10/17/2013

Fixing Galaxy Nexus's IMEI Number

I have been using a Galaxy Nexus for quite some time, and it worked fine as an everyday and development phone until its IMEI number got blocked on T-Mobile recently. If your IMEI number is 004999010640000 (you can see your IMEI number by dialing *#06#), then this post might help you restore your connectivity. It did for me: I got my GN off eBay long ago. It was a DoCoMo phone from Japan, and the seller had unlocked it with the F*ckDoCoMo app.

For the confused audience

You used a Galaxy Nexus on T-Mobile (or another network) and one day it suddenly stopped registering on the cellular network. After rounds of unhelpful customer service calls, you were told that your IMEI number (004999010640000) is blocked on the T-Mobile network (and possibly on other networks too), and that the customer representative could do absolutely nothing about it (aside from filing an ineffective unblock request). If your blocked IMEI is different from the one stated above, this post will not help: it does NOT teach you how to change to an arbitrary IMEI. Legality aside, software-based IMEI change on the Galaxy Nexus seems to remain an unsolved problem (unlike on some other phones).

Solution

The gist of my approach is to restore the original, unique IMEI number (it is printed on the sticker on the back of your phone under the battery) from your phone's /factory/.nv_data.bak file. If you do your backups right, you shouldn't lose any of your data. The usual disclaimer for hacking guides applies: it worked for me and I believe it works in principle, but I cannot guarantee that it will work for you, and I cannot be responsible for any damage.

The basic ideas/facts behind the solution are:
  1. /factory/.nv_data.bak (and maybe /factory/nv_data.bin too?) stores the system backup of your IMEI (and other information). Since this file is hidden (its filename starts with a dot), you can only list it with "$ ls -a".
  2. Similarly, /data/radio/nv_data.bin stores your current IMEI (and other information).
  3. Both files store the IMEI in some non-obvious way. This prevents easy IMEI modification with a hex editor, and it is why we cannot just make up a new IMEI number for your GN, unlike on some other phones which lack such a protective mechanism.
  4. The Android system uses salted MD5 checksums stored in /factory/.nv_data.bak.md5 and /data/radio/nv_data.bin.md5 to detect tampering with the aforementioned files. We don't know how to generate these salted checksums ourselves, but a glitch/oversight in ICS (Ice Cream Sandwich, Android 4.0.x) can effectively generate them for us: when a check fails, it logs the offending stored checksum along with the correct one it computed.
  5. If both nv_data files fail the checksum test, the Android system creates a "default" /data/radio/nv_data.bin containing the infamous generic IMEI (along with the unlock status). In fact, the F*ckDoCoMo app unlocks the GN via exactly this side effect: it tampers with nv_data and leaves the checksums out of sync. The nice thing is that the app does edit your /factory/.nv_data.bak in a sensible way, so your phone will remain unlocked with this nv_data file.

If your /factory/.nv_data.bak has not been overwritten inadvertently (a big "if", which can only be tested by experimentation), then we should be able to recover your original IMEI by acquiring the correct checksum for /factory/.nv_data.bak.

Instructions

(I assume that you are familiar with adb, fastboot and other basic tools, or can easily acquire such knowledge via the Web. Upon request, I will edit this post to expand on or clarify any unclear steps. The XDA threads mentioned at the end are also helpful.)

0. Back up your entire phone to /sdcard with the ClockworkMod recovery (CWMR) boot image's backup utility. In addition, as there is a risk that you will lose your unique IMEI forever, you should carefully back up the entire /factory and /data/radio directories onto your laptop/desktop/cloud/etc. You can do that with $ adb pull.

1. Install a rooted ICS-based ROM (root is probably not necessary since you can get that in CWMR, but it will make life easier), e.g. cm-9.0.0-maguro-stable from CyanogenMod. The glitch we rely on is fixed in later versions. (I tried Jelly Bean 4.2 and it was no good.)

2. (You will need root to do this and the following steps.) Take note of the content of /data/radio/log/nv.log:
$ cat /data/radio/log/nv.log
It should look something like this:
Thu Jun 28 19:54:08 2012: /data/radio/nv_data.bin does not exist.
Thu Jun 28 19:54:08 2012: MD5 fail. orignal md5 '672f544c3d4c3c4f5bc699966bac6210' computed md5 '3b93401f8fb129a51aba4e70a8b47fbb' (rild)
Thu Jun 28 19:54:08 2012: MD5 fail. orignal md5 '92d39f2375e581f8bd8095486c8758b1' computed md5 'a4bc620886c51f712caa377adf90cf24' (rild)
Thu Jun 28 19:54:09 2012: default NV restored.
Find the "orignal md5" (the misspelling is the daemon's, not mine) that is the same as the content of /factory/.nv_data.bak.md5 (in my case, 92d39f2375e581f8bd8095486c8758b1) and copy the "computed md5" from the same line (in my case, a4bc620886c51f712caa377adf90cf24). That computed md5 is the salted MD5 checksum we want. FYI, the other pair of md5s corresponds to /factory/nv_data.bin. You don't need to worry about them unless .nv_data.bak is corrupted and nv_data.bin is not; in that case you might want to try the process with /factory/nv_data.bin instead.

3. Remount /factory read/write and then replace .nv_data.bak.md5 with the correct salted MD5 checksum from the last step (you backed up the old file in step 0, so nothing is lost if the checksum turns out to be wrong):
$ mount -o remount,rw /factory
$ echo salted-md5-checksum > /factory/.nv_data.bak.md5

4. Remove the current nv_data so that the system restores it from /factory on the next boot:
$ rm /data/radio/nv_data.bin*

5. $ reboot. Now /data/radio/log/nv.log should contain no new complaints about failed checksums, and the IMEI should be restored to some non-generic number! (If you don't care about restoring your data or the ROM/Android version you were using, you are done now.)

6. Restore your backup from /sdcard using CWMR. Note that /data/radio (but not /factory) is replaced by your restored backup, so your IMEI is the generic one again!

7. Since we now have the correct salted MD5 checksum in /factory/.nv_data.bak.md5 to go with /factory/.nv_data.bak, you only need to remove /data/radio/nv_data.bin* again and reboot to let the system restore from /factory/.nv_data.bak automatically. After rebooting, you should see the same non-generic IMEI as in step 5, with your phone fully restored!
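As an added example (my own illustration, not code from the original post or from any of the tools it mentions), here are steps 2 to 4 above, together with the checksum lookup described in fact 4, as a POSIX shell script. The sample nv.log is constructed from the log excerpt in step 2. The function names and the directory arguments are assumptions of this example: the paths are parameters so the logic can be exercised on a scratch directory on a desktop before running it as root in an adb shell on the phone, where it assumes busybox-style grep, sed, tr and head (CyanogenMod ships busybox). It refuses to touch anything when /factory/.nv_data.bak is missing or when the stored checksum (including an empty one, which some commenters below reported) has no matching "MD5 fail" line.

```sh
#!/bin/sh
# Added example, not from the original post. Scripts steps 2-4:
#   - look up the "computed md5" that the ICS rild logged next to the
#     checksum currently stored in /factory/.nv_data.bak.md5,
#   - keep a copy of the old .md5, write the new one (step 3),
#   - remove /data/radio/nv_data.bin* so the next boot restores from
#     /factory/.nv_data.bak (step 4).
# Run "mount -o remount,rw /factory" as root before fix_bak_md5 on the phone.

# Constructed sample of /data/radio/log/nv.log, copied from the post's
# own example. "orignal" is how rild spells it in the log.
SAMPLE_NV_LOG="Thu Jun 28 19:54:08 2012: /data/radio/nv_data.bin does not exist.
Thu Jun 28 19:54:08 2012: MD5 fail. orignal md5 '672f544c3d4c3c4f5bc699966bac6210' computed md5 '3b93401f8fb129a51aba4e70a8b47fbb' (rild)
Thu Jun 28 19:54:08 2012: MD5 fail. orignal md5 '92d39f2375e581f8bd8095486c8758b1' computed md5 'a4bc620886c51f712caa377adf90cf24' (rild)
Thu Jun 28 19:54:09 2012: default NV restored."

# is_md5 STRING: true if STRING is a 32-digit lowercase hex digest.
is_md5() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# find_computed_md5 LOG_TEXT ORIGINAL_MD5
# Prints the "computed md5" that rild paired with ORIGINAL_MD5 in an
# "MD5 fail" line. Returns 1 if ORIGINAL_MD5 is not a digest (e.g. the
# stored .md5 was empty) or if no such log line exists.
find_computed_md5() {
    is_md5 "$2" || return 1
    found=$(printf '%s\n' "$1" \
        | grep "MD5 fail. orignal md5 '$2' computed md5 '" \
        | sed -n "s/.*computed md5 '\([0-9a-f]\{32\}\)'.*/\1/p" \
        | head -n 1)
    is_md5 "$found" || return 1
    printf '%s\n' "$found"
}

# fix_bak_md5 FACTORY_DIR RADIO_DIR NV_LOG_FILE
# On the phone: fix_bak_md5 /factory /data/radio /data/radio/log/nv.log
# Prints the checksum it wrote; nothing is modified on failure.
fix_bak_md5() {
    factory="$1"; radio="$2"; nvlog="$3"
    bak="$factory/.nv_data.bak"
    md5file="$bak.md5"
    [ -f "$bak" ] || { echo "no $bak; nothing to restore from" >&2; return 1; }
    [ -f "$md5file" ] || { echo "no $md5file" >&2; return 1; }
    [ -f "$nvlog" ] || { echo "no $nvlog (needs an ICS ROM)" >&2; return 1; }
    stored=$(tr -d '[:space:]' < "$md5file")
    new=$(find_computed_md5 "$(cat "$nvlog")" "$stored") \
        || { echo "no 'MD5 fail' line for stored md5 '$stored'" >&2; return 1; }
    cp "$md5file" "$md5file.orig"          # keep the old checksum beside it
    printf '%s\n' "$new" > "$md5file"      # step 3; same trailing newline as echo
    rm -f "$radio"/nv_data.bin*            # step 4; reboot afterwards
    printf '%s\n' "$new"
}
```

After `fix_bak_md5` reports a checksum, reboot and re-check nv.log and *#06# as in step 5; if it refuses with "no 'MD5 fail' line", the stored checksum is not one the daemon complained about, and the .nv_data.bak route (or, failing that, the /factory/nv_data.bin variant) needs a closer look before anything is written.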

If this works and you want to thank me, buy me a cup of coffee and/or follow me on twitter: @falcondai :)


Additional Resource

You can check whether your IMEI is blocked on T-Mobile: http://www.t-mobile.com/VERIFYIMEI.ASPX (004999010640000 is confirmed to be blocked. Such a generic IMEI should never be blocked... maybe someone reported a phone with that IMEI as stolen to T-Mobile?) This IMEI number seems to be the default for many Samsung phones.

According to some people on Reddit, this generic IMEI number was blocked on T-Mobile as early as February 2013: http://www.reddit.com/r/Android/comments/17yizs/anyone_else_running_a_custom_rom_and_have_your/ Mine somehow survived until recently, about one month ago, i.e. September 2013. I called T-Mobile to add the generic IMEI number to my account explicitly after the first time it showed symptoms (likely back in February), and that solved the problem for me until it happened again.

My method is inspired mainly by these two threads on XDA:
http://forum.xda-developers.com/showthread.php?t=1606982 (very insightful post that spotted the glitch)

Most, if not all, software-based IMEI modification discussions/methods do not generalize and almost certainly won't help in the case of the Galaxy Nexus, due to the obfuscation in nv_data. (If you find anything applicable, feel free to share it in the comments.)

49 comments:

  1. Hi,
    the logs on my phone are a bit different:
    Fri Nov 22 19:21:50 2013: __refresh_md5_file: Can't open /factory/nv_data.bin.md5. Read-only file system.
    Fri Nov 22 19:21:50 2013: MD5 is turned on.
    Fri Nov 22 19:21:50 2013: /data/radio/nv_data.bin does not exist.
    Fri Nov 22 19:21:50 2013: invalid size /factory/nv_data.bin, 524288 bytes.
    Fri Nov 22 19:21:51 2013: default NV restored.
    Fri Nov 22 19:21:51 2013: MD5 fail. orignal md5 '' computed md5 '81ccbebd56adaa12e89bd4791c4a6e9a' (rild)
    Fri Nov 22 19:21:52 2013: default NV restored.
    Fri Nov 22 19:26:16 2013: __refresh_md5_file: Can't open /factory/nv_data.bin.md5. Read-only file system.
    Fri Nov 22 19:26:16 2013: MD5 is turned on.

    Can you help?

    Replies
    1. Fri Nov 22 19:21:51 2013: MD5 fail. orignal md5 '' computed md5 '81ccbebd56adaa12e89bd4791c4a6e9a' (rild)

      This line is the key. Did you mask out the original md5? You want to check whether that is the md5 checksum in your ``/factory/.nv_data.bak.md5``. If so (again, back up every relevant file to your computer before you modify any files), replace it with the computed md5 as in step 3.

  2. How do I go to 4.1+ after this?

    Replies
    1. In step 6, you can flash a custom 4.1+ ROM or a stock ROM onto your phone (instead of restoring your backup), then follow step 7.

  3. Man, you're great! This just saved my gnex! Thank you!

  4. Hi,
    Do you think this'll work if I factory restored my Gnex after using the f***docomo app?
    Thanks!

    Replies
    1. I think so. You are still getting the generic IMEI instead of your real IMEI, right? According to my theory, that is exactly due to the md5 checksum/nv_data mismatch. Don't forget to back up everything.

  5. Thank you very, very much! It worked, but now it's carrier-locked again....
    Here are my observations; maybe they will help others:
    1. The phone got stuck at the CyanogenMod loading screen, so I factory reset and wiped cache and Dalvik from CWM. Then I reflashed from CWM.
    2. My original md5 checksum was ''. NOT kidding.
    3. I installed stock Android 4.3 and didn't have to do step 7. Lucky, I guess...
    Again, thank you, and if someone has an idea OTHER than the f***docomo app to unlock my phone, I'm listening.

    Replies
    1. That's intriguing. An empty original md5 per se should not be a huge problem as long as your Android version is willing to generate the correct md5 for you ;)

      Is your IMEI number the same as the one on the back of your phone behind the battery? But the phone became locked again, right? One thing I would suggest is to re-run f*ckDocomo (alternatively you can modify the .nv_data in a HEX editor yourself) and then try to obtain the md5 via the hack.

    2. Hello,
      Sorry for the delay, but I have another question: If I save my factory folder with the correct IMEI and then re-run the app, can I restore just by pasting the folder back? Of course this would break the unlock, but I could try using the phone with the default one, maybe my local carrier doesn't care.

    3. Yes, I think so. Think of /factory/.nv_data.bak as the ultimate backup that the Android system will attempt to restore from, and /factory/nv_data.bin as the currently active version.

  6. Hi,

    My /factory folder is empty. I'm using Root Explorer to see all the files; there is only a sub-folder called Lost+Found, which is also empty.
    Are the files hidden, or are they gone?
    If they are all deleted, what can be done?

  7. I'm not sure; you might have lost them. Try Terminal Emulator or adb with root. Note that the .nv_data files are hidden files, so you will need "$ ls -a" to see them under adb shell or Terminal Emulator. If they are all gone, it might not be possible to recover your original IMEI.

    Replies
    1. I tried $ ls -a with root in Terminal Emulator in /factory and there is nothing there, only a sub-folder called Lost+Found.

      Would copying the files from another phone work? Or creating other ones?

    2. lost+found is a special directory on Linux systems; it is not useful for this purpose.

      Copying someone else's .nv_data might work, but you will end up having the same IMEI number, which might or might not be a problem with the carrier and/or your friend.

    3. Is it possible to copy someone else's IMEI and restore it to my phone? I have a Samsung Galaxy S2; can I copy its IMEI to the Galaxy Nexus?

    4. Back up and give it a try.

  8. This is really the only post online that matches my problem, and I thank you for your information. I bought a Galaxy Nexus from Negri back in April of 2012, and in February 2013, when I received an OTA update of Android, I suddenly lost the ability to connect to the mobile network on T-Mobile-based providers. I switched to an AT&T provider (Straight Talk) until 10 months later, when I tried to make the switch again. For two weeks I've been trying to fix this issue and learned that it has to do with the generic IMEI problem (T-Mobile blocks it).

    While I think I got really close to following your instructions, in conjunction with deciphering some things from the other posts you link to, in a quick trial I fixed my problem in the following way:

    Used Nexus Root Toolkit to install a stock ROM of 4.0.4 (you must unlock first using the toolkit).
    Rooted the 4.0.4 ROM and completed the BusyBox install as requested by NRT.
    Installed FuxkDocomoV3.1.apk (allow non-market installs from settings).
    The FD app would not allow me to "relock" because no backup was found, but did give me the option of the
    "Unlock forever" button.
    Phone rebooted like 4 times.
    Checked IMEI with *#06# and it was no longer generic.
    Used the CyanogenMod installer to update to 4.3.1.

    I tried to follow a YouTube video where the guy was using the FD app to get his IMEI back from generic, but it didn't work on 4.0.2 with any version of the FD app.

    What did work was the 4.0.4 Android, rooted and unlocked with FD 3.1.

    Perhaps I was just lucky, but it's worth a shot for those (like me) who are totally confused by this adb stuff. You lost me (and in the other XDA post too) where you say "copy" the md5 checksum "somewhere". Are you making a text file with the hash in it and renaming it "salted checksum"? In the other post the guy names his "computed". Thanks!!

    Replies
    1. Thanks for sharing your solution! It seems that FD v3.1 has magical powers; maybe it did the checksum fiddling for you correctly. I don't know enough about all the tools you used to judge.

      Yes, but the file is saved as /factory/.nv_data.bak.md5. In step 3, the command "$ echo salted-md5-checksum > /factory/.nv_data.bak.md5" saves the correct checksum (i.e. the "computed md5" in the log) into a file named /factory/.nv_data.bak.md5. To be more explicit, in the example given in step 2, I would execute
      "$ echo a4bc620886c51f712caa377adf90cf24 > /factory/.nv_data.bak.md5"
      to save the correct checksum. I hope this clarifies the steps.

      ADB (Android Debug Bridge) is a standard developer tool in the Android SDK. It connects your phone to your computer to let you do all sorts of development tasks, including opening a shell (command line) on your phone. In the article, this is how ADB was used: all those shell commands are meant to be executed in an adb shell. You can also use ADB to pull/push files from/to your phone to back up/transfer them. If you want to get deeper into Android hacking, you can read more about it here: http://developer.android.com/tools/help/adb.html

    2. This comment has been removed by the author.

    3. Thanks! I tried this: installed CM 9 and ran FuckDoCoMo v3.1, and it restored my IMEI. So great, many thanks!

  9. This comment has been removed by the author.

  10. I have the same problem.

    My IMEI is generic and I don't have an nv_data backup.
    I did a factory wipe, which deleted the nv_data files, and now the system generates the generic one in /data/radio/nv_data.bin.

    (The folder /factory contains only the folder "lost+found" and nothing more.)

    Perhaps there is a solution. I'll try what he did.


    With GIO ZANE, was it the same?

    Replies
    1. Did the solution by GIO ZANE work for you? I have the same problem too.

      I was looking at this solution, but it will cost about $40 including the cost of the cable: http://www.sammobile.com/forum/showthread.php?t=7554

      Looks like a JTAG repair of the IMEI is the only solution for phones that don't have a backup of the original nv files.

    2. If the original nv_data file is lost, my feeling is that you cannot recover your IMEI. But maybe your /data/radio/nv_data.bin is generated from FD and still contains your original nv_data content... you can follow the same procedures and give it a try.

    3. I tried the process explained by GIO Zane and it did not work. I did not use FD to unlock my phone; I bought it factory unlocked from Google. I lost my nv_data files when my /factory partition was wiped and I installed a custom ROM. I do not have any nandroid backups to restore to. I KNOW the IMEI can be repaired (re-written, not restored), but you must use a JTAG device (SPT, Z3X, etc.).

    4. Having the same problem... did you find any fix?

  11. Hi,

    My Galaxy Nexus lost its IMEI in a factory reset.

    I tried your fix, but there are no files in /data/radio/ or /data/radio/log. Thus, there is no log file in /data/radio/log where I can get the salted md5 (step 2).

    I notice that there are the files nv_data.bin, nv_data.bin.md5, nv_data.bin.md5_compute, nv_state and nv_log inside the folder /factory, and also the corresponding *.bak files.

    The .*bak files are in the folder /factory. I think they are OK.

    Any help?

    Replies
    1. What is the content of your nv_log and nv_data.md5_compute? They sound tempting.

      If you can find similar information in them, i.e. the paired md5 checksums, then I think you can follow the procedure with those files instead.

  12. Since I got a few emails from people asking about my fix, I'll just reiterate that it's very possible, even with potentially lost data, that the fuxkdocomo app version 3.1 will unlock the phone correctly and restore the IMEI. As falcondai said, there is potentially some "magical" stuff that the FD app can do. You must downgrade first to 4.0.4 and root for the app to run. (See my prior comment for details.) Thanks guys!

  13. Please check my post on XDA: http://forum.xda-developers.com/showthread.php?p=49740682
    It may clear some doubts. Thanks.

  14. If somebody could make a video, that'd be great :\
    Please help.

    Replies
    1. I think that is a fine idea. If anyone does make one/find one, feel free to post it here.

  15. I found the EFS image; can I flash it via Odin?

    Replies
    1. I don't know. Maybe you can give it a try and let people know how it goes.

  16. Hi... my phone suddenly stopped working with all networks, and I found out I have this IMEI issue too (although my phone networks say that the 0046... IMEI is not blocked; I'm in the UK).

    I guess it may have happened because I bought my phone second hand. When I got it and decided to install a custom ROM, I deleted everything from CWM recovery, including all the system folders, in case there was any spyware, and I am guessing this is how the IMEI got reset. However, I'm guessing it's only last week (when my problems started) that someone in some phone company decided to block it. (I bought these phones months ago.)

    My question is: in newer phones, is the IMEI on some read-only chip, or is this problem likely to continue if I delete all system files? (I just bought a Nexus 4 and am waiting for it to arrive, but the first thing I want to do is delete everything for security.)

    Secondly, I found that if I restore from backups, often my phone is quite sluggish. Is there any way to get around this?

    Thanks

    Replies
    1. Look around for info regarding different phone models' designs. I think Samsung's Galaxy series might have a common IMEI storage design: from what I heard, many of them share the same 0046 default.

      I think the slowdown is more of a perception problem, possibly an older and more occupied system than the one previously running. Check out my other post regarding one cause of Android being slow: http://blog.falcondai.com/2012/04/one-cause-of-slowdown-in-android-phones.html

  17. Hi,

    I have the same problem as Leonardo Dias above.
    Suddenly, my phone stopped working as a phone: no signal, baseband version unknown, IMEI unknown, etc.

    I rooted the phone and checked in the /data/radio dir: there were no files, only a dir called log, but no files inside that.

    I could see nv_data.bin in the /factory dir intact, though the md5 is not matching.

    I tried copying all files in /factory to /data/radio and restored the owner to radio; still no use.

    Any help?


  18. Hey,

    Many hours spent on your page, and some problems are now solved, but:

    My nv.log now shows:
    Tue Jun 3 12:28:06 2014: __refresh_md5_file: Can't open /factory/nv_data.bin.md5. Read-only file system.
    Tue Jun 3 12:28:06 2014: MD5 is turned on.
    Tue Jun 3 12:28:06 2014: invalid size /data/radio/nv_data.bin, 1578090 bytes.
    Tue Jun 3 12:28:06 2014: NV restored.(GED)
    Tue Jun 3 12:28:06 2014: NV restored.(GED)

    It seems that
    nv_data.bin and .nv_data.bak are the same files
    nv_data.bin.md5 and .nv_data.bak.md5 are the same files with the same md5 in them

    I'm still stuck with the bad IMEI.
    Thanks for your work :)

    Replies
    1. Replying to myself. ^^
      The bin generated in /data/radio is not the same as the one in /factory, so the md5 is different.

    2. What are the sizes of your:
      /data/radio/nv_data.bin
      /factory/nv_data.bin.bak
      /factory/nv_data.bin

  19. Hi Mr. Dai,

    Could you please let me know where I can download the F**k DoCoMo app? Despite trying, I was not able to find an APK on the internet. I would be grateful if you could provide a download link.

    Thanks.

  20. I don't have anything inside the /factory folder.
    What can I do?

  22. Hi, I have lost my own nv_data.bin and md5. Can I use another I9250's files?

  23. Hello, I lost nv_data.bin because I don't have the backups (never did that). Any idea what I can do? I tried this tutorial but had no luck. Thanks for your post.
