TBH Free Wireless Tethering Hack Instructions

This is a discussion on TBH Free Wireless Tethering Hack Instructions within the Droid X2 Hacks forums, part of the Droid X2 Forum category.

  1. MikeJ92YJ (Master Droid)
    #1

    TBH Free Wireless Tethering Hack Instructions

    "This thread is intended to explain the principles behind tethering and how to use RadioComm to modify the NVM to allow tethering via all methods
    on any Motorola Droid device by all users, regardless of whether they are rooted or not.

    This is the method we at TeamBlackHat used to create the Tether_Repair patches that were released recently for rooted DX/D2 users in update.zip format
    and applied via the Koush bootstrap recovery.

    It is based on years old knowledge developed in the early days of CDMA Motorola hacking on the V710/V3c/e815 devices.

    All of the information, techniques and software tools to do this are in the public domain already.
    What we did is simply take that knowledge and apply it with the latest Service software and methods to the Droid generation devices and package it
    in a new format for delivery that was never previously available to us before the advent of Android.

    We will be releasing the manual method for RadioComm when we have worked through all the details for doing it on Win 7.
    Currently the versions of RadioComm available on the net are for Win XP only.

    We did it initially as a Proof of Concept of methods for writing to NV items via update.zip using Motorola's own binaries that we have recently developed.
    We were not intending to release it at all and all agreed that it would be very controversial and raise many ethical questions as well as attracting the wrong
    kind of attention to us as a group at a time when we had just been served a C&D for leaking the 2.3.9 update.zip file.

    All of this really came about as a direct result of the examination of the NVM we did investigating nenolod's claims about an Engineering mode "switch"
    that unlocked the bootloader on DX/D2. Those claims turned out to be unfounded and false and our work, and in particular MotoCache1's incisive analysis
    of the boot process with help from [mbm], was instrumental in revealing that fact.

    Not exactly what we had in mind to do but we were among the few who had the tools and wherewithal to determine the validity of what nenolod was claiming,
    particularly in the beginning when he had released very little hard data to back up his suggestion that there was such a string hiding in the NVM.

    Nonetheless, while revisiting the NVM and exploring methods to dump the memory we came upon this set of NV items that determines how the radio builds the
    authentication strings it autowrites at bootup for data services. I was aware of their existence for months since they were revealed in a thread
    I participated in on HoFo for service programming on the original Droid. That thread was directed towards the methods required to get the Droid on
    a different carrier like Cricket or Metro.

    In any event, I knew what they would do if modified in this way and decided to use that as a test of MotoCache1's work with the update.zip binaries.

    I used RadioComm to edit them individually and MotoCache1 did the really brilliant work of turning this very old school hack into a beautiful,
    elegantly delivered package. This proved the power of what we were capable of as a team and we still unanimously decided against releasing
    a packaged theft of services hack as not the right thing to do.

    We have reconsidered now in the light of these other exploits surfacing which utilize various software level tricks for getting "Free" tethering
    with the new 3G Mobile Hotspot app included on DX and D2. I had always felt that this was inevitable and that others would soon put the pieces together
    in the same way we had done.

    This is a fundamentally different modality but accomplishes exactly the same thing as any other exploit designed to subvert VZW's intent
    to differentiate between externally routed modem data and internal data use and charge for that service.
    This includes all forms of exploits and applications like PDAnet and WMWiFiRouter (WinMo 6.1) and now Barnacle, whose entire business model is to use
    software level methods to mask tethered data and have marketed them as such for years.

    All of these methods absolutely violate the TOS agreement with VZW.

    This method simply alters that behavior at the lowest level possible on the device, the radio NVM.
    It works because of the way VZW chose to set up authentication on their network when they released the first EvDO capable phones in late 2004-2005.
    The methods and software tools to access the NVM as well as the blocks put in place by Qualcomm and Motorola for protecting these
    authentication components have evolved dynamically over the years with advancements in chipset design and software, but the principles
    have always remained the same. Hex editing the NVM items via a given tool to make the Tethered NAI (Network Access Identifier) strings
    match the NAI strings for internal data.

    These are basically your user name on the network and consist of the MIP profile byte, a line length byte and your 10 digit telephone number
    followed by either @dun.vzw3g.com for tethered NAI or @vzw3g.com for the NAI. By removing the "dun." from the tethered NAI string
    you enable all forms of data use to appear to the network as internal and using the normal NAI string.

    The difference between the current technique and former methods is that the items edited for this hack are not those strings themselves,
    but actually where the default values are stored that the radio uses to build the full strings that it autowrites to the fixed, protected locations in the NVM
    for the authentication components in the MIP (Mobile Internet Protocol) profile itself, which happens at bootup.

    This is the means by which they prevented the items from being modified by typical service programming tools like QPST.
    But, because we know the location for those hidden partial strings, it actually makes our work much simpler.
    After editing these four strings, the phone itself uses those values to autowrite the properly configured MIP profile strings for you.

    It couldn't be any easier!

    Despite our initial concern about releasing this publicly, we have decided after much discussion to do so anyway.
    With all of the recent exploits that are directly targeting the 3G Mobile Hotspot app we feel that revealing the way to do it properly
    will level the playing field for everyone as well as giving the community a truer and more complete understanding of how it works.
    This way users can make up their own minds as to whether to use any of the available methods of "free" tethering with a clear view
    of the ethical and technical issues involved.

    Hopefully this thread will generate a healthy discussion about the issues.

    We at TeamBlackHat believe in providing the knowledge so users can make their own decisions with the best information available.

    Please use your own judgment about whether to use this or any tethering modifications.

    Enjoy!

    CellZealot

    TeamBlackHat
    "
    Last edited by MikeJ92YJ; 08-27-2011 at 03:55 PM.
    Please Read The Posts In Each Thread Before Posting A New Thread, Try To Help Cut Down On The Redundant Questions So Others Can Find The Answers Quickly.

    Treat Others With Respect.

    I Am Not Responsible For What You Do To Your Phone As We Are All Responsible For Our Own Actions.
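
    The NAI layout described in post #1 (MIP profile byte, length byte, 10-digit number, then `@vzw3g.com` or `@dun.vzw3g.com`) can be checked from the auditing side. The following is an added example, not part of the original thread or of TeamBlackHat's tooling: it parses such records and reports when a device's tethered NAI no longer carries the `dun.` realm. Assumptions: the length byte counts the ASCII bytes after it, records are zero-padded, and the function names, the 32-byte sample size and the number 5555550100 are constructed for illustration.

```python
from dataclasses import dataclass

INTERNAL_REALM = "vzw3g.com"      # realm the post gives for on-device data
TETHERED_REALM = "dun.vzw3g.com"  # realm the post gives for tethered data


@dataclass
class Nai:
    profile: int  # MIP profile byte
    user: str     # part before "@" (a 10-digit number, per the post)
    realm: str    # part after "@"


def parse_nai_record(raw: bytes) -> Nai:
    """Decode [profile byte][length byte][ASCII NAI][zero padding].
    Assumption: the length byte counts the ASCII bytes that follow it.
    """
    if len(raw) < 2:
        raise ValueError("record too short")
    profile, length = raw[0], raw[1]
    body, rest = raw[2:2 + length], raw[2 + length:]
    if len(body) != length:
        raise ValueError("length byte runs past the end of the record")
    if any(rest):
        raise ValueError("non-zero bytes after the declared length")
    try:
        user, sep, realm = body.decode("ascii").partition("@")
    except UnicodeDecodeError as exc:
        raise ValueError("NAI is not ASCII") from exc
    if not (sep and user and realm):
        raise ValueError("NAI is not of the form user@realm")
    return Nai(profile, user, realm.lower())


def audit_nai_pair(internal_raw: bytes, tethered_raw: bytes) -> list:
    """Return findings for one device's internal/tethered NAI records."""
    internal = parse_nai_record(internal_raw)
    tethered = parse_nai_record(tethered_raw)
    findings = []
    if internal.realm != INTERNAL_REALM:
        findings.append(f"internal realm is {internal.realm!r}")
    if tethered.realm != TETHERED_REALM:
        findings.append(f"tethered realm is {tethered.realm!r}, not {TETHERED_REALM!r}")
    if tethered.realm == internal.realm:
        findings.append("tethered and internal NAI are indistinguishable by realm")
    if tethered.user != internal.user:
        findings.append("tethered and internal NAI name different users")
    return findings


def constructed_record(profile: int, nai: str, size: int = 32) -> bytes:
    """Build a made-up sample record; the number below is a placeholder."""
    body = nai.encode("ascii")
    return (bytes([profile, len(body)]) + body).ljust(size, b"\x00")


STOCK = (constructed_record(0, "5555550100@vzw3g.com"),
         constructed_record(1, "5555550100@dun.vzw3g.com"))
MODIFIED = (STOCK[0], constructed_record(1, "5555550100@vzw3g.com"))
```

    `audit_nai_pair(*STOCK)` returns an empty list, while `audit_nai_pair(*MODIFIED)` returns two findings because the tethered record has lost its distinguishing realm.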
  3. MikeJ92YJ (Master Droid)
    #2

    Instructions For RadioComm

    Disclaimer:
    TeamBlackHat does not condone unauthorized tethering. It is highly recommended that you visit your local carrier's website to set up authorized means of tethering. Users should know that carriers have all rights to suspend services and charge for unauthorized use of broadband services.

    This thread is for information only and the hack is a simple proof of concept hack; we recommend that you follow the contract agreement with your carrier and seek only authorized tethering apps/programs.


    "I did this on a Windows 7 64-bit PC. The RadioComm software would def be happier with a 32-bit XP system; it will throw a lot of errors, but it will work.

    Part 1

    1st. You need the most recent Motorola drivers for your computer so that your computer can see your phone. You can get them off the Motorola website, same as if you were going to use adb or RSDlite.

    2nd. You need a copy of RadioComm. RadioComm is a piece of software that's supposed to be for Moto employees only and allows you to read and write data directly to your software radio. You need to search the internet for it; because it's a copyrighted file I can't post it for you. You need to find the latest version. You also need the .NET Framework installed on your computer. You can get that from Microsoft's site for free.

    3. You need a USB cable.


    Part 2

    1. Install the Moto drivers and the .NET Framework. Install RadioComm. It will give you all sorts of errors, but it will install.

    2. Next, find it on your Desktop. Right click on it, and select "Troubleshoot compatibility". I just ran with the suggested settings. Basically what this does is run the application under XP compatibility mode. You're gonna get some error messages.

    a. You will still get the first screen that says do you want to allow the following program from an unknown company to make changes on your computer - check yes.

    b. It will say motorola datacard drivers 1.5.9 : this installation is intended for 32-bit os versions only. Please use the 64bit version on this machine. Click okay.

    c. Installation incomplete: The installer was interrupted before motorola datacard drivers 1.5.9 could be installed. You need to restart the installer to try again. Hit close.

    d. Warning: Motorola DataCard Driver installation package version mismatch. The version supplied with this tool does not match the installed version on the machine. We cannot guarantee proper radio enumeration unless you install the latest version. The installation package will start again the next time this tool is started. Click OK.

    e. This version of RadioComm is more than 2 months old. This version may be out of date. Please visit the PDO compass webpage and download the latest version of RadioComm. - Click OK.

    f. RadioComm will start.

    Part 3

    You will have to select the chipset at start: I selected CDMA 1x (MSM 7500) w/ Android. After it boots, Under settings in RadioComm>USB>Select PST USB Driver.

    3. Now, connect your device to your computer and put it in PC mode. If you installed the drivers correctly you should get this little screen showing your phone and telling you some info about it that pops up from Moto's software. Inside RadioComm, in the upper right of the screen right under the RC logo, the light should turn green. You can test by pushing the GET button under the SW version. It should return your Android software version. DON'T PUSH ANY OTHER BUTTONS. YOU COULD REALLY SCREW SOMETHING UP.

    Part 4

    4. Use the arrows in the RadioComm program to find the tab marked P2K 1.

    Look at the image and in your RadioComm program in the bottom left there is a box called STELEM/RDELEM. First select Dec entries.

    RDELEM means read, and STELEM means write.

    Now this is very very important. Do not screw this part up. Make sure again you have selected Dec entries, because if you enter the numbers below in hex mode and then hit DEC they will change and you will be reading and writing the wrong values, which is BAD.

    In Dec Mode

    For ElementID: enter 8040
    Record # 1
    offset 0
    length 128

    Now hit RDELEM. The box in the top right should go green. A bunch of numbers should flash through, but most importantly right next to where you entered the element ID and record number the box that says Data (hex only) will now have a 128 char string in there. Highlight the entire 128 byte string and copy it.

    5. You are now going to change the element ID to 8041 (record, offset, length stay the same) and hit RDELEM. If you compare these two numbers they are different. This is how Moto knows you are tethering. You would have to paste both into a Word file because they both end in a bunch of 00's so in the tiny data box they look the same, but trust me they are different. Select the data in the databox for 8041 and delete it. Paste the number from 8040. Now hit STELEM. Again you should see a bunch of numbers go through that box on the top right and it should be green.

    6. Now you are going to do the same things for element numbers 8042, and 8043. Remember each time to hit RDELEM first, paste the value from 8040, then hit STELEM.

    7. Now hit the restart button next to the text box top center. Your phone will restart. It may say something at first: SIM card not found. This is normal. Give it a second and it will be right back to normal. You will have your 3G icon and be able to make calls, send texts, etc."

    Special Thanks To faylix @ Xda For These Instructions.
    Last edited by MikeJ92YJ; 08-27-2011 at 03:55 PM.
  4. MikeJ92YJ (Master Droid)
    #3
    I Have Confirmed For Educational Purposes That This Did Work On My DroidX2.

    WARNING : RadioComm Has The Ability To Render Your Device Useless If You Go Messing Where You Shouldn't. I Do Not Have Any Guarantee That A Nandroid Or SBF Would Fix It.
    Last edited by MikeJ92YJ; 08-27-2011 at 04:06 PM.
  5. mjs1015 (Senior Droid)
    #4
    Can you tell me what the latest version of RadioComm is? Having trouble finding it.

    Sent from my DROID2 using DroidForums
  6. masters (Senior Droid)
    #5
    RadioComm_V_11.1.0 is the latest one I found on the net.. But I have not downloaded it..
  7. mjs1015 (Senior Droid)
    #6
    Ok well I found version 11.11.11 but I can't seem to get it to read my phone. Not sure why. Any suggestions?

    Sent from my DROID2 using DroidForums
  8. MikeJ92YJ (Master Droid)
    #7
    I Cannot Give Any More Information Other Than What I Posted. I Do Not Condone This For Use Other Than Knowing It Exists And Is An Exploit. You Can Do What You Want With This As The Disclaimer States. The Directions Are Clear; If You Can't Get It To Work I Would Avoid Proceeding As This Could Render Your Phone Useless.
  9. Snow02 (Droid Ninja)
    #8
    Put your phone in PC mode. Make sure you have the latest moto drivers installed.
  10. mjs1015 (Senior Droid)
    #9
    Just curious if anyone has tried this and gotten it to work other than TBH?

    Sent from my DROID2 using DroidForums
  11. MikeJ92YJ (Master Droid)
    #10
    Nope, It's Been Really Quiet. The First Place That Would Give That Kind Of Info Is Xda. As Soon As Something Drops I'll Post It Everywhere For People To Know.