[HOW-TO] [CDMA] Backup your HA and AAA keys

Search This thread
S

simonsimons34

Guest
Sometimes when you flash a new radio, or you mess around in QPST you can break your data. Whats behind the breakage you may ask? Its your AAA and HA shared secrets.

A little background information:

The HA key is what gets you 1x data on your carrier. This is carrier specific, however is NOT phone specific. This could be google'd if you really required it.

The AAA key:
This IS device specific, you cant google it. Its connected to your account, and the way to get it is not what some consider easy. This is what gets you EVDO speeds, with out it you are stuck on 1x. If you call your carrier they will not give it to you either.


Continuing on to more information...

We will need a few tools to backup the keys, some free some not.
Team BlueRidge Sense 2.1 (it contains proper apps for using DM PORT)
QPST (free find it online)
CDMA Workshop (the demo should be fine, you could also borrow it)
HTC DIAG drivers (Just google it and find the installation guide)
Time
A hex editor


Now for the fun.... (If something seems too vague, google it)

First, we must get msl, use the app MSL Reader in the market.

Now, dial ##PORT# on the you will get a menu, hit enable, and then
go ahead and enter your MSL.

Now, lets open QPST, set up the phone, and go to EFS in the services tab of QPST

Now in EFS, make a folder called "open sesame door" without quotes all lower case in the root directory of the file system

reboot your phone

Now---- Open CDMA workshop and connect to the com port of your phone

Lets do memory read here, see where stuff is

Readable area from: 013D:0000
Unreadable area from: 01EA:0000
Readable area from: C000:0000
Process is stopped at: C0F1:0000

That says, we can read 013D:0000 and C000:0000 Ill save you time and tell you we need to dump 013D:0000 however (for all vm ive seen)

So now, lets go back to cdma workshop (should be there already) and choose to read Memory, make sure eeprom is not checked

Start address will be 013D:0000 (what i mentioned earlier)
size 99999999

This will scan the phone and dump everything into a .bin

Lets get a snack while this dumps... It will take a while

_________________________________________________

Okay, now the thing is dumped, lets call this scan1.bin

Open this in hex now, and hit ctrl+f

search for the word "secret" No quotes of course

now (for vm) you will see vmug33k that is your HA key, the first one showed under secret is ALWAYS HA key

look down one line, whalla, your aaa key is right below. (BACK THIS UP email it to yourself take a picture, ect, DONT LOOSE IT EVER, YOU WONT GET IT BACK)

so now you have your keys backed up, i cant tell you what you can or cannot do with them, it is up to you the end user, however i cannot endorse flashing phones or any illegal activity. In the mannor I am providing this, it is to ONLY save your aaa key incase of a bad radio flash, if you ever find a leaked radio.
 

Will32

Senior Member
May 12, 2011
1,523
659
Benton
You're right Simon, you will not get that AAA secret back, better hope you have warranty if you lose it (i know from experience). Thanks for this.

On another note, do you know if their is a way to increase max speaker volume through qpst on this phone?
 
S

simonsimons34

Guest
You can but I can not say how as it's illegal in some cases. If you, the end user choose to, it is up to you. I can not endorse it, however, I can say, qpst is your friend

Sent from my HTC_A510c using Tapatalk
 

Majinko

New member
Jul 17, 2009
1
0
You say line below but that's a bit vague seeing as you don't say what offset length your using. Are you using 8, 10, 16 offset or what?
How long is the AKEY?
I'm a bit confused. I had it with QXDM but it doesn't work under Vista so I can't look it up the easy way.

Any help would be appreciated.
 

insink71

Senior Member
Nov 9, 2010
610
253
Greenville, SC
teamblueridge.org
QXDM runs on Win7, don't know why it wouldn't on Vista... [the key is one must run it in XP compatibility mode]. That being said, the above tutorial references a tool in QPST [which doesn't require compatibility mode] called EFS Explorer; then switches to CDMA ware. It works as prescribed; no QXDM needed [QXDM didn't work for me attempting the easy way; doesn't display second set of info].
On specific question, if you open the dumped file in a hex editor [like HxD], you can visually see your aaa key after searching, as the tutorial suggests you do. I didn't need to put any offsets in my hex editor. You will find the aaa key to be 10 characters I believe for our phones [or more [[double that]] in binary].
Hope that helps; thanks for the tut Simon.

Rob

Sent from my PC36100 using Tapatalk 2
 
Last edited: