Recently I came across a thread from Team Black Hat describing a way of enabling free tethering on Verizon without root. In their write up they provide a flashable zip. Useless for us as we don't have root, or a recovery, but it got me thinking. All credit for this goes to Team Black Hat. They rock, I really hope they are working on rooting the droid 3 because they are android gods.
The original thread by TBH can be read here.
I'm not going to go too in depth here, because if you screw you have the possibility to brick your pretty new device. Also, It goes against your TOS with Verizon, and who knows one day they might work out a way to tell who is doing this. The more people who know and use this trick, the more likely it is they will find some way of detecting and or closing the hole.
But I couldn't leave my XDA brothers out of the loop! So with the standard disclaimer (I'm not responsible for anything you do, anything that comes of something you do, blah blah, you know the deal) I will outline the steps required to enable free tethering on our wonderful Droid 3s.
TeamBlackHat is releasing for the public the only permanent 3G Hotspot hack. Please be responsible and do not abuse this release. MyDroidWorld and TeamBlackHat are not responsible for your behavior nor your bills.
I did this on a windows 7 64 bit pc. The radiocom software would def be happier with a 32 bit xp system, it will throw a lot of errors, but it will work. More on that in a second.
1st. You need the most recent drivers for your computer so that your computer can see your phone. You can get them off the Motorola website, same as if you were going to use adb or RSDlite. The file I downloaded from the moto support site was called MotoHelper_2.0.49_Driver_5.0.0.exe
2nd. You need a copy of Radiocom. Radiocom is a piece of software thats supposed to be for moto employees only and allows you to read and write data directly to your software radio. You need to search the internet for it, because its a copyrighted file I can't post it for you. You need to find the latest version. The best version I found was RadioCOmm_v11.11.11_Install.msi - You also need the .net framework installed on your computer. You can get that from Microsoft's site for free.
3. You need a USB cable and a droid 3.
Now... crack a beer and lets get down to business.
1. Install the moto drivers and the .net framework. Install Radiocom. It will give you all sorts of errors, but it will install.
2. Next, find it under your start menu. Right click on it, and select "trouble shoot compatibility" I just ran with the suggested settings. Basically what this does is run the application under XP compatibility mode. Now take a sip of beer, you are gonna get some error messages but don't tweak.
a. You will still get the first screen that says do you want ot the following program from an unknown company to make changes on your computer - check yes.
b. it will say motorola datacard drivers 1.5.9 : this installation is intended for 32-bit os versions only.please use the 64bit version on this machine. click okay.
c. Installation incomplete: the installer was interrupted before motorola datacard drivers 1.5.9 could be instaled. You need to restart the installer to try again. hit close.
d. Warning: Motorola Dataard Drier installlation package ersion mismatch. the version supplied with this tool does not match the installed version on the machine. WE cannot guiarantee proper radio enumeration unless you install the latest version. the installation package will start again the next tiem this tool is started. Click OK
e. This version of RadioCOmm is more that 2 months old. This version may be out of date. Please visit the PDO compass webpage and download the latest version of RadioComm. - Click OK.
Radiocom will start! Phew!
you will have to select the chipset at start: I selected CDMA 1x (MSM 7500) w/ Android. I don't know if this is the best or most accurate one. I actually spent 45 minutes trying to search for exactly what our chipset base was... but I decided to be brave (or stupid) and went with this one and it worked. after it boots, Under settings in radiocom, USB, Select PST USB Driver.
3. Now, Connect your droid 3 to your computer and put it in PC mode. If you installed the drivers correctly you should get this cool little screen showing your phone and telling you some info about it that pops up from motos software. in radiocom software in the upper right of the screen right under the RC logo, the lgiht should turn green to show the phone is connected. You can test by pushing the GET button under the SW version. It should return your Android software version. DON'T PUSH ANY OTHER BUTTONS. YOU COULD REALLY SCREW SOMETHING UP.
Now a little background, you can read TBH's awesome explanation, but the quick and dirty one is that moto's software radio uses three different 128 char string identifiers for data requests. Thats how they can tell the difference between your phones web browser asking for data, and a laptop or Xoom connected to your phone asking for data. We are going to use Radiocom to make all three strings match the first string - so all data appears to be just for the phone. After doing so - your verizon installed hotspot app will work and the usb tethering option will too! ta da!
Team black Hat has made a screen shot showing all the steps required it can be viewed here.
I'll also try including it right here but i'm not sure how it will look:
3. now take a deep breath... use the arrows in the Radiocom program to find the tab marked P2K 1.
Look at the image and in your Radiocom program in the bottom left there is a box called STELEM/ RDELEM. First Select Dec entries.
Rdelem means read, and STELEM means write.
now this is very very important. Do not screw this part up. make sure again you have selected Dec entries, because if you enter the numbers below in hex mode and then hit DEC they will change and you will be reading and writing the wrong values which is BAD.
In Dec Mode
For ElementID: enter 8040
Record # 1
Now Hit RDELEM. the box in the top right should go green, a bunch of numbers should flash through but most importantly right next to where you entered the element ID and record number the box that says Data (hex only) will now have a 128 char string in there. Hilight the entire 128 byte string and copy it.
4. You are now going to change the element ID to 8041 (record, offset, length stay the same) and hit RDELEM. If you compare these two numbers they are different, this is how moto knows you are tethering. You would have to paste both into a word file becuase they both end in a bunch of 00's so in the tiny data box they look the same, but trust me they are different. Select the data in the databox for 8041 and delete it. Paste the number from 8040. Now hit STELEM. Again you should see a bunch of numbers go through that box on the top right and it should be green.
5. Now you are going to do the same things for element numbers 8042, and 8043. Remember each time to hit RDELEM first, paste the value from 8040, then hit STELEM.
6. Now hit the restart button next the text box top center. You phone will restart. it will say something scary at first like SIm card not found. This is normal. Give it a Second and it will be right back to normal, you will have your 3G icon and be able to make calls, send texts etc.
EXCEPT.... Now you can use the verizon mobile hotspot application and it won't send to that verizon website that says "would you like to pay for tethering?" - you have just successfully hacked your radio to make verizon believe all data requests are phone data requests.
We might not have root yet, but now we have free wireless tethering! I have had this running for about 24 hours and everything seems perfectly functional. My xoom connects right away to my phone and the distance is actually pretty good (like from bed to desk.. not just pocket to hand). Speeds are functional, just like you would get on the phone.
I hope I have made the wait for root just a little easier for my fellow XDA'ers... I know despite the fact I'm taking the Bar exam in 3 days I still check the forums every hour hoping against hope for some new news of root .... or hell... even video chat working in talk (gchat/huddle/etc).
Again I take no credit for this, All thanks to Team Black Hat! But if you wanted to press the thanks button it would make feel all warm and fuzzy inside =)
- faylix / local