8110 LTE bands unlocking

[Collin McMillan]

Hi All

I have a Nokia 8110 and 6300.  I am located in the US.  I have been on a quest for a simple privacy phone, so GerdaOS on the 8110 is great.  Many thanks to the team.  The phone is close to perfection for me, great form factor, private, easy to use, etc. etc.

I have been using it as a 3G device in the US.  It supports band 5, for which AT&T has decent coverage nationwide.  I would be happy with this except that in February AT&T will shut down 3G on band 5.

Supposedly it is possible to unlock other frequencies for LTE (bands 2 and 17 would be great).  There is an option in the IMEI tool in GerdaOS that I assume implements the procedure described here: https://groups.google.com/g/bananahackers/c/IQk9MmalwM4/m/ataGhvpuDQAJ 

I ran the script in that post as well, and also changed my IMEI to the 6300's numbers, since the 6300 works fine on LTE.  I haven't been able to make it work yet.

I do think the script is doing something because when I dump the contents of /dev/block/bootdevice/by-name/tunning, files nvm/num/6828 and nvm/num/6829, the value is the "new" one written by the script.  I confirmed this by power cycling the device and running:

# busybox tar xf  /dev/block/bootdevice/by-name/tunning

Then looking for nvm/num/682[8-9]

I also double checked this using QXDM in Windows.

Poking around with other NV data, I also found several values like:

66267    RFNV LTE B1 Max TX Power DB10    /nv/item_files/rfnv/00020992    RF LTE

with readable values like:

1    1    RFNV_LTE_B1_MAX_TX_POWER_DB10_I[0]    16    UINT16
225    225    RFNV_LTE_B1_MAX_TX_POWER_DB10_I[1]    16    UINT16

The corresponding names for other channels like B2 are there:

66692    RFNV LTE B2 Max TX Power DB10    /nv/item_files/rfnv/00020993    RF LTE

but they are empty.

I have some limited experience working with 4G modem programming in Linux (Sierra Wireless products), but I don't know quite how these values work for this device.

In theory the Snapdragon X5 modem accompanying the 205 CPU should support all these frequencies.

Can anyone confirm a procedure that opens other bands for LTE in the US on the 8110?

Some possibilities:

- This is actually not possible due to another hardware constraint beyond the modem. Maybe the amplifier or antenna.  I may be able to replace the antenna with the one from the 6300.  Changing the amp is probably beyond my ability.

- This blog refers to a security code needing to be sent (https://chronovir.us/2019/04/23/Either-Qual-or-Comm/).  The end of the thread above mentions going to offline mode, setting a code, then setting the 6828 and 6829 values.  Maybe I need to "go offline" and set some code?

- I have the TA-1048 model from Europe.  There is a TA-1059 version for sale here in the US.  Maybe there is some hardware difference that makes it possible with the TA-1059?  I would buy one if I were certain it would work, but I don't want to just waste $70 to find out.

Anyway, sorry for the long post, and THANK YOU for this project.  GerdaOS on this phone is exactly what I've been looking for.

Collin

---

http://www.cse.nd.edu/~cmc/

[Tudor Pop]

Have you tried to flash TA-1059 firmware to your Nokia european version?

However, since LTE, 4G and 3G means different frequencies, I'm afraid that phone radio modem is different, for different frequencies. Also I think that radio modem firmware is different from LTE to 3G and 4G.

[Collin McMillan]

I have not tried to flash the 1059 firmware -- good suggestion I will look into that.

My understanding is that the Qualcomm 205 platform uses the Snapdragon X5 modem, which technically is supposed to be able to use both US and EU frequencies.  I am going to open up the phone to check the actual part numbers.  When you say there are different firmware for LTE, 3G, 4G, do you mean that there are three different firmwares to load somewhere?

The thing is, people have reported success in making this work.  Not only for the 8110, but for the CAT B35, which is very very similar hardware under the hood.

[Collin McMillan]

Well I am getting a little closer.  I used QCSuper to capture the packets when trying to connect.  Some good news buried in there.  The process seems to be:

LTE DL_SCH SIB1 packet received on channel 5 (this is a Verizon tower near me according to the cellIdentity key in the packet)

LTE DL_SCH SIB2/SIB3 packets received on channel 5

LTE DL_SCH SIB1 packet received on channel 4 (an AT&T cell near me according to cellIdentity)

(then nothing for about 20 seconds)

UMTS SI_BCH received on channel 5

(continued negotiation of UMTS signal)

I also used "adb logcat" to print out debug messages.  I get several messages like this:

11-29 20:37:43.434   452   452 D SIGNAL_STRENGTH: nsMobileSignalStrength mLevel=4,mGsmSignalStrength=14,mGsmBitErrorRate=0,mCdmaDbm=-120,mCdmaEcio=-160,mEvdoDbm=-120,mEvdoEcio=-1,mEvdoSnr=-1,mLteSignalStrength=99,mLteRsrp=2147483647,mLteRsrq=2147483647,mLteRssnr=2147483647,mLteCqi=2147483647,mTimingAdvance=99,mTdScdmaRscp=2147483647

So evidently the phone thinks the signal strength on LTE is unreachable (99), so it drops to UTMS.

The good news in here is that the phone *is* receiving messages on channel 4.  For some reason I can't capture transmitted LTE packets, but I suspect what is happening is that the device receives LTE on channel 5 and sees that it is Verizon.  Then it also receives a channel 4 packet from AT&T, but for some reason cannot complete the connection.  This is either due to a software error or perhaps the antenna is not suited for this purpose.

The FCC documents show three Rx antennas but one Tx: https://fccid.io/2AJOTTA-1048/Internal-Photos/Internal-photos-3753493

One idea I had is that the Tx antenna is no good for band 4, even though the modem seems to be capable.  So my next step is to open the phone and see if I can change the antenna for one that I know is suitable for band 4 (and others).

Open to any ideas (or cautions).