Converting Cert file To AT-Command

Post #1 (12-13-2014, 01:01) by meido one:

I have a cert file, and I want to sign the IMEI through AT-Command, but I have no idea how to convert the cert to an AT command.
Any help will be appreciated.
Thank you
 
Post #2 (12-14-2014, 20:39) by djlangel:
Ok, so I am in no way responsible for coming up with any of this information on my own. Credit goes to ECS87 and Dex on GSM forum, as their write-ups and guidance have shed some light and helped me to understand how to restore cert files and IMEI on newer Samsungs. This is in no way a tutorial; it's just information that I have gathered and want to put in a thread to come back and look over, and add to over time, so we can learn to manually write certs and restore IMEI onto our devices rather than depend on box companies that automate this and spend $150-250 just to get access to newer solutions.


Okay, so here it goes. The CERT file is unique for every phone and contains a signature; this file can't be generated/created by anyone. This file exists in Samsung's database from the day of production of your phone. People who "sell" certs have access to Samsung's DB and can pull certs; as far as I know, certs cannot be generated.

Starting with the Note 3, when you wrote an IMEI, if the cert pertaining to that IMEI wasn't also written your service wouldn't work. Security was very high on these phones, and if we wanted to "restore" an IMEI to the phone you would also need the cert. But here's the catch: you can't just pull IMEI/cert from ANY Note 3. Qualcomm chipset certs CANNOT be read, so AT&T, T-Mobile, Sprint and Verizon Note 3s cannot be read; only Exynos devices can be read from, which are the international variants of the Note 3, so you'll need to root that phone and pull the cert from it, and currently I do not know how to pull certs manually, only with boxes.

But ok, so onto "super IMEIs"... these are a range of IMEIs that someone found that you can write to the Note 3 without the use of a cert file and the network would WORK. I'm not sure of the quantity, but there were quite a lot, and a lot of boxes released this method to their customers. Keep in mind these "ranges of IMEIs" are actual Note 3 phones out there that people own, and these phones were starting to get blacklisted from financing issues, being lost or stolen, etc., and when these IMEIs were written there would be issues like the phone not registering on the network, only getting EDGE, and other random issues. This was because the box wasn't backing up all required network settings, and because there would be 20+ phones with the same super IMEI; that was just a mess.


Okay, so now onto the universal method that we will now be using to write/restore IMEIs to all new Samsungs:

Ok, so before anything, back up your NV items; use the CDMA WS free NV reader/writer to back up NV items. As of now we do know there is more to back up, like RFNV, Feature Mask, NV Item SIM1, NV Item SIM2 and Provisioning Item Files; I'm not too sure what these are, but they help in backing up full network settings. I'm still lost on where these are.

Okay, so we will need the phone rooted; that is a must. We will be needing a terminal emulator, and you will need to find out which EFS partitions to back up, which are modemst1, modemst2, and FSG. Use the dd if command to pull one of the partitions to your computer, take note of the exact byte size, and make a new hex file that size. It'll be full of zeros; that's fine. Send it to the phone. Write this zeroed-out file to the three EFS data partitions with the dd if command through adb shell. Reboot the phone. Your IMEI (and network) are gone. At this point the protection is removed and the IMEI can be written to (either through the diag port or through AT commands over the modem/UART).

I only know the modem/UART method so far, so we use the CDMA WS AT command prompt to send AT commands to the phone now; only paid CDMA WS will work as far as I know.

Before you write the IMEI to the phone you will need to bypass the MSL and Akauth security so you can write the IMEI and sign it with a cert file; the MSL is always different in all phones. After resetting EFS, you can check the MSL by sending: AT+MSLSECUR=1,0
which will return all zeros if the EFS is reset. If not, it will return the MSL ADDR, from which you then need to calc the MSL code, and currently that's not possible in newer phones.

You can send the default MSL to the Note 3 using this:
AT+MSLSECUR=2,R31D40458L_1101630E3C461D334539604F3 8123A12
This is only if EFS is reset. If not, then you need to send:
AT+MSLSECUR=2,[MSLCODE]
Again, the MSL cannot be calculated at this time, so that's why we reset the EFS, unless you have access to the Samsung database or software.

Then you need to bypass akseed. To read the akseed you can send:
AT+AKSEEDNO=1,0
This will give you the akseed number. This is a random number that must be calculated, and every time you send that command it will output a different number, so you must calculate and send back the calculated akseed using:
AT+AKSEEDNO=0,[AKSEEDNO]

At this time only the boxes have access to this akseed calculation, so you must have access to at least one box that will bypass this akseed for you. I know SPT and BST dongle have this; not sure about other boxes that now support newer Samsungs.

After the akseed system and MSL are bypassed, you can restore the IMEI using AT+IMEITEST=2,[IMEI] and sign the IMEI using AT+IMEISIGN.


IMEISIGN requires certs for each IMEI, but in Note 3 models those are not required if the IMEI is a super IMEI.

Now all I did was restore a super IMEI because I didn't know how to format the cert file and write it through AT commands, and when you restore a super IMEI you MUST restore NV items after that to restore network settings, but this isn't all you need to restore, like I stated before, which is why the Note 3 I repaired started getting EDGE only for my customer.

I'm not sure if after you sign an IMEI with a compatible cert file it will automatically restore all network settings itself; I haven't tested. But I'm slowly learning, and once this process is worked out this will be the method to repair all future Samsungs, unless Qualcomm patches the wipe-EFS method that resets MSL and removes the carrier lock security. This is why anyone who does IMEI repair advertises "free unlock": when you wipe EFS it removes the carrier lock too. With the Note 2 or below they wipe EFS and write a new IMEI, but through the QCDM diag port, and there isn't much security on these older phones; those were the easy days. But there is a lot more going on behind the scenes now. If anyone wants to contribute to this thread, feel free; I will once I start learning more about this process.
 
