
TBH: Droid 3G Hotspot NVRAM Hack


219 replies to this topic

#1 OFFLINE   p3droid

    Chief Of Staff

  • Administrators
  • 1,396 posts
  • Device:Motorola Droid

Posted 14 October 2010 - 09:19 AM

TeamBlackHat is releasing for the public the only permanent 3G Hotspot hack. Please be responsible and do not abuse this release. MyDroidWorld and TeamBlackHat are not responsible for your behavior nor your bills.
___________________

MyDroidWorld and TeamBlackHat do not condone unauthorized tethering. It is highly recommended that you visit your local carrier's website to set up authorized means of tethering. Users should know that the carrier has every right to suspend service and charge for unauthorized use of broadband services.

This thread is for information only, and the hack is a simple proof-of-concept hack; we recommend that you follow the contract agreement with your carrier and seek only authorized tethering apps/programs.

Edited by p3droid, 14 October 2010 - 09:50 AM.




#2 OFFLINE   CellZealot

    Android Pro

  • Moderators
  • 414 posts
  • Device:D1,D2 dev, DX dev, D2G dev, D Pro dev, D3, Bionic

Posted 14 October 2010 - 09:36 AM

This thread is intended to explain the principles behind tethering and how to use RadioComm to modify the NVM to allow tethering via all methods
on any Motorola Droid device by all users, regardless of whether they are rooted or not.

This is the method we at TeamBlackHat used to create the Tether_Repair patches that were released recently for rooted DX/D2 users in update.zip format
and applied via the Koush bootstrap recovery.

It is based on years old knowledge developed in the early days of CDMA Motorola hacking on the V710/V3c/e815 devices.

All of the information, techniques and software tools to do this are in the public domain already.
What we did is simply take that knowledge and apply it with the latest Service software and methods to the Droid generation devices and packaged it
in a new format for delivery that was never previously available to us before the advent of Android.

We will be releasing the manual method for RadioComm when we have worked through all the details for doing it on Win 7.
Currently the versions of RadioComm available on the net are for Win XP only.

We did it initially as a Proof of Concept of methods for writing to NV items via update.zip using Motorola's own binaries that we have recently developed.
We were not intending to release it at all and all agreed that it would be very controversial and raise many ethical questions as well as attracting the wrong
kind of attention to us as a group at a time when we had just been served a C&D for leaking the 2.3.9 update.zip file.

All of this really came about as a direct result of the examination of the NVM we did investigating nenolod's claims about an Engineering mode "switch"
that unlocked the bootloader on DX/D2. Those claims turned out to be unfounded and false and our work, and in particular MotoCache1's incisive analysis
of the boot process with help from [mbm], was instrumental in revealing that fact.

Not exactly what we had in mind to do, but we were among the few who had the tools and wherewithal to determine the validity of what nenolod was claiming,
particularly in the beginning when he had released very little hard data to back up his suggestion that there was such a string hiding in the NVM.

Nonetheless, while revisiting the NVM and exploring methods to dump the memory we came upon this set of NV items that determines how the radio builds the
authentication strings it autowrites at bootup for data services. I was aware of their existence for months, since they were revealed in a thread
I participated in on HoFo for service programming on the original Droid. That thread was directed towards the methods required to get the Droid on
a different carrier like Cricket or Metro.

In any event, I knew what they would do if modified in this way and decided to use that as a test of MotoCache1's work with the update.zip binaries.

I used RadioComm to edit them individually and MotoCache1 did the really brilliant work of turning this very old school hack into a beautiful,
elegantly delivered package. This proved the power of what we were capable of as a team and we still unanimously decided against releasing
a packaged theft of services hack as not the right thing to do.

We have reconsidered now in the light of these other exploits surfacing which utilize various software level tricks for getting "Free" tethering
with the new 3G Mobile Hotspot app included on DX and D2. I had always felt that this was inevitable and that others would soon put the pieces together
in the same way we had done.

This is a fundamentally different modality but accomplishes exactly the same thing as any other exploit designed to subvert VZW's intent
to differentiate between externally routed modem data and internal data use and charge for that service.
This includes all forms of exploits and applications like PDAnet and WMWiFiRouter(WinMo 6.1) and now Barnacle, whose entire business model is to use
software level methods to mask tethered data and have marketed them as such for years.

All of these methods absolutely violate the TOS agreement with VZW.

This method simply alters that behavior at the lowest level possible on the device, the radio NVM.
It works because of the way VZW chose to setup authentication on their network when they released the first EvDO capable phones in late 2004-2005.
The methods and software tools to access the NVM, as well as the blocks put in place by Qualcomm and Motorola for protecting these
authentication components, have evolved dynamically over the years with advancements in chipset design and software, but the principle
has always remained the same: hex editing the NVM items via a given tool to make the Tethered NAI (Network Access Identifier) strings
match the NAI strings for internal data.

These are basically your user name on the network and consist of the MIP profile byte, a line length byte and your 10-digit telephone number
followed by either @dun.vzw3g.com for tethered NAI or @vzw3g.com for the NAI. By removing the "dun." from the tethered NAI string
you enable all forms of data use to appear to the network as internal and using the normal NAI string.

The difference between the current technique and former methods is that the items edited for this hack are not those strings themselves,
but actually where the default values are stored that the radio uses to build the full strings that it autowrites to the fixed, protected locations in the NVM
for the authentication components in the MIP (Mobile Internet Protocol) profile itself, which happens at bootup.

This is the means by which they prevented the items from being modified by typical service programming tools like QPST.
But, because we know the location for those hidden partial strings, it actually makes our work much simpler.
After editing these four strings, the phone itself uses those values to autowrite the properly configured MIP profile strings for you.

It couldn't be any easier!

Despite our initial concern about releasing this publicly, we have decided after much discussion to do so anyway.
With all of the recent exploits that are directly targeting the 3g Mobile Hotspot app we feel that revealing the way to do it properly
will level the playing field for everyone as well as giving the community a truer and more complete understanding of how it works.
This way users can make up their own minds as to whether to use any of the available methods of "free" tethering with a clear view
of the ethical and technical issues involved.

Hopefully this thread will generate a healthy discussion about the issues.

We at TeamBlackHat believe in providing the knowledge so users can make their own decisions with the best information available.

Please use your own judgment about whether to use this or any tethering modifications.

Enjoy!
CellZealot

TeamBlackHat

Digital alchemy for Droid and beyond
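A worked model of the NAI item layout CellZealot describes in the post above (profile byte, length byte, then the NAI as ASCII), added here as an example; it is not code from the original post, from TeamBlackHat or from Motorola. It assumes the first byte is a MIP profile index (0 is used), that the length byte covers only the NAI bytes, and it uses a constructed phone number. No NV item numbers appear on the page and none are assumed; the script touches no device and only models the bootup autowrite the post describes, so you can see why editing the stored default domain collapses the tethered NAI onto the internal one, and what a check for that condition looks like.

```python
"""Model of the NAI NV item layout described in the post:
[MIP profile byte][length byte][ASCII NAI]. Illustrative only; touches no device."""
from __future__ import annotations

# Domains quoted in the post. The phone number is constructed for this example.
INTERNAL_DOMAIN = "vzw3g.com"
TETHER_DOMAIN = "dun." + INTERNAL_DOMAIN
SAMPLE_MDN = "5551234567"  # constructed 10-digit number, not a real subscriber


def build_nai(mdn: str, domain: str) -> str:
    """NAI = <10-digit number>@<domain>, as described in the post."""
    if len(mdn) != 10 or not mdn.isdigit():
        raise ValueError("MDN must be exactly 10 digits")
    return f"{mdn}@{domain}"


def encode_nai_item(profile: int, nai: str) -> bytes:
    """[profile byte][length byte][ASCII NAI]. Profile index semantics are assumed."""
    body = nai.encode("ascii")
    if not 0 <= profile <= 0xFF or len(body) > 0xFF:
        raise ValueError("profile and length must each fit in one byte")
    return bytes([profile, len(body)]) + body


def decode_nai_item(item: bytes) -> tuple[int, str]:
    """Inverse of encode_nai_item; rejects truncated or over-long items."""
    if len(item) < 2:
        raise ValueError("item too short for header")
    profile, length = item[0], item[1]
    body = item[2:]
    if len(body) != length:
        raise ValueError(f"length byte says {length}, got {len(body)} bytes")
    return profile, body.decode("ascii")


def is_valid_item(item: bytes) -> bool:
    """Cheap sanity check before trusting a dumped item."""
    try:
        decode_nai_item(item)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def radio_autowrite(mdn: str, profile: int,
                    internal_domain: str, tether_domain: str) -> dict[str, bytes]:
    """Model of the bootup step the post describes: the radio takes the stored
    default (partial) values and writes out the two full NAI items."""
    return {
        "nai": encode_nai_item(profile, build_nai(mdn, internal_domain)),
        "tethered_nai": encode_nai_item(profile, build_nai(mdn, tether_domain)),
    }


def tethered_nai_is_masked(items: dict[str, bytes]) -> bool:
    """True when the tethered NAI equals the internal one, i.e. the network can
    no longer distinguish DUN traffic from handset traffic by NAI."""
    _, nai = decode_nai_item(items["nai"])
    _, tethered = decode_nai_item(items["tethered_nai"])
    return nai == tethered


if __name__ == "__main__":
    stock = radio_autowrite(SAMPLE_MDN, 0, INTERNAL_DOMAIN, TETHER_DOMAIN)
    patched = radio_autowrite(SAMPLE_MDN, 0, INTERNAL_DOMAIN, INTERNAL_DOMAIN)
    for name, items in (("stock defaults", stock), ("dun. removed", patched)):
        print(f"{name}: tethered item {items['tethered_nai'].hex()} "
              f"masked={tethered_nai_is_masked(items)}")
```

The point of the model is the one the post makes: the edit is to the default domain the radio reads at boot, not to the finished NAI items, so the protected locations end up rewritten by the phone's own autowrite. The same equality check is what you would run over a dumped profile to tell a stock device from a modified one.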

#3 OFFLINE   p3droid

    Chief Of Staff

  • Administrators
  • 1,396 posts
  • Device:Motorola Droid

Posted 14 October 2010 - 09:47 AM

So after reading the disclaimer and the Team Memo, you can now download the files. It is up to you to decide how to use this, so be wise and judicious in what you do.


Patch Directions:

1) Restart phone into recovery using Bootstrap
2) Select install zip from sdcard
3) Select choose zip from sdcard
4) Find the zip you saved to your sdcard
5) Press the camera button to install file
6) Reboot device

UnPatch Directions:

Do the same thing as above with the unpatch zip.
________________________

You can download these files directly to your phone from within the TeamBlackHat application which can be found in the Marketplace.
________________________


Manual Downloads Below



Droid X Downloads:

3G Hotspot Patch ---- Removed

3GHotspot Unpatch ---






Droid 2 Downloads:

3G Hotspot Patch ---- Removed

3GHotspot Unpatch ---



Edited by p3droid, 19 April 2011 - 06:54 AM.



#4 OFFLINE   Mark_Venture

    Junior Droid

  • Members
  • PipPipPip
  • 69 posts
  • Device:Thunderbolt and Bionic

Posted 14 October 2010 - 10:27 AM

Very nice! Thank you!

CellZealot said:

We at TeamBlackHat believe in providing the knowledge so users can make their own decisions with the best information available.

Please use your own judgment about whether to use this or any tethering modifications.
Very well said!!
Personal devices... Verizon Droid X, HTC Inc
for full list see -> http://mark.cdmaforu...m/equipment.htm <-

#5 OFFLINE   andr0id

    Droid

  • Members
  • 260 posts
  • Device:HTC Incredible. Motorola Droid. Motorola Droid 2. Motorola Droid X.

Posted 14 October 2010 - 11:14 AM

Good stuff, thanks to all who were involved! I just downloaded the BlackHat app to my X and my D2 :)

#6 OFFLINE   Natemz

    Android Pro

  • Members
  • 415 posts
  • Twitter:www.twitter.com/NatemZ
  • Device:Thunderbolt

Posted 14 October 2010 - 11:35 AM

Been using this hack for about a week now. Works great. TBH is the shiznit!


Follow me on Twitter @Natemz


#7 OFFLINE   zerog46

    Moderator

  • Members
  • 502 posts
  • Device:D1 - Dinc - DX

Posted 14 October 2010 - 11:40 AM

Yes they are.




#8 OFFLINE   andr0id

    Droid

  • Members
  • 260 posts
  • Device:HTC Incredible. Motorola Droid. Motorola Droid 2. Motorola Droid X.

Posted 14 October 2010 - 11:41 AM

Natemz said:

Been using this hack for about a week now. Works great. TBH is the shiznit!

Ya I'm happy to see it! I have been so busy with life since the new college year has started, I have had no time for Android! Now things are finally settling down so I have more time to use some of these awesome development tools! I just added the Droid X and Droid 2 to my Incredible to complete the triforce of power! Got everything rooted and rommed, but now time to really get serious :)

#9 ONLINE   dburgessme2

    MDW Noob

  • Members
  • Pip
  • 4 posts
  • Device:Droid x

Posted 15 October 2010 - 05:28 AM

OK. Wanting to NOT root my phone if possible. But, have been reading these forums for a while to see when we'd be able to do this. Especially been watching over the past few days as all this has come about. I have the TBH app and downloaded the tether patch to SD, renamed it update.zip, moved it to root (to SD card, not under any folder). Rebooted into recovery mode and ran it through to the update.zip. So, all that seems good. However, it keeps failing due to verification signature. Anything else I should try? Tried this several times to no avail. Most things I've read simply lead me to thinking I'd need to be rooted to use a different recovery program (bootstrap??) that might work. But, really not wanting to fully root my phone.

I really appreciate everyone's work here. Any suggestions would be great.

Thanks!

#10 OFFLINE   CellZealot

    Android Pro

  • Moderators
  • 414 posts
  • Device:D1,D2 dev, DX dev, D2G dev, D Pro dev, D3, Bionic

Posted 15 October 2010 - 08:24 AM

The method posted here is an update.zip that requires that you are rooted with the Koush bootstrap recovery so that you can run unsigned update.zips.

We are working on several other methods including manually with RadioComm but it only runs under XP currently.

Give us a couple more days and we should have something that works for all users, rooted or not.
CellZealot

TeamBlackHat

Digital alchemy for Droid and beyond

#11 OFFLINE   n0qcu

    MDW Noob

  • Members
  • Pip
  • 2 posts
  • Device:Driod X

Posted 15 October 2010 - 01:52 PM

I am very new with this stuff.
I am rooted
but
What is Koush bootstrap recovery and where can I find it.

NEVER MIND I found what I needed.

The mod works great.

Edited by n0qcu, 16 October 2010 - 12:16 AM.
updated with results


#12 OFFLINE   CellZealot

    Android Pro

  • Moderators
  • 414 posts
  • Device:D1,D2 dev, DX dev, D2G dev, D Pro dev, D3, Bionic

Posted 15 October 2010 - 08:51 PM

Koush's bootstrap recovery is available in the market. It is a partial solution to the locked bootloader on the DX/D2 and allows loading ClockworkMod recovery image so you can load unsigned update.zips
for custom ROMs(system only) and other purposes like this one.
CellZealot

TeamBlackHat

Digital alchemy for Droid and beyond

#13 ONLINE   dburgessme2

    MDW Noob

  • Members
  • Pip
  • 4 posts
  • Device:Droid x

Posted 17 October 2010 - 11:39 AM

OK. Decided to Root after much contemplation. Used method by Sil3ntKi113.

I don't really want to start flashing ROMs as I'm ok with my basic stock Droid X.

I have the 3g Hotspot working now via bootstrap recovery.

I have a couple of questions I'd like to ask and hope that you guys will be able to take a moment and give me some clarity.

1) If Verizon comes out with a future OTA update for Droid X, will my being rooted without new ROMs have any impact on that? Will I have to unroot first to be able to get those?

2) If I do have to unroot, will the bootstrap recovery and 3g Hotspot that is now working cease to work until re-rooting?

3) If I get any other "root" necessary Apps, how will future updates affect them as well?

4) thought about getting Titanium Backup. So, would that have to be done while rooted and only able to be recovered from Titanium Backup once rooted again if I have to unroot for an update?

Lots of questions, I know. I read these forums all the time and I see so much that much of it runs together.

Thanks!

#14 OFFLINE   nexus1

    MDW Noob

  • Members
  • Pip
  • 1 posts
  • Device:Droid2,DroidX,Droid,Milestone,NexusOne

Posted 17 October 2010 - 01:17 PM

Very Nice Writeup!



CellZealot said:

This thread is intended to explain the principles behind tethering and how to use RadioComm to modify the NVM to allow tethering via all methods
on any Motorola Droid device by all users, regardless of whether they are rooted or not.

It couldn't be any easier!


Please use your own judgment about whether to use this or any tethering modifications.

Enjoy!


#15 OFFLINE   andr0id

    Droid

  • Members
  • 260 posts
  • Device:HTC Incredible. Motorola Droid. Motorola Droid 2. Motorola Droid X.

Posted 17 October 2010 - 01:23 PM

OK I am not positive here, but I will tell ya what I think lol. I root and ROM my phone, and never want to see an OTA, so I am not worried about if they will get pushed to my phone or not. But here is what I believe happens, or has in the past anyway. When an OTA gets pushed to your phone, a series of checks will be performed to see if your phone is supposed to receive it and is ready to do so. When you have a heavily customized device with a custom ROM on it, you will not pass the checks and will receive no notice to install the OTA. However, if you are just rooted and that is it, it is likely you will pass the checks and the OTA will be available for download for you. In many cases, Droid X included, if you install an OTA you will lose root, so yes Bootstrap and the 3G hotspot patch will not work until you root again (which may be a long time away, as with a new OTA comes a need for a new root method in most cases). The exception to this case would be unrEVOked forever, which allows you to keep S-OFF root access even if you do install an OTA, but that does not apply here.

As for future root-dependent apps, if you install an OTA, you will lose root so the apps will be rendered useless until you root again. I personally love Titanium Backup. It is for root users only. I flash a lot of ROMs so, besides just having a backup of apps and their respective data, I use it to reinstall certain apps after I do a wipe for a fresh ROM. For example, I use it to reinstall apps that use a personal account to easily restore without having to set up the apps again. Like Dropbox, Foursquare, Catch Notes, etc. If I re-install Catch Notes from Titanium after I flash a new ROM, the app will be loaded just as it was when I backed it up, so all my notes will already be there without having to link my account and sync my notes. Hope that makes sense.

I like to pass on OTAs and wait for one of the awesome devs to make a ROM that is based off of the OTA, lots of times basically identical. That way you won't lose root. To me, that is more important on my Droid X than it is with my Incredible as Motorola is much more strict regarding development compared to HTC. So who knows what they will sneak into an update. I like the Dev community to take a look first so I don't do something that cannot be reversed. I also like to run custom ROMs as many of them get rid of unnecessary bloatware, as well as speeding up the phone lots! Plus all the cool personal details the devs bake in. I learned development, rooting, roms, etc from my HTC Incredible which was much easier to learn on compared to the Droid X tho. But if you want to do some cool stuff with your X, there are solid ways available and plenty of helpful people to guide ya thru. If you do decide to proceed, just make sure you read the direction thru at least TWICE, BEFORE doing anything, then follow them EXACTLY, and you will be fine. Lastly, ASK QUESTIONS if you are unsure of something. If ya do that, I think you will be happy with what is available for the X, P3, DroD, and others have made some pretty damn nice, speedy and responsive ROMs, and combined with other awesome tools such as Bootstrap and ROM Manager from Koush, the X can be more awesome than you would expect :) However, if you feel more comfortable with leaving your X alone, by all means do so! It is still an awesome phone!

Lastly, as I said before, the info I provided is what I am pretty sure to be true, but hopefully someone with a bit more knowledge can jump in and confirm or correct me. Enjoy!

#16 OFFLINE   dandroid

    Junior Droid

  • Members
  • PipPip
  • 12 posts
  • Device:droid,eris,hero,droid x, now INCREDIBLE!

Posted 18 October 2010 - 02:29 AM

I have my DX on Cricket. Does this mean I'll get Verizon WAP for free, or Cricket? dandroid

#17 OFFLINE   CellZealot

    Android Pro

  • Moderators
  • 414 posts
  • Device:D1,D2 dev, DX dev, D2G dev, D Pro dev, D3, Bionic

Posted 18 October 2010 - 12:25 PM

Neither actually...it has to do with tethering not WAP access.
CellZealot

TeamBlackHat

Digital alchemy for Droid and beyond

#18 OFFLINE   dandroid

    Junior Droid

  • Members
  • PipPip
  • 12 posts
  • Device:droid,eris,hero,droid x, now INCREDIBLE!

Posted 18 October 2010 - 06:39 PM

CellZealot said:

Neither actually...it has to do with tethering not WAP access.

OK, then would it affect my settings for APN or anything for Cricket? Finally everything works, including MMS. Because Cricket runs on a proxy, does this work for my application for tethering?

Edited by dandroid, 18 October 2010 - 06:46 PM.


#19 OFFLINE   exodusjeremiah

    MDW Noob

  • Members
  • Pip
  • 6 posts
  • Device:droid

Posted 19 October 2010 - 01:59 AM

Can this be done on the Droid 1? If so, where are the files?

#20 OFFLINE   Icebluemale30

    Junior Droid

  • Members
  • PipPip
  • 18 posts
  • Twitter:http://twitter.com/icebluemale30
  • Device:Droid X

Posted 19 October 2010 - 07:11 AM

exodusjeremiah said:

Can this be done on the Droid 1? If so, where are the files?

The Droid 1 doesn't have the parts in it for a 3G hotspot. Try the wifi tethering hack instead: get rooted first, then install Wireless Tether. Look it up in the how-to part of the forums.




