"Secret Codes" and Hidden Features
Hacking for "Secret Codes" and other hidden phone features.
Skill Level: Easy
Posting
==================================================
Do NOT post general questions/requests on how to do
this or that, they will not be answered, simply
because we don't know yet. Rather try to find out
by yourself and share your results.
==================================================
Purpose
To find all "Secret Codes", special properties and other hidden phone features
and settings, used in the GT-I9300. The secret codes are not so secret, but
are often used to activate and manipulate many settings, such as debug modes,
network connections, factory test modes etc. It is an unfortunate choice of
words but we will stick to this definition nonetheless for simplicity, since
it is also used in the source code by Samsung and AOS. Do not confuse secret
codes with VSC (Vertical Service Codes), USSD (Unstructured Supplementary
Service Data) or other MMI (Man Machine Interface) codes.
Although there are many "standard" codes common to many Samsung phones, they
do vary to some extent. This is because their functionality often depend on
the particular hardware, in particular the baseband processor (aka radio, DSP,
BP or CP) and the multiplexer chips that switches the various internal USB
paths, for example between MHL, BP and AP.
This is an informative reference thread on these features. If you have
relevant additional information you'd like to share, please post it here.
Background
From the Samsung Galaxy S2 experience we have gained the following
understanding when it come to the Factory/Service Mode menus and the
PhoneUtils applications. We are still to work out if this is still true for
the SGS3.
But first it is worth to note, that due to the more complicated, but better
organized phone applications in ICS, the way to enter secret codes have
changed from GB versions. Now all secret codes have to be prefixed with
"*#*#", followed by <code> and post fixed with "#*#*". [Note-1] However,
according to the GT-I9300 Service Manual, there are two codes that should work
without post- and pre-fixes. They are *#1234# (version) and *2767*3855#
(Factory reset! It will wipe your phone instantly, NO warnings, no going back,
no way to cancel.) [Note-2]
==================================================
Newbie Practice Box
Go to your phone dialer and "dial" the following string:
*#*#197328640#*#*
This will trigger the Service Menu.
==================================================This same effect can be accomplished directly on the command line, with a
direct URI broadcast call to the application receiver via:
Code:
[SIZE=2]am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://1111[/SIZE]
Second, it is essential to know that the actual program code (read
assembly/machine code) for the Engineering / Service Mode menu, is actually
located in the baseband processor firmware. What you actually see when you
enter this menu, is just a java based wrapper application, that make direct
function calls through various entry points, in the baseband kernel/firmware.
What does it mean? When you enter a specific "secret code", the wrapper
application (e.g. ServiceMenu.App) deciphers the code to a particular menu
entry in the baseband processor, where it is executed and whose result is
output to the wrapper application.
Third. Apart from hardware differences, because of the baseband firmware
dependance, the set of working secret codes will differ somewhat from your
location, depending on:
Your Modem firmware
Your AOS version (ICS 4.0.1, 4.0.4 etc.)
Your CSC version (Regional codes)
Special Notes
[Note-1] This can be seen in the handleSecretCode() function in the SpecialCh****quenceMgr.java code.
[Note-2] These need testing and confirmation since they clearly contradict [Note-1].
[Note-3] Apparently the Samsung Galaxy S3 will come in at least two versions:
The GT-I9300 (FCC-ID: A3LGTI9300 )
The SCH-I939 (FCC-ID: A3LSCHI939 ) [Possibly the LTE version]
References
[1] "[GUIDE] Noobs guide to extract Galaxy S3 stock firmware(.img)"
[2] "[All Stock Firmwares] I9300XXALE8 (4.0.4) - Kenya (OJV) [19-05-12]"
[3] "[HOW TO][Windows]Extract Deodex Sign and Zipalign an official ROM"
[4] "[GUIDE] dsixda's Android Kitchen - Now with SGS2 support (Windows/Linux/Mac)"
[5] "[REF] Unpacking and repacking stock rom .img files"
[6] "[Tool] Yaffey - Utility for reading, editing and writing YAFFS2 images" (code is here)
[7] "[TOOL] Auto Bloat Remover Tool For GS III!"
[8] "[GUIDE][TOOL] Guide To Create You're Own De-Bloat Tool/APK Installer/For Any Device"
Keywords: Secret, Codes, Hidden, Service, Factory, UART
HOW TO (find new stuff)
So how do you find new codes?
Well Google it! Then consider getting the following tools:
Get jd-gui (Often crashes)
Get jad (doesn't crash, but is cmdline based)
Get sgs2toext4 (and here)
Get Disk Internals Linux Reader
Get a disk image with deodexed Apps (see below)
Then what to do?
The brief version. (For full version, see "References" in OP above.)
Download all the tools shown above.
Download the deodexed firmware images (see post#3)
(If in Windows) Double click the sgs2toext4.
Drag and drop the system.img file to the sgs2toext4 "drop window".
You will now have a system.img.ext4 file, open this file with the LinuxReader tool.
Save entire filesystem (from 5) in a new folder. Close.
Go to the folder containing the *.apk(s) of interest.
Make sure dex2jar.bat (win) is in your path and run it on your interesting.apk like this, for example:
Code:
./path/to/dex2jar.bat Samsungservice.apk
This produces a new file: Samsungservice_dex2jar.jar
Extract (7zip) this file in a new folder.
Go to that folder in command line and enter the appropriate "jad" commands. For example, to decompile all class files globbed by Phone*.class and put the decompiled sources in the "src" sub-directory, do:
Code:
jad -o -r -sjava -dsrc Phone*.class
Go to the source directory (../src) you just created.
Enjoy your *.java files!
Alternatively you can deodex on your own...but don't ask me how to do it.
A few other Tools
http://www.sable.mcgill.ca/soot/
http://jdec.sourceforge.net/
http://stackoverflow.com/questions/647116/how-to-decompile-a-whole-jar-file
http://askubuntu.com/questions/129305/how-can-i-open-binary-image-files-img
The Secret Codes
The information for this post was obtained by decompiling the
deodexed system image of the firmware shown below.
I9300XXALE8
Base Firmware: I9300XXALE8 (4.0.4)
Modem: XXLE8
CSC: OJVALE7
The latest GT-I9300 Stock Firmwares can be found here.
Here are the codes as found in:
serviceModeApp.apk: ServiceModeApp.class
Code:
[SIZE=2]
Code Description JavaCall
----------------------------------------------------------------------------------------------------------------------
197328640 || 2684 Start Service Mode / Enter SM Main Menu SendData('\001', '\001', '\000', '\000', '\000');
1111 FTA SW Version SendData('\001', '\001', '\u1002', '\000', '\000');[/SIZE] [SIZE=2]
2222 FTA HW Version SendData('\001', '\001', '\u1003', '\000', '\000');
8888 SendData('\001', '\001', '\u1003', '\000', '\000');
2886 SendData('\001', '\001', ' ', '\000', '\000');
6984125* SendData('\001', '\001', ' ', '\000', '\000');
2767*2878 ? Factory reset (complete erase & format) SendData('\001', '\001', '!', '\000', '\000');
0228 ADC Reading SendData('\001', '\001', '\005', '\000', '\000');[/SIZE] [SIZE=2]
0599 SendData('\001', '\001', '\024', '\000', '\000');
1575 SendData('\001', '\001', '\025', '\000', '\000');
2263 RF Band Selection SendData('\001', '\001', '\026', '\000', '\000');
2580 SendData('\001', '\001', '\007', '\000', '\000');
301279 || 279301 SendData('\001', '\001', '\024', '\000', '\000');
32489 Ciphering Info SendData('\001', '\001', '\006', '\000', '\000');
4238378 SendData('\001', '\001', '\027', '\000', '\000');
4387264636 SendData('\001', '\001', '\037', '\000', '\000');
7284 PhoneUtil: USB/UART I2C Mode Control SendData('\001', '\001', '\023', '\000', '\000');
738767633 SendData('\001', '\001', '\034', '\000', '\000');
73876766 SendData('\001', '\001', '\033', '\000', '\000');
7387677763 SendData('\001', '\001', '\036', '\000', '\000');
7387678378 SendData('\001', '\001', '\035', '\000', '\000');
9090 Diagnostic Configuration SendData('\001', '\001', '\023', '\000', '\000');
0011 SendData('\001', '\004', '\000', '\000', '\000');[/SIZE] [SIZE=2]
123456 SendData('\001', '\004', '\001', '\000', '\000');
<na> End Service Mode 1 () SendData('\002', '\004', '\000', '\000', '\000');
<na> End Service Mode 2 () SendData('\002', '\001', '\000', '\000', '\000');
[/SIZE]
NOTE: In the table above, I have replaced printed UTF-8 (U+NNNN) characters with '\uNNNN'.
As you can see in the table above, most of the hidden codes are just shortcuts
into various sub-menus (third parameter) of Service Mode application. However,
this does not exclude the use of other hidden codes, that can be used or detected
in other applications.
From a different file we have a some additional codes.
(Not including already covered or overlapping codes.)
serviceModeApp.apk: SecKeystringBroadcastReceiver.class
Code:
[SIZE=2]0000
147852 TestApnSettings: putExtra("testBed", "Suwon");[/SIZE] [SIZE=2]
1478963 TestApnSettings: putExtra("testBed", "Open_market");
22558463 Reset Total Call Time
232331
232332
232337
3214789650
369852 TestApnSettings: putExtra("testBed", "Gumi");
3698741 TestApnSettings: putExtra("testBed", "Delete_DB");
-------------------------------------------------------------------------------
03 NAND Flash S/N (NandFlashHeaderRead)
745 RIL Dump Menu
746 Debug Dump Menu
0228 Battery Status
1111 IF SalesCode="CTC" THEN: TerminalMode
2222 IF SalesCode="CTC" THEN: TerminalMode
2263
8888
9900 || 0514 System Dump
279301
301279
3214789 GCF Mode Settings
5337632 NFC Test
22553767 Call Drop Log View
6335623
TESTMODE
[/SIZE]
These may not always work, since some of them depend on certain "Sales Codes"
or factory IMSI numbers, through statements like:
Code:
if ((mSalesCode.equals("CHM")) && (str.equals("827828868378")))
But these were only codes found in two files.
So there are probably many more codes to be found!
Other Stuff
Here are some unknown functions from: TerminalMode.class
Code:
[SIZE=2]DEBUG_SCR SendData('\001', '\004', '\000', 0, '\000');
EI_DEBUG_SCR SendData('\001', '\006', '\000', 0, '\000');
DATA_ADV SendData('\001', '\003', '\003', 0, '\000');
NAMBASIC SendData('\001', '\003', '\001', 0, '\000');
TESTMODE SendData('\001', '\001', '\000', 0, '\000');
NAMSIMPLE SendData('\001', '\003', '\002', 0, '\000');
TEST_CALL SendData('\004', '\007', c, 0, '\000');
[/SIZE]
Here is a list of all the OEM Commands used in the Service Mode App.
Code:
[SIZE=2]-------------------------------------------------------------------------------
private class OemCommands (ServiceModeApp) value hex
-------------------------------------------------------------------------------
char OEM_SERVM_FUNCTAG = '\001';
OEM_SM_ACTION = '\000'; 00
OEM_SM_DUMMY = '\000'; 00
OEM_SM_END_MODE_MESSAGE = '\002'; 02
OEM_SM_ENTER_MODE_MESSAGE = '\001'; 01
OEM_SM_GET_DISPLAY_DATA_MESSAGE = '\004'; 04
OEM_SM_PROCESS_KEY_MESSAGE = '\003'; 03
OEM_SM_QUERY = '\001'; 01
OEM_SM_TYPE_MONITOR = '\004'; 04
OEM_SM_TYPE_MONITOR_SKT = '\001'; 01
OEM_SM_TYPE_NAM_EDIT = '\003'; 03
OEM_SM_TYPE_PHONE_TEST = '\005'; 05
OEM_SM_TYPE_SUB_ALL_VERSION_ENTER = '\004'; 04
OEM_SM_TYPE_SUB_BAND_SEL_ENTER = '\026'; 16
OEM_SM_TYPE_SUB_BATTERY_INFO_ENTER = '\005'; 05
OEM_SM_TYPE_SUB_BLUETOOTH_TEST_ENTER = '\t'; 09
OEM_SM_TYPE_SUB_CIPHERING_PROTECTION_ENTER = '\006'; 06
OEM_SM_TYPE_SUB_ENTER = '\000'; 00
OEM_SM_TYPE_SUB_FACTORY_PRECONFIG_ENTER = '\016'; 0e
OEM_SM_TYPE_SUB_FACTORY_RESET_ENTER = '\r'; od
OEM_SM_TYPE_SUB_FACTORY_VF_TEST_ENTER = '\031'; 19
OEM_SM_TYPE_SUB_FTA_HW_VERSION_ENTER = '\003'; 03
OEM_SM_TYPE_SUB_FTA_SW_VERSION_ENTER = '\002'; 02
OEM_SM_TYPE_SUB_GCF_TESTMODE_ENTER = '\027'; 17
OEM_SM_TYPE_SUB_GET_SELLOUT_SMS_INFO_ENTER = '\037'; 1f
OEM_SM_TYPE_SUB_GPSONE_SS_TEST_ENTER = '\025'; 15
OEM_SM_TYPE_SUB_GSM_FACTORY_AUDIO_LB_ENTER = '\030'; 18
OEM_SM_TYPE_SUB_IMEI_READ_ENTER = '\b'; 08
OEM_SM_TYPE_SUB_INTEGRITY_PROTECTION_ENTER = '\007'; 07
OEM_SM_TYPE_SUB_MELODY_TEST_ENTER = '\013'; 0b
OEM_SM_TYPE_SUB_MP3_TEST_ENTER = '\f'; oc
OEM_SM_TYPE_SUB_RRC_VERSION_ENTER = '\024'; 14
OEM_SM_TYPE_SUB_RSC_FILE_VERSION_ENTER = '\021'; 11
OEM_SM_TYPE_SUB_SELLOUT_SMS_DISABLE_ENTER = '\034'; 1c
OEM_SM_TYPE_SUB_SELLOUT_SMS_ENABLE_ENTER = '\033'; 1b
OEM_SM_TYPE_SUB_SELLOUT_SMS_PRODUCT_MODE_ON = '\036'; 1e
OEM_SM_TYPE_SUB_SELLOUT_SMS_TEST_MODE_ON = '\035'; 1d
OEM_SM_TYPE_SUB_SW_VERSION_ENTER = '\001'; 01
OEM_SM_TYPE_SUB_TFS4_EXPLORE_ENTER = '\017'; 0f
OEM_SM_TYPE_SUB_TOTAL_CALL_TIME_INFO_ENTER = '\032'; 1a
OEM_SM_TYPE_SUB_TST_AUTO_ANSWER_ENTER = ' '; 20
OEM_SM_TYPE_SUB_TST_FTA_HW_VERSION_ENTER = ----> # UTF-8: U+1003: e1 80 83 MYANMAR LETTER GHA
OEM_SM_TYPE_SUB_TST_FTA_SW_VERSION_ENTER = ----> # UTF-8: U+1002: e1 80 82 MYANMAR LETTER GA
OEM_SM_TYPE_SUB_TST_NV_RESET_ENTER = '!'; 21
OEM_SM_TYPE_SUB_USB_DRIVER_ENTER = '\022'; 12
OEM_SM_TYPE_SUB_USB_UART_DIAG_CONTROL_ENTER = '\023'; 13
OEM_SM_TYPE_SUB_VIBRATOR_TEST_ENTER = '\n'; 0a
OEM_SM_TYPE_TEST_AUTO = '\002'; 02
OEM_SM_TYPE_TEST_MANUAL = '\001'; 01
-------------------------------------------------------------------------------
private class OemCommands (TerminalMode)
-------------------------------------------------------------------------------
OEM_HIDDEN_FUNCTAG = 'Q';
OEM_HM_END_TEST_CALL_MESSAGE = '\t';
OEM_HM_TEST_CALL_MESSAGE = '\004';
OEM_HM_TYPE_TEST_CALL = '\007';
OEM_SERVM_FUNCTAG = '\001';
-------------------------------------------------------------------------------
private class OemCommands (SysDump:)
-------------------------------------------------------------------------------
OEM_DBG_STATE_GET = 6;
OEM_DEL_RIL_LOG = 13;
OEM_DPRAM_DUMP = 14;
OEM_DUMPSTATE = 3;
OEM_DUMPSTATE_ALL = 20;
OEM_ENABLE_LOG = 7;
OEM_GCF_MODE_GET = 15;
OEM_GCF_MODE_SET = 16;
OEM_IPC_DUMP_BIN = 9;
OEM_IPC_DUMP_LOG = 8;
OEM_KERNEL_LOG = 4;
OEM_LOGCAT_CLEAR = 5;
OEM_LOGCAT_MAIN = 1;
OEM_LOGCAT_RADIO = 2;
OEM_MODEM_FORCE_CRASH_EXIT = 23;
OEM_MODEM_LOG = 18;
OEM_NV_DATA_BACKUP = 17;
OEM_OEM_DUMPSTATE_MODEM_LOG_AUTO_START = 19;
OEM_RAMDUMP_MODE = 10;
OEM_RAMDUMP_STATE_GET = 11;
OEM_START_RIL_LOG = 12;
OEM_SYSDUMP_FUNCTAG = 7;
OEM_TCPDUMP_START = 21;
OEM_TCPDUMP_STOP = 22;
-------------------------------------------------------------------------------
[/SIZE]
Enjoy!
