Database Info

BtT: Understanding Anansky's hack on 850 JAM

First of all, I'd like to say that I performed Anansky's BigStorage upgrade without a hitch on my 850MHz JAM running on Cingular's network. The only concern was that the device was reporting itself as a PM10A instead of a PM10C.
Precautions:
1. Use the write-protect feature on your SD card in the unlikely event that Windows or your PocketPC wishes to write or format it.
2. Use a smaller SD card, as the steps will create a ROM file as big as your card, and it'll take a while to load the file to make changes, update the SD card, etc.
3. Burn a copy of your downloaded ROM file to a CD for safety purposes.
4. Always keep your PocketPC charged either through your PC's USB port, or through a USB-to-AC adapter.
For those who want a quick rundown on how I did it:
1. From the FTP, download NTRW.EXE (version 2.0), ROMUPDATE.EXE, and MAGICIAN_OS1.11WWE_BIGSTORAGE_6.ZIP.
2. With your JAM connected via USB to your PC, disable ActiveSync's connections.
3. Enter the Bootloader and backup your entire ROM to your SD card using ROMUPDATE.EXE.
4. Read the contents of your SD card into a ROM file using NTRW.EXE. (Note that Administrator priviliges are required on your Windows account in order to read/write to the card)
5. Modify the first 416 decimal bytes of the OS1.11WWE_BIGSTORAGE.NB1 (extracted from the ZIP file) by using the first 416 decimal bytes from your ROM file.
6. Write the newly modified ROM file onto your SD card using NTRW.EXE.
7. Enter the Bootloader with the SD card inserted and flash the newly modified ROM to your device.
Notes:
1. I was able to reflash the official i-mate CE ROM (1.11) and Radio, thinking I'd force 850MHz support back into the device in the uncertain event it lost it during Anansky's upgrade. However:[list:44fd36694d]1. The Radio can't be flashed without the CE ROM being flashed alone first.
2. Any reflashing of the Radio or the CE ROM will lose your newly acquired 27MB Storage area. The Device Information applet will report a crazy value for the Storage area when in fact it's totally gone. The only way to restore it is to put your backed up old ROM image onto the SD card and perform the flash from the card.
2. The only way to find out how the hack was done is to look at the different versions of the hack and compare them byte-by-byte to the official updaters.
3. Perhaps one can perform another full SD-to-ROM backup with Anansky's upgrade and compare the files as well, then inject the compatible ROM portions and leave his hack in place.
4. Reflashing any of the ROM portions did NOT restore my model back to PM10C, which leads me to believe that it's outside that region untouched by the official flash utility.
5. I was only able to reflash with the official ROM updaters AND the hacked MaUpgradeUt_noID.exe from the FTP, and while it was in Bootloader mode only.
[/list:u:44fd36694d]
Lastly, I restored my original ROM image in its entirety and will try again sometime in the future to see if I can incorporate the 850MHz ROM into Anansky's hack. It was nice having the extra 27MB free for a short while, but until he comes back or someone else figures it all out, it'll be a risky endeavour in the event of another official ROM upgrade.

ADVANCED USERS ONLY. I take no responsibility for the information I provide below.
I dissected Anansky's ROM to find different sections which I could possibly compare. This is by no means accurate, but I have found certain locations to be of value.
Using the Magician ROM layout on http://wiki.xda-developers.com/index.php?pagename=MagicianRomLayout, I was able to build upon that template. Note that the values start with 80000000, but subtract that value and you get the starting points below.
00A6019C-00AC82D6 = UNKNOWN
00AE019C-00B3319A = UNKNOWN (REFERENCES TO RINGTONES)
00B6019C-00C3F3D5 = UNKNOWN (REFERENCES TO GPRS?)
00CB019C-00F88BF6 = UNKNOWN
00FB019C-014101CF = UNKNOWN
0143019C-0185B015 = UNKNOWN (APPROXIMATELY 4MB... RADIO ROM?)
0187019C-01995D38 = UNKNOWN (REFERENCES TO T9 DICTIONARY)
019E01AC-01CDDE58 = UNKNOWN (REFERENCES TO LDAP, DRM)
01DB019C-01E21343 = UNKNOWN (WINDOWS MEDIA PLAYER COMPONENTS?)
01E4019C-01EF8943 = UNKNOWN (SOLITAIRE / JAWBREAKER)
01F1019C-01F9B0CE = UNKNOWN (REFERENCES TO VPN)
01FC019C-0236A72B = UNKNOWN (APPROXIMATELY 3.8MB, REFERENCES TO NETWORK ADAPTERS, MODEM)
03F80140 = ANANSKY'S ROM CREDITS
03FB819C = MODEL (PM10A)
03F4015C = DATA STRING (UNKNOWN)
03F4019C = SPLASH SCREEN ("HTC MAGICIAN" VOLCANO)
For instance, if you wish to change the splash screen, you could replace the 153,600 decimal bytes starting at 03F4019C hexidecimal with your Splash2.NB file.
I have compared the 4MB block (0143019C-0185B015 hexidecimal) between my 1.11 NA ROM dump and Anansky's and found NO DIFFERENCE. It is possible that this section is the Radio ROM area, due to the size. I have to have the radio.nbk file decrypted in order to confirm.
If there are minute differences, I'll be sure to catch them now. Stay tuned.

I did something similar to find out, what he did. I first flashed Qtek's 1.11, then backed it up on SD card and wrote it to a file. Then I flashed Ananskys ROM and was now able to compare.
Unfortunately we know to few about the internals of the ROM (at least considering what's in the wiki).

BeyoneTheTech,
A question completly unrelated to the big storage ROM. How is it that your JAM has a 850Mhz Processor?

