7/27/2019 EVO 4g tut
HTC EVO 4G on Virgin Mobile
Due to extreme demand I've decided to construct an A-Z guide
on how to fully flash the HTC Evo 4G to Virgin Mobile (just
like the name implies, obviously).
Well, there are a few items needed to complete this
somewhat lengthy process.
List of physical items:
HTC Evo 4G
Donor Virgin Mobile phone (the LG Rumor Touch, Optimus V, or
Samsung Intercept if you want 3G capabilities)
Data sync cable for your computer
Stress ball
Ice cream
Now for the list of programs needed:
LGNPST Lab version 1.2 (if using Rumor Touch or Optimus V as
donor phone)
CDMA Tools (version 2.7+)
QPST
QXDM Professional
rEVOlutionary or unrEVOked
STEP 1. Extracting the info
Before we can begin touching the Evo, there are a few bits of
information we'll be needing from your donor phone. In my
case I had the LG Optimus V lying around from
who-knows-when and I'll be referring most of these steps to
the processes used to extract information from that phone.
The things you'll be needing from the phone will be the: ESN,
MEID, HA key (default VM HA key is vmug33k), the AAA key,
and NV Items 1192 and 1194. The ESN and MEID have to be
the easiest bits of information to obtain. They can be easily
read by CDMA tools, just be sure to download the DIAG drivers
that are specific to your device. A lot of people get stumped
with this program, so don't fret, I'll break it down a bit for you
guys.
STEP 1.2 Understanding CDMA tools
After installing your DIAG drivers, your phone can now be
located at a port. Before it can be located as a port you'll have
to activate debugging on your donor phone. Navigate to your
phone's Settings> Applications> Development> and then make
sure USB Debugging is checked off, plug your donor phone into
the computer, and select charge only when the USB settings
show up on your phone.
Now to find what port your phone is on, for Windows 7 it's
really simple: Control panel> in the search bar type "device
manager" without the quotation marks and select device manager>
scroll down to the drop down bar titled PORTS and the only
ports there should be your phone.
Windows XP steps are similar with a few exceptions but it's
nothing you can't google. Remember, if you can't google it,
there's a good chance it doesn't exist.
Now that you've located the port you can read your phone in
CDMA Workshop. Open up your CDMA Workshop (version 2.7+)
and click on the drop down menu on the upper right and select
your phone's port, then select "connect to port", then "read"
and you're done.
CDMA tools should now display your MEID and ESN. *HINT*
Your MEID is the A00000xxxx or A1000xxxx number and your
ESN is an 8-digit alphanumeric combination *END HINT*.
Also a side note: If using an LG phone as your donor, expect an
error message when trying to read your phone, don't sweat it.
The message pops up because the phone can't be fully read
without reading the phone in LGNPST.
Don't forget to grab those NV Items I mentioned earlier. Just
connect your phone to CDMA tools and navigate to the Security
tab. Under the NV items box search for NV Items 1192 to 1194.
Side note: You won't be able to read these NV Items on the LG
Rumor Touch or LG Optimus V unless you read them first with
LGNPST.
STEP 1.4 Understanding LGNPST
(SKIP IF USING SAMSUNG INTERCEPT OR
OTHER NON-3g DONOR PHONE)
Now that we have the ESN and MEID from our donor phone
we're almost done. ESN and MEID only ensure us talk and text
but no web or MMS, which would be fine but not for us. We're
better than that, we want 3G no matter the cost (not literally).
The thing about these VM LG phones is that Virgin locks these
bad boys up tight! Lucky for you, if there is anything I've
learned over the years, it's: Whatever the developers do good,
hackers do better. This isn't really hacking but whatever, I still
sleep fine at night. To read the LG Rumor Touch or OV you'll need
to get your hands on the LGNPST Lab version 1.2 and if you're
using the Optimus like I did you'll also need the ls670.dll file.
Installing LGNPST isn't that tricky but installing the DLL files
threw me off a bit so I'll provide the dll file and a link to how to
install it.
