![<?echo $_SERVER['SERVER_NAME'];?>](/template/twentyseventeen/skin/images/header.jpg)
For many users of parallel phones and operators' customized machines, in order to use different phone cards and 4G, network mode and 4G cracking are problems that need to be solved by themselves. This is the beginning of many people taking the Android tossing road.
This popular science, mixed with tutorials, is also a matter of right-to-left human friend care. And the opportunity to write this, is the author into a Verzion version of the S6 edge ......
According to the different methods of blockade established by operators, the methods of cracking are also bizarre and difficult. This is roughly divided into four categories: system, build file, Qualcomm debugging tool, and engineering mode.
The system itself
Part of the system's network soft shield is very simple, just hide the switch page. But Android's activity mechanism (it can be used as a page, all interfaces are composed of many activities), so that third-party applications can dug out the system specifically hidden interface.
More shortcut, and its hidden shortcuts
In applications such as "more shortcut, nova desktop," which allows you to view system shortcuts/activity pages, you can find a lot of scattered settings, and it is likely to include many things that shouldn't appear on some models.
Hidden LTE Switch, GSM/UMTS Band, Roaming Network Settings Page
For example, in the V version S6 edge, an LTE switch can be called. Although this switch cannot be set, this is absolutely not a problem that the V version will join. It should be an element that has not been cleaned up in other versions of the system.
The set switch can control the GSM/UMTS frequency band, roaming network settings, and there is also a 4G enabled shortcut, but it, flash, retreat,...
Build.prop file
RE Manager and G925V build.prop file
Many people start tossing Android, both RE Manager and build.prop files. Although there are only 1-200 lines of this file, changing the above parameter values ​​can easily change the machine model, language information, system DPI, network settings, system virtual memory and many other parameters.
Some unusual and simple cracking special cases are accomplished through it, such as the Samsung S4 LTE-A (SHV-E330). After the root, change the model in system/build.prop from SHV-E330 to SM-N9005 (this is Note one of the versions of Note 3, you can open support for FDD-LTE B1/3/5/7 in one breath.
Left is modified, right is the modified network selection interface
In addition, for the V version S6 edge, after changing the system/csc/sales_code.dat to CHN, or changing the model and area name in build.prop to chn, the network mode selection menu and notification bar will appear different. Variety. The Hong Kong and U.S. version of the system interface was changed after a few letters of amendment. Did you immediately understand why Samsung's ROM is particularly large? Because they actually put the contents of the N versions in it...
High-tech debugging three artifacts
Because mobile phone manufacturers generally directly buy solutions such as Qualcomm/MTK and other chip makers, and rarely make deep-seated changes, chip makers' debugging tools leave room for cracking.
Due to the limited space, the Qualcomm SoC model with the largest amount of security and the most cracked method is used as an example. These models are based on Qualcomm's baseband and RF chips and can be cracked through the classic "Qualcomm Trio" QXDM, QPST and DFS. And three of them are legendary tool for writing numbers.
They are tools that Qualcomm Inc. introduced to track data sent from mobile terminals. Its main purpose is network testing. Even if the machine does not solve the BL lock, as long as it can root, there will be opportunities to modify the network configuration file/EFS partition of the system through debugging tools such as Qualcomm and other chip manufacturers, so as to achieve the purpose of unlocking the network restriction.
QXDM
QXDM stands for The QUALCOMM Extensible Diagnostic Monitor. The main steps are actually only 3 steps:
Open the hidden USB mode setting interface, enter the project mode from the dialing interface
Open the phone's CP mode (from the original MTP + ADB to RNDIS + DM + Modem)
The value of 06828 and 06829 is modified in QXDM's NV Browser (NV Value Viewer/Manager) to (4G band fully open), or (including domestic band 1/3/7/38/39) /40/41)
There is also a DBEditor inside it, where you can see the specific instructions for the 10,000 settings. Crack Wang saw this minute climax, novice to see the minute to scare urine ... ...
QPST
QPST Included Components
QPST (Qualcomm Product Support Tool) is a transmission software group developed for Qualcomm chips. It includes EFS Explorer, Factory Test Mode Application, memory debug, QPST Configuration, NV Item Manager, and Service Programming. Some components, such as software downloads, can bypass the system, perform ring tone duplication, change phone function parameters, and so on.
In the Service Programming interface, you can modify the network settings in a super-detailed way. There are more than 20 labels in the red box on the picture...
