XDA Developers Android and Mobile Development Forum

[BOUNTY] ($205 so far) Enable HSPA+ on 1900 MHz / 1700MHz for VZW Galaxy S3 i535

newuser134 (Senior Member, OP) | #1 | Last edited by newuser134; 30th September 2012 at 05:57 AM
Thanks Meter: 77 | Posts: 266 | Join Date: Dec 2009

Total is shown on 2nd post.

GO TO POST #3 FOR ACHIEVEMENTS, GOALS, NOTES and QUESTIONS

To get some momentum behind this, after reading lair12's "S3 as a world GSM phone" (Link), the great replies to my thread about flashing an AT&T radio to the I535 (Link), and judging from the wealth of information gathered by and the vast knowledge of the great devs such as E.V.A, Adam Outler and Ralekdev when they were working on unlocking the bootloader, I am starting this bounty thread to get some good devs behind this much sought after ability to get full domestic 3G and HSPA+ on the I535, for enabling either 1900MHz or 1700MHz WCDMA on I535 similar to what was done for Galaxy Note i717 (Link). Please add your donations publicly (NOT by pm) to this thread, similar to the bounty thread for unlocking the bootloader. I will update the thread periodically. All regular bounty disclaimers apply. Do any work to reach this goal at your own risk, if you mess up your phone, it's not my fault or anybody else's fault, or if you choose to test any software or firmware on it. Make sure you know what you're doing and that you won't damage your phone before you do it.

Copying the following from another thread:

Requirements to Receive Bounty:

  • Be the first person to create a method of enabling 1900/1700MHz 3G/HSPA+ capability on SCH-I535
  • Make a post in this thread with the following:
    • Proof that it works, with appropriate photos or screenshots
    • Full step-by-step instructions which anyone else can follow
  • Wait for another member to follow the method and confirm it works
  • Claim your bounty via PM from donors

Payment will be processed between each member and the bounty collector via PM on an individual basis.


*** Please note: No hardware modification of the phone's radio chips or antennae is allowed to achieve this goal, it will be by software/firmware/coding/flashing only. If the phone turns out to be missing both the wcdma 1900 or 1700 MHz radio(s), this bounty will be void as the goal will not be achievable without hardware modifications. Even if only one of the wcdma bands is "unlocked" and HSPA+ is achieved on only one domestic carrier, the bounty can still be received. ***

I will start myself by donating $50 to the person that reaches this goal first. Please make posts below for your donations. I will update the list and the total bounty regularly.

*** BUMP ***
  • Any dev with jtag willing to flash a stock or modified AT&T modem on i535 to try it, or edit the "padding" at the end of a stock i535 modem to see if it causes a brick?
  • Any dev (such as Ralekdev, or with similar knowledge) willing to modify the modem.bin file from an i535 with parts from an AT&T or T-Mobile modem to keep the i535 signatures and hand-off, but operate as an AT&T radio maybe to enable wcdma modulation on 1900 MHz? The RF path for 1900 MHz is already there for gsm 1900. We can involve the help of some AT&T or T-Mobile forum members and devs if dumps from AT&T / T-Mobile modems or other files are required, that part should not be that difficult.
 
newuser134 (Senior Member, OP) | #2 | Last edited by newuser134; 30th September 2012 at 06:22 AM
Thanks Meter: 77 | Posts: 266 | Join Date: Dec 2009
Day 11:
TOTAL = $205

Donations:

"newuser134" = $50
"ac21365" = $30
"Buff McBigstuff" = $25
"cvsolidx17" = $20
"mybook4" = $25 (for T-Mobile HSPA+) or $50 (for T-Mobile HSPA+ on 1700 AND 1900)
"preusstang" = $20
"worldlyinquirer" = $10


As a separate item, you may wish to donate to replace or repair someone's hard bricked i535 phone if they flash an AT&T modem, when ALL options to find out, prior to actually flashing, have been exhausted to determine whether a cross-device modem flash would brick or not. In that case a volunteer would flash a modem with the agreement of others on this thread. Only in that case, would others who chose to before the flash took place, donate to help replace or repair that person's phone. So far these donations have been made for that purpose:

"mybook4" = $25
"newuser134" = $25
 
newuser134 (Senior Member, OP) | #3 | Last edited by newuser134; 30th September 2012 at 06:06 AM
Thanks Meter: 77 | Posts: 266 | Join Date: Dec 2009
Achievements / Steps

Main Goal: Enable HSPA+ data on 1700 MHz/1900 MHz (or both) on the Samsung GS3 SCH-i535
To enable the use of it on US gsm carriers (AT&T, T-Mobile) for voice, sms and high speed data

Quote:
The VZW GS3 is capable of roaming on 850Mhz/900Mhz/1800Mhz/1900Mhz GSM and 2100Mhz WCDMA. As pointed out, if we have the necessary hardware to receive 1900Mhz, it is possible that flashing another modem may allow us to gain the capability to run WCDMA hspa/hspa+ over 1900Mhz.
WARNING, testing modems can result in a hard brick that is only recoverable by JTAG.

As answers are found, they will be posted here with links to the posts containing the results.

Quote:
Main Milestones:
  1. Find out whether or not all of our existing modems lack the ability to utilize hspa/hspa+ over 1900Mhz WCDMA (also verify the area the user tries the sim operates hspa/hspa+ on 1900Mhz WCDMA).
    a) Try AT&T post paid sim using VRLF2 modem
    b) Try AT&T post paid sim using VRLG1 modem
    c) Try AT&T post paid sim using VRLG7 modem
    d) Try AT&T post paid sim using VRLEC modem
  2. Find out whether or not it is possible to flash a modem other than the Verizon released/leaked modems. This is more of a follow up bootloader investigation. I recommend those investigating this to look in the original bootloader unlock thread opened by Adam Outler in the Original Development Section.
    a) Find someone with JTAG skills who would be willing to attempt to
      i) hex edit an existing modem, changing some non-critical section (perhaps any padding that may exist at the end of the image). This would allow us to see whether or not secure boot checks the modem partition (unfortunately, it almost certainly does).
      ii) flash an AT&T modem (will most likely fail due to a different hardware identifier and signature)
    b) Investigate whether or not secure boot can be disabled (even if it involves a small hardware mod to accomplish it). The bootloader unlocking thread has a decent amount of info on this, but we still would need to research further.
    c) Reverse the machine code of the modem image to ARM assembly and then to C using Ralekdev's method described in the bootloader unlocking thread. This could give us some info on how the secure boot chain is enforced.

*** Would modifying NV entries be the solution, if it's not, or not just, the modem? Either way, it is deeper than /system, because flashing a rooted stock AT&T rom (just /system, /data and kernel) did not unlock wcdma 1900, so it is something beyond the rom and kernel. See this post.
 
ac21365 (Member) | #4 | Location: Colorado Springs
Thanks Meter: 15 | Posts: 60 | Join Date: Jul 2009
$30 towards this. Regardless whether it works or not, I just want someone to prove whether this phone has the proper hardware for WCDMA on 1900/1700.

Sent from my Choco Taco using xda premium
 
Buff McBigstuff (Senior Member) | #5 | Location: Detroit
Thanks Meter: 28 | Posts: 383 | Join Date: Oct 2010
I have $25
 
cvsolidx17 (Senior Member) | #6 | Location: Boston
Thanks Meter: 26 | Posts: 231 | Join Date: Sep 2008
Will donate $20 if I can successfully flash T-Mobile's as well as pull both 3g and 4G data

Sent from my SCH-I535 using Tapatalk 2
 
mybook4 (Senior Member) | #7
Thanks Meter: 260 | Posts: 440 | Join Date: Apr 2011
I'm in for $25 if we can get hspa+ working on TMobile.

$50 if we can get hspa+ working on TMobile for both 1900Mhz (WCDMA) and 1700/2100Mhz (AWS).

I'll be switching to TMobile when my contract ends. They still have unlimited data.

Sent from my SCH-I535 using xda premium

---------- Post added at 08:43 PM ---------- Previous post was at 08:14 PM ----------

The VZW GS3 is capable of roaming on 800Mhz/900Mhz/1800Mhz/1900Mhz GSM and 2100Mhz WCDMA. As pointed out by newuser134, if we have the necessary hardware to receive 1900Mhz, it is possible that flashing another modem may allow us to gain the capability to run WCDMA hspa/hspa+ over 1900Mhz.

Might be a good idea to focus on some areas to start. WARNING, testing modems can result in a hard brick that is only recoverable by JTAG. As we find answers, we should post them in the opening post with links to the posts containing the results.

1) Find out whether or not all of our existing modems lack the ability to utilize hspa/hspa+ over 1900Mhz WCDMA (also verify the area the user tries the sim operates hspa/hspa+ on 1900Mhz WCDMA).

a) Try AT&T post paid sim using LF2 modem
b) Try AT&T post paid sim using LG1 modem
c) Try AT&T post paid sim using LG7 modem


2) Find out whether or not it is possible to flash a modem other than the Verizon released/leaked modems. This is more of a follow up bootloader investigation. I recommend those investigating this to look in the original bootloader unlock thread opened by Adam Outler in the Original Development Section.

a) Find someone with JTAG skills who would be willing to attempt to

i) hex edit an existing modem, changing some non-critical section (perhaps any padding that may exist at the end of the image). This would allow us to see whether or not secure boot checks the modem partition (unfortunately, it almost certainly does).

ii) flash an AT&T modem (will most likely fail due to a different hardware identifier and signature)

b) Investigate whether or not secure boot can be disabled (even if it involves a small hardware mod to accomplish it). The bootloader unlocking thread has a decent amount of info on this, but we still would need to research further.

c) Reverse the machine code of the modem image to ARM assembly and then to C using Ralekdev's method described in the bootloader unlocking thread. This could give us some info on how the secure boot chain is enforced.



Some background info...


Quote:
Some thoughts:

1) We may need to change more than just the modem partition (mmcblk0p1) for 1900Mhz WCDMA to work. For example, the Synergy IMEI backup script saves backup copies of modemst1, modemst2, efs, fsg, and backup (mmcblk0p12, mmcblk0p13, mmcblk0p11, mmcblk0p21, and mmcblk0p20). Clearly some cellular related data is stored in these partitions. Flashing just the AT&T modem might not play nice with the related partitions (although I don't see this preventing a boot as these partitions are not part of the boot chain; more likely you would boot to no cellular connection).

2) The bootloader unlocking thread has a lot of info regarding the boot chain partition order. I could be wrong, but I believe the modem hands off control to executable code at a very specific location in the next partition in the boot chain (after loading the executable code to memory?). If this location differs between the AT&T and verizon phones, it could cause a hard brick (a jump to the wrong location). During the bootloader unlocking efforts, Ralekdev was able to reverse several verizon GS3 bootloader partition's machine code (1s and 0s) into arm assembly and then reverse them to C. Using his methodology, we may be able to see if the AT&T and VZW modems (mmcblk0p1) both jump to the same partition at the same location. This could help us to know if flashing the AT&T would definitely hard brick (this isn't the only way the AT&T modem could hard brick, but identifying one way could stop us before we did hard brick). This is tedious work and we would need a full dump from someone with an AT&T phone (mmcblk0p1,2,3,etc). The alternative would be someone with JTAG and brass ones just flashing the modem.

Also check this out http://forum.xda-developers.com/show...php?p=31705003

It is the full partition layout for a 32GB i535.

PS, I read through some of the bootloader unlocking thread again (brings back good memories). This post by Ralekdev
http://forum.xda-developers.com/show...php?p=30082055 may explain why flashing an AT&T modem might hard brick. The AT&T modem would need to have the same hardware identifier and signature as the VZW one for the msm8960 to hand over execution to it. I'm gonna take a wild guess that it doesn't. I believe Verizon's locked bootloader may have just struck again.
Quote:
Our current bootloader unlocking method was achieved by flashing an unsecure aboot partition (mmcblk0p5). In English (lol), there are several partitions in the boot chain leading to the kernel. The last one is aboot. The one after aboot is the kernel or the recovery partition (depending on whether you are or are not booting to recovery). Each partition in the boot chain checks to see that the next one has the correct signature before handing over execution to it. The unsecure aboot partition we now use to "unlock the bootloader" doesn't enforce (or just doesn't check) the signature of the kernel partition. This is why we are able to run custom kernels not signed by Samsung.

However, the bootloader partitions earlier than aboot still enforce signature checking before handing off execution. The first signature checks are done in hard coded msm8960 firmware. Although I'm not 100% certain of this, I believe the modem partition signature is checked in hardware by the msm8960 prior to execution (it would be a poor security system if it wasn't). So, unless we had Samsung's i535 private key used to sign the modem partition (something that would take more time than the current age of the universe to brute force on the world's fastest supercomputers), the AT&T modem would fail the signature check and the boot process would stop there. The AT&T and TMobile variants (and sprint for that matter) don't have Qualcomm's Secure Boot enabled, so their modem partition isn't subject to a signature check and enforcement.

On the bright side, if we were able to find a way to run a custom (non-i535) modem partition, we would have discovered a true bootloader unlock at one of the lowest levels.

Before the unsecure aboot partition was leaked and the i535 community rejoiced, there was some talk about seeing whether or not a QFuse for secure boot had been blown (permanently enabling secure boot). I don't think we ever found out with 100% certainty whether or not it was. If it isn't, we might still be able to disable secure boot, but it may involve a small hardware modification (a pull up or pull down resistor on an msm8960 GPIO pin). Annoying (and would take quite a while to locate the right one), but not too crazy to do with guts and a decent soldering iron. A software method is definitely preferred, but when you get that low level, you are sometimes dealing with read only segments.


Quote:
The phone does indeed do WCDMA on 2100, the question we all would like answered is what other bands is the phone capable of operating WCDMA on, and if it does have that hardware, we need to figure out what Verizon did to the software to have it disabled.


Quote:
This is a great discussion, when we got the unsecure aboot a month ago, I thought of this same issue, because on phones like HTC, when you get S-off, the phone basically doesn't care what code you put on it, it just loads it (as long as it is executable code). However, we just created a "hole" in the signature check, as you said, the unsecure aboot is still signed with the right signature, it just doesn't check for more signatures after that point. I posted this question in a thread right at that point, I'll look for it, but I don't think anyone responded to it. To achieve a truly unlocked phone on the same level as the other carrier versions, the CPU secure boot needs to be disabled. That is why I was still bothered by "secure boot enabled" when you go into Odin mode. This is not to say that what the devs did wasn't unbelievable and we are still benefiting from the fruits of all their work on unlocking the bootloader, so we did reach that goal, but I'm just making an observation that to truly be able to flash any partition without worry of not making the hand-over to the next partition, secure boot needs to be disabled.

I did some work on Motorola 6811 micro controllers when I was in college, there were different versions, some were only test chips and thus programmable only once, using e-fuses, so I understand how incredibly stupid and annoying it would be if Verizon has blown the q- or e-fuses in everyone's I535, which we paid for just like those on other carrier networks, but we didn't get the same phone they did if this is in fact true. In the bootloader R&D thread, which is now closed, E.V.A and I shortly had a few posts about enabling the gpio pin to turn off secure boot, they were trying to figure out the right voltage for the pull up resistor source, I think it ended up being 3V or something like that (don't try it without double-checking that), but apparently there was a different pin somewhere that grounded that gpio thru a FET transistor, so applying the pull up voltage didn't help. Another thought was that even though the q-fuse may not have been blown (I sure hope it wasn't), that the gpio was somehow pulled down internally through the chip inside with a weak ground (like a voltage divider), so a higher pull up current (bias) was needed to actually disable secure boot. Adam also mentioned that not all Samsung schematics are always correct, that even though the manual said a high is needed to disable secure boot, it may actually need to be grounded, so that it was internally pulled high, and that it needed to be grounded externally for it to work right. Another option would be that it's a combination of pins that need the right input, not just that one (I think it was q-fuse 6 or 7), so until the right voltage is applied to all those pins, secure boot won't get disabled.

This all assumes that the q-fuse isn't blown, so there is a way to disable secure boot. If it is blown, then it cannot be disabled. Then the only option would be to make a hybrid AT&T / VZW modem file that has the signature needed, but executes the same things as the AT&T modem, hence enabling the 1900 MHz band.

A final thought is that just like the original aboot never enforced security on the /system or /recovery partitions, maybe when secure boot is on, it enforces signature checks when they are in some partitions, but if the code in the specific partition doesn't ask for it, like the unsecure aboot now doesn't, maybe the modem isn't checked for signature, and the modem doesn't check for signature when handing over to the next link in the boot chain. That's why I was saying we just need to do it, and have someone with jtag do it, so no one bricks their phone, but we get an answer to the question without making a mistake that can't be recovered from.

Your thoughts, and anyone else's, are greatly appreciated, and it would be great at this point, to continue on to tackle the issue of secure boot, and figure out what we can flash to this phone without bricking it.

Quote:
We're not really trying to improve reception, we're trying to open some frequencies for gsm/wcdma that would make this phone fully functional on AT&T or T-Mobile, it wouldn't really change anything on Verizon and CDMA/LTE. It would just make this phone a true multi-network phone. Right now it can get "4G" data on gsm carriers overseas, but not on AT&T or T-Mobile, when we solve this problem, it will get 3G/4G data on ANY gsm network, even domestic ones. So you could take your phone to AT&T or T-Mobile and get service there.

Quote:
Yes, like ac21365 said, this phone does in fact receive wcdma 2100, we're uncertain about wcdma 1900, and although it is highly unlikely that this one might be there, wcdma 1700 (AWS band). Here's the interesting part though, the chipset in this phone is identical to the one in the AT&T version, I747, that one has both 2100 and 1900 bands. Our Verizon phone also has ALL the gsm bands that the AT&T version has (gsm 850, 900, 1800 and 1900), so the 1900 band filter, antenna and amplifier is already there for gsm. If they wanted to save money, why not remove all the gsm stuff since this is a CDMA phone? At this point, it would be cheaper to leave all the hardware stuff on the phone the way it is and just make them all the same, rather than make multiple versions, which would actually be more expensive. It is strange that all the gsm/wcdma bands that Verizon needs for their overseas gsm roaming is there, but the only one that would let you get AT&T's "4G", is disabled, even though the chipset is physically able to receive/handle it. So it makes no sense that to save money, they left wcdma 2100 fully capable on this phone, but removed wcdma 1900. It could very likely be disabled by Verizon's modem software. That's why we want to get to the bottom of it.
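Added example, not code from this thread or from any of the posters: a toy Python model of the boot chain mybook4 describes in post #7, in which each stage verifies the next stage's signature and hardware identifier before handing off, and the leaked "unsecure aboot" simply skips its check of the kernel. HMAC-SHA256 under a constructed per-variant key stands in for the vendor's real RSA signature (the property modelled is only that the key holder alone can produce a valid tag); the key values, hardware identifiers and stage payloads are all constructed placeholders, and the model uses one root key for the whole chain, which is a simplification. It shows why an unsigned kernel runs once aboot stops checking, yet a modem image signed for another variant is rejected at the very first link, and what the thread's open question ("is the modem partition checked at all?") reduces to.

```python
"""Toy model of a signed boot chain (added example, not the thread's code).

Chain walked here: SoC root firmware -> modem -> sbl -> aboot -> kernel.
HMAC-SHA256 under a constructed key stands in for an RSA signature.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for per-variant signing keys and hardware identifiers.
# None of these values is real; they exist only so the toy chain can run offline.
VZW_KEY = b"constructed-i535-signing-key"
ATT_KEY = b"constructed-i747-signing-key"
I535_HW_ID = b"HWID-I535"
I747_HW_ID = b"HWID-I747"


@dataclass
class Stage:
    name: str
    hw_id: bytes          # identifier the image claims to be built for
    payload: bytes        # the code the stage would execute
    tag: bytes            # "signature" over (hw_id, hash(payload))
    enforces_next: bool = True   # False models the leaked unsecure aboot


def make_tag(key: bytes, hw_id: bytes, payload: bytes) -> bytes:
    """Sign hw_id plus the payload digest; only the key holder can do this."""
    msg = hw_id + hashlib.sha256(payload).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_stage(name: str, key: bytes, hw_id: bytes, payload: bytes,
               enforces_next: bool = True, signed: bool = True) -> Stage:
    """Build a stage image; signed=False yields an all-zero tag (unsigned build)."""
    tag = make_tag(key, hw_id, payload) if signed else bytes(32)
    return Stage(name, hw_id, payload, tag, enforces_next)


def verify_stage(key: bytes, expected_hw_id: bytes, stage: Stage) -> bool:
    """The check a verifying stage runs on the next image before jumping to it."""
    if stage.hw_id != expected_hw_id:          # wrong variant: reject early
        return False
    expected = make_tag(key, stage.hw_id, stage.payload)
    return hmac.compare_digest(expected, stage.tag)


def boot(chain: List[Stage], root_key: bytes, root_hw_id: bytes,
         root_enforces: bool = True) -> Tuple[List[str], Optional[str]]:
    """Walk the chain. Returns (stages that ran, name of the stage that halted boot)."""
    reached: List[str] = []
    enforce = root_enforces                    # does the SoC check the first image?
    for stage in chain:
        if enforce and not verify_stage(root_key, root_hw_id, stage):
            return reached, stage.name         # hard stop: nothing past here runs
        reached.append(stage.name)
        enforce = stage.enforces_next          # this stage decides about the next
    return reached, None


def scenarios() -> Dict[str, Tuple[List[str], Optional[str]]]:
    """The situations discussed in the thread, run through the toy chain."""
    stock_modem = make_stage("modem", VZW_KEY, I535_HW_ID, b"vzw modem")
    sbl = make_stage("sbl", VZW_KEY, I535_HW_ID, b"sbl")
    secure_aboot = make_stage("aboot", VZW_KEY, I535_HW_ID, b"aboot, checks kernel")
    unsecure_aboot = make_stage("aboot", VZW_KEY, I535_HW_ID,
                                b"aboot, skips kernel check", enforces_next=False)
    stock_kernel = make_stage("kernel", VZW_KEY, I535_HW_ID, b"vendor kernel")
    custom_kernel = make_stage("kernel", VZW_KEY, I535_HW_ID, b"custom kernel", signed=False)
    # Image signed by the other variant's key and carrying the other hardware id.
    other_modem = make_stage("modem", ATT_KEY, I747_HW_ID, b"other variant modem")

    return {
        "stock": boot([stock_modem, sbl, secure_aboot, stock_kernel], VZW_KEY, I535_HW_ID),
        "custom_kernel_secure_aboot":
            boot([stock_modem, sbl, secure_aboot, custom_kernel], VZW_KEY, I535_HW_ID),
        "custom_kernel_unsecure_aboot":
            boot([stock_modem, sbl, unsecure_aboot, custom_kernel], VZW_KEY, I535_HW_ID),
        "other_variant_modem":
            boot([other_modem, sbl, unsecure_aboot, custom_kernel], VZW_KEY, I535_HW_ID),
        # The thread's open question: what if the root never checks the modem image?
        "other_variant_modem_root_not_checking":
            boot([other_modem, sbl, unsecure_aboot, custom_kernel], VZW_KEY, I535_HW_ID,
                 root_enforces=False),
    }


if __name__ == "__main__":
    for label, (ran, halted) in scenarios().items():
        print(f"{label:40s} ran={ran} halted_at={halted}")
```

The point of the model is the asymmetry the thread circles around: the unsecure aboot opens a hole only from its own link onward, so every stage before it still rejects anything not signed for this variant, and the only scenario in which a foreign modem runs is the one where the root never verified it in the first place.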
 
mybook4 (Senior Member) | #8
Thanks Meter: 260 | Posts: 440 | Join Date: Apr 2011
Called the local at&t store. They wouldn't let me try a post paid sim in store unless I signed up for a plan. Very customer friendly, lol.

In other news, incubus posted that the developer edition of the vzw gs3 is available for sale. I'm curious if we can use some of the partitions? Finding someone who has bought this will be tough.



Sent from my SCH-I535 using xda premium
 
preusstang (Senior Member) | #9
Thanks Meter: 61 | Posts: 161 | Join Date: Jan 2011
Quote:
Originally Posted by cvsolidx17 View Post
Will donate $20 if I can successfully flash T-Mobile's as well as pull both 3g and 4G data

Sent from my SCH-I535 using Tapatalk 2
You do realize that we will def. not be able to get T-Mobile 4G right? We're talking about HSPA+ here (3G data). TMO's 4G LTE uses different hardware. Please modify your post to reflect whether or not you're still in this.

Count me in for $20 towards at least AT&T ( this would let me use straight talk w/o messing with cdma workshop and the dirty clone job :/ )

BTW, thank you for starting this bounty. I hope this issue gains some momentum now!
 
newuser134 (Senior Member, OP) | #10 | Last edited by newuser134; 22nd September 2012 at 05:46 PM
Thanks Meter: 77 | Posts: 266 | Join Date: Dec 2009
Quote:
Originally Posted by preusstang View Post
You do realize that we will def. not be able to get T-Mobile 4G right? We're talking about HSPA+ here (3G data). TMO's 4G LTE uses different hardware. Please modify your post to reflect whether or not you're still in this.
I think what he means by that is T-Mobile's "4G", which they've had before even starting on their LTE, both T-Mobile and AT&T refer to HSPA+ as "4G", so that's what he means. The scope of this bounty never included LTE service from ANY other provider, so a donation for that wouldn't even be accepted as it is not possible to reach that goal. Just to reiterate, this bounty is for either wcdma 1900 OR wcdma 1700, or both, whichever is possible by hardware. We are not attempting to enable any other carrier's LTE service on this phone.

Hope that clarifies things a little.
