DFS User Manual ENG

DFS Professional CDMA Tool User Manual

Intellectual property of DFS Team. 2003-2011

Powered by Telecom Logic group

DFS CDMA

Professional CDMA Software

User Manual

Functional Capabilities

C2011-5A

May 09, 2011

Side information and technical support: http://cdmatool.com

DFS is a professional software that allows working with equipment of standard CDMA with different level of complexity. Software package DFS is fully automated and does not require deep knowledge of CDMA

technology for working with equipment. The main functionality of DFS is encapsulated and reduced in the interface down to the push-button mode of action decision (for instance, equipment unlocking or serial number

recovery is performed exclusively by pressing the buttons “Read SPC” or “Save ESN” without any additional adjustment, regardless of a model of equipment and complexity of the algorithm of a process). Capabilities of DFS are practically unlimited despite of the main algorithm encapsulation. Software package

DFS has tools for low-level impact on equipment (working with RAM, file system, flash-device) that gives an engineer wider spectrum of possible duties. DFS Team is not responsible for any damage caused directly or

indirectly (fault of engineer or software failure) to the equipment in the process of working with it. DFS Team provides technical support for the product remotely via website http://cdmatool.com and reserves the right to refuse further support to the user whose program copy has been compromised in any way (for

details in the license agreement).

http://cdmatool.com/




Starting

Main Capabilities:

Unblock of equipment (SPC, SIM, OTKSL, FSC, LockCode etc.)

Definition of CAVE (A-key, SSD-A, SSD-B)

Restore of ESN, MEID, IMEI

Complete or partial replacement of software equipment (Flashing)

Rollback and restore of NV area and RF part of equipment

Tools for work with file system FS, subsystem CEFS, subsystem EFS2, main memory RAM, EEPROM

Programming of number and data communication settings.

Requirements:

Operating system Windows 2000 and later editions (Win98 and earlier editions were not tested because of irrelevance)

Microsoft .NET Framework 2.0 and higher (http://download.microsoft.com)

Usage of RAM depends on executed task (~ 15Mb - 70Mb).

http://download.microsoft.com/



The First Launch

When you first start DFS, dialog box “About DFS” will appear on your PC. Here you must enter the authorization data on the site http://cdmatool.com (these data are used for update program in the future).

Prescribe your data and click “Apply”

Remember that one of the points of agreement is a condition where it is forbidden to distribute the registration

data. Attempt to resell, hacking software and other actions will lead to blocking your account.




Equipment Detection System

Port Manager Software package DFS is a multithreaded software that allows to run tasks simultaneously on different system

ports (the main application – performing long-term operations in a background flux. For instance, - read RAM or Flash).

Vocabulary: • Active process (port) - the process of DFS, querying system port, whose events are displayed in the interface.

• Background process (port) - the process of DFS, querying system port, whose events are not displayed. • Tool list of processes – tool of rapid processes (ports) control DFS.

Port manager allows to add system port to ports “allowed for searching for the equipment”. When launched, the

program scans all the allowed ports (if they are present in the system and active) for the equipment availability. Number of queried ports affects the program speed (every system port is queried in separate thread

asynchronously, that is, for the two ports two different streams are created, for three - three, etc.). It is not recommended to add modem ports of compound devices without necessity.

Drop-down list «Show» has 2 points: “Diagnostic only” and “All system ports”. On default is “Diagnostic

only” - all Diagnostic ports are displayed in the system. If you select “All system ports” - all ports will

be visible, including ports of all devices (modem, bluetooh, virtual ports, etc.).

On the field “Ports” one can add or exclude the system port from ones allowed for query. System ports prohibited from query are marked gray, ports allowed for query are marked black. Port status “prohibited”/ “allowed” can be changed by double click or using buttons “Add” / “Remove”. Adding system port to the list

of allowed for query ports launches new background process DFS, which is responsible for the selected port. Deletion of a port from the list destroys the corresponding process. When you add a device, at the bottom of

port manager it will appear a device and a summary.



