[INFO] Moto G IMEI=0

[bludotos]

Unfortunately I knew all this was going to see if I can decompile the nonhob.bin file. (A look at it shows it does some interesting things. Maybe modify it to flash a backed hob or something?).



Sent from my XT1032 using XDA Free mobile app

 

[skyguy126]

Can we modify momdest to mount hob and dhob on boot. Or even make it so that once it has write access make it write the imei. Can someone please tell me how to unpack/decomplie momdest and motoboot. I am using my moto g as a test bench so I am pretty willing to do these things.

Update:

 

[rootr]

Can we modify momdest to mount hob and dhob on boot. Or even make it so that once it has write access make it write the imei. Can someone please tell me how to unpack/decomplie momdest and motoboot. I am using my moto g as a test bench so I am pretty willing to do these things.

Update: (Deleted what I posted because I think its illegal ) But decomplie NON-HLOS.bin and take a look at modem.b26 and modem.b21

The thing is these partitions are unmountable as they have no file system. Now trying to open with binary reader and figuring out stuff is too pro and nightmare for me. So another dead end here. Sorry but there is no way around here except to get your board replaced. :/

 

[skyguy126]

We should ask pro devs for help like the guys at cyanogen or the people who make sunshine...

 

[rootr]

It's unlikely that they will spent considerable amount of time on this as it is very rare case and definitely not an easy one.

Sent from my XT1033 using XDA Free mobile app

 

[skyguy126]

I'm looking to JTAG my phone for a NAND dump. Any idea where I can do this?

 

[bludotos]

A lot of info in NON-HLOS.bin. I'm close to decompiling it. It does unlock the phone for us to modify it. Possibly reflash the hob and dhob partitions. If I can decompile it, I can compile it back. Its in C by the way.

Sent from my XT1032 using XDA Free mobile app

 

[skyguy126]

A lot of info in NON-HLOS.bin. I'm close to decompiling it. It does unlock the phone for us to modify it. Possibly reflash the hob and dhob partitions. If I can decompile it, I can compile it back. Its in C by the way.

Sent from my XT1032 using XDA Free mobile app

I just used a ext4 Unpacker and used HxD. But you seem really far ahead to helping us.
Cheers!

Edit: Do you mind sharing how you decompiled it?

 

[bludotos]

I didn't decompile yet (not enough time and finals week) but I know enough about it to decompile it. Its an elf 32 bit executable and in C. I work all day today and have a final tomorrow. I'll decompile it this weekend.

Sent from my XT1032 using XDA Free mobile app

 

[NextGenGTR]

I had a problem before when my imei was 0 and my sim wasnt connecting to any network, i fixed it by flashing again a different build, i think i flashed a retail one which messed my imei till i flashed a three network which fixed it.

 

[skyguy126]

Hello. If "fastboot erase all" messed up your imei then there is no way to get it back. Trust me i have spent a considerable time to retrieve it back. First all as i have mentioned earlier and with lost101, we agreed on the following:

1. fastboot erase all deletes IMEI
2. The following partitions are erased with above command: hob,dhob,fsc,modemst1,modemst2,fsg
3. fsg,modemst1,modemst2 are restored when flashing stock rom but not hob,dhob,fsc which implies IMEI is stored in one of those.
4. modem requests for read/write permission to dhob and hob on bootup further strengthening theory.
5. These partitions do not get mounted on bootup only in fastboot. So unless you have custom bootloader that can access these partitions in boot mode, there is probably no way to get IMEI back.

But, if you messed up your radio and your IMEI is "Unknown", then there is very much chance to get back your IMEI. Just flash compatible radio. This case happens mostly when flashing cyanogens or other custom firmwares. As you can read on other posts people flashed their stock back and hence their IMEI is restored which actually was never erased and was there the whole time.

Lastly, trying to write IMEI with NV writing method such as DFS or any other tool will not bring back IMEI as it doesnt really write anything. IMO NV_550 variable which holds IMEI in most devices is useless in MotoG as i checked with DFS, it gave error unknown variable meaning MOTO G does not support it.

Hope that helps.

While we are waiting for the decompile to happen I might be able to help a bit. You mentioned there is an nv variable that holds the imei correct? There are several nv variable names in the momdest binary. I could list them in this thread and you could try and write to the different variable names. Can't hurt to try since you already lost your imei...

 

[rootr]

I would surely have helped you but I already changed my motherboard. :/ Didn't have any option, I had to get my sim working. But please share your work as it can help others

Sent from my XT1033 using XDA Free mobile app

 

[skyguy126]

I would surely have helped you but I already changed my motherboard. :/ Didn't have any option, I had to get my sim working. But please share your work as it can help others

Sent from my XT1033 using XDA Free mobile app

I definitely will, I found some more information while examining the binary. There is a mode called "trusted boot" where all partitions are accessible and writeable. There might be a way to put your phone into trusted boot, but for that I need to examine motoboot.img The ext4 unpacker does not work on this file and nor do any iso extractors. Does anyone know how I can extract/decompile motoboot.img?

 

[rootr]

How do u know that with trusted boot all partitions are writeable?

Sent from my XT1033 using XDA Free mobile app

 

[skyguy126]

I said maybe because the bits and pieces of code I could read meant that all partitions are fully mounted. I found really weird things in the bootloader, gonna try and translate the information for you guys.

There are many things talking about a RAM DUMP and how to properly do it...

Let me post some screenshots... Might have found something huge!

There is a hidden command to pull partitions: fastboot oem ramdump enable
then fastboot oem ramdump pull

Unfortunately it's restricted and I'm trying to find out how to enable it!

EDIT: There are a load of hidden fastboot oem commands but they are all restricted.


Done for today, gonna do some more work this weekend. Anyone else feel free to help me.

 

[skyguy126]

I said maybe because the bits and pieces of code I could read meant that all partitions are fully mounted. I found really weird things in the bootloader, gonna try and translate the information for you guys.

There are many things talking about a RAM DUMP and how to properly do it...

Let me post some screenshots... Might have found something huge!

There is a hidden command to pull partitions: fastboot oem ramdump enable
then fastboot oem ramdump pull

Unfortunately it's restricted and I'm trying to find out how to enable it!

EDIT: There are a load of hidden fastboot oem commands but they are all restricted.


Done for today, gonna do some more work this weekend. Anyone else feel free to help me.

Running fastboot oem cid_prov_req gives an unlock code similar to the bootloader unlock. But I believe there is another process that will put the device into production mode by using that code... In production mode we can do ramdumps and imei changes. Haven't figured out how to use that code though, working on it...

Does anyone know how to write to bootloader variables?

 

[skyguy126]

Wut?!?!

Is this too good to be true......

Look at the attachment!

Popped it in HxD and yep the binary is there, its not a blank file. Looks like its encrypted though, but by examining the binary the encryption keys are stored in dhob. (Or maybe its the other way around )

 

[rootr]

Is this too good to be true......

Look at the attachment!

Popped it in HxD and yep the binary is there, its not a blank file. Looks like its encrypted though, but by examining the binary the encryption keys are stored in dhob. (Or maybe its the other way around )

Its a 512 kb file.....Probably a file system file.....try opening with ext2 or ext3?

 

[skyguy126]

Its a 512 kb file.....Probably a file system file.....try opening with ext2 or ext3?

No, I opened it with HxD and all the text is readable. Looks like some sort of encryption keys. (Which I know because of examining the radio image, hob contains encryption keys to decrypt dhob which contains the imei and other stuff) I also got dhob but it is unreadable in HxD probally because its encrypted. Has anyone already managed to extract the file or am I the first one?

EDIT: I even opened up the file with notepad++ and the text is still readable:

Here is an example (I replaced all the numbers and stuff because might contain personal information regarding my personal device):

<element>
		<id>00000</id>
		<index>0</index>
		<size>000</size>
		<data>
			fjkahfjksdhfkjsadhfkjasdfhalsdfhkjasdfhvbcxznvbxmnvb,xmcz
		</data>
	</element>

Anyone know how to decrypt dhob if I have the encryption keys

 

[rootr]

No, I opened it with HxD and all the text is readable. Looks like some sort of encryption keys. (Which I know because of examining the radio image, hob contains encryption keys to decrypt dhob which contains the imei and other stuff) I also got dhob but it is unreadable in HxD probally because its encrypted. Has anyone already managed to extract the file or am I the first one?

EDIT: I even opened up the file with notepad++ and the text is still readable:

Here is an example (I replaced all the numbers and stuff because might contain personal information regarding my personal device):

<element>
		<id>00000</id>
		<index>0</index>
		<size>000</size>
		<data>
			fjkahfjksdhfkjsadhfkjasdfhalsdfhkjasdfhvbcxznvbxmnvb,xmcz
		</data>
	</element>

Anyone know how to decrypt dhob if I have the encryption keys

From where did you extract this hob file?