(How to obtain the MSL, password and phone unlock code for a Treo 700p without paying a cent or using any hardware other than the phone itself.)
I have a Treo 700p smartphone, which I’ve had for a couple of years and really enjoy. The 700p has been replaced by newer models but is still fairly ubiquitous.
One of the problems that often comes up among CDMA (Sprint/Verizon/Alltel) cell phone customers is that they would like to know the MSL code for their phones. The MSL, or Master Subsidy Lock, is a six-digit code that allows the user to access a phone’s reprogramming functions — to change carriers, for example. A carrier will generally withhold this number from a customer under contract as it is sometimes the only technical barrier to that customer using their device on a competitor’s network. In addition there are often advanced technical settings, unrelated to reprogramming the phone, that can only be accessed by someone with knowledge of the phone’s MSL code.
Apparently the 700p is a tough nut to crack with regard to the MSL — the only procedures I’ve found online for extracting it rely on the use of a custom-made serial cable and a PC. Complicated. So here’s how to easily retrieve the MSL for your Treo 700p, without using a serial link. In fact, this method can be accomplished entirely with software on the Treo, without any need for a PC. This method also allows you to obtain the PIN to unlock the phone and the Treo user password for private files. In other words, apart from obtaining your own MSL without having to beg your carrier, you can completely pwn any Treo of which you have physical possession.
You will need the SD Card version of the Treo Updater software that Palm released to update the 700p firmware to version 1.10. There’s one version for Sprint and one for Verizon, but the Sprint version should work fine since you won’t actually be updating the firmware. This should be true even if you’re with Alltel or a small regional provider. That software is available here: http://palmone.r3h.net/downloads.palm.com/SprintTreo700pSDUpdate.zip.
You’ll also need Resco Explorer, a commercial product that is available in a trial version or in pirated versions online. The 14-day trial version is available at http://www.resco.net/palm/explorer/. It’s a versatile file manager utility for the Treo that’s well worth buying, and it’s a critical piece of this solution.
If you have access to a PC, you can download these items with the PC, but you can also do it directly on the Treo with Blazer, provided you have an SD card to store the large (18MB) Treo updater ZIP file.
Once you have Resco Explorer installed, you will either:
a) Download the Treo Updater utility on the Treo, and use Resco Explorer to extract two of the files from the ZIP into the Treo’s RAM, or
b) Download the Treo Updater utility on a PC, extract two files from the ZIP file, and Hotsync those two files to the Treo’s internal memory (not to the SD card).
The two files in question are CDMAFirmwareUpdater.bprc and the corresponding language overlay for your region. For the US, that file is CDMAFirmwareUpdater_enUS.oprc.
Then, use Resco Explorer’s Applications menu to start CDMAFirmwareUpdater. The screen will go white for a little while and the updater menu will appear on the screen. DO NOT PRESS THE UPDATE BUTTON YET. Instead, press the “Menu” button on the keyboard (the key to the right of “Alt”) to bring up a hidden menu. The top option is “Debug”; select it. Then deselect every option except for “Backup NV.” Notice I said deselect; that is, “Backup NV” should be the only thing selected. Make sure you get this right or you can seriously screw up your phone. Now press the big “Update” button on the main updater screen and wait. Rather than updating the firmware, the software will backup the contents of the phone’s protected NVRAM area and then stop. This means you’ll have a copy of all the goodies within that protected memory.
When you see the message indicating that the update completed, dismiss it and you should return to the menu. Start up Resco Explorer and browse to the phone’s RAM [labeled "RAM (0:)"]. Locate a file called “CDMA NV Backup” and select it. Then bring up the menu bar, go to the File menu and select “View”. This will bring up the database in Resco Explorer’s internal viewer.
Here’s the good part. You’ll notice there is a drop-down list at the top of the screen listing Record numbers. Well, here’s where to find the information you’re after:
EDIT: The record numbers below worked for me, but they probably won’t work for you. Apparently Resco’s viewer interprets the NV data file as a Palm database, yielding somewhat unpredictable results. I’m sure there are particular offsets within the file that you could look at to find your MSL/password/whatever, but since the point of this process is to do it without using a PC, my best advice is to start at record 250 or so and flip through them until you find what you’re looking for. It’ll be fairly obvious.
Record 315: Contains the user’s password for private files (look after the word “secret”).
Record 442: Contains the MSL in plain text (a six-digit numeric code).
Record 443: Contains the user’s phone lock PIN in plain text.
If you’re after the MSL, you can confirm that you’ve got the right number by bringing up the Phone application and dialing ##000000#, replacing the zeros with the MSL. If you have the right number, a phone reprogramming screen should appear, offering you the ability to change your MSN and MSID. Make sure you hit “Cancel” without changing anything.
