IMEI changing problem

Thread starter: myjames
Is it possible with a patch to change the OTP check, or to change the IMEI after the OTP is checked? How can I program the flash and/or EEPROM?
 
Well, it sounds like nonsense to downgrade a phone, but in theory it could work.... However, is there any way to get the FW and EP of an A45? If yes, let me know where and I could bring some answers to our doubts. On the other hand, I wonder if there is a way of disabling the OTP area... Of course I'm not an expert, but is the OTP check stored in a single chip?

Best regards

jay
 
The problem is with that bloody flag... if there is a way to change its state it will solve the riddle. The question is whether the tools we have are enough, or whether there is a need to apply some particular voltage at some particular test point.


@carmobile

Nothing to do with what we are saying, mate.

al
 
The C56v29 FW is at http://www.s86948218.onlinehome.us/c56.rar. Can anyone help me? I need help to make or modify the patches for this FW.
 
This is getting quite interesting.

Will be posting results soon when I get some time to play with this... just bought a good 2nd-hand C55 to mess with it.

@ 0xFEDF

This method can be applied to all Siemens phones if it works on the C55, then?

The problem is where to operate in their respective flashes.... Got any more info on the "area" for other models, mate?

Quite nice to experiment with it... by the way...

PS. Mates, it is better if we explicitly say that what we are discussing here is for experimental purposes and own use only, and we do not condone any abuse of such information that may be used for illegal purposes. I presume all others discussing this thread agree with this.

thanks
al
 
You are wrong. The IMEI was taken from OTP.
The Acid program uses a unique technique to make this possible.
I don't know how it works, but it works.
 
; S55 v20
; change IMEI String

9951CE: 88908880 FA7B0094 ; new IMEI routine
3B9400: FFFFFFFF E6FE0015 ; mov r14, #1500h
3B9404: FFFFFFFF E6FFEE01 ; mov r15, #1EEh
3B9408: FFFFFFFF FABFAE81 ; jump String_cpy
3B9500: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 20494D4549206E6F7420666F756E6400 ; new IMEI as String

All offsets are for V-Klay.
And I don't have info for other phones.
 
Do the flash ICs used in the Siemens x5x and x6x series really have an 'OTP' zone? Or just an emulated one? Maybe with a 'read only' attribute? Maybe it's not OTP, but it's impossible to write with usual software like Freia, or it's impossible by cable! Has anyone tried to write that flash chip on an external programmer? Maybe it's the only solution.
 
Procedure Compare_Get_IMEIs:

seg178:1EBA mov [-r0], r9
seg178:1EBC mov [-r0], r8
seg178:1EBE sub r0, #0Ah
seg178:1EC2 mov r8, r12
seg178:1EC4 mov r9, r13
seg178:1EC6 calls 0B2h, Get_Flash_IMEI
seg178:1ECA cmp r4, #0
seg178:1ECC jmpr cc_Z, loc_B21F2C
seg178:1ECE mov r12, r0
seg178:1ED0 and r12, #3FFFh
seg178:1ED4 mov r13, unk_403E02
seg178:1ED8 calls 0B2h, Get_EEPROM_IMEI
seg178:1EDC cmp r4, #0
seg178:1EDE jmpr cc_Z, Compare_IMEIs
seg178:1EE0 cmp r4, #4
seg178:1EE2 jmpr cc_Z, Copy_IMEI
seg178:1EE4 jmpr cc_UC, loc_B21F26

This part of the procedure compares the OTP and EEPROM IMEIs

seg178:1EE6 Compare_IMEIs:
seg178:1EE6 mov r12, #8
seg178:1EE8 mov [-r0], r12
seg178:1EEA mov r12, #2
seg178:1EEC add r12, r0
seg178:1EEE and r12, #3FFFh
seg178:1EF2 mov r13, unk_403E02
seg178:1EF6 mov r14, r8
seg178:1EF8 mov r15, r9
seg178:1EFA calls 0B2h, Compare

If the IMEIs don't match, r4 ≠ 0 and the phone cannot start

seg178:1EFE add r0, #2
seg178:1F00 cmp r4, #0
seg178:1F02 jmpr cc_NZ, loc_B21F26; IMEI is BAD
seg178:1F04 mov r12, #0
seg178:1F06 jmpr cc_UC, loc_B21F28 ; IMEI is GOOD

End of part

seg178:1F08 Copy_IMEI:
seg178:1F08 mov r12, #8
seg178:1F0A mov [-r0], r12
seg178:1F0C mov r12, #2
seg178:1F0E add r12, r0
seg178:1F10 and r12, #3FFFh
seg178:1F14 mov r13, unk_403E02
seg178:1F18 mov r14, r8
seg178:1F1A mov r15, r9
seg178:1F1C calls 0B2h, memcopy
seg178:1F20 add r0, #2
seg178:1F22 mov r12, #3
seg178:1F24 jmpr cc_UC, loc_B21F28
seg178:1F26 loc_B21F26:
seg178:1F26 mov r12, #2
seg178:1F28
seg178:1F28 loc_B21F28:
seg178:1F28 mov r4, r12
seg178:1F2A jmpr cc_UC, loc_B21F34
seg178:1F2C loc_B21F2C: Compare_Get_IMEIs+12j
seg178:1F2C mov r12, r8
seg178:1F2E mov r13, r9
seg178:1F30 calls 0B2h, Get_EEPROM_IMEI
seg178:1F34 loc_B21F34:
seg178:1F34 add r0, #0Ah
seg178:1F38 mov r8, [r0+]
seg178:1F3A mov r9, [r0+]
seg178:1F3C rets
seg178:1F3C ; End of function Compare_Get_IMEIs


BEST REGARDS ANDREW911
 
;Patch for C56 v.29 phones - NOT TESTED !!!
;(c) Sinclair

;Disable CRC check
10F5F4: DA90FEEE CC00CC00 ; disable CRC1
14B5C2: 2D 0D ; disable CRC2

;IMEI patching :-)
3AAD54: 88908880 FA8B8465
0B6584: FFFFFFFF E6FE9025
0B6588: FFFFFFFF E6FF2D02
0B658C: FFFFFFFF FADCD0B9
0B6590: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 20494D4549206E6F7420666F756E6400 ; new IMEI as String

Use V-Klay to apply this patch to the phone. If the phone doesn't work after patching, just roll back the patch or restore the firmware from backup.

This patch is NOT TESTED!!!
 
The free IMEI change patches don't change the IMEI that is sent to the provider. But the
IMEI changer tool makes this change.

The IMEI that is sent to the provider is 100% changed. Tested and works.

@Andrew911 have you tested my program? I don't think so. Do you really believe I
will release these patches for free? Why? IMEI changing is only for making money, so
why develop a free patch? With this work I can pay for my work on new free tools
(SPC2 x65 support, x65 Theme Editor, x65 EEPROM tool, ...)
 
P.S. The Siemens A50 has no 'OTP' inside! If you want to change the IMEI you must downgrade to C45, which doesn't have the 'OTP' check, correct! But this doesn't mean that it has an OTP zone!
 
You may need to unlock your phone after unsuccessful patching!
Or restore the EEPROM from backup.
 
@Andrew

My fault, mate. However, is there a suitable way to overcome the check, as is done on SonyEricssons?

thanks mate
al
 
Thanks very much, but the patch doesn't work for me.

When I press *#06# it says: "IMEI NOT FOUND" and the phone says: "Movil Robado" ("Phone reported" in English).

Is the patch applied to the phone directly or to the .fls file?
Do I need to make a testpoint before applying this patch? If 2 people apply this patch, will they have the same IMEI? Can I disable the OTP check?

Any idea?
 