DFS Professional CDMA Tool User Manual

Powered by Teleco m Logic group

DFS CDMA
Professional CDMA Software

User Manual
Functional Capabilities
C2011-5A
May 09, 2011

Side information and technical support:

http://cdmatool.com

DFS is a professional software that allows working with equipment of standard CDMA with different level of
complexity. Software package DFS is fully automated and does not require deep knowledge of CDMA
technology for working with equipment. The main functionality of DFS is encapsulated and reduced in the
interface down to the push-button mode of action decision (for instance, equipment unlocking or serial number
recovery is performed exclusively by pressing the buttons “Read SPC” or “Save ESN” without any additional
adjustment, regardless of a model of equipment and complexity of the algorithm of a process).
Capabilities of DFS are practically unlimited despite of the main algorithm encapsulation. Software package
DFS has tools for low- level impact on equipment (working with RAM, file system, flash-device) that gives an
engineer wider spectrum of possible duties. DFS Team is not responsible for any damage caused directly or
indirectly (fault of engineer or software failure) to the equipment in the process of working with it.
DFS Team provides technical support for the product remotely via website http://cdmatool.com and reserves
the right to refuse further support to the user whose program copy has been compromised in any way (for
details in the license agreement).

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Starting
Main Capabilities:

Unblock of equipment (SPC, SIM, OTKSL, FSC, LockCode etc.)

Definition of CAVE (A-key, SSD-A, SSD-B)
Restore of ESN, MEID, IMEI
Complete or partial replacement of software equipment (Flashing)
Rollback and restore of NV area and RF part of equipment
Tools for work with file system FS, subsystem CEFS, subsystem EFS2, main memory RAM, EEPROM
Programming of number and data communication settings.

Requirements:

Operating system Windows 2000 and later editions (Win98 and earlier editions were not tested because
of irrelevance)
Microsoft .NET Frame work 2.0 and higher (http://download.microsoft.com)
Usage of RAM depends on executed task (~ 15Mb - 70Mb).

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
The First Launch
When you first start DFS, dialog box “About DFS” will appear on your PC. Here you must enter
the authorization data on the site http://cdmatool.com (these data are used for update program in the future).

Prescribe your data and click “Apply”

Remember that one of the points of agreement is a condition where it is forbidden to distribute the registration
data. Attempt to resell, hacking software and other actions will lead to blocking your account.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Equipment Detection System
Port Manager
Software package DFS is a multithreaded software that allows to run tasks simultaneously on different system
ports (the main application – performing long-term operations in a background flux. For instance, - read RAM
or Flash).

Vocabulary:
• Active process (port) - the process of DFS, querying system port, whose events are displayed in the interface.
• Background process (port) - the process of DFS, querying system port, whose events are not displayed.
• Tool list of processes – tool of rapid processes (ports) control DFS.

Port manager allows to add system port to ports “allowed for searching for the equipment”. When launched, the
program scans all the allowed ports (if they are present in the system and active) for the equipment availability.
Number of queried ports affects the program speed (every system port is queried in separate thread
asynchronously, that is, for the two ports two different streams are created, for three - three, etc.). It is not
recommended to add modem ports of compound devices without necessity.

Drop-down list «Show» has 2 points: “Diagnostic only” and “All system ports”. On default is “Diagnostic
only” - all Diagnostic ports are displayed in the system. If you select “All system ports” - all ports will
be visible, including ports of all devices (modem, bluetooh, virtual ports, etc.).

