Samsung Sucks: How they soft-locked the Galaxy S21 and what you can do about it.

Update 12/2021: Samsung giveth, and Samsung taketh away. With the OneUI 4 beta that’s been running over the last few months, Samsung actually relented and added both eSIM and carrier firmware switching to the S21! And through beta 3 I believe, everything worked as it should: I pop in an AT&T SIM and the phone would reboot, reconfigure, and AT&T bands would now be unlocked and usable. The saga is over! It’s finally over!…or so I thought.

With the last beta and final release, Samsung looks to have walked this back. Now, unfortunately, the behavior is no different than it was on previous releases of OneUI. I can pop in another SIM and it’ll pick it up and work, but the phone will not reconfigure nor will it switch CSCs over. 

Two caveats, though: 1. I’ve only tested this with deactivated SIMs, so it could be that the S21 is trying to reach out and “activate” with the carrier before switching. If that’s the case, it seems not to work with MVNOs either, since I tried it with my RedPocket GSMA SIM while it was active and it didn’t switch. 2. I’ve not tested the eSIM and have no idea if that works. It might, seeing as the eSIM comes up as TMB,XAA when looking at the CSCs. I don’t have a lot of faith, however.

End update, and onto our regularly scheduled article: 

Around the time of the Galaxy S7, Samsung did something really cool with their phones, something that Apple had been doing for a bit but was very nice to see others taking up as well: They began making their phones universally compatible. How they did this was kind of neat: They shipped one model of phone (for all intents and purposes, even though they DID have different model numbers at the time) that had all the band compatibility you could want, but the phone would determine what bands and features to enable based on the firmware on the phone.

If it was running, say, AT&T firmware? AT&T bands would be enabled and AT&T-centric features would be enabled as well. The AT&T bloatware would also load. If you had the unlocked model direct from Samsung, your phone would reboot and change up behind the scenes, but no bloatware would be involved: the firmware could change just the cellular configuration by way of something called a CSC, the little code that determines what phone you have and what carrier configuration you’re going to get.

Enterprising people figured out that if you patched ODIN (Samsung’s firmware flashing tool) to not verify the firmware it’s flashing, you could actually flash the unlocked firmware onto a carrier S7 and gain all the compatibility benefits (but this would never SIM unlock a phone. You still had to do that yourself). Now your AT&T S7 could work on Verizon with no issues!

This worked because whenever you flashed a different firmware like this, it actually changed the CSC to match the firmware. So if you flashed the unlocked firmware, the firmware would give you the ability to jump between CSCs with the swap of a SIM card. 

Eventually, with the Galaxy S8, the normal, carrier-tainted firmware got this ability too. If you had a T-Mobile S8 with all the T-Mobile fixings (and it was SIM unlocked), you could slip an AT&T SIM into it and the phone would reboot and you’d have an AT&T boot screen with AT&T apps and AT&T network bands enabled. It for all intents and purposes became an AT&T phone. You also still had the option of flashing the unlocked firmware, if you so pleased.

What goes up, must come down

This practice continued all the way up until the S20 (and Note 20?), and it was a nice thing to have. It meant you didn’t have to go out and buy a new phone if you switched carriers, and with phones lasting many more years than they used to, it was again a very nice gesture.

But with the Galaxy S21, Samsung decided they were going to shut the door on this loophole. For some reason, whenever you flash a firmware onto an S21, it looks at the CSC that the phone was manufactured with (I think. This is speculation) and sort of soft-locks to that. Previously, new firmware would actually ignore the built-in manufactured CSC in favor of the CSC provided at the firmware level.

As such, if you grab the Verizon firmware and try to flash it over your AT&T firmware, rather than being greeted with Verizon’s boot screen and such, you’ll just be given AT&T’s firmware all over again.

Samsung even went so far as to lock out going to unlocked firmware in a similar fashion. You can flash the unlocked firmware and it’ll have the look and feel of the unlocked S21, however the CSC will still remain locked to your carrier, and as such you’ll only have the network bands enabled by the original carrier’s configuration.

(This is relatively problematic for AT&T; if you have another carrier’s CSC in the US you lose the ability to use LTE bands 14, 29, and 30, which can be quite important depending on where you live.)

To put it lightly: this sucks ass. Samsung made a dick move here by essentially soft-locking phones to carriers like this. It isn’t as bad as a full SIM lock, no. But it is nonetheless a dick move. (An AT&T SIM will still work with a T-Mobile config, for example. It’ll just be lacking some “nice to have” bands and result in a degraded experience.)

There is, however, a workaround to get things kind of working.

Canada saves the day

As I was throwing myself at this problem, someone on reddit named RayW suggested something kind of out there, but still might be crazy enough to work: try flashing the Canadian firmware and see what happens. And maybe try flashing the unlocked US firmware after?

This works because the Canadian variants of the S21 (in my case the G991W, because I have a regular S21) use the very same CPU as the US variants. Therefore, with patched ODIN, we can flash it onto our US S21. And sure enough, this actually worked. When I went into Settings > About Phone > Software Information, my CSC had changed to XAC/XAC/TMB! (Note, the last CSC will never change. That’s the CSC the phone originally shipped with.)

Checking the phone’s band configuration (*#2263# at the dialer if you’re curious), sure enough, the bands had changed. mmWave 5G was gone (because they don’t use it in Canada, I guess?) and I actually had SOME of the AT&T LTE bands back. This was an improvement!

Now, knowing that the US firmware seems to check and/or use the previous firmware’s CSC when flashing, I tried flashing the US unlocked firmware over the Canadian firmware. Sure enough…the US firmware didn’t know what to do with this and defaulted to XAA/XAA/TMB.

So by going a very roundabout way with firmware, it is possible to get your CSC to at least change to XAA without having to pay for something like SamKey to do it.

However, this unfortunately is very easy to undo. You cannot use the original carrier’s SIM anymore. In my case, my original CSC is TMB, so that means no T-Mobile. What’ll happen is what the phone should be doing with other SIMs in the first place: it’ll reboot and reconfigure itself, and when it’s done it’ll once again be locked to the original CSC. (In this case: TMB/TMB/TMB.)

If that should happen, you’ll have to go through ALL of this again to get back to XAA. 

Worse yet, this can happen even on the Canadian firmware. I’m not sure how.

That this is necessary is just outright asinine and I hope somewhere Samsung is working on bringing actual carrier switching to carrier-tainted S21s. 

Because if they don’t, it just might be time for me to go back to a Pixel.
