I've googled for hours for this. I am looking to get the MSL/'unlock code'/SPC for my CDMA blueangel. I have not found the answer anywhere. Does anyone have any pointers for me in unlocking an HTC CDMA phone?
Any help will be SO greatly appreciated.
You can use this app (you need to run the 2003 version of the .exe). It will take your ESN HEX as input (use capital letters) and will produce your MSL (not OTKSL). This app works for all HTC CDMA phones: Harrier (CDMA Blue Angel), Apache, and Titan.
It was created by a guy named isosdcftp over at ppcgeeks.com. Here is a link to the thread in case you're interested (primarily concerns the titan/mogul though):
http://forum.ppcgeeks.com/showthread.php?t=5531
Also keep in mind some carriers use 000000 for the MSL. If neither that nor the code produced by GetSPC work, then perhaps the particular carrier who sold your phone used their own MSL algorithm (possible but unlikely).
Doesn't work. I'm with Telecom New Zealand, if that's any help.
Can you be more specific? Does the app run and produce an invalid MSL or can you not even get the app to run? If you want to PM me with your ESN HEX I will generate it on my end and PM it back to you to confirm.
I have a Sprint-branded Harrier (I'm in the US) and GetSPC spit out the correct MSL for me, but maybe TNZ programs in their own MSL instead of using the HTC default. In that case not much you can do unless you get the phone into DIAG mode and see if bitpim can read it.
Sorry man. It generates a MSL, but when I go into the pst (##778+talk) I enter it and it barks at me 'Your unlock code is not correct!'. I will pm you with my ESN.
And how would I put it into diag mode? I am fluent with bitpim and linux etc. but I can't figure out how to put it in diag mode.
If there's any more help from anyone it would be VERY greatly appreciated.
tatotato said:
Sorry man. It generates a MSL, but when I go into the pst (##778+talk) I enter it and it barks at me 'Your unlock code is not correct!'. I will pm you with my ESN.
And how would I put it into diag mode? I am fluent with bitpim and linux etc. but I can't figure out how to put it in diag mode.
If there's any more help from anyone it would be VERY greatly appreciated.
Put the phone in diag mode (##DIAG + send or ##3424 + send), then install the serial driver for the new hardware (you can google for the driver). Then check the modem COM port under Modem in Device Manager, and set the same COM port for BitPim using other CDMA phones. Then check in NVM 000 or 001 and you should see the 6-digit SPC. Or, once you know the virtual serial port allocated to the modem, you may use other tools to check the SPC.
Let's see how it goes...
bR
Doesn't work; when I go ##DIAG+talk it just calls the number.
Please help to unlock my ZTE EV-DO modem, s/n 412823812444.
I am getting "phone does not accept SPC" in CDMA Workshop. Thanks.
S720 / HTC LIBRA / HTC 5800 / Fusion / Boss
I'm happy to hear that somebody is working on a hard SPL for HTC S720. Here's the deal, I really want to change esn in this phone but I realized that for now it's not possible.
It's a MSM7500.
- I've tried QPST, but version 2.7 only supports MSM6500.
- I've tried QXDM 3.9.19 and still can't write the new ESN. It says read only.
How to put it not in read only?
Could I use any kind of reader/writer to change info directly on the chip?
- CDMA Workshop 2.7: all kinds of ESN write don't work.
So, two options left:
1 - Either I desolder the ESN chip and change it for a new one (to be honest, I haven't discovered yet if the ESN is inside the MSM or on a different chip). If that's the case (on a diff. chip), it's a bit of a pain in the butt to do, but it's still an option.
2 - I want to try shadowmite's method for writing the ESN into a PPC6800. Again it need to be done in high level via MTTY.
Concerning MTTY I cannot run commands because I can't put the phone on the boot loader screen.
I will try to run RUU, which will put the phone in the bootloader screen, and then try MTTY.
I tried the method of RUU to get into bootloader and then run MTTY but it doesn't work... I get the error ''Unable to load USB port''.
Any suggestion...? Or any help I could bring to create this hard spl?
And please, anybody that is gonna tell me that it's illegal to do and that is gonna write me the FBI phone number it's fine, just pass to the next thread!
I'd be more than happy to help anybody with what I can.
Sometimes when you flash a new radio, or you mess around in QPST, you can break your data. What's behind the breakage, you may ask? It's your AAA and HA shared secrets.
A little background information:
The HA key is what gets you 1x data on your carrier. This is carrier specific, however is NOT phone specific. This could be google'd if you really required it.
The AAA key:
This IS device specific; you can't google it. It's connected to your account, and the way to get it is not what some consider easy. This is what gets you EVDO speeds; without it you are stuck on 1x. If you call your carrier they will not give it to you either.
Continuing on to more information...
We will need a few tools to backup the keys, some free some not.
Team BlueRidge Sense 2.1 (it contains proper apps for using DM PORT)
QPST (free find it online)
CDMA Workshop (the demo should be fine, you could also borrow it)
HTC DIAG drivers (Just google it and find the installation guide)
Time
A hex editor
Now for the fun.... (If something seems too vague, google it)
First, we must get the MSL; use the app MSL Reader in the Market.
Now, dial ##PORT# on the phone; you will get a menu. Hit enable, and then go ahead and enter your MSL.
Now, let's open QPST, set up the phone, and go to EFS in the services tab of QPST.
Now in EFS, make a folder called "open sesame door" (without quotes, all lower case) in the root directory of the file system.
Reboot your phone.
Now open CDMA Workshop and connect to the COM port of your phone.
Let's do a memory read here to see where stuff is:
Readable area from: 013D:0000
Unreadable area from: 01EA:0000
Readable area from: C000:0000
Process is stopped at: C0F1:0000
That says we can read 013D:0000 and C000:0000. I'll save you time and tell you we need to dump 013D:0000, however (for all VM I've seen).
So now, let's go back to CDMA Workshop (should be there already) and choose to read Memory; make sure eeprom is not checked.
Start address will be 013D:0000 (what i mentioned earlier)
size 99999999
This will scan the phone and dump everything into a .bin
Lets get a snack while this dumps... It will take a while
_________________________________________________
Okay, now the thing is dumped; let's call this scan1.bin.
Open this in hex now, and hit Ctrl+F.
Search for the word "secret" (no quotes, of course).
Now (for VM) you will see vmug33k; that is your HA key. The first one shown under secret is ALWAYS the HA key.
Look down one line, voilà, your AAA key is right below. (BACK THIS UP: email it to yourself, take a picture, etc. DON'T LOSE IT EVER, YOU WON'T GET IT BACK.)
So now you have your keys backed up. I can't tell you what you can or cannot do with them; it is up to you, the end user. However, I cannot endorse flashing phones or any illegal activity. In the manner I am providing this, it is ONLY to save your AAA key in case of a bad radio flash, if you ever find a leaked radio.
You're right Simon, you will not get that AAA secret back; better hope you have warranty if you lose it (I know from experience). Thanks for this.
On another note, do you know if there is a way to increase max speaker volume through QPST on this phone?
Does it allow you to write also?
What do you mean write?
To another device
Sent from my HTC_A510c using Tapatalk
You can but I can not say how as it's illegal in some cases. If you, the end user choose to, it is up to you. I can not endorse it, however, I can say, qpst is your friend
Sent from my HTC_A510c using Tapatalk
You say line below, but that's a bit vague seeing as you don't say what offset length you're using. Are you using 8, 10, 16 offset or what?
How long is the AKEY?
I'm a bit confused. I had it with QXDM but it doesn't work under Vista so I can't look it up the easy way.
Any help would be appreciated.
QXDM runs on Win7, don't know why it wouldn't on Vista... [the key is one must run it in XP compatibility mode]. That being said, the above tutorial references a tool in QPST [which doesn't require compatibility mode] called EFS Explorer; then switches to CDMA ware. It works as prescribed; no QXDM needed [QXDM didn't work for me attempting the easy way; doesn't display second set of info].
On specific question, if you open the dumped file in a hex editor [like HxD], you can visually see your aaa key after searching, as the tutorial suggests you do. I didn't need to put any offsets in my hex editor. You will find the aaa key to be 10 characters I believe for our phones [or more [[double that]] in binary].
Hope that helps; thanks for the tut Simon.
Rob
Sent from my PC36100 using Tapatalk 2
Hello to all of you! Can anyone help me to find out one little thing?)
I was searching for the info about converting SuPrimo 23 (updated version). I really loved that! It's just I can't convert it to CDMA as well. I tried with CDMA Converter v15 but it didn't work. (I took it from developer's site shubham(dot)viperbravo(dot)info.) Needless to say, the phone was unrooted, CWM's set... the phone's Virgin Mobile.
So, when I'm trying to get into diag mode it just shows me the message about USSD problem (which is definitely from GSM world, not CDMA). So, what I have is a device that can be used just as box of widgets)) no phone, no wifi. But there's radio and internet through cable connect to PC.
Oh well, any tip?
upd1:
Kernel version is 3.0.30JmxPrimoC+ [email protected] #1 PREEMPT
Radiomodule 1.00.00.0521_2
Release number 2.22.401.1 CL92876 release-keys
Android version 4.0.4
SuPrimo v23 was converted with SuPrimo v15.0 and instead of CDMA settings I have GSM ones, like empty IMEI, IMEI SV, IMSI, plus no phone number, no MAC address is given.
Any ideas, please?
upd2:
After searching all over (in here and other sites) I dropped to a solution which brought me to a bricked phone and then kinda recovering.
What was done:
- the ROM from VM RUU was taken, which led to 'bricked mode';
- Jmz PrimoC Kernel v0.1 was taken and the kernel was flashed;
- then VM odex was installed (which led to bricked again);
- then SuPrimo 23 and SuPrimo Converter CDMA 15 (all settings appeared - yeeha! - but!) got another weird problem - 'Unfortunately, Personalize has stopped'.
I dunno what causes the problem. I read there might be a CID problem, but not sure.
Still help is needed and appreciated. 'Cause except my settings and Chinese map (??) nothing more works) for now.
can't drop in diag mode
Well, continue my research)
Many of you know what command to use to get into diag mode, this is ##3424#. But my phone doesn't allow it. Like if it's a gsm model. Donno why. So, what I did is I used such a command:
- *#*#3424#*#* (this is HTC Function Test v3.01.01g)
It gives a list of tests which you may run. So, I ran device information and it showed me Model Number, Dev serial, MEID, Phone number and MSI, all correct. Then I ran Hardware information and Software info and all's okay too.
And then I run another command - *#*#4636*#*# (Testing) And took a look into Phone Information:
Neighboring CID: unknown
GSM service: Emergency calls only (?? why?)
Network type: unknown
GSM disconnects: =====DATA======
Set preferred network type: CDMA auto (PRL)
I donno why ##diag# doesn't work. Coz of that my pc doesn't see COM port of htc and therefore I can't use QPST or CDMA workshop or whatever that changes settings of the phone.
Help me please, what direction should I take a look at?
ollelinux said:
Well, continue my research)
Many of you know what command to use to get into diag mode, this is ##3424#. But my phone doesn't allow it. Like if it's a gsm model. Donno why. So, what I did is I used such a command:
- *#*#3424#*#* (this is HTC Function Test v3.01.01g)
It gives a list of tests which you may run. So, I ran device information and it showed me Model Number, Dev serial, MEID, Phone number and MSI, all correct. Then I ran Hardware information and Software info and all's okay too.
And then I run another command - *#*#4636*#*# (Testing) And took a look into Phone Information:
Neighboring CID: unknown
GSM service: Emergency calls only (?? why?)
Network type: unknown
GSM disconnects: =====DATA======
Set preferred network type: CDMA auto (PRL)
I donno why ##diag# doesn't work. Coz of that my pc doesn't see COM port of htc and therefore I can't use QPST or CDMA workshop or whatever that changes settings of the phone.
Help me please, what direction should I take a look at?
I am currently running SuPrimoV.30 with CDMA converter V.15
Using TWRP recovery allows you to flash the zips in the correct order as listed below.
1. Did you perform a full wipe when installing SuPrimoV.23/V.30?
2. Be sure to flash CDMA converter right after flashing SuPrimoV.23/V.30.
3. Boot into fastboot and flash the boot.img from CDMA converter zip.
4. Reboot phone and Enjoy SuPrimoV.23/V.30. Hope this helps!
Gryff302 said:
I am currently running SuPrimoV.30 with CDMA converter V.15
Using TWRP recovery allows you to flash the zips in the correct order as listed below.
1. Did you perform a full wipe when installing SuPrimoV.23/V.30?
2. Be sure to flash CDMA converter right after flashing SuPrimoV.23/V.30.
3. Boot into fastboot and flash the boot.img from CDMA converter zip.
4. Reboot phone and Enjoy SuPrimoV.23/V.30. Hope this helps!
Thanks for sharing your knowledge with me.
TWRP? Why not CWM?(I used CWM-based Recovery v.6.0.1.5)
And if TWRP - then which version (link is appreciated)
I used full wipe. But as for 3. - cwm & converter zip. I'll try the way you suggest and set the newer version of SuPrimo.
Thank you for your help!
Twrp is nice because it is touch not the buttons. In my opinion I freaking love touch recoveries. Twrp seems to be less buggy than the cwm for hov on CDMA. The current version is 2.3.1 somewhere on the hov forums
Sent from my HTC One
2Gryff302:
Well, I did all as you've written. Phone is clean) (no phone number) and no diag mode still. (
upd:
And yes, in v.30 I had a problem with camera (it didn't work). So, I changed my rom to jmz one.