On the field “Ports” one can add or exclude the system port from ones allowed for query. System ports
prohibited from query are marked gray, ports allowed for query are marked black. Port status “prohibited”/
“allowed” can be changed by double click or using buttons “Add” / “Remove”. Adding system port to the list
of allowed for query ports launches new background process DFS, which is responsible for the selected port.
Deletion of a port from the list destroys the corresponding process. When you add a device, at the bottom of
port manager it will appear a device and a summary.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual

DFS Main Menu Elements

Controlling Port
It is not necessary to use port manager (PM) in order to switch between ports (processes). Picture shows main
elements of controlling ports DFS which allow the following:
• Open/Close the current active port (a button with image of handset in circle. The color of a circle shows
current state of the port. Green circle – the port is open; Red – the port is closed; Blue – the port is unavailable
or busy, DFS waits for access to the port).
• Quick change the active port (drop-down list of ports existing in the system).
Attention! This list denotes only ports allowed for query by user.
• Change port speed. (It is important for COM ports).
• Abort the current operation of the process. (Button Abort)

Detailed port settings (such as read /write timeouts and DCB parameters) can be made at the general settings
tab (general settings page will be described later).

Controlling Device
The main aspects of the work with equipment are shown in the main menu.

• Unlock the equipment automatically, manually and ignoring the SPC (Mode IgnoreSPC is used if
the SPC unknown and read it is not possible).

• Command line. It works in three modes. BT - sends accumulated bytes to the port "as is", BTCS – sends
accumulated command bytes with the checksum and the end of the packet flag (standard Qualcomm data
communication packet), NVMI – forms full standard packet for reading or writing elements NV (it is needed
only first 3 command bytes for reading, and for writing – first 3 bytes and 3 recording data bytes).

• Some well-known methods reset the device to factory settings. This option should be used carefully and only
in case of need, rollbacking the settings of equipment prior to changes.

• Quick change of the device operation mode. Reboot, shutdown, test mode (option may not be supported by
the device), switch to data communication mode (modems only).

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual

• Known methods of switching port card to diagnostic mode. By default, DFS do not attempt to switch the
equipment to diagnostic mode (NotUse). If you choose option which differs from NotUse in the list, DFS will
attempt to switch the equipment to diagnostic mode automatically according to the chosen method.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Diagnostics and Indication
The first tab DFS shows list of all available updates (Equipment), general information about used support DFS
file (Status) and general diagnostic information about equipment (Diagnostic).

EQF:
Group “EQF” displays information about available support files, inaccessible support files (limited by level of
access). Currently in use EQF appears lower in the group “Current”. In case if the DFS could not find the
necessary EQF for the connected equipment, it is automatically used universal EQF (Qualcomm based).

Status and Diagnostic:

Group “Status” displays the current status of equipment (data exchange with the base station). Here you
can see information such as the serial number of equipment (broadcast), channels used for the
network operator, SID/NID on which the equipment works, operation of equipment (Band Class), work
status (RX State), the state of operation at the moment (Entry/State).
Group “Diagnostic” displays information about the version of firmware and hardware configuration, and also
the level of signal reception and transfer of voice packets.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
DFS Indicators:

* Online - indicator of equipment state:

- green color indicates diagnostic mode;
- blue - data communication mode (modem data mode);
- yellow - data loading mode Download;
- red data loading mode Stream Download (flashing mode running Boot)

* EQF - indicator of state EQF:

- green indicates that DFS, sees the equipment, you can continue to work;
- yellow indicates that DFS, does not see the equipment, you can continue to work on the standard algorithm
Qualcomm Universal (in this mode QPST works, unblocking, changing serial numbers and other "non-
standard" options are not available). If the device works as Qualcomm Universal, it is necessary to make
the EQF and send to support (see below);
- red indicates that DFS can not identify equipment (Download or Streaming Download mode). You should
work extremely carefully in «red» mode. DFS does not control user actions in this mode and therefore will not
be able to prevent the wrong actions, which can damage the equipment.

* RPSI - displays port query mode:

- green displays diagnostic query;
- blue - displays data query;
- red displays Download query;
- yellow - Stream Download query.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Updates

EQF files are updated automatically at startup or manually by pressing the button “Update DFS” from the
server DFS using authorization data entered at the first launch of the program. If a connection with the Internet
is established via proxy server, enter the name of the proxy server and port in the appropriate field and click the
button “Enable Proxy”.

Tray- icon status - crossed, there is no Internet connection or a problem with your account – details in the tooltip
tray- icon.

