XDA Developers Android and Mobile Development Forum

[HowTo] [VZW XT907/926 RAZR M/HD] Unlock US GSM Carriers Using RadioComm

cellzealot
(Last edited by cellzealot; 26th February 2013 at 05:54 PM.) Reason: typos, syntax
#1
Senior Member - OP

Introduction:

This post is a guide to show how to perform the NV edit required to unlock US GSM carriers (AT&T and T-Mobile etc.) on the VZW XT907/926 RAZR M/HD stock modem using a Motorola serviceware tool called RadioComm.
This is simply a different method to perform the same hack that was discovered by Arnold Snarb in the main thread about ATT/T-Mobile here.

http://forum.xda-developers.com/show...&postcount=158

Despite the fact that he thanked me for leading the way in that post, he did some really brilliant analysis of the logs in QXDM to isolate this NV Item and saw something in them that I had missed as well as guessing correctly about its significance, and deserves all of the credit for this hack.
Everyone should please go and thank him in that post for the outstanding work.

He used a tool called DFS to access and edit NV Item 8322 and change the value of the first byte from 01 to 00 which disables the checking of the MCC/MNC against a list of banned networks and flags MCC 310 as Invalid Country Code.
That method requires booting into BP Tools mode from the boot menu and loading the Qualcomm diagnostic device interfaces.
The problem is that there are no signed 64bit drivers available and you must force load the drivers on Win7/8 64 bit for the diagnostic port in order to see the device properly and have NV read/write access.
This has been a stumbling block for many users and makes the NV editing unnecessarily difficult.

This method uses Factory boot mode and allows RadioComm to have full diagnostic mode access via the Motorola USB Networking driver that loads normally with the standard USB driver set. I will demonstrate 2 different ways to perform the edit, one manual and one using a preconfigured SEEM table file that writes the value in a single operation.

Neither of these methods is as easy as an update.zip install from custom recovery would be, but we don't have a binary that supports the motorola.update_nv function that we used for prior MDM6600 based devices available to us for the MSM8960 devices.
Given that some form of diagnostic mode software and a PC is required, I feel that RadioComm is probably an easier option for most users as it avoids the driver problems and has a clearer and simpler interface for NV read/write access than DFS.
Once you have the latest Motorola drivers installed and RadioComm loaded, this guide should make it very easy and safe to perform what is generally a complicated and potentially dangerous task of editing the radio NVM (Non Volatile Memory).

RadioComm itself is a terrifyingly complex piece of software with a GUI that can bring even the most seasoned and experienced phone hacker to their knees wondering what all the various windows, modules and buttons do.
It is the premier Motorola serviceware application and is designed by and intended for use by top level radio engineers and technicians.
It is an extremely powerful application that can access all models and chipsets of Motorola devices and perform a vast array of diagnostic testing and configuration operations and can be fully automated via multiple scripting languages.

It's just plain scary and confusing and very dangerous if not taken seriously.

Warning and disclaimer:

DO NOT PLAY AROUND WITH ANY FEATURES OR RANDOMLY HIT ANY BUTTONS IN RADIOCOMM!!!

YOU CAN RENDER YOUR PHONE DYSFUNCTIONAL OR UNBOOTABLE IN SECONDS!!!


This cannot be emphasized strongly enough!

Follow the instructions exactly as they are written and shown in the screenshots and you will find it very simple to use and have no trouble doing the edit with either method.

You, the user, are the only person responsible for your actions and performing this hack will absolutely void your warranty the same way rooting or any other modifications to your device's software does!

That said, this hack will be undetectable and have no outward visible signs of having been performed other than the fact that any GSM SIM should work afterward.

Root is NOT required and this can be safely done and undone at will without making any other changes on the device and all normal services function properly on VZW's network with the edit in place. It appears to only affect the US GSM network block and nothing else.

Prerequisites:

You need to have a recent set of Motorola USB drivers v. 5.9.0 or greater installed on your PC with a full USB 2.0 compatible port.

You need a standard Motorola micro USB cable.

RadioComm 11.12.xx. I have included a link to 11.12.2 below.

https://dl.dropbox.com/u/7632904/Rad....2_Install.zip

This has been tested on Win7 64bit and WinXP SP3 32bit with .NET Framework 4.0 installed.

Method:

This guide assumes you already have RadioComm and the drivers properly installed and have rebooted both PC and the phone afterward.

The first instructions and screenshots describe the initial setup and manual method using the FTM Common 1 tab and the NV Access window in RadioComm.

When you first open RadioComm you will get a popup stating that the version is more than 2 months old. Just close it and continue.

Now go to the top left corner and hit the Main button and select the MA: Common/MDM6x00 as shown in the first screenshot.




Next, go to Settings/USB and select PST USB Driver as shown in the second screenshot.
Test Command Format should default to P2K05 lower in Settings menu.
Leave all other options default.



Now we are ready to connect the phone and perform the edit.

Make sure you have Connect as Media Device in USB settings and USB Debugging enabled in Developer Options.

Power off the phone and then hold both Vol Up and Down + Power to enter the boot menu.

Use the Vol Down key to scroll down in the menu to Factory and then Vol Up key to select and the phone will boot.

Connect the USB cable and RadioComm will enumerate the phone and the radio button in the top right will change colors.
It will cycle several times red to yellow and eventually go green when the device is fully enumerated and shows as XT907 in the status bar at the bottom of the screen. You can read the Software Version and MEID/ESN/pESN buttons to make sure everything is working properly.
On each successful read the GUI will flash green and the Command buffer will turn green and any selected button will be green.
Any unsuccessful attempt will turn red.
If not, then restart everything and check over all settings again before proceeding.

