[REF][ServiceMode] How to make your Samsung perform dog tricks

[E:V:A]

Every time Samsung releases a new series of phones, they try to make
it just a little harder for us to find and enter the Service Mode (SM)
menus. Understandably the Service Mode menus allow you to access
functions on your phone directly related to its operation, from
selecting particular service providers, unlocking your SIM card,
changing default networks, bands and destroying your internal
non-volatile (NV) memory, that contain all your IMEI, RF, EFS
parameters, and to make a complete factory wipe and reset.

So this is not to play around with, randomly!
You have been warned.

On the other hand, it also provides extremely useful detailed
information about your mobile network, including all radio related
systems like GPS, WiFi, BlueTooth and NFC. Most of this information
is not available through the usual AOS Java API, and probably will
never be, as vendors consider this area as off-limits to users and
amateur developers.


Note:
All this info was obtained on a European
Samsung Galaxy S4-mini (GT-I9195 LTE)
But reported to work also on:
Samsung Galaxy S5 on US Cellular (SM-G900R4)

[SIZE=2]Baseband:       I9195XXUBML4            [/SIZE]
[SIZE=2]Kernel:         3.4.0-2340422           [/SIZE]
[SIZE=2]                [email protected] #1      [/SIZE]
[SIZE=2]Build:          JDQ39.I9195XXUBML4      [/SIZE]
[SIZE=2]SE:             SEPF_GT-I9195_4.2.2_0022[/SIZE]

Getting into Service Mode (SM)

On this particular model, you have to do this:

Go to dial pad and enter: *#0011#

This will initially take you to Service Mode and showing you
various signal status items, by default. But it's a locked
entry. So to unlock and go to the Main Menu do this:

==> [MENU] + [Back]
==> [MENU] + [Key Input] + "Q0"
==> <wait ~5-10 seconds>
​

Now you can hit the thank you button below!
I have not seen this solution anywhere else, and
it required some reversing...


Understading the ServiceMode Menu

<WIP>

This will take some time to investigate, so anyone
who already knows, please post in this thread.


The ServiceMode Menu Structure (brief)

Go to Post#2 for formatted menu structure and items.

[SIZE=2]MAIN MENU[/SIZE]
[SIZE=2][1] UMTS        [/SIZE]
[SIZE=2][2] CDMA        [/SIZE]
[SIZE=2][3] LTE                [/SIZE]
[SIZE=2][4] SIM- Not Used.        --> <E>[/SIZE]
[SIZE=2][5] DOCOMO DEBUG SCREEN        [/SIZE]
[SIZE=2][6] run EFS SYNC()        [/SIZE]
[SIZE=2][7] DEBUG SCREEN        [/SIZE]

Some Important Codes

9900 SysDump

This is an important hidden code is that for making a wide range
of system dumps and changing many unknown logging functions.

This will give you a list of the following functions:

[SIZE=2]Menu Item                       Setting         Description[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]
[SIZE=2]Run dumpstate/logcat/modem log  -               logcat -v threadtime -b radio -d -f /data/log/radio_*.log[/SIZE]
[SIZE=2]Delete dumpstate/logcat                         [/SIZE]
[SIZE=2]Run dumpstate/logcat                                            [/SIZE]
[SIZE=2]Copy Kernel Log to SD card                      [/SIZE]
[SIZE=2]Run CP based log                                [/SIZE]
[SIZE=2]Run Forced CP crash dump                        [/SIZE]
[SIZE=2]Copy to sdcard (include CP Ramdump)             [/SIZE]
[SIZE=2]Debug Level Disabled/LOW        -               Change debug level [LOW/MID/HIGH][/SIZE]

[SIZE=2]CP Debugging Popup UI:          Disabled        [/SIZE]
[SIZE=2]Silent Log:                     Off             dev.silentlog.on=(On,Off)[/SIZE]
[SIZE=2]Translation Assistant:          Off             persist.translation.assistant=(0,1)[/SIZE]
[SIZE=2]Low battery dump:               Off             [/SIZE]
[SIZE=2]Wakelock Monitoring:            OFF             [/SIZE]
[SIZE=2]TCP DUMP START                                  ro.product_ship=(true,false)            lucky_ril*.log[/SIZE]
[SIZE=2]Enable SecLog (currently disabled)              persist.log.seclevel=(0,1)[/SIZE]
[SIZE=2]MTT Logging Setting:            OFF             persist.brcm.log=(sdcard,none)          [Broadcom][/SIZE]
[SIZE=2]ACT data copy                                   [/SIZE]
[SIZE=2]Exit                                            [/SIZE]

9090 DIAG CONFIG

This is also important for changing the internal MUX used for
diagnostic debug output, to/from USB and UART.

[SIZE=2]DIAG CONFIG[/SIZE]
[SIZE=2][1] USB  ( )[/SIZE]
[SIZE=2][2] UART (*)[/SIZE]
[SIZE=2][3] DBG MSG ON  (*)[/SIZE]
[SIZE=2][4] DBG MSG OFF ( )[/SIZE]

Basically if you wanna use UART output, you will probably need
to build the MyWay box or use the correct resistance between
the USB ID and GND pins. (See my AnyWay thread.)

