Down the Prepaid Cellular Rabbit Hole (Part Two): In Which We Begin Part One of a Tutorial.

Greetings friends and fellow hackers!

I promised a tutorial on getting a 4G phone working on a 3G CDMA prepaid, and here it is.

Be warned the following is very wordy in the interest of being precise. There is an attached screenshot with step-number labels color-coded for easy follow-along.

In the following three part tutorial I am going to show you how to program a Verizon Samsung Galaxy Nexus phone for use on Verizon-based MVNOs (prepaid 3G CDMA service providers) such as PagePlus, Next G, and Talk-For-Good.

In this first part I will explain how you change the serial number on a “donor phone” and activate it masquerading as the Galaxy Nexus you wish to use (which I will refer to as the “target phone”). This procedure is applicable to other targets, but the programming in part 3 of our tutorial will not likely be the same.

In this example I use the Samsung Fascinate as the “donor” because it is affordable (easily had for $40 on eBay, used), easy to use, and can have it’s serial number or MEID changed several times. This saves us from having to clone it’s serial number onto our target phone, and therefore lets us re-use the Fascinate over and over again. I also recommend it because I can guarantee the steps here work completely on it.

We use the Verizon Galaxy Nexus as the “target” because it is the one I have activated twice, and can confirm working. Other models may be programmable, but you’d need to use someone else’s programming tutorial. The “donor” steps in part 1 and 2 of this tutorial will definitely work for pulling the HA, AAA, and AN keys which are needed to program a 4G/LTE phone to a 3G CDMA prepaid.

I must express that I CANNOT re-write this tutorial for other phone models. Please use the Samsung Fascinate as donor, and Verizon Samsung Galaxy Nexus if you wish to follow this tutorial exactly.

I must also express that using the MEIDs of phones you do not OWN and HAVE IN YOUR POSSESSION may be construed as theft of service via fraud and IS ILLEGAL. You must OWN and POSSESS the target and donor phones. If you use this tutorial, do so at your own risk and only as I describe. I cannot be held liable in any way for legal consequences you may incur.

Lastly, I must state that I am not liable for any damage to your phone this tutorial may cause, or any issues that may come up with your account and service. If the network sees two phones with the same MEID, that serial number will surely be banned.

To be on the safe side, REMOVE the battery from the phone you are not working with at the time. During this part of the tutorial, we will be working with the “donor” phone. The “target” should have it’s battery REMOVED for safety’s sake.

After we complete these steps, in part two of the tutorial we will pull the keys and the PRL. I will walk you through those steps as gracefully as these.

In part three we will program the Galaxy Nexus.

Before we begin part one, you will need the following:

1) DFS CDMA Tool software. This can be download from http://cdmatool.com/Download

2) An account for DFS. You can use the demo version without paying anything. Register for a demo account at http://cdmatool.com/Register

When you open DFS, log in using the account you just created. It will let you in, it will just make you wait about 20 seconds every time you run it.

3) A Micro USB cable to connect your Fascinate to your PC.

4) I recommend a PC running Windows 7. This procedure worked fine for me in Windows 7.

Now we get into the juicy stuff. I will now walk you through the 11 steps for getting the Fascinate to masquerade as your target phone.

1) Get your PagePlus, Next-G or Talk-For-Good account transferred to the target phone’s MEID. We’re going to activate the Fascinate “masquerading as” the target. The target phone had better not have it’s battery in it right now!

2) Factory reset Fascinate. After it reboots make sure everything including activation is erased.

3) When you power on the phone, bypass the activation nag screen by clicking Emergency Call and dialing *#83786633. You do not need to press Send.

4) Go ahead and put your Fascinate in Diagnostic Mode. Do this by going to the dialer and dialing **33284. When asked for SPC, enter 6 zero’s (000000). Scroll down to Dial Up Networking. Tap it, and set it to ‘On’. You will now be able to access the phone from the DFS software. Plug the Fascinate into your PC now.

5) Open DFS. Connect to your Fascinate’s COM port. It should list itself as ‘Samsung Mobile Modem Diagnostic Serial Port’. I’ve labeled the area with a red ‘#5’ for this step.

