8110 4G IMEI manipulation method found (for rooted/custom ROMs)

940 views
Skip to first unread message

Luxferre

unread,
Apr 9, 2019, 2:09:14 PM4/9/19
to comp.mobile.nokia.8110
Hi folks,

We're world's first again. Who has time, can look at my blog post about this finding. For everyone else, here are some brief news: the fsg and tunning partitions are just TAR archives, and the second one contains sensitive NV items, including nvm/num/550 and nvm/context1/550 which are responsible for IMEI1 and IMEI2 respectively.

I've been searching for this for over half a year.
In that blog post, a POC script to run form adb shell is also attached.

Have fun and be safe!

speeduploop

unread,
Apr 9, 2019, 2:30:13 PM4/9/19
to comp.mobile.nokia.8110
Hi Luxferre!

Really nice finding... :D

I also found the tar-archives some days before - but haven't examine all entries.
(that's where I found out that our 8110 seems to share modem software 3310 - I mentioned on discord)

So we are now able to repair IMEIs - one additional step taken ;)

mfg, speeduploop

NB: we could have find it earlier - with a simple 'file' call :D
emkay@yoga:~/Entwicklung/nokia8110/dumps_v13_bs$ file *
abootbak.img:     ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
aboot.img:        ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
boot.img:         Android bootimg, kernel, ramdisk, page size: 2048, cmdline (console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=)
cache.img:        Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (needs journal recovery) (extents) (large files)
config.img:       data
DDR.img:          data
devinfo.img:      data
fsc.img:          data
fsg.img:          POSIX tar archive (GNU)
keystore.img:     data
misc.img:         data
modem.img:        DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", sectors/cluster 32, root entries 512, Media descriptor 0xf8, sectors/FAT 17, sectors/track 63, heads 255, sectors 131072 (volumes > 32 MB), serial number 0xbc614e, unlabeled, FAT (16 bit)
modemst1.img:     TIM image, 24-Bit, Pixel at (48088,49697) Size=65024x47
modemst2.img:     data
oem.img:          data
pad.img:          data
persist.img:      Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (extents) (large files)
recovery_bak.img: Android bootimg, kernel, ramdisk, page size: 2048, cmdline (console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=)
recovery.img:     Android bootimg, kernel, ramdisk, page size: 2048, cmdline (console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=)
rpmbak.img:       ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
rpm.img:          ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
sbl1bak.img:      ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
sbl1.img:         ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
sec.img:          data
simlock.img:      data
splash.img:       data
ssd.img:          data
system.img:       Linux rev 1.0 ext4 filesystem data, UUID=da594c53-9beb-f85c-85c5-cedf76546f7a, volume name "system" (extents) (large files)
traceability.img: data
tunning.img:      POSIX tar archive (GNU)
tzbak.img:        ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
tz.img:           ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
userdata.img:     Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (extents) (large files)

Tudor Pop

unread,
May 10, 2021, 7:28:45 PM5/10/21
to comp.mobile.nokia.8110
Hi Luxferre.
Good work!
There is any app that can change one or both IMEIs after every event, like phone call and/or SMS? Or a similar feature that can be enabled on a custom Rom? If yes, can you help me?
Thank you.
Reply all
Reply to author
Forward
Message has been deleted
Message has been deleted
0 new messages