0808 USB Settings

This is by far the most important code to know, because it is used to determine,
what drivers are enumerated when connecting your phone to PC via USB cable.
Technically it is a multiplexer (MUX) switch which determine whether the USB
port is directly connected to the CP (Cellular/baseband Processor/modem),
or the AP (Application Processor). This also selects what device features will be
enabled once connected. Such as ADB, RNDIS, and DM (Diagnostic Mode) etc.

To change the mux settings on a Samsung S4/mini, use your dialpad
to get to the "USBSettings" menu, like this:

For AOS <= 4.2.2, without SELinux, use *#7284# or *#3424#.
For AOS >= 4.2.2, with SELinux, use *#0808#.

[SIZE=2]USB 
( ) CP
( ) AP

USB Settings
( ) MTP
( ) MTP + ADB
( ) PTP
(o) PTP + ADB
( ) RNDIS + DM + MODEM
( ) RMNET + DM + MODEM
( ) DM + MODEM + ADB

[OK] [Reboot]
[/SIZE]

A few other service/secret codes

Similarly to my GT-I9300 "Secret Codes" thread, we find many of the
same codes present also in this phone. Do check that thread out, for
understanding how to find more codes relevant for your phone and AOS
version. Also note that most custom ROMs does not support all these,
as they are usually left out or forgotten about, since they are
vendor/modem specific.

Here I show only the most interesting & useful ones, and I have also
used the excellent website PhoneSpell to try to find sensible word
combinations for some of these numbers.

Now, many of these seem not to work at all, but they are present in
the ServiceMode application(s) code and rely on various other
properties being set before being available/activated. Another
type of block is is determined by the content of the EFS files:

/efs/FactoryApp/keystr
/efs/carrier/HiddenMenu

These can be set on a rooted phone by:

echo -n "OFF" > /efs/FactoryApp/keystr
echo -n "ON" >/efs/carrier/HiddenMenu
echo -n "ON" >/efs/FactoryApp/factorymode

(Somebody need to confirm the KeyString block boolean!)


Here is list of some particularly interesting properties that often
seem involved in blocking/enabling particular ServiceMenu
items/features.

[SIZE=2]property                                value/note[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]
[SIZE=2]ril.tcpdumping=On                       [On,Off][/SIZE]
[SIZE=2]ril.OTPAuth=true                        OTP Authentication key is 6 random digits long[/SIZE]
[SIZE=2]ro.build.type=eng                       [eng, user]][/SIZE]
[SIZE=2]ro.cp_debug_level=                      [0x5500,0x55FF] [/SIZE]
[SIZE=2]ro.csc.sales_code=CHM                   [NONE, <many otehrs> ][/SIZE]
[SIZE=2]ro.csc.country_code=                    [KOREA, Unknown, ...]   KOREA allows extra menu item: "IMS"[/SIZE]
[SIZE=2]ro.product_ship=false                   [true,false][/SIZE]
[SIZE=2]ro.product.model=                       [/SIZE]
[SIZE=2]ro.factorytest=1
dev.silentlog.on=                       [0,1][/SIZE]
[SIZE=2]persist.radio.lteon=true                [true,false][/SIZE]

And here are some of the codes:

[SIZE=2]code            mnemonic        description[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]
[SIZE=2]06              -               IMEI[/SIZE]

[SIZE=2]00112                   [/SIZE]
[SIZE=2]0228            0BAT            Battery status (ADC, RSSI reading)[/SIZE]
[SIZE=2]0514            -               [/SIZE]
[SIZE=2]0599            -[/SIZE]

[SIZE=2]1234            -               FW Versions for AP,CP,CSC[/SIZE]
[SIZE=2]123456          -[/SIZE]
[SIZE=2]1575            -               GPS test[/SIZE]
[SIZE=2]1111            -               FTA SW Version  [/SIZE]
[SIZE=2]2222            -               FTA FW Version[/SIZE]
[SIZE=2]8888            -               [/SIZE]
[SIZE=2]9090            -               USB/UART MUX debug switch[/SIZE]
[SIZE=2]99007788        -               [/SIZE]

[SIZE=2]197328640       -               Service Mode[/SIZE]
[SIZE=2]22558463        CALLTIME        Reset Total Call Time[/SIZE]
[SIZE=2]2263            BAND                            [/SIZE]
[SIZE=2]2580            <mid-col>       [/SIZE]
[SIZE=2]268435456       ANTIFKILO       "antenna IF kilo?? serviceModeApp_FB.apk / FTATDumpReceiver.class[/SIZE]
[SIZE=2]27663368378     CPMODEMTEST     [/SIZE]
[SIZE=2]2767*2878       APOS*CUST       Current firmware with factory default settings[/SIZE]

