FreeCalypso > hg > freecalypso-tools
comparison doc/IMEI @ 725:232e36a227dd
doc/IMEI: updated for Compal IMEI discovery
| author | Mychaela Falconia <falcon@freecalypso.org> |
|---|---|
| date | Tue, 25 Aug 2020 17:28:32 +0000 |
| parents | 4644799cb515 |
| children |
| 724:c2fe49987323 | 725:232e36a227dd |
|---|---|
| 12 not to store the Luhn check digit in the GSM device's flash or EEPROM or | 12 not to store the Luhn check digit in the GSM device's flash or EEPROM or |
| 13 whatever, but it is not sent over the air: instead the IMEISV is sent. It | 13 whatever, but it is not sent over the air: instead the IMEISV is sent. It |
| 14 appears that the GSM standard authors' intent was that the IMEI part is stored | 14 appears that the GSM standard authors' intent was that the IMEI part is stored |
| 15 immutably in each manufactured device whereas the SV digits are added by the | 15 immutably in each manufactured device whereas the SV digits are added by the |
| 16 running firmware to indicate its version, but the IMEI handling scheme | 16 running firmware to indicate its version, but the IMEI handling scheme |
| 17 implemented in TI's reference firmware and retained by many of the TI-based GSM | 17 implemented in TI's reference firmware and retained by many TI-based GSM device |
| 18 device manufacturers (at least FIC/Openmoko and Foxconn/Pirelli) dispenses away | 18 manufacturers (FIC/Openmoko, Foxconn/Pirelli, some module vendors, but notably |
| 19 with the IMEI vs. IMEISV distinction. | 19 NOT Compal) dispenses away with the IMEI vs. IMEISV distinction. |
| 20 | 20 |
| 21 IMEI storage and retrieval in TI's reference firmware | 21 IMEI storage and retrieval in TI's reference firmware |
| 22 ===================================================== | 22 ===================================================== |
| 23 | 23 |
| 24 When running on the plain Calypso as opposed to Calypso+, TI's TCS211 reference | 24 When running on the plain Calypso as opposed to Calypso+, TI's TCS211 reference |
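Review bot: "some module vendors" in the new parenthetical on line 18 is vague, while the modules are named further down in this same change (Huawei GTM900-B and Tango, new lines 60-61); name them here or point to that paragraph. Since the sentence is being rewrapped anyway, "dispenses away with" on new line 19 should read "dispenses with" or "does away with".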
| 54 reference fw: the factory-assigned IMEI is stored in an FFS file named | 54 reference fw: the factory-assigned IMEI is stored in an FFS file named |
| 55 /pcm/IMEI, and that is where the original mokoN firmwares look for it. Further | 55 /pcm/IMEI, and that is where the original mokoN firmwares look for it. Further |
| 56 blurring the distinction between the IMEI and the IMEISV, the 16 digits stored | 56 blurring the distinction between the IMEI and the IMEISV, the 16 digits stored |
| 57 in /pcm/IMEI (which the fw treats as the IMEISV) were factory-programmed as the | 57 in /pcm/IMEI (which the fw treats as the IMEISV) were factory-programmed as the |
| 58 15-digit IMEI (with the Luhn check digit) with an appended 0, i.e., the SV | 58 15-digit IMEI (with the Luhn check digit) with an appended 0, i.e., the SV |
| 59 digits get set to x0 where x is the Luhn check digit. | 59 digits get set to x0 where x is the Luhn check digit. The same scheme has been |
| 60 implemented on some Calypso-based packaged modem modules: Huawei GTM900-B and | |
| 61 one other module we call Tango. | |
| 60 | 62 |
| 61 Foxconn, the makers of the Pirelli DP-L10, have used the obfuscated version of | 63 Foxconn, the makers of the Pirelli DP-L10, have used the obfuscated version of |
| 62 TI's IMEI handling mechanism instead, with an additional twist: instead of | 64 TI's IMEI handling mechanism instead, with an additional twist: instead of |
| 63 storing the 16-byte encrypted datum in /gsm/imei.enc in FFS, they have moved it | 65 storing the 16-byte encrypted datum in /gsm/imei.enc in FFS, they have moved it |
| 64 into their own factory data record stored in a non-FFS sector of the flash. | 66 into their own factory data record stored in a non-FFS sector of the flash. |
| 65 The content of the 16 digits treated as the IMEISV by the G23M component of the | 67 The content of the 16 digits treated as the IMEISV by the G23M component of the |
| 66 fw is the same as Openmoko's: 15-digit IMEI with the Luhn check digit followed | 68 fw is the same as Openmoko's: 15-digit IMEI with the Luhn check digit followed |
| 67 by a 0 digit. | 69 by a 0 digit. |
| 68 | 70 |
| 69 Compal, the makers of Motorola C1xx phones, have similarly moved their IMEI out | 71 Compal, the makers of Motorola C1xx phones, took a very different approach: they |
| 70 of FFS into their own proprietary flash data structures, and we have never | 72 completely departed from TI's way and implemented IMEI storage and retrieval |
| 71 decoded the latter, hence we don't know exactly where and how their IMEI is | 73 "by the book" instead - their IMEI is stored in the physically immutable OTP |
| 72 stored. If you wish to run FreeCalypso firmware on these phones, you have to | 74 cells of their Intel-style flash chip's protection register. Once we have made |
| 73 set your own IMEISV for our fw even if you are not seeking to make it different | 75 this discovery, our fc-loadtool now offers a new flash compal-imei command for |
| 74 from the factory-assigned one, as we don't know how to retrieve the latter. | 76 reading and saving this factory IMEI. This Compal factory OTP record is a true |
| 77 15-digit IMEI with the Luhn check digit at the end, no blurring between IMEI and | |
| 78 IMEISV here. Compal's firmwares add their own SV digits identifying different | |
| 79 fw versions - their version is truly done "by the book". | |
| 75 | 80 |
| 76 Changing the IMEI | 81 Changing the IMEI |
| 77 ================= | 82 ================= |
| 78 | 83 |
| 79 When someone says that they wish to change the IMEI on their phone, they need | 84 When someone says that they wish to change the IMEI on their phone, they need |
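Review bot: the removed lines 72-74 told users who run FreeCalypso firmware on Compal phones that they have to set their own IMEISV, and the new lines 71-79 drop that guidance without saying what those users should do now that the factory IMEI can be read. Add a sentence stating whether the IMEI saved by the flash compal-imei command is what FreeCalypso fw should be given, or point to where that is covered. Smaller points in the same paragraph: "Once we have made this discovery, our fc-loadtool now offers" mixes tenses ("Having made this discovery, ..." reads better), and "by the book" appears on both line 73 and line 79, so the closing clause can go.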
| 99 /pcm/IMEI in FFS, your new IMEISV will take effect not only with FreeCalypso | 104 /pcm/IMEI in FFS, your new IMEISV will take effect not only with FreeCalypso |
| 100 firmware, but also with the legacy mokoN fw versions, because they all look in | 105 firmware, but also with the legacy mokoN fw versions, because they all look in |
| 101 /pcm/IMEI. The same does NOT hold with Compal/Motorola or Foxconn/Pirelli | 106 /pcm/IMEI. The same does NOT hold with Compal/Motorola or Foxconn/Pirelli |
| 102 phones, however: if you wish to change their IMEI to be seen by their original | 107 phones, however: if you wish to change their IMEI to be seen by their original |
| 103 proprietary firmwares, you are on your own, as we do not currently have any | 108 proprietary firmwares, you are on your own, as we do not currently have any |
| 104 tools for accomplishing such a feat. | 109 tools for accomplishing such a feat. Furthermore, changing the IMEI seen by |
| 110 Compal's proprietary fw would require locating the IMEI reading code in their | |
| 111 fw and patching that code, as the IMEI record itself in the flash chip's | |
| 112 protection register is physically immutable. On the Pirelli DP-L10 the feat | |
| 113 would be simpler, as their factory data block can be rewritten - but we haven't | |
| 114 produced a tool for fooling Pirelli IMEIs, as there is no current need for such | |
| 115 a tool. | |
| 105 | 116 |
| 106 IMEI handling in FreeCalypso | 117 IMEI handling in FreeCalypso |
| 107 ============================ | 118 ============================ |
| 108 | 119 |
| 109 The FreeCalypso family of projects has adopted the following IMEI storage and | 120 The FreeCalypso family of projects has adopted the following IMEI storage and |
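Review bot: "fooling Pirelli IMEIs" on new line 114 does not say what such a tool would do; the preceding clause states that the factory data block can be rewritten, so wording along the lines of "rewriting the IMEI in Pirelli's factory data block" would be clearer. The added text also runs the Compal case (immutable protection register, so the fw's IMEI reading code would have to be patched) and the Pirelli case together after "Furthermore"; a paragraph break before "On the Pirelli DP-L10" would keep the two constraints apart.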
