[WIP] Unlocking Note 2 modem for GSM/AWS

This is NOT in relation to changing IMEI/ESN as that is ILLEGAL! This thread is about enabling our baseband/modems to operate on different frequencies/couriers.

Trying the VZW unlock thread first HERE
I'm flashing a VZW ROM right now to check APN menu, etc. Sprint even with hack doesn't show APN.


There are several threads on how to unlock Verizon/Tmobile/ATT modems to work on each other with varying levels of success. I feel that we have a iPhone 4s/5 like device that has the same chipset just different locks around the software to prevent unlocking. I was moved by the community's involvement in adding a SIM card slot to the Note 2 and want this mod to work on US couriers.

Basically put, I want to make any US variant S3/Note 2 an international version. The hardware is the same, it's the NVRAM/Firmware prohibiting us.

This is the SIM card mod for the SPR N2:
http://xdaforums.com/showthread.php?t=1959005

Enabling AWS (T-Mobile) on ATT Note 2:
http://xdaforums.com/showthread.php?p=35933247

Verizon S3 on T-Mobile:
http://xdaforums.com/showthread.php?t=2013647

Verizon S3 on world GSM:
http://xdaforums.com/showthread.php?t=1809314

The primary method of unlocking modem bands is flashing a QCN file that modifies NVRAM params. In the ATT T-Mobile thread the hack works by flashing over a ESN/IMEI stripped T-Mobile qcn backup file.

I tried following this process but was blocked by a "Roaming Lists could not be read" error at 16% when trying to backup my NVRAM using QPST. I attempted flashing the file anyway and received a "Could not Communicate in Diagnostic Mode" error. My modem then would not see any networks. I then flashed a ATT modem which bootlooped my device.

I feel the Roaming List could not be read is the main issue into how Sprint locked down this device for US GSM. In SIM tech, the courier provides a preferred list of up to 80 couriers the phone is to connect to first when roaming due to courier roaming agreements instead of the strongest signal first. As the Spr model uses a chip for a SIM it's possible that the "SIM" could not be read to provide roaming lists and GSM could be blacklisted in this chip as it is more sophisticated then a SIM smartcard. Now that I flashed a ATT modem I'm going to try to download the NVItems again using QPST.

I restored my TWRP backup and sideloaded a SPR modem, back at stock all working.

The alternative is to use the "IMEI/ESN" backup tool:
http://xdaforums.com/showthread.php?t=1867442

I will continue experimenting and will report progress.

When writing back my NVRAM dump I get this list of readonly/locked items:
(NV Items http://xdaforums.com/showthread.php?t=1954029)
Writing NV-items from a file:
Unsuccessfully written NV-items:
00000 (0x0000) - Password (16 digits) is required
0^"Electronic Serial Number"^"Security*"
00001 (0x0001) - Read only item
1^"Electronic Serial Number Checksum"^"Security*"
01943 (0x0797) - Password (16 digits) is required
797^"DCS TX Burst Ramp Down Index 11"^"GSM*"
05597 (0x15DD) - Read only item
05598 (0x15DE) - Read only item
These two are unknown but people get them when doing AWS unlocks:
http://xdaforums.com/showpost.php?p=36078971&postcount=81

Found a AWS/ATT modified TXT file, I flashed it and reset
http://xdaforums.com/showpost.php?p=36008901&postcount=49

Mobile networks show a previously unselectable item WCDMA only as selected which is not in the menu, the network status is unknown. I have a feeling the nv-item is trying to reference a menu item that is not in my ROM.

Next I'm going to ODIN the stock ATT rom over and see what happens.

FAIL! modem.bin won't flash.

Flashed Stock AIO modem+firmware+rom, etc odin to phone and flashed LJC modem manually. No data and was reporting WCDMA only from the last NV items hack. It seems NV-ITEMS are persistent across a complete and total stock restore+modem flash (twice) wipes and bricks. I restored my backup TXT for nv items and stock network has returned.

I'm flashing CM next for Sprint as it has "- Removed preset Network mode/selection (allows for more network modes)"
http://xdaforums.com/showthread.php?t=2047667

Hopefully with the NV Items hack and a ROM without network modes locked w/ a SIM card board I should be gold.