[SIZE=2]301279||279301  -               [/SIZE]
[SIZE=2]3214789650      -               Start Angry GPS                 Build.TYPE != "user"[/SIZE]
[SIZE=2]32489           -               Ciphering Info[/SIZE]
[SIZE=2]4238378         ICE/GCFTEST     GCF Settings?[/SIZE]
[SIZE=2]4387264636      GETRAMINFO      [/SIZE]
[SIZE=2]58366           LTEON                                           set persist.radio.lteon=true[/SIZE]
[SIZE=2]6201            -               [/SIZE]
[SIZE=2]638732          NETSEC                                          Build.TYPE != "user"[/SIZE]
[SIZE=2]66336           MODEM           CP Ram Dump (On/Off)            ro.cp_debug_level=[0x5500,0x55FF][/SIZE]
[SIZE=2]6984125*        MYTH1A5?        ?               [/SIZE]
[SIZE=2]7284            PATH            Set USB/UART path [/SIZE]

[SIZE=2]738767633       SETSOSOFF       Turn OFF SOS*[/SIZE]
[SIZE=2]73876766        SETSOSON        Turn ON SOS*[/SIZE]
[SIZE=2]7387677763      SETSOSPROF      Set SOS* profile[/SIZE]
[SIZE=2]7387678378      SETSOSTEST      Set SOS* test[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]
[SIZE=2]* SOS = Sell Out SMS[/SIZE]
[SIZE=2]<> = some kind of keypad pattern[/SIZE]
[SIZE=2]---------------------------------------------------------------------[/SIZE]

In addition to these numerical codes, there are also few alphanumeric ones.
These can be used from the command-line with the "am" command, like this:

[SIZE=2]am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://CP_RAMDUMP[/SIZE]

This might also work when already in ServiceMode, by entering the string
after selecting "Key Input" or "Select", from menu. (I have not checked.)

[SIZE=2]LTE_ANT_PATH_NORMAL[/SIZE]
[SIZE=2]CP_RAMDUMP[/SIZE]
[SIZE=2]DUMP_SVCIPC[/SIZE]
[SIZE=2]DEBUG_SCR[/SIZE]
[SIZE=2]EI_DEBUG_SCR[/SIZE]
[SIZE=2]DATA_ADV[/SIZE]
[SIZE=2]NAMBASIC[/SIZE]
[SIZE=2]TESTMODE[/SIZE]
[SIZE=2]NAMSIMPLE[/SIZE]
[SIZE=2]TEST_CALL[/SIZE]

The Samsung Diagnostics Menu

One special secret code is that of the Samsung Dignostic
Test Menu. This particular menu exsists on pretty much all
Android based Samsung phones. (AFAIK) The code is simply:

*#0*#

It provides for testing things like the Screen, Sound, Vibrator,
all the sensors and more. One one the cooler features for phones
that include an IR transmitter, is that you can use it on most
modern Samsung TV's as a remote control. Thus even easier to use
than any of Samsung's own Remote Control Apps, which are often
bloated and containing spyware.

The available test items you will find on this particular model are:

[SIZE=2][Red]           - screen pixel test[/SIZE]
[SIZE=2][Green]         - screen pixel test[/SIZE]
[SIZE=2][Blue]          - screen pixel test[/SIZE]
[SIZE=2][Receiver]      - (Ear) Receiver test[/SIZE]
[SIZE=2][Vibration]     -[/SIZE]
[SIZE=2][Dimming]       -[/SIZE]
[SIZE=2][Mega cam]      -[/SIZE]
[SIZE=2][Sensor]        -[/SIZE]
[SIZE=2][Touch]         -[/SIZE]
[SIZE=2][Sleep]         - sleep mode (power button) test[/SIZE]
[SIZE=2][Speaker]       - listen![/SIZE]
[SIZE=2][Sub key]       - testing keys [/SIZE]
[SIZE=2][Front cam]     -       [/SIZE]
[SIZE=2][IR LED]        - Samsung TV compatible IR remote control[/SIZE]
[SIZE=2][LOW FREQUENCY] - Listen 100/200/300 Hz[/SIZE]
[SIZE=2][Black]         - screen darkness test[/SIZE]

For other S4 models, check this YouTube video:
"Galaxy S4 Diagnostics Menu *#0*#"

For the S3 GT-I9300 check out the thread:
[REF][INFO][R&D] "Secret Codes" and other hidden features
​

 

[E:V:A]

The ServiceMode Menu Structure

This is really <WIP> as I don't have time to manually type in every damn menu
item for everyone else. So if you wanna help out filling in the blanks, please post
and I'll eventually add it here.

[SIZE=2]MAIN MENU[/SIZE]
[SIZE=2] [1] UMTS                [/SIZE]
[SIZE=2] [2] CDMA                [/SIZE]
[SIZE=2] [3] LTE                         [/SIZE]
[SIZE=2] [4] SIM- Not Used.              --> <E>[/SIZE]
[SIZE=2] [5] DOCOMO DEBUG SCREEN         [/SIZE]
[SIZE=2] [6] run EFS SYNC()              [/SIZE]
[SIZE=2] [7] DEBUG SCREEN                [/SIZE]
[SIZE=2] ---------------------------------------------------------------------[/SIZE]
[SIZE=2] [1]     UMTS MAIN MENU[/SIZE]
[SIZE=2]         [1] DEBUG SCREEN[/SIZE]
[SIZE=2]         [2] VERSION INFORMATION[/SIZE]
[SIZE=2]         [3] UMTS RF NV[/SIZE]
[SIZE=2]         [4] GSM RF NV[/SIZE]
[SIZE=2]         [5] AUDIO[/SIZE]
[SIZE=2]         [6] COMMON[/SIZE]
[SIZE=2]         [7] LTE BAND CONFIG CHECK[/SIZE]

[SIZE=2]         [1]     DEBUG SCREEN[/SIZE]
[SIZE=2]                 [1] BASIC INFORMATION[/SIZE]
[SIZE=2]                 [2] NAS INFORMATION[/SIZE]
[SIZE=2]                 [3] AS INFORMATION[/SIZE]
[SIZE=2]                 [4] NEIGHBOUR CELL[/SIZE]
[SIZE=2]                 [5] GPRS INFORMATION[/SIZE]
[SIZE=2]                 [6] SIM INFORMATION[/SIZE]
[SIZE=2]                 [7] HANDOVER[/SIZE]
[SIZE=2]                 [8] PHONE CONTROL[/SIZE]
[SIZE=2]                 [9] ANTENNA/ADC[/SIZE]

[SIZE=2]         [2]     VERSION INFORMATION[/SIZE]
[SIZE=2]                 [1] SW VERSION[/SIZE]
[SIZE=2]                 [2] HW VERSION[/SIZE]

[SIZE=2]         [3]     UMTS RF[/SIZE]
[SIZE=2]                 [1] RF NV READ[/SIZE]
[SIZE=2]                 [2] RF NV WRITE[/SIZE]
[SIZE=2]                 [3] UMTS DIVERSITY CONTROL[/SIZE]
[SIZE=2]                 [4] RF CALIBRATION CHECK[/SIZE]

[SIZE=2]         [4]     GSM RF[/SIZE]
[SIZE=2]                 [1] RF NV READ[/SIZE]
[SIZE=2]                 [2] RF NV WRITE[/SIZE]

[SIZE=2]         [5]     AUDIO                           Locked! ==> See Note (a)[/SIZE]
[SIZE=2]                 ...[/SIZE]

[SIZE=2]         [6]     COMMON[/SIZE]
[SIZE=2]                 [1] FTM[/SIZE]
[SIZE=2]                 [2] DEBUG INFO[/SIZE]
[SIZE=2]                 [3] RF SCANNING[/SIZE]
[SIZE=2]                 [4] DIAG CONFIG[/SIZE]
[SIZE=2]                 [5] WCDMA SET CHANNEL[/SIZE]
[SIZE=2]                 [6] NV REBUILD[/SIZE]
[SIZE=2]                 [7] FACTORY TEST[/SIZE]
[SIZE=2]                 [8] FORCE SLEEP[/SIZE]
[SIZE=2]                 [9] GPS[/SIZE]

[SIZE=2]                 [1]     FTM : OFF               Locked! ==> See Note (b)[/SIZE]
[SIZE=2]                         [1] NOT SUPPORT [/SIZE]
[SIZE=2]                         [2] FTM : OFF[/SIZE]

[SIZE=2]                 [2]     DEBUG INFO[/SIZE]
[SIZE=2]                         [1] MM REJECT CAUSE[/SIZE]
[SIZE=2]                         [2] LOG DUMP[/SIZE]
[SIZE=2]                         [3] UI DEBUG POPUP - N/S[/SIZE]


[SIZE=2]                 [3]     RF SCANNING     [/SIZE]
[SIZE=2]                         [1] SETTING[/SIZE]
[SIZE=2]                         [2] START RF SCANNING[/SIZE]
[SIZE=2]                         [3] RESULT TO PC[/SIZE]
[SIZE=2]                         [4] RESULT TO SCREEN[/SIZE]

[SIZE=2]                 [4]     DIAG CONFIG[/SIZE]
[SIZE=2]                         [1] USB  ( )[/SIZE]
[SIZE=2]                         [2] UART (*)[/SIZE]
[SIZE=2]                         [3] DBG MSG ON  (*)[/SIZE]
[SIZE=2]                         [4] DBG MSG OFF ( )[/SIZE]

[SIZE=2]                 [5]     WCDMA SET CHANNEL       ==> "WCDMA CHANNEL SET" NOT SUPPORT[/SIZE]
[SIZE=2]                 [6]     NV REBUILD              --> Not tested![/SIZE]
[SIZE=2]                 [7]     FACTORY TEST            --> Not tested![/SIZE]
[SIZE=2]                 [8]     FORCE SLEEP             --> Not tested![/SIZE]
[SIZE=2]                 [9]     GPS[/SIZE]
[SIZE=2]                         co_gps_menu             ==> unknown![/SIZE]


[SIZE=2]         [7]     LTE BAND CONFIG CHECK           --> <E>[/SIZE]

[SIZE=2] ---------------------------------------[/SIZE]
[SIZE=2] [2]     CDMA MAIN MENU[/SIZE]
[SIZE=2]         [1] COMMON[/SIZE]
[SIZE=2]         [2] DATA[/SIZE]
[SIZE=2]         [3] RF[/SIZE]
[SIZE=2]         [4] CONTROL[/SIZE]
[SIZE=2]         [5] DEBUG SCREEN[/SIZE]
[SIZE=2]         [6] SUSPEND (001)[/SIZE]
[SIZE=2]         [7] TEST SYS(012)[/SIZE]


