Compal IMEI mystery solved

Mychaela Falconia mychaela.falconia at gmail.com
Fri Jun 5 00:31:30 UTC 2020


Hello FC community,

I just solved the long-standing mystery of where and how the original
factory IMEI is stored on Compal phones.  As it turns out, their IMEI
is not stored in the main flash memory array at all, i.e., it does NOT
live in the same "vital records" flash sector as RF calibration values
- instead it is stored in the flash chip's so-called protection
register.

Many flash chips offer a small additional programmable area that is
separate from the main flash memory array; this additional small
programmable area is security-oriented and not erasable - instead it
is OTP, meaning one-time programmable.  Some flash chip manufacturers
call this area "secure silicon", others call it "protection register",
but the essence remains the same: it is a small OTP memory that is
effectively bundled together with the flash chip.  The vast majority
of embedded systems with NOR flash chips including most Calypso GSM
phones and modems never use these OTP cells, but as we just discovered,
Compal used the available 64 bits of OTP in their flash chip to store
their IMEI.

These protection register OTP cells do not appear in the regular flash
array address space, thus they do not appear in dump files made with
fc-loadtool or other equivalent tools.  Instead reading this protection
register requires issuing special commands to the flash chip: you need
to give it the Read ID command, and when the chip is in Read ID mode,
the protection register appears starting at offset 0x100.  The 64-bit
"user" portion of the protection register where the IMEI resides begins
at offset 0x10A in Read ID mode.  I am going to add a new command to
fc-loadtool to read and decode this IMEI record in a user-friendly
manner, but if you have a flash dump image taken from some phone which
you no longer have, the IMEI is irretrievably lost, as it does not
appear anywhere at all in the main flash memory array.

How did I make this discovery?  When our dear David started toying with
the idea of transplanting Compal's vital data sectors from one C139
phone to another with fc-loadtool, my curiosity got the best of me,
and I decided to test and see what would actually happen.  On the
Pirelli DP-L10 the IMEI record is protected against transplantation
with the Calypso die ID: if you read the factory data sector from one
Pirelli DP-L10 phone and transplant it to a different phone, the IMEI
decryption and verification function will fail, and *#06# will display
all zeros for the IMEI.  I expected something similar to happen on the
C139, so I tested it: I took a test subject phone with no SIM (so it
won't turn on its Tx in the absence of a user making an emergency
call) and rewrote its entire flash with bits from a different phone.
Imagine my surprise when *#06# displayed the test subject phone's true
IMEI instead of either the transplanted IMEI or some error!  I applied
rational thinking: if the IMEI resides somewhere entirely outside of
the main flash memory array, where else can it reside?  There is no
separate EEPROM chip in these phones, so I went to the datasheet for
Intel C3 flash these phones use to see if it has an "out of band" OTP
area - yup, it does.  I go in with fc-loadtool, issue the right command
for the Read ID mode as explained in the flash chip datasheet, and
look at the content of what Intel called the protection register - and
sure enough, I see the phone's IMEI in there, thankfully without any
obfuscation.

What does this discovery mean for end users?  Several takeaways:

1) If someone wishes to change the IMEI used by Motorola's official fw
on C1xx phones, the only way to do so would be to reverse-engineer
their fw, find the code that reads the IMEI from the flash chip's
protection register, and patch that code - changing the content of the
protection register itself is not possible because it is physically
immutable after having been programmed once.  If someone does wish to
reverse-engineer and patch Motorola's fw in this manner, it is a job which
I leave to other hackers - not interested in going there myself.

2) Transplanting vital data sectors from one C1xx phone to another is
still a bad idea.  Doing so won't change the IMEI, but it will cause
the phone to run with wrong RF calibration values.  There is also
other factory info (date of manufacture in particular) in those
records which is just for the user, displayable with #02# - but if you
fool with that info, you will only be fooling yourself.

This newly discovered IMEI storage scheme applies to all known Compal
phones, namely, all 3 known Mot C1xx subfamilies and Sony Ericsson
J100.

Hasta la Victoria, Siempre,
Mychaela aka The Mother
