GSM Programming & Reverse Engineering Here you can post all Kind of GSM Programming and Reverse Engineering tools and Secrets.
Old 07-03-2014, 14:14   #16 (permalink)
Banned
 
Join Date: Nov 2013
Location: Chicago, IL
Posts: 995
Member: 2076039
Status: Offline
Thanks Meter: 648

Dest is right, but not only do you need to have the modemst partitions but ALSO the FSG partition. If you don't have these three you'll never get your original IMEI back. To reset the EFS you must clear the three EFS data partitions mentioned above. There might be only one way to do it now...used to be able to do it through download mode until they locked down the reading of the PIT on the device. If you do some searching you might find out how to do it. I may even have a few threads over on XDA that get VERY close at explaining how to do it.

Also...how do you plan on writing the IMEI? If you have difficulty resetting the EFS without a box, you'll find it a hundred times more difficult writing the IMEI to the device without a box.
Old 07-03-2014, 23:24   #17 (permalink)
Junior Member
 
Join Date: Jun 2012
Posts: 3
Member: 1769516
Status: Offline
Thanks Meter: 0
Quote:
Originally Posted by ecs87 View Post
Dest is right, but not only do you need to have the modemst partitions but ALSO the FSG partition. If you don't have these three you'll never get your original IMEI back. To reset the EFS you must clear the three EFS data partitions mentioned above. There might be only one way to do it now...used to be able to do it through download mode until they locked down the reading of the PIT on the device. If you do some searching you might find out how to do it. I may even have a few threads over on XDA that get VERY close at explaining how to do it.

Also...how do you plan on writing the IMEI? If you have difficulty resetting the EFS without a box, you'll find it a hundred times more difficult writing the IMEI to the device without a box.
Well... that means it's impossible to go back to the original IMEI, right? Unlocking by box is a stupid idea: you can use your phone outside the US but you cannot use it with any carrier inside the US. Now when I switch to another carrier, the service IMEI is blacklisted.

Any idea how to connect my phone to another carrier without resetting to the original IMEI???
Old 07-04-2014, 04:27   #18 (permalink)
Banned
 
Join Date: Nov 2013
Location: Chicago, IL
Posts: 995
Member: 2076039
Status: Offline
Thanks Meter: 648
Write a service imei that isn't blacklisted...? You're gonna need either Octopus box or SPT box for this. Unless you're gonna follow the rabbit hole on AT commands and make your own UART cable.
Old 07-04-2014, 11:39   #19 (permalink)
No Life Poster
 
Join Date: Jun 2004
Location: USA
Age: 39
Posts: 1,142
Member: 67927
Status: Offline
Thanks Meter: 108
Quote:
Originally Posted by ecs87 View Post
Dest is right, but not only do you need to have the modemst partitions but ALSO the FSG partition. If you don't have these three you'll never get your original IMEI back. To reset the EFS you must clear the three EFS data partitions mentioned above. There might be only one way to do it now...used to be able to do it through download mode until they locked down the reading of the PIT on the device. If you do some searching you might find out how to do it. I may even have a few threads over on XDA that get VERY close at explaining how to do it.

Also...how do you plan on writing the IMEI? If you have difficulty resetting the EFS without a box, you'll find it a hundred times more difficult writing the IMEI to the device without a box.
No, you don't need the FSG partition. That is only the backup partition. If you ever did adb reboot nvbackup, then modemst1 is copied to backup partition and modemst2 to FSG. Other than that they are useless.

Reading the PIT file via download mode is never blocked; in fact it is necessary to flash anything to the phone. Every time you flash anything using Odin or any other software, that software must first read the PIT in order to correctly flash those certain partitions into the MMC.
Old 07-05-2014, 16:23   #20 (permalink)
Banned
 
Join Date: Nov 2013
Location: Chicago, IL
Posts: 995
Member: 2076039
Status: Offline
Thanks Meter: 648
I've tried writing backups of modemst1 and modemst2. It never rebuilds the entire EFS for me unless I restore all 3.