[SIZE=2]         [1]     COMMON MENU (1/3) [/SIZE]
[SIZE=2]                 [1] READ RAW RSSI (018)[/SIZE]
[SIZE=2]                 [2] MODEL ID (019)[/SIZE]
[SIZE=2]                 [3] SNDNAM (020)[/SIZE]
[SIZE=2]                 [4] SNDVERSION (021)[/SIZE]
[SIZE=2]                 [5] SNDESN (022)[/SIZE]
[SIZE=2]                 [6] DATASVC ON (023)[/SIZE]
[SIZE=2]                 [7] DATASVC OFF (024)[/SIZE]
[SIZE=2]                 [8] VERSION (025)[/SIZE]
[SIZE=2]                 [9] NEXT PAGE >[/SIZE]

[SIZE=2]                 COMMON MENU (2/4)[/SIZE]
[SIZE=2]                 [1] REBUILD (026)[/SIZE]
[SIZE=2]                 [2] PHONE RESET (027)[/SIZE]
[SIZE=2]                 [3] FS RESET (029)[/SIZE]
[SIZE=2]                 [4] SIO TO DM (032)[/SIZE]
[SIZE=2]                 [5] MSL KEY(245)[/SIZE]
[SIZE=2]                 [6] MSL (246)[/SIZE]
[SIZE=2]                 [7] F3 MSG (249)[/SIZE]
[SIZE=2]                 [8] CUR BAND (253)[/SIZE]
[SIZE=2]                 [9] NEXT PAGE >[/SIZE]

[SIZE=2]                 COMMON MENU (3/4)[/SIZE]
[SIZE=2]                 [1] ERR LOG CLR (252)[/SIZE]
[SIZE=2]                 [2] SIM IN OUT CHECK (89)[/SIZE]
[SIZE=2]                 [3] MEMORY CHECK (90)[/SIZE]
[SIZE=2]                 [4] ACTIVATION_DATE (99)[/SIZE]
[SIZE=2]                 [5] SIO_MODE (032)[/SIZE]
[SIZE=2]                 [6] MOB CAI REV (110)[/SIZE]
[SIZE=2]                 [7] RECONDITIONED STATUS (200)[/SIZE]
[SIZE=2]                 [8] PREF MODE SET[/SIZE]
[SIZE=2]                 [9] NEXT PAGE >[/SIZE]

[SIZE=2]                 COMMON MENU (4/4)[/SIZE]
[SIZE=2]                 [1] RTRE CONFIG[/SIZE]
[SIZE=2]                 [2] SMS FORMAT SET[/SIZE]
[SIZE=2]                 [3] (UN)BLOCK VOICE MT[/SIZE]
[SIZE=2]                 [4] CHECK FACTORY CMD[/SIZE]


[SIZE=2]         [2]     DATA[/SIZE]
[SIZE=2]                 [1] WRITE NV (031)      [/SIZE]
[SIZE=2]                 [2] MRU2 TABLE (033)[/SIZE]
[SIZE=2]                 [3] NAI SET (034)[/SIZE]
[SIZE=2]                 [4] INFORMATION[/SIZE]
[SIZE=2]                 [5] VBATT[/SIZE]
[SIZE=2]                 [6] THERMISTER[/SIZE]
[SIZE=2]                 [7] eHRPD e/disable[/SIZE]

[SIZE=2]         [3]     RF[/SIZE]
[SIZE=2]                 [1] CALIBRATION         [/SIZE]
[SIZE=2]                 [2] COMMON              [/SIZE]
[SIZE=2]                 [3] PCS                 [/SIZE]
[SIZE=2]                 [4] CDMA                --> WLAN etc[/SIZE]
[SIZE=2]                 [5] GPS                 --> Nice![/SIZE]

[SIZE=2]         [4]     CONTROL                 --> Not tested![/SIZE]
[SIZE=2]         [5]     DEBUG SCREEN            --> Not tested![/SIZE]
[SIZE=2]         [6]     SUSPEND (001)           --> Not tested![/SIZE]
[SIZE=2]         [7]     TEST SYS(012)           --> Not tested![/SIZE]

[SIZE=2] ---------------------------------------[/SIZE]
[SIZE=2] [3]     LTE MAIN MENU           [/SIZE]
[SIZE=2]         [1] DEBUG SCREEN                [/SIZE]
[SIZE=2]         [2] LTE RF                      [/SIZE]
[SIZE=2]         [3] Reserved                    --> <E>[/SIZE]
[SIZE=2]         [4] BACKOFF PLMN TIMER (T3402)  [/SIZE]

[SIZE=2] [4] SIM- Not Used.                      --> <E>[/SIZE]
[SIZE=2] [5] DOCOMO DEBUG SCREEN                 --> See Note (c)[/SIZE]
[SIZE=2] [6] run EFS SYNC()                      --> Not tested![/SIZE]
[SIZE=2] [7] DEBUG SCREEN                        --> Not tested![/SIZE]

Special Notes for the above:

[SIZE=2]//   = The end point/window where the info is displayed 
       (This usually doesn't have a title.)

