Fun with IMEI (was testing the free calypso software)

Kai Lüke kaitobiaslueke at
Tue Feb 4 20:34:00 CET 2014

Hello community,

thanks to the recent activities I also thought about IMEI yesterday
evening, and it was fun that others also did. Setting IMEI would still
be a nice feature.
In addition it would be interesting for me (in times of surveillance)
whether silent sms (stealth ping) could be recognized and a report be
dropped to the mobile phone. Also the change to non-encrypted transfer
would be a similar event which might occur due to an IMSI catcher, so
generating a message (SMS?) warning the user would be helpful.

Also: Could the gsm module be made working without a SIM, i.e. just by
providing the necessary values like IMSI and Ki? As I don't know
the issue well, it's just a question ;)


On 04.02.2014 01:23, Michael Spacefalcon wrote:
> Norayr Chilingarian <norayr at> wrote:
>> Does anyone know what will happen in a cellular network where
>> more than one device has the same IMEI. In other words, if we all
>> could change our IMEI numbers, and use one imaginary number, are there
>> technical reasons for the network not to work?
> joerg Reisenweber <joerg at> responded:
> : no technical but organizational. Usually that IMEI gets an instant ban, and
> : a fat bold red alarm logline in the carrier's network logs.
> Yup, if all of us were to use the same IMEI number, it would be far
> too easy for our enemies to ban that one single number.
>> I mean, MAC address is used on a physical layer, so if two network
>> cards connected to the same switch have the same MAC addresses, the network
>> won't work. I guess the switch will down both ports connected to those
>> devices.
> The analogy between IMEIs and Ethernet MAC addresses is a good one
> from a manufacturing/management perspective, but not in terms of
> network protocol usage.  Unlike MAC addresses, IMEIs are not used for
> any kind of addressing or routing anywhere in the network, only as a
> "management" identifier that is unnecessary in the strict technical
> sense.
> But from the perspective of a device manufacturer (which I will become
> soon, hopefully), IMEIs are just like Ethernet MAC addresses: the
> nominal requirement is that each be world-unique for all time (a rule
> that gets broken in reality with both MAC addresses and IMEIs), a
> manufacturer has to buy a range (supposedly "fresh" and unused) from a
> central registry, and then number individual produced units out of
> that range.
>> But I don't know how IMEI's work. Are they technically necessary so
>> that 3G/gsm network can be operational, or they are only used to
>> identify (and track) customers by devices?
> The latter.
> Before everyone starts changing their IMEIs just for the heck of it,
> let's analyze *rationally* how tracking works - or rather, what is the
> total set of data elements available to carriers (and their gov't
> partners etc) for tracking users, and how these data elements interrelate.
> If you like maintaining a long-term-constant phone number at which
> your family and friends can reach you (i.e., the whole purpose for
> having a cellphone, at least for me), and you have a long-term-stable
> SIM card associated with that long-term-constant phone number, then it
> doesn't really matter if your IMEI is also constant or if you send the
> output of a PRNG (or even a TRNG) to the network as your IMEISV every
> time your phone/modem fw does the "register" operation.  The constant
> SIM card with its IMSI, as well as the associated MSISDN (phone number
> for your family and friends to call you at), is what tells the network
> that "you" are still the same "you", no matter what device you use or
> what IMEISV it transmits.  Yes, you can deregister from the network,
> then re-register with a different IMEI, making it look like you turned
> your phone off, moved your SIM card to another phone, then came back
> online with the latter - but what would be the point?
> Instead, there are only two scenarios I can think of in which it would
> make sense to change the IMEI of a GSM device:
> 1. If you really want to "disappear w/o trace", such that you discard
>    your old SIM, get a new SIM (prepaid, presumably) with a different
>    phone number (and deliberately make yourself unreachable at your
>    old one), and you want to make it look like the user of the new SIM
>    is a different person from the user of the old SIM - in this case
>    the same IMEI would indeed give you away, so you might want to
>    change it in this case.
> If the above applies to you (and it does *not* apply to me, as changing
> phone numbers constantly would defeat the whole purpose of a cellphone
> for me), then you need to be careful to change your IMEI *at exactly
> the same time* when you change your SIM - if there is any time skew
> between these two changes, such that a network sees {old IMEI, new SIM}
> or {new IMEI, old SIM} at any time, even just once, your anonymity
> effort will be instantly brought to naught!  If you want to do this, I
> would recommend pulling your old SIM out first, throwing it away, then
> doing the IMEI changing operation on the SIM-less modem, and then
> finally inserting your new SIM.
> 2. Changing one's IMEI may be necessary if your "legitimate" IMEI from
>    the manufacturer of your GSM device has been wrongfully banned or
>    blocked by some GSM network you wish to use, and you need to use
>    some non-blocked IMEI in order to get on the network.
> The wrongful ban scenario is particularly frightening when applied to
> whole classes of devices, rather than individual units.  The first 8
> digits of the IMEI comprise the Type Allocation Code (TAC), which is
> supposed to be allocated per each device type.  Hence if all
> manufacturers involved played by the rules (of which I have no
> knowledge), then every IMEI beginning with 35278901 is supposed to be
> a Pirelli DP-L10, every IMEI beginning with 35465101 is supposed to be
> an Openmoko GTA02, and so on.
> What if some repressive network operator decides to block all IMEIs
> belonging to easy-to-hack Calypso devices, e.g., block all IMEIs
> beginning with 35278901 or 35465101, on the reasoning that "only a
> criminal would want to use one of these phones"?  In that case we will
> need to lie to that network and pretend to be some Apple/Samsung/etc
> device in order to get GSM service, i.e., use an IMEI from one of
> those "sheeple device" ranges.
> VLR,
> SF
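As an added illustration of the IMEI structure discussed in the quoted message (TAC in the first 8 digits, then a 6-digit serial, then a Luhn check digit for IMEI or a 2-digit SVN for IMEISV), here is a small parser. This is example code, not from the thread or any Openmoko/Calypso project; the TAC table contains only the two TACs named above, and the serial numbers used are constructed.

```python
# Added example: split an IMEI/IMEISV into TAC, serial and check digit / SVN,
# validate the Luhn check digit, and look up the device type by TAC.

# TACs named in the thread: the first 8 digits identify the device type.
KNOWN_TACS = {
    "35278901": "Pirelli DP-L10",
    "35465101": "Openmoko GTA02",
}


def luhn_check_digit(body14: str) -> int:
    """Luhn check digit for the 14-digit TAC+serial body of an IMEI."""
    total = 0
    for pos, ch in enumerate(body14, start=1):
        d = int(ch)
        if pos % 2 == 0:          # every second digit from the left is doubled
            d *= 2
            if d > 9:             # fold two-digit products (e.g. 14 -> 5)
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(s: str) -> dict:
    """Parse a 15-digit IMEI or a 16-digit IMEISV (TAC + serial + SVN)."""
    digits = "".join(ch for ch in s if ch.isdigit())
    if len(digits) not in (15, 16):
        raise ValueError("expected a 15-digit IMEI or a 16-digit IMEISV")
    tac, serial = digits[:8], digits[8:14]
    info = {
        "tac": tac,
        "serial": serial,
        "device": KNOWN_TACS.get(tac, "unknown TAC"),
    }
    if len(digits) == 15:
        info["kind"] = "IMEI"
        info["check_ok"] = int(digits[14]) == luhn_check_digit(digits[:14])
    else:
        info["kind"] = "IMEISV"
        info["svn"] = digits[14:]   # software version; IMEISV carries no check digit
        info["check_ok"] = None
    return info


if __name__ == "__main__":
    # Constructed sample: TAC 35278901 + serial 000001 + check digit 8.
    print(parse_imei("352789010000018"))
```

Two units from the same production range share a TAC and differ only in the serial, which is exactly why a ban applied per TAC hits every unit of that device type.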