Once you've installed the dll file your phone can be
recognized by LGNPST. If your phone isn't already, plug it into
your computer and run the LG product service tool.
Your phone should be recognized automatically but if not just
press the F key on your keyboard and click on "select dll" on
the menu in the top left corner of the program. Scroll down
until you find the ls670.dll file, click it, select ok. Now you're
almost set to read those AAA keys (FINALLY!!!!!!). Locate the
"phone settings" button on the main page. If it's grayed out click
on "expand" then "deminish" and it should be available to click
on. Now, if it asks for a SEC code or MSL code, it can be found in
CDMA tools under the security tab. Just locate the SPC square and
make sure to select the LG method from the drop down menu
before reading it.
You should have your 6 digit code now and that should allow
you to read the phone in LGNPST. Now just read the phone and
that's it! Your phone can now be completely read.
STEP 1.6 Reading AAA keys
You know that nifty little tool I mentioned earlier called QXDM?
Yeah, well, time to pop that little guy out. I like this program
because once you're through with it you can fool your dumb
friends into believing you programmed some super awesome
program, really the way you finish your opponent is up to you.
All joking aside, try to get used to this program because once we
start on the EVO you'll be needing it a bit.
I really hate QXDM because of reasons that weren't its fault. If
you're using Windows 7 don't forget to run this in compatibility
mode (Windows XP SP3). Make sure to also install QPST, you'll
need it to connect your phone to QXDM.
QPST also needs to be run in compatibility mode. To connect to
QXDM you'll need to start up QPST Configuration and navigate
to the ports tab, click on add new port...,
on the left select your phone's port, click ok, and finally select
the port and click enable.
Now run QXDM, navigate to the options tab, select
communications and select your port in the first drop down
menu, and you're set!
First, there are a few commands you'll need to know to make this
program work for what you need it for. You'll be needing to read
the AAA keys from your data profiles. Each Virgin Mobile phone
I've used to date has had only 3 profiles: profile 0, 1, and 2. To
read these profiles for their AAA key you'll have to type in the
command bar: "requestnvitemread ds_mip_ss_user_prof "
followed by 0,
then 1, then 2. So to read from profile 1 you'll write
"requestnvitemread ds_mip_ss_user_prof 1". There'll be a
long strand of four sets of numbers, two green and two blue.
Ignore the first 3 sets of numbers (both the "HA_SHARED" and
the first set of "AAA_SHARED") and just copy all the numbers
excluding the "0x" at the beginning of each one. For example, if
you got four groups like this 0x89 0x97 0x26 0x26 you'd read it,
89 97 26 26. Each group is numbered 0-15 so ignore the first
"aaa_shared_secret_length" and start writing down the others
as I said. After removing the first two characters (0x) you should
have 32 characters and with that, you're now done (with that at
least)!
STEP 1.8 Ice Cream break!!!!!!
STEP 1.9 Revise
Now you should have all you need, just take a quick gander at
what you have. You should have your ESN, MEID, HA password, your
AAA password, and your MIN and MDN.
I haven't gone over your MIN or MDN yet but it's really simple,
your MIN is your phone number and your MDN is the second
number on your phone which can easily be found in settings>
about phone, usually it's under "my number" and "msid". Have
this information and you're finally set, you're done, terminado,
fin, whatever you wanna say but it's over. Take one last look at
your brand new paper weight because you'll need to either
turn it off for good or wipe the ESN and MEID to ensure it
doesn't interrupt your phone service on your new EVO.
STEP 2 Prepping for surgery
Now we get to the fun part! You need to prepare to rewrite your
EVO but first, I highly recommend you save your information on
the EVO and write down everything that we took from the
Optimus: ESN, MEID, everything. In case you change your mind
you'll have everything handy. When I went through this process
I wrote down all the information by hand and it helped me
keep track of what I was doing so that's just a little tip for you
guys.
