How to modify a qcn file to enable AWS band - Galaxy S 5 Q&A, Help & Troubleshooting

Hi.
I come from another post looking for a solution to my dilemma (http://forum.xda-developers.com/galaxy-s5/help/switch-stock-rom-t2866861#post55236673). Thanks to member fffft, I found that I can open band 4 on my S5 using the QPST program; however, I cannot find a modified .qcn file that corresponds to my model (G900F).
What I have done is make a backup of my original .qcn (which I understand I should not share because it contains my IMEI), and I need advice from someone who knows which parameter should be changed to open AWS band 4.
Much appreciate your help.

I see that nobody has answered, whether for lack of cooperation or because no one has had this problem.
I continued researching and managed to get a G900M qcn file, which is great, but it could not be installed either: the QPST program generates an error and does not let me install it. So I proceeded to compare them to see how different they are, and they are actually very different in their hexadecimal settings.
The issue now is that I need someone to tell me which parameters I have to modify in my original qcn (from my G900F) to enable AWS band 4.
Thank you for your help.


Hello again fffft.
I will try to explain everything as best I can. I cannot send the G900M qcn file, because I understand that the IMEI can be identified within it, and the first thing the person who gave it to me asked in exchange was that I not give it to anyone.
Now, step by step, what I did was the following (taken from this forum http://forum.xda-developers.com/showthread.php?t=2291589 ):
Install phoneutil.apk on my phone.
Install QPST 2.7 build 323.
Choose the USB connection “RNDIS + DM + MODEM” from the menu that comes up by typing *#0808#.
On the Ports tab of the QPST program, set the COM port corresponding to the phone (checking in Device Manager which port the phone is recognized on).
Choose “Start Clients” and choose “SOFTWARE DOWNLOAD”.
Hit the “Restore” tab, set the port to the COM number, choose the QCN file, and start.
I attached two images: one in which the process is seen running smoothly, and a second which shows the error.
With regard to your question about the RMNET protocol, I must say I have no idea, because as I said I am still a newbie.
Finally, with respect to the G900T qcn file, it would be very, very difficult for me to get. The G900M file was relatively easy (not that easy, lol) because it is the model that is sold here in my country, but there is no way to get the G900T model.
I remain attentive to your suggestions, and thanks again for the help.


I thought S5 supports AWS band as well as other bands? I bought S5 from Rogers and use it with Wind mobile (Canada).


Hi.
Well, the two qcn files are attached to my answer. I do not know if it's okay to post them, because I do not know what information I'm giving away, but I'll trust you, fffft.
I reviewed the entries with the IMEI and cleared them. While doing this, I thought it would be a very good explanation of why the phone does not let me overwrite the original file: because the second IMEI is not the phone's. But even if this were true, I do not understand how in the above forum they shared a qcn file for the S4 that everyone could use.
Anyway, I hope that with this we can advance the issue to see if I can get out of this mess.
Thanks again.


Ok fffft, I found the parameter you mention, but now my question is, how do I edit the qcn file? Do I need some special program?

Loperaco said:
Ok fffft, I found the parameter you mention, but now my question is, how do I edit the qcn file? Do I need some special program?
Well, I downloaded the program XVI32 to edit the hexadecimal. Apparently it was successful, but eventually the program generated the same error I had already seen, indicating "Could not reset the phone. Communication Errors Occurred".
Will you help me?


Hi there.
I have an interesting fact to share. Because I could not properly complete the process to overwrite the qcn file, I started to review the QPST program and its functions. Among these I found one that displays the content of qcn files; through it I looked for any entries that had not been written, and determined that it was possible to write the qcn file "hot" (i.e. directly on the phone). Oh, and surprise! I saw that the code/parameter that fffft indicated had in fact changed, even though the restore process had not been successful.
Anyway, I managed to modify the parameter in question and tested the phone after this, but I still could not connect to AWS band 4, so despite the success the result was a failure.
Knowing this, I now accept suggestions from all of you experts.


Got a little further, but the bands did not get enabled...
fffft said:
Docx? Shouldn't those be .qcn files?
Anyway, you should try encouraging someone to post a NV dump from their 900T for comparison. You can check the existing AWS threads to confirm, but as I recall to enable AWS on earlier Galaxy models, required editing NV_RF_BC_CONFIG_l from 80 03 e8 04 to 80 03 e8 06
So ostensibly you will want to make the same change on your 900F. Comparing your NV to a 900T would lend confidence to that presumption.
fffft, Loperaco,
I am pursuing the same Band change as described here and have an update of the things that I was able to discover:
1) I was able to use QPST and pull NV backup from my phone - see my JJ_ATT_S5_Bands_Tester_No_IMEI (IMEI removed in Line 550)
**Note that I was not able to restore any QCN back to my phone in either USB mode (and I think this is what Loperaco was talking about), but...
2) I was able to program my phone directly using RF NV Item Manager, but did not get desired results (see below):
- a) I changed 1877 NV_RF_BC_CONFIG_l from 80 03 e8 04 to 80 03 e8 06 and nothing changed - i.e. radio still worked and I was still getting EDGE (no HSPA+)
- b) I tried changing the next line 1878 NV_RF_HW_CONFIG_I from f6 to 2c, because I saw that in another QCN file I found online. That actually "killed" my radio altogether, at least until I changed it back to f6
- c) Upon further inspection of the SM-N900T file I found online (too big to upload here), I saw that there are quite a few differences, which leads me to believe that additional configurations must be made to take advantage of the HSPA+ bands.
!! Please !! If someone with a T-Mobile SGS5 is looking at this, could you pull your QCN, mask the IMEI if you'd like, and post it here for comparison?
Otherwise, fffft, do you have any other thoughts regarding the changes needed...?
Last note: the files are posted as .qcn.txt, because the forum does not allow posting of qcn file extensions. Just remove .txt and you will have the original qcn.
Thanks,
JJ

fffft said:
Your reluctance to document what you have done in detail is unfortunate because it prevents us from confirming that you did as you summarized or possibly discern any errors along the way. Nor did you tell us how you concluded that the phone did not connect to AWS, whether the changes were persistent after a reboot or what the service mode showed for activity after using the diagnostic menu to lock the handset to AWS, et cetera.
Of particular value would be a before and after NV dump from your phone, alongside a 900T NV dump. Which would illustrate both the required changes and any progress made with the attempted write.
To reply to your question, two obvious possibilities are apparent
1. That you changed the parameter as you summarized and that was insufficient to effect the desired change. Which would mean that the required parameter is different for the S5 than preceding Galaxy models for some reason e.g. that a different parameter needs editing or that radio changes are needed as well, even though that was not the case for the S3 & S4.
2. That you made some inadvertent error in your procedure that you didn't discern. No one can look for possible errors in the absence of you providing a detailed, step by step description of what you did though.
Ok ok, let me see how I can solve this.
First of all, it is not reluctance; I tried to be clear about how I do things, but I'll try again:
1. I bought a G900F model phone that has AWS band 4 disabled.
2. I tried using the QPST program to replace the qcn file with one that corresponded to a G900M model, since in this model band 4 is enabled, but the process in the program generated the error "Could not reset the phone. Communication Errors Occurred".
3. I do not know how or if the QPST program writes an error log, so I do not know where to look for it so that it can be sent. Explaining how to install and run the program button by button would be a bit wasteful, but I followed the steps in this forum http://forum.xda-developers.com/showthread.php?t=2291589
4. After this, and having received suggestions from fffft, I tried modifying the original qcn file from my phone, because I thought that perhaps the problem was that they were different models and the phone ultimately would not allow me to load a qcn file from another model. The modification I made was to change the parameter NV_RF_BC_CONFIG_l from 80 03 e8 04 to 80 03 e8 06. This was done with the program XVI32 by modifying the hexadecimal.
5. I tried again using the option to restore the qcn file in the QPST program, but got the same error "Could not reset the phone. Communication Errors Occurred".
6. I assumed I had to think of something else, so that was when I used the RF NV Manager (included in the QPST installation) to look at the actual qcn contents on my phone, and I realized that, despite the error obtained when restoring the file using the QPST program, the parameter indicated in point 4 of this list had indeed changed.
7. I proceeded to check the signal and I still had no access to the 4G network; the most it connected to was the HSDPA+ network.
8. I read the comments from fffft and now I'm writing this.
I hope I was clear about my problem and have given a good step-by-step description.
Now the issue is that:
A. I do not know how to access the diagnostic menu that enables or disables the AWS band, so, fffft, I do not understand what you're talking about.
B. I agree that modifying only the parameter in question is not sufficient, otherwise the matter would be solved.
C. It is possible that I made a mistake as you point out; after all, I am new to this. Still, I have explained my process, so I am attentive to suggestions.
Thanks for the help.

JJ_Boja said:
fffft, Loperaco,
I am pursuing the same Band change as described here and have an update of the things that I was able to discover:
1) I was able to use QPST and pull NV backup from my phone - see my JJ_ATT_S5_Bands_Tester_No_IMEI (IMEI removed in Line 550)
**Note that I was not able to restore any QCN back to my phone in either USB mode (and I think this is what Loperaco was talking about), but...
2) I was able to program my phone directly using RF NV Item Manager, but did not get desired results (see below):
- a) I changed 1877 NV_RF_BC_CONFIG_l from 80 03 e8 04 to 80 03 e8 06 and nothing changed - i.e. radio still worked and I was still getting EDGE (no HSPA+)
- b) I tried changing the next line 1878 NV_RF_HW_CONFIG_I from f6 to 2c, because I saw that in another QCN file I found online. That actually "killed" my radio altogether, at least until I changed it back to f6
- c) Upon further inspection of the SM-N900T file I found online (too big to upload here), I saw that there are quite a few differences, which leads me to believe that additional configurations must be made to take advantage of the HSPA+ bands.
!! Please !! If someone with a T-Mobile SGS5 is looking at this, could you pull your QCN, mask the IMEI if you'd like, and post it here for comparison?
Otherwise, fffft, do you have any other thoughts regarding the changes needed...?
Last note: the files are posted as .qcn.txt, because the forum does not allow posting of qcn file extensions. Just remove .txt and you will have the original qcn.
Thanks,
JJ
Hi JJ.
We are indeed talking about the same issue; however, I see a difference: without AWS band 4 enabled, your phone only gives you EDGE, whereas my phone without band 4 enabled gives me HSDPA+. So my question, just out of curiosity, is: what is the frequency at which your operator transmits the EDGE network?

Loperaco said:
5. I tried again using the option to restore the qcn file in QPST program, but got the same error "Could not reset the phone. Communication Errors Occurred".
6. I assumed I had to think of something else, so that was when I used the RF NV Manager (included in the QPST installation) to look at the actual qcn contents on my phone, and I realized that, despite the error obtained when restoring the file using the QPST program, the parameter indicated in point 4 of this list had indeed changed.
Loperaco,
1) I was also unable to load qcn file from backup even without modifications, so...
2) I made modifications directly to the phone using RF NV Item Manager*
*Note from my post that changing line 1877 made no difference in connectivity for me.
3) This specific connection is below (although it naturally fluctuates):
Network Type: EDGE:2
GSM RSSI: -89db (63%) 12 asu
GSM Signal Strength: 13db (42%)
Preferred Network Type is LTE/GSM auto (PRL)*
*Non-GSM selections (WCDMA, LTE-only, etc) simply do not connect, so no HSPA+ for me
JJ

JJ_Boja said:
Loperaco,
1) I was also unable to load qcn file from backup even without modifications, so...
2) I made modifications directly to the phone using RF NV Item Manager*
*Note from my post that changing line 1877 made no difference in connectivity for me.
3) This specific connection is below (although it naturally fluctuates):
Network Type: EDGE:2
GSM RSSI: -89db (63%) 12 asu
GSM Signal Strength: 13db (42%)
Preferred Network Type is LTE/GSM auto (PRL)*
*Non-GSM selections (WCDMA, LTE-only, etc) simply do not connect, so no HSPA+ for me
JJ
Ok JJ, we are going through the same steps. We must wait for more help; I'll keep researching, but I see that not many people have our problem.
I have a question: with what code or through what option could you see the data that you sent me?
Any information or change you have, please put it in the post.


Related

[HowTo] [VZW XT907/926 RAZR M/HD] Unlock US GSM Carriers Using RadioComm

Introduction:
This post is a guide to show how to perform the NV edit required to unlock US GSM carriers (AT&T and T-Mobile etc.) on the VZW XT907/926 RAZR M/HD stock modem using a Motorola serviceware tool called RadioComm.
This is simply a different method to perform the same hack that was discovered by Arnold Snarb in the main thread about ATT/T-Mobile here.
http://forum.xda-developers.com/showpost.php?p=37123644&postcount=158
Despite the fact that he thanked me for leading the way in that post, he did some really brilliant analysis of the logs in QXDM to isolate this NV Item and saw something in them that I had missed as well as guessing correctly about its significance, and deserves all of the credit for this hack.
Everyone should please go and thank him in that post for the outstanding work.
He used a tool called DFS to access and edit NV Item 8322 and change the value of the first byte from 01 to 00 which disables the checking of the MCC/MNC against a list of banned networks and flags MCC 310 as Invalid Country Code.
That method requires booting into BP Tools mode from the boot menu and loading the Qualcomm diagnostic device interfaces.
The problem is that there are no signed 64bit drivers available and you must force load the drivers on Win7/8 64 bit for the diagnostic port in order to see the device properly and have NV read/write access.
This has been a stumbling block for many users and makes the NV editing unnecessarily difficult.
This method uses Factory boot mode and allows RadioComm to have full diagnostic mode access via the Motorola USB Networking driver that loads normally with the standard USB driver set. I will demonstrate 2 different ways to perform the edit, one manual and one using a preconfigured SEEM table file that writes the value in a single operation.
Neither of these methods is as easy as an update.zip install from custom recovery would be, but we don't have a binary that supports the motorola.update_nv function that we used for prior MDM6600 based devices available to us for the MSM8960 devices.
Given that some form of diagnostic mode software and a PC is required, I feel that RadioComm is probably an easier option for most users as it avoids the driver problems and has a clearer and simpler interface for NV read/write access than DFS.
Once you have the latest Motorola drivers installed and RadioComm loaded, this guide should make it very easy and safe to perform what is generally a complicated and potentially dangerous task of editing the radio NVM (Non-Volatile Memory).
RadioComm itself is a terrifyingly complex piece of software with a GUI that can bring even the most seasoned and experienced phone hacker to their knees wondering what all the various windows, modules and buttons do.
It is the premier Motorola serviceware application and is designed by and intended for use by top level radio engineers and technicians.
It is an extremely powerful application that can access all models and chipsets of Motorola devices and perform a vast array of diagnostic testing and configuration operations and can be fully automated via multiple scripting languages.
It's just plain scary and confusing and very dangerous if not taken seriously.
Warning and disclaimer:
DO NOT PLAY AROUND WITH ANY FEATURES OR RANDOMLY HIT ANY BUTTONS IN RADIOCOMM!!!
YOU CAN RENDER YOUR PHONE DYSFUNCTIONAL OR UNBOOTABLE IN SECONDS!!!
This cannot be emphasized strongly enough!
Follow the instructions exactly as they are written and shown in the screenshots and you will find it very simple to use and have no trouble doing the edit with either method.
You, the user, are the only person responsible for your actions and performing this hack will absolutely void your warranty the same way rooting or any other modifications to your device's software does!
That said, this hack will be undetectable and have no outward visible signs of having been performed other than the fact that any GSM SIM should work afterward.
Root is NOT required and this can be safely done and undone at will without making any other changes on the device and all normal services function properly on VZW's network with the edit in place. It appears to only affect the US GSM network block and nothing else.
Prerequisites:
You need to have a recent set of Motorola USB drivers v. 5.9.0 or greater installed on your PC with a full USB 2.0 compatible port.
You need a standard Motorola micro USB cable.
RadioComm 11.12.xx. I have included a link to 11.12.2 below.
https://dl.dropbox.com/u/7632904/RadioComm_v11.12.2_Install.zip
This has been tested on Win7 64bit and WinXP SP3 32bit with .NET Framework 4.0 installed.
Method:
This guide assumes you already have RadioComm and the drivers properly installed and have rebooted both PC and the phone afterward.
The first instructions and screenshots describe the initial setup and manual method using the FTM Common 1 tab and the NV Access window in RadioComm.
When you first open RadioComm you will get a popup stating that the version is more than 2 months old. Just close it and continue.
Now go to the top left corner and hit the Main button and select the MA: Common/MDM6x00 as shown in the first screenshot.
Next, go to Settings/USB and select PST USB Driver as shown in the second screenshot.
Test Command Format should default to P2K05 lower in the Settings menu.
Leave all other options default.
Now we are ready to connect the phone and perform the edit.
Make sure you have Connect as Media Device in USB settings and USB Debugging enabled in Developer Options.
Power off the phone and then hold both Vol Up and Down + Power to enter the boot menu.
Use the Vol Down key to scroll down in the menu to Factory and then Vol Up key to select and the phone will boot.
Connect the USB cable and RadioComm will enumerate the phone and the radio button in the top right will change colors.
It will cycle several times from red to yellow and eventually go green when the device is fully enumerated and shows as XT907 in the status bar at the bottom of the screen. You can read the Software Version and MEID/ESN/pESN buttons to make sure everything is working properly.
On each successful read the GUI will flash green, the Command buffer will turn green and any selected button will be green.
Any unsuccessful attempt will turn red.
If not, then restart everything and check over all settings again before proceeding.
Now go to the tabs bar across the top middle of the GUI and select FTM Common 1 tab and go to the NV access window in the center right of that tab and select the top menu Item "FFFF Manual Entry" as shown in the third screenshot.
Now hit the Read button and you will get 2 popup windows.
In the first window you will enter the Decimal NV Item ID 8322 and in the second you will enter the byte length to be read 1 as shown in the fourth screenshot.
When you hit ok it will read the NV Item and flash green and display the data in the hex output buffer below and you will see 01 for the value as shown in the fifth screen shot.
Now highlight the 01 and change it to 00 and hit the write button and this time it will only popup once asking for the Decimal NV Item ID 8322. When you hit OK the item will be written and the GUI will again flash green for a successful write as shown in the sixth screenshot.
You are now finished and can either use the restart button at top right of RadioComm to reboot or manually restart the phone.
The last screenshot is edited to show the steps to use the NV/SEEM feature with a SEEM table file I have provided below to do all of the steps as a single operation. Some users may find this easier than manually editing in the NV Access window but it's really almost the same number of steps.
Go to the top left and hit Features and select NV/SEEM and another window will open and the radio button will cycle again a couple of times as it re-enumerates the device, and it will finally go green. Follow the instructions in the seventh screenshot and be sure to use the Restart button in the main window after you close NV/SEEM, because it suspends the phone and it will have a black screen and be unresponsive and require holding the Vol keys and Power for 10 secs to reset it otherwise.
Congrats! All done now and the rest is just putting in a SIM and selecting GSM/UMTS in Network Settings and everything should just work!
Below is the link for the .NVM SEEM table file.
https://dl.dropbox.com/u/7632904/TBH_RAZR_M_GSM_Unlock.NVM
Please use this thread to discuss issues relating to this method and RadioComm and keep general discussion of the phone on US carriers in the other thread, thank you!

Thanks man.. gonna try this when I get home tonight. I was actually just thinking about switching vendors from VZW to someone else and didn't really want to buy a new phone.
Maybe now I don't have to. Proof is in the pudding though, maybe I'll buy a cheap month of Straight Talk to see if it works?

Yehudah said:
Thanks man.. gonna try this when I get home tonight. I was actually just thinking about switching vendors from VZW to someone else and didn't really want to buy a new phone.
Maybe now I don't have to. Proof is in the pudding though, maybe I'll buy a cheap month of Straight Talk to see if it works?
Running RAZR M in US on Straight Talk now. Works wonderful!!!

Thanks a lot! I'm a total noob when it comes to most of this, but it worked perfect for me!!

Hmm, MDM6x00? Won't that work on the OG RAZR XT912 / Droid 4 as well?

Skrilax_CZ said:
Hmm, MDM6x00? Won't that work on the OG RAZR XT912 / Droid 4 as well?
The MA used in RadioComm is the same chip set base as the RAZR/D4 because it's the closest to the MSM8960 available in this version, which is more than 18 months old now.
What we really need is an updated version of RadioComm with full support for the newer chip sets.
This specific NV Item 8322 does not exist on the MDM6600 chip set devices and I have not been able to find a similar boolean switch item for those phones, unfortunately.
I have been logging with QXDM extensively searching for a way to disable the MCC/MNC block on MDM6600 without success so far.
I have dumps of all of the readable NV items from 0000-12000 from many devices running various builds and even a dump from Chinese engineering build on P3Droid's Dev model where everything is working as it should with open GSM on US carriers.
I would love some help from someone with a better understanding of the radio and diagnostic mode access than myself.
Very few people know how to use the software to even start analyzing the problem.

Remember to install the latest Motorola drivers and *especially* highlight the entire 01 and type 00. I was backspacing only the 1 and it did not "stick" when writing. So HIGHLIGHT, don't backspace. Works perfectly.

Is it possible to write the NV item to the Droid 4 and then edit it??

cellzealot said:
The MA used in RadioComm is the same chip set base as the RAZR/D4 because it's the closest to the MSM8960 available in this version, which is more than 18 months old now.
What we really need is an updated version of RadioComm with full support for the newer chip sets.
This specific NV Item 8322 does not exist on the MDM6600 chip set devices and I have not been able to find a similar boolean switch item for those phones, unfortunately.
I have been logging with QXDM extensively searching for a way to disable the MCC/MNC block on MDM6600 without success so far.
I have dumps of all of the readable NV items from 0000-12000 from many devices running various builds and even a dump from Chinese engineering build on P3Droid's Dev model where everything is working as it should with open GSM on US carriers.
I would love some help from someone with a better understanding of the radio and diagnostic mode access than myself.
Very few people know how to use the software to even start analyzing the problem.
Can I use a similar way to unlock the XT902 (Japanese Razr M)? I can't find 8322 in XT902.......

Followed instructions and worked perfectly. The key for me was the latest Motorola drivers AND the Motorola USB cable that came with the phone. I tried other cables that both charged and synced but the only one that worked for this was the Moto cable. Using Win XP SP3 (12 year old OS on brand new work laptop. WTF!)

I was wondering if this works on other networks such as Boost Mobile, Net10, Cricket etc...? I honestly don't have enough money to buy a new phone and whatnot. The whole reason why I did this is because I lost my job and now I can't pay my phone bill and it keeps getting higher and higher.

AKG0214 said:
I was wondering if this works on other networks such as Boost Mobile, Net10, Cricket etc...? I honestly don't have enough money to buy a new phone and whatnot. The whole reason why I did this is because I lost my job and now I can't pay my phone bill and it keeps getting higher and higher.
Boost - No
Cricket - No
They're both CDMA. This is to allow the GSM side (SIM CARD based) of the phone to work on other carriers. With that said, your best options are Net10, Straight Talk, ATT, T-Mobile, Simple Mobile, H20, Orange, and there's a plethora of others out there. Post paid and pre-paid.
@DSDD
I believe your XT902 is GSM by default. So if what you're asking is will this bypass the network lock, no, the device needs to be unlocked by code. Then you can use it outside of the current carrier/country.

After boot, it is set back to 01 again @ address 8322.
My phone version is Bsmq_vzw-user 4.1.1 9.8.1Q_27-2 4 release-keysSM_BP_1139.000.32.62P
After writing zeros to 8322, I read it again to confirm it was written, but after rebooting the phone the value is back to 01 again.
I guess the Verizon driver may override this value during rebooting?
Any help?
Should I root the phone?
==
Thanks
cellzealot said:
Introduction:
This post is a guide to show how to perform the NV edit required to unlock US GSM carriers(AT&T and T-Mobile etc.) on the VZW XT907/926 RAZR M/HD stock modem using a Motorola serviceware tool called RadioComm.
This is simply a different method to perform the same hack that was discovered by Arnold Snarb in the main thread about ATT/T-Mobile here.
http://forum.xda-developers.com/showpost.php?p=37123644&postcount=158
Despite the fact that he thanked me for leading the way in that post, he did some really brilliant analysis of the logs in QXDM to isolate this NV Item and saw something in the them that I had missed as well as guessing correctly about it's significance, and deserves all of the credit for this hack.
Everyone should please go and thank him in that post for the outstanding work.
He used a tool called DFS to access and edit NV Item 8322 and change the value of the first byte from 01 to 00 which disables the checking of the MCC/MNC against a list of banned networks and flags MCC 310 as Invalid Country Code.
That method requires booting into BP Tools mode from the boot menu and loading the Qualcomm diagnostic device interfaces.
The problem is that there are no signed 64bit drivers available and you must force load the drivers on Win7/8 64 bit for the diagnostic port in order to see the device properly and have NV read/write access.
This has been a stumbling block for many users and makes the NV editing unnecessarily difficult.
This method uses Factory boot mode and allows RadioComm to have full diagnostic mode access via the Motorola USB Networking driver that loads normally with the standard USB driver set. I will demonstrate 2 different ways to perform the edit, one manual and one using a preconfigured SEEM table file that writes the value in a single operation.
Neither of these methods is as easy as an update.zip install from custom recovery would be, but we don't have a binary that supports the motorola.update_nv function that we used for prior MDM6600 based devices available to us for the MSM8960 devices.
Given that some form of diagnostic mode software and a PC is required, I feel that RadioComm is probably an easier option for most users as it avoids the driver problems and has a clearer and simpler interface for NV read/write access than DFS.
Once you have the latest Motorola drivers installed and RadioComm loaded, this guide should make it very easy and safe to perform what is generally a complicated and potentially dangerous task of editing the radio NVM(Non Volatile Memory).
RadioComm itself is a terrifyingly complex piece of software with a GUI that can bring even the most seasoned and experienced phone hacker to their knees wondering what all the various windows, modules and buttons do.
It is the premier Motorola serviceware application and is designed by and intended for use by top level radio engineers and technicians.
It is an extremely powerful application that can access all models and chipsets of Motorola devices and perform a vast array of diagnostic testing and configuration operations and can be fully automated via multiple scripting languages.
It's just plain scary and confusing and very dangerous if not taken seriously.
Warning and disclaimer:
DO NOT PLAY AROUND WITH ANY FEATURES OR RANDOMLY HIT ANY BUTTONS IN RADIOCOMM!!!
YOU CAN RENDER YOUR PHONE DYSFUNCTIONAL OR UNBOOTABLE IN SECONDS!!!
This cannot be emphasized strongly enough!
Follow the instructions exactly as they are written and shown in the screenshots and you will find it very simple to use and have no trouble doing the edit with either method.
You, the user, are the only person responsible for your actions and performing this hack will absolutely void your warranty the same way rooting or any other modifications to your device's software does!
That said, this hack will be undetectable and have no outward visible signs of having been performed other than the fact that any GSM SIM should work afterward.
Root is NOT required and this can be safely done and undone at will without making any other changes on the device and all normal services function properly on VZW's network with the edit in place. It appears to only affect the US GSM network block and nothing else.
Prerequisites:
You need to have a recent set of Motorola USB drivers v. 5.9.0 or greater installed on your PC with a full USB 2.0 compatible port.
You need a standard Motorola micro USB cable.
RadioComm 11.12.xx I have included a link to 11.12.2 below.
https://dl.dropbox.com/u/7632904/RadioComm_v11.12.2_Install.zip
This has been tested on Win7 64bit and WinXP SP3 32bit with .NET Framework 4.0 installed.
Method:
This guide assumes you already have RadioComm and the drivers properly installed and have rebooted both PC and the phone afterward.
The first instructions and screenshots describe the initial setup and manual method using the FTM Common 1 tab and the NV Access window in RadioComm.
When you first open RadioComm you will get a popup stating that the version is more than 2 months old. Just close it and continue.
Now go to the top left corner and hit the Main button and select the MA: Common/MDM6x00 as shown in the first screenshot.
Next, go to Settings/USB and select PST USB Driver as shown in the second screenshot.
Test Command Format should default to P2K05 lower in Settings menu.
Leave all other options default.
Now we are ready to connect the phone and perform the edit.
Make sure you have Connect as Media Device in USB settings and USB Debugging enabled in Developer Options.
Power off the phone and then hold both Vol Up and Down + Power to enter the boot menu.
Use the Vol Down key to scroll down in the menu to Factory and then Vol Up key to select and the phone will boot.
Connect the USB cable and RadioComm will enumerate the phone and the radio button in the top right will change colors.
It will cycle several times red to yellow and eventually go green when the device is fully enumerated and shows as XT907 in the status bar at the bottom of the screen. You can read the Software Version and MEID/ESN/pESN buttons to make sure everything is working properly.
On each successful read the GUI will flash green and the Command buffer will turn green and any selected button will be green.
Any unsuccessful attempt will turn red.
If not, then restart everything and check over all settings again before proceeding.
Now go to the tabs bar across the top middle of the GUI and select FTM Common 1 tab and go to the NV access window in the center right of that tab and select the top menu Item "FFFF Manual Entry" as shown in the third screenshot.
Now hit the Read button and you will get 2 popup windows.
In the first window you will enter the Decimal NV Item ID 8322 and in the second you will enter the byte length to be read 1 as shown in the fourth screenshot.
When you hit ok it will read the NV Item and flash green and display the data in the hex output buffer below and you will see 01 for the value as shown in the fifth screen shot.
Now highlight the 01 and change it to 00 and hit the write button and this time it will only popup once asking for the Decimal NV Item ID 8322. When you hit OK the item will be written and the GUI will again flash green for a successful write as shown in the sixth screenshot.
You are now finished and can either use the restart button at top right of RadioComm to reboot or manually restart the phone.
The last screen shot is edited to show the steps to use the NV/SEEM feature with a SEEM table file I have provided below to do all of the steps as a single operation. Some users may find this easier than manually editing in the NV Access window but it's really almost the same number of steps.
Go to the top left and hit Features and select NV/SEEM and another window will open and the radio button will cycle again a couple of times as it re-enumerates the device, and it will finally go green. Follow the instructions in the seventh screenshot and be sure to use the Restart button in the main window after you close NV/SEEM, because it suspends the phone, which will show a black screen and be unresponsive, and it will otherwise require holding the Vol keys and Power for 10 secs to reset it.
Congrats! All done now and the rest is just putting in a SIM and selecting GSM/UMTS in Network Settings and everything should just work!
Below is the link for the .NVM SEEM table file.
https://dl.dropbox.com/u/7632904/TBH_RAZR_M_GSM_Unlock.NVM
Please use this thread to discuss issues relating to this method and RadioComm and keep general discussion of the phone on US carriers in the other thread, thank you!
---------- Post added at 11:14 PM ---------- Previous post was at 10:48 PM ----------
tried again for couple of times, this time it actually works.
maybe last time I reboot the phone too early?
sipida said:
my phone version is Bsmq_vzw-user 4.1.1 9.8.1Q_27-2 4 release-keysSM_BP_1139.000.32.62P
after write to 8322 with zeros, I read it again to confirm it is written, but after rebooting the phone, the value is back to 01 again.
I guess the verizon driver may override this value during rebooting?
any help?
should I root the phone?
==
thanks
Glad you got it working. There is no VZW software on the phone capable of writing to the radio NV, so it's not being reverted by anything.
If anyone else has similar issues I would suggest trying the NV/SEEM method as that will definitely write the item properly.
queberican351 said:
@DSDD
I believe your XT902 is GSM by default. So if what you're asking is will this bypass the network lock, no, the device needs to be unlocked by code. Then you can use it outside of the current carrier/country.
XT902 has sim lock, and there is no way to key in unlock code. So I think it may be unlocked by modifying another NV item.
Does this tutorial unlock mobile data usage on other carriers? I cannot seem to get data working on my XT907 in Australia. GSM and MMS work fine, so why doesn't data?
I don't know for certain because I only have experience with domestic US GSM carriers, but I tend to doubt it.
You can try it and see and revert it easily if it doesn't work. You can also try flashing the Telstra XT905 NON-HLOS.bin(modem) and fsg.mbn(carrierEFS/NVM config).
This was the method used to get US GSM service on XT907 before the method shown here was discovered.
It works but is limited to GSM/EDGE data services here in the US.
I am inclined to think it is some other problem with the device because it should work as a global capable phone by default.
dsdd said:
XT902 has sim lock, and there is no way to key in unlock code. So I think it may be unlocked by modifying another NV item.
If it has a sim lock and you can acquire the code open your dialer and press #073887* (#0SETUP*) and it'll prompt you for the code.
Several people have PMd me questions about this method and I would much prefer that they be posted here in the thread so that everyone may benefit from the information.
Please include as much information about your PC and driver versions and be as thorough as possible in explaining your problems.

[TUTORIAL][Radio] Enable NEXUS6 XT1103 4G LTE B1/B8/B9/B19 and also XT1100 B2/B4

As I brought Band3 for NEXUS5, here, we are bringing 4G LTE band1 IMT 2100MHz for users such as, but
not limited to:
China Telecom,
Japan AU/NTT Docomo/Softbank,
Korea LG U+ /SK Telecom,
Philippines Smart,
Thailand DTAC/TrueMove-H
according http://en.wikipedia.org/wiki/List_of_LTE_networks#Asia and more:
Czech Republic Vodafone
Poland Play/P4
according http://en.wikipedia.org/wiki/List_of_LTE_networks#Europe
20150412 UPDATE: we are in Trial of more bands,as attachment names at POST#33:
Band 2 and band 4 for XT1100 View attachment 3257101
and Band 1 and band 8 or Band 1/9/19 or Band 1/8/9/19 for XT1103 View attachment 3257100
I am sorry below English language is not good, it is come from Google Translation^_^ from my Chinese post.
The attachment docx is clearer since more detailed images are attached inside:
EN:View attachment 3187257
CN:View attachment 3187214
NEXUS 6 US MOTO XT1103 Band1 Enablement Tutorials
Foreword:
Among Chinese users of the US version NEXUS6 XT1103, most are on China Telecom, and China Telecom provides 4G LTE band1 2100MHz coverage in many indoor shopping centers and car parks, with a greater bandwidth (20MHz under the China Telecom license) than band3's 15MHz.
Unfortunately, the XT1103 band1 RF front-end is shipped without factory calibration, so the only official usage is [email protected] only for China Telecom. In fact, as with the NEXUS5 band3 enablement, the NEXUS6 RF front-end hardware also left a tiny space to enable it. The following tutorial is the first edition; with more extensive testing, it will need correction according to your demands.
I am sorry I do not have English version computer to reworks the Chinese screen captures,
I believe you have some way to understand around.​
STEP1: using TWRP backup EFS
You can use the Nexus 6 TWRP: Backup - EFS. For more insurance, after rooting the phone you can also use EFS Professional to back up your original EFS.
Thus, when you need to restore the original state, just use TWRP - Restore, select the original EFS and slide the button to undo any of the changes below.
STEP2: Install the driver Moto BP Tools Driver
Mobile side: the phone off, then press the power button + volume down key, enter fastboot mode, use the volume keys to select BP Tools, and then turn the power button to confirm. Open usb diag device port.
View attachment 3187207 View attachment 3187208
1. Connect your phone to your computer, then prompted to install "diag_mdm" drive (or right-click "My Computer" and select "Properties" - "Device Manager" to install "diag_mdm" drive)
2. Right-click on the "diag_mdm", select "Update Driver Software" and then select "Browse my computer for driver software."
3. Select "choose from a list of device drivers in your computer."
4. Select "Show all devices", the "Next" button.
5. select "Disk"
6. Click "Browse"
7. Select the folder where you drive, point to open after selecting "momdm", then OK.
8. Select the "Motorola USB Diagnostic Port", click "Next."
9. At the warning, click "Yes".
10. The port shown in Device Manager as below indicates that the installation was successful (Note: the port number com93 will vary)
STEP3: Write qcn
Phone side: the phone off, then press the power button + volume button, enter fastboot mode, use the volume keys to select BP Tools, and then turn the power button to confirm, so you can open the usb diag device port.
1. Install QPST. Do not use a version lower than 2.7 build 422, otherwise it will not recognize the device. Please find the installer yourself.
2. Open QPST Configuration, click the Ports tab, select the device displayed, click "Remove" below, and when the prompt window pops up click "Yes".
3. Click "Add New Port".
4. Select the COM port of your device, and then click "OK".
5. Open QPST Software Download, click on the "Restore" tab, and click Browse to select the qcn file to be written:
View attachment XT1100_LTE_B1_To_XT1103_24226_6735_6736_RxAdded_TxOverrided.qcn.zip
(Here, the only difference vs nexus5 enabled band3 ,XT1103 purchased from Google Play, MOTO did not change default SPC, 000000),
Check "Allow phone / file ESN mismatch", and finally click Start. An error box "Could not Reset the Phone" appears; this error is normal and the qcn has finished writing. Power off with the Power button, then boot, and the LTE signal appears directly. For the restart, do not use QuickBoot-like reboots, to be safe.
FINALLY: Check Whether Band1 Enablement successful methods
Method 1: Insert a China Telecom USIM card and go to a place where a band1 LTE base station can be found, i.e. one whose LTE Cell ID ends in HEX 00,01,02,03,04,05 (in the dialer, enter * # * # 4636 # * # *, open "mobile phone information", set "Set preferred network type" to LTE ONLY, and then find "Location: LAC = 7101 CID = 1924c01" in this column; the Cell ID is inside this CID).
Method 2: Use the LTE Discovery watch band states.
NOTE: These two methods are there GCI (CID) guessing band, is only applicable to some of operators such as China Telecom, the absence of good planning China Unicom 4G CellID, and also China Mobile is not applicable for this .
[email protected], we have the LTE Discovery update to 3.19, which supports displaying the real MODEM LTE band on NEXUS6!! Thanks to Danial and his great team!!
If you want to check the real band, the PC tool QXDM may help if you have it; the menu path is View - LTE - RRC layer - RRC/NAS Status Screen - Frequency band. Wait 10 minutes for the update or toggle airplane mode on/off to trigger an update.
In case you are not in an LTE covered area but just want to check whether the qcn is applied, reset your phone into bootloader mode, select BP TOOLS again, then use QXDM - View - NV Browser - Item 06828 - Read to get the value; it should be 1099830466655 with band1 added, while the stock default is 1099830466654.
Other qcn XT1103 add:
B1/8 1099830466783
B1/9/19 1099830729055
B1/8/9/19 1099830729183
XT1100 add:
B2/4 1099646632415, @default 1099646632405
Here we must thank:
Q39705630 enthusiastic and efficient testing and Draft this tutorial V0.1 version;
Q562552826 provide XT1103 of qcn file, doing preliminary analysis;
Q386499038 provide XT1100 qcn file, do the final release qcn file parameter reference;​
Other Reference Tutorial IN Chinese:
1. CN version band1 enablement:
http://bbs.gfan.com/android-7863761-1-1.html
2.NEXUS6 RF parameters such as PC-side backup method qcn
http://bbs.gfan.com/android-7741730-1-1.html
3. Some tools on LTE band1 signal monitoring
http://bbs.gfan.com/android-7684876-1-1.html​
。chinese here hei
Sent from my SPH-L720 using XDA Premium 4 mobile app
Could you send the xt1100's qcn to me? Q2954103426 . If I restore xt1100's qcn to xt1103, can it only make xt1103 support the same bands as xt1100?
Hi, I messed up my NV values and I can't get signal anymore. Can you please post original XT1103 QCN file so we can restore the backup? Thanks.
Done! Working here in philippines smart user here! Thanks OP!
MrDreamSky said:
。chinese here hei
Yes. I can not Choose where I was born, But I can choose whether I can contribute.
While American Dream is on the Sky, Chinese Dream is running on the ground even we are weak, I am expecting to contribute for the global. haha
MaxChuang said:
Could you send the xt1100's qcn to me? Q2954103426 . If I restore xt1100's qcn to xt1103, can it only make xt1103 support the same bands as xt1100?
No, you can not enable all the band but some, and it need some technical filtering job,
RF front end hardware is arm and body of RF driver software soul.
I will try to bring band8, but need more weeks to find time gap during my work.
messedupqcn said:
Hi, I messed up my NV values and I can't get signal anymore. Can you please post original XT1103 QCN file so we can restore the backup? Thanks.
Please note that a normal QPST - Software Download backup qcn will not work for restoring,
and a qcn backed up with the older QPST - RF NV Item Manager cannot cover all RF nv now, so it is also not a good choice for restoring. Solutions for your issue:
Solution 1. In case you only lost your signal after you used 4636 - Phone Info - Select UMTS band - US band, try to set NV00441 to 0xFFFF with this qcn, by QPST - Software Download; an old post is here:
http://forum.xda-developers.com/nexus-6/help/help-locked-nexus-to-usa-band-t2975290/page2
Solution 2. For other failure reasons, reflashing the NEXUS6 factory images will help to reset all your nv from the backup eMMC partition.
How to is here: http://forum.xda-developers.com/nexus-6/general/guide-flash-factory-images-nexus-6shamu-t2954008
Just wondering though, the com should be com93? Or it could be any digit? Because I got com25 and I still insisted on flashing.. it worked but it cannot tell the band I'm using that should be band 1.
Azlun said:
No, you can not enable all the band but some, and it need some technical filtering job,
RF front end hardware is arm and body of RF driver software soul.
I will try to bring band8, but need more weeks to find time gap during my work.
Thanks for your contribution !
I am curious if carrier aggregation can be configured ,too.
Yeah, I would like to know if carrier aggregation can be configured
Azlun said:
Please note that a normal QPST - Software Download backup qcn will not work for restoring,
and a qcn backed up with the older QPST - RF NV Item Manager cannot cover all RF nv now, so it is also not a good choice for restoring. Solutions for your issue:
Solution 1. In case you only lost your signal after you used 4636 - Phone Info - Select UMTS band - US band, try to set NV00441 to 0xFFFF with this qcn, by QPST - Software Download; an old post is here:
http://forum.xda-developers.com/nexus-6/help/help-locked-nexus-to-usa-band-t2975290/page2
Solution 2. For other failure reasons, reflashing the NEXUS6 factory images will help to reset all your nv from the backup eMMC partition.
How to is here: http://forum.xda-developers.com/nexus-6/general/guide-flash-factory-images-nexus-6shamu-t2954008
Thanks! Is fastboot flash radio enough to restore everything to normal? :laugh:
edit: looks like you have to reflash everything. Oh well.
---------- Post added at 06:28 AM ---------- Previous post was at 06:14 AM ----------
I restored the factory image and it's fine. There's a bug with the current factory image where it doesn't flash system and userdata when you run flash-all.sh, but it seems to have flashed the nv value backup without that. I didn't reflash system and userdata manually so I get to keep my phone without wiping.
Any idea why line 6828 in NV browser says 268501086 in my XT1103? According to LTE band calculator, this means the phone supports band 2/3/4/5/7/17/29. But Google Play says the phone supports 2/3/4/5/7/12/13/17/25/26/29/41. Any idea why this supports seemingly less bands?
Looks like some Moto X have this band configuration, but my Nexus 6 shouldn't. Can someone confirm their stock line 6828?
Will this change stick even after a firmware upgrade, say, after upgrading to Lollipop 5.1?
Is this technique applicable to a D820 Nexus 5 as well?
mimsiroll said:
Just wondering though, the com should be com93? Or it could be any digit? Because I got com25 and I still insisted on flashing.. it worked but it cannot tell the band I'm using that should be band 1.
COMxx depends on the PC; it can be any number.
messedupqcn said:
Thanks! Is fastboot flash radio enough to restore everything to normal? :laugh:
edit: looks like you have to reflash everything. Oh well.
---------- Post added at 06:28 AM ---------- Previous post was at 06:14 AM ----------
I restored the factory image and it's fine. There's a bug with the current factory image where it doesn't flash system and userdata when you run flash-all.sh, but it seems to have flashed the nv value backup without that. I didn't reflash system and userdata manually so I get to keep my phone without wiping.
Any idea why line 6828 in NV browser says 268501086 in my XT1103? According to LTE band calculator, this means the phone supports band 2/3/4/5/7/17/29. But Google Play says the phone supports 2/3/4/5/7/12/13/17/25/26/29/41. Any idea why this supports seemingly less bands?
Looks like some Moto X have this band configuration, but my Nexus 6 shouldn't. Can someone confirm their stock line 6828?
1: Is fastboot flash radio enough to restore everything to normal?
Az: I never tried; maybe you can try when you have enough partitions backed up.
2. For nv6828, the stock default is 1099830466654
and after my qcn is written, it should be changed to 1099830466655 (add band1)
in fact there are many other nv items added and overridden, so an EFS backup before writing the qcn is suggested.
I cannot understand why your value became an unknown one.
<!-- Add Band1 in LTE bands over XT1103
default 1099830466654 in decimal = binary:
00000000 00000000 00000001 00000000 00010011 00000001 00011000 01011110B
(band 41 29/26/25 17 13/12 7/5/4/3/2 )
= 1099830466655 in decimal = binary:
00000000 00000000 00000001 00000000 00010011 00000001 00011000 01011111B
(band 41 29/26/25 17 13/12 7/5/4/3/2/!1!)
** other reference,
ONLY Band8 = 128
-->
<NvItem id="6828" subscriptionid="0" name="NV_LTE_BC_CONFIG_I" mapping="direct" encoding="dec" index="0">1099830466655,0</NvItem>
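The band arithmetic in the post above can be checked mechanically before any qcn is written. This is an added example, not code from the thread; it assumes, as the binary breakdown above shows, that bit n-1 of NV 6828 set means LTE band n is enabled, and it treats only the first comma-separated field of the NvItem as the mask. The `<qcn>` wrapper element and all function names are hypothetical.

```python
"""Decode and compare NV 6828 (NV_LTE_BC_CONFIG_I) LTE band masks."""
import xml.etree.ElementTree as ET

# Values quoted in the thread.
XT1103_STOCK = 1099830466654
XT1100_STOCK = 1099646632405

# The NvItem line quoted in the thread, used here as sample input.
SAMPLE_NVITEM = (
    '<NvItem id="6828" subscriptionid="0" name="NV_LTE_BC_CONFIG_I" '
    'mapping="direct" encoding="dec" index="0">1099830466655,0</NvItem>'
)


def decode_lte_bands(mask):
    """Return the sorted LTE band numbers enabled in a 64-bit mask.

    Assumption from the thread's breakdown: bit (n - 1) set <=> band n.
    """
    if not 0 <= mask < 1 << 64:
        raise ValueError("mask must fit in 64 bits")
    return [bit + 1 for bit in range(64) if (mask >> bit) & 1]


def encode_lte_bands(bands):
    """Build the mask for an iterable of band numbers (1..64)."""
    mask = 0
    for band in bands:
        if not 1 <= band <= 64:
            raise ValueError("band out of range: %r" % band)
        mask |= 1 << (band - 1)
    return mask


def diff_bands(before, after):
    """Return (added, removed) band lists between two masks."""
    added = decode_lte_bands(after & ~before)
    removed = decode_lte_bands(before & ~after)
    return added, removed


def read_nv6828(xml_fragment):
    """Extract the decimal NV 6828 mask from QCN-style XML text."""
    # Hypothetical wrapper so a bare fragment (with comments) parses.
    root = ET.fromstring("<qcn>%s</qcn>" % xml_fragment)
    for item in root.iter("NvItem"):
        if item.get("id") == "6828":
            if item.get("encoding") != "dec":
                raise ValueError("expected decimal encoding")
            # Assumption: the first field is the band mask.
            return int(item.text.split(",")[0])
    raise KeyError("NV item 6828 not found")


def review_change(stock_mask, xml_fragment, expected_added):
    """Check that a file adds exactly the expected bands and drops none.

    Returns (ok, added, removed) so unexpected changes are visible
    before anything is written to the phone.
    """
    added, removed = diff_bands(stock_mask, read_nv6828(xml_fragment))
    ok = added == sorted(expected_added) and not removed
    return ok, added, removed


if __name__ == "__main__":
    print("XT1103 stock:", decode_lte_bands(XT1103_STOCK))
    print("XT1100 stock:", decode_lte_bands(XT1100_STOCK))
    print("qcn review  :", review_change(XT1103_STOCK, SAMPLE_NVITEM, [1]))
    # The value one poster read from their own XT1103.
    print("268501086   :", diff_bands(XT1103_STOCK, 268501086))
```

Reading item 6828 first and running the diff against it shows exactly which bands a given value would add or drop on that particular unit, which matters here because one poster's stock value differed from the quoted default.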
Biggster said:
Will this change stick even after a firmware upgrade, say, after upgrading to Lollipop 5.1?
Is this technique applicable to a D820 Nexus 5 as well?
1. My NV items will be kept in EFS until a factory restore that includes erasing the EFS partition triggers a factory EFS restore,
so an OTA upgrade will be fine, but the next whole factory image reflash will erase the nv items in this qcn.
That is the MOTO design, while the LG NEXUS5 does not have such an issue.
2. NEXUS5 D820 can have band3 and band8 enabled in the same way if you follow http://forum.xda-developers.com/google-nexus-5/general/radio-enable-lte-band-3-nexus-5-d820-t2928561
but the qcn in that post will NOT bring CDMA+LTE 1xSRLTE dual-standby working; it is still in LTE only mode.
The reason NEXUS6 supports 1xSRLTE is that it comes from the factory by default, with the DI4.0 new modem firmware, and is triggered by the right carrier_policy.xml from m_bing.
Hmm, I seem to remember my line 6828 was the same unknown value before I changed anything. Stock. Then when I flashed your qcn, it became the 1099830466655. I have no idea why my phone came with less bands stock. it is XT1103 Bought from moto US store. no way to test it either, until I am out of the US
Solved.
Anyone know how to get the SPC/MSL code if it's not all zeros? My N6 is Amazon sprint version but I'm using it out of US.
Sent from my Nexus ⑥
XT1100 to XT1103?
Is it possible to convert an XT1100 to an XT1103? Is it a hardware thing?
I would like to enable band 2 and 4 in the XT1100, is that at all possible?
I have both an XT1103 (borrowed) and my own, an XT1100. Could I copy the NV values from the 1103 onto the 1100? Would it cause any damage to try?
I dont mind formatting, but I also don't want a brick.
Thanks,
Sam.
How could I enable LTE band 4? Really thats the only one I need to enable. Any help is much appreciated. I am more than willing to test as well.

[WIP] Enable additional 3G / LTE Band on YU Yureka

WORK IN PROGRESS.. UNTIL NOW NOT GETTING 100%
This was for CM11s, Don't try on CM12s
As soon as we found right procedure we'll Update here
This tutorial is not for newbies.. If you are not at least a slightly advanced user, don't do this
After reboot, values reset to the original setting (Reset)
need to prevent NV recovery
1. Download Files Here containing all the necessary files and extract it on desktop.
2. Enable Android Debugging on your phone and connect it to your computer,
3. Open up ADB and type the following:
Code:
adb shell
su
setprop sys.usb.config diag,adb
4. Launch Device Manager go to & expand Other Devices,
Right click Android (or something related) listed under that menu
Choose Update Driver Software,
Browse my computer for driver software,
Let me pick from a list of device drivers on my computer,
Just Click Next,
Have Disk,
Browse to where you extracted YU Diagnostics Driver folder
Inside you will find 32bit and 64bit versions, pick one as per your OS
Select htcdiag.inf (for 32bit) or HtcUsbMdmV64.inf (for 64bit) file that you will Open.
Accept all warning messages and let the installation of the driver complete.
5. Once everything is done installing, under Modems or Ports (Com & LPT) in Device Manager you will find HTC USB Modem.
Right click and select Properties; in this you will see Port: COM<number>. Remember that COM<number> or write it down.
6. Open QPST v2.7 Build 4.11 > run as administrator setup.exe (Don’t run QPST.2.7.411.msi)
7. Open QPST Configuration from Start Menu,
Go to the Ports tab,
Click on Add New Port (right bottom corner);
In the Port field type in the COM<number> you wrote down/remembered from step 5 and in Port Label type YU and finally click OK (left bottom corner).
If you've followed all the steps correctly until here, you should be able to see something like this in the Active Phones tab:
View attachment 3258366
Keep QPST Configuration window open
8. Open QXDM-3.12.714 > run as administrator setup.exe (Don’t run QXDMInstaller.msi)
9. Open QXDM Professional (run as administrator),
go to Options menu,
Select Communications
Set Target port to your phone COM<number> you wrote down/remembered from step 5 from dropdown list, Press OK.
View attachment 3258367
10. Back to QXDM main window, in the "View" drop-down menu, selects NV Browser
View attachment 3258368
now the fun part begins
View attachment 3259381
Put check mark on Dual SIM (as shown above SS) for apply all setting to both SIMs (Thanks to @tirta.agung)
11. Inside the NV Browser window,
Scroll down and click on line 01877 (rf_bc_config)
Click the Read button save original value in notepad in case something goes wrong.
Replace Input value with 3460734838925427584
Click on Write button.
12. Inside the NV Browser window,
Scroll down and click on line 00946 (band_pref_16_31);
Click the Read button, save original value in notepad in case something goes wrong.
Replace Input value with 0x0FF8 (please don't be an idiot and don't edit the empty one with "nam" in the name)
Click on Write button.
13. Inside the NV Browser window,
scroll down and click on line 02954 (band_pref_32_63);
click the Read button, save original value in notepad in case something goes wrong.
replace Input value with 805765120 (please don't be an idiot and don't edit the empty one with "nam" in the name)
click on Write button.
14. Inside the NV Browser window,
scroll down and click on line 00441 (band_pref);
click the Read button, save original value in notepad in case something goes wrong.
replace Input value with 0x380 or 0xFFFF (please don't be an idiot and don't edit the empty one with "nam" in the name)
click on Write button.
If you have problem with selection, you can edit it directly from your phone: *#*#4636#*#* /Phone information /Menu /Select radio band > Automatic
15. Inside the NV Browser window,
scroll down and click on line 06828 (lte_bc_config);
click the Read button, save original value in notepad in case something goes wrong.
replace Input value with 1904863 (please don't be an idiot and don't edit the empty one with "ext" in the name)
click on Write button.
16. Now Close QXDM; Wait 30 seconds,
disable Android Debugging on your phone,
unplug it and reboot your device;
Once it comes back on, it might take a minute or two for it to acquire signal so don't panic.
Do this at your own risk.. Nobody is responsible for any loss
Conclusion:
The only real way to know if the whole thing got applied is to do steps 1 through 10 again (obviously skipping installations)
and reading all values or if you are in an area where you previously had bad or no reception.
You can see unlocked GSM/UMTS bands from the *#*#4636#*#* /Phone information /Menu /Select radio band
For more features of QXDM i.e. recover lost IMEI or ESN go HERE (Thanks to @tirta.agung)
Credits:
Thanks to @BlackSoulxxx for his original work with the Qualcomm baseband software, for the modified Drivers and for the LTE NV values
Thanks to @olokos for his original tutorial
Thanks to @devilsshadow for his original tutorial
Thanks to @Albirew for his original tutorial
Thanks to @tirta.agung for bringing the original thread to my attention & Guide me in many ways
Thanks to @fards for finding the diagnostics command that made all this possible
Thanks to @hem12 who raised my will for finding these tutorials.
Thanks to @d3athwarrior for post this tutorial.
Reserved
Don't forget to put check marks on dual sims, and apply all settings to sim0 and sim1 (see attachment). By the way before u messed things up, back up your modemst1, modemst2, fsc, and fsg.
By the way we can also use qxdm to recover lost imei, just go to 0550, and insert your imei for SIM 1 (sim0 in qxdm) and SIM 2 (sim1 in qxdm), for example:
Code:
If your IMEI was: 954091051099226, then the boxes would look like so:
8
9a
45
90
1
15
90
29
62
or also recover lost esn (item no 0 and 5597) or meid (1943 and 5598).
Great guide, guys !:good::good::good:
---------- Post added at 04:02 AM ---------- Previous post was at 03:59 AM ----------
Some error down there: "OPO" and a huge load of credited people that don't seem to fit in here. Clearly copied from OPO thread?
BlackSoulxxx said:
Great guide, guys !:good::good::good:
---------- Post added at 04:02 AM ---------- Previous post was at 03:59 AM ----------
Some error down there: "OPO" and a huge load of credited people that don't seem to fit in here. Clearly copied from OPO thread?
Yes you're right.. I don't want to leave anyone out of the credits for their work :good:
OPO removed :Hawkeye:
but that works for me..
Need help for prevent NV recovery from you all
If it's the same as the 1+1, replacing /system/bin/rmt_storage with a version not locked would prevent nv recovery (do you know if NV values were sticking in an older version? If so, take its rmt_storage and try to replace the current one with the older one, I think it's worth trying)
Albirew said:
If it's the same as the 1+1, replacing /system/bin/rmt_storage with a version not locked would prevent nv recovery (do you know if NV values were sticking in an older version? If so, take its rmt_storage and try to replace the current one with the older one, I think it's worth trying)
Hmmm, as far as I know, all NV settings, including IMEI, or MEID, ESN, etc, resides in your modemst1 and modemst2 partition. If you don't believe me and eager to try, first make a backup of those two partitions, then format or wipe the two partition inside your phone (use fastboot to do this), I'll bet for your YU, now your IMEI and NV settings are all gone.
To be honest, I just found out from this thread that there is an rmt_storage in CM phones, wkwkwkwkw, . If the rmt_storage function is trough, then CM is locking the phone NV settings from the HLOS side not Non-HLOS side. I'll do some research on this rmt_storage.
Need Help from your side
tirta.agung said:
Don't forget to put check marks on dual sims, and apply all settings to sim0 and sim1 (see attachment). By the way before u messed things up, back up your modemst1, modemst2, fsc, and fsg.
.....
or also recover lost esn (item no 0 and 5597) or meid (1943 and 5598).
BlackSoulxxx said:
Great guide, guys !:good::good::good:
Some error down there: "OPO" and a huge load of credited people that don't seem to fit in here. Clearly copied from OPO thread?
Albirew said:
If it's the same as the
.....
current one with older one, I think it's worth trying)
Now current status is
when I connect mobile
it shows me like that
Even I change USB config to diag,adb
thru ADB or manually
this time its present in default.prop
I try both
trying to disable MTP in mobile USB connection is not working
Window for Settings > Storage > 3dot > USB computer connection is working
but when I disable MTP.. it's not working
So need help from your side..
how I enter / install diag mode
@tirta.agung
I read your complete Guide regarding unbrick YU
but as that post has multiple guides ... I am a little confused ..
Sorry I am Xtreme noob for all that
Can you guide me an easy way to connect with QPST for enable LTE band
Can I try
Guide #3. REVIVING YOUR IMEIs (That for 32bit or 64bit)??
for connect QXDM
ekhasti said:
@tirta.agung
I read your complete Guide regarding unbrick YU
but as that post has multiple guides ... I am a little confused ..
Sorry I am Xtreme noob for all that
Can you guide me an easy way to connect with QPST for enable LTE band
Can I try
Guide #3. REVIVING YOUR IMEIs (That for 32bit or 64bit)??
for connect QXDM
Yes use guide number three, and download the necessary file there. By the way, to use the guide you have to be in stock CM kitkat.
How to use these tools for Xperia C6602
Long story short, did it work in the end for more than 1 person?
thanks for the post. but i have a Lollipop rom. I will wait for you to update the thread ....
Can we try this in lollipop??? Is there any update on this???
ekhasti said:
WORK IN PROGRESS.. UNTIL NOW NOT GETTING 100%
CM12s
As soon as we found right procedure we'll Update here
Hi there, attached is boot.img and a hack rmt_storage for CM 12.1. Just flash the boot.img to your phone and connect it with QXDM. Your phone will be recognized as qualcomm diagnostic port 903A. Copy and paste (you can use TWRP's file manager to do this) the rmt_storage to "/system/bin" and change its permission (chmod) to 0755. This will make your changes stick upon reboot.
By the way, to use all these files, you need to be on stock CM 12.1. I haven't tried it on any other ROM.
Bro...im on cm12.1 ...rooted...I didn't understand the procedure... Pls can u explain step by step ..pls....wats that qxad ..? Is a software...? Wer I get that..,pls reply bro
Sent from my AO5510 using XDA Free mobile app
tirta.agung said:
Hi there, attached is boot.img and a hack rmt_storage for CM 12.1. Just flash the boot.img to your phone and connect it with QXDM. Your phone will be recognized as qualcomm diagnostic port 903A. Copy and paste (you can use TWRP's file manager to do this) the rmt_storage to "/system/bin" and change its permission (chmod) to 0755. This will make your changes stick upon reboot.
By the way, to use all these files, you need to be on stock CM 12.1. I haven't tried it on any other ROM.
Now i upgraded to cm13.....can these two files work for me....pls reply
Sent from my AO5510 using XDA Forums
@ekhasti
I have tried doing this on Yureka - CM11 XNPH05Q. Installed all the drivers & softwares successfully. When I startup the QPST config to add a new port,
1. I have to uncheck the "Show serial and USB/QC diag ports only" to make the HTCUSBModem port visible.
2. Although I am able to add the port successfully I am unable to see the phone number, it says "No Phone".
Since it is unable to get the phone details I am unable to proceed further. Nothing is visible/editable in QXDM either.
I have manually edited the build.prop file to make sure USB debugging is enabled but to no avail. Please check the attached files, what is it that I am missing?
P.S - I am able to get my IMEI number using *#06#
Any suggestion Guys???
bluebl0od said:
Any suggestion Guys???
Guys, I am eagerly waiting for your updates

Yotaphone 2 signal boost trick/unlock band ?

Hello from Slovenia,
perhaps I found a way to boost signal or unlock bands in Yotaphone 2.
Go to android secret menu *#*#4636#*#*
Then go to the information about phone menu and scroll down.
There is an option for choosing priority band, normally it's chosen LTE/WCDMA
Click on this and switch the options to TD-SCDMA,GSM/WCDMA and LTE or TD-SCDMA,LTE,CDMA,EvDo GSM, WCDMA
Now watch the signal boosting
I checked same locations driving yesterday and today with car. Where I yesterday got no signal, today I got fully edge signal.
And no signal outage today no matter the location
Check this option and let me know if it works there too. I tried on Android 4.4.3 and 5, it works on both.
I put the first one, but how can I see the difference? The problem was not getting the 2G signal at all if I force in 2G. But if I force it now, your suggested settings will change.
What is the difference between TD-SCDMA,GSM/WCDMA and LTE or TD-SCDMA,LTE,CDMA,EvDo GSM, WCDMA?
May I ask you which mobile operator you have and which radio & firmware you use on your YotaPhone2?
TheArt. said:
I put the first one, but how can I see the difference? The problem was not getting the 2G signal at all if I force in 2G. But if I force it now, your suggested settings will change.
What is the difference between TD-SCDMA,GSM/WCDMA and LTE or TD-SCDMA,LTE,CDMA,EvDo GSM, WCDMA?
May I ask you which mobile operator you have and which radio & firmware you use on your YotaPhone2?
you have to go to spots/locations where you got no signal before and try it now ?
Setting your phone to the wrong settings so it fails over to 2G will no doubt improve your signal strength no end. But personally I would prefer to get fast internet on the move, and leave your radio settings well alone!
There are apps you can get that are called 'signal boosters' they just work by turning off your phone radio and then on again. If you were not connected to a nearby cell but one farther away this will 'boost your signal' ...
You're probably experiencing either or both of these effects, as well as the 4G effect - which is that if you have a local 4G aerial all the cellphones that can do so will be connecting to that, leaving you free to connect to an empty 3G cell instead with lots of bandwidth. Maybe not what you had planned to do, but actually improving your performance by setting the wrong settings
Did anyone already find the secret USB menu code to put the device into Modem mode? As the YotaPhone has a Qualcomm processor, this could be used to enable additional LTE bands, which really would help with reception like in [GUIDE] Add all GSM and LTE bands to your phone.
seems cool! We have to test
Crazyphil01 said:
Did anyone already find the secret USB menu code to put the device into Modem mode? As the YotaPhone has a Qualcomm processor, this could be used to enable additional LTE bands, which really would help with reception like in [GUIDE] Add all GSM and LTE bands to your phone.
Modem mode can be set by changing buildprop sys.usb.config=diag.
Next read this.
w()$k said:
Modem mode can be set by changing buildprop sys.usb.config=diag.
Next read this.
Ah, I haven't noticed that post, so we're making progress but no clear results yet :fingers-crossed:
here on XDA there's also this thread about unlocking frequencies: https://forum.xda-developers.com/yotaphone-one/help/unlocking-additional-radio-basebands-t3523000
TD-WCDMA won't work in Spain. TD stands for Time Division and many countries work with FD (Frequency Division)
Hi,
I am much interested in changing the LTE of YD206, has anyone succeeded yet on this phone? A tuto would be really awesome! As I am new to android it would definitely help!
@TheArt. could you eventually translate the post please? My Russian is not nearly good enough and Google Translate does not make much sense...! Did you succeed modifying the bands?
UNLOCK LTE BAND B20 - 800MHz and B38
I will translate here the work of three 4pda users who must be thanked a lot for their work! unkernet, ssho and BoyNG. Thanks also to mamant1988 who put everything together.
The original 4pda guide can be found here (in Russian): http://4pda.ru/forum/index.php?showtopic=797643&view=findpost&p=59716629
UNLOCK B20 LTE BAND ON YD206
Starting point is a rooted YD206 with latest RU 134 firmware, TWRP and ADB-USB-debug enabled. Do this procedure carefully and write down all the modifications and default values. The changes are performed on NVRAM level, so flashing firmwares will not affect them. Flashing firmwares will, however, affect modified baseband, as any other "radio" part as usual.
Download here the .zip archive which contains what is needed for this guide, including some screenshots of how things should be displayed.
Download the modified baseband RU-CN here and put it into the internal memory of the phone: it will be flashed in the end.
Install QPST and QXDM Qualcomm programs on Windows, they are in the above archive.
Enable the installation of unsigned drivers in Windows (like this). This is needed to install drivers for the diagnostic port later on.
Download Terminal Emulator from Play Store.
In the Terminal, write the following to get root access:
Code:
su
then:
Code:
setprop sys.usb.config diag,adb
Connect the phone via USB to the PC, in the Device Manager it should pop up as "Android Device" or similar, without a specific driver.
Right click on it and perform these actions: update drivers, search on this computer, choose driver from already installed drivers, show all devices, next, install from disk, there point to the .inf file corresponding to your system (32bit -> x86, 64bit -> x64) found in \YotaLTE\Modified HTCDiagDriver\Win x64HtcUsbMdmV64.inf (for 64bit).
After installation, go to properties of this new driver HTC USB Modem and check the number of the port displayed there, COM3 or COM4, for example.
Lower the 38400 value which you find there, click OK.
Execute as an admin C:\Program Files (x86)\Qualcomm\QPST\bin\QPSTConfig.exe.
Choose the second section Ports, then "Add new port".
In the field Port put the one which was displayed in the modem section, COM3 for example.
In Port Label field write "Yota" or whatever, and then OK.
In the first section Active Phones the smartphone should be displayed.
KEEP QPSTConfig.exe PROGRAM OPENED.
Also, start C:\Program Files (x86)\Qualcomm\QXDM\Bin\QXDM.exe using admin privileges
Here, click Option, then Communications.
In the Target Port choose the same port as before, then OK.
Click View, New, Common, NV Browser. In the Category Filter choose LTE.
Choose 06828 LTE BC Config and then press "read".
Correct the number you see, for example 1099511627781 into 1099512152069 for B20, and click Write to save.
Close all the programs, and reboot the phone directly into TWRP (VOL UP + POWER), here find the update_S01_003_4240_RU1_M05_patched.zip baseband and flash it.
At this point it is advised to clean dalvik cache and cache with TWRP.
Done! Reboot.
If it is not working, reset everything by flashing stock baseband, putting back the values changed above and start again. It is not necessary to flash the modified RU-CN baseband, if with the CN one the phone is performing at 100%. I suggest to flash to see the differences. By the way, remember to unlock one band at a time.
To unlock B38 band (there is lack of information about YD206 already having it or not) the number is 1236951105541. For example, if the initial number found in LTE config was: 1236950581253, it means that the bands LTE B1/B3/B38/B41 were active. To verify by yourself download LTE Band Calculator.
Some attempts have been made also to unlock B7 band, but without success for now. It seems that the baseband crashes after a second when trying to connect to that LTE band. Further research needed!
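The arithmetic behind the NV 06828 values in the guide above, as an added example that is not part of the original post or the 4pda guide: a small Python helper that decodes a value into its bands and checks that a planned new value differs from the recorded default by exactly the one intended band. The bit layout (bit n-1 stands for band n) is an assumption inferred from the values quoted in the post, and the function names are hypothetical.

```python
"""Decode, compose and sanity-check the LTE band bitmask from the guide (NV item 06828)."""
from __future__ import annotations

# Assumption, inferred from the values quoted in the guide: bit (n - 1) of the
# value stands for LTE band n, and the value fits in a 64-bit field.
MAX_BAND = 64


def decode_bands(mask: int) -> list[int]:
    """Return the sorted list of LTE bands whose bits are set in mask."""
    if not 0 <= mask < (1 << MAX_BAND):
        raise ValueError(f"value does not fit a {MAX_BAND}-bit field: {mask}")
    return [bit + 1 for bit in range(MAX_BAND) if (mask >> bit) & 1]


def encode_bands(bands) -> int:
    """Build the decimal value that enables exactly the given bands."""
    mask = 0
    for band in bands:
        if not 1 <= band <= MAX_BAND:
            raise ValueError(f"band number out of range: {band}")
        mask |= 1 << (band - 1)
    return mask


def add_band(mask: int, band: int) -> int:
    """Return mask with one extra band enabled; all other bits stay untouched."""
    return mask | encode_bands([band])


def diff_bands(old: int, new: int) -> tuple[list[int], list[int]]:
    """Return (added, removed) band lists when going from old to new."""
    changed = old ^ new
    return decode_bands(changed & new), decode_bands(changed & old)


def is_single_band_unlock(old: int, new: int, band: int) -> bool:
    """True only if new equals old plus exactly the intended band.

    Catches typos in the long decimal number and values that silently
    add or drop other bands (the guide says to unlock one band at a time).
    """
    return diff_bands(old, new) == ([band], [])


if __name__ == "__main__":
    # Values quoted in the guide.
    default = 1099511627781
    with_b20 = 1099512152069
    print("default :", decode_bands(default))
    print("with B20:", decode_bands(with_b20))
    print("computed:", add_band(default, 20))
    print("one-band change?", is_single_band_unlock(default, with_b20, 20))
    # The value the guide gives for B38 differs from this default by two bands.
    print("B38 value diff:", diff_bands(default, 1236951105541))
```

Record the value read from the phone before any change and compare it with the planned value this way; a mismatch in `diff_bands` means the number about to be written is not the one intended.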
After all the hassle I just went through to obtain a YD201 instead of a YD206 so I could have Band 20
Great news for YD206 owners anyway, thanks for sharing!
hippy dave said:
After all the hassle I just went through to obtain a YD201 instead of a YD206 so I could have Band 20
Great news for YD206 owners anyway, thanks for sharing!
Me too.
Tried drivers installation with a yd201 (just for take a look about the wifi issue) and they are not compatible.
I guess modifying the inf files would do the trick.
Hi, I try to unlock LTE band, but su command doesn't work in terminal .... it said su: not found.
velociraptor68 said:
Hi, I try to unlock LTE band, but su command doesn't work in terminal .... it said su: not found.
Do you have root? Do you give root permission to Terminal Emulator?
Just did the procedure, can't confirm if it's working on 800MHz B20 yet because I can't find a way to force it or even know if its available in my region from my Network, because I live in the city and they use mostly the 1800MHz, 2G Only works correctly and it seems that somehow it also solves the Proximity Sensor, I will give feedback at how it behaves tomorrow when I will be on the move, but until now everything seems well and smooth, Many Thanks for the persons that worked on the fix, I guess Yota should be hiring! And to @TheArt who translates all the good stuff!
band17
Hello,
Would it work to unlock band 17 At&t? Is it enough to modify config 6828 number by calculator?
Hello,
I am from Bosnia and got Yotaphone 2 from China (YD206) and installed latest RU software 1.132, but I noticed that my phone only works in big cities. As soon as I leave for the countryside, there is no signal/service.
Is there another version of software I can try to upgrade to, to get these bands in the countryside as well, or the problem is with the limitation of phone's hardware?
Thanks!
Miroslav1999 said:
Hello,
I am from Bosnia and got Yotaphone 2 from China (YD206) and installed latest RU software 1.132, but I noticed that my phone only works in big cities. As soon as I leave for the countryside, there is no signal/service.
Is there another version of software I can try to upgrade to, to get these bands in the countryside as well, or the problem is with the limitation of phone's hardware?
Thanks!
What's the coverage in your country?
Maybe outside big cities there is no mobile connection in the frequency that yotaphone can support
borekon said:
What's the coverage in your country?
Maybe outside big cities there is no mobile connection in the frequency that yotaphone can support
GSM : 900 (E-GSM) 1800 (DCS)
UMTS: B1(2100) UMTS B8 (900 GSM)
That is what I found out from google. I am not sure what is the better way to find out what Yota covers and what is available here.
If someone knows please let me know.
If I perhaps flash the phone with EU software rather than RU which I currently have, would that unlock some bands?

[Guide] Restore Lost IMEIs / Repair Network or Radio Issues

I accidentally restored TWRP backup of another Zuk Z2 phone on my new phone and in this process over-wrote the EFS partition. This left me with a phone having no IMEI, no mac for Wifi and Bluetooth. Effectively No Network on phone.
Worried, I searched across internet to find out ways to restore IMEIs and get my phone working again. The way out was to restore xqcn file and use it to get back IMEIs, mac address etc. But there were various posts and mixed feedbacks. Even when I restored modified xqcn and got IMEIs back, it had only one sim actually working and other had no signal.
I spent many hours searching for finding right steps. It was a long tiring process wherein close to 2 days were gone trying multiple methods, flashing QPST roms around 10 times to observe network in Stock ROM , in Custom ROMs and after reflashing etc etc etc . Shouts go out to Akrapovic & Nordicus for their detailed posts which helped me in understanding lot many things and also finalizing key steps to restore IMEIs, MAC etc and getting phone working
Pre-requisites:
1) QPST installed on PC; Download v 2.7.453 from here or elsewhere if you know of
2) ADB / Fastboot installed
3) Drivers Installed for Zuk Z2
4) Hex Editor to edit xqcn file
5) WriteDualIMEI_W_G_eMMC - to write IMEIs once xqcn has been restored
6) Zuk Z2 rooted with ADB enabled through developer options and connected to computer
For points 2 and 5, pls refer here to download the files and tools.
So the solution which worked for me, and one which has been tried and tested is following:
1) First check the IMEIs dialing *#06#.
If you see IMEI and matching with that on your box, there is no issue and you should stop.
If you see blank / error, process further
2) The EFS is corrupt and hence we don't see IMEIs. Follow this page and get the EFS partition wiped out to properly prepare EFS for restore of xqcn in next steps.
I had restored xqcn file without wiping EFS partition and later on had issues. But all these issues were gone when first wiped EFS and then restored xqcn. So will suggest doing same.
3) Get the xqcn for our phone Zuk Z2 from here original credits to 唐大土土 and Nordicus who shared it here
Use HexEditor to search below default values and replace them with your devices value. IMEIs / MEID is available on box. MAC can be assumed suitably
MEID: 22 22 22 22 22 22 22
IMEI1: 33 33 33 33 33 33 33 33
IMEI2: 44 44 44 44 44 44 44 44
WIFIMAC: 55 55 55 55 55 55
BTMAC: 66 66 66 66 66 66
4) To be on safer side and avoid other variabilities, it is suggested to first flash QPST rom to ensure that apart from EFS all other partitions are fine. This is optional.
5) Now with rooted phone connected to PC, open command prompt on PC and go to adb folder. From there type these commands
Code:
adb shell
su   # watch the phone screen: this second command prompts you to grant root rights
setprop sys.usb.config diag
Once done you will see in device manager 3 new com ports are open. If some errors or no success in getting com ports opened you can try following too
Code:
adb shell
su   # watch the phone screen: this second command prompts you to grant root rights
setprop sys.usb.config diag,rmnet,adb
setprop sys.usb.config diag,acm_smd,acm_tty,rmnet_bam,mass_storage,adb
6) In Device Manager, you will see a com port titled Qualcomm Android Diagnosis etc, note the com no.
7) Open QPST, click "Add new port" and enter the port in both places (Port and Port Label), which is written in the device manager.
Next Click Start Client -> Software download. Go to Restore tab, and use the modified xqcn file which you saved in step 2 and press Start.
If any error, tick the check box "Allow phone/file ESN mismatch" and press Start
8) Once restore is 100% done, close the QPST and open the WriteDualIMEI_W_G_eMMC, and put in the IMEIs and flash. You should see Green Pass.
9) Reboot phone and dial *#06# - the IMEIs should be seen. Bingo, job done... give me thanks. Just put in SIM and network should be back.
For Step 7, if more details required, pls refer this post with step by step details
Hope this helps !! I will be extremely happy if this guide helps you in restoring IMEIs, repairing lost network and radio issues.
Reserved
Reserved for FAQs and other experiences.
If I keep a backup of efs partition using twrp..will I be safe in case the partition is corrupt or unreadable?
Bidyadhar said:
If I keep a backup of efs partition using twrp..will I be safe in case the partition is corrupt or unreadable?
Yes, that will help in future. Also should take backup of xqcn file using QPST.
I had the lost IMEI problem before, but I did not need rooted phone to solve it. Just turn off the phone, then press Volume (-), and finally connect at the same time the usb cable (make sure drivers were installed before!). You will see 3 new devices, the important is the diagnostics one. Take note of the COM port, and you can use QFIL to backup/flash the qcn. All without root
rainbyte said:
I had the lost IMEI problem before, but I did not need rooted phone to solve it. Just turn off the phone, then press Volume (-), and finally connect at the same time the usb cable (make sure drivers were installed before!). You will see 3 new devices, the important is the diagnostics one. Take note of the COM port, and you can use QFIL to backup/flash the qcn. All without root
Interesting, was not aware of this. Is this EDL mode?
mGforCe said:
Yes, that will help in future. Also should take backup of xqcn file using QPST.
Sir, can you please tell me how to backup xqcn?
Sent from my Z2 Plus using Tapatalk
Bidyadhar said:
Sir, can you please tell me how to backup xqcn?
Sent from my Z2 Plus using Tapatalk
Go till Step 7 as per first post and therein choose backup in place of restore. That's it !
mGforCe said:
Interesting, was not aware of this. Is this EDL mode?
I think it is not EDL mode, because usb vendor and product ids are different. When I had the IMEI problem, I tried to restore qcn from EDL mode to no avail. After that, I found the suggestion of using Vol(-) and it worked, but it is a different mode, because screen is not black in this one, it shows some options instead (sdcard flash, qcn restore, etc).
mGforCe said:
Use HexEditor to search below default values and replace them with your devices value
Please, write here a guide how to edit this values in HEX-editor.
Thanks in advance!
sergsinger said:
Please, write here a guide how to edit this values in HEX-editor.
Thanks in advance!
Pls refer below quoted text from OP
Use HexEditor to search below default values and replace them with your devices value. IMEIs / MEID is available on box. MAC can be assumed suitably
MEID: 22 22 22 22 22 22 22
IMEI1: 33 33 33 33 33 33 33 33
IMEI2: 44 44 44 44 44 44 44 44
WIFIMAC: 55 55 55 55 55 55
BTMAC: 66 66 66 66 66 66
Use Search and replace feature of Hex Editor to replace above value with your device values
mGforCe said:
Pls refer below quoted text
Man, I've tried to do it with two different editors with no luck, because I'm not so close to operate with it. So I ask you to write guide.
Regards.
Problem solved, done by myself.
sergsinger said:
Man, I've tried to do it with two different editors with no luck, because I'm not so close to operate with it. So I ask you to write guide.
Regards.
Problem solved, done by myself.
Good, why don't you share small guide on same for other users now.
mGforCe said:
why don't you share small guide on same for other users now
It looks strange. I've asked you to do this, but now you ask me to write a small guide...
I've used Hex Workshop (it's not an advertisement, because I've tried to edit QCN-file with few different editors and they weren't so friendly to use).
1) Open editor, choose QCN.
Press "Search" and put in data of MEID, Wi-Fi and Bluetooth MACs:
MEID: 22 22 22 22 22 22 22
WIFIMAC: 55 55 55 55 55 55
BTMAC: 66 66 66 66 66 66
!!! Please, notice, that Wi-Fi MAC, that you can see in menu of phone is shown as "54 55 55 55 55 55", but in editor it will be found as "55 55 55 55 55 55" and even in three places. I've changed in all three, because edition of one only doesn't change MAC after reboot.
3) Check after reboot:
- Wi-Fi and Bluetooth MACs are native
- MEID has changed, but it became upside down in groups consisting of 2 digits (first two digits are now in the end and so on). Problem was solved by "MEID/ESN Tool".
Press "Volume -" and "Power On/Off" (release Power after vibration) until you see "Menu from 0 to 5" (SD update...GetInfo). Connect phone to PC. Launch "MEID/ESN Tool", press "Initialize" (COM-port will be shown), then press button "MEID" and set checkbox "do MEID", enter native MEID (it is like IMEI w/o last digit; it is shown on the box and on the film from the back of the phone), press "Write".
!!! I've tried to change MEID in "MEID/ESN Tool" before QCN was edited, but this was unsuccessful, MEID didn't change. MEID became native after I've edited QCN in hex-editor and then used "MEID/ESN Tool" as mentioned above.
4) The last one - recover native IMEIs. IMEIs were changed via program "WriteDualIMEI(W+G_eMMC)". Press "Volume -" and "Power On/Off" (release Power after vibration) until you see "Menu from 0 to 5" (SD update...GetInfo). Connect phone to PC. Launch "WriteDualIMEI(W+G_eMMC)" and enter native IMEIs, press "Start". After reboot you will get native IMEIs.
!!! I've tried to edit IMEIs in hex-editor. But the QCN includes IMEIs consisting of 16 digits, while a regular IMEI consists of 15. I've replaced last (useless) number by pressing "space" on keyboard and after reboot there wasn't network. I've supposed that I need to put not a "space", but something like "leave an empty cell" in hex-editor. I haven't tried to do this because I have "WriteDualIMEI(W+G_eMMC)".
@sergsinger don't know why it's strange.. we can give back to xda community only by sharing our knowledge!
Since you had learnt and done it yourself, why not to share the same.
rainbyte said:
I had the lost IMEI problem before, but I did not need rooted phone to solve it. Just turn off the phone, then press Volume (-), and finally connect at the same time the usb cable (make sure drivers were installed before!). You will see 3 new devices, the important is the diagnostics one. Take note of the COM port, and you can use QFIL to backup/flash the qcn. All without root
i try your method without rooting, but it didn't work, can you send me qcn file to edit for z2132, also to edit with hex editor is find and replace imei 3333...33 with our imei number is ok or there is other method, also where to look for meid.
sunnythehoney said:
i try your method without rooting, but it didn't work, can you send me qcn file to edit for z2132, also to edit with hex editor is find and replace imei 3333...33 with our imei number is ok or there is other method, also where to look for meid.
Pls read OP in detail...the xqcn file is shared there...also to write IMEI you will need tool WriteDualIMEI_W_G_eMMC
Again pls read and download all tools as mentioned in OP as pre-requisite
mGforCe said:
Pls read OP in detail...the xqcn file is shared there...also to write IMEI you will need tool WriteDualIMEI_W_G_eMMC
Again pls read and download all tools as mentioned in OP as pre-requisite
i download above 66...6.xqcn file posted above and edit with hexeditor by replacing meid:22.....22 by imei translator hex number. same for imei numbers and restore through qpst config. and then use writedualimei_w_g_emmc all operations shows no error completed successfully but after reboot when dial *#06# shows null meid or imei. now i am going to try by inverting meid no by inverting regular meid no. and imei in inverting pair and make first 8 as 8A. see what happen
sunnythehoney said:
i download above 66...6.xqcn file posted above and edit with hexeditor by replacing meid:22.....22 by imei translator hex number. same for imei numbers and restore through qpst config. and then use writedualimei_w_g_emmc all operations shows no error completed successfully but after reboot when dial *#06# shows null meid or imei. now i am going to try by inverting meid no by inverting regular meid no. and imei in inverting pair and make first 8 as 8A. see what happen
where did you find your MEID no, I am having the same problem
badri21 said:
where did you find your MEID
It is shown on the box & film from the back of the phone. Usually it is like first IMEI w/o last digit.
In hex-editor MEID which comes with QCN will be simply found by typing "22 22 22 22 22 22 22" in search bar.
