Samsung Galaxy S3 ESN Swap (from LG Optimus S)

I've (mostly) swapped an LG Optimus S (refurbished) donor phone over to my Sprint Galaxy S3.  However, I'm having some odd behavior with the 3G data.  I'm hoping someone can help me out!  Once I get the kinks worked out, I'd be happy to write up a step-by-step document as I'm guessing there are others who aren't patient enough for the BYOD to get here ;)

My problem:

I've got the Galaxy S3 up and running with the ESN and calling, texting, and data (both 1X and 3G).  However, it seems like my 3G connection doesn't work on certain towers.  When I'm at home (on an Airave still active directly through Sprint) it works fine on 3G (wifi disconnected of course).  In other areas on Sprint towers it works fine with 3G.  However, certain towers show full coverage and "Sprint" (i.e. not roaming) coverage, but my data connection fails with an authentication related error.

What I've done for the ESN swap:

1) Installed DFS (latest version of their freeware package)

2) Installed appropriate Samsung drivers (from Samsung site)

3) Installed appropriate LG drivers (from LG site)

4) Achieved connectivity to both phones through DFS

5) Located the SPC a.k.a. MSL for both phones (Ting was awesome, Sprint was a challenge as the phone wasn't on my account, but I got it)

6) Located the device PWD for each phone

7) Read settings for each phone and archived (screenshots in a Word doc)

8) Copied settings from my LG phone to the S3 (ESN&MEID, MDN, MSID, data profile username, HA IP's, and PRL)

9) *DID NOT* copy the AAA or HA keys from the LG Optimus or overwrite the AAA/HA keys on the S3

10) Performed an activation on the S3 by entering "##72786#"

This resulted in the phone getting updated programming information (from what I understand) and resulted in me having working phone and data.  However, as I mentioned above, my 3G still doesn't work on certain towers.  Does anyone know if the AAA / HA keys get provisioned when you do the "Activate" action?  I'm curious whether that's my problem, or whether it's something else.  I'd also love to know if it's imperative that I keep the old AAA / HA settings from the S3 (with original ESN) for use if I want to use the original ESN to activate it (and bring my donor Optimus S back to life) once Ting gets BYOD off the ground.


Comments

64 comments
  • Thanks for the reply, Peter. Now that you have access to the Ting Army wikis, are you confident that everything you did in the original post can be undone? If so, I'll likely see if I can replicate your procedure this weekend. I'd like to start using this S3 as an actual phone as long as I'm not shooting myself in the foot.

  • I am confident of the ESN swap and other programming details (minus the AAA/HA keys), and I believe they can be undone.  I can't validate that I didn't screw up the AAA/HA keys of course as I can't read them, but I made sure not to click write on that screen in DFS.  You're certainly taking a risk if you can't save off your AAA/HA keys.  I hope I didn't mess mine up, but I won't know until I try to officially BYOD it.

    I've heard there's a way for Sprint to recreate them (the AAA is actually the one that's hard to replace, I believe the HA key is the same for all phones), but I'm not sure if Ting can get them to do it.

    I believe there is a way to read the keys from the Samsung using QPST or QXDM, but I wasn't making quick progress and gave up for now.

  • Just to chime in here, you aren't stuck if you overwrite/scrap your AAA/HA keys without backing them up. These CDMA phones have a way to reset the programming back to their original settings. You'll almost certainly need to be on the stock OS to get that to work. The method varies from phone to phone, but Sprint usually has the key on how (Ting Support can help). In some cases, it's as simple as doing an update profile. Some other phones have a hidden programming reset, and other phones require a full factory reset or similar to get those settings restored.

    That being said, if you can read them via a CDMA programming tool, life would always be easier, but I wouldn't give up hope if you can't.

  • Ryan: I'm familiar with the ##72786# reset method.  However, this doesn't reset my ESN and it also doesn't cause my S3 to generate valid AAA/HA keys.  Unfortunately I can't figure out whether it does reset the AAA/HA keys.  I've also read that for some people on the Optimus S (or perhaps the V) it was possible to get the AAA key erased due to ROM related modifications, and they were unable to reset the AAA key at that point.  Do you have any details on how to reset it?

    One thing I've come across also is that one profile (e.g. Profile #1) is used for doing the initial programming to set up the real profile (e.g. Profile #2).  My S3 looked that way.  I wonder if messing with Profile #1 could kill your capability to recreate Profile #2?

