Running unsigned code on BREW devices/Smartfren XStre@m

From Legacy Portable Computing Wiki

This BREW sideloading method deals with changing the ESN to match a test signature.

This is intended to be a step-by-step guide on how to patch the Smartfren XStre@m (Alcatel) series of phones to run unsigned BREW programs.

Currently compatible phones

This method has been tested to be fully working on the Smartfren XStre@m E781A "Rev. 1" on firmwares "E2_SQID_V0.5.3", "E2_SQID_V0.6.3", and "E2_SQID_V0.7.4". It should work regardless of firmware version.

Note: Smartfren XStre@m New Looks (except for the ED782A) running early firmware may work with this guide, but this has not been tested and cannot be confirmed. The easiest way to tell is by the boot chime: if it isn't the smartfren sound, the phone is running an early firmware.

To check the firmware version, dial *#0000# on your phone.

To check whether the "Diag Config" option exists, dial *#*#1706# on your phone, select "Programming", type 000000 at the "Enter Sec. Code" screen (the code will be different if you did not do the "Enabling Diag Mode Features" section on the ED782A), then press the left softkey. This opens the programming menu. Scroll down to the end: if "Diag Config" is not listed, you should be good to go; if it is, you're out of luck, because the Qualcomm DIAG features become re-locked once the EFS is cleared, which bricks the phone and makes it unrecoverable.

These phones have the necessary requirements in order to work correctly for this guide:

  • Smartfren XStre@m E781A ("Rev 1" with any firmware version) - Fully working with no issues.
  • Smartfren XStre@m New Look E781A ("Rev 2" with early firmware) - Should be fully working with no issues.

Currently incompatible phones

These phones have some restriction or other problems which prevent them from working correctly for this guide:

  • Smartfren XStre@m New Look E781A ("Rev 2" with later firmware) - Qualcomm DIAG features are locked and become re-locked once the EFS is cleared, which is currently a required step in order to change the ESN.
  • Smartfren XStre@m New Look ED782A (Any firmware versions) - Same as above applies.

Important Disclaimers

As this method involves clearing the EFS, restoring an NV backup using QPST, and installing a clean copy of system files, there is a small but possible chance your phone will be bricked if something goes wrong. Do this at your own risk!

Usually there are many system files you need to put onto the device's EFS by manually loading each one with QPST. If you notice that your phone randomly crashes and then reboots when you go to the main menu, as it would prior to copying the system files, you may have forgotten to load some of the necessary system files back into the EFS.

As this method also involves changing the phone's ESN to that of a test signature, this may fall into IMEI "repair" territory. CDMA as a network technology has been mostly deprecated around the world, so any real risk of changing the ESN is low.

Prerequisites

A computer running Windows 7 or above

A data cable for the phone you are trying to patch

  • Mini-USB for the original model (E781A "Rev 1")
  • Micro-USB for the "New Look" model (E781A "Rev 2" / ED782A)

BREW patch files for the specific model of phone you are trying to patch; the EFS system files and NV backup are included inside of this archive

7-zip or another ZIP unpacker

QPST (2.7.460) - Used for restoring NV backup and installing EFS system files

RevSkills - Used for enabling or disabling FTM mode

BREW test signature .sig file

/bin/cat's AppUI replacement (Replaces the built-in "Black Jack" game, Optional)

Setting everything up

After powering your phone on, open Device Manager and go to "Ports (COM & LPT)". Make note of the COM port that mentions "EVDO Applications Interface".

Adding an extra brick-protection layer

Note: It is highly recommended to do this first, because when the cdrom.iso is still on the phone, the phone may become stuck in a bootloop once FTM mode is enabled. The phone will still function without the virtual CD drive file present; the only difference is that no virtual CD drive shows up upon boot.

1. Connect the phone to the PC

2. Install the phone's drivers. They are included in the phone itself, and can be installed once it's connected to a PC. The phone should show up as a virtual CD drive.

3. After the driver is installed, open the QPST Configuration app, click the "Ports" tab, then click "Add New Port" button.

4. Uncheck "Show Serial and USB/QC Diagnostic ports only", select "USB/Unknown (EVDO Applications Interface)", and then click the "OK" button. It will be detected as SURFQSC6055 (NAND).

5. Click "Start Clients" and then click "EFS Explorer".

6. The QPST EFS Explorer "Phone Selection" window will appear, click the "OK" button. It will start reading the phone's EFS, this will take several seconds.

7. Once it's finished, delete the cdrom.iso file and then close QPST EFS Explorer and QPST Configuration app.

Awesome! This makes FTM mode usable, adding an extra brick-protection layer to the phone.

Patching the phone

Note:

  • Make sure that the battery is fully charged before patching the phone and that the "Adding an extra brick-protection layer" section was performed correctly; otherwise there's a chance the cdrom.iso file won't be deleted when clearing the EFS, posing the same problem as the unrecoverable FTM mode brick.
  • If you are affected by the "Clear EFS" situation (black screen after the "smartfren" logo) before patching the phone, you can skip steps 2-6.

1. Extract the Smartfren_E781A_BREW_patch.zip archive to a folder.

2. Dial *#*#1706# on your phone. This will take you to the engineering menu.

3. Select "Debug".

4. Select "Clear EFS".

5. Type "Yes" (case-sensitive), and then press the left softkey.

6. This will freeze up the phone and set the MEID code to all 0s, making it reprogrammable once again. Wait for at least 5 minutes, then remove the battery to force the phone off.

7. Reinsert the battery and connect to a PC (do not press the power button).

8. Wait until you see the black screen after the "smartfren" logo, then open RevSkills immediately: the phone reboots after the screen has been black for several seconds. Keep pressing the OK button so that the phone's screen does not turn off; otherwise the phone will reboot shortly after the screen turns off.

9. Go to Hardware -> Port Utils -> QC + AT-Cmd.

10. Select the "EVDO Applications Interface" in the Serial Com Port section, then go to DIAG tab.

11. Select "Enable FTM Mode" in the Diag Functions section, and then click Lets go.

12. The phone will reboot automatically and enter FTM mode (stuck at the smartfren logo), allowing EFS system files to be copied to the phone without it constantly rebooting.

13. Close RevSkills and open the QPST Configuration app, do the same thing as steps 3-4 of the "Adding an extra brick-protection layer" section, then open QPST Software Download.

14. Select "Restore" tab, then open the extracted E781A_ESN_AB2B3C4F_FTM.qcn file.

15. Check "Allow ESN mismatch", and then click "Start".

16. It will begin restoring the NV backup to the phone, which only takes a few seconds, and the phone will reboot when it's finished. The ESN will be set to AB2B3C4F, matching that test signature.

17. Close QPST Software Download and then open QPST EFS Explorer.

18. The QPST EFS Explorer "Phone Selection" window will appear, click the "OK" button. It will start reading the phone's EFS, this will take several seconds.

19. Once it's finished, copy everything from the extracted EFS folder to the phone by dragging and dropping all of the files. Note that QPST can create folders and subfolders that do not yet exist on the phone, but it does not copy into existing ones; those would break, and you would have to delete all of the files inside that folder. Do the same with the "CGPS_ME", "CGPS_PE", "brew", "address", "card0", "hsmm" (download/ebook/java/others/photos/pictures/received/recorders/songs/videos), "mif", "mod", "shared", "sys" (download/priv), and "system" (config/contapp/font/image/ringer/string/theme/zi) folders.

20. For the "hsmm", "sys", and "system" folders, delete all of the files and subfolders inside them.

21. Copy everything from the extracted folders listed below into the matching folders on the phone:

  • "EFS\brew\hsmm" to (/brew/hsmm/)
  • "EFS\brew\sys" to (/brew/sys/)
  • "EFS\brew\system" to (/brew/system/)

22. For the "mod" folder, first delete all files and subfolders inside the "obigo" folder, and then delete the "obigo" folder itself once it's empty.

23. Copy everything from the extracted "EFS\brew\mod" folder into the phone (/brew/mod/)

24. Copy messages.png file from the extracted "Additions" folder into the phone (/brew/system/image/coreapp/mainmenu/), otherwise the phone will crash then reboot when you go to the main menu.

25. After it's all done, close QPST EFS Explorer and QPST Configuration app and then open RevSkills.

26. Go to Hardware -> Port Utils -> QC + AT-Cmd.

27. Select the "EVDO Applications Interface" in the Serial Com Port section, then go to DIAG tab.

28. Select "Disable FTM Mode" in the Diag Functions section, and then click Lets go.

29. The phone will reboot automatically and then boot to the idle screen.

30. Go to the main menu, "Games and Apps", and select "Black Jack" with the BREW icon.

31. If the AppUI appears on the screen, you've successfully patched the phone and are ready to load some BREW apps onto it, congrats! Now you can remove the Smart Telecom or Smartfren R-UIM card, as the patch also removes the R-UIM requirement to get into the menu.

[Screenshots: /bin/cat's AppUI replacement; China Telecom's BREW AppManager]

Turning on the airplane mode after patching the phone (Optional)

Note: You need a Smart Telecom or Smartfren R-UIM card in order to turn on airplane mode.

If you see the signal strength with the "1X" icon instead of the plane icon at the top-left of the screen after patching a phone, the "oemconfig.dat" and "prefs.dat" files in the "/brew/sys/priv/" folder, which come from firmware "E2_SQID_V0.6.3", may not be compatible with other firmware versions; the phone will then reset both files back to their original state, which includes the config data for airplane mode. This drains the battery much quicker, as the phone is constantly searching for a CDMA signal, and you cannot turn airplane mode on or off once you set the RTRE (RUIM) config to NV only.

1. Dial *#*#1706# on your phone. This will take you to the engineering menu.

2. Select "Programming".

3. Type 000000 at the "Enter Sec. Code" screen, then press the left softkey. This will open the programming menu.

4. Select "RTRE setting".

5. Select "USE RUIM".

6. Press the right softkey and the phone will reboot automatically.

7. Wait until you see the "Insert UIM card" message after the smartfren logo, then turn off the phone.

8. Insert the correct R-UIM card (Smart Telecom 1900MHz, 64K cards only, or Smartfren 800MHz); otherwise you'll get the "Invalid UIM card" message with no way to dial numbers. Then turn on the phone.

9. Go to the main menu, "Settings", and select "Settings".

10. Set the Airplane Mode to "On" and then press "Save".

11. Go back to the idle / standby screen.

12. Dial *#*#1706# on your phone. This will take you to the engineering menu.

13. Select "Programming".

14. Type 000000 at the "Enter Sec. Code" screen, then press the left softkey. This will open the programming menu.

15. Select "RTRE setting".

16. Select "USE NV".

17. Press the right softkey and the phone will reboot automatically.

Done! Now you can continue using the phone without needing to worry about draining the battery.

There's a chance that all of the sideloaded BREW apps will get self-deleted on some firmware versions. To check, go to the main menu, "Games and Apps", and select "Black Jack" with the BREW icon. If the AppUI still appears on the screen, you should be good to go; but if the "Black Jack" game appears, the "AppUI" that replaces the built-in "Black Jack" game got self-deleted and you have to restore it manually.

Restoring the AppUI

1. Extract the E781A_AppUI.zip archive to a folder.

2. Open the QPST Configuration app, do the same thing as steps 3-4 of the "Adding an extra brick-protection layer" section, then open QPST EFS Explorer.

3. The QPST EFS Explorer "Phone Selection" window will appear, click the "OK" button. It will start reading the phone's EFS, this will take several seconds.

4. Once it's finished, copy the appui folder from the extracted "E781A_AppUI" folder into the phone (/brew/mod/)

5. Copy the appui.mif file from the extracted "E781A_AppUI" folder into the phone (/brew/mif/)

6. Reboot the phone and try going to the main menu, "Games and Apps", and select "Black Jack" with the BREW icon.

If the "AppUI" appears on the screen, you should be good to go.

Putting apps onto the phone

(The steps for sideloading apps are the same as on LG and any other Qualcomm BREW device, which is why the screenshots show LG-related material.)

In order to put BREW apps on the phone, you'll need to use RevSkills.

File naming schemes

In order for the phone to see the game, the files and folders need to be named in a specific way. Keep this in mind when adding files:

.mif and /mod/ folders should match. This means that an app with a MIF file named 12345.mif should have a folder in /mod/ named 12345 as well. The files inside of the /mod/(name) folder should be left alone.

If the BREW app comes with its own .sig file, delete it and replace it with the BREW test signature found above. The name of the .sig should have the same name as the .mod file inside of /mod/(name). This means that if the app has a MOD file named 12345.mod, the BREW test signature (.sig) file should also be named 12345.sig.

If a game does not show up on the phone and the files disappear when you check the filesystem again, one of these files was likely named incorrectly or the .sig file was not replaced with the BREW test signature.
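The naming rules above, checked in code. This is an added example, not from the wiki, RevSkills or any BREW tool: it models the phone's /brew tree as a dict of POSIX paths to file bytes so it runs offline, the test-signature bytes are a constructed stand-in rather than a real .sig, and prepare_package / check_layout are names chosen here. It builds one correctly named package and then flags the mistake the paragraph describes (the app's own .sig left in place and not matching the .mod name).

```python
"""Validate a BREW sideload package against the .mif / mod folder / .sig naming rules.

Added example; the phone's EFS is modelled as {path: bytes}. The real upload is
still done with RevSkills (or QPST), this only checks what you are about to send.
"""
from __future__ import annotations

import posixpath

BREW_ROOT = "/brew"

# Constructed stand-in for the contents of the BREW test signature file.
TEST_SIG = b"constructed-test-signature-stand-in"


def prepare_package(app_name: str, mif: bytes, mod_name: str, mod: bytes,
                    testsig: bytes) -> dict[str, bytes]:
    """Lay out one app the way the phone expects (hypothetical helper).

    app_name -> /brew/mif/<app_name>.mif and the /brew/mod/<app_name>/ folder
    mod_name -> <mod_name>.mod inside that folder, with <mod_name>.sig beside it
    The .sig is always a copy of the test signature; a .sig the app shipped
    with is deliberately not carried over.
    """
    mod_dir = posixpath.join(BREW_ROOT, "mod", app_name)
    return {
        posixpath.join(BREW_ROOT, "mif", f"{app_name}.mif"): mif,
        posixpath.join(mod_dir, f"{mod_name}.mod"): mod,
        posixpath.join(mod_dir, f"{mod_name}.sig"): testsig,
    }


def check_layout(fs: dict[str, bytes], testsig: bytes) -> list[str]:
    """Return the naming problems found; an empty list means the layout is consistent."""
    problems: list[str] = []
    mif_dir = posixpath.join(BREW_ROOT, "mif")
    mod_root = posixpath.join(BREW_ROOT, "mod")

    # Stems of every .mif directly under /brew/mif/
    mif_names = {posixpath.basename(p)[:-4] for p in fs
                 if posixpath.dirname(p) == mif_dir and p.endswith(".mif")}
    # First path component after /brew/mod/ for every file inside a subfolder
    mod_dirs = {p[len(mod_root) + 1:].split("/", 1)[0] for p in fs
                if p.startswith(mod_root + "/") and "/" in p[len(mod_root) + 1:]}

    for name in sorted(mif_names - mod_dirs):
        problems.append(f"{name}.mif has no matching /brew/mod/{name}/ folder")
    for name in sorted(mod_dirs - mif_names):
        problems.append(f"/brew/mod/{name}/ has no matching {name}.mif")

    for name in sorted(mif_names & mod_dirs):
        folder = posixpath.join(mod_root, name)
        entries = {posixpath.basename(p): data for p, data in fs.items()
                   if posixpath.dirname(p) == folder}
        mods = [e for e in entries if e.endswith(".mod")]
        if not mods:
            problems.append(f"/brew/mod/{name}/ contains no .mod file")
        for modfile in mods:
            sigfile = modfile[:-4] + ".sig"
            if sigfile not in entries:
                problems.append(f"/brew/mod/{name}/{modfile} has no {sigfile} beside it")
            elif entries[sigfile] != testsig:
                problems.append(f"/brew/mod/{name}/{sigfile} is not the BREW test signature")
        # A .sig that matches no .mod is usually the vendor's original, wrongly named
        for sigfile in (e for e in entries if e.endswith(".sig")):
            if sigfile[:-4] + ".mod" not in entries:
                problems.append(f"/brew/mod/{name}/{sigfile} does not match any .mod file")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """One correct package and one with the classic naming mistake (constructed data)."""
    good = prepare_package("pac_man", b"\x00mif", "pac_man", b"\x00mod", TEST_SIG)
    bad = {
        "/brew/mif/12345.mif": b"\x00mif",
        "/brew/mod/12345/game.mod": b"\x00mod",
        "/brew/mod/12345/12345.sig": b"vendor signature left in place",
    }
    return check_layout(good, TEST_SIG), check_layout(bad, TEST_SIG)


if __name__ == "__main__":
    ok, broken = demo()
    print("good package problems:", ok)
    print("bad package problems:", *broken, sep="\n  ")
```

Run it before uploading: an empty list from check_layout means the .mif stem, the /mod/ subfolder, the .mod stem and the .sig stem all line up and the .sig content is the test signature, which is exactly the set of conditions the wiki says causes apps to silently vanish when violated.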

RevSkills

After starting RevSkills, go to Hardware -> Port Utils -> QC + AT-Cmd. A window called "QC Com Diag Window" should open, and then from there you can select the proper COM port to use.

Go to the EFS tab, and press Read Directories. If everything was set up correctly, it should say it's reading files and then eventually show some files and folders.

Open the "brew" folder by clicking on the + icon to the left of it. At least 2 other folders should show up, named "mif" and "mod".

In order to send an app to the phone, send the .mif file to the "mif" folder by right-clicking a file and then clicking "Write File". It might look like you're overwriting one of the existing files, but this is just how RevSkills works.

As for the .sig file, create a copy of the BREW test signature and rename it to the same name as the .mod file. For example, if you're sending a Pac-Man game that has a .mod file named "pac_man.mod", you would rename the BREW test signature to "pac_man.sig". Once you've done that, send the .sig file to the subfolder you created inside of the "mod" folder.

You can send as many apps as the phone's storage will allow, but it takes patience. Transferring files can be sped up by changing the baud rate, but even then it isn't very fast.

Once you're done sending apps to the phone, close RevSkills and restart the phone.

If all went well, you should see the apps you put on your phone in one of the BREW menus on your phone. Most of the time it'll either be in "Browse & Download" or in "Tools on the go" on Verizon phones.

All done! Now you can play BREW games and run BREW apps without needing to worry about ridiculous DRM tactics on a feature phone.

BREW AppLoader

Once a phone's ESN matches the test signature ESN, it's also possible to use the "Loader" tool from the BREW MP SDK or an older version of the BREW SDK Tools to load apps onto the phone.

Load the apps onto your phone, restart, and then you're all set!