[HowTo] [VZW XT907/926 RAZR M/HD] Unlock US GSM Carriers Using RadioComm

cellzealot

Introduction:

This post is a guide to show how to perform the NV edit required to unlock US GSM carriers (AT&T and T-Mobile, etc.) on the VZW XT907/926 RAZR M/HD stock modem using a Motorola serviceware tool called RadioComm.
This is simply a different method to perform the same hack that was discovered by Arnold Snarb in the main thread about ATT/T-Mobile here.

http://forum.xda-developers.com/showpost.php?p=37123644&postcount=158

Despite the fact that he thanked me for leading the way in that post, he did some really brilliant analysis of the logs in QXDM to isolate this NV Item and saw something in them that I had missed, as well as guessing correctly about its significance, and deserves all of the credit for this hack.
Everyone should please go and thank him in that post for the outstanding work.

He used a tool called DFS to access and edit NV Item 8322 and change the value of the first byte from 01 to 00 which disables the checking of the MCC/MNC against a list of banned networks and flags MCC 310 as Invalid Country Code.
That method requires booting into BP Tools mode from the boot menu and loading the Qualcomm diagnostic device interfaces.
The problem is that there are no signed 64bit drivers available and you must force load the drivers on Win7/8 64 bit for the diagnostic port in order to see the device properly and have NV read/write access.
This has been a stumbling block for many users and makes the NV editing unnecessarily difficult.

This method uses Factory boot mode and allows RadioComm to have full diagnostic mode access via the Motorola USB Networking driver that loads normally with the standard USB driver set. I will demonstrate 2 different ways to perform the edit, one manual and one using a preconfigured SEEM table file that writes the value in a single operation.

Neither of these methods is as easy as an update.zip install from custom recovery would be, but we don't have a binary that supports the motorola.update_nv function that we used for prior MDM6600 based devices available to us for the MSM8960 devices.
Given that some form of diagnostic mode software and a PC is required, I feel that RadioComm is probably an easier option for most users as it avoids the driver problems and has a clearer and simpler interface for NV read/write access than DFS.
Once you have the latest Motorola drivers installed and RadioComm loaded, this guide should make it very easy and safe to perform what is generally a complicated and potentially dangerous task of editing the radio NVM (Non Volatile Memory).

RadioComm itself is a terrifyingly complex piece of software with a GUI that can bring even the most seasoned and experienced phone hacker to their knees wondering what all the various windows, modules and buttons do.
It is the premier Motorola serviceware application and is designed by and intended for use by top level radio engineers and technicians.
It is an extremely powerful application that can access all models and chipsets of Motorola devices and perform a vast array of diagnostic testing and configuration operations and can be fully automated via multiple scripting languages.

It's just plain scary and confusing and very dangerous if not taken seriously.

Warning and disclaimer:

DO NOT PLAY AROUND WITH ANY FEATURES OR RANDOMLY HIT ANY BUTTONS IN RADIOCOMM!!!

YOU CAN RENDER YOUR PHONE DYSFUNCTIONAL OR UNBOOTABLE IN SECONDS!!!


This cannot be emphasized strongly enough!

Follow the instructions exactly as they are written and shown in the screenshots and you will find it very simple to use and have no trouble doing the edit with either method.

You, the user, are the only person responsible for your actions and performing this hack will absolutely void your warranty the same way rooting or any other modifications to your device's software does!

That said, this hack will be undetectable and have no outward visible signs of having been performed other than the fact that any GSM SIM should work afterward.

Root is NOT required and this can be safely done and undone at will without making any other changes on the device and all normal services function properly on VZW's network with the edit in place. It appears to only affect the US GSM network block and nothing else.

Prerequisites:

You need to have a recent set of Motorola USB drivers v. 5.9.0 or greater installed on your PC with a full USB 2.0 compatible port.

You need a standard Motorola micro USB cable.

RadioComm 11.12.xx. I have included a link to 11.12.2 below.

https://dl.dropbox.com/u/7632904/RadioComm_v11.12.2_Install.zip

This has been tested on Win7 64bit and WinXP SP3 32bit with .NET Framework 4.0 installed.

