Long live Chinese OEMs, part 2

You know, I had to take a break, and from this blog as well. A lot happened in my life for last 6 months, but I had enough time to rethink a lot of stuff. Also, I got involved into many side-activities. For instance, I started learning Esperanto (still far from perfect to just switch my posts to it), wearing a fedora hat (and installing a Fedora Silverblue distro onto my Xiaomi laptop) and — one of my biggest new activities — got into 3D printing. This stuff is amazing, and probably I’ll write a post dedicated to it someday. But today, I’m going to cover another topic which, despite all the change around me, still remains my primary passion…

Which is…

…Good old IMEI editing. And I’m not here to talk about my recent Qualcomm findings about NV item extended subsystem. Well, quoting my own post in the group:

…first things first: the modemst1 and modemst2 partitions must be erased before any writing, otherwise the 07 error code (access denied) follows in the HDLC response.

The format itself is quite simple - for instance, these commands (not including HDLC footers with CRC) set the IMEI of SIM1 to 9999999999994 and of SIM2 to 111111111111119:

4b 30 02 00 26 02 00 00 08 9a 99 99 99 99 99 99 49

4b 30 02 00 26 02 01 00 08 1a 11 11 11 11 11 11 91

So, let’s look at the format:

  • 4b: start of extended subsystem command;
  • 30: specifies that we’re querying the NV subsystem;
  • 02 00: NV item write subcommand;
  • 26 02: NV item number (little-endian representation of the number 550, and this item is known as the storage for IMEI);
  • 00 00 or 01 00: little-endian context ID - the value of 00 00 corresponds to SIM 1, 01 00 corresponds to SIM2;
  • 08 xa xx xx xx xx xx xx xx - IMEI value in Qualcomm’s format (to convert an IMEI to that format, prepend 80a to the IMEI string and then swap each pair of characters).

And these commands will read both IMEIs:

4b 30 01 00 26 02 00 00
4b 30 01 00 26 02 01 00

Explanation:

  • 4b: start of extended subsystem command;
  • 30: specifies that we’re querying the NV subsystem;
  • 01 00: NV item read subcommand;
  • 26 02: NV item number (little-endian representation of the number 550, and this item is known as the storage for IMEI);
  • 00 00 or 01 00: little-endian context ID - the value of 00 00 corresponds to SIM 1, 01 00 corresponds to SIM2.

When successful, the read HDLC buffer will be filled with the appropriate IMEI values…Ideally the operation should be performed from the offline mode (one can swtich to it with 29 00 command and then reset the phone with 29 02 command), but this will also do…

Nothing more to explain here, folks. After extended NV subsystem call format had been discovered, I decided to switch to different platforms for the same goals, namely KaiOS-based MediaTek (MT6572) and Spreadtrums. But even this is not what I’m going to cover today. Today I’m going to cover simple GSM phones brought to us from China by numerous OEM brands. Their names differ from country to country (more or less global ones, like Philips, are more of an exception than a rule) but the platforms used by them are mainly the same: MediaTek MT6260A, MT6261D and MT6223 (for cardphones), Spreadtrum/Unisoc SC6531DA, SC6531E and SC6531F (the latter being mutually compatible), RDA SC6533G and CT8851. Despite such a limited choice of chipsets, their firmware ranges from very nice (Philips Xenium E181, Nomi i144) to straight away harmful (Bravis Base, most S-TELLs etc). Most 2G handsets sold here in 2019 are based upon MT6261D, SC6531E/F and SC6533G respectively, but older chipsets can also come across. Given that and the amount of OEM brands in just one country, one can imagine the diversity of the ROMs. Which, obviously, leads to the diversity of IMEI editing codes just as well.

Still, the similarities between different countries’ OEM brands are sometimes stunning. This is why I was able to use some Pakistani sources to update my own IMEI change codes list. So, let me first share my own experience and proceed with a generic code table afterwards.

