Google Pixel 6-9 IMEI editing research
--------------------------------------
Note: the contents of this document may change at any time and may contain
information that fails to work under some circumstances. Use the
information solely at your own risk.

The document is released under CC0 into the public domain.

Prerequisites:

* Google Pixel 6 and above (with Exynos modem)
* Rooted Android system

The following partition stores both IMEIs in plain ASCII:

/dev/block/bootdevice/by-name/devinfo

They can be found after the "imei1" string and a zero byte and after the
"imei2" string and a zero byte respectively. They are stored in the so-called
PS tag structure under the corresponding DIUS-type tags.
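The layout above is enough to locate and rewrite the values without a full PS tag parser. The script below is an added example (not the author's tooling): it dumps the two IMEIs from a devinfo image, checks the Luhn digit that every IMEI ends with, and patches one in place with a same-length, Luhn-valid replacement. It assumes the 15 ASCII digits directly follow the NUL-terminated tag name, as the note describes, and does not model the surrounding tag headers; the sample image it builds is constructed for the example.

```python
"""Locate, validate and patch the IMEI strings in a Pixel devinfo image.

Added example for this note, not the author's own tooling.  Assumptions:
  * each IMEI is 15 ASCII digits that directly follow the NUL-terminated tag
    name ("imei1\\0", "imei2\\0"), as the note describes; the surrounding PS
    tag/DIUS headers are not modelled, the value is simply located by name;
  * the sample image built below is constructed for the example.
"""
import re

IMEI_TAGS = ("imei1", "imei2")
IMEI_LEN = 15


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for the first 14 IMEI digits (i.e. the 15th digit)."""
    if not re.fullmatch(r"\d{14}", body):
        raise ValueError("expected 14 digits")
    total = 0
    # The rightmost body digit sits next to the check digit, so it is doubled.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_ok(imei: str) -> bool:
    """True if imei is 15 digits whose last digit is the correct Luhn check."""
    return bool(re.fullmatch(r"\d{15}", imei)) and luhn_check_digit(imei[:14]) == imei[14]


def find_imeis(image: bytes) -> dict:
    """Map tag name -> (offset of value, value) for every IMEI tag present.

    Scans for "<tag>\\0" and accepts a hit only if 15 ASCII digits follow,
    so an accidental substring match elsewhere in the image is skipped.
    """
    found = {}
    for tag in IMEI_TAGS:
        needle = tag.encode() + b"\x00"
        pos = image.find(needle)
        while pos != -1:
            start = pos + len(needle)
            value = image[start:start + IMEI_LEN]
            if len(value) == IMEI_LEN and value.isdigit():
                found[tag] = (start, value.decode())
                break
            pos = image.find(needle, pos + 1)
    return found


def patch_imei(image: bytes, tag: str, new_imei: str) -> bytes:
    """Return a copy of image with the given tag's IMEI replaced in place.

    Only a same-length, Luhn-valid value is accepted, so the tag layout and
    the partition size stay untouched.
    """
    if not luhn_ok(new_imei):
        raise ValueError("new IMEI must be 15 digits with a valid check digit")
    offset, _ = find_imeis(image).get(tag, (None, None))
    if offset is None:
        raise ValueError(f"tag {tag!r} not found in image")
    buf = bytearray(image)
    buf[offset:offset + IMEI_LEN] = new_imei.encode()
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed stand-in for a devinfo dump (not a real partition image)."""
    return (
        b"\x00" * 16
        + b"bootmode\x00normal\x00"
        + b"imei1\x00490154203237518\x00"
        + b"imei2\x00356938035643809\x00"
        + b"\xff" * 16
    )


if __name__ == "__main__":
    img = build_sample_image()
    for tag, (off, val) in find_imeis(img).items():
        print(f"{tag} @ 0x{off:x}: {val} luhn={'ok' if luhn_ok(val) else 'BAD'}")
```

On the device, dump the partition with dd from /dev/block/bootdevice/by-name/devinfo, keep that original dump as a backup, run patch_imei on the dump, and write the result back with dd. Because the patched value is exactly 15 bytes, nothing else in the image moves; the modem will still report zeros afterwards until the cpsha fix-up below is done.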

Patching either IMEI in the devinfo image causes the device, after a reboot,
to report both IMEIs as 000000000000000 to both the OS and the network,
regardless of whether or not the /mnt/vendor/efs/nv_protected* files are
deleted afterwards. To fix this, perform the following steps:

1. Reboot the phone into factory mode (either by setting the "bootmode"
devinfo tag to "factory" and changing its type from DIFR to DIUS, or by
entering fastboot mode and running "fastboot oem set_config bootmode
factory" and then rebooting). When booting in factory mode, the word
"Factory" should appear in place of the first boot logo.
2. As root, send the AT+GOOGGETIMEISHA command (by writing it to and
reading the reply from /dev/umts_router) and take the hexadecimal string
from its result.
3. Write this hexadecimal string verbatim (as is) into the
/mnt/vendor/persist/modem/cpsha file.
4. Optionally change the bootmode back to "normal" and reboot the phone.
After the reboot, the new IMEIs should be seen by both the device and the
network.
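Steps 2 and 3, as an added example rather than the author's own script: it sends the AT command to /dev/umts_router, pulls the hexadecimal digest out of the reply, and stores it in cpsha. It assumes the phone is already in factory mode (step 1, here done via the fastboot route) and that the script runs as root with a Python interpreter available on the device. The note does not give the reply framing, so the digest is located as the longest run of hex characters (at least 32) rather than by a fixed response prefix, a CR-terminated command is assumed to be accepted, and "verbatim" is read as writing the digest with no trailing newline; the reply used in the self-test is constructed.

```python
"""Fetch the modem's IMEI digest (AT+GOOGGETIMEISHA) and store it in cpsha.

Added example, not the author's tooling.  Assumptions:
  * the phone is in factory mode (step 1) and this runs as root;
  * /dev/umts_router accepts a CR-terminated AT command and replies with
    the digest as one contiguous run of hex characters, ending in OK or
    ERROR; the exact framing is not given in the note, so the digest is
    located as the longest hex run rather than by a fixed prefix;
  * "verbatim" means no trailing newline is added when writing cpsha;
  * the reply used in the self-test is constructed.
"""
from __future__ import annotations

import os
import re
import select
import sys
from typing import Optional

ROUTER = "/dev/umts_router"
CPSHA = "/mnt/vendor/persist/modem/cpsha"
AT_CMD = b"AT+GOOGGETIMEISHA\r"
HEX_RUN = re.compile(r"[0-9A-Fa-f]{32,}")
FINAL = re.compile(r"^(OK|ERROR)\s*$", re.M)


def extract_sha(response: str) -> Optional[str]:
    """Return the digest from the AT reply, case preserved, or None on ERROR
    or when no sufficiently long hex run is present."""
    if "ERROR" in response:
        return None
    runs = HEX_RUN.findall(response)
    return max(runs, key=len) if runs else None


def at_transact(cmd: bytes, dev: str = ROUTER, timeout: float = 5.0) -> str:
    """Write one AT command to the router device and collect the reply until
    a final OK/ERROR line arrives or the read times out."""
    fd = os.open(dev, os.O_RDWR | os.O_NOCTTY)
    try:
        os.write(fd, cmd)
        chunks = []
        while True:
            ready, _, _ = select.select([fd], [], [], timeout)
            if not ready:
                break
            data = os.read(fd, 4096)
            if not data:
                break
            chunks.append(data)
            if FINAL.search(b"".join(chunks).decode("ascii", "replace")):
                break
        return b"".join(chunks).decode("ascii", "replace")
    finally:
        os.close(fd)


def write_cpsha(digest: str, path: str = CPSHA) -> None:
    """Store the digest as is (no trailing newline; see assumptions)."""
    with open(path, "w") as f:
        f.write(digest)


def main() -> int:
    reply = at_transact(AT_CMD)
    digest = extract_sha(reply)
    if digest is None:
        sys.stderr.write("no digest found in modem reply:\n" + reply + "\n")
        return 1
    write_cpsha(digest)
    print(f"wrote {len(digest)}-char digest to {CPSHA}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it once after the patched devinfo has been written back and the phone has been rebooted into factory mode; a non-zero exit means the modem returned ERROR or a reply without a recognisable digest, and cpsha is left untouched in that case. Check the stored value against the modem's reply before switching bootmode back to "normal".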

--- Luxferre ---