MobileRead Forums - View Single Post

khmann · 08-07-2011, 10:50 PM

EDIT 10/18/11: This totally works. If you just want the "HOWTO", ignore these first two posts; I tend to babble online in web forums... kind of a "stream of consciousness" thing - and I like to get my Google keywords out there. Skip to the 3rd post for the nuts and bolts.
------------------------

OK... so for some reason I feel compelled to convert my Kindle 3 from AT&T GSM to Sprint CDMA. This is not about TOS (Theft of Service) which I absolutely do not condone, but better reception and the K2's embedded GPS.

So, I got a couple K2 CDMA cards... Novatel E727NV SPCS I believe is K2 US Wireless B002 - EVDO Rev0 and E727NV NW2 from Kindle DX is RevA. I have played with a number of GSM modems; these units are very unfriendly and Novatel provides no documentation. I gathered the following primarily through the Sprint SmartView software with the card in a WinXP. In my free time I might try to install a serial port sniffing shim and see how the Sprint software gathers this information, but I am wary of killing another card (see below)

I would like to caution against the idea that these units could be used in non-Kindle devices for arbitrary access... I had some success establishing a Kindle connection using AT commands, but made the mistake of clicking the "Connect" button to bring up a connection from Windows... "Connection Failed" and no longer performs with AT commands

GSM operators often control access in M2M (Machine 2 Machine) environments using a service-specific APN to which SIM cards are granted access. In CDMA, authentication seems to be username/password paired to ESN, all stored in the radio. Either way, access is tied to a specific profile is likely monitored for abnormalities to "protect revenue". In GSM, they can nuke your SIM and blacklist your IMEI. The CDMA equiv would be to disable your username/password and blacklist the ESN. Mobile operators are very adept at network monitoring... subtle differences in PPP implementation, combined with a knowledge of "allowed applications" on the platform; where DNS should be going, TCP ports in use, and volume of data transferred, etc. can trigger an alarm resulting in a permanent block. Don't waste your money trying to steal...

Anyway, I gathered the following info:

Code:

Network Name	Sprint
System ID	4376

E727NV SPCS, ESN: 5B??????, IC ID: 3229B-E725, FCCID: PKRNVWE725
PCB: REV 2 17018322, 009-9

>ati
Manufacturer: NOVATEL WIRELESS INCORPORATED
Model: E727 SPRINT
Revision: m6801B-RAPTOR65_S_HYBRID-131 [Sep 05 2008 12:00:00]
ESN: 0x5B??????
+GCAP: +CIS707-A, CIS-856-A, +MS, +ES, +DS

Device Description	Novatel Wireless Modem
Manufacturer		Novatel Wireless Incorporated
Modem Model		E727 SPRINT
Revision		131
ESN			5B??????		91/10??????
Firmware Version	131
User Name		shrek7?????@SPP0??.dl.sprintpcs.com
Phone Number		908???????
Home Carrier Name
Home Carrier ID		0
Prl version		50413
Imsi			908???????



E727NV WN2, ESN: 5B??????, IC ID: 3229B-E725, FCCID: PKRNVWE725
PCB: REV 2 17018322, 106-9

>ati
Manufacturer: NOVATEL WIRELESS INCORPORATED
Model: E727 SPRINT
Revision: m6801B-RAPTOR65_S_HYBRID-132 [Mar 25 2009 12:00:00]
ESN: 0x5B??????
+GCAP: +CIS707-A, CIS-856-A, +MS, +ES, +DS

Device Description	Novatel Wireless Modem #2
Manufacturer		Novatel Wireless Incorporated
Modem Model		E727 SPRINT
Revision		132
ESN			5B??????		91/11??????
Technology		CDMA
Firmware Version	132
User Name		whnet2?????@SPP3??.dl.sprintpcs.com
Phone Number		586???????
Home Carrier Name
Home Carrier ID		0
Prl version		50428
Imsi			586???????


