You are on page 1of 37

HTC EVO 4G on Virgin Mobile

Due to extreme demand I've decided to construct a A-Z guide on how to fully flash the the HTC Evo 4G to Virgin Mobile ( just like the name implies obviously).

Well, they're are a few items needed to complete this somewhat lengthy process. List of physical items: HTC Evo 4G Donor Virgin Mobile phone (The Lg rumor touch, Optimus V, or Samsung Intercept if you want 3g capabilities) Data sync cable for your computer Stress ball Ice cream

Now for the list of programs needed: LGPST LAB version 1.2 ( if using rumor touch or Optimus V as donor phone) CDMA Tools (version 2.7+) QPST QXDM Professional rEVOlutionary or unrEVOked

STEP 1. Extracting the info
Before we can begin touching the Evo, they are a few bits of information we'll be needing from your donor phone. In my case I had the LG Optimus V laying around from who-knows-when and I'll be referring most of these steps to the processes used to extract infromation from the phone. The things you'll be needing from the phone will be the: ESN, MEID, HA key (default VM HA key is vmug33k), the AAA key,

and NV Items 1192, and 1194. The ESN and MEID have to be the easiest bits of information to obtain. They can be easily read by CDMA tools, just be sure to download the DIAG drivers that are specific for your device. A lot of people get stumped with this program so don't fret it I'll break it down a bit for you guys.

STEP 1.2 Understanding CDMA tools
After installing your DIAG drivers, you're phone can be now located at a port. Before it can be located as a port you'll have to activate debugging on your donor phone. Navigate to your phone's settings> Applications> Development> and then make sure USB Debugging is checked off, plug your donor phone into the computer, and select charge only when the usb settings show up on your phone. Now to find what port your phone is in, for Windows 7 it's really simple: Control panel> in the search bar type "device manager" without the parenthesis and select device manager>

scroll down to the drop down bar titled PORTS and the only ports there should be your phone. .

Remember. if you can't google it. then select "connect to port". there's a good chance it doesn't exisist. . Open up your CDMA Workshop (version 2.7+) and click on the drop down menu onthe upper right and select your phones port. then "read" and you're done. Now that you've located the port you can read your phone in CDMA workshop.Windows XP steps are similar with a few exceptions but it's nothing you can't google.

Don't forget to grab those NV Items I mentioned earlier.CDMA tools should now display your MEID and ESN *HINT* Your MEID is the A00000xxxx or A1000xxxx number and your ESN is an 8-digit alphanumeric combination *END HINT*. The message pops up because the fully can't be fully read without reading the phone in LGNPST. Under the NV items box search for NV Items 1192 to 1194. don't sweat it. . expect an error message when trying to read your phone. Just connect your phone to CDMA tools and navigate to the Security tab. Also a side note: If using an LG phone as your donor.


We're better than that.2 and if you're . if there is anything I've learned over the years is: Whatever the developers do good. To read the Lg rumor touch or oV you'll need to get your hands on the LGNPST Lab version 1. The thing about these VM LG phones is that Virgin lock these bad boys up tight! Lucky for you. ESN and MEID only ensure us talk and text but no web or MMS which would be fine but not for us. STEP 1. hackers do better.4 Understanding LGNPST (SKIP IF USING SAMSUNG INTERCEPT OR OTHER NON-3g DONOR PHONE) Now that we have the ESN and MEID from our donor phone we're almost done. i still sleep fine at night. This isn't really hacking but whatever.Side note: You won't be able to read these NV Items on the Lg Rumor touch or Lg Optimus V unless you read them first with LGNPST. we want 3g no matter the cost (not literally).

dll file. Once you've installed the dll file you're phone can be recognixed by LGNPST. Your phone should be recognized automatically but if not just press the F key on your key board and click on "select dll" on the menu in the top left corner of the program. If your phone isn't already. Scroll down .using the Optimus like I did you'll also need the ls670. Installing LGNPST isn't that tricky but installing the DLL files threw me off a bit so I'll provide the dll file and a link to how to install it. plug it into your computer and run the LG product service tool.

. if it for a SEC code or MSL code it can be found in CDMA tools under security tab. Now. If it's grayed out click on "expand" then "deminish" it and it should be available to click on. click it. select ok.until you find the ls670. Just locate the SPC square and make sure to select the LG method from the drop down menu before reading it. Now you're almost set to read those AAA keys (FINALLY!!!!!!).dll file. locate the "phone settings" button on main page.

time to pop that little guy out.You should have your 6 digit code now and that should allow you to read the phone in LGNPST.6 Reading AAA keys You know that nifty little tool I mentioned earlier called QXDM? Yeah. I like this program . STEP 1. well. Now just read the phone and thats it! Your phone can now be completely read.

All joking aside try to get used to this program because once we start on the EVO you'll be needing it a bit. I really hate QXDM because of reasons that weren't it's fault. you'll need it to connect your phone to QXDM. QPST also needs to be ran in compatibility mode. If you're using Windows 7 don't forget to run this in compatability mode (windows xp SP3). really the way you finish your opponent is up to you. . click on add new port... To connect to QXDM you'll need to start up QPST Configuration and navigate to the ports tab..because once you're through with it you can fool your dumb friends into believing you programed some super awesome program. Make sure to also install QPST.

on the left select your phones port. and finally select the port and click enable. click ok. .

profile 0. select communications and select your port in the first drop down menu. and you're set! First they're a few commands you'll need to know to make this program work for what you need it. . navigate to the options tab. Each Virgin Mobile phone I've used to date have only 3 profiles. 1. To read these profiles for their AAA key you'll have to type in the command bar: "requestnvitemread ds_mip_ss_user_prof " followed by 0. You'll be needing to read the AAA keys from your data profiles.Now run QXDM. and 2.

you're now done (with that at least)! . After removing the first two characters (0x) you should have 32 characters and with that. So to read from profile 1 you'll write "requestnvitemread ds_mip_ss_user_prof 1".then 1. They'll be a a long stand of four sets of numbers. then 2. 89 97 26 26. if you got four groups like this 0x89 0x97 0x26 0x26 you'd read it. Each group is numbered 0-15 so ignore the first "aaa_shared_secret_length" and start writing down the others as I said. two green and two blue. Ignore the first 3 sets of numbers (both the "HA_SHARED" and the first set of "AAA_SHARED") and just copy all the numbers excluding the "0x" and the begining of each set for example.

9 Revise Now you should have all you need. and your MIN and MDN. . just take a quick gander at what you have. HA password.STEP 1.8 Ice Cream break!!!!!! STEP 1. You should your ESN. MEID. your AAA password.

Meid.I haven't gone over your MIN or MDN yet but its really simple. usually its under "my number" and "msid". your MIN is your phone number and your MDN is the second number on your phone which can easily be found in settings> about phone. STEP 2 Preping for sugery Now we get to the fun part! You need to prepare rewrite your evo but first. whatever you wanna say but it's over. In case you change your mind you'll have everything handy. Have this information and you're finally set. you're done. . everything. terminado. Take once last look at your brand new paper weight because you'll need to either turn it off for good or wipe the ESN and MEID to ensure it doesnt interrupt your phone service on your new EVO. When I went through this process I wrote down all the information by hand and it helpped me keep track of what I was doing so that's just a little tip for you guys. fin. I highly recommend you save your information on the EVO and write down everything that we took from the optimus ESN.