And Heimdall is unable to read the PIT of some Kit Kat devices such as the N900T and N900A. I was able to utilize Heimdall during 4.3. As soon as 4.4.2 official dropped, bam no more PIT reading by Heimdall. Odin however still works (thankfully) but I haven't quite found out how to inject FSG via Odin. I think I was successful once but the Modem blocked the file from being written to the partition.
Old 07-07-2014, 08:10   #21 (permalink)
Freak Poster
 
Join Date: Feb 2007
Location: /system/bin
Age: 31
Posts: 277
Member: 446169
Status: Offline
Sonork: 100.1601454
Thanks Meter: 30
So can we read/write A-key or SPC in Samsung CDMA Android phones with these 'AT' commands (with RJ45 cable)..?
If yes, can you share those AT commands?
Sorry for the hurry ......
Old 07-07-2014, 18:55   #22 (permalink)
Banned
 
Join Date: Nov 2013
Location: Chicago, IL
Posts: 995
Member: 2076039
Status: Offline
Thanks Meter: 648
No, we're strictly talking about GSM phones. I used some AT commands commonly used on GSM phones, but on the Sprint S5 as a test since I didn't have any GSM phones handy. This is to read the AKSEED used to calculate the one to send back, and to read the MSL on the modem (NOT QC COM PORT!!!!) to calculate and send back too. The details are in the majority of dest's posts on the first page of this thread.
Old 07-09-2014, 08:11   #23 (permalink)
No Life Poster
 
Join Date: May 2011
Posts: 1,322
Member: 1576733
Status: Offline
Thanks Meter: 622
Can anyone give a little hint about the AKSEED calculation?
As far as I know, it's the same in all old and new models.
Old 09-30-2014, 22:40   #24 (permalink)
Junior Member
 
Join Date: Oct 2006
Posts: 29
Member: 372813
Status: Offline
Thanks Meter: 1

This portion of code calculates the AKSEEDNO. Debugging it line by line, you can clearly see it take the value (AKSEEDNO=1,0), calculate, and then return the calculated value ... Does anyone understand it better than me?

For example, in: AKSEEDNO=1,0 (25021-245-2747), and it calculates AKSEEDNO=0,("6020-96-134")

