In order to use different mobile phone cards and 4G, network mode and 4G cracking are problems that need to be solved by users of many smuggled mobile phones and operators' customized phones. This is the beginning of many people's journey to Android.
This popular science article, which is mixed with tutorials, is entitled to give humanistic care to those who just entered the pit. The opportunity to write this is that the author has entered a Verzion version of S6 edge
According to the different ways of blocking set up by operators, the methods of cracking are various and difficult. It is roughly divided into four categories: system, build file, Qualcomm debugging tool and engineering mode.
System itself
The network soft shielding mode of some systems is very simple, just hiding the switch page. However, the Android activity mechanism (which can be regarded as a page, and all interfaces are composed of many activities) allows third-party applications to dig out the interfaces that the system deliberately hides.
more shortcut, And its hidden shortcut
In "more shortcut, nova desktop" and other applications that can view the system shortcut/activity page, you can find many scattered settings, and it is likely to include many content that should not appear in some models.
Hidden LTE switch, GSM/UMTS frequency band, roaming network settings page
For example, an LTE switch can be called out in S6 edge of version V. Although this switch cannot be clicked, it must not belong to something that will be added in Wanhei version V. It should be an element that has not been cleaned up in other versions of the system.
The set switch can control the GSM/UMTS frequency band and roaming network settings. In addition, there is a shortcut to enable 4G. However, it flashes, retreats, and disappears
Build.prop file
The build.prop file of RE Manager and G925V
The beginning of many people's struggle with Android is the RE manager and the build.prop file. Although this file has only 1-200 lines, by changing the above parameter values, you can easily change the machine model, language information, system DPI, network settings, system virtual memory and many other parameters.
Some extremely simple cracking exceptions are completed through it. For example, Samsung S4 LTE-A (SHV-E330), after its root, changes the model in system/build.prop from SHV-E330 to SM-N9005 (this is one of the versions of Note 3), which can open the support for FDD-LTE B1/3/5/7 at one go.
The left is the interface of network selection before modification, and the right is the interface of network selection after modification
In addition, for S6 edge version V, after changing system/csc/sales_code.dat to CHN, or changing the model and region name in build.prop to chn, the network mode selection menu and notification bar will change differently. The system interfaces of the Hong Kong version and the US version are interchangeable after a few letters are modified. Do you suddenly understand why Samsung's ROMs are particularly large? Because they actually cram the contents of N versions into it
Three debugging artifacts of Qualcomm
Because mobile phone manufacturers generally buy the solutions of Qualcomm/MTK and other chip manufacturers directly, and rarely make in-depth modifications, the debugging tools of chip manufacturers leave room for users to crack.
Due to the limited space, the Qualcomm SoC model with the largest population and the largest cracking method is taken as an example to illustrate. These models use QUALCOMM's baseband and RF chips, which can be used for network cracking through the classic "QUALCOMM three piece suite" QXDM, QPST and DFS. The three of them are also legendary number writing tools.
They are tools launched by Qualcomm to track data sent by mobile terminals, and are mainly used for network testing. Even if the machine does not unlock the BL lock, as long as it can root, it will have the opportunity to modify the network configuration file/EFS partition of the system through the debugging tools of Qualcomm and other chip manufacturers, so as to achieve the purpose of unlocking the network restrictions.
QXDM
The full name of QXDM is The QUALCOMMExtensible Diagnostic Monitor. There are only three main steps:
Open the hidden USB mode setting interface and enter the engineering mode from the dialing interface
Turn on the CP mode of the phone (from the original MTP+ADB to RNDIS+DM+Modem)
In QXDM's NV Browser, modify the values in 06828 and 06829 to 17592185995263 (4G band fully open), or 2061584302149 (including the domestic band 1/3/7/38/39/40/41)
There is also a DBEditor in it, where you can see the detailed descriptions of thousands of settings. Breaking Wang saw the minute by minute climax, and the novice scared urine every minute
QPST
Components included in QPST
QPST (Qualcomm Product Support Tool) is a transmission software group developed for Qualcomm chips. It includes EFS Explorer, Factory Test Mode Application, Memory Debug, QPST Configuration, RF NV Item Manager, Service Programming, and Software Download It can bypass the system, copy ringtones, change functional parameters of mobile phones and other operations.
In the Service Programming interface, you can make super detailed modifications to the network settings. There are more than 20 labels in the red box in the figure above
Screenshot of EFS Explorer
However, some of the related frequency bands are already supported, but the LTE status will automatically exit due to the difference in the carrier_policy.xml file and fall back to 3G/1x. For these devices, you can use the EFS Explorer in QPST to import and modify related files (refer to the cracking of US version Nexus 6)
DFS CDMA TOOL
It can modify almost the whole set of network settings, and also take the US version Nexus 6 as a reference. By modifying the DS QcMIP and the Retrieves interval in it, you can achieve the effect similar to that of adding the carrier_policy.xml file to the above QPST
For some models, this does not even require root. However, some users who are unlucky and need to use two or even three software at the same time may find that their modifications are actually interoperable. After modifying parameters on one side, the parameter values on the other side will also change correspondingly.
Endless engineering mode
Before connecting these three great tools, you need to turn on the CP (modem debugging) mode of the mobile phone. This is the biggest obstacle on the way to crack, because this obstacle is horizontal to the relatively unpopular engineering mode (that is, the interface that jumps after inputting a string of characters in the dial interface).
The left is the engineering mode code, and the right is the USB Setting mode
The dialing codes of different manufacturers, even different models, may be different when entering engineering mode. For example, HTC M8 uses # # 3424 #. Some unresponsive machines need to connect to the computer and input the adb code of "adb shell - su - setprop sys. usb. diag. config diagon" ("-" here means branch). Moto series, you can press the volume decrease and power supply at the same time to switch to the BPTOOLS option in AP Fastboot, and jump to the target CP mode in one breath.
Samsung can try * # 7284 # *, * # 0808 # and other codes. If it fails, after root, enter the/EFS/container/directory through the RE manager, and set the OFF in the Hidden Menu to ON (always uppercase). If not, enter the system folder to modify build.prop, and add sys. hidden menu. enable=1 at the bottom; Then go to system/csc/sales_code.dat and change CHN to VZW.
If the machine does not respond to the above scheme, find a machine with different versions of the same model, decompile and migrate the IOTHiddenMenu, the apk containing ServiceMode and Test, and insert it into the corresponding location. Although both deodex and decompilation now have relatively simple one click tools, it is still troublesome to do so, so we will not expand it here.
The road to enter the engineering mode may be very hard, but after entering, you will find that the door of the new world is slowly opening
The beginning of a new world
There are quite a number of codes for dial-up engineering mode. For different models, the specific code will be different. Here are some codes of S6 edge version V:
*#0011 # engineering mode ServiceMode (view the current frequency band value)
*#06# imei
*#0228 # battery status test
*#1234 # version
*#1111 # project mode
*#0 * # test mode
*#7353 # quick test menu
*#12580 * 369 # version display
But the following two things are about our network:
The first time I saw them, it was estimated that most people would be shocked, and there must be endless hope burning in Wang's heart.
DATA programming interface
DATA programming interface
The set of parameters that cannot be understood in QPST and DFS can also be directly input here.
The Hidden Menu, which has just been opened with great efforts, has a ready-made switch here
For the network mode not available in the system, more detailed options are provided here.
Main menu page of engineering mode
*#The main menu of 27663368378 # project mode was even more shocked. There were so many levels and items in it that it easily rolled over the setting items of the system itself.
There are also many interesting things found in it. For example, we can see that S6 edge is identified as MSM8974 here, which may be due to the use of Qualcomm's MDM9536M baseband.
The direct switches of 4G band actually appear inside, and there are options for shielding the network. Some operators modify it through MAIN MENU -- [2] UE SETTING&INFO -- [1] SETTING -- [1] PROTOCOL -- [2] NAS -- [1] NETWORK CONTROL -- [4] BAND SELECTION. Some models use this to shield the network. Click in and open the target network.
For telecom models that cannot fall back between 3 and 4G after being cracked, you can manually control the network mode here. CS is CDMA and PS is 4G. For models that cannot jump back to 4G from 2/3G or CDMA, they can automatically jump back to 4G with perfect LTE and other apps.
In this mode, you need to manually enter Q21182, Q211214 and other codes with key input to change the mode. Enthusiastic players can take a stroll in it and may find many surprises.
summary
These are all the 4G cracking methods that have precedents in the market. However, due to the large number of Android models and the large differences among manufacturers, this article can only use the American S6 edge and Nexus6 as a quick overview to give the new users a general understanding and impression of the current cracking methods. In addition, let me remind you again, please make a backup before you toss and crack
Of course, if you are not interested in doing anything, you can still wait for the system upgrade. Many machines will automatically unlock the network after upgrading. For example, after upgrading Android 5.1, S6 edge V will open the support for domestic frequency bands by default. You can directly use Unicom 4G and Telecom 4G, but at the cost that the new system cannot automatically fall back to Telecom 3G (telecom users are hit again).
Although the reason is just that I don't have money to buy a Chinese bank, I finally encourage you with an old saying: if the Ji guy doesn't bother, what's the difference with salted fish?
