[REF][INFO][R&D] "Secret Codes" and other hidden features


E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,221
-∇ϕ
"Secret Codes" and Hidden Features

Hacking for "Secret Codes" and other hidden phone features.

Skill Level: Easy

Posting

==================================================
Do NOT post general questions/requests on how to do
this or that, they will not be answered, simply
because we don't know yet. Rather try to find out
by yourself and share your results.
==================================================

Purpose

To find all "Secret Codes", special properties and other hidden phone features
and settings, used in the GT-I9300. The secret codes are not so secret, but
are often used to activate and manipulate many settings, such as debug modes,
network connections, factory test modes etc. It is an unfortunate choice of
words but we will stick to this definition nonetheless for simplicity, since
it is also used in the source code by Samsung and AOS. Do not confuse secret
codes with VSC (Vertical Service Codes), USSD (Unstructured Supplementary
Service Data) or other MMI (Man Machine Interface) codes.

Although there are many "standard" codes common to many Samsung phones, they
do vary to some extent. This is because their functionality often depends on
the particular hardware, in particular the baseband processor (aka radio, DSP,
BP or CP) and the multiplexer chips that switch the various internal USB
paths, for example between MHL, BP and AP.

This is an informative reference thread on these features. If you have
relevant additional information you'd like to share, please post it here.

Background

From the Samsung Galaxy S2 experience we have gained the following
understanding when it comes to the Factory/Service Mode menus and the
PhoneUtils applications. We are still to work out if this is still true for
the SGS3.

But first it is worth noting that, due to the more complicated but better
organized phone applications in ICS, the way to enter secret codes has
changed from GB versions. Now all secret codes have to be prefixed with
"*#*#", followed by <code> and postfixed with "#*#*". [Note-1] However,
according to the GT-I9300 Service Manual, there are two codes that should work
without post- and pre-fixes. They are *#1234# (version) and *2767*3855#
(Factory reset! It will wipe your phone instantly, NO warnings, no going back,
no way to cancel.) [Note-2]
==================================================
Newbie Practice Box
Go to your phone dialer and "dial" the following string:
*#*#197328640#*#*
This will trigger the Service Menu.
==================================================

This same effect can be accomplished directly on the command line, with a
direct URI broadcast call to the application receiver via:

Code:
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://1111

Second, it is essential to know that the actual program code (read
assembly/machine code) for the Engineering / Service Mode menu is actually
located in the baseband processor firmware. What you actually see when you
enter this menu is just a Java-based wrapper application that makes direct
function calls through various entry points in the baseband kernel/firmware.
What does it mean? When you enter a specific "secret code", the wrapper
application (e.g. ServiceMenu.App) deciphers the code to a particular menu
entry in the baseband processor, where it is executed and whose result is
output to the wrapper application.

Third. Apart from hardware differences, because of the baseband firmware
dependence, the set of working secret codes will differ somewhat from your
location, depending on:

  • Your Modem firmware
  • Your AOS version (ICS 4.0.1, 4.0.4 etc.)
  • Your CSC version (Regional codes)

Special Notes

[Note-1] This can be seen in the handleSecretCode() function in the SpecialCharSequenceMgr.java code.
[Note-2] These need testing and confirmation since they clearly contradict [Note-1].
[Note-3] Apparently the Samsung Galaxy S3 will come in at least two versions:

  1. The GT-I9300 (FCC-ID: A3LGTI9300 )
  2. The SCH-I939 (FCC-ID: A3LSCHI939 ) [Possibly the LTE version]


References

[1] "[GUIDE] Noobs guide to extract Galaxy S3 stock firmware(.img)"
[2] "[All Stock Firmwares] I9300XXALE8 (4.0.4) - Kenya (OJV) [19-05-12]"
[3] "[HOW TO][Windows]Extract Deodex Sign and Zipalign an official ROM"
[4] "[GUIDE] dsixda's Android Kitchen - Now with SGS2 support (Windows/Linux/Mac)"
[5] "[REF] Unpacking and repacking stock rom .img files"
[6] "[Tool] Yaffey - Utility for reading, editing and writing YAFFS2 images" (code is here)
[7] "[TOOL] Auto Bloat Remover Tool For GS III!"
[8] "[GUIDE][TOOL] Guide To Create You're Own De-Bloat Tool/APK Installer/For Any Device"

Keywords: Secret, Codes, Hidden, Service, Factory, UART
 
Last edited:
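The `am broadcast` call in the post above only reaches a receiver that is exported and not guarded by a permission, so a firmware reviewer can list which codes are open by reading each decoded AndroidManifest.xml. The following is an added example, not code from the thread or from Samsung; the package name, receiver names and permission string are constructed, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SECRET_ACTION = "android.provider.Telephony.SECRET_CODE"
SECRET_SCHEME = "android_secret_code"

# Constructed sample manifest (hypothetical package and receiver names).
# The host values are codes listed in this thread.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.servicemode">
  <application>
    <receiver android:name=".KeystringReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="197328640"/>
        <data android:scheme="android_secret_code" android:host="2684"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".DumpReceiver"
              android:permission="com.example.permission.KEYSTRING">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="9900"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="0000"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_secret_code_receivers(manifest_xml):
    """Return one finding per intent-filter that listens for SECRET_CODE."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if SECRET_ACTION not in actions:
                continue
            data = flt.findall("data")
            schemes = {_attr(d, "scheme") for d in data} - {None}
            if schemes and SECRET_SCHEME not in schemes:
                continue
            hosts = sorted({_attr(d, "host") for d in data} - {None})
            # On the Android versions discussed here, a receiver with an
            # intent-filter is exported unless it says exported="false".
            exported = _attr(receiver, "exported") != "false"
            permission = _attr(receiver, "permission")
            findings.append({
                "receiver": _attr(receiver, "name"),
                "codes": hosts or ["*"],   # no host means any code matches
                "exported": exported,
                "permission": permission,
                "open": exported and permission is None,
            })
    return findings


def open_codes(findings):
    """Codes any sender of the broadcast can trigger (no permission check)."""
    return sorted(c for f in findings if f["open"] for c in f["codes"])


if __name__ == "__main__":
    for f in audit_secret_code_receivers(SAMPLE_MANIFEST):
        state = "OPEN" if f["open"] else "guarded"
        print("%-20s %-8s %s" % (f["receiver"], state, ",".join(f["codes"])))
```

Receivers reported as OPEN are the ones to review first: they should either require a signature-level permission or be removed from production builds.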

E:V:A

HOW TO (find new stuff)

So how do you find new codes?
Well Google it! Then consider getting the following tools:

Then what to do?
The brief version. (For full version, see "References" in OP above.)


  1. Download all the tools shown above.
  2. Download the deodexed firmware images (see post#3)
  3. (If in Windows) Double click the sgs2toext4.
  4. Drag and drop the system.img file to the sgs2toext4 "drop window".
  5. You will now have a system.img.ext4 file, open this file with the LinuxReader tool.
  6. Save entire filesystem (from 5) in a new folder. Close.
  7. Go to the folder containing the *.apk(s) of interest.
  8. Make sure dex2jar.bat (win) is in your path and run it on your interesting.apk like this, for example:
    Code:
    ./path/to/dex2jar.bat Samsungservice.apk
    This produces a new file: Samsungservice_dex2jar.jar
  9. Extract (7zip) this file in a new folder.
  10. Go to that folder in command line and enter the appropriate "jad" commands. For example, to decompile all class files globbed by Phone*.class and put the decompiled sources in the "src" sub-directory, do:
    Code:
    jad -o -r -sjava -dsrc Phone*.class
  11. Go to the source directory (../src) you just created.
  12. Enjoy your *.java files!
Alternatively you can deodex on your own...but don't ask me how to do it.

A few other Tools

http://www.sable.mcgill.ca/soot/
http://jdec.sourceforge.net/
http://stackoverflow.com/questions/647116/how-to-decompile-a-whole-jar-file
http://askubuntu.com/questions/129305/how-can-i-open-binary-image-files-img
 

E:V:A

The Secret Codes

The information for this post was obtained by decompiling the
deodexed system image of the firmware shown below.

I9300XXALE8

Base Firmware: I9300XXALE8 (4.0.4)
Modem: XXLE8
CSC: OJVALE7

The latest GT-I9300 Stock Firmwares can be found here.

Here are the codes as found in:
serviceModeApp.apk: ServiceModeApp.class
Code:
Code                    Description                                             JavaCall
----------------------------------------------------------------------------------------------------------------------
197328640 || 2684       Start Service Mode / Enter SM Main Menu                 SendData('\001', '\001', '\000', '\000', '\000');

1111                    FTA SW Version                                          SendData('\001', '\001', '\u1002', '\000', '\000');
2222                    FTA HW Version                                          SendData('\001', '\001', '\u1003', '\000', '\000');
8888                                                                            SendData('\001', '\001', '\u1003', '\000', '\000');
2886                                                                            SendData('\001', '\001', ' ',    '\000', '\000');
6984125*                                                                        SendData('\001', '\001', ' ',    '\000', '\000');
2767*2878               ? Factory reset (complete erase & format)               SendData('\001', '\001', '!',    '\000', '\000');


0228                    ADC Reading                                             SendData('\001', '\001', '\005', '\000', '\000');
0599                                                                            SendData('\001', '\001', '\024', '\000', '\000');
1575                                                                            SendData('\001', '\001', '\025', '\000', '\000');
2263                    RF Band Selection                                       SendData('\001', '\001', '\026', '\000', '\000');
2580                                                                            SendData('\001', '\001', '\007', '\000', '\000');
301279 || 279301                                                                SendData('\001', '\001', '\024', '\000', '\000');
32489                   Ciphering Info                                          SendData('\001', '\001', '\006', '\000', '\000');
4238378                                                                         SendData('\001', '\001', '\027', '\000', '\000');
4387264636                                                                      SendData('\001', '\001', '\037', '\000', '\000');
7284                    PhoneUtil: USB/UART I2C Mode Control                    SendData('\001', '\001', '\023', '\000', '\000');
738767633                                                                       SendData('\001', '\001', '\034', '\000', '\000');
73876766                                                                        SendData('\001', '\001', '\033', '\000', '\000');
7387677763                                                                      SendData('\001', '\001', '\036', '\000', '\000');
7387678378                                                                      SendData('\001', '\001', '\035', '\000', '\000');
9090                    Diagnostic Configuration                                SendData('\001', '\001', '\023', '\000', '\000');

0011                                                                            SendData('\001', '\004', '\000', '\000', '\000');
123456                                                                          SendData('\001', '\004', '\001', '\000', '\000');
<na>                    End Service Mode 1 ()                                   SendData('\002', '\004', '\000', '\000', '\000');
<na>                    End Service Mode 2 ()                                   SendData('\002', '\001', '\000', '\000', '\000');

NOTE: In the table above, I have replaced printed UTF-8 (U+NNNN) characters with '\uNNNN'.

As you can see in the table above, most of the hidden codes are just shortcuts
into various sub-menus (third parameter) of Service Mode application. However,
this does not exclude the use of other hidden codes, that can be used or detected
in other applications.

From a different file we have some additional codes.
(Not including already covered or overlapping codes.)

serviceModeApp.apk: SecKeystringBroadcastReceiver.class
Code:
0000

147852                  TestApnSettings: putExtra("testBed", "Suwon");
1478963                 TestApnSettings: putExtra("testBed", "Open_market");
22558463                Reset Total Call Time
232331
232332
232337
3214789650
369852                  TestApnSettings: putExtra("testBed", "Gumi");
3698741                 TestApnSettings: putExtra("testBed", "Delete_DB");
-------------------------------------------------------------------------------
03                      NAND Flash S/N (NandFlashHeaderRead)
745                     RIL Dump Menu
746                     Debug Dump Menu
0228                    Battery Status
1111                    IF SalesCode="CTC" THEN: TerminalMode
2222                    IF SalesCode="CTC" THEN: TerminalMode
2263
8888
9900 || 0514            System Dump

279301
301279
3214789                 GCF Mode Settings
5337632                 NFC Test
22553767                Call Drop Log View

6335623
TESTMODE

These may not always work, since some of them depend on certain "Sales Codes"
or factory IMSI numbers, through statements like:
Code:
if ((mSalesCode.equals("CHM")) && (str.equals("827828868378")))

But these were only codes found in two files.
So there are probably many more codes to be found!

Other Stuff

Here are some unknown functions from: TerminalMode.class
Code:
DEBUG_SCR       SendData('\001', '\004', '\000', 0, '\000');
EI_DEBUG_SCR    SendData('\001', '\006', '\000', 0, '\000');
DATA_ADV        SendData('\001', '\003', '\003', 0, '\000');
NAMBASIC        SendData('\001', '\003', '\001', 0, '\000');
NAMSIMPLE       SendData('\001', '\003', '\002', 0, '\000');
TESTMODE        SendData('\001', '\001', '\000', 0, '\000');
TEST_CALL       SendData('\004', '\007', c, 0, '\000');

Here is a list of all the OEM Commands used in the Service Mode App.
Code:
-------------------------------------------------------------------------------
private class OemCommands (ServiceModeApp)      value           hex
-------------------------------------------------------------------------------
char OEM_SERVM_FUNCTAG = '\001';

OEM_SM_ACTION                                   = '\000';       00
OEM_SM_DUMMY                                    = '\000';       00
OEM_SM_END_MODE_MESSAGE                         = '\002';       02
OEM_SM_ENTER_MODE_MESSAGE                       = '\001';       01
OEM_SM_GET_DISPLAY_DATA_MESSAGE                 = '\004';       04
OEM_SM_PROCESS_KEY_MESSAGE                      = '\003';       03
OEM_SM_QUERY                                    = '\001';       01
OEM_SM_TYPE_MONITOR                             = '\004';       04
OEM_SM_TYPE_MONITOR_SKT                         = '\001';       01
OEM_SM_TYPE_NAM_EDIT                            = '\003';       03
OEM_SM_TYPE_PHONE_TEST                          = '\005';       05
OEM_SM_TYPE_SUB_ALL_VERSION_ENTER               = '\004';       04
OEM_SM_TYPE_SUB_BAND_SEL_ENTER                  = '\026';       16
OEM_SM_TYPE_SUB_BATTERY_INFO_ENTER              = '\005';       05
OEM_SM_TYPE_SUB_BLUETOOTH_TEST_ENTER            = '\t';         09
OEM_SM_TYPE_SUB_CIPHERING_PROTECTION_ENTER      = '\006';       06
OEM_SM_TYPE_SUB_ENTER                           = '\000';       00
OEM_SM_TYPE_SUB_FACTORY_PRECONFIG_ENTER         = '\016';       0e
OEM_SM_TYPE_SUB_FACTORY_RESET_ENTER             = '\r';         0d
OEM_SM_TYPE_SUB_FACTORY_VF_TEST_ENTER           = '\031';       19
OEM_SM_TYPE_SUB_FTA_HW_VERSION_ENTER            = '\003';       03
OEM_SM_TYPE_SUB_FTA_SW_VERSION_ENTER            = '\002';       02
OEM_SM_TYPE_SUB_GCF_TESTMODE_ENTER              = '\027';       17
OEM_SM_TYPE_SUB_GET_SELLOUT_SMS_INFO_ENTER      = '\037';       1f
OEM_SM_TYPE_SUB_GPSONE_SS_TEST_ENTER            = '\025';       15
OEM_SM_TYPE_SUB_GSM_FACTORY_AUDIO_LB_ENTER      = '\030';       18
OEM_SM_TYPE_SUB_IMEI_READ_ENTER                 = '\b';         08
OEM_SM_TYPE_SUB_INTEGRITY_PROTECTION_ENTER      = '\007';       07
OEM_SM_TYPE_SUB_MELODY_TEST_ENTER               = '\013';       0b
OEM_SM_TYPE_SUB_MP3_TEST_ENTER                  = '\f';         0c
OEM_SM_TYPE_SUB_RRC_VERSION_ENTER               = '\024';       14
OEM_SM_TYPE_SUB_RSC_FILE_VERSION_ENTER          = '\021';       11
OEM_SM_TYPE_SUB_SELLOUT_SMS_DISABLE_ENTER       = '\034';       1c
OEM_SM_TYPE_SUB_SELLOUT_SMS_ENABLE_ENTER        = '\033';       1b
OEM_SM_TYPE_SUB_SELLOUT_SMS_PRODUCT_MODE_ON     = '\036';       1e
OEM_SM_TYPE_SUB_SELLOUT_SMS_TEST_MODE_ON        = '\035';       1d
OEM_SM_TYPE_SUB_SW_VERSION_ENTER                = '\001';       01
OEM_SM_TYPE_SUB_TFS4_EXPLORE_ENTER              = '\017';       0f
OEM_SM_TYPE_SUB_TOTAL_CALL_TIME_INFO_ENTER      = '\032';       1a
OEM_SM_TYPE_SUB_TST_AUTO_ANSWER_ENTER           = ' ';          20
OEM_SM_TYPE_SUB_TST_FTA_HW_VERSION_ENTER        = ---->         # UTF-8: U+1003: e1 80 83  MYANMAR LETTER GHA
OEM_SM_TYPE_SUB_TST_FTA_SW_VERSION_ENTER        = ---->         # UTF-8: U+1002: e1 80 82  MYANMAR LETTER GA
OEM_SM_TYPE_SUB_TST_NV_RESET_ENTER              = '!';          21
OEM_SM_TYPE_SUB_USB_DRIVER_ENTER                = '\022';       12
OEM_SM_TYPE_SUB_USB_UART_DIAG_CONTROL_ENTER     = '\023';       13
OEM_SM_TYPE_SUB_VIBRATOR_TEST_ENTER             = '\n';         0a
OEM_SM_TYPE_TEST_AUTO                           = '\002';       02
OEM_SM_TYPE_TEST_MANUAL                         = '\001';       01

-------------------------------------------------------------------------------
private class OemCommands (TerminalMode)
-------------------------------------------------------------------------------
OEM_HIDDEN_FUNCTAG                              = 'Q';
OEM_HM_END_TEST_CALL_MESSAGE                    = '\t';
OEM_HM_TEST_CALL_MESSAGE                        = '\004';
OEM_HM_TYPE_TEST_CALL                           = '\007';
OEM_SERVM_FUNCTAG                               = '\001';

-------------------------------------------------------------------------------
private class OemCommands (SysDump:)
-------------------------------------------------------------------------------
OEM_DBG_STATE_GET =             6;
OEM_DEL_RIL_LOG =               13;
OEM_DPRAM_DUMP =                14;
OEM_DUMPSTATE =                 3;
OEM_DUMPSTATE_ALL =             20;
OEM_ENABLE_LOG =                7;
OEM_GCF_MODE_GET =              15;
OEM_GCF_MODE_SET =              16;
OEM_IPC_DUMP_BIN =              9;
OEM_IPC_DUMP_LOG =              8;
OEM_KERNEL_LOG =                4;
OEM_LOGCAT_CLEAR =              5;
OEM_LOGCAT_MAIN =               1;
OEM_LOGCAT_RADIO =              2;
OEM_MODEM_FORCE_CRASH_EXIT =    23;
OEM_MODEM_LOG =                 18;
OEM_NV_DATA_BACKUP =            17;
OEM_OEM_DUMPSTATE_MODEM_LOG_AUTO_START = 19;
OEM_RAMDUMP_MODE =              10;
OEM_RAMDUMP_STATE_GET =         11;
OEM_START_RIL_LOG =             12;
OEM_SYSDUMP_FUNCTAG =           7;
OEM_TCPDUMP_START =             21;
OEM_TCPDUMP_STOP =              22;
-------------------------------------------------------------------------------

Enjoy!
 
Last edited:
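The code table and the OemCommands listing in the post above can be cross-checked mechanically: decoding the Java char literals in each SendData call shows which OEM sub-menu a dialer code lands on and which codes are aliases of each other. The following is an added example, not code from the thread or from the firmware; the sample rows are copied from the table above, and reading the first argument as the message type and the second as the test type are assumptions (the post itself only identifies the third argument as the sub-menu).

```python
import re
from collections import defaultdict

# OEM_SM_TYPE_SUB_* names and values, copied from the OemCommands listing.
SUB_NAMES = {
    0x00: "SUB_ENTER", 0x05: "SUB_BATTERY_INFO_ENTER",
    0x06: "SUB_CIPHERING_PROTECTION_ENTER",
    0x13: "SUB_USB_UART_DIAG_CONTROL_ENTER", 0x14: "SUB_RRC_VERSION_ENTER",
    0x16: "SUB_BAND_SEL_ENTER", 0x21: "SUB_TST_NV_RESET_ENTER",
    0x1002: "SUB_TST_FTA_SW_VERSION_ENTER",
    0x1003: "SUB_TST_FTA_HW_VERSION_ENTER",
}
MSG_NAMES = {0x01: "ENTER_MODE_MESSAGE", 0x02: "END_MODE_MESSAGE"}

# Rows copied from the ServiceModeApp table in this thread (subset).
SAMPLE_TABLE = r"""
197328640 || 2684       Start Service Mode      SendData('\001', '\001', '\000', '\000', '\000');
1111                    FTA SW Version          SendData('\001', '\001', '\u1002', '\000', '\000');
2222                    FTA HW Version          SendData('\001', '\001', '\u1003', '\000', '\000');
8888                                            SendData('\001', '\001', '\u1003', '\000', '\000');
2767*2878               ? Factory reset         SendData('\001', '\001', '!',    '\000', '\000');
0228                    ADC Reading             SendData('\001', '\001', '\005', '\000', '\000');
0599                                            SendData('\001', '\001', '\024', '\000', '\000');
2263                    RF Band Selection       SendData('\001', '\001', '\026', '\000', '\000');
301279 || 279301                                SendData('\001', '\001', '\024', '\000', '\000');
32489                   Ciphering Info          SendData('\001', '\001', '\006', '\000', '\000');
7284                    USB/UART I2C Mode       SendData('\001', '\001', '\023', '\000', '\000');
9090                    Diagnostic Config       SendData('\001', '\001', '\023', '\000', '\000');
"""

_ESCAPES = {"t": 9, "n": 10, "r": 13, "b": 8, "f": 12,
            "'": 39, '"': 34, "\\": 92}
# Body of a Java char literal: \uXXXX, octal escape, simple escape, or 1 char.
_LITERAL = re.compile(r"'(\\u[0-9a-fA-F]{4}|\\[0-7]{1,3}|\\.|[^'\\])'")


def java_char(body):
    """Numeric value of a Java char literal body such as \\026 or \\u1002."""
    if body[0] != "\\":
        return ord(body)
    if body[1] == "u":
        return int(body[2:], 16)
    if body[1] in "01234567":
        return int(body[1:], 8)       # Java octal escape
    return _ESCAPES[body[1]]


def decode_table(text):
    """Parse 'code(s)  description  SendData(...)' rows into dicts."""
    rows = []
    for line in text.splitlines():
        left, sep, call = line.partition("SendData(")
        if not sep:
            continue
        values = [java_char(b) for b in _LITERAL.findall(call)]
        if len(values) < 3:
            continue                   # non-literal arguments, skip
        first_col = re.split(r"\s{2,}", left.strip())[0]
        codes = [c.strip() for c in first_col.split("||") if c.strip()]
        msg, test_type, sub = values[:3]
        rows.append({
            "codes": codes, "msg": msg, "type": test_type, "sub": sub,
            "msg_name": MSG_NAMES.get(msg, "?"),
            "sub_name": SUB_NAMES.get(sub, "unknown 0x%02x" % sub),
        })
    return rows


def shared_submenus(rows):
    """Sub-menu value -> codes, for sub-menus reachable by several codes."""
    by_sub = defaultdict(list)
    for row in rows:
        by_sub[row["sub"]].extend(row["codes"])
    return {s: c for s, c in by_sub.items() if len(c) > 1}


if __name__ == "__main__":
    for row in decode_table(SAMPLE_TABLE):
        print("%-20s 0x%04x %s" % (" / ".join(row["codes"]),
                                   row["sub"], row["sub_name"]))
```

Run over the full table, the same decoding makes mismatches visible, for example 2767*2878 resolving to the TST_NV_RESET constant rather than the FACTORY_RESET one.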

E:V:A

Special Properties

Next we'll have a look at some interesting (or not?) system "properties".
For now, I'll just list some of those I found more interesting and potentially useful.

Code:
Property                Setting/String                  Source                                  Description
----------------------------------------------------------------------------------------------------------------------
dev.silentlog.on        On                              SysDump:
gsm.operator.numeric    45001                           Sec_Ril_Dump:                   [RIL::FD] Samsung Testbed
gsm.default.sidmode                                                                     ? UART
net.tcpdumping          On                              SysDump:                        ?
nfc.trace.mode          On                                                              Enable NFC Trace Mode

ril.FTM_MODE                                                                            ? "FTM_MODE_KEY"
ril.FS                  true                            PhoneUtils: updateRAFT()        Activates RAFT (???) updates
ril.OTPAuth                                             SysDump:                        OTP Authentication
ril.cdma.inecmmode      true                                                            Is phone in ECM mode?
ril.unique_number                                                                       The RIL Unique Number (UN)
ril.sms.gcf-mode        On                                                              ? SMS "GCF" mode

persist.log.seclevel    On                                                              Switchable Log level?
persist.sys.country
ro.build.type           eng                             SysDump:
ro.debuggable           On                                                              Enable Debug / DBG_ENG / Engineering Mode??
----------------------------------------------------------------------------------------------------------------------
Country/Region Specific
----------------------------------------------------------------------------------------------------------------------
ro.board.platform
ro.build.characteristics
ro.csc.sales_code       SKT | KIT | LGT                 PhoneFeature: makeFeatureForKor()
ro.product.name         espressorf | espresso10rf       PhoneFeature: checkDBGLevel()
                        aegis2vzw                       PhoneFeature: makeFeatureForKor()
                        jaguars | jaguark | jaguarl

A particularly fun string is the following, found in the featureForKor() function:
Code:
mFeatureList.put("emergency_for_cyber_terror", boolean2);

I'd really like to know what this does!

Special Files

As we know from other Samsung Galaxy class phones, there are a number
of files that can be created or modified in order to activate certain
functions. Here we list those found to date. Please post if you know
of other ones!

Apparently setting the "SubscriberID" (IMSI) to "999999999999999" also
activates certain test features. A sim with this IMSI is also known as
a "Factory SIM". However, if the SIM IMSI starts with either "45001" or
"00101" it is a "Test SIM".

[See: ServiceModeApp.apk:phoneUtils.java:isFactoryMode() or
FactoryTest.apk:ModuleCommon.java:isFactorySim()]

Code:
File                            FileContent     Description
-------------------------------------------------------------------------------
/efs/FactoryApp/factorymode     ON              Enable Factory Mode
/efs/FactoryApp/keystr          ON              Blocked (hidden code?) Key String(s)
/efs/imei/mps_code.dat          ?               ?
/efs/root/ERR                   ?               Error Log
/data/.psm.info                 ?               WiFi Power Save Mode

---------------------------------------
Various Log Files:
---------------------------------------
/data/log/CallDropInfoLog.txt   ?               Dropped Calls Log
/data/log/lucky_ril.log         ?               ?
/data/log/dumpState_*.log       ?               ? System Dump Log
/data/log/main_*.log            ?               ?
/data/anr/traces.txt            ?               ?
/data/log/err                   ?               ? Error Log
/data/log/err/AENEAS_TRACE_###.bin              RF Aeneas Trace Log
/data/log/err/MA_TRACE_###.bin                  RF MA Trace Log
/mnt/sdcard/log                 ?               ?

---------------------------------------
System Files
---------------------------------------
/sys/class/sec/switch/adc

(Note: Some of these paths need to be verified, as they may be relative...)

Finally, we have two NVpasswords that are used for uploading or dumping NVram, AFAIK. They are:
873283
3352225
and they can be found in Sec_Ril_Dump.class.

DISCLAIMER:

As I do not have access to a GT-I9300, I have not been able to verify
any of the information in this thread! I apologize if there is any erroneous
information here. Please let me know and post new information here as
it becomes available. Also make sure you make a complete backup before
attempting any of the codes or other trickery above!
 

E:V:A

Very good info there .. how about programming the sim with that IMSI will it have any effect.

It certainly will, but you will have to find a SIM that is programmable!

You can buy programmable SIM cards from the Sysmocom website, but you need the tools to do so. Sysmocom is run by some of the GSM security researchers and open source baseband developers...

Here is a tutorial on how to clone a SIM card. However, this may be highly illegal in some countries, even for your own! Check your local laws.
(In addition it is a border-line topic on what we are allowed to post here on XDA.)

But Apple proposed, (and here) already some years ago, to have programmable SIM cards built into their devices. This would make perfect sense, since the whole idea about using SIM cards has been neglected and forgotten in the first place. (The original idea was that it should be extremely easy to switch SIM cards, so that you could easily just borrow someone else's phone, put your card in and make a phone call. Even on designated SIM-holder enabled pay-phones! This has become forgotten and circumvented and damn hard to do with embedded SIM cards deep inside your phone.) In addition most cellular providers have lobbied against it...
 

tids2k

Senior Member
Apr 21, 2009
2,739
955
Sydney
Google Pixel 6 Pro
Definitely would look at it. Here is the link for the time being ...

http://www.jaycar.com.au/productView.asp?ID=KC5361

I remember when Dejan found the binary hack way back in 2006 for BB5 Nokia phones, he posted files on his website on how to clone a simcard. But those times only 16bit chips were used.

Here are the schematics for the reader if anyone is interested.



via Flying Daggers
 

tids2k

Code:
             Samsung Galaxy S3 .. Secret Codes found by tids2k
			 
			 Thanks to E:V:A for his information and knowledge
			 
			 
HOW TO RUN THESE COMMANDS :

Connect your phone into debug mode .. Settings -> USB Debugging [] Enable it.

Then in MS-DOS C:\ type

am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://****

where **** is the secret code  :-)    So let us begin

Secret Codes	****						Function

2684 or 197328640						DEBUG MENU
0000                                    CSC SPECIFIC
827828868378							CSC SPECIFIC
2684									SERVICE MODE ( WATCHDOG/DUMPS/LOGS OPTIONS)
0011									CONNECTION STATUS
123456								CONNECTION STATUS
22558463								RESETS TOTAL TALK TIME
32489								CIPHERING INFO
2580									NON-SUPPORT
232337								BLUETOOTH ADAPTER ADDRESS
232331								BLUETOOTH RF TEST
232332								??
9090									DIAG CONFIG (MODEM)
73876766								SELLOUT SMS ENABLE
738767633								SELLOUT SMS DISABLE
7387678378							SELLOUT SELF SET TEST MODE
7387677763							SELLOUT SMS SET PRODUCT MODE
4238378								GCF SETTINGS
4387264636							SELLOUT SMS MAIN
1575									GPS SETTINGS
6984125								????
2886									??
2767*2878								??
745									RIL COMMANDS ( NICE ONE )
746									ANOTHER DUMP TOOL ( NICE ONE )
9900 or 0514							SYSDUMP
1111									FTA SW VERSION
2222 or 8888							FTA HW VERSION
301279 or 279301						        RRC ( HSPA ) CONTROL
2263									BAND SELECTION
5337632								SOME KIND OF SOUND
0228									BATTERY STATUS
03									NAND FLASH UNIQUE NO.
3214789								GCF MODE ENABLE/DISABLE
6335623								WIFI HIDDEN MENU


NOW FACTORY SETTINGS


06									IMEI
0589									LIGHT SENSOR TEST
80									TOUCH NOISE TEST
251									WAKELOCK ON
250									WAKELOCK OFF
350									REBOOT
5238973								LCD TYPE
4327									HDCP INFO
22235								ACCELEROMETER SENSOR INFO
0782									RCT CLOCK
86824								TOUCH KEY SENSITIVITY
0842									VIBRATION TEST
0673									SPEAKER/HEADPHONE/HEADSET TEST
0289									MELODY TEST
2663									TOUCH FIRMWARE UPDATE
2664									POINTER LOCATION
0588									PROXIMITY TEST
3264									RAM CHECK
7780									MASTER RESET
7769									PROXIMITY SENSOR TEST
87976633								FACTORY RESET
9999*3288								QWERTY COUNTER
767*2878								QWERTY COUNTER RESET
0283									LOOPBACK TEST
7328735824							LOT ID
 

jake

Senior Member
Sep 29, 2011
661
714
Untested, here; nevertheless - thanks for this info guys!!

Sent from my GT-I9300 using xda premium
 

E:V:A

No need to program a sim, there is a service code (*#46744674#) which will set your IMSI to 9999..., well it does on the SGS2 anyway.
Thanks! Probably very useful, but
1) Is that temporary? (How to get back the original after having used this code?)
2) Where is it located? (What App + class files?)
 

ascsa

Senior Member
Oct 25, 2011
996
576
Hi all,

a couple of month ago I build an app with shortcuts for the "secret" dialer codes within the galaxy S2, because I could not remember them all ...This app is special tailored for the galaxy S2, but should work on all SAMSUNG devices with TOUCHWIZ ... Not all codes will work on all devices, but a lot these codes work on other samsung touchwiz devices.

I tested the App with my GS3 and a lot of these codes are still working ....



You could also add your own codes and USSD codes to an app-internal database ... and some users even use this database as a hidden phone book :D

Check it out: https://play.google.com/store/apps/details?id=com.widgapp.HiddenFeaturesFREE



(Important: These codes will NOT work on most custom ROMs, Nexus S, Galaxy Nexus, HTC, Sony, Motorola etc. ... I'm a little bit annoyed by comments like: Not working on my HTC, Sony, Nexus S, Samsung XYZ with custom rom zyx ... without TouchWiz, there is no possibility to use TouchWiz firmware functions!)
 

anil84

Senior Member
May 17, 2012
863
403
Mumbai
SAMSUNG GALAXY S3 CODES SECRETS

*#06# Show IMEI number
*#0*# LCD Test Menu
*#*#4636#*#* user statistics and Phone Info
*#0011# Displays status information for the GSM
*#1234# View SW Version PDA, CSC, MODEM
*#12580*369# SW & HW Info
*#197328640# Service Mode
*#0228# ADC Reading
*#32489# (Ciphering Info)
*#232337# Bluetooth Address
*#232331# Bluetooth Test Mode
*#232338# WLAN MAC Address
*#232339# WLAN Test Mode
*#0842# Vibra Motor Test Mode
*#0782# Real Time Clock Test
*#0673# Audio Test Mode
*#0*# General Test Mode
*#2263# RF Band Selection
*#9090# Diagnostic Configuration
*#7284# USB I2C Mode Control
*#872564# USB Logging Control
*#4238378# GCF Configuration
*#0283# Audio Loopback Control
*#1575# GPS Control Menu
*#3214789650# LBS Test Mode
*#745# RIL Dump Menu
*#746# Debug Dump Menu
*#9900# System Dump Mode
*#44336# Software Version Info
*#7780# Factory Reset
*2767*3855# Full Factory Reset
*#0289# Melody Test Mode
*#2663# TSP / TSK firmware update
*#03# NAND Flash S/N
*#0589# Light Sensor Test Mode
*#0588# Proximity Sensor Test Mode
*#273283*255*3282*# Data Create Menu
*#273283*255*663282*# Data Create SD Card
*#3282*727336*# Data Usage Status
*#7594# Remap Shutdown to End Call TSK
*#34971539# Camera Firmware Update
*#526# WLAN Engineering Mode
*#528# WLAN Engineering Mode
*#7412365# Camera Firmware Menu
*#07# Test History
*#3214789# GCF Mode Status
*#272886# Auto Answer Selection
*#8736364# OTA Update Menu
*#301279# HSDPA/HSUPA Control Menu
*#7353# Quick Test Menu
*2767*4387264636# Sellout SMS / PCODE view
*#7465625# View Phone Lock Status
*7465625*638*# Configure Network Lock MCC/MNC
#7465625*638*# Insert Network Lock Keycode
*7465625*782*# Configure Network Lock NSP
#7465625*782*# Insert Partial Network Lock Keycode
*7465625*77*# Insert Network Lock Keycode SP
#7465625*77*# Insert Operator Lock Keycode
*7465625*27*# Insert Network Lock Keycode NSP/CP
#7465625*27*# Insert Content Provider Keycode
*#272*IMEI# then we will get buyer code (For samsung galaxy sIII csc code)
*#*#7780#*#* Factory data reset - Clears Google-account data, system and program settings and installed programs. system will not be deleted, and OEM programs, as well as My Documents (pictures, music, videos)
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,221
-∇ϕ
I tested the App with my GS3 and a lot of these codes are still working ....
Hi! Thanks for your effort, but your post risks confusing people and corrupting this thread, because the red application functions (as shown in your table) only show that your app is not able to use those codes, and not that they do not work with SGS3.

TO ALL:

Do not post new codes here, unless you have either:

a) personally tested the codes on a GT-I9300
b) found and documented references in the source code, that can be independently verified.

Thanks!
 

Top Liked Posts

    13
    Special Properties

    Next we'll have a look at some interesting (or not?) system "properties".
    For now, I'll just list some of those I found more interesting and potentially useful.

    Code:
    Property                Setting/String                  Source                                  Description
    ----------------------------------------------------------------------------------------------------------------------
    dev.silentlog.on        On                              SysDump:
    gsm.operator.numeric    45001                           Sec_Ril_Dump:                   [RIL::FD] Samsung Testbed
    gsm.default.sidmode                                                                     ? UART
    net.tcpdumping          On                              SysDump:                        ?
    nfc.trace.mode          On                                                              Enable NFC Trace Mode

    ril.FTM_MODE                                                                            ? "FTM_MODE_KEY"
    ril.FS                  true                            PhoneUtils: updateRAFT()        Activates RAFT (???) updates
    ril.OTPAuth                                             SysDump:                        OTP Authentication
    ril.cdma.inecmmode      true                                                            Is phone in ECM mode?
    ril.unique_number                                                                       The RIL Unique Number (UN)
    ril.sms.gcf-mode        On                                                              ? SMS "GCF" mode

    persist.log.seclevel    On                                                              Switchable Log level?
    persist.sys.country
    ro.build.type           eng                             SysDump:
    ro.debuggable           On                                                              Enable Debug / DBG_ENG / Engineering Mode??
    ----------------------------------------------------------------------------------------------------------------------
    Country/Region Specific
    ----------------------------------------------------------------------------------------------------------------------
    ro.board.platform
    ro.build.characteristics
    ro.csc.sales_code       SKT | KIT | LGT                 PhoneFeature: makeFeatureForKor()
    ro.product.name         espressorf | espresso10rf       PhoneFeature: checkDBGLevel()
                            aegis2vzw                       PhoneFeature: makeFeatureForKor()
                            jaguars | jaguark | jaguarl
    A particularly fun string is the following, found in the featureForKor() function:
    Code:
    mFeatureList.put("emergency_for_cyber_terror", boolean2);
    I'd really like to know what this does!

    Special Files

    As we know from other Samsung Galaxy class phones, there are a number
    of files that can be created or modified in order to activate certain
    functions. Here we list those found to date. Please post if you know
    of other ones!

    Apparently setting the "SubscriberID" (IMSI) to "999999999999999" also
    activates certain test features. A sim with this IMSI is also known as
    a "Factory SIM". However, if the SIM IMSI starts with either "45001" or
    "00101" it is a "Test SIM".

    [See: ServiceModeApp.apk:phoneUtils.java:isFactoryMode() or
    FactoryTest.apk:ModuleCommon.java:isFactorySim()]

    Code:
    File                            FileContent     Description
    -------------------------------------------------------------------------------
    /efs/FactoryApp/factorymode     ON              Enable Factory Mode
    /efs/FactoryApp/keystr          ON              Blocked (hidden code?) Key String(s)
    /efs/imei/mps_code.dat          ?               ?
    /efs/root/ERR                   ?               Error Log
    /data/.psm.info                 ?               WiFi Power Save Mode

    ---------------------------------------
    Various Log Files:
    ---------------------------------------
    /data/log/CallDropInfoLog.txt   ?               Dropped Calls Log
    /data/log/lucky_ril.log         ?               ?
    /data/log/dumpState_*.log       ?               ? System Dump Log
    /data/log/main_*.log            ?               ?
    /data/anr/traces.txt            ?               ?
    /data/log/err                   ?               ? Error Log
    /data/log/err/AENEAS_TRACE_###.bin              RF Aeneas Trace Log
    /data/log/err/MA_TRACE_###.bin                  RF MA Trace Log
    /mnt/sdcard/log                 ?               ?

    ---------------------------------------
    System Files
    ---------------------------------------
    /sys/class/sec/switch/adc
    (Note: Some of these paths need to be verified, as they may be relative...)

    Finally, we have two NV passwords that are used for uploading or dumping NVram, AFAIK. They are:
    873283
    3352225
    and they can be found in Sec_Ril_Dump.class.

    DISCLAIMER:

    As I do not have access to a GT-I9300, I have not been able to verify
    any of the information in this thread! I apologize if there is any erroneous
    information here. Please let me know and post new information here as
    it becomes available. Also make sure you make a complete backup, before
    attempting any of the codes or other trickery above!
    8
    The Secret Codes

    The information for this post was obtained by decompiling the
    deodexed system image of the firmware shown below.

    I9300XXALE8

    Base Firmware: I9300XXALE8 (4.0.4)
    Modem: XXLE8
    CSC: OJVALE7

    The latest GT-I9300 Stock Firmwares can be found here.

    Here are the codes as found in:
    serviceModeApp.apk: ServiceModeApp.class
    Code:
    Code                    Description                                             JavaCall
    ----------------------------------------------------------------------------------------------------------------------
    197328640 || 2684       Start Service Mode / Enter SM Main Menu                 SendData('\001', '\001', '\000', '\000', '\000');

    1111                    FTA SW Version                                          SendData('\001', '\001', '\u1002', '\000', '\000');
    2222                    FTA HW Version                                          SendData('\001', '\001', '\u1003', '\000', '\000');
    8888                                                                            SendData('\001', '\001', '\u1003', '\000', '\000');
    2886                                                                            SendData('\001', '\001', ' ',    '\000', '\000');
    6984125*                                                                        SendData('\001', '\001', ' ',    '\000', '\000');
    2767*2878               ? Factory reset (complete erase & format)               SendData('\001', '\001', '!',    '\000', '\000');


    0228                    ADC Reading                                             SendData('\001', '\001', '\005', '\000', '\000');
    0599                                                                            SendData('\001', '\001', '\024', '\000', '\000');
    1575                                                                            SendData('\001', '\001', '\025', '\000', '\000');
    2263                    RF Band Selection                                       SendData('\001', '\001', '\026', '\000', '\000');
    2580                                                                            SendData('\001', '\001', '\007', '\000', '\000');
    301279 || 279301                                                                SendData('\001', '\001', '\024', '\000', '\000');
    32489                   Ciphering Info                                          SendData('\001', '\001', '\006', '\000', '\000');
    4238378                                                                         SendData('\001', '\001', '\027', '\000', '\000');
    4387264636                                                                      SendData('\001', '\001', '\037', '\000', '\000');
    7284                    PhoneUtil: USB/UART I2C Mode Control                    SendData('\001', '\001', '\023', '\000', '\000');
    738767633                                                                       SendData('\001', '\001', '\034', '\000', '\000');
    73876766                                                                        SendData('\001', '\001', '\033', '\000', '\000');
    7387677763                                                                      SendData('\001', '\001', '\036', '\000', '\000');
    7387678378                                                                      SendData('\001', '\001', '\035', '\000', '\000');
    9090                    Diagnostic Configuration                                SendData('\001', '\001', '\023', '\000', '\000');

    0011                                                                            SendData('\001', '\004', '\000', '\000', '\000');
    123456                                                                          SendData('\001', '\004', '\001', '\000', '\000');
    <na>                    End Service Mode 1 ()                                   SendData('\002', '\004', '\000', '\000', '\000');
    <na>                    End Service Mode 2 ()                                   SendData('\002', '\001', '\000', '\000', '\000');
    NOTE: In the table above, I have replaced printed UTF-8 (U+NNNN) characters with '\uNNNN'.

    As you can see in the table above, most of the hidden codes are just shortcuts
    into various sub-menus (third parameter) of Service Mode application. However,
    this does not exclude the use of other hidden codes, that can be used or detected
    in other applications.

    From a different file we have some additional codes.
    (Not including already covered or overlapping codes.)

    serviceModeApp.apk: SecKeystringBroadcastReceiver.class
    Code:
    0000

    147852                  TestApnSettings: putExtra("testBed", "Suwon");
    1478963                 TestApnSettings: putExtra("testBed", "Open_market");
    22558463                Reset Total Call Time
    232331
    232332
    232337
    3214789650
    369852                  TestApnSettings: putExtra("testBed", "Gumi");
    3698741                 TestApnSettings: putExtra("testBed", "Delete_DB");
    -------------------------------------------------------------------------------
    03                      NAND Flash S/N (NandFlashHeaderRead)
    745                     RIL Dump Menu
    746                     Debug Dump Menu
    0228                    Battery Status
    1111                    IF SalesCode="CTC" THEN: TerminalMode
    2222                    IF SalesCode="CTC" THEN: TerminalMode
    2263
    8888
    9900 || 0514            System Dump

    279301
    301279
    3214789                 GCF Mode Settings
    5337632                 NFC Test
    22553767                Call Drop Log View

    6335623
    TESTMODE
    These may not always work, since some of them depend on certain "Sales Codes"
    or factory IMSI numbers, through statements like:
    Code:
    if ((mSalesCode.equals("CHM")) && (str.equals("827828868378")))

    But these were only codes found in two files.
    So there are probably many more codes to be found!

    Other Stuff

    Here are some unknown functions from: TerminalMode.class
    Code:
    DEBUG_SCR       SendData('\001', '\004', '\000', 0, '\000');
    EI_DEBUG_SCR    SendData('\001', '\006', '\000', 0, '\000');
    DATA_ADV        SendData('\001', '\003', '\003', 0, '\000');
    NAMBASIC        SendData('\001', '\003', '\001', 0, '\000');
    TESTMODE        SendData('\001', '\001', '\000', 0, '\000');
    NAMSIMPLE       SendData('\001', '\003', '\002', 0, '\000');
    TEST_CALL       SendData('\004', '\007', c, 0, '\000');
    Here is a list of all the OEM Commands used in the Service Mode App.
    Code:
    -------------------------------------------------------------------------------
    private class OemCommands (ServiceModeApp)      value           hex
    -------------------------------------------------------------------------------
    char OEM_SERVM_FUNCTAG = '\001';

    OEM_SM_ACTION                                   = '\000';       00
    OEM_SM_DUMMY                                    = '\000';       00
    OEM_SM_END_MODE_MESSAGE                         = '\002';       02
    OEM_SM_ENTER_MODE_MESSAGE                       = '\001';       01
    OEM_SM_GET_DISPLAY_DATA_MESSAGE                 = '\004';       04
    OEM_SM_PROCESS_KEY_MESSAGE                      = '\003';       03
    OEM_SM_QUERY                                    = '\001';       01
    OEM_SM_TYPE_MONITOR                             = '\004';       04
    OEM_SM_TYPE_MONITOR_SKT                         = '\001';       01
    OEM_SM_TYPE_NAM_EDIT                            = '\003';       03
    OEM_SM_TYPE_PHONE_TEST                          = '\005';       05
    OEM_SM_TYPE_SUB_ALL_VERSION_ENTER               = '\004';       04
    OEM_SM_TYPE_SUB_BAND_SEL_ENTER                  = '\026';       16
    OEM_SM_TYPE_SUB_BATTERY_INFO_ENTER              = '\005';       05
    OEM_SM_TYPE_SUB_BLUETOOTH_TEST_ENTER            = '\t';         09
    OEM_SM_TYPE_SUB_CIPHERING_PROTECTION_ENTER      = '\006';       06
    OEM_SM_TYPE_SUB_ENTER                           = '\000';       00
    OEM_SM_TYPE_SUB_FACTORY_PRECONFIG_ENTER         = '\016';       0e
    OEM_SM_TYPE_SUB_FACTORY_RESET_ENTER             = '\r';         0d
    OEM_SM_TYPE_SUB_FACTORY_VF_TEST_ENTER           = '\031';       19
    OEM_SM_TYPE_SUB_FTA_HW_VERSION_ENTER            = '\003';       03
    OEM_SM_TYPE_SUB_FTA_SW_VERSION_ENTER            = '\002';       02
    OEM_SM_TYPE_SUB_GCF_TESTMODE_ENTER              = '\027';       17
    OEM_SM_TYPE_SUB_GET_SELLOUT_SMS_INFO_ENTER      = '\037';       1f
    OEM_SM_TYPE_SUB_GPSONE_SS_TEST_ENTER            = '\025';       15
    OEM_SM_TYPE_SUB_GSM_FACTORY_AUDIO_LB_ENTER      = '\030';       18
    OEM_SM_TYPE_SUB_IMEI_READ_ENTER                 = '\b';         08
    OEM_SM_TYPE_SUB_INTEGRITY_PROTECTION_ENTER      = '\007';       07
    OEM_SM_TYPE_SUB_MELODY_TEST_ENTER               = '\013';       0b
    OEM_SM_TYPE_SUB_MP3_TEST_ENTER                  = '\f';         0c
    OEM_SM_TYPE_SUB_RRC_VERSION_ENTER               = '\024';       14
    OEM_SM_TYPE_SUB_RSC_FILE_VERSION_ENTER          = '\021';       11
    OEM_SM_TYPE_SUB_SELLOUT_SMS_DISABLE_ENTER       = '\034';       1c
    OEM_SM_TYPE_SUB_SELLOUT_SMS_ENABLE_ENTER        = '\033';       1b
    OEM_SM_TYPE_SUB_SELLOUT_SMS_PRODUCT_MODE_ON     = '\036';       1e
    OEM_SM_TYPE_SUB_SELLOUT_SMS_TEST_MODE_ON        = '\035';       1d
    OEM_SM_TYPE_SUB_SW_VERSION_ENTER                = '\001';       01
    OEM_SM_TYPE_SUB_TFS4_EXPLORE_ENTER              = '\017';       0f
    OEM_SM_TYPE_SUB_TOTAL_CALL_TIME_INFO_ENTER      = '\032';       1a
    OEM_SM_TYPE_SUB_TST_AUTO_ANSWER_ENTER           = ' ';          20
    OEM_SM_TYPE_SUB_TST_FTA_HW_VERSION_ENTER        = ---->         # UTF-8: U+1003: e1 80 83  MYANMAR LETTER GHA
    OEM_SM_TYPE_SUB_TST_FTA_SW_VERSION_ENTER        = ---->         # UTF-8: U+1002: e1 80 82  MYANMAR LETTER GA
    OEM_SM_TYPE_SUB_TST_NV_RESET_ENTER              = '!';          21
    OEM_SM_TYPE_SUB_USB_DRIVER_ENTER                = '\022';       12
    OEM_SM_TYPE_SUB_USB_UART_DIAG_CONTROL_ENTER     = '\023';       13
    OEM_SM_TYPE_SUB_VIBRATOR_TEST_ENTER             = '\n';         0a
    OEM_SM_TYPE_TEST_AUTO                           = '\002';       02
    OEM_SM_TYPE_TEST_MANUAL                         = '\001';       01

    -------------------------------------------------------------------------------
    private class OemCommands (TerminalMode)
    -------------------------------------------------------------------------------
    OEM_HIDDEN_FUNCTAG                              = 'Q';
    OEM_HM_END_TEST_CALL_MESSAGE                    = '\t';
    OEM_HM_TEST_CALL_MESSAGE                        = '\004';
    OEM_HM_TYPE_TEST_CALL                           = '\007';
    OEM_SERVM_FUNCTAG                               = '\001';

    -------------------------------------------------------------------------------
    private class OemCommands (SysDump:)
    -------------------------------------------------------------------------------
    OEM_DBG_STATE_GET =             6;
    OEM_DEL_RIL_LOG =               13;
    OEM_DPRAM_DUMP =                14;
    OEM_DUMPSTATE =                 3;
    OEM_DUMPSTATE_ALL =             20;
    OEM_ENABLE_LOG =                7;
    OEM_GCF_MODE_GET =              15;
    OEM_GCF_MODE_SET =              16;
    OEM_IPC_DUMP_BIN =              9;
    OEM_IPC_DUMP_LOG =              8;
    OEM_KERNEL_LOG =                4;
    OEM_LOGCAT_CLEAR =              5;
    OEM_LOGCAT_MAIN =               1;
    OEM_LOGCAT_RADIO =              2;
    OEM_MODEM_FORCE_CRASH_EXIT =    23;
    OEM_MODEM_LOG =                 18;
    OEM_NV_DATA_BACKUP =            17;
    OEM_OEM_DUMPSTATE_MODEM_LOG_AUTO_START = 19;
    OEM_RAMDUMP_MODE =              10;
    OEM_RAMDUMP_STATE_GET =         11;
    OEM_START_RIL_LOG =             12;
    OEM_SYSDUMP_FUNCTAG =           7;
    OEM_TCPDUMP_START =             21;
    OEM_TCPDUMP_STOP =              22;
    -------------------------------------------------------------------------------
    Enjoy!
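
The SendData() rows and the OemCommands listing in this post can be cross-referenced mechanically. The following is an added example, not part of the original post and not Samsung's code: it decodes the Java char literals and names the entry each code reaches. Reading the first two arguments as message and type is an assumption inferred from the constant names; the third as sub-menu follows the post.

```python
import re
from collections import defaultdict

_ESCAPES = {"b": 8, "t": 9, "n": 10, "f": 12, "r": 13}   # Java single-char escapes
_TOKEN = re.compile(r"'(?:\\[^']+|[^'\\])'|\b\d+\b")      # char literal or bare int

# Constants copied from the post's OemCommands (ServiceModeApp) listing.
MESSAGES = {"OEM_SM_ENTER_MODE_MESSAGE": r"'\001'", "OEM_SM_END_MODE_MESSAGE": r"'\002'",
            "OEM_SM_PROCESS_KEY_MESSAGE": r"'\003'",
            "OEM_SM_GET_DISPLAY_DATA_MESSAGE": r"'\004'"}
TYPES = {"OEM_SM_TYPE_TEST_MANUAL": r"'\001'", "OEM_SM_TYPE_MONITOR_SKT": r"'\001'",
         "OEM_SM_TYPE_TEST_AUTO": r"'\002'", "OEM_SM_TYPE_NAM_EDIT": r"'\003'",
         "OEM_SM_TYPE_MONITOR": r"'\004'", "OEM_SM_TYPE_PHONE_TEST": r"'\005'"}
SUBS = {  # keys omit the OEM_SM_TYPE_SUB_ prefix
    "ENTER": r"'\000'", "SW_VERSION_ENTER": r"'\001'",
    "FTA_SW_VERSION_ENTER": r"'\002'", "FTA_HW_VERSION_ENTER": r"'\003'",
    "ALL_VERSION_ENTER": r"'\004'", "BATTERY_INFO_ENTER": r"'\005'",
    "CIPHERING_PROTECTION_ENTER": r"'\006'", "INTEGRITY_PROTECTION_ENTER": r"'\007'",
    "IMEI_READ_ENTER": r"'\b'", "BLUETOOTH_TEST_ENTER": r"'\t'",
    "VIBRATOR_TEST_ENTER": r"'\n'", "MELODY_TEST_ENTER": r"'\013'",
    "MP3_TEST_ENTER": r"'\f'", "FACTORY_RESET_ENTER": r"'\r'",
    "FACTORY_PRECONFIG_ENTER": r"'\016'", "TFS4_EXPLORE_ENTER": r"'\017'",
    "RSC_FILE_VERSION_ENTER": r"'\021'", "USB_DRIVER_ENTER": r"'\022'",
    "USB_UART_DIAG_CONTROL_ENTER": r"'\023'", "RRC_VERSION_ENTER": r"'\024'",
    "GPSONE_SS_TEST_ENTER": r"'\025'", "BAND_SEL_ENTER": r"'\026'",
    "GCF_TESTMODE_ENTER": r"'\027'", "GSM_FACTORY_AUDIO_LB_ENTER": r"'\030'",
    "FACTORY_VF_TEST_ENTER": r"'\031'", "TOTAL_CALL_TIME_INFO_ENTER": r"'\032'",
    "SELLOUT_SMS_ENABLE_ENTER": r"'\033'", "SELLOUT_SMS_DISABLE_ENTER": r"'\034'",
    "SELLOUT_SMS_TEST_MODE_ON": r"'\035'", "SELLOUT_SMS_PRODUCT_MODE_ON": r"'\036'",
    "GET_SELLOUT_SMS_INFO_ENTER": r"'\037'", "TST_AUTO_ANSWER_ENTER": r"' '",
    "TST_NV_RESET_ENTER": r"'!'", "TST_FTA_SW_VERSION_ENTER": r"'\u1002'",
    "TST_FTA_HW_VERSION_ENTER": r"'\u1003'",
}


def java_char(literal):
    """Integer value of a Java char literal ('\\026', '\\t', '!', '\\u1002') or a bare int."""
    if not literal.startswith("'"):
        return int(literal)
    body = literal[1:-1]
    if not body.startswith("\\"):
        return ord(body)
    esc = body[1:]
    if esc in _ESCAPES:
        return _ESCAPES[esc]
    if esc[0] == "u":
        return int(esc[1:], 16)
    if re.fullmatch(r"[0-7]{1,3}", esc):
        return int(esc, 8)          # the decompiled listing prints control chars in octal
    raise ValueError(f"unsupported char literal: {literal}")


def by_value(table, prefix=""):
    """Invert {name: literal} into {value: [names]}; several names can share a value."""
    out = defaultdict(list)
    for name, literal in table.items():
        out[java_char(literal)].append(prefix + name)
    return dict(out)


MSG_BY_VAL, TYPE_BY_VAL = by_value(MESSAGES), by_value(TYPES)
SUB_BY_VAL = by_value(SUBS, "OEM_SM_TYPE_SUB_")

# Rows copied from the post's ServiceModeApp.class table (code, then the Java call).
ROWS = r"""
197328640   SendData('\001', '\001', '\000', '\000', '\000');
1111        SendData('\001', '\001', '\u1002', '\000', '\000');
2886        SendData('\001', '\001', ' ',    '\000', '\000');
6984125*    SendData('\001', '\001', ' ',    '\000', '\000');
2767*2878   SendData('\001', '\001', '!',    '\000', '\000');
2263        SendData('\001', '\001', '\026', '\000', '\000');
7284        SendData('\001', '\001', '\023', '\000', '\000');
9090        SendData('\001', '\001', '\023', '\000', '\000');
0011        SendData('\001', '\004', '\000', '\000', '\000');
""".strip().splitlines()


def decode(row):
    """Name the fields of one '<code> ... SendData(a, b, c, d, e);' table row."""
    call = row[row.index("SendData(") + len("SendData("):]
    msg, typ, sub = (java_char(t) for t in _TOKEN.findall(call)[:3])
    return {"code": row.split()[0], "args": (msg, typ, sub),
            "message": MSG_BY_VAL.get(msg, [hex(msg)]),
            "type": TYPE_BY_VAL.get(typ, [hex(typ)]),
            "sub": SUB_BY_VAL.get(sub, [hex(sub)])}


def shared_entries(rows):
    """Map each (message, type, sub) triple reached by more than one code to those codes."""
    groups = defaultdict(list)
    for d in map(decode, rows):
        groups[d["args"]].append(d["code"])
    return {args: codes for args, codes in groups.items() if len(codes) > 1}


if __name__ == "__main__":
    for row in ROWS:
        print(decode(row))
    print(shared_entries(ROWS))
```

On these rows the decoder fills in the blank descriptions (2886 and 6984125* both resolve to the TST_AUTO_ANSWER constant) and shows that 7284 and 9090 send the same USB_UART_DIAG_CONTROL value.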
    5
    HOW TO (find new stuff)

    So how do you find new codes?
    Well Google it! Then consider getting the following tools:

    Then what to do?
    The brief version. (For full version, see "References" in OP above.)


    1. Download all the tools shown above.
    2. Download the deodexed firmware images (see post#3)
    3. (If in Windows) Double click the sgs2toext4.
    4. Drag and drop the system.img file to the sgs2toext4 "drop window".
    5. You will now have a system.img.ext4 file, open this file with the LinuxReader tool.
    6. Save entire filesystem (from 5) in a new folder. Close.
    7. Go to the folder containing the *.apk(s) of interest.
    8. Make sure dex2jar.bat (win) is in your path and run it on your interesting.apk like this, for example:
      Code:
      ./path/to/dex2jar.bat Samsungservice.apk
      This produces a new file: Samsungservice_dex2jar.jar
    9. Extract (7zip) this file in a new folder.
    10. Go to that folder in command line and enter the appropriate "jad" commands. For example, to decompile all class files globbed by Phone*.class and put the decompiled sources in the "src" sub-directory, do:
      Code:
      jad -o -r -sjava -dsrc Phone*.class
    11. Go to the source directory (../src) you just created.
    12. Enjoy your *.java files!
    Alternatively you can deodex on your own...but don't ask me how to do it.

    A few other Tools

    http://www.sable.mcgill.ca/soot/
    http://jdec.sourceforge.net/
    http://stackoverflow.com/questions/647116/how-to-decompile-a-whole-jar-file
    http://askubuntu.com/questions/129305/how-can-i-open-binary-image-files-img
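
Step 12 leaves a tree of *.java files, and the keystring checks in them look like the `mSalesCode.equals("CHM")` condition quoted in the Secret Codes post. As an added example (not from the original posts; the sample source is constructed and its method names are hypothetical), this scanner lists dial-pad literals compared with .equals() together with any sales code tested on the same line:

```python
import re
from collections import defaultdict

# var.equals("literal") and the reversed "literal".equals(var); decompilers emit both.
_CMP = re.compile(r'(?:(\w+)\.equals\("([^"]*)"\)|"([^"]*)"\.equals\((\w+)\))')
_KEYSTRING = re.compile(r"[0-9*#]{2,}")   # dial-pad characters only
_GATE_VARS = ("salescode",)               # assumption: gate variables are named like mSalesCode

# Constructed sample in the style of decompiled receiver code. Only the first condition
# is quoted from the thread; the other lines and all method names are made up.
SAMPLE = '''
    String str = intent.getData().getHost();
    if ((mSalesCode.equals("CHM")) && (str.equals("827828868378")))
        startTerminalMode();
    else if (str.equals("9900") || str.equals("0514"))
        startSysDump();
    else if ("CTC".equals(mSalesCode) && "1111".equals(str))
        startTerminalMode();
    Log.d("Keystring", "host=" + str);
'''


def _is_gate(var):
    return any(g in var.lower() for g in _GATE_VARS)


def comparisons(line):
    """Yield (variable, literal) for every string comparison on one source line."""
    for var_a, lit_a, lit_b, var_b in _CMP.findall(line):
        yield (var_a, lit_a) if var_a else (var_b, lit_b)


def scan(source):
    """Return [{'line', 'code', 'sales_codes'}] for each keystring comparison found.

    A sales code on the same line is reported whether it is joined with && or ||,
    so every hit still needs a manual read of the surrounding condition.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        pairs = list(comparisons(line))
        gates = sorted({lit for var, lit in pairs if _is_gate(var)})
        for var, lit in pairs:
            if not _is_gate(var) and _KEYSTRING.fullmatch(lit):
                hits.append({"line": lineno, "code": lit, "sales_codes": gates})
    return hits


def by_gate(hits):
    """Group codes by the sales code tested beside them; '' means no gate on that line."""
    table = defaultdict(list)
    for hit in hits:
        for gate in hit["sales_codes"] or [""]:
            table[gate].append(hit["code"])
    return dict(table)


if __name__ == "__main__":
    for gate, codes in by_gate(scan(SAMPLE)).items():
        print(gate or "(ungated)", codes)
```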