
How to enter Service / Field Test Mode #145

Open
E3V3A opened this issue Oct 10, 2014 · 30 comments

Comments

@E3V3A
Contributor

E3V3A commented Oct 10, 2014

This is not a real App issue, but it may be helpful to understand how Service Mode (SM) or Field Test Mode (FTM) can be reached on different devices and on different firmwares (FW, aka ROMs).

The SM is device and FW dependent, so what works on stock usually doesn't work on a custom ROM, or works completely differently. The FW provides an OEM Java wrapper for this access, and AOSP and AOKP usually do not provide this wrapper, simply because they want it to work on all phones.

The SM is where you have direct modem access to all the internal and mobile network settings, that are not available in the AOS, API or UI. You can update FW, erase NV items, see all possible network parameters (that's what we want), factory reset phone, disable a multitude of other things, including bricking your phone! A typical (Samsung) SM screenshot may look something like this:

[screenshot: 0011s]

For example, if you own an HTC device running stock FW, you may try these:

*#*#197328640#*#*       – Service Mode (SM)
*#*#7262626#*#*         – Field-Test Mode (FTM)
*#*#3424#*#*            – HTC Function Test
*#2263#                 – Service Mode
##3424#                 – Diagnostic Mode
##33284#                – Debug Menu (Debug Screen, Test Calls, RC Data, HDR/1X Selection, Voice Privacy, DTMF Set, Korea Mode Set)

For newer Samsung devices you may try *#0011*#, or the above.

If you have other devices, do search on XDA. You can also try to search for new codes inside your stock firmware by yourself.


Q: Why is this important?
A: Because AOS doesn't provide a reliable way to get detailed neighboring cell info, so we're using the multi-ril-client via OEM_HOOK requests to scrape the SM menu for details. So if you can get to this menu on any non-Samsung device, we would very much like to know which one, and the code you used, so that we can support it in our App.


@E3V3A E3V3A changed the title How to entering into Service / FIeld Test Mode How to enter into Service / FIeld Test Mode Oct 10, 2014
@SecUpwN SecUpwN changed the title How to enter into Service / FIeld Test Mode How to enter Service / Field Test Mode Oct 11, 2014
@SecUpwN
Member

SecUpwN commented Oct 11, 2014

Thanks for opening this one, @E3V3A. As already mentioned on the other channels that we use, it seems like all the above mentioned codes are not valid for my HTC One since I run the latest and greatest AOKP. But through invoking the code *#*#4636#*#*, I get into the Test-Menu of the phone. From there, I can comfortably navigate to anything else like telephone information. I also can change the frequencies to be used from another sub menu. It is also possible to initiate an LTE-RAM-Dump.

My menu might not look like the screenshots you posted here, but judging from what I can do in these menus, my guess is that this IS the Service Menu, just in another flavor. Is there something that all Service Menus have in common so that I can perfectly verify that I have access to the menu we need?

@E3V3A
Contributor Author

E3V3A commented Oct 11, 2014

Let me just re-quote myself:

I'm still not sure. It kind of sounds like it. But there seem to be things missing, at least from those screenshots. I actually don't think there is a "real" SM app on your AOKP ROMs, so you may just be looking at some particular, but regular, sub-menu of the settings.

So my conclusion is:

  1. Yes, it is some kind of AOKP flavor of SM, but it is extremely limited, if not crippled. (The stuff you see seems to be only what's already available from the AOS API.)
  2. No, it's not the "real/full" SM, as it is missing RRC states, timers, ciphering, NV access, SIM details, TMSI, Channel, VOC, TX/RX levels, call drop details etc. etc.

@SecUpwN
Member

SecUpwN commented Oct 11, 2014

Darn it. I wish @AOKP, or my device maintainer @MarcLandis would chime in on this.

@tobykurien
Contributor

Sadly, all my devices have a custom ROM (based on CyanogenMod).

@E3V3A
Contributor Author

E3V3A commented Oct 17, 2014

@tobykurien @SecUpwN
Thanks to THIS post, apparently Samsung ServiceMode has some extensions in CM HERE. Perhaps you can test to use that?

@SecUpwN
Member

SecUpwN commented Oct 17, 2014

Thanks for your recommendations, @E3V3A. How to use that? As I already said, it would be lovely to have some developers of @CyanogenMod supporting our attempts. Maybe @pawitp or @tompopielarczyk can tell us how to reach the data that we need (or help us implement a bridge)?

@pawitp

pawitp commented Oct 17, 2014

I mainly work with Samsung devices and I am only familiar with Samsung service mode (of very few devices). Seeing that you said you have already implemented scraping data via service mode, I don't think I can provide any more information than you already have.

The service mode implementation linked above is Samsung-specific (and even Samsung devices have different protocols for service mode - linked code has 2 versions implemented). As far as I know, CM does not contain implementation for service mode for any other manufacturers (if they exist at all).

There's little to no reason for open-source ROMs to implement service mode as that involves a lot of reverse-engineering with very limited usefulness to the typical user (and developer).

@tobykurien
Contributor

This may be a bit unrelated, but would adb logcat -b radio output help? Some example output of this command:

D/RIL     (12073): onRequest: OEM_HOOK_RAW sState=3
D/RIL     (12073): RIL_REQUEST_OEM_HOOK_RAW: data[0]=9
D/RIL     (12073): RIL_REQUEST_OEM_HOOK_RAW: data[1]=2
D/RIL     (12073): RIL_REQUEST_OEM_HOOK_RAW: data[2]=0
D/RIL     (12073): RIL_REQUEST_OEM_HOOK_RAW: data[3]=6
D/RIL     (12073): RIL_REQUEST_OEM_HOOK_RAW: data[4]=1
D/RIL     (12073): RIL_REQUEST_OEM_HOOK_RAW: data[5]=1
D/RIL     (12073): else RIL_REQUEST_OEM_HOOK_RAW
E/RILC    (12073): RIL_onRequestComplete: invalid RIL_Token
E/RILClient(  103): processSolicited: Error 6
D/AT      (12073): Unsol: AT< +CSQ: 18,99
D/AT      (12073): Unsol: AT< +SPSCSQ: 18,99,0
D/RILC    (12073): [UNSL]< UNSOL_SIGNAL_STRENGTH {[signalStrength=14,bitErrorRate=99, CDMA_SS.dbm=-1,CDMA_SSecio=-1, EVDO_SS.dbm=-1,EVDO_SS.ecio=-1, EVDO_SS.signalNoiseRatio=-1, LTE_SS.signalStrength=-1,LTE_SS.rsrp=-1,LTE_SS.rsrq=-1, LTE_SS.rssnr=-1,LTE_SS.cqi=-1]}
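As an added illustration (not code from this issue or from the AIMSICD project), here is a small Python parser for `adb logcat -b radio` lines of the kind shown above: it regroups the `data[i]=` lines of one RIL_REQUEST_OEM_HOOK_RAW request into a byte string, converts the `+CSQ` RSSI index to dBm on the 3GPP TS 27.007 scale, picks the fields out of UNSOL_SIGNAL_STRENGTH, and collects RIL error lines. The sample log is constructed from the excerpt; the meaning of the OEM hook payload bytes is vendor-specific and is deliberately left uninterpreted.

```python
import re

# Constructed sample, modelled on the logcat excerpt quoted in the thread.
SAMPLE_LOG = """\
D/RIL     (12073): onRequest: OEM_HOOK_RAW sState=3
D/RIL     (12073): RIL_REQUEST_OEM_HOOK_RAW: data[0]=9
D/RIL     (12073): RIL_REQUEST_OEM_HOOK_RAW: data[1]=2
D/RIL     (12073): RIL_REQUEST_OEM_HOOK_RAW: data[2]=0
D/RIL     (12073): RIL_REQUEST_OEM_HOOK_RAW: data[3]=6
D/RIL     (12073): RIL_REQUEST_OEM_HOOK_RAW: data[4]=1
D/RIL     (12073): RIL_REQUEST_OEM_HOOK_RAW: data[5]=1
E/RILC    (12073): RIL_onRequestComplete: invalid RIL_Token
E/RILClient(  103): processSolicited: Error 6
D/AT      (12073): Unsol: AT< +CSQ: 18,99
D/RILC    (12073): [UNSL]< UNSOL_SIGNAL_STRENGTH {[signalStrength=14,bitErrorRate=99, LTE_SS.rsrp=-1]}
"""

HOOK_BYTE = re.compile(r"RIL_REQUEST_OEM_HOOK_RAW: data\[(\d+)\]=(\d+)")
CSQ = re.compile(r"\+CSQ: (\d+),(\d+)")
UNSOL_SS = re.compile(r"UNSOL_SIGNAL_STRENGTH \{\[(.*)\]\}")


def csq_to_dbm(rssi):
    """3GPP TS 27.007 +CSQ scale: 0 = -113 dBm, 31 = -51 dBm, 99 = not known."""
    if rssi == 99 or not 0 <= rssi <= 31:
        return None
    return -113 + 2 * rssi


def parse_radio_log(text):
    """Return OEM hook payloads, +CSQ readings in dBm, UNSOL fields and RIL errors."""
    result = {"oem_hooks": [], "csq_dbm": [], "unsol": [], "errors": []}
    pending = {}  # index -> byte value of the OEM_HOOK_RAW request being logged

    def flush():  # the first line that is not a data[i]= line closes the request
        if pending:
            result["oem_hooks"].append(bytes(pending[i] for i in sorted(pending)))
            pending.clear()

    for line in text.splitlines():
        m = HOOK_BYTE.search(line)
        if m:
            pending[int(m.group(1))] = int(m.group(2))
            continue
        flush()
        m = CSQ.search(line)
        if m:
            result["csq_dbm"].append(csq_to_dbm(int(m.group(1))))
        m = UNSOL_SS.search(line)
        if m:  # "key=value,key=value" with stray spaces from the log formatter
            pairs = (kv.split("=") for kv in m.group(1).replace(" ", "").split(",") if "=" in kv)
            result["unsol"].append({k: int(v) for k, v in pairs})
        if line.startswith("E/"):  # keep the message after the "(pid): " prefix
            result["errors"].append(line.split("): ", 1)[-1])
    flush()
    return result
```

A blank `data[i]=` gap or a request that ends at the end of the file is still flushed, so every OEM hook logged appears exactly once in `oem_hooks`.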

@E3V3A
Contributor Author

E3V3A commented Oct 25, 2014

@tobykurien Is that from your Huawei or Motorola? It's interesting because it seems that it is still using AT to communicate with the baseband. Also, what were you doing during that logcat?

@tobykurien
Contributor

That was from a (stock) Samsung Galaxy Star, it doesn't have a SIM card in it. I can send more logs, was just wondering if you knew about the radio logs.

@tobykurien
Contributor

Here's a dump of the radio logs from my Motorola: http://pastebin.com/bu0Wiw98

@E3V3A
Contributor Author

E3V3A commented Oct 26, 2014

@tobykurien The Galaxy Star seems interesting as it shows the exact AT commands, which means that it's still using that to communicate with the BP. What model is that exactly? And what do you mean it doesn't have a SIM card? You mean there is no SIM card slot, or simply that you didn't put one in? Anyway, this is off topic, but if it's stock, you can get to the service menu on that phone by trying with *#0011#* etc.

EDIT: Fixed swap as mentioned below.

@tobykurien
Contributor

Model GT-S5280. The last two characters of the service menu code you posted are swapped around, but yes, it works. It shows the kind of info we get from CellInfo. Yes I mean I haven't put a SIM card into that phone.

@SecUpwN
Member

SecUpwN commented Nov 4, 2014

Regarding the SamsungServiceMode, I received this from @pawitp via E-Mail:

As for the apk, since it uses private Android APIs, it needs to be compiled with the source tree. (See http://wiki.cyanogenmod.org/w/Build_for_galaxysmtd)

@E3V3A
Contributor Author

E3V3A commented Nov 13, 2014

I wonder if THIS is the equivalent to ServiceMode on the LG devices (Verizon G2 and ATT G3). As stated here:

Open LG Hidden Menu (3845#*851#)
*Replace "851" with your devices model number, 850, 852, 855 etc.

Sprint users: 5689#*990# but the HiddenMenu is most likely limited. Use the adb commands below instead.

Maybe also trying this:

su
am start -a android.intent.action.MAIN -n com.lge.hiddenmenu/com.lge.hiddenmenu.HiddenMenu

@SecUpwN
Member

SecUpwN commented Nov 13, 2014

Thanks for pushing forward here. Since I have access to numerous phones, I will be testing this on the LG phones in my country tomorrow. EDIT: @E3V3A, the codes you mentioned do not seem to work on European phones, I wonder why. Are there different codes for each country or something?

@E3V3A
Contributor Author

E3V3A commented Dec 5, 2014

Update: I've managed to get the Service Mode menu on my MTK based Arty A3 device with:

# am start -n com.mediatek.engineermode/.EngineerMode

There should be a short code for this, that you can use to dial, but that requires RE some of the APKs. (To do later.)

@SecUpwN Did you test it?

@SecUpwN
Member

SecUpwN commented Dec 6, 2014

@E3V3A, this is what I got. But that should be normal since the HTC One M7 is no MTK device.

root@m7:/ # am start -n com.mediatek.engineermode/.EngineerMode
Starting: Intent { cmp=com.mediatek.engineermode/.EngineerMode }
Error type 3
Error: Activity class {com.mediatek.engineermode/com.mediatek.engineermode.EngineerMode} does not exist.

@LeoChirkov

Do you need just to start a hidden menu from your app or do some more complex task? You may use my app, which supports Sony, LG (not all), Motorola and HTC devices and can be easily extended to support more vendors. I'll be glad to do that and share the results with you, guys.

@SecUpwN
Member

SecUpwN commented Dec 3, 2015

Thanks for offering your help, @LeoChirkov. We'd essentially need to be able to access the Service Mode with the hidden details for scraping (like mobile network settings not available in the AOS, API or UI) - but that for as many devices as possible. Would access to those details be possible with your help?

@ghost

ghost commented Dec 3, 2015

@LeoChirkov String samsungCode = "0011";
Add that to your app, Leo; a lot of Samsung phones use this code to access the service menu.

@LeoChirkov

I didn't dig so deep to find out if it's possible to get direct access to such features as changing network settings. Here is what I think about possible solutions:

  1. start service menu explicitly and change settings manually (cons: factory FW only, not user friendly; pros: no permissions required, easy to implement);
  2. get direct access to network settings (cons: only rooted devices, app must be installed as system; pros: good user experience; undefined: work on devices with custom ROMs).

@SecUpwN
Member

SecUpwN commented Dec 3, 2015

only rooted devices, app must be installed as system

@LeoChirkov, have you tested our app yet? Our app has an AT Command Interface for rooted devices.

@LeoChirkov

My bad, didn't test yet. Have you already tried to do some reverse engineering with service menu packages from any manufacturer?

@ghost

ghost commented Dec 4, 2015

@LeoChirkov @SecUpwN access to service mode programmatically is possible; all you have to do is:

// Explicit intent addressing the Samsung phone service component by class name
Intent intent = new Intent();
intent.setClassName("com.sec.phone", "com.sec.phone.SecPhoneService");

The only problem is you can't do this after 4.1, I think, or less. To get the hooks to send, and to get data back, just logcat -b radio and manually open the service menu; then you will see every hook used depending on what menu you go into. This data is sent back to the bound service and you can extract data from there.

@agilob
Contributor

agilob commented Dec 4, 2015

Only problem is you can't do this after 4.1 I think or less.

AIMSICD requires 4.1 or newer. Is it worth supporting only 4.1, which is used by 10%?

@ghost

ghost commented Dec 4, 2015

It wouldn't, but the phones from the 10% would have a pretty good advantage by having access to the phone service. Sucks really, because we could get a crap load of data from this menu like timing advance, ARFCN, TMSI, cipher mode (on certain phones).

It works on anything < 4.1, so that would include other APIs also; plus it only works on Samsung model phones, so it is limited.

@agilob
Contributor

agilob commented Dec 4, 2015

Yes, but AIMSICD requires >= 4.1 and that snippet works only on <= 4.1 and selected phones with extra support from manufacturers (also some HTCs, LGs and Sonys). So the question is: is it important to support a decaying version of Android (4.1) and some unspecified phones where this support can be added or removed with any update?

I would say definitely yes, but we would need a bigger group of testers with dozens of different mobile phones to test it independently, or spy on users and send their device details to a remote server and analyse it.

The first option is possible, but difficult; srlabs didn't manage to create a comprehensive list of devices, so it will be even harder for a non-profit. The second option: are we really considering it? Nope.

@ghost

ghost commented Dec 4, 2015

I agree; that is why this option is not coded into AIMSICD, and it has been known for some time that this was possible.

@ghost

ghost commented Dec 4, 2015

Check out Darshak and you will see how he used this method to dump ramdump files to extract GSM data.
