Manual "Restoring" Cert file + IMEI for newer GSM Samsung Models
Ok, so I am in no way responsible for coming up with any of this information on my own. Credit goes to ECS87 and Dex on GSM forum, as their write-ups and guidance have shed some light and helped me understand how to restore cert files and IMEI on newer Samsungs. This is in no way a tutorial; it's just information that I have gathered and want to put in a thread to come back and look over, and add to over time, so we can learn to manually write certs and restore IMEI onto our devices rather than depend on box companies that automate this and spend $150-250 just to get access to newer solutions.


Okay, so here it goes. The CERT file is unique for every phone and contains a signature; this file can't be generated/created by anyone. This file exists in Samsung's database from the day of production of your phone. People who "sell" certs have access to Samsung's DB and can pull certs; as far as I know, certs cannot be generated.

Starting with the Note 3, when you wrote an IMEI, if the cert pertaining to that IMEI wasn't also written, your service wouldn't work. Security was very high on these phones, and if we wanted to "restore" an IMEI to the phone you would also need the cert. But here's the catch: you can't just pull the IMEI/cert from ANY Note 3. Qualcomm chipset certs CANNOT be read, so AT&T, T-Mobile, Sprint and Verizon Note 3s cannot be read; only Exynos devices can be read from, which are the international variants of the Note 3. So you'll need to root that phone and pull the cert from it, and currently I do not know how to pull certs manually, only with boxes.

But ok, so onto "super IMEIs". These are a range of IMEIs that someone found that you can write to the Note 3 without the use of a cert file, and the network would WORK. I'm not sure of the quantity, but there were quite a lot, and a lot of boxes released this method to their customers. Keep in mind these "ranges of IMEIs" are actual Note 3 phones out there that people own, and these phones were starting to get blacklisted from financing issues, being lost or stolen, etc. When these IMEIs were written, there would be issues like the phone not registering on the network, only getting EDGE, and other random issues. This was because the box wasn't backing up all required network settings, and because there would be 20+ phones with the same super IMEI, that was just a mess.


Okay, so now onto the universal method that we will now be using to write/restore IMEIs to all new Samsungs:

Ok, so before anything, back up your NV items. Use the CDMA WS free NV reader/writer to back up NV items. As of now we do know there is more to back up, like RFNV, Feature Mask, NV Item SIM1, NV Item SIM2 and Provisioning Item Files. Not too sure what these are, but they help in backing up full network settings. I'm still lost as to where these are.

Okay, so we will need the phone rooted; that is a must. We will be needing a terminal emulator, and you will need to find out which EFS partitions to back up, which are modemst1, modemst2 and FSG. Use the dd if command to pull one of the partitions to your computer, take note of the exact byte size, and make a new hex file that size. It'll be full of zeros; that's fine. Send it to the phone. Write this zeroed-out file to the three EFS data partitions with the dd if command through adb shell. Reboot the phone. Your IMEI (and network) are gone. At this point the protection is removed and the IMEI can be written to (either through the diag port or through AT commands over the modem/UART).

I only know the modem/UART method so far, so we use the CDMA WS AT command prompt to send AT commands to the phone now. Only paid CDMA WS will work as far as I know.

Before you write the IMEI to the phone you will need to bypass the MSL and Akauth security so you can write the IMEI and sign it with a cert file. The MSL is always different in all phones. After resetting EFS, you can check the MSL by sending: AT+MSLSECUR=1,0
which will return all zeros if the EFS is reset. If not, it will return the MSL ADDR, from which you then need to calc the MSL code, and currently that's not possible in newer phones.

You can send the default MSL to the Note 3 using this:
AT+MSLSECUR=2,R31D40458L_1101630E3C461D334539604F3 8123A12
This is only if EFS is reset. If not, then you need to send:
AT+MSLSECUR=2,[MSLCODE]
Again, the MSL cannot be calculated at this time, so that's why we reset the EFS, unless you have access to the Samsung database or software.

Then you need to bypass akseed. To read the akseed you can send:
AT+AKSEEDNO=1,0
This will give you the akseed number. This is a random number that must be calculated, and every time you send that command it will output a different number, so you must calculate and send back the calculated akseed using:
AT+AKSEEDNO=0,[AKSEEDNO]

At this time only the boxes have access to this akseed calculation, so you must have access to at least one box that will bypass this akseed for you. I know the SPT and BST dongles have this; not sure about other boxes that now support newer Samsungs.

After the akseed system and MSL are bypassed, you can restore the IMEI using AT+IMEITEST=2,[IMEI] and sign the IMEI using AT+IMEISIGN.


IMEISIGN requires certs for each IMEI, but in Note 3 models those are not required if the IMEI is a super IMEI.

Now, all I did was restore a super IMEI because I didn't know how to format the cert file and write it through AT commands. When you restore a super IMEI you MUST restore NV items after that to restore network settings, but this isn't all you need to restore, like I stated before, which is why the Note 3 I repaired started getting EDGE only for my customer.

I'm not sure if, after you sign an IMEI with a compatible cert file, it will automatically restore all network settings itself; I haven't tested. But I'm slowly learning, and once this process is worked out, this will be the method to repair all future Samsungs, unless Qualcomm patches the wipe-EFS method that resets MSL and removes the carrier lock security. This is why anyone who does IMEI repair advertises "free unlock", because when you wipe EFS it removes the carrier lock too. With the Note 2 or below they wipe EFS and write a new IMEI, but through the QCDM diag port, and there isn't much security on these older phones; those were the easy days. But there is a lot more going on behind the scenes now. If anyone wants to contribute to this thread feel free; I will once I start learning more about this process.
Last edited by rich hathaway; 10-31-2014 at 04:29 PM. Reason: added mandatory like to view