Bringing a Motorola Photon to Ting (need MEID/ESN help)

First off, I know this is "questionable" in some places. If you're not comfortable discussing it in public, my email is burgess AT nightscapetech.com.

 

I picked up a used Sprint Motorola Photon from eBay, the phone still has a good ESN (so I own it outright, and the previous owner has no debts to Sprint). I started populating it with the profile information from my Brio (See this thread: https://help.ting.com/entries/21495371?page=1). I was able to write all the information except for the ESN and the MEID, both of those simply revert back to their original values. Is there any special trick to getting the ESN and MEID to write properly? I have been using the DFS tool, I only have the free version of CDMA Workshop, but I might be willing to pay for it if someone confirms that it works for this, or other Motorola phones.

Comments

  • I haven't played with the Motorola photon personally, but most of the time phones won't let you change the MEID unless it starts out at 0. Use DFS or cdma tool or something like that to 0 out the MEID (or the ESN, either will do). Once it's all zeros, then you can typically write the MEID that you want.

     

    Just FYI, writing different MEIDs onto phones is not a crime or felony or any of that nonsense if there is no intention to fraud. All those that react all crazy to that are just making a fuss out of nothing.

  • Thanks Ryan. I tried zeroing out the ESN, and it still didn't work, but I only tried that once. I was able to zero out the MSL easy enough. The phone is easily rootable, know of any methods using a rooted phone? The ESN has to be accessible somewhere. Should I have the phone on the diagnostic menu or something?

     

    I agree with you on the legality of changing ESNs, once you actually read the law, it is quite obviously directed at people that clone ESNs, so they can eavesdrop, make "free" calls, or get out of paying their debts to their carrier. I just didn't want to start up a conversation about that.

  • I could be completely wrong so don't take my answer as final. I was under the impression that it's almost impossible to change ESNs in Motorola Phones using QPST or CDMA Workshop. Motorola disables the ability to write the ESN/MEID bytes.

  • Juan - That's what it looks like. I swear I saw a way to change it prior to purchasing the Photon. I might have to just break down and buy a different phone.

  • Just wanted to update in case anyone else is considering a Photon. I was able to get it to work by using DFS to search for the old ESN and MEID numbers in memory, and then overwrite them. However, the changes do not survive a reboot. You can find some scripts online that can be configured to run at boot time, and will overwrite the memory locations every time the phone boots, but it's a sketchy hack at best. The phone is just locked down too hard right now.

  • Which version of DFS did you use?

  • 4.0.0.4

  • Any updates on this one? I would be interested in this as well.

  • No more updates from me. This was to be my primary phone, so I had to sell it and buy a Nexus S.

     

    It's really too bad, the Photon is a really nice phone. Maybe once I get the Nexus working, I'll pick up a cheap Photon to test again. One thing I did notice, for future hackers, is that this phone supports a full restore. I was able to restore all the settings (including the ESN, MEID, MDN, AAA & HA passwords, etc.) with a button press. So somewhere in the memory of that phone is a full backup of all the profile info. That might be where the phone is pulling the ESN and MEID from at boot time. If you could find a way to edit those memory locations, you might be able to get around the problem. I also have a copy of the ESN/MEID rewriting scripts (they were rather difficult to find), if anyone wants to try them.

  • Joshua, is there any way you can email (flute-29 at hotmail) me the rewriting scripts and some instructions on how to edit the ESN for the Photon? Thank you

  • @Joshua:

    Like I said, I do not have a Motorola device. . . and based on my research, CDMA Workshop does not appear to work on it

    While Googling "Changing Motorola ESN", I came across this interesting article:

    Look at Post #21 here:  

    http://www.howardforums.com/showthread.php/1729468-Droid-X-(and-other-moto-droids)-ESN-and-MEID-correction-repair-SOLVED/page2

    Maybe you already tried this.

    Your thoughts? 

  • @Joe Mendez - Yes, that is the tutorial that I followed. Unfortunately the United States Department of Immigration and Customs Enforcement has shut down all of the file hosting sites that were hosting the script they used. It's a neat hack, the script runs at boot time and overwrites all the ESN memory locations with the ESN you specify. I never went that far with it, since it was easier for me to just resell the phone and buy a new one.

     

    @Muralidhar I will email you the script as soon as I can pry it out of my NAS. You might be able to find a link to it in the thread that Joe posted. What I did was follow the instructions on this page:  http://cdmagurus.com/break-room/break-rooms/cdma-flashing-basics/4641-basics-efficient-readable-memory-scanning-dumping-scratch.html#axzz23xKPnawk to locate all the readable memory locations, and dump them to my computer. I then used a hex editor to search for the ESN and MEID values. I ended up with a list of 7 or 8 ESN/MEID locations. I then used QPST to overwrite those locations with the new ESN and MEID (the instructions for this are on the page that Joe linked to). This seemed to work until I restarted the phone. The script that I have, and that Joe Mendez linked to, is designed to run when your phone first turns on 

  • The script that I have, and that Joe Mendez linked to, is designed to run when your phone first turns on....and overwrite all the ESN/MEID values with the ones you specify.

    That is what the last sentence should have said.

  • @Joshua,

    Thanks so much for sharing your Motorola knowledge with the Ting community!

    It is fascinating to me how each vendor chooses to lock their devices down (ESN/MEID, Root, MSL, etc. . . )

    For the time being, I will make sure I stay away from Motorola as a target phone when using a Ting donor phone.

  • I also meant to tell you that I purchased and used CDMA Workshop to pull the Profile-0 and Profile-1 info from the M370 and to the Evo.

    I also used CDMA to change HTC Evo 4G ESN and MEID several times (back and forth between Evo old and new ESN/MEID).

    All without any problems whatsoever.

    Good luck with your next target phone! 

  • @ Joe - I am actually using a Nexus S 4g now. It ported to Ting quite easily, I'm just missing 3g since I used the Brio as a donor.

  • Ok, I finally beat my NAS into submission (isn't it awesome when a hard drive disappears from a RAID array?).

    Muralidhar Kondapaneni - I have now emailed you a zip file containing the scripts and the readme file. I also uploaded the ReadMe file to my Google Drive, in case anyone wanted to look at it:

    https://docs.google.com/document/d/1guGqrFKndbdX-jK1opSGFq1wSVqOiYDChEJSvGF1nAU/edit

