HTC evo (change wimax settings)


radicaledwardwong

Oct 27, 2010, 3:09:59 PM10/27/10
to wimax hacking
Hi,

I'm looking for a way to change the WiMAX settings of my HTC Evo, which
are locked to the Sprint network.
In my country we have another WiMAX operator.
I know where to change/edit some parameters (##3282# menu) but I can't
change the frequencies.

I found some programs on your Google Group site named "WimaxTool.apk"
and "WimaxSettings.apk".
I have successfully installed WimaxTool.apk but can't install
WimaxSettings.apk.

C:\android-sdk-windows\tools>adb install WimaxSettings.apk
857 KB/s (41725 bytes in 0.047s)
pkg: /data/local/tmp/WimaxSettings.apk
Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE]


Catlog gives me this:

D/AndroidRuntime( 930):
D/AndroidRuntime( 930): >>>>>>>>>>>>>> AndroidRuntime START <<<<<<<<<<<<<<
D/AndroidRuntime( 930): CheckJNI is OFF
D/dalvikvm( 930): creating instr width table
D/AndroidRuntime( 930): --- registering native functions ---
D/PackageParser( 166): Scanning package: /data/app/vmdl67464.tmp
E/PackageManager( 166): Package com.htc.settings.wimax has no signatures that match those in shared user android.uid.system; ignoring!
W/PackageManager( 166): Package couldn't be installed in /data/app/com.htc.settings.wimax.apk
D/AndroidRuntime( 930): Shutting down VM
D/dalvikvm( 930): DestroyJavaVM waiting for non-daemon threads to exit
D/dalvikvm( 930): DestroyJavaVM shutting VM down
D/dalvikvm( 930): HeapWorker thread shutting down
D/dalvikvm( 930): HeapWorker thread has shut down
D/jdwp ( 930): JDWP shutting down net...
I/jdwp ( 930): adbd disconnected
D/dalvikvm( 930): VM cleaning up
E/AndroidRuntime( 930): ERROR: thread attach failed

I'm using a Fresh Evo fresh-evo-0.3 ROM (I also tried fresh-evo-0.5.3,
fresh-evo-1.0.1 and fresh-evo-3.3.0.1).
I've been searching for quite a long time now for a way to make this
phone work on my WiMAX network.
Any help would be greatly appreciated.

Rad.

Daniel Hückmann

Oct 27, 2010, 6:51:40 PM10/27/10
to wimax-...@googlegroups.com
I don't have an Evo, but I do know that the chipset inside supports
Triple-band RF: 2.3-2.4, 2.5-2.7 (Clear/Sprint), 3.3-3.8 GHz (most
European operators.) Maybe someone who has one can chime in on where
the settings are hidden.

Daniel Hückmann - Sophsec Intrusion Labs - Silicon Forest (PDX)
--------------------------------------------------------------------------
http://www.google.com/profiles/sanitybit
http://twitter.com/sanitybit


radicaledwardwong

Oct 27, 2010, 8:56:46 PM10/27/10
to wimax hacking
I have root access to the system and I have found a few files related
to WiMAX settings:
- /data/misc/wimax/XXXXXXXXtree.xml
- wimax_properties
- wimax_dhcp.conf

I also unzipped system.img from PC36IMG, edited it in a hex editor, changed
the frequencies and reloaded it, but all with no effect.
I have a WiMAX base station, so I can see if the device is trying to
perform network entry, but it isn't. I see nothing.

Rad.


simon1100f

Nov 13, 2010, 5:44:23 AM11/13/10
to wimax hacking
When I bought my EVO the WiMAX was not working. I tried to troubleshoot
the problem with Sprint with no luck. About a week into it I
decided to work directly with Clearwire. In the process of
troubleshooting the problem I signed up for Clearwire service; we finally
discovered that the problem was with a certain group of MAC addresses
beginning with 38. Several thousand EVOs were affected. As far as I
know I am the only Sprint customer with my 4G service through Clearwire.
I am paying for Clearwire service because I noticed once I changed the
REALM to Clearwire my speeds as much as doubled. While on Sprint the
average ping is around 250 to 300 ms, download 3 to 5 MBs. On Clear, ping
is 60 to 70 ms and download between 9 and 10 continually! To change to
Clearwire I changed the REALM to clearwire-wmx.net. Are you trying to
specifically change the frequencies or just the provider?

Simon

BTW, I know I kinda hopped around; I will explain in more detail later
as it's past my bedtime.


Steve Lechaix

Nov 13, 2010, 7:26:16 AM11/13/10
to wimax-...@googlegroups.com
Thanks for your answer.
In my country we are not using the REALM parameter, and the frequencies are different, starting from 26...
I really would like to set up this smartphone so I will be able to promote our WiMAX network here.
Anyway, I tried a lot of things with the EVO but I never saw it register on the tower antenna. It just scans indefinitely.
Someday I will try again, but for the moment my Evo is just sleeping in its box.

Steve


kallisti5

Dec 29, 2010, 11:10:55 AM12/29/10
to wimax hacking
This might be a little late, but the EVO has a hidden WiMAX data
partition in memory where it stores its RSA keys. You can obtain
access to this hidden WiMAX partition's data through the RA_MON 1.8.0
recovery tool.

1) Boot into the RA_MON recovery menu by holding volume down and
booting the phone.
2) Make a nandroid backup of the system.
3) Check /sdcard/nandroid/xxxx/xxxx/ for a file called wimax.img.
4) This is your WiMAX data partition (no filesystem as far as I know).

The RSA keys within are unique per device, based on your WiMAX MAC
address. (Don't give it out or lose it!)

grep RSA wimax.img

Nandroid will allow you to flash your "backup" back to the phone; you
might be able to monkey with this image and change the operator /
network / etc.

Good luck!

-- Alex



Kenny

Dec 29, 2010, 12:45:01 PM12/29/10
to wimax-...@googlegroups.com
On Wed, 2010-12-29 at 08:10 -0800, kallisti5 wrote:
> 4) this is your wimax data partition (no filesystem as far as I know).

Nice find. What are the first 6 bytes of your wimax.img? Might be able
to help with the format.

--
Kenny
-+---+++-++-++++--+------+-+-++--++--+-+-++--+++-++----+-++-+++---+----+--+----+


kallisti5

Dec 29, 2010, 5:17:37 PM12/29/10
to wimax hacking
Here ya go, hopefully not putting *too* much data out there :)

/media/3D10-D7A8/nandroid/HT07VHL06776/BCDS-20101223-2000$ od -x wimax.img | head -4
0000000 5448 2d43 6957 414d 2d58 5153 314e 3331
0000020 0030 0000 0000 0000 0000 0000 0000 0000
0000040 1c51 007a 0100 0000 0000 0000 0300 0000
0000060 0000 0000 5089 002a 5389 002a 0000 0000

/media/3D10-D7A8/nandroid/HT07VHL06776/BCDS-20101223-2000$ strings wimax.img | grep RSA | grep KEY
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----


Thanks!

-- Alex

Steve Lechaix

Dec 29, 2010, 5:27:51 PM12/29/10
to wimax-...@googlegroups.com
Thanks a lot for your input.
I'll make some tests.

Steve


kallisti5

Dec 29, 2010, 11:27:05 PM12/29/10
to wimax hacking
Almost forgot... to print your *full* unique RSA private key out of
the wimax.img blob:

sed -n '/PRIVATE/,/PRIVATE/p' wimax.img


To print your full RSA private key directly on the evo *without*
messing with nandroid...

sed -n '/PRIVATE/,/PRIVATE/p' /dev/mtd/mtd0


Happy WiMax hacking.

-- Alex


kallisti5

Dec 30, 2010, 12:13:14 AM12/30/10
to wimax hacking
I verified this is the WiMAX key and cert this evening...

Get your RSA private key:
sed -n '/BEGIN RSA/,/END RSA/p' /dev/mtd/mtd0

Get your Certificate:
sed -n '/BEGIN CERT/,/END CERT/p' /dev/mtd/mtd0


With the information above:

- have openssl generate an md5 for the RSA private key:
openssl rsa -noout -modulus -in id_wimax.rsa | openssl md5

- have openssl generate an md5 for the CERT:
openssl x509 -noout -modulus -in unknown.crt | openssl md5

The hashes above match, so the RSA key signed the crt; so good so
far...

Let's look at the crt...
openssl x509 -noout -text -in unknown.crt

What is this?
Subject: C=TW, O=HTC Corporation, OU=WiMAX Forum(R) Devices, CN=38E7XXXXXXXX

It just so happens the CN *exactly* matches the WiMAX MAC address of
my EVO.

So there ya go.

G'night!
-- Alex

Kenny

Dec 30, 2010, 5:24:19 AM12/30/10
to wimax-...@googlegroups.com
Well, it isn't a format I have seen before...

"HTC-WiMAX-SQN1130" (little endian)

If I can get two or more of these, then I could probably work it out.
Looks pretty basic. But since the keys are in PEM instead of DER, they
are nice and easy to pull out as you found. If you see anything else in
there that you are curious about, then I'd be happy to look at it more.

--
Kenny
-+---+++-++-++++--+------+-+-++--++--+-+-++--+++-++----+-++-+++---+----+--+----+

Spike Spiegel

Jan 2, 2011, 1:39:51 AM1/2/11
to wimax-...@googlegroups.com
Hi, here are my first 6 bytes of wimax.img, if it can help.

0000000 5448 2d43 6957 414d 2d58 5153 314e 3331
0000020 0030 0000 0000 0000 0000 0000 0000 0000
0000040 27b5 007a 0100 0000 0000 0000 0300 0000
0000060 0000 0000 3c28 002b 3f28 002b 0000 0000

Do you know how I can put my own certificate into the wimax.img file?
I suppose I have to convert my certificate to hex and then paste it into wimax.img, but I'm not sure how to do it.
Does the MAC address in my certificate have to be the same as my phone's?

Also, I tried to change the frequencies in wimax.img (backup then restore) but it has no effect. When I go under WiMAX Settings, the center frequency hasn't changed.

Thanks
Steve
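Added example, not code from the thread: a small Python script that decodes the two od -x dumps posted above (Alex's and Steve's) back into raw bytes, reads the little-endian magic string Kenny identified, lists the byte offsets where the two images differ (the per-device fields Kenny wanted more samples to work out), and selects PEM blocks from an image the way the sed commands in this thread do. It runs against a constructed blob with a placeholder key body, not real key material; it is useful for checking whether a nandroid backup you are about to share still contains the key Alex warned not to give out.

```python
import re
# The two od -x dumps posted in this thread (Alex's first, then Steve's).
ALEX_DUMP = """\
0000000 5448 2d43 6957 414d 2d58 5153 314e 3331
0000020 0030 0000 0000 0000 0000 0000 0000 0000
0000040 1c51 007a 0100 0000 0000 0000 0300 0000
0000060 0000 0000 5089 002a 5389 002a 0000 0000
"""
STEVE_DUMP = """\
0000000 5448 2d43 6957 414d 2d58 5153 314e 3331
0000020 0030 0000 0000 0000 0000 0000 0000 0000
0000040 27b5 007a 0100 0000 0000 0000 0300 0000
0000060 0000 0000 3c28 002b 3f28 002b 0000 0000
"""

def od_x_to_bytes(dump):
    """Undo od -x: each 4-hex-digit field is a 16-bit word the host read
    little-endian, so its low byte comes first in the file. Field 0 is the offset."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for word in line.split()[1:]:
            v = int(word, 16)
            out += bytes([v & 0xFF, v >> 8])
    return bytes(out)

def magic(data):
    """NUL-terminated ASCII tag at offset 0 of the partition."""
    return data[:data.index(b"\x00")].decode("ascii")

def differing_offsets(a, b):
    """Byte offsets where two images differ: candidates for per-device fields."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def pem_blocks(blob, label):
    """Same selection as sed -n '/BEGIN label/,/END label/p' on the raw blob."""
    tag = re.escape(label.encode("ascii"))
    pat = re.compile(rb"-----BEGIN " + tag + rb"-----.*?-----END " + tag + rb"-----", re.S)
    return [m.group(0).decode("ascii") for m in pat.finditer(blob)]

# Constructed stand-in for a partition dump: the real header bytes from Alex's
# dump, padding, then a PEM block with a placeholder body (no real key material).
SAMPLE_BLOB = (od_x_to_bytes(ALEX_DUMP) + b"\x00" * 8
               + b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
                 b"-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    a, b = od_x_to_bytes(ALEX_DUMP), od_x_to_bytes(STEVE_DUMP)
    print(magic(a), differing_offsets(a, b))
    print(pem_blocks(SAMPLE_BLOB, "RSA PRIVATE KEY"))
```

The two dumps differ only at offsets 32-33 and in the two 32-bit words at 52 and 56, so those fields, not the "HTC-WiMAX-SQN1130" header, are where per-device data lives in the first 64 bytes.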


ErvisTheGreat

Jan 16, 2013, 5:02:13 PM1/16/13
to wimax-...@googlegroups.com
Hello all, is anyone still looking at this thread?
I am wanting to know if there is an easier way to clone the MACs off an Evo that I put service on Clear with. I have been able to do it by MAC cloning with some command like wlanmac 0000000, basically spoofing so I have two devices on the same account. Is there a better way to do this?

On Tuesday, January 8, 2013 2:36:23 AM UTC-5, Hui Jin wrote:
Hi guys,
I know it is kind of late, but it will be appreciated if you can give me some hints about how to change the MAC address.
Thanks,