[INFO][R&D] I9300 UART and NVDATA guide

[reinsn]

During the last weeks I was researching how to build a cable to establish an UART connection to my I9300. This guide should work but is still work in progress. Feel free to contribute.

Info: this is a guide for the international version I9300 with XMM6260 modem. The SGH-I747-variant uses a different baseband/modem from Qualcomm.

Warning: This guide allows you to interface your device at a very low level. You might brick your device or damage vital parts of it. A lot of this stuff is undocumented and there might be side effects. Be warned!

Short technical explanation:

By using a custom build USB cable you can establish a serial connection to your phone. It offers a UART interface to the XMM6260/X-Gold 626 modem used in the I9300.

The longer technical explanation:

The I9300 uses a FSA9485 USB Port Multimedia Switch (https://www.fairchildsemi.com/products/analog-mixed-signal/switches/accessory-switches/FSA9485.html) behind the MicroUSB port. This IC can detect what kind of accessories are plugged to your USB port. The detection is done by a resistor wired between GND and ID pin of the USB cable. Using a resistance level of 523K will trigger the UART Mode. While in UART mode the I9300 will use the D- and D+ pins of the MicroB-plug as serial TX/RX data lines.

What to to with it?

While booting you can see debugging output of the secondary bootloader (not that much though, mainly eMMC initialize). Once booted you can see modem output and send commands to it. Another option is to show "PDA" messages, but i never managed to get any output with this setting.

You can communicate to your modem using AT-commands. For more information I recommend reading E:V:A's great post "[XMM6260][X-GOLD 626] Modem Specification / Documentation / Hack-Pack". While his guide is focussing on the SGS2, i want to keep this guide I9300 specific.

How to build a cable?

Stuff you need:

• A USB to serial converter supporting 3,3V(!) TTL levels (lots of this stuff around, check eBay or your local electronics supplier. Common chipsets are FTDIs FT232RL or Silicon Labs CP21xx, just make sure it supports 3,3V!)
• A USB MicroB plug (like this https://www.sparkfun.com/products/10031 or I just sacrificed a cable for soldering directly to the connector which works too)
• a resistor with 523K resistance (close value will work)
• some wires
• a soldering iron

Wire it like this:

How to use it (tested with I9300XXELL4 (Android 4.1.2):

• Install the drivers for your USB to serial converter (running linux your device will most likely be autodetected and assigned to /dev/ttyUSB0 or similar)
• On your I9300 Dial *#7284# and set UART mode to "modem"
• use your favorite serial console and set the following parameters for the serial port: rate: 115200 baud, data: 8 bits, parity: none, stop bit: 1, software flow-control: enable

I prefer using the "screen"-command on linux: "screen -t 'ttyUSB0 115200 8n1' /dev/ttyUSB0 115200,-ixoff,-ixon"
Now connect your UART-cable to the phone (it will power up on its own due to the FSA9485 chip, no need to worry)

If you see console output like this you got it right:

PMIC rev = PASS2(2)
BUCK1OUT(vdd_mif) = 0x05
BUCK3DVS1(vdd_int) = 0x20
[MMC] there are pending interrupts 0x00010000
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
mmc_initialize: mmc->capacity = 30777344
�
AST_POWERON

AST_POWERON

AST_POWERON

Now you should be ready to send AT-commands to your phone.
Try send a simple "AT" and your phone should respond with "OK"

AT
OK

If everything above works you successfully managed to establish a serial console to your baseband processor. congratulations! proceed to the next post for tested AT commands.

Another warning at this time: Do not send random characters/commands to your modem. This is an easy way to brick your network connection or even your entire phone.

Troubleshooting:

• check the wiring, maybe you switched TX/RX data lines
• on linux check user rights on your /dev/ttyUSBX device, check with superuser if unsure
• to be extended

THX to:

• E:V:A for his great guides about modems/AT commands in general and the XMM6260
• the Replicant project: http://www.replicant.us/
• many other guys gave me a hint in the right direction which I forgot to mention here

 

[reinsn]

Supported AT commands on the I9300

Please take this warning serious! As this is a debugging console to your baseband/modem the wrong command can easily overwrite vital data on you phone. Think before typing!

I won't go into detail about AT command syntax here. I recommend to read the following infos before trying any own approaches:

• http://en.wikipedia.org/wiki/Hayes_command_set
• http://www.codeproject.com/Articles/85636/Introduction-to-AT-commands-and-its-uses
• http://forum.xda-developers.com/showthread.php?p=53175152#post53175152

AT commands are modem specific. Not all commands work on all modems, but there are still some general commands working on most phones!

