Unlocking Samsung Galaxy S Vibrant (Bell)

I’ve been a big fan of unlocked GSM phones since my first one back in 2009. I’ve also been through a surprising number of different phones since then, but all of them have been 2nd (or 3rd) hand and have been a good price for a phone that still has lots of use left in it. My latest phone, the Samsung Galaxy S Vibrant (i9000m), is no different, but it came to me locked to Bell.

I purchased the i9000m knowing it could be easily unlocked if you had the right magic. With the stock firmware, if you don’t have the phone unlocked you’ll see what’s pictured at the top of this post when you install a SIM card.

It turns out the forums have a great how-to guide, with pointers to an app on the Android Market if you’re afraid of a little bit of hex editing. It should go without saying that I selected the hex editing route. I’ll describe the steps I used here, but all credit to the folks in the forums for figuring this out.

I will assume that you’ve rooted your i9000m and you’re not incapable of using a hex editor.

Step 1: We’re going to copy some non-volatile memory off the phone that contains the ‘lock’. Perform the following commands on the phone (probably via ADB).

$ su
# cat /efs/nv_data.bin >> /sdcard/nv_data.bin

Now copy that file onto your PC for editing. Make a backup of the original before step 2.

Step 2: Edit that file; I used hexedit on Ubuntu. The lock bit is inside the byte at 0x181469 in the file. See the green circle in the screenshot: change that 01 to 00 and save the file.

Starting at offset 0x181468 you should see the series of digits: ff 01 00 00 00 00 46 46

The XDA post describes it as follows:

There are 5 different types of locks in 5 different bytes

the FF byte should be left alone
the first byte after the FF is the network lock
the next byte is the network subset lock
the next byte is the sp lock
the next byte is the cp lock
the last byte appears to be a data lock.
the 46 46 should be left alone
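To make that edit less error-prone, here is an added example script (mine, not from the original post or the XDA thread) that reads a copy of the dump, checks that the ff ... 46 46 sentinels really are at the quoted offset before touching anything, prints the state of the five lock bytes, and writes the patched copy to a new file so the original stays intact. The offset and byte layout are the values quoted above; the function names, the sentinel check and the constructed sample buffer are assumptions of this example.

```python
"""Inspect and patch the carrier-lock bytes of a Galaxy S nv_data.bin copy.

Added example, not from the original post. LOCK_OFFSET and the byte layout
(ff, five lock bytes, 46 46) are the values the post quotes; the function
names and the sentinel check are this example's own."""
import sys
from pathlib import Path

LOCK_OFFSET = 0x181468              # offset of the leading 0xFF byte (from the post)
LOCK_NAMES = ("network", "network subset", "sp", "cp", "data")
HEADER, TRAILER = b"\xff", b"\x46\x46"
RECORD_LEN = len(HEADER) + len(LOCK_NAMES) + len(TRAILER)   # 8 bytes


def read_locks(data: bytes) -> dict:
    """Return {lock name: byte value}, refusing if the sentinels don't match.

    This is the safeguard a blind hex edit lacks: if the file does not show
    ff ... 46 46 at the offset, the layout is not the one described, so stop."""
    record = data[LOCK_OFFSET:LOCK_OFFSET + RECORD_LEN]
    if len(record) != RECORD_LEN:
        raise ValueError("file too short: no lock record at 0x%x" % LOCK_OFFSET)
    if record[:1] != HEADER or record[-2:] != TRAILER:
        raise ValueError("unexpected bytes at 0x%x: %s" % (LOCK_OFFSET, record.hex()))
    return dict(zip(LOCK_NAMES, record[1:-2]))


def clear_lock(data: bytes, name: str = "network") -> bytes:
    """Return a copy of data with one lock byte set to 0x00 (the post's edit)."""
    read_locks(data)                # validate before modifying anything
    pos = LOCK_OFFSET + 1 + LOCK_NAMES.index(name)
    return data[:pos] + b"\x00" + data[pos + 1:]


def sample_nv_data() -> bytes:
    """Constructed stand-in for a dump: zeros with the post's record inserted."""
    buf = bytearray(LOCK_OFFSET + RECORD_LEN + 16)
    buf[LOCK_OFFSET:LOCK_OFFSET + RECORD_LEN] = bytes.fromhex("ff 01 00 00 00 00 46 46")
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python3 nvlock.py nv_data.bin  -> writes nv_data.bin.unlocked beside it
    src = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    data = src.read_bytes() if src else sample_nv_data()
    for lock, value in read_locks(data).items():
        print("%-15s %02x %s" % (lock, value, "LOCKED" if value else "open"))
    if src:
        out = src.with_name(src.name + ".unlocked")
        out.write_bytes(clear_lock(data))      # the original file is left untouched
        print("wrote", out)
```

Run it with no argument and it exercises the constructed sample buffer; with a path it only ever writes a new file, so the backup the post asks for is preserved automatically.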

Step 3: Use the modified file to update your phone. Let’s assume you copied the modified file to /sdcard/nv_data.bin on the phone, and again the commands below are executed on the phone.

$ su
# rm /efs/nv_data.bin
# rm /efs/nv_data.bin.md5
# cat /sdcard/nv_data.bin >> /efs/nv_data.bin
# chmod 755 /efs/nv_data.bin
# chown radio.radio /efs/nv_data.bin || chown 1001.1001 /efs/nv_data.bin
# reboot

That’s it, you’re unlocked. The unlock should persist across ROM (firmware) changes.

References: a great article with pointers to valuable information on the i9000 series.

Samsung Galaxy S Vibrant: CyanogenMod 7.1

While I switched phones, I wasn’t interested in switching away from the community firmware (CyanogenMod) that I’ve been running for the last several phones. Above you see the Samsung Galaxy S Vibrant pictured next to the HTC Desire. You can clearly see the difference in screen size (resolution is identical).

For purposes of firmware changes, the i9000m is very similar to the international version of the i9000. CyanogenMod for the i9000 has only been moved to stable as of 7.1 – so support for it is still relatively new. Compare that to the Desire, which shares much with the Nexus One and has a very stable base in the community.

Initially my plan was to root, unlock, then start playing with firmware changes. After banging my head for an evening trying to get SuperOneClick to work under Linux I gave up my initial plan. [Recent experience shows that SuperOneClick 2.2 works fine under Windows]. Plan B was to just install CyanogenMod after which we’ll have root and we can unlock.

Since I did this, the wiki instructions have changed and now specify 2.3 as the base, when I did this they specified 2.2. If in doubt, follow the wiki.

The process breaks down into the following steps:

  1. First we install heimdall on our PC
  2. We use that to install a custom kernel with root on the phone
  3. Then we flash CyanogenMod via the ClockworkMod recovery that came with that new kernel package

Step 1) Heimdall is a cross-platform, open source firmware tool for Samsung devices. It seems to work well under Ubuntu and you can use the CLI, or add a GUI package.

Step 2) I used the GUI and found it to be straightforward to install the speedmod kernel. Simply place your device into download mode, point heimdall at the kernel file you downloaded via the wiki and off you go.

At this point we are running a rooted device AND we have the ClockworkMod recovery image installed. We could at this point decide to unlock the device and use it as is. Since we’re so close, let’s just move on to step 3.

Step 3) Install CyanogenMod + optional Gapps. I suggest you get these via the forum and grab the latest. This is as simple as placing the files on the internal SD card and booting into recovery. From there I suggest you follow the instructions and do a full wipe / factory reset, then do the installation.

The install of CyanogenMod 7.1 will result in your ClockworkMod being upgraded as well; this is an artifact of the Samsung system layout, which seems to lump everything into a single update package. In my case this meant I also got a modem that was more suitable for use in the United States and registered with my local carriers as roaming. I ended up using the KG3 radio.

In the photo at the top of the post, both devices are running basically identical configurations. I used TitaniumBackup to get to this state, but I won’t recommend it in general. The resulting installation worked, but exhibited some instabilities. I can’t pin the blame on TitaniumBackup, but the wisdom of the forum was that it can introduce problems. What it did do for me addresses something that I find to be a real problem moving from device to device: the Android Market treats each device you connect individually – there doesn’t appear to be an easy way to say “take all the apps on this device, and put them on this other one”.

The nice thing about the sequence of steps here is that we haven’t needed to change the bootloaders at all. This increases the safety factor of what we’ve done, as we should still be able to easily get into recovery or, worst case, download mode to fix things.

Samsung Galaxy S Vibrant Recovery / Download mode

Recently I continued to feed my phone habit by buying a used Samsung Galaxy S Vibrant (i9000m). This phone was originally intended for use on the Bell Mobility network but can be unlocked to work on other GSM based carriers. In my case I’m using the phone on Fido. If you are patient, you’ll find good condition used phones below the $200 price point locally.

Of course I have no interest in running the stock firmware and will be installing CyanogenMod on it as soon as possible. The very first step is to learn a little about how the process of updating the firmware works so I don’t break anything. This post will focus on entering recovery and download mode, two different update states but both important.

The image at the top of this post is the stock recovery image. The phone I got had a 2.2 version of Android installed on it. There are various ways to get into this mode, some depend on the version of the firmware you have installed (which bootloader specifically).

  1. From powered off state. Home + vol up + vol down + power.
  2. From powered off state. Home + vol up + power.
  3. From booted and running. Using adb issue “reboot recovery”.

For the button version (#1, #2) release all buttons once you see the i9000 boot screen. For my phone, it was #2, I have seen a phone that used #1, and the adb method should work with both.

The stock recovery doesn’t offer many features. You can format the internal SD card, wipe the phone, and install an update that is on the internal SD card partition. If you look carefully you’ll see the version 3e at the top, this version does a signature check on the update.zip file and will not let you install unsigned binaries (the 2e version didn’t do a signature check).

The second mode you need to be able to get into is download mode. Download mode is used by Kies and Heimdall for doing installations. It is a more primitive mode than recovery: recovery runs from a software-updatable portion of the firmware, which is of course something you could relatively easily get wrong. If you’ve read a bit you’ll have come across references to a download jig that can be built (or bought) to get you into download mode; some bootloaders apparently don’t have download mode buttons, and if you break things badly you can’t get into adb.

To enter download mode:

  1. From powered off state, Home + vol down + power.
  2. From booted and running. Using adb issue “reboot download”.

You should see an image similar to the one above. The “Do not turn off Target!!!” message is only valid when you’re actually installing some firmware changes; if you accidentally enter download mode, don’t panic.

The other thing many people have problems with is getting reliable USB connectivity to the device. I’m running Linux as my desktop, which seems to have no problems in general. Windows seems to have all sorts of problems, some of which appear to be triggered by the Kies drivers. As a general rule of thumb I do suggest you verify that you can reliably communicate with the device before shoving some new firmware down the wire.

One other observation about this type of activity: many people out there posting in the forums have little to no idea how this stuff actually works. I won’t claim to be an expert in all things here, but I like to think I have a firm grasp on the basics. If you’re really lost, stop – maybe this isn’t something you should be doing. Read a lot, filter out the bad information and take steps you understand. Ideally you want to have a consistent and logical mental model of what is happening. There were apparently also some bad firmware revisions early on from Samsung that caused a lot of internet chatter, which can be ignored at this point.

Now that we’re somewhat comfortable with the two modes, have some confidence that we can reliably talk to the device and have a couple of the tools installed – we can start thinking about what firmware and changes we’ll be making to the device.