As far as I can tell the phone accepts them like they are written but doesn't actually write them. Even if it did, I assume they would be overwritten at startup. Some of the locked seems are actually included in the flex file that comes with the flash, so flexing might be the only way to truly overwrite them. The problem with that scenario is that, according to kbman, if you screw up a flex it bricks the phone. Beyond that I cannot find an accurate picture of the actual format of a CDMA Motorola flex file. The info here http://wiki.howardforums.com/index.p...Guide#FLEX_BIN seems to be a GSM flex file format... I've figured out that the last 4 bytes on each line of the flex file are a crc16, not sure of what though. And bytes 29-32 of each line are the seem.
Edit: even if we flexed the seems, *228 wouldn't work because they would still be locked and the auth keys still couldn't be written to, I think, assuming the bits that locked the seems aren't actually in those seems.
OK, I don't think it works. I made a flex file from my Alltel 2742 seem and I used RSD Lite to flex the phone, and it said it was written successfully,
but it still didn't show up on the phone.
e815 (bricked), e815 (2nd bricked), Mom's Bell e815
Old: v710, v120c, StarTac 7760
The GSM flex file is something completely different.
CDMA phones have two things both called "flex" but completely different as well. (So yes, three things all called flex but all not the same thing.)
There's a flex_file.s (that's the filename), which is actually similar to part of the config portion of a GSM SIM card. When you drop one of these in the root of the Motorola CDMA phone's file system, it gets uploaded to a special part of the radio chipset. This configures some things specific to making the radio work with certain networks. (We haven't tried seeing how mixing carriers' flex_file.s parts affects connectivity. It might not even do much at all. At least part of it is a phone book. Standalone CDMA modules also support changing this file, so check out documentation on units like MultiTech's CDMA modem module.)
Then on CDMA phones there's a flex file (.hs files). These are just filesystem upload/command batches. They replace files on the filesystem, basically the same as a scripted p2kcommander. Using this, you can package images, seems (I think), and stuff for a phone and upload them all in one go. That's all it's there for. We have tools for making these already, but it'd be nice if they were a bit more user-friendly.
Originally Posted by null1281
As far as I can tell the phone accepts them like they are written but doesn't actually write them. Even if it did, I assume they would be overwritten at startup. Some of the locked seems are actually included in the flex file that comes with the flash, so flexing might be the only way to truly overwrite them. The problem with that scenario is that, according to kbman, if you screw up a flex it bricks the phone. Beyond that I cannot find an accurate picture of the actual format of a CDMA Motorola flex file. The info here http://wiki.howardforums.com/index.p...Guide#FLEX_BIN seems to be a GSM flex file format... I've figured out that the last 4 bytes on each line of the flex file are a crc16, not sure of what though. And bytes 29-32 of each line are the seem.
Edit: even if we flexed the seems, *228 wouldn't work because they would still be locked and the auth keys still couldn't be written to, I think, assuming the bits that locked the seems aren't actually in those seems.
The flex I made was a .hs flex and is in the exact same format as the one that came with the Bell firmware. They are both .hs files, and in a hex editor they are the same, so I'm guessing it's right.
Lexie69x: the .hs flex file that came with the bell firmware modifies the 01d1 and 01d2 seems so it should be possible for us to do the same. The firmware on the phone itself does modify those seems when you activate it so there is still some hope we can break this.
Does anyone have a really big *.nvm so that we can back up all known seems in the VZW/Alltel/Vivo/Bell firmwares?
I made an nvm for all of the seems in the Bell seem flex using evade's tools, which took all of the data in those seems from another f/w. When I tried to apply it to the Bell f/w it errored out on the largest seem because it said something about write protection in the seem...
This firmware is weird. It generates the username and password for the 1x browser; it does this because Bell doesn't have an automated activation system (*228).
I am the proud new owner of a used MOTOKRZR k1m so I think I will have to give this firmware a try. Eventually I will want to tether my Zaurus through the KRZR, so if we can't get that working I'll have to flash to VIVO or Alltel, but with all these monster files that should be easy. I have a bunch of reading to do first; I haven't exactly been keeping up.
Lexie69x: the .hs flex file that came with the bell firmware modifies the 01d1 and 01d2 seems so it should be possible for us to do the same. The firmware on the phone itself does modify those seems when you activate it so there is still some hope we can break this.
I am using Seem2Flex and the flexes are made correctly, because I used a Cricket flex I created and wrote it to Alltel firmware and it worked successfully. Let me know if you need it so I can upload it to my server for download.
Bell e815(Dropped) - Verizon E815(SOLD) - Alltel E815(BRICKED)
Wow. The QPST QCN backup of my VZW k1m contains 640 nv items!
I will be able to use this to create a much expanded seem table for this phone.
Has anyone ever tried editing seems in a QCN and writing it back changed to the phone with QPST?
Also Radiocomm's "Radio Backup" reads and writes seems in QC mode (modem) rather than p2k mode. It may succeed where other techniques fail. (Although it didn't work with the E815.)
I created another large 620 seem nvm table that has the upper range included, beyond where the qcn files stop. Between them it should be very close to a full record. I will send it to you in a PM.
Yes, Mark I, there is a lot of interesting stuff in the qcn files...it's just figuring out what to do with that information that presents the challenge!
Oh and thanks for the backup in that thread on the Bell forum, but I consider any real discussion there to be a lost cause.
Incredibly defeatist and reactionary bunch of folks you got over there...
Last edited by kbman; 06-07-2007 at 04:23 PM.
kbman
Droid Bionic does GSM on US bands! (And open MIP profile too!)
If we knew what we were doing, they wouldn't call it research. - Albert Einstein
Sounds good, do you want me to run this new NVM table as well?
No problem about the Bell forum. There's obviously not as many users that frequent it compared to this forum, and a lot of those that do either work for Bell Mobility or their stores. Those guys are very helpful when it comes to things like features, upcoming phones and policies - but of course they toe the company line and refuse to entertain the possibility of doing something not sanctioned by Bell. I believe they find it easier to just pretend that it's impossible to add a non-Bell-sold phone to the network than to explain why it's not easy/practical for most users.
They are correct in the fact that unless you know someone with pull in the data department at Bell you will not get data functioning on a non-Bell phone. The way that Bell's system is set up for data provisioning is unlike most other carriers and absolutely requires that the phone's ESN be set up in their system. That could be part of the reason it took 6 months for Bell to add data support to their K1m and also why it's currently not possible to get it working with VZW. The K1m is the first Bell Mobility Motorola phone to support EV-DO (on the Bell Mobility network) - the E815 and the V3C didn't. Hopefully we can figure it all out.
OK, I just got back from vacation and hopped right back on getting this firmware to work. And it looks like I have gotten pretty damn lucky: I got the NAI in QPST to stay as XXXXXXXXXX@vzw3g.com. Not 100% sure of what I did to make it work, but it may have been a simple 275a edit. Looking for someone else to test it out, so just tell me if you can and we will talk.
V3mM (VZW, flashed to Alltel, edited for Midwest Wireless)
V3cM (VZW, flashed to Alltel, edited for Midwest Wireless)
I think my situation is a little bit different than yours, but mine stuck too.
I am using an actual Bell K1m and I'm on Midwest Wireless. I didn't really do any seem edits for it to take; I just put the info into QPST, wrote to the phone, and they both stuck - NAI & tethered NAI! I've never seen that before.
I can send you or tell you what I have for any specific seems you want to look at.
Also, maybe someone has already mentioned this... but the HA & AAA shared secret information is listed a little differently than normal in the 01d2 seem. The HA shared secret doesn't start after "10", it starts after "08".
Is this of any significance?
More can be accomplished with a kind word and a large pile of cash than a kind word alone.