Carrier programming on CDMA Android phones
Have you ever wondered how CDMA phones are programmed to a specific carrier for voice calls, SMS and data?
In the U.S., all major CDMA carriers operate on the same frequencies, which means that there is no inherent difference in hardware between phones sold by any of them, and that theoretically there is no reason why a Verizon Wireless phone cannot work on Sprint or MetroPCS or Virgin Mobile or Boost Mobile, for example. Unlike GSM phones with swappable SIMs, however, a CDMA phone sold in the U.S. is typically locked to a particular carrier; so how is that done?
I was recently able to figure out the answer to this question when I successfully flashed a CDMA phone from Sprint to Verizon (an exploit documented in Flashing a Sprint Nexus S 4G to Verizon). As I have not been able to find a compilation of this information elsewhere, I am writing up this document in the hope that it will help others with flashing phones or porting ROMs to different carriers.
Note that this information is based on my research with the Jelly Bean (4.1 & 4.2), ICS (4.0) and Gingerbread (2.3.4) versions of Android and two major U.S. CDMA carriers, Verizon Wireless and Sprint. Hence, it may not be applicable to other phones or carriers; in particular, the section about CDMA chips does not apply to CDMA phones that require a SIM card, such as some Verizon Wireless LTE phones. In such cases, your comments and insights are welcome.
Finally, a disclaimer: I have no formal understanding of any of the intricacies of CDMA technology and therefore cannot guarantee the correctness or accuracy of this information. Use it at your own risk. I cannot be held responsible for any damage or legal consequences resulting from or related to the application of this information.
At a high level, there are two places where carrier information is stored on a CDMA Android phone: inside the CDMA chip (radio), and in Android OS system files.
Programming the CDMA chip
Every CDMA phone (obviously) has a CDMA chip (radio). This chip is responsible for carrying out voice calls and transferring data over 2G/3G, and in order to do that, it needs to know things such as what phone number it represents, what towers to connect to, what account name to bill the 3G connection to, etc. All of this information is stored directly inside the chip (unless you have a Verizon Wireless LTE phone with a SIM card), and not on any file system controlled by the OS; this is why these settings persist even after a factory reset (which formats the internal flash file system). It is (I believe) not possible to change the information stored on the CDMA chip from the OS itself; instead, carriers provide a special number (e.g., *228 for Verizon Wireless) that, when called, will transfer the information to the chip. U.S. carriers typically call this "programming" the phone.
So what information exactly is stored inside the CDMA chip? Here’s an incomplete list:
MEID: Unique serial number of the phone. This is like the MAC address of an Ethernet / WiFi card in that it is the sole identifier of the CDMA chip. It is what carriers use to connect phone calls, deliver SMS messages, blacklist stolen phones, etc. A fatal flaw, however, is that it is actually possible to modify (flash) the MEID of many, but not all, CDMA chips. If you flash the MEID of phone A onto phone B, the carrier network has no way of distinguishing between phone A and phone B, and phone B is able to make and receive calls, send and receive messages, etc. as phone A. Unsurprisingly, this is illegal in many countries, including the U.S., and as such I will not discuss it here.
Phone / account numbers: known as MDN and MIN, these store the phone and account numbers associated with the phone.
2G/3G data account information: user names and passwords used to connect to data services. Some carriers have stronger (harder to impersonate) authentication systems than others; for instance, Verizon Wireless requires two encrypted passwords and a secret key in the EFS file system on the CDMA chip; Boost Mobile only requires two passwords; while MetroPCS simply accepts the SPC/MSL code (see below) as the password. Note that 2G and 3G are unrelated systems with independent authentication; a phone can have valid 3G credentials and thus connect to 3G while being denied a 2G connection.
PRL (Preferred Roaming List): a list of towers the phone can connect to. This is of course carrier- and location-specific. In some cases, updating the PRL (by calling a special number) can improve reception and save battery when the phone moves to a new geographical area; see Verizon Wireless’s explanation, for example.
Software such as CDMA Workshop, DFS, QXDM/QPST can be used to read / write information stored on a CDMA chip from a computer. Often, however, a 6-digit passcode known as the SPC code or the MSL code is required. This SPC/MSL code, again stored inside the CDMA chip, is either randomly assigned by the carrier (this is the case for Verizon Wireless and Sprint) or deterministically computed from the MEID (MetroPCS). In the former case, there are a variety of tricks for retrieving the SPC/MSL code from the phone itself; Google is your friend there. In the latter case, there are sites for computing the code from the MEID. Once it is known, the SPC/MSL code can be changed to any 6-digit number; some phones may even allow you to overwrite the SPC/MSL code without knowing it first.
Carrier configuration in the Android OS
To figure out what system files in the Android OS contain carrier information, I inspected source code and images of ROMS for the Samsung Galaxy Nexus (Sprint and Verizon Wireless), the Samsung Nexus S 4G (Sprint), the HTC Incredible (Verizon Wireless), and the Motorola Droid 3 (Verizon Wireless). I found three places that store carrier-specific information.
The first is /system/build.prop. Sprint phones contain the following lines:
while Verizon Wireless phones contain the following lines instead:
ro.cdma.home.operator.numeric=310004
ro.cdma.home.operator.alpha=Verizon
ro.cdma.homesystem=64,65,76,77,78,79,80,81,82,83
These settings apply to phone calls. If one adopts the Sprint configuration on a Verizon Wireless phone, for example, the phone would ring very briefly on a call, but would be unable to actually make or receive calls. The ro.cdma.homesystem property specifies a list of indices into the PRL that represent "home" or non-roaming networks.
The second configuration file is eri.xml, which is compiled into the file /res/xml/eri.xml inside the system package /system/framework/framework-res.apk on an Android system. This file tells the OS what it needs to display about a particular network (as an index into the PRL); for an example, take a look at the stock eri.xml for the Sprint Galaxy Nexus or the CyanogenMod eri.xml for the Verizon Wireless Galaxy Nexus. In particular, this file instructs the OS whether to consider a network (tower) to be roaming (so whether a roaming icon is displayed), and gives the name of the network (tower) to be shown in the UI. It must be stressed that this file has no functional effect; all it changes is how the OS displays information about networks. Since APK packages are just ZIP archives, it is easy to replace the eri.xml within to change roaming and name settings for networks; note, however, that the file inside the APK is not a plain text XML, but some compiled binary form; you may need to Google for the appropriate binary form pulled from another phone.
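To make the role of eri.xml concrete, here is an added example (not code from the original article or from Android itself) that parses the plain-text form of the file and answers the two questions the text says it controls: what name to show for a network, and whether to show a roaming icon. The element and attribute names (EriFile, EriInfo, RoamingIndicator, IconIndex, IconMode, EriText) are an assumption modelled on the source-tree layout of the framework's file, the sample entries are constructed, and the conventions that icon index 0 means "no roaming icon" and icon mode 1 means "blinking" are also assumptions. It reads the XML form only; the compiled binary copy inside framework-res.apk would have to be decoded first.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the plain-text layout of an Android eri.xml. The
# element/attribute names are an assumption modelled on the framework's
# source-tree file; the three entries are made up for this example.
SAMPLE_ERI_XML = """
<EriFile VersionNumber="1" NumberOfEriEntries="3" EriFileType="1">
    <EriInfo RoamingIndicator="0" IconIndex="1" IconMode="0"
             EriText="Roaming" CallPromptId="0" AlertId="0"/>
    <EriInfo RoamingIndicator="1" IconIndex="0" IconMode="0"
             EriText="Example Home Network" CallPromptId="0" AlertId="0"/>
    <EriInfo RoamingIndicator="2" IconIndex="2" IconMode="1"
             EriText="Example Partner Network" CallPromptId="0" AlertId="0"/>
</EriFile>
"""


def parse_eri(xml_text):
    """Return {roaming_indicator: {"text", "icon_index", "icon_mode"}}.

    Raises ValueError when the root element is wrong, an entry has no
    indicator, an indicator appears twice, or the declared entry count
    disagrees with the entries actually present (a cheap sanity check
    before pushing an edited file back onto a phone).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "EriFile":
        raise ValueError("root element is %r, expected EriFile" % root.tag)
    entries = {}
    for info in root.findall("EriInfo"):
        raw = info.get("RoamingIndicator")
        if raw is None:
            raise ValueError("EriInfo entry without RoamingIndicator")
        indicator = int(raw)
        if indicator in entries:
            raise ValueError("duplicate entry for indicator %d" % indicator)
        entries[indicator] = {
            "text": info.get("EriText", ""),
            "icon_index": int(info.get("IconIndex", "0")),
            "icon_mode": int(info.get("IconMode", "0")),
        }
    declared = root.get("NumberOfEriEntries")
    if declared is not None and int(declared) != len(entries):
        raise ValueError("NumberOfEriEntries=%s but %d entries found"
                         % (declared, len(entries)))
    return entries


def describe_system(entries, roaming_indicator):
    """Map a roaming indicator to (display_name, shows_roaming_icon, blinking).

    Assumption: icon index 0 means no roaming icon and icon mode 1 means the
    icon blinks. Returns None for an indicator the file does not list, so the
    caller sees the gap instead of a guessed name.
    """
    entry = entries.get(roaming_indicator)
    if entry is None:
        return None
    return (entry["text"], entry["icon_index"] != 0, entry["icon_mode"] == 1)


if __name__ == "__main__":
    table = parse_eri(SAMPLE_ERI_XML)
    for indicator in sorted(table):
        print(indicator, describe_system(table, indicator))
```

Because the file only affects presentation, the useful check when comparing two carriers' eri.xml files is which indicators map to a non-zero icon index; that is the whole of the "roaming or not" decision the text describes.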
The last configuration file is /system/etc/apns-conf.xml. This file contains APN settings for 4G and MMS. See the stock APN settings file for the Sprint Nexus S 4G or the default CyanogenMod APN settings.
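The build.prop properties described above and the apns-conf.xml file are tied together by the operator code, so here is one added example (not code from the original article, and not Android's own implementation) covering both: it parses a build.prop fragment, splits ro.cdma.home.operator.numeric into MCC and MNC, answers "is PRL index N a home system?" from ro.cdma.homesystem, and then selects the entries of an apns-conf.xml whose mcc/mnc match that operator. The ro.cdma.* values are the Verizon Wireless lines quoted in the text; the remaining build.prop lines, the apns-conf.xml contents (attribute names carrier/mcc/mnc/apn/type/mmsc, the second operator code 310999 and the .invalid hosts) are constructed for the example, and the assumption that Android picks APNs by matching that same MCC/MNC string is mine.

```python
import xml.etree.ElementTree as ET

# Constructed build.prop fragment. The three ro.cdma.* lines are the Verizon
# Wireless values quoted in the article; the other lines are filler.
SAMPLE_BUILD_PROP = """\
# begin build properties
ro.product.model=example-phone
ro.cdma.home.operator.numeric=310004
ro.cdma.home.operator.alpha=Verizon
ro.cdma.homesystem=64,65,76,77,78,79,80,81,82,83
ro.build.characteristics=default
"""

# Constructed apns-conf.xml. Attribute names follow the layout of Android's
# default file (an assumption); 310999 and the .invalid hosts are placeholders.
SAMPLE_APNS_XML = """
<apns version="8">
    <apn carrier="Example A MMS" mcc="310" mnc="004" apn="a.mms.example"
         type="mms" mmsc="http://mms.example-a.invalid/" />
    <apn carrier="Example A Data" mcc="310" mnc="004" apn="a.data.example"
         type="default" />
    <apn carrier="Example B MMS" mcc="310" mnc="999" apn="b.mms.example"
         type="mms" mmsc="http://mms.example-b.invalid/" />
</apns>
"""


def parse_build_prop(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def cdma_home_operator(props):
    """Return (mcc, mnc, alpha) from the ro.cdma.home.operator.* properties.

    The numeric code is MCC (3 digits) followed by MNC (2 or 3 digits).
    """
    numeric = props["ro.cdma.home.operator.numeric"]
    if not numeric.isdigit() or len(numeric) not in (5, 6):
        raise ValueError("bad operator numeric %r" % numeric)
    return numeric[:3], numeric[3:], props.get("ro.cdma.home.operator.alpha", "")


def home_system_indices(props):
    """PRL indices that ro.cdma.homesystem marks as home (non-roaming)."""
    raw = props.get("ro.cdma.homesystem", "")
    return {int(item) for item in raw.split(",") if item.strip()}


def is_home_system(props, prl_index):
    return prl_index in home_system_indices(props)


def apns_for_operator(xml_text, mcc, mnc):
    """Entries of apns-conf.xml whose mcc/mnc match the given operator."""
    root = ET.fromstring(xml_text)
    matches = []
    for apn in root.findall("apn"):
        if apn.get("mcc") == mcc and apn.get("mnc") == mnc:
            matches.append({key: apn.get(key)
                            for key in ("carrier", "apn", "type", "mmsc")})
    return matches


def carrier_summary(build_prop_text, apns_xml_text):
    """Combine both files into one view of what the OS thinks its carrier is."""
    props = parse_build_prop(build_prop_text)
    mcc, mnc, alpha = cdma_home_operator(props)
    return {
        "operator": alpha,
        "mcc": mcc,
        "mnc": mnc,
        "home_prl_indices": sorted(home_system_indices(props)),
        "apns": apns_for_operator(apns_xml_text, mcc, mnc),
    }


if __name__ == "__main__":
    summary = carrier_summary(SAMPLE_BUILD_PROP, SAMPLE_APNS_XML)
    print(summary["operator"], summary["mcc"], summary["mnc"])
    print("home PRL indices:", summary["home_prl_indices"])
    for entry in summary["apns"]:
        print(entry)
```

Run against a real /system/build.prop and /system/etc/apns-conf.xml pulled from a phone, a mismatch between the operator code in build.prop and the codes present in apns-conf.xml is the quickest way to spot a ROM that was ported from another carrier without its APN list being updated.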
If you’re interested in learning more about how exactly this works, you’re welcome to take a look at my follow-up article Flashing a Sprint Nexus S 4G to Verizon, which documents the process of flashing an actual phone.