Restoring evo RSA keys manually [HOWTO]


haxt

Member
Jul 27, 2009
7
7
I was one of the people that did the initial backup methods (telling you how to back up your certificate and RSA keys) or using cat, which doesn't actually back up your wimax.img properly. After hours of playing around in a hex editor I finally got my 4G working again, and I'll explain how :)

****EDIT****

I added a hex converter you can use for your RSA key if you are too lazy to find one on Google. I say to use hex instead of text replace because it's safer in regards to \n's.

I was too lazy to make a GUI for it but it's haxt.net/evohex.php?rsa=yourrsa&cert=yourcert [obviously replace it with your 2 values]

Also, don't try to flash this image without editing it. The rsa key is invalid until you put your valid key in!

***********

Note - this won't work for anybody who actually has no idea what their RSA keys/certificate is.

So there are a few things you need first.

1. Your phone's WiMAX MAC address (take out your battery and look at the sticker)
2. Your RSA private key
3. Your Certificate
4. The wimax image file template I attached here in the zip

To simplify, use XVI32 freeware hex editor. If you search "BEGIN" you will see begin rsa key and begin certificate. You need to copy these values for later use.

Download the template file and open it in the hex editor.

Our template's MAC is 00:18:41:81:8B:5C

Our template's Certificate is:

http://pastebin.com/vEnKFtS8

Our template's RSA Certificate is:

http://pastebin.com/gJbrh3ii

Convert both of these strings to hexadecimal and write them down! (it will look like a bunch of 4D 49 49 44 6B 44 43 43 41 6E 69 67 41 77 49 42 41 67 49 51 5A 4F 75 35 44 5A 4C 55 44 76 44 57 4B 57 2F 36 6D 48 66 4C 4F 54 type stuff)

If you don't know what your RSA key or certificate is, open it up in a Unix-friendly text editor (on Windows I recommend Notepad++). Search case sensitive for BEGIN. You will see the begin RSA key and begin certificate. Copy all of the text in between with no spaces or newlines! Now convert these both to hex and write them down.

Hit search -> replace in XVI32, click hex search and paste your converted hex for the template's RSA key, and then replace with the hex value of YOUR RSA key. Do the same thing for the certificate as well.

The length of our template's RSA key might be different than yours, and your ending file size MUST be the same as your starting file size (the template is 12,582,912 bytes). There are a bunch of null characters in the template after --END KEY---; you might need to add or remove some to correct this! Just click on one and press the delete key if you have to :p



Now the only thing you have to do is fix your MAC. In your new wimax partition file, text search for 00:18:41:81. Replace that MAC with your MAC but subtract 1 from the last digit (if your MAC was 00:23:76:EC:21:D4 put 00:23:76:EC:21:D3).

Replace the first 2 of the 3 instances with your MAC -- minus 1. (If it ends on a letter, B would become A, C would become B, etc.)

The last instance of your mac, put the actual mac address with nothing subtracted as it appears on the sticker under your battery.



Once you have saved the file.. name it something like wimax_fixed_resized.img and copy it to your sdcard.

Boot to fastboot and run "fastboot erase wimax"

Reboot to your recovery and adb shell in.

type "mount /sdcard" so you can run flash_image properly.

Run flash_image wimax /sdcard/wimax_fixed_resized.img
(or whatever you named it)


Profit!
 

Attachments

  • wimaxtemplate.zip
    3.3 MB · Views: 679
Last edited:
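A pre-flash check for the procedure in the post above, as an added example that is not part of the original post or the author's tooling. It verifies the three things the post says must hold for an edited image: unchanged file size, key and certificate blocks present, and the MAC pattern (first two instances minus 1, last one as on the sticker). Assumptions: the blocks carry standard PEM labels, MACs are stored as uppercase ASCII text, and the sample image is a small constructed stand-in with no real key material.

```python
import re

TEMPLATE_SIZE = 12_582_912          # template size stated in the post
TEMPLATE_MAC = "00:18:41:81:8B:5C"  # template MAC stated in the post
# Assumption: the key and certificate use standard PEM labels.
PEM_LABELS = (b"RSA PRIVATE KEY", b"CERTIFICATE")

def mac_minus_one(mac):
    """Sticker MAC with 1 subtracted from its last hex digit (D4 -> D3, B -> A)."""
    last = int(mac[-1], 16)
    if last == 0:
        # The post gives no rule for a last digit of 0, so refuse rather than guess.
        raise ValueError("last digit is 0: not covered by the post")
    return mac[:-1].upper() + format(last - 1, "X")

def preflight(image, sticker_mac, expected_size=TEMPLATE_SIZE):
    """Return a list of problems found in an edited image; empty means it passed."""
    problems = []
    if len(image) != expected_size:
        problems.append(f"size is {len(image)}, expected {expected_size}")
    for label in PEM_LABELS:
        begin = image.find(b"BEGIN " + label)
        end = image.find(b"END " + label)
        if begin < 0 or end < begin:
            problems.append(f"missing or unterminated {label.decode()} block")
    # The post searches for the first four octets of the template MAC.
    if TEMPLATE_MAC[:11].encode() in image:
        problems.append("template MAC is still present")
    sticker = sticker_mac.upper()
    # Every ASCII MAC that shares all but the last hex digit with the sticker MAC.
    pattern = re.escape(sticker[:-1].encode()) + b"[0-9A-F]"
    found = [m.decode() for m in re.findall(pattern, image)]
    wanted = [mac_minus_one(sticker)] * 2 + [sticker]
    if found != wanted:
        problems.append(f"MAC instances are {found}, expected {wanted}")
    return problems

def build_sample(size, macs, key_body=b"QUJD"):
    """Constructed stand-in for an edited image (dummy bodies, not real keys)."""
    parts = [b"-----BEGIN RSA PRIVATE KEY-----" + key_body
             + b"-----END RSA PRIVATE KEY-----",
             b"-----BEGIN CERTIFICATE-----REVG-----END CERTIFICATE-----"]
    parts += [m.encode() for m in macs]
    body = b"\x00\x00".join(parts)
    return body + b"\x00" * (size - len(body))  # NUL padding up to the fixed size

if __name__ == "__main__":
    mac = "00:23:76:EC:21:D4"  # example MAC used in the post
    good = build_sample(4096, ["00:23:76:EC:21:D3"] * 2 + [mac])
    print(preflight(good, mac, expected_size=4096))
```

For a real image, read the file as bytes and leave `expected_size` at its default, which is the template size given in the post.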

redsolar

Senior Member
Jan 3, 2009
124
0
One highly recommended addition to this is to use the correct ROM base version while you do this for testing if your wimax restored correctly. Quite often firmware/wimax mismatches will cause things to not auto connect, or various odd issues (true story).

Thanks for writing this up - I was planning on doing it at some point with a full guide on how to back up and restore the whole nine yards, but this will do in the meantime for people who want to restore things.
 

kybeck55

Senior Member
Oct 10, 2010
83
10
I was one of the people that did the initial backup methods (telling you how to backup your certificate and rsa keys) or using cat which doesn't actually backup your wimax.img properly. After hours of playing around in a hex editor I finally got my 4g working again, and i'll explain how :)

****EDIT****

I added a hex converter you can use for your rsa key if you are too lazy to find one on google. I say to use hex instead of text replace because it's safer in regards to \n's

I was too lazy to make a gui for it but its haxt.net/evohex.php?rsa=yourrsa&cert=yourcert [obviously replace it with your 2 values]

***********

Note - this won't work for anybody who actually has no idea what their RSA keys/certificate is.

So there are a few things you need first.

1. Your phones wimax mac address (take out your battery and look at the sticker)
2. Your RSA private key
3. Your Certificate
4. A wimax.img from an evo that has an intact wimax partition (borrow a friend's nandroid backup).

To simplify, use XVI32 freeware hex editor. If you search "BEGIN" you will see begin rsa key and begin certificate. You need to copy these values for later use.

Next, open up the backup you got from a friend and save the certificate/rsa information between the ---BEGIN --- and ---END --- tags.

Now that you have the rsa key/certificate for both it is time to run a str_replace.

(Make sure to look at the original file size of the backup you got of someones wimax.img. Once you are done the file size needs to be the same).

Take YOUR rsa key and convert it to hexidecimal.. you can find tons of sites that will do this .. just google convert string to hex (it will be a long string of stuff like 4D 49 49 44 6B 44 43 43 41 6E 69 67 41 77 49 42 41 67 49 51).

Next, take your buddies RSA key and convert it to hex as well.

Open a copy of your buddies backup now and this will be used as the template for your new wimax partition. Hit search -> replace. For the hex to search paste your buddies RSA key you converted to hex.. and for the replace with.. put the hex of your rsa key.

Repeat these last steps for the certificate as well (convert to hex and replace your buddies certificate with your own certificate text)

REMEMBER!!!! if the length is not the same of the certificate/key you can fix this by adding or removing the blank bytes at the end of the ---END RSA or --END CERTIFICATE area.

You should be able to save the file now and the size should be exactly the same as the original backup you borrowed.



Now the only thing you have to do is fix your mac. In your new wimax partition file, search for 00: to locate the mac address of your buddies partition. You might find a few random ones first but just look at the surrounding text to know it's their mac. Replace that string with your mac but subtract 1 from the last digit(if your mac was 00:23:76:EC:21:D4 put 00:23:76:EC:21:D3).

Replace the first 2 of the 3 instances with your mac -- minus 1. (If it ends on a letter, B would become A, C would become B, etc.

The last instance of your mac, put the actual mac address with nothing subtracted as it appears on the sticker under your battery.



Once you have saved the file.. name it something like wimax_fixed_resized.img and copy it to your sdcard.

Boot to fastboot and run "fastboot erase wimax"

Reboot to your recovery and adb shell in.

type "mount /sdcard" so you can run flash_image properly.

Run flash_image wimax /sdcard/wimax_fixed_resized.img
(or whatever you named it)


Profit!
Is there any way to break it down any more? And do you have to use a buddy's backup? I have my RSA keys, I made a backup a while ago... can't you just use one of your old backups and replace wimax? Thanks in advance and thanks for the post.
 

Caanon

Senior Member
Aug 1, 2010
101
11
Great post, had been wondering how to actually restore the wimax keys once you had 'em.

Question for any devs that may have them: are the RSA keys generated by or linked to MAC ID somehow? Would it be possible to use backups of one phone's keys with another phone's baseband MAC ID?
 

haxt

Member
Jul 27, 2009
7
7
I'll try to clean up the post to make it an easier read tomorrow but if you have an intact backup of your wimax image you can just restore it with flash_image or fastboot.. or just restore the nandroid backup. This is just for people that have the key itself but the image they have might be corrupted. If it would help everyone I can take a working wimax.img and remove the RSA keys so you can just download it as a template and put your keys in
 

haxt

Member
Jul 27, 2009
7
7
I updated the thread.. has a template file in there too with dummy certs and keys to make it easier for you guys.
 

Caanon

Senior Member
Aug 1, 2010
101
11
That's exactly what it does.

Good news and bad news...

Bad news is that I wasn't ever able to fix it. I tried flashing up and down all the radios I could find, trying all the radio/rom combos I could think of. RUU'd even, and no dice.

Good news is that it might not have actually been your fault. I ended up biting the bullet and going to the Sprint store to explain what was going wrong. The tech looked at it and said, "Let me guess, this happened after an update, right?" Apparently this is a "known issue" to Sprint, and it actually ended up happening to the tech herself about a week before it happened to mine. They ordered me a refurb no charge (I have insurance, but didn't have to use it I don't think) and got it a few days later. New one connects to 4g no problem, and 4g on CM works like a charm (thanks toast and shin!).
 

NYCHitman1

Recognized Developer
Apr 9, 2010
5,596
6,780
New York
Google Pixel 2 XL
Google Pixel 3
Good news and bad news...

Bad news is that I wasn't ever able to fix it. I tried flashing up and down all the radios I could find, trying all the radio/rom combos I could think of. RUU'd even, and no dice.

Good news is that it might not have actually been your fault. I ended up biting the bullet and going to the Sprint store to explain what was going wrong. The tech looked at it and said, "Let me guess, this happened after an update, right?" Apparently this is a "known issue" to Sprint, and it actually ended up happening to the tech herself about a week before it happened to mine. They ordered me a refurb no charge (I have insurance, but didn't have to use it I don't think) and got it a few days later. New one connects to 4g no problem, and 4g on CM works like a charm (thanks toast and shin!).

Damn! I really don't want to go through all that trouble right now. Lol, eff it. I'll wait for the next best thing.

Sent from my PC36100 using XDA App
 

gpz1100

Senior Member
Nov 28, 2009
3,118
608
Question, wouldn't it be easier to just backup the existing wimax.img and restore it if/when needed using recovery? Or does this method address something that can't be done via recovery?
 

ericvbp21

Senior Member
Sep 14, 2007
292
54
I am confused when it comes to this. Is there a video or something? I know for a fact that I lost my RSA keys and I have used the "WiMAX Keys Checker" to check it and it says they are missing. But during my first initial backup I see the "img" file in there. I can't connect to 4G anymore so I am guessing for some reason it can't read it when I restore to the old version of my evo or when I change ROM. I need some serious slow help.
 

aph

Senior Member
Aug 9, 2007
651
192
New York, NY
I am confused when it comes to this. Is there a video or something? I know for a fact that I lost my RSA keys and I have used the "WiMAX Keys Checker" to check it and it says they are missing. But during my first initial backup I see the "img" file in there. I can't connect to 4G anymore so I am guessing for some reason it can't read it when I restore to the old version of my evo or when I change ROM. I need some serious slow help.

Flash the WiMAX radio again and Update Profile, it will grab the keys from the carrier based on your phone's programming information.
 

yong9n

New member
Apr 8, 2009
4
0
Flash the WiMAX radio again and Update Profile, it will grab the keys from the carrier based on your phone's programming information.
I flashed the WiMAX radio and updated the profile but it still does the same thing. Any idea? I do have the RSA keys so I don't know why it doesn't grab 4G....
 

bilsoncs

Member
Apr 26, 2008
16
1
Lake Country, MN
Well I thought I lost my RES keys after doing haxt's backup, after I checked using Explorer and there was no res_OEM.key file. I did the backup again, still no file. I used Astro on my phone and the files were there (res_OEM.key 4,575 KB & res_OEM.keycat 16,863 KB). Now a day later and the files show up using Explorer? I did do a wimax backup before I did anything and that is still there. Bottom line, if you think you lost your res keys after doing a backup, check it with a file manager program on your phone.
 

igotitiscool

Member
Jun 17, 2010
26
0
I am confused when it comes to this. Is there a video or something? I know for a fact that I lost my RSA keys and I have used the "WiMAX Keys Checker" to check it and it says they are missing. But during my first initial backup I see the "img" file in there. I can't connect to 4G anymore so I am guessing for some reason it can't read it when I restore to the old version of my evo or when I change ROM. I need some serious slow help.


I have my keys (WiMAX Keys Checker) but I can only connect when I do a restore of the original EVO ROM from backup, but on all other ROMs (elite II for now) it just says searching and never connects. Please help.

Edit: dropped and broke the phone that I'm talking about.. got a new one through insurance and rooted it and 4G works with no problem. Wonder what I did when I rooted the first phone.
 
Last edited:

Top Liked Posts

    This totally worked for me.

    I did a nandroid backup of my wimax initially and after having done TONS of different roms I assumed I'd never have a problem.

    Well lo and behold I got the dreaded BAD MAC ADDRESS of "00:16:08:00:24:05"

    I thought "oh that's easy, I'll just nandroid restore it"... well nandroid restore said the file was corrupt and wouldn't restore for some reason.

    After reading page after page from another thread I assumed I was screwed and would basically end up replacing my phone.

    LUCKILY I stumbled upon your thread only to notice that in actuality my wimax.img was not actually corrupt after all once I found I could easily open it with the hex editor.

    So I just took my nandroid backed up wimax.img and without even erasing my wimax partition I flashed it with the command you had: "flash_image wimax /sdcard/wimax.img" (yeah I put it on the core directory of the sdcard)

    TADA!

    I'm now 4G'ed up and am happy to know that there will always be this easy way of undoing the borked 4G.

    Thanks again.