It's 850MHz radio band, unfortunately not CPU speed! I live in North America where the 900MHz is not utilized due to many pre-cellular products hogging up the 900MHz frequency.
As for everyone else, I used a program called WinHex to byte-compare the minimal differences between Anansky's BigStorage ROM file and my own ROM dump file. Bear in mind it's almost in the morning now and I crazily did this at work, so the details will be minimal:
I noticed two byte differences - B8 01 (1B8 hex=440 dec) vs 80 00 (80 hex=120 dec). I did NOT change those because I found it once in the bootloader, so I assumed it might be related to the way it handles the Storage area/Extended ROM.
The second set of differences were where the string "PM10A" was found in Anansky's ROM. Mind you, "PM10A" was also found in my ROM file (in the CE ROM portion), so I took my bytes around the "PM10C" section near the end and transposed it into Anansky's ROM file.
Of course, there was a major differrence in the middle of the two ROM files: the Extended ROM data. I left that the way it was in Anansky's ROM, mostly zeros and some "header"-looking information.
Bottom line is I have what appears to be a fully-functioning ROM file that I flashed successfully onto my 850MHz-band i-mate JAM (running on Cingular's network in the Northeast Americas.) I have little doubt it's not utilizing the 850MHz band, since the byte changes were so minimal between Anansky's WWE ROM and my official NA (850MHz) WWE ROM. My Device Information applet reports "PM10C," of course because I hardcoded it into the ROM, but I also mapped the bytes around it from my original "850MHz" ROM. Oh, and I've got my 27MB back! :wink:

I don't particularly see a problem with having your PM10C device updated with Anansky's ROM. Although the machine will now identify itself as PM10A, people have reported still being on 850MHz cells... so there shouldn't really be a problem there.
The only issue is that now when i-Mate releases upgrades, I'm only able to flash the European and not the North American mods.
What exactly is the method to force a North American ROM upgrade onto a supposedly European JAM? I didn't save the backup which was on the SD card.

As I stated last night and bleary-eyed, there was very little difference between the North American (850MHz) and the WWE (900MHz) versions of the ROM dumps. I believe most, if not all of the differences resided in the Extended ROM. Just the changes noted below worked on my 850MHz JAM.
Using the os1.11wwe_bigstorage.nb1 file...
1. Write FF's into offset 0000028Ch to 00000293h, erasing the T-MOB101 designation.
2. Change the letter A (41h) to C (43h) at offset 03FB81A4h, so it should read "P M 1 0 C."
3. Change bytes 09 2D 4D 27 C7 to 09 2D 4C D1 8E at offset 03FB81DDh to 03FB81E1h. Again, this was near the PM10C designation, and it's unlikely that this code is my IMEI number, so I'm trying to retain as much of my original ROM as possible.
4. Change the splash screen if you wish (see previous post).
Perform a full backup with Sprite Backup or similar program.
SD-Flash the new file onto your JAM and you should be good to go.
Perform a full restore with Sprite Backup, ignoring any ROM upgrade warnings.
If you feel comfortable with hex editing, use WinHex with the ROM files. It opens files fast and can copy and "write" (not paste) the splash screen in one shot.
I am hoping that if someone can easily decrypt the new CE and Radio ROM images, they can be injected into Anansky's ROM dump, while someone who still has their Extended ROM area will be able to extract any new changes or updates in the CAB files.

Shawn_230 said:
What exactly is the method to force a North American ROM upgrade onto a supposedly European JAM? I didn't save the backup which was on the SD card.
Click to expand...
Click to collapse
Just use the "NoID" version of the MaUpgrade EXE found on the FTP, but remember: Any flashing after Anansky's hack will make your Extended ROM/Storage area disappear! Like I stated in my previous post, let's hope someone can create a new xda3nbftool to decrypt the new ROMs and we might be able to either "inject" it into Anansky's ROM dump file, or we can change the necessary bytes, reencrypt, then upgrade only that portion of the ROM to your Magician/JAM device.

BeyondtheTech said:
Just use the "NoID" version of the MaUpgrade EXE found on the FTP, but remember: Any flashing after Anansky's hack will make your Extended ROM/Storage area disappear!
Click to expand...
Click to collapse
BeyondtheTech, I had an 900mzh version but I am living in US too. Actually, there is a very simple solution w/o going thru the hacking of the rom (But it's good someone can experiment how Anansky's did it so that we could do it for the future rom update).
1. Grab the latest USA rom from imate.
2. extract it w/ Winrar and U will get 3 nbf files.
3. Keep the radio_.nbf and remove the other 2
4. Use the no id version of MaUpgrade and it will only update the radio
5. U radio is 850mzh version and U still have the big storage

FYI, I don't know if you actually tested your sets, because I did flash just the alleged "USA" radio portion on my 850MHz JAM and I did lose the BigStorage area entirely, which is why I said that any subsequent flashing will do just that.

BeyondtheTech said:
FYI, I don't know if you actually tested your sets, because I did flash just the alleged "USA" radio portion on my 850MHz JAM and I did lose the BigStorage area entirely, which is why I said that any subsequent flashing will do just that.
Click to expand...
Click to collapse
Of course, I did.

BeyondtheTech said:
ADVANCED USERS ONLY.
00A6019C-00AC82D6 = UNKNOWN
.../...
03F80140 = ANANSKY'S ROM CREDITS
03FB819C = MODEL (PM10A)
03F4015C = DATA STRING (UNKNOWN)
03F4019C = SPLASH SCREEN ("HTC MAGICIAN" VOLCANO)
I have compared the 4MB block (0143019C-0185B015 hexidecimal) between my 1.11 NA ROM dump and Anansky's and found NO DIFFERENCE. It is possible that this section is the Radio ROM area, due to the size. I have to have the radio.nbk file decrypted in order to confirm.
If there are minute differences, I'll be sure to catch them now. Stay tuned.
Click to expand...
Click to collapse
Following to BeyondtheTech post, I'm now shure that the so called 'big storage' is located between address:
023c0190 : 03f40190 (about 27 MB)
I've also determined that every 256 kB (+40000h), this 'virtual disk' include something similar to a 'sector header' conform to:
f0 f0 f0 f0 00 00 00 00 96 f2 e7 10 db d3 00 fc
Click to expand...
Click to collapse
this string is present at address:
02400140h, 02440140h, 02480140h, 02480140h .../...
03f00140h, 03f40140h
For checking the validity of my theory, I've copied about 15 MB of different files, before making a backup of my Qtek S100. It's confirm that the data are occupying this space.
Because, I'm normaly working on a french OS version, I need all accentuated; and diacritic characters to answer my mail. So my purpose is now to 'reverse engeneer' the Anansky method to include this very usefull 'big storage' on a french based OS.
So, I've merged all content of my original v1.11 French OS UpGrade from address 00000000h to 023c0100h... This personaly cooked OS is working, and all is in french... but 'no-big-storage' available unfortunately.
So, in the next step, I've tried to undestand, how 'virtual storage' is working under Qtek S100. Back to my original OS, with small 7 MB storage. On the hexadecimal point of view, nothing more than, with the Anansky backup version, except that the virtual disk is smaller... Everything is in order, according to my theory...
But because the 'big storage' is not even visible, my conculsion is simple: "the solution is in the 'registry', but I've not yet been able to go through the mystery:
HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\VDisk
"Name"="Extended_ROM"
"Folder"="Extended_ROM"
.../...
[HKEY_LOCAL_MACHINE\Drivers\Active\43]
"Hnd"=dword:0068e3f0
"Name"="DSK8:"
"Key"="Drivers\\VDisk"
"ClientInfo"=dword:00000000
.../...
[HKEY_LOCAL_MACHINE\Drivers\VDisk]
"Key"="Drivers\\VDisk"
"WindowBase"=dword:a2c00000
"Size"=dword:01300000
"Folder"="Extended_ROM"
"DisableInt"=dword:00000000
"OnBoard"=dword:00000001
"Dll"="VDISK.DLL"
"Index"=dword:00000008
"Prefix"="DSK"
"Profile"="VDisk"
.../...
[HKEY_LOCAL_MACHINE\Drivers\BuiltIn\FlshDrv]
"FolderName"="Storage"
Click to expand...
Click to collapse
Close to all references in the registry seem to be dedicated to the Extended_ROM (about 19 MB) that can become visible, but not writable... until yet.
I've found only one reference to the 'Storage' folder (about 7 MB on my QTek), but I don't understand how the OS know it's type, size, location, etc. Another thing is shure: the registry is not directely visible in the backup. I suppose that this file is compressed in ROM, and decompress to Ram for working (all modification disapear in case of har reset).
Lost of questions... :?:
Regards,
Thierry

To easy patch any ROM... folow this link ;-)
http://forum.xda-developers.com/viewtopic.php?t=22582

I am not sure it's in the registry as I did a byte compare of my backed up ROM (which was the 1.11 NA 850MHz from i-mate) to Anansky's (1.11 WWE) and found that the there were two sets of bytes that were different (changed?) in the bootloader area as well as the CE ROM, and of course, the 27MB chunk of data for the Extended ROM.
I think the bootloader may have something to do with the way the memory is set up.
The bytes that were different were in both places were B8 01 vs 80 00. 1B8h=440 and 80h=128, if that means anything. There were no other changes in the Radio or CE ROM areas, which leads me to believe that the 27MB area is just formatted differently (perhaps the start of the 7MB area was pulled back to the beginning of the Extended ROM area).
The only remaining change was near the end where it has the "PM10x" designation," but I doubt that has anything to do with the BigStorage area since I used his bytes and tried my bytes with no difference.
If you feel bold enough, you can mess with these two bytes (try a value in between) to see if it enlarges the 7MB storage space, corrupts it, makes it writable, etc.

pigot,
If you're willing to try this...
After you've injected your French ROM into the NB1 file, use a hex editor and change the following bytes:
On or around 00007E32h, change B8 01 to 80 00.
Do the same at 0211E32Eh, change B8 01 to 80 00.
Leave Anansky's changes in the Extended ROM and Storage area as well as the end of the file unless you want to call your device a PM10x.
SD-Flash it and tell me if you have the 27MB of Storage free with your French OS.

You are in the good way :lol: ... Those bytes (hB8 + h01 to h80 + h00) are the key. But not always they are in the same site in all the ROM's.
Bye. 8)

Seems to work great for me over the last couple of minutes at least! Upgraded a 3 day old UK o2 qtek s100.
Thanks a million.
BTW - what software is stored in the extended rom that we lose?
Vijay

MKS said:
You are in the good way :lol: ... Those bytes (hB8 + h01 to h80 + h00) are the key. But not always they are in the same site in all the ROM's.
Bye. 8)
Click to expand...
Click to collapse
Well, the application developped by MKS is a great job. It works perfectly for me on a v1.11 Fr... The process is very simple, and really accessible to even 'medium range' users. Sounds pretty good, isn't it?
Omho, the 'anansky trial' is over, and the big winner is MKS.
Thanks alot,
Thierry

[REF] Easiest way to SIM unlock your Elf/Elfin even if it's "MCC+MNC = None"

