This is more a set of tips than anything. I will go over the general concept of scanning readable memory. This should work with just about any software you have available for these purposes. I will nonetheless use CDMA Workshop as the example although in the end there are much more efficient FREE tools out there to get this done quicker and much more intuitively.
The Reasons:
What does scanning readable memory entail?
It is the process that comes BEFORE memory dumping. In short, it is the process of finding the memory addresses you can access for whatever your purpose is. Instead of dumping the RAM blindly on the first take (which will probably get you nowhere), you first find what the proper ranges of readable memory are and then proceed to the long-winded task of memory dumping.
The goal is to get the most exact ranges possible. Once you have these, the dumping process is an uneventful piece of cake.
It should be noted that memory ranges vary from phone to phone, and even between firmware/radio versions of the same phone.
Is it safe for the phone? Can I brick it?
Nope! Highly doubtful! It is 100% SAFE!!!! You're not doing any writing to the device, you're just poking to see what you can get from it. So it is an absolutely safe process as long as you don't accidentally choose Write in the app at some point. The worst that could happen is that the phone decides to reboot on you or locks you out from reading the memory until you reboot it. That's about it.
How long does it take?
Scanning takes under 30 minutes on a phone that doesn't give you many issues, and probably over an hour on a picky, resetting phone. The dump, though, will depend a lot on how big the readable area is. It could be anywhere from 45 minutes to over an hour. It all depends. This is why the scanning is so important. If you have dead-on ranges, you should be able to pull it from the first dump!
How can I scan/dump the memory?
There's a plethora of tools to do this. I prefer DFS Demo for this, as it's the perfect marriage between CWS's Memory tab and QXDM, but you can use many tools: CDMA Workshop, DFS, UniCDMA, QMAT....
You will also need a word-processor of some kind to take note of your findings.
Why should this be important?
Well, if you don't know from the start what exact areas of the memory you have, you might run into many issues afterwards that will probably force you to rescan and dump all over again. Each time, it takes THE SAME AMOUNT OF TIME! Additionally, you might end up with missing locations when attempting a repair by zeroing out addresses and the like. Likewise, if you're scanning for ANYTHING and you don't have the best possible dump to start with, you'll have a lower chance of finding it in the dump (SPC, AAA keys, etc...).
You can't always just leave CDMA Workshop overnight scanning the Memory for you either... some phones reboot during the process to hinder you from achieving this and that'll give you more than just headaches. You might end up smashing some phones altogether because of improper guidance. Now, I'm pretty sure we don't want that do we?
What's all this scanning and dumping good for anyway?
So many things!!!! SPC on most phones, MEID/ESN repair, reading inaccessible Profile 1 keys from some Boost/Sprint phones. You just have to know what you're after. A dump is basically the whole terrain of the phone's editable inner workings. With a Hex editor and the proper guidance you can get just about anything from it. Here are some common examples of how to go about reaching whatever you're looking for, depending on the situation:
MEID/ESN locations: These are stored byte-reversed: every 2 hex characters form one byte, and the bytes appear in reverse order. If the ESN is A1B2C3D4, it should appear in the memory as the following Hex string: D4 C3 B2 A1. The same applies to the MEID. You can search for these using your favorite Hex editor.
In these cases, when zeroing out, it is VERY IMPORTANT to know where the dump began, because you have to add that starting address to the offset within the file to get the address you'll look for in the live memory. Example: your dump began at 0001:0000, you search the dump and find the value at offset 0000ABCD within the file. You open your favorite Hex calculator, add these two, and the sum should lead you to it in live memory. For this one you obviously don't need a calculator, as the sum is clearly 0001:ABCD, lolz
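The byte reversal and the offset-to-live-address arithmetic from above, as an added example that is not part of the original post. The dump is a constructed zero-filled buffer with the sample ESN planted at two offsets; the `HHHH:HHHH` address notation follows the post's own style.

```python
# Added example (not from the original post): find a byte-reversed ESN/MEID in a
# memory dump and translate each file offset back to a live memory address.

def id_to_dump_bytes(hex_id: str) -> bytes:
    """ESN 'A1B2C3D4' is stored as the bytes D4 C3 B2 A1 (same rule for a MEID)."""
    return bytes.fromhex(hex_id)[::-1]

def find_in_dump(dump: bytes, hex_id: str) -> list:
    """Return every file offset at which the reversed identifier appears."""
    needle = id_to_dump_bytes(hex_id)
    hits, pos = [], dump.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = dump.find(needle, pos + 1)
    return hits

def parse_addr(text: str) -> int:
    """Accept the 'HHHH:HHHH' notation used in the post (or plain hex)."""
    return int(text.replace(":", ""), 16)

def format_addr(addr: int) -> str:
    return f"{addr >> 16:04X}:{addr & 0xFFFF:04X}"

def live_addresses(dump: bytes, dump_start: str, hex_id: str) -> list:
    """Live address = address the dump began at + offset inside the file."""
    base = parse_addr(dump_start)
    return [format_addr(base + off) for off in find_in_dump(dump, hex_id)]

# Constructed sample dump: 64 KiB of zeros with the ESN planted at offset
# 0xABCD (the post's example) and a second copy at 0xC010, since identifiers
# are often stored more than once.
SAMPLE_DUMP = bytearray(0x10000)
SAMPLE_DUMP[0xABCD:0xABCD + 4] = id_to_dump_bytes("A1B2C3D4")
SAMPLE_DUMP[0xC010:0xC010 + 4] = id_to_dump_bytes("A1B2C3D4")
SAMPLE_DUMP = bytes(SAMPLE_DUMP)

if __name__ == "__main__":
    print(id_to_dump_bytes("A1B2C3D4").hex(" "))             # d4 c3 b2 a1
    print(live_addresses(SAMPLE_DUMP, "0001:0000", "A1B2C3D4"))  # ['0001:ABCD', '0001:C010']
```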
SPC: This one's a little more archaic than one might think, as it involves some trial and error, but it works nonetheless. On some phones you'll just have to open the dump with WordPad or WinHex and skim through it looking for groups of 6 digits sitting on their own, and test them out. Usually, the SPC repeats itself, which should give you a better clue of which one is the real one. Mind you, once you have the ranges you can use them with CDMA Workshop's Universal RAM method in the SPC search area under Security. You don't need to resort to the method outlined here if CDMA Workshop picks it up first, since it's the same process but automated!
Sprint Profile 1 AAA Shared Key: This is useful for proper Data provisioning during a Boost migration. There are much easier means of acquiring it (like through commands in QXDM, or browsing the NVM's data area, but those aren't always easily accessible), and if you have access to Profile 0's 1192 NVM item you don't really NEED this, as the phone will add it itself through the OTA. This is the last resort if you have no choice; I provide it simply as a sample of a possible solution to a specific problem.
It is a 6 number/letter combination usually found close to the NAI of the phone. It should look like "j0el34", for example. You should begin by searching Text strings in the Hex editor using the end of the NAI (hcm.sprintpcs.com) and then look for the combo in the text portion around the NAI.
The Process:
Where do I start?
You have a phone you want to start working on and have no idea where to begin scanning...
As a basic rule of thumb, you should scan from 0000:0000 - 0200:0000 using CWS with the default 65536 Byte Step (which means it advances 0001:0000 per read, skipping the 0000:FFFF addresses in between). The Step is the amount of bytes CDMA Workshop will skip during the scan.
This is a GREAT starting point to get a good idea of what you're dealing with. If you have the SPC for the phone or the manufacturer 16 digit password, or both, you should use them first. Some phones don't permit you to read the memory directly without at least one of them. So, if you're not having any success getting ANY readable areas, this is your problem.
If 0200:0000 was still readable, you should extend the scan further. You don't need to start over from 0000:0000; begin from 0200:0000 and try up to 0300:0000 and see what you get. Phones usually reboot after you've reached an address that's nonexistent, so this should be a good indication of where you're standing. Any other reboot during the scan is another matter entirely (covered a bit further on).
Analyzing the results (aka, Narrowing down):
Let's get down to some Hexadecimal basics, as these addresses are in hex: the digits run from 0 through 9 and then A through F, so B is greater than A, and F is the highest digit. Hence, in any given position, ANY LETTER is greater than any number. Following this logic, after 39 comes 3A and after 3F comes 40... if this is still confusing you should read a bit more on your own about it, as I won't get into it here deeper than this.
What you initially got (if you got anything at all and the phone didn't reboot or did anything weird) is a general range of where to begin looking. Now we need to find what the real range is. You're going to focus on the unreadable and readable addresses. Chances are, those points start even earlier than the initial scan suggests.
We're going to run mini-scans now with a smaller Step: 1024 Bytes, starting 0001:0000 BEFORE the address given by the initial scan and ending at that address. That is, if one of your addresses was 0025:0000, you're going to start the scan at 0024:0000 and end it at 0025:0000. If the address was a readable hit, the mini-scan should start out unreadable and turn readable; if it was an unreadable hit, the reverse. These transitions should be your real start or ending points. There is still some margin of error in these mini scans: ±0000:0400.
If you REALLY want to get even more exact than this, you can rescan each address again 0000:0400 BEFORE this last address using a 1 byte Step. This should get you the EXACT byte where you can begin/end your dumping.
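The three-pass narrowing procedure (65536-byte pass, 1024-byte pass, 1-byte pass) run against a simulated phone, as an added example that is not part of the original post. The `READABLE_REGIONS` table and the `can_read` probe are constructed stand-ins for the tool's read attempts; on a real phone the probe is the scan tool reading the address, and on a phone that reboots when poked the finer passes have to be done by hand as described further down.

```python
# Added example (not from the original post): simulate the coarse scan and the
# two finer re-scans so you can see them converge on the exact edge bytes.

# Constructed memory map: one readable region inside 0000:0000-0200:0000,
# stored as [start, end) pairs. A real scan probes the phone, not a table.
READABLE_REGIONS = [(0x00243A80, 0x00A1F200)]

def can_read(addr: int) -> bool:
    """Stand-in for 'does the tool get data back from this address?'."""
    return any(lo <= addr < hi for lo, hi in READABLE_REGIONS)

def scan(probe, start: int, end: int, step: int) -> list:
    """Walk start..end with the given Step and return (addr, readable) at each
    point where the answer flips, i.e. the hits the tool would report."""
    hits, prev = [], None
    for addr in range(start, end + 1, step):
        state = probe(addr)
        if state != prev:
            hits.append((addr, state))
            prev = state
    return hits[1:]          # drop the initial state; keep only the changes

def refine(probe, addr: int, state: bool, back: int, step: int) -> int:
    """Re-scan the window [addr - back, addr] with a finer Step and return the
    first address at which the probe reports `state`."""
    for a in range(addr - back, addr + 1, step):
        if probe(a) == state:
            return a
    return addr

def narrow(probe, start: int = 0x00000000, end: int = 0x02000000) -> list:
    """Coarse pass, then 1024-byte pass (error now +/-0000:0400), then 1-byte pass."""
    edges = []
    for addr, state in scan(probe, start, end, 0x10000):
        within_0x400 = refine(probe, addr, state, 0x10000, 0x400)
        exact = refine(probe, within_0x400, state, 0x400, 1)
        edges.append((exact, state))
    return edges

def format_addr(addr: int) -> str:
    return f"{addr >> 16:04X}:{addr & 0xFFFF:04X}"

if __name__ == "__main__":
    for addr, readable in narrow(can_read):
        print(format_addr(addr), "readable from here" if readable else "unreadable from here")
```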
Special cases:
No readable addresses:
This could mean one of many things: you need the SPC or the 16 digit password to read ANY portion of the memory directly, or you just have a picky phone that locks out if it detects the memory's being scanned. (knock knock: SPRINT!!!).
Phone reboots:
Usually, this means the phone simply doesn't like being poked in the wrong places, so it'll reboot if it finds you're scanning an address that's not supposed to be accessed. Which means the following: you'll have to poke the addresses from scratch yourself! This is where CDMA Workshop won't be of much help. DFS Demo will help you much better here with the use of the Show feature in the RAM tab.
The general outline of the process is the same as before, but this time it won't be done automatically: you have to peek into the addresses yourself to see which ones net you any kind of readable data. You should start at the higher valued addresses and narrow down from the differences you find. Once you find a readable area you can just use the Scan option to find the next unreadable area. In this case you should be focusing on where the readable areas start rather than where they end.
Usually, if the phone is indeed still readable, 0040:0000 is accessible. Then you narrow down yourself, 0001:0000 at a time, until the phone reboots again; if it does, it means you reached the first readable/unreadable edge for that given range. So you start from the last readable byte and begin shrinking from there. DFS is PERFECT for this job, as it lets you view the current memory as you access it, lets you choose a range to scan from the same screen, and has a much more intuitive way of choosing the Step.
I have a range! Now what?
YOU BEGIN TO DUMP!!!! I suggest using DFS or QMAT demos over CDMA Workshop to dump. This is mainly because you can choose the specific range to dump instead of having to input the amount of bytes yourself like in CDMA Workshop, which is inexact for the most part unless you properly calculate the amount of bytes the dump will end up being. Additionally, DFS is detailed enough to put the beginning address of the actual dump in the filename, which in turn is CRUCIAL to making sure you know which byte in the dump corresponds to which address in the phone's actual memory, especially when you end up with 3 or 4 chunks of dumped memory (which will probably be the case lol).
Hopefully this helped you in your endeavors. Thanks for reading!