Samsung M370 (Donor Phone) - Getting the AAA Shared and HA Shared Passwords

*Credits:*

- None of this would be possible without the shared knowledge of others in Ting threads who have paved the way with other donor phones!

- Joey Scotti for his support, patience and persistence!

**Things to know before you start:**

  • Donor Phone:  Samsung SPH-M370
  • Software:  QXDM (used for reading the elusive HA and AAA Shared Passwords)
  • Software:  Data Pilot v520 trial software  http://www.tucows.com/preview/421541

 

===== Getting the info from the M370 (donor phone): =====

Connect your PC to your M370:

1)     Install the Data Pilot software which will provide the drivers for the M370

2)     Connect your phone.  Your laptop should recognize the M370 and install the drivers

 

Profile-0 (3G data):  Getting HA + AAA Shared Passwords:

1)     Connect the M370 to QXDM

2)     Select Command Output from the View drop down list

3)     In the Command box, type spc <your-MSL-here>  (without the “<” and “>” signs).  Example:  spc 123456

4)     Press Enter

5)     In the Command box, type Password 01f2030f5f678ff9 

6)     Press Enter

7)     In the Command box, type Requestnvitemread ds_mip_ss_user_prof 0 for Profile-0 which is your 3G data connection

8)     Press Enter

9)     To find the “HA Shared Password” for Profile-0:  Skip past the green text (as seen in the attached image in the word doc) and look for the purple/blue text for your passwords.  Look for mn_ha_shared_secret [0] thru [5].  In the example in the attached image, the hex password 736563726474 translates to ‘secret’ when converted to ASCII.  If you are curious and want to convert Hex to ASCII, you can use this site:  http://www.dolcevie.com/js/converter.html

10)  To find the “AAA Shared Password” for Profile-0:  Skip past the green text (attached image in doc) and look for the purple/blue text for your passwords.  Look for mn_aaa_shared_secret [0] thru [15]. 

   

Profile-1 (1x data):  Getting HA + AAA Shared Passwords:

11)  Repeat steps 7 thru 10 above, except that you will look for the Profile-1 (1x data) passwords by using the “Requestnvitemread ds_mip_ss_user_prof 1” command.

===== Sprint Evo 4G as the Target Phone ===== 

I was able to clone the M370 to my Sprint Evo 4G and now have the following:

- Calling

- Texting

- 1x Data Connection (initially until I found the Profile-0 passwords for 3G data connection)

- 3G Data Connection 

I used CDMA Workshop to transfer the settings from the M370 to the Evo as follows:

1) Import the NAM1 profile from the M370

2) Import the NAM2 profile from the M370

3) Set the Profile-0 HA Shared Password

4) Set the Profile-0 AAA Shared Password

5) Set the Profile-1 HA Shared Password

6) Set the Profile-0 AAA Shared Password

7) Set the ESN

8) Set the MEID

Enjoy!

Note: While I did use CDMA Workshop, others have also been successful with QPST and QXDM software which are both free. 

I am now a new Ting customer enjoying the  service and $aving$!

If you need clarification on any of the above steps. . . or find mistakes, please let me know.

I will update/fix the post.

Thanks, Joe . . . 

===== How to add MMS -- [Contributed by Joey on 8/8/2012] =====

To get MMS (picture messages), you have to change the MMSC URL on the target phone. Ting uses the URL:  http://mms.plspictures.com for their MMS service, which differs from the sprintpcs URL that is pre-programmed on Sprint Android phones. I was told by Ting support today that in order to activate your MMS account, you have to send an MMS on your donor phone first, before being able to use it on your target phone. Then, on the target phone, you have to change the MMSC URL. I say to do this on your donor phone first for good measure, as that is an unmodified Ting phone so the instructions Ting gave me should definitely work on the donor phone. I am trying this today on my lunch break and will report back if it is successful.

Step 1: send an MMS message on your donor phone to activate your MMS account. If the message is not sent successfully, you need to make sure your Ting phone has the correct MMSC URL to begin with as well. Ting support can tell you how to get into the settings to change this, but I'm told the Vero at least is ##3282# (##DATA#).

Step 2:

  • HTC Androids: dial ##DATA#, go to edit mode, type in your MSL for the target phone (I set mine to 000000 when I unlock my Androids). Then scroll to MMSC URL and enter http://mms.plspictures.com. Might have to hit menu to save changes, I don't remember.
  • Samsung Androids: dial *#*#DATA#*#*, go to edit mode, type in your MSL, go to 'Others', and change the MMSC URL to http://mms.plspictures.com. I believe changes are committed instantly.