Special Properties
Next we'll have a look at some interesting (or not?) system "properties".
For now, I'll just list some of those I found more interesting and potentially useful.
Code:
[SIZE=2]Property Setting/String Source Description[/SIZE]
[SIZE=2]----------------------------------------------------------------------------------------------------------------------[/SIZE]
[SIZE=2]dev.silentlog.on On SysDump: [/SIZE]
[SIZE=2]gsm.operator.numeric 45001 Sec_Ril_Dump: [RIL::FD] Samsung Testbed[/SIZE]
[SIZE=2]gsm.default.sidmode ? UART[/SIZE]
[SIZE=2]net.tcpdumping On SysDump: ?[/SIZE]
[SIZE=2]nfc.trace.mode On Enable NFC Trace Mode [/SIZE]
[SIZE=2]ril.FTM_MODE ? "FTM_MODE_KEY"[/SIZE]
[SIZE=2]ril.FS true PhoneUtils: updateRAFT() Activates RAFT (???) updates[/SIZE]
[SIZE=2]ril.OTPAuth SysDump: OTP Authentication [/SIZE]
[SIZE=2]ril.cdma.inecmmode true Is phone in ECM mode?[/SIZE]
[SIZE=2]ril.unique_number The RIL Unique Number (UN)[/SIZE]
[SIZE=2]ril.sms.gcf-mode On ? SMS "GCF" mode[/SIZE]
[SIZE=2]persist.log.seclevel On Switchable Log level?[/SIZE]
[SIZE=2]persist.sys.country [/SIZE]
[SIZE=2]ro.build.type eng SysDump: [/SIZE]
[SIZE=2]ro.debuggable On Enable Debug / DBG_ENG / Engineering Mode??[/SIZE]
[SIZE=2]----------------------------------------------------------------------------------------------------------------------[/SIZE]
[SIZE=2]Country/Region Specific[/SIZE]
[SIZE=2]----------------------------------------------------------------------------------------------------------------------[/SIZE]
[SIZE=2]ro.board.platform [/SIZE]
[SIZE=2]ro.build.characteristics [/SIZE]
[SIZE=2]ro.csc.sales_code SKT | KIT | LGT PhoneFeature: makeFeatureForKor() [/SIZE]
[SIZE=2]ro.product.name espressorf | espresso10rf PhoneFeature: checkDBGLevel() [/SIZE]
[SIZE=2] aegis2vzw PhoneFeature: makeFeatureForKor() [/SIZE]
[SIZE=2] jaguars | jaguark | jaguarl [/SIZE]
A particularly fun string is the following, found in the featureForKor() function:
Code:
[SIZE=2]mFeatureList.put("emergency_for_cyber_terror", boolean2);[/SIZE]
I'd really like to know what this does!
Special Files
As we know from other Samsung Galaxy class phones, there are a number
of files that can be created or modified in order to activate certain
functions. Here we list those found to date. Please post if you know
of other ones!
Apparently setting the "SubscriberID" (IMSI) to "999999999999999" also
activates certain test features. A sim with this IMSI is also known as
a "Factory SIM". However, if the SIM IMSI starts with either "45001" or
"00101" it is a "Test SIM".
[See: ServiceModeApp.apkhoneUtils.java:isFactoryMode() or
FactoryTest.apk:ModuleCommon.java:isFactorySim()]
Code:
[SIZE=2]File FileContent Description[/SIZE]
[SIZE=2]-------------------------------------------------------------------------------[/SIZE]
[SIZE=2]/efs/FactoryApp/factorymode ON Enable Factory Mode[/SIZE]
[SIZE=2]/efs/FactoryApp/keystr ON Blocked (hidden code?) Key String(s)[/SIZE]
[SIZE=2]/efs/imei/mps_code.dat ? ?[/SIZE]
[SIZE=2]/efs/root/ERR ? Error Log[/SIZE]
[SIZE=2]/data/.psm.info ? WiFi Power Save Mode [/SIZE]
[SIZE=2]---------------------------------------[/SIZE]
[SIZE=2]Various Log Files:[/SIZE]
[SIZE=2]---------------------------------------[/SIZE]
[SIZE=2]/data/log/CallDropInfoLog.txt ? Dropped Calls Log[/SIZE]
[SIZE=2]/data/log/lucky_ril.log ? ?[/SIZE]
[SIZE=2]/data/log/dumpState_*.log ? ? System Dump Log[/SIZE]
[SIZE=2]/data/log/main_*.log ? ? [/SIZE]
[SIZE=2]/data/anr/traces.txt ? ? [/SIZE]
[SIZE=2]/data/log/err ? ? Error Log[/SIZE]
[SIZE=2]/data/log/err/AENEAS_TRACE_###.bin RF Aeneas Trace Log[/SIZE]
[SIZE=2]/data/log/err/MA_TRACE_###.bin RF MA Trace Log[/SIZE]
[SIZE=2]/mnt/sdcard/log ? ?[/SIZE]
[SIZE=2]---------------------------------------[/SIZE]
[SIZE=2]System Files [/SIZE]
[SIZE=2]---------------------------------------[/SIZE]
[SIZE=2]/sys/class/sec/switch/adc [/SIZE]
(Note: Some of these paths need to be verified, as they may be relative...)
Finally, we have two NVpasswords, that is used for uploading or dumping NVram, AFAIK. They are:
873283
3352225
and they can be found in Sec_Ril_Dump.class.
DISCALIMER:
As I do not have access to a GT-I9300, I have not been able to verify
any of the information in this thread! I apologize if there is any erroneous
information here. Please let me know and post new information here as
it become available. Also make sure you make a complete backup, before
attempting any of the codes or other trickery above!
Great post Buddy. But..........
But I didn't Understand Anything, lol better to say Nothing......... Too complicate for my simple mind.
This is some list! Great job!
Very good info there .. how about programming the sim with that IMSI will it have any effect.
Sent from my GT-I9300
tids2k said:
Very good info there .. how about programming the sim with that IMSI will it have any effect.
Click to expand...
Click to collapse
It certainly will, but you will have to find a SIM that is programmable!
You can buy programmable SIM cards from the Sysmocom website, but you need the tools to do so. Sysmocom is ran by some of the GSM security researchers and open source baseband developers...
Here is tutorial on how to clone a SIM card. However, this may be highly illegal in some countries, even for your own! Check your local laws.
(In addition it is a border-line topic on what we are allowed to post here on XDA.)
But Apple proposed, (and here) already some years ago, to have programmable SIM cards built into their devices. This would make perfect sense, since the whole idea about using SIM cards have been neglected and forgotten in the first place. (The original idea, was that it should be extremely easy to switch SIM cards, so that you could easily just borrow someone else's phone, put you card in and make a phone call. Even on designated SIM-holder enabled pay-phones! This has become forgotten and circumvented and damn hard to do with embedded sim cards deep inside your phone.) In addition most cellular providers have lobbied against it...
Definately would look at it. Here is the link for the time being ...
http://www.jaycar.com.au/productView.asp?ID=KC5361
I remember when Dejan found the binary hack way back in 2006 for BB5 Nokia phones, he posted files on his website on how to clone a simcard. But those times only 16bit chips were used.
Here is the scheme tics for the reader if any one interested.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
via Flying Daggers
tids2k said:
how about programming the sim with that IMSI will it have any effect.
Click to expand...
Click to collapse
No need to program a sim, there is a service code (*#46744674#) which will set your IMSI to 9999..., well it does on the SGS2 anyway.
Does it look like there are any menus where you can disable Fast Dormancy? *#9900# does not allow you to do this on the S3
Code:
Samsung Galaxy S3 .. Secret Codes found by tids2k
Thanks to E:V:A for his information and knowledge
HOW TO RUN THESE COMMANDS :
Connect your phone into debug mode .. Settings -> USB Debugging [] Enable it.
Then in MS-DOS C:\ type
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://****
where **** is the secret code :-) So let us begin
Secret Codes **** Function
2684 or 197328640 DEBUG MENU
0000 CSC SPECIFIC
827828868378 CSC SPECIFIC
2684 SERVICE MODE ( WATCHDOG/DUMPS/LOGS OPTIONS)
0011 CONNECTION STATUS
123456 CONNECTION STATUS
22558463 RESETS TOTAL TALK TIME
32489 CIPHERING INFO
2580 NON-SUPPORT
232337 BLUETOOTH ADAPTER ADDRESS
232331 BLUETOOTH RF TEST
232332 ??
9090 DIAG CONFIG (MODEM)
73876766 SELLOUT SMS ENABBLE
738767633 SELLOUT SMS DISABLE
7387678378 SELLOUT SELF SET TEST MODE
7387677763 SELLOUT SMS SET PRODUCT MODE
4238378 GCF SETTINGS
4387264636 SELLOUT SMS MAIN
1575 GPS SETTINGS
6984125 ????
2886 ??
2767*2878 ??
745 RIL COMMANDS ( NICE ONE )
746 ANOTHER DUMP TOOL ( NICE ONE )
9900 or 0514 SYSDUMP
1111 FTA SW VERSION
2222 or 8888 FTA HW VERSION
301279 or 279301 RRC ( HSPA ) CONTROL
2263 BAND SELECTION
5337632 SOME KIND OF SOUND
0228 BATTERY STATUS
03 NAND FLASH UNIQUE NO.
3214789 GCF MODE ENABLE/DISABLE
6335623 WIFI HIDDEN MENU
NOW FACTORY SETTINGS
06 IMEI
0589 LIGHT SENSOR TEST
80 TOUCH NOISE TEST
251 WAKELOCK ON
250 WAKELOCK OFF
350 REBOOT
5238973 LCD TYPE
4327 HDCP INFO
22235 ACCELEROMETER SENSOR INFO
0782 RCT CLOCK
86824 TOUCH KEY SENSTIVITY
0842 VIBRATION TEST
0673 SPEAKER/HEADPHONE/HEADSET TEST
0289 MELODY TEST
2663 TOUCH FIRMWARE UPDATE
2664 POINTER LOCATION
0588 PROXIMITY TEST
3264 RAM CHECK
7780 MASTER RESET
7769 PROXIMITY SENSOR TEST
87976633 FACTORY RESET
9999*3288 QWERTY COUNTER
767*2878 QWERTY COUNTER RESET
0283 LOOPBACK TEST
7328735824 LOT ID
three new tablets in work ... lol
if ((str1.startsWith("GT-P31")) || (str1.startsWith("GT-P51")) || (str1.startsWith("SCH-i705")));
tids2k said:
Code:
Samsung Galaxy S3 .. Secret Codes found by tids2k
Thanks to E:V:A for his information and knowledge
HOW TO RUN THESE COMMANDS :
Connect your phone into debug mode .. Settings -> USB Debugging [] Enable it.
Then in MS-DOS C:\ type
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://****
where **** is the secret code :-) So let us begin
Secret Codes **** Function
2684 or 197328640 DEBUG MENU
0000 CSC SPECIFIC
827828868378 CSC SPECIFIC
2684 SERVICE MODE ( WATCHDOG/DUMPS/LOGS OPTIONS)
0011 CONNECTION STATUS
123456 CONNECTION STATUS
22558463 RESETS TOTAL TALK TIME
32489 CIPHERING INFO
2580 NON-SUPPORT
232337 BLUETOOTH ADAPTER ADDRESS
232331 BLUETOOTH RF TEST
232332 ??
9090 DIAG CONFIG (MODEM)
73876766 SELLOUT SMS ENABBLE
738767633 SELLOUT SMS DISABLE
7387678378 SELLOUT SELF SET TEST MODE
7387677763 SELLOUT SMS SET PRODUCT MODE
4238378 GCF SETTINGS
4387264636 SELLOUT SMS MAIN
1575 GPS SETTINGS
6984125 ????
2886 ??
2767*2878 ??
745 RIL COMMANDS ( NICE ONE )
746 ANOTHER DUMP TOOL ( NICE ONE )
9900 or 0514 SYSDUMP
1111 FTA SW VERSION
2222 or 8888 FTA HW VERSION
301279 or 279301 RRC ( HSPA ) CONTROL
2263 BAND SELECTION
5337632 SOME KIND OF SOUND
0228 BATTERY STATUS
03 NAND FLASH UNIQUE NO.
3214789 GCF MODE ENABLE/DISABLE
6335623 WIFI HIDDEN MENU
NOW FACTORY SETTINGS
06 IMEI
0589 LIGHT SENSOR TEST
80 TOUCH NOISE TEST
251 WAKELOCK ON
250 WAKELOCK OFF
350 REBOOT
5238973 LCD TYPE
4327 HDCP INFO
22235 ACCELEROMETER SENSOR INFO
0782 RCT CLOCK
86824 TOUCH KEY SENSTIVITY
0842 VIBRATION TEST
0673 SPEAKER/HEADPHONE/HEADSET TEST
0289 MELODY TEST
2663 TOUCH FIRMWARE UPDATE
2664 POINTER LOCATION
0588 PROXIMITY TEST
3264 RAM CHECK
7780 MASTER RESET
7769 PROXIMITY SENSOR TEST
87976633 FACTORY RESET
9999*3288 QWERTY COUNTER
767*2878 QWERTY COUNTER RESET
0283 LOOPBACK TEST
7328735824 LOT ID
Click to expand...
Click to collapse
Untested, here; nevertheless - thanks for this info guys!!
Sent from my GT-I9300 using xda premium
This should all work. Didnt had much time to look for other commands, will do in a day or so.
Sent from my GT-I9300 using XDA Premium HD app
Odia said:
No need to program a sim, there is a service code (*#46744674#) which will set your IMSI to 9999..., well it does on the SGS2 anyway.
Click to expand...
Click to collapse
Thanks! Probably very useful, but
1) Is that temporary? (How to get back original after having use this code?)
2) Where is it located? (What App + class files?)
Odia said:
No need to program a sim, there is a service code (*#46744674#) which will set your IMSI to 9999..., well it does on the SGS2 anyway.
Click to expand...
Click to collapse
doesnt work on sgs III
Hi all,
a couple of month ago I build an app with shortcuts for the "secret" dialer codes within the galaxy S2, because I could not remember them all ...This app is special tailored for the galaxy S2, but should work on all SAMSUNG devices with TOUCHWIZ ... Not all codes will work on all devices, but a lot these codes work on other samsung touchwiz devices.
I tested the App with my GS3 and a lot of these codes still working ....
