20-09-2024 08:41 AM - edited 20-09-2024 08:50 AM
I have a OnePlus 5. I really like it and pre-ordered it when it first came out. I am in no desire to upgrade my phone – and yesterday I found that I couldn't make or receive phone calls with it. Smarty support told me that 3G was turned off in my postcode…yesterday too.
The OnePlus 5 is VoLTE compatible and has a 4G radio as parts of its system on a chip made by Qualcomm. The "VoLTE" switch was enabled in my system settings. So why no worky?
Herein began an absolute deep-dive into radio configuration settings, courtesy of others on XDA Forums who had similar experiences trying to get VoLTE to work. It transpires that Qualcomm chips have an extended firmware partition, EFS, normally hidden from the user, that contain a lot of configuration information about the radios – boring things like frequency ranges, SoC allowed clock speeds, etc, but also rather critical safety things like SAR calculations. As a result these firmware files are normally cryptographically signed by both Qualcomm using information provided by manufacturers – much more technical detail is here. In the midst of all of these are a variety of files like carrier_policy.xml which contains detailed information from the network operator that can, as illustrated by that blog post linked to above, just be plain wrong for a given handset in a given region, unfortunately, particularly if you travel internationally.
My symptoms were as follows: my phone appeared to support VoLTE but the icon wouldn't appear in the system taskbar. Dialling *#*#4636*#*# and choosing "Phone information" gives detailed info about the radio showing that it appears to be trying to use VoLTE, but I couldn't call anyone:
At this point I contacted Smarty support thinking that I had a misconfiguration in an APN ("access point network"). They took me through some generic troubleshooting steps that I somewhat knew would be pointless but I went through their steps. They confirmed that 3G had been switched off.
At this point I did a bit more digging around the XDA forums and found a) this was a common issue; and b) it was likely the firmware flashed on my phone had incorrect carrier information for 3G. So I downloaded QPST, the "Qualcomm platform support tools", a set of Windows-only executables designed for modifying these configuration files. I don't use windows natively, so I spun up a Windows 10 virtual machine on my linux desktop, dialled "*#801#" to bring up another hidden menu, enabled "Serial" and "Full-port switch" to expose a debugging interface on USB and permit talking to the device via an embedded usb -> serial apdator. It appeared as `05c6:9091 Qualcomm, Inc. Intex Aqua Fish & Jolla C Diagnostic Mode` in lsusb – different to the normal phone details - and enabled usb passthrough to the VM. I installed QPST and the Qualcomm user drivers ("QUD") which basically expose this connection as a serial port (COM7) in Windows. Apparently QPST does _not_ work in W11, but there are a variety of open source reimplementations on linux
I then used the Platform Device Configuration app (PDC.exe) to look at the loaded firmware profiles on the device's radios for VoLTE. Smarty is a 3 MVNO and I found that the H3G_UK profile was loaded ("Sub0" -- subscription 0, referring to the 1st sim card slot was active). PDC looks a bit like this:
At this point I read a forum post from someone else stating that H3G_Denmark worked for them. I swapped to this profile (right-click, SetSysConfig -> Sub0, activate). Magically VoLTE started working (yay) and I could make calls again (!!) and the icon appeared in the system bar.
(Bonus points if you recognise the app…)
At this point I extracted the files mbn mbcfg files and started having a look at why H3G_UK didn't work which clearly it _should_. The answer? There was no configuration info provided at all within it on my radio, meaning that despite being technically enabled and completely working Three had made either a conscious decision or an accidental cockup. Here's how I know this: let's look at the brief structure of the mcfg_sw.mbn file that is provided:
$ binwalk mcfg_sw.mbn
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 32-bit LSB executable, no machine, version 1 (SYSV)
4664 0x1238 Certificate in DER format (x509 v3), header length: 4, sequence length: 1011
5679 0x162F Certificate in DER format (x509 v3), header length: 4, sequence length: 1046
6729 0x1A49 Certificate in DER format (x509 v3), header length: 4, sequence length: 1009
38066 0x94B2 XML document, version: "1.0"
This indicates that they're little executable files for *nix with a bunch of cryptographic headers followed by plain text XML. Let's extract the XML and show it for both the H3G_UK file and H3G_Denmark: I've skipped the lines leading to this but these are the relevant bits of the configuration files shown as a diff:
(That's a bit hard to read, but here's the relevant bit below from a side-by-side diff)
<?xml version="1.0" ?> | <?xml version="2.0" ?>
<IWLAN_S2B_CONFIG> <IWLAN_S2B_CONFIG>
<GENERIC_VARIANT> <GENERIC_VARIANT>
<epdg_addr_info> <epdg_addr_info>
> <fqdn>epdg.epc.mnc020.mcc234.pub.3gppnetw
<static_fqdn_enabled>FALSE</static_fqdn_enabled> <static_fqdn_enabled>FALSE</static_fqdn_enabled>
<plmn_list/> | <pcscf_attr>
> <v4_attr_type_val>16389</v4_attr_type_val>
> <v6_attr_type_val>16386</v6_attr_type_val>
> </pcscf_attr>
</epdg_addr_info> </epdg_addr_info>
<ikev2_info> <ikev2_info>
> <ke_payload_enabled>FALSE</ke_payload_enabled>
<self_id> <self_id>
<id_type>ID_RFC822_ADDR</id_type> <id_type>ID_RFC822_ADDR</id_type>
<mac_enabled>FALSE</mac_enabled> <mac_enabled>FALSE</mac_enabled>
<identifier/> <identifier/>
</self_id> </self_id>
Note that the UK file has `<ke_payload_enabled>FALSE</ke_payload_enabled>' in there. I think ke stands for 'key exchange' and is part of the IKE VPN tunnel that is set up as part of an LTE border gateway connection. I think that this line serves to explicitly _disable_ VoLTE as a consequence because the IKEv2 tunnel that is part of the protocol can't be made. There are a few other configuration details listed, but mostly they are minor. I could fix this and then have to resign the whole firmware using a different root of trust...but that would be a ballache.
Very mysterious that despite technically working this whole thing serves to be misconfigured to the point of breaking and encouraging me to buy a new phone 😗. The whole switch-off is annoying. I understand why it is happening but 5G is a higher frequency, point-to-point mmWave protocol and where I am has lots of old stone buildings -- meaning that electrodynamically 3G worked very well, and 5G is appallingly **bleep**e. The phone service has become noticeably worse.
Hope this is vaguely useful for someone else. I told Smarty customer support about it all and they gave me a nice message at the end.
20-09-2024 09:33 AM - edited 20-09-2024 11:24 AM
Brilliantly informative post. The only thing I would add is that the current 5G in the UK is not mmWave, and while a lot of it is on a higher frequency than Three's 3G was on (around 3.5GHz instead of 2.1GHz), some networks (I'm thinking EE specifically) also have 5G on around 700MHz. I'm not sure if Three currently have any 5G on 700MHz, but they certainly have 4G in that frequency band, which should be better at penetrating buildings than their 3G ever was. In fact, all of Three's 4G coverage is at the same frequency or a lower frequency than their 3G was.
21-09-2024 00:01 AM
Hi @Landak 👋
I had a similar(?) 'palaver' with my SG J4+ 🙄
It had the capability for 'VoLTE' and 'WiFi Calling' and yet whatever I tried I could NOT get the options on the phone to enable these. And then 3G was turned off in my area and my phone just ended up as a 'pretty' brick 😤
I couldn't afford a replacement (this was a 'hand-me-down' from my sister) and so I did many hours of research of the 'tinterweb' as to why this was happening.
After all the research I found out that phones sold by providers are controlled by them, via THEIR firmware/software added to each handset sold, so that updates are not completed (even when manual software update is performed) unless you were using their network e.g. my SG J4+ was sold to my sister by Vodafone and so it needed to be connected to their network to receive software updates to enable the VoLTE and WiFi Calling options.
This is a VERY little known fact and, I'm sure, affects many now that 3G is being turned off.
So, again I did another round of research and found all the details and software needed to be able to 'Flash' my phone to an unbranded software so that updates were received from Samsung rather than Vodafone.
Hey Presto, I now have a phone that has VoLTE and WiFi Calling capability! Woop Woop!!🎉
When people see a phone is 'unlocked' they automatically think 'SIM' and yet it may still be locked into a provider by its firmware.
I really don't understand why people don't do more research on the internet for 'why' their phone doesn't work when 3G has been turned off as there is plenty of information out there 🤔🙄
07-10-2024 20:33 PM
Hi guys,
I live in the Highland capital of Inverness and have recently bought a Oneplus Nord 4.
I was on 3 mobile but decided to move to Smarty and my WhatsApp calls have been dropping all the time in fact random calls to the phone itself have been dropping too.
I contacted Oneplus and they advised a reset of networks etc which I did.
After this I noticed the Volte icon in my taskbar briefly but it's now disappeared.
I've had calls drop today which is why I'm on here.
Can anyone please give me some advice? I don't want to get another phone as this one is brand new but I'm really at a loss.
Any help would be appreciated.
Kind regards
Alexander