evo 4g tut

Upload: spizzoof

Post on 02-Apr-2018


  • 7/27/2019 EVO 4g tut

    1/37

    HTC EVO 4G on Virgin Mobile

    Due to extreme demand I've decided to construct an A-Z guide
    on how to fully flash the HTC Evo 4G to Virgin Mobile (just
    like the name implies, obviously).

    Well, there are a few items needed to complete this
    somewhat lengthy process.

    List of physical items:

    HTC Evo 4G

    Donor Virgin Mobile phone (the LG Rumor Touch, Optimus V, or
    Samsung Intercept if you want 3G capabilities)

    Data sync cable for your computer

    Stress ball

    Ice cream


    Now for the list of programs needed:

    LGNPST Lab version 1.2 (if using the Rumor Touch or Optimus V as
    donor phone)

    CDMA Workshop (version 2.7+), referred to below as CDMA tools

    QPST

    QXDM Professional

    rEVOlutionary or unrEVOked

    STEP 1. Extracting the info

    Before we can begin touching the Evo, there are a few bits of
    information we'll be needing from your donor phone. In my
    case I had the LG Optimus V lying around from
    who-knows-when and I'll be referring most of these steps to
    the processes used to extract information from the phone.

    The things you'll be needing from the phone will be the: ESN,
    MEID, HA key (default VM HA key is vmug33k), the AAA key,
    and NV items 1192 and 1194. The ESN and MEID have to be
    the easiest bits of information to obtain. They can be easily
    read by CDMA tools, just be sure to download the DIAG drivers
    that are specific to your device. A lot of people get stumped
    with this program so don't fret it, I'll break it down a bit for you
    guys.

    STEP 1.2 Understanding CDMA tools

    After installing your DIAG drivers, your phone can now be
    located at a port. Before it can be located as a port you'll have
    to activate debugging on your donor phone. Navigate to your
    phone's Settings > Applications > Development and make
    sure USB Debugging is checked, plug your donor phone into
    the computer, and select "charge only" when the USB settings
    show up on your phone.

    Now to find what port your phone is on. For Windows 7 it's
    really simple: Control Panel > in the search bar type "device
    manager" (without the quotation marks) and select Device Manager >
    scroll down to the drop-down titled "Ports", and the only
    port there should be your phone.


    Windows XP steps are similar with a few exceptions but it's
    nothing you can't google. Remember, if you can't google it,
    there's a good chance it doesn't exist.

    Now that you've located the port you can read your phone in
    CDMA Workshop. Open up your CDMA Workshop (version 2.7+)
    and click on the drop-down menu on the upper right and select
    your phone's port, then select "connect to port", then "read",
    and you're done.


    CDMA tools should now display your MEID and ESN. *HINT*
    Your MEID is the 14-digit hex number that starts A00000... or
    A1000..., and your ESN is the 8-digit hex number. *END HINT*

    Also a side note: if using an LG phone as your donor, expect an
    error message when trying to read your phone, don't sweat it.
    The message pops up because the phone can't be fully read
    without reading it in LGNPST.

    Don't forget to grab those NV items I mentioned earlier. Just
    connect your phone to CDMA tools and navigate to the Security
    tab. Under the NV items box search for NV items 1192 to 1194.


    Side note: You won't be able to read these NV items on the LG
    Rumor Touch or LG Optimus V unless you read them first with
    LGNPST.

    STEP 1.4 Understanding LGNPST

    (SKIP IF USING SAMSUNG INTERCEPT OR
    OTHER NON-3G DONOR PHONE)

    Now that we have the ESN and MEID from our donor phone
    we're almost done. ESN and MEID only get us talk and text
    but no web or MMS, which would be fine but not for us. We're
    better than that, we want 3G no matter the cost (not literally).
    The thing about these VM LG phones is that Virgin locks these
    bad boys up tight! Lucky for you, if there is anything I've
    learned over the years it is: whatever the developers do well,
    hackers do better. This isn't really hacking but whatever, I still
    sleep fine at night. To read the LG Rumor Touch or Optimus V you'll need
    to get your hands on the LGNPST Lab version 1.2, and if you're
    using the Optimus like I did you'll also need the ls670.dll file.

    Installing LGNPST isn't that tricky but installing the DLL files
    threw me off a bit so I'll provide the dll file and a link to how to
    install it.

    Once you've installed the dll file your phone can be
    recognized by LGNPST. If your phone isn't already, plug it into
    your computer and run the LG product service tool.
    Your phone should be recognized automatically, but if not just
    press the F key on your keyboard and click on "select dll" on
    the menu in the top left corner of the program. Scroll down
    until you find the ls670.dll file, click it, and select OK.

    Now you're almost set to read those AAA
    keys (FINALLY!!!!!!). Locate the "phone settings" button on the main
    page. If it's grayed out, click on "expand" then "diminish" and
    it should be available to click on. Now, if it asks for a SEC code or
    MSL code, it can be found in CDMA tools under the Security tab. Just
    locate the SPC box and make sure to select the LG method
    from the drop-down menu before reading it.

    You should have your 6-digit code now and that should allow
    you to read the phone in LGNPST. Now just read the phone and
    that's it! Your phone can now be completely read.

    STEP 1.6 Reading AAA keys

    You know that nifty little tool I mentioned earlier called QXDM?
    Yeah, well, time to pop that little guy out. I like this program
    because once you're through with it you can fool your dumb
    friends into believing you programmed some super awesome
    program, really the way you finish your opponent is up to you.
    All joking aside, try to get used to this program because once we
    start on the EVO you'll be needing it a bit.

    I really hate QXDM because of reasons that weren't its fault. If
    you're using Windows 7 don't forget to run this in compatibility
    mode (Windows XP SP3). Make sure to also install QPST, you'll
    need it to connect your phone to QXDM.
    QPST also needs to be run in compatibility mode. To connect to
    QXDM you'll need to start up QPST Configuration and navigate
    to the Ports tab, click on "Add new port...",
    on the left select your phone's port, click OK, and finally select
    the port and click Enable.

    Now run QXDM, navigate to the Options tab, select
    Communications and select your port in the first drop-down
    menu, and you're set!

    First, there are a few commands you'll need to know to make this
    program work for what you need. You'll be needing to read
    the AAA keys from your data profiles. Each Virgin Mobile phone
    I've used to date has only 3 profiles: profile 0, 1, and 2. To
    read these profiles for their AAA key you'll have to type in the
    command bar "requestnvitemread ds_mip_ss_user_prof "
    followed by 0, then 1, then 2. So to read from profile 1 you'll write
    "requestnvitemread ds_mip_ss_user_prof 1".

    You'll get a long strand of four groups of numbers, two green
    and two blue: the HA shared secret length, the HA shared secret
    ("HA_SHARED"), the AAA shared secret length
    ("aaa_shared_secret_length"), and the AAA shared secret
    ("AAA_SHARED"). Ignore the first three groups and copy only the
    bytes of the AAA shared secret, which are numbered 0-15,
    dropping the "0x" at the beginning of each one. For example, if
    you got four bytes like this, 0x89 0x97 0x26 0x26, you'd write
    them down as 89 97 26 26. After removing the "0x" from all 16
    bytes you should have 32 characters and with that, you're now
    done (with that at least)!
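    Added example (not part of the original guide): a small Python helper that does the transcription above automatically instead of by hand. The dump layout it parses, one "name = 0x.. 0x.." line per group, is an assumption about how QXDM prints the ds_mip_ss_user_prof item; the AAA bytes in the sample are made up, and the HA bytes are just "vmug33k" in ASCII. If your output has the same shape, paste it into SAMPLE_DUMP.

```python
import re

# Constructed sample modelled on the four groups the guide describes
# (HA length, HA secret, AAA length, AAA secret). The line layout is an
# assumption about QXDM's display; the AAA byte values are made up.
SAMPLE_DUMP = """\
requestnvitemread ds_mip_ss_user_prof 1
  index                    = 0x01
  ha_shared_secret_length  = 0x07
  ha_shared_secret         = 0x76 0x6D 0x75 0x67 0x33 0x33 0x6B 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
  aaa_shared_secret_length = 0x10
  aaa_shared_secret        = 0x89 0x97 0x26 0x26 0x4A 0xB1 0x0C 0xD3 0xE5 0x5F 0x70 0x81 0x92 0xA3 0xB4 0xC5
"""

_BYTE = re.compile(r"0x([0-9A-Fa-f]{2})\b")


def parse_fields(dump: str) -> dict[str, list[int]]:
    """Map each 'name = 0x.. 0x..' line to the list of byte values on it."""
    fields = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        fields[name.strip()] = [int(b, 16) for b in _BYTE.findall(value)]
    return fields


def shared_secret_hex(dump: str, which: str = "aaa") -> str:
    """Return the HA or AAA shared secret as hex with every '0x' dropped,
    honouring the length field so padding bytes are not copied."""
    fields = parse_fields(dump)
    length = fields[f"{which}_shared_secret_length"][0]
    secret = fields[f"{which}_shared_secret"]
    if length > len(secret):
        raise ValueError(f"{which} length {length} exceeds the {len(secret)} bytes shown")
    return "".join(f"{b:02X}" for b in secret[:length])


def strip_0x(tokens: str) -> str:
    """The manual step from the guide: '0x89 0x97 0x26 0x26' -> '89972626'."""
    return "".join(f"{int(t, 16):02X}" for t in _BYTE.findall(tokens))


if __name__ == "__main__":
    aaa = shared_secret_hex(SAMPLE_DUMP, "aaa")
    ha = shared_secret_hex(SAMPLE_DUMP, "ha")
    print("AAA shared secret (hex):", aaa, f"({len(aaa)} characters)")
    print("HA shared secret decodes to:", bytes.fromhex(ha).decode("ascii"))
```

    The HA secret is shown as a check: its 7 bytes decode back to the default VM HA key, which is a quick way to confirm you are reading the right profile before you copy the 32-character AAA value.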


    STEP 1.8 Ice Cream break!!!!!!

    STEP 1.9 Revise

    Now you should have all you need, just take a quick gander at
    what you have. You should have your ESN, MEID, HA password, your
    AAA password, and your MIN and MDN.

    I haven't gone over your MIN or MDN yet but it's really simple:
    your MDN is your phone number and your MIN is the second
    number on your phone. Both can easily be found in Settings >
    About phone, usually under "my number" (the MDN) and "msid"
    (the MIN). Have this information and you're finally set, you're
    done, terminado, fin, whatever you wanna say but it's over. Take
    one last look at your brand new paper weight because you'll need
    to either turn it off for good or wipe the ESN and MEID to ensure it
    doesn't interrupt your phone service on your new EVO.

    STEP 2 Prepping for surgery

    Now we get to the fun part! You need to prepare to rewrite your
    EVO but first, I highly recommend you save the EVO's own
    information and write down everything that we took from the
    Optimus: ESN, MEID, everything. In case you change your mind
    you'll have everything handy. When I went through this process
    I wrote down all the information by hand and it helped me
    keep track of what I was doing so that's just a little tip for you
    guys.


    First thing many will want to do is root your phone. Although
    it's not necessary, it'll help a bit with a few things during the
    flashing process (like finding your 6-digit SPC without using
    CDMA Workshop) but really what rooting brings to the table is
    more helpful for everyday use, so whether or not you root is up
    to you.

    Side note: without rooting you will not be able to reach 100%
    functionality.

    STEP 2.2 - ZEROING OUT THE PHONE

    Finally the moment you've been waiting for! Now it's time to
    get down and dirty with our EVO. Rooting or not, you'll need the
    EVO's DIAG drivers. Now, google was my friend here so just do a
    quick search for them and you'll find 'em. This part here is by
    far the most time consuming step of the entire guide, so
    expect to spend 30+ minutes and be very patient.

    *Samsung Method*

    For Samsung owners this is surprisingly simple and only
    requires QXDM. In the command line enter "password
    01F2030F5F678FF9" and then
    "RequestNVItemWrite MEID 000A0000000000000",
    without the quotation marks and replacing the A000... placeholder
    with your own 14-digit MEID. You can then enter the command
    "RequestNVItemRead Meid" to make sure it stuck. If it did you're
    done; if not, you might want to try again or try the traditional
    method below.

    *HTC Method*

    This method is also fairly easy and only requires QPST, QXDM,
    and 15 minutes of your precious, precious time. You're gonna
    want to make sure that your Evo has a port available too, don't
    want to forget your new "baby"! Open up QPST and select EFS
    Explorer, make a new directory, and name it "Open sesame door".

    Open those files (they live in the num folder) with your hex editing
    program and change everything to 0s. Make sure to save them
    and place them back in the num folder.

    Before closing EFS Explorer make sure to delete the "Open
    sesame door" folder so you can be on your merry way.

    Now that you've zeroed out the ESN and MEID you can navigate
    your way to QXDM. In the command line enter "RequestNVItemWrite Meid
    0x00A000000000000", replacing the A000... placeholder with your
    MEID. If it stuck you should be able to see it with the command
    "RequestNVItemRead Meid". Congrats, talk and text should now
    work.


    *Traditional Method*
    (Long way)

    For this process you'll have to search for the MEID and ESN
    locations on the EVO via CDMA tools. It's a tricky process but I'll
    walk you through it. Make sure to download WinHex or another
    hex editing program for this step.

    1.) Open up CDMA Workshop, connect your phone and then
    click Read. Proceed to the Security tab, enter your SPC code
    and send it to the phone to unlock it.

    2.) Go to the Memory tab and click Start under memory scan.
    Just leave the fields the way they are. You should get something like:

    Scanning memory for readable areas:
    Unreadable area from: 0000:0000
    Readable area from: 00FA:0000
    Unreadable area from: 0100:0000
    Readable area from: 0109:0000
    Unreadable area from: 01DC:0000
    Process is stopped at: C000:0000

    3.) Now for the tricky part. I'm not sure if this is how you figure
    out the number of bytes you need but it works fine for me. The
    memory is readable from 00FA:0000 to 0100:0000, so we take
    the number 0100:0000, subtract 00FA:0000 from it, and
    convert the result to decimal. To do this use the Calculator in
    Windows: open the calculator, click View and select
    Programmer. Now punch in 1000000 in Hex mode (the leading zero doesn't
    matter, and the same goes for the other address). Then click subtract and
    punch in FA0000 (of course replacing these addresses with the
    ones in your scan). Now when I hit equals I get the hex number
    60000. To convert this to decimal simply select Dec.
    As you can see I get the number 393216.

    4.) Now in the Memory / EEPROM area put in the number you
    calculated where it says Bytes. Put in the first readable area in
    the Start Address field. Now click Read and it will prompt you to


    Write it down and move on to the next. If you press Ctrl, Alt and
    X and hit OK it will take you to the same address you were just
    at, so what I do is change one of the numbers and then search
    again like so.

    I changed the first pair to 00 so I can continue searching for
    MEID addresses. Continue this process for the rest of this file,
    then you must do steps 3-6 with your second readable area.
    Mine again was 0109:0000 - 01DC:0000. The second readable
    area takes a very long time. My bytes ended up being
    13,828,096.

    7.) The last thing I did was do the entire process again, only I put
    the phone in airplane mode. This may or may not be necessary.

    This same process can also be used to find your ESN locations.
    Just search the same files but put your reversed ESN in the
    search window in WinHex.

    After you open your scan results with WinHex:

    - Do a search for your MEID in reverse, with no spaces. Make
    sure you check the "list search hits" box. It should list the
    locations of the results at the top.

    - There's gonna be an offset number to the left of it; you can
    click on it and it changes, so click it until it shows an offset
    number that contains letters (hex rather than decimal).

    - Open up the Windows calculator and make sure it's in "HEX"
    mode. It usually starts up in "DEC" mode.

    - If you read, let's say, "00FA-0000" in CDMA Workshop, you're
    gonna want to take your offset number and add it to that
    original read location, written with no dash, for example
    00FA0000.

    - You'll come up with a result like this:
    *example* 00FA0000 + 4EDC2C = 148DC2C, which would be
    0x0148DC2C.

    - Just add 0x0 or 0x00 (depending on the length of your result
    number) in front of it so it is 8 hex digits.

    - Do this for all the other locations and there you go, you have
    your addresses.
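    Added example covering both the byte-count arithmetic in step 3 and the offset-to-address arithmetic in the list above (this is not code from the original guide). It parses a scan listing in the format shown in step 2, reports the Bytes and Start Address values to enter for each readable area, reverses an MEID into the byte pattern the WinHex search uses, and turns each hit's offset into the padded 0x address. The scan text is the guide's own; the MEID A0000012345678 and the dump it is planted in are constructed for the example, not read from a phone.

```python
import re

# The guide's own scan listing (step 2); the exact wording CDMA Workshop
# prints is assumed to be what the guide shows.
SAMPLE_SCAN = """\
Scanning memory for readable areas:
Unreadable area from: 0000:0000
Readable area from: 00FA:0000
Unreadable area from: 0100:0000
Readable area from: 0109:0000
Unreadable area from: 01DC:0000
Process is stopped at: C000:0000
"""

_LINE = re.compile(
    r"^(Readable area from|Unreadable area from|Process is stopped at): "
    r"([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})", re.M)


def readable_regions(scan: str) -> list[tuple[int, int]]:
    """(start address, byte count) for each readable area: the Start Address
    and Bytes values the guide has you enter in the Memory / EEPROM read."""
    regions, start = [], None
    for kind, hi, lo in _LINE.findall(scan):
        addr = int(hi + lo, 16)            # "00FA:0000" -> 0x00FA0000
        if kind == "Readable area from":
            start = addr
        elif start is not None:            # an unreadable area or the scan end closes it
            regions.append((start, addr - start))
            start = None
    return regions


def search_pattern(ident_hex: str) -> bytes:
    """Byte-reversed MEID or ESN: what the guide types into the WinHex search
    ('your meid in reverse, with no spaces')."""
    return bytes.fromhex(ident_hex)[::-1]


def find_identifier(dump: bytes, region_start: int, ident_hex: str) -> list[int]:
    """Absolute addresses of every hit of the reversed identifier in a dump
    read from region_start: the guide's 'start address + offset' sum."""
    pat = search_pattern(ident_hex)
    hits, pos = [], dump.find(pat)
    while pos != -1:
        hits.append(region_start + pos)
        pos = dump.find(pat, pos + 1)
    return hits


def fmt_addr(addr: int) -> str:
    """Pad to 8 hex digits with a 0x prefix, e.g. 0x148DC2C -> 0x0148DC2C."""
    return f"0x{addr:08X}"


def sample_dump(ident_hex: str, offsets: tuple[int, ...], size: int = 0x60000) -> bytes:
    """Constructed stand-in for a region read: zeros with the reversed
    identifier planted at the given offsets. Not real phone memory."""
    buf = bytearray(size)
    pat = search_pattern(ident_hex)
    for off in offsets:
        buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    for start, size in readable_regions(SAMPLE_SCAN):
        print(f"Start Address {fmt_addr(start)}  Bytes {size}")
    meid = "A0000012345678"                       # made-up MEID for the example
    first_start = readable_regions(SAMPLE_SCAN)[0][0]
    dump = sample_dump(meid, (0x1234, 0x5000))
    for hit in find_identifier(dump, first_start, meid):
        print("MEID at", fmt_addr(hit))
    print("guide's example:", fmt_addr(0x00FA0000 + 0x4EDC2C))
```

    To use it on a real read, save the region from CDMA Workshop as a raw file, load it as bytes, and call find_identifier with that region's start address; run it once per readable area, since the offsets WinHex shows are relative to the file, not to the phone's memory.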

    Overall it is a very time consuming process, but if you do
    everything correctly it can save you a lot of time as opposed to
    looking up addresses someone else has posted. I have tried in
    the past and people with the same baseband had completely
    different addresses.

    For some phones, you'll have what is referred to as "floaters",
    which are basically the one bastard that won't die in the action
    movie and becomes the worst super villain in the movie's
    history when the sequel comes out. They're fairly simple to find;
    just run the same process again but with your phone in airplane
    mode.

    You should have found 10 MEID locations and 15 or more ESN
    locations. If not, I'm afraid you'll have to repeat this process
    (DUN DUN DUUUUUUN).

    Once you find the locations, zero them out with QXDM. Connect
    your phone to QXDM, press the F4 hotkey once it's opened and
    start inputting the addresses you found and calculated. Look for
    your ESN or MEID and rewrite them as 0s. Once done,
    disconnect your phone, DO NOT POWER DOWN, and remove
    the battery for a couple of seconds, then place it back in and start up.

    Now connect your phone again and open up QXDM. In the
    command bar type "requestnvitemread esn". If done correctly
    it should show all 0s. Then type in "requestnvitemread meid"
    and it should display 0s again. If it does, then give yourself a pat
    on the back because you just saved the town and got rid of that
    super villain before he became a pest. Now would be a good
    time to eat ice cream if you didn't finish it all the first time.

    STEP 2.3 - WRITING THE MEID

    The beauty of the MEID is that the phone calculates the ESN from it
    for you. Open up QXDM again and type in the command bar "requestnvitemwrite
    MEID" followed by 0x(DONOR MEID). For example, if I wanted
    to put in my MEID I'd write "requestnvitemwrite MEID
    0xA0000xxxxxx", just replacing the A0000xxxx number with your
    donor MEID. Remember: the MEID always begins with an "A" and
    is followed by either a 1000xxxxx or 0000xxxxx number.

    Now disconnect your phone, remove the battery and replace it.
    Boot up your phone and navigate to Settings > About
    phone > Status and look to see if your DONOR MEID is in the MEID
    space. You could also check in QXDM with "requestnvitemread
    MEID" and, to be safe, "requestnvitemread ESN" to check whether
    the ESN stuck as well.

    If they both stuck, now is the time to use your best happy
    prospector dance moves because you've just set your new
    phone up with talk and text.
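    Added example (not from the original guide) of what "the MEID calculates the ESN for you" means in practice: under the 3GPP2 MEID rules, the pseudo-ESN is 0x80 followed by the low three bytes of the SHA-1 hash of the MEID's 7 bytes, so you can compute the ESN you expect and compare it with what "requestnvitemread ESN" shows after the write. The MEID in the usage line is a made-up value.

```python
import hashlib


def _strip_0x(hex_str: str) -> str:
    hex_str = hex_str.strip()
    return hex_str[2:] if hex_str[:2].lower() == "0x" else hex_str


def pseudo_esn(meid_hex: str) -> str:
    """Pseudo-ESN derived from an MEID: 0x80 followed by the least significant
    24 bits of SHA-1 over the MEID's 7 bytes (the 3GPP2 pESN rule the phone
    applies when it fills in the ESN from the MEID you wrote)."""
    meid_hex = _strip_0x(meid_hex).upper()
    if len(meid_hex) != 14 or any(c not in "0123456789ABCDEF" for c in meid_hex):
        raise ValueError("an MEID is 14 hex digits, e.g. A0000012345678")
    digest = hashlib.sha1(bytes.fromhex(meid_hex)).digest()
    return "80" + digest[-3:].hex().upper()


def esn_matches_meid(esn_hex: str, meid_hex: str) -> bool:
    """True if the ESN the phone reports is the pESN expected for meid_hex."""
    return _strip_0x(esn_hex).upper().zfill(8) == pseudo_esn(meid_hex)


if __name__ == "__main__":
    meid = "A0000012345678"    # made-up MEID for the example
    print("expected pESN for", meid, "is", pseudo_esn(meid))
```

    If the reported ESN is still all zeros or does not match, the MEID write did not take, which is the same "did it stick" check the guide does by reading both items back.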

    STEP 2.5 - Writing DATA

    Now that we can call our friends to brag about our new badass
    phone and show them how many people we've texted, it's time
    to make them spaz out with 3G capabilities.

    For this you'll need QPST Configuration. Open it up, make
    sure your EVO is connected to QPST, open the Start Clients
    drop-down menu and select Service Programming. This is where
    the magic happens. There'll be two tabs you'll be working with:
    the PPP Config tab and the M.IP tab. Select the M.IP tab, make
    sure to disable or delete profiles 3, 4, 5, and 6, and make sure to
    add a profile 0. Under the profiles write:

    profile:0, enabled:no, nai:, tethered nai:, ha spi:3, aaa spi:2, rev
    tun:no, home:0.0.0.0, primary:dynamic, secondary:not set,
    dmu pub:0, mob auth:

    profile:1, enabled:yes, nai: (DONOR MEID)@mdata.vmobl.com,
    tethered nai:, ha spi:21EF, aaa spi:21EF, rev tun:yes,
    home:0.0.0.0, primary:not set, secondary:not set, dmu pub:0,
    mob auth:
    HA Shared: (change it to "text string" and enter "vmug33k")
    AAA Shared: (change it to "HEX string" and enter the DONOR AAA
    Shared Secret)

    profile:2, enabled:yes, nai: (your MEID)@prov.vmobl.com, tethered
    nai:, ha spi:21EF, aaa spi:21EF, rev tun:yes, home:0.0.0.0,
    primary:not set, secondary:not set, dmu pub:0, mob auth:
    HA Shared: (change it to "text string" and enter "vmug33k")
    AAA Shared: (change it to "HEX string" and enter the DONOR AAA
    Shared Secret)

    And you're done with the M.IP tab. Navigate to the PPP Config
    tab. Under RM and UM don't touch anything, but for AN the user ID is
    [email protected]. Now just write to phone, wait until
    the phone reboots and disconnect it. Now your phone
    should be done! 3G should be dancing around proud at the top
    of your notification bar.

    STEP x.x-MMS FIX (optional)


    If you're content with talk, text, and web, go no further. If you
    do not wish to root your phone, go no further. If you want to
    root your phone and can't live without MMS then this is the
    step you'll want to go through. First you'll want to root your
    EVO, obviously. I'm including the unrEVOked program with this
    guide but you'll have to google how to use it; just make sure to
    install ClockworkMod.

    Now that your phone is rooted and has S-OFF, I've included two
    ROMs that have the MMS patch, CM7 and an Ice Cream
    Sandwich AOKP ROM. CM7 has the MMS patch built in, but for the
    ICS ROM the patch has to be flashed along with the ROM. DISCLAIMER:
    ALL DATA WILL BE ERASED, LIKE PICTURES, MUSIC, APPS, ETC.
    DO A BACKUP ON YOUR COMPUTER BEFORE FLASHING A ROM.

    To flash a ROM, first make sure your phone isn't running
    fastboot: make sure to uncheck it in your settings and power
    down your phone. Connect your EVO to your computer and put
    it in disk drive mode. You can now select either CM7 or
    the Ice Cream Sandwich ROM I included. If flashing CM7, just
    copy the update-cm-7.2.0-4FEB2012-VirginMobile.zip file to
    your SD card's root. If flashing AOKP ICS, copy the
    VM_AOKP_24_PATCHER_EDITFY.zip,
    aokp_supersonic_build-24.zip, and
    gapps-ics-20120215-signed.zip to your SD card's root. Now press
    and hold both the volume down button and the power button
    until a white recovery screen appears. When the screen
    appears wait 15 seconds to allow it to run its programs, then,
    using the volume rocker to scroll up and down, highlight
    "recovery" and use the power button to select it.

    Your phone should display the EVO 4G boot sign for a few
    seconds before booting up ClockworkMod. Now scroll down
    to "wipe dalvik cache" and use power to select it. Now scroll to
    "Yes" and again use the power button to select it. Do the
    same again but this time scroll down to "factory reset/user data".
    Now scroll down to "Install Zip from sd card". Here scroll all the
    way to the bottom; if flashing CM7 select the
    update-cm-7.2.0-4FEB2012-VirginMobile.zip and allow it to
    install. If flashing AOKP, select the
    aokp_supersonic_build-24.zip and flash it, then repeat the same with
    the VM_AOKP_24_PATCHER_EDITFY.zip and
    gapps-ics-20120215-signed.zip. Now navigate back to the menu
    you first came into when you opened ClockworkMod and
    select "reboot device now".

    That's it! You're done and now you should have talk, SMS,
    MMS, and web working plus a nifty little custom ROM.

    I'd like to give thanks to brooksyx, Constrictor25, LeslieAnn, and
    Wienerwad of XDA forums for help with the MMS patch and
    for helping with locating the MEID and ESN locations.

    I hope this tutorial will be of service to many of you. Any
    questions, just contact UncivilSavage of XDA Forums.

    Steve