You could also add your own codes and ussd codes to an app internal database ... and some users even uses this database as hidden phone book
Check it out: https://play.google.com/store/apps/details?id=com.widgapp.HiddenFeaturesFREE
(Important: These codes will NOT work on most custom roms, Nexus S, Galaxy Nexus, HTC, Sony, Motorolla etc. ...I´m a little bit annoyed by comments like: Not working on my HTC, Sony, Nexus S, Samsung XYZ with custom rom zyx .... ...without Touchwiz, there is no possibility to use touchwiz firmware functions!)
SAMSUNG GALAXY S3 CODES SECRETS
*#06# Show IMEI number
*#0*# LCD Test Menu
*#*#4636#*#* user statistics and Phone Info
*#0011# Displays status information for the GSM
*#1234# View SW Version PDA, CSC, MODEM
*#12580*369# SW & HW Info
*#197328640# Service Mode
*#0228# ADC Reading
*#32489# (Ciphering Info)
*#232337# Bluetooth Address
*#232331# Bluetooth Test Mode
*#232338# WLAN MAC Address
*#232339# WLAN Test Mode
*#0842# Vibra Motor Test Mode
*#0782# Real Time Clock Test
*#0673# Audio Test Mode
*#0*# General Test Mode
*#2263# RF Band Selection
*#9090# Diagnostic ConfiguratioN
*#7284# USB I2C Mode Control
*#872564# USB Logging Control
*#4238378# GCF Configuration
*#0283# Audio Loopback Control
*#1575# GPS Control Menu
*#3214789650# LBS Test Mode
*#745# RIL Dump Menu
*#746# Debug Dump Menu
*#9900# System Dump Mode
*#44336# Sofware Version Info
*#7780# Factory Reset
*2767*3855# Full Factory Reset
*#0289# Melody Test Mode
*#2663# TSP / TSK firmware update
*#03# NAND Flash S/N
*#0589# Light Sensor Test Mode
*#0588# Proximity Sensor Test Mode
*#273283*255*3282*# Data Create Menu
*#273283*255*663282*# Data Create SD Card
*#3282*727336*# Data Usage Status
*#7594# Remap Shutdown to End Call TSK
*#34971539# Camera Firmware Update
*#526# WLAN Engineering Mode
*#528# WLAN Engineering Mode
*#7412365# Camera Firmware Menu
*#07# Test History
*#3214789# GCF Mode Status
*#272886# Auto Answer Selection
*#8736364# OTA Update Menu
*#301279# HSDPA/HSUPA Control Menu
*#7353# Quick Test Menu
*2767*4387264636# Sellout SMS / PCODE view
*#7465625# View Phone Lock Status
*7465625*638*# Configure Network Lock MCC/MNC
#7465625*638*# Insert Network Lock Keycode
*7465625*782*# Configure Network Lock NSP
#7465625*782*# Insert Partitial Network Lock Keycode
*7465625*77*# Insert Network Lock Keycode SP
#7465625*77*# Insert Operator Lock Keycode
*7465625*27*# Insert Network Lock Keycode NSP/CP
#7465625*27*# Insert Content Provider Keycode
*#272*IMEI# then we will get buyer code (For samsung galaxy sIII csc code)
*#*#7780#*#* Factory data reset - Clears Google-account data, system and program settings and installed programs. system will not be deleted, and OEM programs, as well as My Documents (pictures, music, videos)
ascsa said:
I tested the App with my GS3 and a lot of these codes still working ....
Click to expand...
Click to collapse
Hi! Thanks for your effort, but your post risk confusing people and corrupting this thread, because the red application functions (as shown in your table) only show that your app is not able to use those codes, and not that they do not work with SGS3.
TO ALL:
DO not post new codes here, unless you have either:
a) personally tested the codes on a GT-I9300
b) found and documented references in the source code, that can be independently verified.
Thanks!
Related
need verizon phone key sequence not not computer code. Generic over the phone support instructions that are givin to any one that calls to upgrade a used phone or add a new line. that you manual enter when changing a line to a new phone
something like #623# but i need the exact one customer support gives you when you call to add a new headset.
I will then give you the solution for sprint and nextel
I want to have i700 verizon phone on by midnight so could one of you geniuses help me get the ability to change the pre-programed phone number io did it 2 times for but i have no memory.
I have 30 lines with nextel and i believe we can wrap this issue up for the boys over at the treo academy pocketpcgeeks.com,
I will stick this like candy just need some participation
thank you
<<SAMSUNG>> Samsung sph-n240, n400, a460, a500, etc Nam Programming :
Nam Set: ##Spc
Test Mode: 47*869#1235
Debug Menu: ##33284,ok
Service Menu: Menu+8+0 (#889)
Reset (Life time, Clear Memory, etc): ##786,ok
A-key: ##2539,ok
Label Selection: ##3882,ok
Label(Home, Work, etc) : **523,ok
NGG Setting (Gateway, etc.): ##2769737,ok
Vocoder: ##8626337,ok
CAI Change: ##7738,ok
Enable TTY: ##889,ok
Samsung a530, a610, a620, a660, a670, etc Nam Programming :
Nam Set: Menu, 6, *
Nam Set: ##3238, ok
Nam Set: ##SPC (##000000), ok
Service Menu: Menu, 9, *
Test Mode: 47*68#13580
Test Mode: 47*869#1235
Samsung X, E, V, S-series (korean models), e250, v420, s350, etc Nam Programming :
Nam Set: 6548#0**4#6
Nam Set: 47*869#08#9
Nam Set: 74153697193
Test Mode: 5809540*45680 (88 - EFS reset)
Debug Menu: Menu(hold 2sec)+0, 6725 or 9720 or 1973 or 0415
Debug Menu: Menu+0(hold 2sec), 6725 or 9720 or 1973 or 0415
Debug Menu: Home(top of keypad)+0, 6725 or 9720 or 1973 or 0415
Samsung sch-411, 611, n105, a100, a300, a2000, etc Nam Programming :
Nam Set: 47*869#08#9
Nam Set: Menu+60
Test Mode: *759#813580
Test Mode: 5809540*45680
A-key: Menu+0, 25##
External Audio: Menu+0, ####
Debug Menu: Menu+8, 0415 or Spc
Debug Menu: Menu+9, 0415 or Spc
Brief NAM Programing: Menu+40,626 (not all version)
LCD Contrast: Menu+45 (not all version)
SIO Mode: Menu+49
SIO Mode: Menu+69
Samsung N356 (India version) Nam Programming :
Test Mode: Menu, 5, down arrow, *
Test Mode: **00## (in some flashes)
Samsung i700, etc Nam Programming :
Nam Set: Go to start and select "PHONE" from the drop down menu, dial #83587
Samsung i300, etc Nam Programming :
1. Tap on the Phone Icon with stylus
2. Press #907*9#0 ENTER LOCK should appear on screen
3. Enter OTKSL
4. SVC MENU will appear press 1
5. Enter 10 digit MIN and then press SAVE
6. Press SAVE again
7. Press 3 and then press SAVE 6 times
8. Enter the HOME SID and press SAVE once
9. Press END key twice
TEST MODE COMMANDS:
n105_test_mode.txt
a500_test_mode.txt
a530_test_mode.txt
<<KYOCERA>> Kyocera 2345, 3035, 5135, 6035, Se47, KX, KE - series, etc Nam Programming :
Nam Set: 111111+Jog Dial(Ok)
CAI Change: ##7738,ok
Enable TTY: ##889,ok
Life Timer: ##786,ok
A-key: ##2539,ok
Tips:
On some kyocera handsets the factory service module has not been disabled
and the phone can be programmed without the Spc by inputting:
Nam Set: ##333333 menu (service)
Qualcomm qcp-800 Nam Pogramming :
Nam Set: Menu+3+0+Spc
Field Test: Menu+7+0+Fsc
<<SANYO>> Sanyo 4900, 5150, 5300, 8100, etc Nam Programming :
Nam Set: ##Spc+Ok+Key Down+Ok
Advanced Setup: ##3282+Ok+Key Down+Ok+Msl
A-key: ##2539+Ok+Key Down+Ok
Version: ##**837+Ok+Key Down+Ok
Debug Menu: ##FSC+Ok+Key Down+Ok
Airtime menu: ##8463+Ok+Key Down+Ok
Change CAI: ##7738+Ok+Key Down+Ok
Vocoder: ##8626337+Ok+Key Down+Ok
Reverse Logistic: ##786+Ok+Key Down+Ok
Set IP Address: ##2769737+Ok+Key Down+Ok
TTY On/Off: ##889+Ok+Key Down+Ok
Ready Link: ##4636+Ok+Key Down+Ok
Browser Init On/Off: ##4682+Ok+Key Down+Ok
Picture Token: ##25327+Ok+Key Down+Ok
Unknown Code: ##5282277+Ok+Key Down+Ok
(SPC=000000, FSC=040793)
Sanyo scp-A011, smp-A017, etc Nam Programming :
Nam Set: F9(3 beep) + 0*72696#767
<<AUDIOVOX / UTSTARCOM>> Audiovox 4000, 9000, 9100, 9155, 9500, etc Nam Programming :
Power the phone ON and wait until the little light on top goes out, then press:
Nam Set: 289,Fcn, #,1
Service menu: Fcn,0,0, FSC
Power the phone ON and press:
Test Mode: Hold (2,*,Rcl) + Power
Test Mode Commands:
99 - download - flash phone
124 - inam data write
125 - version
126 - get ESN
127 - get SPC
128 - get User lock
129 - is WFTV data write
137 - get FSC code
138 - NPcode (nam program code)
139 - dscode
141 - restart
218 - Read_Addr
000 - is cdma mode
001 - is fm mode
002 - is pcs mode
008 - is reg read addr
020 - is lna_range
Audiovox (Hyundai) cdm-100, 130, 135, 8300, 8500, 8600, etc Nam Programming :
Nam Set: ##20022002, end
Read user lock: #5625*, end
DM baud rate: ##2283, end
DM mode enable: **1004, end
DS mode enable: **1005, end
Misc. Test: ##27752345, end
S/W Test1: ##27732726, end
S/W Test2: ##2240, end
Debug screen: ##2773, end
Clear MRU: ##6782, end
Rfnu_Contents: ##2250, end
?????: ##1133, end
?????: ##1144, end
P_Rev: ##7738, end
GPS Test: ##4771, end
A-Key: 2538**
SMS Eng: ##767364, end
Battery_adc: ##2768, end
Tests: ##1122, end
Audiovox 8610, 8910, etc Nam programming :
Name Set: ##847446, end, 111111
Audiovox pcx-3500xl Nam Programming :
Nam Set: ##2726+Send+1998+1+Spc+1
Audiovox-107 Nam Programming :
Nam Set: 45680*47*869#1
Audiovox CMP-3 Nam Programming :
Nam Set: 45680*47*869#1
Dm Mode: Menu, 6, 6
Audiovox 9950 Nam Programming :
Nam Set: ##3282
Audiovox Z800 (Audiovox 7900, Sharp) Nam Programming :
Nam Set: m + # + envelope key + * + 1
Audiovox Thera (Toshiba 2032) Nam Programming :
Thera Nam Programming User Manual - nam_thera.pdf
Audiovox (UTStarcom) PPC 6600, 6700, etc Nam Programming :
Nam Set: ##SPC + Send
Nam Set: #*#SPC + Send
Nam Set: ##SPC#
DM mode: ##3424 + Send
DM mode: #*#3424 + Send
DM mode: ##3424#
Programming User Manual - programming_instructions.pdf
<<MOTOROLA>> Motorola 7760, 7860, 2260, 8160, etc Nam Programming :
Nam Set: Fcn,0000000000000, Rcl
Nam Set: 74663#, Fcn, Fcn
Test Mode: Fcn, 00**83786633, Sto
Motorola v60c, v120c etc Nam Programming :
Nam Set: 74663#, Menu, Menu, Spc
Nam Set: Menu, 073887, * (type quickly)
Test Mode: Menu, 073887*, Spc
Debug Mode: ##33284
Force the phone into DIGITAL ONLY mode:
1) ##33284 (Debug)
2) RIGHT Softkey (Next) Twice
3) Down arrow 10 times to "PrefMod"
4) RIGHT Softkey (Change) until you see "DigOnly"
5) LEFT softkey (Exit)
6) MENU then LEFT Softkey return to idle screen
7) ##33284 (The last 4 will not display if you have done it correctly)
Motorola Razr V3C Nam Programming:
Nam Set: 74663 # clr clr
Nam Set: #073887* , then SPC
Motorola Q Nam Programming:
Nam Set: [Send] + 074663 + [Send] + [Send], Selecct NAM#
Motorola t182, c210, etc Nam Programming :
Nam Set: ##298645665, end
Short Nam: ##073887, sto
Debug Menu: ##1111, end
Service Menu: ##2222, end
Sound NS/EC on/off switch: ##1113, end
Motorola v710, v730, v740, ms150, etc Nam Programming :
Nam Set: 8378*# + press 3 times NATE (spc - 071082)
Test Mode: Menu, 073887*, Spc
Service Menu: #758353266#646#
Motorola StarTac 2004 Nam Programming :
Nam Set: 5759789*#, press "Rec" button 3 times, (spc - 915037)
Motorola ms200, ms400, ms800, etc Nam Programming :
Nam Set: 5759789*#, press "Camera" button 3 times, (spc - 915037)
Nam Set: 246791538*#, press "Camera" button 3 times, (spc - 915037)
Motorola v6060 Nam Programming :
Nam Set:147*369#456*0#
MOTOROLA TEST MODE :
v60, c120, c331, etc:
1) Turn on the phone. Press MENU 0 7 3 8 8 7 *
2) The phone will require you to "Enter a Security Code", press 000000, OK
3) Scroll down to "Test mode" choose SELECT. Scroll down to "Enable"
choose SELECT. Your phone is now in test mode.
4) Signal strength is the 3_rd number down on the left hand side of the screen.
5) To toggle between regular mode and test mode: Press MODE then
quickly press the BUTTON DIRECTLY TO THE LEFT OF MENU.
6) To turn off the test mode the phone must be in regular mode, then follow
the above sequence and scroll down to where it says "DISABLE" instead of
"ENABLE" and choose select.
Motorola Bible (old models) - bible.txt
<<NOKIA>> Nokia 3280, 3285, 3580, 3585, 5185, 6185, 8280, etc Nam Programming :
Nam Set: *3001#12345#
Software Version: *#837#
Software Version: *#9999#
Esn Number: *#92772689#
Restart Phone: *#75681#
Restart Phone: *#75682#
Nokia 8887 Nam Programming :
Nam Set: *3001#12345#
Version: *#0000#
Evrc: *#8378#
Esn/Data/Timer: *#92772689#
SID: *#743#
Nokia 8587 Nam Programming :
Nam Set: *#626#7764726#
A-Key: #8159357022#4579# (26 digits)
A-Key: #8159357022#4547# (20 digits)
Version: *#0000#
Version: *#837#
Vocoder: *#3872#
Change language: Menu 5, 3, 1
Change DM mode: *#7678#
Debug Screen: *#8378#
Debug: *#8380#
Field Test Menu: *#83788#
SPC Unlock, Factory Reset :
Full Factory Reset: *#7370#
Resets all settings including non-user changeable items (like SPC)
NOKIA TEST MODE:
51xx, 61xx, 71xx, 3285, 63xx, etc :
1) Turn on the phone. Press *3001#12345#
2) Scroll up to where it says "Field Test" and choose SELECT
3) Highlight "Enable" and choose OK. Turn the phone off then back on.
4) If the test mode screen does not show up press MENU and scroll
down to "Field Test" choose SELECT. Press 0 1 then choose OK.
5) Lower left or upper left number is the signal strength.
6) To turn off the test mode press MENU and scroll down to where it says
"Field Test" choose SELECT. Press 0 0 and then choose OK.
3360, 6360, etc :
1) Turn on the phone. Press *3001#12345#
2) Scroll up to where it says "Field Test" and choose SELECT
3) Highlight "Enable" and choose OK. Turn the phone off then back on.
