Chip Off/On IMEI Location/Swap  

Coligulus
(@coligulus)
Active Member

The title of this thread may be a bit confusing… Apologies.

I would like to canvas people's knowledge of chip off processes and IMEI storage to establish the following

Is it fair to say that the digital store for the IMEI would be in a sector of the chip which would get removed during a chip off process?

And if so..

If the memory chip was removed from a handset and replaced into another of the exact same model (lets not get bogged down with secondary components etc) and powered on, the IMEI returned would reflect that of the original handset?

I welcome any thoughts people may have on the above and thanks in advance.

Colin

Posted : 09/03/2011 8:10 pm
raoul
(@raoul)
New Member

It depends on the brand and even the model.

Nokia for example has the IMEI stored in 2 places, in the OTP (one time program) area and in the FLASH IC (firmware); changing the chip will not work, you would need to recalculate and digitally sign it.

If you can give more info on brand / model I might be able to tell you more.

Posted : 10/03/2011 10:32 am
trewmte
(@trewmte)
Community Legend

Nokia for example has the IMEI stored in 2 places, in the OTP (one time program) area and in the FLASH IC (firmware); changing the chip will not work, you would need to recalculate and digitally sign it.

Raoul, are you saying all Nokias or just some of the Nokia range?
Thanks

Posted : 10/03/2011 11:17 am
Coligulus
(@coligulus)
Active Member

Thanks Raoul for your response.

The model in question is a Nokia 6300.

So following your response, where would the handset look for the IMEI if you entered *#06#? And which source would it read from to present to the network on powering on with an active SIM etc.?

Do I assume from what you've said that if the IMEI in the OTP and the FLASH IC are not the same that the handset would not start up correctly?

Couldn't the OTP and FLASH IC both be removed and replaced to a new board theoretically speaking and this would bypass any digital signature issues?

Thanks in advance for your time.

Posted : 10/03/2011 1:31 pm
raoul
(@raoul)
New Member

Nokia for example has the IMEI stored in 2 places, in the OTP (one time program) area and in the FLASH IC (firmware); changing the chip will not work, you would need to recalculate and digitally sign it.

Raoul, are you saying all Nokias or just some of the Nokia range?
Thanks

Depends on the platform.

Generally speaking:

-DCT4 has a UEM and a flash IC; inside the UEM is a 1 time program area. You can change the UEM, recalculate the checksums and signature in flash, and you are done (from another phone, or simply use a new UEM).

-BB5 has a RAPid, it's like a processor serial number inside the silicon of the processor (so it cannot be changed). The flash IC gets a digital signature which MUST match the RAPid. So if you change the RAP, it will never work (the flash sign is based on the old ID, and currently there is no weakness to make such a sign yourself).

If you change the flash IC you must ask Nokia to make a new signature for the flash; they check in their database if IMEI 123456789012345 matches the RAPid you request, if it does not match —> you get no signature = no working phone.

Posted : 10/03/2011 6:00 pm
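A toy model of the BB5 binding raoul describes above, added here as an example; it is not code from the thread or from Nokia. Ed25519 stands in for the vendor's real (undocumented) signing scheme, and the key pair, RAPid strings and IMEI are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// FlashImage models the flash IC contents: the IMEI plus a vendor signature
// computed over IMEI||RAPid, so the image is valid for one processor only.
type FlashImage struct {
	IMEI string
	Sig  []byte
}

// NewVendorKeys stands in for the vendor's signing key pair (assumption; only the public key ships in the handset).
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// VendorSign binds an IMEI to exactly one RAPid, as the factory database would.
func VendorSign(priv ed25519.PrivateKey, imei string, rapid []byte) FlashImage {
	msg := append([]byte(imei), rapid...)
	return FlashImage{IMEI: imei, Sig: ed25519.Sign(priv, msg)}
}

// BootCheck is the power-on check: the handset recomputes IMEI||RAPid from its
// own silicon ID and verifies the flash signature with the embedded public key.
func BootCheck(pub ed25519.PublicKey, rapid []byte, f FlashImage) bool {
	msg := append([]byte(f.IMEI), rapid...)
	return ed25519.Verify(pub, msg, f.Sig)
}

func main() {
	pub, priv := NewVendorKeys()
	rapidA := []byte("RAPID-A-constructed") // donor board's processor serial
	rapidB := []byte("RAPID-B-constructed") // recipient board's processor serial
	flash := VendorSign(priv, "123456789012345", rapidA)

	fmt.Println("flash on its own board boots:", BootCheck(pub, rapidA, flash))
	fmt.Println("same flash moved to board B boots:", BootCheck(pub, rapidB, flash))
	// Rewriting the IMEI in flash without the vendor key also fails the check.
	flash.IMEI = "999999999999999"
	fmt.Println("edited IMEI on board A boots:", BootCheck(pub, rapidA, flash))
}
```

The three checks print true, false, false: a transplanted flash and an edited IMEI both fail because the signature is bound to the original RAPid.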
raoul
(@raoul)
New Member

Thanks Raoul for your response.

The model in question is a Nokia 6300.

So following your response, where would the handset look for the IMEI if you entered *#06#? And which source would it read from to present to the network on powering on with an active SIM etc.?

Do I assume from what you've said that if the IMEI in the OTP and the FLASH IC are not the same that the handset would not start up correctly?

Couldn't the OTP and FLASH IC both be removed and replaced to a new board theoretically speaking and this would bypass any digital signature issues?

Thanks in advance for your time.

Nokia 6300 = BB5, there are no known holes (solutions) to do this. Of course you can change the flash IC, and the phone would boot up, but it would not get past the watchdog because the RAPid does not match the one in the flash IC. Technically, high level Nokia repair centers can change the flash IC, but this would not change the IMEI, as Nokia ONLY signs files to the original RAPid that is available in their database.

This is a "simplified" working explanation of the IMEI in Nokia. Technically it is currently not possible in BB5 to change the IMEI and get a WORKING phone.

Posted : 10/03/2011 6:06 pm
mark_w
(@mark_w)
New Member

Hi Colin,

Forgive me as I'm not sure why you are asking the question, but if you're asking this question because the IMEI on the manufacturer label behind the battery differs from the IMEI stored electronically, could it be due to a replacement of the mobile phone's casing?

Posted : 10/03/2011 7:16 pm
raoul
(@raoul)
New Member

Other example, SonyEricsson K800:
It has an OTP IMEI, you cannot change it. It's inside the FLASH IC, but cannot be rewritten. The only way to do this is by changing the flash IC and rewriting the OTP area with some special service tool.

But I could make a patch in the flash IC, to cheat it*. When the user wants to change the IMEI, he simply dials some code *#54545*123456789012345# and it will be changed. *#06# would display IMEI 123456789012345, and to the GSM tower the IMEI would also be 123456789012345.

Just when you attach the phone to some tool that can read OTP, it would reveal the real IMEI number!

* cheat means a known weakness inside the Db2020 platform that I can use to execute my own code; such a weakness is not known for BB5 Nokia.

Posted : 10/03/2011 9:08 pm
mark_w
(@mark_w)
New Member

It checks at a different memory location for the IMEI value, one that isn't OTP and can be altered. I have tested some handsets that perform a similar function, and an AT command, AT+GSN I believe, should reveal the correct IMEI.

Posted : 10/03/2011 9:17 pm
Coligulus
(@coligulus)
Active Member

Mark/Raoul,

Thanks for the further thoughts and comments.

The issue is not that the handset label differs from the internal via switching the casing unfortunately, that would have made my life a lot easier… ;(

Perhaps a little more detail at this point would be useful

The claim is that the Nokia 6300 was water damaged and non functional and that parts of it were harvested and fitted into another handset as an explanation for the continued connection of the first handset's IMEI to the network.

I am aware that the IMEIs can be changed using specialist software as I have a range of tools here which could do it (of course as it is illegal I have never tested them) and I know there are 'places' where this can be done for a small fee. I assume that when the tools do the job they are changing both the flash chip and the OTP as per the comments so far.

Mark - you say that it checks at a different location than the OTP for the IMEI, do you mean when entering *#06# or do you mean where the handset reads the IMEI it will present to the network, or both?

At this point I think I know the answer to the original question however it would be useful still to have more comments or those of people who may have something to add.

Thanks all for your time.

Posted : 11/03/2011 1:50 pm
raoul
(@raoul)
New Member

Mark/Raoul,
I am aware that the IMEIs can be changed using specialist software as I have a range of tools here which could do it (of course as it is illegal I have never tested them) and I know there are 'places' where this can be done for a small fee. I assume that when the tools do the job they are changing both the flash chip and the OTP as per the comments so far.
Thanks all for your time.

Nokia 6300 = BB5, the IMEI CANNOT be changed. Not possible at all!

Perhaps I can check the IMEI in the Nokia warranty database. If it will not damage your case, PM me the IMEI number.

Also post a detailed high resolution photograph of the PCB, perhaps we can see if the RAP is underfilled with epoxy glue.

Posted : 11/03/2011 3:03 pm
Pistacyjka
(@pistacyjka)
New Member

Hi Raoul,
I have read your posts about differences in Nokia's platforms and how changing the IMEI number can affect the phone. I have a situation where a Samsung SM-G35F smartphone has two different IMEI numbers: one from the manufacturer and one from the internal memory. Do you have some knowledge about that model? What kind of platform does it have? I mean, how is it possible to change the IMEI in internal memory, and does it cause damage to the phone or will it just not work?

Looking forward hearing from you.

Posted : 06/04/2020 2:17 pm
danielb
(@danielb)
Junior Member

Hi Raoul,
I have read your posts about differences in Nokia's platforms and how changing the IMEI number can affect the phone. I have a situation where a Samsung SM-G35F smartphone has two different IMEI numbers: one from the manufacturer and one from the internal memory. Do you have some knowledge about that model? What kind of platform does it have? I mean, how is it possible to change the IMEI in internal memory, and does it cause damage to the phone or will it just not work?

Looking forward hearing from you.

If you are referring to the label on the casing of the device to the one recovered via the settings or *#06#, the label is often incorrect due to the casing (rear cover) being replaced because of damage or repair work being undertaken.

Posted : 07/04/2020 4:34 pm