• Tech Help

  • Hex editing radio firmware for band modification help

Jumptoheaven Specifically [Login to see the link]

@Didex65 wrote; Some progress

Hello everyone, today I discovered a method of unlocking LTE bands on a MT6735M based phone (Alcatel One Touch PIXI 4). This might work on other MTK devices, but I have no way to test.

Everything you do is at your own risk and I'm not responsible if you brick your device! Always have the ROM backed up!

To perform this you need:
MTK EngineerMode access
SP FlashTool
Copy of the phone's stock ROM

A hex editor (I use HxD)

How to change the LTE unlocked bands:

  1. In your phone's stock ROM folder, there should be a file called "nvram.bin" open it in a hex editor.
  2. In the hex editor, go to offset 00021920 (other SoCs might have a completely different offset for the LTE bands values, some might not even have the NVRAM file!)
    That will look something like this:
    00021920 FF FF FF FF FF FF FF FF FB FB 01 00 00 00 01 00
    00021930 00 00 03 00 00 00 04 00 00 00 07 00 00 0D 00
    00021940 00 00 11 00 00 00 14 00 00 00 05 00 00 00 08 00

I made the values for LTE band bold to make it easier to see, however in the hex editor you have to find the start and end yourself depending on the bands your phone has already unlocked.
In my case the unlocked bands are: 01, 03, 04, 07, 0D, 11, 14 or in decimal 1, 3, 4, 7, 13, 17, 20.

All you have to do is change those values. Remember it's in hexadecimal, so if you want to unlock for example band 28, you don't write 28, but 1C. Also don't add any extra to the file, just overwrite values.
After changing the bands, just save the file and flash it with SP FlashTool. (Load scatter file, only select nvram and select the location of the file you edited, then flash.)

Then in MTK Engineer Mode check if you succeeded by going to tab telephony, select BandMode and scroll down to LTE.

This worked for me, however i can't guarantee that it wil work for you as well.

How can you find the right values in the NVRAM file? I personally spent about 40 minutes searching through the file to find these, though there might be a more efficient method.

I hope i can make this into an application which does everything automatically and for as many SoCs as possible, I'll give updates if i make any more progress on this.

      • KKgrLevel 1 - Junior Member

        • Post #13
        • Edited

        Jumptoheaven Yes that is what i saw a while back, do you think it will work on my galaxy folder 2? Also where do i find my phones stock ROM folder to find the NVRAM file, the one i have is samsung's divided into AP,BL etc.?

        • Kgr replied to this.

            • KKgrLevel 1 - Junior Member

              • Post #14

              Kgr I found a root file manager app but still cant find the .Nvram, anybody know where its located so i can pull it?

                  Jumptoheaven Techgen Oh I understand now. Just curious: Would people have the same question to take from one oneplus phone for use on another, or specifically the f30?

                        Kgr nvram is a separate partition (root file explorer allows you access to the system partition, nothing else) you will need to dump the nvram image, edit it with a hex editor and flash it back to your phone. You won't need mtk engineer mode (your device probably doesn't support it anyway).

                        • Kgr replied to this.

                            • KKgrLevel 1 - Junior Member

                              • Post #17

                              whynot Ok so i have a root file explorer how do i dump the nvram, i cant find it.

                                  Kgr sorry if I wasn't so clear in my previous post. Root file explorer won't help you because it only gives access to the system.img while nvram is a separate image. How did you root this phone? Did you use a tool to pull boot.img? If you did you could use it to pull nvram.img . Or if you got the stock rom you could open it and find nvram.img

                                  • Kgr replied to this.

                                      • KKgrLevel 1 - Junior Member

                                        • Post #20

                                        whynot So i rooted it with magisk. The Stock Rom i downloaded to patch and root isnt really openable, since this is a samsung device and its stock ROM is split into .md5 files.

                                          • KKgrLevel 1 - Junior Member

                                            • Post #21
                                            • Edited

                                            whynot Update i have full access to the stock rom files however i can't find nvram.

                                              • darthLevel 6 - Platinum Elite Member

                                                • Post #22

                                                From a root adb shell you can probably dd partitions to sdcard and pull them that way. Maybe look for /dev/block/by-name/nvram

                                                • Kgr replied to this.

                                                  • KKgrLevel 1 - Junior Member

                                                    • Post #23
                                                    • Edited

                                                    darth How exactly.

                                                      darth Ive never really done something like this before