Post Reply

[BOUNTY] ($205 so far) Enable HSPA+ on 1900 MHz / 1700MHz for VZW Galaxy S3 i535

OP newuser134

25th September 2012, 12:16 AM   |  #21  
Member
Flag Colorado Springs
Thanks Meter: 15
 
61 posts
Join Date:Joined: Jul 2009
More
While I am the first one to appreciate another person's efforts, do you mind putting the AT&T sim card back in and take screenshots of when you are actually on the network. I myself have operated the Verizon GS3 on AT&T and T-Mobile, albeit only on EDGE.

Thanks
25th September 2012, 12:32 AM   |  #22  
mybook4's Avatar
Senior Member
Thanks Meter: 263
 
444 posts
Join Date:Joined: Apr 2011
Donate to Me
More
Quote:
Originally Posted by Strothmann

I was able to get 3g on ATT.

Am I missing something? The radio being used is VRLG1 (i535), and the speeds are definitely edge (way less than a megabit).

How is this 3g?


Sent from my SCH-I535 using xda premium
25th September 2012, 02:46 AM   |  #23  
mybook4's Avatar
Senior Member
Thanks Meter: 263
 
444 posts
Join Date:Joined: Apr 2011
Donate to Me
More
Opened all the verizon modems and one AT&T modem in a hex editor to poke around.

Some observations:

All the radios seem to start similarly and have similar structure (portions of data/code spaced by portions of 0s). It's quite spacious in there (and explains why the 60 MB modems zip up to 20 MB).

VRLG1:
0x4cd7c Mentions something about "Samsung Root CA cert" - This is most likely in all of the modems and is probably nothing, but I wanted to note it anyway.

VRLEC, VRLF2, and VRLG1 all appear to have a signature from 0x02984600 to 0x2984700 (256 bytes or 2048 bit). I recall from peeking inside the signed kernel parition mmcblk0p7, other partitions in the boot chain also have a 2048 bit signature. VRLG7's signature appears to be at 0x029b0600 - 0x29b0700 (again, appears to be a 2048 bit signature).

The AT&T UCLH9 modem appears to be similar in structure as the verizon ones. There does appear to be a signature in the AT&T modem at 0x02a18600. It appears to be structured as a signature, then a string of 00 01 FF FF(repeating), then some data at the end. I remembered this being similar to the way the vzw stock kernel is signed so I opened my backup LF2 kernel (from early July) and verified this to be true.

Ralekdev describes the algorithm (in C) for checking the signature of the kernel parition in this post of the bootloader unlock thread http://forum.xda-developers.com/show...&postcount=107

"The goal is to make it so that after all the calculations the 256 byte block located at img_sig_data+0x100 has the contents 0x00, 0x01, 0xFF * 236, and then the sha1 of our boot.img"

-I wonder if any of the kernel partition checking code was reused for the modem checking code?

-I know this is far fetched, but hear me out. If we were able to find the modem checking code and write a little C program, we could run the algorithm against the both the verizon and AT&T modems and see if we get the same result (00 01 FF etc?). If we get the same result, then that may mean the same private key was used to sign both the AT&T and verizon modems. In other words, IF we find this out, we may be able to determine whether or not flashing the AT&T modem will brick a verizon GS3.

I've also PM'ed koriotto. Hopefully he/she gets back to us with more info about his previous post (about having flashed an AT&T modem on a verizon GS3).

...

And for a bit of humor, a few bytes into each of the modems, MS DOS 5.0 is referenced.
The Following User Says Thank You to mybook4 For This Useful Post: [ View ]
25th September 2012, 03:21 AM   |  #24  
OP Senior Member
Thanks Meter: 85
 
266 posts
Join Date:Joined: Dec 2009
More
Quote:
Originally Posted by mybook4

And for a bit of humor, a few bytes into each of the modems, MS DOS 5.0 is referenced.

Hehe, that was kinda funny about MS DOS 5.0, didn't expect that.

