EDIT: for a quick answer on how to get data working go to post # 222 of this thread!
Hey Guys,
I have been following the thread about the Evo 4G working on boostmobile. I hope someone would be able to help me, I am a bit stuck. First off, I won't bother anyone with any "n00b-ness", as I do know how to use google to find my own information. Here's where I am right now:
I have a "new" EVO 4G that had its MEID marked bad because the previous owner did not pay ETF to sprint. I also had a BlackBerry tour that I managed to connect with BoostMobile using a bit of social engineering (insisting to the relatively naive CSR that it's NOT a blackberry, as its MEID would indicate). I went through all the QXDM and Hexeditor fun to zero out the ESN, and finally the elusive MEID. **I will not mention what I did next, please use your imagination. I do not want to cause any trouble on the forum for talking about (you know what). I then switched the BlackBerry tour into GSM mode, to prevent it from causing a conflict, but at the same time to allow the phone to power up so I could continue to retrieve data or settings off it. Once I changed the programming info (MDN/MSID), I was able to make and receive calls. SMS worked inbound and outbound. Then, I changed the MMS url to mm_myboostmobile_com. Now I was able to send and receive MMS messages. After rooting my Froyo 2.2, I installed the 2.1 EPST app to be able to update PRL via ##775# / ##PRL#. Now, I have been trying various different PRL files from different forums as well as corolada_com. I also copied NV items 465, 466, 1192, and 1194 from my BlackBerry. I still cannot get data working, not EVDO, not even 1x. I would be most grateful to anyone who will contribute to this thread in a positive, constructive way. And if you're a Python, C# .NET, Perl, or Java programmer, or an SQL Server admin, I would gladly share the plethora of information I have in these areas with you. Thank You.
Ok, I have data working now. In the spirit of giving back to the community, here is what I did: I connected to the phone using Qualcomm QPST Service Programming, clicked Read and entered my MSL/SPC code. Then, under the M.IP tab, (you will only have this tab in a more recent build of QPST, I had to upgrade to build 348) I selected "profile 0" and clicked edit. Here, I unchecked the first checkbox which enables the profile. I wrote the changes to the device, and data began working. My rate is very pathetic, 100-200kbps. With previous device (blackberry tour 9630) this was over 5x faster. Maybe I am not getting EVDO? I will try several different PRL files and report results. I also heard that the HA and AAA secrets, stored in NV items 1192 and 1194 must be copied to authenticate for EVDO speeds. I am having trouble reading these from the (previous device) blackberry, particularly 1192. The resulting read in CDMA workshop produces an access denied error in the output file. QPST and QXDM don't even show these items in the nv items list at all, even if you click "File menu> read supported RF NV Items". All other items seem to show, but not these. Of course, you must send the MSL/SPC code before you attempt any nv item reading or writing. Has anyone else managed to transfer their boostmobile-specific HA secret and AAA shared secret from a blackberry onto an android device? What transfer rates are other boostmobile users getting on android devices in large metropolitan areas? (i'm in nyc).. I have heard some far-fetched solutions including "change your SPC to the old phone's SPC", is there any truth to this? Sorry if my thoughts are a bit disorganized. I will try to write a proper tutorial when I have time. Again, thanks to everyone that contributed to make my google searching a success, in this forum as well as others. Please feel free to put in your .02 as maybe I have overlooked something.
The only thing I can offer is on the tour. You don't need GSM mode to have it on. Simply turn off the radio.
I had the same issue or rather kind of similar. I am getting an Error (NV_READONLY_S) in QPST while trying to write to the EVO. Any help on why its doing that? I have surpassed the meid/pesn zero thingy and txt talk just as you have but to get data wkng proves to be difficult. Please advise.
unique, the problem with BB OS 5.0 and higher is that after a dead battery shutdown, it has the mobile network enabled on initial boot. Bosstalk, the NV_READONLY_S error can be ignored, the changes will stick anyway. What phone are you switching from? Did you try disabling the 0 profile under M.IP tab in QPST? Which PRL are you using?
uniquenameevo,
Do u have any assistance you could offer? I have been searching like crazy and its killing me.
gsxrmonkey said:
unique, the problem with BB OS 5.0 and higher is that after a dead battery shutdown, it has the mobile network enabled on initial boot.
Click to expand...
Click to collapse
True, my 9700 does this also. I did not know about the dead battery shutdown on yours
I am switching from an htc tp2 to an evo.
