• XDA Forums have been migrated to XenForo. We are aware of several issues including missing threads, logins not working, and more. To discuss, use this thread.
  • If you are experiencing issues logging in, we migrated and software and made it more secure. We recommend trying to reset your password.

[Guide] [XT16XX] [Solve] Moto G4/Plus IMEI=0 issue

HeethJain21

New member
Mar 10, 2015
454
205
0
Mumbai
Important:
Now since Official Oreo is out, you can simply update to Official Oreo via fastboot and your IMEI will be restored.
This method will not work if you have restored other device's persist from some Youtube video or some Internet guide.
Read post #3 if you have restored some other persist and do not have a backup of your original persist.


Hello everyone, this is a guide for solving the problem for IMEI = 0 on Moto G4/Plus which is caused after flashing stock ROM.
I got this problem last week and was constantly researching for the solution to this problem for the past 5 days and finally, I was able to get my IMEI back on my Moto G4 Plus (XT1643).

Note: I will be using stock firmware and stock ROM interchangeably in this thread as a lot of people consider it the same so don't get confused since I am by no means referring to the /firmware partition.

There are two common and major problems which occur while flashing custom/stock ROMs:
1. IMEI = Unknown and Baseband = Unknown
2. IMEI = 0

1st Problem:
Reason: You flashed the firmware/stock ROM which wasn't meant for your device.
Solution: Flash the firmware which is made for your device like XT1621 or XT1643, etc.

2nd Problem:
This is a major problem and there are two reasons for this:
1. Mess up your persist partition.
2. fastboot erase all command.

If your problem is caused by the first reason, it might be possible to fix it.
However, if the problem is caused by the second reason, I'm sorry I don't know if a solution to this problem exists.

Firstly you need to check if your device still has IMEI intact or not. For that use the following command through fastboot in the bootloader mode:
Code:
fastboot getvar imei
If the command returns an IMEI, it means that the IMEI is not completely lost and it can be recovered.

However, if the command returns IMEI as 0, then there are two reasons:
1. Either you flashed the bootloader that wasn't meant for your device. This can be solved by flashing the correct bootloader which is made for your device again by the command:
Code:
fastboot flash bootloader bootloader.img
2. If you have flashed the correct bootloader that is meant for your device and facing this issue, I'm sorry I don't think there is a solution to this problem. This problem is either caused by fastboot erase all command (which erases everything like IMEI from the device's motherboard or the place where IMEI is permanently stored) or some hardware issue.

Here is a little explanation:

Device specific or device unique IDs are stored in a separate place in the device like the motherboard or some other place which I am unaware of.
When EFS partition is created, it picks up the IMEI from that unique place in the device like the motherboard (or some other place which I am unaware of) where the IMEI is stored.

On every reboot, EFS partition is checked and if it does not exists, the Android system by default creates it.
When we flash stock ROM, we use the following commands:
Code:
fastboot erase modemst1
fastboot erase modemst2
These commands wipe the EFS partition and on rebooting, EFS partition is recreated.
But, in some cases, the EFS partition is not able to regenerate IMEI or the Android system is unable to recreate it and so we are left with IMEI = 0.

Here is a detailed explanation regarding this issue:
4) Explanation

4a) What happened to persist.

To understand what happened, you need to know a few things about filesystem permissions in Linux. Files and folders have user and group ownership, and permissions. Examples of owners are the system, root, user, etc. Examples of permissions are read access, write access, execute access. The permissions are applied at three levels 1) the user, 2) the group, 3) everyone else.

@rachitrawat's investigation into the failures showed that the issue was relating to the persist partition, specifically some files dhob.bin etc that are under the rfs sub folder in this partition. Under stock, these files/folders are owned by a user called rfs, and have group ownership under a group also called rfs. Additionally, the permissions on these files/folders are limited - only the rfs user can read/write/execute these files. Other users, groups, or everyone else, cannot access the files.

There was a change in the Oreo roms. If you flash and boot into an Oreo rom, and you look at the permissions/ownership, you will see that a user and group oem_2951 owns the rfs folder, and a group oem_2952 owns the hlos_rfs folder. Now this is a different name, but on its own, a different name does not mean different ownership.

In Linux, all users and groups are assigned an ID, i.e. a number. So something happened in lineage that changed the user IDs that are applied to the rfs folder.

If you look at the ownership of persist files/folders within TWRP, you will see that a STOCK PERSIST has the owner of the rfs folder as rfs_old. Similarly in TWRP, a LINEAGE PERSIST has the owner of the rfs folder as rfs. So TWRP is seeing owners differently again to stock and Lineage. Trying to run the above commands in TWRP will not fix the issue, as it will use ID 2951 for the user rfs, but we need it to be 3012 in stock (which TWRP sees as rfs_old).

