Running unsigned code on BREW devices/Samsung

(subpage for Qualcomm BREW)

As mentioned in the BREW page, there are ways to run unsigned code on BREW devices, this method in particular dealing with changing the ESN to match a test signature.

This is intended to be a step-by-step guide on how to patch Samsung CDMA phones made before 2011 to run unsigned BREW programs.

= Currently compatible phones = These phones have the necessary requirements in order to work correctly for this guide:


 * Samsung MyShot II SCH-R460 - Fully working with no issues.
 * Samsung Intensity II SCH-U460 - Fully working with no issues. Has no option to change time/date, but defaults to January 1st, 1980 when no service is present.

= Currently incompatible phones = These phones have some restriction or other problem which prevents them from working correctly for this guide:


 * Samsung Intensity SCH-U450 - No known way to manually set date/time, meaning apps can't open. ESN changing and sideloading instructions works fine.
 * If you happen to find an SCH-U450 that has not been powered on or received cellular service since before 2015, this guide will work.

= Important Disclaimers = '''If you have any BREW apps or games on your phone, please back them up before changing its ESN. This will make any previously installed BREW apps invalid on your device, and they will self-delete!'''

'''As this method involves changing the phone's ESN to that of a test signature, this may fall into IMEI "repair" territory. CDMA as a network technology has been mostly deprecated around the world, so any real risk of changing the ESN is low.'''

= Prerequisites =

A computer running Windows 7 or above

The necessary drivers for your phone

A data cable for the phone

A known working 16-digit SP code for your model of phone

DFS Evolution

BREW test signature .sig file

RevSkills

= Setting everything up =

The initial steps make use of RevSkills, where the 16-digit SPC and 6-digit SPC will be entered to allow for ESN changing.

After powering your phone on, open Device Manager and go to "Ports (COM & LPT)". Make note of the COM port that mentions Samsung diagnostic ports or anything similar.



Connection Setup
Start RevSkills, go to Hardware -> Port Utils -> QC + AT-Cmd. A window called "QC Com Diag Window" should open, and then from there you can select the proper COM port to use.

Go to the DIAG tab and press the Send button near the top right. If information on your phone starts to appear, this means the diagnostic port is working correctly.



SP/SPC code entering
Once you have confirmed the connection is working properly, go to the CODE tab. Select the "Security Password" drop down menu and select your phone's model.

Press "Send SP". If the message "Password accepted." appears at the bottom, this means the SP code was valid.

After sending the SP code, click "Read SPC", and enter the SPC it read out in the window above the SP code text box. Then click "Send SPC".

At this point you can close RevSkills and move onto the DFS Evolution steps.

Connection Setup
'''Note: If an "Account manager" window opens, simply close it. No account features are necessary to change the phone's ESN.'''

Open the QualcommTool app in the DFS Evolution folder, and select the same COM port as you did in RevSkills. Right click it and press Connect.



ESN Changing
Go to the "Programming" tab and press Read. If everything is working correctly, some information should appear in the text boxes. You may want to take a screenshot or save the information if you wish to ever revert the phone to its original ESN.



Click the ESN text box and type AB2B3C4F. This is the built-in ESN of the BREW test signature that you should've downloaded above.

Once you have confirmed the ESN now has AB2B3C4F in the text box, click the Write button.

Click read once again. If the ESN remains as AB2B3C4F, this is a good sign.



Double Checking the ESN change
This step isn't necessarily required, but it doesn't hurt to double check if the ESN change worked correctly.

Open RevSkills again, go to Hardware -> Port Utils -> QC + AT-Cmd, and select the same COM port as before.

Go to the CODE tab and click "Read ESN". If it still says AB2B3C4F, you're OK to move on to the next steps.



= Physical Phone setup = The final steps involve setup that takes place on the actual phone, where the date/time are changed.

Changing the date and time
If you notice that apps loaded onto the phone instantly jump to the BREW AppManager when run, this means the date loaded onto the phone is past the test signature's expiry date.

The BREW test signature's expiry date when viewed in a hex editor appears as 2015103123314, or October 31st, 2015, 23:31:04(?). As long as the date you set is before that, you should be fine.

This will look different from phone to phone, but on a Samsung SCH-R460, you'd go to Settings -> Phone Settings -> Set Time -> Set Date.