EFS Explorer Screenshots
While some of them already have relevant frequency band support, due to the difference in the carrier_policy.xml file, the LTE status automatically drops back to 3G/1x. For this part of the device, you can use the EFS Explorer (EFS Partition Manager) in QPST to import and modify related files (refer to US version of the Nexus 6 crack)
DFS CDMA TOOL
It can be used to modify almost the entire set of network settings. The US Nexus 6 is also used as a reference. The DS QcMIP and the Retries interval can be modified to achieve the same effect as the QPST's addition of the carrier_policy.xml file above.
For some models, this does not even require root. Part of the bad luck, you need to use two or even three software friends at the same time, you may find that the modifications between the actual exchange between them, in which one side after modifying the parameters, the other side of the parameter values ​​will also have a corresponding The change.
Endless engineering modeBefore connecting these three great tools, you need to turn on the CP (modem debugging) mode of your phone. This is the biggest hurdle on your way to the road, because the road is over the unpopular project mode (it is usually input on the dialing interface). Jumping interface after a string of characters).
The left is the project mode code and the right is the USB Setting mode
Different manufacturers, even different types of models, enter the project dial code will be different, such as the HTC M8 is used to 3424. Partially unresponsive machines need to connect to the computer to enter the adb code of "adb shell - su- setprop sys.usb.diag.config diagon" ("-" here refers to the branch). For the moto series, you can press the volume reduction and power supply at the same time, go to the AP Fastboot and jump to the BPTOOLS option, and jump to the target CP mode at one go.
Samsung can try 7284, 0808 and other codes. If it fails, after root, enter the /EFS/carrier/ directory through the RE Manager and turn OFF HiddenMenu ON (must be capitalized). If it still doesn't work, go to the system folder and change build.prop. At the bottom, add sys.hiddenmenu.enable=1. Then go to system/csc/sales_code.dat and change CHN to VZW.
If the machine does not respond to any of the above solutions, find a different version of the same machine, decompile and migrate the IOTiddenMenu, and include the APK with ServiceMode and Test and place it in the corresponding location. Although deodex and decompilation now have relatively simple one-click tools, it is still more troublesome and will not be expanded here.
The way to get into the engineering model may be hard for the lake, but after entering, you will find the door to the new world slowly opening...
The beginning of a new worldThere are quite a few dial-up project mode codes. For different models, this specific code will also be different. Here is a partial V version of S6 edge code:
0011 Engineering Mode Service Mode (Check Current Band Value)
06 imei
0228 battery status test
1234 version
1111 Engineering Mode
0 test mode
7353 Quick Test Menu
version display
However, it's about the following two that are related to our tossing the Internet:
3282 DATA programming interface
Engineering Mode Main Menu
When they first saw them, it was estimated that most people would be scared, and cracking Wang's heart surely burned endless hope.
DATA programming interface
DATA programming interface
The pile of invisible parameters adjusted in QPST and DFS can also be directly input here.
HiddenMenu just opened with painstaking efforts, actually has a ready-made switch here......
There are no more network options in the system. There are more detailed options available here.
Project Mode Main Menu Page
The main menu of the project mode is more frightening, with many levels and projects inside, and it can easily crush the system's own settings.
There will be a lot of interesting things in it, for example, here we see that the S6 edge is identified as the MSM8974, probably because of the use of Qualcomm's MDM9536M baseband.
The direct switching of the 4G frequency band actually appears inside, shielding the network options and so on. Part of the operators is through this modification, through MAIN MENU--[2]UE SETTING & INFO--[1]SETTING--[1]PROTOCOL--[2]NAS--[1]NETWORK CONTROL-- [4] After BAND SELECTION there will be such a lot of options, some models is to use this to achieve the purpose of shielding the network, click to open the target network.
For a telecom model that can't fall back between 3G and 4G after it is cracked, you can manually control the network mode here. CS is CDMA and PS is 4G. For models that cannot jump back to 4G from 2/3G and CDMA, they can automatically jump back to 4G in conjunction with perfect LTE and other apps.
In this mode, you need to manually input Q21182, Q211214 and other codes with key input to change the mode. Passionate players can linger inside, and you may find many surprises.
These are all precedent 4G cracking methods on the market, but due to the large number of Android models and large vendor differences, this article can only use the US version of the S6 edge, Nexus6 as the outline of the water type, let the machine just entered the crack pit, right The current crack method has a general understanding and impression. In addition, remind you again that before tossing and cracking, please make a backup...
Of course, if there is no toss interest friends can still wait for the system upgrade, many machines will automatically unlock the network after the upgrade, such as V version of the S6 edge upgrade Android 5.1 after the default open support for the domestic frequency band can be used directly Unicom 4G and Telecom 4G, but the price is that the new system cannot fall back to Telecom's 3G (telecom users are subject to crit again).
Although the cause was simply no money to buy the country bank, it ended up with an old saying: If the machine is not tossing, what is the difference between it and salted fish?