Need to add ch13 to wireless. Ar6000 chip can do it, but i can find no config to set it. Reg domain missing on the x10. Anyong know how to re-add it? Phone is rooted, but cant find a config file either. Anyone have any ideas?
Cheers
Frank
Sent from my SO-01B using XDAu App
bummer, no one knows huh?
Sent from my X10i using XDA App
Have you tried to manually modify wpa_supplicant.conf? It's located at /data/misc/wifi/ I recommend you to use Root Explorer because it includes a text editor and can easily mount the partition. Be careful to not touch its original permissions or your wifi won't work. BR
Edit: I've been investigating this issue an there's no option in wpa_supplicant.conf to change channel range or to point to a channel, you just set the ssid. I hope it's not hardcoded in wlan_tools binary file... First thing I'd try is to write your wifi parameters into wpa_supplicant.conf and then cross your fingers
I don't think so...
I've spent hours on this (including reading source code from atheros used in openmoko) and I am starting to get an idea of how it is set.
Android passes a hex code to the ar6000 module when it loads it on boot..
That hex code is the regulatory domain... I am trying to find out what the codes are, and also where the X10 is installing that module.
you can do a lsmod as root in a terminal to see what I mean.
I could just use rmmod and insmod to remove/add the driver as needed, but would rather find the place where android is loading the module and edit it there to suit.
regards
Frank
PS, been using root explorer since the day it was rooted.
right now, I'm copying the entire system to the sdcard so I Can browse though it on the pc.
did a dump of the whole system to sdcard and then used agent ransack on a windows box to look inside all files including binaries to see if I can find where the ar6000 module is loaded, but can't find it anywhere.... lots of mentions, but nothing I can see as loading the module.
I may actually have to re-compile the ar6000 module and hard code it to all 14 channels.
I've downloaded the source from SE and I'm looking though the driver and related code trying to find a way to hard code 14 channels or some method of making it settable that doesn't involve locale
Hope you succeed. That's just ridiculous that SE sells X10 with the wrong domain in the first place so that users in Europe and Australia can't use channels 12 and 13. Even more ridiculous is that you cannot connect to ad-hoc network because that is disabled,only infrastructure mode is allowed. Maybe that could be patched too somehow...?
Im gonna set up a build enviroment and compile default ar6000.ko wifi_tools wpa_supplicant etc etc. My biggest concern is that just when i get it sorted...... someone will hack the bootloader and it won't be necessary anymore.
Don't know why they have done this.... i suspect to get the international approvals quickly without having to hack on the code.
Sent from my X10i using XDA App
MeZmeriZe_ said:
Im gonna set up a build enviroment and compile default ar6000.ko wifi_tools wpa_supplicant etc etc. My biggest concern is that just when i get it sorted...... someone will hack the bootloader and it won't be necessary anymore.
Don't know why they have done this.... i suspect to get the international approvals quickly without having to hack on the code.
Sent from my X10i using XDA App
Click to expand...
Click to collapse
I think the answer is the least common denominator. Why maintain two kernels, one with full number of channels available and one with a restricted set when the vast majority won't care and in most cases even won't know it's missing? It's easier to maintain one kernel with the lower number of channels since it'll work just fine on both markets.
Edit: Channel 14 is a japanese "bonus", so I'm disregarding this as it's only one country.
True, but the ar6000 is supposed to look at the locale set, and set the available channels from that. Unfortunately it seema SE broke it and locked it to 11 only. Needing 12 and 13 is more comman than you think
Sent from my X10i using XDA App
MeZmeriZe_ said:
True, but the ar6000 is supposed to look at the locale set, and set the available channels from that. Unfortunately it seema SE broke it and locked it to 11 only. Needing 12 and 13 is more comman than you think
Sent from my X10i using XDA App
Click to expand...
Click to collapse
Don't make assumptions about what I think, you'll look foolish. I know full well that those are useful channels, but I also know that it's illegal to use them in parts of the world. And when you're releasing a wireless device all over the world it sometimes makes more sense to limit the number of channels to the lowest common denominator.
Maybe i can look into japan rom and issue an patch in root thread
Sent from my X10i using XDA App
as i promised
http://hotfile.com/dl/52283415/58f59ba/wifi.rar.html
from docomo japan
this folder stays in /
jerpelea said:
as i promised
from docomo japan
this folder stays in /
Click to expand...
Click to collapse
So what do you suppose to do with those 3 files?
Simply copy them all in \ of the phone and reboot it?
Interesting, The module ar6000.ko IS actually different... for one thing it is 284 bytes smaller and a binary diff shows there is a small change early on in the file and a bit lopped off the end.
I put them in place in the root dir of the phone.... set the ownership:
chown -R root.root wifi
Turned off wifi so it unloaded the default module.
loaded it manually with insmod:
insmod /wifi/ar6000.ko
And off it went after turning the wifi back on.
Then renamed the old /system/wifi directory:
mv /system/wifi /system/old_wifi
and put the new one in it's place.
cp /wifi /system/wifi
works perfectly for normal wifi...
Just have to wait till I'm at work on Monday to find out if it gives me ch13. My big router has clagged wifi at present and a new card is on it's way from the US for it.. in the meantime I'm using a Siemens piece of junk that is also locked to 11 channels.
It is work I need ch13 for anyway.. will know on Monday.
Mr jerpelea, you are already a legend for your efforts rooting the phone, but you may have just put another feather in your cap.
MeZmeriZe_ said:
Interesting, The module ar6000.ko IS actually different... for one thing it is 284 bytes smaller and a binary diff shows there is a small change early on in the file and a bit lopped off the end.
I put them in place in the root dir of the phone.... set the ownership:
chown -R root.root wifi
Turned off wifi so it unloaded the default module.
loaded it manually with insmod:
insmod /wifi/ar6000.ko
And off it went after turning the wifi back on.
Then renamed the old /system/wifi directory:
mv /system/wifi /system/old_wifi
and put the new one in it's place.
cp /wifi /system/wifi
works perfectly for normal wifi...
