[BOUNTY] ($205 so far) Enable HSPA+ on 1900 MHz / 1700MHz for VZW Galaxy S3 i535

ac21365

Senior Member
Jul 1, 2009
74
19
DFW
While I am the first one to appreciate another person's efforts, do you mind putting the AT&T sim card back in and take screenshots of when you are actually on the network. I myself have operated the Verizon GS3 on AT&T and T-Mobile, albeit only on EDGE.

Thanks
 

mybook4

Senior Member
Apr 3, 2011
445
267
Opened all the verizon modems and one AT&T modem in a hex editor to poke around.

Some observations:

All the radios seem to start similarly and have similar structure (portions of data/code spaced by portions of 0s). It's quite spacious in there (and explains why the 60 MB modems zip up to 20 MB).

VRLG1:
0x4cd7c Mentions something about "Samsung Root CA cert" - This is most likely in all of the modems and is probably nothing, but I wanted to note it anyway.

VRLEC, VRLF2, and VRLG1 all appear to have a signature from 0x02984600 to 0x2984700 (256 bytes or 2048 bit). I recall from peeking inside the signed kernel partition mmcblk0p7, other partitions in the boot chain also have a 2048 bit signature. VRLG7's signature appears to be at 0x029b0600 - 0x29b0700 (again, appears to be a 2048 bit signature).

The AT&T UCLH9 modem appears to be similar in structure as the verizon ones. There does appear to be a signature in the AT&T modem at 0x02a18600. It appears to be structured as a signature, then a string of 00 01 FF FF(repeating), then some data at the end. I remembered this being similar to the way the vzw stock kernel is signed so I opened my backup LF2 kernel (from early July) and verified this to be true.

Ralekdev describes the algorithm (in C) for checking the signature of the kernel partition in this post of the bootloader unlock thread http://xdaforums.com/showpost.php?p=29227801&postcount=107

"The goal is to make it so that after all the calculations the 256 byte block located at img_sig_data+0x100 has the contents 0x00, 0x01, 0xFF * 236, and then the sha1 of our boot.img"

-I wonder if any of the kernel partition checking code was reused for the modem checking code?

-I know this is far fetched, but hear me out. If we were able to find the modem checking code and write a little C program, we could run the algorithm against both the verizon and AT&T modems and see if we get the same result (00 01 FF etc?). If we get the same result, then that may mean the same private key was used to sign both the AT&T and verizon modems. In other words, IF we find this out, we may be able to determine whether or not flashing the AT&T modem will brick a verizon GS3.

I've also PM'ed koriotto. Hopefully he/she gets back to us with more info about his previous post (about having flashed an AT&T modem on a verizon GS3).

...

And for a bit of humor, a few bytes into each of the modems, MS DOS 5.0 is referenced.
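The block layout described in the post above (a 256-byte signature, then a run of 00 01 FF ..., then trailing data) can be located and measured mechanically. The following is an added example, not code from this thread or from Ralekdev's post: it scans a buffer in 0x100-byte steps for such blocks and reports the padding and tail lengths. The struct and function names, the 0x100 alignment and the minimum FF run of 8 are assumptions of this example, and the sample image is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_LEN 0x100   /* 256 bytes = 2048 bits, the block size noted in the post */
#define MIN_FF_RUN 8      /* assumption: shorter FF runs are treated as coincidence */

/* One matched block; the struct and its field names are this example's own. */
struct pad_block {
    size_t offset;    /* where the 00 01 header sits in the image */
    size_t ff_len;    /* number of 0xFF padding bytes after the header */
    size_t tail_len;  /* bytes remaining after the padding */
};

/* Parse one BLOCK_LEN-byte block as 00 01 FF..FF <tail>; 1 on match, 0 otherwise. */
int parse_pad_block(const uint8_t *blk, size_t offset, struct pad_block *out)
{
    size_t i = 2;
    if (blk[0] != 0x00 || blk[1] != 0x01) return 0;
    while (i < BLOCK_LEN && blk[i] == 0xFF) i++;
    /* Reject a run that is too short, or a block with no tail at all. */
    if (i - 2 < MIN_FF_RUN || i == BLOCK_LEN) return 0;
    out->offset = offset;
    out->ff_len = i - 2;
    out->tail_len = BLOCK_LEN - i;
    return 1;
}

/* Walk the image in BLOCK_LEN steps (alignment is an assumption); returns match count. */
size_t scan_image(const uint8_t *img, size_t len, struct pad_block *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off + BLOCK_LEN <= len && n < max; off += BLOCK_LEN)
        if (parse_pad_block(img + off, off, &out[n]))
            n++;
    return n;
}

/* Constructed sample, not modem data: stand-in signature at 0x100, padded block at 0x200. */
size_t scan_sample(struct pad_block *out, size_t max)
{
    uint8_t img[0x400] = {0};
    for (size_t i = 0; i < BLOCK_LEN; i++)
        img[0x100 + i] = (uint8_t)(i * 37 + 11);   /* arbitrary filler bytes */
    img[0x201] = 0x01;                             /* header 00 01 */
    memset(img + 0x202, 0xFF, 234);                /* padding run */
    for (size_t i = 0; i < 20; i++)                /* 20-byte tail, SHA-1 sized */
        img[0x200 + 236 + i] = (uint8_t)(0xA0 + i);
    return scan_image(img, sizeof img, out, max);
}

int main(void)
{
    struct pad_block b[4];
    size_t n = scan_sample(b, 4);
    for (size_t i = 0; i < n; i++)
        printf("0x%zx: %zu FF bytes, %zu-byte tail\n", b[i].offset, b[i].ff_len, b[i].tail_len);
    return 0;
}
```

Running the same scan over two images and comparing offsets, padding lengths and tail lengths shows whether their blocks share a layout; it says nothing about which key produced the signature.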
 

newuser134

Senior Member
Dec 18, 2009
286
92
And for a bit of humor, a few bytes into each of the modems, MS DOS 5.0 is referenced.

Hehe, that was kinda funny about MS DOS 5.0, didn't expect that.

On a different note (and I'm not referring to the Note 2, lol), how do we format an external SD card to hold the right GTP guides, to boot from external storage, as Ralekdev described in the post you referenced a few days ago, which he said it would happen if the PBL went in to error handler? That would be another way to flash an AT&T modem and maybe recover from it even if it does brick at some point. So do we know for sure that it is possible to boot from an external storage device?
 

mybook4

Senior Member
Apr 3, 2011
445
267
Hehe, that was kinda funny about MS DOS 5.0, didn't expect that.

On a different note (and I'm not referring to the Note 2, lol), how do we format an external SD card to hold the right GTP guides, to boot from external storage, as Ralekdev described in the post you referenced a few days ago, which he said it would happen if the PBL went in to error handler? That would be another way to flash an AT&T modem and maybe recover from it even if it does brick at some point. So do we know for sure that it is possible to boot from an external storage device?

I'm not sure whether or not anyone tried booting from the external or internal sdcard. Not sure of the formatting, but maybe if the sdcard were block copied exactly like the boot chain (perhaps with dd), it could be done. If it works, like you said, it could prove very useful in resurrecting bricks or possibly getting around secure boot.

PS. Hadn't seen this until now... http://xdaforums.com/showthread.php?t=1856327

It seems to be an amazing resource. I noticed that it has quite a bit of information regarding the boot chain. Hopefully this helps us.
 

cvsolidx17

Senior Member
Sep 30, 2008
413
90
Boston
You do realize that we will def. not be able to get T-Mobile 4G right? We're talking about HSPA+ here (3G data). TMO's 4G LTE uses different hardware. Please modify your post to reflect whether or not you're still in this.

Count me in for $20 towards at least AT&T ( this would let me use straight talk w/o messing with cdma workshop and the dirty clone job :/ )

BTW, thank you for starting this bounty. I hope this issue gains some momentum now!

Well for the record TMO doesn't have any LTE period atm. I was however referring to HSPA+ so I stand corrected. I'm still in. Hopefully this goes well

Sent from my SCH-I535 using Tapatalk 2
 

Strothmann

Senior Member
Jan 21, 2011
74
7
Evansville
While I am the first one to appreciate another person's efforts, do you mind putting the AT&T sim card back in and take screenshots of when you are actually on the network. I myself have operated the Verizon GS3 on AT&T and T-Mobile, albeit only on EDGE.

Thanks

The first 2 screenshots posted were on ATT network. The speed test screenshot was the only one on Verizon.
 

newuser134

Senior Member
Dec 18, 2009
286
92
Ok, to those who want to look at the technical side of this, just found another piece of evidence implying that the i535 should be physically capable of operating on UMTS band II (wcdma 1900). Go to this link, go to the UMTS-Frequency Divided Domain table (the first table), rows 2 and 3 show the upload (transmit) and download (receive) paired frequencies of band I and band II.

i) The transmit frequency range for band I is 1920-1980 MHz.
ii) The transmit frequency range for band II is 1850-1910 MHz.
iii) The receive frequency range for band II is 1930-1990 MHz.

Anyone that knows a little about RF transmitters and receivers would know the following:

From comparing i) and ii) it is obvious that since the radio chips are identical msm8960 in both i747 and i535, it would be economically unviable to make the chips different in hardware so that one would be physically disabled from transmitting at 1910 MHz when it can transmit at 1920 MHz. We know the i535 operates on wcdma band I, so its lower transmit frequency is 1920 MHz, it would be more expensive than not to make its digitally controlled tuner to physically be disabled below 1920 MHz, and make a slightly different version that can transmit from 1910 MHz and down. If the radio chip in the i535 can transmit on the 1920-1980 range, it can probably, almost certainly, also transmit on the 1850-1910 range since the upper limit of one is so close to the lower limit of the other.

From i) and iii) it can be seen that the transmit range of band I almost entirely overlaps the receive range of band II, 1920-1980 vs. 1930-1990 MHz. People with knowledge about RF transceivers also know that digitally controlled RF transceivers are usually software controlled. If they can receive on a certain frequency range, they can also transmit on the same range, and vice versa, unless disabled by software. If the i535 is capable of transmitting data in the range of 1920-1980 MHz with wcdma modulation, and it has the same radio chip that the i747 has, then it can also receive in that same range a signal with the same modulation, hence proving that in fact it can physically receive wcdma signals on band II as well.

These two comparisons above show with very little doubt that the i535 Galaxy S3 has the same physical capabilities to send and receive both wcdma 2100 and wcdma 1900 (band I and II), and the fact that an identical radio chip in the i747 (AT&T version Galaxy S3) can do this as well, should leave almost no doubt about the physical hardware being there. It is disabled by software only.

On the last column of the Frequency Divided Domain for UMTS on the page linked above, it shows where each band is mostly used. It seems that almost the entire world (with a few exceptions) uses wcdma 2100 for 3G/HSPA+ data, but only North America uses wcdma 1900 (even T-mobile has started using it now). So why on earth would a Verizon CDMA/EVDO/LTE phone have all gsm bands AND wcdma 2100, which is used everywhere else in the world but in North America, but then not have wcdma 1900 (that ONE single band) for savings? Why would it need wcdma or gsm at all? (because it was already on the phone's radio chip, and for roaming), why is it missing the ONLY band that other carriers here use for 3G/HSPA+? (because it was deliberately disabled by software/firmware to make this phone incompatible with domestic gsm providers' 3G/HSPA+).

Another thing to notice from the link above is that if you use Netmonitor to poke around in the UMTS band selection menu of the i535, one of the choices is IMT2000 under the wcdma menu. On the page linked, IMT2000 is defined in the text at the beginning of the page for all frequencies ranging for both the 1900 MHz band (II) and 2100 MHz (I), yet when you click on IMT2000 in the UMTS menu of the phone, it only shows wcdma 2100, it must be disabled by software. This is all proof that getting an AT&T (or T-Mobile) modem successfully flashed to the i535 (without bricking it) would enable wcdma 1900 and make it functional on domestic gsm providers' 3G/HSPA+ networks with data.

Please feel free to respond with your thoughts/comments on this.
 

renzo.olivares

Inactive Recognized Developer
Jan 6, 2011
9,231
16,142
I might have something....can someone upload the att build.prop

Sent from my SCH-I535 using xda app-developers app
 

mybook4

Senior Member
Apr 3, 2011
445
267
I might have something....can someone upload the att build.prop

Sent from my SCH-I535 using xda app-developers app

Cool. The easiest way to get the build prop is to download an AT&T rom (it's in /system/build.prop). Are you looking for AOSP or TW?

Sent from my SCH-I535 using xda premium
 

newuser134

Senior Member
Dec 18, 2009
286
92
have u guys tried changing telephony.lteOnCdmaDevice=1 in your build.prop to telephony.lteOnGsmDevice=1 let me know if it works have some other ideas as well

A while ago I installed the UCALH1 stock rooted deodexed rom on my VZW GS3, with VRLG7 Verizon modem. I still couldn't get H+ to work, so I made a fully functional NAND backup and stored it, then I restored to my regular backed up CM-10 rom. I could easily restore that rooted AT&T rom for a min then get the build.prop file for you. Do you still need it, and would that file work for what you need it for? Let me know.
 

renzo.olivares

Inactive Recognized Developer
Jan 6, 2011
9,231
16,142
A while ago I installed the UCALH1 stock rooted deodexed rom on my VZW GS3, with VRLG7 Verizon modem. I still couldn't get H+ to work, so I made a fully functional NAND backup and stored it, then I restored to my regular backed up CM-10 rom. I could easily restore that rooted AT&T rom for a min then get the build.prop file for you. Do you still need it, and would that file work for what you need it for? Let me know.

no its cool =) just needed to confirm something if you could try the above that would be great
 

newuser134

Senior Member
Dec 18, 2009
286
92
Does anyone have an AT&T sim handy?

If not, we may want to consider raising funds to buy a month or two of AT&T service so that we can continuously test these kind of things.

Sent from my SCH-I535 using xda premium

I bought a 1-month prepaid $50 everything a while ago, it expired, however, I was told AT&T's prepaid plans do not let you get 3G, HSPA+ or LTE data, so at first I thought that was the reason I couldn't get HSPA+ to work at all. We may want to confirm this one way or another before we pay for that, because believe me, they DO NOT believe in refunds. If this turns out to be true, they do have monthly 4G data only plans for tablets or iPads, if that will work with a phone (obviously voice and text will be disabled, but unless it keeps the phone from establishing service at all, that wouldn't really affect our cause not to have voice or texting).

So first we want to confirm:
1) Can one get access to 3G/H+ data with an AT&T prepaid sim?
2) If the answer is no to the above, can a monthly data-only 4G sim plan be used on a phone?

Member ac21365 has a friend with an AT&T iPhone plan and post-paid sim, we might be able to get him to borrow his friend's sim for this, if that is not feasible, we'll have to find one somehow. I was also told they won't let you try their in-store sims on your own phone, they'll make you have to buy a plan.

Otherwise it would be very useful just to find a person on here that has an AT&T postpaid account with 4G and a VZW Galaxy S3.

On a different note, if there are NO other options, I'd be willing to buy a OneX or Note on AT&T, assuming they have a return period like Verizon does, like 15 days or 30 days, I know it'll cost a good amount and/or a restocking fee, but maybe we can at least raise some of the money here to do that, and then after that, a different person can do it if it's still needed after 30 days. I'm open to any suggestions. I'll pm ac21365 about his friend's sim.
 

ac21365

Senior Member
Jul 1, 2009
74
19
DFW
have u guys tried changing telephony.lteOnCdmaDevice=1 in your build.prop to telephony.lteOnGsmDevice=1 let me know if it works have some other ideas as well

Would you mind elaborating on those other ideas? I don't have a chance to borrow the iPhone sim often, so the more things I could try in one sitting, the better.

Thanks for your interest in our project!

Sent from my Choco Taco using xda premium
 

Top Liked Posts

  • 8
    Total is shown on 2nd post.

    GO TO POST #3 FOR ACHIEVEMENTS, GOALS, NOTES and QUESTIONS

    To get some momentum behind this, after reading lair12's "S3 as a world GSM phone" (Link), the great replies to my thread about flashing an AT&T radio to the I535 (Link), and judging from the wealth of information gathered by and the vast knowledge of the great devs such as E.V.A, Adam Outler and Ralekdev when they were working on unlocking the bootloader, I am starting this bounty thread to get some good devs behind this much sought after ability to get full domestic 3G and HSPA+ on the I535, for enabling either 1900MHz or 1700MHz WCDMA on I535 similar to what was done for Galaxy Note i717 (Link). Please add your donations publicly (NOT by pm) to this thread, similar to the bounty thread for unlocking the bootloader. I will update the thread periodically. All regular bounty disclaimers apply. Do any work to reach this goal at your own risk, if you mess up your phone, it's not my fault or anybody else's fault, or if you choose to test any software or firmware on it. Make sure you know what you're doing and that you won't damage your phone before you do it.

    Copying the following from another thread:

    Requirements to Receive Bounty:

    • Be first person to create a method of enabling 1900/1700MHz 3G/HSPA+ capability on SCH-I535
    • Make a post in this thread with the following:
    • Proving it works with appropriate photos or screenshots
    • Providing full step-by-step instructions which anyone else can follow
    • Wait for another member to follow the method and confirm it works
    • Claim your bounty via PM from donors

    Payment will be processed between each member and the bounty collector via PM on an individual basis.


    *** Please note: No hardware modification of the phone's radio chips or antennae is allowed to achieve this goal, it will be by software/firmware/coding/flashing only. If the phone turns out to be missing both the wcdma 1900 or 1700 MHz radio(s), this bounty will be void as the goal will not be achievable without hardware modifications. Even if only one of the wcdma bands is "unlocked" and HSPA+ is achieved on only one domestic carrier, the bounty can still be received. ***

    I will start myself by donating $50 to the person that reaches this goal first. Please make posts below for your donations. I will update the list and the total bounty regularly.

    *** BUMP ***
    • Any dev with jtag willing to flash a stock or modified AT&T modem on i535 to try it, or edit the "padding" at the end of a stock i535 modem to see if it causes a brick?
    • Any dev (such as Ralekdev, or with similar knowledge) willing to modify the modem.bin file from an i535 with parts from an AT&T or T-Mobile modem to keep the i535 signatures and hand-off, but operate as an AT&T radio maybe to enable wcdma modulation on 1900 MHz? The RF path for 1900 MHz is already there for gsm 1900. We can involve the help of some AT&T or T-Mobile forum members and devs if dumps from AT&T / T-Mobile modems or other files are required, that part should not be that difficult.
    6
    Hi guys,
    I'm trying to do the same thing for HTC Rezound and already have results: it somewhat works on AT&T.

    Take a look at this thread
    Did someone already try this trick with S3?

    Also I would really appreciate if you can make a RF NV dump with DFS CDMA Tool (not QPST!) from a Verizon and/or AT&T S3 (there are instructions here) and share the NVM file. It might be very helpful for the Rezound.
    6
    I am not a Dev by any means but I do have an att variant as well as verizon of this phone. I am certainly interested in getting my verizon on straight talk but I think it will need to be GSM based only i.e. converting it to mock an att variant, so I am following the progress of this thread. I will consider helping with a dump of my att phone let me know what to do.
    6
    Ok... Sorry for the double post here, but one last update before bed. Since Samsung and Qualcomm are so nice to mount their firmware in the /firmware folder, I pulled firmware from the Japanese modem (scl21) and started swapping files in. I was good till I swapped the modem.mdt file in, which brought up the non-authorized software warning immediately. So, if I can only find some way around that... Or to modify the modem.mdt file so it doesnt trigger the bootloader block, this should work for us. I need sleep, but I'm not done trying yet.
    5
    So I had another look at the i535.qcn file in QPST and QCNView.

    (1) Funny thing is that under the QPST "UMTS System" tab, all "Prefered Band's" are selected as shown below. If this is true info, that means that the band must be disabled somewhere else, in some other way.


    (2) Browsing the NV-data with QCNView and looking at the "Feature Mask" and "Roaming Lists" headings, I have this info. This should be compared to that of the i747 and the bitmask should be understood. (Perhaps part in that document someone posted an image from earlier?)


    (3) To "dry"-load a *.qcn file into QPST (378) you need to hexedit your QCN file at 0x300 to a Qualcomm Model number that it can handle, since that QPST version doesn't seem to have enabled the MSM8960 models, but see (4). In this case I tried with QC model 4061 and it loaded.
    Code:
    00000300  30 00 30 00 30 00 30 00  34 00 30 00 36 00 39 00  |0.0.0.0.4.0.6.9.|
    change to:
    00000300  30 00 30 00 30 00 30 00  34 00 30 00 36 00 31 00  |0.0.0.0.4.0.6.1.|

    (4) About QPST, not sure what is the problem, it seems that the i535 QCN file is recognized (?) as Model 4069 when plugged in, which corresponds to the SURF8960, but is not present in drop down list, when file is loaded manually.
    The MSM8960 is definitely present in the code...
    Code:
    ServiceProg.exe:  302244 MSM8960*
    ServiceProg.exe:  302256 MSM8960*
    
    QPSTServer.exe:  602f78 AO-8960 SURF7225A
    QPSTServer.exe:  602fe0 SURF8960