We must believe that Qualcomm's modern SoC surely support numerous LTE bands and modes, for it's hard to put different specs of SoC to a large production line.
It's a matter of software.
I've experienced diag mode hacks on LG, Samsung devices. With Qualcomm's QPST you can tune a lot of radio stuff.
Pixel have similar hack as: https://gist.github.com/coeusite/86f6318c13c5bc15aef13345f1bb3ed4
The main idea is:
- enable diag mode (setprop sys.usb.config diag,adb) with AOSP self-built firmware (actually you can just simply flash vendor.img fetched from here https://developers.google.com/android/drivers)
- patch carrier_policy.xml to support CSFB
However, there is a setback: this patch will be reverted by OTA or a SIM card reload.
Then you need to backup and restore the patched EFS (/dev/block/platform/soc/624000.ufshc/by-name/modemst(1or2)).
Another solution is to patch the modem.img, details introduced here:
The modem.img contains radio firmware and carrier configs etc.
Pixel's modem.img is a FAT system image.
After "mount -t vfat modem.img -o rw,umask=0000,shortname=lower modem", you can find all carrier configs at modem_pr/mcfg/configs/mcfg_sw.
The config mcfg_sw.mbn is an ELF compiled by ARM Compiler based on the vendor's config set. Likely it is running in the radio modem processor.
What if we copy configs from other devices that natively support more carriers?
OnePlus 3T is one choice, same Snapdragon 821 SoC. The modem firmware is located in NON-HLOS.img.
Much richer config set here:
├── apac
│ ├── airtel
│ ├── dcm
│ ├── kddi
│ ├── reliance
│ └── sbm
├── china
│ ├── cmcc
│ ├── ct
│ └── cu
├── common
│ ├── default
│ ├── row
│ └── w_one
├── eu
│ ├── dt
│ ├── ee
│ ├── h3g
│ ├── orange
│ ├── telefoni
│ └── vodafone
├── korea
│ ├── lgu
│ ├── skt
│ └── tta
├── na
│ ├── amx
│ ├── att
│ ├── sprint
│ ├── tmo
│ ├── uscc
│ └── verizon
├── oem
│ └── overseas
├── russia
│ ├── beeline
│ └── megafon
├── sa
│ └── brazil
└── sea
├── 3hk
├── ais
├── dtac
├── hkt
├── smartfre
├── smartone
├── trumove
└── ytl
Now the problem is that modem.img in Pixel is truncated to real data size, we don't have enough spaces to add more configs.
Two ways to go:
1, extend the original modem.img
Firstly file modem.img:
DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", Bytes/sector 4096, sectors/cluster 4, root entries 512, Media descriptor 0xf8, sectors/FAT 3, sectors/track 63, heads 255, sectors 16384 (volumes > 32 MB), reserved 0x1, serial number 0xbc614e, unlabeled, FAT (16 bit)
The real filesystem is 4096*16384=67108864, but the modem.img size is lower, which means some tool compact the image to the actually used size. We can append the "lost" bytes, and do fsck:
dd if=/dev/zero bs=1 count=8421376 >> modem.img
OnePlus 3T is one choice, same Snapdragon 821 SoC. The modem firmware is located in NON-HLOS.img.
Much richer config set here:
├── apac
│ ├── airtel
│ ├── dcm
│ ├── kddi
│ ├── reliance
│ └── sbm
├── china
│ ├── cmcc
│ ├── ct
│ └── cu
├── common
│ ├── default
│ ├── row
│ └── w_one
├── eu
│ ├── dt
│ ├── ee
│ ├── h3g
│ ├── orange
│ ├── telefoni
│ └── vodafone
├── korea
│ ├── lgu
│ ├── skt
│ └── tta
├── na
│ ├── amx
│ ├── att
│ ├── sprint
│ ├── tmo
│ ├── uscc
│ └── verizon
├── oem
│ └── overseas
├── russia
│ ├── beeline
│ └── megafon
├── sa
│ └── brazil
└── sea
├── 3hk
├── ais
├── dtac
├── hkt
├── smartfre
├── smartone
├── trumove
└── ytl
Now the problem is that modem.img in Pixel is truncated to real data size, we don't have enough spaces to add more configs.
Two ways to go:
1, extend the original modem.img
Firstly file modem.img:
DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", Bytes/sector 4096, sectors/cluster 4, root entries 512, Media descriptor 0xf8, sectors/FAT 3, sectors/track 63, heads 255, sectors 16384 (volumes > 32 MB), reserved 0x1, serial number 0xbc614e, unlabeled, FAT (16 bit)
The real filesystem is 4096*16384=67108864, but the modem.img size is lower, which means some tool compact the image to the actually used size. We can append the "lost" bytes, and do fsck:
dd if=/dev/zero bs=1 count=8421376 >> modem.img
fsck.vfat -v -y modem.img
2, mkfs a new image (I actually have not tested, you may try):
truncate -s 67108864 modem.img
mkfs.vfat -S 4096 -F 16 modem.img
After the config set replaced, we have a brand new modem.img, let's flash it:
fastboot flash modem modem.img (only flash the active slot)
Another problem came, by far modemst/EFS still was configured with old modem.img, how to manually trigger the modemst/EFS update?
I've tested OTA or a SIM card reload mentioned before, the chance is pretty low.
Finally I find a way: remove /data/misc/radio
Network connected.
You're welcomed to comment if you come to any question.
5 条评论:
The modem.img does not seem to mount properly in rw. Reading is fine but the files written to it get corrupted inside the img. Creating a new img as stated in the bottom of the post should be viable though.
Removing the /data/misc/radio does not have a 100% chance at getting the mbn loaded into nvram in my case.
I once managed to get a mbn (Telstra, AUS) with 256QAM working, can not seem to reproduce it.
My mission is to get euro LTE CA combinations & 256QAM working on a Verizon pixel XL, all the regular euro bands are supported luckily, I believe there is more to it than replacing the mbns in my case, most likely there being a filter for CA band combinations defined in the NVRAM.
> The modem.img does not seem to mount properly in rw. Reading is fine but the files written to it get corrupted inside the img. Creating a new img as stated in the bottom of the post should be viable though.
I've just tested on June modem of Pixel XL, dd and mount method should be working.
> Removing the /data/misc/radio does not have a 100% chance at getting the mbn loaded into nvram in my case.
Maybe try SIM card changing. In my test, I flashed a AOSP vendor.img and checked the modify time of carrier_policy in policyman folder with QPST. And then don't forget to flash factory vendor.img to restore the function of radio.
You can clear /data/ and frp partition, it's 100 percent case I know to trigger mbn reloading.
You can try June modem.img with OnePlus 3T mbn config https://pan.baidu.com/s/1I2e6CE75v38cfDPaMaRZFw password:1024
How would I do this on pixel to enable ca in France using bouygues? Can somebody upload modem config folder or mcfg_sw.mbn from orange?
发表评论