  • Al/Luke: To get the galaxy s3 ha/aaa keys you have to downgrade the modem on the phone to an older version. I can't remember which off the top of my head, but I'm fairly certain that the launch modem flashed with ODIN will resolve that issue.

    Peter/Ryan: While the ##72786# reset *does* reset info like MSID/MDN, I've found that the only reset that is fully reliable in getting a phone back to stock settings/fix errors with data profiles (mind you, I've only done this in a retail/service environment, not with anything flashed... so I doubt it would reset ESN/MEID/counters...) is a ##786# reset, which requires an msl. Generally it's a last resort in a service environment, but with some phones such as the Evo 4G LTE for Sprint (which has a bug where the data profile information gets corrupted and crashes EPST, was very annoying to figure out), it's the only solution short of replacement. I would assume that the AAA key would be regenerated from that type of reset, but I'm not entirely certain. As for the HA key, it's generally the same across the same carrier/mvno. Off the top of my head I can only remember virgin mobile's, which is 766D756733336B/vmug33k, and sprint's, which is 736563726574.

    ps

    try converting the sprint ha key to text... ;)

  • Oh! Sorry to double post, but I just thought of something. If anyone who reads this thread has 1x or 3g, if you could go into your dialer and dial ##33284#, and then enter 777468, and then tap on EVDO Engineering Protocol... what is your AN-AAA status? I assume that those of you who are stuck on 1x are having an aaa auth failure, however I could be wrong, but this would perhaps allow us to narrow down the possibilities.

     

    As for me being dumb, I reread the original post. OP, your auth failure is most likely related to this. You'll need to grab the aaa key out of your optimus I believe, I can help you if you need it. If you're worried about backing up your aaa key on the s3, see my post above. Good luck!

  • Justis: Thanks for the great info!  I was aware of the Sprint HA key, hilarious!  If it's going to be the same for everyone, it's not really a secret... My problem is indeed that I'm concerned about losing my AAA key from my S3.  I still haven't been able to read it, but haven't tried downgrading the modem.  Would DFS read it at that point, or would it still require QPST?  I've done the ##786# reset on my wife's temporary phone (LG Marquee) so I'm familiar with it, but I didn't know if it had any relation to the AAA key.  On that phone, it reset the network settings and did a factory reset.  I assumed it was a ##72786# combined with a factory reset of the OS.

    I wish there was a way to be certain about the AAA key being regenerated :)  I don't want to risk it with my S3 as I'm still hoping Sprint makes LTE devices BYODable (so we can stop jumping through these hoops).  I do have the AAA key from my Optimus S though, so I could... is there any way to be certain that I can get the AAA key back?

    Thanks for the debug menu.  My EVDO is inactive, but that's likely because I'm on an older Airave that only supports 1X.  I'll try tomorrow.

  • No problem! I'm happy to help. The whole process of... MVNO transfer... is often times horribly documented and filled with false information, and it's great to see a community trying to organize and resolve that.

    I haven't really tried (I'm not worried about losing the AAA key, I'll figure something out if I ever change my mind), but what I found in my research was this: "One way to get AAA key from GS3 is to downgrade the radio to LG2. Then use QPST'S EFS Explorer to copy NV Item 1192 from GS3 to your PC. Use HxD Hex Editor to view content of file."

    It seems so, however, at least with the EVO 4G LTE (I would assume it'd be the same across most Sprint handsets, though) it also reset the <##msl#>

    I wouldn't be surprised if Sprint did do that... they've made serious progress with the freedoms their MVNOs are allowed (Republic Wireless and Ting for example!), but I don't know if it would happen anytime soon. If you're uncertain though, I wouldn't risk it. If I get some free time, I'll take a look at experimenting with a phone. I assume if I take an active phone, change the AAA key so that data no longer works, and then attempt a ##786# reset, and after provisioning, data works... well, I'll have to get my hands on a device that's not being used first.

  • I appreciate it!  Do you know if Sprint would be helpful with recreating the AAA key if I did lose it and it wasn't possible to recreate with a ##786#?  Ryan mentioned that it should be possible, but I haven't heard a definite "I've done this" from anyone.  I don't want to permanently lose the option of LTE on my phone, that's my main concern.  I can deal with my Optimus S being unusable if it comes to that.