I was trying to change the SPC/MSL to 000000 and was supposed to make it like 303030303030 in hex, but I made it 00000000000 in hex and now it's set as NUL NUL NUL NUL. My question is: I have another Galaxy S3 with my SPC/MSL set at 000000; can I copy the NV item 85 from one phone and adb push it to another? Please, if you can help me, I'd owe you big time.
If the Device Boots, it is not " Hard Bricked " . Have you tried doing an ODIN back to Stock ?
prboy1969 said:
If the Device Boots, it is not " Hard Bricked " . Have you tried doing an ODIN back to Stock ?
Yeah, but that didn't do anything because the NV item 85 is in the EFS partition. I think the only way to fix it is to buy DFS or CDMA Workshop. Then it may be possible to scan for the MSL/SPC and input the displayed lock code to then copy the correct NV item back. It was late and I was messing with it; it's my wife's phone lol.... mine is fine. I'm sure I can probably fix it because we have access to the bootloader. I dunno, I'm kind of a noob at this. Dang crap is picky and not like Windows. If it were a Windows-like OS it would already be fixed lol. And thanks for the reply.....
I take it you are trying to Flash to PrePaid ? If you want the MSL you can check out THIS thread. Also the thread HERE may be of some assistance.
prboy1969 said:
I take it you are trying to Flash to PrePaid ? If you want the MSL you can check out THIS thread. Also the thread HERE may be of some assistance.
Well, I can do getprop and it says [ril.MSL] : [ ]
lol but I can't enter a blank password, and all 000000 didn't work either.
For the method I linked to work you have to be on an LJ7 Rom.
prboy1969 said:
For the method I linked to work you have to be on an LJ7 Rom.
I did all that already lol. My problem is I made my NV 85 item (MSL) null, all ooooooooooo in hex, when it's supposed to be 30303030303030... or 000000 not in hex... so my SPC and/or MSL is now null. It might as well be deleted, because without CDMA Workshop or DFS I can't access the locked sectors on the phone, and when I do getprop ril.MSL in terminal emulator on the LJ7 ROM with the LG2 modem I get [ril.MSL]: [ ], which is just a space, no numbers or anything. And as far as I know I need the MSL to be able to copy over any NV items. But I cannot enter a space as password, so I guess till I buy either CDMA Workshop or DFS I can't fix it, am I correct? Please help me, which is the best solution? And what is the best software to buy?
I'm going to say that CDMA Workshop is your best bet. As for where the best way to buy it. I would have to say Google is your friend.
Hi,
How do I get into the diag mode of this phone? I googled and googled until I could search no more!!
I tried ##diag# and some other codes but none is giving me the option.
I need to be able to connect the phone to the PC and see it in DFS, CDMA, QPST. None of these see the phone usb port now.
Please help. Thank you!
Sprint Kyocera DuraXT E4277
Well, I figured it out!
After all this headache of looking for the DIAG menu on the DuraXT, it turns out that it's not needed. All I had to do is install the drivers on the PC and connect the USB cable, select Modem on the phone, and DFS was able to read it.
Now I have another problem. I need the 16 digit device password and the only thing I see on Google is that it's all F's (FFFFFFFFFFFFFFF), but that is not correct.
Does anyone know how to find the SPC/MSL for the DuraXT E4277? The memory is unreadable, completely locked from reading.
Mr. Q 5 said:
Well, I figured it out!
After all this headache of looking for the DIAG menu on the DuraXT, it turns out that it's not needed. All I had to do is install the drivers on the PC and connect the USB cable, select Modem on the phone, and DFS was able to read it.
Now I have another problem. I need the 16 digit device password and the only thing I see on Google is that it's all F's (FFFFFFFFFFFFFFF), but that is not correct.
thelastemperor24 said:
Does anyone know how to find the SPC/MSL for the DuraXT E4277? The memory is unreadable, completely locked from reading.
Unfortunately Kyocera phones do not use 16 digit passwords, only Samsungs do. If you're trying to repair the esn/imei or unlock it, don't even waste your time, there are no specialized tools available for those tasks, other than reading the user lock, nam, etc via DFS/CWS or other similar cdma tools. But you'll probably need the SPC/MSL which may be gotten from Sprint by pretending that you need the code to factory reset it through the ##786# menu. Kyocera phones have always had elusive security, including full memory lock. Just chalk it up as a "No Can Do"