DFS Main Menu Elements

Controlling Port It is not necessary to use port manager (PM) in order to switch between ports (processes). Picture shows main

elements of controlling ports DFS which allow the following: • Open/Close the current active port (a button with image of handset in circle. The color of a circle shows current state of the port. Green circle – the port is open; Red – the port is closed; Blue – the port is unavailable

or busy, DFS waits for access to the port). • Quick change the active port (drop-down list of ports existing in the system).

Attention! This list denotes only ports allowed for query by user. • Change port speed. (It is important for COM ports). • Abort the current operation of the process. (Button Abort)

Detailed port settings (such as read /write timeouts and DCB parameters) can be made at the general settings tab (general settings page will be described later).

Controlling Device The main aspects of the work with equipment are shown in the main menu.

• Unlock the equipment automatically, manually and ignoring the SPC (Mode IgnoreSPC is used if the SPC unknown and read it is not possible).

• Command line. It works in three modes. BT - sends accumulated bytes to the port "as is", BTCS – sends

accumulated command bytes with the checksum and the end of the packet flag (standard Qualcomm data communication packet), NVMI – forms full standard packet for reading or writing elements NV (it is needed only first 3 command bytes for reading, and for writing – first 3 bytes and 3 recording data bytes).

• Some well-known methods reset the device to factory settings. This option should be used carefully and only in case of need, rollbacking the settings of equipment prior to changes.

• Quick change of the device operation mode. Reboot, shutdown, test mode (option may not be supported by the device), switch to data communication mode (modems only).



• Known methods of switching port card to diagnostic mode. By default, DFS do not attempt to switch the equipment to diagnostic mode (NotUse). If you choose option which differs from NotUse in the list, DFS will

attempt to switch the equipment to diagnostic mode automatically according to the chosen method.



Diagnostics and Indication

The first tab DFS shows list of all available updates (Equipment), general information about used support DFS file (Status) and general diagnostic information about equipment (Diagnostic).

EQF: Group “EQF” displays information about available support files, inaccessible support files (limited by level of access). Currently in use EQF appears lower in the group “Current”. In case if the DFS could not find the

necessary EQF for the connected equipment, it is automatically used universal EQF (Qualcomm based).

Status and Diagnostic: Group “Status” displays the current status of equipment (data exchange with the base station). Here you can see information such as the serial number of equipment (broadcast), channels used for the network operator, SID/NID on which the equipment works, operation of equipment (Band Class), work

status (RX State), the state of operation at the moment (Entry/State). Group “Diagnostic” displays information about the version of firmware and hardware configuration, and also

the level of signal reception and transfer of voice packets.



DFS Indicators:

* Online - indicator of equipment state: - green color indicates diagnostic mode;

- blue - data communication mode (modem data mode); - yellow - data loading mode Download;

- red data loading mode Stream Download (flashing mode running Boot) * EQF - indicator of state EQF:

- green indicates that DFS, sees the equipment, you can continue to work; - yellow indicates that DFS, does not see the equipment, you can continue to work on the standard algorithm

Qualcomm Universal (in this mode QPST works, unblocking, changing serial numbers and other "non-standard" options are not available). If the device works as Qualcomm Universal, it is necessary to make the EQF and send to support (see below);

- red indicates that DFS can not identify equipment (Download or Streaming Download mode). You should work extremely carefully in «red» mode. DFS does not control user actions in this mode and therefore will not

be able to prevent the wrong actions, which can damage the equipment. * RPSI - displays port query mode:

- green displays diagnostic query; - blue - displays data query;

- red displays Download query; - yellow - Stream Download query.



Updates

EQF files are updated automatically at startup or manually by pressing the button “Update DFS” from the server DFS using authorization data entered at the first launch of the program. If a connection with the Internet is established via proxy server, enter the name of the proxy server and port in the appropriate field and click the

button “Enable Proxy”.

Tray- icon status - crossed, there is no Internet connection or a problem with your account – details in the tooltip tray- icon.

