GSM Programming & Reverse Engineering Here you can post all Kind of GSM Programming and Reverse Engineering tools and Secrets. |
10-09-2014, 16:33 | #1 (permalink) |
Banned Join Date: Nov 2013 Location: Chicago, IL
Posts: 995
Member: 2076039 Status: Offline Thanks Meter: 648 | Question: logging with Daseul (G900P) The reason is...I need to log the QC DM commands sent to the phone, and the QXDM logger doesn't log this; neither does logcat with the radio buffer. OR if anyone has any information on how Daseul gets these logs that information would be equally as important. Thanks in advance :-) |
10-10-2014, 21:47 | #2 (permalink) |
No Life Poster Join Date: Mar 2009 Location: Europe Wienna
Posts: 1,269
Member: 984046 Status: Offline Thanks Meter: 255 | Daseul won't do anything until you enter username and password and go online. It will eventually perform calibration without credentials, but that's not useful to you. And I doubt that you have a CMU200 or CMW500. Haltec |
10-11-2014, 20:51 | #3 (permalink) |
Banned Join Date: Nov 2013 Location: Chicago, IL
Posts: 995
Member: 2076039 Status: Offline Thanks Meter: 648 | I'm confused...let's say I know someone with guaranteed access to Daseul. They have a valid username and password. They've logged a G900T IMEI repair, actually a couple of them for me. What I'm asking is if the log is capable of reading QC DM subsystem commands sent OTA (IE: Sprint's update PRL, update Profile, UICC unlock, etc). |
10-11-2014, 21:10 | #4 (permalink) |
No Life Poster Join Date: Mar 2009 Location: Europe Wienna
Posts: 1,269
Member: 984046 Status: Offline Thanks Meter: 255 | There is a variety of different access to the DB and log ability. Do you have a Daseul log or did they use some aftermarket logger? Because to enable logging in Daseul you'll need an additional username and pass. I am not sure what you are asking here. Did someone log a COM port where Anyway was connected during imeiwrite? I guess that's the most that you'll be able to get... Haltec |
10-13-2014, 10:37 | #5 (permalink) | |
No Life Poster Join Date: Jan 2004 Location: Unknown Age: 39
Posts: 9,227
Member: 49752 Status: Offline Sonork: QQ:1474246528 Thanks Meter: 6,085 | Quote:
RIL log and other QMI, QC logs can be enabled by code 9900 to set the debug level to highest. You can enable all internal debugging logging levels to high and log everything you need. You can use the same command to copy all logs to the sdcard, or pull the log files via adb. Such logs for sure can help to understand how the UICC unlock goes. But still only system apps access the QMI commands to read/write protected NV. Second, NV is already known; the problem is to rewrite it without patch or with patch baseband. Due to the write protection applied, no one can change the modem in working mode. Regards, Chevli | |
10-13-2014, 22:11 | #6 (permalink) | |
Banned Join Date: Nov 2013 Location: Chicago, IL
Posts: 995
Member: 2076039 Status: Offline Thanks Meter: 648 | Quote:
Yes, he was able to see ALL AT commands performed during the S5 IMEI repair by Daseul (or Anyway if you'd like to call it that). | |
10-13-2014, 22:13 | #7 (permalink) | |
Banned Join Date: Nov 2013 Location: Chicago, IL
Posts: 995
Member: 2076039 Status: Offline Thanks Meter: 648 | Quote:
| |
10-14-2014, 05:21 | #8 (permalink) | |
No Life Poster Join Date: Jun 2004 Location: USA Age: 39
Posts: 1,142
Member: 67927 Status: Offline Thanks Meter: 108 | Quote:
| |
10-14-2014, 09:26 | #9 (permalink) |
No Life Poster Join Date: Mar 2009 Location: Europe Wienna
Posts: 1,269
Member: 984046 Status: Offline Thanks Meter: 255 | You might find this interesting: How does Modem code talk to Android code - Stack Overflow. I completely misunderstood OP's intention. Sorry about that. Br Haltec |
10-14-2014, 18:12 | #10 (permalink) | |
Banned Join Date: Nov 2013 Location: Chicago, IL
Posts: 995
Member: 2076039 Status: Offline Thanks Meter: 648 | Quote:
I was able to see some hex code being sent back and forth regarding the account's profile 1 username, MIN, and MDN, but haven't found anything regarding the unlock. | |
10-14-2014, 18:13 | #11 (permalink) | |
Banned Join Date: Nov 2013 Location: Chicago, IL
Posts: 995
Member: 2076039 Status: Offline Thanks Meter: 648 | Quote:
| |
10-21-2014, 03:18 | #12 (permalink) | |
No Life Poster Join Date: Jun 2004 Location: USA Age: 39
Posts: 1,142
Member: 67927 Status: Offline Thanks Meter: 108 | Quote:
| |
10-21-2014, 21:21 | #13 (permalink) |
Banned Join Date: Nov 2013 Location: Chicago, IL
Posts: 995
Member: 2076039 Status: Offline Thanks Meter: 648 | I'm pretty sure I don't know the correct terminology for this, some places call it QC DM commands, some places call it AT commands (it's obviously not AT commands), some places call it QMI, etc. Here's an example of it: 00 4B13300000000000 4B1330006E766D2F6E756D2F313031323400 4B1330006E766D2F6E756D2F313031323400 4B13300041020000B60100006E766D2F6E756D2F3130313234 00 4B133000000000000000000030 4B13300000000000 These are the raw commands to process the L720 international unlock. I'm assuming 4B refers to the subsystem. Notice how in one of the commands it refers to /nvm/num/10124 if you convert it from hex to ASCII? Overall, this entire script is accessing /nvm/num/10124 and changing it from 00 to 30 (as you can also see from one of the commands). It doesn't even need the SPC to be sent...only the 16 character password. I'm looking for something similar to this in the G900P, but I don't even know how the guys got it for the L720. There is no documentation anywhere on this, only people telling users to use these commands. I can care less about being given the exact command; I want to know where to find these commands and the formatting of them. |
10-21-2014, 23:20 | #14 (permalink) | |
No Life Poster Join Date: Jun 2004 Location: USA Age: 39
Posts: 1,142
Member: 67927 Status: Offline Thanks Meter: 108 | Quote:
People figured that out by reversing the modem. It is the same with NVM 10080 for GSM phones which controls the unlock. | |
10-21-2014, 23:44 | #15 (permalink) |
Banned Join Date: Nov 2013 Location: Chicago, IL
Posts: 995
Member: 2076039 Status: Offline Thanks Meter: 648 | Interesting...! I wonder how we can access these vendor specific items (seems Samsung uses the 10000 range to store their vendor specific items...kinda like how Moto has stuck with the 8000 range). Sorry about the confusion earlier...the phone lingo can get confusing :-( |