Qualcomm IMS/VoLTE configuration demystify - OnePlus 8 Pro Questions & Answers

Background
It has been a long time since Qualcomm first launched IMS support in its AMSS (Advanced Mobile Subscriber Software) subsystem, since the CDMA platforms, which is the major functional part of the VoLTE implementation on MSM platforms. But even years later, almost no one talks about this topic on the internet. Someone noticed the Samsung IMS configuration, but it's a higher layer and not applicable to original MSM platform phones.
Why no one talked about manual VoLTE configuration in the past
There are many reasons that caused this situation. First, Qualcomm has an NDA on its platform's internal scheme, and many engineers hesitate to share even some simple magic values for some NV items, which results in a complete black box for APSS Android environment developers. Second, when there was a limited number of available VoLTE phones, the manual configuration methods were hidden by the selfish drive-test related device sellers, and they even tried to block some useful info on some websites by abuse in order to hide the top business secret. I tried to talk about this topic in the past, but it all got blocked in the end. Third, the phone vendors want you to just buy new phones to get VoLTE support, and they simply choose not to support the sold devices, and sometimes even add barricades; this is something that is not noticed by many customers.
How it worked
Most of the Qualcomm IMS features are implemented in the AMSS subsystem, which means the configuration is saved in the modem's memory, in this case the EFS on QC phones. That means you will not get VoLTE to work through some Android-side prop modification, like the much-talked-about Magisk VoEnabler. Although these props in the Android environment are the key switch to launch the IMS function routine, it will not work when you just open the switch. They are just some RILJ/RIL control flags that decide which phone is to be used (the imsphone or gsmphone in RILJ code). Such prop flags may vary from vendor to vendor, and an extra prop might need to be set to make sure the IMS routines are properly called. In plain English, the Android side is just a client of the IMS client inside the modem AMSS subsystem; all of the actual IMS procedures are completed in the modem environment.
How is it configured
There are many tools to configure this right now, I guess even some private ones, but the major way to configure IMS is through QXDM, which has plenty of NV items and EFS configuration in its IMS section. Qualcomm has had an internal guide since MSM8960 that talks about how to manually set those values to make IMS VoLTE work. However, I haven't seen anyone even talk about it, maybe due to the reasons I gave above. Obviously, such a manual configuration method is user-unfriendly, so QC had to find some other way. This introduced the MBN MCFG when the Chinese were rolling out VoLTE, and I guess the method was invented by OPPO (patents about it). The MBN format had been used by QC for years, but the MCFG MBN is different at least in some way, so there are no currently available tools to parse it on other platforms except AMSS itself. So the MCFG MBN contains IMS-related configuration, but how do you find what it actually contains? This problem remained unsolved until I found ORCT by linneman in 2018, a simple and buggy toolkit that parses at least some recent MSM8996 platform MBNs, and I finally got the proper contents of the sw_mcfg.mbn file. Then it was time to manually add those NV and item files into EFS through QPST, and after all that VoLTE finally worked.
Misconception about MCFG MBN
I guess people noticed something about MBN when some guy tried to use VoLTE on the Pixel 2, and then they made the Magisk VoEnabler. They thought they had loaded the proper sw_mcfg.mbn by replacing the MBNs inside the vendor partition, but none of them realized that they had actually fallen back to the generic 3GPP configuration of the MSM platform. After MSM8996, that configuration enables the IMS feature by default to work on some 3GPP lab setting networks, and interestingly, by coincidence, it works on live networks.
Further work
Android PDC
In fact, there is an app called MBN test which many users consider bloatware. None of them realized it is an important toolkit, like PDC, used to choose the MBN for carriers. On the phone itself it works through the RIL_PDC related commands and has the same features as the Windows PDC, but this app is misconfigured outside the factory, and its configuration methods are kept highly secret by the vendors. No one is willing to answer this question.
Android IMS NV configuration
After Android Lollipop, Google introduced the carrierconfig framework, which provided some internal methods like nvReaditem that can actually be used to configure the IMS parameters on the modem side, but it's really weird that no one on the whole internet has realized this usage. I think it would be a more generic and one-click way to DIY VoLTE, even on some other platforms, through those APIs, but no one has ever talked about it.
Add the ORCT mirror
GitHub - vtsingaras/orct: Open Radio Calibration Toolkit, an enhanced Open Source Implementation to replace Qualcomm's QRCT

Hey I'm wondering if you know how to change the identification domain. My carrier, Bell mobility, uses "ims.bell.ca" instead of the standard "ims.mnc610.mcc302.3gppnetwork.org".
My OnePlus 8 phone uses [email protected] as its identification and the IMS core answers with 403 Forbidden.
A Pixel 5 requests [email protected] and it's working.
What do I need to change in the MBN to make it use "ims.bell.ca"?
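The "standard" domain quoted in this question follows the 3GPP TS 23.003 rule for identities derived from the IMSI. The sketch below is an added example, not code from the thread or from Qualcomm: it derives that default domain and classifies the realm of an identity seen in a REGISTER as the 3GPP default or an operator-specific one. The IMSI values are constructed and the function names are hypothetical.

```python
# Added example (not from the thread): IMSI-derived IMS identities as defined
# in 3GPP TS 23.003 clause 13, plus a realm check for an observed identity.
import re
from dataclasses import dataclass

SCHEME = re.compile(r"^sips?:", re.IGNORECASE)

# Constructed IMSI: MCC 302 / MNC 610 as in the post, subscriber digits made up.
SAMPLE_IMSI = "302610000000001"


@dataclass(frozen=True)
class ImsIdentity:
    domain: str  # home network domain name
    impi: str    # private user identity
    impu: str    # temporary public user identity


def derive_default_ims_identity(imsi: str, mnc_len: int) -> ImsIdentity:
    """Build the identities a UE derives from the IMSI.

    mnc_len (2 or 3) cannot be inferred from the IMSI digits themselves, so
    the caller supplies it (assumption: known from the SIM or the operator).
    """
    if not re.fullmatch(r"\d{6,15}", imsi):
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    mcc = imsi[:3]
    # A 2-digit MNC is left-padded with a zero in the domain name.
    mnc = imsi[3:3 + mnc_len].zfill(3)
    domain = f"ims.mnc{mnc}.mcc{mcc}.3gppnetwork.org"
    return ImsIdentity(domain, f"{imsi}@{domain}", f"sip:{imsi}@{domain}")


def realm_of(identity: str) -> str:
    """Return the lower-cased host part of an IMPI or SIP URI."""
    rest = SCHEME.sub("", identity.strip())
    user, sep, host = rest.rpartition("@")
    if not sep or not user or not host:
        raise ValueError(f"no user@realm in {identity!r}")
    # Drop URI parameters and an optional port.
    host = host.split(";", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


def classify_realm(observed: str, imsi: str, mnc_len: int) -> str:
    """Compare the realm of an observed identity with the IMSI-derived one."""
    realm = realm_of(observed)
    if realm == derive_default_ims_identity(imsi, mnc_len).domain:
        return "3gpp-default"
    if realm.endswith(".3gppnetwork.org"):
        return "3gpp-other-plmn"
    return "operator-specific"


if __name__ == "__main__":
    ident = derive_default_ims_identity(SAMPLE_IMSI, 3)
    print("default domain:", ident.domain)
    for seen in (ident.impu, f"sip:{SAMPLE_IMSI}@ims.bell.ca"):
        print(seen, "->", classify_realm(seen, SAMPLE_IMSI, 3))
```
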

Any news about this topic?
Based on other guides I am trying to load MBN files from other smartphones' ROMs having the same SoC (Snapdragon 845), but the new MBN file is not loaded and I see no error.

Related

android dictionary

I found this in the Xperia X10 general section; maybe we should have the same thread in our general section.
[source] xperia x10 general section from kloud_
I was going through another site & came across a Terminology Guide. I couldn’t find something similar here so just wanted to take it upon myself to create a well organized post providing abbreviations & terminology so that any one, Master or Newbie, can have a quick reference guide to all things droid. I myself do not know everything but I do know some things & I believe with some help from the moderators & contributing members of xda-developers, we can throw together a one-stop-shop for all the droid info.
A special thanks to Sam Fisher at droidforums for the inspiration!!
Thanks to My_Immortal, OmegaRED^ & Spaarc for their suggestions & information shared!
________________
ADK: Android Development Kit, What people use to develop anything for the Android such as ROM's
The ADK (Android development kit) is divided into 3 parts
1. Android SDK (Software development Kit): used to make easy programs which only require touch & some sensors , e.g. Games
2. Android NDK ( Native Development Kit): this is used to Create apps which require Hardware or Use the native binaries & libraries of Android , eg. Camera , CyanogenMod Settings, Oxygen Settings , etc.
3. Android PDK ( Platform Development Kit): As the name suggests this is the main kit which allows to make all ".mk" files (eg. Android.mk , etc) & most of the files found on github
Basically Dev's like FXP , Z , Achotjan , kxhawkins , etc. Use the PDK to make AOSP/CM7 ROMs from source
& Also use NDK to edit the system apk's etc.. to make it stable
adb: Android Debug Bridge, a command-line debugging application included with the SDK. It provides tools to browse the device, copy tools on the device, & forward ports for debugging. If you are developing in Eclipse using the ADT Plugin, adb is integrated into your development environment.
AOSP: Android Open System Project, usually you will see this term when referring to a program or ROM. This will mean that the program or ROM was taken from Google & does not contain any modifications done by the phone Manufacturer or the phone service provider. This is Android the way Google intended.
Baseband or Radio: In communications & signal processing, the baseband describes signals & systems whose range of the frequencies measured from close to 0 hertz to a cut-off frequency, a maximum bandwidth or highest signal frequency; it is sometimes used to describe frequencies starting close to zero
Boot Loader/SPL: In literal terms, boot loader is code that is executed before any Operating System starts to run. The concept of boot loaders is universal to virtually all Operating systems that includes operating systems on your PC, laptop, Smartphone, & other such devices. Boot loaders basically package the instructions to boot operating system kernel & most of them also have their own debugging or modification environment. As the boot loader kicks off before any piece of software on your device, it makes it extremely processor specific & every motherboard has its own boot loader.
Boot Loader/SPL (Unlocked): A locked or unlocked boot loader is what gives you access to “root.” “Root” is another big word in the Android community. If you “root” a device, it means you have “super user” access or “administrator” access to the operating system that runs on your phone. Root access of your Android device gives you the ability to flash ROMs.
One of the most popular ROMs was created by a team called the CyanogenMod(CM), & their current rom is CM7, which is built on Android 2.3 Gingerbread. What this means is that if you have a phone that has an unlocked boot loader & root access, you can flash the CM7 ROM to your phone with a couple more steps. This also means that you can get access to most of the features in the latest version of Android that is commercially available, without having to wait for your manufacturer or carrier to give you an official update.
Boot Loop: Simply means something is preventing the phone from completing its boot cycle & is stuck between the boot animation & the unlock screen, creating a looped animation. This is often fixed by either reloading a NAndroid, or Reflashing a ROM from the xRecovery/ClockworkMod Recovery/Flashtool.
Brick or Bricked: Jargon for a completely unrecoverable device, (no more than a brick or paperweight)
Note: It is my understanding that radio will boot first, followed by other systems. So it is IMPORTANT that your radio image/version will work with your SPL image/version. This is the one & only reason for phones being bricked. You cannot brick your phone by flashing a ROM or Boot image or recovery image. Once you flash the wrong radio for the SPL, the only known method of recovery is to send the phone back into SE for repair.
How do I know the phone is hard-bricked? A hard-bricked phone cannot boot into boot loader, recovery, or into normal operation modes. You cannot connect to a hard-bricked phone via adb or fastboot. You can only see one screen on the phone & it will be the first splash screen.
Bug or Software Bug: An Error or flaw in software that produces a failure or unexpected/unwanted result. Typically created from incorrect code, this is why some ROMs are better & smoother running than others because developers have taken the time to input "perfect" code (read put in a lot of hours & hard work)
Busybox: A single multicall binary that packages the functionality of most widely used standard Unix tools, BusyBox provides a fairly complete environment for any small or embedded system.
COMPCACHE: (compressed caching) is, in short, virtual swap, setting aside a certain percentage (usually 25%) of your RAM as 'compressed' swap. Compcache compresses the data that would normally go to swap, then moves it back into RAM, and reverses the process when moving it out of the 'compressed' swap. However, this is a classic space-time tradeoff. You effectively get more RAM from the compression, but it is slower than 'normal' RAM due to the CPU time required to compress and decompress the swapped pages.
ClockworkMod: A recovery program that is often used to apply updates, ROMs, or create a back up or restore a backup file
Dalvik: An open source, register-based virtual machine (VM) that’s part of the Android OS. The Dalvik VM executes files in the Dalvik Executable (.dex) format & relies on the Linux kernel for additional functionality like threading & low-level memory management. The virtual machine is register-based, and it can run classes compiled by a Java language compiler that have been transformed into its native format using the included "dx" tool.
Dalvik Cache: A program cache area for the program Dalvik. Dalvik is a java based virtual machine that is the basis for running your programs (the ones that have the .apk extension). In order to make access times faster (because there's not JIT (just in time) compiler installed by default), the dalvik-cache is the result of dalvik doing a optimization of the running program. It's similar to the prefetch files in Windows.
DDMS: Dalvik Debug Monitor Service, a GUI debugging application included with the SDK. It provides screen capture, log dump, and process examination capabilities. If you are developing in Eclipse using the ADT Plugin, DDMS is integrated into your development environment.
Deep Sleep: A state when the CPU is off, display dark, device is waiting for external input.
De-odex: Apk files have respective odexes that devs use to supposedly save space. Deodexing means you convert it back to a .dex file & put it back inside the apk. This allows you to easily replace files (not having to worry about odexes), but the main point was to deodex services.jar so that you can change all text to different colors (such as the clock color to white) & to deodex services.jar, you need to deodex everything.
Dev. or Developer: An individual that creates, or alters a file in such a manner as to advance the program
Drawable: A compiled visual resource that can be used as a background, title, or other part of the screen. A drawable is typically loaded into another UI element, for example as a background image. A drawable is not able to receive events, but does assign various other properties such as "state" and scheduling, to enable subclasses such as animation objects or image libraries. Many drawable objects are loaded from drawable resource files — xml or bitmap files that describe the image. Drawable resources are compiled into subclasses of android.graphics.drawable. For more information about drawables and other resources.
Fastboot: Protocol used to update the flash file system in Android devices from a host over USB. It allows flashing of unsigned partition images.
Flash: Rewrite the software/firmware on your phone using a computer to "flash" or completely rewrite the memory (ROM) of your phone. This is done using ODIN.
Flash Memory: a program technology that can be electrically erased & reprogrammed
Kernel: The main component of Android operating system.
It is a bridge between applications & the actual data processing done at the hardware level.
The kernel's responsibilities include managing the system's resources (the communication between hardware & software components).
[Usually as a basic component of an operating system, a kernel can provide the lowest-level abstraction layer for the resources
(especially processors & I/O devices) that application software must control to perform its function.
It typically makes these facilities available to application processes through inter-process communication mechanisms & system calls.
Operating system tasks are done differently by different kernels, depending on their design & implementation.]
Manifest File: An XML file that each application must define, to describe the application's package name, version, components (activities, intent filters, services), imported libraries, and describes the various activities, and so on. See The AndroidManifest.xml File for complete information.
Nine-patch / 9-patch / Ninepatch image
A re-sizeable bitmap resource that can be used for backgrounds or other images on the device.
Nandroid or Nandroid Backup: A file typically created in the custom recovery program, such as xRecovery, that is a carbon copy of whatever state your phone is in before a drastic change is made. The file then can be moved onto or off of the SD card for later use in case something should go wrong in the ROM or Update, or a Boot Loop occurs
ODIN: It is the program you can use to flash phones.
e.g. : 'Odin Multi-Downloader v3.95' is used to flash the Samsung Galaxy. It's usually included in firmware packs.
OEM: Original Equipment Manufacturer, the people who actually put together electronic hardware. Also refers to any equipment original to the phone, or produced by the company for the phone
OpenGL ES: Android provides OpenGL ES libraries that you can use for fast, complex 3D images. It is harder to use than a Canvas object, but better for 3D objects. The android.opengl and javax.microedition.khronos.opengles packages expose OpenGL ES functionality.
OS: Operating system, I.E. Windows Vista, LINUX or MAC or Android
OTA: Over-the-Air; method T-Mobile, & some other phone companies, use to update Android phones. The new versions of Android are developed by Google & then released to OEMs, Sony Ericsson in our case. The OEM then writes drivers that enable the new software to work on the phone's hardware. They also develop any specialized UI (user interface), like Timescape & Mediascape, or other software they want to include. Once this is complete, they turn it over to the cell phone company, (e.g.) T-Mobile, who then has to do the final checks to make sure the update works, & then distributes it over their data network using their cell transmitters.
Overclocking (OC): Speeding up the CPU past the factory presets to achieve a faster & more responsive device (prolonged run can be injurious to your device, so be careful.)
ROM: Read Only Memory, a program used to make changes to anything from the look of the home screen to icons to custom boot animation
Root: Common word associated with giving a user "super user" access to their phones programming & other various aspects that would normally not be possible, also known as "Jailbroken" for iPhone's, "Administrator Rights" in Windows OS.
Shell or SSH: The shell is the layer of programming that understands & executes the commands a user enters. In some systems, the shell is called a command interpreter. A shell usually implies an interface with a command syntax (think of the DOS operating system & its "C:>" prompts & user commands such as "dir" & "edit"). secure shell or ssh is a network protocol that allows data to be exchanged using a secure channel between two networked devices
SQLite: An embedded relational database management system contained in a relatively small (~275 kB) C programming library. It is multitasking concerning reads. Writes can be done only one-at-a-time. It is a popular choice for local/client storage on web browsers. It has many bindings to programming languages. It is arguably the most widely used database engine, as it is used today by several widespread browsers, operating systems, embedded systems among others
Stock: Simply means an unaltered state, such as when you first purchase your phone from Verizon/Your Service Provider or when you repair your phone using PC Companion or SE Update Service (SEUS)
SU: "Super user", or root permissions
SWAP: is, in short, virtual RAM. With swap, a small portion of the hard drive is set aside and used like RAM. The computer will attempt to keep as much information as possible in RAM until the RAM is full. At that point, the computer will begin moving inactive blocks of memory (called pages) to the hard disk, freeing up RAM for active processes. If one of the pages on the hard disk needs to be accessed again, it will be moved back into RAM, and a different inactive page in RAM will be moved onto the hard disk ('swapped'). The trade off is disks and SD cards are considerably slower than physical RAM, so when something needs to be swapped, there is a noticeable performance hit.
Unlike traditional swap, Android's Memory Manager kills inactive processes to free up memory. Android signals to the process, then the process will usually write out a small bit of specific information about its state (for example, Google Maps may write out the map view coordinates; Browser might write the URL of the page being viewed) and then the process exits. When you next access that application, it is restarted: the application is loaded from storage, and retrieves the state information that it saved when it last closed. In some applications, this makes it seem as if the application never closed at all. This is not much different from traditional swap, except that Android apps are specially programmed to write out very specific information, making Android's Memory Manager more efficient than swap.
Theme: A set of icons, backgrounds & app trays that change the aesthetics of the overall look of the Android & its applications. It has a set of properties (text size, background color, and so on) bundled together to define various default display settings. Android provides a few standard themes, listed in R.style (starting with "Theme_").
TUN/TAP: Refers to a network TUNnel, operates within layer 3 packets, or ip packets. Packets sent by a system via a TUN/TAP device are delivered to a user-space program that attaches itself to the device. A user space program may also pass packets into a TUN/TAP device. In this case TUN/TAP device delivers (or "injects") these packets to the operating system's network stack thus emulating their reception from an external source.
Underclocking(UC): Slowing down the CPU mainly to limit battery usage
Undervolting(UV): Basically keeping the clock speed same (or overclocking it) & reduce the voltage at each cpu cycle.
xRecovery: A recovery program based on the ClockworkMod Recovery sources used to apply updates, ROMs, or create a back up or restore a backup file
File Types:
.dex: Compiled Android application code file. Android programs are compiled into .dex (Dalvik Executable) files, which are in turn zipped into a single .apk file on the device. .dex files can be created by automatically translating compiled applications written in the Java programming language.
.sbf: Summation Briefcase File
.apk or APK's: An .apk file extension denotes an Android Package (APK) file, an .apk file can be opened & inspected using common archive tools. Each Android application is compiled and packaged in a single file that includes all of the application's code (.dex files), resources, assets, and manifest file. The application package file can have any name but must use the .apk extension. For example: myExampleAppname.apk. For convenience, an application package file is often referred to as an ".apk".
.tar: Similar to a zip file(derived from tape archive), a tar file archives multiple files into one file
.tgz: TGZ files (gnu-zipped .tar file) are commonly used as install packages for Slackware Linux.
Pheeeeww!! This took some time!!
Well this is all I can think of off the top of my head but as I think of more I will edit them in here & I encourage the mods to put things that I either forgot or just simply am not aware of. Also I request fellow user to suggest any terms frequently used & not added or any discrepancies found, kindly PM me!!
Thank you & happy hacking/flashing!!
_____________________________________
X10 LED States:-
--------------------------------------
W-LOD: White LED of DEATH.
--------------------------------------
Sometimes a R-LOD is similar to a W-LOD but the LED is red instead.
Usually results in a Reboot, or a Freeze or a Crash
-------------------------------
Flashing R-L: Red LED.
-------------------------------
Led flashes RED 3 times.
Indicates Requirement for Charge
--------------------------------
G-LS: Green LED Steady.
--------------------------------
LED goes Steady GREEN while USB is plugged in.
Flash Mode Entered/Fully Charged.
CPU : -
----------------------------------------
Central Processing Unit: -
----------------------------------------
It's pretty much the heart of your device, pumping data through & from all the attached devices; the Kernel & Modules are its soul & its OS is its skin & flesh.
-----------------------
Core Clock Speed: -
-----------------------
It is the actual clock speed that the CPU is running at. "Not the multiplied speed."
It's good to remember a CPU's performance is also affected by its memory's speed.
Similar rules exist for the GPU (Graphics Processing Unit).
Tnx for the info. This is very useful, especially to us noobs....
Sent from my E15i using xda premium
Everyone browsing this forum must read this at least one time!!!!!!!!!!
Sent from my X8 using xda premium
AOSP: Android Open System Project, usually you will see this term when referring to a program or ROM.
AOSP is Android Open Source Project
posted via Tapatalk 2 Beta
Thanks for sharing.
Sent from my E15i using Tapatalk

[HowTo] [VZW XT907/926 RAZR M/HD] Unlock US GSM Carriers Using RadioComm

Introduction:
This post is a guide to show how to perform the NV edit required to unlock US GSM carriers(AT&T and T-Mobile etc.) on the VZW XT907/926 RAZR M/HD stock modem using a Motorola serviceware tool called RadioComm.
This is simply a different method to perform the same hack that was discovered by Arnold Snarb in the main thread about ATT/T-Mobile here.
http://forum.xda-developers.com/showpost.php?p=37123644&postcount=158
Despite the fact that he thanked me for leading the way in that post, he did some really brilliant analysis of the logs in QXDM to isolate this NV Item and saw something in them that I had missed as well as guessing correctly about its significance, and deserves all of the credit for this hack.
Everyone should please go and thank him in that post for the outstanding work.
He used a tool called DFS to access and edit NV Item 8322 and change the value of the first byte from 01 to 00 which disables the checking of the MCC/MNC against a list of banned networks and flags MCC 310 as Invalid Country Code.
That method requires booting into BP Tools mode from the boot menu and loading the Qualcomm diagnostic device interfaces.
The problem is that there are no signed 64bit drivers available and you must force load the drivers on Win7/8 64 bit for the diagnostic port in order to see the device properly and have NV read/write access.
This has been a stumbling block for many users and makes the NV editing unnecessarily difficult.
This method uses Factory boot mode and allows RadioComm to have full diagnostic mode access via the Motorola USB Networking driver that loads normally with the standard USB driver set. I will demonstrate 2 different ways to perform the edit, one manual and one using a preconfigured SEEM table file that writes the value in a single operation.
Neither of these methods is as easy as an update.zip install from custom recovery would be, but we don't have a binary that supports the motorola.update_nv function that we used for prior MDM6600 based devices available to us for the MSM8960 devices.
Given that some form of diagnostic mode software and a PC is required, I feel that RadioComm is probably an easier option for most users as it avoids the driver problems and has a clearer and simpler interface for NV read/write access than DFS.
Once you have the latest Motorola drivers installed and RadioComm loaded, this guide should make it very easy and safe to perform what is generally a complicated and potentially dangerous task of editing the radio NVM(Non Volatile Memory).
RadioComm itself is a terrifyingly complex piece of software with a GUI that can bring even the most seasoned and experienced phone hacker to their knees wondering what all the various windows, modules and buttons do.
It is the premier Motorola serviceware application and is designed by and intended for use by top level radio engineers and technicians.
It is an extremely powerful application that can access all models and chipsets of Motorola devices and perform a vast array of diagnostic testing and configuration operations and can be fully automated via multiple scripting languages.
It's just plain scary and confusing and very dangerous if not taken seriously.
Warning and disclaimer:
DO NOT PLAY AROUND WITH ANY FEATURES OR RANDOMLY HIT ANY BUTTONS IN RADIOCOMM!!!
YOU CAN RENDER YOUR PHONE DYSFUNCTIONAL OR UNBOOTABLE IN SECONDS!!!
This cannot be emphasized strongly enough!
Follow the instructions exactly as they are written and shown in the screenshots and you will find it very simple to use and have no trouble doing the edit with either method.
You, the user, are the only person responsible for your actions and performing this hack will absolutely void your warranty the same way rooting or any other modifications to your device's software does!
That said, this hack will be undetectable and have no outward visible signs of having been performed other than the fact that any GSM SIM should work afterward.
Root is NOT required and this can be safely done and undone at will without making any other changes on the device and all normal services function properly on VZW's network with the edit in place. It appears to only affect the US GSM network block and nothing else.
Prerequisites:
You need to have a recent set of Motorola USB drivers v. 5.9.0 or greater installed on your PC with a full USB 2.0 compatible port.
You need a standard Motorola micro USB cable.
RadioComm 11.12.xx. I have included a link to 11.12.2 below.
https://dl.dropbox.com/u/7632904/RadioComm_v11.12.2_Install.zip
This has been tested on Win7 64bit and WinXP SP3 32bit with .NET Framework 4.0 installed.
Method:
This guide assumes you already have RadioComm and the drivers properly installed and have rebooted both PC and the phone afterward.
The first instructions and screenshots describe the initial setup and manual method using the FTM Common 1 tab and the NV Access window in RadioComm.
When you first open RadioComm you will get a popup stating that the version is more than 2 months old. Just close it and continue.
Now go to the top left corner and hit the Main button and select the MA: Common/MDM6x00 as shown in the first screenshot.
Next, go to Settings/USB and select PST USB Driver as shown in the second screenshot.
Test Command Format should default to P2K05 lower in the Settings menu.
Leave all other options default.
Now we are ready to connect the phone and perform the edit.
Make sure you have Connect as Media Device in USB settings and USB Debugging enabled in Developer Options.
Power off the phone and then hold both Vol Up and Down + Power to enter the boot menu.
Use the Vol Down key to scroll down in the menu to Factory and then Vol Up key to select and the phone will boot.
Connect the USB cable and RadioComm will enumerate the phone and the radio button in the top right will change colors.
It will cycle several times red to yellow and eventually go green when the device is fully enumerated and shows as XT907 in the status bar at the bottom of the screen. You can read the Software Version and MEID/ESN/pESN buttons to make sure everything is working properly.
On each successful read the GUI will flash green and the Command buffer will turn green and any selected button will be green.
Any unsuccessful attempt will turn red.
If not, then restart everything and check over all settings again before proceeding.
Now go to the tabs bar across the top middle of the GUI and select FTM Common 1 tab and go to the NV access window in the center right of that tab and select the top menu Item "FFFF Manual Entry" as shown in the third screenshot.
Now hit the Read button and you will get 2 popup windows.
In the first window you will enter the Decimal NV Item ID 8322 and in the second you will enter the byte length to be read 1 as shown in the fourth screenshot.
When you hit ok it will read the NV Item and flash green and display the data in the hex output buffer below and you will see 01 for the value as shown in the fifth screen shot.
Now highlight the 01 and change it to 00 and hit the write button and this time it will only popup once asking for the Decimal NV Item ID 8322. When you hit OK the item will be written and the GUI will again flash green for a successful write as shown in the sixth screenshot.
You are now finished and can either use the restart button at top right of RadioComm to reboot or manually restart the phone.
The last screen shot is edited to show the steps to use the NV/SEEM feature with a SEEM table file I have provided below to do all of the steps as a single operation. Some users may find this easier than manually editing in the NV Access window but it's really almost the same number of steps.
Go to the top left and hit Features and select NV/SEEM and another window will open and the radio button will cycle again a couple of times as it re-enumerates the device, and it will finally go green. Follow the instructions in the seventh screenshot and be sure to use the Restart button in the main window after you close NV/SEEM, because it suspends the phone, which will otherwise be a black screen and unresponsive and require holding Vol keys and Power for 10 secs to reset it.
Congrats! All done now and the rest is just putting in a SIM and selecting GSM/UMTS in Network Settings and everything should just work!
Below is the link for the .NVM SEEM table file.
https://dl.dropbox.com/u/7632904/TBH_RAZR_M_GSM_Unlock.NVM
Please use this thread to discuss issues relating to this method and RadioComm and keep general discussion of the phone on US carriers in the other thread, thank you!
<Reserved>
Thanks man.. gonna try this when I get home tonight. I was actually just thinking about switching vendors from VZW to someone else and didn't really want to buy a new phone.
Maybe now I don't have to. Proof is in the pudding though, maybe I'll buy a cheap month of Straight Talk to see if it works?
Running RAZR M in US on straight talk now. Works wonderful!!!
Thanks a lot! I'm a total noob when it comes to most of this, but it worked perfect for me!!
Hmm, MDM6x00? Won't that work on the OG RAZR XT912 / Droid 4 as well?
The MA used in RadioComm is the same chip set base as the RAZR/D4 because it's the closest to the MSM8960 available in this version, which is more than 18 months old now.
What we really need is an updated version of RadioComm with full support for the newer chip sets.
This specific NV Item 8322 does not exist on the MDM6600 chip set devices and I have not been able to find a similar boolean switch item for those phones, unfortunately.
I have been logging with QXDM extensively searching for a way to disable the MCC/MNC block on MDM6600 without success so far.
I have dumps of all of the readable NV items from 0000-12000 from many devices running various builds and even a dump from Chinese engineering build on P3Droid's Dev model where everything is working as it should with open GSM on US carriers.
I would love some help from someone with a better understanding of the radio and diagnostic mode access than myself.
Very few people know how to use the software to even start analyzing the problem.
Remember to install the latest Motorola drivers and *especially* highlight the entire 01 and type 00. I was backspacing only the 1 and it did not "stick" when writing. So HIGHLIGHT, don't backspace. Works perfectly.
Is it possible to write the NV item to the Droid 4 then edit?
Can I use a similar way to unlock XT902 (Japanese Razr M)? I can't find 8322 in XT902...
Followed instructions and worked perfectly. The key for me was the latest Motorola drivers AND the Motorola USB cable that came with the phone. I tried other cables that both charged and synced but the only one that worked for this was the Moto cable. Using Win XP SP3 (12 year old OS on brand new work laptop. WTF!)
I was wondering if this works on other networks such as Boost Mobile, Net10, Cricket etc...? I honestly don't have enough money to buy a new phone and whatnot. The whole reason why I did this is because I lost my job and now I can't pay my phone bill and it keeps getting higher and higher.
Boost - No
Cricket - No
They're both cdma. This is to allow the GSM side (SIM CARD based) of the phone to work on other carriers. With that said, your best options are
Net10, Straight Talk, ATT, T-Mobile, Simple Mobile, H20, Orange, and there's a plethora of others out there. Post paid and pre-paid.
@DSDD
I believe your XT902 is GSM by default. So if what you're asking is will this bypass the network lock, no, the device needs to be unlocked by code. Then you can use it outside of the current carrier/country.
After boot, it is set back to 01 again @ address 8322.
My phone version is Bsmq_vzw-user 4.1.1 9.8.1Q_27-2 4 release-keysSM_BP_1139.000.32.62P
After writing to 8322 with zeros, I read it again to confirm it is written, but after rebooting the phone, the value is back to 01 again.
I guess the Verizon driver may override this value during rebooting?
Any help?
Should I root the phone?
==
thanks
cellzealot said:
Introduction:
This post is a guide to show how to perform the NV edit required to unlock US GSM carriers(AT&T and T-Mobile etc.) on the VZW XT907/926 RAZR M/HD stock modem using a Motorola serviceware tool called RadioComm.
This is simply a different method to perform the same hack that was discovered by Arnold Snarb in the main thread about ATT/T-Mobile here.
http://forum.xda-developers.com/showpost.php?p=37123644&postcount=158
Despite the fact that he thanked me for leading the way in that post, he did some really brilliant analysis of the logs in QXDM to isolate this NV Item and saw something in them that I had missed as well as guessing correctly about its significance, and deserves all of the credit for this hack.
Everyone should please go and thank him in that post for the outstanding work.
He used a tool called DFS to access and edit NV Item 8322 and change the value of the first byte from 01 to 00 which disables the checking of the MCC/MNC against a list of banned networks and flags MCC 310 as Invalid Country Code.
That method requires booting into BP Tools mode from the boot menu and loading the Qualcomm diagnostic device interfaces.
The problem is that there are no signed 64bit drivers available and you must force load the drivers on Win7/8 64 bit for the diagnostic port in order to see the device properly and have NV read/write access.
This has been a stumbling block for many users and makes the NV editing unnecessarily difficult.
This method uses Factory boot mode and allows RadioComm to have full diagnostic mode access via the Motorola USB Networking driver that loads normally with the standard USB driver set. I will demonstrate 2 different ways to perform the edit, one manual and one using a preconfigured SEEM table file that writes the value in a single operation.
Neither of these methods is as easy as an update.zip install from custom recovery would be, but we don't have a binary that supports the motorola.update_nv function that we used for prior MDM6600 based devices available to us for the MSM8960 devices.
Given that some form of diagnostic mode software and a PC is required, I feel that RadioComm is probably an easier option for most users as it avoids the driver problems and has a clearer and simpler interface for NV read/write access than DFS.
Once you have the latest Motorola drivers installed and RadioComm loaded, this guide should make it very easy and safe to perform what is generally a complicated and potentially dangerous task of editing the radio NVM(Non Volatile Memory).
RadioComm itself is a terrifyingly complex piece of software with a GUI that can bring even the most seasoned and experienced phone hacker to their knees wondering what all the various windows, modules and buttons do.
It is the premier Motorola serviceware application and is designed by and intended for use by top level radio engineers and technicians.
It is an extremely powerful application that can access all models and chipsets of Motorola devices and perform a vast array of diagnostic testing and configuration operations and can be fully automated via multiple scripting languages.
It's just plain scary and confusing and very dangerous if not taken seriously.
Warning and disclaimer:
DO NOT PLAY AROUND WITH ANY FEATURES OR RANDOMLY HIT ANY BUTTONS IN RADIOCOMM!!!
YOU CAN RENDER YOUR PHONE DYSFUNCTIONAL OR UNBOOTABLE IN SECONDS!!!
This cannot be emphasized strongly enough!
Follow the instructions exactly as they are written and shown in the screenshots and you will find it very simple to use and have no trouble doing the edit with either method.
You, the user, are the only person responsible for your actions and performing this hack will absolutely void your warranty the same way rooting or any other modifications to your device's software does!
That said, this hack will be undetectable and have no outward visible signs of having been performed other than the fact that any GSM SIM should work afterward.
Root is NOT required and this can be safely done and undone at will without making any other changes on the device and all normal services function properly on VZW's network with the edit in place. It appears to only affect the US GSM network block and nothing else.
Prerequisites:
You need to have a recent set of Motorola USB drivers v. 5.9.0 or greater installed on your PC with a full USB 2.0 compatible port.
You need a standard Motorola micro USB cable.
RadioComm 11.12.xx. I have included a link to 11.12.2 below.
https://dl.dropbox.com/u/7632904/RadioComm_v11.12.2_Install.zip
This has been tested on Win7 64bit and WinXP SP3 32bit with .NET Framework 4.0 installed.
---------- Post added at 11:14 PM ---------- Previous post was at 10:48 PM ----------
Tried again a couple of times, this time it actually works.
Maybe last time I rebooted the phone too early?
Glad you got it working. There is no VZW software on the phone capable of writing to the radio NV, so it's not being reverted by anything.
If anyone else has similar issues I would suggest trying the NV/SEEM method as that will definitely write the item properly.
XT902 has sim lock, and there is no way to key in unlock code. So I think it may be unlocked by modifying another NV item.
Does this tutorial unlock mobile data usage on other carriers? I cannot seem to get data working on my XT907 in Australia. GSM and MMS work fine, so why doesn't data?
I don't know for certain because I only have experience with domestic US GSM carriers, but I tend to doubt it.
You can try it and see and revert it easily if it doesn't work. You can also try flashing the Telstra XT905 NON-HLOS.bin(modem) and fsg.mbn(carrierEFS/NVM config).
This was the method used to get US GSM service on XT907 before the method shown here was discovered.
It works but is limited to GSM/EDGE data services here in the US.
I am inclined to think it is some other problem with the device because it should work as a global capable phone by default.
If it has a sim lock and you can acquire the code open your dialer and press #073887* (#0SETUP*) and it'll prompt you for the code.
Several people have PMd me questions about this method and I would much prefer that they be posted here in the thread so that everyone may benefit from the information.
Please include as much information about your PC and driver versions and be as thorough as possible in explaining your problems.

How to modify a qcn file to enable AWS band

Hi.
I come from another post looking for a solution to my dilemma (http://forum.xda-developers.com/galaxy-s5/help/switch-stock-rom-t2866861#post55236673). Thanks to member fffft I found that I can open band 4 of my S5 cell using the QPST program; however, I cannot find a modified .qcn file that corresponds to my model (G900F).
What I have done is make a backup of my original .qcn (which I understand I should not share because my IMEI is in it) and I need advice from someone who knows which parameter should be changed to open AWS band 4.
I much appreciate your help.
I see that nobody has answered, whether for lack of cooperation or because no one has had this problem.
I continued researching and managed to get a G900M qcn file, which is super, but it could not be installed either: the QPST program generates an error and does not let me install it. So I proceeded to compare them to see how different they are, and actually they are very different in their hexadecimal setting.
The issue now is, I need someone to tell me which parameter I have to modify in my original qcn (my G900F) to enable AWS band 4.
Thank you for your help.
..
Hello again fffft.
I will try to explain everything in the best way. I cannot send the G900M qcn file, because I understand that the IMEI can be identified within it, and the first thing the person who gave it to me asked was that in exchange I would not deliver it to anyone.
Now, step by step, what I did was the following (taken from this forum http://forum.xda-developers.com/showthread.php?t=2291589 ):
Install phoneutil.apk in my phone.
Install QPST 2.7 build 323.
Choose the usb connection “RNDIS + DM + MODEM” from the menu that comes by typing *#0808#.
On the Ports tab of the program QPST set the COM port corresponding to the cell (seeing which port recognizes the cell through Device Manager).
Choose “Start Clients” and choose “SOFTWARE DOWNLOAD”.
Hit the “Restore” tab, set port to COM number, choose the QCN file, and start.
Attached are two images: one in which it is seen that the process is running smoothly, and a second which shows the error.
With regard to your question about the RMNET protocol, I must say I have no idea, because as I said I am still a newbie.
Finally, with respect to a G900T qcn file, it would be very, very difficult for me to get. The G900M file was relatively easy (not that easy, lol) because here in my country it is the model that is sold, but there is no way to get the G900T model.
I remain attentive to your suggestions, and thanks again for the help.
..
I thought S5 supports AWS band as well as other bands? I bought S5 from Rogers and use it with Wind mobile (Canada).
..
Hi.
Well, the two qcn files are attached to my answer. I do not know if it's okay to post them, because I do not know what information I'm giving away, but I'll trust you, fffft.
I reviewed the entries with the IMEI and cleared them. While doing this I thought this would be a very good explanation of why the cell does not let me overwrite the original file, because the second IMEI is not the phone's; but even if this were true, I do not understand how in the above forum they spread a qcn file for S4 that everyone could use.
Anyway, I hope that with this we can advance the issue to see if I can get out of this mess.
Thanks again.
..
Ok fffft, I found the parameter you say, but now my question is, how do I edit the qcn file? Do I need some special program?
Well, I downloaded the program XVI32 to edit the hexadecimal. Apparently it was successful, but eventually the program generated the same error I had already seen, indicating "Could not reset the phone. Communication Errors Occurred".
Will you help me?
..
Hi there.
I have an interesting fact to share. Because I could not properly complete the process to overwrite the qcn file, I started to review the QPST program and its functions. Among these I found one that displays the content of qcn files; through it I looked for any entries that had not been written, and determined that it was possible to write the qcn file "hot" (i.e. directly on the phone). Oh, and surprise! I saw that the code/parameter that fffft indicated had indeed changed, even though the restore process had not been successful.
Anyway, I managed to modify the parameter in question and tested the cell after this, but it still does not even connect to AWS band 4, so despite the success the result was a failure.
Knowing this, I now accept suggestions from all of you experts.
..
Got a little further, but the bands did not get enabled...
fffft said:
Docx? Shouldn't those be .qcn files?
Anyway, you should try encouraging someone to post a NV dump from their 900T for comparison. You can check the existing AWS threads to confirm, but as I recall to enable AWS on earlier Galaxy models, required editing NV_RF_BC_CONFIG_l from 80 03 e8 04 to 80 03 e8 06
So ostensibly you will want to make the same change on your 900F. Comparing your NV to a 900T would lend confidence to that presumption.
.
fffft, Loperaco,
I am pursuing the same Band change as described here and have an update of the things that I was able to discover:
1) I was able to use QPST and pull NV backup from my phone - see my JJ_ATT_S5_Bands_Tester_No_IMEI (IMEI removed in Line 550)
**Note that I was not able to restore any QCN back to my phone in either USB mode (and I think this is what Loperaco was talking about), but...
2) I was able to program my phone directly using RF NV Item Manager, but did not get desired results (see below):
- a) I changed 1877 NV_RF_BC_CONFIG_l from 80 03 e8 04 to 80 03 e8 06 and nothing changed - i.e. radio still worked and I was still getting EDGE (no HSPA+)
- b) I tried changing the next line 1878 NV_RF_HW_CONFIG_I from f6 to 2c, because I saw that in another QCN file I found online. That actually "killed" my radio altogether, at least until I changed it back to f6
- c) Upon further inspection of the SM-N900T file I found online (too big to upload here), I saw that there are quite a few differences, which leads me to believe that additional configurations must be made to take advantage of the HSPA+ bands.
!! Please !! If someone with T-Mobile SGS5 is looking at this, could you pull your QCN, mask IMEI if you'd like and post it here for comparison.
Otherwise, fffft, do you have any other thoughts regarding the changes needed...?
Last note: the files are posted as .qcn.txt, because the forum does not allow posting of qcn file extensions. Just remove .txt and you will have the original qcn.
Thanks,
JJ
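Added example, not part of the thread and not any poster's code: a small Python script for the dump comparison the posts above ask for. It zeroes the identifier item before a dump is shared and reports which bits differ between a before and an after dump. The `id: hex bytes` text format, the item 550 payload, treating line 550 as the item id, and the little-endian reading of values are assumptions; the 1877 and 1878 values are the ones quoted in the post.

```python
"""Added example: mask the IMEI item and diff two NV dumps.

Assumptions (not from the thread): the 'id: hex bytes' text format, the
item 550 payload, and reading multi-byte values as little-endian.
"""

# The post masks the IMEI at line 550 of its dump; using 550 as the
# item id here is an assumption.
IMEI_ITEM = 550

# Constructed sample dumps. Items 1877 and 1878 use the values quoted in
# the thread; the 550 payload is filler, not a real IMEI.
BEFORE = """\
# constructed sample, before the edit
550: 08 1a 32 54 76 98 10 32 54
1877: 80 03 e8 04
1878: f6
"""
AFTER = """\
# constructed sample, after the edit
550: 08 1a 32 54 76 98 10 32 54
1877: 80 03 e8 06
1878: f6
"""


def parse_dump(text):
    """Parse 'id: hex bytes' lines into {item_id: bytes}."""
    items = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ident, sep, payload = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'id: hex bytes'")
        items[int(ident)] = bytes.fromhex(payload.strip())
    return items


def redact(items, sensitive=(IMEI_ITEM,)):
    """Copy the dump with sensitive payloads zeroed (length preserved)."""
    return {k: bytes(len(v)) if k in sensitive else v for k, v in items.items()}


def format_dump(items):
    """Serialize back to the same text format, sorted by item id."""
    lines = []
    for item, value in sorted(items.items()):
        hex_bytes = " ".join(f"{b:02x}" for b in value)
        lines.append(f"{item}: {hex_bytes}\n")
    return "".join(lines)


def changed_bits(old, new):
    """Bit positions that differ when both values are read little-endian."""
    delta = int.from_bytes(old, "little") ^ int.from_bytes(new, "little")
    return [bit for bit in range(delta.bit_length()) if (delta >> bit) & 1]


def diff_dumps(before, after):
    """List (item, kind, flipped_bits) for every item that differs."""
    report = []
    for item in sorted(before.keys() | after.keys()):
        old, new = before.get(item), after.get(item)
        if old == new:
            continue
        if old is None:
            report.append((item, "added", []))
        elif new is None:
            report.append((item, "removed", []))
        elif len(old) != len(new):
            report.append((item, "resized", []))
        else:
            report.append((item, "changed", changed_bits(old, new)))
    return report


if __name__ == "__main__":
    before, after = parse_dump(BEFORE), parse_dump(AFTER)
    # What would be safe to post: same layout, identifier zeroed.
    print(format_dump(redact(before)), end="")
    for item, kind, bits in diff_dumps(redact(before), redact(after)):
        print(f"item {item}: {kind}, bits flipped: {bits}")
```

Because the redaction keeps each item's length, a shared dump still lines up item by item with an unredacted one, and the masked item never shows up as a difference.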
fffft said:
Your reluctance to document what you have done in detail is unfortunate because it prevents us from confirming that you did as you summarized or possibly discern any errors along the way. Nor did you tell us how you concluded that the phone did not connect to AWS, whether the changes were persistent after a reboot or what the service mode showed for activity after using the diagnostic menu to lock the handset to AWS, et cetera.
Of particular value would be a before and after NV dump from your phone, alongside a 900T NV dump. Which would illustrate both the required changes and any progress made with the attempted write.
To reply to your question, two obvious possibilities are apparent
1. That you changed the parameter as you summarized and that was insufficient to effect the desired change. Which would mean that the required parameter is different for the S5 than preceding Galaxy models for some reason e.g. that a different parameter needs editing or that radio changes are needed as well, even though that was not the case for the S3 & S4.
2. That you made some inadvertent error in your procedure that you didn't discern. No one can look for possible errors in the absence of you providing a detailed, step by step description of what you did though.
.
Ok ok, let me see how I can solve this.
First of all, it is not reluctance. I tried to be clear in how I do things, but I'll try again:
1. I bought a G900F model cell that has AWS band 4 disabled.
2. I tried using the QPST program to replace the qcn file with one that corresponded to a G900M model, since in this model band 4 is enabled, but the process to do it in the program generated the error "Could not reset the phone. Communication Errors Occurred".
3. I do not know how or whether the QPST program writes an error log, so I do not know where to look for one to send. Explaining how to install and run the program button by button would be a bit wasteful, but I followed the steps in this forum http://forum.xda-developers.com/showthread.php?t=2291589
4. After this, and having received suggestions from fffft, I tried modifying the original qcn file from my phone, because I thought that perhaps the problem was that they were different models and the phone simply would not allow me to put in a qcn file of another model. The modification I made was to change the parameter NV_RF_BC_CONFIG_l from 80 03 e8 04 to 80 03 e8 06. This was done with the program XVI32 by modifying the hexadecimal.
5. I tried again using the option to restore the qcn file in QPST program, but got the same error "Could not reset the phone. Communication Errors Occurred".
6. I assumed I had to think of something else, so I used the RF NV Manager (included in the QPST installation) to look at the actual qcn contents on my phone, and I realized that despite the error obtained in restoring the file using the QPST program, the parameter indicated in item 4 of this list had indeed changed.
7. I proceeded to check the signal and actually still had no access to the 4G network; the most it connects to is the HSDPA+ network.
8. I read the comments from fffft and now I'm writing this.
I hope I was clear in my problem and have made a good step by step.
Now the issue is that:
A. I do not know how to access the diagnostic menu that enables or disables the AWS band, so, fffft, I do not understand what you're talking about.
B. I agree that modifying only the parameter in question is not sufficient, otherwise the matter would be solved.
C. It is possible that I made a mistake as you point out; after all, I am new to this, but still I explained my process, so I am attentive to suggestions.
Thanks for the help.
Hi JJ.
We are indeed talking about the same issue; however, I see a difference: despite not having band 4 AWS enabled on your phone, yours only gives you the EDGE band, while my phone without band 4 enabled gives me HSDPA+. So my question, just out of curiosity, is: what is the frequency at which your operator transmits the EDGE network?
Loperaco,
1) I was also unable to load qcn file from backup even without modifications, so...
2) I made modifications directly to the phone using RF NV Item Manager*
*Note from my post that changing line 1877 made no difference in connectivity for me.
3) This specific connection is below (although it naturally fluctuates):
Network Type: EDGE:2
GSM RSSI: -89db (63%) 12 asu
GSM Signal Strength: 13db (42%)
Preferred Network Type is LTE/GSM auto (PRL)*
*Non-GSM selections (WCDMA, LTE-only, etc) simply do not connect, so no HSPA+ for me
JJ
JJ_Boja said:
Loperaco,
1) I was also unable to load qcn file from backup even without modifications, so...
2) I made modifications directly to the phone using RF NV Item Manager*
*Note from my post that changing line 1877 made no difference in connectivity for me.
3) This specific connection is below (although it naturally fluctuates):
Network Type: EDGE:2
GSM RSSI: -89db (63%) 12 asu
GSM Signal Strength: 13db (42%)
Preferred Network Type is LTE/GSM auto (PRL)*
*Non-GSM selections (WCDMA, LTE-only, etc) simply do not connect, so no HSPA+ for me
JJ
Ok JJ, we are going through the same steps, we must wait for more help, I'll keep researching but I see that not many people have our problem.
I have a question is that with that code or through option that could see data that you send me.
Any information or change that has put it in the post.
..

Xiaomi Mi Bunny Watch Q internationalization

Please somebody help to modify firmware to enable international GPRS connections
What we currently have:
1. Mi Bunny Watch Q is Working on MT6261 SOC
2. Operating system is a modified 2011 Nucleus RTOS, which was widely used in older feature phones
3. Firmware is not available for separate download. The watch is updated over the air (via Bluetooth connection from your smartphone with the original app, and PROBABLY via GPRS connection). Firmware files are called
SH08_PCB01_gprs_MT6260_S00.MAUI_11B_W13_08_MP_V15.bin
My current firmware version is MAUI.11B.W13.08.MP.V15
updates are downloaded from http://upgrade.imibaby.net/upgradeWatch
also you can find http://sw105-online.imibaby.net/ link in firmware - probably for watch activation
All we have now is a full ROM dump of my watch, divided into parts with Readback Extractor mtk
Also we can get access to the NVRAM and FAT partition with the MauiMETA_v9.1635.23 tool (you need an NVRAM database file for the MT6261 chip; I got one from the Keneksi X8 firmware kit, or from the official site). I also used the scatter file from Keneksi to download the ramdump with SP Flash Tool
Also there is a good tool, Binwalk, which I don't know how to use well
4. Watch activation procedure looks like: ( english user manual for similar product )
-turn on the watch (lights on and sound prompt)
-insert SIMcard (sound prompt)
-----------we are currently here------------------
-GPRS connection is automatically established
-and the watch should set up the time (you get a sound prompt), which notifies the server of pairing-ready status - this should be a sign and confirmation of a successful internet connection
-you scan QR code in your user-manual (smartphone receives pairing settings from server) and establish connection between smartphone and WATCH
...
5. The watch officially supports only Chinese SIM cards. Confirmed by the manufacturer. Chinese cellular operators' settings are preinstalled. MNC, MCC and APN can be found in the firmware, like 460 46000 46002 46007 etc
I have tried to change the MCC and MNC to my operator's (25501) (my operator supports any APN so I got lucky here)
and got a breakthrough here - the watch began to establish GPRS connections via the "internet" APN
but no luck - the time is not set up, I got no "successful connection" sound prompt, and it is still impossible to activate it.
I have contacted the manufacturer via Weibo and WeChat.
Everywhere I got refused for corporate security reasons, BUT at the very beginning I think some very helpful manager answered and tried to give help (later he disappeared)
He requested that I fill in an XML form with my cellular operator's settings and sent an image explanation
Hello, Mr Pumpkin
There are some instructions you can follow.
First, please make sure the SIM card supports calling in or calling out.
Secondly, be sure the SIM card supports 2G GPRS connection.
You can consult the local operators about specific parameters.
The "code" parameter and "apn" parameter in the following table must be filled in correctly.
The other parameters are alternative.
Code:
<?xml version="1.0" encoding="UTF-8" ?>
<Account>
  <AcntHdr>
    <AcntVer>1.0</AcntVer>
  </AcntHdr>
  <AcntBody>
    <SIM Operator="BEELINE" Code="25502">
      <Item Bearer="GPRS">
        <AppType>WAP</AppType>
        <Title>Beeline WAP GPRS</Title>
        <APN>wap.beeline.ua</APN>
        <Authentication>NONE</Authentication>
        <Homepage>http://wap.beeline.ua</Homepage>
        <Proxy Enable="Yes" ProxyAddress="172.29.18.192" ProxyPort="8080" />
        <PrimaryDNS>null</PrimaryDNS>
        <SecondDNS>null</SecondDNS>
        <IPAddress>null</IPAddress>
        <Subnet>null</Subnet>
        <ConnectionType>HTTP</ConnectionType>
      </Item>
    </SIM>
  </AcntBody>
</Account>
There is excellent site with lots of information
https://www.dr-lex.be/hardware/china_phone_flashing.html
Also some discussion is going on MIUI forum and russian 4pda forum
International Apn settings
The answer from the Chinese manufacturer is an xml file that we should add to the device ROM. It is not so different to the following thread
https://forum.xda-developers.com/showthread.php?t=2387346
I have my bunny watch 2, that I have paired during a visit to Sz, and will try to add the xml file today. Hopefully we can get a connection.
EASolana said:
The answer from the Chinese manufacturer is an xml file that we should add to the device ROM. It is not so different to the following thread
https://forum.xda-developers.com/showthread.php?t=2387346
I have my bunny watch 2, that I have paired during a visit to Sz, and will try to add the xml file today. Hopefully we can get a connection.
Excellent decision! I will try to do it.
I can assume that the developer didn't offer me this because we actually don't have access to the ROM. We can get there only with the MAUI META tool. Also, the watch is not based on Android, so we will have to find the correct folder to place the file in and guess the correct name for it.
Also XML should be specifically formatted, and we have this format from developer.
Easier said than done, but still I got some progress today.
After reviewing the ROM I was able to find several AT commands to control the device.
I'm missing the syntax for many of them, but I was able to directly make and receive a call from HyperTerminal.
I named the XML file default.xml and placed it in the root directory and several others, but no luck achieving an APN configuration.
Also I browsed the FAT and NVRAM looking for hints on how the device was configured while using the Chinese card, but no luck there.
If I'm able to find the device configuration AT command it should be pretty straightforward.
Just as a note, the App is fully Chinese, no options on the menu are translated.
EASolana said:
Easier said than done, but still I got some progress today.
Some of the terminal AT+ commands work excellently (like ATD). The most interesting ones are AT+DEBUG_ON and AT+DEBUG_OFF, which change the USB connection type. (With debug on you will get 2 USB devices: USB COM and modem.)
About the app - I have translated it to Russian, if it can help )
Connecting outside of china
Well, today I got connection from outside of China.
I played with several of the AT commands that were supposed to actually configure the settings, and all seemed to make the terminal hang.
But after rebooting the phone it got a connection. Now it's fully working.
I used the AT+CGDCONT command.
Then I reviewed the FAT again to look for changes, and the only file that was modified is the store_info.dat file.
That file was loaded in the same back up you made, with China Mobile settings, and now mine has got the unicom settings.
For the information it contains it looks fairly similar to the format the engineer gave you a solution for.
EASolana said:
Well, today I got connection from outside of China
Excellent news. Now i just would like to have some more details, on how i could repeat your success.
AT+CGDCONT is not working for me - no answer from watch to this command.
Can you provide some more info? What MCC and MNC does your cellular operator have? What version of firmware do you use?
Did you actually implement any changes to your firmware?
Which terminal software do you use? Which COM device you selected? Was DEBUG mode active?
Or what should i do to get my watch connected?
Thank you.
Hello,
EASolana said:
I have my bunny watch 2, that I have paired during a visit to Sz, and will try to add the xml file today. Hopefully we can get a connection.
Did you connect with a Chinese SIM card and then change it to a foreign one?
So I first activated my device in China with a Xiaomi Sim card.
Then traveled back to Hk, and tried with Hk local China unicom, China Mobile and three Sim cards. None worked.
Then I tried the AT command for setting up the APN settings on the device. The commands would not give an OK response, so I do not know exactly which one worked.
Then rebooted the device, and it can connect with Three and China mobile cards. UNICOM still not working.
I saw the change in the file mentioned above. It changed from one operator to the other.
HK is not so far from China, so I think there could be native support for your operators.
Anyway, could you please provide a store_info.dat file other than the China Mobile one from your FAT partition, and a ROM dump to compare? I think you have a more recent watch firmware. Thank you
Today I'm in China so I will not be able to upload the files to a G drive location, tomorrow I should be able to upload them.
I have bought a new device today (this time the mini GPS, 6261 based) and done a backup before the network registration and after.
I can confirm that all changes are happening to the file named "store_info.dat", and all the new data is matching to the xml format you were given. But written on a low level way inside the .dat file.
The GPRS - APN settings are independent of the GSM settings. So you will need 2G settings for your local operator. Be sure you are registered in the network by performing a call to your SIM card number, then modify the store_info file with your specific operator parameters. Be sure to do this in the hex editor so the file length is constant after you perform the modification.
EASolana said:
So you will need 2G settings for your local operator. Be sure you are registered in the network by performing a call to your SIM card number, then modify the store_info file with your specific operator parameters. Be sure to do this in the hex editor so the file length is constant after you perform the modification.
I am bothered with MCC and MCC settings. All i can see in DAT file is apn for internet wap and mtp, but no readable data about cellular operator
Update: I have sniffed through the firmware again, and I found that China, Hong Kong and Taiwan are natively supported by the watch... Probably you will get some problems with different cellular operators, but all 3 MCC codes 460 466 and 454 are in the firmware
If you keep looking in the firmware, just below the MCC codes you will actually find the APN settings. Keep searching to the bottom of the file and you will find the W. A. P... U. N.I.C.O.M... C.H.I.N.A...M.O.B.I.L.E part of the string. That means that besides replacing your MCC at the top of the file by replacing the 460, 466, 454 codes, you also have to look toward the end of the file and replace the 460000, 454000, 46600 codes with your combination of MCC and MNC settings.
Since you cannot add length to the file, remember to find an operator WAP setting that will fit in the current.
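The length-preserving edit described in the two posts above (replace operator codes and APN strings in store_info.dat without changing the file size), as an added Python example that is not code from the thread. The sample blob and the APN "cmwap" are constructed; the real store_info.dat layout, the two encodings searched and the NUL padding of shorter values are assumptions.

```python
# Strings may be stored as plain bytes or as UTF-16LE, which a hex editor's
# text pane shows spaced out ("W.A.P"). Searching both is an assumption.
ENCODINGS = ("ascii", "utf-16-le")


def find_all(blob: bytes, text: str) -> list[tuple[int, str]]:
    """Return (offset, encoding) for every occurrence of text."""
    hits = []
    for enc in ENCODINGS:
        needle = text.encode(enc)
        pos = blob.find(needle)
        while pos != -1:
            hits.append((pos, enc))
            pos = blob.find(needle, pos + 1)
    return sorted(hits)


def patch_at(blob: bytes, offset: int, old: str, new: str, enc: str) -> bytes:
    """Overwrite old with new at offset; the blob length never changes."""
    old_b, new_b = old.encode(enc), new.encode(enc)
    if blob[offset:offset + len(old_b)] != old_b:
        raise ValueError(f"expected {old!r} at offset {offset:#x}")
    if len(new_b) > len(old_b):
        raise ValueError(f"{new!r} does not fit the {len(old_b)}-byte slot")
    # Assumption: the field is NUL-terminated, so a shorter value can be
    # NUL-padded up to the old length.
    new_b = new_b.ljust(len(old_b), b"\x00")
    patched = blob[:offset] + new_b + blob[offset + len(old_b):]
    assert len(patched) == len(blob)
    return patched


def patch_all(blob: bytes, old: str, new: str) -> bytes:
    """Patch every hit of old; offsets stay valid because length is fixed."""
    for offset, enc in find_all(blob, old):
        blob = patch_at(blob, offset, old, new, enc)
    return blob


# Constructed sample, NOT the real store_info.dat layout: an ASCII operator
# code and a UTF-16LE APN surrounded by filler bytes.
SAMPLE = (b"\x01\x00" + b"46000\x00" + b"\x10" * 4
          + "cmwap".encode("utf-16-le") + b"\x00\x00" + b"\xff" * 3)

if __name__ == "__main__":
    out = patch_all(SAMPLE, "46000", "25501")   # same length: fits exactly
    out = patch_all(out, "cmwap", "net")        # shorter: NUL-padded
    print(len(SAMPLE), len(out), find_all(out, "25501"), find_all(out, "net"))
    try:
        patch_all(out, "net", "internet")       # longer: refused
    except ValueError as err:
        print("refused:", err)
```

Searching for a bare MCC such as "460" also hits the longer code "46000", so review the offsets from `find_all` before patching a short prefix.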
EASolana said:
460000, 454000, 46600 .
all of them? - i was trying all of this, except editing DAT file
Please, share your DAT file
Also please, tell me the MCC and MNC of your HK cellular network, on which you have managed to make everything work (preferably for the first time with your watch)
By the way, sniffing around MTK6261 source code led me to interesting things
settings are really preinstalled
custom_config_account.c file from "Source_code_of_6261\code_6261A_L1\custom\common" gives a clue.
I think for now I have to choose one cellular operator, and fix all its settings to fit my needs
Yes! I did it!!!!!! Woohoo!!!!
FlamingPumpkin said:
all of them? - i was trying all of this, except editing DAT file
Please, share your DAT file
Also please, tell me the MCC and MNC of your HK cellular network, on which you have managed to make everything work (preferably for the first time with your watch)
These are the operators that i have tried in HK.
China Mobile
Name: CMHK
APN: cmhk
MCC = 454
MNC = 12
MMSC = http://mms.hk.chinamobile.com/mms
454 07 Unicom
454 11 Hongkong Telecom
454 00 CSL
454 16 PCCW
454 06 Smartone-Vodafone
Attached is the DAT file.
Where did you get the source code from?
Source_code_of_6261\code_6261A_L1\custom\common
EASolana said:
Where did you get the source code from?
Source_code_of_6261\code_6261A_L1\custom\common
https://mega.nz/#F!JMsgDCYR!qn39qDJ5LzOz1TkUbdqvtQ
Time to sum up progress.
Activation option #1
Have your Chinese Seller activate the device using a Chinese Sim card before shipping, and this should ensure full communication in China, Hong Kong, Taiwan. (460.466.454) and possibly in the following places:
208 - France, 404 - India, 405 - India, 454 - Hong Kong, 455 - Macao, 466 - Taiwan, 502 - Malaysia, 505 - Australia, 510 - Indonesia, 515 - Philippines, 520 - Thailand, 525 - Singapore.
Given that MCC codes for several operators in those countries are included in the list inside the FW.
If you are choosing this way, you need to remember the device is only 2G - GSM 900/1800 compatible, so before you waste time, ensure your carrier is compatible. Australia has just dumped 2G support so don't even try.
You can execute the following AT code before purchasing the SIM card, and it will tell you the carriers that the device could possibly connect: AT+COPS=?
It will reply the MCC Codes and operator name, with that information you can look for a valid unlocked and activated sim card.
Since the device was activated in China, it will easily go through the regular process of scanning the QR code and adding the device to your app.
Activation Option #2.
Modify the MCC parameters inside the FW and include your specific operator details.
FlamingPumpkin, you can help us by commenting on how you succeeded with activation.
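The AT+COPS=? check from Activation option #1, as an added Python example that is not code from the thread: it parses the operator list in the 3GPP TS 27.007 response format and keeps the entries a 2G-only watch could try, using the MCC list quoted in the post. The sample response, the operator names other than CMHK, and the treatment of a missing access-technology field as GSM are assumptions.

```python
import re

# MCCs the summary post lists as present in the firmware. A match is
# necessary, not sufficient: the firmware holds per-operator entries.
FIRMWARE_MCCS = {"460", "466", "454", "208", "404", "405", "455",
                 "502", "505", "510", "515", "520", "525"}
STAT = {0: "unknown", 1: "available", 2: "current", 3: "forbidden"}
GSM_ACT = {0, 1, 3}  # 3GPP TS 27.007 <AcT>: GSM, GSM Compact, GSM with EGPRS

# One operator tuple: (<stat>,"long","short","numeric"[,<AcT>])
ENTRY = re.compile(r'\((\d),"([^"]*)","([^"]*)","(\d{5,6})"(?:,(\d+))?\)')


def parse_cops_test(response: str) -> list[dict]:
    """Parse the operator list from an AT+COPS=? response."""
    ops = []
    for stat, long_name, _short, numeric, act in ENTRY.findall(response):
        ops.append({
            "name": long_name,
            "mcc": numeric[:3],          # MCC is always the first 3 digits
            "mnc": numeric[3:],          # MNC is the remaining 2 or 3 digits
            "stat": STAT.get(int(stat), "unknown"),
            # Assumption: a modem that omits <AcT> is reporting plain GSM.
            "act": int(act) if act else 0,
        })
    return ops


def usable_2g(ops: list[dict]) -> list[dict]:
    """Keep operators a 2G-only device with this firmware could try."""
    return [o for o in ops
            if o["stat"] != "forbidden"
            and o["act"] in GSM_ACT
            and o["mcc"] in FIRMWARE_MCCS]


# Constructed response; only 45412 (CMHK) and 25501 are codes from the thread.
SAMPLE_RESPONSE = (
    '+COPS: (2,"CMHK","CMHK","45412",0),'
    '(1,"Example 3G","EX3G","45498",2),'
    '(3,"Example Barred","EXB","45499",0),'
    '(1,"Example UA","EXUA","25501",0),,(0-4),(0-2)'
)

if __name__ == "__main__":
    operators = parse_cops_test(SAMPLE_RESPONSE)
    for op in operators:
        print(op)
    print("candidates:", [o["name"] for o in usable_2g(operators)])
```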

Working solution for modding now the CSC files without having root via sideload/usb ?

Hi.
May I ask if someone can provide a WORKING method, without rooting, via methods like sideload, USB debugging and adb, to replace the existing
CSC files to get some important features back without triggering any Samsung modification checks while the rest of the system is still untouched.
To avoid a lot of manual shell typing, is there a working GUI-based "commander" that can speed up such operations and still works with Android 10?
The existing solutions are mostly from 2013-2016 and Android 5-7.
It looks like it will take much more time for a working TWRP solution or updated Magisk method to come out, so I am not talking about a root solution, just a solution to easily debloat a little bit and make necessary
changes to my actually running CSC settings.
Furthermore, I have a question: is there any working "hidden" dial code for using the IMS Settings system app without having root? The IMS Settings app is another great solution to fix local problems
with VoWifi and VoLTE without the need to modify CSC files. Whatever works. Or can I start the IMS Settings via an adb command to make the necessary manual changes just one time?
Such things are necessary when you use dual SIM from different countries and you use just one CSC set from the primary country. This results in incorrectly set VoLTE/VoWifi settings for the 2nd card, to have it basically working in roaming when the priority and data mode are changed to the 2nd slot. In the past I overcame these issues by creating a custom CSC for the ENTIRE DACH region where I included every provider from every country without the need to change the CSC code later.
Actually the A51 is heavily overloaded with bloat, and much of the Samsung bloat cannot be "deactivated" completely with the usual on-board features, like Bixby completely....
