Google Pixel 6 IMEI editing research (WIP)
------------------------------------------
Note: this is a work in progress. The contents of this document may change at
any time and may contain information that fails to work under some
circumstances. Use the information solely at your own risk.
The document is released under CC0 into the public domain.
Prerequisites:
* Google Pixel 6 (probably also 6 Pro) with Exynos 5123 modem
* Rooted Android system
# AT command interface #
Currently, the only known AT command interface is the following (from a root
shell):
echo 'your_cmd\r' > /dev/umts_router & cat /dev/umts_router
(minicom does not support this device; a more reliable way of interacting
with it is still to be researched)
# Temporary IMEI change #
The physical SIM IMEI is stored in the "CAL.Common.Imei" NV item; the eSIM
IMEI is stored in the "CAL.Common.Imei_2nd" NV item.
To update physical SIM IMEI to abcdefghijklmno (where the letters stand for
corresponding IMEI digits), issue the following AT commands:
AT+GOOGSETNV="CAL.Common.Imei",0,"ab"
AT+GOOGSETNV="CAL.Common.Imei",1,"cd"
AT+GOOGSETNV="CAL.Common.Imei",2,"ef"
AT+GOOGSETNV="CAL.Common.Imei",3,"gh"
AT+GOOGSETNV="CAL.Common.Imei",4,"ij"
AT+GOOGSETNV="CAL.Common.Imei",5,"kl"
AT+GOOGSETNV="CAL.Common.Imei",6,"mn"
AT+GOOGSETNV="CAL.Common.Imei",7,"o0"
AT+GOOGSETNV="CAL.Common.Imei",8,"00"
To update eSIM IMEI to abcdefghijklmno (where the letters stand for
corresponding IMEI digits), issue the following AT commands:
AT+GOOGSETNV="CAL.Common.Imei_2nd",0,"ab"
AT+GOOGSETNV="CAL.Common.Imei_2nd",1,"cd"
AT+GOOGSETNV="CAL.Common.Imei_2nd",2,"ef"
AT+GOOGSETNV="CAL.Common.Imei_2nd",3,"gh"
AT+GOOGSETNV="CAL.Common.Imei_2nd",4,"ij"
AT+GOOGSETNV="CAL.Common.Imei_2nd",5,"kl"
AT+GOOGSETNV="CAL.Common.Imei_2nd",6,"mn"
AT+GOOGSETNV="CAL.Common.Imei_2nd",7,"o0"
AT+GOOGSETNV="CAL.Common.Imei_2nd",8,"00"
To apply the changes, issue the following AT commands to save the baseband
state and shut it down:
AT+GOOGFLUSHNV
AT+CFUN=4,1
Wait for up to 3 seconds and then issue this AT command to bring it back
online:
AT+CFUN=1
If everything updates correctly, the network should see your new IMEI. Refer
to your carrier's account page to verify this. Note that this change will
not be reflected in *#06# or anywhere else in the system, only on the
cellular network.
The change will only stay in effect until the first reboot. To reset the
IMEIs without rebooting, issue the following commands:
AT+GOOGNVRESET
AT+CFUN=4,1
Wait for up to 3 seconds and then issue this AT command to bring it back
online:
AT+CFUN=1
# Persistent IMEI change #
The following partition stores both IMEIs in plain ASCII:
/dev/block/bootdevice/by-name/devinfo
They can be found after the string "imei1" followed by a zero byte and after
the string "imei2" followed by a zero byte, respectively.
Patching either of the IMEIs in the devinfo image, regardless of whether or
not the /mnt/vendor/efs/nv_protected* files are deleted afterwards, causes
the device to report both IMEIs as 000000000000000 to both the OS and the
network after rebooting. Other places where the IMEIs need to be patched in
addition to the devinfo partition are still being researched.
The devinfo partition size must be exactly 8192 bytes. Corrupting it can
lead to a bootloop or to the radio module not working at all.
The devinfo change also modifies nv_protected.bin (and the 'AT+GOOGBLOCKINFO'
output) accordingly. Despite this, the effective IMEIs are still zeroed out.
Also, with the patched devinfo, both AT+GOOGGETIMEISHA and
AT+GOOGVERIFYIMEISHA return "+CME ERROR: unknown". With the stock devinfo,
AT+GOOGVERIFYIMEISHA returns:
+GOOGVERIFYIMEISHA: IMEI SHA verified passed
This means that some SHA hash of the IMEI pair is stored elsewhere and checked
against the devinfo contents.
When a working method of IMEI persistence is found, it will be the only one
described in this document.
--- Luxferre ---