Hello FC community,

I just solved the long-standing mystery of where and how the original factory IMEI is stored on Compal phones. As it turns out, their IMEI is not stored in the main flash memory array at all, i.e., it does NOT live in the same "vital records" flash sector as RF calibration values - instead it is stored in the flash chip's so-called protection register.

Many flash chips offer a small additional programmable area that is separate from the main flash memory array; this additional small programmable area is security-oriented and not erasable - instead it is OTP, meaning one-time programmable. Some flash chip manufacturers call this area "secure silicon", others call it "protection register", but the essence remains the same: it is a small OTP memory that is effectively bundled together with the flash chip. The vast majority of embedded systems with NOR flash chips, including most Calypso GSM phones and modems, never use these OTP cells, but as we just discovered, Compal used the available 64 bits of OTP in their flash chip to store their IMEI. These protection register OTP cells do not appear in the regular flash array address space, thus they do not appear in dump files made with fc-loadtool or other equivalent tools.

Instead, reading this protection register requires issuing special commands to the flash chip: you need to give it the Read ID command, and when the chip is in Read ID mode, the protection register appears starting at offset 0x100. The 64-bit "user" portion of the protection register where the IMEI resides begins at offset 0x10A in Read ID mode.

I am going to add a new command to fc-loadtool to read and decode this IMEI record in a user-friendly manner, but if you have a flash dump image taken from some phone which you no longer have, the IMEI is irretrievably lost, as it does not appear anywhere at all in the main flash memory array.

How did I make this discovery? When our dear David started toying with the idea of transplanting Compal's vital data sectors from one C139 phone to another with fc-loadtool, my curiosity got the best of me, and I decided to test and see what would actually happen.

On the Pirelli DP-L10 the IMEI record is protected against transplantation with the Calypso die ID: if you read the factory data sector from one Pirelli DP-L10 phone and transplant it to a different phone, the IMEI decryption and verification function will fail, and *#06# will display all zeros for the IMEI. I expected something similar to happen on the C139, so I tested it: I took a test subject phone with no SIM (so it won't turn on its Tx in the absence of a user making an emergency call) and rewrote its entire flash with bits from a different phone. Imagine my surprise when *#06# displayed the test subject phone's true IMEI instead of either the transplanted IMEI or some error!

I applied rational thinking: if the IMEI resides somewhere entirely outside of the main flash memory array, where else can it reside? There is no separate EEPROM chip in these phones, so I went to the datasheet for the Intel C3 flash these phones use to see if it has an "out of band" OTP area - yup, it does. I go in with fc-loadtool, issue the right command for the Read ID mode as explained in the flash chip datasheet, and look at the content of what Intel called the protection register - and sure enough, I see the phone's IMEI in there, thankfully without any obfuscation.

What does this discovery mean for end users? Several takeaways:

1) If someone wishes to change the IMEI used by Motorola's official fw on C1xx phones, the only way to do so would be to reverse-engineer their fw, find the code that reads the IMEI from the flash chip's protection register, and patch that code - changing the content of the protection register itself is not possible because it is physically immutable after having been programmed once. If someone does wish to reverse-eng and patch Motorola's fw in this manner, it is a job which I leave to other hackers - not interested in going there myself.

2) Transplanting vital data sectors from one C1xx phone to another is still a bad idea. Doing so won't change the IMEI, but it will cause the phone to run with wrong RF calibration values. There is also other factory info (date of manufacture in particular) in those records which is just for the user, displayable with #02# - but if you fool with that info, you will only be fooling yourself.

This newly discovered IMEI storage scheme applies to all known Compal phones, namely, all 3 known Mot C1xx subfamilies and Sony Ericsson J100.

Hasta la Victoria, Siempre,
Mychaela aka The Mother
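As an added illustration of the protection-register layout described in the post (this is not FreeCalypso or fc-loadtool code, and it does not talk to real hardware): the snippet below takes a byte-addressed snapshot of what the chip presents in Read ID mode, pulls out the 64-bit user portion at offset 0x10A, decodes it as an IMEI, and checks the IMEI's Luhn check digit. The packed-BCD nibble order, the 0xF pad nibble, and the sample bytes are assumptions constructed for this example; the post says only that the IMEI is stored there without obfuscation, not how the digits are packed. The all-0xFF case models a chip whose user OTP was never programmed, which the post says is the situation on most Calypso devices.

```python
# Added example, not part of the original post or of fc-loadtool.
# Offsets come from the post; the BCD layout and sample data are assumed.

PROT_REG_OFFSET = 0x100   # protection register start in Read ID mode (from the post)
USER_OTP_OFFSET = 0x10A   # 64-bit "user" portion holding the IMEI (from the post)
USER_OTP_LEN = 8          # 64 bits


def luhn_check_digit(digits14: str) -> int:
    """Return the Luhn check digit for the first 14 IMEI digits."""
    total = 0
    for i, ch in enumerate(digits14):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the left is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(imei: str) -> bool:
    """True if imei is 15 digits and its last digit is the correct Luhn check digit."""
    return (len(imei) == 15 and imei.isdigit()
            and int(imei[14]) == luhn_check_digit(imei[:14]))


def decode_bcd_imei(user_otp: bytes) -> str:
    """ASSUMED layout: 15 packed-BCD digits, low nibble first, 0xF pad nibble last.

    Raises ValueError on a non-BCD nibble, which is what an erased (0xFF) or
    otherwise unprogrammed OTP area looks like.
    """
    if len(user_otp) != USER_OTP_LEN:
        raise ValueError("user OTP area must be exactly 8 bytes")
    nibbles = []
    for b in user_otp:
        nibbles.append(b & 0x0F)
        nibbles.append(b >> 4)
    digits = nibbles[:15]
    if any(n > 9 for n in digits):
        raise ValueError("non-BCD nibble in IMEI field (unprogrammed OTP?)")
    return "".join(str(n) for n in digits)


def extract_imei(read_id_view: bytes) -> str:
    """read_id_view: byte-addressed snapshot of the chip's Read ID address space."""
    user = read_id_view[USER_OTP_OFFSET:USER_OTP_OFFSET + USER_OTP_LEN]
    return decode_bcd_imei(user)


def pack_bcd_imei(imei: str) -> bytes:
    """Inverse of decode_bcd_imei; only used here to build the constructed sample."""
    if not is_valid_imei(imei):
        raise ValueError("refusing to pack an IMEI with a bad check digit")
    nibbles = [int(c) for c in imei] + [0xF]          # 16 nibbles = 8 bytes
    return bytes(nibbles[i] | (nibbles[i + 1] << 4) for i in range(0, 16, 2))


# Constructed sample: a Read ID view that is all 0xFF (erased) except for the
# user OTP area, which carries a sample IMEI with a valid check digit.
SAMPLE_IMEI = "490154203237518"
SAMPLE_READ_ID_VIEW = bytearray(b"\xFF" * 0x200)
SAMPLE_READ_ID_VIEW[USER_OTP_OFFSET:USER_OTP_OFFSET + USER_OTP_LEN] = pack_bcd_imei(SAMPLE_IMEI)
SAMPLE_READ_ID_VIEW = bytes(SAMPLE_READ_ID_VIEW)

# A second constructed view in which the user OTP was never programmed.
UNPROGRAMMED_READ_ID_VIEW = b"\xFF" * 0x200


def describe(read_id_view: bytes) -> str:
    """Human-readable result for a Read ID snapshot."""
    try:
        imei = extract_imei(read_id_view)
    except ValueError as e:
        return f"no IMEI in user OTP: {e}"
    status = "valid" if is_valid_imei(imei) else "BAD CHECK DIGIT"
    return f"IMEI {imei} ({status})"


if __name__ == "__main__":
    print(describe(SAMPLE_READ_ID_VIEW))
    print(describe(UNPROGRAMMED_READ_ID_VIEW))
```

Feeding this a real snapshot still requires putting the chip into Read ID mode and reading the region starting at 0x100 with the tool of your choice; the post says that command is being added to fc-loadtool. The Luhn check is the useful sanity test once the bytes are in hand: a decoded string that fails it points to a wrong nibble order or a wrong offset rather than to a genuine IMEI.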