
Issue #1845

Matching nv_data md5 failed after I got my cellphone unlocked (I have an efs backup)

Added by ariel enter almost 3 years ago. Updated over 2 years ago.

Status:
New
Priority:
Urgent
Assignee:
-
Category:
-
Target version:
Start date:
11/03/2017
Due date:
% Done:

0%

Estimated time:
Resolution:
Device:
Galaxy S 2 (I9100)

Description

Somehow I got my cellphone locked again to use only the original cellphone company's SIM chips, as described in my last submitted issue: https://redmine.replicant.us/issues/1840

I decided to take my cellphone to a technician in my city. He told me that he could only unlock it if the cellphone was running the stock ROM, so after installing it, I took it back to him and sure enough, he unlocked it and I was able to use other companies' SIM chips.

Unfortunately, after installing Replicant again, I was still unable to get service.

I'm sending my encrypted full radio logs from Replicant and LineageOS, and I'm sharing some of the content where I believe the problem may lie.

Replicant log:

D use-Rlog/RLOG-RIL-IPC: Checked nv_data path
D use-Rlog/RLOG-RIL-IPC: Checked nv_data md5 path
D use-Rlog/RLOG-RIL-IPC: Calculated nv_data md5: 3db13216a5302aa00a00d5548ef826b6
D use-Rlog/RLOG-RIL-IPC: Read nv_data md5: 00309e92dfbccc5fcd2bc1a43c27b387
D use-Rlog/RLOG-RIL-IPC: Matching nv_data md5 failed
D use-Rlog/RLOG-RIL-IPC: Checking nv_data failed
D use-Rlog/RLOG-RIL-IPC: Checking nv_data backup path failed
D use-Rlog/RLOG-RIL-IPC: Checking nv_data backup path failed
D use-Rlog/RLOG-RIL-IPC: Checking nv_data backup failed
D use-Rlog/RLOG-RIL-IPC: Restoring nv_data failed
D use-Rlog/RLOG-RIL-IPC: Loading nv_data failed

LineageOS log:

E use-Rlog/RLOG-RIL: Modem_Boot:
E use-Rlog/RLOG-RIL: check_cracking
E use-Rlog/RLOG-RIL: check_cracking: cracking detected: lockProblemPatch 0x01
E use-Rlog/RLOG-RIL: check_cracking: cracking detected: patch was done
E use-Rlog/RLOG-RIL: load_md5_state: MD5 state 1
E use-Rlog/RLOG-RIL: md5_enable: on 1
E use-Rlog/RLOG-RIL: check_nv_data_validity: 
E use-Rlog/RLOG-RIL: check_nv_data_size: 
E use-Rlog/RLOG-RIL: check_md5: 
E use-Rlog/RLOG-RIL: compute_md5: path /efs/nv_data.bin
E use-Rlog/RLOG-RIL: check_md5: checksum fail
E use-Rlog/RLOG-RIL: NV data tainted! Restoring...
E use-Rlog/RLOG-RIL: check_md5: 
E use-Rlog/RLOG-RIL: compute_md5: path /efs/.nv_data.bak
E use-Rlog/RLOG-RIL: compute_md5: open(/efs/.nv_data.bak) fail. No such file or directory.
E use-Rlog/RLOG-RIL: No valid backup data. Create default nv data.
E use-Rlog/RLOG-RIL: can't open a phone image from (/dev/block/mmcblk0p8) / Permission denied.
E use-Rlog/RLOG-RIL: create_default_nv_data: 
E use-Rlog/RLOG-RIL: => create new nv_data file(/efs/nv_data.bin).
E use-Rlog/RLOG-RIL: create_default_nv_data: Open a phone image from (/dev/block/mmcblk0p8).
E use-Rlog/RLOG-RIL: can't open a phone image from (/dev/block/mmcblk0p8).
E use-Rlog/RLOG-RIL: compute_md5: path /efs/nv_data.bin
E use-Rlog/RLOG-RIL: /efs/nv_data.bin  md5 : 2d44b1b4d8b512c006e8dfa559eaad1a
E use-Rlog/RLOG-RIL: make_md5_file: (/efs/nv_data.bin.md5)
E use-Rlog/RLOG-RIL: make_md5_file: fd 7
E use-Rlog/RLOG-RIL: make_md5_file: write 32
E use-Rlog/RLOG-RIL: make_md5_file: fd 7 errno 13
D use-Rlog/RLOG-RIL: wait Modem boot ready

After the technician finished unlocking the phone, I asked him if he used a special PIN code or something to unlock it, but he said he used some tool that allows the system to "jump" the lock.

I'm guessing he somehow modified nv_data.bin and that's what Replicant and LineageOS are picking up on. It appears that the .bak files were deleted to prevent the system from overriding the unlock, and the permissions for mmcblk0p8 were altered so LineageOS can't use it to fix it either.

Fortunately, I made an efs backup before I took it to the technician. I suppose I could use it to override what the technician did, but I fear the phone will become locked again. Maybe I could just copy the .bak files from the backup I made, or fix the permissions on mmcblk0p8 that are preventing LineageOS from using it.

Could it be possible that I could make a new md5sum of the modified nv_data.bin and it would work?

I'm a little frustrated because when I first got the phone it was unlocked and I didn't have any problem using Replicant. Could it be that the unlock was done in a different way back then? Using a PIN number perhaps?

Anyway, could you guys tell me what I should do next? I could just push the entire efs backup back in if necessary, even if it means I get back to 0 on the unlocking issue. I know I should have asked you guys first how I could unlock it in the first place.

Anyway, thank you very much for any advice you can give me on this. Thank you.

Files

replicant.log.gpg (10.6 KB) replicant.log.gpg ariel enter, 11/03/2017 04:43 PM
lineageos.log.gpg (24.3 KB) lineageos.log.gpg ariel enter, 11/03/2017 04:43 PM
lineageos2.log.gpg (13.3 KB) lineageos2.log.gpg ariel enter, 11/03/2017 07:54 PM

History

#1

Updated by ariel enter almost 3 years ago

I should have mentioned that the first time I got the cell phone, when it was already unlocked, it was running Jelly Bean, but this time the phone was running Ice Cream Sandwich when it was unlocked. I don't know if it has anything to do with why Replicant worked without any problem the first time. I suppose I could have gotten the cellphone to do a Samsung update to JB before installing Replicant again, but I don't think it would have made any difference, would it? Thank you.

#2

Updated by ariel enter almost 3 years ago

This is weird. After restarting the phone I made another radio log from LineageOS, but the results are a little different. I'm attaching the encrypted full version and will add some of its content here:

E use-Rlog/RLOG-RIL: check_cracking
E use-Rlog/RLOG-RIL: check_cracking: cracking detected: lockProblemPatch 0x00
E use-Rlog/RLOG-RIL: check_nv_data_validity: 
E use-Rlog/RLOG-RIL: check_nv_data_size: 
E use-Rlog/RLOG-RIL: check_md5: 
E use-Rlog/RLOG-RIL: compute_md5: path /efs/nv_data.bin
E use-Rlog/RLOG-RIL: MD5 check OK.
E use-Rlog/RLOG-RIL: compute_md5: path /efs/.nv_core.bak
E use-Rlog/RLOG-RIL: compute_md5: open(/efs/.nv_core.bak) fail. No such file or directory.
E use-Rlog/RLOG-RIL: check_cracking: cracking detected - routine 1
E use-Rlog/RLOG-RIL: backup_nv_data: src /efs/nv_data.bin   dst /efs/.nv_data.bak
E use-Rlog/RLOG-RIL: check_nv_data_size: 
E use-Rlog/RLOG-RIL: backup_using_secondary_backup:
E use-Rlog/RLOG-RIL: backup_using_secondary_backup: WARNING - read too small. 
E use-Rlog/RLOG-RIL: copy_file: 
E use-Rlog/RLOG-RIL: (/efs/.nv_data.bak) open failed with No such file or directory
E use-Rlog/RLOG-RIL: copy_file: 
E use-Rlog/RLOG-RIL: (/efs/.nv_data.bak.md5) open failed with No such file or directory
E use-Rlog/RLOG-RIL: restore_backup_data OK.
E use-Rlog/RLOG-RIL: check_cracking: cracking detected - routine 3
E use-Rlog/RLOG-RIL: open(nv core) fail. No such file or directory.
E use-Rlog/RLOG-RIL: load_md5_state: MD5 state 1
E use-Rlog/RLOG-RIL: md5_enable: on 1
E use-Rlog/RLOG-RIL: check_nv_data_validity: 
E use-Rlog/RLOG-RIL: check_nv_data_size: 
E use-Rlog/RLOG-RIL: check_md5: 
E use-Rlog/RLOG-RIL: compute_md5: path /efs/nv_data.bin
E use-Rlog/RLOG-RIL: MD5 check OK.
D use-Rlog/RLOG-RIL: wait Modem boot ready
D use-Rlog/RLOG-RIL: modem status [ 0x3 ]
D use-Rlog/RLOG-RIL: modem status [ 0x3 ]
D use-Rlog/RLOG-RIL: modem status [ 0x3 ]
D use-Rlog/RLOG-RIL: modem status [ 0x3 ]
D use-Rlog/RLOG-RIL: modem status [ 0x3 ]
D use-Rlog/RLOG-RIL: modem status [ 0x3 ]
D use-Rlog/RLOG-RIL: modem status [ 0x3 ]
D TelephonyManager: No /proc/cmdline exception=java.io.FileNotFoundException: /proc/cmdline (Permission denied)
D TelephonyManager: /proc/cmdline=

It appears that LineageOS noticed that some "cracking" was done so that the cell phone became unlocked. It doesn't complain about the md5sum anymore. It does keep complaining about nv_data.bin, but about something else. I'll restart the phone again and send a message if it's different again.

#3

Updated by ariel enter almost 3 years ago

Attachment

#4

Updated by ariel enter almost 3 years ago

ariel enter wrote:

This is weird. After restarting the phone I made another radio log from LineageOS, but the results are a little different. I'm attaching the encrypted full version and will add some of its content here:

[...]

It appears that LineageOS noticed that some "cracking" was done so that the cell phone became unlocked. It doesn't complain about the md5sum anymore. It does keep complaining about nv_data.bin, but about something else. I'll restart the phone again and send a message if it's different again.

It came up the same this time. In my efs backup I have a lot of .bak files and their md5s that are not present in the current efs. I keep wondering if it will be enough to copy those files back in, but I really need advice. Thank you.

#5

Updated by ariel enter almost 3 years ago

I figured it would be a good idea to send the current content of my efs:

drwxrwx--x 10 radio system  4096 2017-11-02 02:17 .
drwxr-xr-x 17 root  root       0 2017-11-06 16:04 ..
drwxrwxr-x  5 root  root    4096 2017-07-24 22:12 .files
-rw-r--r--  1 radio radio      1 2017-07-24 22:12 .nv_state
drwxrwxr-x  2 radio system  4096 2017-07-24 22:12 FactoryApp
drwxrwxr-x  2 radio system  4096 2017-07-24 22:12 bluetooth
-rw-r--r--  1 root  root       6 2017-07-24 22:12 calibration_data
-rw-r--r--  1 root  root       9 2017-07-24 22:12 cryptprop_applied_result
-rw-r--r--  1 root  root       1 2017-07-24 22:12 cryptprop_essiv
-rw-r--r--  1 root  root       5 2017-07-24 22:12 cryptprop_onetimeboot
-rw-r--r--  1 root  root       1 2017-07-24 22:12 cryptprop_rebootMode
-rw-r--r--  1 root  root       3 2017-07-24 22:12 cryptprop_securewipedata
drwxr-xr-x  3 root  root    4096 2017-07-24 22:12 dmp
drwxr-xr-x  8 root  root    4096 2017-07-24 22:12 efs
drwxrwxr-x  2 radio system  4096 2017-07-24 22:12 imei
drwx------  2 root  root    4096 2017-07-24 22:13 lost+found
-rw-r--r--  1 radio radio  10128 2017-11-06 17:05 nv.log
-rwx------  1 radio radio      0 2000-01-01 03:47 nv_data.bin
-rw-r--r--  1 radio radio     32 2000-01-01 03:47 nv_data.bin.md5
-rw-r--r--  1 root  root     880 2017-07-24 22:12 redata.bin
-rw-rw-rw-  1 radio radio      1 2017-11-02 00:41 upgaddr
drwxrwxr-x  2 radio system  4096 2017-07-24 22:12 wifi

Also my partition table:

adb shell ls -al /dev/block/platform/dw_mmc/by-name
total 0
drwxr-xr-x 2 root root 280 2017-11-06 16:04 .
drwxr-xr-x 4 root root 340 2017-11-06 16:04 ..
lrwxrwxrwx 1 root root  20 2017-11-06 16:04 CACHE -> /dev/block/mmcblk0p7
lrwxrwxrwx 1 root root  21 2017-11-06 16:04 DATAFS -> /dev/block/mmcblk0p10
lrwxrwxrwx 1 root root  20 2017-11-06 16:04 EFS -> /dev/block/mmcblk0p1
lrwxrwxrwx 1 root root  20 2017-11-06 16:04 FACTORYFS -> /dev/block/mmcblk0p9
lrwxrwxrwx 1 root root  21 2017-11-06 16:04 HIDDEN -> /dev/block/mmcblk0p12
lrwxrwxrwx 1 root root  20 2017-11-06 16:04 KERNEL -> /dev/block/mmcblk0p5
lrwxrwxrwx 1 root root  20 2017-11-06 16:04 MODEM -> /dev/block/mmcblk0p8
lrwxrwxrwx 1 root root  20 2017-11-06 16:04 PARAM -> /dev/block/mmcblk0p4
lrwxrwxrwx 1 root root  20 2017-11-06 16:04 RECOVERY -> /dev/block/mmcblk0p6
lrwxrwxrwx 1 root root  20 2017-11-06 16:04 SBL1 -> /dev/block/mmcblk0p2
lrwxrwxrwx 1 root root  20 2017-11-06 16:04 SBL2 -> /dev/block/mmcblk0p3
lrwxrwxrwx 1 root root  21 2017-11-06 16:04 UMS -> /dev/block/mmcblk0p11

Something I noticed is that after this problem started, the battery life has been drastically reduced. In the LineageOS logs there is a message that says "No battery calibration data found.", which I think may be the problem. Anyway, hope you can help me out. Thank you.

#6

Updated by ariel enter over 2 years ago

I think I'm going to try to move some things around; I'll be making a backup of my current EFS first, though. Worst case scenario, I could just use my first EFS backup, even if it means losing the unlock made to the phone.

I already found that making an md5sum cannot be done since there is a random seed involved in the process. Also, it seems that the unlock is made by changing some hex value in nv_data.bin and getting the right md5 somehow. It appears that the process used to unlock the phone may not have been the problem, but apparently some files were lost while installing Replicant somehow, but I really don't know.

I won't be moving anything until this Monday late afternoon. If someone could give me some advice before that, it would really help me a lot, even if it is to wait a little longer for help.

I'm just a little scared to touch anything because it's been an awful experience, and it seems like it's very easy to break things. Thankfully, Wolfgang Wiedmeyer was able to help me the first time and I learned in time how important it is to make EFS backups before things get out of control. I agree with some other posts about having that info on the installation guide, at least a warning about the importance of having an EFS backup just in case. I'm sure Replicant does a backup already, I just don't know where it is, I suppose.

Anyway, thanks a lot for such an incredible job you are doing with Replicant, it's really awesome and I'm really looking forward to getting my phone running it once again. Thank you C:
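The check sequence in the Replicant log in the description (calculate the nv_data md5, read the stored one, compare, fall back to .nv_data.bak, otherwise restoring fails) and the salted-digest point from this comment, as an added example that is not part of this issue or of Replicant's own code: a small Python audit of an EFS backup directory before restoring it. The `secret` parameter is an assumption (the RIL is assumed to hash the file contents followed by a device secret; an empty secret gives a plain md5sum), the file names come from the log lines, and the sample directory is constructed.

```python
import hashlib
import os
import tempfile

# File names the RIL consults, taken from the log lines in this issue.
NV_DATA, NV_MD5 = "nv_data.bin", "nv_data.bin.md5"
NV_BAK, NV_BAK_MD5 = ".nv_data.bak", ".nv_data.bak.md5"

def nv_md5(path, secret=b""):
    # Assumption: the RIL hashes the file contents followed by a device
    # secret; with secret=b"" this is a plain md5sum (which the issue
    # reports does not match what the phone wrote).
    with open(path, "rb") as f:
        return hashlib.md5(f.read() + secret).hexdigest()

def check_file(efs, data_name, md5_name, secret, steps):
    """One round of the RIL check (data file, its .md5, compare); appends log-style steps."""
    data, md5_file = os.path.join(efs, data_name), os.path.join(efs, md5_name)
    if not os.path.isfile(data) or os.path.getsize(data) == 0:
        steps.append(f"Checking {data_name} path failed (missing or empty)")
        return False
    if not os.path.isfile(md5_file):
        steps.append(f"Checking {md5_name} path failed")
        return False
    calculated = nv_md5(data, secret)
    with open(md5_file) as f:
        stored = f.read().strip().lower()
    steps += [f"Calculated {data_name} md5: {calculated}", f"Read {data_name} md5: {stored}"]
    if calculated != stored:
        steps.append(f"Matching {data_name} md5 failed")
        return False
    steps.append(f"Matching {data_name} md5 OK")
    return True

def audit_efs(efs, secret=b""):
    """Return (usable, steps): nv_data.bin verifies, or .nv_data.bak could restore it."""
    steps = []
    if check_file(efs, NV_DATA, NV_MD5, secret, steps):
        return True, steps
    if check_file(efs, NV_BAK, NV_BAK_MD5, secret, steps):
        steps.append("Backup usable: nv_data could be restored from .nv_data.bak")
        return True, steps
    steps.append("Checking nv_data backup failed; restoring nv_data would fail")
    return False, steps

def make_sample_efs(secret=b"", with_backup=True, tamper=False):
    """Constructed sample directory (not a real EFS dump) for trying the audit."""
    d, payload = tempfile.mkdtemp(), bytes(range(256)) * 4
    for name, md5_name in [(NV_DATA, NV_MD5)] + ([(NV_BAK, NV_BAK_MD5)] if with_backup else []):
        with open(os.path.join(d, name), "wb") as f:
            f.write(payload)
        with open(os.path.join(d, md5_name), "w") as f:
            f.write(nv_md5(os.path.join(d, name), secret) + "\n")
    if tamper:  # one byte changed after the .md5 was written: the mismatch seen in the issue
        with open(os.path.join(d, NV_DATA), "r+b") as f:
            f.seek(16)
            f.write(b"\xff")
    return d
```

Run against the directory listing in comment #5, the audit would stop at the first step, since that nv_data.bin is zero bytes long, before any md5 is compared.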

#7

Updated by Art Os over 2 years ago

It's a supposition:

If you don't do a full flash (modem part particularly) after the unlock by the technician (under 4.0 if I understand), maybe detection of that is made by LineageOS with the closed-source RIL.
Try only installing Replicant with the nv data unlocked, and delete the nv data bak and md5. The md5 will be recreated, and not nv_data. Maybe…

#8

Updated by ariel enter over 2 years ago

Art Os wrote:

It's a supposition:

If you don't do a full flash (modem part particularly) after the unlock by the technician (under 4.0 if I understand), maybe detection of that is made by LineageOS with the closed-source RIL.
Try only installing Replicant with the nv data unlocked, and delete the nv data bak and md5. The md5 will be recreated, and not nv_data. Maybe…

Thank you so much for your help Art Os. Unfortunately nothing seemed to work and I ended up choosing to use my efs backup, and fortunately that brought the phone service back even if the unlock was lost. Also luckily, the battery calibration thing was resolved as well C:

Now I'll need to find out a way to unlock it again, hopefully by myself. I'll ask in the general forum for help with that, as I should have done in the first place.

Once again I thank you for your kind advice, it really lifted me up. I'm just a little too passionate about the idea of using Replicant and I get a little impatient and upset. I also want to thank Wolfgang Wiedmeyer for his help earlier; I know this is not a Replicant issue but I didn't know where to go.

Anyway, we can close this issue now. It seems I can't do it from here. Thank you.

#9

Updated by ariel enter over 2 years ago

OMG. I just got my problem fixed!!! I was starting to have nightmares about this problem last night xD, but I finally got it.

First of all, I can't stress enough how important it was that I had an efs backup.

When I first got my cellphone, I made a backup using CWM recovery before trying Replicant, but unfortunately, I got so stressed out when I first got stuck in this problem that I accidentally ended up deleting the full content of the external microSD card with the TWRP recovery where the backup was made xD

So the first lesson is to be patient. I really don't know if a regular CWM would have backed up efs back then, but surely I wouldn't have felt so stupid if I hadn't done it.

Thankfully, the problem was not that I lost my IMEI, I just got my cellphone locked back.

And this is where the efs backup was so important. After reading about it on the forum, by pure luck I backed up my efs directory before taking it to a local technician to get it unlocked again.

Since I did not have any issues the first time, I went back to install Replicant again right away, and I ended up still not having any service :S

Apparently what happened had something to do with the Android version differences. The first time I got my cellphone, it had Android Jelly Bean and when installing Replicant I didn't have any problem. The second time the cell phone was unlocked, it had Ice Cream Sandwich, and that is where the problem arose.

I read somewhere that before any major update from one Android version to another, an efs backup is due, since sometimes files go missing somehow in the process. I read somewhere it had something to do with the file system, but I really don't understand it at all.

So after finding out how to unlock the cellphone myself, I just had to make a backup of the efs files and put them back in after installing Replicant.

Finding out how to unlock the cellphone was no easy task. I even got the supposed unlock code from the seller's company, but it ended up not working on the Jelly Bean stock ROM for some reason.

The right track was to follow the following thread:

https://forum.xda-developers.com/galaxy-s2/themes-apps/root-sgs2-sim-unlock-code-finder-t1092451

Even though the app itself was unable to get the right code, it pointed to another app called "Galaxy_S Unlock" from "Helroz". Even though its code finder didn't work either, the app had another option which changes some hexadecimal bytes in the nv_data.bin file, and somehow the md5 is also created.

Changing nv_data.bin bits was something I read before but I didn't know how it could be done. Thankfully "Galaxy_S Unlock" app from "Helroz" does this for you.

"Galaxy_S Unlock" app from "Helroz" is not present in the Google Play Store anymore, but you can search for the apk.
I know this was the way the technician unlocked the phone because installing Replicant on it resulted in the same issue. Thankfully this time I backed up the files from efs when it was just unlocked, and I moved the files to Replicant and that was it.

Using the original Ice Cream Sandwich ROM was important, because while using the newest LineageOS and the app I got the same result as if I had installed Replicant over the freshly unlocked files.

I'm sure nobody should read this whole story but I learned so much in the process that I felt I had to share it.

I insist that there should be a warning on the Replicant installation page about backing up the efs partition. It doesn't have to say how. For instance, I rooted the phone and used adb as described in my post here: https://redmine.replicant.us/boards/33/topics/14594

I'm talking about just a "little warning before proceeding" thing, just for noobs like me xD

I can't imagine what would have happened if the cellphone had had Ice Cream Sandwich in the beginning, the first time I tried Replicant.

I'll be making a big monetary donation in the following days ;) I'm really thankful to this project. Thanks a lot for such a wonderful work. Thank you all.

Oh, we can now close this issue for sure xD. Thank you.