Here is NV Items when flashing on stock ODIN:

Writing NV-items from a file:
Unsuccessfully written NV-items:
00000 (0x0000) - Password (16 digits) is required
00001 (0x0001) - Read only item
00005 (0x0005) - Command failed
00018 (0x0012) - Command failed
00031 (0x001F) - Command failed
00032 (0x0020) - Read only item
00033 (0x0021) - Read only item
00034 (0x0022) - Command failed
00035 (0x0023) - Command failed
00036 (0x0024) - Command failed
00037 (0x0025) - Read only item
00048 (0x0030) - Command failed
00049 (0x0031) - Command failed
00050 (0x0032) - Command failed
00176 (0x00B0) - Read only item
00177 (0x00B1) - Read only item
00178 (0x00B2) - Command failed
00209 (0x00D1) - Read only item
00210 (0x00D2) - Command failed
00211 (0x00D3) - Command failed
00212 (0x00D4) - Command failed
00213 (0x00D5) - Command failed
00215 (0x00D7) - Command failed
00258 (0x0102) - Command failed
00259 (0x0103) - Command failed
00260 (0x0104) - Command failed
00261 (0x0105) - Command failed
00262 (0x0106) - Read only item
00263 (0x0107) - Read only item
00264 (0x0108) - Read only item
00265 (0x0109) - Read only item
00266 (0x010A) - Read only item
00296 (0x0128) - Command failed
01943 (0x0797) - Password (16 digits) is required
05597 (0x15DD) - Read only item
05598 (0x15DE) - Read only item
Done.

1/10/13 6:17pm
http://xdaforums.com/showthread.php?t=2016575
Trying new international ATT rom. CM10 didn't have what I needed for network selections.

I have successfully detected a GSM network type although it's going to need some work.. I got to go home and eat.

1/11/13 11:14am
Using the RF NV editor from QPST I can edit all NV-Items with no roaming lists error.

BY FOLLOWING THESE INSTRUCTIONS YOU ARE INTENTIONALLY BRICKING YOUR DEVICE. I HAVE TESTED RECOVERY BACK TO STOCK WITH A ODIN FLASH AND RESTORATION OF MY NV-ITEMS BACKUP. I TAKE NO RESPONSIBILITY FOR YOUR DEVICE AND THESE INSTRUCTIONS ARE PROVIDED AS-IS.

That being said I have ODIN flashshed ATT firmwares over, international firmwares over, changed numerous NVItems settings and have been successful in restoring my device to fully operational stock with working radio/service. At one point I had to go into download mode and odin TWRP and ADB sideload a modem due to a boot loop but I was still able to recover.

*DO NOT PROCEED UNLESS YOU ARE AWARE OF HOW TO UNBRICK YOUR DEVICE AND RESTORE IMEI/NV-ITEMS*
To enable USB file transfer at anytime dial *#7284# Qualcomm USB Settings and select MTP+ADB

Here is a howto/recap of what I have accomplished:
**YOU MUST BE ROOTED**
You need the SIM card board for this to work otherwise you are simply experimenting. Get one HERE

1. Get the Note 2 toolkit and drivers per your device HERE This is the easiest method of getting all required tools/software for a brick restore and other flashes.
2. Get the Samsung NV Items tool HERE
3. Get your MSL using the *root required* Get my MSL app HERE Write it down and keep it in a safe place!
4. Dial *#7284# go to Qualcomm USB Settings and select RNDIS+DM+MODEM
5. Plug or Replug your device and wait for drivers to install
6. Open Device Manager and expand Ports (COM & LPT) (windows xp/7/8), make a note of which COM SAMSUNG Mobile USB Serial Port (COM*) (If you do not see the port listed then you didn't install drivers, wait for driver install or you didn't enable Qualcomm diag properly)
7. Open NV-items_reader_writer.exe and select your COM* from Port: dropdown. Put your MSL # in where it says 000000. Make sure BOTH checkboxes are checked and click connect. Click Read. Should say in console "Log message: > SPC is correct. Phone unlocked".
If you get "Log message: > Phone does not accept SPC. SPC is not correct" then try 000000 as MSL
8. Click Read and wait 5-10 mins for your nvitems to be read. SAVE THE TEXT FILE somewhere where you won't loose it and MAKE A BACKUP. Email it to yourself and upload it to dropbox. If you loose this file then you could permabrick your device!
9. Download the AWS ATT NvItems unlock file HERE Click DOWNLOAD and save the txt file to your desktop or somewhere where you will remember.
10. Open or go to NV-items_reader_writer.exe. Do the connect, MSL, read and select com port if you closed the app. Click WRITE and select the text file you downloaded in step 9 "nv aftr qxdm removed imei.txt". After writing click on Mode and Reboot or simply reboot your phone.

