The Telus LG Keybo 2: Hacker Hater (aka VX9200, CX9200, enV3)
I just bought my first cellphone in years. I know that sounds strange coming from an IT guy but my logic is sound: if you don't have one your boss can't call it. One of my colleagues is a big VoIP genius and he pointed out that by using a dial-out gateway and Telus' one-number-unlimited feature it's possible to have the equivalent of unlimited calling for $7 per month on a prepaid phone - plus the one-time cost of provisioning a phone number that forwards incoming calls back through the gateway (about $25). I've been horny for the newer android-based phones that are in circulation in the states but most of the ones I want don't operate on the Canadian bands yet and/or it will take a long time before they are rolled out up here, thus I decided for unlimited calling at $7 a month I may as well settle for a cheap phone in the mean time. I decided to tack on $10/month unlimited web browsing because it makes the e-mail and instant messaging packages moot.
The Keybo 2 is the closest thing to a smart phone in Telus' prepaid lineup, and at the time of writing the most expensive - clocking in at a modest $99. It sports a 160x96px external screen and flips open to reveal a large QWERTY keyboard and 320x240px internal screen. There are stereo speakers mounted on either side of the internal screen and to be perfectly frank they are better sounding than my laptop's. The Keybo 2 has a 3.2MP flash camera that takes decent pictures but crappy closeups.
In the United States (and possibly elsewhere) the Keybo 2 is marketed as the enV3. The Canadian model number is CX9200 and the US model is VX9200; as far as I can tell the difference is cosmetic. Verizon seems to be the main carrier for enVs in the states and Koodo is popular in Canada as well. Interestingly the Koodo and Verizon firmwares of the phone do not include Java support. It would seem that the popular thing to do with your Keybo is flash it to Telus' firmware if you're on a different provider. Unfortunately Telus' firmware is so locked down that one wonders just how bad Verizon's could be.
I've had a hell of a time over the past few days trying to find information on hacking the Keybo 2, most of the results I have found thus far only apply to the original Keybo (aka enV2 or VX9100), for example it no longer seems possible to simply overwrite application slots with other java apps to install them on the phone. Telus' proxy prevents users from downloading apps from the web that don't come from their store. I have tried altering the proxy settings to use a personal proxy on ports 8118, 80 and 110 but the browser fails to connect. I even tried popping the opera mini .jad and .jar files onto an SSL site and altering the .jad to pull from the new URL to no avail - the download begins, posts, then returns this error:
Issue has been reported. Please try again later. 950 Server Error (-1289)
then the browser bounces back to the Telus apps store. I tried renaming the .jar to .jax (and updating the .jad accordingly) also to no avail. I am beginning to suspect that the firmware has been modified to enforce some sort of DRM for applications. Custom ringtones are a pain in the ass as they definitely require DRM, fortunately they can be dropped into the phone's filesystem at /brew/shared/ringtone/ with BitPim (1.0.7+ supports the CX9200) and given DRM with the Sony-Ericsson DRM Packager.
I couldn't find the right SPC code for my particular phone anywhere (unlike the old Keybo/enV2 it does not have nvm_XXXX files) so I had to grab it with CDMA Workshop (it's 105495 by the way). With the correct SPC you can access the programming menus for your phone by dialing:
##DEBUG ##TELUS ##BROWSER ##TEST ##DATA
Note that you can get into ##DEBUG on any LG phone with the unlock code 183729.
Overall, this phone pisses me off because it could do so much more but Telus makes it extremely difficult to modify. While there is some community support for the Keybo/enV2 those of us with the new Keybo 2s and enV3s are practically on our own at present time. The fact that the Telus firmware is considered "the good firmware" is extremely discouraging, flashing your old Verizon enV2 to Telus' old Keybo firmware may let you load on some java apps but how to do this successfully on the newer Keybo 2's firmware is as yet a mystery.
Comments
@Simon
Open Device manager and plug in the phone (dev manager should flicker) then see which com port the phone is on then switch to the correct com port. It should work. If not check to make sure that you have the correct driver installed
Im looking to hack a lg cx9200 thats unactivated and to gain unlimited internet and need more service codes. You guys do it up the a hole executive sstyle
[...] The Telus LG Keybo 2: Hacker Hater (aka VX9200, CX9200, enV3 …Aug 31, 2010 … The Telus LG Keybo 2: Hacker Hater (aka VX9200, CX9200, enV3) … over the past few days trying to find information on hacking the Keybo 2, … [...]
does anyone know how to access the service menu ? I know for the enV3 with Verizon , you dial ##lgservicemenu , but i'm with Telus and that doesn't work ... x_x;
call *22803 thats what i did it reset mine@cieran420
Just wanted to remark I haven't done anything with this phone since the article. I hate this phone, do not buy it unless you get your kicks from the not-so-cheap thrill of pocket dialing.