    I did try the QPST explorer, but couldn't read much of anything from those NV items (they were empty I believe, and some were unreadable).  I didn't try the modem downgrade though, where would I find the old modem?

  • Well... it really, really, depends. I may have information that is of use to you, that I'm not comfortable posting publicly... friend request sent! (Justis Soselo). Hopefully I sent the right Peter Porter a request :P

    As for the radio, are you familiar with ODIN? If not, I can give you a brief run down. But otherwise, just flash this modem and it should work.  http://www.mediafire.com/?ve8ed01rpfr328w Link of thread with more info: http://forum.xda-developers.com/showthread.php?t=1787677

    Note: that *might* reset some of the other settings, I can't remember off the top of my head... but you should be able to rewrite everything from the optimus just fine.

  • Hey guys! I've been in the same boat as you all with the Optimus S, and GS3. Sadly I went down the path of attempting to write my GS3 AAA/HA keys without a backup. I've finished the donor pairing but 3G.. well it's not 3G. It's 1x clearly (regardless what the icon says).

    Now, as a tangent, I have other devices. I had a GS1 (Epic4G) cloning a TouchPro2 when I was still with sprint (circumventing the SERO limitations at the time). So, that phone during the reflashing process also lost its original AAA/HA keys. Well I tried activating it on Ting and was having major provisioning issues and 3G issues (4G WiMax worked though). After talking to a rep and going through countless tries we finally came to the ##72786#. That didn't do much though. As a last resort, he suggested the ##786# method. Having nothing to lose, I tried it. BAM! 3G and provisioning worked! Now, I just did this about an hour ago, so I still need to go in and confirm the AAA has been regenerated, but from a user perspective, it's working.

     

    This gives me high hopes that the GS3 can also generate the AAA as well. My current hope - because the Optimus S is such a pain to work with, is to now use the Epic4G as the donor device. Strangely and unrelated, the Epic4G gets WiMax here, so I'd actually be losing "4G" by using it as a donor and not being able to use LTE.. go figure...   Anyways I'll keep you guys posted, I'll even try changing my Epic's AAA and resetting it again to confirm it is regenerated.

  • Thanks for the comment, Tim! I was hopeful that reset would resolve it, as far as I know it should regenerate everything like that. If you want to get 3g, I can hopefully help... Try going to ##debug# in the dialer, entering 777468, and then clicking evdo engineering protocol. What is the an-aaa status? That might be simpler than starting over with the epic... However, if you've already started with that, don't mind me :-)

    Also, with the s3 and stock touch wiz, AFAIK there is only a 3g indicator. Roms like freegs3 sometimes add one for 1x.

  • Wow, thanks Justis!

    Okay so I'm in that menu - also what's up with the 777468 unlock code, where'd that come from. I was trying to get into that menu earlier, after it wouldn't accept the MSL I gave up. 

    AN-AAA: FAIL

    Sounds like it's broken...

  • 777468, if mapped out in t9, is "SPRINT" ;-)
    Definitely broken, but not beyond repair. Basically 1x is transmitting fine, but 3g (which is dependent on the proper AAA key) isn't, because of that key or username. I would double check in dfs or whatever you use that the username and key are accurate... If necessary, try flipping to hex instead of Dec, or vice versa. That was actually the issue that I ran into, silly enough! Since I made sure I was using the proper format I haven't experienced any issues whatsoever.

  • Justis - Thanks for the info. I'm guessing I probably forgot about the AAA/HA keys when I cloned it. I'm having a hard time being able to write back to them. Long story short, I ended up going with the TP2 as the donor simply because it's so easy to get all the AAA/HA keys from it. I've downgraded to GL2 on the GS3. I've tried DFS, and though it says it writes, when I try to read them back it fails. I do the same with CDMAWS, says I wrote, but still can't read back. I tried QPST 2.7 b378 (Roaming List Could not be read), it doesn't really even want to connect. Seems these keys are the hardest part of this whole process. 

    Not sure where to go now.

  • Scratch that! I was able to get them using QPST (version listed above) - simply had to use the EFS Explorer. Seems the 1192 was written fine as it shows the same value that the TP2 does, sadly data still isn't working, not even 1x this time. Back to the drawing board.

