
UNLOCKING CDMA I910 GPS - please help us!


Guest aleis


Guest WoZZeR999

Taken directly from Samsung's site:

Connectivity

Bluetooth (A short-range wireless radio technology that allows electronic devices to connect to one another.): Yes

USB (A type of plug-in connection that is used to connect devices): Yes

Internet HTML Browser (The authoring language used to create documents on the World Wide Web.): Yes

Outlook Sync (Synchronize your emails & contacts.): Yes

WIFI (Wireless local area networks that describes the generic wireless interface of mobile computing devices.): Yes

AGPS (Assisted GPS is a type of handset-based position location technology.): Yes

NFC (Near Field Communication): Yes

PC Sync Application (An application to connect the phone to a computer with a cable and synchronize calendar.)

8GB Internal User Memory

Edited by WoZZeR999

Guest aceofrazgriz

you guys are mixing up the AGPS with the GPS again. VZNav doesn't use the actual GPS chip, it's AGPS using cell towers for location, same with the 911 thing, it's not full GPS which is why the options are "911 Only" and "Location On"

AGPS is far different from GPS. it's not just a letter being added for nothing.


Guest WoZZeR999

No, I understand the difference, but for the sake of argument, any type of "Location device" is a step up from having nothing. I don't think that anyone has taken apart a i910 to even check to see if there is a true GPS chip in it. If so, this whole talk of "Unlocking GPS" is no different than "Unlocking AGPS".

The i900 has been opened up, and it has a GPS, but we are finding more and more differences between the i900 and i910, so AGPS may be the best we CAN get. Your post is about as helpful as people whining that they are going to contact Verizon and bitch to them, thank you for the effort, but it does not help people use their phone to locate themselves.


Guest dmk679

The i910 has the qualcomm msm6281 chipset ( link ). This chipset includes: gpsOne position-location assisted-GPS (A-GPS) solution. Anyways, enough arguing about this, we need to continue working on a gps unlock solution...and enough on the Verizon bashing. Everyone pretty much feels the same way, it sucks, but we need to remain focused on fixing the problem at hand. If you want to complain to verizon, go to their website, call them, go on a hunger strike or whatever, but please stop posting on a forum that is trying to unlock the gps.

Upon running GPSTEST, I am only receiving encrypted coordinates. My GPSTEST log file is basically the same as my GPSSRV log file, with the failure starting at:

oGPSSetDeviceParam( GPS_DEVICE_PARAM_GPS_START_FIX ) failed - 00000006

But if people here can get GPSTEST to obtain correct lat/long, then I would like to start down the path of modifying GPSSRV using the appropriate GPSTEST functions. To do this, I need to get GPSTEST to work properly on my device. Any help would be appreciated.

Most of my digging indicates our problem is the difference between the vx6800 and i910 oemgpsone.dll. The i910 oemgpsone.dll is twice the size of vx6800! The oGPSSetDeviceParam function in the two DLL files appears completely different in IDA Pro. We need to be able to import and call the appropriate functions in the i910 oemgpsone.dll to make this work.

Also, can someone post the i910-specific LBSDriver.dll? (edit: nevermind, I have LBSDriver.dll from the rom dump)

Edited by dmk679

Guest TheDrizzle
The i910 has the qualcomm msm6281 chipset ( link ). This chipset includes: gpsOne position-location assisted-GPS (A-GPS) solution. Anyways, enough arguing about this, we need to continue working on a gps unlock solution...and enough on the Verizon bashing. Everyone pretty much feels the same way, it sucks, but we need to remain focused on fixing the problem at hand. If you want to complain to verizon, go to their website, call them, go on a hunger strike or whatever, but please stop posting on a forum that is trying to unlock the gps.

Upon running GPSTEST, I am only receiving encrypted coordinates. My GPSTEST log file is basically the same as my GPSSRV log file, with the failure starting at:

oGPSSetDeviceParam( GPS_DEVICE_PARAM_GPS_START_FIX ) failed - 00000006

But if people here can get GPSTEST to obtain correct lat/long, then I would like to start down the path of modifying GPSSRV using the appropriate GPSTEST functions. To do this, I need to get GPSTEST to work properly on my device. Any help would be appreciated.

Most of my digging indicates our problem is the difference between the vx6800 and i910 oemgpsone.dll. The i910 oemgpsone.dll is twice the size of vx6800! The oGPSSetDeviceParam function in the two DLL files appears completely different in IDA Pro. We need to be able to import and call the appropriate functions in the i910 oemgpsone.dll to make this work.

Also, can someone post the i910-specific LBSDriver.dll?

I swear that Moogle got gpstest to output valid coordinates. Post #276 (here) has the first post I can find where he got it to work. Has this already been proven to be wrong or a fluke that only worked once?


Guest dmk679
I swear that Moogle got gpstest to output valid coordinates. Post #276 (here) has the first post I can find where he got it to work. Has this already been proven to be wrong or a fluke that only worked once?

I did see the post by Moogle where he received valid lat/long using GPSTEST. I need to be able to recreate this activity and run through the calls to oemgpsone.dll to be able to progress, otherwise, we need to tackle using a different method. Thus far, I have been unable to obtain valid lat/long using GPSTEST using "stock" i910 dll's or dll's from the vx6800 (skywing's versions).


Guest somedude
Monday mornings between 9AM and 12PM EST?

sure, that's a good time.

We should start the assault soon.

Between us trying to find a hack, and harassing verizon, something's got to give! Either way, I'm confident we'll have working gps soon.

Edited by somedude

Guest aceofrazgriz
I did see the post by Moogle where he received valid lat/long using GPSTEST. I need to be able to recreate this activity and run through the calls to oemgpsone.dll to be able to progress, otherwise, we need to tackle using a different method. Thus far, I have been unable to obtain valid lat/long using GPSTEST using "stock" i910 dll's or dll's from the vx6800 (skywing's versions).

i THINK somewhere in here a i900 user posted files for the GPS to be used to test on the i910. i must have missed that post, only read about the first 20 pages lol. this died down it seems, we need to get it picked back up again as the hope for a verizon fix is extremely slim.

and somedude... maybe if they STOP getting harassed about it they may feel like getting around to the update quicker. pissing off a company (or annoying call center workers) doesn't result in anything. be civil, they do actually appreciate that.


Guest theonewon
i THINK somewhere in here a i900 user posted files for the GPS to be used to test on the i910. i must have missed that post, only read about the first 20 pages lol. this died down it seems, we need to get it picked back up again as the hope for a verizon fix is extremely slim.

and somedude... maybe if they STOP getting harassed about it they may feel like getting around to the update quicker. pissing off a company (or annoying call center workers) doesn't result in anything. be civil, they do actually appreciate that.

Places in this post we have already discussed about how Verizon is going to be unlocking the GPS in a firmware upgrade specific to the i910. they said that they will be releasing it around June 1st!! so i see little use in still trying to "hack" the GPS on Verizon phones unless in some way with the "unlock" in the new firmware they still have it "locked"

so i recommend just being patient and waiting till June till we can really see if Verizon holds up to their word.


Guest J. Brad Harris
I did see the post by Moogle where he received valid lat/long using GPSTEST. I need to be able to recreate this activity and run through the calls to oemgpsone.dll to be able to progress, otherwise, we need to tackle using a different method. Thus far, I have been unable to obtain valid lat/long using GPSTEST using "stock" i910 dll's or dll's from the vx6800 (skywing's versions).

I get valid GPS Coordinates from GPSTest by doing the following:

Fire up VZNavigator (must be activated) and then use the "Maps & Traffic / Where Am I" map. Let this show your location.

Leave VZNavigator running, start GPSTest.

GPSTest will give Lat/Long coords that are correct (albeit backwards). The valid coordinates will stay valid for about 1-2 seconds...and then they will become nonsense...keep watching the screen, and about every 5 seconds the nonsense will update to realistic coordinates for another 1-2 seconds. I've discovered that the correct coordinates are shown whenever the {Sats} field is updated...so if it adds another sat or drops one, the valid coordinates are shown for a second or so, and then back to gibberish.

my coords from GPSTest:

long: 30.391339

lat: -84.229596

And that's correct (but backwards)

Hope this helps.

Also, I'm a software developer with all the tools needed to crack this guy, if only someone would point me in the right direction. I need the source for GPSSrv and GPSTest and I feel I could crack this wide open in a matter of days. I much prefer .NET (I'm lazy), but I can work in native as well.

Brad Harris


Guest J. Brad Harris
Places in this post we have already discussed about how Verizon is going to be unlocking the GPS in a firmware upgrade specific to the i910. they said that they will be releasing it around June 1st!! so i see little use in still trying to "hack" the GPS on Verizon phones unless in some way with the "unlock" in the new firmware they still have it "locked"

so i recommend just being patient and waiting till June till we can really see if Verizon holds up to their word.

Sometimes we just want to play with our devices and see what we can get out of them. It may be about personal gratification as much as anything else. As far as the "hacking" is concerned, please realize that what we are doing is troubleshooting and fixing a feature that our phones have, but a bug in the drivers means it won't operate up to expectations without a patch. If verizon is truly releasing an unlocked ROM in the near future, then they fully intend us to have a fully usable GPS, in which case they won't mind us figuring out how to do it sooner. If they are NOT going to release a new ROM which unlocks the GPS (my suspicion) then we need to keep this going with as much momentum as possible.

Back to the matter at hand, If I could get someone that's up on all the latest here to PM me with a sitrep I might could research some more on my actual phone with the GPS working (via VZNavigator or GPSTest).

Thanks,

Brad Harris


Guest WoZZeR999

I had noticed a while back when I was doing some testing, that as long as GPSTest was the ONLY program trying to get GPS coords, it was pretty accurate. I also noticed that while driving, I got a higher percentage of correct coords. At that time, I had enabled GPSone (I believe, don't remember the exact name, I'm at work right now) through QPST. I also gave it the same ip/port that was recommended for the vx6800 fix. I don't have a lot of programming experience, but I am pretty good at troubleshooting, and can get a decent idea of what's going on with IDA.

I can't get GPSTest to run anymore (GPSSec error), so maybe tonight I'll go and do a hard reset and start playing with the GPS again.

Edit: I did not have to have VZNav open. I may have been using some other dll's though. I will try again after I do a hard reset. I am also going to make the QPST change first before using edited dll files.

Edited by WoZZeR999

Guest dmk679
Places in this post we have already discussed about how Verizon is going to be unlocking the GPS in a firmware upgrade specific to the i910. they said that they will be releasing it around June 1st!! so i see little use in still trying to "hack" the GPS on Verizon phones unless in some way with the "unlock" in the new firmware they still have it "locked"

so i recommend just being patient and waiting till June till we can really see if Verizon holds up to their word.

It is fine if you want to wait around for Verizon to fix this feature, but from my standpoint I want to work on unlocking this functionality. The title of this thread is "UNLOCKING CDMA I910 GPS" - for those not on board or those who want to wait for Verizon, I am fine with that decision but please be mindful of the purpose of this thread.

Brad: thanks for the info re: GPSTEST working successfully with VZNAV. We need to get GPSTEST to consistently obtain successful lat/long without VZNAV. As Wozzer mentioned, some people have gotten it working but I have been unable to replicate. I have politely asked for source code from skywing (http://www.nynaeve.net/ ) for GPSTEST and GPSSRV but have not received a response. Do you have software development experience using visual studio on a windows mobile environment?


Guest WoZZeR999

With the source, I could probably figure out what I am doing through trial and error. I think one of the main problems with GPSTest is that it refreshes too often, so by lowering the sync time, it may get more accurate results.

You may need to install VZNav first, or just install the Certs (I will try that too). I will try to come up with the exact steps needed to get GPSTest working, if someone can work on either getting the source, or creating a replica of it. I seem to remember getting GPSTest running right from a hard reset, and maybe even a reprogramming (*228, option 2). If it does not require that, and only DLLs/Registry settings, I will create a cab to get GPSTest running.

If you are getting an error that says something about GPSSec, that is what I'm trying to fix. If it opens, try again after a soft reset, and do not open any other GPS programs and see if you get even 1 sync to correct coords. I believe that if you even get that 1, then we can work with that. If you can't open it, that's where the problem lies.

Also, use GPSTest-Mod (few pages back I think), it will stay open in the background. You can create a folder on your storage card called TestApp (I believe, I gave the exact folder name), to get the GPS log.

I would really like to get this unlocked before Verizon (just so I can say we did it!), so anyone who actually wants to help, please stay in this thread. For everyone who wants to just bitch and say "Verizon sucks donkey nuts, please unlock this phone for me kind douchebag", please start another thread to whine with your friends. If we make good headroom and can get reproducible results, I will probably start a new thread.


Guest pantsman

Been following along, and working on and off, but I haven't had anything to contribute yet. I still don't but I do have a lot of Windows/.NET programming experience and it would help me a lot if somebody could get the source to GPSTest or some other, preferably simple, known working (for other phones that is) GPS app as I haven't been able to find one yet. I've been working with some of the GPS programming tutorials on the net but it's hard to learn this stuff when I'm testing on a device that doesn't work in the first place. I may spring for a bluetooth GPS module so that way I can write my own app and make sure it at least works with that.

Anyhow, if anybody can track down source for a GPS app that would be very helpful.


Guest WoZZeR999

Steps I've taken to try to get a fresh start

From a complete hard reset (Start -> Settings -> Hard Reset, Clear All Data, Pass is last 4 of your phone number)

When reset, dial *228, option 1, reset when done (automatic)

When reset, dial *228, option 2, reset when done (automatic)

Start -> Settings -> Phone -> Services tab -> GPS, Location on

Start -> Settings -> Power -> Set to 'None' on both battery and external, allow screen to dim

Open GPSTest-Mod, wait for sync.

I was indoors when I started this test, so I never got the initial sync. I will try again while I am driving home to see if I can get a sync. I know these steps will get GPSTest to run and from what I've seen while dissecting GPSTest in IDA, the program does things that oemGPSOne.dll does. I believe that is almost an exe version of a working oemGPSOne dll. I will try to do as little with my phone as possible to see if I can get a fix.

Edited by WoZZeR999

Guest dmk679
Steps I've taken to try to get a fresh start

From a complete hard reset (Start -> Settings -> Hard Reset, Clear All Data, Pass is last 4 of your phone number)


When reset, dial *228, option 1, reset when done (automatic)


When reset, dial *228, option 2, reset when done (automatic)


Start -> Settings -> Phone -> Services tab -> GPS, Location on


Start -> Settings -> Power -> Set to 'None' on both battery and external, allow screen to dim


Open GPSTest-Mod, wait for sync.

I was indoors when I started this test, so I never got the initial sync. I will try again while I am driving home to see if I can get a sync. I know these steps will get GPSTest to run and from what I've seen while dissecting GPSTest in IDA, the program does things that oemGPSOne.dll does. I believe that is almost an exe version of a working oemGPSOne dll. I will try to do as little with my phone as possible to see if I can get a fix.

Let us know what you find out. GPSTest does import functions from oemgpsone.dll like the one we keep getting an error on (oGPSSetDeviceParam). I am also going to try to grab a copy of the i770 gpsone.dll and compare to the i910 oemgpsone.dll. They are approximately the same size and I need to see if they are the same using Windiff and IDA - this is more of a curiosity from my end but if there are subtle differences then at least we have another dll file to try.


Guest WoZZeR999

Hmmm, I'll try putting a different oemGPSOne file I have in the same file as the program to see if I can get a device set.

Does anyone know the format of GPSOneFileSimulation.txt? Another option would be to use that as the GPS program (update it and stuff through a few scripts, not 100% sure yet, but could be interesting).

If I remember correctly, Windows reads from the program's directory first, then the /windows directory, so the modified (or alternate) oemgps would only have to be in the same folder as whatever program needed it.

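An added example, not part of the original thread: if the loader prefers the program's own folder over the Windows directory, as the post above recalls, then any same-named DLL placed beside an executable takes the place of the system copy, which is something worth auditing for. This Python check flags such shadowed modules and whether their contents differ; the directory layout, the `Program Files` paths and the file contents are constructed sample data, and only the file names come from the thread.

```python
import hashlib
import os
import tempfile


def _sha256(path):
    """Hash a file in chunks so large modules are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _index_modules(directory):
    """Map lower-cased DLL name -> path for one directory (module names are case-insensitive)."""
    index = {}
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.lower().endswith(".dll"):
            index[entry.name.lower()] = entry.path
    return index


def find_shadowed_modules(app_dirs, system_dir):
    """Return one finding per DLL in an application folder that shares its name
    with a DLL in system_dir. 'modified' is True when the two files differ."""
    system = _index_modules(system_dir)
    findings = []
    for app_dir in app_dirs:
        for name, app_path in sorted(_index_modules(app_dir).items()):
            system_path = system.get(name)
            if system_path is None:
                continue  # private DLL with no system counterpart: nothing shadowed
            findings.append({
                "module": name,
                "app_copy": app_path,
                "system_copy": system_path,
                "app_size": os.path.getsize(app_path),
                "system_size": os.path.getsize(system_path),
                "modified": _sha256(app_path) != _sha256(system_path),
            })
    return findings


def build_sample_tree(root):
    """Constructed sample layout: a system folder and two application folders."""
    windows = os.path.join(root, "Windows")
    gpstest = os.path.join(root, "Program Files", "GPSTest")
    other = os.path.join(root, "Program Files", "OtherApp")
    files = {
        os.path.join(windows, "oemgpsone.dll"): b"stock-image" * 2,
        os.path.join(windows, "LBSDriver.dll"): b"stock-lbs",
        os.path.join(gpstest, "OEMGPSONE.DLL"): b"alternate",   # same name, different bytes
        os.path.join(gpstest, "LBSDriver.dll"): b"stock-lbs",   # same name, identical copy
        os.path.join(gpstest, "GPSTest.exe"): b"exe",
        os.path.join(other, "helper.dll"): b"private",          # no system counterpart
    }
    for path, data in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)
    return [gpstest, other], windows


def demo():
    """Run the audit over the constructed tree and return (module, modified) pairs."""
    with tempfile.TemporaryDirectory() as root:
        app_dirs, system_dir = build_sample_tree(root)
        return [(f["module"], f["modified"])
                for f in find_shadowed_modules(app_dirs, system_dir)]


if __name__ == "__main__":
    for module, modified in demo():
        state = "differs from system copy" if modified else "identical to system copy"
        print(f"{module}: shadowed in application folder, {state}")
```
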

Guest roc22
I took a different approach and emailed samsung instead of verizon to ask about the GPS and here is what I got back. What I got back was surprising and I went to the Samsung site and their literature no longer lists GPS as a feature on the phone see pdf link. PDF

"Dear John,

Thank you for your inquiry. The built-in GPS feature of the phone supports Emergency 911 only. This is so that in case of emergency, you can be located by emergency services. There is no support for the use of 3rd party GPS devices at this time, nor do we have information about future development in this area.

Do you have more questions regarding your Samsung Mobile Phone? For 24 hour information and assistance, we offer our new FAQ/ARS System (Automated Response System) at http://www.samsung.com/us/support/faqs/supportFaq.do. Be certain to check the Handy Resources links at the bottom of the page for quick access to things like the Owner's Manual, Warranty Information, Accessories, and more.

It's like having your very own personal Samsung Technician at your fingertips.

We do thank you for your interest in Samsung products.

Sincerely,

Technical Support"

Original Question (choose Samsung i910 when sending in question)

The GPS on this phone is currently locked. Verizon blames this on samsung and says it is waiting on you for a firmware update, and that they are hoping to have unlocked GPS functionality available by the 2nd half of 2009. Can you confirm this is the case and about when you will be sending updated firmware to verizon?

 

I spoke to 3 Samsung Techs myself over the last 3 weeks and this is completely opposite of what all 3 of them told me. Verizon's reason (as they claim) for locking the GPS is because it is a security risk for their network. We all know that this is pure BS but the Samsung techs (all 3 of them) leveled with me and said, "Verizon signed a contract with us to have a model of the Omnia exclusive to them with certain clauses intact, encrypting the GPS functionality being one of them. We are contractually obligated to obey their request and Verizon is the ONLY party who can override or alter that clause." If in fact the GPS is going to be unlocked it will happen 1 of 2 ways:

  1. Verizon will have to honor their word and unlock it by June 30th, or
  2. We'll have to do it ourselves.
Edited by roc22

Guest drewbax

I have been testing some random things on my i910. I have noticed that iGO 8 will autodetect the GPS receiver on port 8 at baud 57600. But as soon as I try to run it with VZ navigator running it is unable to detect any GPS receiver at all. SO I KNOW there is a chip in there or there would not be a port allocated to it and the Navigation software says that "GPS receiver is connected."

Just a passing thought.


Guest J. Brad Harris
Brad: thanks for the info re: GPSTEST working successfully with VZNAV. We need to get GPSTEST to consistently obtain successful lat/long without VZNAV. As Wozzer mentioned, some people have gotten it working but I have been unable to replicate. I have politely asked for source code from skywing (http://www.nynaeve.net/ ) for GPSTEST and GPSSRV but have not received a response. Do you have software development experience using visual studio on a windows mobile environment?

Yes, I have VS experience w/ WM. That is what I do for a living. I write applications for *un-named state agency*, some of the applications have a mobile component.


Guest dwallersv
I have been testing some random things on my i910. I have noticed that iGO 8 will autodetect the GPS receiver on port 8 at baud 57600. But as soon as I try to run it with VZ navigator running it is unable to detect any GPS receiver at all. SO I KNOW there is a chip in there or there would not be a port allocated to it and the Navigation software says that "GPS receiver is connected."

Just a passing thought.

While I unfortunately can't help with the actual hacking and development (although I'm happy to be a test platform to run anything you guys want, gather data, and send it back), I'd add this thought: Clearly this is doable, because VZNavigator does it. Combined with some of the other anecdotal and hearsay evidence in this thread, seems likely that VZNavigator passes a key to the GPS APIs at startup, or when it makes requests for location data. The latter would explain the behavior seen so far -- occasional clear data once in awhile through GPSTest when VZNav is running, probably when the latter is requesting an update. For a brief window, the chip or driver uses the key to decode and sends good data until some timeout when it resets again.

Also possible that VZNav is simply decrypting internally, which would be harder to crack, but this makes the intermittent success with GPSTest harder to explain.

In any case, seems to me focusing on VZNav and trying to crack that app would be the best approach at this point. I'm willing to chip in to pay for a month of VZNav access... if we get enough volunteers to chip in, we probably could get a few months committed for each of the 3 or 4 guys here who can do the cracking and hacking.

Edited by dwallersv

Guest dmk679
From skywing's article on Uninformed:

The first such protection embedded into LBSDriver.dll is a digital signature check on the main process executable corresponding to any program that attempts to load LBSDriver.dll. This check is ultimately triggered when the GPSOpenDevice export on LBSDriver.dll is called. Specifically, the calling process module is confirmed to be signed by a custom certificate. If this is not the case, then an error dialog is shown, and the GPSOpenDevice request is denied. This check is based on calling GetModuleFileName(NULL, ...)[8] to retrieve the path to the main process image, which is then run through the aforementioned signature check.

Additionally, LBSDriver.dll also connects to an Autodesk-operated server in order to determine if the calling program is authorized to use LBSDriver.dll. In addition to verifying that the calling program is approved as a GPS-enabled application, the Autodesk-operated server also appears to indicate back to the client whether or not the user's account has been provisioned for a subscription location-enabled application, such as VZ Navigator. A program hoping to utilize LBSDriver.dll must pass these checks in order to successfully acquire a location fix using the built-in gpsOne hardware.

The Autodesk-operated server also provides configuration information (such as Position Determining Entity (PDE) addresses) that is later used in the assisted GPS process. However, this configuration information appears to be more or less static, at least for the critical portions necessary to enable assisted GPS, and can thus be cached and reused by third-party programs without even needing to go through the Autodesk server.

For anyone that has not read skywing's article on Uninformed, my first suggestion is to read it. It discusses the security mechanisms around the gps module on the vx6800, many of which apply in similar fashion to the i910. This article has been posted previously within this thread. The above article excerpt indicates why targeting the VZNAV protection mechanism involves bypassing several security mechanisms in LBSDRIVER.dll. This is a difficult route to tackle IMO.


Guest nickmdp
For anyone that has not read skywing's article on Uninformed, my first suggestion is to read it. It discusses the security mechanisms around the gps module on the vx6800, many of which apply in similar fashion to the i910. This article has been posted previously within this thread. The above article excerpt indicates why targeting the VZNAV protection mechanism involves bypassing several security mechanisms in LBSDRIVER.dll. This is a difficult route to tackle IMO.

Assuming that information is correct, I may have found a way to get GPS data without ever calling GPSOpenDevice. MSDN GPS Architecture , as shown in the link, there are two ways to get the GPS data in windows mobile. The first way is through the normal GPS API that outputs the protected GPS data, while there is also the raw GPS data which is not parsed, and should be unprotected.

I plan to try and take a further look at this and possibly make an example GPSTest that would rely on the raw data, to see if it has any success.


Guest aceofrazgriz

good info i'll have to take a look.

btw: for fun (and because someone mentioned it) i just finished dismantling my i910 using an i900 service manual, couldn't find one for the i910. While i couldn't get the last screw out for the main PCB i did notice some large differences including the fact that the connection for the GPS in the i910 is completely different from that in the i900. While no, i couldn't confirm if the chip was there... bastard screw... you'd think after all the nonsense with people talking to sammy and vzw that they woulda spoke up that it wasn't there. but there was something visible where the GPS chip is on the i900 when i slightly lifted the PCB and look under. just some food for thought on the difference of connection for the i910 vs the i900. now the fun begins, putting it back together.

Edited by aceofrazgriz