EQF - special file of DFS support, defining the algorithms of work with different equipment. EQF is necessary for the operations of unlocking and repairing ESN, MEID, IMEI. If the equipment is not known to DFS (no appropriate EQF file), DFS will work with equipment from an

algorithm Qualcomm (as it does QPST for example). In the majority of cases it is not dangerous, but for some devices programming in this mode may cause the device inoperable (basically it is about some models of

Samsung and Kyocera).



Programming the Equipment

Before writing parameters it is useful to read appropriate parameters, change necessary parameters, then to write the changes. This method of programming equipment will be the most correct!

General functions for all programming tabs Possibility to choose NAM (on default the equipment uses NAM1 for work – UseNam1).

Tab « »

Unlocking, Repairing ESN, MEID, IMEI, A-KEY, SSD-A, SSD-B

The first step to work with equipment is unlocking. In order to unlock the equipment it is necessary to read SPC

and send it to the equipment (SPC -> Send in the main menu - see the description of the main menu).

Groups Unlock, SIM UNLOCK, Serial Number, MEID, IMEI, CAVE can serve as reading and writing with corresponding sets of parameters.

Group SPC Calculator - calculator SPC for operator Metro PCS based on current ESN.



Tab « »

Programming NAM Parameters and PRL

Field IMSI allows to enter full number for programming equipment (in this format:

<MCC><MNC><MIN2><MIN1>), followed by automatic partition to the appropriate fields.

Group PRL allows to read, write, save and load PRL operator. In order to see a list of the PRL, it is necessary to download them to a folder DFS (\TelecomLogic\DFS\PRL).

Detailing of Station Class Mark (SCM)

Field Mould allows for previously saved programming template to fill automatically the fields specific to the mobile operator.



Tab « »

Programming Data Communication Parameters

On this tab you can program the data of data transfer protocol PРP, authorization methods of PАP, HDR

and set the mode of operation of the device in the network.

PPP authorization method usually holds the control couple "login-password" for authorization of the operating

system.

HRD authorization method has three pairs "login-password". Depending on the operator and the equipment it is used one or another pair “login-password” at the authorization EVDO (usually that is the couple “HDR

NAI - HDR Password”).

Groups of parameters “MODE”, “EVDO SCP options”, “Data config”, “Dial string”, “DNS

primary/secondary” allow to set up of the equipment in details in data communication mode.

== Annotation ==

PPP – Point-to-Point Protocol

PAP - Password Authentication Protocol CHAP - Challenge Handshake Authentication Protocol aka (HDR - Hight Data Rate)



Tab « »

Working with profiles of MIP

Group of parameters “Mobile IP main settings ” allows to change the regime of authorization SimpleIP,

PrefMobileIP, MobileIP depending on the operator and equipment.

Subgroup “Profile settings” is responsible for the profile activity of the equipment. “Number of profiles” is responsible for the current number of profiles in the system.

Subgroup “Registration settings” is responsible for the timeout and time slot of registration.

Group of settings “Profiles” To enable \ disable the profile it is necessary to use the right mouse button, menu appears “Enable Profile” \ “Disable Profile”.

When changing the status of the profile will change the icon

Saving and reading data in group settings “Mobile IP main settings” produced by buttons «Read» and «Write».

Group of settings “Selected profile settings” allows to perform detailed settings of the equipment with the profiles Mobile IP.

Saving data in group settings “Selected profile settings” produced by button «Write current profile

settings»



Tab « »

Unique Settings “Customize”

Tab Customize contains the unique settings for certain manufacturers and models.



NV Editing Utility

This utility allows to scan the specified range of volatile device memory by cells, browse the contents of the cells, make and save changes. The maximum size of 65535.

Button “Read range” reads NV cells indicated in the initial (Start) and end (End) address. Reading is in

automatic mode. Button “Read RF” reads NV cells with calibration apparatus. After reading cells the data is stored in the heap, use the button “Save” to save the data. The format of saved

NV parameters is suitable for browsing in XML-compatible programs (for example, a plain text notepad).

