Does every XDA II have a unique ID ?
If yes, is there a way to change that via software ?
Every XDA II has a unique IMEI number. You can find this underneath the battery in the back.
You *may* be able to query it in software by using a TAPI call:
lineGetGeneralInfo
http://msdn.microsoft.com/library/d...s/guide_ppc/htm/extapi_linegetgeneralinfo.asp
I haven't looked into it much, but I very much doubt you can change it.
there is also a unique id in the Disk-On-Chip chip.
Finding IMEI
Dialing *#06# will give you the same IMEI result as looking under the battery.
Sounds worse than I expected. Can anyone think of a way that both the disk-on-chip ID and the IMEI number could be masked, changed, or hidden?
PARANOIA.... but as always with these things, better be prepared.....
I don't know how yet, but the imei is derived from data in a flashable rom area, so in theory it should be possible to modify it.
the disk-on-chip id is in true read-only memory.
though you may be able to trick application into thinking it has changed by modifying the trueffs.dll driver.
afaik the IMEI is not changeable. Every phone has a separate IMEI and it will be sent, along with the card number, at every call to your provider.
for paranoia buy a phone and card on a flea market.
changing the imei is a matter of finding the place in the gsm rom where it is decoded from the data in rom.
you can either modify that code, or figure out the encoding, and change the encoded imei in rom.
not that it is easy, it involves some serious reverse engineering, but possible. we did it for the xda-1 too.
I understand that there is also some kind of checksum applied to the IMEI, so putting any old numbers won't work on some phones; in fact it renders the phone useless. I don't know if this applies to the XDA2, although the XDA1 was very casual about the IMEI number, no checks whatsoever were carried out, I even had my birthday as an IMEI in my old xda.
Anyone interested in writing a utility to mask those numbers or even to change them at leisure?
itsme said:
changing the imei is a matter of finding the place in the gsm rom where it is decoded from the data in rom.
you can either modify that code, or figure out the encoding, and change the encoded imei in rom.
not that it is easy, it involves some serious reverse engineering, but possible. we did it for the xda-1 too.
Itsme, as it has been done for the XDA 1, is there any chance it will be done for the XDA 2 ?
Laws differ from country to country, and I don't even want to go THERE...
But it would be remiss of me, not to point out that SIM unlocking is perfectly legal in the UK.
BUT, in the UK, to change an IMEI on a handset is illegal, and carries a 5 year prison sentence.
Other countries can be quite different I'm led to believe though.
a while back (5 years or so) I read a story about how they were identifying phones by fingerprinting the analog signal from the transmitter. apparently small differences in the analog parts make each phone uniquely identifiable.
hey itsme
do you still have this article... I would be very interested to read it...
I can not believe this... Honestly... this is impossible (and I do believe in aliens)
Neither the PA nor the RF of a mobile phone has any kind of serial register or an area where you could influence the signal to fingerprint it,
next thing, the signal gets heavily disturbed while transmitted, they are happy enough if they find the normal payload ;-)
or was it 4 year and 50 weeks ago ;-)
Alex
it was not explicitly made different, just that analog parts are never exactly the same.
found it:
http://iwce-mrt.com/ar/radio_fight_cellular_cloning/
not sure if it would still work, in 7 years, cellphone technology has changed quite a bit.
if you search for 'radio frequency fingerprinting' on google you will find more on it.
chuck said:
as it has been done for the XDA 1, is there any chance it will be done for the XDA 2 ?
I'd say chance of 90%, where the 10% is for taking into account I didn't actually do it. The new method of unlocking the XDA 2 pretty much allows you to change all values in the phone.
hi itsme
I called our RF radio specialists... they never heard about it and do not think it is possible.
Seven years ago the radio of a mobile did indeed consist of many (hundreds of) discretes, which all of course have a tolerance; nowadays the whole radio fits into a single chip with some discretes around.
The quality of the radio has also greatly improved, so the differences between manufacturers have become so small that it is not possible to judge different radios by their signals.
Another thing just came to my mind... this article is from America, where they use and used analog cell-phones... I am pretty sure this technology refers to the analog cellphone standard and not to a GSM one...
hey the more I think about it the more I like this explanation...
Now I can sleep better...
Alex
W4XY, do you know from experience if any checksum is used with the IMEI in the XDA2, or is it the same as the XDA1 where just about any number could be used?
I have no true idea if the algorithm is different for the IMEI in the XDA 2 as I have not looked at that in particular, but I suspect it will be the same as a lot of other stuff is still the same too.
An IMEI is supposed to satisfy a Luhn check - which is the same checksum algorithm as used for Credit Cards.
Useless fact: the number printed on a SIM card also satisfies the same check.
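The Luhn check mentioned above, written out as an added example (not code from the thread or from The Manipulator): the digit-doubling checksum over an arbitrary digit string, the 15-digit IMEI rule on top of it, and the check digit for a 14-digit IMEI body. The sample IMEI 350314010000009 is the generic number quoted later in this thread.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Luhn check over a string of decimal digits: walking from the rightmost
   digit, double every second digit, subtract 9 when the doubled value
   exceeds 9, and require the total to be a multiple of 10. Any non-digit
   fails the check. Card numbers and SIM card numbers use the same rule. */
bool luhn_valid(const char *digits)
{
    size_t n = strlen(digits);
    if (n < 2) return false;
    int sum = 0;
    bool dbl = false;                 /* the check digit itself is not doubled */
    for (size_t i = n; i-- > 0; ) {
        if (!isdigit((unsigned char)digits[i])) return false;
        int d = digits[i] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* An IMEI is 15 decimal digits: 14 digits of TAC + serial followed by one
   Luhn check digit computed over those 14. */
bool imei_valid(const char *imei)
{
    return strlen(imei) == 15 && luhn_valid(imei);
}

/* Check digit that makes a 14-digit IMEI body pass the Luhn check,
   or -1 if the input is not exactly 14 digits. */
int imei_check_digit(const char *body14)
{
    if (strlen(body14) != 14) return -1;
    int sum = 0;
    bool dbl = true;                  /* digit left of the check digit is doubled */
    for (size_t i = 14; i-- > 0; ) {
        if (!isdigit((unsigned char)body14[i])) return -1;
        int d = body14[i] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return (10 - sum % 10) % 10;
}
```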
Related
Hi all
I was wondering if anyone knew the answer to the above question.
to explain a bit better:
If I change the IMEI on my XDA it will obviously show up on the phone. What I want to know is will the network see the new or old IMEI, i.e. which is sent out by the phone.
Also:
From what I have found out, the new service that blocks off stolen phones, which runs in the UK, works by the IMEI code of the phone.
How do I make sure I don't change my IMEI to a number that is registered as stolen and in turn block my phone off?
Also again:
If at a later stage my phone does get blocked, will changing it back to the original IMEI unblock it?
After all this I'm wondering if I should bother changing the IMEI. Although it would be nice to have my DOB there.
Oops, I think I posted this in the wrong place!!
To Administrators:
Sorry
If it is in the wrong place could you move it?
The IMEI is stored in two places: one is displayed, the other is used to send to the network. The Manipulator changes both locations. The chance you'll change your IMEI to one of a stolen phone is small, very small. (It's six digits if you exclude the manufacturer part, so the chance is definitely bigger than getting hit by a meteorite, but still)
We included the IMEI change bit because:
a) We could
b) Privacy concerns: we'd like to live in a world where people can have multiple identities that are hard to connect, even if their opponents happen to run the country / telco.
WOW!!
Thanks for the great answer. As soon as it is possible to change my IMEI and unblock my phone I'll be doing it. (I have version 4.20 so it doesn't work yet).
Does anyone know of a web site that lists all the IMEIs that are recognised as stolen, or a number I can call in the UK to find out? The local police are useless and don't know anything.
A number to report a stolen phone would be useful as well, because my little sis got hers nicked.
It took a small group effort, but we cracked it.
Problem 1: Bug in limitation to %UREG command
First of all, on 4.20 they check to see whether the %UREG request lies within certain bounds as follows:
AT%UREG?addr,len:
if (addr < 0x3ef000 || addr > 0x3ef007) return(0);
if ((addr+len) < 0x3ef000 || (addr+len) > 0x3ef007) return(0);
Now because addr and len are both 32 bits, we can make use of the wrap (negative in effect). After the test above the maximum length will be limited to 100 (0x64).
So for instance:
AT%UREG?3FE004,FFFFFFFF
will read 100 bytes from 0x3FE004, clearly outside the range UREG was meant to be restricted to.
Problem 2: Obfuscation too easy
When executing the command above: after 74 bytes of FF, the obfuscated result code is displayed. The information needed to get the unlock code is contained twice, in the format ABCDABCDEFGHEFGH if a different letter is assigned to each unique nibble. Nibbles are first swapped to make EHAFGBCD. Then bits 3 of nibbles H, F and B are rotated left, so that nibble H gets bit 3 from F and so forth. After this, the whole 4 byte value is rotated into the lower bit. The result is the 8 digit unlock code in BCD, which can be supplied to the unlock command:
Code:
AT%SIDLCK=0,<8-digit unlock code>
Commentary:
Nice try: took us 2 person-days, probably still less than it took to think up, define, approve and program. :twisted:
The new version of The Manipulator, online now, supports unlocking of Radio Stack 4.20.
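The wrapped bounds check described in Problem 1 above, as an added example (not the phone's firmware and not The Manipulator's code): the check as the post describes it next to a hardened form that bounds the length first and computes the end address in a width that cannot wrap. The window constants and the 100-byte cap are the ones quoted in the post; the address 0x3ef004 used in the comments is my own choice inside that window.

```c
#include <stdbool.h>
#include <stdint.h>

/* Window the command was meant to be restricted to, and the length cap the
   post says is applied only after the checks (values as quoted in the post). */
#define UREG_LO     0x3ef000u
#define UREG_HI     0x3ef007u
#define UREG_MAXLEN 100u

/* The original check as the post describes it. addr and len are both 32-bit,
   so addr + len wraps modulo 2^32: with len = 0xFFFFFFFF the computed end is
   addr - 1, which lands back inside the window and the check passes. */
bool ureg_check_original(uint32_t addr, uint32_t len)
{
    if (addr < UREG_LO || addr > UREG_HI) return false;
    uint32_t end = addr + len;                     /* can wrap */
    if (end < UREG_LO || end > UREG_HI) return false;
    return true;
}

/* Hardened form (added here, not firmware code): reject zero and oversized
   lengths before any arithmetic, then compute the last byte of the read in
   64 bits so the addition cannot wrap, and require it to stay in the window. */
bool ureg_check_hardened(uint32_t addr, uint32_t len)
{
    if (len == 0 || len > UREG_MAXLEN) return false;
    if (addr < UREG_LO || addr > UREG_HI) return false;
    uint64_t last = (uint64_t)addr + len - 1;      /* inclusive last byte */
    return last <= UREG_HI;
}
```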
Yippee... the manipulator works for 4.20 !!!!!
Hi,
I must be a very lucky guy.
Just received my xda today (64mb ram, 4.20.00 radio version, 3.16.32 ENG rom, dated 2/13/03) and was fiddling with it about half an hour ago with the former xda manipulator program (ver 1.02), which recorded error messages and couldn't work. Then I looked on the net and found this posting just made (at 10.30 pm) and was the number 6 person to view the posting; downloaded the new manipulator and hey presto - the xda is unlocked !!!!
Only one thing though - I don't see the GID lock, the IMEI number and the call timer entries in this new program (ver 1.1) which were present in the ver 1.02 program. Not a problem for me though as long as I can use the phone on my Vodafone sim.
Anyway, thank you so much for the hard work in cracking the 4.20; really appreciate it. Well done and keep up the magnificent work.
Cheers
Yup - it works a treat - unlocked in 10 seconds.
WELL DONE guys - thanks so much for all your input here. I now have an XDA that is truly useful and versatile.
BRILLIANT!!
Rog
Just tried 1.1 on 6 phones, all with 4.20. Five of them unlocked no problem, but one of them, for some strange reason, didn't work: it read the SID code, but the one that it came back with was only 6 digits long, and when pressing "UNLOCK" nothing more happened. All the other codes were about 8 digits long. I tried entering the code manually, but it just came back saying it was incorrect!!!
Anyone come across this??
Many thanks in advance
Hmmm. It could be that the code (or the second half of it) starts with two zeroes, and now that you mention it: the manipulator doesn't display (or unlock with) leading zeroes.
Could you try that six digit code with two leading zeroes, and (if that doesn't work) insert the zeroes in the six digit number as follows: XXXX00XX or as follows: 0XXX0XXX. Tell me if that's it, please...
(Expect 1.11 of The Manipulator in the next day or two...)
IMEI Change
Great work guys, I'll be unlocking my xda as soon as I get the serial cable. It is a combined serial and USB cable, so if anyone has experience with this not working (ordered from Expansys) then let me know, otherwise I'll post here to let you know if it worked or not.
I would like to know if there are any plans to make a version of the communicator that will change the IMEI.
If not, will commands from HyperTerminal work? (Sorry if this is not currently possible, I haven't been motivated to look it all up but will be if it is possible to change the IMEI through this.)
I know that the version of HyperTerminal that comes with 2k and XP is more limited than the one in 95 and 98, so would another terminal emulation program do the job better (Reflections 420 for example)?
Thanks again for the great work.
How do you find all this stuff out?? How do I learn.?
Minesh
@Peter Poelman you're a blinking genius mate, it was the last method (0XXX0XXX)
So now I've done 11 phones (R4.20), and all 11 unlocked, pretty good success rate I reckon
Keep up the great work guys
Re: IMEI Change
MineshT said:
I would like to know if there are any plans to make a version of the communicator that will change the IMEI.
Manipulator (I assume that's what you mean) does change the IMEI, but not on 4.20 phones, because we can't easily reach the memory range. In fact we have ways to do it, but we didn't yet feel like doing the necessary programming work before they lock us out completely.
If not will commands from hyperterminal work?
There's no easy (or medium-hard) way to change the IMEI on 4.20 phones.
How do you find all this stuff out?? How do I learn.?
In this specific case, we looked at the ARM machine-code in the 4.20 binary contained in S-record form in the RSU upgrade package, using IDA (a disassembler program). We then figured out the %UREG restriction was lacking. Looking at the obfuscated code we figured we could break it without looking at further code (and the phone binary code guru was unavailable for the day), so we cracked it by just staring at enough possibilities. (We could set and reset the lock using different codes with AT%SIDLCK).
Not sure hacking phones is a specific skill one can learn. Even though we're mostly still pretty young, most of us are very experienced software developers, senior security experts. Electronics, programming and reverse-engineering experience of 20-25 years in some cases. But there's pretty good texts out there that describe disassembling other people's code, understanding embedded hardware and other areas of expertise you'd need.
Reverse-engineering needs a lot of the same skills that 'forward-engineering' does. If you have the skills needed to build something, you can begin to take it apart.
Current issues with The Manipulator
The Manipulator currently does not unlock phones which were locked and then user-upgraded to 4.20. So unlock first and then upgrade. Also, please read hotentot's post and my reply above for a problem that appears when the code has zeroes in certain positions.
Both issues will be addressed in the next version, due in a few days, when I know there's no other things that need fixin'.
to all XDA developers (is there a change IMEI software USB) if yes where can I find it & if no is it going to be developed any time soon? when?
I doubt the developers will be writing software for that particular use on the xda1. If you have a serial cable it will work on the xda as long as the radio stack is one of the early versions; it won't work on radio stack 4.21 for instance.
so where can I get the early (<4.20) Radio version because I want to use the
manipulator programme with my XDA2 device?
????????????????
Changing IMEI is a way to get RID of those SPIES who pry into our personal info. Violations of our right to privacy....
Emil, can you expand on that statement please? The IMEI is the phone's identity tag; if you have a prepay SIM card your identity is unknown, if you have a post-pay contract SIM then your details are known and your phone is trackable by the SIM details regardless of the IMEI/phone used.
I want to reset the timer to know how much I talked, so where can I find that radio version?
As far as I know, xda manipulator is for xda1 only.
IMEI-change and call-timer reset
No software exists to change IMEI or reset timers on Himalaya/XDA-II. Also no software does it to the Wallaby/XDA over USB, and The Manipulator, the program that does it to the Wallaby via the serial port only works with certain Radio Stack versions.
We have no legal or moral problems with IMEI-changing or timer reset, but it's a lot of hard work to write something which overwrites parts of people's radio software reliably. The last thing we want is 300 people wrecking their phones and blaming us. This issue has sort of scared us away from this type of modification.
(Unlocking is different since it only reads the ROM and then uses the 'official' mechanism of AT-commands in the phone for unlocking.)
No idea whether this topic will be revisited at some point, but don't hold your breath...
I can help you to change IMEI for XDA I or XDA II
cgigate
tell me how ....pls
cgigate said:
I can help you to change IMEI for XDA I or XDA II
Will you tell how it all works, and maybe even create a wiki page on it? We have itsme's and W4XY's works, but we need many more people to publish the results of their trips into the phone ROM and bootloader...
Peter,
Can you tell me how to read or find my IMEI number. I have a phone that was a display model and the label on the back was removed, so I can't get it there, and the system identity shows a generic IMEI number (as I've found with all the updated 2003 ones).
Thanks,
David
moto1 said:
Can you tell me how to read or find my IMEI number. I have a phone that was a display model and the label on the back was removed, so I can't get it there, and the system identity shows a generic IMEI number (as I've found with all the updated 2003 ones).
Try dialing *#06# on the phone. This works on all GSM phones (since it is in the GSM specification to be approved as one).
That still gives the generic IMEI number with an extra "01" at the end. It seems to be a glitch in the 2003 software, because the IMEI numbers are available before you upgrade but not after. I thought I was missing something, but the other units with the upgrade are giving the same generic number (350314010000009). Does anyone else come up with that IMEI #? (May be T-Mobile only!)
David
nope
I upgraded my rom lots of times and never lost my original IMEI number (which is written inside the case, under the battery)
It must be in the "T-Mobile" upgrade that changes the number in the system settings.
no solution till now????!!!!!
if I change the rom to an i-mate jasjar or any other will it be unblocked?
No
why is that ?
I'm not an expert but sometimes I wonder why that is. If we replace each and every file of a locked mda-pro with those of an unlocked jasjar, then there should be no reason for a locked mda-pro.
can anyone explain the inside science of locking & unlocking?
I think it also depends on the definition of "blocked"
If the phone itself has had its IMEI blocked, then no amount of reprogramming/reflashing will unblock it.
If the phone has a simlock on it, then I believe this would be to do with something within the phone hardware itself.
Hi guys
That old chestnut again: locked and blocked are 2 completely different issues, and unfortunately neither of these actually involves anything that is directly under the control of Pocket Windows.
There are 2 types of locking.
1) PUK locking (SIM locking): this occurs if you incorrectly enter the SIM PIN code 3 times in a row. If this happens you need to contact the network provider to get the PUK unlock code; better still, if you enter the PUK code incorrectly 5 times you will destroy the SIM and need to get a new one.
2) Network locking is a flag that specifies the LAIN of the mobile network that supplied the mobile phone, and if this feature is enabled by the operator it will mean that only a SIM card that has the correct LAIN will work in that phone. I forget what LAIN stands for, but basically it is used in the GSM international roaming world and therefore each operator has its own; the first few digits indicate the country, then the last ones the specific network.
This can be disabled in 2 ways: firstly by using an encrypted code specifically issued for your handset, or secondly by trial and error, by writing different values to the registers on the EPROM on the GSM unit itself. Eventually this will result in the phone unlocking itself. In order to do this the GSM engine needs to be removed from the handset and interfaced to a serial port. A 0 or a 1 is then sent to each register one at a time and the phone is then tested to see if it works. Depending on the size of the chip this takes a long time. However, when you know the memory location of the register this can then be done to any phone in a matter of minutes. This is basically the way most of the unlocking systems are developed.
Finally, IMEI blocking. This is done where the network has evidence that a crime has taken place: either fraud committed on the handset, abusive phone calls, or the unit has been stolen. If the network IMEI-blocks it you have 2 options: 1, sell it in a different country (Nigeria), or 2, some chipsets contain the IMEI details on a flash chip. Again the registers are read over a serial interface and this can be rewritten. The first phones to support this IMEI in flash were the Siemens TC35 GSM engines; the Wavecom GSM modules also support this. I am not really sure of any legitimate application for changing the IMEI of a mobile handset or even why this data is not written in ROM, but there you go.
I hope that helps to clear up issues relating to locking and blocking.
Regards
Charlie
thanks for such an informative essay, we are all concerned about the network locking. I have noticed a tool to remove simlock from the HTC Wizard using the same OS as the HTC Universal, but in the above post it's mentioned that the OS has nothing to do with unlocking ..
But the unlocking tool of all old HTC devices running WM 2003 never took so long as in the case of the Universal? or maybe quite possibly all the good brains of our forum don't use the Universal?
Do any one know how a windows mobile sends the IMEI to the network?
Which function in the api ?
I'm sure it is in the low-level API, kernel or maybe the coredll.dll, but I cannot find any clue on it, and I don't have any idea of where to start to trace that.
Any help or clue would be gratefully received
Is it really sent??
I'm by no means an expert on this subject -- but is it really sent over the network? In my case the US ATT network? I'm not so sure it is...
...if so, why do they have to always ask me for it?
...if so, why aren't they automatically charging me an extra $30/mo. for a PDA data plan which they insist is REQUIRED for PDAs to connect-even though we all KNOW that's a lie and an ATT rip-off scheme?
...if so, why am I able to call them and give them ANY NON ATT IMEI over the phone and they not dispute it?
...just a few questions to answer your question.
I'm not an expert either, but I can tell you that they see it. I like to think of the IMEI number as your "ip address" or your phone's "username" for the network. It has to be sent for access purposes and it would be stupid not to log that type of server access. Otherwise how else would you be restricted from using other cellular towers?
Wrong.
Read up on IMSI's and TMSI's
In the Netherlands the police used an IMEI number to send text messages to a stolen cellphone; even though they had changed the SIM card, the phone would show: "This phone is stolen, please bring it to the police" every 5 minutes...
Though I'm not an expert on this topic, I thought that the Radio Firmware handled all communications with the Cellular network, including IMEI. One reason I am inclined to go with the Radio Firmware is this simple reason: If it was handled by WM, somebody could probably figure out how to spoof it through WM at one point or another, in the same way that MAC addresses can be spoofed.
And as I said, I'm no expert on this, so please, somebody correct me if I'm blatantly incorrect.
Oh, and w00t! 400th post!
IMEI is for sure transmitted to the network, since this is registered on the BTS every time your signal "auths" on it, and the server logs it and checks if your phone is on the "blacklist" and then rejects the connection if it is the case.
Check here
But I wonder, technically, where it is sent from, maybe from the Radio firmware like previously posted?
I guess, since we have some tools to read & change the IMEI on other HTCs, it could be done on every model (if I understood right, the IMEI part is somewhere in "read only" memory and we first need to unlock the CID to unlock this part of memory and then modify / alter it.)
The tool is found here:
IMEI Updater
But it works only for iWizard and some other models.
But couldn't we hook the function that retrieves the IMEI and alter it on the fly (from the software point of view)? or should I dig in the flash memory?
Or is it hardcoded in the SPL or the IPL? When and what function is used to send it on the network?
Also, for all the legal issues, I might add that an open-source OpenBTS project is running, and it is a research-oriented initiative.
So no posts saying that I want to change stolen IMEIs etc.. this is not the case.
I've been a developer for one year now, and I'm interested in mobile security and research.
ix0u said:
IMEI is for sure transmitted to the network, since this is registered on the BTS every time your signal "auths" on it, and the server logs it and checks if your phone is on the "blacklist" and then rejects the connection if it is the case.
Check here
But I wonder, technically, where it is sent from, maybe from the Radio firmware like previously posted?
I guess, since we have some tools to read & change the IMEI on other HTCs, it could be done on every model (if I understood right, the IMEI part is somewhere in "read only" memory and we first need to unlock the CID to unlock this part of memory and then modify / alter it.)
I think you'd have to Security Unlock as well. And I'm certain that it's stored somewhere in protected flash memory, at least on the Qualcomm based devices, because there have been isolated reports of IMEI changes after using Olipro's Kaiser SIM/CID unlocker/changer.
It works by flashing a modified radio firmware which security unlocks the device (until a different radio is flashed), then a program is run in Windows Mobile which somehow changes SIM lock and CID information. If you're curious, those cases concerning IMEI changes as a result of this tool are here and here. And if you really want to know about this issue, a visit to the XDA IRC channel, or a polite PM to cmonex, Jockeyw2001, Olipro, or Pof could probably clear this up, as those are the people who really know these devices. Good luck
Thank you very much DaveTheTytnIIGuy, at least i have a lead now, on where to go and who to ask.