FORUMS
Remove All Ads from XDA

*Work In Progress* XT912 UnLock Discussion

227 posts
Thanks Meter: 114
 
Post Reply Email Thread
This Is Not Instructions On How To UnLock
As of this time there is still no solution.....yet

I thought we needed a new thread to discuss how the unlock attempts and findings are coming along for the XT912 Droid Razr and the Droid 4.
It's come to attention a few times that the other thread's title alone is quite misleading, so the intention of this thread is to discuss what's been tried, what might be promising, and eventually with some hope luck and strategy - a solution.

Anyone with input on methods they've tried and if there were any results whether positive or otherwise please feel free to post in here.

Likewise, anyone willing to share methods and or instructions on where to or how to begin looking can feel free to share their knowledge.
The Following 5 Users Say Thank You to queberican351 For This Useful Post: [ View ] Gift queberican351 Ad-Free
12th February 2013, 07:17 AM |#4  
Member
Oklahoma City
Thanks Meter: 29
 
Donate to Me
More
Info 2 Where I stand
So far the nv items that I have found to be in the running for the unlock is 0x513c and 0x5072 pops up in QXDM before the cellular radio switches back to cdma. I have tried to access these nv items but get parameter bad. I have been looking for a solution to this issue and maybe we can get some more information that will show the other nv items that give the parameter bad error. According to some of the documentation that I have found the razr may even get t-mobile 3g on the 1700 frequency. My razr hd has t-mobile running on 3g here in oklahoma city.
12th February 2013, 10:17 AM |#5  
mattlgroff's Avatar
Inactive Recognized Developer
Flag San Diego
Thanks Meter: 2,490
 
Donate to Me
More
Quote:
Originally Posted by igwtapc

So far the nv items that I have found to be in the running for the unlock is 0x513c and 0x5072 pops up in QXDM before the cellular radio switches back to cdma. I have tried to access these nv items but get parameter bad. I have been looking for a solution to this issue and maybe we can get some more information that will show the other nv items that give the parameter bad error. According to some of the documentation that I have found the razr may even get t-mobile 3g on the 1700 frequency. My razr hd has t-mobile running on 3g here in oklahoma city.

1900 Mhz refarm most likely. http://www.airportal.de/
12th February 2013, 11:57 AM |#6  
Senior Member
Flag Philadelphia, PA
Thanks Meter: 922
 
More
Well, interestingly enough, tonight I found the mechanism for the lock.
I have been logging on the D4 with VZW SIM installed on a 32 bit XP box and I am not certain why I am seeing different things now but it maybe because they switched on LTE finally here.

In any event, the bottom line is that I found the messages in the logs referencing the Forbidden PLMN List with 4 entries.

MCC MNC
310 410
310 26
000 00
000 00

I have not yet located the exact location of that list but I feel that now that I am certain what I am searching for that I can find it and edit the list.

This is very exciting news indeed!
The Following User Says Thank You to cellzealot For This Useful Post: [ View ] Gift cellzealot Ad-Free
12th February 2013, 04:02 PM |#7  
queberican351's Avatar
OP Senior Member
Flag USA
Thanks Meter: 114
 
Donate to Me
More
Quote:
Originally Posted by cellzealot

Well, interestingly enough, tonight I found the mechanism for the lock.
I have been logging on the D4 with VZW SIM installed on a 32 bit XP box and I am not certain why I am seeing different things now but it maybe because they switched on LTE finally here.

In any event, the bottom line is that I found the messages in the logs referencing the Forbidden PLMN List with 4 entries.

MCC MNC
310 410
310 260
000 00
000 000

I have not yet located the exact location of that list but I feel that now that I am certain what I am searching for that I can find it and edit the list.

This is very exciting news indeed!

NICE work! You got me all excited and giddy now. I know we're not there yet, but damn we're close
12th February 2013, 05:43 PM |#8  
Member
Oklahoma City
Thanks Meter: 29
 
Donate to Me
More
Re: *Work In Progress* XT912 UnLock Discussion
How did you pull the log? What state was the phone in?

Sent from my DROID RAZR HD using xda app-developers app
12th February 2013, 06:09 PM |#9  
queberican351's Avatar
OP Senior Member
Flag USA
Thanks Meter: 114
 
Donate to Me
More
Quote:
Originally Posted by igwtapc

How did you pull the log? What state was the phone in?

Sent from my DROID RAZR HD using xda app-developers app

I know I generally read logs with logcat in adb shell (with adb debugging enabled)

to read the radio log

# logcat -b radio
12th February 2013, 07:49 PM |#10  
Senior Member
Flag Philadelphia, PA
Thanks Meter: 922
 
More
These are the logs generated by QXDM and are not on the phone at all. You cant see the diagnostic interfaces from the radio in those logs, just the RIL.

They are .isf files (Item Store Files) and are generated by QXDM Logging View(F1) and saved by default in the Program Files/QXDM/Bin directory.
You setup which message types are monitored in Logging View Config(F5).
If, like me in most cases, you don't know what you are looking for then you set a very broad set of message types and the logs are extremely large and verbose.
The one I generated last night for about 2 hours of logging is 225MB.

These files can be opened and "replayed" with the Item View(F11)function so you can search them and parse the messages, events and strings or raw item hex data in a split pane view.

It is definitely a huge step to have found the specific mechanism, but still does not necessarily mean there is a boolean switch as has been found before for other models. It may mean that the Forbidden PLMN list and Preferred PLMN list or acquisition databases need to be edited directly.

The phone is connected to the QC Diagnostic Port and not the QC BP Modem as it is for AT mode.

I crashed at 6:00 AM and need to go back and re examine the logs for more info.
There are many NV items that refer to the PLMN(Public Land Mobile Network) in various forms and the items referenced by igwtapc are non existent AFAIK.
I believe he maybe misreading the item IDs because they are expressed in Little Endian (Least Significant Byte First) format in the raw item hex output from QXDM.

In any event, there is a lot to look at now to find the specific means of undoing the block.

EDIT: added screenshots of logs
EDIT 2: I found the same sequence in the Bionic logs and it also checks the Forbidden PLMN List with 4 items but all the items are 000- 00 so it doesn't block anything!
So it seems clear that editing the Forbidden PLMN List should work as desired assuming we can locate it in the NVM.

Edit 3: I have found several items labeled Acquisition List 1, 2,3 and 4 that contain PLMN designations for various bands and have the ATT MCC/MNC pairs in them.
I have not yet found an item that contains values structured like I am anticipating for this list of 4 items.
These items also contain entry codes for each entry and I am not certain how they need to be properly edited even if they are the right items.

Learning lots from moment to moment here though and I wanted to let you in on some of the progress!

Edit 4: I found the item that controls the forbidden PLMN list and sets all values to 000- 00 for the 4 entries like the Bionic, but it was not enough by itself and it still gets flagged as invalid country code despite being able to successfully pass the NAS REG sequence with the cleared PLMN list.

The item is 6844 first byte changed to 00 from default 02 zeros the entries in the forbidden PLMN list.

I won't have much time to work on this further for a couple days but we are definitely closing in on this now!




The Following 8 Users Say Thank You to cellzealot For This Useful Post: [ View ] Gift cellzealot Ad-Free
13th February 2013, 11:59 PM |#11  
drdreww's Avatar
Junior Member
Thanks Meter: 1
 
More
Re: *Work In Progress* XT912 UnLock Discussion
Thanks for starting the new thread!
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes