How to change IMEI on USB GPRS modem?

Tomcat

Many hackers are interested in USB GPRS modems. The thing is unusually convenient, but it also has an IMEI that can be used to calculate ... The article was found on the net. We do all actions at our own peril and risk! I think that by analogy it can be done for other modems of this manufacturer. I hasten to please - you can buy modems and then throw out the SIM card ...



Here is the article itself:

I want to share with you a way to completely restore the ZTE MF626 modem from a half-dead state, with the ability to restore the native IMEI, or any other, as you please, and other settings locked by the SPC code ... Without searching for or calculating the SPC itself!

In the same way, it is possible to re-flash modems that have not yet been flashed, while saving their settings in case of errors during flashing; all of this will be easy to pick up.

To work, you need two modems: one that is stuck (in download state), and a live one (any ZTE MF626, any operator).

And a required condition: flashing must be done without a cable, that is, with the modem plugged directly into the socket!!!

You also need to get hold of three programs: QPST v2.7 build 301; WinHex v15.0.0 (or any other HEX editor; my choice fell on WinHex, and I advise it to you); and, optionally but preferably, RW NV item ZTE MF626, as a safety net.

I think you can find all this on the Internet without any problems, and if you don't find it, write to me and I'll email them to you. And of course you need the firmware itself: MF626 M02 Upgrade Tool and driver version 1.2050.0.6 with the following line written into the [ZTEcomSerialPort] and [ZTEcomSerialPort.NTamd64] sections of the zteusbdiag.inf file.

Code:
%ZTEDevice0016% = ZTEportInstall6k, USB\VID_19D2&PID_0016&MI_00

Part 1 - If the modem is alive:

1) Run RW NV item ZTE MF626 and make a backup.

2) Open the C: drive and find the Channel1.nvm file there; it contains our backup.

3) Change its extension, for example to Channel1.nvm_; this is needed in case the flashing process is not entirely successful.

4) Launch the MF626 M02 Upgrade Tool and flash.

During the backup, another Channel1.nvm is created; do not touch it.

In general, steps 1, 2 and 3 can be skipped; they are needed as a safety net to make further work easier. I recommend that you do not skip them.

When the flashing is complete, re-plug the modem and install the Telstra software, reboot, and enjoy the Internet!

Part 2 - When the modem (firmware) is dead:

5) This step is needed to restore / change the IMEI. Run QPST v2.7 build 301 -> Service Programming -> Work Offline -> SURF6246-RTR6285-A2, enter the IMEI, and write it down wherever you like.

6) Save and name the file; it gets more and more interesting from here. We close this software.

7) Go to where you saved the file and open it in QCNView (included in the QPST kit). Go to the Text View tab and find NV item: 550 [NV_UE_IMEI_I] in the text. index 0, in our case it will be 08 1a 32 54 06 12 11 22 02. We do not close the program yet.

8) To get Channel1.nvm, see steps 1-3 of Part 1 (at the very beginning of the article); it is for this operation that we need another modem, the one that is alive.

Now we start WinHex and open C:\Channel1.nvm with it, press ALT + G or Position -> Go To Offset, type in New position: 169CC, and get to the first digit of our IMEI and change the HEX value to the one we received in QCNView. It must not go beyond Offset 169D4 !!! Then everything is simple: we save and we can already start to rejoice. Yes, I almost forgot: WinHex and QCNView can be closed.

9) We launch the flasher, plug in a live modem, nervously smoke ... we wait for the backup to be made; when it is ready, the modem starts to go into the download state, and our task is to prevent this. I will tell you about my experience:

When I flashed my modem, I turned the sound up, and when the characteristic sound of a disconnected device sounded and the LED on the modem went out, I quickly pulled it out and plugged in the dead modem. I will make a reservation again: it is better to pull out the modem earlier rather than later !!! If it is too late, you will need a third one to restore those two. If you need a driver after going into the download state, then just install it, but only manually; it should end up on the same port as before.

For the driver you will need to select the ZTE HS-USB Diagnostics Interface. Most likely, the first flashing attempt will fail; do not get upset, and start again from step 5. If everything goes as it should, then while the firmware is being written we go to the C: drive, where we see two files: Channel1.nvm_ and Channel1.nvm.

The second one, Channel1.nvm, is deleted, and the first one is renamed to the same name, that is, to Channel1.nvm. Then we sit and rejoice at how the modem is being flashed and the settings are restored. If a failure suddenly occurs and an error pops up, rename the file again to Channel1.nvm_ and repeat step 5. By the way, when everything works, do not forget to restore the CD_STARTUP_FLAG and FLAG_NO_DOWNLOAD flags on the modem that was protected from the download state and nervously pulled out; they can be taken with the EFS Explorer (QPST) utility from a restored modem.
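For anyone examining an NV backup, the 9-byte NV item 550 value quoted in step 7 can be decoded and checked against the IMEI check digit, which flags hand-entered values. This is an added example, not part of the original post or the quoted article; it assumes the usual layout (length byte 0x08, then swapped-nibble BCD whose first low nibble is the identity-type marker 0xA), and the function names are illustrative.

```python
# Added example (not from the post): decode and audit an NV item 550 value.
# Assumed layout: 1 length byte (0x08) + 8 bytes of swapped-nibble BCD,
# where the very first low nibble is the identity-type marker 0xA.

def decode_nv_imei(raw: bytes) -> str:
    """Return the 15-digit IMEI string stored in a 9-byte NV item 550 value."""
    if len(raw) != 9 or raw[0] != 0x08:
        raise ValueError("expected 9 bytes starting with length byte 0x08")
    nibbles = []
    for b in raw[1:]:
        nibbles += [b & 0x0F, b >> 4]      # low nibble holds the earlier digit
    if nibbles[0] != 0xA:
        raise ValueError("identity-type nibble is not 0xA (IMEI)")
    digits = nibbles[1:]
    if any(d > 9 for d in digits):
        raise ValueError("non-decimal nibble in IMEI field")
    return "".join(str(d) for d in digits)

def luhn_check_digit(first14: str) -> int:
    """Compute the Luhn check digit for the first 14 IMEI digits."""
    total = 0
    for i, ch in enumerate(first14):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the left
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10

def audit_nv_imei(raw: bytes) -> dict:
    """Decode the value and report whether its check digit is consistent."""
    imei = decode_nv_imei(raw)
    expected = luhn_check_digit(imei[:14])
    return {"imei": imei, "expected_check": expected,
            "luhn_ok": int(imei[14]) == expected}

# The value quoted in step 7 of the article.
SAMPLE = bytes.fromhex("081a32540612112202")

if __name__ == "__main__":
    print(audit_nv_imei(SAMPLE))
```

The value quoted in the article decodes to an IMEI whose last digit does not match the computed check digit, which is the kind of inconsistency an examiner or an inventory check can flag.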