EQF - special file of DFS support, defining the algorithms of work with different equipment. EQF is necessary
for the operations of unlocking and repairing ESN, MEID, IMEI.
If the equipment is not known to DFS (no appropriate EQF file), DFS will work with equipment from an
algorithm Qualcomm (as it does QPST for example). In the majority of cases it is not dangerous, but for some
devices programming in this mode may cause the device inoperable (basically it is about some models of
Samsung and Kyocera).

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Programming the Equipment
Before writing parameters it is useful to read appropriate parameters, change necessary parameters, then to
write the changes. This method of programming equipment will be the most correct!

General functions for all programming tabs

Possibility to choose NAM (on default the equipment uses NAM1 for work – UseNam1).

Tab « »

Unlocking, Repairing ESN, MEID, IMEI, A-KEY, SSD-A, SSD-B

The first step to work with equipment is unlocking. In order to unlock the equipment it is necessary to read SPC
and send it to the equipment (SPC -> Send in the main menu - see the description of the main menu).

Groups Unlock, SIM UNLOCK, Serial Numbe r, MEID, IMEI, CAVE can serve as reading and writing with
corresponding sets of parameters.

Group SPC Calculator - calculator SPC for operator Metro PCS based on current ESN.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Tab « »

Programming NAM Parameters and PRL

Field IMSI allows to enter full number for programming equipment (in this format:
<MCC><MNC><MIN2><MIN1>), followed by automatic partition to the appropriate fields.

Group PRL allows to read, write, save and load PRL operator. In order to see a list of the PRL, it is necessary
to download them to a folder DFS (\TelecomLogic\DFS\PRL).

Detailing of Station Class Mark (SCM)

Field Mould allows for previously saved programming template to fill automatically the fields specific to the
mobile operator.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Tab « »

Programming Data Communication Parameters

On this tab you can program the data of data transfer protocol PРP, authorization methods of PАP, HDR
and set the mode of operation of the device in the network.

PPP authorization method usually holds the control couple "login-password" for authorization of the operating
system.

HRD authorization method has three pairs "login-password". Depending on the operator and the equipment it
is used one or another pair “login-password” at the authorization EVDO (usually that is the couple “HDR
NAI - HDR Password”).

Groups of parameters “MODE”, “EVDO SCP options ”, “Data config”, “Dial string”, “DNS
primary/secondary” allow to set up of the equipment in details in data communication mode.

== Annotation ==

PPP – Point-to-Point Protocol

PAP - Password Authentication Protocol
CHAP - Challenge Handshake Authentication Protocol aka (HDR - Hight Data Rate)

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Tab « »

Working with profiles of MIP

Group of parameters “Mobile IP main settings ” allows to change the regime of authorization SimpleIP,
PrefMobileIP, MobileIP depending on the operator and equipment.

Subgroup “Profile settings” is responsible for the profile activity of the equipment. “Number of profiles” is
responsible for the current number of profiles in the system.

Subgroup “Registration settings ” is responsible for the timeout and time slot of registration.

Group of settings “Profiles”

To enable \ disable the profile it is necessary to use the right mouse
button, menu appears “Enable Profile” \ “Disable Profile”.
When changing the status of the profile will change the icon

Saving and reading data in group settings “Mobile IP main settings”

produced by buttons «Read» and «Write».

Group of settings “Selected profile settings” allows to perform detailed

settings of the equipment with the profiles Mobile IP.

Saving data in group settings “Selected profile settings” produced by button «Write curre nt profile
settings »

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Tab « »

Unique Settings “Customize”

Tab Customize contains the unique settings for certain manufacturers and models.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
NV Editing Utility

This utility allows to scan the specified range of volatile device memory by cells, browse the contents of the
cells, make and save changes. The maximum size of 65535.

Button “Read range” reads NV cells indicated in the initial (Start) and end (End) address. Reading is in
automatic mode.
Button “Read RF” reads NV cells with calibration apparatus.
After reading cells the data is stored in the heap, use the button “Save” to save the data. The format of saved
NV parameters is suitable for browsing in XML-compatible programs (for example, a plain text notepad).

Writing is the corresponding buttons “Write all” or “Write RF”. Alternatively, you can
record calibrations only of the full backup NV, DFS will select necessary cells NV automatically for recording
calibrations.

Should pay attention to the difference between RF calibrations and full dump settings.
Recommended to do full dumps, but write RF only.

IMPORTANT! Recording full dump whe n absolutely necessary only.

Button “Import” allows to import NV of the older versions DFS format *.nvm or other programs (optional,
100% support is not guaranteed) format *.txt.

== Annotation ==

NV – Non-Volatile Memory

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
EFS File System

Utility for working with the equipment file system is a hybrid EFS Explorer that gives an opportunity to work
with the file system in random mode, and also supports non-standard (in any case departed from Qualcomm)
systems (such as Read EFS (Kyocera).

By means of this utility it is possible to save or load the device system file on PC as tree-type structure
representing the EFS image, if this operation is supported by the device.

It is possible to remove or save each element of EFS.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Main Memory Operation Utility
Memory of device operation utility allows the user to read, scan for the ability to read, save and edit the
memory “on the fly”.

You can scan the following types of memory:

RAM (read and display real-time, data retrieval and record);
DRAM (read and display real-time. Works in the presence of EQF only);
EEPROM (similarly to RAM);
CEFS (read and search data);

To scan me mory for readability it is necessary to specify the scanning speed (Detail, Low, Medium, High) and
click “Scan”.
To read a range of the memory it is necessary to choose type (Type), starting address (Start) and size (Size)
required for reading the memory and click “Read”.
To display the me mory unit of the selected address, click “Show”.

At the bottom of the monitor displays the reading speed (Speed) RAM, the read address (Current address) at
the moment and the approximate end time of scan (Remaining time).

Data monitoring

«Data monitoring» allows to display a block of memory in the monitor. For movement on the address block,
you can use the button “Page up” and “Page down”. “Data monitoring” page displaying can be adjusted by
the following Page parameters: Size_16x16, Size_16x64, Size_16x128.

Data analyzer

«Data analyzer» allows to search from the memory by internal algorithms data of the following types: SPC,
ESN, MEID, AKEY, SSDA, SSDB, Password PAP, PPP, AN, ANPPP, ANLONG.
Search Mode «Digits» - search numbers of a given length (the length specified in the field of search modes, for
example, a query ?????? – search mode of six-digit numbers).

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Search Mode “HEX” looking for a given set of bytes (mask specified in the field of search modes).

You can analyze on the fly “Online” or download the “File” external *.bin file.

Examples of Memory usage – see the applications.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Updating Software Utility

DMF – universal firmware file of DFS.

Update DMF occurs directly through the built- in download manager from the server.

To download firmware files need to go to the tab «Server», select the firmware file and click «Download».
The loading process will go. Upon completion of loading window appears of successful download:

The full and partial replacement of the device software is made by the utility Download.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual

DMF files

Local: in this section displays all the firmware files (format *.dmf) that are in the folder \DFS\DMF.

Server: in this section displays all the firmware files (format *.dmf) that reside on the server
program. Firmware found in the directory \DFS\DMF.

Current DMF
If the DMF file is selected in the section DMF files, it will be shown automatically a list of the contents of the
firmware file (Boot, AMSS, CEFS2 etc).

Under the list of firmware files is displayed information about DMF: model, firmware version.

IMPORTANT! To flash the device it takes only to update the AMSS. Updating other parts of the firmware -
only for professionals and may withdraw the device from the system, if the failure occurs during firmware.

Commands
Contains buttons for managing software updates: “Write ” and “Erase”.
Lists “Override” and “NoOverride” are intended for heavily damaged devices. Mode “Override” erases the
current structure of the software modem before software update. It is recommended to use it only if equipment
in normal mode can not update the software (DFS issues the message about the need to use this mode in
such cases). In “Override” mode it is required writing QCSBLH, QCSBL, OEMSBL

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Process of Software Update
Updating of the device software starts after the selection of the required DMF and required part of update
(AMSS, CEFS2 etc), by pressing the button “Write ”.

