I finally was able to get my hands on a Motorola Droid 1 a little over a year after it came out. I’ve wanted one for a while now, but I didn’t want to pay for the monthly $30 data plan (apparently unlimited texting is another $10 on top of that, ripoffness).
In this post, I’ll tell you how I flashed my droid 1 to CricKet without needing CDMA Workshop 2.7 or paying anyone a single cent to accomplish this (surprisingly all legally….)
Droids are available all over the place like craigslist, ebay, the subway…etc. I snagged on off ebay for a decent price (which may have come from the subway…). It was cheap mainly because it has a bad ESN. What this means is that the owner did one of the following: lost it/got it stolen and reported it as such and got an insurance claim on it, didn’t pay their verizon bill, or found/stole it from someone else and the person that owned it in the 1st place reported it stolen/lost. Anyways….when that stuff happens, Verizon has this big ol blacklist that when you go to try to activate your phone and it’s unique identifier is on their list of evil phones, they won’t activate it. And as far as I know, it can never be activated with them. That’s all fine and dandy except that unlike GSM carriers, you can’t really just go and get another carrier’s SIM card and pop it it and away you go. Verizon’s network is CDMA, which means there’s no SIM card to pop out and go to another network with. Plus Verizon has really the only large CDMA network around so… blacklisting is good on their part as it requires you to buy another one of their phones to work on their network.
Unless…..you flash the bad ESN phone to CricKet or MetroPCS! Or, on the highly illegal/go to jail side of things you can change your ESN/MEID, but that kinda scares me and I’m not doing that. It’s actually totally legal to flash your Verizon phone to another carrier. CricKet has some nice cheapo plans that have no contract, and you can terminate at any time. I really despise Verizon and all their nickle and diming you to use their network for meaningless and trite things network-wise like text messaging. Anyways, not having a $30-$40 a month fee for using the phone on Verizon’s network but still being to screw around with the droid sounds good to me! The only downside…..major downside to CricKet is their coverage area. They pretty much cover the major interstates and major towns/cities. Other than that you’re roaming, and we’re back to year 2000 and having to deal w/ roaming charges. Interestingly, you end up using Verizon’s network when you’re roaming…. Oh I should also note that the only thing you “need” carrier activation for is calls and text messaging. Everything else you can do via wifi.
Luckily this has been done by many people before, but you need a piece of software that isn’t easily obtainable via the internet (aka filthy piracy). I tried and tried to find CDMA Workshop 2.7 (anything newer than that supposedly isn’t piratable as they validate your computer over the internet) to no avail. I did find a way to do this using two other tools, which it doesn’t appear to have been done (or at least not documented) by anyone else.
Basically I followed the directions here on the 1st page: Flash Droid 1 to CricKet I think I did follow the 1st steps about how the author rooted their phone, but eventually I downloaded the ROM Manager app from the Android Marketplace (the free one, although the paid version sounds quite nice too) and installed Chevyno1’s Simply Stunning ROM (this is by default rooted). I don’t think you need to use RSD Lite if you use ROM Manager (and install clockwork recovery from ROM Manager), but I don’t know for sure. This is assuming not needing RSD Lite.
Alright, so to root your phone w/o using RSD Lite and all that jazz, get the ROM Manager app on your phone. Then download Simply Stunning ROM from here. I used the themed version. The unthemed version I think looks like stock…dunno though. Put the Simply Stunning zip file on the root of your phone’s MicroSD card either w/ an external USB reader, or via plugging the droid into the computer via the microUSB cable. I think you can make a separate folder and the recovery program will still be able to open the file that way.
Now run the ROM Manager app on the phone. From the main menu, select “Flash ClockworkMod Recovery”. ROM Manager will take care of the rest and install that for you. Once this recovery program is flashed on the phone, you can easily install any custom ROM you want. I’d suggest always choosing to backup the phone if ROM Manager asks you to. The phone will reboot and lots of stuff will happen, and then it’ll boot back into Verizon’s Android as if nothing ever happened. Go back into ROM Manager and select “Install ROM from SD Card”. Alternatively, if your phone is powered off, you can hold the ‘X’ key on the keyboard and power on and get into recovery and flash ROMs that way. Going the ROM Manager route ensures you’re prompted to backup your phone’s current state (recommended). Now select the Simply Stunning zip file from where you placed it on your phone and hit “Ok”. Check “Backup Existing ROM” and “Wipe Data and Cache”. Hit “Ok”. The phone will reboot and do some stuff w/ progress bars and junk, so don’t remove the battery. It’d be best to plug the phone into external power for this. After everything happens, the phone will reboot and instead of seeing the droid eye animation, you’ll see the Simply Stunning boot animation. You’re now running the latest build of Froyo w/ some extra features and junk. You’re also rooted.