In addition to the rfs folder, there is also another folder that is impacted - hlos_rfs. Its user owner is rfs, but its group owner if rfs_shared. A stock rfs_shared is shown as rfs_shared_o in TWRP. It appears that this folder is not as important in getting the IMEI back, but I have included the commands to restore ownership, to ensure there are no future errors.

4b) What happened to IMEI.

Despite the issue above, many people who flashed Oreo roms would have had no problems (other than I guess, bugs in the roms themselves). The change of ownership of the rfs folder didn't change the actual file content, so essentially all is intact. In fact, I verified that my dhob.bin and other files had the same md5sum in stock and lineage persist.

The issue of the IMEI changing to zero has only happened when people have flashed Stock roms. All of the guides that I have seen, have included the following commands (and equivalent commands have been included in the TWRP flashable stock builds as well):
Code:
fastboot erase modemst1
fastboot erase modemst2
The partitions modemst1 and modemst2 are your EFS. Normally, if your persist is pure stock, if either is erased, the modem re-creates them. But, referring to the above about permissions, if the rfs user (which is presumably used by the modem) cannot access the files (because the owner of the files is someone else, and the permissions on the files mean that only the owner can access them), then the modem cannot recreate the EFS, and the IMEI is left as zero.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------​

Solution:

I have made a youtube video for this which just shows how to fix the issue and does not goes into explanation of the problem as well as the solution. Here is the link: Moto G4/G4 Plus IMEI=0 fix

Pre-requisites:
  • You must be on Stock Nougat 7.0
  • You must be rooted (install Elemental-X kernel first and then flash Magisk otherwise you will have boot issues)
  • You must be on your own persist
  • Terminal app or adb drivers in PC/Laptop

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------​

Step 1: Check if there is a problem with persist

Note: The below commands are to be typed in a terminal app or adb shell.
Q) How to type in adb shell?
A) Open command prompt in the folder where you have adb and fastboot installed and type:

Code:
adb shell
So lets start now!

Code:
su
This command it to get root access for the terminal/shell. Grant the root access and you will see that the $ symbol is replaced with # symbol which means that root access has been granted.

Code:
ls -l /persist
If your presist has some problem, then you can see the following as the output.
Code:
athene_f:/ # ls -l /persist
total 176
drwxrwx--- 2 system    system    4096 2018-10-21 07:40 alarm
drwxr-xr-x 2 mot_pwric mot_pwric 4096 1969-12-31 19:02 batt_health
drwxrwx--- 2 bluetooth bluetooth 4096 2017-01-12 03:35 bluetooth
drwxr-xr-x 2 mot_tcmd  bluetooth 4096 1969-12-31 19:02 bt
drwxr-xr-x 4 mot_tcmd  mot_tcmd  4096 1969-12-31 19:02 camera
drwxr-xr-x 2 root      root      4096 2016-07-31 00:43 coresight
drwx------ 5 system    system    4096 2017-01-12 05:21 data
drwxrwx--- 2 system    graphics  4096 1969-12-31 19:02 display
drwxrwx--- 2 system    system    4096 1969-12-31 19:02 drm
drwxr-xr-x 4 mot_tcmd  mot_tcmd  4096 1970-01-01 06:48 factory
[COLOR="red"]drwxrwx--- 3 2951      2952      4096 1969-12-31 19:02 hlos_rfs[/COLOR]
drwx------ 2 root      root      4096 1969-12-31 19:00 lost+found
drwxrwx--- 2 radio     radio     4096 2016-08-04 20:26 mdm
drwxrwx--- 3 system    system    4096 2017-11-09 16:30 misc
drwxrwx--- 2 system    system    4096 1970-02-11 17:39 properties
drwxr-xr-x 8 mot_tcmd  mot_tcmd  4096 1969-12-31 19:02 public
[COLOR="red"]drwx------ 6 2951      2951      4096 1969-12-31 19:02 rfs[/COLOR]
drwxrws--- 2 mot_tpapi mot_tpapi 4096 2016-11-17 16:38 security
drwxrwxr-x 2 system    system    4096 2016-07-31 00:43 sensors
drwxrwx--- 2 system    system    4096 2018-09-10 18:13 time
drwxr-xr-x 2 mot_tcmd  mot_tcmd  4096 1969-12-31 19:02 wifi
drwxrwxr-x 2 mot_drm   mot_drm   4096 1969-12-31 19:02 wmdrm
athene_f:/ #
You can see system instead of these red number if you flash Soak Test before flashing Stock ROM, so no worries, as the process will remain the same.

As it can be seen in the red part, the owner of rfs folder is a number (2951) which means that the system is unable to identify its real owner.
Also the owner of hlos_rfs folder is a number too (2952) which also means that the system is unable to identity its real owner.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------​

Step 2: Check for the key persist files
Code:
find /persist -type f
If you run the above command, you will see something similar to this:
Code:
athene_f:/ # find /persist -type f
/persist/coresight/qdss.agent.sh
/persist/coresight/qdss.config.sh
/persist/coresight/qdss.functions.sh
/persist/sensors/sensors_settings
/persist/data/sfs/6lgxCka66cxdsueYeHhCqx+j1DI_
/persist/data/sfs/VsxbuQew8Rbt0TRZjDAX8S9tV+M_
/persist/data/sfs/KfLHQpS5zKuygZcMelQOTtWzBvw_
/persist/data/sfs/R9+zCYj56-AHybZuQCWLm2H46E4_
/persist/data/sfs/NjJIuGH0j7kE08PFwp1yw+BminY_
/persist/data/sfs/7pU6SoXdsBUbDsxRiZOHNIjPVtw_
/persist/data/sfs/yLawqeQeY8AQGJmo46PVJbfYVxY_
/persist/data/tz/tz_counter
/persist/data/tz/tz_counter.bak
/persist/data/app_g/wv_usage
/persist/camera/focus/offset_cal
/persist/camera/ledcal/rear
/persist/factory/audio/temp
/persist/factory/audio/cnt
/persist/factory/audio/acc
/persist/factory/audio/f0
/persist/factory/audio/ref_diff
/persist/factory/fti
/persist/public/hiddenmenu/data/mobile_data_rx
/persist/public/hiddenmenu/data/mobile_data_tx
/persist/public/hiddenmenu/data/wifi_data_rx
/persist/public/hiddenmenu/data/wifi_data_tx
/persist/public/hiddenmenu/data/factoryreset_time
/persist/public/hiddenmenu/data/activation_date
/persist/public/hiddenmenu/life_calls
/persist/public/hiddenmenu/life_timer
/persist/security/18.bin
/persist/mdm/oma_dm_update
/persist/.bt_nv.bin
/persist/rfs/shared/server_info.txt
/persist/rfs/msm/mpss/datablock/id_00
/persist/rfs/msm/mpss/datablock/id_01
/persist/rfs/msm/mpss/server_check.txt
[COLOR="Red"]/persist/rfs/msm/mpss/dhob.bin
/persist/rfs/msm/mpss/shob.bin[/COLOR]
[COLOR="Green"]/persist/rfs/msm/mpss/dhob.bin.bak[/COLOR]
/persist/rfs/msm/adsp/server_check.txt
/persist/bluetooth/.bt_nv.bin
/persist/time/ats_1
/persist/time/ats_2
/persist/time/ats_12
/persist/time/ats_13
/persist/time/ats_15
/persist/time/ats_16
/persist/.twrps
athene_f:/ #
Note: The key files here are dhob.bin, shob.bin, id_00 and id_01.
Your IMEI is stored in id_00 (first IMEI) and id_01 (second IMEI)
dhob.bin and shob.bin are responsible to create the EFS partition.


Note: If you do not have dhob.bin.bak, you will still be able to get your IMEI back (tested and confirmed working on Moto G4 Plus(athene)), however if you have some other device like Moto G5 Plus(potter) or Moto G5s Plus(sanders), you cannot get your IMEI back with this method however trying won't hurt.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------​

Step 3: Fix the your persist

For this step, there is also a TWRP flashable zip file which will fix the persist. So for those who do not want to type the commands manually, you can simply flash the zip file (Tested and working).
Downloads:
Link: https://www.androidfilehost.com/?fid=11410963190603873125
md5: 5aac75092fc84f46dd5c6bd443df0748


These commands will restore the owners of rfs and hlos_rfs folder back to their respective original owners (rfs and rfs_shared):
Code:
chown -R rfs:rfs /persist/rfs
chown -R rfs:rfs_shared /persist/hlos_rfs
Alternatively, you can also type:
Code:
chown -R 3012:3012 /persist/rfs
chown -R 3012:3013 /persist/hlos_rfs
You will see no output on typing the first command, however, you may or may not see any output after typing the second command (there was an output shown on my device but not on the other tested devices). I'm sorry I don't have that output stored, if someone who can see it, please repond so the thread can be updated.

3012 is infact the id for rfs folder and 3013 is the id for hlos_rfs folder so instead of typing their names, you can also type their ids.

Now, to check if the owners of rfs and hlos_rfs have been set back to their original ones, type this command:
Code:
ls -l /persist
If everything went fine, you should be able to see the following output:
The below output will be seen on a perfectly fine persist as well
Code:
athene_f:/ # ls -l /persist
total 176
drwxrwx--- 2 system    system     4096 2018-10-21 07:40 alarm
drwxr-xr-x 2 mot_pwric mot_pwric  4096 1969-12-31 19:02 batt_health
drwxrwx--- 2 bluetooth bluetooth  4096 2017-01-12 03:35 bluetooth
drwxr-xr-x 2 mot_tcmd  bluetooth  4096 1969-12-31 19:02 bt
drwxr-xr-x 4 mot_tcmd  mot_tcmd   4096 1969-12-31 19:02 camera
drwxr-xr-x 2 root      root       4096 2016-07-31 00:43 coresight
drwx------ 5 system    system     4096 2017-01-12 05:21 data
drwxrwx--- 2 system    graphics   4096 1969-12-31 19:02 display
drwxrwx--- 2 system    system     4096 1969-12-31 19:02 drm
drwxr-xr-x 4 mot_tcmd  mot_tcmd   4096 1970-01-01 06:48 factory
[COLOR="red"]drwxrwx--- 3 rfs       rfs_shared 4096 1969-12-31 19:02 hlos_rfs[/COLOR]
drwx------ 2 root      root       4096 1969-12-31 19:00 lost+found
drwxrwx--- 2 radio     radio      4096 2016-08-04 20:26 mdm
drwxrwx--- 3 system    system     4096 2017-11-09 16:30 misc
drwxrwx--- 2 system    system     4096 1970-02-11 17:39 properties
drwxr-xr-x 8 mot_tcmd  mot_tcmd   4096 1969-12-31 19:02 public
[COLOR="red"]drwx------ 6 rfs       rfs        4096 1969-12-31 19:02 rfs[/COLOR]
drwxrws--- 2 mot_tpapi mot_tpapi  4096 2016-11-17 16:38 security
drwxrwxr-x 2 system    system     4096 2016-07-31 00:43 sensors
drwxrwx--- 2 system    system     4096 2018-09-10 18:13 time
drwxr-xr-x 2 mot_tcmd  mot_tcmd   4096 1969-12-31 19:02 wifi
drwxrwxr-x 2 mot_drm   mot_drm    4096 1969-12-31 19:02 wmdrm
athene_f:/ #
As you can see here that the owner of rfs folder is rfs folder and the owner of hlos_rfs folder is rfs_shared folder, the problem has been resovled.

Reboot your device and the problem should be fixed and you will be able (hopefully) to get your IMEI back by either typing *#06# in phone dialer or in Settings>About Phone>Status>IMEI Information.
On rebooting, the system will check for the EFS folder and since it didn't exist earlier, it will be recreated by the system and therefore you will get your IMEI back.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------​

A huge thanx to NZedPred, rachitrawat, for doing in depth research in this problem and coming up with a solultion.
Also, I would like to thank Tyrantre who did a lot of research for this problem and has posted the workaround which was tried here in this thread here: Diag Mode with G4 for QPSD? which finally lead me to NZedPred's below thread as I could understand what was the problem due to which IMEI was set to 0 and why Diag mode wouldn't work.


Note: This thread was made with the help of the following guide which is confirmed to be working on Moto G5 Plus (potter) Fix Persist, resolve IMEI=0, Volte, 4G, Explanation, Requirements.

Note: This guide is made for G4/Plus and I have hardly done anything to fix this problem apart from making this thread, so all credits go to the respective owners who did research in this problem. This guide should work on other Motorola devices too as we aren't focusing on device-specific fixes that will only work on Moto G4 Plus.

Refer post #2 for fixing other issues faced after recovering IMEI.
 
Last edited:

HeethJain21

New member
Mar 10, 2015
454
205
0
Mumbai
Some Common Issues:

Here are the issues observed after recovering IMEI:
  • Sim card detected but no network
  • Baseband version changed
  • Volte not working

If you have any one of the above-mentioned problems, there is a specific thread made for those problems. Refer to this thread: [Guide] [XT16XX] [Solve] G4+ Baseband/Network/Volte issue, Lost 1 IMEI & fingerprint
Please discuss any issues related to the above-mentioned problems in the above-provided thread (link).

If you have any other issues apart from the issues mentioned above, discuss them here.

--------------------------------------------------------------------------​

Complete Backup Zip/Script (All partitions):

Now since you have faced this issue, make sure to take a complete backup of all the partitions so that if you ever face an issue like this in future, you will always have your partitions with you to restore your device.

Here is the link to the thread to take complete backup of all partitions: [Guide] [XT16XX] Moto G4/Plus Complete Partition Backup/Restore Zip/Script

The above thread can backup/restore using TWRP flashable zip files for convenience.
 
Last edited:

HeethJain21

New member
Mar 10, 2015
454
205
0
Mumbai
There are a few youtube videos and internet guides which tells you to restore somebody else's persist file. That persist file is same in the Youtube video as well as those Internet guide (I have checked them).

Persist is unique to each and every device and using somebody else's persist on your device will never work.

IMEI is stored in /persist/rfs/msm/mpss/datablock directory where there are two files named as id_00 and id_01.
id_00 contains your 1st IMEI and id_01 contains your second IMEI.

The persist (from those guide and youtube videos) lacks id_00 and id_01 and since you restored that persist, you have those files missing as well. Those files are unique to every device anyways so if you try to restore a persist which has those files, it won't work too as your device's IMEI is different altogether.

The only possible fix that comes to my mind is by manually editing the persist file.

On comparing both the files in a hex editor, it is found that both of them are completely same except from memory address/location 00000028 to 000000C7.
This makes me think that IMEI is stored between those memory locations.
Furthermore, the first 14 digits of IMEI are stored from 00000028 to 0000002F in a different manner.
This is how it is stored,

Lets take a sample random IMEI: 3 12 34 56 78 90 12 34
This will be stored as following: 3A 21 43 65 87 09 21 03

Code:
 3A [COLOR="Black"]21[/COLOR] [COLOR="DarkRed"]43[/COLOR] [COLOR="Red"]65[/COLOR] [COLOR="Magenta"]87[/COLOR] [COLOR="Sienna"]09[/COLOR] [COLOR="DarkOrange"]21[/COLOR] [COLOR="DarkOliveGreen"]03[/COLOR]
  3 [COLOR="black"]12[/COLOR] [COLOR="darkred"]34[/COLOR] [COLOR="red"]56[/COLOR] [COLOR="magenta"]78[/COLOR] [COLOR="sienna"]90[/COLOR] [COLOR="darkorange"]12[/COLOR] [COLOR="darkolivegreen"]34[/COLOR]
The first set of hex numbers is what is stored in id_00 and id_01
The second set of hex numbers is what the actual IMEI is.

As you can clearly notice the difference via colors that the digits are getting flipped. The persist is storing the last digit 4 in some different way.

Why is there a letter A in the start just after 3, I found that it means that the last digit of IMEI stored in persist is 0. And that makes sense to as when you flip the last two digits i.e 03, you indeed get 30 which indicates the last digit is 0.

I don't think I need to mention this, but if you have a dual sim device, the first thirteen digits of IMEI are same and only the last two digits are different.

Now, this makes me conclude that the last digit of actual IMEI is stored in some way in the rest of the id_00 and id_01. And since most of the content in both the files are same, we just have to compare the part which is different as that part has that last digit of the two IMEIs stored.

I can't upload the contents of my IMEI for obvious reasons. If we are able to find the pattern in which the last digit is stored inside those files, then I think we can edit them and it should solve the problem for those people. Of course, editing and putting on somebody else's IMEI in those files wouldn't work either as we have already tried replacing the entire id_00 and id_01 (infact entire working persist) but the IMEI still remains 0.

Perhaps there is someplace (not talking about fastboot imei) where IMEI is stored as well, and while generation of EFS, that place and the persist are checked together and if the IMEIs in both the places match, you get your IMEI and if not, then it knows that IMEI has tampered and hence it doesn't work.

This might be too dangerous as people could edit their IMEI and put on somebody else's IMEI and can create problems, but as I mentioned above, it doesn't work as you will need to have your own IMEI in persist.


Update: Thanx to @NZedPred for correcting me. Even on deleting id_00 and id_01, and then eraseing EFS, we still get our IMEI.
I also tried changing the first digit of dhob.bin file while keeping id_00 and if_01 intact and then erased EFS, but didn't get my IMEI.
So, dhob.bin is the one which is responsible for IMEI creation and I am not able to understand anything inside dhob.bin.

I am sorry, but I was already trying beyond my capabilities earlier by using many internet sources as reference and it was just by chance that I stumbled upon id_00 and id_01. I am going to stop here for now, as this stuff goes beyond my current capabilities. If I ever get to know anything, I will update it here so that if anybody else would like to continue, they could do it.

I am sorry I tag you here, @echo92, @strongst, @NZedPred, @rachitrawat. This is what I was able to find out. I request you to read this post, and please help if you can. Thank You.
 
Last edited:

HeethJain21

New member
Mar 10, 2015
454
205
0
Mumbai
If you run the ls -l /persist command on android P ROM (which is causing this IMEI issue), this is the output you get:
Code:
athene:/ # ls -l /persist
total 88
drwxrwx--- 2 system           system            4096 1970-01-10 08:37 alarm
drwxr-xr-x 2 vendor_mot_pwric vendor_mot_pwric  4096 1970-01-01 01:01 batt_health
drwxrwx--- 2 bluetooth        bluetooth         4096 2018-03-29 00:04 bluetooth
drwxr-xr-x 2 vendor_mot_tcmd  bluetooth         4096 1970-01-01 01:01 bt
drwxr-xr-x 4 vendor_mot_tcmd  vendor_mot_tcmd   4096 2018-03-29 00:04 camera
drwxr-xr-x 2 root             root              4096 2018-03-29 00:04 coresight
drwx------ 5 system           system            4096 2018-03-29 00:04 data
drwxrwx--- 2 system           graphics          4096 1970-01-01 01:01 display
drwxrwx--- 2 system           system            4096 1970-01-01 01:01 drm
drwxr-xr-x 4 vendor_mot_tcmd  vendor_mot_tcmd   4096 2018-03-29 00:04 factory
[COLOR="red"]drwxrwx--- 3 vendor_rfs       vendor_rfs_shared 4096 2018-03-29 00:04 hlos_rfs[/COLOR]
drwxrwx--- 2 root             root              4096 2018-03-29 00:04 lost+found
drwxrwx--- 2 radio            radio             4096 2018-03-29 00:04 mdm
drwxrwx--- 3 system           system            4096 2018-03-29 00:04 misc
drwxrwx--- 2 system           system            4096 1970-05-31 18:25 properties
drwxr-xr-x 8 vendor_mot_tcmd  vendor_mot_tcmd   4096 2018-03-29 00:04 public
[COLOR="Red"]drwx------ 6 vendor_rfs       vendor_rfs        4096 2018-03-29 00:04 rfs[/COLOR]
drwxrws--- 2 vendor_mot_tpapi vendor_mot_tpapi  4096 2018-03-29 00:04 security
drwxrwxr-x 2 system           system            4096 2018-03-29 00:04 sensors
drwxrwx--- 2 system           system            4096 2018-03-29 00:04 time
drwxr-xr-x 2 vendor_mot_tcmd  vendor_mot_tcmd   4096 1970-01-01 01:01 wifi
drwxrwxr-x 2 vendor_mot_drm   vendor_mot_drm    4096 1970-01-01 01:01 wmdrm
Notice how, android Pie is using vendor suffix prefix.
One fix that was thought was to fix the owners in android Pie ROM itself before flashing Stock ROM, but on rebooting, the owners were changed back to vendor_rfs and vendor_rfs_shared.

Also, if you flash an Oreo ROM after flashing Pie ROM (which broke IMEI), this is the output you get:
Code:
athene_f:/ # ls -l /persist
total 176
drwxrwx--- 2 system    system     4096 2018-10-21 07:40 alarm
drwxr-xr-x 2 mot_pwric mot_pwric  4096 1969-12-31 19:02 batt_health
drwxrwx--- 2 bluetooth bluetooth  4096 2017-01-12 03:35 bluetooth
drwxr-xr-x 2 mot_tcmd  bluetooth  4096 1969-12-31 19:02 bt
drwxr-xr-x 4 mot_tcmd  mot_tcmd   4096 1969-12-31 19:02 camera
drwxr-xr-x 2 root      root       4096 2016-07-31 00:43 coresight
drwx------ 5 system    system     4096 2017-01-12 05:21 data
drwxrwx--- 2 system    graphics   4096 1969-12-31 19:02 display
drwxrwx--- 2 system    system     4096 1969-12-31 19:02 drm
drwxr-xr-x 4 mot_tcmd  mot_tcmd   4096 1970-01-01 06:48 factory
[COLOR="red"]drwxrwx--- 3 root      root       4096 2018-03-29 00:04 hlos_rfs[/COLOR]
drwx------ 2 root      root       4096 1969-12-31 19:00 lost+found
drwxrwx--- 2 radio     radio      4096 2016-08-04 20:26 mdm
drwxrwx--- 3 system    system     4096 2017-11-09 16:30 misc
drwxrwx--- 2 system    system     4096 1970-02-11 17:39 properties
drwxr-xr-x 8 mot_tcmd  mot_tcmd   4096 1969-12-31 19:02 public
[COLOR="red"]drwx------ 6 root      root       4096 2018-03-29 00:04 rfs[/COLOR]
drwxrws--- 2 mot_tpapi mot_tpapi  4096 2016-11-17 16:38 security
drwxrwxr-x 2 system    system     4096 2016-07-31 00:43 sensors
drwxrwx--- 2 system    system     4096 2018-09-10 18:13 time
drwxr-xr-x 2 mot_tcmd  mot_tcmd   4096 1969-12-31 19:02 wifi
drwxrwxr-x 2 mot_drm   mot_drm    4096 1969-12-31 19:02 wmdrm
athene_f:/ #
Here are some of the points that can throw some light on the topic:

Hey all,
After spending hours on the IMEI 0 problem, here are my findings:

1. IMEI is stored in nv 550 variable in QCN. However, this variable is write protected. This means all IMEI write programs such as QCOM Write IMEI tool will fail.
2. Interestingly, only IMEI 1 is stored in the nv. IMEI 2 is derived by performing some fixed hex arithmetic on IMEI 1.
3. IMEI also seems encrypted since the nv 550 in QCN never has a correct hex notation of IMEI. For example, Only half of the IMEI is correct.
4. Any attempt to restore the QCN backup of someone else will successfully write all nv variables except nv 550. Means you cannot rewrite your factory IMEI.
5. The above is true even if you hexedit the QCN with your own IMEI. NV 550 is write protected.
6. modemst1 and modemst2 are sort of some baseband cache which are created by radio/bootloader using fsg. fsg seems to be some sort of backup partition for modemst.
7. After downgrading and erasing modemst1-2, these modemst are not recreated successfully by the modem. The nv 550 variable goes missing.
8. My guess is that modem has some checksum mechanism wherein if any discrepancy is found, the modemst cache recreation fails. Not sure.
9. Our IMEI is most likely intact somewhere (not talking about fastboot IMEI). Just not interpreted properly.
10. People who restored their efs after IMEI 0 are essentially restoring working cached modemst1-2. However, if fastboot erase modemst is done, it'll likely result in IMEI 0 again because modem cannot recreate modemst correctly.
 
Last edited:

Parth A.

New member
Oct 27, 2018
1
0
0
Thanks alot!!!
My friend was having the same problem, it worked for him?✌?
Edit: Volte is still not working in the device...
 
Last edited:

checksamir

New member
Dec 15, 2016
186
53
0
@Heeth21,

I am facing this issue after moving to stock. Getting IMEI on "fastboot getvar imei", however unable to restore it. I followed all the instructions you had shared. Any help or further instruction in this regard would be helpful.

Thanks in advance.
 
  • Like
Reactions: Pistero07

HeethJain21

New member
Mar 10, 2015
454
205
0
Mumbai
@Heeth21,

I am facing this issue after moving to stock. Getting IMEI on "fastboot getvar imei", however unable to restore it. I followed all the instructions you had shared. Any help or further instruction in this regard would be helpful.

Thanks in advance.
Can you post the output of this command in terminal?
Code:
su
ls -l /persist
Also of this command too:
Code:
su
find /persist -type f
If would be beneficial if you format it in code or you might just attach the output in a txt file.

Also can you tell me your baseband version. I think as far as I have observed, those who are getting this IMEI=0 issue, their basebands are ending with "u"
 
Last edited:

checksamir

New member
Dec 15, 2016
186
53
0
Can you post the output of this command in terminal?
Code:
su
ls -l /persist
Also of this command too:
Code:
su
find /persist -type f
If would be beneficial if you format it in code or you might just attach the output in a txt file.

Also can you tell me your baseband version. I think as far as I have observed, those who are getting this IMEI=0 issue, their basebands are ending with "u"

@Heeth21,

THanks for the quick response. Please find the attached output files in text and screenshot for baseband..
 

Attachments

  • Like
Reactions: Heeth21

checksamir

New member
Dec 15, 2016
186
53
0
The files seems proper.
Type these commands again and attach the output. A screenshot would help a lot.
Code:
su
chown -R rfs:rfs /persist/rfs
chown -R rfs:rfs_shared /persist/hlos_rfs
ls -l /persist
I had to try it twice: after executing code /persists/rfs, some file or path or folder was missing and it started something which eventually closed before I could take a screenshot. Next time I tried, there was nothing as such. Second screenshot attached for reference.

Really appreciated your quick responses.. :)
 

Attachments

Oliver1995

New member
Aug 5, 2017
30
6
0
Nao deu certo comigo, me ajuda por favor.

Hello, I'm sorry for bad English, I'm Brazilian. I'm translating through google translator.

I am with the same problem of this post, after flashing the stock rom the imei got 0, I did the procedures of this post but it did not work with me, my imei appears correctly with the command (fastboot gevtar imei)

but in command: (ls -l / persist) does not appear the number 2951 or 2952, but the name rfs, as if everything was okay (but the imei continues 0)


and in the command: (find / persist -type f) the line does not appear (/persist/rfs/msm/mpss/dhob.bin.bak)


I finally executed the commands (chown -R rfs: rfs / persist / rfs and
chown -R rfs: rfs_shared / persist / hlos_rfs) and restarted the cell phone but the imei continued 0 :(

the version of the base band is m8952_70030.25.03.62.02a

Is there any procedure I can try? I'll be very grateful.

---------- Post added at 01:53 AM ---------- Previous post was at 01:47 AM ----------

Hello, I'm sorry for bad English, I'm Brazilian. I'm translating through google translator.

I am with the same problem of this post, after flashing the stock rom the imei got 0, I did the procedures of this post but it did not work with me, my imei appears correctly with the command (fastboot gevtar imei)

but in command: (ls -l / persist) does not appear the number 2951 or 2952, but the name rfs, as if everything was okay (but the imei continues 0)

and in the command: (find / persist -type f) the line does not appear (/persist/rfs/msm/mpss/dhob.bin.bak)

I finally executed the commands (chown -R rfs: rfs / persist / rfs and
chown -R rfs: rfs_shared / persist / hlos_rfs) and restarted the cell phone but the imei continued 0 :(

the version of the base band is m8952_70030.25.03.62.02a

I'll try to send prints.

