|
|
kbman给出的方案,我不懂,高手看看这是什么原理?
Ok, here is what I have come up with after going over the latest files you sent." F; Q# J8 c6 s
4 U7 s* ?& v3 q& p2 ~) F# J' eI will list each NV Item in question and compare what your values are to what is on my fully authenticated VZW phone and what I think should be set for your Pre with Profile 2 active.
1 h9 b* @) {& l1 D# e5 ], b* X4 w: HMy phone is a Motorola A4500 Napoleon, an unreleased model, but running VZW firmware with their network protocols and it also happens to me an MSM 6800 chipset similar to the PRE.
2 u. Z1 o* ~: hThere are many additional NV Item in your full backup that look like they may affect authentication that are not active on my phone, so I am unsure whether they are blocking or overwriting some settings.
0 k( A/ E( J% H5 T. S$ N, PWe will just have to get the known NV Items properly configured and see what happens.
1 h" N" F! N: H1 D1 v6 N
- o% {5 u9 F! j6 e' |' c6 YIn general practice, any modifications of this kind are best done while the phone is deactivated and then reactivated once the changes are successfully written. This can avoid many issues with the network resetting auth and flagging it for failure at bootup if the NV is incorrect.
- o7 v! B% G% q) p4 e! x% g
* b0 e$ S4 ]9 R* ~ zNV Item 219 OTKSL (One Time Keypad Security Lock)
: d) H1 \, G% G5 H% M! |- R5 a+ d9 H
Pre: 35 34 32 32 37 34( E7 W0 [ q( b
VZW:30 30 30 30 30 30" F4 g9 j* T$ v
7 |6 u8 l1 r" u7 C
This is like a secondary SPC that is used by Sprint and not by VZW. It may not matter but should be set to 0s like VZW and there is another NV Item for the number of attempts.4 t, g# m4 G0 K* P5 x7 ?
7 H( J& Y8 P. |: `NV Item 296 SPC Change Enabled7 B9 o7 |$ [$ N s- r/ [ t
# @; {9 B: B" I7 A/ M4 t, R
Pre: 00
: e5 @6 P# x0 m4 Z* i% \7 G) RVZW: 01
8 J) x; f4 a! o. D
. } a5 B* q+ y9 i5 }3 p; bShould be enabled for VZW OTAPA to function.
/ }; U8 j( K; x9 m# l. B7 v8 E1 U# Q! }; o$ R! t# ^
NV Item 304 OTKSL Flag9 g7 I [" g' w, _! ?1 [
+ ?" B0 z- |- U1 c, nPre: 01
' w4 O r( |5 G DVZW: 0F
. t7 z2 b ?) g5 E2 g: R/ ]0 w% O) |5 H7 T" F* y: g# a, p1 }+ F, J
This allows multiple uses of the OTKSL and is set for single use on yours and 15 uses on mine. When OTKSL is 000000 it won't matter but should conform to VZW settings.9 X3 P3 t* @5 |6 _
$ M* ]% n% Z/ z& g' e
NV Item 319 PAP Password7 {% s( ]0 h0 R$ r
2 Q! ?) l# h( A1 Y" F+ V5 S! V
Pre: 03 76 7a 77
% p P/ _' g( r& JVZW: INACTIVE/NOT SET8 Q. O9 S. [- b5 b [
- c K2 ^+ t7 B4 |+ M
This was probably written if you filled in all the possible password fields in the PPP tab of QPST.
" b, @, E7 H; H. V! Y$ k+ |, Q1 `This one is a legacy item and not used on VZW even thought the USER ID field Item 318 is set to MDN@vzw3g.com like the other user profile items.. E" n& G: \2 f( m- C; @, F
The fields are empty by default because these items are actually written with the shared secrets for EvDO MIP authentication. You may want to write a service programming with the password fields blank if it causes problems having them all written to "vzw". They "should" get written properly when the phone is set for EvDO and everything else is correct.. g' t* ~& G; T+ [
4 f& c/ h1 l' X1 l UNV Item 450 Data Throttle Enabled
7 h! f/ S/ O' F
: c. r* i3 o2 p6 m8 M8 \9 q8 QThis is enabled (01) on VZW but may be a legacy item and was not in either of your files but is in the data category in QXDM NV Browser and is active for VZW.See what your value is and set it to 01.
& B7 N4 B, [4 q0 j4 `/ p+ b( y* F4 E& g/ }& q8 x9 |( s
NV Item 459 Data Services QC Mobile IP% [2 G' p- \) _) i. q
& D7 w+ c) C( J" }. k* XPre: 00
1 U2 a# ~% o) Z/ w4 k) } ~VZW: 01. Q9 X9 Z0 Q v& ?; E1 l: K
! r+ a4 D8 y( Z1 \9 j$ G6 ~5 V& W/ VThis is important and must be enabled for VZW auth to work.