IMPORTANT! If the device is in Download mode (DL) initially, it is required to select EQF manually in
order to flash it, and try to flash after selection only.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Modem Diagnostic Utility
Modem diagnostic utility is an adapted functional of the program Windows HyperTerminal.
The left side of utility displays the result of the standart modem query. The right side of utility allows to make
arbitrary requests of AT commands.

“Load script” - loading a script file that can be used to send to the terminal a list of AT commands to
the modem port.

“Save script” – saving a script file in the format *.atf

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
EQF Identifier

EQF Identifier allows user to read and save the device firmware identification. It is necessary when the
developer does not have the required equipment firmware edition for the user, but he has an edition compatible
with it, and significant changes (except the firmware identification) are absent. In this case user can send the
saved “*.fwi” file to the DFS support service (support@cdmatool.com) with proper commentary
(manufacturer, device model, the maximum information about the given firmware), thereafter the DFS
developers will try to update EQF support file for recognition received edition of firmware as soon as possible.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
DFS Settings

The group “Serial Port Settings” allows user to change DCB settings of the port. It is not recommended to
change these settings without having a deep knowledge in this area.
The group “Timeout” allows user to change device latency time for DFS request for reading and writing
respectively. Increasing of latency time slows down the program but improves the reliability of the informatio n
received. It is not recommended to change these settings if the equipment works without any faults.

The group “PSI Request allows user to disable (not recommended) extended query of the equipment in case of
non-standard reaction of the device to the query.

The group “File System Vie wer” allows user to specify arbitrary Hex editor for browsing files of the file
system. By default DFS uses WinHex.
It is possible to change also the temporary folder of the program. Ability to write in this folder is necessary for
correct operation of the program (important for operating systems restricted the user rights).

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Examples of Memory Usage
Example 1
Device: modem Cal-comp A600 (Cricket)
Purpose: reading PWD AN (CHAP) by CEFS
Solution: connect, select a port, make sure that the program sees the device (tab “Equipment”, Status – green
colour of device inquiry and Current – model name)

Pass on the tab “Memory”, select Type – CEFS, click on the button “Read”. Wait until the process of memory
reading is completed. After this pass to “Data analyzer” and select the required type of search (Search Type)
and see the results of the analysis “Result”.

Selecting one of the results, we can see the contents of the memory unit in the monitor. Similarly, we can look
for other types of data in different types of memory (RAM, DRAM, EEPROM).

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Example 2
Device: modem Novatel U720 (Sprint)
Purpose: reading SPC by RAM
Solution: connect, select a port, make sure that the program sees the device (tab “Equipment”, Status – green
colour of device inquiry and Current – model name)

Pass on the tab “Memory”, select Type – RAM, specify Start 01300000 and Size 00300000 click on the
button “Read”. The process of memory reading will go.

After completion pass to “Data analyzer”, select the required type of search (Search Type) and see the results
“Result”.

In this range of memory found 2 results SPC. If select one of the addresses, then in the left window “Data
monitoring” the address structure and data of HEX and String will appear.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Example 3
Device: modem Novatel U720 (Sprint)
Purpose: restoring ESN by RAM
Solution: connect, select a port, make sure that the program sees the device (tab “Equipment”, Status – green
colour of device inquiry and Current – model name). Send SPC.

Pass on the tab “Memory”, select Type – RAM, specify Start 01300000 and Size 00300000 click on the
button “Read”. The process of memory reading will go.

After completion pass to “Data analyzer”, select the required type of search (Search Type) and see the results
“Result”.

To change the data select the first address and write zero ESN in the text field:

If press “Write” – write changes in current address.

If press “Write to all addresses”, then write to all the addresses from the current group of ESN.

Intellectual property of DFS Team. 2003-2011

 DFS Professional CDMA Tool User Manual
Before writing it is appeared a window with confirmation of writing:

Ram write 0x01522AAC CPS_OK

After that pass on the tab “General” and write correct ESN.

SET ESN CPS_OK OK

Intellectual property of DFS Team. 2003-2011