4) If the test mode screen does not show up press MENU and scroll
down to "Field Test" choose SELECT. Press 2 1 0 1 then choose OK.
5) Lower left or upper left number is the signal strength.
6) To turn off the test mode press MENU and scroll down to where it says
"Field Test" choose SELECT. Press 2 1 0 0 and then choose OK.
<<LG>> Lg LX,VX-series, VX4400, VX6000, etc Nam Programming :
Nam Set: ##Spc(#)
Nam Set: Menu, 0
Advanced Settings: ##2342(#)
Vocoder: ##8626337,ok(#)
CAI Change: ##7738,ok(#)
Enable TTY: ##889,ok(#)
A-key: ##2539,ok(#)
Reset (Life time, Clear Memory, etc): ##786,ok(#)
lgc-300, etc Nam Programming :
Nam Set: Menu, 9, Spc
A-key: Press "Sto" 3sec, 2539**
lgc-330w, etc Nam Programming :
Nam Set: Menu, 4, 0, Spc
A-key: 2539**
lgc-510, v111, etc Nam Programming :
Nam Set: Menu, 3, 0, Spc
A-key: 2539**
lgc-500, 800w, etc Nam Programming :
Nam Set: Menu, 9 , 0, Spc
Debug Mode: Menu, 7, 0, Fsc
Debug Mode: Menu, 8, 0, Fsc
A-key: 2539**
<<ERICSSON / SONY-ERICSSON>> SonyEricsson T608, etc Nam Programming :
Nam Set: 923885, joystick >, 111111
Nam Set shot: 987, joystick >, 111111
Nam Set long: 222652, joystick >, 111111
Vocoder: ##8626337, joystick >, 111111
Debug screen: ##33284, joystick >
Life Timer: ##786, joystick >
SW ver: 9#4#3#, joystick >
Edit Profile: ##3282, joystick >
Service menu: *#06*
Ericsson A1228c, T61, etc Nam Programming :
Short NAM: 987+Menu
Long NAM: 923885+Menu+Spc
CDMA Mode: 904093+Menu
Analog Mode: 904095+Menu
QNC: 904097+Menu
Debug Screen: 904090+Menu
DM Mode: 904050+Menu
<<EPSILON / COMPAL>> Epsilon vc-5x, Compal 1100, etc Nam Programming :
Nam Set:: **321456987##
Short Nam: **147258963##
Service Menu 1: **1232580##
Service Menu 2: **078987##
Service Menu 3: **1234756##
Show SPC: **3214569871472365##
Version: **1470963##
Debug: **000000##
A-key: 2539**
Reset: **14789##
<<SK TELETECH>> Sky All Models Nam Programming :
Nam Set: #7583538324#626#
Nam Set: *759#364*7388464#
Min simple mode: #758353266#646#
Irm simple mode #758353266#476#
Voice memo: #8767#277#
Test Mode: #7583538324#8378#
A-key: #758353266#2539#
Service Menu: Menu+4+0+Spc
Service Menu: Menu+5+0+Spc
<<WITHUS / MODOTTEL>> Withus wce-100, 200, 300, etc Nam Programming :
Nam Set: ##948487+Save
Nam Set: ##948482+Save
ESN write: ##66835+Save (wce200 only)
SMS Settings: ##76766
NVM Rebuild: ##777464
<<GTRAN>> Gtran gcp-2000 Nam Programming :
Nam Set: 01#737+Spc
Debug Menu: 01#324+Spc
Debug Mode: 01#727
Test Mode: 01#764+Spc
System Test Mode: 01#768+Spc
Gtran gcp-5000 Nam Programming :
Debug Mode: 01#727+Spc
Test Mode: 01#765
<<HYUNDAI>> Hyundai hwp-110 Nam Programming :
Nam Set: #86904**89397#
DM Mode: ##2740*
(Open phone, inter code, close phone)
Hyundai hgc-120, 130, 200 Nam Programming :
Nam Set: #86904**89397#
Hyundai hgc-310, 600, 610 Nam Programming :
Nam Set: ##20022002, end, 1, Spc Code
Field Test: ##20022002, end, 1, Master Code
Hyundai Curitel h100, 150, hx510b, 520, etc Nam Programming :
Nam Set: ##20022002, end, 1, Spc Code
Field Test: ##20022002, end, 1, Master Code
A-key: 2539**
Debug Menu: ##27732726, end
Sar Test: ##27752345, end
Baud Rate: ##36**, end
DM mode enable: **1004, end
DS mode enable: **1005, end
Test Bell/Voice/Led/Dot: ##1122, end
RF Mode: ##2240, end
Ras Ram: ##2774, end
Cmux1: **0481, end
Cmux2: **0482, end
RX Mode Fax: **0492, end
RX Mode Data: **0491, end
RX Mode Reset: **0490, end
<<HUAWEI>> Huawei ETS-668, 678, 688, etc Nam Programming :
Debug Mode: ##44+Menu
Debug Screen: ##33+Menu
CDG2 Test enable: ##234+Menu
CDG2 Test disable: ##432+Menu
China Lang Select: ##123+Menu
Blocking Debug Code: ###888+Menu
Home System Only On: ##461+Menu
Home System Only Off: ##460+Menu
Master Code for all Huawei models is - 309296
<<PANTECH / CURITEL>> Pantech hx-525b, 550, 570, 575, etc Nam Programming:
Nam Set: ##13*92*#62* + Pwr
Debug Mode: ##*193*762534#* + Pwr (R-UIM mode disable)
Debug Mode: ##27732726 (R-UIM mode enable)
DM Mode Enable: ***18*#826*
Full Reset: ##03*934#9367*192#397#7412569746 + Pwr
MultiTest: ##22635*262* + Pwr
Cmux1: ***12*#811# + Pwr
Cmux1: ***37*#922* + Pwr
RX Mode Data: ***83*#247 + Pwr
RX Mode Reset: ***64*#133# + Pwr
DS Mode On: ***12045#*# + Pwr
RF NV Init: ##0*#*63861829372# + Pwr
RAS_RAM: ##3*13091#1279#* + Pwr
<<TREO>> Palm One Treo 600, 650, 700, etc Nam Programming :
Nam Set: ##SPC + Send
Nam Set: #*#SPC + Send
Nam Set: ##SPC#
DM mode: ##3424 + Send
DM mode: #*#3424 + Send
DM mode: ##3424#
Debug: ##33284
Programming User Manual - programming_instructions.pdf
Resetting Treo - resetting_treo650.doc
<<AXESSTEL>> P800, T800, P1900, T1900, etc Nam Programming :
Nam Set: 47*68#47*869#
DM mode: ##9* + Send
Data cable select: menu + 7 + 1 + #
Data Manager: **##11
Data (Internet): **##13
Data USB: **##32
<<VK MOBILE>> VK-100C, 110C, 200C, etc Nam Programming :
Nam Set: 153147539741593
Test Mode: 153147539123258 (88 - clear efs)
<<GIGA TELECOM>> Z510, Z710i(gcd-456) Nam Programming :
Nam Set: Menu+0+Spc
<<AnyDATA>> AMC450 Nam Programming :
Nam Set: *74269#*748#96148063+SEL
<<ZTE>> ZTE C150, C160, C170, C180, C220, etc Nam Programming:
Nam Set: *983*3641# (R-UIM mode)
Nam Set: #1463*389*
ZTE C201 Nam Programming:
Nam Set: *983*7358#
<<UBIQUAM>> U100, U105, U200, U300, etc Nam Programming :
Nam Set: ##3435871
BREW Set Menu: ##8242739
System Test: ##33582
Handset Test: ##3435873
Handset Test: ##3435875
Factory Test Mode: ##3435874
<<SYNERTEK>> Synertek S200 Nam Programming :
Nam Set: Menu+0+Spc
A-Key: 2539**+Save
Test vibro/rx/tx: ##5555+Save
Debug Screen: ##33+Save
Debug Screen: ##523+Save
RF Test: ####+Save
LCD type: ##325+Save
Synertek S500 Nam Programming :
SAR Test Strife test: *#0000#
Debug screen: *#8378#
Clear LCD: *#848378#
Debug menu: *#443336# (R-UIM mode)
CDG , Service option: *#234#
Function Test, LCD Contrast: *#878#
<<SONY>> Sony CM-M1300, 3300, Z200 Nam Programming :
Nam Set: 111111+Ok(Jog Dial)+Select+Programming+Ok+Spc
Hi there,
maybe not a XDA specific Question but maybe s.o. could still help me.
I've got a SIEMENS emem ES75 GSM Modem wich I wanted to use as a SMS receiver for my Party next month (receive sms and project them onto a wall )
But I have some trouble controlling it using the AT-Commandset.
For example: the AT+GMM Command which should give me the name of the Manufacturer) Sometimes AT+ Commands are working, sometimes not.
As it works, I printed out the current settings using AT&V:
Code:
ACTIVE PROFILE:
E0 Q0 V1 X4 &C1 &D2 &S0 \Q0 \V1
S0:000 S3:013 S4:010 S5:008 S6:000 S7:060 S8:000 S10:002 S18:000
+CR: 0
+CRC: 0
+CMGF: 1
+CSDH: 0
+CNMI: 0,0,0,0,1
+ICF: 3
+IFC: 0,0
+ILRR: 0
+IPR: 115200
+CMEE: 0
^SMGO: 0,0
+CSMS: 0,1,1,1
^SACM: 0,"000000","FFFFFF"
^SLCC: 0
^SCKS: 0,1
^SSET: 0
+CREG: 0,1
+CLIP: 0,2
+CAOC: 0
+COPS: "T-MOBILE D"
+CGSMS: 3
Remember: it says "CURRENT PROFILE"
Then I used the AT&V Command when it did not work:
Code:
Current Settings............
E0 H0 Q0 V1
&C0 &D0 &P1 &R0 &S0
S00=000 S01=000 S02=043 S03=013 S04=010 S05=008 S06=000 S07=030
S08=000 S09=000 S10=000 S11=000 S12=050 S13=000 S14=000 S15=000
S16=000 S17=000 S18=000 S19=000 S20=000 S21=000 S22=000 S23=000
S24=000 S25=005 S26=001 S27=000 S28=000 S29=000 S30=000 S31=000
S32=000 S33=001 S34=000 S35=000 S36=000
#0 :
#1 :
#2 :
#3 :
#4 :
#5 :
#6 :
#7 :
#8 :
#9 :
Why does it output the "CURRENT SETTING" instead of the "CURRENT PROFILE"? And why can't I read the SMS? With this Setting it does not accept most of the AT+(..) commands. (AT+GMM, ...)
I sniffed the serial port communication from working applications and used the same commands and init-strings, but nothing
Any advice?
Nothing?
Hello,
I am using a Galaxy S4 with an S View Cover. This cover has a magnet in it, which the phone uses to "know" if it is closed or open. It also has a little window in it.
All AOSP Roms except the Google Edition Roms for the Galaxy S4 don't support the S View Cover.
So I thought to myself, I should make something that makes the S View Cover useful on AOSP roms. Preferably an App which can be installed on any AOSP rom. So I poked around and found out that I can find out the state of the cover (i.e. open/closed) by using the getevent command inside of an adb shell.
The exact command that gives me the state of the cover is getevent /dev/input/event18
which gives me the events of the device "gpio_keys".
When I close the cover it returns the following numbers:
0005 0015 00000000
0000 0000 00000000
When I open the cover it returns this:
0005 0015 00000001
0000 0000 00000000
So what I need is the last number of the first line. I tried limiting the output of getevent with grep, but I've never used it before and I wasn't successful.
My programming abilities are very limited, especially when it comes to object oriented stuff like java. At work we use ABAP (a programming language for SAP ERP systems) and most of what we do doesn't require any understanding of objects. I already found some stuff that would allow me to run shell commands, but I can't get it working:
Code:
Log.v("MyApp", "Started");
String myStringArray[]= {"getevent","/dev/input/event18"};
String line;
try {
Process process = Runtime.getRuntime().exec(myStringArray);
InputStreamReader inputstreamreader = new InputStreamReader(process.getInputStream());
BufferedReader bufferedReader = new BufferedReader(inputstreamreader);
bufferedReader.read();
while ((line = bufferedReader.readLine()) != null) {
Log.v("MyApp", line);
}
InputStreamReader errstreamreader = new InputStreamReader(process.getErrorStream());
BufferedReader errReader = new BufferedReader(errstreamreader);
errReader.read();
while ((line = errReader.readLine()) != null) {
Log.v("MyApp", line);
}
} catch(java.io.IOException e){
}
Log.v("MyApp", "Finished");
This code produces an error message:
V/MyApp ( 6090): ould not open /dev/input/event18, Permission denied
When I use getevent in the adb shell it works without super user permissions (root). What permissions do I need to get this working?
I'm a beginner and I don't really understand android permissions.
Hmm.. I guess you'll need super user permissions to do something like that.
Try reading the following link: http://stackoverflow.com/questions/7707889/android-system-permissions-through-root
Hope it gives you some pointers in the right direction
If you need proper root support, use roottools. root in java is a pain in the ass, root tools fixes it
http://code.google.com/p/roottools/downloads/list
and i think there is some sysfs interface for this as well.
this is my output btw
Code:
add device 1: /dev/input/event19
name: "sec_touchkey"
add device 2: /dev/input/event2
name: "max77693-muic"
add device 3: /dev/input/event0
name: "pmic8xxx_pwrkey"
add device 4: /dev/input/event17
name: "apq8064-tabla-snd-card Headset Jack"
add device 5: /dev/input/event16
name: "apq8064-tabla-snd-card Button Jack"
add device 6: /dev/input/event18
name: "gpio-keys"
add device 7: /dev/input/event15
name: "ssp_context"
add device 8: /dev/input/event14
name: "step_cnt_sensor"
add device 9: /dev/input/event13
name: "step_det_sensor"
add device 10: /dev/input/event12
name: "sig_motion_sensor"
add device 11: /dev/input/event11
name: "geomagnetic_sensor"
add device 12: /dev/input/event10
name: "temp_humidity_sensor"
add device 13: /dev/input/event9
name: "proximity_sensor"
add device 14: /dev/input/event8
name: "light_sensor"
add device 15: /dev/input/event7
name: "gesture_sensor"
add device 16: /dev/input/event6
name: "pressure_sensor"
add device 17: /dev/input/event5
name: "gyro_sensor"
add device 18: /dev/input/event4
name: "accelerometer_sensor"
add device 19: /dev/input/event1
name: "sii8240_rcp"
could not get driver version for /dev/input/mice, Not a typewriter
add device 20: /dev/input/event3
name: "sec_touchscreen"
and then 4 and 8 gets spammed.
btw also set permissions to 666 when you want to read a file from an app
Can you guys please explain how to parse and understand what the values from this command returns:
Code:
getevent /dev/input/event0
?
I wish to just get the coordinate of the touch event.
From my understanding, even using "event0" isn't safe, as it could be something else that's the touchscreen. Is there anyway to get the correct one?
Every time Samsung releases a new series of phones, they try to make
it just a little harder for us to find and enter the Service Mode (SM)
menus. Understandably the Service Mode menus allow you to access
functions on your phone directly related to its operation, from
selecting particular service providers, unlocking your SIM card,
changing default networks, bands and destroying your internal
non-volatile (NV) memory, that contain all your IMEI, RF, EFS
parameters, and to make a complete factory wipe and reset.
So this is not to play around with, randomly!
You have been warned.
On the other hand, it also provides extremely useful detailed
information about your mobile network, including all radio related
systems like GPS, WiFi, BlueTooth and NFC. Most of this information
is not available through the usual AOS Java API, and probably will
never be, as vendors consider this area as off-limits to users and
amateur developers.
