Flash Epic 4G Touch To Boost Mobile COMPLETE Guide

The Complete Guide for Flashing an Epic 4g Touch to Boost Mobile Information Compiled by j7jman

DISCLAIMER

This guide is provided as an educational purpose, extend your horizon. No illegal activities can or should be done using this guide, nor can I be held responsible for it. I will also not be held responsible for any damage done to your phone by the use of this guide since you are acting under your own will.

What you need

-Boost Mobile Phone with 3G Capabilities (preferably a Sanyo Incognito)

-Driver for Epic 4G Touch- Link (Kies or the Samsung ones would work)

The Following 3 can be found here- Link

-Drivers for your donor phone

-CDMA Workshop 2.7+

-QPST 2.7+

-QXDM 3.11+

*Not required but open up a text document to take notes and whatnot, it won’t hurt.

Lets Begin.

EXTRACTING ALL DATA FROM DONOR

Step 1: Get your Donor phone MSL Code. The Master Subsidy Lock (MSL aka SPC) is a six digit code that is used to program your phone. There are two ways you can retrieve this code.

One way is by calling boost mobile and telling them you have an “issue with your mobile data”. It really sucks waiting for a representative though right?.. Not any more.. Dial 611 and after the voice says "for spanish, press 2" and starts talking again, press 8 twice fast. it will transfer you straight to a representative. Tell them about the non existent issue and they'll give you instructions. During these instructions they’ll tell you to press ## and six numbers and # again.. those six numbers are your MSL! Cool huh?
Another way is using Boostmobile.com. Log into your account using your 4 digit pin. If you don't remember it or know it, use that nifty little trick previously explained and ask a boost representative for your pin. After logging in click on “Update Handset”. You’re going to see a set of numbers underneath “Current Phone Information:”.. Highlight, Copy, and Paste those numbers into the area below where it says, “Enter your MEID/ESN”. You’re going to want to save this number you’ll need it again. Then change the last digit to something different. Click next. Don’t follow those instructions they’re pointless. Repeat these steps again but instead enter the ORIGINAL set of numbers you copied and then click next. It should display those instructions again, and your actual MSL.

Step 2: Extract Data- After You’ve installed the drivers for your donor phone (Incognito) you have to extract four memory files called NV items using CDMA Workshop. These NV items are important because we need them so the the Boost Mobile/ Sprint Network can Identify your Epic and allow it access to data services. The we have to save a copy of your phone’s information profile using QPSD.

A) QPSD Configuration: Before anything we have to find out what port number your phone is using. Connect your Incognito to your pc. A screen will pop up on the Incognito saying connect to pc or something, don’t select anything. Open Service Programming hopefully you’ll see your phone is connected, and it port #. Click “enable” if it isn’t already enabled. If you don't see your phone listed click “Add New Port” on the bottom right and uncheck “Show Serial and USB/QC Diagnostic ports only”. If you see click it, hit ok and then enable it. Don’t forget to remember your port number. Exit when done.

B) CDMA Workshop: Now we need to save those NV files I mentioned earlier. Open CDMA Workshop and select your COM Port # then click read. Go to the security tab and enter your six digit MSL/SPC code. Click on SPC then click “Send”. You Should get a message saying the SPC code is correct and the phone is unlocked. Click on the memory tab and then look at the NV Items Section. Click on read. We need NV items 465, 466 1192, 1194. So where it says First put 465 & where it says Last put 465. We are doing this so we only save NVitem 465. Save it as 465. Do the same for the other three NV Items: 466, 1192. and 1184.

Example:

First NV Item: 465 / Last NV Item: 465
First NV Item: 466 / Last NV Item: 466
First NV Item: 1192 / Last NV Item: 1192
First NV Item:1194 / Last NV Item: 1194

*Make sure you save these in a designated folder named “Boost NV Items”.

C) QPSD Service Programming: Now we need your donor phone’s information such as phone number, and data profile. I think this is the easiest way to get it, we’re almost done with the donor phone :D! Open up QPSD Service Programming, you should your phone listed so click “ok”.

