"Secret Codes" and Hidden Features
Hacking for "Secret Codes" and other hidden phone features.
Skill Level: Easy
Posting
==================================================
Do NOT post general questions/requests on how to do
this or that, they will not be answered, simply
because we don't know yet. Rather try to find out
by yourself and share your results.
==================================================
Purpose
To find all "Secret Codes", special properties and other hidden phone features
and settings, used in the GT-I9300. The secret codes are not so secret, but
are often used to activate and manipulate many settings, such as debug modes,
network connections, factory test modes etc. It is an unfortunate choice of
words but we will stick to this definition nonetheless for simplicity, since
it is also used in the source code by Samsung and AOS. Do not confuse secret
codes with VSC (Vertical Service Codes), USSD (Unstructured Supplementary
Service Data) or other MMI (Man Machine Interface) codes.
Although there are many "standard" codes common to many Samsung phones, they
do vary to some extent. This is because their functionality often depends on
the particular hardware, in particular the baseband processor (aka radio, DSP,
BP or CP) and the multiplexer chips that switch the various internal USB
paths, for example between MHL, BP and AP.
This is an informative reference thread on these features. If you have
relevant additional information you'd like to share, please post it here.
Background
From the Samsung Galaxy S2 experience we have gained the following
understanding when it comes to the Factory/Service Mode menus and the
PhoneUtils applications. We have yet to work out whether this is still true for
the SGS3.
But first it is worth noting that, due to the more complicated, but better
organized, phone applications in ICS, the way to enter secret codes has
changed from the GB versions. Now all secret codes have to be prefixed with
"*#*#", followed by <code> and postfixed with "#*#*". [Note-1] However,
according to the GT-I9300 Service Manual, there are two codes that should work
without pre- and postfixes. They are *#1234# (version) and *2767*3855#
(Factory reset! It will wipe your phone instantly, NO warnings, no going back,
no way to cancel.) [Note-2]
==================================================
Newbie Practice Box
Go to your phone dialer and "dial" the following string:
*#*#197328640#*#*
This will trigger the Service Menu.
==================================================
This same effect can be accomplished directly on the command line, with a
direct URI broadcast call to the application receiver via:
Code:
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://1111
Second, it is essential to know that the actual program code (read
assembly/machine code) for the Engineering / Service Mode menu is
located in the baseband processor firmware. What you actually see when you
enter this menu is just a Java based wrapper application that makes direct
function calls, through various entry points, into the baseband kernel/firmware.
What does it mean? When you enter a specific "secret code", the wrapper
application (e.g. ServiceMenu.App) deciphers the code to a particular menu
entry in the baseband processor, where it is executed and whose result is
output to the wrapper application.
Third. Apart from hardware differences, because of the baseband firmware
dependence, the set of working secret codes will differ somewhat with your
location, depending on:
Your Modem firmware
Your AOS version (ICS 4.0.1, 4.0.4 etc.)
Your CSC version (Regional codes)
Special Notes
[Note-1] This can be seen in the handleSecretCode() function in the SpecialCharSequenceMgr.java code.
[Note-2] These need testing and confirmation since they clearly contradict [Note-1].
[Note-3] Apparently the Samsung Galaxy S3 will come in at least two versions:
The GT-I9300 (FCC-ID: A3LGTI9300 )
The SCH-I939 (FCC-ID: A3LSCHI939 ) [Possibly the LTE version]
References
[1] "[GUIDE] Noobs guide to extract Galaxy S3 stock firmware(.img)"
[2] "[All Stock Firmwares] I9300XXALE8 (4.0.4) - Kenya (OJV) [19-05-12]"
[3] "[HOW TO][Windows]Extract Deodex Sign and Zipalign an official ROM"
[4] "[GUIDE] dsixda's Android Kitchen - Now with SGS2 support (Windows/Linux/Mac)"
[5] "[REF] Unpacking and repacking stock rom .img files"
[6] "[Tool] Yaffey - Utility for reading, editing and writing YAFFS2 images" (code is here)
[7] "[TOOL] Auto Bloat Remover Tool For GS III!"
[8] "[GUIDE][TOOL] Guide To Create You're Own De-Bloat Tool/APK Installer/For Any Device"
Keywords: Secret, Codes, Hidden, Service, Factory, UART
HOW TO (find new stuff)
So how do you find new codes?
Well Google it! Then consider getting the following tools:
Get jd-gui (Often crashes)
Get jad (doesn't crash, but is cmdline based)
Get sgs2toext4 (and here)
Get Disk Internals Linux Reader
Get a disk image with deodexed Apps (see below)
Then what to do?
The brief version. (For full version, see "References" in OP above.)
1. Download all the tools shown above.
2. Download the deodexed firmware images (see post#3)
3. (If in Windows) Double click the sgs2toext4.
4. Drag and drop the system.img file to the sgs2toext4 "drop window".
5. You will now have a system.img.ext4 file, open this file with the LinuxReader tool.
6. Save entire filesystem (from 5) in a new folder. Close.
7. Go to the folder containing the *.apk(s) of interest.
8. Make sure dex2jar.bat (win) is in your path and run it on your interesting.apk like this, for example:
Code:
./path/to/dex2jar.bat Samsungservice.apk
9. This produces a new file: Samsungservice_dex2jar.jar
10. Extract (7zip) this file in a new folder.
11. Go to that folder in command line and enter the appropriate "jad" commands. For example, to decompile all class files globbed by Phone*.class and put the decompiled sources in the "src" sub-directory, do:
Code:
jad -o -r -sjava -dsrc Phone*.class
12. Go to the source directory (../src) you just created.
13. Enjoy your *.java files!
Alternatively you can deodex on your own...but don't ask me how to do it.
A few other Tools
http://www.sable.mcgill.ca/soot/
http://jdec.sourceforge.net/
http://stackoverflow.com/questions/647116/how-to-decompile-a-whole-jar-file
http://askubuntu.com/questions/129305/how-can-i-open-binary-image-files-img
The Secret Codes
The information for this post was obtained by decompiling the
deodexed system image of the firmware shown below.
I9300XXALE8
Base Firmware: I9300XXALE8 (4.0.4)
Modem: XXLE8
CSC: OJVALE7
The latest GT-I9300 Stock Firmwares can be found here.
Here are the codes as found in:
serviceModeApp.apk: ServiceModeApp.class
Code:
Code                Description                                 JavaCall
----------------------------------------------------------------------------------------------------------------------
197328640 || 2684   Start Service Mode / Enter SM Main Menu     SendData('\001', '\001', '\000', '\000', '\000');
1111                FTA SW Version                              SendData('\001', '\001', '\u1002', '\000', '\000');
2222                FTA HW Version                              SendData('\001', '\001', '\u1003', '\000', '\000');
8888                                                            SendData('\001', '\001', '\u1003', '\000', '\000');
2886                                                            SendData('\001', '\001', ' ', '\000', '\000');
6984125*                                                        SendData('\001', '\001', ' ', '\000', '\000');
2767*2878           ? Factory reset (complete erase & format)   SendData('\001', '\001', '!', '\000', '\000');
0228                ADC Reading                                 SendData('\001', '\001', '\005', '\000', '\000');
0599                                                            SendData('\001', '\001', '\024', '\000', '\000');
1575                                                            SendData('\001', '\001', '\025', '\000', '\000');
2263                RF Band Selection                           SendData('\001', '\001', '\026', '\000', '\000');
2580                                                            SendData('\001', '\001', '\007', '\000', '\000');
301279 || 279301                                                SendData('\001', '\001', '\024', '\000', '\000');
32489               Ciphering Info                              SendData('\001', '\001', '\006', '\000', '\000');
4238378                                                         SendData('\001', '\001', '\027', '\000', '\000');
4387264636                                                      SendData('\001', '\001', '\037', '\000', '\000');
7284                PhoneUtil: USB/UART I2C Mode Control        SendData('\001', '\001', '\023', '\000', '\000');
738767633                                                       SendData('\001', '\001', '\034', '\000', '\000');
73876766                                                        SendData('\001', '\001', '\033', '\000', '\000');
7387677763                                                      SendData('\001', '\001', '\036', '\000', '\000');
7387678378                                                      SendData('\001', '\001', '\035', '\000', '\000');
9090                Diagnostic Configuration                    SendData('\001', '\001', '\023', '\000', '\000');
0011                                                            SendData('\001', '\004', '\000', '\000', '\000');
123456                                                          SendData('\001', '\004', '\001', '\000', '\000');
<na>                End Service Mode 1 ()                       SendData('\002', '\004', '\000', '\000', '\000');
<na>                End Service Mode 2 ()                       SendData('\002', '\001', '\000', '\000', '\000');
NOTE: In the table above, I have replaced printed UTF-8 (U+NNNN) characters with '\uNNNN'.
As you can see in the table above, most of the hidden codes are just shortcuts
into various sub-menus (third parameter) of Service Mode application. However,
this does not exclude the use of other hidden codes, that can be used or detected
in other applications.
From a different file we have some additional codes.
(Not including already covered or overlapping codes.)
serviceModeApp.apk: SecKeystringBroadcastReceiver.class
Code:
0000
147852         TestApnSettings: putExtra("testBed", "Suwon");
1478963        TestApnSettings: putExtra("testBed", "Open_market");
22558463       Reset Total Call Time
232331
232332
232337
3214789650
369852         TestApnSettings: putExtra("testBed", "Gumi");
3698741        TestApnSettings: putExtra("testBed", "Delete_DB");
-------------------------------------------------------------------------------
03             NAND Flash S/N (NandFlashHeaderRead)
745            RIL Dump Menu
746            Debug Dump Menu
0228           Battery Status
1111           IF SalesCode="CTC" THEN: TerminalMode
2222           IF SalesCode="CTC" THEN: TerminalMode
2263
8888
9900 || 0514   System Dump
279301
301279
3214789        GCF Mode Settings
5337632        NFC Test
22553767       Call Drop Log View
6335623
TESTMODE
These may not always work, since some of them depend on certain "Sales Codes"
or factory IMSI numbers, through statements like:
Code:
if ((mSalesCode.equals("CHM")) && (str.equals("827828868378")))
But these are only the codes found in two files.
So there are probably many more codes to be found!
Other Stuff
Here are some unknown functions from: TerminalMode.class
Code:
DEBUG_SCR      SendData('\001', '\004', '\000', 0, '\000');
EI_DEBUG_SCR   SendData('\001', '\006', '\000', 0, '\000');
DATA_ADV       SendData('\001', '\003', '\003', 0, '\000');
NAMBASIC       SendData('\001', '\003', '\001', 0, '\000');
TESTMODE       SendData('\001', '\001', '\000', 0, '\000');
NAMSIMPLE      SendData('\001', '\003', '\002', 0, '\000');
TEST_CALL      SendData('\004', '\007', c, 0, '\000');
Here is a list of all the OEM Commands used in the Service Mode App.
Code:
-------------------------------------------------------------------------------
private class OemCommands (ServiceModeApp) value hex
-------------------------------------------------------------------------------
char OEM_SERVM_FUNCTAG = '\001';
OEM_SM_ACTION = '\000'; 00
OEM_SM_DUMMY = '\000'; 00
OEM_SM_END_MODE_MESSAGE = '\002'; 02
OEM_SM_ENTER_MODE_MESSAGE = '\001'; 01
OEM_SM_GET_DISPLAY_DATA_MESSAGE = '\004'; 04
OEM_SM_PROCESS_KEY_MESSAGE = '\003'; 03
OEM_SM_QUERY = '\001'; 01
OEM_SM_TYPE_MONITOR = '\004'; 04
OEM_SM_TYPE_MONITOR_SKT = '\001'; 01
OEM_SM_TYPE_NAM_EDIT = '\003'; 03
OEM_SM_TYPE_PHONE_TEST = '\005'; 05
OEM_SM_TYPE_SUB_ALL_VERSION_ENTER = '\004'; 04
OEM_SM_TYPE_SUB_BAND_SEL_ENTER = '\026'; 16
OEM_SM_TYPE_SUB_BATTERY_INFO_ENTER = '\005'; 05
OEM_SM_TYPE_SUB_BLUETOOTH_TEST_ENTER = '\t'; 09
OEM_SM_TYPE_SUB_CIPHERING_PROTECTION_ENTER = '\006'; 06
OEM_SM_TYPE_SUB_ENTER = '\000'; 00
OEM_SM_TYPE_SUB_FACTORY_PRECONFIG_ENTER = '\016'; 0e
OEM_SM_TYPE_SUB_FACTORY_RESET_ENTER = '\r'; 0d
OEM_SM_TYPE_SUB_FACTORY_VF_TEST_ENTER = '\031'; 19
OEM_SM_TYPE_SUB_FTA_HW_VERSION_ENTER = '\003'; 03
OEM_SM_TYPE_SUB_FTA_SW_VERSION_ENTER = '\002'; 02
OEM_SM_TYPE_SUB_GCF_TESTMODE_ENTER = '\027'; 17
OEM_SM_TYPE_SUB_GET_SELLOUT_SMS_INFO_ENTER = '\037'; 1f
OEM_SM_TYPE_SUB_GPSONE_SS_TEST_ENTER = '\025'; 15
OEM_SM_TYPE_SUB_GSM_FACTORY_AUDIO_LB_ENTER = '\030'; 18
OEM_SM_TYPE_SUB_IMEI_READ_ENTER = '\b'; 08
OEM_SM_TYPE_SUB_INTEGRITY_PROTECTION_ENTER = '\007'; 07
OEM_SM_TYPE_SUB_MELODY_TEST_ENTER = '\013'; 0b
OEM_SM_TYPE_SUB_MP3_TEST_ENTER = '\f'; 0c
OEM_SM_TYPE_SUB_RRC_VERSION_ENTER = '\024'; 14
OEM_SM_TYPE_SUB_RSC_FILE_VERSION_ENTER = '\021'; 11
OEM_SM_TYPE_SUB_SELLOUT_SMS_DISABLE_ENTER = '\034'; 1c
OEM_SM_TYPE_SUB_SELLOUT_SMS_ENABLE_ENTER = '\033'; 1b
OEM_SM_TYPE_SUB_SELLOUT_SMS_PRODUCT_MODE_ON = '\036'; 1e
OEM_SM_TYPE_SUB_SELLOUT_SMS_TEST_MODE_ON = '\035'; 1d
OEM_SM_TYPE_SUB_SW_VERSION_ENTER = '\001'; 01
OEM_SM_TYPE_SUB_TFS4_EXPLORE_ENTER = '\017'; 0f
OEM_SM_TYPE_SUB_TOTAL_CALL_TIME_INFO_ENTER = '\032'; 1a
OEM_SM_TYPE_SUB_TST_AUTO_ANSWER_ENTER = ' '; 20
OEM_SM_TYPE_SUB_TST_FTA_HW_VERSION_ENTER = ----> # UTF-8: U+1003: e1 80 83 MYANMAR LETTER GHA
OEM_SM_TYPE_SUB_TST_FTA_SW_VERSION_ENTER = ----> # UTF-8: U+1002: e1 80 82 MYANMAR LETTER GA
OEM_SM_TYPE_SUB_TST_NV_RESET_ENTER = '!'; 21
OEM_SM_TYPE_SUB_USB_DRIVER_ENTER = '\022'; 12
OEM_SM_TYPE_SUB_USB_UART_DIAG_CONTROL_ENTER = '\023'; 13
OEM_SM_TYPE_SUB_VIBRATOR_TEST_ENTER = '\n'; 0a
OEM_SM_TYPE_TEST_AUTO = '\002'; 02
OEM_SM_TYPE_TEST_MANUAL = '\001'; 01
-------------------------------------------------------------------------------
private class OemCommands (TerminalMode)
-------------------------------------------------------------------------------
OEM_HIDDEN_FUNCTAG = 'Q';
OEM_HM_END_TEST_CALL_MESSAGE = '\t';
OEM_HM_TEST_CALL_MESSAGE = '\004';
OEM_HM_TYPE_TEST_CALL = '\007';
OEM_SERVM_FUNCTAG = '\001';
-------------------------------------------------------------------------------
private class OemCommands (SysDump:)
-------------------------------------------------------------------------------
OEM_DBG_STATE_GET = 6;
OEM_DEL_RIL_LOG = 13;
OEM_DPRAM_DUMP = 14;
OEM_DUMPSTATE = 3;
OEM_DUMPSTATE_ALL = 20;
OEM_ENABLE_LOG = 7;
OEM_GCF_MODE_GET = 15;
OEM_GCF_MODE_SET = 16;
OEM_IPC_DUMP_BIN = 9;
OEM_IPC_DUMP_LOG = 8;
OEM_KERNEL_LOG = 4;
OEM_LOGCAT_CLEAR = 5;
OEM_LOGCAT_MAIN = 1;
OEM_LOGCAT_RADIO = 2;
OEM_MODEM_FORCE_CRASH_EXIT = 23;
OEM_MODEM_LOG = 18;
OEM_NV_DATA_BACKUP = 17;
OEM_OEM_DUMPSTATE_MODEM_LOG_AUTO_START = 19;
OEM_RAMDUMP_MODE = 10;
OEM_RAMDUMP_STATE_GET = 11;
OEM_START_RIL_LOG = 12;
OEM_SYSDUMP_FUNCTAG = 7;
OEM_TCPDUMP_START = 21;
OEM_TCPDUMP_STOP = 22;
-------------------------------------------------------------------------------
Enjoy!
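As an added illustration (my own example code, not part of the original post and not Samsung's source), here is a small Python script that does mechanically what the tables above were built from by hand: it takes jad-style decompiler output, pairs each str.equals("<code>") guard with the SendData(...) call behind it, decodes the Java char literals (the octal '\001' escapes and the '\u1002'/'\u1003' Myanmar-letter values) to hex, labels the third argument with the OEM_SM_TYPE_SUB_* values from the OemCommands list above, and prints the dialer string for each code. It also lists the codes that are gated on mSalesCode, like the "CHM" example. The Java snippet inside is constructed to mimic jad output, not a copy of the decompiled class, and the prefix/suffix check in code_from_dialer() is reproduced from my recollection of the ICS SpecialCharSequenceMgr source, which this thread cites but does not quote.

```python
"""Added example (not from the original post, not Samsung's code): rebuild the
secret-code table from jad-style decompiler output of ServiceModeApp.class.
Finds each str.equals("<code>") guard with the SendData(...) call behind it,
decodes the Java char literals ('\\001', '\\u1002', '!') to numbers, names the
third argument with OemCommands values from the post, and emits the dialer
string plus the `am broadcast` equivalent. SAMPLE_JAVA is constructed."""
import re

# Subset of the OEM_SM_TYPE_SUB_* values listed in the post (value -> name).
OEM_SUB_NAMES = {
    0x00: "OEM_SM_TYPE_SUB_ENTER",
    0x06: "OEM_SM_TYPE_SUB_CIPHERING_PROTECTION_ENTER",
    0x13: "OEM_SM_TYPE_SUB_USB_UART_DIAG_CONTROL_ENTER",
    0x16: "OEM_SM_TYPE_SUB_BAND_SEL_ENTER",
    0x21: "OEM_SM_TYPE_SUB_TST_NV_RESET_ENTER",
    0x1002: "OEM_SM_TYPE_SUB_TST_FTA_SW_VERSION_ENTER",
}

SAMPLE_JAVA = r'''  // constructed stand-in for jad output, not a verbatim copy
if (str.equals("197328640") || str.equals("2684")) {
    SendData('\001', '\001', '\000', '\000', '\000');
} else if (str.equals("1111")) {
    SendData('\001', '\001', '\u1002', '\000', '\000');
} else if (str.equals("2263")) {
    SendData('\001', '\001', '\026', '\000', '\000');
} else if (str.equals("2767*2878")) {
    SendData('\001', '\001', '!', '\000', '\000');
} else if ((mSalesCode.equals("CHM")) && (str.equals("827828868378"))) {
    startActivity(intent);
}
'''

CODE_RE = re.compile(r'str\.equals\("([^"]+)"\)')
BRANCH_RE = re.compile(r'((?:str\.equals\("[^"]+"\)[^{;]*)+)\{\s*SendData\(([^;]*)\);')
GATED_RE = re.compile(r'mSalesCode\.equals\("(\w+)"\)\)?\s*&&\s*\(?str\.equals\("([^"]+)"\)')
NAMED_ESCAPES = {"t": 9, "n": 10, "r": 13, "f": 12, "b": 8, "\\": 92, "'": 39, '"': 34}

def java_char_value(body):
    """Value of a Java char literal body: \\001 (octal), \\u1002, \\t/\\r/\\f, or one char."""
    if body.startswith("\\u"):
        return int(body[2:], 16)
    if body.startswith("\\"):
        return int(body[1:], 8) if body[1:].isdigit() else NAMED_ESCAPES[body[1:]]
    if len(body) != 1:
        raise ValueError("not a char literal: %r" % body)
    return ord(body)

def parse_senddata_args(arg_text):
    """Char literals and bare integers -> int; a variable such as `c` -> None."""
    out = []
    for raw in (a.strip() for a in arg_text.split(",")):
        if raw.startswith("'") and raw.endswith("'"):
            out.append(java_char_value(raw[1:-1]))
        else:
            out.append(int(raw) if raw.isdigit() else None)
    return out

def dialer_string(code):
    """What to type in the ICS dialer to fire the SECRET_CODE broadcast."""
    return "*#*#" + code + "#*#*"

def code_from_dialer(dialed):
    """Inverse check as in AOSP's handleSecretCode() (ICS, from memory; the post only
    names the function): '*#*#' prefix, '#*#*' suffix, more than 8 chars. None = no broadcast."""
    if len(dialed) > 8 and dialed.startswith("*#*#") and dialed.endswith("#*#*"):
        return dialed[4:-4]
    return None

def am_broadcast(code):
    """adb-shell equivalent of dialing the code (the command shown in the post)."""
    return "am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://" + code

def extract_codes(java_src):
    """One row per SendData branch: codes, decoded args, hex view, sub-menu name."""
    rows = []
    for m in BRANCH_RE.finditer(java_src):
        args = parse_senddata_args(m.group(2))
        sub = args[2] if len(args) > 2 else None
        rows.append({"codes": CODE_RE.findall(m.group(1)), "args": args,
                     "hex": ["??" if a is None else "%02x" % a for a in args],
                     "sub_name": OEM_SUB_NAMES.get(sub, "?")})
    return rows

def gated_codes(java_src):
    """Codes that only work for one CSC sales code, as (sales_code, code) pairs."""
    return GATED_RE.findall(java_src)

def render_table(rows):
    """Plain-text table in the post's layout, one line per code."""
    fmt = "%-12s %-16s %-42s %s"
    lines = [fmt % ("Code", "Hex", "Sub-menu", "Dial")]
    for r in rows:
        for code in r["codes"]:
            lines.append(fmt % (code, " ".join(r["hex"]), r["sub_name"], dialer_string(code)))
    return lines

if __name__ == "__main__":
    print("\n".join(render_table(extract_codes(SAMPLE_JAVA))))
    for sales, code in gated_codes(SAMPLE_JAVA):
        print("gated: %s needs mSalesCode == %s (%s)" % (code, sales, am_broadcast(code)))
```

Run it as-is to print the table from the embedded sample; to regenerate the table for another firmware, point extract_codes() at the ServiceModeApp.java produced by the jad step in the HOW TO post. Check the gated list against your own ro.csc.sales_code before concluding that a code is dead, since a code guarded by mSalesCode will silently do nothing on the wrong CSC.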
Special Properties
Next we'll have a look at some interesting (or not?) system "properties".
For now, I'll just list some of those I found more interesting and potentially useful.
Code:
Property               Setting/String              Source                              Description
----------------------------------------------------------------------------------------------------------------------
dev.silentlog.on       On                          SysDump:
gsm.operator.numeric   45001                       Sec_Ril_Dump:                       [RIL::FD] Samsung Testbed
gsm.default.sidmode    ?                           UART
net.tcpdumping         On                          SysDump:                            ?
nfc.trace.mode         On                                                              Enable NFC Trace Mode
ril.FTM_MODE           ?                                                               "FTM_MODE_KEY"
ril.FS                 true                        PhoneUtils: updateRAFT()            Activates RAFT (???) updates
ril.OTPAuth                                        SysDump:                            OTP Authentication
ril.cdma.inecmmode     true                                                            Is phone in ECM mode?
ril.unique_number                                                                      The RIL Unique Number (UN)
ril.sms.gcf-mode       On                          ?                                   SMS "GCF" mode
persist.log.seclevel   On                                                              Switchable Log level?
persist.sys.country
ro.build.type          eng                         SysDump:
ro.debuggable          On                                                              Enable Debug / DBG_ENG / Engineering Mode??
----------------------------------------------------------------------------------------------------------------------
Country/Region Specific
----------------------------------------------------------------------------------------------------------------------
ro.board.platform
ro.build.characteristics
ro.csc.sales_code      SKT | KIT | LGT             PhoneFeature: makeFeatureForKor()
ro.product.name        espressorf | espresso10rf   PhoneFeature: checkDBGLevel()
                       aegis2vzw                   PhoneFeature: makeFeatureForKor()
                       jaguars | jaguark | jaguarl
A particularly fun string is the following, found in the featureForKor() function:
Code:
[SIZE=2]mFeatureList.put("emergency_for_cyber_terror", boolean2);[/SIZE]
I'd really like to know what this does!
Special Files
As we know from other Samsung Galaxy class phones, there are a number
of files that can be created or modified in order to activate certain
functions. Here we list those found to date. Please post if you know
of other ones!
Apparently setting the "SubscriberID" (IMSI) to "999999999999999" also
activates certain test features. A sim with this IMSI is also known as
a "Factory SIM". However, if the SIM IMSI starts with either "45001" or
"00101" it is a "Test SIM".
[See: ServiceModeApp.apk:PhoneUtils.java:isFactoryMode() or
FactoryTest.apk:ModuleCommon.java:isFactorySim()]
Code:
File                                 FileContent   Description
-------------------------------------------------------------------------------
/efs/FactoryApp/factorymode          ON            Enable Factory Mode
/efs/FactoryApp/keystr               ON            Blocked (hidden code?) Key String(s)
/efs/imei/mps_code.dat               ?             ?
/efs/root/ERR                        ?             Error Log
/data/.psm.info                      ?             WiFi Power Save Mode
---------------------------------------
Various Log Files:
---------------------------------------
/data/log/CallDropInfoLog.txt        ?             Dropped Calls Log
/data/log/lucky_ril.log              ?             ?
/data/log/dumpState_*.log            ?             ? System Dump Log
/data/log/main_*.log                 ?             ?
/data/anr/traces.txt                 ?             ?
/data/log/err                        ?             ? Error Log
/data/log/err/AENEAS_TRACE_###.bin                 RF Aeneas Trace Log
/data/log/err/MA_TRACE_###.bin                     RF MA Trace Log
/mnt/sdcard/log                      ?             ?
---------------------------------------
System Files
---------------------------------------
/sys/class/sec/switch/adc
(Note: Some of these paths need to be verified, as they may be relative...)
Finally, we have two NV passwords, which are used for uploading or dumping NVRAM, AFAIK. They are:
873283
3352225
and they can be found in Sec_Ril_Dump.class.
DISCLAIMER:
As I do not have access to a GT-I9300, I have not been able to verify
any of the information in this thread! I apologize if there is any erroneous
information here. Please let me know and post new information here as
it becomes available. Also make sure you make a complete backup before
attempting any of the codes or other trickery above!
Great post Buddy. But..........
But I didn't understand anything, lol, better to say nothing......... Too complicated for my simple mind.
This is some list! Great job!
Very good info there .. how about programming the sim with that IMSI will it have any effect.
Sent from my GT-I9300
tids2k said:
Very good info there .. how about programming the sim with that IMSI will it have any effect.
It certainly will, but you will have to find a SIM that is programmable!
You can buy programmable SIM cards from the Sysmocom website, but you need the tools to do so. Sysmocom is run by some of the GSM security researchers and open source baseband developers...
Here is a tutorial on how to clone a SIM card. However, this may be highly illegal in some countries, even for your own! Check your local laws.
(In addition it is a border-line topic on what we are allowed to post here on XDA.)
But Apple proposed, (and here) already some years ago, to have programmable SIM cards built into their devices. This would make perfect sense, since the whole idea about using SIM cards has been neglected and forgotten in the first place. (The original idea was that it should be extremely easy to switch SIM cards, so that you could easily just borrow someone else's phone, put your card in and make a phone call. Even on designated SIM-holder enabled pay-phones! This has become forgotten and circumvented and damn hard to do with embedded SIM cards deep inside your phone.) In addition most cellular providers have lobbied against it...
Definitely would look at it. Here is the link for the time being ...
http://www.jaycar.com.au/productView.asp?ID=KC5361
I remember when Dejan found the binary hack way back in 2006 for BB5 Nokia phones, he posted files on his website on how to clone a simcard. But those times only 16bit chips were used.
Here are the schematics for the reader if anyone is interested.
via Flying Daggers
tids2k said:
how about programming the sim with that IMSI will it have any effect.
No need to program a sim, there is a service code (*#46744674#) which will set your IMSI to 9999..., well it does on the SGS2 anyway.
Does it look like there are any menus where you can disable Fast Dormancy? *#9900# does not allow you to do this on the S3
Code:
Samsung Galaxy S3 .. Secret Codes found by tids2k
Thanks to E:V:A for his information and knowledge
HOW TO RUN THESE COMMANDS :
Connect your phone into debug mode .. Settings -> USB Debugging [] Enable it.
Then in MS-DOS C:\ type
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://****
where **** is the secret code :-) So let us begin
Secret Codes ****      Function
2684 or 197328640      DEBUG MENU
0000                   CSC SPECIFIC
827828868378           CSC SPECIFIC
2684                   SERVICE MODE ( WATCHDOG/DUMPS/LOGS OPTIONS)
0011                   CONNECTION STATUS
123456                 CONNECTION STATUS
22558463               RESETS TOTAL TALK TIME
32489                  CIPHERING INFO
2580                   NON-SUPPORT
232337                 BLUETOOTH ADAPTER ADDRESS
232331                 BLUETOOTH RF TEST
232332                 ??
9090                   DIAG CONFIG (MODEM)
73876766               SELLOUT SMS ENABLE
738767633              SELLOUT SMS DISABLE
7387678378             SELLOUT SELF SET TEST MODE
7387677763             SELLOUT SMS SET PRODUCT MODE
4238378                GCF SETTINGS
4387264636             SELLOUT SMS MAIN
1575                   GPS SETTINGS
6984125                ????
2886                   ??
2767*2878              ??
745                    RIL COMMANDS ( NICE ONE )
746                    ANOTHER DUMP TOOL ( NICE ONE )
9900 or 0514           SYSDUMP
1111                   FTA SW VERSION
2222 or 8888           FTA HW VERSION
301279 or 279301       RRC ( HSPA ) CONTROL
2263                   BAND SELECTION
5337632                SOME KIND OF SOUND
0228                   BATTERY STATUS
03                     NAND FLASH UNIQUE NO.
3214789                GCF MODE ENABLE/DISABLE
6335623                WIFI HIDDEN MENU
NOW FACTORY SETTINGS
06                     IMEI
0589                   LIGHT SENSOR TEST
80                     TOUCH NOISE TEST
251                    WAKELOCK ON
250                    WAKELOCK OFF
350                    REBOOT
5238973                LCD TYPE
4327                   HDCP INFO
22235                  ACCELEROMETER SENSOR INFO
0782                   RCT CLOCK
86824                  TOUCH KEY SENSITIVITY
0842                   VIBRATION TEST
0673                   SPEAKER/HEADPHONE/HEADSET TEST
0289                   MELODY TEST
2663                   TOUCH FIRMWARE UPDATE
2664                   POINTER LOCATION
0588                   PROXIMITY TEST
3264                   RAM CHECK
7780                   MASTER RESET
7769                   PROXIMITY SENSOR TEST
87976633               FACTORY RESET
9999*3288              QWERTY COUNTER
767*2878               QWERTY COUNTER RESET
0283                   LOOPBACK TEST
7328735824             LOT ID
three new tablets in work ... lol
if ((str1.startsWith("GT-P31")) || (str1.startsWith("GT-P51")) || (str1.startsWith("SCH-i705")));
tids2k said:
Samsung Galaxy S3 .. Secret Codes found by tids2k
Thanks to E:V:A for his information and knowledge
Untested, here; nevertheless - thanks for this info guys!!
Sent from my GT-I9300 using xda premium
This should all work. Didnt had much time to look for other commands, will do in a day or so.
Sent from my GT-I9300 using XDA Premium HD app
Odia said:
No need to program a sim, there is a service code (*#46744674#) which will set your IMSI to 9999..., well it does on the SGS2 anyway.
Thanks! Probably very useful, but
1) Is that temporary? (How to get back original after having use this code?)
2) Where is it located? (What App + class files?)
Odia said:
No need to program a sim, there is a service code (*#46744674#) which will set your IMSI to 9999..., well it does on the SGS2 anyway.
doesn't work on SGS III
Hi all,
a couple of months ago I built an app with shortcuts for the "secret" dialer codes within the Galaxy S2, because I could not remember them all ... This app is specially tailored for the Galaxy S2, but should work on all SAMSUNG devices with TOUCHWIZ ... Not all codes will work on all devices, but a lot of these codes work on other Samsung TouchWiz devices.
I tested the app with my GS3 and a lot of these codes are still working ....
You could also add your own codes and USSD codes to an app internal database ... and some users even use this database as a hidden phone book
Check it out: https://play.google.com/store/apps/details?id=com.widgapp.HiddenFeaturesFREE
(Important: These codes will NOT work on most custom ROMs, Nexus S, Galaxy Nexus, HTC, Sony, Motorola etc. ... I'm a little bit annoyed by comments like: Not working on my HTC, Sony, Nexus S, Samsung XYZ with custom ROM zyx .... ... without TouchWiz, there is no possibility to use TouchWiz firmware functions!)
SAMSUNG GALAXY S3 CODES SECRETS
*#06# Show IMEI number
*#0*# LCD Test Menu
*#*#4636#*#* user statistics and Phone Info
*#0011# Displays status information for the GSM
*#1234# View SW Version PDA, CSC, MODEM
*#12580*369# SW & HW Info
*#197328640# Service Mode
*#0228# ADC Reading
*#32489# (Ciphering Info)
*#232337# Bluetooth Address
*#232331# Bluetooth Test Mode
*#232338# WLAN MAC Address
*#232339# WLAN Test Mode
*#0842# Vibra Motor Test Mode
*#0782# Real Time Clock Test
*#0673# Audio Test Mode
*#0*# General Test Mode
*#2263# RF Band Selection
*#9090# Diagnostic Configuration
*#7284# USB I2C Mode Control
*#872564# USB Logging Control
*#4238378# GCF Configuration
*#0283# Audio Loopback Control
*#1575# GPS Control Menu
*#3214789650# LBS Test Mode
*#745# RIL Dump Menu
*#746# Debug Dump Menu
*#9900# System Dump Mode
*#44336# Software Version Info
*#7780# Factory Reset
*2767*3855# Full Factory Reset
*#0289# Melody Test Mode
*#2663# TSP / TSK firmware update
*#03# NAND Flash S/N
*#0589# Light Sensor Test Mode
*#0588# Proximity Sensor Test Mode
*#273283*255*3282*# Data Create Menu
*#273283*255*663282*# Data Create SD Card
*#3282*727336*# Data Usage Status
*#7594# Remap Shutdown to End Call TSK
*#34971539# Camera Firmware Update
*#526# WLAN Engineering Mode
*#528# WLAN Engineering Mode
*#7412365# Camera Firmware Menu
*#07# Test History
*#3214789# GCF Mode Status
*#272886# Auto Answer Selection
*#8736364# OTA Update Menu
*#301279# HSDPA/HSUPA Control Menu
*#7353# Quick Test Menu
*2767*4387264636# Sellout SMS / PCODE view
*#7465625# View Phone Lock Status
*7465625*638*# Configure Network Lock MCC/MNC
#7465625*638*# Insert Network Lock Keycode
*7465625*782*# Configure Network Lock NSP
#7465625*782*# Insert Partial Network Lock Keycode
*7465625*77*# Insert Network Lock Keycode SP
#7465625*77*# Insert Operator Lock Keycode
*7465625*27*# Insert Network Lock Keycode NSP/CP
#7465625*27*# Insert Content Provider Keycode
*#272*IMEI# then we will get buyer code (For samsung galaxy sIII csc code)
*#*#7780#*#* Factory data reset - Clears Google-account data, system and program settings and installed programs. system will not be deleted, and OEM programs, as well as My Documents (pictures, music, videos)
ascsa said:
I tested the app with my GS3 and a lot of these codes are still working ....
Hi! Thanks for your effort, but your post risks confusing people and corrupting this thread, because the red application functions (as shown in your table) only show that your app is not able to use those codes, not that they do not work with the SGS3.
TO ALL:
DO not post new codes here, unless you have either:
a) personally tested the codes on a GT-I9300
b) found and documented references in the source code, that can be independently verified.
Thanks!
RF/Radio properties of the ServiceMode Application
Thread Difficulty: HARD
Thread Noob Patience: LOW
Thread Topic
This thread is a Reference and Research & Development thread for
investigating and to better document the various radio related variables
as found and displayed by the ServiceMode application. Here we are
particularly concerned with those found in Samsung phones, but as
you will see, this is more modem (BP/CP) dependent than phone model
dependent. So much of this info should also apply to other devices
using the same modem.
Off Topic?
If you have questions that do not directly concern the main focus
of this thread, please ask in the general forum. If you ask support
questions here, they will be deleted without warning.
If you're just looking for info how to enter the Service Menu on a recent
Samsung, look in this thread:
[REF][ServiceMode] How to make your Samsung perform dog tricks
Background
Because the ServiceMode (SM) application is really running in the
Modem under its own RTOS, it is limited in the presentation. So what
you see running in the AOS ServiceMode application is really just a
Java wrapper to code that is running in the RTOS. This severely
limits the information presented, if accessible at all.
Most mobile device manufacturers don't want their users to have
access to the ServiceMode functions, for various and good reasons.
Perhaps the best reason is that you can easily hard-brick your
device and/or mess up all the internal radio related settings.
However, we are already used to this, so why not have a better look
at the mobile network parameters within our devices. These can be
extremely useful from identifying network problems to detect and
prevent illegal or clandestine mobile network monitoring.
So what are the limiting factors of the ServiceMode Application?
It is a Java wrapper application that is usually made by
the device manufacturer (Samsung, HTC, Nokia etc) that
needs to be present and compatible with your AOS FW.
(API, RIL etc)
The actual code is running in Modem RTOS and usually queried
by ServiceMode.apk by the use of a RIL_REQUEST_OEM_HOOK_RAW request,
that allows requests to circumvent the normal RIL filter.
The parameters present depend on the Modem FW versions.
(You will find many misspellings and other FUBAR objects in
various modem SM presentations.)
The displayed RF related parameters depend on the Modem HW,
and are thus completely different in an Intel XMM modem than
in a Qualcomm MSM type modem/processor SoC, and so on.
The displayed RF related parameters depend on the network
you are currently using and connected to.
But the mobile network interface is transparent from the AOS AP point
of view, so a large set of radio parameters must comply with the 3GPP
standards in order for your device to function properly. But only a
very small subset of these RF parameters is part of the non-internal AOS API.
We want more!
By carefully looking at all the details and information that is
presented by the SM application, we can find out many more and
useful network details, such as ciphering modes, network types,
bands, and technology used. But to do this we need to understand
the language used. Unfortunately, many times the language does
not reflect the current 3GPP standards, so we are left to guess,
until some anonymous modem RF-expert/developer comes along and
corrects us.
So if you happen to know anything specific, this is where you
can really help this thread...
ServiceMode Vocabulary
Here I try to resolve some of the more obscure sounding items,
as found in the SM of mainly two devices.
(a) Samsung Galaxy S2 (GT-I9100, XXKI1 with Intel XMM6260 modem)
(b) Samsung Galaxy S4-mini (GT-I9195, XXUBML4 with Qualcomm MSM8930AB SoC)
In post#2 you will find an almost complete menu structure for
the UMTS MENU items as found in (b). I have not posted the items
for the LTE or CDMA menus, since I don't have that network, which
means I don't know how they would look. So feel free to post your
own findings, if you use those.
Also, remember that the end-point/detailed view of the menu
items depends on your current network. I.e. you will see
different items when connected to GSM vs. WCDMA, and so on.
In post#3 I show the detailed explanations of the various
3GPP defined RR timers as shown under the NAS/MM items.
In post#4 I attempt to describe the specific end-point menu items:
Code:
[1] BASIC INFORMATION
[1] MM INFORMATION
[2] MM REJECT CAUSE
[3] GMM REJECT CAUSE
[3] AS INFORMATION
[4] NEIGHBOUR CELL
I still need help deciphering some of those values.
(What exactly do they represent and mean?)
The root MAIN MENU
Code:
MAIN MENU
[1] UMTS
[2] CDMA
[3] LTE
[4] SIM- Not Used. ==> <E>
[5] DOCOMO DEBUG SCREEN
[6] run EFS SYNC()
[7] DEBUG SCREEN
The UMTS MENU tree
Here is an almost complete menu structure for the UMTS MENU items
found in a GT-I9195. I have not posted the items for the LTE or CDMA
menus, since I don't have that network, which means I don't know how
they would look. So please post your own findings, if you use those.
Code:
[1] UMTS MAIN MENU
[1] DEBUG SCREEN
[2] VERSION INFORMATION
[3] UMTS RF NV
[4] GSM RF NV
[5] AUDIO
[6] COMMON
[7] LTE BAND CONFIG CHECK
------------------------------
[1] DEBUG SCREEN
[1] BASIC INFORMATION ==> <E> Code: 0011
[2] NAS INFORMATION
[3] AS INFORMATION
[4] NEIGHBOUR CELL
[5] GPRS INFORMATION
[6] SIM INFORMATION
[7] HANDOVER
[8] PHONE CONTROL
[9] ANTENNA/ADC
[1] // BASIC INFORMATION ==> <E>
RRC: IDLE, Band1
MCC-MNC:nnn-01
RX: 10663, RI: -59, CID: hhhhh
TX: 9713, PSC: 394
EcIo: -4, RSCP: -63
SpeechVER: FR FR FR
L1: PCH_Sleep
Drx cycle: 64
SIB19 is received
therm: 162 LNA: 0
Service: Available
[2] NAS INFORMATION
[1] MM INFORMATION
[2] MM REJECT CAUSE
[3] GMM REJECT CAUSE
[4] PS REJECT CAUSE
[5] RESET MM&GMM REJECT List
[6] EF_RAT INFORMATION
[7] SAT REFRESH INFO
[8] SMC RESULT INFO
[9] CALL END CAUSE
[1] // MM INFORMATION
mm: Idle
MCC-MNV: nnn-01
LAC: hhh, RAC: nn
TIMER_T32: 10(S) 11(S) 12(A)
13(S) 20(S) 30(S) 40(S)
GmmState: Registered(3)
SubState: normal(0)
PmmMode: IDLE(1)
rej_cause: 0, IuAttCnt: 0
TMSI: hhhhhhh
[2] // MM REJECT CAUSE
MM reject Information List
1. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
2. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
3. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
4. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
5. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
6. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
[3] // GMM REJECT CAUSE
GMM reject Information List
1. Time: 4M 9D 14h19m02s
Type: 4, Cause:7 nnn-01, UMTS
2. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
3. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
4. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
5. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
[4] // PS REJECT CAUSE
PDP and PDN recet List
- No Data
[5] // RESET MM&GMM REJECT List <== Immediately clears reject list!
[6] // EF_RAT INFORMATION
Boot-up EF_RAT
NONE(-1)
Refreshed EF_RAT
1.GSM_WCDMA(1), 000-000
2.GSM_WCDMA(1), 000-000
3.GSM_WCDMA(1), 000-000
4.GSM_WCDMA(1), 000-000
5.GSM_WCDMA(1), 000-000
[7] // SAT REFRESH INFO
<exactly the same as above>
[8] // SMC RESULT INFO --> <E>
RRC: IDLE, Band1
MCC-MNC: nnn-01
RX: 10663, RI: -59, CID: hhhhh
TX: 9713, PSC: 394
EcIo: -4, RSCP: -63
SpeechVER: FR FR FR
L1: PCH_Sleep
Drx cycle: 64
SIB19 is received
therm: 162 LNA: 0
Service: Available
[9] // CALL END CAUSE --> <E>
<exactly the same as above>
[3] // AS INFORMATION
RRC: IDLE, Band1
WCDMA: IDLE
RX: 10663, RI: -59, CID: hhhhh
TX: 9713, PSC: 394
EcIo: -4, RSCP: -63
VOC: FR FR FR, 0
L1: PCH_Sleep
CQI: 0, Sam: 0
[4] // NEIGHBOUR CELL
Aset: 10663 394 -60 -7 53 29 <== rapid changes
Sych: 10663 403 -83 -51 31 -15
Sych: 10663 403 -83 -51 31 -15
Sych: 10663 403 -83 -51 31 -15
Asych: 10663 422 -121 -49 29 -1
Asych: 10663 262 -121 -49 0 0
Asych: 10663 102 -121 -49 0 0
Asych: 10663 450 -121 -49 0 0
[5] GPRS INFORMATION
FUNCTION:ds_gprs_information
[6] SIM INFORMATION
[1] General Info
[2] QMI UIM status
[3] CHECK NV
[1] // General Info
SIM Phase: 0
Card Capability: USIM
SIM voltage class: 1.8V SIM
None
None
Proactive command:
00 00 00 00 00 00 00 00 00 00 - ^^ (10 Hex)
[2] // QMI UIM status
CARD_STATE: Present
CARD_ERROR: Unknown
APP_TYPE: USIM
APP_STATE: Ready
PERSO_STATE: Ready
PERSO_FEATURE: Unsupported
PIN1_STATE: Enabled_Verified
pin1_num(3), puk1_num(10)
PIN2_STATE: Enabled_Not_Verified
pin2_num(3), puk2_num(10)
[3] // CHECK NV
CHECK NV
Band pref: Unexpected value
RTRE Configuration: SIM based
FTM Mode: Online Mode
ENS: Disabled
UIM CLASS: UMTS
[7] HANDOVER
[1] HANDOVER GtoG
[2] HANDOVER GtoW
[3] HANDOVER WtoG
[4] HANDOVER TEST
[8] PHONE CONTROL
[1] DRX CONTROL
[2] FAKE SECURITY CONTROL
[3] NAS CONTROL
[4] UE STATE CONTROL
[5] SIMULATION
[6] NETWORK LOCK
[7] NETWORK CONTROL
[1] // DRX CONTROL
DRX: Not Active
[1] DRX: ON
[2] DRX: OFF
[2] // FAKE SECURITY CONTROL
FAKE SECURITY: OFF
[1] FAKE SECURITY: ON
[2] FAKE SECURITY: OFF
[3] NAS CONTROL
[1] CIPHERING CONTROL
[2] INTEGRITY CONTROL
[3] SIM CLASS CONTROL
[4] REVISION CONTROL
[5] RRC(HSPA) CONTROL
[6] DUALMODE IMPROVEMENT CONTROL
[7] NAS AVOID SECURITY CONTROL
[1] // CIPHERING CONTROL
CIPHERING CONTROL: ON
[1] CIPHERING: ON
[2] CIPHERING: OFF
[2] // INTEGRITY CONTROL
INTEGRITY CONTROL: ON
[1] INTEGRITY: ON
[2] INTEGRITY: OFF
[3] // SIM CLASS CONTROL
UIM CLASS: UMTS
[1] UIM CLASS: UMTS
[2] UIM CLASS: GSM
[4] REVISION CONTROL
[1] DISPLAY REVISION
[2] CHENGE REVISION
[5] RRC(HSPA) CONTROL
[1] DISPLAY RRC REVISION
[2] CHANGE RRC REVISION
[6] // DUALMODE IMPROVEMENT CONTROL
DUALMODE IMPROVEMENT: NOT ACT
[1] DUALMODE IMPROVEMENT: ON
[2] DUALMODE IMPROVEMENT: OFF
[7] NAS AVOID SECURITY CONTROL
AVOID_SECURITY_CHECK: NOT ACT
[1] SECURITY_CHECK: ON
[2] SECURITY_CHECK: OFF
[4] UE STATE CONTROL
[1] CALL CONNECT STATE
[2] CHANGE RAT TO WCDMA
[3] CHANGE RAT TO GSM
[5] SIMULATION
[1] Modem Assert (Reset)
[2] SW WATCHDOG
[3] HW WATCHDOG
[4] CP Logging (Started)
[5] Realtime Log(OFF) - Don't! <== WTF?
[6] NETWORK LOCK
[1] PERSO SHA256 Info
SHA256_ENABLE_FLAG [1]
[7] NETWORK CONTROL
[1] GCF
[2] BAND SELECTION ==> Code: 2263 "BAND"
[3] SERVICE DOMAIN
[4] AQUISITION ORDER
[5] PLMN(AUTO/MANUAL) SELECTIO
[6] FPLMN
[7] IMSI replacement
[1] GCF
[1] GSM/(E)GPRS/WCDMA REL8
[2] GSM/(E)GPRS/WCDMA REL7
[3] GSM/(E)GPRS/WCDMA REL6
[4] GSM/(E)GPRS/WCDMA REL5
[5] SETTING CANCELLATION
[2] BAND SELECTION
[1] Automatic
[2] WCDMA Band Preference
[3] GSM Band Preference
[4] LTE Band Preference
[3] // SERVICE DOMAIN
[1] CS + PS (*)
[2] CS ONLY
[3] PS ONLY
[4] // AQUISITION ORDER
[1] Automatic
[2] GSM_UMTS
[3] UMTS_GSM (*)
[4] No Change
[5] // PLMN(AUTO/MANUAL) SELECTIO
[1] AUTOMATIC (*)
[2] MANUAL
[6] FPLMN
[1] FPLMN READ
[2] FPLMN DELETE ALL
[3] FPLMN DELETE EXCL DOM
[7] // IMSI replacement
[1] Enable
[2] Disable (*)
[9] ANTENNA/ADC
ds_antenna_adc
------------------------------
[2] VERSION INFORMATION
[1] SW VERSION
[2] HW VERSION
[3] UMTS RF
[1] RF NV READ
[2] RF NV WRITE
[3] UMTS DIVERSITY CONTROL
[4] RF CALIBRATION CHECK
[4] GSM RF
[1] RF NV READ
[2] RF NV WRITE
[5] AUDIO ==> Locked! See Note (a)
...
[6] COMMON
[1] FTM
[2] DEBUG INFO
[3] RF SCANNING
[4] DIAG CONFIG
[5] WCDMA SET CHANNEL
[6] NV REBUILD
[7] FACTORY TEST
[8] FORCE SLEEP
[9] GPS
[1] FTM : OFF ==> Locked! See Note (b)
[1] NOT SUPPORT
[2] FTM : OFF
[2] DEBUG INFO
[1] MM REJECT CAUSE
[2] LOG DUMP
[3] UI DEBUG POPUP - N/S
[3] RF SCANNING
[1] SETTING
[2] START RF SCANNING
[3] RESULT TO PC
[4] RESULT TO SCREEN
[4] DIAG CONFIG
[1] USB ( )
[2] UART (*)
[3] DBG MSG ON (*)
[4] DBG MSG OFF ( )
[5] WCDMA SET CHANNEL
[6] NV REBUILD
[7] FACTORY TEST
[8] FORCE SLEEP
[9] GPS
co_gps_menu
[7] LTE BAND CONFIG CHECK --> <E>
(Where I have replaced my LAC/CID with "nnnnn" and "hhhhh", respectively)
Note that the end-point/detailed view of the menu items depends on your
current network. I.e. you will see different items when connected to GSM vs. WCDMA.
For example, here is a picture comparing the BASIC INFORMATION view for LTE, CDMA and GSM/UMTS, respectively.
(Picture stolen from THIS website. Sorry, there is no owner/contact info there to ask for permission.)
So what do all those numbers mean?
That's what we will try to figure out in the next posts and in this thread! But first I will show you
another menu view: the menu that concerns the MM (Mobile Management) MENU items.
To get to the picture below:
MAIN MENU > [1] UMTS MAIN MENU > [1] DEBUG SCREEN > [2] NAS INFORMATION > [1] MM INFORMATION
Which should result in:
Code:
mm: Idle
MCC-MNV: nnn-01
LAC: hhh, RAC: nn
TIMER_T32: 10(S) 11(S) 12(A)
13(S) 20(S) 30(S) 40(S)
GmmState: Registered(3)
SubState: normal(0)
PmmMode: IDLE(1)
rej_cause: 0, IuAttCnt: 0
TMSI: hhhhhhh
< placeholder >
As you can see, these include the values of a few important RR timers used. In the menu above they are
marked with (S) or (A), for STOPPED and ACTIVE, respectively. These timers are discussed further in
the next section.
The Mobility Management (MM) Timers: MS-side
All the MM timers are defined and thoroughly explained in [1]. But here I
summarize the timers we have found in our SM as shown above, where we
have the following timers clearly visible:
Code:
T3210
T3211
T3212
T3213
T3220
T3230
T3240
Here's a summary table also taken and edited from [1].
The very brief 3GPP summary for T3210/11/12/13 is:
< WIP placeholder>
The very brief 3GPP summary for T3220/30/40 is:
Code:
T3220 Timer is used during the MM states of:
- IMSI Detach Initiated
Timer is started at IMSI Detach.
Timer is stopped when: release from RM-sublayer
At expiry it: "enter Null or Idle, ATTEMPTING TO UPDATE" ??
T3230 Timer is used during the MM states of:
- Wait For Outgoing MM Connection
- Wait For Additional Outgoing MM Connection
- Wait TO Re-establish MM connection
Timer is started in the mobile station when:
- the MS makes a Ciphering Mode (CM) service request
- the MS makes a Ciphering Mode (CM) re-establishment request
Timer is stopped when:
- the MS makes a CM setting
- the MS receives a CM Service Reject
- the MS receives a CM Service Accept
At expiry it provides a release indicator.
T3240 Timer is started in the mobile station when:
- the mobile station receives a LOCATION UPDATING ACCEPT message completing a location updating procedure in the cases specified in subclauses 4.4.4.6 and 4.4.4.8;
- the mobile station receives a LOCATION UPDATING REJECT message in the cases specified in subclause 4.4.4.7;
- the mobile station has sent a CM SERVICE ABORT message as specified in subclause 4.5.1.7;
- the mobile station has released or aborted all MM connections in the cases specified in 4.3.2.5, 4.3.5.2, 4.5.1.1, and 4.5.3.1;
- the mobile station receives the paging message from network and enter the MM state 9 (WAIT FOR NETWORK COMMAND).
Timer is stopped, reset, and started again at receipt of an MM message.
Timer is stopped and reset (but not started) at receipt of a CM message that initiates establishment of an CM connection (an appropriate SETUP, REGISTER, or CP-DATA message as defined in 3GPP TS 24.008, 3GPP TS 24.010 [21] or 3GPP TS 24.011 [22]).
If timer expires, the MS shall abort the RR connection and enter the MM state MM IDLE.
References:
[1] "Mobile Radio Interface Layer 3 specification, Core Network Protocols"
3GPP TS 24.008 V12.5.0 (2014-03): (678 pages)
[2]
The Variable Vocabulary
Here is a list of variable names, and their inferred meaning, as found in the SM shown above.
Code:
RX : Receive/Down-Link Channel aka "DL CH"
TX : Transmit/Up-Link Channel aka "UL CH"
RI : [dBm] RSSI (Receive Signal Strength Indicator)
CID : Cell ID
PSC : Primary Synchronization Code
EcIo : [1] Ec/Io = RSCP / RSSI = Eb/No - Gp
RSCP : [dBm] Received Signal Code Power [2,3] RSCP = RSSI + Ec/No
SpeechVER : The Voice Codec in use [EFR/FR/HR/AMR]
L1 : [FACH,DCH,BCH,PCH_Sleep]
Drx cycle : Discontinuous Reception (DRX) Cycle
therm : Thermal Power (
LNA : Low Noise Amplifier ???
mm: Idle : Mobile Management connection status ??
lu: Upda :
SS: Avail : Subsystem System Simulator ?? Secondary Synchronization Signal ??
RAC : Routing Area Code
TIMER_T32: 10 (S) : Really refers to the T3210 timer, and where
GmmState: Registered(3) :
SubState: normal(0) :
PmmMode: IDLE(1) :
rej_cause:0 :
luAttCnt:0 : Location Update (IMSI Attach?)/(Attempts?) Count
TMSI: 9xxxxxxd : Temporary Mobile Subscriber Identity
AS INFORMATION: : Access Stratum
VOC :
CQI : Channel-Quality Indication
Sam :
"Specific Anthropomorphic Mannequin" ??
"Service Aware Manager" (Alcatel/Lucent) ??
As you can see there are many not yet clearly defined items.
To clarify these (and others) is the main purpose of this thread!
< more crazy dragons to be >
< more crazy dragons to be >
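Added example (my own Python, not code from this thread or from Samsung): it parses the BASIC INFORMATION and MM INFORMATION screens exactly as dumped in the posts above (the sample text is copied from those dumps, keeping the author's nnn/hhh placeholders), expands the TIMER_T32 line into T3210..T3240 with the (S)/(A) = STOPPED/ACTIVE convention described under the MM INFORMATION screen, and checks the displayed RSCP against the relation RSCP = RSSI + Ec/Io given in the vocabulary list. Function and key names are my own assumptions.

```python
import re

# Constructed sample input: the BASIC INFORMATION and MM INFORMATION screens copied
# from the GT-I9195 dumps in this thread (nnn/hhh are the author's own placeholders).
BASIC_INFO = """\
RRC: IDLE, Band1
MCC-MNC:nnn-01
RX: 10663, RI: -59, CID: hhhhh
TX: 9713, PSC: 394
EcIo: -4, RSCP: -63
SpeechVER: FR FR FR
L1: PCH_Sleep
Drx cycle: 64
SIB19 is received
therm: 162 LNA: 0
Service: Available
"""

MM_INFO = """\
mm: Idle
MCC-MNV: nnn-01
LAC: hhh, RAC: nn
TIMER_T32: 10(S) 11(S) 12(A)
13(S) 20(S) 30(S) 40(S)
GmmState: Registered(3)
SubState: normal(0)
PmmMode: IDLE(1)
rej_cause: 0, IuAttCnt: 0
TMSI: hhhhhhh
"""

# "KEY: value" pairs; a value ends at a comma, at the next "KEY:" or at end of line,
# so "therm: 162 LNA: 0" yields two fields and "SpeechVER: FR FR FR" yields one.
FIELD_RE = re.compile(r"([\w/-][\w /-]*?):\s*(.*?)(?=\s*,|\s+[\w/-]+:|$)")

def parse_fields(screen):
    """Turn one ServiceMode screen into a dict; plain integers are converted."""
    fields = {}
    for line in screen.splitlines():
        for key, val in FIELD_RE.findall(line):
            key, val = key.strip(), val.strip()
            fields[key] = int(val) if re.fullmatch(r"-?\d+", val) else val
    return fields

# "10(S)" on the TIMER_T32 line means timer T3210; (S) = STOPPED, (A) = ACTIVE.
TIMER_RE = re.compile(r"\b(\d{2})\(([SA])\)")

def parse_mm_timers(screen):
    """Expand the TIMER_T32 line (and its wrapped continuation) into T32xx -> state."""
    timers, collecting = {}, False
    for line in screen.splitlines():
        if line.startswith("TIMER_T32:"):
            collecting = True
        elif collecting and ":" in line:      # next KEY: line ends the timer block
            break
        if collecting:
            for suffix, state in TIMER_RE.findall(line):
                timers["T32" + suffix] = {"S": "STOPPED", "A": "ACTIVE"}[state]
    return timers

def check_rscp(fields):
    """Return (computed RSCP, displayed RSCP, agree within 1 dB) using RSCP = RSSI + Ec/Io."""
    computed = fields["RI"] + fields["EcIo"]          # dB arithmetic: -59 + (-4) = -63
    return computed, fields["RSCP"], abs(computed - fields["RSCP"]) <= 1

if __name__ == "__main__":
    basic = parse_fields(BASIC_INFO)
    print("RSCP computed/displayed/ok:", check_rscp(basic))
    print("MM timers:", parse_mm_timers(MM_INFO))
```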
A very nice book chapter and collection of useful baseband info and document links.
Benoit Michau, 2014
"Analyse de sécurité des modems mobiles"
[French]
LNA
E:V:A said:
The Variable Vocabulary
Here is a list of variable names, and their inferred meaning, as found in the SM shown above.
Code:
LNA : Low Noise Amplifier ???
LNA = Line Noise Attenuator/Attenuation
oddball3 said:
LNA = Line Noise Attenuator/Attenuation
Thanks for your attention, but I don't think that is correct, because this is a radio device and not an ADSL-router or other "line" dependent device. You'll have to try harder to convince me. Links to a reliable source, helps.
E:V:A said:
Thanks for your attention, but I don't think that is correct, because this is a radio device and not an ADSL-router or other "line" dependent device. You'll have to try harder to convince me. Links to a reliable source, helps.
Not spot on, but proof of concept:
http://www.w3eee.com/Noiz .html
I had the perfect site I wanted to post here for you, and just to prove what a crappy country this is, our power utility decided to cut supply to our area :-\ I reckon I was about two sentences away from perfection haha!! Was so disappointed it's taken me since then to work up the enthusiasm to try again!!
Edit: Good Reference source - http://ieeexplore.ieee.org/xpl/logi...re.ieee.org/xpls/abs_all.jsp?arnumber=6471543
Few from me
PSC : Primary Scrambling Code (not synchronization)
L1 : RRC State [FACH,DCH,BCH,PCH_Sleep]
GmmState: Registered(3) : GPRS Mobility Management status
PmmMode: IDLE(1) : Packet Mobility Management status
E:V:A said:
Code:
mm: Idle
MCC-MNV: nnn-01
LAC: hhh, RAC: nn
TIMER_T32: 10(S) 11(S) 12(A)
13(S) 20(S) 30(S) 40(S)
GmmState: Registered(3)
SubState: normal(0)
PmmMode: IDLE(1)
rej_cause: 0, IuAttCnt: 0
TMSI: hhhhhhh
As you can see, these include the values of a few important RR timers used. In the menu above they are
marked with (S) or (A), for STOPPED and ACTIVE, respectively. These timers are discussed further in
the next section.
Interesting. But that way we can only know if a Timer is Stopped or Active.
How can we know the Value of these Timers?
Thanks.
vndnguyen said:
How can we know the Value of these Timers?
We can try to read its value from one of the SIM card EF files. I forgot which. We can also read it from the /dev/diag RF diagnostics device or possibly from the QMI (Qualcomm) debug ports. Or we can leave phone still and read the start/stop flags when they change. Or you can call the technicians of the MNO and ask.
E:V:A said:
We can try to read its value from one of the SIM card EF files. I forgot which.
I can read the EF files on the SIM cards. But the problem is that we don't know which EF files store those timers.
We can also read it from the /dev/diag RF diagnostics device or possibly from the QMI (Qualcomm) debug ports.
Can you give some detailed instruction about it? I have no idea on it.
Or we can leave phone still and read the start/stop flags when they change.
This is not a good way to read.
Or you can call the technicians of the MNO and ask.
Yes, I'm working at that MNO. But I still want to read those timers directly from the phone.
problem with gsm
hi gays.
I've a problem with my phone.
In GSM (2G) I don't have signal, but in 3G yes.
With this service menu... can I repair it?
Please help me.
Hi guys, I have a problem: with my phone on GSM 2G it gets no signal, it stays without service, but when I switch to 3G I get signal right away.
Can I repair it with this menu, and how? Thanks for the help.
sirkuazar said:
hi gays.
I've a problem with my phone.
In GSM (2G) I don't have signal, but in 3G yes.
With this service menu... can I repair it?
Please help me.
Hi guys, I have a problem: with my phone on GSM 2G it gets no signal, it stays without service, but when I switch to 3G I get signal right away.
Can I repair it with this menu, and how? Thanks for the help.
Gays? I'm not a gay LOL
You would rather check your sim card as well as the mobile service before playing around with your phone. You can put the sim card into another phone to see if it works, etc...
:laugh::laugh::laugh::laugh:
vndnguyen said:
Gays? I'm not a gay LOL
You would rather check your sim card as well as the mobile service before playing around with your phone. You can put the sim card into another phone to see if it works, etc...
HHHHHHHHH