<E>  = A "Dead End" that take you into an oo-loop page or back 
       to a locked *#0011# state.

(a) For accessing this sub-menu you may need to:
        1. Unblock the KeyString file with:
           echo -n "OFF" > /efs/FactoryApp/keystr
        2. Enable the carrier HiddenMenu file with:
           echo -n "ON" >/efs/carrier/HiddenMenu
        3. Set the device shipping property:  ro.product_ship=FALSE

(b) For "FTM" (Factory Test Mode) you probably need to set:
        1. Enable the FactoryMode file with:  
           echo -n "ON" >/efs/FactoryApp/factorymode
        2. Set the factory test property:  ro.factorytest=1

(c) Not available for non-DOCOMO devices, need correct property(ies).
[/SIZE]

 

[E:V:A]

Some Useful Examples


Example-1: Removing SIM network lock

[SIZE=2]UMTS MAIN MENU[/SIZE]
[SIZE=2][1] DEBUG SCREEN.[/SIZE]
[SIZE=2][6] PHONE CONTROL.[/SIZE]
[SIZE=2][6] NETWORK LOCK[/SIZE]
[SIZE=2][3] PERSO SHA256 OFF[/SIZE]

[SIZE=2]Go Back to Main Menu[/SIZE]

[SIZE=2]UMTS MAIN MENU[/SIZE]
[SIZE=2][6] COMMON[/SIZE]
[SIZE=2][6] NV REBUILD.[/SIZE]
[SIZE=2][4] Restore Back-up.[/SIZE]

[SIZE=2]Reboot[/SIZE]

This has not been tested by me, since I don't use SIM locked providers.

So make sure you have a complete NANDroid backup of your phone in case something
goes wrong. I do not take any responsibility for damaged phone due to this procedure.

Please confirm if this method works for this phone.

​

 

[luisbraz]

This is bul****!


I don't see the possibility to do a simple "Boby, sit!"

 

[wiisixtyfour]

You should be able to get into service mode directly by using the code *#27663368378#

Sent from my SCH-I435 using XDA Free mobile app

 

[jmzwcn]

LTE BAND CONFIG CHECK don't work

[7] LTE BAND CONFIG CHECK

it still doesn't work after I -------------------------------------------------------
<E> = A "Dead End" that take you into an oo-loop page or back
to a locked *#0011# state.

(a) For accessing this sub-menu you need two things:
1. KeyString file unblocked: /efs/FactoryApp/keystr: "OFF"
2. Property: ro.product_ship=FALSE
--------------------------------------------------------------------------------------------

Actually I want to check if it support bands change. In China, CMCC seems to only support band41.

 

[ladislav.heller]

You should be able to get into service mode directly by using the code *#27663368378#

Sent from my SCH-I435 using XDA Free mobile app

Doesn't work on GT-I9195

 

[wiisixtyfour]

Doesn't work on GT-I9195

It works for me on the Verizon version. Make sure you set /efs/carrier/HiddenMenu to 'ON'.

Sent from my SCH-I435 using XDA Free mobile app

 

[ladislav.heller]

How to trigger the Nfc Test application?
Package name is com.sec.android.app.nfctest.

Decompiled NfcTestBroadcastReceiver.java file:

package com.sec.android.app.nfctest;

import android.content.*;
import android.net.Uri;
import android.nfc.NfcAdapter;
import android.util.Log;

// Referenced classes of package com.sec.android.app.nfctest:
//            NfcTestMain

public class NfcTestBroadcastReceiver extends BroadcastReceiver
{

    public NfcTestBroadcastReceiver()
    {
    }

    public void onReceive(Context context, Intent intent)
    {
        String s = intent.getAction();
        if(!s.equals("android.provider.Telephony.SECRET_CODE")) goto _L2; else goto _L1
_L1:
        Intent intent1 = new Intent("android.intent.action.MAIN");
        if(intent.getData().getHost().equals("[COLOR="Red"]6328378[/COLOR]"))
            intent1.setClass(context, com/sec/android/app/nfctest/NfcTestMain);
        intent1.setFlags(0x10000000);
        context.startActivity(intent1);
_L4:
        return;
_L2:
        if("android.intent.action.BCS_REQUEST".equals(s))
        {
            Log.i("NfcTestBroadcastReceiver", "BCS_REQUEST receive");
            if("AT+NFCVALUE".equalsIgnoreCase(intent.getStringExtra("command")))
            {
                NfcAdapter nfcadapter = NfcAdapter.getDefaultAdapter(context);
                Log.i("NfcTestBroadcastReceiver", "AT+NFCVALUE!!!");
                if(nfcadapter.isEnabled())
                {
                    Log.i("NfcTestBroadcastReceiver", "NFC STATE ON!!!");
                    context.sendBroadcast((new Intent("android.intent.action.BCS_RESPONSE")).putExtra("response", "ON"));
                } else
                {
                    Log.i("NfcTestBroadcastReceiver", "NFC STATE OFF!!!");
                    context.sendBroadcast((new Intent("android.intent.action.BCS_RESPONSE")).putExtra("response", "OFF"));
                }
            }
        }
        if(true) goto _L4; else goto _L3
_L3:
    }
}

Tried the secret code *#6328378# in phone dialer but nothing happened.

Update:
But it works from commandline:

am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://6328378

 

[E:V:A]

[7] LTE BAND CONFIG CHECK
it still doesn't work after I ...Actually I want to check if it support bands change. In China, CMCC seems to only support band41.

Does you phone actually support LTE?
What model?

It works for me on the Verizon version. Make sure you set /efs/carrier/HiddenMenu to 'ON'.

Thank you! Can you find out if there are there other files we should look out for. Can you post the output of "busybox ls -alR" for the /efs directory?

How to trigger the Nfc Test application?
Package name is com.sec.android.app.nfctest.
Decompiled NfcTestBroadcastReceiver.java file:
Tried the secret code *#6328378# in phone dialer but nothing happened.

Great Job! Thanks. BTW. "6328378" = "NFCTEST".
also see if there are some other related files in /efs/ that need to be "enabled".

Make sure to backup you EFS folder, and don't try to add delete files in there, it doesn't work as a normal directory... EFS is more like a solid part of memory. You can change values, but not the number of values (size).

 

[wiisixtyfour]

Thank you! Can you find out if there are there other files we should look out for. Can you post the output of "busybox ls -alR" for the /efs directory?

Here is the output from that command on my SCH-I435:

.:
drwxrwxr-x root     root              1969-12-31 15:00 .files
drwxrwxr-x system   system            2013-11-09 01:57 FactoryApp
drwx------ system   system            2012-12-31 16:00 U0BwJo4kmkmm-BgyzUZgoEY7pn8_
-rw------- radio    radio         212 2013-12-01 16:25 apn-changes.xml
drwxr-xr-x radio    radio             2013-11-09 01:49 bluetooth
drwxr-xr-x system   system            2012-12-31 16:02 carrier
drwx------ system   system            2012-12-31 16:00 drm
-rw------- system   system         12 2013-11-09 01:58 gyro_cal_data
-rw-r--r-- root     root           16 2012-12-31 16:00 h2k.dat
drwxrwxr-x radio    radio             2013-11-09 01:49 imei
-rw------- root     root            0 2014-05-01 11:17 log
drwx------ root     root              1969-12-31 15:00 lost+found
drwxrwx--- radio    system            2013-11-09 01:49 prov
drwx------ system   system            2012-12-31 16:00 prov_data
drwxrwxr-x system   system            2013-11-09 01:49 wifi

./.files:
drwxrwxr-x media    system            1969-12-31 15:00 .dm33
drwxrwxr-x media    system            1969-12-31 15:00 .dx1
drwxrwxr-x media    system            1969-12-31 15:00 .mp301

./.files/.dm33:

./.files/.dx1:

./.files/.mp301:

./FactoryApp:
-rwxr--r-- system   system          1 1970-01-01 15:00 baro_delta
-rw------- system   system          5 2014-05-01 06:18 batt_cable_count
-rwxrwxr-x media    system          2 2014-04-26 21:12 earjack_count
-rwxr--r-- system   system          2 2013-11-09 01:49 factorymode
-rwxrwxr-x system   radio           4 1969-12-31 15:00 fdata
-rwxrwxr-x system   radio           0 2012-12-31 08:00 hist_nv
-rwxr--r-- system   system         10 1970-01-01 15:00 hw_ver
-rwxr--r-- system   system          2 2013-11-09 01:49 keystr
-rwxr--r-- system   system          5 1970-01-01 15:00 prepay
-rwxr--r-- system   system         11 1970-01-01 15:00 serial_no
-rwxrwxr-x system   radio         270 2012-12-31 08:00 test_nv

./U0BwJo4kmkmm-BgyzUZgoEY7pn8_:
-rwx------ system   system       1072 2012-12-31 16:00 qen2gEqW2A+OTDT0KpoESJiYnrk_
-rwx------ system   system       1072 2012-12-31 16:00 zm0WY4lY7rpx3kcVTTDWeh8VFRU_

./bluetooth:
-rw-r--r-- radio    radio          17 2013-11-09 01:49 bt_addr

./carrier:
-rwxr--r-- system   system          2 2014-04-29 12:42 HiddenMenu

./drm:
drwx------ system   system            2012-12-31 16:00 h2k

./drm/h2k:
drwx------ system   system            2012-12-31 16:00 8tjfX-7nJB21LtUUWIMbdlUfZTU_

./drm/h2k/8tjfX-7nJB21LtUUWIMbdlUfZTU_:
-rwx------ system   system       1072 2012-12-31 16:00 HAv-sOqL1pMh2jiAzRoeKCzAmhE_
-rwx------ system   system       1072 2012-12-31 16:00 SNbX8rtYWzaqdrnXa79HbAt5OFM_

./imei:
-rwxrwxr-x radio    radio           3 2013-12-23 03:38 mps_code.dat

./lost+found:

./prov:
-rw-rw---- radio    system          0 2013-11-09 01:49 libdevkm.lock

./prov_data:
drwx------ system   system            2013-11-09 01:49 G+8IRqTrHDIvQWyDjPjJkVB5u6o_
drwx------ system   system            2012-12-31 16:00 bG5QQZ77nDjI2757PvvQ3rPPrVg_

