GSM-Forum > Other Gsm/Mobile Related Forums > GSM Programming & Reverse Engineering
Old 10-09-2014, 16:33   #1   ecs87 (Banned)
Question: logging with Daseul (G900P)


So a user contacted me with some IMEI repair logs done with Daseul, and I saw some QC DM subsystem commands in there, or at least I assume so. The format was hex and it started with 4B. My question is: can Daseul users log a phone without performing any operations on the phone? Let's say I had Daseul access (I don't) and hooked up my G900P over UART. Will it start logging as soon as I plug my phone in, or do I need to start the IMEI repair operation before it starts to log?

The reason is that I need to log the QC DM commands sent to the phone, and the QXDM logger doesn't log this; neither does logcat with the radio buffer. Or, if anyone has any information on how Daseul gets these logs, that information would be equally important.

Thanks in advance :-)
Old 10-10-2014, 21:47   #2   Haltec (No Life Poster)
Daseul won't do anything until you enter a username and password and go online. It will eventually perform calibration without credentials, but that's not useful to you. And I doubt that you have a CMU200 or CMW500.


Haltec
Old 10-11-2014, 20:51   #3   ecs87 (Banned)
I'm confused...let's say I know someone with guaranteed access to Daseul. They have a valid username and password. They've logged a G900T IMEI repair, actually a couple of them, for me. What I'm asking is if the log is capable of reading QC DM subsystem commands sent OTA (i.e. Sprint's update PRL, update profile, UICC unlock, etc.).
Old 10-11-2014, 21:10   #4   Haltec (No Life Poster)
There are a variety of different access levels to the DB and logging ability. Do you have a Daseul log, or did they use some aftermarket logger?

Because to enable logging in Daseul you'll need an additional username and password.

I am not sure what you are asking here.

Did someone log the COM port where Anyway was connected during the IMEI write?

I guess that's the most that you'll be able to get...



Haltec
Old 10-13-2014, 10:37   #5   stanner_austin (No Life Poster)
Quote: Originally Posted by ecs87
I'm confused...let's say I know someone with guaranteed access to Daseul. They have a valid username and password. They've logged a G900T IMEI repair, actually a couple of them for me. What I'm asking is if the log is capable of reading QC DM subsystem commands sent OTA (IE: Sprint's update PRL, update Profile, UICC unlock, etc).
Hello,
The RIL log and other QMI/QC logs can be enabled with code 9900 to set the debug level to highest.
You can enable all internal debugging logging levels to high and log everything you need.

You can use the same command to copy all logs to the SD card, or pull the log files via adb.

Such a log can surely help to understand how the UICC unlock goes, but still only a system app can access QMI commands to read/write protected NV.

Second, the NV is already known; the problem is to rewrite it without a patch, or what patch to apply to the baseband.

Due to the write protection applied, no one can change the modem in working mode.

Regards,
Chevli
Old 10-13-2014, 22:11   #6   ecs87 (Banned)
Quote: Originally Posted by Haltec
There are a variety of different access levels to the DB and logging ability. Do you have a Daseul log, or did they use some aftermarket logger?

Because to enable logging in Daseul you'll need an additional username and password.

I am not sure what you are asking here.

Did someone log the COM port where Anyway was connected during the IMEI write?

I guess that's the most that you'll be able to get...

Haltec
I didn't do the log, I'm pretty sure someone was using the Daseul log, not a third party logger. I'm just asking if they'd be able to see those QMI commands in the log IF they were able to log in the Daseul program. Let's just say hypothetically that they had access for purposes of this post.

Yes, he was able to see ALL AT commands performed during the S5 IMEI repair by Daseul (or Anyway if you'd like to call it that).
Old 10-13-2014, 22:13   #7   ecs87 (Banned)
Quote: Originally Posted by stanner_austin
Hello,
The RIL log and other QMI/QC logs can be enabled with code 9900 to set the debug level to highest.
You can enable all internal debugging logging levels to high and log everything you need.

You can use the same command to copy all logs to the SD card, or pull the log files via adb.

Such a log can surely help to understand how the UICC unlock goes, but still only a system app can access QMI commands to read/write protected NV.

Second, the NV is already known; the problem is to rewrite it without a patch, or what patch to apply to the baseband.

Due to the write protection applied, no one can change the modem in working mode.

Regards,
Chevli
Thanks for the reply Chevli. I've tried the 9900 command. These are blocked by Sprint. It does not allow me to log at any higher level, and the logs copied to the SD card do not contain any QMI commands sent over the air. I'm confident that these QMI commands ARE able to be logged...we just need to find out where these logs are. Daseul seems to display the most verbose modem logs, so that's why I made this post.
Old 10-14-2014, 05:21   #8   dest (No Life Poster)
Quote: Originally Posted by ecs87
Thanks for the reply Chevli. I've tried the 9900 command. These are blocked by Sprint. It does not allow me to log at any higher level, and the logs copied to the SD card do not contain any QMI commands sent over the air. I'm confident that these QMI commands ARE able to be logged...we just need to find out where these logs are. Daseul seems to display the most verbose modem logs, so that's why I made this post.
I am a little confused as well. No Samsung program can SIM unlock a Sprint phone. This is because the phone thinks it is unlocked. If you are trying to log communications between a system app and the radio, then you will only see communication between the system and the RIL, not to the baseband itself. The radio log will show things you might be interested in. But like I said before, you can only use those within Android, meaning you have to create a system app and communicate with the RIL, not the baseband. As far as I know, you cannot log communication between the RIL and the baseband.
Old 10-14-2014, 09:26   #9   Haltec (No Life Poster)
You might find this interesting.

How does Modem code talk to Android code - Stack Overflow

I completely misunderstood OP's intention. Sorry about that.


Br


Haltec
Old 10-14-2014, 18:12   #10   ecs87 (Banned)
Quote: Originally Posted by dest
I am a little confused as well. No Samsung program can SIM unlock a Sprint phone. This is because the phone thinks it is unlocked. If you are trying to log communications between a system app and the radio, then you will only see communication between the system and the RIL, not to the baseband itself. The radio log will show things you might be interested in. But like I said before, you can only use those within Android, meaning you have to create a system app and communicate with the RIL, not the baseband. As far as I know, you cannot log communication between the RIL and the baseband.
I didn't want it to unlock a Sprint phone; I have access to a Sprint account that is eligible for an unlock, and by writing the NV items from it (from 0-12000) onto an S5 that I have, I'm able to UICC unlock it over Wi-Fi. What I'm trying to do is log the UICC unlock process while it's doing it. I thought that Daseul would be able to log this process verbosely enough to get the QMI or AT commands performed during the process, but it probably won't be able to.

I was able to see some hex code being sent back and forth regarding the account's profile 1 username, MIN, and MDN, but haven't found anything regarding the unlock.
Old 10-14-2014, 18:13   #11   ecs87 (Banned)
Quote: Originally Posted by stanner_austin
Hello,
The RIL log and other QMI/QC logs can be enabled with code 9900 to set the debug level to highest.
You can enable all internal debugging logging levels to high and log everything you need.

You can use the same command to copy all logs to the SD card, or pull the log files via adb.

Such a log can surely help to understand how the UICC unlock goes, but still only a system app can access QMI commands to read/write protected NV.

Second, the NV is already known; the problem is to rewrite it without a patch, or what patch to apply to the baseband.

Due to the write protection applied, no one can change the modem in working mode.

Regards,
Chevli
I take back what I said earlier about Sprint blocking the high-level debugging. I must've been looking at another logging menu. By setting it to HIGH it did seem to log more things than previously over the radio. I was able to see a few QMI commands...but not the ones I was looking for.
Old 10-21-2014, 03:18   #12   dest (No Life Poster)
Quote: Originally Posted by ecs87
I take back what I said earlier about Sprint blocking the high-level debugging. I must've been looking at another logging menu. By setting it to HIGH it did seem to log more things than previously over the radio. I was able to see a few QMI commands...but not the ones I was looking for.
Which one are you looking for? Can you give me an example of a QMI command, just to know that we are talking about the same thing.
Old 10-21-2014, 21:21   #13   ecs87 (Banned)
I'm pretty sure I don't know the correct terminology for this; some places call it QC DM commands, some places call it AT commands (it's obviously not AT commands), some places call it QMI, etc.

Here's an example of it:

00
4B13300000000000
4B1330006E766D2F6E756D2F313031323400
4B1330006E766D2F6E756D2F313031323400
4B13300041020000B60100006E766D2F6E756D2F313031323400
4B133000000000000000000030
4B13300000000000

These are the raw commands to process the L720 international unlock. I'm assuming 4B refers to the subsystem. Notice how in one of the commands it refers to /nvm/num/10124 if you convert it from hex to ASCII? Overall, this entire script is accessing /nvm/num/10124 and changing it from 00 to 30 (as you can also see from one of the commands). It doesn't even need the SPC to be sent...only the 16 character password.

I'm looking for something similar to this in the G900P, but I don't even know how the guys got it for the L720. There is no documentation anywhere on this, only people telling users to use these commands. I couldn't care less about being given the exact command; I want to know where to find these commands and the formatting of them.
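Added example, not code from the thread or from any tool it names: a small Python audit pass over hex frames like the ones quoted in this post, so a captured log can be checked for frames that name an EFS-style path or write a value. The leading-byte check follows the poster's assumption that 4B marks the subsystem command, and the "value write" heuristic (a longer frame ending in a non-zero byte, matching the 00 -> 30 change the post describes) is my own assumption, not a documented format.

```python
import binascii
import re

# Constructed sample: the raw hex frames quoted in the post, one frame per line.
SAMPLE_LOG = """\
00
4B13300000000000
4B1330006E766D2F6E756D2F313031323400
4B1330006E766D2F6E756D2F313031323400
4B13300041020000B60100006E766D2F6E756D2F313031323400
4B133000000000000000000030
4B13300000000000
"""

# Runs of 4+ printable ASCII bytes; a run containing '/' is treated as an EFS-style path.
ASCII_RUN = re.compile(rb"[ -~]{4,}")
SUBSYS_CMD = 0x4B  # leading byte the poster assumes marks a subsystem command


def parse_frame(hex_line: str) -> dict:
    """Decode one hex line (whitespace ignored) into its observable fields."""
    raw = binascii.unhexlify(hex_line.replace(" ", ""))
    paths = [m.group().decode() for m in ASCII_RUN.finditer(raw) if b"/" in m.group()]
    return {"cmd": raw[0] if raw else None, "length": len(raw),
            "paths": paths, "last": raw[-1] if raw else None}


def audit_log(text: str) -> list:
    """Return (kind, detail, hex) for every frame worth a second look.

    kind is 'path_access' when the frame names a path, or 'value_write' for a
    longer frame ending in a non-zero byte (assumed heuristic for the 00 -> 30
    write described in the post; not a documented frame format).
    """
    findings = []
    for line in (raw_line.strip() for raw_line in text.splitlines()):
        if not line:
            continue
        frame = parse_frame(line)
        if frame["cmd"] != SUBSYS_CMD:
            continue
        if frame["paths"]:
            findings.append(("path_access", frame["paths"][0], line))
        elif frame["length"] > 8 and frame["last"] != 0:
            findings.append(("value_write", f"0x{frame['last']:02X}", line))
    return findings


if __name__ == "__main__":
    for kind, detail, hex_line in audit_log(SAMPLE_LOG):
        print(f"{kind:12} {detail:16} {hex_line}")
```

Run against the sample it reports three frames naming nvm/num/10124 and one frame carrying the 0x30 value, which is the pattern a reviewer would want flagged when auditing logs for writes to protected NV items.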
Old 10-21-2014, 23:20   #14   dest (No Life Poster)
Quote: Originally Posted by ecs87
I'm pretty sure I don't know the correct terminology for this; some places call it QC DM commands, some places call it AT commands (it's obviously not AT commands), some places call it QMI, etc.

Here's an example of it:

00
4B13300000000000
4B1330006E766D2F6E756D2F313031323400
4B1330006E766D2F6E756D2F313031323400
4B13300041020000B60100006E766D2F6E756D2F313031323400
4B133000000000000000000030
4B13300000000000

These are the raw commands to process the L720 international unlock. I'm assuming 4B refers to the subsystem. Notice how in one of the commands it refers to /nvm/num/10124 if you convert it from hex to ASCII? Overall, this entire script is accessing /nvm/num/10124 and changing it from 00 to 30 (as you can also see from one of the commands). It doesn't even need the SPC to be sent...only the 16 character password.

I'm looking for something similar to this in the G900P, but I don't even know how the guys got it for the L720. There is no documentation anywhere on this, only people telling users to use these commands. I couldn't care less about being given the exact command; I want to know where to find these commands and the formatting of them.
I am aware of it; I made a similar one a long time ago. I thought you were asking about RIL hook raw commands; that's why I asked.
People figured that out by reversing the modem. It is the same with NVM 10080 for GSM phones, which controls the unlock.
Old 10-21-2014, 23:44   #15   ecs87 (Banned)
Interesting...! I wonder how we can access these vendor specific items (seems Samsung uses the 10000 range to store their vendor specific items...kinda like how Moto has stuck with the 8000 range). Sorry about the confusion earlier...the phone lingo can get confusing :-(