
SUCCESSFULLY backup AAA/HA Shared Secret Keys

#1 gpz1100 (Senior Member - OP)

Warning: For informational and educational purposes only.

Application: Mostly to those using this device with another carrier - page plus, selectel, nextg, cricket, boost, and others.

Purpose: To reliably create a backup of the AAA/HA Secret keys.

Preface: Unlike some other phones, retrieving these keys is not a clear cut process on the Evo 4g Lte. In fact, using a program like DFS, nothing shows up in the Mobile IP/Shared secrets tab next to these fields after a read command. Using dfs with another phone such as a samsung gusto 2, the fields populate without issue.

These keys are needed to establish a 3g connection, be it with sprint, boost, page plus, etc.

It would appear that these keys only get generated during the initial handshake after the esn (meid) of the phone is placed on the account. Doing a *22890 (or *228, option 1 - reprogram) does not regenerate them. The only way I've found to do so is to perform an esn reset on the account. That is, the esn is removed off the account, then added back on (phone needs to be off during this). On the next reboot, the keys will get recreated and your data will work again.

This isn't so bad, but the problem is it involves contacting the carrier, and hoping they have a clue what you're talking about. Some page plus resellers offer a free, automated way of doing this. Other (selectel and nextg) resellers charge $2-6 for this service.

PROCESS

Software Requirements:

1) DFS (the demo works quite nicely)
2) QPST (use google to find it)
3) A hexeditor (hexedit32 works fine).
4) Sense enabled ROM that supports ##DIAG# mode.

Short version: Skip to step 9

Driver and getting the PC to recognize the device will not be covered here. There are numerous other threads discussing this topic to no end.

1) Place the phone into diag mode by dialing ##DIAG# from the dialer. These codes don't work in third party dialers. You will need to use the stock dialer.

2) If you already know your SPC/MSL code, skip to step 4.

3) To obtain the SPC/MSL code, open up DFS, select proper port, then enter "2011101116083112" or "41 74 64 77 61 6F 70" in the PWD field. Click the button immediately to the left of PWD to submit.

Under the programming/general tab, near the SPC heading (upper left side), click read. It will retrieve your MSL/SPC code. Make a note of it.

Click the Disconnect icon immediately to the right of the word PORTS at the top left. Or exit the program entirely. No two programs can access a com port at the same time. Failure to do this will cause failure with the next step.

4) Open up qpst configuration, select your device, then click start clients/efs explorer. It will prompt you for the msl/spc code. Enter it.

5) The folder structure will display once done loading - ~30 seconds typically. You will see a folder called NVM with a circle/line through it. This folder is not accessible yet.

6) In the root folder, create a new folder, "open sesame door"

7) Close EFS explorer and Reboot the phone

8) Repeat steps 4-5 to get the file structure back. You'll notice you can now access the NVM folder.

9) Navigate to nvm/num. Look for file 466. Drag and drop this to some folder in your system.

10) Open this file in a hex editor. You'll see the file is comprised of 34 bytes. 32 of these bytes reveal the AAA/HA keys.

Note the following are in hex. The first 16 characters after the first "10" is your HA key in hex. The next set of numbers after the 2nd "10" is your AAA key in hex.

For example:

10 95 43 F3 73 60 CB 89 6B B5 98 67 51 B2 9A 2C 2D
10 43 E1 42 5F 64 B4 4B 22 35 CD B7 C8 F1 69 19 D9


HA key (red): 95 43 F3 73 60 CB 89 6B B5 98 67 51 B2 9A 2C 2D

AAA key (blue): 43 E1 42 5F 64 B4 4B 22 35 CD B7 C8 F1 69 19 D9

11) In order for these keys to be useful [in dfs], the hex sequence has to be void of any spaces, especially at the end of the sequence.

HA Key: 9543F37360CB896BB5986751B29A2C2D

AAA key: 43E1425F64B44B2235CDB7C8F16919D9

I've confirmed the above method does indeed work by wiping out my data/mip profiles. Confirmed that nvm file 466 no longer contained any keys. Recreated the data and MIP profiles (but did not include the keys). Upon connecting, I got error #67 (unable to connect data).

Simply replacing the nvm file with a backup did not work. It still resulted in the error #67. Only after copying/pasting the actual keys back into dfs/mip Shared secrets profile section and rebooting did data functionality return.

If this was helpful, please click the thanks button.
Page Plus Flashing - True 3G (evdo)
Free Page Plus Ports/Activation - PM for more info

Vzw Samsung S4 - Page Plus
 
gpz1100
Old
#2  
gpz1100's Avatar
Senior Member - OP
Thanks Meter 280
Posts: 2,004
Join Date: Nov 2009
Reserved
Page Plus Flashing - True 3G (evdo)
Free Page Plus Ports/Activation - PM for more info

Vzw Samsung S4 - Page Plus
 
gpz1100
Old
#3  
gpz1100's Avatar
Senior Member - OP
Thanks Meter 280
Posts: 2,004
Join Date: Nov 2009
Reserved 2
Page Plus Flashing - True 3G (evdo)
Free Page Plus Ports/Activation - PM for more info

Vzw Samsung S4 - Page Plus
 
#4 jdrogers84 (Member)
(Last edited by jdrogers84; 6th February 2014 at 02:36 PM.)
How do you know what each nv file/item contains per phone?

 
#5 gpz1100 (Senior Member - OP)
There are indexes out there. This topic only pertains to the AAA/HA keys.
 
#6 jdrogers84 (Member)
Do you happen to have any other options for a sprint S3?

 
#7 asdfjkljkl5 (Junior Member)
tried this on evo 3d virgin mobile

I tried these same steps to get my ha and aaa keys on my evo 3d virgin mobile but I must have done something wrong. When I go into my 466 file I do not get the same pattern with the "10" followed by the ha key then another "10" followed by the aaa key. Instead I get a "06" followed by my ha key which is "secret" and the rest is zeros.

I assumed these same steps would work for the evo 3d. What am I doing wrong?
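Added example, not code from any poster in this thread: a small Python parser for the 34-byte file 466 that post #1 walks through in steps 10 and 11, which also covers the layout post #7 reports for the Evo 3D. It reads the byte in front of each key as a one-byte length prefix rather than a fixed "10" marker. That reading is an assumption, but it is consistent with both posts: 0x10 is 16, the size of each key in post #1, and 0x06 is the length of the six-letter string "secret" in post #7, after which the parser stops at the zero padding instead of misreading it as a second key. The hex bytes are the ones printed in post #1; the Evo 3D input is constructed from post #7's description. The `normalize_for_dfs` helper enforces the step 11 rule that a key must contain no whitespace, especially none trailing.

```python
"""Parse the length-prefixed fields in an EFS dump of NV item 466.

Added example; not code from any post in this thread. Assumption: the
byte in front of each key is a one-byte length prefix (0x10 = 16), not
a fixed marker. The same reading explains the "06 ... secret ... zeros"
layout reported for the Evo 3D in post #7, since len("secret") == 6.
"""
from typing import List, Tuple

# The 34 bytes exactly as printed in post #1, copied as a hex dump.
SAMPLE_466_HEX = (
    "10 95 43 F3 73 60 CB 89 6B B5 98 67 51 B2 9A 2C 2D\n"
    "10 43 E1 42 5F 64 B4 4B 22 35 CD B7 C8 F1 69 19 D9"
)

# Constructed to match post #7's description: 0x06, "secret", then zero
# padding up to the same 34-byte file size.
SAMPLE_EVO3D = bytes([0x06]) + b"secret" + bytes(34 - 7)


def parse_length_prefixed(data: bytes) -> List[bytes]:
    """Return the fields in `data`, each introduced by a one-byte length.

    Parsing stops at a zero length byte, which is how trailing zero
    padding is told apart from a real field.
    """
    fields: List[bytes] = []
    pos = 0
    while pos < len(data):
        length = data[pos]
        if length == 0:
            break
        field = data[pos + 1 : pos + 1 + length]
        if len(field) != length:
            raise ValueError(
                f"field at offset {pos} claims {length} bytes, "
                f"only {len(field)} remain"
            )
        fields.append(field)
        pos += 1 + length
    return fields


def normalize_for_dfs(hex_text: str) -> str:
    """Strip all whitespace (step 11: no spaces, especially at the end)
    and check that exactly 16 bytes of hex remain."""
    compact = "".join(hex_text.split()).upper()
    if len(compact) != 32 or any(c not in "0123456789ABCDEF" for c in compact):
        raise ValueError(f"not a 16-byte hex key: {hex_text!r}")
    return compact


def describe_field(field: bytes) -> str:
    """Show a field as ASCII when it is printable text, else as hex."""
    if field and all(32 <= b < 127 for b in field):
        return f"{len(field)}-byte text {field.decode('ascii')!r}"
    return f"{len(field)}-byte hex {field.hex().upper()}"


def extract_keys(data: bytes) -> Tuple[str, str]:
    """Return (HA key, AAA key) as 32-char hex strings ready to paste into DFS."""
    fields = parse_length_prefixed(data)
    if len(fields) < 2:
        raise ValueError(
            f"expected two key fields, found {len(fields)}: "
            + ", ".join(describe_field(f) for f in fields)
        )
    return normalize_for_dfs(fields[0].hex()), normalize_for_dfs(fields[1].hex())


def keys_from_hexdump(dump: str) -> Tuple[str, str]:
    """Accept the dump as copied from a hex editor (spaces/newlines allowed)."""
    return extract_keys(bytes.fromhex(dump))


if __name__ == "__main__":
    ha, aaa = keys_from_hexdump(SAMPLE_466_HEX)
    print("HA key: ", ha)
    print("AAA key:", aaa)
    # The Evo 3D layout yields one short text field and no second key.
    for f in parse_length_prefixed(SAMPLE_EVO3D):
        print("Evo 3D field:", describe_field(f))
```

Run on the post #1 bytes it returns the two keys exactly as they appear in step 11; run on the Evo 3D input, `extract_keys` refuses with a message naming the single `'secret'` field, which is the practical answer to post #7: that file holds a placeholder, not a pair of keys, so there is nothing to paste into DFS until the keys have been provisioned.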

Tags
aaa ha, efs, keys, secrets