AT&V (under Windows driver)
&C: 2; &D: 2; &F: 0; E: 1; L: 0; M: 0; Q: 0; V: 1; X: 0; Z: 0; S0: 0;
S3: 13; S4: 10; S5: 8; S6: 2; S7: 50; S8: 2; S9: 6; S10: 14; S11: 95;
+FCLASS: 0; +ICF: 3,3; +IFC: 2,2; +IPR: 115200; +DR: 0; +DS: 0,0,2048,6;
+CDR: 0; +CDS: 0,1,2048,6; +CFC: 0; +CFG: ""; +CMUX: C,2; +CQD: 10;
+CRC: 0; +CRM: 2; +CTA: 60; +CXT: 0; +EB: 1,0,30; +EFCS: 1; +ER: 0;
+ES: 3,0,2; +ESR: 1; +ETBM: 1,1,20; +ILRR: 0; +MA: ; +MR: 0; +MS: ;
+MV18R: 0; +MV18S: 0,0,0; +FAA: 0; +FAP: 0,0,0; +FBO: 0; +FBU: 0;
+FCQ: 1,0; +FCC: 0,1,0,0,0,0,0,0;  +FCR: 0; +FCT: 1E; +FEA: 0;
+FFC: 0,0,0,0; +FHS: 0; +FIE: 0; +FIP: 0; +FIS: 0,1,0,0,0,0,0,0;
+FLI: ""; +FLO: 1; +FLP: 0; +FMS: 0; +FNR: 0,0,0,0; +FNS: ""; +FPA: "";
+FPI: ""; +FPP: 0; +FPR: 8; +FPS: 1; +FPW: ""; +FRQ: 0,0; +FRY: 0;
+FSA: ""; +FSP: 0; +IOTA: 1; +OMADM: 1; +PRL: 1; +HFA: 0; +GPSNMEA: 1;
+GPSLOCATION: 1

looking at the Kindle WAN scripts, seems that connection setup is way more straightforward then the Anydata DTP-600W, which seems to require a firmware download. The 3.1 K3's 3G kernel module automatically detects the VID 1410, PID 8000 IDs, but makes no provision for selecting the correct modem type in PPP chat script.

Be aware that _all_ of this data is available to Amazon (regardless of how hacked up your device is), and should they choose to co-ordinate their server logs with Sprint they would immediately know what is going on. Hopefully they do not disapprove that I want to buy books on the beach where there is no ATT...