Is there any procedure I can try? I'll be very grateful.
 

HeethJain21

New member
Mar 10, 2015
454
205
0
Mumbai
but in command: (ls -l / persist) does not appear the number 2951 or 2952, but the name rfs, as if everything was okay (but the imei continues 0)

and in the command: (find / persist -type f) the line does not appear (/persist/rfs/msm/mpss/dhob.bin.bak)

I finally executed the commands (chown -R rfs: rfs / persist / rfs and
chown -R rfs: rfs_shared / persist / hlos_rfs) and restarted the cell phone but the imei continued 0 :(
The chown command won't do anything as the owners of the partitions are already rfs and rfs_shared.

Reflash stock rom again, and check if you get to see 2951 or 2952 on executing the command "ls -l /persist", and respond.

If you still don't get to see 2951 and 2952, then it seems you have tried doing some changes to your efs/persist partition by either restoring someone else's efs/persist or tried to edit yours.
 

BogartX

New member
Sep 4, 2018
6
1
0
what should I understand:It means that some custom roms erase imei while going back to stock,it can be recovered but volte cant:(
Is it right?
 

HeethJain21

New member
Mar 10, 2015
454
205
0
Mumbai
what should I understand:It means that some custom roms erase imei while going back to stock,it can be recovered but volte cant:(
Is it right?
Partially right. Some custom ROMs do some changes with the EFS folder which is responsible for the recreation of IMEI. However, while flashing the Stock ROM, if you do not erase EFS partition, then you will retain your IMEI.

The commands which erase EFS partitions are:
Code:
fastboot erase modemst1
fastboot erase modemst2
The modemst1 and modemst2 are indeed the EFS partition itself. So just skip the above lines while flashing Stock ROM if the custom ROM is doing some changes with the EFS partition, and you will not lose your IMEI.

Volte can be recovered but there is a condition which should be satisfied. The baseband should remain as Indian. If it does, then you will be having Volte working and if it doesn't, you won't be having Volte running.

The only ROMs which are causing this issue on our device currently are Android Pie ROMs. I hope when Official Oreo is released for our device, the new blobs and modem will solve this issue. The developers have already checked if there is something in the ROMs which is causing this issue, and they found no problems at all. Same was the case with Oreo ROMs on Moto G5/Plus and Moto G5s/Plus
 
Last edited:

Oliver1995

New member
Aug 5, 2017
30
6
0
The chown command won't do anything as the owners of the partitions are already rfs and rfs_shared.

Reflash stock rom again, and check if you get to see 2951 or 2952 on executing the command "ls -l /persist", and respond.

If you still don't get to see 2951 and 2952, then it seems you have tried doing some changes to your efs/persist partition by either restoring someone else's efs/persist or tried to edit yours.
yes actually I tried to restore the persistence of another person by a tutorial on youtube (I do not know if I can post the link here) and also did this tutorial to restore these files modem.img, fsg.img, hw.img: https://forum.xda-developers.com/moto-g4-plus/how-to/solve-moto-g4-plus-one-imei-fp-sensor-t3800410

already tried to reinstall the stock rom but does not appear the numbers 2951 or 2952 :(

Do not have any solution for this?
 
  • Like
Reactions: Pistero07

HeethJain21

New member
Mar 10, 2015
454
205
0
Mumbai
yes actually I tried to restore the persistence of another person by a tutorial on youtube (I do not know if I can post the link here) and also did this tutorial to restore these files modem.img, fsg.img, hw.img: https://forum.xda-developers.com/moto-g4-plus/how-to/solve-moto-g4-plus-one-imei-fp-sensor-t3800410

already tried to reinstall the stock rom but does not appear the numbers 2951 or 2952 :(

Do not have any solution for this?
Restore your original persist back. I have seen that tutorial. This issue can only be solved if you are on your own persist as every device has its unique persist.

It doesn't matter if you tried restoring modem, hw, fsg files. Just make sure you are on your own persist.

If you haven't taken a backup of your original unmodified persist, then I'm sorry that is a completely different issue which I don't think there is a soluton to.
 
Last edited:

HeethJain21

New member
Mar 10, 2015
454
205
0
Mumbai
This helped me alot,Thanks
In my case both sim are working,with no volte
But jio 4g voice or dialer app with data on is not working
I was hoping if you could atatch your build.prop so that we can compare and check for Volte solution.

You need to grant permissions to Jio4GVoice, enable mobile data (wifi should be off), and dial via Jio4GVoice. Check if this works (it should), and then you will have an ongoing activity notification for Jio4GVoice app
 
Our Apps
Get our official app! (coming soon)
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone