[WIP] Band 4 (and maybe Band 17) on ChinaMobile OnePlus One – The plot thickens…

I have been making some progress on the OnePlus One. I am lucky enough have access to both versions – ChinaMobile and International – in the USA on T-Mobile Prepaid LTE.

Based on my research, the hardware appears to be identical between the variants, which would make the most sense from a manufacturing standpoint. However, the chip inside the OPO can have baseband filtering at a software level if I correctly interpret the available documentation. The differences between the two are noted here (and many other places) – ChinaMobile lacks Band 4 and Band 17 for WCDMA and LTE.

T-Mobile uses Band 4 / AWS / 1700 for LTE and WCDMA in my area. The international version supports Band 4 out of the box, pop in a SIM card and it hops on LTE no problem.

An interesting bit of note – *#*#4636#*#* > Phone information > three-dot upper right menu > Select radio band on BOTH phones has no mention of 1700, despite working on the International. Untouched stock NV values, they both show:

EURO Band (GSM-900 DCS-1800 WCDMA-IMT-2000)

USA Band (GSM-850 PCS-1900 WCDMA-850 WCDMA-PCS-1900)

On the ChinaMobile version, I made the edits suggested by the guides here and here – No luck getting anything beyond H/H+, so I started digging.

What I’ve learned so far:

DISCLAIMER: Anyone else attempting to try this, you should already be well versed in the guides linked in the previous paragraph. There has been a lot of trial and error here. Read as much as you possibly can before posting. If you don’t know what you are doing, DON’T TRY THIS. You can “brick” your phone, whatever that means these days. ALWAYS back up your EFS modemst1 and modemst2 BEFORE DOING ANYTHING.

ALSO BACKUP NV VALUES just for fun, at least to have the important lower range values like IMEI etc. This will SAVE YOU if anything goes wrong, which it probably will at some point. I’m not responsible for any of your actions.

There are a ton of NV values in the upper ranges (beyond FFFF, 65535) that ARE NOT readable by the older versions of QXDM or QPST or Qualcomm NV Tools, or CDMA Workshop for that matter. As far as I can tell, because they used a 16 bit unsigned integer they do not read high enough. The trick is to find a newer version of QXDM that can address these higher ranges.

Due to restrictions, I won’t post the link here, but do some googling for QPST-QCAT-QXDM 3.14.414.514.594 – Specifically I used QXDM Pro 3.14.594

Get that up and running in place of the older version (along with the proper HTC USB Modem drivers and setprop sys.usb.config diag,adb etc as already mentioned in the guides) and you will see what I’m talking about.

I spent many hours doing a comparison by hand. Qualcomm NV Tools (part of EFS Professional 2.1.80B) can only pull off the lower range values – furthermore – it cannot successfully restore any values to the OnePlus One based on my tests (verified by another post I cannot find at the moment). The output will read “success”, but the values don’t stick. These two factors rule out doing a merge and restore.

If you look at this list of Qualcomm NV Values (thanks @autoprime ) there are some important bits to note. Concentrate on the NV categories RF LTE Parts 1-4 and RF WCDMA Parts 1-2 that are well above the 65535 range of earlier versions.

I had both phones (China and Intl) hooked up to 2 different QXDM sessions side-by-side last night and found a few interesting pieces. The ChinaMobile version had RF LTE and RF WCDMA values in place for some Band 4 options that matched the Intl version exactly, but it was conspicuously lacking in others. I suspect while Factory flashing they only leave out the ones important for Band 4/17 functionality, but this is pure speculation. Again, I was concentrating on Band 4 due to my particular market, but I suspect that Band 17 is in a similar state.

65731 RF LTE B4 Rx CAL CHAN – Missing
65897 – OK
65900 – Missing
65906 – OK
65911 – OK
65912 – OK
65913 – OK
65914 – OK
65915 – OK
65916 – OK
65917 – OK
65918 – OK
65919 – OK
65920 – OK
65922 – Missing
65923 – Missing
65926 – Missing
65927 – Missing
65931 – Missing
65932 – Missing
65939 – OK
65943 – Missing
65946 – Missing

69833 – OK
69870 – Missing
69874 – Missing

69401 – Missing
69402 – Missing
69403 – Missing
69406 – Missing
69417 thru 69426 – OK

70712 – OK
70978 – OK
71300 – OK

Occasionally I notice a discrepancy between the two devices. For example, values 65944 and 65901… One phone will say “Parameter out of range” while the other reads “No such file or directory”.

I performed the edits on ChinaMobile to match International (in addition to matching the values originally mentioned in the other guides: 441, 946, 1877, 2954 and 6828) – rebooted… no luck. The values appear to stick, but it seems to be attempting to connect in a continuous cycle, beeping / vibrating. Goes from “No SIM Card Inserted”, to zero bars, “Emergency Calls Only”. Never hard reboots, and this behavior stops if I put on Airplane Mode..

All testing was done using Cyanogenmod 12.1 unofficial nightly userdebug compiled from source, no edits. To make this work, under Developer Options you need to enable the setting “Root access” for Apps and ADB – or setprop sys.usb.config diag,adb doesn’t seem to respond. Another reason why people may be experiencing difficulty is this “Root access” option is missing in the “official” (S) builds, and needs to be granted manually (via SuperSU or similar) – with varying degrees of success. I have flashed every version from CM11 22Q through the latest 12.1 S1N0 attempting to work this out.

It helps to enable the “Local terminal” option if you’ve got multiple phones trying to talk to QXDM and ADB doesn’t want to work.

It should be noted that flashing a ROM should not touch any of these values. I’m interested in static_nvbk (aka oppostanvbk) as it only started appearing in builds after 44S (when many people started noticing modem issues) – but that’s a whole other post entirely.

Furthermore, this should rule out any special “modem” needing to be flashed (NON-HLOS.bin et al) because I used the same zip file on both phones. The International picks up LTE fine, the ChinaMobile does not.

Back to the drawing board. Any insight would be greatly appreciated, I’ll post developments as they come. I feel like we’re on to something here.

 

UPDATE 09/10/2015
After some exploration, more information has surfaced. For anyone in need of an unofficial 12.1 nightly to do testing, here’s the one I’ve been using.

Enable Developer Options, then enable Advanced Reboot, Root Access for Apps and ADB, disable Update Cyanogen recovery (it sucks, use TWRP or Philz Touch), enable Android Debugging and Local terminal (it’s handy)

I flashed OxygenOS to both ChinaMobile and Intl – one thing that jumped out was a difference at the bottom of EngineerMode. Under RF_Version:

ChinaMobile: TDD_FDD_Ch_M
Intl: TDD_FDD_Am_M

By the looks of it, this is pulling a value from getprop ro.rf_version = “XXX” – a value unique to OxygenOS, does not appear in CM12.1

Where it’s pulling this value from is the important question, ie how it knows what type of phone it’s on (CM/Intl) despite using the same flashable zip (oxygenos_v1.0.0)

Nova Launcher’s Activities Widget lists over 180 “EngineerMode” options to choose from. If you long-press on each one, you can explore the menu without needing to create a shortcut icon. Not all of them appear to function properly, some functions require a “password”, and some parts are still in Chinese (more on that in a second).

Most notably:

LanguageSwitchToEnglishActivity – handy if you don’t speak Chinese, although it doesn’t seem to completely change some important parts, like certain Logging buttons (ahem)
network.BandMode and BandMode2
EngineeringMode – The primary Engineering Mode menu, though not all options from Activities appear to be immediately accessible
network.NetWorkSet
qualcomm.QualcommActivity
qualcomm.QualcommNV and NV2
qualcomm.DiagEnabled – Also available by dialing *#801#, can toggle Engineer Mode, Serial, Full port switch, and Rndis,diag switch. Apparently has similar effect to setprop sys.usb.config diag,adb – convenient.
qualcomm.LogSwitch
manualtest.ContactorTest
qualcomm.DeviceLog
manualtest.LTEDivAntTest
manualtest.ManualTest – Available from EngineerMode, contains all manual tests available *#808#
ADB Mode ? – *#8958378#

Regarding the updated version of QPST et al:

Under QPST Configuration, once the phone is in diagnostic mode (listed as MSM8974), the Start Clients menu has a few selections:

– EFS Explorer
– The ChinaMobile uniquely has a folder named “policyman”. This folder DOES NOT exist on the Intl model. I have confirmed that this is on the modemst partition. Flashing an EFS backup of the Intl to the ChinaMobile (modemst1 and 2) results in No SIM, Unknown IMEI – however, policyman is absent.
Inside policyman:
– carrier_policy.xml : VERY INTERESTING LINES re: disabling functionality in certain markets. Here’s a pastebin
– device_config
– rat_mast
– ue_mode
– The folder restores itself and the contents after reboot if either are deleted, despite having Attributes that would indicate otherwise (-AD)

– Service Programming
– Under the UMTS tab, the ChinaMobile version is missing the W-1700 checkbox compared to the Intl model.
– Attempting to check the box and write to phone results in error: NV_UE_IMEI_I – NV_READONLY_S

– Software Download
– Can apparently perform QCN backup and restore.

Separately available from the Start Menu folder QPST:

– eMMC Software Download : Very similar to the Chinese “unbrick” tools mentioned on other sites, notably MSM Downloader included with ColorOS and nubia ToolStudio 4.6.56 (the whole world hates you and your passworded files androidbrick.com guy… I fight for justice!)

– Memory Debug

– QCNView : If you perform QCN backups with the Software Download, this can be used to view them. No editing

– RF NV Manager : Mentioned before, only lists items relevant to RF_NV values, the first ~6000 or so, give or take.

Gonna keep chipping away at it. There’s bound to be a way to get Band 4 and 17 working! Good luck everyone!

  4 comments for “[WIP] Band 4 (and maybe Band 17) on ChinaMobile OnePlus One – The plot thickens…

  1. Eloston
    September 12, 2015 at 10:04 pm

    Wow, that’s quite a bit of hacking you’ve done already. Keep up the good work!

    While searching around on Baidu, I came across this post with some interesting information: http://www.oneplusbbs.com/thread-532151-1-1.html

    According to what I could make out of Google Translate (since I can’t read Chinese,) they say creating a blank policyman file (in place of the folder) will prevent the phone from creating carrier_policy.xml and the other files. Somehow this will result in “no carrier restrictions.” Maybe it’ll be worth trying just to see what will happen?

  2. Usama
    November 16, 2015 at 3:09 am

    Do you have the carrier_policy.xml for the US version?

    • November 18, 2015 at 11:02 am

      It’s been a little while since I’ve looked at this, but if I recall correctly that file doesn’t exist on the International version.

      I’m reasonably convinced there’s a fuse or something similar blown in the phones that differentiate Intl from Chinese versions. Engineering Mode from ColorOS is pulling a value from somewhere that I’m almost positive is not NV.

  3. Usama
    December 22, 2015 at 7:09 am

    Hi,
    Can you check what is the value of the SW_Version,device_mode and lte_bandperf in efs explorer of both devices?
    I think I got a way to get the changes stick, but I need to test it before.
    I got the US version, and in my case the device_mode is 1.
    I guess that in the chinese mode it will be 0, but I need to make sure.
    Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *