May 12 2008

Hacking the Treo 700p

Published by Michael at 2:07 pm under Technology

(How to obtain the MSL, password and phone unlock code for a Treo 700p without paying a cent or using any hardware other than the phone itself.)

I have a Treo 700p smartphone, which I’ve had for a couple of years and really enjoy. The 700p has been replaced by newer models but is still fairly ubiquitous.

One of the problems that often comes up among CDMA (Sprint/Verizon/Alltel) cell phone customers is that they would like to know the MSL code for their phones. The MSL, or Master Subsidy Lock, is a six-digit code that allows the user to access a phone’s reprogramming functions — to change carriers, for example. A carrier will generally withhold this number from a customer under contract as it is sometimes the only technical barrier to that customer using their device on a competitor’s network. In addition there are often advanced technical settings, unrelated to reprogramming the phone, that can only be accessed by someone with knowledge of the phone’s MSL code.

Apparently the 700p is a tough nut to crack with regard to the MSL — the only procedures I’ve found online for extracting it rely on the use of a custom-made serial cable and a PC. Complicated. So here’s how to easily retrieve the MSL for your Treo 700p, without using a serial link. In fact, this method can be accomplished entirely with software on the Treo, without any need for a PC. This method also allows you to obtain the PIN to unlock the phone and the Treo user password for private files. In other words, apart from obtaining your own MSL without having to beg your carrier, you can completely pwn any Treo of which you have physical possession.

You will need the SD Card version of the Treo Updater software that Palm released to update the 700p firmware to version 1.10. There’s one version for Sprint and one for Verizon, but the Sprint version should work fine since you won’t actually be updating the firmware. This should be true even if you’re with Alltel or a small regional provider. That software is available here: http://palmone.r3h.net/downloads.palm.com/SprintTreo700pSDUpdate.zip.

You’ll also need Resco Explorer, a commercial product that is available in a trial version or in pirated versions online. The 14-day trial version is available at http://www.resco.net/palm/explorer/. It’s a versatile file manager utility for the Treo that’s well worth buying, and it’s a critical piece of this solution.

If you have access to a PC, you can download these items with the PC, but you can also do it directly on the Treo with Blazer, provided you have an SD card to store the large (18MB) Treo updater ZIP file.

Once you have Resco Explorer installed, you will either:
a) Download the Treo Updater utility on the Treo, and use Resco Explorer to extract two of the files from the ZIP into the Treo’s RAM, or
b) Download the Treo Updater utility on a PC, extract two files from the ZIP file, and Hotsync those two files to the Treo’s internal memory (not to the SD card).

The two files in question are CDMAFirmwareUpdater.bprc and the corresponding language overlay for your region. For the US, that file is CDMAFirmwareUpdater_enUS.oprc.

Then, use Resco Explorer’s Applications menu to start CDMAFirmwareUpdater. The screen will go white for a little while and the updater menu will appear on the screen. DO NOT PRESS THE UPDATE BUTTON YET. Instead, press the “Menu” button on the keyboard (the key to the right of “Alt”) to bring up a hidden menu. The top option is “Debug”; select it. Then deselect every option except for “Backup NV.” Notice I said deselect; that is, “Backup NV” should be the only thing selected. Make sure you get this right or you can seriously screw up your phone. Now press the big “Update” button on the main updater screen and wait. Rather than updating the firmware, the software will back up the contents of the phone’s protected NVRAM area and then stop. This means you’ll have a copy of all the goodies within that protected memory.

When you see the message indicating that the update completed, dismiss it and you should return to the menu. Start up Resco Explorer and browse to the phone’s RAM [labeled "RAM (0:)"]. Locate a file called “CDMA NV Backup” and select it. Then bring up the menu bar, go to the File menu and select “View”. This will bring up the database in Resco Explorer’s internal viewer.

Here’s the good part. You’ll notice there is a drop-down list at the top of the screen listing Record numbers. Well, here’s where to find the information you’re after:

Record 315: Contains the user’s password for private files (look after the word “secret”).
Record 442: Contains the MSL in plain text (a six-digit numeric code).
Record 443: Contains the user’s phone lock PIN in plain text.

If you’re after the MSL, you can confirm that you’ve got the right number by bringing up the Phone application and dialing ##000000#, replacing the zeros with the MSL. If you have the right number, a phone reprogramming screen should appear, offering you the ability to change your MSN and MSID. Make sure you hit “Cancel” without changing anything.

Sometimes you may have trouble making data connections after entering the reprogramming screen, even if you don’t change anything. When you try to connect, you’ll see “Connecting to Unknown” and the connection will fail. If this occurs, go to the Phone application, dial ##3282#, and select “Update Vision Profile” from the top menu bar of the screen that appears. Your data connection will be re-provisioned and everything should be fine again.

Happy hacking, and I’d appreciate knowing if this helps you.

One Response to “Hacking the Treo 700p”

  1. benon 29 Jul 2008 at 1:46 pm

    having some troubles….
    after moving cdmafirmware.bprc and …enUS.oprc to internal memory…. I don’t see an applications menu in resco explorer, however I tried to open the files and the .bprc file gives me a ‘no permission’ error.

    any thoughts appreciated.

    thanks
