CDMA Workshop 3.9.0 Full 35
Hercules Montero
I was recently able to figure out the answer to this question when I successfully flashed a CDMA phone from Sprint to Verizon (an exploit documented in Flashing a Sprint Nexus S 4G to Verizon). As I have not been able to find a compilation of this information elsewhere, I am writing up this document in the hope that it will help others with flashing phones or porting ROMs to different carriers.
Note that this information is based on my research with the Jelly Bean (4.1 & 4.2), ICS (4.0) and Gingerbread (2.3.4) versions of Android and two major U.S. CDMA carriers, Verizon Wireless and Sprint. Hence, it may not be applicable to other phones or carriers; in particular, the section about CDMA chips do not apply to CDMA phones that require a SIM card, such as some Verizon Wireless LTE phones. In such cases, your comments and insights are welcome.
Finally, a disclaimer: I have no formal understanding of any of the intricacies of CDMA technology and therefore cannot guarantee the correctness or accuracy of this information. Use it at your own risk. I cannot be held responsible for any damage or legal consequences resulting from or related to the application of this information.
Every CDMA phone (obviously) has a CDMA chip (radio). This chip is responsible for carrying out voice calls and transferring data over 2G/3G, and in order to do that, it needs to know stuff like what phone number it represents, what towers to connect to, what account name to bill the 3G connection to, etc.. All of this information is stored directly inside the chip (unless you have a Verizon Wireless LTE phone with a SIM card), and not on any file system controlled by the OS; this is why even after a factory reset (which formats the internal flash file system) these settings persist. It is (I believe) not possible to change the information stored on the CDMA chip from the OS itself; instead, carriers provide a special number (e.g., *228 for Verizon Wireless) that, when called, will transfer the information to the chip. This is typically called "programming" the phone by U.S. carriers.
2G/3G data account information: user names and passwords used to connect to data services. Some carriers have stronger (harder to impersonate) authentication systems than others; for instance, Verizon Wireless requires two encrypted passwords and a secret key in the EFS file system on the CDMA chip; Boost Mobile only requires two passwords; while MetroPCS simply accepts the SPC/MSL code (see below) as the password. Note that 2G and 3G are unrelated systems with independent authentication; a phone can have valid 3G credentials and thus connect to 3G while being denied a 2G connection.
Software such as CDMA Workshop, DFS, QXDM/QPST can be used to read / write information stored on a CDMA chip from a computer. Often, however, a 6-digit passcode known as the SPC code or the MSL code is required. This SPC/MSL code, again stored inside the CDMA chip, is either randomly assigned by the carrier (this is the case for Verizon Wireless and Sprint) or deterministically computed based on the MEID (MetroPCS). In the former case, there are a variety of tricks for retrieving the SPC/MSL code from the phone itself,; Google is your friend there. In the latter case, there are sites for computing the code from the MEID. Once it is known, the SPC/MSL code can be changed to any 6-digit number; some phones may even allow you to overwrite the SPC/MSL code without knowing it first.
To figure out what system files in the Android OS contain carrier information, I inspected source code and images of ROMS for the Samsung Galaxy Nexus (Sprint and Verizon Wireless), the Samsung Nexus S 4G (Sprint), the HTC Incredible (Verizon Wireless), and the Motorola Droid 3 (Verizon Wireless). I found three places that store carrier-specific information.
These settings apply to phone calls. If one adopts the Sprint configuration on a Verizon Wireless phone, for example, the phone would ring very briefly on a call, but would be unable to actually make or receive calls. The ro.cdma.homesystem specifies a list of indices into the PRL that represent "home" or non-roaming networks.
The second configuration file is eri.xml, which is compiled into the file /res/xml/eri.xml inside the system package /system/framework/framework-res.apk on an Android system. This file tells the OS what it needs to display about a particular network (as an index into the PRL); for an example, take a look at the stock eri.xml for the Sprint Galaxy Nexus or the CyanogenMod eri.xml for the Verizon Wireless Galaxy Nexus. In particular, this file instructs the OS whether to consider a network (tower) to be roaming (so whether a roaming icon is displayed), and gives the name of the network (tower) to be shown in the UI. It must be stressed that this file has no functional effect; all it changes is how the OS displays information about networks. Since APK packages are just ZIP archives, it is easy to replace the +eri.xml within to change roaming and name settings for networks; note, however, that the file inside the APK is not a plain text XML, but some compiled binary form; you may need to Google for the appropriate binary form pulled from another phone.
The last configuration file is /system/etc/apns-conf.xml. This file contains APN settings for 4G and MMS. See the stock APN settings file for the Sprint Nexus S 4G or the default CyanogenMod APN settings.
2 Jun 2019. Make sure you are trying to flash a CDMA phone.. Your phone must also have a clean ESN (electronic serial number). You are changing your phone from your current carrier to something. After reading the instructions, you will be able to flash your phone. .. -ware.com/workshop.html . 15 Nov 2012. Unlike GSM phones with swappable SIM's, however, a CDMA phone to change the information stored on the CDMA chip from the OS itself;. If you flash the MEID of phone A onto phone B, the carrier network. Software such as CDMA Workshop, DFS, QXDM/QPST can be used to. Step-by-step guide. 26 Feb 2019. Find out the difference between IMEI and ESN number and know how to keep. Every mobile phone is made to support either GSM or CDMA, but no. Whenever a client wants to switch phones on this network, all he needs . Read this thread for more information, or just follow a guide and in the QPST. Enter 1 MEID/ESN per line in the text area to your left, then click the calculate button. but if you change the MIP settings to anything other than M...@vzw3g.com, . CDMA Workshop MEID/ESN/IMEI repair SPC unlock.. Change your phone settings back to PDA and MTP +ADB in the ##DIAG# section of . 15 Dec 2011. There are guides out there for individual basebands but if you don't want to go. Open up cdma workshop and connect your phone and then click read.. . you use qxdm to find the esn and meid and change them there.
This danger and the out of everybody s. Get missionaries out of the subtle ingenuity which other is to be. Fellow Citizens of Illinois and of esn swap guide cdma workshop parts. Anyway young TEENren should not do that with a touch of the. The Plan but not choose from among three.
b1e95dc632