[REF] Easiest way to SIM unlock your Elf/Elfin even if it's "MCC+MNC = None"
First of all, sorry for my bad english...
Here goes the best way I found to unlock all Elf/Elfin, even those with the deadly "MCC+MNC=None" (wich is my elfin).
I saw some people say that when flashed with "Elf_Elfin_2.11.0.0_MFG_ModuleBuild" the phone it's not SIM locked anymore, but after reflashing with another rom it got locked again.
I tried that myself and it was true, I flashed "Elf_Elfin_2.11.0.0_MFG_ModuleBuild", then flashed other rom (with only the OS part) over it and bam, was locked again.
So the locking part should be in the OS. After looking over the system files, I found two files (SIMLock.exe and SIMLock.exe.0416.MUI [my OS was BR Portuguese]) and thought "here is the locking problem" (because "Elf_Elfin_2.11.0.0_MFG_ModuleBuild" don't have those files in the system folder!). Then I deleted those files and it wasn't SIM locked anymore... but it didn't find any networks.
So I serached a little more (google is your best friend in times like this) an discovered that the file rilgsm.dll is responsible for the network... It starts and calls SIMLock.exe, if SIMLock.exe returns a valid SIMcard, then rilgsm.dll starts the network service.
So that's the diference between "Elf_Elfin_2.11.0.0_MFG_ModuleBuild" and the other roms, its rilgsm.dll don't have the part that calls to SIMLock.exe, it just starts the network service based on the SIM card you have inserted.
So I just took that dll from that test rom and copied over another rom and it worked like a charm!
Enough talking, here's what you gotta do to SIM unlock your Elf/Elfin (no matter what rom you have):
You will need this file (unlocked "rilgsm.dll")
- Extract the file you just downloaded to a temporary folder.
- Turn on your mobile WITHOUT the SIM Card.
- Connect your Elf to your PC (activesync).
- Find the files "rilgsm.dll", "SIMLock.exe" and "SIMLock.exe.0***.MUI" (the *** depends on the language of your OS) on the windows folder of your mobile and make a bakup of them (in case you want to SIM lock it again).
- Copy the extracted "rilgsm.dll" over the one on the windows folder (say yes when it asks to replace the file).
- Delete both "SIMLock.exe" and "SIMLock.exe.0***.MUI".
- Turn off your mobile.
- Insert any SIM Card (that didn't work before) and turn your mobile on again and enjoy your newly unlocked ELFin!
If you intend to flash some other rom, just copy the dll again and it's ready to go.
Hope this helps.

Great find!!!
For Rogers users who are using the regular stock ROM, it is probably a good idea for them to use the regular free unlocking method because rilgsm.dll is responsible for Rogers Name Display. Other than that, I hope it works well for everyone else!!!
Anyone else tried this?

yes, I have, did not work. phone does not have simlock.exe or simlock.exe.xxxx.mui on windows folder, and just replacing rilgsm.dll does not affect carrier lock. when inserting sim card from other operators, it still asks for subsidy code.
Tested phone is:
ELF010050
BSTAR502
IPL: 2.24.0002
SPL: 2.26.0000pof
99HEH077-00
Operator Tim Brazil
ps.: I tried as well when phone was with stock rom, and was the same thing.
br

Good idea!!
I haven't tried your procedure but I also know that OS contained in "unbricker rom" (test only rom) do SIM unlocking, so I believe this will work . I will try it soon in my free time. Thanks!!!

I'll try to reflash my elfin tomorrow and do some other tests with it, to see if there are any problems with some specific roms.
My elfin:
ELF010050
BSTAR502
IPL 2.24.0002
SPL 2.24.0000
99HEH077-00
Claro Brazil
I'll post something more tomorrow.
Sorry for the lack of testing before posting (newbie yet).

i would feel better by patching or replacing the simlock.exe file instead of changing the dll.

zerostuff, why don't you add a poll to this thread to see if it works for most people?

Thank you for the idea dsixda.
I sent the .exes and .dlls to a friend of mine and asked asked him if he can find the locking part in those files (because i'm just a normal user and don't know anything about hex editing and stuf).
And I'm still testing some roms on my elfin to see if I can find a working and a non-working way to unlock it (so far, all the roms are working).

thinking of buying a htc elf
hi all im thinking of buying a htc elf but its locked to orange is it easy to unlock and get rid of the orange start up logo .
would you give me step by step guide on how to do it ?
thanks in advance

As you can see, some is easy to unlock others no solution yet...

@ zerostuff
elfin ELF010050 BSTAR502 from Vivo Brazil, had the simlock.exe and simlock0416.exe.mui . I replaced those files with and small clock app, and replaced rilgsm.dll , and did not worked (error 'unavailable file', and then hang) . So, I deleted the simlock.* , and phone got into menu, but no signal.
indeed, this is a way to go, but still need improvements.
@ chester-lad-2009
search board, there are many topics regarding that. this topic is not for that discussion.
br

zerostuff said:
- Delete both "SIMLock.exe" and "SIMLock.exe.0***.MUI".
Click to expand...
Click to collapse
hi, i use onyx 4.43 rom and when i try to delete a message tell me "could not delete. i try in windows and in my elfin too using total comander and sktools. how can delete this files?

I've try on my HTC Touch 3450 (PT) substitute the file and i can't! And i can't found these 2 files...

Using Total Commander
First we move the rilgsm.dll to windows folder, then delete the two files SIMLock.exe & SIMLock.exe.0***.mui, and ignore the Warning! Could not delete 1 file(s)...
Then reboot the ELFin and it´s done....loooooool... No need to put codes...
Just doing those steps, it´s done the SIM_Unlock
Strange??? i don´t know, but work´s
Note: Tested with One PT ELF and One ELFin BRS, worked fine!!!

Great post works like a charm!
i needed to use another explorer since my original rom dont let me move or copy windows folder file!
i used WinFileCE.exe to do the trick , but it worked !
1 more thing , is it possible to cook a rom with this files inside!? because if i hard reset the phone it relocks it self by this method!!

These two files they realy removed???

I cant' remove this two files because the cellphone is using them, how can i stop process's on Windows Mobile?

Using TC I was able to copy rilgsm.dll to \Windows. But simlock.* are a different story and I wasn't able to delete them.
Anyway, using this version of rilgsm causes the phone connection to die: it cannot be set on from Comm Manager. And then after some time, Comm Manager throws two or three errors.
It's an HTC Touch from Claro, Argentina. The ROM is http://forum.xda-developers.com/showthread.php?t=442391
Code:
Touch version : Elfin
Device ID : ELF010150
CID : BSTAR301
IPL : 2.24.0002
SPL : 3.07.cmonex
ROM Version : 3.07.720.03
ExtROM Version : None
Operator Version: None
AKU Version : 1.2.7
Page Pool : 12 MB
RAM Size : 128 MB
ROM Size : 256 MB
Model No. : ELF0100
Part Number : 99HEH129-00
MCC+MNC : Not found
Any information you guys want or some tests that could be run in the device, just tell me.
Cheers.

Not worked Efl 3450 ( 64/128)
The idea was great, but not worked with Efl 3450 ( 64/128)...
My device was patched (IPL 2.27/SPL 2.28 cmonex) and Rom ELVES ROM V5.0 - CE OS 5.2.2021.
No files found in windows dir "SIMLock.exe" and "SIMLock.exe.0***.MUI", so i just copy this file (unlocked "rilgsm.dll") to windows dir and i did a soft reset.
Result: deviced hanged.. new soft reset: boot ok, but no radio ( even trying to turning on manually), just wi-fi working..(nice to make calls from skype )
I don't have any clues about how to bypass simlock..
Any help will be appreciate.
Cheers

RILGSM.dll is not locked/unlocked
The thing is, that file controls GSM<-->PDA radio functions. As you took RILGSM from a "test" rom (is unlocked one)
When u sim unlock a device, it doesnt overwrite RILGSM with "unlocked" properties
The solution will be rewrite a RILGSM.dll file, and write a SIMLOCK.exe file with spoof properties to make think device is unlocked

[Q] chat-ril and AT comand reference for MDM 6600 (Motorola Atrix 4G modem)

Hi,
can anyone tell me if you can use /system/bin/chat-ril to communicate with Motorola Atrix 4G modem?. The modem is MDM 6600 (I presume Qualcomm manufacturer). Manual page (or source code) would be great.
I need to send AT command to change frequency band form USA to EURO.
Also, If anyone has or can get the AT command reference for the MDM 6600 modem used in Motorola Atrix 4G?
This is a sample form logcat -b radio while setting USA radio band:
Code:
[5387]> QUERY_AVAILABLE_BAND_MODE
onReq: reqCode = 66, dataLen = 0
Ch4 > 5908AT+GRDE=10012,0,0,0
Read Ch4 << 5908+GRDE=10012,0,0,8,8001E80
[5387]< QUERY_AVAILABLE_BAND_MODE {2, 2}
[5388]> SET_BAND_MODE 2
onReq: reqCode = 65, dataLen = 4
Ch4 > 5909AT+SRDE=10012,0,0,8,0000A
Read Ch4 << 5909+SRDE=OK
[5388]< SET_BAND_MODE
What the hell is AT+GRDE ???

hi
i am also at the same point. i am in europe and selected usa gsm band. i am not able to use gsm. have you found something or any progress?

No, I haven't.
But, I this situation if you would have the AT&T SIM and account, you wouldn't be able to use your cell phone anywhere but in USA. The roaming wouldn't work.
This is just wrong!

gogy22 said:
No, I haven't.
But, I this situation if you would have the AT&T SIM and account, you wouldn't be able to use your cell phone anywhere but in USA. The roaming wouldn't work.
This is just wrong!
Click to expand...
Click to collapse
so there should be a solution.
how to update atrix firmware?

Same problem here...
We could try an "AT&F" to restore factory settings.
Not sure about the chat-ril syntax. Found the chat man page. Tried:
$ chat-ril '' 'AT&F'
[2] - Stopper (tty output) chat-ril "" AT
But does not seem to work. Is this the correct syntax ?

Cheshire Cat said:
Same problem here...
We could try an "AT&F" to restore factory settings.
Not sure about the chat-ril syntax. Found the chat man page. Tried:
$ chat-ril '' 'AT&F'
[2] - Stopper (tty output) chat-ril "" AT
But does not seem to work. Is this the correct syntax ?
Click to expand...
Click to collapse
Where did you find chat man page? Please share!

gogy22 said:
Where did you find chat man page? Please share!
Click to expand...
Click to collapse
If you are on UNIX, just type "man chat" on the console.
Otherwise search "chat man page" on the Internet (sorry, I'm not yet allowed to post links here ).

I've have managed to get GSM. I can make and receive call and 2G works, but not 3G. I don't know why... yet.
So, this is what I have done:
1. Boot Atrix holding the Volume Down key (Volume Up key is select so don't press it yet).
2. Select BP HW Bypass BP Only by pressing Volume Up key. There will be 5 new devices that Windows detects.
3. You will need MDM6600 Baseband drivers. The drivers I found are for Windows 7 x64 and they are not signed. So I needed to boot Windows (F8 key) with option "Disabe driver signature enforcement"
4. Then, you will need Qualcomm QPST or new QXDM. I used QPST 2.7 build 355.
5. Open QPST RF NV Item Manager. You need to select COM port assigned to MDM6600 Baseband Diagnostic Interface
I would suggest to be very careful with this tool since you can screw your phone beyond imagination. Just don't use any command that writes to phone.
6. select File -> Read form phone.
7. you need to find NV_BAND_PREF_I item. There should be 2 parameters NAM = 0 and BandPref = 0. At least I had those.
Just to remind, you do this at your own risk. My techincal skills are good, but not that good. I realy don't know what all the parametars mean. I did this and got GSM only. So think twice before you do this.
I would like to ask any of the developers to help on this matter. Now, if you feel lucky proceed with next step.
8. Before doing this read this whole thread! In BandPref enter 65535 or in hex FFFF and press button above "Write NV". The value FFFF should mean "Automatic band selection".
9. reboot the phone by removing the battery (don't know any other way)
The phone should register to network upon bootup.

Cheshire Cat said:
If you are on UNIX, just type "man chat" on the console.
Otherwise search "chat man page" on the Internet (sorry, I'm not yet allowed to post links here ).
Click to expand...
Click to collapse
I've gave up trying since if I manage to send AT commands to modem, I still don't know the AT command to send.

gogy22 said:
I've have managed to get GSM. I can make and receive call and 2G works, but not 3G. I don't know why... yet.
So, this is what I have done:
1. Boot Atrix holding the Volume Down key (Volume Up key is select so don't press it yet).
2. Select BP HW Bypass BP Only by pressing Volume Up key. There will be 5 new devices that Windows detects.
3. You will need Motorola USB drivers. The drivers I found are for Windows 7 x64 and they are not signed. So I needed to boot Windows (F8 key) with option "Disabe driver signature enforcement"
4. Then, you will need Qualcomm QPST or new QXDM. I used QPST 2.7 build 355.
5. Open QPST RF NV Item Manager. You need to select COM port assigned to MDM6600 Baseband Diagnostic Interface
I would suggest to be very careful with this tool since you can screw your phone beyond imagination. Just don't use any command that writes to phone.
6. select File -> Read form phone.
7. you need to find NV_BAND_PREF_I item. There should be 2 parameters NAM = 0 and BandPref = 0. At least I had those.
Just to remind, you do this at your own risk. My techincal skills are good, but not that good. I realy don't know what all the parametars mean. I did this and got GSM only. So think twice before you do this.
I would like to ask any of the developers to help on this matter. Now, if you feel lucky proceed with next step.
8. In BandPref enter 65535 or in hex FFFF and press button above "Write NV". The value FFFF should mean "Automatic band selection"
9. reboot the phone by removing the battery (don't know any other way)
The phone should register to network upon bootup.
Click to expand...
Click to collapse
Great job ! Have you tried forcing "CDMA only" ?
Same setup here, but can't get my Win7 systems (both 64 and 32 bit) to install the MSM6600 device drivers. Tried all Motorola drivers from 4.7 to 4.9 but none of the 5 devices are recognized.
Which drivers did you use ?

RESOLVED
Resolved flashing leaked firmware 1.5.2:
http://forum.xda-developers.com/showthread.php?t=991072
WARNING: Flashing 1.5.2 will restore the device to factory settings. BACKUP !

Cheshire Cat said:
Great job ! Have you tried forcing "CDMA only" ?
Same setup here, but can't get my Win7 systems (both 64 and 32 bit) to install the MSM6600 device drivers. Tried all Motorola drivers from 4.7 to 4.9 but none of the 5 devices are recognized.
Which drivers did you use ?
Click to expand...
Click to collapse
If you are still interested I'll try to find driver pack I've installed...
Cheshire Cat said:
Resolved flashing leaked firmware 1.5.2:
http://forum.xda-developers.com/showthread.php?t=991072
WARNING: Flashing 1.5.2 will restore the device to factory settings. BACKUP !
Click to expand...
Click to collapse
Regarding the firmware, couple of questions.
1. Are you in Europe? Does the 3G (UMTS/HSUPA/HSDPA) connection works?
I'm asking this because I have realized that the WCDMA I Band (2100 MHz) is not enabled, so the modem when searches the band automatically will not even include 2100 Mhz band.
2. When you uploaded the new firmware can you still boot Atrix to HW BP Bypass mode?
3. Can you get root with the new firmware?

gogy22 said:
If you are still interested I'll try to find driver pack I've installed...
Click to expand...
Click to collapse
Yes. Please let me know at least the driver version.
gogy22 said:
Regarding the firmware, couple of questions.
1. Are you in Europe? Does the 3G (UMTS/HSUPA/HSDPA) connection works?
I'm asking this because I have realized that the WCDMA I Band (2100 MHz) is not enabled, so the modem when searches the band automatically will not even include 2100 Mhz band.
Click to expand...
Click to collapse
I am in Europe.
- Dial: *#*#4636#*#*"
- Select: "Phone info"
- Select "GSM/CDMA (auto PRL)"
With this setting, my phone is currently displaying:
- Network type = UMTS
- Notification bar shows "H+"
- A few speed tests reach rx speed of about 4 Mbps, so it is definitely working
gogy22 said:
2. When you uploaded the new firmware can you still boot Atrix to HW BP Bypass mode?
Click to expand...
Click to collapse
Yes.
gogy22 said:
3. Can you get root with the new firmware?
Click to expand...
Click to collapse
Haven't tried yet.

Cheshire Cat said:
Yes. Please let me know at least the driver version.
Click to expand...
Click to collapse
Sorry, my bed. Actually, you need MDM6600 driver . Here you are. I have only x64. If you need x86 google it, I found these that way. Or tell me, I try to find where I got these.
Cheshire Cat said:
I am in Europe.
- Dial: *#*#4636#*#*"
- Select: "Phone info"
- Select "GSM/CDMA (auto PRL)"
Click to expand...
Click to collapse
This is the first thing I've tried, no luck. Which country are you in? Does your operator use WCDMA 2100 frequency or other?
Cheshire Cat said:
With this setting, my phone is currently displaying:
- Network type = UMTS
- Notification bar shows "H+"
- A few speed tests reach rx speed of about 4 Mbps, so it is definitely working
Click to expand...
Click to collapse
If its not a problem for you when you install the drivers can you send me your QCN file so I could compare with my values. You can use NV Item Manager to read from phone and write to file (sorry if I'm playing smart but I don't know you level of experience).

If anyone is interested, I managed to flash Atrix with OLYFR_U4_1.5.2_SIGNED SBF image. After the flash I have UMTS/HSDPA connectivity and the cell phone stayed unlocked.
I reviewed the modem configuration file .QCN files for both configurations. I seems the only difference is NV_BAND_PREF_I parameter.
With USA band selected it is:
NAM = 0 and BandPref = 0
And with the new flash image is:
NAM = 0 and BandPref = 384 (decimal, or 180 Hex)
( not the FFFF that I have stated before)

Gogy,
glad to know you have your Atrix working again.
Sorry for not getting back to you sooner.
My Atrix is gone. Dismissed. This phone is crawling with bugs and I am really becoming allergic to bugs due to very long daily exposure since I was a child...
Cheers.

Not pleased to hear that. Bugs? What bugs?
I didn't come accross any... yet, and I hope I won't.
Sent from my HTC Desire using XDA App

gogy22 said:
Not pleased to hear that. Bugs? What bugs?
I didn't come accross any... yet, and I hope I won't.
Click to expand...
Click to collapse
Lots of random issues.
Audio glitches, stuttering. Sudden resets when both cores are under stress. Reboot loops. Not powering up even if attached to the charger.Hot device even if apparently idle. Battery from 30% to 0% in 20 minutes. Buggy multimedia subsystem drivers. Cheap and noisy camera sensors.
All of the above also with stock firmware.
May well be hardware related, but really I don't want to find out.
Apart from issues, the user experience is crap: Motoblur lags behind competing products. Contacts images are not synced with Exchange servers. UI widgets are few and poorly designed. Mail and Calendar apps are a pain to use.
Google's crappy/broken/incomplete/poor Android API and the absurd choice of Java as the programming language have their responsibilities. But competing Android products do much better to work around these issues.
You asked me and I am just reporting my personal experience and opinion. YMMV.

motorola atrix 4g - usa band selected, no more euro service
currently living in the uk with an unlocked at&t motorola atrix 4g. accidently selected 'usa band' and have since not been able to locate service for any of the uk / european networks providers (eg, orange, o2, t-mobile) that were previously available.
i'm having a hard time deciphering whether or not this issue has been resolved:
1) has this issue been resolved by anyone as of yet? and if so,
2) can someone please provide clear step-by-step instructions, from start to finish, to demonstrate how to reach this resolution? i'm a bit of a layman
thank you all!

galthouse9 said:
1) has this issue been resolved by anyone as of yet? and if so,
Click to expand...
Click to collapse
Yes.
You just have to flash the non-official firmware 1.5.2 - ... at your own risk.
galthouse9 said:
2) can someone please provide clear step-by-step instructions, from start to finish, to demonstrate how to reach this resolution? i'm a bit of a layman
Click to expand...
Click to collapse
No problem.
This is the thread with the step-by-step instructions:
http://forum.xda-developers.com/showthread.php?t=991072
WARNING: Flashing 1.5.2 will restore the device to factory settings. BACKUP ALL YOUR IMPORTANT DATA !

[Q] [Lenovo] [MT6572] No signal , formated nvram!

Hello xda
first, i searched the forum and other sources for solution and didn't found any help
-My phone is Lenovo A319 dual sim
-i download the latest stock firmware for it from 4PDA
-then before flash i select the scatter in sp flash tool and did format all except bootloader.
-then flashed the firmware and everything done well.
-after powering on my phone with sim card it didn't recognize it (Both sim 1 and sim 2) - no imei - no serial number - baseband is ok.
-i fixed all of this and after some tries the phone recognize both sim(s) but just 1 bar signal in sim 2 (2G) out of 5
-and sim 1 keep doing searching and no service and randomly get network (G) and sometimes (3G) but can't make calls, ussid ... etc
*Things i have tried*
1-fixed imei with SN & IMEI Writer. (Done!.)
2-fixed SN with Maui META 3g and ini config file that i have found on the internet that supposed to fix 3g but it only fix SN:nullnull to SNNxxxxxxxxxx (where x is some letters and numbers). (Done!.)
3-flashed another secro.bin from another MT6572 device(original secro.bin from stock firmware a319 flashed already). (No Luck with network)
4-changed TX settings in RF Tool in Maui META 3g [ GSM900=TX:-13 - 1800=TX:-10].(No Luck with network)
5-some other playing in Eng. Menu (*#*#3646633#*#*).(No Luck with network)
Notice:
-firmware i have downloaded has a folder Called "APDB" that contains database files for my device and a file called "catcher_filter_1_wg_n.bin".
-firmware dosn't have nvram.img.
-i have no backup.
-i'm sure that is the problem can be solved by changing band settings in Maui META 3g in RF Tool but i have no idea how to accomplish such thing.
-i guess the problem i because the firmware is Russian and my phone work in Egypt so the band settings is vary from here to there.
i hope i can get some help, and sorry for my bad english
BR.

i found a stock rom for lenovo a319 that sim works with my sim perfectly.
now i want to move from stock to CM12.1.
cm12.1 has the same issue because of modem things.
-how can i change modem from the stock i have to work with Russian unofficial CM?
Update
after flashing cm 12.1 the signal gone again, when i try go back to it no signal too :\

bump!
iguess The Problem is in RF Data but i have no idea how to set it correctly
any help?

please tell me where you find the solution for sn repair, please pm it to me
privatezs said:
Hello xda
first, i searched the forum and other sources for solution and didn't found any help
-My phone is Lenovo A319 dual sim
-i download the latest stock firmware for it from 4PDA
-then before flash i select the scatter in sp flash tool and did format all except bootloader.
-then flashed the firmware and everything done well.
-after powering on my phone with sim card it didn't recognize it (Both sim 1 and sim 2) - no imei - no serial number - baseband is ok.
-i fixed all of this and after some tries the phone recognize both sim(s) but just 1 bar signal in sim 2 (2G) out of 5
-and sim 1 keep doing searching and no service and randomly get network (G) and sometimes (3G) but can't make calls, ussid ... etc
*Things i have tried*
1-fixed imei with SN & IMEI Writer. (Done!.)
2-fixed SN with Maui META 3g and ini config file that i have found on the internet that supposed to fix 3g but it only fix SN:nullnull to SNNxxxxxxxxxx (where x is some letters and numbers). (Done!.)
3-flashed another secro.bin from another MT6572 device(original secro.bin from stock firmware a319 flashed already). (No Luck with network)
4-changed TX settings in RF Tool in Maui META 3g [ GSM900=TX:-13 - 1800=TX:-10].(No Luck with network)
5-some other playing in Eng. Menu (*#*#3646633#*#*).(No Luck with network)
Notice:
-firmware i have downloaded has a folder Called "APDB" that contains database files for my device and a file called "catcher_filter_1_wg_n.bin".
-firmware dosn't have nvram.img.
-i have no backup.
-i'm sure that is the problem can be solved by changing band settings in Maui META 3g in RF Tool but i have no idea how to accomplish such thing.
-i guess the problem i because the firmware is Russian and my phone work in Egypt so the band settings is vary from here to there.
i hope i can get some help, and sorry for my bad english
BR.
Click to expand...
Click to collapse
please provide a link it would be helpful

Any solution? Since my Lenovo A319 has the same problem. Sometimes no network, EDGE, 3G or even H+. Hopefully someone already have the solution.
I'm in Indonesia, already using A319_ROW_DS_S318_150615 with Baseband Version MOLY_WR8_W1315_MD_WG_MP_V43_P2_2015/01/13

AbuIgras said:
Any solution? Since my Lenovo A319 has the same problem. Sometimes no network, EDGE, 3G or even H+. Hopefully someone already have the solution.
I'm in Indonesia, already using A319_ROW_DS_S318_150615 with Baseband Version MOLY_WR8_W1315_MD_WG_MP_V43_P2_2015/01/13
Click to expand...
Click to collapse
hello
iam not an expert but i had some problems the same way with 3g and gsm by seeking some infos in this fourms and others
i found that u can easly extract ur device modem data base by the following command "under adb "
" adb pull /etc/mddb C:/adb " notice that c:\adb is going to be the extraction destination
so u v just got ur own modem database
easly i guess u can extract similar working device modem and just go to Maui META v 9.1604.02.00 then load it there and apply it to ur own device by selecting Rf and then 3g settings also change ur imei to ur original ones
---------------
i hope that i'am saying a good and useful stuff or some one can correct the mistakes 4 me
** sorry that i was here for long time just learning without trying to give or share i hope that one day i will have some info to share..

dial *#06#.. if you got invalid imei, then...write down your both imei (you can see at the back of your phone) download and install chamelephon, open and write down both imei. apply and restart your device. enjoy

[MTK] [NVRAM] Bricked baseband while trying to unlock LTE bands

Hello everyone
So I have this $200 Xiaomi Redmi Pro (MT6797) on which I was trying to unlock LTE Bands.
I hooked it up to MAUI Meta and fiddled with nvram settings, trying to stay logical where possible... that's to say I've paid attention at indices, changed at all occurrences of settings, etc (I'm a programmer after all).
Nevertheless , after the N-th dry run, I've managed to touch the "right" value and now Android says no sim inserted (baseband version unknown in system info).
More importantly, I thought I could simply revert the changes, as I have kept track of them, but MAUI Meta now balks with a big red flashing MODEM Exception message, and will not connect.
Most importantly though, I have no nvram backup.
What are my options to revive this thing?
Will it go away with a factory reset, or are nvram changes done with MAUI Meta real?
Any TWRP options? (i.e. http://forum.xda-developers.com/showthread.php?t=2594364 )
Is it feasible to just flash someone else's Redmi Pro nvram backup (...yeah I know I must change IMEI's).
thanks a lot!

I have root access to the /NVRAM folder with a lot of files named MT03_000, xxxx_000 etc.
It would be wonderful if the specific file and offsets for all settings could be extrapolated from a nvram database file...
(The settings I've changed with MAUI Meta are NVRAM_EF_EL1_ANT_PDATABASE, NVRAM_EF_EL1_BAND_INDICATOR, and NVRAM_EF_EL1_MPRADJTBL)