July 28, 2011
Activate your Sprint Galaxy Tab on Boost Mobile
Pre-reqs:
Working Boost Mobile CDMA/EVDO donor phone (such as Sanyo Incognito, I hear a Boost Samsung Intercept works too, possibly Innuendo). Make sure voice and data services are all working properly.
USB Drivers for donor phone (Incognito only seems to have 32bit XP drivers)
Windows XP Physical machine (CDMA Workshop will not run on a VM and due to the 32 bit XP driver limitation on the donor phone you may need a WinXP box)
Sprint Galaxy Tab running Gingerbread EF17 (May work on a VZW Tab?)
Samsung Galaxy Drivers (Same drivers work for Tab, Epic, Captivate, etc...)
The 6 digit SPC (aka MSL) unlock code for both phones.
- For Galaxy hardware, root the device then run 'getprop ril.MSL' from a terminal emulator or ADB shell
- For the donor phone, when you activate the device, the boost mobile website gives you the MSL to program the phone.
- There are other more complicated ways to get the MSL with CDMA workshop, but its a pain in the ass.
CDMA Workshop
QPST installed on your machine
QXDM installed on your machine
A little common sense
A large hammer
1. Connect donor phone to the PC and install drivers for it. Check device manager to see what COM port is assigned to the phone.
2. Open CDMA workshop, choose your COM port under COM settings and hit connect.
3. Go to the security TAB and enter your SPC unlock code, click the SPC button and choose send.
4. Under the memory tab click the read button under NV Items. You need to read the following NV items 1 at a time and save them to individual files (use the same number for 1st and last as to only read the items individually):
465
466
1192
1194
5. Close CDMA workshop and Open the QPST Configuration application. Go to the ports tab and click add new port. Make sure the port you add matches the port you saw in device manager.
6. Open the QXDM application. Click on options -> communications and select the COM port of your phone then click ok.
7. Next to view, click the drop down and choose "Command Output" under the "Common" heading.
8. Click in the command box at the bottom and run the command:
spc XXXXXX (where XXXXXX is your SPC unlock code)
9. Next run the command:
requestnvitemread ds_mip_ss_user_prof
10. Ignore the DIAG TX Item section, copy and paste everything under the DIAG RX Item section into a text document. These are your Sprint AAA and HA keys which match your active ESN for the donor phone, so name the file Sprint.txt.
11. Next run the command:
requestnvitemread ds_mip_ss_user_prof 1
12. Same as step 7, ignore DIAG TX Item and copy everything under DIAG RX Item into a text document. These are the AAA and HA keys for the Boost portion of Sprint's network which match your active ESN. Name the file Boost.txt.
13. Open the QPST Service Programming application and select your phone from the list that comes up under active phones.
14. Click "Read from Phone" on the bottom. You will be prompted for your 6 digit SPC/MSL lock code again.
15. Click "Save to File" and save in a safe place with all the other goodies we've accumulated so far. Take note of the filename and the phones model # (at the top left of the window), you'll need this for step 26. If the file won't save, you may need to add an extra number to the "Field Service" value in the Settings tab. Just add a 0 to the end of it, it's really not important.
16. Make sure everything is saved, close all programs and unplug the donor phone. Remove the battery from the donor phone and NEVER TURN IT ON AGAIN!
Now, programming the Tab...
17. Go into the Memo App and in the search box type ##8778#. Choose MODEM under the USB section.
18. Connect the tab to your computer via USB. Make sure the drivers install. In device manager find the COM port it is using.
19. Open CDMA Workshop, under the main tab select the proper COM port and click connect.
20. Backup the 4 NV items (Steps 3 & 4) like you did for the donor phone and save them in a safe place.
21. On the Memory tab, use the write function under NV Items to write the 4 files we saved from the donor phone earlier in this section (465, 466, 1192, 1194). Close CDMA workshop when complete.
22. Open QPST configuration and add a port for the tab like you did in step 5 for the donor phone.
23. Open QXDM. Go to options -> communications -> target port and select the COM port for the tab. On the drop down menu choose Command Output.
***IF YOU VALUE THE ESN ON YOUR TAB AND MAY WANT TO RETURN TO STOCK OR ACTIVATE ON SPRINT ONE DAY SAVE YOUR STOCK KEYS - THEY WILL BE ERASED FOREVER SOON!!!***
24. To back up your original AAA and HA keys run this command:
spc XXXXXX (where XXXXXX is your SPC unlock code)
requestnvitemread ds_mip_ss_user_prof
Then save everything under DIAG RX Item section like we did earlier on the donor phone. Save this file is a safe place!!! There is only a single profile for the Sprint keys which is why we only have to run the command once on the Tab (remember we did a similar command a second time to get the boost keys off of the donor phone).
25. Now run the following commands:
password 01F2030F5F678FF9
RequestNVItemRead meid (should show HEX on back of the tab)
RequestNVItemWrite meid 0x00A0000000000000 (0x00 is the HEX prefix followed by your donor's phone 14 character HEX MEID starting with the letter A)
RequestNVItemRead meid (verify it now shows the new HEX MEID)
RequestNVItemRead esn (save this output just in case)
RequestNVItemRead scm (save this output just in case)
(You can now close QXDM)
26. Open QPST Service programming and select the Tab for your active phone. Click the read from Phone button to populate all the data fields. (save to file for a backup like donor phone)
27. Click Connection -> new. Under work offline select your donor phone model (for Incognito it's SURF6025-ZRF6000-A). Then click the folder icon under the connection menu. Open the file you saved in step 15.
