Need Z Fold 2 5G Modem backup [QPST] - Samsung Galaxy Z Fold 2 Questions & Answers

Hi,
While I was modding my Z Fold 2, I messed up the modem, and it turns out my QPST backup is bad. Now I'm screwed. Can anyone provide the modem (.qmdl) backup of Z Fold 2 5G?
Thanks

KenSoftTH said:
Hi,
While I was modding my Z Fold 2, I messed up the modem, and it turns out my QPST backup is bad. Now I'm screwed. Can anyone provide the modem (.qmdl) backup of Z Fold 2 5G?
Thanks
How can you mod it? I have the LTE version and I don't have 5G. Do you need root for this modding?

Ken, what did you mess up? I have some experience in the modem and may be able to help. There's not a lot that can't be reversed on the fold2, it seems. In service menu, have you sync'd your efs, rebuilt nv and reloaded carrier after a modem flash? If there are some nv values or efs files you need, I can share from the f9160. If your qcn is not 0, you may be able to read some of it in the qcn viewer. If you killed your efs, that should be repairable, although I back mine up in twrp so have not had to do that.
I'd be interested in the f916u modem settings also to compare to my f9160. I want to get 5g and full ca info working here in the US. I have already opened up the lte bands. But really interested in the differences in the modem for the two models. Samsung has the modem so locked down that I can't change any bits in the modem files without it rejecting them, so stuck with qxdm.

saridnour said:
Ken, what did you mess up? I have some experience in the modem and may be able to help. There's not a lot that can't be reversed on the fold2, it seems. In service menu, have you sync'd your efs, rebuilt nv and reloaded carrier after a modem flash? If there are some nv values or efs files you need, I can share from the f9160. If your qcn is not 0, you may be able to read some of it in the qcn viewer. If you killed your efs, that should be repairable, although I back mine up in twrp so have not had to do that.
I'd be interested in the f916u modem settings also to compare to my f9160. I want to get 5g and full ca info working here in the US. I have already opened up the lte bands. But really interested in the differences in the modem for the two models. Samsung has the modem so locked down that I can't change any bits in the modem files without it rejecting them, so stuck with qxdm.
Hi, I flashed the stock rom and it seems to have fixed it. I have also talked to a Qualcomm engineer and it seems like there are not a lot of things we can change; Qualcomm just locked down everything on their newer chips.

Yeah Qualcomm or more Samsung seems to have locked it down but there is some play. I have been able to change my LTE bands to match that of US model (Added b66 and b71). Actually added all bands but then limited them with nv's to preferred frequencies for US/TMO so I could change them with say band selector if I travel. These are verified working. I can also lock down the N bands but so far can't add to them. This is where I'm trying to see where it's locked and have an idea now (Frequency RIL db in an nbm). I have been able to create a custom carrier in the efs policy partition and seems to follow most of it but there are pieces it also seems not to. Like turning off the hardware mbn's still does not open bands which is odd (same in carrier policy, can't add but if hardware default is locked elsewhere the other bands would not be accessible here). I think it has to do with the mbn's in the SO path. Each is tied to a carrier selection and you can see the N bands listed (hex view) but any edits cause the files to not be usable or using from the ones from a us model (CRC assumed and vaultkeeper). This works on non-Samsung Qualcomm chipped phones.
This may be due to being in retail mode also, as test configurations the carriers use for tests are not working here. If I can find a way around vaultkeeper I can prove some of this. Need to try putting the phone back in test mode and see if I can force them to load. I am rooted so do have a bit more flexibility.
More of this info over on USA based SM-F9160 SM-F916B and SM-F916N users thread.
@KenSoftTH Would it be possible to get a few efs file copies or NV values from you? I believe the plum list and ca lists will be different for these and portable.
I have extracted the carrier policy from the f916u FW but curious if it's getting modified further when deployed. These can just be copied off using qpst/efs explorer. I plan to share the info on the opening/making preferred bands soon, as soon as I have more to write up, but willing to share early if you want to make yours a bit more worldly for travel. Glad you got yours back up. I did not realise this thread was that old. There is so little for our phones on here.

saridnour said:
Yeah Qualcomm or more Samsung seems to have locked it down but there is some play. I have been able to change my LTE bands to match that of US model (Added b66 and b71). Actually added all bands but then limited them with nv's to preferred frequencies for US/TMO so I could change them with say band selector if I travel. These are verified working. I can also lock down the N bands but so far can't add to them. This is where I'm trying to see where it's locked and have an idea now (Frequency RIL db in an nbm). I have been able to create a custom carrier in the efs policy partition and seems to follow most of it but there are pieces it also seems not to. Like turning off the hardware mbn's still does not open bands which is odd (same in carrier policy, can't add but if hardware default is locked elsewhere the other bands would not be accessible here). I think it has to do with the mbn's in the SO path. Each is tied to a carrier selection and you can see the N bands listed (hex view) but any edits cause the files to not be usable or using from the ones from a us model (CRC assumed and vaultkeeper). This works on non-Samsung Qualcomm chipped phones.
This may be due to being in retail mode also, as test configurations the carriers use for tests are not working here. If I can find a way around vaultkeeper I can prove some of this. Need to try putting the phone back in test mode and see if I can force them to load. I am rooted so do have a bit more flexibility.
More of this info over on USA based SM-F9160 SM-F916B and SM-F916N users thread.
@KenSoftTH Would it be possible to get a few efs file copies or NV values from you? I believe the plum list and ca lists will be different for these and portable.
I have extracted the carrier policy from the f916u FW but curious if it's getting modified further when deployed. These can just be copied off using qpst/efs explorer. I plan to share the info on the opening/making preferred bands soon, as soon as I have more to write up, but willing to share early if you want to make yours a bit more worldly for travel. Glad you got yours back up. I did not realise this thread was that old. There is so little for our phones on here.
Can I have your Telegram? I have talked to both Samsung and Qualcomm engineers and it's a long story, but in short, this is NOT possible.

Telegram: Contact @saridnour
Yeah any info would be helpful. Would still love to see a .qcn file for your F916u. I can dump the QCN to text view and do a diff with mine to see variances. May not be much but could help the LTE bands here in the US.
I cursed myself though stating that the modem was not hard to kill, as the next day it's just what I did. I seem to have caused an issue with my IMEI/EFS. My numbers are correct but I now have a network blocked and IMEI certi failed status in service mode. Phone can only emergency call or wifi call over tmo. Really bummed right now.

Thanks all I did get the back up data. There are a lot of differences.

Is there any solution for imei certi failed?

Related

Flashing AT&T modem on Verizon I535

Is it an absolute certainty that flashing another carrier version of GS3's radio on an I535 will hard brick it? Over on the AT&T GS3 forum lots of people have tried flashing modified and stock T-Mobile (T999) radios on their I747, and some lose signal, some lose imei (and can restore it), but no one seems to hard brick their phone. I read here that the modem is on mmcblk0 so it is the first thing that boots on an msm8960, so if you get the wrong one, it won't let the bootloader boot, you lose bootloader, Odin mode and custom recovery, hence no way to restore any modems or backups, and therefore hard brick. Well, if the AT&T hardware is the exact same, why is it that no one there has hard bricked theirs by flashing T999 modems (which is for an even more different chip type, msm8260A)? Shouldn't our CPU/modem module chip be able to boot from firmware made for a similar (or identical) chipset? How does our chipset even "know" it's a Verizon version before it boots the firmware? Has anyone done this and not hard bricked their I535? Are there any devs that have access to jtag, that would be willing to try to flash a stock or modified I747 or T999 modem to see if it works, if they know they'll be able to recover from it if it doesn't?
I understand unplugging your phone from your pc while Odin is flashing a radio WILL brick it, since there won't be anything to boot from next time, but if you flash a different version radio for another carrier's GS3, shouldn't it at least boot into bootloader, even if you might lose signal or some functionality temporarily? What I don't understand is how AT&T GS3's can flash T-Mobile radios then return to their own radio or restore, but if we flash an AT&T (or any other GS3) radio on ours, it will hard brick. Is there an unknown major difference between our version and the other versions that I'm not aware of?
What exactly are you trying to do by flashing the AT&T modem?
ECrispy said:
What exactly are you trying to do by flashing the AT&T modem?
I believe this phone has the ability to run on wcdma 1900 AND 2100, but I think Verizon's modem firmware has locked the 1900 band to disable the use of high speed data (3G , HSPA+) on domestic gsm carriers, but left 2100 open so people can use their GS3's overseas to roam on foreign gsm/wcdma networks when they choose to roam. It has been confirmed that many foreign gsm carriers offer their H+ data on wcdma 2100, no domestic carrier does. The AT&T and t-mobile versions both get wcdma 1900, somehow ours doesn't. I can use AT&T roms, use service menu or netmonitor to get into band selection, all gsm bands work, including 1900 MHz, but wcdma only works on 1900, only on what Verizon would need for roaming. I believe flashing an AT&T modem would unlock that band (or at least help confirm whether the hardware radio for that band is there or not). I would try it, but too many good devs here have advised against it, I just want to figure out why it is not advisable.
People say not to try it because it hasn't been done before. If you want to flash it, give it a shot. It might work and make this phone even better. Or, it could brick. But it is impossible to know really until someone tries.
con247 said:
People say not to try it because it hasn't been done before. If you want to flash it, give it a shot. It might work and make this phone even better. Or, it could brick. But it is impossible to know really until someone tries.
I'd hate to brick a perfectly good phone though, that's why I wanted to know if someone with jtag setup would be willing to do it on a "test" phone, like Adam was doing when trying to unlock the bootloader. If it does hard brick though, is it possible to recover with jtag? I don't want to do it if it will permanently hard brick. If jtag will recover it, or if someone with the equipment is willing to do it, that's why I wanted to do some research first and see if someone can make an educated guess.
The main thing I wanted to know from devs that read this, is if there is a reason they already know of why the Verizon 8960 chip would not boot off of the same firmware that the AT&T 8960 chip would? Is there any difference between them before loading the modem software, now that the bootloader is unlocked? This would be a question E.V.A or Adam, or any other knowledgeable dev could answer.
Thanks for any more inputs.
newuser134 said:
I'd hate to brick a perfectly good phone though, that's why I wanted to know if someone with jtag setup would be willing to do it on a "test" phone, like Adam was doing when trying to unlock the bootloader. If it does hard brick though, is it possible to recover with jtag? I don't want to do it if it will permanently hard brick. If jtag will recover it, or if someone with the equipment is willing to do it, that's why I wanted to do some research first and see if someone can make an educated guess.
The main thing I wanted to know from devs that read this, is if there is a reason they already know of why the Verizon 8960 chip would not boot off of the same firmware that the AT&T 8960 chip would? Is there any difference between them before loading the modem software, now that the bootloader is unlocked? This would be a question E.V.A or Adam, or any other knowledgeable dev could answer.
Thanks for any more inputs.
I would also like to see this happen, but I don't have any JTAG equipment around.
Some thoughts:
1) We may need to change more than just the modem partition (mmcblk0p1) for 1900Mhz WCDMA to work. For example, the Synergy IMEI backup script saves backup copies of modemst1, modemst2, efs, fsg, and backup (mmcblk0p12, mmcblk0p13, mmcblk0p11, mmcblk0p21, and mmcblk0p20). Clearly some cellular related data is stored in these partitions. Flashing just the AT&T modem might not play nice with the related partitions (although I don't see this preventing a boot as these partitions are not part of the boot chain; more likely you would boot to no cellular connection).
2) The bootloader unlocking thread has a lot of info regarding the boot chain partition order. I could be wrong, but I believe the modem hands off control to executable code at a very specific location in the next partition in the boot chain (after loading the executable code to memory?). If this location differs between the AT&T and verizon phones, it could cause a hard brick (a jump to the wrong location). During the bootloader unlocking efforts, Ralekdev was able to reverse several verizon GS3 bootloader partition's machine code (1s and 0s) into arm assembly and then reverse them to C. Using his methodology, we may be able to see if the AT&T and VZW modems (mmcblk0p1) both jump to the same partition at the same location. This could help us to know if flashing the AT&T would definitely hard brick (this isn't the only way the AT&T modem could hard brick, but identifying one way could stop us before we did hard brick). This is tedious work and we would need a full dump from someone with an AT&T phone (mmcblk0p1,2,3,etc). The alternative would be someone with JTAG and brass ones just flashing the modem.
Also check this out http://forum.xda-developers.com/showthread.php?p=31705003
It is the full partition layout for a 32GB i535.
PS, I read through some of the bootloader unlocking thread again (brings back good memories). This post by Ralekdev
http://forum.xda-developers.com/showthread.php?p=30082055 may explain why flashing an AT&T modem might hard brick. The AT&T modem would need to have the same hardware identifier and signature as the VZW one for the msm8960 to hand over execution to it. I'm gonna take a wild guess that it doesn't. I believe Verizon's locked bootloader may have just struck again.
Sent from my SCH-I535 using xda premium
mybook4 said:
I would also like to see this happen, but I don't have any JTAG equipment around.
Some thoughts:
1) We may need to change more than just the modem partition (mmcblk0p1) for 1900Mhz WCDMA to work. For example, the Synergy IMEI backup script saves backup copies of modemst1, modemst2, efs, fsg, and backup (mmcblk0p12, mmcblk0p13, mmcblk0p11, mmcblk0p21, and mmcblk0p20). Clearly some cellular related data is stored in these partitions. Flashing just the AT&T modem might not play nice with the related partitions (although I don't see this preventing a boot as these partitions are not part of the boot chain; more likely you would boot to no cellular connection).
2) The bootloader unlocking thread has a lot of info regarding the boot chain partition order. I could be wrong, but I believe the modem hands off control to executable code at a very specific location in the next partition in the boot chain (after loading the executable code to memory?). If this location differs between the AT&T and verizon phones, it could cause a hard brick (a jump to the wrong location). During the bootloader unlocking efforts, Ralekdev was able to reverse several verizon GS3 bootloader partition's machine code (1s and 0s) into arm assembly and then reverse them to C. Using his methodology, we may be able to see if the AT&T and VZW modems (mmcblk0p1) both jump to the same partition at the same location. This could help us to know if flashing the AT&T would definitely hard brick (this isn't the only way the AT&T modem could hard brick, but identifying one way could stop us before we did hard brick). This is tedious work and we would need a full dump from someone with an AT&T phone (mmcblk0p1,2,3,etc). The alternative would be someone with JTAG and brass ones just flashing the modem.
Also check this out http://forum.xda-developers.com/showthread.php?p=31705003
It is the full partition layout for a 32GB i535.
PS, I read through some of the bootloader unlocking thread again (brings back good memories). This post by Ralekdev
http://forum.xda-developers.com/showthread.php?p=30082055 may explain why flashing an AT&T modem might hard brick. The AT&T modem would need to have the same hardware identifier and signature as the VZW one for the msm8960 to hand over execution to it. I'm gonna take a wild guess that it doesn't. I believe Verizon's locked bootloader may have just struck again.
Sent from my SCH-I535 using xda premium
That's why I love this forum, I know that together we can get this to work eventually, if the phone can do it.
Please check out the bounty thread I created for this, and feel free to add your donations if you are also one of those that really want this to happen.
Thread link
mybook4 said:
PS, I read through some of the bootloader unlocking thread again (brings back good memories). This post by Ralekdev
http://forum.xda-developers.com/showthread.php?p=30082055 may explain why flashing an AT&T modem might hard brick. The AT&T modem would need to have the same hardware identifier and signature as the VZW one for the msm8960 to hand over execution to it. I'm gonna take a wild guess that it doesn't. I believe Verizon's locked bootloader may have just struck again.
Sent from my SCH-I535 using xda premium
I thought after unlocking the bootloader, the new one doesn't check for anything or any signatures, just like I can now use AT&T kernels without any problems. If the modem is on mmcblk0p1, if the modem boots before anything else, the AT&T modem must also be booting before anything else, so it must also hand execution of code over to the bootloader at some point, that point may be different for the AT&T and VZW modems, but they both must hand over at some point, so I don't see why it wouldn't be the same. It would be really annoying if all the other carrier versions could exchange modems but not with the VZW version. That seems like something else the dev community would get mad enough about to solve again, just to prove to Verizon it can be done.
So if this is possible, think there is possibility of even better reception since it would be opened up? but does vzw even use those?
newuser134 said:
I thought after unlocking the bootloader, the new one doesn't check for anything or any signatures, just like I can now use AT&T kernels without any problems. If the modem is on mmcblk0p1, if the modem boots before anything else, the AT&T modem must also be booting before anything else, so it must also hand execution of code over to the bootloader at some point, that point may be different for the AT&T and VZW modems, but they both must hand over at some point, so I don't see why it wouldn't be the same. It would be really annoying if all the other carrier versions could exchange modems but not with the VZW version. That seems like something else the dev community would get mad enough about to solve again, just to prove to Verizon it can be done.
You are probably right about the handover location being the same. It's probably an msm8960 thing, or at least samsung left it the same to make simultaneous development of all the US GS3 devices similar. All just speculation until we dive into the code or get someone to flash a modem.
Our current bootloader unlocking method was achieved by flashing an unsecure aboot partition (mmcblk0p5). In English (lol), there are several partitions in the boot chain leading to the kernel. The last one is aboot. The one after aboot is the kernel or the recovery partition (depending on whether you are or are not booting to recovery). Each partition in the boot chain checks to see that the next one has the correct signature before handing over execution to it. The unsecure aboot partition we now use to "unlock the bootloader" doesn't enforce (or just doesn't check) the signature of the kernel partition. This is why we are able to run custom kernels not signed by Samsung.
However, the bootloader partitions earlier than aboot still enforce signature checking before handing off execution. The first signature checks are done in hard coded msm8960 firmware. Although I'm not 100% certain of this, I believe the modem partition signature is checked in hardware by the msm8960 prior to execution (it would be a poor security system if it wasn't). So, unless we had Samsung's i535 private key used to sign the modem partition (something that would take more time than the current age of the universe to brute force on the world's fastest supercomputers), the AT&T modem would fail the signature check and the boot process would stop there. The AT&T and TMobile variants (and sprint for that matter) don't have Qualcomm's Secure Boot enabled, so their modem partition isn't subject to a signature check and enforcement.
On the bright side, if we were able to find a way to run a custom (non-i535) modem partition, we would have discovered a true bootloader unlock at one of the lowest levels.
Before the unsecure aboot partition was leaked and the i535 community rejoiced, there was some talk about seeing whether or not a QFuse for secure boot had been blown (permanently enabling secure boot). I don't think we ever found out with 100% certainty whether or not it was. If it isn't, we might still be able to disable secure boot, but it may involve a small hardware modification (a pull up or pull down resistor on an msm8960 GPIO pin). Annoying (and would take quite a while to locate the right one), but not too crazy to do with guts and a decent soldering iron. A software method is definitely preferred, but when you get that low level, you are sometimes dealing with read only segments.
PS, I think the bounty thread you started is a great idea! I'll be posting some of this info over there to get the ball rolling when I get the chance.
Sent from my SCH-I535 using xda premium
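A simplified model of the boot chain described in the post above, added here as an illustration (not code from the thread, Samsung or Qualcomm): each stage checks the next stage's signature before handing over, an "unsecure" aboot is still validly signed but skips its check of the kernel, and a device whose secure boot fuse is not blown checks nothing. The toy RSA key, the image contents and the three-stage order (modem, aboot, kernel) are assumptions taken from the posters' description, not a real image format.

```python
import hashlib
from dataclasses import dataclass

# Toy RSA key built from two known Mersenne primes. Constructed for this
# example only: far too small for real use and unrelated to any vendor key.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the "vendor"


def digest_int(data: bytes) -> int:
    """SHA-256 of the image, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """Vendor-side signing (textbook RSA, no padding, illustration only)."""
    return pow(digest_int(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Device-side check using only the public key (N, E)."""
    return pow(signature, E, N) == digest_int(data)


@dataclass
class Image:
    name: str
    code: bytes
    signature: int
    verifies_next: bool = True  # does this stage check the stage it hands off to?


def make_image(name, code, vendor_signed=True, verifies_next=True):
    # vendor_signed=False stands in for "signed with some other key or not at all"
    return Image(name, code, sign(code) if vendor_signed else 0, verifies_next)


def boot(chain, secure_boot_fuse):
    """Walk the chain; return (stages that ran, halt reason or None).

    The first image is checked by the boot ROM, which enforces only when the
    secure boot fuse is blown. Every later image is checked by the stage
    before it, if that stage chooses to check.
    """
    ran = []
    enforcing = secure_boot_fuse
    for image in chain:
        if enforcing and not verify(image.code, image.signature):
            return ran, "signature check failed for " + image.name
        ran.append(image.name)
        enforcing = secure_boot_fuse and image.verifies_next
    return ran, None


# Constructed sample images (contents are placeholders, not real firmware).
STOCK_MODEM = make_image("modem", b"stock modem")
STOCK_ABOOT = make_image("aboot", b"stock aboot")
STOCK_KERNEL = make_image("kernel", b"stock kernel")
UNSECURE_ABOOT = make_image("aboot", b"leaked aboot", verifies_next=False)
CUSTOM_KERNEL = make_image("kernel", b"custom kernel", vendor_signed=False)
FOREIGN_MODEM = make_image("modem", b"other variant modem", vendor_signed=False)

if __name__ == "__main__":
    cases = {
        "stock, fused": ([STOCK_MODEM, STOCK_ABOOT, STOCK_KERNEL], True),
        "custom kernel, stock aboot": ([STOCK_MODEM, STOCK_ABOOT, CUSTOM_KERNEL], True),
        "custom kernel, unsecure aboot": ([STOCK_MODEM, UNSECURE_ABOOT, CUSTOM_KERNEL], True),
        "foreign modem, fused": ([FOREIGN_MODEM, UNSECURE_ABOOT, CUSTOM_KERNEL], True),
        "foreign modem, not fused": ([FOREIGN_MODEM, STOCK_ABOOT, STOCK_KERNEL], False),
    }
    for label, (chain, fuse) in cases.items():
        print(label, "->", boot(chain, fuse))
```

The unsecure aboot only opens the chain from aboot onward; anything verified earlier, such as the modem in this model, still needs a valid signature while the fuse is blown.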
There are hardware differences too. This phone might not have an antenna capable of the 2100 band. It's just like we have those two extra prongs near the sim card that the other variants don't. So that is proof that our board is physically different and isn't just a software change between each variant. If it was discovered that removing 2100 support saved them money in assembly/manufacturing/etc they probably did it since 99% of the people using the phone wouldn't even know any different much less even care at all.
The phone does indeed do WCDMA on 2100, the question we all would like answered is what other bands is the phone capable of operating WCDMA on, and if it does have that hardware, we need to figure out what Verizon did to the software to have it disabled.
Sent from my Choco Taco using xda premium
mybook4 said:
You are probably right about the handover location being the same. It's probably an msm8960 thing, or at least samsung left it the same to make simultaneous development of all the US GS3 devices similar. All just speculation until we dive into the code or get someone to flash a modem.
Our current bootloader unlocking method was achieved by flashing an unsecure aboot partition (mmcblk0p5). In English (lol), there are several partitions in the boot chain leading to the kernel. The last one is aboot. The one after aboot is the kernel or the recovery partition (depending on whether you are or are not booting to recovery). Each partition in the boot chain checks to see that the next one has the correct signature before handing over execution to it. The unsecure aboot partition we now use to "unlock the bootloader" doesn't enforce (or just doesn't check) the signature of the kernel partition. This is why we are able to run custom kernels not signed by Samsung.
However, the bootloader partitions earlier than aboot still enforce signature checking before handing off execution. The first signature checks are done in hard coded msm8960 firmware. Although I'm not 100% certain of this, I believe the modem partition signature is checked in hardware by the msm8960 prior to execution (it would be a poor security system if it wasn't). So, unless we had Samsung's i535 private key used to sign the modem partition (something that would take more time than the current age of the universe to brute force on the world's fastest supercomputers), the AT&T modem would fail the signature check and the boot process would stop there. The AT&T and TMobile variants (and sprint for that matter) don't have Qualcomm's Secure Boot enabled, so their modem partition isn't subject to a signature check and enforcement.
On the bright side, if we were able to find a way to run a custom (non-i535) modem partition, we would have discovered a true bootloader unlock at one of the lowest levels.
Before the unsecure aboot partition was leaked and the i535 community rejoiced, there was some talk about seeing whether or not a QFuse for secure boot had been blown (permanently enabling secure boot). I don't think we ever found out with 100% certainty whether or not it was. If it isn't, we might still be able to disable secure boot, but it may involve a small hardware modification (a pull up or pull down resistor on an msm8960 GPIO pin). Annoying (and would take quite a while to locate the right one), but not too crazy to do with guts and a decent soldering iron. A software method is definitely preferred, but when you get that low level, you are sometimes dealing with read only segments.
PS, I think the bounty thread you started is a great idea! I'll be posting some of this info over there to get the ball rolling when I get the chance.
Sent from my SCH-I535 using xda premium
This is a great discussion, when we got the unsecure aboot a month ago, I thought of this same issue, because on phones like HTC, when you get S-off, the phone basically doesn't care what code you put on it, it just loads it (as long as it is executable code). However, we just created a "hole" in the signature check, as you said, the unsecure aboot is still signed with the right signature, it just doesn't check for more signatures after that point. I posted this question in a thread right at that point, I'll look for it, but I don't think anyone responded to it. To achieve a truly unlocked phone on the same level as the other carrier versions, the CPU secure boot needs to be disabled. That is why I was still bothered by "secure boot enabled" when you go into Odin mode. This is not to say that what the devs did wasn't unbelievable and we are still benefiting from the fruits of all their work on unlocking the bootloader, so we did reach that goal, but I'm just making an observation that to truly be able to flash any partition without worry of not making the hand-over to the next partition, secure boot needs to be disabled.
I did some work on Motorola 6811 micro controllers when I was in college, there were different versions, some were only test chips and thus programmable only once, using e-fuses, so I understand how incredibly stupid and annoying it would be if Verizon has blown the q-or e-fuses in everyone's I535, which we paid for just like those on other carrier networks, but we didn't get the same phone they did if this is in fact true. In the bootloader R&D thread, which is now closed, E.V.A and I shortly had a few posts about enabling the gpio pin to turn off secure boot, they were trying to figure out the right voltage for the pull up resistor source, I think it ended up being 3V or something like that (don't try it without doublechecking that), but apparently there was a different pin somewhere that grounded that gpio thru a FET transistor, so applying the pull up voltage didn't help. Another thought was that even though the q-fuse may not have been blown (I sure hope it wasn't), that the gpio was somehow pulled down internally through the chip inside with a weak ground (like a voltage divider), so a higher pull up current (bias) was needed to actually disable secure boot. Adam also mentioned that not all Samsung schematics are always correct, that even though the manual said a high is needed to disable secure boot, it may actually need to be grounded, so that it was internally pulled high, and that it needed to be grounded externally for it to work right. Another option would be that it's a combination of pins that need the right input, not just that one (I think it was q-fuse 6 or 7), so until the right voltage is applied to all those pins, secure boot won't get disabled.
This all assumes that the q-fuse isn't blown, so there is a way to disable secure boot. If it is blown, then it cannot be disabled. Then the only option would be to make a hybrid AT&T / VZW modem file that has the signature needed, but executes the same things as the AT&T modem, hence enabling the 1900 MHz band.
A final thought is that just like the original aboot never enforced security on the /system or /recovery partitions, maybe when secure boot is on, it enforces signature checks when they are in some partitions, but if the code in the specific partition doesn't ask for it, like the unsecure aboot now doesn't, maybe the modem isn't checked for signature, and the modem doesn't check for signature when handing over to the next link in the boot chain. That's why I was saying we just need to do it, and have someone with jtag do it, so no one bricks their phone, but we get an answer to the question without making a mistake that can't be recovered from.
Your thoughts, and anyone else's, are greatly appreciated, and it would be great at this point, to continue on to tackle the issue of secure boot, and figure out what we can flash to this phone without bricking it.
hypertek said:
So if this is possible, think there is possibility of even better reception since it would be opened up? but does vzw even use those?
We're not really trying to improve reception, we're trying to open some frequencies for gsm/wcdma that would make this phone fully functional on AT&T or T-Mobile, it wouldn't really change anything on Verizon and CDMA/LTE. It would just make this phone a true multi-network phone. Right now it can get "4G" data on gsm carriers overseas, but not on AT&T or T-Mobile, when we solve this problem, it will get 3G/4G data on ANY gsm network, even domestic ones. So you could take your phone to AT&T or T-Mobile and get service there. We believe Verizon has locked those bands out to prevent this. Only then would this phone become truly amazing.
con247 said:
There are hardware differences too. This phone might not have an antenna capable of the 2100 band. Its just like we have those two extra prongs near the sim card that the other variants don't. So that is proof that our board is physically different and isn't just a software change between each variant. If it was discovered that removing 2100 support saved them money in assembly/manufacturing/etc they probably did it since 99% of the people using the phone wouldn't even know any different much less even care at all.
Yes, like ac21365 said, this phone does in fact receive wcdma 2100, we're uncertain about wcdma 1900, and although it is highly unlikely that this one might be there, wcdma 1700 (AWS band). Here's the interesting part though, the chipset in this phone is identical to the one in the AT&T version, I747, that one has both 2100 and 1900 bands. Our Verizon phone also has ALL the gsm bands that the AT&T version has (gsm 850, 900, 1800 and 1900), so the 1900 band filter, antenna and amplifier is already there for gsm. If they wanted to save money, why not remove all the gsm stuff since this is a CDMA phone? At this point, it would be cheaper to leave all the hardware stuff on the phone the way it is and just make them all the same, rather than make multiple versions, which would actually be more expensive. It is strange that all the gsm/wcdma bands that Verizon needs for their overseas gsm roaming is there, but the only one that would let you get AT&T's "4G", is disabled, even though the chipset is physically able to receive/handle it. So it makes no sense that to save money, they left wcdma 2100 fully capable on this phone, but removed wcdma 1900. It could very likely be disabled by Verizon's modem software. That's why we want to get to the bottom of it. Hope this makes sense.
I have flashed AT&T radios on my Verizon sgs3; it doesn't get hard bricked, it just doesn't get signal at all. "Baseband Unknown". Just have to reflash the Verizon modem and it's good.
Still I can't assure ALL sgs3 will behave the same (I don't see why not but there's the warning). Flash at your own risk.
koriotto said:
I have flashed AT&T radios on my Verizon sgs3; it doesn't get hard bricked, it just doesn't get signal at all. "Baseband Unknown". Just have to reflash the Verizon modem and it's good.
Still I can't assure ALL sgs3 will behave the same (I don't see why not but there's the warning). Flash at your own risk.
Just to clarify, you successfully flashed an AT&T GS3 modem (for a i747) to a Verizon GS3 (i535) and you were able to boot?
Which AT&T modem did you flash?
What CWM zip/odin tar file did you use?
What ROM are you running?
What does "Baseband version" show in settings -> about phone?
Sorry for the barrage of questions, but there are quite a few people who are very interested in getting AT&T 1900Mhz HSPA/HSPA+ working on the i535.
Thanks in advance.
Sent from my SCH-I535 using xda premium
The fact that it didn't brick is a -very- interesting find. Hopefully we find out more!
koriotto said:
I have flashed AT&T radios on my Verizon sgs3; it doesn't get hard bricked, it just doesn't get signal at all. "Baseband Unknown". Just have to reflash the Verizon modem and it's good.
Still I can't assure ALL sgs3 will behave the same (I don't see why not but there's the warning). Flash at your own risk.
Accidentally or intentionally?
If intentionally, kudos to you for having balls of steel.
On another note, the earlier post articulating the difference between our unsecured aboot.img and a truly unlocked phone suggests that the developer edition might still be worth some consideration ... interesting.
Sent from my SCH-I535 using xda premium
koriotto said:
I have flashed AT&T radios on my Verizon sgs3; it doesn't get hard bricked, it just doesn't get signal at all. "Baseband Unknown". Just have to reflash the Verizon modem and it's good.
Still I can't assure ALL sgs3 will behave the same (I don't see why not but there's the warning). Flash at your own risk.
So could you kindly take some screenshots of the settings > about phone screen with the AT&T modem flashed? Could you post/upload the modem file you flashed, and post if you used a custom recovery (cwm or twrp) or Odin to flash the modem? Your help with this issue would be EXTREMELY useful and save everyone here a lot of time and worry, it would be great if you could post the modem file and give us a few screenshots to see here.
Thank you

[BOUNTY] ($205 so far) Enable HSPA+ on 1900 MHz / 1700MHz for VZW Galaxy S3 i535

Total is shown on 2nd post.
GO TO POST #3 FOR ACHIEVEMENTS, GOALS, NOTES and QUESTIONS
To get some momentum behind this, after reading lair12's "S3 as a world GSM phone" (Link), the great replies to my thread about flashing an AT&T radio to the I535 (Link), and judging from the wealth of information gathered by and the vast knowledge of the great devs such as E.V.A, Adam Outler and Ralekdev when they were working on unlocking the bootloader, I am starting this bounty thread to get some good devs behind this much sought after ability to get full domestic 3G and HSPA+ on the I535, for enabling either 1900MHz or 1700MHz WCDMA on I535 similar to what was done for Galaxy Note i717 (Link). Please add your donations publicly (NOT by pm) to this thread, similar to the bounty thread for unlocking the bootloader. I will update the thread periodically. All regular bounty disclaimers apply. Do any work to reach this goal at your own risk, if you mess up your phone, it's not my fault or anybody else's fault, or if you choose to test any software or firmware on it. Make sure you know what you're doing and that you won't damage your phone before you do it.
Copying the following from another thread:
Requirements to Receive Bounty:
Be first person to create a method of enabling 1900/1700MHz 3G/HSPA+ capability on SCH-I535
Make a post in this thread with the following:
Proving it works with appropriate photos or screenshots
Providing full step-by-step instructions which anyone else can follow
Wait for another member to follow the method and confirm it works
Claim your bounty via PM from donors
Payment will be processed between each member and the bounty collector via PM on an individual basis.
*** Please note: No hardware modification of the phone's radio chips or antennae is allowed to achieve this goal, it will be by software/firmware/coding/flashing only. If the phone turns out to be missing both the wcdma 1900 or 1700 MHz radio(s), this bounty will be void as the goal will not be achievable without hardware modifications. Even if only one of the wcdma bands is "unlocked" and HSPA+ is achieved on only one domestic carrier, the bounty can still be received. ***
I will start myself by donating $50 to the person that reaches this goal first. Please make posts below for your donations. I will update the list and the total bounty regularly.
*** BUMP ***
Any dev with jtag willing to flash a stock or modified AT&T modem on i535 to try it, or edit the "padding" at the end of a stock i535 modem to see if it causes a brick?
Any dev (such as Ralekdev, or with similar knowledge) willing to modify the modem.bin file from an i535 with parts from an AT&T or T-Mobile modem to keep the i535 signatures and hand-off, but operate as an AT&T radio maybe to enable wcdma modulation on 1900 MHz? The RF path for 1900 MHz is already there for gsm 1900. We can involve the help of some AT&T or T-Mobile forum members and devs if dumps from AT&T / T-Mobile modems or other files are required, that part should not be that difficult.
Day 11:
TOTAL = $205
Donations:
"newuser134" = $50
"ac21365" = $30
"Buff McBigstuff" = $25
"cvsolidx17" = $20
"mybook4" = $25 (for T-Mobile HSPA+) or $50 (for T-Mobile HSPA+ on 1700 AND 1900)
"preusstang" = $20
"worldlyinquirer" = $10
As a separate item, you may wish to donate to replace or repair someone's hard bricked i535 phone if they flash an AT&T modem, when ALL options to find out, prior to actually flashing, have been exhausted to determine whether a cross-device modem flash would brick or not. In that case a volunteer would flash a modem with the agreement of others on this thread. Only in that case, would others who chose to before the flash took place, donate to help replace or repair that person's phone. So far these donations have been made for that purpose:
"mybook4" = $25
"newuser134" = $25
Achievements / Steps
Main Goal: Enable HSPA+ data on 1700 MHz/1900 MHz (or both) on the Samsung GS3 SCH-i535
To enable the use of it on US gsm carriers (AT&T, T-Mobile) for voice, sms and high speed data
The VZW GS3 is capable of roaming on 850Mhz/900Mhz/1800Mhz/1900Mhz GSM and 2100Mhz WCDMA. As pointed out, if we have the necessary hardware to receive 1900Mhz, it is possible that flashing another modem may allow us to gain the capability to run WCDMA hspa/hspa+ over 1900Mhz.
WARNING, testing modems can result in a hard brick that is only recoverable by JTAG.
As answers are found, they will be posted here with links to the posts containing the results.
Main Milestones:
Find out whether or not all of our existing modems lack the ability to utilize hspa/hspa+ over 1900Mhz WCDMA (also verify the area the user tries the sim operates hspa/hspa+ on 1900Mhz WCDMA).
a) Try AT&T post paid sim using VRLF2 modem
b) Try AT&T post paid sim using VRLG1 modem
c) Try AT&T post paid sim using VRLG7 modem
d) Try AT&T post paid sim using VRLEC modem
Find out whether or not it is possible to flash a modem other than the Verizon released/leaked modems. This is more of a follow up bootloader investigation. I recommend those investigating this to look in the original bootloader unlock thread opened by Adam Outler in the Original Development Section.
a) Find someone with JTAG skills who would be willing to attempt to
i) hex edit an existing modem, changing some non-critical section (perhaps any padding that may exist at the end of the image). This would allow us to see whether or not secure boot checks the modem partition (unfortunately, it almost certainly does).
ii) flash an AT&T modem (will most likely fail due to a different hardware identifier and signature)
b) Investigate whether or not secure boot can be disabled (even if it involves a small hardware mod to accomplish it). The bootloader unlocking thread has a decent amount of info on this, but we still would need to research further.
c) Reverse the machine code of the modem image to ARM assembly and then to C using Ralekdev's method described in the bootloader unlocking thread. This could give us some info on how the secure boot chain is enforced.
*** Would modifying NV entries be the solution, if it's not, or not just, the modem? Either way, it is deeper than /system, because flashing a rooted stock AT&T rom (just /system, /data and kernel) did not unlock wcdma 1900, so it is something beyond the rom and kernel. See this post.
$30 towards this. Regardless whether it works or not, I just want someone to prove whether this phone has the proper hardware for WCDMA on 1900/1700.
Sent from my Choco Taco using xda premium
I have $25
Will donate $20 if I can successfully flash T-Mobile's as well as pull both 3g and 4G data
Sent from my SCH-I535 using Tapatalk 2
I'm in for $25 if we can get hspa+ working on TMobile.
$50 if we can get hspa+ working on TMobile for both 1900Mhz (WCDMA) and 1700/2100Mhz (AWS).
I'll be switching to TMobile when my contract ends. They still have unlimited data.
Sent from my SCH-I535 using xda premium
---------- Post added at 08:43 PM ---------- Previous post was at 08:14 PM ----------
The VZW GS3 is capable of roaming on 800Mhz/900Mhz/1800Mhz/1900Mhz GSM and 2100Mhz WCDMA. As pointed out by newuser134, if we have the necessary hardware to receive 1900Mhz, it is possible that flashing another modem may allow us to gain the capability to run WCDMA hspa/hspa+ over 1900Mhz.
Might be a good idea to focus on some areas to start. WARNING, testing modems can result in a hard brick that is only recoverable by JTAG. As we find answers, we should post them in the opening post with links to the posts containing the results.
1) Find out whether or not all of our existing modems lack the ability to utilize hspa/hspa+ over 1900Mhz WCDMA (also verify the area the user tries the sim operates hspa/hspa+ on 1900Mhz WCDMA).
a) Try AT&T post paid sim using LF2 modem
b) Try AT&T post paid sim using LG1 modem
c) Try AT&T post paid sim using LG7 modem
2) Find out whether or not it is possible to flash a modem other than the Verizon released/leaked modems. This is more of a follow up bootloader investigation. I recommend those investigating this to look in the original bootloader unlock thread opened by Adam Outler in the Original Development Section.
a) Find someone with JTAG skills who would be willing to attempt to
i) hex edit an existing modem, changing some non-critical section (perhaps any padding that may exist at the end of the image). This would allow us to see whether or not secure boot checks the modem partition (unfortunately, it almost certainly does).
ii) flash an AT&T modem (will most likely fail due to a different hardware identifier and signature)
b) Investigate whether or not secure boot can be disabled (even if it involves a small hardware mod to accomplish it). The bootloader unlocking thread has a decent amount of info on this, but we still would need to research further.
c) Reverse the machine code of the modem image to ARM assembly and then to C using Ralekdev's method described in the bootloader unlocking thread. This could give us some info on how the secure boot chain is enforced.
Some background info...
Some thoughts:
1) We may need to change more than just the modem partition (mmcblk0p1) for 1900Mhz WCDMA to work. For example, the Synergy IMEI backup script saves backup copies of modemst1, modemst2, efs, fsg, and backup (mmcblk0p12, mmcblk0p13, mmcblk0p11, mmcblk0p21, and mmcblk0p20). Clearly some cellular related data is stored in these partitions. Flashing just the AT&T modem might not play nice with the related partitions (although I don't see this preventing a boot as these partitions are not part of the boot chain; more likely you would boot to no cellular connection).
2) The bootloader unlocking thread has a lot of info regarding the boot chain partition order. I could be wrong, but I believe the modem hands off control to executable code at a very specific location in the next partition in the boot chain (after loading the executable code to memory?). If this location differs between the AT&T and verizon phones, it could cause a hard brick (a jump to the wrong location). During the bootloader unlocking efforts, Ralekdev was able to reverse several verizon GS3 bootloader partition's machine code (1s and 0s) into arm assembly and then reverse them to C. Using his methodology, we may be able to see if the AT&T and VZW modems (mmcblk0p1) both jump to the same partition at the same location. This could help us to know if flashing the AT&T would definitely hard brick (this isn't the only way the AT&T modem could hard brick, but identifying one way could stop us before we did hard brick). This is tedious work and we would need a full dump from someone with an AT&T phone (mmcblk0p1,2,3,etc). The alternative would be someone with JTAG and brass ones just flashing the modem.
Also check this out http://forum.xda-developers.com/show...php?p=31705003
It is the full partition layout for a 32GB i535.
PS, I read through some of the bootloader unlocking thread again (brings back good memories). This post by Ralekdev
http://forum.xda-developers.com/show...php?p=30082055 may explain why flashing an AT&T modem might hard brick. The AT&T modem would need to have the same hardware identifier and signature as the VZW one for the msm8960 to hand over execution to it. I'm gonna take a wild guess that it doesn't. I believe Verizon's locked bootloader may have just struck again.
Our current bootloader unlocking method was achieved by flashing an unsecure aboot partition (mmcblk0p5). In English (lol), there are several partitions in the boot chain leading to the kernel. The last one is aboot. The one after aboot is the kernel or the recovery partition (depending on whether you are or are not booting to recovery). Each partition in the boot chain checks to see that the next one has the correct signature before handing over execution to it. The unsecure aboot partition we now use to "unlock the bootloader" doesn't enforce (or just doesn't check) the signature of the kernel partition. This is why we are able to run custom kernels not signed by Samsung.
However, the bootloader partitions earlier than aboot still enforce signature checking before handing off execution. The first signature checks are done in hard coded msm8960 firmware. Although I'm not 100% certain of this, I believe the modem partition signature is checked in hardware by the msm8960 prior to execution (it would be a poor security system if it wasn't). So, unless we had Samsung's i535 private key used to sign the modem partition (something that would take more time than the current age of the universe to brute force on the world's fastest supercomputers), the AT&T modem would fail the signature check and the boot process would stop there. The AT&T and TMobile variants (and sprint for that matter) don't have Qualcomm's Secure Boot enabled, so their modem partition isn't subject to a signature check and enforcement.
On the bright side, if we were able to find a way to run a custom (non-i535) modem partition, we would have discovered a true bootloader unlock at one of the lowest levels.
Before the unsecure aboot partition was leaked and the i535 community rejoiced, there was some talk about seeing whether or not a QFuse for secure boot had been blown (permanently enabling secure boot). I don't think we ever found out with 100% certainty whether or not it was. If it isn't, we might still be able to disable secure boot, but it may involve a small hardware modification (a pull up or pull down resistor on an msm8960 GPIO pin). Annoying (and would take quite a while to locate the right one), but not too crazy to do with guts and a decent soldering iron. A software method is definitely preferred, but when you get that low level, you are sometimes dealing with read only segments.
The phone does indeed do WCDMA on 2100, the question we all would like answered is what other bands is the phone capable of operating WCDMA on, and if it does have that hardware, we need to figure out what Verizon did to the software to have it disabled.
This is a great discussion, when we got the unsecure aboot a month ago, I thought of this same issue, because on phones like HTC, when you get S-off, the phone basically doesn't care what code you put on it, it just loads it (as long as it is executable code). However, we just created a "hole" in the signature check, as you said, the unsecure aboot is still signed with the right signature, it just doesn't check for more signatures after that point. I posted this question in a thread right at that point, I'll look for it, but I don't think anyone responded to it. To achieve a truly unlocked phone on the same level as the other carrier versions, the CPU secure boot needs to be disabled. That is why I was still bothered by "secure boot enabled" when you go into Odin mode. This is not to say that what the devs did wasn't unbelievable and we are still benefiting from the fruits of all their work on unlocking the bootloader, so we did reach that goal, but I'm just making an observation that to truly be able to flash any partition without worry of not making the hand-over to the next partition, secure boot needs to be disabled.
I did some work on Motorola 6811 micro controllers when I was in college, there were different versions, some were only test chips and thus programmable only once, using e-fuses, so I understand how incredibly stupid and annoying it would be if Verizon has blown the q- or e-fuses in everyone's I535, which we paid for just like those on other carrier networks, but we didn't get the same phone they did if this is in fact true. In the bootloader R&D thread, which is now closed, E.V.A and I shortly had a few posts about enabling the gpio pin to turn off secure boot, they were trying to figure out the right voltage for the pull up resistor source, I think it ended up being 3V or something like that (don't try it without double-checking that), but apparently there was a different pin somewhere that grounded that gpio thru a FET transistor, so applying the pull up voltage didn't help. Another thought was that even though the q-fuse may not have been blown (I sure hope it wasn't), that the gpio was somehow pulled down internally through the chip inside with a weak ground (like a voltage divider), so a higher pull up current (bias) was needed to actually disable secure boot. Adam also mentioned that not all Samsung schematics are always correct, that even though the manual said a high is needed to disable secure boot, it may actually need to be grounded, so that it was internally pulled high, and that it needed to be grounded externally for it to work right. Another option would be that it's a combination of pins that need the right input, not just that one (I think it was q-fuse 6 or 7), so until the right voltage is applied to all those pins, secure boot won't get disabled.
This all assumes that the q-fuse isn't blown, so there is a way to disable secure boot. If it is blown, then it cannot be disabled. Then the only option would be to make a hybrid AT&T / VZW modem file that has the signature needed, but executes the same things as the AT&T modem, hence enabling the 1900 MHz band.
A final thought is that just like the original aboot never enforced security on the /system or /recovery partitions, maybe when secure boot is on, it enforces signature checks when they are in some partitions, but if the code in the specific partition doesn't ask for it, like the unsecure aboot now doesn't, maybe the modem isn't checked for signature, and the modem doesn't check for signature when handing over to the next link in the boot chain. That's why I was saying we just need to do it, and have someone with jtag do it, so no one bricks their phone, but we get an answer to the question without making a mistake that can't be recovered from.
Your thoughts, and anyone else's, are greatly appreciated, and it would be great at this point, to continue on to tackle the issue of secure boot, and figure out what we can flash to this phone without bricking it.
We're not really trying to improve reception, we're trying to open some frequencies for gsm/wcdma that would make this phone fully functional on AT&T or T-Mobile, it wouldn't really change anything on Verizon and CDMA/LTE. It would just make this phone a true multi-network phone. Right now it can get "4G" data on gsm carriers overseas, but not on AT&T or T-Mobile, when we solve this problem, it will get 3G/4G data on ANY gsm network, even domestic ones. So you could take your phone to AT&T or T-Mobile and get service there.
Yes, like ac21365 said, this phone does in fact receive wcdma 2100, we're uncertain about wcdma 1900, and although it is highly unlikely that this one might be there, wcdma 1700 (AWS band). Here's the interesting part though, the chipset in this phone is identical to the one in the AT&T version, I747, that one has both 2100 and 1900 bands. Our Verizon phone also has ALL the gsm bands that the AT&T version has (gsm 850, 900, 1800 and 1900), so the 1900 band filter, antenna and amplifier is already there for gsm. If they wanted to save money, why not remove all the gsm stuff since this is a CDMA phone? At this point, it would be cheaper to leave all the hardware stuff on the phone the way it is and just make them all the same, rather than make multiple versions, which would actually be more expensive. It is strange that all the gsm/wcdma bands that Verizon needs for their overseas gsm roaming is there, but the only one that would let you get AT&T's "4G", is disabled, even though the chipset is physically able to receive/handle it. So it makes no sense that to save money, they left wcdma 2100 fully capable on this phone, but removed wcdma 1900. It could very likely be disabled by Verizon's modem software. That's why we want to get to the bottom of it.
Called the local at&t store. They wouldn't let me try a post paid sim in store unless I signed up for a plan. Very customer friendly, lol.
In other news, incubus posted that the developer edition of the vzw gs3 is available for sale. I'm curious if we can use some of the partitions? Finding someone who has bought this will be tough.
Sent from my SCH-I535 using xda premium
cvsolidx17 said:
Will donate $20 if I can successfully flash T-Mobile's as well as pull both 3g and 4G data
Sent from my SCH-I535 using Tapatalk 2
You do realize that we will def. not be able to get T-Mobile 4G right? We're talking about HSPA+ here (3G data). TMO's 4G LTE uses different hardware. Please modify your post to reflect whether or not you're still in this.
Count me in for $20 towards at least AT&T ( this would let me use straight talk w/o messing with cdma workshop and the dirty clone job :/ )
BTW, thank you for starting this bounty. I hope this issue gains some momentum now!
preusstang said:
You do realize that we will def. not be able to get T-Mobile 4G right? We're talking about HSPA+ here (3G data). TMO's 4G LTE uses different hardware. Please modify your post to reflect whether or not you're still in this.
I think what he means by that is T-Mobile's "4G", which they've had before even starting on their LTE, both T-Mobile and AT&T refer to HSPA+ as "4G", so that's what he means. The scope of this bounty never included LTE service from ANY other provider, so a donation for that wouldn't even be accepted as it is not possible to reach that goal. Just to reiterate, this bounty is for either wcdma 1900 OR wcdma 1700, or both, whichever is possible by hardware. We are not attempting to enable any other carrier's LTE service on this phone.
Hope that clarifies things a little.
mybook4 said:
Called the local at&t store. They wouldn't let me try a post paid sim in store unless I signed up for a plan. Very customer friendly, lol.
In other news, incubus posted that the developer edition of the vzw gs3 is available for sale. I'm curious if we can use some of the partitions? Finding someone who has bought this will be tough.
Sent from my SCH-I535 using xda premium
The signatures may not work on the hardware-coded signatures that these phones are looking for though, and even if they do, they probably didn't write its firmware to make the radio activate those bands we want though anyway. However, that phone may be the way for us to get to the solution; the dev edition doesn't have secure boot enabled (most likely, otherwise I wouldn't want one) but the hardware is IDENTICAL to the i535 (regular) version, so maybe if we could raise enough w/ the bounty to get one, we could flash att or t-mo modems, and see if that would enable 1900 wcdma band, right? It would help us on the way to "dev" the right modem file, hehe, since it's the dev edition.
Someone claims to have flashed an at&t modem on a Verizon GS3 and still been able to boot. Hopefully it isn't a spoof (that would be pretty messed up as it could lead others to hard brick their devices).
http://forum.xda-developers.com/showthread.php?p=31936888
Sent from my SCH-I535 using xda premium
mybook4 said:
Someone claims to have flashed an at&t modem on a Verizon GS3 and still been able to boot. Hopefully it isn't a spoof (that would be pretty messed up as it could lead others to hard brick their devices).
http://forum.xda-developers.com/showthread.php?p=31936888
Sent from my SCH-I535 using xda premium
It doesn't seem like a spoof or hoax, judging from the person's membership length and info. The other reason is that from what I've read on the AT&T sections, when they flash a pure (non-modified to utilize the i747 radios) T-Mobile (T999) modem, the i747 doesn't brick either, but it loses signal completely. Unless the information was gathered from those threads (which seems unlikely), it seems somewhat realistic. I don't know why anyone on this forum, after being a member for that long, would make up something that horrific and cause everyone on here to hard brick their phones. Now we just need to get someone with jtag, maybe Adam Outler, to flash an AT&T modem and see what happens.
newuser134 said:
It doesn't seem like a spoof or hoax, judging from the person's membership length and info. The other reason is that from what I've read on the AT&T sections, when they flash a pure (non-modified to utilize the i747 radios) T-Mobile (T999) modem, the i747 doesn't brick either, but it loses signal completely. Unless the information was gathered from those threads (which seems unlikely), it seems somewhat realistic. I don't know why anyone on this forum, after being a member for that long, would make up something that horrific and cause everyone on here to hard brick their phones. Now we just need to get someone with jtag, maybe Adam Outler, to flash an AT&T modem and see what happens.
Yeah, but there is one key difference between our GS3 and every other variant... Secure Boot. It's the only reason I'm hesitant/skeptical but I really hope the poster is genuine. If he/she is, I feel he/she should be included in the reward (if it turns out to be a breakthrough that helps us get working 1900Mhz hspa).
If an AT&T modem flash works on our device without bricking it, it must mean that either the modem partition (one of the earliest parts of the boot chain) isn't checked for signature / hardware identifier or that the AT&T modem he used was signed with the same private key used to sign our modems.
I wonder if the AT&T bootloader partitions do any checks of subsequent boot partitions? If they don't, this could be a way around secure boot. If they do, they may check to see if secure boot is enabled before actually enforcing the check. All this is speculation until we receive confirmation from the poster.
... <drumroll>...
Sent from my SCH-I535 using xda premium
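The reasoning in the post above, as an added example that is not part of the original thread: a toy model of a signed boot chain showing why a padding edit or a foreign-signed modem stops an enforcing chain, and why a validly signed stage that skips its own check (the "unsecure aboot") only opens what comes after it. HMAC-SHA256 stands in for the real asymmetric signature, all keys, hardware IDs and stage contents are constructed, and the model assumes each stage decides whether to verify the next one, which is only one of the possibilities raised in the thread.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed values for illustration only; not real keys or identifiers.
VZW_KEY = b"constructed-vzw-signing-key"
ATT_KEY = b"constructed-att-signing-key"
VZW_HW_ID = b"HWID-VZW-EXAMPLE"
ATT_HW_ID = b"HWID-ATT-EXAMPLE"


def sign(image: bytes, hw_id: bytes, key: bytes) -> bytes:
    """Stand-in signature: HMAC-SHA256 over hardware id + the whole image."""
    return hmac.new(key, hw_id + image, hashlib.sha256).digest()


@dataclass
class Stage:
    name: str
    image: bytes
    signature: bytes
    verifies_next: bool = True  # False models a stage like the unsecure aboot


def make_stage(name, body, hw_id, key, verifies_next=True, pad=16):
    """Build a stage whose image is body + zero padding, signed as a whole."""
    image = body + b"\x00" * pad
    return Stage(name, image, sign(image, hw_id, key), verifies_next)


def boot(chain, device_hw_id, trusted_key, secure_boot=True):
    """Walk the chain; return (names of stages that ran, failure or None)."""
    booted = []
    enforce = secure_boot  # the first check is made by the chip itself
    for stage in chain:
        if enforce:
            expected = sign(stage.image, device_hw_id, trusted_key)
            if not hmac.compare_digest(expected, stage.signature):
                return booted, f"{stage.name}: signature check failed"
        booted.append(stage.name)
        # Assumption: a running stage chooses whether to check its successor.
        enforce = secure_boot and stage.verifies_next
    return booted, None


def stock_chain(aboot_verifies_next=True):
    """Simplified chain; intermediate bootloader stages are omitted."""
    return [
        make_stage("modem", b"vzw modem code", VZW_HW_ID, VZW_KEY),
        make_stage("aboot", b"aboot code", VZW_HW_ID, VZW_KEY,
                   aboot_verifies_next),
        make_stage("kernel", b"stock kernel", VZW_HW_ID, VZW_KEY),
    ]


def with_padding_edit(chain):
    """Flip the last padding byte of the first stage, keep its old signature."""
    first = chain[0]
    edited = first.image[:-1] + b"\x01"
    return [Stage(first.name, edited, first.signature,
                  first.verifies_next)] + chain[1:]


def with_foreign_modem(chain):
    """Swap in a modem signed with another key for another hardware id."""
    return [make_stage("modem", b"att modem code", ATT_HW_ID, ATT_KEY)] + chain[1:]


def with_custom_kernel(chain):
    """Swap in a kernel that carries no valid signature at all."""
    return chain[:-1] + [Stage("kernel", b"custom kernel", b"\x00" * 32)]


if __name__ == "__main__":
    scenarios = {
        "stock": stock_chain(),
        "padding edit in modem": with_padding_edit(stock_chain()),
        "foreign-signed modem": with_foreign_modem(stock_chain()),
        "custom kernel, enforcing aboot": with_custom_kernel(stock_chain()),
        "custom kernel, non-enforcing aboot":
            with_custom_kernel(stock_chain(aboot_verifies_next=False)),
    }
    for label, chain in scenarios.items():
        print(label, "->", boot(chain, VZW_HW_ID, VZW_KEY))
```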
mybook4 said:
Yeah, but there is one key difference between our GS3 and every other variant... Secure Boot. It's the only reason I'm hesitant/skeptical but I really hope the poster is genuine. If he/she is, I feel he/she should be included in the reward (if it turns out to be a breakthrough that helps us get working 1900Mhz hspa).
If an AT&T modem flash works on our device without bricking it, it must mean that either the modem partition (one of the earliest parts of the boot chain) isn't checked for signature / hardware identifier or that the AT&T modem he used was signed with the same private key used to sign our modems.
I wonder if the AT&T bootloader partitions do any checks of subsequent boot partitions? If they don't, this could be a way around secure boot. If they do, they may check to see if secure boot is enabled before actually enforcing the check. All this is speculation until we receive confirmation from the poster.
... <drumroll>...
Sent from my SCH-I535 using xda premium
That's what I was wondering about: If any checks are enforced even if a partition does have checks written into it if secure boot is disabled. What is the exact role of secure boot? Does it only do hardware check on the first partition boot (modem), or is it like a "guard", and forces every subsequent partition to look for a signature too? If the latter is true, then disabling secure boot would make ALL signature checks turn off and obsolete, making the phone truly unlocked whether the software code asks for signatures or not. If the initial condition is true (only checks the first boot partition) then like you said, getting a modem file that has no signature check would almost entirely get around secure boot, it wouldn't really bother us any more if we managed to get firmware that has no signature check, kind of like the unsecure aboot.
Why is it so difficult to get a dev with jtag setup to try this for us? To flash a stock AT&T or T-Mobile modem and see what happens?
I just came to a feeling of "revelation" after reading through some of the AT&T threads about the AT&T Note working on T-Mobile, to the conclusion that if a phone is capable of gsm on ANY band, it MUST also be capable of wcdma on that same band (as long as the phone has wcdma capability on other bands and is not a pre-3G/pre-wcdma era phone, like old flip phones, and we all know our phone is capable of wcdma 2100 AND gsm 1900).
This is why: the difference between gsm and wcdma is frequency/spectrum bandwidth and software manipulation by the CPU, kind of like wave and mp3 files. All the signals go to the same transceiver, so if the phone has hardware for gsm 1900, it already has the hardware and RF path for wcdma 1900. It also has the ability to take larger chunks of a gsm band and use software to decode a wider frequency portion and turn it into a higher bandwidth (speed) wcdma connection. It's the modem software that does this. This wouldn't work if we were concluding the same thing for interchangeability between gsm and LTE, because LTE uses MiMo (multiple-in Multiple-out connections), and that is a different method of reaching higher data rates, it is not just a different modulation scheme using a wider bandwidth, so gsm and LTE aren't interchangeable even on the same frequency, but gsm and wcdma are. That's how they were able to change 3G into HSPA+ "4G", and receive higher data rates just by changing software, that's why 3G gsm phones can usually also get HSPA+ speeds on AT&T, but they don't call it 4G, just H+. That's why T-Mobile is going to re-farm its EDGE network to run HSPA+ on 1900 MHz, otherwise it would use it for LTE. The antennae are already there, the difference is modifying how the band is used with the help of software. Compare it to putting a large picture on a network of multiple tv screens as one big picture, instead of on just one screen. With the right software and multiple screens (in our case CPU power), it can be done.
That is why the 3G gsm/wcdma capable Verizon iPad 3 (newest version) can also receive AT&T's HSPA+, because the modem software is there, or the same iPhone 4s, if unlocked, can run on Verizon's CDMA 850/1900 and AT&T's wcdma 850/1900 without any hardware differences.
The difference between CDMA, gsm and wcdma is just software to understand the modulation/demodulation and the width of the frequency band, notice how they all use the same frequencies (850/900/1800/1900)? LTE is totally different and requires different bands (like 700, 1700 - this is not the same as 1700 AWS part of the band that is used for t-Mobile's wcdma) and won't work with the others.
All that is needed is the right modem software to literally "patch" the i535 radio to understand wcdma modulation on 1900 MHz, the same way it does on 2100 MHz. Right now it can receive wcdma on 1900 MHz, but it means nothing to the phone, it needs the ability to "read" it, we already know it has the ability to decode wcdma signals.
The only factors that decide this, are provisioning (sim), RF hardware (we know it is there for 1900 MHz) AND, the right modem software. When we put in an AT&T sim, we've provided 2 of these requirements, the one missing is the modem file. If someone can write the correct modem / shuffle the right files onto the right partitions (it may not be just the modem partition as we have seen from the imei problems), I know this phone could do it. I hope this proves it to everyone else the way it just proved it to me. I think that's why the Note was able to run on t-mobile, it had the RF hardware, it just needed the software decoding. Call it a codec if you will, that's all that's missing.
Now, if anyone is able to figure out what is needed, that's a different question, but being able to flash AT&T or t-mobile modems is the very first step. Now we need to figure out if it will brick or not.
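The secure boot question raised in the posts above (does only the first stage get checked, or does each stage check the next, and what follows if one stage skips its check) can be pictured with a toy chain-of-trust model. This is an added example, not code from the thread and not a description of how the SCH-I535 actually boots: the stage names and order, keys and images are constructed, and HMAC stands in for the vendor's asymmetric signature.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed keys. HMAC-SHA256 stands in for the vendor's asymmetric
# signature so the model needs only the standard library.
VENDOR_A_KEY = b"constructed-vendor-A-key"
VENDOR_B_KEY = b"constructed-vendor-B-key"


def sign(image: bytes, key: bytes) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()


@dataclass
class Stage:
    name: str
    image: bytes
    signature: bytes
    verifies_next: bool = True  # does this stage check the one it loads?


def build_chain(modem_image=b"modem-A", modem_key=VENDOR_A_KEY,
                first_stage_verifies=True):
    """Constructed four-stage chain; names and order are illustrative."""
    def stage(name, image, key, verifies_next=True):
        return Stage(name, image, sign(image, key), verifies_next)
    return [
        stage("first_stage", b"first-stage", VENDOR_A_KEY, first_stage_verifies),
        stage("modem", modem_image, modem_key),
        stage("aboot", b"aboot", VENDOR_A_KEY),
        stage("kernel", b"kernel", VENDOR_A_KEY),
    ]


def boot(chain, trusted_key, rom_enforces=True):
    """Return (names of stages that ran, status).

    The boot ROM checks stage 0 when rom_enforces is True; every later
    stage is checked only by the stage that loads it.
    """
    booted = []
    checker_enforces = rom_enforces
    for stage in chain:
        if checker_enforces:
            expected = sign(stage.image, trusted_key)
            if not hmac.compare_digest(expected, stage.signature):
                return booted, f"halted: {stage.name} failed verification"
        booted.append(stage.name)
        checker_enforces = stage.verifies_next
    return booted, "booted"


def untrusted_stages(chain, rom_enforces=True):
    """Stages whose integrity is no longer anchored in the ROM.

    Once one check is skipped, the unchecked stage and everything it
    loads are untrusted, even if later stages do verify each other.
    """
    checker_enforces = rom_enforces
    for i, stage in enumerate(chain):
        if not checker_enforces:
            return [s.name for s in chain[i:]]
        checker_enforces = stage.verifies_next
    return []
```

In the model a foreign modem image runs either because it carries a signature the device accepts or because the stage before it skipped the check; in the second case nothing from that point on is anchored in the ROM.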
wow I really hope this goes somewhere! as I will be planning to use my S3 on Simple Mobile once my contract ends with VZW
40$ vs 70$ is a huge difference for me
I was able to get 3g on ATT.
Strothmann said:
I was able to get 3g on ATT.
Anyone know why this says EDGE and shows edge speeds, but the icons say 3G or 4G? Shouldn't phone info say "UMTS" under network type?
It's due to me reverting back to vzw when I took the screenshot.

[info] s3 sch-r530 u/c/m/x

[I'd like to create a thread to collect information for all variants of the R530. I'll update this first post with additional information people give during discussion. Sorry it is here in the Verizon sub, but this is the closest model]
The SCH-R530 is a special flavor of the Samsung Galaxy S3 with sub-flavors: (you should probably puke now)
SCH-R530U is a US Cellular variant
SCH-R530C is a Cricket variant
SCH-R530M is a MetroPCS variant
SCH-R530X is a Generic variant
I suspect these are all the same hardware, but just different ROMs. I would like to confirm this.
I would like to know and post the newest firmware versions for each. (at least the names, if not the ROM files themselves) I'd like to know if ROMs are compatible, if modem firmwares are compatible, if bootloaders are compatible. The small community of owners need to pull together as much as possible.
Model -- Hardware Version / Firmware Versions / Baseband
SCH-R530U --
SCH-R530C --
SCH-R530M --
SCH-R530X -- R530X.01 / JSS15J.R530XWWUBMK4 / R530XWWUBMK4
Please post if you can add to this information!
I'm working on my dad's SCH-R530X (Generic CDMA). It was on a regional CDMA provider that he was not happy with -- he paid $500 to them in January for the phone. Edit: Today, he's on PagePlus, but without data for some reason.
Concerns (that someone may be able to help me with):
Once you go to KK 4.4 you can not go back? Your bootloader is updated and will not boot 4.3?
I'm running 4.3, can I root -> replace recovery -> custom ROM ... without tripping the KNOX warranty void? I've read that saferoot will not trip KNOX?
This phone seems to have an odd Call Audio Quality problem. While listening during a phone call (on the R530), the other party's voice cuts out. Specifically, it cuts out when the other person isn't speaking in their mic close enough or loud enough. It's as if the R530 is filtering out anything under a certain volume level. I've turned off Call Equalizer and Noise Reduction to try to solve this problem. I believe I've read people say a firmware/ROM update from US Cellular fixed this problem.
So you can see, I have some constraints: Still in warranty and don't want to void it by tripping KNOX. Want to try a newer firmware for call audio problem. Don't want to brick phone with incompatible firmware, unless US Cellular will work on this X/Generic phone.
Help would be appreciated.
I do have the USC and Cricket variants but the USC version is soft bricked.
HW: R530C.01
Firmware: JSS15J.R530CVVUCMK3
Baseband: R530CVVUCMK3
Also fyi, this and the USC version requires a sim card.
motoyola said:
I do have the USC and Cricket variants but the USC version is soft bricked.
HW: R530C.01
Firmware: JSS15J.R530CVVUCMK3
Baseband: R530CVVUCMK3
Also fyi, this and the USC version requires a sim card.
Thanks... I'll add the info. I think I'll make a spot to record if it has a SIM slot too -- as my 530X does not have a SIM slot and was labeled with a little sticker "3G CDMA"... but the MEID starts with a "9" and LTE visible in DFS.
syserr said:
Thanks... I'll add the info. I think I'll make a spot to record if it has a SIM slot too -- as my 530X does not have a SIM slot and was labeled with a little sticker "3G CDMA"... but the MEID starts with a "9" and LTE visible in DFS.
I have a regional version of the s3 as well, d2xar (sch-r530x) on Inland Cellular, primarily based in the north west US. As far as I can tell, I haven't disassembled my phone to see if there is a lte radio, in the original build.prop for my phone it is disabled on boot so it will not consume power since it is not being used. Thus the 3g cdma only sticker. For the us cellular version I do not know if there is a kitkat firmware but if there is there is always the possibility you will not be able to go back. As for the generic version it is only on 4.3 right now. Either way the higher the bootloader version is better for custom roms due to recoveries and features working better. As for saferoot I don't remember if it trips the warranty bit or not since I've long since written a custom recovery to the device which tripped it but I do know it'll make the stock rom list itself as custom in the settings after being rooted. Also something to keep in mind with a custom rom is, unless you have the apns for your carrier e.g. pageplus, usc, etc. you will not have mms capabilities. I'm still tearing my build.prop and apn backup apart to see if I can include some of that info into a custom rom to fix mms, or a recovery that will inject it after a rom flash.
Update?
Lrs121 said:
I have a regional version of the s3 as well, d2xar (sch-r530x) on Inland Cellular, primarily based in the north west US. As far as I can tell, I haven't disassembled my phone to see if there is a lte radio, in the original build.prop for my phone it is disabled on boot so it will not consume power since it is not being used. Thus the 3g cdma only sticker. For the us cellular version I do not know if there is a kitkat firmware but if there is there is always the possibility you will not be able to go back. As for the generic version it is only on 4.3 right now. Either way the higher the bootloader version is better for custom roms due to recoveries and features working better. As for saferoot I don't remember if it trips the warranty bit or not since I've long since written a custom recovery to the device which tripped it but I do know it'll make the stock rom list itself as custom in the settings after being rooted. Also something to keep in mind with a custom rom is, unless you have the apns for your carrier e.g. pageplus, usc, etc. you will not have mms capabilities. I'm still tearing my build.prop and apn backup apart to see if I can include some of that info into a custom rom to fix mms, or a recovery that will inject it after a rom flash.
Any update to this? I have the sticker too and it'd be great to have LTE on since this phone supports it, it seems. I've made this post
http://forum.xda-developers.com/galaxy-s3/general/s3-d2xar-cdma-how-to-set-straight-talk-t3012846
uplusion23 said:
Any update to this? I have the sticker too and it'd be great to have LTE on since this phone supports it, it seems. I've made this post
http://forum.xda-developers.com/galaxy-s3/general/s3-d2xar-cdma-how-to-set-straight-talk-t3012846
Last I checked there was a bug with the d2lte builds that break the ability to set apns... I made a cm10.2, I think, build that allowed changing the APN. Um if I remember right the physical design of the d2xar has hardware similar to the Verizon s3. I still don't know if there is an lte modem in the phone since there doesn't seem to be a sim card slot, though there may be an integrated uicc. I haven't played with it much since I switched to using my nexus 5 on T-Mobile.
Lrs121 said:
Last I checked there was a bug with the d2lte builds that break the ability to set apns... I made a cm10.2, I think, build that allowed changing the APN. Um if I remember right the physical design of the d2xar has hardware similar to the Verizon s3. I still don't know if there is an lte modem in the phone since there doesn't seem to be a sim card slot, though there may be an integrated uicc. I haven't played with it much since I switched to using my nexus 5 on T-Mobile.
I got to the service mode settings, which oddly enough it listed GSM and CDMA. Quite weird. To get there was even weirder. Sadly the D2xar doesn't support TWRP Recovery, and the only one that works is CWM by Philz.
uplusion23 said:
I got to the service mode settings, which oddly enough it listed GSM and CDMA. Quite weird. To get there was even weirder. Sadly the D2xar doesn't support TWRP Recovery, and the only one that works is CWM by Philz.
Yah I noticed that too when I was digging around for apns for my old carrier. As for twrp I got around that problem by building my own version using cyanogenmod and the d2lte device files. It made cyanogenmod delta updates possible on the d2lte build. Which are really nice. My source is floating around github, though you'd have to do a little digging to find everything. I do have precompiled twrp images on my webserver that I try to keep up to date for my friend whose brother has the same phone. If you go to my site it's safe to ignore the certificate warnings, I have it set to force HTTPS and the reason the warning pops up is because I self signed it instead of paying for a company like verisign.
Sorry for my superbly late reply. I've done a ton of digging with this phone. Turns out it only supports Evdo. So no LTE sadly. Even worse, using the Test Menu I can't bands to USA bands, only the (800 or 850?) Hz Global band. I can't get a connection. Well. The bars are listed as 2-3 generally, but it says "Roaming Indicator Off". I have the latest and only baseband, too.
(Wow. After two months of fiddling, as of typing this, I turned on cellular service, which is usually in Airplane mode, I got a " 3G" connection for the first time. Only for a second.)
I don't think I'll be able to switch this over to Straight Talk any time soon, though. I'll check your GitHub soon for that TWRP.
---------- Post added at 11:00 AM ---------- Previous post was at 10:49 AM ----------
uplusion23 said:
Sorry for my superbly late reply. I've done a ton of digging with this phone. Turns out it only supports Evdo. So no LTE sadly. Even worse, using the Test Menu I can't bands to USA bands, only the (800 or 850?) Hz Global band. I can't get a connection. Well. The bars are listed as 2-3 generally, but it says "Roaming Indicator Off". I have the latest and only baseband, too.
(Wow. After two months of fiddling, as of typing this, I turned on cellular service, which is usually in Airplane mode, I got a " 3G" connection for the first time. Only for a second.)
I don't think I'll be able to switch this over to Straight Talk any time soon, though. I'll check your GitHub soon for that TWRP.
Yeah, just of now I've been unable to re-acquire the "3G" that caused me to have a boost of hope. Now even when I attempt calling which it usually would bring me to the Verizon automated system, asking to make a collect call, since around here is primarily Verizon, I can't even get it to call. It now states that no mobile network is available, even when I have 2-3 bars.
You have no "3g" because your keys are wrong. Y'all need some QPST and see the whole logon process and baseband messages. Then you can really troubleshoot your phone.
I have a Verizon Samsung Galaxy S3 on the Straight Talk network. I check for software updates and it tells me the software is up to date however it says my phone is running off of 4.4.2 instead of the Lollipop or the one just under. Does anyone know if Lollipop 5.0 or 5.1 has reached the S3 yet? Or how to manually update my phone software so it's not so low?
flash a custom rom with 5.x for your model.
nxb said:
flash a custom rom with 5.x for your model.
Phone is not rooted so how do I do that? I need or to be updated. My phone doesn't work right on 4.4.2
Sent from my SCH-I535 using XDA Free mobile app
you will have to root, trip knox and lose your warranty... there is no way to go back. on verizon you may be screwed if you have signed/locked bootloaders. search on XDA about unlocked bootloaders for verizon. also: http://androidforums.com/threads/verizon-verizon-bootloader-unlock.856221/
aaaand... make sure to back up your mmc boot partitions so you can debrick if you mess up.
p.s. prepare to learn a lot of technical things. if that sounds annoying and you don't want to spend a lot of time on it you might be better off buying a used phone.
nxb said:
you will have to root, trip knox and lose your warranty... there is no way to go back. on verizon you may be screwed if you have signed/locked bootloaders. search on XDA about unlocked bootloaders for verizon. also: http://androidforums.com/threads/verizon-verizon-bootloader-unlock.856221/
aaaand... make sure to back up your mmc boot partitions so you can debrick if you mess up.
p.s. prepare to learn a lot of technical things. if that sounds annoying and you don't want to spend a lot of time on it you might be better off buying a used phone.
I'm not using Verizon. I'm using straight talk on a Verizon phone
Sent from my SCH-I535 using XDA Free mobile app
ST only has GSM AT&T and CDMA verizon... if you have an I535 past 4.3 you have locked bootloader problems.
Needing the pit file for the SCH-R530C. PLEASE! I am at the end of my tether. Thank you in advance, DaMoose
DaMoose517 said:
Needing the pit file for the SCH-R530C. PLEASE! I am at the end of my tether. Thank you in advance, DaMoose
Do you have any idea if the 530c and the 530x share a similar partition table? If they do then I can pull the one from my 530x
Lrs121 said:
Do you have any idea if the 530c and the 530x share a similar partition table? If they do then I can pull the one from my 530x
I do not know. I'd love to take the chance, but the risk of totally bricking the R530C is there . . . heck, let me try it.

Question ROG 5 ULTIMATE BASEBAND

I have a tencent version, I unlocked the boot loader, flashed over to the global version, then bootlocked the device. I just recently updated to Android 12, however my cellular service keeps dropping. It didn't do this as much with android 11 (it still dropped my cellular a lot). Now when I launch any application, say Call of Duty for example, my T-Mobile sim on the second slot will show 5G for a brief moment then completely drop. Is there a diagnostic mode to change or reprogram the BASEBAND, does anyone know how to do this?
I know that the claim was that the ROG 5 ULTIMATE does not have 5G for some reason but I believe this is absolutely false. I have seen the 5G working with at&t before they started pushing all the old devices out and going for the reseller hook, and now I am looking at sporadic 5G on TMobile. Even the diagnostic for the cellular menu says 5G as well as give the tower type. Can someone help me with changing the BASEBAND to the parameters that at&t uses and T-Mobile?. I can even see the towers through the diagnostic menu briefly, I can also upload a screen shot if necessary. This dropping connection is really starting to frustrate me to no end. ( I still have not dropped my phone bad enough to crack the display, but I think without a fix for the BASEBAND, I might subconsciously find myself in a position where the phone is physically damaged).
Please help me out with this, not only have I talked to everyone I can at AT&T where they said, "Get a new phone or quit the service." But I am actually paying extra because they won't allow my phone on the 5G network. I know there is a solution, I just cannot find any information for this besides going to the FCC and looking up device parameters. And what are the commands or program to accomplish this, because the diagnostic operator menu seems to be locked in parts of it, do I need root first?
Thank you
Just wait for the latest update
Use the code *#*#4636#*#*, in information, in the menu (upper right), select the band of your zone or select automatic.

slb2 plmn-infolist-r15 info Verizon 5G

Have a OnePlus 8 5G T-Mobile variant and I'm looking for information on the title name. Can anyone point me in the right direction to where that file or list of files would be located? Like what directory? I currently have Qualcomm tools, EFS tools and the explorer, I have everything I need to check the phone, but I have no idea where to look for those files or information on the above subject. This phone was somehow blocked from being on Verizon Nationwide 5G and I have gotten to enable 5G connectivity again, but my status is 5G non-restricted and it doesn't fully do the connection, so I'm thinking somewhere along the line something is not sending through, and I think it may be related to those files above or something having to do with the name of the subject above. Can anyone point me in the right direction? Or have any information? Thank you
What a Verizon SIM card does is it blocks the ENDC from being sent to the carrier. I was able to disable that and make sure that it's sent so everything works as it should, but I cannot connect to a 5G tower like I should.
Here are some pictures so somebody knows what I'm talking about: 5G state is not restricted but it won't connect.
An alternative that I can think of is to flash the global ROM (or the modem.img) and see if it improves anything. The modem.img is different, of course, but it might help you.
Definitely going to try this, I also requested my bootloader unlock token the other day so I'm still waiting I'm about 4 days in so hopefully that comes soon and I'll definitely be trying all that.
