
[GUIDE]TBH inspired Free wireless tethering hack instructions for Droid 3

faylix
(Last edited by faylix; 24th July 2011 at 03:54 AM.)
#1
Senior Member - OP

Wireless Tethering is one of the main things I miss about not having root. I specifically bought a wifi only Xoom because I knew I could just tether it to my phone. When I switched to the Droid 3 believing it would come unlocked it was like a kick in the face.

Recently I came across a thread from Team Black Hat describing a way of enabling free tethering on Verizon without root. In their write up they provide a flashable zip. Useless for us as we don't have root, or a recovery, but it got me thinking. All credit for this goes to Team Black Hat. They rock, I really hope they are working on rooting the droid 3 because they are android gods.
The original thread by TBH can be read here.

I'm not going to go too in depth here, because if you screw up you have the possibility to brick your pretty new device. Also, it goes against your TOS with Verizon, and who knows, one day they might work out a way to tell who is doing this. The more people who know and use this trick, the more likely it is they will find some way of detecting and/or closing the hole.

But I couldn't leave my XDA brothers out of the loop! So with the standard disclaimer (I'm not responsible for anything you do, anything that comes of something you do, blah blah, you know the deal) I will outline the steps required to enable free tethering on our wonderful Droid 3s.

Quote:
Originally Posted by Team Black Hat
TeamBlackHat is releasing for the public the only permanent 3G Hotspot hack. Please be responsible and do not abuse this release. MyDroidWorld and TeamBlackHat are not responsible for your behavior nor your bills.

I did this on a Windows 7 64-bit PC. The Radiocom software would def be happier with a 32-bit XP system; it will throw a lot of errors, but it will work. More on that in a second.

1st. You need the most recent drivers for your computer so that your computer can see your phone. You can get them off the Motorola website, same as if you were going to use adb or RSDlite. The file I downloaded from the moto support site was called MotoHelper_2.0.49_Driver_5.0.0.exe

2nd. You need a copy of Radiocom. Radiocom is a piece of software that's supposed to be for moto employees only and allows you to read and write data directly to your software radio. You need to search the internet for it; because it's a copyrighted file I can't post it for you. You need to find the latest version. The best version I found was RadioCOmm_v11.11.11_Install.msi - You also need the .NET framework installed on your computer. You can get that from Microsoft's site for free.

3. You need a USB cable and a droid 3.

Now... crack a beer and let's get down to business.

1. Install the moto drivers and the .net framework. Install Radiocom. It will give you all sorts of errors, but it will install.

2. Next, find it under your start menu. Right click on it, and select "trouble shoot compatibility". I just ran with the suggested settings. Basically what this does is run the application under XP compatibility mode. Now take a sip of beer, you are gonna get some error messages but don't tweak.

a. You will still get the first screen that says do you want to allow the following program from an unknown company to make changes on your computer - check yes.

b. It will say: Motorola datacard drivers 1.5.9: this installation is intended for 32-bit OS versions only. Please use the 64-bit version on this machine. Click okay.

c. Installation incomplete: the installer was interrupted before Motorola datacard drivers 1.5.9 could be installed. You need to restart the installer to try again. Hit close.

d. Warning: Motorola Datacard Driver installation package version mismatch. The version supplied with this tool does not match the installed version on the machine. We cannot guarantee proper radio enumeration unless you install the latest version. The installation package will start again the next time this tool is started. Click OK.

e. This version of RadioComm is more than 2 months old. This version may be out of date. Please visit the PDO compass webpage and download the latest version of RadioComm. - Click OK.

Radiocom will start! Phew!

You will have to select the chipset at start: I selected CDMA 1x (MSM 7500) w/ Android. I don't know if this is the best or most accurate one. I actually spent 45 minutes trying to search for exactly what our chipset base was... but I decided to be brave (or stupid) and went with this one and it worked. After it boots, under Settings in Radiocom, USB, select PST USB Driver.

