Running unsigned code on BREW devices/LG/ESN change method

From Legacy Portable Computing Wiki

This is intended to be a step-by-step guide on how to get an LG CDMA phone that does not yet have a patched firmware available to run unsigned BREW programs.

Note that this method involves changing the ESN, which will erase all currently installed BREW apps on the device. Please be sure to make a backup of your phone's EFS before continuing!

Currently compatible phones

These phones have the necessary requirements in order to work correctly for this guide:

  • LG VX6000 - This is a BREW 2.0 device; test mode must be enabled before beginning this guide, and it can be enabled using LGDownload.
  • LG VX8000 - This is a BREW 2.0 device; test mode must be enabled before beginning this guide, and it can be enabled using LGDownload.

Disclaimer

If you have any BREW apps or games on your phone, please back them up before changing the phone's ESN. Changing the ESN will make any previously installed BREW apps invalid on your device, and they will self-delete!

As this method involves changing the phone's ESN to that of a test signature, this may fall into IMEI "repair" territory. CDMA as a network technology has been mostly deprecated around the world, so any real risk of changing the ESN is low.

Prerequisites

Setting everything up

This method of BREW sideloading deals with changing the ESN to match a test signature.

The initial steps make use of RevSkills, where the 16-digit SP (security password) and the 6-digit SPC will be entered to allow the ESN to be changed.

After powering your phone on, open Device Manager and go to "Ports (COM & LPT)". Make note of the COM port that mentions LG diagnostic port or anything similar.

Connection Setup

Start RevSkills, go to Hardware -> Port Utils -> QC + AT-Cmd. A window called "QC Com Diag Window" should open, and then from there you can select the proper COM port to use.

Go to the DIAG tab and press the Send button near the top right. If information about your phone starts to appear in the text box, this means the diagnostic port is working correctly.

SP/SPC code entering

Once you have confirmed the connection is working properly, go to the CODE tab. Select the "Security Password" drop down menu and select your phone's model. As this guide is intended for LG devices, the LG default entry should work everywhere.

Press "Send SP". If the message "Password accepted." appears at the bottom, this means the SP code was valid.

After sending the SP code, click "Read SPC", and enter the SPC it read out in the window above the SP code text box. Then click "Send SPC".

  • If no SPC code is shown, don't fret. ASC_WriteProgram will display the phone's SPC as well.

At this point you can close RevSkills and move on to the CDMAWorkshop or ASC_WriteProgram_For_Mobiles steps.

ASC_WriteProgram_For_Mobiles

NOTE: The LG port must be set to COM2, otherwise it will not be able to find your phone.

Open the ASC_WriteProgram_For_Mobiles app, and click "READ NAM 1".

ESN Changing

If everything is working correctly, some information should appear in the text boxes. You may want to take a screenshot or save the information if you wish to ever revert the phone to its original network settings.

Click the ESN text box and type AB2B3C4F. This is the built-in ESN of the BREW test signature that you should've downloaded above. After that click "CHECK/CLEAR".

Once you have confirmed the ESN now has AB2B3C4F in the text box, fill in the "AKEY" box with "FFFFFFFFFFFFFFFFFFFF", then click the Write button.

Click "READ NAM 1" once again. If the ESN remains as AB2B3C4F, this is a good sign.

Double Checking the ESN change

This step isn't necessarily required, but it doesn't hurt to double check if the ESN change worked correctly.

Open RevSkills again, go to Hardware -> Port Utils -> QC + AT-Cmd, and select the same COM port as before.

Go to the CODE tab and click "Read ESN". If it still says AB2B3C4F, you're OK to move on to the next steps.

Physical Phone setup

The final steps involve setup that takes place on the actual phone, where the date/time are changed.

Changing the date and time

If you notice that apps loaded onto the phone instantly jump to the BREW AppManager when run, this means the date loaded onto the phone is past the test signature's expiry date.

The BREW test signature's expiry date when viewed in a hex editor appears as 2015103123314, or October 31st, 2015, 23:31:04(?). As long as the date you set is before that, you should be fine.

Putting apps onto the phone

In order to put BREW apps on the phone, you'll need either BitPim or RevSkills. This guide will go over both.

File naming schemes

In order for the phone to see the game, the files and folders need to be named in a specific way. Keep this in mind when adding files:

.mif and /mod/ folders should match. This means that an app with a MIF file named 12345.mif should have a folder in /mod/ named 12345 as well. The files inside of the /mod/(name) folder should be left alone.

If the BREW app comes with its own .sig file, delete it and replace it with the BREW test signature found above. The name of the .sig should have the same name as the .mod file inside of /mod/(name). This means that if the app has a MOD file named 12345.mod, the BREW test signature (.sig) file should also be named 12345.sig.

If a game does not show up on the phone and the files disappear when you check the filesystem again, one of these files was likely named incorrectly or the .sig file was not replaced with the BREW test signature. If you have checked these to be correct and the app still self-deletes, the MIF is likely encrypted.
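The naming rules above can be checked on the PC before anything is transferred. The following is an added example, not part of the original guide or of any tool it mentions: it assumes the apps are staged locally in a folder containing "mif" and "mod" subfolders, and the function names and the sample tree (placeholder bytes, not real BREW files) are made up for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def _with_ext(folder, ext):
    return sorted(p for p in folder.iterdir() if p.is_file() and p.suffix.lower() == ext)

def check_staging(root, testsig):
    """Return naming problems for apps staged under root/mif and root/mod."""
    problems = []
    mif_dir, mod_dir = Path(root) / "mif", Path(root) / "mod"
    mifs = {p.stem for p in _with_ext(mif_dir, ".mif")}
    folders = {p.name for p in mod_dir.iterdir() if p.is_dir()}
    problems += [f"mif/{n}.mif has no folder mod/{n}" for n in sorted(mifs - folders)]
    problems += [f"mod/{n} has no mif/{n}.mif" for n in sorted(folders - mifs)]
    expected = _digest(Path(testsig))
    for name in sorted(folders):
        folder = mod_dir / name
        mod_stems = {p.stem for p in _with_ext(folder, ".mod")}
        sigs = {p.stem: p for p in _with_ext(folder, ".sig")}
        for stem in sorted(mod_stems - set(sigs)):
            problems.append(f"mod/{name}/{stem}.sig is missing")
        for stem, sig in sorted(sigs.items()):
            if stem not in mod_stems:
                problems.append(f"mod/{name}/{sig.name} matches no .mod file")
            elif _digest(sig) != expected:  # app still carries its own signature
                problems.append(f"mod/{name}/{sig.name} is not a copy of the test signature")
    return problems

def demo():
    """Check a constructed staging tree (placeholder bytes, not real BREW files)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        testsig = root / "testsig.sig"
        testsig.write_bytes(b"constructed test signature")
        files = {
            "mif/12345.mif": b"mif", "mod/12345/12345.mod": b"mod",
            "mod/12345/12345.sig": testsig.read_bytes(),     # correctly replaced
            "mif/pacman.mif": b"mif", "mod/pac_man/pac_man.mod": b"mod",
            "mod/pac_man/pac_man.sig": b"vendor signature",  # not replaced
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return check_staging(root, testsig)
```

An empty list from `check_staging` means every .mif has its folder and every .mod has a same-named copy of the test signature beside it.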

BitPim

Open BitPim, go to View, and enable both "View protocol logging" and "View filesystem".

Once that's done, go to Edit, Settings, and then put in the COM port of your phone. For this example, "COM14" would be typed into the "Com Port" text box. If your phone has official BitPim support in the "Phone type" menu, select that too. After that, click OK.

Click the "Filesystem" icon, and then click the + next to the blue folder icon. It will say "Retrieving..." for a bit, but if all goes well, it will show files and folders from your phone's EFS.

Open the "brew" folder by clicking the + to the left of the folder icon. There should be at least 2 other folders, those being "mif" and "mod".

The BREW app or game you download should come with a .mif file and a .mod file. Even if it has a .sig file of its own, it won't be needed as you'll need to send the BREW testsig instead of whatever signature file the game/app came with.

  • BREW 1.x to 2.x: To send an app to the phone, send the .mif file to the "brew" folder, by right clicking where the files are and pressing "New file ...". You'll also need to create a folder inside of the brew folder, and this is where all of the game's files will go. For example, 12345.mif would go in the mif folder, and any other files that came with the BREW app would go in /brew/12345/.
  • BREW 3.x and above (shown in screenshots): To send an app to the phone, send the .mif file to the "mif" folder by right clicking where the files are and pressing "New file ...", and then create a folder inside of the "mod" folder. Put the .mod file inside of the folder.

As for the .sig file, create a copy of the BREW testsig and rename it to the same name as the .mod file. For example, if you're sending a Pac-Man game that has a .mod file named "pac_man.mod", you would rename the BREW testsig to "pac_man.sig". Once you do that, send the .sig file to the subfolder you created inside of the "mod" folder.

You can send as many apps as the phone's storage will allow, but it takes patience. Transferring files that are more than a few megabytes can be painfully slow.

Once you're done sending apps to the phone, close BitPim and restart the phone.

If all went well, you should see the apps you put on your phone in one of the BREW menus on your phone. Most of the time it'll either be in "Browse & Download" or in "Tools on the go" on Verizon phones.

All done! Now you can play BREW games and run BREW apps without needing to worry about ridiculous DRM tactics on a feature phone.

RevSkills

After starting RevSkills, go to Hardware -> Port Utils -> QC + AT-Cmd. A window called "QC Com Diag Window" should open, and then from there you can select the proper COM port to use.

Go to the EFS tab, and press Read Directories. If everything was set up correctly, it should say it's reading files and then eventually show some files and folders.

Open the "brew" folder by clicking on the + icon to the left of it. At least 2 other folders should show up, named "mif" and "mod".

In order to send an app to the phone, send the .mif file to the "mif" folder by right clicking a file and then clicking "Write File". It might seem like you're overwriting one of the files, but this is just how RevSkills is.

As for the .sig file, create a copy of the BREW testsig and rename it to the same name as the .mod file. For example, if you're sending a Pac-Man game that has a .mod file named "pac_man.mod", you would rename the BREW testsig to "pac_man.sig". Once you do that, send the .sig file to the subfolder you created inside of the "mod" folder.

You can send as many apps as the phone's storage will allow, but it takes patience. Transferring files can be sped up by changing the baud rate, but even then it isn't very fast.

Once you're done sending apps to the phone, close RevSkills and restart the phone.

If all went well, you should see the apps you put on your phone in one of the BREW menus on your phone. Most of the time it'll either be in "Browse & Download" or in "Tools on the go" on Verizon phones.

All done! Now you can play BREW games and run BREW apps without needing to worry about ridiculous DRM tactics on a feature phone.

BREW AppLoader

Once a phone's ESN matches the test signature ESN, it's also possible to use the "Loader" tool from the BREW MP SDK or an older version of the BREW SDK Tools to load apps onto the phone.

Load the apps onto your phone, restart, and then you're all set!