Sometimes you may have trouble making data connections after entering the reprogramming screen, even if you don’t change anything. When you try to connect, you’ll see “Connecting to Unknown” and the connection will fail. If this occurs, go the Phone application, dial ##3282#, and select “Update Vision Profile” from the top menu bar of the screen that appears. Your data connection will be re-provisioned and everything should be fine again.
Happy hacking, and I’d appreciate knowing if this helps you.
14 Comments
having some troubles….
after moving cdmafirmware.bprc and …enUS.oprc to internal memory…. I don’t see an applications menu in resco explorer, however I tried to open the files and the .bprc file gives me a ‘no permission’ error.
any thoughts appreciated.
thanks
Well I will be trying this as my ex-husband hacked my Treo 700p. So thanks and I hope this works.
Stac
Hey…..I can’t get Resco to run the updater file. it just shows the hex code.
How do you get it to run?
Donna, if you’re using a newer version of Resco Explorer you may need to change the extension of the .bprc file to .prc. Don’t rename the .oprc file.
I have a palm 700p and it keeps looping on the first screen (Access Powered). I have tried the soft reset. I am sure there is someone who can pick off the data even in such a state. I would if someone could help me because Palm would not.
Mordechai: Have you tried a warm reset? Hold the “up” button on the d-pad while you press the reset button. The phone will boot without starting any of the startup applications, so things like the Phone won’t work. This gives you an opportunity to back up critical parts of your data or to remove the application causing the problem before performing a regular soft reset.
If your Treo is looping like that after a warm reset, there is truly nothing you can do except a hard reset. Something is corrupted to the extent that the Treo is unable to boot. In the future, consider using a tool like Resco Explorer to keep a current backup of your Palm’s internal memory on the SD card. Then it won’t matter if you have to do a hard reset.
Yes I have tried a warm reset & to no avail. I am curious, when hard drives on computers go bad there are ways to retrieve the data from that hard drive and I do not mean just my y making it a secondary drive in another computer. Is there no way to for this to be done with the palm?
Mordechai: You’d be talking about recovering the data from a flash memory chip soldered onto the main board of your Treo, something far less removable than a hard drive. Anything’s technically possible, but it would likely cost thousands of dollars to have someone perform that kind of data recovery for you.
Data recovery from hard drives–the kind that doesn’t involve just sticking the drive into another computer, as you pointed out–is also usually extremely expensive, because it requires special tools and manual effort.
I copied the files over like you said but then when I go to launch the application it just says launch error “the application cannot be launched because it is missing localization information.” I moved the localization file to RAM as well as the app but it doesn’t seem to be working?
Michael,
THANK YOU so much. It worked like a charm on my Sprint Treo 700p. Some details.
Background Info
-I ported my number from Sprint to a different carrier on a new handset but forgot to ask Sprint for my MSL first, just in case I changed my mind and missed the 700p
-I missed the Treo’s voice quality so I wanted to go back to Sprint, they wanted a 2 year contract, so this ruled Sprint out.
-I tried to get the MSL from Sprint so I could go on to VZW or metroPCS on a month to month basis. I tried 3 different Sprint customer service employees, they all said NO, we only provide the MSL if you still have an active phone line with us. (I just ported my number 2 weeks ago, still paying them for this month’s service…)
-So thinking that any CS major worth his or her salt should not give up easily on this, I found your page via Google and followed your procedure. Everything worked as you’ve outlined. Some minor observations:
-I did use the older version of Resco Explorer (the 4.x version, circa 2008) to stay in synch with your procedure
-The record numbers were only “off by 1″. My MSL was in #441 instead of #442
-Record 440 contained my Contract Start date
-the only other install problem I had was lack of space on the phone RAM, so I had to remove some apps and photos, before synching the CDMA updater.
-I used the Palm Desktop Synch process to install Resco Explorer and CDMAUpdater because my Treo’s Internet service was already disconnected.
Thanks again.
Thank You so much… i had trouble getting the CDMAFirmwareUpdater.bprc & CDMAFirmwareUpdater_enUS.oprc to be seen as a program. i ended up installing it using HotSync. once Resco Explorer saw it, i was able to back up the CDMA NV Backup without a problem.
next i transfered the file to my SD card and opened it in a txt editor. i went to line 442 and sure enough there was the MSL number (what i did was tried every 6 digit number which ended up being right were you said it, but the txt editor i was using did not have a go to line function so bla…)
it works! Thank you! you were a great help. i wish everyone would give props where props are due… and today, props are due for your post! thank you. you are the man!
Danny
hi can u send me the connection two get internet on my phone treo700p
help me please
Hi carley, I’d be happy to try to help, but you need to tell me what problem you’re having first. I don’t have a Treo anymore (this is an old article) but I’ll do the best I can.
Post a Comment