Note:
All this info was obtained on a European
Samsung Galaxy S4-mini (GT-I9195 LTE)
But reported to work also on:
Samsung Galaxy S5 on US Cellular (SM-G900R4)
Code:
[SIZE=2]Baseband: I9195XXUBML4 [/SIZE]
[SIZE=2]Kernel: 3.4.0-2340422 [/SIZE]
[SIZE=2] [email protected] #1 [/SIZE]
[SIZE=2]Build: JDQ39.I9195XXUBML4 [/SIZE]
[SIZE=2]SE: SEPF_GT-I9195_4.2.2_0022[/SIZE]
Getting into Service Mode (SM)
On this particular model, you have to do this:
Go to dial pad and enter: *#0011#
This will initially take you to Service Mode and showing you
various signal status items, by default. But it's a locked
entry. So to unlock and go to the Main Menu do this:==> [MENU] + [Back]
==> [MENU] + [Key Input] + "Q0"
==> <wait ~5-10 seconds>Now you can hit the thank you button below!
I have not seen this solution anywhere else, and
it required some reversing...
Understading the ServiceMode Menu
<WIP>
This will take some time to investigate, so anyone
who already knows, please post in this thread.
The ServiceMode Menu Structure (brief)
Go to Post#2 for formatted menu structure and items.
Code:
[SIZE=2]MAIN MENU[/SIZE]
[SIZE=2][1] UMTS [/SIZE]
[SIZE=2][2] CDMA [/SIZE]
[SIZE=2][3] LTE [/SIZE]
[SIZE=2][4] SIM- Not Used. --> <E>[/SIZE]
[SIZE=2][5] DOCOMO DEBUG SCREEN [/SIZE]
[SIZE=2][6] run EFS SYNC() [/SIZE]
[SIZE=2][7] DEBUG SCREEN [/SIZE]
Some Important Codes
9900 SysDump
This is an important hidden code is that for making a wide range
of system dumps and changing many unknown logging functions.
This will give you a list of the following functions:
Code:
[SIZE=2]Menu Item Setting Description[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]
[SIZE=2]Run dumpstate/logcat/modem log - logcat -v threadtime -b radio -d -f /data/log/radio_*.log[/SIZE]
[SIZE=2]Delete dumpstate/logcat [/SIZE]
[SIZE=2]Run dumpstate/logcat [/SIZE]
[SIZE=2]Copy Kernel Log to SD card [/SIZE]
[SIZE=2]Run CP based log [/SIZE]
[SIZE=2]Run Forced CP crash dump [/SIZE]
[SIZE=2]Copy to sdcard (include CP Ramdump) [/SIZE]
[SIZE=2]Debug Level Disabled/LOW - Change debug level [LOW/MID/HIGH][/SIZE]
[SIZE=2]CP Debugging Popup UI: Disabled [/SIZE]
[SIZE=2]Silent Log: Off dev.silentlog.on=(On,Off)[/SIZE]
[SIZE=2]Translation Assistant: Off persist.translation.assistant=(0,1)[/SIZE]
[SIZE=2]Low battery dump: Off [/SIZE]
[SIZE=2]Wakelock Monitoring: OFF [/SIZE]
[SIZE=2]TCP DUMP START ro.product_ship=(true,false) lucky_ril*.log[/SIZE]
[SIZE=2]Enable SecLog (currently disabled) persist.log.seclevel=(0,1)[/SIZE]
[SIZE=2]MTT Logging Setting: OFF persist.brcm.log=(sdcard,none) [Broadcom][/SIZE]
[SIZE=2]ACT data copy [/SIZE]
[SIZE=2]Exit [/SIZE]
9090 DIAG CONFIG
This is also important for changing the internal MUX used for
diagnostic debug output, to/from USB and UART.
Code:
[SIZE=2]DIAG CONFIG[/SIZE]
[SIZE=2][1] USB ( )[/SIZE]
[SIZE=2][2] UART (*)[/SIZE]
[SIZE=2][3] DBG MSG ON (*)[/SIZE]
[SIZE=2][4] DBG MSG OFF ( )[/SIZE]
Basically if you wanna use UART output, you will probably need
to build the MyWay box or use the correct resistance between
the USB ID and GND pins. (See my AnyWay thread.)
0808 USB Settings
This is by far the most important code to know, because it is used to determine,
what drivers are enumerated when connecting your phone to PC via USB cable.
Technically it is a multiplexer (MUX) switch which determine whether the USB
port is directly connected to the CP (Cellular/baseband Processor/modem),
or the AP (Application Processor). This also selects what device features will be
enabled once connected. Such as ADB, RNDIS, and DM (Diagnostic Mode) etc.
To change the mux settings on a Samsung S4/mini, use your dialpad
to get to the "USBSettings" menu, like this:
For AOS <= 4.2.2, without SELinux, use *#7284# or *#3424#.
For AOS >= 4.2.2, with SELinux, use *#0808#.
Code:
[SIZE=2]USB
( ) CP
( ) AP
USB Settings
( ) MTP
( ) MTP + ADB
( ) PTP
(o) PTP + ADB
( ) RNDIS + DM + MODEM
( ) RMNET + DM + MODEM
( ) DM + MODEM + ADB
[OK] [Reboot]
[/SIZE]
A few other service/secret codes
Similarly to my GT-I9300 "Secret Codes" thread, we find many of the
same codes present also in this phone. Do check that thread out, for
understanding how to find more codes relevant for your phone and AOS
version. Also note that most custom ROMs does not support all these,
as they are usually left out or forgotten about, since they are
vendor/modem specific.
Here I show only the most interesting & useful ones, and I have also
used the excellent website PhoneSpell to try to find sensible word
combinations for some of these numbers.
Now, many of these seem not to work at all, but they are present in
the ServiceMode application(s) code and rely on various other
properties being set before being available/activated. Another
type of block is is determined by the content of the EFS files:
/efs/FactoryApp/keystr
/efs/carrier/HiddenMenu
These can be set on a rooted phone by:
Code:
echo -n "OFF" > /efs/FactoryApp/keystr
echo -n "ON" >/efs/carrier/HiddenMenu
echo -n "ON" >/efs/FactoryApp/factorymode
(Somebody need to confirm the KeyString block boolean!)
Here is list of some particularly interesting properties that often
seem involved in blocking/enabling particular ServiceMenu
items/features.
Code:
[SIZE=2]property value/note[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]
[SIZE=2]ril.tcpdumping=On [On,Off][/SIZE]
[SIZE=2]ril.OTPAuth=true OTP Authentication key is 6 random digits long[/SIZE]
[SIZE=2]ro.build.type=eng [eng, user]][/SIZE]
[SIZE=2]ro.cp_debug_level= [0x5500,0x55FF] [/SIZE]
[SIZE=2]ro.csc.sales_code=CHM [NONE, <many otehrs> ][/SIZE]
[SIZE=2]ro.csc.country_code= [KOREA, Unknown, ...] KOREA allows extra menu item: "IMS"[/SIZE]
[SIZE=2]ro.product_ship=false [true,false][/SIZE]
[SIZE=2]ro.product.model= [/SIZE]
[SIZE=2]ro.factorytest=1
dev.silentlog.on= [0,1][/SIZE]
[SIZE=2]persist.radio.lteon=true [true,false][/SIZE]
And here are some of the codes:
Code:
[SIZE=2]code mnemonic description[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]
[SIZE=2]06 - IMEI[/SIZE]
[SIZE=2]00112 [/SIZE]
[SIZE=2]0228 0BAT Battery status (ADC, RSSI reading)[/SIZE]
[SIZE=2]0514 - [/SIZE]
[SIZE=2]0599 -[/SIZE]
[SIZE=2]1234 - FW Versions for AP,CP,CSC[/SIZE]
[SIZE=2]123456 -[/SIZE]
[SIZE=2]1575 - GPS test[/SIZE]
[SIZE=2]1111 - FTA SW Version [/SIZE]
[SIZE=2]2222 - FTA FW Version[/SIZE]
[SIZE=2]8888 - [/SIZE]
[SIZE=2]9090 - USB/UART MUX debug switch[/SIZE]
[SIZE=2]99007788 - [/SIZE]
[SIZE=2]197328640 - Service Mode[/SIZE]
[SIZE=2]22558463 CALLTIME Reset Total Call Time[/SIZE]
[SIZE=2]2263 BAND [/SIZE]
[SIZE=2]2580 <mid-col> [/SIZE]
[SIZE=2]268435456 ANTIFKILO "antenna IF kilo?? serviceModeApp_FB.apk / FTATDumpReceiver.class[/SIZE]
[SIZE=2]27663368378 CPMODEMTEST [/SIZE]
[SIZE=2]2767*2878 APOS*CUST Current firmware with factory default settings[/SIZE]
[SIZE=2]301279||279301 - [/SIZE]
[SIZE=2]3214789650 - Start Angry GPS Build.TYPE != "user"[/SIZE]
[SIZE=2]32489 - Ciphering Info[/SIZE]
[SIZE=2]4238378 ICE/GCFTEST GCF Settings?[/SIZE]
[SIZE=2]4387264636 GETRAMINFO [/SIZE]
[SIZE=2]58366 LTEON set persist.radio.lteon=true[/SIZE]
[SIZE=2]6201 - [/SIZE]
[SIZE=2]638732 NETSEC Build.TYPE != "user"[/SIZE]
[SIZE=2]66336 MODEM CP Ram Dump (On/Off) ro.cp_debug_level=[0x5500,0x55FF][/SIZE]
[SIZE=2]6984125* MYTH1A5? ? [/SIZE]
[SIZE=2]7284 PATH Set USB/UART path [/SIZE]
[SIZE=2]738767633 SETSOSOFF Turn OFF SOS*[/SIZE]
[SIZE=2]73876766 SETSOSON Turn ON SOS*[/SIZE]
[SIZE=2]7387677763 SETSOSPROF Set SOS* profile[/SIZE]
[SIZE=2]7387678378 SETSOSTEST Set SOS* test[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]
[SIZE=2]* SOS = Sell Out SMS[/SIZE]
[SIZE=2]<> = some kind of keypad pattern[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]
In addition to these numerical codes, there are also few alphanumeric ones.
These can be used from the command-line with the "am" command, like this:
Code:
[SIZE=2]am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://CP_RAMDUMP[/SIZE]
This might also work when already in ServiceMode, by entering the string
after selecting "Key Input" or "Select", from menu. (I have not checked.)
Code:
[SIZE=2]LTE_ANT_PATH_NORMAL[/SIZE]
[SIZE=2]CP_RAMDUMP[/SIZE]
[SIZE=2]DUMP_SVCIPC[/SIZE]
[SIZE=2]DEBUG_SCR[/SIZE]
[SIZE=2]EI_DEBUG_SCR[/SIZE]
[SIZE=2]DATA_ADV[/SIZE]
[SIZE=2]NAMBASIC[/SIZE]
[SIZE=2]TESTMODE[/SIZE]
[SIZE=2]NAMSIMPLE[/SIZE]
[SIZE=2]TEST_CALL[/SIZE]
The Samsung Diagnostics Menu
One special secret code is that of the Samsung Dignostic
Test Menu. This particular menu exsists on pretty much all
Android based Samsung phones. (AFAIK) The code is simply:
*#0*#
It provides for testing things like the Screen, Sound, Vibrator,
all the sensors and more. One one the cooler features for phones
that include an IR transmitter, is that you can use it on most
modern Samsung TV's as a remote control. Thus even easier to use
than any of Samsung's own Remote Control Apps, which are often
bloated and containing spyware.
The available test items you will find on this particular model are:
Code:
[SIZE=2][Red] - screen pixel test[/SIZE]
[SIZE=2][Green] - screen pixel test[/SIZE]
[SIZE=2][Blue] - screen pixel test[/SIZE]
[SIZE=2][Receiver] - (Ear) Receiver test[/SIZE]
[SIZE=2][Vibration] -[/SIZE]
[SIZE=2][Dimming] -[/SIZE]
[SIZE=2][Mega cam] -[/SIZE]
[SIZE=2][Sensor] -[/SIZE]
[SIZE=2][Touch] -[/SIZE]
[SIZE=2][Sleep] - sleep mode (power button) test[/SIZE]
[SIZE=2][Speaker] - listen![/SIZE]
[SIZE=2][Sub key] - testing keys [/SIZE]
[SIZE=2][Front cam] - [/SIZE]
[SIZE=2][IR LED] - Samsung TV compatible IR remote control[/SIZE]
[SIZE=2][LOW FREQUENCY] - Listen 100/200/300 Hz[/SIZE]
[SIZE=2][Black] - screen darkness test[/SIZE]
For other S4 models, check this YouTube video:
"Galaxy S4 Diagnostics Menu *#0*#"
For the S3 GT-I9300 check out the thread:
[REF][INFO][R&D] "Secret Codes" and other hidden features
The ServiceMode Menu Structure
This is really <WIP> as I don't have time to manually type in every damn menu
item for everyone else. So if you wanna help out filling in the blanks, please post
and I'll eventually add it here.
