SUCCESSFULLY backup AAA/HA Shared Secret Keys
Warning: For informational and educational purposes only.
Application: Mostly to those using this device with another carrier - page plus, selectel, nextg, cricket, boost, and others.
Purpose: To reliably create a backup of the AAA/HA Secret keys.
Preface: Unlike some other phones, retrieving these keys is not a clear-cut process on the EVO 4G LTE. In fact, using a program like DFS, nothing shows up in the Mobile IP/Shared secrets tab next to these fields after a read command. Using DFS with another phone such as a Samsung Gusto 2, the fields populate without issue.
These keys are needed to establish a 3g connection, be it with sprint, boost, page plus, etc.
It would appear that these keys only get generated during the initial handshake after the ESN (MEID) of the phone is placed on the account. Doing a *22890 (or *228, option 1 - reprogram) does not regenerate them. The only way I've found to do so is to perform an ESN reset on the account. That is, the ESN is removed from the account, then added back on (the phone needs to be off during this). On the next reboot, the keys will get recreated and your data will work again.
This isn't so bad, but the problem is it involves contacting the carrier, and hoping they have a clue what you're talking about. Some page plus resellers offer a free, automated way of doing this. Other (selectel and nextg) resellers charge $2-6 for this service.
Requirements:
1) DFS (the demo works quite nicely)
2) QPST (use google to find it)
3) A hex editor (hexedit32 works fine).
4) A Sense-enabled ROM that supports ##DIAG# mode.
Short version: Skip to step 9
Driver installation and getting the PC to recognize the device will not be covered here. There are numerous other threads discussing this topic to no end.
1) Place the phone into diag mode by dialing ##DIAG# from the dialer. These codes don't work in third party dialers. You will need to use the stock dialer.
2) If you already know your SPC/MSL code, skip to step 4.
3) To obtain the SPC/MSL code, open up DFS, select the proper port, then enter "2011101116083112" or "41 74 64 77 61 6F 70" in the PWD field. Click the button immediately to the left of PWD to submit.
Under the programming/general tab, near the SPC heading (upper left side), click read. It will retrieve your MSL/SPC code. Make a note of it.
Click the Disconnect icon immediately to the right of the word PORTS at the top left. Or exit the program entirely. No two programs can access a com port at the same time. Failure to do this will cause failure with the next step.
4) Open up QPST Configuration, select your device, then click start clients/efs explorer. It will prompt you for the MSL/SPC code. Enter it.
5) The folder structure will display once done loading - ~30 seconds typically. You will see a folder called NVM with a circle/line through it. This folder is not accessible yet.
6) In the root folder, create a new folder, "open sesame door"
7) Close EFS explorer and Reboot the phone
8) Repeat steps 4-5 to get the file structure back. You'll notice you can now access the NVM folder.
9) Navigate to nvm/num. Look for file 466. Drag and drop this to some folder in your system.
10) Open this file in a hex editor. You'll see the file consists of 34 bytes. 32 of these bytes are the AAA/HA keys.
Note the following are in hex. The 16 bytes after the first "10" are your HA key. The 16 bytes after the second "10" are your AAA key.
10 95 43 F3 73 60 CB 89 6B B5 98 67 51 B2 9A 2C
10 43 E1 42 5F 64 B4 4B 22 35 CD B7 C8 F1 69
HA key (red): 95 43 F3 73 60 CB 89 6B B5 98 67 51 B2 9A 2C
AAA key (blue): 43 E1 42 5F 64 B4 4B 22 35 CD B7 C8 F1 69
11) In order for these keys to be useful [in DFS], the hex sequence has to be free of any spaces, especially at the end of the sequence.
HA Key: 9543F37360CB896BB5986751B29A2C2D
AAA key: 43E1425F64B44B2235CDB7C8F16919D9
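Steps 10 and 11 can be done without hand-copying from the hex editor. The following is an added example, not part of the original post or of DFS/QPST: it splits the 34-byte file into the two keys and prints them as space-free hex. The function names are hypothetical, the sample bytes are built from the values shown in step 11, and the layout (a 0x10 byte in front of each 16-byte key) is taken from the description in step 10.

```python
import sys

KEY_LEN = 16                      # bytes per key, per step 10
RECORD_LEN = 2 * (1 + KEY_LEN)    # 34 bytes in total
MARKER = 0x10                     # the "10" byte in front of each key


def parse_nv466(blob: bytes) -> dict:
    """Split the 34-byte file 466 into the HA and AAA keys.

    Returns uppercase hex without spaces, the form step 11 asks for.
    Raises ValueError if the size or the 0x10 markers do not match.
    """
    if len(blob) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(blob)}")
    keys = {}
    for name, off in (("HA", 0), ("AAA", 1 + KEY_LEN)):
        if blob[off] != MARKER:
            raise ValueError(
                f"{name}: expected 0x10 at offset {off}, got 0x{blob[off]:02X}")
        keys[name] = blob[off + 1: off + 1 + KEY_LEN].hex().upper()
    return keys


def from_hex_dump(text: str) -> bytes:
    """Turn hex copied out of a hex editor (spaces, newlines) into bytes."""
    return bytes.fromhex("".join(text.split()))


# Constructed sample: the HA/AAA values printed in step 11, each behind a 10.
SAMPLE_DUMP = """
10 95 43 F3 73 60 CB 89 6B B5 98 67 51 B2 9A 2C 2D
10 43 E1 42 5F 64 B4 4B 22 35 CD B7 C8 F1 69 19 D9
"""

if __name__ == "__main__":
    # Pass the path of the saved file 466, or run without arguments
    # to parse the embedded sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = from_hex_dump(SAMPLE_DUMP)
    for name, value in parse_nv466(data).items():
        print(f"{name} key: {value}")
```

A size or marker mismatch raises an error instead of printing a partial key, so a file that does not match the layout in step 10 is not mistaken for a good backup.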
I've confirmed the above method does indeed work by wiping out my data/MIP profiles and confirming that nvm file 466 no longer contains any keys. I recreated the data and MIP profiles (but did not include the keys). Upon connecting, I got error #67 (unable to connect data).
Simply replacing the nvm file with a backup did not work. It still resulted in the error #67. Only after copying/pasting the actual keys back into dfs/mip Shared secrets profile section and rebooting did data functionality return.