= Putting apps onto the phone =

(the steps for sideloading the apps are the same as LG and any other Qualcomm BREW device, that is why the screenshots show LG-related material)

In order to put BREW apps on the phone, you'll need either Bitpim or RevSkills. This guide will go over both.

File naming schemes
In order for the phone to see the game, the files and folders need to be named in a specific way. Keep this in mind when adding files:

.mif and /mod/ folders should match. This means that an app with a MIF file named 12345.mif should have a folder in /mod/ named 12345 as well. The files inside of the /mod/(name) folder should be left alone.

If the BREW app comes with its own .sig file, delete it and replace it with the BREW test signature found above. The name of the .sig should have the same name as the .mod file inside of /mod/(name). This means that if the app has a MOD file named 12345.mod, the BREW test signature (.sig) file should also be named 12345.sig.

If a game does not show up on the phone and the files disappear when you check the filesystem again, one of these files was likely named incorrectly or the .sig file was not replaced with the BREW test signature.

Bitpim
Open Bitpim, go to View, and enable both "View protocol logging" and "View filesystem".

Once that's done, go to Edit, Settings, and then put in the COM port of your phone. For this example, "COM14" would be typed into the "Com Port" text box. If your phone has official Bitpim support in the "Phone type" menu, select that too. After that, click OK.



Click the "Filesystem" icon, and then click the + next to the blue folder icon. It will say "Retrieving..." for a bit, but if all goes well, it will show files and folders from your phone's EFS.



Open the "brew" folder by clicking the + to the left of the folder icon. There should be at least 2 other folders, those being "mif" and "mod".

The BREW app or game you download should come with a .mif file and a .mod file. Even if it has a .sig file of its own, it won't be needed as you'll need to send the BREW testsig instead of whatever signature file the game/app came with.

In order to send an app to the phone, send the .mif file to the "mif" folder by right clicking where the files are and pressing "New file ...", and then create a folder inside of the "mod" folder. Put the .mod file inside of the folder.

As for the .sig file, create a copy of the BREW testsig and rename it to the same name as the .mod file. For example, if you're sending a Pac-Man game that has a .mod file named "pac_man.mod", you would rename the BREW testsig to "pac_man.sig". Once you do that, send the .sig file to the subfolder you created inside of the "mod" folder.



You can send as many apps as the phone's storage will allow, but it takes patience. Transferring files that are more than a few megabytes can be painfully slow.

Once you're done sending apps to the phone, close Bitpim and restart the phone.

If all went well, you should see the apps you put on your phone in one of the BREW menus on your phone. Most of the time it'll either be in "Browse & Download" or in "Tools on the go" on Verizon phones.

'''All done! Now you can play BREW games and run BREW apps without needing to worry about ridiculous DRM tactics on a feature phone.'''

RevSkills
After starting RevSkills, go to Hardware -> Port Utils -> QC + AT-Cmd. A window called "QC Com Diag Window" should open, and then from there you can select the proper COM port to use.



Go to the EFS tab, and press Read Directories. If everything was set up correctly, it should say it's reading files and then eventually show some files and folders.



Open the "brew" folder by clicking on the + icon to the left of it. At least 2 other folders should show up, named "mif" and "mod".

In order to send an app to the phone, send the .mif file to the "mif" folder by right clicking a file and then clicking "Write File". It might seem like you're overwriting one of the files, but this is just how RevSkills is.

As for the .sig file, create a copy of the BREW testsig and rename it to the same name as the .mod file. For example, if you're sending a Pac-Man game that has a .mod file named "pac_man.mod", you would rename the BREW testsig to "pac_man.sig". Once you do that, send the .sig file to the subfolder you created inside of the "mod" folder.



You can send as many apps as the phone's storage will allow, but it takes patience. Transferring files can be sped up by changing the baud rate, but even then it isn't very fast.

Once you're done sending apps to the phone, close RevSkills and restart the phone.

If all went well, you should see the apps you put on your phone in one of the BREW menus on your phone. Most of the time it'll either be in "Browse & Download" or in "Tools on the go" on Verizon phones.

'''All done! Now you can play BREW games and run BREW apps without needing to worry about ridiculous DRM tactics on a feature phone.'''

BREW AppLoader
Once a phone's ESN matches the test signature ESN, it's also possible to use the "Loader" tool from the BREW MP SDK or an older version of the BREW SDK Tools to load apps onto the phone.

Load the apps onto your phone, restart, and then you're all set!