Google Pixel 6 IMEI editing research (WIP)
------------------------------------------

Note: this is a work in progress. The contents of this document may change at any time and may include information that fails to work under some circumstances. Use the information solely at your own risk. The document is released under CC0 into the public domain.

Prerequisites:

* Google Pixel 6 (probably also 6 Pro) with the Exynos 5123 modem
* Rooted Android system

# AT command interface #

Currently, the only known AT command interface is the following (from a root shell):

echo 'your_cmd\r' > /dev/umts_router & cat /dev/umts_router

(minicom does not support this device; a more reliable way of interacting with it is still to be researched.)

# Temporary IMEI change #

The physical SIM IMEI is stored in the "CAL.Common.Imei" NV item and the eSIM IMEI in the "CAL.Common.Imei_2nd" NV item. Each item is written two digits per index, from index 0 to index 8; the 15 IMEI digits fill the first 15 of those 18 positions and the remaining three positions are padded with zeros, as shown below.

To update the physical SIM IMEI to abcdefghijklmno (where the letters stand for the corresponding IMEI digits), issue the following AT commands:

AT+GOOGSETNV="CAL.Common.Imei",0,"ab"
AT+GOOGSETNV="CAL.Common.Imei",1,"cd"
AT+GOOGSETNV="CAL.Common.Imei",2,"ef"
AT+GOOGSETNV="CAL.Common.Imei",3,"gh"
AT+GOOGSETNV="CAL.Common.Imei",4,"ij"
AT+GOOGSETNV="CAL.Common.Imei",5,"kl"
AT+GOOGSETNV="CAL.Common.Imei",6,"mn"
AT+GOOGSETNV="CAL.Common.Imei",7,"o0"
AT+GOOGSETNV="CAL.Common.Imei",8,"00"

To update the eSIM IMEI to abcdefghijklmno (same notation), issue the following AT commands:

AT+GOOGSETNV="CAL.Common.Imei_2nd",0,"ab"
AT+GOOGSETNV="CAL.Common.Imei_2nd",1,"cd"
AT+GOOGSETNV="CAL.Common.Imei_2nd",2,"ef"
AT+GOOGSETNV="CAL.Common.Imei_2nd",3,"gh"
AT+GOOGSETNV="CAL.Common.Imei_2nd",4,"ij"
AT+GOOGSETNV="CAL.Common.Imei_2nd",5,"kl"
AT+GOOGSETNV="CAL.Common.Imei_2nd",6,"mn"
AT+GOOGSETNV="CAL.Common.Imei_2nd",7,"o0"
AT+GOOGSETNV="CAL.Common.Imei_2nd",8,"00"

To apply the changes, issue the following AT commands to save the baseband state and shut the baseband down:

AT+GOOGFLUSHNV
AT+CFUN=4,1

Wait for up to 3 seconds and then issue this AT command to bring it back online:

AT+CFUN=1

If everything updates correctly, the network should see your new IMEI. Check your carrier's account page to verify this. Note that the change is not reflected in *#06# or anywhere else in the system, only towards the cellular network, and it only stays in effect until the first reboot.

To reset the IMEIs without rebooting, issue the following commands:

AT+GOOGNVRESET
AT+CFUN=4,1

Wait for up to 3 seconds and then issue this AT command to bring it back online:

AT+CFUN=1

# Persistent IMEI change #

The following partition stores both IMEIs in plain ASCII:

/dev/block/bootdevice/by-name/devinfo

They can be found after the "imei1" string followed by a zero byte, and after the "imei2" string followed by a zero byte, respectively.

Patching either IMEI in the devinfo image, regardless of whether the /mnt/vendor/efs/nv_protected* files are deleted afterwards, causes the device to report both IMEIs as 000000000000000 to both the OS and the network after rebooting. Other places where the IMEIs need to be patched in addition to the devinfo partition are still being researched.

The devinfo partition must be exactly 8192 bytes in size. Corrupting it can lead to a bootloop or to the radio module not working at all.

The devinfo change also modifies nv_protected.bin (and the output of AT+GOOGBLOCKINFO) accordingly. Despite this, the effective IMEIs are still zeroed out. Also, with the patched devinfo, both AT+GOOGGETIMEISHA and AT+GOOGVERIFYIMEISHA return "+CME ERROR: unknown", whereas with the stock devinfo AT+GOOGVERIFYIMEISHA returns:

+GOOGVERIFYIMEISHA: IMEI SHA verified passed

This indicates that a SHA hash of the IMEI pair is stored somewhere outside devinfo, and that patching devinfo alone makes that verification fail. When a working method of IMEI persistence is found, it will be the only one described in this document.

--- Luxferre ---
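Appendix: checking a devinfo dump (added example)

The Python script below is an added example for this document, not part of Luxferre's original notes and not any Google or Samsung tooling. It reads a dump of the devinfo partition, locates the two IMEI strings using the layout described in the "Persistent IMEI change" section above ("imei1" or "imei2", a zero byte, then the ASCII digits), enforces the 8192-byte size, and validates each IMEI's Luhn check digit. It also recognises the all-zero IMEI that the notes report after a bad patch; 000000000000000 happens to be Luhn-valid on its own, so a plain checksum would not flag it. Everything beyond what the notes state is an assumption: the terminator after the digits, the bytes surrounding the tags, and the sample image, which is constructed for the demo with Luhn-valid placeholder values rather than real device identifiers. The script is read-only and never touches the partition itself.

```python
"""Read-only inspection of a Pixel 6 devinfo partition dump.

Added example, not part of the original notes. Layout assumptions
(taken from the text above; anything beyond it is a guess): the
partition is exactly 8192 bytes and contains the ASCII tags "imei1"
and "imei2", each followed by a zero byte and then the IMEI digits.
"""
import re
import sys

DEVINFO_SIZE = 8192  # the partition must be exactly this size (see notes)

# tag, NUL, then a run of ASCII digits (terminator after the digits is assumed)
_IMEI_RE = re.compile(rb"(imei[12])\x00([0-9]{1,20})")


def luhn_check_digit(body14: str) -> str:
    """Luhn check digit for the 14-digit IMEI body (TAC + serial)."""
    total = 0
    # Walk from the digit next to the check digit, doubling every other one.
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def classify_imei(imei: str) -> str:
    """Return 'ok', 'zeroed', 'bad-check-digit' or 'malformed'."""
    if len(imei) != 15 or not imei.isdigit():
        return "malformed"
    if imei == "0" * 15:
        # The state the notes above report after patching devinfo.
        # 000000000000000 is itself Luhn-valid, so this test must come
        # before the checksum test.
        return "zeroed"
    if luhn_check_digit(imei[:14]) != imei[14]:
        return "bad-check-digit"
    return "ok"


def parse_devinfo(image: bytes) -> dict:
    """Map 'imei1'/'imei2' to the digit string following each tag."""
    if len(image) != DEVINFO_SIZE:
        raise ValueError(
            f"devinfo image is {len(image)} bytes, expected {DEVINFO_SIZE}")
    found = {}
    for m in _IMEI_RE.finditer(image):
        tag = m.group(1).decode("ascii")
        # A tag appearing twice is unexpected under the assumed layout.
        if tag in found:
            raise ValueError(f"duplicate {tag} tag at offset {m.start()}")
        found[tag] = m.group(2).decode("ascii")
    return found


def inspect_devinfo(image: bytes) -> dict:
    """Return {tag: (imei, verdict)} for every IMEI tag in the image."""
    return {tag: (val, classify_imei(val))
            for tag, val in parse_devinfo(image).items()}


def build_sample_devinfo(imei1: str, imei2: str) -> bytes:
    """Constructed sample image for offline testing: two tags at
    arbitrary offsets, NUL-padded to the partition size. The real
    partition carries other content around the tags that the notes
    above do not describe."""
    blob = (b"\x00" * 64
            + b"imei1\x00" + imei1.encode("ascii") + b"\x00"
            + b"\x00" * 16
            + b"imei2\x00" + imei2.encode("ascii") + b"\x00")
    return blob.ljust(DEVINFO_SIZE, b"\x00")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        # No dump given: run against constructed placeholder values.
        data = build_sample_devinfo("490154203237518", "356938035643809")
    for tag, (imei, verdict) in sorted(inspect_devinfo(data).items()):
        print(f"{tag}: {imei} ({verdict})")
```

To use it against a real device, dump the partition from a root shell (for example with dd from /dev/block/bootdevice/by-name/devinfo to a file), pull the file to a host, and run the script with the dump's path as its only argument. A "zeroed" verdict on a device that still reports a real IMEI to the OS would be a sign that the reading assumptions above do not match the actual layout, so treat the output as a sanity check rather than ground truth.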