6) On the top line in DFS, enter the SPC (six zeroes, 000000) and then the Pwd of 2010031619780721. Click the blue circled triangle button (looks like a “Play” button) next to SPC, then the one next to Pwd. After each is sent, you should see “DEVICE UNLOCKED” in the DFS log window. I’ve labeled the two areas with green ‘#6’ marks for this step.

7) Now we actually change the MEID. In DFS, go under the Programming tab, then the General tab. go ahead and enter the HEX MEID for your target phone, and hit the red Write button to the right of it. I’ve labeled the field and button with blue ‘#7’ marks for this step.

8) After you hit write. Wait about 5 seconds. Clear what is in the MEID field, then hit read. If it comes back the same as you programmed, then congratulations, MEID programming was successful! If you want to double check the MEID saved, at the top right of DFS hit the Reset button to reset your phone, then read the MEID again to make sure the MEID you wrote stuck.

9) Now your Fascinate should have the target phone’s MEID.

10) We’ll want to unplug the Fascinate from the PC now.

11) Now that your Fascinate is masquerading as the target phone, go ahead and dial *22890. Once activation is successful and the Fascinate reboots, you can go ahead and update to the latest PRL using *22891. You need an up-to-date PRL because we’ll be copying it from the Fascinate to use on the target phone in the second part of this tutorial.

12) During the OTA activation the Fascinate will pull all the settings and keys you need for the target phone. Make sure that Talk, Text, MMS and 3G data are working correctly. If so, we are ready to proceed with the second part of the tutorial, in which we will pull the HA, AAA, and AN keys from the Fascinate, and also the PRL. These should be all we need for most LTE target phones.

If everything is working correctly, then congratulations! You are ready to pull keys from this phone in the next part of our tutorial!

See you next time in part two!

Attached is the screenshot referenced in steps 5, 6, and 7.

clip1dfs

 

Advertisements
This entry was posted in Uncategorized and tagged , , , , , , , , , . Bookmark the permalink.

2 Responses to Down the Prepaid Cellular Rabbit Hole (Part Two): In Which We Begin Part One of a Tutorial.

  1. CN says:

    This tutorial is appreciated, I can’t wait for part 3 and to get my Gnex over to PP, but I believe this part is what was really leading to questions in regards to utilizing a Fascinate as a donor phone.

    After reading through countless posts on HF and XDA about the process, it seems to be nearly the same process for getting a Sprint GNEX over to PP, aside from needing to Disable UIM on the VZ version.

    I am running the Team EOS rom already and familiar with the built-in diag tool (I’ve been switching to VZ prl’s when way out in the country and w/ zero sprint sefvice– however I’ve gotten to the point of just wanting to be rid of spring completely and have been off contract for months). Anyway, I believe the whole diag mode is pretty simple in my case because of the rom I’m on and a matter of transferring the resulting Fascinate PRL from your Part 2 here and getting it over to the Gnex (and making sure the fascinate is off before powering up the Gnex). I realize you have done this for two VZ versions of the phone, but I appreciate any insight or input you might have moving forward. Thanks again for such a helpful tutorial!

    • djnikochan says:

      If you’re able to program and use the GNex on PagePlus already, then you must be using the Sprint CDMA radio. That means your UIM is already “disabled”. In actuality, the radio does store many of the settings on the UIM card, but does not use it conventionally.

      If you’re programmed, have service, and having a working PRL flashed, you are basically ready to get rid of all the Sprint stuff and go to a Verizon ROM. All you have to do is flash a Verizon ROM to the phone and apply Xooz’s 3G patch, found here: http://forum.xda-developers.com/showpost.php?p=30953309&postcount=407

      Just be sure to flash all these steps from a Recovery mode like ClockworkMod, and not from Odin or Heimdall, as this can mess up your radio programming. I personally have CyanogenMod 10.1 flashed to mine, and they work fine once Xooz’s patch is applied. You will want to flash the ROM and the patch in the same session in recovery, then reboot. Otherwise you may lose your radio programming and/or PRL.

      I hope this is some help! I’ll get the second part of this up ASAP. I’ve just been a bit distracted since my truck isn’t running right now and I’ve been working a bit harder than usual at my job. Hang in there, friends! I’m pullin’ for ya; we’re all in this together.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s