Tutorial: How to modify ESN and read SPL unlock code

[krazieintentz]

At the request of some users I have been asked to post how I solved an issue with my phone. A while ago upon flashing my Sprint Mogul, my esn was reset to 000000, as well as my MSID, and SPL code.

This shouldn't happen, but is possible. At that point my phone was bricked because there is no way to connect to the Sprint network without having the proper ESN registered on my account.

I will show you how I was able to restore my software ESN and SPL code using software.

NOTE: This is for educational purposes only!!!! I am not responsible for any thing that happens to your phone, or with your service provider after following these instructions.

NOTE: Using this for anything else other than education is illegal. As dictated by the FCC, changing the ESN of any mobile device is against the law. Also called cloning.

---------------------------------------------------------------------------

So now that I have those disclaimers out of the way. Here is what you will need.

1. Your windows mobile phone, Ive only tried it with a Titan (PCC6800) but should work with most cdma phones.

2. A USB sync cable.

3. CDMA workshop. This is the program we will be using to read and write to your phone. It can be found at http://www.cdma-ware.com/workshop.html

(Click on download demo at the bottom).

---------------------------------------------------------------------------
What to do.

1. Install the demo. It is a rar file. Just unzip the rar file to a location and that is it. You will have a new folder called "CDMA_WORKSHOP" with the program exe inside. There is no installation process, Just click on the CDMA icon in the folder and the program will launch.

2. Now that we have installed the program. Lets set up the device.

I am running windows XP so these steps might be different from what you may have to do.

Open control panel in windows. Click on system. Click on the Hardware tab at the top. Then click on Device manager.

A new window will load with all the components connected to your computer.

Click on the "+" next to Ports (Coms & LPT) and the "+" next to modems. This will give you a list of devices under those categories.

Leave this window open! and connect your device using the USB cable. You don't have to disable Active sync, but you can if you like. Or just stop the process when it asks to sync.


Now go to the phones Dial pad and press ##3424#. This will put the phone in diagnostics mode. You will see a screen on the phone displaying DMR items and data, this screen will disappear after some time.

Now go back to the device manager. You will have two new items. A HTC modem under the modems tab, and a HTC diagnostics Interface under ports. Note the COM port number of the diagnostics interface.

It is in parenthesis. If it is COM 8 or higher we will need to change it. (This is due to restrictions of the demo software).

If you have a COM of 1 - 7 you can skip this step.

Change the COM port by right clicking on the Diagnostic link interface and selecting properties. In the new window click on the Ports setting Tab at the top. Then click on the advance button on the lower right. A new window will appear with a drop down box. Select a different com port and click ok. It may say the com is already in use, click ok, and restart the computer. Repeat all previous steps again after the computer restarts.


3. Open CDMA workshop. Select the com port of the diagnostics cable and click on connect. It will say port connected sucessfully. If you get an error make sure you have the right com port and your phone is in diagnostics mode.

Then click on read. It will read all the data of your phone and display it in phone information.

4. Click on the security tab at the top of the program. you will see a box for esn. If you click read it will attemp to read the ESN from your phone. If you type in a HEX esn, and click write, it will change your phones esn to what you typed in the box.

5. Under the SPC tab, click on the SPC button and a side menu of read or write will appear. you can also read the unlock code, or write your own, this will allow you to set the unlock code to something you can remember, other then the number based of the ESN

The drop down box at the top, is for the program to use different methods to read your security file and pull the unlock code out of it. For most phones default works.

6. you can check your changes by going to the phones information menu. ##778#

and click on view, to check your new esn. Click on edit and try your new unlock code.

There is a lot more you can do with this program such as read the ROM change the way it operates. Its actually a program used to repair phones and perform maintenance. But for those you will need to purchase the full version for $100.

Again use at your own risk!!! If you are interested in what other things you can do, or want to know how to diagnose your phone further just ask.

Krazie Intentz

[Shadowmite]

This more than likely only worked because your phone was in the factory "clean" mode of a all zero esn. If a phone has a normal esn security will block the write unless you are supercid. See the posts on this please if you have issues with his method.

[Mills00013]

very excellent write up. i have already archived this page for when XDA decides to take it down

[krazieintentz]

Quote:

Originally Posted by Shadowmite This more than likely only worked because your phone was in the factory "clean" mode of a all zero esn. If a phone has a normal esn security will block the write unless you are supercid. See the posts on this please if you have issues with his method.

Actually, I tried this on a normally working titan with no problems. I don't think the phones security is strictly based off the phones ESN, where having 0's will allow an ESN overwrite but any other value wont.

If you are having problems please let me know of what type.

[Shadowmite]

No, I ASSURE you, you obviously have not tried this since you fixed your esn, or your phone is different than everyone elses. cdmaworkshop was one of the first things tested and it DOES NOT write the esn to a ppc-6800. The NVM is READ ONLY if the device is not supercid and if the ESN is not 0's to begin with.

[krazieintentz]

Quote:

Originally Posted by Shadowmite No, I ASSURE you, you obviously have not tried this since you fixed your esn, or your phone is different than everyone elses. cdmaworkshop was one of the first things tested and it DOES NOT write the esn to a ppc-6800. The NVM is READ ONLY if the device is not supercid and if the ESN is not 0's to begin with.

I am able to change the esn on my phone still using this method however if you are right or wrong the purpose of this thread was to solve the problem of resetting an ESN of all 0's as mentioned in the original post, in which case it works as stated by you.

Krazie Intentz

[madman34]

Quote:

Originally Posted by Shadowmite No, I ASSURE you, you obviously have not tried this since you fixed your esn, or your phone is different than everyone elses. cdmaworkshop was one of the first things tested and it DOES NOT write the esn to a ppc-6800. The NVM is READ ONLY if the device is not supercid and if the ESN is not 0's to begin with.

When he had this problem and posted on it I thought and replied that I bet the file permissions were wiped and now he has a truely unsecured unit, probably is what happened if he can change it with that util.

[Shadowmite]

He should read his CID, I betcha anything it's 00000000 thus the reason he can change it. Perhaps as you suggest when his ESN got 00'd the CID did at well. Still, this is strange.

[abbas]

So how did he manage to trash the ESN? Maybe that can be used as a method of changing the ESN.

[vickylife007]

So omo Oodua, who is your service provider? We may have the same motivation here, want to change service provider. Apart from getting your intended service provided PRL, how do you register your phone with their network?...... Except ofcourse if you use your mogul as a clone of a phone already registered in that network. Am with Reltel, is that your service provider too?