# HG changeset patch # User Mychaela Falconia # Date 1598376512 0 # Node ID 232e36a227dd575f58875bdb4860ddd7503747db # Parent c2fe499873237147ef3c3b27b23d985f0352b645 doc/IMEI: updated for Compal IMEI discovery diff -r c2fe49987323 -r 232e36a227dd doc/IMEI --- a/doc/IMEI Tue Aug 25 16:20:38 2020 +0000 +++ b/doc/IMEI Tue Aug 25 17:28:32 2020 +0000 @@ -14,9 +14,9 @@ appears that the GSM standard authors' intent was that the IMEI part is stored immutably in each manufactured device whereas the SV digits are added by the running firmware to indicate its version, but the IMEI handling scheme -implemented in TI's reference firmware and retained by many of the TI-based GSM -device manufacturers (at least FIC/Openmoko and Foxconn/Pirelli) dispenses away -with the IMEI vs. IMEISV distinction. +implemented in TI's reference firmware and retained by many TI-based GSM device +manufacturers (FIC/Openmoko, Foxconn/Pirelli, some module vendors, but notably +NOT Compal) dispenses away with the IMEI vs. IMEISV distinction. IMEI storage and retrieval in TI's reference firmware ===================================================== @@ -56,7 +56,9 @@ blurring the distinction between the IMEI and the IMEISV, the 16 digits stored in /pcm/IMEI (which the fw treats as the IMEISV) were factory-programmed as the 15-digit IMEI (with the Luhn check digit) with an appended 0, i.e., the SV -digits get set to x0 where x is the Luhn check digit. +digits get set to x0 where x is the Luhn check digit. The same scheme has been +implemented on some Calypso-based packaged modem modules: Huawei GTM900-B and +one other module we call Tango. Foxconn, the makers of the Pirelli DP-L10, have used the obfuscated version of TI's IMEI handling mechanism instead, with an additional twist: instead of 
@@ -66,12 +68,15 @@ fw is the same as Openmoko's: 15-digit IMEI with the Luhn check digit followed by a 0 digit. -Compal, the makers of Motorola C1xx phones, have similarly moved their IMEI out -of FFS into their own proprietary flash data structures, and we have never -decoded the latter, hence we don't know exactly where and how their IMEI is -stored. If you wish to run FreeCalypso firmware on these phones, you have to -set your own IMEISV for our fw even if you are not seeking to make it different -from the factory-assigned one, as we don't know how to retrieve the latter. +Compal, the makers of Motorola C1xx phones, took a very different approach: they +completely departed from TI's way and implemented IMEI storage and retrieval +"by the book" instead - their IMEI is stored in the physically immutable OTP +cells of their Intel-style flash chip's protection register. Once we have made +this discovery, our fc-loadtool now offers a new flash compal-imei command for +reading and saving this factory IMEI. This Compal factory OTP record is a true +15-digit IMEI with the Luhn check digit at the end, no blurring between IMEI and +IMEISV here. Compal's firmwares add their own SV digits identifying different +fw versions - their version is truly done "by the book". Changing the IMEI ================= 
@@ -101,7 +106,13 @@ /pcm/IMEI. The same does NOT hold with Compal/Motorola or Foxconn/Pirelli phones, however: if you wish to change their IMEI to be seen by their original proprietary firmwares, you are on your own, as we do not currently have any -tools for accomplishing such a feat. +tools for accomplishing such a feat. Furthermore, changing the IMEI seen by +Compal's proprietary fw would require locating the IMEI reading code in their +fw and patching that code, as the IMEI record itself in the flash chip's +protection register is physically immutable. On the Pirelli DP-L10 the feat +would be simpler, as their factory data block can be rewritten - but we haven't +produced a tool for fooling Pirelli IMEIs, as there is no current need for such +a tool. IMEI handling in FreeCalypso ============================
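Review bot: In the @@ -14,9 +14,9 hunk the new parenthetical says "some module vendors" without naming them, while the @@ -56,7 hunk of this same patch names Huawei GTM900-B and Tango as the modules that use the Openmoko-style scheme; either name them here too or add "see below" so the two passages stay in sync. One wording point on the rewritten line: "dispenses away with the IMEI vs. IMEISV distinction" reads better as "dispenses with the IMEI vs. IMEISV distinction".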
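Review bot: The added sentence in the @@ -56,7 +56,9 hunk introduces "one other module we call Tango" without saying what Tango is or where it is described; a reader of doc/IMEI who has not met the name elsewhere in the tree cannot follow the reference. Suggest a short gloss or a pointer to wherever that module is documented in this doc tree, e.g. "one other module we call Tango (see the module's own description file)".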
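Review bot: The @@ -66,12 +68,15 hunk introduces the new fc-loadtool "flash compal-imei" command in passing but does not say what it produces or where it is documented; since this is the only stated way to recover the factory IMEI on these phones, add either a pointer to the fc-loadtool usage documentation or a one-line description of the output (the 15-digit IMEI read from the flash chip's protection register). Two wording points: "Once we have made this discovery" should be "Having made this discovery" or "Now that we have made this discovery", and the statement that "Compal's firmwares add their own SV digits identifying different fw versions" would be stronger if it said how that was observed, since it is the basis for the "by the book" conclusion that follows.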
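Review bot: In the @@ -101,7 +106,13 hunk, "a tool for fooling Pirelli IMEIs" is imprecise: what the sentence describes is rewriting the IMEI held in the Pirelli factory data block, so "a tool for changing Pirelli IMEIs", matching "change their IMEI" two sentences earlier, is clearer. The hunk also makes a point worth stating explicitly for the reader: because the Compal record lives in the OTP cells of the flash chip's protection register, the factory IMEI cannot be altered by any FFS or flash rewrite at all, which is consistent with the new fc-loadtool command being read-only ("reading and saving") and ties this paragraph back to the "physically immutable OTP cells" description in the section above.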