New Phone: Samsung Galaxy S2 LTE

Again I’m feeding my gadget habit by picking up a new-to-me phone. This time it turns out the phone is effectively brand new: it still had the factory plastic on the screen and came with the box and all of the accessories unused. I’d been watching the local used phone market on Kijiji for a while, and when this one popped up at a great price I was lucky to be one of the first to respond with a firm offer to buy.

The phone’s model number is SGH-I727R, and it is locked to the Rogers network here in Canada. It is basically the same as the AT&T SGH-I727, so there should be reasonable community support for third-party firmware (specifically CyanogenMod).

Even prior to purchase I usually do quite a bit of reading up on the potential of a device. The upgrade over my previous phone is across the board, but a few specs stick in my head: 4.5″ AMOLED screen; 1.5GHz dual-core CPU; 8MP camera. Apparently this phone can also be flashed to work on AWS networks such as Wind; I doubt I’ll need this, but it’s nice to have such a capable phone.

The first real hurdle I came across was unlocking the phone. I had seen enough material on the XDA Forums indicating that unlocking this model wasn’t a big deal, but I had hoped it would be as easy as the i9000 was (a simple software patch). In the end I bought an unlock code via eBay; the price was very low and, in theory, I had some purchase protection through eBay. I found the listing via a post on XDA by a member who is quite active and has the same phone, which also increased my confidence that it was going to work.

I made the eBay purchase at 8pm, and there were several (I’m assuming automated) email responses pointing me at a website to submit my IMEI. In less than 6 hours I had an unlock code; I suspect that if I had made the purchase at a more convenient time of day it would have been even quicker. Inserting my Fido SIM caused the phone to present the Network Lock Control Key screen, where I was able to enter the 8-digit unlock code and unlock the phone. I don’t know for certain, but I suspect the phone may have requested the unlock over the mobile network, as there were a few on-screen messages indicating that it was ‘requesting’ the unlock. The unlock is persistent across firmware upgrades and, based on my testing, appears to apply to all SIMs.

In the hope that I could help identify a software-only unlock, I did a little poking around on the stock firmware. To do that poking it was necessary to gain root, which I did using the zergRush exploit (a local root for Android 2.2/2.3). I was glad that I had a copy of zergRush cached away, as the file linked from the XDA post was no longer available.

You will need adb installed and set up on your computer and communicating with the phone (you may need to enable USB debugging under Menu->Applications->Development->USB debugging). Assuming you’ve got that sorted out, using zergRush is quite easy:

adb push zergRush /data/local
adb shell
cd /data/local
chmod 755 zergRush

Now when you run zergRush you’ll see something like:

$ ./zergRush

[**] Zerg rush - Android 2.2/2.3 local root
[**] (C) 2011 Revolutionary. All rights reserved.

[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.

[+] Found a GingerBread ! 0x00000118
[+] Found a Samsung, running Samsung mode
[*] Scooting ...
[*] Sleeping a bit (~40s)...
[*] Waking !
[*] Sending 149 zerglings ...
[*] Sleeping a bit (~40s)...
[*] Waking !
[*] Sending 189 zerglings ...
[+] Zerglings found a way to enter ! 0x18
[+] Overseer found a path ! 0x00030730
[*] Sleeping a bit (~40s)...
[*] Waking !
[*] Sending 189 zerglings ...
[+] Overseer found a path ! 0x000307f8
[*] Sleeping a bit (~40s)...
[*] Waking !
[*] Sending 189 zerglings ...
[+] Zerglings caused crash (good news): 0x40322cd4 0x0074
[*] Researching Metabolic Boost ...
[+] Speedlings on the go ! 0xafd19b63 0xafd3975f
[*] Sleeping a bit (~40s)...
[*] Waking !
[*] Sending 181 zerglings ...

[+] Rush did it ! It's a GG, man !
[+] Killing ADB and restarting as root... enjoy!

When you connect again with adb you’ll be in a root shell: the last thing zergRush does is kill adbd and restart it as root. Note that this is all it does, so the root is temporary; a reboot returns the phone to its stock, unrooted state unless you go on to install su.

With full access to the filesystem, I copied some of the files down in the hope of spotting a change to one that controls the locked state. Exploring the filesystem, it seems the i727 doesn’t have an nv_ram.bin file, nor were any of the potential candidates modified by the unlocking process. This was a failed experiment, but still fun to try. I will note that zergRush does leave the phone in a pretty sick state (the UI is very, very sluggish), so you’ll want to reboot as soon as you’re done poking around.

2 thoughts on “New Phone: Samsung Galaxy S2 LTE”

  1. Hi,
    I read your note with interest and was curious as to whether you tried to see if it works on Wind or T-mobile (frequency 1700) after you code unlocked it?
    Thanks .

  2. I don’t subscribe to Wind (or T-Mobile) so I haven’t had a chance to try out the phone on those networks. I believe that a different radio is required for using the AWS 1700 frequency. It apparently can be made to work, but is a bit of a battery drain as it’s not quite right. This thread on XDA looks like a good one to start with:
