[BOUNTY] ($205 so far) Enable HSPA+ on 1900 MHz / 1700MHz for VZW Galaxy S3 i535

newuser134 · Sep 20, 2012

Total is shown on 2nd post.

GO TO POST #3 FOR ACHIEVEMENTS, GOALS, NOTES and QUESTIONS

To get some momentum behind this, after reading lair12's "S3 as a world GSM phone" (Link), the great replies to my thread about flashing an AT&T radio to the I535 (Link), and judging from the wealth of information gathered by and the vast knowledge of the great devs such as E.V.A, Adam Outler and Ralekdev when they were working on unlocking the bootloader, I am starting this bounty thread to get some good devs behind this much sought after ability to get full domestic 3G and HSPA+ on the I535, for enabling either 1900MHz or 1700MHz WCDMA on I535 similar to what was done for Galaxy Note i717 (Link). Please add your donations publicly (NOT by pm) to this thread, similar to the bounty thread for unlocking the bootloader. I will update the thread periodically. All regular bounty disclaimers apply. Do any work to reach this goal at your own risk, if you mess up your phone, it's not my fault or anybody else's fault, or if you choose to test any software or firmware on it. Make sure you know what you're doing and that you won't damage your phone before you do it.

Copying the following from another thread:

Requirements to Receive Bounty:

Be first person to create a method of enabling 1900/1700MHz 3G/HSPA+ capability on SCH-I535

Make a post in this thread with the following:

Proving it works with appropriate photos or screenshots

Providing full step-by-step instructions which anyone else can follow

Wait for another member to follow the method and confirm it works

Claim your bounty via PM from donors

Payment will be processed between each member and the bounty collector via PM on an individual basis.

*** Please note: No hardware modification of the phone's radio chips or antennae is allowed to achieve this goal, it will be by software/firmware/coding/flashing only. If the phone turns out to be missing both the wcdma 1900 or 1700 MHz radio(s), this bounty will be void as the goal will not be achievable without hardware modifications. Even if only one of the wcdma bands is "unlocked" and HSPA+ is achieved on only one domestic carrier, the bounty can still be received. ***

I will start myself by donating $50 to the person that reaches this goal first. Please make posts below for your donations. I will update the list and the total bounty regularly.

*** BUMP ***

Any dev with jtag willing to flash a stock or modified AT&T modem on i535 to try it, or edit the "padding" at the end of a stock i535 modem to see if it causes a brick?

Any dev (such as Ralekdev, or with similar knowledge) willing to modify the modem.bin file from an i535 with parts from an AT&T or T-Mobile modem to keep the i535 signatures and hand-off, but operate as an AT&T radio maybe to enable wcdma modulation on 1900 MHz? The RF path for 1900 MHz is already there for gsm 1900. We can involve the help of some AT&T or T-Mobile forum members and devs if dumps from AT&T / T-Mobile modems or other files are required, that part should not be that difficult.

newuser134 · Sep 20, 2012

Day 11:
TOTAL = $205

Donations:

"newuser134" = $50
"ac21365" = $30
"Buff McBigstuff" = $25
"cvsolidx17" = $20
"mybook4" = $25 (for T-Mobile HSPA+) or $50 (for T-Mobile HSPA+ on 1700 AND 1900)
"preusstang" = $20
"worldlyinquirer" = $10

As a separate item, you may wish to donate to replace or repair someone's hard bricked i535 phone if they flash an AT&T modem, when ALL options to find out, prior to actually flashing, have been exhausted to determine whether a cross-device modem flash would brick or not. In that case a volunteer would flash a modem with the agreement of others on this thread. Only in that case, would others who chose to before the flash took place, donate to help replace or repair that person's phone. So far these donations have been made for that purpose:

"mybook4" = $25
"newuser134" = $25

newuser134 · Sep 20, 2012

Achievements / Steps

Main Goal: Enable HSPA+ data on 1700 MHz/1900 MHz (or both) on the Samsung GS3 SCH-i535
To enable the use of it on US gsm carriers (AT&T, T-Mobile) for voice, sms and high speed data

The VZW GS3 is capable of roaming on 850Mhz/900Mhz/1800Mhz/1900Mhz GSM and 2100Mhz WCDMA. As pointed out, if we have the necessary hardware to receive 1900Mhz, it is possible that flashing another modem may allow us to gain the capability to run WCDMA hspa/hspa+ over 1900Mhz.

