Down the Prepaid Cellular Rabbit Hole (Part Three): In Which We Continue with Part Two of a Tutorial.

Greetings friends and fellow hackers!

Here is the long-awaited second part of my 4G CDMA/LTE phone flashing tutorial.

What follows will guide you through pulling the “keys” needed to program a Sprint or Verizon Galaxy Nexus onto a prepaid 3G service such as PagePlus, Talk-For-Good, or Next G.

Be warned the following is very wordy in the interest of being precise. There are attached screenshots with step-number labels color-coded for easy follow-along.

Make sure you’ve read part one first, and are up to speed with us, because we’re about to pull the keys from our working Samsung Fascinate. Once this is done, we’ll be ready to flash those keys to our 4G phone; a Galaxy Nexus in this example.

I must re-iterate that this tutorial is only for using a Verizon Samsung Fascinate as the “donor” phone, and a Sprint or Verizon Galaxy Nexus as the target. I can’t re-write it to fit the multitude of other devices out there, and recommend using these EXACT models if you want this to be sure to work.

I must also state that I am not liable for any damage to your phone this tutorial may cause, or any issues that may come up with your account and service. Follow these instructions VERY CAREFULLY.

OK. Are we ready? Let’s begin!

1) We want to make sure we have the Fascinate programmed according to part 1 of my tutorial. If you haven’t been through part one of my tutorial, STOP HERE. Go back. Begin again.

2) Since the Fascinate is now programmed and working (if it’s not, go back and start over on part one!) we want to MAKE SURE we have removed the battery from our GNex. They currenty share an MEID, and this is a very fast way to get an MEID banned.

3) Reboot your Fascinate just to make sure everything is working. Check to see that 3G, Talk, and Text are working after rebooting. Take a deep breath, as we’re about to dive in head first.

4) Go ahead and put your Fascinate in Diagnostic Mode. Do this by going to the dialer and dialing **33284. When asked for SPC, enter 6 zero’s (000000). Scroll down to Dial Up Networking. Tap it, and set it to ‘On’. You will now be able to access the phone from the DFS software. Plug the Fascinate into your PC now.

5) Open DFS. Connect to your Fascinate’s COM port. It should list itself as ‘Samsung Mobile Modem Diagnostic Serial Port’. I’ve labeled the area with a red ‘#5′ for this step.

6) On the top line in DFS, enter the SPC (six zeroes, 000000) and then the Pwd of 2010031619780721. Click the blue circled triangle button (looks like a “Play” button) next to SPC, then the one next to Pwd. After each is sent, you should see “DEVICE UNLOCKED” in the DFS log window. I’ve labeled the two areas with green ‘#6′ marks for this step.

7) Now, in the main screen of DFS, click the Data tab. Below you will find a screenshot with #7’s marked in blue showing this step. Put a checkmark in the box next to ‘Pwd’ in the HDR AN Long fields in the Data tab. It is blank now, but will be your ‘AN key’; one of the three keys we will need to program our GNex later.

8) Press the ‘Read’ button in the data tab and the HDR AN Long fields should fill in. If you have a string of hexadecimal digits in the HDR AN Long fields, then congratulations; it is working! Write down these hex digits as your ‘AN key’ and save them. I have marked these with blue #8’s.

9) Now go to the Mobile IP tab. I won’t label this step, because it’s very simple. It’ll be the third screenshot you see below. In the Mobile IP tab, click the ‘Read’ button. Your ‘AAA Shared Secret’ and ‘HA Shared Secret’ fields should now have populated with strings of hexadecimal numbers.

10) Write these numbers down and save them. These are the AAA Key and HA Key that you will need to program your GNex.

11) Breathe a sigh of relief. The hardest part (keys) is over. Now we move on to our PRL. PRLs can be obtained online, however, so this step is less critical. I will walk you through it just to make sure we have the best, most up-to-date PRL possible for our service provider.

12) Now we need to pull our PRL. I don’t have a screenshot for this one, but it’s also very simple. Go back to the NAM tab in DFS. On the far right of the tab (you may need to maximize the window; I did on my small-screen netbook) is the PRL column.

13) In the PRL column, click the blue ‘Read’ button at the bottom. This will read the PRL from the phone. Now click the black ‘Save’ button just up and to the right of the ‘Read’ button, in the PRL column. Save this file somewhere you can find it later. I usually save to my desktop during a project like this, but you can save it wherever you like.

14) The current PRL number is 53100 for PagePlus as of the time of this writing, and the file is just over 6 kilobytes in size. If you’re getting something similar, it’s probably working just fine.

15) Now that your keys and PRL are saved, congratulations! You have all the keys and files necessary to program your Galaxy Nexus onto PagePlus or other Verizon MVNOs! I’m sure you did a great job, and you deserve a pat on the back.

Attached below are the screenshots referenced in this part of the tutorial.

In part three, I will guide you through programming the Galaxy Nexus itself, for those of you having trouble.




