IMEI changing kit for GTA02

joerg Reisenweber joerg at openmoko.org
Fri Feb 7 23:38:32 CET 2014


On Fri 07 February 2014 22:25:23 Michael Spacefalcon wrote:
> Hello fellow freedom lovers,
> 
> I have just released the first version of the kit that allows a Neo
> Freerunner user to set his/her IMEISV to any value of his/her choice.
> Download it here:
> 
> ftp://ftp.ifctf.org/pub/GSM/GTA02/ffs-edit-kit-r1.tar.bz2
> 
> Operating instructions are inside the tarball.  The way in which this
> kit works is completely independent of what firmware version you have
> in flash: it can be moko11, leo2moko, or even blank or corrupt flash.
> (Just like with fc-loadtool, the chain starts with Calypso's on-die
> boot ROM, i.e., the wonderful hardware unbricking feature TI gave us
> in this baseband chip, similar in principle to FR's NOR U-Boot which
> is extra hardware just for unbricking.)
> 
> Please also note that many vendors' "standard" proprietary firmwares
> include undocumented AT commands for setting the IMEI, and as my
> experiments indicate, moko11 appears to be one of them:
> 
> ftp://ftp.ifctf.org/pub/GSM/hacks/imei-hacks-r1.tar.gz
> 
> However, I do not recommend using that AT@SC command, as the half-baked
> implementation does not make the proper distinction between IMEI and
> IMEISV, and the last 16th digit of the complete IMEISV (which is what
> the modem actually uses and sends over the air) ends up being set to a
> "random" value that is an artifact of the obfuscation scheme.
> 
> As an example, the original factory IMEI of the GTA02 I use for FC
> development is 35465101-961584-0; the original factory programming of
> the complete IMEISV is 35465101-961584-00.  However, if one uses that
> AT@SC hack to change it, it is then impossible to revert the complete
> IMEISV back to this original setting using the same AT@SC command!  If
> one feeds the correct obfuscated AT@SC string for setting
> 35465101-961584-0, the full IMEISV gets set to 35465101-961584-01
> instead of the original factory 35465101-961584-00.
> 
> In contrast, the FFS editing kit linked above allows you to set all 16
> digits of the IMEISV to whatever you choose; the kit provides the
> mechanism and you decide on the policy for what the SV digits should be.
> 
> However, considering that those with a desire to play with their IMEIs
> would probably find an AT command much more convenient than the rather
> cumbersome (albeit powerful) XRAM-agent-based mechanism presented in
> my current kit, I plan on making a new version of leo2moko that will
> include a new AT command for setting the IMEISV.
> 
> I will not be replicating the obfuscated AT@SC command, instead it
> will be a different AT command that sets all 16 digits explicitly and
> works without any obfuscation.  The syntax I propose is:
> 
> AT+SIMEISV="1234567890123456"
> 
> If anyone has an argument for a different syntax, please speak up now.
> 
> Viva la Revolucion,
> SF


You recall that single line I actually censored? (Must have been the only time 
in my life I did this.) In the changelogs, around moko5 or something.

It actually was a weird "secret" AT command to change the IMEI; it claimed in 
the changelogs that it had some really weird formula to add birthday^5 to the old 
IMEI or something and append that to the new IMEI, for "authentication" - and it 
never worked, AFAIK.

cheers
jOERG
-- 
()  ascii ribbon campaign - against html e-mail     
/\  www.asciiribbon.org   - against proprietary attachments
(alas the above page got scrapped due to resignation(!!), so here some 
supplementary links:)
http://www.georgedillon.com/web/html_email_is_evil.shtml          
http://www.nonhtmlmail.org/campaign.html
http://www.georgedillon.com/web/html_email_is_evil_still.shtml    
http://www.gerstbach.at/2004/ascii/ (German)