First thing many will want to do is root the phone. Although
it's not necessary, it'll help a bit with a few things during the
flashing process (like finding your 6-digit SPC without using
CDMA Workshop) but really what rooting brings to the table is
more helpful for everyday use, so whether or not you root is up
to you.
Side note: without rooting you will not be able to reach 100%
functionality.
STEP 2.2- ZEROING OUT THE PHONE
Finally the moment you've been waiting for! Now it's time to
get down and dirty with our EVO. Rooting or not you'll need the
EVO's diag drivers. Now, google was my friend here so just do a
quick search for them and you'll find 'em. This part here is by
far the most time consuming step of the entire guide and
expect to spend 30+ minutes so you'll have to be very patient.
*Samsung Method*
For Samsung owners this is surprisingly simple and only
requires QXDM. In the command line enter: "password
01F2030F5F678FF9"
"RequestNVItemWrite MEID 000A0000000000000"
without the quotation marks and replacing the A000... with your
MEID. You can then enter the command "RequestNVItemRead
Meid" to make sure it stuck. If it did, you're done; if not, then
you might want to try again or try the traditional method
below.
*HTC Method*
This method is also fairly easy and only requires QPST, QXDM,
and 15 minutes of your precious, precious time. You're gonna
want to make sure that your Evo has a port available too, don't
want to forget your new "baby!" Open up QPST and select EFS
explorer.
And make a new directory...
and name it "Open sesame door"
Open those files with your hex editing program and change
everything to 0s.
And make sure to save it and place it back in the num folder.
Before closing EFS explorer make sure to delete the "open
sesame door" folder so you can be on your merry way.
Now that you've zeroed out the ESN and MEID you can navigate
your way to QXDM.
In the command line enter "RequestNVItemWrite Meid
0x00A000000000000" replacing the A000 number with your
MEID. If it stuck you should be able to see it with the command
"RequestNVItemRead Meid". Congrats, talk and text should now
work.
*Traditional Method*
(Long way)
For this process you'll have to search for the MEID and ESN
locations on the EVO via CDMA tools. It's a tricky process but I'll
walk you through it. Make sure to download WinHex or another
hex editing software for this step.
1.) Open up CDMA Workshop and connect your phone and then
click read. Proceed to the security tab and enter your SPC code
and send it to the phone to unlock it.
2.) Go to the memory tab and click start under memory scan.
Just leave the fields the way they are.
You should get something like:
Scanning memory for readable areas:
Unreadable area from: 0000:0000
Readable area from: 00FA:0000
Unreadable area from: 0100:0000
Readable area from: 0109:0000
Unreadable area from: 01DC:0000
Process is stopped at: C000:0000
3.) Now for the tricky part. I'm not sure if this is how you figure
out the number of bytes you need but it works fine for me. The
memory is readable from 00FA:0000 to 0100:0000 so we take
the number 0100:0000, subtract 00FA:0000 from it and
convert the result to a decimal. To do this use the calculator tool in
Windows. So open the calculator and click view and select
programmer.
Now punch in 1000000. (The first zero doesn't matter, the
same goes for the other address.) Then click subtract and
punch in FA0000 (of course replacing these addresses with the
ones in your scan). Now when I hit equals I get the hex number
60000. To convert this to a decimal simply select dec.
As you can see I get the number 393216.
4.) Now in the memory / EEPROM area put in the number you
calculated where it says bytes. Put in the first readable area in
the start address field. Now click read and it will prompt you to
Write it down and move on to the next. If you press ctrl, alt and
x and hit OK it will take you to the same address you were just
at so what I do is change one of the numbers and then search
again like so.
I changed the first pair to 00 so I can continue searching for
MEID addresses. Continue this process for the rest of this file,
then you must do step 3-6 with your second readable area.
Mine again was 0109:0000 - 01DC:0000. The second readable
area takes a very long time. My bytes ended up being
13,828,096.
7.) The last thing I did was do the entire process again, only I put
the phone in airplane mode. This may or may not be necessary.
