EVO 4g Tut


HTC EVO 4G on Virgin Mobile

Due to extreme demand I've decided to construct an A-Z guide on how to fully flash the HTC Evo 4G to Virgin Mobile (just like the name implies, obviously).

Well, there are a few items needed to complete this somewhat lengthy process.

List of physical items:
- HTC Evo 4G
- Donor Virgin Mobile phone (the LG Rumor Touch, Optimus V, or Samsung Intercept if you want 3G capabilities)
- Data sync cable for your computer
- Stress ball
- Ice cream

Now for the list of programs needed:
- LGNPST Lab version 1.2 (if using the Rumor Touch or Optimus V as donor phone)
- CDMA Tools (version 2.7+)
- QPST
- QXDM Professional
- rEVOlutionary or unrEVOked

STEP 1. Extracting the info


Before we can begin touching the Evo, there are a few bits of information we'll be needing from your donor phone. In my case I had the LG Optimus V laying around from who-knows-when, so most of these steps refer to the process used to extract information from that phone. The things you'll need from the phone are: the ESN, the MEID, the HA key (the default VM HA key is vmug33k), the AAA key, and NV items 1192 and 1194. The ESN and MEID have to be the easiest bits of information to obtain. They can be easily read by CDMA Tools; just be sure to download the DIAG drivers that are specific to your device. A lot of people get stumped with this program, so don't fret, I'll break it down a bit for you guys.

STEP 1.2 Understanding CDMA tools


After installing your DIAG drivers, your phone can now be located at a port. Before it can be located as a port you'll have to activate debugging on your donor phone. Navigate to your phone's Settings > Applications > Development and make sure USB Debugging is checked, plug your donor phone into the computer, and select "charge only" when the USB settings show up on your phone. Now to find what port your phone is on; for Windows 7 it's really simple: Control Panel > in the search bar type "device manager" without the quotes and select Device Manager > scroll down to the drop-down titled Ports, and the only port there should be your phone.

Windows XP steps are similar with a few exceptions, but it's nothing you can't google. Remember, if you can't google it, there's a good chance it doesn't exist. Now that you've located the port you can read your phone in CDMA Workshop. Open up CDMA Workshop (version 2.7+), click on the drop-down menu in the upper right and select your phone's port, then select "connect to port", then "read", and you're done.

CDMA Tools should now display your MEID and ESN. *HINT* Your MEID is the A00000xxxx or A1000xxxx number and your ESN is an 8-digit alphanumeric combination. *END HINT* Also a side note: if using an LG phone as your donor, expect an error message when trying to read your phone; don't sweat it. The message pops up because the phone can't be fully read without reading it in LGNPST first. Don't forget to grab those NV items I mentioned earlier. Just connect your phone to CDMA Tools and navigate to the Security tab. Under the NV items box, search for NV items 1192 to 1194.

Side note: you won't be able to read these NV items on the LG Rumor Touch or LG Optimus V unless you read them first with LGNPST.

STEP 1.4 Understanding LGNPST (SKIP IF USING SAMSUNG INTERCEPT OR OTHER NON-3G DONOR PHONE)

Now that we have the ESN and MEID from our donor phone we're almost done. The ESN and MEID only get us talk and text, but no web or MMS, which would be fine, but not for us. We're better than that; we want 3G no matter the cost (not literally). The thing about these VM LG phones is that Virgin locks these bad boys up tight! Lucky for you, if there is anything I've learned over the years it's this: whatever the developers do well, hackers do better. This isn't really hacking, but whatever, I still sleep fine at night. To read the LG Rumor Touch or Optimus V you'll need to get your hands on LGNPST Lab version 1.2, and if you're using the Optimus like I did you'll also need the ls670.dll file. Installing LGNPST isn't that tricky, but installing the DLL file threw me off a bit, so I'll provide the dll file and a link to how to install it. Once you've installed the dll file your phone can be recognized by LGNPST. If your phone isn't already, plug it into your computer and run the LG product service tool.

Your phone should be recognized automatically, but if not just press the F key on your keyboard and click on "select dll" on the menu in the top left corner of the program. Scroll down until you find the ls670.dll file, click it, and select OK. Now you're almost set to read those AAA keys (FINALLY!!!!!!); locate the "phone settings" button on the main page. If it's grayed out, click on "expand" and then "diminish" and it should become available to click on. Now, if it asks for a SEC code or MSL code, it can be found in CDMA Tools under the Security tab. Just locate the SPC square and make sure to select the LG method from the drop-down menu before reading it.

You should have your 6-digit code now, and that should allow you to read the phone in LGNPST. Now just read the phone and that's it! Your phone can now be completely read.

STEP 1.6 Reading AAA keys


You know that nifty little tool I mentioned earlier called QXDM? Yeah, well, time to pop that little guy out. I like this program because once you're through with it you can fool your dumb friends into believing you programmed some super awesome program; really, the way you finish your opponent is up to you. All joking aside, try to get used to this program, because once we start on the EVO you'll be needing it a bit.

I really hate QXDM for reasons that weren't its fault. If you're using Windows 7 don't forget to run this in compatibility mode (Windows XP SP3). Make sure to also install QPST; you'll need it to connect your phone to QXDM. QPST also needs to be run in compatibility mode. To connect to QXDM you'll need to start up QPST Configuration and navigate to the Ports tab, click on "Add New Port...", on the left select your phone's port, click OK, and finally select the port and click Enable.

Now run QXDM, navigate to the Options tab, select Communications and select your port in the first drop-down menu, and you're set! First, there are a few commands you'll need to know to make this program work for what you need. You'll be needing to read the AAA keys from your data profiles. Each Virgin Mobile phone I've used to date has only 3 profiles: profile 0, 1, and 2. To read these profiles for their AAA key you'll have to type in the command bar "requestnvitemread ds_mip_ss_user_prof " followed by 0, then 1, then 2. So to read from profile 1 you'd write "requestnvitemread ds_mip_ss_user_prof 1". You'll get a long string of four sets of numbers, two green and two blue. Ignore the first 3 sets of numbers (both the "HA_SHARED" and the first set of "AAA_SHARED") and just copy all the numbers, excluding the "0x" at the beginning of each set. For example, if you got four groups like this, 0x89 0x97 0x26 0x26, you'd read it as 89 97 26 26. Each group is numbered 0-15, so ignore the first "aaa_shared_secret_length" and start writing down the others as I said. After removing the first two characters (0x) you should have 32 characters, and with that you're now done (with that at least)!

STEP 1.8 Ice Cream break!!!!!!

STEP 1.9 Revise


Now you should have all you need; just take a quick gander at what you have. You should have your ESN, MEID, HA password, your AAA password, and your MIN and MDN.

I haven't gone over your MIN or MDN yet, but it's really simple: your MIN is your phone number and your MDN is the second number on your phone, which can easily be found in Settings > About phone; usually it's under "my number" and "msid". Have this information and you're finally set; you're done, terminado, fin, whatever you wanna say, but it's over. Take one last look at your brand new paperweight, because you'll need to either turn it off for good or wipe the ESN and MEID to ensure it doesn't interrupt your phone service on your new EVO.

STEP 2 Prepping for surgery


Now we get to the fun part! You need to prepare to rewrite your EVO, but first, I highly recommend you save the information already on the EVO and write down everything that we took from the Optimus: ESN, MEID, everything. In case you change your mind you'll have everything handy. When I went through this process I wrote down all the information by hand, and it helped me keep track of what I was doing, so that's just a little tip for you guys.

The first thing many will want to do is root your phone. Although it's not necessary, it'll help a bit with a few things during the flashing process (like finding your 6-digit SPC without using CDMA Workshop), but really what rooting brings to the table is more helpful for everyday use, so whether or not you root is up to you. Side note: without rooting you will not be able to reach 100% functionality.

STEP 2.2- ZEROING OUT THE PHONE


Finally, the moment you've been waiting for! Now it's time to get down and dirty with our EVO. Rooting or not, you'll need the EVO's DIAG drivers. Now, google was my friend here, so just do a quick search for them and you'll find 'em. This part here is by far the most time-consuming step of the entire guide; expect to spend 30+ minutes, so you'll have to be very patient.

*Samsung Method*

For Samsung owners this is surprisingly simple and only requires QXDM. In the command line enter:

"password 01F2030F5F678FF9"
"RequestNVItemWrite MEID 000A0000000000000"

without the quotes and replacing the A000... with your MEID. You can then enter the command "RequestNVItemRead Meid" to make sure it stuck. If it did, you're done; if not, then you might want to try again or try the traditional method below.

*HTC Method*

This method is also fairly easy and only requires QPST, QXDM, and 15 minutes of your precious, precious time. You're gonna want to make sure that your Evo has a port available too; don't want to forget your new "baby!" Open up QPST and select EFS Explorer. Enter your SPC and let it read. Make a new directory and name it "Open sesame door". Now reboot your Evo. The nvm folder should no longer have a red circle around it; now you can navigate to the num folder located in the nvm folder and locate the 0 and 1943 files. Drag those to your desktop. Open those files with your hex editing program and change everything to 0s. Make sure to save them and place them back in the num folder. Before closing EFS Explorer, make sure to delete the "Open sesame door" folder so you can be on your merry way. Now that you've zeroed out the ESN and MEID you can navigate your way to QXDM.

In the command line enter "RequestNVItemWrite Meid 0x00A000000000000", replacing the A000 number with your MEID. If it stuck you should be able to see it with the command "RequestNVItemRead Meid"; if it shows up there, it stuck! Congrats, talk and text should now work.

*Traditional Method* (Long way)

For this process you'll have to search for the MEID and ESN locations on the EVO via CDMA Tools. It's a tricky process, but I'll walk you through it. Make sure to download WinHex or another hex editing program for this step.

1.) Open up CDMA Workshop, connect your phone and then click read. Proceed to the Security tab, enter your SPC code and send it to the phone to unlock it.

2.) Go to the Memory tab and click Start under memory scan. Just leave the fields the way they are. You should get something like:

Scanning memory for readable areas:
Unreadable area from: 0000:0000
Readable area from: 00FA:0000
Unreadable area from: 0100:0000
Readable area from: 0109:0000
Unreadable area from: 01DC:0000
Process is stopped at: C000:0000

3.) Now for the tricky part. I'm not sure if this is how you're supposed to figure out the number of bytes you need, but it works fine for me. The memory is readable from 00FA:0000 to 0100:0000, so we take the number 0100:0000, subtract 00FA:0000 from it and convert the result to decimal. To do this use the Calculator tool in Windows: open the calculator, click View and select Programmer. Now punch in 1000000. (The first zero doesn't matter; the same goes for the other address.) Then click subtract and punch in FA0000 (of course replacing these addresses with the ones in your scan). Now when I hit equals I get the hex number 60000. To convert this to decimal simply select Dec. As you can see, I get the number 393216.

4.) Now in the Memory / EEPROM area, put in the number you calculated where it says bytes. Put the first readable area in the start address field. Now click read and it will prompt you to save the file somewhere, so go ahead and do that.

5.) Now take your MEID number, split it into pairs of two and then reverse them. For example, if your MEID is A1000067452301, pair it like so: A1 00 00 67 45 23 01, and reverse it like so: 01 23 45 67 00 00 A1. Remove the spaces and you get 012345670000A1.

6.) Open the saved file in WinHex and press Ctrl, Alt and X. This will bring up a window so you can search for certain hex numbers. Put in your reversed MEID without the spaces. Click OK and it will take you to the first MEID it finds. The address to the left of my MEID is 0000C590 (or just C590), and the column for the beginning of my MEID is 4. Add 4 to C590 and you get C594. To get the first MEID address, take the number you started the scan with (mine was FA0000) and add C594 to it. I get FAC594. This will be your first MEID address. Write it down and move on to the next. If you press Ctrl, Alt and X and hit OK it will take you to the same address you were just at, so what I do is change one of the numbers and then search again. I changed the first pair to 00 so I can continue searching for MEID addresses. Continue this process for the rest of this file, then you must do steps 3-6 with your second readable area. Mine again was 0109:0000 - 01DC:0000. The second readable area takes a very long time. My bytes ended up being 13,828,096.

7.) The last thing I did was do the entire process again, only with the phone in airplane mode. This may or may not be necessary. This same process can also be used to find your ESN locations. Just search the same files but put your reversed ESN in the search window in WinHex.

After you open your scan results with WinHex:

- do a search for your MEID in reverse, with no spaces. Make sure you check the "list search hits" box. It should list the locations of the results at the top.

- there's gonna be an offset number to the left of it; you can click on it and it changes. Click it so it shows the offset number that contains letters (the hex one).

- open up the Windows calculator and make sure it's in "HEX" mode; it usually starts up in "DEC" mode.

- if you did a scan from, let's say, "00FA-0000" in CDMA WS, you're gonna want to take your offset number and add it to your original scan start, for example 00FA0000 with no dash.

- you'll come up with a result like this (example): 00FA0000 + 4EDC2C = 148DC2C, which would be 0x0148DC2C.

- just add 0x0 or 0x00 (depending on the length of your result number) in front of it.

- do this for all the other locations and there you go, you have your addresses.

Overall it is a very time-consuming process, but if you do everything correctly it can save you a lot of time as opposed to looking up addresses someone else has posted. I have tried in the past, and people with the same baseband had completely different addresses.

For some phones, you'll have what are referred to as "floaters", which are basically the one bastard that won't die in the action movies and becomes the worst supervillain in the movie's history when the sequel comes out. They're fairly simple to find; just run the same process again but with your phone in airplane mode. You should have found 10 MEID locations and 15 or more ESN locations. If not, I'm afraid you'll have to repeat this process (DUN DUN DUUUUUUN). Once you find the locations, zero them out with QXDM. Connect your phone to QXDM, press the F4 hotkey once it's open, and start inputting the addresses you found and calculated. Look for your ESN or MEID and rewrite them as 0s. Once done, disconnect your phone (DO NOT POWER DOWN), remove the battery for a couple of seconds, then put it back in and start up. Now connect your phone again and open up QPST. In the command bar type "requestnvitemread esn". If done correctly it should show all 0s. Then type in "requestnvitemread meid" and it should display 0s again. If it does then give yourself a pat on the back, because you just saved the town and got rid of that supervillain before he became a pest. Now would be a good time to eat ice cream if you didn't finish it all the first time.

STEP 2.3-WRITING THE MEID


The beauty of the MEID is that it calculates the ESN for you. Open up QPST again and type in the command bar "requestnvitemwrite MEID" followed by 0x(DONOR MEID). For example, if I wanted to put in my MEID I'd write "requestnvitemwrite MEID 0xA0000xxxxxx"; just replace the A0000xxxx number with your donor MEID. Remember: the MEID always begins with an "A" and is followed by either a 1000xxxxx or 0000xxxxx number. Now disconnect your phone, remove the battery and replace it. Boot up your phone and navigate to Settings > About phone > Status to see if your DONOR MEID is in the MEID space. You could also check in QPST with "requestnvitemread MEID" and, to be safe, "requestnvitemread ESN" and check to see if the ESN stuck as well. If they both stuck, now is the time to use your best happy prospector dance moves, because you've just set your new phone up with talk and text.
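To sanity-check the hand arithmetic from the traditional method above (byte counts from the scan output, scan start plus WinHex offset, the byte-reversed MEID you search for) and to verify that the ESN you read back after the MEID write really is the one the MEID "calculates" (the pseudo-ESN: 0x80 followed by the low 24 bits of SHA-1 over the 7 MEID bytes), here is a small Python helper. It is an added example, not code from the original guide; the scan text and the MEID A1000067452301 are the guide's own sample values, and the function names are my own.

```python
import hashlib
import re

# Constructed sample: the memory-scan output the guide shows for CDMA Workshop.
SCAN_OUTPUT = """Scanning memory for readable areas:
Unreadable area from: 0000:0000
Readable area from: 00FA:0000
Unreadable area from: 0100:0000
Readable area from: 0109:0000
Unreadable area from: 01DC:0000
Process is stopped at: C000:0000"""

_SCAN_LINE = re.compile(
    r"(Readable|Unreadable|Process is stopped)[^:]*:\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})")


def readable_regions(scan_text):
    """Return [(start_address, byte_count), ...] for every readable area.

    A 'Readable area from' line is closed by the next 'Unreadable' or
    'Process is stopped' line; byte_count is the difference the guide works
    out in the Windows calculator (0100:0000 - 00FA:0000 = 0x60000 = 393216).
    """
    regions, start = [], None
    for kind, hi, lo in _SCAN_LINE.findall(scan_text):
        addr = int(hi + lo, 16)
        if kind == "Readable":
            start = addr
        elif start is not None:
            regions.append((start, addr - start))
            start = None
    return regions


def absolute_address(scan_start, winhex_offset):
    """Scan start address + WinHex offset of the hit = address to enter in QXDM."""
    return scan_start + winhex_offset


def is_valid_meid(meid):
    """A hex MEID is exactly 14 hex digits (56 bits); any other length is a typo."""
    return re.fullmatch(r"[0-9A-Fa-f]{14}", meid) is not None


def reversed_meid_hex(meid):
    """Byte-reversed MEID, the pattern the guide searches for in the dump."""
    return bytes.fromhex(meid)[::-1].hex().upper()


def pseudo_esn(meid):
    """pESN derived from a MEID: 0x80 then the low 24 bits of SHA-1(MEID bytes)."""
    digest = hashlib.sha1(bytes.fromhex(meid)).digest()
    return "80" + digest[-3:].hex().upper()


def esn_matches_meid(meid, esn_read_back):
    """True when the ESN read back after the MEID write is that MEID's pESN."""
    return esn_read_back.upper() == pseudo_esn(meid)


if __name__ == "__main__":
    meid = "A1000067452301"  # the guide's sample MEID
    for start, count in readable_regions(SCAN_OUTPUT):
        print(f"read {count} bytes starting at {start:08X}")
    print("search the dump for", reversed_meid_hex(meid))
    print("first hit at", f"{absolute_address(0xFA0000, 0xC594):06X}")
    print("ESN the phone should report", pseudo_esn(meid))
```

Run is_valid_meid on whatever you plan to put after RequestNVItemWrite: the command strings in this guide show different numbers of zeros, and a 13- or 15-digit value is a typo, not a MEID.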

STEP 2.5-Writing DATA


Now that we can call our friends to brag about our new badass phone and show them how many people we've texted, it's time to make them spaz out with 3G capabilities. For this you'll need QPST Configuration. Open it up, make sure your EVO is connected to QPST, select the Start Clients drop-down menu and select Service Programming. This is where the magic happens. There'll be two tabs you'll be working with: the PPP Config tab and the M.IP tab. Select the M.IP tab and make sure to disable or delete profiles 3, 4, 5, and 6, and make sure to add a profile 0. Under the profiles write:

profile: 0
enabled: no
nai:
tethered nai:
ha spi: 3
aaa spi: 2
rev tun: no
home: 0.0.0.0
primary: dynamic
secondary: not set
dmu pub: 0
mob auth:

profile: 1
enabled: yes
nai: (DONOR MEID)@mdata.vmobl.com
tethered nai:
ha spi: 21EF
aaa spi: 21EF
rev tun: yes
home: 0.0.0.0
primary: not set
secondary: not set
dmu pub: 0
mob auth:
HA Shared: (change it to "text string" and enter "vmug33k")
AAA Shared: (change it to "HEX string" and enter the DONOR AAA Shared Secret)

profile: 2
enabled: yes
nai: (your MEID)@prov.vmobl.com
tethered nai:
ha spi: 21EF
aaa spi: 21EF
rev tun: yes
home: 0.0.0.0
primary: not set
secondary: not set
dmu pub: 0
mob auth:
HA Shared: (change it to "text string" and enter "vmug33k")
AAA Shared: (change it to "HEX string" and enter the DONOR AAA Shared Secret)

And you're done with the M.IP tab. Navigate to the PPP Config tab. Under RM and UM don't touch anything, but for AN the user ID is [email protected]. Now just write to phone, wait until the phone reboots and disconnect it. Now your phone should be done! 3G should be dancing around proud at the top of your notification bar.

STEP x.x-MMS FIX (optional)

If you're content with talk, text, and web, go no further. If you do not wish to root your phone, go no further. If you want to root your phone and can't live without MMS, then this is the step you'll want to go through. First you'll want to root your EVO, obviously. I'm including the unrEVOked program with this guide, but you'll have to google how to use it; just make sure to install ClockworkMod. Now that your phone is rooted and has S-OFF, I've included two ROMs that have the MMS patch: CM7 and an Ice Cream Sandwich AOKP ROM. CM7 has the MMS patch built in, but for the ICS ROM the patch has to be flashed along with the ROM.

DISCLAIMER: ALL DATA WILL BE ERASED, LIKE PICTURES, MUSIC, APPS, ETC. DO A BACKUP ON YOUR COMPUTER BEFORE FLASHING A ROM.

To flash a ROM, first make sure your phone isn't running fastboot. Make sure to uncheck it in your settings and power down your phone. Connect your EVO to your computer and put it in disk drive mode. You can now select either CM7 or the Ice Cream Sandwich ROM I included. If flashing CM7, just copy the update-cm-7.2.0-4FEB2012-VirginMobile.zip file to your SD card's root. If flashing AOKP ICS, copy VM_AOKP_24_PATCHER_EDITFY.zip, aokp_supersonic_build-24.zip, and gapps-ics-20120215-signed.zip to the root of your SD card as well. Now press and hold both the volume down button and the power button until a white recovery screen appears. When the screen appears, wait 15 seconds to allow it to run its programs, then, using the volume rocker to scroll up and down, highlight "recovery" and use the power button to select it. Your phone should display the EVO 4G boot sign for a few seconds before booting up ClockworkMod. Now scroll down to "wipe dalvik cache" and use power to select it. Now scroll to Yes, Install and again use the power button to select it. Do the same again, but this time scroll down to factory reset/user data. Now scroll down to "install zip from sd card". Here scroll all the way to the bottom; if flashing CM7, select update-cm-7.2.0-4FEB2012-VirginMobile.zip and allow it to install. If flashing AOKP, select aokp_supersonic_build-24.zip and flash it, then repeat the same with VM_AOKP_24_PATCHER_EDITFY.zip and gapps-ics-20120215-signed.zip. Now navigate back to the menu you first came into when you opened ClockworkMod and select "reboot device now". That's it! You're done, and now you should have talk, SMS, MMS, and web working, plus a nifty little custom ROM.

I'd like to give thanks to brooksyx, Constrictor25, LeslieAnn, and Wienerwad of XDA forums for help with the MMS patch and for helping with locating the MEID and ESN locations. I hope this tutorial will be of service to many of you; any questions, just contact UncivilSavage of XDA Forums. Steve