Method:

This guide assumes you already have RadioComm and the drivers properly installed and have rebooted both PC and the phone afterward.

The first instructions and screenshots describe the initial setup and manual method using the FTM Common 1 tab and the NV Access window in RadioComm.

When you first open RadioComm you will get a popup stating that the version is more than 2 months old. Just close it and continue.

Now go to the top left corner and hit the Main button and select the MA: Common/MDM6x00 as shown in the first screenshot.




Next, go to Settings/USB and select PST USB Driver as shown in the second screenshot.
Test Command Format should default to P2K05 lower in the Settings menu.
Leave all other options default.



Now we are ready to connect the phone and perform the edit.

Make sure you have Connect as Media Device in USB settings and USB Debugging enabled in Developer Options.

Power off the phone and then hold both Vol Up and Down + Power to enter the boot menu.

Use the Vol Down key to scroll down in the menu to Factory and then Vol Up key to select and the phone will boot.

Connect the USB cable and RadioComm will enumerate the phone and the radio button in the top right will change colors.
It will cycle several times from red to yellow and eventually go green when the device is fully enumerated and shows as XT907 in the status bar at the bottom of the screen. You can read the Software Version and MEID/ESN/pESN buttons to make sure everything is working properly.
On each successful read the GUI will flash green, the Command buffer will turn green and any selected button will be green.
Any unsuccessful attempt will turn red.
If not, then restart everything and check over all settings again before proceeding.

Now go to the tabs bar across the top middle of the GUI and select FTM Common 1 tab and go to the NV access window in the center right of that tab and select the top menu Item "FFFF Manual Entry" as shown in the third screenshot.



Now hit the Read button and you will get 2 popup windows.
In the first window you will enter the Decimal NV Item ID 8322 and in the second you will enter the byte length to be read, 1, as shown in the fourth screenshot.



When you hit ok it will read the NV Item and flash green and display the data in the hex output buffer below and you will see 01 for the value as shown in the fifth screen shot.



Now highlight the 01 and change it to 00 and hit the write button and this time it will only popup once asking for the Decimal NV Item ID 8322. When you hit OK the item will be written and the GUI will again flash green for a successful write as shown in the sixth screenshot.



You are now finished and can either use the restart button at top right of RadioComm to reboot or manually restart the phone.

The last screen shot is edited to show the steps to use the NV/SEEM feature with a SEEM table file I have provided below to do all of the steps as a single operation. Some users may find this easier than manually editing in the NV Access window but it's really almost the same number of steps.

Go to the top left and hit Features and select NV/SEEM and another window will open and the radio button will cycle again a couple of times as it re-enumerates the device, and it will finally go green. Follow the instructions in the seventh screenshot and be sure to use the Restart button in the main window after you close NV/SEEM, because it suspends the phone and it will be black screen and unresponsive and require holding Vol keys and Power for 10 secs to reset it otherwise.



Congrats! All done now and the rest is just putting in a SIM and selecting GSM/UMTS in Network Settings and everything should just work!
Below is the link for the .NVM SEEM table file.

https://dl.dropbox.com/u/7632904/TBH_RAZR_M_GSM_Unlock.NVM

Please use this thread to discuss issues relating to this method and RadioComm and keep general discussion of the phone on US carriers in the other thread, thank you!

:cool:
 

Yehudah

Thanks man.. gonna try this when I get home tonight. I was actually just thinking about switching vendors from VZW to someone else and didn't really want to buy a new phone.

Maybe now I don't have to. Proof is in the pudding though, maybe I'll buy a cheap month of Straight Talk to see if it works?
 

nrgyitguy

Running RAZR M in US on straight talk now. Works wonderful!!!
 

cellzealot

Hmm, MDM6x00? Won't that work on the OG RAZR XT912 / Droid 4 as well?
The MA used in RadioComm is the same chip set base as the RAZR/D4 because it's the closest to the MSM8960 available in this version, which is more than 18 months old now.

What we really need is an updated version of RadioComm with full support for the newer chip sets.

This specific NV Item 8322 does not exist on the MDM6600 chip set devices and I have not been able to find a similar boolean switch item for those phones, unfortunately.

I have been logging with QXDM extensively searching for a way to disable the MCC/MNC block on MDM6600 without success so far.
I have dumps of all of the readable NV items from 0000-12000 from many devices running various builds and even a dump from Chinese engineering build on P3Droid's Dev model where everything is working as it should with open GSM on US carriers.

I would love some help from someone with a better understanding of the radio and diagnostic mode access than myself.
Very few people know how to use the software to even start analyzing the problem.
 

progrockguy

Remember to install the latest Motorola drivers and *especially* highlight the entire 01 and type 00. I was backspacing only the 1 and it did not "stick" when writing. So HIGHLIGHT, don't backspace. Works perfectly.
 

cpslim

:confused: Is it possible to write the NV item to the Droid 4 then edit??
 

donslade

Followed instructions and worked perfectly. The key for me was the latest Motorola drivers AND the Motorola USB cable that came with the phone. I tried other cables that both charged and synced but the only one that worked for this was the Moto cable. Using Win XP SP3 (12 year old OS on brand new work laptop. WTF!)
 

AKG0214

I was wondering if this works on other networks such as Boost Mobile, Net10, Cricket etc...? I honestly don't have enough money to buy a new phone and whatnot. The whole reason why I did this is because I lost my job and now I can't pay my phone bill and it keeps getting higher and higher.
 

queberican351

Boost - No
Cricket - No
They're both CDMA. This is to allow the GSM side (SIM card based) of the phone to work on other carriers. With that said, your best options are

Net10, Straight Talk, ATT, T-Mobile, Simple Mobile, H20, Orange, and there's a plethora of others out there. Post paid and pre-paid.


@DSDD

I believe your XT902 is GSM by default. So if what you're asking is will this bypass the network lock, no, the device needs to be unlocked by code. Then you can use it outside of the current carrier/country.
 

sipida

after boot, it is set back to 01 again @ address 8322

my phone version is Bsmq_vzw-user 4.1.1 9.8.1Q_27-2 4 release-keysSM_BP_1139.000.32.62P

After writing to 8322 with zeros, I read it again to confirm it is written, but after rebooting the phone, the value is back to 01 again.
I guess the Verizon driver may override this value during rebooting?

any help?
should I root the phone?

==
thanks

---------- Post added at 11:14 PM ---------- Previous post was at 10:48 PM ----------

Tried again a couple of times, this time it actually works.
Maybe last time I rebooted the phone too early?

 

cellzealot

Glad you got it working. There is no VZW software on the phone capable of writing to the radio NV, so it's not being reverted by anything.

If anyone else has similar issues I would suggest trying the NV/SEEM method as that will definitely write the item properly.
 

dsdd

@DSDD

I believe your XT902 is GSM by default. So if what you're asking is will this bypass the network lock, no, the device needs to be unlocked by code. Then you can use it outside of the current carrier/country.
XT902 has SIM lock, and there is no way to key in an unlock code. So I think it may be unlocked by modifying another NV item. :confused:
 

b0uncyfr0

Does this tutorial unlock mobile data usage on other carriers? I cannot seem to get data working on my XT907 in Australia. GSM and MMS work fine, so why doesn't data?
 

cellzealot

I don't know for certain because I only have experience with domestic US GSM carriers, but I tend to doubt it.

You can try it and see and revert it easily if it doesn't work. You can also try flashing the Telstra XT905 NON-HLOS.bin (modem) and fsg.mbn (carrier EFS/NVM config).

This was the method used to get US GSM service on XT907 before the method shown here was discovered.
It works but is limited to GSM/EDGE data services here in the US.

I am inclined to think it is some other problem with the device because it should work as a global capable phone by default.
 

cellzealot

Several people have PMd me questions about this method and I would much prefer that they be posted here in the thread so that everyone may benefit from the information.

Please include as much information about your PC and driver versions and be as thorough as possible in explaining your problems.
 