Code:
[SIZE=2]MAIN MENU[/SIZE]
[SIZE=2] [1] UMTS [/SIZE]
[SIZE=2] [2] CDMA [/SIZE]
[SIZE=2] [3] LTE [/SIZE]
[SIZE=2] [4] SIM- Not Used. --> <E>[/SIZE]
[SIZE=2] [5] DOCOMO DEBUG SCREEN [/SIZE]
[SIZE=2] [6] run EFS SYNC() [/SIZE]
[SIZE=2] [7] DEBUG SCREEN [/SIZE]
[SIZE=2] ---------------------------------------------------------------------[/SIZE]
[SIZE=2] [1] UMTS MAIN MENU[/SIZE]
[SIZE=2] [1] DEBUG SCREEN[/SIZE]
[SIZE=2] [2] VERSION INFORMATION[/SIZE]
[SIZE=2] [3] UMTS RF NV[/SIZE]
[SIZE=2] [4] GSM RF NV[/SIZE]
[SIZE=2] [5] AUDIO[/SIZE]
[SIZE=2] [6] COMMON[/SIZE]
[SIZE=2] [7] LTE BAND CONFIG CHECK[/SIZE]
[SIZE=2] [1] DEBUG SCREEN[/SIZE]
[SIZE=2] [1] BASIC INFORMATION[/SIZE]
[SIZE=2] [2] NAS INFORMATION[/SIZE]
[SIZE=2] [3] AS INFORMATION[/SIZE]
[SIZE=2] [4] NEIGHBOUR CELL[/SIZE]
[SIZE=2] [5] GPRS INFORMATION[/SIZE]
[SIZE=2] [6] SIM INFORMATION[/SIZE]
[SIZE=2] [7] HANDOVER[/SIZE]
[SIZE=2] [8] PHONE CONTROL[/SIZE]
[SIZE=2] [9] ANTENNA/ADC[/SIZE]
[SIZE=2] [2] VERSION INFORMATION[/SIZE]
[SIZE=2] [1] SW VERSION[/SIZE]
[SIZE=2] [2] HW VERSION[/SIZE]
[SIZE=2] [3] UMTS RF[/SIZE]
[SIZE=2] [1] RF NV READ[/SIZE]
[SIZE=2] [2] RF NV WRITE[/SIZE]
[SIZE=2] [3] UMTS DIVERSITY CONTROL[/SIZE]
[SIZE=2] [4] RF CALIBRATION CHECK[/SIZE]
[SIZE=2] [4] GSM RF[/SIZE]
[SIZE=2] [1] RF NV READ[/SIZE]
[SIZE=2] [2] RF NV WRITE[/SIZE]
[SIZE=2] [5] AUDIO Locked! ==> See Note (a)[/SIZE]
[SIZE=2] ...[/SIZE]
[SIZE=2] [6] COMMON[/SIZE]
[SIZE=2] [1] FTM[/SIZE]
[SIZE=2] [2] DEBUG INFO[/SIZE]
[SIZE=2] [3] RF SCANNING[/SIZE]
[SIZE=2] [4] DIAG CONFIG[/SIZE]
[SIZE=2] [5] WCDMA SET CHANNEL[/SIZE]
[SIZE=2] [6] NV REBUILD[/SIZE]
[SIZE=2] [7] FACTORY TEST[/SIZE]
[SIZE=2] [8] FORCE SLEEP[/SIZE]
[SIZE=2] [9] GPS[/SIZE]
[SIZE=2] [1] FTM : OFF Locked! ==> See Note (b)[/SIZE]
[SIZE=2] [1] NOT SUPPORT [/SIZE]
[SIZE=2] [2] FTM : OFF[/SIZE]
[SIZE=2] [2] DEBUG INFO[/SIZE]
[SIZE=2] [1] MM REJECT CAUSE[/SIZE]
[SIZE=2] [2] LOG DUMP[/SIZE]
[SIZE=2] [3] UI DEBUG POPUP - N/S[/SIZE]
[SIZE=2] [3] RF SCANNING [/SIZE]
[SIZE=2] [1] SETTING[/SIZE]
[SIZE=2] [2] START RF SCANNING[/SIZE]
[SIZE=2] [3] RESULT TO PC[/SIZE]
[SIZE=2] [4] RESULT TO SCREEN[/SIZE]
[SIZE=2] [4] DIAG CONFIG[/SIZE]
[SIZE=2] [1] USB ( )[/SIZE]
[SIZE=2] [2] UART (*)[/SIZE]
[SIZE=2] [3] DBG MSG ON (*)[/SIZE]
[SIZE=2] [4] DBG MSG OFF ( )[/SIZE]
[SIZE=2] [5] WCDMA SET CHANNEL ==> "WCDMA CHANNEL SET" NOT SUPPORT[/SIZE]
[SIZE=2] [6] NV REBUILD --> Not tested![/SIZE]
[SIZE=2] [7] FACTORY TEST --> Not tested![/SIZE]
[SIZE=2] [8] FORCE SLEEP --> Not tested![/SIZE]
[SIZE=2] [9] GPS[/SIZE]
[SIZE=2] co_gps_menu ==> unknown![/SIZE]
[SIZE=2] [7] LTE BAND CONFIG CHECK --> <E>[/SIZE]
[SIZE=2] ---------------------------------------[/SIZE]
[SIZE=2] [2] CDMA MAIN MENU[/SIZE]
[SIZE=2] [1] COMMON[/SIZE]
[SIZE=2] [2] DATA[/SIZE]
[SIZE=2] [3] RF[/SIZE]
[SIZE=2] [4] CONTROL[/SIZE]
[SIZE=2] [5] DEBUG SCREEN[/SIZE]
[SIZE=2] [6] SUSPEND (001)[/SIZE]
[SIZE=2] [7] TEST SYS(012)[/SIZE]
[SIZE=2] [1] COMMON MENU (1/3) [/SIZE]
[SIZE=2] [1] READ RAW RSSI (018)[/SIZE]
[SIZE=2] [2] MODEL ID (019)[/SIZE]
[SIZE=2] [3] SNDNAM (020)[/SIZE]
[SIZE=2] [4] SNDVERSION (021)[/SIZE]
[SIZE=2] [5] SNDESN (022)[/SIZE]
[SIZE=2] [6] DATASVC ON (023)[/SIZE]
[SIZE=2] [7] DATASVC OFF (024)[/SIZE]
[SIZE=2] [8] VERSION (025)[/SIZE]
[SIZE=2] [9] NEXT PAGE >[/SIZE]
[SIZE=2] COMMON MENU (2/4)[/SIZE]
[SIZE=2] [1] REBUILD (026)[/SIZE]
[SIZE=2] [2] PHONE RESET (027)[/SIZE]
[SIZE=2] [3] FS RESET (029)[/SIZE]
[SIZE=2] [4] SIO TO DM (032)[/SIZE]
[SIZE=2] [5] MSL KEY(245)[/SIZE]
[SIZE=2] [6] MSL (246)[/SIZE]
[SIZE=2] [7] F3 MSG (249)[/SIZE]
[SIZE=2] [8] CUR BAND (253)[/SIZE]
[SIZE=2] [9] NEXT PAGE >[/SIZE]
[SIZE=2] COMMON MENU (3/4)[/SIZE]
[SIZE=2] [1] ERR LOG CLR (252)[/SIZE]
[SIZE=2] [2] SIM IN OUT CHECK (89)[/SIZE]
[SIZE=2] [3] MEMORY CHECK (90)[/SIZE]
[SIZE=2] [4] ACTIVATION_DATE (99)[/SIZE]
[SIZE=2] [5] SIO_MODE (032)[/SIZE]
[SIZE=2] [6] MOB CAI REV (110)[/SIZE]
[SIZE=2] [7] RECONDITIONED STATUS (200)[/SIZE]
[SIZE=2] [8] PREF MODE SET[/SIZE]
[SIZE=2] [9] NEXT PAGE >[/SIZE]
[SIZE=2] COMMON MENU (4/4)[/SIZE]
[SIZE=2] [1] RTRE CONFIG[/SIZE]
[SIZE=2] [2] SMS FORMAT SET[/SIZE]
[SIZE=2] [3] (UN)BLOCK VOICE MT[/SIZE]
[SIZE=2] [4] CHECK FACTORY CMD[/SIZE]
[SIZE=2] [2] DATA[/SIZE]
[SIZE=2] [1] WRITE NV (031) [/SIZE]
[SIZE=2] [2] MRU2 TABLE (033)[/SIZE]
[SIZE=2] [3] NAI SET (034)[/SIZE]
[SIZE=2] [4] INFORMATION[/SIZE]
[SIZE=2] [5] VBATT[/SIZE]
[SIZE=2] [6] THERMISTER[/SIZE]
[SIZE=2] [7] eHRPD e/disable[/SIZE]
[SIZE=2] [3] RF[/SIZE]
[SIZE=2] [1] CALIBRATION [/SIZE]
[SIZE=2] [2] COMMON [/SIZE]
[SIZE=2] [3] PCS [/SIZE]
[SIZE=2] [4] CDMA --> WLAN etc[/SIZE]
[SIZE=2] [5] GPS --> Nice![/SIZE]
[SIZE=2] [4] CONTROL --> Not tested![/SIZE]
[SIZE=2] [5] DEBUG SCREEN --> Not tested![/SIZE]
[SIZE=2] [6] SUSPEND (001) --> Not tested![/SIZE]
[SIZE=2] [7] TEST SYS(012) --> Not tested![/SIZE]
[SIZE=2] ---------------------------------------[/SIZE]
[SIZE=2] [3] LTE MAIN MENU [/SIZE]
[SIZE=2] [1] DEBUG SCREEN [/SIZE]
[SIZE=2] [2] LTE RF [/SIZE]
[SIZE=2] [3] Reserved --> <E>[/SIZE]
[SIZE=2] [4] BACKOFF PLMN TIMER (T3402) [/SIZE]
[SIZE=2] [4] SIM- Not Used. --> <E>[/SIZE]
[SIZE=2] [5] DOCOMO DEBUG SCREEN --> See Note (c)[/SIZE]
[SIZE=2] [6] run EFS SYNC() --> Not tested![/SIZE]
[SIZE=2] [7] DEBUG SCREEN --> Not tested![/SIZE]
Special Notes for the above:
Code:
[SIZE=2]// = The end point/window where the info is displayed
(This usually doesn't have a title.)
<E> = A "Dead End" that take you into an oo-loop page or back
to a locked *#0011# state.
(a) For accessing this sub-menu you may need to:
1. Unblock the KeyString file with:
echo -n "OFF" > /efs/FactoryApp/keystr
2. Enable the carrier HiddenMenu file with:
echo -n "ON" >/efs/carrier/HiddenMenu
3. Set the device shipping property: ro.product_ship=FALSE
(b) For "FTM" (Factory Test Mode) you probably need to set:
1. Enable the FactoryMode file with:
echo -n "ON" >/efs/FactoryApp/factorymode
2. Set the factory test property: ro.factorytest=1
(c) Not available for non-DOCOMO devices, need correct property(ies).
[/SIZE]
Some Useful Examples
Example-1: Removing SIM network lock
Code:
[SIZE=2]UMTS MAIN MENU[/SIZE]
[SIZE=2][1] DEBUG SCREEN.[/SIZE]
[SIZE=2][6] PHONE CONTROL.[/SIZE]
[SIZE=2][6] NETWORK LOCK[/SIZE]
[SIZE=2][3] PERSO SHA256 OFF[/SIZE]
[SIZE=2]Go Back to Main Menu[/SIZE]
[SIZE=2]UMTS MAIN MENU[/SIZE]
[SIZE=2][6] COMMON[/SIZE]
[SIZE=2][6] NV REBUILD.[/SIZE]
[SIZE=2][4] Restore Back-up.[/SIZE]
[SIZE=2]Reboot[/SIZE]
This has not been tested by me, since I don't use SIM locked providers.
So make sure you have a complete NANDroid backup of your phone in case something
goes wrong. I do not take any responsibility for damaged phone due to this procedure.
Please confirm if this method works for this phone.
This is bul****!
I don't see the possibility to do a simple "Boby, sit!"
You should be able to get into service mode directly by using the code *#27663368378#
Sent from my SCH-I435 using XDA Free mobile app
LTE BAND CONFIG CHECK don't work
[7] LTE BAND CONFIG CHECK
it still doesn't work after I -------------------------------------------------------
<E> = A "Dead End" that take you into an oo-loop page or back
to a locked *#0011# state.
(a) For accessing this sub-menu you need two things:
1. KeyString file unblocked: /efs/FactoryApp/keystr: "OFF"
2. Property: ro.product_ship=FALSE
--------------------------------------------------------------------------------------------
Actually I want to check if it support bands change. In China, CMCC seems to only support band41.
wiisixtyfour said:
You should be able to get into service mode directly by using the code *#27663368378#
Sent from my SCH-I435 using XDA Free mobile app
Click to expand...
Click to collapse
Doesn't work on GT-I9195
ladislav.heller said:
Doesn't work on GT-I9195
Click to expand...
Click to collapse
It works for me on the Verizon version. Make sure you set /efs/carrier/HiddenMenu to 'ON'.
Sent from my SCH-I435 using XDA Free mobile app
How to trigger the Nfc Test application?
Package name is com.sec.android.app.nfctest.
Decompiled NfcTestBroadcastReceiver.java file:
Code:
package com.sec.android.app.nfctest;
import android.content.*;
import android.net.Uri;
import android.nfc.NfcAdapter;
import android.util.Log;
// Referenced classes of package com.sec.android.app.nfctest:
// NfcTestMain
public class NfcTestBroadcastReceiver extends BroadcastReceiver
{
public NfcTestBroadcastReceiver()
{
}
public void onReceive(Context context, Intent intent)
{
String s = intent.getAction();
if(!s.equals("android.provider.Telephony.SECRET_CODE")) goto _L2; else goto _L1
_L1:
Intent intent1 = new Intent("android.intent.action.MAIN");
if(intent.getData().getHost().equals("[COLOR="Red"]6328378[/COLOR]"))
intent1.setClass(context, com/sec/android/app/nfctest/NfcTestMain);
intent1.setFlags(0x10000000);
context.startActivity(intent1);
_L4:
return;
_L2:
if("android.intent.action.BCS_REQUEST".equals(s))
{
Log.i("NfcTestBroadcastReceiver", "BCS_REQUEST receive");
if("AT+NFCVALUE".equalsIgnoreCase(intent.getStringExtra("command")))
{
NfcAdapter nfcadapter = NfcAdapter.getDefaultAdapter(context);
Log.i("NfcTestBroadcastReceiver", "AT+NFCVALUE!!!");
if(nfcadapter.isEnabled())
{
Log.i("NfcTestBroadcastReceiver", "NFC STATE ON!!!");
context.sendBroadcast((new Intent("android.intent.action.BCS_RESPONSE")).putExtra("response", "ON"));
} else
{
Log.i("NfcTestBroadcastReceiver", "NFC STATE OFF!!!");
context.sendBroadcast((new Intent("android.intent.action.BCS_RESPONSE")).putExtra("response", "OFF"));
}
}
}
if(true) goto _L4; else goto _L3
_L3:
}
}
Tried the secret code *#6328378# in phone dialer but nothing happened.
Update:
But it works from commandline:
Code:
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://6328378
jmzwcn said:
[7] LTE BAND CONFIG CHECK
it still doesn't work after I ...Actually I want to check if it support bands change. In China, CMCC seems to only support band41.
Click to expand...
Click to collapse
Does you phone actually support LTE?
What model?
wiisixtyfour said:
It works for me on the Verizon version. Make sure you set /efs/carrier/HiddenMenu to 'ON'.
Click to expand...
Click to collapse
Thank you! Can you find out if there are there other files we should look out for. Can you post the output of "busybox ls -alR" for the /efs directory?
ladislav.heller said:
How to trigger the Nfc Test application?
Package name is com.sec.android.app.nfctest.
Decompiled NfcTestBroadcastReceiver.java file:
Tried the secret code *#6328378# in phone dialer but nothing happened.
Click to expand...
Click to collapse
Great Job! Thanks. BTW. "6328378" = "NFCTEST".
also see if there are some other related files in /efs/ that need to be "enabled".
Make sure to backup you EFS folder, and don't try to add delete files in there, it doesn't work as a normal directory... EFS is more like a solid part of memory. You can change values, but not the number of values (size).
E:V:A said:
Thank you! Can you find out if there are there other files we should look out for. Can you post the output of "busybox ls -alR" for the /efs directory?
Click to expand...
Click to collapse
Here is the output from that command on my SCH-I435:
Code:
.:
drwxrwxr-x root root 1969-12-31 15:00 .files
drwxrwxr-x system system 2013-11-09 01:57 FactoryApp
drwx------ system system 2012-12-31 16:00 U0BwJo4kmkmm-BgyzUZgoEY7pn8_
-rw------- radio radio 212 2013-12-01 16:25 apn-changes.xml
drwxr-xr-x radio radio 2013-11-09 01:49 bluetooth
drwxr-xr-x system system 2012-12-31 16:02 carrier
drwx------ system system 2012-12-31 16:00 drm
-rw------- system system 12 2013-11-09 01:58 gyro_cal_data
-rw-r--r-- root root 16 2012-12-31 16:00 h2k.dat
drwxrwxr-x radio radio 2013-11-09 01:49 imei
-rw------- root root 0 2014-05-01 11:17 log
drwx------ root root 1969-12-31 15:00 lost+found
drwxrwx--- radio system 2013-11-09 01:49 prov
drwx------ system system 2012-12-31 16:00 prov_data
drwxrwxr-x system system 2013-11-09 01:49 wifi
./.files:
drwxrwxr-x media system 1969-12-31 15:00 .dm33
drwxrwxr-x media system 1969-12-31 15:00 .dx1
drwxrwxr-x media system 1969-12-31 15:00 .mp301
./.files/.dm33:
./.files/.dx1:
./.files/.mp301:
./FactoryApp:
-rwxr--r-- system system 1 1970-01-01 15:00 baro_delta
-rw------- system system 5 2014-05-01 06:18 batt_cable_count
-rwxrwxr-x media system 2 2014-04-26 21:12 earjack_count
-rwxr--r-- system system 2 2013-11-09 01:49 factorymode
-rwxrwxr-x system radio 4 1969-12-31 15:00 fdata
-rwxrwxr-x system radio 0 2012-12-31 08:00 hist_nv
-rwxr--r-- system system 10 1970-01-01 15:00 hw_ver
-rwxr--r-- system system 2 2013-11-09 01:49 keystr
-rwxr--r-- system system 5 1970-01-01 15:00 prepay
-rwxr--r-- system system 11 1970-01-01 15:00 serial_no
-rwxrwxr-x system radio 270 2012-12-31 08:00 test_nv
./U0BwJo4kmkmm-BgyzUZgoEY7pn8_:
-rwx------ system system 1072 2012-12-31 16:00 qen2gEqW2A+OTDT0KpoESJiYnrk_
-rwx------ system system 1072 2012-12-31 16:00 zm0WY4lY7rpx3kcVTTDWeh8VFRU_
./bluetooth:
-rw-r--r-- radio radio 17 2013-11-09 01:49 bt_addr
./carrier:
-rwxr--r-- system system 2 2014-04-29 12:42 HiddenMenu
./drm:
drwx------ system system 2012-12-31 16:00 h2k
./drm/h2k:
drwx------ system system 2012-12-31 16:00 8tjfX-7nJB21LtUUWIMbdlUfZTU_
./drm/h2k/8tjfX-7nJB21LtUUWIMbdlUfZTU_:
-rwx------ system system 1072 2012-12-31 16:00 HAv-sOqL1pMh2jiAzRoeKCzAmhE_
-rwx------ system system 1072 2012-12-31 16:00 SNbX8rtYWzaqdrnXa79HbAt5OFM_
./imei:
-rwxrwxr-x radio radio 3 2013-12-23 03:38 mps_code.dat
./lost+found:
./prov:
-rw-rw---- radio system 0 2013-11-09 01:49 libdevkm.lock
./prov_data:
drwx------ system system 2013-11-09 01:49 G+8IRqTrHDIvQWyDjPjJkVB5u6o_
drwx------ system system 2012-12-31 16:00 bG5QQZ77nDjI2757PvvQ3rPPrVg_
./prov_data/G+8IRqTrHDIvQWyDjPjJkVB5u6o_:
-rwx------ system system 1072 2013-11-09 01:49 3mvhJJQ5lPk1G+yj67Y71hI3inI_
-rwx------ system system 1072 2013-11-09 01:49 I0jYBKhtBZN0Rru2UXWB+UZ7Vc0_
-rwx------ system system 1072 2013-11-09 01:49 MHkfmzQg-bRYZzQ4Dc1M+rgodfA_
-rwx------ system system 1072 2013-11-09 01:49 iaBl+cROT4fwHRANIx6tIUgBqSA_
-rwx------ system system 1072 2013-11-09 01:49 qOk21RBBYMeZqVYofK+oU09QG2o_
./prov_data/bG5QQZ77nDjI2757PvvQ3rPPrVg_:
-rwx------ system system 1072 2012-12-31 16:00 4OV1KOT1hf21qdU1tnH6b8mOYLI_
-rwx------ system system 1072 2012-12-31 16:00 CuWlydrYrNFsWwuO0IaVlUQVxEg_
-rwx------ system system 1072 2012-12-31 16:00 gh8lZ2gd7MCgXAgHEgG7apFzmR0_
-rwx------ system system 1072 2012-12-31 16:00 pYEZlsu8egNLf3z5mqguGPyhE2Q_
-rwx------ system system 1072 2012-12-31 16:00 z-yiAOMWDX7wyfLCg5VIl-fyXus_
./wifi:
-rw------- system system 17 2013-11-09 01:49 .mac.cob
-rw-rw-r-- system system 17 2013-11-09 01:49 .mac.info
E:V:A said:
Great Job! Thanks. BTW. "6328378" = "NFCTEST".
also see if there are some other related files in /efs/ that need to be "enabled".
Make sure to backup you EFS folder, and don't try to add delete files in there, it doesn't work as a normal directory... EFS is more like a solid part of memory. You can change values, but not the number of values (size).
Click to expand...
Click to collapse
The NFC test did not work for me either but I am not sure if anything else in EFS should be changed.
Sent from my SCH-I435 using XDA Free mobile app
@wiisixtyfour : Can you edit your post and wrap that output in "CODE" tags (the # icon in advanced editor) please. It formats much better and thus easier to read.
E:V:A said:
@wiisixtyfour : Can you wrap that output in "CODE" tags (the # icon in advanced editor) please.
Click to expand...
Click to collapse
Yeah, sorry I'm on the XDA app and it doesn't have all the tags.
Sent from my SCH-I435 using XDA Free mobile app
my model is i9195
i9195 BTU,have rooted
wiisixtyfour said:
The NFC test did not work for me either but I am not sure if anything else in EFS should be changed.
Click to expand...
Click to collapse
Yeah, not sure what they did, but you can play with the other properties, but first try this:
Code:
[SIZE=2]echo -n "OFF" >/efs/FactoryApp/keystr
echo -n "ON" >/efs/FactoryApp/factorymode
echo -n "ON" >/efs/carrier/HiddenMenu
[/SIZE]
(You may also need to chmod these files before changing. And don't forget to change back after your done playing. It could be that factory mode disables some network functionality.)
Second, all the codes I mentioned in OP, are normally entered by "*#<code>#*", but some phones require this: "*#*#<code>#*#*" before working, so try that as well.
PreConfig application can be started using following command:
Code:
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://83052020100812173552301071192687
Serial number, FCC ID and logo screen:
Code:
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://737425
heres one for the sch-i435 users
ladislav.heller said:
Serial number, FCC ID and logo screen:
Code:
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://737425
Click to expand...
Click to collapse
So im on att currently and had not been happy with the lack of lte due to this being a verizon branded phone (hspa+ was getting me 4.5 mbps at best ,which I owe major thanks to this thread for even getting me that far ) so after tearing through stacks of codes listed in the android manifest xml files attached to he system keystring apps and such (many of which I couldnt get to do much of anything ) I found one that I havent seen listed that goes Into some ims and lte functions which got me 11.5-12+ mbps ranges pretty darn consistantly. The hiddenkeystring for me is ( *#467# ) I am not saying these are great lte speeds but quite a bit better than I was pulling down before and as I said quite consistantly. Hope this helps
oh also I forgot to mention also gives some nice choices for native flash media as well as some various codecs for audio. oh and some tethering options kindof nice as I had recently lost the ability to hotspot and couldnot find a workaround app that was successful. Dam one other set of options regarding the e-9 won won stuff as far as the network I guess maybe
dp929 said:
...The hiddenkeystring for me is ( *#467# ) ...
Click to expand...
Click to collapse
That doesn't work for the 9195, although they seem very similar.
What's your stock ROM and MODEM FW? Perhaps some getprops please.
@dp929 Can you post a screenshot?
Does anyone know how to stop the fm radio from asking for headphones?
I know it uses it as antenna but with an older samsung phone I disabled it, I just don't remember how, and the reception wasn't that bad
thanks
RF/Radio properties of the ServiceMode Application
Thread Difficulty: HARD
Thread Noob Patience: LOW
Thread Topic
This thread is a Reference and Research & Development thread for
investigating and to better document the various radio related variables
as found and displayed by the ServiceMode application. Here we are
particularly concerned with those found in Samsung phones, but as
you will see, this is more modem (BP/CP) dependent than phone model
dependent. So much of this info should also apply to other devices
using the same modem.
Off Topic?
If you have questions that does not directly concern the main focus
of this thread, please ask in the general forum. If you ask support
questions here, they will be deleted without warning.
If you're just looking for info how to enter the Service Menu on a recent
Samsung, look in this thread:
[REF][ServiceMode] How to make your Samsung perform dog tricks
Background
Because the ServiceMode (SM) application is really running in the
Modem under its own RTOS, it is limited in the presentation. So what
you see running in the AOS ServiceMode application is really just a
Java wrapper to code that is running in the RTOS. This severely
limits the information presented, if accessible at all.
Most mobile device manufacturers doesn't want their users to have
access to the ServiceMode functions, for various and good reasons.
Perhaps the best reason is that you can easily hard-brick your
device and/or mess up all the internal radio related settings.
However, we are already used to this, so why not have a better look
at the mobile network parameters within our devices. These can be
extremely useful from identifying network problems to detect and
prevent illegal or clandestine mobile network monitoring.
So what are the limiting factors of the ServiceMode Application?
It is a Java wrapper application that is usually made by
the device manufacturer (Samsung, HTC, Nokia etc) that
need to be present and compatible with your AOS FW.
(API, RIL etc)
The actual code is running in Modem RTOS and usually queried
by ServiceMode.apk by the use of a RIL_REQUEST_OEM_HOOK_RAW request,
that allows requests to circumvent the normal RIL filter.
The parameters present depends on the Modem FW versions.
(You will find many misspellings and other FUBAR objects in
various modem SM presentations.)
The displayed RF related parameters depend on the Modem HW,
and are thus completely different in an Intel XMM modem, than
for an Qualcomm MSM type modem/processor SoC, and so on.
The displayed RF related parameters depend on the network
you are currently using and connected to.
But the mobile network interface is transparent from the AOS AP point
of view, so a large set of radio parameters must comply to the 3GPP
standards in order for your device to function properly. But only a
very small subset of these RF parameters are part of the non-internal AOS API.
We want more!
By carefully looking at all the details and information that is
presented by the SM application, we can find out many more and
useful network details, such as ciphering modes, network types,
bands, and technology used. But to do this we need to understand
the language used. Unfortunately, many times the language does
not reflect the current 3GPP standards, so we are left to guess,
until some anonymous modem RF-expert/developer come along and
correct us.
So if you happen to know anything specific, this is where you
can really help this thread...
ServiceMode Vocabulary
Here I try to resolve some of the more obscure sounding items,
as found in the SM of mainly two devices.
(a) Samsung Galaxy S2 (GT-I9100, XXKI1 with Intel XMM6260 modem)
(b) Samsung Galaxy S4-mini (GT-I9195, XXUBML4 with Qualcomm MSM8930AB SoC)
In post#2 you will find an almost complete menu structure for
the UMTS MENU items as found in (b). I have not posted the items
for the LTE or CDMA menus, since I don't have that network, which
means I don't know how they would look. So feel free to post your
own findings, if you use those.
Also, remember that the end-point/detailed view of the menu
items, depend on your current network. I.e. you will see
different items, when connected to GSM vs. WCDMA, and so on.
In post#3 I show the detailed explanations of the various
3GPP defined RR timers as shown under the NAS/MM items.
In post#4 I attempt to describe the specific end-point menu items:
Code:
[SIZE=2] [1] BASIC INFORMATION
[1] MM INFORMATION
[2] MM REJECT CAUSE
[3] GMM REJECT CAUSE
[3] AS INFORMATION
[4] NEIGHBOUR CELL
[/SIZE]
I still need help deciphering some of those values.
(What exactly do they represent and mean?)
The root MAIN MENU
Code:
MAIN MENU
[1] [B]UMTS[/B]
[2] CDMA
[3] LTE
[4] SIM- Not Used. ==> <E>
[5] DOCOMO DEBUG SCREEN
[6] run EFS SYNC()
[7] DEBUG SCREEN
The UMTS MENU tree
Here is an almost complete menu structure for the UMTS MENU items
found in a GT-I9195. I have not posted the items for the LTE or CDMA
menus, since I don't have that network, which means I don't know how
they would look. So please post your own findings, if you use those.
Code:
[SIZE=2][1] UMTS MAIN MENU
[1] DEBUG SCREEN
[2] VERSION INFORMATION
[3] UMTS RF NV
[4] GSM RF NV
[5] AUDIO
[6] COMMON
[7] LTE BAND CONFIG CHECK
------------------------------
[1] DEBUG SCREEN
[1] BASIC INFORMATION ==> <E> Code: 0011
[2] NAS INFORMATION
[3] AS INFORMATION
[4] NEIGHBOUR CELL
[5] GPRS INFORMATION
[6] SIM INFORMATION
[7] HANDOVER
[8] PHONE CONTROL
[9] ANTENNA/ADC
[1] // BASIC INFORMATION ==> <E>
RRC: IDLE, Band1
MCC-MNC:nnn-01
RX: 10663, RI: -59, CID: hhhhh
TX: 9713, PSC: 394
EcIo: -4, RSCP: -63
SpeechVER: FR FR FR
L1: PCH_Sleep
Drx cycle: 64
SIB19 is received
therm: 162 LNA: 0
Service: Available
[2] NAS INFORMATION
[1] MM INFORMATION
[2] MM REJECT CAUSE
[3] GMM REJECT CAUSE
[4] PS REJECT CAUSE
[5] RESET MM&GMM REJECT List
[6] EF_RAT INFORMATION
[7] SAT REFRESH INFO
[8] SMC RESULT INFO
[9] CALL END CAUSE
[1] // MM INFORMATION
mm: Idle
MCC-MNV: nnn-01
LAC: hhh, RAC: nn
TIMER_T32: 10(S) 11(S) 12(A)
13(S) 20(S) 30(S) 40(S)
GmmState: Registered(3)
SubState: normal(0)
PmmMode: IDLE(1)
rej_cause: 0, IuAttCnt: 0
TMSI: hhhhhhh
[2] // MM REJECT CAUSE
MM reject Information List
1. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
2. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
3. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
4. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
5. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
6. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
[3] // GMM REJECT CAUSE
GMM reject Information List
1. Time: 4M 9D 14h19m02s
Type: 4, Cause:7 nnn-01, UMTS
2. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
3. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
4. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
5. Time: 1M 6D 0h00m00s
Type: 0, Cause:0 000-000, GSM
[4] // PS REJECT CAUSE
PDP and PDN recet List
- No Data
[5] // RESET MM&GMM REJECT List <== Immediately clears reject list!
[6] // EF_RAT INFORMATION
Boot-up EF_RAT
NONE(-1)
Refreshed EF_RAT
1.GSM_WCDMA(1), 000-000
2.GSM_WCDMA(1), 000-000
3.GSM_WCDMA(1), 000-000
4.GSM_WCDMA(1), 000-000
5.GSM_WCDMA(1), 000-000
[7] // SAT REFRESH INFO
<exactly the same as above>
[8] // SMC RESULT INFO --> <E>
RRC: IDLE, Band1
MCC-MNC: nnn-01
RX: 10663, RI: -59, CID: hhhhh
TX: 9713, PSC: 394
EcIo: -4, RSCP: -63
SpeechVER: FR FR FR
L1: PCH_Sleep
Drx cycle: 64
SIB19 is received
therm: 162 LNA: 0
Service: Available
[9] // CALL END CAUSE --> <E>
<exactly the same as above>
[3] // AS INFORMATION
RRC: IDLE, Band1
WCDMA: IDLE
RX: 10663, RI: -59, CID: hhhhh
TX: 9713, PSC: 394
EcIo: -4, RSCP: -63
VOC: FR FR FR, 0
L1: PCH_Sleep
CQI: 0, Sam: 0
[4] // NEIGHBOUR CELL
Aset: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 394 -60 -7 53 29 <== rapid changes
Sych: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 403 -83 -51 31 -15
Sych: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 403 -83 -51 31 -15
Sych: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 403 -83 -51 31 -15
Asych: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 422 -121 -49 29 -1
Asych: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 262 -121 -49 0 0
Asych: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 102 -121 -49 0 0
Asych: [/SIZE][SIZE=2][SIZE=2]10663[/SIZE] 450 -121 -49 0 0
[5] GPRS INFORMATION
FUNCTION:ds_gprs_information
[6] SIM INFORMATION
[1] General Info
[2] QMI UIM status
[3] CHECK NV
[1] // General Info
SIM Phase: 0
Card Capability: USIM
SIM voltage class: 1.8V SIM
None
None
Proactive command:
00 00 00 00 00 00 00 00 00 00 - ^^ (10 Hex)
[2] // QMI UIM status
CARD_STATE: Present
CARD_ERROR: Unknown
APP_TYPE: USIM
APP_STATE: Ready
PERSO_STATE: Ready
PERSO_FEATURE: Unsupported
PIN1_STATE: Enabled_Verified
pin1_num(3), puk1_num(10)
PIN2_STATE: Enabled_Not_Verified
pin2_num(3), puk2_num(10)
[3] // CHECK NV
CHECK NV
Band pref: Unexpected value
RTRE Configuration: SIM based
FTM Mode: Online Mode
ENS: Disabled
UIM CLASS: UMTS
[7] HANDOVER
[1] HANDOVER GtoG
[2] HANDOVER GtoW
[3] HANDOVER WtoG
[4] HANDOVER TEST
[8] PHONE CONTROL
[1] DRX CONTROL
[2] FAKE SECURITY CONTROL
[3] NAS CONTROL
[4] UE STATE CONTROL
[5] SIMULATION
[6] NETWORK LOCK
[7] NETWORK CONTROL
[1] // DRX CONTROL
DRX: Not Active
[1] DRX: ON
[2] DRX: OFF
[2] // FAKE SECURITY CONTROL
FAKE SECURITY: OFF
[1] FAKE SECURITY: ON
[2] FAKE SECURITY: OFF
[3] NAS CONTROL
[1] CIPHERING CONTROL
[2] INTEGRITY CONTROL
[3] SIM CLASS CONTROL
[4] REVISION CONTROL
[5] RRC(HSPA) CONTROL
[6] DUALMODE IMPROVEMENT CONTROL
[7] NAS AVOID SECURITY CONTROL
[1] // CIPHERING CONTROL
CIPHERING CONTROL: ON
[1] CIPHERING: ON
[2] CIPHERING: OFF
[2] // INTEGRITY CONTROL
INTEGRITY CONTROL: ON
[1] INTEGRITY: ON
[2] INTEGRITY: OFF
[3] // SIM CLASS CONTROL
UIM CLASS: UMTS
[1] UIM CLASS: UMTS
[2] UIM CLASS: GSM
[4] REVISION CONTROL
[1] DISPLAY REVISION
[2] CHENGE REVISION
[5] RRC(HSPA) CONTROL
[1] DISPLAY RRC REVISION
[2] CHANGE RRC REVISION
[6] // DUALMODE IMPROVEMENT CONTROL
DUALMODE IMPROVEMENT: NOT ACT
[1] DUALMODE IMPROVEMENT: ON
[2] DUALMODE IMPROVEMENT: OFF
[7] NAS AVOID SECURITY CONTROL
AVOID_SECURITY_CHECK: NOT ACT
[1] SECURITY_CHECK: ON
[2] SECURITY_CHECK: OFF
[4] UE STATE CONTROL
[1] CALL CONNECT STATE
[2] CHANGE RAT TO WCDMA
[3] CHANGE RAT TO GSM
[5] SIMULATION
[1] Modem Assert (Reset)
[2] SW WATCHDOG
[3] HW WATCHDOG
[4] CP Logging (Started)
[5] Realtime Log(OFF) - Don't! <== WTF?
[6] NETWORK LOCK
[1] PERSO SHA256 Info
SHA256_ENABLE_FLAG [1]
[7] NETWORK CONTROL
[1] GCF
[2] BAND SELECTION ==> Code: [B]2263[/B] "BAND"
[3] SERVICE DOMAIN
[4] AQUISITION ORDER
[5] PLMN(AUTO/MANUAL) SELECTIO
[6] FPLMN
[7] IMSI replacement
[1] GCF
[1] GSM/(E)GPRS/WCDMA REL8
[2] GSM/(E)GPRS/WCDMA REL7
[3] GSM/(E)GPRS/WCDMA REL6
[4] GSM/(E)GPRS/WCDMA REL5
[5] SETTING CANCELLATION
[2] BAND SELECTION
[1] Automatic
[2] WCDMA Band Preference
[3] GSM Band Preference
[4] LTE Band Preference
[3] // SERVICE DOMAIN
[1] CS + PS (*)
[2] CS ONLY
[3] PS ONLY
[4] // AQUISITION ORDER
[1] Automatic
[2] GSM_UMTS
[3] UMTS_GSM (*)
[4] No Change
[5] // PLMN(AUTO/MANUAL) SELECTIO
[1] AUTOMATIC (*)
[2] MANUAL
[6] FPLMN
[1] FPLMN READ
[2] FPLMN DELETE ALL
[3] FPLMN DELETE EXCL DOM
[7] // IMSI replacement
[1] Enable
[2] Disable (*)
[9] ANTENNA/ADC
ds_antenna_adc
------------------------------
[2] VERSION INFORMATION
[1] SW VERSION
[2] HW VERSION
[3] UMTS RF
[1] RF NV READ
[2] RF NV WRITE
[3] UMTS DIVERSITY CONTROL
[4] RF CALIBRATION CHECK
[4] GSM RF
[1] RF NV READ
[2] RF NV WRITE
[5] AUDIO ==> Locked! See Note (a)
...
[6] COMMON
[1] FTM
[2] DEBUG INFO
[3] RF SCANNING
[4] DIAG CONFIG
[5] WCDMA SET CHANNEL
[6] NV REBUILD
[7] FACTORY TEST
[8] FORCE SLEEP
[9] GPS
[1] FTM : OFF ==> Locked! See Note (b)
[1] NOT SUPPORT
[2] FTM : OFF
[2] DEBUG INFO
[1] MM REJECT CAUSE
[2] LOG DUMP
[3] UI DEBUG POPUP - N/S
[3] RF SCANNING
[1] SETTING
[2] START RF SCANNING
[3] RESULT TO PC
[4] RESULT TO SCREEN
[4] DIAG CONFIG
[1] USB ( )
[2] UART (*)
[3] DBG MSG ON (*)
[4] DBG MSG OFF ( )
[5] WCDMA SET CHANNEL
[6] NV REBUILD
[7] FACTORY TEST
[8] FORCE SLEEP
[9] GPS
co_gps_menu
[7] LTE BAND CONFIG CHECK --> <E>
[/SIZE]
(Where I have replaced my LAC/CID with "nnnnn" and "hhhhh", respectively)
Note that the end-point/detailed view of the menu items, depend on your
current network. I.e. you will see different items, when connected to GSM vs. WCDMA.
For example. Here is a picture comparing the BASIC INFORMATION view for LTE, CDMA and GSM/UMTS, respectively.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
(Picture stolen from THIS website. Sorry, there is no owner/contact info there to ask for permission.)
So what does all those numbers mean?
That's what we will try to figure out in the next posts and in this thread! But first I will show you
another menu view. The menu that concerns the MM (Mobile Management) MENU items.
To get to the picture below:
MAIN MENU > [1] UMTS MAIN MENU > [1] DEBUG SCREEN > [2] NAS INFORMATION > [1] MM INFORMATION
Which should result in:
Code:
[SIZE=2]mm: Idle
MCC-MNV: nnn-01
LAC: hhh, RAC: nn
[B]TIMER_T32[/B]: [B]10[/B](S) [B]11[/B](S) [B]12[/B](A)
[B]13[/B](S) [B]20[/B](S) [B]30[/B](S) [B]40[/B](S)
GmmState: Registered(3)
SubState: normal(0)
PmmMode: IDLE(1)
rej_cause: 0, IuAttCnt: 0
TMSI: hhhhhhh[/SIZE]
< placeholder >
As you can see, these include the values of a few important RR timers used. In the menu above they are
marked with (S) or (A), for STOPPED and ACTIVE, respectively. These timers are discussed further in
the next section.
The Mobility Management (MM) Timers: MS-side
All the MM timers are defined and thorough;y explained in [1]. But here I
summarize the timers we have found in our SM as shown above. Where we
have the following timers clearly visible:
Code:
[SIZE=2]T3210
T3211
T3212
T3213
T3220
T3230
T3240
[/SIZE]
Here's a summary table also taken and edited from [1].
The very brief 3GPP summary for T3210/11/12/13 is:
< WIP placeholder>
The very brief 3GPP summary for T3220/30/40 is:
Code:
[SIZE=2][B]T3220[/B] Timer is used during the MM states of:
- IMSI Detach Initiated
Timer is started at IMSI Detach.
Timer is stopped when: release from RM-sublayer
At expiry it: "enter Null or Idle, ATTEMPTING TO UPDATE" ??
[B]T3230[/B] Timer is used during the MM states of:
- Wait For Outgoing MM Connection
- Wait For Additional Outgoing MM Connection
- Wait TO Re-establish MM connection
Timer is started in the mobile station when:
- the MS makes a Ciphering Mode (CM) service request
- the MS makes a Ciphering Mode (CM) re-establishment request
Timer is stopped when:
- the MS makes a CM setting
- the MS receives a CM Service Reject
- the MS receives a CM Service Accept
At expiry it provides a release indicator.
[B]T3240[/B] Timer is started in the mobile station when:
- the mobile station receives a LOCATION UPDATING ACCEPT message completing a location updating procedure in the cases specified in subclauses 4.4.4.6 and 4.4.4.8;
- the mobile station receives a LOCATION UPDATING REJECT message in the cases specified in subclause 4.4.4.7;
- the mobile station has sent a CM SERVICE ABORT message as specified in subclause 4.5.1.7;
- the mobile station has released or aborted all MM connections in the cases specified in 4.3.2.5, 4.3.5.2, 4.5.1.1, and 4.5.3.1;
- the mobile station receives the paging message from network and enter the MM state 9 (WAIT FOR NETWORK COMMAND).
Timer is stopped, reset, and started again at receipt of an MM message.
Timer is stopped and reset (but not started) at receipt of a CM message that initiates establishment of an CM connection (an appropriate SETUP, REGISTER, or CP-DATA message as defined in 3GPP TS 24.008, 3GPP TS 24.010 [21] or 3GPP TS 24.011 [22]).
If timer expires, the MS shall abort the RR connection and enter the MM state MM IDLE.
[/SIZE]
References:
[1] "Mobile Radio Interface Layer 3 specification, Core Network Protocols"
3GPP TS 24.008 V12.5.0 (2014-03): (678 pages)
[2]
The Variable Vocabulary
Here is a list of variable names, and their inferred meaning, as found in the SM shown above.
Code:
[SIZE=2]
RX : Receive/Down-Link Channel aka "DL CH"
TX : Transmit/Up-Link Channel aka "UL CH"
RI : [dBm] RSSI (Receive Signal Strength Indicator)
CID : Cell ID
PSC : Primary Synchronization Code
EcIo : [1] Ec/Io = RSCP / RSSI = Eb/No - Gp
RSCP : [dBm] Received Signal Code Power [2,3] RSCP = RSSI + Ec/No
SpeechVER : The Voice Codec in use [EFR/FR/HR/AMR]
L1 : [FACH,DCH,BCH,PCH_Sleep]
Drx cycle : Discontinuous Reception (DRX) Cycle
therm : Thermal Power (
LNA : Low Noise Amplifier ???
mm: Idle : Mobile Management connection status ??
lu: Upda :
SS: Avail : Subsystem System Simulator ?? Secondary Synchronization Signal ??
RAC : Routing Area Code
TIMER_T32: 10 (S) : Really refers to the T3210 timer, and where
GmmState: Registered(3) :
SubState: normal(0) :
PmmMode: IDLE(1) :
rej_cause:0 :
luAttCnt:0 : Location Update (IMSI Attach?)/(Attempts?) Count
TMSI: 9xxxxxxd : Temporary Mobile Subscriber Identity
AS INFORMATION: : Access Stratum
VOC :
CQI : Channel-Quality Indication
Sam :
"Specific Anthropomorphic Mannequin" ??
"Service Aware Manager" (Alcatel/Lucent) ??
[/SIZE]
As you can see there are many not yet clearly defined items.
To clarify these (and others) is the main purpose of this thread!
< more crazy dragons to be >
< more crazy dragons to be >
A very nice book chapter and collection of useful baseband info and document links.
Benoit Michau, 2014
"Analyse de sécurité des modems mobiles"
[French]
Click to expand...
Click to collapse
LNA
E:V:A said:
The Variable Vocabulary
Here is a list of variable names, and their inferred meaning, as found in the SM shown above.
Code:
[SIZE=2]
LNA : Low Noise Amplifier ???
Click to expand...
Click to collapse
LNA = Line Noise Attenuator/Attenuation
oddball3 said:
LNA = Line Noise Attenuator/Attenuation
Click to expand...
Click to collapse
Thanks for your attention, but I don't think that is correct, because this is a radio device and not an ADSL-router or other "line" dependent device. You'll have to try harder to convince me. Links to a reliable source, helps.
E:V:A said:
Thanks for your attention, but I don't think that is correct, because this is a radio device and not an ADSL-router or other "line" dependent device. You'll have to try harder to convince me. Links to a reliable source, helps.
Click to expand...
Click to collapse
Not spot on, but proof of concept:
http://www.w3eee.com/Noiz .html
I had the perfect site I wanted to post here for you, and just to prove what a crappy country this is, our power utility decided to cut supply to our area :-\ I reckon I was about two sentences away from perfection haha!! Was so disappointed it's taken me since then to work up the enthusiasm to try again!!
Edit: Good Reference source - http://ieeexplore.ieee.org/xpl/logi...re.ieee.org/xpls/abs_all.jsp?arnumber=6471543
Few from me
PSC : Primary Scrambling Code (not synchronization)
L1 : RRC State [FACH,DCH,BCH,PCH_Sleep]
GmmState: Registered(3) : GPRS Mobiity Management status
PmmMode: IDLE(1) : Packet Mobiity Management status
E:V:A said:
Code:
[SIZE=2]mm: Idle
MCC-MNV: nnn-01
LAC: hhh, RAC: nn
[B]TIMER_T32[/B]: [B]10[/B](S) [B]11[/B](S) [B]12[/B](A)
[B]13[/B](S) [B]20[/B](S) [B]30[/B](S) [B]40[/B](S)
GmmState: Registered(3)
SubState: normal(0)
PmmMode: IDLE(1)
rej_cause: 0, IuAttCnt: 0
TMSI: hhhhhhh[/SIZE]
As you can see, these include the values of a few important RR timers used. In the menu above they are
marked with (S) or (A), for STOPPED and ACTIVE, respectively. These timers are discussed further in
the next section.
Click to expand...
Click to collapse
Interesting. But that way we can only know if a Timer is Stopped or Active.
How can we know the Value of these Timers?
Thanks.
vndnguyen said:
How can we know the Value of these Timers?
Click to expand...
Click to collapse
We can try to read its value from one of the SIM card EF files. I forgot which. We can also read it from the /dev/diag RF diagnostics device or possibly from the QMI (Qualcomm) debug ports. Or we can leave phone still and read the start/stop flags when they change. Or you can call the technicians of the MNO and ask.
E:V:A said:
We can try to read its value from one of the SIM card EF files. I forgot which.
Click to expand...
Click to collapse
I can read the EF files on the SIM cards. But the problem is that we don't know which EF files store those timers?
We can also read it from the /dev/diag RF diagnostics device or possibly from the QMI (Qualcomm) debug ports.
Click to expand...
Click to collapse
Can you give some detailed instruction about it? I have no idea on it.
Or we can leave phone still and read the start/stop flags when they change.
Click to expand...
Click to collapse
This is not a good way to read.
Or you can call the technicians of the MNO and ask.
Click to expand...
Click to collapse
Yes, I'm working at that MNO. But I still want to read those timers directly from the phone.
problem with gsm
hi gays.
i`ve a prblem with my phone.
in gsm(2g) don`t have signal but in 3g yes.
with this service menu... can i reparair?
please help me
hola chicos, tengo un problema: teniendo mi cel en gsm 2g no me toma señal, se queda sin servicio, pero al cambiar a 3g tengo altiro señal.
puedo con este menu repararlo y como? se agradece la ayuda
sirkuazar said:
hi gays.
i`ve a prblem with my phone.
in gsm(2g) don`t have signal but in 3g yes.
with this service menu... can i reparair?
please help me
hola chicos, tengo un problema: teniendo mi cel en gsm 2g no me toma señal, se queda sin servicio, pero al cambiar a 3g tengo altiro señal.
puedo con este menu repararlo y como? se agradece la ayuda
Click to expand...
Click to collapse
Gays? I'm not a gay LOL
You would rather check your sim card as well as the mobile service before playing around with your phone. You can put the sim card into another phone to see if it works, etc...
:laugh::laugh::laugh::laugh:
vndnguyen said:
Gays? I'm not a gay LOL
You would rather check your sim card as well as the mobile service before playing around with your phone. You can put the sim card into another phone to see if it works, etc...
Click to expand...
Click to collapse
HHHHHHHHH