Here are the codes that I have been able to use on various Spreadtrum/Unisoc OEM handsets (SC6531DA/SC6531E/SC6531F) at the time of writing:

  • #*8378#1# - being a generic engineering menu code as opposed to just an IMEI editor, this code opens up much more possibilities. Nevertheless, in the “Para set” submenu you’ll most likely be able to find “Update IMEI Number” as the last item. I first encountered this code on Bravis Base, and have been able to use it on a large amount of Spreadtrum phones (Bravis C246 Fruit, Nomi i144, Astro A284 etc., as well as miniphones like LONG-CZ J8) afterwards.
  • *#1122# - an old code for some SC6531E-based phones. Most likely will work on unaltered Chinese clones like S-TELL S3-07 (a clone of Servo 225 with half of the features disabled but malicious SMS sender still remaining).
  • *#020*# - a less-known code for monochrome SC6531DA-based phones like Nomi i144.
  • *#868*# - a code for a dedicated IMEI editor for current-gen SC6531E phone firmwares. A working example is Nomi i144c.
  • #*868*# - an alternative code for generic Spreadtrum engineering menu for SC6531E-based phones manufactured in 2017-2019. Working examples would be Nomi i144m and Ergo F185 Speak.
  • *#0011# - a code for a dedicated IMEI editor in some unspecified SC6531E-based models like Astro A171.
  • *#0623# - a code to launch IMEI editor in Rezone A170 Point, Servo R25 and probably other SC6531E-based phones with boards manufactured in 2017-2018.
  • *#66# - a code to launch the generic Spreadtrum engineering menu in Caterpillar CAT B26, probably the best 2G Spreadtrum phone I’ve ever encountered, based upon the newest cleaned-up Mocor version and the SC6531F chipset. Besides IMEI editing, this engineering menu also allows setting up lots of interesting stuff like screenshot taking.

Here are the codes that I have been able to use on various MediaTek OEM handsets (MT6260A/MT6261D/MT6223) at the time of writing:

  • *#5353# - worked on my noname cardphone with MT6223 inside.
  • *#1263# - worked on my MT6261D-based watchphone (noname Smart Watch V8, also has traces of Umeox 61D firmware inside).
  • *#0066# - worked on both of my Philips Xenium E181 handsets.
  • *#9999# - only worked on one of my Philips Xenium E181 handsets.

And here are the codes that I have been able to use on various RDA/Coolsand OEM handsets (SC6533G/CT8851) at the time of writing:

  • *#0160# - the most generic SIM1 IMEI editing code that worked for all of my SC6533G-based phones.
  • *#0161# - the most generic SIM2 IMEI editing code that worked for all of my SC6533G-based phones.
  • *#0162# - the most generic SIM3 IMEI editing code that worked for some of my SC6533G-based phones (although they didn’t have SIM3).
  • *#0163# - the most generic SIM4 IMEI editing code that worked for some of my SC6533G-based phones (although they didn’t have SIM4).
  • *#2012# - the SIM1 IMEI editing code that worked on my only CT8851-based phone, Viaan V182A.
  • *#2013# - the SIM2 IMEI editing code that worked on my only CT8851-based phone, Viaan V182A.

And now, the grand table of known codes, with my personal popularity rating and subjective comments if there are any.

Code Platform Example models Comments
*#0160# rda/mtk Aelion A600, Viaan V1820, Jinga Simple F200n The most famous IMEI editor code for Coolsand/RDA phones (SIM1) and some MediaTek Nokia clones
*#0161# rda Aelion A600, Viaan V1820, Jinga Simple F200n The most famous IMEI editor code for Coolsand/RDA phones (SIM2)
*#0162# rda Viaan V1820, Jinga Simple F200n The most famous IMEI editor code for Coolsand/RDA phones (SIM3)
*#0163# rda Viaan V1820, Jinga Simple F200n The most famous IMEI editor code for Coolsand/RDA phones (SIM4)
#*8378#1# spd Bravis Base, Astro A284 Generic engineering menu with “Para set” - “Update IMEI number” item
*#1263(*)# mtk Smart Watch V8 Most famous MT6261D-based watchphones IMEI editor code
*#5353# mtk 2Life S7 Most MT6223-based cardphones IMEI editor code
*#66(*)# spd CAT B26 Not to be confused with older MTK Factory Mode / equipment test menus
#*868*# spd Ergo F185 Speak, Nomi i144m Generic engineering menu with “Para set” - “Update IMEI number” item
*#868(*)# spd Nomi i144c Newer SC6531E models
*#020(*)# spd Nomi i144 Some monochrome models
*#1122#(*) spd S-TELL S3-07 Older SC6531E models
*#0066# mtk Philips Xenium E181 Various MT6261D
*#9999# mtk Philips Xenium E181 Various MT6261D
*#0011# spd Astro A171 Some new SC6531-based models
*#328# mtk Qmobile Power 9, Kechaoda K115 Said to be one of the most popular MT6260A/MT6261D IMEI editor codes
*#329# mtk Voice V130 Said to be one of the most popular MT6260A/MT6261D IMEI editor codes
*#435763# mtk Cherry Mobile B1, Oktel F11 Probably also some Sigmas - a new MTK fad
*#7548135(*)# spd Most Lava brand phones Generic engineering menu with “Para set” - “Update IMEI number” item
*#07# mtk Qmobile Commando 1 Some old generic AliExpress phones
*#44#(*) mtk Kechaoda K3 Some old generic AliExpress phones
#*8378#9# spd Qmobile E4 Alternative Spreadtrum engmenu code
*#2012# rda Viaan V182A Some CT8851 IMEI1
*#2013# rda Viaan V182A Some CT8851 IMEI2
*#0623# spd Rezone A170 Point, Servo R25 Popped up in 2019 but used on a bit older SC6531E boards
(*)#91(*)# spd ? Lots of Spreadtrum models
*#912*# spd ? Lots of Spreadtrum models
(*)#23265(*)# ? ? Popular code recently
*#8960*# ? ? Some fake Nokias
#*0066# spd ?
*#006# ? ?
*#0606# ? ?
*#066# ? ?
*#1264# mtk ?
(*)#1903(*)# ? ?
*#7003# ? ? Some fake Nokias
#*00# ? ?
(*)#13018180160# ? ? Fake Nokia 130
##2015# ? ?
(*)#2161106# ? ? Fake Nokia 216
*#18822828758# ? ? Fake Nokia 1280
*#0*# ? ?
*#00# ? ?
*#0123# ? ?
*#0124# ? ?
*#016# ? ?
*#0160*# ? ?
*#01611# ? ?
*#0161*# ? ?
*#0166# ? ?
*#0200(*)# ? ?
*#021(*)# ? ?
*#050(*)# ? ?
*#053# ? ?
*#060*# ? ?
*#06101# ? ?
*#06111# ? ?
*#062*# ? ?
*#06666# ? ?
*#0688# ? ?
*#0708# ? ?
*#078*# ? ?
*#079*# ? ?
*#0808# ? ?
*#0825# ? ?
*#1061# ? ?
*#1111# ? ?
*#112#(*) ? ?
*#114# ? ?
*#1144*# ? ?
*#12345# ? ?
*#135*# ? ?
*#13579# ? ?
*#147*# ? ?
*#1688# ? ?
*#16888# mtk ?
*#2015# ? ?
*#2017770770# ? ?
*#201789#(*) ? ?
*#2018*# ? ?
*#205315*# ? ?
*#222*# ? ?
*#263# ? ?
*#2663# ? ?
*#31# ? ?
*#32# ? ?
*#388# ? ?
*#36*# ? ?
*#364016# ? ?
*#55# ? ?
*#66800*# ? ?
*#702# ? ?
*#7070# ? ?
*#7224#* ? ?
*#7353# ? ?
*#7501# ? ?
*#820# ? ?
*#863# ? ?
***#863#*#* ? ?
*#880103*# ? ?
*#880113# ? ?
*#880123*# ? ?
*#88# ? ?
*#888(*)#(*) ? ?
*#88888# ? ?
*#8991# ? ?
*#9090# ? ?
*#911# ? ?
*#92702689 ? ?
*#9292# ? ?
*#9300*# ? ?
*#989988# ? ?
*#989989# ? ?

Now, as you can see, this table is vastly incomplete but it will definitely be updated from time to time.

Have fun!

_