MSM7200 again - Windows Mobile Software Development

Hi, all!
I have some trouble with my device. I got SVC mode, I can disable the MMU, I can set the Region Access Control Register via the mcr p15, 0, Rx, c15, c2, 4 instruction, I can do anything, but I can't get access to the peripheral bus registers.
What am I doing wrong?
Regards

Related

Avoid Boot-time Auto Configuration?

Does anybody know how to avoid the Auto Configuration (the program that starts only the first time after a cold boot)?
I think that program (AutoConfig.exe) is part of the ROM, but in O2 ROMs it does not start after a cold boot, so there should be some way to disable it. Any idea?
Regards.
Avoiding AutoConfig.exe is easy.
You only have to comment out the corresponding lines in Welcome.cpp:
RunApp(L"\\Windows\\AutoConfig.exe", L"");
and if you can avoid the reboot, you should also comment out the lines which have a comment that says:
// reboot
KernelIoControl(0x0101003c, 0, 0, 0, 0, 0);

Epic 4g to metropcs/cricket

I am going to show you how to get the Epic 4G onto MetroPCS.
First things first: you need to get the ESN added to MetroPCS.
If you can't add the ESN in the inventory it will not work.
You can, however, use a Boost Mobile tutorial to clone the ESN from your phone; just look on YouTube.
The short bit on cloning is that it's very, very easy: you have to zero it out, then use QXDM to load a new one.
That's all I have to say about that.
Things you are going to need:
A computer with administrative access
CDMA Workshop 2.7
QPST that can read the phone: http://thepiratebay.org/torrent/6388346/Qualcomm
MetroPCS PRL: http://www.corolada.com/prl/metropcs/02001.prl
Samsung drivers: http://downloadcenter.samsung.com/content/SW/201009/20100901010102890/Samsung_Mobile_Driver_V1.3.800_For_SPH-d700_Epic_4G.zip
A Samsung Epic with a data cable; not all cables are equal, so keep several handy.
First we're going to change the MSL to 000 so that MetroPCS Over The Air activation can work.
Turn your phone on and dial ##8778#, select modem under USB, and under UART select modem.
Once you do this your phone will be readable by QPST and CDMA Workshop.
Drivers and COM Ports
Install the Samsung drivers; once that finishes you can plug the phone in and the drivers will install.
You will need to find out what port your phone is under, and possibly change it to any open port under 25.
Go to the Start menu, then My Computer, right click on it and select Manage.
In Vista/7 allow administrative access. A window like this appears.
Click on Device Manager; then under Modems you should see Samsung Mobile Modem.
Right click on that and then select Properties.
Once this opens click on 2, then select Advanced Port Settings.
This will be your port number for CDMA Workshop and QPST. If you notice, on my computer it's at 32.
I need to change it to any number below 25 so that CDMA Workshop 2.7 will open it.
Click on where 3 is pointing to and select a port from the list below 25. Then close that out.
CDMA Workshop MSL change
Whatever port you had from the previous section, we need to enter it in CDMA Workshop.
Open CDMA WS.
4 Select your COM port
5 Click Connect; in my screenshot I was already connected so it says Disconnect.
6 Read from the phone, and information like your phone number will appear on the side when it's connected.
7 Go to the Security tab
8 In the SPC field put 000000 (six zeros)
9 Click on SPC Write.
Once that's done you can close CDMA Workshop; it will ask you to reset.
Do it.
With this part done you can slip the ESN change in here from the Boost tutorial.
QPST, PRL, INTERNET
Install QPST.
Go to the Start menu, All Programs, QPST, then QPST Configurator.
10 Go to the Ports tab
11 Add New Port
12 Click on Show Serial USB/QC Diagnostic ports
13 You should see something like COM32-USB/QC Data Modem. Select it and click OK.
14 You should see a phone in the list
15 Go to Start Clients
16 Select Service Programming
A new window will open up.
17 In the phone selection window make sure your phone is selected
18 Click on OK to enter programming on the selected phone.
19 Once the window opens click on Read from Phone
20 Make sure the SPC is 000000; we changed it in CDMA WS
21 Click OK to
22 Go to the CDMA tab
23 If you cloned your ESN put your MDN or MIN here; I don't know which is which
24 If you cloned your ESN put your MDN or MIN here; I don't know which is which
25 Select the Roam tab
26 Click Browse and select your MetroPCS PRL downloaded from corolada
27 Select the Display tab
28 Change the banner to MetroPCS or whatever you want. You can even leave it at Sprint
29 Click on the right arrow to reveal more tabs on top
30 Select the M.I.P. tab
31 Change Mobile IP to Simple IP only
32 Change the Initial Registration to 1750ms
33 Click on RFC2002 authentication calculation
34 Change Registration Retries to 2
35 Change Deregistration Retries to 1
36 Change Lifetime-expiry registration to 0
37 Now double click on User Profile 0 and change it according to steps 39-49
38 Double click on User Profile 1 and change it according to steps 50-59
39 Change the NAI to [email protected] or [email protected]
40 Change Tethered NAI to [email protected] or [email protected]
41 On HA shared secret click on Enter text string
42 Enter metropcs
43 On AAA shared secret select Enter text string
44 Enter metropcs
45 Change MIN HA SPI to 12C
46 Change MIN-AAA SPI to 2
47 Change the primary HA address to 0.0.0.0
48 Change the secondary HA address to 0.0.0.0
49 Click OK
50 Change the NAI to [email protected] or [email protected]
51 Change Tethered NAI to [email protected] or [email protected]
52 On HA shared secret click on Enter text string
53 Enter metropcs
54 On AAA shared secret select Enter text string
55 Enter metropcs
56 Change MIN HA SPI to 12C
57 Change MIN-AAA SPI to 2
58 Change the primary HA address to 0.0.0.0
59 Change the secondary HA address to 0.0.0.0
60 Click OK
61 There is no 61, I skipped a number, but I know someone is going to notice. I know.
62 Now click on the PPP Config tab
63 In the Rm tab change config tries of all 3 to 20
64 Make sure the request timeout is 1000 on all 3
65 Make sure NAK tries are 3 on all 3
66 Make sure terminate tries are 2 on LCP, 3 on IPCP and 3 on IPCPv6
67 Make sure request timeout is 3000 on LCP and 1000 on IPCP and IPCPv6
68 Set the compression setting for IPCPv6 to ignore
69 Make sure Require PW Enc is enabled/checked
70 Make sure PPP Detect is enabled/checked
71 Change retries to 5
I seem to have lost the rest of my captures thanks to Acronis!!! So I will continue with blodykiller86's pics, which are not labeled.
72 Make sure you click on Um
73 In the Um tab change config tries on LCP to 20, IPCP to 20 and IPCPv6 to 0
74 Make sure the request timeout is 1000 on LCP and IPCP, but on IPCPv6 change it to 0
75 Make sure NAK tries are 2 on LCP and IPCP, but on IPCPv6 change it to 28
76 Make sure terminate tries are 2 on LCP, 3 on IPCP and 0 on IPCPv6
77 Make sure request timeout is 3000 on LCP, 1000 on IPCP and 0 on IPCPv6
78 Set the compression setting for IPCP to disable
79 Set the compression setting for IPCPv6 to ignore
80 Make sure Optimized Dormant Handoff is enabled/checked
81 Change retries on PPP authentication to 5
82 Change tethered NAI on PPP authentication to [email protected] or [email protected]
83 Change User ID on PPP authentication to [email protected] or [email protected]
84 Go to http://www.whiterabbit.org/android/ and put your ESN where it says "Enter 1 MEID/ESN per line in the text area to your left, then click the calculate button."
The ESN is at the top of your QPST window; copy the short number that starts with an 8 and calculate.
It will return a six digit MetroPCS MSL code.
85 Take the generated code and put it in the password
86 Click on AN
73 In the AN tab change config tries on LCP to 20, IPCP to 20 and IPCPv6 to 0
74 Make sure the request timeout is 1000 on LCP and IPCP, but on IPCPv6 change it to 0
75 Make sure NAK tries are 2 on LCP and IPCP, but on IPCPv6 change it to 28
76 Make sure terminate tries are 2 on LCP, 3 on IPCP and 0 on IPCPv6
77 Make sure request timeout is 3000 on LCP, 1000 on IPCP and 0 on IPCPv6
78 Set the compression setting for IPCP to disable
79 Set the compression setting for IPCPv6 to ignore
81 Change retries on PPP authentication to 5
82 Change tethered NAI on PPP authentication to [email protected] or [email protected]
83 Change the password to the MSL code you got from White Rabbit, a six digit code.
Then just click Write to Phone; wait for the phone to reboot before closing QPST.
Then, if you want to activate your phone and it's not in your account already, just dial *228
to enter Over The Air activation; it will ask for English or Spanish. Select either.
Once it gets past that it will ask why you called.
Dial 2 to change number, dial 1 to proceed, then 1 to proceed, enter your phone number, enter your security code (usually the birthdate of the account holder), and follow the rest of what she says.
1 is for yes, 2 is for no; I usually mute the microphone.
And then it's activated to an account.
Next make sure you dial *228; this time select 5 to update your PRL and reboot.
All done.
I don't know how to get MMS working yet. I have tried u2nl, WAP, proxies, flashing zips that change the MMS settings, and no luck yet.
I'll let you know when I get it working or if anything comes up in the thread.
I stay very busy, so don't be surprised if I don't answer, but if you send me a message it should get to my email.
P.S. To all you Cricket people, I am so sorry for forgetting about you when I started writing this; please change all appropriate settings, but it should work.
I will change them ASAP; right now though I've got to go.
P.P.S. I can't post in the development section because of the stupid stupid stupid stupid stupid stupid (you get the point) post count rules.
Update: MMS
Okay, I found out something very useful on how to get MMS to WORK: basically I sent myself a small 46k pic to Gmail. But I kept messing with the phone, without even realizing I had it working. Basically, before I knew it I had killed it.
Here is what I used to get it to work.
Autostart.sh
#######
# Make the binaries dropped in /data/local/bin reachable on PATH
export PATH=$PATH:/data/local/bin
# Address of the carrier proxy that u2nl will forward traffic to
IP_ADDR="10.223.2.4"
chmod 755 /data/local/iptables
chmod 755 /data/local/u2nl
# Start u2nl: accept connections on local port 8888 and tunnel them via the proxy on port 3128
/data/local/u2nl $IP_ADDR 3128 127.0.0.1 8888 &
# Redirect all outgoing TCP on ppp0 (except traffic to the proxy itself) into u2nl's local port
/data/local/iptables -t nat -o ppp0 -A OUTPUT -p tcp -d ! $IP_ADDR -j REDIRECT --to-port 8888
# Remount /system read-write, then replace the telephony database and the Mms apk
/sbin/remount rw
cat /data/local/telephony.db > /data/data/com.android.providers.telephony/databases/telephony.db
cat /data/local/Mms.apk > /system/app/Mms.apk
sleep 5
# Kill any process named autostart (this script included) once setup is done
kill `ps | /data/local/busybox grep autostart | /data/local/busybox awk '{print $2}'`
##########
I will post the iptables binary once I figure out where to upload it. For now, if you need it just msg me.
Also, to be clear, if you use the autostart.sh you won't have a working Messages apk. In other words, no text or MMS until you factory reset.
MMS
Okay, I got MMS, but first to vent.
First of all, in my experience with this phone, it's not worth the hassle.
Get an Evo or a Shift.
Also this phone should be defecated on and flushed down the toilet.
The keyboard is cheap, the AMOLED screen is not noticeably better than the Evo's (unlike the iPhone 4, and not worth the $100 part price), the keyboard is cheap, GPS is half decent, the UI is horrible. The Epic is by no means an Evo killer; I have had it for 2 months and all the time I have been cursing this phone. I have bricked it 2-3 times while at work, to where CW recovery won't help you any.
Then there is the issue of the kernel: you need a kernel that has iptables support.
You guessed it, the stock kernel doesn't have such a thing, so compiling is the best option. Until you go to the Samsung page and can't download the source. I tried Opera, Firefox, marthon, IE, Chrome, and UC. When I get my hands on the source code I will provide a kernel.
Next up is to get a ROM that has a kernel with support; oh yeah, that sounds easy.
No luck so far; I have reason to think that Epic Experience has iptables support.
But it has become abandoned and it's not updated to work with the new version of ClockworkMod recovery (edify). Just so you know, plain AOSP does not have support.
Do yourself a favor and sell it, but if you're like me and have 2 of them...
This phone cannot be flashed just like any other phone; you always have to jump through hoops.
Okay, so let's say you got an old CW, flashed Experience and were able to get a kernel with iptables.
You would get this:
http://www.4shared.com/file/yofYy6uB/epic_4g.html
It comes with
u2nl
autostart.sh
iptables
telephony.db
Mms.apk
APN backup xml file.
What you need
Autostart
ES File Explorer with the root features enabled
APN Backup and Restore
Busybox installer
First off you need to do what the autostart.sh says.
Copy u2nl, iptables, telephony.db, Mms.apk, and a copy of busybox to /data/local.
Then copy autostart.sh to /data/opt (you need to create the folder called opt) and make autostart.sh executable. You should run autostart.sh manually in the terminal like so: ./autostart.sh. If you get a FIX ME!, it means your kernel doesn't do iptables.
The last thing is to restore the APN with APN Backup and Restore using the one I provide, but you need to edit it with your phone number.
Edit this file accordingly in the APN xml:
mmsc="http://mms.metropcs.net/mmsc?X-Device-MIN=5555555555
Replace with your phone number like so:
<apn type="null" mmsc="http://mms.metropcs.net/mmsc?X-Device-MIN=2222222222
then restore it.
That should be ready.
I don't have it right now, like I said, because of stupid problems.
But like I have said, I have sent AN MMS once already. But right after that I bricked the phone, so I had to delete everything.
Thanks for the post missingxtension. Looking at the posted files, they all seem to contain Sprint info within each file: the telephony.db file, autostart files, apns file and so on. Was this an accident or....??
I know you said you bricked your phone, so I'm not sure if you meant all files are coming soon or it should work as is minus the apns-config. I was so excited until I looked in each of them.. lol
Sorry to necro an old thread, but I followed your steps exactly. For some reason my phone won't connect to a Metro tower. I then went back into QPST and changed the SID and still can't connect to a Metro tower. What am I missing?
I am one of the few, if not the only, members on XDA who has their Epic on MetroPCS.
If you're having issues with the internet, there's a file floating on the net that calculates the MetroPCS WAP password needed in order to be online. It's calculated based off of your MEID.
My phone was flashed as the 2nd poster said, with the autostart u2nl crap. It sucked. My phone did not last long and the autostart was hogging my battery. It was possible with Shiziopunk's Epic Experience 2.1 Eclair (outdated), though since I've moved, MetroPCS towers no longer reach me in the state of Oregon, so I roam 24/7, using wifi and third party apps for MMS and whatnot. I use EG22 deodexed stock now. Still have service. I still have the MetroPCS ROM backed up in ClockworkMod, but unless I was instructed on how to strip my personal data from it, I'm not sharing.. Donations would be appreciated from anyone interested. After all, I did pay $75 for my ROM.
Shinydude100 said:
I am one of the few, if not the only, members on XDA who has their Epic on MetroPCS.
If you're having issues with the internet, there's a file floating on the net that calculates the MetroPCS WAP password needed in order to be online. It's calculated based off of your MEID.
My phone was flashed as the 2nd poster said, with the autostart u2nl crap. It sucked. My phone did not last long and the autostart was hogging my battery. It was possible with Shiziopunk's Epic Experience 2.1 Eclair (outdated), though since I've moved, MetroPCS towers no longer reach me in the state of Oregon, so I roam 24/7, using wifi and third party apps for MMS and whatnot. I use EG22 deodexed stock now. Still have service. I still have the MetroPCS ROM backed up in ClockworkMod, but unless I was instructed on how to strip my personal data from it, I'm not sharing.. Donations would be appreciated from anyone interested. After all, I did pay $75 for my ROM.
I'm not worried about internet or anything like that yet. I need to get the phone to connect to a Metro tower first. I'll figure out MMS and internet afterwards. I also plan on doing a MetroPCS version of any Syndicate ROM I do. It will be what the ROM is plus all the **** to make the phone run on MetroPCS smoothly.
Honestly, if all that worried you was getting it to connect to a Metro tower, then get your ESN added with Metro. That simple.
Shinydude100 said:
Honestly, if all that worried you was getting it to connect to a Metro tower, then get your ESN added with Metro. That simple.
Like I mentioned before, I followed the steps in the OP. One of the first steps was to clone the ESN or get it added to MetroPCS. I cloned my ESN and still can't connect to a Metro tower.
Again. You need to add it to MetroPCS's ESN database; cloning over your Boost ESN is retarded. Boost Mobile is owned by Sprint. Nothing to do with MetroPCS.
ESN must be a Metro ESN or a ported ESN.
MysteryEmotionz said:
Like I mentioned before, I followed the steps in the OP. One of the first steps was to clone the ESN or get it added to MetroPCS. I cloned my ESN and still can't connect to a Metro tower.
I might be able to help on getting a Metro ESN; PM me.
Also, about the Sprint stuff, I am 100 percent sure that the only problem I am having is a crappy kernel. I still can't download the source code to give netfilter a shot.
I can send MMS no problem, so if I send "hey" to [email protected] it goes through no problem.
The picture messages are the problem.
I was able to install Epic Experience 1.9 and it didn't boot.
I downgraded the recovery to 2.5 and it looked promising.
I am not done working on this, but luckily I am to the point where I can already start using my Shift again.
I am currently also working on an Evo 3D and Nexus S 4G.
Again, once I find out, I will post all the information I have.
Also sorry about the pictures; I took a lot of time to write and make screenshots.
But I got the thumbnail links; I'll update the links ASAP.
I will keep an eye on this thread; it's not dead at all.
Also, if you PM me, I do get a message on email.
Hey Shiny, can you PM me with info about your Epic on MetroPCS? My wife has her phone already on MetroPCS, and all the basics work just fine, but her Eclair has bugs, and I wanted to try to upgrade her ROM. Just wanted yours or anyone else's input. Thanks
Sent from my PG06100 using xda premium
You can upgrade her ROM, but in the process you'll more than likely lose Metro's 3G service with only 1x working (due to iptables, I believe), so no picture messaging or internet if upgraded. You should use ClockworkMod for a nand backup and upgrade it once it's backed up. I upgraded mine because MetroPCS is non-existent in Oregon but they have roaming here, so I wasn't going to need to stay on the MetroPCS-friendly ROM when I have wifi at home for internet/picture emailing. I'm on EH17 GB and loving it.
Unfortunately, we do not have 3G here yet, so I guess I'll tackle that when the time comes. What is the difference with the GB17? Do you have a link, or should I just Google it, or is it in a forum? Thanks for your help again
Sent from my PG06100 using xda premium
cbernardo13 said:
Unfortunately, we do not have 3G here yet, so I guess I'll tackle that when the time comes. What is the difference with the GB17? Do you have a link, or should I just Google it, or is it in a forum? Thanks for your help again
Sent from my PG06100 using xda premium
It still has issues but they are VERY minuscule now. Here is my own changelog of the differences.
Major GPS lock improvement.
On Froyo & GB: Adobe Flash Player 10.3 works excellently.
Apps 2 SD. (This is a *big* plus; you won't be hogging the internal memory space on her Epic.)
Graphical user interface upgraded. The icons in the Settings menu are now color, instead of the old Eclair look.
Battery Use now has a graph showing your battery life.
Battery life should improve after you upgrade to EH17, compared to Eclair.
~There are a few more nice things you can get, but you need to upgrade to EH17 before they will work.~ Like the CRT-off animation when your screen turns off on her Epic. And a battery percentage inside the battery icon in the Android status bar.
Make sure you get ClockworkMod installed and nandroid backup her Metro ROM before you flash anything; that ROM is valuable.
Once you decide to upgrade you'll need:
-Samsung drivers installed.
If Windows Vista/7, it should install using your internet. If Windows XP, you'll need to look online for the Samsung drivers. If you're on a 32-bit computer, get the x86 drivers; if on 64-bit, get the x64 drivers.
You'll need to download Odin, found in the Epic section titled "Android Development". You can also find it online..
Once you have that, you'll need to power off her Epic, slide open the keyboard, hold down the "1" key and the power button, and you'll be in Download mode. Find ClockworkMod, follow the instructions and flash that using Odin. (Notice your computer should pick up her Epic as a modem, etc.) Odin will show COM1, 2..3..4.. a different # for all of us; that's just the port assigned by your computer. Once you flash ClockworkMod, next is the nandroid backup.
Turn the phone off if Odin rebooted it. Hold the down button, camera button, and power button. (Have a firm grip; don't let go until the ClockworkMod recovery comes up, which should be purple if you Odin'd the latest one.) Go to advanced/backup. Hit yes, and the nand backup will begin. This will save you from semi-bricking your girl's Epic in the future.
Next you'll want to pick a ROM to flash. You can go with whatever you want, but I recommend you start off with ROMs using the RFS file format until you get the hang of flashing. I'm personally using Deca's EH17 deodexed ROM. It's stock. It has minor reboots, but they aren't too often. Good luck & happy flashing.
MysteryEmotionz said:
Sorry to necro an old thread, but I followed your steps exactly. For some reason my phone won't connect to a Metro tower. I then went back into QPST and changed the SID and still can't connect to a Metro tower. What am I missing?
When you dial *228 does it give you MetroPCS or another carrier's prompt? If another carrier's prompt, then you need to download the MetroPCS .prl to the phone. That's how the phone locates the towers.
Exactly. And I was assuming you had flashed your phone with MetroPCS already, which would have included the PRL. If you're in a rural area, it is possible to hear a different operator if roaming. But if it's Sprint, then the PRL isn't there.
I have Cricket and have everything working on the $45 plan...except MMS. Guess I'll read through some of these solutions and give 'em a try.
Thanks!
up-yours said:
OK, Cricket is going national on Sept 25, 2011.
I have an Epic 4G and want to use it on Cricket.
There are no corporate or other Cricket stores here.
I will have to flash it myself, right?
Where do I get a Cricket PRL?
I can follow the guide here and hope it all works....
Any advice?
http://www.androidcentral.com/cricket-goes-national-new-phones-best-buy-stores-sept-25
You have to get your ESN added to Cricket's system one way or another, whether that be finding a source who will add it for you for a fee, or getting a phone pre-programmed to Cricket, sold to you by someone who lives near a Cricket location and shipped to you. If you get the ESN added, you can use Google to find the appropriate PRL, and if you get it preprogrammed or flashed at a location outside your area, the PRL will be included.
Does anyone have issues with YouTube playing on wifi, but not on 3G?
Tried to clone my half broken Motorola Photon to the Epic 4G, but when I execute
scp xxxxxx
requestnvitemread ds_mip_ss_user_prof
requestnvitemread ds_mip_ss_user_prof 1
I get
15:29:20.748DIAG RX item:
15:29:20.763SPC Result = Correct
15:29:37.725requestnvitemread ds_mip_ss_user_prof
15:29:37.850DIAG TX item:
15:29:37.850index = 0
15:29:37.850mn_ha_shared_secret_length = 0x00
15:29:37.850mn_ha_shared_secret[0] = 0x00
15:29:37.850mn_ha_shared_secret[1] = 0x00
15:29:37.850mn_ha_shared_secret[2] = 0x00
15:29:37.850mn_ha_shared_secret[3] = 0x00
15:29:37.850mn_ha_shared_secret[4] = 0x00
15:29:37.850mn_ha_shared_secret[5] = 0x00
15:29:37.850mn_ha_shared_secret[6] = 0x00
15:29:37.850mn_ha_shared_secret[7] = 0x00
15:29:37.850mn_ha_shared_secret[8] = 0x00
15:29:37.850mn_ha_shared_secret[9] = 0x00
15:29:37.850mn_ha_shared_secret[10] = 0x00
15:29:37.850mn_ha_shared_secret[11] = 0x00
15:29:37.850mn_ha_shared_secret[12] = 0x00
15:29:37.850mn_ha_shared_secret[13] = 0x00
15:29:37.850mn_ha_shared_secret[14] = 0x00
15:29:37.850mn_ha_shared_secret[15] = 0x00
15:29:37.850mn_aaa_shared_secret_length = 0x00
15:29:37.850mn_aaa_shared_secret[0] = 0x00
15:29:37.850mn_aaa_shared_secret[1] = 0x00
15:29:37.850mn_aaa_shared_secret[2] = 0x00
15:29:37.850mn_aaa_shared_secret[3] = 0x00
15:29:37.850mn_aaa_shared_secret[4] = 0x00
15:29:37.850mn_aaa_shared_secret[5] = 0x00
15:29:37.850mn_aaa_shared_secret[6] = 0x00
15:29:37.850mn_aaa_shared_secret[7] = 0x00
15:29:37.850mn_aaa_shared_secret[8] = 0x00
15:29:37.850mn_aaa_shared_secret[9] = 0x00
15:29:37.850mn_aaa_shared_secret[10] = 0x00
15:29:37.850mn_aaa_shared_secret[11] = 0x00
15:29:37.850mn_aaa_shared_secret[12] = 0x00
15:29:37.850mn_aaa_shared_secret[13] = 0x00
15:29:37.850mn_aaa_shared_secret[14] = 0x00
15:29:37.850mn_aaa_shared_secret[15] = 0x00
15:29:37.850DIAG RX item:
15:29:37.850requestnvitemread - Error response received from target
15:29:56.938requestnvitemread ds_mip_ss_user_prof 1
15:29:57.063DIAG TX item:
15:29:57.063index = 1
15:29:57.063mn_ha_shared_secret_length = 0x00
15:29:57.063mn_ha_shared_secret[0] = 0x00
15:29:57.063mn_ha_shared_secret[1] = 0x00
15:29:57.063mn_ha_shared_secret[2] = 0x00
15:29:57.063mn_ha_shared_secret[3] = 0x00
15:29:57.063mn_ha_shared_secret[4] = 0x00
15:29:57.063mn_ha_shared_secret[5] = 0x00
15:29:57.063mn_ha_shared_secret[6] = 0x00
15:29:57.063mn_ha_shared_secret[7] = 0x00
15:29:57.063mn_ha_shared_secret[8] = 0x00
15:29:57.063mn_ha_shared_secret[9] = 0x00
15:29:57.063mn_ha_shared_secret[10] = 0x00
15:29:57.063mn_ha_shared_secret[11] = 0x00
15:29:57.063mn_ha_shared_secret[12] = 0x00
15:29:57.063mn_ha_shared_secret[13] = 0x00
15:29:57.063mn_ha_shared_secret[14] = 0x00
15:29:57.063mn_ha_shared_secret[15] = 0x00
15:29:57.063mn_aaa_shared_secret_length = 0x00
15:29:57.063mn_aaa_shared_secret[0] = 0x00
15:29:57.063mn_aaa_shared_secret[1] = 0x00
15:29:57.063mn_aaa_shared_secret[2] = 0x00
15:29:57.063mn_aaa_shared_secret[3] = 0x00
15:29:57.063mn_aaa_shared_secret[4] = 0x00
15:29:57.063mn_aaa_shared_secret[5] = 0x00
15:29:57.063mn_aaa_shared_secret[6] = 0x00
15:29:57.063mn_aaa_shared_secret[7] = 0x00
15:29:57.063mn_aaa_shared_secret[8] = 0x00
15:29:57.063mn_aaa_shared_secret[9] = 0x00
15:29:57.063mn_aaa_shared_secret[10] = 0x00
15:29:57.063mn_aaa_shared_secret[11] = 0x00
15:29:57.063mn_aaa_shared_secret[12] = 0x00
15:29:57.063mn_aaa_shared_secret[13] = 0x00
15:29:57.063mn_aaa_shared_secret[14] = 0x00
15:29:57.063mn_aaa_shared_secret[15] = 0x00
How can I read the password out of this phone??

[Q] Backing up HA & AAA secret keys

I'm trying to back up my HA & AAA secret keys using QXDM. I have had no problems reading these values on the EVO and the OG Epic. For some reason I can't read from the ET4G.
I have read that using the OG Epic tutorial for getting on Boost works for the ET4G. But this involves writing the HA & AAA secret keys from a donor to the ET4G, not reading from the ET4G.
http://forum.xda-developers.com/showthread.php?t=891077
In QXDM I use the following:
Code:
spc YOUR6DIGITSPC
<ENTER>
requestnvitemread ds_mip_ss_user_prof
<ENTER>
This should give me the profile 0 HA & AAA secret keys.
Then
Code:
requestnvitemread ds_mip_ss_user_prof 1
<ENTER>
This should give the profile 1 HA & AAA secret keys.
But it's returning all 0's:
Code:
03:43:46.073spc 8XXXX5
03:43:46.078RequestItem "Send Service Programming Code Request" 0x38 0x34 0x31 0x34 0x33 0x35
03:43:46.186DIAG TX item:
03:43:46.192Security Code[0] = 0x38
03:43:46.192Security Code[1] = 0x34
03:43:46.193Security Code[2] = 0x31
03:43:46.193Security Code[3] = 0x34
03:43:46.193Security Code[4] = 0x33
03:43:46.193Security Code[5] = 0x35
03:43:46.194DIAG RX item:
03:43:46.195SPC Result = Correct
03:44:38.026requestnvitemread ds_mip_ss_user_prof
03:44:38.136DIAG TX item:
03:44:38.138index = 0
03:44:38.139mn_ha_shared_secret_length = 0x00
03:44:38.139mn_ha_shared_secret[0] = 0x00
03:44:38.140mn_ha_shared_secret[1] = 0x00
03:44:38.140mn_ha_shared_secret[2] = 0x00
03:44:38.141mn_ha_shared_secret[3] = 0x00
03:44:38.141mn_ha_shared_secret[4] = 0x00
03:44:38.141mn_ha_shared_secret[5] = 0x00
03:44:38.142mn_ha_shared_secret[6] = 0x00
03:44:38.143mn_ha_shared_secret[7] = 0x00
03:44:38.143mn_ha_shared_secret[8] = 0x00
03:44:38.144mn_ha_shared_secret[9] = 0x00
03:44:38.144mn_ha_shared_secret[10] = 0x00
03:44:38.145mn_ha_shared_secret[11] = 0x00
03:44:38.145mn_ha_shared_secret[12] = 0x00
03:44:38.146mn_ha_shared_secret[13] = 0x00
03:44:38.146mn_ha_shared_secret[14] = 0x00
03:44:38.146mn_ha_shared_secret[15] = 0x00
03:44:38.147mn_aaa_shared_secret_length = 0x00
03:44:38.147mn_aaa_shared_secret[0] = 0x00
03:44:38.148mn_aaa_shared_secret[1] = 0x00
03:44:38.148mn_aaa_shared_secret[2] = 0x00
03:44:38.149mn_aaa_shared_secret[3] = 0x00
03:44:38.149mn_aaa_shared_secret[4] = 0x00
03:44:38.150mn_aaa_shared_secret[5] = 0x00
03:44:38.150mn_aaa_shared_secret[6] = 0x00
03:44:38.151mn_aaa_shared_secret[7] = 0x00
03:44:38.151mn_aaa_shared_secret[8] = 0x00
03:44:38.152mn_aaa_shared_secret[9] = 0x00
03:44:38.152mn_aaa_shared_secret[10] = 0x00
03:44:38.153mn_aaa_shared_secret[11] = 0x00
03:44:38.153mn_aaa_shared_secret[12] = 0x00
03:44:38.154mn_aaa_shared_secret[13] = 0x00
03:44:38.154mn_aaa_shared_secret[14] = 0x00
03:44:38.155mn_aaa_shared_secret[15] = 0x00
03:44:38.156DIAG RX item:
03:44:38.156requestnvitemread - Error response received from target
Does anyone know how to read the HA & AAA secret keys from the ET4G for backup purposes? I'm really after the AAA, because I'm pretty sure the HA = "secret".
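An added diagnostic example, not part of either post and not QXDM's own tooling: a small Python parser for the requestnvitemread transcripts quoted in this question and in the Photon/Epic one earlier in the thread. It reads each "requestnvitemread" request, the "DIAG TX item" and "DIAG RX item" blocks that follow it, and the "Error response received from target" line, and then says in plain words whether anything was actually read. The interpretation it encodes is my own reading of the QXDM output, not something the thread confirms: the TX block is the request QXDM sent, so its zero-filled secret fields are the outgoing template, and the RX block is the target's reply. The sample log is constructed (abridged from the quoted output); the second record, a successful read with non-zero lengths, is an assumed shape of a good reply.

```python
import re

# Constructed sample modelled on the QXDM output quoted in the thread (abridged).
# Record 1 mirrors the failing read; record 2 is an ASSUMED shape of a successful reply.
SAMPLE_LOG = """\
03:43:46.195SPC Result = Correct
03:44:38.026requestnvitemread ds_mip_ss_user_prof
03:44:38.136DIAG TX item:
03:44:38.138index = 0
03:44:38.139mn_ha_shared_secret_length = 0x00
03:44:38.139mn_ha_shared_secret[0] = 0x00
03:44:38.147mn_aaa_shared_secret_length = 0x00
03:44:38.147mn_aaa_shared_secret[0] = 0x00
03:44:38.156DIAG RX item:
03:44:38.156requestnvitemread - Error response received from target
03:45:10.001requestnvitemread ds_mip_ss_user_prof 1
03:45:10.100DIAG TX item:
03:45:10.100index = 1
03:45:10.100mn_ha_shared_secret_length = 0x00
03:45:10.200DIAG RX item:
03:45:10.200index = 1
03:45:10.200mn_ha_shared_secret_length = 0x06
03:45:10.200mn_aaa_shared_secret_length = 0x08
"""

# QXDM glues the timestamp straight onto the message text, so split on the fixed width.
TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})(.*)$")
REQ_RE = re.compile(r"^requestnvitemread (\S+)(?: (\d+))?$")
FIELD_RE = re.compile(r"^(\w+)(?:\[(\d+)\])? = (0x[0-9A-Fa-f]+|\d+)$")
ERR_MARK = "requestnvitemread - Error response received from target"


def parse_qxdm_log(text):
    """Return one dict per requestnvitemread: item, index, spc_ok, status, tx, rx."""
    records, current, section, spc_ok = [], None, None, False
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(2).strip()
        if body == "SPC Result = Correct":
            spc_ok = True
            continue
        if body == ERR_MARK:  # check before REQ_RE; both start with the command name
            if current is not None:
                current["status"] = "error"
            continue
        req = REQ_RE.match(body)
        if req:
            current = {"item": req.group(1), "index": int(req.group(2) or 0),
                       "spc_ok": spc_ok, "status": "no_response", "tx": {}, "rx": {}}
            records.append(current)
            section = None
            continue
        if body == "DIAG TX item:":
            section = "tx"
            continue
        if body == "DIAG RX item:":
            section = "rx"
            if current is not None and current["status"] == "no_response":
                current["status"] = "ok"  # may still be downgraded by an error line
            continue
        f = FIELD_RE.match(body)
        if f and current is not None and section is not None:
            name, idx, val = f.groups()
            key = name if idx is None else f"{name}[{idx}]"
            current[section][key] = int(val, 0)
    return records


def diagnose(record):
    """Explain one NV read. Assumption: TX = request template, RX = target's reply."""
    if not record["spc_ok"]:
        return "SPC was not accepted before the read; unlock first"
    if record["status"] == "error":
        return "target rejected the read; the zeros in the TX block are the request template, nothing was read"
    if record["status"] == "no_response":
        return "no RX block seen; the read did not complete"
    ha = record["rx"].get("mn_ha_shared_secret_length", 0)
    aaa = record["rx"].get("mn_aaa_shared_secret_length", 0)
    if ha == 0 and aaa == 0:
        return "read succeeded but both shared secrets are empty"
    return f"read succeeded: HA secret {ha} bytes, AAA secret {aaa} bytes"


if __name__ == "__main__":
    for rec in parse_qxdm_log(SAMPLE_LOG):
        print(f"{rec['item']}[{rec['index']}]: {diagnose(rec)}")
```

Run it against a saved QXDM log instead of SAMPLE_LOG to see at a glance which profile reads were refused; the point is that a wall of 0x00 under "DIAG TX item" followed by an error line means the phone denied the read (as the later "Access denied" from CDMA Workshop also suggests), not that the stored secrets are zero.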
Did you use the Samsung default password?
You can also use CDMA Workshop; they would be in 465, 466.
Sent from my SPH-D710 using XDA App
ranchosteve said:
Did you use the Samsung default password?
You can also use CDMA Workshop; they would be in 465, 466.
Sent from my SPH-D710 using XDA App
Yes, I sent the password; it still won't read. How do I use CDMA WS to get them?
EDIT*
I used the Read NV Items function in CDMA WS. I could read 465 but not 466:
0466 (0x01D2) - Access denied
bump
10char...
Hey, you are doing it right; you need to root your phone to back it up, due to security on the phone. You will get access denied in CDMA WS as well if you're not rooted. I just did it on an OG Epic to clone my ET4G.
clip3009 said:
Hey, you are doing it right; you need to root your phone to back it up, due to security on the phone. You will get access denied in CDMA WS as well if you're not rooted. I just did it on an OG Epic to clone my ET4G.
Yeah, I'm rooted... What were the steps you took to read the HA and AAA off the ET4G?
WHAT firmware are you using? 2.36?
clip3009 said:
What firmware are you using? 2.36?
I'm in the same boat. My computer is a Windows 7 machine and I don't have an XP computer anymore. Could you tell me how you got it to read the NV items from your Epic?
Do we need a Windows XP computer to get these values? When trying to write in Service Programming I get the following error: NV_UE_IMEI_I NV_READONLY_S SPRINT TOUCH EPIC
Dude, I used this software from this website and it was very simple and easy for me to use. PM me for a link. IDK if it's permissible or not here and I don't want any drama.
Did anybody find a way to back up the secret shared keys on the Epic Touch?
Is it possible that Samsung does not use NV items 466 and 1192?
Try logcat.
Put your phone in developer mode.
Connect it to the computer.
Run: adb logcat > log.txt
On your phone dial ##data#
Enter SPC/MSL
Select edit
Touch HA password (don't change it), exit it
Touch AAA password (don't change it), exit it.
Ctrl+C to kill adb
Open log.txt and scroll through the long list for the HA and AAA passwords.
I know, kind of a pain to find, but that's how I got them on my E4GT and Nexus S 4G.
Somewhere there is a thread about doing this on XDA, but at the moment I cannot find it.
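The DIAG trace at the top of the thread and the logcat procedure just described both leave the MIP shared secrets in plain text in a log file, and several people in this thread go on to attach such files to their posts. The following is an added example, not code from this thread, that scrubs those values out of a dump before it is shared. The `mn_aaa_shared_secret[i] = 0xNN` shape is the one visible in the trace above; the logcat-style `aaa password=`, `ha password=`, `spc=` and `msl=` line shapes are assumptions, and every value in the sample is constructed.

```python
import re
from typing import Tuple

# Constructed sample in the two formats seen in this thread: a QXDM/DIAG NV
# read trace (mn_*_shared_secret[i] = 0xNN, as in the dump at the top of the
# thread) and logcat-style key=value lines (assumed shapes). All values are
# made up; none of them is a real key.
SAMPLE_DUMP = """\
03:44:38.148 mn_ha_shared_secret[0] = 0x73
03:44:38.148 mn_ha_shared_secret[1] = 0x65
03:44:38.149 mn_aaa_shared_secret[0] = 0x4a
03:44:38.149 mn_aaa_shared_secret[1] = 0xc1
03:44:38.150 mn_aaa_shared_secret_length = 16
I/MipSettings( 1234): aaa password=QWxhZGRpbjpvcGVu
I/MipSettings( 1234): ha password=c2VjcmV0
I/MipSettings( 1234): spc=123456
D/Diag     ( 1234): DIAG RX item: requestnvitemread - Error response received from target
"""

MARKER = "[REDACTED]"

# Byte-array dumps of the shared secrets. The *_length line carries no key
# material and is deliberately left readable.
BYTE_DUMP_RE = re.compile(
    r"(mn_(?:aaa|ha)_shared_secret\[\d+\]\s*=\s*)0x[0-9a-fA-F]{2}")
# Password-like key/value pairs: HA/AAA password, SPC, MSL (assumed shapes).
KEY_VALUE_RE = re.compile(
    r"((?:aaa|ha)\s*password\s*=\s*|\b(?:spc|msl)\s*=\s*)\S+", re.IGNORECASE)


def redact_mip_secrets(text: str, marker: str = MARKER) -> Tuple[str, int]:
    """Replace every secret value with marker; return (redacted text, count)."""
    total = 0
    out = []
    for line in text.splitlines(keepends=True):
        line, n1 = BYTE_DUMP_RE.subn(lambda m: m.group(1) + marker, line)
        line, n2 = KEY_VALUE_RE.subn(lambda m: m.group(1) + marker, line)
        total += n1 + n2
        out.append(line)
    return "".join(out), total


def leaks_remaining(text: str, marker: str = MARKER) -> int:
    """Count secret-bearing values still present; already-redacted ones do not count.

    Run this on the redacted text before posting it anywhere.
    """
    count = 0
    for rx in (BYTE_DUMP_RE, KEY_VALUE_RE):
        for m in rx.finditer(text):
            if not m.group(0).endswith(marker):
                count += 1
    return count


if __name__ == "__main__":
    cleaned, n = redact_mip_secrets(SAMPLE_DUMP)
    print(f"{n} values redacted, {leaks_remaining(cleaned)} remaining")
    print(cleaned)
```

The two patterns are intentionally narrow: the NV byte dump and the key/value lines are replaced value-by-value, while timestamps, item numbers and the DIAG error text survive, so the dump stays useful for troubleshooting. If a phone's firmware prints the secrets in another shape, add a pattern for it rather than widening `\S+`.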
gedster314 said:
Try logcat.
Put your phone in developer mode.
Connect it to the computer.
Run: adb logcat > log.txt
On your phone dial ##data#
Enter SPC/MSL
Select edit
Touch HA password (don't change it), exit it
Touch AAA password (don't change it), exit it.
Ctrl+C to kill adb
Open log.txt and scroll through the long list for the HA and AAA passwords.
I know, kind of a pain to find, but that's how I got them on my E4GT and Nexus S 4G.
Somewhere there is a thread about doing this on XDA, but at the moment I cannot find it.
This gives us the MIP profile 1 keys. Is there a way to get the profile 0 HA and AAA keys?
OK, using this method gives us the password, but encrypted. Anyone know how to decrypt it to hex or a string?
BUMP
bump
10char...
Did you ever figure this out? I'd like to backup my own keys.
I'd like to do the same. Anybody have a solution?
After doing a lot of searching and reading, I found my solution.
1. Open QXDM and connect to your phone (make sure it is in diag mode).
2. Send your SPC and then your password to the phone. This will unlock the phone. (The password is from Samsung; google it.)
3. Close QXDM.
4. Open up QPST Server, make sure your phone is still detected, and open up EFS Explorer.
5. Find files 465, 1192 and whatever else you want, and drag them to your desktop.
6. Open the files with a hex editor like WinHex.
This will give you your AAA and HA passkeys.
Hope it works for everybody!
string/text/hex converter
duck95 said:
I'd like to do the same. Anybody have a solution?
I hope this is legal. I use this site all the time for converting values... Neither I nor my dad, brother-in-law or anyone else runs/operates/profits from this site, lol. It just helps, and should help you guys with figuring out your keys after you get them with logcat...
http://www.string-functions.com/string-hex.aspx
If it's against the rules to post this stuff, deepest apologies...
I'm having trouble bringing up this phone in EFS to write my 10.key. As far as I know, writing my HA and AAA keys (from the donor device) and my 10.key should give me 3G, right? I'm flashed to Page Plus, btw, and got everything working (talk/SMS/MMS/1x data) except 3G. I just spent the last week trying to extract the HA and AAA keys from my donor phone (an enV3, and good lord do I hate LGNPST), and of course I run into something else that should be smooth! Any help is greatly appreciated!

DVP all nv_items supported via EM

NV items allowed in emdrivers. They can be set via the Nv_items page in EM:
50021 - [EM]qisda_qwert_index
50020 - [EM]qisda_gps_cold_start
50019 - [EM]qisda_rf_slider_delta
50018 - [EM]qisda_rf_pfc_gsm_delta
50017 - [EM]qisda_rf_pfc_gsm_band
50016 - [EM]qisda_rf_pfc_wcdma_delta
50015 - [EM]qisda_rf_pfc_wcdma_band
50013 - [EM]GA teleport mode (0-off/1-on)
50012 - [EM]battery_log_enable
50003 - [EM]GA same as teleport mode (leads to the same)
50005 - unknown
50004 - [EM]pulsecount
50002 - [EM]qisda_wm_usb_mode (known as Zune(3)/Component(1) in EM)
The most interesting value is:
453 - [EM]ftm_mode (FACTORY TEST MODE). By default it is 0; setting it to 1 and rebooting reverts it to 0.
I have found that FTM mode switches boot to bootloader mode, but no combination of Vol+/-/camera worked.
heineken78 said:
NV items allowed in emdrivers. They can be set via the Nv_items page in EM:
50021 - [EM]qisda_qwert_index
50020 - [EM]qisda_gps_cold_start
50019 - [EM]qisda_rf_slider_delta
50018 - [EM]qisda_rf_pfc_gsm_delta
50017 - [EM]qisda_rf_pfc_gsm_band
50016 - [EM]qisda_rf_pfc_wcdma_delta
50015 - [EM]qisda_rf_pfc_wcdma_band
50013 - [EM]GA teleport mode (0-off/1-on)
50012 - [EM]battery_log_enable
50003 - [EM]GA same as teleport mode (leads to the same)
50005 - unknown
50004 - [EM]pulsecount
50002 - [EM]qisda_wm_usb_mode (known as Zune(3)/Component(1) in EM)
The most interesting value is:
453 - [EM]ftm_mode (FACTORY TEST MODE). By default it is 0; setting it to 1 and rebooting reverts it to 0.
I have found that FTM mode switches boot to bootloader mode, but no combination of Vol+/-/camera worked.
I also found an option to update a flash.ffu file from the SD card in the bootloader, but I don't know how to finish it.... at this moment.
I have no idea how to enter FTM mode. According to the script inside the service tool by Dell, I should press Vol Up and plug in USB, but it doesn't work at all.
script:
{Header
}
{Description
}
{Code
0000 waitinput %var1 COMPort
// initial check
0001 print "确认手机已经开机 / Make sure Mobile has already reboot" "ShowMessage"
0002 print "拔掉电板和USB线 / Unplug Battery and USB Cable" "ShowMessage"
0003 print "按住加音键, 并插上USB线 / Hold Volume Up Key and plugin USB Cable" "ShowMessage"
0004 print "等待屏幕显示FTM后, 放开加音键 / Wait until show FTM on screen and release key" "ShowMessage"
0005 Run MobileToolKit_StaticM.dll WriteNVItem_ForSPU %var1 "50002" "AQ==" "1" %var2
0006 comparefalse 0008
0007 comparetrue 0009
0008 print "Switch to Composite Fail" "ShowMessage"
0009 print "重流整机请选Clear A line, 重流板子请选Clear T line / Choose Clear A Line or T Line" "ShowMessage"
}
According to this code you should have nv_item 50002 (USB composite) set to 1 via the EM tool. Please check.
Nokser said:
I also found an option to update a flash.ffu file from the SD card in the bootloader, but I don't know how to finish it.... at this moment.
Whoa.... very interesting. Kinda like doing a gold card thing?

Just want to confirm if this is a hardware issue.

My Nexus 7 2013 stopped connecting to Wi-Fi a week ago. Then I realized Bluetooth doesn't work either. Wi-Fi won't show any networks; it just fails to turn on and shows no MAC address. I thought this must be a weird software issue where some config got mucked up. This happened while running stock 5.1.1, but then I tried CM 12.1 to see if it would fix it. Before trying CM I did a factory reset (I was stuck at the Wi-Fi sign-in screen) and I cleared the cache and data and cleared the Dalvik cache. So then I tried CM, but unfortunately this also happens. This has me pretty much convinced that it is a hardware issue and something is wrong with the Wi-Fi/Bluetooth chip.
Just wanted to see what others thought. After the above, I can't see how this isn't a hardware issue. I was looking, and motherboards aren't too expensive and it doesn't look too hard, so I might try that.
Oh, a weird thing: in this state it is causing an excessive battery drain even when off. It's been off for 8 hours from 100% charge and now is at 74%. So I'm keeping an eye on it to keep it charged until I get a motherboard replacement.
Nothing? Wouldn't others think that this sounds like a hardware problem, as the issue persisted across ROMs?
Should I be concerned during disassembly that the battery continues to have an excessive drain even when off?
Do you have root? If you do, install Terminal Emulator and type the following commands:
su
cat /proc/kmsg >> /sdcard/kmsg.log
Hold down the 'Volume Down' key and press C to exit the cat program.
Then copy the /sdcard/kmsg.log file to your computer, open it up and search for WCNSS and WLAN and see what errors you get.
EDIT: Well, this is dumb, you don't have internet so... you can't download Terminal Emulator. If you can, try to get the Terminal Emulator APK downloaded from your PC and transfer it to your phone.
Thanks. I got TE transferred over. I left it for a bit and came back, and cat /proc/dmsg was still running. I read that it has something to do with syslogd. I went through the logs but found not much of interest. The only time WCNSS is mentioned is here:
Code:
request_suspend_state: sleep (0->3) at 9764978636663 (2015-08-18 23:22:18.939577499 UTC)
<6>[ 9764.990417] early_suspend: call handlers
<4>[ 9764.990600] [ektf3k]:[elan] elan_ktf3k_ts_suspend: enter
<6>[ 9764.991394] active wake lock PowerManagerService.Broadcasts
<6>[ 9764.991577] active wake lock PowerManagerService.WakeLocks
<6>[ 9764.991699] active wake lock PowerManagerService.Display
<6>[ 9764.991790] active wake lock pil-wcnss
<6>[ 9764.992034] PM: Syncing filesystems...
<6>[ 9765.030700] sync done.
WLAN is never mentioned, but ELAN is:
Code:
<5>[18419.063201] hall_sensor: [lid_interrupt_handler] LID interrupt handler...gpio: 1..
<5>[18419.129028] hall_sensor: [lid_report_function] SW_LID report value = 1
<6>[18419.207550] request_suspend_state: wakeup (3->0) at 18419196013287 (2015-08-19 01:46:33.156923606 UTC)
<6>[18419.207855] late_resume: call handlers
<4>[18419.208129] [ektf3k]:[elan] elan_ktf3k_ts_resume: enter
<4>[18419.209289] mipi_dsi_panel_power+, on=1
<4>[18419.209930] [ektf3k]:[elan] dump repsponse: 58
<6>[18419.209930] late_resume: done
And also here:
Code:
hall_sensor: [lid_report_function] SW_LID report value = 1
<6>[18419.207550] request_suspend_state: wakeup (3->0) at 18419196013287 (2015-08-19 01:46:33.156923606 UTC)
<6>[18419.207855] late_resume: call handlers
<4>[18419.208129] [ektf3k]:[elan] elan_ktf3k_ts_resume: enter
<4>[18419.209289] mipi_dsi_panel_power+, on=1
<4>[18419.209930] [ektf3k]:[elan] dump repsponse: 58
<6>[18419.209930] late_resume: done
<4>[18419.291656] mipi_dsi_panel_power-
<6>[18419.297668] mipi_JDI_lcd_on+
<6>[18419.297668] mipi_JDI_lcd_on, JDI display on command+, command bl
<6>[18419.441711] mipi_JDI_lcd_on, JDI display on command-
<6>[18419.441711] mipi_JDI_lcd_on-
<7>[18419.457427] EXT_COMMON: hdmi_common_wta_hpd: '1' (unchanged)
I don't see anything that stands out. I was looking for a line confirming (or failing) activation of the Wi-Fi/Bluetooth.
I attached dmesg but didn't see anything more that stood out, but I might be missing something.
Is there any other way to troubleshoot wifi/bluetooth?
EDIT: I found out adb logcat -d > log.txt seems to give the same as cat /proc/kmsg. I'm looking through it now, but I thought I'd attach that too.
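Scrolling a multi-megabyte kmsg dump by eye, as the posts above do, misses the one detail that matters here: every kernel line carries a printk priority in the leading `<N>`, so the error-level lines (`<3>` and below) about the Wi-Fi/Bluetooth subsystem can be pulled out directly. The following is an added example, not code from this thread, that parses the `<level>[timestamp] message` format of the excerpts quoted above and filters on the WCNSS/WLAN keywords the earlier reply suggested. The sample lines are constructed in that format (one error line and one unprefixed line are made up to show both cases); nothing about the poster's actual device is assumed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample: lines in the same <level>[timestamp] format as the
# /proc/kmsg excerpts quoted in this thread, plus one constructed error line
# (the "<3>" one) and one line without a printk prefix, as in the posted logs.
SAMPLE_KMSG = """\
<6>[ 9764.990417] early_suspend: call handlers
<4>[ 9764.990600] [ektf3k]:[elan] elan_ktf3k_ts_suspend: enter
<6>[ 9764.991790] active wake lock pil-wcnss
<6>[ 9764.992034] PM: Syncing filesystems...
<3>[ 9766.120001] wcnss: constructed example: subsystem boot failed
<7>[18419.457427] EXT_COMMON: hdmi_common_wta_hpd: '1' (unchanged)
request_suspend_state: sleep (0->3) at 9764978636663 (2015-08-18 23:22:18.939577499 UTC)
"""

# printk priority levels as the kernel defines them (include/linux/kern_levels.h).
LEVEL_NAMES = {0: "EMERG", 1: "ALERT", 2: "CRIT", 3: "ERR",
               4: "WARNING", 5: "NOTICE", 6: "INFO", 7: "DEBUG"}

# <level>[  seconds.micros] message -- the timestamp is right-aligned inside
# the brackets, so leading spaces are allowed there.
LINE_RE = re.compile(r"^<(?P<level>\d)>\[\s*(?P<ts>\d+\.\d+)\]\s?(?P<msg>.*)$")


@dataclass
class KmsgLine:
    level: Optional[int]        # None when the line carries no <N> prefix
    timestamp: Optional[float]  # seconds since boot; None when absent
    message: str

    @property
    def level_name(self) -> str:
        if self.level is None:
            return "UNKNOWN"
        return LEVEL_NAMES.get(self.level, "UNKNOWN")


def parse_kmsg(text: str) -> List[KmsgLine]:
    """Parse a kmsg dump; lines without a printk prefix are kept as-is."""
    out: List[KmsgLine] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m:
            out.append(KmsgLine(int(m.group("level")), float(m.group("ts")), m.group("msg")))
        else:
            out.append(KmsgLine(None, None, raw))
    return out


def find_mentions(lines: Iterable[KmsgLine], keywords: Iterable[str],
                  max_level: Optional[int] = None) -> List[KmsgLine]:
    """Return lines whose message mentions any keyword (case-insensitive).

    max_level, if given, keeps only lines at that priority or more severe
    (lower printk numbers are more severe); unprefixed lines are dropped then.
    """
    keys = [k.lower() for k in keywords]
    hits: List[KmsgLine] = []
    for ln in lines:
        if max_level is not None and (ln.level is None or ln.level > max_level):
            continue
        text = ln.message.lower()
        if any(k in text for k in keys):
            hits.append(ln)
    return hits


def level_histogram(lines: Iterable[KmsgLine]) -> Dict[str, int]:
    """Count lines per priority name; a spike in ERR/CRIT is the first place to look."""
    return dict(Counter(ln.level_name for ln in lines))


if __name__ == "__main__":
    parsed = parse_kmsg(SAMPLE_KMSG)
    print(level_histogram(parsed))
    for hit in find_mentions(parsed, ["WCNSS", "WLAN"], max_level=4):
        print(f"{hit.level_name:7} {hit.timestamp} {hit.message}")
```

Run it over a real dump by replacing `SAMPLE_KMSG` with the file contents; `find_mentions(..., max_level=4)` gives the warning-or-worse lines about the wireless subsystem, which is a much shorter list than a plain text search for "wcnss" and separates a failed subsystem boot from the routine wake-lock chatter quoted in the thread.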