Working AT commands:

AT+CLAC --> gives a list of all supported AT commands, though there are more commands which are undocumented, following output on I9300:

ATS
ATD
ATA
ATO
ATE
ATH
ATV
ATZ
ATl
ATm
ATQ
ATX
AT&F
AT&D
AT&C
AT\Q
AT+CGSMS
AT+CMGD
AT+CMGF
AT+CMGL
AT+CMGR
AT+CMGS
AT+CMGW
AT+CMMS
AT+CMSS
AT+CNMA
AT+CNMI
AT+CPMS
AT+CSCA
AT+CSCB
AT+CSMS
AT+XCSSMS
AT+XSMS
AT+XTESM
AT+CSDH
AT+CSAS
AT+CRES
AT+CMGC
AT+CSMP
AT+CGREG
AT+COPN
AT+COPS
AT+CREG
AT+CSQ
AT+XBANDSEL
AT+XCOPS
AT+XCSPAGING
AT+XEONS
AT+XREG
AT+XAACOPS
AT+XUBANDSEL
AT+XRAT
AT+CPLS
AT+CPOL
AT+XHOMEZR
AT+XCSQ
AT+CHUP
AT+CMOD
AT+CMUT
AT+CTFR
AT+VTS
AT+XCALLSTAT
AT+XDTMF
AT+XVTS
AT+CSTA
AT+CVHU
AT+VTD
AT+CCWE
AT+CR
AT+CRC
AT+XPROGRESS
AT+XREDIAL
AT+CAOC
AT+XLIN
AT+CCFC
AT+CCWA
AT+CHLD
AT+CLCC
AT+CLCK
AT+CLIP
AT+CLIR
AT+CNAP
AT+COLP
AT+COLR
AT+CPWD
AT+CSSN
AT+CUSD
AT+CCUG
AT+CBST
AT+CEER
AT+CGACT
AT+CGANS
AT+CGATT
AT+CGAUTO
AT+CGCLASS
AT+CGCMOD
AT+CGDATA
AT+CGDCONT
AT+CGDSCONT
AT+CGEQMIN
AT+CGEQNEG
AT+CGEQREQ
AT+CGEREP
AT+CGPADDR
AT+CGQMIN
AT+CGQREQ
AT+CGTFT
AT+XCGCLASS
AT+XDNS
AT+XGAUTH
AT+FCLASS
AT+CRLP
AT+XNVMPLMN
AT+XNVMMCC
AT+CBC
AT+CCID
AT+CCLK
AT+CFUN
AT+CGMI
AT+CGMM
AT+CGMR
AT+CGSN
AT+GSN
AT+CIMI
AT+CMEE
AT+CMUX
AT+CNUM
AT+CPIN
AT+CPWROFF
AT+CRSM
AT+CSCS
AT+CSIM
AT+CSVM
AT+CTZR
AT+CTZU
AT+IPR
AT+XCTMS
AT+XGENDATA
AT+XPINCNT
AT+XLOG
AT+XMER
AT+XSIMSTATE
AT+TRACE
AT+XL1SET
AT+XSIO
AT+XDLCTEST
AT+XPOW
AT+XCEER
AT+XEER
AT+XTRACECONFIG
AT+XMUX
AT+XFDOR
AT+XFDORT
AT+XCONFIG
AT+XAPP
AT+XHSDUPA
AT+XCAP
AT+CPIN2
AT+XDATACHANNEL
AT+CONNECTPORT
AT+CAMM
AT+CACM
AT+CCHO
AT+CCHC
AT+XCSP
AT+NEER
AT+CUAD
AT+XUICC
AT+XLEMA
AT+XSYSTRACE
AT+CLAC
AT+CPUC
AT+CLAN
AT+CGLA
AT+CRLA
AT+CPAS
AT+XSVM
AT+XNOTIFYDUNSTATUS
AT+XRXDIV
AT+XRXDIV3GRAB
AT+XMAGETKEY
AT+XMAGETBLOCK
AT+CPOS
AT+CPOSR
AT+CMOLR
AT+CMTLR
AT+CMTLRA
AT+XCPOSR
AT+XSETCAUSE
AT+XSPEECHINFO

ATV1 --> Enables verbose command results mode
ATE0 --> Turns off local echo
AT+SERIALNO=1,0 --> shows serial number
AT+CGSN --> shows IMEI
AT+XGENDATA --> shows modem version:

+XGENDATA: "    SP6260_M0_MODEM_03.1241_DB121008 2012-Dec-10 11:25:46 
                                                                          PDB_NOT_AVAILABLE 
                                                                                            *SP6260_M0_MODEM_03.1241*"

ATi --> shows device info:

Manufacturer: SAMSUNG 

 Model: I9300 

 Revision: I9300XXELL4 

 IMEI: XXXXXXXXXXXX

AT+HEADINFO=1,1 - Shows device information, "Unique Number" is not that unique. If you copy EFS you copy number.

