8110 4G IMEI manipulation method found (for rooted/custom ROMs)


Luxferre

Apr 9, 2019, 2:09:14 PM
to comp.mobile.nokia.8110
Hi folks,

We're the world's first again. Whoever has time can look at my blog post about this finding. For everyone else, here is the brief news: the fsg and tunning partitions are just TAR archives, and the second one contains sensitive NV items, including nvm/num/550 and nvm/context1/550, which are responsible for IMEI1 and IMEI2 respectively.

I've been searching for this for over half a year.
In that blog post, a POC script to run from adb shell is also attached.

Have fun and be safe!

speeduploop

Apr 9, 2019, 2:30:13 PM
to comp.mobile.nokia.8110
Hi Luxferre!

Really nice finding... :D

I also found the tar archives some days before, but hadn't examined all entries.
(That's where I found out that our 8110 seems to share its modem software with the 3310; I mentioned it on Discord.)

So we are now able to repair IMEIs, one additional step taken ;)

mfg, speeduploop

NB: we could have found it earlier with a simple 'file' call :D
emkay@yoga:~/Entwicklung/nokia8110/dumps_v13_bs$ file *
abootbak.img:     ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
aboot.img:        ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
boot.img:         Android bootimg, kernel, ramdisk, page size: 2048, cmdline (console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=)
cache.img:        Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (needs journal recovery) (extents) (large files)
config.img:       data
DDR.img:          data
devinfo.img:      data
fsc.img:          data
fsg.img:          POSIX tar archive (GNU)
keystore.img:     data
misc.img:         data
modem.img:        DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", sectors/cluster 32, root entries 512, Media descriptor 0xf8, sectors/FAT 17, sectors/track 63, heads 255, sectors 131072 (volumes > 32 MB), serial number 0xbc614e, unlabeled, FAT (16 bit)
modemst1.img:     TIM image, 24-Bit, Pixel at (48088,49697) Size=65024x47
modemst2.img:     data
oem.img:          data
pad.img:          data
persist.img:      Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (extents) (large files)
recovery_bak.img: Android bootimg, kernel, ramdisk, page size: 2048, cmdline (console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=)
recovery.img:     Android bootimg, kernel, ramdisk, page size: 2048, cmdline (console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=)
rpmbak.img:       ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
rpm.img:          ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
sbl1bak.img:      ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
sbl1.img:         ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
sec.img:          data
simlock.img:      data
splash.img:       data
ssd.img:          data
system.img:       Linux rev 1.0 ext4 filesystem data, UUID=da594c53-9beb-f85c-85c5-cedf76546f7a, volume name "system" (extents) (large files)
traceability.img: data
tunning.img:      POSIX tar archive (GNU)
tzbak.img:        ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
tz.img:           ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
userdata.img:     Linux rev 1.0 ext4 filesystem data, UUID=57f8f4bc-abf4-655f-bf67-946fc0f9f25b (extents) (large files)
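Both points above, that the fsg and tunning images are TAR archives and that a plain 'file' call would have shown it, come down to magic bytes at fixed offsets. The Python below is an added example written for this thread, not code from either poster or from the blog post they mention: it classifies raw partition images by a handful of documented signatures (ELF, Android bootimg, POSIX tar, ext2/3/4 superblock, FAT boot sector) and lists the members of any tar image so a dump can be inventoried without extracting it. The "dump" it runs on is constructed in memory, with made-up member names; the signature offsets are taken from the public format descriptions. It is a triage heuristic, not a replacement for file(1), whose database is far larger.

```python
import io
import struct
import tarfile
from typing import Dict, List

# Signatures and offsets from the public format descriptions (assumed
# well-known, not taken from the device):
ELF_MAGIC = b"\x7fELF"            # offset 0
ANDROID_BOOT_MAGIC = b"ANDROID!"  # offset 0
USTAR_MAGIC = b"ustar"            # offset 257 of a POSIX/GNU tar header
EXT_SUPERBLOCK_OFFSET = 1024      # ext2/3/4 superblock lives at 1 KiB
EXT_MAGIC = 0xEF53                # little-endian u16 at superblock + 0x38
FAT_BOOT_SIG = b"\x55\xAA"        # bytes 510..511 of a FAT boot sector


def identify_image(data: bytes) -> str:
    """Return a short format label for a raw partition image, or 'data'
    when none of the known signatures matches (what file(1) also says)."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(ANDROID_BOOT_MAGIC):
        return "android-bootimg"
    if len(data) >= 262 and data[257:262] == USTAR_MAGIC:
        return "tar"
    if len(data) >= EXT_SUPERBLOCK_OFFSET + 0x3A:
        (magic,) = struct.unpack_from("<H", data, EXT_SUPERBLOCK_OFFSET + 0x38)
        if magic == EXT_MAGIC:
            return "ext-fs"
    # FAT: jump instruction at byte 0 plus the 0x55AA boot signature.
    if len(data) >= 512 and data[510:512] == FAT_BOOT_SIG and data[0] in (0xEB, 0xE9):
        return "fat-boot-sector"
    return "data"


def list_tar_members(data: bytes) -> List[str]:
    """Member names of a tar image, for inventory without extraction."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def triage(images: Dict[str, bytes]) -> Dict[str, str]:
    """Map every image name in a dump directory to its detected format."""
    return {name: identify_image(blob) for name, blob in images.items()}


def build_sample_tar() -> bytes:
    """Constructed tar image with two dummy members (not real NV data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in (("item_a", b"\x01\x02"), ("item_b", b"\x03")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample dump: only the bytes the checks look at are realistic.
SAMPLE_DUMP: Dict[str, bytes] = {
    "tunning.img": build_sample_tar(),
    "sbl1.img": ELF_MAGIC + b"\x01\x01\x01" + bytes(61),
    "boot.img": ANDROID_BOOT_MAGIC + bytes(2040),
    "system.img": bytes(EXT_SUPERBLOCK_OFFSET + 0x38)
    + struct.pack("<H", EXT_MAGIC)
    + bytes(64),
    "modem.img": b"\xEB\x3C\x90" + b"MSDOS5.0" + bytes(499) + FAT_BOOT_SIG,
    "misc.img": bytes(4096),
}


if __name__ == "__main__":
    for name, kind in triage(SAMPLE_DUMP).items():
        print(f"{name:18} {kind}")
        if kind == "tar":
            for member in list_tar_members(SAMPLE_DUMP[name]):
                print(f"{'':18}   {member}")
```

Running it prints one line per image with its detected format and, for the tar image, an indented member list. The check order matters: the ext superblock test is done before the FAT test because a filesystem image can legitimately carry a 0x55AA boot signature, and a short image that cannot hold a superblock simply falls through to 'data'.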

Tudor Pop

May 10, 2021, 7:28:45 PM
to comp.mobile.nokia.8110
Hi Luxferre.
Good work!
Is there any app that can change one or both IMEIs after every event, like a phone call and/or SMS? Or a similar feature that can be enabled on a custom ROM? If yes, can you help me?
Thank you.