  • Generally the s3 can't read back unless you're on a certain radio (LG2), however you don't really need to worry about reading back - it'll still write. But it seems you've beaten that! The trickiest part is making sure the profile is right: on my s3, updating profile does nothing and throws back a connection error, however manually entering it works fine... what I've noticed is that, with some versions of dfs/possibly other software, the profiles get disabled, thus preventing any mobile data whatsoever... make sure profile 0 and 1 (I think... double check on your donor) are activated. Also, do a side by side comparison with screenshots of your donor, just to be sure.

  • Just wanted to update, as you mentioned, DFS wasn't showing/reading the profile information back, but it was being written. I have it fully operational now. Finally where it should be again. I can use QPST to confirm the data is written.

  • Now that Ting allows bringing over Sprint LTE phones, has anyone tried porting your SGS3 that you had previously ported using a donor phone?
    Like many of you, I don't think I was able to save the original SGS3 AAA key before overwriting it with the donor's. I'm guessing without the original AAA key, it can't be done...

  • I just did yesterday - here's what I had to do:

    1. Return to stock rom (I was running Cyanogen)

    2. reprogram the original MEID

    3. Boot and perform a ##768# to return to stock and regenerate the AAA keys

    4. Boot again and test activation (everything worked)

    5. Enjoy!

  • Oops meant ##786# sorry.

  • I will add this, I haven't tested LTE because I don't live in an LTE area, but can get to one this weekend and will test it out as well. Otherwise everything else worked perfect. I confirmed the ##786# reset works on other Samsung devices as well (Epic4G).

  • Tim, that's great to hear! Can you get true 3G at least? That I think would be enough to confirm that the AAA key works.

  • Also, can you keep the Ting number or do you have to get a new one?

  • Heh, the question of "true" 3G is questionable, but yes 3G is working. (3G is horrible in my area, that's why I jest). You can also port a number or keep your Ting number. If you want to keep your Ting number, go ahead and Activate the device with whatever new number and give Ting a call, it's a 2 minute process to get the old Ting number programmed. Usually requiring a bit of manual entry with ##<mls># for the MDN and MSID. And don't forget to program the MMS settings.

  • I went ahead with it, but ran into an issue - couldn't write the original MEID because it wouldn't accept the 16-digit internal password. Turns out that Android 4.1.2 somehow messes up that password - http://forum.gsmhosting.com/vbb/f770/samsung-galaxy-s-iii-sch-r530m-16-digit-password-1591543/index3.html#post9232277
    After going back to 4.1.1 (which wasn't as straight-forward as I'd hoped), I was able to get everything working. I'm back on 4.1.2 now, with 3G.
    Thanks for the trail-blazing!

  • I don't get why people keep leaving incomplete instructions.

    "

    I just did yesterday - here's what I had to do:

    1. Return to stock rom (I was running Cyanogen)

    2. reprogram the original MEID

    3. Boot and perform a ##768# to return to stock and regenerate the AAA keys

    4. Boot again and test activation (everything worked)

    5. Enjoy!"

     

    Why didn't you mention that we needed a MSL? If we were already using a donor esn/meid, are we supposed to use the msl from it and it's listed in our ting.com account? If so, it's not working for me when I try to do the reset with it. Says it's invalid. So right now I have a non functioning phone until Ting gets back in the office. =(

  • You use the MSL/SPC for the phone you're working on, donor has nothing to do with that. If you don't know it, the tools you used to access/reprogram the MEID should also be able to handle the MSL. Also, if you activate the phone's MEID on ting.com, the MSL originally associated with it will be sent in the activation email.

    Note that at the time I'm writing this, you'll need to wait another 4.5 hours before attempting to activate on the site ( Sprint maintenance window).

  • Ah, ok. So after I do the carrier reset with the MSL, I can't activate it on https://ting.com/byod/devices for another 4.5 hours? If I try to do it now, it says it's an invalid ESN.

  • Right -- during the window things will error like that anyway, so you can't count on the response until after the maintenance is finished.

    And you are able to attempt to BYOD + activate it on the site before doing anything with the phone, since the phone and backend activations are separate things. The backend provisioning must be completed before the phone can perform its own activation anyway, and doing it ahead of time will let you find out if there's still something wrong with the MEID or BYOD process that would prevent it from working at all, in which case you'd have to stick with the donor.

    Obviously you've already started the process so it's kind of beside the point now, but maybe that'll be useful information for someone in the future.