Post #3 (12-15-2014, 00:58) by ecs87:
Quote: Originally Posted by djlangel (post #2, quoted in full)
I didn't think anyone gave two ****s about previous informative posts anymore lol. You seem to have compiled quite a bit of information there!

To clear up a few things you can use the free version of CDMA WS to write AT commands over UART (you can also use DFS free, or any terminal for that matter; recently I've "found" how to write to UART through adb, still in testing). You don't need to pay for anything to send AT commands.

You can also clear/wipe the EFS through download mode. I don't like doing this because you're wiping without taking a backup. You NEED root and adb for backups. I try not to ever wipe the EFS without EFS partition backups. To wipe through download mode you're going to need to do research on Heimdall, and you'll need an understanding of the permissions. What you learn from the adb partitions can carry over into learning Heimdall.

To learn how to change AT+IMEISIGN into a .cert file and vice versa you're going to need to take a look at a log of an IMEI repair done using the SPT box...and then you're going to need to analyze a .cert file. Within seconds you should be able to see how it started to be formatted. There isn't much difference between the two other than how the AT commands have a character limit (and a separator character...and sequence headers).

Like the poster above me mentioned, this is NOT an instructional post. But rather a decent summary on the IMEI repair function on newer Samsung phones.
 
Post #4 (12-15-2014, 23:37) by jusmejose:
Wow, I see a lot of stuff going around here ... Lol anyways ....
Just a heads up: the PubkeySignature and PubKey are the same; nothing changes, only the IMEIsignature and of course the IMEI ... The original file or log, however you want to call it, is just a simple log that you can save in any format and just delete the AT+IMEISign ... at least this is how I edit ... Someone might have something different ...

I'm not at home at the moment to give you more details ... But as soon as I get home I'll have a little guide to simply edit the logs and make them into a 'cert' file also ... I'm going to be releasing a couple of logs that I don't use that I can share with the community .....
 
Post #5 (12-16-2014, 02:40) by ecs87:
Hey Jose... have you seen how they're writing the cert and IMEI through adb? It's not REALLY writing it through adb, but they've got a clever little tool to utilize which consequently makes it impossible to log over radio. It was probably developed by FTDI.
 
Post #6 (12-19-2014, 00:42) by jusmejose:

Quote: Originally Posted by ecs87 (post #5): Hey Jose... have you seen how they're writing the cert and IMEI through adb? It's not REALLY writing it through adb, but they've got a clever little tool to utilize which consequently makes it impossible to log over radio. It was probably developed by FTDI.
I have heard but I never had time to do my own research ....
 
Post #7 (12-21-2014, 02:22):

Quote: Originally Posted by ecs87 (post #5): Hey Jose... have you seen how they're writing the cert and IMEI through adb? It's not REALLY writing it through adb, but they've got a clever little tool to utilize which consequently makes it impossible to log over radio. It was probably developed by FTDI.
I agree ecs87, however you need to do more than that as we discussed... I believe you have a good start and should keep up.. I am sure you will find a solution... I am out of town but will research on this once I am back...
 
Post #8 (12-21-2014, 04:18) by johnboy38:
It works with any Samsung that requires Cert. Including AT&T Note 4, Edge, Alpha and Tmobile Avant.
 
Post #9 (12-21-2014, 04:45) by johnboy38:
Here is a pic of how it looks when you sniff the port during unlock, and a log of writing the cert with MSL with another tool.
 
Post #10 (12-21-2014, 04:46) by johnboy38: (empty post)
 
Post #11 (12-21-2014, 04:48) by johnboy38:
Phone Found Wait...
TEST MODE OK..
Model := SM-N910A
UNIQID := CR2002DDAC2F681
Phone IMEI := 356204060xxxxx
MSL CODE USING IT..
MSL Autho Pass..
Update IMEI Ok..
SKEY := 0772
QCOM(QUALCOMM) detected..
Checking imeicert...
IMEISIGN PASS..
Update Simlock Ok..
Wifi_mac := F409D8BDB68A
Wifi_mac update ok.


All Finish..

!!! SUCCESS !!!!

Total Time Take...00:01:02
Log Saved
 
Post #12 (12-21-2014, 13:57):
To all users who wonder what tool this log is from:
I'd like to say it's http://forum.gsmhosting.com/vbb/f922/ and I did not tell the user to post it; he did so of his own free will.

Regards,
Chevli

 
Post #13 (12-21-2014, 16:11):
Quote: Originally Posted by johnboy38 (the SM-N910A log from post #11, quoted in full)

Using Version...1.0.0.0011
Selected Port ProlificSerial0 = COM7
Selected Model
Selected Task SAM IMEI1

SAMSUNG IMEI REPAIR & CERT WRITE STARTED...
ALL SAMSUNG MSL UNLOCK METHOD USED..

Searching Phone Please wait...

Phone Found Wait...
TEST MODE OK..
Model := SM-N910A
UNIQID := CR200C9D5C213A1
Phone IMEI := 35448306181327
MSL CODE USING IT..

MSL autho fail Reset EFS & Retry Please....

All Finish..

!!! FAIL !!!!

Total Time Take...00:00:36
Log Saved

MSL 53214D62035C3D114D4E045D095F1F00 Right?
 
Post #14 (12-21-2014, 21:45) by dest:
Funny. There are about 10 other tools you can use, not just GCPRO. Good ad though.
 
Post #15 (12-21-2014, 22:53) by ecs87:

Quote: Originally Posted by dest (post #14): Funny. There are about 10 other tools you can use, not just GCPRO. Good ad though.
johnboy is going to start yelling at you soon enough lol. Apparently "his way" of doing things is the right way and everyone else is a moron. He must be ***
 