
CDMA WORKSHOP

CDMA Workshop is a professional universal service software, developed to work with
any CDMA 450/800/1900/EVDO(1xEVDO)/etc phones, fixed terminals, data
cards/modems based on any Qualcomm chipsets. It is the necessary tool for easy and fast
programming or re-programming CDMA items to any network, making clone phones,
unlocking, reading and changing ESN and MEID, security codes, such as: user lock,
SPC, MSL, FSC, OTKSL, Minlock, etc., authentication security codes, such as: A-key,
Ssd_a, Ssd_b, and many other things. CDMA Workshop combines all major functions
and operations which are necessary for full-functional work with CDMA phones and it is
a «must have» software for every serious technician, cellular/repair shops and dealers.

Supported Windows: Win 95/98/ME, NT, 2000, XP, 2003, Vista, Windows 7 (x32 and
x64)

Supported Interfaces: COM (serial), USB, USB-to-COM converters

"Nam Programming" tab

In order to program phones to a given network you must write network settings such
as Mcc, Mnc, Sid-Nid pairs, Primary/Secondary channels, etc. You can write these
parameters here, as well as read existing network settings from any phone and create
your own collection of network settings for each network you need.

Note that some networks with enabled roaming function are required to be programmed
with valid IMSI also. Otherwise, incoming calls will fail. You can write valid "True
IMSI" to phone in this tab also.

"Evdo" tab

Here you can read and write PPP / EVDO settings and authentication parameters (user
names, passwords).

"Terminal" tab

This is a low-level terminal for advanced users, which allows you to send internal
commands and receive the answer from a handset in Hex or Ascii format. It is useful in
different investigation and custom situations, for example it allows you to repair a damaged
SPC (0x00, 0x00... 0x00 for example) when a handset does not accept any SPC.

It has a counter of the total number of bytes in commands, automatic CRC calculation and
command history, in order to facilitate usage.

"Memory / Eeprom" tab

• Read/Write/Scan - these are Peek/Poke-based functions. First, you can scan memory
by using the "Scan Memory" function, in order to get a memory map and find readable
addresses. After that, you can use the readable addresses found in Read/Write functions
and in "Universal RAM" methods ("ESN", "SPC", "Cave" sections, see below).

Note that some models may restart when you try to access unreadable areas.

• "NV-items" section - You can backup / restore any number of NV-items here. Doing
so you can backup / restore all phone settings: user settings, network settings, security
settings, RF calibrations, etc. CDMA Workshop is able to make a FULL backup of
NV-items for models (many modern and old models) which restart when some
NV-items are accessed.

• "Flash" section - These functions use bootloaders for different MSM chipsets in
order to Read/Write flash-memory directly. By using these functions you can create your
own collection of full-flashes and use them to upgrade firmware, as well as to repair
phones with "software" problems (corrupted EFS, etc).
Supported chipsets: MSM 3000-5500, 5100, 6000, 6025/6050, 5105/5500/6000 (ZTE /
Axesstel)

"Security" tab

• "ESN" section - You can change ESN (Electronic Serial Number) here. This function
is useful to repair a damaged ESN or write a new one in order to make clone phones. Note
that some brands and models will allow you to write a new ESN by using the "default" method
only after entering the internal security password (16 digits, see below) (ex. Samsung,
Audiovox, Hyundai, Sky, Pantech models, etc).

- "Universal RAM" method will search all ESN addresses in RAM memory and save
them to a file, after that it will use these addresses to write new ESN directly. This
method is very useful to use and must be used for brands and models for which ESN
cannot be changed by the other methods, such as: some Epsilon models, Compal, Aiko,
ZTE, Axesstel, Novatel data cards, HTC, BlackBerry, Treo/Palm models, some of
Samsung M-series and many other brands and models.

- "Universal EFS" method will work on the majority of modern models based on non-
locked EFS2 (Embedded File System), such as: latest Samsung Sprint/Verizon models,
Treo 700, 755, etc, Audiovox/UtStarcom models (6600, 6700, 120sp, 7025sp, etc),
Kyocera new models, new LG models, korean Samsung SCH-V, S-series, Motorola MS-
series (MS400, MS500, etc), ZTE phones/data cards and many other brands and models.

- "Kyocera method" - This method is developed to work with Kyocera models based on
MSM chipsets up to MSM5100 (ex. 2035, 2135, 3035, 3245, 5135, 7135, s14,
1135/1155, 2235/2255, 2325/2345, SE44/SE47, Blade/Phantom, etc). For newer Kyocera
models you can use "Universal EFS" method.

- "LG method" - You can write new ESN on any LG (including newest) models by
using this method.

- "Sanyo method" - You can write new ESN on Sanyo models up to Sanyo 8300 by
using this method.

- "Sierra Wireless cards method" - You can write new ESN on most Sierra Wireless
cards by using this method (ex. AC580/Audiovox PC5220, 595, 597/MC5725, 598, etc).

- "ZTE / Axesstel method" - You can write new ESN on models based on MSM5105,
5500, 6000 chipset (ex. C100, 150, 160, 170, 180, 190, 200, 201, 202, 204, 220, 230,
231, 401, 631, 632, 705, etc, etc. Nokia 1255). You can use this method to write new
ESN on many Axesstel models also (ex. P800, L800, L1900, etc).

- "VK Mobile" - You can write new ESN on most VK_Mobile models by using this
method (ex. VK-100c, 200c, 220c, 300c, 600c, 650c, x100, 700c, etc).

- "Samsung EsnDev" - This method is used for Samsung models for Korean, Asia and
Oceania, Israeli, etc markets, such as: SCH-X, E-series, some V-series and some A-series
(ex. a562).

Some brands and models use an encrypted ESN internally and/or hide the real ESN and do not
allow the real ESN to be read by standard methods (ex. all Samsung SCH-V, S, B-series,
Motorola MS-series, korean market LG models, etc). You can use the "Real ESN" option to
read the real ESN for such models. This method is Universal and can be used on any CDMA
models.

You can also see the ESN prefix (ESN owner or phone manufacturer) in a pop-up hint by moving
the mouse cursor to the ESN field here. This feature is very useful to see whether the current
ESN is original or has already been changed.

P.S. For the other available methods of changing ESN, please check the Demo version.

• "MEID" section - You can enable/disable and change MEID (Mobile Equipment
IDentifier) here. Newer models may use MEID as an additional authentication parameter
(with ESN). When MEID is enabled and used in a phone, the ESN is called pESN
(pseudo ESN) and the pESN must match the current MEID.

CDMA Workshop will check that pESN and MEID match at the first reading of a phone and
show a notification message automatically if pESN and MEID do not match each
other.

CDMA Workshop will automatically re-calculate and write the correct pESN when changing
MEID using the available methods.

Some brands and models use an encrypted MEID internally and/or hide the real MEID and do not
allow the real MEID to be read by standard methods. You can use the "Real MEID" option to read
the real MEID for such models. This method is Universal and can be used on any CDMA
models (MEID based).

- "Universal EFS" method will work on the majority of modern models based on non-
locked EFS2, such as: Samsung, Kyocera, UTStarcom models, etc.

- "LG method" - You can write new MEID/pESN on all LG models (MEID based) by
using this method.

• "SPC" section - You can read/write and send the SPC (Service Provider Code) unlock
code to a phone here. Note that some brands and models will allow you to read the current
SPC by using the "default" method only after entering the internal security password (16 digits, see
below) (ex. Samsung, Audiovox, Hyundai, Sky, Pantech models, etc).

All CDMA phones are locked by means of the SPC. You must unlock the phone by using the "SPC -
Send" button, before writing: network settings (NAM), PRL, NV-items, etc. CDMA
Workshop will show a notification message automatically, if the phone requires the SPC to be
entered before such operations. When the phone is unlocked you can change the SPC to any
value.

- "Universal RAM" method can search and extract all 6-digit security codes (SPC,
MSL, FSC, Minlock, etc) directly from RAM memory. Security codes are always located
somewhere in RAM memory. This method is very powerful and is used for models for
which security codes cannot be read by the other methods: models which have no
EFS support, old models or models which use locked EFS. (ex. all new Sanyo models,
HTC, BlackBerry, Treo/Palm models, Sierra AirCards, Novatel modems, etc)

- "Universal EFS" method will work on the majority of modern and old models based on
any versions of EFS and read all 6-digit and 4-digit (user lock) security codes.

- "Direct Eeprom" - This method is quite similar to the "Universal RAM" method, but
designed to work with eeprom. Sometimes security codes are located in eeprom (ex. old
models, old Samsung models, all LG models, etc).

- "LG method" - You can read SPC on most LG models by using this method.

- "HTC method" - You can read SPC on most HTC models by using this method (ex.
HTC-6700, 6800, 6850, 6900, 6950, Touch Pro 2, etc).

- "SonyEricsson" - You can read SPC on all SonyEricsson models by using this method.

- "Motorola method" - This method is universal for most Motorola models. You can use
this method to read SPC, MSL and User Lock for many Motorola models with
"syn_feature" file in EFS (ex. c290, v710, e815, v3c, v3m, k1m, v9m and many other
models (non-locked EFS only)).

- "Kyocera Minlock (SPC3)" - This is a universal automatic method, used to read the
Minlock unlock code (also known as SPC3 and Master code) on Kyocera models based
on EFS1 (kx1, kx4x4 / ke4x4, se44, se47, etc). For newer Kyocera models you can use
"Universal RAM" and "Universal EFS" methods to read SPC3.

P.S. For the other available methods of reading SPC, please check the Demo version.

• "Password (16 digits)" section - Some brands and models are protected by an internal
security password (16 digits). You must send a valid password by using the "Send" button
for such models, in order to unlock writing ESN and reading SPC by using "Default"
methods, as well as reading/writing memory.

For example Kyocera, Sanyo, LG, etc do not use this kind of protection in their models.
Samsung Sprint models use the same password for all models, it is called "Samsung -
(default)" in the list of passwords; the same password is used in most other Samsung models
from other countries and regions (Latin America, Asia and Oceania, etc). You can also
very easily add your own passwords to the general list of passwords.

But even if you do not know the password or it is not present in the list, you can read SPC,
Cave settings (A-key, etc) and change ESN by using "Universal EFS" methods.

• "User Lock" section - You can read/write 4-digit user lock here, as well as enable and
disable it.
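
The pESN/MEID match described in the "MEID" section above can be checked independently, for example when auditing device records for tampered identifiers. This added example (not CDMA Workshop's code) uses the standard 3GPP2 derivation, pESN = 0x80 followed by the low 24 bits of SHA-1 over the 56-bit MEID; the function names and sample records are constructed for illustration.

```python
import hashlib

PESN_PREFIX = "80"  # manufacturer code 0x80 is reserved for pseudo-ESNs


def pesn_from_meid(meid_hex: str) -> str:
    """Return the 8-hex-digit pESN derived from a 14-hex-digit MEID."""
    meid_hex = meid_hex.strip().upper()
    if len(meid_hex) != 14:
        raise ValueError("MEID must be 14 hex digits (56 bits)")
    digest = hashlib.sha1(bytes.fromhex(meid_hex)).digest()
    # Low 24 bits of the digest form the serial part of the pESN.
    return PESN_PREFIX + digest[-3:].hex().upper()


def check_record(meid_hex: str, esn_hex: str) -> str:
    """Classify one (MEID, reported ESN) pair."""
    esn_hex = esn_hex.strip().upper()
    if not esn_hex.startswith(PESN_PREFIX):
        # A MEID-based device should report a pseudo-ESN, not a "real" one.
        return "esn-not-pseudo"
    if esn_hex != pesn_from_meid(meid_hex):
        return "pesn-mismatch"
    return "ok"


def audit(records):
    """Return (meid, esn, verdict) for every record."""
    return [(m, e, check_record(m, e)) for m, e in records]


# Constructed sample data: one consistent pair, one with a single bit
# flipped in the pESN, one reporting an ESN outside the 0x80 range.
_MEID = "A0000000002329"
_GOOD = pesn_from_meid(_MEID)
SAMPLE_RECORDS = [
    (_MEID, _GOOD),
    (_MEID, f"{int(_GOOD, 16) ^ 1:08X}"),
    (_MEID, "9F123456"),
]

if __name__ == "__main__":
    for meid, esn, verdict in audit(SAMPLE_RECORDS):
        print(f"MEID={meid} ESN={esn} -> {verdict}")
```

Any verdict other than "ok" marks a record whose identifiers do not belong together and deserves a closer look.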

"Cave" tab

• "Cave" section - The A-key is used in many CDMA networks in the authentication
process (besides the basic authentication parameters - ESN (MEID) and phone number) in
order to avoid cloning. Security of the A-key is critical in such CDMA systems. To make
clone phones A-key, Ssd_a (Ssd_b) must be also programmed in such networks. You can
read original Cave (Cellular Authentication and Voice Encryption) settings and write new
ones in this tab.

- "Universal EFS" method will read Cave settings on the majority of modern and old
models based on any versions of EFS.

- "Universal RAM" method can search and extract Cave settings directly from RAM
memory. Cave settings are always located somewhere in RAM memory. This method is used
for models for which Cave settings cannot be read by the other methods: models which
have no EFS support, old models or models which use locked EFS.

- "LG method" - You can read Cave settings on most LG models by using this method.

- "SonyEricsson" - You can read Cave settings on all SonyEricsson models by using this
method.

• "A-Key Calculator" section - You can generate a valid A-key with 6-digit checksum
here. This is sometimes required for testing the phone's A-key entry function as well as
for the phone's activation. It used to be possible to obtain a valid A-key with checksum
only from the cellular operator itself, now everyone can easily generate the secret
checksum value and enter those numbers into the phone just using the phone's keypad. When
you want to program the new A-key into the phone over the keypad you must enter 26
digits (20 digits A-key in DEC + 6-digit checksum).

"Other" tab

• "PRL" section - You can read and write PRL files (Preferred Roaming List) here.

- "Read" - You can read PRL by using the "Read" button from any existing phone and
create your own collection of PRL files for each network you need.

- "Write" - Use available methods to write PRL: Universal method for most CDMA
phones, LG and Sanyo methods (non-standard) specially for LG and Sanyo models.

You can also clear available timers, change R-Uim settings and rebuild Eeprom/EFS on
this tab. Rebuild Eeprom is designed for Samsung models only, but this method
works for many other brands also, such as Withus, Epsilon, Compal, etc. Sanyo method
will Reset/Rebuild EFS for new models starting from Sanyo 8300, it will also open locked
EFS and reset all security codes to default values. Rebuild EFS is also necessary in order to
change ESN on new Sanyo models.

"Monitor" tab

The "real-time network monitor" function allows you to observe online/offline phone
activity and status. This function is very useful for finding and solving problems with
incorrect phone programming when a phone cannot make calls or cannot find the network.

By purchasing a software you will receive:

Full functional software, unlimited use.

Your personal or company registration key for one PC.

Ability to activate/deactivate your license and to move software to any other PC you
want.

Ability to upgrade your current PC with new components and get a new license key.

A special account to download the new versions of software. This account will expire in
12 months.

No shipping (downloadable from our site)

Lifetime e-mail technical support.

If you want to buy this program for several computers and want to get a volume discount,
please contact us.

CDMA Workshop is always in a development state and adding new features and
algorithms, we are working hard on every new version and we shall gladly accept and
consider your custom requests or bug reports in order to make CDMA Workshop more
powerful.
Pantech
*01763*737381# - master reset (user data, user code) without SIM
*01763*8371# - SW version
*01763*6371# - UNLOCK
*01763*3641# - Menu
Actually, the MIN should not be converted to hex; leave it in decimal (ex. 51009xxxxxxxx)
The handset ESN is needed to generate the A-key
The A-key is converted to hex, then simply written to the handset (without the checksum, of course)
For Smart EVDO, what matters is that the handset, PDA, or EVDO modem can work on
the CDMA PCS 1900 MHz frequency.

To activate the EVDO service on an R-UIM, or if you want to have a SMART number
injected... you can go to the nearest Smart gallery...

If I'm not mistaken, Smart's 1x signal uses PCS channels 1175 and 1150... while EV
uses PCS channels 1125 and 1100 (this may be useful for those who want to
build a Smart PRL)
For MOBI, 1x is on CDMA channels 384 and 466.. EV uses CDMA channels 425 and 507

Another important parameter: both JUMP and MOBI use SIP (Simple IP only),
not MIP (Mobile IP).

Now, the most important thing for being able to use this 3.5G EVDO service.. is the HDR AN
AUTH user name and password.. namely:

on JUMP:
HDR AN AUTH user : MIN@sinarmas-telecom.net.id ; where MIN is the Mobile
Identification Number
HDR AN AUTH pass : MIN

on MOBI:
HDR AN AUTH user : nomor.mobi@evdo.mobile-8.net ; as printed on the
product cover
HDR AN AUTH pass : the password given on the product cover

That's it for now, maybe it helps those who want to use their own modem... if
I have time I will add links to download the Smart and Fren PRLs, including
ones that already support EVDO...

CHECK WHETHER THE NETWORK CAN DO 1x or EV-DO
Wow, I forget, just try it, QPST Service Programming if I'm not mistaken, then just open
the tabs one by one
Just wait for the masters

???
I want to ask something. Please answer..
The Dir Number is where you enter the MDN, right?? But the maximum is 10 digits? The MDN
has 11, so how does that work??

Set USERNAME/PASS
user name MIN@smart-telecom.net.id, passw : ESN

A Little Enlightenment
1. upgrade firmware = DONE

2. min-esn -akey-prl = DONE (using cdmaworkshop) (also tried with dfs)

3. edit NAI with a hex editor = DONE

4. PPP Aun : username & pass : smart
PPP Um : user: MIN@smart-telecom.net.id pass : ESN

use QPST/EFS explorer:
look for the PPP files in the nvm/num folder with EFS explorer
906: password (smart)
910: username (smart)
1192: password (ESN)
1194: username (MIN@smart-telecom.net.id) - DONE

RESULT: - SMS works fine, but as soon as I dial the signal immediately disappears, message:
the remote computer did not respond ..
If SMS already works, does that mean the PRL is correct? (I took the PRL from a
Pantech Smart modem that already works)

Please, just a little enlightenment, boss...

USERNAME (another)
Using the ESN as the password didn't work either, bro? The thing is, I have a setting where
the username = <min>@sinarmas-telecom.net.id , and the password = <min>, not the ESN.
Is the ESN in dec or hex? thx
Use hex, bro..