd if=/data/local/bml15_unlocked of=/dev/bml15
exit
exit
Reboot your phone with the new sim card
Cuii said:
At the beginning, I gave my girlfriend a Galaxy Ace GT-S5830i.
My network is Telenor, hers is T-Mobile.
So I wanted to unlock it..
much easier way in my sig, also applicable for ACE S5830i
Doky73 said:
much easier way in my sig, also applicable for ACE S5830i
Yes much easier thanks unlocked my S5830i no problems!! cheers!!!
Cuii said:
Code:
c:
cd adb
adb shell
su !! A SU windows pops up in your phone.. Allow it !!
cat dev/block/bml15 > /data/local/bml15.bin
exit
exit
adb pull data/local/
Sorry I'm fairly new to this sort of stuff, how should I enter the code?
TootyPang said:
Sorry I'm fairly new to this sort of stuff, how should I enter the code?
Forget about these commands. If your device is an S5830i, then download Galaxy Toolbox from Google Play Store! It's free...
See my sig!
Sent from my SGSII using Tapatalk 2 & Swype
... "by George Orwell"
Doky73 said:
Forget about these commands
some will prefer to press a button some want the hard way and finally all are winners
unfortunately I don't have a Samsung phone to test it but surely someone is to appreciate first post on this thread too !
Great post Cuii easy to follow!
I was able to pull the bml15.bin. But now when I opened it, I have trouble finding the unlocking code. It doesn't seem to match the wiki page.
Can someone tell me on which line the code can be found? It's mentioned in XVI32 on the left (in hexadecimal) and on the bottom in decimal address.
Thanks!
<edit> : never mind it turned out my new phone was already simlock free !!! it was supposed to be simlock at delivery. I guess my provider made a mistake
Thanks this has saved my mates phone (he imported it was supposed to be unlocked but it wasnt). I tried every other procedure without success but this worked. Cheers
very nice tutorial keep sharing THANKS!!!!
Did not work
Hello I tried the rooting as suggested and my phone does not turn on now. All it does is flash, I tried to flash my phone and still does the same thing after it reboots. Odin says that it passes but it still does not.
Any suggestions?
thanks
thanks
Just perfect
Doky73 said:
much easier way in my sig, also applicable for ACE S5830i
Using Dorky's way of unlocking my GT-S5830i was exactly what I needed, so I made a sizeable donation and I won't say thank you:laugh:
Thanks
Doky73 said:
much easier way in my sig, also applicable for ACE S5830i
I know you said not to say thanks but are you aware of the heartache you save some ppl who are trying to unlock their phones, not to mention time. I spent hours trying to unlock my 5830i with the Root, Busybox, Galaxy Unlock method all to no avail, I kept getting that the unlock code was "or or or or" with no actual codes showing. I had convinced myself my phone could not be unlocked because of the i after the 5830 as everybody with a std 5830 seemed to be doing fine, that was until I found your great app. To be honest I have not donated as things are not that great but I will. :good:
Thanks a lot!
Succesfully unlocked my 5830.
Hi @Cuii
Extract the XVI32, you downloaded.
open it, and open the bml15.bin in your C:\ADB
I don't understand what you mean.
When I extract and open the downloaded file, there is no bml15.bin!
Please help me with this problem.
Thank you
samsung galaxy ace network lock
c:
cd adb
adb shell
su !! A SU windows pops up in your phone.. Allow it !!
cat dev/block/bml15 > /data/local/bml15.bin
exit
exit
am stuck on the cmd code.
path error

[Q] Network Lock Key

Hi, yesterday I flashed original firmware on my Sam Gio S5660.
But now it asks me for a Network lock key..
I already tried to find the code with bml5.img but the code doesn't work.
I have SU ChainfireXDA
Can I get any help, please?
Hugs
xxxxxxxxxx
Drhoffman said:
Hi, yesterday I flashed original firmware on my Sam Gio S5660.
But now it asks me for a Network lock key..
I already tried to find the code with bml5.img but the code doesn't work.
I have SU ChainfireXDA
Can I get any help, please?
Hugs
On the board I found numerous examples of the dd command to make a copy of the efs memory block. But they also use:
dd if=/dev/block/stl4 of=/sdcard/stl4.bin bs=4096
(stl4 is efs for Galaxy S)
Why the bs=4096 parameter?
Cheers
Quote:
Originally posted by vampires.remembered
Steps
1. Root your phone with: Universal Androot (I used this one) or z4root
2. Install application [.apk]: SU File Manager & Terminal (I used this one)
3. Run SUBFS (SU File Manager & Terminal)
4. Select Terminal
Enter this in Terminal:
Code:
su
dd if=/dev/block/stl5 of=/sdcard/stl5.rfs
5. Open /sdcard/stl5.rfs (or copy it to PC and open it from there) with winimage (free download) or similar.
6. Extract from it the file: mits/perso.txt
7. Open: perso.txt. You will find an 8 digit code. This is your Network Unlock code.
8. Insert an unaccepted SIM card (from a locked carrier). Your phone will ask you for the Network Unlock code.
9. Insert the 8 digit code (Network Unlock code) from perso.txt.
10. Thank tweakradje!
That's it!
All of the above applications and programs can be googled.
PS: This was done for Vodafone RO.
gofsat said:
Enter this in Terminal:
Code:
su
dd if=/dev/block/stl5 of=/sdcard/stl5.rfs
5. Open /sdcard/stl5.rfs (or copy it to PC and open it from there) with winimage (free download) or similar.
6. Extract from it the file: mits/perso.txt
7. Open: perso.txt. You will find an 8 digit code. This is your Network Unlock code.
8. Insert an unaccepted SIM card (from a locked carrier). Your phone will ask you for the Network Unlock code.
9. Insert the 8 digit code (Network Unlock code) from perso.txt.
10. Thank tweakradje!
That's it!
All of the above applications and programs can be googled.
PS: This was done for Vodafone RO.
Thank you very much :victory::victory::victory: I'm dealing with this problem for 2 days. I found the "network lock code" in perso.txt and my problem solved :good:
Cheers :highfive:
Cheers :good::good::good:
I put cm11 on my gio, but still need unlock network key? Where do i find that??

{Boot-Loader} How To Unlock The Boot-Loader ( Need Temp Root )

I have seen reports of getting Temp-Root.
Please share how you are getting Temp Root.
Enable OEM-UNLOCKING ---->>> Without the switch in the Developer Options.
The OEM-UNLOCKING switch simply sets the last byte of the FRP partition to 01 or 00.
00 means the boot loader can not be unlocked.
01 means it can.
Steps
1 ) Enable developer options on the device and turn on usb debugging.
2 ) Get the Temp Root Access ( We need to use the adb shell )
3 ) Copy the FRP partition to a image file. (execute the below command in adb shell)
Code:
dd if=/dev/block/bootdevice/by-name/frp of=/sdcard/frp.img
3 ) Copy the FRP image file to a computer . (execute the below command in command window)
Code:
adb pull /sdcard/frp.img
4 ) Open the frp.img in a hex editor like HXD.
change the last byte from 00 to 01. See pics below.
5) First copy the edited frp.img to the sdcard.
Code:
adb push frp.img /sdcard/
6) Flash the edited frp.img to the device
Code:
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
Now boot the device into download mode
7) Get the unlock token for the htc dev site.
Code:
fastboot oem get_identifier_token
Go to HTC-DEV site and finish unlocking the Boot-Loader.
To Get Perm Root
1) After unlocking the boot loader flash TWRP recovery.
Code:
fastboot flash recovery twrprecovery.img
I can build the TWRP recovery ( Possibly even use Desire 626s TWRP Recovery )
2) Install supersu using TWRP.
3) Enjoy the Rooted Desire 526 ( VERIZON Model)
Can someone please share with us how you are obtaining temp root
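An added example, not part of any post in this thread: a read-only Python check that a device auditor could run over a pulled FRP image to see whether the OEM-unlock flag differs from a known-good baseline copy, and whether any other bytes changed. The function names and the constructed 4096-byte sample images are assumptions; the flag semantics (last byte 00 or 01) are taken from the post above.

```python
import hashlib

# Flag values as the post describes them: the last byte of the FRP partition.
FLAG_LOCKED = 0x00          # bootloader unlock not permitted
FLAG_UNLOCK_ALLOWED = 0x01  # "OEM unlocking" enabled


def oem_unlock_state(image):
    """Classify the OEM-unlock flag (last byte) of an FRP image."""
    if not image:
        raise ValueError("empty image")
    flag = image[-1]
    if flag == FLAG_LOCKED:
        return "locked"
    if flag == FLAG_UNLOCK_ALLOWED:
        return "unlock-allowed"
    # Any other value is outside what the post describes; report it verbatim.
    return "unexpected-0x%02x" % flag


def changed_offsets(baseline, current):
    """Return every byte offset at which the two images differ."""
    if len(baseline) != len(current):
        raise ValueError("image sizes differ; not the same partition layout")
    return [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]


def audit_frp(baseline, current):
    """Compare a current FRP image against a trusted baseline copy.

    Nothing is written anywhere; the result only describes what changed.
    """
    diffs = changed_offsets(baseline, current)
    flag_offset = len(current) - 1
    return {
        "baseline_sha256": hashlib.sha256(baseline).hexdigest(),
        "current_sha256": hashlib.sha256(current).hexdigest(),
        "baseline_state": oem_unlock_state(baseline),
        "current_state": oem_unlock_state(current),
        "flag_changed": flag_offset in diffs,
        # Changes outside the flag byte point to edits beyond the toggle.
        "other_changed_offsets": [o for o in diffs if o != flag_offset],
    }


def make_constructed_image(size=4096, flag=FLAG_LOCKED, extra=None):
    """Build a constructed (not real) FRP-like image for the demo."""
    data = bytearray(size)
    data[-1] = flag
    for offset, value in (extra or {}).items():
        data[offset] = value
    return bytes(data)


if __name__ == "__main__":
    base = make_constructed_image()
    samples = {
        "unchanged": base,
        "flag toggled": make_constructed_image(flag=FLAG_UNLOCK_ALLOWED),
        "flag toggled + extra edit": make_constructed_image(
            flag=FLAG_UNLOCK_ALLOWED, extra={100: 0xAA}),
    }
    for name, image in samples.items():
        report = audit_frp(base, image)
        print(name, "->", report["current_state"],
              "flag_changed=%s" % report["flag_changed"],
              "other=%s" % report["other_changed_offsets"])
```

In real use the two byte strings would come from `open(path, "rb").read()` on a stored baseline and a freshly pulled image.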
So I guess No One is getting temp root ???
A thought on how to get root.
I'm not an app guy but what I suggest is.......
On a HTC Desire 626s toggle the OEM_UNLOCKING switch on and off.
Capture the command the switch uses to set the last byte of the FRP partition.
Create a app or command that is the same to run on the desire 526.
If we can set the last byte to 01 instead of 00 then we can unlock the bootloader with the normal HTC DEV.
If you tell me how to capture / log that command I can do it on my desire 626s.
Work around
BigCountry907 said:
So I guess No One is getting temp root ???
A thought on how to get root.
I'm not an app guy but what I suggest is.......
On a HTC Desire 626s toggle the OEM_UNLOCKING switch on and off.
Capture the command the switch uses to set the last byte of the FRP partition.
Create a app or command that is the same to run on the desire 526.
If we can set the last byte to 01 instead of 00 then we can unlock the bootloader with the normal HTC DEV.
If you tell me how to capture / log that command I can do it on my desire 626s.
Are you saying you need a screenshot of the oem token for the 626? I have both the Verizon 526 and cricket 626. If necessary, I can get it. Really hoping you find a workaround.
@Darcliet
Are you saying you need a screenshot of the oem token for the 626? I have both the Verizon 526 and cricket 626. If necessary, I can get it. Really hoping you find a workaround.
No, that's not what I'm saying.
This is a way to get the needed OEM Unlock Token from the desire 526.
If we can set the last byte of the FRP partition to 01 then FASTBOOT OEM_UNLOCK will generate the TOKEN.
So what we need to accomplish is
Either:
A) find a way to get temp root so we can dd flash the frp partition.
B) Replicate the command that is executed on the android system to set the byte.
My reference to the Desire 626s is that the 626s has the Enable OEM Unlocking in the Developer Options.
So if we turn on and off the oem unlocking switch and then logcat the command that is executed we can use the logged command to set the FRP on the 526.
If someone tells me how to get temp root, or how to log the command from the 626s. We can give it a try.
Logcat of the switch
So I toggled on and off my Oem-Unlocking Switch in Developer Options ( Desire 626s)
This is the output I believe for that switch.
Code:
V/WindowManager( 911): not Base app: Adding window Window{52eef4 u0 com.android.settings/com.android.settings.SubSettings} at 4 of 10
I/PhoneStatusBar( 4325): setSystemUiNavVisibility(swipe=false hasFocus=false hasPolicy=false shadeState=true)
I/PhoneStatusBar( 4325): hiding the MENU button mLongPressHomeMenu = false
D/FindExtension(15804): FindExtension: before mHardwareRenderer.initialize, mSurface.isValid() = true
I/ThreadedRenderer(15804): Defer allocateBuffers to drawing time
W/Settings(15804): Setting adb_blocked has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
W/Settings(15804): Setting bugreport_in_power_menu has moved from android.provider.Settings.Secure to android.provider.Settings.Global.
I/PhoneStatusBar( 4325): setSystemUiNavVisibility(swipe=false hasFocus=false hasPolicy=false shadeState=true)
I/PhoneStatusBar( 4325): hiding the MENU button mLongPressHomeMenu = false
W/InputMethodManagerService( 911): Window already focused, ignoring focus gain of: [email protected] attribute=null, token = [email protected], client pid=15804, inputType=0x(null)
So someone who knows more about how this works, maybe they can come up with a way to replicate those commands.
So we could execute them on the 526.
It looks like this is setting the byte maybe???
Window already focused, ignoring focus gain of: [email protected] attribute=null, token = [email protected], client pid=15804, inputType=0x
I'm not sure, this is a little out of my realm of expertise.
One thing I do know is if we can set the last bit of FRP to 01 then we can get the oem unlock token from fastboot.
flashed new frp with 0 changed to 1...
but when proceeding to htcdev website to enter my device identifier token i get the following error
"We're sorry, but it appears your attempt to unlock the bootloader on this device has failed. This could be caused by several factors including simple errors in the entry of the unlock token, problems with your device, or a lack of manufacturer support for the unlocking process. Please see the specific error code listed below, and try again if necessary.
Error Code: 170.
Error Reason: CID Not Allowed."
Gators850 said:
flashed new frp with 0 changed to 1...
but when proceeding to htcdev website to enter my device identifier token i get the following error
"We're sorry, but it appears your attempt to unlock the bootloader on this device has failed. This could be caused by several factors including simple errors in the entry of the unlock token, problems with your device, or a lack of manufacturer support for the unlocking process. Please see the specific error code listed below, and try again if necessary.
Error Code: 170.
Error Reason: CID Not Allowed."
Ok so at least you're getting the unlock token now
We can try to edit the misc.img the same way.
Pull it off your phone and open in hex editor.
You will find the CID in there.
Change it to the cid for metro pcs.
We might need to edit the board_info.img the same way too.
Then try again.
Im trying to get my temp root back.
I had it and had to factory reset my phone.
now kingo is not working again.
Took me like 20 times before.
is the highlighted section what im looking for??
BigCountry907 said:
Ok so at least you're getting the unlock token now
We can try to edit the misc.img the same way.
Pull it off your phone and open in hex editor.
You will find the CID in there.
Change it to the cid for metro pcs.
We might need to edit the board_info.img the same way too.
Then try again.
Im trying to get my temp root back.
I had it and had to factory reset my phone.
now kingo is not working again.
Took me like 20 times before.
No that's not it.
Got to look at build.prop
# begin build properties
# autogenerated by buildinfo.sh
htc.build.stage=2
ro.aa.customizationid=3026008
ro.aa.project=A13_WL_L51_DESIRE_SENSE70_VZW
ro.prot=true
ro.aa.maincid=VZW__003
ro.aa.cidlist=VZW__003
ro.aa.rid=205
ro.aa.modelid=0PM310000
ro.aa.report=com
ro.aa.skulist=603
ro.aa.taskid=448911
ro.aa.mainsku=603
ro.aa.romver=1.07.603.5
ro.onecid=1
ro.cwkey=VZW__003
ro.build.id=LMY47O
ro.build.display.id=LMY47O release-keys
ro.build.version.incremental=564390.5
ro.build.version.sdk=22
ro.build.version.codename=REL
ro.build.version.all_codenames=REL
ro.build.version.release=5.1
This is the CID:
ro.aa.maincid=VZW__003
This is the MAINVER:
ro.aa.romver=1.07.603.5
If you search for 1.07.603.5
you will see the CID right by it.
You might only find.
0PM310000
We should change that too.
I'm kinda thinking there is more in the frp.img thats causing the problem.
I want to drop the FRP.img from my desire 626s and give it a try.
Be careful could end up bricking.
If I can get this thing to root again im going to try and push my misc.img and frp.img from my desire 626s to the 526.
they are both msm8909 chipsets so should be compatible.
Crossing things up like that could cause a brick.
But ill take the chance. only paid $35 for the thing.
Heres the info for the 626s
# begin build properties
# autogenerated by buildinfo.sh
htc.build.stage=2
ro.aa.customizationid=3031505
ro.aa.project=A32E_UL_L51_DESIRE_SENSE70
ro.prot=true
ro.aa.maincid=METRO001
ro.aa.modelid=0PM911000
ro.aa.rid=427
ro.aa.taskid=455088
ro.aa.cidlist=METRO001
ro.aa.report=com
ro.aa.skulist=1550
ro.aa.mainsku=1550
ro.aa.romver=1.23.1550.3
ro.onecid=1
ro.cwkey=METRO001
ro.build.id=LMY47O
ro.build.display.id=LMY47O release-keys
ro.build.version.incremental=637541.3
ro.build.version.sdk=22
ro.build.version.codename=REL
ro.build.version.all_codenames=REL
ro.build.version.release=5.1
use the CID and Mainver And device model from here.
If you are changing your misc.img.
mainver = 1.23.1550.3
cid = METRO001
mid= 0PM911000
change mainver to 1.00.0000.0
These are the files from my 626s.
You can try to dd them over.
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
dd if=/sdcard/misc.img of=/dev/block/bootdevice/by-name/misc
dd if=/sdcard/board_info.img of=/dev/block/bootdevice/by-name/board_info
It Could cause you not to boot.
I would do frp.img and try unlock
then if dont work add misc.img
then if dont work add board_info
Backup your original files first so if it goes wrong there might be a chance to put them back.
flashed the files you provided,again once proceeding to the htcdev website to enter the token i get same error as before
BigCountry907 said:
These are the files from my 626s.
You can try to dd them over.
dd if=/sdcard/frp.img of=/dev/block/bootdevice/by-name/frp
dd if=/sdcard/misc.img of=/dev/block/bootdevice/by-name/misc
dd if=/sdcard/board_info.img of=/dev/block/bootdevice/by-name/board_info
It Could cause you not to boot.
I would do frp.img and try unlock
then if dont work add misc.img
then if dont work add board_info
Backup your original files first so if it goes wrong there might be a chance to put them back.
flashed the files you provided,again once proceeding to the htcdev website to enter the token i get same error as before
Well that makes things much more complicated.
Chances are it's probably coded in the boot-loader itself.
If you don't mind I want to have you pull all the firmware files off the phone.
All of them.
I'll write you a script. (I still never got my temp root back).
I would like to take a look at the recovery and the kernel in the boot.img.
Like I said the Desire 626s and the Desire 530 both are msm8909 chipsets. This also includes the newer Desire 526 as well. This means that the actual firmware running the chips is the same. My initial Idea was to build my own firmware for the 626s and test flash it on the 526. If that works then theoretically we could take the boot-loader and radio images from a S-off device and flash it to a non s-off and have s-off.
Yes I know there is no way to write to those partitions without s-off ( By normal means anyway ).
Now if you intentionally cause the right kind of brick by removing the right firmware and not removing the wrong firmware to force the device into Emergency Download Mode then provided that we have the other files we need for QPST and or QFIL ( for msm8909 chips ) we can take the firmware files from the RUU for the 626s and push it to the 526.
Pretty crazy I know. For sure not easy. And also after such a flash the 526 would actually be a 626s.
If you want to know how we could do this then go here and download the whole Qualcomm Tech Folder.
https://github.com/dante198406/Qual...0-NR964-4_C_MSM8909_LA_SW_User_Manual_SPD.pdf
Learn the QPST - QFIL stuff and away we go.
Not sure what my issue is getting root now.
Kingo keeps getting stuck at like 52% till I reboot and then stuck at 65% till reboot then stuck at 77% till fail root.
Any Ideas?
Heres a Link To the process in general.
http://www.droidsavvy.com/unbrick-qualcomm-mobiles/
Ya im frustrated now.
I spent a whole day trying to get temp root back.
No luck.
It Seems to be an issue with the kingo link app on the phone.
When I did get root it wasn't popping up, now it keeps popping up.
cmd
Would this be the correct code I'd go about to back up Img?
adb shell
su
dd if=/dev/block/mmcblk0 of=/storage/sdcard1/backup.img bs=512 count=30535646
New to this so do apologize
Would this be the correct code I'd go about to back up Img?
adb shell
su
dd if=/dev/block/mmcblk0 of=/storage/sdcard1/backup.img bs=512 count=30535646
Almost but not quite.
If you ran that command go to your sdcard1 folder and delete the backup.img.
Otherwise your phone memory is more than full.
The htc devices seem to use sdcard2 as the external sd card.
So first you will need a 32gb sd card.
The image size will be like 16gb.
then the command I would use is.
Code:
adb shell
su
dd if=/dev/block/mmcblk0 of=/storage/sdcard2/backup.img
then
Code:
exit
exit
so that you are at the regular command window.
then
Code:
adb pull /sdcard2/backup.img
To get it to the computer.
That is 1 of the backups we need.
But we need each partition individually too.
Give me a little while and I'll post the commands.
And Please don't try to intentionally brick your phone.
It might not be so easy to use qfil or qpst to fix it.
There are other files we need to get for qpst first.
so this code gave me a "file or directory does not exist" error:
adb shell
su
dd if=/dev/block/mmcblk0 of=/storage/sdcard2/backup.img
So I Changed It To The Following:
adb shell
su
dd if=/dev/block/mmcblk0 of=/storage/ext_sd/backup.img
BigCountry907 said:
Almost but not quite.
If you ran that command go to your sdcard1 folder and delete the backup.img.
Otherwise your phone memory is more than full.
The htc devices seem to use sdcard2 as the external sd card.
So first you will need a 32gb sd card.
The image size will be like 16gb.
then the command I would use is.
Code:
adb shell
su
dd if=/dev/block/mmcblk0 of=/storage/sdcard2/backup.img
then
Code:
exit
exit
so that you are at the regular command window.
then
Code:
adb pull /sdcard2/backup.img
To get it to the computer.
That is 1 of the backups we need.
But we need each partition individually too.
Give me a little while and I'll post the commands.
And Please don't try to intentionally brick your phone.
It might not be so easy to use qfil or qpst to fix it.
There are other files we need to get for qpst first.
Ok, as long as the file goes to the external sdcard you're good to go.
I found the kingoroot issue. The root works fine but the kingosuperuser app is not giving me the prompt to grant root permission. They need to fix kingosuperuser. Get it out to them and if they fix it many more people will easily get temp root. After you have it working the 1st time. Like actually working with adb shell
su
after reboot run kingoroot again and temp root comes right back.
I cant get past the su part again.