WARNING, testing modems can result in a hard brick that is only recoverable by JTAG.

As answers are found, they will be posted here with links to the posts containing the results.

Main Milestones:

Find out whether or not all of our existing modems lack the ability to utilize hspa/hspa+ over 1900Mhz WCDMA (also verify the area the user tries the sim operates hspa/hspa+ on 1900Mhz WCDMA).

a) Try AT&T post paid sim using VRLF2 modem
b) Try AT&T post paid sim using VRLG1 modem
c) Try AT&T post paid sim using VRLG7 modem
d) Try AT&T post paid sim using VRLEC modem

Find out whether or not it is possible to flash a modem other than the Verizon released/leaked modems. This is more of a follow up bootloader investigation. I recommend those investigating this to look in the original bootloader unlock thread opened by Adam Outler in the Original Development Section.

a) Find someone with JTAG skills who would be willing to attempt to

i) hex edit an existing modem, changing some non-critical section (perhaps any padding that may exist at the end of the image). This would allow us to see whether or not secure boot checks the modem partition (unfortunately, it almost certainly does).

ii) flash an AT&T modem (will most likely fail due to a different hardware identifier and signature)

b) Investigate whether or not secure boot can be disabled (even if it involves a small hardware mod to accomplish it). The bootloader unlocking thread has a decent amount of info on this, but we still would need to research further.

c) Reverse the machine code of the modem image to ARM assembly and then to C using Ralekdev's method described in the bootloader unlocking thread. This could give us some info on how the secure boot chain is enforced.

*** Would modifying NV entries be the solution, if it's not, o not just, the modem? Either way, it is deeper than /system, because flashing a rooted stock AT&T rom (just /system, /data and kernel) did not unlock wcdma 1900, so it is something beyond the rom and kernel. See this post.

ac21365 · Sep 20, 2012

$30 towards this. Regardless whether it works or not, I just want someone to prove whether this phone has the proper hardware for WCDMA on 1900/1700.

Sent from my Choco Taco using xda premium

Buff McBigstuff · Sep 20, 2012

I have $25

cvsolidx17 · Sep 20, 2012

Will donate $20 if I can successfully flash T-Mobile's as well as pull both 3g and 4G data

Sent from my SCH-I535 using Tapatalk 2

mybook4 · Sep 21, 2012

I'm in for $25 if we can get hspa+ working on TMobile.

$50 if we can get hspa+ working on TMobile for both 1900Mhz (WCDMA) and 1700/2100Mhz (AWS).

I'll be switching to TMobile when my contact ends. They still have unlimited data.

Sent from my SCH-I535 using xda premium

---------- Post added at 08:43 PM ---------- Previous post was at 08:14 PM ----------

The VZW GS3 is capable of roaming on 800Mhz/900Mhz/1800Mhz/1900Mhz GSM and 2100Mhz WCDMA. As pointed out by newuser134, if we have the necessary hardware to receive 1900Mhz, it is possible that flashing another modem may allow us to gain the capability to run WCDMA hspa/hspa+ over 1900Mhz.

Might be a good idea to focus on some areas to start. WARNING, testing modems can result in a hard brick that is only recoverable by JTAG. As we find answers, we should post them in the opening post with links to the posts containing the results.

1) Find out whether or not all of our existing modems lack the ability to utilize hspa/hspa+ over 1900Mhz WCDMA (also verify the area the user tries the sim operates hspa/hspa+ on 1900Mhz WCDMA).

a) Try AT&T post paid sim using LF2 modem
b) Try AT&T post paid sim using LG1 modem
c) Try AT&T post paid sim using LG7 modem

2) Find out whether or not it is possible to flash a modem other than the Verizon released/leaked modems. This is more of a follow up bootloader investigation. I recommend those investigating this to look in the original bootloader unlock thread opened by Adam Outler in the Original Development Section.