Firstly, When I do the requestnvitemread ds_mip_ss_user_prof in QXDM I get the ha shared hex passwd but all zeros for the AAA shared hex passwd. Isnt it suppose to be a combo of letters and numbers? Please advise.
Talk and Txt EVO but no Data
Can someone please lend a helping hand here. I am up to my wits with this one. Ive got txt and talk working on boost but somehow cannot get data.
(Error code 67)
My donor phone: HTC TP2 with boost
Evo: Rooted(unrevoked 3.2) with 2.2 Froyo update
Installed EPST.apk using Root explorer.
PRL used is 60660
Things Ive done so far:
1.Used QPST to match NV Items 465,466,1192 and 1194 from donor to evo using NV browser.
2. Used Qpst in the Mip tab and matched settings of the donor with the Evo
The only rough end that may be prohibiting my access is the fact that I cannot get an accurate AAA shared reading. I followed the SPC "msl" thingy then did the requestnvitemread ds_mip_ss_user_prof command that gave me good ha shared numbers after the 0x. However the AAA yield 0x00 all the way thru. Im not getting a long string of characters as others have gotten. Please advise!!! I would greatly appreciate it.
I am at the same point.
I think the HA is "secret" in plaintext
the AAA I managed to get was very long and qpst service programming app refused to accept any key in hex over 32 chars. I believe the one I have is 64 chars.
Do I have to send 'mode offline-d' if the radio is disabled anyway?
If anyone knows a way around this please advise.
Donor phone is BlackBerry Tour 9630
Target phone is HTC Evo 4G with 2.2 Froyo rooted
bosstalk said:
Can someone please lend a helping hand here. I am up to my wits with this one. Ive got txt and talk working on boost but somehow cannot get data.
(Error code 67)
My donor phone: HTC TP2 with boost
Evo: Rooted(unrevoked 3.2) with 2.2 Froyo update
Installed EPST.apk using Root explorer.
PRL used is 60660
Things Ive done so far:
1.Used QPST to match NV Items 465,466,1192 and 1194 from donor to evo using NV browser.
2. Used Qpst in the Mip tab and matched settings of the donor with the Evo
The only rough end that may be prohibiting my access is the fact that I cannot get an accurate AAA shared reading. I followed the SPC "msl" thingy then did the requestnvitemread ds_mip_ss_user_prof command that gave me good ha shared numbers after the 0x. However the AAA yield 0x00 all the way thru. Im not getting a long string of characters as others have gotten. Please advise!!! I would greatly appreciate it.
Click to expand...
Click to collapse
i just got my EVO and i was wondering if you could help me in the right direction to make the switch i have 7 BOOST CDMA LINES and plenty of donor's also i have about 9 boost cdma c290 would one of them work or does it need to be a higher end HS thanks to all
sdwyz74 said:
i just got my EVO and i was wondering if you could help me in the right direction to make the switch i have 7 BOOST CDMA LINES and plenty of donor's also i have about 9 boost cdma c290 would one of them work or does it need to be a higher end HS thanks to all
Click to expand...
Click to collapse
I am in the same boat as this guy, but have read and got to the point of making calls, txt, and mms. I just need data!!! I am so close...so close. CDMA WS will not read the c290. I get that it fails to answer. I used BITPIM to get the NVM settings of the c290, but I need to know how to take the key information to place into the EVO. Error 67 is driving me nuts!!!
Please someone help with getting data on my boost evo. I have managed to get talk and text working but cannot get data. Any assistance in this matter would be greatly appreciated.
I have read several forums and none of those methods are working for me.
Thanks in advance.
bosstalk said:
Firstly, When I do the requestnvitemread ds_mip_ss_user_prof in QXDM I get the ha shared hex passwd but all zeros for the AAA shared hex passwd. Isnt it suppose to be a combo of letters and numbers? Please advise.
Click to expand...
Click to collapse
For profile 0 aaa password you need to send this:
requestnvitemread hdr_an_auth_passwd_long
Good luck.
i have a tp2 on a cdma account.
what i did is use a cdma info from a NON activated boost phone. (use you imagination) no more detail on that.
once i was done i simple activated the phone and it activated and downloaded the ha and aaa.
