New EVDO vulnerability


Post by kocoman » Thu Jan 28, 2010 7:19 pm

Should Telus take down the EVDO network for this vulnerability?
See thread:


What you need:
1. Inactive EVDO phone or inactive EVDO data card that you don’t plan to sell/reuse anymore. (Used on any network, does not have to be Telus.) (To prove the concept.) (Could also work with an “active” one for the more experienced, data account sharing etc. later on if successful.)
2. Good EV coverage, i.e. it does not drop back to 1X (or you know how to force EV in the NV settings)
3. Must have tried successfully with #777 with tethering the phone in the past (easier with data cards)
4. “A Telus EVDO PRL” if not getting an EV icon, or if it was provisioned on other networks, i.e. USA, Bell
5. Your SPC/MSL
6. Know how to connect your phone with QPST/Qualcomm (i.e. not Nokia)
7. An active account (with Telus or Koodo) with an EVDO phone on it, i.e. prepaid, smartphone, data card, a friend to share/an enemy to kick out/a stranger’s from OTA scans. You need their phone # and EVDO ESN (it does not work with 3G+ or MEID or 1X)
8. Copy down your existing settings: AN, Um, M.IP, NAI, in QPST
9. Willing to risk losing something and not blame me!!!

1. Open up QPST Configuration, then make sure the “Diag” port gets detected by it.
2. Open “Service Programming”
3. Read from phone, enter MSL
4. Go to the PPP Config Tab, then Um
5. Copy down the “User ID” and save it somewhere.
6. Do step 4 again, but with the AN tab
7. Now go back to the Um tab, then, depending on your network/phone config (trial and error):
   If your active account is Telus prepaid: (free) – also for regular accounts with WAP, smartphones, etc. or for Treo 700p/755p
   If your active account is Koodo: (free)
   If you want to use “tethering” charges (i.e. have a data card plan):

8. Enter one of the above in the user ID.
9. For the password, it’s ALL 11 digits of the ESN of that account in DECIMAL – check it in eCare (you have to include the leading zero if necessary)
10. Repeat for the AN tab
11. Now go to the M.IP tab
12. Double-click on the “enabled” profile. (There should only be one “enabled”.)
13. Copy down the NAI settings somewhere.
14. In the NAI field, enter the user ID from step 8
15. The Tethered NAI should be blank
16. For the AAA shared secret, click on the Enter Text String button.
17. Then enter the ESN from step 9
18. You could also fill in the HA, but Telus does not use MIP usually.
19. Save settings to phone
20. Try connecting with #777. Not sure if WAP portals would work.
21. If it does not work, make sure the PRL is Telus (Bell would work too for free roaming in Eastern Canada, but not sure about Western Canada)

It’s so many steps and without pictures, but it’s a reference for someone who wants to try it and then report back. It’s not for n00bs.
6b 6f 63 6f 6d 61 6e 20 6f 66 20 63 64 6d 61 2d 64 65 76 2d 74 65 61 6d

Re: New EVDO vulnerability

Post by Rayborn » Tue Feb 02, 2010 4:52 pm

The same goes for most, if not all, US CDMA providers.

Re: New EVDO vulnerability

Post by kocoman » Fri Sep 03, 2010 9:15 am

NEW NOTES - updated for MEID

1) So if the account is MEID based, just convert the MEID from DEC to HEX (because the QPST "MIP" tab complains that the password is over 16 digits).
Then put all of that HEX MEID into the password fields where the "ESN" was supposed to go.

2) Use Profile 1 (enable it), disable profile 0 (don't delete profile 0).
Then select Simple IP only.

3) In the Windows dialer, put that NAI and password in. Make sure your "Watcher, etc." app is not changing it back to something else.
6b 6f 63 6f 6d 61 6e 20 6f 66 20 63 64 6d 61 2d 64 65 76 2d 74 65 61 6d