Discussion of the 700p.


Joined:Mon Jan 10, 2005 1:10 pm

Post by zforce » Wed Apr 11, 2007 7:57 pm

Does anyone know how to get ##LOCATION# to populate with GPS coordinates?

Joined:Tue Feb 28, 2006 9:57 pm

Post by LauraAmerica » Thu May 31, 2007 9:17 am

Ey, that would be a nice one :D

Joined:Sat Oct 21, 2006 7:15 am

Post by kocoman » Sun Jun 03, 2007 7:51 am

From Fearwall at vistabug.org forums

Treo 650/700p CDMA Modem/GPS API

The information in this post is related to CDMA Treo 650/700p phones. I poked at the phone that came from SprintPCS, but most information will be applicable to other CDMA Treos and some information will be applicable to all Treo smartphones.

We all know that Treo 650 is a GPS-capable device and there are rumors that cellular providers are currently busy developing location-aware applications (LBS, Location-Based Services). Unfortunately (and I see no good reason for it) no GPS API has been released to the public. Can it be hacked out? Yes. But don't scroll down to the end of the post, I haven't found it yet. I started looking at the Treo650 yesterday and here is what I found so far:

1. There is a list of service commands, and most of them are not documented (a complete list is below)

2. The most interesting application is HtcCDMAActivationApp, which is responsible for configuration and debugging. The application calls some interesting libraries, Transparency Library, PmSystem Library, and PhoneInterface Library. The last one contains all the juicy functions. Since ActivationApp is a native ARM application it is not as simple to debug as PalmOS 68k applications. GPS functions may or may not be included in this library, but CDMA firmware that is available as a part of the firmware update includes GPS references. Does anyone have any information on the ASIC?

3. Phone application comes with debug info (Thank you, Palm!)

So far, I have not found the GPS API calls... To sweeten up your disappointment, here is a complete list of Treo650 maintenance shortcuts (use the phone application to dial them):

Standard CDMA codes that CDMA Treos support:
##2539 "AKEY" A-Key
##33284 "DEBUG" debug
##786 "RTN" RTN STATUS (includes diagnostics menu)
##889 "TTY" TTY on/off
##7738 "PREV" mobile protocol revision
##8626337 "VOCODER" vocoder
##774 resets data config (In my case, PCS Vision configuration)
##3282 "DATA" data configuration editor (Shows all passwords, needs MSL, see below)
##5478 "LIST" ???
##56672225 "LOOPBACK" loopback calls
##865625 "UNLOCK" ???
##[MSL] NAM Setup (edit your own phone number), needs MSL (see below)

Additional Treo-specific diagnostic codes
##8463 "TIME" Shows Network time
##66 "ON" Radio On
##633 "OFF" Radio Off
##7277 "PASS" Passthrough on (also power cycles radio)
##7277633 "PASSOFF" Passthrough off
##8778 (powers off radio and goes to the bootloader)
##3424 "DIAG" (enables passthrough)
##72346 "RADIO" shows radio fw version
#43574357* "HELPHELP" Device Information
##744 ???
##83843733 "TETHERED" Tethered mode
##8766 "TRON" ???
##87633 "TROFF" ???
##377 Crash log
##726 ???
##88722366 "TTRACEON"
##887223633 "TTRACEOFF"
##28722366 "2TRACEON"
##287223633 "2TRACEOFF"
##798722366 "RXTRACEON"
##7987223633 "RXTRACEOFF"

No commands listed above can harm your Treo (unless you change the data and save it). All commands seem to be reversible by soft reset.

Some menus require the MSL (Master Subsidy Lock) code. It is a 6-digit number that is unique for your device. For CDMA Treos it depends on the last 4 digits of your phone number. How to get the MSL? I just called Sprint and told them that I couldn't access internet (which was true, by the way). They told me to dial ##774 to reset configuration. This function requires MSL to confirm, so they gave it to me. Alternatively you can use BitPin software to dump the content of nvram and retrieve the MSL (and other useful data) that is stored there.

Complete Treo650 CDMA Modem command set

Here it is. The modem is MSM 6050 by Qualcomm. Some information is available here

The modem chip is based on ARM7TDMI CPU and QDSP4000 DSP core.
The chip supports gpsOne and BREW.

If anyone happens to have a complete datasheet for MSM6050 or similar device or at least a memory map for it, please let me know.

More information on gpsOne is here and here

Below is a complete command set extracted from modem firmware. Qualcomm extension descriptions will appear on this page later.

Standard AT commands

Extended AT commands

Qualcomm extensions
$QCCLR Clear error log
$QCDMG Enter DM (diagnostic monitor) mode
$QCDMR Set DM baud rate
$QCDNSP Set primary DNS IP
$QCDNSS Set secondary DNS IP
$QCMIP Enable/disable MIP (Mobile IP)
$QCMIPP Select active MIP profile
$QCMIPT Enable/disable rfc2002bis authentication
$QCMIPEP Enable/disable current active profile
$QCMIPMASS Set MN-AAA shared secrets
$QCMIPMHSS Set MN-HA shared secrets
$QCMIPRT Set the reverse tunneling
$QCMIPNAI Set NAI for active profile
$QCMIPHA Set the Mobile Home Address
$QCMIPPHA Set Primary HA IP Address
$QCMIPSHA Set Secondary HA IP Address
$QCMIPGETP Return profile information
$QCMIPMASSX Set MN-AAA shared secrets in hex
$QCMIPMHSSX Set MN-HA shared secrets in hex
$QCPKND Enable/disable Automatic Packet Detection after a dial command
$QCPREV Display protocol revision
$QCRLPD Dump RLP protocol statistics
$QCRLPR Reset RLP protocol statistics
$QCRL3D Dump RLP 3 protocol statistics
$QCRL3R Reset RLP 3 protocol statistics
$QCPPPD Dump PPP protocol statistics
$QCPPPR Reset PPP protocol statistics
$QCIPD Dump IP protocol statistics
$QCIPR Reset IP protocol statistics
$QCUDPD Dump UDP protocol statistics
$QCUDPR Reset UDP protocol statistics
$QCTCPD Dump TCP protocol statistics
$QCTCPR Reset TCP protocol statistics
$QCMDR Set Medium Data Rate (MDR) (also known as HSPD)
$QCSCRM Enable/disable SCRM'ing
$QCTRTL Enable/disable R-SCH throttling.
$QCMTOM Originate Mobile-to-Mobile Packet Data call
$QCQNC Enable/disable the Quick Net Connect (QNC)
$QCSO Set data service option
$QCVAD Prearrangement setting
$QCCAV Answer incoming voice call

Available modem registers
S0 Automatic answering
S3 Carriage return character
S4 Line feed character
S5 Backspace character
S6 Pause before blind dialing
S7 Number of seconds to establish end-to-end data connection
S8 Number of seconds to pause when ',' is encountered in dial string
S9 Carrier detect threshold in increments of 0.1 seconds
S10 Number of tenths of a second from carrier loss to disconnect
S11 DTMF tone duration and spacing in milliseconds


We're currently inspecting CDMAPhoneLibrary. Here is the first disappointment: PhnLibGetMdmPosition() trap is not supported. A complete list of supported library traps will be posted later.

Now, two more disappointments: PhnLibGetPDSessionConfigParam() and PhnLibSetPDSessionConfigParam() are locked to just changing Location Privacy flag. These functions are intended to be used to set LBS server IP address and port. So, the conclusion is: There is no GPS-related API in the current library. The good news is that modem firmware contains all the necessary functions (and some debugging stuff, too). It might take some time to reverse-engineer communications between the library and the firmware.... For those who want to play with CDMA modem firmware, you have to load the image (extractable from Treo650 firmware upgrade application) at the base offset 0x20000. CDMA chip is based on the ARM processor with little-endian byte sex.

Also (many people asked): GPS/LBS data are not accessible via modem AT command interface.

Treo700p CDMA library is also missing all GPS/LBS functions :(
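The mnemonics in Fearwall's table are not arbitrary: each is the label typed on a phone keypad, so DEBUG is 3-3-2-8-4 and that is ##33284. That rule is also the way to attack the codes that have no label (##774, ##744, ##726, ##377, ##8778). The Python below is an added example, not code from the post or from Fearwall: it checks every labelled code against the keypad rule and then inverts it for the unlabelled ones. The word list used for the inverse lookup is constructed here as an assumption; a hit is a guess that fits the digits, not a confirmed name.

```python
"""Keypad encoder for the '##' service codes (added example, not from the post).

Every labelled code in the list is its mnemonic typed on an ITU E.161 keypad
(2=ABC ... 9=WXYZ). check_labelled() verifies the transcribed table against
that rule; candidates()/expand() run the rule backwards for the codes the
post leaves unnamed. WORDLIST is constructed for illustration only.
"""
from itertools import product

KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}

# Labelled codes transcribed from the post (mnemonic -> digits after "##").
LABELLED = {
    "AKEY": "2539", "DEBUG": "33284", "RTN": "786", "TTY": "889",
    "PREV": "7738", "VOCODER": "8626337", "DATA": "3282", "LIST": "5478",
    "LOOPBACK": "56672225", "UNLOCK": "865625", "TIME": "8463", "ON": "66",
    "OFF": "633", "PASS": "7277", "PASSOFF": "7277633", "DIAG": "3424",
    "RADIO": "72346", "HELPHELP": "43574357", "TETHERED": "83843733",
    "TRON": "8766", "TROFF": "87633", "TTRACEON": "88722366",
    "TTRACEOFF": "887223633", "2TRACEON": "28722366",
    "2TRACEOFF": "287223633", "RXTRACEON": "798722366",
    "RXTRACEOFF": "7987223633",
}

# Codes the post lists without a mnemonic.
UNLABELLED = ["774", "744", "726", "377", "8778"]

# Constructed word list (assumption). "ERR" for ##377, the crash-log code, is
# only a guess that fits the digits; the post gives no name for it.
WORDLIST = {"ERR", "DRP", "PRI", "SSH", "PHI", "RAM", "SAM", "PAN", "TRST", "USSU"}


def encode(mnemonic: str) -> str:
    """Map a mnemonic to keypad digits; digits in the mnemonic pass through."""
    out = []
    for ch in mnemonic.upper():
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"no keypad digit for {ch!r}")
    return "".join(out)


def check_labelled(table=LABELLED):
    """Entries whose digits do not match their mnemonic (expected: none)."""
    return [(m, d, encode(m)) for m, d in table.items() if encode(m) != d]


def expand(digits: str):
    """Every letter string a digit sequence could stand for (3^n..4^n, keep n small)."""
    return ["".join(p) for p in product(*(KEYPAD.get(d, d) for d in digits))]


def candidates(digits: str, wordlist):
    """Words in wordlist that type as `digits`: mnemonic guesses for an unlabelled code."""
    return sorted(w for w in wordlist if encode(w) == digits)


if __name__ == "__main__":
    print("table mismatches:", check_labelled())
    for code in UNLABELLED:
        hits = candidates(code, WORDLIST)
        print(f"##{code}: {hits if hits else expand(code)[:8]} ...")
```

With a real dictionary in place of WORDLIST the same candidates() call is a plain dictionary attack on the dialer; expand() is the exhaustive fallback for short codes, where three digits give at most 64 strings to eyeball.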
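$QCDMG in the command set above switches the modem's serial port from AT commands into Qualcomm's diagnostic monitor (DM, also called DIAG) protocol, which is what NV-dump tools such as the BitPin utility mentioned for recovering the MSL speak. The post does not describe the wire format. What follows is an added example, not code from the post or from any tool it names; it assumes the Treo's MSM6050 frames DM traffic the way other MSM parts do: HDLC-style frames with a CRC-16/X-25 trailer, 0x7D escaping and a 0x7E terminator. The NV read request uses command byte 0x26 and the 128-byte record layout as used by libqcdm (ModemManager's DM library); the NV item number is a parameter, since the post does not say which item holds the MSL.

```python
"""Qualcomm DM/DIAG frame codec (added example, not from the post).

Framing: payload || CRC-16/X-25 (poly 0x1021 reflected to 0x8408, init
0xFFFF, final XOR 0xFFFF, little-endian) with 0x7E/0x7D escaped as
0x7D 0x5E / 0x7D 0x5D and a 0x7E terminator. Assumption: the 650/700p
modem uses this standard MSM framing; the post does not state it.
"""

FLAG, ESC, ESC_XOR = 0x7E, 0x7D, 0x20
CMD_NV_READ = 0x26          # DIAG NV read command byte (libqcdm: DIAG_CMD_NV_READ = 38)
NV_DATA_LEN = 128           # fixed NV record size in the read/write request


def crc16_x25(data: bytes) -> int:
    """HDLC FCS as used by DM frames; check value for b'123456789' is 0x906E."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def encode_frame(payload: bytes) -> bytes:
    """Append CRC, escape control bytes, terminate with 0x7E."""
    crc = crc16_x25(payload)
    raw = payload + bytes([crc & 0xFF, crc >> 8])
    out = bytearray()
    for b in raw:
        if b in (FLAG, ESC):
            out += bytes([ESC, b ^ ESC_XOR])
        else:
            out.append(b)
    out.append(FLAG)
    return bytes(out)


def decode_frames(stream: bytes):
    """Split a byte stream on 0x7E, unescape, verify CRC.

    Returns a list of (payload, crc_ok); empty frames (leading flags) are dropped.
    """
    frames, buf, esc = [], bytearray(), False
    for b in stream:
        if esc:
            buf.append(b ^ ESC_XOR)
            esc = False
        elif b == ESC:
            esc = True
        elif b == FLAG:
            if len(buf) >= 2:
                payload = bytes(buf[:-2])
                crc = buf[-2] | (buf[-1] << 8)
                frames.append((payload, crc16_x25(payload) == crc))
            buf = bytearray()
        else:
            buf.append(b)
    return frames


def nv_read_request(item: int) -> bytes:
    """Unframed NV read: cmd, u16 item (LE), 128 zero data bytes, u16 status."""
    return bytes([CMD_NV_READ]) + item.to_bytes(2, "little") + bytes(NV_DATA_LEN) + bytes(2)


def parse_nv_read_response(payload: bytes):
    """Split an NV read reply (same layout as the request) into (item, data, status)."""
    if len(payload) != 1 + 2 + NV_DATA_LEN + 2 or payload[0] != CMD_NV_READ:
        raise ValueError("not an NV read response")
    item = int.from_bytes(payload[1:3], "little")
    data = payload[3:3 + NV_DATA_LEN]
    status = int.from_bytes(payload[3 + NV_DATA_LEN:], "little")
    return item, data, status


if __name__ == "__main__":
    # Constructed round trip: frame a request, then decode it as if it had
    # come back off the wire (no modem involved).
    wire = encode_frame(nv_read_request(1))
    print(wire.hex())
    for payload, ok in decode_frames(wire):
        print(ok, parse_nv_read_response(payload)[:1])
```

Against a live port the loop is pyserial: write encode_frame(nv_read_request(n)), read until a 0x7E, feed the bytes to decode_frames() and discard anything whose crc_ok is False. Fearwall's warning about saved changes applies with more force here than in the dialer menus: stay with reads, since NV writes over DIAG bypass every confirmation the phone UI would give you.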

PDAPhone Hacker Team
Joined:Tue Jan 04, 2005 5:58 pm
Location:Grand Prairie

Post by Shadowmite » Tue Jun 05, 2007 9:16 pm

Test reply

Joined:Sat Oct 21, 2006 7:15 am

Post by kocoman » Wed Jun 06, 2007 2:32 am

Yes its working now...

Hmm, seems nobody is interested in ROM hacking anymore...
I upgraded my Telus ROM to the Sprint MR.. but nobody seems interested at treocentral..

Joined:Tue Feb 28, 2006 9:57 pm

Post by LauraAmerica » Wed Jun 06, 2007 8:04 am

kocoman wrote:Hmm, seems nobody is interested in ROM hacking anymore...
I upgraded my Telus ROM to the Sprint MR.. but nobody seems interested at treocentral..
I did the same yesterday with my Sprint 700p and reprogrammed it to another carrier. It lost the PRL after the update but nothing major.

Joined:Sat Oct 21, 2006 7:15 am


Post by kocoman » Fri Oct 05, 2007 12:04 pm

The PRL is stored in the nvram (but not part of CDMA_NV_Backup!!)
So a ROM upgrade/flash should NOT change the PRL.... you need to do the nverase/CDMAUpdater to touch the PRL


All of the above is GPS stuff, but it returns ERROR; I guess the BREW app in the ROM hasn't been loaded..
How to load it?
(Find it in the CDMAUpdater..)
I still don't know how to use AT$BREW.. it seems to accept 2 characters, then outputs ("your 2 characters" ERROR 0011)
6b 6f 63 6f 6d 61 6e 20 6f 66 20 63 64 6d 61 2d 64 65 76 2d 74 65 61 6d