28. Arrange the 2 windows in QPST side by side so you can easily compare them. Now we need to configure the following sections of the tablet to look exactly like the donor.
CDMA (Ignore the Channel and EVRC sections but make everything else match.)
CDMA-2
AMPS
System (Only the 1st SID/NID have to be populated with 4139/65535. Make the others 0/0)
Roam
On the M.IP tab, make sure the active user is 0.
At this point the radio in the Galaxy Tab is basically ready to register on the network for Voice, SMS and 1xRTT data. We're in the home stretch, now for some 3G love and MMS.
29. We need to get your AAA and HA keys from the sprint.txt and boost.txt files we created earlier. Open those txt files and you should have something like this:
DIAG RX item:
index = 0
mn_ha_shared_secret_length = 0x06
mn_ha_shared_secret[0] = 0x12
mn_ha_shared_secret[1] = 0x34
mn_ha_shared_secret[2] = 0x64
mn_ha_shared_secret[3] = 0x45
mn_ha_shared_secret[4] = 0x45
mn_ha_shared_secret[5] = 0x78
mn_ha_shared_secret[6] = 0x00
mn_ha_shared_secret[7] = 0x00
mn_ha_shared_secret[8] = 0x00
mn_ha_shared_secret[9] = 0x00
mn_ha_shared_secret[10] = 0x00
mn_ha_shared_secret[11] = 0x00
mn_ha_shared_secret[12] = 0x00
mn_ha_shared_secret[13] = 0x00
mn_ha_shared_secret[14] = 0x00
mn_ha_shared_secret[15] = 0x00
mn_aaa_shared_secret_length = 0x10
mn_aaa_shared_secret[0] = 0xE8
mn_aaa_shared_secret[1] = 0x13
mn_aaa_shared_secret[2] = 0xE3
mn_aaa_shared_secret[3] = 0x80
mn_aaa_shared_secret[4] = 0x13
mn_aaa_shared_secret[5] = 0x15
mn_aaa_shared_secret[6] = 0xES
mn_aaa_shared_secret[7] = 0x78
mn_aaa_shared_secret[8] = 0x8D
mn_aaa_shared_secret[9] = 0xD4
mn_aaa_shared_secret[10] = 0x78
mn_aaa_shared_secret[11] = 0x0B
mn_aaa_shared_secret[12] = 0x45
mn_aaa_shared_secret[13] = 0x18
mn_aaa_shared_secret[14] = 0x88
mn_aaa_shared_secret[15] = 0x78
These values translate into HA key 123464454578 and AAA key E813E3801315ES788DD4780B45188878. These keys are derived from the 2 characters after the x at the end of each line. You will need your AAA and HA keys for both Boost and Sprint (total of 4 keys). The Sprint AAA key is 32 characters and the others are all 12.
30. Like the other sections (CDMA, CDMA2, AMPS, etc...) we need to make the M.IP tabs match from the donor to the Galaxy Tab. When you're done you'll have 2 profiles in the M.IP section. Profile 0 being Sprint and Profile 1 being Boost. You will need to enter your AAA and HA keys for each profile as HEX values. Don't forget to make all the other info the same!
31. Once you've triple checked everything and your absolutely sure YOU'VE BACKED UP YOUR ORIGINAL KEYS click write to phone and the Galaxy Tab will reboot. Within a few minutes (15 at the most) of it being booted back up, you should have either seen a 3G icon with dancing arrows or some kind of error. If you got an error, go back into QPST programming and see what you fat-fingered.
32. Now that your Galaxy Tab is provisioned including 3G all that's left to fix is MMS. Go back into the memo app and type ##3282# in the search box. Tap edit and enter your SPC lock code. Tap Others and go to the MMSC URL. Change this URL to
http://mm.myboostmobile.com (write the original down if you ever want to revert)
33. For extra credit, go into multimedia and remove the RTSP and HTTPPD proxy ports and addresses. This seems to help streaming content performance when on 3G. Even if it doesn't, who wants all their shit going through someone else's proxy. (write the originals down if you ever want to revert)
34. Just as a quick check go back into Memo and enter ##8778# in the search box. Make sure your USB is set back to PDA instead of MODEM.
35. Make sure everything on your Galaxy Tab is kickin' ass and that all the files we created in the process are BACKED UP in MANY PLACES! Then take the big fucking hammer and smash the shit out of the donor phone!
That's it... 3G has been working for me, navigation works, WiFi works... I haven't tested everything but Gmail, Web, Youtube all seem to work just fine too so we should be good to go. Free texting over Google Voice works like a champ as well.
Incognito XP drivers:
http://devphone.org/files/Incognito_Drivers.zip
Sprint Galaxy Tab drivers:
http://devphone.org/files/gtab7/Sprint_P100_Samsung_GALAXY_Tab_USB_Drivers.msi
The rest of the files you will have to find on your own!
Pro-Tip: If you still want to use the donor phone MAKE SURE you turn off the Tab or put it in air plane mode. NEVER HAVE THEM BOTH ON AT THE SAME TIME! You have been warned!
Tip 2: When you put your Tab to sleep (turn the screen off) it will disable wifi and kick over to 3G. To stop that from happening and using data for the day you need to change the WiFi sleep policy. Settings>Wireless and network>Wi-Fi settings>(hit menu key) Advanced>Wi-Fi sleep policy and change it to Never. But the safest way is to put the Tab in airplane mode and only take it out when you want to use 3G as you can still enable wifi in airplane mode.