(2023-11-20) Is this the true end of the epoch for Nokia phones? Not sure yet
-----------------------------------------------------------------------------
Finally, something about phones on this phlog. Moreover, about phones of my
favorite brand. I could blabber about any (genuine) Nokias from 1993 up to
2023 for hours but there's a single thing I always lacked in them (except
KaiOS models which compensate for it with plenty of other issues): ability
to edit IMEIs without special boxes or proprietary software. This _might_,
however, be about to change sooner than we think. A 30-year epoch of
untouchable IMEIs in Nokia non-smartphones might come to an end in the
foreseeable future.

I personally thought it would never be possible until I realized that the
newest (2023-made and probably some 2022-made) Nokia feature phones (with
non-smartphone hardware, that is) are no longer made in Vietnam like they
were before. I also heard HMD had set up some local manufacturing for the
Indian market, well, in India, but as I'm not there, this doesn't concern me
much. All current-gen Nokia feature phones produced this year onwards and
sold where I live — 105-2023 2G, 106-2023, 110-2023 2G, 130-2023 and
150-2023 — are coming to us from China. Yes, officially. These are not
fakes. For the first time in history, we see official Nokia-branded keypad
phones manufactured in mainland China. This was enough for me to pick one of
them and see all the differences from the previous models. As HMD fully
stopped announcing the chipset for their GSM-only models, it was a bit of
hit and miss for me, but I ordered a new 130. And when it arrived, I was
surprised it didn't have Unisoc SC6531F or something like that (I know that
the new 105 and probably 106 and 110 do have SC6531E inside), but was still
running on MediaTek MT6261D. Anyway, this was only the beginning of my
surprises.

So, here it is, the model TA-1576, Nokia 130 2023. In some regions, it's
called 130 Music, and for the market of mainland China itself it was
released as a 125 (probably because they totally missed the real 125... and
for the greater good, I must add). It is quite a large barphone,
dimensionally similar to the aforementioned 125 but a tiny bit thinner and
narrower, which is a good thing in this case, and sporting yet another new
removable battery type, BL-L5H with 1400 mAh rated capacity. As if the
well-known BL-4UL wasn't good enough for that. Also, it looks like they
changed the UI font one more time, no one knows what for. Anyway, judging
merely by this amount of NIH syndrome, I thought that the inside of the
phone would be just as different. Oh, how damn right I was...

You see, I didn't even have to dump the firmware with MTreader, as the main
partitions seem to be encrypted anyway, to see the obvious: this phone, or
at least its board, was made in a totally different place. In case you
didn't know, all of the Vietnamese MediaTek-based Nokias (that were running
on MT6260, then MT6260A and MT6261D) tried to conceal in every possible way
they were MediaTek-based. The Series30+ was a major overhaul of MAUI, and a
good one at that. Not a single MAUI-specific secret code, besides a couple
of debug-oriented ones, actually worked on those devices. Microsoft and then
HMD spent a lot of effort even to conceal the fact those phones had an AT
command interface... Well, not for long, but those events are already
history, and I'm glad I was a part of it. But the fact remains: on
those Nokias, you couldn't even dial the *#63342835# (*#mediatek#) code and
see the "MediaTek" word. If you could do this, it was an outright sign of a
fake.

Well, guess what: on this new fully official and original 130, you can. You
can also enter an engineering menu with *#3646633# (*#engmode#) and see the
internal software version with *#8375# (*#ver5#), and yes, it's a different
screen than what you get on the traditional Nokia *#0000#. You can also
enter a hardware test menu with *#15963#, or run quick tests with *#8378# or
stress tests with *#87#. Again, I found all this without being able to fully
analyze the firmware dump, but this was already enough for me to realize
this firmware is much, much closer to the vanilla MAUI than any of its
predecessors. I didn't, however, find the *#15963# code randomly. The phone
had a hidden clue where to start looking for it. But what I found is
something more.

Any MAUI firmware version string, as you might know, contains a hardware
revision substring. Usually it's an alphanumeric board identifier followed
by the last three characters of the chipset model and then some other data
after underscores. If you don't have a way to view this information via
codes (which I initially didn't have), you can use various options for the
AT+EGMR subcommand. I ran the subcommand to get the board ID (AT+EGMR=0,4)
and I saw the following string there: SAGETEL61D_11C_HW. This tells us that
the chipset inside is indeed MT6261D and this is the revision 11C of the
board codenamed SAGETEL. In fact, if we run an Internet search on the
complete string, we can find the device this board had already been used
in: Itel IT2160, a barphone from Transsion released in ca. 2018. Of
course, only the board is common with this Nokia but this inspired me to
download some firmware for this IT2160 (which, of course, wasn't encrypted)
and check for some codes from there. And, bizarrely enough, *#15963# was the
only new code that actually fit my 130-2023.
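
As an added example (not part of the original post or of any MAUI tooling),
here is the board ID reading described above as a small parser, plus a helper
that tells whether two version strings name the same board. The '+EGMR: "..."'
reply framing and both sample replies are constructed assumptions.

```python
import re

# Constructed reply to AT+EGMR=0,4. The '+EGMR: "..."' framing and the echo
# and OK lines are assumptions; only the quoted string comes from the text.
SAMPLE_REPLY = 'AT+EGMR=0,4\r\n+EGMR: "SAGETEL61D_11C_HW"\r\n\r\nOK\r\n'
# Constructed error reply, modelled on the "CME ERROR: unknown" quoted later.
SAMPLE_ERROR = '+CME ERROR: unknown\r\n'


def extract_payload(reply):
    """Return the quoted value from a read reply, or None if there is none."""
    for line in reply.splitlines():
        line = line.strip()
        if line.upper().startswith("AT") or "ERROR" in line:
            continue                      # command echo or error result
        match = re.search(r'"([^"]*)"', line)
        if match:
            return match.group(1)
    return None


def parse_board_id(value):
    """Split a board ID into board name, chipset suffix and trailing fields."""
    head, *extra = value.split("_")
    if len(head) < 4 or not head.isalnum():
        raise ValueError("unexpected board ID head: %r" % head)
    return {
        "board": head[:-3],            # alphanumeric board identifier
        "chipset_suffix": head[-3:],   # last three characters of the chipset
        "extra": extra,                # data after the underscores
    }


def same_board(id_a, id_b):
    """True when two version strings name the same board and chipset suffix."""
    a, b = parse_board_id(id_a), parse_board_id(id_b)
    return (a["board"], a["chipset_suffix"]) == (b["board"], b["chipset_suffix"])
```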

So, we have pure-MAUI secret codes for version, engineering and test menus
for this phone (and I'm pretty sure they are the same for 150-2023 too). The
main mystery, however, remains unsolved: are the IMEIs here editable in any
way? Well, my first thought would be to go the traditional AT command route
(by the way, yes, you have to sacrifice the USB storage mode if you set the
PS config to USB in the respective engineering menu setting). So I tried
AT+EGMR with corresponding parameters (AT+EGMR=1,7,"[new_imei]" for SIM1 and
AT+EGMR=1,10,"[new_imei]" for SIM2) but got "CME ERROR: unknown" in both
cases, while the read commands (AT+EGMR=0,7 and AT+EGMR=0,10 respectively)
do work fine. In the Vietnamese MediaTek-based Nokias though, the write
commands worked too but the result was ignored due to the NVRAM protection.
Here, it just looks like it was disabled on the AT command processor level;
whether or not protection is still there, I don't really know. Not gonna
lie, if I find a working code for this, it will become my favorite post-2013
Nokia. For now, I'm stuck. There is, however, some hope based on what I have
seen with *another* NVRAM field in the same area: PSN.

PSN (product serial number) is Nokia's name for the internal serial number
that all phones like this have, be they on MediaTek or Unisoc. It's assigned
fully independently of IMEIs and, in the case of MediaTek, can be accessed
with the AT+EGMR command too under the field #5: AT+EGMR=0,5 for reading and
AT+EGMR=1,5,"[new_sn]" for writing. The biggest problem, however, is that
the PSN itself takes 25 characters, but the NVRAM field for it reserves 63
bytes and it actually is padded with whitespaces and ends with the "10P"
substring that's not a part of the serial number per se. But that's not all:
it turns out that the AT+EGMR command itself doesn't check the input length
for this field, so if you don't include the padding, you can easily misalign
all the subsequent NVRAM fields and mess up all calibration until you enter
a 63-character long PSN. And guess what: this field is actually editable and
unprotected in this Nokia. So, in theory, by manipulating its contents, we
could manipulate all fixed-length fields/files that come after PSN in that
area. But that's something that has yet to be investigated. For now, the
IMEI question remains open.
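
The missing length check, as an added toy model (not code from the phone's
firmware or from the original post). It assumes records are stored back to
back and read at fixed offsets; the serial and the neighbouring field are
constructed values.

```python
PSN_FIELD_LEN = 63    # bytes the NVRAM area reserves for the PSN field
PSN_LEN = 25          # characters of the serial number itself
PSN_TAIL = b"10P"     # trailing marker, not part of the serial

SAMPLE_SERIAL = b"CONSTRUCTED-SERIAL-000001"   # constructed, 25 bytes
NEXT_FIELD = b"CAL-DATA"                       # constructed neighbour field


def full_psn_field(serial):
    """Serial, space padding and the "10P" tail: exactly 63 bytes."""
    if len(serial) != PSN_LEN:
        raise ValueError("serial must be %d bytes" % PSN_LEN)
    pad = PSN_FIELD_LEN - PSN_LEN - len(PSN_TAIL)
    return serial + b" " * pad + PSN_TAIL


class ToyArea:
    """Assumed model: records stored back to back, read at fixed offsets."""

    def __init__(self):
        self.records = [full_psn_field(SAMPLE_SERIAL), NEXT_FIELD]

    def read_next_field(self):
        raw = b"".join(self.records)
        return raw[PSN_FIELD_LEN:PSN_FIELD_LEN + len(NEXT_FIELD)]

    def write_unchecked(self, value):
        # Behaviour described above: the value is stored whatever its length.
        self.records[0] = value

    def write_checked(self, value):
        # The missing check: only a complete, correctly terminated field.
        if len(value) != PSN_FIELD_LEN or not value.endswith(PSN_TAIL):
            raise ValueError("PSN field must be 63 bytes ending in 10P")
        self.records[0] = value


def demo():
    area = ToyArea()
    before = area.read_next_field()
    area.write_unchecked(SAMPLE_SERIAL)          # 25 bytes, no padding
    shifted = area.read_next_field()             # neighbour no longer found
    area.write_unchecked(full_psn_field(SAMPLE_SERIAL))
    restored = area.read_next_field()            # alignment is back
    try:
        area.write_checked(SAMPLE_SERIAL)
        rejected = False
    except ValueError:
        rejected = True
    return before, shifted, restored, rejected
```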

From the normal user's perspective, some very strange decisions had been made
there as well. For instance, this phone has absolutely no way of viewing
images from the SD card and absolutely no way of setting them as wallpapers.
I didn't use any of the previous iterations of 130 and can't say whether or
not this is the case for them, but to me it sounds most illogical. Luckily,
there are 6 pre-installed wallpapers, but what's the reason to limit the
choice if you're definitely allowed to set your own ringtones here? Although
this is a strange one too — you can't do this from the profile or general
tone settings, only from the SD file manager itself. Same for message and
alarm tone customization.

In the mass storage connection mode, the phone gets identified as "0e8d:0002
MediaTek Inc. phone (mass storage mode) [Doro Primo 413]". They didn't even
try to conceal anything at this point. But I also had trouble connecting
*just to this Nokia* in the Mass Storage mode from my Arch Linux (Garuda),
until I found out I had to comment out the following line in
/lib/udev/rules.d/40-usb_modeswitch.rules file:

ATTR{idVendor}=="0e8d", ATTR{idProduct}=="0002", RUN+="usb_modeswitch '/%k'"

After that, everything went smoothly. Except, of course, the transfer itself
being extremely slow. If you have a card reader and have a large amount of
music to move, it will be your best bet. And, besides music (+ custom
ringtones and audio recordings), there's pretty much nothing else you can
use the SD card for in this phone (yes, even the phonebook VCard backup is
scrapped). The player, by the way, is marketed as the central feature of
this 130 and can be quickly entered by long-pressing the central D-pad key.
On the first run, it scans the entire card for music files and generates the
@Playlists/audio_play_list.sal file, whose format matches the one I
described in my MAUI knowledge base ([1]). It also creates some temporary
copy of this file's previous version, audio_play_list.sal.tmp, and the
MyFav.sal playlist file that reflects your "Favorites" player selection. As
far as I have seen, the format of MyFav.sal is exactly the same, with the
only visible difference being that the "Favorites" entries end with the 01
00 bytes instead of 00 00 bytes in both audio_play_list.sal and MyFav.sal
files.

Out of all this, what conclusions can I make? Is this really the end of the
epoch for Nokia featurephones? Not quite yet, but it is very close to that.
I mean, it still is a genuine Nokia, cased into very hard polycarbonate
plastic, having some IP52 dustproof rating, booting extremely fast, offering
good sound capabilities and (I suppose) not having any trojans in its
firmware. But in terms of how this firmware differs from all other
China-originated phones (and we see proof that the hardware literally is
the same as one of them), the difference is almost non-existent now. And the
only thing that globally keeps this firmware from being fully identical is
not the S30+ UI on top of MAUI, it is the uncertainty about whether or not
boxless/dongle-less IMEI editing is possible here. That's why my research in
this area needs to continue, regardless of how long the pause has been.

--- Luxferre ---

[1]: gopher://hoi.st:70/0/docs/own/maui-kb-mt6261.txt