Just have to wait till I'm at work on Monday to find out if it gives me ch13. My big router has clagged wifi at present and a new card is on it's way from the US for it.. in the meantime I'm using a Siemens piece of junk that is also locked to 11 channels.
It is work I need ch13 for anyway.. will know on Monday.
Mr jerpelea, you are already a legend for your efforts rooting the phone, but you may have just put another feather in your cap.
Click to expand...
Click to collapse
Unfortunately it still doesn't work, because they have disabled channels above 11 even in japanese firmware. :/
How do you know they disabled the japanese version? It is possible that we need to get japanese wlan_tools, wpa_supplicant and wmiconfig to get it working, not just the driver..... i cant think of any other reason they would change the driver like they have. I will be reflashing soon... i might put dotmoco japanese rom on first and test it properly
Sent from my X10i using XDA App
These files from japanese version are different simply because they are older versions. You won't get channels 12 and 13 if you substitute your files with those.
BUT I'VE FOUND A SOLUTION THAT REALLY WORKS!
You have to turn wifi off and hexedit file /data/misc/wifi/reg_code
Change its contents from 10 00 to 37 00 and you will now get full 13 channels!
Don't try to change to 40 00 (which would be for Japan), you won't get 14 channels because hardware supports just 13 and the driver would simply fail to load.
Wish there would be as simple solution as that also for the ad-hoc issue.
that is friggin awesome.... should tell jerpela so he can add it to root. funny, id looked at that file lots of times ant it never clicked that reg = region..... doh!
What is the ad-hoc issue? i wasnt aware there was one... have not tried it yet.
will look for the thread... lost in newbie "cant root" threads......
Sent from my X10i using XDA App
Hi Chilly,
Have you tested this?
I ask because it isn't working for me..
I made sure the permissions and ownership was the same as before, (system system for the one in data/misc) and also did the same for the one in /system/wifi and that one is owned root.root.
still not detecting 12 or 13... tis very odd... I am running the latest 23 rooted firmware... are you? Normal channels are working fine still.
Related
I know there have been some general questions about this, but I wanted to share what I've done and see if anyone can help get over the last hump. I have a USB GPS (GR-110 I got for next to nothing from Geeks awhile back). Running VEGAn 5.11 + supplements + Pershoot kernel.
So here's what I have working:
1) Plug in USB, get /dev/ttyUSB0. Woot! Thanks Pershoot!
2) Use stty to set the baudrate to 4800 (stty -F /dev/ttyUSB0 4800)
3) cat /dev/ttyUSB0 dumps out NEMA strings. Woo hoo! $SPGSV tells me I have 12 birds in view.
4) Now at this point, if you HAD to you could write a GPS faker like many of the bluetooth ones do. I don't know why none of them don't already have options for an arbitrary character device but if they did we'd be done here.
5) On the other hand, you know a built in GPS card would still be NEMA and still look like an RS232 port so.... turns out that's a property ro.kernel.android.gps. You can set this at the command line, but I suspect that the Android stack looks for GPS on start up and if it doesn't find it, that's that. So you edit build.prop to put in: ro.kernel.android.gps=ttyUSB0 [from what I can read it doesn't want /dev/ in front of it]
6) I do not know if the Android code sets the port to 4800 baud or not. In fact, it could be that it wants it at a different baud rate but I have no idea what that baud rate would be. So I decided to get in early on the boot process and make a few changes. If you look at my other posts, I have added an rc.local that runs right at the end of init.rc but is in "user space" (not overwritten on each boot). So I added this to the start of rc.local (important because my rc.local blocks later to wait for the sdcard mounts):
#gps
if [ -c /dev/ttyUSB0 ]
then
chmod 666 /dev/ttyUSB0
stty -F /dev/ttyUSB0 4800
fi
7) No joy. The buad rate and permissions are set, so I know the rc.local is running. I can stream data out of the GPS raw but Android just isn't seeing it.
8) I theorized that maybe Android is checking for GPS before I am running my script. To test that I used LCD Density changer to restart the Android stack. This is like a boot, but the Linux isn't rebooted. No difference.
9) Another theory would be Android expects its GPS at a different baud rate and is setting it.
10) Is there some Android service required that is disabled or just not started maybe?
I feel like I am soooooo close..... Any ideas?
Hi wd5gnr,
I've been working on something very similar on the android powered scroll tablet but instead using an internal serial port we've identified.
Made no progress is making android accept the nmea stream as its own internal gps (using ro.kernel.android.gps) so have started to write an android program similar to the BT GPS apps where it reads the serial port, parses out $GPGGA and then uses mock locations to update the location system. I'm at the point of splitting the identified string into its components.
While I know this isn't the cleanest of hacks but it 'should' work, i've built it from the SerialPort.sample code so you can change the serial port and baud rate in the options - it hopefully will work on any android system.
Will keep you updated on my progress
James
Oh, at least i find a post with people working on it...
First, i have an Advent Vega, that is similar to Gtab.
I make it work, but with time it crash.
My steps:
1) Do the same that the first post, get ttyUSB0, change baudrate, modify ro.kernel.android.gps...
2) In vega we have 3 libgps... the default, one for integrated ericsson 3g/gps and one for huawei ones. This integrated are optional and my tablet doesnt have, but i can remane any of the to libgps.so and use them. Anyway, with default may work, but i get it working with huawei one.
3) You need to activate gps in settings (if you have gps greyed in location settings, can use a widget, like power widget).
4) To test i used gpstest app, so once you get nmea data in ttyUSB0, activate gps with widget and start gpstest. Maybe you dont get data (i dont), so come back to terminal and with stty ask the port for the baudrate (dont remember the command). In my case it has 9600 baudrate, so need a aplication in windows to change gps usb baudrate to 9600 (search in the windows drivers of your usb gps)
5) Once changed in windows, i come back to android and change stty command to the correct baudrate (like i said 9600), and redo the steps (cat ttyUSB0, activate gps and launch gpstest)
AND GET DATA... but some time after it crash the full tablet...
No more time to test it, but it's in my to-do list.
