Nuclear Elephant: Hacking the Motorola E815[/URL] ]About the Motorola E815
The Motorola E815 is Verizon's first EVDO-Capable handset, capable of viewing Verizon VCast's (streaming video). Its predecessor was the Motorola v710 which, in spite of some nice features, was crippled beyond reason. The E815 is a "new and improved" version of the v710, delivering many of the features users expected to see in its predecessor. It also supports many hidden and locked features the v710 originally didn't, including the Bluetooth OBEX (Object Exchange) service. We'll talk about how to enable some of these hidden features by editing the "seem".
What is a seem?
The Motorola E815 has what its hardware hackers refer to as a seem. A seem is a portion of nonvolatile memory, usually small in size, containing operational data and parameters. Typical modern Motorola phones include a seem, although they are usually slightly different between manufacturer chipsets. The Motorola E815 has 9,000 (0x2328) unique master seem records, but only really a half dozen that are interesting. Because the information a seem holds cannot typically be altered directly through the handset, specialized software and a USB data cable is required to perform "mods", or modifications.
How-To
Step 0:
To get set up for seem editing, you'll first need a Motorola USB data cable and some software. YOU CANNOT MODIFY A SEEM THROUGH BLUETOOTH. A Motorola USB cable can be purchased for anywhere between $10-$25 on eBay. I highly recommend you buy the OEM cable which includes a port to connect the AC adapter to. If you hose your handset, you may be able to recover if you have one of these cables, as the handset's interfaces are active when the handset is off and charging. On top of this, you'll need the following software:
* P2K Seem for v710/E815
* E815 Drivers
NOTE: The Motorola PST software used to be required in order to set the handset into a diagnostic state, but it is no longer required if you follow the instructions below.
P2K Seem* for v710/E815 and the E815 drivers, can be downloaded from
http://www.inetron.com. The P2K Seem tool is actually what you'll use to make modifications to the handset, after you place the phone into suspend mode.
Once you have all of this software installed, proceed to step 1.
* Special thanks to SuperDaveX for porting and maintaining P2K Seem on the v710 and e815.
Step 1:
The first thing to do is get the handset recognized by your PC and load the E815 drivers. There are two sets of devices your PC will recognize - one when the E815 is in standard operating mode, and another set of devices (including the Motorola test and command interfaces) when the device is in a suspended diagnostic mode.
Attach the E815 to the USB cable and your PC. Windows XP will immediately recognize the handset and prompt you for drivers. When prompted, point Windows at the directory containing them. This will likely be C:\Program Files\Motorola\MotoConnect.
Once you have the drivers installed, you must place the phone into 'Suspend Mode'. This brings up Motorola's diagnostic interfaces and allows P2K Seem to identify your handset. To do this, type Menu + 0 + HUBME + * (Menu, then 048263*) into the handset. You will be given a prompt for an OpCode. Type in 54* and press OK. The screen will immediately dim. Press the camera button on the outside of your handset to turn the backlight back on, and you should see 'SUCCEED'. Your handset is now suspended - DO NOT CLOSE THE FLIP! You may now be prompted to install additional Motorola drivers. There will be a total of four or five different drivers to install.
NOTE: If you are planning on using your E815 on a Macintosh, this is all fine and dandy (the OBEX mod does work on Mac), but you will need to make these initial modifications on a PC.
Once you've set up your USB drivers, you're ready to start modding seem data. The P2K Seem tool transfers seem data to/from your handset. In order to use the tool at any time, you'll first need to put your handset into the proper diagnostic mode. Just follow the above instructions. When you close the flip or power cycle the handset, the phone will be returned to normal operating mode. You should hear one USB device disconnect and three more connect. Now fire up the P2K Seem tool. You should see "Connected" at the bottom. If you don't, try disconnecting and reconnecting the handset from the USB cable, or as a last resort try powering down the handset and re-initiating a suspend.
Step 2
Once connected, newer versions of P2K Seem will already be configured to download seem 41A, which is the feature seem of the Motorola v710 (the E815's crippled kid sister). Change 41A to 2742, which is the correct value for the E815. (Strangely, 0x41A + 0x2328 = 0x2742). Change the Bytes field from 7A to 90. Before you do any modding, you want to back up your original handset's seem (incase you really screw something up). To do this, click 'Read from Phone'. You should see the data window populate with some data. Now click 'Save to File' and save this in a folder somewhere.
Step 3
This is where the fun begins. You can use the seem 2742 chart below to determine which features you want to enable/disable. Simply locate the correct byte in the file and click on it. For example, if you want to edit byte 6A, count from "60". Hexadecimal counts in this order: 0 1 2 3 4 5 6 7 8 9 A B C D E F. When you click on the byte, you'll see a list of "bits" underneath the data window. Each bit is a tiny little switch inside the handset. You can "turn on" or "turn off" whichever switches correspond to features you want to activate/deactivate.
Step 4
Once you have finished screwing around, you might want to save your new modded seem to disk; make sure you save it as a different filename from the original. Finally, when you're ready, click 'Save to Phone' and the new data will be written. You will need to restart your phone for the changes to take effect. It's recommended that you yank the battery just to be sure nothing attempts to write to that memory area on shutdown.
NOTE: If you've used ##DIALUP to enable dialup networking on the E815, you may need to re-enable it after making your seem edit.
What if I hose my phone?
If you have the USB cable with a charge port, you should be able to recover from most problems, although SuperDaveX did recently find a way to hose his v710 beyond repair. The E815 interfaces are alive when the phone is off and charging, so if you hose the phone perform these steps:
* Pull the battery
* Re-Insert the battery
* Leaving the phone off, plug in the charge cable to your USB adapter and plug the USB adapter into your PC (this, of course, requires that you have a USB cable with a charge port).
* You should be able to boot Motorola PST and connect to your interface to restore the original files/seems you hosed.
Isolating Bits
I thought it might make sense to write a small How-To for isolating feature bits. This is the process of identifying which offsets and bits affect what features. It's actually quite simple. DISCLAIMER: This could really hose your phone.
* Enable a large block of bits. This can be the whole file or just a few bytes. Using a hex editor, setting the value FF to a byte will set all the bits in that byte. You may also wish to disable a large block of bits, depending on what you think you might find.
* After enabling/disabling a large block of bits, upload the seem to your phone and yank the battery. Next, boot the phone up.
* Look through your options and such to see if there are any interesting features that were not there before (or were there, and are not now). Write down the name of the feature you want to isolate.
* Now, divide and conquer. Load up a backup copy of the seem but this time only enable half of the bits. Upload the seem, restart the phone. If you still see the option, you know that it's got to be in the half-block you set. Otherwise it's got to be in the other half. Set half the bits in the correct half-block (so you're now setting a quarter of the original bytes) and repeat. Within 4 or 5 tries, you'll isolate it to a single byte, at which point you can just enable them bit-by-bit to find the right one.
* Some functions (such as the engineering menu on the v600) are more complicated and require multiple bits to be set. This can get a little complex, but is still possible to isolate. As of right now, the engineering menu hasn't been enabled on the E815, so if you're feeling lucky give it a try.
Seem Mapping Table
The following table represents seem elements which have been discovered and tested on the E815. To submit an element, please notify me at
jonathan@nuclearelephant.com with complete details.
Seem Rec Length Offset/Bit Values Description
2742 1 90 (?) Miscellaneous Parameters (41A on v710)
0A/7 (1=On, 0=Off) Menu Item: Settings > Initial Setup > Backlight > Continuous
Dims Backlight instead of shutting off
24/2 (1=Enable, 0=Disable) Press and Hold 1 > Autodial Voice Mail Number
5F/5 (1=On, 0=Off) Menu Items: Camera > Picture Setup > Counter
5F/6 (1=On, 0=Off) Menu Items: Video Setup > Allow Alert
5F/7 (1=On, 0=Off) Menu Items: Video Setup > Video Quality
60/4 (1=On, 0=Off) Menu Items: Camera/Video > Setup > Exposure
62/5 (1=On, 0=Off) Menu Item: Messaging > Message Settings > PIX Message Setup > New / Edit / Delete
Enables editing of PIX servers
65/5 (1=On, 0=Off) Menu Items: Phonebook > Menu > Send, Pictures/Video > Menu > Copy > Bluetooth
Not Supported (Yet)
6A/0 (1=Enabled, 0=Disabled) Enable Bluetooth OBEX Profile
(and Media Transfer via Multimedia Studio / Mobile Phone Tools)
6A/3 (1=On, 0=Off) Menu Item: Security > Data Connection
Change 1XRTT Auth Settings and Service Type (QNC, Packet, Auto)
6F/7 (1=On, 0=Off) Menu Item: Hidden Setup Menu > GPS Settings
Basic Menu (Hide when enabling advanced menu)
71/5,6,7 72/0,1,2 (1=On, 0=Off) Menu Item: Hidden Setup Menu > GPS Settings
Enable Advanced GPS Settings Menu
75/5 (1=Enable, 0=Disable) Enable Copy/Move To/From Transflash Options
Other Hacks
Enable Dialup-Networking
To enable the Bluetooth DUN (Dialup-Networking) profile, punch ##DIALUP into your handset.
Modded Web Browsing
If you would like browse the web without using Verizon's web service, you can actually change your home page by downloading a file named WebSession from the handset's root (/) directory and hex-editing it. You will need a program called BitPIM to do this. First, you should go into the handset's "setup" menu (Menu + 0 + 73887 + *) and create a new Web Session. Call it 'Public Proxy' or whatever you like, and get IP/Port info from
http://www.publicproxyservers.com. You'll also want to mark it as the default session so that it will be used whenever your browser loads. Once created, install BitPIM, choose "Other CDMA Phone" from preferences and 'auto' for the device's port, then go to "View | File System". Download WebSession and use somethinglike XVI32 to hex-edit the
http://homepage portion of the file to whatever home page you would like to use (You are welcome to use mine). Then, just overwrite the old file and restart your phone.
Use Your own PIX Server
Use an alternative MMS server to send multimedia to your friends or yourself. See
http://www.nuclearelephant.com/projects/smilgw/
OpCode Interface
Opcode Interface: Menu + 0 + HUBME + *
54* to put phone into suspend mode. See for other opcodes.
