HTC Detail as a donor phone

So this is how to use an HTC Detail as a donor phone. 90% of this is about the same as any other donor phone, but getting 3G working is not for the faint of heart. Do this at your own risk. Really, if you aren't comfortable with the idea of damaging both your donor phone and your ported phone, this isn't for you. I'm assuming you know your way around CDMA Workshop, Android, and cell towers, since this is a more advanced technique for 3G.

This is all from my memory and notes, but I don't think I left out any steps.

To pull off the needed information from my Detail, I used the following tools:

  • CDMA Workship.
  • Qualcomm's Product Support Tools: QPST and QXDM.
  • A hex editor.

It's not necessarily required, but for reference,** I am using a rooted HTC Detail running Sprint's Gingerbread ROM. I had already unlocked the phone using the MSL code, and that isn't covered in this tutorial.**

Everything but the AAA and HA passwords should work fine on Ting Froyo, but since extracting your 3G keys (HA and AAA passwords) must be done with a memory dump, YMMV. Most importantly, if it works at all, it would be on an unlocked froyo phone. If you don't know what any of that meant, start with a simpler donor phone.

Here's what you do:

  1. Make sure your phone is fully charged.
  2. Dial ##3424# and hit send. Connect your phone to your computer using your USB cable.
  3. Open your Device Manager and find HTC USB Modem. It should be listed as a modem. Double click on the device and open the modem tab. If your device is not showing up as a modem, step 2 didn't work.
  4. In QPST, go to Configuration and make sure the port listed in the modem tab from step 4 is listed. If it isn't, you need to add it and select it.
  5. Open CDMA Workshop and select the port you found and configured in steps 4 and 5. If it connects, you're good so far. If not, you want to retrace steps 2-5 and make sure that QPST is configured to the port your HTC Detail is showing up under.
  6. Click on the main tab and note the following:

Device Information -> MEID

CDMA Settings -> Phone Number ->  MIN

Really, it doesn't hurt to just take a screenshot.
7. This part requires that you've already unlocked your phone using the MSL. Go to the Memory tab and enter an address of 1260:0000 and I set the size to 999999. I actually got to 1260 by just incrementing it from 1000 and seeing what works, since I didn't find any reliable source on what memory is readable. Click on Read and save the file to disk. This may take several minutes. In a hex editor, you want to find your AAA/HA keys.
8. This is by far the sketchiest part.
9. Using the Unix strings command, I pulled all the strings from the file and then filtered for ones that are 32 characters long. From there, I looked for strings immediately preceeding the 32 character strings that are 12 characters long. So to reiterate, I found only one instance, in the binary data, of a 12 character string followed by a Unix newline, then followed by a 32 character string terminated again by a Unix newline. These turned out to be my keys.

So, from here, you have from CDMA workshop your MEID, MDN, and NIN. You have from the memory dump your 3G keys. This should be all you need to get a Sprint phone working on Ting with 3G.

Sorry if that wasn't the best tutorial. I started with a rooted and modified Ting phone, and my method for extracting the AAA and HA keys is less than scientific. But, in terms of pure probability, it's going to be unlikely that your phone's memory is going to have a 12 string and a 32 character string right next to each other delimited by newlines. So that's what you can look for pretty reliably on any phone that's unlocked and storing them in cleartext in memory.

Happy hacking!

0

Comments

1 comment
  • Oh, I forgot to mention. You also need HTC's Diagnostic Drivers installed.

    0
    Comment actions Permalink

Please sign in to leave a comment.