PRL Hacking: What your wireless carrier doesn’t want you to know, by The Prophet

Jan 13, 2016

Transcript
Page 1: PRL Hacking:

PRL Hacking:

by The Prophet

What your wireless carrier doesn’t want you to know

Page 2: PRL Hacking:

What Is a PRL? It Matters In Montana

On CDMA handsets, the Preferred Roaming List is a binary file that controls which cellular and PCS systems you are allowed to use. You can only use the systems your carrier has specified, even if others are available.

Page 3: PRL Hacking:

How Are PRLs Released?

• On new phones

• Over the air (OTA) upgrades

• PST and data cable

• This guy will break your PRL if you piss him off

Wireless carriers can change PRLs (and your coverage) over the air without prior notice.

Page 4: PRL Hacking:

How Do I Hack My PRL…

…and really tick off my wireless carrier?

Before you get started, know the consequences:

– You will definitely void the warranty on your handset.

– Changing your PRL probably violates your carrier’s Terms of Service.

– Some people claim that this is illegal. It might be in Pennsylvania (where programming phones in any way at all is technically illegal), but there are no specific laws against PRL hacking.

Page 5: PRL Hacking:

Downloading Your PRL

• Using BitPim, unload the PRL:

– Beware of decoys! On Sprint handsets, the files in /nvm/PRL are present, but often blank.

– On most Sanyo handsets, the real PRL is in the /nvm/nvm/nvm-0019 binary file.

• Using a hex editor, truncate the first 86 bytes. The starting offset should be 0F. Also truncate the nulls at the end.

• You can now use your favorite PRL editor and/or disassembler.
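The truncation step above, written as a Python sketch that also rejects blank decoy files and empty results. This is an added example, not part of the original slides; the sample bytes are constructed, and the names carve_prl and BlankDump are hypothetical.

```python
"""Carve a PRL out of a handset NV dump (added example, constructed data)."""

HEADER_LEN = 86  # bytes the slide says to truncate from the start of the dump


class BlankDump(ValueError):
    """The file holds no usable PRL data (e.g. a blank decoy under /nvm/PRL)."""


def carve_prl(dump: bytes, header_len: int = HEADER_LEN) -> bytes:
    """Return the PRL bytes: leading header and trailing null padding removed."""
    if not dump.strip(b"\x00"):
        raise BlankDump("dump is empty or all nulls (decoy file?)")
    if len(dump) <= header_len:
        raise BlankDump(f"dump is only {len(dump)} bytes, shorter than the header")
    # Caveat: a PRL whose genuine last byte is 0x00 would lose that byte here,
    # the same ambiguity the manual hex-editor method has.
    body = dump[header_len:].rstrip(b"\x00")
    if not body:
        raise BlankDump("nothing left after removing header and padding")
    return body


def describe(dump: bytes) -> str:
    """One-line verdict for a dump, suitable for checking before any upload."""
    try:
        prl = carve_prl(dump)
    except BlankDump as exc:
        return f"rejected: {exc}"
    return f"ok: {len(prl)} bytes, starts {prl[:4].hex()}"


# Constructed sample data, not taken from any real handset.
SAMPLE_PRL = bytes.fromhex("00100123") + bytes(range(1, 13))    # 16 bytes
SAMPLE_DUMP = b"\xAA" * HEADER_LEN + SAMPLE_PRL + b"\x00" * 40  # header + PRL + padding
DECOY_DUMP = b"\x00" * 256                                      # blank decoy file
HEADER_ONLY = b"\xAA" * HEADER_LEN + b"\x00" * 40               # header, no PRL

if __name__ == "__main__":
    for name, blob in [("sample", SAMPLE_DUMP), ("decoy", DECOY_DUMP),
                       ("header-only", HEADER_ONLY)]:
        print(f"{name:12s} -> {describe(blob)}")
```
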

Page 6: PRL Hacking:

What’s Inside A PRL?

• Acquisition index: Instructs the handset which channels to scan for each carrier.

• Geography: PRLs can be split into areas.

• Priorities: The order in which available systems are scanned.

• Home Systems: System IDs that are not marked as roaming. Generally, these are the systems operated by your carrier.

• Roaming Systems: System IDs that are marked as roaming. Generally, these are systems operated by other carriers.

• Negative systems: System IDs upon which you are not allowed to roam.

Page 7: PRL Hacking:

What Can I Change?

• Unlike politics, essentially everything…

• …but be careful! Your carrier will catch on in a hurry if your phone is doing something it should never be able to do.

• The most useful things to change are System IDs, roaming priorities, and digital vs. analog preference.

• You can use any PRL editor – I like Nokia’s the best.

Page 8: PRL Hacking:

How Do I Upload A PRL?

• Carefully! You can fry your phone if you make a mistake (like uploading an empty PRL), and your warranty will be null and void.

• In general, you will need the Phone Service Tool (PST) provided by your handset manufacturer. These tools are not sold, but are only provided to cellular carriers. You may be able to find a copy for your handset on the Overnet file trading network.

Page 9: PRL Hacking:

Acknowledgments

• XFF and Cinema for the excellent information provided on WirelessWavelength.com

• JaminMC, who figured out how to create custom PRLs.

• Justalurker, who developed a methodology for PRL interpretations and stood his ground with Verizon (despite threats of litigation).