This same process can also be used to find your ESN locations.
Just search the same files but put your reversed ESN in the
search window in WinHex.
After you open your scan results with WinHex:
-Do a search for your MEID in reverse, with no spaces. Make
sure you check the "list search hits" box. It should list the
locations of the results at the top.
-There's gonna be an offset number to the left of it. You can
click on it and it changes; click it so it shows an offset
number that contains letters.
-Open up the Windows calculator and make sure it's in "HEX"
mode. It usually starts up in "DEC" mode.
-If you did a search at, let's say, "00FA-0000" for example, in
CDMA WS, you're gonna want to take your offset number and add
it to your original search location, for example 00FA0000 with
no dash.
-You'll come up with a result like this:
*example- 00FA0000+4EDC2C= 148DC2C which would be
0x0148DC2C
-Just add 0x0 or 0x00 (depending on the length of your result
number) in front of it.
-Do this for all the other locations and there you go, you have
your addresses.
Overall it is a very time consuming process but if you do
everything correctly it can save you a lot of time as opposed to
looking up addresses someone else has posted. I have tried in
the past and people with the same baseband had completely
different addresses.
For some phones, you'll have what is referred to as "floaters"
which are basically the one bastard that won't die in the action
movies and becomes the worst super villain in the movie's
history when the sequel comes out. They're fairly simple to find:
just run the same process again but with your phone in airplane
mode.
You should have found 10 MEID locations and 15 or more ESN
locations. If not I'm afraid you'll have to repeat this process
(DUN DUN DUUUUUUN).
Once you find the locations, zero them out with QXDM. Connect
your phone to QXDM and press the F4 hotkey once opened and
start inputting the addresses you found and calculated. Look for
your ESN or MEID and rewrite them as 0's. Once done,
disconnect your phone (DO NOT POWER DOWN), and remove
the battery for a couple of seconds then place it back in and start up.
Now connect your phone again and open up QPST. In the
command bar type: "requestnvitemread esn" If done correctly
it should show all 0s. Then type in "requestnvitemread meid"
and it should display 0s again. If it does then give yourself a pat
on the back because you just saved the town and got rid of that
super villain before he became a pest. Now would be a good
time to eat ice cream if you didn't finish it all the first time.
STEP 2.3-WRITING THE MEID
The beauty of the MEID is it calculates the ESN for you. Open up
QPST again and type in the command bar "requestnvitemwrite
MEID" followed by 0x(DONOR MEID). For example, if I wanted
to put my MEID I'd write "requestnvitemwrite MEID
0xA0000xxxxxx", just replace the A0000xxxx number with your
donor MEID. Remember: The MEID always begins with an "A" and
is followed by either a 1000xxxxx or 0000xxxxx number.
Now disconnect your phone, remove the battery and replace.
Boot up your phone and navigate to Settings>About
phone>Status Search to see if your DONOR MEID is in the MEID
space. You could also check in QPST with "requestnvitemread
MEID" and to be safe "Requestnvitemread ESN" and check to
see if the ESN stuck as well.
If they both stuck now is a time to use your best happy
prospector dance moves because you've just set your new
phone up with talk and text.
STEP 2.5-Writing DATA
Now that we can call our friends to brag about our new badass
phone and show them how many people we've texted, it's time
to make them spaz out with 3G capabilities.
