IMEI changing kit for GTA02

joerg Reisenweber joerg at
Fri Feb 7 23:38:32 CET 2014

On Fri 07 February 2014 22:25:23 Michael Spacefalcon wrote:
> Hello fellow freedom lovers,
> I have just released the first version of the kit that allows a Neo
> Freerunner user to set his/her IMEISV to any value of his/her choice.
> Download it here:
> Operating instructions are inside the tarball.  The way in which this
> kit works is completely independent of what firmware version you have
> in flash: it can be moko11, leo2moko, or even blank or corrupt flash.
> (Just like with fc-loadtool, the chain starts with Calypso's on-die
> boot ROM, i.e., the wonderful hardware unbricking feature TI gave us
> in this baseband chip, similar in principle to FR's NOR U-Boot which
> is extra hardware just for unbricking.)
> Please also note that many vendors' "standard" proprietary firmwares
> include undocumented AT commands for setting the IMEI, and as my
> experiments indicate, moko11 appears to be one of them:
> However, I do not recommend using that AT@SC command, as the half-baked
> implementation does not make the proper distinction between IMEI and
> IMEISV, and the last 16th digit of the complete IMEISV (which is what
> the modem actually uses and sends over the air) ends up being set to a
> "random" value that is an artifact of the obfuscation scheme.
> As an example, the original factory IMEI of the GTA02 I use for FC
> development is 35465101-961584-0; the original factory programming of
> the complete IMEISV is 35465101-961584-00.  However, if one uses that
> AT@SC hack to change it, it is then impossible to revert the complete
> IMEISV back to this original setting using the same AT@SC command!  If
> one feeds the correct obfuscated AT@SC string for setting
> 35465101-961584-0, the full IMEISV gets set to 35465101-961584-01
> instead of the original factory 35465101-961584-00.
> In contrast, the FFS editing kit linked above allows you to set all 16
> digits of the IMEISV to whatever you choose; the kit provides the
> mechanism and you decide on the policy for what the SV digits should be.
> However, considering that those with a desire to play with their IMEIs
> would probably find an AT command much more convenient than the rather
> cumbersome (albeit powerful) XRAM-agent-based mechanism presented in
> my current kit, I plan on making a new version of leo2moko that will
> include a new AT command for setting the IMEISV.
> I will not be replicating the obfuscated AT@SC command, instead it
> will be a different AT command that sets all 16 digits explicitly and
> works without any obfuscation.  The syntax I propose is:
> AT+SIMEISV="1234567890123456"
> If anyone has an argument for a different syntax, please speak up now.
> Viva la Revolucion,
> SF

You recall that single line I actually censored? (Must have been the only time
in my life I did this.) In the changelogs, around moko5 or something.

It had actually been a weird "secret" AT command to change the IMEI; it claimed in
changelogs that it had some really weird formula to add birthday^5 to old IMEI
or sth and append that to the new IMEI, for "authentication" - and it never
worked afaik.

()  ascii ribbon campaign - against html e-mail     
/\   - against proprietary attachments
(alas the above page got scrapped due to resignation(!!), so here some 
supplementary links:)  (German)
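
Added example (not part of either message, and not code from the kit or from any firmware): a small parser showing the IMEI/IMEISV distinction the quoted message relies on. Per 3GPP TS 23.003, the 15-digit IMEI is TAC(8) + SNR(6) + a Luhn check digit, while the 16-digit IMEISV drops the check digit and carries a two-digit software version number instead. Function names are hypothetical; the sample values are the ones quoted in the message.

```python
import re

def luhn_check_digit(body14: str) -> int:
    """Luhn check digit over the 14 digits TAC+SNR of an IMEI."""
    total = 0
    for i, ch in enumerate(body14):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counted from the left
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two decimal digits
        total += d
    return (10 - total % 10) % 10

def parse_identity(text: str) -> dict:
    """Split a dashed or plain IMEI (15 digits) or IMEISV (16 digits)."""
    digits = re.sub(r"[-\s]", "", text)
    if not re.fullmatch(r"[0-9]{15}|[0-9]{16}", digits):
        raise ValueError("expected 15 (IMEI) or 16 (IMEISV) decimal digits")
    rec = {"tac": digits[:8], "snr": digits[8:14]}
    tail = digits[14:]
    if len(digits) == 15:
        # 15-digit form: the last digit is derived, it carries no information
        rec["kind"] = "IMEI"
        rec["check_digit"] = int(tail)
        rec["check_ok"] = int(tail) == luhn_check_digit(digits[:14])
    else:
        # 16-digit form: no check digit, the last two digits are the SVN
        rec["kind"] = "IMEISV"
        rec["svn"] = tail
    return rec

def same_device(a: str, b: str) -> bool:
    """Two identities name the same equipment if TAC and SNR match."""
    ra, rb = parse_identity(a), parse_identity(b)
    return (ra["tac"], ra["snr"]) == (rb["tac"], rb["snr"])

if __name__ == "__main__":
    # Values quoted in the message above
    for s in ("35465101-961584-0", "35465101-961584-00", "35465101-961584-01"):
        print(s, parse_identity(s))
```

The two IMEISV values from the message parse to the same TAC and SNR and differ only in the SVN field, which is why a tool that handles only the 15-digit form cannot express the difference between them.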