Enable CP Debugging (Baseband)(hack)

ryanbg

Inactive Recognized Developer
Jan 3, 2008
UPDATE: You can enable CP Debug by just typing *#66336# and turning the option on.
If you don't know what this is, it might be a good idea to pass on this, as it won't really provide you any benefit.

Verizon disables CP debugging in the radio/service menu. I found a unique little proof-of-concept hack that I tested and was successful. So basically there's a file called cmdline in /proc which shows you the arguments the kernel was run with at boot time. This file is from the kernel/ramdisk and cannot be modified, as it's merely a symlink to the arguments in the kernel, and not a file itself. /proc is very dangerous for the uninformed/uneducated user, so continue at your own risk. I am not responsible for anything any of you do, ever.

Before you continue, understand this is a VERY dangerous process, and messing up can permanently destroy your device. I am not responsible for anything that happens to your device. It is your choice to utilize this information. Please follow my directions VERY carefully.

Step 1: Make a copy of your /proc/cmdline.
It should look similar to this (note: do not use this example, it has been heavily modified to protect my private information and applies to my kernel/device specifically):
Code:
console=ttyS0,115200 androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F cont_splash=1 ********************
[email protected] [email protected] sec_debug.reset_reason=0x1a2b3c00 lcd_attached=1 lcd_id=0x404024 androidboot.debug_level=0x4948 sec_debug.enable=1 sec_debug.enable_user=1 slub_debug=o msm_rtb.enable=1
[B]androidboot.cp_debug_level=0x55FF sec_debug.enable_cp_debug=0[/B] cordon=REMOVED connie=SM-N900V_VZW_USA_REMOVED
loglevel=8 samsung.hardware=SM-N900V samsung.board_rev=8 androidboot.emmc_checksum=3 androidboot.warranty_bit=0
androidboot.bootloader=N900VVRUBMJE androidboot.nvdata_backup=0 androidboot.boot_recovery=0 androidboot.batt_check_recovery=0
sec_debug.pm8941_rev=3 sec_debug.pm8841_rev=2 vmalloc=450m level=0x47494844 sec_pvs=0 batt_id_value=0
androidboot.check_recovery_condition=0x0 androidboot.emmc=true androidboot.serialno=REMOVED androidboot.baseband=msm

Step 2: Take a look at the bolded line in the previous step. If we want to enable CP debugging, we'll need to change those values. Change androidboot.cp_debug_level=0x55FF to 0x5500 and, obviously, change sec_debug.enable_cp_debug=0 to 1. Save this copy to /sdcard or wherever you will remember it. Remember to save it without an extension so it's not a text document.

Step 3: Since cmdline is read at boot, how would changing this work? Well, it appears that some of these debugging values are read during runtime, instead of just at boot. We can't edit or modify /proc/cmdline, but we can bind it to another file so it reads our custom cmdline instead of the one from our kernel. Find your modified cmdline copy (e.g., /sdcard/cmdline) and take note of its location. Next, open adb shell or a terminal emulator and type the following:
Code:
mount -r -o bind /sdcard/cmdline /proc/cmdline
Now check your logcat ;) I use a nifty free app called aLogcat which can be found in the Play Store. You will need to run this command every time you boot/reboot, or you can write a script to do so at startup. You can also verify success with the following command: cat /proc/cmdline. That should show your modified cmdline.

Keep in mind this log can contain sensitive information such as incoming text messages or Google messages, which may leave you vulnerable. Surge1223 was also successful using this method on the Verizon S4. Again, PLEASE do not change any other values in cmdline, as it will either not work (since those values are taken at boot time) or it can render your device inoperable/bricked/unbootable.

I'm also currently exploring the possibility of enabling bands 26 and 41 (Sprint bands) on Verizon devices. Again, it won't really bring any benefit to most, but is more of a proof-of-concept type hack.

Thanks to surge1223 and bftb0 as always
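The three steps above, collected into one script, as an added example that is not ryanbg's code. It assumes a root shell on the device, that the two tokens are spelled exactly as in the post's cmdline, and uses the post's own /sdcard/cmdline as the copy location; the `apply` argument and the function names are mine. The rewrite only ever touches the two intended tokens, and a guard refuses to write the copy if anything else would differ, which is the check the post's warning about other values calls for.

```sh
#!/system/bin/sh
# Added example (not from the original post). Assumptions: root shell, the two
# CP-debug tokens spelled exactly as in the post's cmdline, copy at /sdcard/cmdline.

# Step 2 as a pure text transform: walk the cmdline token by token and flip
# only the two CP-debug values. Every other token is passed through untouched.
rewrite_cmdline() {
    out=""
    set -f                      # no globbing while we split on whitespace
    for tok in $1; do
        case "$tok" in
            androidboot.cp_debug_level=0x55FF) tok="androidboot.cp_debug_level=0x5500" ;;
            sec_debug.enable_cp_debug=0)        tok="sec_debug.enable_cp_debug=1" ;;
        esac
        out="${out}${out:+ }${tok}"
    done
    set +f
    printf '%s' "$out"
}

# Guard for the post's warning: compare original and rewritten line field by
# field and accept only the two intended changes. Returns 0 when that holds.
only_expected_changes() {
    o=$1
    set -f
    set -- $2                   # positional params = rewritten tokens
    for tok in $o; do
        [ $# -gt 0 ] || { set +f; return 1; }
        case "$tok -> $1" in
            "$tok -> $tok") ;;  # unchanged field
            "androidboot.cp_debug_level=0x55FF -> androidboot.cp_debug_level=0x5500") ;;
            "sec_debug.enable_cp_debug=0 -> sec_debug.enable_cp_debug=1") ;;
            *) set +f; return 1 ;;
        esac
        shift
    done
    set +f
    [ $# -eq 0 ]                # rewritten line must not have extra fields
}

# Steps 1 and 2: read the live /proc/cmdline, rewrite it, and save the copy
# (no extension, as the post says). Refuses to write if the tokens are absent
# or if anything other than the two intended values would change.
make_copy() {
    dest=${1:-/sdcard/cmdline}
    orig=$(cat /proc/cmdline)
    new=$(rewrite_cmdline "$orig")
    if [ "$new" = "$orig" ]; then
        echo "cp_debug tokens not found in /proc/cmdline; nothing written" >&2
        return 1
    fi
    only_expected_changes "$orig" "$new" || { echo "unexpected change, refusing" >&2; return 1; }
    printf '%s\n' "$new" > "$dest"
}

# Step 3: bind the copy over /proc/cmdline (needed again after every boot),
# then verify the same way the post does, by reading /proc/cmdline back.
bind_and_verify() {
    src=${1:-/sdcard/cmdline}
    [ -r "$src" ] || { echo "$src missing; run make_copy first" >&2; return 1; }
    mount -r -o bind "$src" /proc/cmdline || return 1
    [ "$(cat /proc/cmdline)" = "$(cat "$src")" ]
}

# Usage on the device: sh cpdebug.sh apply
if [ "${1:-}" = apply ]; then
    make_copy /sdcard/cmdline && bind_and_verify /sdcard/cmdline && echo "CP debug cmdline bound"
fi
```

Because the mount does not survive a reboot, the `apply` path is the part you would put in a startup script; `make_copy` only needs to run once per firmware, since the saved copy stays valid until the kernel's own cmdline changes.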

E:V:A

Inactive Recognized Developer
Dec 6, 2011
This is very useful. Note this also enables you to grab the detailed logs from the sec_log location indicated in the cmdline, though this log is probably only useful to devs or enthusiasts.
How do you do that? viewmem?
Also, what's the difference between:
sec_log= and sec_dbg=

Have you tried it? Can you post an example output?
 

Surge1223

Recognized Contributor
Nov 6, 2012
How do you do that? viewmem?
Also, what's the difference between:
sec_log= and sec_dbg=

Have you tried it? Can you post an example output?
In the second to last post here I posted a lot of a sec_log: http://forum.xda-developers.com/showthread.php?t=2691420 (I didn't post all of it because sec_log is a minimum of 1 MB), and yep, I used viewmem to extract it. As for sec_dbg, it isn't human readable per se.


E:V:A

Inactive Recognized Developer
Dec 6, 2011
As for sec_dbg, it isn't human readable per se.
Perfect! Probably the sec_dbg contains raw RF data or whatever is in the SHM buffer. Probably QXDM can read this, or try loading it in Wireshark... Um, no, it probably needs to be "translated/extracted" first.
 

ryanbg

Inactive Recognized Developer
Jan 3, 2008
Figured I'd update this post too, since I found the correct way to enable CP Debug Mode. Make sure HiddenMenu is enabled in /efs, then dial *#66336# and turn CP Ramdump On (or MDM Ramdump if you're on an S4).

E:V:A

Inactive Recognized Developer
Dec 6, 2011
...I'm also currently exploring the possibility of enabling bands 26 and 41 (Sprint bands) on Verizon devices.
Are you using a Sprint SIM?
If not, you'd probably need to look deeper, and perhaps reprogram part of the SIM, enable the correct PRLs and check for phone band support etc.

... Make sure HiddenMenu is enabled in /efs
What menu is that and how is that done?

I obviously don't have your device, but perhaps this is not Verizon specific...
 

ryanbg

Inactive Recognized Developer
Jan 3, 2008
Are you using a Sprint SIM?
If not, you'd probably need to look deeper, and perhaps reprogram part of the SIM, enable the correct PRLs and check for phone band support etc.


What menu is that and how is that done?

I obviously don't have your device, but perhaps this is not Verizon specific...
I believe the bands may be controlled by Qfuses, and some other parameters within the CP.

/efs/factoryapp/HiddenMenu -> ON
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
I believe the bands may be controlled by Qfuses, and some other parameters within the CP.

/efs/factoryapp/HiddenMenu -> ON
Bands are not controlled by Qfuses. I've never heard of such a thing. Bands are controlled in NV items and/or in the SIM card. If Qfuses are involved there must be a proxy app doing the fuse --> NV items translation. Or did you see something in the Qfuse register dump?
 

E:V:A

Inactive Recognized Developer
Dec 6, 2011
I'll be damned! Nice to be wrong sometimes. That's when you learn new stuff.
Well then, I just don't know how it works. I guess Verizon is such a big customer, they can do what they want. So the questions are: where is the physical location of those fuses? Where are they read and where is that information going?
 

ryanbg

Inactive Recognized Developer
Jan 3, 2008
I'll be damned! Nice to be wrong sometimes. That's when you learn new stuff.
Well then, I just don't know how it works. I guess Verizon is such a big customer, they can do what they want. So the questions are: where is the physical location of those fuses? Where are they read and where is that information going?
Their SoC package with integrated Baseband/CP is REALLY interesting. I think the CP = Hexagon, and the Hexagon DSP does all sorts of low-level non-radio business. The more I discover the more I'm intrigued.