VistaBug forums

Hardware, dissected

#1 2006-10-19 15:09:34

fearwall
Member
Registered: 2006-10-19
Posts: 16

Treo 650/700p CDMA Modem/GPS API

The information in this post is related to CDMA Treo 650/700p phones. I poked at the phone that came from SprintPCS, but most information will be applicable to other CDMA Treos and some information will be applicable to all Treo smartphones.

We all know that Treo 650 is a GPS-capable device and there are rumors that cellular providers are currently busy developing location-aware applications (LBS, Location-Based Services). Unfortunately (and I see no good reason for it) no GPS API has been released to the public. Can it be hacked out? Yes. But don't scroll down to the end of post, I haven't found it yet. I started looking at the Treo650 yesterday and here is what I found so far:

1. There is a list of service commands, and most of them are not documented (a complete list is below)

2. The most interesting application is HtcCDMAActivationApp, which is responsible for configuration and debugging. The application calls some interesting libraries, Transparency Library, PmSystem Library, and PhoneInterface Library. The last one contains all the juicy functions. Since ActivationApp is a native ARM application, it is not as simple to debug as PalmOS 68k applications. GPS functions may or may not be included in this library, but CDMA firmware that is available as a part of the firmware update includes GPS references. Does anyone have any information on the ASIC?

3. Phone application comes with debug info (Thank you, Palm!)

So far, I have not found the GPS API calls... To sweeten up your disappointment, here is a complete list of Treo650 maintenance shortcuts (use phone application to dial them):

Standard CDMA codes that CDMA Treos support:
-------------------------------------------------
##2539 "AKEY" A-Key
##33284 "DEBUG" debug
##786 "RTN" RTN STATUS (includes diagnostics menu)
##889 "TTY" TTY on/off
##7738 "PREV" mobile protocol revision
##8626337 "VOCODER" vocoder
##774 resets data config (In my case, PCS Vision configuration)
##3282 "DATA" data configuration editor (Shows all passwords, needs MSL, see below)
##5478 "LIST" ???
##56672225 "LOOPBACK" loopback calls
##865625 "UNLOCK" ???
##[MSL] NAM Setup (edit your own phone number), needs MSL (see below)

Additional Treo-specific diagnostic codes
-----------------------------------------
##8463 "TIME" Shows Network time
##66 "ON" Radio On
##633 "OFF" Radio Off
##7277 "PASS" Passthrough on (also power cycles radio)
##7277633 "PASSOFF" Passthrough off
##8778 (powers off radio and goes to the bootloader)
##3424 "DIAG" (enables passthrough)
##72346 "RADIO" shows radio fw version
#43574357* "HELPHELP" Device Information
##744 ???
##83843733 "TETHERED" Tethered mode
##8766 "TRON" ???
##87633 "TROFF" ???
##377 Crash log
##726 ???
##88722366 "TTRACEON"
##887223633 "TTRACEOFF"
##28722366 "2TRACEON"
##287223633 "2TRACEOFF"
##798722366 "RXTRACEON"
##7987223633 "RXTRACEOFF"
------------------------

Treo 755p & Centro additionally support these:

##5872 "LUSB" USB logging
##5737425 "LSERIAL" serial logging
##3836  "EVDO" network settings  -- enables/disables 1xRTT & EVDO
##49878 "HWTST" Troubleshooter -- various hardware tests
##56228466 "LOCATION" Location information (GPS/LBS)


No commands listed above can harm your Treo (unless you change the data and save it). All commands seem to be reversible by soft reset.

Some menus require the MSL (Master Subsidy Lock) code. It is a 6-digit number that is unique for your device. For CDMA Treos it depends on the last 4 digits of your phone number. How to get the MSL? I just called Sprint and told them that I couldn't access internet (which was true, by the way). They told me to dial ##774 to reset configuration. This function requires MSL to confirm, so they gave it to me. Alternatively you can use BitPin software to dump the content of nvram and retrieve the MSL (and other useful data) that is stored there.


Complete Treo650 CDMA Modem command set

Here it is. The modem is MSM 6050 by Qualcomm. Some information is available here

The modem chip is based on ARM7TDMI CPU and QDSP4000 DSP core.
The chip supports gpsOne and BREW.

If anyone happens to have a complete datasheet for MSM6050 or similar device or at least a memory map for it, please let me know.

More information on gpsOne is here and here

Below is a complete command set extracted from modem firmware. Qualcomm extension descriptions will appear on this page later.

Standard AT commands
--------------------
E
L
M
Q
V
X
Z
&C
&D
&F
&V

Extended AT commands
--------------------
+FCLASS
+CFG
+FCC
+FIS
+CAD
+CBC
+CBIP
+CDR
+CDS
+CFC
+CHV
+CHV0
+CMIP
+CMUX
+CQD
+CRC
+CRM
+CSQ
+CSS
+CTA
+CXT
+DR
+DS
+EB
+EFCS
+ER
+ES
+ESR
+ETBM
+FAA
+FAP
+FBO
+FBS
+FBU
+FCQ
+FCR
+FCT
+FDR
+FDT
+FEA
+FFC
+FHS
+FIE
+FIP
+FKS
+FLI
+FLO
+FLP
+FMI
+FMM
+FMR
+FMS
+FNR
+FNS
+FPA
+FPI
+FPP
+FPR
+FPS
+FPW
+FRQ
+FRY
+FSA
+FSP
+GCAP
+GMI
+GMM
+GMR
+GOI
+GSN
+ICF
+IFC
+ILRR
+IPR
+MA
+MR
+MS
+MV18R
+MV18S

Qualcomm extensions
-------------------
$QCCLR Clear error log
$QCDMG Enter DM (diagnostic monitor) mode
$QCDMR Set DM baud rate
$QCDNSP Set primary DNS IP
$QCDNSS Set secondary DNS IP
$QCMIP Enable/disable MIP (Mobile IP)
$QCMIPP Select active MIP profile
$QCMIPT Enable/disable rfc2002bis authentication
$QCMIPEP Enable/disable current active profile
$QCMIPMASS Set MN-AAA shared secrets
$QCMIPMHSS Set MN-HA shared secrets
$QCMIPMASPI Set MN-AAA SPIs
$QCMIPMHSPI Set MN-HA SPIs
$QCMIPRT Set the reverse tunneling
$QCMIPNAI Set NAI for active profile
$QCMIPHA Set the Mobile Home Address
$QCMIPPHA Set Primary HA IP Address
$QCMIPSHA Set Secondary HA IP Address
$QCMIPGETP Return profile information
$QCMIPMASSX Set MN-AAA shared secrets in hex
$QCMIPMHSSX Set MN-HA shared secrets in hex
$QCOTC
$QCPKND Enable/disable Automatic Packet Detection after a dial command
$QCPMA
$QCPREV Display protocol revision
$QCRLPD Dump RLP protocol statistics
$QCRLPR Reset RLP protocol statistics
$QCRL3D Dump RLP 3 protocol statistics
$QCRL3R Reset RLP 3 protocol statistics
$QCPPPD Dump PPP protocol statistics
$QCPPPR Reset PPP protocol statistics
$QCIPD Dump IP protocol statistics
$QCIPR Reset IP protocol statistics
$QCUDPD Dump UDP protocol statistics
$QCUDPR Reset UDP protocol statistics
$QCTCPD Dump TCP protocol statistics
$QCTCPR Reset TCP protocol statistics
$QCSCT
$QCMDR Set Medium Data Rate (MDR) (also known as HSPD)
$QCSCRM Enable/disable SCRM’ing
$QCTRTL Enable/disable R-SCH throttling.
$QCMTOM Originate Mobile-to-Mobile Packet Data call
$QCQNC Enable/disable the Quick Net Connect (QNC)
$QCSO Set data service option
$QCVAD Prearrangement setting
$QCCAV Answer incoming voice call

Available modem registers
--------------------------
S0 Automatic answering
S3 Carriage return character
S4 Line feed character
S5 Backspace character
S6 Pause before blind dialing
S7 Number of seconds to establish end-to-end data connection
S8 Number of seconds to pause when “,” is encountered in dial string
S9 Carrier detect threshold in increments of 0.1 seconds
S10 Number of tenths of a second from carrier loss to disconnect
S11 DTMF tone duration and spacing in milliseconds

Last edited by fearwall (2008-02-10 21:23:07)

Offline

 

#2 2006-10-19 15:14:25

fearwall
Member
Registered: 2006-10-19
Posts: 16

Re: Treo 650/700p CDMA Modem/GPS API

We're currently inspecting CDMAPhoneLibrary. Here is the first disappointment: PhnLibGetMdmPosition() trap is not supported. A complete list of supported library traps will be posted later.

Now, two more disappointments: PhnLibGetPDSessionConfigParam() and PhnLibSetPDSessionConfigParam() are locked to just changing Location Privacy flag. These functions are intended to be used to set LBS server IP address and port. So, the conclusion is: There is no GPS-related API in the current library. The good news is that modem firmware contains all the necessary functions (and some debugging stuff, too). It might take some time to reverse-engineer communications between the library and the firmware.... For those who want to play with CDMA modem firmware, you have to load the image (extractable from Treo650 firmware upgrade application) at the base offset 0x20000. CDMA chip is based on the ARM processor with little-endian byte sex.

Also (many people asked): GPS/LBS data are not accessible via modem AT command interface.

Treo700p CDMA library is also missing all GPS/LBS functions :(

Offline
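
The loading detail from the post above (image placed at base offset 0x20000, little-endian ARM), as an added example that is not part of the original thread: it inventories `$QC` command-name strings in an image and resolves the 32-bit pointers that reference them, which only works when the base is right. The image bytes are constructed for illustration, and the layout (NUL-terminated name pool plus an aligned pointer table) and all function names are assumptions, not the real Treo firmware format.

```python
import re
import struct

BASE = 0x20000  # load address stated in the post

def build_sample_image(base=BASE):
    """Constructed stand-in for a firmware image (not real Treo data):
    a NUL-terminated name pool followed by a little-endian pointer table."""
    names = [b"$QCCLR", b"$QCDMG", b"$QCPREV"]
    img = bytearray(16)                      # filler before the string pool
    offsets = []
    for name in names:
        offsets.append(len(img))
        img += name + b"\x00"
    img += b"\x00" * (-len(img) % 4)         # align the table to 4 bytes
    for off in offsets[:2]:                  # only two names are referenced
        img += struct.pack("<I", base + off)
    return bytes(img)

def find_commands(image, base=BASE):
    """Map each NUL-terminated $QC... name to its address once loaded at base."""
    pattern = re.compile(rb"\$QC[A-Z0-9]+(?=\x00)")
    return {m.group().decode(): base + m.start() for m in pattern.finditer(image)}

def find_xrefs(image, commands, base=BASE):
    """Find aligned little-endian 32-bit words that point at a command name."""
    by_addr = {addr: name for name, addr in commands.items()}
    refs = {}
    for off in range(0, len(image) - 3, 4):
        (word,) = struct.unpack_from("<I", image, off)
        if word in by_addr:
            refs.setdefault(by_addr[word], []).append(base + off)
    return refs

if __name__ == "__main__":
    image = build_sample_image()
    commands = find_commands(image)
    for name, addr in commands.items():
        print(f"{name:10s} at 0x{addr:05X}")
    xrefs = find_xrefs(image, commands)
    print("xrefs:", {n: [hex(a) for a in r] for n, r in xrefs.items()})
    # With the wrong base the same words no longer match any string address.
    print("xrefs at base 0:", find_xrefs(image, find_commands(image, base=0), base=0))
```

A name with no incoming pointer (here `$QCPREV`) is either referenced some other way or unused, so it is worth checking by hand before counting it as an exposed command.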

 

#3 2007-06-25 22:35:57

kocoman
Member
Registered: 2007-05-21
Posts: 13

Re: Treo 650/700p CDMA Modem/GPS API

Hi are you still around?

Offline

 