I've learned from this experience that if you can't afford a decent phone you really don't need one badly enough. Wait and get yourself something nice from HTC.
@Casey
how do i upload to “/brew/shared/ringtone/” AND to “brew/mod/10889/ringtone/” ? i have BitPim but i don't know any other way of exporting the ringer to my phone other than the Send Phone Data button at the top ... :\
I need to reset the phone lock code on my CX9200. I have tried everything I can find. Pls help!!
@xpmule
Hey, I was wondering if you could help me out.
In security, restrictions, there are 2 folders,
1-calls, 2-messages
in incoming calls, you can allow all, contacts only and block all.
I would like to know if its possible to add "contacts only" in the incoming messages, in other words allowing only txt msg from people in your contact list, all others will be ignored or blocked, is it possible?
Thanks
@?????
Just a thought on this one-number thing... Does the service allow you to specify the CID number sent to your phone? Likewise, could you do this with a VOIP setup? If so, maybe you could insert a variable in there, such as "service's#"+"caller'snumber", so you could still setup your phone to display who's calling you.
@?????
So, did you have any luck with replacing the Applets? Obviously you're as busy as I am, but I was wondering if you would be willing to help me out at some point (probably not in the near future) with fixing my phone's schema. I can't get the original indicator bar for the external screen back, and it drives me nuts as it randomly changes back and forth whenever the phone is used. I'll have to go through the filesystem to see what's changed, so some checksums (or possibly the original graphic, if there is one) would be much appreciated.
@Sarah
Via Bluetooth? Sounds like unnecessary complication, unless your Mac doesn't support USB! ;)
@Casey
Nice find, although I can think of a few disadvantages (takes up 2x the space, can't send them to friends who's phones also require DRM'd files).
@Holly
1. You can't connect to your phone with BitPim while your phone is in mass storage mode.
2. Try the Browse button (below the Phone Wizard button, and beside "Com Port"). If the LG driver is properly installed, your phone will show up in this list whether it is available to use, or already busy (as when in mass storage mode).
Hi, I need some help with ringtones on my Keybo 2.
I connected the phone via USB, it shows me the "USB MASS STORAGE Connected..." message on the phone, but when I go through phone wizard the only option for ports is "auto"..
So I picked auto (with no other options), tried clicking on the files but it said "Failed to auto-detect the port to use. I couldn't detect any port candidates."
I need help! When I connected the phone it said it downloaded the driver automatically.. and I tried looking up an LG-CX9200 but couldn't find anything.
Check out Telecations.com for the cheapest call through service with many features that works with Telus one number unlimited.
I recently bought a KeyBo2 from Telus. Using BitPim, I was able to get ringtones to appear, but when I tried to set one, it gave me an error saying that it was non-DRM. I couldn't figure out how to use the SE DRM Packager, BUT it turns out that I didn't have to.
I've found that non-DRM mp3 ringtones can be used if you do the following:
1. take any spaces or punctuation (including _underscores_ ) from the filename
2. upload 2 copies of the ringtone, one to "/brew/shared/ringtone/" AND one to "brew/mod/10889/ringtone/"
Also, make sure they are less than 400kb and I've heard that the extension should be .mp3 (as opposed to .MP3 or Mp3, I guess). Mine were all .mp3 anyway. Good luck!
Have you had any experience hacking the Keybo 2 via Bluetooth on mac OSX? Although Bitpim is available for OSX, it doesn't seem to work for me. I can select my phone from the phone wizard, yet the only option for com ports is something called "/dev/cu.Bluetooth-PDA-Sync." not certain if this is a problem or not, but my Filesystem folder also shows up completely empty.
Would really appreciate any input.
if someone wanted more info on adding games/apps to the cx9200
iwould advise reading the procedure mentioned in this link..
http://www.howardforums.com/showthread.php/1415977-*official*-Lg-Keybo-aka-Lg-Env2-Hacking-thread/page49
its for the keybo1 but it DOES work for the keybo2
i can over write any existing app and am working on creating a
program that rebuilds the db's but havn't got it working yet.
the trick is to make sure some key pieces of info are in the internal .mf in the jar and in the .jad file
here is an example of a working .jad file i am using right now..
MVM-Allowed: true
NIM-Carrier: Telus
NIM-Device: LG.9200
Clamless_Operation_Required: true
ExternalLCDSupporting: false
Manifest-Version: 1.0
MicroEdition-Profile: MIDP-2.0
MicroEdition-Configuration: CLDC-1.1
Folder: Games
MIDlet-Name: Tetris
MIDlet-Version: 0.2.15
MIDlet-Vendor: iFone
MIDlet-Icon: /icon24x24.png
MIDlet-1: Tetris, /icon24x24.png, bluelava
MIDlet-Data-Size: 768
MIDlet-Jar-Size: 121777
and here is what my manifest.mf in the jar looks like..