I dont know if i explain it good, but you can ask anything.
Anyway an app that can choose which port to listen to will be much better.
Corvus.
jamescoxon said:
Hi wd5gnr,
I've been working on something very similar on the android powered scroll tablet but instead using an internal serial port we've identified.
Made no progress is making android accept the nmea stream as its own internal gps (using ro.kernel.android.gps) so have started to write an android program similar to the BT GPS apps where it reads the serial port, parses out $GPGGA and then uses mock locations to update the location system. I'm at the point of splitting the identified string into its components.
While I know this isn't the cleanest of hacks but it 'should' work, i've built it from the SerialPort.sample code so you can change the serial port and baud rate in the options - it hopefully will work on any android system.
Will keep you updated on my progress
James
Click to expand...
Click to collapse
I've thought about this too. Should be easy. Would be even easier if we had RxTx ported to this tablet. I saw someone has done this, but it is very specific to hardware and I haven't looked at what that would take. But I imagine just opening /dev/ttyUSB0 ought to work. I've been known to write a little code myself (http://www.ddj.com/embedded) and if I ever find time to get started on this I'll start it as a google code project and invite you ;-)
corvus said:
Oh, at least i find a post with people working on it...
2) In vega we have 3 libgps... the default, one for integrated ericsson 3g/gps and one for huawei ones. This integrated are optional and my tablet doesnt have, but i can remane any of the to libgps.so and use them. Anyway, with default may work, but i get it working with huawei one.
.
Click to expand...
Click to collapse
The only GPS lib I see in VEGAn 7 is /lib/hw/gps.goldfish.so
Goldfish is an emulator I think, so that is not promising.
You mention 9600 baud -- are you saying that the system sets the port to 9600 so you have to set the GPS to 9600 to match?
wd5gnr said:
I've thought about this too. Should be easy. Would be even easier if we had RxTx ported to this tablet. I saw someone has done this, but it is very specific to hardware and I haven't looked at what that would take. But I imagine just opening /dev/ttyUSB0 ought to work. I've been known to write a little code myself and if I ever find time to get started on this I'll start it as a google code project and invite you ;-)
Click to expand...
Click to collapse
Hey,
I've been using android-serialport-api (google it, i can't post links yet) as my access to the port. My current code (its very basic) is built off the serial console sample. In its current state it access the chosen serial port, extracts the $GPGGA string, parses it and then converts it from DDmm.mmm to DD.ddd. I'm now at the stage of posting it to mock locations - just need to do some extra reading on the subject. This really is just a proof fo concept app as for example it doesn't run in the background but i felt that all that can come in the future.
James
wd5gnr said:
The only GPS lib I see in VEGAn 7 is /lib/hw/gps.goldfish.so
Goldfish is an emulator I think, so that is not promising.
You mention 9600 baud -- are you saying that the system sets the port to 9600 so you have to set the GPS to 9600 to match?
Click to expand...
Click to collapse
Yes, you must have a libgsp.so for android to detect the gps.
And yes, depending the library used, the baudrate must set to 9600 or other.
Corvus.
jamescoxon said:
Hey,
I've been using android-serialport-api (google it, i can't post links yet) as my access to the port. My current code (its very basic) is built off the serial console sample. In its current state it access the chosen serial port, extracts the $GPGGA string, parses it and then converts it from DDmm.mmm to DD.ddd. I'm now at the stage of posting it to mock locations - just need to do some extra reading on the subject. This really is just a proof fo concept app as for example it doesn't run in the background but i felt that all that can come in the future.
James
Click to expand...
Click to collapse
Once you get a working app, please send me a priv so i can help you testing it...
Thanks.
Corvus.
so has anyone got usb gps to work yet?
On the malata site. there is a t11 rom for Android 2,2 which calls the Huawei GPS
http://www.malata.com/cn/downloadlist.aspx
T11 Tablet PC May 18, 2011 firmware (support plug-in 3G modem Huawei E261 Unicom)
Take a look at this:
http://forum.xda-developers.com/showpost.php?p=17385039&postcount=15
but before you use this appliction, you must run stty -F /dev/ttyUSB0 -ispeed 4800 (baudrate and port base on your device). Everything fine and fix without 1 second!
Hello,
I am curious how easy it is to compile a linux based app for various versions of android.
Is this possible?
I am interested in compiling the reaver tool.
Thanks,
Matt
Questions or Problems Should Not Be Posted in the Development Forum
Please Post in the Correct Forums
Moving to Q&A
As noone is answering you, i'll give it a try
I am not very familiar in this topic and only able to do get very simple apps compiled and running... so after having a quick glimpse on this one ( http://talk.maemo.org/showthread.php?t=81219 ) i think that the problem is not the reaver code but a) the promiscuous mode wireless driver (device depending) and b) the other dependencies like aircrack.
I would say as long as you dont find an aircrack port its senseless to ask for a reaver-droid
(Devs please correct me)
looks like you will just have to port aircrack too.. however, I do feel as if this would be a wonderfully malicous tool... I also think that it would also be best used on a computer as I would assume this software would eat your battery alive..
So.. 2 things to consider.. First, reaver on a cellphone is like giving rufees to satan for distribution and trusting him not to rape anyone.. second... how well would your hardware hold up to the several hour attack, and how much longer would it take on a cellphone compared to an actual computer?
any news on this?
i'm also interested
+1
I want this
I need this so bad. anybody know if there is a app like this available?
hammerlock13 said:
looks like you will just have to port aircrack too.. however, I do feel as if this would be a wonderfully malicous tool... I also think that it would also be best used on a computer as I would assume this software would eat your battery alive..
So.. 2 things to consider.. First, reaver on a cellphone is like giving rufees to satan for distribution and trusting him not to rape anyone.. second... how well would your hardware hold up to the several hour attack, and how much longer would it take on a cellphone compared to an actual computer?
Click to expand...
Click to collapse
The WPS vulnerability the reaver exploits requires little calculations. It just keeps brute forcing the WPS access point(if enabled), until the AP responds "hey you got it right, you are now my WPS registrar. You now have access to retrieve/set my wireless settings including pre-shared key."