Code:
007C3FC0  /> 55             PUSH EBP  (BREAKPOINT)
007C3FC1  |. 8BEC           MOV EBP,ESP
007C3FC3  |. 81EC E0000000  SUB ESP,0E0
007C3FC9  |. 53             PUSH EBX
007C3FCA  |. 56             PUSH ESI
007C3FCB  |. 57             PUSH EDI
007C3FCC  |. 51             PUSH ECX
007C3FCD  |. 8DBD 20FFFFFF  LEA EDI,DWORD PTR SS:[EBP-E0]
007C3FD3  |. B9 38000000    MOV ECX,38
007C3FD8  |. B8 CCCCCCCC    MOV EAX,CCCCCCCC
007C3FDD  |. F3:AB          REP STOS DWORD PTR ES:[EDI]
007C3FDF  |. 59             POP ECX
007C3FE0  |. 894D FC        MOV DWORD PTR SS:[EBP-4],ECX
007C3FE3  |. C745 EC 000000>MOV DWORD PTR SS:[EBP-14],0
007C3FEA  |. 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-14]
007C3FED  |. 8945 F0        MOV DWORD PTR SS:[EBP-10],EAX
007C3FF0  |. 8B4D F0        MOV ECX,DWORD PTR SS:[EBP-10]
007C3FF3  |. 894D F4        MOV DWORD PTR SS:[EBP-C],ECX
007C3FF6  |. 8B55 F4        MOV EDX,DWORD PTR SS:[EBP-C]
007C3FF9  |. 8955 F8        MOV DWORD PTR SS:[EBP-8],EDX
007C3FFC  |. 6A 00          PUSH 0
007C3FFE  |. 6A 2D          PUSH 2D
007C4000  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
007C4003  |. 50             PUSH EAX
007C4004  |. 8B4D FC        MOV ECX,DWORD PTR SS:[EBP-4]
007C4007  |. E8 39EFC3FF    CALL UMTS_IME.00402F45
007C400C  |. 8945 F8        MOV DWORD PTR SS:[EBP-8],EAX
007C400F  |. 8B4D F8        MOV ECX,DWORD PTR SS:[EBP-8]
007C4012  |. 51             PUSH ECX
007C4013  |. 6A 00          PUSH 0
007C4015  |. 6A 00          PUSH 0
007C4017  |. 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
007C401A  |. 52             PUSH EDX
007C401B  |. 8D85 68FFFFFF  LEA EAX,DWORD PTR SS:[EBP-98]
007C4021  |. 50             PUSH EAX
007C4022  |. 8B4D FC        MOV ECX,DWORD PTR SS:[EBP-4]
007C4025  |. E8 5433C4FF    CALL UMTS_IME.0040737E
007C402A  |. 8B4D F8        MOV ECX,DWORD PTR SS:[EBP-8]
007C402D  |. C6840D 68FFFFF>MOV BYTE PTR SS:[EBP+ECX-98],0
007C4035  |. 8D95 68FFFFFF  LEA EDX,DWORD PTR SS:[EBP-98]
007C403B  |. 52             PUSH EDX                                 ; /Arg1
007C403C  |. E8 DF390D00    CALL UMTS_IME.00897A20                   ; \UMTS_IME.00897A20
007C4041  |. 83C4 04        ADD ESP,4
007C4044  |. DD5D E4        FSTP QWORD PTR SS:[EBP-1C]
007C4047  |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
007C404A  |. 83C0 01        ADD EAX,1
007C404D  |. 8945 F4        MOV DWORD PTR SS:[EBP-C],EAX
007C4050  |. C685 68FFFFFF >MOV BYTE PTR SS:[EBP-98],0
007C4057  |. 8B4D F4        MOV ECX,DWORD PTR SS:[EBP-C]
007C405A  |. 51             PUSH ECX
007C405B  |. 6A 2D          PUSH 2D
007C405D  |. 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
007C4060  |. 52             PUSH EDX
007C4061  |. 8B4D FC        MOV ECX,DWORD PTR SS:[EBP-4]
007C4064  |. E8 DCEEC3FF    CALL UMTS_IME.00402F45
007C4069  |. 8945 F8        MOV DWORD PTR SS:[EBP-8],EAX
007C406C  |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
007C406F  |. 2B45 F4        SUB EAX,DWORD PTR SS:[EBP-C]
007C4072  |. 50             PUSH EAX
007C4073  |. 8B4D F4        MOV ECX,DWORD PTR SS:[EBP-C]
007C4076  |. 51             PUSH ECX
007C4077  |. 6A 00          PUSH 0
007C4079  |. 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
007C407C  |. 52             PUSH EDX
