*UPDATED* 6/26/2012 Motorola Razr/Maxx, Droid 4, HTC Rezound Will work on any GSM


joshw0000

What will happen if I flash either of those .ZIP files onto my XT910?

I'm tempted to try it, to see if it shows up as a CDMA/LTE radio instead. When I do the *#*#4636#*#* it has WCDMA listed as a possible network selection. I'm on a GSM/HSPA network which has LTE support, and I'd really like to enable the LTE radio if possible.

Also, is it possible for me to retrieve the current motorola.update_nv string so I can compare with the ones in both of the .ZIPs?

It'd be neat to see if someone could get a 910 to function as a 912. Since all Razrs are essentially the same I don't see why it wouldn't be possible. Unless you can change the IMEI (which is dangerous and illegal) you'd not be able to activate the phone on Verizon (they wouldn't issue you a SIM card) but an existing SIM card might work. Has anyone tried to flash a Verizon leak on a 910? Here's what a 912 on ICS should look like.

EDIT- photo showed gps location....not good.

Note that the preferred network type is displayed as "unknown". So I'm not sure how you'd select the correct mode if it were even possible.

Sent from my DROID RAZR using Tapatalk
 

roll0ver

Update will happen to unlock the GSM in the phone. But we don't know when.

Sent from my unknown using XDA Premium App

Thanks, is the 'update' you're referring to ICS from motorola/verizon? To clarify will this update allow us to further tweak the phone to access GSM with US-based carriers (ATT, T-mobile)?

Thanks for all your work on this!
 

pedrotorresfilho

Thanks, is the 'update' you're referring to ICS from motorola/verizon? To clarify will this update allow us to further tweak the phone to access GSM with US-based carriers (ATT, T-mobile)?

Thanks for all your work on this!

Yes. The next ICS might turn the XT912 real global, as stated by vrz. Will work on any GSM-based networks and in the USA too.

Sent from my XT910 using Tapatalk 2
 

cellzealot

The recent ICS builds for both the Razr and the Droid 4 definitely enable global GSM/UMTS by default, but do not allow US GSM carriers like ATT and T Mobile.

The same string can be used to edit the NV_RF_BC_CONFIG_I item 1877 of the Gingerbread builds to accomplish the same thing. Some further editing of the build.prop may be needed on GB builds for full function on some networks.

The block on US GSM carriers is entirely separate and there is no SIM lock code required as there is on GSM models and previous VZW global models.
 

roll0ver

The recent ICS builds for both the Razr and the Droid 4 definitely enable global GSM/UMTS by default, but do not allow US GSM carriers like ATT and T Mobile.

The same string can be used to edit the NV_RF_BC_CONFIG_I item 1877 of the Gingerbread builds to accomplish the same thing. Some further editing of the build.prop may be needed on GB builds for full function on some networks.

The block on US GSM carriers is entirely separate and there is no SIM lock code required as there is on GSM models and previous VZW global models.

That is what I thought, so ICS will bring us no closer to understanding the US carrier block?
 

labsONE

I hate to bring my own brand of noobishness out to ask/exclaim/say/whatnot, but I have a couple theories on how it's locking out:

1: IMSI lock. It's checking to see if the IMSI's 'mask' of sorts is a US-based carrier's prefix and locking out.

2: Network/MNC lock. It's checking and blocking access to US-based towers (ie 310 410).

I want to point more towards #2 as I had an AT&T SIM working for a few moments in my RAZR -- but it wouldn't touch the AT&T network. It gladly hopped onto Rogers Wireless, though, with that AT&T SIM in, and it gladly authenticated me as an AT&T user (and even dialing 611 got me the "Welcome to GoPhone, by AT&T!" message).

I live on the Canadian border and thus I can pick up the Bell/Telus/Rogers networks depending where I am in town.
 

roll0ver

I hate to bring my own brand of noobishness out to ask/exclaim/say/whatnot, but I have a couple theories on how it's locking out:

1: IMSI lock. It's checking to see if the IMSI's 'mask' of sorts is a US-based carrier's prefix and locking out.

2: Network/MNC lock. It's checking and blocking access to US-based towers (ie 310 410).

I want to point more towards #2 as I had an AT&T SIM working for a few moments in my RAZR -- but it wouldn't touch the AT&T network. It gladly hopped onto Rogers Wireless, though, with that AT&T SIM in, and it gladly authenticated me as an AT&T user (and even dialing 611 got me the "Welcome to GoPhone, by AT&T!" message).

I live on the Canadian border and thus I can pick up the Bell/Telus/Rogers networks depending where I am in town.
I welcome any contribution and certainly haven't seen these points raised in this thread heretofore.

---------- Post added at 08:01 PM ---------- Previous post was at 07:58 PM ----------

that is correct. I have been trying to isolate the mechanism by examining the NVM, but without success so far and it may not be accessible to us at all.

Any contribution that might help with the search, would crowdsourcing be helpful at all?
 

labsONE

Yeah, I'm back: it's blocking the MCC/MNC of US-based networks. That's why my bloody AT&T SIM would work in my RAZR.

This is the same lock that they use on the Droid 3 and other 'global' equipped phones (like the iPhone). It blocks US networks but allows foreign ones. We might need to find another radio and/or unlock the bootloader (which, let's be honest, probably won't happen for quite some time).
 

roll0ver

Yeah, I'm back: it's blocking the MCC/MNC of US-based networks. That's why my bloody AT&T SIM would work in my RAZR.

This is the same lock that they use on the Droid 3 and other 'global' equipped phones (like the iPhone). It blocks US networks but allows foreign ones. We might need to find another radio and/or unlock the bootloader (which, let's be honest, probably won't happen for quite some time).

So the block would need to be spoofed so that it thinks it is dealing with non-US country codes while not affecting actual tower interaction?
 

labsONE

So the block would need to be spoofed so that it thinks it is dealing with non-US country codes while not affecting actual tower interaction?

No. It's specifically blocking tower access to US networks. This is (most likely) in the actual baseband software on the MDM6600 and most likely not in the NVM.

Now I do question if using a SIM interposer (ie the Gevey cards) would work like it does on the iPhone -- if so, then we might have one solution for intra-American use.

Have we tried, say, a DROID3 radio? I do know there's a D3 radio that unlocks American use if memory serves. If I had a spare RAZR to work on I'd experiment with flashing a few different radios from other 'international' phones.
 

cellzealot

The radios are signed to the specific hardware so you can only flash a radio for that device.

I am sorry, I work weekends and will try to post back late tonight what I have been working on in the NVM. I agree, that it may not be there at all, but elsewhere in the radio image.

The lock does not exist on the Bionic with the same basebands as the razr and D4, so we have an "unlocked" model to examine as well as a band unlocked Chinese engineering build that cannot be flashed to stock hardware, but has been dumped by my partner P3 Droid, from his dev phone.

Short answer is we have things to look at for clues and I certainly would love to see more people taking a closer look at the problem.
 

roll0ver

Short answer is we have things to look at for clues and I certainly would love to see more people taking a closer look at the problem.

Please let us know how we can help, I am certainly no expert on these matters. I do have a RAZR I have activated with PPC that I am willing to test. I have experience with rooting and flashing ROMs, etc. but not with the bits within such as the radio.

When you refer to looking, is it as simple as that, looking through the two code bases to isolate the differences?
 

cellzealot

The radio is separate from the OS and other partitions in the AP (Applications Processor) layer and is literally on a different chip, the BP (Baseband Processor) that has an EFS (Embedded File System).
Part of that EFS is the NVM (Non Volatile Memory) where all of the operating parameters for the radio are stored.

Using RadioComm and other serviceware apps you can pull and read and write to those memory addresses and change how the radio works. I have made tables that dump basically the entire readable NVM as a file and then you can compare the hex data to isolate differences and attempt to find the right bits or flags that control the band lock.

It's complicated and requires experience reading the hex output and a general understanding of how the NVM is organized so you know both where to look and what you are looking at.

It is also very easy to break things by editing the wrong values and render your phone useless and require flashing the radio to return to a default configuration.

So, the short answer is, while I would love to have some help doing the work, it's not something that many people have a good enough understanding about to be able to contribute effectively.
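
The dump-and-compare step described in the post above, as an added example that is not part of the original thread or of any poster's tooling. The text dump format, the variable names, and every sample value except the 1877 string quoted elsewhere in the thread are assumptions constructed for illustration.

```python
# Read-only comparison of two NV-item dumps; nothing here talks to a device.
# ASSUMED text format (hypothetical, not RadioComm's own export):
#   "<decimal NV item id>: <hex payload>", with '#' starting a comment.
STOCK_DUMP = """\
# constructed sample values, not taken from a real device
1877: 0000E80400000200
8001: 01
8002: 00FF
"""
REFERENCE_DUMP = """\
# constructed, except 1877 which is the string quoted in the thread
1877: 8001E80400000200
8001: 00
8003: 01
"""


def parse_dump(text):
    """Return {item_id: payload_bytes}; raise ValueError on malformed lines."""
    items = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        item_id, sep, payload = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected '<id>: <hex>'")
        items[int(item_id)] = bytes.fromhex(payload.strip())
    return items


def diff_dumps(a, b):
    """Classify every item: missing on one side, resized, or changed bytes."""
    report = {"only_a": sorted(a.keys() - b.keys()),
              "only_b": sorted(b.keys() - a.keys()),
              "resized": [], "changed": {}}
    for item_id in sorted(a.keys() & b.keys()):
        x, y = a[item_id], b[item_id]
        if len(x) != len(y):
            report["resized"].append(item_id)
        elif x != y:
            # (offset, byte in a, byte in b, XOR mask of the differing bits)
            report["changed"][item_id] = [
                (off, p, q, p ^ q)
                for off, (p, q) in enumerate(zip(x, y)) if p != q]
    return report


def single_bit_items(report):
    """Items whose whole difference is one flipped bit (boolean-flag candidates)."""
    return [i for i, d in report["changed"].items()
            if len(d) == 1 and bin(d[0][3]).count("1") == 1]


if __name__ == "__main__":
    rep = diff_dumps(parse_dump(STOCK_DUMP), parse_dump(REFERENCE_DUMP))
    print(rep, single_bit_items(rep))
```

Items present on only one side and items whose length changed are reported separately from byte-level changes, since a missing item points to a different firmware layout rather than a flipped setting.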
 

joshw0000

The radio is separate from the OS and other partitions in the AP (Applications Processor) layer and is literally on a different chip, the BP (Baseband Processor) that has an EFS (Embedded File System).
Part of that EFS is the NVM (Non Volatile Memory) where all of the operating parameters for the radio are stored.

Using RadioComm and other serviceware apps you can pull and read and write to those memory addresses and change how the radio works. I have made tables that dump basically the entire readable NVM as a file and then you can compare the hex data to isolate differences and attempt to find the right bits or flags that control the band lock.

It's complicated and requires experience reading the hex output and a general understanding of how the NVM is organized so you know both where to look and what you are looking at.

It is also very easy to break things by editing the wrong values and render your phone useless and require flashing the radio to return to a default configuration.

So, the short answer is, while I would love to have some help doing the work, it's not something that many people have a good enough understanding about to be able to contribute effectively.

I'd buy you lunch if I could pick your brain. Not many people with your knowledge will take the time to explain these things.

Sent from my DROID RAZR using Tapatalk
 

joshw0000

Just curious, what format are you dumping the tables to? If it's excel or csv, I would love to help out. Although I'm sure you're capable, I could use conditional formatting or some other formula to compare and highlight cells in both dumps to easily identify differences.

If my limited knowledge of using SQLite Editor to SIM unlock Samsung phones and hack tethering on Moto phones tells me anything, we should be looking for a "1" to change to a "0", right?

Sent from my DROID RAZR using Tapatalk
 

cellzealot

Hehe...that was the really short version...not thorough in the least!

I wish there were more devs who knew how to use the software tools and diagnostic mode interfaces better. I have been messing with these things for years, so I feel comfortable poking around in the NVM, but I am nobody's idea of an expert, unfortunately.

;)
 

Top Liked Posts

  • 17
    TBH Band Config Unlock zip Install for Razr

    It's not "Magic code".

    It is just a zip installation of the NVM edit using the updater-binary from an official OTA update.zip to write the 8 byte string for the band config to NV Item 1877.

    The NVM is updated every time you get an OTA in order to increment the version numbers and dates. We just used the binary for our own needs.

    So far, we have not had complete success with this on the D4 or Razr on stock hardware with T Mobile or ATT in the US. There appears to be a different form of lock in effect for domestic GSM carriers, because there are many reports of it working with international carriers, at least on D4.

    There is a Chinese engineering ICS build that P3droid has running on his eng Razr and everything works out of the box with that radio image. It cannot be loaded on stock hardware unfortunately.
    We dumped the entire NVM from it and I have been going through it to find a potential solution. There are many differences in the NVM and it will take some time to work through them to determine their impact.

    Edit: I have included the Razr version of the TBH band config zip files for those interested in testing this.

    These files MUST be run from Razr bootstrap recovery and NOT Safestrap.
    The unlock zip writes the GSM band config string and the relock zip writes the stock string to revert if you need to for any reason.

    They do no other modifications to the device and any build.prop edits or additional apns-conf.xml or system libs must be done manually if desired.

    Please post back with any information regarding success or failure using these files, thanks!
    The files did not upload from my dropbox properly, sorry. I will have to reattach them from PC later.

    Edit 2: I reuploaded the files. These have been tested on mine and P3droid's Razrs and should work fine.
    As people quickly discovered, the D4 files work on the Razr too, so you can use either. The binaries are compatible and the string is the same. The Chinese ICS build has a slightly altered string that you can also try in RadioComm if desired.
    The first 2 bytes are different: 8001E80400000200
    6
    ***UPDATE 6/26/2012***

    Ok, not all the info that I got before was 100% correct. It looks like the RAZR / MAXX is unlocked only for Global (GSM) use, which is outside of the USA. The T-Mobile and ATT SIMs are not fully working as of right now.

    We have a couple of amazing devs who are working to resolve this issue.

    Please PM me if you want me to update the OP.

    -----------------------------------------------------------------------------

    On the Bionic forum people found a way to activate a disabled feature of a couple of 4G Verizon phones to be able to use them on GSM networks.

    Can someone test it please?

    http://xdaforums.com/showthread.php?t=1297714

    ***UPDATE***

    Follow these steps to make it work: http://xdaforums.com/showpost.php?p=25967009&postcount=118
    4
    How did you do it, as in the steps and the carrier you used, ATT or TMO?
    Assuming it's ATT as you are on 850 3G, also can you please post a pic for us?
    We will be so happy :)

    Actually it's pretty easy, no need for RadioComm

    I have a Moto CDMA XT912

    Steps :

    [optional] Flash this : ICS ROM > http://bit.ly/JW8j8w
    [optional] Flash this : GAPPS > http://bit.ly/JW7vAG

    Flash this : GSM PATCH > http://bit.ly/JW7Hjd
    Flash this : "MAGIC code" lol > http://xdaforums.com/attachment.php?attachmentid=1048524&d=1336485537

    Reboot, and done! You'll have GSM enabled [ all bands ]
    4
    I am not giving up anyone. Right now still working on unlock for xt912 for my wife since she hates changing phones. Can't ask for anything better than a phone that can do both CDMA and GSM. We are planning a trip to Asia after the baby is born.

    Sent from my DROID RAZR HD using xda app-developers app
    4
    The first thing I did after completing the edit on my RAZR M and testing it was to check the NVM of my D4 for the same item. It is not present on any of the MDM6600 chipset devices, unfortunately.

    There are a number of other items that contain single byte boolean switches(01 on 00 off) in the 8000-8400 range, which is the main section of Motorola proprietary NVM area and I have tried all of them and none of them enables US GSM carriers.

    I have also tried logging with QXDM in order to try to replicate the method used to isolate the 8322 item in the MSM8960 chipset based devices but without any results so far.

    This was deliberately set up on those devices as a boolean switch by the Moto engineers and there is not necessarily a corollary item or switch on the MDM6600 based devices.
    I have dumped the NVM from all of my devices including Bionic, D4, RAZR and Xoom many times and logged QXDM for hours monitoring the radio searching for clues to the nature and location of the MCC block and have tried many varied combinations of NV edits.

    I have spent hundreds of hours doing this over the past year since their release over many firmware revisions and configurations and have NVM dumps from other users devices and engineering models with the unlocked Chinese radio and everything working as it should and still have not found the solution.

    I am not saying I haven't missed anything nor thought through all of the possibilities, but I have amassed a considerable amount of information and studied it at length.
    We have tools and techniques for access and analysis of the radios and the images and haven't found the answer yet.

    I just wanted to make clear that much of this ground has been covered and there is a lot of work that has been done thus far.