Hi, following this great thread (now closed), I have questions:
https://forum.xda-developers.com/galaxy-s5/general/how-to-add-rf-lte-frequency-bands-to-t2886059/page62 @fffft
Context:
I am trying to activate B8 and B20 on LTE for this phone: xiaomi 2 (2014813), with firmware wt86047-firmware_20161223.zip and LineageOS15.1.
I am using QPST and QXDM. I am up to the point of changing values in QXDM.
1) I see I'm supposed to change parameters for 2 values:
NV 06828 - LTE BC Configuration
NV 06829 - LTE BC Configuration DIV
On another thread, it said to only do in 06828. Which one is correct?
2) I can't calculate the correct value. I tried converting my default value to hexadecimal, but I can't make sense of the result.
I did read the instructions (The Gory details), but I don't get similar results.
My default value is, for ID 06828 (LTE BC Config): 2061584302148
Could anyone help me understand or tell me how to convert? I somehow understood the 1000001 (15 or 16 times), that's all. Even if I don't understand why it shows 15 bands only, if it's only an example, etc...
3) If, I follow these steps:
23. If you wish to add LTE bands and have already calculated a custom value from the instructions in the thread, then use QXDM to write that value to both ID 06829 and ID 06829, writing one item at a time.
Otherwise, write (decimal) "17592185995263" to both ID 06828 and ID 06829, writing one item at a time. This will enable all LTE bands.
What are the consequences if I don't have all the LTE bands on that phone (if I don't have them from a HW point of view)?
4) Is there anything else I need to do for adding LTE bands, beside this step above?
5) A bit late to wonder, but how do I find out if band 8 and band 20 are compatible? I googled spec 2014813 (device name), not sure about the results.
Some guy claimed it's possible from a HW point of view, and that he did unlock some bands, including B8, not listed in some claimed hardware specs for that phone.
http://en.miui.com/thread-476545-1-1.html
Many thanks!
htchd2sucks said:
Hi, following this great thread (now closed), I have questions:
https://forum.xda-developers.com/galaxy-s5/general/how-to-add-rf-lte-frequency-bands-to-t2886059/page62 @fffft
Context:
I am trying to activate B8 and B20 on LTE for this phone: xiaomi 2 (2014813), with firmware wt86047-firmware_20161223.zip and LineageOS15.1.
I am using QPST and QXDM. I am up to the point of changing values in QXDM.
1) I see I'm supposed to change parameters for 2 values:
NV 06828 - LTE BC Configuration
NV 06829 - LTE BC Configuration DIV
On another thread, it said to only do in 06828. Which one is correct?
Apparently I'm supposed to change the 2 values, but the phone I have doesn't have an NV 06829 (NV Status Error Received: Items Inactive 06829), so I ignored the second line.
2) I can't calculate the correct value. I tried converting my default value to hexadecimal, but I can't make sense of the result.
I did read the instructions (The Gory details), but I don't get similar results.
My default value is, for ID 06828 (LTE BC Config): 2061584302148
Could anyone help me understand or tell me how to convert? I somehow understood the 1000001 (15 or 16 times), that's all. Even if I don't understand why it shows 15 bands only, if it's only an example, etc...
There's a tutorial on XDA; it's complex. For example https://forum.xda-developers.com/android/apps-games/app-qualcomm-nv-calculator-adding-2g-3g-t2915649
3) If, I follow these steps:
23. If you wish to add LTE bands and have already calculated a custom value from the instructions in the thread, then use QXDM to write that value to both ID 06829 and ID 06829, writing one item at a time.
Otherwise, write (decimal) "17592185995263" to both ID 06828 and ID 06829, writing one item at a time. This will enable all LTE bands.
What are the consequences if I don't have all the LTE bands on that phone (if I don't have them from a HW point of view)?
I don't know the answer. I was given a new value which added band 8 and band 20. Not sure if that worked, but at the very least nothing bad happened after writing it and rebooting the phone.
4) Is there anything else I need to do for adding LTE bands, beside this step above?
I think I had nothing else to do. Even disabling diag mode was apparently not necessary: after doing adb reboot and retesting, I saw diag mode was gone on its own and I had to re-enable it.
5) A bit late to wonder, but how do I find out if band 8 and band 20 are compatible? I googled spec 2014813 (device name), not sure about the results.
Some guy claimed it's possible from a HW point of view, and that he did unlock some bands, including B8, not listed in some claimed hardware specs for that phone.
http://en.miui.com/thread-476545-1-1.html
I also don't know; I did trial and error. Some people claimed they did it, but I'm not sure it's a good source of info.
Many thanks!
I reply to myself, with partial answers.
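As an added example (not code from the thread or from the calculator tutorial it links), here is a small Python script that treats the ID 06828 value as a 64-bit mask in which bit N-1 stands for LTE band N. That bit-to-band mapping is an assumption, stated again in the code; the two numbers the script uses are the ones quoted in the posts above. Under that assumption the default value 2061584302148 decodes to bands 3, 7, 38, 39, 40 and 41, and the "enable all" value 17592185995263 decodes to bands 1 to 44 except 15 and 16, which is a useful sanity check before writing anything back with QXDM. The mask is only a software setting: it says nothing about whether the RF front end can actually use a band, which is what questions 3 and 5 are about.

```python
# Added example, not from the thread. Decodes and encodes the value stored in
# NV item 06828 (LTE BC Config) as a 64-bit band mask.
# ASSUMPTION: bit (N - 1) of the value enables LTE band N, so band 1 is bit 0,
# band 8 is bit 7 and band 20 is bit 19.
from typing import Iterable, List

MASK_BITS = 64  # the NV item is treated as one unsigned 64-bit value (assumption)


def decode_bands(value: int) -> List[int]:
    """Return the sorted list of LTE band numbers whose bit is set in value."""
    if not 0 <= value < (1 << MASK_BITS):
        raise ValueError("value does not fit in a 64-bit mask")
    return [bit + 1 for bit in range(MASK_BITS) if (value >> bit) & 1]


def encode_bands(bands: Iterable[int]) -> int:
    """Build the mask value from band numbers in the range 1..64."""
    value = 0
    for band in bands:
        if not 1 <= band <= MASK_BITS:
            raise ValueError(f"band {band} is outside 1..{MASK_BITS}")
        value |= 1 << (band - 1)
    return value


def add_bands(value: int, bands: Iterable[int]) -> int:
    """Return value with the given bands switched on; bands already set are kept."""
    return value | encode_bands(bands)


def to_hex(value: int) -> str:
    """Show the mask as a zero-padded 16-digit hex string, one nibble per 4 bands."""
    return f"0x{value:016X}"


if __name__ == "__main__":
    default = 2061584302148        # value quoted in the thread for ID 06828
    enable_all = 17592185995263    # "enable all LTE bands" value quoted in the thread

    print("default value", default, to_hex(default))
    print("  enables bands:", decode_bands(default))
    print("enable-all value", enable_all, to_hex(enable_all))
    print("  enables bands:", decode_bands(enable_all))

    # Value that keeps the default bands and additionally sets B8 and B20,
    # computed purely from the assumption above (not a value taken from the thread).
    with_b8_b20 = add_bands(default, [8, 20])
    print("default + B8 + B20 =", with_b8_b20, "->", decode_bands(with_b8_b20))
```

Round-tripping a value through decode_bands and encode_bands before writing it is a cheap check that no bit was mistyped, since a single wrong decimal digit moves or drops bands silently.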
I have been playing with my tmobile MDA (wizard) and in HKLM/software/HTC/engineermode there are some keys I find interesting. On mine LaunchEngineerModeAppDialStr is set to *#*#364#*#* (364 maps to 'eng' which is probably why it was chosen).
Has anyone played with this at all? I tried but I get 0 mobile service here and got a message back saying 'please try your call later' (sms style) which I am certain came from the phone itself. Normally I get just 'failed' rather than 'please try your call later'.
At any rate, it might be something fun to look at I know that some people were looking to get the tower IDs and other info, and usually engineering mode includes that.
update
I have an update to this. I have 2 SIMs, both tmobile US. The old one is at least a year old, maybe more. It is totally inactive. The new one came with the phone. When I use the old one I get 'please try your call later'; with the new one it goes into engineering mode and displays cellid and other bits of info. Of course it's not highly useful for me right now because I have no cell signal, but ...
The title bar reads 'gsm test mode' and there are 3 tabs: GSM, AMR and GPRS. At least now the key to get the dial string is known, if it wasn't before (I didn't see anything), and the fact that you can get tower IDs and other stuff (something someone wanted elsewhere).
The gsm test mode app appears to be a totally different app as well (according to start->system->memory->running programs). I do not have good tools yet to see exactly where this app is and how to access it. But I am sure that if that program were located a debugger could provide useful info on extracting the syscalls or whatever is done to get access to the cellid and other bits of info.
Note cellids can be used to track location; they are fixed and reported, at least in the US. While you may not know exactly where someone is, by knowing which tower they are on you can guess. RSSI can be used in conjunction with this, as the far field (where most radio communications occur) falls off at the inverse square, so you can guess at the distance (but not direction). Multipath and other issues can affect this reading, so it's not highly accurate but ...
Now does anyone know of a good tool like ps in unix that shows me not only the full program name but also any arguments given for WM5?
GSM Test Mode..
An easier way is to look in your \windows directory and look for the "GSM Test Mode.exe" ....
I tried this in another thread a while ago but as nobody even replied I thought I should try it again before I completely give up
Is there a tool (or can someone code one maybe?) to switch between 3G and GSM without going the "normal" route of
Settings-Phone-Options-Band (or whatever it's called in the english version) and then change it to either WCDMA, GSM or Auto. Of course you will have to disconnect any active connection before you can do that.
A tool to accomplish the same thing would really help in improving battery life, as with it you could switch to 3g only if needed (websurfing) and leave it in GSM mode most of the time.
If a tool is impossible to create, a shortcut to make the procedure above easier would help, too.
Yep, I would love this too. Any takers? :>
JEREMY
You could try writing a macro using mortscript - it can simulate taps on the
screen. And yes, I'd like to have such a tool, too..
Thanks for the Mortscript hint. I managed to write a tiny little scriptlet (it's ridiculous really, but it does the job) that does the following through stylus tap simulation and app calls:
- Open the Phonepad
- open the options dialog
- select the "Band" tab
- change the band selection from 3g to GSM without clicking OK
- call a subscript which disconnects the current connection (otherwise a band change is not possible). The subscript is necessary as Mortscript will not process any command that comes after a "Disconnect"
- here I would like to click OK. But for the love of god...I can't find the right coordinates on my Trion. Can anyone help?
- here I would like to close the phonepad again
Same stuff in a second script for GSM to 3g of course.
I'm pretty sure most of it can be done through SendTab/SendDown etc. Figured that out a little too late. Might clean it up a bit to make it less resolution-dependent.
Voila
Even without the last two steps it is rather useful. When you call the script it will do everything except press OK for you.
Band Tab
I upgraded to the Cingular (1.34) rom and now I do not have the "Band" tab on the phone settings. Has anyone else experienced this? I would love to have the utility to switch back and forth as the battery drain is too fast in 3G mode.
Thanks!
See this page for details:
http://www.securegsm.com/pages.php?pageid=85
"... If you do not see the “Band” tab, please download this CAB file and execute on your device. After executing this CAB file...
The above CAB file contains a registry change for your device. No special application is installed when you execute the above CAB file..."
Please note: login is required to download.
Alternatively, you can enable "Band" selection tab using registry editor.
BixbySpartan said:
I upgraded to the Cingular (1.34) rom and now I do not have the "Band" tab on the phone settings. Has anyone else experienced this? I would love to have the utility to switch back and forth as the battery drain is too fast in 3G mode.
Thanks!
SecureGSM -
The CAB file worked flawlessly. I appreciate the information and your assistance.
Thanks!
Ok, I cleaned up the two Mortscript scriptlets to just use sendkeys. No more stylus tap simulation, which makes it a lot more reliable.
Executing either script will now open the phonepad, go to options-band, disconnect the current connection and then change the band.
Unfortunately closing the phonepad doesn't work reliably, as it will leave the phonepad screen in the foreground and the UI will freeze.
Maybe someone a little more gifted can make this more interactive (e.g. read what app is active and switch back to it after the band change or something).
For me it is good enough for now.
If anyone wants it, let me know.
What the heck. Maybe someone can make use of it.
VERY clumsy and thrown together in a couple of minutes. Should work on any Trion etc.
You will have to edit the window captions and paths as I did this on a German ROM.
"Telefon" is "phone" or whatever the phonepad caption/link to the phonepad is called.
Works on my Trion. Improvements as mentioned above more than welcome.
Latest Mortscript beta needed. Can be found here:
http://www.sto-helit.de/downloads/pocketpc/MortScript-4.0RC2.zip
uhmm.. just my 2 cents. There is a slightly better way of doing this:
step #1: change band selection to GSM or to WCDMA directly in registry
step #2: flick device radio to flight mode on and then off
Also, step #2 will restart the radio regardless of whether an established connection is present or not.
Alternatively, if you would like to close the data connection gracefully:
call datadisconnect.exe located in \windows. Nice utility btw. It surely has a CLI mode as well.
any C / C++ programmer should be able to get this project done in few hours at most.
SecureGSM said:
uhmm.. just my 2 cents. There is a slightly better way of doing this:
step #1: change band selection to GSM or to WCDMA directly in registry
step #2: flick device radio to flight mode on and then off
Also, step #2 will restart the radio regardless of whether an established connection is present or not.
Alternatively, if you would like to close the data connection gracefully:
call datadisconnect.exe located in \windows. Nice utility btw. It surely has a CLI mode as well.
any C / C++ programmer should be able to get this project done in few hours at most.
Great! As I said before, I just did this to have something (not much, I know).
Wouldn't the "disadvantage" be, though, that you would have to enter your pin every time flightmode is turned off?
Do you know what registry entries this would be?
Is it HKLM,Software\OEM\UMTS,OpMode ? And if so, what would be the values for 3g, GSM and Auto?
EDIT: Think I found it. Auto=0, GSM=1, 3g=2
Is this correct?
Plus, is there any shortcut you can run to toggle flightmode? If so, these two things could be put into another Mortscript scriptlet (it can change the registry).
Thanks!
Did a test over the last day: I disabled incoming beams (which I've had ticked all the time apparently) and I manually put the phone into 2g mode but had it connected all the time to gprs. Man, the battery life more than doubled; I've still got 70% battery left after a heavy day of usage.
But I miss 3g speeds for web browsing though. So I think a tool for 2g to 3g and back would be most appreciated, preferably not using mortscript and with a message saying "switching to Xg mode" or something. Unfortunately my programming skills are nearly non-existent.
anyone
Jeremy
Install Flightmode.exe from WinMobileApps.com and run it via MortScript.
# UMTS
RegWriteDWord HKLM,Software\OEM\UMTS,OpMode,2
sleep 500
Run "\Programme\FlightMode\Flightmode.exe"
sleep 3000
Run "\Programme\FlightMode\Flightmode.exe"
Use OpMode, 1 for GSM only and 0 for Auto.
Thanks, but it was me posting this to ppc-welt
bball said:
Thanks, but it was me posting this to ppc-welt
I wasn't claiming to be the author, just wanted to share the information here. Usually it's the other way round, sharing information from the Developers in other forums. Hope it helps and, yes, bball apparently is the Author.
Nono, I didn't take it like that, I was just surprised and thought it was quite funny to see my solution to this in the thread I originally asked for it
bball said:
Nono, I didn't take it like that, I was just surprised and thought it was quite funny to see my solution to this in the thread I originally asked for it
Yeah, it is funny indeed. But the solution you found yourself hasn't been posted here so I was thinking it should be added so people in this forum can find it. This is the international forum to share information at.
Anyway, thank you for the great solution! It really works fine and I still have the great runtime of my Trion together with fast UMTS where I need/want it. I think this has a high value!
GSM & 3G switching via Skschema Scripts
Hi folks,
I know some of you have been using Mortscript to change the network band in the registry and subsequently switch to 3G or GSM by clicking.
Well I had a look at seeing if I could do something similar using a SKschema script.
This is what I have come up with so far.
Skschema has commands which allow it to switch the radio(gsm) on/off as well as writing and deleting values/keys to the registry. (Tested on the Hermes)
SwitchToGSM.sksc
This script writes the value "1" for OpMode to the registry, pauses 1 second, turns the radio off, turns the radio on and connects to your data connection (GPRS ONLY).
Code:
#r(#rgset) #p(HKLM;\SOFTWARE\OEM\UMTS;OpMode;DWORD;1) #sleep(1000)
#r(#gsmoff)
#r(#gsmon)
#r(#connect)
SwitchTo3G.sksc
This script writes the value "0" for OpMode to the registry, pauses 1 second, turns the radio off, turns the radio on and connects to your data connection (Auto - if 3G is present it will connect to that).
Code:
#r(#rgset) #p(HKLM;\SOFTWARE\OEM\UMTS;OpMode;DWORD;0) #sleep(1000)
#r(#gsmoff)
#r(#gsmon)
#r(#connect)
You could assign both these Skschema scripts to hardware buttons; even better, if you use the voice notes button on the Hermes you could use one script for [press] and the other for [press & hold].
toggle2G_3G.sksc
In this script I have tried to add some intelligence. I wanted to use a script for 1 hardware button, with just one [press] to switch to GSM and a second [press] to switch to 3G - so it really toggles between the two modes.
To achieve this I used a little bit of logic and an extra key in the registry.
Code:
#r(#rgget) #p(HKCU;\Software\sk\schema\rad;Gsense;DWORD;0)
#r(#iftrue) #p(set2G)
#r(#rgset) #p(HKLM;\SOFTWARE\OEM\UMTS;OpMode;DWORD;0)
#r(#rgset) #p(HKCU;\Software\sk\schema\rad;Gsense;DWORD;0)
#r(#goto) #p(act)
#r(#label) #p(set2G)
#r(#rgset) #p(HKLM;\SOFTWARE\OEM\UMTS;OpMode;DWORD;1)
#r(#rgdelkey) #p(HKCU;\Software\sk\schema;rad)
#r(#goto) #p(act)
#r(#label) #p(act)
#r(#disconnect) #sleep(1000)
#r(#gsmoff) #sleep(1000)
#r(#gsmon)
#r(#connect)
This is how the script works: the "rad" key which I have put in the Skschema registry path is completely functionless - it's merely there as a check.
The script first checks to see if this key exists.
If it does, then the script moves along to the "set2G" label.
If it doesn't, then the script continues: the OpMode value is changed to "0" - enables AUTO mode. Then the "rad" key is created and the script moves along to the "act" label.
Following along from above, at the "set2G" label the OpMode value is changed to "1" - enables GSM mode only. Then the "rad" key is deleted and the script moves along to the "act" label.
At the "act" label the current data connection (if present or not) is disconnected, a pause before doing this of 1 second, the radio is switched off with another pause of 1 second, followed by switching the radio back on. Finally the data connection is re-connected.
The "rad" key is used to enable the script to decide which switching is required to GSM or to 3G.
Maybe a similar toggle action in one script could be done in Mortscript?
For anybody with Skschema I have attached the 3 script files.
Chalky.
-------
checkout Skschema tutorials
enable Band selection
SecureGSM said:
Alternatively, you can enable "Band" selection tab using registry editor.
Can someone tell me which registry keys to change, to enable Band selection using registry editor? The cab file mentioned did nothing on my device when I clicked on it.
I looked in WM5_Tweaks_Other and saw nothing referring to band selection. Thanks.
Hi. I am doing a program with a button icon to do this.
to activate only gprs:
1) Change the registry.
2) turn radio off.
3) turn radio on.
But only when I turn off the radio using the comm panel does the system "refresh" its data from the registry, and then it works. Any idea?
Thanks
Hi All,
Is there a tool which can get Cell id and LAC from command line for it to be used by other apps
Say I have script (mortscript)
Then I can call <Cellid APP> and get Cellid location where the device is
Then take action based on the Cell id.
Idea is to track the phone and let the owner know where all the phone on a web page.
I go from HOME -> LOC1 -> LOC2 ->Office (everyday)
In case the phone shows a path HOME -> LOC1 -> LOCX -> <UNKNOWN> .. then send a TEXT(SMS)/update page etc ... to alert the users.
Kind of a way to make your phone secure.
Any suggestion if it can be done with any existing tools and mortscript etc ...
http://www.xs4all.nl/~itsme/projects/xda/tools.html
has something called riltest ...
riltest - dumps all kinds of info from the phone via ril
But the zip file does not have this file... Could anyone let me know if this file is available anywhere else.
Ok, got a riltest from another forum which does something similar ... ALMOST....
what it can do is dump all to a LOG file ... I am using a Mortscript
1. Run the app
2. make app to dump logs
3. get the details from the file.
4. close the app.
Now loop this with a sleep ...
But still looking for better way.. Attached is the file for anyone who is looking for similar stuff.
Hi,
I too was looking for something in this line and ended up writing it myself.
Props to this chap for the code to get me started:
http://dalelane.co.uk/blog/?p=241
Basically you call 'RilCmdLine.exe' with a parameter indicating what field you want. It returns the field as an int to MortScript (I think you need MortScript 4.3b1 or above?).
Supports LAC, Country Code and Cell Tower ID.
The zip includes a test mortscript - you may just need to edit the path to RilCmdLine.exe
(Source code on request. I may even support it )
Hope this helps!
onion
Hi
Thanks for the exe file. However I am unable to see any result when I run the exe/mscr on my mobile (HTC 3300 WM6). I did edit the path also executed from cmd line on mobile.
Also Mortscript RunWait and Run will not return any results as per the Mortscript doc. So the result has to be redirected to a file.
Could you please check and let me know if the exe is required to be executed with different parameters.
Thanks
What version of Mortscript are you running?
I had to upgrade to 4.3b2 to get the return code from the exe.
Get it here
http://www.sto-helit.de/index.php?module=download&action=view&entry=125
In the notes for b1 mentioned the return code functionality being added.
Hope this sorts it for you
Perfect !! That works perfectly ... I updated to the MortScript you suggested.
Excellent Work !! ... Really good. Thanks man
Will it be possible that if I don't pass any Command line parameter ... Can I get all the values... Like CELL ID, LAC etc ..
Glad you like it
Unfortunately you can't get all the values at once (at the minute you can only return numbers from the exe, so there is no way to separate them).
My original idea is something along what you suggest - if I get that working I will post a new exe up here.
Thanks
Thanks onionfx! This is just what I was looking for as well. Trying to do something similar to what wishme said. ;-) The common profile switchers out there are not very useful to me because I'm more of in a rural area, and cell towers are farther apart, so my home and work cellid overlap sometimes, so I want to also take into account signal strength to see if I can fine tune it better. Will probably use Mortscript since it's the only thing I've learnt to code with for Windows Mobile.
I'm bookmarking this page to see if you eventually get the prog to output all in one line (and reduce the CPU churn of calling the same prog several times).
BTW, how about also returning nearby cells in order of signal strength? That would be awesome to fine-tune your location even more!
Good work!
Cesar
Doing some thinking about this
I can't see any way of returning all the values at once.
The C code can only return an int in the range -2,147,483,648 to 2,147,483,647 and my CellID and LAC are 5 digits each so if they ever started with a digit greater than 2 I couldn't return it.
The 2 best options I think are writing another exe that dumps the data either to a file, or to the registry in a similar way as riltest above, but without the UI part.
Then write a script that could be included, and which has nice subs to access each parameter (or you are free to write your own script calls to do this).
I'm tending to the file as I imagine reading from the registry is a bit slower than reading the file (in one go and storing all the params as variables)?
Also I can do less damage if I use a dedicated file!
Anybody got any better ideas, or has a good reason to use the registry?
Goodnight
Are we talking about GSM signal strength?
REGISTRY entry: HKLM\System\State\Phone\Signal Strength (DWORD value)
More here: http://wiki.modaco.com/index.php/Windows_Mobile_5_Registry_Tweaks
Also, is it possible to get all the other cell IDs at any point, not just the one the phone is connected to? I have not seen any app providing this info.
Except for Google maps on mobile (without GPS): it uses a triangulation technique to get the latitude and longitude of a location with all the cell id locations available. For this method to work we require at least 3 cell ids.
Does RILCELLTOWERINFO give details about other towers also?
I wonder what the requirements are for the command line tool?
It locks up when I run it on my MotoQ smartphone.
onionfx said:
Supports LAC, Country Code and Cell Tower ID.
The zip includes a test mortscript - you may just need to edit the path to RilCmdLine.exe
(Source code on request. I may even support it )
I can't get this to work. I get "-1" for all 3 values. Can anyone offer any reasoning as to why this may be? I believe my ROM includes the .Net framework, but I'm not sure how to check.
Thanks
onionfx said:
Basically you call 'RilCmdLine.exe' with a parameter indicating what field you want. It returns the field as an int to MortScript (I think you need MortScript 4.3b1 or above?).
Supports LAC, Country Code and Cell Tower ID.
The zip includes a test mortscript - you may just need to edit the path to RilCmdLine.exe
(Source code on request. I may even support it )
Hope this helps!
onion
Excellent work! Thank you!
Thanks onionfx for your contribution. I might need it for a use similar to the one described by wishme.
Okay, so I just spent an entire Saturday, Sunday evening, and Tuesday evening, about 15 hours of work total, to flash my phone, got everything working. IMO it was way too hard for how simple the task was because of a lack of clarity and information.
MY ADVICE: find two or three different guides, and use my advice below as a loose guide as well, the more info the better. the LEGAL FLASH GUIDE posted for noobs on this site is great, cause it goes step by step, but it does leave out some rather vital parts, so you have to have a good understanding of computers and have sound logical reasoning to get this done.
1) Buy an incognito and download Windows XP and a Virtual OS Software, don't waste your time installing XP and ruining your machine, run it virtually for the incognito modem driver.
2) USE DFS CDMA TOOL, CDMAWS IS USELESS, AND QXDM is only good for ESN AND MEID STUFF... type in the correct SPC which you can get from boost mobile by calling them and asking them for it.
3) SCREENSHOT ALL INFO UNDER PROGRAMMING TAB, including General, NAM, Data, Mobile IP, and then save your 4 NV files needed, 455 etc under NV tab.
4) Put Evo in diag mode on windows 7 side, and use QXDM to SCAN for your ESN LOCATIONS, don't play a guessing game, SCAN. 0 them out.
5) FOR MEID, I suggest googling your radio version and OS version to find a list of matching MEIDs, this will eliminate most for you, then once you've done this, do a scan for the remaining ones. Use HxD HEx editor to scan, THIS IS THE BEST PROGRAM, do not waste time with others. Use windows calculator to calculate locations of remaining hits.
6) once you've zero'd it out, restart the phone, it will rewrite the MEID, 0 out the locations again, then use QXDM to write the new meid, don't worry, it will figure out the ESN.
7) Now, go back to DFS TOOL, COPY ALL INFO from programming tab from old ****ty phone to new pretty evo.
8) You will likely get a "error 16" message once you switch over, just talk to the sprint lady and act confused and they'll fix your phone.
9) if you get error 67 you didn't copy the info in DFS to new phone correctly, you might have two different AAA keys and make sure you have the right amount of profiles and everything matches mind your p's and q's.
will other phones work? Yes, DFS CDMA Tool iS AMAZING for reading encrypted information and is connected to their servers for many things, like updating PRL etc. some phones however do not use AAA shared keys, like blackberries.
will this work on verizon and virgin and alltell? yes, CDMA's all the same guys. just make sure your donor phone can be read correctly in DFS cdma tool and i don't see why you couldn't get this to work.
Is there a guide for this program???
Sent from my SPH-L900 using Tapatalk 2
I use cdma workshop .... it takes less than 30 minutes to flash the phone into boostmobile ... and you don't need qxdm nor qpst ... just one program *cdma workshop*
Sent from my SGH-T999 using XDA Premium HD app
Intel / Infineon XMM6260 & X-GOLD 626 Modem Hack-Pack Release!
After several unsuccessful months of trying to get my phone (application) to
talk AT-commands with the baseband processor (BP), I've had to learn a lot of
hardware and internal Android and OEM based tricks and secrets. Although this
has not been enough to make anything of practical use, it is definitely worth
sharing. If not, at least some more talented people may be able to continue
where I have left off...
Now, it should be immediately stated that there is nothing revolutionary
in here, apart from the Infineon manual for tuning your GSM modem, using the
AT CLI and GTI sequencer. This is something that could potentially be very
useful for better understanding the advanced features that the modem
platform incorporates. However, it is also a sure way of making an
expensive brick out of your phone! You have been warned...
Brief Modem Description
The XMM6260 is the "platform" that consists of:
The X-GOLD 626 baseband processor
The SMARTi UE2 RF-transceiver DSP
The 3GPP Release 7 HSPA+ protocol stack with:
Downlink: Category 14, Uplink: Category 7
The X-GOLD 626 baseband processor (labelled "PMB 9811") is communicating
with the DSP RF-transceiver chip called SMARTi-UE2 (labelled "PBM 5712 A1"),
using a communication interface that corresponds to the MIPI DigRF-3G
(V.3.09) standard. Through this protocol the BP can control some or all
aspects of the RF DSP.
Alternative Names
Infineon IFX6260
Intel IMC6260
Intel XMM626
Some other devices using this platform:
Code:
- Lava XOLO X900 [Phone] FCC ID: ???
- Lenovo K800 [Tablet/Pad] FCC ID: ???
- LG-P920 (LG ?) [Phone] FCC ID: BEJP920
- LG-P925 (LG Optimus 3D?) [Phone] FCC ID: BEJP925
- Huawei E369 (3G Hi-Universe) [USB 3G Modem] FCC ID: QISE369 (Russian distributor: Merlion)
- Huawei MU733/MU739 [PC/CE Module] FCC ID: QISMU739
- Samsung Galaxy Nexus (I9200) [Phone] FCC ID: ???
Other devices that may (!?) also contain the X-GOLD 626:
---------------------------------------------------------
- LG Optimus 4X HD [Phone] FCC ID: ???
- HTC One X [Phone] FCC ID: ???
- Huawei Ascend D Quad [Phone] FCC ID: QIS ???
- Huawei E392 (E392u-511) [LTE Multi-mode USB stick] FCC ID: QISE392U-511
- Huawei E353 (E352s-6) [HSPA+ USB stick] FCC ID: QIS ???
Hack-Pack Content
Code:
- Pictures/Diagrams:
- XMM6260 colored pinout map
- XMM6260 mounted in a Samsung Galaxy S2
- SMARTi UE DSP RF-transceiver chip mounted in the SGS-2
- IPC xxxxxx stuff
- Infineon PhoneTools testing program
- Raw 1byte greyscale PNG of modem.bin from XXKI1
- PDF files/documents:
- ITA-RF-Adjustment-GSM (XMM6260 Specification)
- Infineon MIPI-HSI Product Brief
- X-GOLD 616 Product Brief
- Fairchild FSA9280/88A USB/UART switch/MUX datasheet
- Similar Modem AT sets/documents:
- AT_Command_Set_3GPP-TS-27007-940.pdf
- AT_Command_Set_AMOD_HSPA.pdf
- AT_Command_Set_Gobi.pdf
- AT_Command_Set_Motorola_XM7200S.pdf
- AT_Command_Set_Teltonika_TM3.pdf
- AT_Command_Set_iWOW_TR-900.pdf
- Text Files:
- 3GPP 27.007 AT-list
- XMM6260 official AT-set
- XMM6260 internal AT-set
- XMM6260 homebrew specifications
+ X-GOLD 626 Modem pinouts
+ MUX pinouts
+ AP connections (SGS2)
+ AP relevant info
- Strings of modem.bin (stock firmware image: XXKI1)
- Strings of drexe
- Strings of rild
- Strings of libril.so
- Strings of libsec-ril.so
- GT-I9100 stock (GB 2.3.4) binary files:
(Taken from: PDA: XWKI4, Phone: XXKI1)
- libKiesDataRouter.so
- libril.so
- libsec-ril.so
- libsecril-client.so
- drexe
- rild
- Android hardware hacking binaries (tools):
- dbus-monitor
- dbus-send
- hciconfig
- hcidump
- hcitool
- i2cdetect
- i2cdump
- i2cget
- i2cset
- ipcfilter
- ipcdump
- ipctool
- procmem
- showmap
- showslab
- strace
- tcpdump
- viewmem
+ various other content
Download Here! (57.72 MB)
The modem firmware referred to and studied can be
found here (Modem.bin.7z) or here, under "XXKI1".
-------------------------------------------------------------------------------
DISCLAIMER:
All the material in this collection was found on internet by
appropriate Google-Fu and/or by laborious manual creation.
Nothing is stolen or reversed, so I am not held responsible
for the origin or problems affiliated with the use of these
documents, programs or other binaries.
-------------------------------------------------------------------------------
If you are a developer or other corporate official of Intel or Infineon:
Please contact your superiors and ask them to release the proper
datasheets and documentation of these products to the public.
Why? Because:
1. It would significantly increase the sales of your hardware, by promoting
a much more open approach to hardware development. There are currently
more than 10 open-sourced and open-hardware smartphone projects around
the world, who would benefit from the use of a more modern baseband than
what is currently and openly available.
2. It would significantly promote your hardware in front of your competitors,
as your company would be the first one to open up your documentation to the
public. Thus increasing public technical knowledge of your hardware, which
would ultimately lead to you having an easier time to find qualified
developers that cost you less!
3. It would significantly reduce the cost and time for firmware development,
while increasing the firmware code-quality and compatibility, as you
would be able to benefit from the large community and knowledge from
other professional developers as well as hardware-hackers.
(Yes, there are several bugs found in your firmware, but since there is
no way to report and discuss these with your developers, they will
continue to cost you money and head-scratching for all developers
having to deal with your platform.)
Your competitive advantage due to 1-3 would promote new and better
future hardware developments, that would not only benefit your
company/business but also society as a whole.
It's simply the right thing to do!
The thread where all this becomes crisply relevant is this one:
[A][SGS2][Serial] How to talk to the Modem with AT commands
There you will find all documents which I have found to date, which
is essentially none. At least nothing that can be of ANY practical use.
UPDATE: [2012-04-17]
As soon as I get a chance I'll update the HackPack (HP) with new data regarding the MUX
and some other hardware used in the SGS2. This data, as presented within HP, is simply wrong!
Reserved 2 me 3
Awesome info I was also thinking looking at the ServiceMode application in the SGS2 could provide interesting information. BTW, do you know if the X-GOLD has a diagnostic mode similar to the one usually found in Qualcomm modems?
xd.bx said:
Awesome info I was also thinking looking at the ServiceMode application in the SGS2 could provide interesting information. BTW, do you know if the X-GOLD has a diagnostic mode similar to the one usually found in Qualcomm modems?
Thanks! The ServiceMode app is mostly interesting because its code actually resides inside the Modem firmware, where the java app is acting as a wrapper. I'm not familiar with the Qualcomm modems, could you elaborate on what that "diagnostic mode" does? (The x-gold firmware is FULL of various modes. Just depends on what you want to do, and to get the proper documentation on how to use it!)
Just found ... a bit older, but still very interesting
http://hwplatform.googlecode.com/svn/trunk/Infineon/
RNC States from libsec-ril.so
Hi
Very valuable information! Does anyone have an idea about how to get the information displayed from serviceMode programmatically? Looks like most of it is being polled directly to the libsec-ril.so. In my case I'm interested in obtaining information about the RNC states on the handset
Thanks for this information
Thanks for the info E:V:A. I did quite some figuring out about the Radio/DSP unit of the Nokia DCT3 back in the day and also the GSM protocol (anyone remember Project Blacksphere / OpenGPA?).
Things have likely come a long way since then. One thing that is clearly different is that the baseband processor is completely isolated from the application processor. In the DCT3 there was one ARM processor that drove both the user interface and parts of the GSM protocol, and connected to a DSP for the low-level radio stuff.
I wonder how other things have changed with 3G. I may get back in the game. This will give me a head start
Memory map and boot process
It appears that modem.bin consists of multiple partitions that are loaded separately at bootup of the device, reflecting the modem boot up sequence in libsec-ril.so:
Code:
Offset Size Address Description
0x000000 0x00f000 0x00800000 PSI
0x00f000 0x019000 0x60000000? EBL
0x028000 0x9d8000 0x60300000 Main image
0x9ff800 0x000800 Used for verification (building ReqSecStart command)?
0xa00000 0x200000 0x60e80000 NV data (file contains default data)
0xc00000 0x000200 Unused?
Offset is the offset in the file, address is the flash/RAM offset on the device. The whereabouts of the EBL are a bit unknown; address 0x60000000 is based on a guess, the others are sure.
Also I did an attempt at constructing the run-time memory map of the device, based on static analysis but as I've not found a way yet to actually probe it there are quite a few question marks.
Code:
Device memory map:
0x00000000 RAM/ROM? (what is here?)
0x00080000 PSI bootloader *RAM*
0x40000000 Flash (what is flashed here?)
0x60000000? Code (EBL)
0x60100000 Flash
0x60300000 Code (Flash)
0x60e80000 NVram data (Flash)
0xe0000000 Peripheral mapping for memory-mapped I/O (256MB)
0xffff0000 Memory (initial stack)
As for I/O devices in peripheral mapping, my understanding is still very limited and based on the bootloader only. I have a longer list of addresses from static analysis, but as I can't yet label anything it is pointless to publish. As usual, the upper bits (how many? 8?) select which peripheral, the lower bits (20?) select a port within that peripheral.
Code:
0xe4d00164 ? status bits
0xe4d00384 ? status bits
0xe8000070 ? status bits
Entry points:
Code:
Offset Address Description
0x000000 0x00080000 Boot loader
0x00f400 0x60000000? EBL
0x1a8000 0x60480000 Main stack
I'm trying to run this in QEMU and created a basic environment, but as my understanding of ARM kernel space (interrupt handling, timers, etc) is very limited, it currently gets stuck in a loop waiting for some other thread (or interrupt handler) to update an address.
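As an added example (not code from the thread, Samsung or Intel), here is a small Python tool that applies the partition table from the post above: it splits a modem.bin into its regions, translates between file offsets and device addresses (useful when a disassembly of the main image gives you an address and you need the file offset, or vice versa), and checks that the table tiles the whole file. The only assumption beyond the post is the PSI address: the partition table says 0x00800000 while the post's memory map and entry-point table say 0x00080000, and the code takes the latter. A sample image is constructed in memory so the script runs offline; note that the post's "Main stack" entry point (0x1a8000 -> 0x60480000) falls out of the MAIN mapping, which is a useful consistency check on the table.

```python
"""Split a GT-I9100 modem.bin (XMM6260 / X-GOLD 626) into the partitions listed
in the post above and translate between file offsets and device addresses.
Added example; not code from the thread or from Samsung/Intel.
"""
from collections import namedtuple

Partition = namedtuple("Partition", "name offset size load_addr note")

# Layout copied from the post's partition table. The EBL address is the post's
# own guess. For PSI the partition table says 0x00800000 but the post's memory
# map and entry-point table say 0x00080000; this example ASSUMES 0x00080000.
MODEM_LAYOUT = (
    Partition("PSI",  0x000000, 0x00F000, 0x00080000, "PSI bootloader (RAM)"),
    Partition("EBL",  0x00F000, 0x019000, 0x60000000, "address is a guess"),
    Partition("MAIN", 0x028000, 0x9D8000, 0x60300000, "main modem image"),
    Partition("SEC",  0x9FF800, 0x000800, None,       "verification block?"),
    Partition("NV",   0xA00000, 0x200000, 0x60E80000, "default NV data"),
    Partition("TAIL", 0xC00000, 0x000200, None,       "unused?"),
)
IMAGE_SIZE = 0xC00200  # end of the last entry in the table

# Note: SEC (0x9FF800..0xA00000) lies inside MAIN (0x028000..0xA00000), i.e. the
# verification block is the final 0x800 bytes of the main image.


def split_modem_image(data: bytes) -> dict:
    """Return {partition name: bytes}; refuse images shorter than the table."""
    if len(data) < IMAGE_SIZE:
        raise ValueError(f"image is {len(data):#x} bytes, table needs {IMAGE_SIZE:#x}")
    return {p.name: data[p.offset:p.offset + p.size] for p in MODEM_LAYOUT}


def offset_to_addr(offset: int):
    """File offset -> device address, or None when no address is known.
    MAIN precedes SEC in the table, so offsets in the verification block
    resolve into MAIN's address range."""
    for p in MODEM_LAYOUT:
        if p.offset <= offset < p.offset + p.size:
            return None if p.load_addr is None else p.load_addr + (offset - p.offset)
    return None


def addr_to_offset(addr: int):
    """Device address (e.g. from a disassembler) -> file offset, or None."""
    for p in MODEM_LAYOUT:
        if p.load_addr is not None and p.load_addr <= addr < p.load_addr + p.size:
            return p.offset + (addr - p.load_addr)
    return None


def layout_gaps() -> list:
    """Byte ranges of the file not covered by any partition (expected: none)."""
    gaps, cursor = [], 0
    for start, end in sorted((p.offset, p.offset + p.size) for p in MODEM_LAYOUT):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < IMAGE_SIZE:
        gaps.append((cursor, IMAGE_SIZE))
    return gaps


def build_sample_image() -> bytes:
    """Constructed stand-in for a real modem.bin: zero-filled, with each
    partition's name written at its start so the split can be verified."""
    img = bytearray(IMAGE_SIZE)
    for p in MODEM_LAYOUT:
        tag = p.name.encode().ljust(8, b"\0")
        img[p.offset:p.offset + len(tag)] = tag
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    parts = split_modem_image(data)
    for p in MODEM_LAYOUT:
        addr = "-" if p.load_addr is None else f"{p.load_addr:#010x}"
        print(f"{p.name:5} file {p.offset:#08x}+{p.size:#08x} -> {addr:>10}  {p.note}")
    print("gaps:", layout_gaps() or "none")
    # The post's "Main stack" entry point, file 0x1a8000, should map to 0x60480000.
    print(f"0x1a8000 -> {offset_to_addr(0x1A8000):#x}")
```

Run it with a real modem.bin path as the first argument, or with no argument to use the constructed image. Without a firmware, the offset/address mapping alone is enough to sanity-check the table: it reproduces the post's main-stack entry point exactly.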
just thought it might be of interest and help - http---en.samaanet.com/?p=2390
direct link:
http://en.samaanet.com/?p=2390
Polarfuchs said:
direct link:
http://en.samaanet.com/?p=2390
That's a direct rip-off of my XDA thread!
Any more posts with such links will be removed!
How should I know, I just posted the link as "service" because the user above me couldn't post links.
I've been informed that the download link doesn't work. I will upload again as soon as I have time...
Really interesting stuff you have got here.
One thing I've been searching for a while now: I own a Galaxy Nexus, which has a XMM6260 modem. Samsung had on their stock ROM a feature in service mode where you can check the power modes of the 3G data connection. Since the Galaxy S2 has the same modem, thus it should be possible to get that feature.
I'm interested in this stuff because my Galaxy Nexus likes to drain like crazy on the 3G network that I use and I suspect that it has to do with the 3G data power modes. 3G+wifi is extremely efficient in power use but 3G+mobile data is a big battery hog.
I hope you post a working link soon, then I can start reading this stuff.
Seems like this might be the best place to ask this... I also asked in the "fun with AT commands" thread so my apologies up front for the spam.
I'm looking for a fastboot friendly radio baseband I can flash with a 4.2.1 friendly RIL. This may be more than what I actually need but I've got a full telephony build of the Nexus 7 3G going and while SMS and MMS are fully functional I'm getting a CME ERROR: 4 when I try to do voice dialing and don't see anything coming in via logcat on an inbound call.
The mobile plan I'm using is full voice capable and verified as functional.
Doing a strings of the included RIL (libxgold-ril.so) shows all the necessary voice functions listed (although I guess this could be a false positive if it is interface based).
The modem mounts up on /dev/ttyACM0 and I'm able to do all the basics with radiooptions, except voice dialing and answering of course.
Any pointers / advice / direction would be greatly appreciated... coming up to speed real quick in this area.
XGold626 One X Pinout
I have removed my BB CPU and here is the pinout if it helps anyone
How to start?
I'm a rookie so is anyone can provide a step-by-step tutorial about how to send AT commands to the baseband processor directly? Right now I only can use i2cdetect to list i2c channels, but how to do next?
Thanks,
Andong
XGold 626 Reversing
witchspace said:
It appears that modem.bin consists of multiple partitions that are loaded separately at bootup of the device, reflecting the modem boot up sequence in libsec-ril.so:
[snip]
Hi!
Nice work. I'm working on reversing the xgold626 baseband as well. Specifically, I'm looking at the NELK2 baseband for my GT-i9300.
Perhaps we could join forces? Anyone else working on reversing the xgold626 baseband is welcome to contact me as well.
I'm reachable at: je at clevcode.org, or on my ircd (irc.clevcode.org, port 7000, SSL, nick je).
Cheers,
Joel
witchspace said:
It appears that modem.bin consists of multiple partitions that are loaded separately at bootup of the device, reflecting the modem boot up sequence in libsec-ril.so:...
I'm trying to run this in QEMU and created a basic environment, but as my understanding of ARM kernel space (interrupt handling, timers, etc) is very limited, it currently gets stuck in a loop waiting for some other thread (or interrupt handler) to update an address.
clevcoder said:
Specifically, I'm looking at the NELK2 baseband for my GT-i9300. Perhaps we could join forces? Anyone else working on reversing the xgold626 baseband is welcome to contact me as well.
Yep, that is very interesting. Send me a PM if there is more interest in pursuing this further! What's the primary interest of doing this?