let me know if this works as i am trying to get this to work
For ##DATA# is ##3282# and to pull the hex value use QXDM (you can find it on the net) and you will need QPST for the port server. In QXDM on most phones you send the MSL of the phone then request to read the password:
spc (your 6 digit msl)
requestnvitemread hdr_an_auth_passwd_long
On some phones you can get it with:
requestnvitemread ds_mip_ss_user_prof
And to get the dial-up 6-digit AAA password of profile 1 just add a 1 at the end:
requestnvitemread ds_mip_ss_user_prof 1
Ok I finally got my data icon to show up and my 1x data to work and the way I did it is I got my 6 digit AAA password from the donor rant phone straight from the device itself than I entered under profile 0 and profile 1 in my epic in QPST service programming secret as my ha user name and the 6 character password with text string selected. I used the same user name and password for both profiles because its the only way I get any data. But I can only get 1x. I tried changing primary & secondary servers but makes no difference. Any ideas why Im not getting 3g?
edit: n/m i figured it out
savior02 said:
Ok I finally got my data icon to show up and my 1x data to work and the way I did it is I got my 6 digit AAA password from the donor rant phone straight from the device itself than I entered under profile 0 and profile 1 in my epic in QPST service programming secret as my ha user name and the 6 character password with text string selected. I used the same user name and password for both profiles because its the only way I get any data. But I can only get 1x. I tried changing primary & secondary servers but makes no difference. Any ideas why Im not getting 3g?
edit: n/m i figured it out
Click to expand...
Click to collapse
If your donor is 1x that's all you're getting. And you don't use the same password. Provisioning is 16 hexadecimal digits and your account password is 6
Both use HA password "secret" (without quotes, of course)
m4f1050 said:
If your donor is 1x that's all you're getting. And you don't use the same password. Provisioning is 16 hexadecimal digits and your account password is 6
Both use HA password "secret" (without quotes, of course)
Click to expand...
Click to collapse
Ok I finally got it working on 3g the thing is my donor is a rant and is very difficult to extract the 16 hex from it. Everything is working now but my voicemail doesnt notify me of new ones.
My friend has a HTC EVO 4G phone and wants to change the MEID and phone number on this phone. After hours of internet searching we've found that it can be changed with "CDMA Workshop" but the $99 for the use of this program rules this out is there any other way (FREE or cheap) way to make these changes.?
Changing the MEID would cause the connectivity to stop functioning, since it will not be able to authenticate properly with the Sprint network.
Why would you want to do this in the first place?
There are other ways of doing this, completly free. But before you start you should know, that it is hours and hours of work, even with CDMAWS.
Why you want to do that and you can change the phone number with Sprint for free I had change it a few times already LOL
Sent from my PC36100 using Tapatalk
I guess he wants it as a "clone" phone. He's contantly braking his phone and rather than go through all the trouble of going in the store he wanted to have a clone on standby.
Forst of all, I am not using my Epic 4G in US or a country that changing ESN/MEID is illegal, just for technical help. if you know details about this phone/chipset or whatever it matters i will be appreciated.
Currently I am going to change the phone's ESN to a new one other than the pESN which is generated from MEID found under the battery. However, I use this method mobile5.in/forums/index.php?/topic/255-meid-esn-repair-for-samsung-epic-4g and get the correct MEID result, also the corresponding pESN is correct too. With the absolute right AKEY which is written by CDMAWorkshop, I can't use the phone service.To give further clarity, I am using a MEID which is taken from my previous "droid pro" and that phone is not switched on now, it's far away from my network. and that means I am copying old droid pro's MEID on to my new Epic 4G, then use the same IMSI(MIN) / AKEY.
Just don't know if something different with Samsung platform or this specific Qualcomm chip used in Epic 4G. I got right MEID/pESN on the phone's screen with ##RTN#, and correct pESN in QPST,QXDM,CDMAWorkshop, but I still can't input akey on the phone by ##AKEY#, no matter wich format i use (16hex,20dec,26dec) it says AKEY failed.
Thanks in advance for answering
I have been in the process of attempting to flash my Epic 4g to boost for about a week now (with very limited time each day). Thanks to the help of some awesome people here on the forum I have made quite a bit of progress. I have however, hit a wall. I am currently attempting to use a Samsung Replenish which I purchased with GB 2.3.6 pre-installed. I have gotten to the point where I need to extract the HA/AAA keys from the donor and it is locked down tighter than (insert random virgin joke here...). I have tried two methods, method 1- reading NV Items 465,466,1192, and 1194, this method gives me four text files, each of which say access denied toward the top and give me nothing but goose eggs. method 2- using QXDM typing password (spc) which works fine, I have the right SPC and it accepts it, but then when I type the requestnvitemread ds_mip_ss_user_prof command (and I have tried prof 1 and prof 0) it says "error recieved from target". I am not familiar with anything more technical than what I explained, I know my way around these phones a bit and am technically savvy, but I do not know any code or anything like that.