08-07-2011, 10:50 PM	#1
khmann Enthusiast Posts: 43 Karma: 1658 Join Date: Jul 2011 Device: b006	k3-CDMA EDIT 10/18/11: This totally works. If you just want the "HOWTO", ignore these first two posts; I tend to babble online in web forums... kind of a "stream of consciousness" thing - and I like to get my Google keywords out there. Skip to the 3rd post for the nuts and bolts. ------------------------ OK... so for some reason I feel compelled to convert my Kindle 3 from AT&T GSM to Sprint CDMA. This is not about TOS (Theft of Service) which I absolutely do not condone, but better reception and the K2's embedded GPS. So, I got a couple K2 CDMA cards... Novatel E727NV SPCS I believe is K2 US Wireless B002 - EVDO Rev0 and E727NV NW2 from Kindle DX is RevA. I have played with a number of GSM modems; these units are very unfriendly and Novatel provides no documentation. I gathered the following primarily through the Sprint SmartView software with the card in a WinXP. In my free time I might try to install a serial port sniffing shim and see how the Sprint software gathers this information, but I am wary of killing another card (see below) I would like to caution against the idea that these units could be used in non-Kindle devices for arbitrary access... I had some success establishing a Kindle connection using AT commands, but made the mistake of clicking the "Connect" button to bring up a connection from Windows... "Connection Failed" and no longer performs with AT commands GSM operators often control access in M2M (Machine 2 Machine) environments using a service-specific APN to which SIM cards are granted access. In CDMA, authentication seems to be username/password paired to ESN, all stored in the radio. Either way, access is tied to a specific profile is likely monitored for abnormalities to "protect revenue". In GSM, they can nuke your SIM and blacklist your IMEI. The CDMA equiv would be to disable your username/password and blacklist the ESN. Mobile operators are very adept at network monitoring... subtle differences in PPP implementation, combined with a knowledge of "allowed applications" on the platform; where DNS should be going, TCP ports in use, and volume of data transferred, etc. can trigger an alarm resulting in a permanent block. Don't waste your money trying to steal... Anyway, I gathered the following info: Code: Network Name Sprint System ID 4376 E727NV SPCS, ESN: 5B??????, IC ID: 3229B-E725, FCCID: PKRNVWE725 PCB: REV 2 17018322, 009-9 >ati Manufacturer: NOVATEL WIRELESS INCORPORATED Model: E727 SPRINT Revision: m6801B-RAPTOR65_S_HYBRID-131 [Sep 05 2008 12:00:00] ESN: 0x5B?????? +GCAP: +CIS707-A, CIS-856-A, +MS, +ES, +DS Device Description Novatel Wireless Modem Manufacturer Novatel Wireless Incorporated Modem Model E727 SPRINT Revision 131 ESN 5B?????? 91/10?????? Firmware Version 131 User Name shrek7?????@SPP0??.dl.sprintpcs.com Phone Number 908??????? Home Carrier Name Home Carrier ID 0 Prl version 50413 Imsi 908??????? E727NV WN2, ESN: 5B??????, IC ID: 3229B-E725, FCCID: PKRNVWE725 PCB: REV 2 17018322, 106-9 >ati Manufacturer: NOVATEL WIRELESS INCORPORATED Model: E727 SPRINT Revision: m6801B-RAPTOR65_S_HYBRID-132 [Mar 25 2009 12:00:00] ESN: 0x5B?????? +GCAP: +CIS707-A, CIS-856-A, +MS, +ES, +DS Device Description Novatel Wireless Modem #2 Manufacturer Novatel Wireless Incorporated Modem Model E727 SPRINT Revision 132 ESN 5B?????? 91/11?????? Technology CDMA Firmware Version 132 User Name whnet2?????@SPP3??.dl.sprintpcs.com Phone Number 586??????? Home Carrier Name Home Carrier ID 0 Prl version 50428 Imsi 586??????? AT&V (under Windows driver) &C: 2; &D: 2; &F: 0; E: 1; L: 0; M: 0; Q: 0; V: 1; X: 0; Z: 0; S0: 0; S3: 13; S4: 10; S5: 8; S6: 2; S7: 50; S8: 2; S9: 6; S10: 14; S11: 95; +FCLASS: 0; +ICF: 3,3; +IFC: 2,2; +IPR: 115200; +DR: 0; +DS: 0,0,2048,6; +CDR: 0; +CDS: 0,1,2048,6; +CFC: 0; +CFG: ""; +CMUX: C,2; +CQD: 10; +CRC: 0; +CRM: 2; +CTA: 60; +CXT: 0; +EB: 1,0,30; +EFCS: 1; +ER: 0; +ES: 3,0,2; +ESR: 1; +ETBM: 1,1,20; +ILRR: 0; +MA: ; +MR: 0; +MS: ; +MV18R: 0; +MV18S: 0,0,0; +FAA: 0; +FAP: 0,0,0; +FBO: 0; +FBU: 0; +FCQ: 1,0; +FCC: 0,1,0,0,0,0,0,0; +FCR: 0; +FCT: 1E; +FEA: 0; +FFC: 0,0,0,0; +FHS: 0; +FIE: 0; +FIP: 0; +FIS: 0,1,0,0,0,0,0,0; +FLI: ""; +FLO: 1; +FLP: 0; +FMS: 0; +FNR: 0,0,0,0; +FNS: ""; +FPA: ""; +FPI: ""; +FPP: 0; +FPR: 8; +FPS: 1; +FPW: ""; +FRQ: 0,0; +FRY: 0; +FSA: ""; +FSP: 0; +IOTA: 1; +OMADM: 1; +PRL: 1; +HFA: 0; +GPSNMEA: 1; +GPSLOCATION: 1 looking at the Kindle WAN scripts, seems that connection setup is way more straightforward then the Anydata DTP-600W, which seems to require a firmware download. The 3.1 K3's 3G kernel module automatically detects the VID 1410, PID 8000 IDs, but makes no provision for selecting the correct modem type in PPP chat script. Be aware that _all_ of this data is available to Amazon (regardless of how hacked up your device is), and should they choose to co-ordinate their server logs with Sprint they would immediately know what is going on. Hopefully they do not disapprove that I want to buy books on the beach where there is no ATT... Last edited by khmann; 10-18-2011 at 10:31 PM.