On a different note (and I'm not referring to the Note 2, lol), how do we format an external SD card to hold the right GTP guides, to boot from external storage, as Ralekdev described in the post you referenced a few days ago, which he said it would happen if the PBL went in to error handler? That would be another way to flash an AT&T modem and maybe recover from it even if it does brick at some point. So do we know for sure that it is possible to boot from an external storage device?
25th September 2012, 03:52 AM   |  #25  
mybook4's Avatar
Senior Member
Thanks Meter: 263
 
444 posts
Join Date:Joined: Apr 2011
Donate to Me
More
Quote:
Originally Posted by newuser134

Hehe, that was kinda funny about MS DOS 5.0, didn't expect that.

On a different note (and I'm not referring to the Note 2, lol), how do we format an external SD card to hold the right GTP guides, to boot from external storage, as Ralekdev described in the post you referenced a few days ago, which he said it would happen if the PBL went in to error handler? That would be another way to flash an AT&T modem and maybe recover from it even if it does brick at some point. So do we know for sure that it is possible to boot from an external storage device?

I'm not sure whether or not anyone tried booting from the external or internal sdcard. Not sure of the formatting, but maybe if the sdcard were block copied exactly like the boot chain (perhaps with dd), it could be done. If it works, like you said, it could prove very useful in resurrecting bricks or possibly getting around secure boot.

PS. Hadn't seen this until now... http://forum.xda-developers.com/show....php?t=1856327

It seems to be an amazing resource. I noticed that it has quite a bit of information regarding the boot chain. Hopefully this helps us.
25th September 2012, 04:15 AM   |  #26  
cvsolidx17's Avatar
Senior Member
Flag Boston
Thanks Meter: 43
 
280 posts
Join Date:Joined: Sep 2008
More
Quote:
Originally Posted by preusstang

You do realize that we will def. not be able to get T-Mobile 4G right? We're talking about HSPA+ here (3G data). TMO's 4G LTE uses different hardware. Please modify your post to reflect whether or not you're still in this.

Count me in for $20 towards at least AT&T ( this would let me use straight talk w/o messing with cdma workshop and the dirty clone job :/ )

BTW, thank you for starting this bounty. I hope this issue gains some momentum now!

Well for the record TMO doesn't have any LTE period atm. I was however referring to HSPA+ so I stand corrected. I'm still in. Hopefully this goes well

Sent from my SCH-I535 using Tapatalk 2
25th September 2012, 04:30 AM   |  #27  
Member
Flag Evansville
Thanks Meter: 11
 
71 posts
Join Date:Joined: Jan 2011
More
Quote:
Originally Posted by ac21365

While I am the first one to appreciate another person's efforts, do you mind putting the AT&T sim card back in and take screenshots of when you are actually on the network. I myself have operated the Verizon GS3 on AT&T and T-Mobile, albeit only on EDGE.

Thanks

The first 2 screenshots posted were on ATT network. the speed test screenshot was the only on Verizon.
25th September 2012, 11:35 PM   |  #28  
OP Senior Member
Thanks Meter: 85
 
266 posts
Join Date:Joined: Dec 2009
More
Ok, to those who want to look at the technical side of this, just found another piece of evidence implying that the i535 should be physically capable of operating on UMTS band II (wcdma 1900). Go to this link, go to the UMTS-Frequency Divided Domain table (the first table), rows 2 and 3 show the upload (transmit) and download (receive) paired frequencies of band I and band II.

i) The transmit frequency range for band I is 1920-1980 MHz.
ii) The transmit frequency range for band II is 1850-1910 MHz.
iii) The receive frequency range for band II is 1930-1990 MHz.