This I believe kills off the whole RSD Lite install smoked-glass ROM process. Now, turn the phone off. A reboot will not work for this. Install the motorola USB drivers if you haven’t already. Plug the microUSB cable into your computer, but not your phone (or vice versa). The USB link cannot be present when the phone turns on or else it goes into bootloader mode….which is pretty stupid (or maybe this happens cause I followed the RSDLite directions? I dunno…) Once the phone is off, hold the ‘T’ key and hold the power button till the phone’s backlight turns on. Keep holding the ‘T’ key. Now plug in the unconnected end of the microUSB cable. This forces the phone to load a special network over USB driver so we can talk to the phone’s off-limits flash area. Keep holding ‘T’ until you see some activity on your PC relating to the USB stuff. This happens sometime while the Motorola ‘M’ is still on the droid’s screen. Your phone will continue to boot normally.
Now, we need to check to make sure the driver actually loaded and created a USB networking adapter for the PC. Click the “Start” button and click “Run” or in the Run box on Vista/Win7 type in cmd and then press enter. In the command window, type “ipconfig /all”. Somewhere in the pile of information returned there should be something that says Motorola USB Networking Driver and it should have an IP address of 192.168.16.1. If you do not see the Motorola entry in the list of stuff, power off the phone and try the process again. For me, the driver didn’t load the 1st time cause Windows was installing the new hardware. You cannot just reboot the phone to get into this special mode, it needs to be powered off.
Once you know the phone has an IP address of 192.168.16.1, open up HW Virtual Serial Port (the demo will work fine for this). Click the “login” button in HWVSP and put in the default password of admin. Follow the directions as shown in the HowardForums link I specified above for the HW Virtual Serial Port. If everything worked right, the “LAN Status” in HWVSP will say “Connected”. Now you’ll need to acquire QXDM and QPST. Try and get the latest versions as older versions don’t support the Droid. I used QPST 2.7 build 323 and QXDM 3.11.36. We’ll use QXDM to write the NVItems specified in the HowardForums link and QPST to do the rest. Make note of the com port number that HW Virtual Serial port created.
Before going too far, we should backup the phone in case something goes wrong. I don’t believe this is the same as a nandroid backup as this should be saving NVItems and all that junk (on the other hand, I don’t know if this backs up the OS too….). Open up QPST Software Download. Click the “Backup” tab and click “Browse” to choose the phone’s com port. Give the QCN file a name and a place to store it. The SPC code should be 000000 (six zeros) unless someone changed it. If someone changed that code, I believe you will need CDMA workshop to find out the new code. Anyways, it should be six zeros. Click “Start” and QPST will download all your phone’s settings to the specified QCN file. This will take some time to do.
At this point, you should also have an account w/ CricKet and you should have gotten your phone number (MDN), their MIN, system ID, and maybe some other info. Then go to http://www.whiterabbit.org/android/ and get your NVItems by filling in your CricKet login info and click “Generate”. It doesn’t matter if you generate the NVItems for CDMA WS 2.7 or 3.5 as we’re using neither of them, but you need the data in the files. This is the 12 NVItems mentioned on the HowardForums link. Alternatively you can use the 5 NVItems linked to in the HowardForums post. The 12 NVItems just fills in some junk that we’ll be doing in QPST later on. In either of the NVItems files, you’ll see something like the following:
8091 (0x1F9B) – OK
40 6D 79 63 72 69 63 6B 65 74 2E 63 6F 6D 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
In the example above, this is NVItem 8091 (decimal). Don’t worry about the hex representation of this as we’re going to use the decimal version of it in QXDM. Everything past “OK” above is the data that gets written to location 8091, but these numbers are all in hex. The only issue here is if “0x” (yes, that’s a zero) does not precede a hexadecimal number in QXDM, it somehow thinks the number is decimal even though there’s letters in the mix. We’ll need to fix that for the numbers other than 0. ‘0’ in hex and decimal mean the same thing, so we won’t bother adding the ‘0x’ in front of them later on. Find->Replace in a text editor would probably work well for this…
Now, open up QXDM (QPST must be installed too) and set the connection to the com port created in the previous step if required. Actually you might need to set the COM port in the QPST server that loads up. If everything is setup correctly, QXDM should connect to the phone automatically. There is a NVItems Browser, but some of the NVItems we’ll be changing aren’t listed in the browser, but luckily there’s commands we can type to send to the phone to do stuff this QXDM GUI doesn’t seem to have support for. Once you’re connected to the phone, in the command entering box right below “View”, type in”mode offline-d”. This command will turn the cellular radio off (probably good since we’re mucking w/ baseband settings here). A new window will open up showing the command that was just sent and the phone’s response.
