Epic 4g to metropcs/cricket - Epic 4G Q&A, Help & Troubleshooting

I am going to show you how to get the epic 4g to metropcs.
First thing is first, you need to get the esn added to metropcs.
If you can't add the esn in the inventory it will not work.
You can however use a boost mobile tutorial to clone the esn from your phone, just look on YouTube.
The short bit of cloning is that it's very very easy, you have to zero out, then use qxdm to load a new one.
That's all I have to say about that.
Things you are going to need.
A computer with administrative access
CDMA workshop 2.7
QPST that can read the phone
http://thepiratebay.org/torrent/6388346/Qualcomm
Metropcs prl
http://www.corolada.com/prl/metropcs/02001.prl
samsung drivers
http://downloadcenter.samsung.com/content/SW/201009/20100901010102890/Samsung_Mobile_Driver_V1.3.800_For_SPH-d700_Epic_4G.zip
A samsung epic with a data cable, not all cables are equal. Keep several handy.
First we're going to change the msl to 000 so that metropcs Over The Air activation can work.
Turn your phone on and dial ##8778# and select modem under usb, and under uart modem.
Once you do this your phone will be readable by qpst and cdma workshop.
Drivers and Com Ports
Install the samsung drivers, once that finishes you can plug the phone in and the drivers will install.
You will need to find out what port your phone is under, and possibly change it to any open port under 25
Go to the start menu, then my computer and right click on it, select manage.
In vista/seven allow administrative access. A window like this appears.
Click on device manager then under modems you should see Samsung Mobile Modem.
Right click on that and then select properties
Once this opens click on 2 then select advanced port settings.
This will be your port number for cdma workshop and QPST. If you notice on my computer it's at 32.
I need to change it to any number below 25 so that cdma workshop 2.7 will open it.
Click on where 3 is pointing to and select a port from the list below 25. Then close that out
CDMA Workshop msl change
Whatever port you had from the previous section we need to enter it on CDMA Workshop
Open CDMA WS.
4 Select your comport
5 Click connect, on my screenshot I was already connected so it says disconnect.
6 Read from the phone and information on the side will appear like your phone number when it's connected.
7 Go to the security tab
8 in the spc field put 000000 (six zeros)
9 Click on SPC Write.
Once that's done you can close CDMA Workshop, it will ask you to reset.
Do it.
With that part done you can slip the esn change here from the boost tutorial
QPST, PRL, INTERNET
Install QPST
Go to the start menu, all programs, QPST, then QPST Configurator
10 Go to the ports tab
11 Add New Port
12 Click on Show Serial USB/QC Diagnostic ports
13 You should see something like COM32-USB/QC Data Modem. Select it and click ok
14 you should see a phone in the list
15 go to Start Clients
16 Select Service Programming
A new window will open up
17 on the phone selection window make sure your phone is selected
18 click on ok to enter programming on selected phone.
19 Once the window opens click on read from phone
20 make sure the spc is 000000, we changed it in CDMA WS
21 click ok to
22 go to the CDMA tab
23 if you cloned your esn put your mdn or min here I don't know which is which
24 if you cloned your esn put your mdn or min here I don't know which is which
25 Select the roam tab
26 click browse and select your metropcs prl downloaded from colorado prl
27 select the display tab
28 Change the Banner to Metropcs or whatever you want. You can even leave it at sprint
29 click on the right arrow to reveal more tabs on top
30 Select the M.I.P. tab
31 Change mobile Ip to Simple Ip only
32 Change the Initial Registration to 1750ms
33 Click on RF2002 authentication calculation
34 Change registration Retries to 2
35 Change deregistration Retries 1
36 Change Lifetime-expiry registration 0
37 Now double click on user profile 0 and change to steps 39-49
38 double click on user profile 1 and change to steps 50-59
39 Change the nai to [email protected] or [email protected]
40 Change Tethered nai to [email protected] or [email protected]
41 On Ha shared secret click on enter text string
42 enter metropcs
43 on AAA shared secret select enter text string
44 enter metropcs
45 MIN HA SPI change to 12C
46 MIN-AAA SPI change to 2
47 Change the primary HA address to 0.0.0.0
48 Change the Secondary HA address to 0.0.0.0
49 click ok
50 Change the nai to [email protected] or [email protected]
51 Change Tethered nai to [email protected] or [email protected]
52 On Ha shared secret click on enter text string
53 enter metropcs
54 on AAA shared secret select enter text string
55 enter metropcs
56 MIN HA SPI change to 12C
57 MIN-AAA SPI change to 2
58 Change the primary HA address to 0.0.0.0
59 Change the Secondary HA address to 0.0.0.0
60 click ok
61 there is no 61, I skipped a number, but I know someone is going to notice. I know
62 Now click on PPP Config tab
63 in the rm tab change config tries of all 3 to 20
64 make sure the request time out is 1000 on all 3
65 make sure NAK tries are 3 on all 3
66 make sure terminate tries are 2 on lcp 3 on ipcp and 3 on ipcpv6
67 make sure request time out is 3000 on lcp and 1000 on ipcp and ipcpv6
68 click on compression setting for ipcpv6 to ignore
69 make sure require pw enc is enabled/checked
70 make sure ppp detect is enabled/checked
71 change retries to 5
I seem to have lost the rest of my captures thanks to acronis!!! so i will continue with blodykiller86's pics which are not labeled
72 make sure you click on Um
73 in the Um tab change config tries on lcp 20 ipcp 20 and ipcpv6 to 0
74 make sure the request time out is 1000 on lcp and ipcp, but on ipcpv6 change it to 0
75 make sure NAK tries are 2 on lcp and ipcp but on ipcpv6 change it to 28
76 make sure terminate tries are 2 on lcp 3 on ipcp and 0 on ipcpv6
77 make sure request time out is 3000 on lcp and 1000 on ipcp and 0 on ipcpv6
78 Click on compression setting for ipcp to disable
79 click on compression setting for ipcpv6 to ignore
80 make sure Optimized dormant handoff is enabled/checked
81 change retries on ppp authentication to 5
82 change tethered nai on ppp authentication to [email protected] or [email protected]
83 change User ID on ppp authentication to [email protected] or [email protected]
84 go to http://www.whiterabbit.org/android/ and put your esn where it says "Enter 1 MEID/ESN per line in the text area to your left, then click the calculate button."
The ESN is on the top of your qpst windows, copy the short number that starts with an 8 and calculate.
It will return a six digit metropcs msl code.
85 take the generated code and put it in the password
86 click on AN
73 in the AN tab change config tries on lcp 20 ipcp 20 and ipcpv6 to 0
74 make sure the request time out is 1000 on lcp and ipcp, but on ipcpv6 change it to 0
75 make sure NAK tries are 2 on lcp and ipcp but on ipcpv6 change it to 28
76 make sure terminate tries are 2 on lcp 3 on ipcp and 0 on ipcpv6
77 make sure request time out is 3000 on lcp and 1000 on ipcp and 0 on ipcpv6
78 Click on compression setting for ipcp to disable
79 click on compression setting for ipcpv6 to ignore
81 change retries on ppp authentication to 5
82 change tethered nai on ppp authentication to [email protected] or [email protected]
83 Change the password to the msl code you got from white rabbit, a six digit code.
Then just click write to phone, wait for the phone to reboot before closing qpst.
Then if you want to activate your phone, if it's not in your account already, just dial *228
to enter Over The Air activation, it will ask for english or spanish. select either
once it gets past that it will ask why you called.
Dial 2 to change number, dial 1 proceed, then 1 to proceed, enter your phone number, enter your security code (usually birthdate of account holder), and follow the rest of what she says.
1 is for yes 2 is for no, I usually mute the microphone.
and then it's activated to an account.
Next make sure you dial *228 this time select 5 to update your prl and reboot.
All done.
I don't know how to get the mms working yet. I have tried u2nl, wap, proxies, flashing zips that change the mms settings and no luck yet.
I'll let you know when I get it working or if anything comes up in the thread.
I stay very busy, so don't be surprised if I don't answer, but if you send me a message it should get to my email.
P.S. to all you cricket people I am so sorry for forgetting about you when I started writing this, please change all appropriate settings but it should work.
I will change them asap, right now though I gots to go.
P.s.s. I can't post in the development section because of the stupid stupid stupid stupid stupid stupid (you get the point) post count rules.
Update: Mms
Okay I found out something very useful on how to get mms to WORK, basically I sent myself a small 46k pic to gmail. But I kept messing with the phone, without even realizing I had it working. Basically before I knew it I had killed it.
Here is what I used to get it to work.
Autostart.sh
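#######
# Add /data/local/bin to PATH
export PATH=$PATH:/data/local/bin
# Proxy address that u2nl forwards to
IP_ADDR="10.223.2.4"
chmod 755 /data/local/iptables
chmod 755 /data/local/u2nl
# Run u2nl in the background: listen on 127.0.0.1:8888 and tunnel connections through $IP_ADDR:3128
/data/local/u2nl $IP_ADDR 3128 127.0.0.1 8888 &
# Redirect outgoing TCP on ppp0 (except traffic to the proxy itself) to the local u2nl port
/data/local/iptables -t nat -o ppp0 -A OUTPUT -p tcp -d ! $IP_ADDR -j REDIRECT --to-port 8888
# Remount read-write, then overwrite the telephony database and the Mms app
/sbin/remount rw
cat /data/local/telephony.db > /data/data/com.android.providers.telephony/databases/telephony.db
cat /data/local/Mms.apk > /system/app/Mms.apk
sleep 5
# Kill the autostart process itself
kill `ps | /data/local/busybox grep autostart | /data/local/busybox awk '{print $2}'`
##########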
I will post the iptables binary once I figure out where to upload it. For now if you need it just msg me.
Also to be clear if you use the autostart.sh you won't have a working messages apk. In other words no text or mms until you factory reset.

Mms
Okay I got mms, but first to vent.
First of all, in my experiences with this phone, it's not worth the hassle.
Get an evo or a shift.
also this phone should be defecated on, and flushed down the toilet.
The keyboard is cheap, the amoled screen is not noticeably better than evo(unlike iphone4, and not worth the 100 part price), the keyboard is cheap, gps is half decent, ui is horrible. The epic is by no means an evo killer, I have had it for 2 months and all the time I have been cursing this phone. I have bricked it 2-3 times while at work to where cw recovery won't help you any.
Then there is the issue of the kernel, you need a kernel that has iptables support.
You guessed it, the stock kernel doesn't have such a thing, so compiling is the best option. Until you go to the samsung page and can't download the source. I tried opera, firefox, maxthon, ie, chrome, and UC. When I get my hands on the source code I will provide a kernel.
Next up is get a rom that has a kernel with support, oh yeah that sounds easy.
No luck so far, I have reason to think that epic experience has iptables support.
But it's become abandoned and it's not updated to work with the new version of clockwork recovery (edify). Just so you know simply aosp does not have support
Do yourself a favor and sell it, but if you're like me and have 2 of them.
This phone cannot be flashed just like any other phone, you always have to jump through hoops.
Okay so lets say you got an old cw , flashed experience and were able to get a kernel with iptables.
you would get this
http://www.4shared.com/file/yofYy6uB/epic_4g.html
it comes with
u2nl
autostart.sh
iptables
telephony.db
Mms.apk
apn back up xml file.
what you need
Autostart
es file explorer and enable the root features
apn backup and restore
busybox installer
first off you need to do what the autostart.sh says.
copy u2nl, iptables, telephony.db, Mms.apk, and a copy of busybox to /data/local
then copy autostart.sh to /data/opt and you need to create the folder called opt, make the autostart.sh executable. You should run the autostart.sh manually on the terminal like so ./autostart.sh. If you get a FIX ME!, it means your kernel doesn't do iptables.
the last thing is to restore the apn with apn backup and restore with the one I provide, but you need to edit it with your phone number.
edit this file accordingly in the apn xml
mmsc="http://mms.metropcs.net/mmsc?X-Device-MIN=5555555555
replace with your phone number like so
<apn type="null" mmsc="http://mms.metropcs.net/mmsc?X-Device-MIN=2222222222
then restore it.
that should be ready.
I dont have it right now like i said because of stupid problems.
but like i have said, i have sent AN mms once already. But right after that i bricked the phone so i had to delete everything.

Thanks for the post missingxtension. Looking at the posted files they all seem to contain Sprint info within each file. The telephony.db file, autostart files, apns file and so on. Was this an accident or....??
I know you said you bricked your phone so i'm not sure if you meant all files are coming soon or it should work as it minus the apns-config. I was so excited until I looked in each of them.. lol

sorry to necro an old thread but I followed your steps exactly. for some reason my phone won't connect to a metro tower. I then went back into qpst and changed the sid and still can't connect to a metro tower. what am I missing?

I am one of the few, if not only members on XDA who has their Epic to MetroPCS.
If you're having issues with the internet, there's a file floating on the net that calculates the metropcs wap password needed in order to be online. It's calculated based off of your MEID.
My phone was flashed as the 2nd poster said. With the autostart u2nl crap. It sucked. My phone did not last long and the autostart was hogging my battery. It was possible with Shiziopunk's Epic Experience 2.1 eclair. (Outdated) though since I've moved, MetroPCS towers no longer reach me in the state of Oregon so I roam 24/7. Using wifi and third party apps for mms and whatnot. I use EG22 deodexed stock now. Still have service. I still have the MetroPCS rom backed up in clockwork mod, but unless I was instructed on how to strip my personal data from it, I'm not sharing.. Donations would be appreciated to any interested. After all I did pay 75$ for my rom.

Shinydude100 said:
I am one of the few, if not only members on XDA who has their Epic to MetroPCS.
If you're having issues with the internet, there's a file floating on the net that calculates the metropcs wap password needed in order to be online. It's calculated based off of your MEID.
My phone was flashed as the 2nd poster said. With the autostart u2nl crap. It sucked. My phone did not last long and the autostart was hogging my battery. It was possible with Shiziopunk's Epic Experience 2.1 eclair. (Outdated) though since I've moved, MetroPCS towers no longer reach me in the state of Oregon so I roam 24/7. Using wifi and third party apps for mms and whatnot. I use EG22 deodexed stock now. Still have service. I still have the MetroPCS rom backed up in clockwork mod, but unless I was instructed on how to strip my personal data from it, I'm not sharing.. Donations would be appreciated to any interested. After all I did pay 75$ for my rom.
I'm not worried about internet or anything like that yet. I need to get the phone to connect to a metro tower first. I'll figure out mms and internet afterwards. I also plan on doing a metropcs version of any syndicate rom I do. it will be what the rom is plus all the **** to make the phone run on metropcs smoothly

Honestly if all that worried you was getting it to connect to a metro tower, then get your esn added with Metro. That simple.

Shinydude100 said:
Honestly if all that worried you was getting it to connect to a metro tower, then get your esn added with Metro. That simple.
like I mentioned before I followed the steps in the op. one of the first steps was to clone the esn or get it added to metropcs. I cloned my esn and still can't connect to a metro tower.

Again. You need to add it to MetroPCS's ESN database, cloning over your Boost ESN is retarded. Boost Mobile is owned by Sprint. Nothing to do with Metro pcs.

ESN must be a metro esn or ported esn
MysteryEmotionz said:
like I mentioned before I followed the steps in the op. one of the first steps was to clone the esn or get it added to metropcs. I cloned my esn and still can't connect to a metro tower.
I might be able to help on getting a metro esn pm me.
Also about the sprint stuff, I am 100 percent sure that the only problem I am having is a crappy kernel. I still can't download the source code to give a shot at netfilter.
I can send mms no problem, so if i send "hey" to [email protected] it goes thru no problem.
The picture messages are the problem.
I was able to install epic experience 1.9 and it didn't boot.
I downgraded the recovery to 2.5 and it looked promising.
I am not done working on this, but luckily i am to the point to where i can already start using my shift again.
I am currently also working on an evo 3d and nexus s 4g.
Again once i find out, i will post all the information I have.
Also sorry about the pictures, I took a lot of time to write and make screen shots.
But I got the thumbnail links, I'll update the links asap.
I will keep an eye out on this thread, it's not dead at all.
Also if you pm me, I do get a message on email.

Hey Shiny, can you pm me with info about your epic on MetroPCS? My wife has her phone already on MetroPCS, and all the basics work just fine, but her eclair has bugs, and I wanted to try to upgrade her Rom. Just wanted yours or anyone else's input. Thanks
Sent from my PG06100 using xda premium

You can upgrade her rom, but in the process, you'll more than likely lose Metro's 3G service with only 1x working (due to iptables I believe) so no picture messaging, or internet if upgraded. You should use clockworkmod for a nand backup and upgrade it once it's backed up. I upgraded mine because MetroPCS is non-existent in Oregon but they have roaming here, so I wasn't going to be needing to stay on the MetroPCS friendly rom when I have wifi at home for internet/picture emailing. I'm on EH17 GB and loving it.

Unfortunately, we do not have 3g here yet, so I guess I'll tackle that when time comes. What is the difference with the GB17? Do you have a link or should I just google it, or is it in a forum? Thanks for your help again
Sent from my PG06100 using xda premium

cbernardo13 said:
Unfortunately, we do not have 3g here yet, so I guess I'll tackle that when time comes. What is the difference with the GB17? Do you have a link or should I just google it, or is it in a forum? Thanks for your help again
Sent from my PG06100 using xda premium
It still has issues but they are VERY minuscule now. Here is my own Changelog on differences.
Major GPS Lock Improvement.
On Froyo & GB: Adobe Flash Player 10.3 Works Excellent.
Apps 2 SD. (This is a *big* plus, you won't be hoggin the internal Memory Space on her Epic.)
Graphical User Interface Upgraded. The Icons in the settings Menu are now color, instead of the old Eclair look.
Battery Use now has a Graph showing your Battery Life.
Battery Life should improve after you upgrade to EH17, compared to Eclair.
~There are a few more nice things you can get, but you need to upgrade to EH17 before they will work.~ Like CRT Off animation when your screen turns off on her Epic. And a Battery Percentage inside the battery Icon in the Android Status Bar.
Make sure you get clockworkmod installed, nandroid backup her Metro Rom, before you flash anything, that rom is valuable.
Once you decide to upgrade you'll need:
-Samsung Drivers Installed.
If Windows Vista/7 it should install using your internet. If Windows XP, you'll need to look online for the Samsung Drivers. If you're on a 32-bit computer, get the X86 drivers, if on 64-Bit, get the X64 Drivers.
You'll need to download Odin, found in the Epic Section Titled "Android Development" You can also find it online..
Once you have that, you'll need to power off her Epic, slide open the keyboard, hold down the "1" key and the power button, you'll be in Download mode. Find clockworkmod, follow the instructions and flash that using Odin. (Notice your computer should pick up her Epic as Modem, etc.) Odin will show COM1, 2..3..4.. a diff # for all of us, that's just the port assigned by your computer. Once you flash clockworkmod, next is the nandroid backup.
Turn the phone off if Odin rebooted it. Hold the down button, camera button, and power button. (Have a firm grip, don't let go until the clockworkmod recovery comes up; it should be purple if you odin'd the latest one.) Go to advanced/backup. Hit yes, and the Nandbackup will begin. This will save you from semi-bricking your girl's epic in the future.
Next you'll want to pick a rom to Flash, you can go with whatever you want, but I recommend you start off with roms using the RFS file format until you get the hang of flashing. I'm personally using Deca's EH17 deodexed rom. It's stock. It has minor reboots, but they aren't too often. Good luck & happy flashing.

MysteryEmotionz said:
sorry to necro an old thread but I followed your steps exactly. for some reason my phone won't connect to a metro tower. I then went back into qpst and changed the sid and still can't connect to a metro tower. what am I missing?
When you dial *228 does it give you MetroPCS or another carrier's prompt? If another carrier's prompt then you need to download the MetroPCS .prl to the phone. That's how the phone locates the towers.

Exactly. And I was assuming you had flashed your phone with metro PCS already, which would have included the PRL, if you're in a rural area, it is possible to hear a diff operator if roaming. But if it's sprint, then the prl isn't there.

I have Cricket and have everything working on the $45 plan...except MMS. Guess I'll read through some of these solutions and give em a try.
Thanks!

up-yours said:
ok cricket is going national on sept 25 2011.
I have an epic 4g and want to use it on cricket.
there are no corporate or other cricket stores here.
I will have to flash it myself right?
where do I get a cricket prl?
I can follow the guide here and hope it all works....
any advice?
http://www.androidcentral.com/cricket-goes-national-new-phones-best-buy-stores-sept-25
You have to get your esn added to Cricket's system one way or another, whether that be finding a source who will add it for you for a fee, or getting a phone pre-programmed to cricket, sold to you by someone who lives near a cricket location and shipped to you. If you get the esn added, you can use google to find the appropriate prl, and if you get it preprogrammed or flashed at a location outside your area, prl will be included.

Does anyone have issues with youtube playing on wifi, but not on the 3G?

tried to clone my half broken motorola photon to epic 4g, but when i execute
scp xxxxxx
requestnvitemread ds_mip_ss_user_prof
requestnvitemread ds_mip_ss_user_prof 1
i get
15:29:20.748DIAG RX item:
15:29:20.763SPC Result = Correct
15:29:37.725requestnvitemread ds_mip_ss_user_prof
15:29:37.850DIAG TX item:
15:29:37.850index = 0
15:29:37.850mn_ha_shared_secret_length = 0x00
15:29:37.850mn_ha_shared_secret[0] = 0x00
15:29:37.850mn_ha_shared_secret[1] = 0x00
15:29:37.850mn_ha_shared_secret[2] = 0x00
15:29:37.850mn_ha_shared_secret[3] = 0x00
15:29:37.850mn_ha_shared_secret[4] = 0x00
15:29:37.850mn_ha_shared_secret[5] = 0x00
15:29:37.850mn_ha_shared_secret[6] = 0x00
15:29:37.850mn_ha_shared_secret[7] = 0x00
15:29:37.850mn_ha_shared_secret[8] = 0x00
15:29:37.850mn_ha_shared_secret[9] = 0x00
15:29:37.850mn_ha_shared_secret[10] = 0x00
15:29:37.850mn_ha_shared_secret[11] = 0x00
15:29:37.850mn_ha_shared_secret[12] = 0x00
15:29:37.850mn_ha_shared_secret[13] = 0x00
15:29:37.850mn_ha_shared_secret[14] = 0x00
15:29:37.850mn_ha_shared_secret[15] = 0x00
15:29:37.850mn_aaa_shared_secret_length = 0x00
15:29:37.850mn_aaa_shared_secret[0] = 0x00
15:29:37.850mn_aaa_shared_secret[1] = 0x00
15:29:37.850mn_aaa_shared_secret[2] = 0x00
15:29:37.850mn_aaa_shared_secret[3] = 0x00
15:29:37.850mn_aaa_shared_secret[4] = 0x00
15:29:37.850mn_aaa_shared_secret[5] = 0x00
15:29:37.850mn_aaa_shared_secret[6] = 0x00
15:29:37.850mn_aaa_shared_secret[7] = 0x00
15:29:37.850mn_aaa_shared_secret[8] = 0x00
15:29:37.850mn_aaa_shared_secret[9] = 0x00
15:29:37.850mn_aaa_shared_secret[10] = 0x00
15:29:37.850mn_aaa_shared_secret[11] = 0x00
15:29:37.850mn_aaa_shared_secret[12] = 0x00
15:29:37.850mn_aaa_shared_secret[13] = 0x00
15:29:37.850mn_aaa_shared_secret[14] = 0x00
15:29:37.850mn_aaa_shared_secret[15] = 0x00
15:29:37.850DIAG RX item:
15:29:37.850requestnvitemread - Error response received from target
15:29:56.938requestnvitemread ds_mip_ss_user_prof 1
15:29:57.063DIAG TX item:
15:29:57.063index = 1
15:29:57.063mn_ha_shared_secret_length = 0x00
15:29:57.063mn_ha_shared_secret[0] = 0x00
15:29:57.063mn_ha_shared_secret[1] = 0x00
15:29:57.063mn_ha_shared_secret[2] = 0x00
15:29:57.063mn_ha_shared_secret[3] = 0x00
15:29:57.063mn_ha_shared_secret[4] = 0x00
15:29:57.063mn_ha_shared_secret[5] = 0x00
15:29:57.063mn_ha_shared_secret[6] = 0x00
15:29:57.063mn_ha_shared_secret[7] = 0x00
15:29:57.063mn_ha_shared_secret[8] = 0x00
15:29:57.063mn_ha_shared_secret[9] = 0x00
15:29:57.063mn_ha_shared_secret[10] = 0x00
15:29:57.063mn_ha_shared_secret[11] = 0x00
15:29:57.063mn_ha_shared_secret[12] = 0x00
15:29:57.063mn_ha_shared_secret[13] = 0x00
15:29:57.063mn_ha_shared_secret[14] = 0x00
15:29:57.063mn_ha_shared_secret[15] = 0x00
15:29:57.063mn_aaa_shared_secret_length = 0x00
15:29:57.063mn_aaa_shared_secret[0] = 0x00
15:29:57.063mn_aaa_shared_secret[1] = 0x00
15:29:57.063mn_aaa_shared_secret[2] = 0x00
15:29:57.063mn_aaa_shared_secret[3] = 0x00
15:29:57.063mn_aaa_shared_secret[4] = 0x00
15:29:57.063mn_aaa_shared_secret[5] = 0x00
15:29:57.063mn_aaa_shared_secret[6] = 0x00
15:29:57.063mn_aaa_shared_secret[7] = 0x00
15:29:57.063mn_aaa_shared_secret[8] = 0x00
15:29:57.063mn_aaa_shared_secret[9] = 0x00
15:29:57.063mn_aaa_shared_secret[10] = 0x00
15:29:57.063mn_aaa_shared_secret[11] = 0x00
15:29:57.063mn_aaa_shared_secret[12] = 0x00
15:29:57.063mn_aaa_shared_secret[13] = 0x00
15:29:57.063mn_aaa_shared_secret[14] = 0x00
15:29:57.063mn_aaa_shared_secret[15] = 0x00
how can i read password out of this phone??

Related

Long road almost there, error 67 :( calls & text ) but no data :( [evo on boost]

THE GOOD AND BAD NEWS... THE GOOD NEWS FIRST! I got my evo4g over to boost mobile with my boost account I already had open, I can outgoing text and receive text (no mms right now), I can call out and get calls in, works great, shows my boost cell phone number on my evo and everything..
NOW THE PROBLEM...
my DATA doesn't work at all... i get the error 67
I TRIED THESE INSTRUCTIONS AFTER SEEING MY DATA DIDNT WORK..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If data is not working move on to the next steps...
(Note: These are steps not verified by me as I still dont have neither 1x nor Evdo working but some people say 1 or 2 or all of these following steps combined worked for them, so i guess it depends on the network you are trying to get on)
1. First attempt to update your profile if it can or update PRL
Menu>Settings>About Phone>System Updates>Update Profile
Reboot and see if data works....
2. If still no Data, plug in your Hero to the computer, dial ##3424#, go to QPST folder and open QPST Configuration app.
Under the Ports Tab if the active COM port your phone is on is not in that list Click Add Port and add it.
Then go to Active Phones Tab, select the phone and then go to Start Clients>Service Programming
A new window opens, hit ok, then click Read From Phone on the bottom left, its gonna ask you for your MSL type it in
Then go to the M.IP Tab and under user profiles click on profile 0, click edit, and then deselect Profile Enabled, hit ok, then click Write to Phone.
Close the program unplug your hero, reboot it, and try your data again.
3. If still no data, plug in your old phone to the computer, open up QXDM
check Connections and make sure your COM port is being read.
Go to View>New>Common>NV Browser , in the Category Filter drop down menu, filter only Data
Then scroll down to ID numbers 1192 and 1194
Click read and copy down all the values in there until u reach 0x00
Then unplug your old phone and plug in your hero, dial in ##3424# and go to NV Browser
navigate to the same ID numbers 1192 and 1194, (just to be safe copy all the values here so you can revert back to the originals)
Then double click each value under the input column and it becomes changeable and change all the values to the ones from your old phone and hit write
Close QXDM unplug and reboot your hero, test Data again
4. If still no data, plug in your old phone to the computer, open up QXDM
check Connections and make sure your COM port is being read.
Go to View>New>Common>NV Browser , in the Category Filter drop down menu, filter only Data
Then scroll down to ID numbers 465 and 466
Click read and copy down all the values in there until u reach 0x00
Then unplug your old phone and plug in your hero, dial in ##3424# and go to NV Browser
navigate to the same ID numbers 465 and 466, (just to be safe copy all the values here so you can revert back to the originals)
Then double click each value under the input column and it becomes changeable and change all the values to the ones from your old phone and hit write
Close QXDM unplug and reboot your hero, test Data again
NONE OF IT WORKED.... SO I WENT TO THE SECOND SET OF INSTRUCTIONS.
Run the QPST config and plug in your phone, make sure your phone is detected in the COM port list. If not click Add New Port and add the one that it has detected your phone on. What it says may vary but USB will often be in the description.
Run QXDM click Options -> Communications and set the Target Port for the same one QPST config listed for your phone.
In the command box at the top type "spc 000000"
Note: If your SPC is not 000000 then you need to use the correct number instead!
If successful you will see a window titled "Command Output" that will output some text with the final line reading "SPC Result = Correct"
Next in the command box type "requestnvitemread ds_mip_ss_user_prof"
This will get you a lot of stuff in the Command Output window. It will start with the "DIAG TX item" section, ignore this one, we are interested in the "DIAG RX item" part.
The actual keys are 16 lines and marked in the output as 0-15. You will notice that quite handily both HA and AAA are both there. Take the part after the "0x" and that is actual key data. Just write down (or use word, notepad, whatever) to record this for safe keeping.
If you are doing this right then you have a long string of 30 characters all strung together for each key. DOUBLE CHECK YOUR COPYING! A single mistake will cause this to fail.
Putting the keys back into the phone:
Load QPST service programming, go to the M.IP tab. Double click profile 0 (in the white box) and use "Enter hex value" to enter your backups of your HA and AAA keys.
Write to phone.
Soft reset. (may not be required but I do it for good measure)
do "requestnvitemread ds_mip_ss_user_prof" for the sprint info and "requestnvitemread ds_mip_ss_user_prof 1" for the boost info
I'm telling you.. If you're getting the error 67, following these steps above will fix it.. I'm on the Sprint network and the problem I was having was, in "Profile 0" the username which began with A000000 (this is actually your ESN #) was from the original phone, not the donor phone... So I took the battery out of the donor phone and looked at the ESN (not DEC) and began to type A00000 etc.
Then I used the steps above to get AAA Shared Secret from the Donor phone.. My AAA Shared Secret was 32 alphanumeric characters...
I did that and still no dice.... I got the AAA key and the HA key.. both were 32 characters...
I even went as far as to get the profile info from the incognito phone, for profile 0 and 1, and made it exactly the same on my evo, and addresses for the HA and alternate HA ADDRESS... still no dice.. I went into debug mode on my evo and even hit the restore to start fresh, and let it download the data via the servers... still didn't work...
I even re-entered the profile info etc. for profile 0 and 1, and still not working
I know I'm close, I just need to finish the puzzle, please help.
Oh yeah, and when I go into debug mode it shows the authentication as failed.. I don't know how that's even possible, I've triple checked the HA AND AAA keys via QXDM and they are the correct keys from the incognito boost phone.

Htc droid incredible on boost mobile [how to]

THIS IS FOR EDUCATIONAL PURPOSE ONLY
Guide on Flashing HTC Droid Incredible to Boost Mobile
What you NEED
QPST
QXDM 3.11 (Google is your friend)
CDMA Tools 2.7 (Demo is good too)
Patience
HTC Diagnostic or HTC USB MODEM Drivers (I will include Win7 x64 Driver)
Donor Phone Driver (Google is your friend)
Winhex (Again, Google )
Boost Mobile Account [seems difficult for those without it]
What you DONT NEED
Wife
Kids
*Install all drivers and programs**
If you do not know how to manually install a driver, I suggest you stop where you are now.
Step 1: Donor Phone MSL/SPC
This one is really simple, call Boost Mobile Customer Rep. (To get directly to them after the guy says "For espanol press 5", just press 5, then press 2, and wait for it to ask you "To chat with a Boost Customer Rep press 0") and tell them your phone needs to be programmed and they will tell you to dial ##MSL#. SAVE THAT NUMBER and then just hang up on them.
Step 1.5:
In case you are scared to talk with boost mobile, or you don't know your 6 digit MSL/SPC code, you will have to find it manually. *Sigh*
Open QPST, click [Add New Port] on the bottom right, then uncheck [Show serial...] on the bottom left corner and on the screen to the left you should see your Donor's Port number, add it and make note of it.
Next open CDMA workshop, connect to your phones Port (COM) number, click read and your phone information will be displayed on the left.
Click on the memory tab, under memory/Eeprom put start Address: 0363:0000 leave the size at 65536 bytes, now click read and save the .bin files on your desktop.
FINALLY, open up Win Hex, open the memory file you just saved, click on specialist- Gather Text; Recognize text by "6", uncheck everything except for "Numbers", press "OK", save the file anywhere you like. You should end up with a .txt document with 1 or more 6 digit numbers; one of them is the SPC for your phone, write it or them down.
Step 2: NV Items
Open CDMA Workshop again, go to Security under SPC write your MSL code and click SPC -> Send. It should say phone is unlocked.
Now go to Memory tab, and click Read NV_Items, and you will read NV_Items 455, 466, 1192, and 1194. Save them all.
Step 3: NAM 1 & 2
Stay in CDMA Workshop, and click the NAM Tab. Click “Read” this will display all your phones information inside of “NAM 1” Save the filename as NAM 1 and do the same for NAM 2.
Step 4: M.IP
Close Cdma Workshop. Open Service Programming and enter your Donor phones SPC. Click Read and navigate to the “MIP” Tab, we need your Donor phones NAI. Click on Profile 1 and copy down everything just to be safe. Do the same for Profile 0 if available.
Step 5: HA & AAA Passwords
HA Password for both Profiles will be "secret" in text format.
Close Service Programming and open QXDM. Now in the Command Prompt on the top screen type in "SPC [MSL]" Then type in “Requestnvitemread ds_mip_ss_user_prof 1” to retrieve your Profile 1 AAA 6 Digit password. It will be the first 6 Digits in DIAG RX, which is written in HEX mode. For Profile 0, simply open NV_Item 466, all numbers after the number 10 and before the last pair of 0's will be your Profile 0 AAA. Or you can type in QXDM Requestnvitemread ds_mip_ss_user_prof and it will be all the Digits in AAA Shared DIAG RX.
If it says Access Denied it means you do not have a Profile 0. *Dont worry about it*
DONT EVER TURN ON THE DONOR PHONE'S RADIO AGAIN, PUT IT ON AIRPLANE MODE OR SOMETHING
Step 6: Root your HTC DROID INCREDIBLE
Follow directions --> http://androidforums.com/incredible...ked-3-rooting-stock-incredible-evo-2-2-a.html
Step 7: Writing NAM and NV Items
Plug in your Droid Incredible to the PC. Open QPST and add its port number. Open CDMA and connect then read the Incredible, next go to Security Tab and under SPC write 000000 and send SPC.
Next go to the "Memory" tab, NV Items and write the 4 NV Items we saved from your donor phone earlier: 465, 466, 1192, and 1194. Then navigate to the “NAM” TAB and Write the Nam 1 and Nam 2 Files we saved earlier by clicking Load before each one of them. If done correctly it should display your donor’s phone number and other information.
TYPE IN ##DIAG# IN YOUR DROID TO GO INTO MODEM MODE
Step 8: Zero'ing ESN & MEID
Close CDMA Workshop and open QXDM, Options- Communications- Target Port/ select your Droid Incredible's Port, click OK. You should now be connected to your phone. (If you have any trouble connecting to QXDM make sure you set your com port in QPST Configuration and use the same in QXDM's communications.) So you can actually see what's going on, from the View drop down screen, select Command Output. Press F4 to get to the memory view, Change Rows from 8 to 16, Find your HEX MEID and ESN by calling ##786# it will look something like this...
MEID: A1000009C57FQZ
ESN: 8373B5C5
They might have an "0x" in front of them, just ignore that, Now pay close attention, following the example MEID and ESN I provided above you are going to separate every 2 characters and then you are going to flip a few to make it backwards just follow my model and do the same to your numbers.
Original: Separated: Flipped:
MEID A1000009C57FQZ MEID A1 00 00 09 C5 7F QZ MEID QZ 7F C5 09 00 00 A1
ESN 8373B5C5 ESN 83 73 B5 C5 ESN C5 B5 73 83
*Note* Your Meid and Esn will differ from the one used in this guide please find your own and use the same method you will need this to find you Meid and Esn in the memory.
Now the tricky part, you may have to Zero them out several times so it will stick (I would consider zero'ing them several times before restarting the phone)
These are all possible ESN and MEID Locations, [ATTACHED]
At each location, find your Meid or ESN and replace it with Zeros (0) then click Write and goto the next Meid or ESN. Do not alter anything but meids or ESNS. After you Zero'ed them out type the command "Requestnvitemread MEID" and "Requestnvitemread ESN". If its Zero'ed restart the phone, if its not, you missed a spot.
To make sure its been Zero'ed out FOR SURE restart the phone and when is back on dial ##778# click View, then Display and make sure your MEID and ESN is all 0. If its not, then try again.
Step 9: Writing MEID
After you get a message that it's zero then you can proceed to write your ESN or MEID, whichever you prefer.
Commands are
requestnvitemwrite scm 0x3a
requestnvitemwrite meid 0x0(Your MEID)
MEID = actual 14 digit meid (not in reverse)
If u are writing MEID no need to write the ESN.
requestnvitemwrite esn 0x(Your ESN)
esn= actual 8 digit esn (not in reverse)
Step 10: Configuring Data
Close QXDM, open Service Programming. Navigate to the M.IP tab.
3G Donor PHONES ONLY: Click profile 0 and click edit. Check and make sure your “NAI” is the correct one for boost mobile. Enter your HA Shared password first, then enter your AAA Password into the text box, next Enter all information that you saved earlier and put them in the required box’s. (it may be different for your area)
NAI:[email protected]
Home address: 0.0.0.0
Primary HA address: 68.28.15.12
Secondary HA address: 68.28.31.12
SPI: 4D2
SPI: 4D2
Rev Tunnel Preferred: Checked now with both passwords hit ok.
Enter your HA Shared password first, then enter your AAA Password into the text box, next Enter all information that you saved earlier and put them in the required box’s
NAI:[email protected] (May vary)
Home address: 0.0.0.0
Primary HA address: 255.255.255.255
Secondary HA address: 68.28.89.76
SPI: 4D2
SPI: 4D2
Rev Tunnel Preferred: Checked now with both passwords hit ok
Make Active User 1.
Write to phone, and restart the Droid Incredible.
Now give yourself a pat in the back because you just Fully Flashed your Droid Incredible to Boost Mobile
I have yet to Know how to configure the USE of MMS, but if you know how to drop it in here .
***THIS GUIDE WAS TAKEN FROM A GUIDE I BOUGHT ON EBAY FOR FLASHING HTC EVO TO BOOST MOBILE, AND MODIFIED TO FIT THE HTC DROID INCREDIBLE***
Any questions?
EDIT** In case your Data isn't working try this and MAKE SURE you have this.
1. Make sure your ACTIVE USER is 1.
2. Make sure your HTC INCREDIBLE has the same PRL as your donor phone! (THIS IS HIGHLY IMPORTANT) To extract the PRL from your donor phone simply:
Connect your donor phone, Open 'Service Programming' click 'Read from Phone' enter your MSL, and then click 'Save to File' save it anywhere. You will get a qcn file, and a rl0 file. The 'rl0' file will be the PRL.
Also this happened to me before, lol, MAKE SURE MOBILE NETWORK in 'Menu -> Settings -> Wireless and Networks is TURNED ON !!
Any more questions let me know
UPDATE: Try this by igotanmp3 to get MMS working. NOTE* It does not work with Custom Themes http://forum.xda-developers.com/showpost.php?p=16440594&postcount=69
UPDATE: For Droid Incredible S & 2 FOLLOW --> http://forum.xda-developers.com/showpost.php?p=21668680&postcount=145
So did you ever figure out the mms settings? I've seen some guy in New Jersey doing full flashes on HTC Incredibles on Boost Mobile. I tried to contact him, but it seems like he is somewhat of a prick. I've been racking my brains trying to get the mms working. So far my Dinc has talk, text, internet and Sprint TV working.
I have not yet. How did you get Sprint TV running on the Incredible though?
And i think the guide to flash a HTC Hero to alltel i believe might help... changing the APN username adress and whatnot with APN Manager apk, havent gotten around it though been too busy will try tomorrow.
Sent from my ADR6300 using XDA App
eljean said:
I have not yet. How did you get Sprint TV running on the Incredible though?
And i think the guide to flash a HTC Hero to alltel i believe might help... changing the APN username adress and whatnot with APN Manager apk, havent gotten around it though been too busy will try tomorrow.
Sent from my ADR6300 using XDA App
I downloaded the Sprint TV Apk file and that was pretty much it
TRY THIS FOR MMS
MMS
************************************************** *******************************
(My original work)
After making sure web works,
1. Download APN Backup & Restore(Android Market)
2. Click Backup APNs
3. Goto your sdcard/ApnBackupRestore
4. Click the apn file and edit under windows or on your phone.
5. Look for the line that says Production and edit.....
<apn name="Production" numeric="00000" mcc="310" mnc="00" apn="1"
user="[email protected]"(may vary) server="null" password="null" proxy="null"
port="" mmsproxy="" mmsport="" mmsprotocol="2.0"
mmsc="http://mm.myboostmobile.com" type="mms" />
6. Save the file(make sure you save it)
7. Open the APN Backup & Restore program
8. Click delete APNs(Very important)
9. Click Restore APNs
10. Close the program
11. Goto messages>menu>settings>connection settings. Make sure everything is as you edited. You should see Name(Production), MMSC(http://mm.myboostmobile.com), MMS proxy(not set), MMS port(not set), MMS protocol(WAP 2.0).
12. If everything is just as it is, voilà you are all set...
Taken from http://www.howardforums.com/showthr...lashed-to-Revol-with-working-Internet-and-MMS and fixed to the Boost Mobile apn settings... correct it if it's wrong, I'm not 100% sure on the settings...
I haven't tried it yet, I'm still waiting for my MicroSD Card from Ebay :\... lol you be the guinea pig, let me know how it goes
this would go a lot better in the dev section
JoelZ9614 said:
this would go a lot better in the dev section
Ahh, I didnt know where else to put it
this is awesome.. what about PTT? does it work?
remy2501 said:
this is awesome.. what about PTT? does it work?
Yeah it should
DRIVERS
FORGOT to attach the DRIVERS sorry
Any possible way to go back to verizon MEID?
mttmelton said:
Any possible way to go back to verizon MEID?
Just write the original MEID and the phone would provision itself IF it has a clean esn
Sent from my ADR6300 using XDA App
Still no mms on the HTC Droid Incredible on Boost
Just wonder if anyone has figured out the mms settings for the HTC Droid Incredible on Boost Mobile. I paid some guy on Ebay and he emailed me back "here sorry all you do is this:
##3282#
change mms "hxxp;//mm . myboostmobile . com
reboot your phone and test the pics"
I was like WTF ##3282# does not even work on the Incredible, but I already knew the mmsc url. So has anyone figured this little speed bump? I have talk, text, internet & sprint TV working now I just need mms working.
roclikewhat said:
Just wonder if anyone has figured out the mms settings for the HTC Droid Incredible on Boost Mobile. I paid some guy on Ebay and he emailed me back "here sorry all you do is this:
##3282#
change mms "hxxp;//mm . myboostmobile . com
reboot your phone and test the pics"
I was like WTF ##3282# does not even work on the Incredible, but I already knew the mmsc url. So has anyone figured this little speed bump? I have talk, text, internet & sprint TV working now I just need mms working.
Same here. I used APN Manager and changed the mmsc url but then it would just give me access denied.
Sent from my ADR6300 using XDA App
Hello,
I read all posts above, but I couldn't understand completely. It is possible use htc incredible 2 on boost mobile?
I can buy one from ebay with clean esn and use it on Boost mobile?
thank you
idk
mttmelton said:
Any possible way to go back to verizon MEID?
to be honest with you, I am not entirely sure, theoretically it should be possible but at this moment I do not know since it is a new phone with new software etc etc. And I heard HTC is starting to lock their esn locations with some type of encryption so u cant read it.
Google around u might be able to and if u find someone who says and has backup that is possible come back to this guide and follow it .
for example. Can I activate this on boost mobile?
hxxp://xpressphones.vstore.ca/product_info.php?products_id=379
armars said:
for example. Can I activate this on boost mobile?
hxxp://xpressphones.vstore.ca/product_info.php?products_id=379
I did a little bit of research and so far I can conclude that it is not possible. I may be wrong though. I am 90% positive it is not possible YET lol
***THIS GUIDE WAS TAKEN FROM A GUIDE I BOUGHT ON EBAY FOR FLASHING HTC EVO TO BOOST MOBILE, AND MODIFIED TO FIT THE HTC DROID INCREDIBLE***
So you could flash it to boost mobile, but couldn't activate?
armars said:
So you could flash it to boost mobile, but couldn't activate?
Yeah if your donor phone is already activated

[Q] Backing up HA & AAA secret keys

I'm trying to back up my HA & AAA secret keys using QXDM. I have had no problems reading these values on the EVO and the OG Epic. For some reason I can't read from the ET4G.
I have read that using the OG Epic tutorial for getting on Boost works for the ET4G. But this involves writing the HA & AAA secret keys from a donor to the ET4G, not reading from the ET4G.
http://forum.xda-developers.com/showthread.php?t=891077
In QXDM I use the following
Code:
spc YOUR6DIGITSPC
<ENTER>
requestnvitemread ds_mip_ss_user_prof
<ENTER>
This should give me profile 0 HA & AAA secret keys
Then
Code:
requestnvitemread ds_mip_ss_user_prof 1
<ENTER>
This should give profile 1 HA & AAA secret keys
But its returning all 0's
Code:
03:43:46.073spc 8XXXX5
03:43:46.078RequestItem "Send Service Programming Code Request" 0x38 0x34 0x31 0x34 0x33 0x35
03:43:46.186DIAG TX item:
03:43:46.192Security Code[0] = 0x38
03:43:46.192Security Code[1] = 0x34
03:43:46.193Security Code[2] = 0x31
03:43:46.193Security Code[3] = 0x34
03:43:46.193Security Code[4] = 0x33
03:43:46.193Security Code[5] = 0x35
03:43:46.194DIAG RX item:
03:43:46.195SPC Result = Correct
03:44:38.026requestnvitemread ds_mip_ss_user_prof
03:44:38.136DIAG TX item:
03:44:38.138index = 0
03:44:38.139mn_ha_shared_secret_length = 0x00
03:44:38.139mn_ha_shared_secret[0] = 0x00
03:44:38.140mn_ha_shared_secret[1] = 0x00
03:44:38.140mn_ha_shared_secret[2] = 0x00
03:44:38.141mn_ha_shared_secret[3] = 0x00
03:44:38.141mn_ha_shared_secret[4] = 0x00
03:44:38.141mn_ha_shared_secret[5] = 0x00
03:44:38.142mn_ha_shared_secret[6] = 0x00
03:44:38.143mn_ha_shared_secret[7] = 0x00
03:44:38.143mn_ha_shared_secret[8] = 0x00
03:44:38.144mn_ha_shared_secret[9] = 0x00
03:44:38.144mn_ha_shared_secret[10] = 0x00
03:44:38.145mn_ha_shared_secret[11] = 0x00
03:44:38.145mn_ha_shared_secret[12] = 0x00
03:44:38.146mn_ha_shared_secret[13] = 0x00
03:44:38.146mn_ha_shared_secret[14] = 0x00
03:44:38.146mn_ha_shared_secret[15] = 0x00
03:44:38.147mn_aaa_shared_secret_length = 0x00
03:44:38.147mn_aaa_shared_secret[0] = 0x00
03:44:38.148mn_aaa_shared_secret[1] = 0x00
03:44:38.148mn_aaa_shared_secret[2] = 0x00
03:44:38.149mn_aaa_shared_secret[3] = 0x00
03:44:38.149mn_aaa_shared_secret[4] = 0x00
03:44:38.150mn_aaa_shared_secret[5] = 0x00
03:44:38.150mn_aaa_shared_secret[6] = 0x00
03:44:38.151mn_aaa_shared_secret[7] = 0x00
03:44:38.151mn_aaa_shared_secret[8] = 0x00
03:44:38.152mn_aaa_shared_secret[9] = 0x00
03:44:38.152mn_aaa_shared_secret[10] = 0x00
03:44:38.153mn_aaa_shared_secret[11] = 0x00
03:44:38.153mn_aaa_shared_secret[12] = 0x00
03:44:38.154mn_aaa_shared_secret[13] = 0x00
03:44:38.154mn_aaa_shared_secret[14] = 0x00
03:44:38.155mn_aaa_shared_secret[15] = 0x00
03:44:38.156DIAG RX item:
03:44:38.156requestnvitemread - Error response received from target
Does anyone know how to read the HA & AAA secret keys from the ET4G for backup purposes? I'm really after the AAA because I'm pretty sure the HA = "secret"
Did you use the samsung default password?
You can also use cdma workshop, they would be in 465, 466.
Sent from my SPH-D710 using XDA App
ranchosteve said:
Did you use the samsung default password?
You can also use cdma workshop, they would be in 465, 466.
Sent from my SPH-D710 using XDA App
Yes I sent the password still wont read. How do I use CDMA WS to get them?
EDIT*
I used the Read NV Items function in CDMA WS I could read 465 but not 466
0466 (0x01D2) - Access denied
bump
10char...
hey you are doing it right, you need to root your phone to back it up due to security on the phone. You will get access denied in cdma ws as well if you're not rooted. I just did it on an og epic to clone my et4g.
clip3009 said:
hey you are doing it right, you need to root your phone to back it up due to security on the phone. You will get access denied in cdma ws as well if you're not rooted. I just did it on an og epic to clone my et4g.
Yea im rooted...What were the steps you took to read the HA and AAA off the ET4G?
WHAT firmware are you using? 2.36?
clip3009 said:
WHAT firmware are you using? 2.36?
im in the same boat my computer is a windows 7 i dont have a xp computer anymore could you tell me how you got it to read the nv items from you epic
Do we need a windows xp computer to get these values? When trying to write in service program I get the following error NV_UE_IMEI_I NV_READONLY_S SPRINT TOUCH EPIC
dude i used this software from this website and it was very simple and easy for me to use. pm me for a link. idk if it's permissible or not here and i dont want no drama.
Did anybody find the way to backup the secret shared keys in the Epic Touch?
Is it possible that samsung does not use nv item 466 and 1192?
Try logcat.
Put your phone in developer mode.
Connect to the computer
Run; adb logcat > log.txt
On your phone dial ##data#
Enter SPC/MSl
Select edit
Touch HA password (don't change it), exit it
Touch AAA password (don't change it), exit it.
ctrl c to kill adb
open log.txt and scroll through the long list for ha and aaa passwords.
I know kind of a pain to find but that's how I got them on my E4GT and Nexus S 4G.
Somewhere there is thread about doing this on XDA but at the moment I can not find it.
gedster314 said:
Try logcat.
Put your phone in developer mode.
Connect to the computer
Run; adb logcat > log.txt
On your phone dial ##data#
Enter SPC/MSl
Select edit
Touch HA password (don't change it), exit it
Touch AAA password (don't change it), exit it.
ctrl c to kill adb
open log.txt and scroll through the long list for ha and aaa passwords.
I know kind of a pain to find but that's how I got them on my E4GT and Nexus S 4G.
Somewhere there is thread about doing this on XDA but at the moment I can not find it.
this gives us mip profile 1 keys. Is there a way to get profile 0 ha and aaa keys?
ok using this method gives us the password but encrypted anyone knows how to decrypt to hex or string?
BUMP
bump
10char...
Did you ever figure this out? I'd like to backup my own keys.
I'd like to do the same. Anybody have a solution?
************************************************************
************************************************************
After doing a lot of searching and reading I found my solution.
1. Open QXDM and connect to your phone (make sure it is in diag mode)
2. Send your SPC and then your password to the phone. This will unlock the phone. (Password is from Samsung, google it)
3. Close QXDM
4. Open up QPST server, make sure your phone is still detected and open up EFS Explorer
5. Find files 465, 1192 and whatever else you want and drag them to your desktop
6. Open the files with a hex editor like WinHex.
This will give you your AAA and HA passkeys
Hope it works for everybody!
string/text/hex converter
duck95 said:
I'd like to do the same. Anybody have a solution?
I hope this is legal, I use this site all the time for converting values...I (nor my dad or brother in law or anyone else run/operate/profit from this site lol) it just helps and should help you guys with figuring out your keys after you get them with logcat...
http://www.string-functions.com/string-hex.aspx
If its against the rules to post this stuff, deepest apologies...
I'm having trouble bringing up this phone in EFS to write my 10.key. As far as i know, writing my HA and AAA keys (from donor device) and my 10.key should give me 3G right? I'm flashed to page plus btw, got everything working (talk/sms/mms/1x data) except 3G and i just spent the last week trying to extract the HA and AAA keys from my donor phone (ENV3, and good lord do i hate LGNPST) and of course i run into something else that should be smooth! Any help is greatly appreciated!

[Q] AAA key for profile 1 shows up as all 00's in QXDM - Where can I find it?

I've searched around for the past couple days trying to figure out how to pull the AAA key from profile 1 on my OG EVO and I didn't have any luck finding what I need.
I've tried using QXDM:
I unlocked the phone using "spc 'msl'"
It confirms that the phone is unlocked
I entered "requestnvitemread ds_mip_ss_user_prof 1"
the result is all 0's
I've tried running "adb logcat > c:\dump.txt" and ##DATA# in edit mode.
I edited the user and the aaa shared secret and pressed cancel
Looked through the log and I'm not seeing anything jumping out at me.
I did a search for what I already know as the HA key in hex and ascii and I'm not seeing it in the log either.
I've heard you can pull the profile 1 aaa key from nv item 466.
I took a look at the one that came off my phone and it's all 00'd out.
I downloaded the DFS demo and I can read almost everything on that phone except the keys.
My question is how can I pull the profile 1 - 6-digit Sprint key from an EVO?
edit: I originally said I was looking for profile 0 key - I already have that - I'm looking for the profile 1 aaa key.
-thanks Klown80 for pointing that out.
xdapark said:
I've searched around for the past couple days trying to figure out how to pull the AAA key from profile 0 on my OG EVO and I didn't have any luck finding what I need.
I've tried using QXDM:
I unlocked the phone using "spc 'msl'"
It confirms that the phone is unlocked
I entered "requestnvitemread ds_mip_ss_user_prof"
the result is all 0's
I've tried running "adb logcat > c:\dump.txt" and ##DATA# in edit mode.
I edited the user and the aaa shared secret and pressed cancel
Looked through the log and I'm not seeing anything jumping out at me.
I did a search for what I already know as the HA key in hex and ascii and I'm not seeing it in the log either.
I've heard you can pull the profile 0 aaa key from nv item 466.
I took a look at the one that came off my phone and it's all 00'd out.
I downloaded the DFS demo and I can read almost everything on that phone except the keys.
My question is how can I pull the profile 0 - 6-digit Sprint key from an EVO?
Profile 0 will be a 32 digit key, pro 1 is a 12 digit key. Does data work on the Evo currently? If so try going to settings, system updates, update profile.then try reading the profile 0 again.
Klown80 said:
Profile 0 will be a 32 digit key, pro 1 is a 12 digit key. Does data work on the Evo currently? If so try going to settings, system updates, update profile.then try reading the profile 0 again.
you're right - it's the profile 1 key im looking for.
I updated my post and title to reflect that.
I just did a profile update and it shows all 00's
then i tried this:
factory reset and a ##RTN# reset - reboot - OTA activated - updated profile and ran "requestnvitemread ds_mip_ss_user_prof 1"
still shows all 00's
for what it's worth profile 0 and profile 1 ha and aaa keys show up as 00's in QXDM
I restored back to the original factory image (baseband 2.15.00.11.19) I made before I ever rooted the phone to see if that makes a difference.
it didn't
Can anybody confirm that QXDM 3.11.36 can read the profile keys from an EVO?
Im using some HTC Diag drivers that only seem to work with XP even though a 32 and 64 bit driver was included in the zip.
Is there any way I can do some kind of memory dump to locate it?
xdapark said:
you're right - it's the profile 1 key im looking for.
I updated my post and title to reflect that.
I just did a profile update and it shows all 00's
then i tried this:
factory reset and a ##RTN# reset - reboot - OTA activated - updated profile and ran "requestnvitemread ds_mip_ss_user_prof 1"
still shows all 00's
for what it's worth profile 0 and profile 1 ha and aaa keys show up as 00's in QXDM
I restored back to the original factory image (baseband 2.15.00.11.19) I made before I ever rooted the phone to see if that makes a difference.
it didn't
Can anybody confirm that QXDM 3.11.36 can read the profile keys from an EVO?
Im using some HTC Diag drivers that only seem to work with XP even though a 32 and 64 bit driver was included in the zip.
Is there any way I can do some kind of memory dump to locate it?
As long as you have a working profile 0, you can get the phone to OTA and write your profile 1 for you completely. Are you on Boost or Sprint? Unfortunately it sounds like your keys may have got erased somehow, if it does not read in QXDM, DFS, or NV items (Item 466 or 1192 should have it). Does your data work right now? Try just using "requestnvitemread ds_mip_ss_user_prof" that should read your profile 0 key, if we can get at least the profile 0 info the phone will take care of the rest. I have another idea we can try if you can not read profile 0 info. I also have htc drivers that work just fine for me on Win 7 32 bit if you want them, I have a 64 bit Win 7 driver too but have not used it yet so cant confirm it works. I have QXDM 3.09.19 and I know for sure it reads the profile keys, looks like you have a newer version so I assume it would work too.
Klown80 said:
As long as you have a working profile 0, you can get the phone to OTA and write your profile 1 for you completely. Are you on Boost or Sprint? Unfortunately it sounds like your keys may have got erased somehow, if it does not read in QXDM, DFS, or NV items (Item 466 or 1192 should have it). Does your data work right now? Try just using "requestnvitemread ds_mip_ss_user_prof" that should read your profile 0 key, if we can get at least the profile 0 info the phone will take care of the rest. I have another idea we can try if you can not read profile 0 info. I also have htc drivers that work just fine for me on Win 7 32 bit if you want them, I have a 64 bit Win 7 driver too but have not used it yet so cant confirm it works. I have QXDM 3.09.19 and I know for sure it reads the profile keys, looks like you have a newer version so I assume it would work too.
I had a working profile 0 - I couldnt' pull the key using "requestnvitemread ds_mip_ss_user_prof"
FWIW - I could retrieve it from 1192 and by running "requestnvitemread hdr_an_auth_passwd_long"
Out of curiosity - is there a similar command that pulls from 1?
my 466 was completely 00'd out.
I'm not too worried about it anymore - my issue is resolved now.
My problem was I couldn't get 3g working on my gnex.
You let me know the aaa key would be written as long as I had a working profile 0 so I looked for the key on my gnex.
I ran logcat on the gnex and I was able to see the key I was looking for.
I ran around for a few days with no 3g.
After I pulled the key from the gnex and re-wrote it to that same gnex - 3g started working.
Then I made a test call and got error 16.
After I talked to the sprint rep and rebooted - everything worked fine.
thanks for everything - looks like I'm good to go now.:victory:
AAA Help
xdapark said:
I had a working profile 0 - I couldnt' pull the key using "requestnvitemread ds_mip_ss_user_prof"
FWIW - I could retrieve it from 1192 and by running "requestnvitemread hdr_an_auth_passwd_long"
Out of curiosity - is there a similar command that pulls from 1?
my 466 was completely 00'd out.
I'm not too worried about it anymore - my issue is resolved now.
My problem was I couldn't get 3g working on my gnex.
You let me know the aaa key would be written as long as I had a working profile 0 so I looked for the key on my gnex.
I ran logcat on the gnex and I was able to see the key I was looking for.
I ran around for a few days with no 3g.
After I pulled the key from the gnex and re-wrote it to that same gnex - 3g started working.
Then I made a test call and got error 16.
After I talked to the sprint rep and rebooted - everything worked fine.
thanks for everything - looks like I'm good to go now.:victory:
Maybe you can help me out, everything on the phone works except for 3g in debug under evdo protocol it says an-aaa fail and i tried:
requestnvitemread hdr_an_auth_passwd_long and requestnvitemread ds_mip_ss_user_prof both give me:
Request:
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000015407E
Response:
004F6374203136203230313232333A31343A34384F637420303120323031324C3731302E31340041414141414E415A3A06FF70000206B1EE307E
Where do I go from here? Any ideas?
thewire1o1 said:
Maybe you can help me out. Everything on the phone works except for 3g; in debug under evdo protocol it says an-aaa fail, and I tried:
requestnvitemread hdr_an_auth_passwd_long and requestnvitemread ds_mip_ss_user_prof both give me:
Request:
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000015407E
Response:
004F6374203136203230313232333A31343A34384F637420303120323031324C3731302E31340041414141414E415A3A06FF70000206B1EE307E
Where do I go from here? Any ideas?
If it says AN-AAA = fail then your profile 0 info is not correct. Make sure username and AAA are correct. HA will be 736563726574. Look in NV item 466 or 1192 to see if your pro 0 32 digit AAA is in there; it will start after the "10".
Same boat
xdapark said:
I had a working profile 0 - I couldn't pull the key using "requestnvitemread ds_mip_ss_user_prof"
FWIW - I could retrieve it from 1192 and by running "requestnvitemread hdr_an_auth_passwd_long"
Out of curiosity - is there a similar command that pulls from 1?
my 466 was completely 00'd out.
I'm not too worried about it anymore - my issue is resolved now.
My problem was I couldn't get 3g working on my gnex.
You let me know the aaa key would be written as long as I had a working profile 0 so I looked for the key on my gnex.
I ran logcat on the gnex and I was able to see the key I was looking for.
I ran around for a few days with no 3g.
After I pulled the key from the gnex and re-wrote it to that same gnex - 3g started working.
Then I made a test call and got error 16.
After I talked to the sprint rep and rebooted - everything worked fine.
Thanks for everything - looks like I'm good to go now.
Hello, I'm on the same step you were. Could you please post how you pulled the key from the Gnex? Was it with ETS? Thanks a bunch!!

Please help with flashing to pageplus!!!

I need help flashing my LGOG to P+!!! If you, or someone you know, has done it successfully with wireless workshop, please PM me or reply to my post. I'm willing to compensate ($20?) for a remote flash. Thank you!
alibabakazam said:
I need help flashing my LGOG to P+!!! If you, or someone you know, has done it successfully with wireless workshop, please PM me or reply to my post. I'm willing to compensate ($20?) for a remote flash. Thank you!
I'm not sure if this is what you need, but I ran across it a long time ago... hope it helps.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Sprint Phone To PagePlus 3G MVDO Programming
Software Requirements:
Cheap/Free - New QPST & QXDM Pro or DFS CDMA Tool Donor/Demo
Premium - CDMA Workshop ( FOR THIS PHONE YOU WILL NEED THE PAID VERSION --- NO OTHER OPTION WILL WORK )
ESN Change - not required for Verizon clean non-blacklisted phones
(Signed Keys Required):
To get 3G Data a Phone must obtain Verizon/PagePlus unique ID/Keys after activation that is delivered to each phone.
Each unique HAA/AA password key is tied to the account phone number.
Activation is network new number/port setup, phone to phone ESN/MEID swap, or phone number change.
QPST will write to my HTC EVO. For non-data programming, once you do the above just allow the phone to self-activate. It completes but it doesn't program the 3G data.
Requirements:
1. Sprint 3G Cellphone (prefer clean ESN)
2. Either the latest QPST & QXDM Pro (recommended) , CDMA Workshop, or DFS Tool (recommended)
3. Modified Sprint PRL for Verizon Network
4. Verizon DMU Key ( THIS IS THE "10 KEY" IN EFS )
First you must program the Phone to Verizon/PagePlus.
A. Change MSL from Sprint MSL unlock,
ehow Sprint MSL or MSL Reader = marketplace download {require root}
B. Next Program Verizon format contained within documents if not porting with a preexisting phone number use [email protected] and [email protected] for phone provisioning.
C. Copy/Push the DMU Key to Phone’s DMU folder
D. Program the Verizon PRL
E. You must Disable mobile network data before you Dial *228 Activation
F. Activate the Phone with *228 which will update most data information then reboot
G. Within 10 – 15 mins of Activation do the following
H. Verify and correct your [email protected] in phone provisioning to final phone number
I. Program the phone with the following:
Program all Verizon phone passwords and HA Shared passwords to "vzw" without quotes. Click profile 0 and click edit.
Check and make sure your “NAI” is the correct one for Verizon/PagePlus network:
MCC 310 and MNC 00
NAI: [email protected]
MN HA SPI Set: Enable
MN HA SPI Value: 12C
MN AAA SPI Set: Enable
MN AAA SPI Value: 2
Reverse Tunneling: Enable
Home Address: 0.0.0.0
Primary HA Address: 255.255.255.255
Secondary HA Address: 0.0.0.0
DMU Pub Key: 10
MN Authenticator: 0
Rev Tunnel Preferred: Checked now with both passwords hit ok.
Now Profile 1 information below must retain the same data details as profile 0.
Your AAA is [email protected]
Your initial HA Shared is vzw
Rev Tunnel Preferred: Checked now with both passwords hit ok
J. The 3G DATA Sprint trick.
On Sprint a Phone without activation will have its Active Mip profile defaulted to 0. After any type of programming the default Active Profile becomes 1 but you’ll NEED it to be set to 0 for the initial data Verizon programming connection only.
Generally changing the Phone’s Active Mip Profile by ESPT Dialer or by programming software will auto reboot the Phone.
Warning, by all means necessary AVOID the Phone reboot as it will initialize your Phone’s Active Mip Profile back to 1. There is a critical reason for this!
* You’ll need a root experimental ESPT Dialer to change the Phone’s active data profile setting which will fail to reboot.
OR
* You'll need to use CDMA or DFL Tool and change the Active Mip Profile to 0 without rebooting the active Phone. {Not sure reread I}
K. After changing Mip Profile to 0 be sure to view the changed Dialer ESPT ##DATA# “Date Profile” settings at least two as this could crash. At crash view again until the ##DATA# reloads resolves any crashing.
L. After changing the profile above your Phone’s voice and data transmission will be inactive. Toggle “Airplane” mode first ON then OFF. Now your signal bar will show an active broadcast transmission again.
M. Change network to CDMA PRL or do whatever you need to do for the Phone to maintain a stable data connection.
N. Enable the mobile data network, preferably outside. Maintain data connection for at least 10 minutes
O. Before you Reboot / Power off the Phone Disable the mobile data network again.
P. Use DFS TOOL or QXDM Pro and copy all of Mip Profile 0 data to Profile 1. Clone both your HA Shared & AAA passwords then enter all information that was programmed OTA earlier and clone to profile 1.
HA Shared Secret: shouldn't be garbled characters (OTA programming has assigned your phone unique keys)
AAA Shared Secret: shouldn't be garbled characters (OTA programming has assigned your phone unique keys)
Now you’re done!
You will get:
A. Voice
B. Text
C. 3G Data Locked
MMS Setup:
Requires you change the Phone’s APN Settings:
A. Dial ##DATA or Voice Dialer speak “Open APN”
B. Change to:
Port delete {Not Set}
Proxy delete {Not Set}
MMS http://mms.vtext.com/servlets/mms
press menu button then Save
Thanks bud!
Wow, thank you for taking the time to post all that information. It seems to be a lot more work than I thought, especially with the money I'll have to spend to get the right versions of the required software for this job. I'm seriously thinking of letting someone else just help me. Thank you again for your help!