007C407D  |. 8D85 68FFFFFF  LEA EAX,DWORD PTR SS:[EBP-98]
007C4083  |. 50             PUSH EAX
007C4084  |. 8B4D FC        MOV ECX,DWORD PTR SS:[EBP-4]
007C4087  |. E8 F232C4FF    CALL UMTS_IME.0040737E
007C408C  |. 8B4D F8        MOV ECX,DWORD PTR SS:[EBP-8]
007C408F  |. 2B4D F4        SUB ECX,DWORD PTR SS:[EBP-C]
007C4092  |. C6840D 68FFFFF>MOV BYTE PTR SS:[EBP+ECX-98],0
007C409A  |. 8D95 68FFFFFF  LEA EDX,DWORD PTR SS:[EBP-98]
007C40A0  |. 52             PUSH EDX                                 ; /Arg1
007C40A1  |. E8 7A390D00    CALL UMTS_IME.00897A20                   ; \UMTS_IME.00897A20
007C40A6  |. 83C4 04        ADD ESP,4
007C40A9  |. DD5D DC        FSTP QWORD PTR SS:[EBP-24]
007C40AC  |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
007C40AF  |. 83C0 01        ADD EAX,1
007C40B2  |. 8945 F4        MOV DWORD PTR SS:[EBP-C],EAX
007C40B5  |. C685 68FFFFFF >MOV BYTE PTR SS:[EBP-98],0
007C40BC  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
007C40BF  |. 51             PUSH ECX
007C40C0  |. E8 FBF70C00    CALL UMTS_IME.008938C0
007C40C5  |. 83C4 04        ADD ESP,4
007C40C8  |. 2B45 F8        SUB EAX,DWORD PTR SS:[EBP-8]
007C40CB  |. 50             PUSH EAX
007C40CC  |. 8B55 F4        MOV EDX,DWORD PTR SS:[EBP-C]
007C40CF  |. 52             PUSH EDX
007C40D0  |. 6A 00          PUSH 0  (BREAKPOINT)
007C40D2  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
007C40D5  |. 50             PUSH EAX
007C40D6  |. 8D8D 68FFFFFF  LEA ECX,DWORD PTR SS:[EBP-98]
007C40DC  |. 51             PUSH ECX
007C40DD  |. 8B4D FC        MOV ECX,DWORD PTR SS:[EBP-4]
007C40E0  |. E8 9932C4FF    CALL UMTS_IME.0040737E
007C40E5  |. 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
007C40E8  |. 52             PUSH EDX
007C40E9  |. E8 D2F70C00    CALL UMTS_IME.008938C0
007C40EE  |. 83C4 04        ADD ESP,4
007C40F1  |. 2B45 F8        SUB EAX,DWORD PTR SS:[EBP-8]
007C40F4  |. C68405 68FFFFF>MOV BYTE PTR SS:[EBP+EAX-98],0
007C40FC  |. 8D85 68FFFFFF  LEA EAX,DWORD PTR SS:[EBP-98]
007C4102  |. 50             PUSH EAX                                 ; /Arg1
007C4103  |. E8 18390D00    CALL UMTS_IME.00897A20                   ; \UMTS_IME.00897A20
007C4108  |. 83C4 04        ADD ESP,4
007C410B  |. DD5D D4        FSTP QWORD PTR SS:[EBP-2C]
007C410E  |. 8B4D E8        MOV ECX,DWORD PTR SS:[EBP-18]
007C4111  |. 51             PUSH ECX
007C4112  |. 8B55 E4        MOV EDX,DWORD PTR SS:[EBP-1C]
007C4115  |. 52             PUSH EDX
007C4116  |. 8B45 D8        MOV EAX,DWORD PTR SS:[EBP-28]
007C4119  |. 50             PUSH EAX
007C411A  |. 8B4D D4        MOV ECX,DWORD PTR SS:[EBP-2C]
007C411D  |. 51             PUSH ECX
007C411E  |. 8B55 E0        MOV EDX,DWORD PTR SS:[EBP-20]
007C4121  |. 52             PUSH EDX
007C4122  |. 8B45 DC        MOV EAX,DWORD PTR SS:[EBP-24]
007C4125  |. 50             PUSH EAX
007C4126  |. 8B4D FC        MOV ECX,DWORD PTR SS:[EBP-4]
007C4129  |. E8 FD0CC4FF    CALL UMTS_IME.00404E2B
007C412E  |. DD5D CC        FSTP QWORD PTR SS:[EBP-34]
007C4131  |. 8B4D E8        MOV ECX,DWORD PTR SS:[EBP-18]
007C4134  |. 51             PUSH ECX
007C4135  |. 8B55 E4        MOV EDX,DWORD PTR SS:[EBP-1C]
007C4138  |. 52             PUSH EDX
007C4139  |. E8 E62F0D00    CALL UMTS_IME.00897124
007C413E  |. DD1C24         FSTP QWORD PTR SS:[ESP]
