How to RECOVER SL3 SIMLOCK DATA from Full Flash for FREE !!

[..::Angel::..]

Greetings.

Here are the steps to RECOVER SIMLOCK DATA from FULL FLASH backup.

1. Read FULL FLASH via ATF Box
2. You must know phone's original Product Code. It can be seen on back
side of phone at it's lable or from NPC DATA. NPC can be backup EVEN phone is dead...
In my case Product Code is: "059H5S3"
3. Search for your Product Code in Nokia Data Package or Navifirm.
Its important because it will tell you phone's original PM120,0.
In my case: "RM-775 MEA-7 DARK URDU" So, my phone is Factory unlocked
by Nokia and it's Provider Key is: 2440700000000000. Now some Hex work ;-)
4. Use any good HexEditor, I uses HxD. drag and drop FLASH_DUMP.bin to HxD
5. Press Ctrl + F, Search for: "2440700000000000" and DataType: Hex-values



We found PM120,0 512 byte(s). But it should be 944 byte(s) if phone have 24407 provider key...
If we will look upper, will find the rest 432 byte(s) DATA, too.



512+432 = 944 byte(s). That's mean now our PM120,0 is 100% Oki.

Now look little upper, we'll get PM120,2 = 130 byte(s).
It will always have "0100" in the end or "01000000" in the end if phone is 20-digits NCK...



Again look upper, and we'll get PM120,1 = 160 byte(s).



So, now we have recovered PM120,0 - PM120,1 and PM120,2. Left PM120,3.
We can simply put "000000000000000000000000" of 112 byte(s) ...
Since phone was factory unlocked, it will always have "00000000000000000".

Few things about PM120:

- If phone was Factory unlocked than it will have PM120 like this:

PM120,0 = 944 byte(s).
PM120,1 = 160 byte(s).
PM120,2 = 130 byte(s). or 132 byte(s). If phone is using 20-digit NCK
PM120,3 = 112 byte(s). and all ZERO "000000000000000000000000"

- If phone was network locked before and u or customer made a unlock of
it than look for the original product code and it will tell you what PM120,0
it should have inside and it's length... Also, PM120,3 will be changed here
NOT all ZEROs. It will contain your phone's UNLOCK CODE(s).

For example PM120,3 112 byte(s):

00000000000000000000000000000000 <---- LEVEL 1 CODE(s) are stored here
00000000000000000000000000000000 <---- LEVEL 2 CODE(s) are stored here
00000000000000000000000000000000 <---- LEVEL 3 CODE(s) are stored here
00000000000000000000000000000000 <---- LEVEL 4 CODE(s) are stored here
00000000000000000000000000000000 <---- LEVEL 5 CODE(s) are stored here
00000000000000000000000000000000 <---- LEVEL 6 CODE(s) are stored here
00000000000000000000000000000000 <---- LEVEL 7 CODE(s) are stored here

If phone was locked before, you'll see codes instead of ZEROs.
This PM120,3 can also be found near PM120,0 like we found PM120,1
and PM120,2. If it have stored unlock codes inside, else, can put ZEROs
of 112 byte(s).

Here is the PM120 I recoverd from FullFlash backup:

Quote:

[120]
0=000000000000000024407000000000000018070000000000 0050000005FFFFFF00B4000005FFFFFF0118000005FFFFFF01 7C000005FFFFFF01E0000005FFFFFF0244000005FFFFFF02A8 000005FFFFFF000000007FFF6F07FFFFFFFFF800030C030005 03000000007FFF6F3EFFFFFFFFC000030F0200010300000000 7FFF6F3FFFFFFFFFC000031102000103000000007FFF6F07FF FFFFFF07FE031308000503000000007FFF6F07FFFFFFFF07FE 031B08000503000000007FFF6F07FFFFFFFFF8000323030005 03000000007FFF6F3EFFFFFFFFC00003260200010300000000 7FFF6F3FFFFFFFFFC000032802000103000000007FFF6F07FF FFFFFF07FE032A08000503000000007FFF6F07FFFFFFFF07FE 033208000503000000007FFF6F07FFFFFFFFF800033A030005 03000000007FFF6F3EFFFFFFFFC000033D0200010300000000 7FFF6F3FFFFFFFFFC000033F02000103000000007FFF6F07FF FFFFFF07FE034108000503000000007FFF6F07FFFFFFFF07FE 034908000503000000007FFF6F07FFFFFFFFF8000351030005 03000000007FFF6F3EFFFFFFFFC00003540200010300000000 7FFF6F3FFFFFFFFFC000035602000103000000007FFF6F07FF FFFFFF07FE035808000503000000007FFF6F07FFFFFFFF07FE 036008000503000000003F007F206F07FFFFF8000368030005 03000000003F007F206F3EFFFFC000036B0200010300000000 3F007F206F3FFFFFC000036D02000103000000003F007F206F 07FFFF07FE036F08000503000000003F007F206F07FFFF07FE 037708000503000000003F007F206F07FFFFF800037F030005 03000000003F007F206F3EFFFFC00003820200010300000000 3F007F206F3FFFFFC000038402000103000000003F007F206F 07FFFF07FE038608000503000000003F007F206F07FFFF07FE 038E08000503000000003F007F206F07FFFFF8000396030005 03000000003F007F206F3EFFFFC00003990200010300000000 3F007F206F3FFFFFC000039B02000103000000003F007F206F 07FFFF07FE039D08000503000000003F007F206F07FFFF07FE 03A508000503FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
1=3800783F4AF6EA45EF84D2D744C7F3FF5A1015ABA20B2CB4 B5709B3A35E93EAA6C170A1BCF73245AE6B5060AB7F255A9BB 5494A75A6B5408B89537213660984D60731CE93E2C8883C63F 3C41D8083503BB34C9E01BCD3DB83D1E9BF96EF4E7B261590C 4BFA8E508A8AC2C2F0A5853B4B6BD4EDF4BF5B5A28235955C4 F6480287AF3060D484FEC9DE1BEA2919F79D3FD1F82C01F14C 32F94F0EDCA9588B644705
2=ACE5AA9F5FD8AD4794DDEAD60C9EE1579B3E3F09429734B7 C9167E5F0109ABFC721624A5F56A78CF24931CE1A1391577B2 A7EE7C48CFC2D5B32A0142BCBE9B99B18DC8986C0ED153BABD 74459DB06208468EA7E559CBB423B2F312477A5880F381BF40 6EF5628D6A7042930B039F51948BFB5B01495E49D00D6D94A9 83EA04970100
3=000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000

Logs after Full ERASED, FLASHED:

Code:

18:45:07 : ================================================
18:45:07 :             Basic Phone Information             
18:45:07 : ================================================
18:45:07 : MCU Version: V 07.32 08-12-11 RM-775 (c) Nokia            
18:45:07 : IMEI Plain : 357399045545626
18:45:07 : IMEI Spare : A357399045545620
18:45:07 : IMEI SV    : 33573990455456251F
18:45:07 : Category   : Phone
18:45:07 : Phone Type : RM-775
18:45:07 : 
18:45:07 : ================================================
18:45:07 :            Extended Phone Information           
18:45:07 : ================================================
18:45:07 : Product Serial Number: 0
18:45:07 : Long Production SN   : 0
18:45:08 : PPM SW Version       : V 07.32 08-12-11 RM-775 (c) Nokia             MEC
18:45:08 : BT MCM Version       : 4217-v924
18:45:08 : MCU SW Version       : V 07.32 08-12-11 RM-775 (c) Nokia
18:45:08 : RFIC Version         : |Alli_4.b.1
18:45:08 : DSP Version          : 92_PM2_7.32
18:45:08 : LCD Version          : TPO
18:45:08 : Content Pack Version : Content: meac_059H5S3 V 07.32 03-02-12 RM-775 (c) Nokia
18:45:08 : AHNE Version         : 21
18:45:08 : RETU Version         : 51
18:45:08 : TAHVO Version        : 00
18:45:08 : Wireless LAN ID      : 94:3A:F0:14:FA:7A
18:45:08 : Bluetooth ID         : 94:3A:F0:14:AC:5A
18:45:08 : CS Type              : GSM850, GSM900, GSM1800, GSM1900, WCDMA I, WCDMA II, WCDMA V, WCDMA VIII
18:45:08 : 
18:45:08 : ================================================
18:45:08 :               Simlock Information               
18:45:08 : ================================================
18:45:08 : Unable to read SP Data..
18:45:08 : SECURITY_TEST           : PASSED
18:45:09 : SECURITY_CODE          : 12345
18:45:09 : PHONE_MODE              : TEST
18:45:09 :                                                 
18:45:09 : ================================================
18:45:09 :           Dynamic Camera Configuration          
18:45:09 : ================================================
18:45:09 : DCC ID  : 0A4E2007
18:45:09 : DCC Ver: 008005
18:45:09 : Status   : OK

Logs after write recovered PM120:

Code:

18:46:19 : ================================================
18:46:19 :             Basic Phone Information             
18:46:19 : ================================================
18:46:19 : MCU Version: V 07.32 08-12-11 RM-775 (c) Nokia            
18:46:19 : IMEI Plain : 357399045545626
18:46:19 : IMEI Spare : A357399045545620
18:46:19 : IMEI SV    : 33573990455456251F
18:46:19 : Phone Model: Nokia X3-02.5
18:46:19 : Category   : Phone
18:46:19 : Phone Type : RM-775
18:46:19 : 
18:46:19 : 
18:46:19 : Field : 120 Sub : 0 Byte(s): 944  - Ok
18:46:19 : Field : 120 Sub : 1 Byte(s): 160  - Ok
18:46:19 : Field : 120 Sub : 2 Byte(s): 130  - Ok
18:46:19 : Field : 120 Sub : 3 Byte(s): 112  - Ok
18:46:20 : PM  Upload Done!...
18:46:25 : 
18:46:25 : Scanning USB Ports...
18:46:25 : 
18:46:25 : ================================================
18:46:25 :             Basic Phone Information             
18:46:25 : ================================================
18:46:25 : MCU Version: V 07.32 08-12-11 RM-775 (c) Nokia            
18:46:25 : IMEI Plain : 357399045545626
18:46:25 : IMEI Spare : A357399045545620
18:46:25 : IMEI SV    : 33573990455456251F
18:46:25 : Phone Model: Nokia X3-02.5
18:46:25 : Category   : Phone
18:46:25 : Phone Type : RM-775
18:46:25 : 
18:46:25 : ================================================
18:46:25 :            Extended Phone Information           
18:46:25 : ================================================
18:46:25 : Product Serial Number: 0
18:46:25 : Long Production SN   : 0
18:46:25 : PPM SW Version       : V 07.32 08-12-11 RM-775 (c) Nokia             MEC
18:46:25 : BT MCM Version       : 4217-v924
18:46:26 : MCU SW Version       : V 07.32 08-12-11 RM-775 (c) Nokia
18:46:26 : RFIC Version         : |Alli_4.b.1
18:46:26 : DSP Version          : 92_PM2_7.32
18:46:26 : LCD Version          : TPO
18:46:26 : Content Pack Version : Content: meac_059H5S3 V 07.32 03-02-12 RM-775 (c) Nokia
18:46:26 : AHNE Version         : 21
18:46:26 : RETU Version         : 51
18:46:26 : TAHVO Version        : 00
18:46:26 : Wireless LAN ID      : 94:3A:F0:14:FA:7A
18:46:26 : Bluetooth ID         : 94:3A:F0:14:AC:5A
18:46:26 : CS Type              : GSM850, GSM900, GSM1800, GSM1900, WCDMA I, WCDMA II, WCDMA V, WCDMA VIII
18:46:26 : 
18:46:26 : ================================================
18:46:26 :               Simlock Information               
18:46:26 : ================================================
18:46:26 : CONFIG KEY    :  0000000000000000
18:46:26 : PROVIDER KEY  :  2440700000000000
18:46:26 : NETWORK NAME  :  Nokia Default;Finland
18:46:26 : LOCK COUNTERS :  KEYPRESS 0/3,  FBUS 0/10
18:46:26 : SIMLOCK TABLE :
18:46:26 :    Block [1]  1:Open 2:Open 3:Open 4:Open 5:Open
18:46:26 :    Block [2]  1:Open 2:Open 3:Open 4:Open 5:Open
18:46:26 :    Block [3]  1:Open 2:Open 3:Open 4:Open 5:Open
18:46:26 :    Block [4]  1:Open 2:Open 3:Open 4:Open 5:Open
18:46:26 :    Block [5]  1:Open 2:Open 3:Open 4:Open 5:Open
18:46:26 :    Block [6]  1:Open 2:Open 3:Open 4:Open 5:Open
18:46:26 :    Block [7]  1:Open 2:Open 3:Open 4:Open 5:Open
18:46:26 : SIMLOCK STATE :  Not Locked
18:46:26 : 
18:46:26 : SIMLOCK_TYPE             : PA_SL3 (15-digit NCK)
18:46:26 : SIMLOCK_TEST             : PASSED
18:46:26 : SECURITY_TEST           : PASSED
18:46:26 : SECURITY_CODE          : 12345
18:46:27 : CMLA_KEY                    : ABSENT
18:46:27 : SUPER_DONGLE_TEST : PASSED
18:46:27 : 
18:46:27 : ================================================
18:46:27 :               SL3 Phone detected                
18:46:27 : ================================================
18:46:27 :                                                 
18:46:27 : * Firmware Version Downgrade will KILL PHONE !!!
18:46:27 : * Manual Full Erase WILL KILL PHONE!!!          
18:46:27 : * Simlocks are in PM 120 Only...                
18:46:27 : * PM 308 is Write Protected...                  
18:46:27 : 
18:46:27 : PHONE_MODE              : TEST
18:46:27 :                                                 
18:46:27 : ================================================
18:46:27 :           Dynamic Camera Configuration          
18:46:27 : ================================================
18:46:27 : DCC ID  : 0A4E2007
18:46:27 : DCC Ver: 008005
18:46:27 : Status   : OK

BR

[..::Angel::..]

Quote:

Originally Posted by dimchik007

What model of phone was repaired?

Hi,

Phone was X3-02 RM-775 wrong flashed by Aamir_Zia's brother to RM-639.
Logs are available in post # 1. As well I did other flash size(s) phones...
64MB, 128MB, 256MB and 512MB are tested by me... PM120 is not always
at same place, different size flash will have different places for simlock...

But the method is same for all Flash chips.. I posted above...
1024MB chip will test later when I get phones on hands. Sometime,
need look deeper, more complex. But not impossible.

As well as NPC, CCC, HWC can be recovered easily...

- Bus check phone with ATF and see the CMT_PAPUBEKYS - length: 20 byte(s).
- Search for CMT_PAPUBKEYS inside full flash - HexValues, you'll directly
get NPC CERTIFICATE.. And after CCC and HWC - just need remove FFFFF
between NPC, HWC, CCC..
- Since it can be readout EVEN from DEAD phones, so, no need to waste time..
Better read - much faster than recovering. ;-)

BR

[riajul1988]

ATF is free................

InfinityBox BEST need 25 credits but world fast solutions

[..::Angel::..]

Quote:

Originally Posted by jonny_dhaka

Search for your Product Code in Nokia Data Package or Navifirm.
Its important because it will tell you phone's original PM120,0.




1:sir i am not understand this line
how can i understand phone orignal pm120,0
can u give some explain

2:how can i find Provider Key?

3:Here is the PM120 I recoverd from FullFlash backup:
can i save it in notepad?

thanks for this usefull post

Hi,

This is important because.. if phone is locked to Vodafone UK:
than PM120, 0 - off course will be "2341500000000" and if you'll
be searching for "244070000" than even thousands of hours u will
spend without results.. ;-)

Search for any voda uk product code in Nokia Data Package. You will see
like "RM-XXX EURO-VODA UK" - that's mean now we need to find PM120,0
for "23415000000" and also not 944 byte(s). Because its 56 bytes only
and You will maybe find these 56 byte(s) few times inside flash.

BR

[..::Angel::..]

Quote:

Originally Posted by riajul1988

ATF is free................

InfinityBox BEST need 25 credits but world fast solutions

Well, for the first time. I also took (X)hours... But what? Now it was only
5 mins or less job to recover simlock... ;-) And FREEE now If u can't do it than you'll have to buy it...

BR

[.::GSMUnlock::.]

Very Gud Update from A great team .................thnx but there are many Questions will come after this update ........

1) how to know phone was locked or unlocked
2) how can we get exact 0,1,2,3 sections of PM120 in ur post u shown end point and length it will b more easy if u mention exact hex values from which value to which is section 0,1,2,3
3) more important how can we get network unlock key if its unlocked by any Oprator ...........
thank you Mr.Angel for this gud update
Br
.::GSMUnlock::.

[..::Angel::..]

@.::GSMUnlock::.

1. Search by Product Code.. if you found that phone's original Product code's
flash files are like "RM-XXX EURO H3G UK" or any other operator. Than it must
be lock/unlock phone by Network unlock for BruteForce ...
When you'll get PM120,0 - nearby little more search upper or lower, you'll
also get PM120,3.

CODE(s) are stored there... If phone is unlock by network codes.
LEVEL 1 field will be used. But it can also be BruteForce unlock, mostly,
users uses LEVEL 7 for BF unlock.. So, it will be in the end where LEVEL 7
written. You can simply copy these fields AS IS and write as PM.
Phone will remain unlocked as it was before.

00000000000000000000000000000000 <---- LEVEL 1 CODE(s) are stored here
00000000000000000000000000000000 <---- LEVEL 2 CODE(s) are stored here
00000000000000000000000000000000 <---- LEVEL 3 CODE(s) are stored here
00000000000000000000000000000000 <---- LEVEL 4 CODE(s) are stored here
00000000000000000000000000000000 <---- LEVEL 5 CODE(s) are stored here
00000000000000000000000000000000 <---- LEVEL 6 CODE(s) are stored here
00000000000000000000000000000000 <---- LEVEL 7 CODE(s) are stored here

In simple:

You found flash files for XXX Network = phone can be locked or unlocked..
To determine it - you need to look in PM120,3 - if all 112 byte(s)
are ZEROs and Flashes you found are appear to be AS XXX Network. Than
phone must be LOCKED...

And if you found flash files for XXX Network = phone can be locked or unlocked..
To determine it - you need to look in PM120,3 - if all 112 byte(s) are
NOT ZERO and first or last 16 byte(s) looks like CODES. Than its unlocked
phone by Network or BruteForce...

2. They are NOT always in correct order. Sometime, you'll find PM120,0 first
and other in last or sometime you'll find PM120,0 in last and other before it...
But the method is: Just hit to ProviderKey and little more search will lead
you to other PM120 fields. Need some brain to analyze PMs. If you will
success few times - it will become more easy for other next times.

3. I wrote about it in point # 1. CODES are in Hex can easy convert...

Well, I had just installed HxD before few days only. And found something
USEFULL...so, shared here with all of you.

BR

[moldovan]

Quote:

Originally Posted by ..::Angel::..

Well, for the first time. I also took (X)hours... But what? Now it was only
5 mins or less job to recover simlock... ;-) And FREEE now If u can't do it than you'll have to buy it...

BR

And what?
You spent the X-th hours, Y of nerves, Z... , and put result of your hard work for free.
Any work should be paid.
Would be more reasonable to add function of extraction of SLD from FF to ATF-Box for credits.
WBR!

[asad_nomy7]

Quote:

Originally Posted by s1emens

Can you apply this to ATF for next update to make it simpler, thank you

br,
s1emens

That will be bad for professionals.becasue this method is complicated and not done by SU so the time for earn money for professionals and for hard workers.

[..::Angel::..]

Quote:

Originally Posted by m_nasir

its mean we can repair sl3 contact service...



wbw,
Muhammad Nasir Javed

Hi,

No... It WILL NOT REPAIR Contact Service..

For example - you have phone in DEAD condition and flash cannot make power on mobile.
You can read the Full Flash first.. EXTRACT Full PM120 and RPL you can backup
even phone is dead... After EraseFlash and if phone is powered on - u can easy
repair SIMLOCK and RPL to make phone fully working.

Many phones around which have problem like Vibrate, BlankDisplay, Dead etc...
but after Full ERASE/FLASH can power up, so, this is the method to readout
PM120 before....

BR

[..::Angel::..]

Quote:

Originally Posted by dinesh01

sir

i am reading nokia 5130 is very slow

Hi,

It not needed for 5130c... You can Backup RPL and ERASE NPC (Write another) BB5 phone's RPL - phone will get local mode - now read PM120 if available inside...

BR

[..::Angel::..]

Quote:

Originally Posted by haroon454

i agree with u post video for simlock repair if atf can repair

Hi,

If anyone needs a VIDEO Tutorial, than this SIMLOCK Recover is
NOT for them... They better stay away from it.

BR

[B Smith]

I conferm that this is a working method............... the people who cant manage it, will ask for video etc............

[..::Angel::..]

Quote:

Originally Posted by binh217

hi.

how to read full flash and write(file read)?

thanks!

Hi,

Open ATF SW...
Flashing->ReadFlash->Read Full Flash...
File will be saved to: C:\AdvanceBox Turbo Flasher\Nokia\Recovered\Flash_Dump.bin
Drag and drop this file to HexEditor and search for SIMLOCK DATA...
When you found - save it to .txt and after change .txt to.pm file...
You can easy write this PM to phone via simple Write PM function.

BR

[Demongsm]

Quote:

Originally Posted by .::GSMUnlock::.

Very Gud Update from A great team .................thnx but there are many Questions will come after this update ........

1) how to know phone was locked or unlocked
2) how can we get exact 0,1,2,3 sections of PM120 in ur post u shown end point and length it will b more easy if u mention exact hex values from which value to which is section 0,1,2,3
3) more important how can we get network unlock key if its unlocked by any Oprator ...........

Congratulations!
Very clever, Mr. Ali!
It's time to buy my own ATF!

GSM unlock.
If phone was previously unlocked by NCK, that must be stored in rpl data. If it's not damaged. That must be the network unlock key.
You may also ask information about whether if the phone is factory unlocked/free or not in a Nokia care by IMEI.
If PM120 data is damaged, You shall not know information about the phone's last capable configuration's simlock state in normal mode. Invalid data.
(Usually Locked I think, because somebody tried to tamper data - if it was not a bad flashing as it was in the first post.)
The last address minus length is equal to the start address.
You must be careful because of the difference between 15 and 20 digit NCK length. 1 set of 100 is has 20 digit NCK.
This method is for recovering w/o buying rpl files. No NCK can be calculated from these data.
First recover the read log and calculate key as usual.

B R