Chip Off/On IMEI Location/Swap

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Coligulus
Senior Member
 

Chip Off/On IMEI Location/Swap

Post Posted: Mar 09, 11 20:10

The title of this thread may be a bit confusing... Apologies.

I would like to canvas people's knowledge of chip off processes and IMEI storage to establish the following:

Is it fair to say that the digital store for the IMEI would be in a sector of the chip which would get removed during a chip off process?

And if so..

If the memory chip was removed from a handset and replaced into another of the exact same model (let's not get bogged down with secondary components etc.) and powered on, the IMEI returned would reflect that of the original handset?

I welcome any thoughts people may have on the above and thanks in advance.

Colin
_________________
Colin Mortimer
AirWatch 
 
  

raoul
Member
 

Re: Chip Off/On IMEI Location/Swap

Post Posted: Mar 10, 11 10:32

It depends on the brand and even the model.

Nokia for example has the IMEI stored in 2 places, in the OTP (one time program) area and in the FLASH IC (firmware); changing the chip will not work, you would need to recalculate and digitally sign it.

If you can give more info on brand / model I might be able to tell you more.  
 
  

trewmte
Senior Member
 

Re: Chip Off/On IMEI Location/Swap

Post Posted: Mar 10, 11 11:17

- raoul
Nokia for example has the IMEI stored in 2 places, in the OTP (one time program) area and in the FLASH IC (firmware); changing the chip will not work, you would need to recalculate and digitally sign it.


Raoul, are you saying all Nokias or just some of the Nokia range?
Thanks
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

Coligulus
Senior Member
 

Re: Chip Off/On IMEI Location/Swap

Post Posted: Mar 10, 11 13:31

Thanks Raoul for your response.

The model in question is a Nokia 6300.

So following your response, where would the handset look for the IMEI if you entered *#06#? And which source would it read from to present to the network on powering on with an active SIM etc.?

Do I assume from what you've said that if the IMEI in the OTP and the FLASH IC are not the same that the handset would not start up correctly?

Couldn't the OTP and FLASH IC both be removed and replaced to a new board theoretically speaking and this would bypass any digital signature issues?

Thanks in advance for your time.
_________________
Colin Mortimer
AirWatch 
 
  

raoul
Member
 

Re: Chip Off/On IMEI Location/Swap

Post Posted: Mar 10, 11 18:00

- trewmte
- raoul
Nokia for example has the IMEI stored in 2 places, in the OTP (one time program) area and in the FLASH IC (firmware); changing the chip will not work, you would need to recalculate and digitally sign it.


Raoul, are you saying all Nokias or just some of the Nokia range?
Thanks


Depends on the platform.

Generally speaking:

- DCT4 has a UEM and a flash IC; inside the UEM is the one time program area. You can change the UEM, recalculate the checksums and signature in flash, and you are done (from another phone, or simply use a new UEM).

- BB5 has a RAPid; it's like a processor serial number inside the silicon of the processor (so it cannot be changed). The flash IC gets a digital signature which MUST match the RAPid. So if you change the RAP, it will never work (the flash signature is based on the old ID, and currently there is no weakness to make such a signature yourself).

If you change the flash IC you must ask Nokia to make a new signature for the flash; they check in their database if IMEI 123456789012345 matches the RAPid you request, and if it does not match ---> you get no signature = no working phone.
 
  

raoul
Member
 

Re: Chip Off/On IMEI Location/Swap

Post Posted: Mar 10, 11 18:06

- Coligulus
Thanks Raoul for your response.

The model in question is a Nokia 6300.

So following your response, where would the handset look for the IMEI if you entered *#06#? And which source would it read from to present to the network on powering on with an active SIM etc.?

Do I assume from what you've said that if the IMEI in the OTP and the FLASH IC are not the same that the handset would not start up correctly?

Couldn't the OTP and FLASH IC both be removed and replaced to a new board theoretically speaking and this would bypass any digital signature issues?

Thanks in advance for your time.


Nokia 6300 = BB5, there are no known holes (solutions) to do this. Of course you can change the flash IC, and the phone would boot up, but it would not get past the watchdog because the RAPid does not match the one in the flash IC. Technically, high level Nokia repair centers can change the flash IC, but this would not change the IMEI, as Nokia ONLY signs files to the original RAPid that is available in their database.

This is a "simplified" working explanation of the IMEI in Nokia. Technically it is currently not possible in BB5 to change the IMEI and get a WORKING phone.
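Raoul's two posts above contrast DCT4 (a recalculable checksum in flash over the IMEI held in the UEM) with BB5 (a manufacturer signature over the flash that must match the processor's RAPid). The Python model below is added here as an illustration and is not code from the thread or from Nokia; the signing key, the RAPid values, the second IMEI and the helper names are constructed stand-ins for how each platform's boot check behaves after a chip or UEM swap.

```python
import hashlib
import hmac

# Constructed stand-ins, not real Nokia data: a signing key only the
# manufacturer holds, and per-processor RAPids burned into silicon.
MANUFACTURER_KEY = b"hypothetical-manufacturer-signing-key"
IMEI = "123456789012345"  # example IMEI quoted in the thread


def dct4_checksum(imei: str) -> str:
    """DCT4 model: flash holds a keyless checksum over the IMEI held in the
    UEM. Nothing secret goes into it, so it can always be recalculated."""
    return hashlib.sha256(imei.encode()).hexdigest()[:8]


def dct4_boots(uem_imei: str, flash_checksum: str) -> bool:
    return hmac.compare_digest(flash_checksum, dct4_checksum(uem_imei))


def bb5_sign(imei: str, rapid: str) -> str:
    """BB5 model: the manufacturer signs IMEI and RAPid together, so a valid
    signature for a different RAPid cannot be produced without the key."""
    msg = f"{imei}:{rapid}".encode()
    return hmac.new(MANUFACTURER_KEY, msg, hashlib.sha256).hexdigest()


def bb5_boots(flash_imei: str, flash_sig: str, board_rapid: str) -> bool:
    """Watchdog model: the flash image boots only if its signature verifies
    against the RAPid of the processor it is currently soldered to."""
    return hmac.compare_digest(flash_sig, bb5_sign(flash_imei, board_rapid))


def swap_outcomes() -> dict:
    """Boot result after moving parts between boards on each platform."""
    # DCT4: a new UEM carries a different OTP IMEI, so the old checksum fails
    # until it is recalculated, which needs no secret at all.
    new_uem_imei = "999999999999999"  # constructed second IMEI
    old_ck = dct4_checksum(IMEI)
    new_ck = dct4_checksum(new_uem_imei)
    # BB5: the flash was signed for the donor RAPid; on any other board the
    # watchdog check fails and only the manufacturer could re-sign it.
    donor_rapid, target_rapid = "RAPID-A", "RAPID-B"
    sig = bb5_sign(IMEI, donor_rapid)
    return {
        "dct4_after_uem_swap": dct4_boots(new_uem_imei, old_ck),    # False
        "dct4_after_recalc": dct4_boots(new_uem_imei, new_ck),      # True
        "bb5_on_donor_board": bb5_boots(IMEI, sig, donor_rapid),    # True
        "bb5_on_target_board": bb5_boots(IMEI, sig, target_rapid),  # False
    }
```

For an examiner the point is that an IMEI read from a DCT4-era chip says little about which board it came from, while a BB5 flash image that boots at all is bound to the RAPid it was signed for.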
 
  

mark_w
Member
 

Re: Chip Off/On IMEI Location/Swap

Post Posted: Mar 10, 11 19:16

Hi Colin,

Forgive me as I'm not sure why you are asking the question, but if you're asking this question because the IMEI on the manufacturer label behind the battery differs from the IMEI stored electronically, could it be due to a replacement of the mobile phone's casing?
 

Page 1 of 2