Does every XDA II have a unique ID?
If yes, is there a way to change that via software?
Every XDA II has a unique IMEI number. You can find this underneath the battery in the back.
You *may* be able to query it in software by using a TAPI call:
lineGetGeneralInfo
http://msdn.microsoft.com/library/d...s/guide_ppc/htm/extapi_linegetgeneralinfo.asp
I haven't looked into it much, but I very much doubt you can change it.
There is also a unique ID in the Disk-On-Chip chip.
Finding IMEI
Dialing *#06# will give you the same IMEI result as looking under the battery.
Sounds worse than I expected. Can anyone think of a way that both the Disk-On-Chip ID and the IMEI number could be masked, changed, or hidden?
PARANOIA... but as always with these things, better be prepared...
I don't know how yet, but the IMEI is derived from data in a flashable ROM area, so in theory it should be possible to modify it.
The Disk-On-Chip ID is in true read-only memory.
Though you may be able to trick applications into thinking it has changed by modifying the trueffs.dll driver.
AFAIK the IMEI is not changeable. Every phone has a separate IMEI and it will be sent, together with the card number, at every call to your provider.
For paranoia, buy a phone and card at a flea market.
Changing the IMEI is a matter of finding the place in the GSM ROM where it is decoded from the data in ROM.
You can either modify that code, or figure out the encoding, and change the encoded IMEI in ROM.
Not that it is easy, it involves some serious reverse engineering, but possible. We did it for the XDA-1 too.
I understand that there is also some kind of checksum applied to the IMEI, so putting in any old numbers won't work on some phones; in fact it renders the phone useless. I don't know if this applies to the XDA2, although the XDA1 was very casual about the IMEI number: no checks whatsoever were carried out. I even had my birthday as an IMEI in my old XDA.
Anyone interested in writing a utility to mask those numbers or even to change them at leisure?
itsme said:
Changing the IMEI is a matter of finding the place in the GSM ROM where it is decoded from the data in ROM.
You can either modify that code, or figure out the encoding, and change the encoded IMEI in ROM.
Not that it is easy, it involves some serious reverse engineering, but possible. We did it for the XDA-1 too.
Itsme, as it has been done for the XDA 1, is there any chance it will be done for the XDA 2?
Laws differ from country to country, and I don't even want to go THERE...
But it would be remiss of me, not to point out that SIM unlocking is perfectly legal in the UK.
BUT, in the UK, to change an IMEI on a handset is illegal, and carries a 5 year prison sentence.
Other countries can be quite different, I'm led to believe, though.
A while back (5 years or so) I read a story about how they were identifying phones by fingerprinting the analog signal from the transmitter. Apparently small differences in the analog parts make each phone uniquely identifiable.
Hey itsme,
do you still have this article? I would be very interested to read it...
I cannot believe this... Honestly, this is impossible (and I do believe in aliens).
Neither the PA nor the RF of a mobile phone has any kind of serial register or an area where you could influence the signal to fingerprint it;
next thing, the signal gets heavily disturbed while transmitted; they are happy enough if they find the normal payload ;-)
Or was it 4 years and 50 weeks ago ;-)
Alex
It was not explicitly made different, it's just that analog parts are never exactly the same.
Found it:
http://iwce-mrt.com/ar/radio_fight_cellular_cloning/
Not sure if it would still work; in 7 years, cellphone technology has changed quite a bit.
If you search for 'radio frequency fingerprinting' on Google you will find more on it.
chuck said:
As it has been done for the XDA 1, is there any chance it will be done for the XDA 2?
I'd say chance of 90%, where the 10% is for taking into account I didn't actually do it. The new method of unlocking the XDA 2 pretty much allows you to change all values in the phone.
Hi itsme,
I called our RF radio specialists... they never heard about it and do not think it is possible.
Seven years ago the radio of a mobile did indeed consist of many (hundreds of) discretes, which of course all have a tolerance; nowadays the whole radio fits into a single chip with some discretes around it.
The quality of the radio has also greatly improved, so the differences between manufacturers have become so small that it is not possible to tell different radios apart by their signals.
Another thing just came to my mind... this article is from America; there they use and used analog cell phones... I am pretty sure this technology refers to the analog cellphone standard and not to a GSM one...
Hey, the more I think about it the more I like this explanation...
Now I can sleep better...
Alex
W4XY, do you know from experience if any checksum is used with the IMEI in the XDA2, or is it the same as the XDA1 where just about any number could be used?
I have no true idea if the algorithm is different for the IMEI in the XDA 2 as I have not looked at that in particular, but I suspect it will be the same as a lot of other stuff is still the same too.
An IMEI is supposed to satisfy a Luhn check - which is the same checksum algorithm as used for Credit Cards.
Useless fact: the number printed on a SIM card also satisfies the same check.
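The Luhn check W4XY describes, worked through as an added example (this is not code from the thread or from any of the unlocking tools mentioned; the sample IMEIs are constructed). It splits a 15-digit IMEI into TAC, serial and check digit, recomputes the check digit over the first 14 digits, and reports whether the number is consistent, which is exactly the kind of check that makes "any old number" fail on a phone that validates its IMEI. `luhn_valid()` is generic, so the same function applies to a credit card number or the ICCID printed on a SIM.

```python
"""Luhn check on an IMEI (added example, not from the original thread).

Current IMEI layout: 8-digit TAC + 6-digit serial (SNR) + 1 Luhn check
digit computed over the first 14 digits.
"""


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum of a digit string that already carries its check
    digit: every second digit from the right is doubled and the digits of
    the doubled value are summed (2*7 = 14 contributes 1 + 4 = 5)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True if the whole number (including its check digit) passes Luhn."""
    return number.isdigit() and len(number) > 1 and luhn_sum(number) % 10 == 0


def luhn_check_digit(body: str) -> int:
    """Check digit that makes body + digit pass luhn_valid().
    Appending a placeholder '0' shifts the body into the positions it will
    occupy once the real check digit is present."""
    if not body.isdigit():
        raise ValueError("body must be decimal digits")
    return (10 - luhn_sum(body + "0") % 10) % 10


def parse_imei(imei: str) -> dict:
    """Split an IMEI into TAC / SNR / CD and report whether the check digit
    is consistent. Spaces and dashes are stripped first."""
    s = "".join(c for c in imei if c.isdigit())
    if len(s) != 15:
        raise ValueError(f"IMEI must be 15 digits, got {len(s)}")
    expected = luhn_check_digit(s[:14])
    return {
        "tac": s[:8],
        "snr": s[8:14],
        "cd": int(s[14]),
        "expected_cd": expected,
        "valid": int(s[14]) == expected,
    }


def fix_imei(imei14: str) -> str:
    """Append the correct check digit to a 14-digit TAC+SNR."""
    if len(imei14) != 14 or not imei14.isdigit():
        raise ValueError("need exactly 14 digits")
    return imei14 + str(luhn_check_digit(imei14))


# Constructed sample input: one well-formed IMEI and one "any old number".
SAMPLE_VALID = "49-015420-323751-8"
SAMPLE_BOGUS = "123456789012345"

if __name__ == "__main__":
    print(parse_imei(SAMPLE_VALID))   # valid: True
    print(parse_imei(SAMPLE_BOGUS))   # valid: False, expected_cd 7
    print(fix_imei("12345678901234"))  # 123456789012347
```

Usage note: a handset that enforces the check (as the post suggests some do) will reject `SAMPLE_BOGUS` but accept `fix_imei("12345678901234")`, so a Luhn failure only tells you the number was typed or patched carelessly, not that the device is legitimate.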
In addition to the low ringer and phone volume, missing are the key lock function and automatic answer for hands-free devices... just to name a few.
The question is... since AT&T is now my provider, can I install the T-Mobile ROM and still use it on AT&T's network without any consequences or annoyances?
Is there a solution to these missing features and others I might not know about?
If I change the ROM to an i-mate JasJar or any other, will it be unblocked?
No
Why is that?
I'm not an expert, but sometimes I wonder why that is. If we replace each and every file of a locked MDA Pro with those of an unlocked JasJar, then there should be no reason for a locked MDA Pro.
Can anyone explain the inside science of locking & unlocking?
I think it also depends on the definition of "blocked".
If the phone itself has had its IMEI blocked, then no amount of reprogramming/reflashing will unblock it.
If the phone has a simlock on it, then I believe this would be to do with something within the phone hardware itself.
Hi guys
That old chestnut again: locked and blocked are 2 completely different issues, and unfortunately neither of these actually involves anything that is directly under the control of Pocket Windows.
There are 2 types of locking.
1) PUK locking (SIM locking). This occurs if you incorrectly enter the SIM PIN code 3 times in a row. If this happens you need to contact the network provider to get the PUK unlock code; better still, if you enter the PUK code incorrectly 5 times you will destroy the SIM and need to get a new one.
2) Network locking is a flag that specifies the LAIN of the mobile network that supplied the mobile phone, and if this feature is enabled by the operator it will mean that only a SIM card that has the correct LAIN will work in that phone. I forget what LAIN stands for, but basically it is used in the GSM international roaming world and therefore each operator has its own; the first few digits indicate the country, then the last ones the specific network.
This can be disabled in 2 ways: firstly by using an encrypted code specifically issued for your handset, or secondly by trial and error, by writing different values to the registers on the EPROM on the GSM unit itself. Eventually this will result in the phone unlocking itself. In order to do this the GSM engine needs to be removed from the handset and interfaced to a serial port. A 0 or a 1 is then sent to each register one at a time and the phone is then tested to see if it works. Depending on the size of the chip this takes a long time. However, when you know the memory location of the register this can then be done to any phone in a matter of minutes. This is basically the way most of the unlocking systems are developed.
Finally, IMEI blocking. This is done where the network has evidence that a crime has taken place: either fraud committed on the handset, abusive phone calls, or the unit has been stolen. If the network IMEI-blocks it you have 2 options: 1) sell it in a different country (Nigeria), or 2) some chipsets contain the IMEI details on a flash chip. Again the registers are read over a serial interface and this can be rewritten. The first phones to support this IMEI-in-flash were the Siemens TC35 GSM engines; the Wavecom GSM modules also support this. I am not really sure of any legitimate application for changing the IMEI of a mobile handset, or even why this data is not written in ROM, but there you go.
I hope that helps to clear up issues relating to locking and blocking.
Regards
Charlie
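A model of the network-lock flag Charlie describes, as an added example (not code from the thread, and not how any real baseband stores the lock). The handset holds the MCC+MNC pair of the operator that sold it and compares it against the leading digits of the IMSI of whatever SIM is inserted; the unlock code, the lock object and the IMSIs are constructed, and the real code derivation (vendor- and operator-specific) is not modelled. The example also shows the edge case a naive implementation gets wrong: the MNC is 2 digits in some countries and 3 in others, and the IMSI alone does not tell you which, so a SIM from the right network is rejected if the wrong MNC length is assumed.

```python
"""Network personalisation ("network lock") check. Added example with
constructed data; not the thread's code and not a real baseband routine.

IMSI layout: MCC (3 digits) + MNC (2 or 3 digits) + MSIN. The MNC length
is not recoverable from the IMSI itself; a phone normally reads it from
the SIM's EF_AD file, so it is an explicit parameter here.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class NetworkLock:
    enabled: bool = True
    # (MCC, MNC) pairs the handset accepts while the lock is enabled
    allowed: set = field(default_factory=set)
    # handset-specific unlock code; constructed value for the example,
    # the real derivation is operator- and vendor-specific
    unlock_code: str = "00000000"


def split_imsi(imsi: str, mnc_len: int = 2):
    """Return (mcc, mnc, msin). Raises ValueError on malformed input."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def sim_accepted(lock: NetworkLock, imsi: str, mnc_len: int = 2) -> bool:
    """True if a locked handset would register with this SIM."""
    if not lock.enabled:
        return True
    mcc, mnc, _ = split_imsi(imsi, mnc_len)
    return (mcc, mnc) in lock.allowed


def depersonalise(lock: NetworkLock, code: str) -> bool:
    """Clear the lock if the code matches. Constant-time compare so the
    check itself does not leak how many leading characters were right."""
    if hmac.compare_digest(lock.unlock_code.encode(), code.encode()):
        lock.enabled = False
        return True
    return False


# Constructed sample data. MCC/MNC values are the public allocations for
# T-Mobile UK (2-digit MNC) and AT&T US (3-digit MNC); the MSIN parts are
# made up.
TMOBILE_UK = ("234", "30")
ATT_US = ("310", "410")
LOCK = NetworkLock(enabled=True, allowed={TMOBILE_UK}, unlock_code="12345678")
IMSI_TMOBILE_UK = "234300000000001"
IMSI_ATT_US = "310410000000001"

if __name__ == "__main__":
    print(sim_accepted(LOCK, IMSI_TMOBILE_UK))             # True
    print(sim_accepted(LOCK, IMSI_ATT_US, mnc_len=3))      # False
    # Wrong MNC length: the same T-Mobile SIM is rejected because the IMSI
    # is split as MCC 234 / MNC 300 instead of 234 / 30.
    print(sim_accepted(LOCK, IMSI_TMOBILE_UK, mnc_len=3))  # False
```

The point of the third call is the one Charlie's description glosses over: the lock only works if the handset agrees with the SIM on where the MNC ends, which is why baseband code reads the MNC length from the SIM rather than guessing.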
Thanks for such an informative essay; we are all concerned about the network locking. I have noticed a tool to remove the simlock from the HTC Wizard using the same OS as the HTC Universal, but in the above post it's mentioned that the OS has nothing to do with unlocking...
But the unlocking tool for all the old HTC devices running WM 2003 never took so long as in the case of the Universal? Or maybe it's quite possible that all the good brains of our forum don't use the Universal?
As with many of the recent Windows Mobile devices, the Xperia supports the network feature "Alternate Line Service" ("ALS") (http://en.wikipedia.org/wiki/Alternate_line_service), which allows having two phone lines on one SIM card.
One can easily switch between the lines with a dedicated menu, as shown here:
http://www.se-community.com/div/X1/line_change.jpg
The appearance of the second-line menus relies on an entry in the Customer Service Profile (CSP) of the subscriber's SIM card.
For instance, the menus appear when using SIM cards from Orange(UK) or One(AT), but not with T-Mobile or Vodafone SIM cards.
As some people find these menus annoying, especially when they are not subscribed to the ALS service, they can easily remove them by setting the registry key "ShowALSPage" in HKLM/Software/OEM/PhoneSetting to "0".
Now, I have a particular problem:
I want the menus to appear even though my SIM card does not have the necessary entry in the CSP. I am subscribed to the service with eplus(DE). However, this operator's SIM cards only support a preliminary ALS standard, which was introduced in collaboration with Siemens almost ten years ago. Since Siemens mobile phones have vanished from the market, it would be nice if eplus would eventually update their SIM cards, which they still refuse to do, unfortunately.
The eplus SIM cards hold the value 0x55 in the CSP, while, according to the final standard, 0x80 is expected for ALS-capable SIMs. Till now, the only mobile phones interpreting eplus(DE) SIMs correctly are Siemens and the most recent Sony Ericsson UIQ phones.
Some other mobile phones would still work with the eplus(DE) ALS service. For instance, on Nokia phones one can easily unlock the menus using a CSP override. Some Motorola phones simply always display the menus.
Is there any way to make the ALS menus appear on Windows Mobile 6.0 devices, like the Xperia X1?
Some info can be found here: http://www.expansys.com/ft.aspx?k=112991
I'm also interested in this feature..
Steven
Steven, does Orange(NL) support ALS at all?
As far as I know (and learned from their website), they don't...
Usually, Orange SIMs are preactivated for ALS, if the service is available on the particular Orange network. For instance (and from my own experience), the menus are displayed with SIM cards from Orange(UK) and Orange(CH), but not with SIM cards from Orange(FR) and Orange(CI). If you do not see the menus with your Orange(NL) SIM card, it's pretty clear that Orange(NL) does not support the service. Since T-Mobile(NL) recently took over Orange(NL), it is highly unlikely that the service will be introduced, as T-Mobile does not support ALS anywhere in the world.
BTW: The page you quoted discusses the general support of ALS by the Xperia handset. Yes, sure, it does support ALS, as long as the SIM cards are activated properly. However, this is not the case for eplus(DE) SIM cards, and this is why I'm posting here. You won't be able to use ALS on Orange(NL) even if you were able to activate the menus, as ALS relies on a certain network configuration as well.
Does anyone know how a Windows Mobile device sends the IMEI to the network?
Which function in the API?
I'm sure it is in the low-level API, the kernel or maybe coredll.dll, but I cannot find any clue on it, and I don't have any idea where to start tracing that.
Any help or clue would be appreciated.
Is it really sent??
I'm by no means an expert on this subject -- but is it really sent over the network? In my case the US ATT network? I'm not so sure it is...
...if so, why do they have to always ask me for it?
...if so, why aren't they automatically charging me an extra $30/mo. for a PDA data plan which they insist is REQUIRED for PDAs to connect-even though we all KNOW that's a lie and an ATT rip-off scheme?
...if so, why am I able to call them and give them ANY NON ATT IMEI over the phone and they not dispute it?
...just a few questions to answer your question.
I'm not an expert either, but I can tell you that they see it. I like to think of the IMEI number as your "IP address" or your phone's "username" for the network. It has to be sent for access purposes, and it would be stupid not to log that type of server access. How else would you be restricted from using other cellular towers?
Wrong.
Read up on IMSI's and TMSI's
In the Netherlands the police used an IMEI number to send text messages to a stolen cellphone; even though they had changed the SIM card, the phone would show "This phone is stolen, please bring it to the police" every 5 minutes...
Though I'm not an expert on this topic, I thought that the Radio Firmware handled all communications with the Cellular network, including IMEI. One reason I am inclined to go with the Radio Firmware is this simple reason: If it was handled by WM, somebody could probably figure out how to spoof it through WM at one point or another, in the same way that MAC addresses can be spoofed.
And as I said, I'm no expert on this, so please, somebody correct me if I'm blatantly incorrect.
Oh, and w00t! 400th post!
The IMEI is for sure transmitted to the network, since it is registered on the BTS every time your signal "auths" on it, and the server logs it and checks if your phone is on the "blacklist", then rejects the connection if that is the case.
Check here
But I wonder, technically, where it is sent from. Maybe from the radio firmware, as previously posted?
I guess, since we have some tools to read & change the IMEI on other HTCs, it could be done on every model (if I understood right, the IMEI part is somewhere in "read only" memory and we first need to unlock the CID to unlock this part of memory and then modify/alter it).
The tool is found here:
IMEI Updater
But it works only for the Wizard and some other models.
But couldn't we hook the function that retrieves the IMEI and alter it on the fly (from the software point of view)? Or should I dig in the flash memory?
Or is it hardcoded in the SPL or the IPL? When and what function is used to send it to the network?
Also, for all the legal issues, I might add that an open-source OpenBTS project is running, and this is a research-oriented initiative.
So no posts saying that I want to change a stolen IMEI etc.; this is not the case.
I've been a developer for one year now, and I'm interested in mobile security and research.
ix0u said:
The IMEI is for sure transmitted to the network, since it is registered on the BTS every time your signal "auths" on it, and the server logs it and checks if your phone is on the "blacklist", then rejects the connection if that is the case.
Check here
But I wonder, technically, where it is sent from. Maybe from the radio firmware, as previously posted?
I guess, since we have some tools to read & change the IMEI on other HTCs, it could be done on every model (if I understood right, the IMEI part is somewhere in "read only" memory and we first need to unlock the CID to unlock this part of memory and then modify/alter it).
I think you'd have to Security Unlock as well. And I'm certain that it's stored somewhere in protected flash memory, at least on the Qualcomm based devices, because there have been isolated reports of IMEI changes after using Olipro's Kaiser SIM/CID unlocker/changer.
It works by flashing a modified radio firmware which security unlocks the device (until a different radio is flashed), then a program is run in Windows Mobile which somehow changes SIM lock and CID information. If you're curious, those cases concerning IMEI changes as a result of this tool are here and here. And if you really want to know about this issue, a visit to the XDA IRC channel, or a polite PM to cmonex, Jockeyw2001, Olipro, or Pof could probably clear this up, as those are the people who really know these devices. Good luck
Thank you very much DaveTheTytnIIGuy, at least I have a lead now on where to go and who to ask.