Anyone that knows a little about RF transmitters and receivers would know the following:

From comparing i) and ii) it is obvious that since the radio chips are identical msm8960 in both i747 and i535, it would economically unviable to make the chips different in hardware so that one would be physically disabled from transmitting at 1910 MHz when it can transmit at 1920 MHz. We know the i535 operates on wcdma band I, so its lower transmit frequency is 1920 MHz, it would be more expensive than not to make its digitally controlled tuner to physically be disabled below 1920 MHz, and make a slightly different version that can transmit from 1910 MHz and down. If the radio chip in the i535 can transmit on the 1920-1980 range, it can probably, almost certainly, also transmit on the 1850-1910 range since the upper limit of one is so close to the lower limit of the other.

From i) and iii) it can be seen that the transmit range of band I almost entirely overlaps the receive range of band II, 1920-1980 vs. 1930-1990 MHz. People with knowledge about RF transceivers also know that digitally controlled RF transceivers are usually software controlled. If they can receive on a certain frequency range, they can also transmit on the same range, and vice versa, unless disable by software. If the i535 is capable of transmitting data in the range of 1920-1980 MHz with wcdma modulation, and it has the same radio chip that the i747 has, then it can also receive in that same range a signal with the same modulation, hence proving that in fact it can physically receive wcdma signals on band II as well.

These two comparisons above show with very little doubt that the i535 Galaxy S3 has the same physical capabilities to send and receive both wcdma 2100 and wcdma 1900 (band I and II), and the fact that an identical radio chip in the i747 (AT&T version Galaxy S3) can do this as well, should leave almost no doubt about the physical hardware being there. It is disabled by software only.

On the last column of the Frequency Divided Domain for UMTS on the page linked above, it shows where each band is mostly used. It seems that almost the entire world (with a few exceptions) uses wcdma 2100 for 3G/HSPA+ data, but only North America uses wcdma 1900 (even T-mobile has started using it now). So why on earth would a Verizon CDMA/EVDO/LTE phone have all gsm bands AND wcdma 2100, which is used everywhere else in the world but in North America, but then not have wcdma 1900 (that ONE single band) for savings? Why would it need wcdma or gsm at all? (because it was already on the phone's radio chip, and for roaming), why is it missing the ONLY band that other carriers here use for 3G/HSPA+? (because it was deliberately disabled by software/firmware to make this phone incompatible with domestic gsm providers' 3G/HSPA+).

Another thing to notice from the link above is that if you use Netmonitor to poke around in the UMTS band selection menu of the i535, one of the choices is IMT2000 under the wcdma menu. On the page linked, IMT2000 is defined in the text at the beginning of the page for all frequencies ranging for both the 1900 MHz band (II) and 2100 MHz (I), yet when you click on IMT2000 in the UMTS menu of the phone, it only shows wcdma 2100, it must be disabled by software. This is all proof that getting an AT&T (or T-Mobile) modem successfully flashed to the i535 (without bricking it) would enable wcdma 1900 and make it functional on domestic gsm providers' 3G/HSPA+ networks with data.

Please feel free to respond with your thoughts/comments on this.
The Following 2 Users Say Thank You to newuser134 For This Useful Post: [ View ]
26th September 2012, 01:36 AM   |  #29  
renzo.olivares's Avatar
Recognized Developer
Thanks Meter: 16,218
 
9,095 posts
Join Date:Joined: Jan 2011
Donate to Me
More
I might have something....can someone upload the att build.prop

Sent from my SCH-I535 using xda app-developers app
26th September 2012, 02:54 AM   |  #30  
mybook4's Avatar
Senior Member
Thanks Meter: 263
 
444 posts
Join Date:Joined: Apr 2011
Donate to Me
More
Quote:
Originally Posted by JoelZ9614

I might have something....can someone upload the att build.prop

Sent from my SCH-I535 using xda app-developers app

Cool. The easiest way to get the build prop is to download an AT&T rom (it's in /system/build.prop). Are you looking for AOSP or TW?

Sent from my SCH-I535 using xda premium

Post Reply Subscribe to Thread
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes


Top Threads in Verizon Galaxy S III General by ThreadRank