% [" h& B p7 F2 n./ r* y* R5 i) J) \% V
NV Item 459 Data Services Number of Profiles, M; D0 ~- J; w) v; }% W
1 H8 {0 k C. d1 Y/ N) q3 p6 }Pre: 06; x. m8 B% @' S- c5 v8 ^
VZW: 01
( e& h/ F3 Y/ ~9 j. A
7 Y+ L: e: \; F, r q! K XThis is where it gets a bit confusing. The Pre shows 6 profiles and your initial SP had data in all of them but there is now data in just the first 3 as per your latest SP. The first two are the Sprint profiles which apparently cannot be removed or altered because of the Palm security protocols. In any event, we are currently interested in having only the VZW profile 02 active and all the index bytes and indexes referencing that profile.) r, Z, ]7 D. ?: R/ ^7 P; g8 i
) M( Q( q$ ]3 a+ mNV Item 464 DS_MIP_Active_Prof+ `5 s7 a0 B; k9 r) y8 L9 n
p& |3 m; P0 xPre: 00
+ _' g3 P d3 o( DVZW: 00 (only profile 0 exists on default VZW)* ?1 k- l& o9 y9 X" A6 n
1 j( B2 @$ @% Y# r
This must be set to 02 and stick to set the VZW profile as active and all index bytes set to 02 as mentioned above.
/ P! m& N7 }3 t+ L+ h% n9 d
6 m( u7 D9 d- v* n8 g. c) FNV Item 465 DS_MIP_GEN_USER_PROF$ k; ^9 _& I5 V
2 M$ E: ^6 j% n1 y( ]# `! p- n
This is very important. There are 6 indexes 0-5 on the Pre and 02 is the VZW profile and appears to be correct on your phone. You will note the data is in 2 parts in the hex dump. The first part is the user profile as it appears in other items preceded by the index byte:$ [3 m5 n% _# H
$ k+ v% ^3 m, s
02 14 3x 3x 3x 3x 3x 3x 3x 3x 3x 3x 40 76 7a 77 33 67 2e 63 6f 6d b1 S6 @- X" j& i3 Z
3 T& [9 I* {5 P# E0 J7 k2 A& j
Lower down you see:
* C W* u9 U2 U% \! Q7 ?; ~' x01 2c 01 00 00 01 02 00 00 00 01 00 00 00 00 ff ff ff ff ff ff ff ff 00
) Q Z% D: p- A" a
% P! ?& v/ j1 l% d! |These are the values from the MIP profile for MN-HA SPI etc. represented as a hex string.
4 B" \9 J$ z2 p( C3 i6 `7 q0 \The password strings in Items 906 and 1192 on a properly authenticated VZW phone are composed of the shared secret strings in Item 466 followed by this hex string of MIP values from Item 465 and the User ID strings in Items 910 and 1194 are the same as the first section of 465. "XXXXXXXXXX@vzw3g.com"
, H. p; D; V- f. O5 [! fThe length byte 14 = 20(dec) is the length of that string in ASCII characters.
; F" {5 N* c6 D2 M( [! E B( c& P
`6 C9 X. d$ C6 A2 D# ?This is how the passwords all fit together with the rest of the authentication items and are built using the shared secrets.
$ D& m0 _) G- LFor Sprint and other carriers these are fixed values that are hashes of the MEID or ESN but on VZW they are dynamic and are sent via the network and written to the phone. They are a hash of the hardware ID of the phone but are created by an unknown algorithm and cannot be copied from another device or generated by the user.
4 P0 M5 R# @% x
- g# `9 z g, a1 {; n. @7 ]NV Item 466 DS_MIP_SS_USER_PROF/ X. P: L6 s4 T, m7 p W
C" W0 u2 W) q2 N
This is the actual shared secret string and is 35 bytes and is composed of a profile index byte followed by a length byte 10 then 16 bytes of the HA shared secret followed by another length byte 10 then 16 bytes of the AAA shared secret.The default values in an unactivated phone are as follows:4 f0 ^* ~; F3 j/ m5 X( r! c
E. i: n- u4 L y O: m0 Y
00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ K7 Z2 p! J5 J0 d; B) S w2 L& \) ]6 r$ p, i9 B, n
Yours should have 02 for the index byte.. I9 E& \" N; {9 d w
The first SP you sent included this Item and it had the correct Index but the length bytes were 0f instead of 10. The second file did not include this Item.2 D0 `; }" ~2 z1 v3 d, _
This Item must be written by the network as stated above. If it contains anything but default values it will be flagged and fail authentication and you won't have EvDO and will fallback to 1X.
, \! z' \7 L1 r! g* n8 o( _% }" b* p) h! e5 }0 P
NV Item 714 DS_MIP_Enable_Prof
% _, Y& R# ^9 R5 Y- S8 l! m
0 V- W, V! B7 f" l" tPre: 01 00 01 00 00 00+ d$ c2 O9 I$ u( e& G: P
VZW: 01 00 00 00 00 00
8 D; H- Z0 A% m- `! g. H8 G! ]" m( T) d4 B: h* m
Again, this reflects the fact that there is only one profile on a normal VZW phone and the Pre has six with 2 enabled, the primary Sprint profile 00 and the VZW profile 02.