a) Find someone with JTAG skills who would be willing to attempt to

i) hex edit an existing modem, changing some non-critical section (perhaps any padding that may exist at the end of the image). This would allow us to see whether or not secure boot checks the modem partition (unfortunately, it almost certainly does).

ii) flash an AT&T modem (will most likely fail due to a different hardware identifier and signature)

b) Investigate whether or not secure boot can be disabled (even if it involves a small hardware mod to accomplish it). The bootloader unlocking thread has a decent amount of info on this, but we still would need to research further.

c) Reverse the machine code of the modem image to ARM assembly and then to C using Ralekdev's method described in the bootloader unlocking thread. This could give us some info on how the secure boot chain is enforced.

Some background info...

Some thoughts:

1) We may need to change more than just the modem partition (mmcblk0p1) for 1900Mhz WCDMA to work. For example, the Synergy IMEI backup script saves backup copies of modemst1, modemst2, efs, fsg, and backup (mmcblk0p12, mmcblk0p13, mmcblk0p11, mmcblk0p21, and mmcblk0p20). Clearly some cellular related data is stored in these partitions. Flashing just the AT&T modem might not play nice with the related partitions (although I don't see this preventing a boot as these partitions are not part of the boot chain; more likely you would boot to no cellular connection).

2) The bootloader unlocking thread has a lot of info regarding the boot chain partition order. I could be wrong, but I believe the modem hands off control to executable code at a very specific location in the next partition in the boot chain (after loading the executable code to memory?). If this location differs between the AT&T and verizon phones, it could cause a hard brick (a jump to the wrong location). During the bootloader unlocking efforts, Ralekdev was able to reverse several verizon GS3 bootloader partition's machine code (1s and 0s) into arm assembly and then reverse them to C. Using his methodology, we may be able to see if the AT&T and VZW modems (mmcblk0p1) both jump to the same partition at the same location. This could help us to know if flashing the AT&T would definitely hard brick (this isn't the only way the AT&T modem could hard brick, but identifying one way could stop us before we did hard brick). This is tedious work and we would need a full dump from someone with an AT&T phone (mmcblk0p1,2,3,etc). The alternative would be someone with JTAG and brass ones just flashing the modem.

Also check this out http://xdaforums.com/show...php?p=31705003

It is the full partition layout for a 32GB i535.

PS, I read through some of the bootloader unlocking thread again (brings back good memories). This post by Ralekdev
http://xdaforums.com/show...php?p=30082055 may explain why flashing an AT&T modem might hard brick. The AT&T modem would need to have the same hardware identifier and signature as the VZW one for the msm8960 to hand over execution to it. I'm gonna take a wild guess that it doesn't. I believe Verizon's locked bootloader may have just struck again.

Our current bootloader unlocking method was achieved by flashing an unsecure aboot partition (mmcblk0p5). In English (lol), there are several partitions in the boot chain leading to the kernel. The last one is aboot. The one after aboot is the kernel or the recovery partition (depending on whether you are or are not booting to recovery). Each partition in the boot chain checks to see that the next one has the correct signature before handing over execution to it. The unsecure aboot partition we now use to "unlock the bootloader" doesn't enforce (or just doesn't check) the signature of the kernel partition. This is why we are able to run custom kernels not signed by Samsung.

However, the bootloader partitions earlier than aboot still enforce signature checking before handing off execution. The first signature checks are done in hard coded msm8960 firmware. Although I'm not 100% certain of this, I believe the modem partition signature is checked in hardware by the msm8960 prior to execution (it would be a poor security system if it wasn't). So, unless we had Samsung's i535 private key used to sign the modem partition (something that would take more time than the current age of the universe to brute force on the world's fastest supercomputers), the AT&T modem would fail the signature check and the boot process would stop there. The AT&T and TMobile variants (and sprint for that matter) don't have Qualcomm's Secure Boot enabled, so their modem partition isn't subject to a signature check and enforcement.

On the bright side, if we were able to find a way to run a custom (non-i535) modem partition, we would have discovered a true bootloader unlock at one of the lowest levels.