I stated in my first post that I dont mind having to spend money to get my epic to boost but I would like to avoid it. With that being said, I would like to know if there is anything that I can try before pulling the trigger on a Sanyo Incognito (which to my understanding is one of the easier phones to use for this process). I have read that flashing back to froyo might help, but I cant find anything on flashing the Replenish back to Froyo as no one seems to want to do it. If anyone has any advice on flashing back to Froyo or anything else that I can try to get those keys I would be eternally grateful (well maybe for a day or two, after that I'd probably forget...anyways...)
thanks in advance for any help!!
Even though you're trying to flash an Epic 4G, this question is more applicable to a Replenish forum (if there is one), where people have experience reading these NV items on that particular model.
Some things to try:
Try first sending "password 01F2030F5F678FF9" in QXDM. (I wouldn't be surprised if this password did not work for the Replenish. Some Samsung devices have unique passwords.)
Try DFS CDMA Tool.
Try reading /nvm/num/ in QPST EFS Explorer.
etirkca said:
Even though you're trying to flash an Epic 4G, this question is more applicable to a Replenish forum (if there is one), where people have experience reading these NV items on that particular model.
Some things to try:
Try first sending "password 01F2030F5F678FF9" in QXDM. (I wouldn't be surprised if this password did not work for the Replenish. Some Samsung devices have unique passwords.)
Try DFS CDMA Tool.
Try reading /nvm/num/ in QPST EFS Explorer.
Click to expand...
Click to collapse
Yeah, unfortunately for me, this phone isn't very popular...especially in the hacking/flashing community so my resources are limited, I did not see a thread dedicated to this phone on here. I tried using the password that you gave me and it did accept it but did not change my result. I also tried using efs explorer and each file that I save/view says secret and nothing else....
Usually reading EFS is blocked until you send the 16 digit password, but it sounds like you did that already. Sorry, I've never used a Replenish, so I'm not sure what else to do.
etirkca said:
Usually reading EFS is blocked until you send the 16 digit password, but it sounds like you did that already. Sorry, I've never used a Replenish, so I'm not sure what else to do.
Click to expand...
Click to collapse
NP thanks anyway, I went ahead and bought an Incognito. I got a deal on ebay, for a nonfunctional unit with guaranteed ESN as well as USB capabilities for $35, the dealer sells them specifically for the purpose of donor/flashing. Guess I'll have to wait a few more days for an almost fully functional Epic...At least now I get to play around with some roms and fine tune that sucker to my exact liking
One more quick question though, When I get the phone, should I transfer my boost account to it BEFORE I flash the epic? or can I just flash it, call from the epic and transfer it all that way?
You need to have the incognito on boost first. When you transfer the account to incognito they will program the phone for you. I would suggest you to talk to a live person at boost when you activate the incognito. Write down the spc code and mdn number. This will save you some time. After that everything else should be easy. Program the epic with the information from incognito.
bugzy3188 said:
One more quick question though, When I get the phone, should I transfer my boost account to it BEFORE I flash the epic? or can I just flash it, call from the epic and transfer it all that way?
Click to expand...
Click to collapse
Sent from my PC36100 using XDA Premium App
i only was wondering if the GNEX meid (9xxx kind) is possible to be compatible with (Axxx kind) i dont want to do it or nothing but, i mean, i only was thinking on that b/c the gnex has a IMEI and i was wondering if there can be any kind of conflicts between the (Axxx meid and the 9xxx imei), ex the imei of the gnex is 9xxxxxxxxxxxxx and the meid is 9xxxxxxxxxxxxx but if you got a imei of 9xxxxxxxxxxxxxx and a meid of Axxxxxxxxxxxxx there can be conflicts with that?, i mean technically i know you only can get text 3g speeds (not 4g b/c the imei isnt the same and couldnt be activate b/c the parameters doesnt match) and calls but the big question is if there can be conflicts between the meid and the imei because they are from different nomenclature? or for someting else?
No its not but with a HEX editor stuff can be changed
Sent from my SPH-D710 using XDA
Not sure what you want to do, but just thought I'd let you know that altering an IMEI is both illegal in places, and can seriously gerfungle-up your phone. Also, the gnex IMEI has an MD5 checksum based on an unknown random seed, so it's pointless to change it with a hex editor. It will just revert to a generic IMEI that some carriers block.