It would still take lots of time in most cases and therefore battery. But it's not like you are actually cracking the encryption key.
I have taken the key off the bottom of an access point I had laying around and used my phone's built-in wpa_cli to plug that pin in and retrieve the pre shared key. That much is already possible with wpa_supplicant found on Linux OSes including android.
Air crack or similar would need to be ported to put the wifi device in promiscuous mode and I would assume that the device drivers would have to support that. This is, I believe, the biggest hurdle.
Sent from my Galaxy Nexus using Tapatalk 2
Hi all.
I've been interested in Reaver for mobile for a long time now, as it works perfectly on a pc. I managed to hack several routers with it (all of them are mine...), and it does give you the wifi password (pass key) in the end. So having this kind of tool on your mobile would be outstanding.
As for the time it takes - Reaver allows pausing attacks, and it stores the data collected so far locally, so it's possible to restart the attack later.
Don't know if you guys looked into this:
http://forum.xda-developers.com/showthread.php?t=1255203
I tried a different build of Backtrack a while ago, but I haven't got into the above one so far, but will try soon. Wonder if aircrack will work. It didn't before, since there was a problem with the drivers (HTC Sensation). If aircrack works, then reaver should also...
How about the micro android PC ?? and ras pi??
Hi guys,
Was just searching for reaver tool for mobiles, then I came across a micro android pc and that made me think of my ras pi....
has anyone tried running reaver on a ras pi ??
also, has anyone thought about reaver tool for a micro android PC ??
that sure wud be interesting.... and... for power, we can use OTG cable to power up micro PC and ras pi....
any thoughts??
tomer1981 said:
Hi all.
I've been interested in Reaver for mobile for a long time now, as it works perfectly on a pc. I managed to hack several routers with it (all of them are mine...), and it does give you the wifi password (pass key) in the end. So having this kind of tool on your mobile would be outstanding.
As for the time it takes - Reaver allows pausing attacks, and it stores the data collected so far locally, so it's possible to restart the attack later.
Don't know if you guys looked into this:
http://forum.xda-developers.com/showthread.php?t=1255203
I tried a different build of Backtrack a while ago, but I haven't got into the above one so far, but will try soon. Wonder if aircrack will work. It didn't before, since there was a problem with the drivers (HTC Sensation). If aircrack works, then reaver should also...
Click to expand...
Click to collapse
If you goto the link below in my signature.
It has black Ubuntu 12.04 with reaver and aircrack-ng for android.
You just need to know your screen size for your device and get drivers for your wifi or a external wireless card.
For some reason I stopped receiving updates on this thread, and thought it was dead.
I just wantd to mention that beyond the backtrack ports, there is also WPSPin.
I've been on the iphone for several months now (after the EVO) and am surprisingly disappointed with the lack of control (even when jailbroken). I just bought a Galaxy Tab 2 7", and will be getting back into Android shortly and look forward to messing around with backtrack.
reaver for Android
No problem do for android, but you must enabled wifi monitor mode
I tested it on my LG OPTIMUS 3D P920. Wash works well,reaver runs but does not work on my device(very slowly capturing packets and difficult to capture a beacons frame).
Install:
reaver.db --> in /sdcard/reaver/reaver.db
binaries reaver and wash from bin/ to somewhere where you can execute(you_path).
you must have enabled monitor mode!!!
example execution:
#/you_path/wash -i mon0 -C
or
#/you_path/reaver -i mon0 -b 00:00:00:0F:0F:0F -vv --dh-small
how one puts wlan0 in monitoring mode?
UPDATE have you compiled .ko? What ROM you are on? I'm on V30A (original 4.04)
lg optimus 3d
solnyshok said:
how one puts wlan0 in monitoring mode?
UPDATE have you compiled .ko? What ROM you are on? I'm on V30A (original 4.04)
Click to expand...
Click to collapse
I have V30A original too.
1) #sh airmon-ng start wlan0
OR
2)#iw dev wlan0 interface add mon0 type monitor
#ifconfig mon0 up
Both methods work on lg optimus 3d (V30a original driver),but you must have root.
unzip tools.zip,droped into /data and in terminal
$cd /data/tools
$export PATH=/data/tools:$PATH
$su
fann95 said:
I have V30A original too.
1) #sh airmon-ng start wlan0
OR
2)#iw dev wlan0 interface add mon0 type monitor
#ifconfig mon0 up
Both methods work on lg optimus 3d (V30a original driver),but you must have root.
tools.zip also includes new versions reaver and wash (compeled with new lib supplicant and last pcap lib +libnl-2)
very well captures the packets, but I did not fully test had, little WiFi points around with enabled wps
Click to expand...
Click to collapse
Thank you for quick reply @fann95. Do you mean that there is no need to compile kernel module for Optimus 3d, because original wifi driver is enough?
monitor mode
solnyshok said:
Thank you for quick reply @fann95. Do you mean that there is no need to compile kernel module for Optimus 3d, because original wifi driver is enough?
Click to expand...
Click to collapse
Yes. SE Xperia Mini,LG P920,Sony Xperia GO and other devices with wl12xx drivers no need to compile kernel module or instal addtional software
you can check $ iw list
and see what modes are supported by your driver
my port reaver for wl1271 chip (tested on lg optimus 3d with original ICS 4.0.4 (30a-EUR-XX) )
View attachment reaver_for_LGP920.zip
do not forget to disconnect all active WiFi connection (delete saved point) before using.
start without "-i mon0" option, to automatically activate the monitor mode (need root)
example:
$su
#reaver -b 00:11:22:33:44:55 -vv
can someone post a guide how to use reaver in android icecream sandwich smartphone?
all we need is the tools.zip file and the reaver.zip file and a terminal emulator??
eDIT: i did it but my card is not compatible and unable to work in monitor mode :/
I looking for someone with a guide to test reaver on my android.
thanks in advance!:good:
Hi *,
I'm very new to forum and hardware hacking. I'm also new to android dev (I have done some WP7 development).
I want to write application about radio conditions (RSCP, EcNo) and also wanna to decode ASN.1 messages to get some 3GPP layer 3 messages (RRC). To do that, I suppose that low level access is required.
So, is there any tutorials, guides etc. on how to do that for android devices (I know about android telephony class) or WP7/WP8 devices.
I also know that that is not possible on every device due manufacture restrictions.
I'm interested in Galaxy S(2/3), Nokia Lumia, Nexus, etc (device doesn't need to have qualcom chipset, all i wanna to do that).
I also know that some of companies like ASCOM are working together with chip suppliers for that kind of applications.
So, is it possible to do on market smartphones...
Thanks in advance for answers
Cheers!
TK
It's troublesome thing.
Every modern mobile solution does split into AP (Application Processor) and BP/CP/Modem (Baseband/Call Processor), sometimes these are integrated into one SoC (QC chips) or are splitted into 2 SoCs (like Exynos AP+QC/Infineon CP), on AP there's working ARMLinux with Android platform.
Platform does communicate with RIL HAL (proprietary lib), RIL does communicate with modem through some dedicated HW interface using kernel driver, nowaday its common shared-memory topology with abit of control through UART/GPIOs before RAM-share is set up (modem bootup, assuming AP does startup first, which is case in 2xSoC topology, on QC SoCs modem does startup first and does perform bootup of AP submodules).
The problem is - BP OS is closed source. In best case (rather unlikely) low-level transmission params might being received by RIL from AP but not being passed to platform, then you probably would need to patch RIL binary to expose these values to platform. If these transmission params aren't being transmitted from CP to AP, the easiest (and the ugliest) way to do is trying to find network structures inside of modem OS and pooling them from AP (assuming you've got direct access to all of CP memory). More advanced way would be integrating additional data into BP-RIL interface (modifying both RIL and modem binaries), what then narrows down to "best case".
If you aren't familiar with ARM assembly - analysing modem binary is pretty big task, prepare for at least few weeks of intense reversing.
This is a very interesting question!
So far, AFAIK, no one here at XDA (or elsewhere) have been able to successfully extract L1 radio parameters from the modem, using any form of API or other. So anyone who would successfully be able to do this, would be an instant XDA hero! (As for L3, I don't know.)
But then again, I don't think anyone have tried hard enough either. I have tried to a limited extent in my research of the Intel XMM6260 and trying to use some of the Android internal telephony API. Others have managed by hacking the AT command line interpreter, directly in the modem image of some limited versions of the 2xSoC's (like those of Intel/Infineon) used for jailbreaking <4S iPhones. These modem images are "only" 10 MB, whereas the Qualcomm modems "images" consists of 50-60 files and have a size up to 60 MB!! Although we should be able to find the AT command Processor (ATcP) in those...
As I see it today, we only have these options how to get these parameters in the Android eco-system.
1) We believe that the modem AT command interpreter/processor have the capability to provide radio parameters to the outside world. But this direct access often seem to be crippled:
a) by denying local or external terminal (UART) serial-access.
b) by being filtered by the RIL daemons and accompanying RIL libraries
c) by being complicated due to using modified IPC (shared memory) communication, rather than regular serial devices. However, by putting the device into "download/debug" mode, sometimes these devices re-appear!
(This is what ODIN, QPST and other programs does, see (4).)
2) We know that the Android internal phone API can use the following calls to get particular modem "stuff" (including sending AT commands): RIL_OEM_HOOK_RAW and RIL_OEM_HOOK_STR
The problem is that no one seem to know how to use it, nor how it depends on the hardware...
3) We know that the Service Mode's (settings/menu) are displaying many of these parameters, so that the phone OS certainly can get have access to these. So another option is to hack and understand how this is done by the service mode menu and the underlying modem software. This is where reverse engineering would come to its right!
4) We also know that many of the OEM phone debug/repair software, like QPST and QDART (Qualcomm) and "CDMA work-shop" etc. have full access to these variables as well...
Actually, if you're on a Qualcomm based device and can put it into QXDM mode, you can have all radio data to be output to the QXDM (3.12.754) software and possibly interface API. Thus... if we can understand the handshake and protocol they use we should eventually be able to make an app that can fetch this data as well...
Thx for your answers!
It looks like I need many hours to investigate and learn! Sound like fun, hope it will be...
I hope that soon I'll post something new on this thread about question.
Thx and hear ya!
Little update: Regarding radio conditions, here is telephony API http://developer.android.com/reference/android/telephony/package-summary.html and here is Signal strength class http://developer.android.com/reference/android/telephony/SignalStrength.html!
So I have these information (at least I hope so, because I don't have device for testing and I don't have dev environment set yet).
Also, regarding WP7 Samsung devices: there is samsung app called Diagnosis, where you can access root/debug screen in Test Mode... I was looking little into that app (I have unlocked Samsung Omnia W device), and there are very interesting informations, like list of neighbour cells with CellID and signal strength and many others (Handover test, antenna/ADC, RRC state, Tx Channel, Tx Power, EcIo, RSCP, L1 (looking now it's PCH_Sleep value ??), etc)
I need that kind of information + need to find way for decode L3 messages like RRC and RLC. From L3 you can find many other information (RAB establishment, IRAT handover, all 3GPP information element for GSM/WCDMA/LTE and so on!)...
hi *,
What about Gobi platform and GOBI dev?
BR
TheKrigla said:
hi *,
What about Gobi platform and GOBI dev?
BR
Click to expand...
Click to collapse
Hi, i was just looking for GOBI, too.
But they only show 4 Devices, with the Gobi-Modem inside:
qualcomm.com/gobi/products/finder?type=Smartphones
But there are buid in a few UMTS/USB-Sticks, Mobile Hotspots, a Router and some Notebooks (SubNotebooks),
Not bad, if you can use it as an external device, like the mobile router.
So it looks like a very special solution.
Did somebody check the HTC, Motorola or Samsung SDK ?
I am also trying to get low network info, and it looks like AT commands that exist (at least on my Samsung S3) do not provide this information. So I think emulating what QXDM does is the secret sauce... but that's hard
You can probably find what you need in the "QMI" related documents from THIS post... Let us know how it goes!
E:V:A said:
You can probably find what you need in the "QMI" related documents from THIS post... Let us know how it goes!
Click to expand...
Click to collapse
I quite don't fully understand how QMI works. The SDK appears (C++) to run on Windows. Is it possible run QMI directly on android? Also one post said that really low level information like Signaling can only be through the diag port. Perhaps there is a way to emulate QXDM on the android and connect to it to grab this info
Chipset access
I am wondering how tools like qualpoc from SwissQual work. They seem to have access to every damn thing happening in the android phone. Do they have any special API access from Qualcomm ?
enigma99a said:
I quite don't fully understand how QMI works. The SDK appears (C++) to run on Windows. Is it possible run QMI directly on android? Also one post said that really low level information like Signaling can only be through the diag port. Perhaps there is a way to emulate QXDM on the android and connect to it to grab this info
Click to expand...
Click to collapse
mknair said:
I am wondering how tools like qualpoc from SwissQual work. They seem to have access to every damn thing happening in the android phone. Do they have any special API access from Qualcomm ?
Click to expand...
Click to collapse
Thanks.
http://www.swissqual.com/
Probably nothing special. What is special, is that they have full access to all their documentation. If you can download their white papers and the Android app, I'll tell you how they do it!
Is it possible to connect something like a 4G dongle to the usb port to create a roaming RF scanner and get the RSCP ECIO details from that? It's a bit mental but it doesn't look like we will be able to get this detail from the phone without paying the tens of thousands for the documentation anytime soon...
I tried to connect a Sierra Wireless device which can provide this info but I cannot seem to compile the module against the kernel.
I got QMI talking just fine on android 100%. But I need layer 1 info etc as well (DIAG)... Qualcomm docs look easy enough for the packet structure but now i just need access... And I'm totally stuck. USB is one way, but isn't there to get access locally? Like through UART or some other means? I believe all communication goes to the /dev/diag device but so far I have not been able to get access
E:V:A said:
So far, AFAIK, no one here at XDA (or elsewhere) have been able to successfully extract L1 radio parameters from the modem, using any form of API or other. So anyone who would successfully be able to do this, would be an instant XDA hero! (As for L3, I don't know.)
Click to expand...
Click to collapse
Well, I guess I am a XDA hero then I have successfully extracted L1 radio info, etc on Android itself. DIAG is pretty powerful and not very well documented so I had to figure everything out myself, but when it works you can get just about anything possible.
enigma99a said:
Well, I guess I am a XDA hero then I have successfully extracted L1 radio info, etc on Android itself. DIAG is pretty powerful and not very well documented so I had to figure everything out myself, but when it works you can get just about anything possible.
Click to expand...
Click to collapse
Any thought about sharing solution?? Not cool man...
enigma99a said:
Well, I guess I am a XDA hero then I have successfully extracted L1 radio info, etc on Android itself. DIAG is pretty powerful and not very well documented so I had to figure everything out myself, but when it works you can get just about anything possible.
Click to expand...
Click to collapse
Is that right? There were never any heroes who didn't prove their worth. So why don't you share it with us? (Or if you don't want to share, at least tell us why not?)
E:V:A said:
Is that right? There were never any heroes who didn't prove their worth. So why don't you share it with us? (Or if you don't want to share, at least tell us why not?)
Click to expand...
Click to collapse
Yeah, sorry guys for the late reply. Basically I had to rewrite the diag driver to get diag info. And this project is for profit, so I can't put myself at a competitive disadvantage after spending many weeks on it But if anyone has questions, I would be happy to answer
Hi at all!! My hero, enigma99 please tell me (or who knows)!!
I'm developing a app with SDK that use the java methods of classes like SignalStrenght and Telephony. But those methods dont work very well. (they are slow, and in much smartphone dont return the Ec/Io)
Do you think if in 3g tecnhology (UMTS, HSPA) the modem part always returns all measure (RSCP and Ec/Io)??
What's the way to follow for return this values? recompiling kernel? programming with NDK?
enigma99a said:
Yeah, sorry guys for the late reply. Basically I had to rewrite the diag driver to get diag info. And this project is for profit, so I can't put myself at a competitive disadvantage after spending many weeks on it But if anyone has questions, I would be happy to answer
Click to expand...
Click to collapse
Is this for sale yet? Curious minds would like to know.
I live in europe, I have had several android devices (from most of the different Manufacturers).
On almost every phone I've had problems with slow/bad gps locks.. the fix, almost every time editing gps.conf to put in the
european ntp servers... this also meant rooting the phone...
Most of the time I actually don't care about rooting, I'm happy with the stock rom as is...
WHY do we have to root the devices to get them to work like they should?
I mean during first bootup of the phone when locales are chosen, why can't it set the correct ntp servers to where the device is going
to be used?
Am I totally stupid and missing something or are the manufacturers (or Android developers (Google)) stupid?
Anybody have any insight on this, or is it just going to be one of life's big mysteries?
//Christian
xt600crix said:
I live in europe, I have had several android devices (from most of the different Manufacturers).
On almost every phone I've had problems with slow/bad gps locks.. the fix, almost every time editing gps.conf to put in the
european ntp servers... this also meant rooting the phone...
Most of the time I actually don't care about rooting, I'm happy with the stock rom as is...
WHY do we have to root the devices to get them to work like they should?
I mean during first bootup of the phone when locales are chosen, why can't it set the correct ntp servers to where the device is going
to be used?
Am I totally stupid and missing something or are the manufacturers (or Android developers (Google)) stupid?
Anybody have any insight on this, or is it just going to be one of life's big mysteries?
//Christian
Click to expand...
Click to collapse
I used ES File Viewer. Go into the settings and choose Root Settings and check everything. I still wasn't able to save my changes so I copied gps.conf to another folder, made my changes and saved it. Then I copied my edited file back to the etc folder. It allowed me to replace the original file.
It hasn't fixed my GPS problem but at least I got that part done.
Good Luck!
Cynthia
Try the app FasterGPS
https://play.google.com/store/apps/details?id=org.fastergps&hl=en,
it does exactly what you are describing.
Hey guys when the latest RUU was released I pulled all the WiFi calling stuff out (well.. lots of bits and pieces) to update my fourth bar install... Figured I'd share it here. This will fix the increasing lag/delay with WiFi calling on all ICS sense based roms..
It shouldn't work on cm10 but i haven't tried it.I am pretty sure the movial implementation of WiFi calling requires many sense hooks though... But the interesting thing to me is that I have modified fourth bar quite a lot from the original to the point where there is practically no sensE stuff left whatsoever.. so it's either a modified telephony provider or it doesn't require sense at all... I haven't tested it much. Feel free to play around if you want.
Made this on the fly from my phone (and also is why I using DB) so let me know if it works if not I'll make one proper. Feel free to try on viper but if you do I'd suggest also.copying over htc frameworks.as well as telephony provider from a sense rom, just a suggestion!
You can tell.the update worked.because the WiFi calling active icon will be different. Oh and those using fourth.bar or speedrom..WiFi calling doesn't have to be permanent.. simply make a shortcut to the WiFi calling activity "wificall preferences" using apex or nova activity shortcuts.. you can also make shortcuts to the full IMS config including SIP reg server, auth info, protocol type, etc. I wouldn't mess with these.settings but could be useful to those porting. FLASH.THE ZIP.IN RECOVERY
LINK: http://db.tt/4B6tcCE1
(uHH... got a PM asking if it was odexed... these files are obviously deodexed..lol.. considering there's no .odex file... but yeah I mounted the system.img from the latest RUU, extracted it, deodexed the entire thing.. and pulled these out to make this zip. I've actually been combed through it with diff to the last RUU and there's really not a lot changed at all. Couple libs here and there, maybe a few other APKs... Not much at all!.. if you need it odexed, it's easy enough to reodex.. I actually prefer my phone to be odexed as well. Good tool to do this is called Dexo, The Universal Odexer.. you can find it on google. It's basically a couple of binaries and a script.. works like a DREAM and the basic script odexes your system apps as well as framework.. and it's easy enough to modify to odex data.. only thing with odexed data is you must delete the .odex file manually after you uninstall any apps because you'll get out of space etc errors if you do not... I find things are much MUCH faster on an odexed system, by far... matter of fact I'll go ahead and create another post with the Tool and a quick batch file I wrote for windows that makes the process very quick and easy.)
Good work :dance:
Just wondering, would there be anyway to get it to work with Miui
build.prop
might need to add this to the build prop if it isn't there
ro.ril.enable.ganlite=1
ro.ril.def.agps.feature=1
chevycowboyusa said:
might need to add this to the build prop if it isn't there
ro.ril.enable.ganlite=1
ro.ril.def.agps.feature=1
Click to expand...
Click to collapse
actually I think that's for the Kineto Gan implementation of Wifi calling, which uses a Userspace application (The one we tried to port over for Viper)
This is actually the Movial IMS implementation. Have you tried this implementation on viper perhaps? You would need some framework files, I think... but it's worth a shot honestly. I don't think it's as tightly hooked into Sense as a lot of us originally thought. I decompiled all of the APKs and I combed through it and I didn't really see any hooks into Sense.. I think that it more than likely depends on a modified telephony provider..
The Kineto Gan implementation used a bit of trickery with what's called a RIL switch, where it would (as the name implies) basically switch the RIL out on the fly between Kineto's RIL (for wifi calling) and the normal one. This implementation is a lot cleaner, and the configurations are included within the files themselves... It actually uses SIP. All the configuration info is actually easily found within the XMLs once the APKs are installed as system apps. The trickery is with the authentication. I've been running wireshark and capturing packets... between that and decompiling the APKs it appears that a basic SIP registration address is used for everyone, it's not unique. There's some kind of SIP address->mobile number translation that happens... the IMS project is open source, and the full source code is actually available on Google Code.. and it has even been updated for Jelly Bean. The interesting part is, I was able to compile the IMS Test App for ICS, take the configuration information I found.. entered it into the test App, and was able to establish half-way working service with the Test application. The thing is, even though it uses SIP, it's not your everyday run of the mill SIP. There's some wrapping and translation going on that uses info contained in the packets to determine where it's going (mobile number).. and don't even get me started on Text Messaging.... that looks like one giant hack-job...basically hijacking the SIP/RTP protocol for a proprietary implementation that just uses the base outline.
I tried to register with a regular SIP client using the configuration information I found (The password was TMO-VOIP-TRIAL) and i couldn't establish registration... and looking at the source I could definitely see why. There's a lot of stuff going on behind the scenes.
The good news is there's VERY LITTLE that appears to have been changed when it was updated for jellybean... what this means is... theoretically if someone was skilled enough they could take the DIFF's (which are freely available on google code) and update the IMS implementation for jellybean. It would take a good amount of time and effort, but I honestly think it's much more possible than a lot of people originally believed. It's the authentication part that's tricky..
But yeah, you might want to give it a shot on Viper! For a start I would probably move over ip-provider.apk, ims-service.apk, IPService.apk, WifiCall.apk (This is basically the on/off switch that Settings calls.. you can just use an activity shortcut to reach it though), and gba-service.apk
Push those all to /system/app
Then on the framework side I would move over javax.obex.jar, gba-service-lib.jar, and the other important one is going to be jsr-api.jar... I didn't know that it was related but it's clearly defined in the IMS source code (https://code.google.com/p/the-ims-open-source-project-for-android/source/browse/#git/jsr-api)
I would also copy over TelephonyProvider.apk and Phone.apk, for good measure. .. and see what happens.
You would need a way to trigger it ON, which can easily be done with Nova/Apex by making an activity shortcut to WIfiCall.apk, you can also make activity shortcuts to all the configuration options within the IMS-server itself but it comes preconfigured.
it's worth a shot... currently WiFi calling is working flawlessly for me on Fourth Bar and I have pretty much EVERYTHING htc related disabled. Including com.htc etc...
Could be in the HTC frameworks though.. or somewhere else... but it's def. worth a shot!
I think this is a awaresome job,although I don't know what's this...
Please do that!
Great work. I tried your file to no avail. Good catch on the other files. I read somewhere that phonesky is also required.
Biggest issue I had with the semi working one that I used is that it wouldn't read the SIM. I moved some files around and then it hung on connecting to the Wi-Fi due to a lack of server address
I'll follow your instructions tonight and see where I can get... I still am working on GPS and now vpn too. Last night I attempted a sense 3.6 venom build.
Wasn't pretty. Something kept failing in the updater script and I got too tired to pay with it..
**tried all the files and made the short cut..
No love.. It didn't work..
Still trying a few things
Any other ideas?
chevycowboyusa said:
Great work. I tried your file to no avail. Good catch on the other files. I read somewhere that phonesky is also required.
Biggest issue I had with the semi working one that I used is that it wouldn't read the SIM. I moved some files around and then it hung on connecting to the Wi-Fi due to a lack of server address
I'll follow your instructions tonight and see where I can get... I still am working on GPS and now vpn too. Last night I attempted a sense 3.6 venom build.
Wasn't pretty. Something kept failing in the updater script and I got too tired to pay with it..
**tried all the files and made the short cut..
No love.. It didn't work..
Still trying a few things
Any other ideas?
Click to expand...
Click to collapse
Hmm... there IS a build.prop entry that I actually just noticed
ro.ril.ims=1
I would try to add that.
Phonesky is just the updated google play market, I believe.
I would try that build.prop entry, then get a logcat if you can and post it. I'd try but currently can't really mess around with my phone as I need wifi calling for work stuff.
See what is going on in the logcat, or post it and I'll comb through it. See if there's API calls that are failing under something like Function does not exist or something or another.. that would seem to indicate some missing framework stuff that provides those functions. Then it might just be including said frameworks as well as altering the bootclasspath in the kernel (Pretty easy thing to do, just break the boot.img into parts with unpackbootimg, un-gzip the ramdisk with gzip and CPIO, edit the init.rc, recompress the ram disk with GZIP, then recompile the boot.img with mkbootimg) and I believe you'd also have to deodex the ROM itself, then if you wanted it odexed you'd have to odex it back with the correct BOOTCLASSPATH or else it will not boot. I'm not sure but I THINK deodexed APKs need to be built with the right bootclasspath.
There HAS to be a way to get it working on Viper. After all it's the same underlying android OS version.. The sensation guys got it worknig on CM9...
ok..
ericdjobs said:
Hmm... there IS a build.prop entry that I actually just noticed
ro.ril.ims=1
I would try to add that.
Phonesky is just the updated google play market, I believe.
I would try that build.prop entry, then get a logcat if you can and post it. I'd try but currently can't really mess around with my phone as I need wifi calling for work stuff.
See what is going on in the logcat, or post it and I'll comb through it. See if there's API calls that are failing under something like Function does not exist or something or another.. that would seem to indicate some missing framework stuff that provides those functions. Then it might just be including said frameworks as well as altering the bootclasspath in the kernel (Pretty easy thing to do, just break the boot.img into parts with unpackbootimg, un-gzip the ramdisk with gzip and CPIO, edit the init.rc, recompress the ram disk with GZIP, then recompile the boot.img with mkbootimg) and I believe you'd also have to deodex the ROM itself, then if you wanted it odexed you'd have to odex it back with the correct BOOTCLASSPATH or else it will not boot. I'm not sure but I THINK deodexed APKs need to be built with the right bootclasspath.
There HAS to be a way to get it working on Viper. After all it's the same underlying android OS version.. The sensation guys got it worknig on CM9...
Click to expand...
Click to collapse
I fixed VPN and I'm uploading it in a few. I think I noticed something as well. I went back to stock ota to see what was going on and noticed wifi calling isn't showing up in settings/more should be there with vpn/ wifi hotspot/ nfc etc....
ericdjobs said:
The trickery is with the authentication. I've been running wireshark and capturing packets... between that and decompiling the APKs it appears that a basic SIP registration address is used for everyone, it's not unique. There's some kind of SIP address->mobile number translation that happens... the IMS project is open source, and the full source code is actually available on Google Code.. and it has even been updated for Jelly Bean. The interesting part is, I was able to compile the IMS Test App for ICS, take the configuration information I found.. entered it into the test App, and was able to establish half-way working service with the Test application. The thing is, even though it uses SIP, it's not your everyday run of the mill SIP. There's some wrapping and translation going on that uses info contained in the packets to determine where it's going (mobile number).. and don't even get me started on Text Messaging.... that looks like one giant hack-job...basically hijacking the SIP/RTP protocol for a proprietary implementation that just uses the base outline.
I tried to register with a regular SIP client using the configuration information I found (The password was TMO-VOIP-TRIAL) and i couldn't establish registration... and looking at the source I could definitely see why. There's a lot of stuff going on behind the scenes.
Click to expand...
Click to collapse
How was the Test App half-way working for you? I didn't compile it, but I tried an apk I found a while back and it CLAIMED it was registered, but I couldn't make it call out. I tried random presence and subscribe options but I don't think they were taking and nothing happened when I called my mobile number from somewhere else. My guess is that I have to subscribe or set presence to something magic for my phone number. After not really finding what I should actually be doing from skimming the 4th or 5th spec, and noticing that the nexus 4 guys have a $1400 bounty and don't really have progress, I gave up.
Yeah there's a pile of authentication (on both sides) that IMS has over SIP. If I understand right, the first part of registration is similar, but then TMO's side says you're unauthorized along with a challenge that's supposed to be sent to the ISIM and part of a key for establishing an IPSec tunnel that everything else goes through. Can't tunnel, then use SIP because you need the key (and part of that probably comes from the ISIM too), and a regular SIP client will just think it failed.