Before the unsecure aboot partition was leaked and the i535 community rejoiced, there was some talk about seeing whether or not a QFuse for secure boot had been blown (permanently enabling secure boot). I don't think we ever found out with 100% certainty whether or not it was. If it isn't, we might still be able to disable secure boot, but it may involve a small hardware modification (a pull up or pull down resistor on an msm8960 GPIO pin. Annoying (and would take quite a while to locate the right one), but not too crazy to do with guts and a decent soldering iron. A software method is definitely preferred, but when you get that low level, you are sometimes dealing with read only segments.

The phone does indeed do WCDMA on 2100, the question we all would like answered is what other bands is the phone capable of operating WCDMA on, and if it does have that hardware, we need to figure out what Verizon did to the software to have it disabled.

This is a great discussion, when we got the unsecure aboot a month ago, I thought of this same issue, because on phones like HTC, when you get S-off, the phone basically doesn't care what code you put on it, it just loads it (as long as it is executable code). However, we just created a "hole" in the signature check, as you said, the unsecure aboot is still signed with the right signature, it just doesn't check for more signatures after that point. I posted this question in a thread right at that point, I'll look for it, but I don't think anyone responded to it. To achieve a truly unlocked phone on the same level as the other carrier versions, the CPU secure boot needs to be disabled. That is why I was still bothered by "secure boot enabled" when you go into Odin mode. This is not to say that what the devs did wasn't unbelievable and we are still benefiting from the fruits of all their work on unlocking the bootloader, so we did reach that goal, but I'm just making an observation that to truly be able to flash any partition without worry of not making the hand-over to the next partition, secure boot needs to be disabled.

I did some work on Motorola 6811 micro controllers when I was in college, there were different versions, some were only test chips and thus programmable only once, using e-fuses, so I understand how incredibly stupid and annoying it would be if Verizon has blown the q-or e-fuses in everyone's I535, which we paid for just like those on other carrier networks, but we didn't get the same phone they did if this is in fact true. In the bootloader R&D thread, which is now closed, E.V.A and I shortly had a few posts about enabling the gpio pin to turn off secure boot, they were trying to figure out the right voltage for the pull up resistor source, I think it ended up being 3V or something like that (don't try it without doublechecking that), but apparently there was a different pin somewhere that grounded that gpio thru a FET transistor, so applying the pull up voltage didn't help. Another thought was that even though the q-fuse may not have been blown (I sure hope it wasn't), that the gpio was somehow pulled down internally through the chip inside with a weak ground (like a voltage divider), so a higher pull up current (bias) was needed to actually disable secure boot. Adam also mentioned that not all Samsung schematics are always correct, that even though the manual said a high is needed to disable secure boot, it may actually need to be grounded, so that it was internally pulled high, and that it needed to be grounded externally for it to work right. Another option would be that it's a combination of pins that need the right input, not just that one (I think it was q-fuse 6 or 7), so until the right voltage is applied to all those pins, secure boot won't get disabled.

This all assumes that he q-fuse isn't blown, so there is a way to disable secure boot. If it is blown, then it cannot be disabled. Then the only option would be to make a hybrid AT&T / VZW modem file that has the signature needed, but executes the same things as the AT&T modem, hence enabling the 1900 MHz band.

A final thought is that just like the original aboot never enforced security on the /system or /recovery partitions, maybe when secure boot is on, it enforces signature checks when they are in some partitions, but if the code in the specific partition doesn't ask for it, like the unsecure aboot now doesn't, maybe the modem isn't checked for signature, ad th modem doesn't check for signature when handing over to the next link in the boot chain. That's why I was saying we just need to do it, and have someone with jtag do it, so no one bricks their phone, but we get an answer to the question without making a mistake that can't be recovered from.

Your thoughts, and anyone else's, are greatly appreciated, and it would be great at this point, to continue on to tackle the issue of secure boot, and figure out what we can flash to this phone without bricking it.

We're not really trying to improve reception, we're trying to open some frequencies for gsm/wcdma that would make this phone fully functional on AT&T or T-Mobile, it wouldn't really change anything on Verizon and CDMA/LTE. It would just make this phone a true multi-network phone. Right now it can get "4G" data on gsm carriers overseas, but not on AT&T or T-Mobile, when we solve this problem, it will get 3G/4G data on ANY gsm network, even domestic ones. So you could take your phone to AT&T or T-Mobile and get service there.