% f) E+ d9 q* BI would try disabling the primary and only enabling the VZW profile but if that is not possible then it "should" work as it is currently written with multple enabled profiles and the active profile designated in 464. I don't know why there are all the extra profiles on this phone and it's messy and confusing. On many non smartphone Motos the MIP profile can be "unlocked" so that the primary profile can be edited and everything works. Unfortunately, I don't know how to do that on these phones or if it is possible, so we have to work with the additional profiles.8 `+ j3 J" h" A. [; H5 A- H, k
+ W: v4 ?9 U$ x3 ]' ~! }& J+ A
NV Item 889 DS_MIP_DMU_MN_AUTH
3 l8 L' |, D" _& z( W* Z, p$ g- a3 D& Q4 s% f2 ]# h
This is an Item that is not in any of the files you sent but is set on VZW and could be critical.
9 H: w6 r9 n5 p% k4 Z& D& |( eIt is 4 bytes of hex, an index byte and 3 mn_auth bytes: 00 80 01 00! o/ T: q( [0 s# j
! `- R! s$ x+ v
Yours should read: 02 80 01 00 following the active profile on your phone. Try reading that item from your phone in QXDM NV Browser and see what is there now.
! I n; k* f5 ?9 y
2 s1 k0 q( C+ \3 X. q+ ANV Item 906 PPP_Password
' ~3 }( L$ E: b+ N( Q. H O5 K5 X! A) A
/ r8 f# I x1 ~7 EPre: 03 76 7a 77
: B+ _) p8 }8 C* n: }1 h9 E& mVZW: As stated above this will be the shared secret string followed by the MIP profile hex string on a fully authenticated VZW phone.8 {* b9 L9 n+ C" m/ G
$ E# k a# i; I% D! M& P& w
NV Item 910 PPP_USER_ID
8 i% I; ^5 k& r5 o' x! P$ n* q1 F2 ?+ h( Q
As described above is the MDN@vzw3g.com in hex and is correct on your phone. There is no index byte just the length byte and the 20 character string.1 w7 \4 ?( a7 q$ ~' S, ~" i0 ~4 a
4 X S0 X, \8 b/ k5 Q1 K' o
NV Item 1192 NV_HDR_AN_AUTH_PASSWD_LONG
4 I! l! n/ P0 t4 r/ J( ]* G
2 Y2 _4 p# f& _" p4 WPre: 03 76 7a 77
6 j7 F% _6 P% f0 w. G5 q+ JVZW: This will be the same as 906 with shared secret string followed by MIP profile hex string6 N9 |; f$ r+ L
5 Y0 }7 r# l, j/ t7 z! }* pNV Item 1194 NV_HDR_AN_AUTH_USER_ID_LONG2 m4 C# l& r0 c4 J" C
9 K( E4 J' k0 V, f9 x! x
Pre: As above for 910 it is currently correct on your phone1 j2 i. @' D( L: p: C
% x, J$ H! L* x- L! uNV Item 2825 DS_MIP_RM_NAI Index 02. t! G3 E# ~- j1 D
, L9 o) y/ Z% U& Y8 OThis is the tethered NAI string for DUN connections and includes the dun. in the user ID string that differentiates normal data use from a tethered connection on VZW. It starts with a profile index byte 02 then a length byte of 18 followed by the MDN@dun.vzw3g.com string./ v; I2 r T* D3 Z9 y
This was correct in index 02 in your first SP but now has an incorrect length byte of 0a instead of 18 so it must be edited to be the same as Item 2953 DS_SIP_RM_NAI which is correct on both of the files you sent.
! ^5 U* [3 ] `1 x9 D# j6 O) @: M8 \; R
# c" f7 g+ g h3 k/ s
* q5 c; v, [7 w0 ^+ X+ MOk, those are all of what I believe to be the critical differences that I found in your files. There may be others as well and as I said, your NVM has many items included that are nonexistent on my phones that may affect this working.# Q, j3 u3 J3 e# x5 I
) a) D" p$ ]1 N2 y
This should give you a very good idea of what you need to look at and is about my best idea of what should work, given no other hidden issues./ G4 o+ v: m! j' \7 t' r# j. n
" \4 C2 M0 F' h* f
Feel free to get back to me with any questions and I'll try to answer them as best I can. If you get it working then it can be written up as method with the details fleshed out.
3 Y2 J* n% g( C% {( j2 C/ A! a' W* q$ o/ _) ^2 N. H3 `" w
Good luck and please let me know how it works out! |
|
|Archiver|手机版|小黑屋|吹友吧
( 京ICP备05078561号 )
狗仔卡
发表于 2009-8-26 08:43
显身卡