+HEADINFO:1,1,1
Model Name = GT-I9300
Country/customer = -
Customer Code = DBT
Date = -
Charger = -
S/W version = I9300XXELL4
Unique Number = CVTXXXXXXXXXXXX
Memory Name = -
Sec Code = -

AT+IMEITEST=1,0 - shows "corrupted!!" with damaged EFS, not yet tested with good EFS

+IMEITEST:1,corrupted!!

AT+MSLSECUR=1,0 --> Some information I found indicates this is the first security mechanism. You need to send a device specific code to unlock write mode (AT+MSLSECUR=2,<UNLOCK CODE>). I saw examples in this form: AT+MSLSECUR=2,<SERIAL NUMBER>_<HEXADECIMAL KEY> but was not able to generate it.

AT+AKSEEDNO=1,0 --> It seems to be a challenge/response security mechanism: You have to respond to this challenge with another AT-command (AT+AKSEED=2,<RESPONSE CODE>). See next post for details.

AT+AKSEEDNO=1,0
+AKSEEDNO:1,16799-25-329

 

[reinsn]

Some related technical infos

EFS:

The modem stores its settings in your /efs partition (mmcblk0p3), more precisely in your nv_data.bin file. It might be wise to do a backup. (More information on EFS)

Modem Firmware:

Your modem is running a Real Time Operation System (RTOS) named ThreadX. It is stored in modem.bin and different versions can be flashed by Odin.

The ServiceMode.apk-application talks directly to the modem RTOS.

AKSEED
This seems to be a challenge-response security algorithm. Maybe somebody has a clue as i would love to find out how it works.

I have collected some AKSEED examples from the web:
Challenge: 29987-125-1427 - Correct response: 16096-95-115
Challenge: 8299-182-209 - Correct response: 7928-94-124
Challenge: 767-207-25 - Correct response: 309-93-128

 

[reinsn]

nv_data.bin

If you attempt to change the nv_data.bin within Android it will get restored from .nv_data.bak and .nv_core.bak. It is protected by a special MD5-hash which is stored in nv_data.bin.md5/.nv_data.bak.md5/.nv_core.bak.m5. The MD5-hash is generated from nv_data.bin, but can not be generated using a normal MD5-algorithm. If no backup is present a default nv_data.bin is created.

I assume the ril-daemon is responsible for checking the correct checksum and restoring the backup.

There are some offsets of interest in nv_data.bin (just assumptions, may be different on some modem firmwares):

I believe the modem settings related part starts at Offset 0x180000 with the String "SSNV".

0x181469 - Network Lock (i think its 5 bytes starting from 0x181469: Network Lock, Subset Network Lock, SP Lock, CP Lock, Data Lock)
0x18800F-0x188011 - Product Code (DBT,XEO,etc.)
0x188021-0x188023 - Product Code (DBT,XEO,etc.)
0x18815F-0x188165 - Serial Number
0x194004-0x194023 - Modem Version
0x194049-0x194053 - Firmware Version (I9300XXELL4,I9300XXDLIB,etc.)
0x18146e, 0x18148e, 0x1814ae, 0x1814ce, 0x1814ee - 5 times the same value, most likely a hash of the Unlock Code. The hashes are separated by "4A" hex. The hash is generated different than on SGS2 - see here


If anybody has further information regarding offsets, stored data and used encryption please post here or contact me!

 

[.NetRolller 3D]

MD5 generation: (cat nv_data.bin; echo -n Samsung_Android_RIL) | md5sum

EDIT: echo -n, not echo - n

Sent from my GT-I9305 using XDA Free mobile app

 

[reinsn]

MD5 generation: (cat nv_data.bin; echo - n Samsung_Android_RIL) | md5sum

Sent from my GT-I9305 using XDA Free mobile app

nice one...but you have to stop ril-daemon on device before replacing or it will revert to nv_data.bin from backup:

stop ril-daemon

 

[reinsn]

The data at 0x180004 to 0x180033 in nv_data.bin seems to be related to the AT+MSLSECUR command:

AT+MSLSECUR=1,0 on a phone with undamaged /efs responds the serial number:

AT+MSLSECUR=1,0
+MSLSECUR:1,RFXXXXXX

if you copy these offsets from undamaged /efs to another phone the data gets scrambled:

AT+MSLSECUR=1,0
+MSLSECUR:1,��Lb�šV��Ƨo~

if you edit these offsets to all "FF"s:

AT+MSLSECUR=1,0
+MSLSECUR:1,0000000000

so i assume it is somehow crypted by the serial number or another physical(?) unique identifier

 

[s3beginner1232]

AT+EGMR command

Does the AT+EGMR command work?