Does anyone know how a Windows Mobile device sends the IMEI to the network?
Which function in the API?
I'm sure it is in the low-level API, the kernel, or maybe coredll.dll, but I cannot find any clue on it, and I don't have any idea where to start tracing that.
Any help or clue would be appreciated.
Is it really sent??
I'm by no means an expert on this subject -- but is it really sent over the network? In my case the US ATT network? I'm not so sure it is...
...if so, why do they have to always ask me for it?
...if so, why aren't they automatically charging me an extra $30/mo. for a PDA data plan which they insist is REQUIRED for PDAs to connect, even though we all KNOW that's a lie and an ATT rip-off scheme?
...if so, why am I able to call them and give them ANY NON-ATT IMEI over the phone and they don't dispute it?
...just a few questions to answer your question.
I'm not an expert either, but I can tell you that they see it. I like to think of the IMEI number as your "IP address" or your phone's "username" for the network. It has to be sent for access purposes and it would be stupid not to log that type of server access. Otherwise, how else would you be restricted from using other cellular towers?
Wrong.
Read up on IMSIs and TMSIs.
In the Netherlands the police used an IMEI number to send text messages to a stolen cellphone; even though they had changed the SIM card, the phone would show "This phone is stolen, please bring it to the police" every 5 minutes...
Though I'm not an expert on this topic, I thought that the radio firmware handled all communications with the cellular network, including the IMEI. One reason I am inclined to go with the radio firmware is this simple one: if it was handled by WM, somebody could probably figure out how to spoof it through WM at one point or another, in the same way that MAC addresses can be spoofed.
And as I said, I'm no expert on this, so please, somebody correct me if I'm blatantly incorrect.
Oh, and w00t! 400th post!
The IMEI is for sure transmitted to the network, since it is registered on the BTS every time your phone "auths" on it, and the server logs it and checks if your phone is on the "blacklist", then rejects the connection if that is the case.
Check here
But I wonder, technically, where it is sent from; maybe from the radio firmware, as previously posted?
I guess, since we have some tools to read & change the IMEI on other HTCs, it could be done on every model (if I understood right, the IMEI part is somewhere "read only" and we first need to unlock the CID to unlock this part of memory and then modify / alter it).
The tool is found here:
IMEI Updater
But it works only for the iWizard and some other models.
But couldn't we hook the function that retrieves the IMEI and alter it on the fly (from the software point of view)? Or should I dig in the flash memory?
Or is it hardcoded in the SPL or the IPL? When, and by what function, is it sent to the network?
Also, for all the legal issues, I might add that an open-source OpenBTS project is running, and it is a research-oriented initiative.
So no posts saying that I want to change a stolen IMEI etc.; this is not the case.
I've been a developer for one year now, and I'm interested in mobile security and research.
ix0u said:
The IMEI is for sure transmitted to the network, since it is registered on the BTS every time your phone "auths" on it, and the server logs it and checks if your phone is on the "blacklist", then rejects the connection if that is the case.
Check here
But I wonder, technically, where it is sent from; maybe from the radio firmware, as previously posted?
I guess, since we have some tools to read & change the IMEI on other HTCs, it could be done on every model (if I understood right, the IMEI part is somewhere "read only" and we first need to unlock the CID to unlock this part of memory and then modify / alter it).
I think you'd have to Security Unlock as well. And I'm certain that it's stored somewhere in protected flash memory, at least on the Qualcomm based devices, because there have been isolated reports of IMEI changes after using Olipro's Kaiser SIM/CID unlocker/changer.
It works by flashing a modified radio firmware which security unlocks the device (until a different radio is flashed), then a program is run in Windows Mobile which somehow changes SIM lock and CID information. If you're curious, those cases concerning IMEI changes as a result of this tool are here and here. And if you really want to know about this issue, a visit to the XDA IRC channel, or a polite PM to cmonex, Jockeyw2001, Olipro, or Pof could probably clear this up, as those are the people who really know these devices. Good luck
Thank you very much DaveTheTytnIIGuy, at least I have a lead now on where to go and who to ask.
Related
Hi all
I was wondering if anyone knew the answer to the above question.
to explain a bit better:
If I change the IMEI on my XDA it will obviously show up on the phone. What I want to know is whether the network will see the new or the old IMEI, i.e. which one is sent out by the phone.
Also:
From what I have found out, the new service that blocks stolen phones in the UK works by the IMEI code of the phone.
How do I make sure I don't change my IMEI to a number that is registered as stolen and in turn get my phone blocked?
Also again:
If at a later stage my phone does get blocked will changing it back to the original IMEI unblock it?
After all this I'm wondering if I should bother changing the IMEI. Although it would be nice to have my DOB there.
Oops, I think I posted this in the wrong place!!
To Administrators:
Sorry
If it is in the wrong place could you move it?
The IMEI is stored in two places: one is displayed, the other is used to send to the network. The Manipulator changes both locations. The chance you'll change your IMEI to one of a stolen phone is small, very small. (It's six digits if you exclude the manufacturer part, so the chance is definitely bigger than getting hit by a meteorite, but still)
We included the IMEI change bit because:
a) We could
b) Privacy concerns: we'd like to live in a world where people can have multiple identities that are hard to connect, even if their opponents happen to run the country / telco.
WOW!!
Thanks for the great answer. As soon as it is possible to change my IMEI and unblock my phone I'll be doing it. (I have version 4.20 so it doesn't work yet.)
Does anyone know of a website that lists all the IMEIs that are recognised as stolen, or a number I can call in the UK to find out? The local police are useless and don't know anything.
A number to report a stolen phone would be useful as well, 'cos my little sis got hers nicked.
Does every XDA II have a unique ID?
If yes, is there a way to change that via software?
Every XDA II has a unique IMEI number. You can find this underneath the battery in the back.
You *may* be able to query it in software by using a TAPI call:
lineGetGeneralInfo
http://msdn.microsoft.com/library/d...s/guide_ppc/htm/extapi_linegetgeneralinfo.asp
I haven't looked into it much, but I very much doubt you can change it.
There is also a unique ID in the Disk-On-Chip.
Finding IMEI
Dialing *#06# will give you the same IMEI result as looking under the battery.
Sounds worse than I expected. Can anyone think of a way that both the Disk-On-Chip ID and the IMEI number could be masked, changed, or hidden?
PARANOIA.... but as always with these things, better be prepared.....
I don't know how yet, but the IMEI is derived from data in a flashable ROM area, so in theory it should be possible to modify it.
The Disk-On-Chip ID is in true read-only memory.
Though you may be able to trick applications into thinking it has changed by modifying the trueffs.dll driver.
AFAIK the IMEI is not changeable. Every phone has a separate IMEI and it will be sent, along with the card number, at every call to your provider.
For paranoia, buy a phone and card at a flea market.
Changing the IMEI is a matter of finding the place in the GSM ROM where it is decoded from the data in ROM.
You can either modify that code, or figure out the encoding and change the encoded IMEI in ROM.
Not that it is easy; it involves some serious reverse engineering, but it is possible. We did it for the XDA-1 too.
I understand that there is also some kind of checksum applied to the IMEI, so putting in any old numbers won't work on some phones; in fact it renders the phone useless. I don't know if this applies to the XDA2, although the XDA1 was very casual about the IMEI number: no checks whatsoever were carried out. I even had my birthday as an IMEI in my old XDA.
Anyone interested in writing a utility to mask those numbers or even to change them at leisure?
itsme said:
Changing the IMEI is a matter of finding the place in the GSM ROM where it is decoded from the data in ROM.
You can either modify that code, or figure out the encoding and change the encoded IMEI in ROM.
Not that it is easy; it involves some serious reverse engineering, but it is possible. We did it for the XDA-1 too.
Itsme, as it has been done for the XDA 1, is there any chance it will be done for the XDA 2?
Laws differ from country to country, and I don't even want to go THERE...
But it would be remiss of me, not to point out that SIM unlocking is perfectly legal in the UK.
BUT, in the UK, to change an IMEI on a handset is illegal, and carries a 5 year prison sentence.
Other countries can be quite different, I'm led to believe though.
A while back (5 years or so) I read a story about how they were identifying phones by fingerprinting the analog signal from the transmitter. Apparently small differences in the analog parts make each phone uniquely identifiable.
hey itsme
do you still have this article... I would be very interested to read it...
I can not believe this... Honestly... this is impossible (and I do believe in aliens)
Neither the PA nor the RF of a mobile phone has any kind of serial register or an area where you could influence the signal to fingerprint it.
Next, the signal gets heavily disturbed while transmitted; they are happy enough if they find the normal payload ;-)
Or was it 4 years and 50 weeks ago ;-)
Alex
It was not explicitly made different; it's just that analog parts are never exactly the same.
Found it:
http://iwce-mrt.com/ar/radio_fight_cellular_cloning/
Not sure if it would still work; in 7 years, cellphone technology has changed quite a bit.
If you search for 'radio frequency fingerprinting' on Google you will find more on it.
chuck said:
as it has been done for the XDA 1, is there any chance it will be done for the XDA 2 ?
I'd say chance of 90%, where the 10% is for taking into account I didn't actually do it. The new method of unlocking the XDA 2 pretty much allows you to change all values in the phone.
hi itsme
I called our RF radio specialists... they never heard about it and do not think it is possible.
Seven years ago the radio of a mobile did indeed consist of many (hundreds of) discretes, which of course all have a tolerance; nowadays the whole radio fits into a single chip with some discretes around it.
The quality of the radio has also greatly improved, so the difference between manufacturers has become so small that it is not possible to judge different radios by their signals.
Another thing just came to my mind... this article is from America, where they use and used analog cell phones... I am pretty sure this technology refers to the analog cellphone standard and not to a GSM one...
hey the more I think about it the more I like this explanation...
Now I can sleep better...
Alex
W4XY, do you know from experience if any checksum is used with the IMEI in the XDA2, or is it the same as the XDA1 where just about any number could be used?
I have no true idea if the algorithm is different for the IMEI in the XDA 2 as I have not looked at that in particular, but I suspect it will be the same as a lot of other stuff is still the same too.
An IMEI is supposed to satisfy a Luhn check, which is the same checksum algorithm as used for credit cards.
Useless fact: the number printed on a SIM card also satisfies the same check.
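Since the post above says an IMEI (and the number printed on a SIM card) must pass a Luhn check, here is an added example, not code from any poster in the thread, that implements that check in Python; the 15-digit value 350314010000009 is the "generic" IMEI quoted later in this thread, while the SIM number and the wrong-check-digit values are constructed for the example.

```python
"""Luhn check for a 15-digit IMEI.

Added example, not code from any poster in the thread. The thread says an
IMEI must satisfy a Luhn check (the credit-card checksum) and that the number
printed on a SIM card satisfies it too. The IMEI 350314010000009 is the
"generic" value quoted in the thread; the SIM number and the values with a
wrong check digit or wrong length are constructed for this example.
"""


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum: from the right, double every second digit and
    add the digits of any two-digit result (same as subtracting 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True if the digit string, check digit included, passes the Luhn check."""
    if not (number.isascii() and number.isdigit()):
        return False
    return luhn_sum(number) % 10 == 0


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit Luhn-valid (the 15th IMEI digit)."""
    if not (body.isascii() and body.isdigit()):
        raise ValueError("body must be decimal digits")
    # Appending '0' puts the body digits in the parity positions they will
    # occupy once a real check digit follows them.
    return str((10 - luhn_sum(body + "0") % 10) % 10)


def imei_valid(imei: str) -> bool:
    """An IMEI is exactly 15 decimal digits whose last digit is the Luhn check digit."""
    return len(imei) == 15 and luhn_valid(imei)


if __name__ == "__main__":
    samples = {
        "350314010000009": "generic IMEI quoted in the thread",
        "350314010000008": "constructed: check digit off by one",
        "35031401000000901": "constructed: 17 digits, trailing '01'",
    }
    for value, note in samples.items():
        print(f"{value:>18} valid={imei_valid(value)!s:5} ({note})")
    print("check digit for 35031401000000:", luhn_check_digit("35031401000000"))
    print("constructed SIM number 89441000000000000000 Luhn-valid:",
          luhn_valid("89441000000000000000"))
```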
To all XDA developers: is there a change-IMEI software (USB)? If yes, where can I find it, and if no, is it going to be developed any time soon? When?
I doubt the developers will be writing software for that particular use on the XDA1. If you have a serial cable it will work on the XDA as long as the radio stack is one of the early versions; it won't work on radio stack 4.21, for instance.
So where can I get the early (<4.20) radio version, 'cos I wanna use the Manipulator programme with my XDA2 device?
Changing the IMEI is a way to get RID of those SPIES who pry into our personal info. Violations of our right to privacy....
Emil, can you expand on that statement please? The IMEI is the phone's identity tag. If you have a prepay SIM card your identity is unknown; if you have a post-pay contract SIM then your details are known and your phone is trackable by the SIM details regardless of the IMEI/phone used.
I want to reset the timer to know how much I talked, so where can I find that radio version?
As far as I know, xda manipulator is for xda1 only.
IMEI-change and call-timer reset
No software exists to change IMEI or reset timers on Himalaya/XDA-II. Also no software does it to the Wallaby/XDA over USB, and The Manipulator, the program that does it to the Wallaby via the serial port only works with certain Radio Stack versions.
We have no legal or moral problems with IMEI-changing or timer reset, but it's a lot of hard work to write something which overwrites parts of people's radio software reliably. The last thing we want is 300 people wrecking their phones and blaming us. This issue has sort of scared us away from this type of modification.
(Unlocking is different since it only reads the ROM and then uses the 'official' mechanism of AT-commands in the phone for unlocking.)
No idea whether this topic will be revisited at some point, but don't hold your breath...
I can help you to change IMEI for XDA I or XDA II
cgigate
Tell me how.... please
cgigate said:
I can help you to change IMEI for XDA I or XDA II
Will you tell how it all works, and maybe even create a wiki page on it? We have itsme's and W4XY's works, but we need many more people to publish the results of their trips into the phone ROM and bootloader...
Peter,
Can you tell me how to read or find my IMEI number? I have a phone that was a display model and the label on the back was removed, so I can't get it there, and the system identity shows a generic IMEI number (as I've found with all the updated 2003 ones).
Thanks,
David
moto1 said:
Can you tell me how to read or find my IMEI number? I have a phone that was a display model and the label on the back was removed, so I can't get it there, and the system identity shows a generic IMEI number (as I've found with all the updated 2003 ones).
Try dialing *#06# on the phone. This works on all GSM phones (since it is in the GSM specification to be approved as one).
That still gives the generic IMEI number with an extra "01" at the end. It seems to be a glitch in the 2003 software, because the IMEI numbers are available before you upgrade but not after. I thought I was missing something, but the other units with the upgrade are giving the same generic number (350314010000009). Does anyone else come up with that IMEI #? (May be T-Mobile only!)
David
nope
I upgraded my ROM lots of times and never lost my original IMEI number (which is written inside the case, under the battery).
It must be in the "T-Mobile" upgrade that changes the number in the system settings.
No solution till now????!!!!!
If I change the ROM to an i-mate JasJar or any other, will it be unblocked?
No
Why is that?
I'm not an expert, but sometimes I wonder why that is. If we replace each and every file of a locked MDA Pro with those of an unlocked JasJar, then there should be no reason for the MDA Pro to stay locked.
Can anyone explain the inside science of locking & unlocking?
I think it also depends on the definition of "blocked"
If the phone itself has had its IMEI blocked, then no amount of reprogramming/reflashing will unblock it.
If the phone has a simlock on it, then I believe this would be to do with something within the phone hardware itself.
Hi guys
That old chestnut again: locked and blocked are 2 completely different issues, and unfortunately neither of these actually involves anything that is directly under the control of Pocket Windows.
There are 2 types of locking.
1) PUK locking (SIM locking): this occurs if you incorrectly enter the SIM PIN code 3 times in a row. If this happens you need to contact the network provider to get the PUK unlock code; better still, if you enter the PUK code incorrectly 5 times you will destroy the SIM and need to get a new one.
2) Network locking is a flag that specifies the LAIN of the mobile network that supplied the mobile phone, and if this feature is enabled by the operator it will mean that only a SIM card that has the correct LAIN will work in that phone. I forget what LAIN stands for, but basically it is used in the GSM international roaming world and therefore each operator has its own; the first few digits indicate the country, then the last ones the specific network.
This can be disabled in 2 ways: firstly by using an encrypted code specifically issued for your handset, or secondly by trial and error, by writing different values to the registers on the EPROM on the GSM unit itself. Eventually this will result in the phone unlocking itself. In order to do this the GSM engine needs to be removed from the handset and interfaced to a serial port. A 0 or a 1 is then sent to each register 1 at a time and the phone is then tested to see if it works. Depending on the size of the chip this takes a long time. However, when you know the memory location of the register this can then be done to any phone in a matter of minutes. This is basically the way most of the unlocking systems are developed.
Finally, IMEI blocking. This is done where the network has evidence that a crime has taken place: either fraud committed on the handset, abusive phone calls, or the unit has been stolen. If the network IMEI-blocks it you have 2 options: 1) sell it in a different country (Nigeria), or 2) some chip sets contain the IMEI details on a flash chip. Again the registers are read over a serial interface and this can be rewritten. The first phones to support this IMEI in flash were the Siemens TC35 GSM engines; the Wavecom GSM modules also support this. I am not really sure of any legitimate application for changing the IMEI of a mobile handset, or even why this data is not written in ROM, but there you go.
I hope that helps to clear up issues relating to locking and blocking.
Regards
Charlie
Thanks for such an informative essay. We are all concerned about the network locking. I have noticed a tool to remove the SIM lock from the HTC Wizard, which uses the same OS as the HTC Universal, but in the above post it's mentioned that the OS has nothing to do with unlocking...
But the unlocking tool for all the old HTC devices running WM 2003 never took so long as in the case of the Universal? Or maybe it's quite possible that all the good brains of our forum don't use the Universal?
Thanks to everyone involved with the unlocking of telephone calls. I am a Canadian user on Bell with a Bell Tab and using it as my only device (with a BT headset of course!).
I have a Galaxy S, and an application from my work restricts access based on IMEI. Because I have both devices and I swap my SIM when I want to carry something smaller, is it possible to mirror/duplicate the IMEI from the S to the Tab? As only one device will be on the network at any given time I don't see why this would be a problem, but I don't know much about how the IMEI is used on mobile networks.
I read some posts about scrubbing the IMEI but nothing about replacing it.
Thanks,
Greg
Are you sure that the access is restricted based on the imei and not the mac address ?
pakalrtb said:
Are you sure that the access is restricted based on the imei and not the mac address ?
And it's really easy to change the Wi-Fi MAC to any other value you would like, especially to that of an old device that does have network access.
But if the app queries the IMEI then you're stuck.
Yeah, it's definitely looking at the IMEI; it's part of registering for the service. So there's no way to re-program it? That's a bummer.
Part of making it work on Froyo requires me to figure out how to get Samsung Social Hub, as the app itself doesn't like Froyo on the Galaxy S, but with Social Hub I can read email. Such bad software, but that's what I got. Okay, guess I need to tell my gatekeeper guy to change my IMEI for the service from the Galaxy S to the Tab.
You need a piece of hardware called an sptbox to change the imei number on your phone. It costs $250 and I think you have to buy it from China or some reseller, of which, there doesn't appear to be any in North America. Doesn't seem worth it to me.