changeset 725:232e36a227dd

doc/IMEI: updated for Compal IMEI discovery
author Mychaela Falconia <falcon@freecalypso.org>
date Tue, 25 Aug 2020 17:28:32 +0000
parents c2fe49987323
children d68275d47a32
files doc/IMEI
diffstat 1 files changed, 22 insertions(+), 11 deletions(-)
--- a/doc/IMEI	Tue Aug 25 16:20:38 2020 +0000
+++ b/doc/IMEI	Tue Aug 25 17:28:32 2020 +0000
@@ -14,9 +14,9 @@
 appears that the GSM standard authors' intent was that the IMEI part is stored
 immutably in each manufactured device whereas the SV digits are added by the
 running firmware to indicate its version, but the IMEI handling scheme
-implemented in TI's reference firmware and retained by many of the TI-based GSM
-device manufacturers (at least FIC/Openmoko and Foxconn/Pirelli) dispenses away
-with the IMEI vs. IMEISV distinction.
+implemented in TI's reference firmware and retained by many TI-based GSM device
+manufacturers (FIC/Openmoko, Foxconn/Pirelli, some module vendors, but notably
+NOT Compal) dispenses away with the IMEI vs. IMEISV distinction.
 
 IMEI storage and retrieval in TI's reference firmware
 =====================================================
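Review bot: "some module vendors" in the new parenthetical is left unnamed here even though the next hunk identifies them (Huawei GTM900-B and the module called Tango); naming them in this summary, or pointing at the section below, keeps the overview and the detail in agreement. Also, "dispenses away with" on the last added line is not idiomatic; "dispenses with" is the usual form, e.g. "NOT Compal) dispenses with the IMEI vs. IMEISV distinction."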
@@ -56,7 +56,9 @@
 blurring the distinction between the IMEI and the IMEISV, the 16 digits stored
 in /pcm/IMEI (which the fw treats as the IMEISV) were factory-programmed as the
 15-digit IMEI (with the Luhn check digit) with an appended 0, i.e., the SV
-digits get set to x0 where x is the Luhn check digit.
+digits get set to x0 where x is the Luhn check digit.  The same scheme has been
+implemented on some Calypso-based packaged modem modules: Huawei GTM900-B and
+one other module we call Tango.
 
 Foxconn, the makers of the Pirelli DP-L10, have used the obfuscated version of
 TI's IMEI handling mechanism instead, with an additional twist: instead of
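Review bot: "one other module we call Tango" on the added lines gives a reader no way to identify the hardware; state that Tango is a FreeCalypso working name and what it designates (or that the vendor and product name are unknown), so someone holding such a module can match it to this paragraph. It would also help to say here how the x0 convention was confirmed on the GTM900-B and Tango (for example by reading their /pcm/IMEI record), since the preceding lines establish it only for the phone case.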
@@ -66,12 +68,15 @@
 fw is the same as Openmoko's: 15-digit IMEI with the Luhn check digit followed
 by a 0 digit.
 
-Compal, the makers of Motorola C1xx phones, have similarly moved their IMEI out
-of FFS into their own proprietary flash data structures, and we have never
-decoded the latter, hence we don't know exactly where and how their IMEI is
-stored.  If you wish to run FreeCalypso firmware on these phones, you have to
-set your own IMEISV for our fw even if you are not seeking to make it different
-from the factory-assigned one, as we don't know how to retrieve the latter.
+Compal, the makers of Motorola C1xx phones, took a very different approach: they
+completely departed from TI's way and implemented IMEI storage and retrieval
+"by the book" instead - their IMEI is stored in the physically immutable OTP
+cells of their Intel-style flash chip's protection register.  Once we have made
+this discovery, our fc-loadtool now offers a new flash compal-imei command for
+reading and saving this factory IMEI.  This Compal factory OTP record is a true
+15-digit IMEI with the Luhn check digit at the end, no blurring between IMEI and
+IMEISV here.  Compal's firmwares add their own SV digits identifying different
+fw versions - their version is truly done "by the book".
 
 Changing the IMEI
 =================
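Review bot: the new paragraph says the flash compal-imei command reads and saves a true 15-digit IMEI, but nothing says how that record is carried into FreeCalypso's 16-digit /pcm/IMEI (which the fw treats as the IMEISV) on a Compal phone; the deleted lines told the user to set their own IMEISV, and no replacement instruction is given. State which SV digits to append (the x0 convention from the earlier hunk, or a real SV) and where the saved record is expected to go. Two smaller points: "Once we have made this discovery" should read "Now that we have made this discovery", and the paragraph should record which Compal/Motorola models and flash chips the OTP location was verified on and how the digits are encoded in the protection register, since the claim of physical immutability rests on that register.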
@@ -101,7 +106,13 @@
 /pcm/IMEI.  The same does NOT hold with Compal/Motorola or Foxconn/Pirelli
 phones, however: if you wish to change their IMEI to be seen by their original
 proprietary firmwares, you are on your own, as we do not currently have any
-tools for accomplishing such a feat.
+tools for accomplishing such a feat.  Furthermore, changing the IMEI seen by
+Compal's proprietary fw would require locating the IMEI reading code in their
+fw and patching that code, as the IMEI record itself in the flash chip's
+protection register is physically immutable.  On the Pirelli DP-L10 the feat
+would be simpler, as their factory data block can be rewritten - but we haven't
+produced a tool for fooling Pirelli IMEIs, as there is no current need for such
+a tool.
 
 IMEI handling in FreeCalypso
 ============================
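Review bot: the Pirelli sentence on the added lines says the feat "would be simpler, as their factory data block can be rewritten", but the earlier Foxconn paragraph says the IMEI there is stored via the obfuscated version of TI's mechanism with an additional twist; any rewrite would have to reproduce that obfuscation, so say so rather than implying a plain data-block edit suffices. Also "fooling Pirelli IMEIs" is odd wording; "altering Pirelli IMEIs" or "faking the IMEI on Pirelli phones" reads better.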