The aim is to find all "Secret Codes", special properties and other hidden
phone features and settings used in the GT-I9300. The secret codes are not so
secret, but are often used to activate and manipulate many settings, such as
debug modes, network connections, factory test modes, etc.
"Secret codes" is an unfortunate choice of words, but we will stick to this
definition nonetheless for simplicity, since it is also used in the source
code by Samsung and AOS. Do not confuse secret codes with VSC (Vertical
Service Codes), USSD (Unstructured Supplementary Service Data) or other MMI
(Man Machine Interface) codes.
Although there are many "standard" codes common to many Samsung phones, they
do vary to some extent. This is because their functionality often depends on
the particular hardware, in particular the baseband processor (aka radio, DSP,
BP or CP) and the multiplexer chips that switch the various internal USB
paths, for example between MHL, BP and AP.
This is an informative reference thread on these features. If you have
relevant additional information you'd like to share, please post it here.
Background
From the Samsung Galaxy S2 experience we have gained the following
understanding when it comes to the Factory/Service Mode menus and the
PhoneUtils applications. We have yet to work out whether this is still true
for the SGS3.
But first it is worth noting that, due to the more complicated but better
organized phone applications in ICS, the way to enter secret codes has
changed from GB versions. Now all secret codes have to be prefixed with
"*#*#", followed by <code> and suffixed with "#*#*". [Note-1] However,
according to the GT-I9300 Service Manual, there are two codes that should work
without prefix and suffix. They are *#1234# (version) and *2767*3855#
(Factory reset! It will wipe your phone instantly, NO warnings, no going back,
no way to cancel.) [Note-2]
==================================================
Newbie Practice Box
Go to your phone dialer and "dial" the following string:
*#*#197328640#*#*
This will trigger the Service Menu.
==================================================
This same effect can be accomplished directly on the command line, with a
direct URI broadcast call to the application receiver via:
Code:
am broadcast -a android.provider.Telephony.SECRET_CODE -d android_secret_code://1111
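For reviewing which applications in a firmware image answer that broadcast, the receivers can be listed straight from a manifest that has been decoded to text XML. This is an added example, not code from the original post; the sample manifest, its package and receiver names and the permission string are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
ACTION = "android.provider.Telephony.SECRET_CODE"
SCHEME = "android_secret_code"

def secret_code_receivers(manifest_xml):
    """Return sorted (code, receiver, exported, permission) for each SECRET_CODE filter."""
    rows = []
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            actions = {e.get(NS + "name") for e in flt.findall("action")}
            data = flt.findall("data")
            schemes = {d.get(NS + "scheme") for d in data}
            if ACTION not in actions or SCHEME not in schemes:
                continue
            # <data> elements of one filter are merged; no host means any code matches.
            hosts = [d.get(NS + "host") for d in data if d.get(NS + "host")] or ["*"]
            meta = (rcv.get(NS + "name"), rcv.get(NS + "exported", "default"),
                    rcv.get(NS + "permission", "none"))
            rows.extend((h,) + meta for h in hosts)
    return sorted(rows)

def dial_string(code):  # dialer form described above: *#*#<code>#*#*
    return "*#*#" + code + "#*#*"

# Constructed sample manifest; package, receiver and permission names are hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.servicemode">
  <application>
    <receiver android:name=".KeystringReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="1111"/>
        <data android:scheme="android_secret_code" android:host="197328640"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".DumpReceiver" android:exported="true"
              android:permission="com.example.permission.KEYSTRING">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver"><intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for code, name, exported, perm in secret_code_receivers(SAMPLE):
        print(f"{dial_string(code):18} {name:20} exported={exported} permission={perm}")
```

Codes that a receiver compares in its Java code, like the str.equals(...) statement quoted further down, do not show up in the manifest and still have to be found by decompiling.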
assembly/machine code) for the Engineering / Service Mode menu, is actually
located in the baseband processor firmware. What you actually see when you
enter this menu is just a Java-based wrapper application that makes direct
function calls, through various entry points, into the baseband kernel/firmware.
What does it mean? When you enter a specific "secret code", the wrapper
application (e.g. ServiceMenu.App) deciphers the code to a particular menu
entry in the baseband processor, where it is executed and whose result is
output to the wrapper application.
Third. Apart from hardware differences, because of the baseband firmware
dependence, the set of working secret codes will differ somewhat with your
location, depending on:
- Your Modem firmware
- Your AOS version (ICS 4.0.1, 4.0.4 etc.)
- Your CSC version (Regional codes)
Special Notes
[Note-1] This can be seen in the handleSecretCode() function in the SpecialCharSequenceMgr.java code.
[Note-2] These need testing and confirmation since they clearly contradict [Note-1].
[Note-3] Apparently the Samsung Galaxy S3 will come in at least two versions:
- The GT-I9300 (FCC-ID: A3LGTI9300 )
- The SCH-I939 (FCC-ID: A3LSCHI939 ) [Possibly the LTE version]
References
So how do you find new codes?
Well, Google it! Then consider getting the following tools:
- Get jd-gui (Often crashes)
- Get jad (doesn't crash, but is cmdline based)
- Get sgs2toext4 (and here)
- Get Disk Internals Linux Reader
- Get a disk image with deodexed Apps (see below)
Alternatively you can deodex on your own...but don't ask me how to do it.
Then what to do?
The brief version. (For full version, see "References" in OP above.)
1. Download all the tools shown above.
2. Download the deodexed firmware images (see post#3)
3. (If in Windows) Double click the sgs2toext4.
4. Drag and drop the system.img file to the sgs2toext4 "drop window".
5. You will now have a system.img.ext4 file, open this file with the LinuxReader tool.
6. Save entire filesystem (from 5) in a new folder. Close.
7. Go to the folder containing the *.apk(s) of interest.
8. Make sure dex2jar.bat (win) is in your path and run it on your interesting.apk like this, for example:
Code:
./path/to/dex2jar.bat Samsungservice.apk
This produces a new file: Samsungservice_dex2jar.jar
9. Extract (7zip) this file in a new folder.
10. Go to that folder in command line and enter the appropriate "jad" commands. For example, to decompile all class files globbed by Phone*.class and put the decompiled sources in the "src" sub-directory, do:
Code:
jad -o -r -sjava -dsrc Phone*.class
11. Go to the source directory (../src) you just created.
12. Enjoy your *.java files!
A few other Tools
http://www.sable.mcgill.ca/soot/
http://jdec.sourceforge.net/
http://stackoverflow.com/questions/6...whole-jar-file
http://askubuntu.com/questions/12930...mage-files-img
The information for this post was obtained by decompiling the
deodexed system image of the firmware shown below.
I9300XXALE8
Base Firmware: I9300XXALE8 (4.0.4)
Modem: XXLE8
CSC: OJVALE7
The latest GT-I9300 Stock Firmwares can be found here.
Here are the codes as found in:
serviceModeApp.apk: ServiceModeApp.class
Code:
Code                 Description                               JavaCall
----------------------------------------------------------------------------------------------------------------------
197328640 || 2684    Start Service Mode / Enter SM Main Menu   SendData('\001', '\001', '\000', '\000', '\000');
1111                 FTA SW Version                            SendData('\001', '\001', '\u1002', '\000', '\000');
2222                 FTA HW Version                            SendData('\001', '\001', '\u1003', '\000', '\000');
8888                                                           SendData('\001', '\001', '\u1003', '\000', '\000');
2886                                                           SendData('\001', '\001', ' ', '\000', '\000');
6984125*                                                       SendData('\001', '\001', ' ', '\000', '\000');
2767*2878            ? Factory reset (complete erase & format) SendData('\001', '\001', '!', '\000', '\000');
0228                 ADC Reading                               SendData('\001', '\001', '\005', '\000', '\000');
0599                                                           SendData('\001', '\001', '\024', '\000', '\000');
1575                                                           SendData('\001', '\001', '\025', '\000', '\000');
2263                 RF Band Selection                         SendData('\001', '\001', '\026', '\000', '\000');
2580                                                           SendData('\001', '\001', '\007', '\000', '\000');
301279 || 279301                                               SendData('\001', '\001', '\024', '\000', '\000');
32489                Ciphering Info                            SendData('\001', '\001', '\006', '\000', '\000');
4238378                                                        SendData('\001', '\001', '\027', '\000', '\000');
4387264636                                                     SendData('\001', '\001', '\037', '\000', '\000');
7284                 PhoneUtil: USB/UART I2C Mode Control      SendData('\001', '\001', '\023', '\000', '\000');
738767633                                                      SendData('\001', '\001', '\034', '\000', '\000');
73876766                                                       SendData('\001', '\001', '\033', '\000', '\000');
7387677763                                                     SendData('\001', '\001', '\036', '\000', '\000');
7387678378                                                     SendData('\001', '\001', '\035', '\000', '\000');
9090                 Diagnostic Configuration                  SendData('\001', '\001', '\023', '\000', '\000');
0011                                                           SendData('\001', '\004', '\000', '\000', '\000');
123456                                                         SendData('\001', '\004', '\001', '\000', '\000');
<na>                 End Service Mode 1 ()                     SendData('\002', '\004', '\000', '\000', '\000');
<na>                 End Service Mode 2 ()                     SendData('\002', '\001', '\000', '\000', '\000');
As you can see in the table above, most of the hidden codes are just shortcuts
into various sub-menus (third parameter) of the Service Mode application. However,
this does not exclude the use of other hidden codes that can be used or detected
in other applications.
From a different file we have some additional codes.
(Not including already covered or overlapping codes.)
serviceModeApp.apk: SecKeystringBroadcastReceiver.class
Code:
0000
147852               TestApnSettings: putExtra("testBed", "Suwon");
1478963              TestApnSettings: putExtra("testBed", "Open_market");
22558463             Reset Total Call Time
232331
232332
232337
3214789650
369852               TestApnSettings: putExtra("testBed", "Gumi");
3698741              TestApnSettings: putExtra("testBed", "Delete_DB");
-------------------------------------------------------------------------------
03                   NAND Flash S/N (NandFlashHeaderRead)
745                  RIL Dump Menu
746                  Debug Dump Menu
0228                 Battery Status
1111                 IF SalesCode="CTC" THEN: TerminalMode
2222                 IF SalesCode="CTC" THEN: TerminalMode
2263
8888
9900 || 0514         System Dump
279301
301279
3214789              GCF Mode Settings
5337632              NFC Test
22553767             Call Drop Log View
6335623              TESTMODE
or factory IMSI numbers, through statements like:
Code:
if ((mSalesCode.equals("CHM")) && (str.equals("827828868378")))
So there are probably many more codes to be found!
Other Stuff
Here are some unknown functions from: TerminalMode.class
Code:
DEBUG_SCR SendData('\001', '\004', '\000', 0, '\000');
EI_DEBUG_SCR SendData('\001', '\006', '\000', 0, '\000');
DATA_ADV SendData('\001', '\003', '\003', 0, '\000');
NAMBASIC SendData('\001', '\003', '\001', 0, '\000');
TESTMODE SendData('\001', '\001', '\000', 0, '\000');
NAMSIMPLE SendData('\001', '\003', '\002', 0, '\000');
TEST_CALL SendData('\004', '\007', c, 0, '\000');
Code:
-------------------------------------------------------------------------------
private class OemCommands (ServiceModeApp) value hex
-------------------------------------------------------------------------------
char OEM_SERVM_FUNCTAG = '\001';
OEM_SM_ACTION = '\000'; 00
OEM_SM_DUMMY = '\000'; 00
OEM_SM_END_MODE_MESSAGE = '\002'; 02
OEM_SM_ENTER_MODE_MESSAGE = '\001'; 01
OEM_SM_GET_DISPLAY_DATA_MESSAGE = '\004'; 04
OEM_SM_PROCESS_KEY_MESSAGE = '\003'; 03
OEM_SM_QUERY = '\001'; 01
OEM_SM_TYPE_MONITOR = '\004'; 04
OEM_SM_TYPE_MONITOR_SKT = '\001'; 01
OEM_SM_TYPE_NAM_EDIT = '\003'; 03
OEM_SM_TYPE_PHONE_TEST = '\005'; 05
OEM_SM_TYPE_SUB_ALL_VERSION_ENTER = '\004'; 04
OEM_SM_TYPE_SUB_BAND_SEL_ENTER = '\026'; 16
OEM_SM_TYPE_SUB_BATTERY_INFO_ENTER = '\005'; 05
OEM_SM_TYPE_SUB_BLUETOOTH_TEST_ENTER = '\t'; 09
OEM_SM_TYPE_SUB_CIPHERING_PROTECTION_ENTER = '\006'; 06
OEM_SM_TYPE_SUB_ENTER = '\000'; 00
OEM_SM_TYPE_SUB_FACTORY_PRECONFIG_ENTER = '\016'; 0e
OEM_SM_TYPE_SUB_FACTORY_RESET_ENTER = '\r'; 0d
OEM_SM_TYPE_SUB_FACTORY_VF_TEST_ENTER = '\031'; 19
OEM_SM_TYPE_SUB_FTA_HW_VERSION_ENTER = '\003'; 03
OEM_SM_TYPE_SUB_FTA_SW_VERSION_ENTER = '\002'; 02
OEM_SM_TYPE_SUB_GCF_TESTMODE_ENTER = '\027'; 17
OEM_SM_TYPE_SUB_GET_SELLOUT_SMS_INFO_ENTER = '\037'; 1f
OEM_SM_TYPE_SUB_GPSONE_SS_TEST_ENTER = '\025'; 15
OEM_SM_TYPE_SUB_GSM_FACTORY_AUDIO_LB_ENTER = '\030'; 18
OEM_SM_TYPE_SUB_IMEI_READ_ENTER = '\b'; 08
OEM_SM_TYPE_SUB_INTEGRITY_PROTECTION_ENTER = '\007'; 07
OEM_SM_TYPE_SUB_MELODY_TEST_ENTER = '\013'; 0b
OEM_SM_TYPE_SUB_MP3_TEST_ENTER = '\f'; 0c
OEM_SM_TYPE_SUB_RRC_VERSION_ENTER = '\024'; 14
OEM_SM_TYPE_SUB_RSC_FILE_VERSION_ENTER = '\021'; 11
OEM_SM_TYPE_SUB_SELLOUT_SMS_DISABLE_ENTER = '\034'; 1c
OEM_SM_TYPE_SUB_SELLOUT_SMS_ENABLE_ENTER = '\033'; 1b
OEM_SM_TYPE_SUB_SELLOUT_SMS_PRODUCT_MODE_ON = '\036'; 1e
OEM_SM_TYPE_SUB_SELLOUT_SMS_TEST_MODE_ON = '\035'; 1d
OEM_SM_TYPE_SUB_SW_VERSION_ENTER = '\001'; 01
OEM_SM_TYPE_SUB_TFS4_EXPLORE_ENTER = '\017'; 0f
OEM_SM_TYPE_SUB_TOTAL_CALL_TIME_INFO_ENTER = '\032'; 1a
OEM_SM_TYPE_SUB_TST_AUTO_ANSWER_ENTER = ' '; 20
OEM_SM_TYPE_SUB_TST_FTA_HW_VERSION_ENTER = ----> # UTF-8: U+1003: e1 80 83 MYANMAR LETTER GHA
OEM_SM_TYPE_SUB_TST_FTA_SW_VERSION_ENTER = ----> # UTF-8: U+1002: e1 80 82 MYANMAR LETTER GA
OEM_SM_TYPE_SUB_TST_NV_RESET_ENTER = '!'; 21
OEM_SM_TYPE_SUB_USB_DRIVER_ENTER = '\022'; 12
OEM_SM_TYPE_SUB_USB_UART_DIAG_CONTROL_ENTER = '\023'; 13
OEM_SM_TYPE_SUB_VIBRATOR_TEST_ENTER = '\n'; 0a
OEM_SM_TYPE_TEST_AUTO = '\002'; 02
OEM_SM_TYPE_TEST_MANUAL = '\001'; 01
-------------------------------------------------------------------------------
private class OemCommands (TerminalMode)
-------------------------------------------------------------------------------
OEM_HIDDEN_FUNCTAG = 'Q';
OEM_HM_END_TEST_CALL_MESSAGE = '\t';
OEM_HM_TEST_CALL_MESSAGE = '\004';
OEM_HM_TYPE_TEST_CALL = '\007';
OEM_SERVM_FUNCTAG = '\001';
-------------------------------------------------------------------------------
private class OemCommands (SysDump:)
-------------------------------------------------------------------------------
OEM_DBG_STATE_GET = 6;
OEM_DEL_RIL_LOG = 13;
OEM_DPRAM_DUMP = 14;
OEM_DUMPSTATE = 3;
OEM_DUMPSTATE_ALL = 20;
OEM_ENABLE_LOG = 7;
OEM_GCF_MODE_GET = 15;
OEM_GCF_MODE_SET = 16;
OEM_IPC_DUMP_BIN = 9;
OEM_IPC_DUMP_LOG = 8;
OEM_KERNEL_LOG = 4;
OEM_LOGCAT_CLEAR = 5;
OEM_LOGCAT_MAIN = 1;
OEM_LOGCAT_RADIO = 2;
OEM_MODEM_FORCE_CRASH_EXIT = 23;
OEM_MODEM_LOG = 18;
OEM_NV_DATA_BACKUP = 17;
OEM_OEM_DUMPSTATE_MODEM_LOG_AUTO_START = 19;
OEM_RAMDUMP_MODE = 10;
OEM_RAMDUMP_STATE_GET = 11;
OEM_START_RIL_LOG = 12;
OEM_SYSDUMP_FUNCTAG = 7;
OEM_TCPDUMP_START = 21;
OEM_TCPDUMP_STOP = 22;
-------------------------------------------------------------------------------
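The third SendData() argument of the ServiceModeApp calls can be resolved against the OEM_SM_TYPE_SUB_* constants above, which names the sub-menu behind codes the table leaves without a description. This is an added example, not code from the decompiled apps; the calls and constant values are copied from this page, and the function names are illustrative.

```python
import re

SIMPLE = {"b": 8, "t": 9, "n": 10, "f": 12, "r": 13}  # non-octal Java char escapes
CHAR_LIT = re.compile(r"'(?:\\.[0-9a-fA-F]*|[^'\\])'")
PREFIX = "OEM_SM_TYPE_SUB_"
# Subset of the OEM_SM_TYPE_SUB_* constants listed above, keyed by value.
SUB_MENU = {
    0x00: "ENTER", 0x05: "BATTERY_INFO_ENTER",
    0x06: "CIPHERING_PROTECTION_ENTER", 0x07: "INTEGRITY_PROTECTION_ENTER",
    0x13: "USB_UART_DIAG_CONTROL_ENTER", 0x14: "RRC_VERSION_ENTER",
    0x15: "GPSONE_SS_TEST_ENTER", 0x16: "BAND_SEL_ENTER",
    0x17: "GCF_TESTMODE_ENTER", 0x1b: "SELLOUT_SMS_ENABLE_ENTER",
    0x1c: "SELLOUT_SMS_DISABLE_ENTER", 0x1d: "SELLOUT_SMS_TEST_MODE_ON",
    0x1e: "SELLOUT_SMS_PRODUCT_MODE_ON", 0x1f: "GET_SELLOUT_SMS_INFO_ENTER",
    0x20: "TST_AUTO_ANSWER_ENTER", 0x21: "TST_NV_RESET_ENTER",
    0x1002: "TST_FTA_SW_VERSION_ENTER", 0x1003: "TST_FTA_HW_VERSION_ENTER",
}

def java_char(lit):
    """Numeric value of a Java char literal such as '\\026', '\\u1002', '\\f' or '!'."""
    body = lit[1:-1]
    if body[0] != "\\":
        return ord(body)
    esc = body[1:]
    if esc[0] == "u":
        return int(esc[1:], 16)   # \uXXXX is hexadecimal
    if esc[0].isdigit():
        return int(esc, 8)        # \NNN is octal, so '\026' is 0x16
    return SIMPLE[esc]

def decode(call):
    """Return (argument values, sub-menu constant name) for one SendData(...) call."""
    args = [java_char(m) for m in CHAR_LIT.findall(call)]
    return args, PREFIX + SUB_MENU.get(args[2], "unknown")

# Calls copied from the ServiceModeApp.class table above, keyed by secret code.
CALLS = {
    "2263": r"SendData('\001', '\001', '\026', '\000', '\000');",
    "0599": r"SendData('\001', '\001', '\024', '\000', '\000');",
    "2886": r"SendData('\001', '\001', ' ', '\000', '\000');",
    "1111": r"SendData('\001', '\001', '\u1002', '\000', '\000');",
    "2767*2878": r"SendData('\001', '\001', '!', '\000', '\000');",
}

if __name__ == "__main__":
    for code, call in CALLS.items():
        args, name = decode(call)
        print(f"{code:10} sub-menu 0x{args[2]:04x} {name}")
```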
Next we'll have a look at some interesting (or not?) system "properties".
For now, I'll just list some of those I found more interesting and potentially useful.
Code:
Property                  Setting/String             Source                             Description
----------------------------------------------------------------------------------------------------------------------
dev.silentlog.on          On                         SysDump:
gsm.operator.numeric      45001                      Sec_Ril_Dump: [RIL::FD]            Samsung Testbed
gsm.default.sidmode       ?                                                             UART
net.tcpdumping            On                         SysDump:                           ?
nfc.trace.mode            On                                                            Enable NFC Trace Mode
ril.FTM_MODE              ?                                                             "FTM_MODE_KEY"
ril.FS                    true                       PhoneUtils: updateRAFT()           Activates RAFT (???) updates
ril.OTPAuth                                          SysDump:                           OTP Authentication
ril.cdma.inecmmode        true                                                          Is phone in ECM mode?
ril.unique_number                                                                       The RIL Unique Number (UN)
ril.sms.gcf-mode          On                                                            ? SMS "GCF" mode
persist.log.seclevel      On                                                            Switchable Log level?
persist.sys.country
ro.build.type             eng                        SysDump:
ro.debuggable             On                                                            Enable Debug / DBG_ENG / Engineering Mode??
----------------------------------------------------------------------------------------------------------------------
Country/Region Specific
----------------------------------------------------------------------------------------------------------------------
ro.board.platform
ro.build.characteristics
ro.csc.sales_code         SKT | KIT | LGT            PhoneFeature: makeFeatureForKor()
ro.product.name           espressorf | espresso10rf  PhoneFeature: checkDBGLevel()
                          aegis2vzw                  PhoneFeature: makeFeatureForKor()
                          jaguars | jaguark | jaguarl
Code:
mFeatureList.put("emergency_for_cyber_terror", boolean2);
Special Files
As we know from other Samsung Galaxy class phones, there are a number
of files that can be created or modified in order to activate certain
functions. Here we list those found to date. Please post if you know
of other ones!
Apparently setting the "SubscriberID" (IMSI) to "999999999999999" also
activates certain test features. A sim with this IMSI is also known as
a "Factory SIM". However, if the SIM IMSI starts with either "45001" or
"00101" it is a "Test SIM".
[See: ServiceModeApp.apk:PhoneUtils.java:isFactoryMode() or
FactoryTest.apk:ModuleCommon.java:isFactorySim()]
Code:
File                                 FileContent   Description
-------------------------------------------------------------------------------
/efs/FactoryApp/factorymode          ON            Enable Factory Mode
/efs/FactoryApp/keystr               ON            Blocked (hidden code?) Key String(s)
/efs/imei/mps_code.dat               ?             ?
/efs/root/ERR                        ?             Error Log
/data/.psm.info                      ?             WiFi Power Save Mode
---------------------------------------
Various Log Files:
---------------------------------------
/data/log/CallDropInfoLog.txt        ?             Dropped Calls Log
/data/log/lucky_ril.log              ?             ?
/data/log/dumpState_*.log            ?             ? System Dump Log
/data/log/main_*.log                 ?             ?
/data/anr/traces.txt                 ?             ?
/data/log/err                        ?             ? Error Log
/data/log/err/AENEAS_TRACE_###.bin                 RF Aeneas Trace Log
/data/log/err/MA_TRACE_###.bin                     RF MA Trace Log
/mnt/sdcard/log                      ?             ?
---------------------------------------
System Files
---------------------------------------
/sys/class/sec/switch/adc
Finally, we have two NV passwords that are used for uploading or dumping NVram, AFAIK. They are:
873283
3352225
and they can be found in Sec_Ril_Dump.class.
DISCLAIMER:
As I do not have access to a GT-I9300, I have not been able to verify
any of the information in this thread! I apologize if there is any erroneous
information here. Please let me know and post new information here as
it becomes available. Also make sure you make a complete backup, before
attempting any of the codes or other trickery above!