Mychaela Falconia mychaela.falconia at gmail.com
Tue Jun 2 23:17:29 UTC 2020

Hi David,

> Now I used these fc-loadtool commands to put the flash from the old stolen
> model onto the new phone:-
> flash erase-program-boot my_c139.bin 10000
> flash erase 10000 360000
> flash program-bin 10000 my_c139.bin 10000 360000

Good, these commands you have used are indeed correct for use cases
like yours - but these commands very deliberately do NOT rewrite the
entire flash, instead they rewrite only the firmware portion of it.

> But, to my surprise the IMEI has not changed - ie it's the same as before the
> flash operation,

It shouldn't be a surprise - your phone is behaving exactly as it
should.  You have rewritten the firmware portion of the flash while
leaving the vital data area untouched; the vital data area of the
flash which you thankfully didn't touch (thank all the gods that you
didn't issue wrong loadtool commands and try to reflash that area)
stores the IMEI (in some encrypted or obfuscated form apparently),
factory RF calibration values and unknown other data.

> whereas I expected it would now have the IMEI of the stolen phone.

Why did you expect so?  The behaviour you seemingly expected would
occur only if you were to rewrite your *entire* phone flash with bits
from a different phone - but doing so would be an extremely bad idea
and should NEVER be done:

* Transplanting RF calibration values from one phone to a different
one will almost certainly put its radio operation officially out of
compliance, as these RF parameters are calibrated per individual unit.
In reality your chances of getting caught will be nil, and the degree
of non-compliance may well be below the GSM 05.05 spec's very generous
2 dB tolerance, but doing a blind transplant of this sort would still
be morally wrong and grounds for severe disapproval and censure from

* The IMEI appears to be stored in some encrypted or obfuscated form,
and I wasn't able to locate it in Compal's factory data records.  TI
had an example IMEI obfuscation scheme in which the IMEI is encrypted
with DES, with the Calypso die ID used as the DES key, and this scheme
has been adopted by Foxconn for Pirelli DP-L10.  If Compal used the
same scheme or some other in which the Calypso die ID is used as part
of IMEI record decoding or verification, then a transplanted IMEI will
be detected and rejected.  Think of it as akin to organ transplant
rejection - not fun.

> So question - will I have the correct calibration figures for this hardware
> - ie will those figures, like the IMEI, also have remained unchanged?

Yes - if the loadtool commands you issued were indeed as you said,
then you have only rewritten the firmware portion and not the vital
data area of your phone flash, and you still have the correct
calibration values and IMEI untouched.

> Guessing not, as we pull those figures out of the flash dump.

Not with loadtool commands which you cited - these rewrite only the fw
portion and not the vital data sectors.

Or maybe when you said "we pull those figures out of the flash dump",
perhaps you were referring to the procedure for running FreeCalypso fw
on these phones?  In that case yes, we do extract RF calibration
values out of the flash dump - but it must be the *correct* flash
dump!  You need to make a complete flash dump from your *current*
phone, not the other specimen, and use it for FC installation purposes
when the time comes.

> Is the phone likely to behave badly with this "wrong" flash?

*Would* it be likely to behave badly if you were to go counter to my
instructions and transplant the vital data sectors?  Most likely the
error will be quite small, to where the altered RF operation would be
wrong morally, but not practically.  But if some bad boy were to
carelessly transplant RF calibration values on his phone in blatant
disregard of my instructions and admonitions, don't bring that phone
to Themyscira, or I in my capacity as the High Priestess of
Telecommunications for the Women's Republic of Themyscira will unleash
the full wrath of our equivalent of FCC on you. :)

> I saw that the software versions (from #02#) are identical but I guess that
> is beside the point.

There is the "base" SW version, and then FFE and LPE versions.  Your
base fw version may very well be the same, but FFE and/or LPE must be
different in order to go from carrier branding to pure Motorola

Have you saved a complete flash dump from your current C139 phone in
its original state prior to reflashing it?  If you have, run the Unix
strings command on it and grep for FFE and LPE strings.  And if you
haven't made and saved a flash dump first, then it was very
irresponsible of you!  You lucked out in that you haven't rewritten
your vital data sectors with a transplant (or at least it appears so
from your post), but if you had rewritten those sectors and didn't
have a backup that can be restored, then that phone would have to be
scrapped and physically destroyed, which would be unforgivable given
that you need a rare EU-bands version of C139 and can't use a North
American C139 phone of which I have a huge stash.


More information about the Community mailing list