Yes, like ac21365 said, this phone does in fact receive wcdma 2100, we're uncertain about wcdma 1900, and although it is highly unlikely that this one might be there, wcdma 1700 (AWS band). Here's the interesting part though, the chipset in this phone is identical to the one in the AT&T version, I747, that one has both 2100 and 1900 bands. Our Verizon phone also has ALL the gsm bands that the AT&T version has (gsm 850, 900, 1800 and 1900), so the 1900 band filter, antenna and amplifier is already there for gsm. If they wanted to save money, why not remove all the gsm stuff since this is a CDMA phone? At this point, it would be cheaper to leave all the hardware stuff on the phone the way it is and just make them all the same, rather than make multiple versions, which would actually be more expensive. It is strange that all the gsm/wcdma bands that Verizon needs for their overseas gsm roaming is there, but the only one that would le you ge AT&T's "4G", is disabled, even though the chipset is physically able to receive/handle it. So it makes no sense that to save money, they left wcdma 2100 fully capable on this phone, but removed wcdma 1900. It could very likely be disabled by Verizon's modem software. That's why we want to get to the bottom of it.

mybook4 · Sep 22, 2012

Called the local at&t store. They wouldn't let me try a post paid sim in store unless I signed up for a plan. Very customer friendly, lol.

In other news, incubus posted that the developer edition of the vzw gs3 is available for sale. I'm curious if we can use some of the partitions? Finding someone who has bought this will be tough.

Sent from my SCH-I535 using xda premium

preusstang · Sep 22, 2012

cvsolidx17 said:
Will donate $20 if I can successfully flash T-Mobile's as well as pull both 3g and 4G data

Sent from my SCH-I535 using Tapatalk 2

You do realize that we will def. not be able to get T-Mobile 4G right? We're talking about HSPA+ here (3G data). TMO's 4G LTE uses different hardware. Please modify your post to reflect whether or not you're still in this.

Count me in for $20 towards at least AT&T ( this would let me use straight talk w/o messing with cdma workshop and the dirty clone job :/ )

BTW, thank you for starting this bounty. I hope this issue gains some momentum now!

newuser134 · Sep 22, 2012

preusstang said:
You do realize that we will def. not be able to get T-Mobile 4G right? We're talking about HSPA+ here (3G data). TMO's 4G LTE uses different hardware. Please modify your post to reflect whether or not you're still in this.

I think what he means by that is T-Mobile's "4G", which they've had before even starting on their LTE, both T-Mobile and AT&T refer to HSPA+ as "4G", so that's what he means. The scope of this bounty never included LTE service from ANY other provider, so a donation for that wouldn't even be accepted as it is not possible to reach that goal. Just to reiterate, this bounty is for either wcdma 1900 OR wcdma 1700, or both, whichever is possible by hardware. We are not attempting to enable any other carrier's LTE service on this phone.

Hope that clarifies things a little.

newuser134 · Sep 22, 2012

mybook4 said:
Called the local at&t store. They wouldn't let me try a post paid sim in store unless I signed up for a plan. Very customer friendly, lol.

In other news, incubus posted that the developer edition of the vzw gs3 is available for sale. I'm curious if we can use some of the partitions? Finding someone who has bought this will be tough.

Sent from my SCH-I535 using xda premium

The signatures may not work on the hardware-coded signatures that these phones are looking for though, and even if they do, they probably didn't write its firmware to make the radio activate those bands we want though anyway. However, that phone may be the way for us to get to the solution; the dev edition doesn't have secure boot enabled (most likely, otherwise I wouldn't want one) but the hardware is IDENTICAL to the i535 (regular) version, so maybe if we could raise enough w/ the bounty to get one, we could flash att or t-mo modems, and see if that would enable 1900 wcdma band, right? It would help us on the way to "dev" the right modem file, hehe, since it's the dev edition.

mybook4 · Sep 24, 2012

Someone claims to have flashed an at&t modem on a Verizon GS3 and still been able to boot. Hopefully it isn't a spoof (that would be pretty messed up as it could lead others to hard brick their devices).

http://xdaforums.com/showthread.php?p=31936888

Sent from my SCH-I535 using xda premium

newuser134 · Sep 24, 2012

mybook4 said:
Someone claims to have flashed an at&t modem on a Verizon GS3 and still been able to boot. Hopefully it isn't a spoof (that would be pretty messed up as it could lead others to hard brick their devices).

http://xdaforums.com/showthread.php?p=31936888

Sent from my SCH-I535 using xda premium

It doesn't seem like a spoof or hoax, judging from the person's membership length and info. The other reason is that from what I've read on the AT&T sections, when they flash a pure (non-modified to utilize the i747 radios) T-Mobile (T999) modem, the i747 doesn't brick either, but it loses signal completely. Unless the information was gathered from those threads (which seems unlikely), it seems somewhat realistic. I don't know why anyone on this forum, after being a member for that long, would make up something that horrific and cause everyone on here to hard brick their phones. Now we just need to get someone with jtag, maybe Adam Outler, to flash an AT&T modem and see what happens.

mybook4 · Sep 24, 2012

newuser134 said:
It doesn't seem like a spoof or hoax, judging from the person's membership length and info. The other reason is that from what I've read on the AT&T sections, when they flash a pure (non-modified to utilize the i747 radios) T-Mobile (T999) modem, the i747 doesn't brick either, but it loses signal completely. Unless the information was gathered from those threads (which seems unlikely), it seems somewhat realistic. I don't know why anyone on this forum, after being a member for that long, would make up something that horrific and cause everyone on here to hard brick their phones. Now we just need to get someone with jtag, maybe Adam Outler, to flash an AT&T modem and see what happens.

Yeah, but there is one key difference between our GS3 and every other variant... Secure Boot. It's the only reason I'm hesitant/skeptical but I really hope the poster is genuine. If he/she is, I feel he/she should be included in the reward (if it turns out to be a breakthrough that helps us get working 1900Mhz hspa).

If an AT&T modem flash works on our device without bricking it, it must mean that either the modem partition (one of the earliest parts of the boot chain) isn't checked for signature / hardware identifier or that the AT&T modem he used was signed with the same private key used to sign our modems.

I wonder if the AT&T bootloader partitions do any checks of subsequent boot partitions? If they don't, this could be a way around secure boot. If they do, they may check to see if secure boot is enabled before actually enforcing the check. All this is speculation until we receive confirmation from the poster.

... <drumroll>...

Sent from my SCH-I535 using xda premium

newuser134 · Sep 24, 2012

mybook4 said:
Yeah, but there is one key difference between our GS3 and every other variant... Secure Boot. It's the only reason I'm hesitant/skeptical but I really hope the poster is genuine. If he/she is, I feel he/she should be included in the reward (if it turns out to be a breakthrough that helps us get working 1900Mhz hspa).

If an AT&T modem flash works on our device without bricking it, it must mean that either the modem partition (one of the earliest parts of the boot chain) isn't checked for signature / hardware identifier or that the AT&T modem he used was signed with the same private key used to sign our modems.

I wonder if the AT&T bootloader partitions do any checks of subsequent boot partitions? If they don't, this could be a way around secure boot. If they do, they may check to see if secure boot is enabled before actually enforcing the check. All this is speculation until we receive confirmation from the poster.

... <drumroll>...

Sent from my SCH-I535 using xda premium

That's what I was wondering about: If any checks are enforced even if a partition does have checks written into it if secure boot is disabled. What is the exact roll of secure boot? Does it only do hardware check on the first partition boot (modem), or is it like a "guard", and forces every subsequent partition look for a signature to? If the latter is true, then disabling secure boot would make ALL signature checks turn off and obsolete, making the phone truly unlocked whether the software code asks for signatures or not. If the initial condition is true (only checks the first boot partition) then like you said, getting a modem file that has no signature check would almost entirely get around secure boot, I wouldn't really bother us any more if we managed to get firmware that has no signature check, kind of like the unsecure aboot.