Manifest-Version: 1.0
MicroEdition-Profile: MIDP-2.0
MicroEdition-Configuration: CLDC-1.1
MIDlet-Name: Tetris
MIDlet-Version: 0.2.15
MIDlet-Vendor: iFone
MIDlet-Icon: /icon24x24.png
MIDlet-1: Tetris, /icon24x24.png, bluelava
MIDlet-Data-Size: 768
also note that you can delete everything in the app folder
you overwrite and only need the .jar & .jad and then hex edit
the contentinfo and executioninfo db's mentioned in the link i posted earlier..
if you try hard enough it should work, it works fine for me.
i overwrote (and backed up) all the java apps on my Telus Keybo2
That's awesome! I'm going to give it a try tonight, time permitting. Thanks!
Thanks for the reply - changing the extension to .mp3 and using the default DRM method (forward lock) worked. WRT my other comment (themes), it seems resetting the phone's default settings does not completely restore the original theme. The top bar of the phone's outside screen (which shows the service indicators) will be light-grey instead of ???. I believe this was originally transparent, but I don't have a photo from before this happened. The only one I can find (http://www.mobileincanada.com/images/phone/telus-lg-keybo-2.jpg) may be a mock-up. Additionally, when the screen dims from inactivity while plugged in, this top bar's background will be replaced with the larger square of the Verizon skin (so either blue or red), and crops the image even more... This disappears when the keypad is unlocked again. I'll have to offload my data and see if I can restore the phone completely. :\
@xpmule
I e-mailed this poster asking for more information a few weeks ago but have not received a reply. If anyone else has been able to manually install apps please pipe up!
@mushbert
Try changing the extension to .mp3, the ringtone should appear in your Call Sounds > Call Ringtone menu with a yellow (as opposed to green) icon. Try removing spaces and special characters from the file name.
@AJJ
You will need to either run your own VoIP box (i.e. with trixbox/asterisk) or have a VoIP provider set you up with a dial-out gateway. The way it works is someone calls my vanity number which arrives at my VoIP provider's server. It then forwards the call to my real cellphone number, providing the number I have specified as the one-number-unlimited feature number as the caller ID. When I make an outgoing call I first call this number to connect to the VoIP server, where I am given a "second dial tone" at which I call the number I am actually trying to reach.
Could you clarify how you got ringtones working? I took a ~12sec/99KB MP3 file, ran it through DRM Packager on the default settings (forward lock) and dumped the resulting .dm file directly into the folder you specified. Even after rebooting, it does not display the new file in the list.
Hi, I just wanted to note that you can change the phone to use the original Verizon color themes that matched their cases (Spotlight blue/Wine red), by going into the ##5473784236368 (##lgservicemenu). It works, but it screws up the menus, most of which will stop displaying properly. You'll need to go into Settings > Phone Settings > Reset Defaults to fix this, as the Telus models do not have theme selection.
i understand the telus pre pay part how would you set the voip part up (plus the one-time cost of provisioning a phone number that forwards incoming calls back through the gateway (about $25).) thanks
hi iam curious how your gateway set up would work..
Not sure I understand the question, could you please rephrase it?
actualy when you said,
"it no longer seems possible to simply overwrite application slots with other java apps to install them on the phone."
is very wrong ;)
Ive overidden Telus Navigator and put on a bunch of different games so far. Im over at Howard forums if anyone wants more info
Don't hate me and I dont know how I ended up here but I have a retarded question for you...is it possible to load mp3 soundbytes onto my keybo2 to use as a ringtone?
From what i've been reading this is some sort of forum or something for people who know how to use phones and computers and stuff (obviously i'm the furthest thing from the lads on here) so perhaps yall could get me pointed in the right direction?
Cheers!
Thomas
@Reggie
Unfortunately I have had no further progress with my keybo. I have heard reports that Telus sets a unique code on every unit they sell now.
Just wondering if might be an update on whether you were able to get anymore functionality with your Keybo2? I also have been trying to get Opera Mini browser on my Keybo2 but without luck. Hoping you might have found a way to do it or perhaps some games.
Thank you for the tip on using CDMA Workshop to retrieve the code. Mine was different than your's.
Reggie
I'm sorry for this noob question, but how is it that I go about connecting my LG Keybo 2 to CDMA Workshop? I downloaded the demo version and I haven't been able to connect. I have read the help on this subject, but I must be missing something :(
You might have to do some screwing around in the hardware manager to get the usb-serial converter in the phone to show up as COM2, it usually defaults to COM13 and CDMA workshop's demo version will only work with COM1 or COM2.