|
Papers |
Hacking the Motorola v710Last Update: 12/21/2004 Please notify me of any corrections or suggested additions 
Jonathan A. Zdziarski
Do NOT email me with questions about your phone or this page will disappear again. New! Check out the E815 seem hacking page [ Info Page | Handset Review | SMIL GW | E815 Seem hacking ] Revision History
12/21/2004 - Added 75/5 (Transflash copy/move option)
Added 6A/0 (Bluetooth/Multimedia Studio)
11/5/2004 - Added 74/7 (Show 1X instead of D)
11/2/2004 - Added 59/6 (Hide ERI)
9/22/2004 - Added Flex Switch (Seem 294)
Added How-To for isolating bits
9/21/2004 - Changed info for 65/5 (adds Bluetooth copy+move OPTIONS ONLY)
Added Manual Train Option (6A/2)
Added Speakerphone Functionality (1D/7)
9/20/2004 - Added new Unknown Seems and Lengths: 101/0FF1, 0443/100, 052C/1F6,
054E/100, 061C/2EE, 050F/100, 0515/180
Added Picture Setup Options (5F/5, 60/2, 60/4, 6D/6)
Added Show Engineering Menu (46/7)
Added Web Sessions (2F/1)
Added Sync Option (65/4)
Added Contact Send Option (65/5)
Added Messaging > Information Services Setup (02/07, 03/00, 1F/2, 1F/3)
9/18/2004 - Added Offset 21/0 (DISABLE Menu Item: Mobile Web > Web Browser)
Added Offset 0D/7 (Menu Item: Settings > Connection > Bluetooth Link)
Added Offset 2E/5 (Force Analog Mode)
Identified total seem count (0x2328)
9/16/2004 - Genesis
Note for e815 Users: I do not own an e815 yet, but I have been told that seem 2742 appears to have many similarities to the v710's 41a seem including the bits for Transflash file transfer, and more importantly OBEX support. The e815, unlike the v710, actually has the OBEX profile but is locked. Enabling the Bluetooth push options (using 6A/0) reportedly restores OBEX support. What is a seem? The Motorola v710 and e815 have what is referred to as a seem. A seem is a portion of nonvolatile memory containing operational data and parameters for the phone. The Motorola v710 has 9,000 (0x2328) unique master seem records (after which the records merely repeat), and most of the information they hold cannot be directly altered through the handset. With some software and a data cable, however, there's a lot of modding that can be performed on the handset. How-To To get set up for seem editing, you'll first need a Motorola data cable and some software. A Motorola USB cable can be purchased for anywhere between $10-$25 on eBay. On top of this, you'll need a copy of the Motorola PST and p2k seem tailored specifically for the v710 (Thanks SuperDaveX!). Install both software packages and then reboot. The next thing you'll need to do is set up the USB drivers for your handset. To do this, attach the v710 to the USB cable and your PC. Boot Motorola PST (you'll see "PST Phone Programmer" on your desktop). When prompted for driver information, point Windows to C:\Program Files\Motorola\PST. There will be about 5 drivers to install, and they can all be found in this directory. Once you've set up your USB drivers, you're ready to start modding seem data. The p2k seem tool downloads and uploads seem data from your handset. In order to use the tool at any time, you'll first need to put your handset into the proper diagnostic mode. To do this, first start up the PST Phone Programmer. You should hear one USB device disconnect and three more connect. Now fire up the p2k seem tool. You should see "Connected" at the bottom. If you don't, try disconnecting and reconnecting the handset from the USB cable. Once you're online, you'll have five boxes and two buttons. The topmost two boxes allow you do download a range of seem files. It's usually best to work with only one seem at a time, so you'll want to fill in the number (hexadecimal) of the seem file you want to download into both boxes. A table can be found at the bottom of this page. For example, if you want to change the external LCD text, you may want to put 449 in both boxes. The middle box is the length of the seem (hexadecimal). The v710 requires this in order to upload or download seems. Enter the length of the seem you want to download from the table below. In our example, we'll use '20' which is the length of seem 449. Finally, to download your seem hit 'Download Seem'. You will be prompted for a directory and a format. Once the seem has been downloaded, you'll require a good hex editor in order to change it. XVI32 is a good, freeware hex editor and you can find it by searching google. If you're editing text, the process is relatively easy. Notice in our example (seem 449) that the text "Verizon Wireless" is spread out across the length of the file, with blank spaces (hex value 00) in between. This is because it is in what's called wide-character format. Foreign languages such as Chinese require two bytes for each character. Since English doesn't require the extra byte, just leave them zero'd out. If the seem your editing is for a bit at an offset, you'll need to understand how bits and bytes work (or you can use Tools -> Bit Manipulation in XVI32). Understanding bits is very simple: 147 <- Our Example Number 10010011 <- Bit Pattern 76543210 <- Bit PositionAs you can see above, every byte consists of eight bits. The bit position reads from right to left, so that bit 0 is actually the right-most bit. This is considered the LSB, or least-significant bit. Each bit represents a power of 2 and all of the bits are added together to determine the value of a byte. For example: 128 64 32 16 8 4 2 1 <- Bit Value 1 0 0 1 0 0 1 1 <- Bit Pattern 7 6 5 4 3 2 1 0 <- Bit PositionThe value of the larger "byte" in this example is 147 (128+16+2+1). If we were to set bit 0 to 0, the value of the byte would become 146, or if we set bit 7 to 0, the byte would become 19. It's fairly simple to break any value down into its bits in your head, with some practice. You can then write the new value of the byte into the file using your hex editor and you're ready to upload your seem! Uploading your seem is just as easy as downloading it. Type the seem number into the leftmost bottom box, and the record number in the box next to it (this is usually 1). If the length of your file has changed (e.g. if you're uploading a graphic) you'll need to adjust the length to read the hexadecimal value of the file length. Then just click 'Upload Seem', pick the file, and you're done!. What if I hose my phone? If you have the USB cable with a charge port, you should be able to recover from most problems, although SuperDaveX did recently find a way to hose his phone beyond repair. The v710 interfaces are alive when the phone is off and charging, so if you hose the phone perform these steps:
Isolating Bits I thought it might make sense to write a small How-To for isolating feature bits. This is the process of identifying which offsets and bits affect what features. It's actually quite simple. Before you start, you must first determine which seem you're going to be playing with. On the v710, the features are located in seem 41A, although it's possible they may also spread into other seems. If you see an interesting seem and you want to see if it does anything constructive, you can try changing it and see what happens. This assumes we'll be using seem 41A for now...
Seem Mapping Table The following table represents seem elements which have been discovered and tested on the v710.
|
|
|