For this you'll need QPST Configuration. Open it up and make
sure your EVO is connected to QPST and select the Start Clients
drop down menu and select Service Programming. This is where
the magic happens. There'll be two tabs you'll be working with:
the PPP Config tab and M.IP tab. Select the M.IP tab and make
sure to disable or delete profiles 3, 4, 5, and 6 and make sure to
add a profile 0. Under the profiles write:
profile:0, enabled:no, nai:, tethered nai:, ha spi:3, aaa spi:2, rev
tun:no, home:0.0.0.0, primary:dynamic, secondary:not set,
dmu pub:0, mob auth:
profile:1, enabled:yes, nai: (DONOR MEID)@mdata.vmobl.com,
tethered nai:, ha spi:21EF, aaa spi:21EF, rev tun:yes,
home:0.0.0.0, primary:not set, secondary:not set, dmu pub:0,
mob auth:
HA Shared: (change it to "text string" and enter "vmug33k")
AAA Shared: (change it to "HEX string" and enter DONOR AAA
Shared Secret)
profile:2, enb:yes, nai: (your MEID)@prov.vmobl.com, tethered
nai:, ha spi:21EF, aaa spi:21EF, rev tun:yes, home:0.0.0.0,
primary:not set, secondary:not set, dmu pub:0, mob auth:
HA Shared: (change it to "text string" and enter "vmug33k")
AAA Shared: (change it to "HEX string" and enter DONOR AAA
Shared Secret)
And you're done with the M.IP tab. Navigate to the PPP Config
tab. Under RM and UM don't touch anything, but for AN the userid is
[email protected]. Now just write to phone, wait until
the phone reboots and disconnect it. Now your phone
should be done! 3G should be dancing around proud on the top
of your notification bar.
STEP x.x-MMS FIX (optional)
If you're content with talk, text, and web go no further. If you
do not wish to root your phone go no further. If you want to
root your phone and can't live without MMS then this is the
step you'll want to go through. First you'll want to root your
EVO obviously. I'm including the unrEVOked program with this
guide but you'll have to google how to use it, just make sure to
install ClockworkMod.
Now that your phone is rooted and has S-off, I've included two
ROMs that have the MMS patch, CM7 and an Ice Cream
Sandwich AOKP ROM. CM7 has the MMS patch built in but for the
ICS ROM the patch has to be flashed along with the ROM. DISCLAIMER:
ALL DATA WILL BE ERASED LIKE PICTURES, MUSIC, APPS, ETC.
DO A BACKUP ON YOUR COMPUTER BEFORE FLASHING A ROM.
To flash a ROM first make sure your phone isn't running
fastboot. Make sure to uncheck it in your settings and power
down your phone. Connect your EVO to your computer and put
it in disk drive mode. You can now select from either CM7 or
the Ice Cream Sandwich ROM I included. If flashing CM7, just
copy the update-cm-7.2.0-4FEB2012-VirginMobile.zip file to
your SD card's root. If flashing AOKP ICS, copy the
VM_AOKP_24_PATCHER_EDITFY.zip,
aokp_supersonic_build-24.zip, and
gapps-ics-20120215-signed.zip to your phone's root. Now press
and hold both the volume down button and the power button
until a white recovery screen appears. When the screen
appears wait 15 seconds to allow it to run its programs and then,
using the volume rocker to scroll up and down, highlight
"recovery" and use the power button to select it.
Your phone should display the EVO 4G boot sign for a few
seconds before booting up ClockworkMod. Now scroll down
to wipe dalvik cache and use power to select it. Now scroll to
Yes, Install and again use the power button to select it. Do the
same again but this time scroll down to factory reset/user data.
Now scroll down to Install Zip from sd card. Here scroll all the
way to the bottom. If flashing CM7, select the
update-cm-7.2.0-4FEB2012-VirginMobile.zip and allow it to
install. If flashing AOKP, select the
aokp_supersonic_build-24.zip and flash it, then repeat the same with
the VM_AOKP_24_PATCHER_EDITFY.zip and
gapps-ics-20120215-signed.zip. Now navigate back to the menu
you first came into when you opened ClockworkMod and
select reboot device now.
That's it! You're done and now you should have Talk, SMS,
MMS, and web working plus a nifty little Custom ROM.
I'd like to give thanks to brooksyx, Constrictor25, LeslieAnn, and
Wienerwad of XDA forums for help with the MMS patch and
helping with the locating of the MEID and ESN locations.
I hope this tutorial will be of service to many of you. Any
questions, just contact UncivilSavage of XDA Forums.
Steve