At this point you are on a Sprint Rom/Kernel/Modem with a GSM compatible radio. Your Sprint software has no idea what is going on and most likely won't connect to GSM even with a SIM card inserted. If you go into Settings->Mobile networks you wont see options to set APN. This is because the Sprint ROM/Radio isn't setup to connect to GSM. Try THIS to "unlock" US GSM couriers on Sprint ROM

11. Flash this ATT ROM: (others may work, although you need a ROM with NO included Kernel/Modem)
HERE
This is the [ROM][4.1.2][XXDLL1] Asylum TJ v1ROM with no modem/kernel/etc. Wipe Dalvik, factory reset, cache. I also wiped system before installing but you may not need to.
12. Boot and verify the rom boots.
At this point you can experiment with the Mobile Networks settings and should see APN options. Change your Network mode and see if you can get any listings for "Network operators" when selecting manual. If you can see ATT/T-MOBILE then report your findings!
13. Next is to flash over a ATT modem/radio in TWRP. Download the modem HERE
THIS MODEM WILL CAUSE YOUR DEVICE TO BOOT LOOP. Although I found on my device it only rebooted every 5 mins or so.
14. After booting you should be able to see ATT/TMOBILE in your network operators settings. Make sure to play with Network mode. I don't have a SIM card and so my lockscreen said "Emergency Calls Only" and I couldn't get into the Mobile Networks menu as it told me to "Please insert SIM card"
At this step I'm fairly certian the GSM bands are unlocked as most people only see Emergency Calls Only when their device is not registered. Normally this is caused by invalid or unauthorized SIM/IMEI/APN settings on a normal GSM phone.

RECOVERY

1. Download Sprint firmware HERE
2. Extract the ZIP to your desktop so you have the "COMBINATION_L900VPLJ1_L900VPALJ1_CL265523_HWID04_HW-Rev0406_user_low_ship.tar.md5" file on your desktop
3. Go into download mode HOW TO
4. Open Odin from C:\Samsung Galaxy Note2 ToolKit\Odin3_v3.07.exe
5. Connect your device
6. Click PDA and select "COMBINATION_L900VPLJ1_L900VPALJ1_CL265523_HWID04_HW-Rev0406_user_low_ship.tar.md5"
It will check MD5 and it'll take a minute
7. Click Start and wait for your device to flash & reboot.
8. Dial *#7284# and go to Qualcomm USB Settings and select RNDIS+DM+MODEM.
9. Open NV-items_reader_writer.exe
10. Find your COM port from earlier in your device manager, same as last time
11. Connect, Read. IF YOU GET SPC ERROR TYPE YOUR MSL or TRY 000000
12. Click Write and select your NV-ITEMS BACKUP .txt FILE
13. After writing click on Mode and Reboot or simply reboot your phone.
14. Dial *#7284# Qualcomm USB Settings and select MTP+ADB

You should now have a fully operational Stock device.

To enable USB file transfer at anytime dial *#7284# Qualcomm USB Settings and select MTP+ADB

If you have issues past this point then you didn't follow instructions completely or you experienced something different then what I experienced. The most important step of unbricking is restoring your NV-ITEMS. Odin flashing of stock firmware/etc is normal procedures as per any unbrick. You are welcome to try modifying the ATT modem to not bootloop (most likely LTE issues as Sprint radio doesn't operate on ATT LTE frequencies) by following THIS post. You can also try the Sprint ROM/Modem by following the Verizon APN/Network hack HERE

Some roms won't let you do *#7284# for ADB/MTP. The way around this (if you need to transfer files and MTP isnt anabled) is to sideload files from TWRP or find the verizon method for dialer codes for Qualcomm USB settings menu. There was a dialer only instruction post but I can't find it now. If all else fails then simply ODIN to stock.

I can successfully see a ATT/T-Mobile GSM network type with the NV-Items hack. I need to do the sim card mod now. I'll order parts this weekend and until then there isn't too much I can do.

I can now run a ATT flashed modem. When selecting Mobile Networks it tells me to insert a sim card. I'm getting reboots every 3-5 minutes but I think it's kernel related. The ROM is half the battle, ATT modem boot looped on SPR ROM. I should be able to connect to GSM once I do the SIM hack for proof of concept.

Recap:
NV-Items of the ATT to T-Mobile flashed (AWS/GSM unlock, use both ATT and Tmobile on ATT GN2)
Flashed ATT ROM
Failed flashing ATT Persues kernel (stuck at samsung logo)
Flashed Sprint Persues kernel
Flashed ATT modem

I desperately need the NV-ITEMS from an international phone in txt format.
http://xdaforums.com/showthread.php?p=36559274

From my understanding the customization of the chipset is in relation to LTE frequencies which are hawdware related. It's the same for the Nexus 4, it supports LTE unofficially on band 4 due to LG keeping in their Optimus LTE chip. Nexus 4 on LTE only works in certain areas in the country due to ATT only providing LTE band 4 in very limited areas.

I doubt I can "unlock" to the point where a Sprint/Verizon phone can see each other's LTE frequencies as LTE is a different chip in question (most frequently) as LTE courier customization is specific to the courier/device.

I may be wrong as it depends on the chip in question and how it's implemented. I need to find a photo of both Sprint/Verizon mainboards and compare. My work focuses on GSM/AWS bands for HSDPA+ and 3G as it is more likely to work as the chipset known supports these bands. Please feel free to post pics of the boards or chipset info and I'll look into it.

Due to my NV-Items trick I now can use QPST to dump a full nvitems+more. I cannot restore items though

When in GSM mode I'm getting an Emergency Calls Only/Enter SIM which means it should work with a SIM chip.
ATT modem + ATT/AWS nvitems unlock on ATT ROM; SPR Kernel.

Buying a cracked screen working ATT Note 2 sometime today for $325 for additional testing

Post #2 contains instructions.

I have just found a Verizon hack thread to get US GSM data/voice working without all this hacking. I'll try it out and report back
http://xdaforums.com/showthread.php?t=2044449

Flashed Deodex Vzw ROM:
http://xdaforums.com/showthread.php?t=2044351

Flashed APN editor:
http://xdaforums.com/showthread.php?t=2044449

I can see verizon networks, no LTE. Trying GSM now.

digiblur said:

Yeah, I really doubt you will get VZW LTE working as for one you will not Auth with their system. Second I am sure the transceiver in our version of the phone is not capable of that frequency on the LTE path.

-- "Sensorly or it didn't happen!"

Click to expand...

Click to collapse

Agreed, my goal is to get HSDPA GSM data working on Sprint Note 2. Verizon allready has a method of unlocking http://xdaforums.com/showthread.php?t=2044449. I do agree that it's impossible for LTE to work on any method as LTE chip is a whole different ballgame than what I'm attempting. It may be possible but someone would have to start by getting a VZW and SPR mainboard and comparing chips. Even if you somehow get the radio working you would might need to hack the ESN which is ILLEGAL, although VZW does use SIM cards..

However I can see VZW frequencies on my Note 2 right now. Alternating between EVDOa and eHRPD.

Skripka said:

Side note... Altering an ESN isn't just caps illegal, it is caps/bold/underscored/red font illegal. A federal felony from what I've read.

Sent from my SPH-L900 using Tapatalk HD

Click to expand...

Click to collapse

Yup, modifying ESN has absolutely nothing to do with my research. My goal is to utilize a provider's SIM on GSM to connect to ATT/TMobile with stock IMEI/ESN. Verizon uses a SIM in their Note2/S3 in which if they accept your ESN/IMEI with their SIM is their discretion. ESN/IMEI, etc is stored in NV Items which is in the modem baseband, not the ASIC. Swapping SIM cards are perfectly legal so removal/replacement of the embedded SIM is legal. ESN/IMEI is like a car's VIN which is illegal to touch, SIM is more like a license plate on a car. I'm a firm believer in its your device do what you want but once you enable your modem to interact with the public infrastructure you are bound to it's rules, period.

On another note I have a ATT Note 2 now but I sold the Sprint Note 2 to get the Nexus 4. I can continue my research into GSM on my Sprint S3 and provide dumps for the ATT Note 2.

I'm fairly certain that I have accomplished a US GSM unlock on my Sprint Note 2 as it exhibits the same symptoms as a Unlocked phone without a SIM, Emergency Calls Only. However I do not see ATT/T-Mobile in my network operators menu which I'm sure the VZW APN hack will fix or it's because I don't have a SIM.

It's going to take someone with a Sprint S3/Note 2 with SIM mod and some tinkering around to get this to work. I'll get a SIM board for my S3 but it's going to take some time as I'm busy with work and my girlfriend. If anything was learned, it was that the S3/Note 2 is pretty much damn near unbrickable. I've flashed every firmware known to man, trashed my NV ITEMS, wiped my ESN/MSL and recovered to absolutely working activationable stock. Don't be afraid to experiment, just BACKUP and BACKUP your BACKUPS.