This part here is by far the most time consuming step of the entire guide and expect to spend 30+ minutes so you'll have to be very patient.digit spc without using CDMA workshop) but really what rooting brings to the table is more helpful for everyday use so wether or not you root it's up to you.First thing many will want to do is root your phone. Although it's not necesary. it'll help a bit with a few things during the flashing process (like finding your 6. STEP 2. *Samsung Method* For Samsung owners this is surprisingly simple and only requires QXDM. Now. google was my friend here so just do a quick search for them and you'll find em'. Rooting or not you'll need the EVO's diag drivers. In the command line enter: "password 01F2030F5F678FF9" . Side note: without rooting you will not be able to reach 100% functionality.ZEROING OUT THE PHONE Finally the moment you've been waiting for! Now it's time to get down and dirty with our EVO.2.

"RequestNVItemWrite MEID 0×00A0000000000000" without the parenthesis and replacing the A000. then you might want to try again or try the traditional method below. if it did you're done if not. *HTC Method* This method is also fairly easy and only requires QPST. with your MEID. You're gonna want to make sure that your Evo has a port available too. and 15 minutes of your precious. . dont want to forget your new "baby!" Open up QPST and select EFS explorer. precious time. QXDM... You can then enter command "RequestNVItemRead Meid" to make sure it stuck.

.Enter your spc and let it read.

.. and name it "Open sesame door" .And make a new directory.

now you can navigate to the num folder located in the nvm folder and locate the 0 and 1943 files. Drag those to your desktop. .Now reboot your Evo. The nvm folder should no longer have a red circle around it.

.Open those files with your hex editing program and change everything to 0s.

And make sure to save it and place it back in the num folder. Before closing EFS explorer make sure to delete the "open .

talk and text should now work. Now that you've zero'd out the esn and meid you can navigate your way to QXDM. . If it stuck you should be able to see it with the command "RequestNVItemRead Meid" and if it stuck it should show up there which means it stuck! Congrats.sesame door" folder so you can be on your merry way. In the command line enter "RequestNVItemWrite Meid 0x00A000000000000" replacing the A000 number with your meid.

2.*Traditional Method* (Long way) For this process you'll have to search for the MEID and ESN locations on the EVO via cdma tools. It's a tricky process but I'll walk you through it. Make sure to download winhex or another hex editing software for this step.) Go to the memory tab and click start under memory scan. Proceed to the security tab and enter your spc code and send it to the phone to unlock it. 1.) Open up cdma workshop and connect your phone and then click read. Just leave the fields the way they are. you should get something like Scanning memory for readable areas: Unreadable area from: 0000:0000 Readable area from: 00FA:0000 Unreadable area from: 0100:0000 Readable area from: 0109:0000 .

Now when I hit equals I get the hex number 60000.) Now in the memory / Eeprom area put in the number you calculated where it says bytes. I'm not sure if this is how you figure out the number of bytes you need but it works fine for me. Now click read and it will prompt you to . To convert this to a decimal simply select dec.) Now for the tricky part. So open the calculator and click view and select programmer. Put in the first readable area in the start address field. As you can see I get the number 393216. the same goes for the other address. 4. To do this use the calculator tool in Windows. The memory is readable from 00FA:0000 to 0100:0000 so we take the number 0100:0000 and subtract it from 00FA:0000 and convert it to a decimal.Unreadable area from: 01DC:0000 Process is stopped at: C000:0000 3.) Then click subtract and punch in FA0000(of course replacing these addresses with the ones in your scan). Now punch in 1000000. (The first zero doesn't matter.

To get the first MEID address take the number you start the scan with(mine was FA0000) and add C594 to it. The address to the left of my MEID is 0000C590(or just C590) and the column for the beginning of my MEID is 4. Add 4 to C590 and you get the file somewhere so go ahead and do that. 5. Put in your reversed MEID without the spaces. For example if your MEID is A1000067452301 pair it like so A1 00 00 67 45 23 01 and reverse it like so 01 23 45 67 00 00 A1 remove the spaces and you get 012345670000A1 6. . Click OK and it will take you to the first MEID it finds. This will bring up a window so you can search certain hex numbers. I get FAC594. alt and x.) Open the saved file in Winhex and press ctrl. This will be your first MEID address.) Now take your MEID number and put it in pairs of two then reverse them.

