Guest JDawg183 Posted March 26, 2009 From what I read from skywing's research, if the GPS firmware has the encryption, then you would be getting encrypted data. In best case, you would have to figure out how to decrypt it. But see, that's the thing, it wouldn't be encrypted if you could trick the phone into thinking that the chip is actually part of another device. Many people in this thread have been able to use "pucks" with their phone and they work fine, so if you could redirect the path somehow so that instead of checking internally, it goes whatever route you would need to if you were using an external GPS (i.e. to Bluetooth) and, I know very little of programming, but go to somewhere within the registry where it tells the Bluetooth how to handle when it receives something (if request=gps then redirect to whatever the chip would be called). Just my thought. Probably not the right way to do it, but if I understand correctly that is kind of what he is trying to accomplish.
Guest WoZZeR999 Posted March 26, 2009 But see, that's the thing, it wouldn't be encrypted if you could trick the phone into thinking that the chip is actually part of another device. Many people in this thread have been able to use "pucks" with their phone and they work fine, so if you could redirect the path somehow so that instead of checking internally, it goes whatever route you would need to if you were using an external GPS (i.e. to Bluetooth) and, I know very little of programming, but go to somewhere within the registry where it tells the Bluetooth how to handle when it receives something (if request=gps then redirect to whatever the chip would be called). Just my thought. Probably not the right way to do it, but if I understand correctly that is kind of what he is trying to accomplish. The way I read it, since the firmware has the encryption, it would be SENDING encrypted data. If I have an encrypted hard drive, it does not matter if I have it as an external or internal hard drive, the bits being sent are encrypted.
Guest nickmdp Posted March 26, 2009 (edited) From what I read from skywing's research, if the GPS firmware has the encryption, then you would be getting encrypted data. In best case, you would have to figure out how to decrypt it. At worst case, you would have to send a challenge ID first (which you would have to figure out how it was calculated), get the returned data (and make sure that it is valid), and decrypt the GPS data based off of the challenge ID. If you can create a program that first reads the GPS data, and logs it to a file every x seconds, we might be able to get somewhere with it. You can also set Windows to use the gpsONE port drivers as well I believe. In HKLM\System\CurrentControlSet\GPS Intermediate Driver\Drivers\, you should be able to set CurrentDriver to GPSOnePort to have Windows use the port data as its GPS driver. I'm not 100% sure about how that works though. Yea, I'm pretty much doing it just to see if it is any difference since you should just be able to read the COM ports like a file. Also, assuming skywing's research was right, and that the protection starts once you make the call to GPSOpenDevice, then I would never encounter the encryption because I would only be calling CreateFile and DeviceIoControl to start and close the connection. From the MSDN references, the two methods seem to act quite differently, and I would be getting the data before it was parsed, and hopefully unencrypted. We can see where this goes, and if it somehow works, I would probably just pass it off to somebody who may be a bit more qualified than me to further develop it. Edited March 26, 2009 by nickmdp
Guest aceofrazgriz Posted March 26, 2009 From the MSDN references, the two methods seem to act quite differently, and I would be getting the data before it was parsed, and hopefully unencrypted. We can see where this goes, and if it somehow works, I would probably just pass it off to somebody who may be a bit more qualified than me to further develop it. Good point. As mentioned in this thread a few times there are other ways to access the GPS to send/receive information. This def sounds like the best approach and I wish you much luck on anything. I'm up late nights, EST timezone if you need testing or anything else. I'm willing to help anyone with what I can, I got a decent amount of time, Visual Studio 2005 Pro and some decent knowledge.
Guest DeepBlueEditor Posted March 26, 2009 Good point. As mentioned in this thread a few times there are other ways to access the GPS to send/receive information. This def sounds like the best approach and I wish you much luck on anything. I'm up late nights, EST timezone if you need testing or anything else. I'm willing to help anyone with what I can, I got a decent amount of time, Visual Studio 2005 Pro and some decent knowledge. If you guys can pinpoint the actual hardware and firmware version of it, it might be as simple as finding the web site or other helpful information on the manufacturer. Heck, maybe Samsung, knowing our issues, might even volunteer the maker's info. You can then look at their data on the chip(s) and firmware to determine a lot about it, like does it really use hardware-based encryption or does it really look for handshaking. Worth a shot folks. Find the device specs and someone post them and we research geeks can see what we dig up on the device itself. Sean
Guest dmk679 Posted March 26, 2009 If you guys can pinpoint the actual hardware and firmware version of it, it might be as simple as finding the web site or other helpful information on the manufacturer. Heck, maybe Samsung, knowing our issues, might even volunteer the maker's info. You can then look at their data on the chip(s) and firmware to determine a lot about it, like does it really use hardware-based encryption or does it really look for handshaking. Worth a shot folks. Find the device specs and someone post them and we research geeks can see what we dig up on the device itself. Sean The i910 has the Qualcomm msm6281 chipset - not sure of firmware version. Based on the info gathered from using GPSTEST and GPSSRV, the verdict is that it does require an initial handshake (which activates the radio), then outputs encrypted lat/long that require decrypting. Best of luck finding additional information - we can use any additional info to help.
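The two ideas above, nickmdp's "read the port like a file and log it every x seconds" and dmk679's verdict that the port outputs encrypted lat/long, both come down to one check: is what comes off the port plaintext NMEA with valid checksums, or opaque bytes? Below is an added example (not code from the thread or from any of the tools it names) that runs that check on a constructed byte string standing in for a port read (on the device the bytes would come from CreateFile/ReadFile on the COM port), then extracts fixes from the GGA sentences; the assumption that a working port speaks NMEA 0183 and the sample lines themselves are mine.

```python
"""Check whether raw GPS port output is plaintext NMEA, and pull fixes out of it."""
import re

SENTENCE_RE = re.compile(rb"^\$([A-Z]{5}),([^*]*)\*([0-9A-Fa-f]{2})\s*$")

# Constructed sample (not a capture from an i910): a no-fix GGA, a GGA with a
# fix, the same GGA with a corrupted checksum, and opaque bytes standing in for
# what an encrypted or proprietary port would produce.
SAMPLE_PORT_DATA = (
    b"$GPGGA,,,,,,0,00,,,M,,M,,*66\r\n"
    b"$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47\r\n"
    b"$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*48\r\n"
    b"\x8f\x12\xa4ZK\x03wQ\xee\x01\r\n"
)


def nmea_checksum(body: bytes) -> int:
    """XOR of every byte between the leading '$' and the '*'."""
    result = 0
    for b in body:
        result ^= b
    return result


def parse_sentence(line: bytes):
    """Return (talker+type, fields, checksum_ok), or None if the line is not NMEA-shaped."""
    m = SENTENCE_RE.match(line)
    if not m:
        return None
    kind, payload, given = m.group(1), m.group(2), int(m.group(3), 16)
    ok = nmea_checksum(kind + b"," + payload) == given
    return kind.decode(), payload.decode().split(","), ok


def dm_to_degrees(value: str, hemi: str) -> float:
    """NMEA ddmm.mmmm (lat) or dddmm.mmmm (lon) plus hemisphere -> signed degrees."""
    dot = value.index(".")
    deg = int(value[: dot - 2]) + float(value[dot - 2 :]) / 60.0
    return -deg if hemi in ("S", "W") else deg


def classify_port_output(data: bytes) -> dict:
    """Count valid NMEA, checksum failures and non-NMEA lines in one port read.

    Mostly non_nmea means the port is not speaking plaintext NMEA at all (for
    example encrypted or proprietary framing); bad_checksum points at a noisy link.
    """
    counts = {"valid": 0, "bad_checksum": 0, "non_nmea": 0}
    for line in filter(None, data.splitlines()):
        parsed = parse_sentence(line)
        if parsed is None:
            counts["non_nmea"] += 1
        elif parsed[2]:
            counts["valid"] += 1
        else:
            counts["bad_checksum"] += 1
    return counts


def extract_fixes(data: bytes) -> list:
    """(utc_time, lat, lon, satellites) for every checksum-valid GGA that has a fix."""
    fixes = []
    for line in data.splitlines():
        parsed = parse_sentence(line)
        if parsed is None or not parsed[2] or not parsed[0].endswith("GGA"):
            continue
        f = parsed[1]  # GGA: time, lat, N/S, lon, E/W, fix quality, satellites, ...
        if len(f) < 7 or f[5] in ("", "0"):
            continue  # quality 0: receiver alive but no fix yet
        fixes.append((f[0], dm_to_degrees(f[1], f[2]), dm_to_degrees(f[3], f[4]), int(f[6])))
    return fixes
```

Feeding each periodic port read through classify_port_output tells you whether there is anything to decrypt at all, and the tuples from extract_fixes are what a logger would append to its file.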
Guest Chugworth Posted March 27, 2009 The i910 has the Qualcomm msm6281 chipset - not sure of firmware version. Based on the info gathered from using GPSTEST and GPSSRV, the verdict is that it does require an initial handshake (which activates the radio), then outputs encrypted lat/long that require decrypting. Best of luck finding additional information - we can use any additional info to help. So basically what we need is an expert at software decompiling. Someone who can sort through VZNav and the associated DLLs to determine how the handshake works and how to decrypt the output. Trouble is, the Omnia is more of a consumer phone than a geek phone.
Guest krelvinaz Posted March 27, 2009 I suspect it would be a lot easier to do that with the gpstest program since it is one module and is very basic in structure compared to VZNav.
Guest somedude Posted March 27, 2009 (edited) Okay, so we know gpstest posts valid coordinates. Now if only we can broadcast the coordinates to the 3rd party applications some kind of way, we'll be done, right? Easier said than done I guess... Edited March 27, 2009 by somedude
Guest aceofrazgriz Posted March 27, 2009 (edited) Okay, so we know gpstest posts valid coordinates. Now if only we can broadcast the coordinates to the 3rd party applications some kind of way, we'll be done, right? Easier said than done I guess... Very simply put, yes. I haven't done this yet, but I too will run thru all the crap some of the other guys here have done to see if I can replicate it and keep the info for extra reference since I check this topic almost religiously now lol. Also, I'm confused, that cannot possibly be the right chipset as there isn't CDMA support in it, and that's the radio needed for Verizon. Just found this: http://www.howardforums.com/archive/topic/1466894-1.html It SEEMS that the chipset is the MSM6800 for the i910. Edited March 27, 2009 by aceofrazgriz
Guest Chugworth Posted March 27, 2009 I suspect it would be a lot easier to do that with the gpstest program since it is one module and is very basic in structure compared to VZNav. You're right. Come on people, our answer is hidden in a 20kb EXE file!
Guest DeepBlueEditor Posted March 27, 2009 (edited) Generic data sheet on the MSM6800. http://www.datasheetpro.com/817052_downloa..._datasheet.html In looking at the chipset alone, it is also used in this aircard. Might be worth investigating the other software used with this chipset by various operators, such as the Treo 800 which also has this same chipset. Link to a PDF on the aircard. http://www.sierrawireless.com/resources/pr...heet_lowres.pdf Backward engineering others' software that uses this card may actually be easier? Palm Treo 800 sales tool guide. See page 10: http://images.intomobile.com/wp-content/up...sales-guide.pdf Also listed as being in the Sprint AirCard 597E: http://www.mycellphoneblog.com/sierra-wire...ecs-slashphone/ PS, all the other folks using this chipset state, as well as Qualcomm, that this is a stand-alone GPS system not needing AGPS or other systems. It is a fully functional GPS system all its own. The folks that keep telling us there is no hardware GPS are not correct. One more big hint. This external modem setup booklet says this uses the MSM6800A chipset too. You guys might want to look at the specs on the software it uses. Cricket Wireless modem: http://www.mycricket.com/resources/UM100C-...ual_English.pdf Couldn't find any SDKs, programming docs for the beast or much else. Maybe a nice letter to the folks at Qualcomm about being developers might get a programming guide from them? If anyone wants to ask them please have at it. If not I'll write them a nice letter asking for programming info and see where that gets us. S. Edited March 27, 2009 by DeepBlueEditor
Guest WoZZeR999 Posted March 27, 2009 (edited) Well, I'm one step closer. Without changing any DLLs, only changing some Reg settings (not 100% sure if these matter yet), and enabling GPSOne with QPST, I can get a lock after about a minute with GPSTest. I'm getting accurate time and accurate date. I may do another hard reset, and see the bare minimum that I need to do for a lock. If my phone wasn't my camera at the moment, I would take a picture. Edit: After a hard reset (QPST settings are written to ROM) I can get a Sat fix with no reg settings. Edited March 27, 2009 by WoZZeR999
Guest aceofrazgriz Posted March 27, 2009 Well, I'm one step closer. Without changing any DLLs, only changing some Reg settings (not 100% sure if these matter yet), and enabling GPSOne with QPST, I can get a lock after about a minute with GPSTest. I'm getting accurate time and accurate date. I may do another hard reset, and see the bare minimum that I need to do for a lock. If my phone wasn't my camera at the moment, I would take a picture. Edit: After a hard reset (QPST settings are written to ROM) I can get a Sat fix with no reg settings. This sounds very promising. We still have to hardship or working in connection to software. I'm starting to go thru and find all the stuff where people had any success and trying them myself. If anyone has most of this in mind or anything I would appreciate a PM if possible. Thanks in advance. Again, I offer help to anyone that would like some.
Guest DeepBlueEditor Posted March 27, 2009 (edited) Last clue I have for now... From the spec sheet on the chipset. Note the highlighted segments: POSITION LOCATION. Highly accurate positioning for location-based services (LBS)
• Next-generation gpsOne® Assisted-GPS solutions provide enhanced GPS engines for greater sensitivity and faster start times
• Enhanced filtering software optimizes GPS accuracy and availability for tracking and satellite navigation applications
• Full integration with JAVA and BREW-based development environments delivers support for commercially deployed location services
• Seamless operation in MS-Assisted, MS-Assisted Hybrid, MS-Based and Standalone GPS modes provides optimal performance both on and off-network
• Support for both User Plane and Control Plane protocols including IS-801 Control Plane and Trusted, V1 and V2 User Plane Assisted-GPS protocols
• Simultaneous operation capabilities
So, we know the protocol IS-801 and that it has built-in JAVA and BREW capabilities. Anything new for you programming types? More info here? http://www.ethereal.com/lists/ethereal-dev...3/msg00661.html Programmers - potential motherlode here - See page 22 of the PDF: http://wiki.cdg.org/w/images/f/f9/Denver_prot_spec_.pdf More on IS-801: http://www.wipo.int/pctdb/en/wo.jsp?IA=US2...mp;DISPLAY=DESC See this as well on handset protocols, especially page 11: http://www.cdg.org/members_only/teams/GHRC...V6114-2NP_B.pdf A thesis paper on User Plane issues as relates to security etc. Explains in near layman's terms this User Plane mentioned above. Skip past the non-English at the front of this paper.
Lots of goodies in here: http://artemis.cslab.ntua.gr/Dienst/UI/1.0...ece/DT2006-0148 Excellent post in another forum explaining this all with another device (from 2006). We are reinventing the wheel here folks: http://pdaphonehome.com/forums/ppc-6700-xv...a-6700-a-7.html Also see this info from Verizon's Developer site: http://www.vzwdevelopers.com/aims/public/m...AQ.jsp#GenQues1 Excellent White Paper on Secure User Plane Location based services: http://www.broadcom.com/collateral/wp/SUPL-WP100-R.pdf I hope I have helped in some small way... off to bed for me. S. Edited March 27, 2009 by DeepBlueEditor
Guest aceofrazgriz Posted March 27, 2009 Quick thing I just noticed going and playing with various things... In the External GPS settings, while it should be set to automatically set it up on the last tab, the first tab shows software port as 8 (as does the registry) and the next tab... mine says (none) and any time I change it, it automatically reverts back. Does anyone have this happen? If anyone does that has VZNav installed (or will get the free trial day) could you open VZNav, leave it running and check this setting? See if it sets automatically or at least allows it to BE SET? I'm looking for anything odd, and this sticks out.
Guest JDawg183 Posted March 27, 2009 Quick thing I just noticed going and playing with various things... In the External GPS settings, while it should be set to automatically set it up on the last tab, the first tab shows software port as 8 (as does the registry) and the next tab... mine says (none) and any time I change it, it automatically reverts back. Does anyone have this happen? Yea, mine does the same thing. I thought that was odd too, but just figured I must be dumb.
Guest JDawg183 Posted March 27, 2009 Ok, two thoughts here. 1. There are a few WM 6.5 ROMs floating around including a ROM for the Omnia I900 on this site (link is http://www.modaco.com/content/i9x0-omnia-r...esearch-thread/ and I asked and they said specifically it was for the I900). If someone were able to tweak that to where it would work with the I910, have a fresh ROM, not touched by VZW, might that work? 2. This site ( http://forum.xda-developers.com/showpost.p...;postcount=2378 ) contains a ROM for WM 6.5 for the Vogue (not the important part) but the page also states "CRITICAL: For GPS to work with different carriers than Bell install one of the cabs in the attachment below, that matches your carrier." and has a NFSFAN Verizon GPS Registry.cab file. Would that file be device specific, or only carrier specific? Might someone be able to tear that apart and figure something out from that? Just a couple of thoughts.
Guest balaams_ass Posted March 27, 2009 (edited) My two cents. I was at edtechday (http://www.ithaca.edu/edtechday/) yesterday and spoke with John Smith (not his real name) who is the Verizon Wireless regional technical manager for upstate New York. I can't find his damned business card* to give you his exact name and title. But when I asked him directly about unlocking the Omnia GPS he said without hesitation, "2nd quarter service update". I don't want to stop anyone's efforts on beating Verizon to the crack but thought I'd toss this info out there. And yes I know this post is not about hacking it but rather Verizon's promise, and the last thing I want is for this to start more Verizon bashing, phone calling etc.... But it seems this is the most active thread on the GPS subject. *UPDATE: I found the dang card. Terrance J. Connor Manager-Data Solutions Rochester, NY Edited March 29, 2009 by balaams_ass
Guest WoZZeR999 Posted March 27, 2009 Ok, two thoughts here. 1. There are a few WM 6.5 ROMs floating around including a ROM for the Omnia I900 on this site (link is http://www.modaco.com/content/i9x0-omnia-r...esearch-thread/ and I asked and they said specifically it was for the I900). If someone were able to tweak that to where it would work with the I910, have a fresh ROM, not touched by VZW, might that work? 2. This site ( http://forum.xda-developers.com/showpost.p...;postcount=2378 ) contains a ROM for WM 6.5 for the Vogue (not the important part) but the page also states "CRITICAL: For GPS to work with different carriers than Bell install one of the cabs in the attachment below, that matches your carrier." and has a NFSFAN Verizon GPS Registry.cab file. Would that file be device specific, or only carrier specific? Might someone be able to tear that apart and figure something out from that? Just a couple of thoughts. That VZW AGPS file is for HTC devices only.
Guest JDawg183 Posted March 27, 2009 That VZW AGPS file is for HTC devices only. Would there be a way to dissect it to figure out how Verizon is shutting us out? And what about my first question, would the install of a fresh WM 6.5 ROM give us GPS if someone could get 6.5 working for the 910?
Guest DeepBlueEditor Posted March 27, 2009 (edited) I still think the best results will be had from looking at the protocol used to run the chip and writing something to completely go around VZW apps. Once someone with programming skilz understands the communications taking place between the hardware and the software it should be an easy thing for the real software hackers to come up with a GPS app that would be more universal to this chipset, that would run on most phones that have this GPS hardware. After all, you would be communicating directly with the hardware that is capable of doing the job. This is supposing there is a way to talk directly to the chipset from BREW or JAVA, which by all indications there seems to be. I'm a research kind of guy rather than a hacker myself. If we need more directed info, let me know what I should be searching for. I'll keep doing what I can but the above PDFs, etc. give plenty of basic understanding of the signals inside the device and some of the actual bytes and responses sent/needed I believe. Those of you that have the ability to sniff out the signals inside and passing to and from the device will make the biggest waves in this project if you can find the handshaking between the chip and the software. Or we just wait it out. That didn't work for the guys with the handsets mentioned in the other thread mentioned in my last note as I recall. I'm just sayin'. Has anyone looked at the older ideas in this forum? http://pdaphonehome.com/forums/ppc-6700-xv...ata-6700-a.html What about the software tools they mentioned here? What about the 922 questions and the idea that the system does the 911 GPS location functions? Any inroads there that might be worth following this round? Best of luck. Tired and my eyes hurt from all the reading last night. S. Edited March 27, 2009 by DeepBlueEditor
Guest WoZZeR999 Posted March 27, 2009 Would there be a way to dissect it to figure out how Verizon is shutting us out? And what about my first question, would the install of a fresh WM 6.5 ROM give us GPS if someone could get 6.5 working for the 910? That cab file really only has registry settings for something like HKLM/System/HTC/Supa GPS (don't remember the exact registry setting). Read back a few posts (could be a few pages now), and there is a report done by skywing, and there are multiple levels of security most likely. On top of a clean WM 6.5 ROM (which we would also need new drivers for; it may be possible if the i900 got the 6.5 upgrade that we could mix and match files), a new radio firmware (some of the GPS security is probably done in firmware), the correct oemGPSOne that could talk to the new radio firmware, and on top of all that, a clean ROM that we could cook with. Unless we get some genius that can cook an i910 ROM without the VZW upgrade, I don't see it happening that way any time soon.
Guest JDawg183 Posted March 27, 2009 On top of a clean WM 6.5 ROM (which we would also need new drivers for; it may be possible if the i900 got the 6.5 upgrade that we could mix and match files), a new radio firmware (some of the GPS security is probably done in firmware), the correct oemGPSOne that could talk to the new radio firmware, and on top of all that, a clean ROM that we could cook with. Unless we get some genius that can cook an i910 ROM without the VZW upgrade, I don't see it happening that way any time soon. So that link to the working 6.5 ROM for the i900 does us no good? No one can tear that apart and figure out how to get it to work for the 910? The guy running that thread said he could get one working if he had the 910 ROM, but I don't know how to rip it out of my phone.
Guest aceofrazgriz Posted March 27, 2009 I haven't seen a WM 6.5 ROM for a CDMA phone, which is the underlying problem. The right person, with an i910 Omnia, could POSSIBLY dump the ROM, extract drivers and all the things needed for phone hardware, and integrate it somehow... but WM 6.5 really isn't worth this hassle, nor is a GPS fix, it's just too much for what we really want here. If what "John Smith" said is credible about the 2nd Quarter update, and that he didn't hesitate, this again brings much hope for a Verizon release and at least something to go on. But hell, we've done so much already, why stop now? I would like to mention again my post above about the External GPS settings and how setting a hardware port doesn't work and only reverts back to "none." To me this indicates that Windows isn't recognizing the hardware, and that Verizon put something in there to do this. Can anyone with VZNav check into this for us and see if it sets or is able to be set when VZNav is running?