comparison doc/IMEI @ 725:232e36a227dd

doc/IMEI: updated for Compal IMEI discovery
author Mychaela Falconia <falcon@freecalypso.org>
date Tue, 25 Aug 2020 17:28:32 +0000
parents 4644799cb515
children
724:c2fe49987323 725:232e36a227dd
12 not to store the Luhn check digit in the GSM device's flash or EEPROM or 12 not to store the Luhn check digit in the GSM device's flash or EEPROM or
13 whatever, but it is not sent over the air: instead the IMEISV is sent. It 13 whatever, but it is not sent over the air: instead the IMEISV is sent. It
14 appears that the GSM standard authors' intent was that the IMEI part is stored 14 appears that the GSM standard authors' intent was that the IMEI part is stored
15 immutably in each manufactured device whereas the SV digits are added by the 15 immutably in each manufactured device whereas the SV digits are added by the
16 running firmware to indicate its version, but the IMEI handling scheme 16 running firmware to indicate its version, but the IMEI handling scheme
17 implemented in TI's reference firmware and retained by many of the TI-based GSM 17 implemented in TI's reference firmware and retained by many TI-based GSM device
18 device manufacturers (at least FIC/Openmoko and Foxconn/Pirelli) dispenses away 18 manufacturers (FIC/Openmoko, Foxconn/Pirelli, some module vendors, but notably
19 with the IMEI vs. IMEISV distinction. 19 NOT Compal) dispenses away with the IMEI vs. IMEISV distinction.
20 20
21 IMEI storage and retrieval in TI's reference firmware 21 IMEI storage and retrieval in TI's reference firmware
22 ===================================================== 22 =====================================================
23 23
24 When running on the plain Calypso as opposed to Calypso+, TI's TCS211 reference 24 When running on the plain Calypso as opposed to Calypso+, TI's TCS211 reference
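Review bot: "some module vendors" in new lines 18-19 is left unnamed, while the next section goes on to name them (Huawei GTM900-B and the module called Tango); either naming them here as well or adding "see below" would keep the two lists consistent and save the reader a guess about whether the same vendors are meant. Minor style point on the same lines: "dispenses away with" reads better as "dispenses with".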
54 reference fw: the factory-assigned IMEI is stored in an FFS file named 54 reference fw: the factory-assigned IMEI is stored in an FFS file named
55 /pcm/IMEI, and that is where the original mokoN firmwares look for it. Further 55 /pcm/IMEI, and that is where the original mokoN firmwares look for it. Further
56 blurring the distinction between the IMEI and the IMEISV, the 16 digits stored 56 blurring the distinction between the IMEI and the IMEISV, the 16 digits stored
57 in /pcm/IMEI (which the fw treats as the IMEISV) were factory-programmed as the 57 in /pcm/IMEI (which the fw treats as the IMEISV) were factory-programmed as the
58 15-digit IMEI (with the Luhn check digit) with an appended 0, i.e., the SV 58 15-digit IMEI (with the Luhn check digit) with an appended 0, i.e., the SV
59 digits get set to x0 where x is the Luhn check digit. 59 digits get set to x0 where x is the Luhn check digit. The same scheme has been
60 implemented on some Calypso-based packaged modem modules: Huawei GTM900-B and
61 one other module we call Tango.
60 62
61 Foxconn, the makers of the Pirelli DP-L10, have used the obfuscated version of 63 Foxconn, the makers of the Pirelli DP-L10, have used the obfuscated version of
62 TI's IMEI handling mechanism instead, with an additional twist: instead of 64 TI's IMEI handling mechanism instead, with an additional twist: instead of
63 storing the 16-byte encrypted datum in /gsm/imei.enc in FFS, they have moved it 65 storing the 16-byte encrypted datum in /gsm/imei.enc in FFS, they have moved it
64 into their own factory data record stored in a non-FFS sector of the flash. 66 into their own factory data record stored in a non-FFS sector of the flash.
65 The content of the 16 digits treated as the IMEISV by the G23M component of the 67 The content of the 16 digits treated as the IMEISV by the G23M component of the
66 fw is the same as Openmoko's: 15-digit IMEI with the Luhn check digit followed 68 fw is the same as Openmoko's: 15-digit IMEI with the Luhn check digit followed
67 by a 0 digit. 69 by a 0 digit.
68 70
69 Compal, the makers of Motorola C1xx phones, have similarly moved their IMEI out 71 Compal, the makers of Motorola C1xx phones, took a very different approach: they
70 of FFS into their own proprietary flash data structures, and we have never 72 completely departed from TI's way and implemented IMEI storage and retrieval
71 decoded the latter, hence we don't know exactly where and how their IMEI is 73 "by the book" instead - their IMEI is stored in the physically immutable OTP
72 stored. If you wish to run FreeCalypso firmware on these phones, you have to 74 cells of their Intel-style flash chip's protection register. Once we have made
73 set your own IMEISV for our fw even if you are not seeking to make it different 75 this discovery, our fc-loadtool now offers a new flash compal-imei command for
74 from the factory-assigned one, as we don't know how to retrieve the latter. 76 reading and saving this factory IMEI. This Compal factory OTP record is a true
77 15-digit IMEI with the Luhn check digit at the end, no blurring between IMEI and
78 IMEISV here. Compal's firmwares add their own SV digits identifying different
79 fw versions - their version is truly done "by the book".
75 80
76 Changing the IMEI 81 Changing the IMEI
77 ================= 82 =================
78 83
79 When someone says that they wish to change the IMEI on their phone, they need 84 When someone says that they wish to change the IMEI on their phone, they need
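Review bot: new lines 75-76 introduce the flash compal-imei command for "reading and saving this factory IMEI" but drop the deleted guidance (old lines 72-74) about what a user running FreeCalypso fw on these phones is expected to do with the IMEISV; the text should now state how the 15-digit IMEI read by fc-loadtool is meant to be carried into the FreeCalypso fw's IMEISV (the earlier section documents the TI-style 16-digit /pcm/IMEI form with a trailing 0, so one sentence tying the two together would close the gap), and it would help to say whether the command verifies the Luhn check digit of the record it reads, since new lines 76-78 single that digit out as the distinguishing feature of the Compal record. Minor tense point on new line 74: "Once we have made this discovery" should be "Having made this discovery" or "Now that we have made this discovery".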
99 /pcm/IMEI in FFS, your new IMEISV will take effect not only with FreeCalypso 104 /pcm/IMEI in FFS, your new IMEISV will take effect not only with FreeCalypso
100 firmware, but also with the legacy mokoN fw versions, because they all look in 105 firmware, but also with the legacy mokoN fw versions, because they all look in
101 /pcm/IMEI. The same does NOT hold with Compal/Motorola or Foxconn/Pirelli 106 /pcm/IMEI. The same does NOT hold with Compal/Motorola or Foxconn/Pirelli
102 phones, however: if you wish to change their IMEI to be seen by their original 107 phones, however: if you wish to change their IMEI to be seen by their original
103 proprietary firmwares, you are on your own, as we do not currently have any 108 proprietary firmwares, you are on your own, as we do not currently have any
104 tools for accomplishing such a feat. 109 tools for accomplishing such a feat. Furthermore, changing the IMEI seen by
110 Compal's proprietary fw would require locating the IMEI reading code in their
111 fw and patching that code, as the IMEI record itself in the flash chip's
112 protection register is physically immutable. On the Pirelli DP-L10 the feat
113 would be simpler, as their factory data block can be rewritten - but we haven't
114 produced a tool for fooling Pirelli IMEIs, as there is no current need for such
115 a tool.
105 116
106 IMEI handling in FreeCalypso 117 IMEI handling in FreeCalypso
107 ============================ 118 ============================
108 119
109 The FreeCalypso family of projects has adopted the following IMEI storage and 120 The FreeCalypso family of projects has adopted the following IMEI storage and
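Review bot: "fooling Pirelli IMEIs" on new lines 114-115 is unclear wording; what the preceding sentence describes is rewriting the factory IMEI record in Pirelli's factory data block, so "rewriting Pirelli factory IMEIs" would say it plainly. The same paragraph also states twice that no tool exists, once at new lines 108-109 ("we do not currently have any tools for accomplishing such a feat") and again at new lines 114-115 ("we haven't produced a tool"); the second occurrence could be reduced to the reason alone ("but there is no current need for such a tool") so the paragraph does not repeat itself.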