Why is it so difficult to get a dev with jtag setup to try this for us? To flash a stock AT&T or T-Mobile modem and see what happens?

newuser134 · Sep 24, 2012

I just came to a feeling of "revelation" after reading through some of the AT&T threads about the AT&T Note working on T-Mobile, to the conclusion that if a phone is capable of gsm on ANY band, it MUST also be capable of wcdma on that same band (as long as the phone has wcdma capability on other bands and is not a pre-3G/pre-wcdma era phone, like old flip phones, and we all know our phone is capable of wcdma 2100 AND gsm 1900).

This is why: the difference between gsm and wcdma is frequency/spectrum bandwidth and software manipulation by the CPU, kind of like wave and mp3 files. All the signals go to the same tranceiver, so if the phone has hardware for gsm 1900, it already has the hardware and RF path for wcdma 1900. It also has the ability to take larger chunks of a gsm band and use software to decode a wider frequency portion and turn in into a higher bandwidth (speed) wcdma connection. It's the modem software that does this. This wouldn't work if we were concluding the same thing for interchangeability between gsm and LTE, because LTE uses MiMo (multiple-in Multiple-out connections), and that is a different method of reaching higher data rates, it is not just a different modulation scheme using a wider bandwidth, so gsm and LTE aren't interchangeable even on the same frequency, but gsm and wcdma are. That's how they were able to change 3G into HSPA+ "4G", and receive higher data rates just by changing software, that's why 3G gsm phones can usually also get HSPA+ speeds on AT&T, but they don't call it 4G, just H+. That's why T-Mobile is going to re-farm its EDGE network to run HSPA+ on 1900 MHz, otherwise it would use it for LTE. The antennae are already there, the difference is modifying how the band is used with the help of software. Compare it to putting a large picture on a network of multiple tv screens as one big picture, instead of on just one screen. With the right software and multiple screens (in our case CPU power), it can be done.

That is why the 3G gsm/wcdma capable Verizon iPad 3 (newest version) can also receive AT&T's HSPA+, because the modem software is there, or the same iPhone 4s, if unlocked, can run on Verizon's CDMA 850/1900 and AT&T's wcdma 850/1900 without any hardware differences.

The difference between CDMA, gsm and wcdma is just software to understand the modulation/demodulation and the width of the frequency band, notice how they all use the same frequencies (850/900/1800/1900)? LTE is totally different and requires different bands (like 700, 1700 - this is not the same as 1700 AWS part of the band that is used for t-Mobile's wcdma) and won't work with the others.

All that is needed is the right modem software to literally "patch" the i535 radio to understand wcdma modulation on 1900 MHz, the same way it does on 2100 MHz. Right now it can receive wcdma on 1900 MHz, but it means nothing to the phone, it needs the ability to "read" it, we already know it has the ability to decode wcdma signals.

The only factors that decide this, are provisioning (sim), RF hardware (we know it is there for 1900 MHz) AND, the right modem software. When we put in an AT&T sim, we've provided 2 of these requirement, the one missing is the modem file. If someone can write the correct modem / shuffle the right files onto the right partitions (it may not be just the modem partition as we have seen from the imei problems), I know this phone could do it. I hope this proves it to everyone else the way it just proved it to me. I think that's why the Note was able to run on t-mobile, it had the RF hardware, it just needed the software decoding. Call it a codec if you will, that's all that's missing.

Now, if anyone is able to figure out what is needed, that's a different question, but being able to flash AT&T or t-mobile modems is the very first step. Now we need to figure out if it will brick or not.

patt2k · Sep 24, 2012

wow I really hope this goes somewhere! as I will be planning to use my S3 on Simple Mobile once my contract ends with VZW

40$ vs 70$ is a huge difference for me

Strothmann · Sep 24, 2012

I was able to get 3g on ATT.

newuser134 · Sep 24, 2012

Strothmann said:
I was able to get 3g on ATT.

Anyone know why this says EDGE and shows edge speeds, but the icons say 3G or 4G? Shouldn't phone info say "UMTS" under network type?

Strothmann · Sep 25, 2012

ITs due to me revering back to vzw. when i took the screenshot.

[BOUNTY] ($205 so far) Enable HSPA+ on 1900 MHz / 1700MHz for VZW Galaxy S3 i535

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Similar threads

Top Liked Posts