Don’t see it? Try and unplug and plug it in again.
Still doesn’t work?? Plug your donor phone into another usb port and re-do the QPST Configuration step. :(

After you've successfully connected the Donor phone and see it listed click ok then “Read From Phone” Enter your Six Digit MSl/SPC code then enter. Now what you want to do is save all that information that’s in all those tabs, we’ll need some of it for your new phone. Click on the “Save to File” button and save it as “Incognito Data” in a designated folder. Exit the program

Step 3: Copy Data Profile Passwords- In order for your 3g data to work we need two sets of passwords for two data profiles. Profile 0- The Sprint profile, and Profile 1- The Boost Profile. Each profile has one HA password and one AAA password. Both profile’s share the same HA password but have different AAA passwords. We will use QXDM to find these “Secret” passwords.

A) Open QXDM, Select Options > Communications and select your port number, then click ok. Next click on View > New > Common > Command Output. A black box will appear, this is where information will be displayed. Now in the white command box located in the UPPER part of the program type the following command:

spc YOUR6DIGITSPC <HIT ENTER>

requestnvitemread ds_mip_ss_user_prof

<ENTER>

*You will get a bunch of data, it will start with the DIAG TX Item section. Ignore this part and go down until you see the DIAG RX. Select and copy this part to the end of the output to a notepad text file and save it as “Sprint Passwords”

After you’ve saved that type the Following in the Command Box:

requestnvitemread ds_mip_ss_user_prof 1 <HIT ENTER>

*Again, You will get a bunch of data, it will start with the DIAG TX Item section. Ignore this part and go down until you see the DIAG RX. Select and copy this part to the end of the output to a notepad text file and save it as “Boost Passwords”

B) Exit QXDM, disconnect your donor phone, put it in airplane mode and turn it off. Never have them on at the same time!! Take out the battery and type/write down the MEID, it can be found next to where it says “HEX:” in the battery compartment.. save to a notepad text file or something we will definitely need this.

Put that old S.O.B. to the side here comes the real stuff!

Step 4: Inserting Data- Now that we have all the data we need to use CDMA Workshop to write (copy) those NV items to your Epic 4g Touch, QPST to insert required information such as phone number and data profile information, and finally QXDM to change your MEID/ESN.

A) Before We do anything to your New Epic 4G Touch we the phones MSL/SPC, it’s a lot easier to get though. Turn the Wifi on and download an app called Connectbot. Open Connectbot. In the small dropdown box on the bottom left that says SSH, click and choose local. Put Android or whatever in the nickname box and hit enter.

Click on Android.
Use the command "getprop ril.MSL" and hit enter.
Your MSL will be displayed.

**After Getting your MSL/SPC I HIGHLY recommend doing a factory reset by dialing ##786#. This is so we can avoid issues when inputting the NV files into the phone. When you do the reset click cancel on the “hands Free Activation”.

B) After you’ve installed the Epic 4G Touch Drivers, Dial ##8778# and select “CP” then connect your phone to your pc. Go Back to step 2 A so you can find out what port number your phone is connected to. When you connect it it should finish installing some drivers and you’ll be good to go.

C) Open CDMA Workshop. Click on the port number and then click read. Go to the security tab and you’ll see a field that says “FFFFFFFFFF”. Delete all of them and copy and paste this code: 01F2030F5F678FF9, then click send. Go to where your SPC/MSL should be and put your SPC/MSL in the required field and click send. It Should Say your Phone is Unlocked. Remember those NV items we saved before? We’re going to need to Write them to your Epic. Head over to the Memory tab and click on “Write” in the NV Items Section. A window will pop up asking you to select which NV Item you wish to write to your phone. Pick 465 and hit ok, then it will write that file to your phone. Do the same for the other three NV Items we saved earlier. When you are done exit CDMA Workshop.. Some people speculate on whether rebooting upon exiting CDMA Workshop ruins to input, in my opinion I always reboot when the application asks. You can choose to or not, it’s up to you.

