Google Pixel 6-9 IMEI editing research
--------------------------------------

Note: the contents of this document may change at any time and might contain information that could fail to work under some circumstances. Use the information solely at your own risk. The document is released under CC0 into the public domain.

Prerequisites:

* Google Pixel 6 and above (with Exynos modem)
* Rooted Android system

The following partition stores both IMEIs in plain ASCII:

/dev/block/bootdevice/by-name/devinfo

They can be found after the "imei1" string and a zero byte and after the "imei2" string and a zero byte respectively. They are stored in the so-called PS tag structure under the corresponding DIUS-type tags.

Patching either of the IMEIs in the devinfo image, regardless of whether or not the /mnt/vendor/efs/nv_protected* files are deleted afterwards, causes the device to report both IMEIs as 000000000000000 to both the OS and the network after rebooting. In order to fix this, you need to perform the following steps:

1. Reboot the phone into factory mode (either by setting the "bootmode" devinfo tag to "factory" and changing its type from DIFR to DIUS, or by entering fastboot mode and running "fastboot oem set_config bootmode factory" and then rebooting). When booting in factory mode, the word "Factory" should appear instead of the first boot logo.
2. Under root, execute the AT+GOOGGETIMEISHA command (by writing to and reading from /dev/umts_router) and read the hexadecimal string from its result.
3. Write this hexadecimal string verbatim (as is) into the /mnt/vendor/persist/modem/cpsha file.
4. Optionally change the bootmode back to "normal" and reboot the phone.

After reboot, the new IMEIs should be seen by the device and by the network.

--- Luxferre ---