Now go to the tabs bar across the top middle of the GUI and select FTM Common 1 tab and go to the NV access window in the center right of that tab and select the top menu Item "FFFF Manual Entry" as shown in the third screenshot.



Now hit the Read button and you will get 2 popup windows.
In the first window you will enter the Decimal NV Item ID 8322 and in the second you will enter the byte length to be read 1 as shown in the fourth screenshot.



When you hit ok it will read the NV Item and flash green and display the data in the hex output buffer below and you will see 01 for the value as shown in the fifth screen shot.



Now highlight the 01 and change it to 00 and hit the write button and this time it will only popup once asking for the Decimal NV Item ID 8322. When you hit OK the item will be written and the GUI will again flash green for a successful write as shown in the sixth screenshot.



You are now finished and can either use the restart button at top right of RadioComm to reboot or manually restart the phone.

The last screen shot is edited to show the steps to use the NV/SEEM feature with a SEEM table file I have provided below to do all of the steps as a single operation. Some users may find this easier than manually editing in the NV Access window but it's really almost the same number of steps.

Go to the top left and hit Features and select NV/SEEM and another window will open and the radio button will cycle again a couple of times as it re-enumerates the device again; it will go green finally. Follow the instructions in the seventh screenshot and be sure to use the Restart button in the main window after you close NV/SEEM because it suspends the phone and it will be black screen and unresponsive and require holding Vol keys and Power for 10 secs to reset it otherwise.



Congrats! All done now and the rest is just putting in a SIM and selecting GSM/UMTS in Network Settings and everything should just work!
Below is the link for the .NVM SEEM table file.

https://dl.dropbox.com/u/7632904/TBH...GSM_Unlock.NVM

Please use this thread to discuss issues relating to this method and RadioComm and keep general discussion of the phone on US carriers in the other thread, thank you!

CellZealot

TeamBlackHat

Digital alchemy for the Droid and beyond.
 
cellzealot
#2
Senior Member - OP
<Reserved>
 
Yehudah
#3
Senior Member
Thanks man.. gonna try this when I get home tonight. I was actually just thinking about switching vendors from VZW to someone else and didn't really want to buy a new phone.

Maybe now I don't have to. Proof is in the pudding though, maybe I'll buy a cheap month of Straight Talk to see if it works?
 
nrgyitguy
#4
Junior Member
Quote:
Originally Posted by Yehudah View Post
Thanks man.. gonna try this when I get home tonight. I was actually just thinking about switching vendors from VZW to someone else and didn't really want to buy a new phone.

Maybe now I don't have to. Proof is in the pudding though, maybe I'll buy a cheap month of Straight Talk to see if it works?
Running RAZR M in US on straight talk now. Works wonderful!!!
 
bigdrill
#5
Junior Member
Thanks a lot! I'm a total noob when it comes to most of this, but it worked perfect for me!!
 
Skrilax_CZ
#6
Recognized Developer
Hmm, MDM6x00? Won't that work on the OG RAZR XT912 / Droid 4 as well?
 
cellzealot
#7
Senior Member - OP
Quote:
Originally Posted by Skrilax_CZ View Post
Hmm, MDM6x00? Won't that work on the OG RAZR XT912 / Droid 4 as well?
The MA used in RadioComm is the same chip set base as the RAZR/D4 because it's the closest to the MSM8960 available in this version, which is more than 18 months old now.

What we really need is an updated version of RadioComm with full support for the newer chip sets.

This specific NV Item 8322 does not exist on the MDM6600 chip set devices and I have not been able to find a similar boolean switch item for those phones, unfortunately.

I have been logging with QXDM extensively searching for a way to disable the MCC/MNC block on MDM6600 without success so far.
I have dumps of all of the readable NV items from 0000-12000 from many devices running various builds and even a dump from a Chinese engineering build on P3Droid's Dev model where everything is working as it should with open GSM on US carriers.

I would love some help from someone with a better understanding of the radio and diagnostic mode access than myself.
Very few people know how to use the software to even start analyzing the problem.
 
progrockguy
#8
Senior Member
Remember to install the latest Motorola drivers and *especially* highlight the entire 01 and type 00. I was backspacing only the 1 and it did not "stick" when writing. So HIGHLIGHT, don't backspace. Works perfectly.
 
cpslim
#9
Junior Member
Is it possible to write the NV item to the Droid 4 then edit??
Quote:
Originally Posted by cellzealot View Post
The MA used in RadioComm is the same chip set base as the RAZR/D4 because it's the closest to the MSM8960 available in this version, which is more than 18 months old now.

What we really need is an updated version of RadioComm with full support for the newer chip sets.

This specific NV Item 8322 does not exist on the MDM6600 chip set devices and I have not been able to find a similar boolean switch item for those phones, unfortunately.

I have been logging with QXDM extensively searching for a way to disable the MCC/MNC block on MDM6600 without success so far.
I have dumps of all of the readable NV items from 0000-12000 from many devices running various builds and even a dump from a Chinese engineering build on P3Droid's Dev model where everything is working as it should with open GSM on US carriers.

I would love some help from someone with a better understanding of the radio and diagnostic mode access than myself.
Very few people know how to use the software to even start analyzing the problem.
 
dsdd
#10
Junior Member
Can I use a similar way to unlock XT902 (Japanese Razr M)? I can't find 8322 in XT902.......