Step 3:  you may have to reboot. Try sending an MMS from your target phone to a friend to test. Hopefully others can report if these instructions are successful or not.


Comments

52 comments
  • Great job Joe. I believe you're the first to report success with the M370 as a donor phone. It looks like the phone is pretty much entirely unlocked too, which means that basically any program can pull the AAA keys off the phone. Awesome!

  • Thanks!

    Yes, it took me a few days to figure it out.  At several points, I was doubtful that this basic phone had "3G" passwords.

    But once I found them and connected to "3G" with the correct Profile-0 passwords, it was very exciting to finally have 3G connectivity.

  • Ryan - Joe was unable to pull the HA/AAA passwords using CDMA Workshop, DFS, or even QPST, so they seem to be somewhat hidden, but at least sending the commands listed above reports them! Good find, Joe!

     

    Joe - you may want to add that to get MMS (picture messages), you have to change the MMSC URL on the target phone. Ting uses the URL: http://mms.plspictures.com for their MMS service, which differs from the sprintpcs URL that is pre-programmed on Sprint Android phones. I was told by Ting support today that in order to activate your MMS account, you have to send an MMS on your donor phone first, before being able to use it on your target phone. Then, on the target phone, you have to change the MMSC URL. I say to do this on your donor phone first for good measure, as that is an unmodified Ting phone so the instructions Ting gave me should definitely work on the donor phone. I am trying this today on my lunch break and will report back if it is successful.

     

    Step 1: send an MMS message on your donor phone to activate your MMS account. If the message is not sent successfully, you need to make sure your Ting phone has the correct MMSC URL to begin with as well. Ting support can tell you how to get into the settings to change this, but I'm told the Vero at least is ##3282# (##DATA#).

    Step 2:

    • HTC Androids: dial ##DATA#, go to edit mode, type in your MSL for the target phone (I set mine to 000000 when I unlock my Androids). Then scroll to MMSC URL and enter http://mms.plspictures.com. Might have to hit menu to save changes, I don't remember.
    • Samsung Androids: dial *#*#DATA#*#*, go to edit mode, type in your MSL, go to 'Others', and change the MMSC URL to http://mms.plspictures.com. I believe changes are committed instantly.

    Step 3: you may have to reboot. Try sending an MMS from your target phone to a friend to test. Hopefully others can report if these instructions are successful or not.

  • Was your copy of CDMA workshop purchased or were you able to do this with the trial version?  I'm still on the hunt for a decent price on a sprint Gnex, once I find out I plan on getting a donor phone from Ting and flashing it to the Gnex.

  • Sagi - you can do the above with DFS, which is free. It may not be as user-friendly as the new, paid version of CDMA WS, but it is full-featured.

  • Joey, ah right.  Thanks for the reminder, I'll certainly do that instead.  I think I saw some directions on the brio donor thread about using DFS.  I haven't decided which to use for a donor, brio or m370.  Sounds like the m370 is the way to go though.  I hope you have success with the MMS issue and thanks very much for taking the time to do this and post clear instructions.  Here's hoping to my finally having a Gnex on Ting :-)

    How are your 3G download speeds?  300-500kps?

  • I would absolutely recommend the M370 as Joe did all the hard work figuring it out. Mine is on the FedEx truck today - I will post later tonight here once I get everything working. As far as I know, only one person with the Kyocera Brio donor claims to have 3G while a whole group doesn't. I wouldn't take that risk. Maybe hold off on ordering until I confirm I can get it working on my Samsung Nexus S tonight. That way we will have two independent reports of the M370 as a donor on an HTC and a Samsung phone, as well as two different methods to write the data (CDMA WS vs DFS & QPST).

  • Am I correct in presuming that even if my Gnex has a bad ESN; the sprint network will perceive the flashed Gnex as the donor phone and there should be no long term surprises of the flashed Gnex being flagged whilst on Ting?  I've never used a flashed device with a bad ESN but I keep hearing it's no big deal and not to worry about it.

  • You overwrite the bad ESN with the good ESN from Ting. The bad ESN will never get used on the Sprint/Ting network. I bought two bad ESN Nexus S phones on eBay to use on Ting after buying my Ting donors. One up and running, one to go!