If you press ctrl. 7. My bytes ended up being 13. Make sure you check the "list search hits" box. This may or may not be necessary. Continue this process for the rest of this file then you must do step 3-6 with your second readable areas. This same process can also be used to find your ESN locations. . with no spaces. Mine again was 0109:0000 .01DC:0000. Just search the same files but put your reversed ESN in the search window in Winhex. alt and x and hit OK it will take you to the same address you were just at so what I do is change one of the numbers and then search again like so. I changed the first pair to 00 so I can continue searching for MEID addresses.096.Write it down and move on to the next. It should list the locations of the results at the top. After you open your scan results with winhex -do a search for your meid in reverse. The second readable area takes a very long time.) The last thing I did was do the entire process again only I put the phone in airplane mode.828.

-there's gonna be an offset number to the left of it.. -You'll come up with a result like this*example.. click it so it shows the an offset number that contains letters. it usually starts up in "DEC" mode. your gonna want to take your offset number and add it to your original search location. -Open up the windows calculator and make sure it's in "HEX" mode. lets say "00FA-0000" for example.00FA0000+4EDC2C= 148DC2C which would be 0x0148DC2C -Just add 0x0 or 0x00 (depending on the length of your result number) in front of it. . -Do this for all the other locations & there you go.If you did a searched. you can click on it and it changes. in cdma ws. you have your addresses Overall it is a very time consuming process but if you do . for example 00FA0000 with no dash.

Look for your esn or meid and rewrite them as 0's. Now connect your phone again and open up QPST. Connect your phone to qxdm and press the f4 hotkey once opened and start inputting the addresses you found and calculated. disconnect your phone DO NOT POWER DOWN. they're fairly simple to find just run the same process again but with your phone in airplane mode. If not I'm afraid you'll have to repeat this process (DUN DUN DUUUUUUN). once you find the locations. I have tried in the past and people with the same baseband had completely different addresses. In the command bar type: "requestnvitemread esn" If done correctly . For some phones. and remove the battery for a couple second then place back in and start up. You should of found 10 MEID locations and 15 or more ESN locations. you'll have what is refered to as "floaters" which are basically the one bastard that won't die in the action movies and becomes the worst super villan in the movies history when the sequel comes out.everything correct it can save you a lot of time as opposed to looking up addresses someone else has posted. zero them out with qxdm. Once done.

Then type in "requestnvitemread meid" and it should display 0s again. If they both stuck now is a time to use your best happy . If it does then give yourself a pat on the back because you just saved the town and got rid of that super villan before he became a should show all 0s. Now disconnect your phone.3-WRITING THE MEID The beauty of the MEID is it calculates the ESN for you. Now would be a good time to eat Ice cream if you didn't finish it all the first time. open up QPST again and type in the command bar "requestnvitemwrite MEID" followed by 0x(DONOR MEID). You could also check in QPST with "requestnvitemread MEID" and to be safe "Requestnvitemread ESN" and check to see if the esn stuck as well. Remeber: The meid always begins with an "A" and is followed by either a 1000xxxxx or 0000xxxxx number. remove the battery and replace. if I wanted to put my MEID I'd write "requestnvitemwrite MEID 0xA0000xxxxxx" just replace the A0000xxxx number with your donor meid. Boot up your phone and navigate to Settings>About phone>Status Search to see if your DONOR MEID is in the MEID space. For example. STEP 2.

and 6 and make sure to add a profile 0. rev tun:yes. 5. For this you'll need QPST Configuration. tethered nai:.0. enabled:no. secondary:not set. nai:. Open it up and make sure your EVO is connected to QPST and select the Start Clients drop down menu and select Service Programing. nai: (DONOR MEID)@mdata. dmu 4.vmobl. They'll be two tabs you'll be working with: the PPP Config tab and M. primary:dynamic.0. secondary:not set. dmu pub:0. Select the M. mob auth: . mob auth: profile:1. home:0. tethered nai:. aaa spi:21EF. ha spi:3. rev tun:no. primary:not set. ha spi:21EF.IP tab and make sure to disable or delete profiles 3.prospector dance moves because you've just set your new phone up with Talk and text. Under the profiles write: profile:0.IP tab. enabled:yes.0.0. aaa spi:2.5-Writing DATA Now that we can call our friends to brag about our new badass phone and show them how many people we've texted it's time to make them spaz out with 3g capabilites. STEP 2. home:0. This is where the magic happens.

aaa spi:21EF. dmu pub:0.HA Shared: (change it to "text string" and enter "vmug33k") AAA Shared: (change it to 'HEX string" and enter DONOR AA Shared Secret) tethered nai:. primary:not set. home:0. Under RM and UM dont touch it but for an . nai: (your MEID)@prov. wait until the phone reboots and disconnect it. enb:yes. Now you're phone should be done! 3g should be dancing around proud on the top on your notification bar.userid is meid@mdata. STEP x. mob auth: HA Shared: (change it to "text string" and enter "vmug33k") AAA Shared: (change it to "HEX STRING" and enter DONOR AA Shared Secret) And you're done with the M.vmobl. secondary:not set.0.0.x-MMS FIX (optional) . Navigate to the PPP Config Tab.IP tab. ha now just write to phone. rev tun:yes.0.

DISCLAIMER: ALL DATA WILL BE ERASED LIKE PICTURES.2. Make sure to uncheck it in your settings and power down your phone. To flash a ROM first make sure your phone isn't running to your phones root. If you do not wish to root your phone go no futher. CM7 has the MMS patch built in but the ICS ROM has to be flashed along with the file to your sd cards root. ETC.If you're content with talk. I'm including the unrEVOked program with this guide but you'll have to google how to use it. MUSIC. If flashing AOKP ICS. If flashing CM7. DO A BACKUP ON YOUR COMPUTER BEFORE FLASHING A ROM. Now that your phone is rooted and has S-off I've included two ROMs that have the MMS patch. First you'll want to root your EVO obviously. APPS. and gapps-ics-20120215-signed. just copy the update-cm-7. CM7 and a Ice Cream Sandwich AOKP Now press . text. aokp_supersonic_build-24.0-4FEB2012-VirginMobile. You can now select from either CM7 or the Ice Cream Sandwich Rom I included. and web go no further. just make sure to install clockworkmod. Connect your EVO to your computer and put it in disk drive mode. If you want to root your phone and can't live without MMS then this is the step you'll want to go through. copy the VM_AOKP_24_PATCHER_EDITFY.

Now scroll to Yes. SMS. LeslieAnn. When the screen appears wait 15 seconds to allow it to run its programs and the using the volume rocker to scroll up and and and allow it to and flash it. select the aokp_supersonic_build-24.2. If flashing AOKP. and Wienerwad of XDA forums for help with the MMS patch and . Here scroll all the way to the bottom if flashing CM7 select the update-cm-7. repeat the same with the VM_AOKP_24_PATCHER_EDITFY.and hold both the volume down button and the power button until a white recovery screen appears. and web working plus a nifty little Custom ROM. That's it! You're done and now you should have Talk. Now scroll down to wipe davik cache and use power to select it. Constrictor25. Install and again using the power button to select I'd like to give thanks to brooksyx. MMS. highlight "recovery" and use the power button to select it. Your phone should display the EVO 4G boot sign for a few seconds before booting up Clock Work Mod. Do the same again but this time scroll down to factory reset/user data. Now navigate back to the menu you first came into when you opened clock work mod and select reboot device now. Now scroll down to Install Zip from sd card.

I hope this tutorial will be of service to many of you any questions just contact UncivilSavage of XDA Forums.helping with the locating of the MEID and ESN locations. Steve .