[REF][INFO][R&D] "Secret Codes" and other hidden features
"Secret Codes" and Hidden Features
Hacking for "Secret Codes" and other hidden phone features.
Skill Level: Easy
Posting
==================================================
Do NOT post general questions/requests on how to do
this or that, they will not be answered, simply
because we don't know yet. Rather try to find out
by yourself and share your results. ==================================================
Purpose
To find all "Secret Codes", special properties and other hidden phone features
and settings, used in the GT-I9300. The secret codes are not so secret, but
are often used to activate and manipulate many settings, such as debug modes,
network connections, factory test modes etc. It is an unfortunate choice of
words but we will stick to this definition nonetheless for simplicity, since
it is also used in the source code by Samsung and AOS. Do not confuse secret
codes with VSC (Vertical Service Codes), USSD (Unstructured Supplementary Service Data) or other MMI (Man Machine Interface) codes.
Although there are many "standard" codes common to many Samsung phones, they
do vary to some extent. This is because their functionality often depend on
the particular hardware, in particular the baseband processor (aka radio, DSP,
BP or CP) and the multiplexer chips that switches the various internal USB
paths, for example between MHL, BP and AP.
This is an informative reference thread on these features. If you have
relevant additional information you'd like to share, please post it here.
Background
From the Samsung Galaxy S2 experience we have gained the following
understanding when it come to the Factory/Service Mode menus and the PhoneUtils applications. We are still to work out if this is still true for
the SGS3.
But first it is worth to note, that due to the more complicated, but better
organized phone applications in ICS, the way to enter secret codes have
changed from GB versions. Now all secret codes have to be prefixed with
"*#*#", followed by <code> and post fixed with "#*#*". [Note-1] However,
according to the GT-I9300 Service Manual, there are two codes that should work
without post- and pre-fixes. They are *#1234# (version) and *2767*3855#
(Factory reset! It will wipe your phone instantly, NO warnings, no going back,
no way to cancel.) [Note-2]
================================================== Newbie Practice Box
Go to your phone dialer and "dial" the following string: *#*#197328640#*#*
This will trigger the Service Menu.
==================================================
This same effect can be accomplished directly on the command line, with a
direct URI broadcast call to the application receiver via:
Code:
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://1111
Second, it is essential to know that the actual program code (read
assembly/machine code) for the Engineering / Service Mode menu, is actually
located in the baseband processor firmware. What you actually see when you
enter this menu, is just a java based wrapper application, that make direct
function calls through various entry points, in the baseband kernel/firmware.
What does it mean? When you enter a specific "secret code", the wrapper
application (e.g. ServiceMenu.App) deciphers the code to a particular menu
entry in the baseband processor, where it is executed and whose result is
output to the wrapper application.
Third. Apart from hardware differences, because of the baseband firmware
dependance, the set of working secret codes will differ somewhat from your
location, depending on:
Your Modem firmware
Your AOS version (ICS 4.0.1, 4.0.4 etc.)
Your CSC version (Regional codes)
Special Notes
[Note-1] This can be seen in the handleSecretCode() function in the SpecialCh****quenceMgr.java code.
[Note-2] These need testing and confirmation since they clearly contradict [Note-1].
[Note-3] Apparently the Samsung Galaxy S3 will come in at least two versions:
The GT-I9300 (FCC-ID: A3LGTI9300 )
The SCH-I939 (FCC-ID: A3LSCHI939 ) [Possibly the LTE version]
Then what to do?
The brief version. (For full version, see "References" in OP above.)
Download all the tools shown above.
Download the deodexed firmware images (see post#3)
(If in Windows) Double click the sgs2toext4.
Drag and drop the system.img file to the sgs2toext4 "drop window".
You will now have a system.img.ext4 file, open this file with the LinuxReader tool.
Save entire filesystem (from 5) in a new folder. Close.
Go to the folder containing the *.apk(s) of interest.
Make sure dex2jar.bat (win) is in your path and run it on your interesting.apk like this, for example:
Code:
./path/to/dex2jar.bat Samsungservice.apk
This produces a new file: Samsungservice_dex2jar.jar
Extract (7zip) this file in a new folder.
Go to that folder in command line and enter the appropriate "jad" commands. For example, to decompile all class files globbed by Phone*.class and put the decompiled sources in the "src" sub-directory, do:
Code:
jad -o -r -sjava -dsrc Phone*.class
Go to the source directory (../src) you just created.
Enjoy your *.java files!
Alternatively you can deodex on your own...but don't ask me how to do it.
NOTE: In the table above, I have replaced printed UTF-8 (U+NNNN) characters with '\uNNNN'.
As you can see in the table above, most of the hidden codes are just shortcuts
into various sub-menus (third parameter) of Service Mode application. However,
this does not exclude the use of other hidden codes, that can be used or detected
in other applications.
From a different file we have a some additional codes.
(Not including already covered or overlapping codes.)
Next we'll have a look at some interesting (or not?) system "properties".
For now, I'll just list some of those I found more interesting and potentially useful.
Code:
Property Setting/String Source Description
----------------------------------------------------------------------------------------------------------------------
dev.silentlog.on On SysDump:
gsm.operator.numeric 45001 Sec_Ril_Dump: [RIL::FD] Samsung Testbed
gsm.default.sidmode ? UART
net.tcpdumping On SysDump: ?
nfc.trace.mode On Enable NFC Trace Mode
ril.FTM_MODE ? "FTM_MODE_KEY"
ril.FS true PhoneUtils: updateRAFT() Activates RAFT (???) updates
ril.OTPAuth SysDump: OTP Authentication
ril.cdma.inecmmode true Is phone in ECM mode?
ril.unique_number The RIL Unique Number (UN)
ril.sms.gcf-mode On ? SMS "GCF" mode
persist.log.seclevel On Switchable Log level?
persist.sys.country
ro.build.type eng SysDump:
ro.debuggable On Enable Debug / DBG_ENG / Engineering Mode??
----------------------------------------------------------------------------------------------------------------------
Country/Region Specific
----------------------------------------------------------------------------------------------------------------------
ro.board.platform
ro.build.characteristics
ro.csc.sales_code SKT | KIT | LGT PhoneFeature: makeFeatureForKor()
ro.product.name espressorf | espresso10rf PhoneFeature: checkDBGLevel()
aegis2vzw PhoneFeature: makeFeatureForKor()
jaguars | jaguark | jaguarl
A particularly fun string is the following, found in the featureForKor() function:
As we know from other Samsung Galaxy class phones, there are a number
of files that can be created or modified in order to activate certain
functions. Here we list those found to date. Please post if you know
of other ones!
Apparently setting the "SubscriberID" (IMSI) to "999999999999999" also
activates certain test features. A sim with this IMSI is also known as
a "Factory SIM". However, if the SIM IMSI starts with either "45001" or
"00101" it is a "Test SIM".
[See: ServiceModeApp.apk:PhoneUtils.java:isFactoryMode() or FactoryTest.apk:ModuleCommon.java:isFactorySim()]
Code:
File FileContent Description
-------------------------------------------------------------------------------
/efs/FactoryApp/factorymode ON Enable Factory Mode
/efs/FactoryApp/keystr ON Blocked (hidden code?) Key String(s)
/efs/imei/mps_code.dat ? ?
/efs/root/ERR ? Error Log
/data/.psm.info ? WiFi Power Save Mode
---------------------------------------
Various Log Files:
---------------------------------------
/data/log/CallDropInfoLog.txt ? Dropped Calls Log
/data/log/lucky_ril.log ? ?
/data/log/dumpState_*.log ? ? System Dump Log
/data/log/main_*.log ? ?
/data/anr/traces.txt ? ?
/data/log/err ? ? Error Log
/data/log/err/AENEAS_TRACE_###.bin RF Aeneas Trace Log
/data/log/err/MA_TRACE_###.bin RF MA Trace Log
/mnt/sdcard/log ? ?
---------------------------------------
System Files
---------------------------------------
/sys/class/sec/switch/adc
(Note: Some of these paths need to be verified, as they may be relative...)
Finally, we have two NVpasswords, that is used for uploading or dumping NVram, AFAIK. They are: 873283 3352225
and they can be found in Sec_Ril_Dump.class.
DISCALIMER:
As I do not have access to a GT-I9300, I have not been able to verify
any of the information in this thread! I apologize if there is any erroneous
information here. Please let me know and post new information here as
it become available. Also make sure you make a complete backup, before
attempting any of the codes or other trickery above!
I ignore PMs with questions that could be answered by searching. If you PM me, I probly won't respond.
Check out my developer pages. Add me to your circles on Google Plus.
Very good info there .. how about programming the sim with that IMSI will it have any effect.
It certainly will, but you will have to find a SIM that is programmable!
You can buy programmable SIM cards from the Sysmocom website, but you need the tools to do so. Sysmocom is ran by some of the GSM security researchers and open source baseband developers...
Here is tutorial on how to clone a SIM card. However, this may be highly illegal in some countries, even for your own! Check your local laws.
(In addition it is a border-line topic on what we are allowed to post here on XDA.)
But Apple proposed, (and here) already some years ago, to have programmable SIM cards built into their devices. This would make perfect sense, since the whole idea about using SIM cards have been neglected and forgotten in the first place. (The original idea, was that it should be extremely easy to switch SIM cards, so that you could easily just borrow someone else's phone, put you card in and make a phone call. Even on designated SIM-holder enabled pay-phones! This has become forgotten and circumvented and damn hard to do with embedded sim cards deep inside your phone.) In addition most cellular providers have lobbied against it...
I remember when Dejan found the binary hack way back in 2006 for BB5 Nokia phones, he posted files on his website on how to clone a simcard. But those times only 16bit chips were used.
Here is the scheme tics for the reader if any one interested.
via Flying Daggers
s IV>htc one>sgs III>huawie quad xl>ipad 3>lg x3>htc z3tA>samsung galaxy note>samsung galaxy s II lte hd>iphone 4(g)>samsung galaxy s2 >htc desire hd>samsung galaxy s >htc desire (cancelled) :d>htc touch hd2>htc touch hd>nokia n97>iphone 3g>nokia n96>nokia n95> nokia n70
With over 700,000 apps in the Google Play store and more than 48 billion app installs, it’s … more
XDA Developers was founded by developers, for developers. It is now a valuable resource for people who want to make the most of their mobile devices, from customizing the look and feel to adding new functionality. Are you a developer?
Introducing XDA:DevCon A Conference For Developers By Developers
>
[REF][INFO][R&D] "Secret Codes" and other hidden features
Print
Email
[REF][INFO][R&D] "Secret Codes" and other hidden features
View Profile
View Forum Posts
Great post Buddy. But..........
Too complicate for my simple mind. 
Follow on Twitter
Follow on Google+
View GitHub profile
>samsung galaxy s2 >htc desire hd>samsung galaxy s >htc desire (cancelled) :d>htc touch hd2>htc touch hd>nokia n97>iphone 3g>nokia n96>nokia n95> nokia n70 
Linear Mode
