Hypothetically, could a KPC650 air card be used by transferring an ESN off an active cellphone? I have seen this discussed in a DEF CON 15 YouTube video, but what all would need to be done for it to actually authenticate on the network? I would think it would be the same as cloning from cellphone to cellphone, but since they are two different types of devices, would the "numbers" be compatible between the two? The video was very informative, but I think it may have left out some important stuff, so hopefully someone can add to the purely educational learning experience.
Tools needed:
QPST
BitPim for easy hex dumps
hex editor
checksum calculator
After looking through the file explorer, for the swap to work I would think these files need to be edited/swapped:
1. Swap or edit the ESN on the air card with the cell ESN via the NVM $sys file (question: does the original air card $sys file need to be edited, checksummed and reloaded, or can you just back up/copy the cell phone $sys file to the PC and then overwrite the air card $sys with that one in QPST?)
2. Edit all other NVM files to replace any air card phone numbers with the new cell phone numbers (found places in nvm_data, nvm_cdma, nvm_display).
Does anything else need to be edited? Where would the .MIN file be changed/found, as I didn't see any place on the air card with the .min extension? Would nvm_factory or nvm_minlock need to be edited? Are there any other hidden files that need to be found and edited?
Would authentication on the system for the air card work by using it as a DUN modem, like tethering the cell (#777), with the above edits, or would more things need to be done, like editing an A-key if the card has one? Any steps missing here?
1st problem: even after steps 1 & 2, the original air card phone # (MIN) still displays in the QPST properties (QPST Configuration, etc.) even though the ESN # is showing as changed and all NVM files show the new cell phone numbers in a hex dump. There must be something else that needs to be edited. Also, the air card will not authenticate on the system.