[INFO] Moto G IMEI=0

bludotos

Member
Aug 7, 2013
Unfortunately I knew all this :( I was going to see if I can decompile the nonhob.bin file. (A look at it shows it does some interesting things. Maybe modify it to flash a backed-up hob or something?)



Sent from my XT1032 using XDA Free mobile app
 

skyguy126

Senior Member
Sep 17, 2014
Can we modify momdest to mount hob and dhob on boot? Or even make it so that once it has write access it writes the IMEI. Can someone please tell me how to unpack/decompile momdest and motoboot? I am using my Moto G as a test bench so I am pretty willing to do these things. :)

Update:
 

rootr

Senior Member
Oct 31, 2014
Can we modify momdest to mount hob and dhob on boot? Or even make it so that once it has write access it writes the IMEI. Can someone please tell me how to unpack/decompile momdest and motoboot? I am using my Moto G as a test bench so I am pretty willing to do these things. :)

Update: (Deleted what I posted because I think it's illegal :p) But decompile NON-HLOS.bin and take a look at modem.b26 and modem.b21.
The thing is these partitions are unmountable as they have no file system. Now trying to open them with a binary reader and figuring out stuff is too pro and a nightmare for me. So another dead end here. Sorry, but there is no way around here except to get your board replaced. :/
 

bludotos

Member
Aug 7, 2013
A lot of info in NON-HLOS.bin. I'm close to decompiling it. It does unlock the phone for us to modify it. Possibly reflash the hob and dhob partitions. If I can decompile it, I can compile it back. It's in C, by the way.

Sent from my XT1032 using XDA Free mobile app
 

skyguy126

Senior Member
Sep 17, 2014
A lot of info in NON-HLOS.bin. I'm close to decompiling it. It does unlock the phone for us to modify it. Possibly reflash the hob and dhob partitions. If I can decompile it, I can compile it back. It's in C, by the way.

Sent from my XT1032 using XDA Free mobile app
I just used an ext4 unpacker and HxD. But you seem really far ahead in helping us.
Cheers! :D

Edit: Do you mind sharing how you decompiled it?
 

bludotos

Member
Aug 7, 2013
I didn't decompile it yet (not enough time, and it's finals week) but I know enough about it to decompile it. It's an ELF 32-bit executable and in C. I work all day today and have a final tomorrow. I'll decompile it this weekend.

Sent from my XT1032 using XDA Free mobile app
 

NextGenGTR

Senior Member
Nov 19, 2013
I had a problem before when my IMEI was 0 and my SIM wasn't connecting to any network. I fixed it by flashing a different build again; I think I flashed a retail one, which messed up my IMEI until I flashed a Three network one, which fixed it.
 

skyguy126

Senior Member
Sep 17, 2014
Hello. If "fastboot erase all" messed up your IMEI then there is no way to get it back. Trust me, I have spent a considerable time trying to retrieve it. First of all, as I have mentioned earlier and with lost101, we agreed on the following:

1. fastboot erase all deletes IMEI
2. The following partitions are erased with above command: hob,dhob,fsc,modemst1,modemst2,fsg
3. fsg,modemst1,modemst2 are restored when flashing stock rom but not hob,dhob,fsc which implies IMEI is stored in one of those.
4. modem requests for read/write permission to dhob and hob on bootup further strengthening theory.
5. These partitions do not get mounted on bootup only in fastboot. So unless you have custom bootloader that can access these partitions in boot mode, there is probably no way to get IMEI back.

But, if you messed up your radio and your IMEI is "Unknown", then there is a very good chance to get your IMEI back. Just flash a compatible radio. This case happens mostly when flashing CyanogenMod or other custom firmwares. As you can read in other posts, people flashed their stock back and hence their IMEI was restored, which actually was never erased and was there the whole time.

Lastly, trying to write the IMEI with an NV writing method such as DFS or any other tool will not bring back the IMEI, as it doesn't really write anything. IMO the NV_550 variable, which holds the IMEI in most devices, is useless on the Moto G: as I checked with DFS, it gave the error "unknown variable", meaning the Moto G does not support it.

Hope that helps. :)

While we are waiting for the decompile to happen I might be able to help a bit. You mentioned there is an NV variable that holds the IMEI, correct? There are several NV variable names in the momdest binary. I could list them in this thread and you could try and write to the different variable names. Can't hurt to try since you already lost your IMEI...
 

rootr

Senior Member
Oct 31, 2014
I would surely have helped you but I already changed my motherboard. :/ Didn't have any option, I had to get my sim working. But please share your work as it can help others :)

Sent from my XT1033 using XDA Free mobile app
 

skyguy126

Senior Member
Sep 17, 2014
I would surely have helped you but I already changed my motherboard. :/ Didn't have any option, I had to get my sim working. But please share your work as it can help others :)

Sent from my XT1033 using XDA Free mobile app
I definitely will. I found some more information while examining the binary. There is a mode called "trusted boot" where all partitions are accessible and writeable. There might be a way to put your phone into trusted boot, but for that I need to examine motoboot.img. The ext4 unpacker does not work on this file and nor do any ISO extractors. Does anyone know how I can extract/decompile motoboot.img?
 

skyguy126

Senior Member
Sep 17, 2014
I said maybe because the bits and pieces of code I could read meant that all partitions are fully mounted. I found really weird things in the bootloader, gonna try and translate the information for you guys.

There are many things talking about a RAM DUMP and how to properly do it...

Let me post some screenshots... Might have found something huge!

There is a hidden command to pull partitions: fastboot oem ramdump enable
then fastboot oem ramdump pull

Unfortunately it's restricted and I'm trying to find out how to enable it!

EDIT: There are a load of hidden fastboot oem commands but they are all restricted.


Done for today, gonna do some more work this weekend. Anyone else feel free to help me.
 


skyguy126

Senior Member
Sep 17, 2014
I said maybe because the bits and pieces of code I could read meant that all partitions are fully mounted. I found really weird things in the bootloader, gonna try and translate the information for you guys.

There are many things talking about a RAM DUMP and how to properly do it...

Let me post some screenshots... Might have found something huge!

There is a hidden command to pull partitions: fastboot oem ramdump enable
then fastboot oem ramdump pull

Unfortunately it's restricted and I'm trying to find out how to enable it!

EDIT: There are a load of hidden fastboot oem commands but they are all restricted.


Done for today, gonna do some more work this weekend. Anyone else feel free to help me.
Running fastboot oem cid_prov_req gives an unlock code similar to the bootloader unlock. But I believe there is another process that will put the device into production mode by using that code... In production mode we can do RAM dumps and IMEI changes. Haven't figured out how to use that code though, working on it...

Does anyone know how to write to bootloader variables?
 


skyguy126

Senior Member
Sep 17, 2014
Wut?!?!

Is this too good to be true......

Look at the attachment!

Popped it in HxD and yep, the binary is there, it's not a blank file. Looks like it's encrypted though, but by examining the binary the encryption keys are stored in dhob. (Or maybe it's the other way around :p)
 


rootr

Senior Member
Oct 31, 2014
Is this too good to be true......

Look at the attachment!

Popped it in HxD and yep, the binary is there, it's not a blank file. Looks like it's encrypted though, but by examining the binary the encryption keys are stored in dhob. (Or maybe it's the other way around :p)
It's a 512 KB file..... Probably a file system image..... try opening it with ext2 or ext3?
 

skyguy126

Senior Member
Sep 17, 2014
It's a 512 KB file..... Probably a file system image..... try opening it with ext2 or ext3?
No, I opened it with HxD and all the text is readable. Looks like some sort of encryption keys. (Which I know because of examining the radio image: hob contains encryption keys to decrypt dhob, which contains the IMEI and other stuff.) I also got dhob but it is unreadable in HxD, probably because it's encrypted. Has anyone already managed to extract the file or am I the first one?

EDIT: I even opened up the file with notepad++ and the text is still readable:

Here is an example (I replaced all the numbers and stuff because might contain personal information regarding my personal device):
Code:
<element>
		<id>00000</id>
		<index>0</index>
		<size>000</size>
		<data>
			fjkahfjksdhfkjsadhfkjasdfhalsdfhkjasdfhvbcxznvbxmnvb,xmcz
		</data>
	</element>

Anyone know how to decrypt dhob if I have the encryption keys?
 
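Two questions in this thread come down to the same first step of firmware triage: bludotos' observation above that NON-HLOS.bin contains a 32-bit ELF executable, and skyguy126's check here that a pulled hob image is "not a blank file" while dhob "looks like it's encrypted". The script below is an added example, not code posted by anyone in this thread or shipped by Motorola: it reports whether an image is erased-flash filler, uses byte entropy to flag data that is likely encrypted or compressed, and locates any embedded ELF headers with their class, endianness and target machine. All three sample blobs are constructed inline (a fake ELF32/ARM header, an all-zero partition, and SHA-256-derived bytes standing in for ciphertext); no real Moto G partition contents are included. The machine-id table and the 7.5 bits/byte entropy threshold are my choices, not values from the thread.

```python
import hashlib
import math
import struct

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification. Hexagon (0xA4) is the Qualcomm
# DSP core that modem firmware such as NON-HLOS typically targets.
MACHINE_NAMES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64",
                 0xA4: "Hexagon", 0xB7: "AArch64"}

# Entropy above this (bits per byte) is treated as encrypted/compressed. Assumption.
HIGH_ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, close to 8.0 for random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_blank(data: bytes) -> bool:
    """True if the image holds nothing but erased-flash filler (0x00 or 0xFF)."""
    return not data or set(data) <= {0x00, 0xFF}


def find_elf_headers(data: bytes) -> list:
    """Locate every ELF header in the blob and decode class, endianness and machine."""
    found = []
    off = data.find(ELF_MAGIC)
    while off != -1:
        if off + 20 <= len(data):  # need e_ident (16) + e_type (2) + e_machine (2)
            ei_class, ei_data = data[off + 4], data[off + 5]
            endian = "<" if ei_data == 1 else ">"
            e_machine = struct.unpack_from(endian + "H", data, off + 18)[0]
            found.append({
                "offset": off,
                "class": {1: "ELF32", 2: "ELF64"}.get(ei_class, "unknown"),
                "endian": {1: "little", 2: "big"}.get(ei_data, "unknown"),
                "machine": MACHINE_NAMES.get(e_machine, f"0x{e_machine:02x}"),
            })
        off = data.find(ELF_MAGIC, off + 1)
    return found


def triage(data: bytes) -> dict:
    """Summarise a partition image: blank, high-entropy (encrypted/compressed) or structured."""
    entropy = shannon_entropy(data)
    if is_blank(data):
        verdict = "blank"
    elif entropy > HIGH_ENTROPY_THRESHOLD:
        verdict = "high entropy: likely encrypted or compressed"
    else:
        verdict = "structured data or code"
    return {"size": len(data), "entropy": round(entropy, 2),
            "verdict": verdict, "elf": find_elf_headers(data)}


# --- constructed sample inputs (not real Moto G partition contents) ---

def _fake_elf32_arm() -> bytes:
    # e_ident: magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT, then padding.
    e_ident = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9)
    # e_type=ET_EXEC, e_machine=EM_ARM, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize=52, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return struct.pack("<16sHHIIIIIHHHHHH", e_ident, 2, 0x28, 1, 0x8000, 52, 0, 0,
                       52, 32, 0, 40, 0, 0)


MODEM_LIKE_BLOB = bytes(256) + _fake_elf32_arm() + b"hob dhob fsc " * 8
ERASED_PARTITION = bytes(512)
# Deterministic pseudo-random bytes stand in for an encrypted image.
HIGH_ENTROPY_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                             for i in range(128))


if __name__ == "__main__":
    for name, blob in [("modem-like", MODEM_LIKE_BLOB), ("erased", ERASED_PARTITION),
                       ("encrypted-like", HIGH_ENTROPY_BLOB)]:
        print(name, triage(blob))
```

Run it against a dumped image with `triage(open(path, "rb").read())`. Entropy alone cannot distinguish encryption from compression, so a high-entropy verdict is a prompt to look for a container or key-derivation step, not proof of a cipher; the ELF scan is the quick way to confirm that a blob like NON-HLOS.bin is loadable code rather than a file system before reaching for a disassembler.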

rootr

Senior Member
Oct 31, 2014
No, I opened it with HxD and all the text is readable. Looks like some sort of encryption keys. (Which I know because of examining the radio image: hob contains encryption keys to decrypt dhob, which contains the IMEI and other stuff.) I also got dhob but it is unreadable in HxD, probably because it's encrypted. Has anyone already managed to extract the file or am I the first one?

EDIT: I even opened up the file with notepad++ and the text is still readable:

Here is an example (I replaced all the numbers and stuff because might contain personal information regarding my personal device):
Code:
<element>
		<id>00000</id>
		<index>0</index>
		<size>000</size>
		<data>
			fjkahfjksdhfkjsadhfkjasdfhalsdfhkjasdfhvbcxznvbxmnvb,xmcz
		</data>
	</element>

Anyone know how to decrypt dhob if I have the encryption keys?
From where did you extract this hob file?