Running unsigned code on BREW devices/LG

From Legacy Portable Computing Wiki

This method of BREW sideloading patches parts of the firmware to remove the signature checks entirely, allowing test signatures with mismatched ESNs and differing dates to run without problems. Arguably, this is the best of the BREW sideloading solutions so far, as no ESN changing is required (thus no risk of old BREW apps being deleted if the end-user does not back them up beforehand).

This is intended to be a step-by-step guide on how to patch an LG CDMA phone to run unsigned BREW programs.

Currently compatible phones

These phones have patched firmware files readily available and are guaranteed to work correctly for this guide:

  • LG VX5400 - The patch itself works, but this phone will crash when attempting to run some 3D BREW games (low-memory 3D games still run).
  • LG VX8300 - Fully working with no issues.
  • LG VX8610 Decoy - Fully working with no issues.
  • LG VX8700 Shine - Fully working with no issues.
  • LG VX8800 Venus - Should be fully working with no issues.
  • LG VX9100 enV2 - Fully working with no issues.
  • LG VX9200 enV3 - Fully working with no issues.
  • LG VX9700 Dare - Fully working with no issues. Only use LGNPST to flash this phone; the LGDownload DLL floating around is either not legitimate or does not function correctly.

Alternative method

If a phone you have does not currently have a firmware patch available, you can change the phone's ESN to match that of a test signature. While this does let you sideload your own apps, it comes with the downside that any apps that were previously on the phone will be deleted.

Disclaimers

As with any firmware modification or patch, there is a small chance your phone will be bricked if something goes wrong. Do this on phones you won't be too upset about losing!

Usually there are files you need to put onto the device's EFS by manually loading each one with Revskills or Bitpim, or by using LGNPST's "Provision" -> "Script" -> "Choose script" function, with an original firmware package containing both the "Brew_Script" and "EFS_SCR" folders. If you notice your phone doesn't have the preloaded content it did prior to flashing, you may have forgotten to load necessary files back into the EFS.

If there is a DLL for your model of choice that is designed for LGNPST, it is strongly recommended to use LGNPST instead of LGDownload. There is a small cross-over between devices that may have both LGDownload and LGNPST DLLs available, though LGNPST is generally more stable.

Prerequisites

  • A computer running Windows 7 or above (Windows XP may work better for you with LGDownload)
  • A data cable for the phone you are trying to patch
  • LGDownload and LGNPST (sometimes a phone may only have a DLL available for one but not the other)
  • The DLL file for the specific model of phone you are trying to patch (you may find the one you need for LGDownload in this collection)
  • BREW test signature .sig file
  • Bitpim or RevSkills

Setting everything up

Since the process is a bit different for LGDownload and LGNPST, they'll be shown separately.

LGDownload

Power on the phone and then connect it to your computer.

Open Device Manager and then go to "Ports (COM & LPT)". The one you want to keep note of is the one called "LGE Mobile USB Serial Port" or something similar. Sometimes these are referred to as diagnostic ports.

Open LGDownload, go to "Config(C)", and then click "Port Setting". Select the COM port that has the same number as the one shown in Device Manager. For this example, it would be COM14. After that, press OK.

If everything went correctly, you should now see some phone information on the right side of the program. The TX and RX lights will flash too, which is normal.

The next step is crucial not only for getting the patch to work but also for backing up the phone's ESN and other information. Follow carefully!

Making an NVS backup

Click "NV Edit(F11)" and then press "NV Edit Start". It will ask for the SPC code, which for Verizon CDMA phones is 000000. Enter that in and then press OK.

A window will pop up saying "NV Reading". Wait for this to finish.

If you get an error message after it finishes reading NV data, that's okay, as the NV edit function is only used in this guide to back up the NV data.

Keep LGDownload running, and open a folder to navigate to where LGDownload is installed. It will likely be in C:\LG Electronics\LGDownload\ .

Open the Models folder, and then open the folder that has the same name as the model number of the phone you're trying to patch. For this example, it would be called "VX9100".

You should see a file with .NVS extension that has the name of your phone's firmware and the name of the COM port it's using. Copy this file and back it up somewhere safe, as you will need it after flashing the phone with patched firmware.

It's important to back this file up because it contains the phone's ESN, phone number, and other CDMA information. Without it, everything will default to all zeros, and BREW won't start when the ESN is all zeros.

Flashing the patched firmware

Since the patched firmware is only a .bin file, you can use the "BIN Download(F3)" option to flash it.

Alternatively, you can use the "Upgrade(F8)" option if you have the .SCR, .PRL, and ERI files saved. Usually these will also have a "Brew_script" and an "EFS_SCR" folder to go along with the .bin file.

Flashing the phone can take time, and it will restart several times before flashing is complete.

Restoring the NVS backup

Find the icon shown below, which is on the top left of the window. You can also press Ctrl + W to bring the window up instead.

A window will pop up asking you to enter the SPC code again. Enter your phone's SPC code. For Verizon CDMA phones, this should always be 000000.

Once a file selection window opens, navigate to where your .nvs file backup is and then press Open.

After that, you're now ready to load some BREW apps onto your phone!

LGNPST

Patching LGNPST

Before doing anything with LGNPST, make sure you rename and replace the "LGNPST_ACG.exe" file with the patched one included in the .7z archive.

If you get an error like this, you may have forgotten to patch the app before running it.

Note for Non-installer DLL files

For DLL files not packaged in an installer, you need to register the DLLs in order for LGNPST to recognize them.

To register the corresponding DLLs in LGNPST, open a command prompt window and type the following:

cd C:\Program Files (x86)\LG Electronics\LGNPST\

regsvr32 (name of LG DLL to install)

Connecting the phone

Power on the phone and then connect it to your computer.

Open Device Manager and then go to "Ports (COM & LPT)". The one you want to keep note of is the one called "LGE Mobile USB Serial Port" or something similar. Sometimes these are referred to as diagnostic ports.

Open LGNPST.

LGNPST should detect the phone on its own and show phone information not long after starting the program.

Making an NVS backup

In order to make a backup of the phone's NV data, click the "Phone setting" icon with a gear to the left of it. Another window should open with the name "LG Phone Setting".

(you can also reach the LG Phone Setting menu by clicking "Data (D)" and then "Phone setting")

Press the "Read" button to back up the NV data into an NVS file.

After it says "Complete", you can close the LG Phone Setting window, and click on the "Status" tab to tell LGNPST that the process is complete.

Keep LGNPST running, and open a folder to navigate to where LGNPST stores model folders. It will likely be in C:\LG Electronics\LGNPST\model .

Open the model folder, and then open the folder that has the same name as the model number of the phone you're trying to patch. For this example, it would be called "VX9100".

You should see a file with .NVS extension that has the name of your phone's firmware and the name of the COM port it's using. Copy this file and back it up somewhere safe, as you will need it after flashing the phone with patched firmware.

It's important to back this file up because it contains the phone's ESN, phone number, and other CDMA information. Without it, everything will default to all zeros, and BREW won't start when the ESN is all zeros.

Flashing the patched firmware

You can use the "Upgrade" or "Binary Download" functions to flash the patched firmware to the device. It doesn't seem to make a difference, but if the firmware version is newer than the one currently on your phone, it's best to use the Upgrade function.

For both, click the folder icon to the right of "BIN file" and then navigate to where you have the patched .BIN file saved.

Once you have that done, press the START button to begin flashing. Flashing the phone can take time, and it will restart several times before flashing is complete.

Restoring the NVS backup

Select the "data" tab, click the folder icon to the right of "Data file" and then navigate to where you copied the .NVS file.

Once you have that done, press START and wait for the status tab to say "Complete".

After that, you're now ready to load some BREW apps onto your phone!

Putting apps onto the phone

In order to put BREW apps on the phone, you'll need either Bitpim or RevSkills. This guide will go over both.

File naming schemes

In order for the phone to see the app, the files and folders need to be named in a specific way. Keep this in mind when adding files:

The .mif file name and the folder name in /mod/ should match. This means that an app with a MIF file named 12345.mif should have a folder in /mod/ named 12345 as well. The files inside of the /mod/(name) folder should be left alone.

If the BREW app comes with its own .sig file, delete it and replace it with the BREW test signature found above. The .sig file should have the same name as the .mod file inside of /mod/(name). This means that if the app has a MOD file named 12345.mod, the BREW test signature (.sig) file should also be named 12345.sig.

If a game does not show up on the phone and the files disappear when you check the filesystem again, one of these files was likely named incorrectly or the .sig file was not replaced with the BREW test signature.
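The naming rules above can be checked on the computer before anything is sent to the phone. The following is an added example, not part of the original guide or of any tool it mentions: it assumes the app files are first laid out in a local staging folder that mirrors the phone's "mif" and "mod" folders, and the function names, staging layout and sample files are all made up for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def check_brew_staging(root, testsig):
    """Return naming problems found under root/mif and root/mod (hypothetical local staging copy)."""
    root, problems = Path(root), []
    want = hashlib.sha256(Path(testsig).read_bytes()).hexdigest()
    mif_names = {p.stem for p in (root / "mif").glob("*.mif")}
    mod_dirs = {p.name: p for p in (root / "mod").iterdir() if p.is_dir()}
    # Rule 1: 12345.mif needs a folder mod/12345, and the other way round.
    for name in sorted(mif_names - set(mod_dirs)):
        problems.append(f"mif/{name}.mif has no folder mod/{name}")
    for name in sorted(set(mod_dirs) - mif_names):
        problems.append(f"mod/{name} has no mif/{name}.mif")
    # Rule 2: each .mod needs a same-named .sig that is a copy of the test signature.
    for name, folder in sorted(mod_dirs.items()):
        mods = sorted(folder.glob("*.mod"))
        if not mods:
            problems.append(f"mod/{name} contains no .mod file")
        for mod in mods:
            sig = mod.with_suffix(".sig")
            if not sig.is_file():
                problems.append(f"mod/{name}/{sig.name} is missing")
            elif hashlib.sha256(sig.read_bytes()).hexdigest() != want:
                problems.append(f"mod/{name}/{sig.name} is not the test signature")
    return problems


def demo():
    """Check a constructed staging tree that contains two deliberate mistakes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        testsig = root / "testsig.sig"
        testsig.write_bytes(b"CONSTRUCTED-TEST-SIGNATURE")  # placeholder, not a real signature
        (root / "mif").mkdir()
        for app in ("12345", "pac_man"):
            (root / "mif" / f"{app}.mif").write_bytes(b"mif")
            (root / "mod" / app).mkdir(parents=True)
            (root / "mod" / app / f"{app}.mod").write_bytes(b"mod")
        (root / "mod" / "12345" / "12345.sig").write_bytes(testsig.read_bytes())
        (root / "mod" / "pac_man" / "pac_man.sig").write_bytes(b"vendor sig")  # never replaced
        (root / "mif" / "67890.mif").write_bytes(b"mif")  # no matching mod folder
        return check_brew_staging(root, testsig)


if __name__ == "__main__":
    print("\n".join(demo()) or "layout OK")
```

Names are compared exactly as written, so a difference in letter case counts as a mismatch.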

Bitpim

Open Bitpim, go to View, and enable both "View protocol logging" and "View filesystem".

Once that's done, go to Edit, Settings, and then put in the COM port of your phone. For this example, "COM14" would be typed into the "Com Port" text box. If your phone has official Bitpim support in the "Phone type" menu, select that too. After that, click OK.

Click the "Filesystem" icon, and then click the + next to the blue folder icon. It will say "Retrieving..." for a bit, but if all goes well, it will show files and folders from your phone's EFS.

Open the "brew" folder by clicking the + to the left of the folder icon. There should be at least 2 other folders, those being "mif" and "mod".

The BREW app or game you download should come with a .mif file and a .mod file. Even if it has a .sig file of its own, it won't be needed as you'll need to send the BREW testsig instead of whatever signature file the game/app came with.

In order to send an app to the phone, send the .mif file to the "mif" folder by right clicking where the files are and pressing "New file ...", and then create a folder inside of the "mod" folder. Put the .mod file inside of the folder.

As for the .sig file, create a copy of the BREW testsig and rename it to the same name as the .mod file. For example, if you're sending a Pac-Man game that has a .mod file named "pac_man.mod", you would rename the BREW testsig to "pac_man.sig". Once you do that, send the .sig file to the subfolder you created inside of the "mod" folder.

You can send as many apps as the phone's storage will allow, but it takes patience. Transferring files that are more than a few megabytes can be painfully slow.

Once you're done sending apps to the phone, close Bitpim and restart the phone.

If all went well, you should see the apps you put on your phone in one of the BREW menus on your phone. Most of the time it'll either be in "Browse & Download" or in "Tools on the go" on Verizon phones.

All done! Now you can play BREW games and run BREW apps without needing to worry about ridiculous DRM tactics on a feature phone.

RevSkills

After starting RevSkills, go to Hardware -> Port Utils -> QC + AT-Cmd. A window called "QC Com Diag Window" should open, and then from there you can select the proper COM port to use.

Go to the EFS tab, and press Read Directories. If everything was set up correctly, it should say it's reading files and then eventually show some files and folders.

Open the "brew" folder by clicking on the + icon to the left of it. At least 2 other folders should show up, named "mif" and "mod".

In order to send an app to the phone, send the .mif file to the "mif" folder by right clicking a file and then clicking "Write File". It might seem like you're overwriting one of the files, but this is just how RevSkills is.

As for the .sig file, create a copy of the BREW testsig and rename it to the same name as the .mod file. For example, if you're sending a Pac-Man game that has a .mod file named "pac_man.mod", you would rename the BREW testsig to "pac_man.sig". Once you do that, send the .sig file to the subfolder you created inside of the "mod" folder.

You can send as many apps as the phone's storage will allow, but it takes patience. Transferring files can be sped up by changing the baud rate, but even then it isn't very fast.

Once you're done sending apps to the phone, close RevSkills and restart the phone.

If all went well, you should see the apps you put on your phone in one of the BREW menus on your phone. Most of the time it'll either be in "Browse & Download" or in "Tools on the go" on Verizon phones.

All done! Now you can play BREW games and run BREW apps without needing to worry about ridiculous DRM tactics on a feature phone.

BREW AppLoader

Once a phone is patched, it's also possible to use the "Loader" tool from the BREW MP SDK or an old version of the BREW SDK Tools to load apps onto the phone.

Load the apps onto your phone, restart, and then you're all set!