Writing is the corresponding buttons “Write all” or “Write RF”. Alternatively, you can record calibrations only of the full backup NV, DFS will select necessary cells NV automatically for recording calibrations.

Should pay attention to the difference between RF calibrations and full dump settings.

Recommended to do full dumps, but write RF only.

IMPORTANT! Recording full dump when absolutely necessary only.

Button “Import” allows to import NV of the older versions DFS format *.nvm or other programs (optional,

100% support is not guaranteed) format *.txt.

== Annotation ==

NV – Non-Volatile Memory



EFS File System

Utility for working with the equipment file system is a hybrid EFS Explorer that gives an opportunity to work

with the file system in random mode, and also supports non-standard (in any case departed from Qualcomm) systems (such as Read EFS (Kyocera).

By means of this utility it is possible to save or load the device system file on PC as tree-type structure representing the EFS image, if this operation is supported by the device.

It is possible to remove or save each element of EFS.



Main Memory Operation Utility

Memory of device operation utility allows the user to read, scan for the ability to read, save and edit the memory “on the fly”.

You can scan the following types of memory: RAM (read and display real-time, data retrieval and record);

DRAM (read and display real-time. Works in the presence of EQF only); EEPROM (similarly to RAM); CEFS (read and search data);

To scan memory for readability it is necessary to specify the scanning speed (Detail, Low, Medium, High) and

click “Scan”. To read a range of the memory it is necessary to choose type (Type), starting address (Start) and size (Size) required for reading the memory and click “Read”.

To display the memory unit of the selected address, click “Show”.

At the bottom of the monitor displays the reading speed (Speed) RAM, the read address (Current address) at the moment and the approximate end time of scan (Remaining time).

Data monitoring

«Data monitoring» allows to display a block of memory in the monitor. For movement on the address block,

you can use the button “Page up” and “Page down”. “Data monitoring” page displaying can be adjusted by the following Page parameters: Size_16x16, Size_16x64, Size_16x128.

Data analyzer «Data analyzer» allows to search from the memory by internal algorithms data of the following types: SPC, ESN, MEID, AKEY, SSDA, SSDB, Password PAP, PPP, AN, ANPPP, ANLONG. Search Mode «Digits» - search numbers of a given length (the length specified in the field of search modes, for

example, a query ?????? – search mode of six-digit numbers).



Search Mode “HEX” looking for a given set of bytes (mask specified in the field of search modes).

You can analyze on the fly “Online” or download the “File” external *.bin file.

Examples of Memory usage – see the applications.



Updating Software Utility

DMF – universal firmware file of DFS.

Update DMF occurs directly through the built- in download manager from the server.

To download firmware files need to go to the tab «Server», select the firmware file and click «Download». The loading process will go. Upon completion of loading window appears of successful download:

The full and partial replacement of the device software is made by the utility Download.



DMF files

Local: in this section displays all the firmware files (format *.dmf) that are in the folder \DFS\DMF.

Server: in this section displays all the firmware files (format *.dmf) that reside on the server program. Firmware found in the directory \DFS\DMF.

Current DMF

If the DMF file is selected in the section DMF files, it will be shown automatically a list of the contents of the firmware file (Boot, AMSS, CEFS2 etc).

Under the list of firmware files is displayed information about DMF: model, firmware version.

IMPORTANT! To flash the device it takes only to update the AMSS. Updating other parts of the firmware - only for professionals and may withdraw the device from the system, if the failure occurs during firmware.

Commands Contains buttons for managing software updates: “Write” and “Erase”. Lists “Override” and “NoOverride” are intended for heavily damaged devices. Mode “Override” erases the

current structure of the software modem before software update. It is recommended to use it only if equipment in normal mode can not update the software (DFS issues the message about the need to use this mode in

such cases). In “Override” mode it is required writing QCSBLH, QCSBL, OEMSBL



Process of Software Update Updating of the device software starts after the selection of the required DMF and required part of update

(AMSS, CEFS2 etc), by pressing the button “Write”.

