Chip Off/On IMEI Location/Swap

13 Posts
6 Users
0 Likes
1,464 Views
(@coligulus)
Posts: 165
Estimable Member
Topic starter
 

The title of this thread may be a bit confusing… Apologies.

I would like to canvas people's knowledge of chip off processes and IMEI storage to establish the following

Is it fair to say that the digital store for the IMEI would be in a sector of the chip which would get removed during a chip off process?

And if so..

If the memory chip was removed from a handset and replaced into another of the exact same model (lets not get bogged down with secondary components etc) and powered on, the IMEI returned would reflect that of the original handset?

I welcome any thoughts people may have on the above and thanks in advance.

Colin

 
Posted : 09/03/2011 8:10 pm
(@raoul)
Posts: 16
Active Member
 

It depends on the brand and even the model.

Nokia, for example, has the IMEI stored in 2 places: in the OTP (one time program) area and in the FLASH IC (firmware). Changing the chip will not work; you would need to recalculate and digitally sign it.

If you can give more info on brand / model I might be able to tell you more.

 
Posted : 10/03/2011 10:32 am
(@trewmte)
Posts: 1877
Noble Member
 

Nokia, for example, has the IMEI stored in 2 places: in the OTP (one time program) area and in the FLASH IC (firmware). Changing the chip will not work; you would need to recalculate and digitally sign it.

Raoul, are you saying all Nokias or just some of the Nokia range?
Thanks

 
Posted : 10/03/2011 11:17 am
(@coligulus)
Posts: 165
Estimable Member
Topic starter
 

Thanks Raoul for your response.

The model in question is a Nokia 6300.

So following your response, where would the handset look for the IMEI if you entered *#06#? And which source would it read from to present to the network on powering on with active SIM etc..?

Do I assume from what you've said that if the IMEI in the OTP and the FLASH IC are not the same that the handset would not start up correctly?

Couldn't the OTP and FLASH IC both be removed and replaced to a new board theoretically speaking and this would bypass any digital signature issues?

Thanks in advance for your time.

 
Posted : 10/03/2011 1:31 pm
(@raoul)
Posts: 16
Active Member
 

Nokia, for example, has the IMEI stored in 2 places: in the OTP (one time program) area and in the FLASH IC (firmware). Changing the chip will not work; you would need to recalculate and digitally sign it.

Raoul, are you saying all Nokias or just some of the Nokia range?
Thanks

Depends on the platform.

Generally speaking:

- DCT4 has a UEM and a flash IC; inside the UEM is a one time program area. You can change the UEM, recalculate the checksums and signature in flash, and you are done (from another phone, or simply use a new UEM).

- BB5 has a RAPid; it's like a processor serial number inside the silicon of the processor (so it cannot be changed). The flash IC gets a digital signature which MUST match the RAPid. So if you change the RAP, it will never work (the flash signature is based on the old ID, and currently there is no weakness to make such a signature yourself).

If you change the flash IC you must ask Nokia to make a new signature for the flash; they check in their database if IMEI 123456789012345 matches the RAPid you request. If it does not match -> you get no signature = no working phone.

 
Posted : 10/03/2011 6:00 pm
(@raoul)
Posts: 16
Active Member
 

Thanks Raoul for your response.

The model in question is a Nokia 6300.

So following your response, where would the handset look for the IMEI if you entered *#06#? And which source would it read from to present to the network on powering on with active SIM etc..?

Do I assume from what you've said that if the IMEI in the OTP and the FLASH IC are not the same that the handset would not start up correctly?

Couldn't the OTP and FLASH IC both be removed and replaced to a new board theoretically speaking and this would bypass any digital signature issues?

Thanks in advance for your time.

Nokia 6300 = BB5; there are no known holes (solutions) to do this. Of course you can change the flash IC, and the phone would boot up, but it would not get past the watchdog because the RAPid does not match the one in the flash IC. Technically, high-level Nokia repair centers can change the flash IC, but this would not change the IMEI, as Nokia ONLY signs files to the original RAPid that is available in their database.

This is a "simplified" working explanation of the IMEI in Nokia. Technically it is currently not possible in BB5 to change the IMEI and get a WORKING phone.

 
Posted : 10/03/2011 6:06 pm
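The BB5 rule raoul describes (the flash IC carries a vendor signature bound to the processor's RAPid, and the watchdog refuses to run if either the signature or the bound RAPid does not match) can be modelled in a few lines. The example below is added here and is not Nokia's code nor anything posted in the thread; it assumes a constructed record layout (`imei`, `rapid`, `sig`) and uses an HMAC with a constructed key as a stand-in for the vendor's asymmetric signature. It walks the three cases from the discussion: original flash on its own board, flash IC moved to another board, and flash contents edited without the signing key.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed vendor key. In the scheme described in the thread the vendor holds
# the signing key and signs flash contents offline; an HMAC with a secret key
# stands in here for that asymmetric vendor signature.
VENDOR_KEY = b"constructed-vendor-key-not-a-real-secret"


def _payload(imei: str, rapid: str) -> bytes:
    # Canonical encoding of the two fields the signature covers.
    return json.dumps({"imei": imei, "rapid": rapid}, sort_keys=True).encode()


def sign_flash_record(imei: str, rapid: str, key: bytes = VENDOR_KEY) -> Dict[str, str]:
    """Vendor-side step: produce the signed IMEI block that lives in the flash IC.
    The signature binds the IMEI to one specific RAPid (constructed field names)."""
    sig = hmac.new(key, _payload(imei, rapid), hashlib.sha256).hexdigest()
    return {"imei": imei, "rapid": rapid, "sig": sig}


def watchdog_check(processor_rapid: str, flash: Dict[str, str],
                   key: bytes = VENDOR_KEY) -> Tuple[bool, str]:
    """Boot-time check as the thread describes it: the flash signature must verify,
    and the RAPid it was signed for must equal the RAPid burned into the processor."""
    expected = hmac.new(key, _payload(flash["imei"], flash["rapid"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, flash["sig"]):
        return False, "flash signature does not verify: contents altered after signing"
    if flash["rapid"] != processor_rapid:
        return False, "flash signed for a different RAPid: flash IC moved from another board"
    return True, "ok"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """The three cases from the thread, with constructed RAPids and IMEIs."""
    rapid_a, rapid_b = "RAPID-A-0001", "RAPID-B-0002"        # two different processors
    flash_a = sign_flash_record("490154203237518", rapid_a)  # phone A as shipped

    # 1. Original flash on its original board: boots.
    original = watchdog_check(rapid_a, flash_a)
    # 2. Chip-off: flash IC from phone A fitted to phone B's board. The IMEI field
    #    still holds phone A's IMEI, but the signature was issued for RAPID-A.
    moved = watchdog_check(rapid_b, flash_a)
    # 3. Flash copied and the IMEI field edited without the vendor key: signature breaks.
    edited = dict(flash_a, imei="351451200000016")
    tampered = watchdog_check(rapid_a, edited)
    return {"original_board": original,
            "moved_to_other_board": moved,
            "edited_imei": tampered}


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:22s} {'BOOTS' if ok else 'FAILS'}  {reason}")
```

The second scenario is the one the topic starter asks about: the moved flash still carries the first handset's IMEI, so on an unprotected platform that IMEI would appear on the network, but under the BB5-style binding the board never gets past the watchdog. DCT4, as raoul notes, has no such hardware binding, which is why a UEM swap plus recalculated checksums works there.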
(@mark_w)
Posts: 19
Active Member
 

Hi Colin,

Forgive me as I'm not sure why you are asking the question, but if you're asking this question because the IMEI on the manufacturer label behind the battery differs from the IMEI stored electronically, could it be due to a replacement of the mobile phone's casing?

 
Posted : 10/03/2011 7:16 pm
(@raoul)
Posts: 16
Active Member
 

Other example, Sony Ericsson K800:
It has an OTP IMEI, which cannot be changed. It's inside the FLASH IC, but cannot be rewritten. The only way to do this is by changing the flash IC and rewriting the OTP area with some special service tool.

But I could make a patch in the flash IC to cheat it*. When the user wants to change the IMEI, he simply dials some code *#54545*123456789012345# and it will be changed. *#06# would display IMEI 123456789012345, and to the GSM tower the IMEI would also be 123456789012345.

Just when you attach the phone to some tool that can read the OTP, it would reveal the real IMEI number!

* cheat means a known weakness inside the DB2020 platform that I can use to execute my own code; such a weakness is not known for BB5 Nokia.

 
Posted : 10/03/2011 9:08 pm
(@mark_w)
Posts: 19
Active Member
 

It checks at a different memory location for the IMEI value, one that isn't OTP and can be altered. I have tested some handsets that perform a similar function, and an AT command, AT+GSN I believe, should reveal the correct IMEI.

 
Posted : 10/03/2011 9:17 pm
(@coligulus)
Posts: 165
Estimable Member
Topic starter
 

Mark/Raoul,

Thanks for the further thoughts and comments.

The issue is not that the handset label differs from the internal via switching the casing unfortunately, that would have made my life a lot easier… ;(

Perhaps a little more detail at this point would be useful

The claim is that the Nokia 6300 was water damaged and non functional and that parts of it were harvested and fitted into another handset as an explanation for the continued connection of the first handset's IMEI to the network.

I am aware that IMEIs can be changed using specialist software, as I have a range of tools here which could do it (of course, as it is illegal, I have never tested them), and I know there are 'places' where this can be done for a small fee. I assume that when the tools do the job they are changing both the flash chip and the OTP, as per the comments so far.

Mark - you say that it checks at a different location than the OTP for the IMEI, do you mean when entering *#06# or do you mean where the handset reads the IMEI it will present to the network, or both?

At this point I think I know the answer to the original question; however, it would still be useful to have more comments, or those of people who may have something to add.

Thanks all for your time.

 
Posted : 11/03/2011 1:50 pm
Page 1 / 2