[GUIDE] Repairing IMEI with QPST (Qualcomm Snapdragon SoC's)

[noidodroid]

[GUIDE] Repairing IMEI with QPST (Qualcomm Snapdragon SoC's)

Hello guys. First a little history.. Coolpad Defiant 3632A - The pain in the 4ssphone

I worked on this phone for a client and used Uni Android Tools to attempt repairing the lost IMEI. This was unable to work any magic so I tried a handful of other tools / hardware of mine with no luck.. Possibility my phone has some security issues so that is why I was unable to repair. So I ended up repairing my IMEI on this Coolpad Defiant 3632A using QPST, Hex editor and simple IMEI conversion using DIAG Mode to backup/restore QCN and also adb shell root to dd the modem partitions etc. Interesting as well because I might have found a temp root during this process. Root should be required to carry out the commands i did and zero out the partitions i did but as far as I know the temp root method I tried earlier didnt work so still trying to figure out what all else i found / enabled and modified that allowed it. This handset is odd however, have had issues with it since past while since the start of modifying it. Handset is out to a client now here in a few days though so I think I will be done with it. Aside of this I would like to see someone flash that firmware I uploaded and posted to XDA here with UAT or QFIL for example and let me know if it worked out for them.

This method works on most Chinese Qualcomm based phones and HTC, LG and others. Just different system layouts and locations of blocks. Credits for all the help goto snapdragon unbricking I learned this from. Very simple, quick and easy. I would recommend it to those who have issues repairing qualcomm IMEI's with UAT/Other apps meanwhile until they fix the issues. This is of course also good to know just in case.

Now for the Steps to repair your Qualcomm phone. First you will need to download all of the files required for these steps [link]here[link]. Now onto the process.

**Warning** This can potentially screw up your phone rendering it the equivalent of a paper weight IF not done correctly. So pay attention to each step. I am not responsible for lost baseband's, lost IMEI's, bricked phones and nuclear war. Proceed with caution and via your own will.

*Phone I am using for this Guide is a [Coolpad Defiant 3632A]*

Step 1: Make sure your phone is a Qualcomm phone not mediatek, you have the files downloaded and you have root with the ability to get into Diag Mode on your phone. Some phones might not need Root. I didn't for mine..

Step 2: WRITE DOWN YOUR IMEI SOMEWHERE SAFE! IF you don't have it don't worry as your IMEI most likely is false / null. Whole reason we're here right? Ok. Now you want to connect your phone to your PC, enable diag mode on your phone, Install QPST Tools then open QPST Configuration. Goto Ports tab and make sure your phone / com port are showing up and then enable it. Next open QPST Software Download and navigate to the Backup tab.

Step 3: Make sure your com port is still showing and you are connected. Next click to the right of where it says xQCN file the "Browse" button and set a location and name your backup file something like coolpad_original_qcn.qcn . Save it as .qcn format not xQCN. Now click start and once it has finished we will get to zero'ing out the proper partition blocks on your phone.

Step 4: With diag enabled and your phone rooted (if needed) drop a root priveleged ADB shell in cmd prompt. What we are going to be doing is zero'ing out the partitions dealing with the baseband and IMEI. They are modemst1, modemst2 and fsg. Type in these commands (WARNING GETTING THE WRONG PARTITION COULD BRICK YOUR PHONE. SO MAKE SURE YOU ARE 100%)

Code:

cd /dev/block/platform/soc/
ls

This should return (in my case) "7824900.sdhci" . Remember yours and then type in

Code:

ls -al 7824900.sdhci/by-name

This should return a list of all partitions.

Should look similar to this

Code:

cp3632a:/dev/block/platform/soc # ls -al 7824900.sdhci/by-name
ls -al 7824900.sdhci/by-name
total 0
drwxr-xr-x 2 root root  960 1969-12-31 18:00 .
drwxr-xr-x 4 root root 1040 1969-12-31 18:00 ..
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 DDR -> /dev/block/mmcblk0p15
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 aboot -> /dev/block/mmcblk0p19
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 abootbak -> /dev/block/mmcblk0p20
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 apdp -> /dev/block/mmcblk0p41
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 boot -> /dev/block/mmcblk0p21
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 cache -> /dev/block/mmcblk0p24
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 cmnlib -> /dev/block/mmcblk0p35
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 cmnlib64 -> /dev/block/mmcblk0p37
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 cmnlib64bak -> /dev/block/mmcblk0p38
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 cmnlibbak -> /dev/block/mmcblk0p36
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 config -> /dev/block/mmcblk0p28
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 devcfg -> /dev/block/mmcblk0p10
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 devcfgbak -> /dev/block/mmcblk0p11
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 devinfo -> /dev/block/mmcblk0p23
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 dip -> /dev/block/mmcblk0p31
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 dpo -> /dev/block/mmcblk0p43
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 dsp -> /dev/block/mmcblk0p12
lrwxrwxrwx 1 root root   20 1969-12-31 18:00 fsc -> /dev/block/mmcblk0p2
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 fsg -> /dev/block/mmcblk0p16
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 keymaster -> /dev/block/mmcblk0p39
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 keymasterbak -> /dev/block/mmcblk0p40
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 keystore -> /dev/block/mmcblk0p27
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 limits -> /dev/block/mmcblk0p29
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 mcfg -> /dev/block/mmcblk0p34
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 mdtp -> /dev/block/mmcblk0p32
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 misc -> /dev/block/mmcblk0p26
lrwxrwxrwx 1 root root   20 1969-12-31 18:00 modem -> /dev/block/mmcblk0p1
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 modemst1 -> /dev/block/mmcblk0p13
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 modemst2 -> /dev/block/mmcblk0p14
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 mota -> /dev/block/mmcblk0p30
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 msadp -> /dev/block/mmcblk0p42
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 oem -> /dev/block/mmcblk0p44
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 params -> /dev/block/mmcblk0p18
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 persist -> /dev/block/mmcblk0p25
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 recovery -> /dev/block/mmcblk0p22
lrwxrwxrwx 1 root root   20 1969-12-31 18:00 rpm -> /dev/block/mmcblk0p6
lrwxrwxrwx 1 root root   20 1969-12-31 18:00 rpmbak -> /dev/block/mmcblk0p7
lrwxrwxrwx 1 root root   20 1969-12-31 18:00 sbl1 -> /dev/block/mmcblk0p4
lrwxrwxrwx 1 root root   20 1969-12-31 18:00 sbl1bak -> /dev/block/mmcblk0p5
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 sec -> /dev/block/mmcblk0p17
lrwxrwxrwx 1 root root   20 1969-12-31 18:00 ssd -> /dev/block/mmcblk0p3
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 syscfg -> /dev/block/mmcblk0p33
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 system -> /dev/block/mmcblk0p45
lrwxrwxrwx 1 root root   20 1969-12-31 18:00 tz -> /dev/block/mmcblk0p8
lrwxrwxrwx 1 root root   20 1969-12-31 18:00 tzbak -> /dev/block/mmcblk0p9
lrwxrwxrwx 1 root root   21 1969-12-31 18:00 userdata -> /dev/block/mmcblk0p46

Now find modemst1, modemst2 and fsg. Take note their numbers. We will use mine as example in the next commands. Simply replace yours. You should get the idea by now. So type in

Code:

dd if=/dev/zero of=/dev/block/mmcblk0p13

dd if=/dev/zero of=/dev/block/mmcblk0p14

dd if=/dev/zero of=/dev/block/mmcblk0p16

Step 5: Now you are ready to open up MiTeC Hex Editor and load up your QCN file. So do this. Once loaded you will want to search for 088a to find your IMEI within the file. Why? Thats how it is stored in hex format. The 08 will be what stays but the 3rd letter "8" is what your IMEI starts with so make sure you replace it.. e.g. IMEI 762429035623741 would be 087a.. and if it started with 6 086a etc.

Step 6: You should have located the string now that shows 087a then following will be the rest of your IMEI just reversed. Should look like this which is from our example IMEI in step 3, "087A 2624 0953 2673 1400". This translates out to 7 skip the first 08 and the A then 62429035623741 so 762429035623741.

Step 7: Open the last tool in the zip called IMEI Converter. Input your phones new (factory original) IMEI in the first box and take the output and replace "087A 2624 0953 2673 1400" with this string you just created. Save your file and MAKE SURE you do not overwrite your original QCN backup.

Step 8: Open up QPST Software Downloader and goto Restore tab. Select your file we saved in the last step and write it. Now reboot your phone. Check to see that your new imei is showing. In my case I had to run Net Tools > RF Tools > then "clean" the MBN in order for my IMEI to show. Well that's it! You're done.

noidodroid

[noidodroid]

Here are the files needed for the operation. https://www.androidfilehost.com/?fid...32744536985122

[UzUnlocker]

Try this SW To repair im3i

[pashamangl]

Quote:

Originally Posted by UzUnlocker

Try this SW To repair im3i

link does not work please provide a new one

[noidodroid]

Quote:

Originally Posted by pashamangl

link does not work please provide a new one

Usually software like his doesn't work and if so only for very few phones. The method I describe is fool proof just takes little more time. I would also recommend using Uni Android Tools for IMEI Repair.

[cell_pro]

thank for share
how to guide repair imei
for android units

[Leonelle]

How to "run Net Tools > RF Tools > then "clean" the MBN"?
Thanks

[DaltonT]

Quote:

Originally Posted by Leonelle

How to "run Net Tools > RF Tools > then "clean" the MBN"?
Thanks

Same question.

Dear noidodroid could you provide info on which tool "cleans the MBN"?

[noidodroid]

Quote:

In my case I had to run Net Tools > RF Tools > then "clean" the MBN in order for my IMEI to show.

Hey guys. What i meant by that.. Well it relates to the Coolpad phone I was using for the tutorial. So just ignore it! =]

[rerunshrink]

Quote:

Originally Posted by noidodroid

Usually software like his doesn't work and if so only for very few phones. The method I describe is fool proof just takes little more time. I would also recommend using Uni Android Tools for IMEI Repair.

This worked for me tyvm!

[noidodroid]

Quote:

Originally Posted by rerunshrink

This worked for me tyvm!

You are welcome! Pass my guide along to anyone in need of help. =]

[yurais]

Quote:

Originally Posted by noidodroid

Hey guys. What i meant by that.. Well it relates to the Coolpad phone I was using for the tutorial. So just ignore it! =]

Well, I do have the same phone, and I would like to take a look at those options,
can you tell me how to get to net tools ?