IMPORTANT! If the device is in Download mode (DL) initially, it is required to select EQF manually in order to flash it, and try to flash after selection only.



Modem Diagnostic Utility

Modem diagnostic utility is an adapted functional of the program Windows HyperTerminal. The left side of utility displays the result of the standart modem query. The right side of utility allows to make arbitrary requests of AT commands.

“Load script” - loading a script file that can be used to send to the terminal a list of AT commands to the modem port.

“Save script” – saving a script file in the format *.atf



EQF Identifier

EQF Identifier allows user to read and save the device firmware identification. It is necessary when the

developer does not have the required equipment firmware edition for the user, but he has an edition compatible with it, and significant changes (except the firmware identification) are absent. In this case user can send the

saved “*.fwi” file to the DFS support service ([email protected]) with proper commentary (manufacturer, device model, the maximum information about the given firmware), thereafter the DFS developers will try to update EQF support file for recognition received edition of firmware as soon as possible.

mailto:[email protected]



DFS Settings

The group “Serial Port Settings” allows user to change DCB settings of the port. It is not recommended to

change these settings without having a deep knowledge in this area. The group “Timeout” allows user to change device latency time for DFS request for reading and writing

respectively. Increasing of latency time slows down the program but improves the reliability of the information received. It is not recommended to change these settings if the equipment works without any faults.

The group “PSI Request allows user to disable (not recommended) extended query of the equipment in case of non-standard reaction of the device to the query.

The group “File System Viewer” allows user to specify arbitrary Hex editor for browsing files of the file system. By default DFS uses WinHex.

It is possible to change also the temporary folder of the program. Ability to write in this folder is necessary for correct operation of the program (important for operating systems restricted the user rights).



Examples of Memory Usage

Example 1

Device: modem Cal-comp A600 (Cricket)

Purpose: reading PWD AN (CHAP) by CEFS Solution: connect, select a port, make sure that the program sees the device (tab “Equipment”, Status – green

colour of device inquiry and Current – model name)

Pass on the tab “Memory”, select Type – CEFS, click on the button “Read”. Wait until the process of memory reading is completed. After this pass to “Data analyzer” and select the required type of search (Search Type)

and see the results of the analysis “Result”.

Selecting one of the results, we can see the contents of the memory unit in the monitor. Similarly, we can look

for other types of data in different types of memory (RAM, DRAM, EEPROM).



Example 2 Device: modem Novatel U720 (Sprint)

Purpose: reading SPC by RAM Solution: connect, select a port, make sure that the program sees the device (tab “Equipment”, Status – green

colour of device inquiry and Current – model name)

Pass on the tab “Memory”, select Type – RAM, specify Start 01300000 and Size 00300000 click on the

button “Read”. The process of memory reading will go.

After completion pass to “Data analyzer”, select the required type of search (Search Type) and see the results “Result”.

In this range of memory found 2 results SPC. If select one of the addresses, then in the left window “Data

monitoring” the address structure and data of HEX and String will appear.



Example 3 Device: modem Novatel U720 (Sprint)

Purpose: restoring ESN by RAM Solution: connect, select a port, make sure that the program sees the device (tab “Equipment”, Status – green

colour of device inquiry and Current – model name). Send SPC.

Pass on the tab “Memory”, select Type – RAM, specify Start 01300000 and Size 00300000 click on the button “Read”. The process of memory reading will go.

After completion pass to “Data analyzer”, select the required type of search (Search Type) and see the results

“Result”.

To change the data select the first address and write zero ESN in the text field:

If press “Write” – write changes in current address. If press “Write to all addresses”, then write to all the addresses from the current group of ESN.



Before writing it is appeared a window with confirmation of writing:

Ram write 0x01522AAC CPS_OK

After that pass on the tab “General” and write correct ESN.

SET ESN CPS_OK OK

DFS User Manual ENG

Documents

Transcript of DFS User Manual ENG