8110 pwned once again but this is just the sTARt

This day is a landmark I’ve been looking forward to since buying both of my Nokia 8110 4G phones from our local online store. No, I still don’t have the Firehose loader/programmer binary with a correct signature, but I’ve discovered something no less wonderful instead. And I got lucky that I managed to do it before my 6-week business trip to another edge of the Earth, which just happens to be scheduled for the coming weekend, because the 8110 is not so usable there.

But let’s get straight to the core of things…

In case you didn’t know, I was genuinely wondering how Qualcomm’s EFS (which is something akin to MediaTek’s NVRAM) is physically arranged. You see, all these ###adbg#//dev/diag diagnostic ports and such are fine, but I still have to figure out the exact protocol, which is not something that can be guessed just by looking at 10-year-old leaked documentation. Physical arrangement is another matter. As a GerdaOS maintainer, I already knew before today which partitions are crucial for the radio module but don’t contain any sensitive data: modem, rpm and fsg. I also knew that the modemst1 and modemst2 partitions, which do contain sensitive data, are somehow encrypted and unreadable, but if you erase them, they get restored from somewhere on the next reboot.

Where do they get restored from? My first guess was modem and fsg, but it turned out that modem is just an EXT4 partition containing nothing but the radio firmware binaries themselves. As for the fsg partition, the guess was correct, but it still doesn’t contain all the NV items; for instance, you won’t find the IMEIs there. At all. And that fact left me puzzled as hell…

…Up until today. I was just fiddling around in the /dev/block/bootdevice/by-name directory and decided to look up the contents of a partition I had never opened before: tunning (sic, it has two n letters in the name). And it contained some references to NV items as well, but… totally different from the ones in fsg. Including /nvm/num/550 (IMEI1) and /nvm/context1/550 (IMEI2)! And when I looked for the familiar patterns read from nvdiag_client -r -p /nvm/num/550, they showed up there in full.

Finally. But that’s not all. This file was a raw binary on an eMMC partition, but it had an amazingly regular structure: despite having no filesystem, it looked like one. Name - contents. Name - contents. And it also contained some strange ustar references. And then I realized where I had seen them before… and tried applying tar xf.

Voila.

Both the fsg and tunning partitions are just TAR archives of logically structured EFS items critical for the phone’s radio module to function. And they are totally unencrypted, unlike the modemst1 and modemst2 partitions that get restored from them. So, by modifying their TAR contents and erasing modemst1 and modemst2, we can totally pwn the EFS. And having total FS control in a custom ROM such as GerdaOS, I can finally create a tool that I announced long ago: an IMEI randomizer. Yep, the 8110 4G was suddenly pwned more easily than the Nokia 1.

But first things first, we need to test this out. So, remembering the conversion rules (prepend ‘80a’ to the decimal IMEI, then split it into pairs, then swap the digits in each pair, and here’s your 9-byte HEX value that you need to write into the file), I created a small shell script suitable for running in the busybox environment of a rooted (!) Nokia 8110 4G itself:

#!/system/bin/busybox sh

# Usage: qpwn.sh [sim number] [new IMEI - 15 decimals]
# Rewrites NV item 550 (IMEI) inside the tunning TAR image, then wipes
# modemst1/modemst2 so the modem rebuilds them from tunning on next boot.

if [ $# -ne 2 ]; then
echo "Usage: $0 [sim number] [new IMEI - 15 decimals]"
exit 1
fi

OPDIR=$(mktemp -d)
BLKPREF=/dev/block/bootdevice/by-name
SIMINDEX=$1
# IMEI1 lives in nvm/num/550, IMEI2 in nvm/context1/550
TARGETNAME=nvm/num/550
if [ "$SIMINDEX" = 2 ]; then
TARGETNAME=nvm/context1/550
fi
# NV 550 layout: "80a" prefix + 15 digits = 18 hex digits = 9 bytes
IMEI="80a$2"
cd "$OPDIR"
echo "Reading tunning partition..."
# the partition is a plain, unencrypted TAR archive
busybox tar xf "$BLKPREF/tunning"
# swap the two hex digits of each pair and emit them as \xNN escapes
PREP="$(echo -n "$IMEI" | busybox sed -re 's/([a0-9])([a0-9])/\\x\2\1/g')"
echo -ne "$PREP" > "$TARGETNAME"
echo "Writing tunning partition..."
busybox tar cf - . > "$BLKPREF/tunning"
echo "Formatting modemst1 and modemst2..."
# the erased copies are regenerated from fsg/tunning on reboot
dd if=/dev/zero of="$BLKPREF/modemst1"
dd if=/dev/zero of="$BLKPREF/modemst2"
echo "IMEI changed, reboot to apply"
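As an added, read-only example (not from this post or from GerdaOS), here is a Python routine that treats a dumped tunning/fsg image as the plain TAR archive described above and decodes any NV item 550 entries back into IMEIs by inverting the digit-swap rule. The sample archive, its IMEI and the entry-name-to-label mapping are constructed assumptions for the demo.

```python
import io
import tarfile

# Entry names the post identifies as IMEI1/IMEI2 (labels are ours)
IMEI_ENTRIES = {"nvm/num/550": "IMEI1", "nvm/context1/550": "IMEI2"}


def decode_nv550(raw: bytes) -> str:
    """Invert the NV 550 encoding: 08 1a 32 ... -> '80a123...' -> 15 digits."""
    if len(raw) != 9:
        raise ValueError(f"NV 550 item should be 9 bytes, got {len(raw)}")
    # each byte holds two hex digits in swapped order; un-swap them
    swapped = "".join(f"{b:02x}"[::-1] for b in raw)
    if not swapped.startswith("80a"):
        raise ValueError(f"unexpected NV 550 prefix: {swapped[:3]}")
    imei = swapped[3:]
    if not (len(imei) == 15 and imei.isdigit()):
        raise ValueError(f"decoded value is not a 15-digit IMEI: {imei}")
    return imei


def list_imeis(archive: bytes) -> dict:
    """Walk an uncompressed TAR image and decode every IMEI entry it holds."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        for member in tar.getmembers():
            name = member.name.lstrip("./")  # 'tar cf - .' stores './nvm/...'
            if member.isfile() and name in IMEI_ENTRIES:
                found[IMEI_ENTRIES[name]] = decode_nv550(tar.extractfile(member).read())
    return found


def build_sample_image() -> bytes:
    """Constructed stand-in for a tunning dump: one IMEI item plus one other item."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        # constructed payload: encodes the made-up IMEI 123456789012345
        for name, payload in (("./nvm/num/550", bytes.fromhex("081a32547698103254")),
                              ("./nvm/num/10", b"\x00" * 4)):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    print(list_imeis(build_sample_image()))  # {'IMEI1': '123456789012345'}
```

Pointing list_imeis at the bytes of a real dump (dd of the tunning or fsg partition) lets you audit what a device will report after a modemst wipe, without writing anything.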

And you know what? It works. And I mean, it really works. Now creating a frontend with a randomizer is just a matter of time…

…And something makes me sure that the next GerdaOS release won’t take long.