D) Open QXDM Pro- Changing your MEID/ESN- Click on the Communications tab and select Target Port and then choose your phone (the only option).

Now type The Following Commands in the White Command bar, Make sure you have the Black Command Output window open.

Type- Password 01F2030F5F678FF9 < Hit Enter >

Type- requestnvitemread meid < Hit Enter >

Type- requestnvitemwrite meid 0x00Axxxxxxxxxxxxx <Put your Donor’s Meid right after the 0x00.

***Now we have to make sure your MEID is the same as your donor phone.Type the following commands to verify:

Type- requestnvitemread meid <You should see your donor’s MEID

Type- requestnvitemread esn <your Donors ESN

Type- requestnvitemread scm

*If everything worked correctly Exit QXDM, Keep your phone connected and move on to the next step.

E) Open QPST Service Programming. Select your phone, click ok, then Read From Phone and enter your 6 digit SPC/MSL. Maximize the window then press Ctrl+N. Select “Work Offline”. Click on the pulldown menu and select “SURF6025-ZRF6000-A”. This will be blank so we need to open up the file we saved earlier named “Incognito Data” by clicking on “Load From File” at the bottom right. Now you have two windows, one displaying the Epic’s information and one with the Incognito information. You need to copy the incognito data to the epic from the following tabs:

CDMA Tab- Copy the Directory # and the IMSI_S number.
CDMA 2 Tab- Copy the Directory # and IMSI_S number.
AMPS Tab- Copy the Directory # and Phone Number
Roam Tab- Copy Directory #
PPP Tab- Under the AM section look at the PPP Authentication area and make sure it says YourMEID@hcm.sprintpcs.com under User I.D. (Password should be left blank.)

Head over to the M.IP Tab This is where we will insert information that’s required so we can get 3g working.

Click on Profile 0 and click edit. Make sure the information looks like this:

NAI: YOURMEID@hcm.sprintpcs.com

Home address: 0.0.0.0

Primary HA address: 68.28.15.12

Secondary HA address: 68.28.31.12

SPI: 4D2

Rev Tunnel Preferred: Checked

Click on Profile 1 and Click edit. Make sure that the box next to “Profile Enabled” in the upper left corner. Then Make insert this information.

NAI: YourName@myboostmobile.sprintpcs.com

Home address: 0.0.0.0

Primary HA address: 255.255.255.255

Secondary HA address: 68.28.89.76

SPI: 4D2

Rev Tunnel Preferred: Checked

*Keep the M.IP tab open we have one last step in QPST... The HA and AAA Passwords for each of the profiles.

F) HA and AAA Passwords- Now lets find your HA and AAA keys for both your profiles. Open the Sprint and Boost Password notepad files we saved earlier. If you look in the output data in the notepad files, you will see 2 sections each with [0-15] lines, the passwords are the very last 2 digits of each line. I’ll explain and show you an example.

Sprint (Profile 0 in the M.IP Tab)

HA Password is 12 digits long
AAA Password is 32 Digits long

Boost (Profile 1 in the M.IP Tab)

HA Password is 12 Digits Long
AAA Password is 12 Digits Long

Here is an Example..

This is “my” Sprint (Profile 0) data output:

DIAG RX item:

index = 0

mn_ha_shared_secret_length = 0x06

mn_ha_shared_secret[0] = 0x12<Start here

mn_ha_shared_secret[1] = 0x34

mn_ha_shared_secret[2] = 0x64

mn_ha_shared_secret[3] = 0x45

mn_ha_shared_secret[4] = 0x45

mn_ha_shared_secret[5] = 0x78 <End Here

mn_ha_shared_secret[6] = 0x00

mn_ha_shared_secret[7] = 0x00

mn_ha_shared_secret[8] = 0x00

mn_ha_shared_secret[9] = 0x00

mn_ha_shared_secret[10] = 0x00

mn_ha_shared_secret[11] = 0x00

mn_ha_shared_secret[12] = 0x00

mn_ha_shared_secret[13] = 0x00

mn_ha_shared_secret[14] = 0x00

mn_ha_shared_secret[15] = 0x00

mn_aaa_shared_secret_length = 0x10

mn_aaa_shared_secret[0] = 0xE8 <Start Here

mn_aaa_shared_secret[1] = 0x13

mn_aaa_shared_secret[2] = 0xE3

mn_aaa_shared_secret[3] = 0x80

mn_aaa_shared_secret[4] = 0x13

mn_aaa_shared_secret[5] = 0x15

mn_aaa_shared_secret[6] = 0xES

mn_aaa_shared_secret[7] = 0x78

mn_aaa_shared_secret[8] = 0x8D

mn_aaa_shared_secret[9] = 0xD4

mn_aaa_shared_secret[10] = 0x78

mn_aaa_shared_secret[11] = 0x0B

mn_aaa_shared_secret[12] = 0x45

mn_aaa_shared_secret[13] = 0x18

mn_aaa_shared_secret[14] = 0x88

mn_aaa_shared_secret[15] = 0x78 <End Here

What you want to do is take the last 2 digits from each line and write/type them. So for My Sprint (Profile 0) output, My HA Password would be 123464454578 and my AAA Password is E813E3801315ES788DD4780B45188878

Do the same for boost’s HA and AAA Passwords, remember Boost’s (Profile 1) AAA Password is only 12 digits, so the start and end points for the Profile 0 AAA Password would be irrelevant.

G) Go Back To the M.IP Tab. Click on Profile 0 and then hit “Edit”. Where it says “Enter Shared Secret” click “Enter HEX Value” put Sprint’s HA Password in the Ha section and the AAA Password (32 digits) in the AAA section. When you’re finished click “Ok”. Do the Same for Profile 1, But insert Boost’s Passwords instead. Remember, the AAA Password for Profile 1 is only 12 digits.

Once you’re done entering your passwords Make sure “Active User” in the M.IP Tab is “0”. If you want to change your SPC/MSL code then head over to the first Tab (Settings) and where it says “Service Programming” change it to Six Zeros (000000). This will make it easier to remember if you need use it ever again.
Optional: If you want to manually update your prl, you can do so by inserting a new prl file under the “Roam” tab. Click browse and search for your the previously downloaded prl file. If you don’t have one and want one click this link. (Thanks Whosdaman!)
Click Write to Phone :D We’re done with the computer!! (hopefully)

FINAL STEP!!

When Your phone reboots, A hands free activation will probably come up, let it do its thing.. I did anyway. If it doesn’t activate make sure you have 3g data working (the little 3g symbol and arrows) because if 3g doesnt work it can't activate. If the Hands free activation never came up, simply go to “Settings” and scroll down to “Activate this Device”. Now one easy step, get MMS working. Dial ##3282# and Tap EDIT. Enter your SPC/MSL (it should be all zeros if you changed it in QPSD) Now Tap Others and the MMSC URL. Change it to http://mm.myboostmobile.com ..If you haven’t already dial ##8778# and select “AP”. If you’re on a CM Rom dialer codes might not work so you shouldn’t have been able to do this in the first place. If you have know idea what the hell a CM rom is then disregard my last sentence :p.

*Note- Using odin to change your modem might erase all the information you inserted using QPSD Service Programming, including your HA and AAA passwords. I’ve personally never tried this because I’ve heard people say it can and can’t happen, so it’s up to you. I recommend not doing it.

ALL DONE NOW!! do a backflip, cartwheel, scream, or just sit there like a normal person and play with your phone!

Credits for this Complete Guide go to Leviuqse, eljean, ebuechler3, and anyone else thats helped out over at the XDA Forums. Thanks!! A lot of this information can be found scattered throughout the web but because of you’s It was easier to put together a fully detailed guide. I Appreciate it, and so should anyone else who used this. Now head over to XDA forums and show these dudes some love.. and while you're at it.. I, j7jman, can use some too haha.. If you have any questions let me know.. later