007C4141  |. DD45 E4        FLD QWORD PTR SS:[EBP-1C]
007C4144  |. DC0D 28BDCF00  FMUL QWORD PTR DS:[CFBD28]
007C414A  |. 83EC 08        SUB ESP,8
007C414D  |. DD1C24         FSTP QWORD PTR SS:[ESP]
007C4150  |. E8 7B2F0D00    CALL UMTS_IME.008970D0
007C4155  |. 83C4 08        ADD ESP,8
007C4158  |. DD1C24         FSTP QWORD PTR SS:[ESP]
007C415B  |. 8B4D FC        MOV ECX,DWORD PTR SS:[EBP-4]
007C415E  |. E8 0002C4FF    CALL UMTS_IME.00404363
007C4163  |. 8945 F0        MOV DWORD PTR SS:[EBP-10],EAX
007C4166  |. DD45 DC        FLD QWORD PTR SS:[EBP-24]
007C4169  |. DC4D E4        FMUL QWORD PTR SS:[EBP-1C]
007C416C  |. DC75 E4        FDIV QWORD PTR SS:[EBP-1C]
007C416F  |. DD9D 60FFFFFF  FSTP QWORD PTR SS:[EBP-A0]
007C4175  |. 8B45 E0        MOV EAX,DWORD PTR SS:[EBP-20]
007C4178  |. 50             PUSH EAX
007C4179  |. 8B4D DC        MOV ECX,DWORD PTR SS:[EBP-24]
007C417C  |. 51             PUSH ECX
007C417D  |. E8 A22F0D00    CALL UMTS_IME.00897124
007C4182  |. 83C4 08        ADD ESP,8
007C4185  |. DCBD 60FFFFFF  FDIVR QWORD PTR SS:[EBP-A0]
007C418B  |. 83EC 08        SUB ESP,8
007C418E  |. DD1C24         FSTP QWORD PTR SS:[ESP]
007C4191  |. 8B4D FC        MOV ECX,DWORD PTR SS:[EBP-4]
007C4194  |. E8 CA01C4FF    CALL UMTS_IME.00404363
007C4199  |. 8945 EC        MOV DWORD PTR SS:[EBP-14],EAX
007C419C  |. 8B55 EC        MOV EDX,DWORD PTR SS:[EBP-14]
007C419F  |. 83C2 59        ADD EDX,59
007C41A2  |. 52             PUSH EDX                                 ; /Arg8
007C41A3  |. 6A 2D          PUSH 2D                                  ; |Arg7 = 0000002D
007C41A5  |. 8B45 F0        MOV EAX,DWORD PTR SS:[EBP-10]            ; |
007C41A8  |. 83C0 59        ADD EAX,59                               ; |
007C41AB  |. 50             PUSH EAX                                 ; |Arg6
007C41AC  |. 6A 2D          PUSH 2D                                  ; |Arg5 = 0000002D
007C41AE  |. DD45 CC        FLD QWORD PTR SS:[EBP-34]                ; |
007C41B1  |. DC05 9839D500  FADD QWORD PTR DS:[D53998]               ; |
007C41B7  |. 83EC 08        SUB ESP,8                                ; |
007C41BA  |. DD1C24         FSTP QWORD PTR SS:[ESP]                  ; |Arg3 (8-byte)
007C41BD  |. 68 8439D500    PUSH UMTS_IME.00D53984                   ; |Arg2 = 00D53984 ASCII "%.0f%c%ld%c%ld"
007C41C2  |. 8D8D 68FFFFFF  LEA ECX,DWORD PTR SS:[EBP-98]            ; |
007C41C8  |. 51             PUSH ECX                                 ; |Arg1
007C41C9  |. E8 32E70C00    CALL UMTS_IME.00892900                   ; \UMTS_IME.00892900
007C41CE  |. 83C4 20        ADD ESP,20
007C41D1  |. 8D95 68FFFFFF  LEA EDX,DWORD PTR SS:[EBP-98]
007C41D7  |. 52             PUSH EDX
007C41D8  |. 8B45 0C        MOV EAX,DWORD PTR SS:[EBP+C]
007C41DB  |. 50             PUSH EAX
007C41DC  |. E8 DFEE0C00    CALL UMTS_IME.008930C0
007C41E1  |. 83C4 08        ADD ESP,8
007C41E4  |. 5F             POP EDI
007C41E5  |. 5E             POP ESI
007C41E6  |. 5B             POP EBX
007C41E7  |. 81C4 E0000000  ADD ESP,0E0
007C41ED  |. 3BEC           CMP EBP,ESP
007C41EF  |. E8 CCE60C00    CALL UMTS_IME.008928C0
007C41F4  |. 8BE5           MOV ESP,EBP
007C41F6  |. 5D             POP EBP
007C41F7  \. C2 0800        RETN 8
Old 10-01-2014, 08:06   #25 (permalink)
No Life Poster
 
hitesh2000's Avatar
 
Join Date: Oct 2006
Posts: 581
Member: 365730
Status: Offline
Thanks Meter: 84
Quote:
Originally Posted by dest View Post
This info isn't hidden, the best way to get it is individual research. You are confused about a few things. You are trying to change IMEI using QUALCOMM port. This works in many models but this isn't how note 3 is done. All communication is done using Samsung baseband instead of QUALCOMM CPU, using AT commands.


The MSL is always different in all phones. After resetting EFS, you can check the MSL by sending:
AT+MSLSECUR=1,0
which will return all zeros, if the EFS is reset. If not it will return the MSL ADDR, which then you need to calc the MSL code, and currently it's not possible in newer phones.

You can send the default MSL to note 3 using this:
AT+MSLSECUR=2,R31D40458L_1101630E3C461D334539604F3 8123A12
This is only if efs is reset. If not then you need to send,
AT+MSLSECUR=2,[MSLCODE]
Again, the MSL cannot calc at this time so that's why we reset the EFS. Unless you have access to Samsung software of course.

Then you need to bypass AKSEED. To read the AKSEED you can send:
AT+AKSEEDNO=1,0
This will give you the AKSEED number, this is a random number that must be calculated at the time. Every time you send that command it will output a different number so you must calc and send back AKSEED using:
AT+AKSEEDNO=0,[AKSEEDNO]

After the akauth system and MSL is bypassed, you can change IMEI using AT+IMEITEST=2,[IMEI] and sign the IMEI using AT+IMEISIGN.

IMEISIGN requires certs for each imei, but in note 3 models those are not required if IMEI is superimei.

Communication can be done using putty. You have to send AT command first and wait for OK response. I suggest you learn more about AT modem communication first. DFS won't help you but it only communicates using qcm port.
Great info.
I'd like to know what the reason is for network loss in some models after IMEI repair, and what is done for network repair.
Old 10-01-2014, 14:35   #26 (permalink)
Banned
 
Join Date: Nov 2013
Location: Chicago, IL
Posts: 995
Member: 2076039
Status: Offline
Thanks Meter: 648
The network loss is probably because everyone is using the same damn super IMEIs in one location. Solution? Find a method to sign the IMEI after it's written so you don't have to use a Super IMEI.
Old 10-07-2014, 17:39   #27 (permalink)
Moderator
 
Brka's Avatar
 
Join Date: Jun 1999
Location: Serbia
Age: 48
Posts: 8,201
Member: 163
Status: Offline
Thanks Meter: 7,778
Quote:
Originally Posted by ecs87 View Post
The network loss is probably because everyone is using the same damn super IMEIs in one location. Solution? Find a method to sign the IMEI after it's written so you don't have to use a Super IMEI.
There is a remote service available that repairs IMEI+Certs,
although it's not cheap ... but at least it's possible now.

p.s. It's not any 3rd-party method, because there is no way to sign IMEI,
other than how Sammy does it, so it's the original factory solution.

p.s.2 - check attachment


b.r.
Alex
Attached Images
File Type: png Capture.png (16.3 KB, 435 views)

Last edited by Brka; 10-07-2014 at 17:46.
Old 10-09-2014, 18:34   #28 (permalink)
No Life Poster
 
Join Date: May 2009
Location: USA/NY
Posts: 1,095
Member: 1025079
Status: Offline
Thanks Meter: 311
It seems like a reactivation tool.
Old 10-21-2014, 04:37   #29 (permalink)
Freak Poster
 
Join Date: Sep 2012
Location: Albuquerque NM
Posts: 110
Member: 1808628
Status: Offline
Thanks Meter: 26
I can communicate via PuTTY and a UART box, but when I tried to write the IMEI I always get an MSL auth error. Can someone help me to bypass MSL and AKSEEDNO? I already caught like 7 certs with Daseul and want to write them to test units.
Old 10-21-2014, 21:32   #30 (permalink)
Banned
 
Join Date: Nov 2013
Location: Chicago, IL
Posts: 995
Member: 2076039
Status: Offline
Thanks Meter: 648
The MSL can be found in the Daseul log ONLY IF you've reset the default EFS (otherwise it'll give you the MSL for that exact phone you're working on, which won't help for future phones you service). The AKSEEDNO I doubt anyone can really help you out with. I assume most if not all of the box companies have some kind of algo calculator built inside of them where it calculates the AKSEEDNO, but I haven't seen any public documentation on any tools or methods to calculate it.

One work-around is to use a box (I'd prefer to use the SPT box in this case) to send the calculated AKSEEDNO. You perform the IMEI repair operation with the box, and untick reset/restart phone. You need the phone to still be ON after the IMEI repair. After repairing with the box the cert will fail. It's at this point you use the terminal to repair the CERT. You won't get MSL auth error or AKSEEDNO error because the box has already sent it. IF you restart the phone between the IMEI repair and the CERT repair it'll forget the box sent the MSL and AKSEEDNO and you'll be back at step 1.
The Following 5 Users Say Thank You to ecs87 For This Useful Post: