[REF|R&D|RF] RF/Radio properties of Samsung ServiceMode


E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
RF/Radio properties of the ServiceMode Application

Thread Difficulty: HARD
Thread Noob Patience: LOW

Thread Topic

This thread is a Reference and Research & Development thread for
investigating and better documenting the various radio-related variables
as found and displayed by the ServiceMode application. Here we are
particularly concerned with those found in Samsung phones, but as
you will see, this is more modem (BP/CP) dependent than phone model
dependent. So much of this info should also apply to other devices
using the same modem.

Off Topic?

If you have questions that do not directly concern the main focus
of this thread, please ask in the general forum. If you ask support
questions here, they will be deleted without warning.

If you're just looking for info on how to enter the Service Menu on a recent
Samsung, look in this thread:
[REF][ServiceMode] How to make your Samsung perform dog tricks


Background

Because the ServiceMode (SM) application is really running in the
Modem under its own RTOS, it is limited in the presentation. So what
you see running in the AOS ServiceMode application is really just a
Java wrapper to code that is running in the RTOS. This severely
limits the information presented, if accessible at all.

Most mobile device manufacturers don't want their users to have
access to the ServiceMode functions, for various and good reasons.
Perhaps the best reason is that you can easily hard-brick your
device and/or mess up all the internal radio related settings.
However, we are already used to this, so why not have a better look
at the mobile network parameters within our devices. These can be
extremely useful, from identifying network problems to detecting and
preventing illegal or clandestine mobile network monitoring.

So what are the limiting factors of the ServiceMode Application?


  • It is a Java wrapper application that is usually made by
    the device manufacturer (Samsung, HTC, Nokia etc) that
    needs to be present and compatible with your AOS FW.
    (API, RIL etc)
  • The actual code is running in Modem RTOS and usually queried
    by ServiceMode.apk by the use of a RIL_REQUEST_OEM_HOOK_RAW request,
    that allows requests to circumvent the normal RIL filter.
  • The parameters present depend on the Modem FW versions.
    (You will find many misspellings and other FUBAR objects in
    various modem SM presentations.)
  • The displayed RF related parameters depend on the Modem HW,
    and are thus completely different in an Intel XMM modem, than
    for a Qualcomm MSM type modem/processor SoC, and so on.
  • The displayed RF related parameters depend on the network
    you are currently using and connected to.

But the mobile network interface is transparent from the AOS AP point
of view, so a large set of radio parameters must comply with the 3GPP
standards in order for your device to function properly. But only a
very small subset of these RF parameters is part of the non-internal AOS API.

We want more!

By carefully looking at all the details and information that is
presented by the SM application, we can find out many more and
useful network details, such as ciphering modes, network types,
bands, and technology used. But to do this we need to understand
the language used. Unfortunately, many times the language does
not reflect the current 3GPP standards, so we are left to guess,
until some anonymous modem RF-expert/developer comes along and
corrects us.

So if you happen to know anything specific, this is where you
can really help this thread...


ServiceMode Vocabulary

Here I try to resolve some of the more obscure sounding items,
as found in the SM of mainly two devices.

(a) Samsung Galaxy S2 (GT-I9100, XXKI1 with Intel XMM6260 modem)
(b) Samsung Galaxy S4-mini (GT-I9195, XXUBML4 with Qualcomm MSM8930AB SoC)

In post#2 you will find an almost complete menu structure for
the UMTS MENU items as found in (b). I have not posted the items
for the LTE or CDMA menus, since I don't have that network, which
means I don't know how they would look. So feel free to post your
own findings, if you use those.

Also, remember that the end-point/detailed view of the menu
items depends on your current network. I.e. you will see
different items when connected to GSM vs. WCDMA, and so on.

In post#3 I show the detailed explanations of the various
3GPP defined RR timers as shown under the NAS/MM items.

In post#4 I attempt to describe the specific end-point menu items:

Code:
        [1] BASIC INFORMATION
        [1] MM INFORMATION
        [2] MM REJECT CAUSE
        [3] GMM REJECT CAUSE
        [3] AS INFORMATION
        [4] NEIGHBOUR CELL


I still need help deciphering some of those values.

(What exactly do they represent and mean?)

 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
The root MAIN MENU

Code:
MAIN MENU
[1] UMTS
[2] CDMA                
[3] LTE                         
[4] SIM- Not Used.                     ==> <E>
[5] DOCOMO DEBUG SCREEN         
[6] run EFS SYNC()              
[7] DEBUG SCREEN



The UMTS MENU tree


Here is an almost complete menu structure for the UMTS MENU items
found in a GT-I9195. I have not posted the items for the LTE or CDMA
menus, since I don't have that network, which means I don't know how
they would look. So please post your own findings, if you use those.

Code:
[SIZE=2][1]     UMTS MAIN MENU
        [1] DEBUG SCREEN
        [2] VERSION INFORMATION
        [3] UMTS RF NV
        [4] GSM RF NV
        [5] AUDIO
        [6] COMMON
        [7] LTE BAND CONFIG CHECK
        ------------------------------

        [1]     DEBUG SCREEN
                [1] BASIC INFORMATION                   ==> <E>         Code: 0011
                [2] NAS INFORMATION
                [3] AS INFORMATION
                [4] NEIGHBOUR CELL
                [5] GPRS INFORMATION
                [6] SIM INFORMATION
                [7] HANDOVER
                [8] PHONE CONTROL
                [9] ANTENNA/ADC


                [1]     // BASIC INFORMATION            ==> <E> 

                        RRC: IDLE, Band1                                
                        MCC-MNC:nnn-01                                  
                        RX: 10663, RI: -59, CID: hhhhh
                        TX: 9713, PSC: 394
                        EcIo: -4, RSCP: -63                             
                        SpeechVER: FR FR FR                             
                        L1: PCH_Sleep                                   
                        Drx cycle: 64                                   
                        SIB19 is received                               
                        therm: 162 LNA: 0                               
                        Service: Available                              


                [2]     NAS INFORMATION

                        [1] MM INFORMATION
                        [2] MM REJECT CAUSE
                        [3] GMM REJECT CAUSE
                        [4] PS REJECT CAUSE
                        [5] RESET MM&GMM REJECT List
                        [6] EF_RAT INFORMATION
                        [7] SAT REFRESH INFO
                        [8] SMC RESULT INFO
                        [9] CALL END CAUSE


                        [1]     // MM INFORMATION

                                mm: Idle                                        
                                MCC-MNV: nnn-01                                 
                                LAC: hhh, RAC: nn                               
                                TIMER_T32:      10(S) 11(S) 12(A)
                                                13(S) 20(S) 30(S) 40(S)
                                GmmState: Registered(3)
                                SubState: normal(0)
                                PmmMode: IDLE(1)
                                rej_cause: 0, IuAttCnt: 0
                                TMSI: hhhhhhh

                        [2]     // MM REJECT CAUSE

                                MM reject Information List
                                1. Time: 1M 6D 0h00m00s
                                   Type: 0, Cause:0 000-000, GSM
                                2. Time: 1M 6D 0h00m00s
                                   Type: 0, Cause:0 000-000, GSM
                                3. Time: 1M 6D 0h00m00s
                                   Type: 0, Cause:0 000-000, GSM
                                4. Time: 1M 6D 0h00m00s
                                   Type: 0, Cause:0 000-000, GSM
                                5. Time: 1M 6D 0h00m00s
                                   Type: 0, Cause:0 000-000, GSM
                                6. Time: 1M 6D 0h00m00s
                                   Type: 0, Cause:0 000-000, GSM

                        [3]     // GMM REJECT CAUSE

                                GMM reject Information List
                                1. Time: 4M 9D 14h19m02s
                                   Type: 4, Cause:7 nnn-01, UMTS
                                2. Time: 1M 6D 0h00m00s
                                   Type: 0, Cause:0 000-000, GSM
                                3. Time: 1M 6D 0h00m00s
                                   Type: 0, Cause:0 000-000, GSM
                                4. Time: 1M 6D 0h00m00s
                                   Type: 0, Cause:0 000-000, GSM
                                5. Time: 1M 6D 0h00m00s
                                   Type: 0, Cause:0 000-000, GSM

                        [4]     // PS REJECT CAUSE
                                PDP and PDN recet List
                                - No Data

                        [5]     // RESET MM&GMM REJECT List             <== Immediately clears reject list!

                        [6]     // EF_RAT INFORMATION

                                Boot-up EF_RAT
                                NONE(-1)
                                Refreshed EF_RAT
                                1.GSM_WCDMA(1), 000-000
                                2.GSM_WCDMA(1), 000-000
                                3.GSM_WCDMA(1), 000-000
                                4.GSM_WCDMA(1), 000-000
                                5.GSM_WCDMA(1), 000-000

                        [7]     // SAT REFRESH INFO
                                <exactly the same as above>

                        [8]     // SMC RESULT INFO                      -->  <E>

                                RRC: IDLE, Band1
                                MCC-MNC: nnn-01
                                RX: 10663, RI: -59, CID: hhhhh
                                TX: 9713, PSC: 394
                                EcIo: -4, RSCP: -63
                                SpeechVER: FR FR FR
                                L1: PCH_Sleep
                                Drx cycle: 64
                                SIB19 is received
                                therm: 162 LNA: 0
                                Service: Available

                        [9]     // CALL END CAUSE                               -->  <E>
                                <exactly the same as above>


                [3]     // AS INFORMATION

                        RRC: IDLE, Band1
                        WCDMA: IDLE
                        RX: 10663, RI: -59, CID: hhhhh
                        TX: 9713, PSC: 394
                        EcIo: -4, RSCP: -63
                        VOC: FR FR FR, 0
                        L1: PCH_Sleep
                        CQI: 0, Sam: 0

                [4]     // NEIGHBOUR CELL
                        
                        Aset: 10663 394 -60 -7 53 29                    <== rapid changes
                        Sych: 10663 403 -83 -51 31 -15
                        Sych: 10663 403 -83 -51 31 -15
                        Sych: 10663 403 -83 -51 31 -15
                        Asych: 10663 422 -121 -49 29 -1
                        Asych: 10663 262 -121 -49 0 0
                        Asych: 10663 102 -121 -49 0 0
                        Asych: 10663 450 -121 -49 0 0


                [5]     GPRS INFORMATION
                        FUNCTION:ds_gprs_information

                [6]     SIM INFORMATION

                        [1] General Info
                        [2] QMI UIM status
                        [3] CHECK NV


                        [1]     // General Info

                                SIM Phase: 0                            
                                Card Capability: USIM                   
                                SIM voltage class: 1.8V SIM             
                                None                                    
                                None                                    
                                Proactive command:                      
                                00 00 00 00 00 00 00 00 00 00           - ^^ (10 Hex)

                        [2]     // QMI UIM status
                                
                                CARD_STATE:     Present                 
                                CARD_ERROR:     Unknown                 
                                APP_TYPE:       USIM                    
                                APP_STATE:      Ready                   
                                PERSO_STATE:    Ready                   
                                PERSO_FEATURE:  Unsupported             
                                PIN1_STATE:     Enabled_Verified 
                                pin1_num(3), puk1_num(10)
                                PIN2_STATE:     Enabled_Not_Verified
                                pin2_num(3), puk2_num(10)              

                        [3]     // CHECK NV

                                CHECK NV                                
                                Band pref: Unexpected value             
                                RTRE Configuration: SIM based           
                                FTM Mode: Online Mode                   
                                ENS: Disabled                          
                                UIM CLASS: UMTS


                [7]     HANDOVER

                        [1] HANDOVER GtoG
                        [2] HANDOVER GtoW
                        [3] HANDOVER WtoG
                        [4] HANDOVER TEST

                [8]     PHONE CONTROL

                        [1] DRX CONTROL                 
                        [2] FAKE SECURITY CONTROL       
                        [3] NAS CONTROL                 
                        [4] UE STATE CONTROL                            
                        [5] SIMULATION                                  
                        [6] NETWORK LOCK                                
                        [7] NETWORK CONTROL                             


                        [1]     // DRX CONTROL
                                DRX: Not Active
                                [1] DRX: ON
                                [2] DRX: OFF

                        [2]     // FAKE SECURITY CONTROL
                                FAKE SECURITY: OFF 
                                [1] FAKE SECURITY: ON
                                [2] FAKE SECURITY: OFF
                        
                        [3]     NAS CONTROL

                                [1] CIPHERING CONTROL
                                [2] INTEGRITY CONTROL
                                [3] SIM CLASS CONTROL
                                [4] REVISION CONTROL
                                [5] RRC(HSPA) CONTROL
                                [6] DUALMODE IMPROVEMENT CONTROL
                                [7] NAS AVOID SECURITY CONTROL


                                [1]     // CIPHERING CONTROL
                                        CIPHERING CONTROL: ON
                                        [1] CIPHERING: ON
                                        [2] CIPHERING: OFF

                                [2]     // INTEGRITY CONTROL
                                        INTEGRITY CONTROL: ON
                                        [1] INTEGRITY: ON
                                        [2] INTEGRITY: OFF

                                [3]     // SIM CLASS CONTROL
                                        UIM CLASS: UMTS
                                        [1] UIM CLASS: UMTS
                                        [2] UIM CLASS: GSM

                                [4]     REVISION CONTROL
                                        [1] DISPLAY REVISION 
                                        [2] CHENGE REVISION 

                                [5]     RRC(HSPA) CONTROL
                                        [1] DISPLAY RRC REVISION
                                        [2] CHANGE RRC REVISION

                                [6]     // DUALMODE IMPROVEMENT CONTROL
                                        DUALMODE IMPROVEMENT: NOT ACT
                                        [1] DUALMODE IMPROVEMENT: ON
                                        [2] DUALMODE IMPROVEMENT: OFF

                                [7]     NAS AVOID SECURITY CONTROL
                                        AVOID_SECURITY_CHECK: NOT ACT
                                        [1] SECURITY_CHECK: ON
                                        [2] SECURITY_CHECK: OFF


                        [4]     UE STATE CONTROL

                                [1] CALL CONNECT STATE
                                [2] CHANGE RAT TO WCDMA
                                [3] CHANGE RAT TO GSM

                        [5]     SIMULATION

                                [1] Modem Assert (Reset)
                                [2] SW WATCHDOG
                                [3] HW WATCHDOG
                                [4] CP Logging (Started)
                                [5] Realtime Log(OFF) - Don't!          <== WTF?
                        
                        [6]     NETWORK LOCK

                                [1] PERSO SHA256 Info
                                        SHA256_ENABLE_FLAG [1]

                        [7]     NETWORK CONTROL                         

                                [1] GCF
                                [2] BAND SELECTION                      ==> Code: 2263 "BAND"
                                [3] SERVICE DOMAIN
                                [4] AQUISITION ORDER
                                [5] PLMN(AUTO/MANUAL) SELECTIO
                                [6] FPLMN
                                [7] IMSI replacement


                                [1]     GCF

                                        [1] GSM/(E)GPRS/WCDMA REL8
                                        [2] GSM/(E)GPRS/WCDMA REL7
                                        [3] GSM/(E)GPRS/WCDMA REL6
                                        [4] GSM/(E)GPRS/WCDMA REL5
                                        [5] SETTING CANCELLATION

                                [2]     BAND SELECTION

                                        [1] Automatic
                                        [2] WCDMA Band Preference
                                        [3] GSM Band Preference
                                        [4] LTE Band Preference


                                [3]     // SERVICE DOMAIN
                                        [1] CS + PS (*)
                                        [2] CS ONLY
                                        [3] PS ONLY

                                [4]     // AQUISITION ORDER
                                        [1] Automatic
                                        [2] GSM_UMTS
                                        [3] UMTS_GSM (*)
                                        [4] No Change

                                [5]     // PLMN(AUTO/MANUAL) SELECTIO
                                        [1] AUTOMATIC (*)
                                        [2] MANUAL

                                [6]     FPLMN

                                        [1] FPLMN READ
                                        [2] FPLMN DELETE ALL
                                        [3] FPLMN DELETE EXCL DOM

                                [7]     // IMSI replacement
                                        [1] Enable
                                        [2] Disable (*)



                [9]     ANTENNA/ADC
                                ds_antenna_adc


        ------------------------------
        [2]     VERSION INFORMATION
                [1] SW VERSION
                [2] HW VERSION

        [3]     UMTS RF
                [1] RF NV READ
                [2] RF NV WRITE
                [3] UMTS DIVERSITY CONTROL
                [4] RF CALIBRATION CHECK

        [4]     GSM RF
                [1] RF NV READ
                [2] RF NV WRITE
        
        [5]     AUDIO                           ==> Locked! See Note (a)
                ...

        [6]     COMMON
                [1] FTM
                [2] DEBUG INFO
                [3] RF SCANNING
                [4] DIAG CONFIG
                [5] WCDMA SET CHANNEL
                [6] NV REBUILD
                [7] FACTORY TEST
                [8] FORCE SLEEP
                [9] GPS


                [1]     FTM : OFF                ==> Locked! See Note (b)
                        [1] NOT SUPPORT 
                        [2] FTM : OFF

                [2]     DEBUG INFO
                        [1] MM REJECT CAUSE
                        [2] LOG DUMP
                        [3] UI DEBUG POPUP - N/S

                        
                [3]     RF SCANNING     
                        [1] SETTING
                        [2] START RF SCANNING
                        [3] RESULT TO PC
                        [4] RESULT TO SCREEN

                [4]     DIAG CONFIG
                        [1] USB  ( )
                        [2] UART (*)
                        [3] DBG MSG ON  (*)
                        [4] DBG MSG OFF ( )

                [5]     WCDMA SET CHANNEL       
                [6]     NV REBUILD              
                [7]     FACTORY TEST          
                [8]     FORCE SLEEP             
                [9]     GPS
                        co_gps_menu             

        
        [7]     LTE BAND CONFIG CHECK           --> <E>
[/SIZE]
(Where I have replaced my LAC/CID with "nnnnn" and "hhhhh", respectively)

Note that the end-point/detailed view of the menu items depends on your
current network. I.e. you will see different items when connected to GSM vs. WCDMA.

For example, here is a picture comparing the BASIC INFORMATION view for LTE, CDMA and GSM/UMTS, respectively.

[Image: 0011s.jpg]


(Picture stolen from THIS website. Sorry, there is no owner/contact info there to ask for permission.)

So what do all those numbers mean?
That's what we will try to figure out in the next posts and in this thread! But first I will show you
another menu view. The menu that concerns the MM (Mobile Management) MENU items.
To get to the picture below:

MAIN MENU > [1] UMTS MAIN MENU > [1] DEBUG SCREEN > [2] NAS INFORMATION > [1] MM INFORMATION

Which should result in:

Code:
mm: Idle
MCC-MNV: nnn-01
LAC: hhh, RAC: nn
TIMER_T32:      10(S) 11(S) 12(A)
                13(S) 20(S) 30(S) 40(S)
GmmState: Registered(3)
SubState: normal(0)
PmmMode: IDLE(1)
rej_cause: 0, IuAttCnt: 0
TMSI: hhhhhhh

< placeholder >

As you can see, these include the values of a few important RR timers used. In the menu above they are
marked with (S) or (A), for STOPPED and ACTIVE, respectively. These timers are discussed further in
the next section.
 

Reactions: AdamOutler and ooop

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
The Mobility Management (MM) Timers: MS-side

All the MM timers are defined and thoroughly explained in [1]. But here I
summarize the timers we have found in our SM as shown above, where we
have the following timers clearly visible:
Code:
T3210
T3211
T3212
T3213
T3220
T3230
T3240

Here's a summary table also taken and edited from [1].

[Image: sm_timers_1_800.jpg]




The very brief 3GPP summary for T3210/11/12/13 is:

< WIP placeholder>


The very brief 3GPP summary for T3220/30/40 is:
Code:
T3220   Timer is used during the MM states of:

        - IMSI Detach Initiated

        Timer is started at IMSI Detach.
        Timer is stopped when: release from RM-sublayer
        At expiry it:   "enter Null or Idle, ATTEMPTING TO UPDATE" ??


T3230   Timer is used during the MM states of:

        - Wait For Outgoing MM Connection
        - Wait For Additional Outgoing MM Connection
        - Wait TO Re-establish MM connection

        Timer is started in the mobile station when:

        - the MS makes a Ciphering Mode (CM) service request
        - the MS makes a Ciphering Mode (CM) re-establishment request

        Timer is stopped when:

        - the MS makes a CM setting
        - the MS receives a CM Service Reject
        - the MS receives a CM Service Accept

        At expiry it provides a release indicator.



T3240   Timer is started in the mobile station when:

        - the mobile station receives a LOCATION UPDATING ACCEPT message completing a location updating procedure in the cases specified in subclauses 4.4.4.6 and 4.4.4.8;
        - the mobile station receives a LOCATION UPDATING REJECT message in the cases specified in subclause 4.4.4.7;
        - the mobile station has sent a CM SERVICE ABORT message as specified in subclause 4.5.1.7;
        - the mobile station has released or aborted all MM connections in the cases specified in 4.3.2.5, 4.3.5.2, 4.5.1.1, and 4.5.3.1;
        - the mobile station receives the paging message from network and enter the MM state 9 (WAIT FOR NETWORK COMMAND).

        Timer is stopped, reset, and started again at receipt of an MM message.

        Timer is stopped and reset (but not started) at receipt of a CM message that initiates establishment of an CM connection (an appropriate SETUP, REGISTER, or CP-DATA message as defined in 3GPP TS 24.008, 3GPP TS 24.010 [21] or 3GPP TS 24.011 [22]).

        If timer expires, the MS shall abort the RR connection and enter the MM state MM IDLE.




References:


[1] "Mobile Radio Interface Layer 3 specification, Core Network Protocols"
3GPP TS 24.008 V12.5.0 (2014-03): (678 pages)
[2]
 

Reactions: ooop

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
The Variable Vocabulary

Here is a list of variable names, and their inferred meaning, as found in the SM shown above.

Code:
RX              : Receive/Down-Link Channel aka "DL CH"
TX              : Transmit/Up-Link Channel aka "UL CH"
RI              : [dBm] RSSI (Receive Signal Strength Indicator)
CID             : Cell ID
PSC             : Primary Synchronization Code
EcIo            :                                       [1] Ec/Io = RSCP / RSSI = Eb/No - Gp
RSCP            : [dBm] Received Signal Code Power      [2,3] RSCP  = RSSI + Ec/No

SpeechVER       : The Voice Codec in use                [EFR/FR/HR/AMR]
L1              :                                       [FACH,DCH,BCH,PCH_Sleep]
Drx cycle       : Discontinuous Reception (DRX) Cycle
therm           : Thermal Power (
LNA             : Low Noise Amplifier ???


mm: Idle                : Mobile Management connection status ??
lu: Upda                :
SS: Avail               : Subsystem System Simulator ?? Secondary Synchronization Signal ??
RAC                     : Routing Area Code
TIMER_T32: 10 (S)       : Really refers to the T3210 timer, and where
GmmState: Registered(3) :
SubState: normal(0)     :
PmmMode: IDLE(1)        :
rej_cause:0             :
luAttCnt:0              : Location Update (IMSI Attach?)/(Attempts?) Count
TMSI: 9xxxxxxd          : Temporary Mobile Subscriber Identity

AS INFORMATION:         : Access Stratum
VOC                     :
CQI                     : Channel-Quality Indication
Sam                     :
        "Specific Anthropomorphic Mannequin"        ??
        "Service Aware Manager" (Alcatel/Lucent)   ??

As you can see there are many not yet clearly defined items.
To clarify these (and others) is the main purpose of this thread!



< more crazy dragons to be >
 
Reactions: ooop
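
Added example, not part of the original posts: a Python cross-check of the BASIC INFORMATION screen against the list's relation RSCP = RSSI + Ec/No and against the UTRA FDD Band I channel plan. The Band I UARFCN ranges and the 190 MHz duplex distance are taken from 3GPP TS 25.101 rather than from this thread; the function names and the 1 dB tolerance are assumptions, and the sample screen is the one transcribed in post #2.

```python
import re

# Sample input: the BASIC INFORMATION screen as transcribed in this thread,
# keeping the masked placeholders ("nnn", "hhhhh") exactly as posted.
SAMPLE_SCREEN = """\
RRC: IDLE, Band1
MCC-MNC:nnn-01
RX: 10663, RI: -59, CID: hhhhh
TX: 9713, PSC: 394
EcIo: -4, RSCP: -63
SpeechVER: FR FR FR
L1: PCH_Sleep
Drx cycle: 64
SIB19 is received
therm: 162 LNA: 0
Service: Available
"""

# UTRA FDD Band I values from 3GPP TS 25.101 (assumption brought in for this
# example; the thread itself only shows "Band1").
BAND1_DL = range(10562, 10839)   # downlink UARFCN 10562..10838
BAND1_UL = range(9612, 9889)     # uplink UARFCN 9612..9888
BAND1_DUPLEX_CHANNELS = 950      # 190 MHz on the 200 kHz UARFCN raster

NUMERIC_FIELD_RE = re.compile(r"\b(RX|TX|RI|PSC|EcIo|RSCP)\s*:\s*(-?\d+)")
BAND_RE = re.compile(r"\bBand\s*(\d+)")


def parse_basic_info(text):
    """Extract the integer fields (and the band number) from the screen text."""
    fields = {name: int(value) for name, value in NUMERIC_FIELD_RE.findall(text)}
    band = BAND_RE.search(text)
    if band:
        fields["Band"] = int(band.group(1))
    return fields


def uarfcn_to_mhz(uarfcn):
    """Band I general channels: frequency in MHz = UARFCN / 5 (offset 0)."""
    return round(uarfcn / 5, 1)


def check_screen(text, tolerance_db=1):
    """Return a list of (code, detail) findings; an empty list means consistent."""
    f = parse_basic_info(text)
    missing = [k for k in ("RX", "TX", "RI", "EcIo", "RSCP") if k not in f]
    if missing:
        return [("missing_fields", ", ".join(missing))]

    findings = []
    # Relation from the vocabulary list: RSCP = RSSI + Ec/No. The screen shows
    # rounded integers, hence the tolerance.
    expected_rscp = f["RI"] + f["EcIo"]
    if abs(f["RSCP"] - expected_rscp) > tolerance_db:
        findings.append(("rscp_mismatch",
                         f"RSCP {f['RSCP']} but RI+EcIo = {expected_rscp}"))

    # The channel-plan checks are only defined here for Band I.
    if f.get("Band") == 1:
        if f["RX"] not in BAND1_DL:
            findings.append(("dl_outside_band", f"RX {f['RX']}"))
        if f["TX"] not in BAND1_UL:
            findings.append(("ul_outside_band", f"TX {f['TX']}"))
        if f["RX"] - f["TX"] != BAND1_DUPLEX_CHANNELS:
            findings.append(("duplex_mismatch",
                             f"RX-TX = {f['RX'] - f['TX']} channels"))
    return findings


if __name__ == "__main__":
    info = parse_basic_info(SAMPLE_SCREEN)
    print("DL MHz:", uarfcn_to_mhz(info["RX"]), "UL MHz:", uarfcn_to_mhz(info["TX"]))
    print("findings:", check_screen(SAMPLE_SCREEN))
```
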

oddball3

Member
Jun 28, 2012
17
1
Johannesburg
Thanks for your attention, but I don't think that is correct, because this is a radio device and not an ADSL-router or other "line" dependent device. You'll have to try harder to convince me. :) Links to a reliable source help.

Not spot on, but proof of concept:

http://www.w3eee.com/Noiz .html

I had the perfect site I wanted to post here for you, and just to prove what a crappy country this is, our power utility decided to cut supply to our area :-\ I reckon I was about two sentences away from perfection haha!! Was so disappointed it's taken me since then to work up the enthusiasm to try again!! :)

Edit: Good Reference source - http://ieeexplore.ieee.org/xpl/logi...re.ieee.org/xpls/abs_all.jsp?arnumber=6471543
 

banisha

New member
Jan 12, 2012
4
2
Few from me

PSC : Primary Scrambling Code (not synchronization)

L1 : RRC State [FACH,DCH,BCH,PCH_Sleep]

GmmState: Registered(3) : GPRS Mobility Management status

PmmMode: IDLE(1) : Packet Mobility Management status
 
Reactions: SecUpwN and E:V:A

vndnguyen

Senior Member
Sep 11, 2009
4,252
1,920
Vinnitsa
Code:
mm: Idle
MCC-MNV: nnn-01
LAC: hhh, RAC: nn
TIMER_T32:      10(S) 11(S) 12(A)
                13(S) 20(S) 30(S) 40(S)
GmmState: Registered(3)
SubState: normal(0)
PmmMode: IDLE(1)
rej_cause: 0, IuAttCnt: 0
TMSI: hhhhhhh

As you can see, these include the values of a few important RR timers used. In the menu above they are
marked with (S) or (A), for STOPPED and ACTIVE, respectively. These timers are discussed further in
the next section.

Interesting. But that way we can only know if a Timer is Stopped or Active.
How can we know the Value of these Timers?

Thanks.
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,447
2,222
-∇ϕ
How can we know the Value of these Timers?

We can try to read its value from one of the SIM card EF files. I forgot which. We can also read it from the /dev/diag RF diagnostics device or possibly from the QMI (Qualcomm) debug ports. Or we can leave the phone still and read the start/stop flags when they change. Or you can call the technicians of the MNO and ask.
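
An added example (not part of the posts above and not ServiceMode code) of the "read the start/stop flags when they change" approach: it parses MM INFORMATION screens in the layout shown in this thread and, from timestamped captures, bounds how long each T32xx timer was observed running. The capture timestamps, the polling interval and the sample screens are constructed; how the screen text is captured is left to the reader.

```python
import re
from dataclasses import dataclass

# Copied forum text may still carry BBCode tags such as [B]..[/B] or [SIZE=2].
BBCODE = re.compile(r"\[/?(?:B|SIZE)(?:=\d+)?\]")
# "10(S)" / "12(A)" pairs on the TIMER_T32 line and its continuation line.
FLAG = re.compile(r"\b(\d{2})\(([SA])\)")
FIELD = re.compile(
    r"^[ \t]*(mm|GmmState|SubState|PmmMode)[ \t]*:[ \t]*(.+?)[ \t]*$", re.M)


def parse_mm_information(screen: str) -> dict:
    """Return {'timers': {'T3210': bool, ...}, 'fields': {...}} for one screen.

    A timer maps to True when flagged (A) for ACTIVE, False for (S) STOPPED.
    """
    text = BBCODE.sub("", screen)
    timers, in_timers = {}, False
    for line in text.splitlines():
        if line.strip().startswith("TIMER_T32"):
            in_timers = True
        elif in_timers and not FLAG.search(line):
            in_timers = False          # continuation lines have ended
        if in_timers:
            for suffix, flag in FLAG.findall(line):
                timers["T32" + suffix] = (flag == "A")
    return {"timers": timers, "fields": dict(FIELD.findall(text))}


@dataclass
class Run:
    timer: str
    min_seconds: int   # last capture seen active minus first capture seen active
    max_seconds: int   # first capture seen stopped again minus last capture
                       # seen stopped before the run


def active_runs(captures):
    """captures: [(unix_seconds, screen_text), ...] sorted by time.

    Only runs whose start AND end were both observed are reported. Polling
    only brackets the real duration, and a timer that is stopped before it
    expires yields a run shorter than its configured value.
    """
    runs, started, prev, prev_t = [], {}, {}, None
    for t, screen in captures:
        now = parse_mm_information(screen)["timers"]
        for name, active in now.items():
            was = prev.get(name)
            if active and was is False:
                started[name] = (prev_t, t)
            elif not active and was is True and name in started:
                last_stopped, first_active = started.pop(name)
                runs.append(Run(name, prev_t - first_active, t - last_stopped))
        prev, prev_t = now, t
    return runs


def make_screen(active: set) -> str:
    """Build a CONSTRUCTED screen in the thread's layout (placeholders kept)."""
    def f(n):
        return f"[B]{n}[/B]({'A' if n in active else 'S'})"
    return (
        "[SIZE=2]mm: Idle\n"
        "MCC-MNV: nnn-01\n"
        "LAC: hhh, RAC: nn\n"
        f"[B]TIMER_T32[/B]:      {f('10')} {f('11')} {f('12')}\n"
        f"                {f('13')} {f('20')} {f('30')} {f('40')}\n"
        "GmmState: Registered(3)\n"
        "SubState: normal(0)\n"
        "PmmMode: IDLE(1)\n"
        "rej_cause: 0, IuAttCnt: 0\n"
        "TMSI: hhhhhhh[/SIZE]\n"
    )


# CONSTRUCTED captures, one every 60 s: T3212 is seen active from t=60 to
# t=360 and again at t=480; T3210 is seen active only at t=420.
_T3212_ACTIVE = {60, 120, 180, 240, 300, 360, 480}
CAPTURES = [
    (t, make_screen(({"12"} if t in _T3212_ACTIVE else set())
                    | ({"10"} if t == 420 else set())))
    for t in range(0, 481, 60)
]

if __name__ == "__main__":
    for run in active_runs(CAPTURES):
        print(f"{run.timer}: active between {run.min_seconds} s "
              f"and {run.max_seconds} s")
```

A shorter polling interval narrows the gap between the two bounds; a run that is still open at the last capture is not reported.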
 

vndnguyen

Senior Member
Sep 11, 2009
4,252
1,920
Vinnitsa
We can try to read its value from one of the SIM card EF files. I forgot which.
I can read the EF files on the SIM cards. But the problem is that we don't know which EF files store those timers?

We can also read it from the /dev/diag RF diagnostics device or possibly from the QMI (Qualcomm) debug ports.
Can you give some detailed instruction about it? I have no idea on it.

Or we can leave phone still and read the start/stop flags when they change.
This is not a good way to read.

Or you can call the technicians of the MNO and ask.
Yes, I'm working at that MNO. But I still want to read those timers directly from the phone.
 

sirkuazar

Member
Jan 6, 2013
19
0
problem with gsm

hi gays.
I've a problem with my phone.
In GSM (2G) I don't have signal, but in 3G yes.

With this service menu... can I repair it?
Please help me

Hi guys, I have a problem: with my phone on GSM 2G it gets no signal and stays without service, but when I switch to 3G I get signal right away.
Can I repair it with this menu, and how? Any help is appreciated.
 

vndnguyen

Senior Member
Sep 11, 2009
4,252
1,920
Vinnitsa
hi gays.
I've a problem with my phone.
In GSM (2G) I don't have signal, but in 3G yes.

With this service menu... can I repair it?
Please help me

Hi guys, I have a problem: with my phone on GSM 2G it gets no signal and stays without service, but when I switch to 3G I get signal right away.
Can I repair it with this menu, and how? Any help is appreciated.
Gays? I'm not a gay LOL

You'd better check your SIM card as well as the mobile service before playing around with your phone. You can put the SIM card into another phone to see if it works, etc...
 