Now to write the NVItems. You’ll be using the RequestNVItemIDWrite command to write the NVItems to the phone, and RequestNVItemIDRead to read back what was just written to make sure it matches what’s in the NVItems file. We’ll take the example above again. To write that to the phone, put the following into the command bar (obviously w/o the quotes): “RequestNVItemIDWrite 8091 0x40 0x6D 0x79 0x63 0x72 0x69 0x63 0x6B 0x65 0x74 0x2E 0x63 0x6F 0x6D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00”. I’m not sure how this will copy out of this blog, so paste it into notepad or something first. What you want is one really long line of data, no new-lines or any of that. Paste the single line command above into the command entering thingy in QXDM and press enter. That should have written all that data to location 8091 (QXDM will probably convert that to hex in the command response window). To check, issue a “RequestNVItemIDRead 8091” command. The response will be cutoff in the response window, so left-click on the blue response line that’ll start with “0x26” to select that item, then right-click on it and select copy text. Then paste the response into notepad or some other text editor. You’ll need to ignore the 0x26 and the two data bytes after the 0x26. 0x26 is the command we just sent to the phone, and the next two bytes are the hex location we just specified (for 8091 you’ll see 9B 1F, which is byte-swapped as 8091 in hex is 1F 9B). The data after the command ID and two-byte NVItem location should match up completely with the data for 8091 in the NVItems (QXDM strips off the 0x’s in front of the hex data). If everything matches up, do the exact same thing for all the other NVItems in the 5 or 12 NVItems files. If not, check to make sure you didn’t forget a byte of data or you possibly forgot to put “0x” in front of all the data bytes. Don’t reboot the phone as we need to still write some stuff w/ QPST. It may be possible to do everything in QXDM, but I don’t know enough about it to do it. Close QXDM.
Open up QPST->Service Programming. Select your phone from the top window (QPST should have automatically detected it) and click ok. Once QPST connects to the phone, click the “Read from phone” button and put in the phone’s SPC code (should be six zeros) and hit ok to that to populate all the tables w/ the phone’s current values. If you did the 12 NVItems above, some of this will be filled in correctly already. If not, no big deal. This will take some time to read everything from the phone.
First thing we’ll do is load a CricKet PRL into QPST (it won’t load anything to the phone till “Write to phone” is clicked). Click the “Roam” tab and click the browse button to find your CricKet PRL. I used PRL 38515. Find your PRL and click open. The PRL is now loaded into QPST and will be put on the phone when the “Write to Phone” button is pressed. Don’t do it yet though.
Click the CDMA tab. Fill in the NAM field with your MDN. I’m not sure if it matters what you put in here. The IMSI_S number is the same thing as the MIN. CricKet will proivide the MIN as it is different than your phone number. The MDN is your 10 digit phone number. Put the MDN in for the “Directory #”. The MCC should be 310. There’s other MCC numbers, but it seems like 310 is the one that should be used. “11_12” should be “00” (two zeros). Make sure class 1 is unchecked. Leave everything else on the CDMA tab alone. Click the CDMA-2 tab and uncheck the class-1 checkbox and fill out CDMA-2 with the same stuff as CDMA tab. I don’t know if anything in the AMPS tab needs to be changed, but you could change the SID to the CricKet SID for your area. Here’s a list of large cities and their SID numbers: http://cdmagurus.com/forum/showthread.php?1497-Cricket-SIDs-by-market
Now move on to the System tab. All you need to edit here are the SID/NID pairs. The 1st pair should be your home location (hopefully you found a SID in the link above). Double-click the SID/NID pairs to edit them. The NID should stay at 65535 as far as I know. I added a few other SIDs of places I go to frequently, but it probably doesn’t matter. Preferred mode, Band Preference, and Roam Preference should all be set to automatic.
Click the M.IP tab (you’ll have to click the right-arrow button to make more tabs visible). I’m assuming there won’t be any profiles here, so click “Add”. Otherwise, delete any current profiles. Check the profile enabled box and add your10digitphonenumber@mycricket.com for NAI and Tethered NAI. Home address should all be 0’s and Primary/Secondary HA should be all 255’s. Hit ok. Mobile IP Behavior should be set to”Mob + Simp f/back”. Leave everything else alone.
Click the PPP tab. Click the “Um” button in this tab. Add your phone number to tethered NAI (if it’s not there already) and your10digitphonenumber@mycricket.com is the user id. Password should be blank. Change primary/secondary DNS to 0’s. Click the “AN” button and add in the same user id. Password again should be blank.
Once everything is all set with all the tabs, click “Write to phone”. All this stuff will then be written to the phone. This will take some time, and don’t interrupt this process as you could really mess up your phone. I guess worst case is you would have to use RSD Lite to flash a Verizon SBF file to the phone (the SBF file contains everything necessary to restore the entire phone including OS and all NVItems) and start all over again. Once the phone is done programming, it will reboot itself.
Since the USB cable is still plugged in, the phone will probably reboot into bootloader mode. Remove the USB cable, then press and hold the power button for a second or so and release it. That will power off the phone. Now turn the phone back on and plug the USB cable back into the phone (and PC) once you see the Motorola M on the screen. Don’t hold any keys down on the Droid’s keyboard. You will need the use of ADB debugging via USB (normally loaded when you plug the USB cable into the Droid to transfer files to it) for the rest of the procedure.
Now, you can go back to the HowardForums post and finish the rest of it starting at “Once phone reboots go to the market using WI-FI and download and install Autostart.exe.”
Now you can dial *228 and you should hear “Welcome to CricKet…..” and you can go through the activation and such to make sure you have the latest PRL. and other settings If you messed up the MDN, MIN, IMSI…etc you can program that all on the phone itself if need be so that you don’t have to fool w/ QPST to do it. To do that, use the phone dialer to dial “##PROGRAM”. Then enter your SPC code of 000000 (six zeros). You’ll be able to access a lot of the programming junk here instead of using QPST.