3. Now, connect your Droid 3 to your computer and put it in PC mode. If you installed the drivers correctly you should get this cool little screen showing your phone and telling you some info about it that pops up from moto's software. In the Radiocom software, in the upper right of the screen right under the RC logo, the light should turn green to show the phone is connected. You can test by pushing the GET button under the SW version. It should return your Android software version. DON'T PUSH ANY OTHER BUTTONS. YOU COULD REALLY SCREW SOMETHING UP.

Now a little background: you can read TBH's awesome explanation, but the quick and dirty one is that moto's software radio uses three different 128 char string identifiers for data requests. That's how they can tell the difference between your phone's web browser asking for data, and a laptop or Xoom connected to your phone asking for data. We are going to use Radiocom to make all three strings match the first string - so all data appears to be just for the phone. After doing so - your Verizon installed hotspot app will work and the USB tethering option will too! Ta da!

Team Black Hat has made a screenshot showing all the steps required; it can be viewed here.

I'll also try including it right here but I'm not sure how it will look:



3. Now take a deep breath... use the arrows in the Radiocom program to find the tab marked P2K 1.

Look at the image and in your Radiocom program in the bottom left there is a box called STELEM/RDELEM. First select Dec entries.

RDELEM means read, and STELEM means write.

Now this is very very important. Do not screw this part up. Make sure again you have selected Dec entries, because if you enter the numbers below in hex mode and then hit DEC they will change and you will be reading and writing the wrong values, which is BAD.

In Dec Mode

For ElementID: enter 8040
Record # 1
offset 0
length 128

Now hit RDELEM. The box in the top right should go green, a bunch of numbers should flash through, but most importantly right next to where you entered the element ID and record number the box that says Data (hex only) will now have a 128 char string in there. Highlight the entire 128 byte string and copy it.

4. You are now going to change the element ID to 8041 (record, offset, length stay the same) and hit RDELEM. If you compare these two numbers they are different; this is how moto knows you are tethering. You would have to paste both into a Word file because they both end in a bunch of 00's so in the tiny data box they look the same, but trust me they are different. Select the data in the databox for 8041 and delete it. Paste the number from 8040. Now hit STELEM. Again you should see a bunch of numbers go through that box on the top right and it should be green.

5. Now you are going to do the same things for element numbers 8042, and 8043. Remember each time to hit RDELEM first, paste the value from 8040, then hit STELEM.

6. Now hit the restart button next to the text box top center. Your phone will restart. It will say something scary at first like SIM card not found. This is normal. Give it a second and it will be right back to normal, you will have your 3G icon and be able to make calls, send texts etc.

EXCEPT.... Now you can use the Verizon mobile hotspot application and it won't send you to that Verizon website that says "would you like to pay for tethering?" - you have just successfully hacked your radio to make Verizon believe all data requests are phone data requests.

Ta da!

We might not have root yet, but now we have free wireless tethering! I have had this running for about 24 hours and everything seems perfectly functional. My Xoom connects right away to my phone and the distance is actually pretty good (like from bed to desk.. not just pocket to hand). Speeds are functional, just like you would get on the phone.

I hope I have made the wait for root just a little easier for my fellow XDA'ers... I know despite the fact I'm taking the Bar exam in 3 days I still check the forums every hour hoping against hope for some new news of root .... or hell... even video chat working in talk (gchat/huddle/etc).

Again I take no credit for this, all thanks to Team Black Hat! But if you wanted to press the thanks button it would make me feel all warm and fuzzy inside =)

- faylix / local
 
hufn
#2
Junior Member
Frigging awesome I was very strongly considering this phone and the only real drawback for me with lack of root was missing wireless tether and ad blocking. I could live without but having this makes it a no brainer.
 
faylix
#3
Senior Member - OP
Quote:
Originally Posted by hufn
Frigging awesome I was very strongly considering this phone and the only real drawback for me with lack of root was missing wireless tether and ad blocking. I could live without but having this makes it a no brainer.
I was in exactly the same position.. loved the phone.. could wait for root.. didn't want to give up wireless tether.... but now we don't have to!

Just hit that thanks button, and pledge to donate money to whomever finally roots this beast ;0)

- faylix
 
cellzealot
#4
Senior Member
Nice job!

There is actually a great deal more to discuss regarding the NVM of the D3 and I will be doing so.

These instructions and screenshots should actually be updated to reflect the MDM6600 global chipset in the D3 and other global Droid models.

I am currently working on a comparison of a dump of the D3 NVM and an unlocked Droid Pro 3.8.7 engineering build to see if it's possible to isolate the band unlock and apply it to the new radio.
So far it doesn't look good because there are so many differences in the radio NVM between them, but I have only just started examining it.

Thanks for giving credit where due and I emphasize that this is a very dangerous practice right now if you abuse it and VZW is making a concerted effort to identify and penalize such users.
CellZealot

TeamBlackHat

Digital alchemy for the Droid and beyond.
 
faylix
#5
Senior Member - OP
Quote:
Originally Posted by cellzealot
Nice job!

There is actually a great deal more to discuss regarding the NVM of the D3 and I will be doing so.

These instructions and screenshots should actually be updated to reflect the MDM6600 global chipset in the D3 and other global Droid models.

I am currently working on a comparison of a dump of the D3 NVM and an unlocked Droid Pro 3.8.7 engineering build to see if it's possible to isolate the band unlock and apply it to the new radio.
So far it doesn't look good because there are so many differences in the radio NVM between them, but I have only just started examining it.

Thanks for giving credit where due and I emphasize that this is a very dangerous practice right now if you abuse it and VZW is making a concerted effort to identify and penalize such users.
Means a lot coming from you guys. I have all the respect in the world for your efforts.

Have you considered looking at the pre-release builds of the D3? I know the test units had unlocked bootloaders but when woody tried to flash the sbf with the unlocked bootloader it bricked his D3.

Maybe some analysis there would bear more fruit than the droid pro because of the hardware differences?

I'm taking the bar exam this Wed and Thursday but then I'm all for attacking this thing head on. If nothing else I'll rep you guys for free if anything comes of that C&D letter you got :) I'm your Jewish lawyer on retainer - just pay me in exploits!

For real, shoot me an email, and I'll be first in line to donate when this puppy is finally cracked.

Concerning Radiocom, it's amazing there is no security in place to keep us from writing directly to the memory space like this... if we could only just pull the bootloader from the test unit sbf and point Radiocom at the right memory address that might be all she wrote!

Dunno about you but I think MIUI would look mighty fine on here....

-faylix / local
 
djrajir
#6
Member
Quote:
Originally Posted by cellzealot
Nice job!

There is actually a great deal more to discuss regarding the NVM of the D3 and I will be doing so.

These instructions and screenshots should actually be updated to reflect the MDM6600 global chipset in the D3 and other global Droid models.

I am currently working on a comparison of a dump of the D3 NVM and an unlocked Droid Pro 3.8.7 engineering build to see if it's possible to isolate the band unlock and apply it to the new radio.
So far it doesn't look good because there are so many differences in the radio NVM between them, but I have only just started examining it.

Thanks for giving credit where due and I emphasize that this is a very dangerous practice right now if you abuse it and VZW is making a concerted effort to identify and penalize such users.
This is good to hear, it's nice to know some more people are working with this device. I was getting concerned that I jumped the gun buying it.

So now we have TBH working on unlocking the band, and woodyman & birdman working on finding an exploit for root.
 
neilrl79
#7
Senior Member
This is a fantastic write-up, very well done. I installed all the appropriate software and did a "dry run" just to see everything. Do you know if this will stick through OTA updates?
 
cellzealot
#8
Senior Member
The NV edits survive a *228 service programming but will be overwritten by a complete radio update like a new version release would usually include.
 
neilrl79
#9
Senior Member
Quote:
Originally Posted by cellzealot
The NV edits survive a *228 service programming but will be overwritten by a complete radio update like a new version release would usually include.
Thanks, I'm going to give it a go later tonight.
 
kingoanklebreakn
#10
Senior Member
For some reason whenever I turn on the hotspot app my 3g cuts off then cuts back on and is white and has no access to the net.