./prov_data/G+8IRqTrHDIvQWyDjPjJkVB5u6o_:
-rwx------ system   system       1072 2013-11-09 01:49 3mvhJJQ5lPk1G+yj67Y71hI3inI_
-rwx------ system   system       1072 2013-11-09 01:49 I0jYBKhtBZN0Rru2UXWB+UZ7Vc0_
-rwx------ system   system       1072 2013-11-09 01:49 MHkfmzQg-bRYZzQ4Dc1M+rgodfA_
-rwx------ system   system       1072 2013-11-09 01:49 iaBl+cROT4fwHRANIx6tIUgBqSA_
-rwx------ system   system       1072 2013-11-09 01:49 qOk21RBBYMeZqVYofK+oU09QG2o_

./prov_data/bG5QQZ77nDjI2757PvvQ3rPPrVg_:
-rwx------ system   system       1072 2012-12-31 16:00 4OV1KOT1hf21qdU1tnH6b8mOYLI_
-rwx------ system   system       1072 2012-12-31 16:00 CuWlydrYrNFsWwuO0IaVlUQVxEg_
-rwx------ system   system       1072 2012-12-31 16:00 gh8lZ2gd7MCgXAgHEgG7apFzmR0_
-rwx------ system   system       1072 2012-12-31 16:00 pYEZlsu8egNLf3z5mqguGPyhE2Q_
-rwx------ system   system       1072 2012-12-31 16:00 z-yiAOMWDX7wyfLCg5VIl-fyXus_

./wifi:
-rw------- system   system         17 2013-11-09 01:49 .mac.cob
-rw-rw-r-- system   system         17 2013-11-09 01:49 .mac.info

Great Job! Thanks. BTW. "6328378" = "NFCTEST".
also see if there are some other related files in /efs/ that need to be "enabled".

Make sure to backup you EFS folder, and don't try to add delete files in there, it doesn't work as a normal directory... EFS is more like a solid part of memory. You can change values, but not the number of values (size).

The NFC test did not work for me either but I am not sure if anything else in EFS should be changed.

Sent from my SCH-I435 using XDA Free mobile app

 

[E:V:A]

@wiisixtyfour : Can you edit your post and wrap that output in "CODE" tags (the # icon in advanced editor) please. It formats much better and thus easier to read.

 

[wiisixtyfour]

@wiisixtyfour : Can you wrap that output in "CODE" tags (the # icon in advanced editor) please.

Yeah, sorry I'm on the XDA app and it doesn't have all the tags.

Sent from my SCH-I435 using XDA Free mobile app

 

[jmzwcn]

my model is i9195

i9195 BTU,have rooted

 

[E:V:A]

The NFC test did not work for me either but I am not sure if anything else in EFS should be changed.

Yeah, not sure what they did, but you can play with the other properties, but first try this:

[SIZE=2]echo -n "OFF" >/efs/FactoryApp/keystr
echo -n "ON" >/efs/FactoryApp/factorymode
echo -n "ON" >/efs/carrier/HiddenMenu
[/SIZE]

(You may also need to chmod these files before changing. And don't forget to change back after your done playing. It could be that factory mode disables some network functionality.)

Second, all the codes I mentioned in OP, are normally entered by "*#<code>#*", but some phones require this: "*#*#<code>#*#*" before working, so try that as well.

 

[ladislav.heller]

PreConfig application can be started using following command:

am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://83052020100812173552301071192687

 

[ladislav.heller]

Serial number, FCC ID and logo screen:

am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://737425

 

[dp929]

heres one for the sch-i435 users

Serial number, FCC ID and logo screen:

am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://737425

So im on att currently and had not been happy with the lack of lte due to this being a verizon branded phone (hspa+ was getting me 4.5 mbps at best ,which I owe major thanks to this thread for even getting me that far ) so after tearing through stacks of codes listed in the android manifest xml files attached to he system keystring apps and such (many of which I couldnt get to do much of anything ) I found one that I havent seen listed that goes Into some ims and lte functions which got me 11.5-12+ mbps ranges pretty darn consistantly. The hiddenkeystring for me is ( *#467# ) I am not saying these are great lte speeds but quite a bit better than I was pulling down before and as I said quite consistantly. Hope this helps

oh also I forgot to mention also gives some nice choices for native flash media as well as some various codecs for audio. oh and some tethering options kindof nice as I had recently lost the ability to hotspot and couldnot find a workaround app that was successful. Dam one other set of options regarding the e-9 won won stuff as far as the network I guess maybe

 

[E:V:A]

...The hiddenkeystring for me is ( *#467# ) ...

That doesn't work for the 9195, although they seem very similar.
What's your stock ROM and MODEM FW? Perhaps some getprops please.
@dp929 Can you post a screenshot?

 

[gonzalomorenorovetto]

Does anyone know how to stop the fm radio from asking for headphones?
I know it uses it as antenna but with an older samsung phone I disabled it, I just don't remember how, and the reception wasn't that bad
thanks