Got EVDO? Help me out!

Wednesday, November 14th, 2012

I’m trying to reverse engineer the EVDO Pilot Sets V2 QCDM log item so we can get EVDO signal strength while connected with ModemManager.  I’ve got most of it figured out, but half the battle of reverse engineering is getting enough variation in the data to see the patterns.  That’s where you come in.  I’m specifically interested in getting results from EVDO on 850MHz (Americas), 450MHz (Europe and Russia), and 1700MHz/AWS (North America), so if you’re in the US and you have Leap, Cricket, MetroPCS, US Cellular, C-Spire, nTelos, then you get bonus points.  But even if you have Verizon or Sprint, the data is still useful.

You obviously have to have an EVDO-capable WWAN data card or phone that uses Qualcomm chipsets and exposes a DIAG port, but luckily almost all devices that speak CDMA/EVDO are Qualcomm-based.  You don’t even need to have an active subscription, as the tool is read-only.

So if you’re game, grab this tarball and run ‘make’ in the extracted directory.  That’ll give you an ‘evdolog’ binary which, when run, dumps out the data I’m interested in.  When you’ve got the dump, mail it to me.  There’s a README in the tarball with more detail on everything.

The tool doesn’t dump any personal data, just information about what radio channels your modem is listening on and information about what radio channels the modem might jump to if you move around.  The output looks like this:

SS: State: 1
SS: Band Class: 1
S: Channel: 75

L: PN:      3
L: AS ct:   1
L: AS win:  60
L: AS chan: 2123 (0x084B)
L: UNK 1:   63 (0x3F)
L: CA ct:   0
L: CA win:  0
L: RE ct:   14
L: RE win:  100
L: UNK 2:   0 (0x00)
L: Act 0:   PN: 30   6f 01 11 00 03 00 ba 3b
L: Rem 0:   PN: 33   00 00 4b 08 64 00 00 00
L: Rem 1:   PN: 36   00 00 4b 08 64 00 00 00
L: Rem 2:   PN: 402  34 00 4b 08 64 00 00 00
L: Rem 3:   PN: 279  06 00 4b 08 64 00 00 00
L: Rem 4:   PN: 27   00 00 4b 08 64 00 00 00
L: Rem 5:   PN: 21   00 00 4b 08 64 00 00 00
L: Rem 6:   PN: 126  00 00 4b 08 64 00 00 00
L: Rem 7:   PN: 399  00 00 4b 08 64 00 00 00
L: Rem 8:   PN: 318  00 00 4b 08 64 00 00 00
L: Rem 9:   PN: 24   00 00 4b 08 64 00 00 00
L: Rem 10:  PN: 300  00 00 4b 08 64 00 00 00
L: Rem 11:  PN: 504  00 00 4b 08 64 00 00 00
L: Rem 12:  PN: 507  00 00 4b 08 64 00 00 00
L: Rem 13:  PN: 510  00 00 4b 08 64 00 00 00

If you know CDMA, you know there is no channel 2123 in band class 0 or 1, which is one reason I’m asking for data dumps here :)
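As an added example (not part of the post or of the evdolog tool itself), here is a small Python parser for the text dump above that checks the reported channel numbers against the defined channel ranges for band classes 0 and 1 and splits the Act/Rem byte records into little-endian 16-bit words; the band-class ranges are assumed from the standard CDMA band-class tables, and the 16-bit layout of the records is an assumption that merely lines up with AS chan and RE win in the sample.

```python
import re
import struct

# Constructed sample: an excerpt of the evdolog dump shown in the post.
SAMPLE_DUMP = """\
SS: State: 1
SS: Band Class: 1
S: Channel: 75
L: AS chan: 2123 (0x084B)
L: RE win:  100
L: Act 0:   PN: 30   6f 01 11 00 03 00 ba 3b
L: Rem 0:   PN: 33   00 00 4b 08 64 00 00 00
L: Rem 2:   PN: 402  34 00 4b 08 64 00 00 00
"""

# Defined CDMA channel numbers per band class (assumption: taken from the
# standard band-class tables; only the two classes the post mentions are listed).
VALID_CHANNELS = {0: [(1, 799), (991, 1023)],   # band class 0, 800 MHz cellular
                  1: [(0, 1199)]}               # band class 1, 1900 MHz PCS

def channel_valid(band_class, channel):
    """True if `channel` is a defined channel number in `band_class`."""
    return any(lo <= channel <= hi for lo, hi in VALID_CHANNELS.get(band_class, []))

def parse_dump(text):
    """Extract band class, channel, AS chan and the Act/Rem byte records."""
    info = {"entries": []}
    scalar = {"band_class": r"S+: Band Class: (\d+)", "channel": r"S+: Channel: (\d+)",
              "as_chan": r"L: AS chan: (\d+)"}
    rec = re.compile(r"L: (Act|Rem) \d+:\s+PN: (\d+)\s+((?:[0-9a-f]{2} ?){8})")
    for line in text.splitlines():
        for key, pat in scalar.items():
            m = re.match(pat, line)
            if m:
                info[key] = int(m.group(1))
        m = rec.match(line)
        if m:
            info["entries"].append({"set": m.group(1), "pn": int(m.group(2)),
                                    "raw": bytes.fromhex(m.group(3).replace(" ", ""))})
    return info

def sanity_check(info):
    """Channel numbers in the dump that are not defined for the reported band class."""
    bc = info["band_class"]
    return [(k, info[k]) for k in ("channel", "as_chan")
            if k in info and not channel_valid(bc, info[k])]

def words_le16(raw):
    """Split an 8-byte record into four little-endian 16-bit words. That the record
    really has this layout is an assumption; in the sample the second and third
    words happen to equal AS chan (2123) and RE win (100)."""
    return list(struct.unpack("<4H", raw))
```

Running `sanity_check(parse_dump(SAMPLE_DUMP))` flags only the AS chan value 2123, which is exactly the oddity the post points out.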

Thanks!