For those who read the article to the end, there are 5 easy steps to change the IMEI in the ZTE MF626 3G modem:
1. Run RW_NV_item_ZTE_MF.exe; it will create C:\Channel1.nvm (in root).
2. Open C:\Channel1.nvm (in root) in WinHEX and wait.
3. Run QC Mobile Analysis Tool V5.06_IMEI_checksum, choose Network Calkulator in the Calculators/Generators menu and calculate the IMEI.
4. Prepare the IMEI in the nvram format, or simply put, “reverse” it.
5. Run “DL_MF626_MTS_RU_EUV1.00.05.exe” and wait with WinHEX open. When the C:\Channel1.nvm file changes, a window will pop up informing you about the change. Write the new IMEI and save it. When the modem is finished, the new IMEI will be in.
Takes about 12-20 minutes depending on the firmware image.
100% works on modems ZTE MF626 – these are modems from Beeline and MTS.
It should work on other ZTEs as well, because when firmware from ZTE MF100 is loaded into ZTE MF626, everything works (IMEI may become blank, and then it won’t get registered by the operator, I do not recommend this).
MTS shell can make calls and send SMS, but cannot make arbitrary USSD requests. The shell from MegaFon can’t make calls, but it makes any USSD requests and sends SMS.
Details on how to change the IMEI.
The first option is the easiest: one EXE file and the WinHEX editor (new IMEI).
1.1 Download one of these (Google):
- “DL_MF626_MTS_RU_EUV1.00.05.exe”
- “DL_MF626_BLNMO_RU_EUV1.00.02.exe” (I downloaded this one, for work with MegaFon)
- or “any firmware for ZTE MF626” that comes as one EXE file
1.2 Insert the MF626 modem (WITHOUT SIM card!!!) and install everything it asks for. Kill the “Connect Manager” process and delete the contents of C:\Program Files\Connect Manager, so that it does not start automatically during the flashing and spoil anything for us.
1.3 Run “DL_MF626_MTS_RU_EUV1.00.05.exe”, which you downloaded. It automatically does three things (no settings, just two “start-stop” buttons):
- makes a backup of the modem, creating “C:\Channel1.nvm” in the root of drive C (if you launch “DL_MF626_MTS_RU_EUV1.00.05.exe”, for example, from drive E, the file is created as “E:\Channel1.nvm”)
- writes the firmware into the modem
- restores the modem data from the previously created backup “C:\Channel1.nvm”
Bluntly (consciously, of course) re-flash the modem by running “DL_MF626_MTS_RU_EUV1.00.05.exe”.
1.4 Go to the file “C:\Channel1.nvm” in the root, which was left after the modem reflashing, and open it in WinHEX. On the lines at offsets 00016CF0 and 00016D00 you will see your IMEI, but it is “inverted” (underlined in red). Warning! For those who use WinHEX for the first time: if you click by accident on the offset numbering, it will switch from base 16 to base 10 and your IMEI will be at the lines with offsets 00093424 and 00093440 in decimal notation.
1.5 Where it is underlined in red (picture in the attachment), there is the “reversed” modem IMEI. It is reversed as follows:
it says 0A 21 43 65 87 09 21 43,
read as follows – A0 12 34 56 78 90 12 34 (0 12 34 56 78 90 12 34 is IMEI).
Note that the IMEI has 15 digits while the firmware has 16! The 16th character “A” is always added to the beginning – A 0 12 34 56 78 90 12 34 = A0 12 34 56 78 90 12 34. That is, before you write the IMEI it must be “flipped” with the character “A” added to the beginning. So, add the symbol “A” to the beginning and flip the IMEI pair by pair. Now the new IMEI is ready to be written.
1.6 Go to the file “C:\Channel1.nvm” in the root, which was left after the modem reflashing, and open it in WinHEX. Change the IMEI to the new one. Save it. Save the file “C:\Channel1.nvm” to another folder, for example, “C:\Temp\Channel1.nvm”. Delete the file “C:\Channel1.nvm”.
1.7 Run “DL_MF626_MTS_RU_EUV1.00.05.exe” again and wait until it finishes the modem backup; this happens somewhere around step 20/100 (it is also shown in the progress display, and a new file “C:\Channel1.nvm” is created). As soon as you see the new file “C:\Channel1.nvm”, delete it at once and in its place drop our edited file with the new IMEI, which we put into “C:\Temp\Channel1.nvm”. You have about a minute for this file replacement operation.
1.8 The firmware updater will intelligently put the new IMEI where it needs to go. Done.
1.9 Go to Device Manager, find your modem there and open its properties. Many tabs will open; on one of them find the “poll the modem” button and press it. The tab will show a lot of different AT command responses; browse them and find IMEI=012345678901234. That’s it.
If you found “IMEI= ”, i.e. empty, you flashed the firmware from another modem. This is a problem. The modem will not be registered by the operator. For that you need to restore the IMEI.
The easiest way is to make a backup of the modem with the program “NV-items_reader_writer.exe” (“NV-item”); if you do not do this, you will be fighting with your modem for a very long time (don’t blame me!!!).
“NV-items_reader_writer.exe” does not know how to write a new IMEI when one is already there (it reports “Read Only”), but when it is not there, that is, when it is empty, it easily writes your previously created backup there.
The second way to change the IMEI, fast.
To avoid flashing the modem twice and to get “C:\Channel1.nvm” immediately so you can write a new IMEI into it, you need to run “RW_NV_item_ZTE_MF.exe” and then, when the file “C:\Channel1.nvm” is received, replace the IMEI and put the file into “C:\Temp\Channel1.nvm”.
The third way to change the IMEI, the fastest, is the one at the beginning of the article.
Edit the file “C:\Channel1.nvm” on the fly with a pre-prepared IMEI. It has to be done quickly.
===========================================================
The IMEI has 15 digits and the last digit is the checksum, which is calculated like the CC, i.e. you take the 14 digits of the IMEI and calculate the checksum.
===========================================================
Generation of a new IMEI.
IMEI checksum (and CC) can be calculated in QC Mobile Analysis Tool V5.06_IMEI_checksum (under Calculators/Generators choose Network Calkulator to calculate IMEI)
The first six digits, 353180, are the TAC (Type Approval Code), the phone model code; for almost all phones the first two digits are 35, except the iPhone, which has 01.
The next two digits, 00, are the FAC (Final Assembly Code), the code of the country of final assembly.
The next 6 digits, 768798, are the SNR (Serial Number), the phone serial number.
The last digit, 4, is the SP (Spare), the check digit.

TAC examples
TAC  Manufacturer Model
01124500  Apple iPhone
01130000  Apple iPhone model MA712LL
01136400  Apple iPhone
01154600  Apple iPhone model MB384LL
01161200  Apple iPhone 3G
01193400  Apple iPhone 3G
01180800  Apple iPhone 3G model MB704LL
01181200  Apple iPhone 3G model MB496B
01174400  Apple iPhone 3G model MB496RS rostest
01194800  Apple iPhone 3GS
01215800  Apple iPhone 3GS
01216100  Apple iPhone 3GS
01226800  Apple iPhone 3GS
01215900  Apple iPhone 3GS model MC131B
01241700  Apple iPhone 4
01233800  Apple iPhone 4 model MC610LL
01233700  Apple iPhone 4 model MC603B
01233600  Apple iPhone 4 model MC608LL
01243000  Apple iPhone 4 model MC603KS
01254200  Apple iPhone 4
01300600  Apple iPhone 4S model MD260C
01332700  Apple iPhone 5 model MD642C
35896704  HTC Desire S
35902803  HTC Wildfire
35714904  Huawei e398u-15 lte stick
35191405  Motorola Defy Mini
35351200  Motorola V300
350151..  Nokia 3330
35089080, 35099480, 35148420  Nokia 3410 (NHM-2NX)
35148820, 35154900  Nokia 6310i (NPL-1)
35151304  Nokia E72-1 (RM-530)
35274901  Nokia 6233
35291402  Nokia 6210 Navigator
35376800, 35566600  Nokia 6230
35421803  Nokia 5310 (RM-303)
35433004  Nokia C5-00 (RM-645)
35524803  Nokia 2330c-2 (RM-512)
35685702  Nokia 6300
35693803  Nokia N900
35694603  Nokia 2700
35699601  Nokia N95
35700804  Nokia C1
35739804  Nokia N8
35788104  Nokia N950
35836800  Nokia 6230i
35837800  Nokia N6030 (RM-74)
35935003  Nokia 2720a-2 (RM-519)
449337..  Nokia 6210
35357800  Samsung SGH-A800
35679404  Samsung Galaxy Mini (GT-S5570)
35733104  Samsung Galaxy Gio
35853704  Samsung Galaxy SII
35226005  Samsung Galaxy SIII
35979504  Samsung Galaxy Note
35171005  Sony Ericsson Xperia S
35238402  Sony Ericsson K770i
35851004  Sony Ericsson Xperia Active
35405600  Wavecom M1306B
35837501  XDA Orbit 2
35316004  ZTE Blade
35972100  Lobster 544
330075  Alcatel One Touch Pocket
330140  Alcatel One Touch MAX
331007  Sagem 815
332051  Alcatel One Touch Gum DB
332093  Mitsubishi Trium Astral
446592  Panasonic G500
446639  Philips Fizz
447263  Motorola D160
447470  Siemens S10
447502  Philips Genie
447515  Siemens E10
447679  Philips Twist
447764  Motorola StarTAC 130
447766  Motorola CD160
447768  Motorola cd928
447769  Motorola CD930
447881  Siemens S8
447968  Siemens S10 active
448114  Motorola d520
448213  Nec DB-2000
448315  Samsung SGH600
448323  Philips Diga
448478  Siemens C10
448570  Panasonic EB-G520
448674  Philips Savvy DB
448903  Nokia 3210
448835  Motorola v3688
448836  Motorola m3188
448886  Siemens C25
448896  Nokia 3210
448951  Motorola m3288
448954  Motorola Timeport L7089
449102  Siemens s25
449123  Panasonic GD 90
449125  Siemens C25 Power
449142  Nokia 3210
449154  Nokia 3110
449191  Siemens C35i
449652  Motorola m3788
449654  Motorola m3588
449656  Motorola m3888
449680  Philips Savvy DB
450066  Sony CMD-Z1
450087  Sony CMD-C1
490010  AEG NHE-2AG
490113  Nokia 1611
490137  Nokia 8110
490138  Nokia 2110
490509  Ericsson GF768
490510  Ericsson GF688
490511  Ericsson GA628
490518  Nokia 6110
490525  Nokia 8810
490527  Nokia 6110
490530  Ericsson GH688
490531  Ericsson GH688
490532  Ericsson GH688
490533  Ericsson GA628
490535  Ericsson GA628
490541  Nokia 5110
490543  Nokia 9110
490542  Nokia 5110
490544  Nokia 5110
490546  Nokia 5110 RU
490548  Nokia 5110
490550  Nokia 5110
490565  Ericsson GA628
493009  Nokia 6150 GSM 900/1800
495022  Nokia 1620
520019  Ericsson T18s
520020  Ericsson A1018s
520023  Ericsson S868
520034  Ericsson T28s
520046  Ericsson 1018s
520047  Ericsson a1018s / GSM900/1800
520050  Ericsson 1018
520091  Ericsson T10
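For examining a backup offline, the record layout from step 1.5 and the check digit described above can be decoded and validated as follows. This is an added example, not part of the original article: the function names are hypothetical, the first sample is the placeholder record from step 1.5, and the second is constructed from the 353180 00 768798 4 breakdown.

```python
"""Decode the nibble-swapped IMEI record of an NV backup and validate it."""


def decode_nv_imei(raw: bytes) -> str:
    """Return the 15-digit IMEI stored in the 8-byte record from step 1.5."""
    if len(raw) != 8:
        raise ValueError("IMEI record must be exactly 8 bytes")
    # Each byte holds two characters with its nibbles swapped: 0x21 -> "12".
    text = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)
    if text[0] != "A" or not text[1:].isdigit():
        raise ValueError(f"not an IMEI record: {text}")
    return text[1:]  # drop the leading "A" marker


def luhn_valid(imei: str) -> bool:
    """True if the 15th digit matches the Luhn checksum of the first 14."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:  # every second digit, counting from the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def split_imei(imei: str) -> dict:
    """Split an IMEI using the article's 6/2/6/1 field breakdown."""
    return {"tac": imei[:6], "fac": imei[6:8],
            "snr": imei[8:14], "check": imei[14]}


def inspect_record(raw: bytes) -> dict:
    """Decode a record and report its fields and checksum status."""
    imei = decode_nv_imei(raw)
    return {"imei": imei, "luhn_ok": luhn_valid(imei), **split_imei(imei)}


# Record bytes exactly as shown in step 1.5 (a placeholder IMEI).
PAGE_SAMPLE = bytes.fromhex("0A21436587092143")
# Constructed sample: the 353180 00 768798 4 example in record form.
CONSTRUCTED_SAMPLE = bytes.fromhex("3A35810070869748")

if __name__ == "__main__":
    for record in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        print(inspect_record(record))
```

The placeholder from step 1.5 decodes to 012345678901234 and fails the checksum, while the 353180 00 768798 4 example passes it.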
Choose the first 6 digits, then choose the 6 digits of the serial number; of course, a first digit of “9” is not desirable, as the manufacturer may not have got that far, so start with “0” or “1”.
The IMEI of an iPhone can be checked on any online service that does unlocking and other things with iPhones.
The TAC of a Nokia IMEI can be checked at https://www.nokiaport.de/tacdatabase/?s=searchlng=
There are no antennas that change the speed of radio waves in the atmosphere of planet Earth, and none can exist, because the speed of light on planet Earth with its four dimensions is constant. This is learned in high school physics classes.
GSM, CDMA, UMTS, WiFi, WiMax and other base stations ALWAYS measure the travel time of the radio wave from the base station to the radio module of the client device (the modem/phone) and, by measuring it against the constant speed of light, obtain a very, very accurate distance. These parameters are used to control the transmit/receive power of the phone and the base station. It is true that interference and other radio wave propagation phenomena can give a slight error, but it is not tens of meters, rather small fractions of a meter at large distances.
The media and operator mumbo-jumbo about 50-100 meters is the same as the Hollywood mumbo-jumbo where the bad guys have to stay on a call for at least exactly 1 minute so that the good guys can determine where the call is coming from. You all realize, hopefully, that you don’t even have to pick up the phone for the operator to determine where the call is coming from, and the speed of the databases is not tied in any way to whether the call is ongoing or already over.
The operator determines your location very accurately, especially in a city. But “horizontally.” Vertically, it is already very difficult. It requires a spectrum analyzer, an expensive box (as a rule 300-500 thousand dollars and more) with antennas, as a rule very non-mobile. Every regional communications department and every enlarged regional (several regions) operator branch has had such a piece of hardware as of late, and “planners” use it when designing mobile networks.
I can’t imagine that a group of people with at least 2-3 cops and 2-3 telecom people or even communications supervisors would sneak on tiptoe into an entrance hall undetected and, standing on floor X, determine that the modem is working either on this floor X or one floor below or above. I can’t imagine how, with such uncertainty, the cops would ask to open the door without a warrant.
Even if cops with antennas do raid you, what’s the problem with breaking the SIM and modem and flushing them down the toilet? They’re small.
And you would need to do something very specific, probably in RU, to bring together the cops, the operators, communications oversight and the rest, so that they drag the spectrum analyzer to floor X.
The cops will not break down the door without a warrant – it’s not legal; they can get a warrant later, and the law allows it in exceptional cases that do not tolerate delay. But they can’t know exactly: not the apartment, and the floor only to within +/- 1.
It’s all questionable.
Unless you put a sign on your front door saying that the toughest hacker in the area lives in this entrance, in apartment X; then the scum don’t need a spectrum analyzer. Experience tells me that if you’re under 25 and you’ve never been to the police station, your vanity has already worked against you and such a plaque has been hanging on the door of the entryway for a long time.
But TrueCrypt is your old friend in this case and in all others.
Buy a used phone of the model whose IMEI you assign to the modem; they will look for it. They will find it. And here, do not get flustered: have the IMEI of this second-hand phone carefully written into the protocol, and also have the IMEI shown on the screen written into the protocol. The witnesses must be proper ones; demand qualified witnesses (CPC RF) from the nearest communication salon or computer store, not grannies, so that the correct identification of the second-hand phone is in the protocol. In the worst-case scenario, such a case may end up in court, where the identification of similar BUT DIFFERENT devices will make it impossible to convict you, but the investigators will understand that, too.
Don’t forget SORM is not a fairy tale, it’s a real threat to everyone. Mobile traffic is logged ALL the time. Use even the simplest and free VPN to get out of the country where you live.
Good luck to everyone. Don’t get sick.