  • Thanks Joey; I'll document my experiences as well.  Only thing I'm not clear of at this point is what happens to the flash if I want to put android 4.1 on the Gnex?  Will the flash hold since I presume all of this flashing is to the modem firmware?  I'm thinking it may be best to settle the Gnex software as I want it to be, make a backup image of the phone then do the flashing with DFS.

    Currently, I have an Epic 4G touch on Ting.  Do you think I should activate it by porting the number to the donor phone first and then do the flashing?  That seems to make the most sense to me.  I may have to carry around two devices for a short time, but that is ok.  Tis all in the interest of education!

  • I am happy to report mms now works! I turned on my Vero, sent an MMS to myself successfully, then I was able to send and receive on my Nexus S. Oddly enough, I tried this same method to 'activate my account on the mms network' a few weeks ago, but sending the message failed at 99% every time I tried. Also of note, I flashed Cyanogenmod10 last night (Android 4.1.1 Jelly Bean), and updated my mmsc url through the *#*#DATA#*#* method above. No idea why none of this worked for the past month, but I'm glad it does now!

     

    Sagi - I just answered your question and you are correct. The carrier settings get saved to the firmware, not the operating system (with the exception of the MMSC url in an Android APN file, maybe?) That's exactly what I did as well before flashing the Jelly Bean rom - I made a nand backup. That's a beast of a phone you have there. Yes, port the number to the donor phone first and activate the donor, then send yourself a test mms, and when your Ting account is all setup, then you can flash. This took my Ting account under 24 hours. Maybe even under 12 hours, but I went to sleep and tried again in the morning.

  • Thanks for the confirmation Joey.  To anyone wondering:

    Android devices have three things you can flash separately (or as a package).  The ROM, the modem firmware and the kernel.  All the flashing of donor phones we're discussing is happening to the modem firmware.  In theory the ROM shouldn't matter (the flashing of the rom won't undo the flashing of the donor phone to the main phone) but if it's a custom rom based on an unofficial build, there may be some things about the kernel/rom that may not call properly to the modem or work well with the flash.  Can't really know that without 1st hand experience.

    Yeah it is a beast of a phone.  I had a Gnex on a GSM carrier and miss the phone quite a bit.  The screen rez on the EP4GT bothers me as does the little tricks one must do to maintain usage of a tighter rez on the device.  I've liked it so much I'm still considering going back to tmobile and use their monthly 4g plan so I can use an unlocked GSM Gnex.  I dunno, I'm awfully fond of Ting's business model and I swore I wasn't going to spend another dime on another android phone (I'm looking at you S3) unless it was a nexus.  I'm tired of dealing with the carriers and their trundling updates; Google's position on CDMA devices and their refusal to allow Ting to carry the Gnex is disappointing as well.

    Perhaps one day Ting will be able to get in on some GSM.  It really does make things much easier for the customer; I have no idea how or why CDMA became such the phenom that it has in America.

     

  • GSM sure is easier moving devices around, but nothing beats the Sprint MVNO deals. I saw a great article about the rise of the Sprint MVNOs; I think it's in Ting's press section as they're named in it. The GSM prepaids that use AT&T's MVNO are a ripoff compared to all the Sprint MVNOs.

    And don't hope for a fast update even if you get a CDMA Nexus, because it still has to go through Sprint first. Google can send out the GSM updates themselves since it's a worldwide standard, but Sprint has absolutely no info on the Galaxy Nexus update, let alone the older Nexus S. Last night I bit the bullet and installed an 'experimental' build of CyanogenMod10 on my Nexus S. Don't know why it's experimental when EVERYTHING works fine, and it includes the official hardware binaries released by Google last week. I'm guessing there will be a similar CM10 rom for the Sprint Galaxy Nexus as well soon, if not already. I really recommend ditching that Samsung skin on your GSII and installing an AOSP rom like CyanogenMod. There are so many added features and customizations it's crazy.

  • Joey:  Did you flash your Nexus s with a similar method as outlined here?:   https://help.ting.com/entries/21760313-galaxy-nexus-working-in-ting-brio-donor

    Sounds like he used a program called ETS to flash the info onto his Gnex.  I presume you used DFS to do that on your nexus s.  I'm sure it'll be more clear once I have the phones in hand and start the process.

  • I'm not sure what ETS is. I used DFS and QPST as outlined in this guide: https://help.ting.com/entries/21256192-nexus-s-on-ting-working

  • Joe - I followed your instructions to get the HA / AAA passwords and I have my Nexus S up and running from the M370 on 3G, 1X, calls, and texts.

     

    Some interesting findings - while it initially looked like DFS couldn't read the HA / AAA passwords at all, I clicked all the NAM1 - NAM5 profiles from the drop down list, clicking the 'read' button on each page, and then went back to the M.IP page and clicked read, and the passwords appeared. But, I also sent the password 01f2030f5f678ff9 to DFS, which may have helped read those items?

     

    After manually entering in all my info - the SPC, ESN, MEID, MDN, the NAM1 and NAM2 settings, the data HDR AN Long UID, and the HA/AAA passwords and IP addresses on the M.IP tab for both data profile 0 (3g) and profile 1 (1x), I rebooted my phone and found calls, texts, and 1x were working. Not 3G. I was sure I typed in the passwords correctly, so I went back into DFS and my hunch was correct: the 'active profile' setting was on 1. I changed it to 0 for 3G, and 3G kicked on without even having to reboot the phone.

  • @Joey:  Congratulations!

    So good to hear others also having success with the trusty M370.

    I had tried many times to get the AAA and HA passwords.  Every time I tried, I got all zeros in the Hex characters for the AAA/HA passwords.

    However, once I entered the "password 01f2030f5f678ff9" as specified at the top of this thread, I was able to see the passwords in Hex!

  • Ok, begging for help!!!  Second day of head banging and I still cannot get the Evo to connect to cdma (full newly purchased edition).  M370 connects just fine.  I have tried deleting and installing several different drivers with no luck. Nothing more on Google I can find to try.  Evo 4g is rooted running Myn's WarmTwoPointThree. I have both Msl codes. If you can help I can also be reached holsch2010@gmail.com.  Thanks!

  • Did you put it in DIAG mode before connecting to your computer?

  • Sorry, should have stated that, Yes, and tried every combination I could think of.  Seems that I have read the phone needs to be recognized as a modem???

  • You said you have an Evo 4G, but my search for your ROM shows Evo 3D. If ##DIAG# doesn't work, you need to go back to a stock ROM as far as I know.

  • (but once you're up and running on Ting, you can flash back a custom rom. just make a nand backup of the stock rom in case you need to access anything at the firmware level again for switching carriers)

  • @Rob:

    Joey S is correct.  The non-stock roms do not natively support DIAG mode.

    However, there are scripts that you can run without having to go back to stock.  I know they work because I used them to go into DIAG mode on a Cyanogen Mod ROM.

    I will post the instructions shortly.  So, hang on. 

  • @Rob:

    Found it!  Here is the website.

    Here are the steps:

    1) Boot to recovery and flash the zip file "signed-diagscripts.zip"  (this only needs to be done once)

    2) After flashing, boot back into Android.

    3) Open the "GScript Lite" app

    4) Select the "diag_on" script. Make sure you allow SuperUser permissions!

    After this, the CDMA WS will see your Evo.  Just have your MSL handy.

    After you are all done, you can turn off DIAG mode by executing the "diag_off" script.

    It works really well.  Let me know if any other questions.

  • @Rob:

    You won't regret getting CDMA WS, it makes it really easy.

    Here are some lessons learned:

    BEFORE you copy or clone any info:

    1) Make a back up of the original M370 Profile-0 and Profile-1 settings

    2) Make a back up of the original Evo 4G Profile-0 and Profile-1 settings 

    3) If you want to you can also save off the Evo 4G AAA/HA Shared Passwords.

    CDMA WS makes it really easy to bounce back and forth between the old and new info.

  • @Rob:

    Sorry, forgot to include the link to the  "signed-diagscripts.zip":

    http://forum.xda-developers.com/showthread.php?t=1060184 

  • Thanks for the info, this worked for me!

  • Just FYI, I was a little skeptical that pulling this information was not possible with DFS since QXDM makes the same serial calls.

    I tested this with an M370. DFS works just fine and has far fewer steps than QXDM. It is my recommended tool for pulling profile information from the M370 since it is quite a bit easier to use than QXDM.

  • @Ryan,

    Thanks for sharing your findings!

    If you don't mind sharing your steps using DFS, I can update the first post for the benefit of others.

    Cheers! 

  • Does anybody know anything about differing quality of waterproof  cases?? I am looking into Body Glove because they are cheap and seem pretty legit- would love to get a second-opinion!

    Here is a link to their cases if you want to check ‘em out and let me know- thanks!  

    www.bodyglovemobile.com
